summaryrefslogtreecommitdiffstats
path: root/security/manager
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
commit26a029d407be480d791972afb5975cf62c9360a6 (patch)
treef435a8308119effd964b339f76abb83a57c29483 /security/manager
parentInitial commit. (diff)
downloadfirefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz
firefox-26a029d407be480d791972afb5975cf62c9360a6.zip
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager')
-rw-r--r--security/manager/android_stub.h31
-rw-r--r--security/manager/locales/en-US/chrome/pipnss/nsserrors.properties331
-rw-r--r--security/manager/locales/en-US/chrome/pipnss/pipnss.properties123
-rw-r--r--security/manager/locales/en-US/chrome/pippki/pippki.properties34
-rw-r--r--security/manager/locales/en-US/security/certificates/certManager.ftl228
-rw-r--r--security/manager/locales/en-US/security/certificates/deviceManager.ftl132
-rw-r--r--security/manager/locales/en-US/security/pippki/pippki.ftl107
-rw-r--r--security/manager/locales/jar.mn14
-rw-r--r--security/manager/locales/moz.build7
-rw-r--r--security/manager/moz.build13
-rw-r--r--security/manager/pki/components.conf18
-rw-r--r--security/manager/pki/moz.build34
-rw-r--r--security/manager/pki/nsIASN1Tree.idl24
-rw-r--r--security/manager/pki/nsNSSDialogHelper.cpp45
-rw-r--r--security/manager/pki/nsNSSDialogHelper.h39
-rw-r--r--security/manager/pki/nsNSSDialogs.cpp216
-rw-r--r--security/manager/pki/nsNSSDialogs.h37
-rw-r--r--security/manager/pki/resources/content/certManager.css34
-rw-r--r--security/manager/pki/resources/content/certManager.js771
-rw-r--r--security/manager/pki/resources/content/certManager.xhtml333
-rw-r--r--security/manager/pki/resources/content/changepassword.js212
-rw-r--r--security/manager/pki/resources/content/changepassword.xhtml77
-rw-r--r--security/manager/pki/resources/content/clientauthask.css17
-rw-r--r--security/manager/pki/resources/content/clientauthask.js162
-rw-r--r--security/manager/pki/resources/content/clientauthask.xhtml116
-rw-r--r--security/manager/pki/resources/content/deletecert.css24
-rw-r--r--security/manager/pki/resources/content/deletecert.js121
-rw-r--r--security/manager/pki/resources/content/deletecert.xhtml36
-rw-r--r--security/manager/pki/resources/content/device_manager.js433
-rw-r--r--security/manager/pki/resources/content/device_manager.xhtml113
-rw-r--r--security/manager/pki/resources/content/downloadcert.js83
-rw-r--r--security/manager/pki/resources/content/downloadcert.xhtml66
-rw-r--r--security/manager/pki/resources/content/editcacert.js52
-rw-r--r--security/manager/pki/resources/content/editcacert.xhtml35
-rw-r--r--security/manager/pki/resources/content/exceptionDialog.css35
-rw-r--r--security/manager/pki/resources/content/exceptionDialog.js322
-rw-r--r--security/manager/pki/resources/content/exceptionDialog.xhtml91
-rw-r--r--security/manager/pki/resources/content/load_device.js75
-rw-r--r--security/manager/pki/resources/content/load_device.xhtml55
-rw-r--r--security/manager/pki/resources/content/pippki.js300
-rw-r--r--security/manager/pki/resources/content/resetpassword.js28
-rw-r--r--security/manager/pki/resources/content/resetpassword.xhtml49
-rw-r--r--security/manager/pki/resources/content/setp12password.js127
-rw-r--r--security/manager/pki/resources/content/setp12password.xhtml56
-rw-r--r--security/manager/pki/resources/jar.mn33
-rw-r--r--security/manager/pki/resources/moz.build7
-rw-r--r--security/manager/ssl/AppSignatureVerification.cpp1410
-rw-r--r--security/manager/ssl/AppTrustDomain.cpp319
-rw-r--r--security/manager/ssl/AppTrustDomain.h94
-rw-r--r--security/manager/ssl/CertStorageMemoryReporting.cpp17
-rw-r--r--security/manager/ssl/ClientAuthDialogService.sys.mjs68
-rw-r--r--security/manager/ssl/CommonSocketControl.cpp519
-rw-r--r--security/manager/ssl/CommonSocketControl.h191
-rw-r--r--security/manager/ssl/ContentSignatureVerifier.cpp454
-rw-r--r--security/manager/ssl/ContentSignatureVerifier.h32
-rw-r--r--security/manager/ssl/CredentialManagerSecret.cpp103
-rw-r--r--security/manager/ssl/CredentialManagerSecret.h26
-rw-r--r--security/manager/ssl/CryptoTask.cpp43
-rw-r--r--security/manager/ssl/CryptoTask.h52
-rw-r--r--security/manager/ssl/DER.sys.mjs333
-rw-r--r--security/manager/ssl/DataStorageManager.cpp68
-rw-r--r--security/manager/ssl/DataStorageManager.h29
-rw-r--r--security/manager/ssl/EnterpriseRoots.cpp514
-rw-r--r--security/manager/ssl/EnterpriseRoots.h38
-rw-r--r--security/manager/ssl/IPCClientCertsChild.cpp17
-rw-r--r--security/manager/ssl/IPCClientCertsChild.h36
-rw-r--r--security/manager/ssl/IPCClientCertsParent.cpp130
-rw-r--r--security/manager/ssl/IPCClientCertsParent.h40
-rw-r--r--security/manager/ssl/KeychainSecret.cpp160
-rw-r--r--security/manager/ssl/KeychainSecret.h49
-rw-r--r--security/manager/ssl/LibSecret.cpp321
-rw-r--r--security/manager/ssl/LibSecret.h29
-rw-r--r--security/manager/ssl/NSSErrorsService.cpp212
-rw-r--r--security/manager/ssl/NSSErrorsService.h56
-rw-r--r--security/manager/ssl/NSSKeyStore.cpp154
-rw-r--r--security/manager/ssl/NSSKeyStore.h34
-rw-r--r--security/manager/ssl/NSSSocketControl.cpp732
-rw-r--r--security/manager/ssl/NSSSocketControl.h366
-rw-r--r--security/manager/ssl/OSKeyStore.cpp628
-rw-r--r--security/manager/ssl/OSKeyStore.h98
-rw-r--r--security/manager/ssl/OSReauthenticator.cpp562
-rw-r--r--security/manager/ssl/OSReauthenticator.h36
-rw-r--r--security/manager/ssl/OSReauthenticatorDarwin.mm63
-rw-r--r--security/manager/ssl/PIPCClientCerts.ipdl32
-rw-r--r--security/manager/ssl/PKCS11ModuleDB.cpp184
-rw-r--r--security/manager/ssl/PKCS11ModuleDB.h35
-rw-r--r--security/manager/ssl/PSMIPCTypes.ipdlh51
-rw-r--r--security/manager/ssl/PSMRunnable.cpp42
-rw-r--r--security/manager/ssl/PSMRunnable.h49
-rw-r--r--security/manager/ssl/PSelectTLSClientAuthCert.ipdl24
-rw-r--r--security/manager/ssl/PVerifySSLServerCert.ipdl31
-rw-r--r--security/manager/ssl/PublicKeyPinningService.cpp393
-rw-r--r--security/manager/ssl/PublicKeyPinningService.h54
-rw-r--r--security/manager/ssl/PublicSSL.h24
-rw-r--r--security/manager/ssl/RemoteSecuritySettings.sys.mjs709
-rw-r--r--security/manager/ssl/RootCertificateTelemetryUtils.cpp139
-rw-r--r--security/manager/ssl/RootCertificateTelemetryUtils.h37
-rw-r--r--security/manager/ssl/RootHashes.inc1597
-rw-r--r--security/manager/ssl/SSLServerCertVerification.cpp1134
-rw-r--r--security/manager/ssl/SSLServerCertVerification.h161
-rw-r--r--security/manager/ssl/ScopedNSSTypes.h464
-rw-r--r--security/manager/ssl/SecretDecoderRing.cpp344
-rw-r--r--security/manager/ssl/SecretDecoderRing.h37
-rw-r--r--security/manager/ssl/SelectTLSClientAuthCertChild.h42
-rw-r--r--security/manager/ssl/SelectTLSClientAuthCertParent.h54
-rw-r--r--security/manager/ssl/SharedCertVerifier.h38
-rw-r--r--security/manager/ssl/SharedSSLState.cpp192
-rw-r--r--security/manager/ssl/SharedSSLState.h74
-rw-r--r--security/manager/ssl/StaticHPKPins.errors33
-rw-r--r--security/manager/ssl/StaticHPKPins.h783
-rw-r--r--security/manager/ssl/TLSClientAuthCertSelection.cpp1050
-rw-r--r--security/manager/ssl/TLSClientAuthCertSelection.h120
-rw-r--r--security/manager/ssl/TransportSecurityInfo.cpp1131
-rw-r--r--security/manager/ssl/TransportSecurityInfo.h107
-rw-r--r--security/manager/ssl/VerifySSLServerCertChild.cpp143
-rw-r--r--security/manager/ssl/VerifySSLServerCertChild.h62
-rw-r--r--security/manager/ssl/VerifySSLServerCertParent.cpp179
-rw-r--r--security/manager/ssl/VerifySSLServerCertParent.h60
-rw-r--r--security/manager/ssl/X509.sys.mjs641
-rw-r--r--security/manager/ssl/X509CertValidity.cpp96
-rw-r--r--security/manager/ssl/X509CertValidity.h31
-rw-r--r--security/manager/ssl/addons-public-intermediate.crtbin0 -> 1841 bytes
-rw-r--r--security/manager/ssl/addons-public.crtbin0 -> 1637 bytes
-rw-r--r--security/manager/ssl/addons-stage.crtbin0 -> 1895 bytes
-rw-r--r--security/manager/ssl/builtins/Cargo.toml18
-rw-r--r--security/manager/ssl/builtins/build.rs568
-rw-r--r--security/manager/ssl/builtins/dynamic-library/builtins.symbols1
-rw-r--r--security/manager/ssl/builtins/dynamic-library/moz.build38
-rw-r--r--security/manager/ssl/builtins/dynamic-library/stub.c27
-rw-r--r--security/manager/ssl/builtins/dynamic-library/stub.cpp17
-rw-r--r--security/manager/ssl/builtins/moz.build9
-rw-r--r--security/manager/ssl/builtins/src/certdata.rs52
-rw-r--r--security/manager/ssl/builtins/src/internal.rs344
-rw-r--r--security/manager/ssl/builtins/src/lib.rs9
-rw-r--r--security/manager/ssl/builtins/src/pkcs11.rs1229
-rw-r--r--security/manager/ssl/builtins/src/version.rs6
-rw-r--r--security/manager/ssl/cert_storage/Cargo.toml24
-rw-r--r--security/manager/ssl/cert_storage/src/cert_storage.h24
-rw-r--r--security/manager/ssl/cert_storage/src/lib.rs1807
-rw-r--r--security/manager/ssl/components.conf155
-rw-r--r--security/manager/ssl/content-signature-local.crtbin0 -> 558 bytes
-rw-r--r--security/manager/ssl/content-signature-prod.crtbin0 -> 1637 bytes
-rw-r--r--security/manager/ssl/content-signature-stage.crtbin0 -> 1904 bytes
-rw-r--r--security/manager/ssl/crashtests/398665-1.html1
-rw-r--r--security/manager/ssl/crashtests/crashtests.list1
-rw-r--r--security/manager/ssl/crypto_hash/Cargo.toml15
-rw-r--r--security/manager/ssl/crypto_hash/crypto_hash.h46
-rw-r--r--security/manager/ssl/crypto_hash/src/lib.rs177
-rw-r--r--security/manager/ssl/data_storage/Cargo.toml18
-rw-r--r--security/manager/ssl/data_storage/src/lib.rs1017
-rw-r--r--security/manager/ssl/gen_cert_header.py46
-rw-r--r--security/manager/ssl/ipcclientcerts/Cargo.toml16
-rw-r--r--security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols1
-rw-r--r--security/manager/ssl/ipcclientcerts/dynamic-library/moz.build40
-rw-r--r--security/manager/ssl/ipcclientcerts/dynamic-library/stub.c43
-rw-r--r--security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp29
-rw-r--r--security/manager/ssl/ipcclientcerts/moz.build9
-rw-r--r--security/manager/ssl/ipcclientcerts/src/backend.rs373
-rw-r--r--security/manager/ssl/ipcclientcerts/src/lib.rs1049
-rw-r--r--security/manager/ssl/md4.c179
-rw-r--r--security/manager/ssl/md4.h38
-rw-r--r--security/manager/ssl/metrics.yaml180
-rw-r--r--security/manager/ssl/moz.build273
-rw-r--r--security/manager/ssl/nsCertOverrideService.cpp757
-rw-r--r--security/manager/ssl/nsCertOverrideService.h152
-rw-r--r--security/manager/ssl/nsCertTree.cpp844
-rw-r--r--security/manager/ssl/nsCertTree.h131
-rw-r--r--security/manager/ssl/nsClientAuthRemember.cpp435
-rw-r--r--security/manager/ssl/nsClientAuthRemember.h101
-rw-r--r--security/manager/ssl/nsICertOverrideService.idl143
-rw-r--r--security/manager/ssl/nsICertStorage.idl265
-rw-r--r--security/manager/ssl/nsICertTree.idl39
-rw-r--r--security/manager/ssl/nsICertificateDialogs.idl68
-rw-r--r--security/manager/ssl/nsIClientAuthDialogService.idl43
-rw-r--r--security/manager/ssl/nsIClientAuthRememberService.idl65
-rw-r--r--security/manager/ssl/nsIContentSignatureVerifier.idl49
-rw-r--r--security/manager/ssl/nsICryptoHash.idl109
-rw-r--r--security/manager/ssl/nsIDataStorage.idl119
-rw-r--r--security/manager/ssl/nsINSSComponent.idl107
-rw-r--r--security/manager/ssl/nsINSSErrorsService.idl72
-rw-r--r--security/manager/ssl/nsINSSVersion.idl37
-rw-r--r--security/manager/ssl/nsIOSKeyStore.idl112
-rw-r--r--security/manager/ssl/nsIOSReauthenticator.idl45
-rw-r--r--security/manager/ssl/nsIPK11Token.idl81
-rw-r--r--security/manager/ssl/nsIPK11TokenDB.idl31
-rw-r--r--security/manager/ssl/nsIPKCS11Module.idl21
-rw-r--r--security/manager/ssl/nsIPKCS11ModuleDB.idl40
-rw-r--r--security/manager/ssl/nsIPKCS11Slot.idl52
-rw-r--r--security/manager/ssl/nsIPublicKeyPinningService.idl22
-rw-r--r--security/manager/ssl/nsISecretDecoderRing.idl77
-rw-r--r--security/manager/ssl/nsISecurityUITelemetry.idl34
-rw-r--r--security/manager/ssl/nsISiteSecurityService.idl145
-rw-r--r--security/manager/ssl/nsITLSSocketControl.idl195
-rw-r--r--security/manager/ssl/nsITokenPasswordDialogs.idl30
-rw-r--r--security/manager/ssl/nsITransportSecurityInfo.idl137
-rw-r--r--security/manager/ssl/nsIX509Cert.idl200
-rw-r--r--security/manager/ssl/nsIX509CertDB.idl351
-rw-r--r--security/manager/ssl/nsIX509CertValidity.idl25
-rw-r--r--security/manager/ssl/nsNSSCallbacks.cpp1152
-rw-r--r--security/manager/ssl/nsNSSCallbacks.h45
-rw-r--r--security/manager/ssl/nsNSSCertHelper.cpp99
-rw-r--r--security/manager/ssl/nsNSSCertHelper.h31
-rw-r--r--security/manager/ssl/nsNSSCertTrust.cpp121
-rw-r--r--security/manager/ssl/nsNSSCertTrust.h55
-rw-r--r--security/manager/ssl/nsNSSCertificate.cpp686
-rw-r--r--security/manager/ssl/nsNSSCertificate.h50
-rw-r--r--security/manager/ssl/nsNSSCertificateDB.cpp1375
-rw-r--r--security/manager/ssl/nsNSSCertificateDB.h71
-rw-r--r--security/manager/ssl/nsNSSComponent.cpp2551
-rw-r--r--security/manager/ssl/nsNSSComponent.h165
-rw-r--r--security/manager/ssl/nsNSSHelper.h32
-rw-r--r--security/manager/ssl/nsNSSIOLayer.cpp1804
-rw-r--r--security/manager/ssl/nsNSSIOLayer.h134
-rw-r--r--security/manager/ssl/nsNSSModule.cpp107
-rw-r--r--security/manager/ssl/nsNSSModule.h21
-rw-r--r--security/manager/ssl/nsNSSVersion.cpp78
-rw-r--r--security/manager/ssl/nsNSSVersion.h30
-rw-r--r--security/manager/ssl/nsNTLMAuthModule.cpp1040
-rw-r--r--security/manager/ssl/nsNTLMAuthModule.h33
-rw-r--r--security/manager/ssl/nsPK11TokenDB.cpp287
-rw-r--r--security/manager/ssl/nsPK11TokenDB.h67
-rw-r--r--security/manager/ssl/nsPKCS11Slot.cpp277
-rw-r--r--security/manager/ssl/nsPKCS11Slot.h58
-rw-r--r--security/manager/ssl/nsPKCS12Blob.cpp357
-rw-r--r--security/manager/ssl/nsPKCS12Blob.h54
-rw-r--r--security/manager/ssl/nsRandomGenerator.cpp41
-rw-r--r--security/manager/ssl/nsRandomGenerator.h29
-rw-r--r--security/manager/ssl/nsSSLSocketProvider.cpp46
-rw-r--r--security/manager/ssl/nsSSLSocketProvider.h32
-rw-r--r--security/manager/ssl/nsSTSPreloadList.inc158718
-rw-r--r--security/manager/ssl/nsSecureBrowserUI.cpp168
-rw-r--r--security/manager/ssl/nsSecureBrowserUI.h53
-rw-r--r--security/manager/ssl/nsSecurityHeaderParser.cpp206
-rw-r--r--security/manager/ssl/nsSecurityHeaderParser.h78
-rw-r--r--security/manager/ssl/nsSiteSecurityService.cpp1011
-rw-r--r--security/manager/ssl/nsSiteSecurityService.h158
-rw-r--r--security/manager/ssl/nsTLSSocketProvider.cpp47
-rw-r--r--security/manager/ssl/nsTLSSocketProvider.h31
-rw-r--r--security/manager/ssl/nsVerificationJob.h48
-rw-r--r--security/manager/ssl/osclientcerts/Cargo.toml32
-rw-r--r--security/manager/ssl/osclientcerts/dynamic-library/moz.build33
-rw-r--r--security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols1
-rw-r--r--security/manager/ssl/osclientcerts/dynamic-library/stub.cpp8
-rw-r--r--security/manager/ssl/osclientcerts/moz.build9
-rw-r--r--security/manager/ssl/osclientcerts/src/backend_macos.rs849
-rw-r--r--security/manager/ssl/osclientcerts/src/backend_windows.rs914
-rw-r--r--security/manager/ssl/osclientcerts/src/bindings_macos.rs79
-rw-r--r--security/manager/ssl/osclientcerts/src/lib.rs1237
-rw-r--r--security/manager/ssl/osclientcerts/test/certificate.binbin0 -> 909 bytes
-rw-r--r--security/manager/ssl/osclientcerts/test/modulus.bin2
-rw-r--r--security/manager/ssl/osclientcerts/test/rsa.binbin0 -> 270 bytes
-rw-r--r--security/manager/ssl/rsclientcerts/Cargo.toml10
-rw-r--r--security/manager/ssl/rsclientcerts/src/error.rs103
-rw-r--r--security/manager/ssl/rsclientcerts/src/lib.rs11
-rw-r--r--security/manager/ssl/rsclientcerts/src/manager.rs671
-rw-r--r--security/manager/ssl/rsclientcerts/src/util.rs540
-rw-r--r--security/manager/ssl/rsclientcerts/test/certificate.binbin0 -> 909 bytes
-rw-r--r--security/manager/ssl/rsclientcerts/test/modulus.bin2
-rw-r--r--security/manager/ssl/rsclientcerts/test/rsa.binbin0 -> 270 bytes
-rw-r--r--security/manager/ssl/tests/.eslintrc.js8
-rw-r--r--security/manager/ssl/tests/gtest/CoseTest.cpp756
-rw-r--r--security/manager/ssl/tests/gtest/DeserializeCertTest.cpp507
-rw-r--r--security/manager/ssl/tests/gtest/HMACTest.cpp62
-rw-r--r--security/manager/ssl/tests/gtest/MD4Test.cpp62
-rw-r--r--security/manager/ssl/tests/gtest/OCSPCacheTest.cpp357
-rw-r--r--security/manager/ssl/tests/gtest/README.txt2
-rw-r--r--security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp383
-rw-r--r--security/manager/ssl/tests/gtest/moz.build24
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser.toml52
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_HSTS.js277
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js69
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js94
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_certViewer.js112
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js105
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js290
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js385
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html6
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js84
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js161
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js259
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js134
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js141
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js164
-rw-r--r--security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js312
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ca.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem19
-rw-r--r--security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem20
-rw-r--r--security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/code-ee.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/email-ee.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/expired-ca.pem18
-rw-r--r--security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-cn.pem18
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem16
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-o.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-ou.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/head.js82
-rw-r--r--security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs16
-rw-r--r--security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html22
-rw-r--r--security/manager/ssl/tests/mochitest/browser/intermediate.pem20
-rw-r--r--security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec4
-rw-r--r--security/manager/ssl/tests/mochitest/browser/invalid.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/longOID.pem25
-rw-r--r--security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec4
-rw-r--r--security/manager/ssl/tests/mochitest/browser/md5-ee.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/moz.build7
-rw-r--r--security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem21
-rw-r--r--security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec4
-rw-r--r--security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem21
-rw-r--r--security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec4
-rw-r--r--security/manager/ssl/tests/mochitest/browser/revoked.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/some_content.html6
-rw-r--r--security/manager/ssl/tests/mochitest/browser/some_content_framed.html14
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ssl-ee.pem18
-rw-r--r--security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem17
-rw-r--r--security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec2
-rw-r--r--security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem18
-rw-r--r--security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs7
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/backward.html18
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js10
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html28
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html29
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/download.auto1
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^2
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs6
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs17
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/iframe.html13
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html14
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html8
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs9
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs9
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs9
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs9
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js211
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/mochitest.toml104
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpgbin0 -> 52159 bytes
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/moz.build7
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs5
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs9
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css4
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html89
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html37
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html46
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html34
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html39
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html42
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html41
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html46
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html38
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html40
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html47
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html48
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html44
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html44
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html46
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html39
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html42
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html40
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html34
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html42
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html35
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html38
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html34
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html20
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html36
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html9
-rw-r--r--security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html34
-rw-r--r--security/manager/ssl/tests/mochitest/moz.build10
-rw-r--r--security/manager/ssl/tests/moz.build17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expired-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredINT.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key16
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mitm.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/noValidNames.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValid.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.key28
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem22
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/v1Cert.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/corrupted_crlite_helper.js103
-rwxr-xr-xsecurity/manager/ssl/tests/unit/crlite_enrollment_id.py33
-rwxr-xr-xsecurity/manager/ssl/tests/unit/crlite_key.py58
-rw-r--r--security/manager/ssl/tests/unit/head_psm.js1247
-rw-r--r--security/manager/ssl/tests/unit/moz.build10
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem20
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem20
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key28
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key16
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem15
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/pkcs11testmodule/moz.build20
-rw-r--r--security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp597
-rw-r--r--security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols1
-rw-r--r--security/manager/ssl/tests/unit/requirements.txt6
-rwxr-xr-xsecurity/manager/ssl/tests/unit/sign_app.py426
-rw-r--r--security/manager/ssl/tests/unit/test_add_preexisting_cert.js46
-rw-r--r--security/manager/ssl/tests/unit/test_allow_all_cert_errors.js25
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js78
-rw-r--r--security/manager/ssl/tests/unit/test_blocklist_onecrl.js148
-rw-r--r--security/manager/ssl/tests/unit/test_broken_fips.js61
-rw-r--r--security/manager/ssl/tests/unit/test_broken_fips/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt5
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js56
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js117
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import.js187
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfxbin0 -> 2041 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfxbin0 -> 2068 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfxbin0 -> 2068 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12bin0 -> 3239 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js123
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js148
-rw-r--r--security/manager/ssl/tests/unit/test_cert_chains.js394
-rw-r--r--security/manager/ssl/tests/unit/test_cert_dbKey.js225
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku.js189
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null.js54
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_expiration_canary.js40
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage.js76
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_override_read.js188
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides.js767
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides_read_only.js94
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.dbbin0 -> 28672 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1.js53
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures.js140
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage.js258
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_broken_db.js72
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct.js417
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem27
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem41
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlitebin0 -> 15244 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem27
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem34
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting.js48
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdbbin0 -> 45056 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.binbin0 -> 122 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdbbin0 -> 8192 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js83
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coveragebin0 -> 97 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment1
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filterbin0 -> 15244 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.binbin0 -> 1607775 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust.js324
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/int.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_utf8.js79
-rw-r--r--security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem24
-rw-r--r--security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version.js304
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec2
-rwxr-xr-xsecurity/manager/ssl/tests/unit/test_cert_version/generate.py93
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js83
-rw-r--r--security/manager/ssl/tests/unit/test_constructX509FromBase64.js87
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing.js438
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/pysign.py36
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/test.txt1
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/test.txt.signature1
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash1
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filterbin0 -> 1 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment2
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage2
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coveragebin0 -> 48 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coveragebin0 -> 36 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coveragebin0 -> 49 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollmentbin0 -> 33 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_missing.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js19
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js19
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_version.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js19
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_enrollment_version.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js21
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters.js880
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filterbin0 -> 62 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stashbin0 -> 36632 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stashbin0 -> 57737 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem28
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem27
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem33
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem38
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem36
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem36
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem42
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/valid.pem39
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting.js208
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coveragebin0 -> 97 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment1
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stashbin0 -> 209843 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js91
-rw-r--r--security/manager/ssl/tests/unit/test_ct.js72
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem28
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem34
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ct/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_data_storage.js119
-rw-r--r--security/manager/ssl/tests/unit/test_db_format_pref_new.js30
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials.js91
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key5
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem16
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key6
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_der.js345
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello.js101
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js32
-rw-r--r--security/manager/ssl/tests/unit/test_enterprise_roots.js83
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs.js310
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem23
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem23
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server.js142
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.key5
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key5
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js119
-rw-r--r--security/manager/ssl/tests/unit/test_hash_algorithms.js149
-rw-r--r--security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js138
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads.js528
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize.js204
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem9
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev.js169
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec8
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_logoutAndTeardown.js192
-rw-r--r--security/manager/ssl/tests/unit/test_missing_intermediate.js92
-rw-r--r--security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints.js71
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/dciss.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_nonascii_path.js52
-rw-r--r--security/manager/ssl/tests/unit/test_nsCertType.js32
-rw-r--r--security/manager/ssl/tests/unit/test_nsIX509CertValidity.js25
-rw-r--r--security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js96
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_caching.js479
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js146
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_must_staple.js160
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js58
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_private_caching.js115
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_required.js95
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_stapling.js400
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js324
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js48
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_timeout.js100
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url.js122
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt41
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_osclientcerts_module.js60
-rw-r--r--security/manager/ssl/tests/unit/test_oskeystore.js272
-rw-r--r--security/manager/ssl/tests/unit/test_osreauthenticator.js27
-rw-r--r--security/manager/ssl/tests/unit/test_password_prompt.js87
-rw-r--r--security/manager/ssl/tests/unit/test_pinning.js318
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_module.js58
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js46
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js58
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_slot.js161
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_token.js149
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem38
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem23
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js95
-rw-r--r--security/manager/ssl/tests/unit/test_sdr.js272
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting.js79
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js135
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs.js109
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/cert9.dbbin0 -> 45056 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_session_resumption.js291
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps.js1038
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app/README1
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app/data/image.pngbin0 -> 534 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json5
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest10
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sigbin0 -> 655 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README2
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.pngbin0 -> 534 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json5
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zipbin0 -> 2678 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zipbin0 -> 2341 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zipbin0 -> 2362 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zipbin0 -> 2624 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zipbin0 -> 2288 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zipbin0 -> 2309 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zipbin0 -> 2643 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zipbin0 -> 2307 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zipbin0 -> 2327 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zipbin0 -> 2562 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zipbin0 -> 2226 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zipbin0 -> 2247 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zipbin0 -> 2513 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zipbin0 -> 2174 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zipbin0 -> 2196 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zipbin0 -> 2526 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zipbin0 -> 2192 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zipbin0 -> 2210 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zipbin0 -> 2601 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zipbin0 -> 2264 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zipbin0 -> 2287 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zipbin0 -> 2549 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zipbin0 -> 2213 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zipbin0 -> 2234 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zipbin0 -> 2567 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zipbin0 -> 2232 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zipbin0 -> 2251 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zipbin0 -> 459148 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zipbin0 -> 459984 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zipbin0 -> 458382 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zipbin0 -> 459272 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zipbin0 -> 459192 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zipbin0 -> 460028 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zipbin0 -> 458426 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zipbin0 -> 459315 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zipbin0 -> 8107 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zipbin0 -> 2698 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zipbin0 -> 4047 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zipbin0 -> 3946 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zipbin0 -> 3398 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zipbin0 -> 3379 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zipbin0 -> 1890 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zipbin0 -> 31397 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/moz.build78
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zipbin0 -> 2110 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zipbin0 -> 1565 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zipbin0 -> 2257 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zipbin0 -> 510 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zipbin0 -> 3394 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zipbin0 -> 3393 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.derbin0 -> 794 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_ssl_status.js75
-rw-r--r--security/manager/ssl/tests/unit/test_sss_eviction.js41
-rw-r--r--security/manager/ssl/tests/unit/test_sss_migration.js64
-rw-r--r--security/manager/ssl/tests/unit/test_sss_originAttributes.js105
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate.js141
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_empty.js43
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_garbage.js77
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_huge.js72
-rw-r--r--security/manager/ssl/tests/unit/test_sss_resetState.js62
-rw-r--r--security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js59
-rw-r--r--security/manager/ssl/tests/unit/test_sss_savestate.js91
-rw-r--r--security/manager/ssl/tests/unit/test_sts_fqdn.js40
-rw-r--r--security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js55
-rw-r--r--security/manager/ssl/tests/unit/test_sts_parser.js126
-rw-r--r--security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js269
-rw-r--r--security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js22
-rw-r--r--security/manager/ssl/tests/unit/test_validity.js106
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec8
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_x509.js124
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp141
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp142
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp178
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp257
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp168
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp153
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp87
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/moz.build45
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/default-ee.der3
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp204
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h66
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp694
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h93
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/moz.build48
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/moz.build8
-rw-r--r--security/manager/ssl/tests/unit/xpcshell-smartcards.toml22
-rw-r--r--security/manager/ssl/tests/unit/xpcshell.toml361
-rw-r--r--security/manager/tools/.eslintrc.js13
-rw-r--r--security/manager/tools/KnownRootHashes.json1343
-rw-r--r--security/manager/tools/PreloadedHPKPins.json207
-rw-r--r--security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py156
-rw-r--r--security/manager/tools/crtshToIdentifyingStruct/requirements.txt4
-rw-r--r--security/manager/tools/dumpGoogleRoots.js108
-rw-r--r--security/manager/tools/genRootCAHashes.js275
-rwxr-xr-xsecurity/manager/tools/getCTKnownLogs.py330
-rw-r--r--security/manager/tools/log_list.json403
-rw-r--r--security/manager/tools/mach_commands.py129
-rwxr-xr-xsecurity/manager/tools/pycert.py805
-rwxr-xr-xsecurity/manager/tools/pycms.py219
-rw-r--r--security/manager/tools/pyct.py103
-rwxr-xr-xsecurity/manager/tools/pykey.py957
-rw-r--r--security/manager/tools/pypkcs12.py124
1424 files changed, 256386 insertions, 0 deletions
diff --git a/security/manager/android_stub.h b/security/manager/android_stub.h
new file mode 100644
index 0000000000..8e83f76568
--- /dev/null
+++ b/security/manager/android_stub.h
@@ -0,0 +1,31 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This file allows NSS to build by stubbing out
+ * features that aren't provided by Android/Bionic */
+
+#ifndef ANDROID_STUB_H
+#define ANDROID_STUB_H
+
+/* sysinfo is defined but not implemented.
+ * we may be able to implement it ourselves. */
+#define _SYS_SYSINFO_H_
+
+#include <sys/cdefs.h>
+#include <sys/resource.h>
+#include <linux/kernel.h>
+#include <unistd.h>
+
+#ifndef ANDROID_VERSION
+# include <android/api-level.h>
+# define ANDROID_VERSION __ANDROID_API__
+#endif
+
+#if ANDROID_VERSION < 21
+# define RTLD_NOLOAD 0
+#endif
+
+#define sysinfo(foo) -1
+
+#endif /* ANDROID_STUB_H */
diff --git a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties
new file mode 100644
index 0000000000..d698db12af
--- /dev/null
+++ b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties
@@ -0,0 +1,331 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SSL_ERROR_EXPORT_ONLY_SERVER=Unable to communicate securely. Peer does not support high-grade encryption.
+SSL_ERROR_US_ONLY_SERVER=Unable to communicate securely. Peer requires high-grade encryption which is not supported.
+SSL_ERROR_NO_CYPHER_OVERLAP=Cannot communicate securely with peer: no common encryption algorithm(s).
+SSL_ERROR_NO_CERTIFICATE=Unable to find the certificate or key necessary for authentication.
+SSL_ERROR_BAD_CERTIFICATE=Unable to communicate securely with peer: peers’s certificate was rejected.
+SSL_ERROR_BAD_CLIENT=The server has encountered bad data from the client.
+SSL_ERROR_BAD_SERVER=The client has encountered bad data from the server.
+SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE=Unsupported certificate type.
+SSL_ERROR_UNSUPPORTED_VERSION=Peer using unsupported version of security protocol.
+SSL_ERROR_WRONG_CERTIFICATE=Client authentication failed: private key in key database does not match public key in certificate database.
+SSL_ERROR_BAD_CERT_DOMAIN=Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
+SSL_ERROR_POST_WARNING=Unrecognized SSL error code.
+SSL_ERROR_SSL2_DISABLED=Peer only supports SSL version 2, which is locally disabled.
+SSL_ERROR_BAD_MAC_READ=SSL received a record with an incorrect Message Authentication Code.
+SSL_ERROR_BAD_MAC_ALERT=SSL peer reports incorrect Message Authentication Code.
+SSL_ERROR_BAD_CERT_ALERT=SSL peer cannot verify your certificate.
+SSL_ERROR_REVOKED_CERT_ALERT=SSL peer rejected your certificate as revoked.
+SSL_ERROR_EXPIRED_CERT_ALERT=SSL peer rejected your certificate as expired.
+SSL_ERROR_SSL_DISABLED=Cannot connect: SSL is disabled.
+SSL_ERROR_FORTEZZA_PQG=Cannot connect: SSL peer is in another FORTEZZA domain.
+SSL_ERROR_UNKNOWN_CIPHER_SUITE=An unknown SSL cipher suite has been requested.
+SSL_ERROR_NO_CIPHERS_SUPPORTED=No cipher suites are present and enabled in this program.
+SSL_ERROR_BAD_BLOCK_PADDING=SSL received a record with bad block padding.
+SSL_ERROR_RX_RECORD_TOO_LONG=SSL received a record that exceeded the maximum permissible length.
+SSL_ERROR_TX_RECORD_TOO_LONG=SSL attempted to send a record that exceeded the maximum permissible length.
+SSL_ERROR_RX_MALFORMED_HELLO_REQUEST=SSL received a malformed Hello Request handshake message.
+SSL_ERROR_RX_MALFORMED_CLIENT_HELLO=SSL received a malformed Client Hello handshake message.
+SSL_ERROR_RX_MALFORMED_SERVER_HELLO=SSL received a malformed Server Hello handshake message.
+SSL_ERROR_RX_MALFORMED_CERTIFICATE=SSL received a malformed Certificate handshake message.
+SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH=SSL received a malformed Server Key Exchange handshake message.
+SSL_ERROR_RX_MALFORMED_CERT_REQUEST=SSL received a malformed Certificate Request handshake message.
+SSL_ERROR_RX_MALFORMED_HELLO_DONE=SSL received a malformed Server Hello Done handshake message.
+SSL_ERROR_RX_MALFORMED_CERT_VERIFY=SSL received a malformed Certificate Verify handshake message.
+SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH=SSL received a malformed Client Key Exchange handshake message.
+SSL_ERROR_RX_MALFORMED_FINISHED=SSL received a malformed Finished handshake message.
+SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER=SSL received a malformed Change Cipher Spec record.
+SSL_ERROR_RX_MALFORMED_ALERT=SSL received a malformed Alert record.
+SSL_ERROR_RX_MALFORMED_HANDSHAKE=SSL received a malformed Handshake record.
+SSL_ERROR_RX_MALFORMED_APPLICATION_DATA=SSL received a malformed Application Data record.
+SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST=SSL received an unexpected Hello Request handshake message.
+SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO=SSL received an unexpected Client Hello handshake message.
+SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO=SSL received an unexpected Server Hello handshake message.
+SSL_ERROR_RX_UNEXPECTED_CERTIFICATE=SSL received an unexpected Certificate handshake message.
+SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH=SSL received an unexpected Server Key Exchange handshake message.
+SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST=SSL received an unexpected Certificate Request handshake message.
+SSL_ERROR_RX_UNEXPECTED_HELLO_DONE=SSL received an unexpected Server Hello Done handshake message.
+SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY=SSL received an unexpected Certificate Verify handshake message.
+SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH=SSL received an unexpected Client Key Exchange handshake message.
+SSL_ERROR_RX_UNEXPECTED_FINISHED=SSL received an unexpected Finished handshake message.
+SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER=SSL received an unexpected Change Cipher Spec record.
+SSL_ERROR_RX_UNEXPECTED_ALERT=SSL received an unexpected Alert record.
+SSL_ERROR_RX_UNEXPECTED_HANDSHAKE=SSL received an unexpected Handshake record.
+SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA=SSL received an unexpected Application Data record.
+SSL_ERROR_RX_UNKNOWN_RECORD_TYPE=SSL received a record with an unknown content type.
+SSL_ERROR_RX_UNKNOWN_HANDSHAKE=SSL received a handshake message with an unknown message type.
+SSL_ERROR_RX_UNKNOWN_ALERT=SSL received an alert record with an unknown alert description.
+SSL_ERROR_CLOSE_NOTIFY_ALERT=SSL peer has closed this connection.
+SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT=SSL peer was not expecting a handshake message it received.
+SSL_ERROR_DECOMPRESSION_FAILURE_ALERT=SSL peer was unable to successfully decompress an SSL record it received.
+SSL_ERROR_HANDSHAKE_FAILURE_ALERT=SSL peer was unable to negotiate an acceptable set of security parameters.
+SSL_ERROR_ILLEGAL_PARAMETER_ALERT=SSL peer rejected a handshake message for unacceptable content.
+SSL_ERROR_UNSUPPORTED_CERT_ALERT=SSL peer does not support certificates of the type it received.
+SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT=SSL peer had some unspecified issue with the certificate it received.
+SSL_ERROR_GENERATE_RANDOM_FAILURE=SSL experienced a failure of its random number generator.
+SSL_ERROR_SIGN_HASHES_FAILURE=Unable to digitally sign data required to verify your certificate.
+SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE=SSL was unable to extract the public key from the peer’s certificate.
+SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE=Unspecified failure while processing SSL Server Key Exchange handshake.
+SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE=Unspecified failure while processing SSL Client Key Exchange handshake.
+SSL_ERROR_ENCRYPTION_FAILURE=Bulk data encryption algorithm failed in selected cipher suite.
+SSL_ERROR_DECRYPTION_FAILURE=Bulk data decryption algorithm failed in selected cipher suite.
+SSL_ERROR_SOCKET_WRITE_FAILURE=Attempt to write encrypted data to underlying socket failed.
+SSL_ERROR_MD5_DIGEST_FAILURE=MD5 digest function failed.
+SSL_ERROR_SHA_DIGEST_FAILURE=SHA-1 digest function failed.
+SSL_ERROR_MAC_COMPUTATION_FAILURE=MAC computation failed.
+SSL_ERROR_SYM_KEY_CONTEXT_FAILURE=Failure to create Symmetric Key context.
+SSL_ERROR_SYM_KEY_UNWRAP_FAILURE=Failure to unwrap the Symmetric key in Client Key Exchange message.
+SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED=SSL Server attempted to use domestic-grade public key with export cipher suite.
+SSL_ERROR_IV_PARAM_FAILURE=PKCS11 code failed to translate an IV into a param.
+SSL_ERROR_INIT_CIPHER_SUITE_FAILURE=Failed to initialize the selected cipher suite.
+SSL_ERROR_SESSION_KEY_GEN_FAILURE=Client failed to generate session keys for SSL session.
+SSL_ERROR_NO_SERVER_KEY_FOR_ALG=Server has no key for the attempted key exchange algorithm.
+SSL_ERROR_TOKEN_INSERTION_REMOVAL=PKCS#11 token was inserted or removed while operation was in progress.
+SSL_ERROR_TOKEN_SLOT_NOT_FOUND=No PKCS#11 token could be found to do a required operation.
+SSL_ERROR_NO_COMPRESSION_OVERLAP=Cannot communicate securely with peer: no common compression algorithm(s).
+SSL_ERROR_HANDSHAKE_NOT_COMPLETED=Cannot initiate another SSL handshake until current handshake is complete.
+SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE=Received incorrect handshakes hash values from peer.
+SSL_ERROR_CERT_KEA_MISMATCH=The certificate provided cannot be used with the selected key exchange algorithm.
+SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA=No certificate authority is trusted for SSL client authentication.
+SSL_ERROR_SESSION_NOT_FOUND=Client’s SSL session ID not found in server’s session cache.
+SSL_ERROR_DECRYPTION_FAILED_ALERT=Peer was unable to decrypt an SSL record it received.
+SSL_ERROR_RECORD_OVERFLOW_ALERT=Peer received an SSL record that was longer than is permitted.
+SSL_ERROR_UNKNOWN_CA_ALERT=Peer does not recognize and trust the CA that issued your certificate.
+SSL_ERROR_ACCESS_DENIED_ALERT=Peer received a valid certificate, but access was denied.
+SSL_ERROR_DECODE_ERROR_ALERT=Peer could not decode an SSL handshake message.
+SSL_ERROR_DECRYPT_ERROR_ALERT=Peer reports failure of signature verification or key exchange.
+SSL_ERROR_EXPORT_RESTRICTION_ALERT=Peer reports negotiation not in compliance with export regulations.
+SSL_ERROR_PROTOCOL_VERSION_ALERT=Peer reports incompatible or unsupported protocol version.
+SSL_ERROR_INSUFFICIENT_SECURITY_ALERT=Server requires ciphers more secure than those supported by client.
+SSL_ERROR_INTERNAL_ERROR_ALERT=Peer reports it experienced an internal error.
+SSL_ERROR_USER_CANCELED_ALERT=Peer user canceled handshake.
+SSL_ERROR_NO_RENEGOTIATION_ALERT=Peer does not permit renegotiation of SSL security parameters.
+SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED=SSL server cache not configured and not disabled for this socket.
+SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT=SSL peer does not support requested TLS hello extension.
+SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT=SSL peer could not obtain your certificate from the supplied URL.
+SSL_ERROR_UNRECOGNIZED_NAME_ALERT=SSL peer has no certificate for the requested DNS name.
+SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT=SSL peer was unable to get an OCSP response for its certificate.
+SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT=SSL peer reported bad certificate hash value.
+SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET=SSL received an unexpected New Session Ticket handshake message.
+SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET=SSL received a malformed New Session Ticket handshake message.
+SSL_ERROR_DECOMPRESSION_FAILURE=SSL received a compressed record that could not be decompressed.
+SSL_ERROR_RENEGOTIATION_NOT_ALLOWED=Renegotiation is not allowed on this SSL socket.
+SSL_ERROR_UNSAFE_NEGOTIATION=Peer attempted old style (potentially vulnerable) handshake.
+SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD=SSL received an unexpected uncompressed record.
+SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY=SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
+SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID=SSL received invalid NPN extension data.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2=SSL feature not supported for SSL 2.0 connections.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS=SSL feature not supported for servers.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS=SSL feature not supported for clients.
+SSL_ERROR_INVALID_VERSION_RANGE=SSL version range is not valid.
+SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION=SSL peer selected a cipher suite disallowed for the selected protocol version.
+SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST=SSL received a malformed Hello Verify Request handshake message.
+SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST=SSL received an unexpected Hello Verify Request handshake message.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION=SSL feature not supported for the protocol version.
+SSL_ERROR_RX_UNEXPECTED_CERT_STATUS=SSL received an unexpected Certificate Status handshake message.
+SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM=Unsupported hash algorithm used by TLS peer.
+SSL_ERROR_DIGEST_FAILURE=Digest function failed.
+SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM=Incorrect signature algorithm specified in a digitally-signed element.
+SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK=The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.
+SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL=The server supports no protocols that the client advertises in the ALPN extension.
+SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT=The server rejected the handshake because the client downgraded to a lower TLS version than the server supports.
+SSL_ERROR_WEAK_SERVER_CERT_KEY=The server certificate included a public key that was too weak.
+SSL_ERROR_RX_SHORT_DTLS_READ=Not enough room in buffer for DTLS record.
+SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM=No supported TLS signature algorithm was configured.
+SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM=The peer used an unsupported combination of signature and hash algorithm.
+SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET=The peer tried to resume without a correct extended_master_secret extension.
+SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET=The peer tried to resume with an unexpected extended_master_secret extension.
+SEC_ERROR_IO=An I/O error occurred during security authorization.
+SEC_ERROR_LIBRARY_FAILURE=security library failure.
+SEC_ERROR_BAD_DATA=security library: received bad data.
+SEC_ERROR_OUTPUT_LEN=security library: output length error.
+SEC_ERROR_INPUT_LEN=security library has experienced an input length error.
+SEC_ERROR_INVALID_ARGS=security library: invalid arguments.
+SEC_ERROR_INVALID_ALGORITHM=security library: invalid algorithm.
+SEC_ERROR_INVALID_AVA=security library: invalid AVA.
+SEC_ERROR_INVALID_TIME=Improperly formatted time string.
+SEC_ERROR_BAD_DER=security library: improperly formatted DER-encoded message.
+SEC_ERROR_BAD_SIGNATURE=Peer’s certificate has an invalid signature.
+SEC_ERROR_EXPIRED_CERTIFICATE=Peer’s Certificate has expired.
+SEC_ERROR_REVOKED_CERTIFICATE=Peer’s Certificate has been revoked.
+SEC_ERROR_UNKNOWN_ISSUER=Peer’s Certificate issuer is not recognized.
+SEC_ERROR_BAD_KEY=Peer’s public key is invalid.
+SEC_ERROR_BAD_PASSWORD=The security password entered is incorrect.
+SEC_ERROR_RETRY_PASSWORD=New password entered incorrectly. Please try again.
+SEC_ERROR_NO_NODELOCK=security library: no nodelock.
+SEC_ERROR_BAD_DATABASE=security library: bad database.
+SEC_ERROR_NO_MEMORY=security library: memory allocation failure.
+SEC_ERROR_UNTRUSTED_ISSUER=Peer’s certificate issuer has been marked as not trusted by the user.
+SEC_ERROR_UNTRUSTED_CERT=Peer’s certificate has been marked as not trusted by the user.
+SEC_ERROR_DUPLICATE_CERT=Certificate already exists in your database.
+SEC_ERROR_DUPLICATE_CERT_NAME=Downloaded certificate’s name duplicates one already in your database.
+SEC_ERROR_ADDING_CERT=Error adding certificate to database.
+SEC_ERROR_FILING_KEY=Error refiling the key for this certificate.
+SEC_ERROR_NO_KEY=The private key for this certificate cannot be found in key database
+SEC_ERROR_CERT_VALID=This certificate is valid.
+SEC_ERROR_CERT_NOT_VALID=This certificate is not valid.
+SEC_ERROR_CERT_NO_RESPONSE=Cert Library: No Response
+SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE=The certificate issuer’s certificate has expired. Check your system date and time.
+SEC_ERROR_CRL_EXPIRED=The CRL for the certificate’s issuer has expired. Update it or check your system date and time.
+SEC_ERROR_CRL_BAD_SIGNATURE=The CRL for the certificate’s issuer has an invalid signature.
+SEC_ERROR_CRL_INVALID=New CRL has an invalid format.
+SEC_ERROR_EXTENSION_VALUE_INVALID=Certificate extension value is invalid.
+SEC_ERROR_EXTENSION_NOT_FOUND=Certificate extension not found.
+SEC_ERROR_CA_CERT_INVALID=Issuer certificate is invalid.
+SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID=Certificate path length constraint is invalid.
+SEC_ERROR_CERT_USAGES_INVALID=Certificate usages field is invalid.
+SEC_INTERNAL_ONLY=**Internal ONLY module**
+SEC_ERROR_INVALID_KEY=The key does not support the requested operation.
+SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION=Certificate contains unknown critical extension.
+SEC_ERROR_OLD_CRL=New CRL is not later than the current one.
+SEC_ERROR_NO_EMAIL_CERT=Not encrypted or signed: you do not yet have an email certificate.
+SEC_ERROR_NO_RECIPIENT_CERTS_QUERY=Not encrypted: you do not have certificates for each of the recipients.
+SEC_ERROR_NOT_A_RECIPIENT=Cannot decrypt: you are not a recipient, or matching certificate and private key not found.
+SEC_ERROR_PKCS7_KEYALG_MISMATCH=Cannot decrypt: key encryption algorithm does not match your certificate.
+SEC_ERROR_PKCS7_BAD_SIGNATURE=Signature verification failed: no signer found, too many signers found, or improper or corrupted data.
+SEC_ERROR_UNSUPPORTED_KEYALG=Unsupported or unknown key algorithm.
+SEC_ERROR_DECRYPTION_DISALLOWED=Cannot decrypt: encrypted using a disallowed algorithm or key size.
+XP_SEC_FORTEZZA_BAD_CARD=Fortezza card has not been properly initialized. Please remove it and return it to your issuer.
+XP_SEC_FORTEZZA_NO_CARD=No Fortezza cards Found
+XP_SEC_FORTEZZA_NONE_SELECTED=No Fortezza card selected
+XP_SEC_FORTEZZA_MORE_INFO=Please select a personality to get more info on
+XP_SEC_FORTEZZA_PERSON_NOT_FOUND=Personality not found
+XP_SEC_FORTEZZA_NO_MORE_INFO=No more information on that Personality
+XP_SEC_FORTEZZA_BAD_PIN=Invalid Pin
+XP_SEC_FORTEZZA_PERSON_ERROR=Couldn’t initialize Fortezza personalities.
+SEC_ERROR_NO_KRL=No KRL for this site’s certificate has been found.
+SEC_ERROR_KRL_EXPIRED=The KRL for this site’s certificate has expired.
+SEC_ERROR_KRL_BAD_SIGNATURE=The KRL for this site’s certificate has an invalid signature.
+SEC_ERROR_REVOKED_KEY=The key for this site’s certificate has been revoked.
+SEC_ERROR_KRL_INVALID=New KRL has an invalid format.
+SEC_ERROR_NEED_RANDOM=security library: need random data.
+SEC_ERROR_NO_MODULE=security library: no security module can perform the requested operation.
+SEC_ERROR_NO_TOKEN=The security card or token does not exist, needs to be initialized, or has been removed.
+SEC_ERROR_READ_ONLY=security library: read-only database.
+SEC_ERROR_NO_SLOT_SELECTED=No slot or token was selected.
+SEC_ERROR_CERT_NICKNAME_COLLISION=A certificate with the same nickname already exists.
+SEC_ERROR_KEY_NICKNAME_COLLISION=A key with the same nickname already exists.
+SEC_ERROR_SAFE_NOT_CREATED=error while creating safe object
+SEC_ERROR_BAGGAGE_NOT_CREATED=error while creating baggage object
+XP_JAVA_REMOVE_PRINCIPAL_ERROR=Couldn’t remove the principal
+XP_JAVA_DELETE_PRIVILEGE_ERROR=Couldn’t delete the privilege
+XP_JAVA_CERT_NOT_EXISTS_ERROR=This principal doesn’t have a certificate
+SEC_ERROR_BAD_EXPORT_ALGORITHM=Required algorithm is not allowed.
+SEC_ERROR_EXPORTING_CERTIFICATES=Error attempting to export certificates.
+SEC_ERROR_IMPORTING_CERTIFICATES=Error attempting to import certificates.
+SEC_ERROR_PKCS12_DECODING_PFX=Unable to import. Decoding error. File not valid.
+SEC_ERROR_PKCS12_INVALID_MAC=Unable to import. Invalid MAC. Incorrect password or corrupt file.
+SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM=Unable to import. MAC algorithm not supported.
+SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE=Unable to import. Only password integrity and privacy modes supported.
+SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE=Unable to import. File structure is corrupt.
+SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM=Unable to import. Encryption algorithm not supported.
+SEC_ERROR_PKCS12_UNSUPPORTED_VERSION=Unable to import. File version not supported.
+SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT=Unable to import. Incorrect privacy password.
+SEC_ERROR_PKCS12_CERT_COLLISION=Unable to import. Same nickname already exists in database.
+SEC_ERROR_USER_CANCELLED=The user pressed cancel.
+SEC_ERROR_PKCS12_DUPLICATE_DATA=Not imported, already in database.
+SEC_ERROR_MESSAGE_SEND_ABORTED=Message not sent.
+SEC_ERROR_INADEQUATE_KEY_USAGE=Certificate key usage inadequate for attempted operation.
+SEC_ERROR_INADEQUATE_CERT_TYPE=Certificate type not approved for application.
+SEC_ERROR_CERT_ADDR_MISMATCH=Address in signing certificate does not match address in message headers.
+SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY=Unable to import. Error attempting to import private key.
+SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN=Unable to import. Error attempting to import certificate chain.
+SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME=Unable to export. Unable to locate certificate or key by nickname.
+SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY=Unable to export. Private Key could not be located and exported.
+SEC_ERROR_PKCS12_UNABLE_TO_WRITE=Unable to export. Unable to write the export file.
+SEC_ERROR_PKCS12_UNABLE_TO_READ=Unable to import. Unable to read the import file.
+SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED=Unable to export. Key database corrupt or deleted.
+SEC_ERROR_KEYGEN_FAIL=Unable to generate public/private key pair.
+SEC_ERROR_INVALID_PASSWORD=Password entered is invalid. Please pick a different one.
+SEC_ERROR_RETRY_OLD_PASSWORD=Old password entered incorrectly. Please try again.
+SEC_ERROR_BAD_NICKNAME=Certificate nickname already in use.
+SEC_ERROR_NOT_FORTEZZA_ISSUER=Peer FORTEZZA chain has a non-FORTEZZA Certificate.
+SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY=A sensitive key cannot be moved to the slot where it is needed.
+SEC_ERROR_JS_INVALID_MODULE_NAME=Invalid module name.
+SEC_ERROR_JS_INVALID_DLL=Invalid module path/filename
+SEC_ERROR_JS_ADD_MOD_FAILURE=Unable to add module
+SEC_ERROR_JS_DEL_MOD_FAILURE=Unable to delete module
+SEC_ERROR_OLD_KRL=New KRL is not later than the current one.
+SEC_ERROR_CKL_CONFLICT=New CKL has different issuer than current CKL. Delete current CKL.
+SEC_ERROR_CERT_NOT_IN_NAME_SPACE=The Certifying Authority for this certificate is not permitted to issue a certificate with this name.
+SEC_ERROR_KRL_NOT_YET_VALID=The key revocation list for this certificate is not yet valid.
+SEC_ERROR_CRL_NOT_YET_VALID=The certificate revocation list for this certificate is not yet valid.
+SEC_ERROR_UNKNOWN_CERT=The requested certificate could not be found.
+SEC_ERROR_UNKNOWN_SIGNER=The signer’s certificate could not be found.
+SEC_ERROR_CERT_BAD_ACCESS_LOCATION=The location for the certificate status server has invalid format.
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE=The OCSP response cannot be fully decoded; it is of an unknown type.
+SEC_ERROR_OCSP_BAD_HTTP_RESPONSE=The OCSP server returned unexpected/invalid HTTP data.
+SEC_ERROR_OCSP_MALFORMED_REQUEST=The OCSP server found the request to be corrupted or improperly formed.
+SEC_ERROR_OCSP_SERVER_ERROR=The OCSP server experienced an internal error.
+SEC_ERROR_OCSP_TRY_SERVER_LATER=The OCSP server suggests trying again later.
+SEC_ERROR_OCSP_REQUEST_NEEDS_SIG=The OCSP server requires a signature on this request.
+SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST=The OCSP server has refused this request as unauthorized.
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS=The OCSP server returned an unrecognizable status.
+SEC_ERROR_OCSP_UNKNOWN_CERT=The OCSP server has no status for the certificate.
+SEC_ERROR_OCSP_NOT_ENABLED=You must enable OCSP before performing this operation.
+SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER=You must set the OCSP default responder before performing this operation.
+SEC_ERROR_OCSP_MALFORMED_RESPONSE=The response from the OCSP server was corrupted or improperly formed.
+SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE=The signer of the OCSP response is not authorized to give status for this certificate.
+SEC_ERROR_OCSP_FUTURE_RESPONSE=The OCSP response is not yet valid (contains a date in the future).
+SEC_ERROR_OCSP_OLD_RESPONSE=The OCSP response contains out-of-date information.
+SEC_ERROR_DIGEST_NOT_FOUND=The CMS or PKCS #7 Digest was not found in signed message.
+SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE=The CMS or PKCS #7 Message type is unsupported.
+SEC_ERROR_MODULE_STUCK=PKCS #11 module could not be removed because it is still in use.
+SEC_ERROR_BAD_TEMPLATE=Could not decode ASN.1 data. Specified template was invalid.
+SEC_ERROR_CRL_NOT_FOUND=No matching CRL was found.
+SEC_ERROR_REUSED_ISSUER_AND_SERIAL=You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
+SEC_ERROR_BUSY=NSS could not shutdown. Objects are still in use.
+SEC_ERROR_EXTRA_INPUT=DER-encoded message contained extra unused data.
+SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE=Unsupported elliptic curve.
+SEC_ERROR_UNSUPPORTED_EC_POINT_FORM=Unsupported elliptic curve point form.
+SEC_ERROR_UNRECOGNIZED_OID=Unrecognized Object Identifier.
+SEC_ERROR_OCSP_INVALID_SIGNING_CERT=Invalid OCSP signing certificate in OCSP response.
+SEC_ERROR_REVOKED_CERTIFICATE_CRL=Certificate is revoked in issuer’s certificate revocation list.
+SEC_ERROR_REVOKED_CERTIFICATE_OCSP=Issuer’s OCSP responder reports certificate is revoked.
+SEC_ERROR_CRL_INVALID_VERSION=Issuer’s Certificate Revocation List has an unknown version number.
+SEC_ERROR_CRL_V1_CRITICAL_EXTENSION=Issuer’s V1 Certificate Revocation List has a critical extension.
+SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION=Issuer’s V2 Certificate Revocation List has an unknown critical extension.
+SEC_ERROR_UNKNOWN_OBJECT_TYPE=Unknown object type specified.
+SEC_ERROR_INCOMPATIBLE_PKCS11=PKCS #11 driver violates the spec in an incompatible way.
+SEC_ERROR_NO_EVENT=No new slot event is available at this time.
+SEC_ERROR_CRL_ALREADY_EXISTS=CRL already exists.
+SEC_ERROR_NOT_INITIALIZED=NSS is not initialized.
+SEC_ERROR_TOKEN_NOT_LOGGED_IN=The operation failed because the PKCS#11 token is not logged in.
+SEC_ERROR_OCSP_RESPONDER_CERT_INVALID=Configured OCSP responder’s certificate is invalid.
+SEC_ERROR_OCSP_BAD_SIGNATURE=OCSP response has an invalid signature.
+SEC_ERROR_OUT_OF_SEARCH_LIMITS=Cert validation search is out of search limits
+SEC_ERROR_INVALID_POLICY_MAPPING=Policy mapping contains anypolicy
+SEC_ERROR_POLICY_VALIDATION_FAILED=Cert chain fails policy validation
+SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE=Unknown location type in cert AIA extension
+SEC_ERROR_BAD_HTTP_RESPONSE=Server returned bad HTTP response
+SEC_ERROR_BAD_LDAP_RESPONSE=Server returned bad LDAP response
+SEC_ERROR_FAILED_TO_ENCODE_DATA=Failed to encode data with ASN1 encoder
+SEC_ERROR_BAD_INFO_ACCESS_LOCATION=Bad information access location in cert extension
+SEC_ERROR_LIBPKIX_INTERNAL=Libpkix internal error occurred during cert validation.
+SEC_ERROR_PKCS11_GENERAL_ERROR=A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.
+SEC_ERROR_PKCS11_FUNCTION_FAILED=A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed.
+SEC_ERROR_PKCS11_DEVICE_ERROR=A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
+SEC_ERROR_BAD_INFO_ACCESS_METHOD=Unknown information access method in certificate extension.
+SEC_ERROR_CRL_IMPORT_FAILED=Error attempting to import a CRL.
+SEC_ERROR_EXPIRED_PASSWORD=The password expired.
+SEC_ERROR_LOCKED_PASSWORD=The password is locked.
+SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error.
+SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name.
+SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure.
+MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE=The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
+MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY=The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case.
+MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection.
+MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA=An X.509 version 1 certificate that is not a trust anchor was used to issue the server’s certificate. X.509 version 1 certificates are deprecated and should not be used to sign other certificates.
+MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE=The server presented a certificate that is not yet valid.
+MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE=A certificate that is not yet valid was used to issue the server’s certificate.
+MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH=The signature algorithm in the signature field of the certificate does not match the algorithm in its signatureAlgorithm field.
+MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING=The OCSP response does not include a status for the certificate being verified.
+MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG=The server presented a certificate that is valid for too long.
+MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING=A required TLS feature is missing.
+MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING=The server presented a certificate that contains an invalid encoding of an integer. Common causes include negative serial numbers, negative RSA moduli, and encodings that are longer than necessary.
+MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME=The server presented a certificate with an empty issuer distinguished name.
+MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED=An additional policy constraint failed when validating this certificate.
+MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT=The certificate is not trusted because it is self-signed.
diff --git a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
new file mode 100644
index 0000000000..c7f946dd60
--- /dev/null
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -0,0 +1,123 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CertPasswordPrompt=Please enter the password for the PKCS#11 token %S.
+
+CertPasswordPromptDefault=Please enter your Primary Password.
+
+# The following strings have special requirements: they must fit in a 32 or 64
+# bytes buffer after being encoded to UTF-8.
+#
+# It's possible to verify the length of a translation using the Browser Console
+# in Firefox and evaluating the following code:
+#
+# (new TextEncoder().encode('YOURSTRING')).length
+#
+# Simply replace YOURSTRING with your translation.
+#
+# If it's not possible to produce an understandable translation within these
+# limits, keeping the English text is an acceptable workaround.
+
+# LOCALIZATION NOTE (RootCertModuleName): string limit is 64 bytes after
+# conversion to UTF-8.
+# length_limit = 64 bytes
+RootCertModuleName=Builtin Roots Module
+# LOCALIZATION NOTE (ManufacturerID): string limit is 32 bytes after conversion
+# to UTF-8.
+# length_limit = 32 bytes
+ManufacturerID=Mozilla.org
+# LOCALIZATION NOTE (LibraryDescription): string limit is 32 bytes after
+# conversion to UTF-8.
+# length_limit = 32 bytes
+LibraryDescription=PSM Internal Crypto Services
+# LOCALIZATION NOTE (TokenDescription): string limit is 32 bytes after
+# conversion to UTF-8.
+# length_limit = 32 bytes
+TokenDescription=Generic Crypto Services
+# LOCALIZATION NOTE (PrivateTokenDescription): string limit is 32 bytes after
+# conversion to UTF-8.
+# length_limit = 32 bytes
+PrivateTokenDescription=Software Security Device
+# LOCALIZATION NOTE (SlotDescription): string limit is 64 bytes after conversion
+# to UTF-8.
+# length_limit = 64 bytes
+SlotDescription=PSM Internal Cryptographic Services
+# LOCALIZATION NOTE (PrivateSlotDescription): string limit is 64 bytes after
+# conversion to UTF-8.
+# length_limit = 64 bytes
+PrivateSlotDescription=PSM Private Keys
+# LOCALIZATION NOTE (Fips140TokenDescription): string limit is 32 bytes after
+# conversion to UTF-8.
+# length_limit = 32 bytes
+Fips140TokenDescription=Software Security Device (FIPS)
+# LOCALIZATION NOTE (Fips140SlotDescription): string limit is 64 bytes after
+# conversion to UTF-8.
+# length_limit = 64 bytes
+Fips140SlotDescription=FIPS 140 Cryptographic, Key and Certificate Services
+
+# LOCALIZATION NOTE (nick_template): $1s is the common name from a cert (e.g. "Mozilla"), $2s is the CA name (e.g. VeriSign)
+nick_template=%1$s’s %2$s ID
+
+CertDumpKUSign=Signing
+CertDumpKUNonRep=Non-repudiation
+CertDumpKUEnc=Key Encipherment
+CertDumpKUDEnc=Data Encipherment
+CertDumpKUKA=Key Agreement
+CertDumpKUCertSign=Certificate Signer
+CertDumpKUCRLSigner=CRL Signer
+
+PSMERR_SSL_Disabled=Can’t connect securely because the SSL protocol has been disabled.
+PSMERR_SSL2_Disabled=Can’t connect securely because the site uses an older, insecure version of the SSL protocol.
+PSMERR_HostReusedIssuerSerial=You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:\n\nYour certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.
+
+# LOCALIZATION NOTE (SSLConnectionErrorPrefix2): %1$S is the host string, %2$S is more detailed information (localized as well).
+SSLConnectionErrorPrefix2=An error occurred during a connection to %1$S. %2$S\n
+
+certErrorIntro=%S uses an invalid security certificate.
+
+certErrorTrust_SelfSigned=The certificate is not trusted because it is self-signed.
+certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer certificate is unknown.
+certErrorTrust_UnknownIssuer2=The server might not be sending the appropriate intermediate certificates.
+certErrorTrust_UnknownIssuer3=An additional root certificate may need to be imported.
+certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate.
+certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted.
+certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
+certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
+certErrorTrust_Untrusted=The certificate does not come from a trusted source.
+certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
+
+certErrorMismatch=The certificate is not valid for the name %S.
+# LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid
+certErrorMismatchSinglePrefix=The certificate is only valid for %S.
+certErrorMismatchMultiple=The certificate is only valid for the following names:
+
+# LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time)
+certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S.
+
+# LOCALIZATION NOTE (certErrorNotYetValidNow): Do not translate %1$S (date+time certificate will become valid) or %2$S (current date+time)
+certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
+
+certErrorMitM=Websites prove their identity via certificates, which are issued by certificate authorities.
+# LOCALIZATION NOTE (certErrorMitM2): %S is brandShortName
+certErrorMitM2=%S is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. The CA store helps ensure that certificate authorities are following best practices for user security.
+# LOCALIZATION NOTE (certErrorMitM3): %S is brandShortName
+certErrorMitM3=%S uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe.
+
+certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem.
+
+# LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code.
+certErrorCodePrefix3=Error code: %S
+
+P12DefaultNickname=Imported Certificate
+CertUnknown=Unknown
+CertNoEmailAddress=(no email address)
+CaCertExists=This certificate is already installed as a certificate authority.
+NotACACert=This is not a certificate authority certificate, so it can’t be imported into the certificate authority list.
+UserCertIgnoredNoPrivateKey=This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.
+UserCertImported=Your personal certificate has been installed. You should keep a backup copy of this certificate.
+CertOrgUnknown=(Unknown)
+CertNotStored=(Not Stored)
+CertExceptionPermanent=Permanent
+CertExceptionTemporary=Temporary
diff --git a/security/manager/locales/en-US/chrome/pippki/pippki.properties b/security/manager/locales/en-US/chrome/pippki/pippki.properties
new file mode 100644
index 0000000000..7583c03728
--- /dev/null
+++ b/security/manager/locales/en-US/chrome/pippki/pippki.properties
@@ -0,0 +1,34 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Download Cert dialog
+# LOCALIZATION NOTE(newCAMessage1):
+# %S is a string representative of the certificate being downloaded/imported.
+newCAMessage1=Do you want to trust “%S†for the following purposes?
+unnamedCA=Certificate Authority (unnamed)
+
+# PKCS#12 file dialogs
+getPKCS12FilePasswordMessage=Please enter the password that was used to encrypt this certificate backup:
+
+# Page Info
+pageInfo_NoEncryption=Connection Not Encrypted
+pageInfo_Privacy_None1=The website %S does not support encryption for the page you are viewing.
+pageInfo_Privacy_None2=Information sent over the Internet without encryption can be seen by other people while it is in transit.
+pageInfo_Privacy_None4=The page you are viewing was not encrypted before being transmitted over the Internet.
+# LOCALIZATION NOTE (pageInfo_EncryptionWithBitsAndProtocol and pageInfo_BrokenEncryption):
+# %1$S is the name of the encryption standard,
+# %2$S is the key size of the cipher.
+# %3$S is protocol version like "SSL 3" or "TLS 1.2"
+pageInfo_EncryptionWithBitsAndProtocol=Connection Encrypted (%1$S, %2$S bit keys, %3$S)
+pageInfo_BrokenEncryption=Broken Encryption (%1$S, %2$S bit keys, %3$S)
+pageInfo_Privacy_Encrypted1=The page you are viewing was encrypted before being transmitted over the Internet.
+pageInfo_Privacy_Encrypted2=Encryption makes it difficult for unauthorized people to view information traveling between computers. It is therefore unlikely that anyone read this page as it traveled across the network.
+pageInfo_MixedContent=Connection Partially Encrypted
+pageInfo_MixedContent2=Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
+pageInfo_WeakCipher=Your connection to this website uses weak encryption and is not private. Other people can view your information or modify the website’s behavior.
+pageInfo_CertificateTransparency_Compliant=This website complies with the Certificate Transparency policy.
+
+# Token Manager
+password_not_set=(not set)
+enable_fips=Enable FIPS
diff --git a/security/manager/locales/en-US/security/certificates/certManager.ftl b/security/manager/locales/en-US/security/certificates/certManager.ftl
new file mode 100644
index 0000000000..4e8d372291
--- /dev/null
+++ b/security/manager/locales/en-US/security/certificates/certManager.ftl
@@ -0,0 +1,228 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certmgr-title =
+ .title = Certificate Manager
+
+certmgr-tab-mine =
+ .label = Your Certificates
+
+certmgr-tab-remembered =
+ .label = Authentication Decisions
+
+certmgr-tab-people =
+ .label = People
+
+certmgr-tab-servers =
+ .label = Servers
+
+certmgr-tab-ca =
+ .label = Authorities
+
+certmgr-mine = You have certificates from these organizations that identify you
+certmgr-remembered = These certificates are used to identify you to websites
+certmgr-people = You have certificates on file that identify these people
+certmgr-server = These entries identify server certificate error exceptions
+certmgr-ca = You have certificates on file that identify these certificate authorities
+
+certmgr-edit-ca-cert2 =
+ .title = Edit CA certificate trust settings
+ .style = min-width: 48em;
+
+certmgr-edit-cert-edit-trust = Edit trust settings:
+
+certmgr-edit-cert-trust-ssl =
+ .label = This certificate can identify websites.
+
+certmgr-edit-cert-trust-email =
+ .label = This certificate can identify mail users.
+
+certmgr-delete-cert2 =
+ .title = Delete Certificate
+ .style = min-width: 48em; min-height: 24em;
+
+certmgr-cert-host =
+ .label = Host
+
+certmgr-cert-name =
+ .label = Certificate Name
+
+certmgr-cert-server =
+ .label = Server
+
+certmgr-token-name =
+ .label = Security Device
+
+certmgr-begins-label =
+ .label = Begins On
+
+certmgr-expires-label =
+ .label = Expires On
+
+certmgr-email =
+ .label = E-Mail Address
+
+certmgr-serial =
+ .label = Serial Number
+
+certmgr-fingerprint-sha-256 =
+ .label = SHA-256 Fingerprint
+
+certmgr-view =
+ .label = View…
+ .accesskey = V
+
+certmgr-edit =
+ .label = Edit Trust…
+ .accesskey = E
+
+certmgr-export =
+ .label = Export…
+ .accesskey = x
+
+certmgr-delete =
+ .label = Delete…
+ .accesskey = D
+
+certmgr-delete-builtin =
+ .label = Delete or Distrust…
+ .accesskey = D
+
+certmgr-backup =
+ .label = Backup…
+ .accesskey = B
+
+certmgr-backup-all =
+ .label = Backup All…
+ .accesskey = k
+
+certmgr-restore =
+ .label = Import…
+ .accesskey = m
+
+certmgr-add-exception =
+ .label = Add Exception…
+ .accesskey = x
+
+exception-mgr =
+ .title = Add Security Exception
+
+exception-mgr-extra-button =
+ .label = Confirm Security Exception
+ .accesskey = C
+
+exception-mgr-supplemental-warning = Legitimate banks, stores, and other public sites will not ask you to do this.
+
+exception-mgr-cert-location-url =
+ .value = Location:
+
+exception-mgr-cert-location-download =
+ .label = Get Certificate
+ .accesskey = G
+
+exception-mgr-cert-status-view-cert =
+ .label = View…
+ .accesskey = V
+
+exception-mgr-permanent =
+ .label = Permanently store this exception
+ .accesskey = P
+
+pk11-bad-password = The password entered was incorrect.
+pkcs12-decode-err = Failed to decode the file. Either it is not in PKCS #12 format, has been corrupted, or the password you entered was incorrect.
+pkcs12-unknown-err-restore = Failed to restore the PKCS #12 file for unknown reasons.
+pkcs12-unknown-err-backup = Failed to create the PKCS #12 backup file for unknown reasons.
+pkcs12-unknown-err = The PKCS #12 operation failed for unknown reasons.
+pkcs12-info-no-smartcard-backup = It is not possible to back up certificates from a hardware security device such as a smart card.
+pkcs12-dup-data = The certificate and private key already exist on the security device.
+
+## PKCS#12 file dialogs
+
+choose-p12-backup-file-dialog = File Name to Backup
+file-browse-pkcs12-spec = PKCS12 Files
+choose-p12-restore-file-dialog = Certificate File to Import
+
+## Import certificate(s) file dialog
+
+file-browse-certificate-spec = Certificate Files
+import-ca-certs-prompt = Select File containing CA certificate(s) to import
+import-email-cert-prompt = Select File containing somebody’s Email certificate to import
+
+## For editing certificates trust
+
+# Variables:
+# $certName: the name of certificate
+edit-trust-ca = The certificate “{ $certName }†represents a Certificate Authority.
+
+## For Deleting Certificates
+
+delete-user-cert-title =
+ .title = Delete your Certificates
+delete-user-cert-confirm = Are you sure you want to delete these certificates?
+delete-user-cert-impact = If you delete one of your own certificates, you can no longer use it to identify yourself.
+
+
+delete-ssl-override-title =
+ .title = Delete Server Certificate Exception
+delete-ssl-override-confirm = Are you sure you want to delete this server exception?
+delete-ssl-override-impact = If you delete a server exception, you restore the usual security checks for that server and require it uses a valid certificate.
+
+delete-ca-cert-title =
+ .title = Delete or Distrust CA Certificates
+delete-ca-cert-confirm = You have requested to delete these CA certificates. For built-in certificates all trust will be removed, which has the same effect. Are you sure you want to delete or distrust?
+delete-ca-cert-impact = If you delete or distrust a certificate authority (CA) certificate, this application will no longer trust any certificates issued by that CA.
+
+
+delete-email-cert-title =
+ .title = Delete E-Mail Certificates
+delete-email-cert-confirm = Are you sure you want to delete these people’s e-mail certificates?
+delete-email-cert-impact = If you delete a person’s e-mail certificate, you will no longer be able to send encrypted e-mail to that person.
+
+# Used for semi-uniquely representing a cert.
+#
+# Variables:
+# $serialNumber : the serial number of the cert in AA:BB:CC hex format.
+cert-with-serial =
+ .value = Certificate with serial number: { $serialNumber }
+
+# Used to indicate that the user chose not to send a client authentication certificate to a server that requested one in a TLS handshake.
+send-no-client-certificate = Send no client certificate
+
+# Used when no cert is stored for an override
+no-cert-stored-for-override = (Not Stored)
+
+# When a certificate is unavailable (for example, it has been deleted or the token it exists on has been removed).
+certificate-not-available = (Unavailable)
+
+## Used to show whether an override is temporary or permanent
+
+permanent-override = Permanent
+temporary-override = Temporary
+
+## Add Security Exception dialog
+
+add-exception-branded-warning = You are about to override how { -brand-short-name } identifies this site.
+add-exception-invalid-header = This site attempts to identify itself with invalid information.
+add-exception-domain-mismatch-short = Wrong Site
+add-exception-domain-mismatch-long = The certificate belongs to a different site, which could mean that someone is trying to impersonate this site.
+add-exception-expired-short = Outdated Information
+add-exception-expired-long = The certificate is not currently valid. It may have been stolen or lost, and could be used by someone to impersonate this site.
+add-exception-unverified-or-bad-signature-short = Unknown Identity
+add-exception-unverified-or-bad-signature-long = The certificate is not trusted because it hasn’t been verified as issued by a trusted authority using a secure signature.
+add-exception-valid-short = Valid Certificate
+add-exception-valid-long = This site provides valid, verified identification. There is no need to add an exception.
+add-exception-checking-short = Checking Information
+add-exception-checking-long = Attempting to identify this site…
+add-exception-no-cert-short = No Information Available
+add-exception-no-cert-long = Unable to obtain identification status for this site.
+
+## Certificate export "Save as" and error dialogs
+
+save-cert-as = Save Certificate To File
+cert-format-base64 = X.509 Certificate (PEM)
+cert-format-base64-chain = X.509 Certificate with chain (PEM)
+cert-format-der = X.509 Certificate (DER)
+cert-format-pkcs7 = X.509 Certificate (PKCS#7)
+cert-format-pkcs7-chain = X.509 Certificate with chain (PKCS#7)
+write-file-failure = File Error
diff --git a/security/manager/locales/en-US/security/certificates/deviceManager.ftl b/security/manager/locales/en-US/security/certificates/deviceManager.ftl
new file mode 100644
index 0000000000..0e73acb813
--- /dev/null
+++ b/security/manager/locales/en-US/security/certificates/deviceManager.ftl
@@ -0,0 +1,132 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+## Strings used for device manager
+
+devmgr-window =
+ .title = Device Manager
+ .style = min-width: 67em; min-height: 32em;
+
+devmgr-devlist =
+ .label = Security Modules and Devices
+
+devmgr-header-details =
+ .label = Details
+
+devmgr-header-value =
+ .label = Value
+
+devmgr-button-login =
+ .label = Log In
+ .accesskey = n
+
+devmgr-button-logout =
+ .label = Log Out
+ .accesskey = O
+
+devmgr-button-changepw =
+ .label = Change Password
+ .accesskey = P
+
+devmgr-button-load =
+ .label = Load
+ .accesskey = L
+
+devmgr-button-unload =
+ .label = Unload
+ .accesskey = U
+
+devmgr-button-enable-fips =
+ .label = Enable FIPS
+ .accesskey = F
+
+devmgr-button-disable-fips =
+ .label = Disable FIPS
+ .accesskey = F
+
+## Strings used for load device
+
+load-device =
+ .title = Load PKCS#11 Device Driver
+
+load-device-info = Enter the information for the module you want to add.
+
+load-device-modname =
+ .value = Module Name
+ .accesskey = M
+
+load-device-modname-default =
+ .value = New PKCS#11 Module
+
+load-device-filename =
+ .value = Module filename
+ .accesskey = f
+
+load-device-browse =
+ .label = Browse…
+ .accesskey = B
+
+## Token Manager
+
+devinfo-status =
+ .label = Status
+
+devinfo-status-disabled =
+ .label = Disabled
+
+devinfo-status-not-present =
+ .label = Not Present
+
+devinfo-status-uninitialized =
+ .label = Uninitialized
+
+devinfo-status-not-logged-in =
+ .label = Not Logged In
+
+devinfo-status-logged-in =
+ .label = Logged In
+
+devinfo-status-ready =
+ .label = Ready
+
+devinfo-desc =
+ .label = Description
+
+devinfo-man-id =
+ .label = Manufacturer
+
+devinfo-hwversion =
+ .label = HW Version
+devinfo-fwversion =
+ .label = FW Version
+
+devinfo-modname =
+ .label = Module
+
+devinfo-modpath =
+ .label = Path
+
+login-failed = Failed to Login
+
+devinfo-label =
+ .label = Label
+
+devinfo-serialnum =
+ .label = Serial Number
+
+fips-nonempty-primary-password-required = FIPS mode requires that you have a Primary Password set for each security device. Please set the password before trying to enable FIPS mode.
+unable-to-toggle-fips = Unable to change the FIPS mode for the security device. It is recommended that you exit and restart this application.
+load-pk11-module-file-picker-title = Choose a PKCS#11 device driver to load
+
+# Load Module Dialog
+load-module-help-empty-module-name =
+ .value = The module name cannot be empty.
+
+# Do not translate 'Root Certs'
+load-module-help-root-certs-module-name =
+ .value = ‘Root Certs‘ is reserved and cannot be used as the module name.
+
+add-module-failure = Unable to add module
+del-module-warning = Are you sure you want to delete this security module?
+del-module-error = Unable to delete module
diff --git a/security/manager/locales/en-US/security/pippki/pippki.ftl b/security/manager/locales/en-US/security/pippki/pippki.ftl
new file mode 100644
index 0000000000..b4ab82c816
--- /dev/null
+++ b/security/manager/locales/en-US/security/pippki/pippki.ftl
@@ -0,0 +1,107 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+password-quality-meter = Password quality meter
+
+## Change Password dialog
+
+change-device-password-window =
+ .title = Change Password
+
+# Variables:
+# $tokenName (String) - Security device of the change password dialog
+change-password-token = Security Device: { $tokenName }
+change-password-old = Current password:
+change-password-new = New password:
+change-password-reenter = New password (again):
+
+pippki-failed-pw-change = Unable to change password.
+pippki-incorrect-pw = You did not enter the correct current password. Please try again.
+pippki-pw-change-ok = Password successfully changed.
+
+pippki-pw-empty-warning = Your stored passwords and private keys will not be protected.
+pippki-pw-erased-ok = You have deleted your password. { pippki-pw-empty-warning }
+pippki-pw-not-wanted = Warning! You have decided not to use a password. { pippki-pw-empty-warning }
+
+pippki-pw-change2empty-in-fips-mode = You are currently in FIPS mode. FIPS requires a non-empty password.
+
+## Reset Primary Password dialog
+
+reset-primary-password-window2 =
+ .title = Reset Primary Password
+ .style = min-width: 40em
+reset-password-button-label =
+ .label = Reset
+reset-primary-password-text = If you reset your Primary Password, all your stored web and e-mail passwords, personal certificates, and private keys will be forgotten. Are you sure you want to reset your Primary Password?
+
+pippki-reset-password-confirmation-title = Reset Primary Password
+pippki-reset-password-confirmation-message = Your Primary Password has been reset.
+
+## Downloading cert dialog
+
+download-cert-window2 =
+ .title = Downloading Certificate
+ .style = min-width: 46em
+download-cert-message = You have been asked to trust a new Certificate Authority (CA).
+download-cert-trust-ssl =
+ .label = Trust this CA to identify websites.
+download-cert-trust-email =
+ .label = Trust this CA to identify email users.
+download-cert-message-desc = Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available).
+download-cert-view-cert =
+ .label = View
+download-cert-view-text = Examine CA certificate
+
+## Client Authentication Ask dialog
+
+client-auth-window =
+ .title = User Identification Request
+client-auth-send-no-certificate =
+ .label = Don’t send a certificate
+
+# Variables:
+# $hostname (String) - The domain name of the site requesting the client authentication certificate
+client-auth-site-identification = “{ $hostname }†has requested that you identify yourself with a certificate:
+client-auth-cert-details = Details of selected certificate:
+# Variables:
+# $issuedTo (String) - The subject common name of the currently-selected client authentication certificate
+client-auth-cert-details-issued-to = Issued to: { $issuedTo }
+# Variables:
+# $serialNumber (String) - The serial number of the certificate (hexadecimal of the form "AA:BB:...")
+client-auth-cert-details-serial-number = Serial number: { $serialNumber }
+# Variables:
+# $notBefore (String) - The date before which the certificate is not valid (e.g. Apr 21, 2023, 1:47:53 PM UTC)
+# $notAfter (String) - The date after which the certificate is not valid
+client-auth-cert-details-validity-period = Valid from { $notBefore } to { $notAfter }
+# Variables:
+# $keyUsages (String) - A list of already-localized key usages for which the certificate may be used
+client-auth-cert-details-key-usages = Key usages: { $keyUsages }
+# Variables:
+# $emailAddresses (String) - A list of email addresses present in the certificate
+client-auth-cert-details-email-addresses = Email addresses: { $emailAddresses }
+# Variables:
+# $issuedBy (String) - The issuer common name of the certificate
+client-auth-cert-details-issued-by = Issued by: { $issuedBy }
+# Variables:
+# $storedOn (String) - The name of the token holding the certificate (for example, "OS Client Cert Token (Modern)")
+client-auth-cert-details-stored-on = Stored on: { $storedOn }
+client-auth-cert-remember-box =
+ .label = Remember this decision
+
+## Set password (p12) dialog
+
+set-password-window =
+ .title = Choose a Certificate Backup Password
+set-password-message = The certificate backup password you set here protects the backup file that you are about to create. You must set this password to proceed with the backup.
+set-password-backup-pw =
+ .value = Certificate backup password:
+set-password-repeat-backup-pw =
+ .value = Certificate backup password (again):
+set-password-reminder = Important: If you forget your certificate backup password, you will not be able to restore this backup later. Please record it in a safe location.
+
+## Protected authentication alert
+
+# Variables:
+# $tokenName (String) - The name of the token to authenticate to (for example, "OS Client Cert Token (Modern)")
+protected-auth-alert = Please authenticate to the token “{ $tokenName }â€. How to do so depends on the token (for example, using a fingerprint reader or entering a code with a keypad).
diff --git a/security/manager/locales/jar.mn b/security/manager/locales/jar.mn
new file mode 100644
index 0000000000..a61529289a
--- /dev/null
+++ b/security/manager/locales/jar.mn
@@ -0,0 +1,14 @@
+#filter substitution
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+[localization] @AB_CD@.jar:
+ security (%security/**/*.ftl)
+
+@AB_CD@.jar:
+% locale pipnss @AB_CD@ %locale/@AB_CD@/pipnss/
+% locale pippki @AB_CD@ %locale/@AB_CD@/pippki/
+ locale/@AB_CD@/pipnss/pipnss.properties (%chrome/pipnss/pipnss.properties)
+ locale/@AB_CD@/pipnss/nsserrors.properties (%chrome/pipnss/nsserrors.properties)
+ locale/@AB_CD@/pippki/pippki.properties (%chrome/pippki/pippki.properties)
diff --git a/security/manager/locales/moz.build b/security/manager/locales/moz.build
new file mode 100644
index 0000000000..d988c0ff9b
--- /dev/null
+++ b/security/manager/locales/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+JAR_MANIFESTS += ["jar.mn"]
diff --git a/security/manager/moz.build b/security/manager/moz.build
new file mode 100644
index 0000000000..3890007503
--- /dev/null
+++ b/security/manager/moz.build
@@ -0,0 +1,13 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+ BUG_COMPONENT = ("Core", "Security: PSM")
+
+DIRS += ["ssl", "locales"]
+
+if CONFIG["MOZ_BUILD_APP"] != "mobile/android":
+ DIRS += ["pki"]
diff --git a/security/manager/pki/components.conf b/security/manager/pki/components.conf
new file mode 100644
index 0000000000..7abebd9d6f
--- /dev/null
+++ b/security/manager/pki/components.conf
@@ -0,0 +1,18 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Classes = [
+ {
+ 'cid': '{518e071f-1dd2-11b2-937e-c45f14def778}',
+ 'contract_ids': [
+ '@mozilla.org/nsCertificateDialogs;1',
+ '@mozilla.org/nsTokenPasswordDialogs;1',
+ ],
+ 'type': 'nsNSSDialogs',
+ 'headers': ['/security/manager/pki/nsNSSDialogs.h'],
+ 'init_method': 'Init',
+ },
+]
diff --git a/security/manager/pki/moz.build b/security/manager/pki/moz.build
new file mode 100644
index 0000000000..5f0bf95738
--- /dev/null
+++ b/security/manager/pki/moz.build
@@ -0,0 +1,34 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["resources"]
+
+UNIFIED_SOURCES += [
+ "nsNSSDialogHelper.cpp",
+ "nsNSSDialogs.cpp",
+]
+
+XPCOM_MANIFESTS += [
+ "components.conf",
+]
+
+LOCAL_INCLUDES += [
+ "!/dist/public/nss",
+]
+
+FINAL_LIBRARY = "xul"
+
+if CONFIG["CC_TYPE"] in ("clang", "gcc"):
+ CXXFLAGS += [
+ "-Wextra",
+ # -Wextra enables this warning, but it's too noisy to be useful.
+ "-Wno-missing-field-initializers",
+ ]
+
+ # Gecko headers aren't warning-free enough for us to enable these warnings.
+ CXXFLAGS += [
+ "-Wno-unused-parameter",
+ ]
diff --git a/security/manager/pki/nsIASN1Tree.idl b/security/manager/pki/nsIASN1Tree.idl
new file mode 100644
index 0000000000..b44362e5b2
--- /dev/null
+++ b/security/manager/pki/nsIASN1Tree.idl
@@ -0,0 +1,24 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsITreeView.idl"
+#include "nsIX509Cert.idl"
+
+[scriptable, uuid(de142307-7b88-4e0a-b232-250f310e25d8)]
+interface nsIASN1Tree : nsITreeView {
+ [must_use]
+ void loadASN1Structure(in nsIASN1Object asn1Object);
+
+ [must_use]
+ AString getDisplayData(in unsigned long index);
+};
+
+%{C++
+
+#define NS_ASN1TREE_CONTRACTID "@mozilla.org/security/nsASN1Tree;1"
+
+%}
diff --git a/security/manager/pki/nsNSSDialogHelper.cpp b/security/manager/pki/nsNSSDialogHelper.cpp
new file mode 100644
index 0000000000..18691aa6e9
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogHelper.cpp
@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSDialogHelper.h"
+
+#include "mozIDOMWindow.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "nsCOMPtr.h"
+#include "nsIWindowWatcher.h"
+#include "nsServiceManagerUtils.h"
+
+static const char kOpenDialogParam[] = "centerscreen,chrome,modal,titlebar";
+static const char kOpenWindowParam[] = "centerscreen,chrome,titlebar";
+
+nsresult nsNSSDialogHelper::openDialog(mozIDOMWindowProxy* window,
+ const char* url, nsISupports* params,
+ bool modal) {
+ nsresult rv;
+ nsCOMPtr<nsIWindowWatcher> windowWatcher =
+ do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv);
+ if (NS_FAILED(rv)) return rv;
+
+ nsCOMPtr<mozIDOMWindowProxy> parent = window;
+
+ if (!parent) {
+ windowWatcher->GetActiveWindow(getter_AddRefs(parent));
+ }
+
+ // We're loading XUL into this window, and it's happening on behalf of the
+ // system, not on behalf of content. Make sure the initial about:blank window
+ // gets a system principal, otherwise we'll bork when trying to wrap the
+ // nsIKeyGenThread |arguments| property into the unprivileged scoope.
+ MOZ_ASSERT(!strncmp("chrome://", url, strlen("chrome://")));
+ mozilla::dom::AutoNoJSAPI nojsapi;
+
+ nsCOMPtr<mozIDOMWindowProxy> newWindow;
+ rv = windowWatcher->OpenWindow(
+ parent, nsDependentCString(url), "_blank"_ns,
+ nsDependentCString(modal ? kOpenDialogParam : kOpenWindowParam), params,
+ getter_AddRefs(newWindow));
+ return rv;
+}
diff --git a/security/manager/pki/nsNSSDialogHelper.h b/security/manager/pki/nsNSSDialogHelper.h
new file mode 100644
index 0000000000..a7f3d5e474
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogHelper.h
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSDialogHelper_h
+#define nsNSSDialogHelper_h
+
+#include "nsError.h"
+
+class mozIDOMWindowProxy;
+class nsISupports;
+
+/**
+ * Helper class that uses the window watcher service to open a standard dialog,
+ * with or without a parent context.
+ */
+class nsNSSDialogHelper {
+ public:
+ /**
+ * Opens a XUL dialog.
+ *
+ * @param window
+ * Parent window of the dialog, or nullptr to signal no parent.
+ * @param url
+ * URL to the XUL dialog.
+ * @param params
+ * Parameters to pass to the dialog. Same semantics as the
+ * nsIWindowWatcher.openWindow() |aArguments| parameter.
+ * @param modal
+ * true if the dialog should be modal, false otherwise.
+ * @return The result of opening the dialog.
+ */
+ static nsresult openDialog(mozIDOMWindowProxy* window, const char* url,
+ nsISupports* params, bool modal = true);
+};
+
+#endif // nsNSSDialogHelper_h
diff --git a/security/manager/pki/nsNSSDialogs.cpp b/security/manager/pki/nsNSSDialogs.cpp
new file mode 100644
index 0000000000..159c873d34
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogs.cpp
@@ -0,0 +1,216 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Dialog services for PIP.
+ */
+
+#include "nsNSSDialogs.h"
+
+#include "mozIDOMWindow.h"
+#include "nsArray.h"
+#include "nsComponentManagerUtils.h"
+#include "nsEmbedCID.h"
+#include "nsHashPropertyBag.h"
+#include "nsIDialogParamBlock.h"
+#include "nsIInterfaceRequestor.h"
+#include "nsIInterfaceRequestorUtils.h"
+#include "nsIPK11Token.h"
+#include "nsIPromptService.h"
+#include "nsIWindowWatcher.h"
+#include "nsIX509CertDB.h"
+#include "nsIX509Cert.h"
+#include "nsNSSDialogHelper.h"
+#include "nsPromiseFlatString.h"
+#include "nsServiceManagerUtils.h"
+#include "nsString.h"
+#include "nsVariant.h"
+
+#define PIPSTRING_BUNDLE_URL "chrome://pippki/locale/pippki.properties"
+
+nsNSSDialogs::nsNSSDialogs() = default;
+
+nsNSSDialogs::~nsNSSDialogs() = default;
+
+NS_IMPL_ISUPPORTS(nsNSSDialogs, nsITokenPasswordDialogs, nsICertificateDialogs)
+
+nsresult nsNSSDialogs::Init() {
+ nsresult rv;
+
+ nsCOMPtr<nsIStringBundleService> service =
+ do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv);
+ if (NS_FAILED(rv)) return rv;
+
+ rv = service->CreateBundle(PIPSTRING_BUNDLE_URL,
+ getter_AddRefs(mPIPStringBundle));
+ return rv;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::SetPassword(nsIInterfaceRequestor* ctx, nsIPK11Token* token,
+ /*out*/ bool* canceled) {
+ // |ctx| is allowed to be null.
+ NS_ENSURE_ARG(canceled);
+
+ *canceled = false;
+
+ // Get the parent window for the dialog
+ nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+
+ nsCOMPtr<nsIDialogParamBlock> block =
+ do_CreateInstance(NS_DIALOGPARAMBLOCK_CONTRACTID);
+ if (!block) return NS_ERROR_FAILURE;
+
+ nsCOMPtr<nsIMutableArray> objects = nsArrayBase::Create();
+ if (!objects) {
+ return NS_ERROR_FAILURE;
+ }
+ nsresult rv = objects->AppendElement(token);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = block->SetObjects(objects);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = nsNSSDialogHelper::openDialog(
+ parent, "chrome://pippki/content/changepassword.xhtml", block);
+
+ if (NS_FAILED(rv)) return rv;
+
+ int32_t status;
+
+ rv = block->GetInt(1, &status);
+ if (NS_FAILED(rv)) return rv;
+
+ *canceled = (status == 0);
+
+ return rv;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx,
+ nsIX509Cert* cert,
+ /*out*/ uint32_t* trust,
+ /*out*/ bool* importConfirmed) {
+ // |ctx| is allowed to be null.
+ NS_ENSURE_ARG(cert);
+ NS_ENSURE_ARG(trust);
+ NS_ENSURE_ARG(importConfirmed);
+
+ nsCOMPtr<nsIMutableArray> argArray = nsArrayBase::Create();
+ if (!argArray) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsresult rv = argArray->AppendElement(cert);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag();
+ rv = argArray->AppendElement(retVals);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Get the parent window for the dialog
+ nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+ rv = nsNSSDialogHelper::openDialog(
+ parent, "chrome://pippki/content/downloadcert.xhtml", argArray);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = retVals->GetPropertyAsBool(u"importConfirmed"_ns, importConfirmed);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ *trust = nsIX509CertDB::UNTRUSTED;
+ if (!*importConfirmed) {
+ return NS_OK;
+ }
+
+ bool trustForSSL = false;
+ rv = retVals->GetPropertyAsBool(u"trustForSSL"_ns, &trustForSSL);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ bool trustForEmail = false;
+ rv = retVals->GetPropertyAsBool(u"trustForEmail"_ns, &trustForEmail);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ *trust |= trustForSSL ? nsIX509CertDB::TRUSTED_SSL : 0;
+ *trust |= trustForEmail ? nsIX509CertDB::TRUSTED_EMAIL : 0;
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::SetPKCS12FilePassword(nsIInterfaceRequestor* ctx,
+ /*out*/ nsAString& password,
+ /*out*/ bool* confirmedPassword) {
+ // |ctx| is allowed to be null.
+ NS_ENSURE_ARG(confirmedPassword);
+
+ // Get the parent window for the dialog
+ nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+ nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag();
+ nsresult rv = nsNSSDialogHelper::openDialog(
+ parent, "chrome://pippki/content/setp12password.xhtml", retVals);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = retVals->GetPropertyAsBool(u"confirmedPassword"_ns, confirmedPassword);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (!*confirmedPassword) {
+ return NS_OK;
+ }
+
+ return retVals->GetPropertyAsAString(u"password"_ns, password);
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::GetPKCS12FilePassword(nsIInterfaceRequestor* ctx,
+ nsAString& _password, bool* _retval) {
+ *_retval = false;
+
+ nsCOMPtr<nsIPromptService> promptSvc(
+ do_GetService(NS_PROMPTSERVICE_CONTRACTID));
+ if (!promptSvc) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsAutoString msg;
+ nsresult rv =
+ mPIPStringBundle->GetStringFromName("getPKCS12FilePasswordMessage", msg);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Get the parent window for the dialog
+ nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+ char16_t* pwTemp = nullptr;
+ rv = promptSvc->PromptPassword(parent, nullptr, msg.get(), &pwTemp, _retval);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (*_retval) {
+ _password.Assign(pwTemp);
+ free(pwTemp);
+ }
+
+ return NS_OK;
+}
diff --git a/security/manager/pki/nsNSSDialogs.h b/security/manager/pki/nsNSSDialogs.h
new file mode 100644
index 0000000000..7528492a5a
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogs.h
@@ -0,0 +1,37 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSDialogs_h
+#define nsNSSDialogs_h
+
+#include "nsCOMPtr.h"
+#include "nsICertificateDialogs.h"
+#include "nsIStringBundle.h"
+#include "nsITokenPasswordDialogs.h"
+
+#define NS_NSSDIALOGS_CID \
+ { \
+ 0x518e071f, 0x1dd2, 0x11b2, { \
+ 0x93, 0x7e, 0xc4, 0x5f, 0x14, 0xde, 0xf7, 0x78 \
+ } \
+ }
+
+class nsNSSDialogs : public nsICertificateDialogs,
+ public nsITokenPasswordDialogs {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSITOKENPASSWORDDIALOGS
+ NS_DECL_NSICERTIFICATEDIALOGS
+ nsNSSDialogs();
+
+ nsresult Init();
+
+ protected:
+ virtual ~nsNSSDialogs();
+ nsCOMPtr<nsIStringBundle> mPIPStringBundle;
+};
+
+#endif // nsNSSDialogs_h
diff --git a/security/manager/pki/resources/content/certManager.css b/security/manager/pki/resources/content/certManager.css
new file mode 100644
index 0000000000..9259472771
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.css
@@ -0,0 +1,34 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Good enough support for equalsize=always for the cert manager use cases.
+ * You probably shouldn't use this as-is elsewhere, this selector is somewhat
+ * slow, it relies on stuff having display: flex, and you probably can use
+ * something simpler if you need this */
+[equalsize="always"] > * {
+ flex: 1;
+ contain: inline-size;
+}
+
+treecol {
+ flex: 1 auto;
+ width: 0; /* Don't let intrinsic sizes affect our minimum size. */
+}
+
+#certmanager {
+ /* This prevents horizontal scrollbars due to <tree> and non-XUL layout
+ * interactions */
+ padding: 0;
+}
+
+/* This matches the <tree> height from dialog.css */
+richlistbox {
+ min-height: 15em;
+ contain: size;
+}
+
+richlistbox,
+richlistitem {
+ min-height: 30px;
+}
diff --git a/security/manager/pki/resources/content/certManager.js b/security/manager/pki/resources/content/certManager.js
new file mode 100644
index 0000000000..b1fcaff30f
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.js
@@ -0,0 +1,771 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+const gCertFileTypes = "*.p7b; *.crt; *.cert; *.cer; *.pem; *.der";
+
+var { NetUtil } = ChromeUtils.importESModule(
+ "resource://gre/modules/NetUtil.sys.mjs"
+);
+
+var key;
+
+var certdialogs = Cc["@mozilla.org/nsCertificateDialogs;1"].getService(
+ Ci.nsICertificateDialogs
+);
+
+/**
+ * List of certs currently selected in the active tab.
+ *
+ * @type {nsIX509Cert[]}
+ */
+var selected_certs = [];
+var selected_tree_items = [];
+var selected_index = [];
+var certdb;
+
+/**
+ * Cert tree for the "Authorities" tab.
+ *
+ * @type {nsICertTree}
+ */
+var caTreeView;
+/**
+ * Cert tree for the "Servers" tab.
+ *
+ * @type {nsICertTree}
+ */
+var serverTreeView;
+
+var overrideService;
+
+function createRichlistItem(item) {
+ let innerHbox = document.createXULElement("hbox");
+ innerHbox.setAttribute("align", "center");
+ innerHbox.setAttribute("flex", "1");
+
+ let row = document.createXULElement("label");
+ row.setAttribute("flex", "1");
+ row.setAttribute("crop", "end");
+ row.setAttribute("style", "margin-inline-start: 15px;");
+ if ("raw" in item) {
+ row.setAttribute("value", item.raw);
+ } else {
+ document.l10n.setAttributes(row, item.l10nid);
+ }
+ row.setAttribute("ordinal", "1");
+ innerHbox.appendChild(row);
+
+ return innerHbox;
+}
+
+var serverRichList = {
+ richlist: undefined,
+
+ buildRichList() {
+ let overrides = overrideService.getOverrides().map(item => {
+ return {
+ hostPort: item.hostPort,
+ asciiHost: item.asciiHost,
+ port: item.port,
+ originAttributes: item.originAttributes,
+ fingerprint: item.fingerprint,
+ };
+ });
+ overrides.sort((a, b) => {
+ let criteria = ["hostPort", "fingerprint"];
+ for (let c of criteria) {
+ let res = a[c].localeCompare(b[c]);
+ if (res !== 0) {
+ return res;
+ }
+ }
+ return 0;
+ });
+
+ this.richlist.textContent = "";
+ this.richlist.clearSelection();
+
+ let frag = document.createDocumentFragment();
+ for (let override of overrides) {
+ let richlistitem = this._richBoxAddItem(override);
+ frag.appendChild(richlistitem);
+ }
+ this.richlist.appendChild(frag);
+
+ this._setButtonState();
+ this.richlist.addEventListener("select", () => this._setButtonState());
+ },
+
+ _richBoxAddItem(item) {
+ let richlistitem = document.createXULElement("richlistitem");
+
+ richlistitem.setAttribute("host", item.asciiHost);
+ richlistitem.setAttribute("port", item.port);
+ richlistitem.setAttribute("hostPort", item.hostPort);
+ richlistitem.setAttribute("fingerprint", item.fingerprint);
+ richlistitem.setAttribute(
+ "originAttributes",
+ JSON.stringify(item.originAttributes)
+ );
+
+ let hbox = document.createXULElement("hbox");
+ hbox.setAttribute("flex", "1");
+ hbox.setAttribute("equalsize", "always");
+
+ hbox.appendChild(createRichlistItem({ raw: item.hostPort }));
+ hbox.appendChild(createRichlistItem({ raw: item.fingerprint }));
+
+ richlistitem.appendChild(hbox);
+
+ return richlistitem;
+ },
+
+ deleteSelectedRichListItem() {
+ let selectedItem = this.richlist.selectedItem;
+ if (!selectedItem) {
+ return;
+ }
+
+ let retVals = {
+ deleteConfirmed: false,
+ };
+ window.browsingContext.topChromeWindow.openDialog(
+ "chrome://pippki/content/deletecert.xhtml",
+ "",
+ "chrome,centerscreen,modal",
+ "websites_tab",
+ [
+ {
+ hostPort: selectedItem.attributes.hostPort.value,
+ },
+ ],
+ retVals
+ );
+
+ if (retVals.deleteConfirmed) {
+ overrideService.clearValidityOverride(
+ selectedItem.attributes.host.value,
+ selectedItem.attributes.port.value,
+ JSON.parse(selectedItem.attributes.originAttributes.value)
+ );
+ this.buildRichList();
+ }
+ },
+
+ addException() {
+ let retval = {
+ exceptionAdded: false,
+ };
+ window.browsingContext.topChromeWindow.openDialog(
+ "chrome://pippki/content/exceptionDialog.xhtml",
+ "",
+ "chrome,centerscreen,modal",
+ retval
+ );
+ if (retval.exceptionAdded) {
+ this.buildRichList();
+ }
+ },
+
+ _setButtonState() {
+ let websiteDeleteButton = document.getElementById("websites_deleteButton");
+ websiteDeleteButton.disabled = this.richlist.selectedIndex < 0;
+ },
+};
+/**
+ * Cert tree for the "People" tab.
+ *
+ * @type {nsICertTree}
+ */
+var emailTreeView;
+/**
+ * Cert tree for the "Your Certificates" tab.
+ *
+ * @type {nsICertTree}
+ */
+var userTreeView;
+
+var clientAuthRememberService;
+
+var rememberedDecisionsRichList = {
+ richlist: undefined,
+
+ buildRichList() {
+ let rememberedDecisions = clientAuthRememberService.getDecisions();
+
+ let oldItems = this.richlist.querySelectorAll("richlistitem");
+ for (let item of oldItems) {
+ item.remove();
+ }
+
+ let frag = document.createDocumentFragment();
+ for (let decision of rememberedDecisions) {
+ let richlistitem = this._richBoxAddItem(decision);
+ frag.appendChild(richlistitem);
+ }
+ this.richlist.appendChild(frag);
+
+ this.richlist.addEventListener("select", () => this.setButtonState());
+ },
+
+ _richBoxAddItem(item) {
+ let richlistitem = document.createXULElement("richlistitem");
+
+ richlistitem.setAttribute("entryKey", item.entryKey);
+ richlistitem.setAttribute("dbKey", item.dbKey);
+
+ let hbox = document.createXULElement("hbox");
+ hbox.setAttribute("flex", "1");
+ hbox.setAttribute("equalsize", "always");
+
+ hbox.appendChild(createRichlistItem({ raw: item.asciiHost }));
+ if (item.dbKey == "") {
+ hbox.appendChild(
+ createRichlistItem({ l10nid: "send-no-client-certificate" })
+ );
+
+ hbox.appendChild(createRichlistItem({ raw: "" }));
+ } else {
+ let tmpCert = certdb.findCertByDBKey(item.dbKey);
+ // The certificate corresponding to this item's dbKey may not be
+ // available (for example, if it was stored on a token that's been
+ // removed, or if it was deleted).
+ if (tmpCert) {
+ hbox.appendChild(createRichlistItem({ raw: tmpCert.commonName }));
+ hbox.appendChild(createRichlistItem({ raw: tmpCert.serialNumber }));
+ } else {
+ hbox.appendChild(
+ createRichlistItem({ l10nid: "certificate-not-available" })
+ );
+ hbox.appendChild(
+ createRichlistItem({ l10nid: "certificate-not-available" })
+ );
+ }
+ }
+
+ richlistitem.appendChild(hbox);
+
+ return richlistitem;
+ },
+
+ deleteSelectedRichListItem() {
+ let selectedItem = this.richlist.selectedItem;
+ let index = this.richlist.selectedIndex;
+ if (index < 0) {
+ return;
+ }
+
+ clientAuthRememberService.forgetRememberedDecision(
+ selectedItem.attributes.entryKey.value
+ );
+
+ this.buildRichList();
+ this.setButtonState();
+ },
+
+ viewSelectedRichListItem() {
+ let selectedItem = this.richlist.selectedItem;
+ let index = this.richlist.selectedIndex;
+ if (index < 0) {
+ return;
+ }
+
+ if (selectedItem.attributes.dbKey.value != "") {
+ let cert = certdb.findCertByDBKey(selectedItem.attributes.dbKey.value);
+ viewCertHelper(window, cert);
+ }
+ },
+
+ setButtonState() {
+ let rememberedDeleteButton = document.getElementById(
+ "remembered_deleteButton"
+ );
+ let rememberedViewButton = document.getElementById("remembered_viewButton");
+
+ rememberedDeleteButton.disabled = this.richlist.selectedIndex < 0;
+ rememberedViewButton.disabled =
+ this.richlist.selectedItem == null
+ ? true
+ : this.richlist.selectedItem.attributes.dbKey.value == "";
+ },
+};
+
+function LoadCerts() {
+ certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ var certcache = certdb.getCerts();
+
+ caTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance(
+ Ci.nsICertTree
+ );
+ caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+ document.getElementById("ca-tree").view = caTreeView;
+
+ emailTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance(
+ Ci.nsICertTree
+ );
+ emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT);
+ document.getElementById("email-tree").view = emailTreeView;
+
+ userTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance(
+ Ci.nsICertTree
+ );
+ userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT);
+ document.getElementById("user-tree").view = userTreeView;
+
+ clientAuthRememberService = Cc[
+ "@mozilla.org/security/clientAuthRememberService;1"
+ ].getService(Ci.nsIClientAuthRememberService);
+
+ overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
+ Ci.nsICertOverrideService
+ );
+
+ rememberedDecisionsRichList.richlist =
+ document.getElementById("rememberedList");
+ serverRichList.richlist = document.getElementById("serverList");
+
+ rememberedDecisionsRichList.buildRichList();
+ serverRichList.buildRichList();
+
+ rememberedDecisionsRichList.setButtonState();
+
+ enableBackupAllButton();
+}
+
+function enableBackupAllButton() {
+ let backupAllButton = document.getElementById("mine_backupAllButton");
+ backupAllButton.disabled = userTreeView.rowCount < 1;
+}
+
+function getSelectedCerts() {
+ var ca_tab = document.getElementById("ca_tab");
+ var mine_tab = document.getElementById("mine_tab");
+ var others_tab = document.getElementById("others_tab");
+ var items = null;
+ if (ca_tab.selected) {
+ items = caTreeView.selection;
+ } else if (mine_tab.selected) {
+ items = userTreeView.selection;
+ } else if (others_tab.selected) {
+ items = emailTreeView.selection;
+ }
+ selected_certs = [];
+ var cert = null;
+ var nr = 0;
+ if (items != null) {
+ nr = items.getRangeCount();
+ }
+ if (nr > 0) {
+ for (let i = 0; i < nr; i++) {
+ var o1 = {};
+ var o2 = {};
+ items.getRangeAt(i, o1, o2);
+ var min = o1.value;
+ var max = o2.value;
+ for (let j = min; j <= max; j++) {
+ if (ca_tab.selected) {
+ cert = caTreeView.getCert(j);
+ } else if (mine_tab.selected) {
+ cert = userTreeView.getCert(j);
+ } else if (others_tab.selected) {
+ cert = emailTreeView.getCert(j);
+ }
+ if (cert) {
+ var sc = selected_certs.length;
+ selected_certs[sc] = cert;
+ selected_index[sc] = j;
+ }
+ }
+ }
+ }
+}
+
+function getSelectedTreeItems() {
+ var ca_tab = document.getElementById("ca_tab");
+ var mine_tab = document.getElementById("mine_tab");
+ var others_tab = document.getElementById("others_tab");
+ var items = null;
+ if (ca_tab.selected) {
+ items = caTreeView.selection;
+ } else if (mine_tab.selected) {
+ items = userTreeView.selection;
+ } else if (others_tab.selected) {
+ items = emailTreeView.selection;
+ }
+ selected_certs = [];
+ selected_tree_items = [];
+ selected_index = [];
+ var tree_item = null;
+ var nr = 0;
+ if (items != null) {
+ nr = items.getRangeCount();
+ }
+ if (nr > 0) {
+ for (let i = 0; i < nr; i++) {
+ var o1 = {};
+ var o2 = {};
+ items.getRangeAt(i, o1, o2);
+ var min = o1.value;
+ var max = o2.value;
+ for (let j = min; j <= max; j++) {
+ if (ca_tab.selected) {
+ tree_item = caTreeView.getTreeItem(j);
+ } else if (mine_tab.selected) {
+ tree_item = userTreeView.getTreeItem(j);
+ } else if (others_tab.selected) {
+ tree_item = emailTreeView.getTreeItem(j);
+ }
+ if (tree_item) {
+ var sc = selected_tree_items.length;
+ selected_tree_items[sc] = tree_item;
+ selected_index[sc] = j;
+ }
+ }
+ }
+ }
+}
+
+/**
+ * Returns true if nothing in the given cert tree is selected or if the
+ * selection includes a container. Returns false otherwise.
+ *
+ * @param {nsICertTree} certTree
+ * @returns {boolean}
+ */
+function nothingOrContainerSelected(certTree) {
+ var certTreeSelection = certTree.selection;
+ var numSelectionRanges = certTreeSelection.getRangeCount();
+
+ if (numSelectionRanges == 0) {
+ return true;
+ }
+
+ for (var i = 0; i < numSelectionRanges; i++) {
+ var o1 = {};
+ var o2 = {};
+ certTreeSelection.getRangeAt(i, o1, o2);
+ var minIndex = o1.value;
+ var maxIndex = o2.value;
+ for (var j = minIndex; j <= maxIndex; j++) {
+ if (certTree.isContainer(j)) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+async function promptError(aErrorCode) {
+ if (aErrorCode != Ci.nsIX509CertDB.Success) {
+ let msgName = "pkcs12-unknown-err";
+ switch (aErrorCode) {
+ case Ci.nsIX509CertDB.ERROR_PKCS12_NOSMARTCARD_EXPORT:
+ msgName = "pkcs12-info-no-smartcard-backup";
+ break;
+ case Ci.nsIX509CertDB.ERROR_PKCS12_RESTORE_FAILED:
+ msgName = "pkcs12-unknown-err-restore";
+ break;
+ case Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED:
+ msgName = "pkcs12-unknown-err-backup";
+ break;
+ case Ci.nsIX509CertDB.ERROR_PKCS12_CERT_COLLISION:
+ case Ci.nsIX509CertDB.ERROR_PKCS12_DUPLICATE_DATA:
+ msgName = "pkcs12-dup-data";
+ break;
+ case Ci.nsIX509CertDB.ERROR_BAD_PASSWORD:
+ msgName = "pk11-bad-password";
+ break;
+ case Ci.nsIX509CertDB.ERROR_DECODE_ERROR:
+ msgName = "pkcs12-decode-err";
+ break;
+ default:
+ break;
+ }
+ let [message] = await document.l10n.formatValues([{ id: msgName }]);
+ let prompter = Services.ww.getNewPrompter(window);
+ prompter.alert(null, message);
+ }
+}
+
+/**
+ * Enables or disables buttons corresponding to a cert tree depending on what
+ * is selected in the cert tree.
+ *
+ * @param {nsICertTree} certTree
+ * @param {Array} idList A list of string identifiers for button elements to
+ * enable or disable.
+ */
+function enableButtonsForCertTree(certTree, idList) {
+ let disableButtons = nothingOrContainerSelected(certTree);
+
+ for (let id of idList) {
+ document.getElementById(id).setAttribute("disabled", disableButtons);
+ }
+}
+
+function ca_enableButtons() {
+ let idList = [
+ "ca_viewButton",
+ "ca_editButton",
+ "ca_exportButton",
+ "ca_deleteButton",
+ ];
+ enableButtonsForCertTree(caTreeView, idList);
+}
+
+function mine_enableButtons() {
+ let idList = ["mine_viewButton", "mine_backupButton", "mine_deleteButton"];
+ enableButtonsForCertTree(userTreeView, idList);
+}
+
+function email_enableButtons() {
+ let idList = ["email_viewButton", "email_exportButton", "email_deleteButton"];
+ enableButtonsForCertTree(emailTreeView, idList);
+}
+
+async function backupCerts() {
+ getSelectedCerts();
+ var numcerts = selected_certs.length;
+ if (numcerts == 0) {
+ return;
+ }
+
+ var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+ let [backupFileDialog, filePkcs12Spec] = await document.l10n.formatValues([
+ { id: "choose-p12-backup-file-dialog" },
+ { id: "file-browse-pkcs12-spec" },
+ ]);
+ fp.init(window, backupFileDialog, Ci.nsIFilePicker.modeSave);
+ fp.appendFilter(filePkcs12Spec, "*.p12");
+ fp.appendFilters(Ci.nsIFilePicker.filterAll);
+ fp.defaultExtension = "p12";
+ fp.open(rv => {
+ if (
+ rv == Ci.nsIFilePicker.returnOK ||
+ rv == Ci.nsIFilePicker.returnReplace
+ ) {
+ let password = {};
+ if (certdialogs.setPKCS12FilePassword(window, password)) {
+ let errorCode = certdb.exportPKCS12File(
+ fp.file,
+ selected_certs,
+ password.value
+ );
+ promptError(errorCode);
+ }
+ }
+ });
+}
+
+function backupAllCerts() {
+ // Select all rows, then call doBackup()
+ userTreeView.selection.selectAll();
+ backupCerts();
+}
+
+function editCerts() {
+ getSelectedCerts();
+
+ for (let cert of selected_certs) {
+ window.browsingContext.topChromeWindow.openDialog(
+ "chrome://pippki/content/editcacert.xhtml",
+ "",
+ "chrome,centerscreen,modal",
+ cert
+ );
+ }
+}
+
+async function restoreCerts() {
+ var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+ let [restoreFileDialog, filePkcs12Spec, fileCertSpec] =
+ await document.l10n.formatValues([
+ { id: "choose-p12-restore-file-dialog" },
+ { id: "file-browse-pkcs12-spec" },
+ { id: "file-browse-certificate-spec" },
+ ]);
+ fp.init(window, restoreFileDialog, Ci.nsIFilePicker.modeOpen);
+ fp.appendFilter(filePkcs12Spec, "*.p12; *.pfx");
+ fp.appendFilter(fileCertSpec, gCertFileTypes);
+ fp.appendFilters(Ci.nsIFilePicker.filterAll);
+ fp.open(rv => {
+ if (rv != Ci.nsIFilePicker.returnOK) {
+ return;
+ }
+
+ // If this is an X509 user certificate, import it as one.
+
+ var isX509FileType = false;
+ var fileTypesList = gCertFileTypes.slice(1).split("; *");
+ for (var type of fileTypesList) {
+ if (fp.file.path.endsWith(type)) {
+ isX509FileType = true;
+ break;
+ }
+ }
+
+ if (isX509FileType) {
+ let fstream = Cc[
+ "@mozilla.org/network/file-input-stream;1"
+ ].createInstance(Ci.nsIFileInputStream);
+ fstream.init(fp.file, -1, 0, 0);
+ let dataString = NetUtil.readInputStreamToString(
+ fstream,
+ fstream.available()
+ );
+ let dataArray = [];
+ for (let i = 0; i < dataString.length; i++) {
+ dataArray.push(dataString.charCodeAt(i));
+ }
+ fstream.close();
+ let prompter = Services.ww.getNewPrompter(window);
+ let interfaceRequestor = {
+ getInterface() {
+ return prompter;
+ },
+ };
+ certdb.importUserCertificate(
+ dataArray,
+ dataArray.length,
+ interfaceRequestor
+ );
+ } else {
+ // Otherwise, assume it's a PKCS12 file and import it that way.
+ let password = {};
+ let errorCode = Ci.nsIX509CertDB.ERROR_BAD_PASSWORD;
+ while (
+ errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD &&
+ certdialogs.getPKCS12FilePassword(window, password)
+ ) {
+ errorCode = certdb.importPKCS12File(fp.file, password.value);
+ if (
+ errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD &&
+ !password.value.length
+ ) {
+ // It didn't like empty string password, try no password.
+ errorCode = certdb.importPKCS12File(fp.file, null);
+ }
+ promptError(errorCode);
+ }
+ }
+
+ var certcache = certdb.getCerts();
+ userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT);
+ userTreeView.selection.clearSelection();
+ caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+ caTreeView.selection.clearSelection();
+ enableBackupAllButton();
+ });
+}
+
+async function exportCerts() {
+ getSelectedCerts();
+
+ for (let cert of selected_certs) {
+ await exportToFile(window, cert);
+ }
+}
+
+/**
+ * Deletes the selected certs in the active tab.
+ */
+function deleteCerts() {
+ getSelectedTreeItems();
+ let numcerts = selected_tree_items.length;
+ if (numcerts == 0) {
+ return;
+ }
+
+ const treeViewMap = {
+ mine_tab: userTreeView,
+ ca_tab: caTreeView,
+ others_tab: emailTreeView,
+ };
+ let selTab = document.getElementById("certMgrTabbox").selectedItem;
+ let selTabID = selTab.getAttribute("id");
+
+ if (!(selTabID in treeViewMap)) {
+ return;
+ }
+
+ let retVals = {
+ deleteConfirmed: false,
+ };
+ window.browsingContext.topChromeWindow.openDialog(
+ "chrome://pippki/content/deletecert.xhtml",
+ "",
+ "chrome,centerscreen,modal",
+ selTabID,
+ selected_tree_items,
+ retVals
+ );
+
+ if (retVals.deleteConfirmed) {
+ let treeView = treeViewMap[selTabID];
+
+ for (let t = numcerts - 1; t >= 0; t--) {
+ treeView.deleteEntryObject(selected_index[t]);
+ }
+
+ selected_tree_items = [];
+ selected_index = [];
+ treeView.selection.clearSelection();
+ if (selTabID == "mine_tab") {
+ enableBackupAllButton();
+ }
+ }
+}
+
+function viewCerts() {
+ getSelectedCerts();
+
+ for (let cert of selected_certs) {
+ viewCertHelper(window, cert);
+ }
+}
+
+async function addCACerts() {
+ var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+ let [importCa, fileCertSpec] = await document.l10n.formatValues([
+ { id: "import-ca-certs-prompt" },
+ { id: "file-browse-certificate-spec" },
+ ]);
+ fp.init(window, importCa, Ci.nsIFilePicker.modeOpen);
+ fp.appendFilter(fileCertSpec, gCertFileTypes);
+ fp.appendFilters(Ci.nsIFilePicker.filterAll);
+ fp.open(rv => {
+ if (rv == Ci.nsIFilePicker.returnOK) {
+ certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.CA_CERT);
+ let certcache = certdb.getCerts();
+ caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+ caTreeView.selection.clearSelection();
+ }
+ });
+}
+
+async function addEmailCert() {
+ var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+ let [importEmail, fileCertSpec] = await document.l10n.formatValues([
+ { id: "import-email-cert-prompt" },
+ { id: "file-browse-certificate-spec" },
+ ]);
+ fp.init(window, importEmail, Ci.nsIFilePicker.modeOpen);
+ fp.appendFilter(fileCertSpec, gCertFileTypes);
+ fp.appendFilters(Ci.nsIFilePicker.filterAll);
+ fp.open(rv => {
+ if (rv == Ci.nsIFilePicker.returnOK) {
+ certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.EMAIL_CERT);
+ var certcache = certdb.getCerts();
+ emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT);
+ emailTreeView.selection.clearSelection();
+ caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+ caTreeView.selection.clearSelection();
+ }
+ });
+}
diff --git a/security/manager/pki/resources/content/certManager.xhtml b/security/manager/pki/resources/content/certManager.xhtml
new file mode 100644
index 0000000000..194509bdd6
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.xhtml
@@ -0,0 +1,333 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ windowtype="mozilla:certmanager"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ data-l10n-id="certmgr-title"
+ onload="LoadCerts();"
+ persist="screenX screenY width height"
+>
+ <dialog id="certmanager" buttons="accept">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+ <html:link
+ rel="stylesheet"
+ href="chrome://pippki/content/certManager.css"
+ />
+
+ <html:link
+ rel="localization"
+ href="security/certificates/certManager.ftl"
+ />
+ </linkset>
+
+ <script src="chrome://pippki/content/pippki.js" />
+ <script src="chrome://pippki/content/certManager.js" />
+
+ <tabbox id="certmanagertabs" flex="1" persist="selectedIndex">
+ <tabs id="certMgrTabbox">
+ <tab id="mine_tab" data-l10n-id="certmgr-tab-mine" />
+ <tab id="remembered_tab" data-l10n-id="certmgr-tab-remembered" />
+ <tab id="others_tab" data-l10n-id="certmgr-tab-people" />
+ <tab id="websites_tab" data-l10n-id="certmgr-tab-servers" />
+ <tab id="ca_tab" data-l10n-id="certmgr-tab-ca" selected="true" />
+ </tabs>
+ <tabpanels flex="1">
+ <vbox id="myCerts" flex="1">
+ <description data-l10n-id="certmgr-mine"></description>
+ <separator class="thin" />
+ <tree
+ id="user-tree"
+ flex="1"
+ enableColumnDrag="true"
+ onselect="mine_enableButtons()"
+ >
+ <treecols>
+ <!--
+ The below code may suggest that 'ordinal' is still a supported XUL
+ XUL attribute. It is not. This is a crutch so that we can
+ continue persisting the CSS order property,
+ which is the appropriate replacement for the ordinal attribute
+ but cannot yet be easily persisted. The code that synchronizes
+ the attribute with the CSS lives in
+ toolkit/content/widget/tree.js and is specific to tree elements.
+ -->
+ <treecol
+ id="certcol"
+ data-l10n-id="certmgr-cert-name"
+ primary="true"
+ persist="hidden width ordinal"
+ />
+ <splitter class="tree-splitter" />
+ <treecol
+ id="tokencol"
+ data-l10n-id="certmgr-token-name"
+ persist="hidden width ordinal"
+ />
+ <splitter class="tree-splitter" />
+ <treecol
+ id="serialnumcol"
+ data-l10n-id="certmgr-serial"
+ persist="hidden width ordinal"
+ />
+ <splitter class="tree-splitter" />
+ <treecol
+ id="issuedcol"
+ data-l10n-id="certmgr-begins-label"
+ hidden="true"
+ persist="hidden width ordinal"
+ />
+ <splitter class="tree-splitter" />
+ <treecol
+ id="expiredcol"
+ data-l10n-id="certmgr-expires-label"
+ persist="hidden width ordinal"
+ />
+ </treecols>
+ <treechildren ondblclick="viewCerts();" />
+ </tree>
+
+ <separator class="thin" />
+
+ <hbox>
+ <button
+ id="mine_viewButton"
+ class="normal"
+ data-l10n-id="certmgr-view"
+ disabled="true"
+ oncommand="viewCerts();"
+ />
+ <button
+ id="mine_backupButton"
+ class="normal"
+ data-l10n-id="certmgr-backup"
+ disabled="true"
+ oncommand="backupCerts();"
+ />
+ <button
+ id="mine_backupAllButton"
+ class="normal"
+ data-l10n-id="certmgr-backup-all"
+ oncommand="backupAllCerts();"
+ />
+ <button
+ id="mine_restoreButton"
+ class="normal"
+ data-l10n-id="certmgr-restore"
+ oncommand="restoreCerts();"
+ />
+ <button
+ id="mine_deleteButton"
+ class="normal"
+ data-l10n-id="certmgr-delete"
+ disabled="true"
+ oncommand="deleteCerts();"
+ />
+ </hbox>
+ </vbox>
+ <vbox id="rememberedCerts" flex="1">
+ <description data-l10n-id="certmgr-remembered"></description>
+ <separator class="thin" />
+
+ <listheader equalsize="always">
+ <treecol
+ id="hostcol"
+ data-l10n-id="certmgr-cert-host"
+ primary="true"
+ persist="hidden width ordinal"
+ />
+ <treecol
+ id="certcol"
+ data-l10n-id="certmgr-cert-name"
+ primary="true"
+ persist="hidden width ordinal"
+ />
+ <treecol
+ id="serialnumcol"
+ data-l10n-id="certmgr-serial"
+ persist="hidden width ordinal"
+ />
+ </listheader>
+ <richlistbox id="rememberedList" flex="1" selected="false" />
+
+ <separator class="thin" />
+
+ <hbox>
+ <button
+ id="remembered_deleteButton"
+ class="normal"
+ data-l10n-id="certmgr-delete"
+ oncommand="rememberedDecisionsRichList.deleteSelectedRichListItem()"
+ />
+
+ <button
+ id="remembered_viewButton"
+ class="normal"
+ data-l10n-id="certmgr-view"
+ oncommand="rememberedDecisionsRichList.viewSelectedRichListItem()"
+ />
+ </hbox>
+ </vbox>
+ <vbox id="othersCerts" flex="1">
+ <description data-l10n-id="certmgr-people"></description>
+ <separator class="thin" />
+ <tree id="email-tree" flex="1" onselect="email_enableButtons()">
+ <treecols>
+ <treecol
+ id="certcol"
+ data-l10n-id="certmgr-cert-name"
+ primary="true"
+ />
+ <splitter class="tree-splitter" />
+ <treecol id="emailcol" data-l10n-id="certmgr-email" />
+ <splitter class="tree-splitter" />
+ <treecol id="expiredcol" data-l10n-id="certmgr-expires-label" />
+ </treecols>
+ <treechildren flex="1" ondblclick="viewCerts();" />
+ </tree>
+
+ <separator class="thin" />
+
+ <hbox>
+ <button
+ id="email_viewButton"
+ data-l10n-id="certmgr-view"
+ disabled="true"
+ oncommand="viewCerts();"
+ />
+ <button
+ id="email_addButton"
+ data-l10n-id="certmgr-restore"
+ oncommand="addEmailCert();"
+ />
+ <button
+ id="email_exportButton"
+ data-l10n-id="certmgr-export"
+ disabled="true"
+ oncommand="exportCerts();"
+ />
+ <button
+ id="email_deleteButton"
+ data-l10n-id="certmgr-delete"
+ disabled="true"
+ oncommand="deleteCerts();"
+ />
+ </hbox>
+ </vbox>
+
+ <vbox id="webCerts" flex="1">
+ <description data-l10n-id="certmgr-server"></description>
+ <separator class="thin" />
+
+ <listheader equalsize="always">
+ <treecol
+ id="sitecol"
+ data-l10n-id="certmgr-cert-server"
+ primary="true"
+ />
+ <treecol
+ id="sha256col"
+ data-l10n-id="certmgr-fingerprint-sha-256"
+ />
+ </listheader>
+ <richlistbox
+ ondblclick="serverRichList.viewSelectedRichListItem();"
+ id="serverList"
+ flex="1"
+ selected="false"
+ />
+
+ <separator class="thin" />
+
+ <hbox>
+ <button
+ id="websites_deleteButton"
+ data-l10n-id="certmgr-delete"
+ oncommand="serverRichList.deleteSelectedRichListItem();"
+ />
+ <button
+ id="websites_exceptionButton"
+ data-l10n-id="certmgr-add-exception"
+ oncommand="serverRichList.addException();"
+ />
+ </hbox>
+ </vbox>
+ <vbox id="CACerts" flex="1">
+ <description data-l10n-id="certmgr-ca"></description>
+ <separator class="thin" />
+ <tree
+ id="ca-tree"
+ flex="1"
+ enableColumnDrag="true"
+ onselect="ca_enableButtons()"
+ >
+ <treecols>
+ <!--
+ The below code may suggest that 'ordinal' is still a supported XUL
+ XUL attribute. It is not. This is a crutch so that we can
+ continue persisting the CSS order property,
+ which is the appropriate replacement for the ordinal attribute
+ but cannot yet be easily persisted. The code that synchronizes
+ the attribute with the CSS lives in
+ toolkit/content/widget/tree.js and is specific to tree elements.
+ -->
+ <treecol
+ id="certcol"
+ data-l10n-id="certmgr-cert-name"
+ primary="true"
+ persist="hidden width ordinal"
+ />
+ <splitter class="tree-splitter" />
+ <treecol
+ id="tokencol"
+ data-l10n-id="certmgr-token-name"
+ persist="hidden width ordinal"
+ />
+ </treecols>
+ <treechildren ondblclick="viewCerts();" />
+ </tree>
+
+ <separator class="thin" />
+
+ <hbox>
+ <button
+ id="ca_viewButton"
+ data-l10n-id="certmgr-view"
+ disabled="true"
+ oncommand="viewCerts();"
+ />
+ <button
+ id="ca_editButton"
+ data-l10n-id="certmgr-edit"
+ disabled="true"
+ oncommand="editCerts();"
+ />
+ <button
+ id="ca_addButton"
+ data-l10n-id="certmgr-restore"
+ oncommand="addCACerts();"
+ />
+ <button
+ id="ca_exportButton"
+ data-l10n-id="certmgr-export"
+ disabled="true"
+ oncommand="exportCerts();"
+ />
+ <button
+ id="ca_deleteButton"
+ data-l10n-id="certmgr-delete-builtin"
+ disabled="true"
+ oncommand="deleteCerts();"
+ />
+ </hbox>
+ </vbox>
+ </tabpanels>
+ </tabbox>
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/changepassword.js b/security/manager/pki/resources/content/changepassword.js
new file mode 100644
index 0000000000..b498bf9ce0
--- /dev/null
+++ b/security/manager/pki/resources/content/changepassword.js
@@ -0,0 +1,212 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+const { XPCOMUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/XPCOMUtils.sys.mjs"
+);
+
+ChromeUtils.defineLazyGetter(
+ this,
+ "l10n",
+ () => new Localization(["security/pippki/pippki.ftl"], true)
+);
+
+var params;
+var token;
+var pw1;
+
+function doPrompt(messageL10nId) {
+ let msg = l10n.formatValueSync(messageL10nId);
+ Services.prompt.alert(window, null, msg);
+}
+
+function onLoad() {
+ document.getElementById("set_password").getButton("accept").disabled = true;
+ document.addEventListener("dialogaccept", setPassword);
+
+ pw1 = document.getElementById("pw1");
+ params = window.arguments[0].QueryInterface(Ci.nsIDialogParamBlock);
+ token = params.objects.GetElementAt(0).QueryInterface(Ci.nsIPK11Token);
+
+ document.l10n.setAttributes(
+ document.getElementById("tokenName"),
+ "change-password-token",
+ { tokenName: token.tokenName }
+ );
+ process();
+}
+
+function process() {
+ let bundle = document.getElementById("pippki_bundle");
+ let oldpwbox = document.getElementById("oldpw");
+ let msgBox = document.getElementById("message");
+ // If the token is unitialized, don't use the old password box.
+ // Otherwise, do.
+ if ((token.needsLogin() && token.needsUserInit) || !token.needsLogin()) {
+ oldpwbox.hidden = true;
+ msgBox.setAttribute("value", bundle.getString("password_not_set"));
+ msgBox.hidden = false;
+
+ if (!token.needsLogin()) {
+ oldpwbox.setAttribute("inited", "empty");
+ } else {
+ oldpwbox.setAttribute("inited", "true");
+ }
+
+ // Select first password field
+ document.getElementById("pw1").focus();
+ } else {
+ // Select old password field
+ oldpwbox.hidden = false;
+ msgBox.hidden = true;
+ oldpwbox.setAttribute("inited", "false");
+ oldpwbox.focus();
+ }
+
+ // Return value 0 means "canceled"
+ params.SetInt(1, 0);
+
+ checkPasswords();
+}
+
+function setPassword(event) {
+ var oldpwbox = document.getElementById("oldpw");
+ var initpw = oldpwbox.getAttribute("inited");
+
+ var success = false;
+
+ if (initpw == "false" || initpw == "empty") {
+ try {
+ var oldpw = "";
+ var passok = 0;
+
+ if (initpw == "empty") {
+ passok = 1;
+ } else {
+ oldpw = oldpwbox.value;
+ passok = token.checkPassword(oldpw);
+ }
+
+ if (passok) {
+ if (initpw == "empty" && pw1.value == "") {
+ // checkPasswords() should have prevented this path from being reached.
+ } else {
+ if (pw1.value == "") {
+ var secmoddb = Cc[
+ "@mozilla.org/security/pkcs11moduledb;1"
+ ].getService(Ci.nsIPKCS11ModuleDB);
+ if (secmoddb.isFIPSEnabled) {
+ // empty passwords are not allowed in FIPS mode
+ doPrompt("pippki-pw-change2empty-in-fips-mode");
+ passok = 0;
+ }
+ }
+ if (passok) {
+ token.changePassword(oldpw, pw1.value);
+ if (pw1.value == "") {
+ doPrompt("pippki-pw-erased-ok");
+ } else {
+ doPrompt("pippki-pw-change-ok");
+ }
+ success = true;
+ }
+ }
+ } else {
+ oldpwbox.focus();
+ oldpwbox.setAttribute("value", "");
+ doPrompt("pippki-incorrect-pw");
+ }
+ } catch (e) {
+ doPrompt("pippki-failed-pw-change");
+ }
+ } else {
+ token.initPassword(pw1.value);
+ if (pw1.value == "") {
+ doPrompt("pippki-pw-not-wanted");
+ }
+ success = true;
+ }
+
+ if (success && params) {
+ // Return value 1 means "successfully executed ok"
+ params.SetInt(1, 1);
+ }
+
+ // Terminate dialog
+ if (!success) {
+ event.preventDefault();
+ }
+}
+
+function setPasswordStrength() {
+ // We weigh the quality of the password by checking the number of:
+ // - Characters
+ // - Numbers
+ // - Non-alphanumeric chars
+ // - Upper and lower case characters
+
+ let pw = document.getElementById("pw1").value;
+
+ let pwlength = pw.length;
+ if (pwlength > 5) {
+ pwlength = 5;
+ }
+
+ let numnumeric = pw.replace(/[0-9]/g, "");
+ let numeric = pw.length - numnumeric.length;
+ if (numeric > 3) {
+ numeric = 3;
+ }
+
+ let symbols = pw.replace(/\W/g, "");
+ let numsymbols = pw.length - symbols.length;
+ if (numsymbols > 3) {
+ numsymbols = 3;
+ }
+
+ let numupper = pw.replace(/[A-Z]/g, "");
+ let upper = pw.length - numupper.length;
+ if (upper > 3) {
+ upper = 3;
+ }
+
+ let pwstrength =
+ pwlength * 10 - 20 + numeric * 10 + numsymbols * 15 + upper * 10;
+
+ // Clamp strength to [0, 100].
+ if (pwstrength < 0) {
+ pwstrength = 0;
+ }
+ if (pwstrength > 100) {
+ pwstrength = 100;
+ }
+
+ let meter = document.getElementById("pwmeter");
+ meter.setAttribute("value", pwstrength);
+}
+
+function checkPasswords() {
+ let pw1 = document.getElementById("pw1").value;
+ let pw2 = document.getElementById("pw2").value;
+
+ var oldpwbox = document.getElementById("oldpw");
+ if (oldpwbox) {
+ var initpw = oldpwbox.getAttribute("inited");
+
+ if (initpw == "empty" && pw1 == "") {
+ // The token has already been initialized, therefore this dialog
+ // was called with the intention to change the password.
+ // The token currently uses an empty password.
+ // We will not allow changing the password from empty to empty.
+ document
+ .getElementById("set_password")
+ .getButton("accept").disabled = true;
+ return;
+ }
+ }
+
+ document.getElementById("set_password").getButton("accept").disabled =
+ pw1 != pw2;
+}
diff --git a/security/manager/pki/resources/content/changepassword.xhtml b/security/manager/pki/resources/content/changepassword.xhtml
new file mode 100644
index 0000000000..7215f3a536
--- /dev/null
+++ b/security/manager/pki/resources/content/changepassword.xhtml
@@ -0,0 +1,77 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ data-l10n-id="change-device-password-window"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ onload="onLoad();"
+>
+ <dialog id="set_password" buttons="accept,cancel">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+
+ <html:link rel="localization" href="security/pippki/pippki.ftl" />
+ </linkset>
+
+ <stringbundle
+ id="pippki_bundle"
+ src="chrome://pippki/locale/pippki.properties"
+ />
+
+ <script src="chrome://global/content/globalOverlay.js" />
+ <script src="chrome://global/content/editMenuOverlay.js" />
+
+ <script src="chrome://pippki/content/changepassword.js" />
+
+ <hbox align="center">
+ <label
+ id="tokenName"
+ data-l10n-id="change-password-token"
+ data-l10n-args='{"tokenName":""}'
+ />
+ </hbox>
+
+ <separator />
+
+ <vbox>
+ <hbox class="input-row">
+ <label flex="1" data-l10n-id="change-password-old" />
+ <html:input id="oldpw" type="password" />
+ <!-- This textbox is inserted as a workaround to the fact that making the 'type'
+ & 'disabled' property of the 'oldpw' textbox toggle between ['password' &
+ 'false'] and ['text' & 'true'] - as would be necessary if the menu has more
+ than one tokens, some initialized and some not - does not work properly. So,
+ either the textbox 'oldpw' or the textbox 'message' would be displayed,
+ depending on the state of the token selected
+ -->
+ <html:input id="message" disabled="true" />
+ </hbox>
+ <hbox class="input-row">
+ <label flex="1" data-l10n-id="change-password-new" />
+ <html:input
+ id="pw1"
+ type="password"
+ oninput="setPasswordStrength(); checkPasswords();"
+ />
+ </hbox>
+ <hbox class="input-row">
+ <label flex="1" data-l10n-id="change-password-reenter" />
+ <html:input id="pw2" type="password" oninput="checkPasswords();" />
+ </hbox>
+ </vbox>
+
+ <vbox style="margin: 6px">
+ <label
+ for="pwmeter"
+ style="display: flex"
+ data-l10n-id="password-quality-meter"
+ />
+ <html:progress id="pwmeter" value="0" max="100" />
+ </vbox>
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/clientauthask.css b/security/manager/pki/resources/content/clientauthask.css
new file mode 100644
index 0000000000..0b8217bc4b
--- /dev/null
+++ b/security/manager/pki/resources/content/clientauthask.css
@@ -0,0 +1,17 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+:root {
+ min-width: 48em;
+}
+
+.important {
+ font-weight: bold;
+}
+
+.details {
+ text-overflow: ellipsis;
+ overflow: hidden;
+ white-space: nowrap;
+}
diff --git a/security/manager/pki/resources/content/clientauthask.js b/security/manager/pki/resources/content/clientauthask.js
new file mode 100644
index 0000000000..e9df667dbe
--- /dev/null
+++ b/security/manager/pki/resources/content/clientauthask.js
@@ -0,0 +1,162 @@
+/* -*- tab-width: 2; indent-tabs-mode: nil; js-indent-level: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+const { parse, pemToDER } = ChromeUtils.importESModule(
+ "chrome://global/content/certviewer/certDecoder.mjs"
+);
+
+/**
+ * @file Implements the functionality of clientauthask.xhtml: a dialog that allows
+ * a user pick a client certificate for TLS client authentication.
+ * @param {object} window.arguments.0
+ * An Object with the properties:
+ * {String} hostname
+ * The hostname of the server requesting client authentication.
+ * {Array<nsIX509Cert>} certArray
+ * Array of certificates the user can choose from
+ * {Object} retVal
+ * Object to set the return values of calling the dialog on.
+ * See ClientAuthAskReturnValues.
+ */
+
+/**
+ * @typedef ClientAuthAskReturnValues
+ * @type {object}
+ * @property {nsIX509Cert} cert
+ * The certificate, if chosen. null otherwise.
+ * @property {boolean} rememberDecision
+ * Set to true if the user wanted their cert selection to be
+ * remembered, false otherwise.
+ */
+
+/**
+ * The array of certs the user can choose from.
+ *
+ * @type {Array<nsIX509Cert>}
+ */
+var certArray;
+
+/**
+ * The checkbox storing whether the user wants to remember the selected cert.
+ *
+ * @type {HTMLInputElement} Element checkbox, has to have |checked| property.
+ */
+var rememberBox;
+
+async function onLoad() {
+ let rememberSetting = Services.prefs.getBoolPref(
+ "security.remember_cert_checkbox_default_setting"
+ );
+ rememberBox = document.getElementById("rememberBox");
+ rememberBox.checked = rememberSetting;
+
+ certArray = window.arguments[0].certArray;
+
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthSiteIdentification"),
+ "client-auth-site-identification",
+ { hostname: window.arguments[0].hostname }
+ );
+
+ let selectElement = document.getElementById("nicknames");
+ for (let i = 0; i < certArray.length; i++) {
+ let menuItemNode = document.createXULElement("menuitem");
+ let cert = certArray[i];
+ let nickAndSerial = `${cert.displayName} [${cert.serialNumber}]`;
+ menuItemNode.setAttribute("value", i);
+ menuItemNode.setAttribute("label", nickAndSerial); // This is displayed.
+ selectElement.menupopup.appendChild(menuItemNode);
+ if (i == 0) {
+ selectElement.selectedItem = menuItemNode;
+ }
+ }
+
+ await setDetails();
+ document.addEventListener("dialogaccept", doOK);
+ document.addEventListener("dialogcancel", doCancel);
+
+ Services.obs.notifyObservers(
+ document.getElementById("certAuthAsk"),
+ "cert-dialog-loaded"
+ );
+}
+
+/**
+ * Populates the details section with information concerning the selected cert.
+ */
+async function setDetails() {
+ let index = parseInt(document.getElementById("nicknames").value);
+ let cert = certArray[index];
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthCertDetailsIssuedTo"),
+ "client-auth-cert-details-issued-to",
+ { issuedTo: cert.subjectName }
+ );
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthCertDetailsSerialNumber"),
+ "client-auth-cert-details-serial-number",
+ { serialNumber: cert.serialNumber }
+ );
+ const formatter = new Intl.DateTimeFormat(undefined, {
+ dateStyle: "medium",
+ timeStyle: "long",
+ });
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthCertDetailsValidityPeriod"),
+ "client-auth-cert-details-validity-period",
+ {
+ notBefore: formatter.format(new Date(cert.validity.notBefore / 1000)),
+ notAfter: formatter.format(new Date(cert.validity.notAfter / 1000)),
+ }
+ );
+ let parsedCert = await parse(pemToDER(cert.getBase64DERString()));
+ let keyUsages = parsedCert.ext.keyUsages;
+ if (keyUsages && keyUsages.purposes.length) {
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthCertDetailsKeyUsages"),
+ "client-auth-cert-details-key-usages",
+ { keyUsages: keyUsages.purposes.join(", ") }
+ );
+ }
+ let emailAddresses = cert.getEmailAddresses();
+ if (emailAddresses.length) {
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthCertDetailsEmailAddresses"),
+ "client-auth-cert-details-email-addresses",
+ { emailAddresses: emailAddresses.join(", ") }
+ );
+ }
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthCertDetailsIssuedBy"),
+ "client-auth-cert-details-issued-by",
+ { issuedBy: cert.issuerName }
+ );
+ document.l10n.setAttributes(
+ document.getElementById("clientAuthCertDetailsStoredOn"),
+ "client-auth-cert-details-stored-on",
+ { storedOn: cert.tokenName }
+ );
+}
+
+async function onCertSelected() {
+ await setDetails();
+}
+
+function doOK() {
+ let { retVals } = window.arguments[0];
+ let index = parseInt(document.getElementById("nicknames").value);
+ let cert = certArray[index];
+ retVals.cert = cert;
+ retVals.rememberDecision = rememberBox.checked;
+}
+
+function doCancel() {
+ let { retVals } = window.arguments[0];
+ retVals.cert = null;
+ retVals.rememberDecision = rememberBox.checked;
+}
diff --git a/security/manager/pki/resources/content/clientauthask.xhtml b/security/manager/pki/resources/content/clientauthask.xhtml
new file mode 100644
index 0000000000..717dec5670
--- /dev/null
+++ b/security/manager/pki/resources/content/clientauthask.xhtml
@@ -0,0 +1,116 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ data-l10n-id="client-auth-window"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ onload="onLoad();"
+>
+ <dialog
+ id="certAuthAsk"
+ buttons="accept,cancel"
+ buttonidcancel="client-auth-send-no-certificate"
+ >
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+ <html:link
+ rel="stylesheet"
+ href="chrome://pippki/content/clientauthask.css"
+ />
+
+ <html:link rel="localization" href="security/pippki/pippki.ftl" />
+ </linkset>
+
+ <stringbundleset id="stringbundleset">
+ <stringbundle
+ id="pippki_bundle"
+ src="chrome://pippki/locale/pippki.properties"
+ />
+ </stringbundleset>
+
+ <script src="chrome://pippki/content/pippki.js" />
+ <script src="chrome://pippki/content/clientauthask.js" />
+ <script src="chrome://global/content/globalOverlay.js" />
+ <script src="chrome://global/content/editMenuOverlay.js" />
+
+ <description
+ class="important"
+ id="clientAuthSiteIdentification"
+ data-l10n-id="client-auth-site-identification"
+ data-l10n-args='{"hostname":""}'
+ ></description>
+
+ <!-- The items in this menulist must never be sorted,
+ but remain in the order filled by the application
+-->
+ <menulist id="nicknames" oncommand="onCertSelected();" native="true">
+ <menupopup />
+ </menulist>
+
+ <description
+ class="important"
+ data-l10n-id="client-auth-cert-details"
+ ></description>
+
+ <description
+ id="clientAuthCertDetailsIssuedTo"
+ class="details"
+ data-l10n-id="client-auth-cert-details-issued-to"
+ data-l10n-args='{"issuedTo":""}'
+ ></description>
+
+ <description
+ id="clientAuthCertDetailsSerialNumber"
+ class="details"
+ data-l10n-id="client-auth-cert-details-serial-number"
+ data-l10n-args='{"serialNumber":""}'
+ ></description>
+
+ <description
+ id="clientAuthCertDetailsValidityPeriod"
+ class="details"
+ data-l10n-id="client-auth-cert-details-validity-period"
+ data-l10n-args='{"notBefore":"","notAfter":""}'
+ ></description>
+
+ <description
+ id="clientAuthCertDetailsKeyUsages"
+ class="details"
+ data-l10n-id="client-auth-cert-details-key-usages"
+ data-l10n-args='{"keyUsages":""}'
+ ></description>
+
+ <description
+ id="clientAuthCertDetailsEmailAddresses"
+ class="details"
+ data-l10n-id="client-auth-cert-details-email-addresses"
+ data-l10n-args='{"emailAddresses":""}'
+ ></description>
+
+ <description
+ id="clientAuthCertDetailsIssuedBy"
+ class="details"
+ data-l10n-id="client-auth-cert-details-issued-by"
+ data-l10n-args='{"issuedBy":""}'
+ ></description>
+
+ <description
+ id="clientAuthCertDetailsStoredOn"
+ class="details"
+ data-l10n-id="client-auth-cert-details-stored-on"
+ data-l10n-args='{"storedOn":""}'
+ ></description>
+
+ <checkbox
+ id="rememberBox"
+ data-l10n-id="client-auth-cert-remember-box"
+ checked="true"
+ native="true"
+ />
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/deletecert.css b/security/manager/pki/resources/content/deletecert.css
new file mode 100644
index 0000000000..b959b9c492
--- /dev/null
+++ b/security/manager/pki/resources/content/deletecert.css
@@ -0,0 +1,24 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+dialog::part(content-box) {
+ flex: 1;
+}
+
+#confirm,
+#impact {
+ /* We don't want these to impact the horizontal size of the dialog */
+ contain: inline-size;
+}
+
+#impact {
+ margin-block-start: 12px;
+}
+
+#certlist {
+ flex: 1;
+ min-height: 8em;
+ contain: size;
+ min-width: 35em;
+}
diff --git a/security/manager/pki/resources/content/deletecert.js b/security/manager/pki/resources/content/deletecert.js
new file mode 100644
index 0000000000..7d926863ed
--- /dev/null
+++ b/security/manager/pki/resources/content/deletecert.js
@@ -0,0 +1,121 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+/**
+ * @file Implements the functionality of deletecert.xhtml: a dialog that allows a
+ * user to confirm whether to delete certain certificates.
+ * @param {string} window.arguments.0
+ * One of the tab IDs listed in certManager.xhtml.
+ * @param {object[]} window.arguments.1
+ * An array of objects representing the certs to delete.
+ * Each must have a 'cert' property or a 'hostPort' property.
+ * @param {DeleteCertReturnValues} window.arguments.2
+ * Object holding the return values of calling the dialog.
+ */
+
+/**
+ * @typedef DeleteCertReturnValues
+ * @type {object}
+ * @property {boolean} deleteConfirmed
+ * Set to true if the user confirmed deletion of the given certs,
+ * false otherwise.
+ */
+
+/**
+ * Returns the element to represent the given cert to delete.
+ *
+ * @param {object} certToDelete
+ * The item to represent.
+ * @returns {Element}
+ * A element of each cert tree item.
+ */
+function getLabelForCertToDelete(certToDelete) {
+ let element = document.createXULElement("label");
+ let cert = certToDelete.cert;
+ if (!cert) {
+ element.setAttribute("value", certToDelete.hostPort);
+ return element;
+ }
+
+ const attributes = [
+ cert.commonName,
+ cert.organizationalUnit,
+ cert.organization,
+ cert.subjectName,
+ ];
+ for (let attribute of attributes) {
+ if (attribute) {
+ element.setAttribute("value", attribute);
+ return element;
+ }
+ }
+
+ document.l10n.setAttributes(element, "cert-with-serial", {
+ serialNumber: cert.serialNumber,
+ });
+ return element;
+}
+
+/**
+ * onload() handler.
+ */
+function onLoad() {
+ let typeFlag = window.arguments[0];
+ let confirm = document.getElementById("confirm");
+ let impact = document.getElementById("impact");
+ let prefixForType;
+ switch (typeFlag) {
+ case "mine_tab":
+ prefixForType = "delete-user-cert-";
+ break;
+ case "websites_tab":
+ prefixForType = "delete-ssl-override-";
+ break;
+ case "ca_tab":
+ prefixForType = "delete-ca-cert-";
+ break;
+ case "others_tab":
+ prefixForType = "delete-email-cert-";
+ break;
+ default:
+ return;
+ }
+
+ document.l10n.setAttributes(
+ document.documentElement,
+ prefixForType + "title"
+ );
+ document.l10n.setAttributes(confirm, prefixForType + "confirm");
+ document.l10n.setAttributes(impact, prefixForType + "impact");
+
+ document.addEventListener("dialogaccept", onDialogAccept);
+ document.addEventListener("dialogcancel", onDialogCancel);
+
+ let box = document.getElementById("certlist");
+ let certsToDelete = window.arguments[1];
+ for (let certToDelete of certsToDelete) {
+ let listItem = document.createXULElement("richlistitem");
+ let label = getLabelForCertToDelete(certToDelete);
+ listItem.appendChild(label);
+ box.appendChild(listItem);
+ }
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+ let retVals = window.arguments[2];
+ retVals.deleteConfirmed = true;
+}
+
+/**
+ * ondialogcancel() handler.
+ */
+function onDialogCancel() {
+ let retVals = window.arguments[2];
+ retVals.deleteConfirmed = false;
+}
diff --git a/security/manager/pki/resources/content/deletecert.xhtml b/security/manager/pki/resources/content/deletecert.xhtml
new file mode 100644
index 0000000000..08e48ade58
--- /dev/null
+++ b/security/manager/pki/resources/content/deletecert.xhtml
@@ -0,0 +1,36 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ data-l10n-id="certmgr-delete-cert2"
+ data-l10n-attrs="style"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ onload="onLoad();"
+>
+ <dialog id="deleteCertificate" buttons="accept,cancel">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+ <html:link
+ rel="stylesheet"
+ href="chrome://pippki/content/deletecert.css"
+ />
+
+ <html:link
+ rel="localization"
+ href="security/certificates/certManager.ftl"
+ />
+ </linkset>
+
+ <script src="pippki.js" />
+ <script src="chrome://pippki/content/deletecert.js" />
+
+ <description id="confirm" />
+ <richlistbox id="certlist" class="box-padded" />
+ <description id="impact" />
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/device_manager.js b/security/manager/pki/resources/content/device_manager.js
new file mode 100644
index 0000000000..deb58d2ff3
--- /dev/null
+++ b/security/manager/pki/resources/content/device_manager.js
@@ -0,0 +1,433 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+const { XPCOMUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/XPCOMUtils.sys.mjs"
+);
+
+var secmoddb;
+var skip_enable_buttons = false;
+
+/* Do the initial load of all PKCS# modules and list them. */
+function LoadModules() {
+ secmoddb = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ RefreshDeviceList();
+}
+
+async function doPrompt(l10n_id) {
+ let [msg] = await document.l10n.formatValues([{ id: l10n_id }]);
+ Services.prompt.alert(window, null, msg);
+}
+
+async function doConfirm(l10n_id) {
+ let [msg] = await document.l10n.formatValues([{ id: l10n_id }]);
+ return Services.prompt.confirm(window, null, msg);
+}
+
+function RefreshDeviceList() {
+ for (let module of secmoddb.listModules()) {
+ let slots = module.listSlots();
+ AddModule(module, slots);
+ }
+
+ // Set the text on the FIPS button.
+ SetFIPSButton();
+}
+
+function SetFIPSButton() {
+ var fipsButton = document.getElementById("fipsbutton");
+ if (secmoddb.isFIPSEnabled) {
+ document.l10n.setAttributes(fipsButton, "devmgr-button-disable-fips");
+ } else {
+ document.l10n.setAttributes(fipsButton, "devmgr-button-enable-fips");
+ }
+
+ var can_toggle = secmoddb.canToggleFIPS;
+ if (can_toggle) {
+ fipsButton.removeAttribute("disabled");
+ } else {
+ fipsButton.setAttribute("disabled", "true");
+ }
+}
+
+/* Add a module to the tree. slots is the array of slots in the module,
+ * to be represented as children.
+ */
+function AddModule(module, slots) {
+ var tree = document.getElementById("device_list");
+ var item = document.createXULElement("treeitem");
+ var row = document.createXULElement("treerow");
+ var cell = document.createXULElement("treecell");
+ cell.setAttribute("label", module.name);
+ row.appendChild(cell);
+ item.appendChild(row);
+ var parent = document.createXULElement("treechildren");
+ for (let slot of slots) {
+ var child_item = document.createXULElement("treeitem");
+ var child_row = document.createXULElement("treerow");
+ var child_cell = document.createXULElement("treecell");
+ child_cell.setAttribute("label", slot.name);
+ child_row.appendChild(child_cell);
+ child_item.appendChild(child_row);
+ child_item.setAttribute("pk11kind", "slot");
+ // 'slot' is an attribute on any HTML element, hence 'slotObject' instead.
+ child_item.slotObject = slot;
+ parent.appendChild(child_item);
+ }
+ item.appendChild(parent);
+ item.setAttribute("pk11kind", "module");
+ item.module = module;
+ item.setAttribute("open", "true");
+ item.setAttribute("container", "true");
+ tree.appendChild(item);
+}
+
+var selected_slot;
+var selected_module;
+
+/* get the slot selected by the user (can only be one-at-a-time) */
+function getSelectedItem() {
+ let tree = document.getElementById("device_tree");
+ if (tree.currentIndex < 0) {
+ return;
+ }
+ let item = tree.view.getItemAtIndex(tree.currentIndex);
+ selected_slot = null;
+ selected_module = null;
+ if (item) {
+ let kind = item.getAttribute("pk11kind");
+ if (kind == "slot") {
+ selected_slot = item.slotObject;
+ } else {
+ // (kind == "module")
+ selected_module = item.module;
+ }
+ }
+}
+
+function enableButtons() {
+ if (skip_enable_buttons) {
+ return;
+ }
+
+ var login_toggle = "true";
+ var logout_toggle = "true";
+ var pw_toggle = "true";
+ var unload_toggle = "true";
+ getSelectedItem();
+ if (selected_module) {
+ unload_toggle = "false";
+ showModuleInfo();
+ } else if (selected_slot) {
+ // here's the workaround - login functions are all with token,
+ // so grab the token type
+ var selected_token = selected_slot.getToken();
+ if (selected_token != null) {
+ if (selected_token.needsLogin() || !selected_token.needsUserInit) {
+ pw_toggle = "false";
+ if (selected_token.needsLogin()) {
+ if (selected_token.isLoggedIn()) {
+ logout_toggle = "false";
+ } else {
+ login_toggle = "false";
+ }
+ }
+ }
+
+ if (
+ !Services.policies.isAllowed("createMasterPassword") &&
+ selected_token.isInternalKeyToken &&
+ !selected_token.hasPassword
+ ) {
+ pw_toggle = "true";
+ }
+ }
+ showSlotInfo();
+ }
+ document
+ .getElementById("login_button")
+ .setAttribute("disabled", login_toggle);
+ document
+ .getElementById("logout_button")
+ .setAttribute("disabled", logout_toggle);
+ document
+ .getElementById("change_pw_button")
+ .setAttribute("disabled", pw_toggle);
+ document
+ .getElementById("unload_button")
+ .setAttribute("disabled", unload_toggle);
+}
+
+// clear the display of information for the slot
+function ClearInfoList() {
+ let infoList = document.getElementById("info_list");
+ while (infoList.hasChildNodes()) {
+ infoList.firstChild.remove();
+ }
+}
+
+function ClearDeviceList() {
+ ClearInfoList();
+
+ skip_enable_buttons = true;
+ var tree = document.getElementById("device_tree");
+ tree.view.selection.clearSelection();
+ skip_enable_buttons = false;
+
+ // Remove the existing listed modules so that a refresh doesn't display the
+ // module that just changed.
+ let deviceList = document.getElementById("device_list");
+ while (deviceList.hasChildNodes()) {
+ deviceList.firstChild.remove();
+ }
+}
+
+// show a list of info about a slot
+function showSlotInfo() {
+ var present = true;
+ ClearInfoList();
+ switch (selected_slot.status) {
+ case Ci.nsIPKCS11Slot.SLOT_DISABLED:
+ AddInfoRow(
+ "devinfo-status",
+ { l10nID: "devinfo-status-disabled" },
+ "tok_status"
+ );
+ present = false;
+ break;
+ case Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT:
+ AddInfoRow(
+ "devinfo-status",
+ { l10nID: "devinfo-status-not-present" },
+ "tok_status"
+ );
+ present = false;
+ break;
+ case Ci.nsIPKCS11Slot.SLOT_UNINITIALIZED:
+ AddInfoRow(
+ "devinfo-status",
+ { l10nID: "devinfo-status-uninitialized" },
+ "tok_status"
+ );
+ break;
+ case Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN:
+ AddInfoRow(
+ "devinfo-status",
+ { l10nID: "devinfo-status-not-logged-in" },
+ "tok_status"
+ );
+ break;
+ case Ci.nsIPKCS11Slot.SLOT_LOGGED_IN:
+ AddInfoRow(
+ "devinfo-status",
+ { l10nID: "devinfo-status-logged-in" },
+ "tok_status"
+ );
+ break;
+ case Ci.nsIPKCS11Slot.SLOT_READY:
+ AddInfoRow(
+ "devinfo-status",
+ { l10nID: "devinfo-status-ready" },
+ "tok_status"
+ );
+ break;
+ default:
+ return;
+ }
+ AddInfoRow("devinfo-desc", { label: selected_slot.desc }, "slot_desc");
+ AddInfoRow("devinfo-man-id", { label: selected_slot.manID }, "slot_manID");
+ AddInfoRow(
+ "devinfo-hwversion",
+ { label: selected_slot.HWVersion },
+ "slot_hwv"
+ );
+ AddInfoRow(
+ "devinfo-fwversion",
+ { label: selected_slot.FWVersion },
+ "slot_fwv"
+ );
+ if (present) {
+ showTokenInfo();
+ }
+}
+
+function showModuleInfo() {
+ ClearInfoList();
+ AddInfoRow("devinfo-modname", { label: selected_module.name }, "module_name");
+ AddInfoRow(
+ "devinfo-modpath",
+ { label: selected_module.libName },
+ "module_path"
+ );
+}
+
+// add a row to the info list, as [col1 col2] (ex.: ["status" "logged in"])
+function AddInfoRow(l10nID, col2, cell_id) {
+ var tree = document.getElementById("info_list");
+ var item = document.createXULElement("treeitem");
+ var row = document.createXULElement("treerow");
+ var cell1 = document.createXULElement("treecell");
+ document.l10n.setAttributes(cell1, l10nID);
+ cell1.setAttribute("crop", "never");
+ row.appendChild(cell1);
+ var cell2 = document.createXULElement("treecell");
+ if (col2.l10nID) {
+ document.l10n.setAttributes(cell2, col2.l10nID);
+ } else {
+ cell2.setAttribute("label", col2.label);
+ }
+ cell2.setAttribute("crop", "never");
+ cell2.setAttribute("id", cell_id);
+ row.appendChild(cell2);
+ item.appendChild(row);
+ tree.appendChild(item);
+}
+
+// log in to a slot
+function doLogin() {
+ getSelectedItem();
+ // here's the workaround - login functions are with token
+ var selected_token = selected_slot.getToken();
+ try {
+ selected_token.login(false);
+ var tok_status = document.getElementById("tok_status");
+ if (selected_token.isLoggedIn()) {
+ document.l10n.setAttributes(tok_status, "devinfo-status-logged-in");
+ } else {
+ document.l10n.setAttributes(tok_status, "devinfo-status-not-logged-in");
+ }
+ } catch (e) {
+ doPrompt("login-failed");
+ }
+ enableButtons();
+}
+
+// log out of a slot
+function doLogout() {
+ getSelectedItem();
+ // here's the workaround - login functions are with token
+ var selected_token = selected_slot.getToken();
+ try {
+ selected_token.logoutAndDropAuthenticatedResources();
+ var tok_status = document.getElementById("tok_status");
+ if (selected_token.isLoggedIn()) {
+ document.l10n.setAttributes(tok_status, "devinfo-status-logged-in");
+ } else {
+ document.l10n.setAttributes(tok_status, "devinfo-status-not-logged-in");
+ }
+ } catch (e) {}
+ enableButtons();
+}
+
+// load a new device
+function doLoad() {
+ window.browsingContext.topChromeWindow.open(
+ "load_device.xhtml",
+ "loaddevice",
+ "chrome,centerscreen,modal"
+ );
+ ClearDeviceList();
+ RefreshDeviceList();
+}
+
+async function deleteSelected() {
+ getSelectedItem();
+ if (selected_module && (await doConfirm("del-module-warning"))) {
+ try {
+ secmoddb.deleteModule(selected_module.name);
+ } catch (e) {
+ doPrompt("del-module-error");
+ return false;
+ }
+ selected_module = null;
+ return true;
+ }
+ return false;
+}
+
+async function doUnload() {
+ if (await deleteSelected()) {
+ ClearDeviceList();
+ RefreshDeviceList();
+ }
+}
+
+function changePassword() {
+ getSelectedItem();
+ let params = Cc["@mozilla.org/embedcomp/dialogparam;1"].createInstance(
+ Ci.nsIDialogParamBlock
+ );
+ let objects = Cc["@mozilla.org/array;1"].createInstance(Ci.nsIMutableArray);
+ objects.appendElement(selected_slot.getToken());
+ params.objects = objects;
+ window.browsingContext.topChromeWindow.openDialog(
+ "changepassword.xhtml",
+ "",
+ "chrome,centerscreen,modal",
+ params
+ );
+ showSlotInfo();
+ enableButtons();
+}
+
+// ------------------------------------- Old code
+
+function showTokenInfo() {
+ var selected_token = selected_slot.getToken();
+ AddInfoRow("devinfo-label", { label: selected_token.tokenName }, "tok_label");
+ AddInfoRow(
+ "devinfo-man-id",
+ { label: selected_token.tokenManID },
+ "tok_manID"
+ );
+ AddInfoRow(
+ "devinfo-serialnum",
+ { label: selected_token.tokenSerialNumber },
+ "tok_sNum"
+ );
+ AddInfoRow(
+ "devinfo-hwversion",
+ { label: selected_token.tokenHWVersion },
+ "tok_hwv"
+ );
+ AddInfoRow(
+ "devinfo-fwversion",
+ { label: selected_token.tokenFWVersion },
+ "tok_fwv"
+ );
+}
+
+function toggleFIPS() {
+ if (!secmoddb.isFIPSEnabled) {
+ // A restriction of FIPS mode is, the password must be set
+ // In FIPS mode the password must be non-empty.
+ // This is different from what we allow in NON-Fips mode.
+
+ var tokendb = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ var internal_token = tokendb.getInternalKeyToken(); // nsIPK11Token
+ if (!internal_token.hasPassword) {
+ // Token has either no or an empty password.
+ doPrompt("fips-nonempty-primary-password-required");
+ return;
+ }
+ }
+
+ try {
+ secmoddb.toggleFIPSMode();
+ } catch (e) {
+ doPrompt("unable-to-toggle-fips");
+ return;
+ }
+
+ // Remove the existing listed modules so that a refresh doesn't display the
+ // module that just changed.
+ ClearDeviceList();
+
+ RefreshDeviceList();
+}
diff --git a/security/manager/pki/resources/content/device_manager.xhtml b/security/manager/pki/resources/content/device_manager.xhtml
new file mode 100644
index 0000000000..cca3e19e75
--- /dev/null
+++ b/security/manager/pki/resources/content/device_manager.xhtml
@@ -0,0 +1,113 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE dialog>
+
+<window
+ windowtype="mozilla:devicemanager"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ data-l10n-id="devmgr-window"
+ data-l10n-attrs="style"
+ persist="screenX screenY width height"
+ onload="LoadModules();"
+>
+ <dialog id="devicemanager" buttons="accept">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+
+ <html:link
+ rel="localization"
+ href="security/certificates/deviceManager.ftl"
+ />
+ </linkset>
+
+ <script src="chrome://pippki/content/device_manager.js" />
+
+ <hbox flex="1" style="margin: 5px">
+ <!-- List of devices -->
+ <tree
+ id="device_tree"
+ seltype="single"
+ onselect="enableButtons();"
+ hidecolumnpicker="true"
+ flex="1"
+ style="min-width: 15em"
+ >
+ <treecols>
+ <treecol
+ id="deviceCol"
+ flex="1"
+ primary="true"
+ data-l10n-id="devmgr-devlist"
+ />
+ </treecols>
+ <treechildren id="device_list" />
+ </tree>
+ <!-- / List of devices -->
+ <!-- Device status -->
+ <tree
+ id="info_tree"
+ seltype="single"
+ hidecolumnpicker="true"
+ style="flex: 3 3; min-width: 10em"
+ >
+ <treecols>
+ <treecol
+ id="title1Col"
+ style="flex: 5 5 auto"
+ primary="true"
+ data-l10n-id="devmgr-header-details"
+ />
+ <treecol
+ id="title2Col"
+ style="flex: 7 7 auto"
+ data-l10n-id="devmgr-header-value"
+ />
+ </treecols>
+ <treechildren id="info_list" />
+ </tree>
+ <!-- / Device status -->
+ <vbox>
+ <!-- Buttons for manipulating devices -->
+ <button
+ id="login_button"
+ data-l10n-id="devmgr-button-login"
+ oncommand="doLogin();"
+ disabled="true"
+ />
+ <button
+ id="logout_button"
+ data-l10n-id="devmgr-button-logout"
+ oncommand="doLogout();"
+ disabled="true"
+ />
+ <button
+ id="change_pw_button"
+ data-l10n-id="devmgr-button-changepw"
+ oncommand="changePassword();"
+ disabled="true"
+ />
+ <button
+ id="load_button"
+ data-l10n-id="devmgr-button-load"
+ oncommand="doLoad();"
+ />
+ <button
+ id="unload_button"
+ data-l10n-id="devmgr-button-unload"
+ oncommand="doUnload();"
+ disabled="true"
+ />
+ <button
+ id="fipsbutton"
+ data-l10n-id="devmgr-button-enable-fips"
+ oncommand="toggleFIPS();"
+ />
+ </vbox>
+ <!-- / Buttons for manipulating devices -->
+ </hbox>
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/downloadcert.js b/security/manager/pki/resources/content/downloadcert.js
new file mode 100644
index 0000000000..8451997441
--- /dev/null
+++ b/security/manager/pki/resources/content/downloadcert.js
@@ -0,0 +1,83 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+/**
+ * @file Implements the functionality of downloadcert.xhtml: a dialog that allows
+ * a user to confirm whether to import a certificate, and if so what trust
+ * to give it.
+ * @param {nsISupports} window.arguments.0
+ * Certificate to confirm import of, queryable to nsIX509Cert.
+ * @param {nsISupports} window.arguments.1
+ * Object to set the return values of calling the dialog on, queryable
+ * to the underlying type of DownloadCertReturnValues.
+ */
+
+/**
+ * @typedef DownloadCertReturnValues
+ * @type {nsIWritablePropertyBag2}
+ * @property {boolean} importConfirmed
+ * Set to true if the user confirmed import of the cert and accepted
+ * the dialog, false otherwise.
+ * @property {boolean} trustForSSL
+ * Set to true if the cert should be trusted for SSL, false otherwise.
+ * Undefined value if |importConfirmed| is not true.
+ * @property {boolean} trustForEmail
+ * Set to true if the cert should be trusted for e-mail, false
+ * otherwise. Undefined value if |importConfirmed| is not true.
+ */
+
+/**
+ * The cert to potentially import.
+ *
+ * @type {nsIX509Cert}
+ */
+var gCert;
+
+/**
+ * onload() handler.
+ */
+function onLoad() {
+ gCert = window.arguments[0].QueryInterface(Ci.nsIX509Cert);
+
+ document.addEventListener("dialogaccept", onDialogAccept);
+ document.addEventListener("dialogcancel", onDialogCancel);
+
+ let bundle = document.getElementById("pippki_bundle");
+ let caName = gCert.commonName;
+ if (!caName.length) {
+ caName = bundle.getString("unnamedCA");
+ }
+
+ setText("trustHeader", bundle.getFormattedString("newCAMessage1", [caName]));
+}
+
+/**
+ * Handler for the "View Cert" button.
+ */
+function viewCert() {
+ viewCertHelper(window, gCert, "window");
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+ let checkSSL = document.getElementById("trustSSL");
+ let checkEmail = document.getElementById("trustEmail");
+
+ let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2);
+ retVals.setPropertyAsBool("importConfirmed", true);
+ retVals.setPropertyAsBool("trustForSSL", checkSSL.checked);
+ retVals.setPropertyAsBool("trustForEmail", checkEmail.checked);
+}
+
+/**
+ * ondialogcancel() handler.
+ */
+function onDialogCancel() {
+ let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2);
+ retVals.setPropertyAsBool("importConfirmed", false);
+}
diff --git a/security/manager/pki/resources/content/downloadcert.xhtml b/security/manager/pki/resources/content/downloadcert.xhtml
new file mode 100644
index 0000000000..83c1fc1ac0
--- /dev/null
+++ b/security/manager/pki/resources/content/downloadcert.xhtml
@@ -0,0 +1,66 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ data-l10n-id="download-cert-window2"
+ data-l10n-attrs="title, style"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ onload="onLoad();"
+>
+ <dialog id="download_cert" buttons="accept,cancel">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+
+ <html:link rel="localization" href="security/pippki/pippki.ftl" />
+ </linkset>
+
+ <stringbundle
+ id="pippki_bundle"
+ src="chrome://pippki/locale/pippki.properties"
+ />
+
+ <script src="chrome://pippki/content/pippki.js" />
+ <script src="chrome://pippki/content/downloadcert.js" />
+
+ <!-- Let 'em know what they're doing -->
+ <vbox>
+ <description data-l10n-id="download-cert-message"></description>
+ </vbox>
+
+ <separator />
+
+ <!-- checkboxes for trust bits
+ - "do you want to?"
+ - * trust for SSL
+ - * trust for email
+ -->
+ <vbox>
+ <description id="trustHeader" />
+ <checkbox data-l10n-id="download-cert-trust-ssl" id="trustSSL" />
+ <checkbox data-l10n-id="download-cert-trust-email" id="trustEmail" />
+ </vbox>
+
+ <separator />
+
+ <vbox>
+ <description data-l10n-id="download-cert-message-desc"></description>
+ <separator />
+ <hbox>
+ <button
+ id="viewC-button"
+ data-l10n-id="download-cert-view-cert"
+ oncommand="viewCert();"
+ />
+ <description
+ style="margin: 4px"
+ data-l10n-id="download-cert-view-text"
+ ></description>
+ </hbox>
+ </vbox>
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/editcacert.js b/security/manager/pki/resources/content/editcacert.js
new file mode 100644
index 0000000000..ecb6b3e3ce
--- /dev/null
+++ b/security/manager/pki/resources/content/editcacert.js
@@ -0,0 +1,52 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+/**
+ * Cert to edit the trust of.
+ *
+ * @type {nsIX509Cert}
+ */
+var gCert = window.arguments[0];
+
+document.addEventListener("DOMContentLoaded", init);
+
+function init() {
+ document.addEventListener("dialogaccept", onDialogAccept);
+
+ let sslCheckbox = document.getElementById("trustSSL");
+ sslCheckbox.checked = gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ );
+
+ let emailCheckbox = document.getElementById("trustEmail");
+ emailCheckbox.checked = gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ );
+
+ let certMsg = document.getElementById("certmsg");
+ document.l10n.setAttributes(certMsg, "edit-trust-ca", {
+ certName: gCert.commonName,
+ });
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+ let sslCheckbox = document.getElementById("trustSSL");
+ let emailCheckbox = document.getElementById("trustEmail");
+ let trustSSL = sslCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_SSL : 0;
+ let trustEmail = emailCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_EMAIL : 0;
+
+ gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT, trustSSL | trustEmail);
+}
diff --git a/security/manager/pki/resources/content/editcacert.xhtml b/security/manager/pki/resources/content/editcacert.xhtml
new file mode 100644
index 0000000000..cdd0afedb9
--- /dev/null
+++ b/security/manager/pki/resources/content/editcacert.xhtml
@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ data-l10n-id="certmgr-edit-ca-cert2"
+ data-l10n-attrs="style"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+>
+ <dialog id="editCaCert" buttons="accept,cancel">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+
+ <html:link
+ rel="localization"
+ href="security/certificates/certManager.ftl"
+ />
+ </linkset>
+
+ <script src="chrome://pippki/content/pippki.js" />
+ <script src="chrome://pippki/content/editcacert.js" />
+
+ <description id="certmsg" />
+ <separator />
+ <description data-l10n-id="certmgr-edit-cert-edit-trust" />
+ <vbox align="start">
+ <checkbox data-l10n-id="certmgr-edit-cert-trust-ssl" id="trustSSL" />
+ <checkbox data-l10n-id="certmgr-edit-cert-trust-email" id="trustEmail" />
+ </vbox>
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/exceptionDialog.css b/security/manager/pki/resources/content/exceptionDialog.css
new file mode 100644
index 0000000000..b2c8eb7a7b
--- /dev/null
+++ b/security/manager/pki/resources/content/exceptionDialog.css
@@ -0,0 +1,35 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+:root {
+ max-width: 40em;
+ min-width: 35em;
+}
+
+#warningSupplemental,
+.description {
+ font-weight: bold;
+}
+
+.longDescription {
+ padding-bottom: 1em;
+}
+
+#warningText,
+#warningSupplemental,
+#headerDescription,
+.longDescription {
+ /* Don't let these affect the min horizontal size of the dialog */
+ contain: inline-size;
+ white-space: pre-wrap;
+}
+
+.description:empty,
+.longDescription:empty {
+ display: none;
+}
+
+#locationTextBox {
+ flex: 1;
+}
diff --git a/security/manager/pki/resources/content/exceptionDialog.js b/security/manager/pki/resources/content/exceptionDialog.js
new file mode 100644
index 0000000000..02fed06a38
--- /dev/null
+++ b/security/manager/pki/resources/content/exceptionDialog.js
@@ -0,0 +1,322 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+var gDialog;
+var gSecInfo;
+var gCert;
+var gChecking;
+var gBroken;
+var gNeedReset;
+
+const { PrivateBrowsingUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/PrivateBrowsingUtils.sys.mjs"
+);
+
+function initExceptionDialog() {
+ gNeedReset = false;
+ gDialog = document.getElementById("exceptiondialog");
+ let warningText = document.getElementById("warningText");
+ document.l10n.setAttributes(warningText, "add-exception-branded-warning");
+ let confirmButton = gDialog.getButton("extra1");
+ let l10nUpdatedElements = [confirmButton, warningText];
+ confirmButton.disabled = true;
+
+ var args = window.arguments;
+ if (args && args[0]) {
+ if (args[0].location) {
+ // We were pre-seeded with a location.
+ document.getElementById("locationTextBox").value = args[0].location;
+ document.getElementById("checkCertButton").disabled = false;
+
+ if (args[0].securityInfo) {
+ gSecInfo = args[0].securityInfo;
+ gCert = gSecInfo.serverCert;
+ gBroken = true;
+ l10nUpdatedElements = l10nUpdatedElements.concat(updateCertStatus());
+ } else if (args[0].prefetchCert) {
+ // We can optionally pre-fetch the certificate too. Don't do this
+ // synchronously, since it would prevent the window from appearing
+ // until the fetch is completed, which could be multiple seconds.
+ // Instead, let's use a timer to spawn the actual fetch, but update
+ // the dialog to "checking..." state right away, so that the UI
+ // is appropriately responsive. Bug 453855
+ document.getElementById("checkCertButton").disabled = true;
+ gChecking = true;
+ l10nUpdatedElements = l10nUpdatedElements.concat(updateCertStatus());
+
+ window.setTimeout(checkCert, 0);
+ }
+ }
+
+ // Set out parameter to false by default
+ args[0].exceptionAdded = false;
+ }
+
+ for (let id of [
+ "warningSupplemental",
+ "certLocationLabel",
+ "checkCertButton",
+ "statusDescription",
+ "statusLongDescription",
+ "viewCertButton",
+ "permanent",
+ ]) {
+ let element = document.getElementById(id);
+ l10nUpdatedElements.push(element);
+ }
+
+ document.l10n
+ .translateElements(l10nUpdatedElements)
+ .then(() => window.sizeToContent());
+
+ document.addEventListener("dialogextra1", addException);
+ document.addEventListener("dialogextra2", checkCert);
+}
+
+/**
+ * Helper function for checkCert. Set as the onerror/onload callbacks for an
+ * XMLHttpRequest. Sets gSecInfo, gCert, gBroken, and gChecking according to
+ * the load information from the request. Probably should not be used directly.
+ *
+ * @param {XMLHttpRequest} req
+ * The XMLHttpRequest created and sent by checkCert.
+ * @param {Event} evt
+ * The load or error event.
+ */
+function grabCert(req, evt) {
+ if (req.channel && req.channel.securityInfo) {
+ gSecInfo = req.channel.securityInfo;
+ gCert = gSecInfo ? gSecInfo.serverCert : null;
+ }
+ gBroken = evt.type == "error";
+ gChecking = false;
+ document.l10n
+ .translateElements(updateCertStatus())
+ .then(() => window.sizeToContent());
+}
+
+/**
+ * Attempt to download the certificate for the location specified, and populate
+ * the Certificate Status section with the result.
+ */
+async function checkCert() {
+ gCert = null;
+ gSecInfo = null;
+ gChecking = true;
+ gBroken = false;
+ await document.l10n.translateElements(updateCertStatus());
+ window.sizeToContent();
+
+ let uri = getURI();
+
+ if (uri) {
+ let req = new XMLHttpRequest();
+ req.open("GET", uri.prePath);
+ req.onerror = grabCert.bind(this, req);
+ req.onload = grabCert.bind(this, req);
+ req.send(null);
+ } else {
+ gChecking = false;
+ await document.l10n.translateElements(updateCertStatus());
+ window.sizeToContent();
+ }
+}
+
+/**
+ * Build and return a URI, based on the information supplied in the
+ * Certificate Location fields
+ *
+ * @returns {nsIURI}
+ * URI constructed from the information supplied on success, null
+ * otherwise.
+ */
+function getURI() {
+ // Use fixup service instead of just ioservice's newURI since it's quite
+ // likely that the host will be supplied without a protocol prefix, resulting
+ // in malformed uri exceptions being thrown.
+ let locationTextBox = document.getElementById("locationTextBox");
+ let { preferredURI: uri } = Services.uriFixup.getFixupURIInfo(
+ locationTextBox.value
+ );
+
+ if (!uri) {
+ return null;
+ }
+
+ let mutator = uri.mutate();
+ if (uri.scheme == "http") {
+ mutator.setScheme("https");
+ }
+
+ if (uri.port == -1) {
+ mutator.setPort(443);
+ }
+
+ return mutator.finalize();
+}
+
+function resetDialog() {
+ document.getElementById("viewCertButton").disabled = true;
+ document.getElementById("permanent").disabled = true;
+ gDialog.getButton("extra1").disabled = true;
+ setText("headerDescription", "");
+ setText("statusDescription", "");
+ setText("statusLongDescription", "");
+ setText("status2Description", "");
+ setText("status2LongDescription", "");
+ setText("status3Description", "");
+ setText("status3LongDescription", "");
+ window.sizeToContent();
+}
+
+/**
+ * Called by input textboxes to manage UI state
+ */
+function handleTextChange() {
+ var checkCertButton = document.getElementById("checkCertButton");
+ checkCertButton.disabled = !document.getElementById("locationTextBox").value;
+ if (gNeedReset) {
+ gNeedReset = false;
+ resetDialog();
+ }
+}
+
+function updateCertStatus() {
+ var shortDesc, longDesc;
+ let l10nUpdatedElements = [];
+ if (gCert) {
+ if (gBroken) {
+ var mms = "add-exception-domain-mismatch-short";
+ var mml = "add-exception-domain-mismatch-long";
+ var exs = "add-exception-expired-short";
+ var exl = "add-exception-expired-long";
+ var uts = "add-exception-unverified-or-bad-signature-short";
+ var utl = "add-exception-unverified-or-bad-signature-long";
+ if (
+ gSecInfo.overridableErrorCategory ==
+ Ci.nsITransportSecurityInfo.ERROR_TRUST
+ ) {
+ shortDesc = uts;
+ longDesc = utl;
+ } else if (
+ gSecInfo.overridableErrorCategory ==
+ Ci.nsITransportSecurityInfo.ERROR_DOMAIN
+ ) {
+ shortDesc = mms;
+ longDesc = mml;
+ } else if (
+ gSecInfo.overridableErrorCategory ==
+ Ci.nsITransportSecurityInfo.ERROR_TIME
+ ) {
+ shortDesc = exs;
+ longDesc = exl;
+ }
+ // In these cases, we do want to enable the "Add Exception" button
+ gDialog.getButton("extra1").disabled = false;
+
+ // If the Private Browsing service is available and the mode is active,
+ // don't store permanent exceptions, since they would persist after
+ // private browsing mode was disabled.
+ var inPrivateBrowsing = inPrivateBrowsingMode();
+ var pe = document.getElementById("permanent");
+ pe.disabled = inPrivateBrowsing;
+ pe.checked = !inPrivateBrowsing;
+
+ let headerDescription = document.getElementById("headerDescription");
+ document.l10n.setAttributes(
+ headerDescription,
+ "add-exception-invalid-header"
+ );
+ l10nUpdatedElements.push(headerDescription);
+ } else {
+ shortDesc = "add-exception-valid-short";
+ longDesc = "add-exception-valid-long";
+ gDialog.getButton("extra1").disabled = true;
+ document.getElementById("permanent").disabled = true;
+ }
+
+ // We're done checking the certificate, so allow the user to check it again.
+ document.getElementById("checkCertButton").disabled = false;
+ document.getElementById("viewCertButton").disabled = false;
+
+ // Notify observers about the availability of the certificate
+ Services.obs.notifyObservers(null, "cert-exception-ui-ready");
+ } else if (gChecking) {
+ shortDesc = "add-exception-checking-short";
+ longDesc = "add-exception-checking-long";
+ // We're checking the certificate, so we disable the Get Certificate
+ // button to make sure that the user can't interrupt the process and
+ // trigger another certificate fetch.
+ document.getElementById("checkCertButton").disabled = true;
+ document.getElementById("viewCertButton").disabled = true;
+ gDialog.getButton("extra1").disabled = true;
+ document.getElementById("permanent").disabled = true;
+ } else {
+ shortDesc = "add-exception-no-cert-short";
+ longDesc = "add-exception-no-cert-long";
+ // We're done checking the certificate, so allow the user to check it again.
+ document.getElementById("checkCertButton").disabled = false;
+ document.getElementById("viewCertButton").disabled = true;
+ gDialog.getButton("extra1").disabled = true;
+ document.getElementById("permanent").disabled = true;
+ }
+ let statusDescription = document.getElementById("statusDescription");
+ let statusLongDescription = document.getElementById("statusLongDescription");
+ document.l10n.setAttributes(statusDescription, shortDesc);
+ document.l10n.setAttributes(statusLongDescription, longDesc);
+ l10nUpdatedElements.push(statusDescription);
+ l10nUpdatedElements.push(statusLongDescription);
+
+ gNeedReset = true;
+ return l10nUpdatedElements;
+}
+
+/**
+ * Handle user request to display certificate details
+ */
+function viewCertButtonClick() {
+ if (gCert) {
+ viewCertHelper(this, gCert);
+ }
+}
+
+/**
+ * Handle user request to add an exception for the specified cert
+ */
+function addException() {
+ if (!gCert || !gSecInfo) {
+ return;
+ }
+
+ var overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
+ Ci.nsICertOverrideService
+ );
+ var permanentCheckbox = document.getElementById("permanent");
+ var shouldStorePermanently =
+ permanentCheckbox.checked && !inPrivateBrowsingMode();
+ var uri = getURI();
+ overrideService.rememberValidityOverride(
+ uri.asciiHost,
+ uri.port,
+ {},
+ gCert,
+ !shouldStorePermanently
+ );
+
+ let args = window.arguments;
+ if (args && args[0]) {
+ args[0].exceptionAdded = true;
+ }
+
+ gDialog.acceptDialog();
+}
+
+/**
+ * @returns {boolean} Whether this dialog is in private browsing mode.
+ */
+function inPrivateBrowsingMode() {
+ return PrivateBrowsingUtils.isWindowPrivate(window);
+}
diff --git a/security/manager/pki/resources/content/exceptionDialog.xhtml b/security/manager/pki/resources/content/exceptionDialog.xhtml
new file mode 100644
index 0000000000..c913c698f2
--- /dev/null
+++ b/security/manager/pki/resources/content/exceptionDialog.xhtml
@@ -0,0 +1,91 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window windowtype="mozilla:exceptiondialog"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ data-l10n-id="exception-mgr"
+ onload="initExceptionDialog();">
+<dialog id="exceptiondialog"
+ buttonidextra1="exception-mgr-extra-button"
+ buttons="cancel,extra1,extra2"
+ defaultButton="extra2">
+
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+ <html:link
+ rel="stylesheet"
+ href="chrome://pippki/content/exceptionDialog.css"
+ />
+
+ <html:link rel="localization" href="branding/brand.ftl"/>
+ <html:link rel="localization" href="security/certificates/certManager.ftl"/>
+ </linkset>
+
+ <script src="chrome://global/content/globalOverlay.js"/>
+ <script src="chrome://global/content/editMenuOverlay.js"/>
+
+ <script src="chrome://pippki/content/pippki.js"/>
+ <script src="chrome://pippki/content/exceptionDialog.js"/>
+
+ <hbox>
+ <vbox>
+#ifdef MOZ_WIDGET_GTK
+ <image src="moz-icon://stock/gtk-dialog-warning?size=dialog"/>
+#else
+ <image src="chrome://global/skin/icons/warning-large.png"/>
+#endif
+ <spacer flex="1"/>
+ </vbox>
+ <vbox flex="1">
+ <!-- Note that because of the styling, there must be no whitespace within
+ the description tags -->
+ <description id="warningText"/>
+ <description id="warningSupplemental"
+ data-l10n-id="exception-mgr-supplemental-warning"/>
+ </vbox>
+ </hbox>
+
+ <hbox align="center">
+ <label control="locationTextBox"
+ id="certLocationLabel"
+ data-l10n-id="exception-mgr-cert-location-url"/>
+ <html:input id="locationTextBox"
+ oninput="handleTextChange();"
+ value="https://"
+ class="uri-element"/>
+ <button id="checkCertButton"
+ disabled="true"
+ dlgtype="extra2"
+ data-l10n-id="exception-mgr-cert-location-download"/>
+ </hbox>
+
+ <hbox align="center">
+ <description id="headerDescription"
+ flex="1"/>
+ <button id="viewCertButton"
+ data-l10n-id="exception-mgr-cert-status-view-cert"
+ disabled="true"
+ oncommand="viewCertButtonClick();"/>
+ </hbox>
+ <description id="statusDescription"
+ class="description"/>
+ <description id="statusLongDescription"
+ class="longDescription"/>
+ <description id="status2Description"
+ class="description"/>
+ <description id="status2LongDescription"
+ class="longDescription"/>
+ <description id="status3Description"
+ class="description"/>
+ <description id="status3LongDescription"
+ class="longDescription"/>
+ <checkbox id="permanent"
+ disabled="true"
+ data-l10n-id="exception-mgr-permanent"/>
+</dialog>
+</window>
diff --git a/security/manager/pki/resources/content/load_device.js b/security/manager/pki/resources/content/load_device.js
new file mode 100644
index 0000000000..0f77e1f1bd
--- /dev/null
+++ b/security/manager/pki/resources/content/load_device.js
@@ -0,0 +1,75 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+document.addEventListener("dialogaccept", onDialogAccept);
+
+/**
+ * @file Implements the functionality of load_device.xhtml: a dialog that allows
+ * a PKCS #11 module to be loaded into Firefox.
+ */
+
+async function onBrowseBtnPress() {
+ let fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+ let [loadPK11ModuleFilePickerTitle] = await document.l10n.formatValues([
+ { id: "load-pk11-module-file-picker-title" },
+ ]);
+ fp.init(window, loadPK11ModuleFilePickerTitle, Ci.nsIFilePicker.modeOpen);
+ fp.appendFilters(Ci.nsIFilePicker.filterAll);
+ fp.open(rv => {
+ if (rv == Ci.nsIFilePicker.returnOK) {
+ document.getElementById("device_path").value = fp.file.path;
+ }
+
+ // This notification gets sent solely for test purposes. It should not be
+ // used by production code.
+ Services.obs.notifyObservers(window, "LoadPKCS11Module:FilePickHandled");
+ });
+}
+
+/**
+ * ondialogaccept() handler.
+ *
+ * @param {object} event
+ * The event causing this handler function to be called.
+ */
+function onDialogAccept(event) {
+ let nameBox = document.getElementById("device_name");
+ let pathBox = document.getElementById("device_path");
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+
+ try {
+ pkcs11ModuleDB.addModule(nameBox.value, pathBox.value, 0, 0);
+ } catch (e) {
+ addModuleFailure("add-module-failure");
+ event.preventDefault();
+ }
+}
+
+async function addModuleFailure(l10nID) {
+ let [AddModuleFailure] = await document.l10n.formatValues([{ id: l10nID }]);
+ alertPromptService(null, AddModuleFailure);
+}
+
+function validateModuleName() {
+ let name = document.getElementById("device_name").value;
+ let helpText = document.getElementById("helpText");
+ helpText.value = "";
+ let dialogNode = document.querySelector("dialog");
+ dialogNode.removeAttribute("buttondisabledaccept");
+ if (name == "") {
+ document.l10n.setAttributes(helpText, "load-module-help-empty-module-name");
+ dialogNode.setAttribute("buttondisabledaccept", true);
+ }
+ if (name == "Root Certs") {
+ document.l10n.setAttributes(
+ helpText,
+ "load-module-help-root-certs-module-name"
+ );
+ dialogNode.setAttribute("buttondisabledaccept", true);
+ }
+}
diff --git a/security/manager/pki/resources/content/load_device.xhtml b/security/manager/pki/resources/content/load_device.xhtml
new file mode 100644
index 0000000000..8963b8c177
--- /dev/null
+++ b/security/manager/pki/resources/content/load_device.xhtml
@@ -0,0 +1,55 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ data-l10n-id="load-device"
+>
+ <dialog id="loaddevice" buttons="accept,cancel">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+
+ <html:link
+ rel="localization"
+ href="security/certificates/deviceManager.ftl"
+ />
+ </linkset>
+
+ <script src="chrome://global/content/globalOverlay.js" />
+ <script src="chrome://global/content/editMenuOverlay.js" />
+
+ <script src="chrome://pippki/content/pippki.js" />
+ <script src="chrome://pippki/content/load_device.js" />
+
+ <html:style>
+ #device_name, #device_path { flex: 1; }
+ </html:style>
+
+ <description data-l10n-id="load-device-info"></description>
+ <hbox align="center">
+ <label data-l10n-id="load-device-modname" control="device_name" />
+ <html:input
+ id="device_name"
+ data-l10n-id="load-device-modname-default"
+ data-l10n-attrs="value"
+ onchange="validateModuleName();"
+ />
+ </hbox>
+ <hbox align="center">
+ <label data-l10n-id="load-device-filename" control="device_path" />
+ <html:input id="device_path" />
+ <button
+ id="browse"
+ flex="1"
+ data-l10n-id="load-device-browse"
+ oncommand="onBrowseBtnPress();"
+ />
+ </hbox>
+ <label id="helpText" value="" />
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/pippki.js b/security/manager/pki/resources/content/pippki.js
new file mode 100644
index 0000000000..8094074281
--- /dev/null
+++ b/security/manager/pki/resources/content/pippki.js
@@ -0,0 +1,300 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+/*
+ * These are helper functions to be included
+ * pippki UI js files.
+ */
+
+function setText(id, value) {
+ let element = document.getElementById(id);
+ if (!element) {
+ return;
+ }
+ if (element.hasChildNodes()) {
+ element.firstChild.remove();
+ }
+ element.appendChild(document.createTextNode(value));
+}
+
+async function viewCertHelper(parent, cert, openingOption = "tab") {
+ if (!cert) {
+ return;
+ }
+
+ let win = Services.wm.getMostRecentBrowserWindow();
+ let results = await asyncDetermineUsages(cert);
+ let chain = getBestChain(results);
+ if (!chain) {
+ chain = [cert];
+ }
+ let certs = chain.map(elem => encodeURIComponent(elem.getBase64DERString()));
+ let certsStringURL = certs.map(elem => `cert=${elem}`);
+ certsStringURL = certsStringURL.join("&");
+ let url = `about:certificate?${certsStringURL}`;
+ let opened = win.switchToTabHavingURI(url, false, {});
+ if (!opened) {
+ win.openTrustedLinkIn(url, openingOption);
+ }
+}
+
+function getPKCS7Array(certArray) {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let pkcs7String = certdb.asPKCS7Blob(certArray);
+ let pkcs7Array = new Uint8Array(pkcs7String.length);
+ for (let i = 0; i < pkcs7Array.length; i++) {
+ pkcs7Array[i] = pkcs7String.charCodeAt(i);
+ }
+ return pkcs7Array;
+}
+
+function getPEMString(cert) {
+ var derb64 = cert.getBase64DERString();
+ // Wrap the Base64 string into lines of 64 characters with CRLF line breaks
+ // (as specified in RFC 1421).
+ var wrapped = derb64.replace(/(\S{64}(?!$))/g, "$1\r\n");
+ return (
+ "-----BEGIN CERTIFICATE-----\r\n" +
+ wrapped +
+ "\r\n-----END CERTIFICATE-----\r\n"
+ );
+}
+
+function alertPromptService(title, message) {
+ // XXX Bug 1425832 - Using Services.prompt here causes tests to report memory
+ // leaks.
+ // eslint-disable-next-line mozilla/use-services
+ var ps = Cc["@mozilla.org/prompter;1"].getService(Ci.nsIPromptService);
+ ps.alert(window, title, message);
+}
+
+const DEFAULT_CERT_EXTENSION = "crt";
+
+/**
+ * Generates a filename for a cert suitable to set as the |defaultString|
+ * attribute on an Ci.nsIFilePicker.
+ *
+ * @param {nsIX509Cert} cert
+ * The cert to generate a filename for.
+ * @returns {string}
+ * Generated filename.
+ */
+function certToFilename(cert) {
+ let filename = cert.displayName;
+
+ // Remove unneeded and/or unsafe characters.
+ filename = filename
+ .replace(/\s/g, "")
+ .replace(/\./g, "_")
+ .replace(/\\/g, "")
+ .replace(/\//g, "");
+
+ // Ci.nsIFilePicker.defaultExtension is more of a suggestion to some
+ // implementations, so we include the extension in the file name as well. This
+ // is what the documentation for Ci.nsIFilePicker.defaultString says we should do
+ // anyways.
+ return `${filename}.${DEFAULT_CERT_EXTENSION}`;
+}
+
+async function exportToFile(parent, cert) {
+ if (!cert) {
+ return;
+ }
+
+ let results = await asyncDetermineUsages(cert);
+ let chain = getBestChain(results);
+ if (!chain) {
+ chain = [cert];
+ }
+
+ let formats = {
+ base64: "*.crt; *.pem",
+ "base64-chain": "*.crt; *.pem",
+ der: "*.der",
+ pkcs7: "*.p7c",
+ "pkcs7-chain": "*.p7c",
+ };
+ let [saveCertAs, ...formatLabels] = await document.l10n.formatValues(
+ ["save-cert-as", ...Object.keys(formats).map(f => "cert-format-" + f)].map(
+ id => ({ id })
+ )
+ );
+
+ var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+ fp.init(parent, saveCertAs, Ci.nsIFilePicker.modeSave);
+ fp.defaultString = certToFilename(cert);
+ fp.defaultExtension = DEFAULT_CERT_EXTENSION;
+ for (let format of Object.values(formats)) {
+ fp.appendFilter(formatLabels.shift(), format);
+ }
+ fp.appendFilters(Ci.nsIFilePicker.filterAll);
+ let filePickerResult = await new Promise(resolve => {
+ fp.open(resolve);
+ });
+
+ if (
+ filePickerResult != Ci.nsIFilePicker.returnOK &&
+ filePickerResult != Ci.nsIFilePicker.returnReplace
+ ) {
+ return;
+ }
+
+ var content = "";
+ switch (fp.filterIndex) {
+ case 1:
+ content = getPEMString(cert);
+ for (let i = 1; i < chain.length; i++) {
+ content += getPEMString(chain[i]);
+ }
+ break;
+ case 2:
+ // IOUtils.write requires a typed array.
+ // nsIX509Cert.getRawDER() returns an array (not a typed array), so we
+ // convert it here.
+ content = Uint8Array.from(cert.getRawDER());
+ break;
+ case 3:
+ // getPKCS7Array returns a typed array already, so no conversion is
+ // necessary.
+ content = getPKCS7Array([cert]);
+ break;
+ case 4:
+ content = getPKCS7Array(chain);
+ break;
+ case 0:
+ default:
+ content = getPEMString(cert);
+ break;
+ }
+
+ if (typeof content === "string") {
+ content = new TextEncoder().encode(content);
+ }
+
+ try {
+ await IOUtils.write(fp.file.path, content);
+ } catch (ex) {
+ let title = await document.l10n.formatValue("write-file-failure");
+ alertPromptService(title, ex.toString());
+ }
+ if (Cu.isInAutomation) {
+ Services.obs.notifyObservers(null, "cert-export-finished");
+ }
+}
+
+const PRErrorCodeSuccess = 0;
+
+// Certificate usages we care about in the certificate viewer.
+const certificateUsageSSLClient = 0x0001;
+const certificateUsageSSLServer = 0x0002;
+const certificateUsageSSLCA = 0x0008;
+const certificateUsageEmailSigner = 0x0010;
+const certificateUsageEmailRecipient = 0x0020;
+
+// A map from the name of a certificate usage to the value of the usage.
+// Useful for printing debugging information and for enumerating all supported
+// usages.
+const certificateUsages = {
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageSSLCA,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+};
+
+/**
+ * Returns a promise that will resolve with a results array consisting of what
+ * usages the given certificate successfully verified for.
+ *
+ * @param {nsIX509Cert} cert
+ * The certificate to determine valid usages for.
+ * @returns {Promise}
+ * A promise that will resolve with the results of the verifications.
+ */
+function asyncDetermineUsages(cert) {
+ let promises = [];
+ let now = Date.now() / 1000;
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ Object.keys(certificateUsages).forEach(usageString => {
+ promises.push(
+ new Promise((resolve, reject) => {
+ let usage = certificateUsages[usageString];
+ certdb.asyncVerifyCertAtTime(
+ cert,
+ usage,
+ 0,
+ null,
+ now,
+ (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => {
+ resolve({
+ usageString,
+ errorCode: aPRErrorCode,
+ chain: aVerifiedChain,
+ });
+ }
+ );
+ })
+ );
+ });
+ return Promise.all(promises);
+}
+
+/**
+ * Given a results array, returns the "best" verified certificate chain. Since
+ * the primary use case is for TLS server certificates in Firefox, such a
+ * verified chain will be returned if present. Otherwise, the priority is: TLS
+ * client certificate, email signer, email recipient, CA. Returns null if no
+ * usage verified successfully.
+ *
+ * @param {Array} results
+ * An array of results from `asyncDetermineUsages`. See `displayUsages`.
+ * @returns {Array} An array of `nsIX509Cert` representing the verified
+ * certificate chain for the given usage, or null if there is none.
+ */
+function getBestChain(results) {
+ let usages = [
+ certificateUsageSSLServer,
+ certificateUsageSSLClient,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+ certificateUsageSSLCA,
+ ];
+ for (let usage of usages) {
+ let chain = getChainForUsage(results, usage);
+ if (chain) {
+ return chain;
+ }
+ }
+ return null;
+}
+
+/**
+ * Given a results array, returns the chain corresponding to the desired usage,
+ * if verifying for that usage succeeded. Returns null otherwise.
+ *
+ * @param {Array} results
+ * An array of results from `asyncDetermineUsages`. See `displayUsages`.
+ * @param {number} usage
+ * A numerical value corresponding to a usage. See `certificateUsages`.
+ * @returns {Array} An array of `nsIX509Cert` representing the verified
+ * certificate chain for the given usage, or null if there is none.
+ */
+function getChainForUsage(results, usage) {
+ for (let result of results) {
+ if (
+ certificateUsages[result.usageString] == usage &&
+ result.errorCode == PRErrorCodeSuccess
+ ) {
+ return result.chain;
+ }
+ }
+ return null;
+}
diff --git a/security/manager/pki/resources/content/resetpassword.js b/security/manager/pki/resources/content/resetpassword.js
new file mode 100644
index 0000000000..30db349794
--- /dev/null
+++ b/security/manager/pki/resources/content/resetpassword.js
@@ -0,0 +1,28 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+document.addEventListener("dialogaccept", resetPassword);
+
+function resetPassword() {
+ var pk11db = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ var token = pk11db.getInternalKeyToken();
+ token.reset();
+
+ try {
+ Services.logins.removeAllUserFacingLogins();
+ } catch (e) {}
+
+ let l10n = new Localization(["security/pippki/pippki.ftl"], true);
+ if (l10n) {
+ Services.prompt.alert(
+ window,
+ l10n.formatValueSync("pippki-reset-password-confirmation-title"),
+ l10n.formatValueSync("pippki-reset-password-confirmation-message")
+ );
+ }
+}
diff --git a/security/manager/pki/resources/content/resetpassword.xhtml b/security/manager/pki/resources/content/resetpassword.xhtml
new file mode 100644
index 0000000000..c473654da4
--- /dev/null
+++ b/security/manager/pki/resources/content/resetpassword.xhtml
@@ -0,0 +1,49 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ data-l10n-id="reset-primary-password-window2"
+ data-l10n-attrs="title, style"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+>
+ <dialog
+ id="reset_password"
+ buttons="accept,cancel"
+ buttonidaccept="reset-password-button-label"
+ defaultButton="cancel"
+ >
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+
+ <html:link rel="localization" href="security/pippki/pippki.ftl" />
+ </linkset>
+
+ <stringbundle
+ id="pippki_bundle"
+ src="chrome://pippki/locale/pippki.properties"
+ />
+
+ <script src="chrome://pippki/content/pippki.js" />
+ <script src="chrome://pippki/content/resetpassword.js" />
+
+ <hbox flex="1">
+ <vbox>
+ <image class="alert-icon" style="margin: 5px" />
+ </vbox>
+ <vbox style="margin: 5px" flex="1">
+ <hbox flex="1">
+ <vbox flex="1">
+ <description
+ data-l10n-id="reset-primary-password-text"
+ ></description>
+ </vbox>
+ </hbox>
+ </vbox>
+ </hbox>
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/setp12password.js b/security/manager/pki/resources/content/setp12password.js
new file mode 100644
index 0000000000..14200c36ce
--- /dev/null
+++ b/security/manager/pki/resources/content/setp12password.js
@@ -0,0 +1,127 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+/**
+ * @file Implements the functionality of setp12password.xhtml: a dialog that lets
+ * the user confirm the password to set on a PKCS #12 file.
+ * @param {nsISupports} window.arguments.0
+ * Object to set the return values of calling the dialog on, queryable
+ * to the underlying type of SetP12PasswordReturnValues.
+ */
+
+/**
+ * @typedef SetP12PasswordReturnValues
+ * @type {nsIWritablePropertyBag2}
+ * @property {boolean} confirmedPassword
+ * Set to true if the user entered two matching passwords and
+ * confirmed the dialog.
+ * @property {string} password
+ * The password the user entered. Undefined value if
+ * |confirmedPassword| is not true.
+ */
+
+/**
+ * onload() handler.
+ */
+function onLoad() {
+ // Ensure the first password textbox has focus.
+ document.getElementById("pw1").focus();
+ document.addEventListener("dialogaccept", onDialogAccept);
+ document.addEventListener("dialogcancel", onDialogCancel);
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+ let password = document.getElementById("pw1").value;
+
+ let retVals = window.arguments[0].QueryInterface(Ci.nsIWritablePropertyBag2);
+ retVals.setPropertyAsBool("confirmedPassword", true);
+ retVals.setPropertyAsAString("password", password);
+}
+
+/**
+ * ondialogcancel() handler.
+ */
+function onDialogCancel() {
+ let retVals = window.arguments[0].QueryInterface(Ci.nsIWritablePropertyBag2);
+ retVals.setPropertyAsBool("confirmedPassword", false);
+}
+
+/**
+ * Calculates the strength of the given password, suitable for use in updating
+ * a progress bar that represents said strength.
+ *
+ * The strength of the password is calculated by checking the number of:
+ * - Characters
+ * - Numbers
+ * - Non-alphanumeric chars
+ * - Upper case characters
+ *
+ * @param {string} password
+ * The password to calculate the strength of.
+ * @returns {number}
+ * The strength of the password in the range [0, 100].
+ */
+function getPasswordStrength(password) {
+ let lengthStrength = password.length;
+ if (lengthStrength > 5) {
+ lengthStrength = 5;
+ }
+
+ let nonNumericChars = password.replace(/[0-9]/g, "");
+ let numericStrength = password.length - nonNumericChars.length;
+ if (numericStrength > 3) {
+ numericStrength = 3;
+ }
+
+ let nonSymbolChars = password.replace(/\W/g, "");
+ let symbolStrength = password.length - nonSymbolChars.length;
+ if (symbolStrength > 3) {
+ symbolStrength = 3;
+ }
+
+ let nonUpperAlphaChars = password.replace(/[A-Z]/g, "");
+ let upperAlphaStrength = password.length - nonUpperAlphaChars.length;
+ if (upperAlphaStrength > 3) {
+ upperAlphaStrength = 3;
+ }
+
+ let strength =
+ lengthStrength * 10 -
+ 20 +
+ numericStrength * 10 +
+ symbolStrength * 15 +
+ upperAlphaStrength * 10;
+ if (strength < 0) {
+ strength = 0;
+ }
+ if (strength > 100) {
+ strength = 100;
+ }
+
+ return strength;
+}
+
+/**
+ * oninput() handler for both password textboxes.
+ *
+ * @param {boolean} recalculatePasswordStrength
+ * Whether to recalculate the strength of the first password.
+ */
+function onPasswordInput(recalculatePasswordStrength) {
+ let pw1 = document.getElementById("pw1").value;
+
+ if (recalculatePasswordStrength) {
+ document.getElementById("pwmeter").value = getPasswordStrength(pw1);
+ }
+
+ // Disable the accept button if the two passwords don't match, and enable it
+ // if the passwords do match.
+ let pw2 = document.getElementById("pw2").value;
+ document.getElementById("setp12password").getButton("accept").disabled =
+ pw1 != pw2;
+}
diff --git a/security/manager/pki/resources/content/setp12password.xhtml b/security/manager/pki/resources/content/setp12password.xhtml
new file mode 100644
index 0000000000..5f43a1e811
--- /dev/null
+++ b/security/manager/pki/resources/content/setp12password.xhtml
@@ -0,0 +1,56 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<!DOCTYPE window>
+
+<window
+ data-l10n-id="set-password-window"
+ xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+ xmlns:html="http://www.w3.org/1999/xhtml"
+ style="width: 48em"
+ onload="onLoad();"
+>
+ <dialog id="setp12password" buttons="accept,cancel">
+ <linkset>
+ <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
+
+ <html:link rel="localization" href="security/pippki/pippki.ftl" />
+ </linkset>
+
+ <script src="chrome://global/content/globalOverlay.js" />
+ <script src="chrome://global/content/editMenuOverlay.js" />
+
+ <script src="chrome://pippki/content/setp12password.js" />
+
+ <description data-l10n-id="set-password-message"></description>
+ <separator />
+ <vbox>
+ <hbox class="input-row">
+ <label flex="1" data-l10n-id="set-password-backup-pw" />
+ <html:input id="pw1" type="password" oninput="onPasswordInput(true);" />
+ </hbox>
+ <hbox class="input-row">
+ <label flex="1" data-l10n-id="set-password-repeat-backup-pw" />
+ <html:input
+ id="pw2"
+ type="password"
+ oninput="onPasswordInput(false);"
+ />
+ </hbox>
+ </vbox>
+ <separator />
+ <description data-l10n-id="set-password-reminder"></description>
+ <separator />
+
+ <vbox style="margin: 6px">
+ <html:label
+ for="pwmeter"
+ style="display: flex"
+ data-l10n-id="password-quality-meter"
+ ></html:label>
+ <html:progress id="pwmeter" value="0" max="100" />
+ </vbox>
+ </dialog>
+</window>
diff --git a/security/manager/pki/resources/jar.mn b/security/manager/pki/resources/jar.mn
new file mode 100644
index 0000000000..15e808ae19
--- /dev/null
+++ b/security/manager/pki/resources/jar.mn
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+pippki.jar:
+% content pippki %content/pippki/
+ content/pippki/certManager.js (content/certManager.js)
+ content/pippki/certManager.css (content/certManager.css)
+ content/pippki/certManager.xhtml (content/certManager.xhtml)
+ content/pippki/changepassword.js (content/changepassword.js)
+ content/pippki/changepassword.xhtml (content/changepassword.xhtml)
+ content/pippki/clientauthask.css (content/clientauthask.css)
+ content/pippki/clientauthask.js (content/clientauthask.js)
+ content/pippki/clientauthask.xhtml (content/clientauthask.xhtml)
+ content/pippki/deletecert.js (content/deletecert.js)
+ content/pippki/deletecert.css (content/deletecert.css)
+ content/pippki/deletecert.xhtml (content/deletecert.xhtml)
+ content/pippki/device_manager.js (content/device_manager.js)
+ content/pippki/device_manager.xhtml (content/device_manager.xhtml)
+ content/pippki/downloadcert.js (content/downloadcert.js)
+ content/pippki/downloadcert.xhtml (content/downloadcert.xhtml)
+ content/pippki/editcacert.js (content/editcacert.js)
+ content/pippki/editcacert.xhtml (content/editcacert.xhtml)
+ content/pippki/exceptionDialog.css (content/exceptionDialog.css)
+ content/pippki/exceptionDialog.js (content/exceptionDialog.js)
+* content/pippki/exceptionDialog.xhtml (content/exceptionDialog.xhtml)
+ content/pippki/load_device.js (content/load_device.js)
+ content/pippki/load_device.xhtml (content/load_device.xhtml)
+ content/pippki/pippki.js (content/pippki.js)
+ content/pippki/resetpassword.js (content/resetpassword.js)
+ content/pippki/resetpassword.xhtml (content/resetpassword.xhtml)
+ content/pippki/setp12password.js (content/setp12password.js)
+ content/pippki/setp12password.xhtml (content/setp12password.xhtml)
diff --git a/security/manager/pki/resources/moz.build b/security/manager/pki/resources/moz.build
new file mode 100644
index 0000000000..d988c0ff9b
--- /dev/null
+++ b/security/manager/pki/resources/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+JAR_MANIFESTS += ["jar.mn"]
diff --git a/security/manager/ssl/AppSignatureVerification.cpp b/security/manager/ssl/AppSignatureVerification.cpp
new file mode 100644
index 0000000000..399516dd9c
--- /dev/null
+++ b/security/manager/ssl/AppSignatureVerification.cpp
@@ -0,0 +1,1410 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSCertificateDB.h"
+
+#include "AppTrustDomain.h"
+#include "CryptoTask.h"
+#include "NSSCertDBTrustDomain.h"
+#include "ScopedNSSTypes.h"
+#include "SharedCertVerifier.h"
+#include "certdb.h"
+#include "cms.h"
+#include "cosec.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Unused.h"
+#include "nsCOMPtr.h"
+#include "nsComponentManagerUtils.h"
+#include "nsDependentString.h"
+#include "nsHashKeys.h"
+#include "nsIFile.h"
+#include "nsIInputStream.h"
+#include "nsIStringEnumerator.h"
+#include "nsIZipReader.h"
+#include "nsNSSCertificate.h"
+#include "nsNetUtil.h"
+#include "nsProxyRelease.h"
+#include "nsString.h"
+#include "nsTHashtable.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixutil.h"
+#include "secerr.h"
+#include "secmime.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla;
+using namespace mozilla::psm;
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+namespace {
+
+// A convenient way to pair the bytes of a digest with the algorithm that
+// purportedly produced those bytes. Only SHA-1 and SHA-256 are supported.
+struct DigestWithAlgorithm {
+ nsresult ValidateLength() const {
+ size_t hashLen;
+ switch (mAlgorithm) {
+ case SEC_OID_SHA256:
+ hashLen = SHA256_LENGTH;
+ break;
+ case SEC_OID_SHA1:
+ hashLen = SHA1_LENGTH;
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE(
+ "unsupported hash type in DigestWithAlgorithm::ValidateLength");
+ return NS_ERROR_FAILURE;
+ }
+ if (mDigest.Length() != hashLen) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+ return NS_OK;
+ }
+
+ nsAutoCString mDigest;
+ SECOidTag mAlgorithm;
+};
+
+// The digest must have a lifetime greater than or equal to the returned string.
+inline nsDependentCSubstring DigestToDependentString(
+ nsTArray<uint8_t>& digest) {
+ return nsDependentCSubstring(BitwiseCast<char*, uint8_t*>(digest.Elements()),
+ digest.Length());
+}
+
+// Reads a maximum of 8MB from a stream into the supplied buffer.
+// The reason for the 8MB limit is because this function is used to read
+// signature-related files and we want to avoid OOM. The uncompressed length of
+// an entry can be hundreds of times larger than the compressed version,
+// especially if someone has specifically crafted the entry to cause OOM or to
+// consume massive amounts of disk space.
+//
+// @param stream The input stream to read from.
+// @param buf The buffer that we read the stream into, which must have
+// already been allocated.
+nsresult ReadStream(const nsCOMPtr<nsIInputStream>& stream,
+ /*out*/ SECItem& buf) {
+ // The size returned by Available() might be inaccurate so we need
+ // to check that Available() matches up with the actual length of
+ // the file.
+ uint64_t length;
+ nsresult rv = stream->Available(&length);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+
+ // Cap the maximum accepted size of signature-related files at 8MB (which
+ // should be much larger than necessary for our purposes) to avoid OOM.
+ static const uint32_t MAX_LENGTH = 8 * 1000 * 1000;
+ if (length > MAX_LENGTH) {
+ return NS_ERROR_FILE_TOO_BIG;
+ }
+
+ // With bug 164695 in mind we +1 to leave room for null-terminating
+ // the buffer.
+ SECITEM_AllocItem(buf, static_cast<uint32_t>(length + 1));
+
+ // buf.len == length + 1. We attempt to read length + 1 bytes
+ // instead of length, so that we can check whether the metadata for
+ // the entry is incorrect.
+ uint32_t bytesRead;
+ rv = stream->Read(BitwiseCast<char*, unsigned char*>(buf.data), buf.len,
+ &bytesRead);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+ if (bytesRead != length) {
+ return NS_ERROR_FILE_CORRUPTED;
+ }
+
+ buf.data[buf.len - 1] = 0; // null-terminate
+
+ return NS_OK;
+}
+
+// Finds exactly one (signature metadata) JAR entry that matches the given
+// search pattern, and then loads it. Fails if there are no matches or if
+// there is more than one match. If bufDigest is not null then on success
+// bufDigest will contain the digeset of the entry using the given digest
+// algorithm.
+nsresult FindAndLoadOneEntry(
+ nsIZipReader* zip, const nsACString& searchPattern,
+ /*out*/ nsACString& filename,
+ /*out*/ SECItem& buf,
+ /*optional, in*/ SECOidTag digestAlgorithm = SEC_OID_SHA1,
+ /*optional, out*/ nsTArray<uint8_t>* bufDigest = nullptr) {
+ nsCOMPtr<nsIUTF8StringEnumerator> files;
+ nsresult rv = zip->FindEntries(searchPattern, getter_AddRefs(files));
+ if (NS_FAILED(rv) || !files) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ bool more;
+ rv = files->HasMore(&more);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!more) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ rv = files->GetNext(filename);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // Check if there is more than one match, if so then error!
+ rv = files->HasMore(&more);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (more) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ nsCOMPtr<nsIInputStream> stream;
+ rv = zip->GetInputStream(filename, getter_AddRefs(stream));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = ReadStream(stream, buf);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
+ }
+
+ if (bufDigest) {
+ rv = Digest::DigestBuf(digestAlgorithm,
+ Span<uint8_t>{buf.data, buf.len - 1}, *bufDigest);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ return NS_OK;
+}
+
+// Verify the digest of an entry. We avoid loading the entire entry into memory
+// at once, which would require memory in proportion to the size of the largest
+// entry. Instead, we require only a small, fixed amount of memory.
+//
+// @param stream an input stream from a JAR entry or file depending on whether
+// it is from a signed archive or unpacked into a directory
+// @param digestFromManifest The digest that we're supposed to check the file's
+// contents against, from the manifest
+// @param buf A scratch buffer that we use for doing the I/O, which must have
+// already been allocated. The size of this buffer is the unit
+// size of our I/O.
+nsresult VerifyStreamContentDigest(
+ nsIInputStream* stream, const DigestWithAlgorithm& digestFromManifest,
+ SECItem& buf) {
+ MOZ_ASSERT(buf.len > 0);
+ nsresult rv = digestFromManifest.ValidateLength();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ uint64_t len64;
+ rv = stream->Available(&len64);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (len64 > UINT32_MAX) {
+ return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
+ }
+
+ Digest digest;
+
+ rv = digest.Begin(digestFromManifest.mAlgorithm);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ uint64_t totalBytesRead = 0;
+ for (;;) {
+ uint32_t bytesRead;
+ rv = stream->Read(BitwiseCast<char*, unsigned char*>(buf.data), buf.len,
+ &bytesRead);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (bytesRead == 0) {
+ break; // EOF
+ }
+
+ totalBytesRead += bytesRead;
+ if (totalBytesRead >= UINT32_MAX) {
+ return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
+ }
+
+ rv = digest.Update(buf.data, bytesRead);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ if (totalBytesRead != len64) {
+ // The metadata we used for Available() doesn't match the actual size of
+ // the entry.
+ return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
+ }
+
+ // Verify that the digests match.
+ nsTArray<uint8_t> outArray;
+ rv = digest.End(outArray);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsDependentCSubstring digestStr(DigestToDependentString(outArray));
+ if (!digestStr.Equals(digestFromManifest.mDigest)) {
+ return NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY;
+ }
+
+ return NS_OK;
+}
+
+nsresult VerifyEntryContentDigest(nsIZipReader* zip,
+ const nsACString& aFilename,
+ const DigestWithAlgorithm& digestFromManifest,
+ SECItem& buf) {
+ nsCOMPtr<nsIInputStream> stream;
+ nsresult rv = zip->GetInputStream(aFilename, getter_AddRefs(stream));
+ if (NS_FAILED(rv)) {
+ return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
+ }
+
+ return VerifyStreamContentDigest(stream, digestFromManifest, buf);
+}
+
+// On input, nextLineStart is the start of the current line. On output,
+// nextLineStart is the start of the next line.
+nsresult ReadLine(/*in/out*/ const char*& nextLineStart,
+ /*out*/ nsCString& line, bool allowContinuations = true) {
+ line.Truncate();
+ size_t previousLength = 0;
+ size_t currentLength = 0;
+ for (;;) {
+ const char* eol = strpbrk(nextLineStart, "\r\n");
+
+ if (!eol) { // Reached end of file before newline
+ eol = nextLineStart + strlen(nextLineStart);
+ }
+
+ previousLength = currentLength;
+ line.Append(nextLineStart, eol - nextLineStart);
+ currentLength = line.Length();
+
+ // The spec says "No line may be longer than 72 bytes (not characters)"
+ // in its UTF8-encoded form.
+ static const size_t lineLimit = 72;
+ if (currentLength - previousLength > lineLimit) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ // The spec says: "Implementations should support 65535-byte
+ // (not character) header values..."
+ if (currentLength > 65535) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ if (*eol == '\r') {
+ ++eol;
+ }
+ if (*eol == '\n') {
+ ++eol;
+ }
+
+ nextLineStart = eol;
+
+ if (*eol != ' ') {
+ // not a continuation
+ return NS_OK;
+ }
+
+ // continuation
+ if (!allowContinuations) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ ++nextLineStart; // skip space and keep appending
+ }
+}
+
+// The header strings are defined in the JAR specification.
+#define JAR_MF_SEARCH_STRING "(M|/M)ETA-INF/(M|m)(ANIFEST|anifest).(MF|mf)$"
+#define JAR_COSE_MF_SEARCH_STRING "(M|/M)ETA-INF/cose.manifest$"
+#define JAR_SF_SEARCH_STRING "(M|/M)ETA-INF/*.(SF|sf)$"
+#define JAR_RSA_SEARCH_STRING "(M|/M)ETA-INF/*.(RSA|rsa)$"
+#define JAR_COSE_SEARCH_STRING "(M|/M)ETA-INF/cose.sig$"
+#define JAR_META_DIR "META-INF"
+#define JAR_MF_HEADER "Manifest-Version: 1.0"
+#define JAR_SF_HEADER "Signature-Version: 1.0"
+
+nsresult ParseAttribute(const nsAutoCString& curLine,
+ /*out*/ nsAutoCString& attrName,
+ /*out*/ nsAutoCString& attrValue) {
+ // Find the colon that separates the name from the value.
+ int32_t colonPos = curLine.FindChar(':');
+ if (colonPos == kNotFound) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ // set attrName to the name, skipping spaces between the name and colon
+ int32_t nameEnd = colonPos;
+ for (;;) {
+ if (nameEnd == 0) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; // colon with no name
+ }
+ if (curLine[nameEnd - 1] != ' ') break;
+ --nameEnd;
+ }
+ curLine.Left(attrName, nameEnd);
+
+ // Set attrValue to the value, skipping spaces between the colon and the
+ // value. The value may be empty.
+ int32_t valueStart = colonPos + 1;
+ int32_t curLineLength = curLine.Length();
+ while (valueStart != curLineLength && curLine[valueStart] == ' ') {
+ ++valueStart;
+ }
+ curLine.Right(attrValue, curLineLength - valueStart);
+
+ return NS_OK;
+}
+
+// Parses the version line of the MF or SF header.
+nsresult CheckManifestVersion(const char*& nextLineStart,
+ const nsACString& expectedHeader) {
+ // The JAR spec says: "Manifest-Version and Signature-Version must be first,
+ // and in exactly that case (so that they can be recognized easily as magic
+ // strings)."
+ nsAutoCString curLine;
+ nsresult rv = ReadLine(nextLineStart, curLine, false);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!curLine.Equals(expectedHeader)) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+ return NS_OK;
+}
+
+// Parses a signature file (SF) based on the JDK 8 JAR Specification.
+//
+// The SF file must contain a SHA*-Digest-Manifest attribute in the main
+// section (where the * is either 1 or 256, depending on the given digest
+// algorithm). All other sections are ignored. This means that this will NOT
+// parse old-style signature files that have separate digests per entry.
+// The JDK8 x-Digest-Manifest variant is better because:
+//
+// (1) It allows us to follow the principle that we should minimize the
+// processing of data that we do before we verify its signature. In
+// particular, with the x-Digest-Manifest style, we can verify the digest
+// of MANIFEST.MF before we parse it, which prevents malicious JARs
+// exploiting our MANIFEST.MF parser.
+// (2) It is more time-efficient and space-efficient to have one
+// x-Digest-Manifest instead of multiple x-Digest values.
+//
+// filebuf must be null-terminated. On output, mfDigest will contain the
+// decoded value of the appropriate SHA*-DigestManifest, if found.
+nsresult ParseSF(const char* filebuf, SECOidTag digestAlgorithm,
+ /*out*/ nsAutoCString& mfDigest) {
+ const char* digestNameToFind = nullptr;
+ switch (digestAlgorithm) {
+ case SEC_OID_SHA256:
+ digestNameToFind = "sha256-digest-manifest";
+ break;
+ case SEC_OID_SHA1:
+ digestNameToFind = "sha1-digest-manifest";
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE("bad argument to ParseSF");
+ return NS_ERROR_FAILURE;
+ }
+
+ const char* nextLineStart = filebuf;
+ nsresult rv =
+ CheckManifestVersion(nextLineStart, nsLiteralCString(JAR_SF_HEADER));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ for (;;) {
+ nsAutoCString curLine;
+ rv = ReadLine(nextLineStart, curLine);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (curLine.Length() == 0) {
+ // End of main section (blank line or end-of-file). We didn't find the
+ // SHA*-Digest-Manifest we were looking for.
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ nsAutoCString attrName;
+ nsAutoCString attrValue;
+ rv = ParseAttribute(curLine, attrName, attrValue);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (attrName.EqualsIgnoreCase(digestNameToFind)) {
+ rv = Base64Decode(attrValue, mfDigest);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // There could be multiple SHA*-Digest-Manifest attributes, which
+ // would be an error, but it's better to just skip any erroneous
+ // duplicate entries rather than trying to detect them, because:
+ //
+ // (1) It's simpler, and simpler generally means more secure
+ // (2) An attacker can't make us accept a JAR we would otherwise
+ // reject just by adding additional SHA*-Digest-Manifest
+ // attributes.
+ return NS_OK;
+ }
+
+ // ignore unrecognized attributes
+ }
+
+ MOZ_ASSERT_UNREACHABLE("somehow exited loop in ParseSF without returning");
+ return NS_ERROR_FAILURE;
+}
+
+// Parses MANIFEST.MF. The filenames of all entries will be returned in
+// mfItems. buf must be a pre-allocated scratch buffer that is used for doing
+// I/O. Each file's contents are verified against the entry in the manifest with
+// the digest algorithm that matches the given one. This algorithm comes from
+// the signature file. If the signature file has a SHA-256 digest, then SHA-256
+// entries must be present in the manifest file. If the signature file only has
+// a SHA-1 digest, then only SHA-1 digests will be used in the manifest file.
+nsresult ParseMF(const char* filebuf, nsIZipReader* zip,
+ SECOidTag digestAlgorithm,
+ /*out*/ nsTHashtable<nsCStringHashKey>& mfItems,
+ ScopedAutoSECItem& buf) {
+ const char* digestNameToFind = nullptr;
+ switch (digestAlgorithm) {
+ case SEC_OID_SHA256:
+ digestNameToFind = "sha256-digest";
+ break;
+ case SEC_OID_SHA1:
+ digestNameToFind = "sha1-digest";
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE("bad argument to ParseMF");
+ return NS_ERROR_FAILURE;
+ }
+
+ const char* nextLineStart = filebuf;
+ nsresult rv =
+ CheckManifestVersion(nextLineStart, nsLiteralCString(JAR_MF_HEADER));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Skip the rest of the header section, which ends with a blank line.
+ {
+ nsAutoCString line;
+ do {
+ rv = ReadLine(nextLineStart, line);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ } while (line.Length() > 0);
+
+ // Manifest containing no file entries is OK, though useless.
+ if (*nextLineStart == '\0') {
+ return NS_OK;
+ }
+ }
+
+ nsAutoCString curItemName;
+ nsAutoCString digest;
+
+ for (;;) {
+ nsAutoCString curLine;
+ rv = ReadLine(nextLineStart, curLine);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (curLine.Length() == 0) {
+ // end of section (blank line or end-of-file)
+
+ if (curItemName.Length() == 0) {
+ // '...Each section must start with an attribute with the name as
+ // "Name",...', so every section must have a Name attribute.
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ if (digest.IsEmpty()) {
+ // We require every entry to have a digest, since we require every
+ // entry to be signed and we don't allow duplicate entries.
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ if (mfItems.Contains(curItemName)) {
+ // Duplicate entry
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ // Verify that the entry's content digest matches the digest from this
+ // MF section.
+ DigestWithAlgorithm digestWithAlgorithm = {digest, digestAlgorithm};
+ rv = VerifyEntryContentDigest(zip, curItemName, digestWithAlgorithm, buf);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ mfItems.PutEntry(curItemName);
+
+ if (*nextLineStart == '\0') {
+ // end-of-file
+ break;
+ }
+
+ // reset so we know we haven't encountered either of these for the next
+ // item yet.
+ curItemName.Truncate();
+ digest.Truncate();
+
+ continue; // skip the rest of the loop below
+ }
+
+ nsAutoCString attrName;
+ nsAutoCString attrValue;
+ rv = ParseAttribute(curLine, attrName, attrValue);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Lines to look for:
+
+ // (1) Digest:
+ if (attrName.EqualsIgnoreCase(digestNameToFind)) {
+ if (!digest.IsEmpty()) { // multiple SHA* digests in section
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ rv = Base64Decode(attrValue, digest);
+ if (NS_FAILED(rv)) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ continue;
+ }
+
+ // (2) Name: associates this manifest section with a file in the jar.
+ if (attrName.LowerCaseEqualsLiteral("name")) {
+ if (MOZ_UNLIKELY(curItemName.Length() > 0)) // multiple names in section
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+
+ if (MOZ_UNLIKELY(attrValue.Length() == 0))
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+
+ curItemName = attrValue;
+
+ continue;
+ }
+
+ // (3) Magic: the only other must-understand attribute
+ if (attrName.LowerCaseEqualsLiteral("magic")) {
+ // We don't understand any magic, so we can't verify an entry that
+ // requires magic. Since we require every entry to have a valid
+ // signature, we have no choice but to reject the entry.
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ // unrecognized attributes must be ignored
+ }
+
+ return NS_OK;
+}
+
+nsresult VerifyCertificate(Span<const uint8_t> signerCert,
+ AppTrustedRoot trustedRoot,
+ nsTArray<Span<const uint8_t>>&& collectedCerts) {
+ AppTrustDomain trustDomain(std::move(collectedCerts));
+ nsresult rv = trustDomain.SetTrustedRoot(trustedRoot);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ Input certDER;
+ mozilla::pkix::Result result =
+ certDER.Init(signerCert.Elements(), signerCert.Length());
+ if (result != Success) {
+ return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
+ }
+
+ result = BuildCertChain(
+ trustDomain, certDER, Now(), EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::digitalSignature, KeyPurposeId::id_kp_codeSigning,
+ CertPolicyId::anyPolicy, nullptr /*stapledOCSPResponse*/);
+ if (result == mozilla::pkix::Result::ERROR_EXPIRED_CERTIFICATE ||
+ result == mozilla::pkix::Result::ERROR_NOT_YET_VALID_CERTIFICATE) {
+ // For code-signing you normally need trusted 3rd-party timestamps to
+ // handle expiration properly. The signer could always mess with their
+ // system clock so you can't trust the certificate was un-expired when
+ // the signing took place. The choice is either to ignore expiration
+ // or to enforce expiration at time of use. The latter leads to the
+ // user-hostile result that perfectly good code stops working.
+ //
+ // Our package format doesn't support timestamps (nor do we have a
+ // trusted 3rd party timestamper), but since we sign all of our apps and
+ // add-ons ourselves we can trust ourselves not to mess with the clock
+ // on the signing systems. We also have a revocation mechanism if we
+ // need it. Under these conditions it's OK to ignore cert errors related
+ // to time validity (expiration and "not yet valid").
+ //
+ // This is an invalid approach if
+ // * we issue certs to let others sign their own packages
+ // * mozilla::pkix returns "expired" when there are "worse" problems
+ // with the certificate or chain.
+ // (see bug 1267318)
+ result = Success;
+ }
+ if (result != Success) {
+ return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
+ }
+
+ return NS_OK;
+}
+
+// Given a SECOidTag representing a digest algorithm (either SEC_OID_SHA1 or
+// SEC_OID_SHA256), returns the first signerInfo in the given signedData that
+// purports to have been created using that digest algorithm, or nullptr if
+// there is none.
+// The returned signerInfo is owned by signedData, so the caller must ensure
+// that the lifetime of the signerInfo is contained by the lifetime of the
+// signedData.
+NSSCMSSignerInfo* GetSignerInfoForDigestAlgorithm(NSSCMSSignedData* signedData,
+ SECOidTag digestAlgorithm) {
+ MOZ_ASSERT(digestAlgorithm == SEC_OID_SHA1 ||
+ digestAlgorithm == SEC_OID_SHA256);
+ if (digestAlgorithm != SEC_OID_SHA1 && digestAlgorithm != SEC_OID_SHA256) {
+ return nullptr;
+ }
+
+ int numSigners = NSS_CMSSignedData_SignerInfoCount(signedData);
+ if (numSigners < 1) {
+ return nullptr;
+ }
+ for (int i = 0; i < numSigners; i++) {
+ NSSCMSSignerInfo* signerInfo =
+ NSS_CMSSignedData_GetSignerInfo(signedData, i);
+ // NSS_CMSSignerInfo_GetDigestAlgTag isn't exported from NSS.
+ SECOidData* digestAlgOID = SECOID_FindOID(&signerInfo->digestAlg.algorithm);
+ if (!digestAlgOID) {
+ continue;
+ }
+ if (digestAlgorithm == digestAlgOID->offset) {
+ return signerInfo;
+ }
+ }
+ return nullptr;
+}
+
+Span<const uint8_t> GetPKCS7SignerCert(
+ NSSCMSSignerInfo* signerInfo,
+ nsTArray<Span<const uint8_t>>& collectedCerts) {
+ if (!signerInfo) {
+ return {};
+ }
+ // The NSS APIs use the term "CMS", but since these are all signed by Mozilla
+ // infrastructure, we know they are actually PKCS7. This means that this only
+ // needs to handle issuer/serial number signer identifiers.
+ if (signerInfo->signerIdentifier.identifierType != NSSCMSSignerID_IssuerSN) {
+ return {};
+ }
+ CERTIssuerAndSN* issuerAndSN = signerInfo->signerIdentifier.id.issuerAndSN;
+ if (!issuerAndSN) {
+ return {};
+ }
+ Input issuer;
+ mozilla::pkix::Result result =
+ issuer.Init(issuerAndSN->derIssuer.data, issuerAndSN->derIssuer.len);
+ if (result != Success) {
+ return {};
+ }
+ Input serialNumber;
+ result = serialNumber.Init(issuerAndSN->serialNumber.data,
+ issuerAndSN->serialNumber.len);
+ if (result != Success) {
+ return {};
+ }
+ for (const auto& certDER : collectedCerts) {
+ Input certInput;
+ result = certInput.Init(certDER.Elements(), certDER.Length());
+ if (result != Success) {
+ continue; // probably too big
+ }
+ // Since this only decodes the certificate and doesn't attempt to build a
+ // verified chain with it, the EndEntityOrCA parameter doesn't matter.
+ BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+ result = cert.Init();
+ if (result != Success) {
+ continue;
+ }
+ if (InputsAreEqual(issuer, cert.GetIssuer()) &&
+ InputsAreEqual(serialNumber, cert.GetSerialNumber())) {
+ return certDER;
+ }
+ }
+ return {};
+}
+
+nsresult VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer,
+ nsTArray<uint8_t>& detachedSHA1Digest,
+ nsTArray<uint8_t>& detachedSHA256Digest,
+ /*out*/ SECOidTag& digestAlgorithm,
+ /*out*/ nsTArray<uint8_t>& signerCert) {
+ if (NS_WARN_IF(!buffer.data || buffer.len == 0 ||
+ detachedSHA1Digest.Length() == 0 ||
+ detachedSHA256Digest.Length() == 0)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ UniqueNSSCMSMessage cmsMsg(NSS_CMSMessage_CreateFromDER(
+ const_cast<SECItem*>(&buffer), nullptr, nullptr, nullptr, nullptr,
+ nullptr, nullptr));
+ if (!cmsMsg) {
+ return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
+ }
+
+ if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) {
+ return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
+ }
+
+ NSSCMSContentInfo* cinfo = NSS_CMSMessage_ContentLevel(cmsMsg.get(), 0);
+ if (!cinfo) {
+ return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
+ }
+
+ // We're expecting this to be a PKCS#7 signedData content info.
+ if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) !=
+ SEC_OID_PKCS7_SIGNED_DATA) {
+ return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
+ }
+
+ // signedData is non-owning
+ NSSCMSSignedData* signedData =
+ static_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo));
+ if (!signedData) {
+ return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
+ }
+
+ nsTArray<Span<const uint8_t>> collectedCerts;
+ if (signedData->rawCerts) {
+ for (size_t i = 0; signedData->rawCerts[i]; ++i) {
+ Span<const uint8_t> cert(signedData->rawCerts[i]->data,
+ signedData->rawCerts[i]->len);
+ collectedCerts.AppendElement(std::move(cert));
+ }
+ }
+
+ NSSCMSSignerInfo* signerInfo =
+ GetSignerInfoForDigestAlgorithm(signedData, SEC_OID_SHA256);
+ nsTArray<uint8_t>* tmpDetachedDigest = &detachedSHA256Digest;
+ digestAlgorithm = SEC_OID_SHA256;
+ if (!signerInfo) {
+ signerInfo = GetSignerInfoForDigestAlgorithm(signedData, SEC_OID_SHA1);
+ if (!signerInfo) {
+ return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
+ }
+ tmpDetachedDigest = &detachedSHA1Digest;
+ digestAlgorithm = SEC_OID_SHA1;
+ }
+
+ const SECItem detachedDigest = {
+ siBuffer, tmpDetachedDigest->Elements(),
+ static_cast<unsigned int>(tmpDetachedDigest->Length())};
+
+ // Get the certificate that issued the PKCS7 signature.
+ Span<const uint8_t> signerCertSpan =
+ GetPKCS7SignerCert(signerInfo, collectedCerts);
+ if (signerCertSpan.IsEmpty()) {
+ return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
+ }
+
+ nsresult rv =
+ VerifyCertificate(signerCertSpan, trustedRoot, std::move(collectedCerts));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ signerCert.Clear();
+ signerCert.AppendElements(signerCertSpan);
+
+ // Ensure that the PKCS#7 data OID is present as the PKCS#9 contentType.
+ const char* pkcs7DataOidString = "1.2.840.113549.1.7.1";
+ ScopedAutoSECItem pkcs7DataOid;
+ if (SEC_StringToOID(nullptr, &pkcs7DataOid, pkcs7DataOidString, 0) !=
+ SECSuccess) {
+ return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
+ }
+
+ // NSS_CMSSignerInfo_Verify relies on NSS_CMSSignerInfo_GetSigningCertificate
+ // having been called already. This relies on the signing certificate being
+ // decoded as a CERTCertificate.
+ // This assertion should never fail, as this certificate has been
+ // successfully verified, which means it fits in the size of an unsigned int.
+ SECItem signingCertificateItem = {
+ siBuffer, const_cast<unsigned char*>(signerCertSpan.Elements()),
+ AssertedCast<unsigned int>(signerCertSpan.Length())};
+ UniqueCERTCertificate signingCertificateHandle(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &signingCertificateItem, nullptr, false, true));
+ if (!signingCertificateHandle) {
+ return mozilla::psm::GetXPCOMFromNSSError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
+ }
+ // NB: This function does not return an owning reference, unlike with many
+ // other NSS APIs.
+ if (!NSS_CMSSignerInfo_GetSigningCertificate(signerInfo,
+ CERT_GetDefaultCertDB())) {
+ return mozilla::psm::GetXPCOMFromNSSError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
+ }
+ return MapSECStatus(NSS_CMSSignerInfo_Verify(
+ signerInfo, const_cast<SECItem*>(&detachedDigest), &pkcs7DataOid));
+}
+
+class CoseVerificationContext {
+ public:
+ explicit CoseVerificationContext(AppTrustedRoot aTrustedRoot)
+ : mTrustedRoot(aTrustedRoot) {}
+ ~CoseVerificationContext() = default;
+
+ AppTrustedRoot GetTrustedRoot() { return mTrustedRoot; }
+ void SetCert(Span<const uint8_t> certDER) {
+ mCertDER.Clear();
+ mCertDER.AppendElements(certDER);
+ }
+
+ nsTArray<uint8_t> TakeCert() { return std::move(mCertDER); }
+
+ private:
+ AppTrustedRoot mTrustedRoot;
+ nsTArray<uint8_t> mCertDER;
+};
+
+// Verification function called from cose-rust.
+// Returns true if everything goes well and the signature and certificate chain
+// are good, false in any other case.
+bool CoseVerificationCallback(const uint8_t* aPayload, size_t aPayloadLen,
+ const uint8_t** aCertChain, size_t aCertChainLen,
+ const size_t* aCertsLen, const uint8_t* aEECert,
+ size_t aEECertLen, const uint8_t* aSignature,
+ size_t aSignatureLen, uint8_t aSignatureAlgorithm,
+ void* ctx) {
+ if (!ctx || !aPayload || !aEECert || !aSignature) {
+ return false;
+ }
+ // The ctx here is a pointer to a CoseVerificationContext object
+ CoseVerificationContext* context = static_cast<CoseVerificationContext*>(ctx);
+ AppTrustedRoot aTrustedRoot = context->GetTrustedRoot();
+
+ CK_MECHANISM_TYPE mechanism;
+ SECOidTag oid;
+ uint32_t hash_length;
+ SECItem param = {siBuffer, nullptr, 0};
+ switch (aSignatureAlgorithm) {
+ case ES256:
+ mechanism = CKM_ECDSA;
+ oid = SEC_OID_SHA256;
+ hash_length = SHA256_LENGTH;
+ break;
+ case ES384:
+ mechanism = CKM_ECDSA;
+ oid = SEC_OID_SHA384;
+ hash_length = SHA384_LENGTH;
+ break;
+ case ES512:
+ mechanism = CKM_ECDSA;
+ oid = SEC_OID_SHA512;
+ hash_length = SHA512_LENGTH;
+ break;
+ default:
+ return false;
+ }
+
+ uint8_t hashBuf[HASH_LENGTH_MAX];
+ SECStatus rv = PK11_HashBuf(oid, hashBuf, aPayload, aPayloadLen);
+ if (rv != SECSuccess) {
+ return false;
+ }
+ SECItem hashItem = {siBuffer, hashBuf, hash_length};
+ Input certInput;
+ if (certInput.Init(aEECert, aEECertLen) != Success) {
+ return false;
+ }
+ // Since this only decodes the certificate and doesn't attempt to build a
+ // verified chain with it, the EndEntityOrCA parameter doesn't matter.
+ BackCert backCert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+ if (backCert.Init() != Success) {
+ return false;
+ }
+ Input spkiInput = backCert.GetSubjectPublicKeyInfo();
+ SECItem spkiItem = {siBuffer, const_cast<uint8_t*>(spkiInput.UnsafeGetData()),
+ spkiInput.GetLength()};
+ UniqueCERTSubjectPublicKeyInfo spki(
+ SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+ if (!spki) {
+ return false;
+ }
+ UniqueSECKEYPublicKey key(SECKEY_ExtractPublicKey(spki.get()));
+ SECItem signatureItem = {siBuffer, const_cast<uint8_t*>(aSignature),
+ static_cast<unsigned int>(aSignatureLen)};
+ rv = PK11_VerifyWithMechanism(key.get(), mechanism, &param, &signatureItem,
+ &hashItem, nullptr);
+ if (rv != SECSuccess) {
+ return false;
+ }
+
+ nsTArray<Span<const uint8_t>> collectedCerts;
+ for (size_t i = 0; i < aCertChainLen; ++i) {
+ Span<const uint8_t> cert(aCertChain[i], aCertsLen[i]);
+ collectedCerts.AppendElement(std::move(cert));
+ }
+
+ Span<const uint8_t> certSpan = {aEECert, aEECertLen};
+ nsresult nrv =
+ VerifyCertificate(certSpan, aTrustedRoot, std::move(collectedCerts));
+ bool result = true;
+ if (NS_FAILED(nrv)) {
+ result = false;
+ }
+
+ // Passing back the signing certificate in form of the DER cert.
+ context->SetCert(certSpan);
+ if (NS_FAILED(nrv)) {
+ result = false;
+ }
+
+ return result;
+}
+
+nsresult VerifyAppManifest(SECOidTag aDigestToUse, nsCOMPtr<nsIZipReader> aZip,
+ nsTHashtable<nsCStringHashKey>& aIgnoredFiles,
+ const SECItem& aManifestBuffer) {
+ // Allocate the I/O buffer only once per JAR, instead of once per entry, in
+ // order to minimize malloc/free calls and in order to avoid fragmenting
+ // memory.
+ ScopedAutoSECItem buf(128 * 1024);
+
+ nsTHashtable<nsCStringHashKey> items;
+
+ nsresult rv =
+ ParseMF(BitwiseCast<char*, unsigned char*>(aManifestBuffer.data), aZip,
+ aDigestToUse, items, buf);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Verify every entry in the file.
+ nsCOMPtr<nsIUTF8StringEnumerator> entries;
+ rv = aZip->FindEntries(""_ns, getter_AddRefs(entries));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!entries) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ for (;;) {
+ bool hasMore;
+ rv = entries->HasMore(&hasMore);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (!hasMore) {
+ break;
+ }
+
+ nsAutoCString entryFilename;
+ rv = entries->GetNext(entryFilename);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Verifying digests for %s", entryFilename.get()));
+
+ if (entryFilename.Length() == 0) {
+ return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
+ }
+
+ // The files that comprise the signature mechanism are not covered by the
+ // signature. Ignore these files.
+ if (aIgnoredFiles.Contains(entryFilename)) {
+ continue;
+ }
+
+ // Entries with names that end in "/" are directory entries, which are not
+ // signed.
+ //
+ // Since bug 1415991 we don't support unpacked JARs. The "/" entries are
+ // therefore harmless.
+ if (entryFilename.Last() == '/') {
+ continue;
+ }
+
+ nsCStringHashKey* item = items.GetEntry(entryFilename);
+ if (!item) {
+ return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY;
+ }
+
+ // Remove the item so we can check for leftover items later
+ items.RemoveEntry(item);
+ }
+
+ // We verified that every entry that we require to be signed is signed. But,
+ // were there any missing entries--that is, entries that are mentioned in the
+ // manifest but missing from the archive?
+ if (items.Count() != 0) {
+ return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
+ }
+
+ return NS_OK;
+}
+
+// This corresponds to the preference "security.signed_app_signatures.policy".
+// The lowest order bit determines which PKCS#7 algorithms are accepted.
+// xxx_0_: SHA-1 and/or SHA-256 PKCS#7 allowed
+// xxx_1_: SHA-256 PKCS#7 allowed
+// The next two bits determine whether COSE is required and PKCS#7 is allowed
+// x_00_x: COSE disabled, ignore files, PKCS#7 must verify
+// x_01_x: COSE is verified if present, PKCS#7 must verify
+// x_10_x: COSE is required, PKCS#7 must verify if present
+// x_11_x: COSE is required, PKCS#7 disabled (fail when present)
+class SignaturePolicy {
+ public:
+ explicit SignaturePolicy(int32_t preference)
+ : mProcessCose(true),
+ mCoseRequired(false),
+ mProcessPK7(true),
+ mPK7Required(true),
+ mSHA1Allowed(true),
+ mSHA256Allowed(true) {
+ mCoseRequired = (preference & 0b100) != 0;
+ mProcessCose = (preference & 0b110) != 0;
+ mPK7Required = (preference & 0b100) == 0;
+ mProcessPK7 = (preference & 0b110) != 0b110;
+ if ((preference & 0b1) == 0) {
+ mSHA1Allowed = true;
+ mSHA256Allowed = true;
+ } else {
+ mSHA1Allowed = false;
+ mSHA256Allowed = true;
+ }
+ }
+ ~SignaturePolicy() = default;
+ bool ProcessCOSE() { return mProcessCose; }
+ bool COSERequired() { return mCoseRequired; }
+ bool PK7Required() { return mPK7Required; }
+ bool ProcessPK7() { return mProcessPK7; }
+ bool IsPK7HashAllowed(SECOidTag aHashAlg) {
+ if (aHashAlg == SEC_OID_SHA256 && mSHA256Allowed) {
+ return true;
+ }
+ if (aHashAlg == SEC_OID_SHA1 && mSHA1Allowed) {
+ return true;
+ }
+ return false;
+ }
+
+ private:
+ bool mProcessCose;
+ bool mCoseRequired;
+ bool mProcessPK7;
+ bool mPK7Required;
+ bool mSHA1Allowed;
+ bool mSHA256Allowed;
+};
+
+nsresult VerifyCOSESignature(AppTrustedRoot aTrustedRoot, nsIZipReader* aZip,
+ SignaturePolicy& aPolicy,
+ nsTHashtable<nsCStringHashKey>& aIgnoredFiles,
+ /* out */ bool& aVerified,
+ /* out */ nsTArray<uint8_t>& aCoseCertDER) {
+ NS_ENSURE_ARG_POINTER(aZip);
+ bool required = aPolicy.COSERequired();
+ aVerified = false;
+
+ // Read COSE signature file.
+ nsAutoCString coseFilename;
+ ScopedAutoSECItem coseBuffer;
+ nsresult rv = FindAndLoadOneEntry(
+ aZip, nsLiteralCString(JAR_COSE_SEARCH_STRING), coseFilename, coseBuffer);
+ if (NS_FAILED(rv)) {
+ return required ? NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE : NS_OK;
+ }
+
+ // Verify COSE signature.
+ nsAutoCString mfFilename;
+ ScopedAutoSECItem manifestBuffer;
+ rv = FindAndLoadOneEntry(aZip, nsLiteralCString(JAR_COSE_MF_SEARCH_STRING),
+ mfFilename, manifestBuffer);
+ if (NS_FAILED(rv)) {
+ return required ? NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE : rv;
+ }
+ MOZ_ASSERT(manifestBuffer.len >= 1);
+ MOZ_ASSERT(coseBuffer.len >= 1);
+ CoseVerificationContext context(aTrustedRoot);
+ bool coseVerification = verify_cose_signature_ffi(
+ manifestBuffer.data, manifestBuffer.len - 1, coseBuffer.data,
+ coseBuffer.len - 1, &context, CoseVerificationCallback);
+ if (!coseVerification) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+ // CoseVerificationCallback sets the context certificate to the first cert
+ // it encounters.
+ aCoseCertDER = context.TakeCert();
+
+ // aIgnoredFiles contains the PKCS#7 manifest and signature files iff the
+ // PKCS#7 verification was successful.
+ aIgnoredFiles.PutEntry(mfFilename);
+ aIgnoredFiles.PutEntry(coseFilename);
+ rv = VerifyAppManifest(SEC_OID_SHA256, aZip, aIgnoredFiles, manifestBuffer);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ aVerified = true;
+ return NS_OK;
+}
+
+nsresult VerifyPK7Signature(
+ AppTrustedRoot aTrustedRoot, nsIZipReader* aZip, SignaturePolicy& aPolicy,
+ /* out */ nsTHashtable<nsCStringHashKey>& aIgnoredFiles,
+ /* out */ bool& aVerified,
+ /* out */ nsTArray<uint8_t>& aSignerCert) {
+ NS_ENSURE_ARG_POINTER(aZip);
+ bool required = aPolicy.PK7Required();
+ aVerified = false;
+
+ // Signature (RSA) file
+ nsAutoCString sigFilename;
+ ScopedAutoSECItem sigBuffer;
+ nsresult rv = FindAndLoadOneEntry(
+ aZip, nsLiteralCString(JAR_RSA_SEARCH_STRING), sigFilename, sigBuffer);
+ if (NS_FAILED(rv)) {
+ return required ? NS_ERROR_SIGNED_JAR_NOT_SIGNED : NS_OK;
+ }
+
+ // Signature (SF) file
+ nsAutoCString sfFilename;
+ ScopedAutoSECItem sfBuffer;
+ rv = FindAndLoadOneEntry(aZip, nsLiteralCString(JAR_SF_SEARCH_STRING),
+ sfFilename, sfBuffer);
+ if (NS_FAILED(rv)) {
+ return required ? NS_ERROR_SIGNED_JAR_MANIFEST_INVALID : NS_OK;
+ }
+
+ // Calculate both the SHA-1 and SHA-256 hashes of the signature file - we
+ // don't know what algorithm the PKCS#7 signature used.
+ nsTArray<uint8_t> sfCalculatedSHA1Digest;
+ rv = Digest::DigestBuf(SEC_OID_SHA1, sfBuffer.data, sfBuffer.len - 1,
+ sfCalculatedSHA1Digest);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsTArray<uint8_t> sfCalculatedSHA256Digest;
+ rv = Digest::DigestBuf(SEC_OID_SHA256, sfBuffer.data, sfBuffer.len - 1,
+ sfCalculatedSHA256Digest);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Verify PKCS#7 signature.
+ // If we get here, the signature has to verify even if PKCS#7 is not required.
+ sigBuffer.type = siBuffer;
+ SECOidTag digestToUse;
+ rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedSHA1Digest,
+ sfCalculatedSHA256Digest, digestToUse, aSignerCert);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Check the digest used for the signature against the policy.
+ if (!aPolicy.IsPK7HashAllowed(digestToUse)) {
+ return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE;
+ }
+
+ nsAutoCString mfDigest;
+ rv = ParseSF(BitwiseCast<char*, unsigned char*>(sfBuffer.data), digestToUse,
+ mfDigest);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Read PK7 manifest (MF) file.
+ ScopedAutoSECItem manifestBuffer;
+ nsTArray<uint8_t> digestArray;
+ nsAutoCString mfFilename;
+ rv = FindAndLoadOneEntry(aZip, nsLiteralCString(JAR_MF_SEARCH_STRING),
+ mfFilename, manifestBuffer, digestToUse,
+ &digestArray);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsDependentCSubstring calculatedDigest(
+ BitwiseCast<char*, uint8_t*>(digestArray.Elements()),
+ digestArray.Length());
+ if (!mfDigest.Equals(calculatedDigest)) {
+ return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
+ }
+
+ // Verify PKCS7 manifest file hashes.
+ aIgnoredFiles.PutEntry(sfFilename);
+ aIgnoredFiles.PutEntry(sigFilename);
+ aIgnoredFiles.PutEntry(mfFilename);
+ rv = VerifyAppManifest(digestToUse, aZip, aIgnoredFiles, manifestBuffer);
+ if (NS_FAILED(rv)) {
+ aIgnoredFiles.Clear();
+ return rv;
+ }
+
+ aVerified = true;
+ return NS_OK;
+}
+
+nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
+ SignaturePolicy aPolicy,
+ /* out, optional */ nsIZipReader** aZipReader,
+ /* out, optional */ nsIX509Cert** aSignerCert) {
+ NS_ENSURE_ARG_POINTER(aJarFile);
+
+ if (aZipReader) {
+ *aZipReader = nullptr;
+ }
+
+ if (aSignerCert) {
+ *aSignerCert = nullptr;
+ }
+
+ nsresult rv;
+
+ static NS_DEFINE_CID(kZipReaderCID, NS_ZIPREADER_CID);
+ nsCOMPtr<nsIZipReader> zip = do_CreateInstance(kZipReaderCID, &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = zip->Open(aJarFile);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ bool pk7Verified = false;
+ bool coseVerified = false;
+ nsTHashtable<nsCStringHashKey> ignoredFiles;
+ nsTArray<uint8_t> pkcs7CertDER;
+ nsTArray<uint8_t> coseCertDER;
+
+ // First we have to verify the PKCS#7 signature if there is one.
+ // This signature covers all files (except for the signature files itself),
+ // including the COSE signature files. Only when this verification is
+ // successful the respective files will be ignored in the subsequent COSE
+ // signature verification.
+ if (aPolicy.ProcessPK7()) {
+ rv = VerifyPK7Signature(aTrustedRoot, zip, aPolicy, ignoredFiles,
+ pk7Verified, pkcs7CertDER);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ if (aPolicy.ProcessCOSE()) {
+ rv = VerifyCOSESignature(aTrustedRoot, zip, aPolicy, ignoredFiles,
+ coseVerified, coseCertDER);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ // Bits 1 and 2
+ // 00 = Didn't Process PKCS#7 signatures
+ // 01 = Processed but no valid cert or signature
+ // 10 = Processed and valid cert found, but addon didn't match manifest
+ // 11 = Processed and valid.
+ // Bits 3 and 4 are the same but for COSE.
+ uint32_t bucket = 0;
+ bucket += aPolicy.ProcessCOSE();
+ bucket += !coseCertDER.IsEmpty();
+ bucket += coseVerified;
+ bucket <<= 2;
+ bucket += aPolicy.ProcessPK7();
+ bucket += !pkcs7CertDER.IsEmpty();
+ bucket += pk7Verified;
+ Telemetry::Accumulate(Telemetry::ADDON_SIGNATURE_VERIFICATION_STATUS, bucket);
+
+ if ((aPolicy.PK7Required() && !pk7Verified) ||
+ (aPolicy.COSERequired() && !coseVerified)) {
+ return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE;
+ }
+
+ // Return the reader to the caller if they want it
+ if (aZipReader) {
+ zip.forget(aZipReader);
+ }
+
+ // Return the signer's certificate to the reader if they want it.
+ if (aSignerCert) {
+ // The COSE certificate is authoritative.
+ if (aPolicy.COSERequired() || !coseCertDER.IsEmpty()) {
+ if (coseCertDER.IsEmpty()) {
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsIX509Cert> signerCert(
+ new nsNSSCertificate(std::move(coseCertDER)));
+ signerCert.forget(aSignerCert);
+ } else {
+ if (pkcs7CertDER.IsEmpty()) {
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsIX509Cert> signerCert(
+ new nsNSSCertificate(std::move(pkcs7CertDER)));
+ signerCert.forget(aSignerCert);
+ }
+ }
+
+ return NS_OK;
+}
+
+class OpenSignedAppFileTask final : public CryptoTask {
+ public:
+ OpenSignedAppFileTask(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
+ SignaturePolicy aPolicy,
+ nsIOpenSignedAppFileCallback* aCallback)
+ : mTrustedRoot(aTrustedRoot),
+ mJarFile(aJarFile),
+ mPolicy(aPolicy),
+ mCallback(new nsMainThreadPtrHolder<nsIOpenSignedAppFileCallback>(
+ "OpenSignedAppFileTask::mCallback", aCallback)) {}
+
+ private:
+ virtual nsresult CalculateResult() override {
+ return OpenSignedAppFile(mTrustedRoot, mJarFile, mPolicy,
+ getter_AddRefs(mZipReader),
+ getter_AddRefs(mSignerCert));
+ }
+
+ virtual void CallCallback(nsresult rv) override {
+ (void)mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert);
+ }
+
+ const AppTrustedRoot mTrustedRoot;
+ const nsCOMPtr<nsIFile> mJarFile;
+ const SignaturePolicy mPolicy;
+ nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback;
+ nsCOMPtr<nsIZipReader> mZipReader; // out
+ nsCOMPtr<nsIX509Cert> mSignerCert; // out
+};
+
+static const int32_t sDefaultSignaturePolicy = 0b10;
+
+} // unnamed namespace
+
+NS_IMETHODIMP
+nsNSSCertificateDB::OpenSignedAppFileAsync(
+ AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
+ nsIOpenSignedAppFileCallback* aCallback) {
+ NS_ENSURE_ARG_POINTER(aJarFile);
+ NS_ENSURE_ARG_POINTER(aCallback);
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ int32_t policyInt =
+ Preferences::GetInt("security.signed_app_signatures.policy",
+ static_cast<int32_t>(sDefaultSignaturePolicy));
+ SignaturePolicy policy(policyInt);
+ RefPtr<OpenSignedAppFileTask> task(
+ new OpenSignedAppFileTask(aTrustedRoot, aJarFile, policy, aCallback));
+ return task->Dispatch();
+}
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
new file mode 100644
index 0000000000..2cdf275ade
--- /dev/null
+++ b/security/manager/ssl/AppTrustDomain.cpp
@@ -0,0 +1,319 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AppTrustDomain.h"
+
+#include "MainThreadUtils.h"
+#include "cert_storage/src/cert_storage.h"
+// FIXME: these two must be included before certdb.h {
+#include "seccomon.h"
+#include "certt.h"
+// }
+#include "certdb.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Preferences.h"
+#include "mozpkix/pkixnss.h"
+#include "NSSCertDBTrustDomain.h"
+#include "nsComponentManagerUtils.h"
+#include "nsDirectoryServiceUtils.h"
+#include "nsIContentSignatureVerifier.h"
+#include "nsIX509CertDB.h"
+#include "nsNSSCertificate.h"
+#include "nsNetUtil.h"
+#include "prerror.h"
+
+// Generated by gen_cert_header.py, which gets called by the build system.
+#include "xpcshell.inc"
+// Add-on signing Certificates
+#include "addons-public.inc"
+#include "addons-public-intermediate.inc"
+#include "addons-stage.inc"
+// Content signature root certificates
+#include "content-signature-dev.inc"
+#include "content-signature-local.inc"
+#include "content-signature-prod.inc"
+#include "content-signature-stage.inc"
+
+using namespace mozilla::pkix;
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+namespace mozilla {
+namespace psm {
+
+AppTrustDomain::AppTrustDomain(nsTArray<Span<const uint8_t>>&& collectedCerts)
+ : mIntermediates(std::move(collectedCerts)),
+ mCertBlocklist(do_GetService(NS_CERT_STORAGE_CID)) {}
+
+nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
+ switch (trustedRoot) {
+ case nsIX509CertDB::AppXPCShellRoot:
+ mTrustedRoot = {xpcshellRoot};
+ break;
+
+ case nsIX509CertDB::AddonsPublicRoot:
+ mTrustedRoot = {addonsPublicRoot};
+ break;
+
+ case nsIX509CertDB::AddonsStageRoot:
+ mTrustedRoot = {addonsStageRoot};
+ break;
+
+ case nsIContentSignatureVerifier::ContentSignatureLocalRoot:
+ mTrustedRoot = {contentSignatureLocalRoot};
+ break;
+
+ case nsIContentSignatureVerifier::ContentSignatureProdRoot:
+ mTrustedRoot = {contentSignatureProdRoot};
+ break;
+
+ case nsIContentSignatureVerifier::ContentSignatureStageRoot:
+ mTrustedRoot = {contentSignatureStageRoot};
+ break;
+
+ case nsIContentSignatureVerifier::ContentSignatureDevRoot:
+ mTrustedRoot = {contentSignatureDevRoot};
+ break;
+
+ default:
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ // If we're verifying add-ons signed by our production root, we want to make
+ // sure a valid intermediate certificate is available for path building.
+ if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) {
+ mAddonsIntermediate = {addonsPublicIntermediate};
+ }
+
+ return NS_OK;
+}
+
+pkix::Result AppTrustDomain::FindIssuer(Input encodedIssuerName,
+ IssuerChecker& checker, Time) {
+ MOZ_ASSERT(!mTrustedRoot.IsEmpty());
+ if (mTrustedRoot.IsEmpty()) {
+ return pkix::Result::FATAL_ERROR_INVALID_STATE;
+ }
+
+ nsTArray<Input> candidates;
+ Input rootInput;
+ pkix::Result rv =
+ rootInput.Init(mTrustedRoot.Elements(), mTrustedRoot.Length());
+ // This should never fail, since the possible roots are all hard-coded and
+ // they should never be too long.
+ if (rv != Success) {
+ return rv;
+ }
+ candidates.AppendElement(std::move(rootInput));
+ if (!mAddonsIntermediate.IsEmpty()) {
+ Input intermediateInput;
+ rv = intermediateInput.Init(mAddonsIntermediate.Elements(),
+ mAddonsIntermediate.Length());
+ // Again, this should never fail for the same reason as above.
+ if (rv != Success) {
+ return rv;
+ }
+ candidates.AppendElement(std::move(intermediateInput));
+ }
+ for (const auto& intermediate : mIntermediates) {
+ Input intermediateInput;
+ rv = intermediateInput.Init(intermediate.Elements(), intermediate.Length());
+ // This is untrusted input, so skip any intermediates that are too large.
+ if (rv != Success) {
+ continue;
+ }
+ candidates.AppendElement(std::move(intermediateInput));
+ }
+
+ for (const auto& candidate : candidates) {
+ bool keepGoing;
+ rv = checker.Check(candidate, nullptr /*additionalNameConstraints*/,
+ keepGoing);
+ if (rv != Success) {
+ return rv;
+ }
+ if (!keepGoing) {
+ return Success;
+ }
+ }
+
+ // If the above did not succeed in building a verified certificate chain,
+ // fall back to searching for candidates in NSS. This is important in case an
+ // intermediate involved in add-on signing expires before it is replaced. See
+ // bug 1548973.
+ SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName);
+ UniqueCERTCertList nssCandidates(CERT_CreateSubjectCertList(
+ nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameSECItem, 0, false));
+ if (nssCandidates) {
+ for (CERTCertListNode* n = CERT_LIST_HEAD(nssCandidates);
+ !CERT_LIST_END(n, nssCandidates); n = CERT_LIST_NEXT(n)) {
+ Input certDER;
+ pkix::Result rv =
+ certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
+ if (rv != Success) {
+ continue; // probably too big
+ }
+
+ bool keepGoing;
+ rv = checker.Check(certDER, nullptr /*additionalNameConstraints*/,
+ keepGoing);
+ if (rv != Success) {
+ return rv;
+ }
+ if (!keepGoing) {
+ break;
+ }
+ }
+ }
+
+ return Success;
+}
+
+pkix::Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
+ const CertPolicyId& policy,
+ Input candidateCertDER,
+ /*out*/ TrustLevel& trustLevel) {
+ MOZ_ASSERT(policy.IsAnyPolicy());
+ MOZ_ASSERT(!mTrustedRoot.IsEmpty());
+ if (!policy.IsAnyPolicy()) {
+ return pkix::Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ if (mTrustedRoot.IsEmpty()) {
+ return pkix::Result::FATAL_ERROR_INVALID_STATE;
+ }
+
+ nsTArray<uint8_t> issuerBytes;
+ nsTArray<uint8_t> serialBytes;
+ nsTArray<uint8_t> subjectBytes;
+ nsTArray<uint8_t> pubKeyBytes;
+
+ pkix::Result result =
+ BuildRevocationCheckArrays(candidateCertDER, endEntityOrCA, issuerBytes,
+ serialBytes, subjectBytes, pubKeyBytes);
+ if (result != Success) {
+ return result;
+ }
+
+ int16_t revocationState;
+ nsresult nsrv = mCertBlocklist->GetRevocationState(
+ issuerBytes, serialBytes, subjectBytes, pubKeyBytes, &revocationState);
+ if (NS_FAILED(nsrv)) {
+ return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+
+ if (revocationState == nsICertStorage::STATE_ENFORCE) {
+ return pkix::Result::ERROR_REVOKED_CERTIFICATE;
+ }
+
+ // mTrustedRoot is the only trust anchor for this validation.
+ Span<const uint8_t> candidateCertDERSpan = {candidateCertDER.UnsafeGetData(),
+ candidateCertDER.GetLength()};
+ if (mTrustedRoot == candidateCertDERSpan) {
+ trustLevel = TrustLevel::TrustAnchor;
+ return Success;
+ }
+
+ trustLevel = TrustLevel::InheritsTrust;
+ return Success;
+}
+
+pkix::Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf,
+ size_t digestBufLen) {
+ return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
+}
+
+pkix::Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time,
+ Duration,
+ /*optional*/ const Input*,
+ /*optional*/ const Input*,
+ /*optional*/ const Input*) {
+ // We don't currently do revocation checking. If we need to distrust an Apps
+ // certificate, we will use the active distrust mechanism.
+ return Success;
+}
+
+pkix::Result AppTrustDomain::IsChainValid(const DERArray& certChain, Time time,
+ const CertPolicyId& requiredPolicy) {
+ MOZ_ASSERT(requiredPolicy.IsAnyPolicy());
+ return Success;
+}
+
+pkix::Result AppTrustDomain::CheckSignatureDigestAlgorithm(
+ DigestAlgorithm digestAlg, EndEntityOrCA, Time) {
+ switch (digestAlg) {
+ case DigestAlgorithm::sha256: // fall through
+ case DigestAlgorithm::sha384: // fall through
+ case DigestAlgorithm::sha512:
+ return Success;
+ case DigestAlgorithm::sha1:
+ return pkix::Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+ }
+ return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+}
+
+pkix::Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
+ EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits) {
+ if (modulusSizeInBits < 2048u) {
+ return pkix::Result::ERROR_INADEQUATE_KEY_SIZE;
+ }
+ return Success;
+}
+
+pkix::Result AppTrustDomain::VerifyRSAPKCS1SignedData(
+ Input data, DigestAlgorithm digestAlgorithm, Input signature,
+ Input subjectPublicKeyInfo) {
+ // TODO: We should restrict signatures to SHA-256 or better.
+ return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
+ subjectPublicKeyInfo, nullptr);
+}
+
+pkix::Result AppTrustDomain::VerifyRSAPSSSignedData(
+ Input data, DigestAlgorithm digestAlgorithm, Input signature,
+ Input subjectPublicKeyInfo) {
+ return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
+ subjectPublicKeyInfo, nullptr);
+}
+
+pkix::Result AppTrustDomain::CheckECDSACurveIsAcceptable(
+ EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) {
+ switch (curve) {
+ case NamedCurve::secp256r1: // fall through
+ case NamedCurve::secp384r1: // fall through
+ case NamedCurve::secp521r1:
+ return Success;
+ }
+
+ return pkix::Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+}
+
+pkix::Result AppTrustDomain::VerifyECDSASignedData(
+ Input data, DigestAlgorithm digestAlgorithm, Input signature,
+ Input subjectPublicKeyInfo) {
+ return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
+ subjectPublicKeyInfo, nullptr);
+}
+
+pkix::Result AppTrustDomain::CheckValidityIsAcceptable(
+ Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
+ KeyPurposeId /*keyPurpose*/) {
+ return Success;
+}
+
+pkix::Result AppTrustDomain::NetscapeStepUpMatchesServerAuth(
+ Time /*notBefore*/,
+ /*out*/ bool& matches) {
+ matches = false;
+ return Success;
+}
+
+void AppTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension /*extension*/,
+ Input /*extensionData*/) {}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h
new file mode 100644
index 0000000000..4d09cdabdf
--- /dev/null
+++ b/security/manager/ssl/AppTrustDomain.h
@@ -0,0 +1,94 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef AppTrustDomain_h
+#define AppTrustDomain_h
+
+#include "mozilla/Span.h"
+#include "mozpkix/pkixtypes.h"
+#include "nsCOMPtr.h"
+#include "nsDebug.h"
+#include "nsICertStorage.h"
+#include "nsIX509CertDB.h"
+#include "nsTArray.h"
+
+namespace mozilla {
+namespace psm {
+
+class AppTrustDomain final : public mozilla::pkix::TrustDomain {
+ public:
+ typedef mozilla::pkix::Result Result;
+
+ explicit AppTrustDomain(nsTArray<Span<const uint8_t>>&& collectedCerts);
+
+ nsresult SetTrustedRoot(AppTrustedRoot trustedRoot);
+
+ virtual Result GetCertTrust(
+ mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ const mozilla::pkix::CertPolicyId& policy,
+ mozilla::pkix::Input candidateCertDER,
+ /*out*/ mozilla::pkix::TrustLevel& trustLevel) override;
+ virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
+ IssuerChecker& checker,
+ mozilla::pkix::Time time) override;
+ virtual Result CheckRevocation(
+ mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
+ mozilla::pkix::Duration validityDuration,
+ /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
+ /*optional*/ const mozilla::pkix::Input* aiaExtension,
+ /*optional*/ const mozilla::pkix::Input* sctExtension) override;
+ virtual Result IsChainValid(
+ const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
+ const mozilla::pkix::CertPolicyId& requiredPolicy) override;
+ virtual Result CheckSignatureDigestAlgorithm(
+ mozilla::pkix::DigestAlgorithm digestAlg,
+ mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ mozilla::pkix::Time notBefore) override;
+ virtual Result CheckRSAPublicKeyModulusSizeInBits(
+ mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ unsigned int modulusSizeInBits) override;
+ virtual Result VerifyRSAPKCS1SignedData(
+ mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
+ virtual Result VerifyRSAPSSSignedData(
+ mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
+ virtual Result CheckECDSACurveIsAcceptable(
+ mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ mozilla::pkix::NamedCurve curve) override;
+ virtual Result VerifyECDSASignedData(
+ mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
+ virtual Result CheckValidityIsAcceptable(
+ mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
+ mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ mozilla::pkix::KeyPurposeId keyPurpose) override;
+ virtual Result NetscapeStepUpMatchesServerAuth(
+ mozilla::pkix::Time notBefore,
+ /*out*/ bool& matches) override;
+ virtual void NoteAuxiliaryExtension(
+ mozilla::pkix::AuxiliaryExtension extension,
+ mozilla::pkix::Input extensionData) override;
+ virtual Result DigestBuf(mozilla::pkix::Input item,
+ mozilla::pkix::DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf,
+ size_t digestBufLen) override;
+
+ private:
+ Span<const uint8_t> mTrustedRoot;
+ Span<const uint8_t> mAddonsIntermediate;
+ nsTArray<Span<const uint8_t>> mIntermediates;
+ nsCOMPtr<nsICertStorage> mCertBlocklist;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // AppTrustDomain_h
diff --git a/security/manager/ssl/CertStorageMemoryReporting.cpp b/security/manager/ssl/CertStorageMemoryReporting.cpp
new file mode 100644
index 0000000000..524d16fc02
--- /dev/null
+++ b/security/manager/ssl/CertStorageMemoryReporting.cpp
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsIMemoryReporter.h"
+
+// Rust doesn't support weak-linking, so MFBT_API functions like
+// moz_malloc_size_of need a C++ wrapper that uses the regular ABI
+//
+// We're not using MOZ_DEFINE_MALLOC_SIZE_OF here because that makes the
+// function `static`, which would make it not visible outside this file
+extern "C" size_t cert_storage_malloc_size_of(void* aPtr) {
+ MOZ_REPORT(aPtr);
+ return moz_malloc_size_of(aPtr);
+}
diff --git a/security/manager/ssl/ClientAuthDialogService.sys.mjs b/security/manager/ssl/ClientAuthDialogService.sys.mjs
new file mode 100644
index 0000000000..7019dcc5cd
--- /dev/null
+++ b/security/manager/ssl/ClientAuthDialogService.sys.mjs
@@ -0,0 +1,68 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// ClientAuthDialogService implements nsIClientAuthDialogService, and aims to
+// open a dialog asking the user to select a client authentication certificate.
+// Ideally the dialog will be tab-modal to the tab corresponding to the load
+// that resulted in the request for the client authentication certificate.
+export function ClientAuthDialogService() {}
+
+// Given a loadContext (CanonicalBrowsingContext), attempts to return a
+// TabDialogBox for the browser corresponding to loadContext.
+function getTabDialogBoxForLoadContext(loadContext) {
+ let tabBrowser = loadContext?.topFrameElement?.getTabBrowser();
+ if (!tabBrowser) {
+ return null;
+ }
+ for (let browser of tabBrowser.browsers) {
+ if (browser.browserId == loadContext.top?.browserId) {
+ return tabBrowser.getTabDialogBox(browser);
+ }
+ }
+ return null;
+}
+
+ClientAuthDialogService.prototype = {
+ classID: Components.ID("{d7d2490d-2640-411b-9f09-a538803c11ee}"),
+ QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogService"]),
+
+ chooseCertificate: function ClientAuthDialogService_chooseCertificate(
+ hostname,
+ certArray,
+ loadContext,
+ callback
+ ) {
+ const clientAuthAskURI = "chrome://pippki/content/clientauthask.xhtml";
+ let retVals = { cert: null, rememberDecision: false };
+ // First attempt to find a TabDialogBox for the loadContext. This allows
+ // for a tab-modal dialog specific to the tab causing the load, which is a
+ // better user experience.
+ let tabDialogBox = getTabDialogBoxForLoadContext(loadContext);
+ if (tabDialogBox) {
+ tabDialogBox
+ .open(clientAuthAskURI, {}, { hostname, certArray, retVals })
+ .closedPromise.then(() => {
+ callback.certificateChosen(retVals.cert, retVals.rememberDecision);
+ });
+ return;
+ }
+ // Otherwise, attempt to open a window-modal dialog on the window that at
+ // least has the tab the load is occurring in.
+ let browserWindow = loadContext?.topFrameElement?.ownerGlobal;
+ // Failing that, open a window-modal dialog on the most recent window.
+ if (!browserWindow) {
+ browserWindow = Services.wm.getMostRecentBrowserWindow();
+ }
+ if (browserWindow) {
+ browserWindow.gDialogBox
+ .open(clientAuthAskURI, { hostname, certArray, retVals })
+ .then(() => {
+ callback.certificateChosen(retVals.cert, retVals.rememberDecision);
+ });
+ return;
+ }
+ // Otherwise, continue the connection with no certificate.
+ callback.certificateChosen(null, false);
+ },
+};
diff --git a/security/manager/ssl/CommonSocketControl.cpp b/security/manager/ssl/CommonSocketControl.cpp
new file mode 100644
index 0000000000..2208333fb3
--- /dev/null
+++ b/security/manager/ssl/CommonSocketControl.cpp
@@ -0,0 +1,519 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "CommonSocketControl.h"
+
+#include "PublicKeyPinningService.h"
+#include "SharedCertVerifier.h"
+#include "SharedSSLState.h"
+#include "mozilla/ErrorResult.h"
+#include "mozilla/StaticPrefs_network.h"
+#include "mozilla/dom/Promise.h"
+#include "nsICertOverrideService.h"
+#include "nsISocketProvider.h"
+#include "nsITlsHandshakeListener.h"
+#include "nsNSSComponent.h"
+#include "nsNSSHelper.h"
+#include "secerr.h"
+#include "ssl.h"
+#include "sslt.h"
+
+using namespace mozilla;
+
+extern LazyLogModule gPIPNSSLog;
+
+NS_IMPL_ISUPPORTS(CommonSocketControl, nsITLSSocketControl)
+
+CommonSocketControl::CommonSocketControl(const nsCString& aHostName,
+ int32_t aPort, uint32_t aProviderFlags)
+ : mHostName(aHostName),
+ mPort(aPort),
+ mCanceled(false),
+ mHandshakeCompleted(false),
+ mJoined(false),
+ mSentClientCert(false),
+ mFailedVerification(false),
+ mSSLVersionUsed(nsITLSSocketControl::SSL_VERSION_UNKNOWN),
+ mProviderFlags(aProviderFlags),
+ mSecurityState(0),
+ mErrorCode(0),
+ mServerCert(nullptr),
+ mCertificateTransparencyStatus(0),
+ mMadeOCSPRequests(false),
+ mUsedPrivateDNS(false),
+ mNPNCompleted(false),
+ mResumed(false),
+ mIsBuiltCertChainRootBuiltInRoot(false) {
+#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED)
+ mOwningThread = PR_GetCurrentThread();
+#endif
+}
+
+void CommonSocketControl::SetStatusErrorBits(
+ const nsCOMPtr<nsIX509Cert>& cert,
+ nsITransportSecurityInfo::OverridableErrorCategory
+ overridableErrorCategory) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ SetServerCert(cert, mozilla::psm::EVStatus::NotEV);
+ mOverridableErrorCategory = Some(overridableErrorCategory);
+}
+
+static void CreateCertChain(nsTArray<RefPtr<nsIX509Cert>>& aOutput,
+ nsTArray<nsTArray<uint8_t>>&& aCertList) {
+ nsTArray<nsTArray<uint8_t>> certList = std::move(aCertList);
+ aOutput.Clear();
+ for (auto& certBytes : certList) {
+ RefPtr<nsIX509Cert> cert = new nsNSSCertificate(std::move(certBytes));
+ aOutput.AppendElement(cert);
+ }
+}
+
+void CommonSocketControl::SetServerCert(
+ const nsCOMPtr<nsIX509Cert>& aServerCert,
+ mozilla::psm::EVStatus aEVStatus) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mServerCert = aServerCert;
+ mIsEV = Some(aEVStatus == mozilla::psm::EVStatus::EV);
+}
+
+void CommonSocketControl::SetSucceededCertChain(
+ nsTArray<nsTArray<uint8_t>>&& aCertList) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return CreateCertChain(mSucceededCertChain, std::move(aCertList));
+}
+
+void CommonSocketControl::SetFailedCertChain(
+ nsTArray<nsTArray<uint8_t>>&& aCertList) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return CreateCertChain(mFailedCertChain, std::move(aCertList));
+}
+
+void CommonSocketControl::SetCanceled(PRErrorCode errorCode) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ MOZ_ASSERT(errorCode != 0);
+ if (errorCode == 0) {
+ errorCode = SEC_ERROR_LIBRARY_FAILURE;
+ }
+
+ mErrorCode = errorCode;
+ mCanceled = true;
+}
+
+// NB: GetErrorCode may be called before an error code is set (if ever). In that
+// case, this returns 0, which is treated as a successful value.
+int32_t CommonSocketControl::GetErrorCode() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ // We're in an inconsistent state if we think we've been canceled but no error
+ // code was set or we haven't been canceled but an error code was set.
+ MOZ_ASSERT(
+ !((mCanceled && mErrorCode == 0) || (!mCanceled && mErrorCode != 0)));
+ if ((mCanceled && mErrorCode == 0) || (!mCanceled && mErrorCode != 0)) {
+ mCanceled = true;
+ mErrorCode = SEC_ERROR_LIBRARY_FAILURE;
+ }
+
+ return mErrorCode;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::ProxyStartSSL(void) { return NS_ERROR_NOT_IMPLEMENTED; }
+
+NS_IMETHODIMP
+CommonSocketControl::StartTLS(void) { return NS_ERROR_NOT_IMPLEMENTED; }
+
+NS_IMETHODIMP
+CommonSocketControl::SetNPNList(nsTArray<nsCString>& aNPNList) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetAlpnEarlySelection(nsACString& _retval) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetEarlyDataAccepted(bool* aEarlyDataAccepted) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::DriveHandshake(void) { return NS_ERROR_NOT_IMPLEMENTED; }
+
+NS_IMETHODIMP
+CommonSocketControl::JoinConnection(const nsACString& npnProtocol,
+ const nsACString& hostname, int32_t port,
+ bool* _retval) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ nsresult rv = TestJoinConnection(npnProtocol, hostname, port, _retval);
+ if (NS_SUCCEEDED(rv) && *_retval) {
+ // All tests pass - this is joinable
+ mJoined = true;
+ }
+ return rv;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::TestJoinConnection(const nsACString& npnProtocol,
+ const nsACString& hostname,
+ int32_t port, bool* _retval) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *_retval = false;
+
+ // Different ports may not be joined together
+ if (port != GetPort()) return NS_OK;
+
+ // Make sure NPN has been completed and matches requested npnProtocol
+ if (!mNPNCompleted || !mNegotiatedNPN.Equals(npnProtocol)) {
+ return NS_OK;
+ }
+
+ IsAcceptableForHost(hostname, _retval); // sets _retval
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
+ bool* _retval) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ NS_ENSURE_ARG(_retval);
+
+ *_retval = false;
+
+ // If this is the same hostname then the certicate status does not
+ // need to be considered. They are joinable.
+ if (hostname.Equals(GetHostName())) {
+ *_retval = true;
+ return NS_OK;
+ }
+
+ // Before checking the server certificate we need to make sure the
+ // handshake has completed.
+ if (!mHandshakeCompleted || !HasServerCert()) {
+ return NS_OK;
+ }
+
+ // Security checks can only be skipped when running xpcshell tests.
+ if (PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR")) {
+ nsCOMPtr<nsICertOverrideService> overrideService =
+ do_GetService(NS_CERTOVERRIDE_CONTRACTID);
+ if (overrideService) {
+ bool securityCheckDisabled = false;
+ overrideService->GetSecurityCheckDisabled(&securityCheckDisabled);
+ if (securityCheckDisabled) {
+ *_retval = true;
+ return NS_OK;
+ }
+ }
+ }
+
+ // If the cert has error bits (e.g. it is untrusted) then do not join.
+ if (mOverridableErrorCategory.isSome()) {
+ return NS_OK;
+ }
+
+ // If the connection is using client certificates then do not join
+ // because the user decides on whether to send client certs to hosts on a
+ // per-domain basis.
+ if (mSentClientCert) return NS_OK;
+
+ // Ensure that the server certificate covers the hostname that would
+ // like to join this connection
+
+ nsCOMPtr<nsIX509Cert> cert(GetServerCert());
+ if (!cert) {
+ return NS_OK;
+ }
+ nsTArray<uint8_t> certDER;
+ if (NS_FAILED(cert->GetRawDER(certDER))) {
+ return NS_OK;
+ }
+
+ // An empty mSucceededCertChain means the server certificate verification
+ // failed before, so don't join in this case.
+ if (mSucceededCertChain.IsEmpty()) {
+ return NS_OK;
+ }
+
+ // See where CheckCertHostname() is called in
+ // CertVerifier::VerifySSLServerCert. We are doing the same hostname-specific
+ // checks here. If any hostname-specific checks are added to
+ // CertVerifier::VerifySSLServerCert we need to add them here too.
+ pkix::Input serverCertInput;
+ mozilla::pkix::Result rv =
+ serverCertInput.Init(certDER.Elements(), certDER.Length());
+ if (rv != pkix::Success) {
+ return NS_OK;
+ }
+
+ pkix::Input hostnameInput;
+ rv = hostnameInput.Init(
+ BitwiseCast<const uint8_t*, const char*>(hostname.BeginReading()),
+ hostname.Length());
+ if (rv != pkix::Success) {
+ return NS_OK;
+ }
+
+ rv = CheckCertHostname(serverCertInput, hostnameInput);
+ if (rv != pkix::Success) {
+ return NS_OK;
+ }
+
+ nsTArray<nsTArray<uint8_t>> rawDerCertList;
+ nsTArray<Span<const uint8_t>> derCertSpanList;
+ for (const auto& cert : mSucceededCertChain) {
+ rawDerCertList.EmplaceBack();
+ nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
+ if (NS_FAILED(nsrv)) {
+ return nsrv;
+ }
+ derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
+ }
+ bool chainHasValidPins;
+ nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
+ derCertSpanList, PromiseFlatCString(hostname).BeginReading(), pkix::Now(),
+ mIsBuiltCertChainRootBuiltInRoot, chainHasValidPins, nullptr);
+ if (NS_FAILED(nsrv)) {
+ return NS_OK;
+ }
+
+ if (!chainHasValidPins) {
+ return NS_OK;
+ }
+
+ // All tests pass
+ *_retval = true;
+ return NS_OK;
+}
+
+void CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mSessionCacheInfo) {
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache cannot "
+ "find cached info."));
+ return;
+ }
+
+ mozilla::net::SessionCacheInfo& info = *mSessionCacheInfo;
+ nsCOMPtr<nsIX509Cert> cert(
+ new nsNSSCertificate(std::move(info.mServerCertBytes)));
+ if (info.mOverridableErrorCategory ==
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET) {
+ SetServerCert(cert, info.mEVStatus);
+ } else {
+ SetStatusErrorBits(cert, info.mOverridableErrorCategory);
+ }
+ SetCertificateTransparencyStatus(info.mCertificateTransparencyStatus);
+ if (info.mSucceededCertChainBytes) {
+ SetSucceededCertChain(std::move(*info.mSucceededCertChainBytes));
+ }
+
+ if (info.mIsBuiltCertChainRootBuiltInRoot) {
+ SetIsBuiltCertChainRootBuiltInRoot(*info.mIsBuiltCertChainRootBuiltInRoot);
+ }
+
+ if (info.mFailedCertChainBytes) {
+ SetFailedCertChain(std::move(*info.mFailedCertChainBytes));
+ }
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetKEAUsed(int16_t* aKEAUsed) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetKEAKeyBits(uint32_t* aKEAKeyBits) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetProviderFlags(uint32_t* aProviderFlags) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aProviderFlags = mProviderFlags;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetSSLVersionUsed(int16_t* aSSLVersionUsed) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aSSLVersionUsed = mSSLVersionUsed;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetSSLVersionOffered(int16_t* aSSLVersionOffered) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetMACAlgorithmUsed(int16_t* aMACAlgorithmUsed) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+bool CommonSocketControl::GetDenyClientCert() { return true; }
+
+void CommonSocketControl::SetDenyClientCert(bool aDenyClientCert) {}
+
+NS_IMETHODIMP
+CommonSocketControl::GetClientCertSent(bool* arg) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *arg = mSentClientCert;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetFailedVerification(bool* arg) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *arg = mFailedVerification;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetEsniTxt(nsACString& aEsniTxt) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::SetEsniTxt(const nsACString& aEsniTxt) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetEchConfig(nsACString& aEchConfig) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::SetEchConfig(const nsACString& aEchConfig) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetRetryEchConfig(nsACString& aEchConfig) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::SetHandshakeCallbackListener(
+ nsITlsHandshakeCallbackListener* callback) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::DisableEarlyData(void) { return NS_ERROR_NOT_IMPLEMENTED; }
+
+NS_IMETHODIMP
+CommonSocketControl::GetPeerId(nsACString& aResult) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mPeerId.IsEmpty()) {
+ aResult.Assign(mPeerId);
+ return NS_OK;
+ }
+
+ if (mProviderFlags &
+ nsISocketProvider::ANONYMOUS_CONNECT) { // See bug 466080
+ mPeerId.AppendLiteral("anon:");
+ }
+ if (mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE) {
+ mPeerId.AppendLiteral("private:");
+ }
+ if (mProviderFlags & nsISocketProvider::BE_CONSERVATIVE) {
+ mPeerId.AppendLiteral("beConservative:");
+ }
+
+ mPeerId.Append(mHostName);
+ mPeerId.Append(':');
+ mPeerId.AppendInt(GetPort());
+ nsAutoCString suffix;
+ mOriginAttributes.CreateSuffix(suffix);
+ mPeerId.Append(suffix);
+
+ aResult.Assign(mPeerId);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::GetSecurityInfo(nsITransportSecurityInfo** aSecurityInfo) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ // Make sure peerId is set.
+ nsAutoCString unused;
+ nsresult rv = GetPeerId(unused);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsCOMPtr<nsITransportSecurityInfo> securityInfo(
+ new psm::TransportSecurityInfo(
+ mSecurityState, mErrorCode, mFailedCertChain.Clone(), mServerCert,
+ mSucceededCertChain.Clone(), mCipherSuite, mKeaGroupName,
+ mSignatureSchemeName, mProtocolVersion,
+ mCertificateTransparencyStatus, mIsAcceptedEch,
+ mIsDelegatedCredential, mOverridableErrorCategory, mMadeOCSPRequests,
+ mUsedPrivateDNS, mIsEV, mNPNCompleted, mNegotiatedNPN, mResumed,
+ mIsBuiltCertChainRootBuiltInRoot, mPeerId));
+ securityInfo.forget(aSecurityInfo);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+CommonSocketControl::AsyncGetSecurityInfo(JSContext* aCx,
+ mozilla::dom::Promise** aPromise) {
+ MOZ_RELEASE_ASSERT(NS_IsMainThread());
+ NS_ENSURE_ARG_POINTER(aCx);
+ NS_ENSURE_ARG_POINTER(aPromise);
+
+ nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
+ if (!globalObject) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ ErrorResult result;
+ RefPtr<mozilla::dom::Promise> promise =
+ mozilla::dom::Promise::Create(globalObject, result);
+ if (result.Failed()) {
+ return result.StealNSResult();
+ }
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "CommonSocketControl::AsyncGetSecurityInfo",
+ [promise, self = RefPtr{this}]() mutable {
+ nsCOMPtr<nsITransportSecurityInfo> securityInfo;
+ nsresult rv = self->GetSecurityInfo(getter_AddRefs(securityInfo));
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "CommonSocketControl::AsyncGetSecurityInfoResolve",
+ [rv, promise = std::move(promise),
+ securityInfo = std::move(securityInfo)]() {
+ if (NS_FAILED(rv)) {
+ promise->MaybeReject(rv);
+ } else {
+ promise->MaybeResolve(securityInfo);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+ }));
+ nsCOMPtr<nsIEventTarget> target(
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
+ if (!target) {
+ return NS_ERROR_FAILURE;
+ }
+ nsresult rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ promise.forget(aPromise);
+ return NS_OK;
+}
+
+NS_IMETHODIMP CommonSocketControl::Claim() { return NS_ERROR_NOT_IMPLEMENTED; }
+
+NS_IMETHODIMP CommonSocketControl::SetBrowserId(uint64_t) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP CommonSocketControl::GetBrowserId(uint64_t*) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
diff --git a/security/manager/ssl/CommonSocketControl.h b/security/manager/ssl/CommonSocketControl.h
new file mode 100644
index 0000000000..ca0bf2bcf7
--- /dev/null
+++ b/security/manager/ssl/CommonSocketControl.h
@@ -0,0 +1,191 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef CommonSocketControl_h
+#define CommonSocketControl_h
+
+#include "CertVerifier.h"
+#include "TransportSecurityInfo.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/net/SSLTokensCache.h"
+#include "nsIInterfaceRequestor.h"
+#include "nsITLSSocketControl.h"
+#include "nsSocketTransportService2.h"
+
+#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED)
+# include "prthread.h"
+# define COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() \
+ MOZ_DIAGNOSTIC_ASSERT(mOwningThread == PR_GetCurrentThread())
+#else
+# define COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() \
+ do { \
+ } while (false)
+#endif
+
+// CommonSocketControl is the base class that implements nsITLSSocketControl.
+// Various concrete TLS socket control implementations inherit from this class.
+// Currently these implementations consist of NSSSocketControl (a socket
+// control for NSS) and QuicSocketControl (a socket control for quic).
+// NB: these classes must only be used on the socket thread (the one exception
+// being tests that incidentally use CommonSocketControl on the main thread
+// (and only the main thread)). This is enforced via the macro
+// COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() that should be called at the
+// beginning of every function in this class and all subclasses.
+class CommonSocketControl : public nsITLSSocketControl {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSITLSSOCKETCONTROL
+
+ CommonSocketControl(const nsCString& aHostName, int32_t aPort,
+ uint32_t aProviderFlags);
+
+ // Use "errorCode" 0 to indicate success.
+ virtual void SetCertVerificationResult(PRErrorCode errorCode) {
+ MOZ_ASSERT_UNREACHABLE("Subclasses must override this.");
+ }
+
+ const nsACString& GetHostName() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mHostName;
+ }
+ int32_t GetPort() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mPort;
+ }
+ void SetMadeOCSPRequests(bool aMadeOCSPRequests) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mMadeOCSPRequests = aMadeOCSPRequests;
+ }
+ bool GetMadeOCSPRequests() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mMadeOCSPRequests;
+ }
+ void SetUsedPrivateDNS(bool aUsedPrivateDNS) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mUsedPrivateDNS = aUsedPrivateDNS;
+ }
+ bool GetUsedPrivateDNS() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mUsedPrivateDNS;
+ }
+
+ void SetServerCert(const nsCOMPtr<nsIX509Cert>& aServerCert,
+ mozilla::psm::EVStatus aEVStatus);
+ already_AddRefed<nsIX509Cert> GetServerCert() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return do_AddRef(mServerCert);
+ }
+ bool HasServerCert() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mServerCert != nullptr;
+ }
+ void SetStatusErrorBits(const nsCOMPtr<nsIX509Cert>& cert,
+ nsITransportSecurityInfo::OverridableErrorCategory
+ overridableErrorCategory);
+ bool HasUserOverriddenCertificateError() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mOverridableErrorCategory.isSome() &&
+ *mOverridableErrorCategory !=
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET;
+ }
+ void SetSucceededCertChain(nsTArray<nsTArray<uint8_t>>&& certList);
+ void SetFailedCertChain(nsTArray<nsTArray<uint8_t>>&& certList);
+ void SetIsBuiltCertChainRootBuiltInRoot(
+ bool aIsBuiltCertChainRootBuiltInRoot) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mIsBuiltCertChainRootBuiltInRoot = aIsBuiltCertChainRootBuiltInRoot;
+ }
+ void SetCertificateTransparencyStatus(
+ uint16_t aCertificateTransparencyStatus) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mCertificateTransparencyStatus = aCertificateTransparencyStatus;
+ }
+ void SetOriginAttributes(const mozilla::OriginAttributes& aOriginAttributes) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mOriginAttributes = aOriginAttributes;
+ }
+ mozilla::OriginAttributes& GetOriginAttributes() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mOriginAttributes;
+ }
+
+ void SetSecurityState(uint32_t aSecurityState) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mSecurityState = aSecurityState;
+ }
+ void SetResumed(bool aResumed) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mResumed = aResumed;
+ }
+
+ uint32_t GetProviderFlags() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mProviderFlags;
+ }
+ void SetSSLVersionUsed(uint16_t version) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mSSLVersionUsed = version;
+ }
+ void SetSessionCacheInfo(mozilla::net::SessionCacheInfo&& aInfo) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mSessionCacheInfo.reset();
+ mSessionCacheInfo.emplace(std::move(aInfo));
+ }
+ void RebuildCertificateInfoFromSSLTokenCache();
+ void SetCanceled(PRErrorCode errorCode);
+ bool IsCanceled() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mCanceled;
+ }
+ int32_t GetErrorCode();
+
+ protected:
+ virtual ~CommonSocketControl() = default;
+
+ nsCString mHostName;
+ int32_t mPort;
+ mozilla::OriginAttributes mOriginAttributes;
+
+ bool mCanceled;
+ mozilla::Maybe<mozilla::net::SessionCacheInfo> mSessionCacheInfo;
+ bool mHandshakeCompleted;
+ bool mJoined;
+ bool mSentClientCert;
+ bool mFailedVerification;
+ uint16_t mSSLVersionUsed;
+ uint32_t mProviderFlags;
+
+ // Fields used to build a TransportSecurityInfo
+ uint32_t mSecurityState;
+ PRErrorCode mErrorCode;
+ // Peer cert chain for failed connections.
+ nsTArray<RefPtr<nsIX509Cert>> mFailedCertChain;
+ nsCOMPtr<nsIX509Cert> mServerCert;
+ nsTArray<RefPtr<nsIX509Cert>> mSucceededCertChain;
+ mozilla::Maybe<uint16_t> mCipherSuite;
+ mozilla::Maybe<nsCString> mKeaGroupName;
+ mozilla::Maybe<nsCString> mSignatureSchemeName;
+ mozilla::Maybe<uint16_t> mProtocolVersion;
+ uint16_t mCertificateTransparencyStatus;
+ mozilla::Maybe<bool> mIsAcceptedEch;
+ mozilla::Maybe<bool> mIsDelegatedCredential;
+ mozilla::Maybe<nsITransportSecurityInfo::OverridableErrorCategory>
+ mOverridableErrorCategory;
+ bool mMadeOCSPRequests;
+ bool mUsedPrivateDNS;
+ mozilla::Maybe<bool> mIsEV;
+ bool mNPNCompleted;
+ nsCString mNegotiatedNPN;
+ bool mResumed;
+ bool mIsBuiltCertChainRootBuiltInRoot;
+ nsCString mPeerId;
+
+#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED)
+ const PRThread* mOwningThread;
+#endif
+};
+
+#endif // CommonSocketControl_h
diff --git a/security/manager/ssl/ContentSignatureVerifier.cpp b/security/manager/ssl/ContentSignatureVerifier.cpp
new file mode 100644
index 0000000000..bc0a7c5d06
--- /dev/null
+++ b/security/manager/ssl/ContentSignatureVerifier.cpp
@@ -0,0 +1,454 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ContentSignatureVerifier.h"
+
+#include "AppTrustDomain.h"
+#include "CryptoTask.h"
+#include "ScopedNSSTypes.h"
+#include "SharedCertVerifier.h"
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Logging.h"
+#include "mozilla/dom/Promise.h"
+#include "nsCOMPtr.h"
+#include "nsPromiseFlatString.h"
+#include "nsSecurityHeaderParser.h"
+#include "nsWhitespaceTokenizer.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixutil.h"
+#include "secerr.h"
+#include "ssl.h"
+
+NS_IMPL_ISUPPORTS(ContentSignatureVerifier, nsIContentSignatureVerifier)
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::psm;
+using dom::Promise;
+
+static LazyLogModule gCSVerifierPRLog("ContentSignatureVerifier");
+#define CSVerifier_LOG(args) MOZ_LOG(gCSVerifierPRLog, LogLevel::Debug, args)
+
+// Content-Signature prefix
+const unsigned char kPREFIX[] = {'C', 'o', 'n', 't', 'e', 'n', 't',
+ '-', 'S', 'i', 'g', 'n', 'a', 't',
+ 'u', 'r', 'e', ':', 0};
+
+class VerifyContentSignatureTask : public CryptoTask {
+ public:
+ VerifyContentSignatureTask(const nsACString& aData,
+ const nsACString& aCSHeader,
+ const nsACString& aCertChain,
+ const nsACString& aHostname,
+ AppTrustedRoot aTrustedRoot,
+ RefPtr<Promise>& aPromise)
+ : mData(aData),
+ mCSHeader(aCSHeader),
+ mCertChain(aCertChain),
+ mHostname(aHostname),
+ mTrustedRoot(aTrustedRoot),
+ mSignatureVerified(false),
+ mPromise(new nsMainThreadPtrHolder<Promise>(
+ "VerifyContentSignatureTask::mPromise", aPromise)) {}
+
+ private:
+ virtual nsresult CalculateResult() override;
+ virtual void CallCallback(nsresult rv) override;
+
+ nsCString mData;
+ nsCString mCSHeader;
+ nsCString mCertChain;
+ nsCString mHostname;
+ AppTrustedRoot mTrustedRoot;
+ bool mSignatureVerified;
+ nsMainThreadPtrHandle<Promise> mPromise;
+};
+
+NS_IMETHODIMP
+ContentSignatureVerifier::AsyncVerifyContentSignature(
+ const nsACString& aData, const nsACString& aCSHeader,
+ const nsACString& aCertChain, const nsACString& aHostname,
+ AppTrustedRoot aTrustedRoot, JSContext* aCx, Promise** aPromise) {
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
+ if (NS_WARN_IF(!globalObject)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ ErrorResult result;
+ RefPtr<Promise> promise = Promise::Create(globalObject, result);
+ if (NS_WARN_IF(result.Failed())) {
+ return result.StealNSResult();
+ }
+
+ RefPtr<VerifyContentSignatureTask> task(new VerifyContentSignatureTask(
+ aData, aCSHeader, aCertChain, aHostname, aTrustedRoot, promise));
+ nsresult rv = task->Dispatch();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ promise.forget(aPromise);
+ return NS_OK;
+}
+
+static nsresult VerifyContentSignatureInternal(
+ const nsACString& aData, const nsACString& aCSHeader,
+ const nsACString& aCertChain, const nsACString& aHostname,
+ AppTrustedRoot aTrustedRoot,
+ /* out */
+ mozilla::Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS&
+ aErrorLabel,
+ /* out */ nsACString& aCertFingerprint, /* out */ uint32_t& aErrorValue);
+static nsresult ParseContentSignatureHeader(
+ const nsACString& aContentSignatureHeader,
+ /* out */ nsCString& aSignature);
+
+nsresult VerifyContentSignatureTask::CalculateResult() {
+ // 3 is the default, non-specific, "something failed" error.
+ Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS errorLabel =
+ Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err3;
+ nsAutoCString certFingerprint;
+ uint32_t errorValue = 3;
+ nsresult rv = VerifyContentSignatureInternal(
+ mData, mCSHeader, mCertChain, mHostname, mTrustedRoot, errorLabel,
+ certFingerprint, errorValue);
+ if (NS_FAILED(rv)) {
+ CSVerifier_LOG(("CSVerifier: Signature verification failed"));
+ if (certFingerprint.Length() > 0) {
+ Telemetry::AccumulateCategoricalKeyed(certFingerprint, errorLabel);
+ }
+ Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, errorValue);
+ if (rv == NS_ERROR_INVALID_SIGNATURE) {
+ return NS_OK;
+ }
+ return rv;
+ }
+
+ mSignatureVerified = true;
+ Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, 0);
+
+ return NS_OK;
+}
+
+void VerifyContentSignatureTask::CallCallback(nsresult rv) {
+ if (NS_FAILED(rv)) {
+ mPromise->MaybeReject(rv);
+ } else {
+ mPromise->MaybeResolve(mSignatureVerified);
+ }
+}
+
+bool IsNewLine(char16_t c) { return c == '\n' || c == '\r'; }
+
+nsresult ReadChainIntoCertList(const nsACString& aCertChain,
+ nsTArray<nsTArray<uint8_t>>& aCertList) {
+ bool inBlock = false;
+ bool certFound = false;
+
+ const nsCString header = "-----BEGIN CERTIFICATE-----"_ns;
+ const nsCString footer = "-----END CERTIFICATE-----"_ns;
+
+ nsCWhitespaceTokenizerTemplate<IsNewLine> tokenizer(aCertChain);
+
+ nsAutoCString blockData;
+ while (tokenizer.hasMoreTokens()) {
+ nsDependentCSubstring token = tokenizer.nextToken();
+ if (token.IsEmpty()) {
+ continue;
+ }
+ if (inBlock) {
+ if (token.Equals(footer)) {
+ inBlock = false;
+ certFound = true;
+ // base64 decode data, make certs, append to chain
+ nsAutoCString derString;
+ nsresult rv = Base64Decode(blockData, derString);
+ if (NS_FAILED(rv)) {
+ CSVerifier_LOG(("CSVerifier: decoding the signature failed"));
+ return rv;
+ }
+ nsTArray<uint8_t> derBytes(derString.Data(), derString.Length());
+ aCertList.AppendElement(std::move(derBytes));
+ } else {
+ blockData.Append(token);
+ }
+ } else if (token.Equals(header)) {
+ inBlock = true;
+ blockData = "";
+ }
+ }
+ if (inBlock || !certFound) {
+ // the PEM data did not end; bad data.
+ CSVerifier_LOG(("CSVerifier: supplied chain contains bad data"));
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+// Given data to verify, a content signature header value, a string representing
+// a list of PEM-encoded certificates, and a hostname to validate the
+// certificates against, this function attempts to validate the certificate
+// chain, extract the signature from the header, and verify the data using the
+// key in the end-entity certificate from the chain. Returns NS_OK if everything
+// is satisfactory and a failing nsresult otherwise. The output parameters are
+// filled with telemetry data to report in the case of failures.
+static nsresult VerifyContentSignatureInternal(
+ const nsACString& aData, const nsACString& aCSHeader,
+ const nsACString& aCertChain, const nsACString& aHostname,
+ AppTrustedRoot aTrustedRoot,
+ /* out */
+ Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS& aErrorLabel,
+ /* out */ nsACString& aCertFingerprint,
+ /* out */ uint32_t& aErrorValue) {
+ nsTArray<nsTArray<uint8_t>> certList;
+ nsresult rv = ReadChainIntoCertList(aCertChain, certList);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (certList.Length() < 1) {
+ return NS_ERROR_FAILURE;
+ }
+ // The 0th element should be the end-entity that issued the content
+ // signature.
+ nsTArray<uint8_t>& certBytes(certList.ElementAt(0));
+ Input certInput;
+ mozilla::pkix::Result result =
+ certInput.Init(certBytes.Elements(), certBytes.Length());
+ if (result != Success) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // Get EE certificate fingerprint for telemetry.
+ unsigned char fingerprint[SHA256_LENGTH] = {0};
+ SECStatus srv =
+ PK11_HashBuf(SEC_OID_SHA256, fingerprint, certInput.UnsafeGetData(),
+ certInput.GetLength());
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ SECItem fingerprintItem = {siBuffer, fingerprint, SHA256_LENGTH};
+ UniquePORTString tmpFingerprintString(
+ CERT_Hexify(&fingerprintItem, false /* don't use colon delimiters */));
+ if (!tmpFingerprintString) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ aCertFingerprint.Assign(tmpFingerprintString.get());
+
+ nsTArray<Span<const uint8_t>> certSpans;
+ // Collect just the CAs.
+ for (size_t i = 1; i < certList.Length(); i++) {
+ Span<const uint8_t> certSpan(certList.ElementAt(i).Elements(),
+ certList.ElementAt(i).Length());
+ certSpans.AppendElement(std::move(certSpan));
+ }
+ AppTrustDomain trustDomain(std::move(certSpans));
+ rv = trustDomain.SetTrustedRoot(aTrustedRoot);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // Check the signerCert chain is good
+ result = BuildCertChain(
+ trustDomain, certInput, Now(), EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_codeSigning,
+ CertPolicyId::anyPolicy, nullptr /*stapledOCSPResponse*/);
+ if (result != Success) {
+ // if there was a library error, return an appropriate error
+ if (IsFatalError(result)) {
+ return NS_ERROR_FAILURE;
+ }
+ // otherwise, assume the signature was invalid
+ if (result == mozilla::pkix::Result::ERROR_EXPIRED_CERTIFICATE) {
+ aErrorLabel =
+ Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err4;
+ aErrorValue = 4;
+ } else if (result ==
+ mozilla::pkix::Result::ERROR_NOT_YET_VALID_CERTIFICATE) {
+ aErrorLabel =
+ Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err5;
+ aErrorValue = 5;
+ } else {
+ // Building cert chain failed for some other reason.
+ aErrorLabel =
+ Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err6;
+ aErrorValue = 6;
+ }
+ CSVerifier_LOG(("CSVerifier: The supplied chain is bad (%s)",
+ MapResultToName(result)));
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+
+ // Check the SAN
+ Input hostnameInput;
+
+ result = hostnameInput.Init(
+ BitwiseCast<const uint8_t*, const char*>(aHostname.BeginReading()),
+ aHostname.Length());
+ if (result != Success) {
+ return NS_ERROR_FAILURE;
+ }
+
+ result = CheckCertHostname(certInput, hostnameInput);
+ if (result != Success) {
+ // EE cert isnot valid for the given host name.
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err7;
+ aErrorValue = 7;
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+
+ pkix::BackCert backCert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+ result = backCert.Init();
+ // This should never fail, because we've already built a verified certificate
+ // chain with this certificate.
+ if (result != Success) {
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err8;
+ aErrorValue = 8;
+ CSVerifier_LOG(("CSVerifier: couldn't decode certificate to get spki"));
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+ Input spkiInput = backCert.GetSubjectPublicKeyInfo();
+ SECItem spkiItem = {siBuffer, const_cast<uint8_t*>(spkiInput.UnsafeGetData()),
+ spkiInput.GetLength()};
+ UniqueCERTSubjectPublicKeyInfo spki(
+ SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+ if (!spki) {
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err8;
+ aErrorValue = 8;
+ CSVerifier_LOG(("CSVerifier: couldn't decode spki"));
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+ mozilla::UniqueSECKEYPublicKey key(SECKEY_ExtractPublicKey(spki.get()));
+ if (!key) {
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err8;
+ aErrorValue = 8;
+ CSVerifier_LOG(("CSVerifier: unable to extract a key"));
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+
+ nsAutoCString signature;
+ rv = ParseContentSignatureHeader(aCSHeader, signature);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Base 64 decode the signature
+ nsAutoCString rawSignature;
+ rv = Base64Decode(signature, rawSignature);
+ if (NS_FAILED(rv)) {
+ CSVerifier_LOG(("CSVerifier: decoding the signature failed"));
+ return rv;
+ }
+
+ // get signature object
+ ScopedAutoSECItem signatureItem;
+ SECItem rawSignatureItem = {
+ siBuffer,
+ BitwiseCast<unsigned char*, const char*>(rawSignature.get()),
+ uint32_t(rawSignature.Length()),
+ };
+ // We have a raw ecdsa signature r||s so we have to DER-encode it first
+ // Note that we have to check rawSignatureItem->len % 2 here as
+ // DSAU_EncodeDerSigWithLen asserts this
+ if (rawSignatureItem.len == 0 || rawSignatureItem.len % 2 != 0) {
+ CSVerifier_LOG(("CSVerifier: signature length is bad"));
+ return NS_ERROR_FAILURE;
+ }
+ if (DSAU_EncodeDerSigWithLen(&signatureItem, &rawSignatureItem,
+ rawSignatureItem.len) != SECSuccess) {
+ CSVerifier_LOG(("CSVerifier: encoding the signature failed"));
+ return NS_ERROR_FAILURE;
+ }
+
+ // this is the only OID we support for now
+ SECOidTag oid = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE;
+ mozilla::UniqueVFYContext cx(
+ VFY_CreateContext(key.get(), &signatureItem, oid, nullptr));
+ if (!cx) {
+ // Creating context failed.
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err9;
+ aErrorValue = 9;
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+
+ if (VFY_Begin(cx.get()) != SECSuccess) {
+ // Creating context failed.
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err9;
+ aErrorValue = 9;
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+ if (VFY_Update(cx.get(), kPREFIX, sizeof(kPREFIX)) != SECSuccess) {
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err1;
+ aErrorValue = 1;
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+ if (VFY_Update(cx.get(),
+ reinterpret_cast<const unsigned char*>(aData.BeginReading()),
+ aData.Length()) != SECSuccess) {
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err1;
+ aErrorValue = 1;
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+ if (VFY_End(cx.get()) != SECSuccess) {
+ aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err1;
+ aErrorValue = 1;
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+
+ return NS_OK;
+}
+
+static nsresult ParseContentSignatureHeader(
+ const nsACString& aContentSignatureHeader,
+ /* out */ nsCString& aSignature) {
+ // We only support p384 ecdsa.
+ constexpr auto signature_var = "p384ecdsa"_ns;
+
+ aSignature.Truncate();
+
+ const nsCString& flatHeader = PromiseFlatCString(aContentSignatureHeader);
+ nsSecurityHeaderParser parser(flatHeader);
+ nsresult rv = parser.Parse();
+ if (NS_FAILED(rv)) {
+ CSVerifier_LOG(("CSVerifier: could not parse ContentSignature header"));
+ return NS_ERROR_FAILURE;
+ }
+ LinkedList<nsSecurityHeaderDirective>* directives = parser.GetDirectives();
+
+ for (nsSecurityHeaderDirective* directive = directives->getFirst();
+ directive != nullptr; directive = directive->getNext()) {
+ CSVerifier_LOG(
+ ("CSVerifier: found directive '%s'", directive->mName.get()));
+ if (directive->mName.EqualsIgnoreCase(signature_var)) {
+ if (!aSignature.IsEmpty()) {
+ CSVerifier_LOG(("CSVerifier: found two ContentSignatures"));
+ return NS_ERROR_INVALID_SIGNATURE;
+ }
+
+ CSVerifier_LOG(("CSVerifier: found a ContentSignature directive"));
+ aSignature.Assign(directive->mValue);
+ }
+ }
+
+ // we have to ensure that we found a signature at this point
+ if (aSignature.IsEmpty()) {
+ CSVerifier_LOG(
+ ("CSVerifier: got a Content-Signature header but didn't find a "
+ "signature."));
+ return NS_ERROR_FAILURE;
+ }
+
+ // Bug 769521: We have to change b64 url to regular encoding as long as we
+ // don't have a b64 url decoder. This should change soon, but in the meantime
+ // we have to live with this.
+ aSignature.ReplaceChar('-', '+');
+ aSignature.ReplaceChar('_', '/');
+
+ return NS_OK;
+}
diff --git a/security/manager/ssl/ContentSignatureVerifier.h b/security/manager/ssl/ContentSignatureVerifier.h
new file mode 100644
index 0000000000..a10c9fe89c
--- /dev/null
+++ b/security/manager/ssl/ContentSignatureVerifier.h
@@ -0,0 +1,32 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef ContentSignatureVerifier_h
+#define ContentSignatureVerifier_h
+
+#include "nsIContentSignatureVerifier.h"
+#include "nsString.h"
+
+// 45a5fe2f-c350-4b86-962d-02d5aaaa955a
+#define NS_CONTENTSIGNATUREVERIFIER_CID \
+ { \
+ 0x45a5fe2f, 0xc350, 0x4b86, { \
+ 0x96, 0x2d, 0x02, 0xd5, 0xaa, 0xaa, 0x95, 0x5a \
+ } \
+ }
+#define NS_CONTENTSIGNATUREVERIFIER_CONTRACTID \
+ "@mozilla.org/security/contentsignatureverifier;1"
+
+class ContentSignatureVerifier final : public nsIContentSignatureVerifier {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSICONTENTSIGNATUREVERIFIER
+
+ private:
+ ~ContentSignatureVerifier() = default;
+};
+
+#endif // ContentSignatureVerifier_h
diff --git a/security/manager/ssl/CredentialManagerSecret.cpp b/security/manager/ssl/CredentialManagerSecret.cpp
new file mode 100644
index 0000000000..ec25b8731f
--- /dev/null
+++ b/security/manager/ssl/CredentialManagerSecret.cpp
@@ -0,0 +1,103 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "CredentialManagerSecret.h"
+
+#include <windows.h>
+#include <wincred.h>
+
+#include "mozilla/Logging.h"
+#include "mozilla/SyncRunnable.h"
+
+// This is the implementation of CredentialManagerSecretSecret, an instantiation
+// of OSKeyStore for Windows. It uses the system credential manager, hence the
+// name.
+
+using namespace mozilla;
+
+LazyLogModule gCredentialManagerSecretLog("credentialmanagersecret");
+struct ScopedDelete {
+ void operator()(CREDENTIALA* cred) { CredFree(cred); }
+};
+
+template <class T>
+struct ScopedMaybeDelete {
+ void operator()(T* ptr) {
+ if (ptr) {
+ ScopedDelete del;
+ del(ptr);
+ }
+ }
+};
+typedef std::unique_ptr<CREDENTIALA, ScopedMaybeDelete<CREDENTIALA>>
+ ScopedCREDENTIALA;
+
+CredentialManagerSecret::CredentialManagerSecret() {}
+
+CredentialManagerSecret::~CredentialManagerSecret() {}
+
+nsresult CredentialManagerSecret::StoreSecret(const nsACString& aSecret,
+ const nsACString& aLabel) {
+ if (aSecret.Length() > CRED_MAX_CREDENTIAL_BLOB_SIZE) {
+ // Windows doesn't allow blobs larger than CRED_MAX_CREDENTIAL_BLOB_SIZE
+ // bytes.
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("StoreSecret secret must not be larger than 512 bytes (got %zd)",
+ aSecret.Length()));
+ return NS_ERROR_FAILURE;
+ }
+ CREDENTIALA cred = {0};
+ cred.Type = CRED_TYPE_GENERIC;
+ const nsCString& label = PromiseFlatCString(aLabel);
+ cred.TargetName = const_cast<LPSTR>(label.get());
+ cred.CredentialBlobSize = aSecret.Length();
+ const nsCString& secret = PromiseFlatCString(aSecret);
+ cred.CredentialBlob = (LPBYTE)secret.get();
+ cred.Persist = CRED_PERSIST_LOCAL_MACHINE;
+ cred.UserName = const_cast<char*>(""); // -Wwritable-strings
+
+ // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credwritea
+ BOOL ok = CredWriteA(&cred, 0);
+ if (!ok) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("CredWriteW failed %lu", GetLastError()));
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+nsresult CredentialManagerSecret::DeleteSecret(const nsACString& aLabel) {
+ // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-creddeletea
+ const nsCString& label = PromiseFlatCString(aLabel);
+ BOOL ok = CredDeleteA(label.get(), CRED_TYPE_GENERIC, 0);
+ int error = GetLastError();
+ if (!ok && error != ERROR_NOT_FOUND) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("CredDeleteA failed %d", error));
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+nsresult CredentialManagerSecret::RetrieveSecret(
+ const nsACString& aLabel,
+ /* out */ nsACString& aSecret) {
+ aSecret.Truncate();
+ PCREDENTIALA pcred_raw = nullptr;
+ const nsCString& label = PromiseFlatCString(aLabel);
+ // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credreada
+ BOOL ok = CredReadA(label.get(), CRED_TYPE_GENERIC, 0, &pcred_raw);
+ ScopedCREDENTIALA pcred(pcred_raw);
+ if (!ok) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("CredReadA failed %lu", GetLastError()));
+ return NS_ERROR_FAILURE;
+ }
+ MOZ_ASSERT(pcred);
+ aSecret.Assign(reinterpret_cast<const char*>(pcred->CredentialBlob),
+ pcred->CredentialBlobSize);
+ return NS_OK;
+}
diff --git a/security/manager/ssl/CredentialManagerSecret.h b/security/manager/ssl/CredentialManagerSecret.h
new file mode 100644
index 0000000000..7f94493edc
--- /dev/null
+++ b/security/manager/ssl/CredentialManagerSecret.h
@@ -0,0 +1,26 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef CredentialManagerSecret_h
+#define CredentialManagerSecret_h
+
+#include "OSKeyStore.h"
+#include "nsString.h"
+
+class CredentialManagerSecret final : public AbstractOSKeyStore {
+ public:
+ CredentialManagerSecret();
+
+ virtual nsresult RetrieveSecret(const nsACString& label,
+ /* out */ nsACString& secret) override;
+ virtual nsresult StoreSecret(const nsACString& secret,
+ const nsACString& label) override;
+ virtual nsresult DeleteSecret(const nsACString& label) override;
+
+ virtual ~CredentialManagerSecret();
+};
+
+#endif // CredentialManagerSecret_h
diff --git a/security/manager/ssl/CryptoTask.cpp b/security/manager/ssl/CryptoTask.cpp
new file mode 100644
index 0000000000..a466a374f6
--- /dev/null
+++ b/security/manager/ssl/CryptoTask.cpp
@@ -0,0 +1,43 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "CryptoTask.h"
+#include "nsNSSComponent.h"
+#include "nsNetCID.h"
+
+namespace mozilla {
+
+nsresult CryptoTask::Dispatch() {
+ // Ensure that NSS is initialized, since presumably CalculateResult
+ // will use NSS functions
+ if (!EnsureNSSInitializedChromeOrContent()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // The stream transport service (note: not the socket transport service) can
+ // be used to perform background tasks or I/O that would otherwise block the
+ // main thread.
+ nsCOMPtr<nsIEventTarget> target(
+ do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID));
+ if (!target) {
+ return NS_ERROR_FAILURE;
+ }
+ return target->Dispatch(this, NS_DISPATCH_NORMAL);
+}
+
+NS_IMETHODIMP
+CryptoTask::Run() {
+ if (!NS_IsMainThread()) {
+ mRv = CalculateResult();
+ NS_DispatchToMainThread(this);
+ } else {
+ // back on the main thread
+ CallCallback(mRv);
+ }
+ return NS_OK;
+}
+
+} // namespace mozilla
diff --git a/security/manager/ssl/CryptoTask.h b/security/manager/ssl/CryptoTask.h
new file mode 100644
index 0000000000..2cbd082d7a
--- /dev/null
+++ b/security/manager/ssl/CryptoTask.h
@@ -0,0 +1,52 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla__CryptoTask_h
+#define mozilla__CryptoTask_h
+
+#include "mozilla/Attributes.h"
+#include "nsThreadUtils.h"
+
+namespace mozilla {
+
+/**
+ * Frequently we need to run a task on a background thread without blocking
+ * the main thread, and then call a callback on the main thread with the
+ * result. This class provides the framework for that. Subclasses must:
+ *
+ * (1) Override CalculateResult for the off-the-main-thread computation.
+ * (2) Override CallCallback() for the on-the-main-thread call of the
+ * callback.
+ */
+class CryptoTask : public Runnable {
+ public:
+ nsresult Dispatch();
+
+ protected:
+ CryptoTask() : Runnable("CryptoTask"), mRv(NS_ERROR_NOT_INITIALIZED) {}
+
+ virtual ~CryptoTask() = default;
+
+ /**
+ * Called on a background thread (never the main thread). Its result will be
+ * passed to CallCallback on the main thread.
+ */
+ virtual nsresult CalculateResult() = 0;
+
+ /**
+ * Called on the main thread with the result from CalculateResult().
+ */
+ virtual void CallCallback(nsresult rv) = 0;
+
+ private:
+ NS_IMETHOD Run() final;
+
+ nsresult mRv;
+};
+
+} // namespace mozilla
+
+#endif // mozilla__CryptoTask_h
diff --git a/security/manager/ssl/DER.sys.mjs b/security/manager/ssl/DER.sys.mjs
new file mode 100644
index 0000000000..3620cf9f29
--- /dev/null
+++ b/security/manager/ssl/DER.sys.mjs
@@ -0,0 +1,333 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// A minimal ASN.1 DER decoder. Supports input lengths up to 65539 (one byte for
+// the outer tag, one byte for the 0x82 length-length indicator, two bytes
+// indicating a contents length of 65535, and then the 65535 bytes of contents).
+// Intended to be used like so:
+//
+// let bytes = <an array of bytes describing a SEQUENCE OF INTEGER>;
+// let der = new DER.DERDecoder(bytes);
+// let contents = new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE));
+// while (!contents.atEnd()) {
+// let integerBytes = contents.readTagAndGetContents(DER.INTEGER);
+// <... do something with integerBytes ...>
+// }
+// der.assertAtEnd();
+//
+// For CHOICE, use readTLVChoice and pass an array of acceptable tags.
+// The convenience function readBIT_STRING is provided to handle the unused bits
+// aspect of BIT STRING. It returns an object that has the properties contents
+// (an array of bytes consisting of the bytes making up the BIT STRING) and
+// unusedBits (indicating the number of unused bits at the end).
+// All other functions generally return an array of bytes or a single byte as
+// appropriate.
+// peekTag can be used to see if the next tag is an expected given tag.
+// readTLV reads and returns an entire (tag, length, value) tuple (again
+// returned as an array of bytes).
+//
+// NB: While DERDecoder must be given an array, it does not validate that each
+// element in the array is an integer in the range [0, 255]. If the input to be
+// decoded could conceivably violate this property, callers should perform this
+// check before using DERDecoder.
+
+const UNIVERSAL = 0 << 6;
+const CONSTRUCTED = 1 << 5;
+const CONTEXT_SPECIFIC = 2 << 6;
+
+const INTEGER = UNIVERSAL | 0x02; // 0x02
+const BIT_STRING = UNIVERSAL | 0x03; // 0x03
+const NULL = UNIVERSAL | 0x05; // 0x05
+const OBJECT_IDENTIFIER = UNIVERSAL | 0x06; // 0x06
+const PrintableString = UNIVERSAL | 0x13; // 0x13
+const TeletexString = UNIVERSAL | 0x14; // 0x14
+const IA5String = UNIVERSAL | 0x16; // 0x16
+const UTCTime = UNIVERSAL | 0x17; // 0x17
+const GeneralizedTime = UNIVERSAL | 0x18; // 0x18
+const UTF8String = UNIVERSAL | 0x0c; // 0x0c
+const SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10; // 0x30
+const SET = UNIVERSAL | CONSTRUCTED | 0x11; // 0x31
+
+const ERROR_INVALID_INPUT = "invalid input";
+const ERROR_DATA_TRUNCATED = "data truncated";
+const ERROR_EXTRA_DATA = "extra data";
+const ERROR_INVALID_LENGTH = "invalid length";
+const ERROR_UNSUPPORTED_ASN1 = "unsupported asn.1";
+const ERROR_UNSUPPORTED_LENGTH = "unsupported length";
+const ERROR_INVALID_BIT_STRING = "invalid BIT STRING encoding";
+
+/** Class representing a decoded BIT STRING. */
+class BitString {
+ /**
+ * @param {number} unusedBits the number of unused bits
+ * @param {number[]} contents an array of bytes comprising the BIT STRING
+ */
+ constructor(unusedBits, contents) {
+ this._unusedBits = unusedBits;
+ this._contents = contents;
+ }
+
+ /**
+ * Get the number of unused bits in the BIT STRING
+ *
+ * @returns {number} the number of unused bits
+ */
+ get unusedBits() {
+ return this._unusedBits;
+ }
+
+ /**
+ * Get the contents of the BIT STRING
+ *
+ * @returns {number[]} an array of bytes representing the contents
+ */
+ get contents() {
+ return this._contents;
+ }
+}
+
+/** Class representing DER-encoded data. Provides methods for decoding it. */
+class DERDecoder {
+ /**
+ * @param {number[]} bytes an array of bytes representing the encoded data
+ */
+ constructor(bytes) {
+ // Reject non-array inputs.
+ if (!Array.isArray(bytes)) {
+ throw new Error(ERROR_INVALID_INPUT);
+ }
+ if (bytes.length > 65539) {
+ throw new Error(ERROR_UNSUPPORTED_LENGTH);
+ }
+ this._bytes = bytes;
+ this._cursor = 0;
+ }
+
+ /**
+ * Asserts that the decoder is at the end of the given data. Throws an error
+ * if this is not the case.
+ */
+ assertAtEnd() {
+ if (!this.atEnd()) {
+ throw new Error(ERROR_EXTRA_DATA);
+ }
+ }
+
+ /**
+ * Determines whether or not the decoder is at the end of the given data.
+ *
+ * @returns {boolean} true if the decoder is at the end and false otherwise
+ */
+ atEnd() {
+ return this._cursor == this._bytes.length;
+ }
+
+ /**
+ * Reads the next byte of data. Throws if no more data is available.
+ *
+ * @returns {number} the next byte of data
+ */
+ readByte() {
+ if (this._cursor >= this._bytes.length) {
+ throw new Error(ERROR_DATA_TRUNCATED);
+ }
+ let val = this._bytes[this._cursor];
+ this._cursor++;
+ return val;
+ }
+
+ /**
+ * Given the next expected tag, reads and asserts that the next tag is in fact
+ * the given tag.
+ *
+ * @param {number} expectedTag the expected next tag
+ */
+ _readExpectedTag(expectedTag) {
+ let tag = this.readByte();
+ if (tag != expectedTag) {
+ throw new Error(`unexpected tag: found ${tag} instead of ${expectedTag}`);
+ }
+ }
+
+ /**
+ * Decodes and returns the length portion of an ASN.1 TLV tuple. Throws if the
+ * length is incorrectly encoded or if it describes a length greater than
+ * 65535 bytes. Indefinite-length encoding is not supported.
+ *
+ * @returns {number} the length of the value of the TLV tuple
+ */
+ _readLength() {
+ let nextByte = this.readByte();
+ if (nextByte < 0x80) {
+ return nextByte;
+ }
+ if (nextByte == 0x80) {
+ throw new Error(ERROR_UNSUPPORTED_ASN1);
+ }
+ if (nextByte == 0x81) {
+ let length = this.readByte();
+ if (length < 0x80) {
+ throw new Error(ERROR_INVALID_LENGTH);
+ }
+ return length;
+ }
+ if (nextByte == 0x82) {
+ let length1 = this.readByte();
+ let length2 = this.readByte();
+ let length = (length1 << 8) | length2;
+ if (length < 256) {
+ throw new Error(ERROR_INVALID_LENGTH);
+ }
+ return length;
+ }
+ throw new Error(ERROR_UNSUPPORTED_LENGTH);
+ }
+
+ /**
+ * Reads <length> bytes of data if available. Throws if less than <length>
+ * bytes are available.
+ *
+ * @param {number} length the number of bytes to read. Must be non-negative.
+ * @returns {number[]} the next <length> bytes of data
+ */
+ readBytes(length) {
+ if (length < 0) {
+ throw new Error(ERROR_INVALID_LENGTH);
+ }
+ if (this._cursor + length > this._bytes.length) {
+ throw new Error(ERROR_DATA_TRUNCATED);
+ }
+ let bytes = this._bytes.slice(this._cursor, this._cursor + length);
+ this._cursor += length;
+ return bytes;
+ }
+
+ /**
+ * Given an expected next ASN.1 tag, ensures that that tag is next and returns
+ * the contents of that tag. Throws if a different tag is encountered or if
+ * the data is otherwise incorrectly encoded.
+ *
+ * @param {number} tag the next expected ASN.1 tag
+ * @returns {number[]} the contents of the tag
+ */
+ readTagAndGetContents(tag) {
+ this._readExpectedTag(tag);
+ let length = this._readLength();
+ return this.readBytes(length);
+ }
+
+ /**
+ * Returns the next byte without advancing the decoder. Throws if no more data
+ * is available.
+ *
+ * @returns {number} the next available byte
+ */
+ _peekByte() {
+ if (this._cursor >= this._bytes.length) {
+ throw new Error(ERROR_DATA_TRUNCATED);
+ }
+ return this._bytes[this._cursor];
+ }
+
+ /**
+ * Given an expected tag, reads the next entire ASN.1 TLV tuple, asserting
+ * that the tag matches.
+ *
+ * @param {number} tag the expected tag
+ * @returns {number[]} an array of bytes representing the TLV tuple
+ */
+ _readExpectedTLV(tag) {
+ let mark = this._cursor;
+ this._readExpectedTag(tag);
+ let length = this._readLength();
+ // read the bytes so we know they're there (also to advance the cursor)
+ this.readBytes(length);
+ return this._bytes.slice(mark, this._cursor);
+ }
+
+ /**
+ * Reads the next ASN.1 tag, length, and value and returns them as an array of
+ * bytes.
+ *
+ * @returns {number[]} an array of bytes representing the next ASN.1 TLV
+ */
+ readTLV() {
+ let nextTag = this._peekByte();
+ return this._readExpectedTLV(nextTag);
+ }
+
+ /**
+ * Convenience function for decoding a BIT STRING. Reads and returns the
+ * contents of the expected next BIT STRING. Throws if the next TLV isn't a
+ * BIT STRING or if the BIT STRING is incorrectly encoded.
+ *
+ * @returns {BitString} the next BIT STRING
+ */
+ readBIT_STRING() {
+ let contents = this.readTagAndGetContents(BIT_STRING);
+ if (contents.length < 1) {
+ throw new Error(ERROR_INVALID_BIT_STRING);
+ }
+ let unusedBits = contents[0];
+ if (unusedBits > 7) {
+ throw new Error(ERROR_INVALID_BIT_STRING);
+ }
+ // Zero bytes of content but some amount of padding is invalid.
+ if (contents.length == 1 && unusedBits != 0) {
+ throw new Error(ERROR_INVALID_BIT_STRING);
+ }
+ return new BitString(unusedBits, contents.slice(1, contents.length));
+ }
+
+ /**
+ * Looks to see if the next ASN.1 tag is the expected given tag.
+ *
+ * @param {number} tag the expected next ASN.1 tag
+ * @returns {boolean} true if the next tag is the given one and false otherwise
+ */
+ peekTag(tag) {
+ if (this._cursor >= this._bytes.length) {
+ return false;
+ }
+ return this._bytes[this._cursor] == tag;
+ }
+
+ /**
+ * Given a list of possible next ASN.1 tags, returns the next TLV if the next
+ * tag is in the list. Throws if the next tag is not in the list or if the
+ * data is incorrectly encoded.
+ *
+ * @param {number[]} tagList the list of potential next tags
+ * @returns {number[]} the contents of the next TLV if the next tag is in
+ * <tagList>
+ */
+ readTLVChoice(tagList) {
+ let tag = this._peekByte();
+ if (!tagList.includes(tag)) {
+ throw new Error(
+ `unexpected tag: found ${tag} instead of one of ${tagList}`
+ );
+ }
+ return this._readExpectedTLV(tag);
+ }
+}
+
+export const DER = {
+ UNIVERSAL,
+ CONSTRUCTED,
+ CONTEXT_SPECIFIC,
+ INTEGER,
+ BIT_STRING,
+ NULL,
+ OBJECT_IDENTIFIER,
+ PrintableString,
+ TeletexString,
+ IA5String,
+ UTCTime,
+ GeneralizedTime,
+ UTF8String,
+ SEQUENCE,
+ SET,
+ DERDecoder,
+};
diff --git a/security/manager/ssl/DataStorageManager.cpp b/security/manager/ssl/DataStorageManager.cpp
new file mode 100644
index 0000000000..a1d6daa7f8
--- /dev/null
+++ b/security/manager/ssl/DataStorageManager.cpp
@@ -0,0 +1,68 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "DataStorageManager.h"
+#include "MainThreadUtils.h"
+#include "nsIMemoryReporter.h"
+#include "nsString.h"
+
+using VoidPtrToSizeFn = uintptr_t (*)(const void* ptr);
+
+extern "C" nsresult make_data_storage(const nsAString* basename,
+ size_t valueLength,
+ VoidPtrToSizeFn sizeOfOp,
+ VoidPtrToSizeFn enclosingSizeOfOp,
+ nsIDataStorage** result);
+
+MOZ_DEFINE_MALLOC_SIZE_OF(DataStorageMallocSizeOf)
+MOZ_DEFINE_MALLOC_ENCLOSING_SIZE_OF(DataStorageMallocEnclosingSizeOf)
+
+namespace mozilla {
+
+NS_IMPL_ISUPPORTS(DataStorageManager, nsIDataStorageManager)
+
+NS_IMETHODIMP
+DataStorageManager::Get(nsIDataStorageManager::DataStorage aDataStorage,
+ nsIDataStorage** aResult) {
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ nsAutoString filename;
+ size_t valueLength = 1024;
+ switch (aDataStorage) {
+ case nsIDataStorageManager::AlternateServices:
+ if (mAlternateServicesCreated) {
+ return NS_ERROR_ALREADY_INITIALIZED;
+ }
+ mAlternateServicesCreated = true;
+ filename.Assign(u"AlternateServices"_ns);
+ break;
+ case nsIDataStorageManager::ClientAuthRememberList:
+ if (mClientAuthRememberListCreated) {
+ return NS_ERROR_ALREADY_INITIALIZED;
+ }
+ mClientAuthRememberListCreated = true;
+ filename.Assign(u"ClientAuthRememberList"_ns);
+ break;
+ case nsIDataStorageManager::SiteSecurityServiceState:
+ if (mSiteSecurityServiceStateCreated) {
+ return NS_ERROR_ALREADY_INITIALIZED;
+ }
+ mSiteSecurityServiceStateCreated = true;
+ filename.Assign(u"SiteSecurityServiceState"_ns);
+ // For most nsIDataStorage use cases, values can be quite long (1024
+ // bytes by default). For HSTS, much less information is stored, so save
+ // space by limiting values to 24 bytes.
+ valueLength = 24;
+ break;
+ default:
+ return NS_ERROR_INVALID_ARG;
+ }
+ return make_data_storage(&filename, valueLength, &DataStorageMallocSizeOf,
+ &DataStorageMallocEnclosingSizeOf, aResult);
+}
+
+} // namespace mozilla
diff --git a/security/manager/ssl/DataStorageManager.h b/security/manager/ssl/DataStorageManager.h
new file mode 100644
index 0000000000..3475b4d1dd
--- /dev/null
+++ b/security/manager/ssl/DataStorageManager.h
@@ -0,0 +1,29 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_DataStorageManager_h
+#define mozilla_DataStorageManager_h
+
+#include "nsIDataStorage.h"
+
+namespace mozilla {
+
+class DataStorageManager final : public nsIDataStorageManager {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIDATASTORAGEMANAGER
+
+ private:
+ ~DataStorageManager() = default;
+
+ bool mAlternateServicesCreated = false;
+ bool mClientAuthRememberListCreated = false;
+ bool mSiteSecurityServiceStateCreated = false;
+};
+
+} // namespace mozilla
+
+#endif // mozilla_DataStorageManager_h
diff --git a/security/manager/ssl/EnterpriseRoots.cpp b/security/manager/ssl/EnterpriseRoots.cpp
new file mode 100644
index 0000000000..7fd9126ec7
--- /dev/null
+++ b/security/manager/ssl/EnterpriseRoots.cpp
@@ -0,0 +1,514 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "EnterpriseRoots.h"
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Unused.h"
+#include "mozpkix/Result.h"
+#include "nsCRT.h"
+#include "nsNSSCertHelper.h"
+#include "nsThreadUtils.h"
+
+#ifdef MOZ_WIDGET_ANDROID
+# include "mozilla/java/EnterpriseRootsWrappers.h"
+#endif // MOZ_WIDGET_ANDROID
+
+#ifdef XP_MACOSX
+# include <Security/Security.h>
+# include "KeychainSecret.h"
+#endif
+
+#ifdef XP_WIN
+# include <windows.h>
+# include <wincrypt.h>
+#endif // XP_WIN
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+using namespace mozilla;
+
+void EnterpriseCert::CopyBytes(nsTArray<uint8_t>& dest) const {
+ dest.Assign(mDER);
+}
+
+pkix::Result EnterpriseCert::GetInput(pkix::Input& input) const {
+ return input.Init(mDER.Elements(), mDER.Length());
+}
+
+bool EnterpriseCert::GetIsRoot() const { return mIsRoot; }
+
+bool EnterpriseCert::IsKnownRoot(UniqueSECMODModule& rootsModule) {
+ if (!rootsModule) {
+ return false;
+ }
+
+ SECItem certItem = {siBuffer, mDER.Elements(),
+ static_cast<unsigned int>(mDER.Length())};
+ AutoSECMODListReadLock lock;
+ for (int i = 0; i < rootsModule->slotCount; i++) {
+ PK11SlotInfo* slot = rootsModule->slots[i];
+ if (PK11_FindEncodedCertInSlot(slot, &certItem, nullptr) !=
+ CK_INVALID_HANDLE) {
+ return true;
+ }
+ }
+ return false;
+}
+
+#ifdef XP_WIN
+struct CertStoreLocation {
+ const wchar_t* mName;
+ const bool mIsRoot;
+
+ CertStoreLocation(const wchar_t* name, bool isRoot)
+ : mName(name), mIsRoot(isRoot) {}
+};
+
+// The documentation doesn't make this clear, but the certificate location
+// identified by "ROOT" contains trusted root certificates. The certificate
+// location identified by "CA" contains intermediate certificates.
+const CertStoreLocation kCertStoreLocations[] = {
+ CertStoreLocation(L"ROOT", true), CertStoreLocation(L"CA", false)};
+
+// Because HCERTSTORE is just a typedef void*, we can't use any of the nice
+// scoped or unique pointer templates. To elaborate, any attempt would
+// instantiate those templates with T = void. When T gets used in the context
+// of T&, this results in void&, which isn't legal.
+class ScopedCertStore final {
+ public:
+ explicit ScopedCertStore(HCERTSTORE certstore) : certstore(certstore) {}
+
+ ~ScopedCertStore() { CertCloseStore(certstore, 0); }
+
+ HCERTSTORE get() { return certstore; }
+
+ private:
+ ScopedCertStore(const ScopedCertStore&) = delete;
+ ScopedCertStore& operator=(const ScopedCertStore&) = delete;
+ HCERTSTORE certstore;
+};
+
+// To determine if a certificate would be useful when verifying a server
+// certificate for TLS server auth, Windows provides the function
+// `CertGetEnhancedKeyUsage`, which combines the extended key usage extension
+// with something called "enhanced key usage", which appears to be a Microsoft
+// concept.
+static bool CertCanBeUsedForTLSServerAuth(PCCERT_CONTEXT certificate) {
+ DWORD usageSize = 0;
+ if (!CertGetEnhancedKeyUsage(certificate, 0, NULL, &usageSize)) {
+ return false;
+ }
+ nsTArray<uint8_t> usageBytes;
+ usageBytes.SetLength(usageSize);
+ PCERT_ENHKEY_USAGE usage(
+ reinterpret_cast<PCERT_ENHKEY_USAGE>(usageBytes.Elements()));
+ if (!CertGetEnhancedKeyUsage(certificate, 0, usage, &usageSize)) {
+ return false;
+ }
+ // https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetenhancedkeyusage:
+ // "If the cUsageIdentifier member is zero, the certificate might be valid
+ // for all uses or the certificate might have no valid uses. The return from
+ // a call to GetLastError can be used to determine whether the certificate is
+ // good for all uses or for none. If GetLastError returns CRYPT_E_NOT_FOUND,
+ // the certificate is good for all uses. If it returns zero, the certificate
+ // has no valid uses."
+ if (usage->cUsageIdentifier == 0) {
+ return GetLastError() == static_cast<DWORD>(CRYPT_E_NOT_FOUND);
+ }
+ for (DWORD i = 0; i < usage->cUsageIdentifier; i++) {
+ if (!nsCRT::strcmp(usage->rgpszUsageIdentifier[i],
+ szOID_PKIX_KP_SERVER_AUTH) ||
+ !nsCRT::strcmp(usage->rgpszUsageIdentifier[i],
+ szOID_ANY_ENHANCED_KEY_USAGE)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+// Loads the enterprise roots at the registry location corresponding to the
+// given location flag.
+// Supported flags are:
+// CERT_SYSTEM_STORE_LOCAL_MACHINE
+// (for HKLM\SOFTWARE\Microsoft\SystemCertificates)
+// CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
+// (for HKLM\SOFTWARE\Policy\Microsoft\SystemCertificates)
+// CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
+// (for HKLM\SOFTWARE\Microsoft\EnterpriseCertificates)
+// CERT_SYSTEM_STORE_CURRENT_USER
+// (for HKCU\SOFTWARE\Microsoft\SystemCertificates)
+// CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY
+// (for HKCU\SOFTWARE\Policy\Microsoft\SystemCertificates)
+static void GatherEnterpriseCertsForLocation(DWORD locationFlag,
+ nsTArray<EnterpriseCert>& certs,
+ UniqueSECMODModule& rootsModule) {
+ MOZ_ASSERT(locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE ||
+ locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY ||
+ locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE ||
+ locationFlag == CERT_SYSTEM_STORE_CURRENT_USER ||
+ locationFlag == CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
+ "unexpected locationFlag for GatherEnterpriseRootsForLocation");
+ if (!(locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE ||
+ locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY ||
+ locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE ||
+ locationFlag == CERT_SYSTEM_STORE_CURRENT_USER ||
+ locationFlag == CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY)) {
+ return;
+ }
+
+ DWORD flags =
+ locationFlag | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG;
+ // The certificate store being opened should consist only of certificates
+ // added by a user or administrator and not any certificates that are part
+ // of Microsoft's root store program.
+ // The 3rd parameter to CertOpenStore should be NULL according to
+ // https://msdn.microsoft.com/en-us/library/windows/desktop/aa376559%28v=vs.85%29.aspx
+ for (const auto& location : kCertStoreLocations) {
+ ScopedCertStore certStore(CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_W,
+ 0, NULL, flags, location.mName));
+ if (!certStore.get()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("failed to open certificate store"));
+ continue;
+ }
+ PCCERT_CONTEXT certificate = nullptr;
+ uint32_t numImported = 0;
+ while ((certificate = CertFindCertificateInStore(
+ certStore.get(), X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr,
+ certificate))) {
+ if (!CertCanBeUsedForTLSServerAuth(certificate)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("skipping cert not relevant for TLS server auth"));
+ continue;
+ }
+ EnterpriseCert enterpriseCert(certificate->pbCertEncoded,
+ certificate->cbCertEncoded,
+ location.mIsRoot);
+ if (!enterpriseCert.IsKnownRoot(rootsModule)) {
+ certs.AppendElement(std::move(enterpriseCert));
+ numImported++;
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping known root cert"));
+ }
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("imported %u certs from %S", numImported, location.mName));
+ }
+}
+
+static void GatherEnterpriseCertsWindows(nsTArray<EnterpriseCert>& certs,
+ UniqueSECMODModule& rootsModule) {
+ GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_LOCAL_MACHINE, certs,
+ rootsModule);
+ GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY,
+ certs, rootsModule);
+ GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
+ certs, rootsModule);
+ GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_CURRENT_USER, certs,
+ rootsModule);
+ GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
+ certs, rootsModule);
+}
+#endif // XP_WIN
+
+#ifdef XP_MACOSX
+enum class CertificateTrustResult {
+ CanUseAsIntermediate,
+ CanUseAsTrustAnchor,
+ DoNotUse,
+};
+
+ScopedCFType<CFArrayRef> GetCertificateTrustSettingsInDomain(
+ const SecCertificateRef certificate, SecTrustSettingsDomain domain) {
+ CFArrayRef trustSettingsRaw;
+ OSStatus rv =
+ SecTrustSettingsCopyTrustSettings(certificate, domain, &trustSettingsRaw);
+ if (rv != errSecSuccess || !trustSettingsRaw) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" SecTrustSettingsCopyTrustSettings failed (or not found) for "
+ "domain %" PRIu32,
+ domain));
+ return nullptr;
+ }
+ ScopedCFType<CFArrayRef> trustSettings(trustSettingsRaw);
+ return trustSettings;
+}
+
+// This function processes trust settings returned by
+// SecTrustSettingsCopyTrustSettings. See the documentation at
+// https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting
+// `trustSettings` is an array of CFDictionaryRef. Each dictionary may impose
+// a constraint.
+CertificateTrustResult ProcessCertificateTrustSettings(
+ ScopedCFType<CFArrayRef>& trustSettings) {
+ // If the array is empty, the certificate is a trust anchor.
+ const CFIndex numTrustDictionaries = CFArrayGetCount(trustSettings.get());
+ if (numTrustDictionaries == 0) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" empty trust settings -> trust anchor"));
+ return CertificateTrustResult::CanUseAsTrustAnchor;
+ }
+ CertificateTrustResult currentTrustSettings =
+ CertificateTrustResult::CanUseAsIntermediate;
+ for (CFIndex i = 0; i < numTrustDictionaries; i++) {
+ CFDictionaryRef trustDictionary = reinterpret_cast<CFDictionaryRef>(
+ CFArrayGetValueAtIndex(trustSettings.get(), i));
+ // kSecTrustSettingsApplication specifies an external application that
+ // determines the certificate's trust settings.
+ // kSecTrustSettingsPolicyString appears to be a mechanism like name
+ // constraints.
+ // These are not supported, so conservatively assume this certificate is
+ // distrusted if either are present.
+ if (CFDictionaryContainsKey(trustDictionary,
+ kSecTrustSettingsApplication) ||
+ CFDictionaryContainsKey(trustDictionary,
+ kSecTrustSettingsPolicyString)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" found unsupported policy -> assuming distrusted"));
+ return CertificateTrustResult::DoNotUse;
+ }
+
+ // kSecTrustSettingsKeyUsage seems to be essentially the equivalent of the
+ // x509 keyUsage extension. For parity, we allow
+ // kSecTrustSettingsKeyUseSignature, kSecTrustSettingsKeyUseSignCert, and
+ // kSecTrustSettingsKeyUseAny.
+ if (CFDictionaryContainsKey(trustDictionary, kSecTrustSettingsKeyUsage)) {
+ CFNumberRef keyUsage = (CFNumberRef)CFDictionaryGetValue(
+ trustDictionary, kSecTrustSettingsKeyUsage);
+ int32_t keyUsageValue;
+ if (!keyUsage ||
+ CFNumberGetValue(keyUsage, kCFNumberSInt32Type, &keyUsageValue) ||
+ keyUsageValue < 0) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" no trust settings key usage or couldn't get value"));
+ return CertificateTrustResult::DoNotUse;
+ }
+ switch ((uint64_t)keyUsageValue) {
+ case kSecTrustSettingsKeyUseSignature: // fall-through
+ case kSecTrustSettingsKeyUseSignCert: // fall-through
+ case kSecTrustSettingsKeyUseAny:
+ break;
+ default:
+ return CertificateTrustResult::DoNotUse;
+ }
+ }
+
+ // If there is a specific policy, ensure that it's for the
+ // 'kSecPolicyAppleSSL' policy, which is the TLS server auth policy (i.e.
+ // x509 + domain name checking).
+ if (CFDictionaryContainsKey(trustDictionary, kSecTrustSettingsPolicy)) {
+ SecPolicyRef policy = (SecPolicyRef)CFDictionaryGetValue(
+ trustDictionary, kSecTrustSettingsPolicy);
+ if (!policy) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" kSecTrustSettingsPolicy present, but null?"));
+ continue;
+ }
+ ScopedCFType<CFDictionaryRef> policyProperties(
+ SecPolicyCopyProperties(policy));
+ CFStringRef policyOid = (CFStringRef)CFDictionaryGetValue(
+ policyProperties.get(), kSecPolicyOid);
+ if (!CFEqual(policyOid, kSecPolicyAppleSSL)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" policy doesn't match"));
+ continue;
+ }
+ }
+
+ // By default, the trust setting result value is
+ // kSecTrustSettingsResultTrustRoot.
+ int32_t trustSettingsValue = kSecTrustSettingsResultTrustRoot;
+ if (CFDictionaryContainsKey(trustDictionary, kSecTrustSettingsResult)) {
+ CFNumberRef trustSetting = (CFNumberRef)CFDictionaryGetValue(
+ trustDictionary, kSecTrustSettingsResult);
+ if (!trustSetting || !CFNumberGetValue(trustSetting, kCFNumberSInt32Type,
+ &trustSettingsValue)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" no trust settings result or couldn't get value"));
+ continue;
+ }
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" trust setting: %d", trustSettingsValue));
+ if (trustSettingsValue == kSecTrustSettingsResultDeny) {
+ return CertificateTrustResult::DoNotUse;
+ }
+ if (trustSettingsValue == kSecTrustSettingsResultTrustRoot ||
+ trustSettingsValue == kSecTrustSettingsResultTrustAsRoot) {
+ currentTrustSettings = CertificateTrustResult::CanUseAsTrustAnchor;
+ }
+ }
+ return currentTrustSettings;
+}
+
+CertificateTrustResult GetCertificateTrustResult(
+ const SecCertificateRef certificate) {
+ ScopedCFType<CFStringRef> subject(
+ SecCertificateCopySubjectSummary(certificate));
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("determining trust for '%s'",
+ CFStringGetCStringPtr(subject.get(), kCFStringEncodingUTF8)));
+ // There are three trust settings domains: kSecTrustSettingsDomainUser,
+ // kSecTrustSettingsDomainAdmin, and kSecTrustSettingsDomainSystem. User
+ // overrides admin and admin overrides system. However, if the given
+ // certificate has trust settings in the system domain, it shipped with the
+ // OS, so we don't want to use it.
+ ScopedCFType<CFArrayRef> systemTrustSettings(
+ GetCertificateTrustSettingsInDomain(certificate,
+ kSecTrustSettingsDomainSystem));
+ if (systemTrustSettings) {
+ return CertificateTrustResult::DoNotUse;
+ }
+
+ // At this point, if there is no trust information regarding this
+ // certificate, it can be used as an intermediate.
+ CertificateTrustResult certificateTrustResult =
+ CertificateTrustResult::CanUseAsIntermediate;
+
+ // Process trust information in the user domain, if any.
+ ScopedCFType<CFArrayRef> userTrustSettings(
+ GetCertificateTrustSettingsInDomain(certificate,
+ kSecTrustSettingsDomainUser));
+ if (userTrustSettings) {
+ certificateTrustResult = ProcessCertificateTrustSettings(userTrustSettings);
+ // If there is definite information one way or another (either indicating
+ // this is a trusted root or a distrusted certificate), use that
+ // information.
+ if (certificateTrustResult !=
+ CertificateTrustResult::CanUseAsIntermediate) {
+ return certificateTrustResult;
+ }
+ }
+
+ // Process trust information in the admin domain, if any.
+ ScopedCFType<CFArrayRef> adminTrustSettings(
+ GetCertificateTrustSettingsInDomain(certificate,
+ kSecTrustSettingsDomainAdmin));
+ if (adminTrustSettings) {
+ certificateTrustResult =
+ ProcessCertificateTrustSettings(adminTrustSettings);
+ }
+
+ // Use whatever result we ended up with.
+ return certificateTrustResult;
+}
+
+OSStatus GatherEnterpriseCertsMacOS(nsTArray<EnterpriseCert>& certs,
+ UniqueSECMODModule& rootsModule) {
+ // The following builds a search dictionary corresponding to:
+ // { class: "certificate",
+ // match limit: "match all" }
+ // This operates on items that have been added to the keychain and thus gives
+ // us all 3rd party certificates. Unfortunately, if a root that shipped with
+ // the OS has had its trust settings changed, it can also be returned from
+ // this query. Further work (below) filters such certificates out.
+ const CFStringRef keys[] = {kSecClass, kSecMatchLimit};
+ const void* values[] = {kSecClassCertificate, kSecMatchLimitAll};
+ static_assert(ArrayLength(keys) == ArrayLength(values),
+ "mismatched SecItemCopyMatching key/value array sizes");
+ // https://developer.apple.com/documentation/corefoundation/1516782-cfdictionarycreate
+ ScopedCFType<CFDictionaryRef> searchDictionary(CFDictionaryCreate(
+ nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys),
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
+ CFTypeRef items;
+ // https://developer.apple.com/documentation/security/1398306-secitemcopymatching
+ OSStatus rv = SecItemCopyMatching(searchDictionary.get(), &items);
+ if (rv != errSecSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("SecItemCopyMatching failed"));
+ return rv;
+ }
+ // If given a match limit greater than 1 (which we did), SecItemCopyMatching
+ // returns a CFArrayRef.
+ ScopedCFType<CFArrayRef> arr(reinterpret_cast<CFArrayRef>(items));
+ CFIndex count = CFArrayGetCount(arr.get());
+ uint32_t numImported = 0;
+ for (CFIndex i = 0; i < count; i++) {
+ // Because we asked for certificates, each CFTypeRef in the array is really
+ // a SecCertificateRef.
+ const SecCertificateRef certificate =
+ (const SecCertificateRef)CFArrayGetValueAtIndex(arr.get(), i);
+ CertificateTrustResult certificateTrustResult =
+ GetCertificateTrustResult(certificate);
+ if (certificateTrustResult == CertificateTrustResult::DoNotUse) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping distrusted cert"));
+ continue;
+ }
+ ScopedCFType<CFDataRef> der(SecCertificateCopyData(certificate));
+ if (!der) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("couldn't get bytes of certificate?"));
+ continue;
+ }
+ bool isRoot =
+ certificateTrustResult == CertificateTrustResult::CanUseAsTrustAnchor;
+ EnterpriseCert enterpriseCert(CFDataGetBytePtr(der.get()),
+ CFDataGetLength(der.get()), isRoot);
+ if (!enterpriseCert.IsKnownRoot(rootsModule)) {
+ certs.AppendElement(std::move(enterpriseCert));
+ numImported++;
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("importing as %s", isRoot ? "root" : "intermediate"));
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping known root cert"));
+ }
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("imported %u certs", numImported));
+ return errSecSuccess;
+}
+#endif // XP_MACOSX
+
+#ifdef MOZ_WIDGET_ANDROID
+void GatherEnterpriseCertsAndroid(nsTArray<EnterpriseCert>& certs,
+ UniqueSECMODModule& rootsModule) {
+ if (!jni::IsAvailable()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("JNI not available"));
+ return;
+ }
+ jni::ObjectArray::LocalRef roots =
+ java::EnterpriseRoots::GatherEnterpriseRoots();
+ uint32_t numImported = 0;
+ for (size_t i = 0; i < roots->Length(); i++) {
+ jni::ByteArray::LocalRef root = roots->GetElement(i);
+ // Currently we treat all certificates gleaned from the Android
+ // CA store as roots.
+ EnterpriseCert enterpriseCert(
+ reinterpret_cast<uint8_t*>(root->GetElements().Elements()),
+ root->Length(), true);
+ if (!enterpriseCert.IsKnownRoot(rootsModule)) {
+ certs.AppendElement(std::move(enterpriseCert));
+ numImported++;
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping known root cert"));
+ }
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("imported %u certs", numImported));
+}
+#endif // MOZ_WIDGET_ANDROID
+
+nsresult GatherEnterpriseCerts(nsTArray<EnterpriseCert>& certs) {
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ certs.Clear();
+ UniqueSECMODModule rootsModule(SECMOD_FindModule(kRootModuleName));
+#ifdef XP_WIN
+ GatherEnterpriseCertsWindows(certs, rootsModule);
+#endif // XP_WIN
+#ifdef XP_MACOSX
+ OSStatus rv = GatherEnterpriseCertsMacOS(certs, rootsModule);
+ if (rv != errSecSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+#endif // XP_MACOSX
+#ifdef MOZ_WIDGET_ANDROID
+ GatherEnterpriseCertsAndroid(certs, rootsModule);
+#endif // MOZ_WIDGET_ANDROID
+ return NS_OK;
+}
diff --git a/security/manager/ssl/EnterpriseRoots.h b/security/manager/ssl/EnterpriseRoots.h
new file mode 100644
index 0000000000..25567d4511
--- /dev/null
+++ b/security/manager/ssl/EnterpriseRoots.h
@@ -0,0 +1,38 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef EnterpriseRoots_h
+#define EnterpriseRoots_h
+
+#include "ScopedNSSTypes.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
+#include "nsTArray.h"
+
+class EnterpriseCert {
+ public:
+ EnterpriseCert(const uint8_t* data, size_t len, bool isRoot)
+ : mDER(data, len), mIsRoot(isRoot) {}
+ EnterpriseCert(const EnterpriseCert& other)
+ : mDER(other.mDER.Clone()), mIsRoot(other.mIsRoot) {}
+ EnterpriseCert(EnterpriseCert&& other)
+ : mDER(std::move(other.mDER)), mIsRoot(other.mIsRoot) {}
+
+ void CopyBytes(nsTArray<uint8_t>& dest) const;
+ mozilla::pkix::Result GetInput(mozilla::pkix::Input& input) const;
+ bool GetIsRoot() const;
+ // Is this certificate a known, built-in root?
+ bool IsKnownRoot(mozilla::UniqueSECMODModule& rootsModule);
+
+ private:
+ nsTArray<uint8_t> mDER;
+ bool mIsRoot;
+};
+
+// This may block and must not be called from the main thread.
+nsresult GatherEnterpriseCerts(nsTArray<EnterpriseCert>& certs);
+
+#endif // EnterpriseRoots_h
diff --git a/security/manager/ssl/IPCClientCertsChild.cpp b/security/manager/ssl/IPCClientCertsChild.cpp
new file mode 100644
index 0000000000..bea0e27dff
--- /dev/null
+++ b/security/manager/ssl/IPCClientCertsChild.cpp
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "IPCClientCertsChild.h"
+
+#include "mozilla/ipc/BackgroundChild.h"
+#include "mozilla/ipc/PBackgroundChild.h"
+
+namespace mozilla::psm {
+
+IPCClientCertsChild::IPCClientCertsChild() = default;
+
+} // namespace mozilla::psm
diff --git a/security/manager/ssl/IPCClientCertsChild.h b/security/manager/ssl/IPCClientCertsChild.h
new file mode 100644
index 0000000000..17020fce2e
--- /dev/null
+++ b/security/manager/ssl/IPCClientCertsChild.h
@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm_IPCClientCertsChild_h__
+#define mozilla_psm_IPCClientCertsChild_h__
+
+#include "mozilla/psm/PIPCClientCertsChild.h"
+
+namespace mozilla {
+
+namespace ipc {
+class BackgroundChildImpl;
+} // namespace ipc
+
+namespace psm {
+
+class IPCClientCertsChild final : public PIPCClientCertsChild {
+ friend class mozilla::ipc::BackgroundChildImpl;
+
+ public:
+ IPCClientCertsChild();
+
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCClientCertsChild);
+
+ private:
+ ~IPCClientCertsChild() = default;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif
diff --git a/security/manager/ssl/IPCClientCertsParent.cpp b/security/manager/ssl/IPCClientCertsParent.cpp
new file mode 100644
index 0000000000..3b726df979
--- /dev/null
+++ b/security/manager/ssl/IPCClientCertsParent.cpp
@@ -0,0 +1,130 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "IPCClientCertsParent.h"
+#include "ScopedNSSTypes.h"
+#include "nsNetCID.h"
+#include "nsNSSComponent.h"
+#include "nsNSSIOLayer.h"
+
+#include "mozilla/SyncRunnable.h"
+
+namespace mozilla::psm {
+
+IPCClientCertsParent::IPCClientCertsParent() = default;
+
+// When the IPC client certs module needs to find certificate and key objects
+// in the socket process, it will cause this function to be called in the
+// parent process. The parent process needs to find all certificates with
+// private keys (because these are potential client certificates).
+mozilla::ipc::IPCResult IPCClientCertsParent::RecvFindObjects(
+ nsTArray<IPCClientCertObject>* aObjects) {
+ nsCOMPtr<nsIEventTarget> socketThread(
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
+ if (!socketThread) {
+ return IPC_OK();
+ }
+ // Look for client certificates on the socket thread.
+ UniqueCERTCertList certList;
+ mozilla::SyncRunnable::DispatchToThread(
+ socketThread, NS_NewRunnableFunction(
+ "IPCClientCertsParent::RecvFindObjects", [&certList]() {
+ certList =
+ psm::FindClientCertificatesWithPrivateKeys();
+ }));
+ if (!certList) {
+ return IPC_OK();
+ }
+ CERTCertListNode* n = CERT_LIST_HEAD(certList);
+ while (!CERT_LIST_END(n, certList)) {
+ nsTArray<uint8_t> certDER(n->cert->derCert.data, n->cert->derCert.len);
+ uint32_t slotType;
+ UniqueSECKEYPublicKey pubkey(CERT_ExtractPublicKey(n->cert));
+ if (!pubkey) {
+ return IPC_OK();
+ }
+ switch (SECKEY_GetPublicKeyType(pubkey.get())) {
+ case rsaKey:
+ case rsaPssKey: {
+ slotType = PK11_DoesMechanism(n->cert->slot, CKM_RSA_PKCS_PSS)
+ ? kIPCClientCertsSlotTypeModern
+ : kIPCClientCertsSlotTypeLegacy;
+ nsTArray<uint8_t> modulus(pubkey->u.rsa.modulus.data,
+ pubkey->u.rsa.modulus.len);
+ RSAKey rsakey(modulus, certDER, slotType);
+ aObjects->AppendElement(std::move(rsakey));
+ break;
+ }
+ case ecKey: {
+ slotType = kIPCClientCertsSlotTypeModern;
+ nsTArray<uint8_t> params(pubkey->u.ec.DEREncodedParams.data,
+ pubkey->u.ec.DEREncodedParams.len);
+ ECKey eckey(params, certDER, slotType);
+ aObjects->AppendElement(std::move(eckey));
+ break;
+ }
+ default:
+ n = CERT_LIST_NEXT(n);
+ continue;
+ }
+ Certificate cert(certDER, slotType);
+ aObjects->AppendElement(std::move(cert));
+
+ n = CERT_LIST_NEXT(n);
+ }
+ return IPC_OK();
+}
+
+// When the IPC client certs module needs to sign data using a key managed by
+// the parent process, it will cause this function to be called in the parent
+// process. The parent process needs to find the key corresponding to the
+// given certificate and sign the given data with the given parameters.
+mozilla::ipc::IPCResult IPCClientCertsParent::RecvSign(ByteArray aCert,
+ ByteArray aData,
+ ByteArray aParams,
+ ByteArray* aSignature) {
+ SECItem certItem = {siBuffer, const_cast<uint8_t*>(aCert.data().Elements()),
+ static_cast<unsigned int>(aCert.data().Length())};
+ aSignature->data().Clear();
+
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &certItem, nullptr, false, true));
+ if (!cert) {
+ return IPC_OK();
+ }
+ UniqueSECKEYPrivateKey key(PK11_FindKeyByAnyCert(cert.get(), nullptr));
+ if (!key) {
+ return IPC_OK();
+ }
+ SECItem params = {siBuffer, aParams.data().Elements(),
+ static_cast<unsigned int>(aParams.data().Length())};
+ SECItem* paramsPtr = aParams.data().Length() > 0 ? &params : nullptr;
+ CK_MECHANISM_TYPE mechanism;
+ switch (key->keyType) {
+ case ecKey:
+ mechanism = CKM_ECDSA;
+ break;
+ case rsaKey:
+ mechanism = aParams.data().Length() > 0 ? CKM_RSA_PKCS_PSS : CKM_RSA_PKCS;
+ break;
+ default:
+ return IPC_OK();
+ }
+ uint32_t len = PK11_SignatureLen(key.get());
+ UniqueSECItem sig(::SECITEM_AllocItem(nullptr, nullptr, len));
+ SECItem hash = {siBuffer, aData.data().Elements(),
+ static_cast<unsigned int>(aData.data().Length())};
+ SECStatus srv =
+ PK11_SignWithMechanism(key.get(), mechanism, paramsPtr, sig.get(), &hash);
+ if (srv != SECSuccess) {
+ return IPC_OK();
+ }
+ aSignature->data().AppendElements(sig->data, sig->len);
+ return IPC_OK();
+}
+
+} // namespace mozilla::psm
diff --git a/security/manager/ssl/IPCClientCertsParent.h b/security/manager/ssl/IPCClientCertsParent.h
new file mode 100644
index 0000000000..46ce96523b
--- /dev/null
+++ b/security/manager/ssl/IPCClientCertsParent.h
@@ -0,0 +1,40 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm_IPCClientCertsParent_h__
+#define mozilla_psm_IPCClientCertsParent_h__
+
+#include "mozilla/psm/PIPCClientCertsParent.h"
+
+namespace mozilla {
+
+namespace net {
+class SocketProcessBackgroundParent;
+} // namespace net
+
+namespace psm {
+
+class IPCClientCertsParent final : public PIPCClientCertsParent {
+ friend class mozilla::net::SocketProcessBackgroundParent;
+
+ public:
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCClientCertsParent)
+
+ mozilla::ipc::IPCResult RecvFindObjects(
+ nsTArray<IPCClientCertObject>* aObjects);
+ mozilla::ipc::IPCResult RecvSign(ByteArray aCert, ByteArray aData,
+ ByteArray aParams, ByteArray* aSignature);
+
+ private:
+ IPCClientCertsParent();
+ ~IPCClientCertsParent() = default;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif
diff --git a/security/manager/ssl/KeychainSecret.cpp b/security/manager/ssl/KeychainSecret.cpp
new file mode 100644
index 0000000000..4b0d2bf5fd
--- /dev/null
+++ b/security/manager/ssl/KeychainSecret.cpp
@@ -0,0 +1,160 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "KeychainSecret.h"
+
+#include <Security/Security.h>
+
+#include "mozilla/Logging.h"
+
+// This is the implementation of KeychainSecret, an instantiation of OSKeyStore
+// for OS X. It uses the system keychain, hence the name.
+
+using namespace mozilla;
+
+LazyLogModule gKeychainSecretLog("keychainsecret");
+
+KeychainSecret::KeychainSecret() {}
+
+KeychainSecret::~KeychainSecret() {}
+
+ScopedCFType<CFStringRef> MozillaStringToCFString(const nsACString& stringIn) {
+ // https://developer.apple.com/documentation/corefoundation/1543419-cfstringcreatewithbytes
+ ScopedCFType<CFStringRef> stringOut(CFStringCreateWithBytes(
+ nullptr, reinterpret_cast<const UInt8*>(stringIn.BeginReading()),
+ stringIn.Length(), kCFStringEncodingUTF8, false));
+ return stringOut;
+}
+
+nsresult KeychainSecret::StoreSecret(const nsACString& aSecret,
+ const nsACString& aLabel) {
+ // This creates a CFDictionary of the form:
+ // { class: generic password,
+ // account: the given label,
+ // value: the given secret }
+ // "account" is the way we differentiate different secrets.
+ // By default, secrets stored by the application (Firefox) in this way are not
+ // accessible to other applications, so we shouldn't need to worry about
+ // unauthorized access or namespace collisions. This will be the case as long
+ // as we never set the kSecAttrAccessGroup attribute on the CFDictionary. The
+ // platform enforces this restriction using the application-identifier
+ // entitlement that each application bundle should have. See
+ // https://developer.apple.com/documentation/security/1401659-secitemadd?language=objc#discussion
+
+ // The keychain does not overwrite secrets by default (unlike other backends
+ // like libsecret and credential manager). To be consistent, we first delete
+ // any previously-stored secrets that use the given label.
+ nsresult rv = DeleteSecret(aLabel);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("DeleteSecret before StoreSecret failed"));
+ return rv;
+ }
+ const CFStringRef keys[] = {kSecClass, kSecAttrAccount, kSecValueData};
+ ScopedCFType<CFStringRef> label(MozillaStringToCFString(aLabel));
+ if (!label) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("MozillaStringToCFString failed"));
+ return NS_ERROR_FAILURE;
+ }
+ ScopedCFType<CFDataRef> secret(CFDataCreate(
+ nullptr, reinterpret_cast<const UInt8*>(aSecret.BeginReading()),
+ aSecret.Length()));
+ if (!secret) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, ("CFDataCreate failed"));
+ return NS_ERROR_FAILURE;
+ }
+ const void* values[] = {kSecClassGenericPassword, label.get(), secret.get()};
+ static_assert(ArrayLength(keys) == ArrayLength(values),
+ "mismatched SecItemAdd key/value array sizes");
+ ScopedCFType<CFDictionaryRef> addDictionary(CFDictionaryCreate(
+ nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys),
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
+ // https://developer.apple.com/documentation/security/1401659-secitemadd
+ OSStatus osrv = SecItemAdd(addDictionary.get(), nullptr);
+ if (osrv != errSecSuccess) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("SecItemAdd failed: %d", osrv));
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+nsresult KeychainSecret::DeleteSecret(const nsACString& aLabel) {
+ // To delete a secret, we create a CFDictionary of the form:
+ // { class: generic password,
+ // account: the given label }
+ // and then call SecItemDelete.
+ const CFStringRef keys[] = {kSecClass, kSecAttrAccount};
+ ScopedCFType<CFStringRef> label(MozillaStringToCFString(aLabel));
+ if (!label) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("MozillaStringToCFString failed"));
+ return NS_ERROR_FAILURE;
+ }
+ const void* values[] = {kSecClassGenericPassword, label.get()};
+ static_assert(ArrayLength(keys) == ArrayLength(values),
+ "mismatched SecItemDelete key/value array sizes");
+ ScopedCFType<CFDictionaryRef> deleteDictionary(CFDictionaryCreate(
+ nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys),
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
+ // https://developer.apple.com/documentation/security/1395547-secitemdelete
+ OSStatus rv = SecItemDelete(deleteDictionary.get());
+ if (rv != errSecSuccess && rv != errSecItemNotFound) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("SecItemDelete failed: %d", rv));
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+nsresult KeychainSecret::RetrieveSecret(const nsACString& aLabel,
+ /* out */ nsACString& aSecret) {
+ // To retrieve a secret, we create a CFDictionary of the form:
+ // { class: generic password,
+ // account: the given label,
+ // match limit: match one,
+ // return attributes: true,
+ // return data: true }
+ // This searches for and returns the attributes and data for the secret
+ // matching the given label. We then extract the data (i.e. the secret) and
+ // return it.
+ const CFStringRef keys[] = {kSecClass, kSecAttrAccount, kSecMatchLimit,
+ kSecReturnAttributes, kSecReturnData};
+ ScopedCFType<CFStringRef> label(MozillaStringToCFString(aLabel));
+ if (!label) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("MozillaStringToCFString failed"));
+ return NS_ERROR_FAILURE;
+ }
+ const void* values[] = {kSecClassGenericPassword, label.get(),
+ kSecMatchLimitOne, kCFBooleanTrue, kCFBooleanTrue};
+ static_assert(ArrayLength(keys) == ArrayLength(values),
+ "mismatched SecItemCopyMatching key/value array sizes");
+ ScopedCFType<CFDictionaryRef> searchDictionary(CFDictionaryCreate(
+ nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys),
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
+ CFTypeRef item;
+ // https://developer.apple.com/documentation/security/1398306-secitemcopymatching
+ OSStatus rv = SecItemCopyMatching(searchDictionary.get(), &item);
+ if (rv != errSecSuccess) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("SecItemCopyMatching failed: %d", rv));
+ return NS_ERROR_FAILURE;
+ }
+ ScopedCFType<CFDictionaryRef> dictionary(
+ reinterpret_cast<CFDictionaryRef>(item));
+ CFDataRef secret = reinterpret_cast<CFDataRef>(
+ CFDictionaryGetValue(dictionary.get(), kSecValueData));
+ if (!secret) {
+ MOZ_LOG(gKeychainSecretLog, LogLevel::Debug,
+ ("CFDictionaryGetValue failed"));
+ return NS_ERROR_FAILURE;
+ }
+ aSecret.Assign(reinterpret_cast<const char*>(CFDataGetBytePtr(secret)),
+ CFDataGetLength(secret));
+ return NS_OK;
+}
diff --git a/security/manager/ssl/KeychainSecret.h b/security/manager/ssl/KeychainSecret.h
new file mode 100644
index 0000000000..7a0850a001
--- /dev/null
+++ b/security/manager/ssl/KeychainSecret.h
@@ -0,0 +1,49 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef KeychainSecret_h
+#define KeychainSecret_h
+
+#include "CoreFoundation/CFBase.h"
+
+#include "OSKeyStore.h"
+#include "nsString.h"
+
+template <typename T>
+class ScopedCFType {
+ public:
+ explicit ScopedCFType(T value) : mValue(value) {}
+
+ MOZ_IMPLICIT ScopedCFType(decltype(nullptr)) : mValue(nullptr) {}
+
+ ~ScopedCFType() {
+ if (mValue) {
+ CFRelease((CFTypeRef)mValue);
+ }
+ }
+
+ T get() { return mValue; }
+
+ explicit operator bool() const { return mValue != nullptr; }
+
+ private:
+ T mValue;
+};
+
+class KeychainSecret final : public AbstractOSKeyStore {
+ public:
+ KeychainSecret();
+
+ virtual nsresult RetrieveSecret(const nsACString& label,
+ /* out */ nsACString& secret) override;
+ virtual nsresult StoreSecret(const nsACString& secret,
+ const nsACString& label) override;
+ virtual nsresult DeleteSecret(const nsACString& label) override;
+
+ virtual ~KeychainSecret();
+};
+
+#endif // KeychainSecret_h
diff --git a/security/manager/ssl/LibSecret.cpp b/security/manager/ssl/LibSecret.cpp
new file mode 100644
index 0000000000..4b50c4d0b3
--- /dev/null
+++ b/security/manager/ssl/LibSecret.cpp
@@ -0,0 +1,321 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "LibSecret.h"
+
+#include <gio/gio.h>
+#include <gmodule.h>
+#include <memory>
+
+#include "mozilla/Base64.h"
+#include "mozilla/Logging.h"
+#include "MainThreadUtils.h"
+#include "prlink.h"
+
+// This is the implementation of LibSecret, an instantiation of OSKeyStore for
+// Linux.
+
+using namespace mozilla;
+
+LazyLogModule gLibSecretLog("libsecret");
+
+static PRLibrary* libsecret = nullptr;
+
+typedef struct _SecretService SecretService;
+typedef struct _SecretCollection SecretCollection;
+
+typedef enum {
+ SECRET_SCHEMA_NONE = 0,
+ SECRET_SCHEMA_DONT_MATCH_NAME = 1 << 1
+} SecretSchemaFlags;
+
+typedef enum {
+ SECRET_SCHEMA_ATTRIBUTE_STRING = 0,
+ SECRET_SCHEMA_ATTRIBUTE_INTEGER = 1,
+ SECRET_SCHEMA_ATTRIBUTE_BOOLEAN = 2,
+} SecretSchemaAttributeType;
+
+typedef struct {
+ const gchar* name;
+ SecretSchemaAttributeType type;
+} SecretSchemaAttribute;
+
+typedef struct {
+ const gchar* name;
+ SecretSchemaFlags flags;
+ SecretSchemaAttribute attributes[32];
+
+ /* <private> */
+ gint reserved;
+ gpointer reserved1;
+ gpointer reserved2;
+ gpointer reserved3;
+ gpointer reserved4;
+ gpointer reserved5;
+ gpointer reserved6;
+ gpointer reserved7;
+} SecretSchema;
+
+typedef enum {
+ SECRET_COLLECTION_NONE = 0 << 0,
+ SECRET_COLLECTION_LOAD_ITEMS = 1 << 1,
+} SecretCollectionFlags;
+
+typedef enum {
+ SECRET_SERVICE_NONE = 0,
+ SECRET_SERVICE_OPEN_SESSION = 1 << 1,
+ SECRET_SERVICE_LOAD_COLLECTIONS = 1 << 2,
+} SecretServiceFlags;
+
+typedef enum {
+ SECRET_ERROR_PROTOCOL = 1,
+ SECRET_ERROR_IS_LOCKED = 2,
+ SECRET_ERROR_NO_SUCH_OBJECT = 3,
+ SECRET_ERROR_ALREADY_EXISTS = 4,
+} SecretError;
+
+#define SECRET_COLLECTION_DEFAULT "default"
+
+typedef SecretCollection* (*secret_collection_for_alias_sync_fn)(
+ SecretService*, const gchar*, SecretCollectionFlags, GCancellable*,
+ GError**);
+typedef SecretService* (*secret_service_get_sync_fn)(SecretServiceFlags,
+ GCancellable*, GError**);
+typedef gboolean (*secret_password_clear_sync_fn)(const SecretSchema*,
+ GCancellable*, GError**, ...);
+typedef gchar* (*secret_password_lookup_sync_fn)(const SecretSchema*,
+ GCancellable*, GError**, ...);
+typedef gboolean (*secret_password_store_sync_fn)(const SecretSchema*,
+ const gchar*, const gchar*,
+ const gchar*, GCancellable*,
+ GError**, ...);
+typedef void (*secret_password_free_fn)(const gchar*);
+typedef GQuark (*secret_error_get_quark_fn)();
+
+static secret_collection_for_alias_sync_fn secret_collection_for_alias_sync =
+ nullptr;
+static secret_service_get_sync_fn secret_service_get_sync = nullptr;
+static secret_password_clear_sync_fn secret_password_clear_sync = nullptr;
+static secret_password_lookup_sync_fn secret_password_lookup_sync = nullptr;
+static secret_password_store_sync_fn secret_password_store_sync = nullptr;
+static secret_password_free_fn secret_password_free = nullptr;
+static secret_error_get_quark_fn secret_error_get_quark = nullptr;
+
+nsresult MaybeLoadLibSecret() {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ if (!libsecret) {
+ libsecret = PR_LoadLibrary("libsecret-1.so.0");
+ if (!libsecret) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+// With TSan, we cannot unload libsecret once we have loaded it because
+// TSan does not support unloading libraries that are matched from its
+// suppression list. Hence we just keep the library loaded in TSan builds.
+#ifdef MOZ_TSAN
+# define UNLOAD_LIBSECRET(x) \
+ do { \
+ } while (0)
+#else
+# define UNLOAD_LIBSECRET(x) PR_UnloadLibrary(x)
+#endif
+
+#define FIND_FUNCTION_SYMBOL(function) \
+ function = (function##_fn)PR_FindFunctionSymbol(libsecret, #function); \
+ if (!(function)) { \
+ UNLOAD_LIBSECRET(libsecret); \
+ libsecret = nullptr; \
+ return NS_ERROR_NOT_AVAILABLE; \
+ }
+ FIND_FUNCTION_SYMBOL(secret_collection_for_alias_sync);
+ FIND_FUNCTION_SYMBOL(secret_service_get_sync);
+ FIND_FUNCTION_SYMBOL(secret_password_clear_sync);
+ FIND_FUNCTION_SYMBOL(secret_password_lookup_sync);
+ FIND_FUNCTION_SYMBOL(secret_password_store_sync);
+ FIND_FUNCTION_SYMBOL(secret_password_free);
+ FIND_FUNCTION_SYMBOL(secret_error_get_quark);
+#undef FIND_FUNCTION_SYMBOL
+ }
+
+ return NS_OK;
+}
+
+struct ScopedDelete {
+ void operator()(SecretService* ss) {
+ if (ss) g_object_unref(ss);
+ }
+ void operator()(SecretCollection* sc) {
+ if (sc) g_object_unref(sc);
+ }
+ void operator()(GError* error) {
+ if (error) g_error_free(error);
+ }
+ void operator()(GList* list) {
+ if (list) g_list_free(list);
+ }
+ void operator()(char* val) {
+ if (val) secret_password_free(val);
+ }
+};
+
+template <class T>
+struct ScopedMaybeDelete {
+ void operator()(T* ptr) {
+ if (ptr) {
+ ScopedDelete del;
+ del(ptr);
+ }
+ }
+};
+
+typedef std::unique_ptr<GError, ScopedMaybeDelete<GError>> ScopedGError;
+typedef std::unique_ptr<GList, ScopedMaybeDelete<GList>> ScopedGList;
+typedef std::unique_ptr<char, ScopedMaybeDelete<char>> ScopedPassword;
+typedef std::unique_ptr<SecretCollection, ScopedMaybeDelete<SecretCollection>>
+ ScopedSecretCollection;
+typedef std::unique_ptr<SecretService, ScopedMaybeDelete<SecretService>>
+ ScopedSecretService;
+
+LibSecret::LibSecret() = default;
+
+LibSecret::~LibSecret() {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return;
+ }
+ if (libsecret) {
+ secret_collection_for_alias_sync = nullptr;
+ secret_service_get_sync = nullptr;
+ secret_password_clear_sync = nullptr;
+ secret_password_lookup_sync = nullptr;
+ secret_password_store_sync = nullptr;
+ secret_password_free = nullptr;
+ secret_error_get_quark = nullptr;
+ UNLOAD_LIBSECRET(libsecret);
+ libsecret = nullptr;
+ }
+}
+
+static const SecretSchema kSchema = {
+ "mozilla.firefox",
+ SECRET_SCHEMA_NONE,
+ {{"string", SECRET_SCHEMA_ATTRIBUTE_STRING}, /* the label */
+ {"NULL", SECRET_SCHEMA_ATTRIBUTE_STRING}}};
+
+nsresult GetScopedServices(ScopedSecretService& aSs,
+ ScopedSecretCollection& aSc) {
+ MOZ_ASSERT(secret_service_get_sync && secret_collection_for_alias_sync);
+ if (!secret_service_get_sync || !secret_collection_for_alias_sync) {
+ return NS_ERROR_FAILURE;
+ }
+ GError* raw_error = nullptr;
+ aSs = ScopedSecretService(secret_service_get_sync(
+ static_cast<SecretServiceFlags>(
+ SECRET_SERVICE_OPEN_SESSION), // SecretServiceFlags
+ nullptr, // GCancellable
+ &raw_error));
+ ScopedGError error(raw_error);
+ if (error || !aSs) {
+ MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Couldn't get a secret service"));
+ return NS_ERROR_FAILURE;
+ }
+
+ aSc = ScopedSecretCollection(secret_collection_for_alias_sync(
+ aSs.get(), "default", static_cast<SecretCollectionFlags>(0),
+ nullptr, // GCancellable
+ &raw_error));
+ error.reset(raw_error);
+ if (!aSc) {
+ MOZ_LOG(gLibSecretLog, LogLevel::Debug,
+ ("Couldn't get a secret collection"));
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+nsresult LibSecret::StoreSecret(const nsACString& aSecret,
+ const nsACString& aLabel) {
+ MOZ_ASSERT(secret_password_store_sync);
+ if (!secret_password_store_sync) {
+ return NS_ERROR_FAILURE;
+ }
+ // libsecret expects a null-terminated string, so to be safe we store the
+ // secret (which could be arbitrary bytes) base64-encoded.
+ nsAutoCString base64;
+ nsresult rv = Base64Encode(aSecret, base64);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error base64-encoding secret"));
+ return rv;
+ }
+ GError* raw_error = nullptr;
+ bool stored = secret_password_store_sync(
+ &kSchema, SECRET_COLLECTION_DEFAULT, PromiseFlatCString(aLabel).get(),
+ PromiseFlatCString(base64).get(),
+ nullptr, // GCancellable
+ &raw_error, "string", PromiseFlatCString(aLabel).get(), nullptr);
+ ScopedGError error(raw_error);
+ if (raw_error) {
+ MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error storing secret"));
+ return NS_ERROR_FAILURE;
+ }
+
+ return stored ? NS_OK : NS_ERROR_FAILURE;
+}
+
+nsresult LibSecret::DeleteSecret(const nsACString& aLabel) {
+ MOZ_ASSERT(secret_password_clear_sync && secret_error_get_quark);
+ if (!secret_password_clear_sync || !secret_error_get_quark) {
+ return NS_ERROR_FAILURE;
+ }
+ GError* raw_error = nullptr;
+ Unused << secret_password_clear_sync(
+ &kSchema,
+ nullptr, // GCancellable
+ &raw_error, "string", PromiseFlatCString(aLabel).get(), nullptr);
+ ScopedGError error(raw_error);
+ if (raw_error && !(raw_error->domain == secret_error_get_quark() &&
+ raw_error->code == SECRET_ERROR_NO_SUCH_OBJECT)) {
+ MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error deleting secret"));
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+nsresult LibSecret::RetrieveSecret(const nsACString& aLabel,
+ /* out */ nsACString& aSecret) {
+ MOZ_ASSERT(secret_password_lookup_sync && secret_password_free);
+ if (!secret_password_lookup_sync || !secret_password_free) {
+ return NS_ERROR_FAILURE;
+ }
+ GError* raw_error = nullptr;
+ aSecret.Truncate();
+ ScopedPassword s(secret_password_lookup_sync(
+ &kSchema,
+ nullptr, // GCancellable
+ &raw_error, "string", PromiseFlatCString(aLabel).get(), nullptr));
+ ScopedGError error(raw_error);
+ if (raw_error || !s) {
+ MOZ_LOG(gLibSecretLog, LogLevel::Debug,
+ ("Error retrieving secret or didn't find it"));
+ return NS_ERROR_FAILURE;
+ }
+ // libsecret expects a null-terminated string, so to be safe we store the
+ // secret (which could be arbitrary bytes) base64-encoded, which means we have
+ // to base64-decode it here.
+ nsAutoCString base64Encoded(s.get());
+ nsresult rv = Base64Decode(base64Encoded, aSecret);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error base64-decoding secret"));
+ return rv;
+ }
+
+ return NS_OK;
+}
diff --git a/security/manager/ssl/LibSecret.h b/security/manager/ssl/LibSecret.h
new file mode 100644
index 0000000000..b4aa8fbce8
--- /dev/null
+++ b/security/manager/ssl/LibSecret.h
@@ -0,0 +1,29 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef LibSecret_h
+#define LibSecret_h
+
+#include "OSKeyStore.h"
+
+#include "nsString.h"
+
+nsresult MaybeLoadLibSecret();
+
+class LibSecret final : public AbstractOSKeyStore {
+ public:
+ LibSecret();
+
+ virtual nsresult RetrieveSecret(const nsACString& label,
+ /* out */ nsACString& secret) override;
+ virtual nsresult StoreSecret(const nsACString& secret,
+ const nsACString& label) override;
+ virtual nsresult DeleteSecret(const nsACString& label) override;
+
+ virtual ~LibSecret();
+};
+
+#endif // LibSecret_h
diff --git a/security/manager/ssl/NSSErrorsService.cpp b/security/manager/ssl/NSSErrorsService.cpp
new file mode 100644
index 0000000000..06c0b1e790
--- /dev/null
+++ b/security/manager/ssl/NSSErrorsService.cpp
@@ -0,0 +1,212 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "NSSErrorsService.h"
+
+#include "nsIStringBundle.h"
+#include "nsNSSComponent.h"
+#include "nsServiceManagerUtils.h"
+#include "mozpkix/pkixnss.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+#define PIPNSS_STRBUNDLE_URL "chrome://pipnss/locale/pipnss.properties"
+#define NSSERR_STRBUNDLE_URL "chrome://pipnss/locale/nsserrors.properties"
+
+namespace mozilla {
+namespace psm {
+
+static_assert(mozilla::pkix::ERROR_BASE ==
+ nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE,
+ "MOZILLA_PKIX_ERROR_BASE and "
+ "nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE do not match.");
+static_assert(mozilla::pkix::ERROR_LIMIT ==
+ nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT,
+ "MOZILLA_PKIX_ERROR_LIMIT and "
+ "nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT do not match.");
+
+static bool IsPSMError(PRErrorCode error) {
+ return (error >= mozilla::pkix::ERROR_BASE &&
+ error < mozilla::pkix::ERROR_LIMIT);
+}
+
+NS_IMPL_ISUPPORTS(NSSErrorsService, nsINSSErrorsService)
+
+NSSErrorsService::~NSSErrorsService() = default;
+
+nsresult NSSErrorsService::Init() {
+ nsresult rv;
+ nsCOMPtr<nsIStringBundleService> bundleService(
+ do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv));
+ if (NS_FAILED(rv) || !bundleService) return NS_ERROR_FAILURE;
+
+ bundleService->CreateBundle(PIPNSS_STRBUNDLE_URL,
+ getter_AddRefs(mPIPNSSBundle));
+ if (!mPIPNSSBundle) rv = NS_ERROR_FAILURE;
+
+ bundleService->CreateBundle(NSSERR_STRBUNDLE_URL,
+ getter_AddRefs(mNSSErrorsBundle));
+ if (!mNSSErrorsBundle) rv = NS_ERROR_FAILURE;
+
+ return rv;
+}
+
+#define EXPECTED_SEC_ERROR_BASE (-0x2000)
+#define EXPECTED_SSL_ERROR_BASE (-0x3000)
+
+#if SEC_ERROR_BASE != EXPECTED_SEC_ERROR_BASE || \
+ SSL_ERROR_BASE != EXPECTED_SSL_ERROR_BASE
+# error \
+ "Unexpected change of error code numbers in lib NSS, please adjust the mapping code"
+/*
+ * Please ensure the NSS error codes are mapped into the positive range 0x1000
+ * to 0xf000 Search for NS_ERROR_MODULE_SECURITY to ensure there are no
+ * conflicts. The current code also assumes that NSS library error codes are
+ * negative.
+ */
+#endif
+
+bool IsNSSErrorCode(PRErrorCode code) {
+ return IS_SEC_ERROR(code) || IS_SSL_ERROR(code) || IsPSMError(code);
+}
+
+nsresult GetXPCOMFromNSSError(PRErrorCode code) {
+ if (!code) {
+ MOZ_CRASH("Function failed without calling PR_GetError");
+ }
+
+ // The error codes within each module must be a 16 bit value.
+ // For simplicity we use the positive value of the NSS code.
+ return (nsresult)NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY,
+ -1 * code);
+}
+
+NS_IMETHODIMP
+NSSErrorsService::IsNSSErrorCode(int32_t aNSPRCode, bool* _retval) {
+ if (!_retval) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ *_retval = mozilla::psm::IsNSSErrorCode(aNSPRCode);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSErrorsService::GetXPCOMFromNSSError(int32_t aNSPRCode,
+ nsresult* aXPCOMErrorCode) {
+ if (!aXPCOMErrorCode) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ *aXPCOMErrorCode = mozilla::psm::GetXPCOMFromNSSError(aNSPRCode);
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode,
+ uint32_t* aErrorClass) {
+ NS_ENSURE_ARG(aErrorClass);
+
+ if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
+ NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
+ return NS_ERROR_FAILURE;
+ }
+
+ int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
+
+ if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (mozilla::psm::ErrorIsOverridable(aNSPRCode)) {
+ *aErrorClass = ERROR_CLASS_BAD_CERT;
+ } else {
+ *aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
+ }
+
+ return NS_OK;
+}
+
+bool ErrorIsOverridable(PRErrorCode code) {
+ switch (code) {
+ // Overridable errors.
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
+ case SEC_ERROR_CA_CERT_INVALID:
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_INVALID_TIME:
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ return true;
+ // Non-overridable errors.
+ default:
+ return false;
+ }
+}
+
+static const char* getOverrideErrorStringName(PRErrorCode aErrorCode) {
+ switch (aErrorCode) {
+ case SSL_ERROR_SSL_DISABLED:
+ return "PSMERR_SSL_Disabled";
+ case SSL_ERROR_SSL2_DISABLED:
+ return "PSMERR_SSL2_Disabled";
+ case SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
+ return "PSMERR_HostReusedIssuerSerial";
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
+ return "certErrorTrust_MitM";
+ default:
+ return nullptr;
+ }
+}
+
+NS_IMETHODIMP
+NSSErrorsService::GetErrorMessage(nsresult aXPCOMErrorCode,
+ nsAString& aErrorMessage) {
+ if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
+ NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
+ return NS_ERROR_FAILURE;
+ }
+
+ int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
+
+ if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsCOMPtr<nsIStringBundle> theBundle = mPIPNSSBundle;
+ const char* idStr = getOverrideErrorStringName(aNSPRCode);
+
+ if (!idStr) {
+ idStr = PR_ErrorToName(aNSPRCode);
+ theBundle = mNSSErrorsBundle;
+ }
+
+ if (!idStr || !theBundle) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsAutoString msg;
+ nsresult rv = theBundle->GetStringFromName(idStr, msg);
+ if (NS_SUCCEEDED(rv)) {
+ aErrorMessage = msg;
+ }
+ return rv;
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/NSSErrorsService.h b/security/manager/ssl/NSSErrorsService.h
new file mode 100644
index 0000000000..a19bea9e5f
--- /dev/null
+++ b/security/manager/ssl/NSSErrorsService.h
@@ -0,0 +1,56 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSErrorsService_h
+#define NSSErrorsService_h
+
+#include "mozilla/Attributes.h"
+#include "nsCOMPtr.h"
+#include "nsILineInputStream.h"
+#include "nsINSSErrorsService.h"
+#include "nsISafeOutputStream.h"
+#include "nsIStringBundle.h"
+#include "prerror.h"
+
+class nsIStringBundle;
+
+namespace mozilla {
+namespace psm {
+
+class NSSErrorsService final : public nsINSSErrorsService {
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSINSSERRORSSERVICE
+
+ public:
+ nsresult Init();
+
+ private:
+ // For XPCOM implementations that are not a base class for some other
+ // class, it is good practice to make the destructor non-virtual and
+ // private. Then the only way to delete the object is via Release.
+#ifdef _MSC_VER
+ // C4265: Class has virtual members but destructor is not virtual
+ __pragma(warning(disable : 4265))
+#endif
+ ~NSSErrorsService();
+
+ nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
+ nsCOMPtr<nsIStringBundle> mNSSErrorsBundle;
+};
+
+bool IsNSSErrorCode(PRErrorCode code);
+nsresult GetXPCOMFromNSSError(PRErrorCode code);
+bool ErrorIsOverridable(PRErrorCode code);
+
+} // namespace psm
+} // namespace mozilla
+
+#define NS_NSSERRORSSERVICE_CID \
+ { \
+ 0x9ef18451, 0xa157, 0x4d17, { \
+ 0x81, 0x32, 0x47, 0xaf, 0xef, 0x21, 0x36, 0x89 \
+ } \
+ }
+
+#endif // NSSErrorsService_h
diff --git a/security/manager/ssl/NSSKeyStore.cpp b/security/manager/ssl/NSSKeyStore.cpp
new file mode 100644
index 0000000000..4a516294c0
--- /dev/null
+++ b/security/manager/ssl/NSSKeyStore.cpp
@@ -0,0 +1,154 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "NSSKeyStore.h"
+
+#include "mozilla/AbstractThread.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Logging.h"
+#include "mozilla/SyncRunnable.h"
+#include "nsIThread.h"
+#include "nsNSSComponent.h"
+#include "nsPK11TokenDB.h"
+#include "nsXULAppAPI.h"
+
+/* Implementing OSKeyStore when there is no platform specific one.
+ * This key store instead puts the keys into the NSS DB.
+ */
+
+using namespace mozilla;
+using mozilla::SyncRunnable;
+
+LazyLogModule gNSSKeyStoreLog("nsskeystore");
+
+NSSKeyStore::NSSKeyStore() {
+ MOZ_ASSERT(XRE_IsParentProcess());
+ if (!XRE_IsParentProcess()) {
+ // This shouldn't happen as this is only initialised when creating the
+ // OSKeyStore, which is ParentProcessOnly.
+ return;
+ }
+ Unused << EnsureNSSInitializedChromeOrContent();
+ Unused << InitToken();
+}
+NSSKeyStore::~NSSKeyStore() = default;
+
+nsresult NSSKeyStore::InitToken() {
+ if (!mSlot) {
+ mSlot = UniquePK11SlotInfo(PK11_GetInternalKeySlot());
+ if (!mSlot) {
+ MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug,
+ ("Error getting internal key slot"));
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ }
+ return NS_OK;
+}
+
+nsresult NSSKeyStore::StoreSecret(const nsACString& aSecret,
+ const nsACString& aLabel) {
+ NS_ENSURE_STATE(mSlot);
+
+ // It is possible for multiple keys to have the same nickname in NSS. To
+ // prevent the problem of not knowing which key to use in the future, simply
+ // delete all keys with this nickname before storing a new one.
+ nsresult rv = DeleteSecret(aLabel);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug,
+ ("DeleteSecret before StoreSecret failed"));
+ return rv;
+ }
+
+ uint8_t* p = BitwiseCast<uint8_t*, const char*>(aSecret.BeginReading());
+ UniqueSECItem key(SECITEM_AllocItem(nullptr, nullptr, aSecret.Length()));
+ if (!key) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ key->type = siBuffer;
+ memcpy(key->data, p, aSecret.Length());
+ key->len = aSecret.Length();
+ UniquePK11SymKey symKey(
+ PK11_ImportSymKey(mSlot.get(), CKM_AES_GCM, PK11_OriginUnwrap,
+ CKA_DECRYPT | CKA_ENCRYPT, key.get(), nullptr));
+ if (!symKey) {
+ MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, ("Error creating NSS SymKey"));
+ return NS_ERROR_FAILURE;
+ }
+ UniquePK11SymKey storedKey(
+ PK11_ConvertSessionSymKeyToTokenSymKey(symKey.get(), nullptr));
+ if (!storedKey) {
+ MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug,
+ ("Error storing NSS SymKey in DB"));
+ return NS_ERROR_FAILURE;
+ }
+ SECStatus srv =
+ PK11_SetSymKeyNickname(storedKey.get(), PromiseFlatCString(aLabel).get());
+ if (srv != SECSuccess) {
+ MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, ("Error naming NSS SymKey"));
+ (void)PK11_DeleteTokenSymKey(storedKey.get());
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+nsresult NSSKeyStore::DeleteSecret(const nsACString& aLabel) {
+ NS_ENSURE_STATE(mSlot);
+
+ UniquePK11SymKey symKey(PK11_ListFixedKeysInSlot(
+ mSlot.get(), const_cast<char*>(PromiseFlatCString(aLabel).get()),
+ nullptr));
+ if (!symKey) {
+ // Couldn't find the key or something is wrong. Be nice.
+ return NS_OK;
+ }
+ for (PK11SymKey* tmp = symKey.get(); tmp; tmp = PK11_GetNextSymKey(tmp)) {
+ SECStatus srv = PK11_DeleteTokenSymKey(tmp);
+ if (srv != SECSuccess) {
+ MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, ("Error deleting NSS SymKey"));
+ return NS_ERROR_FAILURE;
+ }
+ }
+ return NS_OK;
+}
+
+bool NSSKeyStore::SecretAvailable(const nsACString& aLabel) {
+ if (!mSlot) {
+ return false;
+ }
+
+ UniquePK11SymKey symKey(PK11_ListFixedKeysInSlot(
+ mSlot.get(), const_cast<char*>(PromiseFlatCString(aLabel).get()),
+ nullptr));
+ if (!symKey) {
+ return false;
+ }
+ return true;
+}
+
+nsresult NSSKeyStore::EncryptDecrypt(const nsACString& aLabel,
+ const std::vector<uint8_t>& inBytes,
+ std::vector<uint8_t>& outBytes,
+ bool encrypt) {
+ NS_ENSURE_STATE(mSlot);
+
+ UniquePK11SymKey symKey(PK11_ListFixedKeysInSlot(
+ mSlot.get(), const_cast<char*>(PromiseFlatCString(aLabel).get()),
+ nullptr));
+ if (!symKey) {
+ MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug,
+ ("Error finding key for given label"));
+ return NS_ERROR_FAILURE;
+ }
+ return DoCipher(symKey, inBytes, outBytes, encrypt);
+}
+
+// Because NSSKeyStore overrides AbstractOSKeyStore's EncryptDecrypt and
+// SecretAvailable functions, this isn't necessary.
+nsresult NSSKeyStore::RetrieveSecret(const nsACString& aLabel,
+ /* out */ nsACString& aSecret) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
diff --git a/security/manager/ssl/NSSKeyStore.h b/security/manager/ssl/NSSKeyStore.h
new file mode 100644
index 0000000000..6e0411d6cc
--- /dev/null
+++ b/security/manager/ssl/NSSKeyStore.h
@@ -0,0 +1,34 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSKeyStore_h
+#define NSSKeyStore_h
+
+#include "OSKeyStore.h"
+#include "nsString.h"
+
+class NSSKeyStore final : public AbstractOSKeyStore {
+ public:
+ NSSKeyStore();
+
+ virtual nsresult RetrieveSecret(const nsACString& aLabel,
+ /* out */ nsACString& aSecret) override;
+ virtual nsresult StoreSecret(const nsACString& secret,
+ const nsACString& label) override;
+ virtual nsresult DeleteSecret(const nsACString& label) override;
+ virtual nsresult EncryptDecrypt(const nsACString& label,
+ const std::vector<uint8_t>& inBytes,
+ std::vector<uint8_t>& outBytes,
+ bool encrypt) override;
+ virtual bool SecretAvailable(const nsACString& label) override;
+ virtual ~NSSKeyStore();
+
+ private:
+ nsresult InitToken();
+ mozilla::UniquePK11SlotInfo mSlot = nullptr;
+};
+
+#endif // NSSKeyStore_h
diff --git a/security/manager/ssl/NSSSocketControl.cpp b/security/manager/ssl/NSSSocketControl.cpp
new file mode 100644
index 0000000000..e8f0f99dae
--- /dev/null
+++ b/security/manager/ssl/NSSSocketControl.cpp
@@ -0,0 +1,732 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "NSSSocketControl.h"
+
+#include "ssl.h"
+#include "sslexp.h"
+#include "nsISocketProvider.h"
+#include "secerr.h"
+#include "mozilla/Base64.h"
+#include "nsNSSCallbacks.h"
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+extern LazyLogModule gPIPNSSLog;
+
+NSSSocketControl::NSSSocketControl(const nsCString& aHostName, int32_t aPort,
+ SharedSSLState& aState,
+ uint32_t providerFlags,
+ uint32_t providerTlsFlags)
+ : CommonSocketControl(aHostName, aPort, providerFlags),
+ mFd(nullptr),
+ mCertVerificationState(BeforeCertVerification),
+ mSharedState(aState),
+ mForSTARTTLS(false),
+ mTLSVersionRange{0, 0},
+ mHandshakePending(true),
+ mPreliminaryHandshakeDone(false),
+ mEarlyDataAccepted(false),
+ mDenyClientCert(false),
+ mFalseStartCallbackCalled(false),
+ mFalseStarted(false),
+ mIsFullHandshake(false),
+ mNotedTimeUntilReady(false),
+ mEchExtensionStatus(EchExtensionStatus::kNotPresent),
+ mSentXyberShare(false),
+ mHasTls13HandshakeSecrets(false),
+ mIsShortWritePending(false),
+ mShortWritePendingByte(0),
+ mShortWriteOriginalAmount(-1),
+ mKEAUsed(nsITLSSocketControl::KEY_EXCHANGE_UNKNOWN),
+ mKEAKeyBits(0),
+ mMACAlgorithmUsed(nsITLSSocketControl::SSL_MAC_UNKNOWN),
+ mProviderTlsFlags(providerTlsFlags),
+ mSocketCreationTimestamp(TimeStamp::Now()),
+ mPlaintextBytesRead(0),
+ mClaimed(!(providerFlags & nsISocketProvider::IS_SPECULATIVE_CONNECTION)),
+ mPendingSelectClientAuthCertificate(nullptr),
+ mBrowserId(0) {}
+
+NS_IMETHODIMP
+NSSSocketControl::GetKEAUsed(int16_t* aKea) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aKea = mKEAUsed;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetKEAKeyBits(uint32_t* aKeyBits) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aKeyBits = mKEAKeyBits;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetSSLVersionOffered(int16_t* aSSLVersionOffered) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aSSLVersionOffered = mTLSVersionRange.max;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetMACAlgorithmUsed(int16_t* aMac) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aMac = mMACAlgorithmUsed;
+ return NS_OK;
+}
+
+void NSSSocketControl::NoteTimeUntilReady() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (mNotedTimeUntilReady) {
+ return;
+ }
+ mNotedTimeUntilReady = true;
+
+ auto timestampNow = TimeStamp::Now();
+ if (!(mProviderFlags & nsISocketProvider::IS_RETRY)) {
+ Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_FIRST_TRY,
+ mSocketCreationTimestamp, timestampNow);
+ }
+
+ if (mProviderFlags & nsISocketProvider::BE_CONSERVATIVE) {
+ Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_CONSERVATIVE,
+ mSocketCreationTimestamp, timestampNow);
+ }
+
+ switch (GetEchExtensionStatus()) {
+ case EchExtensionStatus::kGREASE:
+ Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_ECH_GREASE,
+ mSocketCreationTimestamp, timestampNow);
+ break;
+ case EchExtensionStatus::kReal:
+ Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_ECH,
+ mSocketCreationTimestamp, timestampNow);
+ break;
+ default:
+ break;
+ }
+ // This will include TCP and proxy tunnel wait time
+ Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY,
+ mSocketCreationTimestamp, timestampNow);
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] NSSSocketControl::NoteTimeUntilReady\n", mFd));
+}
+
+void NSSSocketControl::SetHandshakeCompleted() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mHandshakeCompleted) {
+ enum HandshakeType {
+ Resumption = 1,
+ FalseStarted = 2,
+ ChoseNotToFalseStart = 3,
+ NotAllowedToFalseStart = 4,
+ };
+
+ HandshakeType handshakeType = !IsFullHandshake() ? Resumption
+ : mFalseStarted ? FalseStarted
+ : mFalseStartCallbackCalled
+ ? ChoseNotToFalseStart
+ : NotAllowedToFalseStart;
+ // This will include TCP and proxy tunnel wait time
+ if (mKeaGroupName.isSome()) {
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::SSL_TIME_UNTIL_HANDSHAKE_FINISHED_KEYED_BY_KA,
+ *mKeaGroupName, mSocketCreationTimestamp, TimeStamp::Now());
+ }
+
+ // If the handshake is completed for the first time from just 1 callback
+ // that means that TLS session resumption must have been used.
+ Telemetry::Accumulate(Telemetry::SSL_RESUMED_SESSION,
+ handshakeType == Resumption);
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_TYPE, handshakeType);
+ }
+
+ // Remove the plaintext layer as it is not needed anymore.
+ // The plaintext layer is not always present - so it's not a fatal error if it
+ // cannot be removed.
+ // Note that PR_PopIOLayer may modify its stack, so a pointer returned by
+ // PR_GetIdentitiesLayer may not point to what we think it points to after
+ // calling PR_PopIOLayer. We must operate on the pointer returned by
+ // PR_PopIOLayer.
+ if (PR_GetIdentitiesLayer(mFd,
+ nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity)) {
+ PRFileDesc* poppedPlaintext =
+ PR_PopIOLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+ poppedPlaintext->dtor(poppedPlaintext);
+ }
+
+ mHandshakeCompleted = true;
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] NSSSocketControl::SetHandshakeCompleted\n", (void*)mFd));
+
+ mIsFullHandshake = false; // reset for next handshake on this connection
+
+ if (mTlsHandshakeCallback) {
+ auto callback = std::move(mTlsHandshakeCallback);
+ Unused << callback->HandshakeDone();
+ }
+}
+
+void NSSSocketControl::SetNegotiatedNPN(const char* value, uint32_t length) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!value) {
+ mNegotiatedNPN.Truncate();
+ } else {
+ mNegotiatedNPN.Assign(value, length);
+ }
+ mNPNCompleted = true;
+}
+
+#define MAX_ALPN_LENGTH 255
+
+NS_IMETHODIMP
+NSSSocketControl::GetAlpnEarlySelection(nsACString& aAlpnSelected) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ aAlpnSelected.Truncate();
+
+ SSLPreliminaryChannelInfo info;
+ SECStatus rv = SSL_GetPreliminaryChannelInfo(mFd, &info, sizeof(info));
+ if (rv != SECSuccess || !info.canSendEarlyData) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ SSLNextProtoState alpnState;
+ unsigned char chosenAlpn[MAX_ALPN_LENGTH];
+ unsigned int chosenAlpnLen;
+ rv = SSL_GetNextProto(mFd, &alpnState, chosenAlpn, &chosenAlpnLen,
+ AssertedCast<unsigned int>(ArrayLength(chosenAlpn)));
+
+ if (rv != SECSuccess) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ if (alpnState == SSL_NEXT_PROTO_EARLY_VALUE) {
+ aAlpnSelected.Assign(BitwiseCast<char*, unsigned char*>(chosenAlpn),
+ chosenAlpnLen);
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetEarlyDataAccepted(bool* aAccepted) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aAccepted = mEarlyDataAccepted;
+ return NS_OK;
+}
+
+void NSSSocketControl::SetEarlyDataAccepted(bool aAccepted) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mEarlyDataAccepted = aAccepted;
+}
+
+bool NSSSocketControl::GetDenyClientCert() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mDenyClientCert;
+}
+
+void NSSSocketControl::SetDenyClientCert(bool aDenyClientCert) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mDenyClientCert = aDenyClientCert;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::DriveHandshake() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mFd) {
+ return NS_ERROR_FAILURE;
+ }
+ if (IsCanceled()) {
+ PRErrorCode errorCode = GetErrorCode();
+ MOZ_DIAGNOSTIC_ASSERT(errorCode, "handshake cancelled without error code");
+ return GetXPCOMFromNSSError(errorCode);
+ }
+
+ SECStatus rv = SSL_ForceHandshake(mFd);
+
+ if (rv != SECSuccess) {
+ PRErrorCode errorCode = PR_GetError();
+ MOZ_ASSERT(errorCode, "handshake failed without error code");
+ // There is a bug in NSS. Sometimes SSL_ForceHandshake will return
+ // SECFailure without setting an error code. In these cases, cancel
+ // the connection with SEC_ERROR_LIBRARY_FAILURE.
+ if (!errorCode) {
+ errorCode = SEC_ERROR_LIBRARY_FAILURE;
+ }
+ if (errorCode == PR_WOULD_BLOCK_ERROR) {
+ return NS_BASE_STREAM_WOULD_BLOCK;
+ }
+
+ SetCanceled(errorCode);
+ return GetXPCOMFromNSSError(errorCode);
+ }
+ return NS_OK;
+}
+
+bool NSSSocketControl::GetForSTARTTLS() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mForSTARTTLS;
+}
+
+void NSSSocketControl::SetForSTARTTLS(bool aForSTARTTLS) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mForSTARTTLS = aForSTARTTLS;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::ProxyStartSSL() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return ActivateSSL();
+}
+
+NS_IMETHODIMP
+NSSSocketControl::StartTLS() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return ActivateSSL();
+}
+
+NS_IMETHODIMP
+NSSSocketControl::SetNPNList(nsTArray<nsCString>& protocolArray) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mFd) return NS_ERROR_FAILURE;
+
+ // the npn list is a concatenated list of 8 bit byte strings.
+ nsCString npnList;
+
+ for (uint32_t index = 0; index < protocolArray.Length(); ++index) {
+ if (protocolArray[index].IsEmpty() || protocolArray[index].Length() > 255)
+ return NS_ERROR_ILLEGAL_VALUE;
+
+ npnList.Append(protocolArray[index].Length());
+ npnList.Append(protocolArray[index]);
+ }
+
+ if (SSL_SetNextProtoNego(
+ mFd, BitwiseCast<const unsigned char*, const char*>(npnList.get()),
+ npnList.Length()) != SECSuccess)
+ return NS_ERROR_FAILURE;
+
+ return NS_OK;
+}
+
+nsresult NSSSocketControl::ActivateSSL() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (SECSuccess != SSL_OptionSet(mFd, SSL_SECURITY, true))
+ return NS_ERROR_FAILURE;
+ if (SECSuccess != SSL_ResetHandshake(mFd, false)) return NS_ERROR_FAILURE;
+
+ mHandshakePending = true;
+
+ return SetResumptionTokenFromExternalCache(mFd);
+}
+
+nsresult NSSSocketControl::GetFileDescPtr(PRFileDesc** aFilePtr) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ *aFilePtr = mFd;
+ return NS_OK;
+}
+
+nsresult NSSSocketControl::SetFileDescPtr(PRFileDesc* aFilePtr) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mFd = aFilePtr;
+ return NS_OK;
+}
+
+void NSSSocketControl::SetCertVerificationWaiting() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ // mCertVerificationState may be BeforeCertVerification for the first
+ // handshake on the connection, or AfterCertVerification for subsequent
+ // renegotiation handshakes.
+ MOZ_ASSERT(mCertVerificationState != WaitingForCertVerification,
+ "Invalid state transition to WaitingForCertVerification");
+ mCertVerificationState = WaitingForCertVerification;
+}
+
+// Be careful that SetCertVerificationResult does NOT get called while we are
+// processing a SSL callback function, because SSL_AuthCertificateComplete will
+// attempt to acquire locks that are already held by libssl when it calls
+// callbacks.
+void NSSSocketControl::SetCertVerificationResult(PRErrorCode errorCode) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ SetUsedPrivateDNS(GetProviderFlags() & nsISocketProvider::USED_PRIVATE_DNS);
+ MOZ_ASSERT(mCertVerificationState == WaitingForCertVerification,
+ "Invalid state transition to AfterCertVerification");
+
+ if (mFd) {
+ SECStatus rv = SSL_AuthCertificateComplete(mFd, errorCode);
+ // Only replace errorCode if there was originally no error.
+ // SSL_AuthCertificateComplete will return SECFailure with the error code
+ // set to PR_WOULD_BLOCK_ERROR if there is a pending event to select a
+ // client authentication certificate. This is not an error.
+ if (rv != SECSuccess && PR_GetError() != PR_WOULD_BLOCK_ERROR &&
+ errorCode == 0) {
+ errorCode = PR_GetError();
+ if (errorCode == 0) {
+ NS_ERROR("SSL_AuthCertificateComplete didn't set error code");
+ errorCode = PR_INVALID_STATE_ERROR;
+ }
+ }
+ }
+
+ if (errorCode) {
+ mFailedVerification = true;
+ SetCanceled(errorCode);
+ }
+
+ if (mPlaintextBytesRead && !errorCode) {
+ Telemetry::Accumulate(Telemetry::SSL_BYTES_BEFORE_CERT_CALLBACK,
+ AssertedCast<uint32_t>(mPlaintextBytesRead));
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] SetCertVerificationResult to AfterCertVerification, "
+ "mTlsHandshakeCallback=%p",
+ (void*)mFd, mTlsHandshakeCallback.get()));
+
+ mCertVerificationState = AfterCertVerification;
+ if (mTlsHandshakeCallback) {
+ Unused << mTlsHandshakeCallback->CertVerificationDone();
+ }
+}
+
+void NSSSocketControl::ClientAuthCertificateSelected(
+ nsTArray<uint8_t>& certBytes, nsTArray<nsTArray<uint8_t>>& certChainBytes) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ // If mFd is nullptr, the connection has been closed already, so we don't
+ // need to do anything here.
+ if (!mFd) {
+ return;
+ }
+ SECItem certItem = {
+ siBuffer,
+ const_cast<uint8_t*>(certBytes.Elements()),
+ static_cast<unsigned int>(certBytes.Length()),
+ };
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &certItem, nullptr, false, true));
+ UniqueSECKEYPrivateKey key;
+ if (cert) {
+ key.reset(PK11_FindKeyByAnyCert(cert.get(), nullptr));
+ mClientCertChain.reset(CERT_NewCertList());
+ if (key && mClientCertChain) {
+ for (const auto& certBytes : certChainBytes) {
+ SECItem certItem = {
+ siBuffer,
+ const_cast<uint8_t*>(certBytes.Elements()),
+ static_cast<unsigned int>(certBytes.Length()),
+ };
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &certItem, nullptr, false, true));
+ if (cert) {
+ if (CERT_AddCertToListTail(mClientCertChain.get(), cert.get()) ==
+ SECSuccess) {
+ Unused << cert.release();
+ }
+ }
+ }
+ }
+ }
+
+ bool sendingClientAuthCert = cert && key;
+ if (sendingClientAuthCert) {
+ mSentClientCert = true;
+ Telemetry::ScalarAdd(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE,
+ u"sent"_ns, 1);
+ }
+
+ Unused << SSL_ClientCertCallbackComplete(
+ mFd, sendingClientAuthCert ? SECSuccess : SECFailure,
+ sendingClientAuthCert ? key.release() : nullptr,
+ sendingClientAuthCert ? cert.release() : nullptr);
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] ClientAuthCertificateSelected mTlsHandshakeCallback=%p",
+ (void*)mFd, mTlsHandshakeCallback.get()));
+ if (mTlsHandshakeCallback) {
+ Unused << mTlsHandshakeCallback->ClientAuthCertificateSelected();
+ }
+}
+
+SharedSSLState& NSSSocketControl::SharedState() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mSharedState;
+}
+
+void NSSSocketControl::SetSharedOwningReference(SharedSSLState* aRef) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mOwningSharedRef = aRef;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::DisableEarlyData() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mFd) {
+ return NS_OK;
+ }
+ if (IsCanceled()) {
+ return NS_OK;
+ }
+
+ if (SSL_OptionSet(mFd, SSL_ENABLE_0RTT_DATA, false) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::SetHandshakeCallbackListener(
+ nsITlsHandshakeCallbackListener* callback) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mTlsHandshakeCallback = callback;
+ return NS_OK;
+}
+
+PRStatus NSSSocketControl::CloseSocketAndDestroy() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+
+ mPendingSelectClientAuthCertificate = nullptr;
+
+ PRFileDesc* popped = PR_PopIOLayer(mFd, PR_TOP_IO_LAYER);
+ MOZ_ASSERT(
+ popped && popped->identity == nsSSLIOLayerHelpers::nsSSLIOLayerIdentity,
+ "SSL Layer not on top of stack");
+
+ // The plaintext layer is not always present - so it's not a fatal error if it
+ // cannot be removed.
+ // Note that PR_PopIOLayer may modify its stack, so a pointer returned by
+ // PR_GetIdentitiesLayer may not point to what we think it points to after
+ // calling PR_PopIOLayer. We must operate on the pointer returned by
+ // PR_PopIOLayer.
+ if (PR_GetIdentitiesLayer(mFd,
+ nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity)) {
+ PRFileDesc* poppedPlaintext =
+ PR_PopIOLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+ poppedPlaintext->dtor(poppedPlaintext);
+ }
+
+ // We need to clear the callback to make sure the ssl layer cannot call the
+ // callback after mFD is nulled.
+ SSL_SetResumptionTokenCallback(mFd, nullptr, nullptr);
+
+ PRStatus status = mFd->methods->close(mFd);
+
+ // the NSSSocketControl instance can out-live the connection, so we need some
+ // indication that the connection has been closed. mFd == nullptr is that
+ // indication. This is needed, for example, when the connection is closed
+ // before we have finished validating the server's certificate.
+ mFd = nullptr;
+
+ if (status != PR_SUCCESS) return status;
+
+ popped->identity = PR_INVALID_IO_LAYER;
+ popped->dtor(popped);
+
+ return PR_SUCCESS;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetEsniTxt(nsACString& aEsniTxt) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ aEsniTxt = mEsniTxt;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::SetEsniTxt(const nsACString& aEsniTxt) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mEsniTxt = aEsniTxt;
+
+ if (mEsniTxt.Length()) {
+ nsAutoCString esniBin;
+ if (NS_OK != Base64Decode(mEsniTxt, esniBin)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("[%p] Invalid ESNIKeys record. Couldn't base64 decode\n",
+ (void*)mFd));
+ return NS_OK;
+ }
+
+ if (SECSuccess !=
+ SSL_EnableESNI(mFd, reinterpret_cast<const PRUint8*>(esniBin.get()),
+ esniBin.Length(), nullptr)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("[%p] Invalid ESNIKeys record %s\n", (void*)mFd,
+ PR_ErrorToName(PR_GetError())));
+ return NS_OK;
+ }
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetEchConfig(nsACString& aEchConfig) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ aEchConfig = mEchConfig;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::SetEchConfig(const nsACString& aEchConfig) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mEchConfig = aEchConfig;
+
+ if (mEchConfig.Length()) {
+ if (SECSuccess !=
+ SSL_SetClientEchConfigs(
+ mFd, reinterpret_cast<const PRUint8*>(aEchConfig.BeginReading()),
+ aEchConfig.Length())) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("[%p] Invalid EchConfig record %s\n", (void*)mFd,
+ PR_ErrorToName(PR_GetError())));
+ return NS_OK;
+ }
+ UpdateEchExtensionStatus(EchExtensionStatus::kReal);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetRetryEchConfig(nsACString& aEchConfig) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mFd) {
+ return NS_ERROR_FAILURE;
+ }
+
+ ScopedAutoSECItem retryConfigItem;
+ SECStatus rv = SSL_GetEchRetryConfigs(mFd, &retryConfigItem);
+ if (rv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ aEchConfig = nsCString(reinterpret_cast<const char*>(retryConfigItem.data),
+ retryConfigItem.len);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+NSSSocketControl::GetPeerId(nsACString& aResult) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mPeerId.IsEmpty()) {
+ aResult.Assign(mPeerId);
+ return NS_OK;
+ }
+
+ if (mProviderFlags &
+ nsISocketProvider::ANONYMOUS_CONNECT) { // See bug 466080
+ mPeerId.AppendLiteral("anon:");
+ }
+ if (mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE) {
+ mPeerId.AppendLiteral("private:");
+ }
+ if (mProviderFlags & nsISocketProvider::BE_CONSERVATIVE) {
+ mPeerId.AppendLiteral("beConservative:");
+ }
+
+ mPeerId.AppendPrintf("tlsflags0x%08x:", mProviderTlsFlags);
+
+ mPeerId.Append(mHostName);
+ mPeerId.Append(':');
+ mPeerId.AppendInt(GetPort());
+ nsAutoCString suffix;
+ mOriginAttributes.CreateSuffix(suffix);
+ mPeerId.Append(suffix);
+
+ aResult.Assign(mPeerId);
+ return NS_OK;
+}
+
+nsresult NSSSocketControl::SetResumptionTokenFromExternalCache(PRFileDesc* fd) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!fd) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ // If SSL_NO_CACHE option was set, we must not use the cache
+ PRIntn val;
+ if (SSL_OptionGet(fd, SSL_NO_CACHE, &val) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (val != 0) {
+ return NS_OK;
+ }
+
+ nsTArray<uint8_t> token;
+ nsAutoCString peerId;
+ nsresult rv = GetPeerId(peerId);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ uint64_t tokenId = 0;
+ mozilla::net::SessionCacheInfo info;
+ rv = mozilla::net::SSLTokensCache::Get(peerId, token, info, &tokenId);
+ if (NS_FAILED(rv)) {
+ if (rv == NS_ERROR_NOT_AVAILABLE) {
+ // It's ok if we can't find the token.
+ return NS_OK;
+ }
+
+ return rv;
+ }
+
+ SECStatus srv = SSL_SetResumptionToken(fd, token.Elements(), token.Length());
+ if (srv == SECFailure) {
+ PRErrorCode error = PR_GetError();
+ mozilla::net::SSLTokensCache::Remove(peerId, tokenId);
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Setting token failed with NSS error %d [id=%s]", error,
+ PromiseFlatCString(peerId).get()));
+ // We don't consider SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR as a hard error,
+ // since this error means this token is just expired or can't be decoded
+ // correctly.
+ if (error == SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR) {
+ return NS_OK;
+ }
+
+ return NS_ERROR_FAILURE;
+ }
+
+ SetSessionCacheInfo(std::move(info));
+
+ return NS_OK;
+}
+
+void NSSSocketControl::SetPreliminaryHandshakeInfo(
+ const SSLChannelInfo& channelInfo, const SSLCipherSuiteInfo& cipherInfo) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mResumed = channelInfo.resumed;
+ mCipherSuite.emplace(channelInfo.cipherSuite);
+ mProtocolVersion.emplace(channelInfo.protocolVersion & 0xFF);
+ mKeaGroupName.emplace(getKeaGroupName(channelInfo.keaGroup));
+ mSignatureSchemeName.emplace(getSignatureName(channelInfo.signatureScheme));
+ mIsDelegatedCredential.emplace(channelInfo.peerDelegCred);
+ mIsAcceptedEch.emplace(channelInfo.echAccepted);
+}
+
+NS_IMETHODIMP NSSSocketControl::Claim() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mClaimed = true;
+ return NS_OK;
+}
+
+NS_IMETHODIMP NSSSocketControl::SetBrowserId(uint64_t browserId) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mBrowserId = browserId;
+ return NS_OK;
+}
+
+NS_IMETHODIMP NSSSocketControl::GetBrowserId(uint64_t* browserId) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!browserId) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ *browserId = mBrowserId;
+ return NS_OK;
+}
diff --git a/security/manager/ssl/NSSSocketControl.h b/security/manager/ssl/NSSSocketControl.h
new file mode 100644
index 0000000000..f607340b76
--- /dev/null
+++ b/security/manager/ssl/NSSSocketControl.h
@@ -0,0 +1,366 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSSocketControl_h
+#define NSSSocketControl_h
+
+#include "CommonSocketControl.h"
+#include "SharedSSLState.h"
+#include "TLSClientAuthCertSelection.h"
+#include "nsThreadUtils.h"
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+class SelectClientAuthCertificate;
+
+class NSSSocketControl final : public CommonSocketControl {
+ public:
+ NSSSocketControl(const nsCString& aHostName, int32_t aPort,
+ mozilla::psm::SharedSSLState& aState, uint32_t providerFlags,
+ uint32_t providerTlsFlags);
+
+ NS_INLINE_DECL_REFCOUNTING_INHERITED(NSSSocketControl, CommonSocketControl);
+
+ void SetForSTARTTLS(bool aForSTARTTLS);
+ bool GetForSTARTTLS();
+
+ nsresult GetFileDescPtr(PRFileDesc** aFilePtr);
+ nsresult SetFileDescPtr(PRFileDesc* aFilePtr);
+
+ bool IsHandshakePending() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mHandshakePending;
+ }
+ void SetHandshakeNotPending() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mHandshakePending = false;
+ }
+
+ void SetTLSVersionRange(SSLVersionRange range) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mTLSVersionRange = range;
+ }
+ SSLVersionRange GetTLSVersionRange() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mTLSVersionRange;
+ };
+
+ // From nsITLSSocketControl.
+ NS_IMETHOD ProxyStartSSL(void) override;
+ NS_IMETHOD StartTLS(void) override;
+ NS_IMETHOD SetNPNList(nsTArray<nsCString>& aNPNList) override;
+ NS_IMETHOD GetAlpnEarlySelection(nsACString& _retval) override;
+ NS_IMETHOD GetEarlyDataAccepted(bool* aEarlyDataAccepted) override;
+ NS_IMETHOD DriveHandshake(void) override;
+ NS_IMETHOD GetKEAUsed(int16_t* aKEAUsed) override;
+ NS_IMETHOD GetKEAKeyBits(uint32_t* aKEAKeyBits) override;
+ NS_IMETHOD GetSSLVersionOffered(int16_t* aSSLVersionOffered) override;
+ NS_IMETHOD GetMACAlgorithmUsed(int16_t* aMACAlgorithmUsed) override;
+ bool GetDenyClientCert() override;
+ void SetDenyClientCert(bool aDenyClientCert) override;
+ NS_IMETHOD GetEsniTxt(nsACString& aEsniTxt) override;
+ NS_IMETHOD SetEsniTxt(const nsACString& aEsniTxt) override;
+ NS_IMETHOD GetEchConfig(nsACString& aEchConfig) override;
+ NS_IMETHOD SetEchConfig(const nsACString& aEchConfig) override;
+ NS_IMETHOD GetPeerId(nsACString& aResult) override;
+ NS_IMETHOD GetRetryEchConfig(nsACString& aEchConfig) override;
+ NS_IMETHOD DisableEarlyData(void) override;
+ NS_IMETHOD SetHandshakeCallbackListener(
+ nsITlsHandshakeCallbackListener* callback) override;
+ NS_IMETHOD Claim() override;
+ NS_IMETHOD SetBrowserId(uint64_t browserId) override;
+ NS_IMETHOD GetBrowserId(uint64_t* browserId) override;
+
+ PRStatus CloseSocketAndDestroy();
+
+ void SetNegotiatedNPN(const char* value, uint32_t length);
+ void SetEarlyDataAccepted(bool aAccepted);
+
+ void SetHandshakeCompleted();
+ bool IsHandshakeCompleted() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mHandshakeCompleted;
+ }
+ void NoteTimeUntilReady();
+
+ void SetFalseStartCallbackCalled() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mFalseStartCallbackCalled = true;
+ }
+ void SetFalseStarted() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mFalseStarted = true;
+ }
+
+ // Note that this is only valid *during* a handshake; at the end of the
+ // handshake, it gets reset back to false.
+ void SetFullHandshake() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mIsFullHandshake = true;
+ }
+ bool IsFullHandshake() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mIsFullHandshake;
+ }
+
+ void UpdateEchExtensionStatus(EchExtensionStatus aEchExtensionStatus) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mEchExtensionStatus = std::max(aEchExtensionStatus, mEchExtensionStatus);
+ }
+ EchExtensionStatus GetEchExtensionStatus() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mEchExtensionStatus;
+ }
+
+ void WillSendXyberShare() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mSentXyberShare = true;
+ }
+
+ bool SentXyberShare() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mSentXyberShare;
+ }
+
+ void SetHasTls13HandshakeSecrets() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mHasTls13HandshakeSecrets = true;
+ }
+
+ bool HasTls13HandshakeSecrets() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mHasTls13HandshakeSecrets;
+ }
+
+ bool GetJoined() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mJoined;
+ }
+
+ uint32_t GetProviderTlsFlags() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mProviderTlsFlags;
+ }
+
+ mozilla::psm::SharedSSLState& SharedState();
+
+ enum CertVerificationState {
+ BeforeCertVerification,
+ WaitingForCertVerification,
+ AfterCertVerification
+ };
+
+ void SetCertVerificationWaiting();
+
+ // Use errorCode == 0 to indicate success;
+ void SetCertVerificationResult(PRErrorCode errorCode) override;
+
+ void ClientAuthCertificateSelected(
+ nsTArray<uint8_t>& certBytes,
+ nsTArray<nsTArray<uint8_t>>& certChainBytes);
+
+ bool IsWaitingForCertVerification() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mCertVerificationState == WaitingForCertVerification;
+ }
+ void AddPlaintextBytesRead(uint64_t val) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mPlaintextBytesRead += val;
+ }
+
+ bool IsPreliminaryHandshakeDone() const {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mPreliminaryHandshakeDone;
+ }
+ void SetPreliminaryHandshakeDone() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mPreliminaryHandshakeDone = true;
+ }
+
+ void SetKEAUsed(int16_t kea) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mKEAUsed = kea;
+ }
+
+ void SetKEAKeyBits(uint32_t keaBits) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mKEAKeyBits = keaBits;
+ }
+
+ void SetMACAlgorithmUsed(int16_t mac) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mMACAlgorithmUsed = mac;
+ }
+
+ void SetShortWritePending(int32_t amount, unsigned char data) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mIsShortWritePending = true;
+ mShortWriteOriginalAmount = amount;
+ mShortWritePendingByte = data;
+ }
+
+ bool IsShortWritePending() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return mIsShortWritePending;
+ }
+
+ unsigned char const* GetShortWritePendingByteRef() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ return &mShortWritePendingByte;
+ }
+
+ int32_t ResetShortWritePending() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mIsShortWritePending = false;
+ return mShortWriteOriginalAmount;
+ }
+
+#ifdef DEBUG
+ // These helpers assert that the caller does try to send the same data
+ // as it was previously when we hit the short-write. This is a measure
+ // to make sure we communicate correctly to the consumer.
+ void RememberShortWrittenBuffer(const unsigned char* data) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ mShortWriteBufferCheck =
+ mozilla::MakeUnique<char[]>(mShortWriteOriginalAmount);
+ memcpy(mShortWriteBufferCheck.get(), data, mShortWriteOriginalAmount);
+ }
+ void CheckShortWrittenBuffer(const unsigned char* data, int32_t amount) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!mShortWriteBufferCheck) return;
+ MOZ_ASSERT(amount >= mShortWriteOriginalAmount,
+ "unexpected amount length after short write");
+ MOZ_ASSERT(
+ !memcmp(mShortWriteBufferCheck.get(), data, mShortWriteOriginalAmount),
+ "unexpected buffer content after short write");
+ mShortWriteBufferCheck = nullptr;
+ }
+#endif
+
+ void SetSharedOwningReference(mozilla::psm::SharedSSLState* ref);
+
+ nsresult SetResumptionTokenFromExternalCache(PRFileDesc* fd);
+
+ void SetPreliminaryHandshakeInfo(const SSLChannelInfo& channelInfo,
+ const SSLCipherSuiteInfo& cipherInfo);
+
+ void SetPendingSelectClientAuthCertificate(
+ nsCOMPtr<nsIRunnable>&& selectClientAuthCertificate) {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ MOZ_LOG(
+ gPIPNSSLog, mozilla::LogLevel::Debug,
+ ("[%p] setting pending select client auth certificate", (void*)mFd));
+ // If the connection corresponding to this socket hasn't been claimed, it
+ // is a speculative connection. The connection will block until the "choose
+ // a client auth certificate" dialog has been shown. The dialog will only
+ // be shown when this connection gets claimed. However, necko will never
+ // claim the connection as long as it is blocking. Thus, this connection
+ // can't proceed, so it's best to cancel it. Necko will create a new,
+ // non-speculative connection instead.
+ if (!mClaimed) {
+ SetCanceled(PR_CONNECT_RESET_ERROR);
+ } else {
+ mPendingSelectClientAuthCertificate =
+ std::move(selectClientAuthCertificate);
+ }
+ }
+
+ void MaybeDispatchSelectClientAuthCertificate() {
+ COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
+ if (!IsWaitingForCertVerification() && mClaimed &&
+ mPendingSelectClientAuthCertificate) {
+ MOZ_LOG(gPIPNSSLog, mozilla::LogLevel::Debug,
+ ("[%p] dispatching pending select client auth certificate",
+ (void*)mFd));
+ mozilla::Unused << NS_DispatchToMainThread(
+ mPendingSelectClientAuthCertificate);
+ mPendingSelectClientAuthCertificate = nullptr;
+ }
+ }
+
+ private:
+ ~NSSSocketControl() = default;
+
+ PRFileDesc* mFd;
+
+ CertVerificationState mCertVerificationState;
+
+ mozilla::psm::SharedSSLState& mSharedState;
+ bool mForSTARTTLS;
+ SSLVersionRange mTLSVersionRange;
+ bool mHandshakePending;
+ bool mPreliminaryHandshakeDone; // after false start items are complete
+
+ nsresult ActivateSSL();
+
+ nsCString mEsniTxt;
+ nsCString mEchConfig;
+ bool mEarlyDataAccepted;
+ bool mDenyClientCert;
+ bool mFalseStartCallbackCalled;
+ bool mFalseStarted;
+ bool mIsFullHandshake;
+ bool mNotedTimeUntilReady;
+ EchExtensionStatus mEchExtensionStatus; // Currently only used for telemetry.
+ bool mSentXyberShare;
+ bool mHasTls13HandshakeSecrets;
+
+ // True when SSL layer has indicated an "SSL short write", i.e. need
+ // to call on send one or more times to push all pending data to write.
+ bool mIsShortWritePending;
+
+ // These are only valid if mIsShortWritePending is true.
+ //
+ // Value of the last byte pending from the SSL short write that needs
+ // to be passed to subsequent calls to send to perform the flush.
+ unsigned char mShortWritePendingByte;
+
+ // Original amount of data the upper layer has requested to write to
+ // return after the successful flush.
+ int32_t mShortWriteOriginalAmount;
+
+#ifdef DEBUG
+ mozilla::UniquePtr<char[]> mShortWriteBufferCheck;
+#endif
+
+ // mKEA* are used in false start and http/2 detetermination
+ // Values are from nsITLSSocketControl
+ int16_t mKEAUsed;
+ uint32_t mKEAKeyBits;
+ int16_t mMACAlgorithmUsed;
+
+ uint32_t mProviderTlsFlags;
+ mozilla::TimeStamp mSocketCreationTimestamp;
+ uint64_t mPlaintextBytesRead;
+
+ bool mClaimed;
+ nsCOMPtr<nsIRunnable> mPendingSelectClientAuthCertificate;
+
+ // Regarding the client certificate message in the TLS handshake, RFC 5246
+ // (TLS 1.2) says:
+ // If the certificate_authorities list in the certificate request
+ // message was non-empty, one of the certificates in the certificate
+ // chain SHOULD be issued by one of the listed CAs.
+ // (RFC 8446 (TLS 1.3) has a similar provision)
+ // These certificates may be known to gecko but not NSS (e.g. enterprise
+ // intermediates). In order to make these certificates discoverable to NSS
+ // so it can include them in the message, we cache them here as temporary
+ // certificates.
+ mozilla::UniqueCERTCertList mClientCertChain;
+
+ // if non-null this is a reference to the mSharedState (which is
+ // not an owning reference). If this is used, the info has a private
+ // state that does not share things like intolerance lists with the
+ // rest of the session. This is normally used when you have per
+ // socket tls flags overriding session wide defaults.
+ RefPtr<mozilla::psm::SharedSSLState> mOwningSharedRef;
+
+ nsCOMPtr<nsITlsHandshakeCallbackListener> mTlsHandshakeCallback;
+
+ uint64_t mBrowserId;
+};
+
+#endif // NSSSocketControl_h
diff --git a/security/manager/ssl/OSKeyStore.cpp b/security/manager/ssl/OSKeyStore.cpp
new file mode 100644
index 0000000000..5ab289b0dd
--- /dev/null
+++ b/security/manager/ssl/OSKeyStore.cpp
@@ -0,0 +1,628 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OSKeyStore.h"
+
+#include "mozilla/Base64.h"
+#include "mozilla/dom/Promise.h"
+#include "nsThreadUtils.h"
+#include "nsXPCOM.h"
+#include "pk11pub.h"
+
+#if defined(XP_MACOSX)
+# include "KeychainSecret.h"
+#elif defined(XP_WIN)
+# include "CredentialManagerSecret.h"
+#elif defined(MOZ_WIDGET_GTK)
+# include "LibSecret.h"
+# include "NSSKeyStore.h"
+#else
+# include "NSSKeyStore.h"
+#endif
+
+NS_IMPL_ISUPPORTS(OSKeyStore, nsIOSKeyStore)
+
+using namespace mozilla;
+using dom::Promise;
+
+OSKeyStore::OSKeyStore() : mKs(nullptr) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (NS_WARN_IF(!NS_IsMainThread())) {
+ return;
+ }
+
+#if defined(XP_MACOSX)
+ mKs.reset(new KeychainSecret());
+#elif defined(XP_WIN)
+ mKs.reset(new CredentialManagerSecret());
+#elif defined(MOZ_WIDGET_GTK)
+ if (NS_SUCCEEDED(MaybeLoadLibSecret())) {
+ mKs.reset(new LibSecret());
+ } else {
+ mKs.reset(new NSSKeyStore());
+ }
+#else
+ mKs.reset(new NSSKeyStore());
+#endif
+}
+
+static nsresult GenerateRandom(std::vector<uint8_t>& r) {
+ if (r.empty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ UniquePK11SlotInfo slot(PK11_GetInternalSlot());
+ if (!slot) {
+ return NS_ERROR_FAILURE;
+ }
+
+ SECStatus srv = PK11_GenerateRandomOnSlot(slot.get(), r.data(), r.size());
+ if (srv != SECSuccess) {
+ r.clear();
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+nsresult OSKeyStore::SecretAvailable(const nsACString& aLabel,
+ /* out */ bool* aAvailable) {
+ NS_ENSURE_STATE(mKs);
+ *aAvailable = mKs->SecretAvailable(aLabel);
+ return NS_OK;
+}
+
+nsresult OSKeyStore::GenerateSecret(const nsACString& aLabel,
+ /* out */ nsACString& aRecoveryPhrase) {
+ NS_ENSURE_STATE(mKs);
+ size_t keyByteLength = mKs->GetKeyByteLength();
+ std::vector<uint8_t> secret(keyByteLength);
+ nsresult rv = GenerateRandom(secret);
+ if (NS_FAILED(rv) || secret.size() != keyByteLength) {
+ return NS_ERROR_FAILURE;
+ }
+ nsAutoCString secretString;
+ secretString.Assign(BitwiseCast<char*, uint8_t*>(secret.data()),
+ secret.size());
+
+ nsCString base64;
+ rv = Base64Encode(secretString, base64);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = mKs->StoreSecret(secretString, aLabel);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ aRecoveryPhrase = std::move(base64);
+ return NS_OK;
+}
+
+nsresult OSKeyStore::RecoverSecret(const nsACString& aLabel,
+ const nsACString& aRecoveryPhrase) {
+ NS_ENSURE_STATE(mKs);
+ nsAutoCString secret;
+ nsresult rv = Base64Decode(aRecoveryPhrase, secret);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (secret.Length() != mKs->GetKeyByteLength()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ rv = mKs->StoreSecret(secret, aLabel);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return NS_OK;
+}
+
+nsresult OSKeyStore::DeleteSecret(const nsACString& aLabel) {
+ NS_ENSURE_STATE(mKs);
+ return mKs->DeleteSecret(aLabel);
+}
+
+enum Cipher { Encrypt = true, Decrypt = false };
+
+nsresult OSKeyStore::EncryptBytes(const nsACString& aLabel,
+ const std::vector<uint8_t>& aInBytes,
+ /*out*/ nsACString& aEncryptedBase64Text) {
+ NS_ENSURE_STATE(mKs);
+
+ aEncryptedBase64Text.Truncate();
+ std::vector<uint8_t> outBytes;
+ nsresult rv =
+ mKs->EncryptDecrypt(aLabel, aInBytes, outBytes, Cipher::Encrypt);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsAutoCString ciphertext;
+ ciphertext.Assign(BitwiseCast<char*, uint8_t*>(outBytes.data()),
+ outBytes.size());
+
+ nsCString base64ciphertext;
+ rv = Base64Encode(ciphertext, base64ciphertext);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ aEncryptedBase64Text = std::move(base64ciphertext);
+ return NS_OK;
+}
+
+nsresult OSKeyStore::DecryptBytes(const nsACString& aLabel,
+ const nsACString& aEncryptedBase64Text,
+ /*out*/ uint32_t* outLen,
+ /*out*/ uint8_t** outBytes) {
+ NS_ENSURE_STATE(mKs);
+ NS_ENSURE_ARG_POINTER(outLen);
+ NS_ENSURE_ARG_POINTER(outBytes);
+ *outLen = 0;
+ *outBytes = nullptr;
+
+ nsAutoCString ciphertext;
+ nsresult rv = Base64Decode(aEncryptedBase64Text, ciphertext);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ uint8_t* tmp = BitwiseCast<uint8_t*, const char*>(ciphertext.BeginReading());
+ const std::vector<uint8_t> ciphertextBytes(tmp, tmp + ciphertext.Length());
+ std::vector<uint8_t> plaintextBytes;
+ rv = mKs->EncryptDecrypt(aLabel, ciphertextBytes, plaintextBytes,
+ Cipher::Decrypt);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ *outBytes = (uint8_t*)moz_xmalloc(plaintextBytes.size());
+ memcpy(*outBytes, plaintextBytes.data(), plaintextBytes.size());
+ *outLen = plaintextBytes.size();
+ return NS_OK;
+}
+
+// Async interfaces that return promises because the key store implementation
+// might block, e.g. asking for a password.
+
+nsresult GetPromise(JSContext* aCx, /* out */ RefPtr<Promise>& aPromise) {
+ nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
+ if (NS_WARN_IF(!globalObject)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+ ErrorResult result;
+ aPromise = Promise::Create(globalObject, result);
+ if (NS_WARN_IF(result.Failed())) {
+ return result.StealNSResult();
+ }
+ return NS_OK;
+}
+
+void BackgroundGenerateSecret(const nsACString& aLabel,
+ RefPtr<Promise>& aPromise,
+ RefPtr<OSKeyStore> self) {
+ nsAutoCString recovery;
+ nsresult rv = self->GenerateSecret(aLabel, recovery);
+ nsAutoString recoveryString;
+ if (NS_SUCCEEDED(rv)) {
+ CopyUTF8toUTF16(recovery, recoveryString);
+ }
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundGenerateSecreteOSKSResolve",
+ [rv, aPromise = std::move(aPromise), recoveryString]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolve(recoveryString);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+NS_IMETHODIMP
+OSKeyStore::AsyncGenerateSecret(const nsACString& aLabel, JSContext* aCx,
+ Promise** promiseOut) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ RefPtr<Promise> promiseHandle;
+ nsresult rv = GetPromise(aCx, promiseHandle);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ RefPtr<OSKeyStore> self = this;
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundGenerateSecret",
+ [self, promiseHandle, aLabel = nsAutoCString(aLabel)]() mutable {
+ BackgroundGenerateSecret(aLabel, promiseHandle, self);
+ }));
+
+ promiseHandle.forget(promiseOut);
+ return NS_DispatchBackgroundTask(runnable.forget(),
+ NS_DISPATCH_EVENT_MAY_BLOCK);
+}
+
+void BackgroundSecretAvailable(const nsACString& aLabel,
+ RefPtr<Promise>& aPromise,
+ RefPtr<OSKeyStore> self) {
+ bool available = false;
+ nsresult rv = self->SecretAvailable(aLabel, &available);
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundSecreteAvailableOSKSResolve",
+ [rv, aPromise = std::move(aPromise), available = available]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolve(available);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+NS_IMETHODIMP
+OSKeyStore::AsyncSecretAvailable(const nsACString& aLabel, JSContext* aCx,
+ Promise** promiseOut) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ RefPtr<Promise> promiseHandle;
+ nsresult rv = GetPromise(aCx, promiseHandle);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ RefPtr<OSKeyStore> self = this;
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundSecretAvailable",
+ [self, promiseHandle, aLabel = nsAutoCString(aLabel)]() mutable {
+ BackgroundSecretAvailable(aLabel, promiseHandle, self);
+ }));
+
+ promiseHandle.forget(promiseOut);
+ return NS_DispatchBackgroundTask(runnable.forget(),
+ NS_DISPATCH_EVENT_MAY_BLOCK);
+}
+
+void BackgroundRecoverSecret(const nsACString& aLabel,
+ const nsACString& aRecoveryPhrase,
+ RefPtr<Promise>& aPromise,
+ RefPtr<OSKeyStore> self) {
+ nsresult rv = self->RecoverSecret(aLabel, aRecoveryPhrase);
+ nsCOMPtr<nsIRunnable> runnable(
+ NS_NewRunnableFunction("BackgroundRecoverSecreteOSKSResolve",
+ [rv, aPromise = std::move(aPromise)]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolveWithUndefined();
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+NS_IMETHODIMP
+OSKeyStore::AsyncRecoverSecret(const nsACString& aLabel,
+ const nsACString& aRecoveryPhrase,
+ JSContext* aCx, Promise** promiseOut) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ RefPtr<Promise> promiseHandle;
+ nsresult rv = GetPromise(aCx, promiseHandle);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ RefPtr<OSKeyStore> self = this;
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundRecoverSecret",
+ [self, promiseHandle, aLabel = nsAutoCString(aLabel),
+ aRecoveryPhrase = nsAutoCString(aRecoveryPhrase)]() mutable {
+ BackgroundRecoverSecret(aLabel, aRecoveryPhrase, promiseHandle, self);
+ }));
+
+ promiseHandle.forget(promiseOut);
+ return NS_DispatchBackgroundTask(runnable.forget(),
+ NS_DISPATCH_EVENT_MAY_BLOCK);
+}
+
+void BackgroundDeleteSecret(const nsACString& aLabel, RefPtr<Promise>& aPromise,
+ RefPtr<OSKeyStore> self) {
+ nsresult rv = self->DeleteSecret(aLabel);
+ nsCOMPtr<nsIRunnable> runnable(
+ NS_NewRunnableFunction("BackgroundDeleteSecreteOSKSResolve",
+ [rv, aPromise = std::move(aPromise)]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolveWithUndefined();
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+NS_IMETHODIMP
+OSKeyStore::AsyncDeleteSecret(const nsACString& aLabel, JSContext* aCx,
+ Promise** promiseOut) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ RefPtr<Promise> promiseHandle;
+ nsresult rv = GetPromise(aCx, promiseHandle);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ RefPtr<OSKeyStore> self = this;
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundDeleteSecret",
+ [self, promiseHandle, aLabel = nsAutoCString(aLabel)]() mutable {
+ BackgroundDeleteSecret(aLabel, promiseHandle, self);
+ }));
+
+ promiseHandle.forget(promiseOut);
+ return NS_DispatchBackgroundTask(runnable.forget(),
+ NS_DISPATCH_EVENT_MAY_BLOCK);
+}
+
+static void BackgroundEncryptBytes(const nsACString& aLabel,
+ const std::vector<uint8_t>& aInBytes,
+ RefPtr<Promise>& aPromise,
+ RefPtr<OSKeyStore> self) {
+ nsAutoCString ciphertext;
+ nsresult rv = self->EncryptBytes(aLabel, aInBytes, ciphertext);
+ nsAutoString ctext;
+ CopyUTF8toUTF16(ciphertext, ctext);
+
+ nsCOMPtr<nsIRunnable> runnable(
+ NS_NewRunnableFunction("BackgroundEncryptOSKSResolve",
+ [rv, aPromise = std::move(aPromise), ctext]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolve(ctext);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+NS_IMETHODIMP
+OSKeyStore::AsyncEncryptBytes(const nsACString& aLabel,
+ const nsTArray<uint8_t>& inBytes, JSContext* aCx,
+ Promise** promiseOut) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ RefPtr<Promise> promiseHandle;
+ nsresult rv = GetPromise(aCx, promiseHandle);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ RefPtr<OSKeyStore> self = this;
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundEncryptBytes",
+ [promiseHandle,
+ inBytes = std::vector<uint8_t>(inBytes.Elements(),
+ inBytes.Elements() + inBytes.Length()),
+ aLabel = nsAutoCString(aLabel), self]() mutable {
+ BackgroundEncryptBytes(aLabel, inBytes, promiseHandle, self);
+ }));
+
+ promiseHandle.forget(promiseOut);
+ return NS_DispatchBackgroundTask(runnable.forget(),
+ NS_DISPATCH_EVENT_MAY_BLOCK);
+}
+
+void BackgroundDecryptBytes(const nsACString& aLabel,
+ const nsACString& aEncryptedBase64Text,
+ RefPtr<Promise>& aPromise,
+ RefPtr<OSKeyStore> self) {
+ uint8_t* plaintext = nullptr;
+ uint32_t plaintextLen = 0;
+ nsresult rv = self->DecryptBytes(aLabel, aEncryptedBase64Text, &plaintextLen,
+ &plaintext);
+ nsTArray<uint8_t> plain;
+ if (plaintext) {
+ MOZ_ASSERT(plaintextLen > 0);
+ plain.AppendElements(plaintext, plaintextLen);
+ free(plaintext);
+ }
+
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundDecryptOSKSResolve",
+ [rv, aPromise = std::move(aPromise), plain = std::move(plain)]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolve(plain);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+NS_IMETHODIMP
+OSKeyStore::AsyncDecryptBytes(const nsACString& aLabel,
+ const nsACString& aEncryptedBase64Text,
+ JSContext* aCx, Promise** promiseOut) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ RefPtr<Promise> promiseHandle;
+ nsresult rv = GetPromise(aCx, promiseHandle);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ RefPtr<OSKeyStore> self = this;
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundDecryptBytes",
+ [promiseHandle, self,
+ aEncryptedBase64Text = nsAutoCString(aEncryptedBase64Text),
+ aLabel = nsAutoCString(aLabel)]() mutable {
+ BackgroundDecryptBytes(aLabel, aEncryptedBase64Text, promiseHandle,
+ self);
+ }));
+
+ promiseHandle.forget(promiseOut);
+ return NS_DispatchBackgroundTask(runnable.forget(),
+ NS_DISPATCH_EVENT_MAY_BLOCK);
+}
+
+// Generic AES-GCM cipher wrapper for NSS functions.
+
+nsresult AbstractOSKeyStore::BuildAesGcmKey(std::vector<uint8_t> aKeyBytes,
+ /* out */ UniquePK11SymKey& aKey) {
+ if (aKeyBytes.size() != mKeyByteLength) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalSlot());
+ if (!slot) {
+ return NS_ERROR_FAILURE;
+ }
+
+ UniqueSECItem key =
+ UniqueSECItem(SECITEM_AllocItem(nullptr, nullptr, mKeyByteLength));
+ if (!key) {
+ return NS_ERROR_FAILURE;
+ }
+ key->type = siBuffer;
+ memcpy(key->data, aKeyBytes.data(), mKeyByteLength);
+ key->len = mKeyByteLength;
+
+ UniquePK11SymKey symKey(
+ PK11_ImportSymKey(slot.get(), CKM_AES_GCM, PK11_OriginUnwrap,
+ CKA_DECRYPT | CKA_ENCRYPT, key.get(), nullptr));
+
+ if (!symKey) {
+ return NS_ERROR_FAILURE;
+ }
+ aKey.swap(symKey);
+
+ return NS_OK;
+}
+
+nsresult AbstractOSKeyStore::DoCipher(const UniquePK11SymKey& aSymKey,
+ const std::vector<uint8_t>& inBytes,
+ std::vector<uint8_t>& outBytes,
+ bool encrypt) {
+ NS_ENSURE_ARG_POINTER(aSymKey);
+ outBytes.clear();
+
+ // Build params.
+ // We need to get the IV from inBytes if we decrypt.
+ if (!encrypt && (inBytes.size() < mIVLength || inBytes.empty())) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ const uint8_t* ivp = nullptr;
+ std::vector<uint8_t> ivBuf;
+ if (encrypt) {
+ // Generate a new IV.
+ ivBuf.resize(mIVLength);
+ nsresult rv = GenerateRandom(ivBuf);
+ if (NS_FAILED(rv) || ivBuf.size() != mIVLength) {
+ return NS_ERROR_FAILURE;
+ }
+ ivp = ivBuf.data();
+ } else {
+ // An IV was passed in. Use the first mIVLength bytes from inBytes as IV.
+ ivp = inBytes.data();
+ }
+
+ CK_GCM_PARAMS gcm_params;
+ gcm_params.pIv = const_cast<unsigned char*>(ivp);
+ gcm_params.ulIvLen = mIVLength;
+ gcm_params.ulIvBits = gcm_params.ulIvLen * 8;
+ gcm_params.ulTagBits = 128;
+ gcm_params.pAAD = nullptr;
+ gcm_params.ulAADLen = 0;
+
+ SECItem paramsItem = {siBuffer, reinterpret_cast<unsigned char*>(&gcm_params),
+ sizeof(CK_GCM_PARAMS)};
+
+ size_t blockLength = 16;
+ outBytes.resize(inBytes.size() + blockLength);
+ unsigned int outLen = 0;
+ SECStatus srv = SECFailure;
+ if (encrypt) {
+ srv = PK11_Encrypt(aSymKey.get(), CKM_AES_GCM, &paramsItem, outBytes.data(),
+ &outLen, inBytes.size() + blockLength, inBytes.data(),
+ inBytes.size());
+ // Prepend the used IV to the ciphertext.
+ Unused << outBytes.insert(outBytes.begin(), ivp, ivp + mIVLength);
+ outLen += mIVLength;
+ } else {
+ // Remove the IV from the input.
+ std::vector<uint8_t> input(inBytes);
+ input.erase(input.begin(), input.begin() + mIVLength);
+ srv = PK11_Decrypt(aSymKey.get(), CKM_AES_GCM, &paramsItem, outBytes.data(),
+ &outLen, input.size() + blockLength, input.data(),
+ input.size());
+ }
+ if (srv != SECSuccess || outLen > outBytes.size()) {
+ outBytes.clear();
+ return NS_ERROR_FAILURE;
+ }
+ if (outLen < outBytes.size()) {
+ outBytes.resize(outLen);
+ }
+
+ return NS_OK;
+}
+
+bool AbstractOSKeyStore::SecretAvailable(const nsACString& aLabel) {
+ nsAutoCString secret;
+ nsresult rv = RetrieveSecret(aLabel, secret);
+ if (NS_FAILED(rv) || secret.Length() == 0) {
+ return false;
+ }
+ return true;
+}
+
+nsresult AbstractOSKeyStore::EncryptDecrypt(const nsACString& aLabel,
+ const std::vector<uint8_t>& inBytes,
+ std::vector<uint8_t>& outBytes,
+ bool encrypt) {
+ nsAutoCString secret;
+ nsresult rv = RetrieveSecret(aLabel, secret);
+ if (NS_FAILED(rv) || secret.Length() == 0) {
+ return NS_ERROR_FAILURE;
+ }
+
+ uint8_t* p = BitwiseCast<uint8_t*, const char*>(secret.BeginReading());
+ std::vector<uint8_t> buf(p, p + secret.Length());
+ UniquePK11SymKey symKey;
+ rv = BuildAesGcmKey(buf, symKey);
+ if (NS_FAILED(rv)) {
+ return NS_ERROR_FAILURE;
+ }
+ return DoCipher(symKey, inBytes, outBytes, encrypt);
+}
diff --git a/security/manager/ssl/OSKeyStore.h b/security/manager/ssl/OSKeyStore.h
new file mode 100644
index 0000000000..8094b448d9
--- /dev/null
+++ b/security/manager/ssl/OSKeyStore.h
@@ -0,0 +1,98 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Generic key store implementation for platforms that we don't support with OS
+// specific implementations.
+
+#ifndef OSKeyStore_h
+#define OSKeyStore_h
+
+#include "nsCOMPtr.h"
+#include "nsIOSKeyStore.h"
+#include "nsString.h"
+#include "ScopedNSSTypes.h"
+
+#include <memory>
+#include <vector>
+
+class AbstractOSKeyStore {
+ public:
+ // Retrieve a secret with the given label.
+ virtual nsresult RetrieveSecret(const nsACString& aLabel,
+ /* out */ nsACString& aSecret) = 0;
+ // Store a new secret with the given label.
+ virtual nsresult StoreSecret(const nsACString& secret,
+ const nsACString& label) = 0;
+ // Delete the secret with the given label.
+ virtual nsresult DeleteSecret(const nsACString& label) = 0;
+ virtual ~AbstractOSKeyStore() = default;
+
+ // Returns true if the secret with the given label is available in the key
+ // store, false otherwise.
+ virtual bool SecretAvailable(const nsACString& label);
+ // Perform encryption or decryption operation with the given secret and input
+ // bytes. The output is written in outBytes. This function can make use of the
+ // AesGcm class to use NSS for encryption and decryption.
+ virtual nsresult EncryptDecrypt(const nsACString& label,
+ const std::vector<uint8_t>& inBytes,
+ std::vector<uint8_t>& outBytes, bool encrypt);
+
+ size_t GetKeyByteLength() { return mKeyByteLength; }
+
+ protected:
+ /* These helper functions are implemented in OSKeyStore.cpp and implement
+ * common functionality of the abstract key store to encrypt and decrypt.
+ */
+ nsresult DoCipher(const mozilla::UniquePK11SymKey& aSymKey,
+ const std::vector<uint8_t>& inBytes,
+ std::vector<uint8_t>& outBytes, bool aEncrypt);
+ nsresult BuildAesGcmKey(std::vector<uint8_t> keyBytes,
+ /* out */ mozilla::UniquePK11SymKey& aKey);
+
+ private:
+ const size_t mKeyByteLength = 16;
+ const size_t mIVLength = 12;
+};
+
+#define NS_OSKEYSTORE_CONTRACTID "@mozilla.org/security/oskeystore;1"
+#define NS_OSKEYSTORE_CID \
+ { \
+ 0x57972956, 0x5718, 0x42d2, { \
+ 0x80, 0x70, 0xb3, 0xfc, 0x72, 0x21, 0x2e, 0xaf \
+ } \
+ }
+
+nsresult GetPromise(JSContext* aCx,
+ /* out */ RefPtr<mozilla::dom::Promise>& aPromise);
+
+class OSKeyStore final : public nsIOSKeyStore {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIOSKEYSTORE
+
+ OSKeyStore();
+ nsresult GenerateSecret(const nsACString& aLabel,
+ /* out */ nsACString& aRecoveryPhrase);
+ nsresult SecretAvailable(const nsACString& aLabel,
+ /* out */ bool* aAvailable);
+ nsresult RecoverSecret(const nsACString& aLabel,
+ const nsACString& aRecoveryPhrase);
+ nsresult DeleteSecret(const nsACString& aLabel);
+ nsresult EncryptBytes(const nsACString& aLabel,
+ const std::vector<uint8_t>& aInBytes,
+ /*out*/ nsACString& aEncryptedBase64Text);
+ nsresult DecryptBytes(const nsACString& aLabel,
+ const nsACString& aEncryptedBase64Text,
+ /*out*/ uint32_t* outLen,
+ /*out*/ uint8_t** outBytes);
+
+ private:
+ ~OSKeyStore() = default;
+
+ std::unique_ptr<AbstractOSKeyStore> mKs;
+};
+
+#endif // OSKeyStore_h
diff --git a/security/manager/ssl/OSReauthenticator.cpp b/security/manager/ssl/OSReauthenticator.cpp
new file mode 100644
index 0000000000..b63b8d557f
--- /dev/null
+++ b/security/manager/ssl/OSReauthenticator.cpp
@@ -0,0 +1,562 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OSReauthenticator.h"
+
+#include "OSKeyStore.h"
+#include "nsNetCID.h"
+#include "mozilla/dom/Promise.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/Preferences.h"
+#include "nsComponentManagerUtils.h"
+#include "nsIBaseWindow.h"
+#include "nsIDocShell.h"
+#include "nsISupportsUtils.h"
+#include "nsIWidget.h"
+#include "nsPIDOMWindow.h"
+#include "nsServiceManagerUtils.h"
+#include "nsThreadUtils.h"
+#include "mozilla/ipc/IPCTypes.h"
+
+NS_IMPL_ISUPPORTS(OSReauthenticator, nsIOSReauthenticator)
+
+extern mozilla::LazyLogModule gCredentialManagerSecretLog;
+
+using mozilla::LogLevel;
+using mozilla::Maybe;
+using mozilla::Preferences;
+using mozilla::WindowsHandle;
+using mozilla::dom::Promise;
+
+#define PREF_BLANK_PASSWORD "security.osreauthenticator.blank_password"
+#define PREF_PASSWORD_LAST_CHANGED_LO \
+ "security.osreauthenticator.password_last_changed_lo"
+#define PREF_PASSWORD_LAST_CHANGED_HI \
+ "security.osreauthenticator.password_last_changed_hi"
+
+#if defined(XP_WIN)
+# include <combaseapi.h>
+# include <ntsecapi.h>
+# include <wincred.h>
+# include <windows.h>
+# include "nsIWindowsRegKey.h" // Must be included after <windows.h> for HKEY definition
+# define SECURITY_WIN32
+# include <security.h>
+# include <shlwapi.h>
+# if !defined(__MINGW32__)
+# include <Lm.h>
+# undef ACCESS_READ // nsWindowsRegKey defines its own ACCESS_READ
+# endif // !defined(__MINGW32__)
+struct HandleCloser {
+ typedef HANDLE pointer;
+ void operator()(HANDLE h) {
+ if (h != INVALID_HANDLE_VALUE) {
+ CloseHandle(h);
+ }
+ }
+};
+struct BufferFreer {
+ typedef LPVOID pointer;
+ ULONG mSize;
+ explicit BufferFreer(ULONG size) : mSize(size) {}
+ void operator()(LPVOID b) {
+ SecureZeroMemory(b, mSize);
+ CoTaskMemFree(b);
+ }
+};
+struct LsaDeregistrator {
+ typedef HANDLE pointer;
+ void operator()(HANDLE h) {
+ if (h != INVALID_HANDLE_VALUE) {
+ LsaDeregisterLogonProcess(h);
+ }
+ }
+};
+typedef std::unique_ptr<HANDLE, HandleCloser> ScopedHANDLE;
+typedef std::unique_ptr<LPVOID, BufferFreer> ScopedBuffer;
+typedef std::unique_ptr<HANDLE, LsaDeregistrator> ScopedLsaHANDLE;
+
+constexpr int64_t Int32Modulo = 2147483648;
+
+// Get the token info holding the sid.
+std::unique_ptr<char[]> GetTokenInfo(ScopedHANDLE& token) {
+ DWORD length = 0;
+ // https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-gettokeninformation
+ mozilla::Unused << GetTokenInformation(token.get(), TokenUser, nullptr, 0,
+ &length);
+ if (!length || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Unable to obtain current token info."));
+ return nullptr;
+ }
+ std::unique_ptr<char[]> token_info(new char[length]);
+ if (!GetTokenInformation(token.get(), TokenUser, token_info.get(), length,
+ &length)) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Unable to obtain current token info (second call, possible "
+ "system error."));
+ return nullptr;
+ }
+ return token_info;
+}
+
+std::unique_ptr<char[]> GetUserTokenInfo() {
+ // Get current user sid to make sure the same user got logged in.
+ HANDLE token;
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) {
+ // Couldn't get a process token. This will fail any unlock attempts later.
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Unable to obtain process token."));
+ return nullptr;
+ }
+ ScopedHANDLE scopedToken(token);
+ return GetTokenInfo(scopedToken);
+}
+
+Maybe<int64_t> GetPasswordLastChanged(const WCHAR* username) {
+# if defined(__MINGW32__)
+ // NetUserGetInfo requires Lm.h which is not provided in MinGW builds
+ return mozilla::Nothing();
+# else
+ LPUSER_INFO_1 user_info = NULL;
+ DWORD passwordAgeInSeconds = 0;
+
+ NET_API_STATUS ret =
+ NetUserGetInfo(NULL, username, 1, reinterpret_cast<LPBYTE*>(&user_info));
+
+ if (ret == NERR_Success) {
+ // Returns seconds since last password change.
+ passwordAgeInSeconds = user_info->usri1_password_age;
+ NetApiBufferFree(user_info);
+ } else {
+ return mozilla::Nothing();
+ }
+
+ // Return the time that the password was changed so we can use this
+ // for future comparisons.
+ return mozilla::Some(PR_Now() - passwordAgeInSeconds * PR_USEC_PER_SEC);
+# endif
+}
+
+bool IsAutoAdminLogonEnabled() {
+ // https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
+ nsresult rv;
+ nsCOMPtr<nsIWindowsRegKey> regKey =
+ do_CreateInstance("@mozilla.org/windows-registry-key;1", &rv);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ rv = regKey->Open(
+ nsIWindowsRegKey::ROOT_KEY_LOCAL_MACHINE,
+ nsLiteralString(
+ u"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"),
+ nsIWindowsRegKey::ACCESS_READ);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ nsAutoString value;
+ rv = regKey->ReadStringValue(u"AutoAdminLogon"_ns, value);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+ regKey->Close();
+
+ return value.Equals(u"1"_ns);
+}
+
+bool IsRequireSignonEnabled() {
+ // https://docs.microsoft.com/en-us/windows-hardware/customize/power-settings/no-subgroup-settings-prompt-for-password-on-resume
+ nsresult rv;
+ nsCOMPtr<nsIWindowsRegKey> regKey =
+ do_CreateInstance("@mozilla.org/windows-registry-key;1", &rv);
+ if (NS_FAILED(rv)) {
+ return true;
+ }
+
+ rv = regKey->Open(nsIWindowsRegKey::ROOT_KEY_LOCAL_MACHINE,
+ u"System\\CurrentControlSet\\Control\\Power\\User\\Power"
+ "Schemes"_ns,
+ nsIWindowsRegKey::ACCESS_READ);
+ if (NS_FAILED(rv)) {
+ return true;
+ }
+
+ nsAutoString activePowerScheme;
+ rv = regKey->ReadStringValue(u"ActivePowerScheme"_ns, activePowerScheme);
+ if (NS_FAILED(rv)) {
+ return true;
+ }
+ regKey->Close();
+
+ rv = regKey->Open(nsIWindowsRegKey::ROOT_KEY_LOCAL_MACHINE,
+ u"System\\CurrentControlSet\\Control\\Power\\User\\Power"
+ "Schemes\\"_ns +
+ activePowerScheme +
+ u"\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"_ns,
+ nsIWindowsRegKey::ACCESS_READ);
+ if (NS_FAILED(rv)) {
+ return true;
+ }
+
+ uint32_t value;
+ rv = regKey->ReadIntValue(u"ACSettingIndex"_ns, &value);
+ if (NS_FAILED(rv)) {
+ return true;
+ }
+ regKey->Close();
+
+ return !!value;
+}
+
+// Use the Windows credential prompt to ask the user to authenticate the
+// currently used account.
+static nsresult ReauthenticateUserWindows(
+ const nsAString& aMessageText, const nsAString& aCaptionText,
+ const WindowsHandle& hwndParent,
+ /* out */ bool& reauthenticated,
+ /* inout */ bool& isBlankPassword,
+ /* inout */ int64_t& prefLastChanged,
+ /* out */ bool& isAutoAdminLogonEnabled,
+ /* out */ bool& isRequireSignonEnabled) {
+ reauthenticated = false;
+ isAutoAdminLogonEnabled = false;
+ isRequireSignonEnabled = true;
+
+ // Check if the user has a blank password before proceeding
+ DWORD usernameLength = CREDUI_MAX_USERNAME_LENGTH + 1;
+ WCHAR username[CREDUI_MAX_USERNAME_LENGTH + 1] = {0};
+
+ if (!GetUserNameEx(NameSamCompatible, username, &usernameLength)) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Error getting username"));
+ return NS_ERROR_FAILURE;
+ }
+
+ if (!IsOS(OS_DOMAINMEMBER)) {
+ const WCHAR* usernameNoDomain = username;
+ // Don't include the domain portion of the username when calling LogonUser.
+ LPCWSTR backslash = wcschr(username, L'\\');
+ if (backslash) {
+ usernameNoDomain = backslash + 1;
+ }
+
+ Maybe<int64_t> lastChanged = GetPasswordLastChanged(usernameNoDomain);
+ if (lastChanged.isSome()) {
+ bool shouldCheckAgain = lastChanged.value() > prefLastChanged;
+ // Update the value stored in preferences
+ prefLastChanged = lastChanged.value();
+
+ if (shouldCheckAgain) {
+ HANDLE logonUserHandle = INVALID_HANDLE_VALUE;
+ bool result =
+ LogonUser(usernameNoDomain, L".", L"", LOGON32_LOGON_INTERACTIVE,
+ LOGON32_PROVIDER_DEFAULT, &logonUserHandle);
+ if (result) {
+ CloseHandle(logonUserHandle);
+ }
+ // ERROR_ACCOUNT_RESTRICTION: Indicates a referenced user name and
+ // authentication information are valid, but some user account
+ // restriction has prevented successful authentication (such as
+ // time-of-day restrictions).
+ reauthenticated = isBlankPassword =
+ (result || GetLastError() == ERROR_ACCOUNT_RESTRICTION);
+ } else if (isBlankPassword) {
+ reauthenticated = true;
+ }
+
+ if (reauthenticated) {
+ return NS_OK;
+ }
+ } else {
+ isBlankPassword = false;
+ }
+ } else {
+ // Update any preferences, assuming domain members do not have blank
+ // passwords
+ isBlankPassword = false;
+ }
+
+ isAutoAdminLogonEnabled = IsAutoAdminLogonEnabled();
+
+ isRequireSignonEnabled = IsRequireSignonEnabled();
+
+ // Is used in next iteration if the previous login failed.
+ DWORD err = 0;
+ std::unique_ptr<char[]> userTokenInfo = GetUserTokenInfo();
+
+ // CredUI prompt.
+ CREDUI_INFOW credui = {};
+ credui.cbSize = sizeof(credui);
+ credui.hwndParent = reinterpret_cast<HWND>(hwndParent);
+ const nsString& messageText = PromiseFlatString(aMessageText);
+ credui.pszMessageText = messageText.get();
+ const nsString& captionText = PromiseFlatString(aCaptionText);
+ credui.pszCaptionText = captionText.get();
+ credui.hbmBanner = nullptr; // ignored
+
+ while (!reauthenticated) {
+ HANDLE lsa = INVALID_HANDLE_VALUE;
+ // Get authentication handle for future user authentications.
+ // https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaconnectuntrusted
+ if (LsaConnectUntrusted(&lsa) != ERROR_SUCCESS) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Error acquiring lsa. Authentication attempts will fail."));
+ return NS_ERROR_FAILURE;
+ }
+ ScopedLsaHANDLE scopedLsa(lsa);
+
+ if (!userTokenInfo || lsa == INVALID_HANDLE_VALUE) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Error setting up login and user token."));
+ return NS_ERROR_FAILURE;
+ }
+
+ ULONG authPackage = 0;
+ ULONG outCredSize = 0;
+ LPVOID outCredBuffer = nullptr;
+
+ // Get user's Windows credentials.
+ // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-creduipromptforwindowscredentialsw
+ err = CredUIPromptForWindowsCredentialsW(
+ &credui, err, &authPackage, nullptr, 0, &outCredBuffer, &outCredSize,
+ nullptr, CREDUIWIN_ENUMERATE_CURRENT_USER);
+ ScopedBuffer scopedOutCredBuffer(outCredBuffer, BufferFreer(outCredSize));
+ if (err == ERROR_CANCELLED) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Error getting authPackage for user login, user cancel."));
+ return NS_OK;
+ }
+ if (err != ERROR_SUCCESS) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Error getting authPackage for user login."));
+ return NS_ERROR_FAILURE;
+ }
+
+ // Verify the credentials.
+ TOKEN_SOURCE source;
+ PCHAR contextName = const_cast<PCHAR>("Mozilla");
+ size_t nameLength =
+ std::min(TOKEN_SOURCE_LENGTH, static_cast<int>(strlen(contextName)));
+ // Note that the string must not be longer than TOKEN_SOURCE_LENGTH.
+ memcpy(source.SourceName, contextName, nameLength);
+ // https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-allocatelocallyuniqueid
+ if (!AllocateLocallyUniqueId(&source.SourceIdentifier)) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Error allocating ID for logon process."));
+ return NS_ERROR_FAILURE;
+ }
+
+ NTSTATUS substs;
+ void* profileBuffer = nullptr;
+ ULONG profileBufferLength = 0;
+ QUOTA_LIMITS limits = {0};
+ LUID luid;
+ HANDLE token = INVALID_HANDLE_VALUE;
+ LSA_STRING name;
+ name.Buffer = contextName;
+ name.Length = strlen(name.Buffer);
+ name.MaximumLength = name.Length;
+ // https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsalogonuser
+ NTSTATUS sts = LsaLogonUser(
+ scopedLsa.get(), &name, (SECURITY_LOGON_TYPE)Interactive, authPackage,
+ scopedOutCredBuffer.get(), outCredSize, nullptr, &source,
+ &profileBuffer, &profileBufferLength, &luid, &token, &limits, &substs);
+ ScopedHANDLE scopedToken(token);
+ LsaFreeReturnBuffer(profileBuffer);
+ if (sts == ERROR_SUCCESS) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("User logged in successfully."));
+ } else {
+ err = LsaNtStatusToWinError(sts);
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Login failed with %lx (%lx).", sts, err));
+ continue;
+ }
+
+ // The user can select any user to log-in on the authentication prompt.
+ // Make sure that the logged in user is the current user.
+ std::unique_ptr<char[]> logonTokenInfo = GetTokenInfo(scopedToken);
+ if (!logonTokenInfo) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Error getting logon token info."));
+ return NS_ERROR_FAILURE;
+ }
+ PSID logonSID =
+ reinterpret_cast<TOKEN_USER*>(logonTokenInfo.get())->User.Sid;
+ PSID userSID = reinterpret_cast<TOKEN_USER*>(userTokenInfo.get())->User.Sid;
+ if (EqualSid(userSID, logonSID)) {
+ MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug,
+ ("Login successfully (correct user)."));
+ reauthenticated = true;
+ break;
+ } else {
+ err = ERROR_LOGON_FAILURE;
+ }
+ }
+ return NS_OK;
+}
+#endif // XP_WIN
+
+static nsresult ReauthenticateUser(const nsAString& prompt,
+ const nsAString& caption,
+ const WindowsHandle& hwndParent,
+ /* out */ bool& reauthenticated,
+ /* inout */ bool& isBlankPassword,
+ /* inout */ int64_t& prefLastChanged,
+ /* out */ bool& isAutoAdminLogonEnabled,
+ /* out */ bool& isRequireSignonEnabled) {
+ reauthenticated = false;
+#if defined(XP_WIN)
+ return ReauthenticateUserWindows(
+ prompt, caption, hwndParent, reauthenticated, isBlankPassword,
+ prefLastChanged, isAutoAdminLogonEnabled, isRequireSignonEnabled);
+#elif defined(XP_MACOSX)
+ return ReauthenticateUserMacOS(prompt, reauthenticated, isBlankPassword);
+#else
+ return NS_OK;
+#endif // Reauthentication is not implemented for this platform.
+}
+
+static void BackgroundReauthenticateUser(RefPtr<Promise>& aPromise,
+ const nsAString& aMessageText,
+ const nsAString& aCaptionText,
+ const WindowsHandle& hwndParent,
+ bool isBlankPassword,
+ int64_t prefLastChanged) {
+ nsAutoCString recovery;
+ bool reauthenticated;
+ bool isAutoAdminLogonEnabled;
+ bool isRequireSignonEnabled;
+ nsresult rv = ReauthenticateUser(
+ aMessageText, aCaptionText, hwndParent, reauthenticated, isBlankPassword,
+ prefLastChanged, isAutoAdminLogonEnabled, isRequireSignonEnabled);
+
+ nsTArray<int32_t> prefLastChangedUpdates;
+#if defined(XP_WIN)
+ // Increase the lastChanged time to account for clock skew.
+ prefLastChanged += PR_USEC_PER_SEC;
+ // Need to split the 64bit integer to its hi and lo bits before sending it
+ // back to JS.
+ int32_t prefLastChangedHi = prefLastChanged / Int32Modulo;
+ int32_t prefLastChangedLo = prefLastChanged % Int32Modulo;
+ prefLastChangedUpdates.AppendElement(prefLastChangedHi);
+ prefLastChangedUpdates.AppendElement(prefLastChangedLo);
+#endif
+
+ nsTArray<int32_t> results;
+ results.AppendElement(reauthenticated);
+ results.AppendElement(isBlankPassword);
+#if defined(XP_WIN)
+ results.AppendElement(isAutoAdminLogonEnabled);
+ results.AppendElement(isRequireSignonEnabled);
+#endif
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundReauthenticateUserResolve",
+ [rv, results = std::move(results),
+ prefLastChangedUpdates = std::move(prefLastChangedUpdates),
+ aPromise = std::move(aPromise)]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolve(results);
+ }
+
+ nsresult rv = Preferences::SetBool(PREF_BLANK_PASSWORD, results[1]);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ if (prefLastChangedUpdates.Length() > 1) {
+ rv = Preferences::SetInt(PREF_PASSWORD_LAST_CHANGED_HI,
+ prefLastChangedUpdates[0]);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ Preferences::SetInt(PREF_PASSWORD_LAST_CHANGED_LO,
+ prefLastChangedUpdates[1]);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+NS_IMETHODIMP
+OSReauthenticator::AsyncReauthenticateUser(const nsAString& aMessageText,
+ const nsAString& aCaptionText,
+ mozIDOMWindow* aParentWindow,
+ JSContext* aCx,
+ Promise** promiseOut) {
+ NS_ENSURE_ARG_POINTER(aCx);
+
+ RefPtr<Promise> promiseHandle;
+ nsresult rv = GetPromise(aCx, promiseHandle);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ WindowsHandle hwndParent = 0;
+ if (aParentWindow) {
+ nsPIDOMWindowInner* win = nsPIDOMWindowInner::From(aParentWindow);
+ nsIDocShell* docShell = win->GetDocShell();
+ if (docShell) {
+ nsCOMPtr<nsIBaseWindow> baseWindow = do_QueryInterface(docShell);
+ if (baseWindow) {
+ nsCOMPtr<nsIWidget> widget;
+ baseWindow->GetMainWidget(getter_AddRefs(widget));
+ if (widget) {
+ hwndParent = reinterpret_cast<WindowsHandle>(
+ widget->GetNativeData(NS_NATIVE_WINDOW));
+ }
+ }
+ }
+ }
+
+ int64_t prefLastChanged = 0;
+ bool isBlankPassword = false;
+#if defined(XP_WIN)
+ // These preferences are only supported on Windows.
+ // Preferences are read/write main-thread only.
+ int32_t prefLastChangedLo;
+ int32_t prefLastChangedHi;
+ rv = Preferences::GetBool(PREF_BLANK_PASSWORD, &isBlankPassword);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = Preferences::GetInt(PREF_PASSWORD_LAST_CHANGED_LO, &prefLastChangedLo);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = Preferences::GetInt(PREF_PASSWORD_LAST_CHANGED_HI, &prefLastChangedHi);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ prefLastChanged = prefLastChangedHi * Int32Modulo + prefLastChangedLo;
+#endif
+
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundReauthenticateUser",
+ [promiseHandle, aMessageText = nsAutoString(aMessageText),
+ aCaptionText = nsAutoString(aCaptionText), hwndParent, isBlankPassword,
+ prefLastChanged]() mutable {
+ BackgroundReauthenticateUser(promiseHandle, aMessageText, aCaptionText,
+ hwndParent, isBlankPassword,
+ prefLastChanged);
+ }));
+
+ nsCOMPtr<nsIEventTarget> target(
+ do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID));
+ if (!target) {
+ return NS_ERROR_FAILURE;
+ }
+ rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+
+ promiseHandle.forget(promiseOut);
+ return NS_OK;
+}
diff --git a/security/manager/ssl/OSReauthenticator.h b/security/manager/ssl/OSReauthenticator.h
new file mode 100644
index 0000000000..837dfa91c0
--- /dev/null
+++ b/security/manager/ssl/OSReauthenticator.h
@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef OSReauthenticator_h
+#define OSReauthenticator_h
+
+#include "nsIOSReauthenticator.h"
+
+#define NS_OSREAUTHENTICATOR_CONTRACTID \
+ "@mozilla.org/security/osreauthenticator;1"
+#define NS_OSREAUTHENTICATOR_CID \
+ { \
+ 0x4fe082ae, 0x6ff0, 0x4b41, { \
+ 0xb2, 0x4f, 0xea, 0xa6, 0x64, 0xf6, 0xe4, 0x6a \
+ } \
+ }
+
+class OSReauthenticator : public nsIOSReauthenticator {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIOSREAUTHENTICATOR
+
+ private:
+ virtual ~OSReauthenticator() = default;
+};
+
+#ifdef XP_MACOSX
+nsresult ReauthenticateUserMacOS(const nsAString& aPrompt,
+ /* out */ bool& aReauthenticated,
+ /* out */ bool& aIsBlankPassword);
+#endif // XP_MACOSX
+
+#endif // OSReauthenticator_h
diff --git a/security/manager/ssl/OSReauthenticatorDarwin.mm b/security/manager/ssl/OSReauthenticatorDarwin.mm
new file mode 100644
index 0000000000..5776f60674
--- /dev/null
+++ b/security/manager/ssl/OSReauthenticatorDarwin.mm
@@ -0,0 +1,63 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OSReauthenticator.h"
+
+#include "nsCocoaUtils.h"
+
+using namespace mozilla;
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <LocalAuthentication/LocalAuthentication.h>
+
+static const int32_t kPasswordNotSetErrorCode = -1000;
+
+nsresult ReauthenticateUserMacOS(const nsAString& aPrompt,
+ /* out */ bool& aReauthenticated,
+ /* out */ bool& aIsBlankPassword) {
+ // The idea here is that we ask to be authorized to unlock the user's session.
+ // This should cause a prompt to come up for the user asking them for their
+ // password. If they correctly enter it, we'll set aReauthenticated to true.
+
+ LAContext* context = [[LAContext alloc] init];
+ NSString* prompt = nsCocoaUtils::ToNSString(aPrompt);
+
+ dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+ __block BOOL biometricSuccess = NO; // mark variable r/w across the block
+ __block BOOL errorPasswordNotSet = NO; // mark variable r/w across the block
+
+ // Note: This is an async callback in an already-async Promise chain.
+ [context evaluatePolicy:LAPolicyDeviceOwnerAuthentication
+ localizedReason:prompt
+ reply:^(BOOL success, NSError* error) {
+ dispatch_async(dispatch_get_main_queue(), ^{
+ // error is not particularly useful in this context, and
+ // we have no mechanism to really return it. We could
+ // use it to set the nsresult, but this is a best-effort
+ // mechanism and there's no particular case for
+ // propagating up XPCOM. The one exception being a user
+ // account that has no passcode set, which we handle
+ // below.
+ errorPasswordNotSet =
+ error && [error code] == kPasswordNotSetErrorCode;
+ biometricSuccess = success || errorPasswordNotSet;
+ dispatch_semaphore_signal(sema);
+ });
+ }];
+
+ // What we want to do here is convert this into a blocking call, since
+ // our calling methods expect us to block and set aReauthenticated on return.
+ dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
+ dispatch_release(sema);
+ sema = NULL;
+
+ aReauthenticated = biometricSuccess;
+ aIsBlankPassword = errorPasswordNotSet;
+
+ [context release];
+ return NS_OK;
+}
diff --git a/security/manager/ssl/PIPCClientCerts.ipdl b/security/manager/ssl/PIPCClientCerts.ipdl
new file mode 100644
index 0000000000..5adecae93d
--- /dev/null
+++ b/security/manager/ssl/PIPCClientCerts.ipdl
@@ -0,0 +1,32 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+include PSMIPCTypes;
+
+using mozilla::OriginAttributes from "mozilla/ipc/BackgroundUtils.h";
+
+namespace mozilla {
+namespace psm {
+
+[ChildProc=Socket]
+sync protocol PIPCClientCerts
+{
+parent:
+ // Called from the socket process to the parent process to find client
+ // certificates and associated keys.
+ sync FindObjects() returns (IPCClientCertObject[] aObjects);
+
+ // Called from the socket process to the parent process to sign the given
+ // data with the given parameters using the key associated with the given
+ // certificate. Used when a TLS server requests a client authentication
+ // certificate.
+ sync Sign(ByteArray aCert, ByteArray aData, ByteArray aParams)
+ returns (ByteArray aSignature);
+
+ async __delete__();
+};
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/PKCS11ModuleDB.cpp b/security/manager/ssl/PKCS11ModuleDB.cpp
new file mode 100644
index 0000000000..3825abb8b2
--- /dev/null
+++ b/security/manager/ssl/PKCS11ModuleDB.cpp
@@ -0,0 +1,184 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "PKCS11ModuleDB.h"
+
+#include "ScopedNSSTypes.h"
+#include "nsComponentManagerUtils.h"
+#include "nsIMutableArray.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSComponent.h"
+#include "nsNativeCharsetUtils.h"
+#include "nsPKCS11Slot.h"
+#include "nsServiceManagerUtils.h"
+
+namespace mozilla {
+namespace psm {
+
+NS_IMPL_ISUPPORTS(PKCS11ModuleDB, nsIPKCS11ModuleDB)
+
+// Convert the UTF16 name of the module as it appears to the user to the
+// internal representation. For most modules this just involves converting from
+// UTF16 to UTF8. For the builtin root module, it also involves mapping from the
+// localized name to the internal, non-localized name.
+static nsresult NormalizeModuleNameIn(const nsAString& moduleNameIn,
+ nsCString& moduleNameOut) {
+ nsAutoString localizedRootModuleName;
+ nsresult rv =
+ GetPIPNSSBundleString("RootCertModuleName", localizedRootModuleName);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (moduleNameIn.Equals(localizedRootModuleName)) {
+ moduleNameOut.Assign(kRootModuleName);
+ return NS_OK;
+ }
+ moduleNameOut.Assign(NS_ConvertUTF16toUTF8(moduleNameIn));
+ return NS_OK;
+}
+
+// Delete a PKCS11 module from the user's profile.
+NS_IMETHODIMP
+PKCS11ModuleDB::DeleteModule(const nsAString& aModuleName) {
+ if (aModuleName.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsAutoCString moduleNameNormalized;
+ nsresult rv = NormalizeModuleNameIn(aModuleName, moduleNameNormalized);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // modType is an output variable. We ignore it.
+ int32_t modType;
+ SECStatus srv = SECMOD_DeleteModule(moduleNameNormalized.get(), &modType);
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+// Add a new PKCS11 module to the user's profile.
+NS_IMETHODIMP
+PKCS11ModuleDB::AddModule(const nsAString& aModuleName,
+ const nsAString& aLibraryFullPath,
+ int32_t aCryptoMechanismFlags, int32_t aCipherFlags) {
+ if (aModuleName.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ // "Root Certs" is the name some NSS command-line utilities will give the
+ // roots module if they decide to load it when there happens to be a
+ // `MOZ_DLL_PREFIX "nssckbi" MOZ_DLL_SUFFIX` file in the directory being
+ // operated on. This causes failures, so as a workaround, the PSM
+ // initialization code will unconditionally remove any module named "Root
+ // Certs". We should prevent the user from adding an unrelated module named
+ // "Root Certs" in the first place so PSM doesn't delete it. See bug 1406396.
+ if (aModuleName.EqualsLiteral("Root Certs")) {
+ return NS_ERROR_ILLEGAL_VALUE;
+ }
+
+ // There appears to be a deadlock if we try to load modules concurrently, so
+ // just wait until the loadable roots module has been loaded.
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsAutoCString moduleNameNormalized;
+ rv = NormalizeModuleNameIn(aModuleName, moduleNameNormalized);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsCString fullPath;
+ CopyUTF16toUTF8(aLibraryFullPath, fullPath);
+ uint32_t mechFlags = SECMOD_PubMechFlagstoInternal(aCryptoMechanismFlags);
+ uint32_t cipherFlags = SECMOD_PubCipherFlagstoInternal(aCipherFlags);
+ SECStatus srv = SECMOD_AddNewModule(moduleNameNormalized.get(),
+ fullPath.get(), mechFlags, cipherFlags);
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
+ if (!array) {
+ return NS_ERROR_FAILURE;
+ }
+
+ /* lock down the list for reading */
+ AutoSECMODListReadLock lock;
+ for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
+ list = list->next) {
+ nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module);
+ nsresult rv = array->AppendElement(module);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ /* Get the modules in the database that didn't load */
+ for (SECMODModuleList* list = SECMOD_GetDeadModuleList(); list;
+ list = list->next) {
+ nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module);
+ nsresult rv = array->AppendElement(module);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ return array->Enumerate(_retval, NS_GET_IID(nsIPKCS11Module));
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS) {
+ NS_ENSURE_ARG_POINTER(aCanToggleFIPS);
+
+ *aCanToggleFIPS = SECMOD_CanDeleteInternalModule();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::ToggleFIPSMode() {
+ // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we
+ // delete the internal module, and it gets replaced with the opposite module
+ // (i.e. if it was FIPS before, then it becomes non-FIPS next).
+ // SECMOD_GetInternalModule() returns a pointer to a local copy of the
+ // internal module stashed in NSS. We don't want to delete it since it will
+ // cause much pain in NSS.
+ SECMODModule* internal = SECMOD_GetInternalModule();
+ if (!internal) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (SECMOD_DeleteInternalModule(internal->commonName) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled) {
+ NS_ENSURE_ARG_POINTER(aIsFIPSEnabled);
+
+ *aIsFIPSEnabled = PK11_IsFIPS();
+ return NS_OK;
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/PKCS11ModuleDB.h b/security/manager/ssl/PKCS11ModuleDB.h
new file mode 100644
index 0000000000..c167afe410
--- /dev/null
+++ b/security/manager/ssl/PKCS11ModuleDB.h
@@ -0,0 +1,35 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef PKCS11ModuleDB_h
+#define PKCS11ModuleDB_h
+
+#include "nsIPKCS11ModuleDB.h"
+
+namespace mozilla {
+namespace psm {
+
+#define NS_PKCS11MODULEDB_CID \
+ { \
+ 0xff9fbcd7, 0x9517, 0x4334, { \
+ 0xb9, 0x7a, 0xce, 0xed, 0x78, 0x90, 0x99, 0x74 \
+ } \
+ }
+
+class PKCS11ModuleDB : public nsIPKCS11ModuleDB {
+ public:
+ PKCS11ModuleDB() = default;
+
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIPKCS11MODULEDB
+
+ protected:
+ virtual ~PKCS11ModuleDB() = default;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // PKCS11ModuleDB_h
diff --git a/security/manager/ssl/PSMIPCTypes.ipdlh b/security/manager/ssl/PSMIPCTypes.ipdlh
new file mode 100644
index 0000000000..54bce317c2
--- /dev/null
+++ b/security/manager/ssl/PSMIPCTypes.ipdlh
@@ -0,0 +1,51 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 ft=cpp : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+namespace mozilla {
+namespace psm {
+
+struct ByteArray{
+ uint8_t[] data;
+};
+
+// For ECKey, RSAKey, and Certificate, slotType indicates which slot this object
+// should exist on:
+// 1: modern (supports EC, RSA-PSS)
+// 2: legacy (only supports RSA PKCS#1v1.5)
+
+struct ECKey{
+ uint8_t[] params; // the EC point representing this key
+ uint8_t[] cert; // the encoded certificate containing this key
+ uint32_t slotType;
+};
+
+struct RSAKey{
+ uint8_t[] modulus; // the modulus of this RSA key
+ uint8_t[] cert; // the encoded certificate containing this key
+ uint32_t slotType;
+};
+
+struct Certificate{
+ uint8_t[] der; // the encoding of this certificate
+ uint32_t slotType;
+};
+
+// Helper type for sending keys and certificates over IPC for use by IPC client
+// certs.
+union IPCClientCertObject{
+ ECKey;
+ RSAKey;
+ Certificate;
+};
+
+struct DelegatedCredentialInfoArg {
+ uint32_t scheme;
+ uint32_t authKeyBits;
+};
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/PSMRunnable.cpp b/security/manager/ssl/PSMRunnable.cpp
new file mode 100644
index 0000000000..b962f52af3
--- /dev/null
+++ b/security/manager/ssl/PSMRunnable.cpp
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "PSMRunnable.h"
+
+namespace mozilla {
+namespace psm {
+
+SyncRunnableBase::SyncRunnableBase()
+ : Runnable("psm::SyncRunnableBase"), monitor("SyncRunnableBase::monitor") {}
+
+nsresult SyncRunnableBase::DispatchToMainThreadAndWait() {
+ nsresult rv;
+ if (NS_IsMainThread()) {
+ RunOnTargetThread();
+ rv = NS_OK;
+ } else {
+ mozilla::MonitorAutoLock lock(monitor);
+ rv = NS_DispatchToMainThread(this);
+ if (NS_SUCCEEDED(rv)) {
+ lock.Wait();
+ }
+ }
+
+ return rv;
+}
+
+NS_IMETHODIMP
+SyncRunnableBase::Run() {
+ RunOnTargetThread();
+ mozilla::MonitorAutoLock(monitor).Notify();
+ return NS_OK;
+}
+
+nsresult NotifyObserverRunnable::Run() {
+ mObserver->Observe(nullptr, mTopic, nullptr);
+ return NS_OK;
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/PSMRunnable.h b/security/manager/ssl/PSMRunnable.h
new file mode 100644
index 0000000000..faafb14c60
--- /dev/null
+++ b/security/manager/ssl/PSMRunnable.h
@@ -0,0 +1,49 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef PSMRunnable_h
+#define PSMRunnable_h
+
+#include "mozilla/Monitor.h"
+#include "nsThreadUtils.h"
+#include "nsIObserver.h"
+#include "nsProxyRelease.h"
+
+namespace mozilla {
+namespace psm {
+
+// Wait for the event to run on the target thread without spinning the event
+// loop on the calling thread. (Dispatching events to a thread using
+// NS_DispatchAndSpinEventLoopUntilComplete would cause the event loop on the
+// calling thread to spin.)
+class SyncRunnableBase : public Runnable {
+ public:
+ NS_DECL_NSIRUNNABLE
+ nsresult DispatchToMainThreadAndWait();
+
+ protected:
+ SyncRunnableBase();
+ virtual void RunOnTargetThread() = 0;
+
+ private:
+ mozilla::Monitor monitor MOZ_UNANNOTATED;
+};
+
+class NotifyObserverRunnable : public Runnable {
+ public:
+ NotifyObserverRunnable(nsIObserver* observer, const char* topicStringLiteral)
+ : Runnable("psm::NotifyObserverRunnable"),
+ mObserver(new nsMainThreadPtrHolder<nsIObserver>(
+ "psm::NotifyObserverRunnable::mObserver", observer)),
+ mTopic(topicStringLiteral) {}
+ NS_DECL_NSIRUNNABLE
+ private:
+ nsMainThreadPtrHandle<nsIObserver> mObserver;
+ const char* const mTopic;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif
diff --git a/security/manager/ssl/PSelectTLSClientAuthCert.ipdl b/security/manager/ssl/PSelectTLSClientAuthCert.ipdl
new file mode 100644
index 0000000000..bca7c543d8
--- /dev/null
+++ b/security/manager/ssl/PSelectTLSClientAuthCert.ipdl
@@ -0,0 +1,24 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 ft=cpp : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+include PSMIPCTypes;
+
+namespace mozilla {
+namespace psm {
+
+[ChildProc=Socket]
+protocol PSelectTLSClientAuthCert
+{
+child:
+ async TLSClientAuthCertSelected(ByteArray aSelectedCertBytes,
+ ByteArray[] aSelectedCertChainBytes);
+
+ async __delete__();
+};
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/PVerifySSLServerCert.ipdl b/security/manager/ssl/PVerifySSLServerCert.ipdl
new file mode 100644
index 0000000000..92a14160ce
--- /dev/null
+++ b/security/manager/ssl/PVerifySSLServerCert.ipdl
@@ -0,0 +1,31 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 ft=cpp : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+include PSMIPCTypes;
+
+using mozilla::OriginAttributes from "mozilla/ipc/BackgroundUtils.h";
+
+namespace mozilla {
+namespace psm {
+
+[ChildProc=Socket]
+protocol PVerifySSLServerCert
+{
+child:
+ async OnVerifiedSSLServerCertSuccess(ByteArray[] aBuiltCertChain,
+ uint16_t aCertTransparencyStatus,
+ uint8_t aEVStatus,
+ bool isBuiltCertChainRootBuiltInRoot, bool aMadeOCSPRequests);
+
+ async OnVerifiedSSLServerCertFailure(int32_t aFinalError,
+ uint32_t aOverridableErrorCategory, bool aMadeOCSPRequests);
+
+ async __delete__();
+};
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/PublicKeyPinningService.cpp b/security/manager/ssl/PublicKeyPinningService.cpp
new file mode 100644
index 0000000000..e3d02ce326
--- /dev/null
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@@ -0,0 +1,393 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "PublicKeyPinningService.h"
+
+#include "RootCertificateTelemetryUtils.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Base64.h"
+#include "mozilla/BinarySearch.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Span.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "mozilla/Telemetry.h"
+#include "nsDependentString.h"
+#include "nsServiceManagerUtils.h"
+#include "nsSiteSecurityService.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixutil.h"
+#include "seccomon.h"
+#include "sechash.h"
+
+#include "StaticHPKPins.h" // autogenerated by genHPKPStaticpins.js
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::psm;
+
+LazyLogModule gPublicKeyPinningLog("PublicKeyPinningService");
+
+NS_IMPL_ISUPPORTS(PublicKeyPinningService, nsIPublicKeyPinningService)
+
+enum class PinningMode : uint32_t {
+ Disabled = 0,
+ AllowUserCAMITM = 1,
+ Strict = 2,
+ EnforceTestMode = 3
+};
+
+PinningMode GetPinningMode() {
+ PinningMode pinningMode = static_cast<PinningMode>(
+ StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly());
+ switch (pinningMode) {
+ case PinningMode::Disabled:
+ return PinningMode::Disabled;
+ case PinningMode::AllowUserCAMITM:
+ return PinningMode::AllowUserCAMITM;
+ case PinningMode::Strict:
+ return PinningMode::Strict;
+ case PinningMode::EnforceTestMode:
+ return PinningMode::EnforceTestMode;
+ default:
+ return PinningMode::Disabled;
+ }
+}
+
+/**
+ Computes in the location specified by base64Out the SHA256 digest
+ of the DER Encoded subject Public Key Info for the given cert
+*/
+static nsresult GetBase64HashSPKI(const BackCert& cert,
+ nsACString& hashSPKIDigest) {
+ Input derPublicKey = cert.GetSubjectPublicKeyInfo();
+
+ hashSPKIDigest.Truncate();
+ nsTArray<uint8_t> digestArray;
+ nsresult nsrv =
+ Digest::DigestBuf(SEC_OID_SHA256, derPublicKey.UnsafeGetData(),
+ derPublicKey.GetLength(), digestArray);
+ if (NS_FAILED(nsrv)) {
+ return nsrv;
+ }
+ return Base64Encode(nsDependentCSubstring(
+ BitwiseCast<char*, uint8_t*>(digestArray.Elements()),
+ digestArray.Length()),
+ hashSPKIDigest);
+}
+
+/*
+ * Sets certMatchesPinset to true if a given cert matches any fingerprints from
+ * the given pinset and false otherwise.
+ */
+static nsresult EvalCert(const BackCert& cert,
+ const StaticFingerprints* fingerprints,
+ /*out*/ bool& certMatchesPinset) {
+ certMatchesPinset = false;
+ if (!fingerprints) {
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: No hashes found\n"));
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsAutoCString base64Out;
+ nsresult rv = GetBase64HashSPKI(cert, base64Out);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: GetBase64HashSPKI failed!\n"));
+ return rv;
+ }
+
+ if (fingerprints) {
+ for (size_t i = 0; i < fingerprints->size; i++) {
+ if (base64Out.Equals(fingerprints->data[i])) {
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: found pin base_64 ='%s'\n", base64Out.get()));
+ certMatchesPinset = true;
+ return NS_OK;
+ }
+ }
+ }
+ return NS_OK;
+}
+
+/*
+ * Sets certListIntersectsPinset to true if a given chain matches any
+ * fingerprints from the given static fingerprints and false otherwise.
+ */
+static nsresult EvalChain(const nsTArray<Span<const uint8_t>>& derCertList,
+ const StaticFingerprints* fingerprints,
+ /*out*/ bool& certListIntersectsPinset) {
+ certListIntersectsPinset = false;
+ if (!fingerprints) {
+ MOZ_ASSERT(false, "Must pass in at least one type of pinset");
+ return NS_ERROR_FAILURE;
+ }
+
+ EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity;
+ for (const auto& cert : derCertList) {
+ Input certInput;
+ mozilla::pkix::Result rv = certInput.Init(cert.data(), cert.size());
+ if (rv != mozilla::pkix::Result::Success) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ BackCert backCert(certInput, endEntityOrCA, nullptr);
+ rv = backCert.Init();
+ if (rv != mozilla::pkix::Result::Success) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsresult nsrv = EvalCert(backCert, fingerprints, certListIntersectsPinset);
+ if (NS_FAILED(nsrv)) {
+ return nsrv;
+ }
+ if (certListIntersectsPinset) {
+ break;
+ }
+ endEntityOrCA = EndEntityOrCA::MustBeCA;
+ }
+
+ if (!certListIntersectsPinset) {
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: no matches found\n"));
+ }
+ return NS_OK;
+}
+
+class TransportSecurityPreloadBinarySearchComparator {
+ public:
+ explicit TransportSecurityPreloadBinarySearchComparator(
+ const char* aTargetHost)
+ : mTargetHost(aTargetHost) {}
+
+ int operator()(const TransportSecurityPreload& val) const {
+ return strcmp(mTargetHost, val.mHost);
+ }
+
+ private:
+ const char* mTargetHost; // non-owning
+};
+
+#ifdef DEBUG
+static Atomic<bool> sValidatedPinningPreloadList(false);
+
+static void ValidatePinningPreloadList() {
+ if (sValidatedPinningPreloadList) {
+ return;
+ }
+ for (const auto& entry : kPublicKeyPinningPreloadList) {
+ // If and only if a static entry is a Mozilla entry, it has a telemetry ID.
+ MOZ_ASSERT((entry.mIsMoz && entry.mId != kUnknownId) ||
+ (!entry.mIsMoz && entry.mId == kUnknownId));
+ }
+ sValidatedPinningPreloadList = true;
+}
+#endif // DEBUG
+
+// Returns via one of the output parameters the most relevant pinning
+// information that is valid for the given host at the given time.
+static nsresult FindPinningInformation(
+ const char* hostname, mozilla::pkix::Time time,
+ /*out*/ const TransportSecurityPreload*& staticFingerprints) {
+#ifdef DEBUG
+ ValidatePinningPreloadList();
+#endif
+ if (!hostname || hostname[0] == 0) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ staticFingerprints = nullptr;
+ const TransportSecurityPreload* foundEntry = nullptr;
+ const char* evalHost = hostname;
+ const char* evalPart;
+ // Notice how the (xx = strchr) prevents pins for unqualified domain names.
+ while (!foundEntry && (evalPart = strchr(evalHost, '.'))) {
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: Querying pinsets for host: '%s'\n", evalHost));
+ size_t foundEntryIndex;
+ if (BinarySearchIf(kPublicKeyPinningPreloadList, 0,
+ ArrayLength(kPublicKeyPinningPreloadList),
+ TransportSecurityPreloadBinarySearchComparator(evalHost),
+ &foundEntryIndex)) {
+ foundEntry = &kPublicKeyPinningPreloadList[foundEntryIndex];
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: Found pinset for host: '%s'\n", evalHost));
+ if (evalHost != hostname) {
+ if (!foundEntry->mIncludeSubdomains) {
+ // Does not apply to this host, continue iterating
+ foundEntry = nullptr;
+ }
+ }
+ } else {
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: Didn't find pinset for host: '%s'\n", evalHost));
+ }
+ // Add one for '.'
+ evalHost = evalPart + 1;
+ }
+
+ if (foundEntry && foundEntry->pinset) {
+ if (time > TimeFromEpochInSeconds(kPreloadPKPinsExpirationTime /
+ PR_USEC_PER_SEC)) {
+ return NS_OK;
+ }
+ staticFingerprints = foundEntry;
+ }
+ return NS_OK;
+}
+
+// Returns true via the output parameter if the given certificate list meets
+// pinning requirements for the given host at the given time. It must be the
+// case that either there is an intersection between the set of hashes of
+// subject public key info data in the list and the most relevant non-expired
+// pinset for the host or there is no pinning information for the host.
+static nsresult CheckPinsForHostname(
+ const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
+ bool enforceTestMode, mozilla::pkix::Time time,
+ /*out*/ bool& chainHasValidPins,
+ /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
+ chainHasValidPins = false;
+ if (certList.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ if (!hostname || hostname[0] == 0) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ const TransportSecurityPreload* staticFingerprints = nullptr;
+ nsresult rv = FindPinningInformation(hostname, time, staticFingerprints);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // If we have no pinning information, the certificate chain trivially
+ // validates with respect to pinning.
+ if (!staticFingerprints) {
+ chainHasValidPins = true;
+ return NS_OK;
+ }
+ if (staticFingerprints) {
+ bool enforceTestModeResult;
+ rv = EvalChain(certList, staticFingerprints->pinset, enforceTestModeResult);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ chainHasValidPins = enforceTestModeResult;
+ if (staticFingerprints->mTestMode && !enforceTestMode) {
+ chainHasValidPins = true;
+ }
+
+ if (pinningTelemetryInfo) {
+ // If and only if a static entry is a Mozilla entry, it has a telemetry
+ // ID.
+ if ((staticFingerprints->mIsMoz &&
+ staticFingerprints->mId == kUnknownId) ||
+ (!staticFingerprints->mIsMoz &&
+ staticFingerprints->mId != kUnknownId)) {
+ return NS_ERROR_FAILURE;
+ }
+
+ Telemetry::HistogramID histogram;
+ int32_t bucket;
+ // We can collect per-host pinning violations for this host because it is
+ // operationally critical to Firefox.
+ if (staticFingerprints->mIsMoz) {
+ histogram = staticFingerprints->mTestMode
+ ? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST
+ : Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST;
+ bucket = staticFingerprints->mId * 2 + (enforceTestModeResult ? 1 : 0);
+ } else {
+ histogram = staticFingerprints->mTestMode
+ ? Telemetry::CERT_PINNING_TEST_RESULTS
+ : Telemetry::CERT_PINNING_RESULTS;
+ bucket = enforceTestModeResult ? 1 : 0;
+ }
+ pinningTelemetryInfo->accumulateResult = true;
+ pinningTelemetryInfo->certPinningResultHistogram = Some(histogram);
+ pinningTelemetryInfo->certPinningResultBucket = bucket;
+
+ // We only collect per-CA pinning statistics upon failures.
+ if (!enforceTestModeResult) {
+ int32_t binNumber = RootCABinNumber(certList.LastElement());
+ if (binNumber != ROOT_CERTIFICATE_UNKNOWN) {
+ pinningTelemetryInfo->accumulateForRoot = true;
+ pinningTelemetryInfo->rootBucket = binNumber;
+ }
+ }
+ }
+
+ MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+ ("pkpin: Pin check %s for %s host '%s' (mode=%s)\n",
+ enforceTestModeResult ? "passed" : "failed",
+ staticFingerprints->mIsMoz ? "mozilla" : "non-mozilla", hostname,
+ staticFingerprints->mTestMode ? "test" : "production"));
+ }
+
+ return NS_OK;
+}
+
+nsresult PublicKeyPinningService::ChainHasValidPins(
+ const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
+ mozilla::pkix::Time time, bool isBuiltInRoot,
+ /*out*/ bool& chainHasValidPins,
+ /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
+ PinningMode pinningMode(GetPinningMode());
+ if (pinningMode == PinningMode::Disabled ||
+ (!isBuiltInRoot && pinningMode == PinningMode::AllowUserCAMITM)) {
+ chainHasValidPins = true;
+ return NS_OK;
+ }
+
+ chainHasValidPins = false;
+ if (certList.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ if (!hostname || hostname[0] == 0) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
+ bool enforceTestMode = pinningMode == PinningMode::EnforceTestMode;
+ return CheckPinsForHostname(certList, canonicalizedHostname.get(),
+ enforceTestMode, time, chainHasValidPins,
+ pinningTelemetryInfo);
+}
+
+NS_IMETHODIMP
+PublicKeyPinningService::HostHasPins(nsIURI* aURI, bool* hostHasPins) {
+ NS_ENSURE_ARG(aURI);
+ NS_ENSURE_ARG(hostHasPins);
+ *hostHasPins = false;
+ PinningMode pinningMode(GetPinningMode());
+ if (pinningMode == PinningMode::Disabled) {
+ return NS_OK;
+ }
+ nsAutoCString hostname;
+ nsresult rv = nsSiteSecurityService::GetHost(aURI, hostname);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (nsSiteSecurityService::HostIsIPAddress(hostname)) {
+ return NS_OK;
+ }
+
+ const TransportSecurityPreload* staticFingerprints = nullptr;
+ rv = FindPinningInformation(hostname.get(), Now(), staticFingerprints);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (staticFingerprints) {
+ *hostHasPins = !staticFingerprints->mTestMode ||
+ pinningMode == PinningMode::EnforceTestMode;
+ }
+ return NS_OK;
+}
+
+nsAutoCString PublicKeyPinningService::CanonicalizeHostname(
+ const char* hostname) {
+ nsAutoCString canonicalizedHostname(hostname);
+ ToLowerCase(canonicalizedHostname);
+ while (canonicalizedHostname.Length() > 0 &&
+ canonicalizedHostname.Last() == '.') {
+ canonicalizedHostname.Truncate(canonicalizedHostname.Length() - 1);
+ }
+ return canonicalizedHostname;
+}
diff --git a/security/manager/ssl/PublicKeyPinningService.h b/security/manager/ssl/PublicKeyPinningService.h
new file mode 100644
index 0000000000..46bcf01d18
--- /dev/null
+++ b/security/manager/ssl/PublicKeyPinningService.h
@@ -0,0 +1,54 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef PublicKeyPinningService_h
+#define PublicKeyPinningService_h
+
+#include "CertVerifier.h"
+#include "nsIPublicKeyPinningService.h"
+#include "nsString.h"
+#include "nsTArray.h"
+#include "mozilla/Span.h"
+#include "mozpkix/Time.h"
+
+namespace mozilla {
+namespace psm {
+
+class PublicKeyPinningService final : public nsIPublicKeyPinningService {
+ public:
+ PublicKeyPinningService() = default;
+
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIPUBLICKEYPINNINGSERVICE
+
+ /**
+ * Sets chainHasValidPins to true if the given (host, certList) passes pinning
+ * checks, or to false otherwise. If the host is pinned, returns true via
+ * chainHasValidPins if one of the keys in the given certificate chain matches
+ * the pin set specified by the hostname. The certList's head is the EE cert
+ * and the tail is the trust anchor.
+ * Note: if an alt name is a wildcard, it won't necessarily find a pinset
+ * that would otherwise be valid for it
+ */
+ static nsresult ChainHasValidPins(
+ const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
+ mozilla::pkix::Time time, bool isBuiltInRoot,
+ /*out*/ bool& chainHasValidPins,
+ /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
+
+ /**
+ * Given a hostname of potentially mixed case with potentially multiple
+ * trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
+ * trailing '.'.
+ */
+ static nsAutoCString CanonicalizeHostname(const char* hostname);
+
+ private:
+ ~PublicKeyPinningService() = default;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // PublicKeyPinningService_h
diff --git a/security/manager/ssl/PublicSSL.h b/security/manager/ssl/PublicSSL.h
new file mode 100644
index 0000000000..06a67fac5f
--- /dev/null
+++ b/security/manager/ssl/PublicSSL.h
@@ -0,0 +1,24 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_SSL_h
+#define mozilla_SSL_h
+
+namespace mozilla {
+
+void ClearPrivateSSLState();
+
+namespace psm {
+
+void InitializeSSLServerCertVerificationThreads();
+void StopSSLServerCertVerificationThreads();
+void DisableMD5();
+nsresult InitializeCipherSuite();
+
+} // namespace psm
+} // namespace mozilla
+
+#endif
diff --git a/security/manager/ssl/RemoteSecuritySettings.sys.mjs b/security/manager/ssl/RemoteSecuritySettings.sys.mjs
new file mode 100644
index 0000000000..5283a21a3c
--- /dev/null
+++ b/security/manager/ssl/RemoteSecuritySettings.sys.mjs
@@ -0,0 +1,709 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { RemoteSettings } from "resource://services-settings/remote-settings.sys.mjs";
+
+import { X509 } from "resource://gre/modules/psm/X509.sys.mjs";
+
+const SECURITY_STATE_BUCKET = "security-state";
+const SECURITY_STATE_SIGNER = "onecrl.content-signature.mozilla.org";
+
+const INTERMEDIATES_DL_PER_POLL_PREF =
+ "security.remote_settings.intermediates.downloads_per_poll";
+const INTERMEDIATES_DL_PARALLEL_REQUESTS =
+ "security.remote_settings.intermediates.parallel_downloads";
+const INTERMEDIATES_ENABLED_PREF =
+ "security.remote_settings.intermediates.enabled";
+const LOGLEVEL_PREF = "browser.policies.loglevel";
+
+const CRLITE_FILTERS_ENABLED_PREF =
+ "security.remote_settings.crlite_filters.enabled";
+
+const lazy = {};
+
+ChromeUtils.defineLazyGetter(lazy, "gTextDecoder", () => new TextDecoder());
+
+ChromeUtils.defineLazyGetter(lazy, "log", () => {
+ let { ConsoleAPI } = ChromeUtils.importESModule(
+ "resource://gre/modules/Console.sys.mjs"
+ );
+ return new ConsoleAPI({
+ prefix: "RemoteSecuritySettings.jsm",
+ // tip: set maxLogLevel to "debug" and use log.debug() to create detailed
+ // messages during development. See LOG_LEVELS in Console.sys.mjs for details.
+ maxLogLevel: "error",
+ maxLogLevelPref: LOGLEVEL_PREF,
+ });
+});
+
+// Converts a JS string to an array of bytes consisting of the char code at each
+// index in the string.
+function stringToBytes(s) {
+ let b = [];
+ for (let i = 0; i < s.length; i++) {
+ b.push(s.charCodeAt(i));
+ }
+ return b;
+}
+
+// Converts an array of bytes to a JS string using fromCharCode on each byte.
+function bytesToString(bytes) {
+ if (bytes.length > 65535) {
+ throw new Error("input too long for bytesToString");
+ }
+ return String.fromCharCode.apply(null, bytes);
+}
+
+class CRLiteCoverage {
+ constructor(b64LogID, minTimestamp, maxTimestamp) {
+ this.b64LogID = b64LogID;
+ this.minTimestamp = minTimestamp;
+ this.maxTimestamp = maxTimestamp;
+ }
+}
+CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([
+ "nsICRLiteCoverage",
+]);
+
+class CertInfo {
+ constructor(cert, subject) {
+ this.cert = cert;
+ this.subject = subject;
+ this.trust = Ci.nsICertStorage.TRUST_INHERIT;
+ }
+}
+CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]);
+
+class RevocationState {
+ constructor(state) {
+ this.state = state;
+ }
+}
+
+class IssuerAndSerialRevocationState extends RevocationState {
+ constructor(issuer, serial, state) {
+ super(state);
+ this.issuer = issuer;
+ this.serial = serial;
+ }
+}
+IssuerAndSerialRevocationState.prototype.QueryInterface =
+ ChromeUtils.generateQI(["nsIIssuerAndSerialRevocationState"]);
+
+class SubjectAndPubKeyRevocationState extends RevocationState {
+ constructor(subject, pubKey, state) {
+ super(state);
+ this.subject = subject;
+ this.pubKey = pubKey;
+ }
+}
+SubjectAndPubKeyRevocationState.prototype.QueryInterface =
+ ChromeUtils.generateQI(["nsISubjectAndPubKeyRevocationState"]);
+
+function setRevocations(certStorage, revocations) {
+ return new Promise(resolve =>
+ certStorage.setRevocations(revocations, resolve)
+ );
+}
+
+/**
+ * Helper function that returns a promise that will resolve with whether or not
+ * the nsICertStorage implementation has prior data of the given type.
+ *
+ * @param {Integer} dataType a Ci.nsICertStorage.DATA_TYPE_* constant
+ * indicating the type of data
+
+ * @returns {Promise} a promise that will resolve with true if the data type is
+ * present
+ */
+function hasPriorData(dataType) {
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ return new Promise(resolve => {
+ certStorage.hasPriorData(dataType, (rv, hasPriorData) => {
+ if (rv == Cr.NS_OK) {
+ resolve(hasPriorData);
+ } else {
+ // If calling hasPriorData failed, assume we need to reload everything
+ // (even though it's unlikely doing so will succeed).
+ resolve(false);
+ }
+ });
+ });
+}
+
+/**
+ * Revoke the appropriate certificates based on the records from the blocklist.
+ *
+ * @param {object} options
+ * @param {object} options.data Current records in the local db.
+ * @param {Array} options.data.current
+ * @param {Array} options.data.created
+ * @param {Array} options.data.updated
+ * @param {Array} options.data.deleted
+ */
+const updateCertBlocklist = async function ({
+ data: { current, created, updated, deleted },
+}) {
+ let items = [];
+
+ // See if we have prior revocation data (this can happen when we can't open
+ // the database and we have to re-create it (see bug 1546361)).
+ let hasPriorRevocationData = await hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION
+ );
+
+ // If we don't have prior data, make it so we re-load everything.
+ if (!hasPriorRevocationData) {
+ deleted = [];
+ updated = [];
+ created = current;
+ }
+
+ let toDelete = deleted.concat(updated.map(u => u.old));
+ for (let item of toDelete) {
+ if (item.issuerName && item.serialNumber) {
+ items.push(
+ new IssuerAndSerialRevocationState(
+ item.issuerName,
+ item.serialNumber,
+ Ci.nsICertStorage.STATE_UNSET
+ )
+ );
+ } else if (item.subject && item.pubKeyHash) {
+ items.push(
+ new SubjectAndPubKeyRevocationState(
+ item.subject,
+ item.pubKeyHash,
+ Ci.nsICertStorage.STATE_UNSET
+ )
+ );
+ }
+ }
+
+ const toAdd = created.concat(updated.map(u => u.new));
+
+ for (let item of toAdd) {
+ if (item.issuerName && item.serialNumber) {
+ items.push(
+ new IssuerAndSerialRevocationState(
+ item.issuerName,
+ item.serialNumber,
+ Ci.nsICertStorage.STATE_ENFORCE
+ )
+ );
+ } else if (item.subject && item.pubKeyHash) {
+ items.push(
+ new SubjectAndPubKeyRevocationState(
+ item.subject,
+ item.pubKeyHash,
+ Ci.nsICertStorage.STATE_ENFORCE
+ )
+ );
+ }
+ }
+
+ try {
+ const certList = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ await setRevocations(certList, items);
+ } catch (e) {
+ lazy.log.error(e);
+ }
+};
+
+export var RemoteSecuritySettings = {
+ _initialized: false,
+ OneCRLBlocklistClient: null,
+ IntermediatePreloadsClient: null,
+ CRLiteFiltersClient: null,
+
+ /**
+ * Initialize the clients (cheap instantiation) and setup their sync event.
+ * This static method is called from BrowserGlue.sys.mjs soon after startup.
+ *
+ * @returns {object} instantiated clients for security remote settings.
+ */
+ init() {
+ // Avoid repeated initialization (work-around for bug 1730026).
+ if (this._initialized) {
+ return this;
+ }
+ this._initialized = true;
+
+ this.OneCRLBlocklistClient = RemoteSettings("onecrl", {
+ bucketName: SECURITY_STATE_BUCKET,
+ signerName: SECURITY_STATE_SIGNER,
+ });
+ this.OneCRLBlocklistClient.on("sync", updateCertBlocklist);
+
+ this.IntermediatePreloadsClient = new IntermediatePreloads();
+
+ this.CRLiteFiltersClient = new CRLiteFilters();
+ this.CRLiteFiltersClient.cleanAttachmentCache();
+
+ return this;
+ },
+};
+
+class IntermediatePreloads {
+ constructor() {
+ this.client = RemoteSettings("intermediates", {
+ bucketName: SECURITY_STATE_BUCKET,
+ signerName: SECURITY_STATE_SIGNER,
+ localFields: ["cert_import_complete"],
+ });
+
+ this.client.on("sync", this.onSync.bind(this));
+ Services.obs.addObserver(
+ this.onObservePollEnd.bind(this),
+ "remote-settings:changes-poll-end"
+ );
+
+ lazy.log.debug("Intermediate Preloading: constructor");
+ }
+
+ async updatePreloadedIntermediates() {
+ if (!Services.prefs.getBoolPref(INTERMEDIATES_ENABLED_PREF, true)) {
+ lazy.log.debug("Intermediate Preloading is disabled");
+ Services.obs.notifyObservers(
+ null,
+ "remote-security-settings:intermediates-updated",
+ "disabled"
+ );
+ return;
+ }
+
+ // Download attachments that are awaiting download, up to a max.
+ const maxDownloadsPerRun = Services.prefs.getIntPref(
+ INTERMEDIATES_DL_PER_POLL_PREF,
+ 100
+ );
+ const parallelDownloads = Services.prefs.getIntPref(
+ INTERMEDIATES_DL_PARALLEL_REQUESTS,
+ 8
+ );
+
+ // Bug 1519256: Move this to a separate method that's on a separate timer
+ // with a higher frequency (so we can attempt to download outstanding
+ // certs more than once daily)
+
+ // See if we have prior cert data (this can happen when we can't open the database and we
+ // have to re-create it (see bug 1546361)).
+ let hasPriorCertData = await hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CERTIFICATE
+ );
+ // If we don't have prior data, make it so we re-load everything.
+ if (!hasPriorCertData) {
+ let current;
+ try {
+ current = await this.client.db.list();
+ } catch (err) {
+ lazy.log.warn(
+ `Unable to list intermediate preloading collection: ${err}`
+ );
+ return;
+ }
+ const toReset = current.filter(record => record.cert_import_complete);
+ try {
+ await this.client.db.importChanges(
+ undefined, // do not touch metadata.
+ undefined, // do not touch collection timestamp.
+ toReset.map(r => ({ ...r, cert_import_complete: false }))
+ );
+ } catch (err) {
+ lazy.log.warn(
+ `Unable to update intermediate preloading collection: ${err}`
+ );
+ return;
+ }
+ }
+ let current;
+ try {
+ current = await this.client.db.list();
+ } catch (err) {
+ lazy.log.warn(
+ `Unable to list intermediate preloading collection: ${err}`
+ );
+ return;
+ }
+ const waiting = current.filter(record => !record.cert_import_complete);
+
+ lazy.log.debug(
+ `There are ${waiting.length} intermediates awaiting download.`
+ );
+ if (!waiting.length) {
+ // Nothing to do.
+ Services.obs.notifyObservers(
+ null,
+ "remote-security-settings:intermediates-updated",
+ "success"
+ );
+ return;
+ }
+
+ let toDownload = waiting.slice(0, maxDownloadsPerRun);
+ let recordsCertsAndSubjects = [];
+ for (let i = 0; i < toDownload.length; i += parallelDownloads) {
+ const chunk = toDownload.slice(i, i + parallelDownloads);
+ const downloaded = await Promise.all(
+ chunk.map(record => this.maybeDownloadAttachment(record))
+ );
+ recordsCertsAndSubjects = recordsCertsAndSubjects.concat(downloaded);
+ }
+
+ let certInfos = [];
+ let recordsToUpdate = [];
+ for (let { record, cert, subject } of recordsCertsAndSubjects) {
+ if (cert && subject) {
+ certInfos.push(new CertInfo(cert, subject));
+ recordsToUpdate.push(record);
+ }
+ }
+ const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let result = await new Promise(resolve => {
+ certStorage.addCerts(certInfos, resolve);
+ }).catch(err => err);
+ if (result != Cr.NS_OK) {
+ lazy.log.error(`certStorage.addCerts failed: ${result}`);
+ return;
+ }
+ try {
+ await this.client.db.importChanges(
+ undefined, // do not touch metadata.
+ undefined, // do not touch collection timestamp.
+ recordsToUpdate.map(r => ({ ...r, cert_import_complete: true }))
+ );
+ } catch (err) {
+ lazy.log.warn(
+ `Unable to update intermediate preloading collection: ${err}`
+ );
+ return;
+ }
+
+ Services.obs.notifyObservers(
+ null,
+ "remote-security-settings:intermediates-updated",
+ "success"
+ );
+ }
+
+ async onObservePollEnd(subject, topic, data) {
+ lazy.log.debug(`onObservePollEnd ${subject} ${topic}`);
+
+ try {
+ await this.updatePreloadedIntermediates();
+ } catch (err) {
+ lazy.log.warn(`Unable to update intermediate preloads: ${err}`);
+ }
+ }
+
+ // This method returns a promise to RemoteSettingsClient.maybeSync method.
+ async onSync({ data: { current, created, updated, deleted } }) {
+ if (!Services.prefs.getBoolPref(INTERMEDIATES_ENABLED_PREF, true)) {
+ lazy.log.debug("Intermediate Preloading is disabled");
+ return;
+ }
+
+ lazy.log.debug(`Removing ${deleted.length} Intermediate certificates`);
+ await this.removeCerts(deleted);
+ }
+
+ /**
+ * Attempts to download the attachment, assuming it's not been processed
+ * already. Does not retry, and always resolves (e.g., does not reject upon
+ * failure.) Errors are reported via console.error.
+ *
+ * @param {AttachmentRecord} record defines which data to obtain
+ * @returns {Promise} a Promise that will resolve to an object with the properties
+ * record, cert, and subject. record is the original record.
+ * cert is the base64-encoded bytes of the downloaded certificate (if
+ * downloading was successful), and null otherwise.
+ * subject is the base64-encoded bytes of the subject distinguished
+ * name of the same.
+ */
+ async maybeDownloadAttachment(record) {
+ let result = { record, cert: null, subject: null };
+
+ let dataAsString = null;
+ try {
+ let buffer = await this.client.attachments.downloadAsBytes(record, {
+ retries: 0,
+ });
+ dataAsString = lazy.gTextDecoder.decode(new Uint8Array(buffer));
+ } catch (err) {
+ if (err.name == "BadContentError") {
+ lazy.log.debug(`Bad attachment content.`);
+ } else {
+ lazy.log.error(`Failed to download attachment: ${err}`);
+ }
+ return result;
+ }
+
+ let certBase64;
+ let subjectBase64;
+ try {
+ // split off the header and footer
+ certBase64 = dataAsString.split("-----")[2].replace(/\s/g, "");
+ // get an array of bytes so we can use X509.jsm
+ let certBytes = stringToBytes(atob(certBase64));
+ let cert = new X509.Certificate();
+ cert.parse(certBytes);
+ // get the DER-encoded subject and get a base64-encoded string from it
+ // TODO(bug 1542028): add getters for _der and _bytes
+ subjectBase64 = btoa(
+ bytesToString(cert.tbsCertificate.subject._der._bytes)
+ );
+ } catch (err) {
+ lazy.log.error(`Failed to decode cert: ${err}`);
+ return result;
+ }
+ result.cert = certBase64;
+ result.subject = subjectBase64;
+ return result;
+ }
+
+ async maybeSync(expectedTimestamp, options) {
+ return this.client.maybeSync(expectedTimestamp, options);
+ }
+
+ async removeCerts(recordsToRemove) {
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let hashes = recordsToRemove.map(record => record.derHash);
+ let result = await new Promise(resolve => {
+ certStorage.removeCertsByHashes(hashes, resolve);
+ }).catch(err => err);
+ if (result != Cr.NS_OK) {
+ lazy.log.error(`Failed to remove some intermediate certificates`);
+ }
+ }
+}
+
+// Helper function to compare filters. One filter is "less than" another filter (i.e. it sorts
+// earlier) if its timestamp is farther in the past than the other.
+function compareFilters(filterA, filterB) {
+ return filterA.effectiveTimestamp - filterB.effectiveTimestamp;
+}
+
+class CRLiteFilters {
+ constructor() {
+ this.client = RemoteSettings("cert-revocations", {
+ bucketName: SECURITY_STATE_BUCKET,
+ signerName: SECURITY_STATE_SIGNER,
+ localFields: ["loaded_into_cert_storage"],
+ });
+
+ Services.obs.addObserver(
+ this.onObservePollEnd.bind(this),
+ "remote-settings:changes-poll-end"
+ );
+ }
+
+ async cleanAttachmentCache() {
+ // Bug 1795710 - misuse of Remote Settings `downloadToDisk` caused us to
+ // keep filters and stashes on disk indefinitely. We're no longer caching
+ // these downloads, so if there are any filters still in the cache they can
+ // be removed.
+ let cachePath = PathUtils.join(
+ PathUtils.localProfileDir,
+ ...this.client.attachments.folders
+ );
+
+ try {
+ let needCleanup = await IOUtils.exists(cachePath);
+ if (needCleanup) {
+ let cacheFiles = await IOUtils.getChildren(cachePath);
+ let staleFilters = cacheFiles.filter(
+ path => path.endsWith("filter") || path.endsWith("filter.stash")
+ );
+ if (cacheFiles.length == staleFilters.length) {
+ // Expected case. No files other than filters, we can remove the
+ // entire directory
+ await IOUtils.remove(cachePath, { recursive: true });
+ } else {
+ for (let filter of staleFilters) {
+ await IOUtils.remove(filter);
+ }
+ }
+ }
+ } catch (e) {
+ lazy.log.error("Could not clean cert-revocations attachment cache", e);
+ }
+ }
+
+ async onObservePollEnd(subject, topic, data) {
+ if (!Services.prefs.getBoolPref(CRLITE_FILTERS_ENABLED_PREF, true)) {
+ lazy.log.debug("CRLite filter downloading is disabled");
+ Services.obs.notifyObservers(
+ null,
+ "remote-security-settings:crlite-filters-downloaded",
+ "disabled"
+ );
+ return;
+ }
+
+ let hasPriorFilter = await hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL
+ );
+ if (!hasPriorFilter) {
+ let current = await this.client.db.list();
+ let toReset = current.filter(
+ record => !record.incremental && record.loaded_into_cert_storage
+ );
+ await this.client.db.importChanges(
+ undefined, // do not touch metadata.
+ undefined, // do not touch collection timestamp.
+ toReset.map(r => ({ ...r, loaded_into_cert_storage: false }))
+ );
+ }
+ let hasPriorStash = await hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL
+ );
+ if (!hasPriorStash) {
+ let current = await this.client.db.list();
+ let toReset = current.filter(
+ record => record.incremental && record.loaded_into_cert_storage
+ );
+ await this.client.db.importChanges(
+ undefined, // do not touch metadata.
+ undefined, // do not touch collection timestamp.
+ toReset.map(r => ({ ...r, loaded_into_cert_storage: false }))
+ );
+ }
+
+ let current = await this.client.db.list();
+ let fullFilters = current.filter(filter => !filter.incremental);
+ if (fullFilters.length < 1) {
+ lazy.log.debug("no full CRLite filters to download?");
+ Services.obs.notifyObservers(
+ null,
+ "remote-security-settings:crlite-filters-downloaded",
+ "unavailable"
+ );
+ return;
+ }
+ fullFilters.sort(compareFilters);
+ lazy.log.debug("fullFilters:", fullFilters);
+ let fullFilter = fullFilters.pop(); // the most recent filter sorts last
+ let incrementalFilters = current.filter(
+ filter =>
+ // Return incremental filters that are more recent than (i.e. sort later than) the full
+ // filter.
+ filter.incremental && compareFilters(filter, fullFilter) > 0
+ );
+ incrementalFilters.sort(compareFilters);
+ // Map of id to filter where that filter's parent has the given id.
+ let parentIdMap = {};
+ for (let filter of incrementalFilters) {
+ if (filter.parent in parentIdMap) {
+ lazy.log.debug(`filter with parent id ${filter.parent} already seen?`);
+ } else {
+ parentIdMap[filter.parent] = filter;
+ }
+ }
+ let filtersToDownload = [];
+ let nextFilter = fullFilter;
+ while (nextFilter) {
+ filtersToDownload.push(nextFilter);
+ nextFilter = parentIdMap[nextFilter.id];
+ }
+ const certList = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ filtersToDownload = filtersToDownload.filter(
+ filter => !filter.loaded_into_cert_storage
+ );
+ lazy.log.debug("filtersToDownload:", filtersToDownload);
+ let filtersDownloaded = [];
+ for (let filter of filtersToDownload) {
+ try {
+ let attachment = await this.client.attachments.downloadAsBytes(filter);
+ let bytes = new Uint8Array(attachment);
+ lazy.log.debug(
+ `Downloaded ${filter.details.name}: ${bytes.length} bytes`
+ );
+ filter.bytes = bytes;
+ filtersDownloaded.push(filter);
+ } catch (e) {
+ lazy.log.error("failed to download CRLite filter", e);
+ }
+ }
+ let fullFiltersDownloaded = filtersDownloaded.filter(
+ filter => !filter.incremental
+ );
+ if (fullFiltersDownloaded.length) {
+ if (fullFiltersDownloaded.length > 1) {
+ lazy.log.warn("trying to install more than one full CRLite filter?");
+ }
+ let filter = fullFiltersDownloaded[0];
+
+ let coverage = [];
+ if (filter.coverage) {
+ for (let entry of filter.coverage) {
+ coverage.push(
+ new CRLiteCoverage(
+ entry.logID,
+ entry.minTimestamp,
+ entry.maxTimestamp
+ )
+ );
+ }
+ }
+ let enrollment = filter.enrolledIssuers ? filter.enrolledIssuers : [];
+
+ await new Promise(resolve => {
+ certList.setFullCRLiteFilter(filter.bytes, enrollment, coverage, rv => {
+ lazy.log.debug(`setFullCRLiteFilter: ${rv}`);
+ resolve();
+ });
+ });
+ }
+ let stashes = filtersDownloaded.filter(filter => filter.incremental);
+ let totalLength = stashes.reduce(
+ (sum, filter) => sum + filter.bytes.length,
+ 0
+ );
+ let concatenatedStashes = new Uint8Array(totalLength);
+ let offset = 0;
+ for (let filter of stashes) {
+ concatenatedStashes.set(filter.bytes, offset);
+ offset += filter.bytes.length;
+ }
+ if (concatenatedStashes.length) {
+ lazy.log.debug(
+ `adding concatenated incremental updates of total length ${concatenatedStashes.length}`
+ );
+ await new Promise(resolve => {
+ certList.addCRLiteStash(concatenatedStashes, rv => {
+ lazy.log.debug(`addCRLiteStash: ${rv}`);
+ resolve();
+ });
+ });
+ }
+
+ for (let filter of filtersDownloaded) {
+ delete filter.bytes;
+ }
+
+ await this.client.db.importChanges(
+ undefined, // do not touch metadata.
+ undefined, // do not touch collection timestamp.
+ filtersDownloaded.map(r => ({ ...r, loaded_into_cert_storage: true }))
+ );
+
+ Services.obs.notifyObservers(
+ null,
+ "remote-security-settings:crlite-filters-downloaded",
+ `finished;${filtersDownloaded
+ .map(filter => filter.details.name)
+ .join(",")}`
+ );
+ }
+}
diff --git a/security/manager/ssl/RootCertificateTelemetryUtils.cpp b/security/manager/ssl/RootCertificateTelemetryUtils.cpp
new file mode 100644
index 0000000000..d6bd54d741
--- /dev/null
+++ b/security/manager/ssl/RootCertificateTelemetryUtils.cpp
@@ -0,0 +1,139 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "RootCertificateTelemetryUtils.h"
+
+#include "RootHashes.inc" // Note: Generated by genRootCAHashes.js
+#include "ScopedNSSTypes.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Logging.h"
+#include "nsINSSComponent.h"
+#include "nsNSSCertHelper.h"
+#include "nsServiceManagerUtils.h"
+#include "pk11pub.h"
+
+namespace mozilla {
+namespace psm {
+
+mozilla::LazyLogModule gPublicKeyPinningTelemetryLog(
+ "PublicKeyPinningTelemetryService");
+
+// Used in the BinarySearch method, this does a memcmp between the pointer
+// provided to its construtor and whatever the binary search is looking for.
+//
+// This implementation assumes everything to be of HASH_LEN, so it should not
+// be used generically.
+class BinaryHashSearchArrayComparator {
+ public:
+ explicit BinaryHashSearchArrayComparator(const uint8_t* aTarget, size_t len)
+ : mTarget(aTarget) {
+ MOZ_ASSERT(len == HASH_LEN, "Hashes should be of the same length.");
+ }
+
+ int operator()(const CertAuthorityHash val) const {
+ return memcmp(mTarget, val.hash, HASH_LEN);
+ }
+
+ private:
+ const uint8_t* mTarget;
+};
+
+// Perform a hash of the provided cert, then search in the RootHashes.inc data
+// structure for a matching bin number.
+// If no matching root is found, this may be a CA from the softoken (cert9.db),
+// it may be a CA from an external PKCS#11 token, or it may be a CA from OS
+// storage (Enterprise Root).
+// See also the constants in RootCertificateTelemetryUtils.h.
+int32_t RootCABinNumber(Span<const uint8_t> cert) {
+ nsTArray<uint8_t> digestArray;
+
+ // Compute SHA256 hash of the certificate
+ nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, cert, digestArray);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return ROOT_CERTIFICATE_HASH_FAILURE;
+ }
+
+ // Compare against list of stored hashes
+ size_t idx;
+
+ MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug,
+ ("pkpinTelem: First bytes %02x %02x %02x %02x\n",
+ digestArray.ElementAt(0), digestArray.ElementAt(1),
+ digestArray.ElementAt(2), digestArray.ElementAt(3)));
+
+ if (mozilla::BinarySearchIf(ROOT_TABLE, 0, ArrayLength(ROOT_TABLE),
+ BinaryHashSearchArrayComparator(
+ digestArray.Elements(), digestArray.Length()),
+ &idx)) {
+ MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug,
+ ("pkpinTelem: Telemetry index was %zu, bin is %d\n", idx,
+ ROOT_TABLE[idx].binNumber));
+ return (int32_t)ROOT_TABLE[idx].binNumber;
+ }
+
+ // Didn't find this certificate in the built-in list. It may be an enterprise
+ // root (gathered from the OS) or it may be from the softoken or an external
+ // PKCS#11 token.
+ nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (!component) {
+ return ROOT_CERTIFICATE_UNKNOWN;
+ }
+ nsTArray<nsTArray<uint8_t>> enterpriseRoots;
+ rv = component->GetEnterpriseRoots(enterpriseRoots);
+ if (NS_FAILED(rv)) {
+ return ROOT_CERTIFICATE_UNKNOWN;
+ }
+ for (const auto& enterpriseRoot : enterpriseRoots) {
+ if (enterpriseRoot.Length() == cert.size() &&
+ memcmp(enterpriseRoot.Elements(), cert.data(),
+ enterpriseRoot.Length()) == 0) {
+ return ROOT_CERTIFICATE_ENTERPRISE_ROOT;
+ }
+ }
+
+ SECItem certItem = {siBuffer, const_cast<uint8_t*>(cert.data()),
+ static_cast<unsigned int>(cert.size())};
+ UniquePK11SlotInfo softokenSlot(PK11_GetInternalKeySlot());
+ if (!softokenSlot) {
+ return ROOT_CERTIFICATE_UNKNOWN;
+ }
+ CK_OBJECT_HANDLE softokenCertHandle =
+ PK11_FindEncodedCertInSlot(softokenSlot.get(), &certItem, nullptr);
+ if (softokenCertHandle != CK_INVALID_HANDLE) {
+ return ROOT_CERTIFICATE_SOFTOKEN;
+ }
+ // In theory this should never find the certificate in the root module,
+ // because then it should have already matched our built-in list. This is
+ // here as a backstop to catch situations where a built-in root was added but
+ // the built-in telemetry information was not updated.
+ UniqueSECMODModule rootsModule(SECMOD_FindModule(kRootModuleName));
+ AutoSECMODListReadLock secmodLock;
+ if (!rootsModule || rootsModule->slotCount != 1) {
+ return ROOT_CERTIFICATE_UNKNOWN;
+ }
+ CK_OBJECT_HANDLE builtinCertHandle =
+ PK11_FindEncodedCertInSlot(rootsModule->slots[0], &certItem, nullptr);
+ if (builtinCertHandle == CK_INVALID_HANDLE) {
+ return ROOT_CERTIFICATE_EXTERNAL_TOKEN;
+ }
+
+ // We have no idea what this is.
+ return ROOT_CERTIFICATE_UNKNOWN;
+}
+
+// Attempt to increment the appropriate bin in the provided Telemetry probe ID.
+// If there was a hash failure, we do nothing.
+void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe,
+ const Span<const uint8_t> cert) {
+ int32_t binId = RootCABinNumber(cert);
+
+ if (binId != ROOT_CERTIFICATE_HASH_FAILURE) {
+ Accumulate(probe, binId);
+ }
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/RootCertificateTelemetryUtils.h b/security/manager/ssl/RootCertificateTelemetryUtils.h
new file mode 100644
index 0000000000..01d033ec59
--- /dev/null
+++ b/security/manager/ssl/RootCertificateTelemetryUtils.h
@@ -0,0 +1,37 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef RootCertificateTelemetryUtils_h
+#define RootCertificateTelemetryUtils_h
+
+#include "mozilla/Span.h"
+#include "mozilla/Telemetry.h"
+
+namespace mozilla {
+namespace psm {
+
+// Note: New CAs will show up as UNKNOWN_ROOT until
+// RootHashes.inc is updated to include them. 0 is reserved by
+// genRootCAHashes.js for the unknowns.
+#define ROOT_CERTIFICATE_UNKNOWN 0
+// 1 indicates the CA is not a built-in and comes from the softoken (cert9.db)
+#define ROOT_CERTIFICATE_SOFTOKEN 1
+// 2 indicates the CA is not a bilt-in and comes from an external PKCS#11 token
+#define ROOT_CERTIFICATE_EXTERNAL_TOKEN 2
+// 3 indicates the CA is not a built-in and comes from the OS via the
+// "Enterprise Roots" feature
+#define ROOT_CERTIFICATE_ENTERPRISE_ROOT 3
+#define ROOT_CERTIFICATE_HASH_FAILURE -1
+
+int32_t RootCABinNumber(Span<const uint8_t> cert);
+
+void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe,
+ const Span<const uint8_t> cert);
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // RootCertificateTelemetryUtils_h
diff --git a/security/manager/ssl/RootHashes.inc b/security/manager/ssl/RootHashes.inc
new file mode 100644
index 0000000000..4060eddd4b
--- /dev/null
+++ b/security/manager/ssl/RootHashes.inc
@@ -0,0 +1,1597 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*****************************************************************************/
+/* This is an automatically generated file. If you're not */
+/* RootCertificateTelemetryUtils.cpp, you shouldn't be #including it. */
+/*****************************************************************************/
+
+#define HASH_LEN 32
+struct CertAuthorityHash {
+ // See bug 1338873 about making these fields const.
+ uint8_t hash[HASH_LEN];
+ int32_t binNumber;
+};
+
+static const struct CertAuthorityHash ROOT_TABLE[] = {
+ {
+ /* DigiCert_TLS_ECC_P384_Root_G5 */
+ { 0x01, 0x8E, 0x13, 0xF0, 0x77, 0x25, 0x32, 0xCF, 0x80, 0x9B, 0xD1, 0xB1, 0x72, 0x81, 0x86, 0x72,
+ 0x83, 0xFC, 0x48, 0xC6, 0xE1, 0x3B, 0xE9, 0xC6, 0x98, 0x12, 0x85, 0x4A, 0x49, 0x0C, 0x1B, 0x05 },
+ 243 /* Bin Number */
+ },
+ {
+ /* CommScope_Public_Trust_RSA_Root_01 */
+ { 0x02, 0xBD, 0xF9, 0x6E, 0x2A, 0x45, 0xDD, 0x9B, 0xF1, 0x8F, 0xC7, 0xE1, 0xDB, 0xDF, 0x21, 0xA0,
+ 0x37, 0x9B, 0xA3, 0xC9, 0xC2, 0x61, 0x03, 0x44, 0xCF, 0xD8, 0xD6, 0x06, 0xFE, 0xC1, 0xED, 0x81 },
+ 262 /* Bin Number */
+ },
+ {
+ /* Entrust_Root_Certification_Authority___EC1 */
+ { 0x02, 0xED, 0x0E, 0xB2, 0x8C, 0x14, 0xDA, 0x45, 0x16, 0x5C, 0x56, 0x67, 0x91, 0x70, 0x0D, 0x64,
+ 0x51, 0xD7, 0xFB, 0x56, 0xF0, 0xB2, 0xAB, 0x1D, 0x3B, 0x8E, 0xB0, 0x70, 0xE5, 0x6E, 0xDF, 0xF5 },
+ 164 /* Bin Number */
+ },
+ {
+ /* AffirmTrust_Commercial */
+ { 0x03, 0x76, 0xAB, 0x1D, 0x54, 0xC5, 0xF9, 0x80, 0x3C, 0xE4, 0xB2, 0xE2, 0x01, 0xA0, 0xEE, 0x7E,
+ 0xEF, 0x7B, 0x57, 0xB6, 0x36, 0xE8, 0xA9, 0x3C, 0x9B, 0x8D, 0x48, 0x60, 0xC9, 0x6F, 0x5F, 0xA7 },
+ 109 /* Bin Number */
+ },
+ {
+ /* ACEDICOM_Root */
+ { 0x03, 0x95, 0x0F, 0xB4, 0x9A, 0x53, 0x1F, 0x3E, 0x19, 0x91, 0x94, 0x23, 0x98, 0xDF, 0xA9, 0xE0,
+ 0xEA, 0x32, 0xD7, 0xBA, 0x1C, 0xDD, 0x9B, 0xC8, 0x5D, 0xB5, 0x7E, 0xD9, 0x40, 0x0B, 0x43, 0x4A },
+ 98 /* Bin Number */
+ },
+ {
+ /* Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 */
+ { 0x04, 0x04, 0x80, 0x28, 0xBF, 0x1F, 0x28, 0x64, 0xD4, 0x8F, 0x9A, 0xD4, 0xD8, 0x32, 0x94, 0x36,
+ 0x6A, 0x82, 0x88, 0x56, 0x55, 0x3F, 0x3B, 0x14, 0x30, 0x3F, 0x90, 0x14, 0x7F, 0x5D, 0x40, 0xEF },
+ 102 /* Bin Number */
+ },
+ {
+ /* Chambers_of_Commerce_Root___2008 */
+ { 0x06, 0x3E, 0x4A, 0xFA, 0xC4, 0x91, 0xDF, 0xD3, 0x32, 0xF3, 0x08, 0x9B, 0x85, 0x42, 0xE9, 0x46,
+ 0x17, 0xD8, 0x93, 0xD7, 0xFE, 0x94, 0x4E, 0x10, 0xA7, 0x93, 0x7E, 0xE2, 0x9D, 0x96, 0x93, 0xC0 },
+ 104 /* Bin Number */
+ },
+ {
+ /* DST_Root_CA_X3 */
+ { 0x06, 0x87, 0x26, 0x03, 0x31, 0xA7, 0x24, 0x03, 0xD9, 0x09, 0xF1, 0x05, 0xE6, 0x9B, 0xCF, 0x0D,
+ 0x32, 0xE1, 0xBD, 0x24, 0x93, 0xFF, 0xC6, 0xD9, 0x20, 0x6D, 0x11, 0xBC, 0xD6, 0x77, 0x07, 0x39 },
+ 52 /* Bin Number */
+ },
+ {
+ /* TrustCor_RootCert_CA_2 */
+ { 0x07, 0x53, 0xE9, 0x40, 0x37, 0x8C, 0x1B, 0xD5, 0xE3, 0x83, 0x6E, 0x39, 0x5D, 0xAE, 0xA5, 0xCB,
+ 0x83, 0x9E, 0x50, 0x46, 0xF1, 0xBD, 0x0E, 0xAE, 0x19, 0x51, 0xCF, 0x10, 0xFE, 0xC7, 0xC9, 0x65 },
+ 191 /* Bin Number */
+ },
+ {
+ /* AddTrust_Public_CA_Root */
+ { 0x07, 0x91, 0xCA, 0x07, 0x49, 0xB2, 0x07, 0x82, 0xAA, 0xD3, 0xC7, 0xD7, 0xBD, 0x0C, 0xDF, 0xC9,
+ 0x48, 0x58, 0x35, 0x84, 0x3E, 0xB2, 0xD7, 0x99, 0x60, 0x09, 0xCE, 0x43, 0xAB, 0x6C, 0x69, 0x27 },
+ 16 /* Bin Number */
+ },
+ {
+ /* D_TRUST_EV_Root_CA_1_2020 */
+ { 0x08, 0x17, 0x0D, 0x1A, 0xA3, 0x64, 0x53, 0x90, 0x1A, 0x2F, 0x95, 0x92, 0x45, 0xE3, 0x47, 0xDB,
+ 0x0C, 0x8D, 0x37, 0xAB, 0xAA, 0xBC, 0x56, 0xB8, 0x1A, 0xA1, 0x00, 0xDC, 0x95, 0x89, 0x70, 0xDB },
+ 242 /* Bin Number */
+ },
+ {
+ /* OU_Equifax_Secure_Certificate_Authority_O_Equifax_C_US */
+ { 0x08, 0x29, 0x7A, 0x40, 0x47, 0xDB, 0xA2, 0x36, 0x80, 0xC7, 0x31, 0xDB, 0x6E, 0x31, 0x76, 0x53,
+ 0xCA, 0x78, 0x48, 0xE1, 0xBE, 0xBD, 0x3A, 0x0B, 0x01, 0x79, 0xA7, 0x07, 0xF9, 0x2C, 0xF1, 0x78 },
+ 4 /* Bin Number */
+ },
+ {
+ /* AffirmTrust_Networking */
+ { 0x0A, 0x81, 0xEC, 0x5A, 0x92, 0x97, 0x77, 0xF1, 0x45, 0x90, 0x4A, 0xF3, 0x8D, 0x5D, 0x50, 0x9F,
+ 0x66, 0xB5, 0xE2, 0xC5, 0x8F, 0xCD, 0xB5, 0x31, 0x05, 0x8B, 0x0E, 0x17, 0xF3, 0xF0, 0xB4, 0x1B },
+ 110 /* Bin Number */
+ },
+ {
+ /* Chambers_of_Commerce_Root */
+ { 0x0C, 0x25, 0x8A, 0x12, 0xA5, 0x67, 0x4A, 0xEF, 0x25, 0xF2, 0x8B, 0xA7, 0xDC, 0xFA, 0xEC, 0xEE,
+ 0xA3, 0x48, 0xE5, 0x41, 0xE6, 0xF5, 0xCC, 0x4E, 0xE6, 0x3B, 0x71, 0xB3, 0x61, 0x60, 0x6A, 0xC3 },
+ 39 /* Bin Number */
+ },
+ {
+ /* COMODO_Certification_Authority */
+ { 0x0C, 0x2C, 0xD6, 0x3D, 0xF7, 0x80, 0x6F, 0xA3, 0x99, 0xED, 0xE8, 0x09, 0x11, 0x6B, 0x57, 0x5B,
+ 0xF8, 0x79, 0x89, 0xF0, 0x65, 0x18, 0xF9, 0x80, 0x8C, 0x86, 0x05, 0x03, 0x17, 0x8B, 0xAF, 0x66 },
+ 63 /* Bin Number */
+ },
+ {
+ /* Buypass_Class_2_CA_1 */
+ { 0x0F, 0x4E, 0x9C, 0xDD, 0x26, 0x4B, 0x02, 0x55, 0x50, 0xD1, 0x70, 0x80, 0x63, 0x40, 0x21, 0x4F,
+ 0xE9, 0x44, 0x34, 0xC9, 0xB0, 0x2F, 0x69, 0x7E, 0xC7, 0x10, 0xFC, 0x5F, 0xEA, 0xFB, 0x5E, 0x38 },
+ 80 /* Bin Number */
+ },
+ {
+ /* Class_2_Primary_CA */
+ { 0x0F, 0x99, 0x3C, 0x8A, 0xEF, 0x97, 0xBA, 0xAF, 0x56, 0x87, 0x14, 0x0E, 0xD5, 0x9A, 0xD1, 0x82,
+ 0x1B, 0xB4, 0xAF, 0xAC, 0xF0, 0xAA, 0x9A, 0x58, 0xB5, 0xD5, 0x7A, 0x33, 0x8A, 0x3A, 0xFB, 0xCB },
+ 51 /* Bin Number */
+ },
+ {
+ /* CommScope_Public_Trust_ECC_Root_01 */
+ { 0x11, 0x43, 0x7C, 0xDA, 0x7B, 0xB4, 0x5E, 0x41, 0x36, 0x5F, 0x45, 0xB3, 0x9A, 0x38, 0x98, 0x6B,
+ 0x0D, 0xE0, 0x0D, 0xEF, 0x34, 0x8E, 0x0C, 0x7B, 0xB0, 0x87, 0x36, 0x33, 0x80, 0x0B, 0xC3, 0x8B },
+ 264 /* Bin Number */
+ },
+ {
+ /* emSign_Root_CA___C1 */
+ { 0x12, 0x56, 0x09, 0xAA, 0x30, 0x1D, 0xA0, 0xA2, 0x49, 0xB9, 0x7A, 0x82, 0x39, 0xCB, 0x6A, 0x34,
+ 0x21, 0x6F, 0x44, 0xDC, 0xAC, 0x9F, 0x39, 0x54, 0xB1, 0x42, 0x92, 0xF2, 0xE8, 0xC8, 0x60, 0x8F },
+ 208 /* Bin Number */
+ },
+ {
+ /* Global_Chambersign_Root___2008 */
+ { 0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xA7, 0x69, 0x80, 0x16, 0xA0, 0xD3, 0x24, 0xDE, 0x72, 0x28,
+ 0x4E, 0x07, 0x9D, 0x7B, 0x52, 0x20, 0xBB, 0x8F, 0xBD, 0x74, 0x78, 0x16, 0xEE, 0xBE, 0xBA, 0xCA },
+ 105 /* Bin Number */
+ },
+ {
+ /* OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US */
+ { 0x14, 0x65, 0xFA, 0x20, 0x53, 0x97, 0xB8, 0x76, 0xFA, 0xA6, 0xF0, 0xA9, 0x95, 0x8E, 0x55, 0x90,
+ 0xE4, 0x0F, 0xCC, 0x7F, 0xAA, 0x4F, 0xB7, 0xC2, 0xC8, 0x67, 0x75, 0x21, 0xFB, 0x5F, 0xB6, 0x58 },
+ 44 /* Bin Number */
+ },
+ {
+ /* Certplus_Root_CA_G1 */
+ { 0x15, 0x2A, 0x40, 0x2B, 0xFC, 0xDF, 0x2C, 0xD5, 0x48, 0x05, 0x4D, 0x22, 0x75, 0xB3, 0x9C, 0x7F,
+ 0xCA, 0x3E, 0xC0, 0x97, 0x80, 0x78, 0xB0, 0xF0, 0xEA, 0x76, 0xE5, 0x61, 0xA6, 0xC7, 0x43, 0x3E },
+ 176 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R3 */
+ { 0x15, 0xD5, 0xB8, 0x77, 0x46, 0x19, 0xEA, 0x7D, 0x54, 0xCE, 0x1C, 0xA6, 0xD0, 0xB0, 0xC4, 0x03,
+ 0xE0, 0x37, 0xA9, 0x17, 0xF1, 0x31, 0xE8, 0xA0, 0x4E, 0x1E, 0x6B, 0x7A, 0x71, 0xBA, 0xBC, 0xE5 },
+ 201 /* Bin Number */
+ },
+ {
+ /* Network_Solutions_Certificate_Authority */
+ { 0x15, 0xF0, 0xBA, 0x00, 0xA3, 0xAC, 0x7A, 0xF3, 0xAC, 0x88, 0x4C, 0x07, 0x2B, 0x10, 0x11, 0xA0,
+ 0x77, 0xBD, 0x77, 0xC0, 0x97, 0xF4, 0x01, 0x64, 0xB2, 0xF8, 0x59, 0x8A, 0xBD, 0x83, 0x86, 0x0C },
+ 64 /* Bin Number */
+ },
+ {
+ /* Baltimore_CyberTrust_Root */
+ { 0x16, 0xAF, 0x57, 0xA9, 0xF6, 0x76, 0xB0, 0xAB, 0x12, 0x60, 0x95, 0xAA, 0x5E, 0xBA, 0xDE, 0xF2,
+ 0x2A, 0xB3, 0x11, 0x19, 0xD6, 0x44, 0xAC, 0x95, 0xCD, 0x4B, 0x93, 0xDB, 0xF3, 0xF2, 0x6A, 0xEB },
+ 11 /* Bin Number */
+ },
+ {
+ /* COMODO_ECC_Certification_Authority */
+ { 0x17, 0x93, 0x92, 0x7A, 0x06, 0x14, 0x54, 0x97, 0x89, 0xAD, 0xCE, 0x2F, 0x8F, 0x34, 0xF7, 0xF0,
+ 0xB6, 0x6D, 0x0F, 0x3A, 0xE3, 0xA3, 0xB8, 0x4D, 0x21, 0xEC, 0x15, 0xDB, 0xBA, 0x4F, 0xAD, 0xC7 },
+ 66 /* Bin Number */
+ },
+ {
+ /* GlobalSign */
+ { 0x17, 0x9F, 0xBC, 0x14, 0x8A, 0x3D, 0xD0, 0x0F, 0xD2, 0x4E, 0xA1, 0x34, 0x58, 0xCC, 0x43, 0xBF,
+ 0xA7, 0xF5, 0x9C, 0x81, 0x82, 0xD7, 0x83, 0xA5, 0x13, 0xF6, 0xEB, 0xEC, 0x10, 0x0C, 0x89, 0x24 },
+ 158 /* Bin Number */
+ },
+ {
+ /* Amazon_Root_CA_3 */
+ { 0x18, 0xCE, 0x6C, 0xFE, 0x7B, 0xF1, 0x4E, 0x60, 0xB2, 0xE3, 0x47, 0xB8, 0xDF, 0xE8, 0x68, 0xCB,
+ 0x31, 0xD0, 0x2E, 0xBB, 0x3A, 0xDA, 0x27, 0x15, 0x69, 0xF5, 0x03, 0x43, 0xB4, 0x6D, 0xB3, 0xA4 },
+ 185 /* Bin Number */
+ },
+ {
+ /* QuoVadis_Root_CA_3 */
+ { 0x18, 0xF1, 0xFC, 0x7F, 0x20, 0x5D, 0xF8, 0xAD, 0xDD, 0xEB, 0x7F, 0xE0, 0x07, 0xDD, 0x57, 0xE3,
+ 0xAF, 0x37, 0x5A, 0x9C, 0x4D, 0x8D, 0x73, 0x54, 0x6B, 0xF4, 0xF1, 0xFE, 0xD1, 0xE1, 0x8D, 0x35 },
+ 33 /* Bin Number */
+ },
+ {
+ /* Amazon_Root_CA_2 */
+ { 0x1B, 0xA5, 0xB2, 0xAA, 0x8C, 0x65, 0x40, 0x1A, 0x82, 0x96, 0x01, 0x18, 0xF8, 0x0B, 0xEC, 0x4F,
+ 0x62, 0x30, 0x4D, 0x83, 0xCE, 0xC4, 0x71, 0x3A, 0x19, 0xC3, 0x9C, 0x01, 0x1E, 0xA4, 0x6D, 0xB4 },
+ 184 /* Bin Number */
+ },
+ {
+ /* China_Internet_Network_Information_Center_EV_Certificates_Root */
+ { 0x1C, 0x01, 0xC6, 0xF4, 0xDB, 0xB2, 0xFE, 0xFC, 0x22, 0x55, 0x8B, 0x2B, 0xCA, 0x32, 0x56, 0x3F,
+ 0x49, 0x84, 0x4A, 0xCF, 0xC3, 0x2B, 0x7B, 0xE4, 0xB0, 0xFF, 0x59, 0x9F, 0x9E, 0x8C, 0x7A, 0xF7 },
+ 133 /* Bin Number */
+ },
+ {
+ /* Swisscom_Root_CA_1 */
+ { 0x21, 0xDB, 0x20, 0x12, 0x36, 0x60, 0xBB, 0x2E, 0xD4, 0x18, 0x20, 0x5D, 0xA1, 0x1E, 0xE7, 0xA8,
+ 0x5A, 0x65, 0xE2, 0xBC, 0x6E, 0x55, 0xB5, 0xAF, 0x7E, 0x78, 0x99, 0xC8, 0xA2, 0x66, 0xD9, 0x2E },
+ 47 /* Bin Number */
+ },
+ {
+ /* SSL_com_EV_Root_Certification_Authority_ECC */
+ { 0x22, 0xA2, 0xC1, 0xF7, 0xBD, 0xED, 0x70, 0x4C, 0xC1, 0xE7, 0x01, 0xB5, 0xF4, 0x08, 0xC3, 0x10,
+ 0x88, 0x0F, 0xE9, 0x56, 0xB5, 0xDE, 0x2A, 0x4A, 0x44, 0xF9, 0x9C, 0x87, 0x3A, 0x25, 0xA7, 0xC8 },
+ 196 /* Bin Number */
+ },
+ {
+ /* VeriSign_Universal_Root_Certification_Authority */
+ { 0x23, 0x99, 0x56, 0x11, 0x27, 0xA5, 0x71, 0x25, 0xDE, 0x8C, 0xEF, 0xEA, 0x61, 0x0D, 0xDF, 0x2F,
+ 0xA0, 0x78, 0xB5, 0xC8, 0x06, 0x7F, 0x4E, 0x82, 0x82, 0x90, 0xBF, 0xB8, 0x60, 0xE8, 0x4B, 0x3C },
+ 90 /* Bin Number */
+ },
+ {
+ /* Telia_Root_CA_v2 */
+ { 0x24, 0x2B, 0x69, 0x74, 0x2F, 0xCB, 0x1E, 0x5B, 0x2A, 0xBF, 0x98, 0x89, 0x8B, 0x94, 0x57, 0x21,
+ 0x87, 0x54, 0x4E, 0x5B, 0x4D, 0x99, 0x11, 0x78, 0x65, 0x73, 0x62, 0x1F, 0x6A, 0x74, 0xB8, 0x2C },
+ 240 /* Bin Number */
+ },
+ {
+ /* Security_Communication_RootCA3 */
+ { 0x24, 0xA5, 0x5C, 0x2A, 0xB0, 0x51, 0x44, 0x2D, 0x06, 0x17, 0x76, 0x65, 0x41, 0x23, 0x9A, 0x4A,
+ 0xD0, 0x32, 0xD7, 0xC5, 0x51, 0x75, 0xAA, 0x34, 0xFF, 0xDE, 0x2F, 0xBC, 0x4F, 0x5C, 0x52, 0x94 },
+ 249 /* Bin Number */
+ },
+ {
+ /* Izenpe_com */
+ { 0x25, 0x30, 0xCC, 0x8E, 0x98, 0x32, 0x15, 0x02, 0xBA, 0xD9, 0x6F, 0x9B, 0x1F, 0xBA, 0x1B, 0x09,
+ 0x9E, 0x2D, 0x29, 0x9E, 0x0F, 0x45, 0x48, 0xBB, 0x91, 0x4F, 0x36, 0x3B, 0xC0, 0xD4, 0x53, 0x1F },
+ 103 /* Bin Number */
+ },
+ {
+ /* OpenTrust_Root_CA_G2 */
+ { 0x27, 0x99, 0x58, 0x29, 0xFE, 0x6A, 0x75, 0x15, 0xC1, 0xBF, 0xE8, 0x48, 0xF9, 0xC4, 0x76, 0x1D,
+ 0xB1, 0x6C, 0x22, 0x59, 0x29, 0x25, 0x7B, 0xF4, 0x0D, 0x08, 0x94, 0xF2, 0x9E, 0xA8, 0xBA, 0xF2 },
+ 179 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R1 */
+ { 0x2A, 0x57, 0x54, 0x71, 0xE3, 0x13, 0x40, 0xBC, 0x21, 0x58, 0x1C, 0xBD, 0x2C, 0xF1, 0x3E, 0x15,
+ 0x84, 0x63, 0x20, 0x3E, 0xCE, 0x94, 0xBC, 0xF9, 0xD3, 0xCC, 0x19, 0x6B, 0xF0, 0x9A, 0x54, 0x72 },
+ 199 /* Bin Number */
+ },
+ {
+ /* Certinomis___Root_CA */
+ { 0x2A, 0x99, 0xF5, 0xBC, 0x11, 0x74, 0xB7, 0x3C, 0xBB, 0x1D, 0x62, 0x08, 0x84, 0xE0, 0x1C, 0x34,
+ 0xE5, 0x1C, 0xCB, 0x39, 0x78, 0xDA, 0x12, 0x5F, 0x0E, 0x33, 0x26, 0x88, 0x83, 0xBF, 0x41, 0x58 },
+ 168 /* Bin Number */
+ },
+ {
+ /* GlobalSign */
+ { 0x2C, 0xAB, 0xEA, 0xFE, 0x37, 0xD0, 0x6C, 0xA2, 0x2A, 0xBA, 0x73, 0x91, 0xC0, 0x03, 0x3D, 0x25,
+ 0x98, 0x29, 0x52, 0xC4, 0x53, 0x64, 0x73, 0x49, 0x76, 0x3A, 0x3A, 0xB5, 0xAD, 0x6C, 0xCF, 0x69 },
+ 197 /* Bin Number */
+ },
+ {
+ /* Starfield_Root_Certificate_Authority___G2 */
+ { 0x2C, 0xE1, 0xCB, 0x0B, 0xF9, 0xD2, 0xF9, 0xE1, 0x02, 0x99, 0x3F, 0xBE, 0x21, 0x51, 0x52, 0xC3,
+ 0xB2, 0xDD, 0x0C, 0xAB, 0xDE, 0x1C, 0x68, 0xE5, 0x31, 0x9B, 0x83, 0x91, 0x54, 0xDB, 0xB7, 0xF5 },
+ 107 /* Bin Number */
+ },
+ {
+ /* OU_ApplicationCA_O_Japanese_Government_C_JP */
+ { 0x2D, 0x47, 0x43, 0x7D, 0xE1, 0x79, 0x51, 0x21, 0x5A, 0x12, 0xF3, 0xC5, 0x8E, 0x51, 0xC7, 0x29,
+ 0xA5, 0x80, 0x26, 0xEF, 0x1F, 0xCC, 0x0A, 0x5F, 0xB3, 0xD9, 0xDC, 0x01, 0x2F, 0x60, 0x0D, 0x19 },
+ 85 /* Bin Number */
+ },
+ {
+ /* TunTrust_Root_CA */
+ { 0x2E, 0x44, 0x10, 0x2A, 0xB5, 0x8C, 0xB8, 0x54, 0x19, 0x45, 0x1C, 0x8E, 0x19, 0xD9, 0xAC, 0xF3,
+ 0x66, 0x2C, 0xAF, 0xBC, 0x61, 0x4B, 0x6A, 0x53, 0x96, 0x0A, 0x30, 0xF7, 0xD0, 0xE2, 0xEB, 0x41 },
+ 227 /* Bin Number */
+ },
+ {
+ /* SSL_com_EV_Root_Certification_Authority_RSA_R2 */
+ { 0x2E, 0x7B, 0xF1, 0x6C, 0xC2, 0x24, 0x85, 0xA7, 0xBB, 0xE2, 0xAA, 0x86, 0x96, 0x75, 0x07, 0x61,
+ 0xB0, 0xAE, 0x39, 0xBE, 0x3B, 0x2F, 0xE9, 0xD0, 0xCC, 0x6D, 0x4E, 0xF7, 0x34, 0x91, 0x42, 0x5C },
+ 195 /* Bin Number */
+ },
+ {
+ /* CommScope_Public_Trust_ECC_Root_02 */
+ { 0x2F, 0xFB, 0x7F, 0x81, 0x3B, 0xBB, 0xB3, 0xC8, 0x9A, 0xB4, 0xE8, 0x16, 0x2D, 0x0F, 0x16, 0xD7,
+ 0x15, 0x09, 0xA8, 0x30, 0xCC, 0x9D, 0x73, 0xC2, 0x62, 0xE5, 0x14, 0x08, 0x75, 0xD1, 0xAD, 0x4A },
+ 263 /* Bin Number */
+ },
+ {
+ /* IdenTrust_Public_Sector_Root_CA_1 */
+ { 0x30, 0xD0, 0x89, 0x5A, 0x9A, 0x44, 0x8A, 0x26, 0x20, 0x91, 0x63, 0x55, 0x22, 0xD1, 0xF5, 0x20,
+ 0x10, 0xB5, 0x86, 0x7A, 0xCA, 0xE1, 0x2C, 0x78, 0xEF, 0x95, 0x8F, 0xD4, 0xF4, 0x38, 0x9F, 0x2F },
+ 162 /* Bin Number */
+ },
+ {
+ /* vTrus_ECC_Root_CA */
+ { 0x30, 0xFB, 0xBA, 0x2C, 0x32, 0x23, 0x8E, 0x2A, 0x98, 0x54, 0x7A, 0xF9, 0x79, 0x31, 0xE5, 0x50,
+ 0x42, 0x8B, 0x9B, 0x3F, 0x1C, 0x8E, 0xEB, 0x66, 0x33, 0xDC, 0xFA, 0x86, 0xC5, 0xB2, 0x7D, 0xD3 },
+ 231 /* Bin Number */
+ },
+ {
+ /* DigiCert_Global_Root_G3 */
+ { 0x31, 0xAD, 0x66, 0x48, 0xF8, 0x10, 0x41, 0x38, 0xC7, 0x38, 0xF3, 0x9E, 0xA4, 0x32, 0x01, 0x33,
+ 0x39, 0x3E, 0x3A, 0x18, 0xCC, 0x02, 0x29, 0x6E, 0xF9, 0x7C, 0x2A, 0xC9, 0xEF, 0x67, 0x31, 0xD0 },
+ 150 /* Bin Number */
+ },
+ {
+ /* Microsec_e_Szigno_Root_CA */
+ { 0x32, 0x7A, 0x3D, 0x76, 0x1A, 0xBA, 0xDE, 0xA0, 0x34, 0xEB, 0x99, 0x84, 0x06, 0x27, 0x5C, 0xB1,
+ 0xA4, 0x77, 0x6E, 0xFD, 0xAE, 0x2F, 0xDF, 0x6D, 0x01, 0x68, 0xEA, 0x1C, 0x4F, 0x55, 0x67, 0xD0 },
+ 70 /* Bin Number */
+ },
+ {
+ /* SSL_com_Root_Certification_Authority_ECC */
+ { 0x34, 0x17, 0xBB, 0x06, 0xCC, 0x60, 0x07, 0xDA, 0x1B, 0x96, 0x1C, 0x92, 0x0B, 0x8A, 0xB4, 0xCE,
+ 0x3F, 0xAD, 0x82, 0x0E, 0x4A, 0xA3, 0x0B, 0x9A, 0xCB, 0xC4, 0xA7, 0x4E, 0xBD, 0xCE, 0xBC, 0x65 },
+ 194 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R4 */
+ { 0x34, 0x9D, 0xFA, 0x40, 0x58, 0xC5, 0xE2, 0x63, 0x12, 0x3B, 0x39, 0x8A, 0xE7, 0x95, 0x57, 0x3C,
+ 0x4E, 0x13, 0x13, 0xC8, 0x3F, 0xE6, 0x8F, 0x93, 0x55, 0x6C, 0xD5, 0xE8, 0x03, 0x1B, 0x3C, 0x7D },
+ 239 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R3 */
+ { 0x34, 0xD8, 0xA7, 0x3E, 0xE2, 0x08, 0xD9, 0xBC, 0xDB, 0x0D, 0x95, 0x65, 0x20, 0x93, 0x4B, 0x4E,
+ 0x40, 0xE6, 0x94, 0x82, 0x59, 0x6E, 0x8B, 0x6F, 0x73, 0xC8, 0x42, 0x6B, 0x01, 0x0A, 0x6F, 0x48 },
+ 238 /* Bin Number */
+ },
+ {
+ /* Microsoft_ECC_Root_Certificate_Authority_2017 */
+ { 0x35, 0x8D, 0xF3, 0x9D, 0x76, 0x4A, 0xF9, 0xE1, 0xB7, 0x66, 0xE9, 0xC9, 0x72, 0xDF, 0x35, 0x2E,
+ 0xE1, 0x5C, 0xFA, 0xC2, 0x27, 0xAF, 0x6A, 0xD1, 0xD7, 0x0E, 0x8E, 0x4A, 0x6E, 0xDC, 0xBA, 0x02 },
+ 212 /* Bin Number */
+ },
+ {
+ /* EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */
+ { 0x35, 0xAE, 0x5B, 0xDD, 0xD8, 0xF7, 0xAE, 0x63, 0x5C, 0xFF, 0xBA, 0x56, 0x82, 0xA8, 0xF0, 0x0B,
+ 0x95, 0xF4, 0x84, 0x62, 0xC7, 0x10, 0x8E, 0xE9, 0xA0, 0xE5, 0x29, 0x2B, 0x07, 0x4A, 0xAF, 0xB2 },
+ 82 /* Bin Number */
+ },
+ {
+ /* DigiCert_TLS_RSA4096_Root_G5 */
+ { 0x37, 0x1A, 0x00, 0xDC, 0x05, 0x33, 0xB3, 0x72, 0x1A, 0x7E, 0xEB, 0x40, 0xE8, 0x41, 0x9E, 0x70,
+ 0x79, 0x9D, 0x2B, 0x0A, 0x0F, 0x2C, 0x1D, 0x80, 0x69, 0x31, 0x65, 0xF7, 0xCE, 0xC4, 0xAD, 0x75 },
+ 244 /* Bin Number */
+ },
+ {
+ /* GeoTrust_Primary_Certification_Authority */
+ { 0x37, 0xD5, 0x10, 0x06, 0xC5, 0x12, 0xEA, 0xAB, 0x62, 0x64, 0x21, 0xF1, 0xEC, 0x8C, 0x92, 0x01,
+ 0x3F, 0xC5, 0xF8, 0x2A, 0xE9, 0x8E, 0xE5, 0x33, 0xEB, 0x46, 0x19, 0xB8, 0xDE, 0xB4, 0xD0, 0x6C },
+ 58 /* Bin Number */
+ },
+ {
+ /* Staat_der_Nederlanden_Root_CA___G3 */
+ { 0x3C, 0x4F, 0xB0, 0xB9, 0x5A, 0xB8, 0xB3, 0x00, 0x32, 0xF4, 0x32, 0xB8, 0x6F, 0x53, 0x5F, 0xE1,
+ 0x72, 0xC1, 0x85, 0xD0, 0xFD, 0x39, 0x86, 0x58, 0x37, 0xCF, 0x36, 0x18, 0x7F, 0xA6, 0xF4, 0x28 },
+ 159 /* Bin Number */
+ },
+ {
+ /* Microsec_e_Szigno_Root_CA_2009 */
+ { 0x3C, 0x5F, 0x81, 0xFE, 0xA5, 0xFA, 0xB8, 0x2C, 0x64, 0xBF, 0xA2, 0xEA, 0xEC, 0xAF, 0xCD, 0xE8,
+ 0xE0, 0x77, 0xFC, 0x86, 0x20, 0xA7, 0xCA, 0xE5, 0x37, 0x16, 0x3D, 0xF3, 0x6E, 0xDB, 0xF3, 0x78 },
+ 99 /* Bin Number */
+ },
+ {
+ /* PSCProcert */
+ { 0x3C, 0xFC, 0x3C, 0x14, 0xD1, 0xF6, 0x84, 0xFF, 0x17, 0xE3, 0x8C, 0x43, 0xCA, 0x44, 0x0C, 0x00,
+ 0xB9, 0x67, 0xEC, 0x93, 0x3E, 0x8B, 0xFE, 0x06, 0x4C, 0xA1, 0xD7, 0x2C, 0x90, 0xF2, 0xAD, 0xB0 },
+ 132 /* Bin Number */
+ },
+ {
+ /* EE_Certification_Centre_Root_CA */
+ { 0x3E, 0x84, 0xBA, 0x43, 0x42, 0x90, 0x85, 0x16, 0xE7, 0x75, 0x73, 0xC0, 0x99, 0x2F, 0x09, 0x79,
+ 0xCA, 0x08, 0x4E, 0x46, 0x85, 0x68, 0x1F, 0xF1, 0x95, 0xCC, 0xBA, 0x8A, 0x22, 0x9B, 0x8A, 0x76 },
+ 128 /* Bin Number */
+ },
+ {
+ /* DigiCert_Assured_ID_Root_CA */
+ { 0x3E, 0x90, 0x99, 0xB5, 0x01, 0x5E, 0x8F, 0x48, 0x6C, 0x00, 0xBC, 0xEA, 0x9D, 0x11, 0x1E, 0xE7,
+ 0x21, 0xFA, 0xBA, 0x35, 0x5A, 0x89, 0xBC, 0xF1, 0xDF, 0x69, 0x56, 0x1E, 0x3D, 0xC6, 0x32, 0x5C },
+ 48 /* Bin Number */
+ },
+ {
+ /* Trusted_Certificate_Services */
+ { 0x3F, 0x06, 0xE5, 0x56, 0x81, 0xD4, 0x96, 0xF5, 0xBE, 0x16, 0x9E, 0xB5, 0x38, 0x9F, 0x9F, 0x2B,
+ 0x8F, 0xF6, 0x1E, 0x17, 0x08, 0xDF, 0x68, 0x81, 0x72, 0x48, 0x49, 0xCD, 0x5D, 0x27, 0xCB, 0x69 },
+ 30 /* Bin Number */
+ },
+ {
+ /* HARICA_TLS_ECC_Root_CA_2021 */
+ { 0x3F, 0x99, 0xCC, 0x47, 0x4A, 0xCF, 0xCE, 0x4D, 0xFE, 0xD5, 0x87, 0x94, 0x66, 0x5E, 0x47, 0x8D,
+ 0x15, 0x47, 0x73, 0x9F, 0x2E, 0x78, 0x0F, 0x1B, 0xB4, 0xCA, 0x9B, 0x13, 0x30, 0x97, 0xD4, 0x01 },
+ 229 /* Bin Number */
+ },
+ {
+ /* emSign_Root_CA___G1 */
+ { 0x40, 0xF6, 0xAF, 0x03, 0x46, 0xA9, 0x9A, 0xA1, 0xCD, 0x1D, 0x55, 0x5A, 0x4E, 0x9C, 0xCE, 0x62,
+ 0xC7, 0xF9, 0x63, 0x46, 0x03, 0xEE, 0x40, 0x66, 0x15, 0x83, 0x3D, 0xC8, 0xC8, 0xD0, 0x03, 0x67 },
+ 206 /* Bin Number */
+ },
+ {
+ /* OISTE_WISeKey_Global_Root_GA_CA */
+ { 0x41, 0xC9, 0x23, 0x86, 0x6A, 0xB4, 0xCA, 0xD6, 0xB7, 0xAD, 0x57, 0x80, 0x81, 0x58, 0x2E, 0x02,
+ 0x07, 0x97, 0xA6, 0xCB, 0xDF, 0x4F, 0xFF, 0x78, 0xCE, 0x83, 0x96, 0xB3, 0x89, 0x37, 0xD7, 0xF5 },
+ 69 /* Bin Number */
+ },
+ {
+ /* Secure_Global_CA */
+ { 0x42, 0x00, 0xF5, 0x04, 0x3A, 0xC8, 0x59, 0x0E, 0xBB, 0x52, 0x7D, 0x20, 0x9E, 0xD1, 0x50, 0x30,
+ 0x29, 0xFB, 0xCB, 0xD4, 0x1C, 0xA1, 0xB5, 0x06, 0xEC, 0x27, 0xF1, 0x5A, 0xDE, 0x7D, 0xAC, 0x69 },
+ 62 /* Bin Number */
+ },
+ {
+ /* DigiCert_Global_Root_CA */
+ { 0x43, 0x48, 0xA0, 0xE9, 0x44, 0x4C, 0x78, 0xCB, 0x26, 0x5E, 0x05, 0x8D, 0x5E, 0x89, 0x44, 0xB4,
+ 0xD8, 0x4F, 0x96, 0x62, 0xBD, 0x26, 0xDB, 0x25, 0x7F, 0x89, 0x34, 0xA4, 0x43, 0xC7, 0x01, 0x61 },
+ 49 /* Bin Number */
+ },
+ {
+ /* Entrust_Root_Certification_Authority___G2 */
+ { 0x43, 0xDF, 0x57, 0x74, 0xB0, 0x3E, 0x7F, 0xEF, 0x5F, 0xE4, 0x0D, 0x93, 0x1A, 0x7B, 0xED, 0xF1,
+ 0xBB, 0x2E, 0x6B, 0x42, 0x73, 0x8C, 0x4E, 0x6D, 0x38, 0x41, 0x10, 0x3D, 0x3A, 0xA7, 0xF3, 0x39 },
+ 163 /* Bin Number */
+ },
+ {
+ /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */
+ { 0x44, 0x04, 0xE3, 0x3B, 0x5E, 0x14, 0x0D, 0xCF, 0x99, 0x80, 0x51, 0xFD, 0xFC, 0x80, 0x28, 0xC7,
+ 0xC8, 0x16, 0x15, 0xC5, 0xEE, 0x73, 0x7B, 0x11, 0x1B, 0x58, 0x82, 0x33, 0xA9, 0xB5, 0x35, 0xA0 },
+ 54 /* Bin Number */
+ },
+ {
+ /* Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015 */
+ { 0x44, 0xB5, 0x45, 0xAA, 0x8A, 0x25, 0xE6, 0x5A, 0x73, 0xCA, 0x15, 0xDC, 0x27, 0xFC, 0x36, 0xD2,
+ 0x4C, 0x1C, 0xB9, 0x95, 0x3A, 0x06, 0x65, 0x39, 0xB1, 0x15, 0x82, 0xDC, 0x48, 0x7B, 0x48, 0x33 },
+ 175 /* Bin Number */
+ },
+ {
+ /* Go_Daddy_Root_Certificate_Authority___G2 */
+ { 0x45, 0x14, 0x0B, 0x32, 0x47, 0xEB, 0x9C, 0xC8, 0xC5, 0xB4, 0xF0, 0xD7, 0xB5, 0x30, 0x91, 0xF7,
+ 0x32, 0x92, 0x08, 0x9E, 0x6E, 0x5A, 0x63, 0xE2, 0x74, 0x9D, 0xD3, 0xAC, 0xA9, 0x19, 0x8E, 0xDA },
+ 106 /* Bin Number */
+ },
+ {
+ /* TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi___Surum_1 */
+ { 0x46, 0xED, 0xC3, 0x68, 0x90, 0x46, 0xD5, 0x3A, 0x45, 0x3F, 0xB3, 0x10, 0x4A, 0xB8, 0x0D, 0xCA,
+ 0xEC, 0x65, 0x8B, 0x26, 0x60, 0xEA, 0x16, 0x29, 0xDD, 0x7E, 0x86, 0x79, 0x90, 0x64, 0x87, 0x16 },
+ 188 /* Bin Number */
+ },
+ {
+ /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H5 */
+ { 0x49, 0x35, 0x1B, 0x90, 0x34, 0x44, 0xC1, 0x85, 0xCC, 0xDC, 0x5C, 0x69, 0x3D, 0x24, 0xD8, 0x55,
+ 0x5C, 0xB2, 0x08, 0xD6, 0xA8, 0x14, 0x13, 0x07, 0x69, 0x9F, 0x4A, 0xF0, 0x63, 0x19, 0x9D, 0x78 },
+ 166 /* Bin Number */
+ },
+ {
+ /* D_TRUST_Root_Class_3_CA_2_2009 */
+ { 0x49, 0xE7, 0xA4, 0x42, 0xAC, 0xF0, 0xEA, 0x62, 0x87, 0x05, 0x00, 0x54, 0xB5, 0x25, 0x64, 0xB6,
+ 0x50, 0xE4, 0xF4, 0x9E, 0x42, 0xE3, 0x48, 0xD6, 0xAA, 0x38, 0xE0, 0x39, 0xE9, 0x57, 0xB1, 0xC1 },
+ 130 /* Bin Number */
+ },
+ {
+ /* thawte_Primary_Root_CA___G3 */
+ { 0x4B, 0x03, 0xF4, 0x58, 0x07, 0xAD, 0x70, 0xF2, 0x1B, 0xFC, 0x2C, 0xAE, 0x71, 0xC9, 0xFD, 0xE4,
+ 0x60, 0x4C, 0x06, 0x4C, 0xF5, 0xFF, 0xB6, 0x86, 0xBA, 0xE5, 0xDB, 0xAA, 0xD7, 0xFD, 0xD3, 0x4C },
+ 88 /* Bin Number */
+ },
+ {
+ /* Certification_Authority_of_WoSign */
+ { 0x4B, 0x22, 0xD5, 0xA6, 0xAE, 0xC9, 0x9F, 0x3C, 0xDB, 0x79, 0xAA, 0x5E, 0xC0, 0x68, 0x38, 0x47,
+ 0x9C, 0xD5, 0xEC, 0xBA, 0x71, 0x64, 0xF7, 0xF2, 0x2D, 0xC1, 0xD6, 0x5F, 0x63, 0xD8, 0x57, 0x08 },
+ 152 /* Bin Number */
+ },
+ {
+ /* Staat_der_Nederlanden_EV_Root_CA */
+ { 0x4D, 0x24, 0x91, 0x41, 0x4C, 0xFE, 0x95, 0x67, 0x46, 0xEC, 0x4C, 0xEF, 0xA6, 0xCF, 0x6F, 0x72,
+ 0xE2, 0x8A, 0x13, 0x29, 0x43, 0x2F, 0x9D, 0x8A, 0x90, 0x7A, 0xC4, 0xCB, 0x5D, 0xAD, 0xC1, 0x5A },
+ 160 /* Bin Number */
+ },
+ {
+ /* GlobalSign_Root_R46 */
+ { 0x4F, 0xA3, 0x12, 0x6D, 0x8D, 0x3A, 0x11, 0xD1, 0xC4, 0x85, 0x5A, 0x4F, 0x80, 0x7C, 0xBA, 0xD6,
+ 0xCF, 0x91, 0x9D, 0x3A, 0x5A, 0x88, 0xB0, 0x3B, 0xEA, 0x2C, 0x63, 0x72, 0xD9, 0x3C, 0x40, 0xC9 },
+ 221 /* Bin Number */
+ },
+ {
+ /* USERTrust_ECC_Certification_Authority */
+ { 0x4F, 0xF4, 0x60, 0xD5, 0x4B, 0x9C, 0x86, 0xDA, 0xBF, 0xBC, 0xFC, 0x57, 0x12, 0xE0, 0x40, 0x0D,
+ 0x2B, 0xED, 0x3F, 0xBC, 0x4D, 0x4F, 0xBD, 0xAA, 0x86, 0xE0, 0x6A, 0xDC, 0xD2, 0xA9, 0xAD, 0x7A },
+ 156 /* Bin Number */
+ },
+ {
+ /* ComSign_Secured_CA */
+ { 0x50, 0x79, 0x41, 0xC7, 0x44, 0x60, 0xA0, 0xB4, 0x70, 0x86, 0x22, 0x0D, 0x4E, 0x99, 0x32, 0x57,
+ 0x2A, 0xB5, 0xD1, 0xB5, 0xBB, 0xCB, 0x89, 0x80, 0xAB, 0x1C, 0xB1, 0x76, 0x51, 0xA8, 0x44, 0xD2 },
+ 76 /* Bin Number */
+ },
+ {
+ /* OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP */
+ { 0x51, 0x3B, 0x2C, 0xEC, 0xB8, 0x10, 0xD4, 0xCD, 0xE5, 0xDD, 0x85, 0x39, 0x1A, 0xDF, 0xC6, 0xC2,
+ 0xDD, 0x60, 0xD8, 0x7B, 0xB7, 0x36, 0xD2, 0xB5, 0x21, 0x48, 0x4A, 0xA4, 0x7A, 0x0E, 0xBE, 0xF6 },
+ 118 /* Bin Number */
+ },
+ {
+ /* COMODO_RSA_Certification_Authority */
+ { 0x52, 0xF0, 0xE1, 0xC4, 0xE5, 0x8E, 0xC6, 0x29, 0x29, 0x1B, 0x60, 0x31, 0x7F, 0x07, 0x46, 0x71,
+ 0xB8, 0x5D, 0x7E, 0xA8, 0x0D, 0x5B, 0x07, 0x27, 0x34, 0x63, 0x53, 0x4B, 0x32, 0xB4, 0x02, 0x34 },
+ 154 /* Bin Number */
+ },
+ {
+ /* LuxTrust_Global_Root_2 */
+ { 0x54, 0x45, 0x5F, 0x71, 0x29, 0xC2, 0x0B, 0x14, 0x47, 0xC4, 0x18, 0xF9, 0x97, 0x16, 0x8F, 0x24,
+ 0xC5, 0x8F, 0xC5, 0x02, 0x3B, 0xF5, 0xDA, 0x5B, 0xE2, 0xEB, 0x6E, 0x1D, 0xD8, 0x90, 0x2E, 0xD5 },
+ 187 /* Bin Number */
+ },
+ {
+ /* DigiCert_Trusted_Root_G4 */
+ { 0x55, 0x2F, 0x7B, 0xDC, 0xF1, 0xA7, 0xAF, 0x9E, 0x6C, 0xE6, 0x72, 0x01, 0x7F, 0x4F, 0x12, 0xAB,
+ 0xF7, 0x72, 0x40, 0xC7, 0x8E, 0x76, 0x1A, 0xC2, 0x03, 0xD1, 0xD9, 0xD2, 0x0A, 0xC8, 0x99, 0x88 },
+ 151 /* Bin Number */
+ },
+ {
+ /* AC_RAIZ_FNMT_RCM_SERVIDORES_SEGUROS */
+ { 0x55, 0x41, 0x53, 0xB1, 0x3D, 0x2C, 0xF9, 0xDD, 0xB7, 0x53, 0xBF, 0xBE, 0x1A, 0x4E, 0x0A, 0xE0,
+ 0x8D, 0x0A, 0xA4, 0x18, 0x70, 0x58, 0xFE, 0x60, 0xA2, 0xB8, 0x62, 0xB2, 0xE4, 0xB8, 0x7B, 0xCB },
+ 220 /* Bin Number */
+ },
+ {
+ /* Trustwave_Global_ECC_P384_Certification_Authority */
+ { 0x55, 0x90, 0x38, 0x59, 0xC8, 0xC0, 0xC3, 0xEB, 0xB8, 0x75, 0x9E, 0xCE, 0x4E, 0x25, 0x57, 0x22,
+ 0x5F, 0xF5, 0x75, 0x8B, 0xBD, 0x38, 0xEB, 0xD4, 0x82, 0x76, 0x60, 0x1E, 0x1B, 0xD5, 0x80, 0x97 },
+ 218 /* Bin Number */
+ },
+ {
+ /* Actalis_Authentication_Root_CA */
+ { 0x55, 0x92, 0x60, 0x84, 0xEC, 0x96, 0x3A, 0x64, 0xB9, 0x6E, 0x2A, 0xBE, 0x01, 0xCE, 0x0B, 0xA8,
+ 0x6A, 0x64, 0xFB, 0xFE, 0xBC, 0xC7, 0xAA, 0xB5, 0xAF, 0xC1, 0x55, 0xB3, 0x7F, 0xD7, 0x60, 0x66 },
+ 121 /* Bin Number */
+ },
+ {
+ /* Starfield_Services_Root_Certificate_Authority___G2 */
+ { 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02, 0x51, 0x90, 0xED, 0xCF, 0xED,
+ 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13, 0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 },
+ 108 /* Bin Number */
+ },
+ {
+ /* OpenTrust_Root_CA_G1 */
+ { 0x56, 0xC7, 0x71, 0x28, 0xD9, 0x8C, 0x18, 0xD9, 0x1B, 0x4C, 0xFD, 0xFF, 0xBC, 0x25, 0xEE, 0x91,
+ 0x03, 0xD4, 0x75, 0x8E, 0xA2, 0xAB, 0xAD, 0x82, 0x6A, 0x90, 0xF3, 0x45, 0x7D, 0x46, 0x0E, 0xB4 },
+ 178 /* Bin Number */
+ },
+ {
+ /* BJCA_Global_Root_CA2 */
+ { 0x57, 0x4D, 0xF6, 0x93, 0x1E, 0x27, 0x80, 0x39, 0x66, 0x7B, 0x72, 0x0A, 0xFD, 0xC1, 0x60, 0x0F,
+ 0xC2, 0x7E, 0xB6, 0x6D, 0xD3, 0x09, 0x29, 0x79, 0xFB, 0x73, 0x85, 0x64, 0x87, 0x21, 0x28, 0x82 },
+ 251 /* Bin Number */
+ },
+ {
+ /* Telekom_Security_TLS_ECC_Root_2020 */
+ { 0x57, 0x8A, 0xF4, 0xDE, 0xD0, 0x85, 0x3F, 0x4E, 0x59, 0x98, 0xDB, 0x4A, 0xEA, 0xF9, 0xCB, 0xEA,
+ 0x8D, 0x94, 0x5F, 0x60, 0xB6, 0x20, 0xA3, 0x8D, 0x1A, 0x3C, 0x13, 0xB2, 0xBC, 0x7B, 0xA8, 0xE1 },
+ 266 /* Bin Number */
+ },
+ {
+ /* Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 */
+ { 0x57, 0xDE, 0x05, 0x83, 0xEF, 0xD2, 0xB2, 0x6E, 0x03, 0x61, 0xDA, 0x99, 0xDA, 0x9D, 0xF4, 0x64,
+ 0x8D, 0xEF, 0x7E, 0xE8, 0x44, 0x1C, 0x3B, 0x72, 0x8A, 0xFA, 0x9B, 0xCD, 0xE0, 0xF9, 0xB2, 0x6A },
+ 230 /* Bin Number */
+ },
+ {
+ /* TWCA_Global_Root_CA */
+ { 0x59, 0x76, 0x90, 0x07, 0xF7, 0x68, 0x5D, 0x0F, 0xCD, 0x50, 0x87, 0x2F, 0x9F, 0x95, 0xD5, 0x75,
+ 0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B },
+ 139 /* Bin Number */
+ },
+ {
+ /* Hongkong_Post_Root_CA_3 */
+ { 0x5A, 0x2F, 0xC0, 0x3F, 0x0C, 0x83, 0xB0, 0x90, 0xBB, 0xFA, 0x40, 0x60, 0x4B, 0x09, 0x88, 0x44,
+ 0x6C, 0x76, 0x36, 0x18, 0x3D, 0xF9, 0x84, 0x6E, 0x17, 0x10, 0x1A, 0x44, 0x7F, 0xB8, 0xEF, 0xD6 },
+ 210 /* Bin Number */
+ },
+ {
+ /* TrustCor_ECA_1 */
+ { 0x5A, 0x88, 0x5D, 0xB1, 0x9C, 0x01, 0xD9, 0x12, 0xC5, 0x75, 0x93, 0x88, 0x93, 0x8C, 0xAF, 0xBB,
+ 0xDF, 0x03, 0x1A, 0xB2, 0xD4, 0x8E, 0x91, 0xEE, 0x15, 0x58, 0x9B, 0x42, 0x97, 0x1D, 0x03, 0x9C },
+ 192 /* Bin Number */
+ },
+ {
+ /* Certum_Trusted_Network_CA */
+ { 0x5C, 0x58, 0x46, 0x8D, 0x55, 0xF5, 0x8E, 0x49, 0x7E, 0x74, 0x39, 0x82, 0xD2, 0xB5, 0x00, 0x10,
+ 0xB6, 0xD1, 0x65, 0x37, 0x4A, 0xCF, 0x83, 0xA7, 0xD4, 0xA3, 0x2D, 0xB7, 0x68, 0xC4, 0x40, 0x8E },
+ 113 /* Bin Number */
+ },
+ {
+ /* CFCA_EV_ROOT */
+ { 0x5C, 0xC3, 0xD7, 0x8E, 0x4E, 0x1D, 0x5E, 0x45, 0x54, 0x7A, 0x04, 0xE6, 0x87, 0x3E, 0x64, 0xF9,
+ 0x0C, 0xF9, 0x53, 0x6D, 0x1C, 0xCC, 0x2E, 0xF8, 0x00, 0xF3, 0x55, 0xC4, 0xC5, 0xFD, 0x70, 0xFD },
+ 165 /* Bin Number */
+ },
+ {
+ /* IdenTrust_Commercial_Root_CA_1 */
+ { 0x5D, 0x56, 0x49, 0x9B, 0xE4, 0xD2, 0xE0, 0x8B, 0xCF, 0xCA, 0xD0, 0x8A, 0x3E, 0x38, 0x72, 0x3D,
+ 0x50, 0x50, 0x3B, 0xDE, 0x70, 0x69, 0x48, 0xE4, 0x2F, 0x55, 0x60, 0x30, 0x19, 0xE5, 0x28, 0xAE },
+ 161 /* Bin Number */
+ },
+ {
+ /* GeoTrust_Primary_Certification_Authority___G2 */
+ { 0x5E, 0xDB, 0x7A, 0xC4, 0x3B, 0x82, 0xA0, 0x6A, 0x87, 0x61, 0xE8, 0xD7, 0xBE, 0x49, 0x79, 0xEB,
+ 0xF2, 0x61, 0x1F, 0x7D, 0xD7, 0x9B, 0xF9, 0x1C, 0x1C, 0x6B, 0x56, 0x6A, 0x21, 0x9E, 0xD7, 0x66 },
+ 89 /* Bin Number */
+ },
+ {
+ /* Equifax_Secure_Global_eBusiness_CA_1 */
+ { 0x5F, 0x0B, 0x62, 0xEA, 0xB5, 0xE3, 0x53, 0xEA, 0x65, 0x21, 0x65, 0x16, 0x58, 0xFB, 0xB6, 0x53,
+ 0x59, 0xF4, 0x43, 0x28, 0x0A, 0x4A, 0xFB, 0xD1, 0x04, 0xD7, 0x7D, 0x10, 0xF9, 0xF0, 0x4C, 0x07 },
+ 12 /* Bin Number */
+ },
+ {
+ /* SwissSign_Gold_CA___G2 */
+ { 0x62, 0xDD, 0x0B, 0xE9, 0xB9, 0xF5, 0x0A, 0x16, 0x3E, 0xA0, 0xF8, 0xE7, 0x5C, 0x05, 0x3B, 0x1E,
+ 0xCA, 0x57, 0xEA, 0x55, 0xC8, 0x68, 0x8F, 0x64, 0x7C, 0x68, 0x81, 0xF2, 0xC8, 0x35, 0x7B, 0x95 },
+ 56 /* Bin Number */
+ },
+ {
+ /* OU_certSIGN_ROOT_CA_G2_O_CERTSIGN_SA_C_RO */
+ { 0x65, 0x7C, 0xFE, 0x2F, 0xA7, 0x3F, 0xAA, 0x38, 0x46, 0x25, 0x71, 0xF3, 0x32, 0xA2, 0x36, 0x3A,
+ 0x46, 0xFC, 0xE7, 0x02, 0x09, 0x51, 0x71, 0x07, 0x02, 0xCD, 0xFB, 0xB6, 0xEE, 0xDA, 0x33, 0x05 },
+ 215 /* Bin Number */
+ },
+ {
+ /* Staat_der_Nederlanden_Root_CA___G2 */
+ { 0x66, 0x8C, 0x83, 0x94, 0x7D, 0xA6, 0x3B, 0x72, 0x4B, 0xEC, 0xE1, 0x74, 0x3C, 0x31, 0xA0, 0xE6,
+ 0xAE, 0xD0, 0xDB, 0x8E, 0xC5, 0xB3, 0x1B, 0xE3, 0x77, 0xBB, 0x78, 0x4F, 0x91, 0xB6, 0x71, 0x6F },
+ 93 /* Bin Number */
+ },
+ {
+ /* AddTrust_External_CA_Root */
+ { 0x68, 0x7F, 0xA4, 0x51, 0x38, 0x22, 0x78, 0xFF, 0xF0, 0xC8, 0xB1, 0x1F, 0x8D, 0x43, 0xD5, 0x76,
+ 0x67, 0x1C, 0x6E, 0xB2, 0xBC, 0xEA, 0xB4, 0x13, 0xFB, 0x83, 0xD9, 0x65, 0xD0, 0x6D, 0x2F, 0xF2 },
+ 15 /* Bin Number */
+ },
+ {
+ /* ISRG_Root_X2 */
+ { 0x69, 0x72, 0x9B, 0x8E, 0x15, 0xA8, 0x6E, 0xFC, 0x17, 0x7A, 0x57, 0xAF, 0xB7, 0x17, 0x1D, 0xFC,
+ 0x64, 0xAD, 0xD2, 0x8C, 0x2F, 0xCA, 0x8C, 0xF1, 0x50, 0x7E, 0x34, 0x45, 0x3C, 0xCB, 0x14, 0x70 },
+ 233 /* Bin Number */
+ },
+ {
+ /* VeriSign_Class_3_Public_Primary_Certification_Authority___G4 */
+ { 0x69, 0xDD, 0xD7, 0xEA, 0x90, 0xBB, 0x57, 0xC9, 0x3E, 0x13, 0x5D, 0xC8, 0x5E, 0xA6, 0xFC, 0xD5,
+ 0x48, 0x0B, 0x60, 0x32, 0x39, 0xBD, 0xC4, 0x54, 0xFC, 0x75, 0x8B, 0x2A, 0x26, 0xCF, 0x7F, 0x79 },
+ 91 /* Bin Number */
+ },
+ {
+ /* Visa_eCommerce_Root */
+ { 0x69, 0xFA, 0xC9, 0xBD, 0x55, 0xFB, 0x0A, 0xC7, 0x8D, 0x53, 0xBB, 0xEE, 0x5C, 0xF1, 0xD5, 0x97,
+ 0x98, 0x9F, 0xD0, 0xAA, 0xAB, 0x20, 0xA2, 0x51, 0x51, 0xBD, 0xF1, 0x73, 0x3E, 0xE7, 0xD1, 0x22 },
+ 26 /* Bin Number */
+ },
+ {
+ /* Certum_EC_384_CA */
+ { 0x6B, 0x32, 0x80, 0x85, 0x62, 0x53, 0x18, 0xAA, 0x50, 0xD1, 0x73, 0xC9, 0x8D, 0x8B, 0xDA, 0x09,
+ 0xD5, 0x7E, 0x27, 0x41, 0x3D, 0x11, 0x4C, 0xF7, 0x87, 0xA0, 0xF5, 0xD0, 0x6C, 0x03, 0x0C, 0xF6 },
+ 225 /* Bin Number */
+ },
+ {
+ /* OISTE_WISeKey_Global_Root_GB_CA */
+ { 0x6B, 0x9C, 0x08, 0xE8, 0x6E, 0xB0, 0xF7, 0x67, 0xCF, 0xAD, 0x65, 0xCD, 0x98, 0xB6, 0x21, 0x49,
+ 0xE5, 0x49, 0x4A, 0x67, 0xF5, 0x84, 0x5E, 0x7B, 0xD1, 0xED, 0x01, 0x9F, 0x27, 0xB8, 0x6B, 0xD6 },
+ 169 /* Bin Number */
+ },
+ {
+ /* NetLock_Arany__Class_Gold__F_tan_s_tv_ny */
+ { 0x6C, 0x61, 0xDA, 0xC3, 0xA2, 0xDE, 0xF0, 0x31, 0x50, 0x6B, 0xE0, 0x36, 0xD2, 0xA6, 0xFE, 0x40,
+ 0x19, 0x94, 0xFB, 0xD1, 0x3D, 0xF9, 0xC8, 0xD4, 0x66, 0x59, 0x92, 0x74, 0xC4, 0x46, 0xEC, 0x98 },
+ 92 /* Bin Number */
+ },
+ {
+ /* Certplus_Root_CA_G2 */
+ { 0x6C, 0xC0, 0x50, 0x41, 0xE6, 0x44, 0x5E, 0x74, 0x69, 0x6C, 0x4C, 0xFB, 0xC9, 0xF8, 0x0F, 0x54,
+ 0x3B, 0x7E, 0xAB, 0xBB, 0x44, 0xB4, 0xCE, 0x6F, 0x78, 0x7C, 0x6A, 0x99, 0x71, 0xC4, 0x2F, 0x17 },
+ 177 /* Bin Number */
+ },
+ {
+ /* Entrust_net_Certification_Authority__2048_ */
+ { 0x6D, 0xC4, 0x71, 0x72, 0xE0, 0x1C, 0xBC, 0xB0, 0xBF, 0x62, 0x58, 0x0D, 0x89, 0x5F, 0xE2, 0xB8,
+ 0xAC, 0x9A, 0xD4, 0xF8, 0x73, 0x80, 0x1E, 0x0C, 0x10, 0xB9, 0xC8, 0x37, 0xD2, 0x1E, 0xB1, 0x77 },
+ 10 /* Bin Number */
+ },
+ {
+ /* UTN_USERFirst_Hardware */
+ { 0x6E, 0xA5, 0x47, 0x41, 0xD0, 0x04, 0x66, 0x7E, 0xED, 0x1B, 0x48, 0x16, 0x63, 0x4A, 0xA3, 0xA7,
+ 0x9E, 0x6E, 0x4B, 0x96, 0x95, 0x0F, 0x82, 0x79, 0xDA, 0xFC, 0x8D, 0x9B, 0xD8, 0x81, 0x21, 0x37 },
+ 38 /* Bin Number */
+ },
+ {
+ /* AffirmTrust_Premium */
+ { 0x70, 0xA7, 0x3F, 0x7F, 0x37, 0x6B, 0x60, 0x07, 0x42, 0x48, 0x90, 0x45, 0x34, 0xB1, 0x14, 0x82,
+ 0xD5, 0xBF, 0x0E, 0x69, 0x8E, 0xCC, 0x49, 0x8D, 0xF5, 0x25, 0x77, 0xEB, 0xF2, 0xE9, 0x3B, 0x9A },
+ 111 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R4 */
+ { 0x71, 0xCC, 0xA5, 0x39, 0x1F, 0x9E, 0x79, 0x4B, 0x04, 0x80, 0x25, 0x30, 0xB3, 0x63, 0xE1, 0x21,
+ 0xDA, 0x8A, 0x30, 0x43, 0xBB, 0x26, 0x66, 0x2F, 0xEA, 0x4D, 0xCA, 0x7F, 0xC9, 0x51, 0xA4, 0xBD },
+ 202 /* Bin Number */
+ },
+ {
+ /* Entrust_Root_Certification_Authority */
+ { 0x73, 0xC1, 0x76, 0x43, 0x4F, 0x1B, 0xC6, 0xD5, 0xAD, 0xF4, 0x5B, 0x0E, 0x76, 0xE7, 0x27, 0x28,
+ 0x7C, 0x8D, 0xE5, 0x76, 0x16, 0xC1, 0xE6, 0xE6, 0x14, 0x1A, 0x2B, 0x2C, 0xBC, 0x7D, 0x8E, 0x4C },
+ 18 /* Bin Number */
+ },
+ {
+ /* DigiCert_High_Assurance_EV_Root_CA */
+ { 0x74, 0x31, 0xE5, 0xF4, 0xC3, 0xC1, 0xCE, 0x46, 0x90, 0x77, 0x4F, 0x0B, 0x61, 0xE0, 0x54, 0x40,
+ 0x88, 0x3B, 0xA9, 0xA0, 0x1E, 0xD0, 0x0B, 0xA6, 0xAB, 0xD7, 0x80, 0x6E, 0xD3, 0xB1, 0x18, 0xCF },
+ 50 /* Bin Number */
+ },
+ {
+ /* O_Government_Root_Certification_Authority_C_TW */
+ { 0x76, 0x00, 0x29, 0x5E, 0xEF, 0xE8, 0x5B, 0x9E, 0x1F, 0xD6, 0x24, 0xDB, 0x76, 0x06, 0x2A, 0xAA,
+ 0xAE, 0x59, 0x81, 0x8A, 0x54, 0xD2, 0x77, 0x4C, 0xD4, 0xC0, 0xB2, 0xC0, 0x11, 0x31, 0xE1, 0xB3 },
+ 46 /* Bin Number */
+ },
+ {
+ /* DST_ACES_CA_X6 */
+ { 0x76, 0x7C, 0x95, 0x5A, 0x76, 0x41, 0x2C, 0x89, 0xAF, 0x68, 0x8E, 0x90, 0xA1, 0xC7, 0x0F, 0x55,
+ 0x6C, 0xFD, 0x6B, 0x60, 0x25, 0xDB, 0xEA, 0x10, 0x41, 0x6D, 0x7E, 0xB6, 0x83, 0x1F, 0x8C, 0x40 },
+ 53 /* Bin Number */
+ },
+ {
+ /* America_Online_Root_Certification_Authority_1 */
+ { 0x77, 0x40, 0x73, 0x12, 0xC6, 0x3A, 0x15, 0x3D, 0x5B, 0xC0, 0x0B, 0x4E, 0x51, 0x75, 0x9C, 0xDF,
+ 0xDA, 0xC2, 0x37, 0xDC, 0x2A, 0x33, 0xB6, 0x79, 0x46, 0xE9, 0x8E, 0x9B, 0xFA, 0x68, 0x0A, 0xE3 },
+ 24 /* Bin Number */
+ },
+ {
+ /* Certainly_Root_R1 */
+ { 0x77, 0xB8, 0x2C, 0xD8, 0x64, 0x4C, 0x43, 0x05, 0xF7, 0xAC, 0xC5, 0xCB, 0x15, 0x6B, 0x45, 0x67,
+ 0x50, 0x04, 0x03, 0x3D, 0x51, 0xC6, 0x0C, 0x62, 0x02, 0xA8, 0xE0, 0xC3, 0x34, 0x67, 0xD3, 0xA0 },
+ 245 /* Bin Number */
+ },
+ {
+ /* Sonera_Class2_CA */
+ { 0x79, 0x08, 0xB4, 0x03, 0x14, 0xC1, 0x38, 0x10, 0x0B, 0x51, 0x8D, 0x07, 0x35, 0x80, 0x7F, 0xFB,
+ 0xFC, 0xF8, 0x51, 0x8A, 0x00, 0x95, 0x33, 0x71, 0x05, 0xBA, 0x38, 0x6B, 0x15, 0x3D, 0xD9, 0x27 },
+ 35 /* Bin Number */
+ },
+ {
+ /* A_Trust_nQual_03 */
+ { 0x79, 0x3C, 0xBF, 0x45, 0x59, 0xB9, 0xFD, 0xE3, 0x8A, 0xB2, 0x2D, 0xF1, 0x68, 0x69, 0xF6, 0x98,
+ 0x81, 0xAE, 0x14, 0xC4, 0xB0, 0x13, 0x9A, 0xC7, 0x88, 0xA7, 0x8A, 0x1A, 0xFC, 0xCA, 0x02, 0xFB },
+ 116 /* Bin Number */
+ },
+ {
+ /* Sectigo_Public_Server_Authentication_Root_R46 */
+ { 0x7B, 0xB6, 0x47, 0xA6, 0x2A, 0xEE, 0xAC, 0x88, 0xBF, 0x25, 0x7A, 0xA5, 0x22, 0xD0, 0x1F, 0xFE,
+ 0xA3, 0x95, 0xE0, 0xAB, 0x45, 0xC7, 0x3F, 0x93, 0xF6, 0x56, 0x54, 0xEC, 0x38, 0xF2, 0x5A, 0x06 },
+ 253 /* Bin Number */
+ },
+ {
+ /* DigiCert_Assured_ID_Root_G2 */
+ { 0x7D, 0x05, 0xEB, 0xB6, 0x82, 0x33, 0x9F, 0x8C, 0x94, 0x51, 0xEE, 0x09, 0x4E, 0xEB, 0xFE, 0xFA,
+ 0x79, 0x53, 0xA1, 0x14, 0xED, 0xB2, 0xF4, 0x49, 0x49, 0x45, 0x2F, 0xAB, 0x7D, 0x2F, 0xC1, 0x85 },
+ 147 /* Bin Number */
+ },
+ {
+ /* America_Online_Root_Certification_Authority_2 */
+ { 0x7D, 0x3B, 0x46, 0x5A, 0x60, 0x14, 0xE5, 0x26, 0xC0, 0xAF, 0xFC, 0xEE, 0x21, 0x27, 0xD2, 0x31,
+ 0x17, 0x27, 0xAD, 0x81, 0x1C, 0x26, 0x84, 0x2D, 0x00, 0x6A, 0xF3, 0x73, 0x06, 0xCC, 0x80, 0xBD },
+ 25 /* Bin Number */
+ },
+ {
+ /* DigiCert_Assured_ID_Root_G3 */
+ { 0x7E, 0x37, 0xCB, 0x8B, 0x4C, 0x47, 0x09, 0x0C, 0xAB, 0x36, 0x55, 0x1B, 0xA6, 0xF4, 0x5D, 0xB8,
+ 0x40, 0x68, 0x0F, 0xBA, 0x16, 0x6A, 0x95, 0x2D, 0xB1, 0x00, 0x71, 0x7F, 0x43, 0x05, 0x3F, 0xC2 },
+ 148 /* Bin Number */
+ },
+ {
+ /* NetLock_Kozjegyzoi__Class_A__Tanusitvanykiado */
+ { 0x7F, 0x12, 0xCD, 0x5F, 0x7E, 0x5E, 0x29, 0x0E, 0xC7, 0xD8, 0x51, 0x79, 0xD5, 0xB7, 0x2C, 0x20,
+ 0xA5, 0xBE, 0x75, 0x08, 0xFF, 0xDB, 0x5B, 0xF8, 0x1A, 0xB9, 0x68, 0x4A, 0x7F, 0xC9, 0xF6, 0x67 },
+ 41 /* Bin Number */
+ },
+ {
+ /* AddTrust_Qualified_CA_Root */
+ { 0x80, 0x95, 0x21, 0x08, 0x05, 0xDB, 0x4B, 0xBC, 0x35, 0x5E, 0x44, 0x28, 0xD8, 0xFD, 0x6E, 0xC2,
+ 0xCD, 0xE3, 0xAB, 0x5F, 0xB9, 0x7A, 0x99, 0x42, 0x98, 0x8E, 0xB8, 0xF4, 0xDC, 0xD0, 0x60, 0x16 },
+ 17 /* Bin Number */
+ },
+ {
+ /* Atos_TrustedRoot_Root_CA_RSA_TLS_2021 */
+ { 0x81, 0xA9, 0x08, 0x8E, 0xA5, 0x9F, 0xB3, 0x64, 0xC5, 0x48, 0xA6, 0xF8, 0x55, 0x59, 0x09, 0x9B,
+ 0x6F, 0x04, 0x05, 0xEF, 0xBF, 0x18, 0xE5, 0x32, 0x4E, 0xC9, 0xF4, 0x57, 0xBA, 0x00, 0x11, 0x2F },
+ 257 /* Bin Number */
+ },
+ {
+ /* OU_VeriSign_Trust_Network_OU___c__1998_VeriSign__Inc____For_authorized_use_only__OU_Class_3_Public_Primary_Certification_Authority___G2_O__VeriSign__Inc___C_US */
+ { 0x83, 0xCE, 0x3C, 0x12, 0x29, 0x68, 0x8A, 0x59, 0x3D, 0x48, 0x5F, 0x81, 0x97, 0x3C, 0x0F, 0x91,
+ 0x95, 0x43, 0x1E, 0xDA, 0x37, 0xCC, 0x5E, 0x36, 0x43, 0x0E, 0x79, 0xC7, 0xA8, 0x88, 0x63, 0x8B },
+ 5 /* Bin Number */
+ },
+ {
+ /* OISTE_WISeKey_Global_Root_GC_CA */
+ { 0x85, 0x60, 0xF9, 0x1C, 0x36, 0x24, 0xDA, 0xBA, 0x95, 0x70, 0xB5, 0xFE, 0xA0, 0xDB, 0xE3, 0x6F,
+ 0xF1, 0x1A, 0x83, 0x23, 0xBE, 0x94, 0x86, 0x85, 0x4F, 0xB3, 0xF3, 0x4A, 0x55, 0x71, 0x19, 0x8D },
+ 198 /* Bin Number */
+ },
+ {
+ /* SSL_com_Root_Certification_Authority_RSA */
+ { 0x85, 0x66, 0x6A, 0x56, 0x2E, 0xE0, 0xBE, 0x5C, 0xE9, 0x25, 0xC1, 0xD8, 0x89, 0x0A, 0x6F, 0x76,
+ 0xA8, 0x7E, 0xC1, 0x6D, 0x4D, 0x7D, 0x5F, 0x29, 0xEA, 0x74, 0x19, 0xCF, 0x20, 0x12, 0x3B, 0x69 },
+ 193 /* Bin Number */
+ },
+ {
+ /* QuoVadis_Root_CA_2 */
+ { 0x85, 0xA0, 0xDD, 0x7D, 0xD7, 0x20, 0xAD, 0xB7, 0xFF, 0x05, 0xF8, 0x3D, 0x54, 0x2B, 0x20, 0x9D,
+ 0xC7, 0xFF, 0x45, 0x28, 0xF7, 0xD6, 0x77, 0xB1, 0x83, 0x89, 0xFE, 0xA5, 0xE5, 0xC4, 0x9E, 0x86 },
+ 32 /* Bin Number */
+ },
+ {
+ /* UTN___DATACorp_SGC */
+ { 0x85, 0xFB, 0x2F, 0x91, 0xDD, 0x12, 0x27, 0x5A, 0x01, 0x45, 0xB6, 0x36, 0x53, 0x4F, 0x84, 0x02,
+ 0x4A, 0xD6, 0x8B, 0x69, 0xB8, 0xEE, 0x88, 0x68, 0x4F, 0xF7, 0x11, 0x37, 0x58, 0x05, 0xB3, 0x48 },
+ 37 /* Bin Number */
+ },
+ {
+ /* emSign_ECC_Root_CA___G3 */
+ { 0x86, 0xA1, 0xEC, 0xBA, 0x08, 0x9C, 0x4A, 0x8D, 0x3B, 0xBE, 0x27, 0x34, 0xC6, 0x12, 0xBA, 0x34,
+ 0x1D, 0x81, 0x3E, 0x04, 0x3C, 0xF9, 0xE8, 0xA8, 0x62, 0xCD, 0x5C, 0x57, 0xA3, 0x6B, 0xBE, 0x6B },
+ 207 /* Bin Number */
+ },
+ {
+ /* E_Tugra_Global_Root_CA_ECC_v3 */
+ { 0x87, 0x3F, 0x46, 0x85, 0xFA, 0x7F, 0x56, 0x36, 0x25, 0x25, 0x2E, 0x6D, 0x36, 0xBC, 0xD7, 0xF1,
+ 0x6F, 0xC2, 0x49, 0x51, 0xF2, 0x64, 0xE4, 0x7E, 0x1B, 0x95, 0x4F, 0x49, 0x08, 0xCD, 0xCA, 0x13 },
+ 248 /* Bin Number */
+ },
+ {
+ /* EC_ACC */
+ { 0x88, 0x49, 0x7F, 0x01, 0x60, 0x2F, 0x31, 0x54, 0x24, 0x6A, 0xE2, 0x8C, 0x4D, 0x5A, 0xEF, 0x10,
+ 0xF1, 0xD8, 0x7E, 0xBB, 0x76, 0x62, 0x6F, 0x4A, 0xE0, 0xB7, 0xF9, 0x5B, 0xA7, 0x96, 0x87, 0x99 },
+ 119 /* Bin Number */
+ },
+ {
+ /* QuoVadis_Root_CA_3_G3 */
+ { 0x88, 0xEF, 0x81, 0xDE, 0x20, 0x2E, 0xB0, 0x18, 0x45, 0x2E, 0x43, 0xF8, 0x64, 0x72, 0x5C, 0xEA,
+ 0x5F, 0xBD, 0x1F, 0xC2, 0xD9, 0xD2, 0x05, 0x73, 0x07, 0x09, 0xC5, 0xD8, 0xB8, 0x69, 0x0F, 0x46 },
+ 146 /* Bin Number */
+ },
+ {
+ /* NAVER_Global_Root_Certification_Authority */
+ { 0x88, 0xF4, 0x38, 0xDC, 0xF8, 0xFF, 0xD1, 0xFA, 0x8F, 0x42, 0x91, 0x15, 0xFF, 0xE5, 0xF8, 0x2A,
+ 0xE1, 0xE0, 0x6E, 0x0C, 0x70, 0xC3, 0x75, 0xFA, 0xAD, 0x71, 0x7B, 0x34, 0xA4, 0x9E, 0x72, 0x65 },
+ 219 /* Bin Number */
+ },
+ {
+ /* vTrus_Root_CA */
+ { 0x8A, 0x71, 0xDE, 0x65, 0x59, 0x33, 0x6F, 0x42, 0x6C, 0x26, 0xE5, 0x38, 0x80, 0xD0, 0x0D, 0x88,
+ 0xA1, 0x8D, 0xA4, 0xC6, 0xA9, 0x1F, 0x0D, 0xCB, 0x61, 0x94, 0xE2, 0x06, 0xC5, 0xC9, 0x63, 0x87 },
+ 232 /* Bin Number */
+ },
+ {
+ /* QuoVadis_Root_CA_1_G3 */
+ { 0x8A, 0x86, 0x6F, 0xD1, 0xB2, 0x76, 0xB5, 0x7E, 0x57, 0x8E, 0x92, 0x1C, 0x65, 0x82, 0x8A, 0x2B,
+ 0xED, 0x58, 0xE9, 0xF2, 0xF2, 0x88, 0x05, 0x41, 0x34, 0xB7, 0xF1, 0xF4, 0xBF, 0xC9, 0xCC, 0x74 },
+ 144 /* Bin Number */
+ },
+ {
+ /* CA_WoSign_ECC_Root */
+ { 0x8B, 0x45, 0xDA, 0x1C, 0x06, 0xF7, 0x91, 0xEB, 0x0C, 0xAB, 0xF2, 0x6B, 0xE5, 0x88, 0xF5, 0xFB,
+ 0x23, 0x16, 0x5C, 0x2E, 0x61, 0x4B, 0xF8, 0x85, 0x56, 0x2D, 0x0D, 0xCE, 0x50, 0xB2, 0x9B, 0x02 },
+ 171 /* Bin Number */
+ },
+ {
+ /* Root_CA_Generalitat_Valenciana */
+ { 0x8C, 0x4E, 0xDF, 0xD0, 0x43, 0x48, 0xF3, 0x22, 0x96, 0x9E, 0x7E, 0x29, 0xA4, 0xCD, 0x4D, 0xCA,
+ 0x00, 0x46, 0x55, 0x06, 0x1C, 0x16, 0xE1, 0xB0, 0x76, 0x42, 0x2E, 0xF3, 0x42, 0xAD, 0x63, 0x0E },
+ 115 /* Bin Number */
+ },
+ {
+ /* AddTrust_Class_1_CA_Root */
+ { 0x8C, 0x72, 0x09, 0x27, 0x9A, 0xC0, 0x4E, 0x27, 0x5E, 0x16, 0xD0, 0x7F, 0xD3, 0xB7, 0x75, 0xE8,
+ 0x01, 0x54, 0xB5, 0x96, 0x80, 0x46, 0xE3, 0x1F, 0x52, 0xDD, 0x25, 0x76, 0x63, 0x24, 0xE9, 0xA7 },
+ 14 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R2 */
+ { 0x8D, 0x25, 0xCD, 0x97, 0x22, 0x9D, 0xBF, 0x70, 0x35, 0x6B, 0xDA, 0x4E, 0xB3, 0xCC, 0x73, 0x40,
+ 0x31, 0xE2, 0x4C, 0xF0, 0x0F, 0xAF, 0xCF, 0xD3, 0x2D, 0xC7, 0x6E, 0xB5, 0x84, 0x1C, 0x7E, 0xA8 },
+ 237 /* Bin Number */
+ },
+ {
+ /* thawte_Primary_Root_CA */
+ { 0x8D, 0x72, 0x2F, 0x81, 0xA9, 0xC1, 0x13, 0xC0, 0x79, 0x1D, 0xF1, 0x36, 0xA2, 0x96, 0x6D, 0xB2,
+ 0x6C, 0x95, 0x0A, 0x97, 0x1D, 0xB4, 0x6B, 0x41, 0x99, 0xF4, 0xEA, 0x54, 0xB7, 0x8B, 0xFB, 0x9F },
+ 59 /* Bin Number */
+ },
+ {
+ /* TC_TrustCenter_Class_3_CA_II */
+ { 0x8D, 0xA0, 0x84, 0xFC, 0xF9, 0x9C, 0xE0, 0x77, 0x22, 0xF8, 0x9B, 0x32, 0x05, 0x93, 0x98, 0x06,
+ 0xFA, 0x5C, 0xB8, 0x11, 0xE1, 0xC8, 0x13, 0xF6, 0xA1, 0x08, 0xC7, 0xD3, 0x36, 0xB3, 0x40, 0x8E },
+ 73 /* Bin Number */
+ },
+ {
+ /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H6 */
+ { 0x8D, 0xE7, 0x86, 0x55, 0xE1, 0xBE, 0x7F, 0x78, 0x47, 0x80, 0x0B, 0x93, 0xF6, 0x94, 0xD2, 0x1D,
+ 0x36, 0x8C, 0xC0, 0x6E, 0x03, 0x3E, 0x7F, 0xAB, 0x04, 0xBB, 0x5E, 0xB9, 0x9D, 0xA6, 0xB7, 0x00 },
+ 167 /* Bin Number */
+ },
+ {
+ /* Amazon_Root_CA_1 */
+ { 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3, 0x1A, 0xC3, 0xFC, 0xB1, 0x3D,
+ 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC, 0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E },
+ 183 /* Bin Number */
+ },
+ {
+ /* SSL_com_TLS_RSA_Root_CA_2022 */
+ { 0x8F, 0xAF, 0x7D, 0x2E, 0x2C, 0xB4, 0x70, 0x9B, 0xB8, 0xE0, 0xB3, 0x36, 0x66, 0xBF, 0x75, 0xA5,
+ 0xDD, 0x45, 0xB5, 0xDE, 0x48, 0x0F, 0x8E, 0xA8, 0xD4, 0xBF, 0xE6, 0xBE, 0xBC, 0x17, 0xF2, 0xED },
+ 255 /* Bin Number */
+ },
+ {
+ /* QuoVadis_Root_CA_2_G3 */
+ { 0x8F, 0xE4, 0xFB, 0x0A, 0xF9, 0x3A, 0x4D, 0x0D, 0x67, 0xDB, 0x0B, 0xEB, 0xB2, 0x3E, 0x37, 0xC7,
+ 0x1B, 0xF3, 0x25, 0xDC, 0xBC, 0xDD, 0x24, 0x0E, 0xA0, 0x4D, 0xAF, 0x58, 0xB4, 0x7E, 0x18, 0x40 },
+ 145 /* Bin Number */
+ },
+ {
+ /* T_TeleSec_GlobalRoot_Class_2 */
+ { 0x91, 0xE2, 0xF5, 0x78, 0x8D, 0x58, 0x10, 0xEB, 0xA7, 0xBA, 0x58, 0x73, 0x7D, 0xE1, 0x54, 0x8A,
+ 0x8E, 0xCA, 0xCD, 0x01, 0x45, 0x98, 0xBC, 0x0B, 0x14, 0x3E, 0x04, 0x1B, 0x17, 0x05, 0x25, 0x52 },
+ 142 /* Bin Number */
+ },
+ {
+ /* CA_Disig */
+ { 0x92, 0xBF, 0x51, 0x19, 0xAB, 0xEC, 0xCA, 0xD0, 0xB1, 0x33, 0x2D, 0xC4, 0xE1, 0xD0, 0x5F, 0xBA,
+ 0x75, 0xB5, 0x67, 0x90, 0x44, 0xEE, 0x0C, 0xA2, 0x6E, 0x93, 0x1F, 0x74, 0x4F, 0x2F, 0x33, 0xCF },
+ 94 /* Bin Number */
+ },
+ {
+ /* Trustwave_Global_ECC_P256_Certification_Authority */
+ { 0x94, 0x5B, 0xBC, 0x82, 0x5E, 0xA5, 0x54, 0xF4, 0x89, 0xD1, 0xFD, 0x51, 0xA7, 0x3D, 0xDF, 0x2E,
+ 0xA6, 0x24, 0xAC, 0x70, 0x19, 0xA0, 0x52, 0x05, 0x22, 0x5C, 0x22, 0xA7, 0x8C, 0xCF, 0xA8, 0xB4 },
+ 217 /* Bin Number */
+ },
+ {
+ /* Cybertrust_Global_Root */
+ { 0x96, 0x0A, 0xDF, 0x00, 0x63, 0xE9, 0x63, 0x56, 0x75, 0x0C, 0x29, 0x65, 0xDD, 0x0A, 0x08, 0x67,
+ 0xDA, 0x0B, 0x9C, 0xBD, 0x6E, 0x77, 0x71, 0x4A, 0xEA, 0xFB, 0x23, 0x49, 0xAB, 0x39, 0x3D, 0xA3 },
+ 77 /* Bin Number */
+ },
+ {
+ /* ISRG_Root_X1 */
+ { 0x96, 0xBC, 0xEC, 0x06, 0x26, 0x49, 0x76, 0xF3, 0x74, 0x60, 0x77, 0x9A, 0xCF, 0x28, 0xC5, 0xA7,
+ 0xCF, 0xE8, 0xA3, 0xC0, 0xAA, 0xE1, 0x1A, 0x8F, 0xFC, 0xEE, 0x05, 0xC0, 0xBD, 0xDF, 0x08, 0xC6 },
+ 181 /* Bin Number */
+ },
+ {
+ /* Trustwave_Global_Certification_Authority */
+ { 0x97, 0x55, 0x20, 0x15, 0xF5, 0xDD, 0xFC, 0x3C, 0x87, 0x88, 0xC0, 0x06, 0x94, 0x45, 0x55, 0x40,
+ 0x88, 0x94, 0x45, 0x00, 0x84, 0xF1, 0x00, 0x86, 0x70, 0x86, 0xBC, 0x1A, 0x2B, 0xB5, 0x8D, 0xC8 },
+ 216 /* Bin Number */
+ },
+ {
+ /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */
+ { 0x97, 0x8C, 0xD9, 0x66, 0xF2, 0xFA, 0xA0, 0x7B, 0xA7, 0xAA, 0x95, 0x00, 0xD9, 0xC0, 0x2E, 0x9D,
+ 0x77, 0xF2, 0xCD, 0xAD, 0xA6, 0xAD, 0x6B, 0xA7, 0x4A, 0xF4, 0xB9, 0x1C, 0x66, 0x59, 0x3C, 0x50 },
+ 129 /* Bin Number */
+ },
+ {
+ /* Buypass_Class_2_Root_CA */
+ { 0x9A, 0x11, 0x40, 0x25, 0x19, 0x7C, 0x5B, 0xB9, 0x5D, 0x94, 0xE6, 0x3D, 0x55, 0xCD, 0x43, 0x79,
+ 0x08, 0x47, 0xB6, 0x46, 0xB2, 0x3C, 0xDF, 0x11, 0xAD, 0xA4, 0xA0, 0x0E, 0xFF, 0x15, 0xFB, 0x48 },
+ 125 /* Bin Number */
+ },
+ {
+ /* GLOBALTRUST_2020 */
+ { 0x9A, 0x29, 0x6A, 0x51, 0x82, 0xD1, 0xD4, 0x51, 0xA2, 0xE3, 0x7F, 0x43, 0x9B, 0x74, 0xDA, 0xAF,
+ 0xA2, 0x67, 0x52, 0x33, 0x29, 0xF9, 0x0F, 0x9A, 0x0D, 0x20, 0x07, 0xC3, 0x34, 0xE2, 0x3C, 0x9A },
+ 223 /* Bin Number */
+ },
+ {
+ /* ACCVRAIZ1 */
+ { 0x9A, 0x6E, 0xC0, 0x12, 0xE1, 0xA7, 0xDA, 0x9D, 0xBE, 0x34, 0x19, 0x4D, 0x47, 0x8A, 0xD7, 0xC0,
+ 0xDB, 0x18, 0x22, 0xFB, 0x07, 0x1D, 0xF1, 0x29, 0x81, 0x49, 0x6E, 0xD1, 0x04, 0x38, 0x41, 0x13 },
+ 138 /* Bin Number */
+ },
+ {
+ /* VeriSign_Class_3_Public_Primary_Certification_Authority___G5 */
+ { 0x9A, 0xCF, 0xAB, 0x7E, 0x43, 0xC8, 0xD8, 0x80, 0xD0, 0x6B, 0x26, 0x2A, 0x94, 0xDE, 0xEE, 0xE4,
+ 0xB4, 0x65, 0x99, 0x89, 0xC3, 0xD0, 0xCA, 0xF1, 0x9B, 0xAF, 0x64, 0x05, 0xE4, 0x1A, 0xB7, 0xDF },
+ 60 /* Bin Number */
+ },
+ {
+ /* UCA_Global_G2_Root */
+ { 0x9B, 0xEA, 0x11, 0xC9, 0x76, 0xFE, 0x01, 0x47, 0x64, 0xC1, 0xBE, 0x56, 0xA6, 0xF9, 0x14, 0xB5,
+ 0xA5, 0x60, 0x31, 0x7A, 0xBD, 0x99, 0x88, 0x39, 0x33, 0x82, 0xE5, 0x16, 0x1A, 0xA0, 0x49, 0x3C },
+ 203 /* Bin Number */
+ },
+ {
+ /* GeoTrust_Universal_CA_2 */
+ { 0xA0, 0x23, 0x4F, 0x3B, 0xC8, 0x52, 0x7C, 0xA5, 0x62, 0x8E, 0xEC, 0x81, 0xAD, 0x5D, 0x69, 0x89,
+ 0x5D, 0xA5, 0x68, 0x0D, 0xC9, 0x1D, 0x1C, 0xB8, 0x47, 0x7F, 0x33, 0xF8, 0x78, 0xB9, 0x5B, 0x0B },
+ 23 /* Bin Number */
+ },
+ {
+ /* Hellenic_Academic_and_Research_Institutions_RootCA_2015 */
+ { 0xA0, 0x40, 0x92, 0x9A, 0x02, 0xCE, 0x53, 0xB4, 0xAC, 0xF4, 0xF2, 0xFF, 0xC6, 0x98, 0x1C, 0xE4,
+ 0x49, 0x6F, 0x75, 0x5E, 0x6D, 0x45, 0xFE, 0x0B, 0x2A, 0x69, 0x2B, 0xCD, 0x52, 0x52, 0x3F, 0x36 },
+ 174 /* Bin Number */
+ },
+ {
+ /* GeoTrust_Universal_CA */
+ { 0xA0, 0x45, 0x9B, 0x9F, 0x63, 0xB2, 0x25, 0x59, 0xF5, 0xFA, 0x5D, 0x4C, 0x6D, 0xB3, 0xF9, 0xF7,
+ 0x2F, 0xF1, 0x93, 0x42, 0x03, 0x35, 0x78, 0xF0, 0x73, 0xBF, 0x1D, 0x1B, 0x46, 0xCB, 0xB9, 0x12 },
+ 22 /* Bin Number */
+ },
+ {
+ /* SZAFIR_ROOT_CA2 */
+ { 0xA1, 0x33, 0x9D, 0x33, 0x28, 0x1A, 0x0B, 0x56, 0xE5, 0x57, 0xD3, 0xD3, 0x2B, 0x1C, 0xE7, 0xF9,
+ 0x36, 0x7E, 0xB0, 0x94, 0xBD, 0x5F, 0xA7, 0x2A, 0x7E, 0x50, 0x04, 0xC8, 0xDE, 0xD7, 0xCA, 0xFE },
+ 172 /* Bin Number */
+ },
+ {
+ /* OU_Security_Communication_EV_RootCA1_O__SECOM_Trust_Systems_CO__LTD___C_JP */
+ { 0xA2, 0x2D, 0xBA, 0x68, 0x1E, 0x97, 0x37, 0x6E, 0x2D, 0x39, 0x7D, 0x72, 0x8A, 0xAE, 0x3A, 0x9B,
+ 0x62, 0x96, 0xB9, 0xFD, 0xBA, 0x60, 0xBC, 0x2E, 0x11, 0xF6, 0x47, 0xF2, 0xC6, 0x75, 0xFB, 0x37 },
+ 68 /* Bin Number */
+ },
+ {
+ /* thawte_Primary_Root_CA___G2 */
+ { 0xA4, 0x31, 0x0D, 0x50, 0xAF, 0x18, 0xA6, 0x44, 0x71, 0x90, 0x37, 0x2A, 0x86, 0xAF, 0xAF, 0x8B,
+ 0x95, 0x1F, 0xFB, 0x43, 0x1D, 0x83, 0x7F, 0x1E, 0x56, 0x88, 0xB4, 0x59, 0x71, 0xED, 0x15, 0x57 },
+ 87 /* Bin Number */
+ },
+ {
+ /* QuoVadis_Root_Certification_Authority */
+ { 0xA4, 0x5E, 0xDE, 0x3B, 0xBB, 0xF0, 0x9C, 0x8A, 0xE1, 0x5C, 0x72, 0xEF, 0xC0, 0x72, 0x68, 0xD6,
+ 0x93, 0xA2, 0x1C, 0x99, 0x6F, 0xD5, 0x1E, 0x67, 0xCA, 0x07, 0x94, 0x60, 0xFD, 0x6D, 0x88, 0x73 },
+ 31 /* Bin Number */
+ },
+ {
+ /* WellsSecure_Public_Root_Certificate_Authority */
+ { 0xA7, 0x12, 0x72, 0xAE, 0xAA, 0xA3, 0xCF, 0xE8, 0x72, 0x7F, 0x7F, 0xB3, 0x9F, 0x0F, 0xB3, 0xD1,
+ 0xE5, 0x42, 0x6E, 0x90, 0x60, 0xB0, 0x6E, 0xE6, 0xF1, 0x3E, 0x9A, 0x3C, 0x58, 0x33, 0xCD, 0x43 },
+ 65 /* Bin Number */
+ },
+ {
+ /* OU_RSA_Security_2048_V3_O_RSA_Security_Inc */
+ { 0xAF, 0x8B, 0x67, 0x62, 0xA1, 0xE5, 0x28, 0x22, 0x81, 0x61, 0xA9, 0x5D, 0x5C, 0x55, 0x9E, 0xE2,
+ 0x66, 0x27, 0x8F, 0x75, 0xD7, 0x9E, 0x83, 0x01, 0x89, 0xA5, 0x03, 0x50, 0x6A, 0xBD, 0x6B, 0x4C },
+ 19 /* Bin Number */
+ },
+ {
+ /* GlobalSign */
+ { 0xB0, 0x85, 0xD7, 0x0B, 0x96, 0x4F, 0x19, 0x1A, 0x73, 0xE4, 0xAF, 0x0D, 0x54, 0xAE, 0x7A, 0x0E,
+ 0x07, 0xAA, 0xFD, 0xAF, 0x9B, 0x71, 0xDD, 0x08, 0x62, 0x13, 0x8A, 0xB7, 0x32, 0x5A, 0x24, 0xA2 },
+ 235 /* Bin Number */
+ },
+ {
+ /* E_Tugra_Certification_Authority */
+ { 0xB0, 0xBF, 0xD5, 0x2B, 0xB0, 0xD7, 0xD9, 0xBD, 0x92, 0xBF, 0x5D, 0x4D, 0xC1, 0x3D, 0xA2, 0x55,
+ 0xC0, 0x2C, 0x54, 0x2F, 0x37, 0x83, 0x65, 0xEA, 0x89, 0x39, 0x11, 0xF5, 0x5E, 0x55, 0xF2, 0x3C },
+ 141 /* Bin Number */
+ },
+ {
+ /* Atos_TrustedRoot_Root_CA_ECC_TLS_2021 */
+ { 0xB2, 0xFA, 0xE5, 0x3E, 0x14, 0xCC, 0xD7, 0xAB, 0x92, 0x12, 0x06, 0x47, 0x01, 0xAE, 0x27, 0x9C,
+ 0x1D, 0x89, 0x88, 0xFA, 0xCB, 0x77, 0x5F, 0xA8, 0xA0, 0x08, 0x91, 0x4E, 0x66, 0x39, 0x88, 0xA8 },
+ 258 /* Bin Number */
+ },
+ {
+ /* Certainly_Root_E1 */
+ { 0xB4, 0x58, 0x5F, 0x22, 0xE4, 0xAC, 0x75, 0x6A, 0x4E, 0x86, 0x12, 0xA1, 0x36, 0x1C, 0x5D, 0x9D,
+ 0x03, 0x1A, 0x93, 0xFD, 0x84, 0xFE, 0xBB, 0x77, 0x8F, 0xA3, 0x06, 0x8B, 0x0F, 0xC4, 0x2D, 0xC2 },
+ 246 /* Bin Number */
+ },
+ {
+ /* GeoTrust_Primary_Certification_Authority___G3 */
+ { 0xB4, 0x78, 0xB8, 0x12, 0x25, 0x0D, 0xF8, 0x78, 0x63, 0x5C, 0x2A, 0xA7, 0xEC, 0x7D, 0x15, 0x5E,
+ 0xAA, 0x62, 0x5E, 0xE8, 0x29, 0x16, 0xE2, 0xCD, 0x29, 0x43, 0x61, 0x88, 0x6C, 0xD1, 0xFB, 0xD4 },
+ 86 /* Bin Number */
+ },
+ {
+ /* Deutsche_Telekom_Root_CA_2 */
+ { 0xB6, 0x19, 0x1A, 0x50, 0xD0, 0xC3, 0x97, 0x7F, 0x7D, 0xA9, 0x9B, 0xCD, 0xAA, 0xC8, 0x6A, 0x22,
+ 0x7D, 0xAE, 0xB9, 0x67, 0x9E, 0xC7, 0x0B, 0xA3, 0xB0, 0xC9, 0xD9, 0x22, 0x71, 0xC1, 0x70, 0xD3 },
+ 75 /* Bin Number */
+ },
+ {
+ /* Certum_Trusted_Network_CA_2 */
+ { 0xB6, 0x76, 0xF2, 0xED, 0xDA, 0xE8, 0x77, 0x5C, 0xD3, 0x6C, 0xB0, 0xF6, 0x3C, 0xD1, 0xD4, 0x60,
+ 0x39, 0x61, 0xF4, 0x9E, 0x62, 0x65, 0xBA, 0x01, 0x3A, 0x2F, 0x03, 0x07, 0xB6, 0xD0, 0xB8, 0x04 },
+ 173 /* Bin Number */
+ },
+ {
+ /* Buypass_Class_3_CA_1 */
+ { 0xB7, 0xB1, 0x2B, 0x17, 0x1F, 0x82, 0x1D, 0xAA, 0x99, 0x0C, 0xD0, 0xFE, 0x50, 0x87, 0xB1, 0x28,
+ 0x44, 0x8B, 0xA8, 0xE5, 0x18, 0x4F, 0x84, 0xC5, 0x1E, 0x02, 0xB5, 0xC8, 0xFB, 0x96, 0x2B, 0x24 },
+ 81 /* Bin Number */
+ },
+ {
+ /* OpenTrust_Root_CA_G3 */
+ { 0xB7, 0xC3, 0x62, 0x31, 0x70, 0x6E, 0x81, 0x07, 0x8C, 0x36, 0x7C, 0xB8, 0x96, 0x19, 0x8F, 0x1E,
+ 0x32, 0x08, 0xDD, 0x92, 0x69, 0x49, 0xDD, 0x8F, 0x57, 0x09, 0xA4, 0x10, 0xF7, 0x5B, 0x62, 0x92 },
+ 180 /* Bin Number */
+ },
+ {
+ /* IGC_A */
+ { 0xB9, 0xBE, 0xA7, 0x86, 0x0A, 0x96, 0x2E, 0xA3, 0x61, 0x1D, 0xAB, 0x97, 0xAB, 0x6D, 0xA3, 0xE2,
+ 0x1C, 0x10, 0x68, 0xB9, 0x7D, 0x55, 0x57, 0x5E, 0xD0, 0xE1, 0x12, 0x79, 0xC1, 0x1C, 0x89, 0x32 },
+ 67 /* Bin Number */
+ },
+ {
+ /* Hellenic_Academic_and_Research_Institutions_RootCA_2011 */
+ { 0xBC, 0x10, 0x4F, 0x15, 0xA4, 0x8B, 0xE7, 0x09, 0xDC, 0xA5, 0x42, 0xA7, 0xE1, 0xD4, 0xB9, 0xDF,
+ 0x6F, 0x05, 0x45, 0x27, 0xE8, 0x02, 0xEA, 0xA9, 0x2D, 0x59, 0x54, 0x44, 0x25, 0x8A, 0xFE, 0x71 },
+ 120 /* Bin Number */
+ },
+ {
+ /* emSign_ECC_Root_CA___C3 */
+ { 0xBC, 0x4D, 0x80, 0x9B, 0x15, 0x18, 0x9D, 0x78, 0xDB, 0x3E, 0x1D, 0x8C, 0xF4, 0xF9, 0x72, 0x6A,
+ 0x79, 0x5D, 0xA1, 0x64, 0x3C, 0xA5, 0xF1, 0x35, 0x8E, 0x1D, 0xDB, 0x0E, 0xDC, 0x0D, 0x7E, 0xB3 },
+ 209 /* Bin Number */
+ },
+ {
+ /* AffirmTrust_Premium_ECC */
+ { 0xBD, 0x71, 0xFD, 0xF6, 0xDA, 0x97, 0xE4, 0xCF, 0x62, 0xD1, 0x64, 0x7A, 0xDD, 0x25, 0x81, 0xB0,
+ 0x7D, 0x79, 0xAD, 0xF8, 0x39, 0x7E, 0xB4, 0xEC, 0xBA, 0x9C, 0x5E, 0x84, 0x88, 0x82, 0x14, 0x23 },
+ 112 /* Bin Number */
+ },
+ {
+ /* Secure_Certificate_Services */
+ { 0xBD, 0x81, 0xCE, 0x3B, 0x4F, 0x65, 0x91, 0xD1, 0x1A, 0x67, 0xB5, 0xFC, 0x7A, 0x47, 0xFD, 0xEF,
+ 0x25, 0x52, 0x1B, 0xF9, 0xAA, 0x4E, 0x18, 0xB9, 0xE3, 0xDF, 0x2E, 0x34, 0xA7, 0x80, 0x3B, 0xE8 },
+ 29 /* Bin Number */
+ },
+ {
+ /* TrustAsia_Global_Root_CA_G4 */
+ { 0xBE, 0x4B, 0x56, 0xCB, 0x50, 0x56, 0xC0, 0x13, 0x6A, 0x52, 0x6D, 0xF4, 0x44, 0x50, 0x8D, 0xAA,
+ 0x36, 0xA0, 0xB5, 0x4F, 0x42, 0xE4, 0xAC, 0x38, 0xF7, 0x2A, 0xF4, 0x70, 0xE4, 0x79, 0x65, 0x4C },
+ 259 /* Bin Number */
+ },
+ {
+ /* SwissSign_Silver_CA___G2 */
+ { 0xBE, 0x6C, 0x4D, 0xA2, 0xBB, 0xB9, 0xBA, 0x59, 0xB6, 0xF3, 0x93, 0x97, 0x68, 0x37, 0x42, 0x46,
+ 0xC3, 0xC0, 0x05, 0x99, 0x3F, 0xA9, 0x8F, 0x02, 0x0D, 0x1D, 0xED, 0xBE, 0xD4, 0x8A, 0x81, 0xD5 },
+ 57 /* Bin Number */
+ },
+ {
+ /* e_Szigno_Root_CA_2017 */
+ { 0xBE, 0xB0, 0x0B, 0x30, 0x83, 0x9B, 0x9B, 0xC3, 0x2C, 0x32, 0xE4, 0x44, 0x79, 0x05, 0x95, 0x06,
+ 0x41, 0xF2, 0x64, 0x21, 0xB1, 0x5E, 0xD0, 0x89, 0x19, 0x8B, 0x51, 0x8A, 0xE2, 0xEA, 0x1B, 0x99 },
+ 214 /* Bin Number */
+ },
+ {
+ /* GlobalSign */
+ { 0xBE, 0xC9, 0x49, 0x11, 0xC2, 0x95, 0x56, 0x76, 0xDB, 0x6C, 0x0A, 0x55, 0x09, 0x86, 0xD7, 0x6E,
+ 0x3B, 0xA0, 0x05, 0x66, 0x7C, 0x44, 0x2C, 0x97, 0x62, 0xB4, 0xFB, 0xB7, 0x73, 0xDE, 0x22, 0x8C },
+ 157 /* Bin Number */
+ },
+ {
+ /* SecureSign_RootCA11 */
+ { 0xBF, 0x0F, 0xEE, 0xFB, 0x9E, 0x3A, 0x58, 0x1A, 0xD5, 0xF9, 0xE9, 0xDB, 0x75, 0x89, 0x98, 0x57,
+ 0x43, 0xD2, 0x61, 0x08, 0x5C, 0x4D, 0x31, 0x4F, 0x6F, 0x5D, 0x72, 0x59, 0xAA, 0x42, 0x16, 0x12 },
+ 97 /* Bin Number */
+ },
+ {
+ /* TWCA_Root_Certification_Authority */
+ { 0xBF, 0xD8, 0x8F, 0xE1, 0x10, 0x1C, 0x41, 0xAE, 0x3E, 0x80, 0x1B, 0xF8, 0xBE, 0x56, 0x35, 0x0E,
+ 0xE9, 0xBA, 0xD1, 0xA6, 0xB9, 0xBD, 0x51, 0x5E, 0xDC, 0x5C, 0x6D, 0x5B, 0x87, 0x11, 0xAC, 0x44 },
+ 117 /* Bin Number */
+ },
+ {
+ /* GDCA_TrustAUTH_R5_ROOT */
+ { 0xBF, 0xFF, 0x8F, 0xD0, 0x44, 0x33, 0x48, 0x7D, 0x6A, 0x8A, 0xA6, 0x0C, 0x1A, 0x29, 0x76, 0x7A,
+ 0x9F, 0xC2, 0xBB, 0xB0, 0x5E, 0x42, 0x0F, 0x71, 0x3A, 0x13, 0xB9, 0x92, 0x89, 0x1D, 0x38, 0x93 },
+ 189 /* Bin Number */
+ },
+ {
+ /* OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW */
+ { 0xC0, 0xA6, 0xF4, 0xDC, 0x63, 0xA2, 0x4B, 0xFD, 0xCF, 0x54, 0xEF, 0x2A, 0x6A, 0x08, 0x2A, 0x0A,
+ 0x72, 0xDE, 0x35, 0x80, 0x3E, 0x2F, 0xF5, 0xFF, 0x52, 0x7A, 0xE5, 0xD8, 0x72, 0x06, 0xDF, 0xD5 },
+ 78 /* Bin Number */
+ },
+ {
+ /* OU_Trustis_FPS_Root_CA_O_Trustis_Limited_C_GB */
+ { 0xC1, 0xB4, 0x82, 0x99, 0xAB, 0xA5, 0x20, 0x8F, 0xE9, 0x63, 0x0A, 0xCE, 0x55, 0xCA, 0x68, 0xA0,
+ 0x3E, 0xDA, 0x5A, 0x51, 0x9C, 0x88, 0x02, 0xA0, 0xD3, 0xA6, 0x73, 0xBE, 0x8F, 0x8E, 0x55, 0x7D },
+ 122 /* Bin Number */
+ },
+ {
+ /* SSL_com_TLS_ECC_Root_CA_2022 */
+ { 0xC3, 0x2F, 0xFD, 0x9F, 0x46, 0xF9, 0x36, 0xD1, 0x6C, 0x36, 0x73, 0x99, 0x09, 0x59, 0x43, 0x4B,
+ 0x9A, 0xD6, 0x0A, 0xAF, 0xBB, 0x9E, 0x7C, 0xF3, 0x36, 0x54, 0xF1, 0x44, 0xCC, 0x1B, 0xA1, 0x43 },
+ 256 /* Bin Number */
+ },
+ {
+ /* OU_Go_Daddy_Class_2_Certification_Authority_O__The_Go_Daddy_Group__Inc___C_US */
+ { 0xC3, 0x84, 0x6B, 0xF2, 0x4B, 0x9E, 0x93, 0xCA, 0x64, 0x27, 0x4C, 0x0E, 0xC6, 0x7C, 0x1E, 0xCC,
+ 0x5E, 0x02, 0x4F, 0xFC, 0xAC, 0xD2, 0xD7, 0x40, 0x19, 0x35, 0x0E, 0x81, 0xFE, 0x54, 0x6A, 0xE4 },
+ 43 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R2 */
+ { 0xC4, 0x5D, 0x7B, 0xB0, 0x8E, 0x6D, 0x67, 0xE6, 0x2E, 0x42, 0x35, 0x11, 0x0B, 0x56, 0x4E, 0x5F,
+ 0x78, 0xFD, 0x92, 0xEF, 0x05, 0x8C, 0x84, 0x0A, 0xEA, 0x4E, 0x64, 0x55, 0xD7, 0x58, 0x5C, 0x60 },
+ 200 /* Bin Number */
+ },
+ {
+ /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */
+ { 0xC4, 0x70, 0xCF, 0x54, 0x7E, 0x23, 0x02, 0xB9, 0x77, 0xFB, 0x29, 0xDD, 0x71, 0xA8, 0x9A, 0x7B,
+ 0x6C, 0x1F, 0x60, 0x77, 0x7B, 0x03, 0x29, 0xF5, 0x60, 0x17, 0xF3, 0x28, 0xBF, 0x4F, 0x6B, 0xE6 },
+ 55 /* Bin Number */
+ },
+ {
+ /* Microsoft_RSA_Root_Certificate_Authority_2017 */
+ { 0xC7, 0x41, 0xF7, 0x0F, 0x4B, 0x2A, 0x8D, 0x88, 0xBF, 0x2E, 0x71, 0xC1, 0x41, 0x22, 0xEF, 0x53,
+ 0xEF, 0x10, 0xEB, 0xA0, 0xCF, 0xA5, 0xE6, 0x4C, 0xFA, 0x20, 0xF4, 0x18, 0x85, 0x30, 0x73, 0xE0 },
+ 213 /* Bin Number */
+ },
+ {
+ /* StartCom_Certification_Authority */
+ { 0xC7, 0x66, 0xA9, 0xBE, 0xF2, 0xD4, 0x07, 0x1C, 0x86, 0x3A, 0x31, 0xAA, 0x49, 0x20, 0xE8, 0x13,
+ 0xB2, 0xD1, 0x98, 0x60, 0x8C, 0xB7, 0xB7, 0xCF, 0xE2, 0x11, 0x43, 0xB8, 0x36, 0xDF, 0x09, 0xEA },
+ 45 /* Bin Number */
+ },
+ {
+ /* StartCom_Certification_Authority_G2 */
+ { 0xC7, 0xBA, 0x65, 0x67, 0xDE, 0x93, 0xA7, 0x98, 0xAE, 0x1F, 0xAA, 0x79, 0x1E, 0x71, 0x2D, 0x37,
+ 0x8F, 0xAE, 0x1F, 0x93, 0xC4, 0x39, 0x7F, 0xEA, 0x44, 0x1B, 0xB7, 0xCB, 0xE6, 0xFD, 0x59, 0x95 },
+ 124 /* Bin Number */
+ },
+ {
+ /* Sectigo_Public_Server_Authentication_Root_E46 */
+ { 0xC9, 0x0F, 0x26, 0xF0, 0xFB, 0x1B, 0x40, 0x18, 0xB2, 0x22, 0x27, 0x51, 0x9B, 0x5C, 0xA2, 0xB5,
+ 0x3E, 0x2C, 0xA5, 0xB3, 0xBE, 0x5C, 0xF1, 0x8E, 0xFE, 0x1B, 0xEF, 0x47, 0x38, 0x0C, 0x53, 0x83 },
+ 254 /* Bin Number */
+ },
+ {
+ /* GeoTrust_Global_CA_2 */
+ { 0xCA, 0x2D, 0x82, 0xA0, 0x86, 0x77, 0x07, 0x2F, 0x8A, 0xB6, 0x76, 0x4F, 0xF0, 0x35, 0x67, 0x6C,
+ 0xFE, 0x3E, 0x5E, 0x32, 0x5E, 0x01, 0x21, 0x72, 0xDF, 0x3F, 0x92, 0x09, 0x6D, 0xB7, 0x9B, 0x85 },
+ 21 /* Bin Number */
+ },
+ {
+ /* GlobalSign */
+ { 0xCA, 0x42, 0xDD, 0x41, 0x74, 0x5F, 0xD0, 0xB8, 0x1E, 0xB9, 0x02, 0x36, 0x2C, 0xF9, 0xD8, 0xBF,
+ 0x71, 0x9D, 0xA1, 0xBD, 0x1B, 0x1E, 0xFC, 0x94, 0x6F, 0x5B, 0x4C, 0x99, 0xF4, 0x2C, 0x1B, 0x9E },
+ 7 /* Bin Number */
+ },
+ {
+ /* DigiCert_Global_Root_G2 */
+ { 0xCB, 0x3C, 0xCB, 0xB7, 0x60, 0x31, 0xE5, 0xE0, 0x13, 0x8F, 0x8D, 0xD3, 0x9A, 0x23, 0xF9, 0xDE,
+ 0x47, 0xFF, 0xC3, 0x5E, 0x43, 0xC1, 0x14, 0x4C, 0xEA, 0x27, 0xD4, 0x6A, 0x5A, 0xB1, 0xCB, 0x5F },
+ 149 /* Bin Number */
+ },
+ {
+ /* GlobalSign */
+ { 0xCB, 0xB5, 0x22, 0xD7, 0xB7, 0xF1, 0x27, 0xAD, 0x6A, 0x01, 0x13, 0x86, 0x5B, 0xDF, 0x1C, 0xD4,
+ 0x10, 0x2E, 0x7D, 0x07, 0x59, 0xAF, 0x63, 0x5A, 0x7C, 0xF4, 0x72, 0x0D, 0xC9, 0x63, 0xC5, 0x3B },
+ 101 /* Bin Number */
+ },
+ {
+ /* GlobalSign_Root_E46 */
+ { 0xCB, 0xB9, 0xC4, 0x4D, 0x84, 0xB8, 0x04, 0x3E, 0x10, 0x50, 0xEA, 0x31, 0xA6, 0x9F, 0x51, 0x49,
+ 0x55, 0xD7, 0xBF, 0xD2, 0xE2, 0xC6, 0xB4, 0x93, 0x01, 0x01, 0x9A, 0xD6, 0x1D, 0x9F, 0x50, 0x58 },
+ 222 /* Bin Number */
+ },
+ {
+ /* XRamp_Global_Certification_Authority */
+ { 0xCE, 0xCD, 0xDC, 0x90, 0x50, 0x99, 0xD8, 0xDA, 0xDF, 0xC5, 0xB1, 0xD2, 0x09, 0xB7, 0x37, 0xCB,
+ 0xE2, 0xC1, 0x8C, 0xFB, 0x2C, 0x10, 0xC0, 0xFF, 0x0B, 0xCF, 0x0D, 0x32, 0x86, 0xFC, 0x1A, 0xA2 },
+ 42 /* Bin Number */
+ },
+ {
+ /* Equifax_Secure_eBusiness_CA_1 */
+ { 0xCF, 0x56, 0xFF, 0x46, 0xA4, 0xA1, 0x86, 0x10, 0x9D, 0xD9, 0x65, 0x84, 0xB5, 0xEE, 0xB5, 0x8A,
+ 0x51, 0x0C, 0x42, 0x75, 0xB0, 0xE5, 0xF9, 0x4F, 0x40, 0xBB, 0xAE, 0x86, 0x5E, 0x19, 0xF6, 0x73 },
+ 13 /* Bin Number */
+ },
+ {
+ /* TrustCor_RootCert_CA_1 */
+ { 0xD4, 0x0E, 0x9C, 0x86, 0xCD, 0x8F, 0xE4, 0x68, 0xC1, 0x77, 0x69, 0x59, 0xF4, 0x9E, 0xA7, 0x74,
+ 0xFA, 0x54, 0x86, 0x84, 0xB6, 0xC4, 0x06, 0xF3, 0x90, 0x92, 0x61, 0xF4, 0xDC, 0xE2, 0x57, 0x5C },
+ 190 /* Bin Number */
+ },
+ {
+ /* Staat_der_Nederlanden_Root_CA */
+ { 0xD4, 0x1D, 0x82, 0x9E, 0x8C, 0x16, 0x59, 0x82, 0x2A, 0xF9, 0x3F, 0xCE, 0x62, 0xBF, 0xFC, 0xDE,
+ 0x26, 0x4F, 0xC8, 0x4E, 0x8B, 0x95, 0x0C, 0x5F, 0xF2, 0x75, 0xD0, 0x52, 0x35, 0x46, 0x95, 0xA3 },
+ 36 /* Bin Number */
+ },
+ {
+ /* UCA_Extended_Validation_Root */
+ { 0xD4, 0x3A, 0xF9, 0xB3, 0x54, 0x73, 0x75, 0x5C, 0x96, 0x84, 0xFC, 0x06, 0xD7, 0xD8, 0xCB, 0x70,
+ 0xEE, 0x5C, 0x28, 0xE7, 0x73, 0xFB, 0x29, 0x4E, 0xB4, 0x1E, 0xE7, 0x17, 0x22, 0x92, 0x4D, 0x24 },
+ 204 /* Bin Number */
+ },
+ {
+ /* Certification_Authority_of_WoSign_G2 */
+ { 0xD4, 0x87, 0xA5, 0x6F, 0x83, 0xB0, 0x74, 0x82, 0xE8, 0x5E, 0x96, 0x33, 0x94, 0xC1, 0xEC, 0xC2,
+ 0xC9, 0xE5, 0x1D, 0x09, 0x03, 0xEE, 0x94, 0x6B, 0x02, 0xC3, 0x01, 0x58, 0x1E, 0xD9, 0x9E, 0x16 },
+ 170 /* Bin Number */
+ },
+ {
+ /* Certigna_Root_CA */
+ { 0xD4, 0x8D, 0x3D, 0x23, 0xEE, 0xDB, 0x50, 0xA4, 0x59, 0xE5, 0x51, 0x97, 0x60, 0x1C, 0x27, 0x77,
+ 0x4B, 0x9D, 0x7B, 0x18, 0xC9, 0x4D, 0x5A, 0x05, 0x95, 0x11, 0xA1, 0x02, 0x50, 0xB9, 0x31, 0x68 },
+ 205 /* Bin Number */
+ },
+ {
+ /* CA______ */
+ { 0xD6, 0xF0, 0x34, 0xBD, 0x94, 0xAA, 0x23, 0x3F, 0x02, 0x97, 0xEC, 0xA4, 0x24, 0x5B, 0x28, 0x39,
+ 0x73, 0xE4, 0x47, 0xAA, 0x59, 0x0F, 0x31, 0x0C, 0x77, 0xF4, 0x8F, 0xDF, 0x83, 0x11, 0x22, 0x54 },
+ 153 /* Bin Number */
+ },
+ {
+ /* AAA_Certificate_Services */
+ { 0xD7, 0xA7, 0xA0, 0xFB, 0x5D, 0x7E, 0x27, 0x31, 0xD7, 0x71, 0xE9, 0x48, 0x4E, 0xBC, 0xDE, 0xF7,
+ 0x1D, 0x5F, 0x0C, 0x3E, 0x0A, 0x29, 0x48, 0x78, 0x2B, 0xC8, 0x3E, 0xE0, 0xEA, 0x69, 0x9E, 0xF4 },
+ 28 /* Bin Number */
+ },
+ {
+ /* Certum_CA */
+ { 0xD8, 0xE0, 0xFE, 0xBC, 0x1D, 0xB2, 0xE3, 0x8D, 0x00, 0x94, 0x0F, 0x37, 0xD2, 0x7D, 0x41, 0x34,
+ 0x4D, 0x99, 0x3E, 0x73, 0x4B, 0x99, 0xD5, 0x65, 0x6D, 0x97, 0x78, 0xD4, 0xD8, 0x14, 0x36, 0x24 },
+ 27 /* Bin Number */
+ },
+ {
+ /* GTS_Root_R1 */
+ { 0xD9, 0x47, 0x43, 0x2A, 0xBD, 0xE7, 0xB7, 0xFA, 0x90, 0xFC, 0x2E, 0x6B, 0x59, 0x10, 0x1B, 0x12,
+ 0x80, 0xE0, 0xE1, 0xC7, 0xE4, 0xE4, 0x0F, 0xA3, 0xC6, 0x88, 0x7F, 0xFF, 0x57, 0xA7, 0xF4, 0xCF },
+ 236 /* Bin Number */
+ },
+ {
+ /* HARICA_TLS_RSA_Root_CA_2021 */
+ { 0xD9, 0x5D, 0x0E, 0x8E, 0xDA, 0x79, 0x52, 0x5B, 0xF9, 0xBE, 0xB1, 0x1B, 0x14, 0xD2, 0x10, 0x0D,
+ 0x32, 0x94, 0x98, 0x5F, 0x0C, 0x62, 0xD9, 0xFA, 0xBD, 0x9C, 0xD9, 0x99, 0xEC, 0xCB, 0x7B, 0x1D },
+ 228 /* Bin Number */
+ },
+ {
+ /* Swisscom_Root_EV_CA_2 */
+ { 0xD9, 0x5F, 0xEA, 0x3C, 0xA4, 0xEE, 0xDC, 0xE7, 0x4C, 0xD7, 0x6E, 0x75, 0xFC, 0x6D, 0x1F, 0xF6,
+ 0x2C, 0x44, 0x1F, 0x0F, 0xA8, 0xBC, 0x77, 0xF0, 0x34, 0xB1, 0x9E, 0x5D, 0xB2, 0x58, 0x01, 0x5D },
+ 135 /* Bin Number */
+ },
+ {
+ /* Entrust_Root_Certification_Authority___G4 */
+ { 0xDB, 0x35, 0x17, 0xD1, 0xF6, 0x73, 0x2A, 0x2D, 0x5A, 0xB9, 0x7C, 0x53, 0x3E, 0xC7, 0x07, 0x79,
+ 0xEE, 0x32, 0x70, 0xA6, 0x2F, 0xB4, 0xAC, 0x42, 0x38, 0x37, 0x24, 0x60, 0xE6, 0xF0, 0x1E, 0x88 },
+ 211 /* Bin Number */
+ },
+ {
+ /* TeliaSonera_Root_CA_v1 */
+ { 0xDD, 0x69, 0x36, 0xFE, 0x21, 0xF8, 0xF0, 0x77, 0xC1, 0x23, 0xA1, 0xA5, 0x21, 0xC1, 0x22, 0x24,
+ 0xF7, 0x22, 0x55, 0xB7, 0x3E, 0x03, 0xA7, 0x26, 0x06, 0x93, 0xE8, 0xA2, 0x4B, 0x0F, 0xA3, 0x89 },
+ 140 /* Bin Number */
+ },
+ {
+ /* TrustAsia_Global_Root_CA_G3 */
+ { 0xE0, 0xD3, 0x22, 0x6A, 0xEB, 0x11, 0x63, 0xC2, 0xE4, 0x8F, 0xF9, 0xBE, 0x3B, 0x50, 0xB4, 0xC6,
+ 0x43, 0x1B, 0xE7, 0xBB, 0x1E, 0xAC, 0xC5, 0xC3, 0x6B, 0x5D, 0x5E, 0xC5, 0x09, 0x03, 0x9A, 0x08 },
+ 260 /* Bin Number */
+ },
+ {
+ /* StartCom_Certification_Authority */
+ { 0xE1, 0x78, 0x90, 0xEE, 0x09, 0xA3, 0xFB, 0xF4, 0xF4, 0x8B, 0x9C, 0x41, 0x4A, 0x17, 0xD6, 0x37,
+ 0xB7, 0xA5, 0x06, 0x47, 0xE9, 0xBC, 0x75, 0x23, 0x22, 0x72, 0x7F, 0xCC, 0x17, 0x42, 0xA9, 0x11 },
+ 123 /* Bin Number */
+ },
+ {
+ /* CA_Disig_Root_R2 */
+ { 0xE2, 0x3D, 0x4A, 0x03, 0x6D, 0x7B, 0x70, 0xE9, 0xF5, 0x95, 0xB1, 0x42, 0x20, 0x79, 0xD2, 0xB9,
+ 0x1E, 0xDF, 0xBB, 0x1F, 0xB6, 0x51, 0xA0, 0x63, 0x3E, 0xAA, 0x8A, 0x9D, 0xC5, 0xF8, 0x07, 0x03 },
+ 137 /* Bin Number */
+ },
+ {
+ /* CNNIC_ROOT */
+ { 0xE2, 0x83, 0x93, 0x77, 0x3D, 0xA8, 0x45, 0xA6, 0x79, 0xF2, 0x08, 0x0C, 0xC7, 0xFB, 0x44, 0xA3,
+ 0xB7, 0xA1, 0xC3, 0x79, 0x2C, 0xB7, 0xEB, 0x77, 0x29, 0xFD, 0xCB, 0x6A, 0x8D, 0x99, 0xAE, 0xA7 },
+ 84 /* Bin Number */
+ },
+ {
+ /* Amazon_Root_CA_4 */
+ { 0xE3, 0x5D, 0x28, 0x41, 0x9E, 0xD0, 0x20, 0x25, 0xCF, 0xA6, 0x90, 0x38, 0xCD, 0x62, 0x39, 0x62,
+ 0x45, 0x8D, 0xA5, 0xC6, 0x95, 0xFB, 0xDE, 0xA3, 0xC2, 0x2B, 0x0B, 0xFB, 0x25, 0x89, 0x70, 0x92 },
+ 186 /* Bin Number */
+ },
+ {
+ /* VeriSign_Class_4_Public_Primary_Certification_Authority___G3 */
+ { 0xE3, 0x89, 0x36, 0x0D, 0x0F, 0xDB, 0xAE, 0xB3, 0xD2, 0x50, 0x58, 0x4B, 0x47, 0x30, 0x31, 0x4E,
+ 0x22, 0x2F, 0x39, 0xC1, 0x56, 0xA0, 0x20, 0x14, 0x4E, 0x8D, 0x96, 0x05, 0x61, 0x79, 0x15, 0x06 },
+ 9 /* Bin Number */
+ },
+ {
+ /* Certigna */
+ { 0xE3, 0xB6, 0xA2, 0xDB, 0x2E, 0xD7, 0xCE, 0x48, 0x84, 0x2F, 0x7A, 0xC5, 0x32, 0x41, 0xC7, 0xB7,
+ 0x1D, 0x54, 0x14, 0x4B, 0xFB, 0x40, 0xC1, 0x1F, 0x3F, 0x1D, 0x0B, 0x42, 0xF5, 0xEE, 0xA1, 0x2D },
+ 71 /* Bin Number */
+ },
+ {
+ /* T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s____S_r_m_3 */
+ { 0xE4, 0xC7, 0x34, 0x30, 0xD7, 0xA5, 0xB5, 0x09, 0x25, 0xDF, 0x43, 0x37, 0x0A, 0x0D, 0x21, 0x6E,
+ 0x9A, 0x79, 0xB9, 0xD6, 0xDB, 0x83, 0x73, 0xA0, 0xC6, 0x9E, 0xB1, 0xCC, 0x31, 0xC7, 0xC5, 0x2A },
+ 79 /* Bin Number */
+ },
+ {
+ /* D_TRUST_BR_Root_CA_1_2020 */
+ { 0xE5, 0x9A, 0xAA, 0x81, 0x60, 0x09, 0xC2, 0x2B, 0xFF, 0x5B, 0x25, 0xBA, 0xD3, 0x7D, 0xF3, 0x06,
+ 0xF0, 0x49, 0x79, 0x7C, 0x1F, 0x81, 0xD8, 0x5A, 0xB0, 0x89, 0xE6, 0x57, 0xBD, 0x8F, 0x00, 0x44 },
+ 241 /* Bin Number */
+ },
+ {
+ /* e_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi */
+ { 0xE6, 0x09, 0x07, 0x84, 0x65, 0xA4, 0x19, 0x78, 0x0C, 0xB6, 0xAC, 0x4C, 0x1C, 0x0B, 0xFB, 0x46,
+ 0x53, 0xD9, 0xD9, 0xCC, 0x6E, 0xB3, 0x94, 0x6E, 0xB7, 0xF3, 0xD6, 0x99, 0x97, 0xBA, 0xD5, 0x98 },
+ 100 /* Bin Number */
+ },
+ {
+ /* TC_TrustCenter_Class_2_CA_II */
+ { 0xE6, 0xB8, 0xF8, 0x76, 0x64, 0x85, 0xF8, 0x07, 0xAE, 0x7F, 0x8D, 0xAC, 0x16, 0x70, 0x46, 0x1F,
+ 0x07, 0xC0, 0xA1, 0x3E, 0xEF, 0x3A, 0x1F, 0xF7, 0x17, 0x53, 0x8D, 0x7A, 0xBA, 0xD3, 0x91, 0xB4 },
+ 72 /* Bin Number */
+ },
+ {
+ /* Security_Communication_ECC_RootCA1 */
+ { 0xE7, 0x4F, 0xBD, 0xA5, 0x5B, 0xD5, 0x64, 0xC4, 0x73, 0xA3, 0x6B, 0x44, 0x1A, 0xA7, 0x99, 0xC8,
+ 0xA6, 0x8E, 0x07, 0x74, 0x40, 0xE8, 0x28, 0x8B, 0x9F, 0xA1, 0xE5, 0x0E, 0x4B, 0xBA, 0xCA, 0x11 },
+ 250 /* Bin Number */
+ },
+ {
+ /* OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP */
+ { 0xE7, 0x5E, 0x72, 0xED, 0x9F, 0x56, 0x0E, 0xEC, 0x6E, 0xB4, 0x80, 0x00, 0x73, 0xA4, 0x3F, 0xC3,
+ 0xAD, 0x19, 0x19, 0x5A, 0x39, 0x22, 0x82, 0x01, 0x78, 0x95, 0x97, 0x4A, 0x99, 0x02, 0x6B, 0x6C },
+ 34 /* Bin Number */
+ },
+ {
+ /* USERTrust_RSA_Certification_Authority */
+ { 0xE7, 0x93, 0xC9, 0xB0, 0x2F, 0xD8, 0xAA, 0x13, 0xE2, 0x1C, 0x31, 0x22, 0x8A, 0xCC, 0xB0, 0x81,
+ 0x19, 0x64, 0x3B, 0x74, 0x9C, 0x89, 0x89, 0x64, 0xB1, 0x74, 0x6D, 0x46, 0xC3, 0xD4, 0xCB, 0xD2 },
+ 155 /* Bin Number */
+ },
+ {
+ /* OU_certSIGN_ROOT_CA_O_certSIGN_C_RO */
+ { 0xEA, 0xA9, 0x62, 0xC4, 0xFA, 0x4A, 0x6B, 0xAF, 0xEB, 0xE4, 0x15, 0x19, 0x6D, 0x35, 0x1C, 0xCD,
+ 0x88, 0x8D, 0x4F, 0x53, 0xF3, 0xFA, 0x8A, 0xE6, 0xD7, 0xC4, 0x66, 0xA9, 0x4E, 0x60, 0x42, 0xBB },
+ 83 /* Bin Number */
+ },
+ {
+ /* VeriSign_Class_3_Public_Primary_Certification_Authority___G3 */
+ { 0xEB, 0x04, 0xCF, 0x5E, 0xB1, 0xF3, 0x9A, 0xFA, 0x76, 0x2F, 0x2B, 0xB1, 0x20, 0xF2, 0x96, 0xCB,
+ 0xA5, 0x20, 0xC1, 0xB9, 0x7D, 0xB1, 0x58, 0x95, 0x65, 0xB8, 0x1C, 0xB9, 0xA1, 0x7B, 0x72, 0x44 },
+ 8 /* Bin Number */
+ },
+ {
+ /* OU_AC_RAIZ_FNMT_RCM_O_FNMT_RCM_C_ES */
+ { 0xEB, 0xC5, 0x57, 0x0C, 0x29, 0x01, 0x8C, 0x4D, 0x67, 0xB1, 0xAA, 0x12, 0x7B, 0xAF, 0x12, 0xF7,
+ 0x03, 0xB4, 0x61, 0x1E, 0xBC, 0x17, 0xB7, 0xDA, 0xB5, 0x57, 0x38, 0x94, 0x17, 0x9B, 0x93, 0xFA },
+ 182 /* Bin Number */
+ },
+ {
+ /* GlobalSign_Root_CA */
+ { 0xEB, 0xD4, 0x10, 0x40, 0xE4, 0xBB, 0x3E, 0xC7, 0x42, 0xC9, 0xE3, 0x81, 0xD3, 0x1E, 0xF2, 0xA4,
+ 0x1A, 0x48, 0xB6, 0x68, 0x5C, 0x96, 0xE7, 0xCE, 0xF3, 0xC1, 0xDF, 0x6C, 0xD4, 0x33, 0x1C, 0x99 },
+ 6 /* Bin Number */
+ },
+ {
+ /* TC_TrustCenter_Universal_CA_I */
+ { 0xEB, 0xF3, 0xC0, 0x2A, 0x87, 0x89, 0xB1, 0xFB, 0x7D, 0x51, 0x19, 0x95, 0xD6, 0x63, 0xB7, 0x29,
+ 0x06, 0xD9, 0x13, 0xCE, 0x0D, 0x5E, 0x10, 0x56, 0x8A, 0x8A, 0x77, 0xE2, 0x58, 0x61, 0x67, 0xE7 },
+ 74 /* Bin Number */
+ },
+ {
+ /* Juur_SK */
+ { 0xEC, 0xC3, 0xE9, 0xC3, 0x40, 0x75, 0x03, 0xBE, 0xE0, 0x91, 0xAA, 0x95, 0x2F, 0x41, 0x34, 0x8F,
+ 0xF8, 0x8B, 0xAA, 0x86, 0x3B, 0x22, 0x64, 0xBE, 0xFA, 0xC8, 0x07, 0x90, 0x15, 0x74, 0xE9, 0x39 },
+ 95 /* Bin Number */
+ },
+ {
+ /* Buypass_Class_3_Root_CA */
+ { 0xED, 0xF7, 0xEB, 0xBC, 0xA2, 0x7A, 0x2A, 0x38, 0x4D, 0x38, 0x7B, 0x7D, 0x40, 0x10, 0xC6, 0x66,
+ 0xE2, 0xED, 0xB4, 0x84, 0x3E, 0x4C, 0x29, 0xB4, 0xAE, 0x1D, 0x5B, 0x93, 0x32, 0xE6, 0xB2, 0x4D },
+ 126 /* Bin Number */
+ },
+ {
+ /* D_TRUST_Root_Class_3_CA_2_EV_2009 */
+ { 0xEE, 0xC5, 0x49, 0x6B, 0x98, 0x8C, 0xE9, 0x86, 0x25, 0xB9, 0x34, 0x09, 0x2E, 0xEC, 0x29, 0x08,
+ 0xBE, 0xD0, 0xB0, 0xF3, 0x16, 0xC2, 0xD4, 0x73, 0x0C, 0x84, 0xEA, 0xF1, 0xF3, 0xD3, 0x48, 0x81 },
+ 131 /* Bin Number */
+ },
+ {
+ /* Global_Chambersign_Root */
+ { 0xEF, 0x3C, 0xB4, 0x17, 0xFC, 0x8E, 0xBF, 0x6F, 0x97, 0x87, 0x6C, 0x9E, 0x4E, 0xCE, 0x39, 0xDE,
+ 0x1E, 0xA5, 0xFE, 0x64, 0x91, 0x41, 0xD1, 0x02, 0x8B, 0x7D, 0x11, 0xC0, 0xB2, 0x29, 0x8C, 0xED },
+ 40 /* Bin Number */
+ },
+ {
+ /* E_Tugra_Global_Root_CA_RSA_v3 */
+ { 0xEF, 0x66, 0xB0, 0xB1, 0x0A, 0x3C, 0xDB, 0x9F, 0x2E, 0x36, 0x48, 0xC7, 0x6B, 0xD2, 0xAF, 0x18,
+ 0xEA, 0xD2, 0xBF, 0xE6, 0xF1, 0x17, 0x65, 0x5E, 0x28, 0xC4, 0x06, 0x0D, 0xA1, 0xA3, 0xF4, 0xC2 },
+ 247 /* Bin Number */
+ },
+ {
+ /* Telekom_Security_TLS_RSA_Root_2023 */
+ { 0xEF, 0xC6, 0x5C, 0xAD, 0xBB, 0x59, 0xAD, 0xB6, 0xEF, 0xE8, 0x4D, 0xA2, 0x23, 0x11, 0xB3, 0x56,
+ 0x24, 0xB7, 0x1B, 0x3B, 0x1E, 0xA0, 0xDA, 0x8B, 0x66, 0x55, 0x17, 0x4E, 0xC8, 0x97, 0x86, 0x46 },
+ 265 /* Bin Number */
+ },
+ {
+ /* HiPKI_Root_CA___G1 */
+ { 0xF0, 0x15, 0xCE, 0x3C, 0xC2, 0x39, 0xBF, 0xEF, 0x06, 0x4B, 0xE9, 0xF1, 0xD2, 0xC4, 0x17, 0xE1,
+ 0xA0, 0x26, 0x4A, 0x0A, 0x94, 0xBE, 0x1F, 0x0C, 0x8D, 0x12, 0x18, 0x64, 0xEB, 0x69, 0x49, 0xCC },
+ 234 /* Bin Number */
+ },
+ {
+ /* Swisscom_Root_CA_2 */
+ { 0xF0, 0x9B, 0x12, 0x2C, 0x71, 0x14, 0xF4, 0xA0, 0x9B, 0xD4, 0xEA, 0x4F, 0x4A, 0x99, 0xD5, 0x58,
+ 0xB4, 0x6E, 0x4C, 0x25, 0xCD, 0x81, 0x14, 0x0D, 0x29, 0xC0, 0x56, 0x13, 0x91, 0x4C, 0x38, 0x41 },
+ 134 /* Bin Number */
+ },
+ {
+ /* SecureTrust_CA */
+ { 0xF1, 0xC1, 0xB5, 0x0A, 0xE5, 0xA2, 0x0D, 0xD8, 0x03, 0x0E, 0xC9, 0xF6, 0xBC, 0x24, 0x82, 0x3D,
+ 0xD3, 0x67, 0xB5, 0x25, 0x57, 0x59, 0xB4, 0xE7, 0x1B, 0x61, 0xFC, 0xE9, 0xF7, 0x37, 0x5D, 0x73 },
+ 61 /* Bin Number */
+ },
+ {
+ /* Atos_TrustedRoot_2011 */
+ { 0xF3, 0x56, 0xBE, 0xA2, 0x44, 0xB7, 0xA9, 0x1E, 0xB3, 0x5D, 0x53, 0xCA, 0x9A, 0xD7, 0x86, 0x4A,
+ 0xCE, 0x01, 0x8E, 0x2D, 0x35, 0xD5, 0xF8, 0xF9, 0x6D, 0xDF, 0x68, 0xA6, 0xF4, 0x1A, 0xA4, 0x74 },
+ 143 /* Bin Number */
+ },
+ {
+ /* BJCA_Global_Root_CA1 */
+ { 0xF3, 0x89, 0x6F, 0x88, 0xFE, 0x7C, 0x0A, 0x88, 0x27, 0x66, 0xA7, 0xFA, 0x6A, 0xD2, 0x74, 0x9F,
+ 0xB5, 0x7A, 0x7F, 0x3E, 0x98, 0xFB, 0x76, 0x9C, 0x1F, 0xA7, 0xB0, 0x9C, 0x2C, 0x44, 0xD5, 0xAE },
+ 252 /* Bin Number */
+ },
+ {
+ /* CA_Disig_Root_R1 */
+ { 0xF9, 0x6F, 0x23, 0xF4, 0xC3, 0xE7, 0x9C, 0x07, 0x7A, 0x46, 0x98, 0x8D, 0x5A, 0xF5, 0x90, 0x06,
+ 0x76, 0xA0, 0xF0, 0x39, 0xCB, 0x64, 0x5D, 0xD1, 0x75, 0x49, 0xB2, 0x16, 0xC8, 0x24, 0x40, 0xCE },
+ 136 /* Bin Number */
+ },
+ {
+ /* Hongkong_Post_Root_CA_1 */
+ { 0xF9, 0xE6, 0x7D, 0x33, 0x6C, 0x51, 0x00, 0x2A, 0xC0, 0x54, 0xC6, 0x32, 0x02, 0x2D, 0x66, 0xDD,
+ 0xA2, 0xE7, 0xE3, 0xFF, 0xF1, 0x0A, 0xD0, 0x61, 0xED, 0x31, 0xD8, 0xBB, 0xB4, 0x10, 0xCF, 0xB2 },
+ 96 /* Bin Number */
+ },
+ {
+ /* ANF_Secure_Server_Root_CA */
+ { 0xFB, 0x8F, 0xEC, 0x75, 0x91, 0x69, 0xB9, 0x10, 0x6B, 0x1E, 0x51, 0x16, 0x44, 0xC6, 0x18, 0xC5,
+ 0x13, 0x04, 0x37, 0x3F, 0x6C, 0x06, 0x43, 0x08, 0x8D, 0x8B, 0xEF, 0xFD, 0x1B, 0x99, 0x75, 0x99 },
+ 224 /* Bin Number */
+ },
+ {
+ /* Certinomis___Autorit__Racine */
+ { 0xFC, 0xBF, 0xE2, 0x88, 0x62, 0x06, 0xF7, 0x2B, 0x27, 0x59, 0x3C, 0x8B, 0x07, 0x02, 0x97, 0xE1,
+ 0x2D, 0x76, 0x9E, 0xD1, 0x0E, 0xD7, 0x93, 0x07, 0x05, 0xA8, 0x09, 0x8E, 0xFF, 0xC1, 0x4D, 0x17 },
+ 114 /* Bin Number */
+ },
+ {
+ /* T_TeleSec_GlobalRoot_Class_3 */
+ { 0xFD, 0x73, 0xDA, 0xD3, 0x1C, 0x64, 0x4F, 0xF1, 0xB4, 0x3B, 0xEF, 0x0C, 0xCD, 0xDA, 0x96, 0x71,
+ 0x0B, 0x9C, 0xD9, 0x87, 0x5E, 0xCA, 0x7E, 0x31, 0x70, 0x7A, 0xF3, 0xE9, 0x6D, 0x52, 0x2B, 0xBD },
+ 127 /* Bin Number */
+ },
+ {
+ /* Certum_Trusted_Root_CA */
+ { 0xFE, 0x76, 0x96, 0x57, 0x38, 0x55, 0x77, 0x3E, 0x37, 0xA9, 0x5E, 0x7A, 0xD4, 0xD9, 0xCC, 0x96,
+ 0xC3, 0x01, 0x57, 0xC1, 0x5D, 0x31, 0x76, 0x5B, 0xA9, 0xB1, 0x57, 0x04, 0xE1, 0xAE, 0x78, 0xFD },
+ 226 /* Bin Number */
+ },
+ {
+ /* GeoTrust_Global_CA */
+ { 0xFF, 0x85, 0x6A, 0x2D, 0x25, 0x1D, 0xCD, 0x88, 0xD3, 0x66, 0x56, 0xF4, 0x50, 0x12, 0x67, 0x98,
+ 0xCF, 0xAB, 0xAA, 0xDE, 0x40, 0x79, 0x9C, 0x72, 0x2D, 0xE4, 0xD2, 0xB5, 0xDB, 0x36, 0xA7, 0x3A },
+ 20 /* Bin Number */
+ },
+ {
+ /* CommScope_Public_Trust_RSA_Root_02 */
+ { 0xFF, 0xE9, 0x43, 0xD7, 0x93, 0x42, 0x4B, 0x4F, 0x7C, 0x44, 0x0C, 0x1C, 0x3D, 0x64, 0x8D, 0x53,
+ 0x63, 0xF3, 0x4B, 0x82, 0xDC, 0x87, 0xAA, 0x7A, 0x9F, 0x11, 0x8F, 0xC5, 0xDE, 0xE1, 0x01, 0xF1 },
+ 261 /* Bin Number */
+ },
+};
+
diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp
new file mode 100644
index 0000000000..1a0c669579
--- /dev/null
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -0,0 +1,1134 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// During certificate authentication, we call CertVerifier::VerifySSLServerCert.
+// This function may make zero or more HTTP requests (e.g. to gather revocation
+// information). Our fetching logic for these requests processes them on the
+// socket transport service thread.
+//
+// Because the connection for which we are verifying the certificate is
+// happening on the socket transport thread, if our cert auth hook were to call
+// VerifySSLServerCert directly, there would be a deadlock: VerifySSLServerCert
+// would cause an event to be asynchronously posted to the socket transport
+// thread, and then it would block the socket transport thread waiting to be
+// notified of the HTTP response. However, the HTTP request would never actually
+// be processed because the socket transport thread would be blocked and so it
+// wouldn't be able process HTTP requests.
+//
+// Consequently, when we are asked to verify a certificate, we must always call
+// VerifySSLServerCert on another thread. To accomplish this, our auth cert hook
+// dispatches a SSLServerCertVerificationJob to a pool of background threads,
+// and then immediately returns SECWouldBlock to libssl. These jobs are where
+// VerifySSLServerCert is actually called.
+//
+// When our auth cert hook returns SECWouldBlock, libssl will carry on the
+// handshake while we validate the certificate. This will free up the socket
+// transport thread so that HTTP requests--including the OCSP requests needed
+// for cert verification as mentioned above--can be processed.
+//
+// Once VerifySSLServerCert returns, the cert verification job dispatches a
+// SSLServerCertVerificationResult to the socket transport thread; the
+// SSLServerCertVerificationResult will notify libssl that the certificate
+// authentication is complete. Once libssl is notified that the authentication
+// is complete, it will continue the TLS handshake (if it hasn't already
+// finished) and it will begin allowing us to send/receive data on the
+// connection.
+//
+// Timeline of events (for connections managed by the socket transport service):
+//
+// * libssl calls SSLServerCertVerificationJob::Dispatch on the socket
+// transport thread.
+// * SSLServerCertVerificationJob::Dispatch queues a job
+// (instance of SSLServerCertVerificationJob) to its background thread
+// pool and returns.
+// * One of the background threads calls CertVerifier::VerifySSLServerCert,
+// which may enqueue some HTTP request(s) onto the socket transport thread,
+// and then blocks that background thread waiting for the responses and/or
+// timeouts or errors for those requests.
+// * Once those HTTP responses have all come back or failed, the
+// CertVerifier::VerifySSLServerCert function returns a result indicating
+// that the validation succeeded or failed.
+// * If the validation succeeded, then a SSLServerCertVerificationResult
+// event is posted to the socket transport thread, and the cert
+// verification thread becomes free to verify other certificates.
+// * Otherwise, we do cert override processing to see if the validation
+// error can be convered by override rules. The result of this processing
+// is similarly dispatched in a SSLServerCertVerificationResult.
+// * The SSLServerCertVerificationResult event will either wake up the
+// socket (using SSL_AuthCertificateComplete) if validation succeeded or
+// there was an error override, or it will set an error flag so that the
+// next I/O operation on the socket will fail, causing the socket transport
+// thread to close the connection.
+//
+// SSLServerCertVerificationResult must be dispatched to the socket transport
+// thread because we must only call SSL_* functions on the socket transport
+// thread since they may do I/O, because many parts of NSSSocketControl and the
+// PSM NSS I/O layer are not thread-safe, and because we need the event to
+// interrupt the PR_Poll that may waiting for I/O on the socket for which we
+// are validating the cert.
+//
+// When socket process is enabled, libssl is running on socket process. To
+// perform certificate authentication with CertVerifier, we have to send all
+// needed information to parent process and send the result back to socket
+// process via IPC. The workflow is described below.
+// 1. In AuthCertificateHookInternal(), we call RemoteProcessCertVerification()
+// instead of SSLServerCertVerificationJob::Dispatch when we are on socket
+// process.
+// 2. In RemoteProcessCertVerification(), PVerifySSLServerCert actors will be
+// created on IPDL background thread for carrying needed information via IPC.
+// 3. On parent process, VerifySSLServerCertParent is created and it calls
+// SSLServerCertVerificationJob::Dispatch for doing certificate verification
+// on one of CertVerificationThreads.
+// 4. When validation is done, OnVerifiedSSLServerCertSuccess IPC message is
+// sent through the IPDL background thread when
+// CertVerifier::VerifySSLServerCert returns Success. Otherwise,
+// OnVerifiedSSLServerCertFailure is sent.
+// 5. After setp 4, PVerifySSLServerCert actors will be released. The
+// verification result will be dispatched via
+// SSLServerCertVerificationResult.
+
+#include "SSLServerCertVerification.h"
+
+#include <cstring>
+
+#include "CertVerifier.h"
+#include "CryptoTask.h"
+#include "ExtendedValidation.h"
+#include "NSSCertDBTrustDomain.h"
+#include "NSSSocketControl.h"
+#include "PSMRunnable.h"
+#include "RootCertificateTelemetryUtils.h"
+#include "ScopedNSSTypes.h"
+#include "SharedCertVerifier.h"
+#include "SharedSSLState.h"
+#include "VerifySSLServerCertChild.h"
+#include "cert.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Casting.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Unused.h"
+#include "mozilla/glean/GleanMetrics.h"
+#include "nsComponentManagerUtils.h"
+#include "nsContentUtils.h"
+#include "nsICertOverrideService.h"
+#include "nsIPublicKeyPinningService.h"
+#include "nsISiteSecurityService.h"
+#include "nsISocketProvider.h"
+#include "nsThreadPool.h"
+#include "nsNetUtil.h"
+#include "nsNSSCertificate.h"
+#include "nsNSSComponent.h"
+#include "nsNSSIOLayer.h"
+#include "nsServiceManagerUtils.h"
+#include "nsString.h"
+#include "nsURLHelper.h"
+#include "nsXPCOMCIDInternal.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixutil.h"
+#include "secerr.h"
+#include "secport.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslexp.h"
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+using namespace mozilla::pkix;
+
+namespace mozilla {
+namespace psm {
+
+// do not use a nsCOMPtr to avoid static initializer/destructor
+nsIThreadPool* gCertVerificationThreadPool = nullptr;
+
+// Called when the socket transport thread starts, to initialize the SSL cert
+// verification thread pool. By tying the thread pool startup/shutdown directly
+// to the STS thread's lifetime, we ensure that they are *always* available for
+// SSL connections and that there are no races during startup and especially
+// shutdown. (Previously, we have had multiple problems with races in PSM
+// background threads, and the race-prevention/shutdown logic used there is
+// brittle. Since this service is critical to things like downloading updates,
+// we take no chances.) Also, by doing things this way, we avoid the need for
+// locks, since gCertVerificationThreadPool is only ever accessed on the socket
+// transport thread.
+void InitializeSSLServerCertVerificationThreads() {
+ // TODO: tuning, make parameters preferences
+ gCertVerificationThreadPool = new nsThreadPool();
+ NS_ADDREF(gCertVerificationThreadPool);
+
+ (void)gCertVerificationThreadPool->SetIdleThreadLimit(5);
+ (void)gCertVerificationThreadPool->SetIdleThreadTimeout(30 * 1000);
+ (void)gCertVerificationThreadPool->SetThreadLimit(5);
+ (void)gCertVerificationThreadPool->SetName("SSL Cert"_ns);
+}
+
+// Called when the socket transport thread finishes, to destroy the thread
+// pool. Since the socket transport service has stopped processing events, it
+// will not attempt any more SSL I/O operations, so it is clearly safe to shut
+// down the SSL cert verification infrastructure. Also, the STS will not
+// dispatch many SSL verification result events at this point, so any pending
+// cert verifications will (correctly) fail at the point they are dispatched.
+//
+// The other shutdown race condition that is possible is a race condition with
+// shutdown of the nsNSSComponent service. We use the
+// nsNSSShutdownPreventionLock where needed (not here) to prevent that.
+void StopSSLServerCertVerificationThreads() {
+ if (gCertVerificationThreadPool) {
+ gCertVerificationThreadPool->Shutdown();
+ NS_RELEASE(gCertVerificationThreadPool);
+ }
+}
+
+// A probe value of 1 means "no error".
+uint32_t MapOverridableErrorToProbeValue(PRErrorCode errorCode) {
+ switch (errorCode) {
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ return 2;
+ case SEC_ERROR_CA_CERT_INVALID:
+ return 3;
+ case SEC_ERROR_UNTRUSTED_ISSUER:
+ return 4;
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ return 5;
+ case SEC_ERROR_UNTRUSTED_CERT:
+ return 6;
+ case SEC_ERROR_INADEQUATE_KEY_USAGE:
+ return 7;
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ return 8;
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ return 9;
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ return 10;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ return 11;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
+ return 12;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
+ return 13;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
+ return 14;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
+ return 15;
+ case SEC_ERROR_INVALID_TIME:
+ return 16;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME:
+ return 17;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
+ return 18;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
+ return 19;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
+ return 20;
+ }
+ NS_WARNING(
+ "Unknown certificate error code. Does MapOverridableErrorToProbeValue "
+ "handle everything in CategorizeCertificateError?");
+ return 0;
+}
+
+static uint32_t MapCertErrorToProbeValue(PRErrorCode errorCode) {
+ uint32_t probeValue;
+ switch (errorCode) {
+ // see security/pkix/include/pkix/Result.h
+#define MOZILLA_PKIX_MAP(name, value, nss_name) \
+ case nss_name: \
+ probeValue = value; \
+ break;
+ MOZILLA_PKIX_MAP_LIST
+#undef MOZILLA_PKIX_MAP
+ default:
+ return 0;
+ }
+
+ // Since FATAL_ERROR_FLAG is 0x800, fatal error values are much larger than
+ // non-fatal error values. To conserve space, we remap these so they start at
+ // (decimal) 90 instead of 0x800. Currently there are ~50 non-fatal errors
+ // mozilla::pkix might return, so saving space for 90 should be sufficient
+ // (similarly, there are 4 fatal errors, so saving space for 10 should also
+ // be sufficient).
+ static_assert(
+ FATAL_ERROR_FLAG == 0x800,
+ "mozilla::pkix::FATAL_ERROR_FLAG is not what we were expecting");
+ if (probeValue & FATAL_ERROR_FLAG) {
+ probeValue ^= FATAL_ERROR_FLAG;
+ probeValue += 90;
+ }
+ return probeValue;
+}
+
+// If the given PRErrorCode is an overridable certificate error, return which
+// category (trust, time, domain mismatch) it falls in. If it is not
+// overridable, return Nothing.
+Maybe<nsITransportSecurityInfo::OverridableErrorCategory>
+CategorizeCertificateError(PRErrorCode certificateError) {
+ switch (certificateError) {
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ case SEC_ERROR_CA_CERT_INVALID:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
+ return Some(
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST);
+
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ return Some(
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN);
+
+ case SEC_ERROR_INVALID_TIME:
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
+ return Some(
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME);
+
+ default:
+ break;
+ }
+ return Nothing();
+}
+
+// Helper function to determine if overrides are allowed for this host.
+// Overrides are not allowed for known HSTS hosts or hosts with pinning
+// information. However, IP addresses can never be HSTS hosts and don't have
+// pinning information.
+static nsresult OverrideAllowedForHost(
+ uint64_t aPtrForLog, const nsACString& aHostname,
+ const OriginAttributes& aOriginAttributes, /*out*/ bool& aOverrideAllowed) {
+ aOverrideAllowed = false;
+
+ // If this is an IP address, overrides are allowed, because an IP address is
+ // never an HSTS host. nsISiteSecurityService takes this into account
+ // already, but the real problem here is that calling NS_NewURI with an IPv6
+ // address fails. We do this to avoid that. A more comprehensive fix would be
+ // to have Necko provide an nsIURI to PSM and to use that here (and
+ // everywhere). However, that would be a wide-spanning change.
+ if (net_IsValidIPv6Addr(aHostname)) {
+ aOverrideAllowed = true;
+ return NS_OK;
+ }
+
+ // If this is an HTTP Strict Transport Security host or a pinned host and the
+ // certificate is bad, don't allow overrides (RFC 6797 section 12.1).
+ bool strictTransportSecurityEnabled = false;
+ bool isStaticallyPinned = false;
+ nsCOMPtr<nsISiteSecurityService> sss(do_GetService(NS_SSSERVICE_CONTRACTID));
+ if (!sss) {
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("[0x%" PRIx64 "] Couldn't get nsISiteSecurityService to check HSTS",
+ aPtrForLog));
+ return NS_ERROR_FAILURE;
+ }
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_NewURI(getter_AddRefs(uri), "https://"_ns + aHostname);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[0x%" PRIx64 "] Creating new URI failed", aPtrForLog));
+ return rv;
+ }
+
+ rv =
+ sss->IsSecureURI(uri, aOriginAttributes, &strictTransportSecurityEnabled);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[0x%" PRIx64 "] checking for HSTS failed", aPtrForLog));
+ return rv;
+ }
+
+ nsCOMPtr<nsIPublicKeyPinningService> pkps =
+ do_GetService(NS_PKPSERVICE_CONTRACTID, &rv);
+ if (!pkps) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[0x%" PRIx64
+ "] Couldn't get nsIPublicKeyPinningService to check pinning",
+ aPtrForLog));
+ return NS_ERROR_FAILURE;
+ }
+ rv = pkps->HostHasPins(uri, &isStaticallyPinned);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[0x%" PRIx64 "] checking for static pin failed", aPtrForLog));
+ return rv;
+ }
+
+ aOverrideAllowed = !strictTransportSecurityEnabled && !isStaticallyPinned;
+ return NS_OK;
+}
+
+// This function assumes that we will only use the SPDY connection coalescing
+// feature on connections where we have negotiated SPDY using NPN. If we ever
+// talk SPDY without having negotiated it with SPDY, this code will give wrong
+// and perhaps unsafe results.
+//
+// Returns SECSuccess on the initial handshake of all connections, on
+// renegotiations for any connections where we did not negotiate SPDY, or on any
+// SPDY connection where the server's certificate did not change.
+//
+// Prohibit changing the server cert only if we negotiated SPDY,
+// in order to support SPDY's cross-origin connection pooling.
+static SECStatus BlockServerCertChangeForSpdy(
+ NSSSocketControl* socketControl, const UniqueCERTCertificate& serverCert) {
+ if (!socketControl->IsHandshakeCompleted()) {
+ // first handshake on this connection, not a
+ // renegotiation.
+ return SECSuccess;
+ }
+
+ // Filter out sockets that did not neogtiate SPDY via NPN
+ nsCOMPtr<nsITransportSecurityInfo> securityInfo;
+ nsresult rv = socketControl->GetSecurityInfo(getter_AddRefs(securityInfo));
+ MOZ_ASSERT(NS_SUCCEEDED(rv), "GetSecurityInfo() failed during renegotiation");
+ if (NS_FAILED(rv) || !securityInfo) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+ nsAutoCString negotiatedNPN;
+ rv = securityInfo->GetNegotiatedNPN(negotiatedNPN);
+ MOZ_ASSERT(NS_SUCCEEDED(rv),
+ "GetNegotiatedNPN() failed during renegotiation");
+
+ if (NS_SUCCEEDED(rv) && !StringBeginsWith(negotiatedNPN, "spdy/"_ns)) {
+ return SECSuccess;
+ }
+ // If GetNegotiatedNPN() failed we will assume spdy for safety's safe
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call."
+ " Assuming spdy."));
+ }
+
+ // Check to see if the cert has actually changed
+ nsCOMPtr<nsIX509Cert> cert(socketControl->GetServerCert());
+ if (!cert) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+ nsTArray<uint8_t> certDER;
+ if (NS_FAILED(cert->GetRawDER(certDER))) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+ if (certDER.Length() == serverCert->derCert.len &&
+ memcmp(certDER.Elements(), serverCert->derCert.data, certDER.Length()) ==
+ 0) {
+ return SECSuccess;
+ }
+
+ // Report an error - changed cert is confirmed
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("SPDY refused to allow new cert during renegotiation"));
+ PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0);
+ return SECFailure;
+}
+
+void GatherTelemetryForSingleSCT(const ct::VerifiedSCT& verifiedSct) {
+ // See SSL_SCTS_ORIGIN in Histograms.json.
+ uint32_t origin = 0;
+ switch (verifiedSct.origin) {
+ case ct::VerifiedSCT::Origin::Embedded:
+ origin = 1;
+ break;
+ case ct::VerifiedSCT::Origin::TLSExtension:
+ origin = 2;
+ break;
+ case ct::VerifiedSCT::Origin::OCSPResponse:
+ origin = 3;
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE("Unexpected VerifiedSCT::Origin type");
+ }
+ Telemetry::Accumulate(Telemetry::SSL_SCTS_ORIGIN, origin);
+
+ // See SSL_SCTS_VERIFICATION_STATUS in Histograms.json.
+ uint32_t verificationStatus = 0;
+ switch (verifiedSct.status) {
+ case ct::VerifiedSCT::Status::Valid:
+ verificationStatus = 1;
+ break;
+ case ct::VerifiedSCT::Status::UnknownLog:
+ verificationStatus = 2;
+ break;
+ case ct::VerifiedSCT::Status::InvalidSignature:
+ verificationStatus = 3;
+ break;
+ case ct::VerifiedSCT::Status::InvalidTimestamp:
+ verificationStatus = 4;
+ break;
+ case ct::VerifiedSCT::Status::ValidFromDisqualifiedLog:
+ verificationStatus = 5;
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE("Unexpected VerifiedSCT::Status type");
+ }
+ Telemetry::Accumulate(Telemetry::SSL_SCTS_VERIFICATION_STATUS,
+ verificationStatus);
+}
+
+void GatherCertificateTransparencyTelemetry(
+ const nsTArray<uint8_t>& rootCert, bool isEV,
+ const CertificateTransparencyInfo& info) {
+ if (!info.enabled) {
+ // No telemetry is gathered when CT is disabled.
+ return;
+ }
+
+ for (const ct::VerifiedSCT& sct : info.verifyResult.verifiedScts) {
+ GatherTelemetryForSingleSCT(sct);
+ }
+
+ // Decoding errors are reported to the 0th bucket
+ // of the SSL_SCTS_VERIFICATION_STATUS enumerated probe.
+ for (size_t i = 0; i < info.verifyResult.decodingErrors; ++i) {
+ Telemetry::Accumulate(Telemetry::SSL_SCTS_VERIFICATION_STATUS, 0);
+ }
+
+ // Handle the histogram of SCTs counts.
+ uint32_t sctsCount =
+ static_cast<uint32_t>(info.verifyResult.verifiedScts.size());
+ // Note that sctsCount can also be 0 in case we've received SCT binary data,
+ // but it failed to parse (e.g. due to unsupported CT protocol version).
+ Telemetry::Accumulate(Telemetry::SSL_SCTS_PER_CONNECTION, sctsCount);
+
+ // Report CT Policy compliance by CA.
+ switch (info.policyCompliance) {
+ case ct::CTPolicyCompliance::Compliant:
+ AccumulateTelemetryForRootCA(
+ Telemetry::SSL_CT_POLICY_COMPLIANT_CONNECTIONS_BY_CA, rootCert);
+ break;
+ case ct::CTPolicyCompliance::NotEnoughScts:
+ case ct::CTPolicyCompliance::NotDiverseScts:
+ AccumulateTelemetryForRootCA(
+ Telemetry::SSL_CT_POLICY_NON_COMPLIANT_CONNECTIONS_BY_CA, rootCert);
+ break;
+ case ct::CTPolicyCompliance::Unknown:
+ default:
+ MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type");
+ }
+}
+
+// This function collects telemetry about certs. It will be called on one of
+// CertVerificationThread. When the socket process is used this will be called
+// on the parent process.
+static void CollectCertTelemetry(
+ mozilla::pkix::Result aCertVerificationResult, EVStatus aEVStatus,
+ CertVerifier::OCSPStaplingStatus aOcspStaplingStatus,
+ KeySizeStatus aKeySizeStatus,
+ const PinningTelemetryInfo& aPinningTelemetryInfo,
+ const nsTArray<nsTArray<uint8_t>>& aBuiltCertChain,
+ const CertificateTransparencyInfo& aCertificateTransparencyInfo,
+ const IssuerSources& issuerSources) {
+ uint32_t evStatus = (aCertVerificationResult != Success) ? 0 // 0 = Failure
+ : (aEVStatus != EVStatus::EV) ? 1 // 1 = DV
+ : 2; // 2 = EV
+ Telemetry::Accumulate(Telemetry::CERT_EV_STATUS, evStatus);
+
+ if (aOcspStaplingStatus != CertVerifier::OCSP_STAPLING_NEVER_CHECKED) {
+ Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, aOcspStaplingStatus);
+ }
+
+ if (aKeySizeStatus != KeySizeStatus::NeverChecked) {
+ Telemetry::Accumulate(Telemetry::CERT_CHAIN_KEY_SIZE_STATUS,
+ static_cast<uint32_t>(aKeySizeStatus));
+ }
+
+ if (aPinningTelemetryInfo.accumulateForRoot) {
+ Telemetry::Accumulate(Telemetry::CERT_PINNING_FAILURES_BY_CA,
+ aPinningTelemetryInfo.rootBucket);
+ }
+
+ if (aPinningTelemetryInfo.accumulateResult) {
+ MOZ_ASSERT(aPinningTelemetryInfo.certPinningResultHistogram.isSome());
+ Telemetry::Accumulate(
+ aPinningTelemetryInfo.certPinningResultHistogram.value(),
+ aPinningTelemetryInfo.certPinningResultBucket);
+ }
+
+ if (aCertVerificationResult == Success && aBuiltCertChain.Length() > 0) {
+ const nsTArray<uint8_t>& rootCert = aBuiltCertChain.LastElement();
+ AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA,
+ rootCert);
+ GatherCertificateTransparencyTelemetry(rootCert, aEVStatus == EVStatus::EV,
+ aCertificateTransparencyInfo);
+
+ mozilla::glean::tls::certificate_verifications.Add(1);
+ if (issuerSources.contains(IssuerSource::TLSHandshake)) {
+ mozilla::glean::verification_used_cert_from::tls_handshake.AddToNumerator(
+ 1);
+ }
+ if (issuerSources.contains(IssuerSource::PreloadedIntermediates)) {
+ mozilla::glean::verification_used_cert_from::preloaded_intermediates
+ .AddToNumerator(1);
+ }
+ if (issuerSources.contains(IssuerSource::ThirdPartyCertificates)) {
+ mozilla::glean::verification_used_cert_from::third_party_certificates
+ .AddToNumerator(1);
+ }
+ if (issuerSources.contains(IssuerSource::NSSCertDB)) {
+ mozilla::glean::verification_used_cert_from::nss_cert_db.AddToNumerator(
+ 1);
+ }
+ if (issuerSources.contains(IssuerSource::BuiltInRootsModule)) {
+ mozilla::glean::verification_used_cert_from::built_in_roots_module
+ .AddToNumerator(1);
+ }
+ }
+}
+
+// Note: Takes ownership of |peerCertChain| if SECSuccess is not returned.
+Result AuthCertificate(
+ CertVerifier& certVerifier, void* aPinArg,
+ const nsTArray<uint8_t>& certBytes,
+ const nsTArray<nsTArray<uint8_t>>& peerCertChain,
+ const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
+ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+ const Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
+ const Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags,
+ Time time, uint32_t certVerifierFlags,
+ /*out*/ nsTArray<nsTArray<uint8_t>>& builtCertChain,
+ /*out*/ EVStatus& evStatus,
+ /*out*/ CertificateTransparencyInfo& certificateTransparencyInfo,
+ /*out*/ bool& aIsBuiltCertChainRootBuiltInRoot,
+ /*out*/ bool& aMadeOCSPRequests) {
+ CertVerifier::OCSPStaplingStatus ocspStaplingStatus =
+ CertVerifier::OCSP_STAPLING_NEVER_CHECKED;
+ KeySizeStatus keySizeStatus = KeySizeStatus::NeverChecked;
+ PinningTelemetryInfo pinningTelemetryInfo;
+
+ nsTArray<nsTArray<uint8_t>> peerCertsBytes;
+ // Don't include the end-entity certificate.
+ if (!peerCertChain.IsEmpty()) {
+ std::transform(
+ peerCertChain.cbegin() + 1, peerCertChain.cend(),
+ MakeBackInserter(peerCertsBytes),
+ [](const auto& elementArray) { return elementArray.Clone(); });
+ }
+
+ IssuerSources issuerSources;
+ Result rv = certVerifier.VerifySSLServerCert(
+ certBytes, time, aPinArg, aHostName, builtCertChain, certVerifierFlags,
+ Some(std::move(peerCertsBytes)), stapledOCSPResponse,
+ sctsFromTLSExtension, dcInfo, aOriginAttributes, &evStatus,
+ &ocspStaplingStatus, &keySizeStatus, &pinningTelemetryInfo,
+ &certificateTransparencyInfo, &aIsBuiltCertChainRootBuiltInRoot,
+ &aMadeOCSPRequests, &issuerSources);
+
+ CollectCertTelemetry(rv, evStatus, ocspStaplingStatus, keySizeStatus,
+ pinningTelemetryInfo, builtCertChain,
+ certificateTransparencyInfo, issuerSources);
+
+ return rv;
+}
+
+PRErrorCode AuthCertificateParseResults(
+ uint64_t aPtrForLog, const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes,
+ const nsCOMPtr<nsIX509Cert>& aCert, mozilla::pkix::Time aTime,
+ PRErrorCode aCertVerificationError,
+ /* out */
+ nsITransportSecurityInfo::OverridableErrorCategory&
+ aOverridableErrorCategory) {
+ uint32_t probeValue = MapCertErrorToProbeValue(aCertVerificationError);
+ Telemetry::Accumulate(Telemetry::SSL_CERT_VERIFICATION_ERRORS, probeValue);
+
+ Maybe<nsITransportSecurityInfo::OverridableErrorCategory>
+ maybeOverridableErrorCategory =
+ CategorizeCertificateError(aCertVerificationError);
+ // If this isn't an overridable error, return it now. This will stop the
+ // connection and report the given error.
+ if (!maybeOverridableErrorCategory.isSome()) {
+ return aCertVerificationError;
+ }
+ aOverridableErrorCategory = *maybeOverridableErrorCategory;
+
+ bool overrideAllowed = false;
+ nsresult rv = OverrideAllowedForHost(aPtrForLog, aHostName, aOriginAttributes,
+ overrideAllowed);
+ if (NS_FAILED(rv)) {
+ return aCertVerificationError;
+ }
+
+ if (!overrideAllowed) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[0x%" PRIx64 "] HSTS or pinned host - no overrides allowed",
+ aPtrForLog));
+ return aCertVerificationError;
+ }
+
+ nsCOMPtr<nsICertOverrideService> overrideService =
+ do_GetService(NS_CERTOVERRIDE_CONTRACTID);
+ if (!overrideService) {
+ return aCertVerificationError;
+ }
+ bool haveOverride;
+ bool isTemporaryOverride;
+ rv = overrideService->HasMatchingOverride(aHostName, aPort, aOriginAttributes,
+ aCert, &isTemporaryOverride,
+ &haveOverride);
+ if (NS_FAILED(rv)) {
+ return aCertVerificationError;
+ }
+ Unused << isTemporaryOverride;
+ if (haveOverride) {
+ uint32_t probeValue =
+ MapOverridableErrorToProbeValue(aCertVerificationError);
+ Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue);
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[0x%" PRIx64 "] certificate error overridden", aPtrForLog));
+ return 0;
+ }
+
+ return aCertVerificationError;
+}
+
+static nsTArray<nsTArray<uint8_t>> CreateCertBytesArray(
+ const UniqueCERTCertList& aCertChain) {
+ nsTArray<nsTArray<uint8_t>> certsBytes;
+ for (CERTCertListNode* n = CERT_LIST_HEAD(aCertChain);
+ !CERT_LIST_END(n, aCertChain); n = CERT_LIST_NEXT(n)) {
+ nsTArray<uint8_t> certBytes;
+ certBytes.AppendElements(n->cert->derCert.data, n->cert->derCert.len);
+ certsBytes.AppendElement(std::move(certBytes));
+ }
+ return certsBytes;
+}
+
+/*static*/
+SECStatus SSLServerCertVerificationJob::Dispatch(
+ uint64_t addrForLogging, void* aPinArg,
+ nsTArray<nsTArray<uint8_t>>&& peerCertChain, const nsACString& aHostName,
+ int32_t aPort, const OriginAttributes& aOriginAttributes,
+ Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+ Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
+ Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags, Time time,
+ uint32_t certVerifierFlags,
+ BaseSSLServerCertVerificationResult* aResultTask) {
+ // Runs on the socket transport thread
+ if (!aResultTask || peerCertChain.IsEmpty()) {
+ MOZ_ASSERT_UNREACHABLE(
+ "must have result task and non-empty peer cert chain");
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+
+ if (!gCertVerificationThreadPool) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ RefPtr<SSLServerCertVerificationJob> job(new SSLServerCertVerificationJob(
+ addrForLogging, aPinArg, std::move(peerCertChain), aHostName, aPort,
+ aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo,
+ providerFlags, time, certVerifierFlags, aResultTask));
+
+ nsresult nrv = gCertVerificationThreadPool->Dispatch(job, NS_DISPATCH_NORMAL);
+ if (NS_FAILED(nrv)) {
+ // We can't call SetCertVerificationResult here to change
+ // mCertVerificationState because SetCertVerificationResult will call
+ // libssl functions that acquire SSL locks that are already being held at
+ // this point. However, we can set an error with PR_SetError and return
+ // SECFailure, and the correct thing will happen (the error will be
+ // propagated and this connection will be terminated).
+ PRErrorCode error = nrv == NS_ERROR_OUT_OF_MEMORY ? PR_OUT_OF_MEMORY_ERROR
+ : PR_INVALID_STATE_ERROR;
+ PR_SetError(error, 0);
+ return SECFailure;
+ }
+
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return SECWouldBlock;
+}
+
+NS_IMETHODIMP
+SSLServerCertVerificationJob::Run() {
+ // Runs on a cert verification thread and only on parent process.
+ MOZ_ASSERT(XRE_IsParentProcess());
+
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("[%" PRIx64 "] SSLServerCertVerificationJob::Run\n", mAddrForLogging));
+
+ RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
+ if (!certVerifier) {
+ PR_SetError(SEC_ERROR_NOT_INITIALIZED, 0);
+ return NS_OK;
+ }
+
+ TimeStamp jobStartTime = TimeStamp::Now();
+ EVStatus evStatus;
+ CertificateTransparencyInfo certificateTransparencyInfo;
+ bool isCertChainRootBuiltInRoot = false;
+ bool madeOCSPRequests = false;
+ nsTArray<nsTArray<uint8_t>> builtChainBytesArray;
+ nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone());
+ Result rv = AuthCertificate(
+ *certVerifier, mPinArg, certBytes, mPeerCertChain, mHostName,
+ mOriginAttributes, mStapledOCSPResponse, mSCTsFromTLSExtension, mDCInfo,
+ mProviderFlags, mTime, mCertVerifierFlags, builtChainBytesArray, evStatus,
+ certificateTransparencyInfo, isCertChainRootBuiltInRoot,
+ madeOCSPRequests);
+
+ if (rv == Success) {
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX, jobStartTime,
+ TimeStamp::Now());
+ Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);
+
+ mResultTask->Dispatch(
+ std::move(builtChainBytesArray), std::move(mPeerCertChain),
+ TransportSecurityInfo::ConvertCertificateTransparencyInfoToStatus(
+ certificateTransparencyInfo),
+ evStatus, true, 0,
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET,
+ isCertChainRootBuiltInRoot, mProviderFlags, madeOCSPRequests);
+ return NS_OK;
+ }
+
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX,
+ jobStartTime, TimeStamp::Now());
+
+ PRErrorCode error = MapResultToPRErrorCode(rv);
+ nsITransportSecurityInfo::OverridableErrorCategory overridableErrorCategory =
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET;
+ nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));
+ PRErrorCode finalError = AuthCertificateParseResults(
+ mAddrForLogging, mHostName, mPort, mOriginAttributes, cert, mTime, error,
+ overridableErrorCategory);
+
+ // NB: finalError may be 0 here, in which the connection will continue.
+ mResultTask->Dispatch(
+ std::move(builtChainBytesArray), std::move(mPeerCertChain),
+ nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE,
+ EVStatus::NotEV, false, finalError, overridableErrorCategory, false,
+ mProviderFlags, madeOCSPRequests);
+ return NS_OK;
+}
+
+// Takes information needed for cert verification, does some consistency
+// checks and calls SSLServerCertVerificationJob::Dispatch.
+SECStatus AuthCertificateHookInternal(
+ CommonSocketControl* socketControl, const void* aPtrForLogging,
+ const nsACString& hostName, nsTArray<nsTArray<uint8_t>>&& peerCertChain,
+ Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+ Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
+ Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags,
+ uint32_t certVerifierFlags) {
+ // Runs on the socket transport thread
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] starting AuthCertificateHookInternal\n", aPtrForLogging));
+
+ if (!socketControl || peerCertChain.IsEmpty()) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ bool onSTSThread;
+ nsresult nrv;
+ nsCOMPtr<nsIEventTarget> sts =
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
+ if (NS_SUCCEEDED(nrv)) {
+ nrv = sts->IsOnCurrentThread(&onSTSThread);
+ }
+
+ if (NS_FAILED(nrv)) {
+ NS_ERROR("Could not get STS service or IsOnCurrentThread failed");
+ PR_SetError(PR_UNKNOWN_ERROR, 0);
+ return SECFailure;
+ }
+
+ MOZ_ASSERT(onSTSThread);
+
+ if (!onSTSThread) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ uint64_t addr = reinterpret_cast<uintptr_t>(aPtrForLogging);
+ RefPtr<SSLServerCertVerificationResult> resultTask =
+ new SSLServerCertVerificationResult(socketControl);
+
+ if (XRE_IsSocketProcess()) {
+ return RemoteProcessCertVerification(
+ std::move(peerCertChain), hostName, socketControl->GetPort(),
+ socketControl->GetOriginAttributes(), stapledOCSPResponse,
+ sctsFromTLSExtension, dcInfo, providerFlags, certVerifierFlags,
+ resultTask);
+ }
+
+ // We *must* do certificate verification on a background thread because
+ // we need the socket transport thread to be free for our OCSP requests,
+ // and we *want* to do certificate verification on a background thread
+ // because of the performance benefits of doing so.
+ return SSLServerCertVerificationJob::Dispatch(
+ addr, socketControl, std::move(peerCertChain), hostName,
+ socketControl->GetPort(), socketControl->GetOriginAttributes(),
+ stapledOCSPResponse, sctsFromTLSExtension, dcInfo, providerFlags, Now(),
+ certVerifierFlags, resultTask);
+}
+
+// Extracts whatever information we need out of fd (using SSL_*) and passes it
+// to AuthCertificateHookInternal. AuthCertificateHookInternal will call
+// SSLServerCertVerificationJob::Dispatch. SSLServerCertVerificationJob
+// should never do anything with fd except logging.
+SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
+ PRBool isServer) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] starting AuthCertificateHook\n", fd));
+
+ // Modern libssl always passes PR_TRUE for checkSig, and we have no means of
+ // doing verification without checking signatures.
+ MOZ_ASSERT(checkSig, "AuthCertificateHook: checkSig unexpectedly false");
+
+ // PSM never causes libssl to call this function with PR_TRUE for isServer,
+ // and many things in PSM assume that we are a client.
+ MOZ_ASSERT(!isServer, "AuthCertificateHook: isServer unexpectedly true");
+
+ NSSSocketControl* socketInfo = static_cast<NSSSocketControl*>(arg);
+
+ UniqueCERTCertificate serverCert(SSL_PeerCertificate(fd));
+
+ if (!checkSig || isServer || !socketInfo || !serverCert) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+ socketInfo->SetFullHandshake();
+
+ if (BlockServerCertChangeForSpdy(socketInfo, serverCert) != SECSuccess) {
+ return SECFailure;
+ }
+
+ UniqueCERTCertList peerCertChain(SSL_PeerCertificateChain(fd));
+ if (!peerCertChain) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ nsTArray<nsTArray<uint8_t>> peerCertsBytes =
+ CreateCertBytesArray(peerCertChain);
+
+ // SSL_PeerStapledOCSPResponses will never return a non-empty response if
+ // OCSP stapling wasn't enabled because libssl wouldn't have let the server
+ // return a stapled OCSP response.
+ // We don't own these pointers.
+ const SECItemArray* csa = SSL_PeerStapledOCSPResponses(fd);
+ Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
+ // we currently only support single stapled responses
+ if (csa && csa->len == 1) {
+ stapledOCSPResponse.emplace();
+ stapledOCSPResponse->SetCapacity(csa->items[0].len);
+ stapledOCSPResponse->AppendElements(csa->items[0].data, csa->items[0].len);
+ }
+
+ Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
+ const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
+ if (sctsFromTLSExtensionSECItem) {
+ sctsFromTLSExtension.emplace();
+ sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
+ sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
+ sctsFromTLSExtensionSECItem->len);
+ }
+
+ uint32_t providerFlags = 0;
+ socketInfo->GetProviderFlags(&providerFlags);
+
+ uint32_t certVerifierFlags = 0;
+ if (!socketInfo->SharedState().IsOCSPStaplingEnabled() ||
+ !socketInfo->SharedState().IsOCSPMustStapleEnabled()) {
+ certVerifierFlags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
+ }
+
+ // Get DC information
+ Maybe<DelegatedCredentialInfo> dcInfo;
+ SSLPreliminaryChannelInfo channelPreInfo;
+ SECStatus rv = SSL_GetPreliminaryChannelInfo(fd, &channelPreInfo,
+ sizeof(channelPreInfo));
+ if (rv != SECSuccess) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+ if (channelPreInfo.peerDelegCred) {
+ dcInfo.emplace(DelegatedCredentialInfo(channelPreInfo.signatureScheme,
+ channelPreInfo.authKeyBits));
+ }
+
+ // If we configured an ECHConfig and NSS returned the public name
+ // for verification, ECH was rejected. Proceed, verifying to the
+ // public name. The result determines how NSS will fail (i.e. with
+ // any provided retry_configs if successful). See draft-ietf-tls-esni-08.
+ nsCString echConfig;
+ nsresult nsrv = socketInfo->GetEchConfig(echConfig);
+ bool verifyToEchPublicName =
+ NS_SUCCEEDED(nsrv) && echConfig.Length() && channelPreInfo.echPublicName;
+
+ const nsCString echPublicName(channelPreInfo.echPublicName);
+ const nsACString& hostname =
+ verifyToEchPublicName ? echPublicName : socketInfo->GetHostName();
+ socketInfo->SetCertVerificationWaiting();
+ rv = AuthCertificateHookInternal(socketInfo, static_cast<const void*>(fd),
+ hostname, std::move(peerCertsBytes),
+ stapledOCSPResponse, sctsFromTLSExtension,
+ dcInfo, providerFlags, certVerifierFlags);
+ return rv;
+}
+
+// Takes information needed for cert verification, does some consistency
+// checks and calls SSLServerCertVerificationJob::Dispatch.
+// This function is used for Quic.
+SECStatus AuthCertificateHookWithInfo(
+ CommonSocketControl* socketControl, const nsACString& aHostName,
+ const void* aPtrForLogging, nsTArray<nsTArray<uint8_t>>&& peerCertChain,
+ Maybe<nsTArray<nsTArray<uint8_t>>>& stapledOCSPResponses,
+ Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags) {
+ if (peerCertChain.IsEmpty()) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ // we currently only support single stapled responses
+ Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
+ if (stapledOCSPResponses && (stapledOCSPResponses->Length() == 1)) {
+ stapledOCSPResponse.emplace(stapledOCSPResponses->ElementAt(0).Clone());
+ }
+
+ uint32_t certVerifierFlags = 0;
+ // QuicSocketControl does not have a SharedState as NSSSocketControl.
+ // Here we need prefs for ocsp. This are prefs they are the same for
+ // PublicSSLState and PrivateSSLState, just take them from one of them.
+ if (!PublicSSLState()->IsOCSPStaplingEnabled() ||
+ !PublicSSLState()->IsOCSPMustStapleEnabled()) {
+ certVerifierFlags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
+ }
+
+ // Need to update Quic stack to reflect the PreliminaryInfo fields
+ // for Delegated Credentials.
+ Maybe<DelegatedCredentialInfo> dcInfo;
+
+ return AuthCertificateHookInternal(socketControl, aPtrForLogging, aHostName,
+ std::move(peerCertChain),
+ stapledOCSPResponse, sctsFromTLSExtension,
+ dcInfo, providerFlags, certVerifierFlags);
+}
+
+NS_IMPL_ISUPPORTS_INHERITED0(SSLServerCertVerificationResult, Runnable)
+
+SSLServerCertVerificationResult::SSLServerCertVerificationResult(
+ CommonSocketControl* socketControl)
+ : Runnable("psm::SSLServerCertVerificationResult"),
+ mSocketControl(socketControl),
+ mCertificateTransparencyStatus(0),
+ mEVStatus(EVStatus::NotEV),
+ mSucceeded(false),
+ mFinalError(0),
+ mOverridableErrorCategory(
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET),
+ mProviderFlags(0) {}
+
+void SSLServerCertVerificationResult::Dispatch(
+ nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
+ uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
+ bool aSucceeded, PRErrorCode aFinalError,
+ nsITransportSecurityInfo::OverridableErrorCategory
+ aOverridableErrorCategory,
+ bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
+ bool aMadeOCSPRequests) {
+ mBuiltChain = std::move(aBuiltChain);
+ mPeerCertChain = std::move(aPeerCertChain);
+ mCertificateTransparencyStatus = aCertificateTransparencyStatus;
+ mEVStatus = aEVStatus;
+ mSucceeded = aSucceeded;
+ mFinalError = aFinalError;
+ mOverridableErrorCategory = aOverridableErrorCategory;
+ mIsBuiltCertChainRootBuiltInRoot = aIsBuiltCertChainRootBuiltInRoot;
+ mProviderFlags = aProviderFlags;
+ mMadeOCSPRequests = aMadeOCSPRequests;
+
+ if (mSucceeded && mBuiltChain.IsEmpty()) {
+ MOZ_ASSERT_UNREACHABLE(
+ "if the handshake succeeded, the built chain shouldn't be empty");
+ mSucceeded = false;
+ mFinalError = SEC_ERROR_LIBRARY_FAILURE;
+ }
+ if (!mSucceeded && mPeerCertChain.IsEmpty()) {
+ MOZ_ASSERT_UNREACHABLE(
+ "if the handshake failed, the peer chain shouldn't be empty");
+ mFinalError = SEC_ERROR_LIBRARY_FAILURE;
+ }
+
+ nsresult rv;
+ nsCOMPtr<nsIEventTarget> stsTarget =
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);
+ MOZ_ASSERT(stsTarget, "Failed to get socket transport service event target");
+ rv = stsTarget->Dispatch(this, NS_DISPATCH_NORMAL);
+ MOZ_ASSERT(NS_SUCCEEDED(rv),
+ "Failed to dispatch SSLServerCertVerificationResult");
+}
+
+NS_IMETHODIMP
+SSLServerCertVerificationResult::Run() {
+#ifdef DEBUG
+ bool onSTSThread = false;
+ nsresult nrv;
+ nsCOMPtr<nsIEventTarget> sts =
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
+ if (NS_SUCCEEDED(nrv)) {
+ nrv = sts->IsOnCurrentThread(&onSTSThread);
+ }
+
+ MOZ_ASSERT(onSTSThread);
+#endif
+
+ if (mSucceeded && !XRE_IsSocketProcess() &&
+ !(mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE)) {
+ // This dispatches an event that will run when the socket thread is idle.
+ SaveIntermediateCerts(mBuiltChain);
+ }
+
+ mSocketControl->SetMadeOCSPRequests(mMadeOCSPRequests);
+
+ if (mSucceeded) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("SSLServerCertVerificationResult::Run setting NEW cert"));
+ nsTArray<uint8_t> certBytes(mBuiltChain.ElementAt(0).Clone());
+ nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));
+ mSocketControl->SetServerCert(cert, mEVStatus);
+ mSocketControl->SetSucceededCertChain(std::move(mBuiltChain));
+
+ mSocketControl->SetIsBuiltCertChainRootBuiltInRoot(
+ mIsBuiltCertChainRootBuiltInRoot);
+ mSocketControl->SetCertificateTransparencyStatus(
+ mCertificateTransparencyStatus);
+ } else {
+ nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone());
+ nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));
+ // Certificate validation failed; store the peer certificate chain on
+ // mSocketControl so it can be used for error reporting.
+ mSocketControl->SetFailedCertChain(std::move(mPeerCertChain));
+ if (mOverridableErrorCategory !=
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET) {
+ mSocketControl->SetStatusErrorBits(cert, mOverridableErrorCategory);
+ }
+ }
+
+ mSocketControl->SetCertVerificationResult(mFinalError);
+ return NS_OK;
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/SSLServerCertVerification.h b/security/manager/ssl/SSLServerCertVerification.h
new file mode 100644
index 0000000000..694563152d
--- /dev/null
+++ b/security/manager/ssl/SSLServerCertVerification.h
@@ -0,0 +1,161 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _SSLSERVERCERTVERIFICATION_H
+#define _SSLSERVERCERTVERIFICATION_H
+
+#include "CertVerifier.h"
+#include "CommonSocketControl.h"
+#include "ScopedNSSTypes.h"
+#include "mozilla/Maybe.h"
+#include "mozpkix/pkix.h"
+#include "nsITransportSecurityInfo.h"
+#include "nsIX509Cert.h"
+#include "nsTArray.h"
+#include "nsThreadUtils.h"
+#include "prerror.h"
+#include "prio.h"
+#include "seccomon.h"
+#include "secoidt.h"
+
+using namespace mozilla::pkix;
+
+namespace mozilla {
+namespace psm {
+
+enum class EVStatus : uint8_t;
+
+SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
+ PRBool isServer);
+
+// This function triggers the certificate verification. The verification is
+// asynchronous and the info object will be notified when the verification has
+// completed via SetCertVerificationResult.
+SECStatus AuthCertificateHookWithInfo(
+ CommonSocketControl* socketControl, const nsACString& aHostName,
+ const void* aPtrForLogging, nsTArray<nsTArray<uint8_t>>&& peerCertChain,
+ Maybe<nsTArray<nsTArray<uint8_t>>>& stapledOCSPResponses,
+ Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags);
+
+// Base class for dispatching the certificate verification result.
+class BaseSSLServerCertVerificationResult {
+ public:
+ NS_INLINE_DECL_PURE_VIRTUAL_REFCOUNTING
+
+ virtual void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
+ uint16_t aCertificateTransparencyStatus,
+ EVStatus aEVStatus, bool aSucceeded,
+ PRErrorCode aFinalError,
+ nsITransportSecurityInfo::OverridableErrorCategory
+ aOverridableErrorCategory,
+ bool aIsBuiltCertChainRootBuiltInRoot,
+ uint32_t aProviderFlags, bool aMadeOCSPRequests) = 0;
+};
+
+// Dispatched to the STS thread to notify the infoObject of the verification
+// result.
+//
+// This will cause the PR_Poll in the STS thread to return, so things work
+// correctly even if the STS thread is blocked polling (only) on the file
+// descriptor that is waiting for this result.
+class SSLServerCertVerificationResult final
+ : public BaseSSLServerCertVerificationResult,
+ public Runnable {
+ public:
+ NS_DECL_ISUPPORTS_INHERITED
+ NS_DECL_NSIRUNNABLE
+
+ explicit SSLServerCertVerificationResult(CommonSocketControl* socketControl);
+
+ void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
+ uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
+ bool aSucceeded, PRErrorCode aFinalError,
+ nsITransportSecurityInfo::OverridableErrorCategory
+ aOverridableErrorCategory,
+ bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
+ bool aMadeOCSPRequests) override;
+
+ private:
+ ~SSLServerCertVerificationResult() = default;
+
+ const RefPtr<CommonSocketControl> mSocketControl;
+ nsTArray<nsTArray<uint8_t>> mBuiltChain;
+ nsTArray<nsTArray<uint8_t>> mPeerCertChain;
+ uint16_t mCertificateTransparencyStatus;
+ EVStatus mEVStatus;
+ bool mSucceeded;
+ PRErrorCode mFinalError;
+ nsITransportSecurityInfo::OverridableErrorCategory mOverridableErrorCategory;
+ bool mIsBuiltCertChainRootBuiltInRoot;
+ uint32_t mProviderFlags;
+ bool mMadeOCSPRequests;
+};
+
+class SSLServerCertVerificationJob : public Runnable {
+ public:
+ SSLServerCertVerificationJob(const SSLServerCertVerificationJob&) = delete;
+
+ // Must be called only on the socket transport thread
+ static SECStatus Dispatch(uint64_t addrForLogging, void* aPinArg,
+ nsTArray<nsTArray<uint8_t>>&& peerCertChain,
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes,
+ Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+ Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
+ Maybe<DelegatedCredentialInfo>& dcInfo,
+ uint32_t providerFlags, Time time,
+ uint32_t certVerifierFlags,
+ BaseSSLServerCertVerificationResult* aResultTask);
+
+ private:
+ NS_DECL_NSIRUNNABLE
+
+ // Must be called only on the socket transport thread
+ SSLServerCertVerificationJob(uint64_t addrForLogging, void* aPinArg,
+ nsTArray<nsTArray<uint8_t>>&& peerCertChain,
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes,
+ Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+ Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
+ Maybe<DelegatedCredentialInfo>& dcInfo,
+ uint32_t providerFlags, Time time,
+ uint32_t certVerifierFlags,
+ BaseSSLServerCertVerificationResult* aResultTask)
+ : Runnable("psm::SSLServerCertVerificationJob"),
+ mAddrForLogging(addrForLogging),
+ mPinArg(aPinArg),
+ mPeerCertChain(std::move(peerCertChain)),
+ mHostName(aHostName),
+ mPort(aPort),
+ mOriginAttributes(aOriginAttributes),
+ mProviderFlags(providerFlags),
+ mCertVerifierFlags(certVerifierFlags),
+ mTime(time),
+ mStapledOCSPResponse(std::move(stapledOCSPResponse)),
+ mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)),
+ mDCInfo(std::move(dcInfo)),
+ mResultTask(aResultTask) {}
+
+ uint64_t mAddrForLogging;
+ void* mPinArg;
+ nsTArray<nsTArray<uint8_t>> mPeerCertChain;
+ nsCString mHostName;
+ int32_t mPort;
+ OriginAttributes mOriginAttributes;
+ const uint32_t mProviderFlags;
+ const uint32_t mCertVerifierFlags;
+ const Time mTime;
+ Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
+ Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
+ Maybe<DelegatedCredentialInfo> mDCInfo;
+ RefPtr<BaseSSLServerCertVerificationResult> mResultTask;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif
diff --git a/security/manager/ssl/ScopedNSSTypes.h b/security/manager/ssl/ScopedNSSTypes.h
new file mode 100644
index 0000000000..6ae25db868
--- /dev/null
+++ b/security/manager/ssl/ScopedNSSTypes.h
@@ -0,0 +1,464 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This header provides smart pointers and various helpers for code that needs
+// to interact with NSS.
+
+#ifndef ScopedNSSTypes_h
+#define ScopedNSSTypes_h
+
+#include <limits>
+#include <memory>
+
+#include "cert.h"
+#include "cms.h"
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "mozilla/Likely.h"
+#include "mozilla/UniquePtr.h"
+#include "nsDebug.h"
+#include "nsError.h"
+#include "NSSErrorsService.h"
+#include "pk11hpke.h"
+#include "pk11pub.h"
+#include "pkcs12.h"
+#include "prerror.h"
+#include "prio.h"
+#include "prmem.h"
+#include "sechash.h"
+#include "secmod.h"
+#include "secpkcs7.h"
+#include "secport.h"
+
+#ifndef MOZ_NO_MOZALLOC
+# include "mozilla/mozalloc_oom.h"
+#endif
+
+// Normally this would be included from nsNSSComponent.h, but that file includes
+// this file.
+bool EnsureNSSInitializedChromeOrContent();
+
+namespace mozilla {
+
+// NSPR APIs use PRStatus/PR_GetError and NSS APIs use SECStatus/PR_GetError to
+// report success/failure. This function makes it more convenient and *safer*
+// to translate NSPR/NSS results to nsresult. It is safer because it
+// refuses to translate any bad PRStatus/SECStatus into an NS_OK, even when the
+// NSPR/NSS function forgot to call PR_SetError. The actual enforcement of
+// this happens in mozilla::psm::GetXPCOMFromNSSError.
+// IMPORTANT: This must be called immediately after the function returning the
+// SECStatus result. The recommended usage is:
+// nsresult rv = MapSECStatus(f(x, y, z));
+inline nsresult MapSECStatus(SECStatus rv) {
+ if (rv == SECSuccess) {
+ return NS_OK;
+ }
+
+ return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+}
+
+namespace internal {
+
+inline void PK11_DestroyContext_true(PK11Context* ctx) {
+ PK11_DestroyContext(ctx, true);
+}
+
+inline void SECKEYEncryptedPrivateKeyInfo_true(
+ SECKEYEncryptedPrivateKeyInfo* epki) {
+ SECKEY_DestroyEncryptedPrivateKeyInfo(epki, true);
+}
+
+// If this was created via PK11_ListFixedKeysInSlot, we may have a list of keys,
+// in which case we have to free them all (and if not, this will still free the
+// one key).
+inline void FreeOneOrMoreSymKeys(PK11SymKey* keys) {
+ PK11SymKey* next;
+ while (keys) {
+ next = PK11_GetNextSymKey(keys);
+ PK11_FreeSymKey(keys);
+ keys = next;
+ }
+}
+
+} // namespace internal
+
+// Emulates MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE, but for UniquePtrs.
+#define MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(name, Type, Deleter) \
+ struct name##DeletePolicy { \
+ void operator()(Type* aValue) { Deleter(aValue); } \
+ }; \
+ typedef std::unique_ptr<Type, name##DeletePolicy> name;
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11Context, PK11Context,
+ internal::PK11_DestroyContext_true)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11SlotInfo, PK11SlotInfo,
+ PK11_FreeSlot)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11SymKey, PK11SymKey,
+ internal::FreeOneOrMoreSymKeys)
+
+// Common base class for Digest and HMAC. Should not be used directly.
+// Subclasses must implement a `Begin` function that initializes
+// `mDigestContext` and calls `SetLength`.
+class DigestBase {
+ protected:
+ explicit DigestBase() : mLen(0), mDigestContext(nullptr) {}
+
+ public:
+ nsresult Update(Span<const uint8_t> in) {
+ return Update(in.Elements(), in.Length());
+ }
+
+ nsresult Update(const unsigned char* buf, const uint32_t len) {
+ if (!mDigestContext) {
+ return NS_ERROR_NOT_INITIALIZED;
+ }
+ return MapSECStatus(PK11_DigestOp(mDigestContext.get(), buf, len));
+ }
+
+ nsresult End(/*out*/ nsTArray<uint8_t>& out) {
+ if (!mDigestContext) {
+ return NS_ERROR_NOT_INITIALIZED;
+ }
+ out.SetLength(mLen);
+ uint32_t len;
+ nsresult rv = MapSECStatus(
+ PK11_DigestFinal(mDigestContext.get(), out.Elements(), &len, mLen));
+ NS_ENSURE_SUCCESS(rv, rv);
+ mDigestContext = nullptr;
+ NS_ENSURE_TRUE(len == mLen, NS_ERROR_UNEXPECTED);
+
+ return NS_OK;
+ }
+
+ protected:
+ nsresult SetLength(SECOidTag hashType) {
+ switch (hashType) {
+ case SEC_OID_MD5:
+ mLen = MD5_LENGTH;
+ break;
+ case SEC_OID_SHA1:
+ mLen = SHA1_LENGTH;
+ break;
+ case SEC_OID_SHA256:
+ mLen = SHA256_LENGTH;
+ break;
+ case SEC_OID_SHA384:
+ mLen = SHA384_LENGTH;
+ break;
+ case SEC_OID_SHA512:
+ mLen = SHA512_LENGTH;
+ break;
+ default:
+ return NS_ERROR_INVALID_ARG;
+ }
+ return NS_OK;
+ }
+
+ private:
+ uint8_t mLen;
+
+ protected:
+ UniquePK11Context mDigestContext;
+};
+
+/** A more convenient way of dealing with digests calculated into
+ * stack-allocated buffers. NSS must be initialized on the main thread before
+ * use, and the caller must ensure NSS isn't shut down, typically by
+ * being within the lifetime of XPCOM.
+ *
+ * Typical usage, for digesting a buffer in memory:
+ *
+ * nsCOMPtr<nsISupports> nssDummy = do_GetService("@mozilla.org/psm;1", &rv);
+ * nsTArray<uint8_t> digestArray;
+ * nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, mybuffer, myBufferLen,
+ * digestArray);
+ * NS_ENSURE_SUCCESS(rv, rv);
+ *
+ * Less typical usage, for digesting while doing streaming I/O and similar:
+ *
+ * Digest digest;
+ * nsresult rv = digest.Begin(SEC_OID_SHA256);
+ * NS_ENSURE_SUCCESS(rv, rv);
+ * for (...) {
+ * rv = digest.Update(buf, len);
+ * NS_ENSURE_SUCCESS(rv, rv);
+ * }
+ * nsTArray<uint8_t> digestArray;
+ * rv = digest.End(digestArray);
+ * NS_ENSURE_SUCCESS(rv, rv)
+ */
+class Digest : public DigestBase {
+ public:
+ explicit Digest() = default;
+
+ static nsresult DigestBuf(SECOidTag hashAlg, Span<const uint8_t> buf,
+ /*out*/ nsTArray<uint8_t>& out) {
+ return Digest::DigestBuf(hashAlg, buf.Elements(), buf.Length(), out);
+ }
+
+ static nsresult DigestBuf(SECOidTag hashAlg, const uint8_t* buf, uint32_t len,
+ /*out*/ nsTArray<uint8_t>& out) {
+ Digest digest;
+
+ nsresult rv = digest.Begin(hashAlg);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = digest.Update(buf, len);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = digest.End(out);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return rv;
+ }
+
+ nsresult Begin(SECOidTag hashAlg) {
+ if (!EnsureNSSInitializedChromeOrContent()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ switch (hashAlg) {
+ case SEC_OID_SHA1:
+ case SEC_OID_SHA256:
+ case SEC_OID_SHA384:
+ case SEC_OID_SHA512:
+ break;
+
+ default:
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ mDigestContext = UniquePK11Context(PK11_CreateDigestContext(hashAlg));
+ if (!mDigestContext) {
+ return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+ }
+
+ nsresult rv = SetLength(hashAlg);
+ NS_ENSURE_SUCCESS(rv, rv);
+ return MapSECStatus(PK11_DigestBegin(mDigestContext.get()));
+ }
+};
+
+// A helper class to calculate HMACs over some data given a key.
+// Only SHA256 and, sadly, MD5 are supported at the moment.
+// Typical usage:
+// (ensure NSS is initialized)
+// (obtain raw bytes for a key, some data to calculate the HMAC for)
+// HMAC hmac;
+// nsresult rv = hmac.Begin(SEC_OID_SHA256, Span(key));
+// NS_ENSURE_SUCCESS(rv, rv);
+// rv = hmac.Update(buf, len);
+// NS_ENSURE_SUCCESS(rv, rv);
+// nsTArray<uint8_t> calculatedHmac;
+// rv = hmac.End(calculatedHmac);
+// NS_ENSURE_SUCCESS(rv, rv);
+class HMAC : public DigestBase {
+ public:
+ explicit HMAC() = default;
+
+ nsresult Begin(SECOidTag hashAlg, Span<const uint8_t> key) {
+ if (!EnsureNSSInitializedChromeOrContent()) {
+ return NS_ERROR_FAILURE;
+ }
+ CK_MECHANISM_TYPE mechType;
+ switch (hashAlg) {
+ case SEC_OID_SHA256:
+ mechType = CKM_SHA256_HMAC;
+ break;
+ case SEC_OID_MD5:
+ mechType = CKM_MD5_HMAC;
+ break;
+ default:
+ return NS_ERROR_INVALID_ARG;
+ }
+ if (key.Length() > std::numeric_limits<unsigned int>::max()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ // SECItem's data field is a non-const unsigned char*. The good news is the
+ // data won't be mutated, but the bad news is the constness needs to be
+ // casted away.
+ SECItem keyItem = {siBuffer, const_cast<unsigned char*>(key.Elements()),
+ static_cast<unsigned int>(key.Length())};
+ UniquePK11SlotInfo slot(PK11_GetInternalSlot());
+ if (!slot) {
+ return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+ }
+ UniquePK11SymKey symKey(
+ PK11_ImportSymKey(slot.get(), CKM_GENERIC_SECRET_KEY_GEN,
+ PK11_OriginUnwrap, CKA_SIGN, &keyItem, nullptr));
+ if (!symKey) {
+ return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+ }
+ SECItem emptyData = {siBuffer, nullptr, 0};
+ mDigestContext = UniquePK11Context(PK11_CreateContextBySymKey(
+ mechType, CKA_SIGN, symKey.get(), &emptyData));
+ if (!mDigestContext) {
+ return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+ }
+
+ nsresult rv = SetLength(hashAlg);
+ NS_ENSURE_SUCCESS(rv, rv);
+ return MapSECStatus(PK11_DigestBegin(mDigestContext.get()));
+ }
+};
+
+namespace internal {
+
+inline void PORT_FreeArena_false(PLArenaPool* arena) {
+ // PL_FreeArenaPool can't be used because it doesn't actually free the
+ // memory, which doesn't work well with memory analysis tools.
+ return PORT_FreeArena(arena, false);
+}
+
+} // namespace internal
+
+// Wrapper around NSS's SECItem_AllocItem that handles OOM the same way as
+// other allocators.
+inline void SECITEM_AllocItem(SECItem& item, uint32_t len) {
+ if (MOZ_UNLIKELY(!SECITEM_AllocItem(nullptr, &item, len))) {
+#ifndef MOZ_NO_MOZALLOC
+ mozalloc_handle_oom(len);
+ if (MOZ_UNLIKELY(!SECITEM_AllocItem(nullptr, &item, len)))
+#endif
+ {
+ MOZ_CRASH();
+ }
+ }
+}
+
+class ScopedAutoSECItem final : public SECItem {
+ public:
+ explicit ScopedAutoSECItem(uint32_t initialAllocatedLen = 0) {
+ data = nullptr;
+ len = 0;
+ if (initialAllocatedLen > 0) {
+ SECITEM_AllocItem(*this, initialAllocatedLen);
+ }
+ }
+
+ void reset() { SECITEM_FreeItem(this, false); }
+
+ ~ScopedAutoSECItem() { reset(); }
+};
+
+class MOZ_RAII AutoSECMODListReadLock final {
+ public:
+ AutoSECMODListReadLock() : mLock(SECMOD_GetDefaultModuleListLock()) {
+ MOZ_ASSERT(mLock, "should have SECMOD lock (has NSS been initialized?)");
+ SECMOD_GetReadLock(mLock);
+ }
+
+ ~AutoSECMODListReadLock() { SECMOD_ReleaseReadLock(mLock); }
+
+ private:
+ SECMODListLock* mLock;
+};
+
+namespace internal {
+
+inline void SECITEM_FreeItem_true(SECItem* s) {
+ return SECITEM_FreeItem(s, true);
+}
+
+inline void SECOID_DestroyAlgorithmID_true(SECAlgorithmID* a) {
+ return SECOID_DestroyAlgorithmID(a, true);
+}
+
+inline void VFY_DestroyContext_true(VFYContext* ctx) {
+ VFY_DestroyContext(ctx, true);
+}
+
+inline void PK11_HPKE_DestroyContext_true(HpkeContext* cx) {
+ PK11_HPKE_DestroyContext(cx, true);
+}
+
+} // namespace internal
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificate, CERTCertificate,
+ CERT_DestroyCertificate)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificateList,
+ CERTCertificateList,
+ CERT_DestroyCertificateList)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificatePolicies,
+ CERTCertificatePolicies,
+ CERT_DestroyCertificatePoliciesExtension)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificateRequest,
+ CERTCertificateRequest,
+ CERT_DestroyCertificateRequest)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertList, CERTCertList,
+ CERT_DestroyCertList)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTName, CERTName,
+ CERT_DestroyName)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTOidSequence, CERTOidSequence,
+ CERT_DestroyOidSequence)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTSubjectPublicKeyInfo,
+ CERTSubjectPublicKeyInfo,
+ SECKEY_DestroySubjectPublicKeyInfo)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTUserNotice, CERTUserNotice,
+ CERT_DestroyUserNotice)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTValidity, CERTValidity,
+ CERT_DestroyValidity)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHASHContext, HASHContext,
+ HASH_Destroy)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueNSSCMSMessage, NSSCMSMessage,
+ NSS_CMSMessage_Destroy)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueNSSCMSSignedData, NSSCMSSignedData,
+ NSS_CMSSignedData_Destroy)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11GenericObject,
+ PK11GenericObject,
+ PK11_DestroyGenericObject)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11SlotList, PK11SlotList,
+ PK11_FreeSlotList)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePLArenaPool, PLArenaPool,
+ internal::PORT_FreeArena_false)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePORTString, char, PORT_Free)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRFileDesc, PRFileDesc, PR_Close)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRString, char, PR_Free)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECAlgorithmID, SECAlgorithmID,
+ internal::SECOID_DestroyAlgorithmID_true)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECItem, SECItem,
+ internal::SECITEM_FreeItem_true)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKey, SECKEYPrivateKey,
+ SECKEY_DestroyPrivateKey)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKeyList,
+ SECKEYPrivateKeyList,
+ SECKEY_DestroyPrivateKeyList)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPublicKey, SECKEYPublicKey,
+ SECKEY_DestroyPublicKey)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECMODModule, SECMODModule,
+ SECMOD_DestroyModule)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSGNDigestInfo, SGNDigestInfo,
+ SGN_DestroyDigestInfo)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueVFYContext, VFYContext,
+ internal::VFY_DestroyContext_true)
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSEC_PKCS12DecoderContext,
+ SEC_PKCS12DecoderContext,
+ SEC_PKCS12DecoderFinish)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSEC_PKCS12ExportContext,
+ SEC_PKCS12ExportContext,
+ SEC_PKCS12DestroyExportContext)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(
+ UniqueSECKEYEncryptedPrivateKeyInfo, SECKEYEncryptedPrivateKeyInfo,
+ internal::SECKEYEncryptedPrivateKeyInfo_true)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHpkeContext, HpkeContext,
+ internal::PK11_HPKE_DestroyContext_true)
+} // namespace mozilla
+
+#endif // ScopedNSSTypes_h
diff --git a/security/manager/ssl/SecretDecoderRing.cpp b/security/manager/ssl/SecretDecoderRing.cpp
new file mode 100644
index 0000000000..8cfebde8f9
--- /dev/null
+++ b/security/manager/ssl/SecretDecoderRing.cpp
@@ -0,0 +1,344 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "SecretDecoderRing.h"
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Services.h"
+#include "mozilla/ErrorResult.h"
+#include "mozilla/dom/Promise.h"
+#include "nsCOMPtr.h"
+#include "nsIInterfaceRequestor.h"
+#include "nsIInterfaceRequestorUtils.h"
+#include "nsIObserverService.h"
+#include "nsITokenPasswordDialogs.h"
+#include "nsNSSComponent.h"
+#include "nsNSSHelper.h"
+#include "nsNetCID.h"
+#include "nsPK11TokenDB.h"
+#include "pk11func.h"
+#include "pk11sdr.h" // For PK11SDR_Encrypt, PK11SDR_Decrypt
+
+static mozilla::LazyLogModule gSDRLog("sdrlog");
+
+using namespace mozilla;
+using dom::Promise;
+
+NS_IMPL_ISUPPORTS(SecretDecoderRing, nsISecretDecoderRing)
+
+void BackgroundSdrEncryptStrings(const nsTArray<nsCString>& plaintexts,
+ RefPtr<Promise>& aPromise) {
+ nsCOMPtr<nsISecretDecoderRing> sdrService =
+ do_GetService(NS_SECRETDECODERRING_CONTRACTID);
+ nsTArray<nsString> cipherTexts(plaintexts.Length());
+
+ nsresult rv = NS_ERROR_FAILURE;
+ for (const auto& plaintext : plaintexts) {
+ nsCString cipherText;
+ rv = sdrService->EncryptString(plaintext, cipherText);
+
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ break;
+ }
+
+ cipherTexts.AppendElement(NS_ConvertASCIItoUTF16(cipherText));
+ }
+
+ nsCOMPtr<nsIRunnable> runnable(
+ NS_NewRunnableFunction("BackgroundSdrEncryptStringsResolve",
+ [rv, aPromise = std::move(aPromise),
+ cipherTexts = std::move(cipherTexts)]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolve(cipherTexts);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+void BackgroundSdrDecryptStrings(const nsTArray<nsCString>& encryptedStrings,
+ RefPtr<Promise>& aPromise) {
+ nsCOMPtr<nsISecretDecoderRing> sdrService =
+ do_GetService(NS_SECRETDECODERRING_CONTRACTID);
+ nsTArray<nsString> plainTexts(encryptedStrings.Length());
+
+ nsresult rv = NS_ERROR_FAILURE;
+ for (const auto& encryptedString : encryptedStrings) {
+ nsCString plainText;
+ rv = sdrService->DecryptString(encryptedString, plainText);
+
+ if (NS_FAILED(rv)) {
+ if (rv == NS_ERROR_NOT_AVAILABLE) {
+ // Master Password entry was canceled. Don't keep prompting again.
+ break;
+ }
+
+ // NS_ERROR_ILLEGAL_VALUE or NS_ERROR_FAILURE could be due to bad data for
+ // a single string but we still want to decrypt the others.
+ // Callers of `decryptMany` in crypto-SDR.js assume there will be an
+ // equal number of usernames and passwords so use an empty string to keep
+ // this assumption true.
+ MOZ_LOG(gSDRLog, LogLevel::Warning,
+ ("Couldn't decrypt string: %s", encryptedString.get()));
+ plainTexts.AppendElement(nullptr);
+ rv = NS_OK;
+ continue;
+ }
+
+ plainTexts.AppendElement(NS_ConvertUTF8toUTF16(plainText));
+ }
+
+ nsCOMPtr<nsIRunnable> runnable(
+ NS_NewRunnableFunction("BackgroundSdrDecryptStringsResolve",
+ [rv, aPromise = std::move(aPromise),
+ plainTexts = std::move(plainTexts)]() {
+ if (NS_FAILED(rv)) {
+ aPromise->MaybeReject(rv);
+ } else {
+ aPromise->MaybeResolve(plainTexts);
+ }
+ }));
+ NS_DispatchToMainThread(runnable.forget());
+}
+
+nsresult SecretDecoderRing::Encrypt(const nsACString& data,
+ /*out*/ nsACString& result) {
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ /* Make sure token is initialized. */
+ nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
+ nsresult rv = setPassword(slot.get(), ctx);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ /* Force authentication */
+ if (PK11_Authenticate(slot.get(), true, ctx) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ /* Use default key id */
+ SECItem keyid;
+ keyid.data = nullptr;
+ keyid.len = 0;
+ SECItem request;
+ request.data = BitwiseCast<unsigned char*, const char*>(data.BeginReading());
+ request.len = data.Length();
+ ScopedAutoSECItem reply;
+ if (PK11SDR_Encrypt(&keyid, &request, &reply, ctx) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len);
+ return NS_OK;
+}
+
+nsresult SecretDecoderRing::Decrypt(const nsACString& data,
+ /*out*/ nsACString& result) {
+ /* Find token with SDR key */
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ /* Force authentication */
+ nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
+ if (PK11_Authenticate(slot.get(), true, ctx) != SECSuccess) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ SECItem request;
+ request.data = BitwiseCast<unsigned char*, const char*>(data.BeginReading());
+ request.len = data.Length();
+ ScopedAutoSECItem reply;
+ if (PK11SDR_Decrypt(&request, &reply, ctx) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+SecretDecoderRing::EncryptString(const nsACString& text,
+ /*out*/ nsACString& encryptedBase64Text) {
+ nsAutoCString encryptedText;
+ nsresult rv = Encrypt(text, encryptedText);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = Base64Encode(encryptedText, encryptedBase64Text);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+SecretDecoderRing::AsyncEncryptStrings(const nsTArray<nsCString>& plaintexts,
+ JSContext* aCx, Promise** aPromise) {
+ MOZ_RELEASE_ASSERT(NS_IsMainThread());
+ NS_ENSURE_ARG(!plaintexts.IsEmpty());
+ NS_ENSURE_ARG_POINTER(aCx);
+ NS_ENSURE_ARG_POINTER(aPromise);
+
+ nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
+ if (NS_WARN_IF(!globalObject)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ ErrorResult result;
+ RefPtr<Promise> promise = Promise::Create(globalObject, result);
+ if (NS_WARN_IF(result.Failed())) {
+ return result.StealNSResult();
+ }
+
+ // plaintexts are already expected to be UTF-8.
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundSdrEncryptStrings",
+ [promise, plaintexts = plaintexts.Clone()]() mutable {
+ BackgroundSdrEncryptStrings(plaintexts, promise);
+ }));
+
+ nsCOMPtr<nsIEventTarget> target(
+ do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID));
+ if (!target) {
+ return NS_ERROR_FAILURE;
+ }
+ nsresult rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+
+ promise.forget(aPromise);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+SecretDecoderRing::DecryptString(const nsACString& encryptedBase64Text,
+ /*out*/ nsACString& decryptedText) {
+ nsAutoCString encryptedText;
+ nsresult rv = Base64Decode(encryptedBase64Text, encryptedText);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = Decrypt(encryptedText, decryptedText);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+SecretDecoderRing::AsyncDecryptStrings(
+ const nsTArray<nsCString>& encryptedStrings, JSContext* aCx,
+ Promise** aPromise) {
+ MOZ_RELEASE_ASSERT(NS_IsMainThread());
+ NS_ENSURE_ARG(!encryptedStrings.IsEmpty());
+ NS_ENSURE_ARG_POINTER(aCx);
+ NS_ENSURE_ARG_POINTER(aPromise);
+
+ nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
+ if (NS_WARN_IF(!globalObject)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ ErrorResult result;
+ RefPtr<Promise> promise = Promise::Create(globalObject, result);
+ if (NS_WARN_IF(result.Failed())) {
+ return result.StealNSResult();
+ }
+
+ // encryptedStrings are expected to be base64.
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "BackgroundSdrDecryptStrings",
+ [promise, encryptedStrings = encryptedStrings.Clone()]() mutable {
+ BackgroundSdrDecryptStrings(encryptedStrings, promise);
+ }));
+
+ nsCOMPtr<nsIEventTarget> target(
+ do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID));
+ if (!target) {
+ return NS_ERROR_FAILURE;
+ }
+ nsresult rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+
+ promise.forget(aPromise);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+SecretDecoderRing::ChangePassword() {
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ // nsPK11Token::nsPK11Token takes its own reference to slot, so we pass a
+ // non-owning pointer here.
+ nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get());
+
+ nsCOMPtr<nsITokenPasswordDialogs> dialogs;
+ nsresult rv = getNSSDialogs(getter_AddRefs(dialogs),
+ NS_GET_IID(nsITokenPasswordDialogs),
+ NS_TOKENPASSWORDSDIALOG_CONTRACTID);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
+ bool canceled; // Ignored
+ return dialogs->SetPassword(ctx, token, &canceled);
+}
+
+NS_IMETHODIMP
+SecretDecoderRing::Logout() {
+ PK11_LogoutAll();
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID));
+ if (!nssComponent) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ return nssComponent->ClearSSLExternalAndInternalSessionCache();
+}
+
+NS_IMETHODIMP
+SecretDecoderRing::LogoutAndTeardown() {
+ PK11_LogoutAll();
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID));
+ if (!nssComponent) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ // LogoutAuthenticatedPK11 also clears the SSL caches.
+ nsresult rv = nssComponent->LogoutAuthenticatedPK11();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // After we just logged out, we need to prune dead connections to make
+ // sure that all connections that should be stopped, are stopped. See
+ // bug 517584.
+ nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
+ if (os) {
+ os->NotifyObservers(nullptr, "net:prune-dead-connections", nullptr);
+ }
+
+ return NS_OK;
+}
diff --git a/security/manager/ssl/SecretDecoderRing.h b/security/manager/ssl/SecretDecoderRing.h
new file mode 100644
index 0000000000..23187ae45d
--- /dev/null
+++ b/security/manager/ssl/SecretDecoderRing.h
@@ -0,0 +1,37 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SecretDecoderRing_h
+#define SecretDecoderRing_h
+
+#include "nsISecretDecoderRing.h"
+#include "nsString.h"
+
+#define NS_SECRETDECODERRING_CONTRACTID "@mozilla.org/security/sdr;1"
+
+#define NS_SECRETDECODERRING_CID \
+ { \
+ 0x0c4f1ddc, 0x1dd2, 0x11b2, { \
+ 0x9d, 0x95, 0xf2, 0xfd, 0xf1, 0x13, 0x04, 0x4b \
+ } \
+ }
+
+class SecretDecoderRing : public nsISecretDecoderRing {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSISECRETDECODERRING
+
+ SecretDecoderRing() = default;
+
+ protected:
+ virtual ~SecretDecoderRing() = default;
+
+ private:
+ nsresult Encrypt(const nsACString& data, /*out*/ nsACString& result);
+ nsresult Decrypt(const nsACString& data, /*out*/ nsACString& result);
+};
+
+#endif // SecretDecoderRing_h
diff --git a/security/manager/ssl/SelectTLSClientAuthCertChild.h b/security/manager/ssl/SelectTLSClientAuthCertChild.h
new file mode 100644
index 0000000000..cdf8999cda
--- /dev/null
+++ b/security/manager/ssl/SelectTLSClientAuthCertChild.h
@@ -0,0 +1,42 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTCHILD_H_
+#define SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTCHILD_H_
+
+#include "mozilla/psm/PSelectTLSClientAuthCertChild.h"
+#include "TLSClientAuthCertSelection.h"
+
+namespace mozilla {
+namespace psm {
+
+// Socket process component of the SelectTLSClientAuthCert IPC protocol. When
+// the parent process selects a client authentication certificate (or opts for
+// no certificate), RecvTLSClientAuthCertSelected will be called via IPC with
+// the bytes of the certificate (and the bytes of the associated certificate
+// chain). That function dispatches an event to the socket thread that notifies
+// NSS that the associated connection can continue.
+class SelectTLSClientAuthCertChild : public PSelectTLSClientAuthCertChild {
+ public:
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SelectTLSClientAuthCertChild, override)
+
+ explicit SelectTLSClientAuthCertChild(
+ ClientAuthCertificateSelected* continuation);
+
+ ipc::IPCResult RecvTLSClientAuthCertSelected(
+ ByteArray&& aSelectedCertBytes,
+ nsTArray<ByteArray>&& aSelectedCertChainBytes);
+
+ private:
+ ~SelectTLSClientAuthCertChild() = default;
+
+ RefPtr<ClientAuthCertificateSelected> mContinuation;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTCHILD_H_
diff --git a/security/manager/ssl/SelectTLSClientAuthCertParent.h b/security/manager/ssl/SelectTLSClientAuthCertParent.h
new file mode 100644
index 0000000000..efe7aa8420
--- /dev/null
+++ b/security/manager/ssl/SelectTLSClientAuthCertParent.h
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_
+#define SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_
+
+#include "mozilla/OriginAttributes.h"
+#include "mozilla/psm/PSelectTLSClientAuthCertParent.h"
+
+namespace mozilla {
+namespace psm {
+
+// Parent process component of the SelectTLSClientAuthCert IPC protocol. When
+// the socket process encounters a TLS server that requests a client
+// authentication certificate, Dispatch will be called via IPC with the
+// information associated with that connection. That function dispatches an
+// event to the main thread that determines what certificate to select, if any
+// (usually by opening a dialog for the user to interact with). When a
+// certificate (or no certificate) has been selected, TLSClientAuthCertSelected
+// will be called on the IPC thread, which will cause
+// SelectTLSClientAuthCertChild::RecvTLSClientAuthCertSelected to be called via
+// IPC, which will get the appropriate information to NSS to continue the
+// connection.
+class SelectTLSClientAuthCertParent : public PSelectTLSClientAuthCertParent {
+ public:
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SelectTLSClientAuthCertParent, override)
+
+ SelectTLSClientAuthCertParent() = default;
+
+ bool Dispatch(const nsACString& aHostName,
+ const OriginAttributes& aOriginAttributes, const int32_t& aPort,
+ const uint32_t& aProviderFlags,
+ const uint32_t& aProviderTlsFlags,
+ const ByteArray& aServerCertBytes,
+ nsTArray<ByteArray>&& aCANames,
+ const uint64_t& aBrowsingContextID);
+
+ void TLSClientAuthCertSelected(
+ const nsTArray<uint8_t>& aSelectedCertBytes,
+ nsTArray<nsTArray<uint8_t>>&& aSelectedCertChainBytes);
+
+ private:
+ ~SelectTLSClientAuthCertParent() = default;
+
+ void ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason aWhy) override;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_
diff --git a/security/manager/ssl/SharedCertVerifier.h b/security/manager/ssl/SharedCertVerifier.h
new file mode 100644
index 0000000000..9c8b7534cc
--- /dev/null
+++ b/security/manager/ssl/SharedCertVerifier.h
@@ -0,0 +1,38 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SharedCertVerifier_h
+#define SharedCertVerifier_h
+
+#include "CertVerifier.h"
+#include "EnterpriseRoots.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/TimeStamp.h"
+
+namespace mozilla {
+namespace psm {
+
+class SharedCertVerifier : public mozilla::psm::CertVerifier {
+ protected:
+ ~SharedCertVerifier();
+
+ public:
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
+
+ SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
+ mozilla::TimeDuration ocspSoftTimeout,
+ mozilla::TimeDuration ocspHardTimeout,
+ uint32_t certShortLifetimeInDays,
+ NetscapeStepUpPolicy netscapeStepUpPolicy,
+ CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
+ const nsTArray<EnterpriseCert>& thirdPartyCerts)
+ : mozilla::psm::CertVerifier(
+ odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays,
+ netscapeStepUpPolicy, ctMode, crliteMode, thirdPartyCerts) {}
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // SharedCertVerifier_h
diff --git a/security/manager/ssl/SharedSSLState.cpp b/security/manager/ssl/SharedSSLState.cpp
new file mode 100644
index 0000000000..d0d9667472
--- /dev/null
+++ b/security/manager/ssl/SharedSSLState.cpp
@@ -0,0 +1,192 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "SharedSSLState.h"
+#include "nsClientAuthRemember.h"
+#include "nsComponentManagerUtils.h"
+#include "nsICertOverrideService.h"
+#include "mozilla/OriginAttributes.h"
+#include "nsNSSComponent.h"
+#include "nsIObserverService.h"
+#include "mozilla/Services.h"
+#include "nsThreadUtils.h"
+#include "nsCRT.h"
+#include "nsServiceManagerUtils.h"
+#include "PSMRunnable.h"
+#include "PublicSSL.h"
+#include "ssl.h"
+#include "nsNetCID.h"
+#include "mozilla/Atomics.h"
+#include "mozilla/Unused.h"
+
+using mozilla::Atomic;
+using mozilla::Unused;
+using mozilla::psm::SyncRunnableBase;
+
+namespace {
+
+static Atomic<bool> sCertOverrideSvcExists(false);
+
+class MainThreadClearer : public SyncRunnableBase {
+ public:
+ MainThreadClearer() : mShouldClearSessionCache(false) {}
+
+ void RunOnTargetThread() override {
+ // In some cases it's possible to cause PSM/NSS to initialize while XPCOM
+ // shutdown is in progress. We want to avoid this, since they do not handle
+ // the situation well, hence the flags to avoid instantiating the services
+ // if they don't already exist.
+
+ bool certOverrideSvcExists = sCertOverrideSvcExists.exchange(false);
+ if (certOverrideSvcExists) {
+ sCertOverrideSvcExists = true;
+ nsCOMPtr<nsICertOverrideService> icos =
+ do_GetService(NS_CERTOVERRIDE_CONTRACTID);
+ if (icos) {
+ icos->ClearValidityOverride("all:temporary-certificates"_ns, 0,
+ OriginAttributes());
+ }
+ }
+
+ // This needs to be checked on the main thread to avoid racing with NSS
+ // initialization.
+ mShouldClearSessionCache = mozilla::psm::PrivateSSLState() &&
+ mozilla::psm::PrivateSSLState()->SocketCreated();
+ }
+ bool mShouldClearSessionCache;
+};
+
+} // namespace
+
+namespace mozilla {
+
+void ClearPrivateSSLState() {
+ // This only works if it is called on the socket transport
+ // service thread immediately after closing all private SSL
+ // connections.
+#ifdef DEBUG
+ nsresult rv;
+ nsCOMPtr<nsIEventTarget> sts =
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);
+ MOZ_ASSERT(NS_SUCCEEDED(rv));
+ bool onSTSThread;
+ rv = sts->IsOnCurrentThread(&onSTSThread);
+ MOZ_ASSERT(NS_SUCCEEDED(rv) && onSTSThread);
+#endif
+
+ RefPtr<MainThreadClearer> runnable = new MainThreadClearer;
+ runnable->DispatchToMainThreadAndWait();
+
+ // If NSS isn't initialized, this throws an assertion. We guard it by checking
+ // if the session cache might even have anything worth clearing.
+ if (runnable->mShouldClearSessionCache) {
+ nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
+ }
+}
+
+namespace psm {
+
+namespace {
+class PrivateBrowsingObserver : public nsIObserver {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIOBSERVER
+ explicit PrivateBrowsingObserver(SharedSSLState* aOwner) : mOwner(aOwner) {}
+
+ protected:
+ virtual ~PrivateBrowsingObserver() = default;
+
+ private:
+ SharedSSLState* mOwner;
+};
+
+SharedSSLState* gPublicState;
+SharedSSLState* gPrivateState;
+} // namespace
+
+NS_IMPL_ISUPPORTS(PrivateBrowsingObserver, nsIObserver)
+
+NS_IMETHODIMP
+PrivateBrowsingObserver::Observe(nsISupports* aSubject, const char* aTopic,
+ const char16_t* aData) {
+ if (!nsCRT::strcmp(aTopic, "last-pb-context-exited")) {
+ mOwner->ResetStoredData();
+ }
+ return NS_OK;
+}
+
+SharedSSLState::SharedSSLState(uint32_t aTlsFlags)
+ : mIOLayerHelpers(aTlsFlags),
+ mMutex("SharedSSLState::mMutex"),
+ mSocketCreated(false),
+ mOCSPStaplingEnabled(false),
+ mOCSPMustStapleEnabled(false),
+ mSignedCertTimestampsEnabled(false) {
+ mIOLayerHelpers.Init();
+}
+
+SharedSSLState::~SharedSSLState() = default;
+
+void SharedSSLState::NotePrivateBrowsingStatus() {
+ MOZ_ASSERT(NS_IsMainThread(), "Not on main thread");
+ mObserver = new PrivateBrowsingObserver(this);
+ nsCOMPtr<nsIObserverService> obsSvc = mozilla::services::GetObserverService();
+ obsSvc->AddObserver(mObserver, "last-pb-context-exited", false);
+}
+
+void SharedSSLState::ResetStoredData() {
+ MOZ_ASSERT(NS_IsMainThread(), "Not on main thread");
+ mIOLayerHelpers.clearStoredData();
+}
+
+void SharedSSLState::NoteSocketCreated() {
+ MutexAutoLock lock(mMutex);
+ mSocketCreated = true;
+}
+
+bool SharedSSLState::SocketCreated() {
+ MutexAutoLock lock(mMutex);
+ return mSocketCreated;
+}
+
+/*static*/
+void SharedSSLState::GlobalInit() {
+ MOZ_ASSERT(NS_IsMainThread(), "Not on main thread");
+ gPublicState = new SharedSSLState();
+ gPrivateState = new SharedSSLState();
+ gPrivateState->NotePrivateBrowsingStatus();
+}
+
+/*static*/
+void SharedSSLState::GlobalCleanup() {
+ MOZ_ASSERT(NS_IsMainThread(), "Not on main thread");
+
+ if (gPrivateState) {
+ gPrivateState->Cleanup();
+ delete gPrivateState;
+ gPrivateState = nullptr;
+ }
+
+ if (gPublicState) {
+ gPublicState->Cleanup();
+ delete gPublicState;
+ gPublicState = nullptr;
+ }
+}
+
+/*static*/
+void SharedSSLState::NoteCertOverrideServiceInstantiated() {
+ sCertOverrideSvcExists = true;
+}
+
+void SharedSSLState::Cleanup() { mIOLayerHelpers.Cleanup(); }
+
+SharedSSLState* PublicSSLState() { return gPublicState; }
+
+SharedSSLState* PrivateSSLState() { return gPrivateState; }
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/SharedSSLState.h b/security/manager/ssl/SharedSSLState.h
new file mode 100644
index 0000000000..31562fc76b
--- /dev/null
+++ b/security/manager/ssl/SharedSSLState.h
@@ -0,0 +1,74 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SharedSSLState_h
+#define SharedSSLState_h
+
+#include "nsNSSIOLayer.h"
+
+class nsIObserver;
+
+namespace mozilla {
+namespace psm {
+
+class SharedSSLState {
+ public:
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedSSLState)
+ explicit SharedSSLState(uint32_t aTlsFlags = 0);
+
+ static void GlobalInit();
+ static void GlobalCleanup();
+
+ nsSSLIOLayerHelpers& IOLayerHelpers() { return mIOLayerHelpers; }
+
+ // Main-thread only
+ void ResetStoredData();
+ void NotePrivateBrowsingStatus();
+ void SetOCSPStaplingEnabled(bool staplingEnabled) {
+ mOCSPStaplingEnabled = staplingEnabled;
+ }
+ void SetOCSPMustStapleEnabled(bool mustStapleEnabled) {
+ mOCSPMustStapleEnabled = mustStapleEnabled;
+ }
+ void SetSignedCertTimestampsEnabled(bool signedCertTimestampsEnabled) {
+ mSignedCertTimestampsEnabled = signedCertTimestampsEnabled;
+ }
+
+ // The following methods may be called from any thread
+ bool SocketCreated();
+ void NoteSocketCreated();
+ static void NoteCertOverrideServiceInstantiated();
+ bool IsOCSPStaplingEnabled() const { return mOCSPStaplingEnabled; }
+ bool IsOCSPMustStapleEnabled() const { return mOCSPMustStapleEnabled; }
+ bool IsSignedCertTimestampsEnabled() const {
+ return mSignedCertTimestampsEnabled;
+ }
+
+ private:
+ ~SharedSSLState();
+
+ void Cleanup();
+
+ nsCOMPtr<nsIObserver> mObserver;
+ nsSSLIOLayerHelpers mIOLayerHelpers;
+
+ // True if any sockets have been created that use this shared data.
+ // Requires synchronization between the socket and main threads for
+ // reading/writing.
+ Mutex mMutex MOZ_UNANNOTATED;
+ bool mSocketCreated;
+ bool mOCSPStaplingEnabled;
+ bool mOCSPMustStapleEnabled;
+ bool mSignedCertTimestampsEnabled;
+};
+
+SharedSSLState* PublicSSLState();
+SharedSSLState* PrivateSSLState();
+
+} // namespace psm
+} // namespace mozilla
+
+#endif
diff --git a/security/manager/ssl/StaticHPKPins.errors b/security/manager/ssl/StaticHPKPins.errors
new file mode 100644
index 0000000000..72958f2291
--- /dev/null
+++ b/security/manager/ssl/StaticHPKPins.errors
@@ -0,0 +1,33 @@
+Can't find hash in builtin certs for Chrome nickname GoogleG2, inserting GOOGLE_PIN_GoogleG2
+Can't find hash in builtin certs for Chrome nickname RapidSSL, inserting GOOGLE_PIN_RapidSSL
+Can't find hash in builtin certs for Chrome nickname DigiCertSHA2HighAssuranceServerCA, inserting GOOGLE_PIN_DigiCertSHA2HighAssuranceServerCA
+Can't find hash in builtin certs for Chrome nickname VeriSignClass1, inserting GOOGLE_PIN_VeriSignClass1
+Can't find hash in builtin certs for Chrome nickname VeriSignClass4_G3, inserting GOOGLE_PIN_VeriSignClass4_G3
+Can't find hash in builtin certs for Chrome nickname VeriSignClass3_G2, inserting GOOGLE_PIN_VeriSignClass3_G2
+Can't find hash in builtin certs for Chrome nickname VeriSignClass2_G2, inserting GOOGLE_PIN_VeriSignClass2_G2
+Can't find hash in builtin certs for Chrome nickname GeoTrustGlobal2, inserting GOOGLE_PIN_GeoTrustGlobal2
+Can't find hash in builtin certs for Chrome nickname Entrust_SSL, inserting GOOGLE_PIN_Entrust_SSL
+Can't find hash in builtin certs for Chrome nickname AddTrustPublicCARoot, inserting GOOGLE_PIN_AddTrustPublicCARoot
+Can't find hash in builtin certs for Chrome nickname AddTrustQualifiedCARoot, inserting GOOGLE_PIN_AddTrustQualifiedCARoot
+Can't find hash in builtin certs for Chrome nickname SecureCertificateServices, inserting GOOGLE_PIN_SecureCertificateServices
+Can't find hash in builtin certs for Chrome nickname TrustedCertificateServices, inserting GOOGLE_PIN_TrustedCertificateServices
+Can't find hash in builtin certs for Chrome nickname UTNDATACorpSGC, inserting GOOGLE_PIN_UTNDATACorpSGC
+Can't find hash in builtin certs for Chrome nickname UTNUSERFirstHardware, inserting GOOGLE_PIN_UTNUSERFirstHardware
+Can't find hash in builtin certs for Chrome nickname UTNUSERFirstObject, inserting GOOGLE_PIN_UTNUSERFirstObject
+Can't find hash in builtin certs for Chrome nickname GTECyberTrustGlobalRoot, inserting GOOGLE_PIN_GTECyberTrustGlobalRoot
+Can't find hash in builtin certs for Chrome nickname GoDaddySecure, inserting GOOGLE_PIN_GoDaddySecure
+Can't find hash in builtin certs for Chrome nickname SymantecClass3EVG3, inserting GOOGLE_PIN_SymantecClass3EVG3
+Can't find hash in builtin certs for Chrome nickname DigiCertECCSecureServerCA, inserting GOOGLE_PIN_DigiCertECCSecureServerCA
+Can't find hash in builtin certs for Chrome nickname COMODORSADomainValidationSecureServerCA, inserting GOOGLE_PIN_COMODORSADomainValidationSecureServerCA
+Writing pinset test
+Writing pinset google
+Writing pinset tor
+Writing pinset twitterCom
+Writing pinset twitterCDN
+Writing pinset dropbox
+Writing pinset facebook
+Writing pinset spideroak
+Writing pinset yahoo
+Writing pinset swehackCom
+Writing pinset ncsccs
+Writing pinset tumblr
diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
new file mode 100644
index 0000000000..6b72b7a6bf
--- /dev/null
+++ b/security/manager/ssl/StaticHPKPins.h
@@ -0,0 +1,783 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*****************************************************************************/
+/* This is an automatically generated file. If you're not */
+/* PublicKeyPinningService.cpp, you shouldn't be #including it. */
+/*****************************************************************************/
+#include <stdint.h>
+/* AffirmTrust Commercial */
+static const char kAffirmTrust_CommercialFingerprint[] =
+ "bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU=";
+
+/* AffirmTrust Networking */
+static const char kAffirmTrust_NetworkingFingerprint[] =
+ "lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA=";
+
+/* AffirmTrust Premium */
+static const char kAffirmTrust_PremiumFingerprint[] =
+ "x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc=";
+
+/* AffirmTrust Premium ECC */
+static const char kAffirmTrust_Premium_ECCFingerprint[] =
+ "MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8=";
+
+/* Baltimore CyberTrust Root */
+static const char kBaltimore_CyberTrust_RootFingerprint[] =
+ "Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=";
+
+/* COMODO Certification Authority */
+static const char kCOMODO_Certification_AuthorityFingerprint[] =
+ "AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4=";
+
+/* COMODO ECC Certification Authority */
+static const char kCOMODO_ECC_Certification_AuthorityFingerprint[] =
+ "58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU=";
+
+/* COMODO RSA Certification Authority */
+static const char kCOMODO_RSA_Certification_AuthorityFingerprint[] =
+ "grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=";
+
+/* Comodo AAA Services root */
+static const char kComodo_AAA_Services_rootFingerprint[] =
+ "vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM=";
+
+/* DigiCert Assured ID Root CA */
+static const char kDigiCert_Assured_ID_Root_CAFingerprint[] =
+ "I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o=";
+
+/* DigiCert Assured ID Root G2 */
+static const char kDigiCert_Assured_ID_Root_G2Fingerprint[] =
+ "8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik=";
+
+/* DigiCert Assured ID Root G3 */
+static const char kDigiCert_Assured_ID_Root_G3Fingerprint[] =
+ "Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw=";
+
+/* DigiCert Global Root CA */
+static const char kDigiCert_Global_Root_CAFingerprint[] =
+ "r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
+
+/* DigiCert Global Root G2 */
+static const char kDigiCert_Global_Root_G2Fingerprint[] =
+ "i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=";
+
+/* DigiCert Global Root G3 */
+static const char kDigiCert_Global_Root_G3Fingerprint[] =
+ "uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc=";
+
+/* DigiCert High Assurance EV Root CA */
+static const char kDigiCert_High_Assurance_EV_Root_CAFingerprint[] =
+ "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
+
+/* DigiCert TLS ECC P384 Root G5 */
+static const char kDigiCert_TLS_ECC_P384_Root_G5Fingerprint[] =
+ "oC+voZLIy4HLE0FVT5wFtxzKKokLDRKY1oNkfJYe+98=";
+
+/* DigiCert TLS RSA4096 Root G5 */
+static const char kDigiCert_TLS_RSA4096_Root_G5Fingerprint[] =
+ "ape1HIIZ6T5d7GS61YBs3rD4NVvkfnVwELcCRW4Bqv0=";
+
+/* DigiCert Trusted Root G4 */
+static const char kDigiCert_Trusted_Root_G4Fingerprint[] =
+ "Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw=";
+
+/* End Entity Test Cert */
+static const char kEnd_Entity_Test_CertFingerprint[] =
+ "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
+
+/* Entrust Root Certification Authority */
+static const char kEntrust_Root_Certification_AuthorityFingerprint[] =
+ "bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU=";
+
+/* Entrust Root Certification Authority - EC1 */
+static const char kEntrust_Root_Certification_Authority___EC1Fingerprint[] =
+ "/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI=";
+
+/* Entrust Root Certification Authority - G2 */
+static const char kEntrust_Root_Certification_Authority___G2Fingerprint[] =
+ "du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U=";
+
+/* Entrust.net Premium 2048 Secure Server CA */
+static const char kEntrust_net_Premium_2048_Secure_Server_CAFingerprint[] =
+ "HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg=";
+
+/* FacebookBackup */
+static const char kFacebookBackupFingerprint[] =
+ "q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ=";
+
+/* GOOGLE_PIN_DigiCertECCSecureServerCA */
+static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] =
+ "PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=";
+
+/* GOOGLE_PIN_R3LetsEncrypt */
+static const char kGOOGLE_PIN_R3LetsEncryptFingerprint[] =
+ "jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=";
+
+/* GOOGLE_PIN_R4LetsEncrypt */
+static const char kGOOGLE_PIN_R4LetsEncryptFingerprint[] =
+ "5VReIRNHJBiRxVSgOTTN6bdJZkpZ0m1hX+WPd5kPLQM=";
+
+/* GOOGLE_PIN_RapidSSL */
+static const char kGOOGLE_PIN_RapidSSLFingerprint[] =
+ "lT09gPUeQfbYrlxRtpsHrjDblj9Rpz+u7ajfCrg4qDM=";
+
+/* GOOGLE_PIN_SymantecClass3EVG3 */
+static const char kGOOGLE_PIN_SymantecClass3EVG3Fingerprint[] =
+ "gMxWOrX4PMQesK9qFNbYBxjBfjUvlkn/vN1n+L9lE5E=";
+
+/* GTS Root R1 */
+static const char kGTS_Root_R1Fingerprint[] =
+ "hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=";
+
+/* GTS Root R2 */
+static const char kGTS_Root_R2Fingerprint[] =
+ "Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=";
+
+/* GTS Root R3 */
+static const char kGTS_Root_R3Fingerprint[] =
+ "QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=";
+
+/* GTS Root R4 */
+static const char kGTS_Root_R4Fingerprint[] =
+ "mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=";
+
+/* GlobalSign ECC Root CA - R4 */
+static const char kGlobalSign_ECC_Root_CA___R4Fingerprint[] =
+ "CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=";
+
+/* GlobalSign ECC Root CA - R5 */
+static const char kGlobalSign_ECC_Root_CA___R5Fingerprint[] =
+ "fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8=";
+
+/* GlobalSign Root CA */
+static const char kGlobalSign_Root_CAFingerprint[] =
+ "K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=";
+
+/* GlobalSign Root CA - R3 */
+static const char kGlobalSign_Root_CA___R3Fingerprint[] =
+ "cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A=";
+
+/* GlobalSign Root CA - R6 */
+static const char kGlobalSign_Root_CA___R6Fingerprint[] =
+ "aCdH+LpiG4fN07wpXtXKvOciocDANj0daLOJKNJ4fx4=";
+
+/* GlobalSign Root R46 */
+static const char kGlobalSign_Root_R46Fingerprint[] =
+ "rn+WLLnmp9v3uDP7GPqbcaiRdd+UnCMrap73yz3yu/w=";
+
+/* Go Daddy Class 2 CA */
+static const char kGo_Daddy_Class_2_CAFingerprint[] =
+ "VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=";
+
+/* Go Daddy Root Certificate Authority - G2 */
+static const char kGo_Daddy_Root_Certificate_Authority___G2Fingerprint[] =
+ "Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA=";
+
+/* GoogleBackup2048 */
+static const char kGoogleBackup2048Fingerprint[] =
+ "IPMbDAjLVSGntGO3WP53X/zilCVndez5YJ2+vJvhJsA=";
+
+/* ISRG Root X1 */
+static const char kISRG_Root_X1Fingerprint[] =
+ "C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=";
+
+/* ISRG Root X2 */
+static const char kISRG_Root_X2Fingerprint[] =
+ "diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI=";
+
+/* Let's Encrypt Authority X3 */
+static const char kLet_s_Encrypt_Authority_X3Fingerprint[] =
+ "YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
+
+/* Let's Encrypt Authority X4 */
+static const char kLet_s_Encrypt_Authority_X4Fingerprint[] =
+ "sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";
+
+/* Starfield Class 2 CA */
+static const char kStarfield_Class_2_CAFingerprint[] =
+ "FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ=";
+
+/* Starfield Root Certificate Authority - G2 */
+static const char kStarfield_Root_Certificate_Authority___G2Fingerprint[] =
+ "gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ=";
+
+/* TestSPKI */
+static const char kTestSPKIFingerprint[] =
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+
+/* Tor1 */
+static const char kTor1Fingerprint[] =
+ "bYz9JTDk89X3qu3fgswG+lBQso5vI0N1f0Rx4go4nLo=";
+
+/* Tor2 */
+static const char kTor2Fingerprint[] =
+ "xXCxhTdn7uxXneJSbQCqoAvuW3ZtQl2pDVTf2sewS8w=";
+
+/* Tor3 */
+static const char kTor3Fingerprint[] =
+ "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo=";
+
+/* USERTrust ECC Certification Authority */
+static const char kUSERTrust_ECC_Certification_AuthorityFingerprint[] =
+ "ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs=";
+
+/* USERTrust RSA Certification Authority */
+static const char kUSERTrust_RSA_Certification_AuthorityFingerprint[] =
+ "x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=";
+
+/* Pinsets are each an ordered list by the actual value of the fingerprint */
+struct StaticFingerprints {
+ // See bug 1338873 about making these fields const.
+ size_t size;
+ const char* const* data;
+};
+
+/* PreloadedHPKPins.json pinsets */
+static const char* const kPinset_google_root_pems_Data[] = {
+ kEntrust_Root_Certification_Authority___EC1Fingerprint,
+ kCOMODO_ECC_Certification_AuthorityFingerprint,
+ kDigiCert_Assured_ID_Root_G2Fingerprint,
+ kCOMODO_Certification_AuthorityFingerprint,
+ kGlobalSign_ECC_Root_CA___R4Fingerprint,
+ kDigiCert_Assured_ID_Root_G3Fingerprint,
+ kStarfield_Class_2_CAFingerprint,
+ kEntrust_net_Premium_2048_Secure_Server_CAFingerprint,
+ kDigiCert_Assured_ID_Root_CAFingerprint,
+ kUSERTrust_ECC_Certification_AuthorityFingerprint,
+ kGlobalSign_Root_CAFingerprint,
+ kGo_Daddy_Root_Certificate_Authority___G2Fingerprint,
+ kAffirmTrust_Premium_ECCFingerprint,
+ kGTS_Root_R3Fingerprint,
+ kGTS_Root_R2Fingerprint,
+ kGo_Daddy_Class_2_CAFingerprint,
+ kDigiCert_Trusted_Root_G4Fingerprint,
+ kDigiCert_High_Assurance_EV_Root_CAFingerprint,
+ kBaltimore_CyberTrust_RootFingerprint,
+ kGlobalSign_Root_CA___R6Fingerprint,
+ kAffirmTrust_CommercialFingerprint,
+ kEntrust_Root_Certification_AuthorityFingerprint,
+ kGlobalSign_Root_CA___R3Fingerprint,
+ kEntrust_Root_Certification_Authority___G2Fingerprint,
+ kGlobalSign_ECC_Root_CA___R5Fingerprint,
+ kStarfield_Root_Certificate_Authority___G2Fingerprint,
+ kCOMODO_RSA_Certification_AuthorityFingerprint,
+ kGTS_Root_R1Fingerprint,
+ kDigiCert_Global_Root_G2Fingerprint,
+ kAffirmTrust_NetworkingFingerprint,
+ kGTS_Root_R4Fingerprint,
+ kDigiCert_Global_Root_CAFingerprint,
+ kDigiCert_Global_Root_G3Fingerprint,
+ kComodo_AAA_Services_rootFingerprint,
+ kAffirmTrust_PremiumFingerprint,
+ kUSERTrust_RSA_Certification_AuthorityFingerprint,
+};
+static const StaticFingerprints kPinset_google_root_pems = {
+ sizeof(kPinset_google_root_pems_Data) / sizeof(const char*),
+ kPinset_google_root_pems_Data
+};
+
+static const char* const kPinset_mozilla_services_Data[] = {
+ kISRG_Root_X1Fingerprint,
+ kDigiCert_High_Assurance_EV_Root_CAFingerprint,
+ kDigiCert_TLS_RSA4096_Root_G5Fingerprint,
+ kDigiCert_Global_Root_G2Fingerprint,
+ kDigiCert_TLS_ECC_P384_Root_G5Fingerprint,
+ kDigiCert_Global_Root_CAFingerprint,
+};
+static const StaticFingerprints kPinset_mozilla_services = {
+ sizeof(kPinset_mozilla_services_Data) / sizeof(const char*),
+ kPinset_mozilla_services_Data
+};
+
+static const char* const kPinset_mozilla_test_Data[] = {
+ kEnd_Entity_Test_CertFingerprint,
+};
+static const StaticFingerprints kPinset_mozilla_test = {
+ sizeof(kPinset_mozilla_test_Data) / sizeof(const char*),
+ kPinset_mozilla_test_Data
+};
+
+/* Chrome static pinsets */
+static const char* const kPinset_test_Data[] = {
+ kTestSPKIFingerprint,
+};
+static const StaticFingerprints kPinset_test = {
+ sizeof(kPinset_test_Data) / sizeof(const char*),
+ kPinset_test_Data
+};
+
+static const char* const kPinset_google_Data[] = {
+ kGlobalSign_ECC_Root_CA___R4Fingerprint,
+ kGoogleBackup2048Fingerprint,
+ kGTS_Root_R3Fingerprint,
+ kGTS_Root_R2Fingerprint,
+ kGTS_Root_R1Fingerprint,
+ kGTS_Root_R4Fingerprint,
+};
+static const StaticFingerprints kPinset_google = {
+ sizeof(kPinset_google_Data) / sizeof(const char*),
+ kPinset_google_Data
+};
+
+static const char* const kPinset_tor_Data[] = {
+ kGOOGLE_PIN_R4LetsEncryptFingerprint,
+ kTor3Fingerprint,
+ kDigiCert_High_Assurance_EV_Root_CAFingerprint,
+ kLet_s_Encrypt_Authority_X3Fingerprint,
+ kTor1Fingerprint,
+ kGOOGLE_PIN_R3LetsEncryptFingerprint,
+ kGOOGLE_PIN_RapidSSLFingerprint,
+ kLet_s_Encrypt_Authority_X4Fingerprint,
+ kTor2Fingerprint,
+};
+static const StaticFingerprints kPinset_tor = {
+ sizeof(kPinset_tor_Data) / sizeof(const char*),
+ kPinset_tor_Data
+};
+
+static const char* const kPinset_facebook_Data[] = {
+ kCOMODO_ECC_Certification_AuthorityFingerprint,
+ kISRG_Root_X1Fingerprint,
+ kUSERTrust_ECC_Certification_AuthorityFingerprint,
+ kGlobalSign_Root_CAFingerprint,
+ kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint,
+ kDigiCert_Trusted_Root_G4Fingerprint,
+ kDigiCert_High_Assurance_EV_Root_CAFingerprint,
+ kGlobalSign_Root_CA___R6Fingerprint,
+ kDigiCert_TLS_RSA4096_Root_G5Fingerprint,
+ kGlobalSign_Root_CA___R3Fingerprint,
+ kISRG_Root_X2Fingerprint,
+ kGOOGLE_PIN_SymantecClass3EVG3Fingerprint,
+ kCOMODO_RSA_Certification_AuthorityFingerprint,
+ kDigiCert_Global_Root_G2Fingerprint,
+ kDigiCert_TLS_ECC_P384_Root_G5Fingerprint,
+ kFacebookBackupFingerprint,
+ kDigiCert_Global_Root_CAFingerprint,
+ kGlobalSign_Root_R46Fingerprint,
+ kDigiCert_Global_Root_G3Fingerprint,
+ kUSERTrust_RSA_Certification_AuthorityFingerprint,
+};
+static const StaticFingerprints kPinset_facebook = {
+ sizeof(kPinset_facebook_Data) / sizeof(const char*),
+ kPinset_facebook_Data
+};
+
+/* Domainlist */
+struct TransportSecurityPreload {
+ // See bug 1338873 about making these fields const.
+ const char* mHost;
+ bool mIncludeSubdomains;
+ bool mTestMode;
+ bool mIsMoz;
+ int32_t mId;
+ const StaticFingerprints* pinset;
+};
+
+/* Sort hostnames for binary search. */
+static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "2mdn.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "accounts.firefox.com", true, false, true, 4, &kPinset_mozilla_services },
+ { "accounts.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla_services },
+ { "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla_services },
+ { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "android.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services },
+ { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services },
+ { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services },
+ { "blog.torproject.org", true, false, false, -1, &kPinset_tor },
+ { "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "business.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "cdn.ampproject.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "cdn.mozilla.net", true, false, true, 16, &kPinset_mozilla_services },
+ { "cdn.mozilla.org", true, false, true, 17, &kPinset_mozilla_services },
+ { "check.torproject.org", true, false, false, -1, &kPinset_tor },
+ { "checkout.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "chrome.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "chrome.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "chromereporting-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "chromiumbugs.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "chromiumcodereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "classroom.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "cloud.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "code.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "code.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "codereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "codereview.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "contributor.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "corp.goog", true, false, false, -1, &kPinset_google_root_pems },
+ { "crash-reports-xpsp2.mozilla.com", false, false, true, 11, &kPinset_mozilla_services },
+ { "crash-reports.mozilla.com", false, false, true, 10, &kPinset_mozilla_services },
+ { "crash-stats.mozilla.org", false, false, true, 12, &kPinset_mozilla_services },
+ { "crbug.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "crosbug.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "crrev.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "dist.torproject.org", true, false, false, -1, &kPinset_tor },
+ { "dl.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "dns.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "docs.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "domains.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "doubleclick.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "download.mozilla.org", false, false, true, 14, &kPinset_mozilla_services },
+ { "drive.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "encrypted.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "example.test", true, true, false, -1, &kPinset_test },
+ { "exclude-subdomains.pinning.example.com", false, false, false, -1, &kPinset_mozilla_test },
+ { "facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "fi.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "firebaseio.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "firefox.com", true, true, true, 15, &kPinset_mozilla_services },
+ { "g.co", false, false, false, -1, &kPinset_google_root_pems },
+ { "g4w.co", true, false, false, -1, &kPinset_google_root_pems },
+ { "ggpht.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "glass.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "gmail.com", false, false, false, -1, &kPinset_google_root_pems },
+ { "goo.gl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google", true, false, false, -1, &kPinset_google_root_pems },
+ { "google-analytics.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ac", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ad", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ae", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.af", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ag", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.am", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.as", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.at", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.az", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ba", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.be", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.bf", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.bg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.bi", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.bj", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.bs", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.by", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ca", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cat", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cc", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cd", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cf", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ch", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ci", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.ao", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.bw", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.ck", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.cr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.hu", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.id", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.il", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.im", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.in", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.je", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.jp", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.ke", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.kr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.ls", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.ma", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.mz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.nz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.th", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.tz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.ug", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.uk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.uz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.ve", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.vi", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.za", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.zm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.co.zw", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.af", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ag", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ai", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ar", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.au", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.bd", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.bh", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.bn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.bo", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.br", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.by", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.bz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.cn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.co", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.cu", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.cy", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.do", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ec", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.eg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.et", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.fj", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ge", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.gh", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.gi", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.gr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.gt", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.hk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.iq", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.jm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.jo", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.kh", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.kw", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.lb", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ly", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.mt", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.mx", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.my", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.na", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.nf", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ng", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ni", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.np", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.nr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.om", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.pa", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.pe", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ph", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.pk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.pl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.pr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.py", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.qa", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ru", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.sa", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.sb", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.sg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.sl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.sv", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.tj", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.tn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.tr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.tw", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ua", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.uy", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.vc", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.ve", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.com.vn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cv", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.cz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.de", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.dj", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.dk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.dm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.dz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ee", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.es", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.fi", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.fm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.fr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ga", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ge", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.gg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.gl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.gm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.gp", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.gr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.gy", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.hk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.hn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.hr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ht", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.hu", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ie", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.im", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.info", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.iq", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.is", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.it", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.it.ao", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.je", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.jo", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.jobs", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.jp", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.kg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ki", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.kz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.la", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.li", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.lk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.lt", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.lu", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.lv", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.md", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.me", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.mg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.mk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ml", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.mn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ms", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.mu", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.mv", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.mw", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ne", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ne.jp", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.nl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.no", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.nr", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.nu", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.off.ai", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.pk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.pl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.pn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ps", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.pt", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ro", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.rs", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ru", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.rw", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.sc", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.se", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.sh", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.si", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.sk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.sm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.sn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.so", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.st", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.td", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.tg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.tk", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.tl", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.tm", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.tn", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.to", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.tt", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ua", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.us", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.uz", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.vg", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.vu", true, false, false, -1, &kPinset_google_root_pems },
+ { "google.ws", true, false, false, -1, &kPinset_google_root_pems },
+ { "googleadservices.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlecode.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlecommerce.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlegroups.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
+ { "googleplex.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlesource.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlesyndication.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googletagmanager.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googletagservices.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googleusercontent.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlevideo.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googleweblight.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "goto.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "groups.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "gstatic.cn", true, false, false, -1, &kPinset_google_root_pems },
+ { "gstatic.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "gvt1.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "gvt2.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "gvt3.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "hangout", true, false, false, -1, &kPinset_google_root_pems },
+ { "hangouts.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "history.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "hostedtalkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "inbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "include-subdomains.pinning.example.com", true, false, false, -1, &kPinset_mozilla_test },
+ { "lens.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "login.corp.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "m.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "mail-settings.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "mail.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "market.android.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "messenger.com", true, false, false, -1, &kPinset_facebook },
+ { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
+ { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
+ { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "profiles.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "remotedesktop.corp.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "research.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "script.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "secure.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "security.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "services.mozilla.com", true, false, true, 6, &kPinset_mozilla_services },
+ { "sites.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "spreadsheets.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "static.googleadsserving.cn", true, false, false, -1, &kPinset_google_root_pems },
+ { "stats.g.doubleclick.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "sync.services.mozilla.com", true, false, true, 13, &kPinset_mozilla_services },
+ { "t.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "tablet.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "talk.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "talkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "telemetry.mozilla.org", true, true, true, 8, &kPinset_mozilla_services },
+ { "test-mode.pinning.example.com", true, true, false, -1, &kPinset_mozilla_test },
+ { "testpilot.firefox.com", false, false, true, 9, &kPinset_mozilla_services },
+ { "torproject.org", false, false, false, -1, &kPinset_tor },
+ { "touch.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "translate.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "tunnel-staging.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "upload.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "urchin.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "w-spotlight.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wallet.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "webfilings-eu-mirror.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "webfilings-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "webfilings-mirror-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "webfilings.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-bigsky-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-demo-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-demo-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-dogfood-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-pentest.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-staging-hr.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-training-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-training-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "wf-trial-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "withgoogle.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "withyoutube.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "www.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "www.g.co", false, false, false, -1, &kPinset_google_root_pems },
+ { "www.gmail.com", false, false, false, -1, &kPinset_google_root_pems },
+ { "www.googlegroups.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
+ { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
+ { "www.torproject.org", true, false, false, -1, &kPinset_tor },
+ { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "youtu.be", true, false, false, -1, &kPinset_google_root_pems },
+ { "youtube-nocookie.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "youtube.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "ytimg.com", true, false, false, -1, &kPinset_google_root_pems },
+};
+
+// Pinning Preload List Length = 397;
+
+static const int32_t kUnknownId = -1;
+
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1718621549468000);
diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp
new file mode 100644
index 0000000000..05636c83e9
--- /dev/null
+++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp
@@ -0,0 +1,1050 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Implements the client authentication certificate selection callback for NSS.
+// nsNSSIOLayer.cpp sets the callback by calling SSL_GetClientAuthDataHook and
+// identifying SSLGetClientAuthDataHook as the function to call when a TLS
+// server requests a client authentication certificate.
+//
+// In the general case, SSLGetClientAuthDataHook (running on the socket thread),
+// dispatches an event to the main thread to ask the user to select a client
+// authentication certificate. Meanwhile, it returns SECWouldBlock so that other
+// network I/O can occur. When the user selects a client certificate (or opts
+// not to send one), an event is dispatched to the socket thread that gives NSS
+// the appropriate information to proceed with the TLS connection.
+//
+// If networking is being done on the socket process, SSLGetClientAuthDataHook
+// sends an IPC call to the parent process to ask the user to select a
+// certificate. Meanwhile, it again returns SECWouldBlock so other network I/O
+// can occur. When a certificate (or no certificate) has been selected, the
+// parent process sends an IPC call back to the socket process, which causes an
+// event to be dispatched to the socket thread to continue to the TLS
+// connection.
+
+#include "TLSClientAuthCertSelection.h"
+#include "cert_storage/src/cert_storage.h"
+#include "mozilla/Logging.h"
+#include "mozilla/dom/BrowsingContext.h"
+#include "mozilla/ipc/Endpoint.h"
+#include "mozilla/net/SocketProcessBackgroundChild.h"
+#include "mozilla/psm/SelectTLSClientAuthCertChild.h"
+#include "mozilla/psm/SelectTLSClientAuthCertParent.h"
+#include "nsArray.h"
+#include "nsArrayUtils.h"
+#include "nsNSSComponent.h"
+#include "nsIClientAuthDialogService.h"
+#include "nsIMutableArray.h"
+#include "nsINSSComponent.h"
+#include "NSSCertDBTrustDomain.h"
+#include "nsIClientAuthRememberService.h"
+#include "nsIX509CertDB.h"
+#include "nsNSSHelper.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixutil.h"
+#include "mozpkix/pkix.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::psm;
+
+extern LazyLogModule gPIPNSSLog;
+
+mozilla::pkix::Result BuildChainForCertificate(
+ nsTArray<uint8_t>& certBytes, nsTArray<nsTArray<uint8_t>>& certChainBytes,
+ const nsTArray<nsTArray<uint8_t>>& caNames,
+ const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates);
+
+// Possible behaviors for choosing a cert for client auth.
+enum class UserCertChoice {
+ // Ask the user to choose a cert.
+ Ask = 0,
+ // Automatically choose a cert.
+ Auto = 1,
+};
+
+// Returns the most appropriate user cert choice based on the value of the
+// security.default_personal_cert preference.
+UserCertChoice nsGetUserCertChoice() {
+ nsAutoCString value;
+ nsresult rv =
+ Preferences::GetCString("security.default_personal_cert", value);
+ if (NS_FAILED(rv)) {
+ return UserCertChoice::Ask;
+ }
+
+ // There are three cases for what the preference could be set to:
+ // 1. "Select Automatically" -> Auto.
+ // 2. "Ask Every Time" -> Ask.
+ // 3. Something else -> Ask. This might be a nickname from a migrated cert,
+ // but we no longer support this case.
+ return value.EqualsLiteral("Select Automatically") ? UserCertChoice::Auto
+ : UserCertChoice::Ask;
+}
+
+static bool hasExplicitKeyUsageNonRepudiation(CERTCertificate* cert) {
+ // There is no extension, v1 or v2 certificate
+ if (!cert->extensions) return false;
+
+ SECStatus srv;
+ SECItem keyUsageItem;
+ keyUsageItem.data = nullptr;
+
+ srv = CERT_FindKeyUsageExtension(cert, &keyUsageItem);
+ if (srv == SECFailure) return false;
+
+ unsigned char keyUsage = keyUsageItem.data[0];
+ PORT_Free(keyUsageItem.data);
+
+ return !!(keyUsage & KU_NON_REPUDIATION);
+}
+
+ClientAuthInfo::ClientAuthInfo(const nsACString& hostName,
+ const OriginAttributes& originAttributes,
+ int32_t port, uint32_t providerFlags,
+ uint32_t providerTlsFlags)
+ : mHostName(hostName),
+ mOriginAttributes(originAttributes),
+ mPort(port),
+ mProviderFlags(providerFlags),
+ mProviderTlsFlags(providerTlsFlags) {}
+
+ClientAuthInfo::ClientAuthInfo(ClientAuthInfo&& aOther) noexcept
+ : mHostName(std::move(aOther.mHostName)),
+ mOriginAttributes(std::move(aOther.mOriginAttributes)),
+ mPort(aOther.mPort),
+ mProviderFlags(aOther.mProviderFlags),
+ mProviderTlsFlags(aOther.mProviderTlsFlags) {}
+
+const nsACString& ClientAuthInfo::HostName() const { return mHostName; }
+
+const OriginAttributes& ClientAuthInfo::OriginAttributesRef() const {
+ return mOriginAttributes;
+}
+
+int32_t ClientAuthInfo::Port() const { return mPort; }
+
+uint32_t ClientAuthInfo::ProviderFlags() const { return mProviderFlags; }
+
+uint32_t ClientAuthInfo::ProviderTlsFlags() const { return mProviderTlsFlags; }
+
+nsTArray<nsTArray<uint8_t>> CollectCANames(CERTDistNames* caNames) {
+ MOZ_ASSERT(caNames);
+
+ nsTArray<nsTArray<uint8_t>> collectedCANames;
+ if (!caNames) {
+ return collectedCANames;
+ }
+
+ for (int i = 0; i < caNames->nnames; i++) {
+ nsTArray<uint8_t> caName;
+ caName.AppendElements(caNames->names[i].data, caNames->names[i].len);
+ collectedCANames.AppendElement(std::move(caName));
+ }
+ return collectedCANames;
+}
+
+// This TrustDomain only exists to facilitate the mozilla::pkix path building
+// algorithm. It considers any certificate with an issuer distinguished name in
+// the set of given CA names to be a trust anchor. It does essentially no
+// validation or verification (in particular, the signature checking function
+// always returns "Success").
+class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
+ public:
+ ClientAuthCertNonverifyingTrustDomain(
+ const nsTArray<nsTArray<uint8_t>>& caNames,
+ const nsTArray<nsTArray<uint8_t>>& thirdPartyCertificates)
+ : mCANames(caNames),
+ mCertStorage(do_GetService(NS_CERT_STORAGE_CID)),
+ mThirdPartyCertificates(thirdPartyCertificates) {}
+
+ virtual mozilla::pkix::Result GetCertTrust(
+ pkix::EndEntityOrCA endEntityOrCA, const pkix::CertPolicyId& policy,
+ pkix::Input candidateCertDER,
+ /*out*/ pkix::TrustLevel& trustLevel) override;
+ virtual mozilla::pkix::Result FindIssuer(pkix::Input encodedIssuerName,
+ IssuerChecker& checker,
+ pkix::Time time) override;
+
+ virtual mozilla::pkix::Result CheckRevocation(
+ EndEntityOrCA endEntityOrCA, const pkix::CertID& certID, Time time,
+ mozilla::pkix::Duration validityDuration,
+ /*optional*/ const Input* stapledOCSPresponse,
+ /*optional*/ const Input* aiaExtension,
+ /*optional*/ const Input* sctExtension) override {
+ return pkix::Success;
+ }
+
+ virtual mozilla::pkix::Result IsChainValid(
+ const pkix::DERArray& certChain, pkix::Time time,
+ const pkix::CertPolicyId& requiredPolicy) override;
+
+ virtual mozilla::pkix::Result CheckSignatureDigestAlgorithm(
+ pkix::DigestAlgorithm digestAlg, pkix::EndEntityOrCA endEntityOrCA,
+ pkix::Time notBefore) override {
+ return pkix::Success;
+ }
+ virtual mozilla::pkix::Result CheckRSAPublicKeyModulusSizeInBits(
+ pkix::EndEntityOrCA endEntityOrCA,
+ unsigned int modulusSizeInBits) override {
+ return pkix::Success;
+ }
+ virtual mozilla::pkix::Result VerifyRSAPKCS1SignedData(
+ pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature,
+ pkix::Input subjectPublicKeyInfo) override {
+ return pkix::Success;
+ }
+ virtual mozilla::pkix::Result VerifyRSAPSSSignedData(
+ pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature,
+ pkix::Input subjectPublicKeyInfo) override {
+ return pkix::Success;
+ }
+ virtual mozilla::pkix::Result CheckECDSACurveIsAcceptable(
+ pkix::EndEntityOrCA endEntityOrCA, pkix::NamedCurve curve) override {
+ return pkix::Success;
+ }
+ virtual mozilla::pkix::Result VerifyECDSASignedData(
+ pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature,
+ pkix::Input subjectPublicKeyInfo) override {
+ return pkix::Success;
+ }
+ virtual mozilla::pkix::Result CheckValidityIsAcceptable(
+ pkix::Time notBefore, pkix::Time notAfter,
+ pkix::EndEntityOrCA endEntityOrCA,
+ pkix::KeyPurposeId keyPurpose) override {
+ return pkix::Success;
+ }
+ virtual mozilla::pkix::Result NetscapeStepUpMatchesServerAuth(
+ pkix::Time notBefore,
+ /*out*/ bool& matches) override {
+ matches = true;
+ return pkix::Success;
+ }
+ virtual void NoteAuxiliaryExtension(pkix::AuxiliaryExtension extension,
+ pkix::Input extensionData) override {}
+ virtual mozilla::pkix::Result DigestBuf(pkix::Input item,
+ pkix::DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf,
+ size_t digestBufLen) override {
+ return pkix::DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
+ }
+
+ nsTArray<nsTArray<uint8_t>> TakeBuiltChain() {
+ return std::move(mBuiltChain);
+ }
+
+ private:
+ const nsTArray<nsTArray<uint8_t>>& mCANames; // non-owning
+ nsCOMPtr<nsICertStorage> mCertStorage;
+ const nsTArray<nsTArray<uint8_t>>& mThirdPartyCertificates; // non-owning
+ nsTArray<nsTArray<uint8_t>> mBuiltChain;
+};
+
+mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::GetCertTrust(
+ pkix::EndEntityOrCA endEntityOrCA, const pkix::CertPolicyId& policy,
+ pkix::Input candidateCertDER,
+ /*out*/ pkix::TrustLevel& trustLevel) {
+ // If the server did not specify any CA names, all client certificates are
+ // acceptable.
+ if (mCANames.Length() == 0) {
+ trustLevel = pkix::TrustLevel::TrustAnchor;
+ return pkix::Success;
+ }
+ BackCert cert(candidateCertDER, endEntityOrCA, nullptr);
+ mozilla::pkix::Result rv = cert.Init();
+ if (rv != pkix::Success) {
+ return rv;
+ }
+ // If this certificate's issuer distinguished name is in the set of acceptable
+ // CA names, we say this is a trust anchor so that the client certificate
+ // issued from this certificate will be presented as an option for the user.
+ // We also check the certificate's subject distinguished name to account for
+ // the case where client certificates that have the id-kp-OCSPSigning EKU
+ // can't be trust anchors according to mozilla::pkix, and thus we may be
+ // looking directly at the issuer.
+ pkix::Input issuer(cert.GetIssuer());
+ pkix::Input subject(cert.GetSubject());
+ for (const auto& caName : mCANames) {
+ pkix::Input caNameInput;
+ rv = caNameInput.Init(caName.Elements(), caName.Length());
+ if (rv != pkix::Success) {
+ continue; // probably too big
+ }
+ if (InputsAreEqual(issuer, caNameInput) ||
+ InputsAreEqual(subject, caNameInput)) {
+ trustLevel = pkix::TrustLevel::TrustAnchor;
+ return pkix::Success;
+ }
+ }
+ trustLevel = pkix::TrustLevel::InheritsTrust;
+ return pkix::Success;
+}
+
+// In theory this implementation should only need to consider intermediate
+// certificates, since in theory it should only need to look at the issuer
+// distinguished name of each certificate to determine if the client
+// certificate is considered acceptable to the server.
+// However, because we need to account for client certificates with the
+// id-kp-OCSPSigning EKU, and because mozilla::pkix doesn't allow such
+// certificates to be trust anchors, we need to consider the issuers of such
+// certificates directly. These issuers could be roots, so we have to consider
+// roots here.
+mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::FindIssuer(
+ pkix::Input encodedIssuerName, IssuerChecker& checker, pkix::Time time) {
+ // First try all relevant certificates known to Gecko, which avoids calling
+ // CERT_CreateSubjectCertList, because that can be expensive.
+ Vector<pkix::Input> geckoCandidates;
+ if (!mCertStorage) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ nsTArray<uint8_t> subject;
+ subject.AppendElements(encodedIssuerName.UnsafeGetData(),
+ encodedIssuerName.GetLength());
+ nsTArray<nsTArray<uint8_t>> certs;
+ nsresult rv = mCertStorage->FindCertsBySubject(subject, certs);
+ if (NS_FAILED(rv)) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ for (auto& cert : certs) {
+ pkix::Input certDER;
+ mozilla::pkix::Result rv = certDER.Init(cert.Elements(), cert.Length());
+ if (rv != pkix::Success) {
+ continue; // probably too big
+ }
+ if (!geckoCandidates.append(certDER)) {
+ return mozilla::pkix::Result::FATAL_ERROR_NO_MEMORY;
+ }
+ }
+
+ for (const auto& thirdPartyCertificate : mThirdPartyCertificates) {
+ pkix::Input thirdPartyCertificateInput;
+ mozilla::pkix::Result rv = thirdPartyCertificateInput.Init(
+ thirdPartyCertificate.Elements(), thirdPartyCertificate.Length());
+ if (rv != pkix::Success) {
+ continue; // probably too big
+ }
+ if (!geckoCandidates.append(thirdPartyCertificateInput)) {
+ return mozilla::pkix::Result::FATAL_ERROR_NO_MEMORY;
+ }
+ }
+
+ bool keepGoing = true;
+ for (pkix::Input candidate : geckoCandidates) {
+ mozilla::pkix::Result rv = checker.Check(candidate, nullptr, keepGoing);
+ if (rv != pkix::Success) {
+ return rv;
+ }
+ if (!keepGoing) {
+ return pkix::Success;
+ }
+ }
+
+ SECItem encodedIssuerNameItem =
+ pkix::UnsafeMapInputToSECItem(encodedIssuerName);
+ // NSS seems not to differentiate between "no potential issuers found" and
+ // "there was an error trying to retrieve the potential issuers." We assume
+ // there was no error if CERT_CreateSubjectCertList returns nullptr.
+ UniqueCERTCertList candidates(CERT_CreateSubjectCertList(
+ nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameItem, 0, false));
+ Vector<pkix::Input> nssCandidates;
+ if (candidates) {
+ for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
+ !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
+ pkix::Input certDER;
+ mozilla::pkix::Result rv =
+ certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
+ if (rv != pkix::Success) {
+ continue; // probably too big
+ }
+ if (!nssCandidates.append(certDER)) {
+ return mozilla::pkix::Result::FATAL_ERROR_NO_MEMORY;
+ }
+ }
+ }
+
+ for (pkix::Input candidate : nssCandidates) {
+ mozilla::pkix::Result rv = checker.Check(candidate, nullptr, keepGoing);
+ if (rv != pkix::Success) {
+ return rv;
+ }
+ if (!keepGoing) {
+ return pkix::Success;
+ }
+ }
+ return pkix::Success;
+}
+
+mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::IsChainValid(
+ const pkix::DERArray& certArray, pkix::Time, const pkix::CertPolicyId&) {
+ mBuiltChain.Clear();
+
+ size_t numCerts = certArray.GetLength();
+ for (size_t i = 0; i < numCerts; ++i) {
+ nsTArray<uint8_t> certBytes;
+ const pkix::Input* certInput = certArray.GetDER(i);
+ MOZ_ASSERT(certInput != nullptr);
+ if (!certInput) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ certBytes.AppendElements(certInput->UnsafeGetData(),
+ certInput->GetLength());
+ mBuiltChain.AppendElement(std::move(certBytes));
+ }
+
+ return pkix::Success;
+}
+
+nsTArray<nsTArray<uint8_t>> GetEnterpriseCertificates() {
+ nsTArray<nsTArray<uint8_t>> enterpriseCertificates;
+ nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (!component) {
+ return nsTArray<nsTArray<uint8_t>>{};
+ }
+ nsresult rv = component->GetEnterpriseIntermediates(enterpriseCertificates);
+ if (NS_FAILED(rv)) {
+ return nsTArray<nsTArray<uint8_t>>{};
+ }
+ nsTArray<nsTArray<uint8_t>> enterpriseRoots;
+ rv = component->GetEnterpriseRoots(enterpriseRoots);
+ if (NS_FAILED(rv)) {
+ return nsTArray<nsTArray<uint8_t>>{};
+ }
+ enterpriseCertificates.AppendElements(std::move(enterpriseRoots));
+ return enterpriseCertificates;
+}
+
+bool FindRememberedDecision(
+ const ClientAuthInfo& clientAuthInfo,
+ const nsTArray<nsTArray<uint8_t>>& caNames,
+ const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates,
+ nsTArray<uint8_t>& rememberedCertBytes,
+ nsTArray<nsTArray<uint8_t>>& rememberedCertChainBytes) {
+ rememberedCertBytes.Clear();
+ rememberedCertChainBytes.Clear();
+
+ if (clientAuthInfo.ProviderTlsFlags() != 0) {
+ return false;
+ }
+
+ nsCOMPtr<nsIClientAuthRememberService> clientAuthRememberService(
+ do_GetService(NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID));
+ if (!clientAuthRememberService) {
+ return false;
+ }
+
+ nsCString rememberedDBKey;
+ bool found;
+ nsresult rv = clientAuthRememberService->HasRememberedDecision(
+ clientAuthInfo.HostName(), clientAuthInfo.OriginAttributesRef(),
+ rememberedDBKey, &found);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+ if (!found) {
+ return false;
+ }
+ // An empty dbKey indicates that the user chose not to use a certificate
+ // and chose to remember this decision
+ if (rememberedDBKey.IsEmpty()) {
+ return true;
+ }
+ nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID));
+ if (!certdb) {
+ return false;
+ }
+ nsCOMPtr<nsIX509Cert> foundCert;
+ rv = certdb->FindCertByDBKey(rememberedDBKey, getter_AddRefs(foundCert));
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+ if (!foundCert) {
+ return false;
+ }
+ rv = foundCert->GetRawDER(rememberedCertBytes);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+ if (BuildChainForCertificate(rememberedCertBytes, rememberedCertChainBytes,
+ caNames, enterpriseCertificates) != Success) {
+ return false;
+ }
+ return true;
+}
+
+// Filter potential client certificates by the specified CA names, if any. This
+// operation potentially builds a certificate chain for each candidate client
+// certificate. Keeping those chains around means they don't have to be
+// re-built later when the user selects a particular client certificate.
+void FilterPotentialClientCertificatesByCANames(
+ UniqueCERTCertList& potentialClientCertificates,
+ const nsTArray<nsTArray<uint8_t>>& caNames,
+ const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates,
+ nsTArray<nsTArray<nsTArray<uint8_t>>>& potentialClientCertificateChains) {
+ if (!potentialClientCertificates) {
+ return;
+ }
+
+ CERTCertListNode* n = CERT_LIST_HEAD(potentialClientCertificates);
+ while (!CERT_LIST_END(n, potentialClientCertificates)) {
+ nsTArray<nsTArray<uint8_t>> builtChain;
+ nsTArray<uint8_t> certBytes;
+ certBytes.AppendElements(n->cert->derCert.data, n->cert->derCert.len);
+ mozilla::pkix::Result result = BuildChainForCertificate(
+ certBytes, builtChain, caNames, enterpriseCertificates);
+ if (result != pkix::Success) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("removing cert '%s'", n->cert->subjectName));
+ CERTCertListNode* toRemove = n;
+ n = CERT_LIST_NEXT(n);
+ CERT_RemoveCertListNode(toRemove);
+ continue;
+ }
+ potentialClientCertificateChains.AppendElement(std::move(builtChain));
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("keeping cert '%s'\n", n->cert->subjectName));
+ n = CERT_LIST_NEXT(n);
+ }
+}
+
+void ClientAuthCertificateSelectedBase::SetSelectedClientAuthData(
+ nsTArray<uint8_t>&& selectedCertBytes,
+ nsTArray<nsTArray<uint8_t>>&& selectedCertChainBytes) {
+ mSelectedCertBytes = std::move(selectedCertBytes);
+ mSelectedCertChainBytes = std::move(selectedCertChainBytes);
+}
+
+NS_IMETHODIMP
+ClientAuthCertificateSelected::Run() {
+ mSocketInfo->ClientAuthCertificateSelected(mSelectedCertBytes,
+ mSelectedCertChainBytes);
+ return NS_OK;
+}
+
+void SelectClientAuthCertificate::DispatchContinuation(
+ nsTArray<uint8_t>&& selectedCertBytes) {
+ nsTArray<nsTArray<uint8_t>> selectedCertChainBytes;
+ // Attempt to find a pre-built certificate chain corresponding to the
+ // selected certificate.
+ for (const auto& clientCertificateChain : mPotentialClientCertificateChains) {
+ if (clientCertificateChain.Length() > 0 &&
+ clientCertificateChain[0] == selectedCertBytes) {
+ for (const auto& certificateBytes : clientCertificateChain) {
+ selectedCertChainBytes.AppendElement(certificateBytes.Clone());
+ }
+ break;
+ }
+ }
+ mContinuation->SetSelectedClientAuthData(std::move(selectedCertBytes),
+ std::move(selectedCertChainBytes));
+ nsCOMPtr<nsIEventTarget> socketThread(
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
+ if (socketThread) {
+ (void)socketThread->Dispatch(mContinuation, NS_DISPATCH_NORMAL);
+ }
+}
+
+// Helper function to build a certificate chain from the given certificate to a
+// trust anchor in the set indicated by the peer (mCANames). This is essentially
+// best-effort, so no signature verification occurs.
+mozilla::pkix::Result BuildChainForCertificate(
+ nsTArray<uint8_t>& certBytes, nsTArray<nsTArray<uint8_t>>& certChainBytes,
+ const nsTArray<nsTArray<uint8_t>>& caNames,
+ const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates) {
+ ClientAuthCertNonverifyingTrustDomain trustDomain(caNames,
+ enterpriseCertificates);
+ pkix::Input certDER;
+ mozilla::pkix::Result result =
+ certDER.Init(certBytes.Elements(), certBytes.Length());
+ if (result != pkix::Success) {
+ return result;
+ }
+ // Client certificates shouldn't be CAs, but for interoperability reasons we
+ // attempt to build a path with each certificate as an end entity and then as
+ // a CA if that fails.
+ const pkix::EndEntityOrCA kEndEntityOrCAParams[] = {
+ pkix::EndEntityOrCA::MustBeEndEntity, pkix::EndEntityOrCA::MustBeCA};
+ // mozilla::pkix rejects certificates with id-kp-OCSPSigning unless it is
+ // specifically required. A client certificate should never have this EKU.
+ // Unfortunately, there are some client certificates in private PKIs that
+ // have this EKU. For interoperability, we attempt to work around this
+ // restriction in mozilla::pkix by first building the certificate chain with
+ // no particular EKU required and then again with id-kp-OCSPSigning required
+ // if that fails.
+ const pkix::KeyPurposeId kKeyPurposeIdParams[] = {
+ pkix::KeyPurposeId::anyExtendedKeyUsage,
+ pkix::KeyPurposeId::id_kp_OCSPSigning};
+ for (const auto& endEntityOrCAParam : kEndEntityOrCAParams) {
+ for (const auto& keyPurposeIdParam : kKeyPurposeIdParams) {
+ mozilla::pkix::Result result = BuildCertChain(
+ trustDomain, certDER, Now(), endEntityOrCAParam,
+ KeyUsage::noParticularKeyUsageRequired, keyPurposeIdParam,
+ pkix::CertPolicyId::anyPolicy, nullptr);
+ if (result == pkix::Success) {
+ certChainBytes = trustDomain.TakeBuiltChain();
+ return pkix::Success;
+ }
+ }
+ }
+ return mozilla::pkix::Result::ERROR_UNKNOWN_ISSUER;
+}
+
+class ClientAuthDialogCallback : public nsIClientAuthDialogCallback {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSICLIENTAUTHDIALOGCALLBACK
+
+ explicit ClientAuthDialogCallback(
+ SelectClientAuthCertificate* selectClientAuthCertificate)
+ : mSelectClientAuthCertificate(selectClientAuthCertificate) {}
+
+ private:
+ virtual ~ClientAuthDialogCallback() = default;
+
+ RefPtr<SelectClientAuthCertificate> mSelectClientAuthCertificate;
+};
+
+NS_IMPL_ISUPPORTS(ClientAuthDialogCallback, nsIClientAuthDialogCallback)
+
+NS_IMETHODIMP
+ClientAuthDialogCallback::CertificateChosen(nsIX509Cert* cert,
+ bool rememberDecision) {
+ MOZ_ASSERT(mSelectClientAuthCertificate);
+ if (!mSelectClientAuthCertificate) {
+ return NS_ERROR_FAILURE;
+ }
+ const ClientAuthInfo& info = mSelectClientAuthCertificate->Info();
+ nsCOMPtr<nsIClientAuthRememberService> clientAuthRememberService(
+ do_GetService(NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID));
+ if (info.ProviderTlsFlags() == 0 && rememberDecision &&
+ clientAuthRememberService) {
+ (void)clientAuthRememberService->RememberDecision(
+ info.HostName(), info.OriginAttributesRef(), cert);
+ }
+ nsTArray<uint8_t> selectedCertBytes;
+ if (cert) {
+ nsresult rv = cert->GetRawDER(selectedCertBytes);
+ if (NS_FAILED(rv)) {
+ selectedCertBytes.Clear();
+ mSelectClientAuthCertificate->DispatchContinuation(
+ std::move(selectedCertBytes));
+ return rv;
+ }
+ }
+ mSelectClientAuthCertificate->DispatchContinuation(
+ std::move(selectedCertBytes));
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+SelectClientAuthCertificate::Run() {
+ // We check the value of a pref, so this should only be run on the main
+ // thread.
+ MOZ_ASSERT(NS_IsMainThread());
+
+ nsTArray<uint8_t> selectedCertBytes;
+ if (!mPotentialClientCertificates ||
+ CERT_LIST_EMPTY(mPotentialClientCertificates)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("no potential client certificates available"));
+ DispatchContinuation(std::move(selectedCertBytes));
+ return NS_OK;
+ }
+
+ // find valid user cert and key pair
+ if (nsGetUserCertChoice() == UserCertChoice::Auto) {
+ // automatically find the right cert
+ UniqueCERTCertificate lowPrioNonrepCert;
+ // loop through the list until we find a cert with a key
+ for (CERTCertListNode* node = CERT_LIST_HEAD(mPotentialClientCertificates);
+ !CERT_LIST_END(node, mPotentialClientCertificates);
+ node = CERT_LIST_NEXT(node)) {
+ UniqueSECKEYPrivateKey tmpKey(PK11_FindKeyByAnyCert(node->cert, nullptr));
+ if (tmpKey) {
+ if (hasExplicitKeyUsageNonRepudiation(node->cert)) {
+ // Not a preferred cert
+ if (!lowPrioNonrepCert) { // did not yet find a low prio cert
+ lowPrioNonrepCert.reset(CERT_DupCertificate(node->cert));
+ }
+ } else {
+ // this is a good cert to present
+ selectedCertBytes.AppendElements(node->cert->derCert.data,
+ node->cert->derCert.len);
+ DispatchContinuation(std::move(selectedCertBytes));
+ return NS_OK;
+ }
+ }
+ if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) {
+ // problem with password: bail
+ break;
+ }
+ }
+
+ if (lowPrioNonrepCert) {
+ selectedCertBytes.AppendElements(lowPrioNonrepCert->derCert.data,
+ lowPrioNonrepCert->derCert.len);
+ }
+ DispatchContinuation(std::move(selectedCertBytes));
+ return NS_OK;
+ }
+
+ // Not Auto => ask the user to select a certificate
+ nsTArray<RefPtr<nsIX509Cert>> certArray;
+ for (CERTCertListNode* node = CERT_LIST_HEAD(mPotentialClientCertificates);
+ !CERT_LIST_END(node, mPotentialClientCertificates);
+ node = CERT_LIST_NEXT(node)) {
+ RefPtr<nsIX509Cert> tempCert(new nsNSSCertificate(node->cert));
+ certArray.AppendElement(tempCert);
+ }
+
+ nsCOMPtr<nsIClientAuthDialogService> clientAuthDialogService(
+ do_GetService(NS_CLIENTAUTHDIALOGSERVICE_CONTRACTID));
+ if (!clientAuthDialogService) {
+ DispatchContinuation(std::move(selectedCertBytes));
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsILoadContext> loadContext = nullptr;
+ if (mBrowserId != 0) {
+ loadContext =
+ mozilla::dom::BrowsingContext::GetCurrentTopByBrowserId(mBrowserId);
+ }
+ RefPtr<nsIClientAuthDialogCallback> callback(
+ new ClientAuthDialogCallback(this));
+ nsresult rv = clientAuthDialogService->ChooseCertificate(
+ mInfo.HostName(), certArray, loadContext, callback);
+ if (NS_FAILED(rv)) {
+ DispatchContinuation(std::move(selectedCertBytes));
+ return rv;
+ }
+ return NS_OK;
+}
+
+SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket,
+ CERTDistNames* caNamesDecoded,
+ CERTCertificate** pRetCert,
+ SECKEYPrivateKey** pRetKey) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] SSLGetClientAuthDataHook", socket));
+
+ if (!arg || !socket || !caNamesDecoded || !pRetCert || !pRetKey) {
+ PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+ return SECFailure;
+ }
+
+ *pRetCert = nullptr;
+ *pRetKey = nullptr;
+
+ RefPtr<NSSSocketControl> info(static_cast<NSSSocketControl*>(arg));
+ Telemetry::ScalarAdd(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE,
+ u"requested"_ns, 1);
+
+ if (info->GetDenyClientCert()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] Not returning client cert due to denyClientCert attribute",
+ socket));
+ return SECSuccess;
+ }
+
+ if (info->GetJoined()) {
+ // We refuse to send a client certificate when there are multiple hostnames
+ // joined on this connection, because we only show the user one hostname
+ // (mHostName) in the client certificate UI.
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] Not returning client cert due to previous join", socket));
+ return SECSuccess;
+ }
+
+ UniqueCERTCertificate serverCert(SSL_PeerCertificate(socket));
+ if (!serverCert) {
+ PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0);
+ return SECFailure;
+ }
+
+ uint64_t browserId;
+ if (NS_FAILED(info->GetBrowserId(&browserId))) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+
+ nsTArray<nsTArray<uint8_t>> caNames(CollectCANames(caNamesDecoded));
+
+ // Currently, the IPC client certs module only refreshes its view of
+ // available certificates and keys if the platform issues a search for all
+ // certificates or keys. In the socket process, such a search may not have
+ // happened, so this ensures it has.
+ // Additionally, instantiating certificates in NSS is not thread-safe and has
+ // performance implications, so search for them here (on the socket thread)
+ // when not in the socket process.
+ UniqueCERTCertList potentialClientCertificates(
+ FindClientCertificatesWithPrivateKeys());
+
+ RefPtr<ClientAuthCertificateSelected> continuation(
+ new ClientAuthCertificateSelected(info));
+ // If this is the socket process, dispatch an IPC call to select a client
+ // authentication certificate in the parent process.
+ // Otherwise, dispatch an event to the main thread to do the selection.
+ // When those events finish, they will run the continuation, which gives the
+ // appropriate information to the NSSSocketControl, which then calls
+ // SSL_ClientCertCallbackComplete to continue the connection.
+ if (XRE_IsSocketProcess()) {
+ RefPtr<SelectTLSClientAuthCertChild> selectClientAuthCertificate(
+ new SelectTLSClientAuthCertChild(continuation));
+ nsAutoCString hostname(info->GetHostName());
+ nsTArray<uint8_t> serverCertBytes;
+ nsTArray<ByteArray> caNamesBytes;
+ for (const auto& caName : caNames) {
+ caNamesBytes.AppendElement(ByteArray(std::move(caName)));
+ }
+ serverCertBytes.AppendElements(serverCert->derCert.data,
+ serverCert->derCert.len);
+ OriginAttributes originAttributes(info->GetOriginAttributes());
+ int32_t port(info->GetPort());
+ uint32_t providerFlags(info->GetProviderFlags());
+ uint32_t providerTlsFlags(info->GetProviderTlsFlags());
+ nsCOMPtr<nsIRunnable> remoteSelectClientAuthCertificate(
+ NS_NewRunnableFunction(
+ "RemoteSelectClientAuthCertificate",
+ [selectClientAuthCertificate(
+ std::move(selectClientAuthCertificate)),
+ hostname(std::move(hostname)),
+ originAttributes(std::move(originAttributes)), port, providerFlags,
+ providerTlsFlags, serverCertBytes(std::move(serverCertBytes)),
+ caNamesBytes(std::move(caNamesBytes)),
+ browserId(browserId)]() mutable {
+ ipc::Endpoint<PSelectTLSClientAuthCertParent> parentEndpoint;
+ ipc::Endpoint<PSelectTLSClientAuthCertChild> childEndpoint;
+ PSelectTLSClientAuthCert::CreateEndpoints(&parentEndpoint,
+ &childEndpoint);
+ if (NS_FAILED(net::SocketProcessBackgroundChild::WithActor(
+ "SendInitSelectTLSClientAuthCert",
+ [endpoint = std::move(parentEndpoint),
+ hostname(std::move(hostname)),
+ originAttributes(std::move(originAttributes)), port,
+ providerFlags, providerTlsFlags,
+ serverCertBytes(std::move(serverCertBytes)),
+ caNamesBytes(std::move(caNamesBytes)), browserId](
+ net::SocketProcessBackgroundChild* aActor) mutable {
+ Unused << aActor->SendInitSelectTLSClientAuthCert(
+ std::move(endpoint), hostname, originAttributes,
+ port, providerFlags, providerTlsFlags,
+ ByteArray(serverCertBytes), caNamesBytes,
+ browserId);
+ }))) {
+ return;
+ }
+
+ if (!childEndpoint.Bind(selectClientAuthCertificate)) {
+ return;
+ }
+ }));
+ info->SetPendingSelectClientAuthCertificate(
+ std::move(remoteSelectClientAuthCertificate));
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return SECWouldBlock;
+ }
+
+ ClientAuthInfo authInfo(info->GetHostName(), info->GetOriginAttributes(),
+ info->GetPort(), info->GetProviderFlags(),
+ info->GetProviderTlsFlags());
+ nsTArray<nsTArray<uint8_t>> enterpriseCertificates(
+ GetEnterpriseCertificates());
+ nsTArray<uint8_t> rememberedCertBytes;
+ nsTArray<nsTArray<uint8_t>> rememberedCertChainBytes;
+ if (FindRememberedDecision(authInfo, caNames, enterpriseCertificates,
+ rememberedCertBytes, rememberedCertChainBytes)) {
+ continuation->SetSelectedClientAuthData(
+ std::move(rememberedCertBytes), std::move(rememberedCertChainBytes));
+ nsresult rv = NS_DispatchToCurrentThread(continuation);
+ if (NS_FAILED(rv)) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return SECWouldBlock;
+ }
+
+ nsTArray<nsTArray<nsTArray<uint8_t>>> potentialClientCertificateChains;
+ FilterPotentialClientCertificatesByCANames(potentialClientCertificates,
+ caNames, enterpriseCertificates,
+ potentialClientCertificateChains);
+ if (!potentialClientCertificates ||
+ CERT_LIST_EMPTY(potentialClientCertificates)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] no client certificates available after filtering by CA",
+ socket));
+ return SECSuccess;
+ }
+ nsCOMPtr<nsIRunnable> selectClientAuthCertificate(
+ new SelectClientAuthCertificate(
+ std::move(authInfo), std::move(serverCert),
+ std::move(potentialClientCertificates),
+ std::move(potentialClientCertificateChains), continuation,
+ browserId));
+ info->SetPendingSelectClientAuthCertificate(
+ std::move(selectClientAuthCertificate));
+
+ // Meanwhile, tell NSS this connection is blocking for now.
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return SECWouldBlock;
+}
+
+// Helper continuation for when a client authentication certificate has been
+// selected in the parent process and the information needs to be sent to the
+// socket process.
+class RemoteClientAuthCertificateSelected
+ : public ClientAuthCertificateSelectedBase {
+ public:
+ explicit RemoteClientAuthCertificateSelected(
+ SelectTLSClientAuthCertParent* selectTLSClientAuthCertParent)
+ : mSelectTLSClientAuthCertParent(selectTLSClientAuthCertParent),
+ mEventTarget(GetCurrentSerialEventTarget()) {}
+
+ NS_IMETHOD Run() override;
+
+ private:
+ RefPtr<SelectTLSClientAuthCertParent> mSelectTLSClientAuthCertParent;
+ nsCOMPtr<nsISerialEventTarget> mEventTarget;
+};
+
+NS_IMETHODIMP
+RemoteClientAuthCertificateSelected::Run() {
+ // When this runs, it dispatches an event to the IPC thread it originally came
+ // from in order to send the IPC call to the socket process that a client
+ // authentication certificate has been selected.
+ return mEventTarget->Dispatch(
+ NS_NewRunnableFunction(
+ "psm::RemoteClientAuthCertificateSelected::Run",
+ [parent(mSelectTLSClientAuthCertParent),
+ certBytes(std::move(mSelectedCertBytes)),
+ builtCertChain(std::move(mSelectedCertChainBytes))]() mutable {
+ parent->TLSClientAuthCertSelected(certBytes,
+ std::move(builtCertChain));
+ }),
+ NS_DISPATCH_NORMAL);
+}
+
+namespace mozilla::psm {
+
+// Given some information from the socket process about a connection that
+// requested a client authentication certificate, this function dispatches an
+// event to the main thread to ask the user to select one. When the user does so
+// (or selects no certificate), the continuation runs and sends the information
+// back via IPC.
+bool SelectTLSClientAuthCertParent::Dispatch(
+ const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
+ const int32_t& aPort, const uint32_t& aProviderFlags,
+ const uint32_t& aProviderTlsFlags, const ByteArray& aServerCertBytes,
+ nsTArray<ByteArray>&& aCANames, const uint64_t& aBrowserId) {
+ RefPtr<ClientAuthCertificateSelectedBase> continuation(
+ new RemoteClientAuthCertificateSelected(this));
+ ClientAuthInfo authInfo(aHostName, aOriginAttributes, aPort, aProviderFlags,
+ aProviderTlsFlags);
+ nsCOMPtr<nsIEventTarget> socketThread =
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID);
+ if (NS_WARN_IF(!socketThread)) {
+ return false;
+ }
+ // Dispatch the work of instantiating a CERTCertificate and searching for
+ // client certificates to the socket thread.
+ nsresult rv = socketThread->Dispatch(NS_NewRunnableFunction(
+ "SelectTLSClientAuthCertParent::Dispatch",
+ [authInfo(std::move(authInfo)), continuation(std::move(continuation)),
+ serverCertBytes(aServerCertBytes), caNames(std::move(aCANames)),
+ browserId(aBrowserId)]() mutable {
+ SECItem serverCertItem{
+ siBuffer,
+ const_cast<uint8_t*>(serverCertBytes.data().Elements()),
+ static_cast<unsigned int>(serverCertBytes.data().Length()),
+ };
+ UniqueCERTCertificate serverCert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &serverCertItem, nullptr, false, true));
+ if (!serverCert) {
+ return;
+ }
+ nsTArray<nsTArray<uint8_t>> caNamesArray;
+ for (auto& caName : caNames) {
+ caNamesArray.AppendElement(std::move(caName.data()));
+ }
+ nsTArray<nsTArray<uint8_t>> enterpriseCertificates(
+ GetEnterpriseCertificates());
+ nsTArray<uint8_t> rememberedCertBytes;
+ nsTArray<nsTArray<uint8_t>> rememberedCertChainBytes;
+ if (FindRememberedDecision(authInfo, caNamesArray,
+ enterpriseCertificates, rememberedCertBytes,
+ rememberedCertChainBytes)) {
+ continuation->SetSelectedClientAuthData(
+ std::move(rememberedCertBytes),
+ std::move(rememberedCertChainBytes));
+ (void)NS_DispatchToCurrentThread(continuation);
+ return;
+ }
+ UniqueCERTCertList potentialClientCertificates(
+ FindClientCertificatesWithPrivateKeys());
+ nsTArray<nsTArray<nsTArray<uint8_t>>> potentialClientCertificateChains;
+ FilterPotentialClientCertificatesByCANames(
+ potentialClientCertificates, caNamesArray, enterpriseCertificates,
+ potentialClientCertificateChains);
+ RefPtr<SelectClientAuthCertificate> selectClientAuthCertificate(
+ new SelectClientAuthCertificate(
+ std::move(authInfo), std::move(serverCert),
+ std::move(potentialClientCertificates),
+ std::move(potentialClientCertificateChains), continuation,
+ browserId));
+ Unused << NS_DispatchToMainThread(selectClientAuthCertificate);
+ }));
+ return NS_SUCCEEDED(rv);
+}
+
+void SelectTLSClientAuthCertParent::TLSClientAuthCertSelected(
+ const nsTArray<uint8_t>& aSelectedCertBytes,
+ nsTArray<nsTArray<uint8_t>>&& aSelectedCertChainBytes) {
+ if (!CanSend()) {
+ return;
+ }
+
+ nsTArray<ByteArray> selectedCertChainBytes;
+ for (auto& certBytes : aSelectedCertChainBytes) {
+ selectedCertChainBytes.AppendElement(ByteArray(certBytes));
+ }
+
+ Unused << SendTLSClientAuthCertSelected(aSelectedCertBytes,
+ selectedCertChainBytes);
+ Close();
+}
+
+void SelectTLSClientAuthCertParent::ActorDestroy(
+ mozilla::ipc::IProtocol::ActorDestroyReason aWhy) {}
+
+SelectTLSClientAuthCertChild::SelectTLSClientAuthCertChild(
+ ClientAuthCertificateSelected* continuation)
+ : mContinuation(continuation) {}
+
+// When the user has selected (or not) a client authentication certificate in
+// the parent, this function receives that information in the socket process and
+// dispatches a continuation to the socket process to continue the connection.
+ipc::IPCResult SelectTLSClientAuthCertChild::RecvTLSClientAuthCertSelected(
+ ByteArray&& aSelectedCertBytes,
+ nsTArray<ByteArray>&& aSelectedCertChainBytes) {
+ nsTArray<uint8_t> selectedCertBytes(std::move(aSelectedCertBytes.data()));
+ nsTArray<nsTArray<uint8_t>> selectedCertChainBytes;
+ for (auto& certBytes : aSelectedCertChainBytes) {
+ selectedCertChainBytes.AppendElement(std::move(certBytes.data()));
+ }
+ mContinuation->SetSelectedClientAuthData(std::move(selectedCertBytes),
+ std::move(selectedCertChainBytes));
+
+ nsCOMPtr<nsIEventTarget> socketThread =
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID);
+ if (NS_WARN_IF(!socketThread)) {
+ return IPC_OK();
+ }
+ nsresult rv = socketThread->Dispatch(mContinuation, NS_DISPATCH_NORMAL);
+ Unused << NS_WARN_IF(NS_FAILED(rv));
+
+ return IPC_OK();
+}
+
+} // namespace mozilla::psm
diff --git a/security/manager/ssl/TLSClientAuthCertSelection.h b/security/manager/ssl/TLSClientAuthCertSelection.h
new file mode 100644
index 0000000000..5ff311d272
--- /dev/null
+++ b/security/manager/ssl/TLSClientAuthCertSelection.h
@@ -0,0 +1,120 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
+#define SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
+
+#include "NSSSocketControl.h"
+#include "nsIX509Cert.h"
+#include "nsNSSIOLayer.h"
+#include "nsThreadUtils.h"
+#include "ssl.h"
+
+class NSSSocketControl;
+
+// NSS callback to select a client authentication certificate. See documentation
+// at the top of TLSClientAuthCertSelection.cpp.
+SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket,
+ CERTDistNames* caNames,
+ CERTCertificate** pRetCert,
+ SECKEYPrivateKey** pRetKey);
+
+// Base class for continuing the operation of selecting a client authentication
+// certificate. Should not be used directly.
+class ClientAuthCertificateSelectedBase : public mozilla::Runnable {
+ public:
+ ClientAuthCertificateSelectedBase()
+ : Runnable("ClientAuthCertificateSelectedBase") {}
+
+ // Call to indicate that a client authentication certificate has been
+ // selected.
+ void SetSelectedClientAuthData(
+ nsTArray<uint8_t>&& selectedCertBytes,
+ nsTArray<nsTArray<uint8_t>>&& selectedCertChainBytes);
+
+ protected:
+ nsTArray<uint8_t> mSelectedCertBytes;
+ // The bytes of the certificates that form a chain from the selected
+ // certificate to a root. Necessary so NSS can include them in the TLS
+ // handshake (see note about mClientCertChain in NSSSocketControl).
+ nsTArray<nsTArray<uint8_t>> mSelectedCertChainBytes;
+};
+
+class ClientAuthCertificateSelected : public ClientAuthCertificateSelectedBase {
+ public:
+ explicit ClientAuthCertificateSelected(NSSSocketControl* socketInfo)
+ : mSocketInfo(socketInfo) {}
+
+ NS_IMETHOD Run() override;
+
+ private:
+ RefPtr<NSSSocketControl> mSocketInfo;
+};
+
+// This class is used to store the needed information for invoking the client
+// cert selection UI.
+class ClientAuthInfo final {
+ public:
+ explicit ClientAuthInfo(const nsACString& hostName,
+ const mozilla::OriginAttributes& originAttributes,
+ int32_t port, uint32_t providerFlags,
+ uint32_t providerTlsFlags);
+ ~ClientAuthInfo() = default;
+ ClientAuthInfo(ClientAuthInfo&& aOther) noexcept;
+
+ const nsACString& HostName() const;
+ const mozilla::OriginAttributes& OriginAttributesRef() const;
+ int32_t Port() const;
+ uint32_t ProviderFlags() const;
+ uint32_t ProviderTlsFlags() const;
+
+ ClientAuthInfo(const ClientAuthInfo&) = delete;
+ void operator=(const ClientAuthInfo&) = delete;
+
+ private:
+ nsCString mHostName;
+ mozilla::OriginAttributes mOriginAttributes;
+ int32_t mPort;
+ uint32_t mProviderFlags;
+ uint32_t mProviderTlsFlags;
+};
+
+// Helper runnable to select a client authentication certificate. Gets created
+// on the socket thread or an IPC thread, runs on the main thread, and then runs
+// its continuation on the socket thread.
+class SelectClientAuthCertificate : public mozilla::Runnable {
+ public:
+ SelectClientAuthCertificate(
+ ClientAuthInfo&& info, mozilla::UniqueCERTCertificate&& serverCert,
+ mozilla::UniqueCERTCertList&& potentialClientCertificates,
+ nsTArray<nsTArray<nsTArray<uint8_t>>>&& potentialClientCertificateChains,
+ ClientAuthCertificateSelectedBase* continuation, uint64_t browserId)
+ : Runnable("SelectClientAuthCertificate"),
+ mInfo(std::move(info)),
+ mServerCert(std::move(serverCert)),
+ mPotentialClientCertificates(std::move(potentialClientCertificates)),
+ mPotentialClientCertificateChains(
+ std::move(potentialClientCertificateChains)),
+ mContinuation(continuation),
+ mBrowserId(browserId) {}
+
+ NS_IMETHOD Run() override;
+
+ const ClientAuthInfo& Info() { return mInfo; }
+ void DispatchContinuation(nsTArray<uint8_t>&& selectedCertBytes);
+
+ private:
+ ClientAuthInfo mInfo;
+ mozilla::UniqueCERTCertificate mServerCert;
+ mozilla::UniqueCERTCertList mPotentialClientCertificates;
+ nsTArray<nsTArray<nsTArray<uint8_t>>> mPotentialClientCertificateChains;
+ RefPtr<ClientAuthCertificateSelectedBase> mContinuation;
+
+ uint64_t mBrowserId;
+ nsCOMPtr<nsIInterfaceRequestor> mSecurityCallbacks;
+};
+
+#endif // SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
diff --git a/security/manager/ssl/TransportSecurityInfo.cpp b/security/manager/ssl/TransportSecurityInfo.cpp
new file mode 100644
index 0000000000..2bc39157e7
--- /dev/null
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@@ -0,0 +1,1131 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "TransportSecurityInfo.h"
+
+#include "ipc/IPCMessageUtils.h"
+#include "mozilla/Base64.h"
+#include "mozpkix/pkixtypes.h"
+#include "nsBase64Encoder.h"
+#include "nsIObjectInputStream.h"
+#include "nsIObjectOutputStream.h"
+#include "nsIWebProgressListener.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSComponent.h"
+#include "nsNSSHelper.h"
+#include "nsReadableUtils.h"
+#include "nsServiceManagerUtils.h"
+#include "nsStringStream.h"
+#include "nsXULAppAPI.h"
+#include "nsIX509Cert.h"
+#include "secerr.h"
+#include "ssl.h"
+
+#include "mozilla/ipc/IPDLParamTraits.h"
+
+// nsITransportSecurityInfo should not be created via do_CreateInstance. This
+// stub prevents that.
+template <>
+already_AddRefed<nsISupports>
+mozCreateComponent<mozilla::psm::TransportSecurityInfo>() {
+ return nullptr;
+}
+
+namespace mozilla {
+namespace psm {
+
+TransportSecurityInfo::TransportSecurityInfo(
+ uint32_t aSecurityState, PRErrorCode aErrorCode,
+ nsTArray<RefPtr<nsIX509Cert>>&& aFailedCertChain,
+ nsCOMPtr<nsIX509Cert>& aServerCert,
+ nsTArray<RefPtr<nsIX509Cert>>&& aSucceededCertChain,
+ Maybe<uint16_t> aCipherSuite, Maybe<nsCString> aKeaGroupName,
+ Maybe<nsCString> aSignatureSchemeName, Maybe<uint16_t> aProtocolVersion,
+ uint16_t aCertificateTransparencyStatus, Maybe<bool> aIsAcceptedEch,
+ Maybe<bool> aIsDelegatedCredential,
+ Maybe<OverridableErrorCategory> aOverridableErrorCategory,
+ bool aMadeOCSPRequests, bool aUsedPrivateDNS, Maybe<bool> aIsEV,
+ bool aNPNCompleted, const nsCString& aNegotiatedNPN, bool aResumed,
+ bool aIsBuiltCertChainRootBuiltInRoot, const nsCString& aPeerId)
+ : mSecurityState(aSecurityState),
+ mErrorCode(aErrorCode),
+ mFailedCertChain(std::move(aFailedCertChain)),
+ mServerCert(aServerCert),
+ mSucceededCertChain(std::move(aSucceededCertChain)),
+ mCipherSuite(aCipherSuite),
+ mKeaGroupName(aKeaGroupName),
+ mSignatureSchemeName(aSignatureSchemeName),
+ mProtocolVersion(aProtocolVersion),
+ mCertificateTransparencyStatus(aCertificateTransparencyStatus),
+ mIsAcceptedEch(aIsAcceptedEch),
+ mIsDelegatedCredential(aIsDelegatedCredential),
+ mOverridableErrorCategory(aOverridableErrorCategory),
+ mMadeOCSPRequests(aMadeOCSPRequests),
+ mUsedPrivateDNS(aUsedPrivateDNS),
+ mIsEV(aIsEV),
+ mNPNCompleted(aNPNCompleted),
+ mNegotiatedNPN(aNegotiatedNPN),
+ mResumed(aResumed),
+ mIsBuiltCertChainRootBuiltInRoot(aIsBuiltCertChainRootBuiltInRoot),
+ mPeerId(aPeerId) {}
+
+NS_IMPL_ISUPPORTS(TransportSecurityInfo, nsITransportSecurityInfo)
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetSecurityState(uint32_t* state) {
+ *state = mSecurityState;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetErrorCode(int32_t* state) {
+ *state = mErrorCode;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetErrorCodeString(nsAString& aErrorString) {
+ const char* codeName = PR_ErrorToName(mErrorCode);
+ aErrorString.Truncate();
+ if (codeName) {
+ aErrorString = NS_ConvertASCIItoUTF16(codeName);
+ }
+
+ return NS_OK;
+}
+
+// 16786594-0296-4471-8096-8f84497ca428
+#define TRANSPORTSECURITYINFO_CID \
+ { \
+ 0x16786594, 0x0296, 0x4471, { \
+ 0x80, 0x96, 0x8f, 0x84, 0x49, 0x7c, 0xa4, 0x28 \
+ } \
+ }
+static NS_DEFINE_CID(kTransportSecurityInfoCID, TRANSPORTSECURITYINFO_CID);
+
+// This is a new magic value. However, it re-uses the first 4 bytes
+// of the previous value. This is so when older versions attempt to
+// read a newer serialized TransportSecurityInfo, they will actually
+// fail and return NS_ERROR_FAILURE instead of silently failing.
+#define TRANSPORTSECURITYINFOMAGIC \
+ { \
+ 0xa9863a23, 0x1faa, 0x4169, { \
+ 0xb0, 0xd2, 0x81, 0x29, 0xec, 0x7c, 0xb1, 0xde \
+ } \
+ }
+static NS_DEFINE_CID(kTransportSecurityInfoMagic, TRANSPORTSECURITYINFOMAGIC);
+
+NS_IMETHODIMP
+TransportSecurityInfo::ToString(nsACString& aResult) {
+ RefPtr<nsBase64Encoder> stream(new nsBase64Encoder());
+ nsCOMPtr<nsIObjectOutputStream> objStream(NS_NewObjectOutputStream(stream));
+ nsresult rv = objStream->WriteID(kTransportSecurityInfoCID);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = objStream->WriteID(NS_ISUPPORTS_IID);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteID(kTransportSecurityInfoMagic);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->Write32(mSecurityState);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // mSubRequestsBrokenSecurity was removed in bug 748809
+ rv = objStream->Write32(0);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // mSubRequestsNoSecurity was removed in bug 748809
+ rv = objStream->Write32(0);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = objStream->Write32(static_cast<uint32_t>(mErrorCode));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Re-purpose mErrorMessageCached to represent serialization version
+ // If string doesn't match exact version it will be treated as older
+ // serialization.
+ rv = objStream->WriteWStringZ(NS_ConvertUTF8toUTF16("9").get());
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // moved from nsISSLStatus
+ rv = NS_WriteOptionalCompoundObject(objStream, mServerCert,
+ NS_GET_IID(nsIX509Cert), true);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->Write16(mCipherSuite.isSome() ? *mCipherSuite : 0);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->Write16(mProtocolVersion.isSome() ? *mProtocolVersion : 0);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->Write32(mOverridableErrorCategory.isSome()
+ ? *mOverridableErrorCategory
+ : OverridableErrorCategory::ERROR_UNSET);
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = objStream->WriteBoolean(mIsEV.isSome() ? *mIsEV : false);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->WriteBoolean(mIsEV.isSome()); // previously mHasIsEV
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = objStream->WriteBoolean(
+ mCipherSuite.isSome()); // previously mHaveCipherSuiteAndProtocol
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = objStream->WriteBoolean(
+ mOverridableErrorCategory.isSome()); // previously mHaveCertErrorBits
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->Write16(mCertificateTransparencyStatus);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->WriteStringZ(mKeaGroupName.isSome() ? (*mKeaGroupName).get()
+ : "");
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->WriteStringZ(
+ mSignatureSchemeName.isSome() ? (*mSignatureSchemeName).get() : "");
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = objStream->Write16(mSucceededCertChain.Length());
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ for (const auto& cert : mSucceededCertChain) {
+ rv = objStream->WriteCompoundObject(cert, NS_GET_IID(nsIX509Cert), true);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+ // END moved from nsISSLStatus
+ rv = objStream->Write16(mFailedCertChain.Length());
+ NS_ENSURE_SUCCESS(rv, rv);
+ for (const auto& cert : mFailedCertChain) {
+ rv = objStream->WriteCompoundObject(cert, NS_GET_IID(nsIX509Cert), true);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ rv = objStream->WriteBoolean(
+ mIsDelegatedCredential.isSome() ? *mIsDelegatedCredential : false);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteBoolean(mNPNCompleted);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteStringZ(mNegotiatedNPN.get());
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteBoolean(mResumed);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteBoolean(mIsBuiltCertChainRootBuiltInRoot);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteBoolean(mIsAcceptedEch.isSome() ? *mIsAcceptedEch
+ : false);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteStringZ(mPeerId.get());
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteBoolean(mMadeOCSPRequests);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->WriteBoolean(mUsedPrivateDNS);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = stream->Finish(aResult);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return NS_OK;
+}
+
+nsresult TransportSecurityInfo::ReadOldOverridableErrorBits(
+ nsIObjectInputStream* aStream,
+ OverridableErrorCategory& aOverridableErrorCategory) {
+ bool isDomainMismatch;
+ nsresult rv = aStream->ReadBoolean(&isDomainMismatch);
+ NS_ENSURE_SUCCESS(rv, rv);
+ bool isNotValidAtThisTime;
+ rv = aStream->ReadBoolean(&isNotValidAtThisTime);
+ NS_ENSURE_SUCCESS(rv, rv);
+ bool isUntrusted;
+ rv = aStream->ReadBoolean(&isUntrusted);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (isUntrusted) {
+ aOverridableErrorCategory =
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST;
+ } else if (isDomainMismatch) {
+ aOverridableErrorCategory =
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN;
+ } else if (isNotValidAtThisTime) {
+ aOverridableErrorCategory =
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME;
+ } else {
+ aOverridableErrorCategory =
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET;
+ }
+
+ return NS_OK;
+}
+
+// This is for backward compatibility to be able to read nsISSLStatus
+// serialized object.
+nsresult TransportSecurityInfo::ReadSSLStatus(
+ nsIObjectInputStream* aStream, nsCOMPtr<nsIX509Cert>& aServerCert,
+ Maybe<uint16_t>& aCipherSuite, Maybe<uint16_t>& aProtocolVersion,
+ Maybe<OverridableErrorCategory>& aOverridableErrorCategory,
+ Maybe<bool>& aIsEV, uint16_t& aCertificateTransparencyStatus,
+ Maybe<nsCString>& aKeaGroupName, Maybe<nsCString>& aSignatureSchemeName,
+ nsTArray<RefPtr<nsIX509Cert>>& aSucceededCertChain) {
+ bool nsISSLStatusPresent;
+ nsresult rv = aStream->ReadBoolean(&nsISSLStatusPresent);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!nsISSLStatusPresent) {
+ return NS_OK;
+ }
+ // nsISSLStatus present. Prepare to read elements.
+ // Throw away cid, validate iid
+ nsCID cid;
+ nsIID iid;
+ rv = aStream->ReadID(&cid);
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = aStream->ReadID(&iid);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ static const nsIID nsSSLStatusIID = {
+ 0xfa9ba95b,
+ 0xca3b,
+ 0x498a,
+ {0xb8, 0x89, 0x7c, 0x79, 0xcf, 0x28, 0xfe, 0xe8}};
+ if (!iid.Equals(nsSSLStatusIID)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsCOMPtr<nsISupports> cert;
+ rv = aStream->ReadObject(true, getter_AddRefs(cert));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (cert) {
+ aServerCert = do_QueryInterface(cert);
+ if (!aServerCert) {
+ return NS_NOINTERFACE;
+ }
+ }
+
+ uint16_t cipherSuite;
+ rv = aStream->Read16(&cipherSuite);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // The code below is a workaround to allow serializing new fields
+ // while preserving binary compatibility with older streams. For more details
+ // on the binary compatibility requirement, refer to bug 1248628.
+ // Here, we take advantage of the fact that mProtocolVersion was originally
+ // stored as a 16 bits integer, but the highest 8 bits were never used.
+ // These bits are now used for stream versioning.
+ uint16_t protocolVersionAndStreamFormatVersion;
+ rv = aStream->Read16(&protocolVersionAndStreamFormatVersion);
+ NS_ENSURE_SUCCESS(rv, rv);
+ const uint8_t streamFormatVersion =
+ (protocolVersionAndStreamFormatVersion >> 8) & 0xFF;
+
+ OverridableErrorCategory overridableErrorCategory;
+ rv = ReadOldOverridableErrorBits(aStream, overridableErrorCategory);
+ NS_ENSURE_SUCCESS(rv, rv);
+ bool isEV;
+ rv = aStream->ReadBoolean(&isEV);
+ NS_ENSURE_SUCCESS(rv, rv);
+ bool hasIsEVStatus;
+ rv = aStream->ReadBoolean(&hasIsEVStatus);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (hasIsEVStatus) {
+ aIsEV.emplace(isEV);
+ }
+ bool haveCipherSuiteAndProtocol;
+ rv = aStream->ReadBoolean(&haveCipherSuiteAndProtocol);
+ if (haveCipherSuiteAndProtocol) {
+ aCipherSuite.emplace(cipherSuite);
+ aProtocolVersion.emplace(protocolVersionAndStreamFormatVersion & 0xFF);
+ }
+ NS_ENSURE_SUCCESS(rv, rv);
+ bool haveCertErrorBits;
+ rv = aStream->ReadBoolean(&haveCertErrorBits);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (haveCertErrorBits) {
+ aOverridableErrorCategory.emplace(overridableErrorCategory);
+ }
+
+ // Added in version 1 (see bug 1305289).
+ if (streamFormatVersion >= 1) {
+ rv = aStream->Read16(&aCertificateTransparencyStatus);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ // Added in version 2 (see bug 1304923).
+ if (streamFormatVersion >= 2) {
+ nsCString keaGroupName;
+ rv = aStream->ReadCString(keaGroupName);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (haveCipherSuiteAndProtocol) {
+ aKeaGroupName.emplace(keaGroupName);
+ }
+
+ nsCString signatureSchemeName;
+ rv = aStream->ReadCString(signatureSchemeName);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (haveCipherSuiteAndProtocol) {
+ aSignatureSchemeName.emplace(signatureSchemeName);
+ }
+ }
+
+ // Added in version 3 (see bug 1406856).
+ if (streamFormatVersion >= 3) {
+ rv = ReadCertList(aStream, aSucceededCertChain);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Read only to consume bytes from the stream.
+ nsTArray<RefPtr<nsIX509Cert>> failedCertChain;
+ rv = ReadCertList(aStream, failedCertChain);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+ return rv;
+}
+
+// This is for backward compatability to be able to read nsIX509CertList
+// serialized object.
+nsresult TransportSecurityInfo::ReadCertList(
+ nsIObjectInputStream* aStream, nsTArray<RefPtr<nsIX509Cert>>& aCertList) {
+ bool nsIX509CertListPresent;
+
+ nsresult rv = aStream->ReadBoolean(&nsIX509CertListPresent);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!nsIX509CertListPresent) {
+ return NS_OK;
+ }
+ // nsIX509CertList present. Prepare to read elements.
+ // Throw away cid, validate iid
+ nsCID cid;
+ nsIID iid;
+ rv = aStream->ReadID(&cid);
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = aStream->ReadID(&iid);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ static const nsIID nsIX509CertListIID = {
+ 0xae74cda5,
+ 0xcd2f,
+ 0x473f,
+ {0x96, 0xf5, 0xf0, 0xb7, 0xff, 0xf6, 0x2c, 0x68}};
+
+ if (!iid.Equals(nsIX509CertListIID)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ uint32_t certListSize;
+ rv = aStream->Read32(&certListSize);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ return ReadCertificatesFromStream(aStream, certListSize, aCertList);
+}
+
+nsresult TransportSecurityInfo::ReadCertificatesFromStream(
+ nsIObjectInputStream* aStream, uint32_t aSize,
+ nsTArray<RefPtr<nsIX509Cert>>& aCertList) {
+ nsresult rv;
+ for (uint32_t i = 0; i < aSize; ++i) {
+ nsCOMPtr<nsISupports> support;
+ rv = aStream->ReadObject(true, getter_AddRefs(support));
+ NS_ENSURE_SUCCESS(rv, rv);
+ nsCOMPtr<nsIX509Cert> cert = do_QueryInterface(support);
+ if (!cert) {
+ return NS_ERROR_UNEXPECTED;
+ }
+ RefPtr<nsIX509Cert> castedCert(cert.get());
+ aCertList.AppendElement(castedCert);
+ }
+ return NS_OK;
+}
+
+static nsITransportSecurityInfo::OverridableErrorCategory
+IntToOverridableErrorCategory(uint32_t intVal) {
+ switch (intVal) {
+ case static_cast<uint32_t>(
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST):
+ return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST;
+ case static_cast<uint32_t>(
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN):
+ return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN;
+ case static_cast<uint32_t>(
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME):
+ return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME;
+ default:
+ break;
+ }
+ return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET;
+}
+
+nsresult TransportSecurityInfo::Read(const nsCString& aSerializedSecurityInfo,
+ nsITransportSecurityInfo** aResult) {
+ *aResult = nullptr;
+
+ nsCString decodedSecurityInfo;
+ nsresult rv = Base64Decode(aSerializedSecurityInfo, decodedSecurityInfo);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsCOMPtr<nsIInputStream> inputStream;
+ rv = NS_NewCStringInputStream(getter_AddRefs(inputStream),
+ std::move(decodedSecurityInfo));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsCOMPtr<nsIObjectInputStream> objStream(
+ NS_NewObjectInputStream(inputStream));
+ if (!objStream) {
+ return rv;
+ }
+
+ nsCID cid;
+ rv = objStream->ReadID(&cid);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!cid.Equals(kTransportSecurityInfoCID)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+ nsIID iid;
+ rv = objStream->ReadID(&iid);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!iid.Equals(NS_ISUPPORTS_IID)) {
+ return rv;
+ }
+
+ nsID id;
+ rv = objStream->ReadID(&id);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!id.Equals(kTransportSecurityInfoMagic)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ uint32_t aSecurityState = 0;
+ PRErrorCode aErrorCode = 0;
+ nsTArray<RefPtr<nsIX509Cert>> aFailedCertChain;
+ nsCOMPtr<nsIX509Cert> aServerCert;
+ nsTArray<RefPtr<nsIX509Cert>> aSucceededCertChain;
+ Maybe<uint16_t> aCipherSuite;
+ Maybe<nsCString> aKeaGroupName;
+ Maybe<nsCString> aSignatureSchemeName;
+ Maybe<uint16_t> aProtocolVersion;
+ uint16_t aCertificateTransparencyStatus;
+ Maybe<bool> aIsAcceptedEch;
+ Maybe<bool> aIsDelegatedCredential;
+ Maybe<OverridableErrorCategory> aOverridableErrorCategory;
+ bool aMadeOCSPRequests = false;
+ bool aUsedPrivateDNS = false;
+ Maybe<bool> aIsEV;
+ bool aNPNCompleted = false;
+ nsCString aNegotiatedNPN;
+ bool aResumed = false;
+ bool aIsBuiltCertChainRootBuiltInRoot = false;
+ nsCString aPeerId;
+ rv = objStream->Read32(&aSecurityState);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // mSubRequestsBrokenSecurity was removed in bug 748809
+ uint32_t unusedSubRequestsBrokenSecurity;
+ rv = objStream->Read32(&unusedSubRequestsBrokenSecurity);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // mSubRequestsNoSecurity was removed in bug 748809
+ uint32_t unusedSubRequestsNoSecurity;
+ rv = objStream->Read32(&unusedSubRequestsNoSecurity);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ uint32_t errorCode;
+ rv = objStream->Read32(&errorCode);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // PRErrorCode will be a negative value
+ aErrorCode = static_cast<PRErrorCode>(errorCode);
+
+ // Re-purpose mErrorMessageCached to represent serialization version
+ // If string doesn't match exact version it will be treated as older
+ // serialization.
+ nsAutoString serVersion;
+ rv = objStream->ReadString(serVersion);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ int32_t serVersionParsedToInt = 0;
+
+ if (!serVersion.IsEmpty()) {
+ char first = serVersion.First();
+ // Check whether the first character of serVersion is a number
+ // since ToInteger() skipps some non integer values.
+ if (first >= '0' && first <= '9') {
+ nsresult error = NS_OK;
+ serVersionParsedToInt = serVersion.ToInteger(&error);
+ if (NS_FAILED(error)) {
+ return error;
+ }
+ }
+ }
+
+ // moved from nsISSLStatus
+ if (serVersionParsedToInt < 1) {
+ // nsISSLStatus may be present
+ rv = ReadSSLStatus(objStream, aServerCert, aCipherSuite, aProtocolVersion,
+ aOverridableErrorCategory, aIsEV,
+ aCertificateTransparencyStatus, aKeaGroupName,
+ aSignatureSchemeName, aSucceededCertChain);
+ NS_ENSURE_SUCCESS(rv, rv);
+ } else {
+ nsCOMPtr<nsISupports> cert;
+ rv = NS_ReadOptionalObject(objStream, true, getter_AddRefs(cert));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (cert) {
+ aServerCert = do_QueryInterface(cert);
+ if (!aServerCert) {
+ return NS_NOINTERFACE;
+ }
+ }
+
+ uint16_t cipherSuite;
+ rv = objStream->Read16(&cipherSuite);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ uint16_t protocolVersion;
+ rv = objStream->Read16(&protocolVersion);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ OverridableErrorCategory overridableErrorCategory;
+ if (serVersionParsedToInt < 8) {
+ rv = ReadOldOverridableErrorBits(objStream, overridableErrorCategory);
+ NS_ENSURE_SUCCESS(rv, rv);
+ } else {
+ uint32_t overridableErrorCategoryInt;
+ rv = objStream->Read32(&overridableErrorCategoryInt);
+ NS_ENSURE_SUCCESS(rv, rv);
+ overridableErrorCategory =
+ IntToOverridableErrorCategory(overridableErrorCategoryInt);
+ }
+ bool isEV;
+ rv = objStream->ReadBoolean(&isEV);
+ NS_ENSURE_SUCCESS(rv, rv);
+ bool hasIsEVStatus;
+ rv = objStream->ReadBoolean(&hasIsEVStatus);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (hasIsEVStatus) {
+ aIsEV.emplace(isEV);
+ }
+ bool haveCipherSuiteAndProtocol;
+ rv = objStream->ReadBoolean(&haveCipherSuiteAndProtocol);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (haveCipherSuiteAndProtocol) {
+ aCipherSuite.emplace(cipherSuite);
+ aProtocolVersion.emplace(protocolVersion);
+ }
+ bool haveCertErrorBits;
+ rv = objStream->ReadBoolean(&haveCertErrorBits);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (haveCertErrorBits) {
+ aOverridableErrorCategory.emplace(overridableErrorCategory);
+ }
+
+ rv = objStream->Read16(&aCertificateTransparencyStatus);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsCString keaGroupName;
+ rv = objStream->ReadCString(keaGroupName);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (haveCipherSuiteAndProtocol) {
+ aKeaGroupName.emplace(keaGroupName);
+ }
+
+ nsCString signatureSchemeName;
+ rv = objStream->ReadCString(signatureSchemeName);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (haveCipherSuiteAndProtocol) {
+ aSignatureSchemeName.emplace(signatureSchemeName);
+ }
+
+ if (serVersionParsedToInt < 3) {
+ // The old data structure of certList(nsIX509CertList) presents
+ rv = ReadCertList(objStream, aSucceededCertChain);
+ NS_ENSURE_SUCCESS(rv, rv);
+ } else {
+ uint16_t certCount;
+ rv = objStream->Read16(&certCount);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv =
+ ReadCertificatesFromStream(objStream, certCount, aSucceededCertChain);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+ }
+ // END moved from nsISSLStatus
+ if (serVersionParsedToInt < 3) {
+ // The old data structure of certList(nsIX509CertList) presents
+ rv = ReadCertList(objStream, aFailedCertChain);
+ NS_ENSURE_SUCCESS(rv, rv);
+ } else {
+ uint16_t certCount;
+ rv = objStream->Read16(&certCount);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = ReadCertificatesFromStream(objStream, certCount, aFailedCertChain);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ // mIsDelegatedCredential added in bug 1562773
+ if (serVersionParsedToInt >= 2) {
+ bool isDelegatedCredential;
+ rv = objStream->ReadBoolean(&isDelegatedCredential);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // If aCipherSuite is Some, the serialized TransportSecurityinfo had its
+ // cipher suite and protocol information, which means it has this
+ // information.
+ if (aCipherSuite.isSome()) {
+ aIsDelegatedCredential.emplace(isDelegatedCredential);
+ }
+ }
+
+ // mNPNCompleted, mNegotiatedNPN, mResumed added in bug 1584104
+ if (serVersionParsedToInt >= 4) {
+ rv = objStream->ReadBoolean(&aNPNCompleted);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->ReadCString(aNegotiatedNPN);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->ReadBoolean(&aResumed);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ // mIsBuiltCertChainRootBuiltInRoot added in bug 1485652
+ if (serVersionParsedToInt >= 5) {
+ rv = objStream->ReadBoolean(&aIsBuiltCertChainRootBuiltInRoot);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ // mIsAcceptedEch added in bug 1678079
+ if (serVersionParsedToInt >= 6) {
+ bool isAcceptedEch;
+ rv = objStream->ReadBoolean(&isAcceptedEch);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // If aCipherSuite is Some, the serialized TransportSecurityinfo had its
+ // cipher suite and protocol information, which means it has this
+ // information.
+ if (aCipherSuite.isSome()) {
+ aIsAcceptedEch.emplace(isAcceptedEch);
+ }
+ }
+
+ // mPeerId added in bug 1738664
+ if (serVersionParsedToInt >= 7) {
+ rv = objStream->ReadCString(aPeerId);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ if (serVersionParsedToInt >= 9) {
+ rv = objStream->ReadBoolean(&aMadeOCSPRequests);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = objStream->ReadBoolean(&aUsedPrivateDNS);
+ if (NS_FAILED(rv)) {
+ return rv;
+ };
+ }
+
+ RefPtr<nsITransportSecurityInfo> securityInfo(new TransportSecurityInfo(
+ aSecurityState, aErrorCode, std::move(aFailedCertChain), aServerCert,
+ std::move(aSucceededCertChain), aCipherSuite, aKeaGroupName,
+ aSignatureSchemeName, aProtocolVersion, aCertificateTransparencyStatus,
+ aIsAcceptedEch, aIsDelegatedCredential, aOverridableErrorCategory,
+ aMadeOCSPRequests, aUsedPrivateDNS, aIsEV, aNPNCompleted, aNegotiatedNPN,
+ aResumed, aIsBuiltCertChainRootBuiltInRoot, aPeerId));
+ securityInfo.forget(aResult);
+ return NS_OK;
+}
+
+void TransportSecurityInfo::SerializeToIPC(IPC::MessageWriter* aWriter) {
+ WriteParam(aWriter, mSecurityState);
+ WriteParam(aWriter, mErrorCode);
+ WriteParam(aWriter, mFailedCertChain);
+ WriteParam(aWriter, mServerCert);
+ WriteParam(aWriter, mSucceededCertChain);
+ WriteParam(aWriter, mCipherSuite);
+ WriteParam(aWriter, mKeaGroupName);
+ WriteParam(aWriter, mSignatureSchemeName);
+ WriteParam(aWriter, mProtocolVersion);
+ WriteParam(aWriter, mCertificateTransparencyStatus);
+ WriteParam(aWriter, mIsAcceptedEch);
+ WriteParam(aWriter, mIsDelegatedCredential);
+ WriteParam(aWriter, mOverridableErrorCategory);
+ WriteParam(aWriter, mMadeOCSPRequests);
+ WriteParam(aWriter, mUsedPrivateDNS);
+ WriteParam(aWriter, mIsEV);
+ WriteParam(aWriter, mNPNCompleted);
+ WriteParam(aWriter, mNegotiatedNPN);
+ WriteParam(aWriter, mResumed);
+ WriteParam(aWriter, mIsBuiltCertChainRootBuiltInRoot);
+ WriteParam(aWriter, mPeerId);
+}
+
+bool TransportSecurityInfo::DeserializeFromIPC(
+ IPC::MessageReader* aReader, RefPtr<nsITransportSecurityInfo>* aResult) {
+ uint32_t aSecurityState;
+ PRErrorCode aErrorCode;
+ nsTArray<RefPtr<nsIX509Cert>> aFailedCertChain;
+ nsCOMPtr<nsIX509Cert> aServerCert;
+ nsTArray<RefPtr<nsIX509Cert>> aSucceededCertChain;
+ Maybe<uint16_t> aCipherSuite;
+ Maybe<nsCString> aKeaGroupName;
+ Maybe<nsCString> aSignatureSchemeName;
+ Maybe<uint16_t> aProtocolVersion;
+ uint16_t aCertificateTransparencyStatus;
+ Maybe<bool> aIsAcceptedEch;
+ Maybe<bool> aIsDelegatedCredential;
+ Maybe<OverridableErrorCategory> aOverridableErrorCategory;
+ bool aMadeOCSPRequests;
+ bool aUsedPrivateDNS;
+ Maybe<bool> aIsEV;
+ bool aNPNCompleted;
+ nsCString aNegotiatedNPN;
+ bool aResumed;
+ bool aIsBuiltCertChainRootBuiltInRoot;
+ nsCString aPeerId;
+
+ if (!ReadParam(aReader, &aSecurityState) ||
+ !ReadParam(aReader, &aErrorCode) ||
+ !ReadParam(aReader, &aFailedCertChain) ||
+ !ReadParam(aReader, &aServerCert) ||
+ !ReadParam(aReader, &aSucceededCertChain) ||
+ !ReadParam(aReader, &aCipherSuite) ||
+ !ReadParam(aReader, &aKeaGroupName) ||
+ !ReadParam(aReader, &aSignatureSchemeName) ||
+ !ReadParam(aReader, &aProtocolVersion) ||
+ !ReadParam(aReader, &aCertificateTransparencyStatus) ||
+ !ReadParam(aReader, &aIsAcceptedEch) ||
+ !ReadParam(aReader, &aIsDelegatedCredential) ||
+ !ReadParam(aReader, &aOverridableErrorCategory) ||
+ !ReadParam(aReader, &aMadeOCSPRequests) ||
+ !ReadParam(aReader, &aUsedPrivateDNS) || !ReadParam(aReader, &aIsEV) ||
+ !ReadParam(aReader, &aNPNCompleted) ||
+ !ReadParam(aReader, &aNegotiatedNPN) || !ReadParam(aReader, &aResumed) ||
+ !ReadParam(aReader, &aIsBuiltCertChainRootBuiltInRoot) ||
+ !ReadParam(aReader, &aPeerId)) {
+ return false;
+ }
+
+ RefPtr<nsITransportSecurityInfo> securityInfo(new TransportSecurityInfo(
+ aSecurityState, aErrorCode, std::move(aFailedCertChain), aServerCert,
+ std::move(aSucceededCertChain), aCipherSuite, aKeaGroupName,
+ aSignatureSchemeName, aProtocolVersion, aCertificateTransparencyStatus,
+ aIsAcceptedEch, aIsDelegatedCredential, aOverridableErrorCategory,
+ aMadeOCSPRequests, aUsedPrivateDNS, aIsEV, aNPNCompleted, aNegotiatedNPN,
+ aResumed, aIsBuiltCertChainRootBuiltInRoot, aPeerId));
+ *aResult = std::move(securityInfo);
+ return true;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetFailedCertChain(
+ nsTArray<RefPtr<nsIX509Cert>>& aFailedCertChain) {
+ MOZ_ASSERT(aFailedCertChain.IsEmpty());
+ if (!aFailedCertChain.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ aFailedCertChain.AppendElements(mFailedCertChain);
+ return NS_OK;
+}
+
+NS_IMETHODIMP TransportSecurityInfo::GetServerCert(nsIX509Cert** aServerCert) {
+ NS_ENSURE_ARG_POINTER(aServerCert);
+ nsCOMPtr<nsIX509Cert> cert = mServerCert;
+ cert.forget(aServerCert);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetSucceededCertChain(
+ nsTArray<RefPtr<nsIX509Cert>>& aSucceededCertChain) {
+ MOZ_ASSERT(aSucceededCertChain.IsEmpty());
+ if (!aSucceededCertChain.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ aSucceededCertChain.AppendElements(mSucceededCertChain);
+ return NS_OK;
+}
+
+NS_IMETHODIMP TransportSecurityInfo::GetIsBuiltCertChainRootBuiltInRoot(
+ bool* aIsBuiltInRoot) {
+ NS_ENSURE_ARG_POINTER(aIsBuiltInRoot);
+ *aIsBuiltInRoot = mIsBuiltCertChainRootBuiltInRoot;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetCipherName(nsACString& aCipherName) {
+ if (mCipherSuite.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ SSLCipherSuiteInfo cipherInfo;
+ if (SSL_GetCipherSuiteInfo(*mCipherSuite, &cipherInfo, sizeof(cipherInfo)) !=
+ SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ aCipherName.Assign(cipherInfo.cipherSuiteName);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetKeyLength(uint32_t* aKeyLength) {
+ NS_ENSURE_ARG_POINTER(aKeyLength);
+
+ if (mCipherSuite.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ SSLCipherSuiteInfo cipherInfo;
+ if (SSL_GetCipherSuiteInfo(*mCipherSuite, &cipherInfo, sizeof(cipherInfo)) !=
+ SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ *aKeyLength = cipherInfo.symKeyBits;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetSecretKeyLength(uint32_t* aSecretKeyLength) {
+ NS_ENSURE_ARG_POINTER(aSecretKeyLength);
+
+ if (mCipherSuite.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ SSLCipherSuiteInfo cipherInfo;
+ if (SSL_GetCipherSuiteInfo(*mCipherSuite, &cipherInfo, sizeof(cipherInfo)) !=
+ SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ *aSecretKeyLength = cipherInfo.effectiveKeyBits;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetKeaGroupName(nsACString& aKeaGroupName) {
+ if (mKeaGroupName.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ aKeaGroupName.Assign(*mKeaGroupName);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetSignatureSchemeName(nsACString& aSignatureScheme) {
+ if (mSignatureSchemeName.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ aSignatureScheme.Assign(*mSignatureSchemeName);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetProtocolVersion(uint16_t* aProtocolVersion) {
+ if (mProtocolVersion.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ *aProtocolVersion = *mProtocolVersion;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetCertificateTransparencyStatus(
+ uint16_t* aCertificateTransparencyStatus) {
+ NS_ENSURE_ARG_POINTER(aCertificateTransparencyStatus);
+
+ *aCertificateTransparencyStatus = mCertificateTransparencyStatus;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetMadeOCSPRequests(bool* aMadeOCSPRequests) {
+ *aMadeOCSPRequests = mMadeOCSPRequests;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetUsedPrivateDNS(bool* aUsedPrivateDNS) {
+ *aUsedPrivateDNS = mUsedPrivateDNS;
+ return NS_OK;
+}
+
+// static
+uint16_t TransportSecurityInfo::ConvertCertificateTransparencyInfoToStatus(
+ const mozilla::psm::CertificateTransparencyInfo& info) {
+ using mozilla::ct::CTPolicyCompliance;
+
+ if (!info.enabled) {
+ // CT disabled.
+ return nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE;
+ }
+
+ switch (info.policyCompliance) {
+ case CTPolicyCompliance::Compliant:
+ return nsITransportSecurityInfo::
+ CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT;
+ case CTPolicyCompliance::NotEnoughScts:
+ return nsITransportSecurityInfo ::
+ CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS;
+ case CTPolicyCompliance::NotDiverseScts:
+ return nsITransportSecurityInfo ::
+ CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS;
+ case CTPolicyCompliance::Unknown:
+ default:
+ MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type");
+ }
+
+ return nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetOverridableErrorCategory(
+ OverridableErrorCategory* aOverridableErrorCategory) {
+ NS_ENSURE_ARG_POINTER(aOverridableErrorCategory);
+
+ if (mOverridableErrorCategory.isSome()) {
+ *aOverridableErrorCategory = *mOverridableErrorCategory;
+ } else {
+ *aOverridableErrorCategory = OverridableErrorCategory::ERROR_UNSET;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetIsExtendedValidation(bool* aIsEV) {
+ NS_ENSURE_ARG_POINTER(aIsEV);
+
+ *aIsEV = false;
+ // Never allow bad certs for EV, regardless of overrides.
+ if (mOverridableErrorCategory.isSome()) {
+ return NS_OK;
+ }
+
+ if (!mIsEV.isSome()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ *aIsEV = *mIsEV;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetIsAcceptedEch(bool* aIsAcceptedEch) {
+ NS_ENSURE_ARG_POINTER(aIsAcceptedEch);
+
+ if (mIsAcceptedEch.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ *aIsAcceptedEch = *mIsAcceptedEch;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetIsDelegatedCredential(bool* aIsDelegatedCredential) {
+ NS_ENSURE_ARG_POINTER(aIsDelegatedCredential);
+
+ if (mIsDelegatedCredential.isNothing()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ *aIsDelegatedCredential = *mIsDelegatedCredential;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetNegotiatedNPN(nsACString& aNegotiatedNPN) {
+ if (!mNPNCompleted) {
+ return NS_ERROR_NOT_CONNECTED;
+ }
+
+ aNegotiatedNPN = mNegotiatedNPN;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetResumed(bool* aResumed) {
+ NS_ENSURE_ARG_POINTER(aResumed);
+ *aResumed = mResumed;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetPeerId(nsACString& aResult) {
+ aResult.Assign(mPeerId);
+ return NS_OK;
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/TransportSecurityInfo.h b/security/manager/ssl/TransportSecurityInfo.h
new file mode 100644
index 0000000000..648e80b7e2
--- /dev/null
+++ b/security/manager/ssl/TransportSecurityInfo.h
@@ -0,0 +1,107 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef TransportSecurityInfo_h
+#define TransportSecurityInfo_h
+
+#include "CertVerifier.h" // For CertificateTransparencyInfo, EVStatus
+#include "ScopedNSSTypes.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/Components.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/ipc/TransportSecurityInfoUtils.h"
+#include "mozpkix/pkixtypes.h"
+#include "nsIObjectInputStream.h"
+#include "nsITransportSecurityInfo.h"
+#include "nsIX509Cert.h"
+#include "nsString.h"
+
+namespace mozilla {
+namespace psm {
+
+// TransportSecurityInfo implements nsITransportSecurityInfo, which is a
+// collection of attributes describing the outcome of a TLS handshake. It is
+// constant - once created, it cannot be modified. It should probably not be
+// instantiated directly, but rather accessed via
+// nsITLSSocketControl.securityInfo.
+class TransportSecurityInfo : public nsITransportSecurityInfo {
+ public:
+ TransportSecurityInfo(
+ uint32_t aSecurityState, PRErrorCode aErrorCode,
+ nsTArray<RefPtr<nsIX509Cert>>&& aFailedCertChain,
+ nsCOMPtr<nsIX509Cert>& aServerCert,
+ nsTArray<RefPtr<nsIX509Cert>>&& aSucceededCertChain,
+ Maybe<uint16_t> aCipherSuite, Maybe<nsCString> aKeaGroupName,
+ Maybe<nsCString> aSignatureSchemeName, Maybe<uint16_t> aProtocolVersion,
+ uint16_t aCertificateTransparencyStatus, Maybe<bool> aIsAcceptedEch,
+ Maybe<bool> aIsDelegatedCredential,
+ Maybe<OverridableErrorCategory> aOverridableErrorCategory,
+ bool aMadeOCSPRequests, bool aUsedPrivateDNS, Maybe<bool> aIsEV,
+ bool aNPNCompleted, const nsCString& aNegotiatedNPN, bool aResumed,
+ bool aIsBuiltCertChainRootBuiltInRoot, const nsCString& aPeerId);
+
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSITRANSPORTSECURITYINFO
+
+ static bool DeserializeFromIPC(IPC::MessageReader* aReader,
+ RefPtr<nsITransportSecurityInfo>* aResult);
+ static nsresult Read(const nsCString& aSerializedSecurityInfo,
+ nsITransportSecurityInfo** aResult);
+ static uint16_t ConvertCertificateTransparencyInfoToStatus(
+ const mozilla::psm::CertificateTransparencyInfo& info);
+
+ private:
+ virtual ~TransportSecurityInfo() = default;
+
+ const uint32_t mSecurityState;
+ const PRErrorCode mErrorCode;
+ // Peer cert chain for failed connections.
+ const nsTArray<RefPtr<nsIX509Cert>> mFailedCertChain;
+ const nsCOMPtr<nsIX509Cert> mServerCert;
+ const nsTArray<RefPtr<nsIX509Cert>> mSucceededCertChain;
+ const mozilla::Maybe<uint16_t> mCipherSuite;
+ const mozilla::Maybe<nsCString> mKeaGroupName;
+ const mozilla::Maybe<nsCString> mSignatureSchemeName;
+ const mozilla::Maybe<uint16_t> mProtocolVersion;
+ const uint16_t mCertificateTransparencyStatus;
+ const mozilla::Maybe<bool> mIsAcceptedEch;
+ const mozilla::Maybe<bool> mIsDelegatedCredential;
+ const mozilla::Maybe<OverridableErrorCategory> mOverridableErrorCategory;
+ const bool mMadeOCSPRequests;
+ const bool mUsedPrivateDNS;
+ const mozilla::Maybe<bool> mIsEV;
+ const bool mNPNCompleted;
+ const nsCString mNegotiatedNPN;
+ const bool mResumed;
+ const bool mIsBuiltCertChainRootBuiltInRoot;
+ const nsCString mPeerId;
+
+ static nsresult ReadOldOverridableErrorBits(
+ nsIObjectInputStream* aStream,
+ OverridableErrorCategory& aOverridableErrorCategory);
+ static nsresult ReadSSLStatus(
+ nsIObjectInputStream* aStream, nsCOMPtr<nsIX509Cert>& aServerCert,
+ Maybe<uint16_t>& aCipherSuite, Maybe<uint16_t>& aProtocolVersion,
+ Maybe<OverridableErrorCategory>& aOverridableErrorCategory,
+ Maybe<bool>& aIsEV, uint16_t& aCertificateTransparencyStatus,
+ Maybe<nsCString>& aKeaGroupName, Maybe<nsCString>& aSignatureSchemeName,
+ nsTArray<RefPtr<nsIX509Cert>>& aSucceededCertChain);
+
+ // This function is used to read the binary that are serialized
+ // by using nsIX509CertList
+ static nsresult ReadCertList(nsIObjectInputStream* aStream,
+ nsTArray<RefPtr<nsIX509Cert>>& aCertList);
+ static nsresult ReadCertificatesFromStream(
+ nsIObjectInputStream* aStream, uint32_t aSize,
+ nsTArray<RefPtr<nsIX509Cert>>& aCertList);
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // TransportSecurityInfo_h
diff --git a/security/manager/ssl/VerifySSLServerCertChild.cpp b/security/manager/ssl/VerifySSLServerCertChild.cpp
new file mode 100644
index 0000000000..6c9795486e
--- /dev/null
+++ b/security/manager/ssl/VerifySSLServerCertChild.cpp
@@ -0,0 +1,143 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "VerifySSLServerCertChild.h"
+
+#include "CertVerifier.h"
+#include "mozilla/ipc/Endpoint.h"
+#include "mozilla/net/SocketProcessBackgroundChild.h"
+#include "mozilla/psm/PVerifySSLServerCertParent.h"
+#include "mozilla/psm/PVerifySSLServerCertChild.h"
+#include "nsNSSIOLayer.h"
+#include "nsSerializationHelper.h"
+
+#include "secerr.h"
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+namespace mozilla {
+namespace psm {
+
+VerifySSLServerCertChild::VerifySSLServerCertChild(
+ SSLServerCertVerificationResult* aResultTask,
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags)
+ : mResultTask(aResultTask),
+ mPeerCertChain(std::move(aPeerCertChain)),
+ mProviderFlags(aProviderFlags) {}
+
+ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess(
+ nsTArray<ByteArray>&& aBuiltCertChain,
+ const uint16_t& aCertTransparencyStatus, const uint8_t& aEVStatus,
+ const bool& aIsBuiltCertChainRootBuiltInRoot,
+ const bool& aMadeOCSPRequests) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess",
+ this));
+
+ nsTArray<nsTArray<uint8_t>> certBytesArray;
+ for (auto& cert : aBuiltCertChain) {
+ certBytesArray.AppendElement(std::move(cert.data()));
+ }
+
+ mResultTask->Dispatch(
+ std::move(certBytesArray), std::move(mPeerCertChain),
+ aCertTransparencyStatus, static_cast<EVStatus>(aEVStatus), true, 0,
+ nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET,
+ aIsBuiltCertChainRootBuiltInRoot, mProviderFlags, aMadeOCSPRequests);
+ return IPC_OK();
+}
+
+ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertFailure(
+ const int32_t& aFinalError, const uint32_t& aOverridableErrorCategory,
+ const bool& aMadeOCSPRequests) {
+ mResultTask->Dispatch(
+ nsTArray<nsTArray<uint8_t>>(), std::move(mPeerCertChain),
+ nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE,
+ EVStatus::NotEV, false, aFinalError,
+ static_cast<nsITransportSecurityInfo::OverridableErrorCategory>(
+ aOverridableErrorCategory),
+ false, mProviderFlags, aMadeOCSPRequests);
+ return IPC_OK();
+}
+
+SECStatus RemoteProcessCertVerification(
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName,
+ int32_t aPort, const OriginAttributes& aOriginAttributes,
+ Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse,
+ Maybe<nsTArray<uint8_t>>& aSctsFromTLSExtension,
+ Maybe<DelegatedCredentialInfo>& aDcInfo, uint32_t aProviderFlags,
+ uint32_t aCertVerifierFlags, SSLServerCertVerificationResult* aResultTask) {
+ if (!aResultTask) {
+ PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+ return SECFailure;
+ }
+
+ nsTArray<ByteArray> peerCertBytes;
+ for (auto& certBytes : aPeerCertChain) {
+ peerCertBytes.AppendElement(ByteArray(certBytes));
+ }
+
+ Maybe<ByteArray> stapledOCSPResponse;
+ if (aStapledOCSPResponse) {
+ stapledOCSPResponse.emplace();
+ stapledOCSPResponse->data().Assign(*aStapledOCSPResponse);
+ }
+
+ Maybe<ByteArray> sctsFromTLSExtension;
+ if (aSctsFromTLSExtension) {
+ sctsFromTLSExtension.emplace();
+ sctsFromTLSExtension->data().Assign(*aSctsFromTLSExtension);
+ }
+
+ Maybe<DelegatedCredentialInfoArg> dcInfo;
+ if (aDcInfo) {
+ dcInfo.emplace();
+ dcInfo.ref().scheme() = static_cast<uint32_t>(aDcInfo->scheme);
+ dcInfo.ref().authKeyBits() = static_cast<uint32_t>(aDcInfo->authKeyBits);
+ }
+
+ ipc::Endpoint<PVerifySSLServerCertParent> parentEndpoint;
+ ipc::Endpoint<PVerifySSLServerCertChild> childEndpoint;
+ PVerifySSLServerCert::CreateEndpoints(&parentEndpoint, &childEndpoint);
+
+ // Create a dedicated nsCString, so that our lambda below can take an
+ // ownership stake in the underlying string buffer:
+ nsCString hostName(aHostName);
+
+ if (NS_FAILED(net::SocketProcessBackgroundChild::WithActor(
+ "SendInitVerifySSLServerCert",
+ [endpoint = std::move(parentEndpoint),
+ peerCertBytes = std::move(peerCertBytes),
+ hostName = std::move(hostName), port(aPort),
+ originAttributes(aOriginAttributes),
+ stapledOCSPResponse = std::move(stapledOCSPResponse),
+ sctsFromTLSExtension = std::move(sctsFromTLSExtension),
+ dcInfo = std::move(dcInfo), providerFlags(aProviderFlags),
+ certVerifierFlags(aCertVerifierFlags)](
+ net::SocketProcessBackgroundChild* aActor) mutable {
+ Unused << aActor->SendInitVerifySSLServerCert(
+ std::move(endpoint), peerCertBytes, hostName, port,
+ originAttributes, stapledOCSPResponse, sctsFromTLSExtension,
+ dcInfo, providerFlags, certVerifierFlags);
+ }))) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+
+ RefPtr<VerifySSLServerCertChild> authCert = new VerifySSLServerCertChild(
+ aResultTask, std::move(aPeerCertChain), aProviderFlags);
+ if (!childEndpoint.Bind(authCert)) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return SECWouldBlock;
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/VerifySSLServerCertChild.h b/security/manager/ssl/VerifySSLServerCertChild.h
new file mode 100644
index 0000000000..94fd5d48d0
--- /dev/null
+++ b/security/manager/ssl/VerifySSLServerCertChild.h
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm_VerifySSLServerCertChild_h__
+#define mozilla_psm_VerifySSLServerCertChild_h__
+
+#include "mozilla/psm/PVerifySSLServerCertChild.h"
+
+#include "SSLServerCertVerification.h"
+#include "mozilla/RefPtr.h"
+#include "nsISupportsImpl.h"
+#include "nsString.h"
+#include "seccomon.h"
+
+namespace mozilla {
+namespace psm {
+
+class DelegatedCredentialInfo;
+
+// This class implements the socket process part of the server certificate
+// verification IPC protocol.
+class VerifySSLServerCertChild : public PVerifySSLServerCertChild {
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VerifySSLServerCertChild, override);
+
+ explicit VerifySSLServerCertChild(
+ SSLServerCertVerificationResult* aResultTask,
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags);
+
+ ipc::IPCResult RecvOnVerifiedSSLServerCertSuccess(
+ nsTArray<ByteArray>&& aBuiltCertChain,
+ const uint16_t& aCertTransparencyStatus, const uint8_t& aEVStatus,
+ const bool& aIsBuiltCertChainRootBuiltInRoot,
+ const bool& aMadeOCSPRequests);
+
+ ipc::IPCResult RecvOnVerifiedSSLServerCertFailure(
+ const int32_t& aFinalError, const uint32_t& aOverridableErrorCategory,
+ const bool& aMadeOCSPRequests);
+
+ private:
+ ~VerifySSLServerCertChild() = default;
+
+ RefPtr<SSLServerCertVerificationResult> mResultTask;
+ nsTArray<nsTArray<uint8_t>> mPeerCertChain;
+ uint32_t mProviderFlags;
+};
+
+SECStatus RemoteProcessCertVerification(
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName,
+ int32_t aPort, const OriginAttributes& aOriginAttributes,
+ Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse,
+ Maybe<nsTArray<uint8_t>>& aSctsFromTLSExtension,
+ Maybe<DelegatedCredentialInfo>& aDcInfo, uint32_t aProviderFlags,
+ uint32_t aCertVerifierFlags, SSLServerCertVerificationResult* aResultTask);
+
+} // namespace psm
+} // namespace mozilla
+
+#endif
diff --git a/security/manager/ssl/VerifySSLServerCertParent.cpp b/security/manager/ssl/VerifySSLServerCertParent.cpp
new file mode 100644
index 0000000000..5aaaba8197
--- /dev/null
+++ b/security/manager/ssl/VerifySSLServerCertParent.cpp
@@ -0,0 +1,179 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "VerifySSLServerCertParent.h"
+
+#include "cert.h"
+#include "nsNSSComponent.h"
+#include "secerr.h"
+#include "SharedCertVerifier.h"
+#include "NSSCertDBTrustDomain.h"
+#include "SSLServerCertVerification.h"
+#include "nsNSSIOLayer.h"
+#include "nsISocketProvider.h"
+#include "mozilla/Unused.h"
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+using namespace mozilla::pkix;
+
+namespace mozilla {
+namespace psm {
+
+VerifySSLServerCertParent::VerifySSLServerCertParent() {}
+
+void VerifySSLServerCertParent::OnVerifiedSSLServerCert(
+ const nsTArray<ByteArray>& aBuiltCertChain,
+ uint16_t aCertificateTransparencyStatus, uint8_t aEVStatus, bool aSucceeded,
+ PRErrorCode aFinalError, uint32_t aOverridableErrorCategory,
+ bool aIsBuiltCertChainRootBuiltInRoot, bool aMadeOCSPRequests) {
+ if (!CanSend()) {
+ return;
+ }
+
+ if (aSucceeded) {
+ Unused << SendOnVerifiedSSLServerCertSuccess(
+ aBuiltCertChain, aCertificateTransparencyStatus, aEVStatus,
+ aIsBuiltCertChainRootBuiltInRoot, aMadeOCSPRequests);
+ } else {
+ Unused << SendOnVerifiedSSLServerCertFailure(
+ aFinalError, aOverridableErrorCategory, aMadeOCSPRequests);
+ }
+
+ Close();
+}
+
+namespace {
+
+class IPCServerCertVerificationResult final
+ : public BaseSSLServerCertVerificationResult {
+ public:
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCServerCertVerificationResult,
+ override)
+
+ IPCServerCertVerificationResult(nsIEventTarget* aTarget,
+ VerifySSLServerCertParent* aParent)
+ : mTarget(aTarget), mParent(aParent) {}
+
+ void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
+ uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
+ bool aSucceeded, PRErrorCode aFinalError,
+ nsITransportSecurityInfo::OverridableErrorCategory
+ aOverridableErrorCategory,
+ bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
+ bool aMadeOCSPRequests) override;
+
+ private:
+ ~IPCServerCertVerificationResult() = default;
+
+ nsCOMPtr<nsIEventTarget> mTarget;
+ RefPtr<VerifySSLServerCertParent> mParent;
+};
+
+void IPCServerCertVerificationResult::Dispatch(
+ nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+ nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
+ uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
+ bool aSucceeded, PRErrorCode aFinalError,
+ nsITransportSecurityInfo::OverridableErrorCategory
+ aOverridableErrorCategory,
+ bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
+ bool aMadeOCSPRequests) {
+ nsTArray<ByteArray> builtCertChain;
+ if (aSucceeded) {
+ for (auto& cert : aBuiltChain) {
+ builtCertChain.AppendElement(ByteArray(cert));
+ }
+ }
+
+ nsresult nrv = mTarget->Dispatch(
+ NS_NewRunnableFunction(
+ "psm::VerifySSLServerCertParent::OnVerifiedSSLServerCert",
+ [parent(mParent), builtCertChain{std::move(builtCertChain)},
+ aCertificateTransparencyStatus, aEVStatus, aSucceeded, aFinalError,
+ aOverridableErrorCategory, aIsBuiltCertChainRootBuiltInRoot,
+ aMadeOCSPRequests, aProviderFlags]() {
+ if (aSucceeded &&
+ !(aProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE)) {
+ nsTArray<nsTArray<uint8_t>> certBytesArray;
+ for (const auto& cert : builtCertChain) {
+ certBytesArray.AppendElement(cert.data().Clone());
+ }
+ // This dispatches an event that will run when the socket thread
+ // is idle.
+ SaveIntermediateCerts(certBytesArray);
+ }
+ parent->OnVerifiedSSLServerCert(
+ builtCertChain, aCertificateTransparencyStatus,
+ static_cast<uint8_t>(aEVStatus), aSucceeded, aFinalError,
+ static_cast<uint32_t>(aOverridableErrorCategory),
+ aIsBuiltCertChainRootBuiltInRoot, aMadeOCSPRequests);
+ }),
+ NS_DISPATCH_NORMAL);
+ MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(nrv));
+ Unused << nrv;
+}
+
+} // anonymous namespace
+
+bool VerifySSLServerCertParent::Dispatch(
+ nsTArray<ByteArray>&& aPeerCertChain, const nsACString& aHostName,
+ const int32_t& aPort, const OriginAttributes& aOriginAttributes,
+ const Maybe<ByteArray>& aStapledOCSPResponse,
+ const Maybe<ByteArray>& aSctsFromTLSExtension,
+ const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
+ const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("VerifySSLServerCertParent::Dispatch"));
+
+ mBackgroundThread = GetCurrentSerialEventTarget();
+
+ nsTArray<nsTArray<uint8_t>> peerCertBytes;
+ for (auto& certBytes : aPeerCertChain) {
+ nsTArray<uint8_t> bytes;
+ peerCertBytes.AppendElement(std::move(certBytes.data()));
+ }
+
+ Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
+ if (aStapledOCSPResponse) {
+ stapledOCSPResponse.emplace(aStapledOCSPResponse->data().Clone());
+ }
+
+ Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
+ if (aSctsFromTLSExtension) {
+ sctsFromTLSExtension.emplace(aSctsFromTLSExtension->data().Clone());
+ }
+
+ Maybe<DelegatedCredentialInfo> dcInfo;
+ if (aDcInfo) {
+ dcInfo.emplace();
+ dcInfo->scheme = static_cast<SSLSignatureScheme>(aDcInfo->scheme());
+ dcInfo->authKeyBits = aDcInfo->authKeyBits();
+ }
+
+ RefPtr<IPCServerCertVerificationResult> resultTask =
+ new IPCServerCertVerificationResult(mBackgroundThread, this);
+ SECStatus status = SSLServerCertVerificationJob::Dispatch(
+ 0, nullptr, std::move(peerCertBytes), aHostName, aPort, aOriginAttributes,
+ stapledOCSPResponse, sctsFromTLSExtension, dcInfo, aProviderFlags, Now(),
+ aCertVerifierFlags, resultTask);
+
+ if (status != SECWouldBlock) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("VerifySSLServerCertParent::Dispatch - dispatch failed"));
+ return false;
+ }
+
+ return true;
+}
+
+void VerifySSLServerCertParent::ActorDestroy(ActorDestroyReason aWhy) {}
+
+VerifySSLServerCertParent::~VerifySSLServerCertParent() = default;
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/VerifySSLServerCertParent.h b/security/manager/ssl/VerifySSLServerCertParent.h
new file mode 100644
index 0000000000..de2c062935
--- /dev/null
+++ b/security/manager/ssl/VerifySSLServerCertParent.h
@@ -0,0 +1,60 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=8 et tw=80 : */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm_VerifySSLServerCertParent_h__
+#define mozilla_psm_VerifySSLServerCertParent_h__
+
+#include "mozilla/psm/PVerifySSLServerCertParent.h"
+#include "mozpkix/Time.h"
+#include "ScopedNSSTypes.h"
+#include "SharedCertVerifier.h"
+
+namespace mozilla {
+namespace psm {
+
+// This class implements the main process side of the server certificate
+// verification for socket process.
+// SSLServerCertVerificationJob::Dispatch is called in
+// VerifySSLServerCertParent::Dispatch with IPCServerCertVerificationResult and
+// the result of the certificate verification will be sent to the socket process
+// via IPC.
+class VerifySSLServerCertParent : public PVerifySSLServerCertParent {
+ public:
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VerifySSLServerCertParent, override)
+
+ VerifySSLServerCertParent();
+
+ bool Dispatch(nsTArray<ByteArray>&& aPeerCertChain,
+ const nsACString& aHostName, const int32_t& aPort,
+ const OriginAttributes& aOriginAttributes,
+ const Maybe<ByteArray>& aStapledOCSPResponse,
+ const Maybe<ByteArray>& aSctsFromTLSExtension,
+ const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
+ const uint32_t& aProviderFlags,
+ const uint32_t& aCertVerifierFlags);
+
+ void OnVerifiedSSLServerCert(const nsTArray<ByteArray>& aBuiltCertChain,
+ uint16_t aCertificateTransparencyStatus,
+ uint8_t aEVStatus, bool aSucceeded,
+ PRErrorCode aFinalError,
+ uint32_t aOverridableErrorCategory,
+ bool aIsBuiltCertChainRootBuiltInRoot,
+ bool aMadeOCSPRequests);
+
+ private:
+ virtual ~VerifySSLServerCertParent();
+
+ // PVerifySSLServerCertParent
+ void ActorDestroy(ActorDestroyReason aWhy) override;
+
+ nsCOMPtr<nsISerialEventTarget> mBackgroundThread;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // mozilla_psm_VerifySSLServerCertParent_h__
diff --git a/security/manager/ssl/X509.sys.mjs b/security/manager/ssl/X509.sys.mjs
new file mode 100644
index 0000000000..0d85ca5730
--- /dev/null
+++ b/security/manager/ssl/X509.sys.mjs
@@ -0,0 +1,641 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { DER } from "resource://gre/modules/psm/DER.sys.mjs";
+
+const ERROR_UNSUPPORTED_ASN1 = "unsupported asn.1";
+const ERROR_TIME_NOT_VALID = "Time not valid";
+const ERROR_LIBRARY_FAILURE = "library failure";
+
+const X509v3 = 2;
+
+/**
+ * Helper function to read a NULL tag from the given DER.
+ *
+ * @param {DER} der a DER object to read a NULL from
+ * @returns {null} an object representing an ASN.1 NULL
+ */
+function readNULL(der) {
+ return new NULL(der.readTagAndGetContents(DER.NULL));
+}
+
+/**
+ * Class representing an ASN.1 NULL. When encoded as DER, the only valid value
+ * is 05 00, and thus the contents should always be an empty array.
+ */
+class NULL {
+ /**
+ * @param {number[]} bytes the contents of the NULL tag (should be empty)
+ */
+ constructor(bytes) {
+ // Lint TODO: bytes should be an empty array
+ this._contents = bytes;
+ }
+}
+
+/**
+ * Helper function to read an OBJECT IDENTIFIER from the given DER.
+ *
+ * @param {DER} der the DER to read an OBJECT IDENTIFIER from
+ * @returns {OID} the value of the OBJECT IDENTIFIER
+ */
+function readOID(der) {
+ return new OID(der.readTagAndGetContents(DER.OBJECT_IDENTIFIER));
+}
+
+/** Class representing an ASN.1 OBJECT IDENTIFIER */
+class OID {
+ /**
+ * @param {number[]} bytes the encoded contents of the OBJECT IDENTIFIER
+ * (not including the ASN.1 tag or length bytes)
+ */
+ constructor(bytes) {
+ this._values = [];
+ // First octet has value 40 * value1 + value2
+ // Lint TODO: validate that value1 is one of {0, 1, 2}
+ // Lint TODO: validate that value2 is in [0, 39] if value1 is 0 or 1
+ let value1 = Math.floor(bytes[0] / 40);
+ let value2 = bytes[0] - 40 * value1;
+ this._values.push(value1);
+ this._values.push(value2);
+ bytes.shift();
+ let accumulator = 0;
+ // Lint TODO: prevent overflow here
+ while (bytes.length) {
+ let value = bytes.shift();
+ accumulator *= 128;
+ if (value > 128) {
+ accumulator += value - 128;
+ } else {
+ accumulator += value;
+ this._values.push(accumulator);
+ accumulator = 0;
+ }
+ }
+ }
+}
+
+/**
+ * Class that serves as an abstract base class for more specific classes that
+ * represent datatypes from RFC 5280 and others. Given an array of bytes
+ * representing the DER encoding of such types, this framework simplifies the
+ * process of making a new DER object, attempting to parse the given bytes, and
+ * catching and stashing thrown exceptions. Subclasses are to implement
+ * parseOverride, which should read from this._der to fill out the structure's
+ * values.
+ */
+class DecodedDER {
+ constructor() {
+ this._der = null;
+ this._error = null;
+ }
+
+ /**
+ * Returns the first exception encountered when decoding or null if none has
+ * been encountered.
+ *
+ * @returns {Error} the first exception encountered when decoding or null
+ */
+ get error() {
+ return this._error;
+ }
+
+ /**
+ * Does the actual work of parsing the data. To be overridden by subclasses.
+ * If an implementation of parseOverride throws an exception, parse will catch
+ * that exception and stash it in the error property. This enables parent
+ * levels in a nested decoding hierarchy to continue to decode as much as
+ * possible.
+ */
+ parseOverride() {
+ throw new Error(ERROR_LIBRARY_FAILURE);
+ }
+
+ /**
+ * Public interface to be called to parse all data. Calls parseOverride inside
+ * a try/catch block. If an exception is thrown, stashes the error, which can
+ * be obtained via the error getter (above).
+ *
+ * @param {number[]} bytes encoded DER to be decoded
+ */
+ parse(bytes) {
+ this._der = new DER.DERDecoder(bytes);
+ try {
+ this.parseOverride();
+ } catch (e) {
+ this._error = e;
+ }
+ }
+}
+
+/**
+ * Helper function for reading the next SEQUENCE out of a DER and creating a new
+ * DER out of the resulting bytes.
+ *
+ * @param {DER} der the underlying DER object
+ * @returns {DER} the contents of the SEQUENCE
+ */
+function readSEQUENCEAndMakeDER(der) {
+ return new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE));
+}
+
+/**
+ * Helper function for reading the next item identified by tag out of a DER and
+ * creating a new DER out of the resulting bytes.
+ *
+ * @param {DER} der the underlying DER object
+ * @param {number} tag the expected next tag in the DER
+ * @returns {DER} the contents of the tag
+ */
+function readTagAndMakeDER(der, tag) {
+ return new DER.DERDecoder(der.readTagAndGetContents(tag));
+}
+
+// Certificate ::= SEQUENCE {
+// tbsCertificate TBSCertificate,
+// signatureAlgorithm AlgorithmIdentifier,
+// signatureValue BIT STRING }
+class Certificate extends DecodedDER {
+ constructor() {
+ super();
+ this._tbsCertificate = new TBSCertificate();
+ this._signatureAlgorithm = new AlgorithmIdentifier();
+ this._signatureValue = [];
+ }
+
+ get tbsCertificate() {
+ return this._tbsCertificate;
+ }
+
+ get signatureAlgorithm() {
+ return this._signatureAlgorithm;
+ }
+
+ get signatureValue() {
+ return this._signatureValue;
+ }
+
+ parseOverride() {
+ let contents = readSEQUENCEAndMakeDER(this._der);
+ this._tbsCertificate.parse(contents.readTLV());
+ this._signatureAlgorithm.parse(contents.readTLV());
+
+ let signatureValue = contents.readBIT_STRING();
+ if (signatureValue.unusedBits != 0) {
+ throw new Error(ERROR_UNSUPPORTED_ASN1);
+ }
+ this._signatureValue = signatureValue.contents;
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+// TBSCertificate ::= SEQUENCE {
+// version [0] EXPLICIT Version DEFAULT v1,
+// serialNumber CertificateSerialNumber,
+// signature AlgorithmIdentifier,
+// issuer Name,
+// validity Validity,
+// subject Name,
+// subjectPublicKeyInfo SubjectPublicKeyInfo,
+// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// extensions [3] EXPLICIT Extensions OPTIONAL
+// -- If present, version MUST be v3
+// }
+class TBSCertificate extends DecodedDER {
+ constructor() {
+ super();
+ this._version = null;
+ this._serialNumber = [];
+ this._signature = new AlgorithmIdentifier();
+ this._issuer = new Name();
+ this._validity = new Validity();
+ this._subject = new Name();
+ this._subjectPublicKeyInfo = new SubjectPublicKeyInfo();
+ this._extensions = [];
+ }
+
+ get version() {
+ return this._version;
+ }
+
+ get serialNumber() {
+ return this._serialNumber;
+ }
+
+ get signature() {
+ return this._signature;
+ }
+
+ get issuer() {
+ return this._issuer;
+ }
+
+ get validity() {
+ return this._validity;
+ }
+
+ get subject() {
+ return this._subject;
+ }
+
+ get subjectPublicKeyInfo() {
+ return this._subjectPublicKeyInfo;
+ }
+
+ get extensions() {
+ return this._extensions;
+ }
+
+ parseOverride() {
+ let contents = readSEQUENCEAndMakeDER(this._der);
+
+ let versionTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 0;
+ if (!contents.peekTag(versionTag)) {
+ this._version = 1;
+ } else {
+ let versionContents = readTagAndMakeDER(contents, versionTag);
+ let versionBytes = versionContents.readTagAndGetContents(DER.INTEGER);
+ if (versionBytes.length == 1 && versionBytes[0] == X509v3) {
+ this._version = 3;
+ } else {
+ // Lint TODO: warn about non-v3 certificates (this INTEGER could take up
+ // multiple bytes, be negative, and so on).
+ this._version = versionBytes;
+ }
+ versionContents.assertAtEnd();
+ }
+
+ let serialNumberBytes = contents.readTagAndGetContents(DER.INTEGER);
+ this._serialNumber = serialNumberBytes;
+ this._signature.parse(contents.readTLV());
+ this._issuer.parse(contents.readTLV());
+ this._validity.parse(contents.readTLV());
+ this._subject.parse(contents.readTLV());
+ this._subjectPublicKeyInfo.parse(contents.readTLV());
+
+ // Lint TODO: warn about unsupported features
+ let issuerUniqueIDTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 1;
+ if (contents.peekTag(issuerUniqueIDTag)) {
+ contents.readTagAndGetContents(issuerUniqueIDTag);
+ }
+ let subjectUniqueIDTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 2;
+ if (contents.peekTag(subjectUniqueIDTag)) {
+ contents.readTagAndGetContents(subjectUniqueIDTag);
+ }
+
+ let extensionsTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 3;
+ if (contents.peekTag(extensionsTag)) {
+ let extensionsSequence = readTagAndMakeDER(contents, extensionsTag);
+ let extensionsContents = readSEQUENCEAndMakeDER(extensionsSequence);
+ while (!extensionsContents.atEnd()) {
+ // TODO: parse extensions
+ this._extensions.push(extensionsContents.readTLV());
+ }
+ extensionsContents.assertAtEnd();
+ extensionsSequence.assertAtEnd();
+ }
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+// AlgorithmIdentifier ::= SEQUENCE {
+// algorithm OBJECT IDENTIFIER,
+// parameters ANY DEFINED BY algorithm OPTIONAL }
+class AlgorithmIdentifier extends DecodedDER {
+ constructor() {
+ super();
+ this._algorithm = null;
+ this._parameters = null;
+ }
+
+ get algorithm() {
+ return this._algorithm;
+ }
+
+ get parameters() {
+ return this._parameters;
+ }
+
+ parseOverride() {
+ let contents = readSEQUENCEAndMakeDER(this._der);
+ this._algorithm = readOID(contents);
+ if (!contents.atEnd()) {
+ if (contents.peekTag(DER.NULL)) {
+ this._parameters = readNULL(contents);
+ } else if (contents.peekTag(DER.OBJECT_IDENTIFIER)) {
+ this._parameters = readOID(contents);
+ }
+ }
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+// Name ::= CHOICE { -- only one possibility for now --
+// rdnSequence RDNSequence }
+//
+// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+class Name extends DecodedDER {
+ constructor() {
+ super();
+ this._rdns = [];
+ }
+
+ get rdns() {
+ return this._rdns;
+ }
+
+ parseOverride() {
+ let contents = readSEQUENCEAndMakeDER(this._der);
+ while (!contents.atEnd()) {
+ let rdn = new RelativeDistinguishedName();
+ rdn.parse(contents.readTLV());
+ this._rdns.push(rdn);
+ }
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+// RelativeDistinguishedName ::=
+// SET SIZE (1..MAX) OF AttributeTypeAndValue
+class RelativeDistinguishedName extends DecodedDER {
+ constructor() {
+ super();
+ this._avas = [];
+ }
+
+ get avas() {
+ return this._avas;
+ }
+
+ parseOverride() {
+ let contents = readTagAndMakeDER(this._der, DER.SET);
+ // Lint TODO: enforce SET SIZE restrictions
+ while (!contents.atEnd()) {
+ let ava = new AttributeTypeAndValue();
+ ava.parse(contents.readTLV());
+ this._avas.push(ava);
+ }
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+// type AttributeType,
+// value AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+class AttributeTypeAndValue extends DecodedDER {
+ constructor() {
+ super();
+ this._type = null;
+ this._value = new DirectoryString();
+ }
+
+ get type() {
+ return this._type;
+ }
+
+ get value() {
+ return this._value;
+ }
+
+ parseOverride() {
+ let contents = readSEQUENCEAndMakeDER(this._der);
+ this._type = readOID(contents);
+ // We don't support universalString or bmpString.
+ // IA5String is supported because it is valid if `type == id-emailaddress`.
+ // Lint TODO: validate that the type of string is valid given `type`.
+ this._value.parse(
+ contents.readTLVChoice([
+ DER.UTF8String,
+ DER.PrintableString,
+ DER.TeletexString,
+ DER.IA5String,
+ ])
+ );
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+// DirectoryString ::= CHOICE {
+// teletexString TeletexString (SIZE (1..MAX)),
+// printableString PrintableString (SIZE (1..MAX)),
+// universalString UniversalString (SIZE (1..MAX)),
+// utf8String UTF8String (SIZE (1..MAX)),
+// bmpString BMPString (SIZE (1..MAX)) }
+class DirectoryString extends DecodedDER {
+ constructor() {
+ super();
+ this._type = null;
+ this._value = null;
+ }
+
+ get type() {
+ return this._type;
+ }
+
+ get value() {
+ return this._value;
+ }
+
+ parseOverride() {
+ if (this._der.peekTag(DER.UTF8String)) {
+ this._type = DER.UTF8String;
+ } else if (this._der.peekTag(DER.PrintableString)) {
+ this._type = DER.PrintableString;
+ } else if (this._der.peekTag(DER.TeletexString)) {
+ this._type = DER.TeletexString;
+ } else if (this._der.peekTag(DER.IA5String)) {
+ this._type = DER.IA5String;
+ }
+ // Lint TODO: validate that the contents are actually valid for the type
+ this._value = this._der.readTagAndGetContents(this._type);
+ this._der.assertAtEnd();
+ }
+}
+
+// Time ::= CHOICE {
+// utcTime UTCTime,
+// generalTime GeneralizedTime }
+class Time extends DecodedDER {
+ constructor() {
+ super();
+ this._type = null;
+ this._time = null;
+ }
+
+ get time() {
+ return this._time;
+ }
+
+ parseOverride() {
+ if (this._der.peekTag(DER.UTCTime)) {
+ this._type = DER.UTCTime;
+ } else if (this._der.peekTag(DER.GeneralizedTime)) {
+ this._type = DER.GeneralizedTime;
+ }
+ let contents = readTagAndMakeDER(this._der, this._type);
+ let year;
+ // Lint TODO: validate that the appropriate one of {UTCTime,GeneralizedTime}
+ // is used according to RFC 5280 and what the value of the date is.
+ // TODO TODO: explain this better (just quote the rfc).
+ if (this._type == DER.UTCTime) {
+ // UTCTime is YYMMDDHHMMSSZ in RFC 5280. If YY is greater than or equal
+ // to 50, the year is 19YY. Otherwise, it is 20YY.
+ let y1 = this._validateDigit(contents.readByte());
+ let y2 = this._validateDigit(contents.readByte());
+ let yy = y1 * 10 + y2;
+ if (yy >= 50) {
+ year = 1900 + yy;
+ } else {
+ year = 2000 + yy;
+ }
+ } else {
+ // GeneralizedTime is YYYYMMDDHHMMSSZ in RFC 5280.
+ year = 0;
+ for (let i = 0; i < 4; i++) {
+ let y = this._validateDigit(contents.readByte());
+ year = year * 10 + y;
+ }
+ }
+
+ let m1 = this._validateDigit(contents.readByte());
+ let m2 = this._validateDigit(contents.readByte());
+ let month = m1 * 10 + m2;
+ if (month == 0 || month > 12) {
+ throw new Error(ERROR_TIME_NOT_VALID);
+ }
+
+ let d1 = this._validateDigit(contents.readByte());
+ let d2 = this._validateDigit(contents.readByte());
+ let day = d1 * 10 + d2;
+ if (day == 0 || day > 31) {
+ throw new Error(ERROR_TIME_NOT_VALID);
+ }
+
+ let h1 = this._validateDigit(contents.readByte());
+ let h2 = this._validateDigit(contents.readByte());
+ let hour = h1 * 10 + h2;
+ if (hour > 23) {
+ throw new Error(ERROR_TIME_NOT_VALID);
+ }
+
+ let min1 = this._validateDigit(contents.readByte());
+ let min2 = this._validateDigit(contents.readByte());
+ let minute = min1 * 10 + min2;
+ if (minute > 59) {
+ throw new Error(ERROR_TIME_NOT_VALID);
+ }
+
+ let s1 = this._validateDigit(contents.readByte());
+ let s2 = this._validateDigit(contents.readByte());
+ let second = s1 * 10 + s2;
+ if (second > 60) {
+ // leap-seconds mean this can be as much as 60
+ throw new Error(ERROR_TIME_NOT_VALID);
+ }
+
+ let z = contents.readByte();
+ if (z != "Z".charCodeAt(0)) {
+ throw new Error(ERROR_TIME_NOT_VALID);
+ }
+ // Lint TODO: verify that the Time doesn't specify a nonsensical
+ // month/day/etc.
+ // months are zero-indexed in JS
+ this._time = new Date(Date.UTC(year, month - 1, day, hour, minute, second));
+
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+
+ /**
+ * Takes a byte that is supposed to be in the ASCII range for "0" to "9".
+ * Validates the range and then converts it to the range 0 to 9.
+ *
+ * @param {number} d the digit in question (as ASCII in the range ["0", "9"])
+ * @returns {number} the numerical value of the digit (in the range [0, 9])
+ */
+ _validateDigit(d) {
+ if (d < "0".charCodeAt(0) || d > "9".charCodeAt(0)) {
+ throw new Error(ERROR_TIME_NOT_VALID);
+ }
+ return d - "0".charCodeAt(0);
+ }
+}
+
+// Validity ::= SEQUENCE {
+// notBefore Time,
+// notAfter Time }
+class Validity extends DecodedDER {
+ constructor() {
+ super();
+ this._notBefore = new Time();
+ this._notAfter = new Time();
+ }
+
+ get notBefore() {
+ return this._notBefore;
+ }
+
+ get notAfter() {
+ return this._notAfter;
+ }
+
+ parseOverride() {
+ let contents = readSEQUENCEAndMakeDER(this._der);
+ this._notBefore.parse(
+ contents.readTLVChoice([DER.UTCTime, DER.GeneralizedTime])
+ );
+ this._notAfter.parse(
+ contents.readTLVChoice([DER.UTCTime, DER.GeneralizedTime])
+ );
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+// SubjectPublicKeyInfo ::= SEQUENCE {
+// algorithm AlgorithmIdentifier,
+// subjectPublicKey BIT STRING }
+class SubjectPublicKeyInfo extends DecodedDER {
+ constructor() {
+ super();
+ this._algorithm = new AlgorithmIdentifier();
+ this._subjectPublicKey = null;
+ }
+
+ get algorithm() {
+ return this._algorithm;
+ }
+
+ get subjectPublicKey() {
+ return this._subjectPublicKey;
+ }
+
+ parseOverride() {
+ let contents = readSEQUENCEAndMakeDER(this._der);
+ this._algorithm.parse(contents.readTLV());
+ let subjectPublicKeyBitString = contents.readBIT_STRING();
+ if (subjectPublicKeyBitString.unusedBits != 0) {
+ throw new Error(ERROR_UNSUPPORTED_ASN1);
+ }
+ this._subjectPublicKey = subjectPublicKeyBitString.contents;
+
+ contents.assertAtEnd();
+ this._der.assertAtEnd();
+ }
+}
+
+export var X509 = { Certificate };
diff --git a/security/manager/ssl/X509CertValidity.cpp b/security/manager/ssl/X509CertValidity.cpp
new file mode 100644
index 0000000000..1d5dc54aa6
--- /dev/null
+++ b/security/manager/ssl/X509CertValidity.cpp
@@ -0,0 +1,96 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "X509CertValidity.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+#include "nsComponentManagerUtils.h"
+#include "secder.h"
+
+NS_IMPL_ISUPPORTS(X509CertValidity, nsIX509CertValidity)
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+
+X509CertValidity::X509CertValidity(Input certDER)
+ : mNotBefore(0), mNotAfter(0), mTimesInitialized(false) {
+ using namespace mozilla::pkix::der;
+
+ // We're not building a verified certificate chain, so the EndEntityOrCA
+ // parameter doesn't matter.
+ BackCert cert(certDER, EndEntityOrCA::MustBeEndEntity, nullptr);
+ pkix::Result rv = cert.Init();
+ if (rv != Success) {
+ return;
+ }
+ // Validity ::= SEQUENCE {
+ // notBefore Time,
+ // notAfter Time }
+ //
+ // Time ::= CHOICE {
+ // utcTime UTCTime,
+ // generalTime GeneralizedTime }
+ //
+ // NB: BackCert::GetValidity returns the value of the Validity of the
+ // certificate (i.e. notBefore and notAfter, without the enclosing SEQUENCE
+ // and length)
+ Reader reader(cert.GetValidity());
+ uint8_t expectedTag = reader.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
+ Input notBefore;
+ pkix::Result result = ExpectTagAndGetValue(reader, expectedTag, notBefore);
+ if (result != Success) {
+ return;
+ }
+ SECItemType notBeforeType =
+ expectedTag == UTCTime ? siUTCTime : siGeneralizedTime;
+ SECItem notBeforeItem = {
+ notBeforeType, const_cast<unsigned char*>(notBefore.UnsafeGetData()),
+ notBefore.GetLength()};
+ SECStatus srv = DER_DecodeTimeChoice(&mNotBefore, &notBeforeItem);
+ if (srv != SECSuccess) {
+ return;
+ }
+ expectedTag = reader.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
+ Input notAfter;
+ result = ExpectTagAndGetValue(reader, expectedTag, notAfter);
+ if (result != Success) {
+ return;
+ }
+ SECItemType notAfterType =
+ expectedTag == UTCTime ? siUTCTime : siGeneralizedTime;
+ SECItem notAfterItem = {notAfterType,
+ const_cast<unsigned char*>(notAfter.UnsafeGetData()),
+ notAfter.GetLength()};
+ srv = DER_DecodeTimeChoice(&mNotAfter, &notAfterItem);
+ if (srv != SECSuccess) {
+ return;
+ }
+
+ mTimesInitialized = true;
+}
+
+NS_IMETHODIMP
+X509CertValidity::GetNotBefore(PRTime* aNotBefore) {
+ NS_ENSURE_ARG(aNotBefore);
+
+ if (!mTimesInitialized) {
+ return NS_ERROR_FAILURE;
+ }
+
+ *aNotBefore = mNotBefore;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+X509CertValidity::GetNotAfter(PRTime* aNotAfter) {
+ NS_ENSURE_ARG(aNotAfter);
+
+ if (!mTimesInitialized) {
+ return NS_ERROR_FAILURE;
+ }
+
+ *aNotAfter = mNotAfter;
+ return NS_OK;
+}
diff --git a/security/manager/ssl/X509CertValidity.h b/security/manager/ssl/X509CertValidity.h
new file mode 100644
index 0000000000..8201c52253
--- /dev/null
+++ b/security/manager/ssl/X509CertValidity.h
@@ -0,0 +1,31 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef X509CertValidity_h
+#define X509CertValidity_h
+
+#include "mozpkix/Input.h"
+#include "nsIX509CertValidity.h"
+#include "prtime.h"
+
+class X509CertValidity : public nsIX509CertValidity {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIX509CERTVALIDITY
+
+ explicit X509CertValidity(mozilla::pkix::Input certDER);
+
+ X509CertValidity(const X509CertValidity& x) = delete;
+ X509CertValidity& operator=(const X509CertValidity& x) = delete;
+
+ protected:
+ virtual ~X509CertValidity() = default;
+
+ private:
+ PRTime mNotBefore;
+ PRTime mNotAfter;
+ bool mTimesInitialized;
+};
+
+#endif // X509CertValidity_h
diff --git a/security/manager/ssl/addons-public-intermediate.crt b/security/manager/ssl/addons-public-intermediate.crt
new file mode 100644
index 0000000000..d37979bf38
--- /dev/null
+++ b/security/manager/ssl/addons-public-intermediate.crt
Binary files differ
diff --git a/security/manager/ssl/addons-public.crt b/security/manager/ssl/addons-public.crt
new file mode 100644
index 0000000000..6ab711b996
--- /dev/null
+++ b/security/manager/ssl/addons-public.crt
Binary files differ
diff --git a/security/manager/ssl/addons-stage.crt b/security/manager/ssl/addons-stage.crt
new file mode 100644
index 0000000000..73e48cadfe
--- /dev/null
+++ b/security/manager/ssl/addons-stage.crt
Binary files differ
diff --git a/security/manager/ssl/builtins/Cargo.toml b/security/manager/ssl/builtins/Cargo.toml
new file mode 100644
index 0000000000..b3f2e9c7b8
--- /dev/null
+++ b/security/manager/ssl/builtins/Cargo.toml
@@ -0,0 +1,18 @@
+[package]
+name = "builtins-static"
+version = "0.1.0"
+authors = ["John Schanck <jschanck@mozilla.com>"]
+edition = "2021"
+license = "MPL-2.0"
+
+[dependencies]
+pkcs11-bindings = "0.1.1"
+smallvec = { version = "1.9.0", features = ["const_new"] }
+mozilla-central-workspace-hack = { version = "0.1", features = ["builtins-static"], optional = true }
+
+[build-dependencies]
+bindgen = { default-features = false, features = ["runtime"], version = "0.69" }
+nom = "7.1.1"
+
+[lib]
+crate-type = ["staticlib"]
diff --git a/security/manager/ssl/builtins/build.rs b/security/manager/ssl/builtins/build.rs
new file mode 100644
index 0000000000..8375f3368d
--- /dev/null
+++ b/security/manager/ssl/builtins/build.rs
@@ -0,0 +1,568 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+extern crate bindgen;
+extern crate nom;
+
+use bindgen::callbacks::*;
+use bindgen::*;
+
+use nom::branch::alt;
+use nom::bytes::complete::{tag, take_until};
+use nom::character::complete::{
+ char, multispace0, newline, not_line_ending, one_of, space0, space1,
+};
+use nom::combinator::{fail, recognize};
+use nom::multi::{many1, separated_list0};
+use nom::sequence::{delimited, separated_pair, terminated, tuple};
+use nom::IResult;
+
+use std::collections::HashMap;
+use std::env;
+use std::fmt;
+use std::fs::File;
+use std::io::{BufWriter, Write};
+use std::path::PathBuf;
+
+fn octal_block_to_vec_u8(octal_block: &str) -> Vec<u8> {
+ octal_block
+ .lines()
+ .flat_map(|x| x.split('\\').skip(1))
+ .map(|x| u8::from_str_radix(x, 8).expect("octal value out of range."))
+ .collect()
+}
+
+fn octal_block_to_hex_string(octal: &str) -> String {
+ octal_block_to_vec_u8(octal)
+ .iter()
+ .map(|x| format!("0x{:02X}, ", x))
+ .collect()
+}
+
+// Wrapper around values parsed out of certdata.txt
+enum Ck<'a> {
+ Class(&'a str),
+ Comment(&'a str),
+ DistrustAfter(Option<&'a str>),
+ Empty,
+ MultilineOctal(&'a str),
+ OptionBool(&'a str),
+ Trust(&'a str),
+ Utf8(&'a str),
+}
+
+// Translation of parsed values into the output rust code
+impl fmt::Display for Ck<'_> {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Ck::Class(s) => write!(f, "{s}_BYTES"),
+ Ck::Comment(s) => write!(f, "{}", s.replace('#', "//")),
+ Ck::DistrustAfter(None) => write!(f, "Some(CK_FALSE_BYTES)"),
+ Ck::DistrustAfter(Some(s)) => write!(f, "Some(&[{}])", octal_block_to_hex_string(s)),
+ Ck::Empty => write!(f, "None"),
+ Ck::MultilineOctal(s) => write!(f, "&[{}]", octal_block_to_hex_string(s)),
+ Ck::OptionBool(s) => write!(f, "Some({s}_BYTES)"),
+ Ck::Trust(s) => write!(f, "{s}_BYTES"),
+ Ck::Utf8(s) => write!(f, "\"{s}\\0\""),
+ }
+ }
+}
+
+impl PartialEq for Ck<'_> {
+ fn eq(&self, other: &Self) -> bool {
+ match (self, other) {
+ (Ck::Class(s), Ck::Class(t)) => s.eq(t),
+ (Ck::Comment(s), Ck::Comment(t)) => s.eq(t),
+ (Ck::DistrustAfter(None), Ck::DistrustAfter(None)) => true,
+ (Ck::DistrustAfter(Some(s)), Ck::DistrustAfter(Some(t))) => {
+ // compare the data rather than the presentation
+ let vec_s = octal_block_to_vec_u8(s);
+ let vec_t = octal_block_to_vec_u8(t);
+ vec_s.eq(&vec_t)
+ }
+ (Ck::Empty, Ck::Empty) => true,
+ (Ck::MultilineOctal(s), Ck::MultilineOctal(t)) => {
+ // compare the data rather than the presentation
+ let vec_s = octal_block_to_vec_u8(s);
+ let vec_t = octal_block_to_vec_u8(t);
+ vec_s.eq(&vec_t)
+ }
+ (Ck::Trust(s), Ck::Trust(t)) => s.eq(t),
+ (Ck::Utf8(s), Ck::Utf8(t)) => s.eq(t),
+ _ => false,
+ }
+ }
+}
+
+fn class(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("CK_OBJECT_CLASS")(i)?;
+ let (i, _) = space1(i)?;
+ let (i, class) = alt((
+ tag("CKO_NSS_BUILTIN_ROOT_LIST"),
+ tag("CKO_CERTIFICATE"),
+ tag("CKO_NSS_TRUST"),
+ ))(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ Ok((i, Ck::Class(class)))
+}
+
+fn trust(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("CK_TRUST")(i)?;
+ let (i, _) = space1(i)?;
+ let (i, trust) = alt((
+ tag("CKT_NSS_TRUSTED_DELEGATOR"),
+ tag("CKT_NSS_MUST_VERIFY_TRUST"),
+ tag("CKT_NSS_NOT_TRUSTED"),
+ ))(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ Ok((i, Ck::Trust(trust)))
+}
+
+// Parses a CK_BBOOL and wraps it with Ck::OptionBool so that it gets printed as
+// "Some(CK_TRUE_BYTES)" instead of "CK_TRUE_BYTES".
+fn option_bbool(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("CK_BBOOL")(i)?;
+ let (i, _) = space1(i)?;
+ let (i, b) = alt((tag("CK_TRUE"), tag("CK_FALSE")))(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ Ok((i, Ck::OptionBool(b)))
+}
+
+fn bbool_true(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("CK_BBOOL")(i)?;
+ let (i, _) = space1(i)?;
+ let (i, _) = tag("CK_TRUE")(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ Ok((i, Ck::Empty))
+}
+
+fn bbool_false(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("CK_BBOOL")(i)?;
+ let (i, _) = space1(i)?;
+ let (i, _) = tag("CK_FALSE")(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ Ok((i, Ck::Empty))
+}
+
+fn utf8(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("UTF8")(i)?;
+ let (i, _) = space1(i)?;
+ let (i, _) = char('"')(i)?;
+ let (i, utf8) = take_until("\"")(i)?;
+ let (i, _) = char('"')(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ Ok((i, Ck::Utf8(utf8)))
+}
+
+fn certificate_type(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("CK_CERTIFICATE_TYPE")(i)?;
+ let (i, _) = space1(i)?;
+ let (i, _) = tag("CKC_X_509")(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ Ok((i, Ck::Empty))
+}
+
+// A CKA_NSS_{EMAIL,SERVER}_DISTRUST_AFTER line in certdata.txt is encoded either as a CK_BBOOL
+// with value CK_FALSE (when there is no distrust after date) or as a MULTILINE_OCTAL block.
+fn distrust_after(i: &str) -> IResult<&str, Ck> {
+ let (i, value) = alt((multiline_octal, bbool_false))(i)?;
+ match value {
+ Ck::Empty => Ok((i, Ck::DistrustAfter(None))),
+ Ck::MultilineOctal(data) => Ok((i, Ck::DistrustAfter(Some(data)))),
+ _ => unreachable!(),
+ }
+}
+
+fn octal_octet(i: &str) -> IResult<&str, &str> {
+ recognize(tuple((
+ tag("\\"),
+ one_of("0123"), // 255 = \377
+ one_of("01234567"),
+ one_of("01234567"),
+ )))(i)
+}
+
+fn multiline_octal(i: &str) -> IResult<&str, Ck> {
+ let (i, _) = tag("MULTILINE_OCTAL")(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ let (i, lines) = recognize(many1(terminated(many1(octal_octet), newline)))(i)?;
+ let (i, _) = tag("END")(i)?;
+ let (i, _) = space0(i)?;
+ let (i, _) = newline(i)?;
+ return Ok((i, Ck::MultilineOctal(lines)));
+}
+
+fn distrust_comment(i: &str) -> IResult<&str, (&str, Ck)> {
+ let (i, comment) = recognize(delimited(
+ alt((
+ tag("# For Email Distrust After: "),
+ tag("# For Server Distrust After: "),
+ )),
+ not_line_ending,
+ newline,
+ ))(i)?;
+ Ok((i, ("DISTRUST_COMMENT", Ck::Comment(comment))))
+}
+
+fn comment(i: &str) -> IResult<&str, (&str, Ck)> {
+ let (i, comment) = recognize(many1(delimited(char('#'), not_line_ending, newline)))(i)?;
+ Ok((i, ("COMMENT", Ck::Comment(comment))))
+}
+
+fn certdata_line(i: &str) -> IResult<&str, (&str, Ck)> {
+ let (i, (attr, value)) = alt((
+ distrust_comment, // must be listed before `comment`
+ comment,
+ separated_pair(tag("CKA_CLASS"), space1, class),
+ separated_pair(tag("CKA_CERTIFICATE_TYPE"), space1, certificate_type),
+ separated_pair(alt((tag("CKA_ID"), tag("CKA_LABEL"))), space1, utf8),
+ separated_pair(
+ alt((
+ tag("CKA_ISSUER"),
+ tag("CKA_CERT_SHA1_HASH"),
+ tag("CKA_CERT_MD5_HASH"),
+ tag("CKA_SERIAL_NUMBER"),
+ tag("CKA_SUBJECT"),
+ tag("CKA_VALUE"),
+ )),
+ space1,
+ multiline_octal,
+ ),
+ separated_pair(
+ alt((
+ tag("CKA_NSS_SERVER_DISTRUST_AFTER"),
+ tag("CKA_NSS_EMAIL_DISTRUST_AFTER"),
+ )),
+ space1,
+ distrust_after,
+ ),
+ separated_pair(
+ alt((
+ tag("CKA_TRUST_EMAIL_PROTECTION"),
+ tag("CKA_TRUST_CODE_SIGNING"),
+ tag("CKA_TRUST_SERVER_AUTH"),
+ )),
+ space1,
+ trust,
+ ),
+ separated_pair(tag("CKA_NSS_MOZILLA_CA_POLICY"), space1, option_bbool),
+ separated_pair(tag("CKA_TOKEN"), space1, bbool_true),
+ separated_pair(
+ alt((
+ tag("CKA_TRUST_STEP_UP_APPROVED"),
+ tag("CKA_PRIVATE"),
+ tag("CKA_MODIFIABLE"),
+ )),
+ space1,
+ bbool_false,
+ ),
+ ))(i)?;
+ Ok((i, (attr, value)))
+}
+
+type Block<'a> = HashMap<&'a str, Ck<'a>>;
+
+fn attr<'a>(block: &'a Block, attr: &str) -> &'a Ck<'a> {
+ block.get(attr).unwrap_or(&Ck::Empty)
+}
+
+fn parse(i: &str) -> IResult<&str, Vec<Block>> {
+ let mut out: Vec<Block> = vec![];
+ let (i, _) = take_until("BEGINDATA\n")(i)?;
+ let (i, _) = tag("BEGINDATA\n")(i)?;
+ let (i, mut raw_blocks) = separated_list0(many1(char('\n')), many1(certdata_line))(i)?;
+ let (i, _) = multispace0(i)?; // allow trailing whitespace
+ if !i.is_empty() {
+ // The first line of i contains an error.
+ let (line, _) = i.split_once('\n').unwrap_or((i, ""));
+ fail::<_, &str, _>(line)?;
+ }
+ for raw_block in raw_blocks.drain(..) {
+ out.push(raw_block.into_iter().collect())
+ }
+ Ok((i, out))
+}
+
+#[derive(Debug)]
+struct PKCS11TypesParseCallbacks;
+
+impl ParseCallbacks for PKCS11TypesParseCallbacks {
+ fn int_macro(&self, _name: &str, _value: i64) -> Option<IntKind> {
+ Some(IntKind::U8)
+ }
+}
+
+// If we encounter a problem parsing certdata.txt we'll try to turn it into a compile time
+// error in builtins.rs. We need to output definitions for ROOT_LIST_LABEL and BUILTINS to
+// cut down on the number of errors the compiler produces.
+macro_rules! emit_build_error {
+ ($out:ident, $err:expr) => {
+ writeln!($out, "std::compile_error!(\"{}\");", $err)?;
+ writeln!($out, "pub static ROOT_LIST_LABEL: [u8; 0] = [];")?;
+ writeln!($out, "pub static BUILTINS: [Root; 0] = [];")?;
+ };
+}
+
+fn main() -> std::io::Result<()> {
+ println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/certdata.txt");
+ println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/nssckbi.h");
+
+ let bindings = Builder::default()
+ .header("../../../nss/lib/ckfw/builtins/nssckbi.h")
+ .allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR")
+ .allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MINOR")
+ .allowlist_var("NSS_BUILTINS_LIBRARY_VERSION_MAJOR")
+ .allowlist_var("NSS_BUILTINS_LIBRARY_VERSION_MINOR")
+ .allowlist_var("NSS_BUILTINS_HARDWARE_VERSION_MAJOR")
+ .allowlist_var("NSS_BUILTINS_HARDWARE_VERSION_MINOR")
+ .allowlist_var("NSS_BUILTINS_FIRMWARE_VERSION_MAJOR")
+ .allowlist_var("NSS_BUILTINS_FIRMWARE_VERSION_MINOR")
+ .parse_callbacks(Box::new(PKCS11TypesParseCallbacks))
+ .generate()
+ .expect("Unable to generate bindings.");
+
+ let out_path = PathBuf::from(env::var("OUT_DIR").expect("OUT_DIR should be set in env."));
+ bindings
+ .write_to_file(out_path.join("version.rs"))
+ .expect("Could not write version.rs.");
+
+ let mut out = BufWriter::new(
+ File::create(out_path.join("builtins.rs")).expect("Could not write builtins.rs."),
+ );
+
+ let input: &str = &std::fs::read_to_string("../../../nss/lib/ckfw/builtins/certdata.txt")
+ .expect("Unable to read certdata.txt.");
+
+ let blocks = match parse(input) {
+ Ok((_, blocks)) => blocks,
+ Err(e) => {
+ let input = match e {
+ nom::Err::Error(nom::error::Error { input, .. }) => input,
+ _ => "Unknown",
+ };
+ emit_build_error!(
+ out,
+ &format!(
+ "Could not parse certdata.txt. Failed at: \'{}\'\");",
+ input.escape_debug().to_string().escape_debug()
+ )
+ );
+ return Ok(());
+ }
+ };
+
+ let root_lists: Vec<&Block> = blocks
+ .iter()
+ .filter(|x| attr(x, "CKA_CLASS") == &Ck::Class("CKO_NSS_BUILTIN_ROOT_LIST"))
+ .collect();
+
+ if root_lists.len() != 1 {
+ emit_build_error!(
+ out,
+ "certdata.txt does not define a CKO_NSS_BUILTIN_ROOT_LIST object."
+ );
+ return Ok(());
+ }
+
+ let mut certs: Vec<&Block> = blocks
+ .iter()
+ .filter(|x| attr(x, "CKA_CLASS") == &Ck::Class("CKO_CERTIFICATE"))
+ .collect();
+
+ let trusts: Vec<&Block> = blocks
+ .iter()
+ .filter(|x| attr(x, "CKA_CLASS") == &Ck::Class("CKO_NSS_TRUST"))
+ .collect();
+
+ if certs.len() != trusts.len() {
+ emit_build_error!(
+ out,
+ "certdata.txt has a mismatched number of certificate and trust objects"
+ );
+ return Ok(());
+ }
+
+ // Ensure that every certificate has a CKA_SUBJECT attribute for the sort
+ for (i, cert) in certs.iter().enumerate() {
+ match cert.get("CKA_SUBJECT") {
+ Some(Ck::MultilineOctal(_)) => (),
+ _ => {
+ emit_build_error!(
+ out,
+ format!("Certificate {i} in certdata.txt has no CKA_SUBJECT attribute.")
+ );
+ return Ok(());
+ }
+ }
+ }
+
+ certs.sort_by_cached_key(|x| match x.get("CKA_SUBJECT") {
+ Some(Ck::MultilineOctal(data)) => octal_block_to_vec_u8(data),
+ _ => unreachable!(),
+ });
+
+ // Write out arrays for the DER encoded certificate, serial number, and subject of each root.
+ // Since the serial number and the subject are in the DER cert, we don't need to store
+ // additional data for them.
+ for (i, cert) in certs.iter().enumerate() {
+ // Preserve the comment from certdata.txt
+ match attr(cert, "COMMENT") {
+ Ck::Empty => (),
+ comment => write!(out, "{comment}")?,
+ };
+
+ let der = attr(cert, "CKA_VALUE");
+ writeln!(out, "static ROOT_{i}: &[u8] = {der};")?;
+
+ // Search for the serial number and subject in the DER cert. We want to search on the raw
+ // bytes, not the octal presentation, so we have to unpack the enums.
+ let der_data = match der {
+ Ck::MultilineOctal(x) => octal_block_to_vec_u8(x),
+ _ => unreachable!(),
+ };
+ let serial_data = match attr(cert, "CKA_SERIAL_NUMBER") {
+ Ck::MultilineOctal(x) => octal_block_to_vec_u8(x),
+ _ => unreachable!(),
+ };
+ let subject_data = match attr(cert, "CKA_SUBJECT") {
+ Ck::MultilineOctal(x) => octal_block_to_vec_u8(x),
+ _ => unreachable!(),
+ };
+
+ fn need_u16(out: &mut impl Write, attr: &str, what: &str, i: usize) -> std::io::Result<()> {
+ emit_build_error!(
+ out,
+ format!("Certificate {i} in certdata.txt has a {attr} whose {what} doesn't fit in a u8. Time to upgrade to u16 at the expense of size?")
+ );
+ Ok(())
+ }
+
+ let serial_len = serial_data.len();
+ if let Some(serial_offset) = &der_data.windows(serial_len).position(|s| s == serial_data) {
+ if *serial_offset > u8::MAX.into() {
+ return need_u16(&mut out, "CKA_SERIAL_NUMBER", "offset", i);
+ }
+ if serial_len > u8::MAX.into() {
+ return need_u16(&mut out, "CKA_SERIAL_NUMBER", "length", i);
+ }
+ writeln!(
+ out,
+ "const SERIAL_{i}: (u8, u8) = ({serial_offset}, {serial_len});"
+ )?;
+ } else {
+ emit_build_error!(
+ out,
+ format!("Certificate {i} in certdata.txt has a CKA_SERIAL_NUMBER that does not match its CKA_VALUE.")
+ );
+ return Ok(());
+ }
+
+ let subject_len = subject_data.len();
+ if let Some(subject_offset) = &der_data
+ .windows(subject_len)
+ .position(|s| s == subject_data)
+ {
+ if *subject_offset > u8::MAX.into() {
+ return need_u16(&mut out, "CKA_SUBJECT", "offset", i);
+ }
+ if subject_len > u8::MAX.into() {
+ return need_u16(&mut out, "CKA_SUBJECT", "length", i);
+ }
+ writeln!(
+ out,
+ "const SUBJECT_{i}: (u8, u8) = ({subject_offset}, {subject_len});"
+ )?;
+ } else {
+ emit_build_error!(
+ out,
+ format!("Certificate {i} in certdata.txt has a CKA_SUBJECT that does not match its CKA_VALUE.")
+ );
+ return Ok(());
+ }
+ }
+
+ let root_list_label = attr(root_lists[0], "CKA_LABEL");
+ let root_list_label_len = match root_list_label {
+ Ck::Utf8(x) => x.len() + 1,
+ _ => unreachable!(),
+ };
+ writeln!(
+ out,
+ "pub const ROOT_LIST_LABEL: [u8; {root_list_label_len}] = *b{root_list_label};"
+ )?;
+
+ writeln!(out, "pub static BUILTINS: [Root; {}] = [", certs.len())?;
+ for (i, cert) in certs.iter().enumerate() {
+ let subject = attr(cert, "CKA_SUBJECT");
+ let issuer = attr(cert, "CKA_ISSUER");
+ let label = attr(cert, "CKA_LABEL");
+ if !subject.eq(issuer) {
+ writeln!(out, "];")?; // end the definition of BUILTINS
+ let label = format!("{}", label);
+ writeln!(
+ out,
+ "std::compile_error!(\"Certificate with label {} is not self-signed\");",
+ label.escape_debug()
+ )?;
+ return Ok(());
+ }
+ let mozpol = attr(cert, "CKA_NSS_MOZILLA_CA_POLICY");
+ let server_distrust = attr(cert, "CKA_NSS_SERVER_DISTRUST_AFTER");
+ let email_distrust = attr(cert, "CKA_NSS_EMAIL_DISTRUST_AFTER");
+ let matching_trusts: Vec<&&Block> = trusts
+ .iter()
+ .filter(|trust| {
+ (attr(cert, "CKA_ISSUER") == attr(trust, "CKA_ISSUER"))
+ && (attr(cert, "CKA_SERIAL_NUMBER") == attr(trust, "CKA_SERIAL_NUMBER"))
+ })
+ .collect();
+ if matching_trusts.len() != 1 {
+ writeln!(out, "];")?; // end the definition of BUILTINS
+ let label = format!("{}", label);
+ writeln!(out, "std::compile_error!(\"Could not find unique trust object for {} in certdata.txt\");", label.escape_debug())?;
+ return Ok(());
+ }
+ let trust = *matching_trusts[0];
+ let sha1 = match attr(trust, "CKA_CERT_SHA1_HASH") {
+ Ck::MultilineOctal(x) => octal_block_to_hex_string(x),
+ _ => unreachable!(),
+ };
+ let md5 = match attr(trust, "CKA_CERT_MD5_HASH") {
+ Ck::MultilineOctal(x) => octal_block_to_hex_string(x),
+ _ => unreachable!(),
+ };
+ let server = attr(trust, "CKA_TRUST_SERVER_AUTH");
+ let email = attr(trust, "CKA_TRUST_EMAIL_PROTECTION");
+
+ writeln!(
+ out,
+ " Root {{
+ label: {label},
+ der_name: SUBJECT_{i},
+ der_serial: SERIAL_{i},
+ der_cert: ROOT_{i},
+ mozilla_ca_policy: {mozpol},
+ server_distrust_after: {server_distrust},
+ email_distrust_after: {email_distrust},
+ sha1: [{sha1}],
+ md5: [{md5}],
+ trust_server: {server},
+ trust_email: {email},
+ }},"
+ )?;
+ }
+ writeln!(out, "];")?;
+
+ let _ = out.flush();
+ Ok(())
+}
diff --git a/security/manager/ssl/builtins/dynamic-library/builtins.symbols b/security/manager/ssl/builtins/dynamic-library/builtins.symbols
new file mode 100644
index 0000000000..562ecea21d
--- /dev/null
+++ b/security/manager/ssl/builtins/dynamic-library/builtins.symbols
@@ -0,0 +1 @@
+C_GetFunctionList
diff --git a/security/manager/ssl/builtins/dynamic-library/moz.build b/security/manager/ssl/builtins/dynamic-library/moz.build
new file mode 100644
index 0000000000..2413a4c441
--- /dev/null
+++ b/security/manager/ssl/builtins/dynamic-library/moz.build
@@ -0,0 +1,38 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+USE_LIBS += ["builtins-static"]
+
+# see notes in ipcclientcerts/dynamic-library/moz.build
+
+if CONFIG["OS_ARCH"] == "Linux" and CONFIG["OS_TARGET"] != "Android":
+ SOURCES += [
+ "stub.cpp",
+ ]
+else:
+ SOURCES += [
+ "stub.c",
+ ]
+
+if CONFIG["OS_TARGET"] == "Android":
+ OS_LIBS += ["m"]
+
+if CONFIG["OS_ARCH"] == "WINNT":
+ OS_LIBS += [
+ "advapi32",
+ "userenv",
+ "ws2_32",
+ ]
+ OS_LIBS += [
+ "bcrypt",
+ "ntdll",
+ ]
+
+
+SharedLibrary("nssckbi")
+
+NoVisibilityFlags()
+SYMBOLS_FILE = "builtins.symbols"
diff --git a/security/manager/ssl/builtins/dynamic-library/stub.c b/security/manager/ssl/builtins/dynamic-library/stub.c
new file mode 100644
index 0000000000..75139c48bf
--- /dev/null
+++ b/security/manager/ssl/builtins/dynamic-library/stub.c
@@ -0,0 +1,27 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pkcs11.h"
+
+// see notes in ipcclientcerts/dynamic-library/stub.c
+
+CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
+ return BUILTINSC_GetFunctionList(ppFunctionList);
+}
+
+#ifdef __MINGW32__
+# include "mozilla/Assertions.h"
+void _Unwind_Resume() { MOZ_CRASH("Unexpected call to _Unwind_*"); }
+void _Unwind_GetDataRelBase() { _Unwind_Resume(); }
+void _Unwind_GetTextRelBase() { _Unwind_Resume(); }
+void _Unwind_GetLanguageSpecificData() { _Unwind_Resume(); }
+void _Unwind_GetIPInfo() { _Unwind_Resume(); }
+void _Unwind_GetRegionStart() { _Unwind_Resume(); }
+void _Unwind_SetGR() { _Unwind_Resume(); }
+void _Unwind_SetIP() { _Unwind_Resume(); }
+void _GCC_specific_handler() { _Unwind_Resume(); }
+#endif
diff --git a/security/manager/ssl/builtins/dynamic-library/stub.cpp b/security/manager/ssl/builtins/dynamic-library/stub.cpp
new file mode 100644
index 0000000000..414f5a68c1
--- /dev/null
+++ b/security/manager/ssl/builtins/dynamic-library/stub.cpp
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pkcs11.h"
+
+// see notes in ipcclientcerts/dynamic-library/stub.cpp
+
+extern "C" {
+
+CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
+ return BUILTINSC_GetFunctionList(ppFunctionList);
+}
+}
diff --git a/security/manager/ssl/builtins/moz.build b/security/manager/ssl/builtins/moz.build
new file mode 100644
index 0000000000..f612798d79
--- /dev/null
+++ b/security/manager/ssl/builtins/moz.build
@@ -0,0 +1,9 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["dynamic-library"]
+
+RustLibrary("builtins-static")
diff --git a/security/manager/ssl/builtins/src/certdata.rs b/security/manager/ssl/builtins/src/certdata.rs
new file mode 100644
index 0000000000..211abce475
--- /dev/null
+++ b/security/manager/ssl/builtins/src/certdata.rs
@@ -0,0 +1,52 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use pkcs11_bindings::nss::*;
+use pkcs11_bindings::*;
+
+// We need to expand some PKCS#11 / NSS constants as byte arrays for pattern matching and
+// C_GetAttributeValue queries. We use native endianness, because PKCS#11 sits between an
+// application and a device driver that are running on the same machine.
+pub const CKC_X_509_BYTES: &[u8] = &CKC_X_509.to_ne_bytes();
+pub const CKO_CERTIFICATE_BYTES: &[u8] = &CKO_CERTIFICATE.to_ne_bytes();
+pub const CKO_NSS_BUILTIN_ROOT_LIST_BYTES: &[u8] = &CKO_NSS_BUILTIN_ROOT_LIST.to_ne_bytes();
+pub const CKO_NSS_TRUST_BYTES: &[u8] = &CKO_NSS_TRUST.to_ne_bytes();
+pub const CKT_NSS_MUST_VERIFY_TRUST_BYTES: &[u8] = &CKT_NSS_MUST_VERIFY_TRUST.to_ne_bytes();
+pub const CKT_NSS_NOT_TRUSTED_BYTES: &[u8] = &CKT_NSS_NOT_TRUSTED.to_ne_bytes();
+pub const CKT_NSS_TRUSTED_DELEGATOR_BYTES: &[u8] = &CKT_NSS_TRUSTED_DELEGATOR.to_ne_bytes();
+pub const CK_FALSE_BYTES: &[u8] = &CK_FALSE.to_ne_bytes();
+pub const CK_TRUE_BYTES: &[u8] = &CK_TRUE.to_ne_bytes();
+
+#[derive(PartialEq, Eq)]
+pub struct Root {
+ pub label: &'static str,
+ pub der_name: (u8, u8),
+ pub der_serial: (u8, u8),
+ pub der_cert: &'static [u8],
+ pub mozilla_ca_policy: Option<&'static [u8]>,
+ pub server_distrust_after: Option<&'static [u8]>,
+ pub email_distrust_after: Option<&'static [u8]>,
+ pub sha1: [u8; 20],
+ pub md5: [u8; 16],
+ pub trust_server: &'static [u8],
+ pub trust_email: &'static [u8],
+}
+
+impl Root {
+ pub fn der_name(&self) -> &'static [u8] {
+ &self.der_cert[self.der_name.0 as usize..][..self.der_name.1 as usize]
+ }
+ pub fn der_serial(&self) -> &'static [u8] {
+ &self.der_cert[self.der_serial.0 as usize..][..self.der_serial.1 as usize]
+ }
+}
+
+impl PartialOrd for Root {
+ fn partial_cmp(&self, other: &Root) -> Option<std::cmp::Ordering> {
+ self.der_name().partial_cmp(other.der_name())
+ }
+}
+
+include!(concat!(env!("OUT_DIR"), "/builtins.rs"));
diff --git a/security/manager/ssl/builtins/src/internal.rs b/security/manager/ssl/builtins/src/internal.rs
new file mode 100644
index 0000000000..30bd1fcea7
--- /dev/null
+++ b/security/manager/ssl/builtins/src/internal.rs
@@ -0,0 +1,344 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use pkcs11_bindings::nss::*;
+use pkcs11_bindings::*;
+
+use smallvec::SmallVec;
+
+use crate::certdata::*;
+
+// The token stores 2N+1 objects: one NSS root list object, N certificate objects, and N trust
+// objects.
+//
+// Internally, the token identifies each object by its ObjectClass (RootList, Certificate,
+// or Trust) and its index in the list of objects of the same class.
+//
+// The PKCS#11 interface, on the other hand, identifies each object with a unique, non-zero,
+// unsigned long. This ulong is referred to as the object's CK_OBJECT_HANDLE.
+//
+// We're free to choose the mapping between ObjectHandles and CK_OBJECT_HANDLEs. Currently we
+// encode the ObjectClass in the low 2 bits of the CK_OBJECT_HANDLE and the index in the higher
+// bits. We use the values 1, 2, and 3 for ObjectClass to avoid using 0 as a CK_OBJECT_HANDLE.
+//
+#[derive(Clone, Copy)]
+pub enum ObjectClass {
+ RootList = 1,
+ Certificate = 2,
+ Trust = 3,
+}
+
+#[derive(Clone, Copy)]
+pub struct ObjectHandle {
+ class: ObjectClass,
+ index: usize,
+}
+
+impl TryFrom<CK_OBJECT_HANDLE> for ObjectHandle {
+ type Error = ();
+ fn try_from(handle: CK_OBJECT_HANDLE) -> Result<Self, Self::Error> {
+ if let Ok(handle) = usize::try_from(handle) {
+ let index = handle >> 2;
+ let class = match handle & 3 {
+ 1 if index == 0 => ObjectClass::RootList,
+ 2 if index < BUILTINS.len() => ObjectClass::Certificate,
+ 3 if index < BUILTINS.len() => ObjectClass::Trust,
+ _ => return Err(()),
+ };
+ Ok(ObjectHandle { class, index })
+ } else {
+ Err(())
+ }
+ }
+}
+
+impl From<ObjectHandle> for CK_OBJECT_HANDLE {
+ fn from(object_handle: ObjectHandle) -> CK_OBJECT_HANDLE {
+ match CK_OBJECT_HANDLE::try_from(object_handle.index) {
+ Ok(index) => (index << 2) | (object_handle.class as CK_OBJECT_HANDLE),
+ Err(_) => 0,
+ }
+ }
+}
+
+pub fn get_attribute(attribute: CK_ATTRIBUTE_TYPE, object: &ObjectHandle) -> Option<&'static [u8]> {
+ match object.class {
+ ObjectClass::RootList => get_root_list_attribute(attribute),
+ ObjectClass::Certificate => get_cert_attribute(attribute, &BUILTINS[object.index]),
+ ObjectClass::Trust => get_trust_attribute(attribute, &BUILTINS[object.index]),
+ }
+}
+
+// Every attribute that appears in certdata.txt must have a corresponding match arm in one of the
+// get_*_attribute functions.
+//
+fn get_root_list_attribute(attribute: CK_ATTRIBUTE_TYPE) -> Option<&'static [u8]> {
+ match attribute {
+ CKA_CLASS => Some(CKO_NSS_BUILTIN_ROOT_LIST_BYTES),
+ CKA_TOKEN => Some(CK_TRUE_BYTES),
+ CKA_PRIVATE => Some(CK_FALSE_BYTES),
+ CKA_MODIFIABLE => Some(CK_FALSE_BYTES),
+ CKA_LABEL => Some(&ROOT_LIST_LABEL[..]),
+ _ => None,
+ }
+}
+
+fn get_cert_attribute(attribute: CK_ATTRIBUTE_TYPE, cert: &Root) -> Option<&[u8]> {
+ match attribute {
+ CKA_CLASS => Some(CKO_CERTIFICATE_BYTES),
+ CKA_TOKEN => Some(CK_TRUE_BYTES),
+ CKA_PRIVATE => Some(CK_FALSE_BYTES),
+ CKA_MODIFIABLE => Some(CK_FALSE_BYTES),
+ CKA_LABEL => Some(cert.label.as_bytes()),
+ CKA_CERTIFICATE_TYPE => Some(CKC_X_509_BYTES),
+ CKA_SUBJECT => Some(cert.der_name()),
+ CKA_ID => Some(b"0\0"), // null terminated to match C implementation
+ CKA_ISSUER => Some(cert.der_name()),
+ CKA_SERIAL_NUMBER => Some(cert.der_serial()),
+ CKA_VALUE => Some(cert.der_cert),
+ CKA_NSS_MOZILLA_CA_POLICY => cert.mozilla_ca_policy,
+ CKA_NSS_SERVER_DISTRUST_AFTER => cert.server_distrust_after,
+ CKA_NSS_EMAIL_DISTRUST_AFTER => cert.email_distrust_after,
+ _ => None,
+ }
+}
+
+fn get_trust_attribute(attribute: CK_ATTRIBUTE_TYPE, cert: &Root) -> Option<&[u8]> {
+ match attribute {
+ CKA_CLASS => Some(CKO_NSS_TRUST_BYTES),
+ CKA_TOKEN => Some(CK_TRUE_BYTES),
+ CKA_PRIVATE => Some(CK_FALSE_BYTES),
+ CKA_MODIFIABLE => Some(CK_FALSE_BYTES),
+ CKA_LABEL => Some(cert.label.as_bytes()),
+ CKA_CERT_SHA1_HASH => Some(&cert.sha1[..]),
+ CKA_CERT_MD5_HASH => Some(&cert.md5[..]),
+ CKA_ISSUER => Some(cert.der_name()),
+ CKA_SERIAL_NUMBER => Some(cert.der_serial()),
+ CKA_TRUST_STEP_UP_APPROVED => Some(CK_FALSE_BYTES),
+ CKA_TRUST_SERVER_AUTH => Some(cert.trust_server),
+ CKA_TRUST_EMAIL_PROTECTION => Some(cert.trust_email),
+ CKA_TRUST_CODE_SIGNING => Some(CKT_NSS_MUST_VERIFY_TRUST_BYTES),
+ _ => None,
+ }
+}
+
+// A query matches an object if each term matches some attribute of the object. A search result is
+// a list of object handles. Typical queries yield zero or one results, so we optimize for this
+// case.
+//
+pub type Query<'a> = [(CK_ATTRIBUTE_TYPE, &'a [u8])];
+pub type SearchResult = SmallVec<[ObjectHandle; 1]>;
+
+pub fn search(query: &Query) -> SearchResult {
+ // The BUILTINS list is sorted by name. So if the query includes a CKA_SUBJECT or CKA_ISSUER
+ // field we can binary search.
+ for &(attr, value) in query {
+ if attr == CKA_SUBJECT || attr == CKA_ISSUER {
+ return search_by_name(value, query);
+ }
+ }
+
+ let mut results: SearchResult = SearchResult::default();
+
+ // A query with no name term might match the root list object
+ if match_root_list(query) {
+ results.push(ObjectHandle {
+ class: ObjectClass::RootList,
+ index: 0,
+ });
+ }
+
+ // A query with a CKA_CLASS term matches exactly one type of object, and we should avoid
+ // iterating over BUILTINS when CKO_CLASS is neither CKO_CERTIFICATE_BYTES nor
+ // CKO_NSS_TRUST_BYTES.
+ let mut maybe_cert = true;
+ let mut maybe_trust = true;
+ for &(attr, value) in query {
+ if attr == CKA_CLASS {
+ maybe_cert = value.eq(CKO_CERTIFICATE_BYTES);
+ maybe_trust = value.eq(CKO_NSS_TRUST_BYTES);
+ break;
+ }
+ }
+
+ if !(maybe_cert || maybe_trust) {
+ return results; // The root list or nothing.
+ }
+
+ for (index, builtin) in BUILTINS.iter().enumerate() {
+ if maybe_cert && match_cert(query, builtin) {
+ results.push(ObjectHandle {
+ class: ObjectClass::Certificate,
+ index,
+ });
+ }
+ if maybe_trust && match_trust(query, builtin) {
+ results.push(ObjectHandle {
+ class: ObjectClass::Trust,
+ index,
+ });
+ }
+ }
+ results
+}
+
+fn search_by_name(name: &[u8], query: &Query) -> SearchResult {
+ let mut results: SearchResult = SearchResult::default();
+
+ let index = match BUILTINS.binary_search_by_key(&name, |r| r.der_name()) {
+ Ok(index) => index,
+ _ => return results,
+ };
+
+ // binary search returned a matching index, but maybe not the smallest
+ let mut min = index;
+ while min > 0 && name.eq(BUILTINS[min - 1].der_name()) {
+ min -= 1;
+ }
+
+ // ... and maybe not the largest.
+ let mut max = index;
+ while max < BUILTINS.len() - 1 && name.eq(BUILTINS[max + 1].der_name()) {
+ max += 1;
+ }
+
+ for (index, builtin) in BUILTINS.iter().enumerate().take(max + 1).skip(min) {
+ if match_cert(query, builtin) {
+ results.push(ObjectHandle {
+ class: ObjectClass::Certificate,
+ index,
+ });
+ }
+ if match_trust(query, builtin) {
+ results.push(ObjectHandle {
+ class: ObjectClass::Trust,
+ index,
+ });
+ }
+ }
+
+ results
+}
+
+fn match_root_list(query: &Query) -> bool {
+ for &(typ, x) in query {
+ match get_root_list_attribute(typ) {
+ Some(y) if x.eq(y) => (),
+ _ => return false,
+ }
+ }
+ true
+}
+
+fn match_cert(query: &Query, cert: &Root) -> bool {
+ for &(typ, x) in query {
+ match get_cert_attribute(typ, cert) {
+ Some(y) if x.eq(y) => (),
+ _ => return false,
+ }
+ }
+ true
+}
+
+fn match_trust(query: &Query, cert: &Root) -> bool {
+ for &(typ, x) in query {
+ match get_trust_attribute(typ, cert) {
+ Some(y) if x.eq(y) => (),
+ _ => return false,
+ }
+ }
+ true
+}
+
+#[cfg(test)]
+mod internal_tests {
+ use crate::certdata::BUILTINS;
+ use crate::internal::*;
+ use pkcs11_bindings::*;
+
+ // commented out to avoid vendoring x509_parser
+ // fn is_valid_utctime(utctime: &[u8]) -> bool {
+ // /* TODO: actual validation */
+ // utctime.len() == 13
+ // }
+ // #[test]
+ // fn test_certdata() {
+ // for root in BUILTINS {
+ // // the der_cert field is valid DER
+ // let parsed_cert = X509Certificate::from_der(root.der_cert);
+ // assert!(parsed_cert.is_ok());
+
+ // // the der_cert field has no trailing data
+ // let (trailing, parsed_cert) = parsed_cert.unwrap();
+ // assert!(trailing.is_empty());
+
+ // // the der_serial field matches the encoded serial
+ // assert!(root.der_serial.len() > 2);
+ // assert!(root.der_serial[0] == 0x02); // der integer
+ // assert!(root.der_serial[1] <= 20); // no more than 20 bytes long
+ // assert!(root.der_serial[1] as usize == root.der_serial.len() - 2);
+ // assert!(parsed_cert.raw_serial().eq(&root.der_serial[2..]));
+
+ // // the der_name field matches the encoded subject
+ // assert!(parsed_cert.subject.as_raw().eq(root.der_name));
+
+ // // the der_name field matches the encoded issuer
+ // assert!(parsed_cert.issuer.as_raw().eq(root.der_name));
+
+ // // The server_distrust_after field is None or a valid UTC time
+ // if let Some(utctime) = root.server_distrust_after {
+ // assert!(is_valid_utctime(&utctime));
+ // }
+
+ // // The email_distrust_after field is None or a valid UTC time
+ // if let Some(utctime) = root.email_distrust_after {
+ // assert!(is_valid_utctime(&utctime));
+ // }
+
+ // assert!(
+ // root.trust_server == CKT_NSS_MUST_VERIFY_TRUST_BYTES
+ // || root.trust_server == CKT_NSS_TRUSTED_DELEGATOR_BYTES
+ // || root.trust_server == CKT_NSS_NOT_TRUSTED_BYTES
+ // );
+ // assert!(
+ // root.trust_email == CKT_NSS_MUST_VERIFY_TRUST_BYTES
+ // || root.trust_email == CKT_NSS_TRUSTED_DELEGATOR_BYTES
+ // || root.trust_email == CKT_NSS_NOT_TRUSTED_BYTES
+ // );
+ // }
+ // }
+
+ #[test]
+ fn test_builtins_sorted() {
+ for i in 0..(BUILTINS.len() - 1) {
+ assert!(BUILTINS[i].der_name.le(BUILTINS[i + 1].der_name));
+ }
+ }
+
+ #[test]
+ fn test_search() {
+ // search for an element that will not be found
+ let result = search(&[(CKA_TOKEN, &[CK_FALSE])]);
+ assert_eq!(result.len(), 0);
+
+ // search for root list
+ let result = search(&[(CKA_CLASS, CKO_NSS_BUILTIN_ROOT_LIST_BYTES)]);
+ assert!(result.len() == 1);
+
+ // search by name
+ let result = search(&[
+ (CKA_CLASS, CKO_CERTIFICATE_BYTES),
+ (CKA_SUBJECT, BUILTINS[0].der_name),
+ ]);
+ assert!(result.len() >= 1);
+
+ // search by issuer and serial
+ let result = search(&[
+ (CKA_ISSUER, BUILTINS[0].der_name),
+ (CKA_SERIAL_NUMBER, BUILTINS[0].der_serial),
+ ]);
+ assert!(result.len() >= 1);
+ }
+}
diff --git a/security/manager/ssl/builtins/src/lib.rs b/security/manager/ssl/builtins/src/lib.rs
new file mode 100644
index 0000000000..17b05b454d
--- /dev/null
+++ b/security/manager/ssl/builtins/src/lib.rs
@@ -0,0 +1,9 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+mod certdata;
+mod internal;
+mod pkcs11;
+mod version;
diff --git a/security/manager/ssl/builtins/src/pkcs11.rs b/security/manager/ssl/builtins/src/pkcs11.rs
new file mode 100644
index 0000000000..fb60aee187
--- /dev/null
+++ b/security/manager/ssl/builtins/src/pkcs11.rs
@@ -0,0 +1,1229 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#![allow(non_snake_case)]
+
+use pkcs11_bindings::*;
+use std::slice;
+
+use std::collections::btree_map::Entry;
+use std::collections::{BTreeMap, BTreeSet};
+use std::sync::atomic::{AtomicU32, Ordering};
+use std::sync::{Mutex, MutexGuard};
+
+use crate::internal::{get_attribute, search};
+use crate::internal::{ObjectHandle, Query, SearchResult};
+
+use crate::version::*;
+
+const BUILTINS_VERSION: CK_VERSION = CK_VERSION {
+ major: NSS_BUILTINS_LIBRARY_VERSION_MAJOR,
+ minor: NSS_BUILTINS_LIBRARY_VERSION_MINOR,
+};
+
+const FIRMWARE_VERSION: CK_VERSION = CK_VERSION {
+ major: NSS_BUILTINS_FIRMWARE_VERSION_MAJOR,
+ minor: NSS_BUILTINS_FIRMWARE_VERSION_MINOR,
+};
+
+const CRYPTOKI_VERSION: CK_VERSION = CK_VERSION {
+ major: NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR,
+ minor: NSS_BUILTINS_CRYPTOKI_VERSION_MINOR,
+};
+const HARDWARE_VERSION: CK_VERSION = CK_VERSION {
+ major: NSS_BUILTINS_HARDWARE_VERSION_MAJOR,
+ minor: NSS_BUILTINS_HARDWARE_VERSION_MINOR,
+};
+
+const MANUFACTURER_ID_BYTES: &[u8; 32] = b"Mozilla Foundation ";
+const LIBRARY_DESCRIPTION_BYTES: &[u8; 32] = b"NSS Builtin Object Cryptoki Modu";
+
+const SLOT_COUNT: CK_ULONG = 1;
+const SLOT_ID_ROOTS: CK_SLOT_ID = 1;
+const SLOT_DESCRIPTION_ROOTS_BYTES: &[u8; 64] =
+ b"NSS Builtin Objects ";
+
+const TOKEN_LABEL_ROOTS_BYTES: &[u8; 32] = b"Builtin Object Token ";
+const TOKEN_MODEL_BYTES: &[u8; 16] = b"1 ";
+const TOKEN_SERIAL_NUMBER_BYTES: &[u8; 16] = b"1 ";
+const TOKEN_UTC_TIME: &[u8; 16] = b" ";
+
+#[derive(Debug)]
+struct PK11Error(CK_RV);
+
+// The token assigns session handles using a counter. It would make sense to use a 64 bit counter,
+// as there would then be no risk of exhausting the session handle space. However,
+// CK_SESSION_HANDLE is defined as a C unsigned long, which is a u32 on some platforms.
+//
+// We start the counter at 1 since PKCS#11 reserves 0 to signal an invalid handle
+//
+type SessionHandle = u32;
+static NEXT_HANDLE: AtomicU32 = AtomicU32::new(1);
+
+// The token needs to keep track of which sessions are open.
+//
+type SessionSet = BTreeSet<SessionHandle>;
+static OPEN_SESSIONS: Mutex<Option<SessionSet>> = Mutex::new(None);
+
+// Helper functions for accessing OPEN_SESSIONS
+//
+type SessionSetGuard = MutexGuard<'static, Option<SessionSet>>;
+
+fn get_open_sessions_guard() -> Result<SessionSetGuard, PK11Error> {
+ OPEN_SESSIONS
+ .lock()
+ .map_err(|_| PK11Error(CKR_DEVICE_ERROR))
+}
+
+fn get_open_sessions(guard: &mut SessionSetGuard) -> Result<&mut SessionSet, PK11Error> {
+ let sessions = guard
+ .as_mut()
+ .ok_or(PK11Error(CKR_CRYPTOKI_NOT_INITIALIZED))?;
+ Ok(sessions)
+}
+
+// The token needs to cache search results until the client reads them or closes the session.
+//
+type SearchCache = BTreeMap<SessionHandle, SearchResult>;
+static SEARCHES: Mutex<Option<SearchCache>> = Mutex::new(None);
+
+// Helper functions for accessing SEARCHES
+//
+type SearchCacheGuard = MutexGuard<'static, Option<SearchCache>>;
+
+fn get_search_cache_guard() -> Result<SearchCacheGuard, PK11Error> {
+ SEARCHES.lock().map_err(|_| PK11Error(CKR_DEVICE_ERROR))
+}
+
+fn get_search_cache(guard: &mut SearchCacheGuard) -> Result<&mut SearchCache, PK11Error> {
+ let searches = guard
+ .as_mut()
+ .ok_or(PK11Error(CKR_CRYPTOKI_NOT_INITIALIZED))?;
+ Ok(searches)
+}
+
+fn validate_session(handle: SessionHandle) -> Result<(), PK11Error> {
+ let mut guard = get_open_sessions_guard()?;
+ let sessions = get_open_sessions(&mut guard)?;
+ if sessions.contains(&handle) {
+ return Ok(());
+ }
+ if handle < NEXT_HANDLE.load(Ordering::SeqCst) {
+ Err(PK11Error(CKR_SESSION_CLOSED))
+ } else {
+ // Possible that NEXT_HANDLE wrapped and we should return CKR_SESSION_CLOSED.
+ // But this is best-effort.
+ Err(PK11Error(CKR_SESSION_HANDLE_INVALID))
+ }
+}
+
+// The internal implementation of C_Initialize
+fn initialize() -> Result<(), PK11Error> {
+ {
+ let mut search_cache_guard = get_search_cache_guard()?;
+ if (*search_cache_guard).is_some() {
+ return Err(PK11Error(CKR_CRYPTOKI_ALREADY_INITIALIZED));
+ }
+ *search_cache_guard = Some(SearchCache::default());
+ }
+
+ {
+ let mut session_guard = get_open_sessions_guard()?;
+ if (*session_guard).is_some() {
+ return Err(PK11Error(CKR_CRYPTOKI_ALREADY_INITIALIZED));
+ }
+ *session_guard = Some(SessionSet::default());
+ }
+
+ Ok(())
+}
+
+// The internal implementation of C_Finalize
+fn finalize() -> Result<(), PK11Error> {
+ {
+ let mut guard = get_search_cache_guard()?;
+ // Try to access the search cache to ensure we're initialized.
+ // Returns CKR_CRYPTOKI_NOT_INITIALIZED if we're not.
+ let _ = get_search_cache(&mut guard)?;
+ *guard = None;
+ }
+
+ let mut guard = get_open_sessions_guard()?;
+ let _ = get_open_sessions(&mut guard)?;
+ *guard = None;
+
+ Ok(())
+}
+
+// Internal implementation of C_OpenSession
+fn open_session() -> Result<SessionHandle, PK11Error> {
+ let mut handle = NEXT_HANDLE.fetch_add(1, Ordering::SeqCst);
+ if handle == 0 {
+ // skip handle 0 if the addition wraps
+ handle = NEXT_HANDLE.fetch_add(1, Ordering::SeqCst);
+ }
+
+ let mut guard = get_open_sessions_guard()?;
+ let sessions = get_open_sessions(&mut guard)?;
+ while !sessions.insert(handle) {
+ // this only executes if NEXT_HANDLE wraps while sessions with
+ // small handles are still open.
+ handle = NEXT_HANDLE.fetch_add(1, Ordering::SeqCst);
+ }
+
+ Ok(handle)
+}
+
+// Internal implementation of C_CloseSession
+fn close_session(session: SessionHandle) -> Result<(), PK11Error> {
+ {
+ let mut guard = get_search_cache_guard()?;
+ let searches = get_search_cache(&mut guard)?;
+ searches.remove(&session);
+ }
+
+ {
+ let mut guard = get_open_sessions_guard()?;
+ let sessions = get_open_sessions(&mut guard)?;
+ if sessions.remove(&session) {
+ Ok(())
+ } else if session < NEXT_HANDLE.load(Ordering::SeqCst) {
+ Err(PK11Error(CKR_SESSION_CLOSED))
+ } else {
+ Err(PK11Error(CKR_SESSION_HANDLE_INVALID))
+ }
+ }
+}
+
+// Internal implementation of C_CloseAllSessions
+fn close_all_sessions() -> Result<(), PK11Error> {
+ {
+ let mut guard = get_search_cache_guard()?;
+ let searches = get_search_cache(&mut guard)?;
+ searches.clear();
+ }
+
+ {
+ let mut guard = get_open_sessions_guard()?;
+ let sessions = get_open_sessions(&mut guard)?;
+ sessions.clear();
+ }
+
+ Ok(())
+}
+
+// Internal implementation of C_FindObjectsInit
+fn find_objects_init(session: SessionHandle, query: &Query) -> Result<usize, PK11Error> {
+ validate_session(session)?;
+
+ let results = search(query);
+ let count = results.len();
+
+ let mut guard = get_search_cache_guard()?;
+ let searches = get_search_cache(&mut guard)?;
+ match searches.entry(session) {
+ Entry::Occupied(_) => Err(PK11Error(CKR_OPERATION_ACTIVE)),
+ Entry::Vacant(v) => {
+ v.insert(results);
+ Ok(count)
+ }
+ }
+}
+
+// Internal implementation of C_FindObjects
+fn find_objects(session: SessionHandle, out: &mut [CK_OBJECT_HANDLE]) -> Result<usize, PK11Error> {
+ validate_session(session)?;
+
+ let mut guard = get_search_cache_guard()?;
+ let searches = get_search_cache(&mut guard)?;
+ if let Some(objects) = searches.get_mut(&session) {
+ for (i, out_i) in out.iter_mut().enumerate() {
+ match objects.pop() {
+ Some(object) => *out_i = object.into(),
+ None => return Ok(i),
+ }
+ }
+ Ok(out.len())
+ } else {
+ Ok(0)
+ }
+}
+
+// Internal implementation of C_FindObjectsFinal
+fn find_objects_final(session: SessionHandle) -> Result<(), PK11Error> {
+ validate_session(session)?;
+
+ let mut guard = get_search_cache_guard()?;
+ let searches = get_search_cache(&mut guard)?;
+ searches.remove(&session);
+ Ok(())
+}
+
+extern "C" fn C_Initialize(_pInitArgs: CK_VOID_PTR) -> CK_RV {
+ match initialize() {
+ Ok(_) => CKR_OK,
+ Err(PK11Error(e)) => e,
+ }
+}
+
+extern "C" fn C_Finalize(pReserved: CK_VOID_PTR) -> CK_RV {
+ if !pReserved.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ match finalize() {
+ Ok(_) => CKR_OK,
+ Err(PK11Error(e)) => e,
+ }
+}
+
+extern "C" fn C_GetInfo(pInfo: CK_INFO_PTR) -> CK_RV {
+ if pInfo.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ unsafe {
+ *pInfo = CK_INFO {
+ cryptokiVersion: CRYPTOKI_VERSION,
+ manufacturerID: *MANUFACTURER_ID_BYTES,
+ flags: 0,
+ libraryDescription: *LIBRARY_DESCRIPTION_BYTES,
+ libraryVersion: BUILTINS_VERSION,
+ };
+ }
+ CKR_OK
+}
+
+extern "C" fn C_GetSlotList(
+ _tokenPresent: CK_BBOOL,
+ pSlotList: CK_SLOT_ID_PTR,
+ pulCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if pulCount.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ if !pSlotList.is_null() {
+ if unsafe { *pulCount } < SLOT_COUNT {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ unsafe {
+ *pSlotList = SLOT_ID_ROOTS;
+ }
+ }
+ unsafe {
+ *pulCount = SLOT_COUNT;
+ }
+ CKR_OK
+}
+
+extern "C" fn C_GetSlotInfo(slotID: CK_SLOT_ID, pInfo: CK_SLOT_INFO_PTR) -> CK_RV {
+ if (slotID != SLOT_ID_ROOTS) || pInfo.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ unsafe {
+ *pInfo = CK_SLOT_INFO {
+ slotDescription: *SLOT_DESCRIPTION_ROOTS_BYTES,
+ manufacturerID: *MANUFACTURER_ID_BYTES,
+ flags: CKF_TOKEN_PRESENT,
+ hardwareVersion: HARDWARE_VERSION,
+ firmwareVersion: FIRMWARE_VERSION,
+ };
+ }
+ CKR_OK
+}
+
+extern "C" fn C_GetTokenInfo(slotID: CK_SLOT_ID, pInfo: CK_TOKEN_INFO_PTR) -> CK_RV {
+ if (slotID != SLOT_ID_ROOTS) || pInfo.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ unsafe {
+ *pInfo = CK_TOKEN_INFO {
+ label: *TOKEN_LABEL_ROOTS_BYTES,
+ manufacturerID: *MANUFACTURER_ID_BYTES,
+ model: *TOKEN_MODEL_BYTES,
+ serialNumber: *TOKEN_SERIAL_NUMBER_BYTES,
+ flags: CKF_WRITE_PROTECTED,
+ ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION,
+ ulSessionCount: 0,
+ ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION,
+ ulRwSessionCount: 0,
+ ulMaxPinLen: CK_UNAVAILABLE_INFORMATION,
+ ulMinPinLen: CK_UNAVAILABLE_INFORMATION,
+ ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION,
+ ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION,
+ ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION,
+ ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION,
+ hardwareVersion: HARDWARE_VERSION,
+ firmwareVersion: FIRMWARE_VERSION,
+ utcTime: *TOKEN_UTC_TIME,
+ };
+ }
+ CKR_OK
+}
+
+extern "C" fn C_GetMechanismList(
+ slotID: CK_SLOT_ID,
+ _pMechanismList: CK_MECHANISM_TYPE_PTR,
+ pulCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if slotID != SLOT_ID_ROOTS || pulCount.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ unsafe {
+ *pulCount = 0;
+ }
+ CKR_OK
+}
+
+extern "C" fn C_GetMechanismInfo(
+ _slotID: CK_SLOT_ID,
+ _type: CK_MECHANISM_TYPE,
+ _pInfo: CK_MECHANISM_INFO_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_InitToken(
+ _slotID: CK_SLOT_ID,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+ _pLabel: CK_UTF8CHAR_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_InitPIN(
+ _hSession: CK_SESSION_HANDLE,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SetPIN(
+ _hSession: CK_SESSION_HANDLE,
+ _pOldPin: CK_UTF8CHAR_PTR,
+ _ulOldLen: CK_ULONG,
+ _pNewPin: CK_UTF8CHAR_PTR,
+ _ulNewLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_OpenSession(
+ slotID: CK_SLOT_ID,
+ flags: CK_FLAGS,
+ _pApplication: CK_VOID_PTR,
+ _Notify: CK_NOTIFY,
+ phSession: CK_SESSION_HANDLE_PTR,
+) -> CK_RV {
+ if slotID != SLOT_ID_ROOTS || phSession.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ // [pkcs11-base-v3.0, Section 5.6.1]
+ // For legacy reasons, the CKF_SERIAL_SESSION bit MUST always be set; if a call to
+ // C_OpenSession does not have this bit set, the call should return unsuccessfully with the
+ // error code CKR_SESSION_PARALLEL_NOT_SUPPORTED.
+ if flags & CKF_SERIAL_SESSION == 0 {
+ return CKR_SESSION_PARALLEL_NOT_SUPPORTED;
+ }
+ let session_id = match open_session() {
+ Ok(session_id) => session_id as CK_SESSION_HANDLE,
+ Err(PK11Error(e)) => return e,
+ };
+ unsafe { *phSession = session_id };
+ CKR_OK
+}
+
+extern "C" fn C_CloseSession(hSession: CK_SESSION_HANDLE) -> CK_RV {
+ let session: SessionHandle = match hSession.try_into() {
+ Ok(session) => session,
+ Err(_) => return CKR_SESSION_HANDLE_INVALID,
+ };
+ match close_session(session) {
+ Ok(_) => CKR_OK,
+ Err(PK11Error(e)) => e,
+ }
+}
+
+extern "C" fn C_CloseAllSessions(slotID: CK_SLOT_ID) -> CK_RV {
+ if slotID != SLOT_ID_ROOTS {
+ return CKR_ARGUMENTS_BAD;
+ }
+ match close_all_sessions() {
+ Ok(_) => CKR_OK,
+ Err(PK11Error(e)) => e,
+ }
+}
+
+extern "C" fn C_GetSessionInfo(_hSession: CK_SESSION_HANDLE, _pInfo: CK_SESSION_INFO_PTR) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetOperationState(
+ _hSession: CK_SESSION_HANDLE,
+ _pOperationState: CK_BYTE_PTR,
+ _pulOperationStateLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SetOperationState(
+ _hSession: CK_SESSION_HANDLE,
+ _pOperationState: CK_BYTE_PTR,
+ _ulOperationStateLen: CK_ULONG,
+ _hEncryptionKey: CK_OBJECT_HANDLE,
+ _hAuthenticationKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Login(
+ _hSession: CK_SESSION_HANDLE,
+ _userType: CK_USER_TYPE,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Logout(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ CKR_OK
+}
+
+extern "C" fn C_CreateObject(
+ _hSession: CK_SESSION_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phObject: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_CopyObject(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phNewObject: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DestroyObject(_hSession: CK_SESSION_HANDLE, _hObject: CK_OBJECT_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetObjectSize(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pulSize: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetAttributeValue(
+ _hSession: CK_SESSION_HANDLE,
+ hObject: CK_OBJECT_HANDLE,
+ pTemplate: CK_ATTRIBUTE_PTR,
+ ulCount: CK_ULONG,
+) -> CK_RV {
+ if pTemplate.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ let count: usize = match ulCount.try_into() {
+ Ok(count) => count,
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ };
+
+ // C_GetAttributeValue has a session handle parameter because PKCS#11 objects can have
+ // session-bound lifetimes and access controls. We don't have any session objects, and all of
+ // our token objects are public. So there's no good reason to validate the session handle.
+ //
+ //let session: SessionHandle = match hSession.try_into() {
+ // Ok(session) => session,
+ // Err(_) => return CKR_SESSION_HANDLE_INVALID,
+ //};
+ //
+ //if let Err(PK11Error(e)) = validate_session(session) {
+ // return e;
+ //}
+
+ let handle: ObjectHandle = match hObject.try_into() {
+ Ok(handle) => handle,
+ Err(_) => return CKR_OBJECT_HANDLE_INVALID,
+ };
+
+ let attrs: &mut [CK_ATTRIBUTE] = unsafe { slice::from_raw_parts_mut(pTemplate, count) };
+
+ let mut rv = CKR_OK;
+
+ // Handle requests with null pValue fields
+ for attr in attrs.iter_mut().filter(|x| x.pValue.is_null()) {
+ attr.ulValueLen = match get_attribute(attr.type_, &handle) {
+ None => {
+ // [pkcs11-base-v3.0, Section 5.7.5]
+ // 2. [...] if the specified value for the object is invalid (the object does not possess
+ // such an attribute), then the ulValueLen field in that triple is modified to hold the
+ // value CK_UNAVAILABLE_INFORMATION.
+ rv = CKR_ATTRIBUTE_TYPE_INVALID;
+ CK_UNAVAILABLE_INFORMATION
+ }
+ Some(attr) => {
+ // [pkcs11-base-v3.0, Section 5.7.5]
+ // 3. [...] if the pValue field has the value NULL_PTR, then the ulValueLen field is modified
+ // to hold the exact length of the specified attribute for the object.
+ attr.len() as CK_ULONG
+ }
+ }
+ }
+
+ // Handle requests with non-null pValue fields
+ for attr in attrs.iter_mut().filter(|x| !x.pValue.is_null()) {
+ let dst_len: usize = match attr.ulValueLen.try_into() {
+ Ok(dst_len) => dst_len,
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ };
+ attr.ulValueLen = match get_attribute(attr.type_, &handle) {
+ None => {
+ // [pkcs11-base-v3.0, Section 5.7.5]
+ // 2. [...] if the specified value for the object is invalid (the object does not possess
+ // such an attribute), then the ulValueLen field in that triple is modified to hold the
+ // value CK_UNAVAILABLE_INFORMATION.
+ rv = CKR_ATTRIBUTE_TYPE_INVALID;
+ CK_UNAVAILABLE_INFORMATION
+ }
+ Some(src) if dst_len >= src.len() => {
+ // [pkcs11-base-v3.0, Section 5.7.5]
+ // 4. [...] if the length specified in ulValueLen is large enough to hold the value
+ // of the specified attribute for the object, then that attribute is copied into
+ // the buffer located at pValue, and the ulValueLen field is modified to hold
+ // the exact length of the attribute.
+ let dst: &mut [u8] =
+ unsafe { slice::from_raw_parts_mut(attr.pValue as *mut u8, dst_len) };
+ dst[..src.len()].copy_from_slice(src);
+ src.len() as CK_ULONG
+ }
+ _ => {
+ // [pkcs11-base-v3.0, Section 5.7.5]
+ // 5. Otherwise, the ulValueLen field is modified to hold the value
+ // CK_UNAVAILABLE_INFORMATION.
+ rv = CKR_BUFFER_TOO_SMALL;
+ CK_UNAVAILABLE_INFORMATION
+ }
+ };
+ }
+
+ // [pkcs11-base-v3.0, Section 5.7.5]
+ // If case 2 applies to any of the requested attributes, then the call should return the value
+ // CKR_ATTRIBUTE_TYPE_INVALID. If case 5 applies to any of the requested attributes, then the
+ // call should return the value CKR_BUFFER_TOO_SMALL. As usual, if more than one of these
+ // error codes is applicable, Cryptoki may return any of them. Only if none of them applies to
+ // any of the requested attributes will CKR_OK be returned.
+ rv
+}
+
+extern "C" fn C_SetAttributeValue(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_FindObjectsInit(
+ hSession: CK_SESSION_HANDLE,
+ pTemplate: CK_ATTRIBUTE_PTR,
+ ulCount: CK_ULONG,
+) -> CK_RV {
+ if pTemplate.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let count: usize = match ulCount.try_into() {
+ Ok(count) => count,
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ };
+ let session: SessionHandle = match hSession.try_into() {
+ Ok(session) => session,
+ Err(_) => return CKR_SESSION_HANDLE_INVALID,
+ };
+
+ let raw_attrs: &[CK_ATTRIBUTE] = unsafe { slice::from_raw_parts_mut(pTemplate, count) };
+
+ let mut query: Vec<(CK_ATTRIBUTE_TYPE, &[u8])> = Vec::with_capacity(raw_attrs.len());
+ for attr in raw_attrs {
+ match usize::try_from(attr.ulValueLen) {
+ Ok(len) => query.push((attr.type_, unsafe {
+ slice::from_raw_parts_mut(attr.pValue as *mut u8, len)
+ })),
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ }
+ }
+
+ match find_objects_init(session, &query) {
+ Ok(_) => CKR_OK,
+ Err(PK11Error(e)) => e,
+ }
+}
+
+extern "C" fn C_FindObjects(
+ hSession: CK_SESSION_HANDLE,
+ phObject: CK_OBJECT_HANDLE_PTR,
+ ulMaxObjectCount: CK_ULONG,
+ pulObjectCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if phObject.is_null() || pulObjectCount.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let max_object_count: usize = match ulMaxObjectCount.try_into() {
+ Ok(max_object_count) => max_object_count,
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ };
+ let session: SessionHandle = match hSession.try_into() {
+ Ok(session) => session,
+ Err(_) => return CKR_SESSION_HANDLE_INVALID,
+ };
+ let out: &mut [CK_OBJECT_HANDLE] =
+ unsafe { slice::from_raw_parts_mut(phObject, max_object_count) };
+ match find_objects(session, out) {
+ Ok(num_found) => {
+ unsafe { *pulObjectCount = num_found as CK_ULONG };
+ CKR_OK
+ }
+ Err(PK11Error(e)) => e,
+ }
+}
+
+extern "C" fn C_FindObjectsFinal(hSession: CK_SESSION_HANDLE) -> CK_RV {
+ let session: SessionHandle = match hSession.try_into() {
+ Ok(session) => session,
+ Err(_) => return CKR_SESSION_HANDLE_INVALID,
+ };
+ match find_objects_final(session) {
+ Ok(()) => CKR_OK,
+ Err(PK11Error(e)) => e,
+ }
+}
+
+extern "C" fn C_EncryptInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Encrypt(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pEncryptedData: CK_BYTE_PTR,
+ _pulEncryptedDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_EncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_EncryptFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pLastEncryptedPart: CK_BYTE_PTR,
+ _pulLastEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Decrypt(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedData: CK_BYTE_PTR,
+ _ulEncryptedDataLen: CK_ULONG,
+ _pData: CK_BYTE_PTR,
+ _pulDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pLastPart: CK_BYTE_PTR,
+ _pulLastPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestInit(_hSession: CK_SESSION_HANDLE, _pMechanism: CK_MECHANISM_PTR) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Digest(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pDigest: CK_BYTE_PTR,
+ _pulDigestLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestKey(_hSession: CK_SESSION_HANDLE, _hKey: CK_OBJECT_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pDigest: CK_BYTE_PTR,
+ _pulDigestLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Sign(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pSignature: CK_BYTE_PTR,
+ _pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignRecoverInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignRecover(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pSignature: CK_BYTE_PTR,
+ _pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Verify(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyRecoverInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyRecover(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+ _pData: CK_BYTE_PTR,
+ _pulDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestEncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptDigestUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignEncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptVerifyUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateKeyPair(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _pPublicKeyTemplate: CK_ATTRIBUTE_PTR,
+ _ulPublicKeyAttributeCount: CK_ULONG,
+ _pPrivateKeyTemplate: CK_ATTRIBUTE_PTR,
+ _ulPrivateKeyAttributeCount: CK_ULONG,
+ _phPublicKey: CK_OBJECT_HANDLE_PTR,
+ _phPrivateKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_WrapKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hWrappingKey: CK_OBJECT_HANDLE,
+ _hKey: CK_OBJECT_HANDLE,
+ _pWrappedKey: CK_BYTE_PTR,
+ _pulWrappedKeyLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_UnwrapKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hUnwrappingKey: CK_OBJECT_HANDLE,
+ _pWrappedKey: CK_BYTE_PTR,
+ _ulWrappedKeyLen: CK_ULONG,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulAttributeCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DeriveKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hBaseKey: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulAttributeCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SeedRandom(
+ _hSession: CK_SESSION_HANDLE,
+ _pSeed: CK_BYTE_PTR,
+ _ulSeedLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateRandom(
+ _hSession: CK_SESSION_HANDLE,
+ _RandomData: CK_BYTE_PTR,
+ _ulRandomLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetFunctionStatus(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_CancelFunction(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_WaitForSlotEvent(
+ _flags: CK_FLAGS,
+ _pSlot: CK_SLOT_ID_PTR,
+ _pRserved: CK_VOID_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+pub static FUNCTION_LIST: CK_FUNCTION_LIST = CK_FUNCTION_LIST {
+ version: CRYPTOKI_VERSION,
+ C_Initialize: Some(C_Initialize),
+ C_Finalize: Some(C_Finalize),
+ C_GetInfo: Some(C_GetInfo),
+ C_GetFunctionList: None,
+ C_GetSlotList: Some(C_GetSlotList),
+ C_GetSlotInfo: Some(C_GetSlotInfo),
+ C_GetTokenInfo: Some(C_GetTokenInfo),
+ C_GetMechanismList: Some(C_GetMechanismList),
+ C_GetMechanismInfo: Some(C_GetMechanismInfo),
+ C_InitToken: Some(C_InitToken),
+ C_InitPIN: Some(C_InitPIN),
+ C_SetPIN: Some(C_SetPIN),
+ C_OpenSession: Some(C_OpenSession),
+ C_CloseSession: Some(C_CloseSession),
+ C_CloseAllSessions: Some(C_CloseAllSessions),
+ C_GetSessionInfo: Some(C_GetSessionInfo),
+ C_GetOperationState: Some(C_GetOperationState),
+ C_SetOperationState: Some(C_SetOperationState),
+ C_Login: Some(C_Login),
+ C_Logout: Some(C_Logout),
+ C_CreateObject: Some(C_CreateObject),
+ C_CopyObject: Some(C_CopyObject),
+ C_DestroyObject: Some(C_DestroyObject),
+ C_GetObjectSize: Some(C_GetObjectSize),
+ C_GetAttributeValue: Some(C_GetAttributeValue),
+ C_SetAttributeValue: Some(C_SetAttributeValue),
+ C_FindObjectsInit: Some(C_FindObjectsInit),
+ C_FindObjects: Some(C_FindObjects),
+ C_FindObjectsFinal: Some(C_FindObjectsFinal),
+ C_EncryptInit: Some(C_EncryptInit),
+ C_Encrypt: Some(C_Encrypt),
+ C_EncryptUpdate: Some(C_EncryptUpdate),
+ C_EncryptFinal: Some(C_EncryptFinal),
+ C_DecryptInit: Some(C_DecryptInit),
+ C_Decrypt: Some(C_Decrypt),
+ C_DecryptUpdate: Some(C_DecryptUpdate),
+ C_DecryptFinal: Some(C_DecryptFinal),
+ C_DigestInit: Some(C_DigestInit),
+ C_Digest: Some(C_Digest),
+ C_DigestUpdate: Some(C_DigestUpdate),
+ C_DigestKey: Some(C_DigestKey),
+ C_DigestFinal: Some(C_DigestFinal),
+ C_SignInit: Some(C_SignInit),
+ C_Sign: Some(C_Sign),
+ C_SignUpdate: Some(C_SignUpdate),
+ C_SignFinal: Some(C_SignFinal),
+ C_SignRecoverInit: Some(C_SignRecoverInit),
+ C_SignRecover: Some(C_SignRecover),
+ C_VerifyInit: Some(C_VerifyInit),
+ C_Verify: Some(C_Verify),
+ C_VerifyUpdate: Some(C_VerifyUpdate),
+ C_VerifyFinal: Some(C_VerifyFinal),
+ C_VerifyRecoverInit: Some(C_VerifyRecoverInit),
+ C_VerifyRecover: Some(C_VerifyRecover),
+ C_DigestEncryptUpdate: Some(C_DigestEncryptUpdate),
+ C_DecryptDigestUpdate: Some(C_DecryptDigestUpdate),
+ C_SignEncryptUpdate: Some(C_SignEncryptUpdate),
+ C_DecryptVerifyUpdate: Some(C_DecryptVerifyUpdate),
+ C_GenerateKey: Some(C_GenerateKey),
+ C_GenerateKeyPair: Some(C_GenerateKeyPair),
+ C_WrapKey: Some(C_WrapKey),
+ C_UnwrapKey: Some(C_UnwrapKey),
+ C_DeriveKey: Some(C_DeriveKey),
+ C_SeedRandom: Some(C_SeedRandom),
+ C_GenerateRandom: Some(C_GenerateRandom),
+ C_GetFunctionStatus: Some(C_GetFunctionStatus),
+ C_CancelFunction: Some(C_CancelFunction),
+ C_WaitForSlotEvent: Some(C_WaitForSlotEvent),
+};
+
+#[no_mangle]
+pub unsafe fn BUILTINSC_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV {
+ if ppFunctionList.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ // CK_FUNCTION_LIST_PTR is a *mut CK_FUNCTION_LIST, but as per the
+ // specification, the caller must treat it as *const CK_FUNCTION_LIST.
+ *ppFunctionList = std::ptr::addr_of!(FUNCTION_LIST) as CK_FUNCTION_LIST_PTR;
+ CKR_OK
+}
+
+#[cfg(test)]
+mod pkcs11_tests {
+ use crate::certdata::*;
+ use crate::internal::*;
+ use crate::pkcs11::*;
+
+ #[test]
+ fn test_main() {
+ // We need to run tests serially because of C_Initialize / C_Finalize calls.
+ test_simple();
+ test_c_get_function_list();
+ test_c_get_attribute();
+ }
+
+ fn test_simple() {
+ let query = &[(CKA_CLASS, CKO_CERTIFICATE_BYTES)];
+ initialize().expect("initialize should not fail.");
+ let hSession = open_session().expect("open_session should not fail.");
+ let count = find_objects_init(hSession, query).expect("find_objects_init should not fail.");
+ assert_eq!(count, BUILTINS.len());
+ let mut results: [CK_OBJECT_HANDLE; 10] = [0; 10];
+ let n_read =
+ find_objects(hSession, &mut results).expect("find_objects_init should not fail.");
+ assert_eq!(n_read, 10);
+ finalize().expect("finalize should not fail.");
+ }
+
+ fn test_c_get_function_list() {
+ let c_null = 0 as *mut std::ffi::c_void;
+ let mut pFunctionList: CK_FUNCTION_LIST_PTR = c_null as CK_FUNCTION_LIST_PTR;
+ let rv = unsafe { crate::pkcs11::BUILTINSC_GetFunctionList(&mut pFunctionList) };
+ assert_eq!(CKR_OK, rv);
+ if let Some(pC_Initialize) = unsafe { (*pFunctionList).C_Initialize } {
+ let rv = unsafe { pC_Initialize(c_null) };
+ assert_eq!(CKR_OK, rv);
+ } else {
+ assert!(false);
+ }
+
+ if let Some(pC_Finalize) = unsafe { (*pFunctionList).C_Finalize } {
+ let rv = unsafe { pC_Finalize(c_null) };
+ assert_eq!(CKR_OK, rv);
+ } else {
+ assert!(false);
+ }
+ }
+
+ fn test_c_get_attribute() {
+ let c_null = 0 as *mut std::ffi::c_void;
+ let template: &mut [CK_ATTRIBUTE] = &mut [CK_ATTRIBUTE {
+ type_: CKA_SUBJECT,
+ pValue: c_null,
+ ulValueLen: 0,
+ }];
+ let template_ptr = &mut template[0] as CK_ATTRIBUTE_PTR;
+ let object: CK_OBJECT_HANDLE = 2;
+ let mut session: CK_SESSION_HANDLE = 0;
+ assert_eq!(CKR_OK, C_Initialize(c_null));
+ assert_eq!(
+ CKR_OK,
+ C_OpenSession(
+ SLOT_ID_ROOTS,
+ CKF_SERIAL_SESSION,
+ c_null,
+ None,
+ &mut session as *mut CK_SESSION_HANDLE
+ )
+ );
+ assert_eq!(
+ CKR_OK,
+ C_GetAttributeValue(session, object, template_ptr, 1)
+ );
+ let len = template[0].ulValueLen as usize;
+ assert_eq!(len, BUILTINS[0].der_name.len());
+
+ let value: &mut [u8] = &mut vec![0; 1];
+ let value_ptr: *mut u8 = &mut value[0] as *mut u8;
+ template[0].pValue = value_ptr as *mut std::ffi::c_void;
+ template[0].ulValueLen = 1;
+ assert_eq!(
+ CKR_BUFFER_TOO_SMALL,
+ C_GetAttributeValue(session, object, template_ptr, 1)
+ );
+ assert_eq!(template[0].ulValueLen, CK_UNAVAILABLE_INFORMATION);
+
+ let value: &mut [u8] = &mut vec![0; len];
+ let value_ptr: *mut u8 = &mut value[0] as *mut u8;
+ template[0].pValue = value_ptr as *mut std::ffi::c_void;
+ template[0].ulValueLen = len as CK_ULONG;
+ assert_eq!(
+ CKR_OK,
+ C_GetAttributeValue(session, object, template_ptr, 1)
+ );
+ assert_eq!(value, BUILTINS[0].der_name);
+ assert_eq!(CKR_OK, C_Finalize(c_null));
+ }
+}
diff --git a/security/manager/ssl/builtins/src/version.rs b/security/manager/ssl/builtins/src/version.rs
new file mode 100644
index 0000000000..f4fc63711d
--- /dev/null
+++ b/security/manager/ssl/builtins/src/version.rs
@@ -0,0 +1,6 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+include!(concat!(env!("OUT_DIR"), "/version.rs"));
diff --git a/security/manager/ssl/cert_storage/Cargo.toml b/security/manager/ssl/cert_storage/Cargo.toml
new file mode 100644
index 0000000000..5d505843f5
--- /dev/null
+++ b/security/manager/ssl/cert_storage/Cargo.toml
@@ -0,0 +1,24 @@
+[package]
+name = "cert_storage"
+version = "0.0.1"
+authors = ["Dana Keeler <dkeeler@mozilla.com>", "Mark Goodwin <mgoodwin@mozilla.com"]
+license = "MPL-2.0"
+
+[dependencies]
+base64 = "0.21.0"
+byteorder = "1.2.7"
+crossbeam-utils = "0.8"
+cstr = "0.2"
+log = "0.4"
+moz_task = { path = "../../../../xpcom/rust/moz_task" }
+nserror = { path = "../../../../xpcom/rust/nserror" }
+nsstring = { path = "../../../../xpcom/rust/nsstring" }
+rkv = { version = "0.19", default-features = false }
+rust_cascade = "1.4.0"
+sha2 = "0.10.2"
+storage_variant = { path = "../../../../storage/variant" }
+tempfile = "3"
+thin-vec = { version = "0.2.1", features = ["gecko-ffi"] }
+time = "0.1"
+xpcom = { path = "../../../../xpcom/rust/xpcom" }
+wr_malloc_size_of = { path = "../../../../gfx/wr/wr_malloc_size_of" }
diff --git a/security/manager/ssl/cert_storage/src/cert_storage.h b/security/manager/ssl/cert_storage/src/cert_storage.h
new file mode 100644
index 0000000000..e420067b03
--- /dev/null
+++ b/security/manager/ssl/cert_storage/src/cert_storage.h
@@ -0,0 +1,24 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _cert_storage_h_
+#define _cert_storage_h_
+
+#include "nsISupportsUtils.h" // for nsresult, etc.
+
+// {16e5c837-f877-4e23-9c64-eddf905e30e6}
+#define NS_CERT_STORAGE_CID \
+ { \
+ 0x16e5c837, 0xf877, 0x4e23, { \
+ 0x9c, 0x64, 0xed, 0xdf, 0x90, 0x5e, 0x30, 0xe6 \
+ } \
+ }
+
+extern "C" {
+nsresult cert_storage_constructor(REFNSIID iid, void** result);
+};
+
+#endif // _cert_storage_h_
diff --git a/security/manager/ssl/cert_storage/src/lib.rs b/security/manager/ssl/cert_storage/src/lib.rs
new file mode 100644
index 0000000000..71c966fa4c
--- /dev/null
+++ b/security/manager/ssl/cert_storage/src/lib.rs
@@ -0,0 +1,1807 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+extern crate base64;
+extern crate byteorder;
+extern crate crossbeam_utils;
+#[macro_use]
+extern crate cstr;
+#[macro_use]
+extern crate log;
+extern crate moz_task;
+extern crate nserror;
+extern crate nsstring;
+extern crate rkv;
+extern crate rust_cascade;
+extern crate sha2;
+extern crate thin_vec;
+extern crate time;
+#[macro_use]
+extern crate xpcom;
+extern crate storage_variant;
+extern crate tempfile;
+
+extern crate wr_malloc_size_of;
+use wr_malloc_size_of as malloc_size_of;
+
+use base64::prelude::*;
+use byteorder::{LittleEndian, NetworkEndian, ReadBytesExt, WriteBytesExt};
+use crossbeam_utils::atomic::AtomicCell;
+use malloc_size_of::{MallocSizeOf, MallocSizeOfOps};
+use moz_task::{create_background_task_queue, is_main_thread, Task, TaskRunnable};
+use nserror::{
+ nsresult, NS_ERROR_FAILURE, NS_ERROR_NOT_SAME_THREAD, NS_ERROR_NULL_POINTER,
+ NS_ERROR_UNEXPECTED, NS_OK,
+};
+use nsstring::{nsACString, nsCStr, nsCString, nsString};
+use rkv::backend::{BackendEnvironmentBuilder, SafeMode, SafeModeDatabase, SafeModeEnvironment};
+use rkv::{StoreError, StoreOptions, Value};
+use rust_cascade::Cascade;
+use sha2::{Digest, Sha256};
+use std::collections::{HashMap, HashSet};
+use std::ffi::CString;
+use std::fmt::Display;
+use std::fs::{create_dir_all, remove_file, File, OpenOptions};
+use std::io::{BufRead, BufReader, Read, Write};
+use std::mem::size_of;
+use std::path::{Path, PathBuf};
+use std::str;
+use std::sync::{Arc, RwLock};
+use std::time::{SystemTime, UNIX_EPOCH};
+use storage_variant::VariantType;
+use thin_vec::ThinVec;
+use xpcom::interfaces::{
+ nsICRLiteCoverage, nsICRLiteTimestamp, nsICertInfo, nsICertStorage, nsICertStorageCallback,
+ nsIFile, nsIHandleReportCallback, nsIIssuerAndSerialRevocationState, nsIMemoryReporter,
+ nsIMemoryReporterManager, nsIProperties, nsIRevocationState, nsISerialEventTarget,
+ nsISubjectAndPubKeyRevocationState, nsISupports,
+};
+use xpcom::{nsIID, GetterAddrefs, RefPtr, ThreadBoundRefPtr, XpCom};
+
+const PREFIX_REV_IS: &str = "is";
+const PREFIX_REV_SPK: &str = "spk";
+const PREFIX_SUBJECT: &str = "subject";
+const PREFIX_CERT: &str = "cert";
+const PREFIX_DATA_TYPE: &str = "datatype";
+
+const LAST_CRLITE_UPDATE_KEY: &str = "last_crlite_update";
+
+const COVERAGE_SERIALIZATION_VERSION: u8 = 1;
+const COVERAGE_V1_ENTRY_BYTES: usize = 48;
+
+const ENROLLMENT_SERIALIZATION_VERSION: u8 = 1;
+const ENROLLMENT_V1_ENTRY_BYTES: usize = 32;
+
+type Rkv = rkv::Rkv<SafeModeEnvironment>;
+type SingleStore = rkv::SingleStore<SafeModeDatabase>;
+
+macro_rules! make_key {
+ ( $prefix:expr, $( $part:expr ),+ ) => {
+ {
+ let mut key = $prefix.as_bytes().to_owned();
+ $( key.extend_from_slice($part); )+
+ key
+ }
+ }
+}
+
+#[allow(non_camel_case_types, non_snake_case)]
+
+/// `SecurityStateError` is a type to represent errors in accessing or
+/// modifying security state.
+#[derive(Debug)]
+struct SecurityStateError {
+ message: String,
+}
+
+impl<T: Display> From<T> for SecurityStateError {
+ /// Creates a new instance of `SecurityStateError` from something that
+ /// implements the `Display` trait.
+ fn from(err: T) -> SecurityStateError {
+ SecurityStateError {
+ message: format!("{}", err),
+ }
+ }
+}
+
+struct EnvAndStore {
+ env: Rkv,
+ store: SingleStore,
+}
+
+impl MallocSizeOf for EnvAndStore {
+ fn size_of(&self, _ops: &mut MallocSizeOfOps) -> usize {
+ self.env
+ .read()
+ .and_then(|reader| {
+ let iter = self.store.iter_start(&reader)?.into_iter();
+ Ok(iter
+ .map(|r| {
+ r.map(|(k, v)| k.len() + v.serialized_size().unwrap_or(0) as usize)
+ .unwrap_or(0)
+ })
+ .sum())
+ })
+ .unwrap_or(0)
+ }
+}
+
+/// `SecurityState`
+struct SecurityState {
+ profile_path: PathBuf,
+ env_and_store: Option<EnvAndStore>,
+ crlite_filter: Option<Cascade>,
+ /// Maps issuer spki hashes to sets of serial numbers.
+ crlite_stash: Option<HashMap<Vec<u8>, HashSet<Vec<u8>>>>,
+ /// Maps an RFC 6962 LogID to a pair of 64 bit unix timestamps
+ crlite_coverage: Option<HashMap<Vec<u8>, (u64, u64)>>,
+ /// Set of `SHA256(subject || spki)` values for enrolled issuers
+ crlite_enrollment: Option<HashSet<Vec<u8>>>,
+ /// Tracks the number of asynchronous operations which have been dispatched but not completed.
+ remaining_ops: i32,
+}
+
+impl SecurityState {
+ pub fn new(profile_path: PathBuf) -> SecurityState {
+ // Since this gets called on the main thread, we don't actually want to open the DB yet.
+ // We do this on-demand later, when we're probably on a certificate verification thread.
+ SecurityState {
+ profile_path,
+ env_and_store: None,
+ crlite_filter: None,
+ crlite_stash: None,
+ crlite_coverage: None,
+ crlite_enrollment: None,
+ remaining_ops: 0,
+ }
+ }
+
+ pub fn db_needs_opening(&self) -> bool {
+ self.env_and_store.is_none()
+ }
+
+ pub fn open_db(&mut self) -> Result<(), SecurityStateError> {
+ if self.env_and_store.is_some() {
+ return Ok(());
+ }
+
+ let store_path = get_store_path(&self.profile_path)?;
+
+ // Open the store in read-write mode to create it (if needed) and migrate data from the old
+ // store (if any).
+ // If opening initially fails, try to remove and recreate the database. Consumers will
+ // repopulate the database as necessary if this happens (see bug 1546361).
+ let env = make_env(store_path.as_path()).or_else(|_| {
+ remove_db(store_path.as_path())?;
+ make_env(store_path.as_path())
+ })?;
+ let store = env.open_single("cert_storage", StoreOptions::create())?;
+
+ // if the profile has a revocations.txt, migrate it and remove the file
+ let mut revocations_path = self.profile_path.clone();
+ revocations_path.push("revocations.txt");
+ if revocations_path.exists() {
+ SecurityState::migrate(&revocations_path, &env, &store)?;
+ remove_file(revocations_path)?;
+ }
+
+ // We already returned early if env_and_store was Some, so this should take the None branch.
+ match self.env_and_store.replace(EnvAndStore { env, store }) {
+ Some(_) => Err(SecurityStateError::from(
+ "env and store already initialized? (did we mess up our threading model?)",
+ )),
+ None => Ok(()),
+ }?;
+ self.load_crlite_filter()?;
+ Ok(())
+ }
+
+ fn migrate(
+ revocations_path: &PathBuf,
+ env: &Rkv,
+ store: &SingleStore,
+ ) -> Result<(), SecurityStateError> {
+ let f = File::open(revocations_path)?;
+ let file = BufReader::new(f);
+ let value = Value::I64(nsICertStorage::STATE_ENFORCE as i64);
+ let mut writer = env.write()?;
+
+ // Add the data from revocations.txt
+ let mut dn: Option<Vec<u8>> = None;
+ for line in file.lines() {
+ let l = match line.map_err(|_| SecurityStateError::from("io error reading line data")) {
+ Ok(data) => data,
+ Err(e) => return Err(e),
+ };
+ if l.len() == 0 || l.starts_with("#") {
+ continue;
+ }
+ let leading_char = match l.chars().next() {
+ Some(c) => c,
+ None => {
+ return Err(SecurityStateError::from(
+ "couldn't get char from non-empty str?",
+ ));
+ }
+ };
+ // In future, we can maybe log migration failures. For now, ignore decoding and storage
+ // errors and attempt to continue.
+ // Check if we have a new DN
+ if leading_char != '\t' && leading_char != ' ' {
+ if let Ok(decoded_dn) = BASE64_STANDARD.decode(&l) {
+ dn = Some(decoded_dn);
+ }
+ continue;
+ }
+ let l_sans_prefix = match BASE64_STANDARD.decode(&l[1..]) {
+ Ok(decoded) => decoded,
+ Err(_) => continue,
+ };
+ if let Some(name) = &dn {
+ if leading_char == '\t' {
+ let _ = store.put(
+ &mut writer,
+ &make_key!(PREFIX_REV_SPK, name, &l_sans_prefix),
+ &value,
+ );
+ } else {
+ let _ = store.put(
+ &mut writer,
+ &make_key!(PREFIX_REV_IS, name, &l_sans_prefix),
+ &value,
+ );
+ }
+ }
+ }
+
+ writer.commit()?;
+ Ok(())
+ }
+
+ fn read_entry(&self, key: &[u8]) -> Result<Option<i16>, SecurityStateError> {
+ let env_and_store = match self.env_and_store.as_ref() {
+ Some(env_and_store) => env_and_store,
+ None => return Err(SecurityStateError::from("env and store not initialized?")),
+ };
+ let reader = env_and_store.env.read()?;
+ match env_and_store.store.get(&reader, key) {
+ Ok(Some(Value::I64(i)))
+ if i <= (std::i16::MAX as i64) && i >= (std::i16::MIN as i64) =>
+ {
+ Ok(Some(i as i16))
+ }
+ Ok(None) => Ok(None),
+ Ok(_) => Err(SecurityStateError::from(
+ "Unexpected type when trying to get a Value::I64",
+ )),
+ Err(_) => Err(SecurityStateError::from(
+ "There was a problem getting the value",
+ )),
+ }
+ }
+
+ pub fn get_has_prior_data(&self, data_type: u8) -> Result<bool, SecurityStateError> {
+ if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_FULL {
+ return Ok(self.crlite_filter.is_some()
+ && self.crlite_coverage.is_some()
+ && self.crlite_enrollment.is_some());
+ }
+ if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_INCREMENTAL {
+ return Ok(self.crlite_stash.is_some());
+ }
+
+ let env_and_store = match self.env_and_store.as_ref() {
+ Some(env_and_store) => env_and_store,
+ None => return Err(SecurityStateError::from("env and store not initialized?")),
+ };
+ let reader = env_and_store.env.read()?;
+ match env_and_store
+ .store
+ .get(&reader, &make_key!(PREFIX_DATA_TYPE, &[data_type]))
+ {
+ Ok(Some(Value::Bool(true))) => Ok(true),
+ Ok(None) => Ok(false),
+ Ok(_) => Err(SecurityStateError::from(
+ "Unexpected type when trying to get a Value::Bool",
+ )),
+ Err(_) => Err(SecurityStateError::from(
+ "There was a problem getting the value",
+ )),
+ }
+ }
+
+ pub fn set_batch_state(
+ &mut self,
+ entries: &[EncodedSecurityState],
+ typ: u8,
+ ) -> Result<(), SecurityStateError> {
+ let env_and_store = match self.env_and_store.as_mut() {
+ Some(env_and_store) => env_and_store,
+ None => return Err(SecurityStateError::from("env and store not initialized?")),
+ };
+ let mut writer = env_and_store.env.write()?;
+ // Make a note that we have prior data of the given type now.
+ env_and_store.store.put(
+ &mut writer,
+ &make_key!(PREFIX_DATA_TYPE, &[typ]),
+ &Value::Bool(true),
+ )?;
+
+ for entry in entries {
+ let key = match entry.key() {
+ Ok(key) => key,
+ Err(e) => {
+ warn!("error base64-decoding key parts - ignoring: {}", e.message);
+ continue;
+ }
+ };
+ env_and_store
+ .store
+ .put(&mut writer, &key, &Value::I64(entry.state() as i64))?;
+ }
+
+ writer.commit()?;
+ Ok(())
+ }
+
+ pub fn get_revocation_state(
+ &self,
+ issuer: &[u8],
+ serial: &[u8],
+ subject: &[u8],
+ pub_key: &[u8],
+ ) -> Result<i16, SecurityStateError> {
+ let mut digest = Sha256::default();
+ digest.update(pub_key);
+ let pub_key_hash = digest.finalize();
+
+ let subject_pubkey = make_key!(PREFIX_REV_SPK, subject, &pub_key_hash);
+ let issuer_serial = make_key!(PREFIX_REV_IS, issuer, serial);
+
+ let st: i16 = match self.read_entry(&issuer_serial) {
+ Ok(Some(value)) => value,
+ Ok(None) => nsICertStorage::STATE_UNSET,
+ Err(_) => {
+ return Err(SecurityStateError::from(
+ "problem reading revocation state (from issuer / serial)",
+ ));
+ }
+ };
+
+ if st != nsICertStorage::STATE_UNSET {
+ return Ok(st);
+ }
+
+ match self.read_entry(&subject_pubkey) {
+ Ok(Some(value)) => Ok(value),
+ Ok(None) => Ok(nsICertStorage::STATE_UNSET),
+ Err(_) => {
+ return Err(SecurityStateError::from(
+ "problem reading revocation state (from subject / pubkey)",
+ ));
+ }
+ }
+ }
+
+ fn issuer_is_enrolled(&self, subject: &[u8], pub_key: &[u8]) -> bool {
+ if let Some(crlite_enrollment) = self.crlite_enrollment.as_ref() {
+ let mut digest = Sha256::default();
+ digest.update(subject);
+ digest.update(pub_key);
+ let issuer_id = digest.finalize();
+ return crlite_enrollment.contains(&issuer_id.to_vec());
+ }
+ return false;
+ }
+
+ fn filter_covers_some_timestamp(&self, timestamps: &[CRLiteTimestamp]) -> bool {
+ if let Some(crlite_coverage) = self.crlite_coverage.as_ref() {
+ for entry in timestamps {
+ if let Some(&(low, high)) = crlite_coverage.get(entry.log_id.as_ref()) {
+ if low <= entry.timestamp && entry.timestamp <= high {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ fn note_crlite_update_time(&mut self) -> Result<(), SecurityStateError> {
+ let seconds_since_epoch = Value::U64(
+ SystemTime::now()
+ .duration_since(UNIX_EPOCH)
+ .map_err(|_| SecurityStateError::from("could not get current time"))?
+ .as_secs(),
+ );
+ let env_and_store = match self.env_and_store.as_mut() {
+ Some(env_and_store) => env_and_store,
+ None => return Err(SecurityStateError::from("env and store not initialized?")),
+ };
+ let mut writer = env_and_store.env.write()?;
+ env_and_store
+ .store
+ .put(&mut writer, LAST_CRLITE_UPDATE_KEY, &seconds_since_epoch)
+ .map_err(|_| SecurityStateError::from("could not store timestamp"))?;
+ writer.commit()?;
+ Ok(())
+ }
+
+ fn is_crlite_fresh(&self) -> bool {
+ let now = match SystemTime::now().duration_since(UNIX_EPOCH) {
+ Ok(t) => t.as_secs(),
+ _ => return false,
+ };
+ let env_and_store = match self.env_and_store.as_ref() {
+ Some(env_and_store) => env_and_store,
+ None => return false,
+ };
+ let reader = match env_and_store.env.read() {
+ Ok(reader) => reader,
+ _ => return false,
+ };
+ match env_and_store.store.get(&reader, LAST_CRLITE_UPDATE_KEY) {
+ Ok(Some(Value::U64(last_update))) if last_update < u64::MAX / 2 => {
+ now < last_update + 60 * 60 * 24 * 10
+ }
+ _ => false,
+ }
+ }
+
+ pub fn set_full_crlite_filter(
+ &mut self,
+ filter: Vec<u8>,
+ enrolled_issuers: Vec<nsCString>,
+ coverage_entries: &[(nsCString, u64, u64)],
+ ) -> Result<(), SecurityStateError> {
+ // First drop any existing crlite filter and clear the accumulated stash.
+ {
+ let _ = self.crlite_filter.take();
+ let _ = self.crlite_stash.take();
+ let _ = self.crlite_coverage.take();
+ let _ = self.crlite_enrollment.take();
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.stash");
+ // Truncate the stash file if it exists.
+ if path.exists() {
+ File::create(path).map_err(|e| {
+ SecurityStateError::from(format!("couldn't truncate stash file: {}", e))
+ })?;
+ }
+ }
+ // Write the new full filter.
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.filter");
+ {
+ let mut filter_file = File::create(&path)?;
+ filter_file.write_all(&filter)?;
+ }
+
+ // Serialize the coverage metadata as a 1 byte version number followed by any number of 48
+ // byte entries. Each entry is a 32 byte (opaque) log id, followed by two 8 byte
+ // timestamps. Each timestamp is an 8 byte unsigned integer in little endian.
+ let mut coverage_bytes =
+ Vec::with_capacity(size_of::<u8>() + coverage_entries.len() * COVERAGE_V1_ENTRY_BYTES);
+ coverage_bytes.push(COVERAGE_SERIALIZATION_VERSION);
+ for (b64_log_id, min_t, max_t) in coverage_entries {
+ let log_id = match BASE64_STANDARD.decode(&b64_log_id) {
+ Ok(log_id) if log_id.len() == 32 => log_id,
+ _ => {
+ warn!("malformed log ID - skipping: {}", b64_log_id);
+ continue;
+ }
+ };
+ coverage_bytes.extend_from_slice(&log_id);
+ coverage_bytes.extend_from_slice(&min_t.to_le_bytes());
+ coverage_bytes.extend_from_slice(&max_t.to_le_bytes());
+ }
+ // Write the coverage file for the new filter
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.coverage");
+ {
+ let mut coverage_file = File::create(&path)?;
+ coverage_file.write_all(&coverage_bytes)?;
+ }
+
+ // Serialize the enrollment list as a 1 byte version number followed by:
+ // Version 1: any number of 32 byte values of the form `SHA256(subject || spki)`.
+ let mut enrollment_bytes = Vec::with_capacity(
+ size_of::<u8>() + enrolled_issuers.len() * ENROLLMENT_V1_ENTRY_BYTES,
+ );
+ enrollment_bytes.push(ENROLLMENT_SERIALIZATION_VERSION);
+ for b64_issuer_id in enrolled_issuers {
+ let issuer_id = match BASE64_STANDARD.decode(&b64_issuer_id) {
+ Ok(issuer_id) if issuer_id.len() == 32 => issuer_id,
+ _ => {
+ warn!("malformed issuer ID - skipping: {}", b64_issuer_id);
+ continue;
+ }
+ };
+ enrollment_bytes.extend_from_slice(&issuer_id);
+ }
+ // Write the enrollment file for the new filter
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.enrollment");
+ {
+ let mut enrollment_file = File::create(&path)?;
+ enrollment_file.write_all(&enrollment_bytes)?;
+ }
+
+ self.note_crlite_update_time()?;
+ self.load_crlite_filter()?;
+ Ok(())
+ }
+
+ fn load_crlite_filter(&mut self) -> Result<(), SecurityStateError> {
+ if self.crlite_filter.is_some() || self.crlite_coverage.is_some() {
+ return Err(SecurityStateError::from(
+ "Both crlite_filter and crlite_coverage should be None here",
+ ));
+ }
+
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.filter");
+ // Before we've downloaded any filters, this file won't exist.
+ if !path.exists() {
+ return Ok(());
+ }
+ let mut filter_file = File::open(path)?;
+ let mut filter_bytes = Vec::new();
+ let _ = filter_file.read_to_end(&mut filter_bytes)?;
+ let crlite_filter = Cascade::from_bytes(filter_bytes)
+ .map_err(|_| SecurityStateError::from("invalid CRLite filter"))?
+ .ok_or(SecurityStateError::from("expecting non-empty filter"))?;
+
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.coverage");
+ if !path.exists() {
+ return Ok(());
+ }
+
+ // Deserialize the coverage metadata.
+ // The format is described in `set_full_crlite_filter`.
+ let coverage_file = File::open(path)?;
+ let coverage_file_len = coverage_file.metadata()?.len() as usize;
+ let mut coverage_reader = BufReader::new(coverage_file);
+ match coverage_reader.read_u8() {
+ Ok(COVERAGE_SERIALIZATION_VERSION) => (),
+ _ => return Err(SecurityStateError::from("unknown CRLite coverage version")),
+ }
+ if (coverage_file_len - 1) % COVERAGE_V1_ENTRY_BYTES != 0 {
+ return Err(SecurityStateError::from("truncated CRLite coverage file"));
+ }
+ let coverage_count = (coverage_file_len - 1) / COVERAGE_V1_ENTRY_BYTES;
+ let mut crlite_coverage: HashMap<Vec<u8>, (u64, u64)> = HashMap::new();
+ for _ in 0..coverage_count {
+ let mut coverage_entry = [0u8; COVERAGE_V1_ENTRY_BYTES];
+ match coverage_reader.read_exact(&mut coverage_entry) {
+ Ok(()) => (),
+ _ => return Err(SecurityStateError::from("truncated CRLite coverage file")),
+ };
+ let log_id = &coverage_entry[0..32];
+ let min_timestamp: u64;
+ let max_timestamp: u64;
+ match (&coverage_entry[32..40]).read_u64::<LittleEndian>() {
+ Ok(value) => min_timestamp = value,
+ _ => return Err(SecurityStateError::from("truncated CRLite coverage file")),
+ }
+ match (&coverage_entry[40..48]).read_u64::<LittleEndian>() {
+ Ok(value) => max_timestamp = value,
+ _ => return Err(SecurityStateError::from("truncated CRLite coverage file")),
+ }
+ crlite_coverage.insert(log_id.to_vec(), (min_timestamp, max_timestamp));
+ }
+
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.enrollment");
+ if !path.exists() {
+ return Ok(());
+ }
+
+ // Deserialize the enrollment metadata.
+ // The format is described in `set_full_crlite_filter`.
+ let enrollment_file = File::open(path)?;
+ let enrollment_file_len = enrollment_file.metadata()?.len() as usize;
+ let mut enrollment_reader = BufReader::new(enrollment_file);
+ match enrollment_reader.read_u8() {
+ Ok(ENROLLMENT_SERIALIZATION_VERSION) => (),
+ _ => {
+ return Err(SecurityStateError::from(
+ "unknown CRLite enrollment version",
+ ))
+ }
+ }
+ if (enrollment_file_len - 1) % ENROLLMENT_V1_ENTRY_BYTES != 0 {
+ return Err(SecurityStateError::from("truncated CRLite enrollment file"));
+ }
+ let enrollment_count = (enrollment_file_len - 1) / ENROLLMENT_V1_ENTRY_BYTES;
+ let mut crlite_enrollment: HashSet<Vec<u8>> = HashSet::new();
+ for _ in 0..enrollment_count {
+ let mut enrollment_entry = [0u8; ENROLLMENT_V1_ENTRY_BYTES];
+ match enrollment_reader.read_exact(&mut enrollment_entry) {
+ Ok(()) => (),
+ _ => return Err(SecurityStateError::from("truncated CRLite enrollment file")),
+ };
+ let issuer_id = &enrollment_entry[..];
+ crlite_enrollment.insert(issuer_id.to_vec());
+ }
+
+ let old_crlite_filter_should_be_none = self.crlite_filter.replace(crlite_filter);
+ assert!(old_crlite_filter_should_be_none.is_none());
+ let old_crlite_coverage_should_be_none = self.crlite_coverage.replace(crlite_coverage);
+ assert!(old_crlite_coverage_should_be_none.is_none());
+ let old_crlite_enrollment_should_be_none =
+ self.crlite_enrollment.replace(crlite_enrollment);
+ assert!(old_crlite_enrollment_should_be_none.is_none());
+ Ok(())
+ }
+
+ pub fn add_crlite_stash(&mut self, stash: Vec<u8>) -> Result<(), SecurityStateError> {
+ // Append the update to the previously-seen stashes.
+ let mut path = get_store_path(&self.profile_path)?;
+ path.push("crlite.stash");
+ let mut stash_file = OpenOptions::new().append(true).create(true).open(path)?;
+ stash_file.write_all(&stash)?;
+ let crlite_stash = self.crlite_stash.get_or_insert(HashMap::new());
+ load_crlite_stash_from_reader_into_map(&mut stash.as_slice(), crlite_stash)?;
+ self.note_crlite_update_time()?;
+ Ok(())
+ }
+
+ pub fn is_cert_revoked_by_stash(
+ &self,
+ issuer_spki: &[u8],
+ serial: &[u8],
+ ) -> Result<bool, SecurityStateError> {
+ let crlite_stash = match self.crlite_stash.as_ref() {
+ Some(crlite_stash) => crlite_stash,
+ None => return Ok(false),
+ };
+ let mut digest = Sha256::default();
+ digest.update(issuer_spki);
+ let lookup_key = digest.finalize().to_vec();
+ let serials = match crlite_stash.get(&lookup_key) {
+ Some(serials) => serials,
+ None => return Ok(false),
+ };
+ Ok(serials.contains(&serial.to_vec()))
+ }
+
+ pub fn get_crlite_revocation_state(
+ &self,
+ issuer: &[u8],
+ issuer_spki: &[u8],
+ serial_number: &[u8],
+ timestamps: &[CRLiteTimestamp],
+ ) -> i16 {
+ if !self.is_crlite_fresh() {
+ return nsICertStorage::STATE_NO_FILTER;
+ }
+ if !self.issuer_is_enrolled(issuer, issuer_spki) {
+ return nsICertStorage::STATE_NOT_ENROLLED;
+ }
+ if !self.filter_covers_some_timestamp(timestamps) {
+ return nsICertStorage::STATE_NOT_COVERED;
+ }
+ let mut digest = Sha256::default();
+ digest.update(issuer_spki);
+ let mut lookup_key = digest.finalize().to_vec();
+ lookup_key.extend_from_slice(serial_number);
+ debug!("CRLite lookup key: {:?}", lookup_key);
+ let result = match &self.crlite_filter {
+ Some(crlite_filter) => crlite_filter.has(lookup_key),
+ // This can only happen if the backing file was deleted or if it or our database has
+ // become corrupted. In any case, we have no information.
+ None => return nsICertStorage::STATE_NO_FILTER,
+ };
+ match result {
+ true => nsICertStorage::STATE_ENFORCE,
+ false => nsICertStorage::STATE_UNSET,
+ }
+ }
+
+ // To store certificates, we create a Cert out of each given cert, subject, and trust tuple. We
+ // hash each certificate with sha-256 to obtain a unique* key for that certificate, and we store
+ // the Cert in the database. We also look up or create a CertHashList for the given subject and
+ // add the new certificate's hash if it isn't present in the list. If it wasn't present, we
+ // write out the updated CertHashList.
+ // *By the pigeon-hole principle, there exist collisions for sha-256, so this key is not
+ // actually unique. We rely on the assumption that sha-256 is a cryptographically strong hash.
+ // If an adversary can find two different certificates with the same sha-256 hash, they can
+ // probably forge a sha-256-based signature, so assuming the keys we create here are unique is
+ // not a security issue.
+ pub fn add_certs(
+ &mut self,
+ certs: &[(nsCString, nsCString, i16)],
+ ) -> Result<(), SecurityStateError> {
+ let env_and_store = match self.env_and_store.as_mut() {
+ Some(env_and_store) => env_and_store,
+ None => return Err(SecurityStateError::from("env and store not initialized?")),
+ };
+ let mut writer = env_and_store.env.write()?;
+ // Make a note that we have prior cert data now.
+ env_and_store.store.put(
+ &mut writer,
+ &make_key!(PREFIX_DATA_TYPE, &[nsICertStorage::DATA_TYPE_CERTIFICATE]),
+ &Value::Bool(true),
+ )?;
+
+ for (cert_der_base64, subject_base64, trust) in certs {
+ let cert_der = match BASE64_STANDARD.decode(&cert_der_base64) {
+ Ok(cert_der) => cert_der,
+ Err(e) => {
+ warn!("error base64-decoding cert - skipping: {}", e);
+ continue;
+ }
+ };
+ let subject = match BASE64_STANDARD.decode(&subject_base64) {
+ Ok(subject) => subject,
+ Err(e) => {
+ warn!("error base64-decoding subject - skipping: {}", e);
+ continue;
+ }
+ };
+ let mut digest = Sha256::default();
+ digest.update(&cert_der);
+ let cert_hash = digest.finalize();
+ let cert_key = make_key!(PREFIX_CERT, &cert_hash);
+ let cert = Cert::new(&cert_der, &subject, *trust)?;
+ env_and_store
+ .store
+ .put(&mut writer, &cert_key, &Value::Blob(&cert.to_bytes()?))?;
+ let subject_key = make_key!(PREFIX_SUBJECT, &subject);
+ let empty_vec = Vec::new();
+ let old_cert_hash_list = match env_and_store.store.get(&writer, &subject_key)? {
+ Some(Value::Blob(hashes)) => hashes.to_owned(),
+ Some(_) => empty_vec,
+ None => empty_vec,
+ };
+ let new_cert_hash_list = CertHashList::add(&old_cert_hash_list, &cert_hash)?;
+ if new_cert_hash_list.len() != old_cert_hash_list.len() {
+ env_and_store.store.put(
+ &mut writer,
+ &subject_key,
+ &Value::Blob(&new_cert_hash_list),
+ )?;
+ }
+ }
+
+ writer.commit()?;
+ Ok(())
+ }
+
+ // Given a list of certificate sha-256 hashes, we can look up each Cert entry in the database.
+ // We use this to find the corresponding subject so we can look up the CertHashList it should
+ // appear in. If that list contains the given hash, we remove it and update the CertHashList.
+ // Finally we delete the Cert entry.
+ pub fn remove_certs_by_hashes(
+ &mut self,
+ hashes_base64: &[nsCString],
+ ) -> Result<(), SecurityStateError> {
+ let env_and_store = match self.env_and_store.as_mut() {
+ Some(env_and_store) => env_and_store,
+ None => return Err(SecurityStateError::from("env and store not initialized?")),
+ };
+ let mut writer = env_and_store.env.write()?;
+ let reader = env_and_store.env.read()?;
+
+ for hash in hashes_base64 {
+ let hash = match BASE64_STANDARD.decode(&hash) {
+ Ok(hash) => hash,
+ Err(e) => {
+ warn!("error decoding hash - ignoring: {}", e);
+ continue;
+ }
+ };
+ let cert_key = make_key!(PREFIX_CERT, &hash);
+ if let Some(Value::Blob(cert_bytes)) = env_and_store.store.get(&reader, &cert_key)? {
+ if let Ok(cert) = Cert::from_bytes(cert_bytes) {
+ let subject_key = make_key!(PREFIX_SUBJECT, &cert.subject);
+ let empty_vec = Vec::new();
+ // We have to use the writer here to make sure we have an up-to-date view of
+ // the cert hash list.
+ let old_cert_hash_list = match env_and_store.store.get(&writer, &subject_key)? {
+ Some(Value::Blob(hashes)) => hashes.to_owned(),
+ Some(_) => empty_vec,
+ None => empty_vec,
+ };
+ let new_cert_hash_list = CertHashList::remove(&old_cert_hash_list, &hash)?;
+ if new_cert_hash_list.len() != old_cert_hash_list.len() {
+ env_and_store.store.put(
+ &mut writer,
+ &subject_key,
+ &Value::Blob(&new_cert_hash_list),
+ )?;
+ }
+ }
+ }
+ match env_and_store.store.delete(&mut writer, &cert_key) {
+ Ok(()) => {}
+ Err(StoreError::KeyValuePairNotFound) => {}
+ Err(e) => return Err(SecurityStateError::from(e)),
+ };
+ }
+ writer.commit()?;
+ Ok(())
+ }
+
+ // Given a certificate's subject, we look up the corresponding CertHashList. In theory, each
+ // hash in that list corresponds to a certificate with the given subject, so we look up each of
+ // these (assuming the database is consistent and contains them) and add them to the given list.
+ // If we encounter an inconsistency, we continue looking as best we can.
+ pub fn find_certs_by_subject(
+ &self,
+ subject: &[u8],
+ certs: &mut ThinVec<ThinVec<u8>>,
+ ) -> Result<(), SecurityStateError> {
+ let env_and_store = match self.env_and_store.as_ref() {
+ Some(env_and_store) => env_and_store,
+ None => return Err(SecurityStateError::from("env and store not initialized?")),
+ };
+ let reader = env_and_store.env.read()?;
+ certs.clear();
+ let subject_key = make_key!(PREFIX_SUBJECT, subject);
+ let empty_vec = Vec::new();
+ let cert_hash_list_bytes = match env_and_store.store.get(&reader, &subject_key)? {
+ Some(Value::Blob(hashes)) => hashes,
+ Some(_) => &empty_vec,
+ None => &empty_vec,
+ };
+ let cert_hash_list = CertHashList::new(cert_hash_list_bytes)?;
+ for cert_hash in cert_hash_list.into_iter() {
+ let cert_key = make_key!(PREFIX_CERT, cert_hash);
+ // If there's some inconsistency, we don't want to fail the whole operation - just go
+ // for best effort and find as many certificates as we can.
+ if let Some(Value::Blob(cert_bytes)) = env_and_store.store.get(&reader, &cert_key)? {
+ if let Ok(cert) = Cert::from_bytes(cert_bytes) {
+ let mut thin_vec_cert = ThinVec::with_capacity(cert.der.len());
+ thin_vec_cert.extend_from_slice(&cert.der);
+ certs.push(thin_vec_cert);
+ }
+ }
+ }
+ Ok(())
+ }
+}
+
+impl MallocSizeOf for SecurityState {
+ fn size_of(&self, ops: &mut MallocSizeOfOps) -> usize {
+ self.profile_path.size_of(ops)
+ + self.env_and_store.size_of(ops)
+ + self
+ .crlite_filter
+ .as_ref()
+ .map_or(0, |crlite_filter| crlite_filter.approximate_size_of())
+ + self.crlite_stash.size_of(ops)
+ + self.crlite_coverage.size_of(ops)
+ + self.remaining_ops.size_of(ops)
+ }
+}
+
+const CERT_SERIALIZATION_VERSION_1: u8 = 1;
+
+// A Cert consists of its DER encoding, its DER-encoded subject, and its trust (currently
+// nsICertStorage::TRUST_INHERIT, but in the future nsICertStorage::TRUST_ANCHOR may also be used).
+// The length of each encoding must be representable by a u16 (so 65535 bytes is the longest a
+// certificate can be).
+struct Cert<'a> {
+ der: &'a [u8],
+ subject: &'a [u8],
+ trust: i16,
+}
+
+impl<'a> Cert<'a> {
+ fn new(der: &'a [u8], subject: &'a [u8], trust: i16) -> Result<Cert<'a>, SecurityStateError> {
+ if der.len() > u16::max as usize {
+ return Err(SecurityStateError::from("certificate is too long"));
+ }
+ if subject.len() > u16::max as usize {
+ return Err(SecurityStateError::from("subject is too long"));
+ }
+ Ok(Cert {
+ der,
+ subject,
+ trust,
+ })
+ }
+
+ fn from_bytes(encoded: &'a [u8]) -> Result<Cert<'a>, SecurityStateError> {
+ if encoded.len() < size_of::<u8>() {
+ return Err(SecurityStateError::from("invalid Cert: no version?"));
+ }
+ let (mut version, rest) = encoded.split_at(size_of::<u8>());
+ let version = version.read_u8()?;
+ if version != CERT_SERIALIZATION_VERSION_1 {
+ return Err(SecurityStateError::from("invalid Cert: unexpected version"));
+ }
+
+ if rest.len() < size_of::<u16>() {
+ return Err(SecurityStateError::from("invalid Cert: no der len?"));
+ }
+ let (mut der_len, rest) = rest.split_at(size_of::<u16>());
+ let der_len = der_len.read_u16::<NetworkEndian>()? as usize;
+ if rest.len() < der_len {
+ return Err(SecurityStateError::from("invalid Cert: no der?"));
+ }
+ let (der, rest) = rest.split_at(der_len);
+
+ if rest.len() < size_of::<u16>() {
+ return Err(SecurityStateError::from("invalid Cert: no subject len?"));
+ }
+ let (mut subject_len, rest) = rest.split_at(size_of::<u16>());
+ let subject_len = subject_len.read_u16::<NetworkEndian>()? as usize;
+ if rest.len() < subject_len {
+ return Err(SecurityStateError::from("invalid Cert: no subject?"));
+ }
+ let (subject, mut rest) = rest.split_at(subject_len);
+
+ if rest.len() < size_of::<i16>() {
+ return Err(SecurityStateError::from("invalid Cert: no trust?"));
+ }
+ let trust = rest.read_i16::<NetworkEndian>()?;
+ if rest.len() > 0 {
+ return Err(SecurityStateError::from("invalid Cert: trailing data?"));
+ }
+
+ Ok(Cert {
+ der,
+ subject,
+ trust,
+ })
+ }
+
+ fn to_bytes(&self) -> Result<Vec<u8>, SecurityStateError> {
+ let mut bytes = Vec::with_capacity(
+ size_of::<u8>()
+ + size_of::<u16>()
+ + self.der.len()
+ + size_of::<u16>()
+ + self.subject.len()
+ + size_of::<i16>(),
+ );
+ bytes.write_u8(CERT_SERIALIZATION_VERSION_1)?;
+ if self.der.len() > u16::max as usize {
+ return Err(SecurityStateError::from("certificate is too long"));
+ }
+ bytes.write_u16::<NetworkEndian>(self.der.len() as u16)?;
+ bytes.extend_from_slice(&self.der);
+ if self.subject.len() > u16::max as usize {
+ return Err(SecurityStateError::from("subject is too long"));
+ }
+ bytes.write_u16::<NetworkEndian>(self.subject.len() as u16)?;
+ bytes.extend_from_slice(&self.subject);
+ bytes.write_i16::<NetworkEndian>(self.trust)?;
+ Ok(bytes)
+ }
+}
+
+// A CertHashList is a list of sha-256 hashes of DER-encoded certificates.
+struct CertHashList<'a> {
+ hashes: Vec<&'a [u8]>,
+}
+
+impl<'a> CertHashList<'a> {
+ fn new(hashes_bytes: &'a [u8]) -> Result<CertHashList<'a>, SecurityStateError> {
+ if hashes_bytes.len() % Sha256::output_size() != 0 {
+ return Err(SecurityStateError::from(
+ "unexpected length for cert hash list",
+ ));
+ }
+ let mut hashes = Vec::with_capacity(hashes_bytes.len() / Sha256::output_size());
+ for hash in hashes_bytes.chunks_exact(Sha256::output_size()) {
+ hashes.push(hash);
+ }
+ Ok(CertHashList { hashes })
+ }
+
+ fn add(hashes_bytes: &[u8], new_hash: &[u8]) -> Result<Vec<u8>, SecurityStateError> {
+ if hashes_bytes.len() % Sha256::output_size() != 0 {
+ return Err(SecurityStateError::from(
+ "unexpected length for cert hash list",
+ ));
+ }
+ if new_hash.len() != Sha256::output_size() {
+ return Err(SecurityStateError::from("unexpected cert hash length"));
+ }
+ for hash in hashes_bytes.chunks_exact(Sha256::output_size()) {
+ if hash == new_hash {
+ return Ok(hashes_bytes.to_owned());
+ }
+ }
+ let mut combined = hashes_bytes.to_owned();
+ combined.extend_from_slice(new_hash);
+ Ok(combined)
+ }
+
+ fn remove(hashes_bytes: &[u8], cert_hash: &[u8]) -> Result<Vec<u8>, SecurityStateError> {
+ if hashes_bytes.len() % Sha256::output_size() != 0 {
+ return Err(SecurityStateError::from(
+ "unexpected length for cert hash list",
+ ));
+ }
+ if cert_hash.len() != Sha256::output_size() {
+ return Err(SecurityStateError::from("unexpected cert hash length"));
+ }
+ let mut result = Vec::with_capacity(hashes_bytes.len());
+ for hash in hashes_bytes.chunks_exact(Sha256::output_size()) {
+ if hash != cert_hash {
+ result.extend_from_slice(hash);
+ }
+ }
+ Ok(result)
+ }
+}
+
+impl<'a> IntoIterator for CertHashList<'a> {
+ type Item = &'a [u8];
+ type IntoIter = std::vec::IntoIter<&'a [u8]>;
+
+ fn into_iter(self) -> Self::IntoIter {
+ self.hashes.into_iter()
+ }
+}
+
+// Helper struct for get_crlite_revocation_state.
+struct CRLiteTimestamp {
+ log_id: ThinVec<u8>,
+ timestamp: u64,
+}
+
+// Helper struct for set_batch_state. Takes a prefix, two base64-encoded key
+// parts, and a security state value.
+struct EncodedSecurityState {
+ prefix: &'static str,
+ key_part_1_base64: nsCString,
+ key_part_2_base64: nsCString,
+ state: i16,
+}
+
+impl EncodedSecurityState {
+ fn new(
+ prefix: &'static str,
+ key_part_1_base64: nsCString,
+ key_part_2_base64: nsCString,
+ state: i16,
+ ) -> EncodedSecurityState {
+ EncodedSecurityState {
+ prefix,
+ key_part_1_base64,
+ key_part_2_base64,
+ state,
+ }
+ }
+
+ fn key(&self) -> Result<Vec<u8>, SecurityStateError> {
+ let key_part_1 = BASE64_STANDARD.decode(&self.key_part_1_base64)?;
+ let key_part_2 = BASE64_STANDARD.decode(&self.key_part_2_base64)?;
+ Ok(make_key!(self.prefix, &key_part_1, &key_part_2))
+ }
+
+ fn state(&self) -> i16 {
+ self.state
+ }
+}
+
+fn get_path_from_directory_service(key: &str) -> Result<PathBuf, nserror::nsresult> {
+ let directory_service: RefPtr<nsIProperties> =
+ xpcom::components::Directory::service().map_err(|_| NS_ERROR_FAILURE)?;
+ let cs_key = CString::new(key).map_err(|_| NS_ERROR_FAILURE)?;
+
+ let mut requested_dir = GetterAddrefs::<nsIFile>::new();
+ unsafe {
+ (*directory_service)
+ .Get(
+ (&cs_key).as_ptr(),
+ &nsIFile::IID as *const nsIID,
+ requested_dir.void_ptr(),
+ )
+ .to_result()
+ }?;
+
+ let dir_path = requested_dir.refptr().ok_or(NS_ERROR_FAILURE)?;
+ let mut path = nsString::new();
+ unsafe { (*dir_path).GetPath(&mut *path).to_result() }?;
+ Ok(PathBuf::from(format!("{}", path)))
+}
+
+fn get_profile_path() -> Result<PathBuf, nserror::nsresult> {
+ get_path_from_directory_service("ProfD").or_else(|_| get_path_from_directory_service("TmpD"))
+}
+
+fn get_store_path(profile_path: &PathBuf) -> Result<PathBuf, SecurityStateError> {
+ let mut store_path = profile_path.clone();
+ store_path.push("security_state");
+ create_dir_all(store_path.as_path())?;
+ Ok(store_path)
+}
+
+fn make_env(path: &Path) -> Result<Rkv, SecurityStateError> {
+ let mut builder = Rkv::environment_builder::<SafeMode>();
+ builder.set_max_dbs(2);
+
+ // 16MB is a little over twice the size of the current dataset. When we
+ // eventually switch to the LMDB backend to create the builder above,
+ // we should set this as the map size, since it cannot currently resize.
+ // (The SafeMode backend warns when a map size is specified, so we skip it
+ // for now to avoid console spam.)
+
+ // builder.set_map_size(16777216);
+
+ // Bug 1595004: Migrate databases between backends in the future,
+ // and handle 32 and 64 bit architectures in case of LMDB.
+ Rkv::from_builder(path, builder).map_err(SecurityStateError::from)
+}
+
+fn unconditionally_remove_file(path: &Path) -> Result<(), SecurityStateError> {
+ match remove_file(path) {
+ Ok(()) => Ok(()),
+ Err(e) => match e.kind() {
+ std::io::ErrorKind::NotFound => Ok(()),
+ _ => Err(SecurityStateError::from(e)),
+ },
+ }
+}
+
+fn remove_db(path: &Path) -> Result<(), SecurityStateError> {
+ // Remove LMDB-related files.
+ let db = path.join("data.mdb");
+ unconditionally_remove_file(&db)?;
+ let lock = path.join("lock.mdb");
+ unconditionally_remove_file(&lock)?;
+
+ // Remove SafeMode-related files.
+ let db = path.join("data.safe.bin");
+ unconditionally_remove_file(&db)?;
+
+ Ok(())
+}
+
+// Helper function to read stash information from the given reader and insert the results into the
+// given stash map.
+fn load_crlite_stash_from_reader_into_map(
+ reader: &mut dyn Read,
+ dest: &mut HashMap<Vec<u8>, HashSet<Vec<u8>>>,
+) -> Result<(), SecurityStateError> {
+ // The basic unit of the stash file is an issuer subject public key info
+ // hash (sha-256) followed by a number of serial numbers corresponding
+ // to revoked certificates issued by that issuer. More specifically,
+ // each unit consists of:
+ // 4 bytes little-endian: the number of serial numbers following the issuer spki hash
+ // 1 byte: the length of the issuer spki hash
+ // issuer spki hash length bytes: the issuer spki hash
+ // as many times as the indicated serial numbers:
+ // 1 byte: the length of the serial number
+ // serial number length bytes: the serial number
+ // The stash file consists of any number of these units concatenated
+ // together.
+ loop {
+ let num_serials = match reader.read_u32::<LittleEndian>() {
+ Ok(num_serials) => num_serials,
+ Err(_) => break, // end of input, presumably
+ };
+ let issuer_spki_hash_len = reader.read_u8().map_err(|e| {
+ SecurityStateError::from(format!("error reading stash issuer_spki_hash_len: {}", e))
+ })?;
+ let mut issuer_spki_hash = vec![0; issuer_spki_hash_len as usize];
+ reader.read_exact(&mut issuer_spki_hash).map_err(|e| {
+ SecurityStateError::from(format!("error reading stash issuer_spki_hash: {}", e))
+ })?;
+ let serials = dest.entry(issuer_spki_hash).or_insert(HashSet::new());
+ for _ in 0..num_serials {
+ let serial_len = reader.read_u8().map_err(|e| {
+ SecurityStateError::from(format!("error reading stash serial_len: {}", e))
+ })?;
+ let mut serial = vec![0; serial_len as usize];
+ reader.read_exact(&mut serial).map_err(|e| {
+ SecurityStateError::from(format!("error reading stash serial: {}", e))
+ })?;
+ let _ = serials.insert(serial);
+ }
+ }
+ Ok(())
+}
+
+// This is a helper struct that implements the task that asynchronously reads the CRLite stash on a
+// background thread.
+struct BackgroundReadStashTask {
+ profile_path: PathBuf,
+ security_state: Arc<RwLock<SecurityState>>,
+}
+
+impl BackgroundReadStashTask {
+ fn new(
+ profile_path: PathBuf,
+ security_state: &Arc<RwLock<SecurityState>>,
+ ) -> BackgroundReadStashTask {
+ BackgroundReadStashTask {
+ profile_path,
+ security_state: Arc::clone(security_state),
+ }
+ }
+}
+
+impl Task for BackgroundReadStashTask {
+ fn run(&self) {
+ let mut path = match get_store_path(&self.profile_path) {
+ Ok(path) => path,
+ Err(e) => {
+ error!("error getting security_state path: {}", e.message);
+ return;
+ }
+ };
+ path.push("crlite.stash");
+ // Before we've downloaded any stashes, this file won't exist.
+ if !path.exists() {
+ return;
+ }
+ let stash_file = match File::open(path) {
+ Ok(file) => file,
+ Err(e) => {
+ error!("error opening stash file: {}", e);
+ return;
+ }
+ };
+ let mut stash_reader = BufReader::new(stash_file);
+ let mut crlite_stash = HashMap::new();
+ match load_crlite_stash_from_reader_into_map(&mut stash_reader, &mut crlite_stash) {
+ Ok(()) => {}
+ Err(e) => {
+ error!("error loading crlite stash: {}", e.message);
+ return;
+ }
+ }
+ let mut ss = match self.security_state.write() {
+ Ok(ss) => ss,
+ Err(_) => return,
+ };
+ match ss.crlite_stash.replace(crlite_stash) {
+ Some(_) => {
+ error!("replacing existing crlite stash when reading for the first time?");
+ return;
+ }
+ None => {}
+ }
+ }
+
+ fn done(&self) -> Result<(), nsresult> {
+ Ok(())
+ }
+}
+
+fn do_construct_cert_storage(
+ iid: *const xpcom::nsIID,
+ result: *mut *mut xpcom::reexports::libc::c_void,
+) -> Result<(), nserror::nsresult> {
+ let path_buf = get_profile_path()?;
+ let security_state = Arc::new(RwLock::new(SecurityState::new(path_buf.clone())));
+ let cert_storage = CertStorage::allocate(InitCertStorage {
+ security_state: security_state.clone(),
+ queue: create_background_task_queue(cstr!("cert_storage"))?,
+ });
+ let memory_reporter = MemoryReporter::allocate(InitMemoryReporter { security_state });
+
+ // Dispatch a task to the background task queue to asynchronously read the CRLite stash file (if
+ // present) and load it into cert_storage. This task does not hold the
+ // cert_storage.security_state mutex for the majority of its operation, which allows certificate
+ // verification threads to query cert_storage without blocking. This is important for
+ // performance, but it means that certificate verifications that happen before the task has
+ // completed will not have stash information, and thus may not know of revocations that have
+ // occurred since the last full CRLite filter was downloaded. As long as the last full filter
+ // was downloaded no more than 10 days ago, this is no worse than relying on OCSP responses,
+ // which have a maximum validity of 10 days.
+ // NB: because the background task queue is serial, this task will complete before other tasks
+ // later dispatched to the queue run. This means that other tasks that interact with the stash
+ // will do so with the correct set of preconditions.
+ let load_crlite_stash_task = Box::new(BackgroundReadStashTask::new(
+ path_buf,
+ &cert_storage.security_state,
+ ));
+ let runnable = TaskRunnable::new("LoadCrliteStash", load_crlite_stash_task)?;
+ TaskRunnable::dispatch(runnable, cert_storage.queue.coerce())?;
+
+ if let Some(reporter) = memory_reporter.query_interface::<nsIMemoryReporter>() {
+ if let Some(reporter_manager) = xpcom::get_service::<nsIMemoryReporterManager>(cstr!(
+ "@mozilla.org/memory-reporter-manager;1"
+ )) {
+ unsafe { reporter_manager.RegisterStrongReporter(&*reporter) };
+ }
+ }
+
+ unsafe { cert_storage.QueryInterface(iid, result).to_result() }
+}
+
+// This is a helper for creating a task that will perform a specific action on a background thread.
+struct SecurityStateTask<
+ T: Default + VariantType,
+ F: FnOnce(&mut SecurityState) -> Result<T, SecurityStateError>,
+> {
+ callback: AtomicCell<Option<ThreadBoundRefPtr<nsICertStorageCallback>>>,
+ security_state: Arc<RwLock<SecurityState>>,
+ result: AtomicCell<(nserror::nsresult, T)>,
+ task_action: AtomicCell<Option<F>>,
+}
+
+impl<T: Default + VariantType, F: FnOnce(&mut SecurityState) -> Result<T, SecurityStateError>>
+ SecurityStateTask<T, F>
+{
+ fn new(
+ callback: &nsICertStorageCallback,
+ security_state: &Arc<RwLock<SecurityState>>,
+ task_action: F,
+ ) -> Result<SecurityStateTask<T, F>, nsresult> {
+ let mut ss = security_state.write().or(Err(NS_ERROR_FAILURE))?;
+ ss.remaining_ops = ss.remaining_ops.wrapping_add(1);
+
+ Ok(SecurityStateTask {
+ callback: AtomicCell::new(Some(ThreadBoundRefPtr::new(RefPtr::new(callback)))),
+ security_state: Arc::clone(security_state),
+ result: AtomicCell::new((NS_ERROR_FAILURE, T::default())),
+ task_action: AtomicCell::new(Some(task_action)),
+ })
+ }
+}
+
+impl<T: Default + VariantType, F: FnOnce(&mut SecurityState) -> Result<T, SecurityStateError>> Task
+ for SecurityStateTask<T, F>
+{
+ fn run(&self) {
+ let mut ss = match self.security_state.write() {
+ Ok(ss) => ss,
+ Err(_) => return,
+ };
+ // this is a no-op if the DB is already open
+ if ss.open_db().is_err() {
+ return;
+ }
+ if let Some(task_action) = self.task_action.swap(None) {
+ let rv = task_action(&mut ss)
+ .and_then(|v| Ok((NS_OK, v)))
+ .unwrap_or((NS_ERROR_FAILURE, T::default()));
+ self.result.store(rv);
+ }
+ }
+
+ fn done(&self) -> Result<(), nsresult> {
+ let threadbound = self.callback.swap(None).ok_or(NS_ERROR_FAILURE)?;
+ let callback = threadbound.get_ref().ok_or(NS_ERROR_FAILURE)?;
+ let result = self.result.swap((NS_ERROR_FAILURE, T::default()));
+ let variant = result.1.into_variant();
+ let nsrv = unsafe { callback.Done(result.0, &*variant) };
+
+ let mut ss = self.security_state.write().or(Err(NS_ERROR_FAILURE))?;
+ ss.remaining_ops = ss.remaining_ops.wrapping_sub(1);
+
+ match nsrv {
+ NS_OK => Ok(()),
+ e => Err(e),
+ }
+ }
+}
+
+#[no_mangle]
+pub extern "C" fn cert_storage_constructor(
+ iid: *const xpcom::nsIID,
+ result: *mut *mut xpcom::reexports::libc::c_void,
+) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ match do_construct_cert_storage(iid, result) {
+ Ok(()) => NS_OK,
+ Err(e) => e,
+ }
+}
+
+macro_rules! try_ns {
+ ($e:expr) => {
+ match $e {
+ Ok(value) => value,
+ Err(_) => return NS_ERROR_FAILURE,
+ }
+ };
+ ($e:expr, or continue) => {
+ match $e {
+ Ok(value) => value,
+ Err(err) => {
+ error!("{}", err);
+ continue;
+ }
+ }
+ };
+}
+
+// This macro is a way to ensure the DB has been opened while minimizing lock acquisitions in the
+// common (read-only) case. First we acquire a read lock and see if we even need to open the DB. If
+// not, we can continue with the read lock we already have. Otherwise, we drop the read lock,
+// acquire the write lock, open the DB, drop the write lock, and re-acquire the read lock. While it
+// is possible for two or more threads to all come to the conclusion that they need to open the DB,
+// this isn't ultimately an issue - `open_db` will exit early if another thread has already done the
+// work.
+macro_rules! get_security_state {
+ ($self:expr) => {{
+ let ss_read_only = try_ns!($self.security_state.read());
+ if !ss_read_only.db_needs_opening() {
+ ss_read_only
+ } else {
+ drop(ss_read_only);
+ {
+ let mut ss_write = try_ns!($self.security_state.write());
+ try_ns!(ss_write.open_db());
+ }
+ try_ns!($self.security_state.read())
+ }
+ }};
+}
+
+#[xpcom(implement(nsICertStorage), atomic)]
+struct CertStorage {
+ security_state: Arc<RwLock<SecurityState>>,
+ queue: RefPtr<nsISerialEventTarget>,
+}
+
+/// CertStorage implements the nsICertStorage interface. The actual work is done by the
+/// SecurityState. To handle any threading issues, we have an atomic-refcounted read/write lock on
+/// the one and only SecurityState. So, only one thread can use SecurityState's &mut self functions
+/// at a time, while multiple threads can use &self functions simultaneously (as long as there are
+/// no threads using an &mut self function). The Arc is to allow for the creation of background
+/// tasks that use the SecurityState on the queue owned by CertStorage. This allows us to not block
+/// the main thread.
+#[allow(non_snake_case)]
+impl CertStorage {
+ unsafe fn HasPriorData(
+ &self,
+ data_type: u8,
+ callback: *const nsICertStorageCallback,
+ ) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ if callback.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let task = Box::new(try_ns!(SecurityStateTask::new(
+ &*callback,
+ &self.security_state,
+ move |ss| ss.get_has_prior_data(data_type),
+ )));
+ let runnable = try_ns!(TaskRunnable::new("HasPriorData", task));
+ try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce()));
+ NS_OK
+ }
+
+ unsafe fn GetRemainingOperationCount(&self, state: *mut i32) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ if state.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let ss = try_ns!(self.security_state.read());
+ *state = ss.remaining_ops;
+ NS_OK
+ }
+
+ unsafe fn SetRevocations(
+ &self,
+ revocations: *const ThinVec<Option<RefPtr<nsIRevocationState>>>,
+ callback: *const nsICertStorageCallback,
+ ) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ if revocations.is_null() || callback.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+
+ let revocations = &*revocations;
+ let mut entries = Vec::with_capacity(revocations.len());
+
+ // By continuing when an nsIRevocationState attribute value is invalid,
+ // we prevent errors relating to individual blocklist entries from
+ // causing sync to fail. We will accumulate telemetry on these failures
+ // in bug 1254099.
+
+ for revocation in revocations.iter().flatten() {
+ let mut state: i16 = 0;
+ try_ns!(revocation.GetState(&mut state).to_result(), or continue);
+
+ if let Some(revocation) =
+ (*revocation).query_interface::<nsIIssuerAndSerialRevocationState>()
+ {
+ let mut issuer = nsCString::new();
+ try_ns!(revocation.GetIssuer(&mut *issuer).to_result(), or continue);
+
+ let mut serial = nsCString::new();
+ try_ns!(revocation.GetSerial(&mut *serial).to_result(), or continue);
+
+ entries.push(EncodedSecurityState::new(
+ PREFIX_REV_IS,
+ issuer,
+ serial,
+ state,
+ ));
+ } else if let Some(revocation) =
+ (*revocation).query_interface::<nsISubjectAndPubKeyRevocationState>()
+ {
+ let mut subject = nsCString::new();
+ try_ns!(revocation.GetSubject(&mut *subject).to_result(), or continue);
+
+ let mut pub_key_hash = nsCString::new();
+ try_ns!(revocation.GetPubKey(&mut *pub_key_hash).to_result(), or continue);
+
+ entries.push(EncodedSecurityState::new(
+ PREFIX_REV_SPK,
+ subject,
+ pub_key_hash,
+ state,
+ ));
+ }
+ }
+
+ let task = Box::new(try_ns!(SecurityStateTask::new(
+ &*callback,
+ &self.security_state,
+ move |ss| ss.set_batch_state(&entries, nsICertStorage::DATA_TYPE_REVOCATION),
+ )));
+ let runnable = try_ns!(TaskRunnable::new("SetRevocations", task));
+ try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce()));
+ NS_OK
+ }
+
+ unsafe fn GetRevocationState(
+ &self,
+ issuer: *const ThinVec<u8>,
+ serial: *const ThinVec<u8>,
+ subject: *const ThinVec<u8>,
+ pub_key: *const ThinVec<u8>,
+ state: *mut i16,
+ ) -> nserror::nsresult {
+ // TODO (bug 1541212): We really want to restrict this to non-main-threads only in non-test
+ // contexts, but we can't do so until bug 1406854 is fixed.
+ if issuer.is_null() || serial.is_null() || subject.is_null() || pub_key.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ *state = nsICertStorage::STATE_UNSET;
+ let ss = get_security_state!(self);
+ match ss.get_revocation_state(&*issuer, &*serial, &*subject, &*pub_key) {
+ Ok(st) => {
+ *state = st;
+ NS_OK
+ }
+ _ => NS_ERROR_FAILURE,
+ }
+ }
+
+ unsafe fn SetFullCRLiteFilter(
+ &self,
+ filter: *const ThinVec<u8>,
+ enrolled_issuers: *const ThinVec<nsCString>,
+ coverage: *const ThinVec<Option<RefPtr<nsICRLiteCoverage>>>,
+ callback: *const nsICertStorageCallback,
+ ) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ if filter.is_null()
+ || coverage.is_null()
+ || callback.is_null()
+ || enrolled_issuers.is_null()
+ {
+ return NS_ERROR_NULL_POINTER;
+ }
+
+ let filter_owned = (*filter).to_vec();
+ let enrolled_issuers_owned = (*enrolled_issuers).to_vec();
+
+ let coverage = &*coverage;
+ let mut coverage_entries = Vec::with_capacity(coverage.len());
+ for entry in coverage.iter().flatten() {
+ let mut b64_log_id = nsCString::new();
+ try_ns!((*entry).GetB64LogID(&mut *b64_log_id).to_result(), or continue);
+ let mut min_timestamp: u64 = 0;
+ try_ns!((*entry).GetMinTimestamp(&mut min_timestamp).to_result(), or continue);
+ let mut max_timestamp: u64 = 0;
+ try_ns!((*entry).GetMaxTimestamp(&mut max_timestamp).to_result(), or continue);
+ coverage_entries.push((b64_log_id, min_timestamp, max_timestamp));
+ }
+
+ let task = Box::new(try_ns!(SecurityStateTask::new(
+ &*callback,
+ &self.security_state,
+ move |ss| ss.set_full_crlite_filter(
+ filter_owned,
+ enrolled_issuers_owned,
+ &coverage_entries
+ ),
+ )));
+ let runnable = try_ns!(TaskRunnable::new("SetFullCRLiteFilter", task));
+ try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce()));
+ NS_OK
+ }
+
+ unsafe fn AddCRLiteStash(
+ &self,
+ stash: *const ThinVec<u8>,
+ callback: *const nsICertStorageCallback,
+ ) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ if stash.is_null() || callback.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let stash_owned = (*stash).to_vec();
+ let task = Box::new(try_ns!(SecurityStateTask::new(
+ &*callback,
+ &self.security_state,
+ move |ss| ss.add_crlite_stash(stash_owned),
+ )));
+ let runnable = try_ns!(TaskRunnable::new("AddCRLiteStash", task));
+ try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce()));
+ NS_OK
+ }
+
+ unsafe fn IsCertRevokedByStash(
+ &self,
+ issuer_spki: *const ThinVec<u8>,
+ serial_number: *const ThinVec<u8>,
+ is_revoked: *mut bool,
+ ) -> nserror::nsresult {
+ if issuer_spki.is_null() || serial_number.is_null() || is_revoked.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let ss = get_security_state!(self);
+ *is_revoked = match ss.is_cert_revoked_by_stash(&*issuer_spki, &*serial_number) {
+ Ok(is_revoked) => is_revoked,
+ Err(_) => return NS_ERROR_FAILURE,
+ };
+ NS_OK
+ }
+
+ unsafe fn GetCRLiteRevocationState(
+ &self,
+ issuer: *const ThinVec<u8>,
+ issuerSPKI: *const ThinVec<u8>,
+ serialNumber: *const ThinVec<u8>,
+ timestamps: *const ThinVec<Option<RefPtr<nsICRLiteTimestamp>>>,
+ state: *mut i16,
+ ) -> nserror::nsresult {
+ // TODO (bug 1541212): We really want to restrict this to non-main-threads only, but we
+ // can't do so until bug 1406854 is fixed.
+ if issuer.is_null()
+ || issuerSPKI.is_null()
+ || serialNumber.is_null()
+ || state.is_null()
+ || timestamps.is_null()
+ {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let timestamps = &*timestamps;
+ let mut timestamp_entries = Vec::with_capacity(timestamps.len());
+ for timestamp_entry in timestamps.iter().flatten() {
+ let mut log_id = ThinVec::with_capacity(32);
+ try_ns!(timestamp_entry.GetLogID(&mut log_id).to_result(), or continue);
+ let mut timestamp: u64 = 0;
+ try_ns!(timestamp_entry.GetTimestamp(&mut timestamp).to_result(), or continue);
+ timestamp_entries.push(CRLiteTimestamp { log_id, timestamp });
+ }
+ let ss = get_security_state!(self);
+ *state = ss.get_crlite_revocation_state(
+ &*issuer,
+ &*issuerSPKI,
+ &*serialNumber,
+ &timestamp_entries,
+ );
+ NS_OK
+ }
+
+ unsafe fn AddCerts(
+ &self,
+ certs: *const ThinVec<Option<RefPtr<nsICertInfo>>>,
+ callback: *const nsICertStorageCallback,
+ ) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ if certs.is_null() || callback.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let certs = &*certs;
+ let mut cert_entries = Vec::with_capacity(certs.len());
+ for cert in certs.iter().flatten() {
+ let mut der = nsCString::new();
+ try_ns!((*cert).GetCert(&mut *der).to_result(), or continue);
+ let mut subject = nsCString::new();
+ try_ns!((*cert).GetSubject(&mut *subject).to_result(), or continue);
+ let mut trust: i16 = 0;
+ try_ns!((*cert).GetTrust(&mut trust).to_result(), or continue);
+ cert_entries.push((der, subject, trust));
+ }
+ let task = Box::new(try_ns!(SecurityStateTask::new(
+ &*callback,
+ &self.security_state,
+ move |ss| ss.add_certs(&cert_entries),
+ )));
+ let runnable = try_ns!(TaskRunnable::new("AddCerts", task));
+ try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce()));
+ NS_OK
+ }
+
+ unsafe fn RemoveCertsByHashes(
+ &self,
+ hashes: *const ThinVec<nsCString>,
+ callback: *const nsICertStorageCallback,
+ ) -> nserror::nsresult {
+ if !is_main_thread() {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ if hashes.is_null() || callback.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let hashes = (*hashes).to_vec();
+ let task = Box::new(try_ns!(SecurityStateTask::new(
+ &*callback,
+ &self.security_state,
+ move |ss| ss.remove_certs_by_hashes(&hashes),
+ )));
+ let runnable = try_ns!(TaskRunnable::new("RemoveCertsByHashes", task));
+ try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce()));
+ NS_OK
+ }
+
+ unsafe fn FindCertsBySubject(
+ &self,
+ subject: *const ThinVec<u8>,
+ certs: *mut ThinVec<ThinVec<u8>>,
+ ) -> nserror::nsresult {
+ // TODO (bug 1541212): We really want to restrict this to non-main-threads only, but we
+ // can't do so until bug 1406854 is fixed.
+ if subject.is_null() || certs.is_null() {
+ return NS_ERROR_NULL_POINTER;
+ }
+ let ss = get_security_state!(self);
+ match ss.find_certs_by_subject(&*subject, &mut *certs) {
+ Ok(()) => NS_OK,
+ Err(_) => NS_ERROR_FAILURE,
+ }
+ }
+}
+
+extern "C" {
+ fn cert_storage_malloc_size_of(ptr: *const xpcom::reexports::libc::c_void) -> usize;
+}
+
+#[xpcom(implement(nsIMemoryReporter), atomic)]
+struct MemoryReporter {
+ security_state: Arc<RwLock<SecurityState>>,
+}
+
+#[allow(non_snake_case)]
+impl MemoryReporter {
+ unsafe fn CollectReports(
+ &self,
+ callback: *const nsIHandleReportCallback,
+ data: *const nsISupports,
+ _anonymize: bool,
+ ) -> nserror::nsresult {
+ let ss = try_ns!(self.security_state.read());
+ let mut ops = MallocSizeOfOps::new(cert_storage_malloc_size_of, None);
+ let size = ss.size_of(&mut ops);
+ let callback = match RefPtr::from_raw(callback) {
+ Some(ptr) => ptr,
+ None => return NS_ERROR_UNEXPECTED,
+ };
+ // This does the same as MOZ_COLLECT_REPORT
+ callback.Callback(
+ &nsCStr::new() as &nsACString,
+ &nsCStr::from("explicit/cert-storage/storage") as &nsACString,
+ nsIMemoryReporter::KIND_HEAP,
+ nsIMemoryReporter::UNITS_BYTES,
+ size as i64,
+ &nsCStr::from("Memory used by certificate storage") as &nsACString,
+ data,
+ );
+ NS_OK
+ }
+}
diff --git a/security/manager/ssl/components.conf b/security/manager/ssl/components.conf
new file mode 100644
index 0000000000..7bdcae356a
--- /dev/null
+++ b/security/manager/ssl/components.conf
@@ -0,0 +1,155 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Headers = [
+ '/security/manager/ssl/nsNSSModule.h',
+]
+
+Classes = [
+ {
+ 'cid': '{4cb64dfd-ca98-4e24-befd-0d9285a33bcb}',
+ 'contract_ids': ['@mozilla.org/psm;1'],
+ 'type': 'nsNSSComponent',
+ 'headers': ['nsNSSComponent.h'],
+ 'init_method': 'Init',
+ },
+ {
+ 'cid': '{9ef18451-a157-4d17-8132-47afef213689}',
+ 'contract_ids': ['@mozilla.org/nss_errors_service;1'],
+ 'type': 'mozilla::psm::NSSErrorsService',
+ 'headers': ['NSSErrorsService.h'],
+ 'init_method': 'Init',
+ },
+ {
+ 'cid': '{23ad3531-11d2-4e8e-805a-6a752e91681a}',
+ 'contract_ids': ['@mozilla.org/security/nssversion;1'],
+ 'type': 'nsNSSVersion',
+ 'headers': ['/security/manager/ssl/nsNSSVersion.h'],
+ },
+ {
+ 'cid': '{0c4f1ddc-1dd2-11b2-9d95-f2fdf113044b}',
+ 'contract_ids': ['@mozilla.org/security/sdr;1'],
+ 'type': 'SecretDecoderRing',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<SecretDecoderRing>',
+ },
+ {
+ 'cid': '{b084a2ce-1dd1-11b2-bf10-8324f8e065cc}',
+ 'contract_ids': ['@mozilla.org/security/pk11tokendb;1'],
+ 'type': 'nsPK11TokenDB',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsPK11TokenDB>',
+ },
+ {
+ 'cid': '{ff9fbcd7-9517-4334-b97a-ceed78909974}',
+ 'contract_ids': ['@mozilla.org/security/pkcs11moduledb;1'],
+ 'type': 'mozilla::psm::PKCS11ModuleDB',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<mozilla::psm::PKCS11ModuleDB>',
+ },
+ {
+ 'cid': '{660a3226-915c-4ffb-bb20-8985a632df05}',
+ 'contract_ids': [],
+ 'type': 'nsNSSCertificate',
+ 'headers': ['nsNSSCertificate.h'],
+ },
+ {
+ 'cid': '{fb0bbc5c-452e-4783-b32c-80124693d871}',
+ 'contract_ids': ['@mozilla.org/security/x509certdb;1'],
+ 'type': 'nsNSSCertificateDB',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsNSSCertificateDB>',
+ },
+ {
+ 'cid': '{1dbc6eb6-0972-4bdb-9dc4-acd0abf72369}',
+ 'contract_ids': ['@mozilla.org/security/clientAuthRememberService;1'],
+ 'type': 'nsClientAuthRememberService',
+ 'headers': ['nsClientAuthRemember.h'],
+ 'init_method': 'Init',
+ },
+ {
+ 'cid': '{36a1d3b3-d886-4317-96ff-87b0005cfef7}',
+ 'contract_ids': ['@mozilla.org/security/hash;1'],
+ 'headers': ['/security/manager/ssl/crypto_hash/crypto_hash.h'],
+ 'legacy_constructor': 'crypto_hash_constructor',
+ },
+ {
+ 'cid': '{45a5fe2f-c350-4b86-962d-02d5aaaa955a}',
+ 'contract_ids': ['@mozilla.org/security/contentsignatureverifier;1'],
+ 'type': 'ContentSignatureVerifier',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<ContentSignatureVerifier>',
+ },
+ {
+ 'cid': '{67ba681d-5485-4fff-952c-2ee337ffdcd6}',
+ 'contract_ids': ['@mozilla.org/security/certoverride;1'],
+ 'type': 'nsCertOverrideService',
+ 'headers': ['/security/manager/ssl/nsCertOverrideService.h'],
+ 'init_method': 'Init',
+ },
+ {
+ 'cid': '{be65e2b7-fe46-4e0f-88e0-4b385db4d68a}',
+ 'contract_ids': ['@mozilla.org/security/random-generator;1'],
+ 'type': 'nsRandomGenerator',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsRandomGenerator>',
+ },
+ {
+ 'cid': '{16786594-0296-4471-8096-8f84497ca428}',
+ 'contract_ids': ['@mozilla.org/security/transportsecurityinfo;1'],
+ 'type': 'mozilla::psm::TransportSecurityInfo',
+ },
+ {
+ 'cid': '{16955eee-6c48-4152-9309-c42a465138a1}',
+ 'contract_ids': ['@mozilla.org/ssservice;1'],
+ 'type': 'nsSiteSecurityService',
+ 'headers': ['/security/manager/ssl/nsSiteSecurityService.h'],
+ 'init_method': 'Init',
+ 'processes': ProcessSelector.MAIN_PROCESS_ONLY,
+ },
+ {
+ 'cid': '{57972956-5718-42d2-8070-b3fc72212eaf}',
+ 'contract_ids': ['@mozilla.org/security/oskeystore;1'],
+ 'type': 'OSKeyStore',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<OSKeyStore>',
+ },
+ {
+ 'cid': '{4fe082ae-6ff0-4b41-b24f-eaa664f6e46a}',
+ 'contract_ids': ['@mozilla.org/security/osreauthenticator;1'],
+ 'type': 'OSReauthenticator',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<OSReauthenticator>',
+ },
+ {
+ 'cid': '{16e5c837-f877-4e23-9c64-eddf905e30e6}',
+ 'contract_ids': ['@mozilla.org/security/certstorage;1'],
+ 'headers': ['/security/manager/ssl/cert_storage/src/cert_storage.h'],
+ 'legacy_constructor': 'cert_storage_constructor',
+ },
+ {
+ 'cid': '{f64432b9-e8c6-41b4-b2da-8eb004344bba}',
+ 'contract_ids': ['@mozilla.org/security/publickeypinningservice;1'],
+ 'type': 'psm::PublicKeyPinningService',
+ 'headers': ['/security/manager/ssl/PublicKeyPinningService.h'],
+ },
+ {
+ 'cid': '{4ea60761-31d6-491d-9e34-4b53a26c416c}',
+ 'contract_ids': ['@mozilla.org/security/nsCertTree;1'],
+ 'type': 'nsCertTree',
+ 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsCertTree>',
+ },
+ {
+ 'cid': '{9676cfc4-6e84-11ec-a30d-d3cd0af86e01}',
+ 'contract_ids': ['@mozilla.org/security/CRLiteTimestamp;1'],
+ 'type': 'mozilla::psm::CRLiteTimestamp',
+ 'headers': ['/security/certverifier/CRLiteTimestamp.h'],
+ },
+ {
+ 'cid': '{71b49926-fd4e-43e2-ab8d-d9b049413c0b}',
+ 'contract_ids': ['@mozilla.org/security/datastoragemanager;1'],
+ 'type': 'mozilla::DataStorageManager',
+ 'headers': ['/security/manager/ssl/DataStorageManager.h'],
+ },
+ {
+ 'cid': '{d7d2490d-2640-411b-9f09-a538803c11ee}',
+ 'contract_ids': ['@mozilla.org/security/ClientAuthDialogService;1'],
+ 'esModule': 'resource://gre/modules/psm/ClientAuthDialogService.sys.mjs',
+ 'constructor': 'ClientAuthDialogService',
+ },
+]
diff --git a/security/manager/ssl/content-signature-local.crt b/security/manager/ssl/content-signature-local.crt
new file mode 100644
index 0000000000..2acff7d7d6
--- /dev/null
+++ b/security/manager/ssl/content-signature-local.crt
Binary files differ
diff --git a/security/manager/ssl/content-signature-prod.crt b/security/manager/ssl/content-signature-prod.crt
new file mode 100644
index 0000000000..6ab711b996
--- /dev/null
+++ b/security/manager/ssl/content-signature-prod.crt
Binary files differ
diff --git a/security/manager/ssl/content-signature-stage.crt b/security/manager/ssl/content-signature-stage.crt
new file mode 100644
index 0000000000..38d36cb3f4
--- /dev/null
+++ b/security/manager/ssl/content-signature-stage.crt
Binary files differ
diff --git a/security/manager/ssl/crashtests/398665-1.html b/security/manager/ssl/crashtests/398665-1.html
new file mode 100644
index 0000000000..85afb1137f
--- /dev/null
+++ b/security/manager/ssl/crashtests/398665-1.html
@@ -0,0 +1 @@
+<html><body><keygen></keygen></body></html>
diff --git a/security/manager/ssl/crashtests/crashtests.list b/security/manager/ssl/crashtests/crashtests.list
new file mode 100644
index 0000000000..fbc5b85043
--- /dev/null
+++ b/security/manager/ssl/crashtests/crashtests.list
@@ -0,0 +1 @@
+load 398665-1.html
diff --git a/security/manager/ssl/crypto_hash/Cargo.toml b/security/manager/ssl/crypto_hash/Cargo.toml
new file mode 100644
index 0000000000..f842368d4b
--- /dev/null
+++ b/security/manager/ssl/crypto_hash/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "crypto_hash"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+base64 = "0.21"
+digest = "0.10.2"
+libc = "0.2"
+md-5 = "0.10.2"
+nserror = { path = "../../../../xpcom/rust/nserror" }
+nsstring = { path = "../../../../xpcom/rust/nsstring" }
+sha1 = "0.10.2"
+sha2 = "0.10.2"
+xpcom = { path = "../../../../xpcom/rust/xpcom" }
diff --git a/security/manager/ssl/crypto_hash/crypto_hash.h b/security/manager/ssl/crypto_hash/crypto_hash.h
new file mode 100644
index 0000000000..a85993b041
--- /dev/null
+++ b/security/manager/ssl/crypto_hash/crypto_hash.h
@@ -0,0 +1,46 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsICryptoHash.h"
+
+extern "C" {
+nsresult crypto_hash_constructor(REFNSIID iid, void** result);
+};
+
+nsresult NS_NewCryptoHash(uint32_t aHashType, nsICryptoHash** aOutHasher) {
+ MOZ_ASSERT(aOutHasher);
+
+ nsCOMPtr<nsICryptoHash> hasher;
+ nsresult rv =
+ crypto_hash_constructor(NS_ICRYPTOHASH_IID, getter_AddRefs(hasher));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = hasher->Init(aHashType);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ hasher.forget(aOutHasher);
+
+ return NS_OK;
+}
+
+nsresult NS_NewCryptoHash(const nsACString& aHashType,
+ nsICryptoHash** aOutHasher) {
+ MOZ_ASSERT(aOutHasher);
+
+ nsCOMPtr<nsICryptoHash> hasher;
+ nsresult rv =
+ crypto_hash_constructor(NS_ICRYPTOHASH_IID, getter_AddRefs(hasher));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = hasher->InitWithString(aHashType);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ hasher.forget(aOutHasher);
+
+ return NS_OK;
+}
diff --git a/security/manager/ssl/crypto_hash/src/lib.rs b/security/manager/ssl/crypto_hash/src/lib.rs
new file mode 100644
index 0000000000..9303f3cfd9
--- /dev/null
+++ b/security/manager/ssl/crypto_hash/src/lib.rs
@@ -0,0 +1,177 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+extern crate base64;
+extern crate digest;
+extern crate libc;
+extern crate md5;
+extern crate nsstring;
+extern crate sha1;
+extern crate sha2;
+#[macro_use]
+extern crate xpcom;
+
+use base64::Engine;
+use digest::{Digest, DynDigest};
+use nserror::{
+ nsresult, NS_ERROR_FAILURE, NS_ERROR_INVALID_ARG, NS_ERROR_NOT_AVAILABLE,
+ NS_ERROR_NOT_INITIALIZED, NS_OK,
+};
+use nsstring::{nsACString, nsCString};
+use xpcom::interfaces::{nsICryptoHash, nsIInputStream};
+use xpcom::xpcom_method;
+
+use std::borrow::Borrow;
+use std::sync::Mutex;
+
+enum Algorithm {
+ Md5,
+ Sha1,
+ Sha256,
+ Sha384,
+ Sha512,
+}
+
+impl TryFrom<u32> for Algorithm {
+ type Error = nsresult;
+
+ fn try_from(value: u32) -> Result<Self, Self::Error> {
+ match value {
+ nsICryptoHash::MD5 => Ok(Algorithm::Md5),
+ nsICryptoHash::SHA1 => Ok(Algorithm::Sha1),
+ nsICryptoHash::SHA256 => Ok(Algorithm::Sha256),
+ nsICryptoHash::SHA384 => Ok(Algorithm::Sha384),
+ nsICryptoHash::SHA512 => Ok(Algorithm::Sha512),
+ _ => Err(NS_ERROR_INVALID_ARG),
+ }
+ }
+}
+
+impl TryFrom<&nsACString> for Algorithm {
+ type Error = nsresult;
+
+ fn try_from(value: &nsACString) -> Result<Self, Self::Error> {
+ match value.to_utf8().borrow() {
+ "md5" => Ok(Algorithm::Md5),
+ "sha1" => Ok(Algorithm::Sha1),
+ "sha256" => Ok(Algorithm::Sha256),
+ "sha384" => Ok(Algorithm::Sha384),
+ "sha512" => Ok(Algorithm::Sha512),
+ _ => Err(NS_ERROR_INVALID_ARG),
+ }
+ }
+}
+
+#[xpcom(implement(nsICryptoHash), atomic)]
+struct CryptoHash {
+ digest: Mutex<Option<Box<dyn DynDigest>>>,
+}
+
+impl CryptoHash {
+ xpcom_method!(init => Init(algorithm: u32));
+ fn init(&self, algorithm: u32) -> Result<(), nsresult> {
+ let algorithm = algorithm.try_into()?;
+ self.init_with_algorithm(algorithm)
+ }
+
+ xpcom_method!(init_with_string => InitWithString(algorithm: *const nsACString));
+ fn init_with_string(&self, algorithm: &nsACString) -> Result<(), nsresult> {
+ let algorithm = algorithm.try_into()?;
+ self.init_with_algorithm(algorithm)
+ }
+
+ fn init_with_algorithm(&self, algorithm: Algorithm) -> Result<(), nsresult> {
+ let digest = match algorithm {
+ Algorithm::Md5 => Box::new(md5::Md5::new()) as Box<dyn DynDigest>,
+ Algorithm::Sha1 => Box::new(sha1::Sha1::new()) as Box<dyn DynDigest>,
+ Algorithm::Sha256 => Box::new(sha2::Sha256::new()) as Box<dyn DynDigest>,
+ Algorithm::Sha384 => Box::new(sha2::Sha384::new()) as Box<dyn DynDigest>,
+ Algorithm::Sha512 => Box::new(sha2::Sha512::new()) as Box<dyn DynDigest>,
+ };
+ let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?;
+ if let Some(_expected_none_digest) = (*guard).replace(digest) {
+ return Err(NS_ERROR_FAILURE);
+ }
+ Ok(())
+ }
+
+ xpcom_method!(update => Update(data: *const u8, len: u32));
+ fn update(&self, data: *const u8, len: u32) -> Result<(), nsresult> {
+ let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?;
+ let digest = match (*guard).as_mut() {
+ Some(digest) => digest,
+ None => return Err(NS_ERROR_NOT_INITIALIZED),
+ };
+ // Safety: this is safe as long as xpcom gave us valid arguments.
+ let data = unsafe {
+ std::slice::from_raw_parts(data, len.try_into().map_err(|_| NS_ERROR_INVALID_ARG)?)
+ };
+ digest.update(data);
+ Ok(())
+ }
+
+ xpcom_method!(update_from_stream => UpdateFromStream(stream: *const nsIInputStream, len: u32));
+ fn update_from_stream(&self, stream: &nsIInputStream, len: u32) -> Result<(), nsresult> {
+ let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?;
+ let digest = match (*guard).as_mut() {
+ Some(digest) => digest,
+ None => return Err(NS_ERROR_NOT_INITIALIZED),
+ };
+ let mut available = 0u64;
+ unsafe { stream.Available(&mut available as *mut u64).to_result()? };
+ let mut to_read = if len == u32::MAX { available } else { len as u64 };
+ if available == 0 || available < to_read {
+ return Err(NS_ERROR_NOT_AVAILABLE);
+ }
+ let mut buf = vec![0u8; 4096];
+ let buf_len = buf.len() as u64;
+ while to_read > 0 {
+ let chunk_len = if to_read >= buf_len { buf_len as u32 } else { to_read as u32 };
+ let mut read = 0u32;
+ unsafe {
+ stream
+ .Read(
+ buf.as_mut_ptr() as *mut libc::c_char,
+ chunk_len,
+ &mut read as *mut u32,
+ )
+ .to_result()?
+ };
+ if read > chunk_len {
+ return Err(NS_ERROR_FAILURE);
+ }
+ digest.update(&buf[0..read.try_into().map_err(|_| NS_ERROR_FAILURE)?]);
+ to_read -= read as u64;
+ }
+ Ok(())
+ }
+
+ xpcom_method!(finish => Finish(ascii: bool) -> nsACString);
+ fn finish(&self, ascii: bool) -> Result<nsCString, nsresult> {
+ let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?;
+ let digest = match (*guard).take() {
+ Some(digest) => digest,
+ None => return Err(NS_ERROR_NOT_INITIALIZED),
+ };
+ let result = digest.finalize();
+ if ascii {
+ Ok(nsCString::from(
+ base64::engine::general_purpose::STANDARD.encode(result),
+ ))
+ } else {
+ Ok(nsCString::from(result))
+ }
+ }
+}
+
+#[no_mangle]
+pub extern "C" fn crypto_hash_constructor(
+ iid: *const xpcom::nsIID,
+ result: *mut *mut xpcom::reexports::libc::c_void,
+) -> nserror::nsresult {
+ let crypto_hash = CryptoHash::allocate(InitCryptoHash {
+ digest: Mutex::new(None),
+ });
+ unsafe { crypto_hash.QueryInterface(iid, result) }
+}
diff --git a/security/manager/ssl/data_storage/Cargo.toml b/security/manager/ssl/data_storage/Cargo.toml
new file mode 100644
index 0000000000..a90b44c69d
--- /dev/null
+++ b/security/manager/ssl/data_storage/Cargo.toml
@@ -0,0 +1,18 @@
+[package]
+name = "data_storage"
+version = "0.0.1"
+edition = "2021"
+license = "MPL-2.0"
+
+[dependencies]
+byteorder = "1"
+cstr = "0.2"
+firefox-on-glean = { path = "../../../../toolkit/components/glean/api" }
+log = "0.4"
+malloc_size_of_derive = { path = "../../../../xpcom/rust/malloc_size_of_derive" }
+moz_task = { path = "../../../../xpcom/rust/moz_task" }
+nserror = { path = "../../../../xpcom/rust/nserror" }
+nsstring = { path = "../../../../xpcom/rust/nsstring" }
+thin-vec = { version = "0.2.1", features = ["gecko-ffi"] }
+wr_malloc_size_of = { path = "../../../../gfx/wr/wr_malloc_size_of" }
+xpcom = { path = "../../../../xpcom/rust/xpcom" }
diff --git a/security/manager/ssl/data_storage/src/lib.rs b/security/manager/ssl/data_storage/src/lib.rs
new file mode 100644
index 0000000000..8cbbf05563
--- /dev/null
+++ b/security/manager/ssl/data_storage/src/lib.rs
@@ -0,0 +1,1017 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+extern crate byteorder;
+#[macro_use]
+extern crate cstr;
+extern crate firefox_on_glean;
+#[macro_use]
+extern crate log;
+#[macro_use]
+extern crate malloc_size_of_derive;
+extern crate moz_task;
+extern crate nserror;
+extern crate thin_vec;
+extern crate wr_malloc_size_of;
+#[macro_use]
+extern crate xpcom;
+
+use wr_malloc_size_of as malloc_size_of;
+
+use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
+use firefox_on_glean::metrics::data_storage;
+use malloc_size_of::{MallocSizeOf, MallocSizeOfOps};
+use moz_task::{create_background_task_queue, RunnableBuilder};
+use nserror::{
+ nsresult, NS_ERROR_FAILURE, NS_ERROR_ILLEGAL_INPUT, NS_ERROR_INVALID_ARG,
+ NS_ERROR_NOT_AVAILABLE, NS_OK,
+};
+use nsstring::{nsACString, nsAString, nsCStr, nsCString, nsString};
+use thin_vec::ThinVec;
+use xpcom::interfaces::{
+ nsIDataStorage, nsIDataStorageItem, nsIFile, nsIHandleReportCallback, nsIMemoryReporter,
+ nsIMemoryReporterManager, nsIObserverService, nsIProperties, nsISerialEventTarget, nsISupports,
+};
+use xpcom::{xpcom_method, RefPtr, XpCom};
+
+use std::collections::HashMap;
+use std::ffi::CStr;
+use std::fs::{File, OpenOptions};
+use std::io::{BufRead, BufReader, ErrorKind, Read, Seek, SeekFrom, Write};
+use std::os::raw::{c_char, c_void};
+use std::path::PathBuf;
+use std::sync::{Condvar, Mutex};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
+
+/// Helper type for turning the nsIDataStorage::DataType "enum" into a rust
+/// enum.
+#[derive(Copy, Clone, Eq, PartialEq)]
+enum DataType {
+ Persistent,
+ Private,
+}
+
+impl From<u8> for DataType {
+ fn from(value: u8) -> Self {
+ match value {
+ nsIDataStorage::Persistent => DataType::Persistent,
+ nsIDataStorage::Private => DataType::Private,
+ _ => panic!("invalid nsIDataStorage::DataType"),
+ }
+ }
+}
+
+impl From<DataType> for u8 {
+ fn from(value: DataType) -> Self {
+ match value {
+ DataType::Persistent => nsIDataStorage::Persistent,
+ DataType::Private => nsIDataStorage::Private,
+ }
+ }
+}
+
+/// Returns the current day in days since the unix epoch, to a maximum of
+/// u16::MAX days.
+fn now_in_days() -> u16 {
+ const SECONDS_PER_DAY: u64 = 60 * 60 * 24;
+ let now = SystemTime::now()
+ .duration_since(UNIX_EPOCH)
+ .unwrap_or(Duration::ZERO);
+ (now.as_secs() / SECONDS_PER_DAY)
+ .try_into()
+ .unwrap_or(u16::MAX)
+}
+
+/// An entry in some DataStorageTable.
+#[derive(Clone, MallocSizeOf)]
+struct Entry {
+ /// The number of unique days this Entry has been accessed on.
+ score: u16,
+ /// The number of days since the unix epoch this Entry was last accessed.
+ last_accessed: u16,
+ /// The key.
+ key: Vec<u8>,
+ /// The value.
+ value: Vec<u8>,
+ /// The slot index of this Entry.
+ slot_index: usize,
+}
+
+impl Entry {
+ /// Constructs an Entry given a line of text from the old DataStorage format.
+ fn from_old_line(line: &str, slot_index: usize, value_length: usize) -> Result<Self, nsresult> {
+ // the old format is <key>\t<score>\t<last accessed>\t<value>
+ let parts: Vec<&str> = line.split('\t').collect();
+ if parts.len() != 4 {
+ return Err(NS_ERROR_ILLEGAL_INPUT);
+ }
+ let score = parts[1]
+ .parse::<u16>()
+ .map_err(|_| NS_ERROR_ILLEGAL_INPUT)?;
+ let last_accessed = parts[2]
+ .parse::<u16>()
+ .map_err(|_| NS_ERROR_ILLEGAL_INPUT)?;
+ let key = Vec::from(parts[0]);
+ if key.len() > KEY_LENGTH {
+ return Err(NS_ERROR_ILLEGAL_INPUT);
+ }
+ let value = Vec::from(parts[3]);
+ if value.len() > value_length {
+ return Err(NS_ERROR_ILLEGAL_INPUT);
+ }
+ Ok(Entry {
+ score,
+ last_accessed,
+ key,
+ value,
+ slot_index,
+ })
+ }
+
+ /// Constructs an Entry given the parsed parts from the current format.
+ fn from_slot(
+ score: u16,
+ last_accessed: u16,
+ key: Vec<u8>,
+ value: Vec<u8>,
+ slot_index: usize,
+ ) -> Self {
+ Entry {
+ score,
+ last_accessed,
+ key,
+ value,
+ slot_index,
+ }
+ }
+
+ /// Constructs a new Entry given a key, value, and index.
+ fn new(key: Vec<u8>, value: Vec<u8>, slot_index: usize) -> Self {
+ Entry {
+ score: 1,
+ last_accessed: now_in_days(),
+ key,
+ value,
+ slot_index,
+ }
+ }
+
+ /// Constructs a new, empty `Entry` with the given index. Useful for clearing
+ /// slots on disk.
+ fn new_empty(slot_index: usize) -> Self {
+ Entry {
+ score: 0,
+ last_accessed: 0,
+ key: Vec::new(),
+ value: Vec::new(),
+ slot_index,
+ }
+ }
+
+ /// Returns whether or not this is an empty `Entry` (an empty `Entry` has
+ /// been created with `Entry::new_empty()` or cleared with
+ /// `Entry::clear()`, has 0 `score` and `last_accessed`, and has an empty
+ /// `key` and `value`.
+ fn is_empty(&self) -> bool {
+ self.score == 0 && self.last_accessed == 0 && self.key.is_empty() && self.value.is_empty()
+ }
+
+ /// If this Entry was last accessed on a day different from today,
+ /// increments its score (as well as its last accessed day).
+ /// Returns `true` if the score did in fact change, and `false` otherwise.
+ fn update_score(&mut self) -> bool {
+ let now_in_days = now_in_days();
+ if self.last_accessed != now_in_days {
+ self.last_accessed = now_in_days;
+ self.score += 1;
+ true
+ } else {
+ false
+ }
+ }
+
+ /// Clear the data stored in this Entry. Useful for clearing a single slot
+ /// on disk.
+ fn clear(&mut self) {
+ // Note: it's important that this preserves slot_index - the writer
+ // needs it to know where to write out the zeroed Entry
+ *self = Self::new_empty(self.slot_index);
+ }
+}
+
+/// Strips all trailing 0 bytes from the end of the given vec.
+/// Useful for converting 0-padded keys and values to their original, non-padded
+/// state.
+fn strip_zeroes(vec: &mut Vec<u8>) {
+ let mut length = vec.len();
+ while length > 0 && vec[length - 1] == 0 {
+ length -= 1;
+ }
+ vec.truncate(length);
+}
+
+/// Given a slice of entries, returns a Vec<Entry> consisting of each Entry
+/// with score equal to the minimum score among all entries.
+fn get_entries_with_minimum_score(entries: &[Entry]) -> Vec<&Entry> {
+ let mut min_score = u16::MAX;
+ let mut min_score_entries = Vec::new();
+ for entry in entries.iter() {
+ if entry.score < min_score {
+ min_score = entry.score;
+ min_score_entries.clear();
+ }
+ if entry.score == min_score {
+ min_score_entries.push(entry);
+ }
+ }
+ min_score_entries
+}
+
+const MAX_SLOTS: usize = 2048;
+const KEY_LENGTH: usize = 256;
+
+/// Helper type to map between an entry key and the slot it is stored on.
+type DataStorageTable = HashMap<Vec<u8>, usize>;
+
+/// The main structure of this implementation. Keeps track of persistent
+/// and private entries.
+#[derive(MallocSizeOf)]
+struct DataStorageInner {
+ /// The key to slot index mapping table for persistent data.
+ persistent_table: DataStorageTable,
+ /// The persistent entries that are stored on disk.
+ persistent_slots: Vec<Entry>,
+ /// The key to slot index mapping table for private, temporary data.
+ private_table: DataStorageTable,
+ /// The private, temporary entries that are not stored on disk.
+ /// This data is cleared upon observing "last-pb-context-exited", and is
+ /// forgotten when the program shuts down.
+ private_slots: Vec<Entry>,
+ /// The name of the table (e.g. "SiteSecurityServiceState").
+ name: String,
+ /// The maximum permitted length of values.
+ value_length: usize,
+ /// A PathBuf holding the location of the profile directory, if available.
+ maybe_profile_path: Option<PathBuf>,
+ /// A serial event target to post tasks to, to write out changed persistent
+ /// data in the background.
+ #[ignore_malloc_size_of = "not implemented for nsISerialEventTarget"]
+ write_queue: Option<RefPtr<nsISerialEventTarget>>,
+}
+
+impl DataStorageInner {
+ fn new(
+ name: String,
+ value_length: usize,
+ maybe_profile_path: Option<PathBuf>,
+ ) -> Result<Self, nsresult> {
+ Ok(DataStorageInner {
+ persistent_table: DataStorageTable::new(),
+ persistent_slots: Vec::new(),
+ private_table: DataStorageTable::new(),
+ private_slots: Vec::new(),
+ name,
+ value_length,
+ maybe_profile_path,
+ write_queue: Some(create_background_task_queue(cstr!("data_storage"))?),
+ })
+ }
+
+ /// Initializes the DataStorageInner. If the profile directory is not
+ /// present, does nothing. If the backing file is available, processes it.
+ /// Otherwise, if the old backing file is available, migrates it to the
+ /// current format.
+ fn initialize(&mut self) -> Result<(), nsresult> {
+ let Some(profile_path) = self.maybe_profile_path.as_ref() else {
+ return Ok(());
+ };
+ let mut backing_path = profile_path.clone();
+ backing_path.push(format!("{}.bin", &self.name));
+ let mut old_backing_path = profile_path.clone();
+ old_backing_path.push(format!("{}.txt", &self.name));
+ if backing_path.exists() {
+ self.read(backing_path)
+ } else if old_backing_path.exists() {
+ self.read_old_format(old_backing_path)
+ } else {
+ Ok(())
+ }
+ }
+
+ /// Reads the backing file, processing each slot.
+ fn read(&mut self, path: PathBuf) -> Result<(), nsresult> {
+ let f = OpenOptions::new()
+ .read(true)
+ .write(true)
+ .create(true)
+ .open(path)
+ .map_err(|_| NS_ERROR_FAILURE)?;
+ let mut backing_file = BufReader::new(f);
+ let mut slots = Vec::new();
+ // First read each entry into the persistent slots list.
+ while slots.len() < MAX_SLOTS {
+ if let Some(entry) = self.process_slot(&mut backing_file, slots.len())? {
+ slots.push(entry);
+ } else {
+ break;
+ }
+ }
+ self.persistent_slots = slots;
+ // Then build the key -> slot index lookup table.
+ self.persistent_table = self
+ .persistent_slots
+ .iter()
+ .filter(|slot| !slot.is_empty())
+ .map(|slot| (slot.key.clone(), slot.slot_index))
+ .collect();
+ let num_entries = self.persistent_table.len() as i64;
+ match self.name.as_str() {
+ "AlternateServices" => data_storage::alternate_services.set(num_entries),
+ "ClientAuthRememberList" => data_storage::client_auth_remember_list.set(num_entries),
+ "SiteSecurityServiceState" => {
+ data_storage::site_security_service_state.set(num_entries)
+ }
+ _ => panic!("unknown nsIDataStorageManager::DataStorage"),
+ }
+ Ok(())
+ }
+
+ /// Processes a slot (via a reader) by reading its metadata, key, and
+ /// value. If the checksum fails or if the score or last accessed fields
+ /// are 0, this is an empty slot. Otherwise, un-0-pads the key and value,
+ /// creates a new Entry, and puts it in the persistent table.
+ fn process_slot<R: Read>(
+ &mut self,
+ reader: &mut R,
+ slot_index: usize,
+ ) -> Result<Option<Entry>, nsresult> {
+ // Format is [checksum][score][last accessed][key][value], where
+ // checksum is 2 bytes big-endian, score and last accessed are 2 bytes
+ // big-endian, key is KEY_LENGTH bytes (currently 256), and value is
+ // self.value_length bytes (1024 for most instances, but 24 for
+ // SiteSecurityServiceState - see DataStorageManager::Get).
+ let mut checksum = match reader.read_u16::<BigEndian>() {
+ Ok(checksum) => checksum,
+ // The file may be shorter than expected due to unoccupied slots.
+ // Every slot after the last read slot is unoccupied.
+ Err(e) if e.kind() == ErrorKind::UnexpectedEof => return Ok(None),
+ Err(_) => return Err(NS_ERROR_FAILURE),
+ };
+ let score = reader
+ .read_u16::<BigEndian>()
+ .map_err(|_| NS_ERROR_FAILURE)?;
+ checksum ^= score;
+ let last_accessed = reader
+ .read_u16::<BigEndian>()
+ .map_err(|_| NS_ERROR_FAILURE)?;
+ checksum ^= last_accessed;
+
+ let mut key = vec![0u8; KEY_LENGTH];
+ reader.read_exact(&mut key).map_err(|_| NS_ERROR_FAILURE)?;
+ for mut chunk in key.chunks(2) {
+ checksum ^= chunk
+ .read_u16::<BigEndian>()
+ .map_err(|_| NS_ERROR_FAILURE)?;
+ }
+ strip_zeroes(&mut key);
+ let mut value = vec![0u8; self.value_length];
+ reader
+ .read_exact(&mut value)
+ .map_err(|_| NS_ERROR_FAILURE)?;
+ for mut chunk in value.chunks(2) {
+ checksum ^= chunk
+ .read_u16::<BigEndian>()
+ .map_err(|_| NS_ERROR_FAILURE)?;
+ }
+ strip_zeroes(&mut value);
+
+ // If this slot is incomplete, corrupted, or empty, treat it as empty.
+ if checksum != 0 || score == 0 || last_accessed == 0 {
+ // This slot is empty.
+ return Ok(Some(Entry::new_empty(slot_index)));
+ }
+
+ Ok(Some(Entry::from_slot(
+ score,
+ last_accessed,
+ key,
+ value,
+ slot_index,
+ )))
+ }
+
+ /// Migrates from the old format to the current format.
+ fn read_old_format(&mut self, path: PathBuf) -> Result<(), nsresult> {
+ let file = File::open(path).map_err(|_| NS_ERROR_FAILURE)?;
+ let reader = BufReader::new(file);
+ // First read each line in the old file into the persistent slots list.
+ // The old format was limited to 1024 lines, so only expect that many.
+ for line in reader.lines().flatten().take(1024) {
+ match Entry::from_old_line(&line, self.persistent_slots.len(), self.value_length) {
+ Ok(entry) => {
+ if self.persistent_slots.len() >= MAX_SLOTS {
+ warn!("too many lines in old DataStorage format");
+ break;
+ }
+ if !entry.is_empty() {
+ self.persistent_slots.push(entry);
+ } else {
+ warn!("empty entry in old DataStorage format?");
+ }
+ }
+ Err(_) => {
+ warn!("failed to migrate a line from old DataStorage format");
+ }
+ }
+ }
+ // Then build the key -> slot index lookup table.
+ self.persistent_table = self
+ .persistent_slots
+ .iter()
+ .filter(|slot| !slot.is_empty())
+ .map(|slot| (slot.key.clone(), slot.slot_index))
+ .collect();
+ // Finally, write out the migrated data to the new backing file.
+ self.async_write_entries(self.persistent_slots.clone())?;
+ let num_entries = self.persistent_table.len() as i64;
+ match self.name.as_str() {
+ "AlternateServices" => data_storage::alternate_services.set(num_entries),
+ "ClientAuthRememberList" => data_storage::client_auth_remember_list.set(num_entries),
+ "SiteSecurityServiceState" => {
+ data_storage::site_security_service_state.set(num_entries)
+ }
+ _ => panic!("unknown nsIDataStorageManager::DataStorage"),
+ }
+ Ok(())
+ }
+
+ /// Given an `Entry` and `DataType`, this function updates the internal
+ /// list of slots and the mapping from keys to slot indices. If the slot
+ /// assigned to the `Entry` is already occupied, the existing `Entry` is
+ /// evicted.
+ /// After updating internal state, if the type of this entry is persistent,
+ /// this function dispatches an event to asynchronously write the data out.
+ fn put_internal(&mut self, entry: Entry, type_: DataType) -> Result<(), nsresult> {
+ let (table, slots) = self.get_table_and_slots_for_type_mut(type_);
+ if entry.slot_index < slots.len() {
+ let entry_to_evict = &slots[entry.slot_index];
+ if !entry_to_evict.is_empty() {
+ table.remove(&entry_to_evict.key);
+ }
+ }
+ let _ = table.insert(entry.key.clone(), entry.slot_index);
+ if entry.slot_index < slots.len() {
+ slots[entry.slot_index] = entry.clone();
+ } else if entry.slot_index == slots.len() {
+ slots.push(entry.clone());
+ } else {
+ panic!(
+ "put_internal should not have been given an Entry with slot_index > slots.len()"
+ );
+ }
+ if type_ == DataType::Persistent {
+ self.async_write_entry(entry)?;
+ }
+ Ok(())
+ }
+
+ /// Returns the total length of each slot on disk.
+ fn slot_length(&self) -> usize {
+ // Checksum is 2 bytes, and score and last accessed are 2 bytes each.
+ 2 + 2 + 2 + KEY_LENGTH + self.value_length
+ }
+
+ /// Gets the next free slot index, or determines a slot to evict (but
+ /// doesn't actually perform the eviction - the caller must do that).
+ fn get_free_slot_or_slot_to_evict(&self, type_: DataType) -> usize {
+ let (_, slots) = self.get_table_and_slots_for_type(type_);
+ let maybe_unoccupied_slot = slots
+ .iter()
+ .enumerate()
+ .find(|(_, maybe_empty_entry)| maybe_empty_entry.is_empty());
+ if let Some((unoccupied_slot, _)) = maybe_unoccupied_slot {
+ return unoccupied_slot;
+ }
+ // If `slots` isn't full, the next free slot index is one more than the
+ // current last index.
+ if slots.len() < MAX_SLOTS {
+ return slots.len();
+ }
+ // If there isn't an unoccupied slot, evict the entry with the lowest score.
+ let min_score_entries = get_entries_with_minimum_score(&slots);
+ // `min_score_entry` is the oldest Entry with the minimum score.
+ // There must be at least one such Entry, so unwrap it or abort.
+ let min_score_entry = min_score_entries
+ .iter()
+ .min_by_key(|e| e.last_accessed)
+ .unwrap();
+ min_score_entry.slot_index
+ }
+
+ /// Helper function to get a handle on the slot list and key to slot index
+ /// mapping for the given `DataType`.
+ fn get_table_and_slots_for_type(&self, type_: DataType) -> (&DataStorageTable, &[Entry]) {
+ match type_ {
+ DataType::Persistent => (&self.persistent_table, &self.persistent_slots),
+ DataType::Private => (&self.private_table, &self.private_slots),
+ }
+ }
+
+ /// Helper function to get a mutable handle on the slot list and key to
+ /// slot index mapping for the given `DataType`.
+ fn get_table_and_slots_for_type_mut(
+ &mut self,
+ type_: DataType,
+ ) -> (&mut DataStorageTable, &mut Vec<Entry>) {
+ match type_ {
+ DataType::Persistent => (&mut self.persistent_table, &mut self.persistent_slots),
+ DataType::Private => (&mut self.private_table, &mut self.private_slots),
+ }
+ }
+
+ /// Helper function to look up an `Entry` by its key and type.
+ fn get_entry(&mut self, key: &[u8], type_: DataType) -> Option<&mut Entry> {
+ let (table, slots) = self.get_table_and_slots_for_type_mut(type_);
+ let slot_index = table.get(key)?;
+ Some(&mut slots[*slot_index])
+ }
+
+ /// Gets a value by key, if available. Updates the Entry's score when appropriate.
+ fn get(&mut self, key: &[u8], type_: DataType) -> Result<Vec<u8>, nsresult> {
+ let Some(entry) = self.get_entry(key, type_) else {
+ return Err(NS_ERROR_NOT_AVAILABLE);
+ };
+ let value = entry.value.clone();
+ if entry.update_score() && type_ == DataType::Persistent {
+ let entry = entry.clone();
+ self.async_write_entry(entry)?;
+ }
+ Ok(value)
+ }
+
+ /// Inserts or updates a value by key. Updates the Entry's score if applicable.
+ fn put(&mut self, key: Vec<u8>, value: Vec<u8>, type_: DataType) -> Result<(), nsresult> {
+ if key.len() > KEY_LENGTH || value.len() > self.value_length {
+ return Err(NS_ERROR_INVALID_ARG);
+ }
+ if let Some(existing_entry) = self.get_entry(&key, type_) {
+ let data_changed = existing_entry.value != value;
+ if data_changed {
+ existing_entry.value = value;
+ }
+ if (existing_entry.update_score() || data_changed) && type_ == DataType::Persistent {
+ let entry = existing_entry.clone();
+ self.async_write_entry(entry)?;
+ }
+ Ok(())
+ } else {
+ let slot_index = self.get_free_slot_or_slot_to_evict(type_);
+ let entry = Entry::new(key.clone(), value, slot_index);
+ self.put_internal(entry, type_)
+ }
+ }
+
+ /// Removes an Entry by key, if it is present.
+ fn remove(&mut self, key: &Vec<u8>, type_: DataType) -> Result<(), nsresult> {
+ let (table, slots) = self.get_table_and_slots_for_type_mut(type_);
+ let Some(slot_index) = table.remove(key) else {
+ return Ok(());
+ };
+ let entry = &mut slots[slot_index];
+ entry.clear();
+ if type_ == DataType::Persistent {
+ let entry = entry.clone();
+ self.async_write_entry(entry)?;
+ }
+ Ok(())
+ }
+
+ /// Clears all tables and the backing persistent file.
+ fn clear(&mut self) -> Result<(), nsresult> {
+ self.persistent_table.clear();
+ self.private_table.clear();
+ self.persistent_slots.clear();
+ self.private_slots.clear();
+ let Some(profile_path) = self.maybe_profile_path.clone() else {
+ return Ok(());
+ };
+ let Some(write_queue) = self.write_queue.clone() else {
+ return Ok(());
+ };
+ let name = self.name.clone();
+ RunnableBuilder::new("data_storage::remove_backing_files", move || {
+ let old_backing_path = profile_path.join(format!("{name}.txt"));
+ let _ = std::fs::remove_file(old_backing_path);
+ let backing_path = profile_path.join(format!("{name}.bin"));
+ let _ = std::fs::remove_file(backing_path);
+ })
+ .may_block(true)
+ .dispatch(write_queue.coerce())
+ }
+
+ /// Clears only data in the private table.
+ fn clear_private_data(&mut self) {
+ self.private_table.clear();
+ self.private_slots.clear();
+ }
+
+ /// Asynchronously writes the given entry on the background serial event
+ /// target.
+ fn async_write_entry(&self, entry: Entry) -> Result<(), nsresult> {
+ self.async_write_entries(vec![entry])
+ }
+
+ /// Asynchronously writes the given entries on the background serial event
+ /// target.
+ fn async_write_entries(&self, entries: Vec<Entry>) -> Result<(), nsresult> {
+ let Some(mut backing_path) = self.maybe_profile_path.clone() else {
+ return Ok(());
+ };
+ let Some(write_queue) = self.write_queue.clone() else {
+ return Ok(());
+ };
+ backing_path.push(format!("{}.bin", &self.name));
+ let value_length = self.value_length;
+ let slot_length = self.slot_length();
+ RunnableBuilder::new("data_storage::write_entries", move || {
+ let _ = write_entries(entries, backing_path, value_length, slot_length);
+ })
+ .may_block(true)
+ .dispatch(write_queue.coerce())
+ }
+
+ /// Drop the write queue to prevent further writes.
+ fn drop_write_queue(&mut self) {
+ let _ = self.write_queue.take();
+ }
+
+ /// Takes a callback that is run for each entry in each table.
+ fn for_each<F>(&self, mut f: F)
+ where
+ F: FnMut(&Entry, DataType),
+ {
+ for entry in &self.persistent_slots {
+ f(entry, DataType::Persistent);
+ }
+ for entry in &self.private_slots {
+ f(entry, DataType::Private);
+ }
+ }
+
+ /// Collects the memory used by this DataStorageInner.
+ fn collect_reports(
+ &self,
+ ops: &mut MallocSizeOfOps,
+ callback: &nsIHandleReportCallback,
+ data: Option<&nsISupports>,
+ ) -> Result<(), nsresult> {
+ let size = self.size_of(ops);
+ let data = match data {
+ Some(data) => data as *const nsISupports,
+ None => std::ptr::null() as *const nsISupports,
+ };
+ unsafe {
+ callback
+ .Callback(
+ &nsCStr::new() as &nsACString,
+ &nsCString::from(format!("explicit/data-storage/{}", self.name)) as &nsACString,
+ nsIMemoryReporter::KIND_HEAP,
+ nsIMemoryReporter::UNITS_BYTES,
+ size as i64,
+ &nsCStr::from("Memory used by PSM data storage cache") as &nsACString,
+ data,
+ )
+ .to_result()
+ }
+ }
+}
+
+#[xpcom(implement(nsIDataStorageItem), atomic)]
+struct DataStorageItem {
+ key: nsCString,
+ value: nsCString,
+ type_: u8,
+}
+
+impl DataStorageItem {
+ xpcom_method!(get_key => GetKey() -> nsACString);
+ fn get_key(&self) -> Result<nsCString, nsresult> {
+ Ok(self.key.clone())
+ }
+
+ xpcom_method!(get_value => GetValue() -> nsACString);
+ fn get_value(&self) -> Result<nsCString, nsresult> {
+ Ok(self.value.clone())
+ }
+
+ xpcom_method!(get_type => GetType() -> u8);
+ fn get_type(&self) -> Result<u8, nsresult> {
+ Ok(self.type_)
+ }
+}
+
+type VoidPtrToSizeFn = unsafe extern "C" fn(ptr: *const c_void) -> usize;
+
+/// Helper struct that coordinates xpcom access to the DataStorageInner that
+/// actually holds the data.
+#[xpcom(implement(nsIDataStorage, nsIMemoryReporter, nsIObserver), atomic)]
+struct DataStorage {
+ ready: (Mutex<bool>, Condvar),
+ data: Mutex<DataStorageInner>,
+ size_of_op: VoidPtrToSizeFn,
+ enclosing_size_of_op: VoidPtrToSizeFn,
+}
+
+impl DataStorage {
+ xpcom_method!(get => Get(key: *const nsACString, type_: u8) -> nsACString);
+ fn get(&self, key: &nsACString, type_: u8) -> Result<nsCString, nsresult> {
+ self.wait_for_ready()?;
+ let mut storage = self.data.lock().unwrap();
+ storage
+ .get(&Vec::from(key.as_ref()), type_.into())
+ .map(|data| nsCString::from(data))
+ }
+
+ xpcom_method!(put => Put(key: *const nsACString, value: *const nsACString, type_: u8));
+ fn put(&self, key: &nsACString, value: &nsACString, type_: u8) -> Result<(), nsresult> {
+ self.wait_for_ready()?;
+ let mut storage = self.data.lock().unwrap();
+ storage.put(
+ Vec::from(key.as_ref()),
+ Vec::from(value.as_ref()),
+ type_.into(),
+ )
+ }
+
+ xpcom_method!(remove => Remove(key: *const nsACString, type_: u8));
+ fn remove(&self, key: &nsACString, type_: u8) -> Result<(), nsresult> {
+ self.wait_for_ready()?;
+ let mut storage = self.data.lock().unwrap();
+ storage.remove(&Vec::from(key.as_ref()), type_.into())?;
+ Ok(())
+ }
+
+ xpcom_method!(clear => Clear());
+ fn clear(&self) -> Result<(), nsresult> {
+ self.wait_for_ready()?;
+ let mut storage = self.data.lock().unwrap();
+ storage.clear()?;
+ Ok(())
+ }
+
+ xpcom_method!(is_ready => IsReady() -> bool);
+ fn is_ready(&self) -> Result<bool, nsresult> {
+ let ready = self.ready.0.lock().unwrap();
+ Ok(*ready)
+ }
+
+ xpcom_method!(get_all => GetAll() -> ThinVec<Option<RefPtr<nsIDataStorageItem>>>);
+ fn get_all(&self) -> Result<ThinVec<Option<RefPtr<nsIDataStorageItem>>>, nsresult> {
+ self.wait_for_ready()?;
+ let storage = self.data.lock().unwrap();
+ let mut items = ThinVec::new();
+ let add_item = |entry: &Entry, data_type: DataType| {
+ let item = DataStorageItem::allocate(InitDataStorageItem {
+ key: entry.key.clone().into(),
+ value: entry.value.clone().into(),
+ type_: data_type.into(),
+ });
+ items.push(Some(RefPtr::new(item.coerce())));
+ };
+ storage.for_each(add_item);
+ Ok(items)
+ }
+
+ fn indicate_ready(&self) -> Result<(), nsresult> {
+ let (ready_mutex, condvar) = &self.ready;
+ let mut ready = ready_mutex.lock().unwrap();
+ *ready = true;
+ condvar.notify_all();
+ Ok(())
+ }
+
+ fn wait_for_ready(&self) -> Result<(), nsresult> {
+ let (ready_mutex, condvar) = &self.ready;
+ let mut ready = ready_mutex.lock().unwrap();
+ while !*ready {
+ ready = condvar.wait(ready).unwrap();
+ }
+ Ok(())
+ }
+
+ fn initialize(&self) -> Result<(), nsresult> {
+ let mut storage = self.data.lock().unwrap();
+ // If this fails, the implementation is "ready", but it probably won't
+ // store any data persistently. This is expected in cases where there
+ // is no profile directory.
+ let _ = storage.initialize();
+ self.indicate_ready()
+ }
+
+ xpcom_method!(collect_reports => CollectReports(callback: *const nsIHandleReportCallback, data: *const nsISupports, anonymize: bool));
+ fn collect_reports(
+ &self,
+ callback: &nsIHandleReportCallback,
+ data: Option<&nsISupports>,
+ _anonymize: bool,
+ ) -> Result<(), nsresult> {
+ let storage = self.data.lock().unwrap();
+ let mut ops = MallocSizeOfOps::new(self.size_of_op, Some(self.enclosing_size_of_op));
+ storage.collect_reports(&mut ops, callback, data)
+ }
+
+ xpcom_method!(observe => Observe(_subject: *const nsISupports, topic: *const c_char, _data: *const u16));
+ unsafe fn observe(
+ &self,
+ _subject: Option<&nsISupports>,
+ topic: *const c_char,
+ _data: *const u16,
+ ) -> Result<(), nsresult> {
+ let mut storage = self.data.lock().unwrap();
+ let topic = CStr::from_ptr(topic);
+ // Observe shutdown - prevent any further writes.
+ // The backing file is in the profile directory, so stop writing when
+ // that goes away.
+ // "xpcom-shutdown-threads" is a backstop for situations where the
+ // "profile-before-change" notification is not emitted.
+ if topic == cstr!("profile-before-change") || topic == cstr!("xpcom-shutdown-threads") {
+ storage.drop_write_queue();
+ } else if topic == cstr!("last-pb-context-exited") {
+ storage.clear_private_data();
+ }
+ Ok(())
+ }
+}
+
+/// Given some entries, the path of the backing file, and metadata about Entry
+/// length, writes an Entry to the backing file in the appropriate slot.
+/// Creates the backing file if it does not exist.
+fn write_entries(
+ entries: Vec<Entry>,
+ backing_path: PathBuf,
+ value_length: usize,
+ slot_length: usize,
+) -> Result<(), std::io::Error> {
+ let mut backing_file = OpenOptions::new()
+ .write(true)
+ .create(true)
+ .open(backing_path)?;
+ let Some(max_slot_index) = entries.iter().map(|entry| entry.slot_index).max() else {
+ return Ok(()); // can only happen if entries is empty
+ };
+ let necessary_len = ((max_slot_index + 1) * slot_length) as u64;
+ if backing_file.metadata()?.len() < necessary_len {
+ backing_file.set_len(necessary_len)?;
+ }
+ let mut buf = vec![0u8; slot_length];
+ for entry in entries {
+ let mut buf_writer = buf.as_mut_slice();
+ buf_writer.write_u16::<BigEndian>(0)?; // set checksum to 0 for now
+ let mut checksum = entry.score;
+ buf_writer.write_u16::<BigEndian>(entry.score)?;
+ checksum ^= entry.last_accessed;
+ buf_writer.write_u16::<BigEndian>(entry.last_accessed)?;
+ for mut chunk in entry.key.chunks(2) {
+ if chunk.len() == 1 {
+ checksum ^= (chunk[0] as u16) << 8;
+ } else {
+ checksum ^= chunk.read_u16::<BigEndian>()?;
+ }
+ }
+ if entry.key.len() > KEY_LENGTH {
+ continue;
+ }
+ buf_writer.write_all(&entry.key)?;
+ let (key_remainder, mut buf_writer) = buf_writer.split_at_mut(KEY_LENGTH - entry.key.len());
+ key_remainder.fill(0);
+ for mut chunk in entry.value.chunks(2) {
+ if chunk.len() == 1 {
+ checksum ^= (chunk[0] as u16) << 8;
+ } else {
+ checksum ^= chunk.read_u16::<BigEndian>()?;
+ }
+ }
+ if entry.value.len() > value_length {
+ continue;
+ }
+ buf_writer.write_all(&entry.value)?;
+ buf_writer.fill(0);
+
+ backing_file.seek(SeekFrom::Start((entry.slot_index * slot_length) as u64))?;
+ backing_file.write_all(&buf)?;
+ backing_file.flush()?;
+ backing_file.seek(SeekFrom::Start((entry.slot_index * slot_length) as u64))?;
+ backing_file.write_u16::<BigEndian>(checksum)?;
+ }
+ Ok(())
+}
+
+/// Uses the xpcom directory service to try to obtain the profile directory.
+fn get_profile_path() -> Result<PathBuf, nsresult> {
+ let directory_service: RefPtr<nsIProperties> =
+ xpcom::components::Directory::service().map_err(|_| NS_ERROR_FAILURE)?;
+ let mut profile_dir = xpcom::GetterAddrefs::<nsIFile>::new();
+ unsafe {
+ directory_service
+ .Get(
+ cstr!("ProfD").as_ptr(),
+ &nsIFile::IID,
+ profile_dir.void_ptr(),
+ )
+ .to_result()?;
+ }
+ let profile_dir = profile_dir.refptr().ok_or(NS_ERROR_FAILURE)?;
+ let mut profile_path = nsString::new();
+ unsafe {
+ (*profile_dir).GetPath(&mut *profile_path).to_result()?;
+ }
+ let profile_path = String::from_utf16(profile_path.as_ref()).map_err(|_| NS_ERROR_FAILURE)?;
+ Ok(PathBuf::from(profile_path))
+}
+
+fn make_data_storage_internal(
+ basename: &str,
+ value_length: usize,
+ size_of_op: VoidPtrToSizeFn,
+ enclosing_size_of_op: VoidPtrToSizeFn,
+) -> Result<RefPtr<nsIDataStorage>, nsresult> {
+ let maybe_profile_path = get_profile_path().ok();
+ let data_storage = DataStorage::allocate(InitDataStorage {
+ ready: (Mutex::new(false), Condvar::new()),
+ data: Mutex::new(DataStorageInner::new(
+ basename.to_string(),
+ value_length,
+ maybe_profile_path,
+ )?),
+ size_of_op,
+ enclosing_size_of_op,
+ });
+ // Initialize the DataStorage on a background thread.
+ let data_storage_for_background_initialization = data_storage.clone();
+ RunnableBuilder::new("data_storage::initialize", move || {
+ let _ = data_storage_for_background_initialization.initialize();
+ })
+ .may_block(true)
+ .dispatch_background_task()?;
+
+ // Observe shutdown and when the last private browsing context exits.
+ if let Ok(observer_service) = xpcom::components::Observer::service::<nsIObserverService>() {
+ unsafe {
+ observer_service
+ .AddObserver(
+ data_storage.coerce(),
+ cstr!("profile-before-change").as_ptr(),
+ false,
+ )
+ .to_result()?;
+ observer_service
+ .AddObserver(
+ data_storage.coerce(),
+ cstr!("xpcom-shutdown-threads").as_ptr(),
+ false,
+ )
+ .to_result()?;
+ observer_service
+ .AddObserver(
+ data_storage.coerce(),
+ cstr!("last-pb-context-exited").as_ptr(),
+ false,
+ )
+ .to_result()?;
+ }
+ }
+
+ // Register the DataStorage as a memory reporter.
+ if let Some(memory_reporter_manager) = xpcom::get_service::<nsIMemoryReporterManager>(cstr!(
+ "@mozilla.org/memory-reporter-manager;1"
+ )) {
+ unsafe {
+ memory_reporter_manager
+ .RegisterStrongReporter(data_storage.coerce())
+ .to_result()?;
+ }
+ }
+
+ Ok(RefPtr::new(data_storage.coerce()))
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn make_data_storage(
+ basename: *const nsAString,
+ value_length: usize,
+ size_of_op: VoidPtrToSizeFn,
+ enclosing_size_of_op: VoidPtrToSizeFn,
+ result: *mut *const xpcom::interfaces::nsIDataStorage,
+) -> nsresult {
+ if basename.is_null() || result.is_null() {
+ return NS_ERROR_INVALID_ARG;
+ }
+ let basename = &*basename;
+ let basename = basename.to_string();
+ match make_data_storage_internal(&basename, value_length, size_of_op, enclosing_size_of_op) {
+ Ok(val) => val.forget(&mut *result),
+ Err(e) => return e,
+ }
+ NS_OK
+}
diff --git a/security/manager/ssl/gen_cert_header.py b/security/manager/ssl/gen_cert_header.py
new file mode 100644
index 0000000000..a141a9b54b
--- /dev/null
+++ b/security/manager/ssl/gen_cert_header.py
@@ -0,0 +1,46 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+def _file_byte_generator(filename):
+ with open(filename, "rb") as f:
+ contents = f.read()
+
+ # Treat empty files the same as a file containing a lone 0;
+ # a single-element array will fail cert verifcation just as an
+ # empty array would.
+ if not contents:
+ return ["\0"]
+
+ return contents
+
+
+def _create_header(array_name, cert_bytes):
+ hexified = ["0x%02x" % byte for byte in cert_bytes]
+
+ substs = {"array_name": array_name, "bytes": ", ".join(hexified)}
+ return "const uint8_t %(array_name)s[] = {\n%(bytes)s\n};\n" % substs
+
+
+# Create functions named the same as the data arrays that we're going to
+# write to the headers, so we don't have to duplicate the names like so:
+#
+# def arrayName(header, cert_filename):
+# header.write(_create_header("arrayName", cert_filename))
+array_names = [
+ "addonsPublicIntermediate",
+ "addonsPublicRoot",
+ "addonsStageRoot",
+ "contentSignatureDevRoot",
+ "contentSignatureLocalRoot",
+ "contentSignatureProdRoot",
+ "contentSignatureStageRoot",
+ "xpcshellRoot",
+]
+
+for n in array_names:
+ # Make sure the lambda captures the right string.
+ globals()[n] = lambda header, cert_filename, name=n: header.write(
+ _create_header(name, _file_byte_generator(cert_filename))
+ )
diff --git a/security/manager/ssl/ipcclientcerts/Cargo.toml b/security/manager/ssl/ipcclientcerts/Cargo.toml
new file mode 100644
index 0000000000..9dcfc8c3b7
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "ipcclientcerts-static"
+version = "0.1.0"
+authors = ["Dana Keeler <dkeeler@mozilla.com>"]
+edition = "2018"
+license = "MPL-2.0"
+
+[dependencies]
+byteorder = "1.3"
+pkcs11-bindings = "0.1"
+rsclientcerts = { path = "../rsclientcerts" }
+sha2 = "0.10.2"
+mozilla-central-workspace-hack = { version = "0.1", features = ["ipcclientcerts-static"], optional = true }
+
+[lib]
+crate-type = ["staticlib"]
diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols b/security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols
new file mode 100644
index 0000000000..562ecea21d
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols
@@ -0,0 +1 @@
+C_GetFunctionList
diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/moz.build b/security/manager/ssl/ipcclientcerts/dynamic-library/moz.build
new file mode 100644
index 0000000000..7f2ab5e27f
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/dynamic-library/moz.build
@@ -0,0 +1,40 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+USE_LIBS += ["ipcclientcerts-static"]
+
+# On Linux (but not when building for Android), this needs to use the C++
+# version to avoid linking against the wrong libc symbols.
+# On Android, this needs to use the C version to avoid multiple definitions
+# of symbols caused by their presence in libgcc and ipcclientcerts-static.
+if CONFIG["OS_ARCH"] == "Linux" and CONFIG["OS_TARGET"] != "Android":
+ SOURCES += [
+ "stub.cpp",
+ ]
+else:
+ SOURCES += [
+ "stub.c",
+ ]
+
+if CONFIG["OS_TARGET"] == "Android":
+ OS_LIBS += ["m"]
+
+if CONFIG["OS_ARCH"] == "WINNT":
+ OS_LIBS += [
+ "advapi32",
+ "userenv",
+ "ws2_32",
+ ]
+ OS_LIBS += [
+ "bcrypt",
+ "ntdll",
+ ]
+
+
+SharedLibrary("ipcclientcerts")
+
+NoVisibilityFlags()
+SYMBOLS_FILE = "ipcclientcerts.symbols"
diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/stub.c b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.c
new file mode 100644
index 0000000000..f679e5dfd4
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.c
@@ -0,0 +1,43 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pkcs11.h"
+
+// The build system builds the rust library ipcclientcerts as a static library
+// called ipcclientcerts_static. On macOS and Windows, that static library can
+// be linked with an empty file and turned into a shared library with the
+// function C_GetFunctionList exposed. This allows that shared library to be
+// used as a PKCS#11 module (see osclientcerts).
+// Unfortunately, on Linux, exposing the C_GetFunctionList in the static
+// library doesn't work for some unknown reason. As a workaround, this file
+// declares its own C_GetFunctionList that can be exposed in the shared
+// library. It then calls the function IPCCC_GetFunctionList exposed
+// (internally to the linkage in question) by ipcclientcerts. This enables
+// the build system to ultimately turn ipcclientcerts into a shared library
+// that exposes a C_GetFunctionList function, meaning it can be used as a
+// PKCS#11 module.
+
+CK_RV IPCCC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
+ return IPCCC_GetFunctionList(ppFunctionList);
+}
+
+// On MinGW there's a toolchain mismatch that results in _Unwind_Resume being
+// undefined. It's never going to get called here anyway, so this defines it to
+// satisfy the linker. See bug 1745855 and
+// https://github.com/rust-lang/rust/issues/79609#issuecomment-987107562.
+#ifdef __MINGW32__
+# include "mozilla/Assertions.h"
+void _Unwind_Resume() { MOZ_CRASH("Unexpected call to _Unwind_*"); }
+void _Unwind_GetDataRelBase() { _Unwind_Resume(); }
+void _Unwind_GetTextRelBase() { _Unwind_Resume(); }
+void _Unwind_GetLanguageSpecificData() { _Unwind_Resume(); }
+void _Unwind_GetIPInfo() { _Unwind_Resume(); }
+void _Unwind_GetRegionStart() { _Unwind_Resume(); }
+void _Unwind_SetGR() { _Unwind_Resume(); }
+void _Unwind_SetIP() { _Unwind_Resume(); }
+void _GCC_specific_handler() { _Unwind_Resume(); }
+#endif
diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp
new file mode 100644
index 0000000000..e50f867574
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp
@@ -0,0 +1,29 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pkcs11.h"
+
+// The build system builds the rust library ipcclientcerts as a static library
+// called ipcclientcerts_static. On macOS and Windows, that static library can
+// be linked with an empty file and turned into a shared library with the
+// function C_GetFunctionList exposed. This allows that shared library to be
+// used as a PKCS#11 module (see osclientcerts).
+// Unfortunately, on Linux, exposing the C_GetFunctionList in the static
+// library doesn't work for some unknown reason. As a workaround, this file
+// declares its own C_GetFunctionList that can be exposed in the shared
+// library. It then calls the function IPCCC_GetFunctionList exposed
+// (internally to the linkage in question) by ipcclientcerts. This enables
+// the build system to ultimately turn ipcclientcerts into a shared library
+// that exposes a C_GetFunctionList function, meaning it can be used as a
+// PKCS#11 module.
+
+extern "C" {
+
+CK_RV IPCCC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
+ return IPCCC_GetFunctionList(ppFunctionList);
+}
+}
diff --git a/security/manager/ssl/ipcclientcerts/moz.build b/security/manager/ssl/ipcclientcerts/moz.build
new file mode 100644
index 0000000000..1d24bdea31
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/moz.build
@@ -0,0 +1,9 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["dynamic-library"]
+
+RustLibrary("ipcclientcerts-static")
diff --git a/security/manager/ssl/ipcclientcerts/src/backend.rs b/security/manager/ssl/ipcclientcerts/src/backend.rs
new file mode 100644
index 0000000000..534eecd47e
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/src/backend.rs
@@ -0,0 +1,373 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use pkcs11_bindings::*;
+use rsclientcerts::error::{Error, ErrorType};
+use rsclientcerts::manager::{ClientCertsBackend, CryptokiObject, Sign, SlotType};
+use rsclientcerts::util::*;
+use sha2::{Digest, Sha256};
+use std::ffi::c_void;
+
+use crate::FindObjectsFunction;
+use crate::SignFunction;
+
+pub struct Cert {
+ class: Vec<u8>,
+ token: Vec<u8>,
+ id: Vec<u8>,
+ label: Vec<u8>,
+ value: Vec<u8>,
+ issuer: Vec<u8>,
+ serial_number: Vec<u8>,
+ subject: Vec<u8>,
+ slot_type: SlotType,
+}
+
+impl Cert {
+ fn new(der: &[u8], slot_type: SlotType) -> Result<Cert, Error> {
+ let (serial_number, issuer, subject) = read_encoded_certificate_identifiers(der)?;
+ let id = Sha256::digest(der).to_vec();
+ Ok(Cert {
+ class: serialize_uint(CKO_CERTIFICATE)?,
+ token: serialize_uint(CK_TRUE)?,
+ id,
+ label: b"IPC certificate".to_vec(),
+ value: der.to_vec(),
+ issuer,
+ serial_number,
+ subject,
+ slot_type,
+ })
+ }
+
+ fn class(&self) -> &[u8] {
+ &self.class
+ }
+
+ fn token(&self) -> &[u8] {
+ &self.token
+ }
+
+ fn id(&self) -> &[u8] {
+ &self.id
+ }
+
+ fn label(&self) -> &[u8] {
+ &self.label
+ }
+
+ fn value(&self) -> &[u8] {
+ &self.value
+ }
+
+ fn issuer(&self) -> &[u8] {
+ &self.issuer
+ }
+
+ fn serial_number(&self) -> &[u8] {
+ &self.serial_number
+ }
+
+ fn subject(&self) -> &[u8] {
+ &self.subject
+ }
+}
+
+impl CryptokiObject for Cert {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool {
+ if self.slot_type != slot_type {
+ return false;
+ }
+ for (attr_type, attr_value) in attrs {
+ let comparison = match *attr_type {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_LABEL => self.label(),
+ CKA_ID => self.id(),
+ CKA_VALUE => self.value(),
+ CKA_ISSUER => self.issuer(),
+ CKA_SERIAL_NUMBER => self.serial_number(),
+ CKA_SUBJECT => self.subject(),
+ _ => return false,
+ };
+ if attr_value.as_slice() != comparison {
+ return false;
+ }
+ }
+ true
+ }
+
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> {
+ let result = match attribute {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_LABEL => self.label(),
+ CKA_ID => self.id(),
+ CKA_VALUE => self.value(),
+ CKA_ISSUER => self.issuer(),
+ CKA_SERIAL_NUMBER => self.serial_number(),
+ CKA_SUBJECT => self.subject(),
+ _ => return None,
+ };
+ Some(result)
+ }
+}
+
+pub struct Key {
+ cert: Vec<u8>,
+ class: Vec<u8>,
+ token: Vec<u8>,
+ id: Vec<u8>,
+ private: Vec<u8>,
+ key_type: Vec<u8>,
+ modulus: Option<Vec<u8>>,
+ ec_params: Option<Vec<u8>>,
+ slot_type: SlotType,
+ sign: SignFunction,
+}
+
+impl Key {
+ fn new(
+ modulus: Option<&[u8]>,
+ ec_params: Option<&[u8]>,
+ cert: &[u8],
+ slot_type: SlotType,
+ sign: SignFunction,
+ ) -> Result<Key, Error> {
+ let id = Sha256::digest(cert).to_vec();
+ let key_type = if modulus.is_some() { CKK_RSA } else { CKK_EC };
+ Ok(Key {
+ cert: cert.to_vec(),
+ class: serialize_uint(CKO_PRIVATE_KEY)?,
+ token: serialize_uint(CK_TRUE)?,
+ id,
+ private: serialize_uint(CK_TRUE)?,
+ key_type: serialize_uint(key_type)?,
+ modulus: modulus.map(|b| b.to_vec()),
+ ec_params: ec_params.map(|b| b.to_vec()),
+ slot_type,
+ sign,
+ })
+ }
+
+ fn class(&self) -> &[u8] {
+ &self.class
+ }
+
+ fn token(&self) -> &[u8] {
+ &self.token
+ }
+
+ pub fn id(&self) -> &[u8] {
+ &self.id
+ }
+
+ fn private(&self) -> &[u8] {
+ &self.private
+ }
+
+ fn key_type(&self) -> &[u8] {
+ &self.key_type
+ }
+
+ fn modulus(&self) -> Option<&[u8]> {
+ match &self.modulus {
+ Some(modulus) => Some(modulus.as_slice()),
+ None => None,
+ }
+ }
+
+ fn ec_params(&self) -> Option<&[u8]> {
+ match &self.ec_params {
+ Some(ec_params) => Some(ec_params.as_slice()),
+ None => None,
+ }
+ }
+}
+
+impl CryptokiObject for Key {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool {
+ if self.slot_type != slot_type {
+ return false;
+ }
+ for (attr_type, attr_value) in attrs {
+ let comparison = match *attr_type {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_ID => self.id(),
+ CKA_PRIVATE => self.private(),
+ CKA_KEY_TYPE => self.key_type(),
+ CKA_MODULUS => {
+ if let Some(modulus) = self.modulus() {
+ modulus
+ } else {
+ return false;
+ }
+ }
+ CKA_EC_PARAMS => {
+ if let Some(ec_params) = self.ec_params() {
+ ec_params
+ } else {
+ return false;
+ }
+ }
+ _ => return false,
+ };
+ if attr_value.as_slice() != comparison {
+ return false;
+ }
+ }
+ true
+ }
+
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> {
+ match attribute {
+ CKA_CLASS => Some(self.class()),
+ CKA_TOKEN => Some(self.token()),
+ CKA_ID => Some(self.id()),
+ CKA_PRIVATE => Some(self.private()),
+ CKA_KEY_TYPE => Some(self.key_type()),
+ CKA_MODULUS => self.modulus(),
+ CKA_EC_PARAMS => self.ec_params(),
+ _ => None,
+ }
+ }
+}
+
+impl Sign for Key {
+ fn get_signature_length(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<usize, Error> {
+ // Unfortunately we don't have a way of getting the length of a signature without creating
+ // one.
+ let dummy_signature_bytes = self.sign(data, params)?;
+ Ok(dummy_signature_bytes.len())
+ }
+
+ fn sign(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<Vec<u8>, Error> {
+ let mut signature = Vec::new();
+ let (params_len, params) = match params {
+ Some(params) => (
+ std::mem::size_of::<CK_RSA_PKCS_PSS_PARAMS>(),
+ params as *const _ as *const u8,
+ ),
+ None => (0, std::ptr::null()),
+ };
+ (self.sign)(
+ self.cert.len(),
+ self.cert.as_ptr(),
+ data.len(),
+ data.as_ptr(),
+ params_len,
+ params,
+ Some(sign_callback),
+ &mut signature as *mut _ as *mut c_void,
+ );
+ if signature.len() > 0 {
+ Ok(signature)
+ } else {
+ Err(error_here!(ErrorType::LibraryFailure))
+ }
+ }
+}
+
+unsafe extern "C" fn sign_callback(data_len: usize, data: *const u8, ctx: *mut c_void) {
+ let signature: &mut Vec<u8> = std::mem::transmute(ctx);
+ signature.clear();
+ signature.extend_from_slice(std::slice::from_raw_parts(data, data_len));
+}
+
+unsafe extern "C" fn find_objects_callback(
+ typ: u8,
+ data_len: usize,
+ data: *const u8,
+ extra_len: usize,
+ extra: *const u8,
+ slot_type: u32,
+ ctx: *mut c_void,
+) {
+ let data = std::slice::from_raw_parts(data, data_len);
+ let extra = std::slice::from_raw_parts(extra, extra_len);
+ let slot_type = match slot_type {
+ 1 => SlotType::Modern,
+ 2 => SlotType::Legacy,
+ _ => return,
+ };
+ let find_objects_context: &mut FindObjectsContext = std::mem::transmute(ctx);
+ match typ {
+ 1 => match Cert::new(data, slot_type) {
+ Ok(cert) => find_objects_context.certs.push(cert),
+ Err(_) => {}
+ },
+ 2 => match Key::new(
+ Some(data),
+ None,
+ extra,
+ slot_type,
+ find_objects_context.sign,
+ ) {
+ Ok(key) => find_objects_context.keys.push(key),
+ Err(_) => {}
+ },
+ 3 => match Key::new(
+ None,
+ Some(data),
+ extra,
+ slot_type,
+ find_objects_context.sign,
+ ) {
+ Ok(key) => find_objects_context.keys.push(key),
+ Err(_) => {}
+ },
+ _ => {}
+ }
+}
+
+struct FindObjectsContext {
+ certs: Vec<Cert>,
+ keys: Vec<Key>,
+ sign: SignFunction,
+}
+
+impl FindObjectsContext {
+ fn new(sign: SignFunction) -> FindObjectsContext {
+ FindObjectsContext {
+ certs: Vec::new(),
+ keys: Vec::new(),
+ sign,
+ }
+ }
+}
+
+pub struct Backend {
+ find_objects: FindObjectsFunction,
+ sign: SignFunction,
+}
+
+impl Backend {
+ pub fn new(find_objects: FindObjectsFunction, sign: SignFunction) -> Backend {
+ Backend { find_objects, sign }
+ }
+}
+
+impl ClientCertsBackend for Backend {
+ type Cert = Cert;
+ type Key = Key;
+
+ fn find_objects(&self) -> Result<(Vec<Cert>, Vec<Key>), Error> {
+ let mut find_objects_context = FindObjectsContext::new(self.sign);
+ (self.find_objects)(
+ Some(find_objects_callback),
+ &mut find_objects_context as *mut _ as *mut c_void,
+ );
+ Ok((find_objects_context.certs, find_objects_context.keys))
+ }
+}
diff --git a/security/manager/ssl/ipcclientcerts/src/lib.rs b/security/manager/ssl/ipcclientcerts/src/lib.rs
new file mode 100644
index 0000000000..cc2580d9d4
--- /dev/null
+++ b/security/manager/ssl/ipcclientcerts/src/lib.rs
@@ -0,0 +1,1049 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#![allow(non_snake_case)]
+
+extern crate byteorder;
+extern crate pkcs11_bindings;
+#[macro_use]
+extern crate rsclientcerts;
+extern crate sha2;
+
+use pkcs11_bindings::*;
+use rsclientcerts::manager::{Manager, SlotType};
+use std::ffi::{c_void, CStr};
+use std::sync::Mutex;
+
+mod backend;
+
+use backend::Backend;
+
+type FindObjectsCallback = Option<
+ unsafe extern "C" fn(
+ typ: u8,
+ data_len: usize,
+ data: *const u8,
+ extra_len: usize,
+ extra: *const u8,
+ slot_type: u32,
+ ctx: *mut c_void,
+ ),
+>;
+
+type FindObjectsFunction = extern "C" fn(callback: FindObjectsCallback, ctx: *mut c_void);
+
+type SignCallback =
+ Option<unsafe extern "C" fn(data_len: usize, data: *const u8, ctx: *mut c_void)>;
+
+type SignFunction = extern "C" fn(
+ cert_len: usize,
+ cert: *const u8,
+ data_len: usize,
+ data: *const u8,
+ params_len: usize,
+ params: *const u8,
+ callback: SignCallback,
+ ctx: *mut c_void,
+);
+
+/// The singleton `Manager` that handles state with respect to PKCS #11. Only one thread
+/// may use it at a time, but there is no restriction on which threads may use it.
+static MANAGER: Mutex<Option<Manager<Backend>>> = Mutex::new(None);
+
+// Obtaining a handle on the manager is a two-step process. First the mutex must be locked, which
+// (if successful), results in a mutex guard object. We must then get a mutable refence to the
+// underlying manager (if set - otherwise we return an error). This can't happen all in one macro
+// without dropping a reference that needs to live long enough for this to be safe. In
+// practice, this looks like:
+// let mut manager_guard = try_to_get_manager_guard!();
+// let manager = manager_guard_to_manager!(manager_guard);
+macro_rules! try_to_get_manager_guard {
+ () => {
+ match MANAGER.lock() {
+ Ok(maybe_manager) => maybe_manager,
+ Err(_) => return CKR_DEVICE_ERROR,
+ }
+ };
+}
+
+macro_rules! manager_guard_to_manager {
+ ($manager_guard:ident) => {
+ match $manager_guard.as_mut() {
+ Some(manager) => manager,
+ None => return CKR_DEVICE_ERROR,
+ }
+ };
+}
+
+/// This gets called to initialize the module. For this implementation, this consists of
+/// instantiating the `Manager`.
+extern "C" fn C_Initialize(pInitArgs: CK_VOID_PTR) -> CK_RV {
+ // pInitArgs.pReserved will be a c-string containing the base-16
+ // stringification of the addresses of the functions to call to communicate
+ // with the main process.
+ if pInitArgs.is_null() {
+ return CKR_DEVICE_ERROR;
+ }
+ let serialized_addresses_ptr = unsafe { (*(pInitArgs as CK_C_INITIALIZE_ARGS_PTR)).pReserved };
+ if serialized_addresses_ptr.is_null() {
+ return CKR_DEVICE_ERROR;
+ }
+ let serialized_addresses_cstr =
+ unsafe { CStr::from_ptr(serialized_addresses_ptr as *mut std::os::raw::c_char) };
+ let serialized_addresses = match serialized_addresses_cstr.to_str() {
+ Ok(serialized_addresses) => serialized_addresses,
+ Err(_) => return CKR_DEVICE_ERROR,
+ };
+ let function_addresses: Vec<usize> = serialized_addresses
+ .split(',')
+ .filter_map(|serialized_address| usize::from_str_radix(serialized_address, 16).ok())
+ .collect();
+ if function_addresses.len() != 2 {
+ return CKR_DEVICE_ERROR;
+ }
+ let find_objects: FindObjectsFunction = unsafe { std::mem::transmute(function_addresses[0]) };
+ let sign: SignFunction = unsafe { std::mem::transmute(function_addresses[1]) };
+ let mut manager_guard = try_to_get_manager_guard!();
+ let _unexpected_previous_manager =
+ manager_guard.replace(Manager::new(Backend::new(find_objects, sign)));
+ CKR_OK
+}
+
+extern "C" fn C_Finalize(_pReserved: CK_VOID_PTR) -> CK_RV {
+ // Drop the manager. When C_Finalize is called, there should be only one
+ // reference to this module (which is going away), so there shouldn't be
+ // any concurrency issues.
+ let mut manager_guard = try_to_get_manager_guard!();
+ match manager_guard.take() {
+ Some(_) => CKR_OK,
+ None => CKR_CRYPTOKI_NOT_INITIALIZED,
+ }
+}
+
+// The specification mandates that these strings be padded with spaces to the appropriate length.
+// Since the length of fixed-size arrays in rust is part of the type, the compiler enforces that
+// these byte strings are of the correct length.
+const MANUFACTURER_ID_BYTES: &[u8; 32] = b"Mozilla Corporation ";
+const LIBRARY_DESCRIPTION_BYTES: &[u8; 32] = b"IPC Client Cert Module ";
+
+/// This gets called to gather some information about the module. In particular, this implementation
+/// supports (portions of) cryptoki (PKCS #11) version 2.2.
+extern "C" fn C_GetInfo(pInfo: CK_INFO_PTR) -> CK_RV {
+ if pInfo.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut info = CK_INFO::default();
+ info.cryptokiVersion.major = 2;
+ info.cryptokiVersion.minor = 2;
+ info.manufacturerID = *MANUFACTURER_ID_BYTES;
+ info.libraryDescription = *LIBRARY_DESCRIPTION_BYTES;
+ unsafe {
+ *pInfo = info;
+ }
+ CKR_OK
+}
+
+/// This module has two slots.
+const SLOT_COUNT: CK_ULONG = 2;
+/// The slot with ID 1 supports modern mechanisms like RSA-PSS.
+const SLOT_ID_MODERN: CK_SLOT_ID = 1;
+/// The slot with ID 2 only supports legacy mechanisms.
+const SLOT_ID_LEGACY: CK_SLOT_ID = 2;
+
+/// This gets called twice: once with a null `pSlotList` to get the number of slots (returned via
+/// `pulCount`) and a second time to get the ID for each slot.
+extern "C" fn C_GetSlotList(
+ _tokenPresent: CK_BBOOL,
+ pSlotList: CK_SLOT_ID_PTR,
+ pulCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if pulCount.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ if !pSlotList.is_null() {
+ if unsafe { *pulCount } < SLOT_COUNT {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ unsafe {
+ *pSlotList = SLOT_ID_MODERN;
+ *pSlotList.offset(1) = SLOT_ID_LEGACY;
+ }
+ };
+ unsafe {
+ *pulCount = SLOT_COUNT;
+ }
+ CKR_OK
+}
+
+const SLOT_DESCRIPTION_MODERN_BYTES: &[u8; 64] =
+ b"IPC Client Cert Slot (Modern) ";
+const SLOT_DESCRIPTION_LEGACY_BYTES: &[u8; 64] =
+ b"IPC Client Cert Slot (Legacy) ";
+
+/// This gets called to obtain information about slots. In this implementation, the tokens are
+/// always present in the slots.
+extern "C" fn C_GetSlotInfo(slotID: CK_SLOT_ID, pInfo: CK_SLOT_INFO_PTR) -> CK_RV {
+ if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || pInfo.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let description = if slotID == SLOT_ID_MODERN {
+ SLOT_DESCRIPTION_MODERN_BYTES
+ } else {
+ SLOT_DESCRIPTION_LEGACY_BYTES
+ };
+ let slot_info = CK_SLOT_INFO {
+ slotDescription: *description,
+ manufacturerID: *MANUFACTURER_ID_BYTES,
+ flags: CKF_TOKEN_PRESENT,
+ hardwareVersion: CK_VERSION::default(),
+ firmwareVersion: CK_VERSION::default(),
+ };
+ unsafe {
+ *pInfo = slot_info;
+ }
+ CKR_OK
+}
+
+const TOKEN_LABEL_MODERN_BYTES: &[u8; 32] = b"IPC Client Cert Token (Modern) ";
+const TOKEN_LABEL_LEGACY_BYTES: &[u8; 32] = b"IPC Client Cert Token (Legacy) ";
+const TOKEN_MODEL_BYTES: &[u8; 16] = b"ipcclientcerts ";
+const TOKEN_SERIAL_NUMBER_BYTES: &[u8; 16] = b"0000000000000000";
+
+/// This gets called to obtain some information about tokens. This implementation has two slots,
+/// so it has two tokens. This information is primarily for display purposes.
+extern "C" fn C_GetTokenInfo(slotID: CK_SLOT_ID, pInfo: CK_TOKEN_INFO_PTR) -> CK_RV {
+ if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || pInfo.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut token_info = CK_TOKEN_INFO::default();
+ let label = if slotID == SLOT_ID_MODERN {
+ TOKEN_LABEL_MODERN_BYTES
+ } else {
+ TOKEN_LABEL_LEGACY_BYTES
+ };
+ token_info.label = *label;
+ token_info.manufacturerID = *MANUFACTURER_ID_BYTES;
+ token_info.model = *TOKEN_MODEL_BYTES;
+ token_info.serialNumber = *TOKEN_SERIAL_NUMBER_BYTES;
+ unsafe {
+ *pInfo = token_info;
+ }
+ CKR_OK
+}
+
+/// This gets called to determine what mechanisms a slot supports. The modern slot supports ECDSA,
+/// RSA PKCS, and RSA PSS. The legacy slot only supports RSA PKCS.
+extern "C" fn C_GetMechanismList(
+ slotID: CK_SLOT_ID,
+ pMechanismList: CK_MECHANISM_TYPE_PTR,
+ pulCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || pulCount.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mechanisms = if slotID == SLOT_ID_MODERN {
+ vec![CKM_ECDSA, CKM_RSA_PKCS, CKM_RSA_PKCS_PSS]
+ } else {
+ vec![CKM_RSA_PKCS]
+ };
+ if !pMechanismList.is_null() {
+ if unsafe { *pulCount as usize } < mechanisms.len() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ for i in 0..mechanisms.len() {
+ unsafe {
+ *pMechanismList.offset(i as isize) = mechanisms[i];
+ }
+ }
+ }
+ unsafe {
+ *pulCount = mechanisms.len() as CK_ULONG;
+ }
+ CKR_OK
+}
+
+extern "C" fn C_GetMechanismInfo(
+ _slotID: CK_SLOT_ID,
+ _type: CK_MECHANISM_TYPE,
+ _pInfo: CK_MECHANISM_INFO_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_InitToken(
+ _slotID: CK_SLOT_ID,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+ _pLabel: CK_UTF8CHAR_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_InitPIN(
+ _hSession: CK_SESSION_HANDLE,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SetPIN(
+ _hSession: CK_SESSION_HANDLE,
+ _pOldPin: CK_UTF8CHAR_PTR,
+ _ulOldLen: CK_ULONG,
+ _pNewPin: CK_UTF8CHAR_PTR,
+ _ulNewLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to create a new session. This module defers to the `ManagerProxy` to implement
+/// this.
+extern "C" fn C_OpenSession(
+ slotID: CK_SLOT_ID,
+ _flags: CK_FLAGS,
+ _pApplication: CK_VOID_PTR,
+ _Notify: CK_NOTIFY,
+ phSession: CK_SESSION_HANDLE_PTR,
+) -> CK_RV {
+ if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || phSession.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ let slot_type = if slotID == SLOT_ID_MODERN {
+ SlotType::Modern
+ } else {
+ SlotType::Legacy
+ };
+ let session_handle = match manager.open_session(slot_type) {
+ Ok(session_handle) => session_handle,
+ Err(_) => return CKR_DEVICE_ERROR,
+ };
+ unsafe {
+ *phSession = session_handle;
+ }
+ CKR_OK
+}
+
+/// This gets called to close a session. This is handled by the `ManagerProxy`.
+extern "C" fn C_CloseSession(hSession: CK_SESSION_HANDLE) -> CK_RV {
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ if manager.close_session(hSession).is_err() {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ CKR_OK
+}
+
+/// This gets called to close all open sessions at once. This is handled by the `ManagerProxy`.
+extern "C" fn C_CloseAllSessions(slotID: CK_SLOT_ID) -> CK_RV {
+ if slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ let slot_type = if slotID == SLOT_ID_MODERN {
+ SlotType::Modern
+ } else {
+ SlotType::Legacy
+ };
+ match manager.close_all_sessions(slot_type) {
+ Ok(()) => CKR_OK,
+ Err(_) => CKR_DEVICE_ERROR,
+ }
+}
+
+extern "C" fn C_GetSessionInfo(_hSession: CK_SESSION_HANDLE, _pInfo: CK_SESSION_INFO_PTR) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetOperationState(
+ _hSession: CK_SESSION_HANDLE,
+ _pOperationState: CK_BYTE_PTR,
+ _pulOperationStateLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SetOperationState(
+ _hSession: CK_SESSION_HANDLE,
+ _pOperationState: CK_BYTE_PTR,
+ _ulOperationStateLen: CK_ULONG,
+ _hEncryptionKey: CK_OBJECT_HANDLE,
+ _hAuthenticationKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Login(
+ _hSession: CK_SESSION_HANDLE,
+ _userType: CK_USER_TYPE,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to log out and drop any authenticated resources. Because this module does not
+/// hold on to authenticated resources, this module "implements" this by doing nothing and
+/// returning a success result.
+extern "C" fn C_Logout(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ CKR_OK
+}
+
+extern "C" fn C_CreateObject(
+ _hSession: CK_SESSION_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phObject: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_CopyObject(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phNewObject: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DestroyObject(_hSession: CK_SESSION_HANDLE, _hObject: CK_OBJECT_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetObjectSize(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pulSize: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to obtain the values of a number of attributes of an object identified by the
+/// given handle. This module implements this by requesting that the `ManagerProxy` find the object
+/// and attempt to get the value of each attribute. If a specified attribute is not defined on the
+/// object, the length of that attribute is set to -1 to indicate that it is not available.
+/// This gets called twice: once to obtain the lengths of the attributes and again to get the
+/// values.
+extern "C" fn C_GetAttributeValue(
+ _hSession: CK_SESSION_HANDLE,
+ hObject: CK_OBJECT_HANDLE,
+ pTemplate: CK_ATTRIBUTE_PTR,
+ ulCount: CK_ULONG,
+) -> CK_RV {
+ if pTemplate.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut attr_types = Vec::with_capacity(ulCount as usize);
+ for i in 0..ulCount {
+ let attr = unsafe { &*pTemplate.offset(i as isize) };
+ attr_types.push(attr.type_);
+ }
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ let values = match manager.get_attributes(hObject, attr_types) {
+ Ok(values) => values,
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ };
+ if values.len() != ulCount as usize {
+ return CKR_DEVICE_ERROR;
+ }
+ for i in 0..ulCount as usize {
+ let attr = unsafe { &mut *pTemplate.offset(i as isize) };
+ // NB: the safety of this array access depends on the length check above
+ if let Some(attr_value) = &values[i] {
+ if attr.pValue.is_null() {
+ attr.ulValueLen = attr_value.len() as CK_ULONG;
+ } else {
+ let ptr: *mut u8 = attr.pValue as *mut u8;
+ if attr_value.len() != attr.ulValueLen as usize {
+ return CKR_ARGUMENTS_BAD;
+ }
+ unsafe {
+ std::ptr::copy_nonoverlapping(attr_value.as_ptr(), ptr, attr_value.len());
+ }
+ }
+ } else {
+ attr.ulValueLen = (0 - 1) as CK_ULONG;
+ }
+ }
+ CKR_OK
+}
+
+extern "C" fn C_SetAttributeValue(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to initialize a search for objects matching a given list of attributes. This
+/// module implements this by gathering the attributes and passing them to the `ManagerProxy` to
+/// start the search.
+extern "C" fn C_FindObjectsInit(
+ hSession: CK_SESSION_HANDLE,
+ pTemplate: CK_ATTRIBUTE_PTR,
+ ulCount: CK_ULONG,
+) -> CK_RV {
+ if pTemplate.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut attrs = Vec::new();
+ for i in 0..ulCount {
+ let attr = unsafe { &*pTemplate.offset(i as isize) };
+ let slice = unsafe {
+ std::slice::from_raw_parts(attr.pValue as *const u8, attr.ulValueLen as usize)
+ };
+ attrs.push((attr.type_, slice.to_owned()));
+ }
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ match manager.start_search(hSession, attrs) {
+ Ok(()) => {}
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ }
+ CKR_OK
+}
+
+/// This gets called after `C_FindObjectsInit` to get the results of a search. This module
+/// implements this by looking up the search in the `ManagerProxy` and copying out the matching
+/// object handles.
+extern "C" fn C_FindObjects(
+ hSession: CK_SESSION_HANDLE,
+ phObject: CK_OBJECT_HANDLE_PTR,
+ ulMaxObjectCount: CK_ULONG,
+ pulObjectCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if phObject.is_null() || pulObjectCount.is_null() || ulMaxObjectCount == 0 {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ let handles = match manager.search(hSession, ulMaxObjectCount as usize) {
+ Ok(handles) => handles,
+ Err(_) => return CKR_ARGUMENTS_BAD,
+ };
+ if handles.len() > ulMaxObjectCount as usize {
+ return CKR_DEVICE_ERROR;
+ }
+ unsafe {
+ *pulObjectCount = handles.len() as CK_ULONG;
+ }
+ for (index, handle) in handles.iter().enumerate() {
+ if index < ulMaxObjectCount as usize {
+ unsafe {
+ *(phObject.add(index)) = *handle;
+ }
+ }
+ }
+ CKR_OK
+}
+
+/// This gets called after `C_FindObjectsInit` and `C_FindObjects` to finish a search. The module
+/// tells the `ManagerProxy` to clear the search.
+extern "C" fn C_FindObjectsFinal(hSession: CK_SESSION_HANDLE) -> CK_RV {
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ // It would be an error if there were no search for this session, but we can be permissive here.
+ match manager.clear_search(hSession) {
+ Ok(()) => CKR_OK,
+ Err(_) => CKR_DEVICE_ERROR,
+ }
+}
+
+extern "C" fn C_EncryptInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Encrypt(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pEncryptedData: CK_BYTE_PTR,
+ _pulEncryptedDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_EncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_EncryptFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pLastEncryptedPart: CK_BYTE_PTR,
+ _pulLastEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Decrypt(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedData: CK_BYTE_PTR,
+ _ulEncryptedDataLen: CK_ULONG,
+ _pData: CK_BYTE_PTR,
+ _pulDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pLastPart: CK_BYTE_PTR,
+ _pulLastPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestInit(_hSession: CK_SESSION_HANDLE, _pMechanism: CK_MECHANISM_PTR) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Digest(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pDigest: CK_BYTE_PTR,
+ _pulDigestLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestKey(_hSession: CK_SESSION_HANDLE, _hKey: CK_OBJECT_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pDigest: CK_BYTE_PTR,
+ _pulDigestLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to set up a sign operation. The module essentially defers to the
+/// `ManagerProxy`.
+extern "C" fn C_SignInit(
+ hSession: CK_SESSION_HANDLE,
+ pMechanism: CK_MECHANISM_PTR,
+ hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ if pMechanism.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ // Presumably we should validate the mechanism against hKey, but the specification doesn't
+ // actually seem to require this.
+ let mechanism = unsafe { *pMechanism };
+ let mechanism_params = if mechanism.mechanism == CKM_RSA_PKCS_PSS {
+ if mechanism.ulParameterLen as usize != std::mem::size_of::<CK_RSA_PKCS_PSS_PARAMS>() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ Some(unsafe { *(mechanism.pParameter as *const CK_RSA_PKCS_PSS_PARAMS) })
+ } else {
+ None
+ };
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ match manager.start_sign(hSession, hKey, mechanism_params) {
+ Ok(()) => {}
+ Err(_) => return CKR_GENERAL_ERROR,
+ };
+ CKR_OK
+}
+
+/// NSS calls this after `C_SignInit` (there are more ways in the PKCS #11 specification to sign
+/// data, but this is the only way supported by this module). The module essentially defers to the
+/// `ManagerProxy` and copies out the resulting signature.
+extern "C" fn C_Sign(
+ hSession: CK_SESSION_HANDLE,
+ pData: CK_BYTE_PTR,
+ ulDataLen: CK_ULONG,
+ pSignature: CK_BYTE_PTR,
+ pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ if pData.is_null() || pulSignatureLen.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let data = unsafe { std::slice::from_raw_parts(pData, ulDataLen as usize) };
+ if pSignature.is_null() {
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ match manager.get_signature_length(hSession, data.to_vec()) {
+ Ok(signature_length) => unsafe {
+ *pulSignatureLen = signature_length as CK_ULONG;
+ },
+ Err(_) => return CKR_GENERAL_ERROR,
+ }
+ } else {
+ let mut manager_guard = try_to_get_manager_guard!();
+ let manager = manager_guard_to_manager!(manager_guard);
+ match manager.sign(hSession, data.to_vec()) {
+ Ok(signature) => {
+ let signature_capacity = unsafe { *pulSignatureLen } as usize;
+ if signature_capacity < signature.len() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ let ptr: *mut u8 = pSignature as *mut u8;
+ unsafe {
+ std::ptr::copy_nonoverlapping(signature.as_ptr(), ptr, signature.len());
+ *pulSignatureLen = signature.len() as CK_ULONG;
+ }
+ }
+ Err(_) => return CKR_GENERAL_ERROR,
+ }
+ }
+ CKR_OK
+}
+
+extern "C" fn C_SignUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignRecoverInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignRecover(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pSignature: CK_BYTE_PTR,
+ _pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Verify(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyRecoverInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyRecover(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+ _pData: CK_BYTE_PTR,
+ _pulDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestEncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptDigestUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignEncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptVerifyUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateKeyPair(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _pPublicKeyTemplate: CK_ATTRIBUTE_PTR,
+ _ulPublicKeyAttributeCount: CK_ULONG,
+ _pPrivateKeyTemplate: CK_ATTRIBUTE_PTR,
+ _ulPrivateKeyAttributeCount: CK_ULONG,
+ _phPublicKey: CK_OBJECT_HANDLE_PTR,
+ _phPrivateKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_WrapKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hWrappingKey: CK_OBJECT_HANDLE,
+ _hKey: CK_OBJECT_HANDLE,
+ _pWrappedKey: CK_BYTE_PTR,
+ _pulWrappedKeyLen: CK_ULONG_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_UnwrapKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hUnwrappingKey: CK_OBJECT_HANDLE,
+ _pWrappedKey: CK_BYTE_PTR,
+ _ulWrappedKeyLen: CK_ULONG,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulAttributeCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DeriveKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hBaseKey: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulAttributeCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SeedRandom(
+ _hSession: CK_SESSION_HANDLE,
+ _pSeed: CK_BYTE_PTR,
+ _ulSeedLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateRandom(
+ _hSession: CK_SESSION_HANDLE,
+ _RandomData: CK_BYTE_PTR,
+ _ulRandomLen: CK_ULONG,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetFunctionStatus(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_CancelFunction(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_WaitForSlotEvent(
+ _flags: CK_FLAGS,
+ _pSlot: CK_SLOT_ID_PTR,
+ _pRserved: CK_VOID_PTR,
+) -> CK_RV {
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// To be a valid PKCS #11 module, this list of functions must be supported. At least cryptoki 2.2
+/// must be supported for this module to work in NSS.
+static FUNCTION_LIST: CK_FUNCTION_LIST = CK_FUNCTION_LIST {
+ version: CK_VERSION { major: 2, minor: 2 },
+ C_Initialize: Some(C_Initialize),
+ C_Finalize: Some(C_Finalize),
+ C_GetInfo: Some(C_GetInfo),
+ C_GetFunctionList: None,
+ C_GetSlotList: Some(C_GetSlotList),
+ C_GetSlotInfo: Some(C_GetSlotInfo),
+ C_GetTokenInfo: Some(C_GetTokenInfo),
+ C_GetMechanismList: Some(C_GetMechanismList),
+ C_GetMechanismInfo: Some(C_GetMechanismInfo),
+ C_InitToken: Some(C_InitToken),
+ C_InitPIN: Some(C_InitPIN),
+ C_SetPIN: Some(C_SetPIN),
+ C_OpenSession: Some(C_OpenSession),
+ C_CloseSession: Some(C_CloseSession),
+ C_CloseAllSessions: Some(C_CloseAllSessions),
+ C_GetSessionInfo: Some(C_GetSessionInfo),
+ C_GetOperationState: Some(C_GetOperationState),
+ C_SetOperationState: Some(C_SetOperationState),
+ C_Login: Some(C_Login),
+ C_Logout: Some(C_Logout),
+ C_CreateObject: Some(C_CreateObject),
+ C_CopyObject: Some(C_CopyObject),
+ C_DestroyObject: Some(C_DestroyObject),
+ C_GetObjectSize: Some(C_GetObjectSize),
+ C_GetAttributeValue: Some(C_GetAttributeValue),
+ C_SetAttributeValue: Some(C_SetAttributeValue),
+ C_FindObjectsInit: Some(C_FindObjectsInit),
+ C_FindObjects: Some(C_FindObjects),
+ C_FindObjectsFinal: Some(C_FindObjectsFinal),
+ C_EncryptInit: Some(C_EncryptInit),
+ C_Encrypt: Some(C_Encrypt),
+ C_EncryptUpdate: Some(C_EncryptUpdate),
+ C_EncryptFinal: Some(C_EncryptFinal),
+ C_DecryptInit: Some(C_DecryptInit),
+ C_Decrypt: Some(C_Decrypt),
+ C_DecryptUpdate: Some(C_DecryptUpdate),
+ C_DecryptFinal: Some(C_DecryptFinal),
+ C_DigestInit: Some(C_DigestInit),
+ C_Digest: Some(C_Digest),
+ C_DigestUpdate: Some(C_DigestUpdate),
+ C_DigestKey: Some(C_DigestKey),
+ C_DigestFinal: Some(C_DigestFinal),
+ C_SignInit: Some(C_SignInit),
+ C_Sign: Some(C_Sign),
+ C_SignUpdate: Some(C_SignUpdate),
+ C_SignFinal: Some(C_SignFinal),
+ C_SignRecoverInit: Some(C_SignRecoverInit),
+ C_SignRecover: Some(C_SignRecover),
+ C_VerifyInit: Some(C_VerifyInit),
+ C_Verify: Some(C_Verify),
+ C_VerifyUpdate: Some(C_VerifyUpdate),
+ C_VerifyFinal: Some(C_VerifyFinal),
+ C_VerifyRecoverInit: Some(C_VerifyRecoverInit),
+ C_VerifyRecover: Some(C_VerifyRecover),
+ C_DigestEncryptUpdate: Some(C_DigestEncryptUpdate),
+ C_DecryptDigestUpdate: Some(C_DecryptDigestUpdate),
+ C_SignEncryptUpdate: Some(C_SignEncryptUpdate),
+ C_DecryptVerifyUpdate: Some(C_DecryptVerifyUpdate),
+ C_GenerateKey: Some(C_GenerateKey),
+ C_GenerateKeyPair: Some(C_GenerateKeyPair),
+ C_WrapKey: Some(C_WrapKey),
+ C_UnwrapKey: Some(C_UnwrapKey),
+ C_DeriveKey: Some(C_DeriveKey),
+ C_SeedRandom: Some(C_SeedRandom),
+ C_GenerateRandom: Some(C_GenerateRandom),
+ C_GetFunctionStatus: Some(C_GetFunctionStatus),
+ C_CancelFunction: Some(C_CancelFunction),
+ C_WaitForSlotEvent: Some(C_WaitForSlotEvent),
+};
+
+/// This is the only function this module exposes. The C stub calls it when NSS
+/// calls its exposed C_GetFunctionList function to obtain the list of functions
+/// comprising this module.
+#[no_mangle]
+pub extern "C" fn IPCCC_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV {
+ if ppFunctionList.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ unsafe {
+ // CK_FUNCTION_LIST_PTR is a *mut CK_FUNCTION_LIST, but as per the
+ // specification, the caller must treat it as *const CK_FUNCTION_LIST.
+ *ppFunctionList = std::ptr::addr_of!(FUNCTION_LIST) as CK_FUNCTION_LIST_PTR;
+ }
+ CKR_OK
+}
+
+#[cfg_attr(target_os = "macos", link(name = "Security", kind = "framework"))]
+extern "C" {}
diff --git a/security/manager/ssl/md4.c b/security/manager/ssl/md4.c
new file mode 100644
index 0000000000..ed2369f1fa
--- /dev/null
+++ b/security/manager/ssl/md4.c
@@ -0,0 +1,179 @@
+/* vim:set ts=2 sw=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * "clean room" MD4 implementation (see RFC 1320)
+ */
+
+#include <string.h>
+#include "md4.h"
+
+/* the "conditional" function */
+#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
+
+/* the "majority" function */
+#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+
+/* the "parity" function */
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+
+/* rotate n-bits to the left */
+#define ROTL(x, n) (((x) << (n)) | ((x) >> (0x20 - n)))
+
+/* round 1: [abcd k s]: a = (a + F(b,c,d) + X[k]) <<< s */
+#define RD1(a, b, c, d, k, s) \
+ a += F(b, c, d) + X[k]; \
+ a = ROTL(a, s)
+
+/* round 2: [abcd k s]: a = (a + G(b,c,d) + X[k] + MAGIC) <<< s */
+#define RD2(a, b, c, d, k, s) \
+ a += G(b, c, d) + X[k] + 0x5A827999; \
+ a = ROTL(a, s)
+
+/* round 3: [abcd k s]: a = (a + H(b,c,d) + X[k] + MAGIC) <<< s */
+#define RD3(a, b, c, d, k, s) \
+ a += H(b, c, d) + X[k] + 0x6ED9EBA1; \
+ a = ROTL(a, s)
+
+/* converts from word array to byte array, len is number of bytes */
+static void w2b(uint8_t* out, const uint32_t* in, uint32_t len) {
+ uint8_t* bp;
+ const uint32_t *wp, *wpend;
+
+ bp = out;
+ wp = in;
+ wpend = wp + (len >> 2);
+
+ for (; wp != wpend; ++wp, bp += 4) {
+ bp[0] = (uint8_t)((*wp) & 0xFF);
+ bp[1] = (uint8_t)((*wp >> 8) & 0xFF);
+ bp[2] = (uint8_t)((*wp >> 16) & 0xFF);
+ bp[3] = (uint8_t)((*wp >> 24) & 0xFF);
+ }
+}
+
+/* converts from byte array to word array, len is number of bytes */
+static void b2w(uint32_t* out, const uint8_t* in, uint32_t len) {
+ uint32_t* wp;
+ const uint8_t *bp, *bpend;
+
+ wp = out;
+ bp = in;
+ bpend = in + len;
+
+ for (; bp != bpend; bp += 4, ++wp) {
+ *wp = (uint32_t)bp[0] | ((uint32_t)bp[1] << 8) | ((uint32_t)bp[2] << 16) |
+ ((uint32_t)bp[3] << 24);
+ }
+}
+
+/* update state: data is 64 bytes in length */
+static void md4step(uint32_t state[4], const uint8_t* data) {
+ uint32_t A, B, C, D, X[16];
+
+ b2w(X, data, 64);
+
+ A = state[0];
+ B = state[1];
+ C = state[2];
+ D = state[3];
+
+ RD1(A, B, C, D, 0, 3);
+ RD1(D, A, B, C, 1, 7);
+ RD1(C, D, A, B, 2, 11);
+ RD1(B, C, D, A, 3, 19);
+ RD1(A, B, C, D, 4, 3);
+ RD1(D, A, B, C, 5, 7);
+ RD1(C, D, A, B, 6, 11);
+ RD1(B, C, D, A, 7, 19);
+ RD1(A, B, C, D, 8, 3);
+ RD1(D, A, B, C, 9, 7);
+ RD1(C, D, A, B, 10, 11);
+ RD1(B, C, D, A, 11, 19);
+ RD1(A, B, C, D, 12, 3);
+ RD1(D, A, B, C, 13, 7);
+ RD1(C, D, A, B, 14, 11);
+ RD1(B, C, D, A, 15, 19);
+
+ RD2(A, B, C, D, 0, 3);
+ RD2(D, A, B, C, 4, 5);
+ RD2(C, D, A, B, 8, 9);
+ RD2(B, C, D, A, 12, 13);
+ RD2(A, B, C, D, 1, 3);
+ RD2(D, A, B, C, 5, 5);
+ RD2(C, D, A, B, 9, 9);
+ RD2(B, C, D, A, 13, 13);
+ RD2(A, B, C, D, 2, 3);
+ RD2(D, A, B, C, 6, 5);
+ RD2(C, D, A, B, 10, 9);
+ RD2(B, C, D, A, 14, 13);
+ RD2(A, B, C, D, 3, 3);
+ RD2(D, A, B, C, 7, 5);
+ RD2(C, D, A, B, 11, 9);
+ RD2(B, C, D, A, 15, 13);
+
+ RD3(A, B, C, D, 0, 3);
+ RD3(D, A, B, C, 8, 9);
+ RD3(C, D, A, B, 4, 11);
+ RD3(B, C, D, A, 12, 15);
+ RD3(A, B, C, D, 2, 3);
+ RD3(D, A, B, C, 10, 9);
+ RD3(C, D, A, B, 6, 11);
+ RD3(B, C, D, A, 14, 15);
+ RD3(A, B, C, D, 1, 3);
+ RD3(D, A, B, C, 9, 9);
+ RD3(C, D, A, B, 5, 11);
+ RD3(B, C, D, A, 13, 15);
+ RD3(A, B, C, D, 3, 3);
+ RD3(D, A, B, C, 11, 9);
+ RD3(C, D, A, B, 7, 11);
+ RD3(B, C, D, A, 15, 15);
+
+ state[0] += A;
+ state[1] += B;
+ state[2] += C;
+ state[3] += D;
+}
+
+void md4sum(const uint8_t* input, uint32_t inputLen, uint8_t* result) {
+ uint8_t final[128];
+ uint32_t i, n, m, state[4];
+ uint64_t inputLenBits;
+ uint32_t inputLenBitsLow;
+ uint32_t inputLenBitsHigh;
+
+ /* magic initial states */
+ state[0] = 0x67452301;
+ state[1] = 0xEFCDAB89;
+ state[2] = 0x98BADCFE;
+ state[3] = 0x10325476;
+
+ /* compute number of complete 64-byte segments contained in input */
+ m = inputLen >> 6;
+
+ /* digest first m segments */
+ for (i = 0; i < m; ++i) md4step(state, (input + (i << 6)));
+
+ /* build final buffer */
+ n = inputLen % 64;
+ memcpy(final, input + (m << 6), n);
+ final[n] = 0x80;
+ memset(final + n + 1, 0, 120 - (n + 1));
+
+ /* Append the original input length in bits as a 64-bit number. This is done
+ * in two 32-bit chunks, with the least-significant 32 bits first.
+ * w2b will handle endianness. */
+ inputLenBits = inputLen << 3;
+ inputLenBitsLow = (uint32_t)(inputLenBits & 0xFFFFFFFF);
+ w2b(final + (n >= 56 ? 120 : 56), &inputLenBitsLow, 4);
+ inputLenBitsHigh = (uint32_t)((inputLenBits >> 32) & 0xFFFFFFFF);
+ w2b(final + (n >= 56 ? 124 : 60), &inputLenBitsHigh, 4);
+
+ md4step(state, final);
+ if (n >= 56) md4step(state, final + 64);
+
+ /* copy state to result */
+ w2b(result, state, 16);
+}
diff --git a/security/manager/ssl/md4.h b/security/manager/ssl/md4.h
new file mode 100644
index 0000000000..6e56a4ffdc
--- /dev/null
+++ b/security/manager/ssl/md4.h
@@ -0,0 +1,38 @@
+/* vim:set ts=2 sw=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef md4_h__
+#define md4_h__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+
+/**
+ * md4sum - computes the MD4 sum over the input buffer per RFC 1320
+ *
+ * @param input
+ * buffer containing input data
+ * @param inputLen
+ * length of input buffer (number of bytes)
+ * @param result
+ * 16-byte buffer that will contain the MD4 sum upon return
+ *
+ * NOTE: MD4 is superceded by MD5. do not use MD4 unless required by the
+ * protocol you are implementing (e.g., NTLM requires MD4).
+ *
+ * NOTE: this interface is designed for relatively small buffers. A streaming
+ * interface would make more sense if that were a requirement. Currently, this
+ * is good enough for the applications we care about.
+ */
+void md4sum(const uint8_t* input, uint32_t inputLen, uint8_t* result);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* md4_h__ */
diff --git a/security/manager/ssl/metrics.yaml b/security/manager/ssl/metrics.yaml
new file mode 100644
index 0000000000..a03682affb
--- /dev/null
+++ b/security/manager/ssl/metrics.yaml
@@ -0,0 +1,180 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# Adding a new metric? We have docs for that!
+# https://firefox-source-docs.mozilla.org/toolkit/components/glean/user/new_definitions_file.html
+
+---
+$schema: moz://mozilla.org/schemas/glean/metrics/2-0-0
+$tags:
+ - 'Core :: Security: PSM'
+
+data_storage:
+ alternate_services:
+ type: quantity
+ description:
+ The number of entries stored in the AlternateServices nsIDataStorage
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080
+ data_sensitivity:
+ - interaction
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ unit: entries
+ client_auth_remember_list:
+ type: quantity
+ description:
+ The number of entries stored in the ClientAuthRememberList nsIDataStorage
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080
+ data_sensitivity:
+ - interaction
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ unit: entries
+ site_security_service_state:
+ type: quantity
+ description:
+ The number of entries stored in the SiteSecurityServiceState nsIDataStorage
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080
+ data_sensitivity:
+ - interaction
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ unit: entries
+
+oskeystore:
+ self_test:
+ type: labeled_boolean
+ description:
+ Whether or not each step of the OSKeyStore self test succeeded.
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1855759
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1855759
+ data_sensitivity:
+ - interaction
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: 126
+ labels:
+ - generate
+ - available
+ - encrypt
+ - decrypt
+
+tls:
+ certificate_verifications:
+ type: counter
+ description: >
+ The total number of successful TLS server certificate verifications.
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ xyber_intolerance_reason:
+ type: labeled_counter
+ description: >
+ The error that was returned from a failed TLS 1.3 handshake in which the client sent a Xyber key share (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp).
+ data_sensitivity:
+ - technical
+ bugs:
+ - https://bugzilla.mozilla.org/1874963
+ data_reviews:
+ - https://bugzilla.mozilla.org/1874963
+ notification_emails:
+ - jschanck@mozilla.com
+ expires: 136
+ labels:
+ - PR_CONNECT_RESET_ERROR
+ - PR_END_OF_FILE_ERROR
+ - SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE
+ - SSL_ERROR_BAD_MAC_ALERT
+ - SSL_ERROR_BAD_MAC_READ
+ - SSL_ERROR_DECODE_ERROR_ALERT
+ - SSL_ERROR_HANDSHAKE_FAILED
+ - SSL_ERROR_HANDSHAKE_FAILURE_ALERT
+ - SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT
+ - SSL_ERROR_ILLEGAL_PARAMETER_ALERT
+ - SSL_ERROR_INTERNAL_ERROR_ALERT
+ - SSL_ERROR_KEY_EXCHANGE_FAILURE
+ - SSL_ERROR_NO_CYPHER_OVERLAP
+ - SSL_ERROR_PROTOCOL_VERSION_ALERT
+ - SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE
+ - SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE
+ - SSL_ERROR_UNSUPPORTED_VERSION
+
+verification_used_cert_from:
+ tls_handshake:
+ type: rate
+ description: >
+ How many successfully-built certificate chains used a certificate from the TLS handshake.
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ denominator_metric: tls.certificate_verifications
+ preloaded_intermediates:
+ type: rate
+ description: >
+ How many successfully-built certificate chains used a certificate from preloaded intermediates.
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ denominator_metric: tls.certificate_verifications
+ third_party_certificates:
+ type: rate
+ description: >
+ How many successfully-built certificate chains used a third-party certificate from the OS.
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ denominator_metric: tls.certificate_verifications
+ nss_cert_db:
+ type: rate
+ description: >
+ How many successfully-built certificate chains used a certificate from the NSS cert DB.
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ denominator_metric: tls.certificate_verifications
+ built_in_roots_module:
+ type: rate
+ description: >
+ How many successfully-built certificate chains used a certificate from the built-in roots module.
+ bugs:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ data_reviews:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435
+ notification_emails:
+ - dkeeler@mozilla.com
+ expires: never
+ denominator_metric: tls.certificate_verifications
diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build
new file mode 100644
index 0000000000..676652db28
--- /dev/null
+++ b/security/manager/ssl/moz.build
@@ -0,0 +1,273 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# osclientcerts is currently only implemented for Windows
+# osclientcerts transitively depends on winapi 0.2.8, which doesn't work with
+# AArch64
+if (CONFIG["OS_ARCH"] == "WINNT" and CONFIG["TARGET_CPU"] != "aarch64") or CONFIG[
+ "OS_ARCH"
+] == "Darwin":
+ DIRS += ["osclientcerts"]
+
+DIRS += ["ipcclientcerts"]
+DIRS += ["builtins"]
+
+TEST_DIRS += ["tests"]
+
+XPIDL_SOURCES += [
+ "nsICertificateDialogs.idl",
+ "nsICertOverrideService.idl",
+ "nsICertStorage.idl",
+ "nsICertTree.idl",
+ "nsIClientAuthDialogService.idl",
+ "nsIClientAuthRememberService.idl",
+ "nsIContentSignatureVerifier.idl",
+ "nsICryptoHash.idl",
+ "nsIDataStorage.idl",
+ "nsINSSComponent.idl",
+ "nsINSSErrorsService.idl",
+ "nsINSSVersion.idl",
+ "nsIOSKeyStore.idl",
+ "nsIOSReauthenticator.idl",
+ "nsIPK11Token.idl",
+ "nsIPK11TokenDB.idl",
+ "nsIPKCS11Module.idl",
+ "nsIPKCS11ModuleDB.idl",
+ "nsIPKCS11Slot.idl",
+ "nsIPublicKeyPinningService.idl",
+ "nsISecretDecoderRing.idl",
+ "nsISecurityUITelemetry.idl",
+ "nsISiteSecurityService.idl",
+ "nsITLSSocketControl.idl",
+ "nsITokenPasswordDialogs.idl",
+ "nsITransportSecurityInfo.idl",
+ "nsIX509Cert.idl",
+ "nsIX509CertDB.idl",
+ "nsIX509CertValidity.idl",
+]
+
+XPIDL_MODULE = "pipnss"
+
+XPCOM_MANIFESTS += [
+ "components.conf",
+]
+
+EXTRA_JS_MODULES.psm += [
+ "ClientAuthDialogService.sys.mjs",
+ "DER.sys.mjs",
+ "RemoteSecuritySettings.sys.mjs",
+ "X509.sys.mjs",
+]
+
+EXPORTS += [
+ "CommonSocketControl.h",
+ "CryptoTask.h",
+ "EnterpriseRoots.h",
+ "nsClientAuthRemember.h",
+ "nsNSSCallbacks.h",
+ "nsNSSCertificate.h",
+ "nsNSSComponent.h",
+ "nsNSSHelper.h",
+ "nsRandomGenerator.h",
+ "nsSecureBrowserUI.h",
+ "nsSecurityHeaderParser.h",
+ "NSSErrorsService.h",
+ "nsSSLSocketProvider.h",
+ "nsTLSSocketProvider.h",
+ "RootCertificateTelemetryUtils.h",
+ "ScopedNSSTypes.h",
+ "SharedCertVerifier.h",
+ "SSLServerCertVerification.h",
+ "TransportSecurityInfo.h",
+]
+
+EXPORTS.mozilla += [
+ "PublicSSL.h",
+]
+
+EXPORTS.mozilla.psm += [
+ "IPCClientCertsChild.h",
+ "IPCClientCertsParent.h",
+ "SelectTLSClientAuthCertChild.h",
+ "SelectTLSClientAuthCertParent.h",
+ "TransportSecurityInfo.h",
+ "VerifySSLServerCertChild.h",
+ "VerifySSLServerCertParent.h",
+]
+
+UNIFIED_SOURCES += [
+ "AppSignatureVerification.cpp",
+ "AppTrustDomain.cpp",
+ "CertStorageMemoryReporting.cpp",
+ "CommonSocketControl.cpp",
+ "ContentSignatureVerifier.cpp",
+ "CryptoTask.cpp",
+ "DataStorageManager.cpp",
+ "EnterpriseRoots.cpp",
+ "IPCClientCertsChild.cpp",
+ "IPCClientCertsParent.cpp",
+ "md4.c",
+ "nsCertOverrideService.cpp",
+ "nsCertTree.cpp",
+ "nsClientAuthRemember.cpp",
+ "nsNSSCallbacks.cpp",
+ "nsNSSCertHelper.cpp",
+ "nsNSSCertificate.cpp",
+ "nsNSSCertificateDB.cpp",
+ "nsNSSCertTrust.cpp",
+ "nsNSSComponent.cpp",
+ "nsNSSIOLayer.cpp",
+ "nsNSSModule.cpp",
+ "nsNSSVersion.cpp",
+ "nsNTLMAuthModule.cpp",
+ "nsPK11TokenDB.cpp",
+ "nsPKCS11Slot.cpp",
+ "nsPKCS12Blob.cpp",
+ "nsRandomGenerator.cpp",
+ "nsSecureBrowserUI.cpp",
+ "nsSecurityHeaderParser.cpp",
+ "NSSErrorsService.cpp",
+ "nsSiteSecurityService.cpp",
+ "NSSKeyStore.cpp",
+ "nsSSLSocketProvider.cpp",
+ "NSSSocketControl.cpp",
+ "nsTLSSocketProvider.cpp",
+ "OSKeyStore.cpp",
+ "PKCS11ModuleDB.cpp",
+ "PSMRunnable.cpp",
+ "PublicKeyPinningService.cpp",
+ "RootCertificateTelemetryUtils.cpp",
+ "SecretDecoderRing.cpp",
+ "SharedSSLState.cpp",
+ "SSLServerCertVerification.cpp",
+ "TLSClientAuthCertSelection.cpp",
+ "TransportSecurityInfo.cpp",
+ "VerifySSLServerCertChild.cpp",
+ "VerifySSLServerCertParent.cpp",
+ "X509CertValidity.cpp",
+]
+
+if CONFIG["OS_ARCH"] == "WINNT":
+ # On Windows this file includes ntsecapi.h, which contains definitions that
+ # conflict with headers included in remaining source files. We compile this
+ # one independently to prevent that interferance.
+ SOURCES += [
+ "OSReauthenticator.cpp",
+ ]
+else:
+ UNIFIED_SOURCES += [
+ "OSReauthenticator.cpp",
+ ]
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
+ UNIFIED_SOURCES += [
+ "LibSecret.cpp",
+ ]
+ CFLAGS += CONFIG["GLIB_CFLAGS"]
+ CXXFLAGS += CONFIG["GLIB_CFLAGS"]
+
+if CONFIG["OS_ARCH"] == "Darwin":
+ UNIFIED_SOURCES += [
+ "KeychainSecret.cpp",
+ "OSReauthenticatorDarwin.mm",
+ ]
+ OS_LIBS += [
+ "-framework LocalAuthentication",
+ "-framework Security",
+ ]
+
+if CONFIG["OS_ARCH"] == "WINNT":
+ OS_LIBS += ["credui"]
+ UNIFIED_SOURCES += [
+ "CredentialManagerSecret.cpp",
+ ]
+
+IPDL_SOURCES += [
+ "PIPCClientCerts.ipdl",
+ "PSelectTLSClientAuthCert.ipdl",
+ "PSMIPCTypes.ipdlh",
+ "PVerifySSLServerCert.ipdl",
+]
+
+FINAL_LIBRARY = "xul"
+
+LOCAL_INCLUDES += [
+ "!/dist/public/nss",
+ "/dom/base",
+ "/dom/crypto",
+ "/netwerk/base",
+ "/security/certverifier",
+ "/third_party/rust/cose-c/include",
+ "/xpcom/build",
+]
+
+GeneratedFile(
+ "nsSTSPreloadListGenerated.inc",
+ script="../../../xpcom/ds/tools/make_dafsa.py",
+ inputs=["nsSTSPreloadList.inc"],
+)
+
+DEFINES["SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES"] = "True"
+DEFINES["NSS_ENABLE_ECC"] = "True"
+
+# mozpkix is linked statically from the in-tree sources independent of whether
+# system NSS is used or not.
+USE_LIBS += ["mozpkix"]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+if CONFIG["CC_TYPE"] in ("clang", "gcc"):
+ CXXFLAGS += [
+ "-Wextra",
+ # -Wextra enables this warning, but it's too noisy to be useful.
+ "-Wno-missing-field-initializers",
+ ]
+
+ # Gecko headers aren't warning-free enough for us to enable these warnings.
+ CXXFLAGS += [
+ "-Wno-unused-parameter",
+ ]
+
+headers_arrays_certs = [
+ (
+ "xpcshell.inc",
+ "xpcshellRoot",
+ "tests/unit/test_signed_apps/xpcshellTestRoot.der",
+ ),
+ ("addons-public.inc", "addonsPublicRoot", "addons-public.crt"),
+ (
+ "addons-public-intermediate.inc",
+ "addonsPublicIntermediate",
+ "addons-public-intermediate.crt",
+ ),
+ ("addons-stage.inc", "addonsStageRoot", "addons-stage.crt"),
+ (
+ "content-signature-prod.inc",
+ "contentSignatureProdRoot",
+ "content-signature-prod.crt",
+ ),
+ (
+ "content-signature-stage.inc",
+ "contentSignatureStageRoot",
+ "content-signature-stage.crt",
+ ),
+ # The dev root is the same as the stage root.
+ (
+ "content-signature-dev.inc",
+ "contentSignatureDevRoot",
+ "content-signature-stage.crt",
+ ),
+ (
+ "content-signature-local.inc",
+ "contentSignatureLocalRoot",
+ "content-signature-local.crt",
+ ),
+]
+
+for header, array_name, cert in headers_arrays_certs:
+ GeneratedFile(
+ header, script="gen_cert_header.py", entry_point=array_name, inputs=[cert]
+ )
diff --git a/security/manager/ssl/nsCertOverrideService.cpp b/security/manager/ssl/nsCertOverrideService.cpp
new file mode 100644
index 0000000000..b8d0bbc3a1
--- /dev/null
+++ b/security/manager/ssl/nsCertOverrideService.cpp
@@ -0,0 +1,757 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsCertOverrideService.h"
+
+#include "NSSCertDBTrustDomain.h"
+#include "ScopedNSSTypes.h"
+#include "SharedSSLState.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/TaskQueue.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/TextUtils.h"
+#include "mozilla/Tokenizer.h"
+#include "mozilla/Unused.h"
+#include "mozilla/dom/ToJSValue.h"
+#include "nsAppDirectoryServiceDefs.h"
+#include "nsCRT.h"
+#include "nsILineInputStream.h"
+#ifdef ENABLE_WEBDRIVER
+# include "nsIMarionette.h"
+#endif
+#include "nsIObserver.h"
+#include "nsIObserverService.h"
+#include "nsIOutputStream.h"
+#ifdef ENABLE_WEBDRIVER
+# include "nsIRemoteAgent.h"
+#endif
+#include "nsISafeOutputStream.h"
+#include "nsIX509Cert.h"
+#include "nsNSSCertificate.h"
+#include "nsNSSComponent.h"
+#include "nsNetUtil.h"
+#include "nsStreamUtils.h"
+#include "nsStringBuffer.h"
+#include "nsThreadUtils.h"
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+#define CERT_OVERRIDE_FILE_NAME "cert_override.txt"
+
+class WriterRunnable : public Runnable {
+ public:
+ WriterRunnable(nsCertOverrideService* aService, nsCString& aData,
+ nsCOMPtr<nsIFile> aFile)
+ : Runnable("nsCertOverrideService::WriterRunnable"),
+ mCertOverrideService(aService),
+ mData(aData),
+ mFile(std::move(aFile)) {}
+
+ NS_IMETHOD
+ Run() override {
+ mCertOverrideService->AssertOnTaskQueue();
+ nsresult rv;
+
+ auto removeShutdownBlockerOnExit =
+ MakeScopeExit([certOverrideService = mCertOverrideService]() {
+ NS_DispatchToMainThread(NS_NewRunnableFunction(
+ "nsCertOverrideService::RemoveShutdownBlocker",
+ [certOverrideService] {
+ certOverrideService->RemoveShutdownBlocker();
+ }));
+ });
+
+ nsCOMPtr<nsIOutputStream> outputStream;
+ rv = NS_NewSafeLocalFileOutputStream(
+ getter_AddRefs(outputStream), mFile,
+ PR_CREATE_FILE | PR_TRUNCATE | PR_WRONLY);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ const char* ptr = mData.get();
+ uint32_t remaining = mData.Length();
+ uint32_t written = 0;
+ while (remaining > 0) {
+ rv = outputStream->Write(ptr, remaining, &written);
+ NS_ENSURE_SUCCESS(rv, rv);
+ remaining -= written;
+ ptr += written;
+ }
+
+ nsCOMPtr<nsISafeOutputStream> safeStream = do_QueryInterface(outputStream);
+ MOZ_ASSERT(safeStream);
+ rv = safeStream->Finish();
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ return NS_OK;
+ }
+
+ private:
+ const RefPtr<nsCertOverrideService> mCertOverrideService;
+ nsCString mData;
+ const nsCOMPtr<nsIFile> mFile;
+};
+
+NS_IMPL_ISUPPORTS(nsCertOverride, nsICertOverride)
+
+NS_IMETHODIMP
+nsCertOverride::GetAsciiHost(/*out*/ nsACString& aAsciiHost) {
+ aAsciiHost = mAsciiHost;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverride::GetFingerprint(/*out*/ nsACString& aFingerprint) {
+ aFingerprint = mFingerprint;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverride::GetPort(/*out*/ int32_t* aPort) {
+ *aPort = mPort;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverride::GetHostPort(/*out*/ nsACString& aHostPort) {
+ nsCertOverrideService::GetHostWithPort(mAsciiHost, mPort, aHostPort);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverride::GetOriginAttributes(
+ JSContext* aCtx, /*out*/ JS::MutableHandle<JS::Value> aValue) {
+ if (ToJSValue(aCtx, mOriginAttributes, aValue)) {
+ return NS_OK;
+ }
+ return NS_ERROR_FAILURE;
+}
+
+NS_IMPL_ISUPPORTS(nsCertOverrideService, nsICertOverrideService, nsIObserver,
+ nsISupportsWeakReference, nsIAsyncShutdownBlocker)
+
+nsCertOverrideService::nsCertOverrideService()
+ : mMutex("nsCertOverrideService.mutex"),
+ mDisableAllSecurityCheck(false),
+ mPendingWriteCount(0) {
+ nsCOMPtr<nsIEventTarget> target =
+ do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID);
+ MOZ_ASSERT(target);
+
+ mWriterTaskQueue = TaskQueue::Create(target.forget(), "CertOverrideService");
+}
+
+nsCertOverrideService::~nsCertOverrideService() = default;
+
+static nsCOMPtr<nsIAsyncShutdownClient> GetShutdownBarrier() {
+ MOZ_ASSERT(NS_IsMainThread());
+ nsCOMPtr<nsIAsyncShutdownService> svc =
+ mozilla::services::GetAsyncShutdownService();
+ MOZ_RELEASE_ASSERT(svc);
+
+ nsCOMPtr<nsIAsyncShutdownClient> barrier;
+ nsresult rv = svc->GetProfileBeforeChange(getter_AddRefs(barrier));
+
+ MOZ_RELEASE_ASSERT(NS_SUCCEEDED(rv));
+ MOZ_RELEASE_ASSERT(barrier);
+ return barrier;
+}
+
+nsresult nsCertOverrideService::Init() {
+ if (!NS_IsMainThread()) {
+ MOZ_ASSERT_UNREACHABLE("nsCertOverrideService initialized off main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+
+ // If we cannot add ourselves as a profile change observer, then we will not
+ // attempt to read/write any settings file. Otherwise, we would end up
+ // reading/writing the wrong settings file after a profile change.
+ if (observerService) {
+ observerService->AddObserver(this, "profile-do-change", true);
+ // simulate a profile change so we read the current profile's settings file
+ Observe(nullptr, "profile-do-change", nullptr);
+ }
+
+ SharedSSLState::NoteCertOverrideServiceInstantiated();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::Observe(nsISupports*, const char* aTopic,
+ const char16_t* aData) {
+ if (!nsCRT::strcmp(aTopic, "profile-do-change")) {
+ // The profile has already changed.
+ // Now read from the new profile location.
+ // we also need to update the cached file location
+
+ MutexAutoLock lock(mMutex);
+
+ nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
+ getter_AddRefs(mSettingsFile));
+ if (NS_SUCCEEDED(rv)) {
+ mSettingsFile->AppendNative(nsLiteralCString(CERT_OVERRIDE_FILE_NAME));
+ } else {
+ mSettingsFile = nullptr;
+ }
+ Read(lock);
+ CountPermanentOverrideTelemetry(lock);
+ }
+
+ return NS_OK;
+}
+
+void nsCertOverrideService::RemoveAllTemporaryOverrides() {
+ MutexAutoLock lock(mMutex);
+ bool removedAny = false;
+ for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
+ nsCertOverrideEntry* entry = iter.Get();
+ if (entry->mSettings->mIsTemporary) {
+ iter.Remove();
+ removedAny = true;
+ }
+ }
+ if (removedAny) {
+ nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
+ if (os) {
+ os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr);
+ }
+ }
+ // no need to write, as temporaries are never written to disk
+}
+
+static const char sSHA256OIDString[] = "OID.2.16.840.1.101.3.4.2.1";
+nsresult nsCertOverrideService::Read(const MutexAutoLock& aProofOfLock) {
+ mMutex.AssertCurrentThreadOwns();
+ // If we don't have a profile, then we won't try to read any settings file.
+ if (!mSettingsFile) return NS_OK;
+
+ nsresult rv;
+ nsCOMPtr<nsIInputStream> fileInputStream;
+ rv = NS_NewLocalFileInputStream(getter_AddRefs(fileInputStream),
+ mSettingsFile);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsCOMPtr<nsILineInputStream> lineInputStream =
+ do_QueryInterface(fileInputStream, &rv);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsAutoCString buffer;
+ bool isMore = true;
+
+ // Each line is of the form:
+ // host:port:originAttributes \t sSHA256OIDString \t fingerprint \t
+ // There may be some "bits" identifiers and "dbKey" after the `fingerprint`
+ // field in 'fingerprint \t \t dbKey' format, but these are now ignored.
+ // Lines that don't match this form are silently dropped.
+
+ while (isMore && NS_SUCCEEDED(lineInputStream->ReadLine(buffer, &isMore))) {
+ if (buffer.IsEmpty() || buffer.First() == '#') {
+ continue;
+ }
+
+ Tokenizer parser(buffer);
+ nsDependentCSubstring host;
+ if (parser.CheckChar('[')) { // this is a IPv6 address
+ if (!parser.ReadUntil(Tokenizer::Token::Char(']'), host) ||
+ host.Length() == 0 || !parser.CheckChar(':')) {
+ continue;
+ }
+ } else if (!parser.ReadUntil(Tokenizer::Token::Char(':'), host) ||
+ host.Length() == 0) {
+ continue;
+ }
+ int32_t port = -1;
+ if (!parser.ReadInteger(&port)) {
+ continue;
+ }
+ OriginAttributes attributes;
+ if (parser.CheckChar(':')) {
+ nsDependentCSubstring attributesString;
+ if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), attributesString) ||
+ !attributes.PopulateFromSuffix(attributesString)) {
+ continue;
+ }
+ } else if (!parser.CheckWhite()) {
+ continue;
+ }
+ nsDependentCSubstring algorithm;
+ if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), algorithm) ||
+ algorithm != sSHA256OIDString) {
+ continue;
+ }
+ nsDependentCSubstring fingerprint;
+ if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), fingerprint) ||
+ fingerprint.Length() == 0) {
+ continue;
+ }
+
+ AddEntryToList(host, port, attributes,
+ false, // not temporary
+ fingerprint, aProofOfLock);
+ }
+
+ return NS_OK;
+}
+
+nsresult nsCertOverrideService::Write(const MutexAutoLock& aProofOfLock) {
+ mMutex.AssertCurrentThreadOwns();
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ // If we don't have any profile, then we won't try to write any file
+ if (!mSettingsFile) {
+ return NS_OK;
+ }
+
+ nsCString output;
+
+ static const char kHeader[] =
+ "# PSM Certificate Override Settings file" NS_LINEBREAK
+ "# This is a generated file! Do not edit." NS_LINEBREAK;
+
+ /* see ::Read for file format */
+
+ output.Append(kHeader);
+
+ static const char kTab[] = "\t";
+ for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
+ nsCertOverrideEntry* entry = iter.Get();
+
+ RefPtr<nsCertOverride> settings = entry->mSettings;
+ if (settings->mIsTemporary) {
+ continue;
+ }
+
+ output.Append(entry->mKeyString);
+ output.Append(kTab);
+ output.Append(sSHA256OIDString);
+ output.Append(kTab);
+ output.Append(settings->mFingerprint);
+ output.Append(kTab);
+ // the "bits" string used to go here, but it no longer exists
+ // the "\t dbKey" string used to go here, but it no longer exists
+ output.Append(NS_LINEBREAK);
+ }
+
+ // Make a clone of the file to pass to the WriterRunnable.
+ nsCOMPtr<nsIFile> file;
+ nsresult rv;
+ rv = mSettingsFile->Clone(getter_AddRefs(file));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsCOMPtr<nsIRunnable> runnable = new WriterRunnable(this, output, file);
+ rv = mWriterTaskQueue->Dispatch(runnable.forget());
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ mPendingWriteCount++;
+
+ if (mPendingWriteCount == 1) {
+ rv = GetShutdownBarrier()->AddBlocker(
+ this, NS_LITERAL_STRING_FROM_CSTRING(__FILE__), __LINE__,
+ u"nsCertOverrideService writing data"_ns);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ return NS_OK;
+}
+
+nsresult GetCertSha256Fingerprint(nsIX509Cert* aCert, nsCString& aResult) {
+ nsAutoString fpStrUTF16;
+ nsresult rv = aCert->GetSha256Fingerprint(fpStrUTF16);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ aResult.Assign(NS_ConvertUTF16toUTF8(fpStrUTF16));
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::RememberValidityOverride(
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes, nsIX509Cert* aCert,
+ bool aTemporary) {
+ if (aHostName.IsEmpty() || !IsAscii(aHostName) || !aCert) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ if (aPort < -1) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ UniqueCERTCertificate nsscert(aCert->GetCert());
+ if (!nsscert) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsAutoCString fpStr;
+ nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ {
+ MutexAutoLock lock(mMutex);
+ AddEntryToList(aHostName, aPort, aOriginAttributes, aTemporary, fpStr,
+ lock);
+ if (!aTemporary) {
+ Write(lock);
+ }
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::RememberValidityOverrideScriptable(
+ const nsACString& aHostName, int32_t aPort,
+ JS::Handle<JS::Value> aOriginAttributes, nsIX509Cert* aCert,
+ bool aTemporary, JSContext* aCx) {
+ OriginAttributes attrs;
+ if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ return RememberValidityOverride(aHostName, aPort, attrs, aCert, aTemporary);
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::HasMatchingOverride(
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes, nsIX509Cert* aCert,
+ bool* aIsTemporary, bool* aRetval) {
+ bool disableAllSecurityCheck = false;
+ {
+ MutexAutoLock lock(mMutex);
+ disableAllSecurityCheck = mDisableAllSecurityCheck;
+ }
+ if (disableAllSecurityCheck) {
+ *aIsTemporary = false;
+ *aRetval = true;
+ return NS_OK;
+ }
+
+ if (aHostName.IsEmpty() || !IsAscii(aHostName)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ if (aPort < -1) return NS_ERROR_INVALID_ARG;
+
+ NS_ENSURE_ARG_POINTER(aCert);
+ NS_ENSURE_ARG_POINTER(aIsTemporary);
+ NS_ENSURE_ARG_POINTER(aRetval);
+ *aRetval = false;
+
+ RefPtr<nsCertOverride> settings(
+ GetOverrideFor(aHostName, aPort, aOriginAttributes));
+ // If there is no corresponding override and the given OriginAttributes isn't
+ // the default, try to look up an override using the default OriginAttributes.
+ if (!settings && aOriginAttributes != OriginAttributes()) {
+ settings = GetOverrideFor(aHostName, aPort, OriginAttributes());
+ }
+ if (!settings) {
+ return NS_OK;
+ }
+
+ *aIsTemporary = settings->mIsTemporary;
+
+ nsAutoCString fpStr;
+ nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ *aRetval = settings->mFingerprint.Equals(fpStr);
+ return NS_OK;
+}
+
+already_AddRefed<nsCertOverride> nsCertOverrideService::GetOverrideFor(
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes) {
+ nsAutoCString keyString;
+ GetKeyString(aHostName, aPort, aOriginAttributes, keyString);
+ MutexAutoLock lock(mMutex);
+ nsCertOverrideEntry* entry = mSettingsTable.GetEntry(keyString.get());
+ if (!entry) {
+ return nullptr;
+ }
+ return do_AddRef(entry->mSettings);
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::HasMatchingOverrideScriptable(
+ const nsACString& aHostName, int32_t aPort,
+ JS::Handle<JS::Value> aOriginAttributes, nsIX509Cert* aCert,
+ bool* aIsTemporary, JSContext* aCx, bool* aRetval) {
+ OriginAttributes attrs;
+ if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ return HasMatchingOverride(aHostName, aPort, attrs, aCert, aIsTemporary,
+ aRetval);
+}
+
+nsresult nsCertOverrideService::AddEntryToList(
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes, const bool aIsTemporary,
+ const nsACString& fingerprint, const MutexAutoLock& aProofOfLock) {
+ mMutex.AssertCurrentThreadOwns();
+ nsAutoCString keyString;
+ GetKeyString(aHostName, aPort, aOriginAttributes, keyString);
+
+ nsCertOverrideEntry* entry = mSettingsTable.PutEntry(keyString.get());
+
+ if (!entry) {
+ NS_ERROR("can't insert a null entry!");
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ entry->mKeyString = keyString;
+
+ RefPtr<nsCertOverride> settings(new nsCertOverride());
+
+ settings->mAsciiHost = aHostName;
+ settings->mPort = aPort;
+ settings->mOriginAttributes = aOriginAttributes;
+ settings->mIsTemporary = aIsTemporary;
+ settings->mFingerprint = fingerprint;
+ entry->mSettings = settings;
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::ClearValidityOverride(
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes) {
+ if (aHostName.IsEmpty() || !IsAscii(aHostName)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ if (aPort == 0 && aHostName.EqualsLiteral("all:temporary-certificates")) {
+ RemoveAllTemporaryOverrides();
+ return NS_OK;
+ }
+ nsAutoCString keyString;
+ GetKeyString(aHostName, aPort, aOriginAttributes, keyString);
+ {
+ MutexAutoLock lock(mMutex);
+ mSettingsTable.RemoveEntry(keyString.get());
+ Write(lock);
+ }
+
+ nsCOMPtr<nsINSSComponent> nss(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (nss) {
+ nss->ClearSSLExternalAndInternalSessionCache();
+ } else {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
+ if (os) {
+ os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr);
+ }
+
+ return NS_OK;
+}
+NS_IMETHODIMP
+nsCertOverrideService::ClearValidityOverrideScriptable(
+ const nsACString& aHostName, int32_t aPort,
+ JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx) {
+ OriginAttributes attrs;
+ if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ return ClearValidityOverride(aHostName, aPort, attrs);
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::ClearAllOverrides() {
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ {
+ MutexAutoLock lock(mMutex);
+ mSettingsTable.Clear();
+ Write(lock);
+ }
+
+ nsCOMPtr<nsINSSComponent> nss(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (nss) {
+ nss->ClearSSLExternalAndInternalSessionCache();
+ } else {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
+ if (os) {
+ os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr);
+ }
+
+ return NS_OK;
+}
+
+void nsCertOverrideService::CountPermanentOverrideTelemetry(
+ const MutexAutoLock& aProofOfLock) {
+ mMutex.AssertCurrentThreadOwns();
+ uint32_t overrideCount = 0;
+ for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
+ if (!iter.Get()->mSettings->mIsTemporary) {
+ overrideCount++;
+ }
+ }
+ Telemetry::Accumulate(Telemetry::SSL_PERMANENT_CERT_ERROR_OVERRIDES,
+ overrideCount);
+}
+
+static bool IsDebugger() {
+#ifdef ENABLE_WEBDRIVER
+ nsCOMPtr<nsIMarionette> marionette = do_GetService(NS_MARIONETTE_CONTRACTID);
+ if (marionette) {
+ bool marionetteRunning = false;
+ marionette->GetRunning(&marionetteRunning);
+ if (marionetteRunning) {
+ return true;
+ }
+ }
+
+ nsCOMPtr<nsIRemoteAgent> agent = do_GetService(NS_REMOTEAGENT_CONTRACTID);
+ if (agent) {
+ bool remoteAgentRunning = false;
+ agent->GetRunning(&remoteAgentRunning);
+ if (remoteAgentRunning) {
+ return true;
+ }
+ }
+#endif
+
+ return false;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::
+ SetDisableAllSecurityChecksAndLetAttackersInterceptMyData(bool aDisable) {
+ if (!(PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR") || IsDebugger())) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ {
+ MutexAutoLock lock(mMutex);
+ mDisableAllSecurityCheck = aDisable;
+ }
+
+ nsCOMPtr<nsINSSComponent> nss(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (nss) {
+ nss->ClearSSLExternalAndInternalSessionCache();
+ } else {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::GetSecurityCheckDisabled(bool* aDisabled) {
+ MutexAutoLock lock(mMutex);
+ *aDisabled = mDisableAllSecurityCheck;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::GetOverrides(
+ /*out*/ nsTArray<RefPtr<nsICertOverride>>& retval) {
+ MutexAutoLock lock(mMutex);
+ for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
+ const RefPtr<nsICertOverride> settings = iter.Get()->mSettings;
+
+ retval.AppendElement(settings);
+ }
+ return NS_OK;
+}
+
+void nsCertOverrideService::GetHostWithPort(const nsACString& aHostName,
+ int32_t aPort,
+ nsACString& aRetval) {
+ nsAutoCString hostPort;
+ if (aHostName.Contains(':')) {
+ // if aHostName is an IPv6 address, add brackets to match the internal
+ // representation, which always stores IPv6 addresses with brackets
+ hostPort.Append('[');
+ hostPort.Append(aHostName);
+ hostPort.Append(']');
+ } else {
+ hostPort.Append(aHostName);
+ }
+ if (aPort == -1) {
+ aPort = 443;
+ }
+ if (!hostPort.IsEmpty()) {
+ hostPort.Append(':');
+ hostPort.AppendInt(aPort);
+ }
+ aRetval.Assign(hostPort);
+}
+
+void nsCertOverrideService::GetKeyString(
+ const nsACString& aHostName, int32_t aPort,
+ const OriginAttributes& aOriginAttributes, nsACString& aRetval) {
+ nsAutoCString keyString;
+ GetHostWithPort(aHostName, aPort, keyString);
+ keyString.Append(':');
+ OriginAttributes strippedAttributes(aOriginAttributes);
+ strippedAttributes.StripAttributes(
+ ~OriginAttributes::STRIP_PRIVATE_BROWSING_ID);
+ nsAutoCString attributeSuffix;
+ strippedAttributes.CreateSuffix(attributeSuffix);
+ keyString.Append(attributeSuffix);
+ aRetval.Assign(keyString);
+}
+
+// nsIAsyncShutdownBlocker implementation
+NS_IMETHODIMP
+nsCertOverrideService::GetName(nsAString& aName) {
+ aName = u"nsCertOverrideService: shutdown"_ns;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::GetState(nsIPropertyBag** aState) {
+ if (!aState) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ *aState = nullptr;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::BlockShutdown(nsIAsyncShutdownClient*) { return NS_OK; }
+
+void nsCertOverrideService::RemoveShutdownBlocker() {
+ MOZ_ASSERT(NS_IsMainThread());
+ MOZ_ASSERT(mPendingWriteCount > 0);
+ mPendingWriteCount--;
+ if (mPendingWriteCount == 0) {
+ nsresult rv = GetShutdownBarrier()->RemoveBlocker(this);
+ MOZ_RELEASE_ASSERT(NS_SUCCEEDED(rv));
+ }
+}
diff --git a/security/manager/ssl/nsCertOverrideService.h b/security/manager/ssl/nsCertOverrideService.h
new file mode 100644
index 0000000000..21cff56300
--- /dev/null
+++ b/security/manager/ssl/nsCertOverrideService.h
@@ -0,0 +1,152 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsCertOverrideService_h
+#define nsCertOverrideService_h
+
+#include <utility>
+
+#include "mozilla/HashFunctions.h"
+#include "mozilla/Mutex.h"
+#include "mozilla/OriginAttributes.h"
+#include "mozilla/TaskQueue.h"
+#include "nsIAsyncShutdown.h"
+#include "nsICertOverrideService.h"
+#include "nsIFile.h"
+#include "nsIObserver.h"
+#include "nsString.h"
+#include "nsTHashtable.h"
+#include "nsWeakReference.h"
+#include "secoidt.h"
+
+class nsCertOverride final : public nsICertOverride {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSICERTOVERRIDE
+
+ nsCertOverride() : mPort(-1), mIsTemporary(false) {}
+
+ nsCString mAsciiHost;
+ int32_t mPort;
+ mozilla::OriginAttributes mOriginAttributes;
+ bool mIsTemporary; // true: session only, false: stored on disk
+ nsCString mFingerprint;
+
+ private:
+ ~nsCertOverride() = default;
+};
+
+// hash entry class
+class nsCertOverrideEntry final : public PLDHashEntryHdr {
+ public:
+ // Hash methods
+ typedef const char* KeyType;
+ typedef const char* KeyTypePointer;
+
+ // do nothing with aHost - we require mHead to be set before we're live!
+ explicit nsCertOverrideEntry(KeyTypePointer aHostWithPortUTF8) {}
+
+ nsCertOverrideEntry(nsCertOverrideEntry&& toMove)
+ : PLDHashEntryHdr(std::move(toMove)),
+ mSettings(std::move(toMove.mSettings)),
+ mKeyString(std::move(toMove.mKeyString)) {}
+
+ ~nsCertOverrideEntry() = default;
+
+ KeyType GetKey() const { return KeyStringPtr(); }
+
+ KeyTypePointer GetKeyPointer() const { return KeyStringPtr(); }
+
+ bool KeyEquals(KeyTypePointer aKey) const {
+ return !strcmp(KeyStringPtr(), aKey);
+ }
+
+ static KeyTypePointer KeyToPointer(KeyType aKey) { return aKey; }
+
+ static PLDHashNumber HashKey(KeyTypePointer aKey) {
+ return mozilla::HashString(aKey);
+ }
+
+ enum { ALLOW_MEMMOVE = false };
+
+ // get methods
+ inline const nsCString& KeyString() const { return mKeyString; }
+
+ inline KeyTypePointer KeyStringPtr() const { return mKeyString.get(); }
+
+ RefPtr<nsCertOverride> mSettings;
+ nsCString mKeyString;
+};
+
+class nsCertOverrideService final : public nsICertOverrideService,
+ public nsIObserver,
+ public nsSupportsWeakReference,
+ public nsIAsyncShutdownBlocker {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSICERTOVERRIDESERVICE
+ NS_DECL_NSIOBSERVER
+ NS_DECL_NSIASYNCSHUTDOWNBLOCKER
+
+ nsCertOverrideService();
+
+ nsresult Init();
+ void RemoveAllTemporaryOverrides();
+
+ // Concatenates host name and the port number. If the port number is -1 then
+ // port 443 is automatically used. This method ensures there is always a port
+ // number separated with colon.
+ static void GetHostWithPort(const nsACString& aHostName, int32_t aPort,
+ nsACString& aRetval);
+
+ // Concatenates host name, port number, and origin attributes.
+ static void GetKeyString(const nsACString& aHostName, int32_t aPort,
+ const mozilla::OriginAttributes& aOriginAttributes,
+ nsACString& aRetval);
+
+ void AssertOnTaskQueue() const {
+ MOZ_ASSERT(mWriterTaskQueue->IsOnCurrentThread());
+ }
+
+ void RemoveShutdownBlocker();
+
+ private:
+ ~nsCertOverrideService();
+
+ mozilla::Mutex mMutex;
+ bool mDisableAllSecurityCheck MOZ_GUARDED_BY(mMutex);
+ nsCOMPtr<nsIFile> mSettingsFile MOZ_GUARDED_BY(mMutex);
+ nsTHashtable<nsCertOverrideEntry> mSettingsTable MOZ_GUARDED_BY(mMutex);
+
+ void CountPermanentOverrideTelemetry(
+ const mozilla::MutexAutoLock& aProofOfLock);
+
+ nsresult Read(const mozilla::MutexAutoLock& aProofOfLock);
+ nsresult Write(const mozilla::MutexAutoLock& aProofOfLock);
+ nsresult AddEntryToList(const nsACString& host, int32_t port,
+ const mozilla::OriginAttributes& aOriginAttributes,
+ const bool aIsTemporary,
+ const nsACString& fingerprint,
+ const mozilla::MutexAutoLock& aProofOfLock);
+ already_AddRefed<nsCertOverride> GetOverrideFor(
+ const nsACString& aHostName, int32_t aPort,
+ const mozilla::OriginAttributes& aOriginAttributes);
+
+ // Set in constructor only
+ RefPtr<mozilla::TaskQueue> mWriterTaskQueue;
+
+ // Only accessed on the main thread
+ uint64_t mPendingWriteCount;
+};
+
+#define NS_CERTOVERRIDE_CID \
+ { /* 67ba681d-5485-4fff-952c-2ee337ffdcd6 */ \
+ 0x67ba681d, 0x5485, 0x4fff, { \
+ 0x95, 0x2c, 0x2e, 0xe3, 0x37, 0xff, 0xdc, 0xd6 \
+ } \
+ }
+
+#endif // nsCertOverrideService_h
diff --git a/security/manager/ssl/nsCertTree.cpp b/security/manager/ssl/nsCertTree.cpp
new file mode 100644
index 0000000000..0448cf4566
--- /dev/null
+++ b/security/manager/ssl/nsCertTree.cpp
@@ -0,0 +1,844 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsCertTree.h"
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/intl/AppDateTimeFormat.h"
+#include "nsArray.h"
+#include "nsArrayUtils.h"
+#include "nsHashKeys.h"
+#include "nsISupportsPrimitives.h"
+#include "nsIX509CertDB.h"
+#include "nsIX509Cert.h"
+#include "nsIX509CertValidity.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSCertificate.h"
+#include "nsComponentManagerUtils.h"
+#include "nsNSSCertificateDB.h"
+#include "nsNSSHelper.h"
+#include "nsReadableUtils.h"
+#include "nsTHashtable.h"
+#include "nsUnicharUtils.h"
+#include "nsXPCOMCID.h"
+#include "nsString.h"
+#include "nsTreeColumns.h"
+#include "mozpkix/pkixtypes.h"
+
+using namespace mozilla;
+
+extern LazyLogModule gPIPNSSLog;
+
+// treeArrayElStr
+//
+// structure used to hold map of tree. Each thread (an organization
+// field from a cert) has an element in the array. The numChildren field
+// stores the number of certs corresponding to that thread.
+struct treeArrayElStr {
+ nsString orgName; /* heading for thread */
+ bool open; /* toggle open state for thread */
+ int32_t certIndex; /* index into cert array for 1st cert */
+ int32_t numChildren; /* number of chidren (certs) for thread */
+};
+
+CompareCacheHashEntryPtr::CompareCacheHashEntryPtr() {
+ entry = new CompareCacheHashEntry;
+}
+
+CompareCacheHashEntryPtr::~CompareCacheHashEntryPtr() { delete entry; }
+
+CompareCacheHashEntry::CompareCacheHashEntry() : key(nullptr), mCritInit() {
+ for (int i = 0; i < max_criterions; ++i) {
+ mCritInit[i] = false;
+ mCrit[i].SetIsVoid(true);
+ }
+}
+
+static bool CompareCacheMatchEntry(const PLDHashEntryHdr* hdr,
+ const void* key) {
+ const CompareCacheHashEntryPtr* entryPtr =
+ static_cast<const CompareCacheHashEntryPtr*>(hdr);
+ return entryPtr->entry->key == key;
+}
+
+static void CompareCacheInitEntry(PLDHashEntryHdr* hdr, const void* key) {
+ new (hdr) CompareCacheHashEntryPtr();
+ CompareCacheHashEntryPtr* entryPtr =
+ static_cast<CompareCacheHashEntryPtr*>(hdr);
+ entryPtr->entry->key = (void*)key;
+}
+
+static void CompareCacheClearEntry(PLDHashTable* table, PLDHashEntryHdr* hdr) {
+ CompareCacheHashEntryPtr* entryPtr =
+ static_cast<CompareCacheHashEntryPtr*>(hdr);
+ entryPtr->~CompareCacheHashEntryPtr();
+}
+
+static const PLDHashTableOps gMapOps = {
+ PLDHashTable::HashVoidPtrKeyStub, CompareCacheMatchEntry,
+ PLDHashTable::MoveEntryStub, CompareCacheClearEntry, CompareCacheInitEntry};
+
+NS_IMPL_ISUPPORTS(nsCertTreeDispInfo, nsICertTreeItem)
+
+nsCertTreeDispInfo::~nsCertTreeDispInfo() = default;
+
+NS_IMETHODIMP
+nsCertTreeDispInfo::GetCert(nsIX509Cert** aCert) {
+ NS_ENSURE_ARG(aCert);
+ nsCOMPtr<nsIX509Cert> cert = mCert;
+ cert.forget(aCert);
+ return NS_OK;
+}
+
+NS_IMPL_ISUPPORTS(nsCertTree, nsICertTree, nsITreeView)
+
+nsCertTree::nsCertTree()
+ : mTreeArray(nullptr),
+ mNumOrgs(0),
+ mNumRows(0),
+ mCompareCache(&gMapOps, sizeof(CompareCacheHashEntryPtr),
+ kInitialCacheLength) {
+ mCellText = nullptr;
+}
+
+void nsCertTree::ClearCompareHash() {
+ mCompareCache.ClearAndPrepareForLength(kInitialCacheLength);
+}
+
+nsCertTree::~nsCertTree() { delete[] mTreeArray; }
+
+void nsCertTree::FreeCertArray() { mDispInfo.Clear(); }
+
+CompareCacheHashEntry* nsCertTree::getCacheEntry(void* cache, void* aCert) {
+ PLDHashTable& aCompareCache = *static_cast<PLDHashTable*>(cache);
+ auto entryPtr = static_cast<CompareCacheHashEntryPtr*>(
+ aCompareCache.Add(aCert, fallible));
+ return entryPtr ? entryPtr->entry : nullptr;
+}
+
+void nsCertTree::RemoveCacheEntry(void* key) { mCompareCache.Remove(key); }
+
+// CountOrganizations
+//
+// Count the number of different organizations encountered in the cert
+// list.
+int32_t nsCertTree::CountOrganizations() {
+ uint32_t i, certCount;
+ certCount = mDispInfo.Length();
+ if (certCount == 0) return 0;
+ nsCOMPtr<nsIX509Cert> orgCert = mDispInfo.ElementAt(0)->mCert;
+ nsCOMPtr<nsIX509Cert> nextCert = nullptr;
+ int32_t orgCount = 1;
+ for (i = 1; i < certCount; i++) {
+ nextCert = mDispInfo.SafeElementAt(i, nullptr)->mCert;
+ // XXX we assume issuer org is always criterion 1
+ if (CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None,
+ sort_None) != 0) {
+ orgCert = nextCert;
+ orgCount++;
+ }
+ }
+ return orgCount;
+}
+
+// GetThreadDescAtIndex
+//
+// If the row at index is an organization thread, return the collection
+// associated with that thread. Otherwise, return null.
+treeArrayEl* nsCertTree::GetThreadDescAtIndex(int32_t index) {
+ int i, idx = 0;
+ if (index < 0) return nullptr;
+ for (i = 0; i < mNumOrgs; i++) {
+ if (index == idx) {
+ return &mTreeArray[i];
+ }
+ if (mTreeArray[i].open) {
+ idx += mTreeArray[i].numChildren;
+ }
+ idx++;
+ if (idx > index) break;
+ }
+ return nullptr;
+}
+
+// GetCertAtIndex
+//
+// If the row at index is a cert, return that cert. Otherwise, return null.
+already_AddRefed<nsIX509Cert> nsCertTree::GetCertAtIndex(
+ int32_t index, int32_t* outAbsoluteCertOffset) {
+ RefPtr<nsCertTreeDispInfo> certdi(
+ GetDispInfoAtIndex(index, outAbsoluteCertOffset));
+ if (!certdi) return nullptr;
+
+ nsCOMPtr<nsIX509Cert> ret = certdi->mCert;
+ return ret.forget();
+}
+
+// If the row at index is a cert, return that cert. Otherwise, return null.
+already_AddRefed<nsCertTreeDispInfo> nsCertTree::GetDispInfoAtIndex(
+ int32_t index, int32_t* outAbsoluteCertOffset) {
+ int i, idx = 0, cIndex = 0, nc;
+ if (index < 0) return nullptr;
+ // Loop over the threads
+ for (i = 0; i < mNumOrgs; i++) {
+ if (index == idx) return nullptr; // index is for thread
+ idx++; // get past the thread
+ nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;
+ if (index < idx + nc) { // cert is within range of this thread
+ int32_t certIndex = cIndex + index - idx;
+ if (outAbsoluteCertOffset) *outAbsoluteCertOffset = certIndex;
+ RefPtr<nsCertTreeDispInfo> certdi(
+ mDispInfo.SafeElementAt(certIndex, nullptr));
+ if (certdi) {
+ return certdi.forget();
+ }
+ break;
+ }
+ if (mTreeArray[i].open) idx += mTreeArray[i].numChildren;
+ cIndex += mTreeArray[i].numChildren;
+ if (idx > index) break;
+ }
+ return nullptr;
+}
+
+nsCertTree::nsCertCompareFunc nsCertTree::GetCompareFuncFromCertType(
+ uint32_t aType) {
+ switch (aType) {
+ case nsIX509Cert::ANY_CERT:
+ case nsIX509Cert::USER_CERT:
+ return CmpUserCert;
+ case nsIX509Cert::EMAIL_CERT:
+ return CmpEmailCert;
+ case nsIX509Cert::CA_CERT:
+ default:
+ return CmpCACert;
+ }
+}
+
+nsresult nsCertTree::GetCertsByTypeFromCertList(
+ const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType,
+ nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetCertsByTypeFromCertList"));
+
+ nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys;
+
+ if (aWantedType == nsIX509Cert::SERVER_CERT) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ int count = 0;
+ for (const auto& cert : aCertList) {
+ bool wantThisCert = (aWantedType == nsIX509Cert::ANY_CERT);
+
+ if (!wantThisCert) {
+ uint32_t thisCertType;
+ nsresult rv = cert->GetCertType(&thisCertType);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (thisCertType == aWantedType) {
+ wantThisCert = true;
+ }
+ }
+
+ if (wantThisCert) {
+ int InsertPosition = 0;
+ for (; InsertPosition < count; ++InsertPosition) {
+ nsCOMPtr<nsIX509Cert> otherCert = nullptr;
+ RefPtr<nsCertTreeDispInfo> elem(
+ mDispInfo.SafeElementAt(InsertPosition, nullptr));
+ if (elem) {
+ otherCert = elem->mCert;
+ }
+ if ((*aCertCmpFn)(aCertCmpFnArg, cert, otherCert) < 0) {
+ break;
+ }
+ }
+ nsCertTreeDispInfo* certdi = new nsCertTreeDispInfo(cert);
+ mDispInfo.InsertElementAt(InsertPosition, certdi);
+ ++count;
+ ++InsertPosition;
+ }
+ }
+
+ return NS_OK;
+}
+
+// LoadCerts
+//
+// Load all of the certificates in the DB for this type. Sort them
+// by token, organization, then common name.
+NS_IMETHODIMP
+nsCertTree::LoadCertsFromCache(const nsTArray<RefPtr<nsIX509Cert>>& aCache,
+ uint32_t aType) {
+ if (mTreeArray) {
+ FreeCertArray();
+ delete[] mTreeArray;
+ mTreeArray = nullptr;
+ mNumRows = 0;
+ }
+ ClearCompareHash();
+
+ nsresult rv = GetCertsByTypeFromCertList(
+ aCache, aType, GetCompareFuncFromCertType(aType), &mCompareCache);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return UpdateUIContents();
+}
+
+nsresult nsCertTree::UpdateUIContents() {
+ uint32_t count = mDispInfo.Length();
+ mNumOrgs = CountOrganizations();
+ mTreeArray = new treeArrayEl[mNumOrgs];
+
+ mCellText = nsArrayBase::Create();
+
+ if (count) {
+ uint32_t j = 0;
+ nsCOMPtr<nsIX509Cert> orgCert = mDispInfo.ElementAt(j)->mCert;
+ for (int32_t i = 0; i < mNumOrgs; i++) {
+ nsString& orgNameRef = mTreeArray[i].orgName;
+ if (!orgCert) {
+ GetPIPNSSBundleString("CertOrgUnknown", orgNameRef);
+ } else {
+ orgCert->GetIssuerOrganization(orgNameRef);
+ if (orgNameRef.IsEmpty()) orgCert->GetCommonName(orgNameRef);
+ }
+ mTreeArray[i].open = true;
+ mTreeArray[i].certIndex = j;
+ mTreeArray[i].numChildren = 1;
+ if (++j >= count) break;
+ nsCOMPtr<nsIX509Cert> nextCert =
+ mDispInfo.SafeElementAt(j, nullptr)->mCert;
+ while (0 == CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg,
+ sort_None, sort_None)) {
+ mTreeArray[i].numChildren++;
+ if (++j >= count) break;
+ nextCert = mDispInfo.SafeElementAt(j, nullptr)->mCert;
+ }
+ orgCert = nextCert;
+ }
+ }
+ if (mTree) {
+ mTree->BeginUpdateBatch();
+ mTree->RowCountChanged(0, -mNumRows);
+ }
+ mNumRows = count + mNumOrgs;
+ if (mTree) mTree->EndUpdateBatch();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::DeleteEntryObject(uint32_t index) {
+ if (!mTreeArray) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsCOMPtr<nsIX509CertDB> certdb =
+ do_GetService("@mozilla.org/security/x509certdb;1");
+ if (!certdb) {
+ return NS_ERROR_FAILURE;
+ }
+
+ int i;
+ uint32_t idx = 0, cIndex = 0, nc;
+ // Loop over the threads
+ for (i = 0; i < mNumOrgs; i++) {
+ if (index == idx) return NS_OK; // index is for thread
+ idx++; // get past the thread
+ nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;
+ if (index < idx + nc) { // cert is within range of this thread
+ int32_t certIndex = cIndex + index - idx;
+
+ RefPtr<nsCertTreeDispInfo> certdi(
+ mDispInfo.SafeElementAt(certIndex, nullptr));
+ if (certdi) {
+ nsCOMPtr<nsIX509Cert> cert = certdi->mCert;
+ RemoveCacheEntry(cert);
+ certdb->DeleteCertificate(cert);
+ }
+
+ mDispInfo.RemoveElementAt(certIndex);
+
+ delete[] mTreeArray;
+ mTreeArray = nullptr;
+ return UpdateUIContents();
+ }
+ if (mTreeArray[i].open) idx += mTreeArray[i].numChildren;
+ cIndex += mTreeArray[i].numChildren;
+ if (idx > index) break;
+ }
+ return NS_ERROR_FAILURE;
+}
+
+//////////////////////////////////////////////////////////////////////////////
+//
+// Begin nsITreeView methods
+//
+/////////////////////////////////////////////////////////////////////////////
+
+NS_IMETHODIMP
+nsCertTree::GetCert(uint32_t aIndex, nsIX509Cert** _cert) {
+ NS_ENSURE_ARG(_cert);
+ *_cert = GetCertAtIndex(aIndex).take();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetTreeItem(uint32_t aIndex, nsICertTreeItem** _treeitem) {
+ NS_ENSURE_ARG(_treeitem);
+
+ RefPtr<nsCertTreeDispInfo> certdi(GetDispInfoAtIndex(aIndex));
+ if (!certdi) return NS_ERROR_FAILURE;
+
+ *_treeitem = certdi;
+ NS_IF_ADDREF(*_treeitem);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetRowCount(int32_t* aRowCount) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+ uint32_t count = 0;
+ for (int32_t i = 0; i < mNumOrgs; i++) {
+ if (mTreeArray[i].open) {
+ count += mTreeArray[i].numChildren;
+ }
+ count++;
+ }
+ *aRowCount = count;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetSelection(nsITreeSelection** aSelection) {
+ *aSelection = mSelection;
+ NS_IF_ADDREF(*aSelection);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::SetSelection(nsITreeSelection* aSelection) {
+ mSelection = aSelection;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetRowProperties(int32_t index, nsAString& aProps) { return NS_OK; }
+
+NS_IMETHODIMP
+nsCertTree::GetCellProperties(int32_t row, nsTreeColumn* col,
+ nsAString& aProps) {
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetColumnProperties(nsTreeColumn* col, nsAString& aProps) {
+ return NS_OK;
+}
+NS_IMETHODIMP
+nsCertTree::IsContainer(int32_t index, bool* _retval) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+ treeArrayEl* el = GetThreadDescAtIndex(index);
+ if (el) {
+ *_retval = true;
+ } else {
+ *_retval = false;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::IsContainerOpen(int32_t index, bool* _retval) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+ treeArrayEl* el = GetThreadDescAtIndex(index);
+ if (el && el->open) {
+ *_retval = true;
+ } else {
+ *_retval = false;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::IsContainerEmpty(int32_t index, bool* _retval) {
+ *_retval = !mTreeArray;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::IsSeparator(int32_t index, bool* _retval) {
+ *_retval = false;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetParentIndex(int32_t rowIndex, int32_t* _retval) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+ int i, idx = 0;
+ for (i = 0; i < mNumOrgs && idx < rowIndex; i++, idx++) {
+ if (mTreeArray[i].open) {
+ if (rowIndex <= idx + mTreeArray[i].numChildren) {
+ *_retval = idx;
+ return NS_OK;
+ }
+ idx += mTreeArray[i].numChildren;
+ }
+ }
+ *_retval = -1;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::HasNextSibling(int32_t rowIndex, int32_t afterIndex,
+ bool* _retval) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+
+ int i, idx = 0;
+ for (i = 0; i < mNumOrgs && idx <= rowIndex; i++, idx++) {
+ if (mTreeArray[i].open) {
+ idx += mTreeArray[i].numChildren;
+ if (afterIndex <= idx) {
+ *_retval = afterIndex < idx;
+ return NS_OK;
+ }
+ }
+ }
+ *_retval = false;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetLevel(int32_t index, int32_t* _retval) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+ treeArrayEl* el = GetThreadDescAtIndex(index);
+ if (el) {
+ *_retval = 0;
+ } else {
+ *_retval = 1;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetImageSrc(int32_t row, nsTreeColumn* col, nsAString& _retval) {
+ _retval.Truncate();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetCellValue(int32_t row, nsTreeColumn* col, nsAString& _retval) {
+ _retval.Truncate();
+ return NS_OK;
+}
+
+static void PRTimeToLocalDateString(PRTime time, nsAString& result) {
+ PRExplodedTime explodedTime;
+ PR_ExplodeTime(time, PR_LocalTimeParameters, &explodedTime);
+ intl::DateTimeFormat::StyleBag style;
+ style.date = Some(intl::DateTimeFormat::Style::Long);
+ style.time = Nothing();
+ Unused << intl::AppDateTimeFormat::Format(style, &explodedTime, result);
+}
+
+NS_IMETHODIMP
+nsCertTree::GetCellText(int32_t row, nsTreeColumn* col, nsAString& _retval) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+
+ nsresult rv = NS_OK;
+ _retval.Truncate();
+
+ const nsAString& colID = col->GetId();
+
+ treeArrayEl* el = GetThreadDescAtIndex(row);
+ if (el) {
+ if (u"certcol"_ns.Equals(colID))
+ _retval.Assign(el->orgName);
+ else
+ _retval.Truncate();
+ return NS_OK;
+ }
+
+ int32_t absoluteCertOffset;
+ RefPtr<nsCertTreeDispInfo> certdi(
+ GetDispInfoAtIndex(row, &absoluteCertOffset));
+ if (!certdi) return NS_ERROR_FAILURE;
+
+ nsCOMPtr<nsIX509Cert> cert = certdi->mCert;
+
+ int32_t colIndex = col->Index();
+ uint32_t arrayIndex = absoluteCertOffset + colIndex * (mNumRows - mNumOrgs);
+ uint32_t arrayLength = 0;
+ if (mCellText) {
+ mCellText->GetLength(&arrayLength);
+ }
+ if (arrayIndex < arrayLength) {
+ nsCOMPtr<nsISupportsString> myString(
+ do_QueryElementAt(mCellText, arrayIndex));
+ if (myString) {
+ myString->GetData(_retval);
+ return NS_OK;
+ }
+ }
+
+ if (u"certcol"_ns.Equals(colID)) {
+ if (!cert) {
+ rv = GetPIPNSSBundleString("CertNotStored", _retval);
+ } else {
+ rv = cert->GetDisplayName(_retval);
+ }
+ } else if (u"tokencol"_ns.Equals(colID) && cert) {
+ rv = cert->GetTokenName(_retval);
+ } else if (u"emailcol"_ns.Equals(colID) && cert) {
+ rv = cert->GetEmailAddress(_retval);
+ } else if (u"issuedcol"_ns.Equals(colID) && cert) {
+ nsCOMPtr<nsIX509CertValidity> validity;
+
+ rv = cert->GetValidity(getter_AddRefs(validity));
+ if (NS_SUCCEEDED(rv)) {
+ PRTime notBefore;
+ rv = validity->GetNotBefore(&notBefore);
+ if (NS_SUCCEEDED(rv)) {
+ PRTimeToLocalDateString(notBefore, _retval);
+ }
+ }
+ } else if (u"expiredcol"_ns.Equals(colID) && cert) {
+ nsCOMPtr<nsIX509CertValidity> validity;
+
+ rv = cert->GetValidity(getter_AddRefs(validity));
+ if (NS_SUCCEEDED(rv)) {
+ PRTime notAfter;
+ rv = validity->GetNotAfter(&notAfter);
+ if (NS_SUCCEEDED(rv)) {
+ PRTimeToLocalDateString(notAfter, _retval);
+ }
+ }
+ } else if (u"serialnumcol"_ns.Equals(colID) && cert) {
+ rv = cert->GetSerialNumber(_retval);
+ } else {
+ return NS_ERROR_FAILURE;
+ }
+ if (mCellText) {
+ nsCOMPtr<nsISupportsString> text(
+ do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID, &rv));
+ NS_ENSURE_SUCCESS(rv, rv);
+ text->SetData(_retval);
+ mCellText->ReplaceElementAt(text, arrayIndex);
+ }
+ return rv;
+}
+
+NS_IMETHODIMP
+nsCertTree::SetTree(mozilla::dom::XULTreeElement* tree) {
+ mTree = tree;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::ToggleOpenState(int32_t index) {
+ if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED;
+ treeArrayEl* el = GetThreadDescAtIndex(index);
+ if (el) {
+ el->open = !el->open;
+ int32_t newChildren = (el->open) ? el->numChildren : -el->numChildren;
+ if (mTree) {
+ mTree->RowCountChanged(index + 1, newChildren);
+ mTree->InvalidateRow(index);
+ }
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::CycleHeader(nsTreeColumn* col) { return NS_OK; }
+
+NS_IMETHODIMP
+nsCertTree::SelectionChangedXPCOM() { return NS_ERROR_NOT_IMPLEMENTED; }
+
+NS_IMETHODIMP
+nsCertTree::CycleCell(int32_t row, nsTreeColumn* col) { return NS_OK; }
+
+NS_IMETHODIMP
+nsCertTree::IsEditable(int32_t row, nsTreeColumn* col, bool* _retval) {
+ *_retval = false;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::SetCellValue(int32_t row, nsTreeColumn* col,
+ const nsAString& value) {
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::SetCellText(int32_t row, nsTreeColumn* col,
+ const nsAString& value) {
+ return NS_OK;
+}
+
+//
+// CanDrop
+//
+NS_IMETHODIMP nsCertTree::CanDrop(int32_t index, int32_t orientation,
+ mozilla::dom::DataTransfer* aDataTransfer,
+ bool* _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ *_retval = false;
+
+ return NS_OK;
+}
+
+//
+// Drop
+//
+NS_IMETHODIMP nsCertTree::Drop(int32_t row, int32_t orient,
+ mozilla::dom::DataTransfer* aDataTransfer) {
+ return NS_OK;
+}
+
+//
+// IsSorted
+//
+// ...
+//
+NS_IMETHODIMP nsCertTree::IsSorted(bool* _retval) {
+ *_retval = false;
+ return NS_OK;
+}
+
+#define RETURN_NOTHING
+
+void nsCertTree::CmpInitCriterion(nsIX509Cert* cert,
+ CompareCacheHashEntry* entry,
+ sortCriterion crit, int32_t level) {
+ NS_ENSURE_TRUE(cert && entry, RETURN_NOTHING);
+
+ entry->mCritInit[level] = true;
+ nsString& str = entry->mCrit[level];
+
+ switch (crit) {
+ case sort_IssuerOrg:
+ cert->GetIssuerOrganization(str);
+ if (str.IsEmpty()) cert->GetCommonName(str);
+ break;
+ case sort_Org:
+ cert->GetOrganization(str);
+ break;
+ case sort_Token:
+ cert->GetTokenName(str);
+ break;
+ case sort_CommonName:
+ cert->GetCommonName(str);
+ break;
+ case sort_IssuedDateDescending: {
+ nsresult rv;
+ nsCOMPtr<nsIX509CertValidity> validity;
+ PRTime notBefore;
+
+ rv = cert->GetValidity(getter_AddRefs(validity));
+ if (NS_SUCCEEDED(rv)) {
+ rv = validity->GetNotBefore(&notBefore);
+ }
+
+ if (NS_SUCCEEDED(rv)) {
+ PRExplodedTime explodedTime;
+ PR_ExplodeTime(notBefore, PR_GMTParameters, &explodedTime);
+ char datebuf[20]; // 4 + 2 + 2 + 2 + 2 + 2 + 1 = 15
+ if (0 != PR_FormatTime(datebuf, sizeof(datebuf), "%Y%m%d%H%M%S",
+ &explodedTime)) {
+ str = NS_ConvertASCIItoUTF16(nsDependentCString(datebuf));
+ }
+ }
+ } break;
+ case sort_Email:
+ cert->GetEmailAddress(str);
+ break;
+ case sort_None:
+ default:
+ break;
+ }
+}
+
+int32_t nsCertTree::CmpByCrit(nsIX509Cert* a, CompareCacheHashEntry* ace,
+ nsIX509Cert* b, CompareCacheHashEntry* bce,
+ sortCriterion crit, int32_t level) {
+ NS_ENSURE_TRUE(a && ace && b && bce, 0);
+
+ if (!ace->mCritInit[level]) {
+ CmpInitCriterion(a, ace, crit, level);
+ }
+
+ if (!bce->mCritInit[level]) {
+ CmpInitCriterion(b, bce, crit, level);
+ }
+
+ nsString& str_a = ace->mCrit[level];
+ nsString& str_b = bce->mCrit[level];
+
+ int32_t result;
+ if (!str_a.IsVoid() && !str_b.IsVoid())
+ result = Compare(str_a, str_b, nsCaseInsensitiveStringComparator);
+ else
+ result = str_a.IsVoid() ? (str_b.IsVoid() ? 0 : -1) : 1;
+
+ if (sort_IssuedDateDescending == crit) result *= -1; // reverse compare order
+
+ return result;
+}
+
+int32_t nsCertTree::CmpBy(void* cache, nsIX509Cert* a, nsIX509Cert* b,
+ sortCriterion c0, sortCriterion c1,
+ sortCriterion c2) {
+ // This will be called when comparing items for display sorting.
+ // Some items might have no cert associated, so either a or b is null.
+ // We want all those orphans show at the top of the list,
+ // so we treat a null cert as "smaller" by returning -1.
+ // We don't try to sort within the group of no-cert entries,
+ // so we treat them as equal wrt sort order.
+
+ if (!a && !b) return 0;
+
+ if (!a) return -1;
+
+ if (!b) return 1;
+
+ NS_ENSURE_TRUE(cache && a && b, 0);
+
+ CompareCacheHashEntry* ace = getCacheEntry(cache, a);
+ CompareCacheHashEntry* bce = getCacheEntry(cache, b);
+
+ int32_t cmp;
+ cmp = CmpByCrit(a, ace, b, bce, c0, 0);
+ if (cmp != 0) return cmp;
+
+ if (c1 != sort_None) {
+ cmp = CmpByCrit(a, ace, b, bce, c1, 1);
+ if (cmp != 0) return cmp;
+
+ if (c2 != sort_None) {
+ return CmpByCrit(a, ace, b, bce, c2, 2);
+ }
+ }
+
+ return cmp;
+}
+
+int32_t nsCertTree::CmpCACert(void* cache, nsIX509Cert* a, nsIX509Cert* b) {
+ // XXX we assume issuer org is always criterion 1
+ return CmpBy(cache, a, b, sort_IssuerOrg, sort_Org, sort_Token);
+}
+
+int32_t nsCertTree::CmpUserCert(void* cache, nsIX509Cert* a, nsIX509Cert* b) {
+ // XXX we assume issuer org is always criterion 1
+ return CmpBy(cache, a, b, sort_IssuerOrg, sort_Token,
+ sort_IssuedDateDescending);
+}
+
+int32_t nsCertTree::CmpEmailCert(void* cache, nsIX509Cert* a, nsIX509Cert* b) {
+ // XXX we assume issuer org is always criterion 1
+ return CmpBy(cache, a, b, sort_IssuerOrg, sort_Email, sort_CommonName);
+}
diff --git a/security/manager/ssl/nsCertTree.h b/security/manager/ssl/nsCertTree.h
new file mode 100644
index 0000000000..d7fd86216c
--- /dev/null
+++ b/security/manager/ssl/nsCertTree.h
@@ -0,0 +1,131 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _NS_CERTTREE_H_
+#define _NS_CERTTREE_H_
+
+#include "nsCOMPtr.h"
+#include "nsICertTree.h"
+#include "nsITreeSelection.h"
+#include "nsIMutableArray.h"
+#include "nsNSSComponent.h"
+#include "nsTArray.h"
+#include "PLDHashTable.h"
+#include "mozilla/Attributes.h"
+
+/* Disable the "base class XXX should be explicitly initialized
+ in the copy constructor" warning. */
+#if defined(__clang__)
+# pragma clang diagnostic push
+# pragma clang diagnostic ignored "-Wextra"
+#elif defined(__GNUC__)
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wextra"
+#endif // __clang__ || __GNUC__
+
+#include "mozilla/dom/XULTreeElement.h"
+
+#if defined(__clang__)
+# pragma clang diagnostic pop
+#elif defined(__GNUC__)
+# pragma GCC diagnostic pop
+#endif // __clang__ || __GNUC__
+
+typedef struct treeArrayElStr treeArrayEl;
+
+struct CompareCacheHashEntry {
+ enum { max_criterions = 3 };
+ CompareCacheHashEntry();
+
+ void* key; // no ownership
+ bool mCritInit[max_criterions];
+ nsString mCrit[max_criterions];
+};
+
+struct CompareCacheHashEntryPtr : PLDHashEntryHdr {
+ CompareCacheHashEntryPtr();
+ ~CompareCacheHashEntryPtr();
+ CompareCacheHashEntry* entry;
+};
+
+class nsCertTreeDispInfo : public nsICertTreeItem {
+ protected:
+ virtual ~nsCertTreeDispInfo();
+
+ public:
+ explicit nsCertTreeDispInfo(nsIX509Cert* aCert) : mCert(aCert) {}
+
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSICERTTREEITEM
+
+ nsCOMPtr<nsIX509Cert> mCert;
+};
+
+class nsCertTree : public nsICertTree {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSICERTTREE
+ NS_DECL_NSITREEVIEW
+
+ nsCertTree();
+
+ enum sortCriterion {
+ sort_IssuerOrg,
+ sort_Org,
+ sort_Token,
+ sort_CommonName,
+ sort_IssuedDateDescending,
+ sort_Email,
+ sort_None
+ };
+
+ protected:
+ virtual ~nsCertTree();
+
+ void ClearCompareHash();
+ void RemoveCacheEntry(void* key);
+
+ typedef int (*nsCertCompareFunc)(void*, nsIX509Cert* a, nsIX509Cert* b);
+
+ static CompareCacheHashEntry* getCacheEntry(void* cache, void* aCert);
+ static void CmpInitCriterion(nsIX509Cert* cert, CompareCacheHashEntry* entry,
+ sortCriterion crit, int32_t level);
+ static int32_t CmpByCrit(nsIX509Cert* a, CompareCacheHashEntry* ace,
+ nsIX509Cert* b, CompareCacheHashEntry* bce,
+ sortCriterion crit, int32_t level);
+ static int32_t CmpBy(void* cache, nsIX509Cert* a, nsIX509Cert* b,
+ sortCriterion c0, sortCriterion c1, sortCriterion c2);
+ static int32_t CmpCACert(void* cache, nsIX509Cert* a, nsIX509Cert* b);
+ static int32_t CmpUserCert(void* cache, nsIX509Cert* a, nsIX509Cert* b);
+ static int32_t CmpEmailCert(void* cache, nsIX509Cert* a, nsIX509Cert* b);
+ nsCertCompareFunc GetCompareFuncFromCertType(uint32_t aType);
+ int32_t CountOrganizations();
+
+ private:
+ static const uint32_t kInitialCacheLength = 64;
+
+ nsTArray<RefPtr<nsCertTreeDispInfo>> mDispInfo;
+ RefPtr<mozilla::dom::XULTreeElement> mTree;
+ nsCOMPtr<nsITreeSelection> mSelection;
+ treeArrayEl* mTreeArray;
+ int32_t mNumOrgs;
+ int32_t mNumRows;
+ PLDHashTable mCompareCache;
+
+ treeArrayEl* GetThreadDescAtIndex(int32_t _index);
+ already_AddRefed<nsIX509Cert> GetCertAtIndex(
+ int32_t _index, int32_t* outAbsoluteCertOffset = nullptr);
+ already_AddRefed<nsCertTreeDispInfo> GetDispInfoAtIndex(
+ int32_t index, int32_t* outAbsoluteCertOffset = nullptr);
+ void FreeCertArray();
+ nsresult UpdateUIContents();
+
+ nsresult GetCertsByTypeFromCertList(
+ const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType,
+ nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg);
+
+ nsCOMPtr<nsIMutableArray> mCellText;
+};
+
+#endif /* _NS_CERTTREE_H_ */
diff --git a/security/manager/ssl/nsClientAuthRemember.cpp b/security/manager/ssl/nsClientAuthRemember.cpp
new file mode 100644
index 0000000000..91fd774c91
--- /dev/null
+++ b/security/manager/ssl/nsClientAuthRemember.cpp
@@ -0,0 +1,435 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsClientAuthRemember.h"
+
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/RefPtr.h"
+#include "nsCRT.h"
+#include "nsINSSComponent.h"
+#include "nsPrintfCString.h"
+#include "nsNSSComponent.h"
+#include "nsIDataStorage.h"
+#include "nsIObserverService.h"
+#include "nsNetUtil.h"
+#include "nsPromiseFlatString.h"
+#include "nsThreadUtils.h"
+#include "nsStringBuffer.h"
+#include "cert.h"
+#include "nspr.h"
+#include "pk11pub.h"
+#include "certdb.h"
+#include "sechash.h"
+#include "SharedSSLState.h"
+
+#include "nsJSUtils.h"
+
+#ifdef XP_MACOSX
+# include <CoreFoundation/CoreFoundation.h>
+# include <Security/Security.h>
+# include "KeychainSecret.h" // for ScopedCFType
+#endif // XP_MACOSX
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+NS_IMPL_ISUPPORTS(nsClientAuthRememberService, nsIClientAuthRememberService)
+NS_IMPL_ISUPPORTS(nsClientAuthRemember, nsIClientAuthRememberRecord)
+
+const nsCString nsClientAuthRemember::SentinelValue =
+ "no client certificate"_ns;
+
+NS_IMETHODIMP
+nsClientAuthRemember::GetAsciiHost(/*out*/ nsACString& aAsciiHost) {
+ aAsciiHost = mAsciiHost;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsClientAuthRemember::GetDbKey(/*out*/ nsACString& aDBKey) {
+ aDBKey = mDBKey;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsClientAuthRemember::GetEntryKey(/*out*/ nsACString& aEntryKey) {
+ aEntryKey.Assign(mAsciiHost);
+ aEntryKey.Append(',');
+ // This used to include the SHA-256 hash of the server certificate.
+ aEntryKey.Append(',');
+ aEntryKey.Append(mOriginAttributesSuffix);
+ return NS_OK;
+}
+
+nsresult nsClientAuthRememberService::Init() {
+ if (!NS_IsMainThread()) {
+ NS_ERROR("nsClientAuthRememberService::Init called off the main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ nsCOMPtr<nsIDataStorageManager> dataStorageManager(
+ do_GetService("@mozilla.org/security/datastoragemanager;1"));
+ if (!dataStorageManager) {
+ return NS_ERROR_FAILURE;
+ }
+ nsresult rv =
+ dataStorageManager->Get(nsIDataStorageManager::ClientAuthRememberList,
+ getter_AddRefs(mClientAuthRememberList));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!mClientAuthRememberList) {
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::ForgetRememberedDecision(const nsACString& key) {
+ nsresult rv = mClientAuthRememberList->Remove(
+ PromiseFlatCString(key), nsIDataStorage::DataType::Persistent);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID));
+ if (!nssComponent) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ return nssComponent->ClearSSLExternalAndInternalSessionCache();
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::GetDecisions(
+ nsTArray<RefPtr<nsIClientAuthRememberRecord>>& results) {
+ nsTArray<RefPtr<nsIDataStorageItem>> decisions;
+ nsresult rv = mClientAuthRememberList->GetAll(decisions);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ for (const auto& decision : decisions) {
+ nsIDataStorage::DataType type;
+ rv = decision->GetType(&type);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (type == nsIDataStorage::DataType::Persistent) {
+ nsAutoCString key;
+ rv = decision->GetKey(key);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsAutoCString value;
+ rv = decision->GetValue(value);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ RefPtr<nsIClientAuthRememberRecord> tmp =
+ new nsClientAuthRemember(key, value);
+
+ results.AppendElement(tmp);
+ }
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::ClearRememberedDecisions() {
+ nsresult rv = mClientAuthRememberList->Clear();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID));
+ if (!nssComponent) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ return nssComponent->ClearSSLExternalAndInternalSessionCache();
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::DeleteDecisionsByHost(
+ const nsACString& aHostName, JS::Handle<JS::Value> aOriginAttributes,
+ JSContext* aCx) {
+ OriginAttributes attrs;
+ if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ nsIDataStorage::DataType storageType = GetDataStorageType(attrs);
+
+ nsTArray<RefPtr<nsIDataStorageItem>> decisions;
+ nsresult rv = mClientAuthRememberList->GetAll(decisions);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ for (const auto& decision : decisions) {
+ nsIDataStorage::DataType type;
+ nsresult rv = decision->GetType(&type);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (type == storageType) {
+ nsAutoCString key;
+ rv = decision->GetKey(key);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsAutoCString value;
+ rv = decision->GetValue(value);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ RefPtr<nsIClientAuthRememberRecord> tmp =
+ new nsClientAuthRemember(key, value);
+ nsAutoCString asciiHost;
+ tmp->GetAsciiHost(asciiHost);
+ if (asciiHost.Equals(aHostName)) {
+ rv = mClientAuthRememberList->Remove(key, type);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+ }
+ }
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID));
+ if (!nssComponent) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ return nssComponent->ClearSSLExternalAndInternalSessionCache();
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::RememberDecisionScriptable(
+ const nsACString& aHostName, JS::Handle<JS::Value> aOriginAttributes,
+ nsIX509Cert* aClientCert, JSContext* aCx) {
+ OriginAttributes attrs;
+ if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ return RememberDecision(aHostName, attrs, aClientCert);
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::RememberDecision(
+ const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
+ nsIX509Cert* aClientCert) {
+ if (aHostName.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ // aClientCert == nullptr means: remember that user does not want to use a
+ // cert
+ if (aClientCert) {
+ nsAutoCString dbkey;
+ nsresult rv = aClientCert->GetDbKey(dbkey);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return AddEntryToList(aHostName, aOriginAttributes, dbkey);
+ }
+ return AddEntryToList(aHostName, aOriginAttributes,
+ nsClientAuthRemember::SentinelValue);
+}
+
+#ifdef XP_MACOSX
+// On macOS, users can add "identity preference" items in the keychain. These
+// can be added via the Keychain Access tool. These specify mappings from
+// URLs/wildcards like "*.mozilla.org" to specific client certificates. This
+// function retrieves the preferred client certificate for a hostname by
+// querying a system API that checks for these identity preferences.
+nsresult CheckForPreferredCertificate(const nsACString& aHostName,
+ nsACString& aCertDBKey) {
+ aCertDBKey.Truncate();
+ // SecIdentityCopyPreferred seems to expect a proper URI which it can use
+ // for prefix and wildcard matches.
+ // We don't have the full URL but we can turn the hostname into a URI with
+ // an authority section, so that it matches against macOS identity preferences
+ // like `*.foo.com`. If we know that this connection is always going to be
+ // https, then we should put that in the URI as well, so that it matches
+ // identity preferences like `https://foo.com/` as well. If we can plumb
+ // the path or the full URL into this function we could also match identity
+ // preferences like `https://foo.com/bar/` but for now we cannot.
+ nsPrintfCString fakeUrl("//%s/", PromiseFlatCString(aHostName).get());
+ ScopedCFType<CFStringRef> host(::CFStringCreateWithCString(
+ kCFAllocatorDefault, fakeUrl.get(), kCFStringEncodingUTF8));
+ if (!host) {
+ return NS_ERROR_UNEXPECTED;
+ }
+ ScopedCFType<SecIdentityRef> identity(
+ ::SecIdentityCopyPreferred(host.get(), NULL, NULL));
+ if (!identity) {
+ // No preferred identity for this hostname, leave aCertDBKey empty and
+ // return
+ return NS_OK;
+ }
+ SecCertificateRef certRefRaw = NULL;
+ OSStatus copyResult =
+ ::SecIdentityCopyCertificate(identity.get(), &certRefRaw);
+ ScopedCFType<SecCertificateRef> certRef(certRefRaw);
+ if (copyResult != errSecSuccess || certRef.get() == NULL) {
+ return NS_ERROR_UNEXPECTED;
+ }
+ ScopedCFType<CFDataRef> der(::SecCertificateCopyData(certRef.get()));
+ if (!der) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsTArray<uint8_t> derArray(::CFDataGetBytePtr(der.get()),
+ ::CFDataGetLength(der.get()));
+ nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(derArray)));
+ return cert->GetDbKey(aCertDBKey);
+}
+#endif
+
+void nsClientAuthRememberService::Migrate() {
+ auto migrated = mMigrated.Lock();
+ if (*migrated) {
+ return;
+ }
+ *migrated = true;
+
+ nsTArray<RefPtr<nsIDataStorageItem>> decisions;
+ nsresult rv = mClientAuthRememberList->GetAll(decisions);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ for (const auto& decision : decisions) {
+ nsIDataStorage::DataType type;
+ if (NS_FAILED(decision->GetType(&type))) {
+ continue;
+ }
+ if (type != nsIDataStorage::DataType::Persistent) {
+ continue;
+ }
+ nsAutoCString key;
+ if (NS_FAILED(decision->GetKey(key))) {
+ continue;
+ }
+ nsAutoCString value;
+ if (NS_FAILED(decision->GetValue(value))) {
+ continue;
+ }
+ RefPtr<nsClientAuthRemember> entry(new nsClientAuthRemember(key, value));
+ nsAutoCString newKey;
+ if (NS_FAILED(entry->GetEntryKey(newKey))) {
+ continue;
+ }
+ if (newKey != key) {
+ if (NS_FAILED(mClientAuthRememberList->Remove(
+ key, nsIDataStorage::DataType::Persistent))) {
+ continue;
+ }
+ if (NS_FAILED(mClientAuthRememberList->Put(
+ newKey, value, nsIDataStorage::DataType::Persistent))) {
+ continue;
+ }
+ }
+ }
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::HasRememberedDecision(
+ const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
+ nsACString& aCertDBKey, bool* aRetVal) {
+ NS_ENSURE_ARG_POINTER(aRetVal);
+ if (aHostName.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ *aRetVal = false;
+ aCertDBKey.Truncate();
+
+ Migrate();
+
+ nsAutoCString entryKey;
+ RefPtr<nsClientAuthRemember> entry(
+ new nsClientAuthRemember(aHostName, aOriginAttributes));
+ nsresult rv = entry->GetEntryKey(entryKey);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsIDataStorage::DataType storageType = GetDataStorageType(aOriginAttributes);
+
+ nsAutoCString listEntry;
+ rv = mClientAuthRememberList->Get(entryKey, storageType, listEntry);
+ if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) {
+ return rv;
+ }
+ if (NS_SUCCEEDED(rv) && !listEntry.IsEmpty()) {
+ if (!listEntry.Equals(nsClientAuthRemember::SentinelValue)) {
+ aCertDBKey = listEntry;
+ }
+ *aRetVal = true;
+ return NS_OK;
+ }
+
+#ifdef XP_MACOSX
+ rv = CheckForPreferredCertificate(aHostName, aCertDBKey);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!aCertDBKey.IsEmpty()) {
+ *aRetVal = true;
+ return NS_OK;
+ }
+#endif
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsClientAuthRememberService::HasRememberedDecisionScriptable(
+ const nsACString& aHostName, JS::Handle<JS::Value> aOriginAttributes,
+ nsACString& aCertDBKey, JSContext* aCx, bool* aRetVal) {
+ OriginAttributes attrs;
+ if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ return HasRememberedDecision(aHostName, attrs, aCertDBKey, aRetVal);
+}
+
+nsresult nsClientAuthRememberService::AddEntryToList(
+ const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
+ const nsACString& aDBKey) {
+ nsAutoCString entryKey;
+ RefPtr<nsClientAuthRemember> entry(
+ new nsClientAuthRemember(aHostName, aOriginAttributes));
+ nsresult rv = entry->GetEntryKey(entryKey);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsIDataStorage::DataType storageType = GetDataStorageType(aOriginAttributes);
+
+ nsCString tmpDbKey(aDBKey);
+ rv = mClientAuthRememberList->Put(entryKey, tmpDbKey, storageType);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return NS_OK;
+}
+
+bool nsClientAuthRememberService::IsPrivateBrowsingKey(
+ const nsCString& entryKey) {
+ const int32_t separator = entryKey.Find(":");
+ nsCString suffix;
+ if (separator >= 0) {
+ entryKey.Left(suffix, separator);
+ } else {
+ suffix = entryKey;
+ }
+ return OriginAttributes::IsPrivateBrowsing(suffix);
+}
+
+nsIDataStorage::DataType nsClientAuthRememberService::GetDataStorageType(
+ const OriginAttributes& aOriginAttributes) {
+ if (aOriginAttributes.mPrivateBrowsingId > 0) {
+ return nsIDataStorage::DataType::Private;
+ }
+ return nsIDataStorage::DataType::Persistent;
+}
diff --git a/security/manager/ssl/nsClientAuthRemember.h b/security/manager/ssl/nsClientAuthRemember.h
new file mode 100644
index 0000000000..ec9101739a
--- /dev/null
+++ b/security/manager/ssl/nsClientAuthRemember.h
@@ -0,0 +1,101 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __NSCLIENTAUTHREMEMBER_H__
+#define __NSCLIENTAUTHREMEMBER_H__
+
+#include <utility>
+
+#include "mozilla/Attributes.h"
+#include "mozilla/DataMutex.h"
+#include "mozilla/HashFunctions.h"
+#include "mozilla/ReentrantMonitor.h"
+#include "nsIClientAuthRememberService.h"
+#include "nsIDataStorage.h"
+#include "nsIObserver.h"
+#include "nsNSSCertificate.h"
+#include "nsString.h"
+#include "nsTHashtable.h"
+#include "nsWeakReference.h"
+
+namespace mozilla {
+class OriginAttributes;
+}
+
+using mozilla::OriginAttributes;
+
+class nsClientAuthRemember final : public nsIClientAuthRememberRecord {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSICLIENTAUTHREMEMBERRECORD
+
+ nsClientAuthRemember(const nsACString& aHostName,
+ const OriginAttributes& aOriginAttributes) {
+ mAsciiHost.Assign(aHostName);
+ aOriginAttributes.CreateSuffix(mOriginAttributesSuffix);
+ }
+
+ nsClientAuthRemember(const nsCString& aEntryKey, const nsCString& aDBKey) {
+ if (!aDBKey.Equals(nsClientAuthRemember::SentinelValue)) {
+ mDBKey = aDBKey;
+ }
+
+ size_t field_index = 0;
+ for (const auto& field : aEntryKey.Split(',')) {
+ switch (field_index) {
+ case 0:
+ mAsciiHost.Assign(field);
+ break;
+ case 1:
+ break;
+ case 2:
+ mOriginAttributesSuffix.Assign(field);
+ break;
+ default:
+ break;
+ }
+ field_index++;
+ }
+ }
+
+ nsCString mAsciiHost;
+ nsCString mOriginAttributesSuffix;
+ nsCString mDBKey;
+ static const nsCString SentinelValue;
+
+ protected:
+ ~nsClientAuthRemember() = default;
+};
+
+class nsClientAuthRememberService final : public nsIClientAuthRememberService {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSICLIENTAUTHREMEMBERSERVICE
+
+ nsClientAuthRememberService()
+ : mMigrated(false, "nsClientAuthRememberService::mMigrated") {}
+
+ nsresult Init();
+
+ static bool IsPrivateBrowsingKey(const nsCString& entryKey);
+
+ protected:
+ ~nsClientAuthRememberService() = default;
+
+ static nsIDataStorage::DataType GetDataStorageType(
+ const OriginAttributes& aOriginAttributes);
+
+ nsCOMPtr<nsIDataStorage> mClientAuthRememberList;
+
+ nsresult AddEntryToList(const nsACString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ const nsACString& aDBKey);
+
+ mozilla::DataMutex<bool> mMigrated;
+ void Migrate();
+};
+
+#endif
diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl
new file mode 100644
index 0000000000..6dfd07d6b6
--- /dev/null
+++ b/security/manager/ssl/nsICertOverrideService.idl
@@ -0,0 +1,143 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509Cert;
+
+[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes);
+
+%{C++
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
+
+namespace mozilla {
+class OriginAttributes;
+}
+%}
+
+[scriptable, builtinclass, uuid(ed735e24-fa55-4163-906d-17fb78851fe1)]
+interface nsICertOverride : nsISupports {
+
+ /**
+ * The hostname of the server the override is used for.
+ */
+ readonly attribute ACString asciiHost;
+
+ /**
+ * The port of the server the override is used for.
+ */
+ readonly attribute int32_t port;
+
+ /**
+ * A combination of hostname and port in the form host:port.
+ * Since the port can be -1 which is equivalent to port 433 we use an
+ * existing function of nsCertOverrideService to create this property.
+ */
+ readonly attribute ACString hostPort;
+
+ /**
+ * The fingerprint for the associated certificate.
+ */
+ readonly attribute ACString fingerprint;
+
+ /**
+ * The origin attributes associated with this override.
+ */
+ [implicit_jscontext]
+ readonly attribute jsval originAttributes;
+};
+
+[scriptable, builtinclass, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)]
+interface nsICertOverrideService : nsISupports {
+ /**
+ * When making a TLS connection to the given hostname and port (in the
+ * context of the given origin attributes), if the certificate verifier
+ * encounters an overridable error when verifying the given certificate, the
+ * connection will continue (provided overrides are allowed for that host).
+ *
+ * @param aHostName The host (punycode) this mapping belongs to
+ * @param aPort The port this mapping belongs to. If it is -1 then it
+ * is internaly treated as 443.
+ * @param aOriginAttributes the origin attributes of the mapping
+ * @param aCert The certificate used by the server
+ * @param aTemporary Whether or not to only store the mapping for the session
+ */
+ [binaryname(RememberValidityOverride), noscript, must_use]
+ void rememberValidityOverrideNative(in AUTF8String aHostName,
+ in int32_t aPort,
+ in const_OriginAttributesRef aOriginAttributes,
+ in nsIX509Cert aCert,
+ in boolean aTemporary);
+ [binaryname(RememberValidityOverrideScriptable), implicit_jscontext, must_use]
+ void rememberValidityOverride(in AUTF8String aHostName,
+ in int32_t aPort,
+ in jsval aOriginAttributes,
+ in nsIX509Cert aCert,
+ in boolean aTemporary);
+
+ /**
+ * Return whether this host, port, cert triple has a stored override.
+ * If so, the outparams will contain the specific errors that were
+ * overridden, and whether the override is permanent, or only for the current
+ * session.
+ *
+ * @param aHostName The host (punycode) this mapping belongs to
+ * @param aPort The port this mapping belongs to, if it is -1 then it
+ * is internally treated as 443
+ * @param aCert The certificate this mapping belongs to
+ * @param aIsTemporary Whether the stored override is session-only,
+ * or permanent
+ * @return Whether an override has been stored for this host+port+cert
+ */
+ [binaryname(HasMatchingOverride), noscript, must_use]
+ boolean hasMatchingOverrideNative(in AUTF8String aHostName,
+ in int32_t aPort,
+ in const_OriginAttributesRef aOriginAttributes,
+ in nsIX509Cert aCert,
+ out boolean aIsTemporary);
+ [binaryname(HasMatchingOverrideScriptable), implicit_jscontext, must_use]
+ boolean hasMatchingOverride(in AUTF8String aHostName,
+ in int32_t aPort,
+ in jsval aOriginAttributes,
+ in nsIX509Cert aCert,
+ out boolean aIsTemporary);
+
+ /**
+ * Remove a override for the given hostname:port.
+ *
+ * @param aHostName The host (punycode) whose entry should be cleared.
+ * @param aPort The port whose entry should be cleared.
+ * If it is -1, then it is internaly treated as 443.
+ * If it is 0 and aHostName is "all:temporary-certificates",
+ * then all temporary certificates should be cleared.
+ */
+ [binaryname(ClearValidityOverride), noscript]
+ void clearValidityOverrideNative(in AUTF8String aHostName,
+ in int32_t aPort,
+ in const_OriginAttributesRef aOriginAttributes);
+ [binaryname(ClearValidityOverrideScriptable), implicit_jscontext]
+ void clearValidityOverride(in AUTF8String aHostName,
+ in int32_t aPort,
+ in jsval aOriginAttributes);
+
+ /**
+ * Remove all overrides.
+ */
+ void clearAllOverrides();
+
+ Array<nsICertOverride> getOverrides();
+
+ /**
+ * NOTE: This function is used only for testing!
+ *
+ * @param aDisable If true, disable all security check and make
+ * hasMatchingOverride always return true.
+ */
+ void setDisableAllSecurityChecksAndLetAttackersInterceptMyData(in boolean aDisable);
+
+ readonly attribute boolean securityCheckDisabled;
+};
diff --git a/security/manager/ssl/nsICertStorage.idl b/security/manager/ssl/nsICertStorage.idl
new file mode 100644
index 0000000000..3379aaafe7
--- /dev/null
+++ b/security/manager/ssl/nsICertStorage.idl
@@ -0,0 +1,265 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsIVariant.idl"
+
+%{C++
+#define NS_CERTSTORAGE_CONTRACTID "@mozilla.org/security/certstorage;1"
+%}
+
+/**
+ * Callback type used to notify callers that an operation performed by
+ * nsICertStorage has completed. Indicates the result of the requested
+ * operation, as well as any data returned by the operation.
+ */
+[scriptable, function, uuid(3f8fe26a-a436-4ad4-9c1c-a53c60973c31)]
+interface nsICertStorageCallback : nsISupports {
+ [must_use]
+ void done(in nsresult rv, in nsIVariant result);
+};
+
+/**
+ * A base interface for representing the revocation state of a certificate.
+ * Implementing this interface by itself is insufficient; your type must
+ * implement an inheriting interface that specifies the certificate by issuer
+ * and serial number or by subject and public key hash.
+ * Set state to nsICertStorage.STATE_UNSET to mark the certificate as not revoked.
+ * Set state to nsICertStorage.STATE_ENFORCE to mark the certificate as revoked.
+ */
+[scriptable, uuid(96db6fd7-6b64-4a5a-955d-310bd9ca4234)]
+interface nsIRevocationState : nsISupports {
+ readonly attribute short state;
+};
+
+/**
+ * An interface representing the revocation state of a certificate by issuer
+ * and serial number. Both issuer name and serial number are base64-encoded.
+ */
+[scriptable, uuid(23ce3546-f1b9-46f6-8de3-77704da5702f)]
+interface nsIIssuerAndSerialRevocationState : nsIRevocationState {
+ readonly attribute ACString issuer;
+ readonly attribute ACString serial;
+};
+
+/**
+ * An interface representing the revocation state of a certificate by subject
+ * and pub key hash (the hash algorithm should be SHA-256). Both subject name
+ * and public key hash are base64-encoded.
+ */
+[scriptable, uuid(e78b51b4-6fa4-41e2-92ce-e9404f541e96)]
+interface nsISubjectAndPubKeyRevocationState : nsIRevocationState {
+ readonly attribute ACString subject;
+ readonly attribute ACString pubKey;
+};
+
+/**
+ * An interface representing a set of certificates that are covered by a CRLite
+ * filter. The set is represented by a certificate transparency log ID and a
+ * pair of timestamps. The timestamps are such that the CRLite aggregator has
+ * seen every certificate from the specified log with an SCT between the two
+ * timestamps.
+ * b64LogID is a base 64-encoded RFC 6962 LogID.
+ * minTimestamp is the smallest timestamp that the CRLite filter covers.
+ * maxTimestamp is the largest timestamp that the CRLite filter covers.
+ */
+[scriptable, uuid(416453f7-29bd-4820-a039-9c2e055d3715)]
+interface nsICRLiteCoverage : nsISupports {
+ readonly attribute ACString b64LogID;
+ readonly attribute unsigned long long minTimestamp;
+ readonly attribute unsigned long long maxTimestamp;
+};
+
+/**
+ * An interface representing the id and timestamp fields from an RFC 6962
+ * SignedCertificateTimestamp struct.
+ * logID is the id field.
+ * timestamp is the timestamp field.
+ */
+[uuid(9676cfc4-6e84-11ec-a30d-d3cd0af86e01)]
+interface nsICRLiteTimestamp: nsISupports {
+ readonly attribute Array<octet> logID;
+ readonly attribute unsigned long long timestamp;
+};
+
+/**
+ * An interface representing a certificate to add to storage. Consists of the
+ * base64-encoded DER bytes of the certificate (cert), the base64-encoded DER
+ * bytes of the subject distinguished name of the certificate (subject), and the
+ * trust of the certificate (one of the nsICertStorage.TRUST_* constants).
+ * (Note that this implementation does not validate that the given subject DN
+ * actually matches the subject DN of the certificate, nor that the given cert
+ * is a valid DER X.509 certificate.)
+ */
+[scriptable, uuid(27b66f5e-0faf-403b-95b4-bc11691ac50d)]
+interface nsICertInfo : nsISupports {
+ readonly attribute ACString cert;
+ readonly attribute ACString subject;
+ readonly attribute short trust;
+};
+
+[scriptable, uuid(327100a7-3401-45ef-b160-bf880f1016fd)]
+interface nsICertStorage : nsISupports {
+ const octet DATA_TYPE_REVOCATION = 1;
+ const octet DATA_TYPE_CERTIFICATE = 2;
+ const octet DATA_TYPE_CRLITE = 3;
+ const octet DATA_TYPE_CRLITE_FILTER_FULL = 4;
+ const octet DATA_TYPE_CRLITE_FILTER_INCREMENTAL = 5;
+
+ /**
+ * Asynchronously check if the backing storage has stored data of the given
+ * type in the past. This is useful if the backing storage may have had to
+ * have been deleted and recreated (as in bug 1546361 when we discovered that
+ * moving from a 32-bit binary to a 64-bit binary caused the DB to become
+ * unreadable, thus necessitating its deletion and recreation).
+ */
+ [must_use]
+ void hasPriorData(in octet type, in nsICertStorageCallback callback);
+
+ const short STATE_UNSET = 0;
+ const short STATE_ENFORCE = 1;
+ const short STATE_NOT_ENROLLED = 2;
+ const short STATE_NOT_COVERED = 3;
+ const short STATE_NO_FILTER = 4;
+
+ /**
+ * Asynchronously set the revocation states of a set of certificates.
+ * The given callback is called with the result of the operation when it
+ * completes.
+ * Must only be called from the main thread.
+ */
+ [must_use]
+ void setRevocations(in Array<nsIRevocationState> revocations,
+ in nsICertStorageCallback callback);
+
+ /**
+ * Get the revocation state of a certificate. STATE_UNSET indicates the
+ * certificate is not revoked. STATE_ENFORCE indicates the certificate is
+ * revoked.
+ * issuer - issuer name, DER encoded
+ * serial - serial number, DER encoded
+ * subject - subject name, DER encoded
+ * pubkey - public key, DER encoded
+ * In gecko, must not be called from the main thread. See bug 1541212.
+ * xpcshell tests may call this from the main thread.
+ */
+ [must_use]
+ short getRevocationState(in Array<octet> issuer,
+ in Array<octet> serial,
+ in Array<octet> subject,
+ in Array<octet> pubkey);
+
+ /**
+ * Given the contents of a new CRLite filter, a list containing
+ * `base64(sha256(subject DN || subject SPKI))` for each enrolled issuer, and
+ * the filter's timestamp coverage, replaces any existing filter with the new
+ * one. Also clears any previously-set incremental revocation updates
+ * ("stashes").
+ */
+ [must_use]
+ void setFullCRLiteFilter(in Array<octet> filter,
+ in Array<ACString> enrolledIssuers,
+ in Array<nsICRLiteCoverage> coverage,
+ in nsICertStorageCallback callback);
+
+ /**
+ * Given the DER-encoded issuer distinguished name, DER-encoded issuer subject public key info,
+ * the bytes of the value of the serial number (so, not including the DER tag and length) of a
+ * certificate, and the timestamps from that certificate's embedded SCTs, returns the result of
+ * looking up the corresponding entry in the currently-saved CRLite filter (if any).
+ * Returns
+ * - STATE_ENFORCE if the lookup indicates the certificate is revoked via CRLite,
+ * - STATE_UNSET if the lookup indicates the certificate is not revoked via CRLite,
+ * - STATE_NOT_ENROLLED if the issuer is not enrolled in CRLite, or
+ * - STATE_NOT_COVERED if the issuer is enrolled but the provided timestamps indicate
+ * that the serial number is not covered by the current CRLite filter.
+ * - STATE_NO_FILTER if there is no (usable) CRLite filter.
+ * No lookup is performed in the STATE_NOT_ENROLLED and STATE_NOT_COVERED cases.
+ */
+ [must_use]
+ short getCRLiteRevocationState(in Array<octet> issuer,
+ in Array<octet> issuerSPKI,
+ in Array<octet> serialNumber,
+ in Array<nsICRLiteTimestamp> timestamps);
+
+ /**
+ * Given the contents of a CRLite incremental revocation update ("stash"), adds the revocation
+ * information to the current set of stashed revocations. The basic unit of the stash file is an
+ * issuer subject public key info hash (sha-256) followed by a number of serial numbers
+ * corresponding to revoked certificates issued by that issuer. More specifically, each unit
+ * consists of:
+ * 4 bytes little-endian: the number of serial numbers following the issuer spki hash
+ * 1 byte: the length of the issuer spki hash
+ * issuer spki hash length bytes: the issuer spki hash
+ * as many times as the indicated serial numbers:
+ * 1 byte: the length of the serial number
+ * serial number length bytes: the serial number
+ * The stash file consists of any number of these units concatenated together.
+ */
+ [must_use]
+ void addCRLiteStash(in Array<octet> stash, in nsICertStorageCallback callback);
+
+ /**
+ * Given a DER-encoded issuer subject public key info and the bytes of the value of the serial
+ * number (so, not including the DER tag and length), determines if the certificate identified by
+ * this issuer SPKI and serial number is revoked according to the current set of stashed CRLite
+ * revocation information.
+ */
+ [must_use]
+ bool isCertRevokedByStash(in Array<octet> issuerSPKI, in Array<octet> serialNumber);
+
+ /**
+ * Trust flags to use when adding a adding a certificate.
+ * TRUST_INHERIT indicates a certificate inherits trust from another
+ * certificate.
+ * TRUST_ANCHOR indicates the certificate is a root of trust.
+ */
+ const short TRUST_INHERIT = 0;
+ const short TRUST_ANCHOR = 1;
+
+ /**
+ * Asynchronously add a list of certificates to the backing storage.
+ * See the documentation for nsICertInfo.
+ * The given callback is called with the result of the operation when it
+ * completes.
+ * Must only be called from the main thread.
+ */
+ [must_use]
+ void addCerts(in Array<nsICertInfo> certs, in nsICertStorageCallback callback);
+
+ /**
+ * Asynchronously remove the certificates with the given sha-256 hashes from
+ * the backing storage.
+ * hashes is an array of base64-encoded bytes of the sha-256 hashes of each
+ * certificate's bytes (DER-encoded).
+ * The given callback is called with the result of the operation when it
+ * completes.
+ * Must only be called from the main thread.
+ */
+ [must_use]
+ void removeCertsByHashes(in Array<ACString> hashes,
+ in nsICertStorageCallback callback);
+
+ /**
+ * Find all certificates in the backing storage with the given subject
+ * distinguished name.
+ * subject is the DER-encoded bytes of the subject distinguished name.
+ * Returns an array of arrays of bytes, where each inner array corresponds to
+ * the DER-encoded bytes of a certificate that has the given subject (although
+ * as these certificates were presumably added via addCertBySubject, this
+ * aspect is never actually valided by nsICertStorage).
+ * Must not be called from the main thread. See bug 1541212.
+ */
+ [must_use]
+ Array<Array<octet> > findCertsBySubject(in Array<octet> subject);
+
+ /**
+ * Get the count of remaining async operations. Called to ensure we don't skip
+ * or interrupt any operations during fast shutdown.
+ * Must only be called from the main thread.
+ */
+ [must_use]
+ int32_t GetRemainingOperationCount();
+};
diff --git a/security/manager/ssl/nsICertTree.idl b/security/manager/ssl/nsICertTree.idl
new file mode 100644
index 0000000000..8b506882c3
--- /dev/null
+++ b/security/manager/ssl/nsICertTree.idl
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsITreeView.idl"
+
+interface nsIX509Cert;
+
+[scriptable, uuid(d0180863-606e-49e6-8324-cf45ed4dd891)]
+interface nsICertTreeItem : nsISupports {
+ [must_use]
+ readonly attribute nsIX509Cert cert;
+};
+
+[scriptable, uuid(55d5ad6b-5572-47fe-941c-f01fe723659e)]
+interface nsICertTree : nsITreeView {
+ [must_use]
+ void loadCertsFromCache(in Array<nsIX509Cert> cache, in unsigned long type);
+
+ [must_use]
+ nsIX509Cert getCert(in unsigned long index);
+ [must_use]
+ nsICertTreeItem getTreeItem(in unsigned long index);
+
+ [must_use]
+ void deleteEntryObject(in unsigned long index);
+};
+
+%{C++
+
+#define NS_CERTTREE_CID { 0x4ea60761, 0x31d6, 0x491d, \
+ { 0x9e, 0x34, 0x4b, 0x53, 0xa2, 0x6c, 0x41, 0x6c } }
+
+#define NS_CERTTREE_CONTRACTID "@mozilla.org/security/nsCertTree;1"
+
+%}
diff --git a/security/manager/ssl/nsICertificateDialogs.idl b/security/manager/ssl/nsICertificateDialogs.idl
new file mode 100644
index 0000000000..7df24d94e0
--- /dev/null
+++ b/security/manager/ssl/nsICertificateDialogs.idl
@@ -0,0 +1,68 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIInterfaceRequestor;
+interface nsIX509Cert;
+
+/**
+ * Functions that implement user interface dialogs to manage certificates.
+ */
+[scriptable, uuid(da871dab-f69e-4173-ab26-99fcd47b0e85)]
+interface nsICertificateDialogs : nsISupports
+{
+ /**
+ * UI shown when a user is asked to download a new CA cert.
+ * Provides user with ability to choose trust settings for the cert.
+ * Asks the user to grant permission to import the certificate.
+ *
+ * @param ctx A user interface context.
+ * @param cert The certificate that is about to get installed.
+ * @param trust A bit mask of trust flags.
+ * See nsIX509CertDB for possible values.
+ *
+ * @return true if the user allows to import the certificate.
+ */
+ [must_use]
+ boolean confirmDownloadCACert(in nsIInterfaceRequestor ctx,
+ in nsIX509Cert cert,
+ out unsigned long trust);
+
+ /**
+ * UI shown when a user's personal certificate is going to be
+ * exported to a backup file.
+ * The implementation of this dialog should make sure to prompt the user to
+ * type the password twice in order to confirm correct input.
+ * The wording in the dialog should also motivate the user to enter a strong
+ * password.
+ *
+ * @param ctx A user interface context.
+ * @param password The password provided by the user.
+ *
+ * @return false if the user requests to cancel.
+ */
+ [must_use]
+ boolean setPKCS12FilePassword(in nsIInterfaceRequestor ctx,
+ out AString password);
+
+ /**
+ * UI shown when a user is about to restore a personal
+ * certificate from a backup file.
+ * The user is requested to enter the password
+ * that was used in the past to protect that backup file.
+ *
+ * @param ctx A user interface context.
+ * @param password The password provided by the user.
+ *
+ * @return false if the user requests to cancel.
+ */
+ [must_use]
+ boolean getPKCS12FilePassword(in nsIInterfaceRequestor ctx,
+ out AString password);
+};
+
+%{C++
+#define NS_CERTIFICATEDIALOGS_CONTRACTID "@mozilla.org/nsCertificateDialogs;1"
+%}
diff --git a/security/manager/ssl/nsIClientAuthDialogService.idl b/security/manager/ssl/nsIClientAuthDialogService.idl
new file mode 100644
index 0000000000..e5e0f9f407
--- /dev/null
+++ b/security/manager/ssl/nsIClientAuthDialogService.idl
@@ -0,0 +1,43 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsILoadContext;
+interface nsIX509Cert;
+
+[scriptable, function, uuid(6b00d96d-fb8a-4c9f-9632-c9e1235befce)]
+interface nsIClientAuthDialogCallback : nsISupports
+{
+ void certificateChosen(in nsIX509Cert cert, in bool rememberDecision);
+};
+
+/**
+ * Provides UI when a server requests a TLS client authentication certificate.
+ */
+[scriptable, uuid(fa4c7520-1433-11d5-ba24-00108303b117)]
+interface nsIClientAuthDialogService : nsISupports
+{
+ /**
+ * Called when a user is asked to choose a certificate for client auth.
+ *
+ * @param hostname Hostname of the server.
+ * @param certArray Array of certificates the user can choose from.
+ * @param loadContext The nsILoadContext of the connection requesting a
+ * certificate. May be null, in which case the
+ * implementation will use the most recent window to show
+ * UI.
+ * @param callback The nsIClientAuthDialogCallback to call when a certificate
+ * has been chosen (or no certificate).
+ */
+ [must_use]
+ void chooseCertificate(in AUTF8String hostname,
+ in Array<nsIX509Cert> certArray,
+ in nsILoadContext loadContext,
+ in nsIClientAuthDialogCallback callback);
+};
+
+%{C++
+#define NS_CLIENTAUTHDIALOGSERVICE_CONTRACTID "@mozilla.org/security/ClientAuthDialogService;1"
+%}
diff --git a/security/manager/ssl/nsIClientAuthRememberService.idl b/security/manager/ssl/nsIClientAuthRememberService.idl
new file mode 100644
index 0000000000..8797bae869
--- /dev/null
+++ b/security/manager/ssl/nsIClientAuthRememberService.idl
@@ -0,0 +1,65 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+%{ C++
+#include "mozilla/OriginAttributes.h"
+
+#define NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID "@mozilla.org/security/clientAuthRememberService;1"
+%}
+
+interface nsIX509Cert;
+
+[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes);
+
+[scriptable, uuid(e92825af-7e81-4b5c-b412-8e1dd36d14fe)]
+interface nsIClientAuthRememberRecord : nsISupports
+{
+ readonly attribute ACString asciiHost;
+ readonly attribute ACString dbKey;
+ readonly attribute ACString entryKey;
+};
+
+[scriptable, uuid(1dbc6eb6-0972-4bdb-9dc4-acd0abf72369)]
+interface nsIClientAuthRememberService : nsISupports
+{
+
+ [must_use]
+ void forgetRememberedDecision(in ACString key);
+
+
+ [must_use]
+ Array<nsIClientAuthRememberRecord> getDecisions();
+
+
+ [must_use, noscript]
+ void rememberDecision(in ACString aHostName,
+ in const_OriginAttributesRef aOriginAttributes,
+ in nsIX509Cert aClientCert);
+
+ [implicit_jscontext]
+ void rememberDecisionScriptable(in ACString aHostName,
+ in jsval originAttributes,
+ in nsIX509Cert aClientCert);
+
+ [must_use, noscript]
+ bool hasRememberedDecision(in ACString aHostName,
+ in const_OriginAttributesRef aOriginAttributes,
+ out ACString aCertDBKey);
+
+ [implicit_jscontext]
+ bool hasRememberedDecisionScriptable(in ACString aHostName,
+ in jsval originAttributes,
+ out ACString aCertDBKey);
+
+ [must_use]
+ void clearRememberedDecisions();
+
+ [implicit_jscontext]
+ void deleteDecisionsByHost(in ACString aHostName,
+ in jsval aOriginAttributes);
+};
diff --git a/security/manager/ssl/nsIContentSignatureVerifier.idl b/security/manager/ssl/nsIContentSignatureVerifier.idl
new file mode 100644
index 0000000000..e5442845d5
--- /dev/null
+++ b/security/manager/ssl/nsIContentSignatureVerifier.idl
@@ -0,0 +1,49 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+
+#include "nsISupports.idl"
+#include "nsIX509CertDB.idl"
+
+interface nsIContentSignatureReceiverCallback;
+
+/**
+ * An interface for verifying content-signatures, inspired by
+ * https://tools.ietf.org/html/draft-thomson-http-content-signature-00
+ * described here https://github.com/franziskuskiefer/content-signature/tree/pki
+ */
+[scriptable, uuid(45a5fe2f-c350-4b86-962d-02d5aaaa955a)]
+interface nsIContentSignatureVerifier : nsISupports
+{
+ const AppTrustedRoot ContentSignatureProdRoot = 1;
+ const AppTrustedRoot ContentSignatureStageRoot = 2;
+ const AppTrustedRoot ContentSignatureDevRoot = 3;
+ const AppTrustedRoot ContentSignatureLocalRoot = 4;
+
+ /**
+ * Verifies that the data matches the data that was used to generate the
+ * signature.
+ *
+ * @param aData The data to be tested.
+ * @param aContentSignatureHeader The content-signature header,
+ * url-safe base64 encoded.
+ * @param aCertificateChain The certificate chain to use for verification.
+ * PEM encoded string.
+ * @param aHostname The hostname for which the end entity must
+ * be valid.
+ * @param aTrustedRoot The identifier corresponding to the
+ * expected root certificate of the
+ * certificate chain (note that the root need
+ * not actually be included in the chain).
+ * @returns Promise that resolves with the value true if the signature
+ * matches the data and aCertificateChain is valid within aContext,
+ * and false if not. Rejects if another error occurred.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncVerifyContentSignature(in ACString aData,
+ in ACString aContentSignatureHeader,
+ in ACString aCertificateChain,
+ in ACString aHostname,
+ in AppTrustedRoot aTrustedRoot);
+};
diff --git a/security/manager/ssl/nsICryptoHash.idl b/security/manager/ssl/nsICryptoHash.idl
new file mode 100644
index 0000000000..2aa0ebb242
--- /dev/null
+++ b/security/manager/ssl/nsICryptoHash.idl
@@ -0,0 +1,109 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIInputStream;
+
+/**
+ * nsICryptoHash
+ * This interface provides crytographic hashing algorithms.
+ */
+
+[builtinclass, scriptable, uuid(1e5b7c43-4688-45ce-92e1-77ed931e3bbe)]
+interface nsICryptoHash : nsISupports
+{
+ /**
+ * Hashing Algorithms. These values are to be used by the
+ * |init| method to indicate which hashing function to
+ * use. These values must be identical to the values defined
+ * in security/nss/lib/util/hasht.h in type HASH_HashType.
+ * This allows us to use NSS mapping functions like
+ * HASH_GetHashOidTagByHashType with these values.
+ */
+ const unsigned long MD5 = 2; /* String value: "md5" */
+ const unsigned long SHA1 = 3; /* String value: "sha1" */
+ const unsigned long SHA256 = 4; /* String value: "sha256" */
+ const unsigned long SHA384 = 5; /* String value: "sha384" */
+ const unsigned long SHA512 = 6; /* String value: "sha512" */
+
+ /**
+ * Initialize the hashing object. This method may be
+ * called multiple times with different algorithm types.
+ *
+ * @param aAlgorithm the algorithm type to be used.
+ * This value must be one of the above valid
+ * algorithm types.
+ *
+ * @throws NS_ERROR_INVALID_ARG if an unsupported algorithm
+ * type is passed.
+ *
+ * NOTE: This method or initWithString must be called
+ * before any other method on this interface is called.
+ */
+ void init(in unsigned long aAlgorithm);
+
+ /**
+ * Initialize the hashing object. This method may be
+ * called multiple times with different algorithm types.
+ *
+ * @param aAlgorithm the algorithm type to be used.
+ *
+ * @throws NS_ERROR_INVALID_ARG if an unsupported algorithm
+ * type is passed.
+ *
+ * NOTE: This method or init must be called before any
+ * other method on this interface is called.
+ */
+ [must_use]
+ void initWithString(in ACString aAlgorithm);
+
+ /**
+ * @param aData a buffer to calculate the hash over
+ *
+ * @param aLen the length of the buffer |aData|
+ *
+ * @throws NS_ERROR_NOT_INITIALIZED If |init| has not been called.
+ */
+ void update([const, array, size_is(aLen)] in octet aData, in unsigned long aLen);
+
+ /**
+ * Calculates and updates a new hash based on a given data stream.
+ *
+ * @param aStream an input stream to read from.
+ *
+ * @param aLen How much to read from the given |aStream|. Passing UINT32_MAX
+ * indicates that all data available will be used to update the hash.
+ *
+ * @throws NS_ERROR_NOT_INITIALIZED If |init| has not been called.
+ *
+ * @throws NS_ERROR_NOT_AVAILABLE If the requested amount of
+ * data to be calculated into the hash is not available.
+ *
+ */
+ [must_use]
+ void updateFromStream(in nsIInputStream aStream, in unsigned long aLen);
+
+ /**
+ * Completes this hash object and produces the actual hash data.
+ *
+ * @param aASCII If true then the returned value is a base64 encoded string.
+ * If false, then the returned value is binary data.
+ *
+ * @return a hash of the data that was read by this object. This can
+ * be either binary data or base 64 encoded.
+ *
+ * @throws NS_ERROR_NOT_INITIALIZED If |init| has not been called.
+ *
+ * NOTE: This method may be called any time after |init|
+ * is called. This call resets the object to its
+ * pre-init state.
+ */
+ ACString finish(in boolean aASCII);
+};
+
+%{C++
+nsresult NS_NewCryptoHash(uint32_t aHashType, nsICryptoHash** aOutHasher);
+nsresult NS_NewCryptoHash(const nsACString& aHashType, nsICryptoHash** aOutHasher);
+%}
diff --git a/security/manager/ssl/nsIDataStorage.idl b/security/manager/ssl/nsIDataStorage.idl
new file mode 100644
index 0000000000..3fe2c87f77
--- /dev/null
+++ b/security/manager/ssl/nsIDataStorage.idl
@@ -0,0 +1,119 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIDataStorage;
+interface nsIDataStorageItem;
+
+[scriptable, uuid(71b49926-fd4e-43e2-ab8d-d9b049413c0b)]
+interface nsIDataStorageManager : nsISupports {
+ // Because of its specialized nature, nsIDataStorage instances are limited to
+ // the following pre-defined set. To add a new type of data storage, add an
+ // entry to the enum and get review from someone on the security and privacy
+ // engineering team.
+ cenum DataStorage : 8 {
+ AlternateServices,
+ ClientAuthRememberList,
+ SiteSecurityServiceState,
+ };
+
+ nsIDataStorage get(in nsIDataStorageManager_DataStorage dataStorage);
+};
+
+/**
+ * nsIDataStorage is a threadsafe, generic, narrow string-based hash map that
+ * persists data on disk and additionally handles private (temporary) data.
+ * The file format is portable across architectures. If used in a context where
+ * there is no profile directory, data will not be persisted.
+ *
+ * Its lifecycle is as follows:
+ * - Use nsIDataStorageManager to obtain the nsIDataStorage of a particular
+ * purpose. Its backing file will be read on a background thread.
+ * - Should the profile directory not be available, (e.g. in xpcshell),
+ * nsIDataStorage will not read any persistent data.
+ * - When data in the nsIDataStorage changes, those changes will be written
+ * to the backing file on a background thread. If the program crashes or is
+ * closed unexpectedly before the write completes, the changes may be lost.
+ * If the changes were an update to previously stored data, the original data
+ * may be lost as well. A checksum associated with each entry helps identify
+ * incompletely written entries.
+ * - nsIDataStorage does not support transactions. Each entry is independent of
+ * the others.
+ * - When an nsIDataStorage instance observes the topic "profile-before-change"
+ * in anticipation of shutdown, no more changes will be written to the
+ * backing file. To ensure no data is lost, users of nsIDataStorage should
+ * not attempt to change any data after this point.
+ * If "profile-before-change" is not observed, this happens upon observing
+ * "xpcom-shutdown-threads".
+ * - To prevent unbounded memory and disk use, the number of entries in each
+ * table is limited to 2048. Evictions are handled in by a modified LRU scheme
+ * (see implementation comments).
+ * - Note that instances of nsIDataStorage have long lifetimes because they are
+ * strong observers of events and won't go away until the observer service
+ * does.
+ *
+ * For each key/value:
+ * - The key must have a length no more than 256.
+ * - The value have a length no more than 1024 (24 for the site security
+ * service state).
+ * The length limits are to prevent unbounded disk and memory usage, and
+ * nsIDataStorage will throw/return an error if given keys or values of
+ * excess length.
+ * Take care when storing data containing bytes that may be 0. When read
+ * from disk, all trailing 0 bytes from keys and values are stripped.
+ */
+[scriptable, uuid(fcbb5ec4-7134-4069-91c6-9378eff51e03)]
+interface nsIDataStorage : nsISupports {
+ /**
+ * Data that is Persistent is saved on disk. Data that is Private is not
+ * saved. Private is meant to only be set and accessed from private contexts.
+ * It will be cleared upon observing the event "last-pb-context-exited".
+ */
+ cenum DataType : 8 {
+ Persistent,
+ Private,
+ };
+
+ // Given a key and a type of data, returns a value. Returns
+ // NS_ERROR_NOT_AVAILABLE if the key is not present for that type of data.
+ // This operation may block the current thread until the background task
+ // reading the backing file from disk has completed.
+ ACString get(in ACString key, in nsIDataStorage_DataType type);
+
+ // Give a key, value, and type of data, adds an entry as appropriate.
+ // Updates existing entries.
+ // This operation may block the current thread until the background task
+ // reading the backing file from disk has completed.
+ void put(in ACString key, in ACString value, in nsIDataStorage_DataType type);
+
+ // Given a key and type of data, removes an entry if present.
+ // This operation may block the current thread until the background task
+ // reading the backing file from disk has completed.
+ void remove(in ACString key, in nsIDataStorage_DataType type);
+
+ // Removes all entries of all types of data.
+ // This operation may block the current thread until the background task
+ // reading the backing file from disk has completed.
+ void clear();
+
+ // Returns true if this data storage is ready to be used. To avoid blocking
+ // when calling other nsIDataStorage functions, callers may wish to first
+ // ensure this function returns true.
+ bool isReady();
+
+ // Read all of the data items.
+ // This operation may block the current thread until the background task
+ // reading the backing file from disk has completed.
+ Array<nsIDataStorageItem> getAll();
+};
+
+[scriptable, uuid(4501f984-0e3a-4199-a67e-7753649e93f1)]
+interface nsIDataStorageItem : nsISupports {
+ readonly attribute ACString key;
+ readonly attribute ACString value;
+ readonly attribute nsIDataStorage_DataType type;
+};
diff --git a/security/manager/ssl/nsINSSComponent.idl b/security/manager/ssl/nsINSSComponent.idl
new file mode 100644
index 0000000000..9c45a84090
--- /dev/null
+++ b/security/manager/ssl/nsINSSComponent.idl
@@ -0,0 +1,107 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+%{C++
+#include "cert.h"
+#include "SharedCertVerifier.h"
+#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
+%}
+
+[ptr] native CERTCertificatePtr(CERTCertificate);
+[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);
+
+[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
+interface nsINSSComponent : nsISupports {
+ /**
+ * When we log out of a PKCS#11 token, any TLS connections that may have
+ * involved a client certificate stored on that token must be closed. Since we
+ * don't have a fine-grained way to do this, we basically cancel everything.
+ * More speficially, this clears all temporary certificate exception overrides
+ * and any remembered client authentication certificate decisions, and then
+ * cancels all network connections (strictly speaking, this last part is
+ * overzealous - we only need to cancel all https connections (see bug
+ * 1446645)).
+ */
+ [noscript] void logoutAuthenticatedPK11();
+
+ /**
+ * Used to determine if the given certificate (represented as an array of
+ * bytes) is the certificate we use in tests to simulate a built-in root
+ * certificate. Returns false in non-debug builds.
+ */
+ [noscript] bool isCertTestBuiltInRoot(in Array<octet> cert);
+
+ /**
+ * If enabled by the preference "security.enterprise_roots.enabled", returns
+ * an array of arrays of bytes representing the imported enterprise root
+ * certificates (i.e. root certificates gleaned from the OS certificate
+ * store). Returns an empty array otherwise.
+ * Currently this is only implemented on Windows and MacOS X, so this
+ * function returns an empty array on all other platforms.
+ */
+ Array<Array<octet> > getEnterpriseRoots();
+ ACString getEnterpriseRootsPEM();
+
+ /**
+ * Similarly, but for intermediate certificates.
+ */
+ Array<Array<octet> > getEnterpriseIntermediates();
+ ACString getEnterpriseIntermediatesPEM();
+
+ /**
+ * Test utility for adding an intermediate certificate to the current set of
+ * imported enterprise intermediates, if any. Additions to the set made using
+ * this function will be cleared when the value of the preference
+ * "security.enterprise_roots.enabled" changes.
+ */
+ void addEnterpriseIntermediate(in Array<octet> intermediateBytes);
+
+ /**
+ * For performance reasons, the builtin roots module is loaded on a background
+ * thread. When any code that depends on the builtin roots module runs, it
+ * must first wait for the module to be loaded.
+ */
+ [noscript] void blockUntilLoadableCertsLoaded();
+
+ /**
+ * In theory a token on a PKCS#11 module can be inserted or removed at any
+ * time. Operations that may depend on resources on external tokens should
+ * call this to ensure they have a recent view of the token.
+ */
+ [noscript] void checkForSmartCardChanges();
+
+ /**
+ * Used to potentially detect when a user's internet connection is being
+ * intercepted. When doing an update ping, if certificate verification fails,
+ * we make a note of the issuer distinguished name of that certificate.
+ * If a subsequent certificate verification fails, we compare issuer
+ * distinguished names. If they match, something may be intercepting the
+ * user's traffic (if they don't match, the server is likely misconfigured).
+ * This function succeeds if the given DN matches the noted DN and fails
+ * otherwise (e.g. if the update ping never failed).
+ */
+ [noscript] void issuerMatchesMitmCanary(in string certIssuer);
+
+ /**
+ * Returns an already-adrefed handle to the currently configured shared
+ * certificate verifier.
+ */
+ [noscript] SharedCertVerifierPtr getDefaultCertVerifier();
+
+ /**
+ * For clearing both SSL internal and external session cache from JS.
+ * WARNING: May be racy when using the socket process.
+ */
+ void clearSSLExternalAndInternalSessionCache();
+
+ /**
+ * For clearing both SSL internal and external session cache from JS.
+ */
+ [implicit_jscontext]
+ Promise asyncClearSSLExternalAndInternalSessionCache();
+};
diff --git a/security/manager/ssl/nsINSSErrorsService.idl b/security/manager/ssl/nsINSSErrorsService.idl
new file mode 100644
index 0000000000..e68cba3a05
--- /dev/null
+++ b/security/manager/ssl/nsINSSErrorsService.idl
@@ -0,0 +1,72 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(12f60021-e14b-4020-99d1-ed2c795be66a)]
+interface nsINSSErrorsService : nsISupports
+{
+ /**
+ * @param aNSPRCode An error code obtained using PR_GetError()
+ * @return True if it is error code defined by the NSS library
+ */
+ [must_use]
+ boolean isNSSErrorCode(in int32_t aNSPRCode);
+
+ /**
+ * Function will fail if aNSPRCode is not an NSS error code.
+ * @param aNSPRCode An error code obtained using PR_GetError()
+ * @return The result of the conversion, an XPCOM error code
+ */
+ [must_use]
+ nsresult getXPCOMFromNSSError(in int32_t aNSPRCode);
+
+ /**
+ * Function will fail if aXPCOMErrorCode is not an NSS error code.
+ * @param aXPCOMErrorCode An error code obtained using getXPCOMFromNSSError
+ * return A localized human readable error explanation.
+ */
+ AString getErrorMessage(in nsresult aXPCOMErrorCode);
+
+ /**
+ * Function will fail if aXPCOMErrorCode is not an NSS error code.
+ * @param aXPCOMErrorCode An error code obtained using getXPCOMFromNSSError
+ * return the error class of the code, either ERROR_CLASS_BAD_CERT
+ * or ERROR_CLASS_SSL_PROTOCOL
+ */
+ [must_use]
+ uint32_t getErrorClass(in nsresult aXPCOMErrorCode);
+
+ const unsigned long ERROR_CLASS_SSL_PROTOCOL = 1;
+ const unsigned long ERROR_CLASS_BAD_CERT = 2;
+
+ /**
+ * The following values define the range of NSPR error codes used by NSS.
+ * NSS remains the authorative source for these numbers, as a result,
+ * the values might change in the future.
+ * The security module will perform a runtime check and assertion
+ * to ensure the values are in synch with NSS.
+ */
+ const long NSS_SEC_ERROR_BASE = -(0x2000);
+ const long NSS_SEC_ERROR_LIMIT = (NSS_SEC_ERROR_BASE + 1000);
+ const long NSS_SSL_ERROR_BASE = -(0x3000);
+ const long NSS_SSL_ERROR_LIMIT = (NSS_SSL_ERROR_BASE + 1000);
+
+ /**
+ * The error codes within each module must fit in 16 bits. We want these
+ * errors to fit in the same module as the NSS errors but not overlap with
+ * any of them. Converting an NSS SEC, NSS SSL, or mozilla::pkix error to
+ * an NS error involves negating the value of the error and then
+ * synthesizing an error in the NS_ERROR_MODULE_SECURITY module. Hence,
+ * mozilla::pkix errors will start at a negative value that both doesn't
+ * overlap with the current value ranges for NSS errors and that will fit
+ * in 16 bits when negated.
+ *
+ * Keep these in sync with pkixnss.h.
+ */
+ const long MOZILLA_PKIX_ERROR_BASE = -(0x4000);
+ const long MOZILLA_PKIX_ERROR_LIMIT = (MOZILLA_PKIX_ERROR_BASE + 1000);
+};
diff --git a/security/manager/ssl/nsINSSVersion.idl b/security/manager/ssl/nsINSSVersion.idl
new file mode 100644
index 0000000000..000f221e61
--- /dev/null
+++ b/security/manager/ssl/nsINSSVersion.idl
@@ -0,0 +1,37 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+%{C++
+#define NS_NSSVERSION_CONTRACTID "@mozilla.org/security/nssversion;1"
+%}
+
+[scriptable, uuid(a8a53a2b-75cc-4c68-a9bb-9791dbddaa00)]
+interface nsINSSVersion : nsISupports {
+ /* Minimal required versions as used at build time */
+ [must_use]
+ readonly attribute AString NSPR_MinVersion;
+ [must_use]
+ readonly attribute AString NSS_MinVersion;
+ [must_use]
+ readonly attribute AString NSSUTIL_MinVersion;
+ [must_use]
+ readonly attribute AString NSSSSL_MinVersion;
+ [must_use]
+ readonly attribute AString NSSSMIME_MinVersion;
+
+ /* Versions of libraries currently in use */
+ [must_use]
+ readonly attribute AString NSPR_Version;
+ [must_use]
+ readonly attribute AString NSS_Version;
+ [must_use]
+ readonly attribute AString NSSUTIL_Version;
+ [must_use]
+ readonly attribute AString NSSSSL_Version;
+ [must_use]
+ readonly attribute AString NSSSMIME_Version;
+};
diff --git a/security/manager/ssl/nsIOSKeyStore.idl b/security/manager/ssl/nsIOSKeyStore.idl
new file mode 100644
index 0000000000..1306ba4ae1
--- /dev/null
+++ b/security/manager/ssl/nsIOSKeyStore.idl
@@ -0,0 +1,112 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(57972956-5718-42d2-8070-b3fc72212eaf)]
+interface nsIOSKeyStore: nsISupports {
+ /**
+ * This interface provides encryption and decryption operations for data at
+ * rest. The key used to encrypt and decrypt the data is stored in the OS
+ * key store.
+ *
+ * NB: To first authenticate the user to the system, use
+ * nsIOSReauthenticator.
+ *
+ * Usage:
+ *
+ * // obtain the singleton OSKeyStore instance
+ * const oskeystore = Cc["@mozilla.org/security/oskeystore;1"].getService(Ci.nsIOSKeyStore);
+ *
+ * const PASSWORD_LABEL = "mylabel1";
+ *
+ * // Check if there's a secret for your label already.
+ * if (!await oskeystore.asyncSecretAvailable(PASSWORD_LABEL)) {
+ * // Fail or generate a new secret for your label.
+ * // If you want to generate a new secret, do.
+ * // Hold onto `recoveryPhrase` to present to the user.
+ * let recoveryPhrase = await oskeystore.asyncGenerateSecret(PASSWORD_LABEL);
+ * }
+ *
+ * // Assuming there's a secret with your label. Encrypt/Decrypt as follows.
+ * let encryptedPasswordBytes = await oskeystore.asyncEncryptBytes(PASSWORD_LABEL, passwordBytes);
+ * let newPasswordBytes = await oskeystore.asyncDecryptBytes(PASSWORD_LABEL, encryptedPasswordBytes);
+ *
+ * // Delete the secret from the key store.
+ * await oskeystore.asyncDeleteSecret(PASSWORD_LABEL);
+ *
+ * // Recover a secret from a recovery code.
+ * await oskeystore.asyncRecoverSecret(PASSWORD_LABEL, recoveryPhrase);
+ */
+
+ /**
+ * Generate a new secret and store it in the OS key store with the given label.
+ * The caller should make sure that no other secrets with the same label are
+ * present before calling this function.
+ * This invalidates all previous ciphertexts created with the key
+ * corresponding to the given label.
+ *
+ * @param label The label to use for the secret.
+ * @return Promise that resolves to the recoveryPhrase string used to generate
+ * the secret.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncGenerateSecret(in ACString label);
+
+ /**
+ * Check whether a secret for a given label exists.
+ *
+ * @param label The label to lookup.
+ * @return Promise that resolves to a bool (whether a secret with label is
+ * known or not) or an error.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncSecretAvailable(in ACString label);
+
+ /**
+ * Set a secret from a given recovery phrase.
+ * This might not be implemented on all platforms.
+ * This invalidates all previous ciphertexts.
+ *
+ * @param label The label to use for the secret.
+ * @param recoveryPhrase The recovery phrase that's used to generate the secret.
+ * @return Promise that resolves to undefined or an error.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncRecoverSecret(in ACString label, in ACString recoveryPhrase);
+
+ /**
+ * Delete secret with a given label. If there is no secret with the given
+ * label, no action is taken.
+ *
+ * @param label The label of the secret to delete.
+ * @return Promise that resolves to undefined or an error.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncDeleteSecret(in ACString label);
+
+
+ /**
+ * Encrypt the given data and then return the result as a base64-encoded
+ * string.
+ *
+ * @param label The label of the key to use to encrypt.
+ * @param inBytes The bytes to encrypt.
+ * @return Promise resolving to the encrypted text, encoded as Base64, or an
+ * error.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncEncryptBytes(in ACString label, in Array<uint8_t> inBytes);
+
+ /**
+ * Decode and then decrypt the given base64-encoded string.
+ *
+ * @param label The label of the key to use to decrypt.
+ * @param encryptedBase64Text Encrypted input text, encoded as Base64.
+ * @return Promise resolving to the plaintext bytes or an error.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncDecryptBytes(in ACString label, in ACString encryptedBase64Text);
+};
diff --git a/security/manager/ssl/nsIOSReauthenticator.idl b/security/manager/ssl/nsIOSReauthenticator.idl
new file mode 100644
index 0000000000..753322ced5
--- /dev/null
+++ b/security/manager/ssl/nsIOSReauthenticator.idl
@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface mozIDOMWindow;
+
+[scriptable, uuid(4fe082ae-6ff0-4b41-b24f-eaa664f6e46a)]
+interface nsIOSReauthenticator: nsISupports {
+ /**
+ * This interface provides an abstract way to request that the user
+ * reauthenticate themselves to the operating system. It may be useful in
+ * conjunction with nsIOSKeyStore, whereby consumers of these APIs may
+ * consider some secrets too sensitive to access without first
+ * reauthenticating the user.
+ *
+ * Usage:
+ *
+ * // obtain the singleton nsIOSReauthenticator instance
+ * const reauthenticator = Cc["@mozilla.org/security/osreauthenticator;1"]
+ * .getService(Ci.nsIOSReauthenticator);
+ * if (await reauthenticator.asyncReauthenticate()) {
+ * // do something only authenticated users are allowed to do...
+ * } else {
+ * // show a "sorry, this isn't allowed" error
+ * }
+ */
+
+ /**
+ * Asynchronously cause the operating system to request that the user
+ * reauthenticate. This is typically in the form of a dialog box asking the
+ * user for their login password. The actual behaviour of this depends on the
+ * OS.
+ *
+ * @param prompt A short string that may be incorporated in the dialog
+ * @param caption A short string that may be shown as the dialog caption (usually Product Name)
+ * @param parentWindow Used to associate the OS dialog with the calling window.
+ * @return Promise resolving to true if the user successfully authenticated
+ * and false otherwise.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncReauthenticateUser(in AString prompt, in AString caption, in mozIDOMWindow parentWindow);
+};
diff --git a/security/manager/ssl/nsIPK11Token.idl b/security/manager/ssl/nsIPK11Token.idl
new file mode 100644
index 0000000000..ae8fc2e994
--- /dev/null
+++ b/security/manager/ssl/nsIPK11Token.idl
@@ -0,0 +1,81 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(51191434-1dd2-11b2-a17c-e49c4e99a4e3)]
+interface nsIPK11Token : nsISupports
+{
+ /*
+ * The name of the token
+ */
+ [must_use]
+ readonly attribute AUTF8String tokenName;
+ [must_use]
+ readonly attribute boolean isInternalKeyToken;
+ /**
+ * Manufacturer ID of the token.
+ */
+ [must_use]
+ readonly attribute AUTF8String tokenManID;
+ /**
+ * Hardware version of the token.
+ */
+ [must_use]
+ readonly attribute AUTF8String tokenHWVersion;
+ /**
+ * Firmware version of the token.
+ */
+ [must_use]
+ readonly attribute AUTF8String tokenFWVersion;
+ [must_use]
+ readonly attribute AUTF8String tokenSerialNumber;
+
+ /*
+ * Login information
+ */
+ [must_use]
+ boolean isLoggedIn();
+ [must_use]
+ void login(in boolean force);
+ [must_use]
+ void logoutSimple();
+ [must_use]
+ void logoutAndDropAuthenticatedResources();
+ [must_use]
+ boolean needsLogin();
+ [must_use]
+ readonly attribute boolean needsUserInit;
+
+ /*
+ * Reset password
+ */
+ [must_use]
+ void reset();
+
+ /**
+ * Checks whether the given password is correct. Logs the token out if an
+ * incorrect password is given.
+ *
+ * @param password The password to check.
+ * @return true if the password was correct, false otherwise.
+ */
+ [must_use]
+ boolean checkPassword(in AUTF8String password);
+ [must_use]
+ void initPassword(in AUTF8String initialPassword);
+ [must_use]
+ void changePassword(in AUTF8String oldPassword, in AUTF8String newPassword);
+
+ /*
+ * True if a password has been configured for this token, and false otherwise.
+ * (Whether or not the user is currently logged in makes no difference.)
+ * In particular, this can be used to determine if a user has set a master
+ * password (if this is the internal key token).
+ */
+ [must_use]
+ readonly attribute boolean hasPassword;
+};
diff --git a/security/manager/ssl/nsIPK11TokenDB.idl b/security/manager/ssl/nsIPK11TokenDB.idl
new file mode 100644
index 0000000000..c493e0c57c
--- /dev/null
+++ b/security/manager/ssl/nsIPK11TokenDB.idl
@@ -0,0 +1,31 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIPK11Token;
+
+/**
+ * The PK11 Token Database provides access to the PK11 modules
+ * that are installed, and the tokens that are available.
+ * Interfaces: nsIPK11TokenDB
+ * Threading: ??
+ */
+%{C++
+#define NS_PK11TOKENDB_CONTRACTID "@mozilla.org/security/pk11tokendb;1"
+%}
+
+/**
+ * nsIPK11TokenDB - Manages PK11 Tokens
+ */
+[scriptable, uuid(4ee28c82-1dd2-11b2-aabf-bb4017abe395)]
+interface nsIPK11TokenDB : nsISupports
+{
+ /*
+ * Get the internal key database token
+ */
+ nsIPK11Token getInternalKeyToken();
+};
diff --git a/security/manager/ssl/nsIPKCS11Module.idl b/security/manager/ssl/nsIPKCS11Module.idl
new file mode 100644
index 0000000000..0446b7ddaa
--- /dev/null
+++ b/security/manager/ssl/nsIPKCS11Module.idl
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIPKCS11Slot;
+interface nsISimpleEnumerator;
+
+[scriptable, uuid(8a44bdf9-d1a5-4734-bd5a-34ed7fe564c2)]
+interface nsIPKCS11Module : nsISupports
+{
+ [must_use]
+ readonly attribute AUTF8String name;
+ [must_use]
+ readonly attribute AUTF8String libName;
+ [must_use]
+ nsISimpleEnumerator listSlots();
+};
diff --git a/security/manager/ssl/nsIPKCS11ModuleDB.idl b/security/manager/ssl/nsIPKCS11ModuleDB.idl
new file mode 100644
index 0000000000..9221fd26c6
--- /dev/null
+++ b/security/manager/ssl/nsIPKCS11ModuleDB.idl
@@ -0,0 +1,40 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIPKCS11Module;
+interface nsIPKCS11Slot;
+interface nsISimpleEnumerator;
+
+%{C++
+#define NS_PKCS11MODULEDB_CONTRACTID "@mozilla.org/security/pkcs11moduledb;1"
+%}
+
+[scriptable, uuid(ff9fbcd7-9517-4334-b97a-ceed78909974)]
+interface nsIPKCS11ModuleDB : nsISupports
+{
+ [must_use]
+ void deleteModule(in AString moduleName);
+
+ [must_use]
+ void addModule(in AString moduleName,
+ in AString libraryFullPath,
+ in long cryptoMechanismFlags,
+ in long cipherFlags);
+
+ [must_use]
+ nsISimpleEnumerator listModules();
+
+ [must_use]
+ readonly attribute boolean canToggleFIPS;
+
+ [must_use]
+ void toggleFIPSMode();
+
+ [must_use]
+ readonly attribute boolean isFIPSEnabled;
+};
diff --git a/security/manager/ssl/nsIPKCS11Slot.idl b/security/manager/ssl/nsIPKCS11Slot.idl
new file mode 100644
index 0000000000..20c82729c1
--- /dev/null
+++ b/security/manager/ssl/nsIPKCS11Slot.idl
@@ -0,0 +1,52 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIPK11Token;
+
+[scriptable, uuid(c2d4f296-ee60-11d4-998b-00b0d02354a0)]
+interface nsIPKCS11Slot : nsISupports {
+ [must_use]
+ readonly attribute AUTF8String name;
+ [must_use]
+ readonly attribute AUTF8String desc;
+ /**
+ * Manufacturer ID of the slot.
+ */
+ [must_use]
+ readonly attribute AUTF8String manID;
+ /**
+ * Hardware version of the slot.
+ */
+ [must_use]
+ readonly attribute AUTF8String HWVersion;
+ /**
+ * Firmware version of the slot.
+ */
+ [must_use]
+ readonly attribute AUTF8String FWVersion;
+
+ const unsigned long SLOT_DISABLED = 0;
+ const unsigned long SLOT_NOT_PRESENT = 1;
+ const unsigned long SLOT_UNINITIALIZED = 2;
+ const unsigned long SLOT_NOT_LOGGED_IN = 3;
+ const unsigned long SLOT_LOGGED_IN = 4;
+ const unsigned long SLOT_READY = 5;
+ [must_use]
+ readonly attribute unsigned long status;
+
+ /* This is really a workaround for now. All of the "slot" functions
+ * (isTokenPresent(), etc.) are in nsIPK11Token. For now, return the
+ * token and handle those things there.
+ */
+ [must_use]
+ nsIPK11Token getToken();
+
+ /* more fun with workarounds - we're referring to everything by token name */
+ [must_use]
+ readonly attribute AUTF8String tokenName;
+};
diff --git a/security/manager/ssl/nsIPublicKeyPinningService.idl b/security/manager/ssl/nsIPublicKeyPinningService.idl
new file mode 100644
index 0000000000..b48f86dbb7
--- /dev/null
+++ b/security/manager/ssl/nsIPublicKeyPinningService.idl
@@ -0,0 +1,22 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIURI;
+
+[scriptable, uuid(f64432b9-e8c6-41b4-b2da-8eb004344bba), builtinclass]
+interface nsIPublicKeyPinningService : nsISupports
+{
+ /**
+ * Returns true if the host of the given URI has pinning information, and
+ * false otherwise.
+ */
+ [must_use]
+ bool hostHasPins(in nsIURI aURI);
+};
+
+%{C++
+#define NS_PKPSERVICE_CONTRACTID "@mozilla.org/security/publickeypinningservice;1"
+%}
diff --git a/security/manager/ssl/nsISecretDecoderRing.idl b/security/manager/ssl/nsISecretDecoderRing.idl
new file mode 100644
index 0000000000..caa70b2f3b
--- /dev/null
+++ b/security/manager/ssl/nsISecretDecoderRing.idl
@@ -0,0 +1,77 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(0EC80360-075C-11d4-9FD4-00C04F1B83D8)]
+interface nsISecretDecoderRing: nsISupports {
+ /**
+ * Encrypt to Base64 output.
+ * Note that the input must basically be a byte array (i.e. the code points
+ * must be within the range [0, 255]). Hence, using this method directly to
+ * encrypt passwords (or any text, really) won't work as expected.
+ * Instead, use something like nsIScriptableUnicodeConverter to first convert
+ * the desired password or text to UTF-8, then encrypt that. Remember to
+ * convert back when calling decryptString().
+ *
+ * @param text The text to encrypt.
+ * @return The encrypted text, encoded as Base64.
+ */
+ [must_use]
+ ACString encryptString(in ACString text);
+
+ /**
+ * Run encryptString on multiple strings, asynchronously. This will allow you
+ * to not jank the browser if you need to encrypt a large number of strings
+ * all at once. This method accepts an array of wstrings which it will convert
+ * to UTF-8 internally before encrypting.
+ *
+ * @param plaintexts the strings to encrypt.
+ * @return A promise for the list of encrypted strings, encoded as Base64.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncEncryptStrings(in Array<AUTF8String> plaintexts);
+
+ /**
+ * Decrypt Base64 input.
+ * See the encryptString() documentation - this method has basically the same
+ * limitations.
+ *
+ * @param encryptedBase64Text Encrypted input text, encoded as Base64.
+ * @return The decoded text.
+ */
+ [must_use]
+ ACString decryptString(in ACString encryptedBase64Text);
+
+ /**
+ * Run decryptString on multiple strings, asynchronously. This will allow you
+ * to not jank the browser if you need to decrypt a large number of strings
+ * all at once.
+ *
+ * @param encryptedStrings the strings to decrypt, encoded as Base64.
+ * @return A promise that resolves with the list of decrypted strings in Unicode.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncDecryptStrings(in Array<ACString> encryptedStrings);
+
+ /**
+ * Prompt the user to change the password on the SDR key.
+ */
+ [must_use]
+ void changePassword();
+
+ /**
+ * Logout of the security device that protects the SDR key.
+ */
+ [must_use]
+ void logout();
+
+ /**
+ * Logout of the security device that protects the SDR key and tear
+ * down authenticated objects.
+ */
+ [must_use]
+ void logoutAndTeardown();
+};
diff --git a/security/manager/ssl/nsISecurityUITelemetry.idl b/security/manager/ssl/nsISecurityUITelemetry.idl
new file mode 100644
index 0000000000..5c550bd897
--- /dev/null
+++ b/security/manager/ssl/nsISecurityUITelemetry.idl
@@ -0,0 +1,34 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(5d1acf82-223a-46fb-a8f3-a1b16e2ceb04)]
+interface nsISecurityUITelemetry : nsISupports {
+
+/*
+ * Addon installation warnings
+ */
+
+// Firefox prevented this site from asking you to install addon
+const uint32_t WARNING_ADDON_ASKING_PREVENTED = 1;
+// User clicks through and allows site to ask to install addons
+const uint32_t WARNING_ADDON_ASKING_PREVENTED_CLICK_THROUGH = 2;
+// Are you sure you want to install this addon? Only install addons you trust
+const uint32_t WARNING_CONFIRM_ADDON_INSTALL = 3;
+// User clicked she is sure after waiting 3secs
+const uint32_t WARNING_CONFIRM_ADDON_INSTALL_CLICK_THROUGH = 4;
+
+
+/*
+ * modal dialogs/warnings
+ */
+
+// User encountered a POST to an insecure context from a secure context.
+const uint32_t WARNING_CONFIRM_POST_TO_INSECURE_FROM_SECURE = 9;
+// User clicked through to POST to an insecure context from a secure context.
+const uint32_t WARNING_CONFIRM_POST_TO_INSECURE_FROM_SECURE_CLICK_THROUGH = 10;
+};
diff --git a/security/manager/ssl/nsISiteSecurityService.idl b/security/manager/ssl/nsISiteSecurityService.idl
new file mode 100644
index 0000000000..882dbb78ad
--- /dev/null
+++ b/security/manager/ssl/nsISiteSecurityService.idl
@@ -0,0 +1,145 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIURI;
+
+[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes);
+
+[scriptable, uuid(275127f8-dbd7-4681-afbf-6df0c6587a01)]
+interface nsISiteSecurityService : nsISupports
+{
+ const uint32_t Success = 0;
+ const uint32_t ERROR_UNKNOWN = 1;
+ // ERROR_UNTRUSTWORTHY_CONNECTION was 2 (the caller is now responsible for
+ // checking this)
+ const uint32_t ERROR_COULD_NOT_PARSE_HEADER = 3;
+ const uint32_t ERROR_NO_MAX_AGE = 4;
+ const uint32_t ERROR_MULTIPLE_MAX_AGES = 5;
+ const uint32_t ERROR_INVALID_MAX_AGE = 6;
+ const uint32_t ERROR_MULTIPLE_INCLUDE_SUBDOMAINS = 7;
+ const uint32_t ERROR_INVALID_INCLUDE_SUBDOMAINS = 8;
+ // The constants that were removed below were used in HPKP processing
+ // (which has been removed entirely).
+ // ERROR_INVALID_PIN was 9
+ // ERROR_MULTIPLE_REPORT_URIS was 10
+ // ERROR_PINSET_DOES_NOT_MATCH_CHAIN was 11
+ // ERROR_NO_BACKUP_PIN was 12
+ const uint32_t ERROR_COULD_NOT_SAVE_STATE = 13;
+ // ERROR_ROOT_NOT_BUILT_IN was 14
+
+ /**
+ * Parses a given HTTP header and records the results internally.
+ * Currently one header type is supported: HSTS (aka STS).
+ * The format of the HSTS header is defined by the HSTS specification:
+ * https://tools.ietf.org/html/rfc6797
+ * and allows a host to specify that future HTTP requests should be
+ * upgraded to HTTPS.
+ * The caller is responsible for first determining that the header was
+ * delivered via a trustworthy connection (namely, https with no errors).
+ *
+ * @param aSourceURI the URI of the resource with the HTTP header.
+ * @param aHeader the HTTP response header specifying security data.
+ * @param aOriginAttributes the origin attributes that isolate this origin,
+ * (note that this implementation does not isolate
+ * by userContextId because of the risk of man-in-
+ * the-middle attacks before trust-on-second-use
+ * happens).
+ * If mPrivateBrowsingId > 0, information gathered
+ * from this header will not be saved persistently.
+ * @param aMaxAge the parsed max-age directive of the header.
+ * @param aIncludeSubdomains the parsed includeSubdomains directive.
+ * @param aFailureResult a more specific failure result if NS_ERROR_FAILURE
+ was returned.
+ * @return NS_OK if it succeeds
+ * NS_ERROR_FAILURE if it can't be parsed
+ * NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA
+ * if there are unrecognized tokens in the header.
+ */
+ [binaryname(ProcessHeader), noscript, must_use]
+ void processHeaderNative(in nsIURI aSourceURI,
+ in ACString aHeader,
+ in const_OriginAttributesRef aOriginAttributes,
+ [optional] out unsigned long long aMaxAge,
+ [optional] out boolean aIncludeSubdomains,
+ [optional] out uint32_t aFailureResult);
+
+ [binaryname(ProcessHeaderScriptable), implicit_jscontext, optional_argc,
+ must_use]
+ void processHeader(in nsIURI aSourceURI,
+ in ACString aHeader,
+ [optional] in jsval aOriginAttributes,
+ [optional] out unsigned long long aMaxAge,
+ [optional] out boolean aIncludeSubdomains,
+ [optional] out uint32_t aFailureResult);
+
+ // Helper enum for use with resetState.
+ cenum ResetStateBy : 8 {
+ // reset state for the exact domain
+ ExactDomain,
+ // reset state for any domain rooted by the given domain
+ // (e.g. foo.example.com if given example.com)
+ RootDomain,
+ // reset all state associated with the given base domain (e.g. data
+ // partitioned by total cookie protection)
+ BaseDomain,
+ };
+
+ /**
+ * Resets HSTS state a host, including the includeSubdomains state that
+ * would affect subdomains. This essentially removes the state for the
+ * domain tree rooted at this host. If any preloaded information is present
+ * for that host, that information will then be used instead of any other
+ * previously existing state.
+ *
+ * @param aURI the URI of the target host
+ * @param aOriginAttributes the origin attributes that isolate this origin,
+ * (note that this implementation does not isolate
+ * by userContextId because of the risk of man-in-
+ * the-middle attacks before trust-on-second-use
+ * happens).
+ * @param aScope The scope of state to reset. See ResetStateBy. Defaults
+ * to ExactDomain.
+ */
+ [implicit_jscontext, optional_argc, must_use]
+ void resetState(in nsIURI aURI,
+ [optional] in jsval aOriginAttributes,
+ [optional] in nsISiteSecurityService_ResetStateBy aScope);
+
+ /**
+ * Checks whether or not the URI's hostname has HSTS set.
+ * For example:
+ * The URI is an HSTS URI if either the host has the HSTS state set, or one
+ * of its super-domains has the HSTS "includeSubdomains" flag set.
+ * NOTE: this function makes decisions based only on the
+ * host contained in the URI, and disregards other portions of the URI
+ * such as path and port.
+ *
+ * @param aURI the URI to query for STS state.
+ * @param aOriginAttributes the origin attributes that isolate this origin,
+ * (note that this implementation does not isolate
+ * by userContextId because of the risk of man-in-
+ * the-middle attacks before trust-on-second-use
+ * happens).
+ */
+ [binaryname(IsSecureURI), noscript, must_use]
+ boolean isSecureURINative(in nsIURI aURI,
+ in const_OriginAttributesRef aOriginAttributes);
+
+ [binaryname(IsSecureURIScriptable), implicit_jscontext, optional_argc,
+ must_use]
+ boolean isSecureURI(in nsIURI aURI, [optional] in jsval aOriginAttributes);
+
+ /**
+ * Removes all non-preloaded HSTS state by resetting to factory-original
+ * settings.
+ */
+ [must_use]
+ void clearAll();
+};
+
+%{C++
+#define NS_SSSERVICE_CONTRACTID "@mozilla.org/ssservice;1"
+%}
diff --git a/security/manager/ssl/nsITLSSocketControl.idl b/security/manager/ssl/nsITLSSocketControl.idl
new file mode 100644
index 0000000000..42d1b4bcd7
--- /dev/null
+++ b/security/manager/ssl/nsITLSSocketControl.idl
@@ -0,0 +1,195 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIInterfaceRequestor;
+interface nsITlsHandshakeCallbackListener;
+interface nsITransportSecurityInfo;
+interface nsIX509Cert;
+
+%{C++
+#include "nsStringFwd.h"
+#include "nsTArrayForwardDeclare.h"
+%}
+[ref] native nsCStringTArrayRef(nsTArray<nsCString>);
+
+// An interface describing an object that controls and holds information about
+// a TLS handshake.
+// NB: The implementations of this interface may only be used on the socket
+// thread (except for asyncGetSecurityInfo);
+[scriptable, builtinclass, uuid(418265c8-654e-4fbb-ba62-4eed27de1f03)]
+interface nsITLSSocketControl : nsISupports {
+ void proxyStartSSL();
+ void StartTLS();
+
+ /* NPN (Next Protocol Negotiation) is a mechanism for
+ negotiating the protocol to be spoken inside the SSL
+ tunnel during the SSL handshake. The NPNList is the list
+ of offered client side protocols. setNPNList() needs to
+ be called before any data is read or written (including the
+ handshake to be setup correctly. The server determines the
+ priority when multiple matches occur, but if there is no overlap
+ the first protocol in the list is used. */
+
+ [noscript] void setNPNList(in nsCStringTArrayRef aNPNList);
+
+ /* For 0RTT we need to know the alpn protocol selected for the last tls
+ * session. This function will return a value if applicable or an error
+ * NS_ERROR_NOT_AVAILABLE.
+ */
+ ACString getAlpnEarlySelection();
+
+ /* If 0RTT handshake was applied and some data has been sent, as soon as
+ * the handshake finishes this attribute will be set to appropriate value.
+ */
+ readonly attribute bool earlyDataAccepted;
+
+ /* When 0RTT is performed, PR_Write will not drive the handshake forward.
+ * It must be forced by calling this function.
+ */
+ void driveHandshake();
+
+ /* Determine if a potential SSL connection to hostname:port with
+ * a desired NPN negotiated protocol of npnProtocol can use the socket
+ * associated with this object instead of making a new one. And if so, combine
+ * them.
+ */
+ boolean joinConnection(
+ in ACString npnProtocol, /* e.g. "h2" */
+ in ACString hostname,
+ in long port);
+
+ /* just like JoinConnection() except do not mark a successful test as joined.
+ */
+ boolean testJoinConnection(
+ in ACString npnProtocol, /* e.g. "h2" */
+ in ACString hostname,
+ in long port);
+
+ /* Determine if existing connection should be trusted to convey information about
+ * a hostname.
+ */
+ boolean isAcceptableForHost(in ACString hostname);
+
+ /* The Key Exchange Algorithm is used when determining whether or
+ not HTTP/2 can be used.
+
+ After a handshake is complete it can be read from KEAUsed.
+ The values correspond to the SSLKEAType enum in NSS or the
+ KEY_EXCHANGE_UNKNOWN constant defined below.
+
+ KEAKeyBits is the size/security-level used for the KEA.
+ */
+
+ [infallible] readonly attribute short KEAUsed;
+ [infallible] readonly attribute unsigned long KEAKeyBits;
+
+ const short KEY_EXCHANGE_UNKNOWN = -1;
+
+ /*
+ * The original flags from the socket provider.
+ */
+ readonly attribute uint32_t providerFlags;
+
+ /* These values are defined by TLS. */
+ const short SSL_VERSION_3 = 0x0300;
+ const short TLS_VERSION_1 = 0x0301;
+ const short TLS_VERSION_1_1 = 0x0302;
+ const short TLS_VERSION_1_2 = 0x0303;
+ const short TLS_VERSION_1_3 = 0x0304;
+ const short SSL_VERSION_UNKNOWN = -1;
+
+ [infallible] readonly attribute short SSLVersionUsed;
+ [infallible] readonly attribute short SSLVersionOffered;
+
+ /* These values match the NSS defined values in sslt.h */
+ const short SSL_MAC_UNKNOWN = -1;
+ const short SSL_MAC_NULL = 0;
+ const short SSL_MAC_MD5 = 1;
+ const short SSL_MAC_SHA = 2;
+ const short SSL_HMAC_MD5 = 3;
+ const short SSL_HMAC_SHA = 4;
+ const short SSL_HMAC_SHA256 = 5;
+ const short SSL_MAC_AEAD = 6;
+
+ [infallible] readonly attribute short MACAlgorithmUsed;
+
+ /**
+ * If set to true before the server requests a client cert
+ * no cert will be sent.
+ */
+ [notxpcom, nostdcall] attribute boolean denyClientCert;
+
+ /**
+ * True iff a client cert has been sent to the server - i.e. this
+ * socket has been client-cert authenticated.
+ */
+ [infallible] readonly attribute boolean clientCertSent;
+
+ /*
+ * failedVerification is true if any enforced certificate checks have failed.
+ * Connections that have not yet tried to verify, or are using acceptable
+ * exceptions will all return false.
+ */
+ [infallible] readonly attribute boolean failedVerification;
+
+ /*
+ * esniTxt is a string that consists of the concatenated _esni. TXT records.
+ * This is a base64 encoded ESNIKeys structure.
+ */
+ attribute ACString esniTxt;
+
+ /*
+ * echConfig is defined for conveying the ECH configuration.
+ * This is encoded in base64.
+ */
+ attribute ACString echConfig;
+
+ /**
+ * The echConfig that should be used to retry for the connection setup.
+ */
+ readonly attribute ACString retryEchConfig;
+
+ /**
+ * Disable early data.
+ */
+ [noscript] void disableEarlyData();
+
+ [noscript] void setHandshakeCallbackListener(in nsITlsHandshakeCallbackListener callback);
+
+ /**
+ * The id used to uniquely identify the connection to the peer.
+ */
+ readonly attribute ACString peerId;
+
+ /**
+ * The securityInfo of the TLS handshake.
+ */
+ readonly attribute nsITransportSecurityInfo securityInfo;
+
+ /**
+ * Asynchronously obtain the securityInfo of the TLS handshake. Resolves
+ * with an nsITransportSecurityInfo. This should probably only be used in
+ * tests, where JS running on the main thread cannot access any of the
+ * other fields of nsITLSSocketControl.
+ */
+ [implicit_jscontext, must_use]
+ Promise asyncGetSecurityInfo();
+
+ /**
+ * Claim a speculative connection.
+ */
+ void claim();
+
+ /**
+ * The top-level outer content window ID (called "browserId" in networking
+ * code) associated with this connection, if any (otherwise, 0). Useful for
+ * associating this connection with a browser tab in order to show UI (e.g.
+ * the client authentication certificate selection dialog).
+ */
+ attribute uint64_t browserId;
+};
diff --git a/security/manager/ssl/nsITokenPasswordDialogs.idl b/security/manager/ssl/nsITokenPasswordDialogs.idl
new file mode 100644
index 0000000000..1e5475e6dd
--- /dev/null
+++ b/security/manager/ssl/nsITokenPasswordDialogs.idl
@@ -0,0 +1,30 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIInterfaceRequestor;
+interface nsIPK11Token;
+
+/**
+ * This is the interface for setting and changing password
+ * on a PKCS11 token.
+ */
+[scriptable, uuid(87dbd64a-4466-474e-95f5-1ad1cee5702c)]
+interface nsITokenPasswordDialogs : nsISupports
+{
+ /**
+ * Brings up a dialog to set the password on a token.
+ *
+ * @param ctx A user interface context.
+ * @param token {nsIPK11Token} The token.
+ * @return true if the user canceled the dialog, false otherwise.
+ */
+ [must_use]
+ boolean setPassword(in nsIInterfaceRequestor ctx, in nsIPK11Token token);
+};
+
+%{C++
+#define NS_TOKENPASSWORDSDIALOG_CONTRACTID "@mozilla.org/nsTokenPasswordDialogs;1"
+%}
diff --git a/security/manager/ssl/nsITransportSecurityInfo.idl b/security/manager/ssl/nsITransportSecurityInfo.idl
new file mode 100644
index 0000000000..8fe5879e4a
--- /dev/null
+++ b/security/manager/ssl/nsITransportSecurityInfo.idl
@@ -0,0 +1,137 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIObjectOutputStream;
+interface nsIX509Cert;
+
+%{ C++
+namespace IPC {
+class MessageWriter;
+}
+%}
+
+[ptr] native IpcMessageWriterPtr(IPC::MessageWriter);
+
+[builtinclass, scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)]
+interface nsITransportSecurityInfo : nsISupports {
+ cenum OverridableErrorCategory : 32 {
+ ERROR_UNSET,
+ ERROR_TRUST,
+ ERROR_DOMAIN,
+ ERROR_TIME,
+ };
+
+ readonly attribute unsigned long securityState;
+ readonly attribute long errorCode; // PRErrorCode
+ // errorCode as string (e.g. "SEC_ERROR_UNKNOWN_ISSUER")
+ readonly attribute AString errorCodeString;
+
+ /**
+ * The following parameters are only valid after the TLS handshake
+ * has completed. Check securityState first.
+ */
+
+ /**
+ * If certificate verification failed, this will be the peer certificate
+ * chain provided in the handshake, so it can be used for error reporting.
+ * If verification succeeded, this will be empty.
+ */
+ readonly attribute Array<nsIX509Cert> failedCertChain;
+
+ readonly attribute nsIX509Cert serverCert;
+ readonly attribute Array<nsIX509Cert> succeededCertChain;
+
+ [must_use]
+ readonly attribute ACString cipherName;
+ [must_use]
+ readonly attribute unsigned long keyLength;
+ [must_use]
+ readonly attribute unsigned long secretKeyLength;
+ [must_use]
+ readonly attribute ACString keaGroupName;
+ [must_use]
+ readonly attribute ACString signatureSchemeName;
+
+ const short SSL_VERSION_3 = 0;
+ const short TLS_VERSION_1 = 1;
+ const short TLS_VERSION_1_1 = 2;
+ const short TLS_VERSION_1_2 = 3;
+ const short TLS_VERSION_1_3 = 4;
+ [must_use]
+ readonly attribute unsigned short protocolVersion;
+
+ const short CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE = 0;
+ const short CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT = 5;
+ const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS = 6;
+ const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS = 7;
+ [must_use]
+ readonly attribute unsigned short certificateTransparencyStatus;
+
+ [must_use]
+ readonly attribute boolean isAcceptedEch;
+ [must_use]
+ readonly attribute boolean isDelegatedCredential;
+ [must_use]
+ readonly attribute nsITransportSecurityInfo_OverridableErrorCategory overridableErrorCategory;
+
+ /**
+ * True if OCSP requests were made to query the status of certificates
+ * used in this connection.
+ */
+ [must_use]
+ readonly attribute boolean madeOCSPRequests;
+
+ /**
+ * True if the DNS record used for this connection was fetched over an encrypted connection.
+ */
+ [must_use]
+ readonly attribute boolean usedPrivateDNS;
+
+ /**
+ * True only if (and after) serverCert was successfully validated as
+ * Extended Validation (EV).
+ */
+ [must_use]
+ readonly attribute boolean isExtendedValidation;
+
+ [notxpcom, noscript]
+ void SerializeToIPC(in IpcMessageWriterPtr aWriter);
+
+ /**
+ * Serializes the data represented in this interface to a base64-encoded
+ * string that can be deserialized using TransportSecurityInfo::Read.
+ */
+ [must_use]
+ ACString toString();
+
+ /* negotiatedNPN is '' if no NPN list was provided by the client,
+ * or if the server did not select any protocol choice from that
+ * list. That also includes the case where the server does not
+ * implement NPN.
+ *
+ * If negotiatedNPN is read before NPN has progressed to the point
+ * where this information is available NS_ERROR_NOT_CONNECTED is
+ * raised.
+ */
+ readonly attribute ACString negotiatedNPN;
+
+ /**
+ * True iff the connection was resumed using the resumption token.
+ */
+ readonly attribute boolean resumed;
+
+ /**
+ * True iff the succeededCertChain is built in root.
+ */
+ readonly attribute boolean isBuiltCertChainRootBuiltInRoot;
+
+ /**
+ * The id used to uniquely identify the connection to the peer.
+ */
+ readonly attribute ACString peerId;
+};
diff --git a/security/manager/ssl/nsIX509Cert.idl b/security/manager/ssl/nsIX509Cert.idl
new file mode 100644
index 0000000000..c97dcd33f5
--- /dev/null
+++ b/security/manager/ssl/nsIX509Cert.idl
@@ -0,0 +1,200 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509CertValidity;
+interface nsICertVerificationListener;
+
+%{ C++
+namespace IPC {
+class MessageReader;
+class MessageWriter;
+}
+
+ /* forward declaration */
+ typedef struct CERTCertificateStr CERTCertificate;
+%}
+
+[ptr] native CERTCertificatePtr(CERTCertificate);
+[ptr] native IpcMessageReaderPtr(IPC::MessageReader);
+[ptr] native IpcMessageWriterPtr(IPC::MessageWriter);
+
+/**
+ * This represents a X.509 certificate.
+ *
+ * NOTE: Service workers persist x.509 certs in object form on disk. If you
+ * change this uuid you probably need a hack in nsBinaryInputStream to
+ * read the old uuid. If you change the format of the object
+ * serialization then more complex changes will be needed.
+ */
+[scriptable, builtinclass, uuid(bdc3979a-5422-4cd5-8589-696b6e96ea83)]
+interface nsIX509Cert : nsISupports {
+
+ /**
+ * The primary email address of the certificate, if present.
+ */
+ readonly attribute AString emailAddress;
+
+ /**
+ * Obtain a list of all email addresses
+ * contained in the certificate.
+ *
+ * @return An array of email addresses.
+ */
+ [must_use]
+ Array<AString> getEmailAddresses();
+
+ /**
+ * Check whether a given address is contained in the certificate.
+ * The comparison will convert the email address to lowercase.
+ * The behaviour for non ASCII characters is undefined.
+ *
+ * @param aEmailAddress The address to search for.
+ *
+ * @return True if the address is contained in the certificate.
+ */
+ [must_use]
+ boolean containsEmailAddress(in AString aEmailAddress);
+
+ /**
+ * The subject owning the certificate.
+ */
+ readonly attribute AString subjectName;
+
+ /**
+ * The subject's common name.
+ */
+ readonly attribute AString commonName;
+
+ /**
+ * The subject's organization.
+ */
+ readonly attribute AString organization;
+
+ /**
+ * The subject's organizational unit.
+ */
+ [must_use]
+ readonly attribute AString organizationalUnit;
+
+ /**
+ * The fingerprint of the certificate's DER encoding,
+ * calculated using the SHA-256 algorithm.
+ */
+ readonly attribute AString sha256Fingerprint;
+
+ /**
+ * The fingerprint of the certificate's DER encoding,
+ * calculated using the SHA1 algorithm.
+ */
+ [must_use]
+ readonly attribute AString sha1Fingerprint;
+
+ /**
+ * A human readable name identifying the hardware or
+ * software token the certificate is stored on.
+ */
+ readonly attribute AString tokenName;
+
+ /**
+ * The subject identifying the issuer certificate.
+ */
+ readonly attribute AString issuerName;
+
+ /**
+ * The serial number the issuer assigned to this certificate.
+ */
+ [must_use]
+ readonly attribute AString serialNumber;
+
+ /**
+ * The issuer subject's common name.
+ */
+ [must_use]
+ readonly attribute AString issuerCommonName;
+
+ /**
+ * The issuer subject's organization.
+ */
+ readonly attribute AString issuerOrganization;
+
+ /**
+ * The issuer subject's organizational unit.
+ */
+ [must_use]
+ readonly attribute AString issuerOrganizationUnit;
+
+ /**
+ * This certificate's validity period.
+ */
+ readonly attribute nsIX509CertValidity validity;
+
+ /**
+ * A unique identifier of this certificate within the local storage.
+ */
+ [must_use]
+ readonly attribute ACString dbKey;
+
+ /**
+ * A human readable identifier to label this certificate.
+ */
+ [must_use]
+ readonly attribute AString displayName;
+
+ /**
+ * Constants to classify the type of a certificate.
+ */
+ const unsigned long UNKNOWN_CERT = 0;
+ const unsigned long CA_CERT = 1 << 0;
+ const unsigned long USER_CERT = 1 << 1;
+ const unsigned long EMAIL_CERT = 1 << 2;
+ const unsigned long SERVER_CERT = 1 << 3;
+ const unsigned long ANY_CERT = 0xffff;
+
+ /**
+ * Type of this certificate
+ */
+ readonly attribute unsigned long certType;
+
+ /**
+ * Obtain a raw binary encoding of this certificate
+ * in DER format.
+ *
+ * @return The bytes representing the DER encoded certificate.
+ */
+ [must_use]
+ Array<octet> getRawDER();
+
+ /**
+ * Obtain a base 64 string representation of this certificate
+ * in DER format.
+ *
+ * @return The DER encoded certificate as a string.
+ */
+ [must_use]
+ ACString getBase64DERString();
+
+ /**
+ * The base64 encoding of the DER encoded public key info using the specified
+ * digest.
+ */
+ [must_use]
+ readonly attribute ACString sha256SubjectPublicKeyInfoDigest;
+
+ /**
+ * Retrieves the NSS certificate object wrapped by this interface
+ */
+ [notxpcom, noscript, must_use]
+ CERTCertificatePtr getCert();
+
+ [notxpcom, noscript]
+ void SerializeToIPC(in IpcMessageWriterPtr aWriter);
+
+ [notxpcom, noscript]
+ bool DeserializeFromIPC(in IpcMessageReaderPtr aReader);
+};
diff --git a/security/manager/ssl/nsIX509CertDB.idl b/security/manager/ssl/nsIX509CertDB.idl
new file mode 100644
index 0000000000..fe72c78f40
--- /dev/null
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -0,0 +1,351 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509Cert;
+interface nsIFile;
+interface nsIInterfaceRequestor;
+interface nsIZipReader;
+interface nsIInputStream;
+
+%{C++
+#define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
+%}
+
+typedef uint32_t AppTrustedRoot;
+
+[scriptable, function, uuid(fc2b60e5-9a07-47c2-a2cd-b83b68a660ac)]
+interface nsIOpenSignedAppFileCallback : nsISupports
+{
+ void openSignedAppFileFinished(in nsresult rv,
+ in nsIZipReader aZipReader,
+ in nsIX509Cert aSignerCert);
+};
+
+[scriptable, function, uuid(07c08655-8b11-4650-b6c4-0c145595ceb5)]
+interface nsIAsyncBoolCallback : nsISupports
+{
+ void onResult(in bool result);
+};
+
+/**
+ * Callback type for use with asyncVerifyCertAtTime.
+ * If aPRErrorCode is PRErrorCodeSuccess (i.e. 0), aVerifiedChain represents the
+ * verified certificate chain determined by asyncVerifyCertAtTime. aHasEVPolicy
+ * represents whether or not the end-entity certificate verified as EV.
+ * If aPRErrorCode is non-zero, it represents the error encountered during
+ * verification. aVerifiedChain is null in that case and aHasEVPolicy has no
+ * meaning.
+ */
+[scriptable, function, uuid(49e16fc8-efac-4f57-8361-956ef6b960a4)]
+interface nsICertVerificationCallback : nsISupports {
+ void verifyCertFinished(in int32_t aPRErrorCode,
+ in Array<nsIX509Cert> aVerifiedChain,
+ in bool aHasEVPolicy);
+};
+
+/**
+ * This represents a service to access and manipulate
+ * X.509 certificates stored in a database.
+ */
+[scriptable, uuid(5c16cd9b-5a73-47f1-ab0f-11ede7495cce)]
+interface nsIX509CertDB : nsISupports {
+
+ /**
+ * Constants that define which usages a certificate
+ * is trusted for.
+ */
+ const unsigned long UNTRUSTED = 0;
+ const unsigned long TRUSTED_SSL = 1 << 0;
+ const unsigned long TRUSTED_EMAIL = 1 << 1;
+
+ /**
+ * Will find a certificate based on its dbkey
+ * retrieved by getting the dbKey attribute of
+ * the certificate.
+ *
+ * @param aDBkey Database internal key, as obtained using
+ * attribute dbkey in nsIX509Cert.
+ */
+ [must_use]
+ nsIX509Cert findCertByDBKey(in ACString aDBkey);
+
+ /**
+ * Use this to import a stream sent down as a mime type into
+ * the certificate database on the default token.
+ * The stream may consist of one or more certificates.
+ *
+ * @param data The raw data to be imported
+ * @param length The length of the data to be imported
+ * @param type The type of the certificate, see constants in nsIX509Cert
+ * @param ctx A UI context.
+ */
+ void importCertificates([array, size_is(length)] in octet data,
+ in unsigned long length,
+ in unsigned long type,
+ in nsIInterfaceRequestor ctx);
+
+ /**
+ * Import another person's email certificate into the database.
+ *
+ * @param data The raw data to be imported
+ * @param length The length of the data to be imported
+ * @param ctx A UI context.
+ */
+ void importEmailCertificate([array, size_is(length)] in octet data,
+ in unsigned long length,
+ in nsIInterfaceRequestor ctx);
+
+ /**
+ * Import a personal certificate into the database, assuming
+ * the database already contains the private key for this certificate.
+ *
+ * @param data The raw data to be imported
+ * @param length The length of the data to be imported
+ * @param ctx A UI context.
+ */
+ void importUserCertificate([array, size_is(length)] in octet data,
+ in unsigned long length,
+ in nsIInterfaceRequestor ctx);
+
+ /**
+ * Delete a certificate stored in the database.
+ *
+ * @param aCert Delete this certificate.
+ */
+ void deleteCertificate(in nsIX509Cert aCert);
+
+ /**
+ * Modify the trust that is stored and associated to a certificate within
+ * a database. Separate trust is stored for
+ * One call manipulates the trust for one trust type only.
+ * See the trust type constants defined within this interface.
+ *
+ * @param cert Change the stored trust of this certificate.
+ * @param type The type of the certificate. See nsIX509Cert.
+ * @param trust A bitmask. The new trust for the possible usages.
+ * See the trust constants defined within this interface.
+ */
+ [must_use]
+ void setCertTrust(in nsIX509Cert cert,
+ in unsigned long type,
+ in unsigned long trust);
+
+ /**
+ * @param cert The certificate for which to modify trust.
+ * @param trustString decoded by CERT_DecodeTrustString. 3 comma separated
+ * characters, indicating SSL, Email, and Object signing
+ * trust. The object signing trust flags are effectively
+ * ignored by gecko, but they still must be specified (at
+ * least by a final trailing comma) because this argument
+ * is passed to CERT_DecodeTrustString.
+ */
+ [must_use]
+ void setCertTrustFromString(in nsIX509Cert cert, in ACString trustString);
+
+ /**
+ * Query whether a certificate is trusted for a particular use.
+ *
+ * @param cert Obtain the stored trust of this certificate.
+ * @param certType The type of the certificate. See nsIX509Cert.
+ * @param trustType A single bit from the usages constants defined
+ * within this interface.
+ *
+ * @return Returns true if the certificate is trusted for the given use.
+ */
+ [must_use]
+ boolean isCertTrusted(in nsIX509Cert cert,
+ in unsigned long certType,
+ in unsigned long trustType);
+
+ /**
+ * Import certificate(s) from file
+ *
+ * @param aFile Identifies a file that contains the certificate
+ * to be imported.
+ * @param aType Describes the type of certificate that is going to
+ * be imported. See type constants in nsIX509Cert.
+ */
+ [must_use]
+ void importCertsFromFile(in nsIFile aFile,
+ in unsigned long aType);
+
+ const uint32_t Success = 0;
+ const uint32_t ERROR_UNKNOWN = 1;
+ const uint32_t ERROR_PKCS12_NOSMARTCARD_EXPORT = 2;
+ const uint32_t ERROR_PKCS12_RESTORE_FAILED = 3;
+ const uint32_t ERROR_PKCS12_BACKUP_FAILED = 4;
+ const uint32_t ERROR_PKCS12_CERT_COLLISION = 5;
+ const uint32_t ERROR_BAD_PASSWORD = 6;
+ const uint32_t ERROR_DECODE_ERROR = 7;
+ const uint32_t ERROR_PKCS12_DUPLICATE_DATA = 8;
+
+ /**
+ * Import a PKCS#12 file containing cert(s) and key(s) into the database.
+ *
+ * @param aFile Identifies a file that contains the data to be imported.
+ * @param password The password used to protect the file.
+ * @return Success or the specific error code on failure. The return
+ * values are defined in this file.
+ */
+ [must_use]
+ uint32_t importPKCS12File(in nsIFile aFile, in AString aPassword);
+
+ /**
+ * Export a set of certs and keys from the database to a PKCS#12 file.
+ *
+ * @param aFile Identifies a file that will be filled with the data to be
+ * exported.
+ * @param count The number of certificates to be exported.
+ * @param aCerts The array of all certificates to be exported.
+ * @param password The password used to protect the file.
+ * @return Success or the specific error code on failure
+ */
+ [must_use]
+ uint32_t exportPKCS12File(in nsIFile aFile,
+ in Array<nsIX509Cert> aCerts,
+ in AString aPassword);
+
+ /*
+ * Decode a raw data presentation and instantiate an object in memory.
+ *
+ * @param base64 The raw representation of a certificate,
+ * encoded as Base 64.
+ * @return The new certificate object.
+ */
+ [must_use]
+ nsIX509Cert constructX509FromBase64(in ACString base64);
+
+ /*
+ * Decode a raw data presentation and instantiate an object in memory.
+ *
+ * @param certDER The raw representation of a certificate,
+ * encoded as raw DER.
+ * @return The new certificate object.
+ */
+ [must_use]
+ nsIX509Cert constructX509(in Array<uint8_t> certDER);
+
+ /**
+ * Verifies the signature on the given JAR file to verify that it has a
+ * valid signature. To be considered valid, there must be exactly one
+ * signature on the JAR file and that signature must have signed every
+ * entry. Further, the signature must come from a certificate that
+ * is trusted for code signing.
+ *
+ * On success, NS_OK, a nsIZipReader, and the trusted certificate that
+ * signed the JAR are returned.
+ *
+ * On failure, an error code is returned.
+ *
+ * This method returns a nsIZipReader, instead of taking an nsIZipReader
+ * as input, to encourage users of the API to verify the signature as the
+ * first step in opening the JAR.
+ */
+ // 1 used to be AppMarketplaceProdPublicRoot.
+ // 2 used to be AppMarketplaceProdReviewersRoot.
+ // 3 used to be AppMarketplaceDevPublicRoot.
+ // 4 used to be AppMarketplaceDevReviewersRoot.
+ // 5 used to be AppMarketplaceStageRoot.
+ const AppTrustedRoot AppXPCShellRoot = 6;
+ const AppTrustedRoot AddonsPublicRoot = 7;
+ const AppTrustedRoot AddonsStageRoot = 8;
+ [must_use]
+ void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
+ in nsIFile aJarFile,
+ in nsIOpenSignedAppFileCallback callback);
+
+ /*
+ * Add a cert to a cert DB from a binary string.
+ *
+ * @param certDER The raw DER encoding of a certificate.
+ * @param trust String describing the trust settings to assign the
+ * certificate. Decoded by CERT_DecodeTrustString. Consists of 3
+ * comma separated sets of characters, indicating SSL, Email, and
+ * Object signing trust. The object signing trust flags are
+ * effectively ignored by gecko, but they still must be specified
+ * (at least by a final trailing comma) because this argument is
+ * passed to CERT_DecodeTrustString.
+ * @return nsIX509Cert the resulting certificate
+ */
+ [must_use]
+ nsIX509Cert addCert(in ACString certDER, in ACString trust);
+
+ // Flags for asyncVerifyCertAtTime (these must match the values in
+ // CertVerifier.cpp):
+ // Prevent network traffic.
+ const uint32_t FLAG_LOCAL_ONLY = 1 << 0;
+ // Do not fall back to DV verification after attempting EV validation.
+ const uint32_t FLAG_MUST_BE_EV = 1 << 1;
+
+ /*
+ * Asynchronously verify a certificate given a set of parameters. Calls the
+ * `verifyCertFinished` function on the provided `nsICertVerificationCallback`
+ * with the results of the verification operation.
+ * See the documentation for nsICertVerificationCallback.
+ *
+ * @param aCert the certificate to verify
+ * @param aUsage an integer representing the usage to verify for (see
+ * SECCertificateUsage in certt.h from NSS)
+ * @param aFlags flags as described above
+ * @param aHostname the (optional) hostname to verify for
+ * @param aTime the time at which to verify, in seconds since the epoch
+ * @param aCallback the nsICertVerificationCallback that will receive the
+ results of this verification
+ * @return a succeeding nsresult if the job was dispatched successfully
+ */
+ [must_use]
+ void asyncVerifyCertAtTime(in nsIX509Cert aCert,
+ in int64_t /*SECCertificateUsage*/ aUsage,
+ in uint32_t aFlags,
+ in ACString aHostname,
+ in uint64_t aTime,
+ in nsICertVerificationCallback aCallback);
+
+ // Clears the OCSP cache for the current certificate verification
+ // implementation.
+ [must_use]
+ void clearOCSPCache();
+
+ /*
+ * Add a cert to a cert DB from a base64 encoded string.
+ *
+ * @param base64 The raw representation of a certificate, encoded as Base 64.
+ * @param trust String describing the trust settings to assign the
+ * certificate. Decoded by CERT_DecodeTrustString. Consists of 3
+ * comma separated sets of characters, indicating SSL, Email, and
+ * Object signing trust. The object signing trust flags are
+ * effectively ignored by gecko, but they still must be specified
+ * (at least by a final trailing comma) because this argument is
+ * passed to CERT_DecodeTrustString.
+ * @return nsIX509Cert the resulting certificate
+ */
+ [must_use]
+ nsIX509Cert addCertFromBase64(in ACString base64, in ACString trust);
+
+ /*
+ * Get all the known certs in the database
+ */
+ [must_use]
+ Array<nsIX509Cert> getCerts();
+
+ /**
+ * Encode the list of certificates as a PKCS#7 SignedData structure. No data
+ * is actually signed - this is merely a way of exporting a collection of
+ * certificates.
+ */
+ [must_use]
+ ACString asPKCS7Blob(in Array<nsIX509Cert> certList);
+
+ /**
+ * Iterates through all the certs and returns false if any of the trusted
+ * CA certs are not built-in roots; and true otherwise.
+ */
+ [must_use]
+ void asyncHasThirdPartyRoots(in nsIAsyncBoolCallback callback);
+};
diff --git a/security/manager/ssl/nsIX509CertValidity.idl b/security/manager/ssl/nsIX509CertValidity.idl
new file mode 100644
index 0000000000..b27e1b3847
--- /dev/null
+++ b/security/manager/ssl/nsIX509CertValidity.idl
@@ -0,0 +1,25 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+/**
+ * Information on the validity period of a X.509 certificate.
+ */
+[scriptable, uuid(e701dfd8-1dd1-11b2-a172-ffa6cc6156ad)]
+interface nsIX509CertValidity : nsISupports {
+ /**
+ * The earliest point in time where
+ * a certificate is valid.
+ */
+ readonly attribute PRTime notBefore;
+
+ /**
+ * The latest point in time where
+ * a certificate is valid.
+ */
+ readonly attribute PRTime notAfter;
+};
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
new file mode 100644
index 0000000000..c3a23213c5
--- /dev/null
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -0,0 +1,1152 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSCallbacks.h"
+
+#include "NSSSocketControl.h"
+#include "PSMRunnable.h"
+#include "ScopedNSSTypes.h"
+#include "SharedCertVerifier.h"
+#include "SharedSSLState.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/Span.h"
+#include "mozilla/SpinEventLoopUntil.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/Unused.h"
+#include "mozilla/intl/Localization.h"
+#include "nsContentUtils.h"
+#include "nsIChannel.h"
+#include "nsIHttpChannel.h"
+#include "nsIHttpChannelInternal.h"
+#include "nsIPrompt.h"
+#include "nsIProtocolProxyService.h"
+#include "nsISupportsPriority.h"
+#include "nsIStreamLoader.h"
+#include "nsIUploadChannel.h"
+#include "nsIWebProgressListener.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSCertificate.h"
+#include "nsNSSComponent.h"
+#include "nsNSSHelper.h"
+#include "nsNSSIOLayer.h"
+#include "nsNetUtil.h"
+#include "nsProxyRelease.h"
+#include "nsStringStream.h"
+#include "mozpkix/pkixtypes.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "SSLTokensCache.h"
+
+#include "TrustOverrideUtils.h"
+#include "TrustOverride-SymantecData.inc"
+#include "TrustOverride-AppleGoogleDigiCertData.inc"
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::psm;
+
+extern LazyLogModule gPIPNSSLog;
+
+namespace {
+
+// Bits in bit mask for SSL_REASONS_FOR_NOT_FALSE_STARTING telemetry probe
+// These bits are numbered so that the least subtle issues have higher values.
+// This should make it easier for us to interpret the results.
+const uint32_t POSSIBLE_VERSION_DOWNGRADE = 4;
+const uint32_t POSSIBLE_CIPHER_SUITE_DOWNGRADE = 2;
+const uint32_t KEA_NOT_SUPPORTED = 1;
+
+} // namespace
+
+class OCSPRequest final : public nsIStreamLoaderObserver, public nsIRunnable {
+ public:
+ OCSPRequest(const nsACString& aiaLocation,
+ const OriginAttributes& originAttributes,
+ const uint8_t (&ocspRequest)[OCSP_REQUEST_MAX_LENGTH],
+ size_t ocspRequestLength, TimeDuration timeout);
+
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSISTREAMLOADEROBSERVER
+ NS_DECL_NSIRUNNABLE
+
+ nsresult DispatchToMainThreadAndWait();
+ nsresult GetResponse(/*out*/ Vector<uint8_t>& response);
+
+ private:
+ ~OCSPRequest() = default;
+
+ static void OnTimeout(nsITimer* timer, void* closure);
+ nsresult NotifyDone(nsresult rv, MonitorAutoLock& proofOfLock);
+
+ // mMonitor provides the memory barrier protecting these member variables.
+ // What happens is the originating thread creates an OCSPRequest object with
+ // the information necessary to perform an OCSP request. It sends the object
+ // to the main thread and waits on the monitor for the operation to complete.
+ // On the main thread, a channel is set up to perform the request. This gets
+ // dispatched to necko. At the same time, a timeout timer is initialized. If
+ // the necko request completes, the response data is filled out, mNotifiedDone
+ // is set to true, and the monitor is notified. The original thread then wakes
+ // up and continues with the results that have been filled out. If the request
+ // times out, again the response data is filled out, mNotifiedDone is set to
+ // true, and the monitor is notified. The first of these two events wins. That
+ // is, if the timeout timer fires but the request completes shortly after, the
+ // caller will see the request as having timed out.
+ // When the request completes (i.e. OnStreamComplete runs), the timer will be
+ // cancelled. This is how we know the closure in OnTimeout is valid. If the
+ // timer fires before OnStreamComplete runs, it should be safe to not cancel
+ // the request because necko has a strong reference to it.
+ Monitor mMonitor MOZ_UNANNOTATED;
+ bool mNotifiedDone;
+ nsCOMPtr<nsIStreamLoader> mLoader;
+ const nsCString mAIALocation;
+ const OriginAttributes mOriginAttributes;
+ const mozilla::Span<const char> mPOSTData;
+ const TimeDuration mTimeout;
+ nsCOMPtr<nsITimer> mTimeoutTimer;
+ TimeStamp mStartTime;
+ nsresult mResponseResult;
+ Vector<uint8_t> mResponseBytes;
+};
+
+NS_IMPL_ISUPPORTS(OCSPRequest, nsIStreamLoaderObserver, nsIRunnable)
+
+OCSPRequest::OCSPRequest(const nsACString& aiaLocation,
+ const OriginAttributes& originAttributes,
+ const uint8_t (&ocspRequest)[OCSP_REQUEST_MAX_LENGTH],
+ size_t ocspRequestLength, TimeDuration timeout)
+ : mMonitor("OCSPRequest.mMonitor"),
+ mNotifiedDone(false),
+ mLoader(nullptr),
+ mAIALocation(aiaLocation),
+ mOriginAttributes(originAttributes),
+ mPOSTData(reinterpret_cast<const char*>(ocspRequest), ocspRequestLength),
+ mTimeout(timeout),
+ mTimeoutTimer(nullptr),
+ mResponseResult(NS_ERROR_FAILURE) {
+ MOZ_ASSERT(ocspRequestLength <= OCSP_REQUEST_MAX_LENGTH);
+}
+
+nsresult OCSPRequest::DispatchToMainThreadAndWait() {
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MonitorAutoLock lock(mMonitor);
+ nsresult rv = NS_DispatchToMainThread(this);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ while (!mNotifiedDone) {
+ lock.Wait();
+ }
+
+ TimeStamp endTime = TimeStamp::Now();
+ // CERT_VALIDATION_HTTP_REQUEST_RESULT:
+ // 0: request timed out
+ // 1: request succeeded
+ // 2: request failed
+ // 3: internal error
+ // If mStartTime was never set, we consider this an internal error.
+ // Otherwise, we managed to at least send the request.
+ if (mStartTime.IsNull()) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3);
+ } else if (mResponseResult == NS_ERROR_NET_TIMEOUT) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 0);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME, mStartTime,
+ endTime);
+ } else if (NS_SUCCEEDED(mResponseResult)) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 1);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME, mStartTime,
+ endTime);
+ } else {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 2);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME, mStartTime,
+ endTime);
+ }
+ return rv;
+}
+
+nsresult OCSPRequest::GetResponse(/*out*/ Vector<uint8_t>& response) {
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MonitorAutoLock lock(mMonitor);
+ if (!mNotifiedDone) {
+ return NS_ERROR_IN_PROGRESS;
+ }
+ if (NS_FAILED(mResponseResult)) {
+ return mResponseResult;
+ }
+ response.clear();
+ if (!response.append(mResponseBytes.begin(), mResponseBytes.length())) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ return NS_OK;
+}
+
+static constexpr auto OCSP_REQUEST_MIME_TYPE = "application/ocsp-request"_ns;
+static constexpr auto OCSP_REQUEST_METHOD = "POST"_ns;
+
+NS_IMETHODIMP
+OCSPRequest::Run() {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MonitorAutoLock lock(mMonitor);
+
+ nsCOMPtr<nsIIOService> ios = do_GetIOService();
+ if (!ios) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_NewURI(getter_AddRefs(uri), mAIALocation);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(NS_ERROR_MALFORMED_URI, lock);
+ }
+ nsAutoCString scheme;
+ rv = uri->GetScheme(scheme);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ if (!scheme.LowerCaseEqualsLiteral("http")) {
+ return NotifyDone(NS_ERROR_MALFORMED_URI, lock);
+ }
+
+ // See bug 1219935.
+ // We should not send OCSP request if the PAC is still loading.
+ nsCOMPtr<nsIProtocolProxyService> pps =
+ do_GetService(NS_PROTOCOLPROXYSERVICE_CONTRACTID, &rv);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+
+ if (pps->GetIsPACLoading()) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ nsCOMPtr<nsIChannel> channel;
+ rv = ios->NewChannel(mAIALocation, nullptr, nullptr,
+ nullptr, // aLoadingNode
+ nsContentUtils::GetSystemPrincipal(),
+ nullptr, // aTriggeringPrincipal
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,
+ nsIContentPolicy::TYPE_OTHER, getter_AddRefs(channel));
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+
+ // Security operations scheduled through normal HTTP channels are given
+ // high priority to accommodate real time OCSP transactions.
+ nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(channel);
+ if (priorityChannel) {
+ priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST);
+ }
+
+ channel->SetLoadFlags(
+ nsIRequest::LOAD_ANONYMOUS | nsIRequest::LOAD_BYPASS_CACHE |
+ nsIRequest::INHIBIT_CACHING | nsIChannel::LOAD_BYPASS_SERVICE_WORKER |
+ nsIChannel::LOAD_BYPASS_URL_CLASSIFIER);
+
+ nsCOMPtr<nsILoadInfo> loadInfo = channel->LoadInfo();
+
+ // Prevent HTTPS-Only Mode from upgrading the OCSP request.
+ uint32_t httpsOnlyStatus = loadInfo->GetHttpsOnlyStatus();
+ httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_EXEMPT;
+ loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
+
+ // allow deprecated HTTP request from SystemPrincipal
+ loadInfo->SetAllowDeprecatedSystemRequests(true);
+
+ // For OCSP requests, only the first party domain and private browsing id
+ // aspects of origin attributes are used. This means that:
+ // a) if first party isolation is enabled, OCSP requests will be isolated
+ // according to the first party domain of the original https request
+ // b) OCSP requests are shared across different containers as long as first
+ // party isolation is not enabled and none of the containers are in private
+ // browsing mode.
+ if (mOriginAttributes != OriginAttributes()) {
+ OriginAttributes attrs;
+ attrs.mFirstPartyDomain = mOriginAttributes.mFirstPartyDomain;
+ attrs.mPrivateBrowsingId = mOriginAttributes.mPrivateBrowsingId;
+
+ rv = loadInfo->SetOriginAttributes(attrs);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ }
+
+ nsCOMPtr<nsIInputStream> uploadStream;
+ rv = NS_NewByteInputStream(getter_AddRefs(uploadStream), mPOSTData,
+ NS_ASSIGNMENT_COPY);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ nsCOMPtr<nsIUploadChannel> uploadChannel(do_QueryInterface(channel));
+ if (!uploadChannel) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+ rv = uploadChannel->SetUploadStream(uploadStream, OCSP_REQUEST_MIME_TYPE, -1);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ // Do not use SPDY or HTTP3 for internal security operations. It could result
+ // in the silent upgrade to ssl, which in turn could require an SSL
+ // operation to fulfill something like an OCSP fetch, which is an
+ // endless loop.
+ nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(channel);
+ if (!internalChannel) {
+ return NotifyDone(rv, lock);
+ }
+ rv = internalChannel->SetAllowSpdy(false);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ rv = internalChannel->SetAllowHttp3(false);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ rv = internalChannel->SetIsOCSP(true);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(channel);
+ if (!hchan) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+ rv = hchan->SetAllowSTS(false);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ rv = hchan->SetRequestMethod(OCSP_REQUEST_METHOD);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+
+ rv = NS_NewStreamLoader(getter_AddRefs(mLoader), this);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+
+ rv = NS_NewTimerWithFuncCallback(
+ getter_AddRefs(mTimeoutTimer), OCSPRequest::OnTimeout, this,
+ mTimeout.ToMilliseconds(), nsITimer::TYPE_ONE_SHOT, "OCSPRequest::Run");
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ rv = hchan->AsyncOpen(this->mLoader);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ mStartTime = TimeStamp::Now();
+ return NS_OK;
+}
+
+nsresult OCSPRequest::NotifyDone(nsresult rv, MonitorAutoLock& lock) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (mNotifiedDone) {
+ return mResponseResult;
+ }
+ mLoader = nullptr;
+ mResponseResult = rv;
+ if (mTimeoutTimer) {
+ Unused << mTimeoutTimer->Cancel();
+ }
+ mNotifiedDone = true;
+ lock.Notify();
+ return rv;
+}
+
+NS_IMETHODIMP
+OCSPRequest::OnStreamComplete(nsIStreamLoader* aLoader, nsISupports* aContext,
+ nsresult aStatus, uint32_t responseLen,
+ const uint8_t* responseBytes) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MonitorAutoLock lock(mMonitor);
+
+ nsCOMPtr<nsIRequest> req;
+ nsresult rv = aLoader->GetRequest(getter_AddRefs(req));
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+
+ if (NS_FAILED(aStatus)) {
+ return NotifyDone(aStatus, lock);
+ }
+
+ nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(req);
+ if (!hchan) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ bool requestSucceeded;
+ rv = hchan->GetRequestSucceeded(&requestSucceeded);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ if (!requestSucceeded) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ unsigned int rcode;
+ rv = hchan->GetResponseStatus(&rcode);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ if (rcode != 200) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ mResponseBytes.clear();
+ if (!mResponseBytes.append(responseBytes, responseLen)) {
+ return NotifyDone(NS_ERROR_OUT_OF_MEMORY, lock);
+ }
+ mResponseResult = aStatus;
+
+ return NotifyDone(NS_OK, lock);
+}
+
+void OCSPRequest::OnTimeout(nsITimer* timer, void* closure) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return;
+ }
+
+ // We know the OCSPRequest is still alive because if the request had completed
+ // (i.e. OnStreamComplete ran), the timer would have been cancelled in
+ // NotifyDone.
+ OCSPRequest* self = static_cast<OCSPRequest*>(closure);
+ MonitorAutoLock lock(self->mMonitor);
+ self->mTimeoutTimer = nullptr;
+ self->NotifyDone(NS_ERROR_NET_TIMEOUT, lock);
+}
+
+mozilla::pkix::Result DoOCSPRequest(
+ const nsCString& aiaLocation, const OriginAttributes& originAttributes,
+ uint8_t (&ocspRequest)[OCSP_REQUEST_MAX_LENGTH], size_t ocspRequestLength,
+ TimeDuration timeout, /*out*/ Vector<uint8_t>& result) {
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return mozilla::pkix::Result::ERROR_OCSP_UNKNOWN_CERT;
+ }
+
+ if (ocspRequestLength > OCSP_REQUEST_MAX_LENGTH) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+
+ result.clear();
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("DoOCSPRequest to '%s'", aiaLocation.get()));
+
+ nsCOMPtr<nsIEventTarget> sts =
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID);
+ MOZ_ASSERT(sts);
+ if (!sts) {
+ return mozilla::pkix::Result::FATAL_ERROR_INVALID_STATE;
+ }
+ bool onSTSThread;
+ nsresult rv = sts->IsOnCurrentThread(&onSTSThread);
+ if (NS_FAILED(rv)) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ MOZ_ASSERT(!onSTSThread);
+ if (onSTSThread) {
+ return mozilla::pkix::Result::FATAL_ERROR_INVALID_STATE;
+ }
+
+ RefPtr<OCSPRequest> request(new OCSPRequest(
+ aiaLocation, originAttributes, ocspRequest, ocspRequestLength, timeout));
+ rv = request->DispatchToMainThreadAndWait();
+ if (NS_FAILED(rv)) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ rv = request->GetResponse(result);
+ if (NS_FAILED(rv)) {
+ if (rv == NS_ERROR_MALFORMED_URI) {
+ return mozilla::pkix::Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+ }
+ return mozilla::pkix::Result::ERROR_OCSP_SERVER_ERROR;
+ }
+ return Success;
+}
+
+static char* ShowProtectedAuthPrompt(PK11SlotInfo* slot, nsIPrompt* prompt) {
+ MOZ_ASSERT(NS_IsMainThread());
+ MOZ_ASSERT(slot);
+ MOZ_ASSERT(prompt);
+ if (!NS_IsMainThread() || !slot || !prompt) {
+ return nullptr;
+ }
+
+ // Dispatch a background task to (eventually) call C_Login. The call will
+ // block until the protected authentication succeeds or fails.
+ Atomic<bool> done;
+ Atomic<SECStatus> result;
+ nsresult rv =
+ NS_DispatchBackgroundTask(NS_NewRunnableFunction(__func__, [&]() mutable {
+ result = PK11_CheckUserPassword(slot, nullptr);
+ done = true;
+ }));
+ if (NS_FAILED(rv)) {
+ return nullptr;
+ }
+
+ nsTArray<nsCString> resIds = {
+ "security/pippki/pippki.ftl"_ns,
+ };
+ RefPtr<mozilla::intl::Localization> l10n =
+ mozilla::intl::Localization::Create(resIds, true);
+ auto l10nId = "protected-auth-alert"_ns;
+ auto l10nArgs = mozilla::dom::Optional<intl::L10nArgs>();
+ l10nArgs.Construct();
+ auto dirArg = l10nArgs.Value().Entries().AppendElement();
+ dirArg->mKey = "tokenName"_ns;
+ dirArg->mValue.SetValue().SetAsUTF8String().Assign(PK11_GetTokenName(slot));
+ nsAutoCString promptString;
+ ErrorResult errorResult;
+ l10n->FormatValueSync(l10nId, l10nArgs, promptString, errorResult);
+ if (NS_FAILED(errorResult.StealNSResult())) {
+ return nullptr;
+ }
+ rv = prompt->Alert(nullptr, NS_ConvertUTF8toUTF16(promptString).get());
+ if (NS_FAILED(rv)) {
+ return nullptr;
+ }
+
+ MOZ_ALWAYS_TRUE(SpinEventLoopUntil(
+ "ShowProtectedAuthPrompt"_ns, [&]() { return static_cast<bool>(done); }));
+
+ switch (result) {
+ case SECSuccess:
+ return ToNewCString(nsDependentCString(PK11_PW_AUTHENTICATED));
+ case SECWouldBlock:
+ return ToNewCString(nsDependentCString(PK11_PW_RETRY));
+ default:
+ return nullptr;
+ }
+}
+
+class PK11PasswordPromptRunnable : public SyncRunnableBase {
+ public:
+ PK11PasswordPromptRunnable(PK11SlotInfo* slot, nsIInterfaceRequestor* ir)
+ : mResult(nullptr), mSlot(slot), mIR(ir) {}
+ virtual ~PK11PasswordPromptRunnable() = default;
+
+ char* mResult; // out
+ virtual void RunOnTargetThread() override;
+
+ private:
+ static bool mRunning;
+
+ PK11SlotInfo* mSlot;
+ nsIInterfaceRequestor* mIR;
+};
+
+bool PK11PasswordPromptRunnable::mRunning = false;
+
+void PK11PasswordPromptRunnable::RunOnTargetThread() {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return;
+ }
+
+ // If we've reentered due to the nested event loop implicit in using
+ // nsIPrompt synchronously (or indeed the explicit nested event loop in the
+ // protected authentication case), bail early, cancelling the password
+ // prompt. This will probably cause the operation that resulted in the prompt
+ // to fail, but this is better than littering the screen with a bunch of
+ // password prompts that the user will probably just cancel anyway.
+ if (mRunning) {
+ return;
+ }
+ mRunning = true;
+ auto setRunningToFalseOnExit = MakeScopeExit([&]() { mRunning = false; });
+
+ nsresult rv;
+ nsCOMPtr<nsIPrompt> prompt;
+ if (!mIR) {
+ rv = nsNSSComponent::GetNewPrompter(getter_AddRefs(prompt));
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ } else {
+ prompt = do_GetInterface(mIR);
+ MOZ_ASSERT(prompt, "Interface requestor should implement nsIPrompt");
+ }
+
+ if (!prompt) {
+ return;
+ }
+
+ if (PK11_ProtectedAuthenticationPath(mSlot)) {
+ mResult = ShowProtectedAuthPrompt(mSlot, prompt);
+ return;
+ }
+
+ nsAutoString promptString;
+ if (PK11_IsInternal(mSlot)) {
+ rv = GetPIPNSSBundleString("CertPasswordPromptDefault", promptString);
+ } else {
+ AutoTArray<nsString, 1> formatStrings = {
+ NS_ConvertUTF8toUTF16(PK11_GetTokenName(mSlot))};
+ rv = PIPBundleFormatStringFromName("CertPasswordPrompt", formatStrings,
+ promptString);
+ }
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ nsString password;
+ bool userClickedOK = false;
+ rv = prompt->PromptPassword(nullptr, promptString.get(),
+ getter_Copies(password), &userClickedOK);
+ if (NS_FAILED(rv) || !userClickedOK) {
+ return;
+ }
+
+ mResult = ToNewUTF8String(password);
+}
+
+char* PK11PasswordPrompt(PK11SlotInfo* slot, PRBool /*retry*/, void* arg) {
+ if (!slot) {
+ return nullptr;
+ }
+ RefPtr<PK11PasswordPromptRunnable> runnable(new PK11PasswordPromptRunnable(
+ slot, static_cast<nsIInterfaceRequestor*>(arg)));
+ runnable->DispatchToMainThreadAndWait();
+ return runnable->mResult;
+}
+
+nsCString getKeaGroupName(uint32_t aKeaGroup) {
+ nsCString groupName;
+ switch (aKeaGroup) {
+ case ssl_grp_ec_secp256r1:
+ groupName = "P256"_ns;
+ break;
+ case ssl_grp_ec_secp384r1:
+ groupName = "P384"_ns;
+ break;
+ case ssl_grp_ec_secp521r1:
+ groupName = "P521"_ns;
+ break;
+ case ssl_grp_ec_curve25519:
+ groupName = "x25519"_ns;
+ break;
+ case ssl_grp_kem_xyber768d00:
+ groupName = "xyber768d00"_ns;
+ break;
+ case ssl_grp_ffdhe_2048:
+ groupName = "FF 2048"_ns;
+ break;
+ case ssl_grp_ffdhe_3072:
+ groupName = "FF 3072"_ns;
+ break;
+ case ssl_grp_none:
+ groupName = "none"_ns;
+ break;
+ case ssl_grp_ffdhe_custom:
+ groupName = "custom"_ns;
+ break;
+ // All other groups are not enabled in Firefox. See namedGroups in
+ // nsNSSIOLayer.cpp.
+ default:
+ // This really shouldn't happen!
+ MOZ_ASSERT_UNREACHABLE("Invalid key exchange group.");
+ groupName = "unknown group"_ns;
+ }
+ return groupName;
+}
+
+nsCString getSignatureName(uint32_t aSignatureScheme) {
+ nsCString signatureName;
+ switch (aSignatureScheme) {
+ case ssl_sig_none:
+ signatureName = "none"_ns;
+ break;
+ case ssl_sig_rsa_pkcs1_sha1:
+ signatureName = "RSA-PKCS1-SHA1"_ns;
+ break;
+ case ssl_sig_rsa_pkcs1_sha256:
+ signatureName = "RSA-PKCS1-SHA256"_ns;
+ break;
+ case ssl_sig_rsa_pkcs1_sha384:
+ signatureName = "RSA-PKCS1-SHA384"_ns;
+ break;
+ case ssl_sig_rsa_pkcs1_sha512:
+ signatureName = "RSA-PKCS1-SHA512"_ns;
+ break;
+ case ssl_sig_ecdsa_secp256r1_sha256:
+ signatureName = "ECDSA-P256-SHA256"_ns;
+ break;
+ case ssl_sig_ecdsa_secp384r1_sha384:
+ signatureName = "ECDSA-P384-SHA384"_ns;
+ break;
+ case ssl_sig_ecdsa_secp521r1_sha512:
+ signatureName = "ECDSA-P521-SHA512"_ns;
+ break;
+ case ssl_sig_rsa_pss_sha256:
+ signatureName = "RSA-PSS-SHA256"_ns;
+ break;
+ case ssl_sig_rsa_pss_sha384:
+ signatureName = "RSA-PSS-SHA384"_ns;
+ break;
+ case ssl_sig_rsa_pss_sha512:
+ signatureName = "RSA-PSS-SHA512"_ns;
+ break;
+ case ssl_sig_ecdsa_sha1:
+ signatureName = "ECDSA-SHA1"_ns;
+ break;
+ case ssl_sig_rsa_pkcs1_sha1md5:
+ signatureName = "RSA-PKCS1-SHA1MD5"_ns;
+ break;
+ // All other groups are not enabled in Firefox. See sEnabledSignatureSchemes
+ // in nsNSSIOLayer.cpp.
+ default:
+ // This really shouldn't happen!
+ MOZ_ASSERT_UNREACHABLE("Invalid signature scheme.");
+ signatureName = "unknown signature"_ns;
+ }
+ return signatureName;
+}
+
+static void PreliminaryHandshakeDone(PRFileDesc* fd) {
+ NSSSocketControl* socketControl = (NSSSocketControl*)fd->higher->secret;
+ if (!socketControl) {
+ return;
+ }
+ if (socketControl->IsPreliminaryHandshakeDone()) {
+ return;
+ }
+
+ SSLChannelInfo channelInfo;
+ if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) != SECSuccess) {
+ return;
+ }
+ SSLCipherSuiteInfo cipherInfo;
+ if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
+ sizeof(cipherInfo)) != SECSuccess) {
+ return;
+ }
+ socketControl->SetPreliminaryHandshakeInfo(channelInfo, cipherInfo);
+ socketControl->SetSSLVersionUsed(channelInfo.protocolVersion);
+ socketControl->SetEarlyDataAccepted(channelInfo.earlyDataAccepted);
+ socketControl->SetKEAUsed(channelInfo.keaType);
+ socketControl->SetKEAKeyBits(channelInfo.keaKeyBits);
+ socketControl->SetMACAlgorithmUsed(cipherInfo.macAlgorithm);
+
+ // Get the NPN value.
+ SSLNextProtoState state;
+ unsigned char npnbuf[256];
+ unsigned int npnlen;
+
+ if (SSL_GetNextProto(fd, &state, npnbuf, &npnlen,
+ AssertedCast<unsigned int>(ArrayLength(npnbuf))) ==
+ SECSuccess) {
+ if (state == SSL_NEXT_PROTO_NEGOTIATED ||
+ state == SSL_NEXT_PROTO_SELECTED) {
+ socketControl->SetNegotiatedNPN(
+ BitwiseCast<char*, unsigned char*>(npnbuf), npnlen);
+ } else {
+ socketControl->SetNegotiatedNPN(nullptr, 0);
+ }
+ mozilla::Telemetry::Accumulate(Telemetry::SSL_NPN_TYPE, state);
+ } else {
+ socketControl->SetNegotiatedNPN(nullptr, 0);
+ }
+
+ socketControl->SetPreliminaryHandshakeDone();
+}
+
+SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data,
+ PRBool* canFalseStart) {
+ *canFalseStart = false;
+
+ NSSSocketControl* infoObject = (NSSSocketControl*)fd->higher->secret;
+ if (!infoObject) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ infoObject->SetFalseStartCallbackCalled();
+
+ PreliminaryHandshakeDone(fd);
+
+ uint32_t reasonsForNotFalseStarting = 0;
+
+ SSLChannelInfo channelInfo;
+ if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) != SECSuccess) {
+ return SECSuccess;
+ }
+
+ SSLCipherSuiteInfo cipherInfo;
+ if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
+ sizeof(cipherInfo)) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("CanFalseStartCallback [%p] failed - "
+ " KEA %d\n",
+ fd, static_cast<int32_t>(channelInfo.keaType)));
+ return SECSuccess;
+ }
+
+ // Prevent version downgrade attacks from TLS 1.2, and avoid False Start for
+ // TLS 1.3 and later. See Bug 861310 for all the details as to why.
+ if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_2) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("CanFalseStartCallback [%p] failed - "
+ "SSL Version must be TLS 1.2, was %x\n",
+ fd, static_cast<int32_t>(channelInfo.protocolVersion)));
+ reasonsForNotFalseStarting |= POSSIBLE_VERSION_DOWNGRADE;
+ }
+
+ // See bug 952863 for why ECDHE is allowed, but DHE (and RSA) are not.
+ // Also note that ecdh_hybrid groups are not supported in TLS 1.2 and are out
+ // of scope.
+ if (channelInfo.keaType != ssl_kea_ecdh) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("CanFalseStartCallback [%p] failed - "
+ "unsupported KEA %d\n",
+ fd, static_cast<int32_t>(channelInfo.keaType)));
+ reasonsForNotFalseStarting |= KEA_NOT_SUPPORTED;
+ }
+
+ // Prevent downgrade attacks on the symmetric cipher. We do not allow CBC
+ // mode due to BEAST, POODLE, and other attacks on the MAC-then-Encrypt
+ // design. See bug 1109766 for more details.
+ if (cipherInfo.macAlgorithm != ssl_mac_aead) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("CanFalseStartCallback [%p] failed - non-AEAD cipher used, %d, "
+ "is not supported with False Start.\n",
+ fd, static_cast<int32_t>(cipherInfo.symCipher)));
+ reasonsForNotFalseStarting |= POSSIBLE_CIPHER_SUITE_DOWNGRADE;
+ }
+
+ // XXX: An attacker can choose which protocols are advertised in the
+ // NPN extension. TODO(Bug 861311): We should restrict the ability
+ // of an attacker leverage this capability by restricting false start
+ // to the same protocol we previously saw for the server, after the
+ // first successful connection to the server.
+
+ Telemetry::Accumulate(Telemetry::SSL_REASONS_FOR_NOT_FALSE_STARTING,
+ reasonsForNotFalseStarting);
+
+ if (reasonsForNotFalseStarting == 0) {
+ *canFalseStart = PR_TRUE;
+ infoObject->SetFalseStarted();
+ infoObject->NoteTimeUntilReady();
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("CanFalseStartCallback [%p] ok\n", fd));
+ }
+
+ return SECSuccess;
+}
+
+static void AccumulateNonECCKeySize(Telemetry::HistogramID probe,
+ uint32_t bits) {
+ unsigned int value = bits < 512 ? 1
+ : bits == 512 ? 2
+ : bits < 768 ? 3
+ : bits == 768 ? 4
+ : bits < 1024 ? 5
+ : bits == 1024 ? 6
+ : bits < 1280 ? 7
+ : bits == 1280 ? 8
+ : bits < 1536 ? 9
+ : bits == 1536 ? 10
+ : bits < 2048 ? 11
+ : bits == 2048 ? 12
+ : bits < 3072 ? 13
+ : bits == 3072 ? 14
+ : bits < 4096 ? 15
+ : bits == 4096 ? 16
+ : bits < 8192 ? 17
+ : bits == 8192 ? 18
+ : bits < 16384 ? 19
+ : bits == 16384 ? 20
+ : 0;
+ Telemetry::Accumulate(probe, value);
+}
+
+// XXX: This attempts to map a bit count to an ECC named curve identifier. In
+// the vast majority of situations, we only have the Suite B curves available.
+// In that case, this mapping works fine. If we were to have more curves
+// available, the mapping would be ambiguous since there could be multiple
+// named curves for a given size (e.g. secp256k1 vs. secp256r1). We punt on
+// that for now. See also NSS bug 323674.
+static void AccumulateECCCurve(Telemetry::HistogramID probe, uint32_t bits) {
+ unsigned int value = bits == 255 ? 29 // Curve25519
+ : bits == 256 ? 23 // P-256
+ : bits == 384 ? 24 // P-384
+ : bits == 521 ? 25 // P-521
+ : 0; // Unknown
+ Telemetry::Accumulate(probe, value);
+}
+
+static void AccumulateCipherSuite(const SSLChannelInfo& channelInfo) {
+ uint32_t value;
+ // Note: this list must include every cipher suite it is possible to enable
+ // in nsNSSComponent.cpp (see sCipherPrefs and sDeprecatedTLS1CipherPrefs).
+ switch (channelInfo.cipherSuite) {
+ case TLS_RSA_WITH_3DES_EDE_CBC_SHA: // 0x000A
+ value = 1;
+ break;
+ case TLS_RSA_WITH_AES_128_CBC_SHA: // 0x002F
+ value = 2;
+ break;
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: // 0x0033
+ value = 3;
+ break;
+ case TLS_RSA_WITH_AES_256_CBC_SHA: // 0x0035
+ value = 4;
+ break;
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: // 0x0039
+ value = 5;
+ break;
+ case TLS_RSA_WITH_AES_128_GCM_SHA256: // 0x009C
+ value = 6;
+ break;
+ case TLS_RSA_WITH_AES_256_GCM_SHA384: // 0x009D
+ value = 7;
+ break;
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: // 0xC009
+ value = 8;
+ break;
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: // 0xC00A
+ value = 9;
+ break;
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: // 0xC013
+ value = 10;
+ break;
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: // 0xC014
+ value = 11;
+ break;
+ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: // 0xC02B
+ value = 12;
+ break;
+ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: // 0xC02C
+ value = 13;
+ break;
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: // 0xC02F
+ value = 14;
+ break;
+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: // 0xC030
+ value = 15;
+ break;
+ case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: // 0xCCA8
+ value = 16;
+ break;
+ case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: // 0xCCA9
+ value = 17;
+ break;
+
+ // TLS 1.3 cipher suites
+ case TLS_AES_128_GCM_SHA256: // 0x1301
+ value = 18;
+ break;
+ case TLS_AES_256_GCM_SHA384: // 0x1302
+ value = 19;
+ break;
+ case TLS_CHACHA20_POLY1305_SHA256: // 0x1303
+ value = 20;
+ break;
+
+ // unknown
+ default:
+ value = 0;
+ break;
+ }
+ MOZ_ASSERT(value != 0);
+ Telemetry::Accumulate(Telemetry::TLS_CIPHER_SUITE, value);
+}
+
+void HandshakeCallback(PRFileDesc* fd, void* client_data) {
+ // Do the bookkeeping that needs to be done after the
+ // server's ServerHello...ServerHelloDone have been processed, but that
+ // doesn't need the handshake to be completed.
+ PreliminaryHandshakeDone(fd);
+
+ NSSSocketControl* infoObject = (NSSSocketControl*)fd->higher->secret;
+ nsSSLIOLayerHelpers& ioLayerHelpers =
+ infoObject->SharedState().IOLayerHelpers();
+
+ SSLVersionRange versions(infoObject->GetTLSVersionRange());
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] HandshakeCallback: succeeded using TLS version range "
+ "(0x%04x,0x%04x)\n",
+ fd, static_cast<unsigned int>(versions.min),
+ static_cast<unsigned int>(versions.max)));
+
+ // If the handshake completed, then we know the site is TLS tolerant
+ ioLayerHelpers.rememberTolerantAtVersion(infoObject->GetHostName(),
+ infoObject->GetPort(), versions.max);
+
+ SSLChannelInfo channelInfo;
+ SECStatus rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
+ MOZ_ASSERT(rv == SECSuccess);
+ if (rv != SECSuccess) {
+ return;
+ }
+ AccumulateCipherSuite(channelInfo);
+
+ // Get the protocol version for telemetry
+ // 1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3
+ unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;
+ MOZ_ASSERT(versionEnum > 0);
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_VERSION, versionEnum);
+
+ SSLCipherSuiteInfo cipherInfo;
+ rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
+ sizeof cipherInfo);
+ MOZ_ASSERT(rv == SECSuccess);
+ if (rv != SECSuccess) {
+ return;
+ }
+ // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4, ecdh_hybrid=8
+ Telemetry::Accumulate(infoObject->IsFullHandshake()
+ ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL
+ : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED,
+ channelInfo.keaType);
+
+ if (infoObject->IsFullHandshake()) {
+ switch (channelInfo.keaType) {
+ case ssl_kea_rsa:
+ AccumulateNonECCKeySize(Telemetry::SSL_KEA_RSA_KEY_SIZE_FULL,
+ channelInfo.keaKeyBits);
+ break;
+ case ssl_kea_dh:
+ AccumulateNonECCKeySize(Telemetry::SSL_KEA_DHE_KEY_SIZE_FULL,
+ channelInfo.keaKeyBits);
+ break;
+ case ssl_kea_ecdh:
+ AccumulateECCCurve(Telemetry::SSL_KEA_ECDHE_CURVE_FULL,
+ channelInfo.keaKeyBits);
+ break;
+ case ssl_kea_ecdh_hybrid:
+ // Bug 1874963: Add probes for Xyber768d00
+ break;
+ default:
+ MOZ_CRASH("impossible KEA");
+ break;
+ }
+
+ Telemetry::Accumulate(Telemetry::SSL_AUTH_ALGORITHM_FULL,
+ channelInfo.authType);
+
+ // RSA key exchange doesn't use a signature for auth.
+ if (channelInfo.keaType != ssl_kea_rsa) {
+ switch (channelInfo.authType) {
+ case ssl_auth_rsa:
+ case ssl_auth_rsa_sign:
+ AccumulateNonECCKeySize(Telemetry::SSL_AUTH_RSA_KEY_SIZE_FULL,
+ channelInfo.authKeyBits);
+ break;
+ case ssl_auth_ecdsa:
+ AccumulateECCCurve(Telemetry::SSL_AUTH_ECDSA_CURVE_FULL,
+ channelInfo.authKeyBits);
+ break;
+ default:
+ MOZ_CRASH("impossible auth algorithm");
+ break;
+ }
+ }
+ }
+
+ PRBool siteSupportsSafeRenego;
+ if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_3) {
+ rv = SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn,
+ &siteSupportsSafeRenego);
+ MOZ_ASSERT(rv == SECSuccess);
+ if (rv != SECSuccess) {
+ siteSupportsSafeRenego = false;
+ }
+ } else {
+ // TLS 1.3 dropped support for renegotiation.
+ siteSupportsSafeRenego = true;
+ }
+ bool renegotiationUnsafe = !siteSupportsSafeRenego &&
+ ioLayerHelpers.treatUnsafeNegotiationAsBroken();
+
+ bool deprecatedTlsVer =
+ (channelInfo.protocolVersion < SSL_LIBRARY_VERSION_TLS_1_2);
+
+ uint32_t state;
+ if (renegotiationUnsafe || deprecatedTlsVer) {
+ state = nsIWebProgressListener::STATE_IS_BROKEN;
+ } else {
+ state = nsIWebProgressListener::STATE_IS_SECURE;
+ SSLVersionRange defVersion;
+ rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion);
+ if (rv == SECSuccess && versions.max >= defVersion.max) {
+ // we know this site no longer requires a version fallback
+ ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
+ infoObject->GetPort());
+ }
+ }
+
+ if (infoObject->HasServerCert()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("HandshakeCallback KEEPING existing cert\n"));
+ } else {
+ infoObject->RebuildCertificateInfoFromSSLTokenCache();
+ }
+
+ // Check if the user has added an override for a certificate error.
+ if (infoObject->HasUserOverriddenCertificateError()) {
+ state |= nsIWebProgressListener::STATE_CERT_USER_OVERRIDDEN;
+ }
+
+ infoObject->SetSecurityState(state);
+
+ // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
+ // we should set a flag on the channel that higher (UI) level code can check
+ // to log the warning. In particular, these warnings should go to the web
+ // console instead of to the error console. Also, the warning is not
+ // localized.
+ if (!siteSupportsSafeRenego) {
+ NS_ConvertASCIItoUTF16 msg(infoObject->GetHostName());
+ msg.AppendLiteral(" : server does not support RFC 5746, see CVE-2009-3555");
+
+ nsContentUtils::LogSimpleConsoleError(
+ msg, "SSL"_ns, !!infoObject->GetOriginAttributes().mPrivateBrowsingId,
+ true /* from chrome context */);
+ }
+
+ infoObject->NoteTimeUntilReady();
+ infoObject->SetHandshakeCompleted();
+}
+
+void SecretCallback(PRFileDesc* fd, PRUint16 epoch, SSLSecretDirection dir,
+ PK11SymKey* secret, void* arg) {
+ // arg must be set to an NSSSocketControl* in SSL_SecretCallback
+ MOZ_ASSERT(arg);
+ NSSSocketControl* infoObject = (NSSSocketControl*)arg;
+ if (epoch == 2 && dir == ssl_secret_read) {
+ // |secret| is the server_handshake_traffic_secret. Set a flag to indicate
+ // that the Server Hello has been processed successfully. We use this when
+ // deciding whether to retry a connection in which a Xyber share was sent.
+ infoObject->SetHasTls13HandshakeSecrets();
+ }
+}
diff --git a/security/manager/ssl/nsNSSCallbacks.h b/security/manager/ssl/nsNSSCallbacks.h
new file mode 100644
index 0000000000..f8fdbdb5ed
--- /dev/null
+++ b/security/manager/ssl/nsNSSCallbacks.h
@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSCallbacks_h
+#define nsNSSCallbacks_h
+
+#include "mozilla/Attributes.h"
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/TimeStamp.h"
+#include "mozilla/Vector.h"
+#include "nspr.h"
+#include "nsString.h"
+#include "pk11func.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixtypes.h"
+#include "nsIX509Cert.h"
+#include "ssl.h"
+
+using mozilla::OriginAttributes;
+using mozilla::TimeDuration;
+using mozilla::Vector;
+
+class nsILoadGroup;
+
+char* PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg);
+
+void HandshakeCallback(PRFileDesc* fd, void* client_data);
+void SecretCallback(PRFileDesc* fd, PRUint16 epoch, SSLSecretDirection dir,
+ PK11SymKey* secret, void* arg);
+SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data,
+ PRBool* canFalseStart);
+
+mozilla::pkix::Result DoOCSPRequest(
+ const nsCString& aiaLocation, const OriginAttributes& originAttributes,
+ uint8_t (&ocspRequest)[mozilla::pkix::OCSP_REQUEST_MAX_LENGTH],
+ size_t ocspRequestLength, TimeDuration timeout,
+ /*out*/ Vector<uint8_t>& result);
+
+nsCString getKeaGroupName(uint32_t aKeaGroup);
+nsCString getSignatureName(uint32_t aSignatureScheme);
+
+#endif // nsNSSCallbacks_h
diff --git a/security/manager/ssl/nsNSSCertHelper.cpp b/security/manager/ssl/nsNSSCertHelper.cpp
new file mode 100644
index 0000000000..2a21400cb6
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertHelper.cpp
@@ -0,0 +1,99 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSCertHelper.h"
+
+#include <algorithm>
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Casting.h"
+#include "mozilla/NotNull.h"
+#include "mozilla/Sprintf.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Utf8.h"
+#include "mozilla/net/DNS.h"
+#include "nsCOMPtr.h"
+#include "nsIStringBundle.h"
+#include "nsNSSCertificate.h"
+#include "nsReadableUtils.h"
+#include "nsServiceManagerUtils.h"
+#include "nsThreadUtils.h"
+#include "prerror.h"
+#include "prnetdb.h"
+#include "secder.h"
+
+using namespace mozilla;
+
+// To avoid relying on localized strings in PSM, we hard-code the root module
+// name internally. When we display it to the user in the list of modules in the
+// front-end, we look up the localized value and display that instead of this.
+const char* kRootModuleName = "Builtin Roots Module";
+const size_t kRootModuleNameLen = strlen(kRootModuleName);
+
+static nsresult GetPIPNSSBundle(nsIStringBundle** pipnssBundle) {
+ nsCOMPtr<nsIStringBundleService> bundleService(
+ do_GetService(NS_STRINGBUNDLE_CONTRACTID));
+ if (!bundleService) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ return bundleService->CreateBundle("chrome://pipnss/locale/pipnss.properties",
+ pipnssBundle);
+}
+
+nsresult GetPIPNSSBundleString(const char* stringName, nsAString& result) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ MOZ_ASSERT(stringName);
+ if (!stringName) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ nsCOMPtr<nsIStringBundle> pipnssBundle;
+ nsresult rv = GetPIPNSSBundle(getter_AddRefs(pipnssBundle));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ result.Truncate();
+ return pipnssBundle->GetStringFromName(stringName, result);
+}
+
+nsresult GetPIPNSSBundleString(const char* stringName, nsACString& result) {
+ nsAutoString tmp;
+ nsresult rv = GetPIPNSSBundleString(stringName, tmp);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ result.Assign(NS_ConvertUTF16toUTF8(tmp));
+ return NS_OK;
+}
+
+nsresult PIPBundleFormatStringFromName(const char* stringName,
+ const nsTArray<nsString>& params,
+ nsAString& result) {
+ MOZ_ASSERT(stringName);
+ MOZ_ASSERT(!params.IsEmpty());
+ if (!stringName || params.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ nsCOMPtr<nsIStringBundle> pipnssBundle;
+ nsresult rv = GetPIPNSSBundle(getter_AddRefs(pipnssBundle));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ result.Truncate();
+ return pipnssBundle->FormatStringFromName(stringName, params, result);
+}
+
+void LossyUTF8ToUTF16(const char* str, uint32_t len,
+ /*out*/ nsAString& result) {
+ auto span = Span(str, len);
+ if (IsUtf8(span)) {
+ CopyUTF8toUTF16(span, result);
+ } else {
+ // Actually Latin1 despite ASCII in the legacy name
+ CopyASCIItoUTF16(span, result);
+ }
+}
diff --git a/security/manager/ssl/nsNSSCertHelper.h b/security/manager/ssl/nsNSSCertHelper.h
new file mode 100644
index 0000000000..453e2e21eb
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertHelper.h
@@ -0,0 +1,31 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSCertHelper_h
+#define nsNSSCertHelper_h
+
+#ifndef INET6_ADDRSTRLEN
+# define INET6_ADDRSTRLEN 46
+#endif
+
+#include "certt.h"
+#include "nsString.h"
+
+extern const char* kRootModuleName;
+extern const size_t kRootModuleNameLen;
+
+class nsIX509Cert;
+
+// If input is valid UTF-8, converts from UTF-8 to UTF-16. Otherwise,
+// converts from Latin1 to UTF-16.
+void LossyUTF8ToUTF16(const char* str, uint32_t len, /*out*/ nsAString& result);
+
+// Must be used on the main thread only.
+nsresult GetPIPNSSBundleString(const char* stringName, nsAString& result);
+nsresult GetPIPNSSBundleString(const char* stringName, nsACString& result);
+nsresult PIPBundleFormatStringFromName(const char* stringName,
+ const nsTArray<nsString>& params,
+ nsAString& result);
+
+#endif // nsNSSCertHelper_h
diff --git a/security/manager/ssl/nsNSSCertTrust.cpp b/security/manager/ssl/nsNSSCertTrust.cpp
new file mode 100644
index 0000000000..f5855c92c6
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertTrust.cpp
@@ -0,0 +1,121 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSCertTrust.h"
+
+#include "certdb.h"
+
+void nsNSSCertTrust::AddCATrust(bool ssl, bool email) {
+ if (ssl) {
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
+ }
+ if (email) {
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
+ }
+}
+
+void nsNSSCertTrust::AddPeerTrust(bool ssl, bool email) {
+ if (ssl) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
+ if (email) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
+}
+
+nsNSSCertTrust::nsNSSCertTrust() { memset(&mTrust, 0, sizeof(CERTCertTrust)); }
+
+nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, unsigned int email) {
+ memset(&mTrust, 0, sizeof(CERTCertTrust));
+ addTrust(&mTrust.sslFlags, ssl);
+ addTrust(&mTrust.emailFlags, email);
+}
+
+nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust* t) {
+ if (t)
+ memcpy(&mTrust, t, sizeof(CERTCertTrust));
+ else
+ memset(&mTrust, 0, sizeof(CERTCertTrust));
+}
+
+nsNSSCertTrust::~nsNSSCertTrust() = default;
+
+void nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer, bool ca, bool tCA,
+ bool tClientCA, bool user, bool warn) {
+ mTrust.sslFlags = 0;
+ if (peer || tPeer) addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD);
+ if (tPeer) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
+ if (ca || tCA) addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
+ if (tClientCA) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
+ if (tCA) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
+ if (user) addTrust(&mTrust.sslFlags, CERTDB_USER);
+ if (warn) addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
+}
+
+void nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer, bool ca, bool tCA,
+ bool tClientCA, bool user, bool warn) {
+ mTrust.emailFlags = 0;
+ if (peer || tPeer) addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD);
+ if (tPeer) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
+ if (ca || tCA) addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
+ if (tClientCA) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
+ if (tCA) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
+ if (user) addTrust(&mTrust.emailFlags, CERTDB_USER);
+ if (warn) addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
+}
+
+void nsNSSCertTrust::SetValidCA() {
+ SetSSLTrust(false, false, true, false, false, false, false);
+ SetEmailTrust(false, false, true, false, false, false, false);
+}
+
+void nsNSSCertTrust::SetValidPeer() {
+ SetSSLTrust(true, false, false, false, false, false, false);
+ SetEmailTrust(true, false, false, false, false, false, false);
+}
+
+bool nsNSSCertTrust::HasAnyCA() {
+ if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
+ hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
+ hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
+ return true;
+ return false;
+}
+
+bool nsNSSCertTrust::HasPeer(bool checkSSL, bool checkEmail) {
+ if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
+ return false;
+ if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
+ return false;
+ return true;
+}
+
+bool nsNSSCertTrust::HasAnyUser() {
+ if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
+ hasTrust(mTrust.emailFlags, CERTDB_USER) ||
+ hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
+ return true;
+ return false;
+}
+
+bool nsNSSCertTrust::HasTrustedCA(bool checkSSL, bool checkEmail) {
+ if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
+ hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
+ return false;
+ if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
+ hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
+ return false;
+ return true;
+}
+
+bool nsNSSCertTrust::HasTrustedPeer(bool checkSSL, bool checkEmail) {
+ if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED))) return false;
+ if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
+ return false;
+ return true;
+}
+
+void nsNSSCertTrust::addTrust(unsigned int* t, unsigned int v) { *t |= v; }
+
+bool nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v) {
+ return !!(t & v);
+}
diff --git a/security/manager/ssl/nsNSSCertTrust.h b/security/manager/ssl/nsNSSCertTrust.h
new file mode 100644
index 0000000000..3f05d28993
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertTrust.h
@@ -0,0 +1,55 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSCertTrust_h
+#define nsNSSCertTrust_h
+
+#include "certt.h"
+
+/*
+ * Class for maintaining trust flags for an NSS certificate.
+ */
+class nsNSSCertTrust {
+ public:
+ nsNSSCertTrust();
+ nsNSSCertTrust(unsigned int ssl, unsigned int email);
+ explicit nsNSSCertTrust(CERTCertTrust* t);
+ virtual ~nsNSSCertTrust();
+
+ /* query */
+ bool HasAnyCA();
+ bool HasAnyUser();
+ bool HasPeer(bool checkSSL = true, bool checkEmail = true);
+ bool HasTrustedCA(bool checkSSL = true, bool checkEmail = true);
+ bool HasTrustedPeer(bool checkSSL = true, bool checkEmail = true);
+
+ /* common defaults */
+ /* equivalent to "c,c,c" */
+ void SetValidCA();
+ /* equivalent to "p,p,p" */
+ void SetValidPeer();
+
+ /* general setters */
+ /* read: "p, P, c, C, T, u, w" */
+ void SetSSLTrust(bool peer, bool tPeer, bool ca, bool tCA, bool tClientCA,
+ bool user, bool warn);
+
+ void SetEmailTrust(bool peer, bool tPeer, bool ca, bool tCA, bool tClientCA,
+ bool user, bool warn);
+
+ /* set c <--> CT */
+ void AddCATrust(bool ssl, bool email);
+ /* set p <--> P */
+ void AddPeerTrust(bool ssl, bool email);
+
+ CERTCertTrust& GetTrust() { return mTrust; }
+
+ private:
+ void addTrust(unsigned int* t, unsigned int v);
+ void removeTrust(unsigned int* t, unsigned int v);
+ bool hasTrust(unsigned int t, unsigned int v);
+ CERTCertTrust mTrust;
+};
+
+#endif // nsNSSCertTrust_h
diff --git a/security/manager/ssl/nsNSSCertificate.cpp b/security/manager/ssl/nsNSSCertificate.cpp
new file mode 100644
index 0000000000..d0413c0340
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -0,0 +1,686 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSCertificate.h"
+
+#include "CertVerifier.h"
+#include "ExtendedValidation.h"
+#include "NSSCertDBTrustDomain.h"
+#include "X509CertValidity.h"
+#include "certdb.h"
+#include "ipc/IPCMessageUtils.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Casting.h"
+#include "mozilla/NotNull.h"
+#include "mozilla/Span.h"
+#include "mozilla/TextUtils.h"
+#include "mozilla/Unused.h"
+#include "mozilla/ipc/TransportSecurityInfoUtils.h"
+#include "mozilla/ipc/IPDLParamTraits.h"
+#include "mozilla/net/DNS.h"
+#include "mozpkix/Result.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixutil.h"
+#include "nsArray.h"
+#include "nsCOMPtr.h"
+#include "nsIClassInfoImpl.h"
+#include "nsIObjectInputStream.h"
+#include "nsIObjectOutputStream.h"
+#include "nsIX509Cert.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSCertTrust.h"
+#include "nsPK11TokenDB.h"
+#include "nsPKCS12Blob.h"
+#include "nsProxyRelease.h"
+#include "nsReadableUtils.h"
+#include "nsString.h"
+#include "nsThreadUtils.h"
+#include "nsUnicharUtils.h"
+#include "nspr.h"
+#include "prerror.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secerr.h"
+#include "ssl.h"
+
+#ifdef XP_WIN
+# include <winsock.h> // for htonl
+#endif
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+extern LazyLogModule gPIPNSSLog;
+
+NS_IMPL_ISUPPORTS(nsNSSCertificate, nsIX509Cert, nsISerializable, nsIClassInfo)
+
+nsNSSCertificate::nsNSSCertificate() : mCert("nsNSSCertificate::mCert") {}
+
+nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert)
+ : mCert("nsNSSCertificate::mCert") {
+ if (cert) {
+ mDER.AppendElements(cert->derCert.data, cert->derCert.len);
+ auto lock = mCert.Lock();
+ auto& maybeCert = lock.ref();
+ maybeCert.emplace(UniqueCERTCertificate(CERT_DupCertificate(cert)));
+ }
+}
+
+nsNSSCertificate::nsNSSCertificate(nsTArray<uint8_t>&& der)
+ : mDER(std::move(der)), mCert("nsNSSCertificate::mCert") {}
+
+UniqueCERTCertificate nsNSSCertificate::GetOrInstantiateCert() {
+ auto lock = mCert.Lock();
+ auto& maybeCert = lock.ref();
+ if (maybeCert.isSome()) {
+ return UniqueCERTCertificate(CERT_DupCertificate((*maybeCert).get()));
+ }
+
+ if (!EnsureNSSInitializedChromeOrContent()) {
+ return nullptr;
+ }
+
+ SECItem derItem = {siBuffer, mDER.Elements(),
+ static_cast<unsigned int>(mDER.Length())};
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &derItem, nullptr, false, true));
+ if (!cert) {
+ return nullptr;
+ }
+ maybeCert.emplace(std::move(cert));
+
+ return UniqueCERTCertificate(CERT_DupCertificate((*maybeCert).get()));
+}
+
+nsresult nsNSSCertificate::GetCertType(uint32_t* aCertType) {
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ CERTCertTrust certTrust{0, 0, 0};
+ // If there is no stored trust information, CERT_GetCertTrust will return
+ // SECFailure. This isn't a failure. In this case, all trust bits will remain
+ // unset.
+ Unused << CERT_GetCertTrust(cert.get(), &certTrust);
+ nsNSSCertTrust trust(&certTrust);
+ if (cert->nickname && trust.HasAnyUser()) {
+ *aCertType = nsIX509Cert::USER_CERT;
+ return NS_OK;
+ }
+ if (trust.HasAnyCA()) {
+ *aCertType = nsIX509Cert::CA_CERT;
+ return NS_OK;
+ }
+ if (trust.HasPeer(true, false)) {
+ *aCertType = nsIX509Cert::SERVER_CERT;
+ return NS_OK;
+ }
+ if (trust.HasPeer(false, true) && cert->emailAddr) {
+ *aCertType = nsIX509Cert::EMAIL_CERT;
+ return NS_OK;
+ }
+ if (CERT_IsCACert(cert.get(), nullptr)) {
+ *aCertType = nsIX509Cert::CA_CERT;
+ return NS_OK;
+ }
+ if (cert->emailAddr) {
+ *aCertType = nsIX509Cert::EMAIL_CERT;
+ return NS_OK;
+ }
+ *aCertType = nsIX509Cert::UNKNOWN_CERT;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetDbKey(nsACString& aDbKey) {
+ static_assert(sizeof(uint64_t) == 8, "type size consistency check");
+ static_assert(sizeof(uint32_t) == 4, "type size consistency check");
+
+ pkix::Input certInput;
+ pkix::Result result = certInput.Init(mDER.Elements(), mDER.Length());
+ if (result != pkix::Result::Success) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ // NB: since we're not building a trust path, the endEntityOrCA parameter is
+ // irrelevant.
+ pkix::BackCert cert(certInput, pkix::EndEntityOrCA::MustBeEndEntity, nullptr);
+ result = cert.Init();
+ if (result != pkix::Result::Success) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ // The format of the key is the base64 encoding of the following:
+ // 4 bytes: {0, 0, 0, 0} (this was intended to be the module ID, but it was
+ // never implemented)
+ // 4 bytes: {0, 0, 0, 0} (this was intended to be the slot ID, but it was
+ // never implemented)
+ // 4 bytes: <serial number length in big-endian order>
+ // 4 bytes: <DER-encoded issuer distinguished name length in big-endian order>
+ // n bytes: <bytes of serial number>
+ // m bytes: <DER-encoded issuer distinguished name>
+ nsAutoCString buf;
+ const char leadingZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};
+ buf.Append(leadingZeroes, sizeof(leadingZeroes));
+ uint32_t serialNumberLen = htonl(cert.GetSerialNumber().GetLength());
+ buf.Append(BitwiseCast<const char*, const uint32_t*>(&serialNumberLen),
+ sizeof(uint32_t));
+ uint32_t issuerLen = htonl(cert.GetIssuer().GetLength());
+ buf.Append(BitwiseCast<const char*, const uint32_t*>(&issuerLen),
+ sizeof(uint32_t));
+ buf.Append(BitwiseCast<const char*, const unsigned char*>(
+ cert.GetSerialNumber().UnsafeGetData()),
+ cert.GetSerialNumber().GetLength());
+ buf.Append(BitwiseCast<const char*, const unsigned char*>(
+ cert.GetIssuer().UnsafeGetData()),
+ cert.GetIssuer().GetLength());
+
+ return Base64Encode(buf, aDbKey);
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetDisplayName(nsAString& aDisplayName) {
+ aDisplayName.Truncate();
+
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+
+ UniquePORTString commonName(CERT_GetCommonName(&cert->subject));
+ UniquePORTString organizationalUnitName(CERT_GetOrgUnitName(&cert->subject));
+ UniquePORTString organizationName(CERT_GetOrgName(&cert->subject));
+
+ // Only use the nickname for built-in roots where we already have a hard-coded
+ // reasonable display name (unfortunately we have to strip off the leading
+ // slot identifier followed by a ':'). Otherwise, attempt to use the following
+ // in order:
+ // - the common name, if present
+ // - an organizational unit name, if present
+ // - an organization name, if present
+ // - the entire subject distinguished name, if non-empty
+ // - an email address, if one can be found
+ // In the unlikely event that none of these fields are present and non-empty
+ // (the subject really shouldn't be empty), an empty string is returned.
+ nsAutoCString builtInRootNickname;
+ nsAutoCString fullNickname(cert->nickname);
+ static const nsLiteralCString kBuiltinObjectTokenPrefix =
+ "Builtin Object Token:"_ns;
+ if (StringBeginsWith(fullNickname, kBuiltinObjectTokenPrefix)) {
+ // Substring will gracefully handle the case where index is the last
+ // character in the string (that is, if the nickname is just
+ // "Builtin Object Token:"). In that case, we'll get an empty string.
+ builtInRootNickname =
+ Substring(fullNickname, kBuiltinObjectTokenPrefix.Length());
+ }
+ const char* nameOptions[] = {builtInRootNickname.get(),
+ commonName.get(),
+ organizationalUnitName.get(),
+ organizationName.get(),
+ cert->subjectName,
+ cert->emailAddr};
+
+ for (auto nameOption : nameOptions) {
+ if (nameOption) {
+ size_t len = strlen(nameOption);
+ if (len > 0) {
+ LossyUTF8ToUTF16(nameOption, len, aDisplayName);
+ return NS_OK;
+ }
+ }
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetEmailAddress(nsAString& aEmailAddress) {
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ if (cert->emailAddr) {
+ CopyUTF8toUTF16(MakeStringSpan(cert->emailAddr), aEmailAddress);
+ } else {
+ GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetEmailAddresses(nsTArray<nsString>& aAddresses) {
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ uint32_t length = 0;
+ for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr;
+ aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) {
+ ++(length);
+ }
+
+ aAddresses.SetCapacity(length);
+
+ for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr;
+ aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) {
+ CopyASCIItoUTF16(MakeStringSpan(aAddr), *aAddresses.AppendElement());
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::ContainsEmailAddress(const nsAString& aEmailAddress,
+ bool* result) {
+ NS_ENSURE_ARG(result);
+ *result = false;
+
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr;
+ aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) {
+ nsAutoString certAddr;
+ LossyUTF8ToUTF16(aAddr, strlen(aAddr), certAddr);
+ ToLowerCase(certAddr);
+
+ nsAutoString testAddr(aEmailAddress);
+ ToLowerCase(testAddr);
+
+ if (certAddr == testAddr) {
+ *result = true;
+ break;
+ }
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetCommonName(nsAString& aCommonName) {
+ aCommonName.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePORTString commonName(CERT_GetCommonName(&cert->subject));
+ if (commonName) {
+ LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetOrganization(nsAString& aOrganization) {
+ aOrganization.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePORTString organization(CERT_GetOrgName(&cert->subject));
+ if (organization) {
+ LossyUTF8ToUTF16(organization.get(), strlen(organization.get()),
+ aOrganization);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetIssuerCommonName(nsAString& aCommonName) {
+ aCommonName.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePORTString commonName(CERT_GetCommonName(&cert->issuer));
+ if (commonName) {
+ LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetIssuerOrganization(nsAString& aOrganization) {
+ aOrganization.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePORTString organization(CERT_GetOrgName(&cert->issuer));
+ if (organization) {
+ LossyUTF8ToUTF16(organization.get(), strlen(organization.get()),
+ aOrganization);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetIssuerOrganizationUnit(nsAString& aOrganizationUnit) {
+ aOrganizationUnit.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePORTString organizationUnit(CERT_GetOrgUnitName(&cert->issuer));
+ if (organizationUnit) {
+ LossyUTF8ToUTF16(organizationUnit.get(), strlen(organizationUnit.get()),
+ aOrganizationUnit);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit) {
+ aOrganizationalUnit.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePORTString orgunit(CERT_GetOrgUnitName(&cert->subject));
+ if (orgunit) {
+ LossyUTF8ToUTF16(orgunit.get(), strlen(orgunit.get()), aOrganizationalUnit);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetSubjectName(nsAString& _subjectName) {
+ _subjectName.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ if (cert->subjectName) {
+ LossyUTF8ToUTF16(cert->subjectName, strlen(cert->subjectName),
+ _subjectName);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetIssuerName(nsAString& _issuerName) {
+ _issuerName.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ if (cert->issuerName) {
+ LossyUTF8ToUTF16(cert->issuerName, strlen(cert->issuerName), _issuerName);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber) {
+ _serialNumber.Truncate();
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePORTString tmpstr(
+ CERT_Hexify(&cert->serialNumber, true /* use colon delimiters */));
+ if (tmpstr) {
+ _serialNumber = NS_ConvertASCIItoUTF16(tmpstr.get());
+ return NS_OK;
+ }
+ return NS_ERROR_FAILURE;
+}
+
+nsresult nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint,
+ SECOidTag aHashAlg) {
+ aFingerprint.Truncate();
+
+ if (!EnsureNSSInitializedChromeOrContent()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ nsTArray<uint8_t> digestArray;
+ nsresult rv =
+ Digest::DigestBuf(aHashAlg, mDER.Elements(), mDER.Length(), digestArray);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ SECItem digestItem = {siBuffer, digestArray.Elements(),
+ static_cast<unsigned int>(digestArray.Length())};
+
+ UniquePORTString fpStr(
+ CERT_Hexify(&digestItem, true /* use colon delimiters */));
+ if (!fpStr) {
+ return NS_ERROR_FAILURE;
+ }
+
+ aFingerprint.AssignASCII(fpStr.get());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetSha256Fingerprint(nsAString& aSha256Fingerprint) {
+ return GetCertificateHash(aSha256Fingerprint, SEC_OID_SHA256);
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint) {
+ return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1);
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetTokenName(nsAString& aTokenName) {
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+ UniquePK11SlotInfo internalSlot(PK11_GetInternalSlot());
+ if (!internalSlot) {
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsIPK11Token> token(
+ new nsPK11Token(cert->slot ? cert->slot : internalSlot.get()));
+ nsAutoCString tmp;
+ nsresult rv = token->GetTokenName(tmp);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ aTokenName.Assign(NS_ConvertUTF8toUTF16(tmp));
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest(
+ nsACString& aSha256SPKIDigest) {
+ aSha256SPKIDigest.Truncate();
+
+ if (!EnsureNSSInitializedChromeOrContent()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ pkix::Input certInput;
+ pkix::Result result = certInput.Init(mDER.Elements(), mDER.Length());
+ if (result != pkix::Result::Success) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ // NB: since we're not building a trust path, the endEntityOrCA parameter is
+ // irrelevant.
+ pkix::BackCert cert(certInput, pkix::EndEntityOrCA::MustBeEndEntity, nullptr);
+ result = cert.Init();
+ if (result != pkix::Result::Success) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ pkix::Input derPublicKey = cert.GetSubjectPublicKeyInfo();
+ nsTArray<uint8_t> digestArray;
+ nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, derPublicKey.UnsafeGetData(),
+ derPublicKey.GetLength(), digestArray);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = Base64Encode(nsDependentCSubstring(
+ reinterpret_cast<const char*>(digestArray.Elements()),
+ digestArray.Length()),
+ aSha256SPKIDigest);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetRawDER(nsTArray<uint8_t>& aArray) {
+ aArray.SetLength(mDER.Length());
+ memcpy(aArray.Elements(), mDER.Elements(), mDER.Length());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetBase64DERString(nsACString& base64DERString) {
+ nsDependentCSubstring derString(
+ reinterpret_cast<const char*>(mDER.Elements()), mDER.Length());
+ nsresult rv = Base64Encode(derString, base64DERString);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return NS_OK;
+}
+
+CERTCertificate* nsNSSCertificate::GetCert() {
+ UniqueCERTCertificate cert(GetOrInstantiateCert());
+ return cert.release(); // caller takes ownership
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetValidity(nsIX509CertValidity** aValidity) {
+ NS_ENSURE_ARG(aValidity);
+ pkix::Input certInput;
+ pkix::Result rv = certInput.Init(mDER.Elements(), mDER.Length());
+ if (rv != pkix::Success) {
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsIX509CertValidity> validity = new X509CertValidity(certInput);
+ validity.forget(aValidity);
+ return NS_OK;
+}
+
+// NB: Any updates (except disk-only fields) must be kept in sync with
+// |SerializeToIPC|.
+NS_IMETHODIMP
+nsNSSCertificate::Write(nsIObjectOutputStream* aStream) {
+ // This field used to be the cached EV status, but it is no longer necessary.
+ nsresult rv = aStream->Write32(0);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = aStream->Write32(mDER.Length());
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return aStream->WriteBytes(Span(mDER));
+}
+
+// NB: Any updates (except disk-only fields) must be kept in sync with
+// |DeserializeFromIPC|.
+NS_IMETHODIMP
+nsNSSCertificate::Read(nsIObjectInputStream* aStream) {
+ auto lock = mCert.Lock();
+ auto& maybeCert = lock.ref();
+ if (!mDER.IsEmpty() || maybeCert.isSome()) {
+ return NS_ERROR_ALREADY_INITIALIZED;
+ }
+
+ // This field is no longer used.
+ uint32_t unusedCachedEVStatus;
+ nsresult rv = aStream->Read32(&unusedCachedEVStatus);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ uint32_t len;
+ rv = aStream->Read32(&len);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = aStream->ReadByteArray(len, mDER);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return NS_OK;
+}
+
+void nsNSSCertificate::SerializeToIPC(IPC::MessageWriter* aWriter) {
+ bool hasCert = !mDER.IsEmpty();
+ WriteParam(aWriter, hasCert);
+
+ if (!hasCert) {
+ return;
+ }
+
+ WriteParam(aWriter, mDER);
+}
+
+bool nsNSSCertificate::DeserializeFromIPC(IPC::MessageReader* aReader) {
+ auto lock = mCert.Lock();
+ auto& maybeCert = lock.ref();
+ if (!mDER.IsEmpty() || maybeCert.isSome()) {
+ return false;
+ }
+
+ bool hasCert = false;
+ if (!ReadParam(aReader, &hasCert)) {
+ return false;
+ }
+
+ if (!hasCert) {
+ return true;
+ }
+
+ if (!ReadParam(aReader, &mDER)) {
+ return false;
+ }
+ return true;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetInterfaces(nsTArray<nsIID>& array) {
+ array.Clear();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetScriptableHelper(nsIXPCScriptable** _retval) {
+ *_retval = nullptr;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetContractID(nsACString& aContractID) {
+ aContractID.SetIsVoid(true);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetClassDescription(nsACString& aClassDescription) {
+ aClassDescription.SetIsVoid(true);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetClassID(nsCID** aClassID) {
+ *aClassID = (nsCID*)moz_xmalloc(sizeof(nsCID));
+ return GetClassIDNoAlloc(*aClassID);
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetFlags(uint32_t* aFlags) {
+ *aFlags = nsIClassInfo::THREADSAFE;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetClassIDNoAlloc(nsCID* aClassIDNoAlloc) {
+ static NS_DEFINE_CID(kNSSCertificateCID, NS_X509CERT_CID);
+
+ *aClassIDNoAlloc = kNSSCertificateCID;
+ return NS_OK;
+}
diff --git a/security/manager/ssl/nsNSSCertificate.h b/security/manager/ssl/nsNSSCertificate.h
new file mode 100644
index 0000000000..cec7331c6b
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertificate.h
@@ -0,0 +1,50 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSCertificate_h
+#define nsNSSCertificate_h
+
+#include "ScopedNSSTypes.h"
+#include "certt.h"
+#include "mozilla/DataMutex.h"
+#include "mozilla/Maybe.h"
+#include "nsCOMPtr.h"
+#include "nsIClassInfo.h"
+#include "nsISerializable.h"
+#include "nsIX509Cert.h"
+#include "nsStringFwd.h"
+
+class nsNSSCertificate final : public nsIX509Cert,
+ public nsISerializable,
+ public nsIClassInfo {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIX509CERT
+ NS_DECL_NSISERIALIZABLE
+ NS_DECL_NSICLASSINFO
+
+ nsNSSCertificate();
+ explicit nsNSSCertificate(CERTCertificate* cert);
+ explicit nsNSSCertificate(nsTArray<uint8_t>&& der);
+
+ private:
+ virtual ~nsNSSCertificate() = default;
+ nsresult GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg);
+ mozilla::UniqueCERTCertificate GetOrInstantiateCert();
+
+ nsTArray<uint8_t> mDER;
+ // There may be multiple threads running when mCert is actually instantiated,
+ // so it must be protected by a mutex.
+ mozilla::DataMutex<mozilla::Maybe<mozilla::UniqueCERTCertificate>> mCert;
+};
+
+#define NS_X509CERT_CID \
+ { /* 660a3226-915c-4ffb-bb20-8985a632df05 */ \
+ 0x660a3226, 0x915c, 0x4ffb, { \
+ 0xbb, 0x20, 0x89, 0x85, 0xa6, 0x32, 0xdf, 0x05 \
+ } \
+ }
+
+#endif // nsNSSCertificate_h
diff --git a/security/manager/ssl/nsNSSCertificateDB.cpp b/security/manager/ssl/nsNSSCertificateDB.cpp
new file mode 100644
index 0000000000..fc3caf29b5
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -0,0 +1,1375 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSCertificateDB.h"
+
+#include "CertVerifier.h"
+#include "CryptoTask.h"
+#include "ExtendedValidation.h"
+#include "NSSCertDBTrustDomain.h"
+#include "SharedSSLState.h"
+#include "certdb.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Services.h"
+#include "mozilla/Unused.h"
+#include "mozpkix/Time.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixtypes.h"
+#include "nsArray.h"
+#include "nsArrayUtils.h"
+#include "nsCOMPtr.h"
+#include "nsComponentManagerUtils.h"
+#include "nsICertificateDialogs.h"
+#include "nsIFile.h"
+#include "nsIMutableArray.h"
+#include "nsIObserverService.h"
+#include "nsIPrompt.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSCertTrust.h"
+#include "nsNSSCertificate.h"
+#include "nsNSSComponent.h"
+#include "nsNSSHelper.h"
+#include "nsPKCS12Blob.h"
+#include "nsPromiseFlatString.h"
+#include "nsProxyRelease.h"
+#include "nsReadableUtils.h"
+#include "nsThreadUtils.h"
+#include "nspr.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secerr.h"
+#include "ssl.h"
+
+#ifdef XP_WIN
+# include <winsock.h> // for ntohl
+#endif
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+extern LazyLogModule gPIPNSSLog;
+
+NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB)
+
+NS_IMETHODIMP
+nsNSSCertificateDB::FindCertByDBKey(const nsACString& aDBKey,
+ /*out*/ nsIX509Cert** _cert) {
+ NS_ENSURE_ARG_POINTER(_cert);
+ *_cert = nullptr;
+
+ if (aDBKey.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ UniqueCERTCertificate cert;
+ rv = FindCertByDBKey(aDBKey, cert);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // If we can't find the certificate, that's not an error. Just return null.
+ if (!cert) {
+ return NS_OK;
+ }
+ nsCOMPtr<nsIX509Cert> nssCert = new nsNSSCertificate(cert.get());
+ nssCert.forget(_cert);
+ return NS_OK;
+}
+
+nsresult nsNSSCertificateDB::FindCertByDBKey(const nsACString& aDBKey,
+ UniqueCERTCertificate& cert) {
+ static_assert(sizeof(uint64_t) == 8, "type size sanity check");
+ static_assert(sizeof(uint32_t) == 4, "type size sanity check");
+ // (From nsNSSCertificate::GetDbKey)
+ // The format of the key is the base64 encoding of the following:
+ // 4 bytes: {0, 0, 0, 0} (this was intended to be the module ID, but it was
+ // never implemented)
+ // 4 bytes: {0, 0, 0, 0} (this was intended to be the slot ID, but it was
+ // never implemented)
+ // 4 bytes: <serial number length in big-endian order>
+ // 4 bytes: <DER-encoded issuer distinguished name length in big-endian order>
+ // n bytes: <bytes of serial number>
+ // m bytes: <DER-encoded issuer distinguished name>
+ nsAutoCString decoded;
+ nsAutoCString tmpDBKey(aDBKey);
+ // Filter out any whitespace for backwards compatibility.
+ tmpDBKey.StripWhitespace();
+ nsresult rv = Base64Decode(tmpDBKey, decoded);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (decoded.Length() < 16) {
+ return NS_ERROR_ILLEGAL_INPUT;
+ }
+ const char* reader = decoded.BeginReading();
+ uint64_t zeroes = *BitwiseCast<const uint64_t*, const char*>(reader);
+ if (zeroes != 0) {
+ return NS_ERROR_ILLEGAL_INPUT;
+ }
+ reader += sizeof(uint64_t);
+ // Note: We surround the ntohl() argument with parentheses to stop the macro
+ // from thinking two arguments were passed.
+ uint32_t serialNumberLen =
+ ntohl((*BitwiseCast<const uint32_t*, const char*>(reader)));
+ reader += sizeof(uint32_t);
+ uint32_t issuerLen =
+ ntohl((*BitwiseCast<const uint32_t*, const char*>(reader)));
+ reader += sizeof(uint32_t);
+ if (decoded.Length() != 16ULL + serialNumberLen + issuerLen) {
+ return NS_ERROR_ILLEGAL_INPUT;
+ }
+ CERTIssuerAndSN issuerSN;
+ issuerSN.serialNumber.len = serialNumberLen;
+ issuerSN.serialNumber.data = BitwiseCast<unsigned char*, const char*>(reader);
+ reader += serialNumberLen;
+ issuerSN.derIssuer.len = issuerLen;
+ issuerSN.derIssuer.data = BitwiseCast<unsigned char*, const char*>(reader);
+ reader += issuerLen;
+ MOZ_ASSERT(reader == decoded.EndReading());
+
+ cert.reset(CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerSN));
+ return NS_OK;
+}
+
+SECStatus collect_certs(void* arg, SECItem** certs, int numcerts) {
+ nsTArray<nsTArray<uint8_t>>* certsArray =
+ reinterpret_cast<nsTArray<nsTArray<uint8_t>>*>(arg);
+
+ while (numcerts--) {
+ nsTArray<uint8_t> certArray;
+ SECItem* cert = *certs;
+ certArray.AppendElements(cert->data, cert->len);
+ certsArray->AppendElement(std::move(certArray));
+ certs++;
+ }
+ return (SECSuccess);
+}
+
+nsresult nsNSSCertificateDB::getCertsFromPackage(
+ nsTArray<nsTArray<uint8_t>>& collectArgs, uint8_t* data, uint32_t length) {
+ if (CERT_DecodeCertPackage(BitwiseCast<char*, uint8_t*>(data), length,
+ collect_certs, &collectArgs) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+// When using the sql-backed softoken, trust settings are authenticated using a
+// key in the secret database. Thus, if the user has a password, we need to
+// authenticate to the token in order to be able to change trust settings.
+SECStatus ChangeCertTrustWithPossibleAuthentication(
+ const UniqueCERTCertificate& cert, CERTCertTrust& trust, void* ctx) {
+ MOZ_ASSERT(cert, "cert must be non-null");
+ if (!cert) {
+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+ return SECFailure;
+ }
+ // NSS ignores the first argument to CERT_ChangeCertTrust
+ SECStatus srv = CERT_ChangeCertTrust(nullptr, cert.get(), &trust);
+ if (srv == SECSuccess || PR_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
+ return srv;
+ }
+ if (cert->slot) {
+ // If this certificate is on an external PKCS#11 token, we have to
+ // authenticate to that token.
+ srv = PK11_Authenticate(cert->slot, PR_TRUE, ctx);
+ } else {
+ // Otherwise, the certificate is on the internal module.
+ UniquePK11SlotInfo internalSlot(PK11_GetInternalKeySlot());
+ srv = PK11_Authenticate(internalSlot.get(), PR_TRUE, ctx);
+ }
+ if (srv != SECSuccess) {
+ return srv;
+ }
+ return CERT_ChangeCertTrust(nullptr, cert.get(), &trust);
+}
+
+static nsresult ImportCertsIntoPermanentStorage(
+ const UniqueCERTCertList& certChain) {
+ bool encounteredFailure = false;
+ PRErrorCode savedErrorCode = 0;
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain);
+ !CERT_LIST_END(chainNode, certChain);
+ chainNode = CERT_LIST_NEXT(chainNode)) {
+ UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert));
+ SECStatus srv = PK11_ImportCert(slot.get(), chainNode->cert,
+ CK_INVALID_HANDLE, nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ encounteredFailure = true;
+ savedErrorCode = PR_GetError();
+ }
+ }
+
+ if (encounteredFailure) {
+ return GetXPCOMFromNSSError(savedErrorCode);
+ }
+
+ return NS_OK;
+}
+
+nsresult nsNSSCertificateDB::handleCACertDownload(NotNull<nsIArray*> x509Certs,
+ nsIInterfaceRequestor* ctx) {
+ // First thing we have to do is figure out which certificate we're
+ // gonna present to the user. The CA may have sent down a list of
+ // certs which may or may not be a chained list of certs. Until
+ // the day we can design some solid UI for the general case, we'll
+ // code to the > 90% case. That case is where a CA sends down a
+ // list that is a hierarchy whose root is either the first or
+ // the last cert. What we're gonna do is compare the first
+ // 2 entries, if the second was signed by the first, we assume
+ // the root cert is the first cert and display it. Otherwise,
+ // we compare the last 2 entries, if the second to last cert was
+ // signed by the last cert, then we assume the last cert is the
+ // root and display it.
+
+ uint32_t numCerts;
+
+ x509Certs->GetLength(&numCerts);
+
+ if (numCerts == 0) return NS_OK; // Nothing to import, so nothing to do.
+
+ nsCOMPtr<nsIX509Cert> certToShow;
+ uint32_t selCertIndex;
+ if (numCerts == 1) {
+ // There's only one cert, so let's show it.
+ selCertIndex = 0;
+ certToShow = do_QueryElementAt(x509Certs, selCertIndex);
+ } else {
+ nsCOMPtr<nsIX509Cert> cert0; // first cert
+ nsCOMPtr<nsIX509Cert> cert1; // second cert
+ nsCOMPtr<nsIX509Cert> certn_2; // second to last cert
+ nsCOMPtr<nsIX509Cert> certn_1; // last cert
+
+ cert0 = do_QueryElementAt(x509Certs, 0);
+ cert1 = do_QueryElementAt(x509Certs, 1);
+ certn_2 = do_QueryElementAt(x509Certs, numCerts - 2);
+ certn_1 = do_QueryElementAt(x509Certs, numCerts - 1);
+
+ nsAutoString cert0SubjectName;
+ nsAutoString cert1IssuerName;
+ nsAutoString certn_2IssuerName;
+ nsAutoString certn_1SubjectName;
+
+ cert0->GetSubjectName(cert0SubjectName);
+ cert1->GetIssuerName(cert1IssuerName);
+ certn_2->GetIssuerName(certn_2IssuerName);
+ certn_1->GetSubjectName(certn_1SubjectName);
+
+ if (cert1IssuerName.Equals(cert0SubjectName)) {
+ // In this case, the first cert in the list signed the second,
+ // so the first cert is the root. Let's display it.
+ selCertIndex = 0;
+ certToShow = cert0;
+ } else if (certn_2IssuerName.Equals(certn_1SubjectName)) {
+ // In this case the last cert has signed the second to last cert.
+ // The last cert is the root, so let's display it.
+ selCertIndex = numCerts - 1;
+ certToShow = certn_1;
+ } else {
+ // It's not a chain, so let's just show the first one in the
+ // downloaded list.
+ selCertIndex = 0;
+ certToShow = cert0;
+ }
+ }
+
+ if (!certToShow) return NS_ERROR_FAILURE;
+
+ nsCOMPtr<nsICertificateDialogs> dialogs;
+ nsresult rv = ::getNSSDialogs(getter_AddRefs(dialogs),
+ NS_GET_IID(nsICertificateDialogs),
+ NS_CERTIFICATEDIALOGS_CONTRACTID);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ UniqueCERTCertificate tmpCert(certToShow->GetCert());
+ if (!tmpCert) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (!CERT_IsCACert(tmpCert.get(), nullptr)) {
+ DisplayCertificateAlert(ctx, "NotACACert", certToShow);
+ return NS_ERROR_FAILURE;
+ }
+
+ if (tmpCert->isperm) {
+ DisplayCertificateAlert(ctx, "CaCertExists", certToShow);
+ return NS_ERROR_FAILURE;
+ }
+
+ uint32_t trustBits;
+ bool allows;
+ rv = dialogs->ConfirmDownloadCACert(ctx, certToShow, &trustBits, &allows);
+ if (NS_FAILED(rv)) return rv;
+
+ if (!allows) return NS_ERROR_NOT_AVAILABLE;
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("trust is %d\n", trustBits));
+ UniquePORTString nickname(CERT_MakeCANickname(tmpCert.get()));
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Created nick \"%s\"\n", nickname.get()));
+
+ nsNSSCertTrust trust;
+ trust.SetValidCA();
+ trust.AddCATrust(!!(trustBits & nsIX509CertDB::TRUSTED_SSL),
+ !!(trustBits & nsIX509CertDB::TRUSTED_EMAIL));
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
+ nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ srv =
+ ChangeCertTrustWithPossibleAuthentication(tmpCert, trust.GetTrust(), ctx);
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+
+ // Import additional delivered certificates that can be verified.
+
+ // build a CertList for filtering
+ UniqueCERTCertList certList(CERT_NewCertList());
+ if (!certList) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // get all remaining certs into temp store
+
+ for (uint32_t i = 0; i < numCerts; i++) {
+ if (i == selCertIndex) {
+ // we already processed that one
+ continue;
+ }
+
+ nsCOMPtr<nsIX509Cert> remainingCert = do_QueryElementAt(x509Certs, i);
+ if (!remainingCert) {
+ continue;
+ }
+
+ UniqueCERTCertificate tmpCert2(remainingCert->GetCert());
+ if (!tmpCert2) {
+ continue; // Let's try to import the rest of 'em
+ }
+
+ if (CERT_AddCertToListTail(certList.get(), tmpCert2.get()) != SECSuccess) {
+ continue;
+ }
+
+ Unused << tmpCert2.release();
+ }
+
+ return ImportCertsIntoPermanentStorage(certList);
+}
+
+nsresult nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList(
+ const UniqueCERTCertList& aCertListIn,
+ nsTArray<RefPtr<nsIX509Cert>>& aCertListOut) {
+ if (!aCertListIn.get()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ for (CERTCertListNode* node = CERT_LIST_HEAD(aCertListIn.get());
+ !CERT_LIST_END(node, aCertListIn.get()); node = CERT_LIST_NEXT(node)) {
+ RefPtr<nsIX509Cert> cert = new nsNSSCertificate(node->cert);
+ aCertListOut.AppendElement(cert);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length,
+ uint32_t type,
+ nsIInterfaceRequestor* ctx) {
+ // We currently only handle CA certificates.
+ if (type != nsIX509Cert::CA_CERT) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsTArray<nsTArray<uint8_t>> certsArray;
+ nsresult rv = getCertsFromPackage(certsArray, data, length);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create();
+ if (!array) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // Now let's create some certs to work with
+ for (nsTArray<uint8_t>& certDER : certsArray) {
+ nsCOMPtr<nsIX509Cert> cert = new nsNSSCertificate(std::move(certDER));
+ nsresult rv = array->AppendElement(cert);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ return handleCACertDownload(WrapNotNull(array), ctx);
+}
+
+/**
+ * Decodes a given array of DER-encoded certificates into temporary storage.
+ *
+ * @param certs
+ * Array in which the decoded certificates are stored as arrays of
+ * unsigned chars.
+ * @param temporaryCerts
+ * List of decoded certificates.
+ */
+static nsresult ImportCertsIntoTempStorage(
+ nsTArray<nsTArray<uint8_t>>& certs,
+ /*out*/ const UniqueCERTCertList& temporaryCerts) {
+ NS_ENSURE_ARG_POINTER(temporaryCerts);
+
+ for (nsTArray<uint8_t>& certDER : certs) {
+ CERTCertificate* certificate;
+ SECItem certItem;
+ certItem.len = certDER.Length();
+ certItem.data = certDER.Elements();
+ certificate = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certItem,
+ nullptr, false, true);
+
+ UniqueCERTCertificate cert(certificate);
+ if (!cert) {
+ continue;
+ }
+
+ if (CERT_AddCertToListTail(temporaryCerts.get(), cert.get()) ==
+ SECSuccess) {
+ Unused << cert.release();
+ }
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length,
+ nsIInterfaceRequestor* ctx) {
+ nsTArray<nsTArray<uint8_t>> certsArray;
+
+ nsresult rv = getCertsFromPackage(certsArray, data, length);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ UniqueCERTCertList temporaryCerts(CERT_NewCertList());
+ if (!temporaryCerts) {
+ return NS_ERROR_FAILURE;
+ }
+
+ rv = ImportCertsIntoTempStorage(certsArray, temporaryCerts);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return ImportCertsIntoPermanentStorage(temporaryCerts);
+}
+
+nsresult nsNSSCertificateDB::ImportCACerts(nsTArray<nsTArray<uint8_t>>& caCerts,
+ nsIInterfaceRequestor* ctx) {
+ UniqueCERTCertList temporaryCerts(CERT_NewCertList());
+ if (!temporaryCerts) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsresult rv = ImportCertsIntoTempStorage(caCerts, temporaryCerts);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return ImportCertsIntoPermanentStorage(temporaryCerts);
+}
+
+void nsNSSCertificateDB::DisplayCertificateAlert(nsIInterfaceRequestor* ctx,
+ const char* stringID,
+ nsIX509Cert* certToShow) {
+ if (!NS_IsMainThread()) {
+ NS_ERROR(
+ "nsNSSCertificateDB::DisplayCertificateAlert called off the main "
+ "thread");
+ return;
+ }
+
+ nsCOMPtr<nsIInterfaceRequestor> my_ctx = ctx;
+ if (!my_ctx) {
+ my_ctx = new PipUIContext();
+ }
+
+ // This shall be replaced by embedding ovverridable prompts
+ // as discussed in bug 310446, and should make use of certToShow.
+
+ nsAutoString tmpMessage;
+ GetPIPNSSBundleString(stringID, tmpMessage);
+ nsCOMPtr<nsIPrompt> prompt(do_GetInterface(my_ctx));
+ if (!prompt) {
+ return;
+ }
+
+ prompt->Alert(nullptr, tmpMessage.get());
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ImportUserCertificate(uint8_t* data, uint32_t length,
+ nsIInterfaceRequestor* ctx) {
+ if (!NS_IsMainThread()) {
+ NS_ERROR(
+ "nsNSSCertificateDB::ImportUserCertificate called off the main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ nsTArray<nsTArray<uint8_t>> certsArray;
+
+ nsresult rv = getCertsFromPackage(certsArray, data, length);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ SECItem certItem;
+
+ if (certsArray.IsEmpty()) {
+ return NS_OK;
+ }
+
+ certItem.len = certsArray.ElementAt(0).Length();
+ certItem.data = certsArray.ElementAt(0).Elements();
+
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &certItem, nullptr, false, true));
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+
+ UniquePK11SlotInfo slot(PK11_KeyForCertExists(cert.get(), nullptr, ctx));
+ if (!slot) {
+ nsCOMPtr<nsIX509Cert> certToShow = new nsNSSCertificate(cert.get());
+ DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow);
+ return NS_ERROR_FAILURE;
+ }
+ slot = nullptr;
+
+ /* pick a nickname for the cert */
+ nsAutoCString nickname;
+ if (cert->nickname) {
+ nickname = cert->nickname;
+ } else {
+ get_default_nickname(cert.get(), ctx, nickname);
+ }
+
+ /* user wants to import the cert */
+ slot.reset(PK11_ImportCertForKey(cert.get(), nickname.get(), ctx));
+ if (!slot) {
+ return NS_ERROR_FAILURE;
+ }
+ slot = nullptr;
+
+ {
+ nsCOMPtr<nsIX509Cert> certToShow = new nsNSSCertificate(cert.get());
+ DisplayCertificateAlert(ctx, "UserCertImported", certToShow);
+ }
+
+ rv = NS_OK;
+ if (!certsArray.IsEmpty()) {
+ certsArray.RemoveElementAt(0);
+ rv = ImportCACerts(certsArray, ctx);
+ }
+
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ if (observerService) {
+ observerService->NotifyObservers(nullptr, "psm:user-certificate-added",
+ nullptr);
+ }
+
+ return rv;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::DeleteCertificate(nsIX509Cert* aCert) {
+ NS_ENSURE_ARG_POINTER(aCert);
+ UniqueCERTCertificate cert(aCert->GetCert());
+ if (!cert) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // Temporary certificates aren't on a slot and will go away when the
+ // nsIX509Cert is destructed.
+ if (cert->slot) {
+ uint32_t certType;
+ nsresult rv = aCert->GetCertType(&certType);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+ if (certType == nsIX509Cert::USER_CERT) {
+ SECStatus srv = PK11_Authenticate(cert->slot, true, nullptr);
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ srv = PK11_DeleteTokenCertAndKey(cert.get(), nullptr);
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ } else {
+ // For certificates that can't be deleted (e.g. built-in roots), un-set
+ // all trust bits.
+ nsNSSCertTrust trust(0, 0);
+ SECStatus srv = ChangeCertTrustWithPossibleAuthentication(
+ cert, trust.GetTrust(), nullptr);
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ if (!PK11_IsReadOnly(cert->slot)) {
+ srv = SEC_DeletePermCertificate(cert.get());
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+ }
+ }
+
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ if (observerService) {
+ observerService->NotifyObservers(nullptr, "psm:user-certificate-deleted",
+ nullptr);
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::SetCertTrust(nsIX509Cert* cert, uint32_t type,
+ uint32_t trusted) {
+ NS_ENSURE_ARG_POINTER(cert);
+ nsNSSCertTrust trust;
+ switch (type) {
+ case nsIX509Cert::CA_CERT:
+ trust.SetValidCA();
+ trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL),
+ !!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
+ break;
+ case nsIX509Cert::SERVER_CERT:
+ trust.SetValidPeer();
+ trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false);
+ break;
+ case nsIX509Cert::EMAIL_CERT:
+ trust.SetValidPeer();
+ trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
+ break;
+ default:
+ // Ignore any other type of certificate (including invalid types).
+ return NS_OK;
+ }
+
+ UniqueCERTCertificate nsscert(cert->GetCert());
+ SECStatus srv = ChangeCertTrustWithPossibleAuthentication(
+ nsscert, trust.GetTrust(), nullptr);
+ return MapSECStatus(srv);
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::IsCertTrusted(nsIX509Cert* cert, uint32_t certType,
+ uint32_t trustType, bool* _isTrusted) {
+ NS_ENSURE_ARG_POINTER(_isTrusted);
+ *_isTrusted = false;
+
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ SECStatus srv;
+ UniqueCERTCertificate nsscert(cert->GetCert());
+ CERTCertTrust nsstrust;
+ srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
+ if (srv != SECSuccess) {
+ // CERT_GetCertTrust returns SECFailure if given a temporary cert that
+ // doesn't have any trust information yet. This isn't an error.
+ return NS_OK;
+ }
+
+ nsNSSCertTrust trust(&nsstrust);
+ if (certType == nsIX509Cert::CA_CERT) {
+ if (trustType & nsIX509CertDB::TRUSTED_SSL) {
+ *_isTrusted = trust.HasTrustedCA(true, false);
+ } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
+ *_isTrusted = trust.HasTrustedCA(false, true);
+ } else {
+ return NS_ERROR_FAILURE;
+ }
+ } else if (certType == nsIX509Cert::SERVER_CERT) {
+ if (trustType & nsIX509CertDB::TRUSTED_SSL) {
+ *_isTrusted = trust.HasTrustedPeer(true, false);
+ } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
+ *_isTrusted = trust.HasTrustedPeer(false, true);
+ } else {
+ return NS_ERROR_FAILURE;
+ }
+ } else if (certType == nsIX509Cert::EMAIL_CERT) {
+ if (trustType & nsIX509CertDB::TRUSTED_SSL) {
+ *_isTrusted = trust.HasTrustedPeer(true, false);
+ } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
+ *_isTrusted = trust.HasTrustedPeer(false, true);
+ } else {
+ return NS_ERROR_FAILURE;
+ }
+ } /* user: ignore */
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ImportCertsFromFile(nsIFile* aFile, uint32_t aType) {
+ NS_ENSURE_ARG(aFile);
+ switch (aType) {
+ case nsIX509Cert::CA_CERT:
+ case nsIX509Cert::EMAIL_CERT:
+ // good
+ break;
+
+ default:
+ // not supported (yet)
+ return NS_ERROR_FAILURE;
+ }
+
+ PRFileDesc* fd = nullptr;
+ nsresult rv = aFile->OpenNSPRFileDesc(PR_RDONLY, 0, &fd);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!fd) {
+ return NS_ERROR_FAILURE;
+ }
+
+ PRFileInfo fileInfo;
+ if (PR_GetOpenFileInfo(fd, &fileInfo) != PR_SUCCESS) {
+ return NS_ERROR_FAILURE;
+ }
+
+ auto buf = MakeUnique<unsigned char[]>(fileInfo.size);
+ int32_t bytesObtained = PR_Read(fd, buf.get(), fileInfo.size);
+ PR_Close(fd);
+
+ if (bytesObtained != fileInfo.size) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
+
+ switch (aType) {
+ case nsIX509Cert::CA_CERT:
+ return ImportCertificates(buf.get(), bytesObtained, aType, cxt);
+ case nsIX509Cert::EMAIL_CERT:
+ return ImportEmailCertificate(buf.get(), bytesObtained, cxt);
+ default:
+ MOZ_ASSERT(false, "Unsupported type should have been filtered out");
+ break;
+ }
+
+ return NS_ERROR_FAILURE;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ImportPKCS12File(nsIFile* aFile, const nsAString& aPassword,
+ uint32_t* aError) {
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ NS_ENSURE_ARG(aFile);
+ nsPKCS12Blob blob;
+ rv = blob.ImportFromFile(aFile, aPassword, *aError);
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ if (NS_SUCCEEDED(rv) && observerService) {
+ observerService->NotifyObservers(nullptr, "psm:user-certificate-added",
+ nullptr);
+ }
+
+ return rv;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ExportPKCS12File(
+ nsIFile* aFile, const nsTArray<RefPtr<nsIX509Cert>>& aCerts,
+ const nsAString& aPassword, uint32_t* aError) {
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ NS_ENSURE_ARG(aFile);
+ if (aCerts.IsEmpty()) {
+ return NS_OK;
+ }
+ nsPKCS12Blob blob;
+ return blob.ExportToFile(aFile, aCerts, aPassword, *aError);
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ConstructX509FromBase64(const nsACString& base64,
+ /*out*/ nsIX509Cert** _retval) {
+ if (!_retval) {
+ return NS_ERROR_INVALID_POINTER;
+ }
+
+ // Base64Decode() doesn't consider a zero length input as an error, and just
+ // returns the empty string. We don't want this behavior, so the below check
+ // catches this case.
+ if (base64.Length() < 1) {
+ return NS_ERROR_ILLEGAL_VALUE;
+ }
+
+ nsAutoCString certDER;
+ nsresult rv = Base64Decode(base64, certDER);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return ConstructX509FromSpan(AsBytes(Span(certDER)), _retval);
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ConstructX509(const nsTArray<uint8_t>& certDER,
+ nsIX509Cert** _retval) {
+ return ConstructX509FromSpan(Span(certDER.Elements(), certDER.Length()),
+ _retval);
+}
+
+nsresult nsNSSCertificateDB::ConstructX509FromSpan(
+ Span<const uint8_t> aInputSpan, nsIX509Cert** _retval) {
+ if (NS_WARN_IF(!_retval)) {
+ return NS_ERROR_INVALID_POINTER;
+ }
+
+ if (aInputSpan.Length() > std::numeric_limits<unsigned int>::max()) {
+ return NS_ERROR_ILLEGAL_VALUE;
+ }
+
+ SECItem certData;
+ certData.type = siDERCertBuffer;
+ certData.data = const_cast<unsigned char*>(
+ reinterpret_cast<const unsigned char*>(aInputSpan.Elements()));
+ certData.len = aInputSpan.Length();
+
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &certData, nullptr, false, true));
+ if (!cert)
+ return (PORT_GetError() == SEC_ERROR_NO_MEMORY) ? NS_ERROR_OUT_OF_MEMORY
+ : NS_ERROR_FAILURE;
+
+ nsCOMPtr<nsIX509Cert> nssCert = new nsNSSCertificate(cert.get());
+ nssCert.forget(_retval);
+ return NS_OK;
+}
+
+void nsNSSCertificateDB::get_default_nickname(CERTCertificate* cert,
+ nsIInterfaceRequestor* ctx,
+ nsCString& nickname) {
+ nickname.Truncate();
+
+ CK_OBJECT_HANDLE keyHandle;
+
+ if (NS_FAILED(BlockUntilLoadableCertsLoaded())) {
+ return;
+ }
+
+ CERTCertDBHandle* defaultcertdb = CERT_GetDefaultCertDB();
+ nsAutoCString username;
+ UniquePORTString tempCN(CERT_GetCommonName(&cert->subject));
+ if (tempCN) {
+ username = tempCN.get();
+ }
+
+ nsAutoCString caname;
+ UniquePORTString tempIssuerOrg(CERT_GetOrgName(&cert->issuer));
+ if (tempIssuerOrg) {
+ caname = tempIssuerOrg.get();
+ }
+
+ nsAutoString tmpNickFmt;
+ GetPIPNSSBundleString("nick_template", tmpNickFmt);
+ NS_ConvertUTF16toUTF8 nickFmt(tmpNickFmt);
+
+ nsAutoCString baseName;
+ baseName.AppendPrintf(nickFmt.get(), username.get(), caname.get());
+ if (baseName.IsEmpty()) {
+ return;
+ }
+
+ nickname = baseName;
+
+ /*
+ * We need to see if the private key exists on a token, if it does
+ * then we need to check for nicknames that already exist on the smart
+ * card.
+ */
+ UniquePK11SlotInfo slot(PK11_KeyForCertExists(cert, &keyHandle, ctx));
+ if (!slot) return;
+
+ if (!PK11_IsInternal(slot.get())) {
+ nsAutoCString tmp;
+ tmp.AppendPrintf("%s:%s", PK11_GetTokenName(slot.get()), baseName.get());
+ if (tmp.IsEmpty()) {
+ nickname.Truncate();
+ return;
+ }
+ baseName = tmp;
+ nickname = baseName;
+ }
+
+ int count = 1;
+ while (true) {
+ if (count > 1) {
+ nsAutoCString tmp;
+ tmp.AppendPrintf("%s #%d", baseName.get(), count);
+ if (tmp.IsEmpty()) {
+ nickname.Truncate();
+ return;
+ }
+ nickname = tmp;
+ }
+
+ UniqueCERTCertificate dummycert;
+
+ if (PK11_IsInternal(slot.get())) {
+ /* look up the nickname to make sure it isn't in use already */
+ dummycert.reset(CERT_FindCertByNickname(defaultcertdb, nickname.get()));
+ } else {
+ // Check the cert against others that already live on the smart card.
+ dummycert.reset(PK11_FindCertFromNickname(nickname.get(), ctx));
+ if (dummycert) {
+ // Make sure the subject names are different.
+ if (CERT_CompareName(&cert->subject, &dummycert->subject) == SECEqual) {
+ /*
+ * There is another certificate with the same nickname and
+ * the same subject name on the smart card, so let's use this
+ * nickname.
+ */
+ dummycert = nullptr;
+ }
+ }
+ }
+ if (!dummycert) {
+ break;
+ }
+ count++;
+ }
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::AddCertFromBase64(const nsACString& aBase64,
+ const nsACString& aTrust,
+ nsIX509Cert** addedCertificate) {
+ // Base64Decode() doesn't consider a zero length input as an error, and just
+ // returns the empty string. We don't want this behavior, so the below check
+ // catches this case.
+ if (aBase64.Length() < 1) {
+ return NS_ERROR_ILLEGAL_VALUE;
+ }
+
+ nsAutoCString aCertDER;
+ nsresult rv = Base64Decode(aBase64, aCertDER);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return AddCert(aCertDER, aTrust, addedCertificate);
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::AddCert(const nsACString& aCertDER,
+ const nsACString& aTrust,
+ nsIX509Cert** addedCertificate) {
+ MOZ_ASSERT(addedCertificate);
+ if (!addedCertificate) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ *addedCertificate = nullptr;
+
+ nsNSSCertTrust trust;
+ if (CERT_DecodeTrustString(&trust.GetTrust(),
+ PromiseFlatCString(aTrust).get()) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsCOMPtr<nsIX509Cert> newCert;
+ nsresult rv =
+ ConstructX509FromSpan(AsBytes(Span(aCertDER)), getter_AddRefs(newCert));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ UniqueCERTCertificate tmpCert(newCert->GetCert());
+ if (!tmpCert) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // If there's already a certificate that matches this one in the database, we
+ // still want to set its trust to the given value.
+ if (tmpCert->isperm) {
+ rv = SetCertTrustFromString(newCert, aTrust);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ newCert.forget(addedCertificate);
+ return NS_OK;
+ }
+
+ UniquePORTString nickname(CERT_MakeCANickname(tmpCert.get()));
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Created nick \"%s\"\n", nickname.get()));
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
+ nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ srv = ChangeCertTrustWithPossibleAuthentication(tmpCert, trust.GetTrust(),
+ nullptr);
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ newCert.forget(addedCertificate);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert* cert,
+ const nsACString& trustString) {
+ NS_ENSURE_ARG(cert);
+
+ CERTCertTrust trust;
+ SECStatus srv =
+ CERT_DecodeTrustString(&trust, PromiseFlatCString(trustString).get());
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ UniqueCERTCertificate nssCert(cert->GetCert());
+
+ srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr);
+ return MapSECStatus(srv);
+}
+
+NS_IMETHODIMP nsNSSCertificateDB::AsPKCS7Blob(
+ const nsTArray<RefPtr<nsIX509Cert>>& certList, nsACString& _retval) {
+ if (certList.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ UniqueNSSCMSMessage cmsg(NSS_CMSMessage_Create(nullptr));
+ if (!cmsg) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSCertificateDB::AsPKCS7Blob - can't create CMS message"));
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ UniqueNSSCMSSignedData sigd(nullptr);
+ for (const auto& cert : certList) {
+ // We need an owning handle when calling nsIX509Cert::GetCert().
+ UniqueCERTCertificate nssCert(cert->GetCert());
+ if (!sigd) {
+ sigd.reset(
+ NSS_CMSSignedData_CreateCertsOnly(cmsg.get(), nssCert.get(), false));
+ if (!sigd) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSCertificateDB::AsPKCS7Blob - can't create SignedData"));
+ return NS_ERROR_FAILURE;
+ }
+ } else if (NSS_CMSSignedData_AddCertificate(sigd.get(), nssCert.get()) !=
+ SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSCertificateDB::AsPKCS7Blob - can't add cert"));
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ NSSCMSContentInfo* cinfo = NSS_CMSMessage_GetContentInfo(cmsg.get());
+ if (NSS_CMSContentInfo_SetContent_SignedData(cmsg.get(), cinfo, sigd.get()) !=
+ SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSCertificateDB::AsPKCS7Blob - can't attach SignedData"));
+ return NS_ERROR_FAILURE;
+ }
+ // cmsg owns sigd now.
+ Unused << sigd.release();
+
+ UniquePLArenaPool arena(PORT_NewArena(1024));
+ if (!arena) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSCertificateDB::AsPKCS7Blob - out of memory"));
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ SECItem certP7 = {siBuffer, nullptr, 0};
+ NSSCMSEncoderContext* ecx = NSS_CMSEncoder_Start(
+ cmsg.get(), nullptr, nullptr, &certP7, arena.get(), nullptr, nullptr,
+ nullptr, nullptr, nullptr, nullptr);
+ if (!ecx) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSCertificateDB::AsPKCS7Blob - can't create encoder"));
+ return NS_ERROR_FAILURE;
+ }
+
+ if (NSS_CMSEncoder_Finish(ecx) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSCertificateDB::AsPKCS7Blob - failed to add encoded data"));
+ return NS_ERROR_FAILURE;
+ }
+
+ _retval.Assign(nsDependentCSubstring(
+ reinterpret_cast<const char*>(certP7.data), certP7.len));
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::GetCerts(nsTArray<RefPtr<nsIX509Cert>>& _retval) {
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = CheckForSmartCardChanges();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
+ UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, ctx));
+ if (!certList) {
+ return NS_ERROR_FAILURE;
+ }
+ return nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList(certList,
+ _retval);
+}
+
+nsresult IsCertBuiltInRoot(const RefPtr<nsIX509Cert>& cert,
+ bool& isBuiltInRoot) {
+ nsTArray<uint8_t> der;
+ nsresult rv = cert->GetRawDER(der);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ pkix::Input certInput;
+ pkix::Result result = certInput.Init(der.Elements(), der.Length());
+ if (result != pkix::Result::Success) {
+ return NS_ERROR_FAILURE;
+ }
+ result = IsCertBuiltInRoot(certInput, isBuiltInRoot);
+ if (result != pkix::Result::Success) {
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::AsyncHasThirdPartyRoots(nsIAsyncBoolCallback* aCallback) {
+ NS_ENSURE_ARG_POINTER(aCallback);
+ nsMainThreadPtrHandle<nsIAsyncBoolCallback> callback(
+ new nsMainThreadPtrHolder<nsIAsyncBoolCallback>("AsyncHasThirdPartyRoots",
+ aCallback));
+
+ return NS_DispatchBackgroundTask(
+ NS_NewRunnableFunction(
+ "nsNSSCertificateDB::AsyncHasThirdPartyRoots",
+ [cb = std::move(callback), self = RefPtr{this}] {
+ bool hasThirdPartyRoots = [self]() -> bool {
+ nsTArray<RefPtr<nsIX509Cert>> certs;
+ nsresult rv = self->GetCerts(certs);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ for (const auto& cert : certs) {
+ bool isTrusted = false;
+ nsresult rv =
+ self->IsCertTrusted(cert, nsIX509Cert::CA_CERT,
+ nsIX509CertDB::TRUSTED_SSL, &isTrusted);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ if (!isTrusted) {
+ continue;
+ }
+
+ bool isBuiltInRoot = false;
+ rv = IsCertBuiltInRoot(cert, isBuiltInRoot);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ if (!isBuiltInRoot) {
+ return true;
+ }
+ }
+
+ return false;
+ }();
+
+ NS_DispatchToMainThread(NS_NewRunnableFunction(
+ "nsNSSCertificateDB::AsyncHasThirdPartyRoots callback",
+ [cb, hasThirdPartyRoots]() {
+ cb->OnResult(hasThirdPartyRoots);
+ }));
+ }),
+ NS_DISPATCH_EVENT_MAY_BLOCK);
+}
+
+nsresult VerifyCertAtTime(nsIX509Cert* aCert,
+ int64_t /*SECCertificateUsage*/ aUsage,
+ uint32_t aFlags, const nsACString& aHostname,
+ mozilla::pkix::Time aTime,
+ nsTArray<RefPtr<nsIX509Cert>>& aVerifiedChain,
+ bool* aHasEVPolicy,
+ int32_t* /*PRErrorCode*/ _retval) {
+ NS_ENSURE_ARG_POINTER(aCert);
+ NS_ENSURE_ARG_POINTER(aHasEVPolicy);
+ NS_ENSURE_ARG_POINTER(_retval);
+
+ if (!aVerifiedChain.IsEmpty()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ *aHasEVPolicy = false;
+ *_retval = PR_UNKNOWN_ERROR;
+
+ RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
+ NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
+
+ nsTArray<nsTArray<uint8_t>> resultChain;
+ EVStatus evStatus;
+ mozilla::pkix::Result result;
+
+ nsTArray<uint8_t> certBytes;
+ nsresult nsrv = aCert->GetRawDER(certBytes);
+ if (NS_FAILED(nsrv)) {
+ return nsrv;
+ }
+
+ if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) {
+ result =
+ certVerifier->VerifySSLServerCert(certBytes, aTime,
+ nullptr, // Assume no context
+ aHostname, resultChain, aFlags,
+ Nothing(), // extraCertificates
+ Nothing(), // stapledOCSPResponse
+ Nothing(), // sctsFromTLSExtension
+ Nothing(), // dcInfo
+ OriginAttributes(), &evStatus);
+ } else {
+ const nsCString& flatHostname = PromiseFlatCString(aHostname);
+ result = certVerifier->VerifyCert(
+ certBytes, aUsage, aTime,
+ nullptr, // Assume no context
+ aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags,
+ Nothing(), // extraCertificates
+ Nothing(), // stapledOCSPResponse
+ Nothing(), // sctsFromTLSExtension
+ OriginAttributes(), &evStatus);
+ }
+
+ if (result == mozilla::pkix::Success) {
+ for (auto& certDER : resultChain) {
+ RefPtr<nsIX509Cert> cert = new nsNSSCertificate(std::move(certDER));
+ aVerifiedChain.AppendElement(cert);
+ }
+
+ if (evStatus == EVStatus::EV) {
+ *aHasEVPolicy = true;
+ }
+ }
+
+ *_retval = mozilla::pkix::MapResultToPRErrorCode(result);
+
+ return NS_OK;
+}
+
+class VerifyCertAtTimeTask final : public CryptoTask {
+ public:
+ VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags,
+ const nsACString& aHostname, uint64_t aTime,
+ nsICertVerificationCallback* aCallback)
+ : mCert(aCert),
+ mUsage(aUsage),
+ mFlags(aFlags),
+ mHostname(aHostname),
+ mTime(aTime),
+ mCallback(new nsMainThreadPtrHolder<nsICertVerificationCallback>(
+ "nsICertVerificationCallback", aCallback)),
+ mPRErrorCode(SEC_ERROR_LIBRARY_FAILURE),
+ mHasEVPolicy(false) {}
+
+ private:
+ virtual nsresult CalculateResult() override {
+ nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID);
+ if (!certDB) {
+ return NS_ERROR_FAILURE;
+ }
+ return VerifyCertAtTime(mCert, mUsage, mFlags, mHostname,
+ mozilla::pkix::TimeFromEpochInSeconds(mTime),
+ mVerifiedCertList, &mHasEVPolicy, &mPRErrorCode);
+ }
+
+ virtual void CallCallback(nsresult rv) override {
+ if (NS_FAILED(rv)) {
+ nsTArray<RefPtr<nsIX509Cert>> tmp;
+ Unused << mCallback->VerifyCertFinished(SEC_ERROR_LIBRARY_FAILURE, tmp,
+ false);
+ } else {
+ Unused << mCallback->VerifyCertFinished(mPRErrorCode, mVerifiedCertList,
+ mHasEVPolicy);
+ }
+ }
+
+ nsCOMPtr<nsIX509Cert> mCert;
+ int64_t mUsage;
+ uint32_t mFlags;
+ nsCString mHostname;
+ uint64_t mTime;
+ nsMainThreadPtrHandle<nsICertVerificationCallback> mCallback;
+ int32_t mPRErrorCode;
+ nsTArray<RefPtr<nsIX509Cert>> mVerifiedCertList;
+ bool mHasEVPolicy;
+};
+
+NS_IMETHODIMP
+nsNSSCertificateDB::AsyncVerifyCertAtTime(
+ nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags,
+ const nsACString& aHostname, uint64_t aTime,
+ nsICertVerificationCallback* aCallback) {
+ RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask(
+ aCert, aUsage, aFlags, aHostname, aTime, aCallback));
+ return task->Dispatch();
+}
+
+NS_IMETHODIMP
+nsNSSCertificateDB::ClearOCSPCache() {
+ RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
+ NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
+ certVerifier->ClearOCSPCache();
+ return NS_OK;
+}
diff --git a/security/manager/ssl/nsNSSCertificateDB.h b/security/manager/ssl/nsNSSCertificateDB.h
new file mode 100644
index 0000000000..125bb32acd
--- /dev/null
+++ b/security/manager/ssl/nsNSSCertificateDB.h
@@ -0,0 +1,71 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSCertificateDB_h
+#define nsNSSCertificateDB_h
+
+#include "ScopedNSSTypes.h"
+#include "certt.h"
+#include "mozilla/Mutex.h"
+#include "mozilla/NotNull.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/UniquePtr.h"
+#include "nsIX509CertDB.h"
+#include "nsString.h"
+
+class nsIArray;
+
+class nsNSSCertificateDB final : public nsIX509CertDB
+
+{
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIX509CERTDB
+
+ // This is a separate static method so nsNSSComponent can use it during NSS
+ // initialization. Other code should probably not use it.
+ static nsresult FindCertByDBKey(const nsACString& aDBKey,
+ mozilla::UniqueCERTCertificate& cert);
+
+ static nsresult ConstructCertArrayFromUniqueCertList(
+ const mozilla::UniqueCERTCertList& aCertListIn,
+ nsTArray<RefPtr<nsIX509Cert>>& aCertListOut);
+
+ protected:
+ virtual ~nsNSSCertificateDB() = default;
+
+ private:
+ // Use this function to generate a default nickname for a user
+ // certificate that is to be imported onto a token.
+ static void get_default_nickname(CERTCertificate* cert,
+ nsIInterfaceRequestor* ctx,
+ nsCString& nickname);
+
+ static nsresult ImportCACerts(nsTArray<nsTArray<uint8_t>>& CACerts,
+ nsIInterfaceRequestor* ctx);
+
+ static void DisplayCertificateAlert(nsIInterfaceRequestor* ctx,
+ const char* stringID,
+ nsIX509Cert* certToShow);
+
+ nsresult getCertsFromPackage(nsTArray<nsTArray<uint8_t>>& collectArgs,
+ uint8_t* data, uint32_t length);
+ nsresult handleCACertDownload(mozilla::NotNull<nsIArray*> x509Certs,
+ nsIInterfaceRequestor* ctx);
+ nsresult ConstructX509FromSpan(const mozilla::Span<const uint8_t> aInputSpan,
+ nsIX509Cert** _retval);
+};
+
+#define NS_X509CERTDB_CID \
+ { /* fb0bbc5c-452e-4783-b32c-80124693d871 */ \
+ 0xfb0bbc5c, 0x452e, 0x4783, { \
+ 0xb3, 0x2c, 0x80, 0x12, 0x46, 0x93, 0xd8, 0x71 \
+ } \
+ }
+
+SECStatus ChangeCertTrustWithPossibleAuthentication(
+ const mozilla::UniqueCERTCertificate& cert, CERTCertTrust& trust,
+ void* ctx);
+
+#endif // nsNSSCertificateDB_h
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
new file mode 100644
index 0000000000..5f3792fd52
--- /dev/null
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -0,0 +1,2551 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSComponent.h"
+
+#include "BinaryPath.h"
+#include "CryptoTask.h"
+#include "EnterpriseRoots.h"
+#include "ExtendedValidation.h"
+#include "NSSCertDBTrustDomain.h"
+#include "SSLTokensCache.h"
+#include "ScopedNSSTypes.h"
+#include "SharedSSLState.h"
+#include "cert.h"
+#include "cert_storage/src/cert_storage.h"
+#include "certdb.h"
+#include "mozilla/AppShutdown.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Casting.h"
+#include "mozilla/EndianUtils.h"
+#include "mozilla/FilePreferences.h"
+#include "mozilla/PodOperations.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/ProfilerLabels.h"
+#include "mozilla/ProfilerMarkers.h"
+#include "mozilla/PublicSSL.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/Services.h"
+#include "mozilla/StaticMutex.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "mozilla/StaticPtr.h"
+#include "mozilla/SyncRunnable.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/TimeStamp.h"
+#include "mozilla/Unused.h"
+#include "mozilla/Vector.h"
+#include "mozilla/dom/Promise.h"
+#include "mozilla/net/SocketProcessParent.h"
+#include "mozpkix/pkixnss.h"
+#include "nsAppDirectoryServiceDefs.h"
+#include "nsCRT.h"
+#include "nsClientAuthRemember.h"
+#include "nsComponentManagerUtils.h"
+#include "nsDirectoryServiceDefs.h"
+#include "nsICertOverrideService.h"
+#include "nsIFile.h"
+#include "nsILocalFileWin.h"
+#include "nsIOService.h"
+#include "nsIObserverService.h"
+#include "nsIPrompt.h"
+#include "nsIProperties.h"
+#include "nsISerialEventTarget.h"
+#include "nsISiteSecurityService.h"
+#include "nsITimer.h"
+#include "nsITokenPasswordDialogs.h"
+#include "nsIWindowWatcher.h"
+#include "nsIXULRuntime.h"
+#include "nsLiteralString.h"
+#include "nsNSSHelper.h"
+#include "nsNetCID.h"
+#include "nsPK11TokenDB.h"
+#include "nsPrintfCString.h"
+#include "nsServiceManagerUtils.h"
+#include "nsThreadUtils.h"
+#include "nsXULAppAPI.h"
+#include "nss.h"
+#include "p12plcy.h"
+#include "pk11pub.h"
+#include "prmem.h"
+#include "secerr.h"
+#include "secmod.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslproto.h"
+
+#if defined(XP_LINUX) && !defined(ANDROID)
+# include <linux/magic.h>
+# include <sys/vfs.h>
+#endif
+
+#ifdef XP_WIN
+# include "nsILocalFileWin.h"
+#endif
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+LazyLogModule gPIPNSSLog("pipnss");
+
+int nsNSSComponent::mInstanceCount = 0;
+
+// Forward declaration.
+nsresult CommonInit();
+
+// Take an nsIFile and get a UTF-8-encoded c-string representation of the
+// location of that file (encapsulated in an nsACString).
+// This operation is generally to be avoided, except when interacting with
+// third-party or legacy libraries that cannot handle `nsIFile`s (such as NSS).
+// |result| is encoded in UTF-8.
+nsresult FileToCString(const nsCOMPtr<nsIFile>& file, nsACString& result) {
+#ifdef XP_WIN
+ nsAutoString path;
+ nsresult rv = file->GetPath(path);
+ if (NS_SUCCEEDED(rv)) {
+ CopyUTF16toUTF8(path, result);
+ }
+ return rv;
+#else
+ return file->GetNativePath(result);
+#endif
+}
+
+void TruncateFromLastDirectorySeparator(nsCString& path) {
+ static const nsAutoCString kSeparatorString(
+ mozilla::FilePreferences::kPathSeparator);
+ int32_t index = path.RFind(kSeparatorString);
+ if (index == kNotFound) {
+ return;
+ }
+ path.Truncate(index);
+}
+
+bool LoadIPCClientCerts() {
+ // This returns the path to the binary currently running, which in most
+ // cases is "plugin-container".
+ UniqueFreePtr<char> pluginContainerPath(BinaryPath::Get());
+ if (!pluginContainerPath) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("failed to get get plugin-container path"));
+ return false;
+ }
+ nsAutoCString ipcClientCertsDirString(pluginContainerPath.get());
+ // On most platforms, ipcclientcerts is in the same directory as
+ // plugin-container. To obtain the path to that directory, truncate from
+ // the last directory separator.
+ // On macOS, plugin-container is in
+ // Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/,
+ // whereas ipcclientcerts is in Firefox.app/Contents/MacOS/. Consequently,
+ // this truncation from the last directory separator has to happen 4 times
+ // total. Normally this would be done using nsIFile APIs, but due to when
+ // this is initialized in the socket process, those aren't available.
+ TruncateFromLastDirectorySeparator(ipcClientCertsDirString);
+#ifdef XP_MACOSX
+ TruncateFromLastDirectorySeparator(ipcClientCertsDirString);
+ TruncateFromLastDirectorySeparator(ipcClientCertsDirString);
+ TruncateFromLastDirectorySeparator(ipcClientCertsDirString);
+#endif
+ if (!LoadIPCClientCertsModule(ipcClientCertsDirString)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("failed to load ipcclientcerts from '%s'",
+ ipcClientCertsDirString.get()));
+ return false;
+ }
+ return true;
+}
+
+// This function can be called from chrome or content or socket processes
+// to ensure that NSS is initialized.
+bool EnsureNSSInitializedChromeOrContent() {
+ static Atomic<bool> initialized(false);
+
+ if (initialized) {
+ return true;
+ }
+
+ // If this is not the main thread (i.e. probably a worker) then forward this
+ // call to the main thread.
+ if (!NS_IsMainThread()) {
+ nsCOMPtr<nsIThread> mainThread;
+ nsresult rv = NS_GetMainThread(getter_AddRefs(mainThread));
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ // Forward to the main thread synchronously.
+ mozilla::SyncRunnable::DispatchToThread(
+ mainThread,
+ NS_NewRunnableFunction("EnsureNSSInitializedChromeOrContent", []() {
+ EnsureNSSInitializedChromeOrContent();
+ }));
+
+ return initialized;
+ }
+
+ if (XRE_IsParentProcess()) {
+ nsCOMPtr<nsISupports> nss = do_GetService(PSM_COMPONENT_CONTRACTID);
+ if (!nss) {
+ return false;
+ }
+ initialized = true;
+ return true;
+ }
+
+ if (NSS_IsInitialized()) {
+ initialized = true;
+ return true;
+ }
+
+ if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+ return false;
+ }
+
+ if (XRE_IsSocketProcess()) {
+ if (NS_FAILED(CommonInit())) {
+ return false;
+ }
+ // If ipcclientcerts fails to load, client certificate authentication won't
+ // work (if networking is done on the socket process). This is preferable
+ // to stopping the program entirely, so treat this as best-effort.
+ Unused << NS_WARN_IF(!LoadIPCClientCerts());
+ initialized = true;
+ return true;
+ }
+
+ if (NS_FAILED(mozilla::psm::InitializeCipherSuite())) {
+ return false;
+ }
+
+ mozilla::psm::DisableMD5();
+ mozilla::pkix::RegisterErrorTable();
+ initialized = true;
+ return true;
+}
+
+static const uint32_t OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX = 5000;
+static const uint32_t OCSP_TIMEOUT_MILLISECONDS_HARD_MAX = 20000;
+
+void nsNSSComponent::GetRevocationBehaviorFromPrefs(
+ /*out*/ CertVerifier::OcspDownloadConfig* odc,
+ /*out*/ CertVerifier::OcspStrictConfig* osc,
+ /*out*/ uint32_t* certShortLifetimeInDays,
+ /*out*/ TimeDuration& softTimeout,
+ /*out*/ TimeDuration& hardTimeout) {
+ MOZ_ASSERT(NS_IsMainThread());
+ MOZ_ASSERT(odc);
+ MOZ_ASSERT(osc);
+ MOZ_ASSERT(certShortLifetimeInDays);
+
+ // 0 = disabled
+ // 1 = enabled for everything (default)
+ // 2 = enabled for EV certificates only
+ uint32_t ocspLevel = StaticPrefs::security_OCSP_enabled();
+ switch (ocspLevel) {
+ case 0:
+ *odc = CertVerifier::ocspOff;
+ break;
+ case 2:
+ *odc = CertVerifier::ocspEVOnly;
+ break;
+ default:
+ *odc = CertVerifier::ocspOn;
+ break;
+ }
+
+ *osc = StaticPrefs::security_OCSP_require() ? CertVerifier::ocspStrict
+ : CertVerifier::ocspRelaxed;
+
+ *certShortLifetimeInDays =
+ StaticPrefs::security_pki_cert_short_lifetime_in_days();
+
+ uint32_t softTimeoutMillis =
+ StaticPrefs::security_OCSP_timeoutMilliseconds_soft();
+ softTimeoutMillis =
+ std::min(softTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX);
+ softTimeout = TimeDuration::FromMilliseconds(softTimeoutMillis);
+
+ uint32_t hardTimeoutMillis =
+ StaticPrefs::security_OCSP_timeoutMilliseconds_hard();
+ hardTimeoutMillis =
+ std::min(hardTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_HARD_MAX);
+ hardTimeout = TimeDuration::FromMilliseconds(hardTimeoutMillis);
+}
+
+nsNSSComponent::nsNSSComponent()
+ : mLoadableCertsLoadedMonitor("nsNSSComponent.mLoadableCertsLoadedMonitor"),
+ mLoadableCertsLoaded(false),
+ mLoadableCertsLoadedResult(NS_ERROR_FAILURE),
+ mMutex("nsNSSComponent.mMutex"),
+ mMitmDetecionEnabled(false) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::ctor\n"));
+ MOZ_RELEASE_ASSERT(NS_IsMainThread());
+
+ MOZ_ASSERT(mInstanceCount == 0,
+ "nsNSSComponent is a singleton, but instantiated multiple times!");
+ ++mInstanceCount;
+}
+
+nsNSSComponent::~nsNSSComponent() {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::dtor\n"));
+ MOZ_RELEASE_ASSERT(NS_IsMainThread());
+
+ // All cleanup code requiring services needs to happen in xpcom_shutdown
+
+ PrepareForShutdown();
+ SharedSSLState::GlobalCleanup();
+ --mInstanceCount;
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::dtor finished\n"));
+}
+
+void nsNSSComponent::UnloadEnterpriseRoots() {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return;
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("UnloadEnterpriseRoots"));
+ MutexAutoLock lock(mMutex);
+ mEnterpriseCerts.Clear();
+ setValidationOptions(false, lock);
+ ClearSSLExternalAndInternalSessionCache();
+}
+
+class BackgroundImportEnterpriseCertsTask final : public CryptoTask {
+ public:
+ explicit BackgroundImportEnterpriseCertsTask(nsNSSComponent* nssComponent)
+ : mNSSComponent(nssComponent) {}
+
+ private:
+ virtual nsresult CalculateResult() override {
+ mNSSComponent->ImportEnterpriseRoots();
+ mNSSComponent->UpdateCertVerifierWithEnterpriseRoots();
+ return NS_OK;
+ }
+
+ virtual void CallCallback(nsresult rv) override {
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ if (observerService) {
+ observerService->NotifyObservers(nullptr, "psm:enterprise-certs-imported",
+ nullptr);
+ }
+ }
+
+ RefPtr<nsNSSComponent> mNSSComponent;
+};
+
+void nsNSSComponent::MaybeImportEnterpriseRoots() {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return;
+ }
+ bool importEnterpriseRoots = StaticPrefs::security_enterprise_roots_enabled();
+ if (importEnterpriseRoots) {
+ RefPtr<BackgroundImportEnterpriseCertsTask> task =
+ new BackgroundImportEnterpriseCertsTask(this);
+ Unused << task->Dispatch();
+ }
+}
+
+void nsNSSComponent::ImportEnterpriseRoots() {
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return;
+ }
+
+ nsTArray<EnterpriseCert> enterpriseCerts;
+ nsresult rv = GatherEnterpriseCerts(enterpriseCerts);
+ if (NS_SUCCEEDED(rv)) {
+ MutexAutoLock lock(mMutex);
+ mEnterpriseCerts = std::move(enterpriseCerts);
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("failed gathering enterprise roots"));
+ }
+}
+
+nsresult nsNSSComponent::CommonGetEnterpriseCerts(
+ nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots) {
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ enterpriseCerts.Clear();
+ MutexAutoLock nsNSSComponentLock(mMutex);
+ for (const auto& cert : mEnterpriseCerts) {
+ nsTArray<uint8_t> certCopy;
+ // mEnterpriseCerts includes both roots and intermediates.
+ if (cert.GetIsRoot() == getRoots) {
+ cert.CopyBytes(certCopy);
+ enterpriseCerts.AppendElement(std::move(certCopy));
+ }
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSComponent::GetEnterpriseRoots(
+ nsTArray<nsTArray<uint8_t>>& enterpriseRoots) {
+ return CommonGetEnterpriseCerts(enterpriseRoots, true);
+}
+
+nsresult BytesArrayToPEM(const nsTArray<nsTArray<uint8_t>>& bytesArray,
+ nsACString& pemArray) {
+ for (const auto& bytes : bytesArray) {
+ nsAutoCString base64;
+ nsresult rv = Base64Encode(reinterpret_cast<const char*>(bytes.Elements()),
+ bytes.Length(), base64);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!pemArray.IsEmpty()) {
+ pemArray.AppendLiteral("\n");
+ }
+ pemArray.AppendLiteral("-----BEGIN CERTIFICATE-----\n");
+ for (size_t i = 0; i < base64.Length() / 64; i++) {
+ pemArray.Append(Substring(base64, i * 64, 64));
+ pemArray.AppendLiteral("\n");
+ }
+ if (base64.Length() % 64 != 0) {
+ size_t chunks = base64.Length() / 64;
+ pemArray.Append(Substring(base64, chunks * 64));
+ pemArray.AppendLiteral("\n");
+ }
+ pemArray.AppendLiteral("-----END CERTIFICATE-----");
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSComponent::GetEnterpriseRootsPEM(nsACString& enterpriseRootsPEM) {
+ nsTArray<nsTArray<uint8_t>> enterpriseRoots;
+ nsresult rv = GetEnterpriseRoots(enterpriseRoots);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return BytesArrayToPEM(enterpriseRoots, enterpriseRootsPEM);
+}
+
+NS_IMETHODIMP
+nsNSSComponent::GetEnterpriseIntermediates(
+ nsTArray<nsTArray<uint8_t>>& enterpriseIntermediates) {
+ return CommonGetEnterpriseCerts(enterpriseIntermediates, false);
+}
+
+NS_IMETHODIMP
+nsNSSComponent::GetEnterpriseIntermediatesPEM(
+ nsACString& enterpriseIntermediatesPEM) {
+ nsTArray<nsTArray<uint8_t>> enterpriseIntermediates;
+ nsresult rv = GetEnterpriseIntermediates(enterpriseIntermediates);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return BytesArrayToPEM(enterpriseIntermediates, enterpriseIntermediatesPEM);
+}
+
+NS_IMETHODIMP
+nsNSSComponent::AddEnterpriseIntermediate(
+ const nsTArray<uint8_t>& intermediateBytes) {
+ nsresult rv = BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ EnterpriseCert intermediate(intermediateBytes.Elements(),
+ intermediateBytes.Length(), false);
+ {
+ MutexAutoLock nsNSSComponentLock(mMutex);
+ mEnterpriseCerts.AppendElement(std::move(intermediate));
+ }
+
+ UpdateCertVerifierWithEnterpriseRoots();
+ return NS_OK;
+}
+
+class LoadLoadableCertsTask final : public Runnable {
+ public:
+ LoadLoadableCertsTask(nsNSSComponent* nssComponent,
+ bool importEnterpriseRoots,
+ Vector<nsCString>&& possibleLoadableRootsLocations,
+ Maybe<nsCString>&& osClientCertsModuleLocation)
+ : Runnable("LoadLoadableCertsTask"),
+ mNSSComponent(nssComponent),
+ mImportEnterpriseRoots(importEnterpriseRoots),
+ mPossibleLoadableRootsLocations(
+ std::move(possibleLoadableRootsLocations)),
+ mOSClientCertsModuleLocation(std::move(osClientCertsModuleLocation)) {
+ MOZ_ASSERT(nssComponent);
+ }
+
+ ~LoadLoadableCertsTask() = default;
+
+ nsresult Dispatch();
+
+ private:
+ NS_IMETHOD Run() override;
+ nsresult LoadLoadableRoots();
+ RefPtr<nsNSSComponent> mNSSComponent;
+ bool mImportEnterpriseRoots;
+ Vector<nsCString> mPossibleLoadableRootsLocations; // encoded in UTF-8
+ Maybe<nsCString> mOSClientCertsModuleLocation; // encoded in UTF-8
+};
+
+nsresult LoadLoadableCertsTask::Dispatch() {
+ // The stream transport service (note: not the socket transport service) can
+ // be used to perform background tasks or I/O that would otherwise block the
+ // main thread.
+ nsCOMPtr<nsIEventTarget> target(
+ do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID));
+ if (!target) {
+ return NS_ERROR_FAILURE;
+ }
+ return target->Dispatch(this, NS_DISPATCH_NORMAL);
+}
+
+NS_IMETHODIMP
+LoadLoadableCertsTask::Run() {
+ Telemetry::AutoScalarTimer<Telemetry::ScalarID::NETWORKING_LOADING_CERTS_TASK>
+ timer;
+
+ nsresult loadLoadableRootsResult = LoadLoadableRoots();
+ if (NS_WARN_IF(NS_FAILED(loadLoadableRootsResult))) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("LoadLoadableRoots failed"));
+ // We don't return loadLoadableRootsResult here because then
+ // BlockUntilLoadableCertsLoaded will just wait forever. Instead we'll save
+ // its value (below) so we can inform code that relies on the roots module
+ // being present that loading it failed.
+ }
+
+ // Loading EV information will only succeed if we've successfully loaded the
+ // loadable roots module.
+ if (NS_SUCCEEDED(loadLoadableRootsResult)) {
+ if (NS_FAILED(LoadExtendedValidationInfo())) {
+ // This isn't a show-stopper in the same way that failing to load the
+ // roots module is.
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("failed to load EV info"));
+ }
+ }
+
+ if (mImportEnterpriseRoots) {
+ mNSSComponent->ImportEnterpriseRoots();
+ mNSSComponent->UpdateCertVerifierWithEnterpriseRoots();
+ }
+ if (mOSClientCertsModuleLocation.isSome()) {
+ bool success = LoadOSClientCertsModule(*mOSClientCertsModuleLocation);
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("loading OS client certs module %s",
+ success ? "succeeded" : "failed"));
+ }
+ {
+ MonitorAutoLock rootsLoadedLock(mNSSComponent->mLoadableCertsLoadedMonitor);
+ mNSSComponent->mLoadableCertsLoaded = true;
+ // Cache the result of LoadLoadableRoots so BlockUntilLoadableCertsLoaded
+ // can return it to all callers later (we use that particular result because
+ // if that operation fails, it's unlikely that any TLS connection will
+ // succeed whereas the browser may still be able to operate if the other
+ // tasks fail).
+ mNSSComponent->mLoadableCertsLoadedResult = loadLoadableRootsResult;
+ mNSSComponent->mLoadableCertsLoadedMonitor.NotifyAll();
+ }
+ return NS_OK;
+}
+
+// Returns by reference the path to the desired directory, based on the current
+// settings in the directory service.
+// |result| is encoded in UTF-8.
+static nsresult GetDirectoryPath(const char* directoryKey, nsCString& result) {
+ MOZ_ASSERT(NS_IsMainThread());
+
+ nsCOMPtr<nsIProperties> directoryService(
+ do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID));
+ if (!directoryService) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not get directory service"));
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsIFile> directory;
+ nsresult rv = directoryService->Get(directoryKey, NS_GET_IID(nsIFile),
+ getter_AddRefs(directory));
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("could not get '%s' from directory service", directoryKey));
+ return rv;
+ }
+ return FileToCString(directory, result);
+}
+
+class BackgroundLoadOSClientCertsModuleTask final : public CryptoTask {
+ public:
+ explicit BackgroundLoadOSClientCertsModuleTask(const nsCString&& libraryDir)
+ : mLibraryDir(std::move(libraryDir)) {}
+
+ private:
+ virtual nsresult CalculateResult() override {
+ bool success = LoadOSClientCertsModule(mLibraryDir);
+ return success ? NS_OK : NS_ERROR_FAILURE;
+ }
+
+ virtual void CallCallback(nsresult rv) override {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("loading OS client certs module %s",
+ NS_SUCCEEDED(rv) ? "succeeded" : "failed"));
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ if (observerService) {
+ observerService->NotifyObservers(
+ nullptr, "psm:load-os-client-certs-module-task-ran", nullptr);
+ }
+ }
+
+ nsCString mLibraryDir;
+};
+
+void AsyncLoadOrUnloadOSClientCertsModule(bool load) {
+ if (load) {
+ nsCString libraryDir;
+ nsresult rv = GetDirectoryPath(NS_GRE_BIN_DIR, libraryDir);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ RefPtr<BackgroundLoadOSClientCertsModuleTask> task =
+ new BackgroundLoadOSClientCertsModuleTask(std::move(libraryDir));
+ Unused << task->Dispatch();
+ } else {
+ UniqueSECMODModule osClientCertsModule(
+ SECMOD_FindModule(kOSClientCertsModuleName));
+ if (osClientCertsModule) {
+ SECMOD_UnloadUserModule(osClientCertsModule.get());
+ }
+ }
+}
+
+nsresult nsNSSComponent::BlockUntilLoadableCertsLoaded() {
+ MonitorAutoLock rootsLoadedLock(mLoadableCertsLoadedMonitor);
+ while (!mLoadableCertsLoaded) {
+ rootsLoadedLock.Wait();
+ }
+ MOZ_ASSERT(mLoadableCertsLoaded);
+
+ return mLoadableCertsLoadedResult;
+}
+
+#ifndef MOZ_NO_SMART_CARDS
+static StaticMutex sCheckForSmartCardChangesMutex MOZ_UNANNOTATED;
+static TimeStamp sLastCheckedForSmartCardChanges = TimeStamp::Now();
+#endif
+
+nsresult nsNSSComponent::CheckForSmartCardChanges() {
+#ifndef MOZ_NO_SMART_CARDS
+ {
+ StaticMutexAutoLock lock(sCheckForSmartCardChangesMutex);
+ // Do this at most once every 3 seconds.
+ TimeStamp now = TimeStamp::Now();
+ if (now - sLastCheckedForSmartCardChanges <
+ TimeDuration::FromSeconds(3.0)) {
+ return NS_OK;
+ }
+ sLastCheckedForSmartCardChanges = now;
+ }
+
+ // SECMOD_UpdateSlotList attempts to acquire the list lock as well, so we
+ // have to do this in three steps.
+ Vector<UniqueSECMODModule> modulesWithRemovableSlots;
+ {
+ AutoSECMODListReadLock secmodLock;
+ SECMODModuleList* list = SECMOD_GetDefaultModuleList();
+ while (list) {
+ if (SECMOD_LockedModuleHasRemovableSlots(list->module)) {
+ UniqueSECMODModule module(SECMOD_ReferenceModule(list->module));
+ if (!modulesWithRemovableSlots.append(std::move(module))) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ }
+ list = list->next;
+ }
+ }
+ for (auto& module : modulesWithRemovableSlots) {
+ // Best-effort.
+ Unused << SECMOD_UpdateSlotList(module.get());
+ }
+ AutoSECMODListReadLock secmodLock;
+ for (auto& module : modulesWithRemovableSlots) {
+ for (int i = 0; i < module->slotCount; i++) {
+ // We actually don't care about the return value here - we just need to
+ // call this to get NSS to update its view of this slot.
+ Unused << PK11_IsPresent(module->slots[i]);
+ }
+ }
+#endif
+
+ return NS_OK;
+}
+
+// Returns by reference the path to the directory containing the file that has
+// been loaded as MOZ_DLL_PREFIX nss3 MOZ_DLL_SUFFIX.
+// |result| is encoded in UTF-8.
+static nsresult GetNSS3Directory(nsCString& result) {
+ MOZ_ASSERT(NS_IsMainThread());
+
+ UniquePRString nss3Path(
+ PR_GetLibraryFilePathname(MOZ_DLL_PREFIX "nss3" MOZ_DLL_SUFFIX,
+ reinterpret_cast<PRFuncPtr>(NSS_Initialize)));
+ if (!nss3Path) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nss not loaded?"));
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsIFile> nss3File(do_CreateInstance(NS_LOCAL_FILE_CONTRACTID));
+ if (!nss3File) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't create a file?"));
+ return NS_ERROR_FAILURE;
+ }
+ nsAutoCString nss3PathAsString(nss3Path.get());
+ nsresult rv = nss3File->InitWithNativePath(nss3PathAsString);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("couldn't initialize file with path '%s'", nss3Path.get()));
+ return rv;
+ }
+ nsCOMPtr<nsIFile> nss3Directory;
+ rv = nss3File->GetParent(getter_AddRefs(nss3Directory));
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't get parent directory?"));
+ return rv;
+ }
+ return FileToCString(nss3Directory, result);
+}
+
+// The loadable roots library is probably in the same directory we loaded the
+// NSS shared library from, but in some cases it may be elsewhere. This function
+// enumerates and returns the possible locations as nsCStrings.
+// |possibleLoadableRootsLocations| is encoded in UTF-8.
+static nsresult ListPossibleLoadableRootsLocations(
+ Vector<nsCString>& possibleLoadableRootsLocations) {
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ // First try in the directory where we've already loaded
+ // MOZ_DLL_PREFIX nss3 MOZ_DLL_SUFFIX, since that's likely to be correct.
+ nsAutoCString nss3Dir;
+ nsresult rv = GetNSS3Directory(nss3Dir);
+ if (NS_SUCCEEDED(rv)) {
+ if (!possibleLoadableRootsLocations.append(std::move(nss3Dir))) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ } else {
+ // For some reason this fails on android. In any case, we should try with
+ // the other potential locations we have.
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("could not determine where nss was loaded from"));
+ }
+ nsAutoCString currentProcessDir;
+ rv = GetDirectoryPath(NS_XPCOM_CURRENT_PROCESS_DIR, currentProcessDir);
+ if (NS_SUCCEEDED(rv)) {
+ if (!possibleLoadableRootsLocations.append(std::move(currentProcessDir))) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("could not get current process directory"));
+ }
+ nsAutoCString greDir;
+ rv = GetDirectoryPath(NS_GRE_DIR, greDir);
+ if (NS_SUCCEEDED(rv)) {
+ if (!possibleLoadableRootsLocations.append(std::move(greDir))) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not get gre directory"));
+ }
+ // As a last resort, this will cause the library loading code to use the OS'
+ // default library search path.
+ nsAutoCString emptyString;
+ if (!possibleLoadableRootsLocations.append(std::move(emptyString))) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ return NS_OK;
+}
+
+nsresult LoadLoadableCertsTask::LoadLoadableRoots() {
+ for (const auto& possibleLocation : mPossibleLoadableRootsLocations) {
+ if (mozilla::psm::LoadLoadableRoots(possibleLocation)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("loaded CKBI from %s", possibleLocation.get()));
+ return NS_OK;
+ }
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not load loadable roots"));
+ return NS_ERROR_FAILURE;
+}
+
+// Table of pref names and SSL cipher ID
+typedef struct {
+ const char* pref;
+ int32_t id;
+ bool (*prefGetter)();
+} CipherPref;
+
+// Update the switch statement in AccumulateCipherSuite in nsNSSCallbacks.cpp
+// when you add/remove cipher suites here.
+static const CipherPref sCipherPrefs[] = {
+ {"security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ StaticPrefs::security_ssl3_ecdhe_rsa_aes_128_gcm_sha256},
+ {"security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_128_gcm_sha256},
+ {"security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256",
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ StaticPrefs::security_ssl3_ecdhe_ecdsa_chacha20_poly1305_sha256},
+ {"security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256",
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ StaticPrefs::security_ssl3_ecdhe_rsa_chacha20_poly1305_sha256},
+ {"security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384",
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_256_gcm_sha384},
+ {"security.ssl3.ecdhe_rsa_aes_256_gcm_sha384",
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ StaticPrefs::security_ssl3_ecdhe_rsa_aes_256_gcm_sha384},
+ {"security.ssl3.ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ StaticPrefs::security_ssl3_ecdhe_rsa_aes_128_sha},
+ {"security.ssl3.ecdhe_ecdsa_aes_128_sha",
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_128_sha},
+ {"security.ssl3.ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ StaticPrefs::security_ssl3_ecdhe_rsa_aes_256_sha},
+ {"security.ssl3.ecdhe_ecdsa_aes_256_sha",
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_256_sha},
+ {"security.ssl3.dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ StaticPrefs::security_ssl3_dhe_rsa_aes_128_sha},
+ {"security.ssl3.dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ StaticPrefs::security_ssl3_dhe_rsa_aes_256_sha},
+ {"security.tls13.aes_128_gcm_sha256", TLS_AES_128_GCM_SHA256,
+ StaticPrefs::security_tls13_aes_128_gcm_sha256},
+ {"security.tls13.chacha20_poly1305_sha256", TLS_CHACHA20_POLY1305_SHA256,
+ StaticPrefs::security_tls13_chacha20_poly1305_sha256},
+ {"security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384,
+ StaticPrefs::security_tls13_aes_256_gcm_sha384},
+ {"security.ssl3.rsa_aes_128_gcm_sha256", TLS_RSA_WITH_AES_128_GCM_SHA256,
+ StaticPrefs::security_ssl3_rsa_aes_128_gcm_sha256},
+ {"security.ssl3.rsa_aes_256_gcm_sha384", TLS_RSA_WITH_AES_256_GCM_SHA384,
+ StaticPrefs::security_ssl3_rsa_aes_256_gcm_sha384},
+ {"security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA,
+ StaticPrefs::security_ssl3_rsa_aes_128_sha},
+ {"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA,
+ StaticPrefs::security_ssl3_rsa_aes_256_sha},
+};
+
+// These ciphersuites can only be enabled if deprecated versions of TLS are
+// also enabled (via the preference "security.tls.version.enable-deprecated").
+static const CipherPref sDeprecatedTLS1CipherPrefs[] = {
+ {"security.ssl3.deprecated.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ StaticPrefs::security_ssl3_deprecated_rsa_des_ede3_sha},
+};
+
+// This function will convert from pref values like 1, 2, ...
+// to the internal values of SSL_LIBRARY_VERSION_TLS_1_0,
+// SSL_LIBRARY_VERSION_TLS_1_1, ...
+/*static*/
+void nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
+ uint32_t minFromPrefs,
+ uint32_t maxFromPrefs,
+ SSLVersionRange defaults) {
+ rangeOut = defaults;
+ // determine what versions are supported
+ SSLVersionRange supported;
+ if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) !=
+ SECSuccess) {
+ return;
+ }
+
+ // Clip the defaults by what NSS actually supports to enable
+ // working with a system NSS with different ranges.
+ rangeOut.min = std::max(rangeOut.min, supported.min);
+ rangeOut.max = std::min(rangeOut.max, supported.max);
+
+ // convert min/maxFromPrefs to the internal representation
+ minFromPrefs += SSL_LIBRARY_VERSION_3_0;
+ maxFromPrefs += SSL_LIBRARY_VERSION_3_0;
+ // if min/maxFromPrefs are invalid, use defaults
+ if (minFromPrefs > maxFromPrefs || minFromPrefs < supported.min ||
+ maxFromPrefs > supported.max ||
+ minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0) {
+ return;
+ }
+
+ // fill out rangeOut
+ rangeOut.min = (uint16_t)minFromPrefs;
+ rangeOut.max = (uint16_t)maxFromPrefs;
+}
+
+static void ConfigureTLSSessionIdentifiers() {
+ bool disableSessionIdentifiers =
+ StaticPrefs::security_ssl_disable_session_identifiers();
+ SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, !disableSessionIdentifiers);
+ SSL_OptionSetDefault(SSL_NO_CACHE, disableSessionIdentifiers);
+}
+
+nsresult CommonInit() {
+ SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
+ SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);
+
+ nsresult rv = nsNSSComponent::SetEnabledTLSVersions();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ ConfigureTLSSessionIdentifiers();
+
+ SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION,
+ StaticPrefs::security_ssl_require_safe_negotiation());
+ SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN);
+ SSL_OptionSetDefault(SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
+ SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK,
+ StaticPrefs::security_tls_hello_downgrade_check());
+ SSL_OptionSetDefault(SSL_ENABLE_FALSE_START,
+ StaticPrefs::security_ssl_enable_false_start());
+ // SSL_ENABLE_ALPN also requires calling SSL_SetNextProtoNego in order for
+ // the extensions to be negotiated.
+ // WebRTC does not do that so it will not use ALPN even when this preference
+ // is true.
+ SSL_OptionSetDefault(SSL_ENABLE_ALPN,
+ StaticPrefs::security_ssl_enable_alpn());
+ SSL_OptionSetDefault(SSL_ENABLE_0RTT_DATA,
+ StaticPrefs::security_tls_enable_0rtt_data());
+ SSL_OptionSetDefault(SSL_ENABLE_POST_HANDSHAKE_AUTH,
+ StaticPrefs::security_tls_enable_post_handshake_auth());
+ SSL_OptionSetDefault(
+ SSL_ENABLE_DELEGATED_CREDENTIALS,
+ StaticPrefs::security_tls_enable_delegated_credentials());
+
+ rv = InitializeCipherSuite();
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("Unable to initialize cipher suite settings\n"));
+ return rv;
+ }
+
+ DisableMD5();
+
+ mozilla::pkix::RegisterErrorTable();
+ SharedSSLState::GlobalInit();
+ SetValidationOptionsCommon();
+
+ return NS_OK;
+}
+
+void PrepareForShutdownInSocketProcess() {
+ MOZ_ASSERT(XRE_IsSocketProcess());
+ SharedSSLState::GlobalCleanup();
+}
+
+bool HandleTLSPrefChange(const nsCString& prefName) {
+ // Note that the code in this function should be kept in sync with
+ // gCallbackSecurityPrefs in nsIOService.cpp.
+ bool prefFound = true;
+ if (prefName.EqualsLiteral("security.tls.version.min") ||
+ prefName.EqualsLiteral("security.tls.version.max") ||
+ prefName.EqualsLiteral("security.tls.version.enable-deprecated")) {
+ Unused << nsNSSComponent::SetEnabledTLSVersions();
+ } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
+ SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK,
+ StaticPrefs::security_tls_hello_downgrade_check());
+ } else if (prefName.EqualsLiteral("security.ssl.require_safe_negotiation")) {
+ SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION,
+ StaticPrefs::security_ssl_require_safe_negotiation());
+ } else if (prefName.EqualsLiteral("security.ssl.enable_false_start")) {
+ SSL_OptionSetDefault(SSL_ENABLE_FALSE_START,
+ StaticPrefs::security_ssl_enable_false_start());
+ } else if (prefName.EqualsLiteral("security.ssl.enable_alpn")) {
+ SSL_OptionSetDefault(SSL_ENABLE_ALPN,
+ StaticPrefs::security_ssl_enable_alpn());
+ } else if (prefName.EqualsLiteral("security.tls.enable_0rtt_data")) {
+ SSL_OptionSetDefault(SSL_ENABLE_0RTT_DATA,
+ StaticPrefs::security_tls_enable_0rtt_data());
+ } else if (prefName.EqualsLiteral(
+ "security.tls.enable_post_handshake_auth")) {
+ SSL_OptionSetDefault(
+ SSL_ENABLE_POST_HANDSHAKE_AUTH,
+ StaticPrefs::security_tls_enable_post_handshake_auth());
+ } else if (prefName.EqualsLiteral(
+ "security.tls.enable_delegated_credentials")) {
+ SSL_OptionSetDefault(
+ SSL_ENABLE_DELEGATED_CREDENTIALS,
+ StaticPrefs::security_tls_enable_delegated_credentials());
+ } else if (prefName.EqualsLiteral(
+ "security.ssl.disable_session_identifiers")) {
+ ConfigureTLSSessionIdentifiers();
+ } else {
+ prefFound = false;
+ }
+ return prefFound;
+}
+
+void SetValidationOptionsCommon() {
+ // Note that the code in this function should be kept in sync with
+ // gCallbackSecurityPrefs in nsIOService.cpp.
+ bool ocspStaplingEnabled = StaticPrefs::security_ssl_enable_ocsp_stapling();
+ PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
+ PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
+
+ bool ocspMustStapleEnabled =
+ StaticPrefs::security_ssl_enable_ocsp_must_staple();
+ PublicSSLState()->SetOCSPMustStapleEnabled(ocspMustStapleEnabled);
+ PrivateSSLState()->SetOCSPMustStapleEnabled(ocspMustStapleEnabled);
+
+ const CertVerifier::CertificateTransparencyMode defaultCTMode =
+ CertVerifier::CertificateTransparencyMode::TelemetryOnly;
+ CertVerifier::CertificateTransparencyMode ctMode =
+ static_cast<CertVerifier::CertificateTransparencyMode>(
+ StaticPrefs::security_pki_certificate_transparency_mode());
+ switch (ctMode) {
+ case CertVerifier::CertificateTransparencyMode::Disabled:
+ case CertVerifier::CertificateTransparencyMode::TelemetryOnly:
+ break;
+ default:
+ ctMode = defaultCTMode;
+ break;
+ }
+ bool sctsEnabled =
+ ctMode != CertVerifier::CertificateTransparencyMode::Disabled;
+ PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
+ PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
+}
+
+namespace {
+
+class CipherSuiteChangeObserver : public nsIObserver {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIOBSERVER
+
+ static nsresult StartObserve();
+
+ protected:
+ virtual ~CipherSuiteChangeObserver() = default;
+
+ private:
+ static StaticRefPtr<CipherSuiteChangeObserver> sObserver;
+ CipherSuiteChangeObserver() = default;
+};
+
+NS_IMPL_ISUPPORTS(CipherSuiteChangeObserver, nsIObserver)
+
+// static
+StaticRefPtr<CipherSuiteChangeObserver> CipherSuiteChangeObserver::sObserver;
+
+// static
+nsresult CipherSuiteChangeObserver::StartObserve() {
+ MOZ_ASSERT(NS_IsMainThread(),
+ "CipherSuiteChangeObserver::StartObserve() can only be accessed "
+ "on the main thread");
+ if (!sObserver) {
+ RefPtr<CipherSuiteChangeObserver> observer =
+ new CipherSuiteChangeObserver();
+ nsresult rv = Preferences::AddStrongObserver(observer.get(), "security.");
+ if (NS_FAILED(rv)) {
+ sObserver = nullptr;
+ return rv;
+ }
+
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ observerService->AddObserver(observer, NS_XPCOM_SHUTDOWN_OBSERVER_ID,
+ false);
+
+ sObserver = observer;
+ }
+ return NS_OK;
+}
+
+// Enables or disabled ciphersuites from deprecated versions of TLS as
+// appropriate. If security.tls.version.enable-deprecated is true, these
+// ciphersuites may be enabled, if the corresponding preference is true.
+// Otherwise, these ciphersuites will be disabled.
+void SetDeprecatedTLS1CipherPrefs() {
+ if (StaticPrefs::security_tls_version_enable_deprecated()) {
+ for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
+ SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id,
+ deprecatedTLS1CipherPref.prefGetter());
+ }
+ } else {
+ for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
+ SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, false);
+ }
+ }
+}
+
+// static
+void SetKyberPolicy() {
+ if (StaticPrefs::security_tls_enable_kyber()) {
+ NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, NSS_USE_ALG_IN_SSL_KX, 0);
+ } else {
+ NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, 0, NSS_USE_ALG_IN_SSL_KX);
+ }
+}
+
+nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
+ const char* aTopic,
+ const char16_t* someData) {
+ MOZ_ASSERT(NS_IsMainThread(),
+ "CipherSuiteChangeObserver::Observe can only be accessed on main "
+ "thread");
+ if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
+ NS_ConvertUTF16toUTF8 prefName(someData);
+ // Look through the cipher table and set according to pref setting
+ for (const auto& cipherPref : sCipherPrefs) {
+ if (prefName.Equals(cipherPref.pref)) {
+ SSL_CipherPrefSetDefault(cipherPref.id, cipherPref.prefGetter());
+ break;
+ }
+ }
+ SetDeprecatedTLS1CipherPrefs();
+ SetKyberPolicy();
+ nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
+ } else if (nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
+ Preferences::RemoveObserver(this, "security.");
+ MOZ_ASSERT(sObserver.get() == this);
+ sObserver = nullptr;
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ observerService->RemoveObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID);
+ }
+ return NS_OK;
+}
+
+} // namespace
+
+void nsNSSComponent::setValidationOptions(
+ bool isInitialSetting, const mozilla::MutexAutoLock& proofOfLock) {
+ // We access prefs so this must be done on the main thread.
+ mMutex.AssertCurrentThreadOwns();
+ MOZ_ASSERT(NS_IsMainThread());
+ if (NS_WARN_IF(!NS_IsMainThread())) {
+ return;
+ }
+
+ SetValidationOptionsCommon();
+
+ const CertVerifier::CertificateTransparencyMode defaultCTMode =
+ CertVerifier::CertificateTransparencyMode::TelemetryOnly;
+ CertVerifier::CertificateTransparencyMode ctMode =
+ static_cast<CertVerifier::CertificateTransparencyMode>(
+ StaticPrefs::security_pki_certificate_transparency_mode());
+ switch (ctMode) {
+ case CertVerifier::CertificateTransparencyMode::Disabled:
+ case CertVerifier::CertificateTransparencyMode::TelemetryOnly:
+ break;
+ default:
+ ctMode = defaultCTMode;
+ break;
+ }
+
+ // This preference controls whether we do OCSP fetching and does not affect
+ // OCSP stapling.
+ // 0 = disabled, 1 = enabled, 2 = only enabled for EV
+ uint32_t ocspEnabled = StaticPrefs::security_OCSP_enabled();
+
+ bool ocspRequired = ocspEnabled > 0 && StaticPrefs::security_OCSP_require();
+
+ // We measure the setting of the pref at startup only to minimize noise by
+ // addons that may muck with the settings, though it probably doesn't matter.
+ if (isInitialSetting) {
+ Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled);
+ Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
+ }
+
+ NetscapeStepUpPolicy netscapeStepUpPolicy = static_cast<NetscapeStepUpPolicy>(
+ StaticPrefs::security_pki_netscape_step_up_policy());
+ switch (netscapeStepUpPolicy) {
+ case NetscapeStepUpPolicy::AlwaysMatch:
+ case NetscapeStepUpPolicy::MatchBefore23August2016:
+ case NetscapeStepUpPolicy::MatchBefore23August2015:
+ case NetscapeStepUpPolicy::NeverMatch:
+ break;
+ default:
+ netscapeStepUpPolicy = NetscapeStepUpPolicy::AlwaysMatch;
+ break;
+ }
+
+ CRLiteMode defaultCRLiteMode = CRLiteMode::Disabled;
+ CRLiteMode crliteMode =
+ static_cast<CRLiteMode>(StaticPrefs::security_pki_crlite_mode());
+ switch (crliteMode) {
+ case CRLiteMode::Disabled:
+ case CRLiteMode::TelemetryOnly:
+ case CRLiteMode::Enforce:
+ case CRLiteMode::ConfirmRevocations:
+ break;
+ default:
+ crliteMode = defaultCRLiteMode;
+ break;
+ }
+
+ CertVerifier::OcspDownloadConfig odc;
+ CertVerifier::OcspStrictConfig osc;
+ uint32_t certShortLifetimeInDays;
+ TimeDuration softTimeout;
+ TimeDuration hardTimeout;
+
+ GetRevocationBehaviorFromPrefs(&odc, &osc, &certShortLifetimeInDays,
+ softTimeout, hardTimeout);
+
+ mDefaultCertVerifier = new SharedCertVerifier(
+ odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays,
+ netscapeStepUpPolicy, ctMode, crliteMode, mEnterpriseCerts);
+}
+
+void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
+ MutexAutoLock lock(mMutex);
+ if (!mDefaultCertVerifier) {
+ return;
+ }
+
+ RefPtr<SharedCertVerifier> oldCertVerifier = mDefaultCertVerifier;
+ mDefaultCertVerifier = new SharedCertVerifier(
+ oldCertVerifier->mOCSPDownloadConfig,
+ oldCertVerifier->mOCSPStrict ? CertVerifier::ocspStrict
+ : CertVerifier::ocspRelaxed,
+ oldCertVerifier->mOCSPTimeoutSoft, oldCertVerifier->mOCSPTimeoutHard,
+ oldCertVerifier->mCertShortLifetimeInDays,
+ oldCertVerifier->mNetscapeStepUpPolicy, oldCertVerifier->mCTMode,
+ oldCertVerifier->mCRLiteMode, mEnterpriseCerts);
+}
+
+// Enable the TLS versions given in the prefs, defaulting to TLS 1.0 (min) and
+// TLS 1.2 (max) when the prefs aren't set or set to invalid values.
+nsresult nsNSSComponent::SetEnabledTLSVersions() {
+ // Keep these values in sync with all.js.
+ // 1 means TLS 1.0, 2 means TLS 1.1, etc.
+ static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 3;
+ static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 4;
+ static const uint32_t PSM_DEPRECATED_TLS_VERSION = 1;
+
+ uint32_t minFromPrefs = StaticPrefs::security_tls_version_min();
+ uint32_t maxFromPrefs = StaticPrefs::security_tls_version_max();
+
+ // This override should be removed some time after
+ // PSM_DEFAULT_MIN_TLS_VERSION is increased to 3.
+ bool enableDeprecated = StaticPrefs::security_tls_version_enable_deprecated();
+ if (enableDeprecated) {
+ minFromPrefs = std::min(minFromPrefs, PSM_DEPRECATED_TLS_VERSION);
+ }
+
+ SSLVersionRange defaults = {
+ SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION,
+ SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION};
+ SSLVersionRange filledInRange;
+ FillTLSVersionRange(filledInRange, minFromPrefs, maxFromPrefs, defaults);
+
+ SECStatus srv =
+ SSL_VersionRangeSetDefault(ssl_variant_stream, &filledInRange);
+ if (srv != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+#if defined(XP_WIN) || (defined(XP_LINUX) && !defined(ANDROID))
+// If the profile directory is on a networked drive, we want to set the
+// environment variable NSS_SDB_USE_CACHE to yes (as long as it hasn't been set
+// before).
+static void SetNSSDatabaseCacheModeAsAppropriate() {
+ MOZ_ASSERT(NS_IsMainThread());
+
+ nsCOMPtr<nsIFile> profileFile;
+ nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
+ getter_AddRefs(profileFile));
+ if (NS_FAILED(rv)) {
+ // We're probably running without a profile directory, so this is
+ // irrelevant.
+ return;
+ }
+
+ static const char sNSS_SDB_USE_CACHE[] = "NSS_SDB_USE_CACHE";
+ static const char sNSS_SDB_USE_CACHE_WITH_VALUE[] = "NSS_SDB_USE_CACHE=yes";
+ auto profilePath = profileFile->NativePath();
+
+# if defined(XP_LINUX) && !defined(ANDROID)
+ struct statfs statfs_s;
+ if (statfs(profilePath.get(), &statfs_s) == 0 &&
+ statfs_s.f_type == NFS_SUPER_MAGIC && !PR_GetEnv(sNSS_SDB_USE_CACHE)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("profile is remote (and NSS_SDB_USE_CACHE wasn't set): "
+ "setting NSS_SDB_USE_CACHE"));
+ PR_SetEnv(sNSS_SDB_USE_CACHE_WITH_VALUE);
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("not setting NSS_SDB_USE_CACHE"));
+ }
+# endif // defined(XP_LINUX) && !defined(ANDROID)
+
+# ifdef XP_WIN
+ wchar_t volPath[MAX_PATH];
+ if (::GetVolumePathNameW(profilePath.get(), volPath, MAX_PATH) &&
+ ::GetDriveTypeW(volPath) == DRIVE_REMOTE &&
+ !PR_GetEnv(sNSS_SDB_USE_CACHE)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("profile is remote (and NSS_SDB_USE_CACHE wasn't set): "
+ "setting NSS_SDB_USE_CACHE"));
+ PR_SetEnv(sNSS_SDB_USE_CACHE_WITH_VALUE);
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("not setting NSS_SDB_USE_CACHE"));
+ }
+# endif // XP_WIN
+}
+#endif // defined(XP_WIN) || (defined(XP_LINUX) && !defined(ANDROID))
+
+static nsresult GetNSSProfilePath(nsAutoCString& aProfilePath) {
+ aProfilePath.Truncate();
+ nsCOMPtr<nsIFile> profileFile;
+ nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
+ getter_AddRefs(profileFile));
+ if (NS_FAILED(rv)) {
+ NS_WARNING(
+ "NSS will be initialized without a profile directory. "
+ "Some things may not work as expected.");
+ return NS_OK;
+ }
+
+#if defined(XP_WIN)
+ // SQLite always takes UTF-8 file paths regardless of the current system
+ // code page.
+ nsCOMPtr<nsILocalFileWin> profileFileWin(do_QueryInterface(profileFile));
+ if (!profileFileWin) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("Could not get nsILocalFileWin for profile directory.\n"));
+ return NS_ERROR_FAILURE;
+ }
+ nsAutoString u16ProfilePath;
+ rv = profileFileWin->GetPath(u16ProfilePath);
+ CopyUTF16toUTF8(u16ProfilePath, aProfilePath);
+#else
+ rv = profileFile->GetNativePath(aProfilePath);
+#endif
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("Could not get native path for profile directory.\n"));
+ return rv;
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("NSS profile at '%s'\n", aProfilePath.get()));
+ return NS_OK;
+}
+
+#ifndef ANDROID
+// Given a profile path, attempt to rename the PKCS#11 module DB to
+// "pkcs11.txt.fips". In the case of a catastrophic failure (e.g. out of
+// memory), returns a failing nsresult. If execution could conceivably proceed,
+// returns NS_OK even if renaming the file didn't work. This simplifies the
+// logic of the calling code.
+// |profilePath| is encoded in UTF-8.
+static nsresult AttemptToRenamePKCS11ModuleDB(const nsACString& profilePath) {
+ nsCOMPtr<nsIFile> profileDir = do_CreateInstance("@mozilla.org/file/local;1");
+ if (!profileDir) {
+ return NS_ERROR_FAILURE;
+ }
+# ifdef XP_WIN
+ // |profilePath| is encoded in UTF-8 because SQLite always takes UTF-8 file
+ // paths regardless of the current system code page.
+ nsresult rv = profileDir->InitWithPath(NS_ConvertUTF8toUTF16(profilePath));
+# else
+ nsresult rv = profileDir->InitWithNativePath(profilePath);
+# endif
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ const char* moduleDBFilename = "pkcs11.txt";
+ nsAutoCString destModuleDBFilename(moduleDBFilename);
+ destModuleDBFilename.Append(".fips");
+ nsCOMPtr<nsIFile> dbFile;
+ rv = profileDir->Clone(getter_AddRefs(dbFile));
+ if (NS_FAILED(rv) || !dbFile) {
+ return NS_ERROR_FAILURE;
+ }
+ rv = dbFile->AppendNative(nsAutoCString(moduleDBFilename));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // If the PKCS#11 module DB doesn't exist, renaming it won't help.
+ bool exists;
+ rv = dbFile->Exists(&exists);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // This is strange, but not a catastrophic failure.
+ if (!exists) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("%s doesn't exist?", moduleDBFilename));
+ return NS_OK;
+ }
+ nsCOMPtr<nsIFile> destDBFile;
+ rv = profileDir->Clone(getter_AddRefs(destDBFile));
+ if (NS_FAILED(rv) || !destDBFile) {
+ return NS_ERROR_FAILURE;
+ }
+ rv = destDBFile->AppendNative(destModuleDBFilename);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // If the destination exists, presumably we've already tried this. Doing it
+ // again won't help.
+ rv = destDBFile->Exists(&exists);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // Unfortunate, but not a catastrophic failure.
+ if (exists) {
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("%s already exists - not overwriting", destModuleDBFilename.get()));
+ return NS_OK;
+ }
+ // Now do the actual move.
+ // This may fail on, e.g., a read-only file system. This would be unfortunate,
+ // but again it isn't catastropic and we would want to fall back to
+ // initializing NSS in no-DB mode.
+ Unused << dbFile->MoveToNative(profileDir, destModuleDBFilename);
+ return NS_OK;
+}
+#endif // ifndef ANDROID
+
+// Given a profile directory, attempt to initialize NSS. If nocertdb is true,
+// (or if we don't have a profile directory) simply initialize NSS in no DB mode
+// and return. Otherwise, first attempt to initialize in read/write mode, and
+// then read-only mode if that fails. If both attempts fail, we may be failing
+// to initialize an NSS DB collection that has FIPS mode enabled. Attempt to
+// ascertain if this is the case, and if so, rename the offending PKCS#11 module
+// DB so we can (hopefully) initialize NSS in read-write mode. Again attempt
+// read-only mode if that fails. Finally, fall back to no DB mode. On Android
+// we can skip the FIPS workaround since it was never possible to enable FIPS
+// there anyway.
+// |profilePath| is encoded in UTF-8.
+static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
+ bool nocertdb, bool safeMode) {
+ if (nocertdb || profilePath.IsEmpty()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nocertdb mode or empty profile path -> NSS_NoDB_Init"));
+ SECStatus srv = NSS_NoDB_Init(nullptr);
+#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
+ if (srv != SECSuccess) {
+ MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %d",
+ PR_GetError());
+ }
+#endif
+ return srv == SECSuccess ? NS_OK : NS_ERROR_FAILURE;
+ }
+
+ // Try read/write mode. If we're in safeMode, we won't load PKCS#11 modules.
+#ifndef ANDROID
+ PRErrorCode savedPRErrorCode1;
+#endif // ifndef ANDROID
+ PKCS11DBConfig safeModeDBConfig =
+ safeMode ? PKCS11DBConfig::DoNotLoadModules : PKCS11DBConfig::LoadModules;
+ SECStatus srv = ::mozilla::psm::InitializeNSS(
+ profilePath, NSSDBConfig::ReadWrite, safeModeDBConfig);
+ if (srv == SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode"));
+ return NS_OK;
+ }
+#ifndef ANDROID
+ savedPRErrorCode1 = PR_GetError();
+ PRErrorCode savedPRErrorCode2;
+#endif // ifndef ANDROID
+ // That failed. Try read-only mode.
+ srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly,
+ safeModeDBConfig);
+ if (srv == SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r-o mode"));
+ return NS_OK;
+ }
+#ifndef ANDROID
+ savedPRErrorCode2 = PR_GetError();
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("failed to initialize NSS with codes %d %d", savedPRErrorCode1,
+ savedPRErrorCode2));
+#endif // ifndef ANDROID
+
+#ifndef ANDROID
+ // That failed as well. Maybe we're trying to load a PKCS#11 module DB that is
+ // in FIPS mode, but we don't support FIPS? Test load NSS without PKCS#11
+ // modules. If that succeeds, that's probably what's going on.
+ if (!safeMode && (savedPRErrorCode1 == SEC_ERROR_LEGACY_DATABASE ||
+ savedPRErrorCode2 == SEC_ERROR_LEGACY_DATABASE ||
+ savedPRErrorCode1 == SEC_ERROR_PKCS11_DEVICE_ERROR ||
+ savedPRErrorCode2 == SEC_ERROR_PKCS11_DEVICE_ERROR)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("attempting no-module db init"));
+ // It would make sense to initialize NSS in read-only mode here since this
+ // is just a test to see if the PKCS#11 module DB being in FIPS mode is the
+ // problem, but for some reason the combination of read-only and no-moddb
+ // flags causes NSS initialization to fail, so unfortunately we have to use
+ // read-write mode.
+ srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite,
+ PKCS11DBConfig::DoNotLoadModules);
+ if (srv == SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FIPS may be the problem"));
+ // Unload NSS so we can attempt to fix this situation for the user.
+ srv = NSS_Shutdown();
+ if (srv != SECSuccess) {
+# ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
+ MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %d",
+ PR_GetError());
+# endif
+ return NS_ERROR_FAILURE;
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("trying to rename module db"));
+ // If this fails non-catastrophically, we'll attempt to initialize NSS
+ // again in r/w then r-o mode (both of which will fail), and then we'll
+ // fall back to NSS_NoDB_Init, which is the behavior we want.
+ nsresult rv = AttemptToRenamePKCS11ModuleDB(profilePath);
+ if (NS_FAILED(rv)) {
+# ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
+ // An nsresult is a uint32_t, but at least one of our compilers doesn't
+ // like this format string unless we include the cast. <shruggie emoji>
+ MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %u",
+ (uint32_t)rv);
+# endif
+ return rv;
+ }
+ srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite,
+ PKCS11DBConfig::LoadModules);
+ if (srv == SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r/w mode"));
+ return NS_OK;
+ }
+ srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly,
+ PKCS11DBConfig::LoadModules);
+ if (srv == SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r-o mode"));
+ return NS_OK;
+ }
+ }
+ }
+#endif
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("last-resort NSS_NoDB_Init"));
+ srv = NSS_NoDB_Init(nullptr);
+#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
+ if (srv != SECSuccess) {
+ MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %d",
+ PR_GetError());
+ }
+#endif
+ return srv == SECSuccess ? NS_OK : NS_ERROR_FAILURE;
+}
+
+#if defined(NIGHTLY_BUILD) && !defined(ANDROID)
+// dbType is either "cert9.db" or "key4.db"
+void UnmigrateOneCertDB(const nsCOMPtr<nsIFile>& profileDirectory,
+ const nsACString& dbType) {
+ nsCOMPtr<nsIFile> dbFile;
+ nsresult rv = profileDirectory->Clone(getter_AddRefs(dbFile));
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ rv = dbFile->AppendNative(dbType);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ bool exists;
+ rv = dbFile->Exists(&exists);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ // If the unprefixed DB already exists, don't overwrite it.
+ if (exists) {
+ return;
+ }
+ nsCOMPtr<nsIFile> prefixedDBFile;
+ rv = profileDirectory->Clone(getter_AddRefs(prefixedDBFile));
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ nsAutoCString prefixedDBName("gecko-no-share-");
+ prefixedDBName.Append(dbType);
+ rv = prefixedDBFile->AppendNative(prefixedDBName);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ Unused << prefixedDBFile->MoveToNative(nullptr, dbType);
+}
+
+void UnmigrateFromPrefixedCertDBs() {
+ nsCOMPtr<nsIFile> profileDirectory;
+ nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
+ getter_AddRefs(profileDirectory));
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ UnmigrateOneCertDB(profileDirectory, "cert9.db"_ns);
+ UnmigrateOneCertDB(profileDirectory, "key4.db"_ns);
+}
+#endif // defined(NIGHTLY_BUILD) && !defined(ANDROID)
+
+nsresult nsNSSComponent::InitializeNSS() {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::InitializeNSS\n"));
+ AUTO_PROFILER_LABEL("nsNSSComponent::InitializeNSS", OTHER);
+ AUTO_PROFILER_TRACING_MARKER("NSS", "nsNSSComponent::InitializeNSS", OTHER);
+
+ static_assert(
+ nsINSSErrorsService::NSS_SEC_ERROR_BASE == SEC_ERROR_BASE &&
+ nsINSSErrorsService::NSS_SEC_ERROR_LIMIT == SEC_ERROR_LIMIT &&
+ nsINSSErrorsService::NSS_SSL_ERROR_BASE == SSL_ERROR_BASE &&
+ nsINSSErrorsService::NSS_SSL_ERROR_LIMIT == SSL_ERROR_LIMIT,
+ "You must update the values in nsINSSErrorsService.idl");
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("NSS Initialization beginning\n"));
+
+ nsAutoCString profileStr;
+ nsresult rv = GetNSSProfilePath(profileStr);
+ MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
+ if (NS_FAILED(rv)) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+#if defined(NIGHTLY_BUILD) && !defined(ANDROID)
+ if (!profileStr.IsEmpty()) {
+ UnmigrateFromPrefixedCertDBs();
+ }
+#endif
+
+#if defined(XP_WIN) || (defined(XP_LINUX) && !defined(ANDROID))
+ SetNSSDatabaseCacheModeAsAppropriate();
+#endif
+
+ bool nocertdb = StaticPrefs::security_nocertdb_AtStartup();
+ bool inSafeMode = true;
+ nsCOMPtr<nsIXULRuntime> runtime(do_GetService("@mozilla.org/xre/runtime;1"));
+ // There might not be an nsIXULRuntime in embedded situations. This will
+ // default to assuming we are in safe mode (as a result, no external PKCS11
+ // modules will be loaded).
+ if (runtime) {
+ rv = runtime->GetInSafeMode(&inSafeMode);
+ MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("inSafeMode: %u\n", inSafeMode));
+
+ rv = InitializeNSSWithFallbacks(profileStr, nocertdb, inSafeMode);
+ MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("failed to initialize NSS"));
+ return rv;
+ }
+
+ PK11_SetPasswordFunc(PK11PasswordPrompt);
+
+ // Register an observer so we can inform NSS when these prefs change
+ Preferences::AddStrongObserver(this, "security.");
+
+ rv = CommonInit();
+
+ MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
+ if (NS_FAILED(rv)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsCOMPtr<nsICertOverrideService> certOverrideService(
+ do_GetService(NS_CERTOVERRIDE_CONTRACTID));
+ nsCOMPtr<nsIClientAuthRememberService> clientAuthRememberService(
+ do_GetService(NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID));
+ nsCOMPtr<nsISiteSecurityService> siteSecurityService(
+ do_GetService(NS_SSSERVICE_CONTRACTID));
+ nsCOMPtr<nsICertStorage> certStorage(do_GetService(NS_CERT_STORAGE_CID));
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("NSS Initialization done\n"));
+
+ {
+ MutexAutoLock lock(mMutex);
+
+ // ensure we have initial values for various root hashes
+#ifdef DEBUG
+ mTestBuiltInRootHash.Truncate();
+ Preferences::GetCString("security.test.built_in_root_hash",
+ mTestBuiltInRootHash);
+#endif
+ mMitmCanaryIssuer.Truncate();
+ Preferences::GetString("security.pki.mitm_canary_issuer",
+ mMitmCanaryIssuer);
+ mMitmDetecionEnabled =
+ Preferences::GetBool("security.pki.mitm_canary_issuer.enabled", true);
+
+ // Set dynamic options from prefs.
+ setValidationOptions(true, lock);
+
+ bool importEnterpriseRoots =
+ StaticPrefs::security_enterprise_roots_enabled();
+ Vector<nsCString> possibleLoadableRootsLocations;
+ rv = ListPossibleLoadableRootsLocations(possibleLoadableRootsLocations);
+ MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ bool loadOSClientCertsModule =
+ StaticPrefs::security_osclientcerts_autoload();
+ Maybe<nsCString> maybeOSClientCertsModuleLocation;
+ if (loadOSClientCertsModule) {
+ nsAutoCString libraryDir;
+ if (NS_SUCCEEDED(GetDirectoryPath(NS_GRE_BIN_DIR, libraryDir))) {
+ maybeOSClientCertsModuleLocation.emplace(libraryDir);
+ }
+ }
+ RefPtr<LoadLoadableCertsTask> loadLoadableCertsTask(
+ new LoadLoadableCertsTask(this, importEnterpriseRoots,
+ std::move(possibleLoadableRootsLocations),
+ std::move(maybeOSClientCertsModuleLocation)));
+ rv = loadLoadableCertsTask->Dispatch();
+ MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return NS_OK;
+ }
+}
+
+void nsNSSComponent::PrepareForShutdown() {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::PrepareForShutdown"));
+ MOZ_RELEASE_ASSERT(NS_IsMainThread());
+
+ PK11_SetPasswordFunc((PK11PasswordFunc) nullptr);
+
+ Preferences::RemoveObserver(this, "security.");
+
+ if (mIntermediatePreloadingHealerTimer) {
+ mIntermediatePreloadingHealerTimer->Cancel();
+ mIntermediatePreloadingHealerTimer = nullptr;
+ }
+
+ // Release the default CertVerifier. This will cause any held NSS resources
+ // to be released.
+ MutexAutoLock lock(mMutex);
+ mDefaultCertVerifier = nullptr;
+ // We don't actually shut down NSS - XPCOM does, after all threads have been
+ // joined and the component manager has been shut down (and so there shouldn't
+ // be any XPCOM objects holding NSS resources).
+}
+
+// The aim of the intermediate preloading healer is to remove intermediates
+// that were previously cached by PSM in the NSS certdb that are now preloaded
+// in cert_storage. When cached by PSM, these certificates will have no
+// particular trust set - they are intended to inherit their trust. If, upon
+// examination, these certificates do have trust bits set that affect
+// certificate validation, they must have been modified by the user, so we want
+// to leave them alone.
+bool CertHasDefaultTrust(CERTCertificate* cert) {
+ CERTCertTrust trust;
+ if (CERT_GetCertTrust(cert, &trust) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CERT_GetCertTrust failed"));
+ return false;
+ }
+ // This is the active distrust test for CA certificates (this is expected to
+ // be an intermediate).
+ if ((trust.sslFlags & (CERTDB_TRUSTED_CA | CERTDB_TERMINAL_RECORD)) ==
+ CERTDB_TERMINAL_RECORD) {
+ return false;
+ }
+ // This is the trust anchor test.
+ if (trust.sslFlags & CERTDB_TRUSTED_CA) {
+ return false;
+ }
+ // This is the active distrust test for CA certificates (this is expected to
+ // be an intermediate).
+ if ((trust.emailFlags & (CERTDB_TRUSTED_CA | CERTDB_TERMINAL_RECORD)) ==
+ CERTDB_TERMINAL_RECORD) {
+ return false;
+ }
+ // This is the trust anchor test.
+ if (trust.emailFlags & CERTDB_TRUSTED_CA) {
+ return false;
+ }
+ return true;
+}
+
+void IntermediatePreloadingHealerCallback(nsITimer*, void*) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("IntermediatePreloadingHealerCallback"));
+
+ if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Exiting healer due to app shutdown"));
+ return;
+ }
+
+ // Get the slot corresponding to the NSS certdb.
+ UniquePK11SlotInfo softokenSlot(PK11_GetInternalKeySlot());
+ if (!softokenSlot) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("PK11_GetInternalKeySlot failed"));
+ return;
+ }
+ // List the certificates in the NSS certdb.
+ UniqueCERTCertList softokenCertificates(
+ PK11_ListCertsInSlot(softokenSlot.get()));
+ if (!softokenCertificates) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("PK11_ListCertsInSlot failed"));
+ return;
+ }
+ nsCOMPtr<nsICertStorage> certStorage(do_GetService(NS_CERT_STORAGE_CID));
+ if (!certStorage) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't get cert_storage"));
+ return;
+ }
+ Vector<UniqueCERTCertificate> certsToDelete;
+ // For each certificate, look it up in cert_storage. If there's a match, this
+ // is a preloaded intermediate.
+ for (CERTCertListNode* n = CERT_LIST_HEAD(softokenCertificates);
+ !CERT_LIST_END(n, softokenCertificates); n = CERT_LIST_NEXT(n)) {
+ if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Exiting healer due to app shutdown"));
+ return;
+ }
+
+ nsTArray<uint8_t> subject;
+ subject.AppendElements(n->cert->derSubject.data, n->cert->derSubject.len);
+ nsTArray<nsTArray<uint8_t>> certs;
+ nsresult rv = certStorage->FindCertsBySubject(subject, certs);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FindCertsBySubject failed"));
+ break;
+ }
+ for (const auto& encodedCert : certs) {
+ if (encodedCert.Length() != n->cert->derCert.len) {
+ continue;
+ }
+ if (memcmp(encodedCert.Elements(), n->cert->derCert.data,
+ encodedCert.Length()) != 0) {
+ continue;
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("found preloaded intermediate in certdb"));
+ if (!CertHasDefaultTrust(n->cert)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("certificate doesn't have default trust - skipping"));
+ continue;
+ }
+ UniqueCERTCertificate certCopy(CERT_DupCertificate(n->cert));
+ if (!certCopy) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CERT_DupCertificate failed"));
+ continue;
+ }
+ // Note that we want to remove this certificate from the NSS certdb
+ // because it also exists in preloaded intermediate storage and is thus
+ // superfluous.
+ if (!certsToDelete.append(std::move(certCopy))) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("append failed - out of memory?"));
+ return;
+ }
+ break;
+ }
+ // Only delete 20 at a time.
+ if (certsToDelete.length() >= 20) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("found limit of 20 preloaded intermediates in certdb"));
+ break;
+ }
+ }
+ for (const auto& certToDelete : certsToDelete) {
+ if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("Exiting healer due to app shutdown"));
+ return;
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("attempting to delete preloaded intermediate '%s'",
+ certToDelete->subjectName));
+ if (SEC_DeletePermCertificate(certToDelete.get()) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("SEC_DeletePermCertificate failed"));
+ }
+ }
+
+ // This is for tests - notify that this ran.
+ nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
+ "IntermediatePreloadingHealerCallbackDone", []() -> void {
+ nsCOMPtr<nsIObserverService> observerService =
+ mozilla::services::GetObserverService();
+ if (observerService) {
+ observerService->NotifyObservers(
+ nullptr, "psm:intermediate-preloading-healer-ran", nullptr);
+ }
+ }));
+ Unused << NS_DispatchToMainThread(runnable.forget());
+}
+
+nsresult nsNSSComponent::Init() {
+ MOZ_RELEASE_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ MOZ_ASSERT(XRE_IsParentProcess());
+ if (!XRE_IsParentProcess()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ Telemetry::AutoScalarTimer<Telemetry::ScalarID::NETWORKING_NSS_INITIALIZATION>
+ timer;
+ uint32_t zero = 0; // Directly using 0 makes the call to ScalarSet ambiguous.
+ Telemetry::ScalarSet(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE,
+ u"requested"_ns, zero);
+ Telemetry::ScalarSet(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE,
+ u"sent"_ns, zero);
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Beginning NSS initialization\n"));
+
+ nsresult rv = InitializeNSS();
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("nsNSSComponent::InitializeNSS() failed\n"));
+ return rv;
+ }
+
+ rv = RegisterObservers();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = MaybeEnableIntermediatePreloadingHealer();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ return NS_OK;
+}
+
+nsresult nsNSSComponent::MaybeEnableIntermediatePreloadingHealer() {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSComponent::MaybeEnableIntermediatePreloadingHealer"));
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ if (mIntermediatePreloadingHealerTimer) {
+ mIntermediatePreloadingHealerTimer->Cancel();
+ mIntermediatePreloadingHealerTimer = nullptr;
+ }
+
+ if (!StaticPrefs::security_intermediate_preloading_healer_enabled()) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIEventTarget> socketThread(
+ do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
+ if (!socketThread) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("couldn't get socket thread?"));
+ return NS_ERROR_FAILURE;
+ }
+ uint32_t timerDelayMS =
+ StaticPrefs::security_intermediate_preloading_healer_timer_interval_ms();
+ nsresult rv = NS_NewTimerWithFuncCallback(
+ getter_AddRefs(mIntermediatePreloadingHealerTimer),
+ IntermediatePreloadingHealerCallback, nullptr, timerDelayMS,
+ nsITimer::TYPE_REPEATING_SLACK_LOW_PRIORITY,
+ "IntermediatePreloadingHealer", socketThread);
+ if (NS_FAILED(rv)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("NS_NewTimerWithFuncCallback failed"));
+ return rv;
+ }
+ return NS_OK;
+}
+
+// nsISupports Implementation for the class
+NS_IMPL_ISUPPORTS(nsNSSComponent, nsINSSComponent, nsIObserver)
+
+static const char* const PROFILE_BEFORE_CHANGE_TOPIC = "profile-before-change";
+
+NS_IMETHODIMP
+nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
+ const char16_t* someData) {
+ // In some tests, we don't receive a "profile-before-change" topic. However,
+ // we still have to shut down before the storage service shuts down, because
+ // closing the sql-backed softoken requires sqlite still be available. Thus,
+ // we observe "xpcom-shutdown" just in case.
+ if (nsCRT::strcmp(aTopic, PROFILE_BEFORE_CHANGE_TOPIC) == 0 ||
+ nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("receiving profile change or XPCOM shutdown notification"));
+ PrepareForShutdown();
+ } else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
+ bool clearSessionCache = true;
+ NS_ConvertUTF16toUTF8 prefName(someData);
+
+ if (HandleTLSPrefChange(prefName)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("HandleTLSPrefChange done"));
+ } else if (prefName.EqualsLiteral("security.OCSP.enabled") ||
+ prefName.EqualsLiteral("security.OCSP.require") ||
+ prefName.EqualsLiteral(
+ "security.pki.cert_short_lifetime_in_days") ||
+ prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
+ prefName.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
+ prefName.EqualsLiteral(
+ "security.pki.certificate_transparency.mode") ||
+ prefName.EqualsLiteral("security.pki.netscape_step_up_policy") ||
+ prefName.EqualsLiteral(
+ "security.OCSP.timeoutMilliseconds.soft") ||
+ prefName.EqualsLiteral(
+ "security.OCSP.timeoutMilliseconds.hard") ||
+ prefName.EqualsLiteral("security.pki.crlite_mode")) {
+ MutexAutoLock lock(mMutex);
+ setValidationOptions(false, lock);
+#ifdef DEBUG
+ } else if (prefName.EqualsLiteral("security.test.built_in_root_hash")) {
+ MutexAutoLock lock(mMutex);
+ mTestBuiltInRootHash.Truncate();
+ Preferences::GetCString("security.test.built_in_root_hash",
+ mTestBuiltInRootHash);
+#endif // DEBUG
+ } else if (prefName.Equals("security.enterprise_roots.enabled")) {
+ UnloadEnterpriseRoots();
+ MaybeImportEnterpriseRoots();
+ } else if (prefName.Equals("security.osclientcerts.autoload")) {
+ bool loadOSClientCertsModule =
+ StaticPrefs::security_osclientcerts_autoload();
+ AsyncLoadOrUnloadOSClientCertsModule(loadOSClientCertsModule);
+ } else if (prefName.EqualsLiteral("security.pki.mitm_canary_issuer")) {
+ MutexAutoLock lock(mMutex);
+ mMitmCanaryIssuer.Truncate();
+ Preferences::GetString("security.pki.mitm_canary_issuer",
+ mMitmCanaryIssuer);
+ } else if (prefName.EqualsLiteral(
+ "security.pki.mitm_canary_issuer.enabled")) {
+ MutexAutoLock lock(mMutex);
+ mMitmDetecionEnabled =
+ Preferences::GetBool("security.pki.mitm_canary_issuer.enabled", true);
+ } else {
+ clearSessionCache = false;
+ }
+ if (clearSessionCache) {
+ ClearSSLExternalAndInternalSessionCache();
+ }
+
+ // Preferences that don't affect certificate verification.
+ if (prefName.Equals("security.intermediate_preloading_healer.enabled") ||
+ prefName.Equals(
+ "security.intermediate_preloading_healer.timer_interval_ms")) {
+ MaybeEnableIntermediatePreloadingHealer();
+ }
+ }
+
+ return NS_OK;
+}
+
+/*static*/
+nsresult nsNSSComponent::GetNewPrompter(nsIPrompt** result) {
+ NS_ENSURE_ARG_POINTER(result);
+ *result = nullptr;
+
+ if (!NS_IsMainThread()) {
+ NS_ERROR("nsSDRContext::GetNewPrompter called off the main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ nsresult rv;
+ nsCOMPtr<nsIWindowWatcher> wwatch(
+ do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = wwatch->GetNewPrompter(0, result);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ return rv;
+}
+
+nsresult nsNSSComponent::LogoutAuthenticatedPK11() {
+ nsCOMPtr<nsICertOverrideService> icos =
+ do_GetService("@mozilla.org/security/certoverride;1");
+ if (icos) {
+ icos->ClearValidityOverride("all:temporary-certificates"_ns, 0,
+ OriginAttributes());
+ }
+
+ ClearSSLExternalAndInternalSessionCache();
+
+ nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
+ if (os) {
+ os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr);
+ }
+
+ return NS_OK;
+}
+
+nsresult nsNSSComponent::RegisterObservers() {
+ nsCOMPtr<nsIObserverService> observerService(
+ do_GetService("@mozilla.org/observer-service;1"));
+ if (!observerService) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSComponent: couldn't get observer service\n"));
+ return NS_ERROR_FAILURE;
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent: adding observers\n"));
+ // Using false for the ownsweak parameter means the observer service will
+ // keep a strong reference to this component. As a result, this will live at
+ // least as long as the observer service.
+ observerService->AddObserver(this, PROFILE_BEFORE_CHANGE_TOPIC, false);
+ observerService->AddObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false);
+
+ return NS_OK;
+}
+
+nsresult DoesCertMatchFingerprint(const nsTArray<uint8_t>& cert,
+ const nsCString& fingerprint, bool& result) {
+ result = false;
+
+ if (cert.Length() > std::numeric_limits<uint32_t>::max()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ nsTArray<uint8_t> digestArray;
+ nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, cert.Elements(),
+ cert.Length(), digestArray);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ SECItem digestItem = {siBuffer, digestArray.Elements(),
+ static_cast<unsigned int>(digestArray.Length())};
+ UniquePORTString certFingerprint(
+ CERT_Hexify(&digestItem, true /* use colon delimiters */));
+ if (!certFingerprint) {
+ return NS_ERROR_FAILURE;
+ }
+
+ result = fingerprint.Equals(certFingerprint.get());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSComponent::IsCertTestBuiltInRoot(const nsTArray<uint8_t>& cert,
+ bool* result) {
+ NS_ENSURE_ARG_POINTER(result);
+ *result = false;
+
+#ifdef DEBUG
+ MutexAutoLock lock(mMutex);
+ nsresult rv = DoesCertMatchFingerprint(cert, mTestBuiltInRootHash, *result);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+#endif // DEBUG
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSComponent::IssuerMatchesMitmCanary(const char* aCertIssuer) {
+ MutexAutoLock lock(mMutex);
+ if (mMitmDetecionEnabled && !mMitmCanaryIssuer.IsEmpty()) {
+ nsString certIssuer = NS_ConvertUTF8toUTF16(aCertIssuer);
+ if (mMitmCanaryIssuer.Equals(certIssuer)) {
+ return NS_OK;
+ }
+ }
+
+ return NS_ERROR_FAILURE;
+}
+
+SharedCertVerifier::~SharedCertVerifier() = default;
+
+NS_IMETHODIMP
+nsNSSComponent::GetDefaultCertVerifier(SharedCertVerifier** result) {
+ MutexAutoLock lock(mMutex);
+ NS_ENSURE_ARG_POINTER(result);
+ RefPtr<SharedCertVerifier> certVerifier(mDefaultCertVerifier);
+ certVerifier.forget(result);
+ return NS_OK;
+}
+
+// static
+void nsNSSComponent::DoClearSSLExternalAndInternalSessionCache() {
+ SSL_ClearSessionCache();
+ mozilla::net::SSLTokensCache::Clear();
+}
+
+NS_IMETHODIMP
+nsNSSComponent::ClearSSLExternalAndInternalSessionCache() {
+ MOZ_ASSERT(XRE_IsParentProcess());
+ if (!XRE_IsParentProcess()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ if (mozilla::net::nsIOService::UseSocketProcess()) {
+ if (mozilla::net::gIOService) {
+ mozilla::net::gIOService->CallOrWaitForSocketProcess([]() {
+ Unused << mozilla::net::SocketProcessParent::GetSingleton()
+ ->SendClearSessionCache();
+ });
+ }
+ }
+ DoClearSSLExternalAndInternalSessionCache();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSComponent::AsyncClearSSLExternalAndInternalSessionCache(
+ JSContext* aCx, ::mozilla::dom::Promise** aPromise) {
+ MOZ_ASSERT(XRE_IsParentProcess());
+ if (!XRE_IsParentProcess()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
+ if (NS_WARN_IF(!globalObject)) {
+ return NS_ERROR_FAILURE;
+ }
+
+ ErrorResult result;
+ RefPtr<mozilla::dom::Promise> promise =
+ mozilla::dom::Promise::Create(globalObject, result);
+ if (NS_WARN_IF(result.Failed())) {
+ return result.StealNSResult();
+ }
+
+ if (mozilla::net::nsIOService::UseSocketProcess() &&
+ mozilla::net::gIOService) {
+ mozilla::net::gIOService->CallOrWaitForSocketProcess(
+ [p = RefPtr{promise}]() {
+ Unused << mozilla::net::SocketProcessParent::GetSingleton()
+ ->SendClearSessionCache()
+ ->Then(
+ GetCurrentSerialEventTarget(), __func__,
+ [promise = RefPtr{p}] {
+ promise->MaybeResolveWithUndefined();
+ },
+ [promise = RefPtr{p}] {
+ promise->MaybeReject(NS_ERROR_UNEXPECTED);
+ });
+ });
+ } else {
+ promise->MaybeResolveWithUndefined();
+ }
+ DoClearSSLExternalAndInternalSessionCache();
+ promise.forget(aPromise);
+ return NS_OK;
+}
+
+namespace mozilla {
+namespace psm {
+
+already_AddRefed<SharedCertVerifier> GetDefaultCertVerifier() {
+ static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
+
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID));
+ if (!nssComponent) {
+ return nullptr;
+ }
+ nsresult rv = nssComponent->BlockUntilLoadableCertsLoaded();
+ if (NS_FAILED(rv)) {
+ return nullptr;
+ }
+ RefPtr<SharedCertVerifier> result;
+ rv = nssComponent->GetDefaultCertVerifier(getter_AddRefs(result));
+ if (NS_FAILED(rv)) {
+ return nullptr;
+ }
+ return result.forget();
+}
+
+// Helper for FindClientCertificatesWithPrivateKeys. Copies all
+// CERTCertificates from `from` to `to`.
+static inline void CopyCertificatesTo(UniqueCERTCertList& from,
+ UniqueCERTCertList& to) {
+ MOZ_ASSERT(from);
+ MOZ_ASSERT(to);
+ for (CERTCertListNode* n = CERT_LIST_HEAD(from.get());
+ !CERT_LIST_END(n, from.get()); n = CERT_LIST_NEXT(n)) {
+ UniqueCERTCertificate cert(CERT_DupCertificate(n->cert));
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" provisionally adding '%s'", n->cert->subjectName));
+ if (CERT_AddCertToListTail(to.get(), cert.get()) == SECSuccess) {
+ Unused << cert.release();
+ }
+ }
+}
+
+// Lists all private keys on all modules and returns a list of any corresponding
+// client certificates. Returns null if no such certificates can be found. Also
+// returns null if an error is encountered, because this is called as part of
+// the client auth data callback, and NSS ignores any errors returned by the
+// callback.
+UniqueCERTCertList FindClientCertificatesWithPrivateKeys() {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("FindClientCertificatesWithPrivateKeys"));
+
+ (void)BlockUntilLoadableCertsLoaded();
+ (void)CheckForSmartCardChanges();
+
+ UniqueCERTCertList certsWithPrivateKeys(CERT_NewCertList());
+ if (!certsWithPrivateKeys) {
+ return nullptr;
+ }
+
+ UniquePK11SlotInfo internalSlot(PK11_GetInternalKeySlot());
+
+ AutoSECMODListReadLock secmodLock;
+ SECMODModuleList* list = SECMOD_GetDefaultModuleList();
+ while (list) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" module '%s'", list->module->commonName));
+ for (int i = 0; i < list->module->slotCount; i++) {
+ PK11SlotInfo* slot = list->module->slots[i];
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" slot '%s'", PK11_GetSlotName(slot)));
+ // If this is the internal certificate/key slot or the slot on the
+ // builtin roots module, there may be many more certificates than private
+ // keys, so search by private keys (PK11_HasRootCerts will be true if the
+ // slot contains an object with the vendor-specific CK_CLASS
+ // CKO_NSS_BUILTIN_ROOT_LIST, which should only be the case for the NSS
+ // builtin roots module).
+ if (internalSlot.get() == slot || PK11_HasRootCerts(slot)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" (looking at internal/builtin slot)"));
+ if (PK11_Authenticate(slot, true, nullptr) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (couldn't authenticate)"));
+ continue;
+ }
+ UniqueSECKEYPrivateKeyList privateKeys(
+ PK11_ListPrivKeysInSlot(slot, nullptr, nullptr));
+ if (!privateKeys) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (no private keys)"));
+ continue;
+ }
+ for (SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privateKeys);
+ !PRIVKEY_LIST_END(node, privateKeys);
+ node = PRIVKEY_LIST_NEXT(node)) {
+ UniqueCERTCertList certs(PK11_GetCertsMatchingPrivateKey(node->key));
+ if (!certs) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" PK11_GetCertsMatchingPrivateKey encountered an "
+ "error "));
+ continue;
+ }
+ if (CERT_LIST_EMPTY(certs)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (no certs for key)"));
+ continue;
+ }
+ CopyCertificatesTo(certs, certsWithPrivateKeys);
+ }
+ } else {
+ // ... otherwise, optimistically assume that searching by certificate
+ // won't take too much time. Since "friendly" slots expose certificates
+ // without needing to be authenticated to, this results in fewer PIN
+ // dialogs shown to the user.
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" (looking at non-internal slot)"));
+
+ if (!PK11_IsPresent(slot)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (not present)"));
+ continue;
+ }
+ // If this isn't a "friendly" slot, authenticate to expose certificates.
+ if (!PK11_IsFriendly(slot) &&
+ PK11_Authenticate(slot, true, nullptr) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (couldn't authenticate)"));
+ continue;
+ }
+ UniqueCERTCertList certsInSlot(PK11_ListCertsInSlot(slot));
+ if (!certsInSlot) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" (couldn't list certs in slot)"));
+ continue;
+ }
+ // When NSS decodes a certificate, if that certificate has a
+ // corresponding private key (or public key, if the slot it's on hasn't
+ // been logged into), it notes it as a "user cert".
+ if (CERT_FilterCertListForUserCerts(certsInSlot.get()) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" (couldn't filter certs)"));
+ continue;
+ }
+ CopyCertificatesTo(certsInSlot, certsWithPrivateKeys);
+ }
+ }
+ list = list->next;
+ }
+
+ if (CERT_FilterCertListByUsage(certsWithPrivateKeys.get(), certUsageSSLClient,
+ false) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ (" CERT_FilterCertListByUsage encountered an error - returning"));
+ return nullptr;
+ }
+
+ if (MOZ_UNLIKELY(MOZ_LOG_TEST(gPIPNSSLog, LogLevel::Debug))) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" returning:"));
+ for (CERTCertListNode* n = CERT_LIST_HEAD(certsWithPrivateKeys);
+ !CERT_LIST_END(n, certsWithPrivateKeys); n = CERT_LIST_NEXT(n)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" %s", n->cert->subjectName));
+ }
+ }
+
+ if (CERT_LIST_EMPTY(certsWithPrivateKeys)) {
+ return nullptr;
+ }
+
+ return certsWithPrivateKeys;
+}
+
+} // namespace psm
+} // namespace mozilla
+
+NS_IMPL_ISUPPORTS(PipUIContext, nsIInterfaceRequestor)
+
+PipUIContext::PipUIContext() = default;
+
+PipUIContext::~PipUIContext() = default;
+
+NS_IMETHODIMP
+PipUIContext::GetInterface(const nsIID& uuid, void** result) {
+ NS_ENSURE_ARG_POINTER(result);
+ *result = nullptr;
+
+ if (!NS_IsMainThread()) {
+ NS_ERROR("PipUIContext::GetInterface called off the main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ if (!uuid.Equals(NS_GET_IID(nsIPrompt))) return NS_ERROR_NO_INTERFACE;
+
+ nsIPrompt* prompt = nullptr;
+ nsresult rv = nsNSSComponent::GetNewPrompter(&prompt);
+ *result = prompt;
+ return rv;
+}
+
+nsresult getNSSDialogs(void** _result, REFNSIID aIID, const char* contract) {
+ if (!NS_IsMainThread()) {
+ NS_ERROR("getNSSDialogs called off the main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ nsresult rv;
+
+ nsCOMPtr<nsISupports> svc = do_GetService(contract, &rv);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ rv = svc->QueryInterface(aIID, _result);
+
+ return rv;
+}
+
+nsresult setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx) {
+ MOZ_ASSERT(slot);
+ MOZ_ASSERT(ctx);
+ NS_ENSURE_ARG_POINTER(slot);
+ NS_ENSURE_ARG_POINTER(ctx);
+
+ if (PK11_NeedUserInit(slot)) {
+ nsCOMPtr<nsITokenPasswordDialogs> dialogs;
+ nsresult rv = getNSSDialogs(getter_AddRefs(dialogs),
+ NS_GET_IID(nsITokenPasswordDialogs),
+ NS_TOKENPASSWORDSDIALOG_CONTRACTID);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ bool canceled;
+ nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot);
+ rv = dialogs->SetPassword(ctx, token, &canceled);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (canceled) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ }
+
+ return NS_OK;
+}
+
+static PRBool ConvertBetweenUCS2andASCII(PRBool toUnicode, unsigned char* inBuf,
+ unsigned int inBufLen,
+ unsigned char* outBuf,
+ unsigned int maxOutBufLen,
+ unsigned int* outBufLen,
+ PRBool swapBytes) {
+ std::unique_ptr<unsigned char[]> inBufDup(new unsigned char[inBufLen]);
+ if (!inBufDup) {
+ return PR_FALSE;
+ }
+ std::memcpy(inBufDup.get(), inBuf, inBufLen * sizeof(unsigned char));
+
+ // If converting Unicode to ASCII, swap bytes before conversion as neccessary.
+ if (!toUnicode && swapBytes) {
+ if (inBufLen % 2 != 0) {
+ return PR_FALSE;
+ }
+ mozilla::NativeEndian::swapFromLittleEndianInPlace(
+ reinterpret_cast<char16_t*>(inBufDup.get()), inBufLen / 2);
+ }
+ return PORT_UCS2_UTF8Conversion(toUnicode, inBufDup.get(), inBufLen, outBuf,
+ maxOutBufLen, outBufLen);
+}
+
+namespace mozilla {
+namespace psm {
+
+nsresult InitializeCipherSuite() {
+ MOZ_ASSERT(NS_IsMainThread(),
+ "InitializeCipherSuite() can only be accessed on the main thread");
+
+ if (NSS_SetDomesticPolicy() != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // Disable any ciphers that NSS might have enabled by default
+ for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
+ uint16_t cipher_id = SSL_ImplementedCiphers[i];
+ SSL_CipherPrefSetDefault(cipher_id, false);
+ }
+
+ // Now only set SSL/TLS ciphers we knew about at compile time
+ for (const auto& cipherPref : sCipherPrefs) {
+ SSL_CipherPrefSetDefault(cipherPref.id, cipherPref.prefGetter());
+ }
+
+ SetDeprecatedTLS1CipherPrefs();
+
+ // Enable ciphers for PKCS#12
+ SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
+ SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
+ SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
+ SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
+ SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
+ SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1);
+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1);
+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1);
+ SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
+ PORT_SetUCS2_ASCIIConversionFunction(ConvertBetweenUCS2andASCII);
+
+ // PSM enforces a minimum RSA key size of 1024 bits, which is overridable.
+ // NSS has its own minimum, which is not overridable (the default is 1023
+ // bits). This sets the NSS minimum to 512 bits so users can still connect to
+ // devices like wifi routers with woefully small keys (they would have to add
+ // an override to do so, but they already do for such devices).
+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 512);
+
+ SetKyberPolicy();
+
+ // Observe preference change around cipher suite setting.
+ return CipherSuiteChangeObserver::StartObserve();
+}
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/nsNSSComponent.h b/security/manager/ssl/nsNSSComponent.h
new file mode 100644
index 0000000000..3c4e59abc5
--- /dev/null
+++ b/security/manager/ssl/nsNSSComponent.h
@@ -0,0 +1,165 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _nsNSSComponent_h_
+#define _nsNSSComponent_h_
+
+#include "nsINSSComponent.h"
+
+#include "EnterpriseRoots.h"
+#include "ScopedNSSTypes.h"
+#include "SharedCertVerifier.h"
+#include "mozilla/Monitor.h"
+#include "mozilla/Mutex.h"
+#include "mozilla/RefPtr.h"
+#include "nsCOMPtr.h"
+#include "nsIObserver.h"
+#include "nsNSSCallbacks.h"
+#include "nsServiceManagerUtils.h"
+#include "prerror.h"
+#include "sslt.h"
+
+#ifdef XP_WIN
+# include <windows.h> // this needs to be before the following includes
+# include <wincrypt.h>
+#endif // XP_WIN
+
+class nsIDOMWindow;
+class nsIPrompt;
+class nsISerialEventTarget;
+class nsITimer;
+
+namespace mozilla {
+namespace psm {
+
+[[nodiscard]] ::already_AddRefed<mozilla::psm::SharedCertVerifier>
+GetDefaultCertVerifier();
+UniqueCERTCertList FindClientCertificatesWithPrivateKeys();
+
+} // namespace psm
+} // namespace mozilla
+
+#define NS_NSSCOMPONENT_CID \
+ { \
+ 0x4cb64dfd, 0xca98, 0x4e24, { \
+ 0xbe, 0xfd, 0x0d, 0x92, 0x85, 0xa3, 0x3b, 0xcb \
+ } \
+ }
+
+bool EnsureNSSInitializedChromeOrContent();
+bool HandleTLSPrefChange(const nsCString& aPref);
+void SetValidationOptionsCommon();
+void PrepareForShutdownInSocketProcess();
+
+// Implementation of the PSM component interface.
+class nsNSSComponent final : public nsINSSComponent, public nsIObserver {
+ public:
+ // LoadLoadableCertsTask updates mLoadableCertsLoaded and
+ // mLoadableCertsLoadedResult and then signals mLoadableCertsLoadedMonitor.
+ friend class LoadLoadableCertsTask;
+ // BackgroundImportEnterpriseCertsTask calls ImportEnterpriseRoots and
+ // UpdateCertVerifierWithEnterpriseRoots.
+ friend class BackgroundImportEnterpriseCertsTask;
+
+ nsNSSComponent();
+
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSINSSCOMPONENT
+ NS_DECL_NSIOBSERVER
+
+ nsresult Init();
+
+ static nsresult GetNewPrompter(nsIPrompt** result);
+
+ static void FillTLSVersionRange(SSLVersionRange& rangeOut,
+ uint32_t minFromPrefs, uint32_t maxFromPrefs,
+ SSLVersionRange defaults);
+
+ static nsresult SetEnabledTLSVersions();
+
+ // This function does the actual work of clearing the session cache. It is to
+ // be used by the socket process (where there is no nsINSSComponent) and
+ // internally by nsNSSComponent.
+ // NB: NSS must have already been initialized before this is called.
+ static void DoClearSSLExternalAndInternalSessionCache();
+
+ protected:
+ virtual ~nsNSSComponent();
+
+ private:
+ nsresult InitializeNSS();
+ void PrepareForShutdown();
+
+ void setValidationOptions(bool isInitialSetting,
+ const mozilla::MutexAutoLock& proofOfLock);
+ void GetRevocationBehaviorFromPrefs(
+ /*out*/ mozilla::psm::CertVerifier::OcspDownloadConfig* odc,
+ /*out*/ mozilla::psm::CertVerifier::OcspStrictConfig* osc,
+ /*out*/ uint32_t* certShortLifetimeInDays,
+ /*out*/ TimeDuration& softTimeout,
+ /*out*/ TimeDuration& hardTimeout);
+ void UpdateCertVerifierWithEnterpriseRoots();
+ nsresult RegisterObservers();
+
+ void MaybeImportEnterpriseRoots();
+ void ImportEnterpriseRoots();
+ void UnloadEnterpriseRoots();
+ nsresult CommonGetEnterpriseCerts(
+ nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots);
+
+ nsresult MaybeEnableIntermediatePreloadingHealer();
+
+ // mLoadableCertsLoadedMonitor protects mLoadableCertsLoaded.
+ mozilla::Monitor mLoadableCertsLoadedMonitor;
+ bool mLoadableCertsLoaded MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor);
+ nsresult mLoadableCertsLoadedResult
+ MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor);
+
+ // mMutex protects all members that are accessed from more than one thread.
+ mozilla::Mutex mMutex;
+
+ // The following members are accessed from more than one thread:
+
+#ifdef DEBUG
+ nsCString mTestBuiltInRootHash MOZ_GUARDED_BY(mMutex);
+#endif
+ RefPtr<mozilla::psm::SharedCertVerifier> mDefaultCertVerifier
+ MOZ_GUARDED_BY(mMutex);
+ nsString mMitmCanaryIssuer MOZ_GUARDED_BY(mMutex);
+ bool mMitmDetecionEnabled MOZ_GUARDED_BY(mMutex);
+ nsTArray<EnterpriseCert> mEnterpriseCerts MOZ_GUARDED_BY(mMutex);
+
+ // The following members are accessed only on the main thread:
+ static int mInstanceCount;
+ // If the intermediate preloading healer is enabled, the following timer
+ // periodically dispatches events to the socket thread. Each of these
+ // events scans the NSS certdb for preloaded intermediates that are in
+ // cert_storage and thus can be removed. By default, the interval is 5
+ // minutes.
+ nsCOMPtr<nsITimer> mIntermediatePreloadingHealerTimer;
+};
+
+inline nsresult BlockUntilLoadableCertsLoaded() {
+ nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (!component) {
+ return NS_ERROR_FAILURE;
+ }
+ return component->BlockUntilLoadableCertsLoaded();
+}
+
+inline nsresult CheckForSmartCardChanges() {
+#ifndef MOZ_NO_SMART_CARDS
+ nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (!component) {
+ return NS_ERROR_FAILURE;
+ }
+ return component->CheckForSmartCardChanges();
+#else
+ return NS_OK;
+#endif
+}
+
+#endif // _nsNSSComponent_h_
diff --git a/security/manager/ssl/nsNSSHelper.h b/security/manager/ssl/nsNSSHelper.h
new file mode 100644
index 0000000000..5f3f5ea9b4
--- /dev/null
+++ b/security/manager/ssl/nsNSSHelper.h
@@ -0,0 +1,32 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSHelper_h
+#define nsNSSHelper_h
+
+#include "nsIInterfaceRequestor.h"
+#include "nsIInterfaceRequestorUtils.h"
+#include "pk11func.h"
+
+// Implementation of an nsIInterfaceRequestor for use as context for NSS calls.
+class PipUIContext : public nsIInterfaceRequestor {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIINTERFACEREQUESTOR
+
+ PipUIContext();
+
+ protected:
+ virtual ~PipUIContext();
+};
+
+// Function to get the implementor for a certain set of NSS specific dialogs.
+nsresult getNSSDialogs(void** _result, REFNSIID aIID, const char* contract);
+
+// A function that sets the password on an unitialized slot.
+nsresult setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx);
+
+#endif // nsNSSHelper_h
diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
new file mode 100644
index 0000000000..508eafa0c5
--- /dev/null
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -0,0 +1,1804 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSIOLayer.h"
+
+#include <algorithm>
+#include <utility>
+#include <vector>
+
+#include "NSSCertDBTrustDomain.h"
+#include "NSSErrorsService.h"
+#include "NSSSocketControl.h"
+#include "PSMRunnable.h"
+#include "SSLServerCertVerification.h"
+#include "ScopedNSSTypes.h"
+#include "SharedSSLState.h"
+#include "TLSClientAuthCertSelection.h"
+#include "keyhi.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Casting.h"
+#include "mozilla/DebugOnly.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/RandomNum.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/glean/GleanMetrics.h"
+#include "mozilla/net/SSLTokensCache.h"
+#include "mozilla/net/SocketProcessChild.h"
+#include "mozilla/psm/IPCClientCertsChild.h"
+#include "mozilla/psm/PIPCClientCertsChild.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixutil.h"
+#include "nsArray.h"
+#include "nsArrayUtils.h"
+#include "nsCRT.h"
+#include "nsCharSeparatedTokenizer.h"
+#include "nsClientAuthRemember.h"
+#include "nsContentUtils.h"
+#include "nsISocketProvider.h"
+#include "nsIWebProgressListener.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSComponent.h"
+#include "nsNSSHelper.h"
+#include "nsPrintfCString.h"
+#include "nsServiceManagerUtils.h"
+#include "prmem.h"
+#include "prnetdb.h"
+#include "secder.h"
+#include "secerr.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslexp.h"
+#include "sslproto.h"
+
+#if defined(__arm__)
+# include "mozilla/arm.h"
+#endif
+
+using namespace mozilla;
+using namespace mozilla::psm;
+using namespace mozilla::ipc;
+
+// #define DEBUG_SSL_VERBOSE //Enable this define to get minimal
+// reports when doing SSL read/write
+
+// #define DUMP_BUFFER //Enable this define along with
+// DEBUG_SSL_VERBOSE to dump SSL
+// read/write buffer to a log.
+// Uses PR_LOG except on Mac where
+// we always write out to our own
+// file.
+
+namespace {
+
+// The NSSSocketInfo tls flags are meant to be opaque to most calling
+// applications but provide a mechanism for direct TLS manipulation when
+// experimenting with new features in the scope of a single socket. They do not
+// create a persistent ABI.
+//
+// Use of these flags creates a new 'sharedSSLState' so existing states for
+// intolerance are not carried to sockets that use these flags (and intolerance
+// they discover does not impact other normal sockets not using the flags.)
+//
+// Their current definitions are:
+//
+// bits 0-2 (mask 0x07) specify the max tls version
+// 0 means no override 1->4 are 1.0, 1.1, 1.2, 1.3, 4->7 unused
+// bits 3-5 (mask 0x38) specify the tls fallback limit
+// 0 means no override, values 1->4 match prefs
+// bit 6 (mask 0x40) was used to specify compat mode. Temporarily reserved.
+
+enum {
+ kTLSProviderFlagMaxVersion10 = 0x01,
+ kTLSProviderFlagMaxVersion11 = 0x02,
+ kTLSProviderFlagMaxVersion12 = 0x03,
+ kTLSProviderFlagMaxVersion13 = 0x04,
+};
+
+static uint32_t getTLSProviderFlagMaxVersion(uint32_t flags) {
+ return (flags & 0x07);
+}
+
+static uint32_t getTLSProviderFlagFallbackLimit(uint32_t flags) {
+ return (flags & 0x38) >> 3;
+}
+
+void getSiteKey(const nsACString& hostName, uint16_t port,
+ /*out*/ nsACString& key) {
+ key = hostName;
+ key.AppendLiteral(":");
+ key.AppendInt(port);
+}
+
+} // unnamed namespace
+
+extern LazyLogModule gPIPNSSLog;
+
+void nsSSLIOLayerHelpers::Cleanup() {
+ MutexAutoLock lock(mutex);
+ mTLSIntoleranceInfo.Clear();
+ mInsecureFallbackSites.Clear();
+}
+
+namespace {
+
+enum Operation { reading, writing, not_reading_or_writing };
+
+int32_t checkHandshake(int32_t bytesTransfered, bool wasReading,
+ PRFileDesc* ssl_layer_fd, NSSSocketControl* socketInfo);
+
+NSSSocketControl* getSocketInfoIfRunning(PRFileDesc* fd, Operation op) {
+ if (!fd || !fd->lower || !fd->secret ||
+ fd->identity != nsSSLIOLayerHelpers::nsSSLIOLayerIdentity) {
+ NS_ERROR("bad file descriptor passed to getSocketInfoIfRunning");
+ PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0);
+ return nullptr;
+ }
+
+ NSSSocketControl* socketInfo = (NSSSocketControl*)fd->secret;
+
+ if (socketInfo->IsCanceled()) {
+ PRErrorCode err = socketInfo->GetErrorCode();
+ PR_SetError(err, 0);
+ if (op == reading || op == writing) {
+ // We must do TLS intolerance checks for reads and writes, for timeouts
+ // in particular.
+ (void)checkHandshake(-1, op == reading, fd, socketInfo);
+ }
+
+ // If we get here, it is probably because cert verification failed and this
+ // is the first I/O attempt since that failure.
+ return nullptr;
+ }
+
+ return socketInfo;
+}
+
+} // namespace
+
+static PRStatus nsSSLIOLayerConnect(PRFileDesc* fd, const PRNetAddr* addr,
+ PRIntervalTime timeout) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] connecting SSL socket\n", (void*)fd));
+ if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE;
+
+ PRStatus status = fd->lower->methods->connect(fd->lower, addr, timeout);
+ if (status != PR_SUCCESS) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("[%p] Lower layer connect error: %d\n", (void*)fd, PR_GetError()));
+ return status;
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Connect\n", (void*)fd));
+ return status;
+}
+
+void nsSSLIOLayerHelpers::rememberTolerantAtVersion(const nsACString& hostName,
+ int16_t port,
+ uint16_t tolerant) {
+ nsCString key;
+ getSiteKey(hostName, port, key);
+
+ MutexAutoLock lock(mutex);
+
+ IntoleranceEntry entry;
+ if (mTLSIntoleranceInfo.Get(key, &entry)) {
+ entry.AssertInvariant();
+ entry.tolerant = std::max(entry.tolerant, tolerant);
+ if (entry.intolerant != 0 && entry.intolerant <= entry.tolerant) {
+ entry.intolerant = entry.tolerant + 1;
+ entry.intoleranceReason = 0; // lose the reason
+ }
+ } else {
+ entry.tolerant = tolerant;
+ entry.intolerant = 0;
+ entry.intoleranceReason = 0;
+ }
+
+ entry.AssertInvariant();
+
+ mTLSIntoleranceInfo.InsertOrUpdate(key, entry);
+}
+
+void nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName,
+ int16_t port) {
+ nsCString key;
+ getSiteKey(hostName, port, key);
+
+ MutexAutoLock lock(mutex);
+
+ IntoleranceEntry entry;
+ if (mTLSIntoleranceInfo.Get(key, &entry)) {
+ entry.AssertInvariant();
+
+ entry.intolerant = 0;
+ entry.intoleranceReason = 0;
+
+ entry.AssertInvariant();
+ mTLSIntoleranceInfo.InsertOrUpdate(key, entry);
+ }
+}
+
+bool nsSSLIOLayerHelpers::fallbackLimitReached(const nsACString& hostName,
+ uint16_t intolerant) {
+ if (isInsecureFallbackSite(hostName)) {
+ return intolerant <= SSL_LIBRARY_VERSION_TLS_1_0;
+ }
+ return intolerant <= mVersionFallbackLimit;
+}
+
+// returns true if we should retry the handshake
+bool nsSSLIOLayerHelpers::rememberIntolerantAtVersion(
+ const nsACString& hostName, int16_t port, uint16_t minVersion,
+ uint16_t intolerant, PRErrorCode intoleranceReason) {
+ if (intolerant <= minVersion || fallbackLimitReached(hostName, intolerant)) {
+ // We can't fall back any further. Assume that intolerance isn't the issue.
+ forgetIntolerance(hostName, port);
+ return false;
+ }
+
+ nsCString key;
+ getSiteKey(hostName, port, key);
+
+ MutexAutoLock lock(mutex);
+
+ IntoleranceEntry entry;
+ if (mTLSIntoleranceInfo.Get(key, &entry)) {
+ entry.AssertInvariant();
+ if (intolerant <= entry.tolerant) {
+ // We already know the server is tolerant at an equal or higher version.
+ return false;
+ }
+ if ((entry.intolerant != 0 && intolerant >= entry.intolerant)) {
+ // We already know that the server is intolerant at a lower version.
+ return true;
+ }
+ } else {
+ entry.tolerant = 0;
+ }
+
+ entry.intolerant = intolerant;
+ entry.intoleranceReason = intoleranceReason;
+ entry.AssertInvariant();
+ mTLSIntoleranceInfo.InsertOrUpdate(key, entry);
+
+ return true;
+}
+
+void nsSSLIOLayerHelpers::adjustForTLSIntolerance(
+ const nsACString& hostName, int16_t port,
+ /*in/out*/ SSLVersionRange& range) {
+ IntoleranceEntry entry;
+
+ {
+ nsCString key;
+ getSiteKey(hostName, port, key);
+
+ MutexAutoLock lock(mutex);
+ if (!mTLSIntoleranceInfo.Get(key, &entry)) {
+ return;
+ }
+ }
+
+ entry.AssertInvariant();
+
+ if (entry.intolerant != 0) {
+ // We've tried connecting at a higher range but failed, so try at the
+ // version we haven't tried yet, unless we have reached the minimum.
+ if (range.min < entry.intolerant) {
+ range.max = entry.intolerant - 1;
+ }
+ }
+}
+
+PRErrorCode nsSSLIOLayerHelpers::getIntoleranceReason(
+ const nsACString& hostName, int16_t port) {
+ IntoleranceEntry entry;
+
+ {
+ nsCString key;
+ getSiteKey(hostName, port, key);
+
+ MutexAutoLock lock(mutex);
+ if (!mTLSIntoleranceInfo.Get(key, &entry)) {
+ return 0;
+ }
+ }
+
+ entry.AssertInvariant();
+ return entry.intoleranceReason;
+}
+
+bool nsSSLIOLayerHelpers::nsSSLIOLayerInitialized = false;
+PRDescIdentity nsSSLIOLayerHelpers::nsSSLIOLayerIdentity;
+PRDescIdentity nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity;
+PRIOMethods nsSSLIOLayerHelpers::nsSSLIOLayerMethods;
+PRIOMethods nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods;
+
+static PRStatus nsSSLIOLayerClose(PRFileDesc* fd) {
+ if (!fd) {
+ return PR_FAILURE;
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Shutting down socket", fd));
+
+ // Take the owning reference from the layer. See the corresponding comment in
+ // nsSSLIOLayerAddToSocket where this gets set.
+ RefPtr<NSSSocketControl> socketInfo(
+ already_AddRefed((NSSSocketControl*)fd->secret));
+ fd->secret = nullptr;
+ if (!socketInfo) {
+ return PR_FAILURE;
+ }
+
+ return socketInfo->CloseSocketAndDestroy();
+}
+
+#if defined(DEBUG_SSL_VERBOSE) && defined(DUMP_BUFFER)
+// Dumps a (potentially binary) buffer using SSM_DEBUG. (We could have used
+// the version in ssltrace.c, but that's specifically tailored to SSLTRACE.)
+# define DUMPBUF_LINESIZE 24
+static void nsDumpBuffer(unsigned char* buf, int len) {
+ char hexbuf[DUMPBUF_LINESIZE * 3 + 1];
+ char chrbuf[DUMPBUF_LINESIZE + 1];
+ static const char* hex = "0123456789abcdef";
+ int i = 0;
+ int l = 0;
+ char ch;
+ char* c;
+ char* h;
+ if (len == 0) return;
+ hexbuf[DUMPBUF_LINESIZE * 3] = '\0';
+ chrbuf[DUMPBUF_LINESIZE] = '\0';
+ (void)memset(hexbuf, 0x20, DUMPBUF_LINESIZE * 3);
+ (void)memset(chrbuf, 0x20, DUMPBUF_LINESIZE);
+ h = hexbuf;
+ c = chrbuf;
+
+ while (i < len) {
+ ch = buf[i];
+
+ if (l == DUMPBUF_LINESIZE) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("%s%s\n", hexbuf, chrbuf));
+ (void)memset(hexbuf, 0x20, DUMPBUF_LINESIZE * 3);
+ (void)memset(chrbuf, 0x20, DUMPBUF_LINESIZE);
+ h = hexbuf;
+ c = chrbuf;
+ l = 0;
+ }
+
+ // Convert a character to hex.
+ *h++ = hex[(ch >> 4) & 0xf];
+ *h++ = hex[ch & 0xf];
+ h++;
+
+ // Put the character (if it's printable) into the character buffer.
+ if ((ch >= 0x20) && (ch <= 0x7e)) {
+ *c++ = ch;
+ } else {
+ *c++ = '.';
+ }
+ i++;
+ l++;
+ }
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("%s%s\n", hexbuf, chrbuf));
+}
+
+# define DEBUG_DUMP_BUFFER(buf, len) nsDumpBuffer(buf, len)
+#else
+# define DEBUG_DUMP_BUFFER(buf, len)
+#endif
+
+namespace {
+
+uint32_t tlsIntoleranceTelemetryBucket(PRErrorCode err) {
+ // returns a numeric code for where we track various errors in telemetry
+ // only errors that cause version fallback are tracked,
+ // so this is also used to determine which errors can cause version fallback
+ switch (err) {
+ case SSL_ERROR_BAD_MAC_ALERT:
+ return 1;
+ case SSL_ERROR_BAD_MAC_READ:
+ return 2;
+ case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
+ return 3;
+ case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
+ return 4;
+ case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
+ return 6;
+ case SSL_ERROR_NO_CYPHER_OVERLAP:
+ return 7;
+ case SSL_ERROR_UNSUPPORTED_VERSION:
+ return 10;
+ case SSL_ERROR_PROTOCOL_VERSION_ALERT:
+ return 11;
+ case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
+ return 13;
+ case SSL_ERROR_DECODE_ERROR_ALERT:
+ return 14;
+ case PR_CONNECT_RESET_ERROR:
+ return 16;
+ case PR_END_OF_FILE_ERROR:
+ return 17;
+ case SSL_ERROR_INTERNAL_ERROR_ALERT:
+ return 18;
+ default:
+ return 0;
+ }
+}
+
+bool retryDueToTLSIntolerance(PRErrorCode err, NSSSocketControl* socketInfo) {
+ // This function is supposed to decide which error codes should
+ // be used to conclude server is TLS intolerant.
+ // Note this only happens during the initial SSL handshake.
+
+ if (StaticPrefs::security_tls_ech_disable_grease_on_fallback() &&
+ socketInfo->GetEchExtensionStatus() == EchExtensionStatus::kGREASE) {
+ // Don't record any intolerances if we used ECH GREASE but force a retry.
+ return true;
+ }
+
+ if (!socketInfo->IsPreliminaryHandshakeDone() &&
+ !socketInfo->HasTls13HandshakeSecrets() && socketInfo->SentXyberShare()) {
+ nsAutoCString errorName;
+ const char* prErrorName = PR_ErrorToName(err);
+ if (prErrorName) {
+ errorName.AppendASCII(prErrorName);
+ }
+ mozilla::glean::tls::xyber_intolerance_reason.Get(errorName).Add(1);
+ // Don't record version intolerance if we sent Xyber, just force a retry.
+ return true;
+ }
+
+ SSLVersionRange range = socketInfo->GetTLSVersionRange();
+ nsSSLIOLayerHelpers& helpers = socketInfo->SharedState().IOLayerHelpers();
+
+ if (err == SSL_ERROR_UNSUPPORTED_VERSION &&
+ range.min == SSL_LIBRARY_VERSION_TLS_1_0) {
+ socketInfo->SetSecurityState(nsIWebProgressListener::STATE_IS_INSECURE |
+ nsIWebProgressListener::STATE_USES_SSL_3);
+ }
+
+ // NSS will return SSL_ERROR_RX_MALFORMED_SERVER_HELLO if anti-downgrade
+ // detected the downgrade.
+ if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT ||
+ err == SSL_ERROR_RX_MALFORMED_SERVER_HELLO) {
+ // This is a clear signal that we've fallen back too many versions. Treat
+ // this as a hard failure, but forget any intolerance so that later attempts
+ // don't use this version (i.e., range.max) and trigger the error again.
+
+ // First, track the original cause of the version fallback. This uses the
+ // same buckets as the telemetry below, except that bucket 0 will include
+ // all cases where there wasn't an original reason.
+ PRErrorCode originalReason = helpers.getIntoleranceReason(
+ socketInfo->GetHostName(), socketInfo->GetPort());
+ Telemetry::Accumulate(Telemetry::SSL_VERSION_FALLBACK_INAPPROPRIATE,
+ tlsIntoleranceTelemetryBucket(originalReason));
+
+ helpers.forgetIntolerance(socketInfo->GetHostName(), socketInfo->GetPort());
+
+ return false;
+ }
+
+ // When not using a proxy we'll see a connection reset error.
+ // When using a proxy, we'll see an end of file error.
+
+ // Don't allow STARTTLS connections to fall back on connection resets or
+ // EOF.
+ if ((err == PR_CONNECT_RESET_ERROR || err == PR_END_OF_FILE_ERROR) &&
+ socketInfo->GetForSTARTTLS()) {
+ return false;
+ }
+
+ uint32_t reason = tlsIntoleranceTelemetryBucket(err);
+ if (reason == 0) {
+ return false;
+ }
+
+ Telemetry::HistogramID pre;
+ Telemetry::HistogramID post;
+ switch (range.max) {
+ case SSL_LIBRARY_VERSION_TLS_1_3:
+ pre = Telemetry::SSL_TLS13_INTOLERANCE_REASON_PRE;
+ post = Telemetry::SSL_TLS13_INTOLERANCE_REASON_POST;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_2:
+ pre = Telemetry::SSL_TLS12_INTOLERANCE_REASON_PRE;
+ post = Telemetry::SSL_TLS12_INTOLERANCE_REASON_POST;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_1:
+ pre = Telemetry::SSL_TLS11_INTOLERANCE_REASON_PRE;
+ post = Telemetry::SSL_TLS11_INTOLERANCE_REASON_POST;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_0:
+ pre = Telemetry::SSL_TLS10_INTOLERANCE_REASON_PRE;
+ post = Telemetry::SSL_TLS10_INTOLERANCE_REASON_POST;
+ break;
+ default:
+ MOZ_CRASH("impossible TLS version");
+ return false;
+ }
+
+ // The difference between _PRE and _POST represents how often we avoided
+ // TLS intolerance fallback due to remembered tolerance.
+ Telemetry::Accumulate(pre, reason);
+
+ if (!helpers.rememberIntolerantAtVersion(socketInfo->GetHostName(),
+ socketInfo->GetPort(), range.min,
+ range.max, err)) {
+ return false;
+ }
+
+ Telemetry::Accumulate(post, reason);
+
+ return true;
+}
+
+// Ensure that we haven't added too many errors to fit.
+static_assert((SSL_ERROR_END_OF_LIST - SSL_ERROR_BASE) <= 256,
+ "too many SSL errors");
+static_assert((SEC_ERROR_END_OF_LIST - SEC_ERROR_BASE) <= 256,
+ "too many SEC errors");
+static_assert((PR_MAX_ERROR - PR_NSPR_ERROR_BASE) <= 128,
+ "too many NSPR errors");
+static_assert((mozilla::pkix::ERROR_BASE - mozilla::pkix::END_OF_LIST) < 31,
+ "too many moz::pkix errors");
+
+static void reportHandshakeResult(int32_t bytesTransferred, bool wasReading,
+ PRErrorCode err,
+ NSSSocketControl* socketInfo) {
+ uint32_t bucket;
+
+ // A negative bytesTransferred or a 0 read are errors.
+ if (bytesTransferred > 0) {
+ bucket = 0;
+ } else if ((bytesTransferred == 0) && !wasReading) {
+ // PR_Write() is defined to never return 0, but let's make sure.
+ // https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_Write.
+ MOZ_ASSERT(false);
+ bucket = 671;
+ } else if (IS_SSL_ERROR(err)) {
+ bucket = err - SSL_ERROR_BASE;
+ MOZ_ASSERT(bucket > 0); // SSL_ERROR_EXPORT_ONLY_SERVER isn't used.
+ } else if (IS_SEC_ERROR(err)) {
+ bucket = (err - SEC_ERROR_BASE) + 256;
+ } else if ((err >= PR_NSPR_ERROR_BASE) && (err < PR_MAX_ERROR)) {
+ bucket = (err - PR_NSPR_ERROR_BASE) + 512;
+ } else if ((err >= mozilla::pkix::ERROR_BASE) &&
+ (err < mozilla::pkix::ERROR_LIMIT)) {
+ bucket = (err - mozilla::pkix::ERROR_BASE) + 640;
+ } else {
+ bucket = 671;
+ }
+
+ uint32_t flags = socketInfo->GetProviderFlags();
+ if (!(flags & nsISocketProvider::IS_RETRY)) {
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_FIRST_TRY, bucket);
+ }
+
+ if (flags & nsISocketProvider::BE_CONSERVATIVE) {
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_CONSERVATIVE, bucket);
+ }
+
+ switch (socketInfo->GetEchExtensionStatus()) {
+ case EchExtensionStatus::kGREASE:
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_ECH_GREASE, bucket);
+ break;
+ case EchExtensionStatus::kReal:
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_ECH, bucket);
+ break;
+ default:
+ break;
+ }
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT, bucket);
+
+ if (bucket == 0) {
+ nsCOMPtr<nsITransportSecurityInfo> securityInfo;
+ if (NS_FAILED(socketInfo->GetSecurityInfo(getter_AddRefs(securityInfo))) ||
+ !securityInfo) {
+ return;
+ }
+ // Web Privacy Telemetry for successful connections.
+ bool success = true;
+
+ bool usedPrivateDNS = false;
+ success &= securityInfo->GetUsedPrivateDNS(&usedPrivateDNS) == NS_OK;
+
+ bool madeOCSPRequest = false;
+ success &= securityInfo->GetMadeOCSPRequests(&madeOCSPRequest) == NS_OK;
+
+ uint16_t protocolVersion = 0;
+ success &= securityInfo->GetProtocolVersion(&protocolVersion) == NS_OK;
+ bool usedTLS13 = protocolVersion == 4;
+
+ bool usedECH = false;
+ success &= securityInfo->GetIsAcceptedEch(&usedECH) == NS_OK;
+
+ // As bucket is 0 we are reporting the results of a sucessful connection
+ // and so TransportSecurityInfo should be populated. However, this isn't
+ // happening in all cases, see Bug 1789458.
+ if (success) {
+ uint8_t TLSPrivacyResult = 0;
+ TLSPrivacyResult |= usedTLS13 << 0;
+ TLSPrivacyResult |= !madeOCSPRequest << 1;
+ TLSPrivacyResult |= usedPrivateDNS << 2;
+ TLSPrivacyResult |= usedECH << 3;
+
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_PRIVACY, TLSPrivacyResult);
+ }
+ }
+}
+
+// Check the status of the handshake. This is where PSM checks for TLS
+// intolerance and potentially sets up TLS intolerance fallback by noting the
+// intolerance, setting the NSPR error to PR_CONNECT_RESET_ERROR, and returning
+// -1 as the bytes transferred so that necko retries the connection.
+// Otherwise, PSM returns the bytes transferred unchanged.
+int32_t checkHandshake(int32_t bytesTransferred, bool wasReading,
+ PRFileDesc* ssl_layer_fd, NSSSocketControl* socketInfo) {
+ const PRErrorCode originalError = PR_GetError();
+
+ // If the connection would block, return early.
+ if (bytesTransferred < 0 && originalError == PR_WOULD_BLOCK_ERROR) {
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return bytesTransferred;
+ }
+
+ // We only need to do TLS intolerance checking for the first transfer.
+ bool handleHandshakeResultNow = socketInfo->IsHandshakePending();
+ if (!handleHandshakeResultNow) {
+ // If we've encountered an error since the handshake, ensure the socket
+ // control is cancelled, so that getSocketInfoIfRunning will correctly
+ // cause us to fail if another part of Gecko (erroneously) calls an I/O
+ // function (PR_Send/PR_Recv/etc.) again on this socket.
+ if (bytesTransferred < 0) {
+ if (!socketInfo->IsCanceled()) {
+ socketInfo->SetCanceled(originalError);
+ }
+ PR_SetError(originalError, 0);
+ }
+ return bytesTransferred;
+ }
+
+ // TLS intolerant servers only cause the first transfer to fail, so let's
+ // set the HandshakePending attribute to false so that we don't try this logic
+ // again in a subsequent transfer.
+ socketInfo->SetHandshakeNotPending();
+ // Report the result once for each handshake. Note that this does not
+ // get handshakes which are cancelled before any reads or writes
+ // happen.
+ reportHandshakeResult(bytesTransferred, wasReading, originalError,
+ socketInfo);
+
+ // If there was no error, return early. The case where we read 0 bytes is not
+ // considered an error by NSS, but PSM interprets this as TLS intolerance, so
+ // we turn it into an error. Writes of 0 bytes are an error, because PR_Write
+ // is never supposed to return 0.
+ if (bytesTransferred > 0) {
+ return bytesTransferred;
+ }
+
+ // There was some sort of error. Determine what it was and if we want to
+ // retry the connection due to TLS intolerance.
+ PRErrorCode errorToUse = originalError;
+ // Turn zero-length reads into errors and handle zero-length write errors.
+ if (bytesTransferred == 0) {
+ if (wasReading) {
+ errorToUse = PR_END_OF_FILE_ERROR;
+ } else {
+ errorToUse = SEC_ERROR_LIBRARY_FAILURE;
+ }
+ bytesTransferred = -1;
+ }
+ bool wantRetry = retryDueToTLSIntolerance(errorToUse, socketInfo);
+ // Set the error on the socket control and cancel it.
+ if (!socketInfo->IsCanceled()) {
+ socketInfo->SetCanceled(errorToUse);
+ }
+
+ if (wantRetry) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] checkHandshake: will retry with lower max TLS version",
+ ssl_layer_fd));
+ // Setting the error PR_CONNECT_RESET_ERROR causes necko to retry the
+ // connection.
+ PR_SetError(PR_CONNECT_RESET_ERROR, 0);
+ } else {
+ PR_SetError(originalError, 0);
+ }
+
+ return bytesTransferred;
+}
+
+} // namespace
+
+static int16_t nsSSLIOLayerPoll(PRFileDesc* fd, int16_t in_flags,
+ int16_t* out_flags) {
+ if (!out_flags) {
+ NS_WARNING("nsSSLIOLayerPoll called with null out_flags");
+ return 0;
+ }
+
+ *out_flags = 0;
+
+ NSSSocketControl* socketInfo =
+ getSocketInfoIfRunning(fd, not_reading_or_writing);
+
+ if (!socketInfo) {
+ // If we get here, it is probably because certificate validation failed
+ // and this is the first I/O operation after the failure.
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("[%p] polling SSL socket right after certificate verification failed "
+ "or NSS shutdown or SDR logout %d\n",
+ fd, (int)in_flags));
+
+ MOZ_ASSERT(in_flags & PR_POLL_EXCEPT,
+ "Caller did not poll for EXCEPT (canceled)");
+ // Since this poll method cannot return errors, we want the caller to call
+ // PR_Send/PR_Recv right away to get the error, so we tell that we are
+ // ready for whatever I/O they are asking for. (See getSocketInfoIfRunning).
+ *out_flags = in_flags | PR_POLL_EXCEPT; // see also bug 480619
+ return in_flags;
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Verbose,
+ (socketInfo->IsWaitingForCertVerification()
+ ? "[%p] polling SSL socket during certificate verification "
+ "using lower %d\n"
+ : "[%p] poll SSL socket using lower %d\n",
+ fd, (int)in_flags));
+
+ socketInfo->MaybeDispatchSelectClientAuthCertificate();
+
+ // We want the handshake to continue during certificate validation, so we
+ // don't need to do anything special here. libssl automatically blocks when
+ // it reaches any point that would be unsafe to send/receive something before
+ // cert validation is complete.
+ int16_t result = fd->lower->methods->poll(fd->lower, in_flags, out_flags);
+ MOZ_LOG(gPIPNSSLog, LogLevel::Verbose,
+ ("[%p] poll SSL socket returned %d\n", (void*)fd, (int)result));
+ return result;
+}
+
+nsSSLIOLayerHelpers::nsSSLIOLayerHelpers(uint32_t aTlsFlags)
+ : mTreatUnsafeNegotiationAsBroken(false),
+ mVersionFallbackLimit(SSL_LIBRARY_VERSION_TLS_1_0),
+ mutex("nsSSLIOLayerHelpers.mutex"),
+ mTlsFlags(aTlsFlags) {}
+
+// PSMAvailable and PSMAvailable64 are reachable, but they're unimplemented in
+// PSM, so we set an error and return -1.
+static int32_t PSMAvailable(PRFileDesc*) {
+ PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+ return -1;
+}
+
+static int64_t PSMAvailable64(PRFileDesc*) {
+ PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+ return -1;
+}
+
+static PRStatus PSMGetsockname(PRFileDesc* fd, PRNetAddr* addr) {
+ if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE;
+
+ return fd->lower->methods->getsockname(fd->lower, addr);
+}
+
+static PRStatus PSMGetpeername(PRFileDesc* fd, PRNetAddr* addr) {
+ if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE;
+
+ return fd->lower->methods->getpeername(fd->lower, addr);
+}
+
+static PRStatus PSMGetsocketoption(PRFileDesc* fd, PRSocketOptionData* data) {
+ if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE;
+
+ return fd->lower->methods->getsocketoption(fd, data);
+}
+
+static PRStatus PSMSetsocketoption(PRFileDesc* fd,
+ const PRSocketOptionData* data) {
+ if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE;
+
+ return fd->lower->methods->setsocketoption(fd, data);
+}
+
+static int32_t PSMRecv(PRFileDesc* fd, void* buf, int32_t amount, int flags,
+ PRIntervalTime timeout) {
+ NSSSocketControl* socketInfo = getSocketInfoIfRunning(fd, reading);
+ if (!socketInfo) return -1;
+
+ if (flags != PR_MSG_PEEK && flags != 0) {
+ PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+ return -1;
+ }
+
+ int32_t bytesRead =
+ fd->lower->methods->recv(fd->lower, buf, amount, flags, timeout);
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Verbose,
+ ("[%p] read %d bytes\n", (void*)fd, bytesRead));
+
+#ifdef DEBUG_SSL_VERBOSE
+ DEBUG_DUMP_BUFFER((unsigned char*)buf, bytesRead);
+#endif
+
+ return checkHandshake(bytesRead, true, fd, socketInfo);
+}
+
+static int32_t PSMSend(PRFileDesc* fd, const void* buf, int32_t amount,
+ int flags, PRIntervalTime timeout) {
+ NSSSocketControl* socketInfo = getSocketInfoIfRunning(fd, writing);
+ if (!socketInfo) return -1;
+
+ if (flags != 0) {
+ PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+ return -1;
+ }
+
+#ifdef DEBUG_SSL_VERBOSE
+ DEBUG_DUMP_BUFFER((unsigned char*)buf, amount);
+#endif
+
+ if (socketInfo->IsShortWritePending() && amount > 0) {
+ // We got "SSL short write" last time, try to flush the pending byte.
+#ifdef DEBUG
+ socketInfo->CheckShortWrittenBuffer(static_cast<const unsigned char*>(buf),
+ amount);
+#endif
+
+ buf = socketInfo->GetShortWritePendingByteRef();
+ amount = 1;
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Verbose,
+ ("[%p] pushing 1 byte after SSL short write", fd));
+ }
+
+ int32_t bytesWritten =
+ fd->lower->methods->send(fd->lower, buf, amount, flags, timeout);
+
+ // NSS indicates that it can't write all requested data (due to network
+ // congestion, for example) by returning either one less than the amount
+ // of data requested or 16383, if the requested amount is greater than
+ // 16384. We refer to this as a "short write". If we simply returned
+ // the amount that NSS did write, the layer above us would then call
+ // PSMSend with a very small amount of data (often 1). This is inefficient
+ // and can lead to alternating between sending large packets and very small
+ // packets. To prevent this, we alert the layer calling us that the operation
+ // would block and that it should be retried later, with the same data.
+ // When it does, we tell NSS to write the remaining byte it didn't write
+ // in the previous call. We then return the total number of bytes written,
+ // which is the number that caused the short write plus the additional byte
+ // we just wrote out.
+
+ // The 16384 value is based on libssl's maximum buffer size:
+ // MAX_FRAGMENT_LENGTH - 1
+ //
+ // It's in a private header, though, filed bug 1394822 to expose it.
+ static const int32_t kShortWrite16k = 16383;
+
+ if ((amount > 1 && bytesWritten == (amount - 1)) ||
+ (amount > kShortWrite16k && bytesWritten == kShortWrite16k)) {
+ // This is indication of an "SSL short write", block to force retry.
+ socketInfo->SetShortWritePending(
+ bytesWritten + 1, // The amount to return after the flush
+ *(static_cast<const unsigned char*>(buf) + bytesWritten));
+
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Verbose,
+ ("[%p] indicated SSL short write for %d bytes (written just %d bytes)",
+ fd, amount, bytesWritten));
+
+ bytesWritten = -1;
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+
+#ifdef DEBUG
+ socketInfo->RememberShortWrittenBuffer(
+ static_cast<const unsigned char*>(buf));
+#endif
+
+ } else if (socketInfo->IsShortWritePending() && bytesWritten == 1) {
+ // We have now flushed all pending data in the SSL socket
+ // after the indicated short write. Tell the upper layer
+ // it has sent all its data now.
+ MOZ_LOG(gPIPNSSLog, LogLevel::Verbose,
+ ("[%p] finished SSL short write", fd));
+
+ bytesWritten = socketInfo->ResetShortWritePending();
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Verbose,
+ ("[%p] wrote %d bytes\n", fd, bytesWritten));
+
+ return checkHandshake(bytesWritten, false, fd, socketInfo);
+}
+
+static PRStatus PSMBind(PRFileDesc* fd, const PRNetAddr* addr) {
+ if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE;
+
+ return fd->lower->methods->bind(fd->lower, addr);
+}
+
+static int32_t nsSSLIOLayerRead(PRFileDesc* fd, void* buf, int32_t amount) {
+ return PSMRecv(fd, buf, amount, 0, PR_INTERVAL_NO_TIMEOUT);
+}
+
+static int32_t nsSSLIOLayerWrite(PRFileDesc* fd, const void* buf,
+ int32_t amount) {
+ return PSMSend(fd, buf, amount, 0, PR_INTERVAL_NO_TIMEOUT);
+}
+
+static PRStatus PSMConnectcontinue(PRFileDesc* fd, int16_t out_flags) {
+ if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) {
+ return PR_FAILURE;
+ }
+
+ return fd->lower->methods->connectcontinue(fd, out_flags);
+}
+
+namespace {
+
+class PrefObserver : public nsIObserver {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIOBSERVER
+ explicit PrefObserver(nsSSLIOLayerHelpers* aOwner) : mOwner(aOwner) {}
+
+ protected:
+ virtual ~PrefObserver() = default;
+
+ private:
+ nsSSLIOLayerHelpers* mOwner;
+};
+
+} // unnamed namespace
+
+NS_IMPL_ISUPPORTS(PrefObserver, nsIObserver)
+
+NS_IMETHODIMP
+PrefObserver::Observe(nsISupports* aSubject, const char* aTopic,
+ const char16_t* someData) {
+ if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
+ NS_ConvertUTF16toUTF8 prefName(someData);
+
+ if (prefName.EqualsLiteral(
+ "security.ssl.treat_unsafe_negotiation_as_broken")) {
+ bool enabled;
+ Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken",
+ &enabled);
+ mOwner->setTreatUnsafeNegotiationAsBroken(enabled);
+ } else if (prefName.EqualsLiteral("security.tls.version.fallback-limit")) {
+ mOwner->loadVersionFallbackLimit();
+ } else if (prefName.EqualsLiteral("security.tls.insecure_fallback_hosts")) {
+ // Changes to the allowlist on the public side will update the pref.
+ // Don't propagate the changes to the private side.
+ if (mOwner->isPublic()) {
+ mOwner->initInsecureFallbackSites();
+ }
+ }
+ }
+ return NS_OK;
+}
+
+static int32_t PlaintextRecv(PRFileDesc* fd, void* buf, int32_t amount,
+ int flags, PRIntervalTime timeout) {
+ NSSSocketControl* socketInfo = nullptr;
+
+ int32_t bytesRead =
+ fd->lower->methods->recv(fd->lower, buf, amount, flags, timeout);
+ if (fd->identity == nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity) {
+ socketInfo = (NSSSocketControl*)fd->secret;
+ }
+
+ if ((bytesRead > 0) && socketInfo) {
+ socketInfo->AddPlaintextBytesRead(bytesRead);
+ }
+ return bytesRead;
+}
+
+nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers() {
+ // mPrefObserver will only be set if this->Init was called. The GTest tests
+ // do not call Init.
+ if (mPrefObserver) {
+ Preferences::RemoveObserver(
+ mPrefObserver, "security.ssl.treat_unsafe_negotiation_as_broken");
+ Preferences::RemoveObserver(mPrefObserver,
+ "security.tls.version.fallback-limit");
+ Preferences::RemoveObserver(mPrefObserver,
+ "security.tls.insecure_fallback_hosts");
+ }
+}
+
+template <typename R, R return_value, typename... Args>
+static R InvalidPRIOMethod(Args...) {
+ MOZ_ASSERT_UNREACHABLE("I/O method is invalid");
+ PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+ return return_value;
+}
+
+nsresult nsSSLIOLayerHelpers::Init() {
+ if (!nsSSLIOLayerInitialized) {
+ MOZ_ASSERT(NS_IsMainThread());
+ nsSSLIOLayerInitialized = true;
+ nsSSLIOLayerIdentity = PR_GetUniqueIdentity("NSS layer");
+ nsSSLIOLayerMethods = *PR_GetDefaultIOMethods();
+
+ nsSSLIOLayerMethods.fsync =
+ InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*>;
+ nsSSLIOLayerMethods.seek =
+ InvalidPRIOMethod<int32_t, -1, PRFileDesc*, int32_t, PRSeekWhence>;
+ nsSSLIOLayerMethods.seek64 =
+ InvalidPRIOMethod<int64_t, -1, PRFileDesc*, int64_t, PRSeekWhence>;
+ nsSSLIOLayerMethods.fileInfo =
+ InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, PRFileInfo*>;
+ nsSSLIOLayerMethods.fileInfo64 =
+ InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, PRFileInfo64*>;
+ nsSSLIOLayerMethods.writev =
+ InvalidPRIOMethod<int32_t, -1, PRFileDesc*, const PRIOVec*, int32_t,
+ PRIntervalTime>;
+ nsSSLIOLayerMethods.accept =
+ InvalidPRIOMethod<PRFileDesc*, nullptr, PRFileDesc*, PRNetAddr*,
+ PRIntervalTime>;
+ nsSSLIOLayerMethods.listen =
+ InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, int>;
+ nsSSLIOLayerMethods.shutdown =
+ InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, int>;
+ nsSSLIOLayerMethods.recvfrom =
+ InvalidPRIOMethod<int32_t, -1, PRFileDesc*, void*, int32_t, int,
+ PRNetAddr*, PRIntervalTime>;
+ nsSSLIOLayerMethods.sendto =
+ InvalidPRIOMethod<int32_t, -1, PRFileDesc*, const void*, int32_t, int,
+ const PRNetAddr*, PRIntervalTime>;
+ nsSSLIOLayerMethods.acceptread =
+ InvalidPRIOMethod<int32_t, -1, PRFileDesc*, PRFileDesc**, PRNetAddr**,
+ void*, int32_t, PRIntervalTime>;
+ nsSSLIOLayerMethods.transmitfile =
+ InvalidPRIOMethod<int32_t, -1, PRFileDesc*, PRFileDesc*, const void*,
+ int32_t, PRTransmitFileFlags, PRIntervalTime>;
+ nsSSLIOLayerMethods.sendfile =
+ InvalidPRIOMethod<int32_t, -1, PRFileDesc*, PRSendFileData*,
+ PRTransmitFileFlags, PRIntervalTime>;
+
+ nsSSLIOLayerMethods.available = PSMAvailable;
+ nsSSLIOLayerMethods.available64 = PSMAvailable64;
+ nsSSLIOLayerMethods.getsockname = PSMGetsockname;
+ nsSSLIOLayerMethods.getpeername = PSMGetpeername;
+ nsSSLIOLayerMethods.getsocketoption = PSMGetsocketoption;
+ nsSSLIOLayerMethods.setsocketoption = PSMSetsocketoption;
+ nsSSLIOLayerMethods.recv = PSMRecv;
+ nsSSLIOLayerMethods.send = PSMSend;
+ nsSSLIOLayerMethods.connectcontinue = PSMConnectcontinue;
+ nsSSLIOLayerMethods.bind = PSMBind;
+
+ nsSSLIOLayerMethods.connect = nsSSLIOLayerConnect;
+ nsSSLIOLayerMethods.close = nsSSLIOLayerClose;
+ nsSSLIOLayerMethods.write = nsSSLIOLayerWrite;
+ nsSSLIOLayerMethods.read = nsSSLIOLayerRead;
+ nsSSLIOLayerMethods.poll = nsSSLIOLayerPoll;
+
+ nsSSLPlaintextLayerIdentity = PR_GetUniqueIdentity("Plaintxext PSM layer");
+ nsSSLPlaintextLayerMethods = *PR_GetDefaultIOMethods();
+ nsSSLPlaintextLayerMethods.recv = PlaintextRecv;
+ }
+
+ loadVersionFallbackLimit();
+
+ // non main thread helpers will need to use defaults
+ if (NS_IsMainThread()) {
+ bool enabled = false;
+ Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken",
+ &enabled);
+ setTreatUnsafeNegotiationAsBroken(enabled);
+
+ initInsecureFallbackSites();
+
+ mPrefObserver = new PrefObserver(this);
+ Preferences::AddStrongObserver(
+ mPrefObserver, "security.ssl.treat_unsafe_negotiation_as_broken");
+ Preferences::AddStrongObserver(mPrefObserver,
+ "security.tls.version.fallback-limit");
+ Preferences::AddStrongObserver(mPrefObserver,
+ "security.tls.insecure_fallback_hosts");
+ } else {
+ MOZ_ASSERT(mTlsFlags, "Only per socket version can ignore prefs");
+ }
+
+ return NS_OK;
+}
+
+void nsSSLIOLayerHelpers::loadVersionFallbackLimit() {
+ // see nsNSSComponent::SetEnabledTLSVersions for pref handling rules
+ uint32_t limit = 3; // TLS 1.2
+
+ if (NS_IsMainThread()) {
+ limit = Preferences::GetUint("security.tls.version.fallback-limit",
+ 3); // 3 = TLS 1.2
+ }
+
+ // set fallback limit if it is set in the tls flags
+ uint32_t tlsFlagsFallbackLimit = getTLSProviderFlagFallbackLimit(mTlsFlags);
+
+ if (tlsFlagsFallbackLimit) {
+ limit = tlsFlagsFallbackLimit;
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("loadVersionFallbackLimit overriden by tlsFlags %d\n", limit));
+ }
+
+ SSLVersionRange defaults = {SSL_LIBRARY_VERSION_TLS_1_2,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ SSLVersionRange filledInRange;
+ nsNSSComponent::FillTLSVersionRange(filledInRange, limit, limit, defaults);
+ if (filledInRange.max < SSL_LIBRARY_VERSION_TLS_1_2) {
+ filledInRange.max = SSL_LIBRARY_VERSION_TLS_1_2;
+ }
+
+ mVersionFallbackLimit = filledInRange.max;
+}
+
+void nsSSLIOLayerHelpers::clearStoredData() {
+ MOZ_ASSERT(NS_IsMainThread());
+ initInsecureFallbackSites();
+
+ MutexAutoLock lock(mutex);
+ mTLSIntoleranceInfo.Clear();
+}
+
+void nsSSLIOLayerHelpers::setInsecureFallbackSites(const nsCString& str) {
+ MutexAutoLock lock(mutex);
+
+ mInsecureFallbackSites.Clear();
+
+ for (const nsACString& host : nsCCharSeparatedTokenizer(str, ',').ToRange()) {
+ if (!host.IsEmpty()) {
+ mInsecureFallbackSites.PutEntry(host);
+ }
+ }
+}
+
+void nsSSLIOLayerHelpers::initInsecureFallbackSites() {
+ MOZ_ASSERT(NS_IsMainThread());
+ nsAutoCString insecureFallbackHosts;
+ Preferences::GetCString("security.tls.insecure_fallback_hosts",
+ insecureFallbackHosts);
+ setInsecureFallbackSites(insecureFallbackHosts);
+}
+
+bool nsSSLIOLayerHelpers::isPublic() const {
+ return this == &PublicSSLState()->IOLayerHelpers();
+}
+
+class FallbackPrefRemover final : public Runnable {
+ public:
+ explicit FallbackPrefRemover(const nsACString& aHost)
+ : mozilla::Runnable("FallbackPrefRemover"), mHost(aHost) {}
+ NS_IMETHOD Run() override;
+
+ private:
+ nsCString mHost;
+};
+
+NS_IMETHODIMP
+FallbackPrefRemover::Run() {
+ MOZ_ASSERT(NS_IsMainThread());
+ nsAutoCString oldValue;
+ Preferences::GetCString("security.tls.insecure_fallback_hosts", oldValue);
+ nsCString newValue;
+ for (const nsACString& host :
+ nsCCharSeparatedTokenizer(oldValue, ',').ToRange()) {
+ if (host.Equals(mHost)) {
+ continue;
+ }
+ if (!newValue.IsEmpty()) {
+ newValue.Append(',');
+ }
+ newValue.Append(host);
+ }
+ Preferences::SetCString("security.tls.insecure_fallback_hosts", newValue);
+ return NS_OK;
+}
+
+void nsSSLIOLayerHelpers::removeInsecureFallbackSite(const nsACString& hostname,
+ uint16_t port) {
+ forgetIntolerance(hostname, port);
+ {
+ MutexAutoLock lock(mutex);
+ if (!mInsecureFallbackSites.Contains(hostname)) {
+ return;
+ }
+ mInsecureFallbackSites.RemoveEntry(hostname);
+ }
+ if (!isPublic()) {
+ return;
+ }
+ RefPtr<Runnable> runnable = new FallbackPrefRemover(hostname);
+ if (NS_IsMainThread()) {
+ runnable->Run();
+ } else {
+ NS_DispatchToMainThread(runnable);
+ }
+}
+
+bool nsSSLIOLayerHelpers::isInsecureFallbackSite(const nsACString& hostname) {
+ MutexAutoLock lock(mutex);
+ return mInsecureFallbackSites.Contains(hostname);
+}
+
+void nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(bool broken) {
+ MutexAutoLock lock(mutex);
+ mTreatUnsafeNegotiationAsBroken = broken;
+}
+
+bool nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken() {
+ MutexAutoLock lock(mutex);
+ return mTreatUnsafeNegotiationAsBroken;
+}
+
+nsresult nsSSLIOLayerNewSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ PRFileDesc** fd,
+ nsITLSSocketControl** tlsSocketControl,
+ bool forSTARTTLS, uint32_t flags,
+ uint32_t tlsFlags) {
+ PRFileDesc* sock = PR_OpenTCPSocket(family);
+ if (!sock) return NS_ERROR_OUT_OF_MEMORY;
+
+ nsresult rv =
+ nsSSLIOLayerAddToSocket(family, host, port, proxy, originAttributes, sock,
+ tlsSocketControl, forSTARTTLS, flags, tlsFlags);
+ if (NS_FAILED(rv)) {
+ PR_Close(sock);
+ return rv;
+ }
+
+ *fd = sock;
+ return NS_OK;
+}
+
+static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd,
+ NSSSocketControl* infoObject,
+ const char* host, bool haveHTTPSProxy) {
+ // Memory allocated here is released when fd is closed, regardless of the
+ // success of this function.
+ PRFileDesc* sslSock = SSL_ImportFD(nullptr, fd);
+ if (!sslSock) {
+ return nullptr;
+ }
+ if (SSL_SetPKCS11PinArg(sslSock, infoObject) != SECSuccess) {
+ return nullptr;
+ }
+ if (SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject) !=
+ SECSuccess) {
+ return nullptr;
+ }
+ if (SSL_SecretCallback(sslSock, SecretCallback, infoObject) != SECSuccess) {
+ return nullptr;
+ }
+ if (SSL_SetCanFalseStartCallback(sslSock, CanFalseStartCallback,
+ infoObject) != SECSuccess) {
+ return nullptr;
+ }
+
+ // Disable this hook if we connect anonymously. See bug 466080.
+ uint32_t flags = infoObject->GetProviderFlags();
+ SSLGetClientAuthData clientAuthDataHook = SSLGetClientAuthDataHook;
+ // Provide the client cert to HTTPS proxy no matter if it is anonymous.
+ if (flags & nsISocketProvider::ANONYMOUS_CONNECT && !haveHTTPSProxy &&
+ !(flags & nsISocketProvider::ANONYMOUS_CONNECT_ALLOW_CLIENT_CERT)) {
+ clientAuthDataHook = nullptr;
+ }
+ if (SSL_GetClientAuthDataHook(sslSock, clientAuthDataHook, infoObject) !=
+ SECSuccess) {
+ return nullptr;
+ }
+
+ if (SSL_AuthCertificateHook(sslSock, AuthCertificateHook, infoObject) !=
+ SECSuccess) {
+ return nullptr;
+ }
+ if (SSL_SetURL(sslSock, host) != SECSuccess) {
+ return nullptr;
+ }
+
+ return sslSock;
+}
+
+// Please change getSignatureName in nsNSSCallbacks.cpp when changing the list
+// here. See NOTE at SSL_SignatureSchemePrefSet call site.
+static const SSLSignatureScheme sEnabledSignatureSchemes[] = {
+ ssl_sig_ecdsa_secp256r1_sha256,
+ ssl_sig_ecdsa_secp384r1_sha384,
+ ssl_sig_ecdsa_secp521r1_sha512,
+ ssl_sig_rsa_pss_sha256,
+ ssl_sig_rsa_pss_sha384,
+ ssl_sig_rsa_pss_sha512,
+ ssl_sig_rsa_pkcs1_sha256,
+ ssl_sig_rsa_pkcs1_sha384,
+ ssl_sig_rsa_pkcs1_sha512,
+#if !defined(EARLY_BETA_OR_EARLIER)
+ ssl_sig_ecdsa_sha1,
+#endif
+ ssl_sig_rsa_pkcs1_sha1,
+};
+
+static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
+ bool haveProxy, const char* host,
+ int32_t port,
+ NSSSocketControl* infoObject) {
+ if (forSTARTTLS || haveProxy) {
+ if (SECSuccess != SSL_OptionSet(fd, SSL_SECURITY, false)) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ SSLVersionRange range;
+ if (SSL_VersionRangeGet(fd, &range) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // Set TLS 1.3 compat mode.
+ if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("[%p] nsSSLIOLayerSetOptions: Setting compat mode failed\n", fd));
+ }
+
+ // setting TLS max version
+ uint32_t versionFlags =
+ getTLSProviderFlagMaxVersion(infoObject->GetProviderTlsFlags());
+ if (versionFlags) {
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("[%p] nsSSLIOLayerSetOptions: version flags %d\n", fd, versionFlags));
+ if (versionFlags == kTLSProviderFlagMaxVersion10) {
+ range.max = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (versionFlags == kTLSProviderFlagMaxVersion11) {
+ range.max = SSL_LIBRARY_VERSION_TLS_1_1;
+ } else if (versionFlags == kTLSProviderFlagMaxVersion12) {
+ range.max = SSL_LIBRARY_VERSION_TLS_1_2;
+ } else if (versionFlags == kTLSProviderFlagMaxVersion13) {
+ range.max = SSL_LIBRARY_VERSION_TLS_1_3;
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+ ("[%p] nsSSLIOLayerSetOptions: unknown version flags %d\n", fd,
+ versionFlags));
+ }
+ }
+
+ if ((infoObject->GetProviderFlags() & nsISocketProvider::BE_CONSERVATIVE) &&
+ (range.max > SSL_LIBRARY_VERSION_TLS_1_2)) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to "
+ "BE_CONSERVATIVE flag\n",
+ fd));
+ range.max = SSL_LIBRARY_VERSION_TLS_1_2;
+ }
+
+ uint16_t maxEnabledVersion = range.max;
+ infoObject->SharedState().IOLayerHelpers().adjustForTLSIntolerance(
+ infoObject->GetHostName(), infoObject->GetPort(), range);
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("[%p] nsSSLIOLayerSetOptions: using TLS version range (0x%04x,0x%04x)\n",
+ fd, static_cast<unsigned int>(range.min),
+ static_cast<unsigned int>(range.max)));
+
+ // If the user has set their minimum version to something higher than what
+ // we've now set the maximum to, this will result in an inconsistent version
+ // range unless we fix it up. This will override their preference, but we only
+ // do this for sites critical to the operation of the browser (e.g. update
+ // servers) and telemetry experiments.
+ if (range.min > range.max) {
+ range.min = range.max;
+ }
+
+ if (SSL_VersionRangeSet(fd, &range) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ infoObject->SetTLSVersionRange(range);
+
+ // when adjustForTLSIntolerance tweaks the maximum version downward,
+ // we tell the server using this SCSV so they can detect a downgrade attack
+ if (range.max < maxEnabledVersion) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] nsSSLIOLayerSetOptions: enabling TLS_FALLBACK_SCSV\n", fd));
+ // Some servers will choke if we send the fallback SCSV with TLS 1.2.
+ if (range.max < SSL_LIBRARY_VERSION_TLS_1_2) {
+ if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, true)) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+ // tell NSS the max enabled version to make anti-downgrade effective
+ if (SECSuccess != SSL_SetDowngradeCheckVersion(fd, maxEnabledVersion)) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ // Enable ECH GREASE if suitable. Has no impact if 'real' ECH is being used.
+ if (range.max >= SSL_LIBRARY_VERSION_TLS_1_3 &&
+ !(infoObject->GetProviderFlags() & (nsISocketProvider::BE_CONSERVATIVE |
+ nsISocketProvider::DONT_TRY_ECH)) &&
+ StaticPrefs::security_tls_ech_grease_probability()) {
+ if ((RandomUint64().valueOr(0) % 100) >=
+ 100 - StaticPrefs::security_tls_ech_grease_probability()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] nsSSLIOLayerSetOptions: enabling TLS ECH Grease\n", fd));
+ if (SECSuccess != SSL_EnableTls13GreaseEch(fd, PR_TRUE)) {
+ return NS_ERROR_FAILURE;
+ }
+ // ECH Padding can be between 1 and 255
+ if (SECSuccess !=
+ SSL_SetTls13GreaseEchSize(
+ fd, std::clamp(StaticPrefs::security_tls_ech_grease_size(), 1U,
+ 255U))) {
+ return NS_ERROR_FAILURE;
+ }
+ infoObject->UpdateEchExtensionStatus(EchExtensionStatus::kGREASE);
+ }
+ }
+
+ // Include a modest set of named groups.
+ // Please change getKeaGroupName in nsNSSCallbacks.cpp when changing the lists
+ // here.
+ if (StaticPrefs::security_tls_enable_kyber() &&
+ range.max >= SSL_LIBRARY_VERSION_TLS_1_3 &&
+ !(infoObject->GetProviderFlags() &
+ (nsISocketProvider::BE_CONSERVATIVE | nsISocketProvider::IS_RETRY))) {
+ const SSLNamedGroup namedGroups[] = {
+ ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1,
+ ssl_grp_ec_secp384r1, ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048,
+ ssl_grp_ffdhe_3072};
+ if (SECSuccess != SSL_NamedGroupConfig(fd, namedGroups,
+ mozilla::ArrayLength(namedGroups))) {
+ return NS_ERROR_FAILURE;
+ }
+ // This ensures that we send key shares for Xyber768D00, X25519, and P-256
+ // in TLS 1.3, so that servers are less likely to use HelloRetryRequest.
+ if (SECSuccess != SSL_SendAdditionalKeyShares(fd, 2)) {
+ return NS_ERROR_FAILURE;
+ }
+ infoObject->WillSendXyberShare();
+ } else {
+ const SSLNamedGroup namedGroups[] = {
+ ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
+ ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072};
+ // Skip the |ssl_grp_kem_xyber768d00| entry.
+ if (SECSuccess != SSL_NamedGroupConfig(fd, namedGroups,
+ mozilla::ArrayLength(namedGroups))) {
+ return NS_ERROR_FAILURE;
+ }
+ // This ensures that we send key shares for X25519 and P-256 in TLS 1.3, so
+ // that servers are less likely to use HelloRetryRequest.
+ if (SECSuccess != SSL_SendAdditionalKeyShares(fd, 1)) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ // NOTE: Should this list ever include ssl_sig_rsa_pss_pss_sha* (or should
+ // it become possible to enable this scheme via a pref), it is required
+ // to test that a Delegated Credential containing a small-modulus RSA-PSS SPKI
+ // is properly rejected. NSS will not advertise PKCS1 or RSAE schemes (which
+ // the |ssl_sig_rsa_pss_*| defines alias, meaning we will not currently accept
+ // any RSA DC.
+ if (SECSuccess != SSL_SignatureSchemePrefSet(
+ fd, sEnabledSignatureSchemes,
+ mozilla::ArrayLength(sEnabledSignatureSchemes))) {
+ return NS_ERROR_FAILURE;
+ }
+
+ bool enabled = infoObject->SharedState().IsOCSPStaplingEnabled();
+ if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_OCSP_STAPLING, enabled)) {
+ return NS_ERROR_FAILURE;
+ }
+
+ bool sctsEnabled = infoObject->SharedState().IsSignedCertTimestampsEnabled();
+ if (SECSuccess !=
+ SSL_OptionSet(fd, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, sctsEnabled)) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (SECSuccess != SSL_OptionSet(fd, SSL_HANDSHAKE_AS_CLIENT, true)) {
+ return NS_ERROR_FAILURE;
+ }
+
+#if defined(__arm__)
+ if (!mozilla::supports_arm_aes()) {
+ unsigned int enabledCiphers = 0;
+ std::vector<uint16_t> ciphers(SSL_GetNumImplementedCiphers());
+
+ // Returns only the enabled (reflecting prefs) ciphers, ordered
+ // by their occurence in
+ // https://hg.mozilla.org/projects/nss/file/a75ea4cdacd95282c6c245ebb849c25e84ccd908/lib/ssl/ssl3con.c#l87
+ if (SSL_CipherSuiteOrderGet(fd, ciphers.data(), &enabledCiphers) !=
+ SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ // On ARM, prefer (TLS_CHACHA20_POLY1305_SHA256) over AES when hardware
+ // support for AES isn't available. However, it may be disabled. If enabled,
+ // it will either be element [0] or [1]*. If [0], we're done. If [1], swap
+ // it with [0] (TLS_AES_128_GCM_SHA256).
+ // *(assuming the compile-time order remains unchanged)
+ if (enabledCiphers > 1) {
+ if (ciphers[0] != TLS_CHACHA20_POLY1305_SHA256 &&
+ ciphers[1] == TLS_CHACHA20_POLY1305_SHA256) {
+ std::swap(ciphers[0], ciphers[1]);
+
+ if (SSL_CipherSuiteOrderSet(fd, ciphers.data(), enabledCiphers) !=
+ SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+ }
+ }
+#endif
+
+ // Set the Peer ID so that SSL proxy connections work properly and to
+ // separate anonymous and/or private browsing connections.
+ nsAutoCString peerId;
+ infoObject->GetPeerId(peerId);
+ if (SECSuccess != SSL_SetSockPeerID(fd, peerId.get())) {
+ return NS_ERROR_FAILURE;
+ }
+
+ uint32_t flags = infoObject->GetProviderFlags();
+ if (flags & nsISocketProvider::NO_PERMANENT_STORAGE) {
+ if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, false) ||
+ SECSuccess != SSL_OptionSet(fd, SSL_NO_CACHE, true)) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ return NS_OK;
+}
+
+SECStatus StoreResumptionToken(PRFileDesc* fd, const PRUint8* resumptionToken,
+ unsigned int len, void* ctx) {
+ PRIntn val;
+ if (SSL_OptionGet(fd, SSL_ENABLE_SESSION_TICKETS, &val) != SECSuccess ||
+ val == 0) {
+ return SECFailure;
+ }
+
+ NSSSocketControl* infoObject = (NSSSocketControl*)ctx;
+ if (!infoObject) {
+ return SECFailure;
+ }
+
+ nsAutoCString peerId;
+ infoObject->GetPeerId(peerId);
+ if (NS_FAILED(
+ net::SSLTokensCache::Put(peerId, resumptionToken, len, infoObject))) {
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ PRFileDesc* fd,
+ nsITLSSocketControl** tlsSocketControl,
+ bool forSTARTTLS, uint32_t providerFlags,
+ uint32_t providerTlsFlags) {
+ SharedSSLState* sharedState = nullptr;
+ RefPtr<SharedSSLState> allocatedState;
+ if (providerTlsFlags) {
+ allocatedState = new SharedSSLState(providerTlsFlags);
+ sharedState = allocatedState.get();
+ } else {
+ bool isPrivate = providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE ||
+ originAttributes.mPrivateBrowsingId !=
+ OriginAttributes().mPrivateBrowsingId;
+ sharedState = isPrivate ? PrivateSSLState() : PublicSSLState();
+ }
+
+ RefPtr<NSSSocketControl> infoObject(
+ new NSSSocketControl(nsDependentCString(host), port, *sharedState,
+ providerFlags, providerTlsFlags));
+ if (!infoObject) {
+ return NS_ERROR_FAILURE;
+ }
+
+ infoObject->SetForSTARTTLS(forSTARTTLS);
+ infoObject->SetOriginAttributes(originAttributes);
+ if (allocatedState) {
+ infoObject->SetSharedOwningReference(allocatedState);
+ }
+
+ bool haveProxy = false;
+ bool haveHTTPSProxy = false;
+ if (proxy) {
+ nsAutoCString proxyHost;
+ nsresult rv = proxy->GetHost(proxyHost);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ haveProxy = !proxyHost.IsEmpty();
+ nsAutoCString type;
+ haveHTTPSProxy = haveProxy && NS_SUCCEEDED(proxy->GetType(type)) &&
+ type.EqualsLiteral("https");
+ }
+
+ // A plaintext observer shim is inserted so we can observe some protocol
+ // details without modifying nss
+ PRFileDesc* plaintextLayer =
+ PR_CreateIOLayerStub(nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity,
+ &nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods);
+ if (!plaintextLayer) {
+ return NS_ERROR_FAILURE;
+ }
+ plaintextLayer->secret = (PRFilePrivate*)infoObject.get();
+ if (PR_PushIOLayer(fd, PR_TOP_IO_LAYER, plaintextLayer) != PR_SUCCESS) {
+ plaintextLayer->dtor(plaintextLayer);
+ return NS_ERROR_FAILURE;
+ }
+ auto plaintextLayerCleanup = MakeScopeExit([&fd] {
+ // Note that PR_*IOLayer operations may modify the stack of fds, so a
+ // previously-valid pointer may no longer point to what we think it points
+ // to after calling PR_PopIOLayer. We must operate on the pointer returned
+ // by PR_PopIOLayer.
+ PRFileDesc* plaintextLayer =
+ PR_PopIOLayer(fd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+ if (plaintextLayer) {
+ plaintextLayer->dtor(plaintextLayer);
+ }
+ });
+
+ PRFileDesc* sslSock =
+ nsSSLIOLayerImportFD(fd, infoObject, host, haveHTTPSProxy);
+ if (!sslSock) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsresult rv = nsSSLIOLayerSetOptions(sslSock, forSTARTTLS, haveProxy, host,
+ port, infoObject);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Now, layer ourselves on top of the SSL socket...
+ PRFileDesc* layer =
+ PR_CreateIOLayerStub(nsSSLIOLayerHelpers::nsSSLIOLayerIdentity,
+ &nsSSLIOLayerHelpers::nsSSLIOLayerMethods);
+ if (!layer) {
+ return NS_ERROR_FAILURE;
+ }
+ // Give the layer an owning reference to the NSSSocketControl.
+ // This is the simplest way to prevent the layer from outliving the
+ // NSSSocketControl (otherwise, the layer could potentially use it in
+ // nsSSLIOLayerClose after it has been released).
+ // nsSSLIOLayerClose takes the owning reference when the underlying fd gets
+ // closed. If the fd never gets closed (as in, leaks), the NSSSocketControl
+ // will also leak.
+ layer->secret = (PRFilePrivate*)do_AddRef(infoObject).take();
+
+ if (PR_PushIOLayer(sslSock, PR_GetLayersIdentity(sslSock), layer) !=
+ PR_SUCCESS) {
+ layer->dtor(layer);
+ return NS_ERROR_FAILURE;
+ }
+ auto layerCleanup = MakeScopeExit([&fd] {
+ PRFileDesc* layer =
+ PR_PopIOLayer(fd, nsSSLIOLayerHelpers::nsSSLIOLayerIdentity);
+ if (layer) {
+ layer->dtor(layer);
+ }
+ });
+
+ // We are going use a clear connection first //
+ if (forSTARTTLS || haveProxy) {
+ infoObject->SetHandshakeNotPending();
+ }
+
+ infoObject->SharedState().NoteSocketCreated();
+
+ rv = infoObject->SetResumptionTokenFromExternalCache(sslSock);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (SSL_SetResumptionTokenCallback(sslSock, &StoreResumptionToken,
+ infoObject) != SECSuccess) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Socket set up", (void*)sslSock));
+
+ (void)infoObject->SetFileDescPtr(sslSock);
+ layerCleanup.release();
+ plaintextLayerCleanup.release();
+ *tlsSocketControl = infoObject.forget().take();
+ return NS_OK;
+}
+
+extern "C" {
+
+const uint8_t kIPCClientCertsObjectTypeCert = 1;
+const uint8_t kIPCClientCertsObjectTypeRSAKey = 2;
+const uint8_t kIPCClientCertsObjectTypeECKey = 3;
+
+// This function is provided to the IPC client certs module so it can cause the
+// parent process to find certificates and keys and send identifying
+// information about them over IPC.
+void DoFindObjects(FindObjectsCallback cb, void* ctx) {
+ net::SocketProcessChild* socketChild =
+ net::SocketProcessChild::GetSingleton();
+ if (!socketChild) {
+ return;
+ }
+
+ RefPtr<IPCClientCertsChild> ipcClientCertsActor(
+ socketChild->GetIPCClientCertsActor());
+ if (!ipcClientCertsActor) {
+ return;
+ }
+ nsTArray<IPCClientCertObject> objects;
+ if (!ipcClientCertsActor->SendFindObjects(&objects)) {
+ return;
+ }
+ for (const auto& object : objects) {
+ switch (object.type()) {
+ case IPCClientCertObject::TECKey:
+ cb(kIPCClientCertsObjectTypeECKey, object.get_ECKey().params().Length(),
+ object.get_ECKey().params().Elements(),
+ object.get_ECKey().cert().Length(),
+ object.get_ECKey().cert().Elements(), object.get_ECKey().slotType(),
+ ctx);
+ break;
+ case IPCClientCertObject::TRSAKey:
+ cb(kIPCClientCertsObjectTypeRSAKey,
+ object.get_RSAKey().modulus().Length(),
+ object.get_RSAKey().modulus().Elements(),
+ object.get_RSAKey().cert().Length(),
+ object.get_RSAKey().cert().Elements(),
+ object.get_RSAKey().slotType(), ctx);
+ break;
+ case IPCClientCertObject::TCertificate:
+ cb(kIPCClientCertsObjectTypeCert,
+ object.get_Certificate().der().Length(),
+ object.get_Certificate().der().Elements(), 0, nullptr,
+ object.get_Certificate().slotType(), ctx);
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE("unhandled IPCClientCertObject type");
+ break;
+ }
+ }
+}
+
+// This function is provided to the IPC client certs module so it can cause the
+// parent process to sign the given data using the key corresponding to the
+// given certificate, using the given parameters.
+void DoSign(size_t cert_len, const uint8_t* cert, size_t data_len,
+ const uint8_t* data, size_t params_len, const uint8_t* params,
+ SignCallback cb, void* ctx) {
+ net::SocketProcessChild* socketChild =
+ net::SocketProcessChild::GetSingleton();
+ if (!socketChild) {
+ return;
+ }
+
+ RefPtr<IPCClientCertsChild> ipcClientCertsActor(
+ socketChild->GetIPCClientCertsActor());
+ if (!ipcClientCertsActor) {
+ return;
+ }
+ ByteArray certBytes(nsTArray<uint8_t>(cert, cert_len));
+ ByteArray dataBytes(nsTArray<uint8_t>(data, data_len));
+ ByteArray paramsBytes(nsTArray<uint8_t>(params, params_len));
+ ByteArray signature;
+ if (!ipcClientCertsActor->SendSign(certBytes, dataBytes, paramsBytes,
+ &signature)) {
+ return;
+ }
+ cb(signature.data().Length(), signature.data().Elements(), ctx);
+}
+} // extern "C"
diff --git a/security/manager/ssl/nsNSSIOLayer.h b/security/manager/ssl/nsNSSIOLayer.h
new file mode 100644
index 0000000000..c819889257
--- /dev/null
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -0,0 +1,134 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSIOLayer_h
+#define nsNSSIOLayer_h
+
+#include "mozilla/Assertions.h"
+#include "mozilla/TimeStamp.h"
+#include "mozilla/UniquePtr.h"
+#include "nsCOMPtr.h"
+#include "nsIProxyInfo.h"
+#include "nsITLSSocketControl.h"
+#include "nsITlsHandshakeListener.h"
+#include "nsNSSCertificate.h"
+#include "nsTHashMap.h"
+#include "nsTHashtable.h"
+#include "sslt.h"
+
+namespace mozilla {
+class OriginAttributes;
+namespace psm {
+class SharedSSLState;
+} // namespace psm
+} // namespace mozilla
+
+const uint32_t kIPCClientCertsSlotTypeModern = 1;
+const uint32_t kIPCClientCertsSlotTypeLegacy = 2;
+
+using mozilla::OriginAttributes;
+
+class nsIObserver;
+
+// Order matters for UpdateEchExtensioNStatus.
+enum class EchExtensionStatus {
+ kNotPresent, // No ECH Extension was sent
+ kGREASE, // A GREASE ECH Extension was sent
+ kReal // A 'real' ECH Extension was sent
+};
+
+class nsSSLIOLayerHelpers {
+ public:
+ explicit nsSSLIOLayerHelpers(uint32_t aTlsFlags = 0);
+ ~nsSSLIOLayerHelpers();
+
+ nsresult Init();
+ void Cleanup();
+
+ static bool nsSSLIOLayerInitialized;
+ static PRDescIdentity nsSSLIOLayerIdentity;
+ static PRDescIdentity nsSSLPlaintextLayerIdentity;
+ static PRIOMethods nsSSLIOLayerMethods;
+ static PRIOMethods nsSSLPlaintextLayerMethods;
+
+ bool mTreatUnsafeNegotiationAsBroken;
+
+ void setTreatUnsafeNegotiationAsBroken(bool broken);
+ bool treatUnsafeNegotiationAsBroken();
+
+ private:
+ struct IntoleranceEntry {
+ uint16_t tolerant;
+ uint16_t intolerant;
+ PRErrorCode intoleranceReason;
+
+ void AssertInvariant() const {
+ MOZ_ASSERT(intolerant == 0 || tolerant < intolerant);
+ }
+ };
+ nsTHashMap<nsCStringHashKey, IntoleranceEntry> mTLSIntoleranceInfo;
+ // Sites that require insecure fallback to TLS 1.0, set by the pref
+ // security.tls.insecure_fallback_hosts, which is a comma-delimited
+ // list of domain names.
+ nsTHashtable<nsCStringHashKey> mInsecureFallbackSites;
+
+ public:
+ void rememberTolerantAtVersion(const nsACString& hostname, int16_t port,
+ uint16_t tolerant);
+ bool fallbackLimitReached(const nsACString& hostname, uint16_t intolerant);
+ bool rememberIntolerantAtVersion(const nsACString& hostname, int16_t port,
+ uint16_t intolerant, uint16_t minVersion,
+ PRErrorCode intoleranceReason);
+ void forgetIntolerance(const nsACString& hostname, int16_t port);
+ void adjustForTLSIntolerance(const nsACString& hostname, int16_t port,
+ /*in/out*/ SSLVersionRange& range);
+ PRErrorCode getIntoleranceReason(const nsACString& hostname, int16_t port);
+
+ void clearStoredData();
+ void loadVersionFallbackLimit();
+ void setInsecureFallbackSites(const nsCString& str);
+ void initInsecureFallbackSites();
+ bool isPublic() const;
+ void removeInsecureFallbackSite(const nsACString& hostname, uint16_t port);
+ bool isInsecureFallbackSite(const nsACString& hostname);
+
+ uint16_t mVersionFallbackLimit;
+
+ private:
+ mozilla::Mutex mutex MOZ_UNANNOTATED;
+ nsCOMPtr<nsIObserver> mPrefObserver;
+ uint32_t mTlsFlags;
+};
+
+nsresult nsSSLIOLayerNewSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ PRFileDesc** fd,
+ nsITLSSocketControl** tlsSocketControl,
+ bool forSTARTTLS, uint32_t flags,
+ uint32_t tlsFlags);
+
+nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ PRFileDesc* fd,
+ nsITLSSocketControl** tlsSocketControl,
+ bool forSTARTTLS, uint32_t flags,
+ uint32_t tlsFlags);
+
+extern "C" {
+using FindObjectsCallback = void (*)(uint8_t type, size_t id_len,
+ const uint8_t* id, size_t data_len,
+ const uint8_t* data, uint32_t slotType,
+ void* ctx);
+void DoFindObjects(FindObjectsCallback cb, void* ctx);
+using SignCallback = void (*)(size_t data_len, const uint8_t* data, void* ctx);
+void DoSign(size_t cert_len, const uint8_t* cert, size_t data_len,
+ const uint8_t* data, size_t params_len, const uint8_t* params,
+ SignCallback cb, void* ctx);
+}
+
+#endif // nsNSSIOLayer_h
diff --git a/security/manager/ssl/nsNSSModule.cpp b/security/manager/ssl/nsNSSModule.cpp
new file mode 100644
index 0000000000..ec62d25fc7
--- /dev/null
+++ b/security/manager/ssl/nsNSSModule.cpp
@@ -0,0 +1,107 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSModule.h"
+
+#include "ContentSignatureVerifier.h"
+#include "OSKeyStore.h"
+#include "OSReauthenticator.h"
+#include "PKCS11ModuleDB.h"
+#include "SecretDecoderRing.h"
+#include "mozilla/MacroArgs.h"
+#include "mozilla/ModuleUtils.h"
+#include "mozilla/SyncRunnable.h"
+#include "nsCertTree.h"
+#include "nsNSSCertificateDB.h"
+#include "nsPK11TokenDB.h"
+#include "nsRandomGenerator.h"
+#include "nsXULAppAPI.h"
+
+namespace mozilla {
+namespace psm {
+
+// Many of the implementations in this module call NSS functions and as a result
+// require that PSM has successfully initialized NSS before being used.
+// Additionally, some of the implementations have various restrictions on which
+// process and threads they can be used on (e.g. some can only be used in the
+// parent process and some must be initialized only on the main thread).
+// The following initialization framework allows these requirements to be
+// succinctly expressed and implemented.
+
+template <class InstanceClass, nsresult (InstanceClass::*InitMethod)()>
+MOZ_ALWAYS_INLINE static nsresult Instantiate(REFNSIID aIID, void** aResult) {
+ InstanceClass* inst = new InstanceClass();
+ NS_ADDREF(inst);
+ nsresult rv = InitMethod != nullptr ? (inst->*InitMethod)() : NS_OK;
+ if (NS_SUCCEEDED(rv)) {
+ rv = inst->QueryInterface(aIID, aResult);
+ }
+ NS_RELEASE(inst);
+ return rv;
+}
+
+enum class ThreadRestriction {
+ // must be initialized on the main thread (but can be used on any thread)
+ MainThreadOnly,
+ // can be initialized and used on any thread
+ AnyThread,
+};
+
+enum class ProcessRestriction {
+ ParentProcessOnly,
+ AnyProcess,
+};
+
+template <class InstanceClass,
+ nsresult (InstanceClass::*InitMethod)() = nullptr,
+ ProcessRestriction processRestriction =
+ ProcessRestriction::ParentProcessOnly,
+ ThreadRestriction threadRestriction = ThreadRestriction::AnyThread>
+static nsresult Constructor(REFNSIID aIID, void** aResult) {
+ *aResult = nullptr;
+
+ if (processRestriction == ProcessRestriction::ParentProcessOnly &&
+ !XRE_IsParentProcess()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ if (!EnsureNSSInitializedChromeOrContent()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (threadRestriction == ThreadRestriction::MainThreadOnly &&
+ !NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ return Instantiate<InstanceClass, InitMethod>(aIID, aResult);
+}
+
+#define IMPL(type, ...) \
+ template <> \
+ nsresult NSSConstructor<type>(const nsIID& aIID, void** aResult) { \
+ return Constructor<type, __VA_ARGS__>(aIID, aResult); \
+ }
+
+// Components that require main thread initialization could cause a deadlock
+// in necko code (bug 1418752). To prevent it we initialize all such components
+// on main thread in advance in net_EnsurePSMInit(). Update that function when
+// new component with ThreadRestriction::MainThreadOnly is added.
+IMPL(SecretDecoderRing, nullptr)
+IMPL(nsPK11TokenDB, nullptr)
+IMPL(PKCS11ModuleDB, nullptr)
+IMPL(nsNSSCertificateDB, nullptr)
+IMPL(nsCertTree, nullptr)
+IMPL(ContentSignatureVerifier, nullptr)
+IMPL(nsRandomGenerator, nullptr, ProcessRestriction::AnyProcess)
+IMPL(OSKeyStore, nullptr, ProcessRestriction::ParentProcessOnly,
+ ThreadRestriction::MainThreadOnly)
+IMPL(OSReauthenticator, nullptr, ProcessRestriction::ParentProcessOnly,
+ ThreadRestriction::MainThreadOnly)
+#undef IMPL
+
+} // namespace psm
+} // namespace mozilla
diff --git a/security/manager/ssl/nsNSSModule.h b/security/manager/ssl/nsNSSModule.h
new file mode 100644
index 0000000000..85d2c74209
--- /dev/null
+++ b/security/manager/ssl/nsNSSModule.h
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSModule_h
+#define nsNSSModule_h
+
+#include "nsID.h"
+
+class nsISupports;
+
+namespace mozilla {
+namespace psm {
+template <typename T>
+nsresult NSSConstructor(const nsIID& aIID, void** aInstancePtr);
+}
+} // namespace mozilla
+
+#endif // nsNSSModule_h
diff --git a/security/manager/ssl/nsNSSVersion.cpp b/security/manager/ssl/nsNSSVersion.cpp
new file mode 100644
index 0000000000..4ad5046a96
--- /dev/null
+++ b/security/manager/ssl/nsNSSVersion.cpp
@@ -0,0 +1,78 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSVersion.h"
+#include "nsString.h"
+#include "prinit.h"
+#include "nss.h"
+#include "nssutil.h"
+#include "ssl.h"
+#include "smime.h"
+
+NS_IMPL_ISUPPORTS(nsNSSVersion, nsINSSVersion)
+
+nsNSSVersion::nsNSSVersion() = default;
+
+nsNSSVersion::~nsNSSVersion() = default;
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSPR_Version(nsAString& v) {
+ v.AssignASCII(PR_GetVersion());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSS_Version(nsAString& v) {
+ v.AssignASCII(NSS_GetVersion());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSSUTIL_Version(nsAString& v) {
+ v.AssignASCII(NSSUTIL_GetVersion());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSSSSL_Version(nsAString& v) {
+ v.AssignASCII(NSSSSL_GetVersion());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSSSMIME_Version(nsAString& v) {
+ v.AssignASCII(NSSSMIME_GetVersion());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSPR_MinVersion(nsAString& v) {
+ v.AssignLiteral(PR_VERSION);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSS_MinVersion(nsAString& v) {
+ v.AssignLiteral(NSS_VERSION);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSSUTIL_MinVersion(nsAString& v) {
+ v.AssignLiteral(NSSUTIL_VERSION);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSSSSL_MinVersion(nsAString& v) {
+ v.AssignLiteral(NSS_VERSION);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSVersion::GetNSSSMIME_MinVersion(nsAString& v) {
+ v.AssignLiteral(NSS_VERSION);
+ return NS_OK;
+}
diff --git a/security/manager/ssl/nsNSSVersion.h b/security/manager/ssl/nsNSSVersion.h
new file mode 100644
index 0000000000..de8dc15dd3
--- /dev/null
+++ b/security/manager/ssl/nsNSSVersion.h
@@ -0,0 +1,30 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _NS_NSSVERSION_H_
+#define _NS_NSSVERSION_H_
+
+#include "nsINSSVersion.h"
+#include "mozilla/Attributes.h"
+
+class nsNSSVersion final : public nsINSSVersion {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSINSSVERSION
+
+ nsNSSVersion();
+
+ private:
+ ~nsNSSVersion();
+};
+
+#define NS_NSSVERSION_CID \
+ { \
+ 0x23ad3531, 0x11d2, 0x4e8e, { \
+ 0x80, 0x5a, 0x6a, 0x75, 0x2e, 0x91, 0x68, 0x1a \
+ } \
+ }
+
+#endif
diff --git a/security/manager/ssl/nsNTLMAuthModule.cpp b/security/manager/ssl/nsNTLMAuthModule.cpp
new file mode 100644
index 0000000000..0bb9452548
--- /dev/null
+++ b/security/manager/ssl/nsNTLMAuthModule.cpp
@@ -0,0 +1,1040 @@
+/* vim:set ts=2 sw=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNTLMAuthModule.h"
+
+#include <time.h>
+
+#include "ScopedNSSTypes.h"
+#include "md4.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Casting.h"
+#include "mozilla/CheckedInt.h"
+#include "mozilla/EndianUtils.h"
+#include "mozilla/Likely.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/Sprintf.h"
+#include "mozilla/StaticPrefs_network.h"
+#include "mozilla/Telemetry.h"
+#include "nsCOMPtr.h"
+#include "nsComponentManagerUtils.h"
+#include "nsICryptoHash.h"
+#include "nsNativeCharsetUtils.h"
+#include "nsNetCID.h"
+#include "nsUnicharUtils.h"
+#include "pk11pub.h"
+#include "prsystem.h"
+
+static mozilla::LazyLogModule sNTLMLog("NTLM");
+
+#define LOG(x) MOZ_LOG(sNTLMLog, mozilla::LogLevel::Debug, x)
+#define LOG_ENABLED() MOZ_LOG_TEST(sNTLMLog, mozilla::LogLevel::Debug)
+
+static void des_makekey(const uint8_t* raw, uint8_t* key);
+static void des_encrypt(const uint8_t* key, const uint8_t* src, uint8_t* hash);
+
+//-----------------------------------------------------------------------------
+// this file contains a cross-platform NTLM authentication implementation. it
+// is based on documentation from: http://davenport.sourceforge.net/ntlm.html
+//-----------------------------------------------------------------------------
+
+#define NTLM_NegotiateUnicode 0x00000001
+#define NTLM_NegotiateOEM 0x00000002
+#define NTLM_RequestTarget 0x00000004
+#define NTLM_Unknown1 0x00000008
+#define NTLM_NegotiateSign 0x00000010
+#define NTLM_NegotiateSeal 0x00000020
+#define NTLM_NegotiateDatagramStyle 0x00000040
+#define NTLM_NegotiateLanManagerKey 0x00000080
+#define NTLM_NegotiateNetware 0x00000100
+#define NTLM_NegotiateNTLMKey 0x00000200
+#define NTLM_Unknown2 0x00000400
+#define NTLM_Unknown3 0x00000800
+#define NTLM_NegotiateDomainSupplied 0x00001000
+#define NTLM_NegotiateWorkstationSupplied 0x00002000
+#define NTLM_NegotiateLocalCall 0x00004000
+#define NTLM_NegotiateAlwaysSign 0x00008000
+#define NTLM_TargetTypeDomain 0x00010000
+#define NTLM_TargetTypeServer 0x00020000
+#define NTLM_TargetTypeShare 0x00040000
+#define NTLM_NegotiateNTLM2Key 0x00080000
+#define NTLM_RequestInitResponse 0x00100000
+#define NTLM_RequestAcceptResponse 0x00200000
+#define NTLM_RequestNonNTSessionKey 0x00400000
+#define NTLM_NegotiateTargetInfo 0x00800000
+#define NTLM_Unknown4 0x01000000
+#define NTLM_Unknown5 0x02000000
+#define NTLM_Unknown6 0x04000000
+#define NTLM_Unknown7 0x08000000
+#define NTLM_Unknown8 0x10000000
+#define NTLM_Negotiate128 0x20000000
+#define NTLM_NegotiateKeyExchange 0x40000000
+#define NTLM_Negotiate56 0x80000000
+
+// we send these flags with our type 1 message
+#define NTLM_TYPE1_FLAGS \
+ (NTLM_NegotiateUnicode | NTLM_NegotiateOEM | NTLM_RequestTarget | \
+ NTLM_NegotiateNTLMKey | NTLM_NegotiateAlwaysSign | NTLM_NegotiateNTLM2Key)
+
+static const char NTLM_SIGNATURE[] = "NTLMSSP";
+static const char NTLM_TYPE1_MARKER[] = {0x01, 0x00, 0x00, 0x00};
+static const char NTLM_TYPE2_MARKER[] = {0x02, 0x00, 0x00, 0x00};
+static const char NTLM_TYPE3_MARKER[] = {0x03, 0x00, 0x00, 0x00};
+
+#define NTLM_TYPE1_HEADER_LEN 32
+#define NTLM_TYPE2_HEADER_LEN 48
+#define NTLM_TYPE3_HEADER_LEN 64
+
+/**
+ * We don't actually send a LM response, but we still have to send something in
+ * this spot
+ */
+#define LM_RESP_LEN 24
+
+#define NTLM_CHAL_LEN 8
+
+#define NTLM_HASH_LEN 16
+#define NTLMv2_HASH_LEN 16
+#define NTLM_RESP_LEN 24
+#define NTLMv2_RESP_LEN 16
+#define NTLMv2_BLOB1_LEN 28
+
+//-----------------------------------------------------------------------------
+
+/**
+ * Prints a description of flags to the NSPR Log, if enabled.
+ */
+static void LogFlags(uint32_t flags) {
+ if (!LOG_ENABLED()) return;
+#define TEST(_flag) \
+ if (flags & NTLM_##_flag) \
+ PR_LogPrint(" 0x%08x (" #_flag ")\n", NTLM_##_flag)
+
+ TEST(NegotiateUnicode);
+ TEST(NegotiateOEM);
+ TEST(RequestTarget);
+ TEST(Unknown1);
+ TEST(NegotiateSign);
+ TEST(NegotiateSeal);
+ TEST(NegotiateDatagramStyle);
+ TEST(NegotiateLanManagerKey);
+ TEST(NegotiateNetware);
+ TEST(NegotiateNTLMKey);
+ TEST(Unknown2);
+ TEST(Unknown3);
+ TEST(NegotiateDomainSupplied);
+ TEST(NegotiateWorkstationSupplied);
+ TEST(NegotiateLocalCall);
+ TEST(NegotiateAlwaysSign);
+ TEST(TargetTypeDomain);
+ TEST(TargetTypeServer);
+ TEST(TargetTypeShare);
+ TEST(NegotiateNTLM2Key);
+ TEST(RequestInitResponse);
+ TEST(RequestAcceptResponse);
+ TEST(RequestNonNTSessionKey);
+ TEST(NegotiateTargetInfo);
+ TEST(Unknown4);
+ TEST(Unknown5);
+ TEST(Unknown6);
+ TEST(Unknown7);
+ TEST(Unknown8);
+ TEST(Negotiate128);
+ TEST(NegotiateKeyExchange);
+ TEST(Negotiate56);
+
+#undef TEST
+}
+
+/**
+ * Prints a hexdump of buf to the NSPR Log, if enabled.
+ * @param tag Description of the data, will be printed in front of the data
+ * @param buf the data to print
+ * @param bufLen length of the data
+ */
+static void LogBuf(const char* tag, const uint8_t* buf, uint32_t bufLen) {
+ int i;
+
+ if (!LOG_ENABLED()) return;
+
+ PR_LogPrint("%s =\n", tag);
+ char line[80];
+ while (bufLen > 0) {
+ int count = bufLen;
+ if (count > 8) count = 8;
+
+ strcpy(line, " ");
+ for (i = 0; i < count; ++i) {
+ int len = strlen(line);
+ snprintf(line + len, sizeof(line) - len, "0x%02x ", int(buf[i]));
+ }
+ for (; i < 8; ++i) {
+ int len = strlen(line);
+ snprintf(line + len, sizeof(line) - len, " ");
+ }
+
+ int len = strlen(line);
+ snprintf(line + len, sizeof(line) - len, " ");
+ for (i = 0; i < count; ++i) {
+ len = strlen(line);
+ if (isprint(buf[i])) {
+ snprintf(line + len, sizeof(line) - len, "%c", buf[i]);
+ } else {
+ snprintf(line + len, sizeof(line) - len, ".");
+ }
+ }
+ PR_LogPrint("%s\n", line);
+
+ bufLen -= count;
+ buf += count;
+ }
+}
+
+/**
+ * Print base64-encoded token to the NSPR Log.
+ * @param name Description of the token, will be printed in front
+ * @param token The token to print
+ * @param tokenLen length of the data in token
+ */
+static void LogToken(const char* name, const void* token, uint32_t tokenLen) {
+ if (!LOG_ENABLED()) {
+ return;
+ }
+
+ nsDependentCSubstring tokenString(static_cast<const char*>(token), tokenLen);
+ nsAutoCString base64Token;
+ nsresult rv = mozilla::Base64Encode(tokenString, base64Token);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ PR_LogPrint("%s: %s\n", name, base64Token.get());
+}
+
+//-----------------------------------------------------------------------------
+
+// byte order swapping
+#define SWAP16(x) ((((x) & 0xff) << 8) | (((x) >> 8) & 0xff))
+#define SWAP32(x) ((SWAP16((x) & 0xffff) << 16) | (SWAP16((x) >> 16)))
+
+static void* WriteBytes(void* buf, const void* data, uint32_t dataLen) {
+ memcpy(buf, data, dataLen);
+ return (uint8_t*)buf + dataLen;
+}
+
+static void* WriteDWORD(void* buf, uint32_t dword) {
+#ifdef IS_BIG_ENDIAN
+ // NTLM uses little endian on the wire
+ dword = SWAP32(dword);
+#endif
+ return WriteBytes(buf, &dword, sizeof(dword));
+}
+
+static void* WriteSecBuf(void* buf, uint16_t length, uint32_t offset) {
+#ifdef IS_BIG_ENDIAN
+ length = SWAP16(length);
+ offset = SWAP32(offset);
+#endif
+ buf = WriteBytes(buf, &length, sizeof(length));
+ buf = WriteBytes(buf, &length, sizeof(length));
+ buf = WriteBytes(buf, &offset, sizeof(offset));
+ return buf;
+}
+
+#ifdef IS_BIG_ENDIAN
+/**
+ * WriteUnicodeLE copies a unicode string from one buffer to another. The
+ * resulting unicode string is in little-endian format. The input string is
+ * assumed to be in the native endianness of the local machine. It is safe
+ * to pass the same buffer as both input and output, which is a handy way to
+ * convert the unicode buffer to little-endian on big-endian platforms.
+ */
+static void* WriteUnicodeLE(void* buf, const char16_t* str, uint32_t strLen) {
+ // convert input string from BE to LE
+ uint8_t *cursor = (uint8_t*)buf, *input = (uint8_t*)str;
+ for (uint32_t i = 0; i < strLen; ++i, input += 2, cursor += 2) {
+ // allow for the case where |buf == str|
+ uint8_t temp = input[0];
+ cursor[0] = input[1];
+ cursor[1] = temp;
+ }
+ return buf;
+}
+#endif
+
+static uint16_t ReadUint16(const uint8_t*& buf) {
+ uint16_t x = ((uint16_t)buf[0]) | ((uint16_t)buf[1] << 8);
+ buf += sizeof(x);
+ return x;
+}
+
+static uint32_t ReadUint32(const uint8_t*& buf) {
+ uint32_t x = ((uint32_t)buf[0]) | (((uint32_t)buf[1]) << 8) |
+ (((uint32_t)buf[2]) << 16) | (((uint32_t)buf[3]) << 24);
+ buf += sizeof(x);
+ return x;
+}
+
+//-----------------------------------------------------------------------------
+
+static void ZapBuf(void* buf, size_t bufLen) { memset(buf, 0, bufLen); }
+
+static void ZapString(nsString& s) { ZapBuf(s.BeginWriting(), s.Length() * 2); }
+
+/**
+ * NTLM_Hash computes the NTLM hash of the given password.
+ *
+ * @param password
+ * null-terminated unicode password.
+ * @param hash
+ * 16-byte result buffer
+ */
+static void NTLM_Hash(const nsString& password, unsigned char* hash) {
+ uint32_t len = password.Length();
+ uint8_t* passbuf;
+
+#ifdef IS_BIG_ENDIAN
+ passbuf = (uint8_t*)malloc(len * 2);
+ WriteUnicodeLE(passbuf, password.get(), len);
+#else
+ passbuf = (uint8_t*)password.get();
+#endif
+
+ md4sum(passbuf, len * 2, hash);
+
+#ifdef IS_BIG_ENDIAN
+ ZapBuf(passbuf, len * 2);
+ free(passbuf);
+#endif
+}
+
+//-----------------------------------------------------------------------------
+
+/**
+ * LM_Response generates the LM response given a 16-byte password hash and the
+ * challenge from the Type-2 message.
+ *
+ * @param hash
+ * 16-byte password hash
+ * @param challenge
+ * 8-byte challenge from Type-2 message
+ * @param response
+ * 24-byte buffer to contain the LM response upon return
+ */
+static void LM_Response(const uint8_t* hash, const uint8_t* challenge,
+ uint8_t* response) {
+ uint8_t keybytes[21], k1[8], k2[8], k3[8];
+
+ memcpy(keybytes, hash, 16);
+ ZapBuf(keybytes + 16, 5);
+
+ des_makekey(keybytes, k1);
+ des_makekey(keybytes + 7, k2);
+ des_makekey(keybytes + 14, k3);
+
+ des_encrypt(k1, challenge, response);
+ des_encrypt(k2, challenge, response + 8);
+ des_encrypt(k3, challenge, response + 16);
+}
+
+//-----------------------------------------------------------------------------
+
+static nsresult GenerateType1Msg(void** outBuf, uint32_t* outLen) {
+ //
+ // verify that bufLen is sufficient
+ //
+ *outLen = NTLM_TYPE1_HEADER_LEN;
+ *outBuf = moz_xmalloc(*outLen);
+
+ //
+ // write out type 1 msg
+ //
+ void* cursor = *outBuf;
+
+ // 0 : signature
+ cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE));
+
+ // 8 : marker
+ cursor = WriteBytes(cursor, NTLM_TYPE1_MARKER, sizeof(NTLM_TYPE1_MARKER));
+
+ // 12 : flags
+ cursor = WriteDWORD(cursor, NTLM_TYPE1_FLAGS);
+
+ //
+ // NOTE: it is common for the domain and workstation fields to be empty.
+ // this is true of Win2k clients, and my guess is that there is
+ // little utility to sending these strings before the charset has
+ // been negotiated. we follow suite -- anyways, it doesn't hurt
+ // to save some bytes on the wire ;-)
+ //
+
+ // 16 : supplied domain security buffer (empty)
+ cursor = WriteSecBuf(cursor, 0, 0);
+
+ // 24 : supplied workstation security buffer (empty)
+ cursor = WriteSecBuf(cursor, 0, 0);
+
+ return NS_OK;
+}
+
+struct Type2Msg {
+ uint32_t flags; // NTLM_Xxx bitwise combination
+ uint8_t challenge[NTLM_CHAL_LEN]; // 8 byte challenge
+ const uint8_t* target; // target string (type depends on flags)
+ uint32_t targetLen; // target length in bytes
+ const uint8_t*
+ targetInfo; // target Attribute-Value pairs (DNS domain, et al)
+ uint32_t targetInfoLen; // target AV pairs length in bytes
+};
+
+static nsresult ParseType2Msg(const void* inBuf, uint32_t inLen,
+ Type2Msg* msg) {
+ // make sure inBuf is long enough to contain a meaningful type2 msg.
+ //
+ // 0 NTLMSSP Signature
+ // 8 NTLM Message Type
+ // 12 Target Name
+ // 20 Flags
+ // 24 Challenge
+ // 32 targetInfo
+ // 48 start of optional data blocks
+ //
+ if (inLen < NTLM_TYPE2_HEADER_LEN) return NS_ERROR_UNEXPECTED;
+
+ const auto* cursor = static_cast<const uint8_t*>(inBuf);
+
+ // verify NTLMSSP signature
+ if (memcmp(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) != 0) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ cursor += sizeof(NTLM_SIGNATURE);
+
+ // verify Type-2 marker
+ if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ cursor += sizeof(NTLM_TYPE2_MARKER);
+
+ // Read target name security buffer: ...
+ // ... read target length.
+ uint32_t targetLen = ReadUint16(cursor);
+ // ... skip next 16-bit "allocated space" value.
+ ReadUint16(cursor);
+ // ... read offset from inBuf.
+ uint32_t offset = ReadUint32(cursor);
+ mozilla::CheckedInt<uint32_t> targetEnd = offset;
+ targetEnd += targetLen;
+ // Check the offset / length combo is in range of the input buffer, including
+ // integer overflow checking.
+ if (MOZ_LIKELY(targetEnd.isValid() && targetEnd.value() <= inLen)) {
+ msg->targetLen = targetLen;
+ msg->target = static_cast<const uint8_t*>(inBuf) + offset;
+ } else {
+ // Do not error out, for (conservative) backward compatibility.
+ msg->targetLen = 0;
+ msg->target = nullptr;
+ }
+
+ // read flags
+ msg->flags = ReadUint32(cursor);
+
+ // read challenge
+ memcpy(msg->challenge, cursor, sizeof(msg->challenge));
+ cursor += sizeof(msg->challenge);
+
+ LOG(("NTLM type 2 message:\n"));
+ LogBuf("target", msg->target, msg->targetLen);
+ LogBuf("flags",
+ mozilla::BitwiseCast<const uint8_t*, const uint32_t*>(&msg->flags), 4);
+ LogFlags(msg->flags);
+ LogBuf("challenge", msg->challenge, sizeof(msg->challenge));
+
+ // Read (and skip) the reserved field
+ ReadUint32(cursor);
+ ReadUint32(cursor);
+ // Read target name security buffer: ...
+ // ... read target length.
+ uint32_t targetInfoLen = ReadUint16(cursor);
+ // ... skip next 16-bit "allocated space" value.
+ ReadUint16(cursor);
+ // ... read offset from inBuf.
+ offset = ReadUint32(cursor);
+ mozilla::CheckedInt<uint32_t> targetInfoEnd = offset;
+ targetInfoEnd += targetInfoLen;
+ // Check the offset / length combo is in range of the input buffer, including
+ // integer overflow checking.
+ if (MOZ_LIKELY(targetInfoEnd.isValid() && targetInfoEnd.value() <= inLen)) {
+ msg->targetInfoLen = targetInfoLen;
+ msg->targetInfo = static_cast<const uint8_t*>(inBuf) + offset;
+ } else {
+ NS_ERROR("failed to get NTLMv2 target info");
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ return NS_OK;
+}
+
+static nsresult GenerateType3Msg(const nsString& domain,
+ const nsString& username,
+ const nsString& password, const void* inBuf,
+ uint32_t inLen, void** outBuf,
+ uint32_t* outLen) {
+ // inBuf contains Type-2 msg (the challenge) from server
+ MOZ_ASSERT(NS_IsMainThread());
+ nsresult rv;
+ Type2Msg msg{};
+
+ rv = ParseType2Msg(inBuf, inLen, &msg);
+ if (NS_FAILED(rv)) return rv;
+
+ bool unicode = (msg.flags & NTLM_NegotiateUnicode);
+
+ // There is no negotiation for NTLMv2, so we just do it unless we are forced
+ // by explict user configuration to use the older DES-based cryptography.
+ bool ntlmv2 = !mozilla::StaticPrefs::network_auth_force_generic_ntlm_v1();
+
+ // temporary buffers for unicode strings
+#ifdef IS_BIG_ENDIAN
+ nsAutoString ucsDomainBuf, ucsUserBuf;
+#endif
+ nsAutoCString hostBuf;
+ nsAutoString ucsHostBuf;
+ // temporary buffers for oem strings
+ nsAutoCString oemDomainBuf, oemUserBuf, oemHostBuf;
+ // pointers and lengths for the string buffers; encoding is unicode if
+ // the "negotiate unicode" flag was set in the Type-2 message.
+ const void *domainPtr, *userPtr, *hostPtr;
+ uint32_t domainLen, userLen, hostLen;
+
+ // This is for NTLM, for NTLMv2 we set the new full length once we know it
+ mozilla::CheckedInt<uint16_t> ntlmRespLen = NTLM_RESP_LEN;
+
+ //
+ // get domain name
+ //
+ if (unicode) {
+#ifdef IS_BIG_ENDIAN
+ ucsDomainBuf = domain;
+ domainPtr = ucsDomainBuf.get();
+ domainLen = ucsDomainBuf.Length() * 2;
+ WriteUnicodeLE(const_cast<void*>(domainPtr),
+ static_cast<const char16_t*>(domainPtr),
+ ucsDomainBuf.Length());
+#else
+ domainPtr = domain.get();
+ domainLen = domain.Length() * 2;
+#endif
+ } else {
+ NS_CopyUnicodeToNative(domain, oemDomainBuf);
+ domainPtr = oemDomainBuf.get();
+ domainLen = oemDomainBuf.Length();
+ }
+
+ //
+ // get user name
+ //
+ if (unicode) {
+#ifdef IS_BIG_ENDIAN
+ ucsUserBuf = username;
+ userPtr = ucsUserBuf.get();
+ userLen = ucsUserBuf.Length() * 2;
+ WriteUnicodeLE(const_cast<void*>(userPtr),
+ static_cast<const char16_t*>(userPtr), ucsUserBuf.Length());
+#else
+ userPtr = username.get();
+ userLen = username.Length() * 2;
+#endif
+ } else {
+ NS_CopyUnicodeToNative(username, oemUserBuf);
+ userPtr = oemUserBuf.get();
+ userLen = oemUserBuf.Length();
+ }
+
+ //
+ // get workstation name
+ // (do not use local machine's hostname after bug 1046421)
+ //
+ rv = mozilla::Preferences::GetCString("network.generic-ntlm-auth.workstation",
+ hostBuf);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (unicode) {
+ CopyUTF8toUTF16(hostBuf, ucsHostBuf);
+ hostPtr = ucsHostBuf.get();
+ hostLen = ucsHostBuf.Length() * 2;
+#ifdef IS_BIG_ENDIAN
+ WriteUnicodeLE(const_cast<void*>(hostPtr),
+ static_cast<const char16_t*>(hostPtr), ucsHostBuf.Length());
+#endif
+ } else {
+ hostPtr = hostBuf.get();
+ hostLen = hostBuf.Length();
+ }
+
+ //
+ // now that we have generated all of the strings, we can allocate outBuf.
+ //
+ //
+ // next, we compute the NTLM or NTLM2 responses.
+ //
+ uint8_t lmResp[LM_RESP_LEN];
+ uint8_t ntlmResp[NTLM_RESP_LEN];
+ uint8_t ntlmv2Resp[NTLMv2_RESP_LEN];
+ uint8_t ntlmHash[NTLM_HASH_LEN];
+ uint8_t ntlmv2_blob1[NTLMv2_BLOB1_LEN];
+ if (ntlmv2) {
+ // NTLMv2 mode, the default
+ nsString userUpper, domainUpper;
+
+ // temporary buffers for unicode strings
+ nsAutoString ucsDomainUpperBuf;
+ nsAutoString ucsUserUpperBuf;
+ const void* domainUpperPtr;
+ const void* userUpperPtr;
+ uint32_t domainUpperLen;
+ uint32_t userUpperLen;
+
+ if (msg.targetInfoLen == 0) {
+ NS_ERROR("failed to get NTLMv2 target info, can not do NTLMv2");
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ ToUpperCase(username, ucsUserUpperBuf);
+ userUpperPtr = ucsUserUpperBuf.get();
+ userUpperLen = ucsUserUpperBuf.Length() * 2;
+#ifdef IS_BIG_ENDIAN
+ WriteUnicodeLE(const_cast<void*>(userUpperPtr),
+ static_cast<const char16_t*>(userUpperPtr),
+ ucsUserUpperBuf.Length());
+#endif
+ ToUpperCase(domain, ucsDomainUpperBuf);
+ domainUpperPtr = ucsDomainUpperBuf.get();
+ domainUpperLen = ucsDomainUpperBuf.Length() * 2;
+#ifdef IS_BIG_ENDIAN
+ WriteUnicodeLE(const_cast<void*>(domainUpperPtr),
+ static_cast<const char16_t*>(domainUpperPtr),
+ ucsDomainUpperBuf.Length());
+#endif
+
+ NTLM_Hash(password, ntlmHash);
+
+ mozilla::HMAC ntlmv2HashHmac;
+ rv = ntlmv2HashHmac.Begin(SEC_OID_MD5,
+ mozilla::Span(ntlmHash, NTLM_HASH_LEN));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = ntlmv2HashHmac.Update(static_cast<const uint8_t*>(userUpperPtr),
+ userUpperLen);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = ntlmv2HashHmac.Update(static_cast<const uint8_t*>(domainUpperPtr),
+ domainUpperLen);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsTArray<uint8_t> ntlmv2Hash;
+ rv = ntlmv2HashHmac.End(ntlmv2Hash);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ uint8_t client_random[NTLM_CHAL_LEN];
+ PK11_GenerateRandom(client_random, NTLM_CHAL_LEN);
+
+ mozilla::HMAC lmv2ResponseHmac;
+ rv = lmv2ResponseHmac.Begin(SEC_OID_MD5, mozilla::Span(ntlmv2Hash));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = lmv2ResponseHmac.Update(msg.challenge, NTLM_CHAL_LEN);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = lmv2ResponseHmac.Update(client_random, NTLM_CHAL_LEN);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsTArray<uint8_t> lmv2Response;
+ rv = lmv2ResponseHmac.End(lmv2Response);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (lmv2Response.Length() != NTLMv2_HASH_LEN) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ memcpy(lmResp, lmv2Response.Elements(), NTLMv2_HASH_LEN);
+ memcpy(lmResp + NTLMv2_HASH_LEN, client_random, NTLM_CHAL_LEN);
+
+ memset(ntlmv2_blob1, 0, NTLMv2_BLOB1_LEN);
+
+ time_t unix_time;
+ uint64_t nt_time = time(&unix_time);
+ nt_time += 11644473600LL; // Number of seconds betwen 1601 and 1970
+ nt_time *= 1000 * 1000 * 10; // Convert seconds to 100 ns units
+
+ ntlmv2_blob1[0] = 1;
+ ntlmv2_blob1[1] = 1;
+ mozilla::LittleEndian::writeUint64(&ntlmv2_blob1[8], nt_time);
+ PK11_GenerateRandom(&ntlmv2_blob1[16], NTLM_CHAL_LEN);
+
+ mozilla::HMAC ntlmv2ResponseHmac;
+ rv = ntlmv2ResponseHmac.Begin(SEC_OID_MD5, mozilla::Span(ntlmv2Hash));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = ntlmv2ResponseHmac.Update(msg.challenge, NTLM_CHAL_LEN);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = ntlmv2ResponseHmac.Update(ntlmv2_blob1, NTLMv2_BLOB1_LEN);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = ntlmv2ResponseHmac.Update(msg.targetInfo, msg.targetInfoLen);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsTArray<uint8_t> ntlmv2Response;
+ rv = ntlmv2ResponseHmac.End(ntlmv2Response);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (ntlmv2Response.Length() != NTLMv2_RESP_LEN) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ memcpy(ntlmv2Resp, ntlmv2Response.Elements(), NTLMv2_RESP_LEN);
+ ntlmRespLen = NTLMv2_RESP_LEN + NTLMv2_BLOB1_LEN;
+ ntlmRespLen += msg.targetInfoLen;
+ if (!ntlmRespLen.isValid()) {
+ NS_ERROR("failed to do NTLMv2: integer overflow?!?");
+ return NS_ERROR_UNEXPECTED;
+ }
+ } else if (msg.flags & NTLM_NegotiateNTLM2Key) {
+ // compute NTLM2 session response
+ nsCString sessionHashString;
+
+ PK11_GenerateRandom(lmResp, NTLM_CHAL_LEN);
+ memset(lmResp + NTLM_CHAL_LEN, 0, LM_RESP_LEN - NTLM_CHAL_LEN);
+
+ nsCOMPtr<nsICryptoHash> hasher =
+ do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = hasher->Init(nsICryptoHash::MD5);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = hasher->Update(msg.challenge, NTLM_CHAL_LEN);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = hasher->Update(lmResp, NTLM_CHAL_LEN);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ rv = hasher->Finish(false, sessionHashString);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ const auto* sessionHash = mozilla::BitwiseCast<const uint8_t*, const char*>(
+ sessionHashString.get());
+
+ LogBuf("NTLM2 effective key: ", sessionHash, 8);
+
+ NTLM_Hash(password, ntlmHash);
+ LM_Response(ntlmHash, sessionHash, ntlmResp);
+ } else {
+ NTLM_Hash(password, ntlmHash);
+ LM_Response(ntlmHash, msg.challenge, ntlmResp);
+
+ // According to http://davenport.sourceforge.net/ntlm.html#ntlmVersion2,
+ // the correct way to not send the LM hash is to send the NTLM hash twice
+ // in both the LM and NTLM response fields.
+ LM_Response(ntlmHash, msg.challenge, lmResp);
+ }
+
+ mozilla::CheckedInt<uint32_t> totalLen = NTLM_TYPE3_HEADER_LEN + LM_RESP_LEN;
+ totalLen += hostLen;
+ totalLen += domainLen;
+ totalLen += userLen;
+ totalLen += ntlmRespLen.value();
+
+ if (!totalLen.isValid()) {
+ NS_ERROR("failed preparing to allocate NTLM response: integer overflow?!?");
+ return NS_ERROR_FAILURE;
+ }
+ *outBuf = moz_xmalloc(totalLen.value());
+ *outLen = totalLen.value();
+
+ //
+ // finally, we assemble the Type-3 msg :-)
+ //
+ void* cursor = *outBuf;
+ mozilla::CheckedInt<uint32_t> offset;
+
+ // 0 : signature
+ cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE));
+
+ // 8 : marker
+ cursor = WriteBytes(cursor, NTLM_TYPE3_MARKER, sizeof(NTLM_TYPE3_MARKER));
+
+ // 12 : LM response sec buf
+ offset = NTLM_TYPE3_HEADER_LEN;
+ offset += domainLen;
+ offset += userLen;
+ offset += hostLen;
+ if (!offset.isValid()) {
+ NS_ERROR("failed preparing to write NTLM response: integer overflow?!?");
+ return NS_ERROR_UNEXPECTED;
+ }
+ cursor = WriteSecBuf(cursor, LM_RESP_LEN, offset.value());
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), lmResp, LM_RESP_LEN);
+
+ // 20 : NTLM or NTLMv2 response sec buf
+ offset += LM_RESP_LEN;
+ if (!offset.isValid()) {
+ NS_ERROR("failed preparing to write NTLM response: integer overflow?!?");
+ return NS_ERROR_UNEXPECTED;
+ }
+ cursor = WriteSecBuf(cursor, ntlmRespLen.value(), offset.value());
+ if (ntlmv2) {
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), ntlmv2Resp,
+ NTLMv2_RESP_LEN);
+ offset += NTLMv2_RESP_LEN;
+ if (!offset.isValid()) {
+ NS_ERROR("failed preparing to write NTLM response: integer overflow?!?");
+ return NS_ERROR_UNEXPECTED;
+ }
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), ntlmv2_blob1,
+ NTLMv2_BLOB1_LEN);
+ offset += NTLMv2_BLOB1_LEN;
+ if (!offset.isValid()) {
+ NS_ERROR("failed preparing to write NTLM response: integer overflow?!?");
+ return NS_ERROR_UNEXPECTED;
+ }
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), msg.targetInfo,
+ msg.targetInfoLen);
+ } else {
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), ntlmResp,
+ NTLM_RESP_LEN);
+ }
+ // 28 : domain name sec buf
+ offset = NTLM_TYPE3_HEADER_LEN;
+ cursor = WriteSecBuf(cursor, domainLen, offset.value());
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), domainPtr, domainLen);
+
+ // 36 : user name sec buf
+ offset += domainLen;
+ if (!offset.isValid()) {
+ NS_ERROR("failed preparing to write NTLM response: integer overflow?!?");
+ return NS_ERROR_UNEXPECTED;
+ }
+ cursor = WriteSecBuf(cursor, userLen, offset.value());
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), userPtr, userLen);
+
+ // 44 : workstation (host) name sec buf
+ offset += userLen;
+ if (!offset.isValid()) {
+ NS_ERROR("failed preparing to write NTLM response: integer overflow?!?");
+ return NS_ERROR_UNEXPECTED;
+ }
+ cursor = WriteSecBuf(cursor, hostLen, offset.value());
+ memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), hostPtr, hostLen);
+
+ // 52 : session key sec buf (not used)
+ cursor = WriteSecBuf(cursor, 0, 0);
+
+ // 60 : negotiated flags
+ cursor = WriteDWORD(cursor, msg.flags & NTLM_TYPE1_FLAGS);
+
+ return NS_OK;
+}
+
+//-----------------------------------------------------------------------------
+
+NS_IMPL_ISUPPORTS(nsNTLMAuthModule, nsIAuthModule)
+
+nsNTLMAuthModule::~nsNTLMAuthModule() { ZapString(mPassword); }
+
+nsresult nsNTLMAuthModule::InitTest() {
+ // disable NTLM authentication when FIPS mode is enabled.
+ return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
+}
+
+NS_IMETHODIMP
+nsNTLMAuthModule::Init(const nsACString& serviceName, uint32_t serviceFlags,
+ const nsAString& domain, const nsAString& username,
+ const nsAString& password) {
+ MOZ_ASSERT((serviceFlags & ~nsIAuthModule::REQ_PROXY_AUTH) ==
+ nsIAuthModule::REQ_DEFAULT,
+ "Unexpected service flags");
+
+ mDomain = domain;
+ mUsername = username;
+ mPassword = password;
+ mNTLMNegotiateSent = false;
+
+ static bool sTelemetrySent = false;
+ if (!sTelemetrySent) {
+ mozilla::Telemetry::Accumulate(mozilla::Telemetry::NTLM_MODULE_USED_2,
+ serviceFlags & nsIAuthModule::REQ_PROXY_AUTH
+ ? NTLM_MODULE_GENERIC_PROXY
+ : NTLM_MODULE_GENERIC_DIRECT);
+ sTelemetrySent = true;
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNTLMAuthModule::GetNextToken(const void* inToken, uint32_t inTokenLen,
+ void** outToken, uint32_t* outTokenLen) {
+ nsresult rv;
+
+ // disable NTLM authentication when FIPS mode is enabled.
+ if (PK11_IsFIPS()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ if (mNTLMNegotiateSent) {
+ // if inToken is non-null, and we have sent the NTLMSSP_NEGOTIATE (type 1),
+ // then the NTLMSSP_CHALLENGE (type 2) is expected
+ if (inToken) {
+ LogToken("in-token", inToken, inTokenLen);
+ // Now generate the NTLMSSP_AUTH (type 3)
+ rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken, inTokenLen,
+ outToken, outTokenLen);
+ } else {
+ LOG(
+ ("NTLMSSP_NEGOTIATE already sent and presumably "
+ "rejected by the server, refusing to send another"));
+ rv = NS_ERROR_UNEXPECTED;
+ }
+ } else {
+ if (inToken) {
+ LOG(("NTLMSSP_NEGOTIATE not sent but NTLM reply already received?!?"));
+ rv = NS_ERROR_UNEXPECTED;
+ } else {
+ rv = GenerateType1Msg(outToken, outTokenLen);
+ if (NS_SUCCEEDED(rv)) {
+ mNTLMNegotiateSent = true;
+ }
+ }
+ }
+
+ if (NS_SUCCEEDED(rv)) LogToken("out-token", *outToken, *outTokenLen);
+
+ return rv;
+}
+
+NS_IMETHODIMP
+nsNTLMAuthModule::Unwrap(const void* inToken, uint32_t inTokenLen,
+ void** outToken, uint32_t* outTokenLen) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNTLMAuthModule::Wrap(const void* inToken, uint32_t inTokenLen,
+ bool confidential, void** outToken,
+ uint32_t* outTokenLen) {
+ return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+//-----------------------------------------------------------------------------
+// DES support code
+
+// set odd parity bit (in least significant bit position)
+static uint8_t des_setkeyparity(uint8_t x) {
+ if ((((x >> 7) ^ (x >> 6) ^ (x >> 5) ^ (x >> 4) ^ (x >> 3) ^ (x >> 2) ^
+ (x >> 1)) &
+ 0x01) == 0) {
+ x |= 0x01;
+ } else {
+ x &= 0xfe;
+ }
+ return x;
+}
+
+// build 64-bit des key from 56-bit raw key
+static void des_makekey(const uint8_t* raw, uint8_t* key) {
+ key[0] = des_setkeyparity(raw[0]);
+ key[1] = des_setkeyparity((raw[0] << 7) | (raw[1] >> 1));
+ key[2] = des_setkeyparity((raw[1] << 6) | (raw[2] >> 2));
+ key[3] = des_setkeyparity((raw[2] << 5) | (raw[3] >> 3));
+ key[4] = des_setkeyparity((raw[3] << 4) | (raw[4] >> 4));
+ key[5] = des_setkeyparity((raw[4] << 3) | (raw[5] >> 5));
+ key[6] = des_setkeyparity((raw[5] << 2) | (raw[6] >> 6));
+ key[7] = des_setkeyparity((raw[6] << 1));
+}
+
+// run des encryption algorithm (using NSS)
+static void des_encrypt(const uint8_t* key, const uint8_t* src, uint8_t* hash) {
+ CK_MECHANISM_TYPE cipherMech = CKM_DES_ECB;
+ PK11SymKey* symkey = nullptr;
+ PK11Context* ctxt = nullptr;
+ SECItem keyItem;
+ mozilla::UniqueSECItem param;
+ SECStatus rv;
+ unsigned int n;
+
+ mozilla::UniquePK11SlotInfo slot(PK11_GetBestSlot(cipherMech, nullptr));
+ if (!slot) {
+ NS_ERROR("no slot");
+ goto done;
+ }
+
+ keyItem.data = const_cast<uint8_t*>(key);
+ keyItem.len = 8;
+ symkey = PK11_ImportSymKey(slot.get(), cipherMech, PK11_OriginUnwrap,
+ CKA_ENCRYPT, &keyItem, nullptr);
+ if (!symkey) {
+ NS_ERROR("no symkey");
+ goto done;
+ }
+
+ // no initialization vector required
+ param = mozilla::UniqueSECItem(PK11_ParamFromIV(cipherMech, nullptr));
+ if (!param) {
+ NS_ERROR("no param");
+ goto done;
+ }
+
+ ctxt =
+ PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, symkey, param.get());
+ if (!ctxt) {
+ NS_ERROR("no context");
+ goto done;
+ }
+
+ rv = PK11_CipherOp(ctxt, hash, (int*)&n, 8, (uint8_t*)src, 8);
+ if (rv != SECSuccess) {
+ NS_ERROR("des failure");
+ goto done;
+ }
+
+ rv = PK11_DigestFinal(ctxt, hash + 8, &n, 0);
+ if (rv != SECSuccess) {
+ NS_ERROR("des failure");
+ goto done;
+ }
+
+done:
+ if (ctxt) PK11_DestroyContext(ctxt, true);
+ if (symkey) PK11_FreeSymKey(symkey);
+}
diff --git a/security/manager/ssl/nsNTLMAuthModule.h b/security/manager/ssl/nsNTLMAuthModule.h
new file mode 100644
index 0000000000..25a96a09d8
--- /dev/null
+++ b/security/manager/ssl/nsNTLMAuthModule.h
@@ -0,0 +1,33 @@
+/* vim:set ts=2 sw=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNTLMAuthModule_h__
+#define nsNTLMAuthModule_h__
+
+#include "nsIAuthModule.h"
+#include "nsString.h"
+
+class nsNTLMAuthModule : public nsIAuthModule {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIAUTHMODULE
+
+ nsNTLMAuthModule() : mNTLMNegotiateSent(false) {}
+
+ nsresult InitTest();
+
+ static void SetSendLM(bool sendLM);
+
+ protected:
+ virtual ~nsNTLMAuthModule();
+
+ private:
+ nsString mDomain;
+ nsString mUsername;
+ nsString mPassword;
+ bool mNTLMNegotiateSent;
+};
+
+#endif // nsNTLMAuthModule_h__
diff --git a/security/manager/ssl/nsPK11TokenDB.cpp b/security/manager/ssl/nsPK11TokenDB.cpp
new file mode 100644
index 0000000000..d13f39fc18
--- /dev/null
+++ b/security/manager/ssl/nsPK11TokenDB.cpp
@@ -0,0 +1,287 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "nsPK11TokenDB.h"
+
+#include <string.h>
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Unused.h"
+#include "mozilla/Logging.h"
+#include "nsISupports.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSComponent.h"
+#include "nsPromiseFlatString.h"
+#include "nsReadableUtils.h"
+#include "nsServiceManagerUtils.h"
+#include "prerror.h"
+#include "secerr.h"
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+NS_IMPL_ISUPPORTS(nsPK11Token, nsIPK11Token)
+
+nsPK11Token::nsPK11Token(PK11SlotInfo* slot) : mUIContext(new PipUIContext()) {
+ MOZ_ASSERT(slot);
+ mSlot.reset(PK11_ReferenceSlot(slot));
+ mIsInternalCryptoToken =
+ PK11_IsInternal(mSlot.get()) && !PK11_IsInternalKeySlot(mSlot.get());
+ mIsInternalKeyToken = PK11_IsInternalKeySlot(mSlot.get());
+ mSeries = PK11_GetSlotSeries(slot);
+ mozilla::Unused << refreshTokenInfo();
+}
+
+nsresult nsPK11Token::refreshTokenInfo() {
+ if (mIsInternalCryptoToken) {
+ nsresult rv;
+ if (PK11_IsFIPS()) {
+ rv = GetPIPNSSBundleString("Fips140TokenDescription", mTokenName);
+ } else {
+ rv = GetPIPNSSBundleString("TokenDescription", mTokenName);
+ }
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ } else if (mIsInternalKeyToken) {
+ nsresult rv = GetPIPNSSBundleString("PrivateTokenDescription", mTokenName);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ } else {
+ mTokenName.Assign(PK11_GetTokenName(mSlot.get()));
+ }
+
+ CK_TOKEN_INFO tokInfo;
+ nsresult rv = mozilla::MapSECStatus(PK11_GetTokenInfo(mSlot.get(), &tokInfo));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Set the Manufacturer field
+ if (mIsInternalCryptoToken || mIsInternalKeyToken) {
+ rv = GetPIPNSSBundleString("ManufacturerID", mTokenManufacturerID);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ } else {
+ const char* ccManID =
+ mozilla::BitwiseCast<char*, CK_UTF8CHAR*>(tokInfo.manufacturerID);
+ mTokenManufacturerID.Assign(
+ ccManID, strnlen(ccManID, sizeof(tokInfo.manufacturerID)));
+ mTokenManufacturerID.Trim(" ", false, true);
+ }
+
+ // Set the Hardware Version field
+ mTokenHWVersion.Truncate();
+ mTokenHWVersion.AppendInt(tokInfo.hardwareVersion.major);
+ mTokenHWVersion.Append('.');
+ mTokenHWVersion.AppendInt(tokInfo.hardwareVersion.minor);
+
+ // Set the Firmware Version field
+ mTokenFWVersion.Truncate();
+ mTokenFWVersion.AppendInt(tokInfo.firmwareVersion.major);
+ mTokenFWVersion.Append('.');
+ mTokenFWVersion.AppendInt(tokInfo.firmwareVersion.minor);
+
+ // Set the Serial Number field
+ const char* ccSerial =
+ mozilla::BitwiseCast<char*, CK_CHAR*>(tokInfo.serialNumber);
+ mTokenSerialNum.Assign(ccSerial,
+ strnlen(ccSerial, sizeof(tokInfo.serialNumber)));
+ mTokenSerialNum.Trim(" ", false, true);
+
+ return NS_OK;
+}
+
+nsresult nsPK11Token::GetAttributeHelper(const nsACString& attribute,
+ /*out*/ nsACString& xpcomOutParam) {
+ // Handle removals/insertions.
+ if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
+ nsresult rv = refreshTokenInfo();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ xpcomOutParam = attribute;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetTokenName(/*out*/ nsACString& tokenName) {
+ return GetAttributeHelper(mTokenName, tokenName);
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetIsInternalKeyToken(/*out*/ bool* _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ *_retval = mIsInternalKeyToken;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetTokenManID(/*out*/ nsACString& tokenManufacturerID) {
+ return GetAttributeHelper(mTokenManufacturerID, tokenManufacturerID);
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetTokenHWVersion(/*out*/ nsACString& tokenHWVersion) {
+ return GetAttributeHelper(mTokenHWVersion, tokenHWVersion);
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetTokenFWVersion(/*out*/ nsACString& tokenFWVersion) {
+ return GetAttributeHelper(mTokenFWVersion, tokenFWVersion);
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetTokenSerialNumber(/*out*/ nsACString& tokenSerialNum) {
+ return GetAttributeHelper(mTokenSerialNum, tokenSerialNum);
+}
+
+NS_IMETHODIMP
+nsPK11Token::IsLoggedIn(bool* _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ *_retval = PK11_IsLoggedIn(mSlot.get(), 0);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPK11Token::Login(bool force) {
+ nsresult rv;
+ bool test;
+ rv = this->NeedsLogin(&test);
+ if (NS_FAILED(rv)) return rv;
+ if (test && force) {
+ rv = this->LogoutSimple();
+ if (NS_FAILED(rv)) return rv;
+ }
+ rv = setPassword(mSlot.get(), mUIContext);
+ if (NS_FAILED(rv)) return rv;
+
+ return mozilla::MapSECStatus(
+ PK11_Authenticate(mSlot.get(), true, mUIContext));
+}
+
+NS_IMETHODIMP
+nsPK11Token::LogoutSimple() {
+ // PK11_Logout() can fail if the user wasn't logged in beforehand. We want
+ // this method to succeed even in this case, so we ignore the return value.
+ mozilla::Unused << PK11_Logout(mSlot.get());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPK11Token::LogoutAndDropAuthenticatedResources() {
+ static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
+
+ nsresult rv = LogoutSimple();
+
+ if (NS_FAILED(rv)) return rv;
+
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
+ if (NS_FAILED(rv)) return rv;
+
+ return nssComponent->LogoutAuthenticatedPK11();
+}
+
+NS_IMETHODIMP
+nsPK11Token::Reset() {
+ return mozilla::MapSECStatus(PK11_ResetToken(mSlot.get(), nullptr));
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit) {
+ NS_ENSURE_ARG_POINTER(aNeedsUserInit);
+ *aNeedsUserInit = PK11_NeedUserInit(mSlot.get());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPK11Token::CheckPassword(const nsACString& password, bool* _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ SECStatus srv =
+ PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get());
+ if (srv != SECSuccess) {
+ *_retval = false;
+ PRErrorCode error = PR_GetError();
+ if (error != SEC_ERROR_BAD_PASSWORD) {
+ /* something really bad happened - throw an exception */
+ return mozilla::psm::GetXPCOMFromNSSError(error);
+ }
+ } else {
+ *_retval = true;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPK11Token::InitPassword(const nsACString& initialPassword) {
+ const nsCString& passwordCStr = PromiseFlatCString(initialPassword);
+ // PSM initializes the sqlite-backed softoken with an empty password. The
+ // implementation considers this not to be a password (GetHasPassword returns
+ // false), but we can't actually call PK11_InitPin again. Instead, we call
+ // PK11_ChangePW with the empty password.
+ bool hasPassword;
+ nsresult rv = GetHasPassword(&hasPassword);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!PK11_NeedUserInit(mSlot.get()) && !hasPassword) {
+ return mozilla::MapSECStatus(
+ PK11_ChangePW(mSlot.get(), "", passwordCStr.get()));
+ }
+ return mozilla::MapSECStatus(
+ PK11_InitPin(mSlot.get(), "", passwordCStr.get()));
+}
+
+NS_IMETHODIMP
+nsPK11Token::ChangePassword(const nsACString& oldPassword,
+ const nsACString& newPassword) {
+ // PK11_ChangePW() has different semantics for the empty string and for
+ // nullptr. In order to support this difference, we need to check IsVoid() to
+ // find out if our caller supplied null/undefined args or just empty strings.
+ // See Bug 447589.
+ return mozilla::MapSECStatus(PK11_ChangePW(
+ mSlot.get(),
+ oldPassword.IsVoid() ? nullptr : PromiseFlatCString(oldPassword).get(),
+ newPassword.IsVoid() ? nullptr : PromiseFlatCString(newPassword).get()));
+}
+
+NS_IMETHODIMP
+nsPK11Token::GetHasPassword(bool* hasPassword) {
+ NS_ENSURE_ARG_POINTER(hasPassword);
+ // PK11_NeedLogin returns true if the token is currently configured to require
+ // the user to log in (whether or not the user is actually logged in makes no
+ // difference).
+ *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get());
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPK11Token::NeedsLogin(bool* _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ *_retval = PK11_NeedLogin(mSlot.get());
+ return NS_OK;
+}
+
+/*=========================================================*/
+
+NS_IMPL_ISUPPORTS(nsPK11TokenDB, nsIPK11TokenDB)
+
+NS_IMETHODIMP
+nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ mozilla::UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get());
+ token.forget(_retval);
+
+ return NS_OK;
+}
diff --git a/security/manager/ssl/nsPK11TokenDB.h b/security/manager/ssl/nsPK11TokenDB.h
new file mode 100644
index 0000000000..36f54354ad
--- /dev/null
+++ b/security/manager/ssl/nsPK11TokenDB.h
@@ -0,0 +1,67 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsPK11TokenDB_h
+#define nsPK11TokenDB_h
+
+#include "nsCOMPtr.h"
+#include "nsIPK11Token.h"
+#include "nsIPK11TokenDB.h"
+#include "nsISupports.h"
+#include "nsNSSHelper.h"
+#include "nsString.h"
+#include "pk11func.h"
+#include "ScopedNSSTypes.h"
+
+class nsPK11Token : public nsIPK11Token {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIPK11TOKEN
+
+ explicit nsPK11Token(PK11SlotInfo* slot);
+
+ protected:
+ virtual ~nsPK11Token() = default;
+
+ private:
+ friend class nsPK11TokenDB;
+ nsresult refreshTokenInfo();
+
+ nsCString mTokenName;
+ nsCString mTokenManufacturerID;
+ nsCString mTokenHWVersion;
+ nsCString mTokenFWVersion;
+ nsCString mTokenSerialNum;
+ mozilla::UniquePK11SlotInfo mSlot;
+ // True if this is the "PKCS#11 token" that provides cryptographic functions.
+ bool mIsInternalCryptoToken;
+ // True if this is the "PKCS#11 token" where private keys are stored.
+ bool mIsInternalKeyToken;
+ int mSeries;
+ nsCOMPtr<nsIInterfaceRequestor> mUIContext;
+ nsresult GetAttributeHelper(const nsACString& attribute,
+ /*out*/ nsACString& xpcomOutParam);
+};
+
+class nsPK11TokenDB : public nsIPK11TokenDB {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIPK11TOKENDB
+
+ nsPK11TokenDB() = default;
+
+ protected:
+ virtual ~nsPK11TokenDB() = default;
+};
+
+#define NS_PK11TOKENDB_CID \
+ { \
+ 0xb084a2ce, 0x1dd1, 0x11b2, { \
+ 0xbf, 0x10, 0x83, 0x24, 0xf8, 0xe0, 0x65, 0xcc \
+ } \
+ }
+
+#endif // nsPK11TokenDB_h
diff --git a/security/manager/ssl/nsPKCS11Slot.cpp b/security/manager/ssl/nsPKCS11Slot.cpp
new file mode 100644
index 0000000000..130e79033d
--- /dev/null
+++ b/security/manager/ssl/nsPKCS11Slot.cpp
@@ -0,0 +1,277 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsPKCS11Slot.h"
+
+#include <string.h>
+
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/Unused.h"
+#include "nsCOMPtr.h"
+#include "nsIMutableArray.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSComponent.h"
+#include "nsPK11TokenDB.h"
+#include "nsPromiseFlatString.h"
+#include "nsComponentManagerUtils.h"
+#include "secmod.h"
+
+using mozilla::LogLevel;
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+NS_IMPL_ISUPPORTS(nsPKCS11Slot, nsIPKCS11Slot)
+
+nsPKCS11Slot::nsPKCS11Slot(PK11SlotInfo* slot) {
+ MOZ_ASSERT(slot);
+ mSlot.reset(PK11_ReferenceSlot(slot));
+ mIsInternalCryptoSlot =
+ PK11_IsInternal(mSlot.get()) && !PK11_IsInternalKeySlot(mSlot.get());
+ mIsInternalKeySlot = PK11_IsInternalKeySlot(mSlot.get());
+ mSeries = PK11_GetSlotSeries(slot);
+ mozilla::Unused << refreshSlotInfo();
+}
+
+nsresult nsPKCS11Slot::refreshSlotInfo() {
+ CK_SLOT_INFO slotInfo;
+ nsresult rv = mozilla::MapSECStatus(PK11_GetSlotInfo(mSlot.get(), &slotInfo));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Set the Description field
+ if (mIsInternalCryptoSlot) {
+ nsresult rv;
+ if (PK11_IsFIPS()) {
+ rv = GetPIPNSSBundleString("Fips140SlotDescription", mSlotDesc);
+ } else {
+ rv = GetPIPNSSBundleString("SlotDescription", mSlotDesc);
+ }
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ } else if (mIsInternalKeySlot) {
+ rv = GetPIPNSSBundleString("PrivateSlotDescription", mSlotDesc);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ } else {
+ const char* ccDesc =
+ mozilla::BitwiseCast<char*, CK_UTF8CHAR*>(slotInfo.slotDescription);
+ mSlotDesc.Assign(ccDesc, strnlen(ccDesc, sizeof(slotInfo.slotDescription)));
+ mSlotDesc.Trim(" ", false, true);
+ }
+
+ // Set the Manufacturer field
+ if (mIsInternalCryptoSlot || mIsInternalKeySlot) {
+ rv = GetPIPNSSBundleString("ManufacturerID", mSlotManufacturerID);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ } else {
+ const char* ccManID =
+ mozilla::BitwiseCast<char*, CK_UTF8CHAR*>(slotInfo.manufacturerID);
+ mSlotManufacturerID.Assign(
+ ccManID, strnlen(ccManID, sizeof(slotInfo.manufacturerID)));
+ mSlotManufacturerID.Trim(" ", false, true);
+ }
+
+ // Set the Hardware Version field
+ mSlotHWVersion.Truncate();
+ mSlotHWVersion.AppendInt(slotInfo.hardwareVersion.major);
+ mSlotHWVersion.Append('.');
+ mSlotHWVersion.AppendInt(slotInfo.hardwareVersion.minor);
+
+ // Set the Firmware Version field
+ mSlotFWVersion.Truncate();
+ mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.major);
+ mSlotFWVersion.Append('.');
+ mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.minor);
+
+ return NS_OK;
+}
+
+nsresult nsPKCS11Slot::GetAttributeHelper(const nsACString& attribute,
+ /*out*/ nsACString& xpcomOutParam) {
+ if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
+ nsresult rv = refreshSlotInfo();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ xpcomOutParam = attribute;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetName(/*out*/ nsACString& name) {
+ if (mIsInternalCryptoSlot) {
+ if (PK11_IsFIPS()) {
+ return GetPIPNSSBundleString("Fips140TokenDescription", name);
+ }
+ return GetPIPNSSBundleString("TokenDescription", name);
+ }
+ if (mIsInternalKeySlot) {
+ return GetPIPNSSBundleString("PrivateTokenDescription", name);
+ }
+ name.Assign(PK11_GetSlotName(mSlot.get()));
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetDesc(/*out*/ nsACString& desc) {
+ return GetAttributeHelper(mSlotDesc, desc);
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetManID(/*out*/ nsACString& manufacturerID) {
+ return GetAttributeHelper(mSlotManufacturerID, manufacturerID);
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetHWVersion(/*out*/ nsACString& hwVersion) {
+ return GetAttributeHelper(mSlotHWVersion, hwVersion);
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetFWVersion(/*out*/ nsACString& fwVersion) {
+ return GetAttributeHelper(mSlotFWVersion, fwVersion);
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetToken(nsIPK11Token** _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ nsCOMPtr<nsIPK11Token> token = new nsPK11Token(mSlot.get());
+ token.forget(_retval);
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetTokenName(/*out*/ nsACString& tokenName) {
+ if (!PK11_IsPresent(mSlot.get())) {
+ tokenName.SetIsVoid(true);
+ return NS_OK;
+ }
+
+ if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
+ nsresult rv = refreshSlotInfo();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ if (mIsInternalCryptoSlot) {
+ if (PK11_IsFIPS()) {
+ return GetPIPNSSBundleString("Fips140TokenDescription", tokenName);
+ }
+ return GetPIPNSSBundleString("TokenDescription", tokenName);
+ }
+ if (mIsInternalKeySlot) {
+ return GetPIPNSSBundleString("PrivateTokenDescription", tokenName);
+ }
+
+ tokenName.Assign(PK11_GetTokenName(mSlot.get()));
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPKCS11Slot::GetStatus(uint32_t* _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+ if (PK11_IsDisabled(mSlot.get())) {
+ *_retval = SLOT_DISABLED;
+ } else if (!PK11_IsPresent(mSlot.get())) {
+ *_retval = SLOT_NOT_PRESENT;
+ } else if (PK11_NeedLogin(mSlot.get()) && PK11_NeedUserInit(mSlot.get())) {
+ *_retval = SLOT_UNINITIALIZED;
+ } else if (PK11_NeedLogin(mSlot.get()) &&
+ !PK11_IsLoggedIn(mSlot.get(), nullptr)) {
+ *_retval = SLOT_NOT_LOGGED_IN;
+ } else if (PK11_NeedLogin(mSlot.get())) {
+ *_retval = SLOT_LOGGED_IN;
+ } else {
+ *_retval = SLOT_READY;
+ }
+ return NS_OK;
+}
+
+NS_IMPL_ISUPPORTS(nsPKCS11Module, nsIPKCS11Module)
+
+nsPKCS11Module::nsPKCS11Module(SECMODModule* module) {
+ MOZ_ASSERT(module);
+ mModule.reset(SECMOD_ReferenceModule(module));
+}
+
+// Convert the UTF8 internal name of the module to how it should appear to the
+// user. In most cases this involves simply passing back the module's name.
+// However, the builtin roots module has a non-localized name internally that we
+// must map to the localized version when we display it to the user.
+static nsresult NormalizeModuleNameOut(const char* moduleNameIn,
+ nsACString& moduleNameOut) {
+ // Easy case: this isn't the builtin roots module.
+ if (strnlen(moduleNameIn, kRootModuleNameLen + 1) != kRootModuleNameLen ||
+ strncmp(kRootModuleName, moduleNameIn, kRootModuleNameLen) != 0) {
+ moduleNameOut.Assign(moduleNameIn);
+ return NS_OK;
+ }
+
+ nsAutoString localizedRootModuleName;
+ nsresult rv =
+ GetPIPNSSBundleString("RootCertModuleName", localizedRootModuleName);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ moduleNameOut.Assign(NS_ConvertUTF16toUTF8(localizedRootModuleName));
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPKCS11Module::GetName(/*out*/ nsACString& name) {
+ return NormalizeModuleNameOut(mModule->commonName, name);
+}
+
+NS_IMETHODIMP
+nsPKCS11Module::GetLibName(/*out*/ nsACString& libName) {
+ if (mModule->dllName) {
+ libName = mModule->dllName;
+ } else {
+ libName.SetIsVoid(true);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsPKCS11Module::ListSlots(nsISimpleEnumerator** _retval) {
+ NS_ENSURE_ARG_POINTER(_retval);
+
+ nsresult rv = CheckForSmartCardChanges();
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
+ if (!array) {
+ return NS_ERROR_FAILURE;
+ }
+
+ /* applications which allow new slot creation (which Firefox now does
+ * since it uses the WaitForSlotEvent call) need to hold the
+ * ModuleList Read lock to prevent the slot array from changing out
+ * from under it. */
+ mozilla::AutoSECMODListReadLock lock;
+ for (int i = 0; i < mModule->slotCount; i++) {
+ if (mModule->slots[i]) {
+ nsCOMPtr<nsIPKCS11Slot> slot = new nsPKCS11Slot(mModule->slots[i]);
+ rv = array->AppendElement(slot);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+ }
+
+ return array->Enumerate(_retval, NS_GET_IID(nsIPKCS11Slot));
+}
diff --git a/security/manager/ssl/nsPKCS11Slot.h b/security/manager/ssl/nsPKCS11Slot.h
new file mode 100644
index 0000000000..3f532d7064
--- /dev/null
+++ b/security/manager/ssl/nsPKCS11Slot.h
@@ -0,0 +1,58 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsPKCS11Slot_h
+#define nsPKCS11Slot_h
+
+#include "ScopedNSSTypes.h"
+#include "nsIPKCS11Module.h"
+#include "nsIPKCS11Slot.h"
+#include "nsISupports.h"
+#include "nsString.h"
+#include "pk11func.h"
+
+class nsPKCS11Slot : public nsIPKCS11Slot {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIPKCS11SLOT
+
+ explicit nsPKCS11Slot(PK11SlotInfo* slot);
+
+ protected:
+ virtual ~nsPKCS11Slot() = default;
+
+ private:
+ mozilla::UniquePK11SlotInfo mSlot;
+ // True if this is the "PKCS#11 slot" that provides cryptographic functions.
+ bool mIsInternalCryptoSlot;
+ // True if this is the "PKCS#11 slot" where private keys are stored.
+ bool mIsInternalKeySlot;
+ nsCString mSlotDesc;
+ nsCString mSlotManufacturerID;
+ nsCString mSlotHWVersion;
+ nsCString mSlotFWVersion;
+ int mSeries;
+
+ nsresult refreshSlotInfo();
+ nsresult GetAttributeHelper(const nsACString& attribute,
+ /*out*/ nsACString& xpcomOutParam);
+};
+
+class nsPKCS11Module : public nsIPKCS11Module {
+ public:
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIPKCS11MODULE
+
+ explicit nsPKCS11Module(SECMODModule* module);
+
+ protected:
+ virtual ~nsPKCS11Module() = default;
+
+ private:
+ mozilla::UniqueSECMODModule mModule;
+};
+
+#endif // nsPKCS11Slot_h
diff --git a/security/manager/ssl/nsPKCS12Blob.cpp b/security/manager/ssl/nsPKCS12Blob.cpp
new file mode 100644
index 0000000000..2814626cfc
--- /dev/null
+++ b/security/manager/ssl/nsPKCS12Blob.cpp
@@ -0,0 +1,357 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsPKCS12Blob.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/Unused.h"
+#include "mozpkix/pkixtypes.h"
+#include "nsIFile.h"
+#include "nsIInputStream.h"
+#include "nsIX509CertDB.h"
+#include "nsNetUtil.h"
+#include "nsNSSCertHelper.h"
+#include "nsNSSCertificate.h"
+#include "nsNSSHelper.h"
+#include "nsReadableUtils.h"
+#include "nsTArray.h"
+#include "nsThreadUtils.h"
+#include "p12plcy.h"
+#include "ScopedNSSTypes.h"
+#include "secerr.h"
+
+using namespace mozilla;
+extern LazyLogModule gPIPNSSLog;
+
+#define PIP_PKCS12_BUFFER_SIZE 2048
+#define PIP_PKCS12_NOSMARTCARD_EXPORT 4
+#define PIP_PKCS12_RESTORE_FAILED 5
+#define PIP_PKCS12_BACKUP_FAILED 6
+#define PIP_PKCS12_NSS_ERROR 7
+
+nsPKCS12Blob::nsPKCS12Blob() : mUIContext(new PipUIContext()) {}
+
+// Given a file handle, read a PKCS#12 blob from that file, decode it, and
+// import the results into the internal database.
+nsresult nsPKCS12Blob::ImportFromFile(nsIFile* aFile,
+ const nsAString& aPassword,
+ uint32_t& aError) {
+ uint32_t passwordBufferLength;
+ UniquePtr<uint8_t[]> passwordBuffer;
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ return NS_ERROR_FAILURE;
+ }
+
+ passwordBuffer = stringToBigEndianBytes(aPassword, passwordBufferLength);
+
+ // initialize the decoder
+ SECItem unicodePw = {siBuffer, passwordBuffer.get(), passwordBufferLength};
+ UniqueSEC_PKCS12DecoderContext dcx(
+ SEC_PKCS12DecoderStart(&unicodePw, slot.get(), nullptr, nullptr, nullptr,
+ nullptr, nullptr, nullptr));
+ if (!dcx) {
+ return NS_ERROR_FAILURE;
+ }
+ // read input aFile and feed it to the decoder
+ PRErrorCode nssError;
+ nsresult rv = inputToDecoder(dcx, aFile, nssError);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (nssError != 0) {
+ aError = handlePRErrorCode(nssError);
+ return NS_OK;
+ }
+ // verify the blob
+ SECStatus srv = SEC_PKCS12DecoderVerify(dcx.get());
+ if (srv != SECSuccess) {
+ aError = handlePRErrorCode(PR_GetError());
+ return NS_OK;
+ }
+ // validate bags
+ srv = SEC_PKCS12DecoderValidateBags(dcx.get(), nicknameCollision);
+ if (srv != SECSuccess) {
+ aError = handlePRErrorCode(PR_GetError());
+ return NS_OK;
+ }
+ // import cert and key
+ srv = SEC_PKCS12DecoderImportBags(dcx.get());
+ if (srv != SECSuccess) {
+ aError = handlePRErrorCode(PR_GetError());
+ return NS_OK;
+ }
+ aError = nsIX509CertDB::Success;
+ return NS_OK;
+}
+
+static bool isExtractable(UniqueSECKEYPrivateKey& privKey) {
+ ScopedAutoSECItem value;
+ SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey.get(),
+ CKA_EXTRACTABLE, &value);
+ if (rv != SECSuccess) {
+ return false;
+ }
+
+ bool isExtractable = false;
+ if ((value.len == 1) && value.data) {
+ isExtractable = !!(*(CK_BBOOL*)value.data);
+ }
+ return isExtractable;
+}
+
+// Having already loaded the certs, form them into a blob (loading the keys
+// also), encode the blob, and stuff it into the file.
+nsresult nsPKCS12Blob::ExportToFile(nsIFile* aFile,
+ const nsTArray<RefPtr<nsIX509Cert>>& aCerts,
+ const nsAString& aPassword,
+ uint32_t& aError) {
+ nsCString passwordUtf8 = NS_ConvertUTF16toUTF8(aPassword);
+ uint32_t passwordBufferLength = passwordUtf8.Length();
+ aError = nsIX509CertDB::Success;
+ // The conversion to UCS2 is executed by sec_pkcs12_encode_password when
+ // necessary (for some older PKCS12 algorithms). The NSS 3.31 and newer
+ // expects password to be in the utf8 encoding to support modern encoders.
+ UniquePtr<unsigned char[]> passwordBuffer(
+ reinterpret_cast<unsigned char*>(ToNewCString(passwordUtf8)));
+ if (!passwordBuffer.get()) {
+ return NS_OK;
+ }
+ UniqueSEC_PKCS12ExportContext ecx(
+ SEC_PKCS12CreateExportContext(nullptr, nullptr, nullptr, nullptr));
+ if (!ecx) {
+ aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED;
+ return NS_OK;
+ }
+ // add password integrity
+ SECItem unicodePw = {siBuffer, passwordBuffer.get(), passwordBufferLength};
+ SECStatus srv =
+ SEC_PKCS12AddPasswordIntegrity(ecx.get(), &unicodePw, SEC_OID_SHA1);
+ if (srv != SECSuccess) {
+ aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED;
+ return NS_OK;
+ }
+ for (auto& cert : aCerts) {
+ UniqueCERTCertificate nssCert(cert->GetCert());
+ if (!nssCert) {
+ aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED;
+ return NS_OK;
+ }
+ // We can probably only successfully export certs that are on the internal
+ // token. Most, if not all, smart card vendors won't let you extract the
+ // private key (in any way shape or form) from the card. So let's punt if
+ // the cert is not in the internal db.
+ if (nssCert->slot && !PK11_IsInternal(nssCert->slot)) {
+ // We aren't the internal token, see if the key is extractable.
+ UniqueSECKEYPrivateKey privKey(
+ PK11_FindKeyByDERCert(nssCert->slot, nssCert.get(), mUIContext));
+ if (privKey && !isExtractable(privKey)) {
+ // This is informative. If a serious error occurs later it will
+ // override it later and return.
+ aError = nsIX509CertDB::ERROR_PKCS12_NOSMARTCARD_EXPORT;
+ continue;
+ }
+ }
+
+ // certSafe and keySafe are owned by ecx.
+ SEC_PKCS12SafeInfo* certSafe;
+ SEC_PKCS12SafeInfo* keySafe = SEC_PKCS12CreateUnencryptedSafe(ecx.get());
+ bool useModernCrypto = Preferences::GetBool(
+ "security.pki.use_modern_crypto_with_pkcs12", false);
+ // We use SEC_OID_AES_128_CBC for the password and SEC_OID_AES_256_CBC
+ // for the certificate because it's a default for openssl an pk12util
+ // command.
+ if (!SEC_PKCS12IsEncryptionAllowed() || PK11_IsFIPS()) {
+ certSafe = keySafe;
+ } else {
+ SECOidTag privAlg =
+ useModernCrypto ? SEC_OID_AES_128_CBC
+ : SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+ certSafe =
+ SEC_PKCS12CreatePasswordPrivSafe(ecx.get(), &unicodePw, privAlg);
+ }
+ if (!certSafe || !keySafe) {
+ aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED;
+ return NS_OK;
+ }
+ // add the cert and key to the blob
+ SECOidTag algorithm =
+ useModernCrypto
+ ? SEC_OID_AES_256_CBC
+ : SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
+ srv = SEC_PKCS12AddCertAndKey(ecx.get(), certSafe, nullptr, nssCert.get(),
+ CERT_GetDefaultCertDB(), keySafe, nullptr,
+ true, &unicodePw, algorithm);
+ if (srv != SECSuccess) {
+ aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED;
+ return NS_OK;
+ }
+ }
+
+ UniquePRFileDesc prFile;
+ PRFileDesc* rawPRFile;
+ nsresult rv = aFile->OpenNSPRFileDesc(PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE,
+ 0664, &rawPRFile);
+ if (NS_FAILED(rv) || !rawPRFile) {
+ aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED;
+ return NS_OK;
+ }
+ prFile.reset(rawPRFile);
+ // encode and write
+ srv = SEC_PKCS12Encode(ecx.get(), writeExportFile, prFile.get());
+ if (srv != SECSuccess) {
+ aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED;
+ }
+ return NS_OK;
+}
+
+// For the NSS PKCS#12 library, must convert PRUnichars (shorts) to a buffer of
+// octets. Must handle byte order correctly.
+UniquePtr<uint8_t[]> nsPKCS12Blob::stringToBigEndianBytes(
+ const nsAString& uni, uint32_t& bytesLength) {
+ if (uni.IsVoid()) {
+ bytesLength = 0;
+ return nullptr;
+ }
+
+ uint32_t wideLength = uni.Length() + 1; // +1 for the null terminator.
+ bytesLength = wideLength * 2;
+ auto buffer = MakeUnique<uint8_t[]>(bytesLength);
+
+ // We have to use a cast here because on Windows, uni.get() returns
+ // char16ptr_t instead of char16_t*.
+ mozilla::NativeEndian::copyAndSwapToBigEndian(
+ buffer.get(), static_cast<const char16_t*>(uni.BeginReading()),
+ wideLength);
+
+ return buffer;
+}
+
+// Given a decoder, read bytes from file and input them to the decoder.
+nsresult nsPKCS12Blob::inputToDecoder(UniqueSEC_PKCS12DecoderContext& dcx,
+ nsIFile* file, PRErrorCode& nssError) {
+ nssError = 0;
+
+ nsCOMPtr<nsIInputStream> fileStream;
+ nsresult rv = NS_NewLocalFileInputStream(getter_AddRefs(fileStream), file);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ char buf[PIP_PKCS12_BUFFER_SIZE];
+ uint32_t amount;
+ while (true) {
+ rv = fileStream->Read(buf, PIP_PKCS12_BUFFER_SIZE, &amount);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // feed the file data into the decoder
+ SECStatus srv =
+ SEC_PKCS12DecoderUpdate(dcx.get(), (unsigned char*)buf, amount);
+ if (srv != SECSuccess) {
+ nssError = PR_GetError();
+ return NS_OK;
+ }
+ if (amount < PIP_PKCS12_BUFFER_SIZE) {
+ break;
+ }
+ }
+ return NS_OK;
+}
+
+// What to do when the nickname collides with one already in the db.
+SECItem* nsPKCS12Blob::nicknameCollision(SECItem* oldNick, PRBool* cancel,
+ void* wincx) {
+ *cancel = false;
+ int count = 1;
+ nsCString nickname;
+ nsAutoString nickFromProp;
+ nsresult rv = GetPIPNSSBundleString("P12DefaultNickname", nickFromProp);
+ if (NS_FAILED(rv)) {
+ return nullptr;
+ }
+ NS_ConvertUTF16toUTF8 nickFromPropC(nickFromProp);
+ // The user is trying to import a PKCS#12 file that doesn't have the
+ // attribute we use to set the nickname. So in order to reduce the
+ // number of interactions we require with the user, we'll build a nickname
+ // for the user. The nickname isn't prominently displayed in the UI,
+ // so it's OK if we generate one on our own here.
+ // XXX If the NSS API were smarter and actually passed a pointer to
+ // the CERTCertificate* we're importing we could actually just
+ // call default_nickname (which is what the issuance code path
+ // does) and come up with a reasonable nickname. Alas, the NSS
+ // API limits our ability to produce a useful nickname without
+ // bugging the user. :(
+ while (1) {
+ // If we've gotten this far, that means there isn't a certificate
+ // in the database that has the same subject name as the cert we're
+ // trying to import. So we need to come up with a "nickname" to
+ // satisfy the NSS requirement or fail in trying to import.
+ // Basically we use a default nickname from a properties file and
+ // see if a certificate exists with that nickname. If there isn't, then
+ // create update the count by one and append the string '#1' Or
+ // whatever the count currently is, and look for a cert with
+ // that nickname. Keep updating the count until we find a nickname
+ // without a corresponding cert.
+ // XXX If a user imports *many* certs without the 'friendly name'
+ // attribute, then this may take a long time. :(
+ nickname = nickFromPropC;
+ if (count > 1) {
+ nickname.AppendPrintf(" #%d", count);
+ }
+ UniqueCERTCertificate cert(
+ CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname.get()));
+ if (!cert) {
+ break;
+ }
+ count++;
+ }
+ UniqueSECItem newNick(
+ SECITEM_AllocItem(nullptr, nullptr, nickname.Length() + 1));
+ if (!newNick) {
+ return nullptr;
+ }
+ memcpy(newNick->data, nickname.get(), nickname.Length());
+ newNick->data[nickname.Length()] = 0;
+
+ return newNick.release();
+}
+
+// write bytes to the exported PKCS#12 file
+void nsPKCS12Blob::writeExportFile(void* arg, const char* buf,
+ unsigned long len) {
+ PRFileDesc* file = static_cast<PRFileDesc*>(arg);
+ MOZ_RELEASE_ASSERT(file);
+ PR_Write(file, buf, len);
+}
+
+// Translate PRErrorCode to nsIX509CertDB error
+uint32_t nsPKCS12Blob::handlePRErrorCode(PRErrorCode aPrerr) {
+ MOZ_ASSERT(aPrerr != 0);
+ uint32_t error = nsIX509CertDB::ERROR_UNKNOWN;
+ switch (aPrerr) {
+ case SEC_ERROR_PKCS12_CERT_COLLISION:
+ error = nsIX509CertDB::ERROR_PKCS12_DUPLICATE_DATA;
+ break;
+ // INVALID_ARGS is returned on bad password when importing cert
+ // exported from firefox or generated by openssl
+ case SEC_ERROR_INVALID_ARGS:
+ case SEC_ERROR_BAD_PASSWORD:
+ error = nsIX509CertDB::ERROR_BAD_PASSWORD;
+ break;
+ case SEC_ERROR_BAD_DER:
+ case SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE:
+ case SEC_ERROR_PKCS12_INVALID_MAC:
+ error = nsIX509CertDB::ERROR_DECODE_ERROR;
+ break;
+ case SEC_ERROR_PKCS12_DUPLICATE_DATA:
+ error = nsIX509CertDB::ERROR_PKCS12_DUPLICATE_DATA;
+ break;
+ }
+ return error;
+}
diff --git a/security/manager/ssl/nsPKCS12Blob.h b/security/manager/ssl/nsPKCS12Blob.h
new file mode 100644
index 0000000000..e764481999
--- /dev/null
+++ b/security/manager/ssl/nsPKCS12Blob.h
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsPKCS12Blob_h
+#define nsPKCS12Blob_h
+
+#include "mozilla/RefPtr.h"
+#include "mozilla/UniquePtr.h"
+#include "nsCOMPtr.h"
+#include "nsIInterfaceRequestor.h"
+#include "nsString.h"
+#include "nsTArray.h"
+#include "p12.h"
+#include "prerror.h"
+#include "ScopedNSSTypes.h"
+#include "seccomon.h"
+
+class nsIFile;
+class nsIX509Cert;
+
+// Class for importing/exporting PKCS#12 blobs
+class nsPKCS12Blob {
+ public:
+ nsPKCS12Blob();
+ ~nsPKCS12Blob() = default;
+
+ // PKCS#12 Import
+ nsresult ImportFromFile(nsIFile* file, const nsAString& password,
+ uint32_t& error);
+
+ // PKCS#12 Export
+ nsresult ExportToFile(nsIFile* file,
+ const nsTArray<RefPtr<nsIX509Cert>>& certs,
+ const nsAString& password, uint32_t& error);
+
+ private:
+ nsCOMPtr<nsIInterfaceRequestor> mUIContext;
+
+ // local helper functions
+ nsresult inputToDecoder(mozilla::UniqueSEC_PKCS12DecoderContext& dcx,
+ nsIFile* file, PRErrorCode& nssError);
+ mozilla::UniquePtr<uint8_t[]> stringToBigEndianBytes(const nsAString& uni,
+ uint32_t& bytesLength);
+ uint32_t handlePRErrorCode(PRErrorCode prerr);
+
+ static SECItem* nicknameCollision(SECItem* oldNick, PRBool* cancel,
+ void* wincx);
+ static void writeExportFile(void* arg, const char* buf, unsigned long len);
+};
+
+#endif // nsPKCS12Blob_h
diff --git a/security/manager/ssl/nsRandomGenerator.cpp b/security/manager/ssl/nsRandomGenerator.cpp
new file mode 100644
index 0000000000..0f56b2b4e3
--- /dev/null
+++ b/security/manager/ssl/nsRandomGenerator.cpp
@@ -0,0 +1,41 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsRandomGenerator.h"
+
+#include "ScopedNSSTypes.h"
+#include "nsNSSComponent.h"
+#include "pk11pub.h"
+#include "prerror.h"
+#include "secerr.h"
+#include "mozilla/UniquePtrExtensions.h"
+
+NS_IMPL_ISUPPORTS(nsRandomGenerator, nsIRandomGenerator)
+
+NS_IMETHODIMP
+nsRandomGenerator::GenerateRandomBytes(uint32_t aLength, uint8_t** aBuffer) {
+ NS_ENSURE_ARG_POINTER(aBuffer);
+ *aBuffer = nullptr;
+
+ mozilla::UniqueFreePtr<uint8_t> buf(
+ static_cast<uint8_t*>(moz_xmalloc(aLength)));
+ nsresult rv = GenerateRandomBytesInto(buf.get(), aLength);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ *aBuffer = buf.release();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRandomGenerator::GenerateRandomBytesInto(uint8_t* aBuffer, uint32_t aLength) {
+ NS_ENSURE_ARG_POINTER(aBuffer);
+
+ mozilla::UniquePK11SlotInfo slot(PK11_GetInternalSlot());
+ if (!slot) {
+ return NS_ERROR_FAILURE;
+ }
+
+ SECStatus srv = PK11_GenerateRandomOnSlot(slot.get(), aBuffer, aLength);
+ return srv == SECSuccess ? NS_OK : NS_ERROR_FAILURE;
+}
diff --git a/security/manager/ssl/nsRandomGenerator.h b/security/manager/ssl/nsRandomGenerator.h
new file mode 100644
index 0000000000..4ae3fc82f4
--- /dev/null
+++ b/security/manager/ssl/nsRandomGenerator.h
@@ -0,0 +1,29 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsRandomGenerator_h
+#define nsRandomGenerator_h
+
+#include "mozilla/Attributes.h"
+#include "nsIRandomGenerator.h"
+
+#define NS_RANDOMGENERATOR_CID \
+ { \
+ 0xbe65e2b7, 0xfe46, 0x4e0f, { \
+ 0x88, 0xe0, 0x4b, 0x38, 0x5d, 0xb4, 0xd6, 0x8a \
+ } \
+ }
+
+#define NS_RANDOMGENERATOR_CONTRACTID "@mozilla.org/security/random-generator;1"
+
+class nsRandomGenerator final : public nsIRandomGenerator {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIRANDOMGENERATOR
+
+ private:
+ ~nsRandomGenerator() = default;
+};
+
+#endif // nsRandomGenerator_h
diff --git a/security/manager/ssl/nsSSLSocketProvider.cpp b/security/manager/ssl/nsSSLSocketProvider.cpp
new file mode 100644
index 0000000000..41fa50add8
--- /dev/null
+++ b/security/manager/ssl/nsSSLSocketProvider.cpp
@@ -0,0 +1,46 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/BasePrincipal.h"
+#include "nsSSLSocketProvider.h"
+#include "nsNSSIOLayer.h"
+#include "nsError.h"
+
+using mozilla::OriginAttributes;
+
+nsSSLSocketProvider::nsSSLSocketProvider() = default;
+
+nsSSLSocketProvider::~nsSSLSocketProvider() = default;
+
+NS_IMPL_ISUPPORTS(nsSSLSocketProvider, nsISocketProvider)
+
+NS_IMETHODIMP
+nsSSLSocketProvider::NewSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ uint32_t flags, uint32_t tlsFlags,
+ PRFileDesc** _result,
+ nsITLSSocketControl** tlsSocketControl) {
+ nsresult rv =
+ nsSSLIOLayerNewSocket(family, host, port, proxy, originAttributes,
+ _result, tlsSocketControl, false, flags, tlsFlags);
+ return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
+}
+
+// Add the SSL IO layer to an existing socket
+NS_IMETHODIMP
+nsSSLSocketProvider::AddToSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ uint32_t flags, uint32_t tlsFlags,
+ PRFileDesc* aSocket,
+ nsITLSSocketControl** tlsSocketControl) {
+ nsresult rv = nsSSLIOLayerAddToSocket(
+ family, host, port, proxy, originAttributes, aSocket, tlsSocketControl,
+ false, flags, tlsFlags);
+
+ return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
+}
diff --git a/security/manager/ssl/nsSSLSocketProvider.h b/security/manager/ssl/nsSSLSocketProvider.h
new file mode 100644
index 0000000000..690c911bd5
--- /dev/null
+++ b/security/manager/ssl/nsSSLSocketProvider.h
@@ -0,0 +1,32 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _NSSSLSOCKETPROVIDER_H_
+#define _NSSSLSOCKETPROVIDER_H_
+
+#include "nsISocketProvider.h"
+
+/* 217d014a-1dd2-11b2-999c-b0c4df79b324 */
+#define NS_SSLSOCKETPROVIDER_CID \
+ { \
+ 0x217d014a, 0x1dd2, 0x11b2, { \
+ 0x99, 0x9c, 0xb0, 0xc4, 0xdf, 0x79, 0xb3, 0x24 \
+ } \
+ }
+
+class nsSSLSocketProvider : public nsISocketProvider {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSISOCKETPROVIDER
+
+ // nsSSLSocketProvider methods:
+ nsSSLSocketProvider();
+
+ protected:
+ virtual ~nsSSLSocketProvider();
+};
+
+#endif /* _NSSSLSOCKETPROVIDER_H_ */
diff --git a/security/manager/ssl/nsSTSPreloadList.inc b/security/manager/ssl/nsSTSPreloadList.inc
new file mode 100644
index 0000000000..a2a0b03969
--- /dev/null
+++ b/security/manager/ssl/nsSTSPreloadList.inc
@@ -0,0 +1,158718 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*****************************************************************************/
+/* This is an automatically generated file. If you're not */
+/* nsSiteSecurityService.cpp, you shouldn't be #including it. */
+/*****************************************************************************/
+
+#include <stdint.h>
+const PRTime gPreloadListExpirationTime = INT64_C(1721040743743000);
+%%
+0--1.de, 1
+0-0.io, 1
+0-0.lt, 1
+0-1.party, 1
+0-24.com, 1
+0-24.net, 1
+0-9.com, 1
+0.com.ms, 1
+0.sb, 1
+00.eco, 1
+00000000-0000-0000-0000-000000000000.xyz, 1
+00010110.nl, 1
+0007552.com, 1
+000814.com, 1
+000a1.com, 1
+000a2.com, 1
+000a3.com, 1
+000a5.com, 1
+000a6.com, 1
+000a7.com, 1
+000a8.com, 1
+000a9.com, 1
+000aicai.com, 1
+000g.ru, 1
+000x2.com, 1
+0011011.xyz, 1
+00120012.net, 1
+00140014.net, 1
+00168365.com, 1
+0017552.com, 1
+0017d88.com, 1
+001yapan.com, 1
+002.ro, 0
+00228.am, 0
+00228555.com, 1
+00228999.com, 1
+00228vip5.com, 1
+00228vip6.com, 1
+00228vip8.com, 1
+00228vv.com, 0
+00228w.com, 1
+00228ww.com, 0
+00228xx.com, 0
+00228yy.com, 0
+00228zz.com, 0
+003.mx, 1
+00321365.com, 1
+00365t.com, 1
+0037552.com, 1
+003d88.com, 1
+003dyw.com, 1
+0047552.com, 1
+00484.com, 1
+005184.xyz, 1
+0057552.com, 1
+0066.in, 1
+0067552.com, 1
+007d88.com, 1
+007kf.com, 1
+007sascha.de, 1
+0087552.com, 1
+00880088.net, 1
+008yingshi.com, 1
+009597.com, 0
+00971.net, 1
+0097552.com, 1
+009cc.com, 1
+009zl.com, 1
+00b31.com, 0
+00b58.com, 1
+00bet86.com, 1
+00c.org, 1
+00d88.com, 1
+00dani.me, 1
+00f.net, 1
+00ffaaa.com, 1
+00ffbbb.com, 1
+00ffccc.com, 1
+00ffddd.com, 1
+00ffeee.com, 1
+00fffaa.com, 1
+00fffbb.com, 1
+00fffcc.com, 1
+00fffdd.com, 1
+00fffee.com, 1
+00fffgg.com, 1
+00fffhh.com, 1
+00fffii.com, 1
+00fffjj.com, 1
+00fffkk.com, 1
+00fffll.com, 1
+00fffmm.com, 1
+00fffnn.com, 1
+00fffoo.com, 1
+00fffpp.com, 1
+00fffqq.com, 1
+00fffrr.com, 1
+00fffss.com, 1
+00ffftt.com, 1
+00fffuu.com, 1
+00fffvv.com, 1
+00fffww.com, 1
+00fffxx.com, 1
+00fffyy.com, 1
+00fffzz.com, 1
+00ffggg.com, 1
+00ffhhh.com, 1
+00ffiii.com, 1
+00ffjjj.com, 1
+00ffkkk.com, 1
+00fflll.com, 1
+00ffmmm.com, 1
+00ffnnn.com, 1
+00ffooo.com, 1
+00ffppp.com, 1
+00ffqqq.com, 1
+00ffrrr.com, 1
+00ffsss.com, 1
+00ffttt.com, 1
+00ffuuu.com, 1
+00ffvvv.com, 1
+00ffwww.com, 1
+00ffxxx.com, 1
+00ffyyy.com, 1
+00ffzzz.com, 1
+00o00.top, 1
+00wbf.com, 1
+01011970.xyz, 1
+010203.ru, 1
+01100010011001010111001101110100.com, 1
+01110000011100110111001001100111.ca, 1
+01110000011100110111001001100111.com, 1
+011100110110010101110010011001110110100101101111.com, 1
+011101.xyz, 1
+0116288.com, 1
+011631.com, 1
+0117552.com, 0
+011ks.com, 1
+012345678365.com, 1
+0127552.com, 0
+01337.tech, 1
+013458.com, 1
+01365t.com, 1
+0137552.com, 1
+0138365.com, 0
+0139365.com, 0
+015kb.com, 1
+018zl.com, 1
+019ks.com, 1
+01electronica.com.ar, 1
+01seguridad.com.ar, 1
+01smh.com, 1
+01tools.com, 1
+01up.co.za, 1
+021002.com, 1
+0222z6.com, 1
+022367.com, 1
+022391.com, 1
+022501.com, 1
+022503.com, 1
+022507.com, 1
+022571.com, 1
+022601.com, 1
+022609.com, 1
+022610.com, 1
+02327.net, 1
+02349898.xyz, 1
+02365t.com, 1
+02375.net, 1
+023sec.com, 1
+025500.xyz, 1
+02638.net, 1
+026637.com, 1
+027862.com, 1
+029637.com, 1
+02d88.net, 1
+02n.cn, 1
+02smh.com, 1
+03-09-2016.wedding, 1
+03012.net, 1
+03018.net, 1
+031373.com, 1
+03170317.com, 1
+032ks.com, 1
+0335z6.com, 1
+035711630.xyz, 1
+0376z6.com, 1
+0377z6.com, 1
+038663.com, 1
+038799.com, 0
+038dev.nl, 1
+0391315.com, 1
+03region.ga, 1
+040552.com, 0
+041552.com, 0
+0420.ec, 1
+042230.com, 1
+042552.com, 0
+04365t.com, 1
+046552.com, 0
+046569.com, 1
+047329.com, 1
+048661.com, 1
+04911701.cn, 1
+049552.com, 0
+04d88.com, 1
+04d88.net, 1
+04pk.cn, 1
+04sun.com, 1
+050.ca, 1
+050a1.com, 1
+050a2.com, 1
+050a3.com, 1
+050a4.com, 1
+050a5.com, 1
+050a6.com, 1
+050ks.com, 1
+051014.com, 1
+0511315.net, 1
+0513z6.com, 1
+0514.chat, 1
+051552.com, 0
+0517z6.com, 1
+051ks.com, 1
+052ks.com, 1
+05365t.com, 1
+053ks.com, 1
+054552.com, 0
+055268.com, 1
+0553z6.com, 1
+0555z6.com, 1
+056687.com, 0
+056697.com, 0
+057180.com, 0
+0571z6.com, 1
+0575z6.com, 1
+0597z6.com, 1
+059958.com, 1
+06006.vip, 0
+060258.com, 1
+060579.com, 1
+060757.com, 1
+060796.com, 1
+060798.com, 1
+06091994.xyz, 1
+06365t.com, 1
+065l.com, 1
+066630.com, 1
+06804.com, 0
+0681a.com, 1
+0681h.com, 1
+068552.com, 0
+06d88.com, 1
+06d88.net, 1
+06se.com, 1
+070709.net, 1
+070930.com, 1
+0712z6.com, 1
+071552.com, 0
+071615.com, 1
+0737399.com, 1
+074696.com, 1
+074758.com, 1
+076.ne.jp, 1
+0760ks.com, 1
+078663.com, 1
+078895.com, 1
+0788yh.com, 1
+0792112.com, 1
+0798rcw.com, 0
+07d88.com, 1
+07d88.net, 1
+07f.de, 1
+08000113.nl, 1
+080261.com, 1
+081115.com, 1
+081752.com, 1
+081763.com, 1
+081769.com, 1
+081783.com, 1
+081925.com, 1
+081927.com, 1
+081957.com, 1
+082159.com, 1
+082167.com, 1
+082173.com, 1
+082175.com, 1
+082179.com, 1
+082192.com, 1
+082193.com, 1
+082195.com, 1
+082359.com, 1
+083321.com, 1
+083326.com, 1
+083329.com, 1
+08365t.com, 1
+083967.com, 1
+084552.com, 1
+084709.com, 1
+085035.com, 1
+085851.com, 0
+086486.com, 1
+08845.cc, 1
+089818.com, 1
+08detaxe.fr, 1
+09.ag, 0
+09000113.nl, 1
+090124.xyz, 1
+090136.com, 1
+0906-clan.tk, 1
+09115.com, 0
+091630.com, 1
+091k8.com, 0
+0935792342.tw, 1
+09365t.com, 1
+095598.cc, 1
+097712.com, 1
+09892.net, 1
+0998z6.com, 1
+0999z6.com, 1
+09elektrik.com, 1
+09kanagawa.jp, 1
+0akarma.me, 1
+0au.de, 0
+0c.mom, 1
+0carbon.com, 1
+0cdn.ga, 1
+0cdn.net, 1
+0cean.tk, 1
+0chan.pl, 1
+0cp8778.com, 1
+0culus.tk, 1
+0d111.com, 1
+0day.agency, 1
+0dayexploits.gq, 1
+0des.com, 1
+0i0.nl, 1
+0ii0.cf, 1
+0iz.net, 1
+0knowledge.de, 1
+0milemarathon.com, 1
+0n3b1t.com, 1
+0nnn.top, 1
+0o0.edu.pl, 1
+0o0.ooo, 1
+0o0o.biz, 1
+0okmnbvcxzx.tk, 1
+0ooo0.xyz, 1
+0paste.com, 1
+0q0.eu, 1
+0r3.de, 1
+0rap.tk, 1
+0system.tk, 1
+0trust.cloud, 1
+0trust.pro, 1
+0ut3r.space, 1
+0verall.tk, 1
+0vi.org, 1
+0w.al, 1
+0w0.wiki, 1
+0wx.cat, 1
+0wx.es, 1
+0wx.eu, 1
+0wx.net, 1
+0wx.org, 1
+0x.cx, 1
+0x.lu, 1
+0x.sk, 1
+0x0.cloud, 1
+0x0.li, 1
+0x00c.de, 1
+0x00ff00ff.com, 1
+0x0a.team, 1
+0x1.ink, 1
+0x12.de, 1
+0x15.ca, 1
+0x17.de, 1
+0x21.consulting, 1
+0x22.de, 1
+0x27.fr, 1
+0x28.de, 1
+0x2a.ninja, 1
+0x378.net, 1
+0x3a.net, 1
+0x41.us, 1
+0x52.net, 1
+0x52.org, 1
+0x53.de, 1
+0x5d.de, 1
+0x5f3759df.net, 1
+0x7.io, 1
+0x76.de, 1
+0x7d7b.net, 1
+0x7fffffff.net, 0
+0x80.org, 1
+0x90.io, 1
+0x90.space, 1
+0xaa55.me, 1
+0xacab.org, 1
+0xaf.tk, 1
+0xda.de, 1
+0xdefaced.de, 1
+0xedward.io, 1
+0xee.eu, 1
+0xf00.ch, 1
+0xfc.de, 1
+0xff.se, 1
+0xfn.eu, 1
+0xheuts.nl, 1
+0xn.de, 1
+0xnotes.me, 0
+0xnull.de, 1
+0xspa.de, 1
+0xword.com, 1
+0yen.org, 1
+1-2-3bounce.co.uk, 1
+1-800-mattress.com, 1
+1-ae.com, 1
+1-inv.com, 1
+1-pujcky-uvery.tk, 1
+1-x-bet.com, 1
+1-x-bet.ke, 1
+1-x-mirror.com, 1
+1-xbet-tj.com, 1
+1-xbet.ke, 1
+1-xbet13.com, 1
+1-xbet20.com, 1
+100-downloads.com, 1
+10000hits.tk, 1
+10000lab.net, 1
+10000rub.gq, 1
+10000spoons.tk, 1
+10001000.xyz, 1
+100048.com, 1
+1000cp5.cc, 1
+1000inf.ru, 1
+1000ps.at, 1
+1000ps.de, 1
+1000rubley.ml, 1
+1000serien.com, 1
+1000wordsevents.com, 0
+1001cachimbas.es, 1
+1001fonts.com, 1
+1001home.cf, 1
+1001kartini.com, 1
+1001mv.com, 1
+1001n.com, 1
+1001reasonstolearnspanish.com, 1
+1001telecommandes.com, 1
+1007337.com, 1
+10086.id, 1
+10086.ru, 1
+100baksov.tk, 1
+100ballov.tk, 1
+100beauty.com, 1
+100bib.ru, 1
+100fast.com, 1
+100fss.com, 1
+100fss.marketing, 1
+100k.eu, 1
+100kraz.ga, 1
+100kredite.de, 1
+100lib.ru, 1
+100mani.it, 1
+100nome.com, 1
+100onrainkajino.com, 1
+100pay.com, 1
+100pour100print.com, 1
+100pudov.tk, 1
+100reach.com, 1
+100refer.tk, 1
+100sapog.tk, 1
+100skidok.ga, 1
+100sovetov.info, 1
+100time.ru, 1
+100tur.tk, 1
+100up.de, 1
+100up.net, 1
+100up.org, 1
+100v.org, 1
+100visits.tk, 1
+100voprosov.tk, 1
+100zakladok.tk, 1
+10101.io, 1
+101010.hopto.org, 1
+101010.pl, 1
+101023.xyz, 1
+10198.com, 1
+101android.ru, 1
+101st-airborne.tk, 1
+101st.tk, 1
+101warehousing.com.au, 1
+1020310.com, 1
+1020311.com, 1
+1020312.com, 1
+1020313.com, 1
+1020314.com, 1
+1020316.com, 1
+1020318.com, 1
+1020319.com, 1
+1020320.com, 1
+10218.com, 1
+10218app10218.com, 1
+10218b.com, 0
+10218c.com, 0
+10218cj.com, 1
+10218d.com, 0
+10218e.com, 0
+10218f.com, 0
+10218g.com, 0
+10218h.com, 0
+10218i.com, 0
+1024.ee, 1
+1024.kr, 1
+1025.ga, 1
+10365e.com, 1
+10365f.com, 1
+10365h.com, 1
+1037thefoxrocks.com, 1
+104.ua, 1
+1040taxfirm.com, 1
+1041263497.rsc.cdn77.org, 1
+10414.org, 0
+10430.net, 1
+10435.net, 1
+10436.net, 1
+10438.net, 1
+10439.net, 1
+10453.net, 1
+104760.com, 1
+10495.net, 1
+105318.com, 1
+105861.com, 1
+106.hi.cn, 1
+10628.com, 1
+1068511.com, 1
+10705.ml, 1
+107996.com, 1
+1079fm.ga, 1
+10840.net, 1
+10961096.xyz, 1
+109k8.com, 1
+10er-friseur.de, 1
+10gbit.ovh, 1
+10hz.de, 1
+10ktotalent.com, 1
+10mach.com, 1
+10media.ru, 1
+10mijlvanijmuiden.tk, 1
+10milliondollarpage.com, 1
+10must.com, 1
+10news.com, 1
+10og.de, 1
+10pearls.com, 1
+10ppm.com, 1
+10seos.com, 1
+10ten.study, 1
+10tv.in, 1
+10ve.live, 1
+10web.io, 1
+10wtac.tk, 1
+10x.to, 1
+10xnation.com, 1
+1100.so, 1
+1100110.xyz, 1
+11018vip.com, 1
+11018xpj.com, 1
+11046.com, 1
+11082.com, 1
+110838.com, 1
+110cl.com, 1
+110na.com, 1
+111011.xyz, 1
+1111365t.com, 1
+111365t.com, 1
+11168365.com, 1
+111814.com, 1
+11182.com, 1
+11183.com, 1
+11185.com, 1
+111aicai.com, 1
+111bet86.com, 1
+111novosti.tk, 1
+111plus.design, 1
+1120301.com, 1
+1120302.com, 1
+1120303.com, 1
+1120305.com, 1
+1120306.com, 1
+1120307.com, 1
+1120308.com, 1
+1120309.com, 1
+1120311.com, 1
+1120312.com, 1
+1120313.com, 1
+1120314.com, 1
+1120315.com, 1
+1120316.com, 1
+1120317.com, 1
+1120320.com, 1
+1120321.com, 1
+1120322.com, 1
+1120323.com, 1
+1120324.com, 1
+1120325.com, 1
+1120326.com, 1
+1120327.com, 1
+1120328.com, 1
+1120330.com, 1
+1120331.com, 1
+1120332.com, 1
+1120334.com, 1
+1120335.com, 1
+1120336.com, 1
+1120337.com, 1
+1120338.com, 1
+1120339.com, 1
+1120341.com, 1
+1120342.com, 1
+1120343.com, 1
+1120344.com, 1
+1120345.com, 1
+1120346.com, 1
+1120347.com, 1
+1120348.com, 1
+1120349.com, 1
+1120350.com, 1
+11221jz.com, 1
+11223837.com, 0
+1126.blog, 1
+112app.nl, 1
+112hz.com, 1
+112it.ro, 0
+112krimpen.tk, 1
+112madgamer.tk, 1
+11321365.com, 1
+11333837.com, 1
+11365t.com, 1
+113k8.com, 1
+113z6.com, 1
+11400.com, 1
+11443837.com, 0
+114514ss.com, 1
+114job.com, 1
+114online.com, 1
+115.one, 1
+115z6.com, 1
+11665835.com, 0
+1174healing.com, 1
+117766.xyz, 1
+1177z6.com, 1
+11792.com, 1
+118400.com, 0
+1190america.tk, 1
+1199bet.vip, 1
+11aaee.com, 1
+11aagg.com, 1
+11aajj.com, 1
+11aaqq.com, 1
+11aazz.com, 1
+11academianetworks.com, 1
+11b31.com, 0
+11b58.com, 1
+11bbjj.com, 1
+11bbpp.com, 1
+11bbqq.com, 1
+11bbss.com, 1
+11bbzz.com, 1
+11bet86.com, 1
+11ccee.com, 1
+11ccgg.com, 1
+11ccjj.com, 1
+11ccpp.com, 1
+11ccqq.com, 1
+11cctt.com, 1
+11cczz.com, 1
+11cloud.ch, 1
+11ddbb.com, 1
+11ddcc.com, 1
+11ddjj.com, 1
+11ddkk.com, 1
+11ddpp.com, 1
+11dzon.com, 1
+11eebb.com, 1
+11eegg.com, 1
+11eejj.com, 1
+11eeqq.com, 1
+11eess.com, 1
+11eexx.com, 1
+11eeyy.com, 1
+11eezz.com, 1
+11ffaaa.com, 1
+11ffbbb.com, 1
+11ffcc.com, 1
+11ffccc.com, 1
+11ffddd.com, 1
+11ffeee.com, 1
+11fffaa.com, 1
+11fffbb.com, 1
+11fffcc.com, 1
+11fffdd.com, 1
+11fffee.com, 1
+11fffgg.com, 1
+11fffhh.com, 1
+11fffii.com, 1
+11fffjj.com, 1
+11fffkk.com, 1
+11fffll.com, 1
+11fffmm.com, 1
+11fffnn.com, 1
+11fffoo.com, 1
+11fffpp.com, 1
+11fffqq.com, 1
+11fffrr.com, 1
+11fffss.com, 1
+11ffftt.com, 1
+11fffuu.com, 1
+11fffvv.com, 1
+11fffww.com, 1
+11fffxx.com, 1
+11fffyy.com, 1
+11fffzz.com, 1
+11ffggg.com, 1
+11ffhhh.com, 1
+11ffiii.com, 1
+11ffjjj.com, 1
+11ffkk.com, 1
+11ffkkk.com, 1
+11fflll.com, 1
+11ffmmm.com, 1
+11ffnnn.com, 1
+11ffooo.com, 1
+11ffppp.com, 1
+11ffqqq.com, 1
+11ffrr.com, 1
+11ffrrr.com, 1
+11ffsss.com, 1
+11fftt.com, 1
+11ffttt.com, 1
+11ffuuu.com, 1
+11ffvvv.com, 1
+11ffwww.com, 1
+11ffxx.com, 1
+11ffxxx.com, 1
+11ffyy.com, 1
+11ffyyy.com, 1
+11ffzz.com, 1
+11ffzzz.com, 1
+11ggbb.com, 1
+11ggcc.com, 1
+11ggee.com, 1
+11ggjj.com, 1
+11ggrr.com, 1
+11ggss.com, 1
+11ggyy.com, 1
+11ggzz.com, 1
+11hhee.com, 1
+11hhff.com, 1
+11hhgg.com, 1
+11hhqq.com, 1
+11hhrr.com, 1
+11hhzz.com, 1
+11it.ru, 1
+11jjaa.com, 1
+11jjcc.com, 1
+11jjrr.com, 1
+11jjyy.com, 1
+11jjzz.com, 1
+11kkee.com, 1
+11kkff.com, 1
+11men.tk, 1
+11ppbb.com, 1
+11ppee.com, 1
+11pphh.com, 1
+11ppjj.com, 1
+11ppqq.com, 1
+11ppss.com, 1
+11pptt.com, 1
+11ppyy.com, 1
+11ppzz.com, 1
+11qqbb.com, 1
+11qqdd.com, 1
+11qqgg.com, 1
+11qqhh.com, 1
+11qqpp.com, 1
+11qqss.com, 1
+11rrcc.com, 1
+11rree.com, 1
+11rrff.com, 1
+11rrhh.com, 1
+11rrjj.com, 1
+11rrkk.com, 1
+11rrqq.com, 1
+11rrss.com, 1
+11rrzz.com, 1
+11sshh.com, 1
+11ssjj.com, 1
+11sskk.com, 1
+11sspp.com, 1
+11ssqq.com, 1
+11ssrr.com, 1
+11sstt.com, 1
+11traders.com, 1
+11ttbb.com, 1
+11tthh.com, 1
+11ttpp.com, 1
+11ttqq.com, 1
+11ttxx.com, 1
+11ttzz.com, 1
+11tv.dp.ua, 1
+11u15.com, 1
+11urss.com, 1
+11yycc.com, 1
+11yydd.com, 1
+11yyee.com, 1
+11yyjj.com, 1
+11yykk.com, 1
+11yyqq.com, 1
+11zzkk.com, 1
+11zztt.com, 1
+12.ag, 1
+12.digital, 1
+1200.cf, 1
+12006.com, 1
+120percent-inc.com, 1
+1212.tk, 1
+1212873467.rsc.cdn77.org, 1
+1218641649.rsc.cdn77.org, 1
+1220310.com, 1
+1220321.com, 1
+1220322.com, 1
+1220323.com, 1
+1220324.com, 1
+1220325.com, 1
+1220326.com, 1
+1220327.com, 1
+1220328.com, 1
+1220329.com, 1
+1220330.com, 1
+1220331.com, 1
+1220332.com, 1
+1220334.com, 1
+1220335.com, 1
+1220336.com, 1
+1220337.com, 1
+1220338.com, 1
+1220339.com, 1
+1220340.com, 1
+1220342.com, 1
+1220343.com, 1
+1220344.com, 1
+1220345.com, 1
+1220346.com, 1
+1220347.com, 1
+1220348.com, 1
+1220349.com, 1
+1220350.com, 1
+1222z6.com, 1
+1223.tk, 1
+123-d.com, 1
+123-ticketsystem.com, 1
+123.chat, 1
+123.gg, 1
+123110.com, 1
+123365t.com, 1
+1234.link, 1
+123410.xyz, 1
+12345.lv, 1
+12345678365.com, 1
+123456789365.com, 1
+12345porn.com, 1
+12365t.com, 1
+123apps.com, 1
+123birthdaygreetings.com, 1
+123comparer.be, 1
+123comparer.fr, 1
+123derivatives.com, 1
+123djdrop.com, 1
+123e.tk, 1
+123freebrushes.com, 1
+123freevectors.com, 1
+123gostovanje.si, 1
+123greeting.tk, 1
+123hpcom.co.uk, 1
+123midterm.com, 1
+123noticias.com.br, 1
+123nutricion.es, 1
+123pay.ir, 1
+123petitspas.com, 1
+123seo.ml, 1
+123site.tk, 1
+123sportpassion.com, 1
+123start.pl, 1
+123start.tk, 1
+123storage.com.au, 1
+123termpapers.com, 1
+123verhuislift.nl, 1
+123viajando.com, 1
+123writings.com, 1
+124133.com, 1
+1244.tk, 1
+1244546066.rsc.cdn77.org, 1
+125-rue.com, 1
+12517.com, 1
+12554.com, 1
+12557.com, 1
+12558.com, 1
+12559.com, 1
+12588.com, 1
+125colours.tk, 1
+125m125.de, 1
+127011.ch, 1
+127661.com, 1
+12778.com, 1
+1277bet.com, 1
+128012.com, 0
+128612.com, 1
+12877.com, 1
+1288366.com, 1
+128bitar.net, 1
+129.co, 1
+12ag8.com, 1
+12apostleshotel.com, 1
+12go.asia, 1
+12go.co, 1
+12gramu.cz, 1
+12grid.co.jp, 1
+12l.nl, 1
+12lasee.com, 1
+12nomos.tk, 1
+12photos.eu, 0
+12socialsmansa.tk, 1
+12train.com, 1
+12u15.com, 1
+12vpx.com, 1
+13-th.com, 1
+130.ua, 0
+1300.cf, 1
+130kb.com, 1
+130ks.com, 1
+130ks.net, 1
+131365a.com, 0
+131365qq.com, 1
+1313z6.com, 1
+13214.cc, 1
+132813.com, 1
+132kv.ch, 1
+133.casino, 1
+13318522.com, 1
+1333.cf, 1
+133335.xyz, 1
+1333z6.com, 1
+1337.ax, 1
+133769.xyz, 1
+1337ersprime.com, 1
+133ks.com, 1
+133ks.net, 1
+133z6.com, 1
+13411-111.com, 1
+134ks.net, 1
+1359826938.rsc.cdn77.org, 1
+135vv.com, 1
+136814.com, 0
+136book.com, 1
+137724.com, 1
+137kb.com, 1
+137z6.com, 1
+138.hk, 1
+13826145000.com, 1
+138z6.com, 1
+1395kj.com, 1
+139z6.com, 1
+13ad.de, 1
+13ag8.com, 1
+13cloudmike.duckdns.org, 1
+13th-dover.uk, 1
+13u15.com, 1
+140.social, 1
+14000.cz, 1
+141-94-142-218.xyz, 1
+141-95-156-101.xyz, 1
+141145.com, 0
+14159.gb.net, 1
+142552.com, 0
+142710.com, 1
+144-217-180-114.xyz, 1
+144chan.ml, 1
+1453914078.rsc.cdn77.org, 1
+1459.io, 1
+145ks.net, 1
+1464424382.rsc.cdn77.org, 1
+146552.com, 0
+1481481.com, 0
+1481486.com, 1
+1481486.net, 1
+148663.com, 1
+149481.com, 1
+14er.jp, 1
+14er.net, 1
+14erc.com, 1
+14ercooper.com, 1
+14fbr.com, 1
+14flags.de, 1
+14it.de, 1
+14thwief.org, 1
+14u15.com, 1
+14x3.de, 1
+15-montorgueil.com, 1
+1511774230.rsc.cdn77.org, 1
+1517.ch, 1
+1517598.com, 1
+1517668.com, 1
+1517669.com, 1
+1517883.com, 1
+1517886.com, 1
+1517889.com, 1
+151farmers.org, 1
+1520301.com, 1
+1520302.com, 1
+1520303.com, 1
+1520304.com, 1
+1520305.com, 1
+1520306.com, 1
+1520310.com, 1
+1520316.com, 1
+1520318.com, 1
+1520319.com, 1
+1520320.com, 1
+1520322.com, 1
+1520323.com, 1
+1520324.com, 1
+1520325.com, 1
+1520326.com, 1
+1520327.com, 1
+1520328.com, 1
+1520329.com, 1
+1520330.com, 1
+1520331.com, 1
+1520332.com, 1
+1520333.com, 1
+1520334.com, 1
+1520335.com, 1
+1520336.com, 1
+1520337.com, 1
+1520338.com, 1
+1520339.com, 1
+1520340.com, 1
+1520341.com, 1
+1520342.com, 1
+1520343.com, 1
+1520344.com, 1
+1520345.com, 1
+1520346.com, 1
+1520347.com, 1
+1520348.com, 1
+1520349.com, 1
+1520350.com, 1
+1527web.com, 1
+152z6.com, 1
+1536.cf, 1
+153z6.com, 1
+154379.com, 1
+154922.com, 0
+155175.com, 0
+155ks.net, 1
+155z6.com, 1
+156k66.com, 1
+156z6.com, 1
+157z6.com, 1
+158.nl, 1
+158306.com, 0
+158bg.com, 1
+1590284872.rsc.cdn77.org, 1
+159ks.net, 1
+159z6.com, 1
+15k.me, 1
+15montorgueil.com, 1
+15ruemontorgueil.com, 1
+15u15.com, 1
+16-qw.tk, 1
+161.sh, 1
+161233.com, 0
+161263.com, 0
+16164f.com, 1
+16195.com, 1
+1620301.com, 1
+1620302.com, 1
+1620303.com, 1
+1620304.com, 1
+1620305.com, 1
+1620306.com, 1
+1620307.com, 1
+1620308.com, 1
+1620309.com, 1
+1620310.com, 1
+1620311.com, 1
+1620312.com, 1
+1620313.com, 1
+1620314.com, 1
+1620315.com, 1
+1620316.com, 1
+1620317.com, 1
+1620318.com, 1
+1620319.com, 1
+1620320.com, 1
+1620321.com, 1
+1620323.com, 1
+1620324.com, 1
+1620325.com, 1
+1620326.com, 1
+1620328.com, 1
+1620329.com, 1
+1620330.com, 1
+1620331.com, 1
+1620332.com, 1
+1620333.com, 1
+1620334.com, 1
+1620335.com, 1
+1620336.com, 1
+1620337.com, 1
+1620338.com, 1
+1620339.com, 1
+1620340.com, 1
+1620341.com, 1
+1620342.com, 1
+1620343.com, 1
+1620349.com, 1
+1620350.com, 1
+162263.com, 0
+162361.com, 0
+162632.com, 1
+162cr.com, 1
+162ea.com, 1
+162jonesrd.ca, 1
+163.gd, 1
+16321.tk, 1
+163pay.com, 1
+164.co, 1
+1644091933.rsc.cdn77.org, 1
+1650thefan.com, 1
+16561155.com, 1
+16561166.com, 1
+16561177.com, 1
+16561188.com, 1
+1661237.com, 1
+166166.com, 1
+166jk.cc, 1
+167clan.net, 1
+1682019.co, 1
+16836500.com, 1
+1683651.com, 1
+16836511.com, 1
+1683652.com, 1
+16836522.com, 1
+1683653.com, 1
+16836533.com, 1
+1683654.com, 1
+16836544.com, 1
+16836555.com, 1
+16836577.com, 1
+16836588.com, 1
+1683659.com, 1
+16836599.com, 1
+168365t.com, 1
+168esb.com, 1
+16974.cc, 1
+169xpj.com, 1
+16megablast.tk, 1
+16packets.com, 1
+16qw.tk, 1
+16region.tk, 1
+16u15.com, 1
+16valerienicolas.tk, 1
+171365a.com, 1
+171365b.com, 1
+171365c.com, 1
+171365d.com, 1
+171365e.com, 1
+171365f.com, 1
+171365g.com, 1
+171365h.com, 1
+171365i.com, 1
+171365j.com, 1
+171365k.com, 1
+171365m.com, 1
+171365n.com, 1
+171365p.com, 1
+171365q.com, 1
+171365r.com, 1
+171365s.com, 1
+171365t.com, 1
+171365u.com, 1
+171365v.com, 1
+171365w.com, 1
+171365x.com, 1
+171365y.com, 1
+171365z.com, 1
+17187q.com, 1
+17190.com, 1
+1720301.com, 1
+1720302.com, 1
+1720303.com, 1
+1720304.com, 1
+1720305.com, 1
+1720306.com, 1
+1720307.com, 1
+1720308.com, 1
+1720309.com, 1
+1720312.com, 1
+1720313.com, 1
+1720314.com, 1
+1720315.com, 1
+1720316.com, 1
+1720317.com, 1
+1720318.com, 1
+1720319.com, 1
+1720320.com, 1
+1720321.com, 1
+1720322.com, 1
+1720323.com, 1
+1720324.com, 1
+1720325.com, 1
+1720326.com, 1
+1720327.com, 1
+1720328.com, 1
+1720329.com, 1
+1720330.com, 1
+1720331.com, 1
+1720332.com, 1
+1720333.com, 1
+1720334.com, 1
+1720335.com, 1
+1720336.com, 1
+1720337.com, 1
+1720338.com, 1
+1720339.com, 1
+1720340.com, 1
+1720341.com, 1
+1720342.com, 1
+1720343.com, 1
+1720344.com, 1
+1720345.com, 1
+1720346.com, 1
+1720347.com, 1
+1720348.com, 1
+1720349.com, 1
+1720350.com, 1
+172792.com, 1
+173.studio, 1
+173yg.com, 1
+174.net.nz, 1
+174343.com, 1
+1750studios.com, 0
+175dt.com, 1
+17901.com, 1
+17920.com, 1
+17921.com, 1
+17kpw.cc, 1
+17kpw.com, 1
+17ta.com, 1
+17th-airborne.tk, 1
+17u15.com, 1
+17xile.com, 1
+1800-mattress.net, 1
+1800baskets.com, 1
+1800flowers.com, 1
+1800matress.net, 1
+1800mattress.co, 1
+1800mattress.net, 1
+1800petmeds.com, 1
+180btt.com, 1
+181k8.com, 1
+181ks.net, 1
+181z6.com, 1
+1820301.com, 1
+1820302.com, 1
+1820303.com, 1
+1820304.com, 1
+1820305.com, 1
+1820306.com, 1
+1820307.com, 1
+1820308.com, 1
+1820309.com, 1
+1820310.com, 1
+1820311.com, 1
+1820313.com, 1
+1820314.com, 1
+1820315.com, 1
+1820316.com, 1
+1820317.com, 1
+1820318.com, 1
+1820319.com, 1
+1820320.com, 1
+1820321.com, 1
+1820322.com, 1
+1820323.com, 1
+1820324.com, 1
+1820325.com, 1
+1820326.com, 1
+1820327.com, 1
+1820328.com, 1
+1820329.com, 1
+1820330.com, 1
+1820331.com, 1
+1820332.com, 1
+1820333.com, 1
+1820334.com, 1
+1820335.com, 1
+1820336.com, 1
+1820337.com, 1
+1820338.com, 1
+1820340.com, 1
+1820341.com, 1
+1820342.com, 1
+1820343.com, 1
+1820344.com, 1
+1820345.com, 1
+1820346.com, 1
+1820347.com, 1
+1820348.com, 1
+1820349.com, 1
+1820350.com, 1
+182wh.com, 1
+182zlong.com, 1
+1831365.com, 1
+1832365.com, 1
+1834365.com, 1
+1837365.com, 1
+183cm.tk, 1
+183zlong.com, 1
+184325.com, 1
+1844329061.rsc.cdn77.org, 1
+18521.com, 1
+185k8.com, 1
+186526.club, 1
+186526.xyz, 1
+186588.xyz, 1
+1869365.com, 0
+186ks.com, 1
+1876365.com, 0
+1876996.com, 1
+18836.com, 1
+1888zr.com, 0
+188cn-sb.com, 1
+188da.com, 0
+188wei.com, 1
+189fc.com, 1
+18f.gov, 1
+18f.gsa.gov, 1
+18kit.com, 1
+18onlypixel.com, 1
+18onlypixels.com, 1
+18pee.com, 1
+18pioners.tk, 1
+18teensporn.pro, 1
+18upchat.com, 1
+18vr.com, 1
+1911trust.com, 1
+1912x.com, 1
+1920.tk, 1
+1920301.com, 1
+1920302.com, 1
+1920303.com, 1
+1920304.com, 1
+1920305.com, 1
+192080.com, 1
+19216811-sifre.com, 1
+19216811.mobi, 1
+192168ll.repair, 1
+1921958389.rsc.cdn77.org, 1
+1926lesoleil.com, 1
+1939365.com, 1
+1941-45.ru, 1
+1965.ml, 1
+196flavors.com, 1
+19770620.xyz, 1
+1981365.com, 1
+1981612088.rsc.cdn77.org, 1
+1986ventures.ph, 1
+1989-bmw-e30-forsale-in-norcal.com, 1
+1989studio.tk, 1
+198wei.com, 1
+1990.ee, 1
+1994.io, 0
+1999.rs, 1
+19990bb.com, 1
+19990c.com, 1
+19990cc.com, 1
+19990d.com, 0
+19990dd.com, 1
+19990e.com, 1
+19990ee.com, 1
+19990ff.com, 1
+19990g.com, 1
+19990gg.com, 1
+19990h.com, 1
+19990hh.com, 1
+19990i.com, 1
+19990ii.com, 1
+19990j.com, 1
+19990jj.com, 1
+19990kk.com, 1
+19990ll.com, 1
+19990m.com, 1
+19990mm.com, 1
+19990o.com, 1
+19990oo.com, 1
+19990p.com, 1
+19990q.com, 1
+19990r.com, 1
+19990rr.com, 1
+19990s.com, 1
+19990ss.com, 1
+19990tt.com, 1
+19990u.com, 1
+19990uu.com, 1
+19990v.com, 1
+19990vv.com, 1
+19990ww.com, 1
+19990x.com, 1
+19990xx.com, 1
+19990y.com, 1
+19990yy.com, 0
+19990zz.com, 1
+199ks.com, 1
+19area.cn, 1
+19hundert84.de, 1
+1a-diamantscheiben.de, 1
+1a-hyp.de, 1
+1a-media.com, 1
+1a-werkstattgeraete.de, 1
+1ab-machinery.com, 1
+1abcicka.ru, 1
+1adda.tk, 1
+1ae86.com, 1
+1ago.be, 1
+1ahyp.de, 1
+1allhosting.com, 1
+1android.de, 1
+1apple.com, 1
+1art.tk, 1
+1atelie.ru, 1
+1autoparts.com, 1
+1aweb.de, 1
+1b1.pl, 1
+1baks.tk, 1
+1bha7uk0.com, 1
+1bitcoinprice.com, 1
+1blazing.cf, 1
+1bps.eu.org, 1
+1bps.io, 1
+1brd.com, 1
+1breadcrumb.com, 1
+1breadcrumb.com.au, 1
+1c-power.ru, 1
+1cbit.ru, 1
+1chan.pl, 1
+1codex.online, 1
+1cover.co.nz, 1
+1cover.com.au, 1
+1cp.org, 1
+1cprosto.tk, 1
+1cswd.com, 1
+1d-lsd.shop, 1
+1datatec.com, 1
+1day.cc, 0
+1day1ac.red, 1
+1dispatch.com, 1
+1dollar.ml, 1
+1dollarwebsite.gq, 1
+1dot1dot1dot1.cf, 1
+1dt.ltd, 1
+1dv.link, 1
+1e9.nl, 1
+1eanda.com, 1
+1earn.com, 1
+1er-secours.ch, 0
+1f123.net, 1
+1f616emo.xyz, 1
+1fastcourse.com, 1
+1fc0.org, 1
+1fresh.com, 1
+1g.gg, 1
+1gp.us, 1
+1hc.be, 1
+1heart.tk, 1
+1heiz-pellets.de, 1
+1hfree.tk, 1
+1huiszoeken.nl, 1
+1ii.im, 1
+1it.click, 1
+1js.de, 1
+1kando.com, 0
+1kdui.com, 1
+1ki174.com, 1
+1kilise.com, 1
+1kilise.net, 1
+1kilise.org, 1
+1kmi.co, 1
+1kv.com.pl, 1
+1lc1.com, 0
+1ll.uk, 1
+1m.duckdns.org, 1
+1malaysian.tk, 1
+1masquepourtous.com, 1
+1me.cz, 1
+1mgt.ru, 1
+1montre.fr, 1
+1my.me, 1
+1naturalway.com, 1
+1nf.me, 1
+1nian.vip, 1
+1node.site, 1
+1nza.net, 1
+1on1on1.de, 1
+1on1on1.tv, 1
+1onehouse.com, 1
+1onestrong.com, 1
+1opochkah.ru, 1
+1p.cl, 1
+1p.ro, 0
+1pair.com, 1
+1panorama.ru, 1
+1para.net, 1
+1password.ca, 1
+1password.com, 1
+1password.community, 1
+1password.eu, 1
+1picture.hu, 1
+1plus.red, 1
+1pluss.ee, 1
+1profile.ru, 1
+1project.com, 1
+1pw.ca, 1
+1q2w.nl, 1
+1q365a.com, 1
+1r.is, 1
+1rs.nl, 1
+1rust.net, 1
+1sand0s.nl, 1
+1scope.com, 1
+1se.co, 0
+1se2or3.com, 1
+1secretaire.com, 1
+1serial.tv, 1
+1sociaaldomein.nl, 1
+1st-bounce.co.uk, 1
+1st-community.de, 1
+1st-online-academy.com, 1
+1st2bounce.com, 1
+1stav.dk, 1
+1stcalldfw.com, 1
+1stchoicelodging.com, 1
+1stchoicewaterproofing.com, 1
+1stclassbouncycastles.co.uk, 1
+1stclasschauffeurs.co.uk, 1
+1stforfun.co.uk, 1
+1stopfloor.com, 1
+1stpeninsulabouncers.co.uk, 1
+1strecipes.com, 1
+1ststop.co.uk, 1
+1sttix.org, 1
+1ticks.com, 1
+1tip.com, 1
+1tomplumber.com, 1
+1u0m.com, 1
+1up.it, 1
+1uptick.com, 1
+1v-lsd.eu, 1
+1v1.xyz, 1
+1v9.im, 1
+1v9.io, 1
+1voz.org, 1
+1vpns.com, 1
+1vs2.by, 1
+1way.faith, 1
+1whw.co.uk, 1
+1whw.uk, 1
+1wirelog.de, 1
+1x-00.com, 1
+1x-01.com, 1
+1x-04.com, 1
+1x-bet-co.com, 1
+1x-bet-ua.com, 1
+1x-bet-uz.com, 1
+1x-bet.com, 1
+1x-bet.ke, 1
+1x-bet2021.com, 1
+1x-bet93432.world, 1
+1x-betua.com, 1
+1x-bit.mobi, 1
+1x-kor.com, 1
+1x-korbet.com, 1
+1x-krbet.com, 1
+1x-mirrors.com, 1
+1x-th.com, 1
+1x1.re, 1
+1x2020.xyz, 1
+1x2betwinner.com, 1
+1x2magazine.eu, 1
+1x88.net, 1
+1xaja.com, 1
+1xb88.net, 1
+1xbenar.com, 1
+1xbet-015.com, 1
+1xbet-66669.top, 0
+1xbet-china.com, 1
+1xbet-ro.com, 1
+1xbet-s.com, 1
+1xbet-se.com, 1
+1xbet-sw.com, 1
+1xbet-uz.com, 1
+1xbet-viet.com, 1
+1xbet.ac, 1
+1xbet.ae, 1
+1xbet.af, 1
+1xbet.bo, 1
+1xbet.cd, 1
+1xbet.cg, 1
+1xbet.ci, 1
+1xbet.cm, 1
+1xbet.co.ke, 1
+1xbet.co.ls, 1
+1xbet.co.mu, 1
+1xbet.co.rw, 1
+1xbet.co.zw, 1
+1xbet.com, 1
+1xbet.com.gh, 1
+1xbet.com.gn, 1
+1xbet.com.mx, 1
+1xbet.com.na, 1
+1xbet.com.tw, 1
+1xbet.com.zm, 1
+1xbet.cr, 1
+1xbet.do, 1
+1xbet.ec, 1
+1xbet.fi, 1
+1xbet.games, 1
+1xbet.gd, 1
+1xbet.gf, 1
+1xbet.global, 1
+1xbet.gm, 1
+1xbet.go.ug, 1
+1xbet.gq, 1
+1xbet.gs, 1
+1xbet.gt, 1
+1xbet.gw, 1
+1xbet.hk, 1
+1xbet.hn, 1
+1xbet.ht, 1
+1xbet.in, 1
+1xbet.ke, 1
+1xbet.kz, 1
+1xbet.lat, 1
+1xbet.mg, 1
+1xbet.mq, 1
+1xbet.mw, 1
+1xbet.na, 1
+1xbet.ne.ug, 1
+1xbet.net.za, 1
+1xbet.ng, 1
+1xbet.nu, 1
+1xbet.org.mw, 1
+1xbet.org.na, 1
+1xbet.pe, 1
+1xbet.ph, 1
+1xbet.pk, 1
+1xbet.pn, 1
+1xbet.ps, 1
+1xbet.rw, 1
+1xbet.sb, 1
+1xbet.sc, 1
+1xbet.sc.ug, 1
+1xbet.sh, 1
+1xbet.sl, 1
+1xbet.sn, 1
+1xbet.sr, 1
+1xbet.tc, 1
+1xbet.td, 1
+1xbet.tj, 1
+1xbet.tl, 1
+1xbet.to, 1
+1xbet.ug, 1
+1xbet.vg, 1
+1xbet.vu, 1
+1xbet1.com, 1
+1xbet101.com, 1
+1xbet102.com, 1
+1xbet105.com, 1
+1xbet12.com, 1
+1xbet13.com, 1
+1xbet14.com, 1
+1xbet15.com, 1
+1xbet2.com, 1
+1xbet26.com, 1
+1xbet27.com, 1
+1xbet3.com, 1
+1xbet359348.top, 1
+1xbet36.com, 1
+1xbet4.com, 1
+1xbet50.com, 1
+1xbet6.com, 1
+1xbet7.com, 1
+1xbet733390.top, 0
+1xbet8.com, 1
+1xbet82.com, 1
+1xbet84.com, 1
+1xbet88.net, 1
+1xbet9.com, 1
+1xbetasia2018.com, 1
+1xbetasia2018.net, 1
+1xbetasia2018.space, 1
+1xbetbk16.com, 1
+1xbetbk17.com, 1
+1xbetbk2.com, 1
+1xbetbk4.com, 1
+1xbetbk6.com, 1
+1xbetbola.com, 1
+1xbetet.com, 1
+1xbetga.com, 1
+1xbethp.com, 1
+1xbetjap.com, 1
+1xbetkk.com, 1
+1xbetkor.com, 1
+1xbetkr.com, 1
+1xbetkr1.com, 1
+1xbetmm.com, 1
+1xbetqq.com, 1
+1xbetsd.com, 1
+1xbetst.com, 1
+1xbetsz.com, 1
+1xbettz.com, 1
+1xbetua.com, 1
+1xbit.com, 1
+1xbit1.com, 1
+1xbit4.com, 1
+1xbit5.com, 1
+1xbk.mobi, 1
+1xbkbet3.com, 1
+1xbkbet4.com, 1
+1xcinta.com, 1
+1xde.com, 1
+1xfast.com, 1
+1xfifa.com, 1
+1xgames.online, 1
+1xgokil.com, 1
+1xir-red.com, 1
+1xj.net, 1
+1xjago.com, 1
+1xjkt.com, 1
+1xjuara.com, 1
+1xmakati.com, 1
+1xmalaysia.com, 1
+1xmaubix.com, 1
+1xmenang.com, 1
+1xmob1pl.top, 1
+1xmobi.com, 1
+1xmyanmar.net, 1
+1xpartners.com, 1
+1xraja.com, 1
+1xraya.com, 1
+1xrindu.com, 1
+1xsinga.com, 1
+1xslot-ua.com, 1
+1xslot.casino, 1
+1xslot.space, 1
+1xslot2.xyz, 1
+1xslot3.com, 1
+1xslot6.xyz, 1
+1xslot7.xyz, 1
+1xslot76161.com, 1
+1xslotpartners.com, 1
+1xslotspartners.com, 1
+1xsport.mobi, 1
+1xspport.mobi, 1
+1xstavka.ru, 1
+1xsukan.com, 1
+1xsultan.com, 1
+1xsultanah.com, 1
+1xtranslate.com, 1
+1xvhy.xyz, 1
+1zagon.tk, 1
+1zavse.si, 1
+1zwolle.nl, 1
+2-ae.com, 1
+2-euromuenzen.de, 1
+2-faktor-betaling.dk, 1
+2.pe, 1
+2.wtf, 1
+20-jahre-auslandsdienst.tk, 1
+200.ee, 1
+200.network, 1
+2000.is, 1
+2000feet.tk, 1
+2000meter.no, 0
+2001y.me, 0
+200201.xyz, 1
+2007-g8.tk, 1
+20071019780415.com, 1
+2007nea.tk, 1
+200fcw.com, 1
+200mmx.net, 1
+200pppp.com, 1
+2012review.tk, 1
+2013review.tk, 1
+20140301.xyz, 1
+2015review.tk, 1
+2016.ga, 1
+2016.tk, 1
+2018-frisuren.tk, 1
+2018.wales, 1
+2018fifaworldcup.tk, 1
+2020cadillac.com, 1
+2020spaces.com, 1
+2021.dog, 1
+2021bleibtsernst.at, 1
+2022.dog, 1
+20220228.xyz, 1
+2022class1.ga, 1
+202jj.com, 0
+2030404.com, 1
+2030411.com, 1
+2033002.com, 1
+2033003.com, 1
+2033004.com, 1
+2033005.com, 1
+2033006.com, 1
+2033007.com, 1
+2033008.com, 1
+2033009.com, 1
+2033010.com, 1
+2033011.com, 1
+2033a.com, 1
+2033c.com, 1
+2033z.com, 1
+203700.com, 1
+204504byse.info, 1
+2048-spiel.de, 1
+207169.com, 1
+207708.com, 1
+208.es, 1
+2083236893.com, 1
+208930.com, 1
+208garfield.com, 1
+208medical.org, 1
+20at.com, 1
+20denier.com, 1
+20four7va.com, 1
+20gg.de, 1
+20plus.com, 1
+20sights.tk, 1
+21-school.ru, 1
+21.co.uk, 1
+2113.ch, 1
+2132vip.com, 1
+2137.eu, 1
+2138vip.com, 0
+213k8.com, 1
+21566365.com, 0
+215advisors.com, 0
+2182am.com, 1
+218strand.com, 1
+21ce.com, 1
+21domain.com, 1
+21done.ph, 1
+21eb.com, 1
+21er.com, 1
+21expo.com, 1
+21football.com, 1
+21god.com, 1
+21gou.com, 1
+21green.com, 1
+21jobs.com, 1
+21kampus.com, 1
+21lab.co, 1
+21love.com, 1
+21nurse.com, 1
+21ol.com, 1
+21photo.com, 1
+21risk.com, 0
+21run.com, 0
+21soccer.com, 1
+21stcenturycarpentry.com.au, 1
+21stcenturyoptics.com, 1
+21stnc.us, 1
+21tax.com, 1
+21up.com, 1
+21venture.com, 1
+22-bets.org, 1
+22007apply.gov, 1
+220220.de, 1
+220control.ru, 1
+2211.cf, 1
+22168365.com, 1
+221791.com, 1
+221b.store, 1
+222001.com, 1
+222138vip.com, 1
+222321365.com, 0
+2226321.com, 1
+2227552.com, 1
+222aicai.com, 1
+222bet86.com, 1
+222tips.com, 1
+223742.com, 1
+225225.jp, 1
+2255motion.com, 1
+225950.com, 1
+2264707.ru, 1
+2277bet.com, 1
+228668.com, 1
+2288422.com, 1
+2288499.com, 1
+22884a.com, 0
+22884b.com, 0
+22884c.com, 0
+22884d.com, 0
+22884e.com, 0
+22884f.com, 0
+22884g.com, 0
+22884h.com, 0
+2299411.com, 1
+2299422.com, 1
+2299433.com, 1
+2299455.com, 1
+2299466.com, 1
+2299477.com, 1
+2299488.com, 1
+22b58.com, 1
+22bet-top.com, 1
+22bet.co.ke, 1
+22bet.com, 1
+22bet.ng, 1
+22bet86.com, 1
+22betglobal.com, 1
+22betpartners.com, 1
+22bets.me, 1
+22ccaa.com, 1
+22d.io, 1
+22delta.com, 1
+22emesiecle.com, 1
+22ffaaa.com, 1
+22ffbbb.com, 1
+22ffccc.com, 1
+22ffddd.com, 1
+22ffeee.com, 1
+22fffaa.com, 1
+22fffbb.com, 1
+22fffcc.com, 1
+22fffdd.com, 1
+22fffee.com, 1
+22fffgg.com, 1
+22fffhh.com, 1
+22fffii.com, 1
+22fffjj.com, 1
+22fffkk.com, 1
+22fffll.com, 1
+22fffmm.com, 1
+22fffnn.com, 1
+22fffoo.com, 1
+22fffpp.com, 1
+22fffqq.com, 1
+22fffrr.com, 1
+22fffss.com, 1
+22ffftt.com, 1
+22fffuu.com, 1
+22fffvv.com, 1
+22fffww.com, 1
+22fffxx.com, 1
+22fffyy.com, 1
+22fffzz.com, 1
+22ffggg.com, 1
+22ffhhh.com, 1
+22ffiii.com, 1
+22ffjjj.com, 1
+22ffkkk.com, 1
+22fflll.com, 1
+22ffmmm.com, 1
+22ffnnn.com, 1
+22ffooo.com, 1
+22ffppp.com, 1
+22ffqqq.com, 1
+22ffrrr.com, 1
+22ffsss.com, 1
+22ffttt.com, 1
+22ffuuu.com, 1
+22ffvvv.com, 1
+22ffwww.com, 1
+22ffxxx.com, 1
+22ffyyy.com, 1
+22ffzzz.com, 1
+22hd.ru, 1
+22i.co.uk, 1
+22lc8.com, 0
+22momo.com, 1
+22nd.com, 0
+22ndcircuitil.gov, 1
+22ssbb.com, 1
+22ssjj.com, 1
+22sskk.com, 1
+22sstt.com, 1
+22tete.com, 1
+22times.com, 1
+22ttgg.com, 1
+22vetter.st, 1
+22xxjj.com, 1
+22xxyy.com, 1
+22yybb.com, 1
+22yydd.com, 1
+22yyii.com, 1
+22yyjj.com, 1
+22yykk.com, 1
+22yypp.com, 1
+22yyqq.com, 1
+22yyrr.com, 1
+22yyss.com, 1
+22yytt.com, 1
+22zt.com, 1
+230beats.com, 1
+232192.com, 1
+233.be, 1
+233.land, 1
+233.services, 1
+2333.press, 1
+233333.ga, 1
+233356.xyz, 0
+2333blog.com, 1
+2333boy.com, 1
+2333hub.com, 1
+2333z6.com, 1
+23365t.com, 1
+233abc.com, 0
+233blog.com, 1
+233boy.com, 1
+233boy.net, 1
+233boy.org, 1
+233hub.com, 1
+233hub.net, 1
+233hub.org, 1
+233hugo.com, 1
+233image.land, 1
+233leyuan.top, 1
+233ss.net, 1
+233try.com, 1
+233v2.com, 1
+233vps.com, 1
+234.fi, 1
+2340365.com, 0
+2345.lgbt, 1
+2345666365.com, 0
+2345678365.com, 1
+23456789365.com, 0
+2346321.com, 1
+2347porthcawlatc.tk, 1
+235u.net, 1
+236530.com, 1
+236560.com, 1
+236570.com, 1
+23andme.com, 1
+23andme.io, 1
+23ks.app, 1
+24-7.fi, 1
+24-7.jp, 1
+24-7intouch.com, 1
+24-restore.com, 1
+240525.com, 1
+240786.com, 1
+241552.com, 1
+242552.com, 1
+242846.com, 1
+243581.com, 1
+2444.cf, 1
+244821.com, 1
+245990.xyz, 1
+245meadowvistaway.com, 0
+246060.ru, 1
+247a.co.uk, 1
+247able.com, 1
+247analsex.com, 1
+247asiansex.com, 1
+247bar.fr, 1
+247bigboobs.com, 1
+247butts.com, 1
+247cumshots.com, 1
+247dns.net, 1
+247healthshop.com, 1
+247maturesex.com, 1
+247medplan.com, 1
+247megamart.com.au, 1
+247naijabuzz.com, 1
+247vision.com, 1
+247xchanger.com, 1
+248000.xyz, 1
+24848168.com, 0
+24848188.com, 0
+24848588.com, 0
+24848918.com, 0
+24848966.com, 0
+24848988.com, 0
+24848a.vip, 1
+24848b.vip, 1
+24848c.vip, 1
+24848d.vip, 1
+24848e.vip, 0
+24848h.vip, 0
+24848rr.com, 0
+24848v.vip, 0
+24848w.vip, 0
+24848x.vip, 0
+24848y.vip, 0
+24848z.vip, 0
+248663.com, 1
+2495dentalimplants.com, 1
+249722.com, 1
+249cq.com, 1
+24action.com, 1
+24active.com, 1
+24alarm.com, 1
+24ball.com, 1
+24beauty.com, 1
+24bel.ru, 0
+24chance.tk, 1
+24control.com, 1
+24fair.com, 1
+24fan.com, 1
+24gazette.ga, 1
+24gis.com, 1
+24go.me, 1
+24h.com.br, 0
+24hod.com, 1
+24hour-locksmithsanantonio.com, 1
+24hourcyclist.co.uk, 1
+24hourlocksmithdallastx.com, 1
+24hourlocksmithspring.com, 1
+24hourscienceprojects.com, 1
+24hrbrandbash.com, 1
+24images.com, 1
+24k.co.jp, 1
+24livene.com, 1
+24london.com, 1
+24meg.com, 1
+24monitor.com, 1
+24onlain.tk, 1
+24read.com, 1
+24see.com, 1
+24share.com, 1
+24slides.com, 1
+24slot.com, 1
+24status.com, 1
+24vod.com, 1
+24webservice.nl, 1
+24x7aircargoservices.co.in, 1
+2500.cf, 1
+2502.net, 1
+250708.com, 1
+2525admin.nl, 1
+253007.com, 1
+253325.com, 1
+254vc.ml, 1
+2555z6.com, 1
+256br.com, 1
+256k.me, 1
+258management.cf, 1
+258management.ga, 1
+258management.ml, 1
+259454.com, 1
+259885.com, 1
+25api.com, 1
+25lotto.co.ke, 1
+25lotto.com, 1
+25may.tk, 1
+25oclock.com, 1
+25percent.me, 1
+25refer.tk, 1
+25reinyan25.net, 1
+2600edinburgh.org, 1
+2600hq.com, 1
+2601.de, 1
+260150.com, 1
+262569.com, 1
+263email.com, 1
+263mail.com, 1
+267326.com, 1
+269196.com, 1
+2698pacificave.com, 1
+26bbc.com, 1
+26ck.com, 1
+26uuu.mobi, 1
+26uuu.us, 1
+27.gay, 1
+27000.best, 1
+271624.com, 1
+2718282.net, 1
+272live.com, 1
+275004.com, 1
+275763.com, 1
+27726.eu, 1
+27728522.com, 1
+277z6.com, 1
+27lx.me, 1
+27skycake.com, 1
+28-industries.com, 1
+280.social, 1
+281180.de, 1
+281ks.com, 1
+282ks.com, 1
+283228.com, 1
+28359.eu, 1
+28365cn-365.com, 1
+283928.com, 1
+28428.com, 0
+284365.com, 1
+285128.com, 1
+287628.com, 1
+2881dh.com, 1
+288628.com, 0
+28865.de, 1
+28865.eu, 1
+288cn-563.com, 1
+288game.net, 1
+2890.ltd, 1
+289728.com, 1
+28spots.net, 1
+291167.xyz, 1
+2912.nl, 1
+293685.com, 1
+2948.ca, 1
+297computers.com, 1
+2991236.com, 1
+299zzz.com, 1
+29a.ch, 1
+29dejuniode1997.tk, 1
+29zw.com, 1
+2ae86.com, 1
+2b2b.pro, 1
+2b2t.fi, 1
+2bas.nl, 1
+2bcompany.ch, 0
+2bet86.com, 1
+2bis10.de, 1
+2bitboer.com, 1
+2bitout.com, 1
+2blazing.cf, 1
+2bu2t.online, 1
+2bu2t.ru, 1
+2buldzha2t.ru, 1
+2business.ml, 1
+2c-b.com, 1
+2c-d.com, 1
+2c-e.com, 1
+2c-t-2.com, 1
+2c-t-7.com, 1
+2c-t-8.com, 1
+2c.lol, 1
+2cars.com, 1
+2cat.cc, 1
+2cb.rocks, 1
+2chan.eu, 1
+2chan.jp, 1
+2chi1.com, 1
+2choose.com, 1
+2class.eu.org, 1
+2cv-co.be, 1
+2cvclubdepicardie.tk, 1
+2daysmood.asia, 1
+2daysmood.eu, 1
+2daysmood.nl, 1
+2daysmood.us, 1
+2diets.ru, 1
+2dk.info, 1
+2dns.com, 1
+2driver-ok.ml, 1
+2earn-online.com, 0
+2fa.directory, 1
+2finish.com, 1
+2fm.ie, 1
+2fm.radio, 1
+2fr3.com, 1
+2fraud.pro, 1
+2free.com, 1
+2g1s.net, 1
+2gallery.com, 1
+2gen.com, 1
+2gether.fr, 1
+2gisparser.tk, 1
+2gmedia.de, 1
+2h-nagoya.org, 1
+2habc.com, 1
+2head.com, 1
+2heartsbookings.co.uk, 1
+2hypeenterprises.com, 1
+2img.net, 1
+2impact.com, 1
+2innovateit.com, 0
+2insights.com, 1
+2isk.in, 1
+2jhb.com, 1
+2jtech.net, 1
+2k2solutions.com, 1
+2k7.link, 1
+2kgwf.fi, 1
+2kinds.tk, 1
+2krueger.de, 1
+2ladd.com, 1
+2lafel.ro, 1
+2learncomputing.ga, 1
+2learncomputing.ml, 1
+2li.ch, 1
+2link.ga, 1
+2logical.net, 1
+2manydits.com, 1
+2manydots.nl, 1
+2mb.solutions, 1
+2mfitnessduo.com, 1
+2milebridge.com, 1
+2mileservice.com, 1
+2mir.com, 1
+2mkz.eu, 1
+2mp.ca, 1
+2nains.ch, 0
+2ndface.info, 1
+2ndmileservice.com, 1
+2ndtivertonscouts.tk, 1
+2nerds1bit.com, 1
+2nimpresores.es, 1
+2nodez.com, 1
+2of.me, 1
+2one.one, 1
+2or3.tk, 1
+2pi.finance, 1
+2pi.network, 1
+2rsc.com, 1
+2rsc.net, 1
+2sendai.net, 1
+2serious.com, 1
+2steel.com, 1
+2stv.net, 0
+2target.com, 1
+2tausend19.de, 1
+2th.me, 1
+2think.org, 1
+2travel8.world, 1
+2url.link, 1
+2ustyle.com, 1
+2value.com, 1
+2vnews.com, 1
+2vp-an.online, 1
+2wheel.com, 0
+2x.nu, 1
+2xgraphik.com, 1
+2y.fi, 1
+2y3x.com, 1
+2yar.tk, 1
+2yy.nl, 1
+3-ae.com, 1
+3.sb, 1
+30-v-minutu.ml, 1
+3000security.co.uk, 1
+30019cc.com, 1
+3007337.com, 1
+300jjjj.com, 1
+300m.com, 1
+301.moe, 1
+301.one, 0
+301.sh, 1
+301.technology, 1
+301334.com, 1
+30375500.com, 1
+30375533.com, 1
+3056999.com, 1
+305westendassistedliving.com, 1
+3078i.com, 0
+308274.com, 1
+3090.eu, 1
+30bet365.com, 1
+30daystosoc.com, 1
+30deagosto.tk, 1
+30for30podcasts.com, 1
+30minut.com, 1
+30nama1.tk, 1
+30region.tk, 1
+30ta.com, 1
+31-elagage.fr, 1
+31.to, 1
+3100.cf, 1
+3133bet.com, 1
+313xpj.com, 0
+314257.com, 1
+314553.com, 1
+315422.com, 1
+315xpj.com, 0
+317811111.com, 0
+317822222.com, 0
+31783333.com, 1
+317833333.com, 0
+317844444.com, 0
+317855555.com, 0
+31786666.com, 0
+317866666.com, 0
+3178666666.com, 1
+317877777.com, 0
+3178888888.com, 1
+31789999.com, 0
+317899999.com, 0
+3178b.com, 0
+3178c.com, 0
+3178dd.com, 1
+3178e.com, 0
+3178f.com, 0
+3178g.com, 0
+3178h.com, 0
+3178i.com, 0
+3178l.com, 0
+3178m.com, 0
+3178n.com, 0
+3178o.com, 0
+3178p.com, 0
+3178ppp.com, 0
+3178qqq.com, 0
+3178rrr.com, 0
+3178tt.com, 0
+3178ttt.com, 0
+3178uuu.com, 0
+3178vvv.com, 0
+3178ww.com, 0
+3178www.com, 0
+3178xx.com, 0
+3178xxx.com, 0
+3178yy.com, 0
+3178yyy.com, 1
+3178zzz.com, 0
+319064.com, 1
+319k3.com, 1
+319xpj.com, 1
+31fss.marketing, 1
+31fss.net, 1
+31fss.support, 1
+320281.net, 1
+321132.com, 0
+321666365.com, 1
+321live.nl, 1
+3233bet.com, 1
+323kkk.com, 1
+325fss.marketing, 1
+326243.com, 1
+3265623.com, 1
+32bet365.com, 1
+32bit.com.tr, 1
+32h.de, 1
+32kk.edu.ee, 1
+33-couvreur.fr, 1
+33-km.ru, 1
+3306.io, 1
+33132.com, 1
+33138app.com, 0
+33138vip.com, 1
+33168365.com, 1
+331977.com, 0
+3332444.com, 0
+333321365.com, 0
+3333365t.com, 1
+333365t.com, 1
+3333ylc.cc, 1
+3336321.com, 1
+333aicai.com, 1
+333bet86.com, 1
+333capital.com, 1
+333capital.com.au, 1
+33445111.com, 1
+33445222.com, 1
+33445444.com, 1
+335a.cc, 0
+336yh.com, 1
+3389p.com, 1
+338da.com, 1
+338sa.com, 1
+339999.top, 1
+33acac.com, 1
+33b58.com, 1
+33devici.ml, 1
+33ffaaa.com, 1
+33ffbbb.com, 1
+33ffccc.com, 1
+33ffddd.com, 1
+33ffeee.com, 1
+33fffaa.com, 1
+33fffbb.com, 1
+33fffcc.com, 1
+33fffdd.com, 1
+33fffee.com, 1
+33fffgg.com, 1
+33fffhh.com, 1
+33fffii.com, 1
+33fffjj.com, 1
+33fffkk.com, 1
+33fffll.com, 1
+33fffmm.com, 1
+33fffnn.com, 1
+33fffoo.com, 1
+33fffpp.com, 1
+33fffqq.com, 1
+33fffrr.com, 1
+33fffss.com, 1
+33ffftt.com, 1
+33fffuu.com, 1
+33fffvv.com, 1
+33fffww.com, 1
+33fffxx.com, 1
+33fffyy.com, 1
+33fffzz.com, 1
+33ffggg.com, 1
+33ffhhh.com, 1
+33ffiii.com, 1
+33ffjjj.com, 1
+33ffkkk.com, 1
+33fflll.com, 1
+33ffmmm.com, 1
+33ffnnn.com, 1
+33ffooo.com, 1
+33ffppp.com, 1
+33ffqqq.com, 1
+33ffrrr.com, 1
+33ffsss.com, 1
+33ffttt.com, 1
+33ffuuu.com, 1
+33ffvvv.com, 1
+33ffwww.com, 1
+33ffxxx.com, 1
+33ffyyy.com, 1
+33ffzzz.com, 1
+33knkn.com, 1
+33zv.com, 0
+33zxzx.com, 1
+3400.cf, 1
+342960.com, 1
+3433bet.com, 1
+34365t.com, 1
+3444.cf, 1
+34536565.com, 0
+3455bet.com, 1
+345666365.com, 0
+3456666365.com, 0
+345678365.com, 1
+3456789365.com, 1
+3466bet.com, 1
+3473-wiki.de, 1
+347552.com, 1
+3477bet.com, 1
+348663.com, 1
+34bg.com, 1
+34ja.com, 1
+34jw.com, 1
+34metiza.ru, 1
+34nh.com, 1
+34nj.com, 1
+350.org, 1
+35089y.com, 1
+351079.com, 1
+351365.com, 0
+3539783.com, 1
+3555500.com, 1
+3559365.com, 1
+355fss.com, 1
+356338.com, 1
+356338a.com, 1
+356338b.com, 1
+357601.com, 1
+35898a.com, 1
+35898b.com, 1
+35898c.com, 1
+35898d.com, 1
+35898e.com, 1
+35898f.com, 1
+35898g.com, 1
+35898h.com, 1
+35898j.com, 1
+35898k.com, 1
+35898m.com, 1
+35898s.com, 1
+35898w.com, 1
+35898x.com, 1
+35898y.com, 1
+35mm.im, 1
+35uj.com, 1
+35wsolutions.com, 1
+360-ot.de, 1
+3602020.xyz, 1
+360365.com, 1
+360bcty.com, 1
+360cycling.com.br, 1
+360degreecloud.com, 1
+360dental.com, 1
+360dialog.com, 1
+360e-commerce.de, 1
+360e-commerce.net, 1
+360ecogroup.com, 0
+360ecommerce.de, 1
+360ecommerce.net, 1
+360faces.com, 1
+360fcu.org, 1
+360gradus.com, 0
+360hosting.com.au, 1
+360islam.com, 1
+360kuvia.fi, 1
+360now.com, 1
+360organic.com, 1
+360primeview.ie, 1
+360prokuvat.fi, 1
+360rail.nl, 1
+360spider.com, 1
+360system.com, 1
+360tr.com, 1
+360trust.com, 1
+360videoshare.com, 1
+360vrs.com, 1
+361116.com, 1
+3615jacky.fr, 1
+364553.com, 1
+365.systems, 1
+36506088.com, 1
+36506099.com, 1
+3651145.com, 1
+3651147.com, 1
+3651149.com, 1
+3651201.com, 1
+3651202.com, 1
+3651203.com, 1
+3651204.com, 1
+3651205.com, 1
+3651267.com, 0
+3652389.com, 0
+36525.hk, 1
+36533c.com, 1
+36533d.com, 1
+36533e.com, 1
+36533f.com, 1
+36533h.com, 1
+36533i.com, 1
+36533j.com, 1
+36533k.com, 1
+36533l.com, 1
+36533m.com, 1
+36533n.com, 1
+36533o.com, 1
+36533r.com, 1
+36533s.com, 1
+36533t.com, 1
+36533u.com, 1
+365365.com, 1
+3653650000.com, 0
+3653651111.com, 1
+36536533.vip, 0
+3653654444.com, 1
+36536555.vip, 0
+36536566.vip, 0
+36536588.vip, 0
+36536599.vip, 0
+3655053.com, 1
+36554ll.com, 0
+3655612.com, 0
+3655623.com, 0
+3655634.com, 0
+3655645.com, 0
+365600dl.com, 1
+36565123.com, 0
+36565234.com, 0
+36565345.com, 0
+365654321.com, 0
+36565456.com, 0
+36565567.com, 0
+36565678.com, 1
+36565789.com, 0
+36565b.com, 1
+36565f.com, 0
+3656701.com, 0
+3656712.com, 0
+3656723.com, 0
+3656734.com, 0
+3656745.com, 0
+3656778.com, 0
+36587654321.com, 1
+365886.com, 1
+3658887654.com, 0
+36594a.com, 1
+36594b.com, 1
+36594c.com, 1
+3659868.com, 1
+3659869.com, 1
+3659980.com, 1
+365a1.com, 0
+365air.com, 1
+365beautyworld.com, 1
+365blog.com, 1
+365canvas.com, 1
+365check.com, 1
+365clo.com, 1
+365cn-288.com, 1
+365coupon.com, 1
+365eib.com, 1
+365eif.com, 1
+365eil.com, 1
+365eiq.com, 1
+365eis.com, 1
+365eiv.com, 1
+365eiw.com, 1
+365fast.com, 1
+365healthworld.com, 1
+365iosapp.com, 0
+365labs.cloud, 1
+365nnnn.com, 0
+365pet.com, 1
+365proxy.com, 1
+365q01.com, 1
+365r.co, 0
+365renovations.com, 1
+365sb-cn.com, 1
+365skulls.com, 1
+365vision.com, 1
+365y0.com, 0
+365y00.com, 0
+365y11.com, 0
+365y2.com, 0
+365y22.com, 0
+365y3.com, 0
+365y33.com, 1
+365y5.com, 0
+365y55.com, 0
+365y6.com, 0
+365y66.com, 0
+365y7.com, 0
+365y77.com, 0
+365y9.com, 0
+365y99.com, 0
+365yapan.com, 1
+365ypw.com, 1
+365zg.org, 1
+369369.xyz, 1
+369bin.com, 1
+369dp.com, 1
+369eq.com, 1
+369ex.com, 1
+369ra.com, 1
+369rr.com, 1
+36ga.com, 1
+36ja.com, 1
+36jn.com, 1
+36kn.com, 1
+36ky.com, 1
+36pd.com, 1
+36pg.com, 1
+36xk.com, 1
+36xn.com, 1
+36yf.com, 1
+370385.com, 1
+371437.com, 1
+371cloud.com, 0
+372bbb.com, 1
+373.moe, 1
+374161.com, 1
+375337.com, 1
+375575.xyz, 1
+375realty.com, 1
+377625.com, 1
+377632.com, 1
+377837.com, 1
+377854.com, 1
+377ks.com, 1
+377zzz.com, 1
+37889658.com, 0
+378901.com, 1
+378902.com, 1
+379237.com, 1
+379437.com, 1
+379637.com, 1
+379700.com, 1
+379737.com, 1
+3798.com, 0
+37987.com, 1
+37987d.com, 1
+37987e.com, 0
+37987f.com, 0
+379efss.com, 1
+37zk.com, 1
+37zw.com, 1
+3800.cf, 1
+380111000.com, 1
+380111777.com, 1
+380222444.com, 0
+380805.com, 1
+38138938.com, 1
+38317.tk, 1
+3837k.com, 0
+3837x.com, 0
+383838.plus, 1
+3839.ca, 1
+383aaa.com, 1
+384854.com, 1
+385833.com, 1
+3880p.com, 1
+38888msc.com, 1
+388da.com, 1
+38irkutsk.tk, 1
+390539.com, 1
+390trains.com, 1
+391231.com, 1
+392365.com, 0
+393335.ml, 0
+394553.com, 1
+3957b.com, 1
+3957d.com, 1
+3957g.com, 1
+396228.com, 0
+396301.com, 0
+396303.com, 0
+396304.com, 0
+396305.com, 0
+3963bb.com, 1
+3963cc.com, 0
+3963dd.com, 0
+396539.com, 1
+397039.com, 1
+3970a.com, 1
+3970aa.com, 1
+3970abc.com, 1
+3970b.com, 1
+3970bb.com, 1
+3970cc.com, 1
+3970ccc.com, 1
+3970d.com, 1
+3970dd.com, 1
+3970f.com, 1
+3970fa.com, 1
+3970ff.com, 1
+3970g.com, 1
+3970gg.com, 1
+3970go.com, 1
+3970h.com, 1
+3970hh.com, 1
+3970ii.com, 1
+3970j.com, 1
+3970jj.com, 1
+3970ku.com, 1
+3970l.com, 1
+3970ll.com, 1
+3970mm.com, 1
+3970n.com, 1
+3970o.com, 1
+3970oo.com, 1
+3970p.com, 1
+3970pp.com, 1
+3970q.com, 1
+3970qq.com, 1
+3970r.com, 1
+3970ss.com, 1
+3970tt.com, 1
+3970u.com, 1
+3970uu.com, 1
+3970v.com, 1
+3970vv.com, 1
+3970w.com, 1
+3970win.com, 1
+3970ww.com, 1
+3970xx.com, 1
+3970y.com, 1
+3970yes.com, 1
+3970ylc.com, 1
+3970yy.com, 1
+3970z.com, 1
+3970zz.com, 1
+397542.com, 1
+398039.com, 1
+39news.tk, 1
+39sihu.com, 0
+39w66.com, 1
+3aa365.com, 1
+3abnstore.com, 1
+3accounts.ml, 1
+3ae86.com, 1
+3aexpert.com.ua, 1
+3ags.de, 1
+3ameldaw.ml, 1
+3amtoolbox.se, 1
+3arena.ie, 1
+3b-concept.fr, 1
+3b.pm, 1
+3bb365.com, 1
+3bet86.com, 1
+3bigking.com, 1
+3blazing.cf, 1
+3candy.com, 1
+3cbalance.pl, 1
+3cc365.com, 1
+3changtrai.com, 1
+3countiescastlehire.co.uk, 1
+3creation.com, 1
+3cs.ch, 0
+3ct.group, 1
+3cup90.com, 1
+3d-animator.net, 1
+3d-glow.de, 1
+3d-station.fr, 1
+3d47.com, 1
+3dadvance.fr, 1
+3dall.ro, 1
+3danimation.tk, 1
+3dapartment.com, 1
+3dc9.jp, 1
+3dcaipiao.com, 1
+3dcollective.es, 1
+3dcopy.com, 1
+3dd365.com, 1
+3degreedesign.co.uk, 1
+3deni.com, 1
+3dexpose.tk, 1
+3dfeel.com, 1
+3dfiguur.nl, 0
+3dflat.tk, 1
+3dflipbook.net, 1
+3dgep.com, 1
+3dinosaurs.com, 1
+3dissue.com, 1
+3djapan.com, 1
+3djava.ml, 1
+3dlab.team, 1
+3dlan.com, 1
+3dm.audio, 1
+3dmedium.de, 1
+3dmetalprinting.tk, 1
+3dmili.com, 1
+3dmusiclab.nl, 1
+3dnovedades.com, 0
+3do3dont.com, 1
+3down.com, 1
+3dprintedobjects.be, 1
+3dprintsondemand.eu, 1
+3dranger.com, 1
+3dreal.tk, 1
+3ds-max.org, 1
+3dscanners.co.uk, 1
+3dshards.com, 1
+3dsites.tk, 1
+3dstandard.com, 1
+3dstore.dk, 1
+3dsupplies.be, 1
+3dtech.pt, 1
+3dvf.com, 1
+3dvisual.studio, 1
+3dzip.org, 1
+3ecpa.com.hk, 1
+3ecpa.com.my, 1
+3ecpa.com.sg, 1
+3ee365.com, 1
+3einfrastructure.com, 1
+3elife.vn, 0
+3em1.pt, 1
+3eyonetim.com, 1
+3ff365.com, 1
+3foto.at, 1
+3g-bandet.tk, 1
+3gdev.com, 1
+3gdu.tk, 1
+3gg365.com, 1
+3h-co.de, 1
+3haeuserprojekt.org, 1
+3haueserprojekt.org, 1
+3hh365.com, 1
+3huan.com, 1
+3i-infotech.com, 1
+3ieimpact.org, 1
+3ii365.com, 1
+3isk.today, 1
+3james.com, 1
+3jj365.com, 1
+3ks.pl, 1
+3link.com, 1
+3links.com, 1
+3lmnyblogger.ga, 1
+3logic.ru, 1
+3lot.ru, 1
+3marilynthemedia.cf, 1
+3mediaweb.com, 1
+3mind-solutions.com, 1
+3ml.org.uk, 0
+3moorcrescent.online, 1
+3ne.fun, 1
+3newsnow.com, 1
+3nickels.com, 1
+3niu007.com, 1
+3niu010.com, 1
+3niu100.com, 1
+3niu111.com, 1
+3niu126.com, 1
+3niu161.com, 1
+3niu1688.com, 1
+3niu178.com, 1
+3niu186.com, 1
+3niu222.com, 1
+3niu226.com, 1
+3niu282.com, 1
+3niu333.com, 1
+3niu353.com, 1
+3niu388.com, 1
+3niu505.com, 1
+3niu568.com, 1
+3niu57.com, 1
+3niu58.com, 1
+3niu588.com, 1
+3niu599.com, 1
+3niu636.com, 1
+3niu64.com, 1
+3niu66.com, 1
+3niu666.com, 1
+3niu6666.com, 1
+3niu668.com, 1
+3niu67.com, 1
+3niu686.com, 1
+3niu699.com, 1
+3niu72.com, 1
+3niu727.com, 1
+3niu768.com, 1
+3niu770.com, 1
+3niu771.com, 1
+3niu777.com, 1
+3niu7777.com, 1
+3niu855.com, 1
+3niu868.com, 1
+3niu880.com, 1
+3niu885.com, 1
+3niu888.com, 1
+3niu89.com, 1
+3niu922.com, 1
+3niu99.com, 1
+3niusurl.com, 1
+3niuurls.com, 1
+3orod.ml, 1
+3os.ooo, 1
+3os.org, 1
+3pestki.org, 1
+3phase.pw, 1
+3pif.de, 1
+3pillarglobal.com, 1
+3plusdesign.gr, 1
+3pm.tw, 1
+3prn.com, 1
+3pro.ca, 1
+3proxy.org, 1
+3proxy.ru, 1
+3queens.cz, 1
+3queens.io, 1
+3r.co.nz, 1
+3r.org.uk, 1
+3rabsite.tk, 1
+3rd.fi, 1
+3rr0r.com, 1
+3rr0r.net, 1
+3rr0r.org, 1
+3s-datasolution.de, 1
+3s-datasolutions.de, 1
+3s-ddns.de, 1
+3s-dns.de, 1
+3s-hosting.de, 1
+3s-mail.de, 1
+3sa.aero, 1
+3scort.tk, 1
+3sd.it, 1
+3sdatasolution.de, 1
+3sdatasolutions.de, 1
+3sddns.de, 1
+3sdns.de, 1
+3shosting.de, 1
+3sisecurity.com, 1
+3sixtydutyfree.com, 1
+3smail.de, 1
+3speak.tv, 1
+3techjournal.cf, 1
+3tiers.xyz, 1
+3trees.tk, 1
+3u15.com, 1
+3v3s.tk, 1
+3v4l.org, 1
+3varta.com.ua, 0
+3vensen.no, 1
+3vlnaeet.cz, 1
+3w-solutions.fr, 1
+3we.org, 1
+3wid.com.br, 1
+3wideclub.com, 1
+3wincorp.com, 1
+3xx.click, 1
+3xx.link, 1
+3zm-cheats.de, 1
+3zm-hacks.de, 1
+3zm.de, 1
+3zzbet.com, 1
+4-0-4.ga, 1
+4-ae.com, 1
+4.com.ms, 1
+4.sb, 1
+4000milestare.com, 1
+4000ok.com, 1
+4000sf.com, 1
+40010monogatari.com, 1
+4005365.com, 1
+4008810.com, 1
+400yaahc.gov, 1
+401go.com, 1
+401ksite.com, 1
+4025360.com, 1
+4025361.com, 1
+4025362.com, 1
+4025363.com, 1
+4025364.com, 1
+4025365.com, 1
+4025366.com, 1
+4025367.com, 1
+4025368.com, 1
+4025369.com, 1
+403.ch, 1
+403page.com, 1
+404.blue, 0
+404.city, 1
+404.guide, 1
+404888.xyz, 1
+4048kkk.com, 1
+4048v.com, 1
+404group.tk, 1
+404notfound.com.br, 1
+408663.com, 1
+409564.com, 1
+40acts.org.uk, 1
+40anospaguemenos.com.br, 1
+40daysnutrition.com, 1
+40percentpapermache.com, 1
+4100.cf, 1
+41199.com, 1
+413504.com, 1
+4144bet.com, 1
+414553.com, 1
+414store.com, 1
+415.ai, 1
+4151365.com, 1
+418.im, 1
+418663.com, 1
+419213.com, 1
+419sport.tk, 1
+41southbar.com, 1
+420.nerdpol.ovh, 1
+420screen.com, 1
+420weedcenter.com, 1
+4222.cf, 1
+4233065.com, 1
+4233068.com, 1
+4233069.com, 1
+4233330.com, 1
+4233331.com, 1
+4233332.com, 1
+4233334.com, 1
+4233335.com, 1
+4233336.com, 1
+4233337.com, 1
+4233338.com, 1
+4233339.com, 1
+424102.com, 1
+4245pay.com, 1
+4251365.com, 0
+425degree.com, 1
+426773.com, 0
+428northampton.com, 1
+42bit.io, 1
+42ch.com, 1
+42day.info, 1
+42degrees.com, 1
+42entrepreneurs.fr, 0
+42fss.us, 1
+42gears.com, 1
+42l.fr, 1
+42t.ru, 1
+4305design.com.au, 0
+432666365.com, 1
+4333.cf, 1
+434365.com, 1
+4344bet.com, 1
+4345.me, 0
+4351365.com, 0
+436773.com, 1
+437348.com, 1
+437844.com, 1
+438663.com, 1
+439050.com, 1
+439182.com, 1
+43klive.com, 1
+44-k.com, 1
+440313.com, 1
+44168365.com, 1
+443.one, 0
+443.org, 1
+443658.com, 0
+44365t.com, 1
+443782.com, 1
+444321365.com, 0
+4444.com.tw, 1
+4447552.com, 1
+444aicai.com, 1
+444bet86.com, 1
+446072.com, 1
+44ada.pl, 1
+44bet86.com, 1
+44feelings.com, 1
+44ffaaa.com, 1
+44ffbbb.com, 1
+44ffccc.com, 1
+44ffddd.com, 1
+44ffeee.com, 1
+44fffaa.com, 1
+44fffbb.com, 1
+44fffcc.com, 1
+44fffdd.com, 1
+44fffee.com, 1
+44fffgg.com, 1
+44fffhh.com, 1
+44fffii.com, 1
+44fffjj.com, 1
+44fffkk.com, 1
+44fffll.com, 1
+44fffmm.com, 1
+44fffnn.com, 1
+44fffoo.com, 1
+44fffpp.com, 1
+44fffqq.com, 1
+44fffrr.com, 1
+44fffss.com, 1
+44ffftt.com, 1
+44fffuu.com, 1
+44fffvv.com, 1
+44fffww.com, 1
+44fffxx.com, 1
+44fffyy.com, 1
+44fffzz.com, 1
+44ffggg.com, 1
+44ffhhh.com, 1
+44ffiii.com, 1
+44ffjjj.com, 1
+44ffkkk.com, 1
+44fflll.com, 1
+44ffmmm.com, 1
+44ffnnn.com, 1
+44ffooo.com, 1
+44ffppp.com, 1
+44ffqqq.com, 1
+44ffrrr.com, 1
+44ffsss.com, 1
+44ffttt.com, 1
+44ffuuu.com, 1
+44ffvvv.com, 1
+44ffwww.com, 1
+44ffxxx.com, 1
+44ffyyy.com, 1
+44ffzzz.com, 1
+451.ooo, 1
+451365.com, 0
+452895.com, 1
+45365t.com, 1
+4544bet.com, 1
+4551365.com, 1
+4553.com, 1
+455327.com, 1
+455328.com, 1
+4553s.com, 1
+4553vip.com, 1
+455555.xyz, 1
+45636565.com, 1
+456365t.com, 1
+4566321.com, 1
+4567.plus, 1
+4567666365.com, 0
+4567989.com, 1
+457552.com, 1
+458663.com, 1
+45b.org, 1
+45min.ga, 1
+45secondes.fr, 1
+463855.com, 1
+4661049.com, 1
+467413.com, 1
+46bf.com, 1
+46bl.com, 1
+46fn.com, 1
+47.rs, 1
+476470.com, 1
+476773.com, 1
+47essays.com, 1
+47tech.com, 1
+47yr.com, 1
+480ptvseries.com, 1
+482449.com, 1
+483329.com, 1
+483610.com, 1
+48365365cn.com, 1
+48365cn-365.com, 1
+486662.xyz, 1
+486773.com, 1
+487511.com, 1
+487552.com, 1
+48coin.cf, 1
+48d88.com, 1
+48hr.com, 1
+48lipetsk.tk, 1
+48times.online, 1
+491783.com, 1
+491mhz.net, 1
+4927a.com, 0
+492977.com, 0
+492y.com, 0
+497552.com, 0
+49889.com, 1
+49948522.com, 1
+499ks.net, 1
+49ko.com, 1
+4ads.de, 1
+4ae86.com, 1
+4allpromos.com, 1
+4am.click, 1
+4armed.com, 1
+4b.gg, 1
+4baby.com.br, 1
+4beats.ml, 1
+4best.tk, 1
+4bet86.com, 1
+4bmt-vld.xyz, 1
+4budget.ga, 1
+4cavaleiros.com.br, 1
+4chairs.bg, 1
+4chan.com, 1
+4child.tk, 1
+4cloud.cf, 1
+4creative.net, 1
+4cut.tk, 1
+4d2.xyz, 1
+4daagse.nl, 1
+4dbuild.net, 1
+4dclub.com, 1
+4devs.com.br, 1
+4digital.it, 1
+4digitiq.nl, 1
+4dillusion.tk, 1
+4dimension.net, 1
+4dplay.com, 1
+4dsignworx.com, 1
+4dstyle.com, 1
+4e8.net, 1
+4everdosti.tk, 1
+4everproxy.com, 1
+4exchange.ru, 1
+4filtre.com, 1
+4filtre.com.tr, 1
+4fit.ro, 1
+4flex.info, 1
+4freepress.com, 1
+4freeprintable.com, 1
+4g-server.eu, 0
+4game.my.id, 1
+4garage.com.br, 1
+4gnews.pt, 1
+4grad.in.ua, 1
+4hmediaproductions.com, 1
+4host.ch, 1
+4hourcourse.com, 1
+4hourmini.com, 1
+4hw.ru, 1
+4hypo.cz, 1
+4infra.com.br, 1
+4investors.de, 1
+4iplatform.com, 1
+4iq.lt, 1
+4k3dyptt.com, 1
+4kpi.eu, 1
+4kprojektory.cz, 1
+4lados.tk, 1
+4lephants.tk, 1
+4list.ml, 1
+4loc.us, 1
+4lock.com.br, 1
+4mama.ua, 1
+4maniacos.tk, 1
+4meizu.ru, 0
+4mm.org, 1
+4motionsgmbh.de, 1
+4n3.net, 1
+4nature.com, 1
+4netguides.org, 1
+4nikola.de, 1
+4o.pw, 1
+4obgyne.com, 1
+4ourbest.tk, 1
+4pals.org, 1
+4paws.co.uk, 1
+4peace.gent, 1
+4played.de, 1
+4played.vip, 1
+4project.co.il, 1
+4q-quartet.tk, 1
+4racers.jp, 1
+4ree.tk, 1
+4screens.net, 1
+4season-flowers.com, 1
+4seasonz.co.nz, 1
+4seeds.co.za, 1
+4seo.ml, 1
+4server.ch, 1
+4share.tv, 1
+4sics.se, 1
+4sjnc.org, 1
+4smart.cz, 1
+4smart.house, 1
+4sun.cf, 1
+4tgw34.tk, 1
+4th-ave-studio.com, 1
+4thfebruary.tk, 1
+4thjdcar.gov, 1
+4true.com, 1
+4u.services, 0
+4u2ore.net, 1
+4uwatch.cf, 1
+4vector.com, 1
+4vf.de, 1
+4vio.com, 1
+4voip.ru, 1
+4web-hosting.com, 1
+4wrd.cc, 1
+4x.fi, 1
+4x4-27mc.nl, 1
+4x4.lk, 1
+4x4coatingen.nl, 1
+4x4tt.com, 1
+4y4.me, 1
+4y4a-arts.space, 1
+4yowipes10yo.gq, 1
+4yuz.net, 1
+50-ottenkov.tk, 1
+50.gy, 1
+5000164.com, 1
+5000164.jp, 1
+5000yz.com, 1
+5002888.com, 1
+5007999.com, 1
+500f500.com, 1
+500fcw.com, 1
+500k.nl, 1
+500wordessay.gq, 1
+501371.com, 1
+5017501.com, 1
+5017502.com, 1
+5017503.com, 1
+5017505.com, 1
+5017701.com, 1
+5017702.com, 1
+5017703.com, 1
+5017704.com, 1
+5017705.com, 1
+5017801.com, 1
+5017802.com, 1
+5017803.com, 1
+5017804.com, 1
+5017805.com, 1
+501stcl.tk, 1
+502312.com, 1
+502fss.marketing, 1
+5060711.com, 1
+5060715.com, 1
+50balles.com, 1
+50firstavenue.com.au, 1
+50hertz.tk, 1
+50lakeshore.com, 1
+50ma.xyz, 1
+50miners.tk, 1
+50plusdating.ml, 1
+50plusdating.tk, 1
+50plusmusikfestival.ch, 1
+50plusnet.nl, 1
+50refer.tk, 1
+50ten40.com, 1
+51-83-136-132.xyz, 1
+511.org, 1
+511in.org, 1
+51365a.com, 0
+51365aa.com, 1
+51365b.com, 0
+51365bb.com, 1
+51365c.com, 0
+51365cc.com, 1
+51365d.com, 0
+51365ee.com, 0
+513maximus.site, 1
+513x.cc, 1
+514-media.co.uk, 1
+514-media.com, 1
+514-media.de, 1
+514-media.fr, 1
+514.moe, 1
+514622.com, 1
+515188.xyz, 1
+5155bet.com, 1
+517vpn.cn, 1
+518.com.tw, 1
+518k8.com, 1
+5197aa.co, 1
+5197bb.co, 1
+5197cc.co, 1
+5197dd.co, 1
+5197dh.co, 0
+5197dns.com, 1
+5197ee.co, 1
+5197ff.co, 1
+5197gg.co, 1
+5197hd.co, 1
+5197hh.co, 1
+5197ii.co, 1
+5197jj.co, 1
+5197kk.co, 1
+5197ll.co, 1
+5197m.co, 1
+5197mm.co, 1
+5197n.co, 1
+5197nn.co, 1
+5197o.co, 1
+5197oo.co, 1
+5197p.co, 1
+5197pp.co, 1
+5197q.co, 1
+5197qq.co, 1
+5197r.co, 1
+5197rr.co, 1
+5197s.co, 1
+5197ss.co, 1
+5197t.co, 1
+5197tt.co, 1
+5197u.co, 1
+5197uu.co, 1
+5197v.co, 1
+5197vv.co, 1
+5197w.co, 1
+5197ww.co, 1
+5197x.co, 1
+5197xx.co, 1
+5197y.co, 1
+5197yy.co, 1
+5197z.co, 1
+5197zz.co, 1
+51acg.eu.org, 1
+51aifuli.com, 1
+51cls.tw, 1
+51club8.com, 1
+51dinghuo.com, 1
+51fish.com, 1
+51fishing.com, 1
+51flower.com, 1
+51flowers.com, 1
+51free.com, 1
+51fss.marketing, 1
+51guaq.com, 1
+51ku.com, 1
+51life.com, 1
+51logo.com, 1
+51motor.com, 1
+51photos.com, 1
+51pic.com, 1
+51pig.com, 1
+51pinpai.com, 1
+51power.com, 1
+51resume.com, 1
+51senluo.com, 1
+51share.com, 1
+51shoes.com, 1
+51space.com, 1
+51talk.ph, 1
+51tiaojiu.com, 1
+51train.com, 1
+51xiongmao.cn, 1
+52002a.com, 1
+52002b.com, 1
+52002c.com, 1
+52002d.com, 1
+52002e.com, 1
+52002f.com, 1
+52002g.com, 1
+52002h.com, 1
+52002i.com, 1
+52002j.com, 1
+52002k.com, 1
+52002l.com, 1
+52002m.com, 1
+52002n.com, 1
+52002o.com, 1
+52002p.com, 1
+52002q.com, 1
+52002r.com, 1
+52002s.com, 1
+52002t.com, 1
+52002u.com, 1
+52002v.com, 1
+52002w.com, 1
+52002x.com, 1
+52002y.com, 1
+5201365.com, 0
+52051.com, 1
+52051a.com, 1
+5205365.com, 0
+52062z.com, 1
+5206365.com, 0
+5209365.com, 0
+520xpjxpj.com, 0
+521.dog, 1
+5219.ml, 1
+521keyvista.com, 1
+521ssl.com, 1
+5225sf.com, 1
+528sss.com, 1
+529kb.com, 1
+529sss.com, 1
+52b9.com, 1
+52b9.net, 1
+52danji.cc, 1
+52dashboard.com, 1
+52evar.com, 1
+52fanpai.com, 1
+52fish.com, 1
+52fss.marketing, 1
+52hentai.ml, 1
+52itt.com, 1
+52kb1.com, 1
+52kb365.com, 0
+52ncp.net, 1
+52pojie.cn, 1
+52sykb.com, 0
+52xuanmi.com, 1
+52yanhao.com, 1
+531k8.com, 1
+533sss.com, 1
+534365.com, 1
+535kb.com, 1
+5364b.com, 1
+5364c.com, 1
+5364d.com, 1
+5364jc.com, 1
+538507.com, 1
+53ningen.com, 0
+53pluk.cz, 1
+540interactive.com, 1
+541651.com, 1
+5454app.com, 1
+5455bet.com, 1
+54below.com, 0
+54cuatro.com, 1
+5518k3.com, 1
+55321365.com, 0
+5533445.com, 1
+55365t.com, 1
+5536z.com, 1
+555321365.com, 0
+555554.xyz, 1
+5557552.com, 1
+555aicai.com, 1
+555bet86.com, 1
+555btt.com, 1
+555kb.com, 1
+555w.org, 1
+555xl.com, 1
+555zlong.com, 1
+556185.com, 1
+5566bet.vip, 1
+556777.cc, 1
+557.pm, 1
+557bbb.com, 1
+558137.com, 1
+55bet86.com, 1
+55club.com, 1
+55ffaaa.com, 1
+55ffbbb.com, 1
+55ffccc.com, 1
+55ffddd.com, 1
+55ffeee.com, 1
+55fffaa.com, 1
+55fffbb.com, 1
+55fffcc.com, 1
+55fffdd.com, 1
+55fffee.com, 1
+55fffgg.com, 1
+55fffhh.com, 1
+55fffii.com, 1
+55fffjj.com, 1
+55fffkk.com, 1
+55fffll.com, 1
+55fffmm.com, 1
+55fffnn.com, 1
+55fffoo.com, 1
+55fffpp.com, 1
+55fffqq.com, 1
+55fffrr.com, 1
+55fffss.com, 1
+55ffftt.com, 1
+55fffuu.com, 1
+55fffvv.com, 1
+55fffww.com, 1
+55fffxx.com, 1
+55fffyy.com, 1
+55fffzz.com, 1
+55ffggg.com, 1
+55ffhhh.com, 1
+55ffiii.com, 1
+55ffjjj.com, 1
+55ffkkk.com, 1
+55fflll.com, 1
+55ffmmm.com, 1
+55ffnnn.com, 1
+55ffooo.com, 1
+55ffppp.com, 1
+55ffqqq.com, 1
+55ffrrr.com, 1
+55ffsss.com, 1
+55ffttt.com, 1
+55ffuuu.com, 1
+55ffvvv.com, 1
+55ffwww.com, 1
+55ffxxx.com, 1
+55ffyyy.com, 1
+55ffzzz.com, 1
+55fss.net, 1
+55goal.com, 1
+55k66.vip, 1
+55opt.org, 1
+56011s.com, 0
+56011v.com, 0
+5611.cf, 1
+5611bet.com, 1
+5622bet.com, 1
+562656.com, 1
+562956.com, 1
+563398.com, 1
+5633bet.com, 1
+56365t.com, 1
+5663.cc, 1
+5663.co, 1
+566380.com, 0
+56736565.com, 1
+5676321.com, 1
+567666365.com, 1
+5677.cf, 1
+5678666365.com, 0
+568756.com, 1
+572223.com, 1
+572kb.com, 1
+573sss.com, 1
+5758cp.com, 1
+5765.io, 1
+578064.com, 1
+5781.org, 1
+578173.com, 1
+578380.com, 1
+5792.org, 1
+579514.com, 1
+5795444.com, 1
+5795887.com, 1
+582303.com, 1
+585380.com, 1
+588e.com, 1
+589174.com, 1
+5898657.com, 1
+589team.com, 1
+592227.com, 1
+593380.com, 1
+593398.com, 1
+594795.com, 1
+595380.com, 1
+5981168.com, 1
+5981611.com, 1
+5981622.com, 1
+5981644.com, 1
+5981655.com, 1
+5981667.com, 1
+5981668.com, 1
+5981669.com, 1
+5981677.com, 1
+5981688.com, 1
+5981699.com, 1
+5981800.com, 1
+5981811.com, 1
+5981822.com, 1
+5981833.com, 1
+5981844.com, 1
+5981855.com, 1
+5981866.com, 1
+5981877.com, 1
+5981899.com, 1
+5981918.com, 1
+5981b.com, 1
+5981c.com, 1
+5981d.com, 1
+5981e.com, 1
+5981f.com, 1
+5981g.com, 1
+5981h.com, 1
+5981i.com, 1
+5981k.com, 1
+5981l.com, 1
+5981m.com, 1
+5981o.com, 1
+5981p.com, 1
+5981q.com, 1
+5981r.com, 1
+5981s.com, 1
+5981u.com, 1
+5981v.com, 1
+5981w.com, 1
+5981x.com, 1
+5981y.com, 0
+5981z.com, 1
+598598598.net, 1
+59859h.vip, 1
+59859j.vip, 1
+59859k.vip, 1
+59859l.vip, 1
+59859y.vip, 1
+5986fc.com, 1
+5997891.com, 0
+59dcmi.gov, 1
+59rus.tk, 1
+59yanhao.com, 1
+5aelettroni.ga, 1
+5agks.com, 1
+5am.is, 1
+5apps.com, 1
+5baiwan.com, 1
+5bet86.com, 1
+5c1fd0f31022cbc40af9f785847baaf9.space, 1
+5ca.com, 1
+5cake.com, 1
+5ccapitalinvestments.com, 1
+5chat.it, 1
+5dm.link, 1
+5dm.one, 1
+5dm.tv, 1
+5drachenschule.de, 1
+5e.tools, 1
+5eki.jp, 0
+5elementostudio.co, 1
+5escorts.com, 1
+5fm.nu, 1
+5francs.com, 1
+5g.co.uk, 1
+5goglobal.com, 1
+5h0r7.com, 1
+5icsb.com, 1
+5iforum.com, 1
+5ilg.com, 1
+5in.win, 0
+5long88.com, 1
+5minutemystery.com, 1
+5n.be, 1
+5net.ga, 1
+5ososea.com, 1
+5peciali5t.tk, 1
+5penazi.sk, 1
+5percentperweek.com, 1
+5snb.club, 1
+5sporn.com, 1
+5starcruises.com.au, 1
+5stardesigner.tk, 1
+5starexterior.com, 0
+5stars.tv, 1
+5startree.com, 1
+5startrucksales.us, 1
+5tar.jp, 1
+5tart.tk, 1
+5thchichesterscouts.org.uk, 1
+5thfloormedia.com, 1
+5thgenrams.com, 1
+5tiptop.com, 1
+5top.nl, 1
+5u15.com, 1
+5y.fi, 1
+5yeb.com, 0
+6-bros.com, 1
+6-d.cc, 1
+6.vu, 1
+600cao.com, 1
+600k8.com, 0
+604windswell.ca, 1
+6060fm.tk, 1
+6080.ga, 1
+608245.com, 1
+608460.com, 1
+608854.com, 1
+608vets.com, 1
+60d.cn, 1
+60i.cn, 1
+60n13.com, 1
+60w.co, 1
+610.co, 1
+6132pk.com, 1
+6132vip.com, 1
+614989.com, 1
+616578.com, 1
+616675.com, 1
+616728.com, 0
+616758.com, 0
+616798.com, 1
+616btt.net, 1
+616f88.com, 1
+61730123.com, 0
+618034.xyz, 1
+61ag8.com, 1
+61d88.com, 1
+61fss.net, 1
+620207.com, 1
+620862.com, 1
+621424.com, 1
+621kb.com, 1
+621nn.com, 0
+625kb.com, 1
+626562.com, 1
+628062.com, 1
+628462.com, 1
+632025.com, 1
+632026.com, 1
+632027.com, 1
+632035.com, 0
+632040.com, 1
+632045.com, 1
+632046.com, 1
+632047.com, 1
+6321000.com, 0
+6321007.com, 0
+6321008.com, 0
+6321009.com, 0
+6321222.com, 0
+6321333.com, 0
+632140.com, 1
+632143.com, 1
+632144.com, 1
+632148.com, 0
+632174.com, 0
+632365.com, 1
+632863.com, 1
+633663.net, 1
+633663.vip, 1
+635-488.com, 0
+635-588.com, 0
+635-788.com, 0
+635-888.com, 1
+635-988.com, 1
+636051.com, 1
+637663.com, 1
+638566.com, 1
+6396000.com, 1
+63960000.com, 1
+63961111.com, 1
+639611111.com, 0
+6396222.com, 1
+63962222.com, 1
+639622222.com, 0
+6396333.com, 1
+63963333.com, 1
+639633333.com, 0
+6396444.com, 1
+63964444.com, 1
+639644444.com, 0
+63965555.com, 0
+639655555.com, 0
+639666666.com, 0
+63967777.com, 1
+639677777.com, 0
+63968888.com, 0
+639688888.com, 1
+63969999.com, 0
+639699999.com, 0
+6396aaa.com, 1
+6396bbb.com, 1
+6396ccc.com, 1
+6396ddd.com, 1
+6396eee.com, 0
+6396fff.com, 1
+6396iii.com, 0
+6396jjj.com, 0
+6396ooo.com, 0
+6396qqq.com, 0
+6396rrr.com, 0
+6396sss.com, 0
+6396ttt.com, 1
+6396vvv.com, 0
+6396www.com, 0
+6396xxx.com, 0
+6396yyy.com, 1
+6396zzz.com, 0
+63fg.com, 1
+63gaming.com, 1
+645ds.cn, 0
+645ds.com, 0
+64970.com, 1
+64bitgaming.de, 1
+64stacks.com, 1
+650.org, 1
+65131a.com, 1
+65131b.com, 1
+65131c.com, 1
+65131d.com, 1
+65131h.com, 1
+65131i.com, 1
+65131j.com, 1
+65131t.com, 1
+65131u.com, 1
+65131v.com, 1
+65131w.com, 1
+65131x.com, 1
+65131y.com, 1
+65131z.com, 1
+6541166.com, 1
+6542277.com, 1
+6543399.com, 1
+6547700.com, 1
+6547711.com, 1
+6547722.com, 1
+6547733.com, 1
+6547744.com, 1
+6547755.com, 1
+6547766.com, 1
+6548855.com, 1
+6548877.com, 1
+654pk.cn, 1
+655ks.com, 1
+656265.com, 1
+658565.com, 1
+659265.com, 1
+65d88.com, 1
+6601.cf, 1
+6602.cf, 1
+6602p.com, 1
+6603.cf, 1
+6604.cf, 1
+6605.cf, 1
+6606.cf, 1
+6607.cf, 1
+6608.cf, 1
+6609.cf, 1
+6610.cf, 1
+6612.cf, 1
+6613.cf, 1
+661326.com, 1
+6614.cf, 1
+6615.cf, 1
+6616.cf, 1
+66168365.com, 1
+6616fc.com, 1
+6617.cf, 1
+6618.cf, 1
+6619.cf, 1
+661z6.com, 1
+6620.cf, 1
+6623.cf, 1
+6624.cf, 1
+6625.cf, 1
+6626.cf, 1
+6627.cf, 1
+66321365.com, 0
+6633445.com, 1
+663365666.com, 1
+663365777.com, 1
+663365888.com, 1
+663365a.vip, 1
+663365b.vip, 1
+663365c.vip, 1
+663365d.vip, 1
+663365e.vip, 1
+663365f.vip, 1
+663365g.vip, 1
+663365h.vip, 1
+663365i.vip, 1
+663365j.vip, 1
+663365k.vip, 1
+663651.com, 0
+6660.cf, 1
+6660111.ru, 1
+6661.cf, 1
+666111bet.com, 1
+666222bet.com, 1
+666321365.com, 0
+666333bet.com, 1
+666365app.com, 0
+666365ios.com, 0
+666365iosapp.com, 0
+666365t.com, 1
+6664553.com, 1
+666668722.com, 1
+666689999.xyz, 1
+666777bet.com, 1
+666888bet.com, 1
+666999bet.com, 1
+666aicai.com, 1
+666b58.com, 0
+666bet86.com, 1
+666btt.net, 1
+6677.us, 1
+6688.ovh, 1
+668825.vip, 1
+668k8.net, 1
+66bet86.com, 1
+66bwf.com, 1
+66ffaaa.com, 1
+66ffbbb.com, 1
+66ffccc.com, 1
+66ffddd.com, 1
+66ffeee.com, 1
+66fffaa.com, 1
+66fffbb.com, 1
+66fffcc.com, 1
+66fffdd.com, 1
+66fffee.com, 1
+66fffgg.com, 1
+66fffhh.com, 1
+66fffii.com, 1
+66fffjj.com, 1
+66fffkk.com, 1
+66fffll.com, 1
+66fffmm.com, 1
+66fffnn.com, 1
+66fffoo.com, 1
+66fffpp.com, 1
+66fffqq.com, 1
+66fffrr.com, 1
+66fffss.com, 1
+66ffftt.com, 1
+66fffuu.com, 1
+66fffvv.com, 1
+66fffww.com, 1
+66fffxx.com, 1
+66fffyy.com, 1
+66fffzz.com, 1
+66ffggg.com, 1
+66ffhhh.com, 1
+66ffiii.com, 1
+66ffjjj.com, 1
+66ffkkk.com, 1
+66fflll.com, 1
+66ffmmm.com, 1
+66ffnnn.com, 1
+66ffooo.com, 1
+66ffppp.com, 1
+66ffqqq.com, 1
+66ffrrr.com, 1
+66ffsss.com, 1
+66ffttt.com, 1
+66ffuuu.com, 1
+66ffvvv.com, 1
+66ffwww.com, 1
+66ffxxx.com, 1
+66ffyyy.com, 1
+66ffzzz.com, 1
+66gal.com, 1
+66k66.vip, 1
+6700.ar, 1
+670102.com, 1
+671660.com, 1
+671990.com, 1
+672367.com, 1
+6729.co, 0
+672990.com, 0
+6729a.co, 1
+6729aa.co, 1
+6729aa.com, 1
+6729apk.com, 1
+6729app.com, 1
+6729b.co, 1
+6729bb.co, 1
+6729bb.com, 1
+6729c.co, 1
+6729c.com, 1
+6729cc.co, 1
+6729cc.com, 1
+6729d.co, 1
+6729d.com, 1
+6729dd.co, 1
+6729dd.com, 1
+6729dh.co, 1
+6729dns.com, 1
+6729e.co, 1
+6729e.com, 0
+6729ee.co, 1
+6729ee.com, 0
+6729f.co, 1
+6729f.com, 0
+6729ff.co, 1
+6729ff.com, 0
+6729g.co, 1
+6729g.com, 0
+6729gg.co, 1
+6729gg.com, 0
+6729h.co, 1
+6729h.com, 0
+6729hb.com, 0
+6729hh.co, 1
+6729hh.com, 0
+6729i.co, 1
+6729i.com, 0
+6729ii.co, 1
+6729ii.com, 0
+6729ipa.com, 1
+6729j.co, 1
+6729j.com, 1
+6729jj.co, 1
+6729jj.com, 1
+6729k.co, 1
+6729k.com, 0
+6729kk.co, 1
+6729kk.com, 0
+6729l.co, 1
+6729l.com, 0
+6729ll.co, 1
+6729ll.com, 1
+6729m.co, 1
+6729m.com, 0
+6729mm.co, 1
+6729mm.com, 0
+6729n.co, 1
+6729n.com, 0
+6729nn.co, 1
+6729nn.com, 0
+6729o.co, 1
+6729o.com, 1
+6729oo.co, 1
+6729oo.com, 0
+6729p.co, 1
+6729p.com, 1
+6729pp.co, 1
+6729pp.com, 1
+6729q.co, 1
+6729q.com, 1
+6729qq.co, 1
+6729qq.com, 0
+6729r.co, 1
+6729rr.co, 1
+6729rr.com, 1
+6729s.co, 1
+6729s.com, 0
+6729ss.co, 1
+6729ss.com, 0
+6729t.co, 1
+6729t.com, 0
+6729tt.co, 1
+6729tt.com, 0
+6729u.co, 1
+6729u.com, 0
+6729uu.co, 1
+6729uu.com, 0
+6729v.co, 1
+6729v.com, 0
+6729vv.co, 1
+6729vv.com, 0
+6729w.co, 1
+6729w.com, 1
+6729ww.co, 1
+6729ww.com, 0
+6729x.co, 1
+6729x.com, 1
+6729xx.co, 1
+6729xx.com, 0
+6729xy.com, 0
+6729y.co, 1
+6729y.com, 0
+6729yy.co, 1
+6729yy.com, 1
+6729z.co, 1
+6729z.com, 1
+6729zz.co, 1
+6729zz.com, 0
+672bbb.com, 1
+673395.com, 1
+673569.com, 1
+673660.com, 1
+673bbb.com, 1
+676812.com, 1
+677314.com, 1
+677340.com, 1
+677341.com, 1
+677346.com, 1
+677347.com, 1
+677354.com, 1
+677364.com, 1
+677384.com, 1
+6777.cf, 1
+67836565.com, 1
+678365app.com, 0
+678365cc.com, 0
+678365t.com, 1
+678678365.com, 1
+67877777.com, 1
+6789666365.com, 0
+679470.com, 1
+67y7.com, 0
+682368.com, 1
+68277.me, 1
+683168.com, 1
+683968.com, 1
+684781.com, 1
+68522c.com, 1
+68522k.com, 1
+68522m.com, 1
+68522s.com, 1
+68622.com, 1
+68622a.com, 1
+68622b.com, 1
+68636.cc, 1
+68636.com, 1
+68636.vip, 1
+689368.com, 1
+68reg.tk, 1
+692241.com, 1
+692b8c32.de, 1
+694640.com, 1
+695346.com, 1
+695660.com, 1
+6957.co, 1
+6957a.co, 1
+6957aa.co, 1
+6957apk.com, 1
+6957app.com, 1
+6957b.co, 1
+6957bb.co, 1
+6957c.co, 1
+6957cc.co, 1
+6957d.co, 1
+6957dd.co, 1
+6957dh.co, 1
+6957e.co, 1
+6957ee.co, 1
+6957f.co, 1
+6957ff.co, 1
+6957g.co, 1
+6957gg.co, 1
+6957h.co, 1
+6957hh.co, 1
+6957i.co, 1
+6957ii.co, 1
+6957j.co, 1
+6957jj.co, 1
+6957k.co, 1
+6957kk.co, 1
+6957l.co, 1
+6957ll.co, 1
+6957m.co, 1
+6957mm.co, 1
+6957n.co, 1
+6957nn.co, 1
+6957o.co, 1
+6957oo.co, 1
+6957p.co, 1
+6957pp.co, 1
+6957q.co, 1
+6957qq.co, 1
+6957r.co, 1
+6957rr.co, 1
+6957rr.com, 0
+6957s.co, 1
+6957ss.co, 1
+6957t.co, 1
+6957tt.co, 1
+6957u.co, 1
+6957uu.co, 1
+6957v.co, 1
+6957vv.co, 1
+6957vv.com, 0
+6957w.co, 1
+6957ww.co, 1
+6957x.co, 1
+6957xx.co, 1
+6957xy.com, 0
+6957y.co, 1
+6957yy.co, 1
+6957z.co, 1
+6957z.com, 1
+6957zz.co, 1
+69759.com, 0
+698134.com, 1
+6997896.com, 1
+69asmr.com, 1
+69butterfly.com, 1
+69games.xxx, 1
+69kzvm3f.com, 1
+69level.com, 1
+69mentor.com, 1
+69wasted.net, 1
+6a.nz, 1
+6b.com.au, 1
+6bet86.com, 1
+6bwcp.com, 1
+6dec.gc.ca, 1
+6f.com.au, 1
+6i.com.au, 1
+6ird.com, 0
+6lo.zgora.pl, 1
+6meter.tk, 1
+6play.fr, 1
+6t-montjoye.org, 1
+6thmarch.com, 1
+6wbz.com, 1
+7-it.ml, 1
+7-zip.de, 1
+700.az, 1
+700creditsolution.com, 1
+700dealer.com, 1
+700wns.com, 1
+701squad.tk, 1
+702341.win, 1
+702343.win, 1
+702344.win, 1
+702345.win, 1
+70365365.com, 0
+703700.com, 1
+705994.com, 1
+708090.ru, 1
+70872.com, 0
+709611.com, 1
+70mpg.org, 1
+7100.cf, 1
+712kb.com, 1
+713367.com, 0
+71365365.com, 0
+713kb.com, 1
+716176.com, 0
+7177bet.com, 1
+717966833.xyz, 1
+718113.com, 0
+7183.org, 0
+71fss.marketing, 1
+71tuiguang.com, 1
+7203.ru, 1
+7203.xn--p1ai, 1
+721010.xyz, 1
+721172.com, 1
+7214.cc, 1
+721aa.com, 0
+722201.com, 0
+723421.com, 1
+724go.com, 1
+724online.com, 1
+725134.com, 1
+725741.com, 1
+7261696e626f77.net, 1
+727877.com, 0
+727sss.com, 1
+730.no, 1
+732273.com, 1
+732473.com, 1
+733575.com, 0
+73365365.com, 0
+733673.com, 1
+734365.com, 1
+734551.com, 1
+735973.com, 1
+736373.com, 1
+736416.com, 1
+736573.com, 1
+739373.com, 1
+739673.com, 1
+73fy.com, 0
+740424.ml, 1
+740660.com, 1
+740cashbuyers.com, 1
+743365.com, 1
+74365365.com, 1
+7444.cf, 1
+746104.com, 1
+7478vip1.cc, 1
+7478vip2.cc, 1
+74d88.com, 1
+74dy.org, 1
+74th.jp, 1
+750375.com, 1
+750475.com, 1
+751175.com, 1
+751930.com, 1
+753345.com, 1
+7552001.com, 1
+7552002.com, 1
+7552005.com, 1
+7552006.com, 1
+7552008.com, 1
+7552009.com, 1
+7552010.com, 1
+7552011.com, 1
+7552012.com, 1
+7552013.com, 1
+755204.com, 1
+755243.com, 1
+755245.com, 1
+755246.com, 1
+755249.com, 1
+755274.com, 1
+755294.com, 0
+755364.com, 1
+755k3.com, 1
+756975.com, 1
+757409.com, 1
+758375.com, 1
+758393.com, 1
+759375.com, 1
+759419.com, 1
+759675.com, 1
+75codes.com, 1
+75refer.tk, 1
+76.to, 1
+761.com, 1
+761link.net, 1
+763361.com, 1
+76365365.com, 1
+7654654.xyz, 1
+7666321.com, 1
+76668.com, 1
+7666898.com, 1
+76669.com, 1
+766788.xyz, 1
+7699.org, 1
+769k.com, 0
+769sc.com, 0
+76networks.tk, 1
+76o.cn, 1
+77018dd.com, 0
+77018vip.com, 0
+77168365.com, 1
+77177.de, 1
+77321365.com, 0
+7733445.com, 1
+775018.com, 0
+777365t.com, 1
+7776321.com, 0
+777aicai.com, 1
+777bet86.com, 1
+777coin.com, 1
+777mage.com, 1
+777tv.tv, 1
+77909a.com, 0
+77909b.com, 0
+77909c.com, 0
+77909d.com, 0
+77909dhz.com, 1
+77909e.com, 0
+77909f.com, 0
+77909g.com, 0
+77909h.com, 0
+77909i.com, 0
+77999xl.com, 1
+77b58.com, 1
+77bet86.com, 1
+77ffaaa.com, 1
+77ffbbb.com, 1
+77ffccc.com, 1
+77ffddd.com, 1
+77ffeee.com, 1
+77fffaa.com, 1
+77fffbb.com, 1
+77fffcc.com, 1
+77fffdd.com, 1
+77fffee.com, 1
+77fffgg.com, 1
+77fffhh.com, 1
+77fffii.com, 1
+77fffjj.com, 1
+77fffkk.com, 1
+77fffll.com, 1
+77fffmm.com, 1
+77fffnn.com, 1
+77fffoo.com, 1
+77fffpp.com, 1
+77fffqq.com, 1
+77fffrr.com, 1
+77fffss.com, 1
+77ffftt.com, 1
+77fffuu.com, 1
+77fffvv.com, 1
+77fffww.com, 1
+77fffxx.com, 1
+77fffyy.com, 1
+77fffzz.com, 1
+77ffggg.com, 1
+77ffhhh.com, 1
+77ffiii.com, 1
+77ffjjj.com, 1
+77ffkkk.com, 1
+77fflll.com, 1
+77ffmmm.com, 1
+77ffnnn.com, 1
+77ffooo.com, 1
+77ffppp.com, 1
+77ffqqq.com, 1
+77ffrrr.com, 1
+77ffsss.com, 1
+77ffttt.com, 1
+77ffuuu.com, 1
+77ffvvv.com, 1
+77ffwww.com, 1
+77ffxxx.com, 1
+77ffyyy.com, 1
+77ffzzz.com, 1
+77online.com, 1
+78-couvreur.fr, 1
+78.to, 1
+780aa.com, 1
+783306.com, 1
+783346.com, 1
+78365b.com, 0
+783lab.com, 1
+787637.com, 1
+7877bet.com, 1
+787k3.com, 1
+787kb.com, 1
+7885765.com, 1
+7888815.com, 1
+788zzz.com, 1
+7891553.com, 1
+7891997.com, 1
+78936565.com, 0
+789365t.com, 1
+789zr.com, 0
+790951.com, 1
+793703.com, 1
+795sss.com, 1
+797715.com, 1
+797sss.com, 1
+798392.com, 1
+798sss.com, 1
+799146.com, 1
+7992.org, 1
+799713.com, 1
+799ks.com, 1
+799z6.com, 1
+79ch.com, 1
+7across.com, 1
+7aga7.mk, 1
+7akawyna.tk, 1
+7b.gg, 1
+7bandarqq.com, 1
+7bet86.com, 1
+7daystodie.top, 1
+7delights.in, 1
+7dies.net, 1
+7eastgenetics.com, 1
+7emka.tk, 1
+7eo.mk, 1
+7extranews.tk, 1
+7f.is, 1
+7gr.uk, 1
+7graus.pt, 1
+7hills.us, 1
+7hq.ru, 1
+7im.co.uk, 1
+7in0.me, 1
+7ki.photography, 1
+7kicks.com, 1
+7kovrikov.ru, 1
+7kvadratov.by, 1
+7l00p.com, 1
+7learnings.com, 1
+7links.com.br, 1
+7milesglobal.com, 1
+7money.co, 1
+7net.uk, 1
+7networking.com, 1
+7pets.net, 1
+7plus.com.au, 1
+7pm.studio, 1
+7proxies.com, 1
+7qly.com, 1
+7quark.xyz, 1
+7sdre.am, 1
+7sisters.tk, 1
+7sotok.info, 1
+7starhealth.ga, 1
+7th-heaven.me, 1
+7thcircledesigns.com, 1
+7url.ml, 1
+7x24servis.com, 1
+7x7cajalosandes.cl, 1
+7zet.ml, 1
+80001234.com, 1
+8000plus.si, 1
+8001d.com, 1
+8001d88.com, 1
+8003pay.com, 1
+8006d88.com, 1
+800999.xyz, 1
+800bar.com, 1
+800email.com, 1
+800ink.com, 1
+800live.com, 1
+800mattress.com, 1
+800perkins.com, 1
+800sports.com, 1
+800tea.com, 1
+800tutor.com, 1
+8010d88.com, 1
+8012d88.com, 1
+8017d88.com, 1
+8019d88.com, 1
+8021d.com, 1
+8022d.com, 1
+8027d.com, 1
+8028d.com, 1
+8029d.com, 1
+8029d88.com, 1
+803001.com, 1
+8032d88.com, 1
+8033d88.com, 1
+8035d88.com, 1
+80365365.com, 0
+8036d88.com, 1
+8038d88.com, 1
+803970.com, 1
+8039d.com, 1
+804265.com, 1
+805084.com, 1
+8050d.com, 1
+8059d88.com, 1
+8060d88.com, 1
+80630.com, 1
+8069d88.com, 1
+8071d.com, 1
+807252.com, 1
+8077d.com, 1
+80780780.com, 1
+8078d.com, 1
+807software.com, 1
+8081d.com, 1
+808cleanups.org, 1
+808gutterking.com, 1
+808mao.com, 1
+809088.cc, 1
+8091.info, 1
+8092d88.com, 1
+8093d.com, 1
+8097d.com, 1
+80993.net, 1
+80bin.com, 1
+80motorsclub.tk, 1
+80smaniacs.nl, 1
+80thcork.com, 1
+81.cz, 1
+8100.cf, 1
+8102d.com, 1
+8102d88.com, 1
+8106365.com, 0
+8109d88.com, 1
+811121.com, 0
+8113d.com, 1
+8115d88.com, 1
+8116d88.com, 1
+811fsspentagon.com, 1
+8121d.com, 1
+8121d88.com, 1
+8128d.com, 1
+8130d88.com, 1
+8135d88.com, 1
+81365365.com, 0
+81365s.com, 1
+8139d.com, 1
+8151d.com, 1
+8153365.com, 0
+8153d.com, 1
+8156d.com, 1
+8159d88.com, 1
+815jz.com, 1
+8160d.com, 1
+8160d88.com, 1
+8161d.com, 1
+8161d88.com, 1
+8162d.com, 1
+8167365.com, 0
+816jz.com, 1
+817181.com, 1
+8171d.com, 1
+817209.com, 0
+8173d.com, 1
+817615.com, 1
+8176d.com, 1
+8178d.com, 1
+81818app.com, 0
+81818d.com, 1
+81818z.com, 1
+8181d88.com, 1
+8182d.com, 1
+8182d88.com, 1
+8183d.com, 1
+8183d88.com, 1
+8186d.com, 1
+818bwf.com, 1
+8190d.com, 1
+8190d88.com, 1
+819323.com, 1
+8193d.com, 1
+8193d88.com, 1
+8196d.com, 1
+8197d.com, 1
+8197d88.com, 1
+8198d.com, 1
+8198d88.com, 1
+81alarm.cz, 1
+81klima.cz, 1
+81klima.sk, 1
+81uc.com, 1
+8202d.com, 1
+8203d88.com, 1
+8206d.com, 1
+8207d88.com, 1
+8208d88.com, 1
+8210d88.com, 1
+8211d88.com, 1
+8216d.com, 1
+8216d88.com, 1
+8217d88.com, 1
+8218d88.com, 1
+8219d88.com, 1
+8221d88.com, 1
+8222d88.com, 1
+8225.com, 1
+8225d.com, 1
+8226d.com, 1
+8228d.com, 1
+8229d88.com, 1
+823582.com, 1
+82365a.com, 1
+82365b.com, 1
+82365c.com, 1
+82365d.com, 1
+82365e.com, 1
+82365f.com, 1
+82365g.com, 1
+82365h.com, 1
+82365i.com, 1
+82365j.com, 1
+82365k.com, 1
+82365l.com, 1
+82365m.com, 1
+82365n.com, 1
+82365o.com, 1
+82365p.com, 1
+82365q.com, 1
+82365r.com, 1
+82365s.com, 1
+82365t.com, 1
+82365u.com, 1
+82365v.com, 1
+82365w.com, 1
+82365x.com, 1
+82365y.com, 1
+82365z.com, 1
+824886.com, 1
+825148.com, 1
+825382.com, 1
+826282.com, 1
+82781111.com, 0
+82783333.com, 0
+82784444.com, 0
+82785555.com, 0
+82786666.com, 0
+82789999.com, 0
+8278b.com, 0
+8278bb.com, 0
+8278ee.com, 0
+8278eee.com, 1
+8278ff.com, 0
+8278jj.com, 0
+8278jjj.com, 1
+8278kk.com, 0
+8278rr.com, 0
+8278tt.com, 0
+8278yy.com, 0
+829917.com, 1
+82fss.marketing, 1
+82kb88.com, 1
+830891.com, 0
+830res.com, 1
+831783.com, 1
+83365365.com, 1
+833792.com, 0
+833z6.com, 1
+834365.com, 1
+8349822.com, 1
+835183.com, 1
+836436.com, 1
+838180.com, 1
+838888.net, 1
+83i.de, 1
+83ir2k8b.duckdns.org, 1
+83kb88.com, 1
+84036.ml, 1
+842844.com, 1
+8444.cf, 1
+846773.com, 1
+848jz.com, 1
+848sf.com, 1
+84ag.com, 1
+84aj.com, 1
+84an.com, 1
+84ar.com, 1
+84az.com, 1
+84bn.com, 1
+84bp.com, 1
+84cl.com, 1
+84cx.com, 1
+84dp.com, 1
+84dt.com, 1
+84ek.com, 1
+84et.com, 1
+84ew.com, 1
+84fe.com, 1
+84fi.com, 1
+84ft.com, 1
+84fz.com, 1
+84ga.com, 1
+84gf.com, 1
+84gi.com, 1
+84gk.com, 1
+84gt.com, 1
+84he.com, 1
+84hp.com, 1
+84hs.com, 1
+84ia.com, 1
+84jt.com, 1
+84kc.com, 1
+84kn.com, 1
+84kq.com, 1
+84lb.com, 1
+84pg.com, 1
+84rd.com, 1
+84rn.com, 1
+84sg.com, 1
+84tn.com, 1
+84tp.com, 1
+84tw.com, 1
+84tx.com, 1
+84xa.com, 1
+84xe.com, 1
+84xl.com, 1
+84xm.com, 1
+84xp.com, 1
+84yd.com, 1
+84yj.com, 1
+84yp.com, 1
+84yv.com, 1
+84yw.com, 1
+84zb.com, 1
+850226.com, 1
+8521.co, 0
+8522hk.com, 1
+8522ph.com, 1
+8522top.com, 1
+8522tw.com, 1
+8522usa.com, 1
+8560.be, 1
+8586cp.com, 1
+86001688.com, 1
+8602010.com, 1
+862.tv, 1
+863479.com, 1
+8649955.com, 1
+8649966.com, 1
+8649977.com, 1
+86606.com, 1
+866300.vip, 1
+866305.vip, 1
+866308.vip, 1
+8666321.com, 1
+867104.com, 1
+8688fc.com, 1
+868z6.com, 1
+869293.com, 1
+8699bet.com, 1
+86kb88.com, 1
+86metro.ru, 1
+870.cc, 0
+870718.xyz, 1
+872291.com, 0
+8722ph.com, 1
+8722usa.com, 1
+872787.com, 1
+873394.com, 1
+87365365.com, 0
+877027.com, 0
+877287.com, 1
+877791.com, 1
+878365cn.com, 1
+878431.com, 1
+878989.com, 1
+8796.jp, 1
+8799bet.com, 1
+87kb88.com, 1
+8800.ru, 1
+880557.com, 1
+8809d.com, 1
+8809d88.com, 1
+8809ks.com, 1
+88168365.com, 1
+8816d88.com, 1
+88178.top, 1
+8817d88.com, 1
+881z6.com, 1
+8826d.com, 1
+8826d88.com, 1
+88321365.com, 0
+8832ks.com, 1
+8833445.com, 1
+8835365.com, 0
+88365.net, 1
+88365t.com, 1
+88518.com, 0
+88522am.com, 1
+885287.com, 1
+8858ks.com, 1
+885kb.com, 1
+885z6.com, 1
+8860d.com, 1
+88661234.com, 1
+886666f.com, 0
+886666l.com, 0
+886666n.com, 1
+886666p.com, 1
+886666q.com, 1
+886666r.com, 0
+886666s.com, 1
+886666t.com, 0
+886666u.com, 0
+886666v.com, 0
+8866d88.com, 1
+8868ty8.com, 1
+8869ks.com, 1
+886k8.com, 0
+886z6.com, 1
+887.ag, 1
+8871d.com, 1
+8872d.com, 1
+88740b.com, 1
+88740e.com, 1
+88740f.com, 1
+88740i.com, 1
+88740j.com, 1
+88740k.com, 1
+88740l.com, 1
+88740m.com, 1
+88740n.com, 1
+88740o.com, 1
+88740p.com, 1
+88740q.com, 1
+88740r.com, 1
+88740s.com, 1
+88740t.com, 1
+88740u.com, 1
+88740v.com, 1
+88740w.com, 1
+88740x.com, 1
+88740z.com, 1
+887d.com, 1
+8881ks.com, 1
+888321365.com, 0
+8884553.com, 1
+8885asknick.com, 1
+8885ks.com, 1
+888666pj.com, 1
+888700.xyz, 1
+888789j.com, 1
+888806.xyz, 1
+888888722.com, 1
+88889822.com, 1
+888900.xyz, 1
+888aicai.com, 1
+888bet86.com, 1
+888bwf.com, 1
+888casino-canada.com, 1
+888lots.com, 1
+888starz-5b.bet, 1
+888starz.bet, 1
+888starz22.bet, 1
+888xpjxpj.com, 0
+8890d.com, 1
+8891d.com, 1
+8891ks.com, 1
+8892d.com, 1
+8895d.com, 1
+8898ks.com, 1
+889999vip.com, 1
+889vip1.com, 1
+889vip10.com, 1
+889vip2.com, 1
+889vip3.com, 1
+889vip4.com, 1
+889vip5.com, 1
+889vip6.com, 1
+889vip7.com, 1
+889vip8.com, 1
+889vip9.com, 1
+889w889.com, 1
+889w889.net, 1
+88acesmaritime.com, 1
+88bet86.com, 1
+88bill.com, 1
+88cakescorner.com, 1
+88d.com, 1
+88djl.cc, 1
+88ffaaa.com, 1
+88ffbbb.com, 1
+88ffccc.com, 1
+88ffddd.com, 1
+88ffeee.com, 1
+88fffaa.com, 1
+88fffbb.com, 1
+88fffcc.com, 1
+88fffdd.com, 1
+88fffee.com, 1
+88fffgg.com, 1
+88fffhh.com, 1
+88fffii.com, 1
+88fffjj.com, 1
+88fffkk.com, 1
+88fffll.com, 1
+88fffmm.com, 1
+88fffnn.com, 1
+88fffoo.com, 1
+88fffpp.com, 1
+88fffqq.com, 1
+88fffrr.com, 1
+88fffss.com, 1
+88ffftt.com, 1
+88fffuu.com, 1
+88fffvv.com, 1
+88fffww.com, 1
+88fffxx.com, 1
+88fffyy.com, 1
+88fffzz.com, 1
+88ffggg.com, 1
+88ffhhh.com, 1
+88ffiii.com, 1
+88ffjjj.com, 1
+88ffkkk.com, 1
+88fflll.com, 1
+88ffmmm.com, 1
+88ffnnn.com, 1
+88ffooo.com, 1
+88ffppp.com, 1
+88ffqqq.com, 1
+88ffrrr.com, 1
+88ffsss.com, 1
+88ffttt.com, 1
+88ffuuu.com, 1
+88ffvvv.com, 1
+88ffwww.com, 1
+88ffxxx.com, 1
+88ffyyy.com, 1
+88ffzzz.com, 1
+88home9.com, 1
+88kb88.com, 1
+88laohu.cc, 1
+88laohu.com, 1
+88thpolarisscouts.ca, 1
+88yabo.com, 1
+88yule11.com, 1
+88yule112.com, 1
+88yule113.com, 1
+88yule12.com, 1
+88yule13.com, 1
+88yule15.com, 1
+88yule16.com, 1
+88yule7.com, 1
+88yule9.com, 1
+8900.cf, 1
+8900d.com, 1
+890238.com, 1
+8906d.com, 1
+890789d.com, 0
+8908d.com, 1
+8921d.com, 1
+8925d.com, 1
+8925d88.com, 1
+8926d88.com, 1
+8927d88.com, 1
+8929d88.com, 1
+893067.com, 0
+89386.com, 1
+89386b.com, 0
+89386d.com, 0
+89386e.com, 1
+89386l.com, 1
+8938885.com, 1
+893fm.com.au, 1
+894324.com, 1
+895865.com, 1
+8966bet.com, 1
+8977bet.com, 1
+8989k3.com, 1
+899ks.com, 1
+8a.pw, 1
+8ack.de, 1
+8ag8.org, 1
+8b8888.com, 1
+8ballbombom.uk, 1
+8balls.nl, 1
+8bb.org, 1
+8bet86.com, 1
+8bit.ltd, 1
+8bitpickle.com, 1
+8bitsafe.com, 1
+8cent.com, 1
+8crafty.com, 1
+8dabet.com, 1
+8daysaweek.tk, 1
+8duhu.com, 1
+8e8z.com, 1
+8fit.com, 1
+8freeporn.com, 1
+8fs000.com, 1
+8fs333.com, 1
+8fs444.com, 1
+8fs555.com, 1
+8fs666.com, 1
+8fs999.com, 1
+8gaming.net, 1
+8gerd.tk, 1
+8hrs.net, 1
+8i3m2a67.com, 1
+8l.com.au, 1
+8link.com, 1
+8maerz.at, 1
+8me.nl, 1
+8mpay.com, 1
+8shequapp.com, 1
+8show.com, 1
+8t8.eu, 1
+8tech.com.hk, 1
+8thportsmouth.org.uk, 1
+8thstreetlatinas.com, 1
+8time.com, 1
+8tuffbeers.com, 1
+8ung.online, 1
+8xx888.com, 1
+8xxxxxxx.com, 1
+8y.network, 1
+8yabo.com, 0
+8yun.cf, 1
+8yun.ga, 0
+9-11commission.gov, 1
+9.lviv.ua, 1
+90.cx, 1
+9002.cf, 1
+9003.cf, 1
+9004.cf, 1
+9005.cf, 1
+9005424.com, 1
+9006.cf, 1
+9007.cf, 1
+9009019.com, 0
+900hosting.com, 1
+9011.cf, 1
+9012.cf, 1
+9013.cf, 1
+9014.cf, 1
+9015.cf, 1
+901543.com, 1
+9016.cf, 1
+9018.cf, 1
+9019.cf, 1
+902.gr, 1
+9020.cf, 1
+9021.cf, 1
+9021.io, 1
+9022.cf, 1
+9023.cf, 1
+9023n.com, 0
+9023w.com, 0
+9024.cf, 1
+9025.cf, 1
+9026.cf, 1
+9028.cf, 1
+9029.cf, 1
+9030.cf, 1
+9031.cf, 1
+9032.cf, 1
+9033.cf, 1
+9034.cf, 1
+9035.cf, 1
+9036.cf, 1
+9037.cf, 1
+9038.cf, 1
+9039.cf, 1
+9040.cf, 1
+9041.cf, 1
+9042.cf, 1
+9043.cf, 1
+9044.cf, 1
+9045.cf, 1
+9046.cf, 1
+9047.cf, 1
+9048.cf, 1
+9049.cf, 1
+9050.cf, 1
+9051.cf, 1
+9052.cf, 1
+9053.cf, 1
+9055.cf, 1
+9056.cf, 1
+9057.cf, 1
+9058.cf, 1
+9059.cf, 1
+9060.cf, 1
+9061.cf, 1
+9062.cf, 1
+9063.cf, 1
+9064.cf, 1
+9065.cf, 1
+9066.cf, 1
+9067.cf, 1
+9068.cf, 1
+9069.cf, 1
+9070.cf, 1
+9070989.com, 1
+9071.cf, 1
+9073.cf, 1
+9074.cf, 1
+9075.cf, 1
+9076.cf, 1
+9077.cf, 1
+9078.cf, 1
+907856.com, 1
+9079.cf, 1
+9080.cf, 1
+9081.cf, 1
+9082.cf, 1
+9085.cf, 1
+9086.cf, 1
+9087.cf, 1
+9088.cf, 1
+9090.cf, 1
+9091.cf, 1
+90920.cn, 1
+9093.cf, 1
+9094.cf, 1
+9095.cf, 1
+9096.cf, 1
+9097.cf, 1
+9098.cf, 1
+90daydiet.org, 1
+90minut.com, 1
+90r.jp, 1
+90splease.com, 1
+91-cg.com, 1
+91-short.com, 1
+9100.cf, 1
+9100.ga, 1
+9100.gq, 1
+9100.ml, 1
+9101.cf, 1
+9102.cf, 1
+9103.cf, 1
+9104.cf, 1
+9105.cf, 1
+9106.cf, 1
+910635.com, 1
+9107.cf, 1
+9108.cf, 1
+9109.cf, 1
+911.gov, 1
+9111s.ru, 1
+911216.xyz, 1
+9113.cf, 1
+9114.cf, 1
+9115.cf, 1
+9116.cf, 1
+9117.cf, 1
+9118.com, 1
+9118.hk, 0
+9118.la, 1
+91181.cc, 1
+91186.cc, 1
+9118inc.com, 0
+911commission.gov, 1
+911dispatcheredu.org, 1
+9120.cf, 1
+9121.cf, 1
+9122.cf, 1
+9123.cf, 1
+9124.cf, 1
+9125.cf, 1
+9126.cf, 1
+9127.cf, 1
+912891.com, 1
+9129.cf, 1
+9130.cf, 1
+9131.cf, 1
+9132.cf, 1
+913291.com, 1
+9133.cf, 1
+9134.cf, 1
+9135.cf, 1
+9136.cf, 1
+9137.cf, 1
+9139.cf, 1
+9140.cf, 1
+9141.cf, 1
+9142.cf, 1
+9143.cf, 1
+9144.cf, 1
+9145.cf, 1
+9146.cf, 1
+9147.cf, 1
+9148.cf, 1
+9149.cf, 1
+9150.cf, 1
+9151.cf, 1
+9152.cf, 1
+9153.cf, 1
+9154.cf, 1
+9155.cf, 1
+9156.cf, 1
+9157.cf, 1
+9159.cf, 1
+9160.cf, 1
+9161.cf, 1
+9162.cf, 1
+916294.com, 1
+9164.cf, 1
+9165.cf, 1
+9166.cf, 1
+9167.cf, 1
+9168.cf, 1
+9169.cf, 1
+9170.cf, 1
+9171.cf, 1
+9172.cf, 1
+9173.cf, 1
+9174.cf, 1
+9175.cf, 1
+9176.cf, 1
+9177.cf, 1
+9179.cf, 1
+917991.com, 1
+9180.cf, 1
+9181.cf, 1
+9181181.com, 1
+9181182.com, 1
+9181183.com, 1
+9181184.com, 1
+9181185.com, 1
+9181186.com, 1
+9181187.com, 1
+9181189.com, 1
+9182.cf, 1
+9182289.com, 1
+9183.cf, 1
+9184.cf, 1
+9185.cf, 1
+9186.fun, 0
+9186119.com, 1
+9187.cf, 1
+918991a.com, 0
+918991b.com, 0
+918991c.com, 0
+918991d.com, 0
+918991dhz.com, 0
+918991e.com, 0
+918bbm.co, 1
+918bcf.co, 1
+918bcw.co, 1
+918bio.co, 1
+918bip.co, 1
+918bis.co, 1
+918dc04.com, 1
+918dc19.com, 1
+918kisse.com, 1
+918kissinw.com, 1
+9190.cf, 1
+9193.cf, 1
+919391.com, 1
+9194.cf, 1
+9195.cf, 1
+9197.cf, 1
+9198.cf, 1
+91bbr.com, 1
+91beauty.com, 1
+91cg.com, 1
+91d52.com, 1
+91d72.com, 1
+91d81.com, 1
+91d83.com, 1
+91d85.com, 0
+91dh.cc, 0
+91fashion.com, 1
+91fldz.com, 1
+91imh.com, 1
+91milk.net, 0
+91news.tk, 1
+91quanji.com, 1
+91short.com, 1
+91tianmi.com, 0
+91tvg.com, 1
+9200.cf, 1
+9200.ml, 1
+9201.cf, 1
+9202.cf, 1
+9203.cf, 1
+920392.com, 1
+9204.cf, 1
+9205.cf, 1
+9206.cf, 1
+9207.cf, 1
+9208.cf, 1
+9209.cf, 1
+9210.cf, 1
+9212.cf, 1
+9214.cf, 1
+9215.cf, 1
+9216.cf, 1
+9217.cf, 1
+921792.com, 1
+9218.cf, 1
+921892.com, 1
+9219.cf, 1
+9220.cf, 1
+9221.cf, 1
+9223.cf, 1
+9224.cf, 1
+9225.cf, 1
+9226.cf, 1
+9227.cf, 1
+9228.cf, 1
+9230.cf, 1
+9231.cf, 1
+9232.cf, 1
+9233.cf, 1
+9234.cf, 1
+9235.cf, 1
+9236.cf, 1
+9237.cf, 1
+9239.cf, 1
+9240.cf, 1
+9241.cf, 1
+9242.cf, 1
+9243.cf, 1
+9245.cf, 1
+924592.com, 1
+9246.cf, 1
+9247.cf, 1
+924892.com, 1
+924992.com, 1
+925892.com, 1
+925silverjewelry.com, 1
+926792.com, 1
+927092.com, 1
+928092.com, 1
+929349.com, 1
+929592.com, 1
+9297.co, 1
+9297a.co, 1
+9297aa.co, 1
+9297b.co, 1
+9297bb.co, 1
+9297c.co, 1
+9297cc.co, 1
+9297d.co, 1
+9297dd.co, 1
+9297dh.co, 1
+9297dns.com, 1
+9297e.co, 1
+9297ee.co, 1
+9297f.co, 1
+9297ff.co, 1
+9297g.co, 1
+9297gg.co, 1
+9297h.co, 1
+9297hb.com, 0
+9297hd.co, 1
+9297hd.com, 1
+9297hh.co, 1
+9297i.co, 1
+9297ii.co, 1
+9297j.co, 1
+9297jj.co, 1
+9297k.co, 1
+9297kk.co, 1
+9297l.co, 1
+9297ll.co, 1
+9297m.co, 1
+9297mm.co, 1
+9297n.co, 1
+9297nn.co, 1
+9297o.co, 1
+9297oo.co, 1
+9297p.co, 1
+9297pp.co, 1
+9297q.co, 1
+9297qq.co, 1
+9297r.co, 1
+9297rr.co, 1
+9297s.co, 1
+9297ss.co, 1
+9297t.co, 1
+9297tt.co, 1
+9297u.co, 1
+9297uu.co, 1
+9297v.co, 1
+9297vv.co, 1
+9297w.co, 1
+9297ww.co, 1
+9297x.co, 1
+9297xx.co, 1
+9297y.co, 1
+9297yy.co, 1
+9297z.co, 1
+9297zz.co, 1
+92url.com, 1
+9301.cf, 1
+9302.cf, 1
+9303.cf, 1
+9304.cf, 1
+9305.cf, 1
+9306.cf, 1
+9307.cf, 1
+9308.cf, 1
+9309.cf, 1
+9310.cf, 1
+9311.cf, 1
+9312.cf, 1
+9313.cf, 1
+9314.cf, 1
+9315.cf, 1
+931593.com, 1
+9316.cf, 1
+9317.cf, 1
+9318.cf, 1
+9319.cf, 1
+9320.cf, 1
+9321.cf, 1
+9322.cf, 1
+9323.cf, 1
+9324.cf, 1
+9325.cf, 1
+9326.cf, 1
+9327.cf, 1
+9328.cf, 1
+9329.cf, 1
+932993.com, 1
+9330.cf, 1
+9331.cf, 1
+9332.cf, 1
+9334.cf, 1
+9335.cf, 1
+9336.cf, 1
+9337.cf, 1
+9338.cf, 1
+9339.cf, 1
+9340.cf, 1
+9341.cf, 1
+9342.cf, 1
+9343.cf, 1
+934365.com, 1
+934377.com, 1
+9344.cf, 1
+9345.cf, 1
+9347.cf, 1
+9348.cf, 1
+9349.cf, 1
+9351.cf, 1
+9352.cf, 1
+9353.cf, 1
+9354.cf, 1
+9355.cf, 1
+9356.cf, 1
+9357.cf, 1
+9358.cf, 1
+9359.cf, 1
+935themix.com, 1
+9360.cf, 1
+9361.cf, 1
+9362.cf, 1
+9363.cf, 1
+9364.cf, 1
+93644a.com, 0
+93644b.com, 0
+93644c.com, 0
+93644d.com, 0
+93644x.com, 0
+93644y.com, 0
+93644z.com, 0
+9365.cf, 1
+9366.cf, 1
+9367.cf, 1
+9368.cf, 1
+9369.cf, 1
+9370.cf, 1
+937093.com, 1
+9371.cf, 1
+9372.cf, 1
+9373.cf, 1
+9374.cf, 1
+9375.cf, 1
+9376.cf, 1
+937693.com, 1
+9377.cf, 1
+9378.cf, 1
+937893.com, 1
+9379.cf, 1
+9381.cf, 1
+938193.com, 1
+9382.cf, 1
+9383.cf, 1
+9384.cf, 1
+9385.cf, 1
+9386.cf, 1
+9387.cf, 1
+9388.cf, 1
+9389.cf, 1
+9390.cf, 1
+9391.cf, 1
+9392.cf, 1
+9393.cf, 1
+939394.org, 1
+939394.xyz, 1
+9395.cf, 1
+9396.cf, 1
+9397.cf, 1
+9397a.com, 1
+9397b.com, 1
+9397c.com, 1
+9397e.com, 1
+9397hb.com, 1
+9397hd.com, 1
+9397i.com, 1
+9397r.com, 1
+9398.cf, 1
+939wns.com, 1
+93ag8.com, 1
+93cq.com, 1
+93jc.cn, 1
+9401.cf, 1
+9402.cf, 1
+9403.cf, 1
+9404.cf, 1
+9405.cf, 1
+9406.cf, 1
+9407.cf, 1
+9409.cf, 1
+9410.cf, 1
+9411.cf, 1
+9412220.de, 1
+9417k.cf, 1
+9417k.com, 1
+941988.cn, 1
+943359.com, 1
+9444.cf, 1
+9449-27a1-22a1-e0d9-4237-dd99-e75e-ac85-2f47-9d34.de, 1
+947cq.com, 1
+9499060.com, 0
+9499066.com, 0
+9499068.com, 0
+9499113.com, 0
+9499115.com, 0
+9499118.com, 0
+9499125.com, 0
+9499137.com, 1
+9499151.com, 0
+9499212.com, 0
+9499232.com, 0
+9499238.com, 0
+9499263.com, 0
+9499278.com, 0
+9499343.com, 0
+9499369.com, 0
+9499399.com, 0
+9499403.com, 0
+9499459.com, 0
+9499518.com, 0
+9499558.com, 0
+9499565.com, 0
+9499568.com, 0
+9499575.com, 0
+9499668.com, 0
+9499676.com, 0
+9499682.com, 0
+9499737.com, 1
+9499757.com, 0
+9499835.com, 0
+9499855.com, 0
+9499869.com, 0
+9499958.com, 0
+9499jjj.com, 0
+9499l.com, 0
+9499mmmm.com, 1
+9499ttt.com, 0
+9499xxx.com, 0
+9499yl.com, 1
+95-the-mix.com, 1
+9500.cf, 1
+9501.cf, 1
+9502.cf, 1
+9503.cf, 1
+9504.cf, 1
+9505.cf, 1
+9506.cf, 1
+9507.cf, 1
+9508.cf, 1
+9509.cf, 1
+9510.cf, 1
+95105.com, 1
+95107.com, 1
+95108.com, 1
+9511.cf, 1
+9512.cf, 1
+9513.cf, 1
+9514.cf, 1
+9515.cf, 1
+951562.com, 1
+9516.cf, 1
+9517.cf, 1
+9519.cf, 1
+951thebull.com, 1
+9522.cf, 1
+9523.cf, 1
+9524.cf, 1
+9525.cf, 1
+9528.cf, 1
+9529.cf, 1
+9531.cf, 1
+9532.cf, 1
+9533.cf, 1
+9534.cf, 1
+9535.cf, 1
+9536.cf, 1
+9537.cf, 1
+9538.cf, 1
+9539.cf, 1
+9540.cf, 1
+9541.cf, 1
+9542.cf, 1
+9543.cf, 1
+9544.cf, 1
+9545.cf, 1
+9546.cf, 1
+9547.cf, 1
+9548.cf, 1
+9549.cf, 1
+9550.cf, 1
+95500.com, 1
+9551.cf, 1
+95518.com, 1
+95519.com, 1
+9552.cf, 1
+9553.cf, 1
+9554.cf, 1
+95544.com, 1
+95558.com, 1
+95559.com, 1
+9556.cf, 1
+95566.com, 1
+95568.com, 1
+9557.cf, 1
+95577.com, 1
+9558.cf, 1
+9559.cf, 1
+9560.cf, 1
+9561.cf, 1
+9562.cf, 1
+9564.cf, 1
+9565.cf, 1
+9566.cf, 1
+9567.cf, 1
+9568.cf, 1
+9569.cf, 1
+956jj.com, 0
+9570.cf, 1
+95700.com, 1
+9571.cf, 1
+9572.cf, 1
+9573.cf, 1
+9574.cf, 1
+9575.cf, 1
+9576.cf, 1
+9578.cf, 1
+9579.cf, 1
+9580.cf, 1
+95808.com, 1
+9581.cf, 1
+9582.cf, 1
+95828.com, 1
+9584.cf, 1
+9585.cf, 1
+9586.cf, 1
+95868457.xyz, 1
+9587.cf, 1
+9588.com.cn, 1
+9590.cf, 1
+9591.cf, 1
+9592.cf, 1
+9593.cf, 1
+9594.cf, 1
+9595.cf, 1
+9596.cf, 1
+959606.com, 1
+9597.cf, 1
+95996.com, 1
+9600.cf, 1
+96002.com, 0
+9601.cf, 1
+9602.cf, 1
+9603.cf, 1
+9604.cf, 1
+9605.cf, 1
+9606.cf, 1
+9607.cf, 1
+9608.cf, 1
+9609.cf, 1
+960server.net.co, 1
+9610.cf, 1
+9611.cf, 1
+9612.cf, 1
+9613.cf, 1
+9614.cf, 1
+9615.cf, 1
+9616.cf, 1
+9617.cf, 1
+9617818.com, 1
+9617818.net, 1
+9618.cf, 1
+96181.com, 1
+9619.cf, 1
+9620.cf, 1
+96200.com, 1
+9621.cf, 1
+9622.cf, 1
+96220.com, 1
+96229.com, 1
+9623.cf, 1
+9624.cf, 1
+9625.cf, 1
+9626.cf, 1
+9628.cf, 1
+9629.cf, 1
+9630.cf, 1
+9631.cf, 1
+96316.com, 1
+9632.cf, 1
+9633.cf, 1
+96448.com, 1
+964515.com, 1
+96577.com, 1
+96606.com, 1
+96607.com, 1
+96658.com, 1
+9666ks.com, 1
+96678.com, 0
+96685.com, 1
+966ty.com, 1
+967606.com, 1
+967you.com, 1
+968860.com, 1
+96896.com, 1
+96961.com, 1
+9697cp.com, 1
+9700.cf, 1
+9701.cf, 1
+9702.cf, 1
+9703.cf, 1
+9705.cf, 1
+9706.cf, 1
+9707.cf, 1
+9708.cf, 1
+9709.cf, 1
+970locksmithservices.tech, 0
+9710.cf, 1
+9711.cf, 1
+9712.cf, 1
+9714.cf, 1
+9716.cf, 1
+9717.cf, 1
+9718.cf, 1
+9719.cf, 1
+9720.cf, 1
+9721dh.com, 1
+9721hd.com, 1
+9721o.com, 1
+9721ss.com, 0
+9722.cf, 1
+9723.cf, 1
+9724.cf, 1
+9725.cf, 1
+9726.cf, 1
+9727.cf, 1
+9728.cf, 1
+9728.com, 1
+9728a.co, 1
+9728aa.co, 1
+9728b.co, 1
+9728bb.co, 0
+9728c.co, 1
+9728cc.co, 1
+9728d.co, 1
+9728dd.co, 1
+9728dh.com, 1
+9728dns.com, 1
+9728dz.com, 1
+9728e.co, 1
+9728ee.co, 1
+9728f.co, 1
+9728ff.co, 1
+9728g.co, 1
+9728gg.co, 1
+9728h.co, 1
+9728hb.com, 0
+9728hd.com, 1
+9728hh.co, 1
+9728i.co, 1
+9728ii.co, 1
+9728j.co, 1
+9728jj.co, 1
+9728k.co, 1
+9728kk.co, 1
+9728l.co, 1
+9728ll.co, 1
+9728m.co, 1
+9728mm.co, 1
+9728n.co, 1
+9728nn.co, 1
+9728o.co, 1
+9728oo.co, 1
+9728p.co, 1
+9728pp.co, 1
+9728q.co, 1
+9728qq.co, 1
+9728r.co, 1
+9728rr.co, 1
+9728s.co, 1
+9728ss.co, 1
+9728sx.com, 1
+9728t.co, 1
+9728tt.co, 1
+9728u.co, 1
+9728uu.co, 1
+9728v.co, 1
+9728vv.co, 1
+9728w.co, 1
+9728ww.co, 1
+9728x.co, 1
+9728xx.co, 1
+9728y.co, 1
+9728yy.co, 1
+9728z.co, 1
+9728zz.co, 1
+9729.cf, 1
+972citizenjournalism.org, 1
+972mag.com, 1
+9730.cf, 1
+9731.cf, 1
+9732.cf, 1
+9733.cf, 1
+973325.com, 1
+9734.cf, 1
+9735.cf, 1
+9736.cf, 1
+9737.cf, 1
+9738.cf, 1
+9739.cf, 1
+9740.cf, 1
+9741.cf, 1
+9742.cf, 1
+9743.cf, 1
+9744.cf, 1
+9745.cf, 1
+9746.cf, 1
+9747.cf, 1
+9748.cf, 1
+9749.cf, 1
+9750.cf, 1
+9751.cf, 1
+9752.cf, 1
+9753.cf, 1
+9754.cf, 1
+9756.cf, 1
+9757.cf, 1
+9758.cf, 1
+9759.cf, 1
+976-tuna.com, 1
+9760.cf, 1
+9761.cf, 1
+9764.cf, 1
+9765.cf, 1
+9766.cf, 1
+9767.cf, 1
+97736.com, 1
+97738.com, 0
+977395.com, 1
+977kb.com, 1
+97bros.com, 1
+97m.cc, 1
+9800.cc, 1
+9801.cf, 1
+980709.xyz, 1
+9822.bz, 0
+9822am.com, 1
+9822cn.com, 1
+9822hk.com, 1
+9822ph.com, 1
+9822tw.com, 1
+9822usa.com, 1
+982453.com, 1
+982zzz.com, 1
+984.ch, 1
+9859365.com, 0
+985ccc.com, 1
+986ccc.com, 1
+9877bet.com, 1
+987987.com, 1
+987kisscountry.com, 1
+988.gov, 1
+9882258.com, 1
+9883358.com, 1
+9884458.com, 1
+98877.com, 1
+98944448.com, 1
+98944449.com, 1
+98944555.com, 1
+98944666.com, 1
+98944888.com, 1
+98999555.com, 1
+98999666.com, 1
+98e.site, 1
+98laba.com, 0
+98laba.net, 0
+9901.cf, 1
+9901.ml, 1
+9902.cf, 1
+9902.ml, 1
+9903.cf, 1
+990313.xyz, 1
+9904.cf, 1
+9904.ml, 1
+9905.cf, 1
+9905.ml, 1
+9906.cf, 1
+9906.ml, 1
+9907.cf, 1
+9908.cf, 1
+9908.ml, 1
+9909.cf, 1
+9910.cf, 1
+9912.cf, 1
+9913.cf, 1
+9914.cf, 1
+9915.cf, 1
+9917.cf, 1
+9918.cf, 1
+9920.cf, 1
+9921.cf, 1
+9923.cf, 1
+9925.cf, 1
+9926.cf, 1
+9927.cf, 1
+9928.cf, 1
+992ccc.com, 1
+9930.cf, 1
+9931.cf, 1
+9932.cf, 1
+99321365.com, 0
+9933445.com, 1
+9934.cf, 1
+9935.cf, 1
+9936.cf, 1
+99365t.com, 1
+9937.cf, 1
+9938.cf, 1
+9939.cf, 1
+9940.cf, 1
+9941.cf, 1
+9941y.top, 1
+9942.cf, 1
+9943.cf, 1
+99456j.com, 0
+9946.cf, 1
+9947.cf, 1
+9948.cf, 1
+9949.cf, 1
+9950.cf, 1
+9951.cf, 1
+99511.fi, 1
+9952.cf, 1
+9953.cf, 1
+9954.cf, 1
+9957.cf, 1
+9958.cf, 1
+9959.cf, 1
+99599.fi, 0
+99599.net, 0
+995ccc.com, 1
+9961.cf, 1
+9962.cf, 1
+9963.cf, 1
+9964.cf, 1
+9965.cf, 1
+9967.cf, 1
+9968.cf, 1
+9968101.com, 0
+9968110.com, 0
+9968121.com, 0
+9968159.com, 0
+9968161.com, 0
+9968202.com, 0
+9968232.com, 0
+9968235.com, 0
+9968285.com, 0
+9968303.com, 0
+9968321.com, 0
+9968343.com, 1
+9968359.com, 0
+9968368.com, 0
+9968383.com, 0
+9968454.com, 0
+9968565.com, 0
+9968595.com, 0
+9968606.com, 0
+9968676.com, 1
+9968678.com, 0
+9968787.com, 0
+9968808.com, 0
+9968909.com, 0
+9968959.com, 0
+9968989.com, 0
+9968aaa.com, 1
+9968good.com, 0
+9968live.com, 0
+9968love.com, 0
+9968xl.com, 1
+9968xpj.com, 0
+9969.cf, 1
+9970.cf, 1
+9971.cf, 1
+9972.cf, 1
+9973.cf, 1
+9974.cf, 1
+9975.cf, 1
+9976.cf, 1
+9977432.com, 1
+9978.cf, 1
+9979.cf, 1
+997z6.com, 1
+9980.cf, 1
+9982.cf, 1
+9983.cf, 1
+9984.cf, 1
+9986.cf, 1
+998sa.com, 1
+998wei.com, 1
+998wns.com, 1
+999003.xyz, 1
+999004.xyz, 1
+999005.xyz, 1
+9990058.com, 1
+999006.xyz, 1
+999008.xyz, 1
+999011.xyz, 1
+999014.xyz, 1
+999015.xyz, 1
+999016.xyz, 1
+999017.xyz, 1
+999018.xyz, 1
+999019.xyz, 1
+999021.xyz, 1
+999023.xyz, 1
+999024.xyz, 1
+999025.xyz, 1
+999026.xyz, 1
+999027.xyz, 1
+999028.xyz, 1
+999029.xyz, 1
+999030.xyz, 1
+999031.xyz, 1
+999032.xyz, 1
+999033.xyz, 1
+999034.xyz, 1
+999035.xyz, 1
+999036.xyz, 1
+999037.xyz, 1
+999038.xyz, 1
+999040.xyz, 1
+999041.xyz, 1
+999042.xyz, 1
+999043.xyz, 1
+999044.xyz, 1
+999045.xyz, 1
+999046.xyz, 1
+999047.xyz, 1
+999048.xyz, 1
+999049.xyz, 1
+999050.xyz, 1
+999051.xyz, 1
+999052.xyz, 1
+999053.xyz, 1
+999054.xyz, 1
+999055.xyz, 1
+999056.xyz, 1
+999057.xyz, 1
+999058.xyz, 1
+999059.xyz, 1
+999060.xyz, 1
+999061.xyz, 1
+999062.xyz, 1
+999063.xyz, 1
+999064.xyz, 1
+999065.xyz, 1
+999067.xyz, 1
+999068.xyz, 1
+999070.xyz, 1
+999072.xyz, 1
+999073.xyz, 1
+999074.xyz, 1
+999075.xyz, 1
+999076.xyz, 1
+999078.xyz, 1
+999079.xyz, 1
+999080.xyz, 1
+999081.xyz, 1
+999082.xyz, 1
+999083.xyz, 1
+999084.xyz, 1
+999085.xyz, 1
+999086.xyz, 1
+999089.xyz, 1
+999092.xyz, 1
+999093.xyz, 1
+999094.xyz, 1
+999095.xyz, 1
+999096.xyz, 1
+999097.xyz, 1
+999098.xyz, 1
+9991.cf, 1
+9991158.com, 1
+9992258.com, 1
+999321365.com, 1
+9993358.com, 1
+999365t.com, 1
+9994.cf, 1
+9994553.com, 1
+9995558.com, 1
+999700.xyz, 1
+999814.com, 1
+9998722.com, 1
+9998k8.com, 1
+99998522.com, 1
+99999822.com, 1
+999998722.com, 1
+999aicai.com, 1
+999bet86.com, 1
+999btt.net, 1
+999salon.co, 1
+999salon.com, 1
+999zlong.com, 1
+99bt.com, 1
+99buffets.com, 1
+99casinos.com, 1
+99dog.com, 1
+99ffaaa.com, 1
+99ffbbb.com, 1
+99ffccc.com, 1
+99ffddd.com, 1
+99ffeee.com, 1
+99fffaa.com, 1
+99fffbb.com, 1
+99fffcc.com, 1
+99fffdd.com, 1
+99fffee.com, 1
+99fffgg.com, 1
+99fffhh.com, 1
+99fffii.com, 1
+99fffjj.com, 1
+99fffkk.com, 1
+99fffll.com, 1
+99fffmm.com, 1
+99fffnn.com, 1
+99fffoo.com, 1
+99fffpp.com, 1
+99fffqq.com, 1
+99fffrr.com, 1
+99fffss.com, 1
+99ffftt.com, 1
+99fffuu.com, 1
+99fffvv.com, 1
+99fffww.com, 1
+99fffxx.com, 1
+99fffyy.com, 1
+99fffzz.com, 1
+99ffggg.com, 1
+99ffhhh.com, 1
+99ffiii.com, 1
+99ffjjj.com, 1
+99ffkkk.com, 1
+99fflll.com, 1
+99ffmmm.com, 1
+99ffnnn.com, 1
+99ffooo.com, 1
+99ffppp.com, 1
+99ffqqq.com, 1
+99ffrrr.com, 1
+99ffsss.com, 1
+99ffttt.com, 1
+99ffuuu.com, 1
+99ffvvv.com, 1
+99ffwww.com, 1
+99ffxxx.com, 1
+99ffyyy.com, 1
+99ffzzz.com, 1
+99furnitureideasandtips.gq, 1
+99furnitureideasexamples.ga, 1
+99laptops.com, 1
+99lib.net, 1
+99music.com, 1
+99naturalfoods.de, 1
+99perf.com, 1
+99qp.org, 1
+99rst.org, 1
+99sitedesign.com, 1
+99spokes.com, 1
+99wxt.com, 1
+9ag88.com, 1
+9articles.org, 1
+9baka.top, 1
+9bet86.com, 1
+9ccn.top, 1
+9de.net, 1
+9elements.com, 0
+9etl.com, 1
+9fruit.com, 1
+9fvip.net, 1
+9gag.com, 1
+9hosts.net, 1
+9i0.com, 1
+9iwan.net, 1
+9jajuice.com, 1
+9k262.com, 1
+9k267.com, 0
+9k268.com, 1
+9k269.com, 1
+9k282.com, 1
+9k285.com, 1
+9k323.com, 1
+9k329.com, 1
+9k337.com, 1
+9k339.com, 1
+9k373.com, 1
+9k376.com, 1
+9k379.com, 1
+9k387.com, 1
+9k388.com, 1
+9k389.com, 1
+9k392.com, 1
+9k393.com, 1
+9k397.com, 1
+9k562.com, 1
+9k566.com, 1
+9k568.com, 1
+9k569.com, 1
+9k572.com, 1
+9k573.com, 1
+9k585.com, 1
+9k586.com, 1
+9k587.com, 1
+9k626.com, 1
+9k632.com, 1
+9k636.com, 1
+9k638.com, 1
+9k653.com, 1
+9k658.com, 1
+9k662.com, 1
+9k663.com, 1
+9k665.com, 1
+9k667.com, 1
+9k668.com, 1
+9k669.com, 1
+9k675.com, 1
+9k682.com, 1
+9k686.com, 1
+9k689.com, 1
+9k693.com, 1
+9k696.com, 1
+9k698.com, 1
+9k823.com, 1
+9k825.com, 1
+9k826.com, 1
+9k828.com, 1
+9k829.com, 1
+9k832.com, 1
+9k833.com, 1
+9k835.com, 1
+9k836.com, 1
+9k837.com, 1
+9k852.com, 1
+9k855.com, 1
+9k857.com, 1
+9k858.com, 1
+9k859.com, 1
+9k862.com, 1
+9k865.com, 1
+9k866.com, 1
+9k867.com, 1
+9k869.com, 1
+9k872.com, 1
+9k873.com, 0
+9k875.com, 1
+9k877.com, 1
+9k879.com, 1
+9k883.com, 1
+9k885.com, 1
+9k886.com, 1
+9k889.com, 1
+9k892.com, 1
+9k893.com, 1
+9k895.com, 0
+9k896.com, 1
+9k897.com, 1
+9k898.com, 1
+9k899.com, 1
+9kb.xyz, 1
+9l.com.au, 1
+9lab.jp, 1
+9mp.ro, 1
+9nu.org, 0
+9ostech.com, 1
+9pkfz.com, 1
+9pm.com.vn, 1
+9point6.com, 1
+9riddles.com, 1
+9sw.de, 1
+9tailedkitsune.com, 1
+9tl.ru, 1
+9to5linux.com, 1
+9to5notes.in, 1
+9uelle.jp, 0
+9ungnir.xyz, 1
+9vx.org, 1
+9xbuddy.com, 1
+9xbuddy.xyz, 1
+9xmoviesapp.com, 1
+9yw.me, 1
+9zlatan9.tk, 1
+a-1waterproofing.com, 1
+a-allard.be, 0
+a-b.ee, 1
+a-better-planet.com, 0
+a-busty.com, 1
+a-care.net, 1
+a-classinflatables.co.uk, 1
+a-dish.com, 1
+a-frique.com, 1
+a-gokan.com, 1
+a-h-p.de, 1
+a-hitoduma.com, 1
+a-invest.de, 1
+a-ix.net, 1
+a-lexx.de, 1
+a-little-linux-box.at, 1
+a-louest.info, 1
+a-moe.com, 1
+a-oben.org, 1
+a-players.team, 1
+a-pools.com.ua, 0
+a-raven.corsica, 1
+a-s-motors.ru, 1
+a-shirouto.com, 1
+a-starbouncycastles.co.uk, 1
+a-systems.ru.com, 1
+a-up.info, 1
+a-wife.net, 1
+a.ac, 1
+a.tt, 1
+a.wtf, 1
+a00228.com, 1
+a01sa01to.com, 1
+a04gameapp.com, 1
+a04webapp.com, 1
+a05webapp.com, 1
+a06.ch, 1
+a06.me, 1
+a06gameapp.com, 1
+a06webapp.com, 1
+a1.ro, 1
+a11ybadges.com, 1
+a11ywatch.com, 1
+a122.cc, 1
+a12k.nz, 0
+a13x.uk, 1
+a163.top, 1
+a1bouncycastlehire.com, 1
+a1cashforcar.com.au, 1
+a1cdrinks.com, 1
+a1cookingequipment.com.au, 1
+a1expresscarremoval.com.au, 1
+a1hypnosis.ga, 1
+a1jumpandbounce.co.uk, 1
+a1post.bg, 1
+a1qualityspareparts.com.au, 1
+a1scrapmetalrecyclers.com.au, 1
+a1scuba.com, 1
+a1seowebdirectory.com, 0
+a1solarstore.com, 1
+a1speedyrooter.com, 1
+a1viplimo.com, 1
+a1websitepro.com, 1
+a210.online, 1
+a22z.xyz, 1
+a24dmng.de, 1
+a24help.ru, 1
+a2a.me, 1
+a2c-co.net, 1
+a2censo.com, 1
+a2ch.ru, 1
+a2g.io, 1
+a2gamer.com, 1
+a2n-expertise.com, 1
+a2ssrl.duckdns.org, 1
+a2zplumbing.com.au, 1
+a2zva.com, 1
+a30.tokyo, 0
+a340.com, 1
+a356.top, 1
+a36533.com, 1
+a365vip2.com, 0
+a365vip3.com, 0
+a365vip5.com, 0
+a365vip9.com, 0
+a3m.gmbh, 1
+a3mobile.com, 1
+a3sys-elodie.fr, 1
+a4.com, 1
+a4pmu.net, 1
+a4sound.com, 1
+a5197.co, 1
+a632079.me, 1
+a64.me, 1
+a66.la, 0
+a6619.com, 1
+a6621.com, 1
+a6623.com, 1
+a6627.com, 1
+a6631.com, 1
+a6651.com, 1
+a6652.com, 1
+a6657.com, 0
+a6659.com, 0
+a6671.com, 0
+a6672.com, 0
+a6673.com, 0
+a6675.com, 0
+a6682.com, 0
+a6683.com, 0
+a6687.com, 0
+a6691.com, 0
+a6692.com, 0
+a6695.com, 0
+a6729.co, 1
+a6729.com, 0
+a6957.co, 1
+a77018.com, 0
+a7m2.me, 1
+a7sa2eat.com, 1
+a82365.com, 1
+a8438pb3.com, 1
+a88fc.com, 1
+a899365.com, 0
+a9-9.top, 1
+a9297.co, 1
+a9721.com, 1
+a9728.co, 1
+aa00228.com, 0
+aa43d.cn, 1
+aa5197.co, 1
+aa6688.net, 0
+aa6729.co, 1
+aa6729.com, 0
+aa6957.co, 1
+aa793.com, 0
+aa9297.co, 1
+aa9728.co, 1
+aaa-racing.com, 1
+aaa-racing.net, 1
+aaa.ma, 1
+aaa.my, 1
+aaa.ua, 1
+aaablindfactory.com, 1
+aaacomms.com, 1
+aaahosting70.de, 1
+aaainfosystems.com, 1
+aaapl.com, 1
+aaaplumbers.com, 1
+aaapo.com.br, 1
+aaapucrio.com.br, 1
+aabanet.com.br, 1
+aabeltech.com, 1
+aabenjaminjewelry.com, 0
+aacc.ac, 1
+aachen-quiz.de, 1
+aacs-design.com, 1
+aad-gp.com, 1
+aadl.ga, 1
+aadv.com.br, 1
+aaflalo.me, 1
+aagetransport.no, 1
+aahhbali.com, 1
+aaic.ca, 1
+aajkakavi.in, 0
+aalalbayt.com, 1
+aalalbayt.net, 1
+aalaslearninglibrary.org, 1
+aalen.tk, 1
+aalianbinhaider.ml, 1
+aalright.org, 1
+aalstmotors-usedcars.be, 1
+aaltocapital.com, 1
+aaltocapital.de, 1
+aaltocapital.fi, 1
+aama.tk, 1
+aamlive.com, 1
+aamt.es, 1
+aan-shop.co.il, 1
+aandachtsmeditatie.nl, 1
+aandeautobody.com, 1
+aandkevents.co.uk, 1
+aanhuisgebakken.tk, 1
+aanlynskool.co.za, 1
+aanwp.com, 1
+aanyasri.com, 1
+aaogaragedoorrepairaustin.com, 1
+aaomidi.com, 1
+aaoth.xyz, 1
+aapant.org.au, 0
+aapifund.org, 1
+aapipower.org, 0
+aappb.org, 1
+aappe.fr, 0
+aaprotocol.tk, 1
+aarailfan.com, 1
+aardvarksoep.nl, 1
+aareptan.ch, 1
+aarestation.ch, 1
+aarhus-protein.dk, 1
+aarhusinside.dk, 1
+aariefhaafiz.com, 1
+aarisings.com, 1
+aarklendoia.com, 1
+aaron-gustafson.com, 0
+aaron-russell.co.uk, 1
+aaron-schaal.de, 1
+aaron-smith-cpa.com, 1
+aaronbonine.com, 1
+aaronburrows.com, 1
+aaronchiangmd.com, 1
+aaronfurtado.com, 1
+aaronhorler.com, 1
+aaronmaar.de, 1
+aaronosmani.com, 1
+aaronr.digital, 1
+aarons.law, 1
+aaronsilber.me, 1
+aaronsmunpra.com, 1
+aaronspain.tk, 1
+aarontechnology.net, 1
+aarquiteta.com.br, 1
+aarsen.me, 1
+aarsunwoods.com, 0
+aartbouman.nl, 1
+aarvinproperties.com, 1
+aarwer.com, 1
+aarwer.jp, 1
+aasumitro.id, 1
+aasvets.co.uk, 1
+aatf.us, 1
+aati.be, 1
+aati.info, 1
+aatq.eu, 1
+aatq.nl, 1
+aattrans.com, 1
+aau.edu, 1
+aautoline.tk, 1
+aavaa.org, 1
+aave.com, 0
+aavienna.com, 1
+aawt.net.au, 0
+aayan.com, 1
+aayub.xyz, 1
+ab-design.tk, 1
+ab-pflege.de, 1
+ab-solutepilates.com, 1
+ab-uk.com, 1
+ab-west.tk, 1
+ab288.com, 1
+ab2888.cn, 1
+ab2web.com, 1
+ab91corp.com, 1
+abaapplianceservice.com, 1
+abaaustin.com, 1
+abaca.bar, 1
+abaco.cr, 1
+abaconappliancerepairs.co.za, 1
+abacross.com, 1
+abacus-essen.de, 1
+abacus-marketing.uk, 1
+abacus.ai, 0
+abacus.com, 1
+abacusbouncycastle.co.uk, 1
+abacusfi.com, 1
+abacuslouisville.com, 1
+abacusnt.es, 1
+abacuste.ch, 1
+abacustech.co.jp, 1
+abacustech.jp, 1
+abacustech.net, 1
+abacustech.org, 1
+abadie-architecture.com, 1
+abaev.uk, 1
+abag.nu, 1
+abahanavillas.com, 1
+abalsa.tk, 1
+abambo.tk, 1
+abancommercials.com, 1
+abandoned-zone.tk, 1
+abandoned.tk, 1
+abandonedmines.gov, 1
+abanico.tk, 1
+abanilla.tk, 1
+abantoclub.com, 1
+abantos.tk, 1
+abaranov.cf, 1
+abaranov.gq, 1
+abarquinha.tk, 1
+abas-erp.com, 1
+abasalehngo.com, 1
+abashevo.ml, 1
+abashevo.tk, 1
+abasite.tk, 1
+abasky.net, 1
+abasteo.mx, 1
+abastor.tk, 1
+abateroad66.it, 1
+abattepeluqueriacitas.com, 1
+abay-today.tk, 1
+abbas.ch, 1
+abbaye-chaise-dieu.com, 1
+abbevillecountysc.gov, 1
+abbeycarefoundation.com, 1
+abbeyvetspets.co.uk, 1
+abbl.com, 1
+abborsjo.fi, 1
+abbotkinneys.com, 1
+abbottscastles.co.uk, 1
+abbreviated-adult-course.com, 1
+abbuc.de, 1
+abbyairsoft.tk, 1
+abbystrange.com, 1
+abbyvangrinsven.co.nz, 1
+abc-kinderbetreuung.at, 1
+abc-people.tk, 1
+abc-pneupascher.eu, 1
+abc-rz.de, 1
+abc.li, 1
+abc001.ga, 1
+abc123autumn.com, 1
+abc15.com, 1
+abcbouncyfactory.co.uk, 1
+abcc.dk, 1
+abccomputerservices.com, 0
+abcdreamusa.com, 1
+abcdthesis.net, 1
+abcensax.tk, 1
+abcfinance.co.uk, 0
+abcgruppen.se, 1
+abch2o.net, 1
+abcheck.se, 1
+abcideabased.com, 1
+abcine.tk, 1
+abckam.com, 1
+abclyrics.tk, 1
+abcode.ml, 1
+abcorporate-aviation.com, 1
+abcorporate-aviation.fr, 1
+abcpartyhire.com, 1
+abcprodutosvirtuais.com.br, 1
+abcrcm.com, 1
+abcstudio.com.au, 1
+abcsystem.ml, 1
+abctaylor.com, 1
+abctwenty.xyz, 1
+abcum.com, 1
+abdel.me, 1
+abdelali.tk, 1
+abdelalidev.ml, 1
+abdelaliezzyn.tk, 1
+abdelsater.net, 1
+abdened.tk, 1
+abdesign.tk, 1
+abdijmale.tk, 1
+abdl.link, 1
+abdsirketim.com, 0
+abdul.cloud, 1
+abdul.win, 1
+abdulawal.tk, 1
+abdulazizgolca.com, 1
+abdulkarimm.tk, 1
+abdullaeff.net, 1
+abdullahavci.com, 1
+abdullahavci.com.tr, 1
+abdullahavci.net, 1
+abdullahavci.net.tr, 1
+abdullahavci.org, 1
+abdullahavci.org.tr, 1
+abdullahki.com, 1
+abdullahzubayerofficial.ml, 1
+abdulraheem.org, 1
+abdulraheemalick.com, 1
+abdulrahman.eu, 1
+abdulwahaab.ca, 1
+abduramshad.ml, 1
+abdurrahmangazidis.tk, 1
+abdurrehman.tk, 1
+abe-elektro.de, 1
+abe-medical.jp, 1
+abecedarios.co, 1
+abecodes.net, 1
+abecon.com.br, 1
+abeervinum.it, 1
+abeestrada.com, 0
+abeilleduhain.be, 1
+abelbarretto.tk, 1
+abella.ro, 1
+abellagranitecountertops.com, 1
+abellao.com, 1
+abelles.cf, 1
+abelles.gq, 1
+abelles.ml, 1
+abelles.tk, 1
+abelrubio.me, 1
+abelsflooringandtile.com, 1
+abemarx.hu, 1
+abenteuer-kindheit.com, 1
+abenteuerschule4u.eu, 1
+abenteuerteam.de, 1
+abeontech.com, 1
+aber.travel, 1
+aberdeenairportparking24.co.uk, 1
+aberdeenalmeras.com, 1
+aberdeencriticalmass.tk, 1
+aberon.pl, 1
+aberrantvascular.tk, 1
+aberson.nl, 1
+abetterdeath.com, 1
+abetterwichita.org, 1
+abeus.com, 1
+abfluss.com, 1
+abg.com.sa, 1
+abg.ninja, 1
+abgeo.ga, 1
+abgrafstenen.nl, 1
+abhaken.com, 1
+abhaldus.ee, 1
+abhayaranya.com, 1
+abhijit.today, 1
+abhijitvalluri.com, 1
+abhisharma.me, 1
+abhishekkabdijain.tk, 1
+abhy.net, 1
+abi-2017.tk, 1
+abi-fvs.de, 1
+abi95oha.de, 1
+abiapp.net, 1
+abibliasagrada.tk, 1
+abicem.co.uk, 1
+abidinginhesed.com, 1
+abierta.cr, 1
+abigailfriedland.com, 1
+abigailstark.com, 1
+abigisp.com, 1
+abigruppe.de, 1
+abileneef.org, 1
+abilenemachine.com, 0
+abilities-inc.jp, 1
+abilityone.gov, 1
+abilix.tk, 1
+abilma.com, 1
+abilymp06.net, 1
+abilympics.org.au, 1
+abimelec.com, 0
+abinferis.com, 1
+abinmetall.ru, 1
+abinyah.com, 1
+abirmas.com, 1
+abitaspringsla.gov, 1
+abitech.tk, 1
+abitextra.eu, 1
+abitextra.org, 1
+abitidalavoro.roma.it, 1
+abitidasposa.roma.it, 1
+abiturient-test.tk, 1
+abivert-piscines.fr, 1
+abk.com.tr, 1
+abkhazianews.tk, 1
+abl.com, 0
+ablauf.com, 1
+ablebits.com, 1
+ablecha.tk, 1
+ablehorsehandlers.au, 1
+ablehorsehandlers.com, 1
+ablehorsehandlers.com.au, 1
+ablehorsehandlers.net.au, 1
+ablehorsetransport.au, 1
+ablehorsetransport.com, 1
+ablehorsetransport.com.au, 1
+ablehorsetransport.net.au, 1
+ableitungsrechner.net, 1
+ableprop.net, 1
+abli.at, 1
+abli.eu, 1
+abli.info, 1
+abli.li, 1
+ablmultiservice.nl, 1
+abloop.com, 1
+ablx.de, 1
+abmackenzie.com, 1
+abmahnhelfer.de, 1
+abmc.gov, 1
+abmelden.com, 1
+abminiplex.in, 1
+abminv.com, 1
+abmledger.ca, 1
+abn-consultants.ie, 1
+abnamropensioenen.nl, 0
+abnarnro.com, 0
+abnbfcu.org, 1
+abnehmen-sport-fitness.de, 1
+abnobapetstore.co.uk, 1
+abnradiofm.tk, 1
+abo-iptv.com, 1
+aboces.org, 1
+abogadoperu.com, 1
+abogadophd.com, 1
+abogadoscav.com, 1
+abogadosescobarysanchez.es, 1
+abogehad.tk, 1
+abol.us, 1
+abolicionistas.com, 1
+abolition.net, 1
+abolitionism.ca, 1
+abolitionism.co.uk, 1
+abolitionism.com, 1
+abolitionism.in, 1
+abolitionism.net, 1
+abolitionism.us, 1
+abolitionist-movement.com, 1
+abolitionist-project.com, 1
+abolitionist-society.com, 1
+abolitionist.ca, 1
+abolitionist.co.uk, 1
+abolitionist.com, 1
+abolitionist.in, 1
+abolitionist.net, 1
+abolitionist.us, 1
+abolitionistparty.com, 1
+abolitionistproject.com, 1
+abolitionistsociety.com, 1
+abolitionniste.com, 1
+abolitionofspeciesism.tk, 1
+abolizionista.com, 1
+abona24.de, 1
+abonegma.com, 1
+abonemnet.tk, 1
+abonentka.tk, 1
+abonilla.com, 0
+aborla.net, 1
+abormez.es, 1
+aborto.tk, 1
+abortopr.com, 1
+abos.eu, 0
+aboticaprodutosnaturais.com, 1
+abouncycastleman.co.uk, 1
+about-bangladesh.tk, 1
+about-e-bags.tk, 1
+about-it.pl, 1
+about-jewelry.tk, 1
+about-sects-and-cults.tk, 1
+about.gq, 1
+about.photos, 1
+aboutadhd.com, 1
+aboutajax.tk, 1
+aboutamit.com, 1
+aboutandroid.tk, 1
+aboutconstruction.ga, 1
+aboutconstruction.gq, 1
+aboutconstruction.ml, 1
+aboutdelphi.tk, 1
+aboutdiabetesinfo.gq, 1
+aboutearning.tk, 1
+aboutfranciscomartinez.tk, 1
+aboutgrills.tk, 1
+abouthistory.tk, 1
+abouthrm.nl, 1
+aboutict.nl, 1
+aboutislam.tk, 1
+aboutlaserremoval.com, 1
+aboutlegal.nl, 1
+aboutlevi.ga, 1
+aboutmarketing.ga, 1
+aboutmedia.nl, 1
+aboutmedicine.tk, 1
+aboutmoney.tk, 1
+aboutmusicals.tk, 1
+aboutmyip.info, 1
+aboutmyproperty.ca, 1
+aboutpublishers.nl, 1
+aboutrom.tk, 1
+aboutshakil.cf, 1
+aboutshakil.tk, 1
+aboutsk.tk, 1
+aboutsleep.com.ua, 1
+abouttablewares.tk, 1
+abouttime.gq, 1
+abouttravel.gq, 1
+aboutwealthcreation.tk, 1
+aboutyou.at, 1
+aboutyou.be, 1
+aboutyou.bg, 1
+aboutyou.ch, 1
+aboutyou.com, 1
+aboutyou.cz, 1
+aboutyou.de, 1
+aboutyou.dk, 1
+aboutyou.ee, 1
+aboutyou.es, 1
+aboutyou.fi, 1
+aboutyou.gr, 1
+aboutyou.hr, 1
+aboutyou.hu, 1
+aboutyou.ie, 1
+aboutyou.it, 1
+aboutyou.lt, 1
+aboutyou.lv, 1
+aboutyou.nl, 1
+aboutyou.no, 1
+aboutyou.pl, 1
+aboutyou.pt, 1
+aboutyou.ro, 1
+aboutyou.se, 1
+aboutyou.si, 1
+aboutyou.sk, 1
+aboveall.love, 1
+abovethefirehouse.com, 1
+abox-kb.com, 1
+abpages.com, 1
+abpis.hr, 1
+abplive.com, 1
+abplusz.hu, 1
+abr.ru, 1
+abracadabramagicas.com.br, 1
+abrah.am, 1
+abrahamboray.tk, 1
+abrahametalero.tk, 1
+abram-lab.ir, 1
+abramochkin.tk, 1
+abramovich.tk, 1
+abramowskimi.tk, 1
+abramsand.co, 1
+abraofilho.blog.br, 1
+abrarahmed.tk, 1
+abraxan.pro, 1
+abraxas-apis.ch, 1
+abraxas-apps.ch, 1
+abre.cloud, 1
+abreactive.com, 1
+abreactive.net, 1
+abreactive.org, 1
+abrec.cf, 1
+abrec.ga, 1
+abrecenze.cz, 1
+abri29.com, 0
+abrilect.com, 1
+abritek.ca, 1
+abrody.com, 1
+abroferlendo.tk, 1
+abrolhosoctopus.com, 1
+abrupt.co, 1
+abruptgames.com, 1
+absat.tk, 1
+abschleppdienst-in-recklinghausen.de, 1
+abseher-technology.com, 1
+abseits.org, 0
+absentia.cf, 1
+absinsurance.com, 1
+absolab.xyz, 1
+absolem.cc, 1
+absoluav.com, 1
+absoluconseils.com, 1
+absolucopine.com, 1
+absolugroupe.com, 1
+absoluphoto.com, 1
+absoluteblack.cc, 1
+absolutebritney.com, 1
+absolutechristmas.com, 1
+absolutedouble.co.uk, 1
+absolutegames.ga, 1
+absolutepondcare.com, 1
+absoluterush.net, 1
+absoluteup.com.au, 1
+absolutezero.tk, 1
+absolution.ga, 1
+absolutperm.tk, 1
+absolutweb.tk, 1
+abssoft.tk, 1
+abstechs.ae, 1
+abstimmen.online, 1
+abstract27.com, 1
+abstractbarista.com, 1
+abstractbarista.net, 0
+abstractive.ai, 1
+abstudio.de, 1
+absurdia.tk, 1
+absurdopedia.wiki, 1
+absyscyborg.com, 1
+abteam.tk, 1
+abtech.link, 1
+abteutonia.de, 1
+abth.tk, 1
+abtherapy.co.uk, 1
+abthorpe.org, 1
+abtinheydari.tk, 1
+abu-auftrag.ch, 1
+abu-nour.tk, 1
+abuahmed.ga, 1
+abulanov.com, 1
+abun-motorsport.tk, 1
+abundent.com, 1
+abusamraphotography.tk, 1
+abuse.cat, 1
+abuse.ch, 1
+abuse.fi, 1
+abuse.io, 1
+abusive-host.tk, 1
+abuzihipnoterapi.com, 1
+abuziyadhsds.com, 1
+abvent.net, 0
+abvlbasketviganello.ch, 0
+aby-action.com, 1
+abyaction.net, 1
+abys.se, 1
+abysra.com, 1
+abyss.moe, 1
+abysse.tk, 1
+abyssinian.ga, 1
+abyssproject.net, 1
+abysswebsite.tk, 1
+abzarkosaran.ir, 1
+abzunraid.com, 1
+ac-admin.pl, 1
+ac-booster.net, 1
+ac-evalar.ru, 1
+ac-spain.tk, 1
+ac-town.com, 1
+ac-trust.ru, 1
+ac.id.au, 1
+ac.milan.it, 1
+ac0g.dyndns.org, 1
+ac8.es, 1
+acab.love, 1
+acachau.synology.me, 1
+acacia-gardens.co.uk, 1
+academiacivilbalonmano.tk, 1
+academiacomercialalpina.com, 1
+academiadelmolino.com.uy, 1
+academiadeufologia.com.br, 1
+academiaeureka.tk, 1
+academiaofimage.com, 1
+academiasdemodelos.com, 0
+academic-master.com, 1
+academica.nl, 1
+academicassignmentexperts.com, 1
+academichealthscience.net, 1
+academichelp.gq, 1
+academie-angoumois.org, 1
+academie-de-police.ch, 0
+academika.tk, 1
+academkin.com, 1
+academy-awards.ml, 1
+academyonlinetoyou.tk, 1
+academyruins.com, 1
+academytv.com.au, 1
+acadiate.com, 1
+acaeum.com, 0
+acafellas.com, 1
+acalcio.ga, 1
+acallawayroofing.com, 1
+acaltair.com, 1
+acandroid.top, 1
+acani.xyz, 1
+acaonegocios.com.br, 1
+acapadena.co, 1
+acapana.com, 1
+acapara.net, 1
+acapellalanguage.tk, 1
+acapetahua.tk, 1
+acaptureservices.com, 1
+acara.edu.au, 1
+acasadavella.tk, 1
+acasadoprodutor.com.br, 1
+acaseta.com, 1
+acat.io, 1
+acatec.de, 1
+acatiimi.fi, 1
+acb.com.vn, 1
+acbcoop.com, 1
+acbrussels-used.be, 1
+acbug2018.com, 1
+accademia24.it, 1
+accademiacimarosa.tk, 1
+accademiadelgolden.com, 1
+accademiaditruccoblog.it, 1
+accademiaprati.tk, 1
+accademiapugilistica.it, 1
+accadia.academy, 1
+accalendar17.net, 1
+accc.gov.au, 1
+acccnyc.org, 0
+accedeainternet.gov, 1
+accedia-distribution.com, 1
+accedia.net, 1
+accelaway.com, 1
+acceldigital.com.au, 1
+acceleratedreading.cf, 1
+acceleratethesale.com, 1
+accelerateyourworld.org, 1
+accelerationsummit.com, 1
+accelerator.nyc, 1
+accelerator.tk, 1
+accelsnow.com, 1
+accent-homedecor.com, 1
+accentchair.net, 1
+accentsduterroir.fr, 1
+accentwebs.ie, 1
+acces-elevation.fr, 1
+accesloges.com, 1
+accesoriiutilaje.ro, 1
+access-board.gov, 1
+access-nl.org, 1
+access-not-allowed.gq, 1
+access-odata.com, 1
+access-techniques.com, 1
+access-token.tk, 1
+accessacab.co.uk, 1
+accessauto-occasions.be, 0
+accessauto.co.uk, 1
+accessbankplc.com, 1
+accesseap.com.au, 1
+accessibility.gov, 1
+accessibilityguidelines.com, 1
+accessibledigitallearning.org, 1
+accessibletravelclub.com, 1
+accessingram.com, 1
+accessiware.com, 1
+accesskeycloning.com, 1
+accesslogisticgroup.com, 1
+accessmania.com, 0
+accessnetworks.com, 1
+accessoh.gov, 1
+accessoirescheveuxchic.com, 1
+accessoklahoma.gov, 1
+accessories-for-women.tk, 1
+accessoriesautoparts.tk, 1
+accessoripersmartphone.it, 1
+accesspress.org, 1
+accesstosystem.cf, 1
+acchan-fun.com, 1
+acchiappasognibedandbreakfast.it, 1
+accio.be, 1
+accionesyreacciones.com, 1
+accioninmobiliaria.tk, 1
+acclivity.pro, 1
+accme.co, 1
+accolade.com.br, 0
+accoladescreens.com.au, 1
+accomexico.com, 1
+accord-application.com, 1
+accordable.gq, 1
+accordimento.de, 1
+accordinnovation.org, 1
+accordproject.tk, 1
+account.gov.mo, 1
+account.gov.uk, 1
+accountancymanager.co.uk, 1
+accountingedu.org, 1
+accountmover.io, 1
+accountryclub.com, 1
+accounts.firefox.com, 1
+accounts.google.com, 1
+accountsfilingmadesimple.com, 1
+accpl.co, 1
+accpressurewashing.com, 1
+accreditamento.net, 1
+accreditedbuildingservices.com, 1
+accretech.vn, 1
+accretexperience.com, 1
+accrosoft.com, 1
+acct-affiliate.com, 1
+accubitsdemo.ml, 1
+accudemia.net, 1
+accueil-paysan.com, 1
+accueillons.org, 1
+acculex.co.uk, 1
+acculongrange.com, 1
+accuphotography.com, 1
+accuracast.com, 1
+accurainspection.com, 1
+accurateinfosolutions.in, 1
+accuride.com, 1
+accuritconsulting.com, 1
+accurx.nhs.uk, 1
+accurxinc.com, 1
+accustandard.com, 1
+accustomedicals.ga, 1
+accutint.com, 1
+accutone.com.mx, 1
+accwing.com, 1
+acd-c.ru, 1
+acdc-tech.eu, 1
+acdc-tech.lv, 1
+acdcbrasil.net, 1
+acdesignsolution.com, 1
+acdk2.de, 1
+ace-aegon.cloud, 1
+ace-clan.tk, 1
+ace-familydental.com, 1
+ace-translations.tk, 1
+ace-uk.net, 1
+ace-wiki.com, 1
+ace.one, 1
+ace0328.com, 1
+aceai.com, 1
+acealters.com, 0
+aceanswering.com, 1
+acebeam.com, 1
+acebovirtual.tk, 1
+acecardiologyclinic.com, 1
+acecerts.co.uk, 1
+acectamentit.tk, 1
+acedstudy.com, 1
+acefishing.tk, 1
+acefront.co.uk, 1
+aceinflatables.com, 1
+aceinstituteonline.com, 1
+acejunkpros.com, 1
+aceleracaodigital.com, 1
+aceleraguria.com.br, 1
+acelpb.com, 1
+acely.se, 1
+acem.org.au, 1
+acemadeira.pt, 1
+acemsa.ga, 1
+acemypaper.com, 1
+acen.edu.au, 1
+acendas.com, 1
+acendealuz.com.br, 1
+aceofdiamondspainting.com, 1
+aceofheartsgiftbaskets.com, 1
+aceparking.com, 1
+acepi.pt, 1
+acercapartners.com, 1
+acerosfortuna.com.mx, 1
+acertenoalvo.com, 1
+aceshop702.com, 1
+acetaiavaleri.it, 1
+acetudy.com, 1
+acevalar.ru, 1
+aceweb.ga, 1
+aceycity.ml, 1
+acftienda.tk, 1
+acfun.eu.org, 1
+acg.ac, 1
+acg.mn, 1
+acg.sb, 0
+acgaudio.com, 1
+acgc.nl, 1
+acgpiano.club, 1
+acgqwq.gq, 1
+acgroupvoyages.com, 1
+acgtalktw.com, 1
+acgxi.tk, 1
+achalay.org, 0
+achat-volets-roulants.fr, 1
+achatroom.co.uk, 1
+acheconcursos.com.br, 1
+achered.cf, 1
+acheter-ethylotest.fr, 1
+acheter-louer.fr, 1
+achicrip.org, 1
+achiesa.fr, 1
+achievablewellbeing.com, 1
+achievenewsfrance.tk, 1
+achiever.ga, 1
+achievingheightsacademy.com, 1
+achiksongs.tk, 1
+achildshome.com, 1
+achildshome.org, 1
+achill.org, 1
+achinsk.tk, 1
+achintyaesbee.tk, 1
+achireland.com, 1
+achkandiro.ml, 1
+achkandiro.tk, 1
+achl.fr, 1
+achlochan.tk, 1
+achmadfamily.com, 1
+achmazstore.ir, 1
+achmea.com.au, 1
+achousaude.com.br, 1
+achromatisch.de, 0
+acht-pfade.de, 1
+achtenhagen.me, 1
+achterblog.de, 1
+achterhoekseveiligheidsbeurs.nl, 1
+achtpfade.de, 1
+achtzehn.de, 1
+achtzehn.eu, 1
+achtzig20.de, 0
+aciclovir.ga, 1
+acidchrist.tk, 1
+acidoascorbico.com, 1
+acidtool.com, 1
+acierto.com, 1
+acihotel.vn, 1
+aciksite.com, 1
+acilicraft.cn, 1
+acina.fr, 1
+acingov.pt, 1
+acinq.co, 1
+acionistadevalor.com.br, 1
+acipayam.bel.tr, 1
+acisms.es, 1
+ack.tax, 1
+ackermann.ch, 1
+ackermannevents.de, 1
+ackersplastering.co.uk, 1
+acklandstainless.com.au, 1
+acl.gov, 1
+aclandia.fr, 1
+aclhire.com, 1
+aclipt.com, 0
+acloud.one, 1
+acls13.fr, 1
+aclu.org, 0
+acm.vc, 1
+acmebookkeepingsolutions.com, 1
+acmilan.gq, 1
+acmilan.ml, 1
+acnenaturalhealing.com, 1
+acnj.gov, 1
+acnjpolice.gov, 1
+acnoventa.it, 1
+acobex.be, 1
+acode.one, 1
+acodess.com, 1
+acodonline.be, 1
+acoip.net, 1
+acolicy.com, 1
+acomerygozar.cam, 1
+acompanhantes.com.pt, 1
+acomplia20mg.cf, 1
+acopatableware.com, 1
+acordes.online, 1
+acorespro.com, 1
+acorncastles.co.uk, 1
+acornmetal.com.au, 1
+acotadecalle.tk, 1
+acourse.io, 1
+acousticalsolutions.com, 1
+acousticandfire.co.uk, 1
+acoustics.network, 1
+acoustics.tech, 1
+acousticsoundrecords.com, 1
+acoustictabs.tk, 1
+acoustique-tardy.com, 0
+acovadamoura.tk, 1
+acpbenefit.gov, 1
+acpcoils.com, 0
+acperu.ch, 0
+acpinformatique.fr, 1
+acpny.com, 1
+acquadiparma.kr, 1
+acquaparrucchieri.it, 1
+acquari.roma.it, 1
+acquasuisse.tk, 1
+acquire.co.nz, 1
+acquirebpo.com, 1
+acquireit.com.au, 1
+acquisition.gov, 1
+acquisitiongateway.gov, 1
+acraftedpassion.com, 1
+acrealamendolara.tk, 1
+acreinfoco.com, 1
+acrepairgeorgetown.com, 1
+acrepairhutto.com, 1
+acrepairroundrocktx.com, 1
+acrhnc2020.dedyn.io, 1
+acriticismlab.org, 1
+acroaccounting.au, 1
+acroballe-circus.fr, 0
+acrobatic.cf, 1
+acrobatic.tk, 1
+acrolife.cz, 0
+acronis.com, 1
+acronis.events, 1
+acronis.org, 0
+acronis.work, 1
+acrorock.tk, 1
+across-community.tk, 1
+acrossgw.com, 1
+acroteam.tk, 1
+acroyoga-nuernberg.de, 1
+acrylbilder-acrylmalerei.de, 1
+acrylicstyle.xyz, 1
+acrylicwifi.com, 1
+acs-nettoyage-entretien-immeuble.com, 1
+acsb.ro, 0
+acsbbs.org, 1
+acsc.gov.au, 1
+acsd-az.gov, 1
+acse.net, 1
+acsemb.org, 1
+acsihostingsolutions.com, 0
+acsiresearch.com, 1
+acsmuhendislik.com.tr, 1
+acsports.ca, 1
+act-interactive.com, 1
+act-news.com, 1
+act-on.com, 1
+act-web-sa.com, 1
+actabg.net, 1
+actacapital.com.au, 1
+actaflytt.se, 1
+actc.org.uk, 1
+acte2immo.com, 1
+actelsershop.com, 1
+acteon.com, 1
+actexpo.com, 1
+actfleetforum.com, 1
+actforcanada.ca, 1
+actgruppe.de, 1
+actheater.com, 1
+acticu.com, 1
+actiefgeld.nl, 0
+actieplaza.tk, 1
+actifii.com, 1
+actifyleads.com, 1
+actigamer.pt, 1
+actilove.ch, 1
+actimap.ga, 1
+acting.by, 1
+actingcxo.com, 1
+action-education.org, 1
+action-intell.com, 1
+action-verite.fr, 1
+action.eu, 1
+action.nl, 1
+actioncameraaccessories.ga, 1
+actioncleaningnd.com, 1
+actioncovid.nl, 1
+actioncutprint.com, 1
+actionglasshouston.com, 1
+actionlabs.net, 1
+actionmadagascar.ch, 0
+actionminecraft.tk, 1
+actions.today, 1
+actionsack.com, 1
+actionsandreactions.com, 1
+actionsecuritycameras.com, 1
+actionverb.com, 1
+actiumhealth.com, 1
+activat3rs.com, 1
+activate.swiss, 1
+activatenow.com, 1
+activationkeys.org, 1
+activators.ml, 1
+active-english.tk, 1
+active247.info, 1
+activeaerogels.com, 1
+activecare-monitor.com, 0
+activeclearweb.com, 1
+activeexcavator.com, 0
+activegateball.tk, 1
+activehealth.com, 1
+activehire.co.uk, 1
+activeleisure.ie, 1
+activelife.travel, 1
+activenl.co.uk, 1
+activephysiohealth.com.au, 1
+activeplatesystem.ga, 1
+activeprospect.com, 1
+activespaceautomation.com, 1
+activespacetech.com, 1
+activetk.cf, 1
+activetk.jp, 1
+activexperts.com, 1
+activeyogi.tk, 1
+activism.cf, 1
+activiteithardenberg.nl, 1
+activitesagadir.com, 1
+activitesaintnicaise.org, 1
+activiteschiens.be, 1
+activiti.alfresco.com, 1
+activities.rocks, 1
+activitycellsers.ga, 1
+activityhub.cloud, 1
+activityhub.xyz, 1
+activityinfo.org, 1
+activitypub.cyou, 1
+activityshelter.com, 1
+activlux.pt, 1
+activpilot.at, 1
+activs.ru, 1
+actom.cc, 1
+actonsoft.com, 1
+actonwoodworks.com, 1
+actopan.tk, 1
+actoragecheck.com, 1
+actoralcareprofessional.com, 1
+actoresonlinevenezuela.tk, 1
+actorsanthosh.tk, 1
+actorshop.co.uk, 1
+actransit.gov, 1
+actrices.tk, 1
+actris.ac.cy, 1
+actro.ga, 1
+actro.gq, 1
+actronx.tk, 1
+actserv.co.ke, 1
+actu-itech.cf, 1
+actualadmins.com, 1
+actualidad-rt.com, 1
+actualite-videos.com, 1
+actualizarapp.com, 0
+actualizarwordpress.es, 1
+actuallykabouters.com, 1
+actualprogressivevotersguide.com, 1
+actualsizemusic.tk, 1
+actualsolutions.am, 1
+actus-banque.fr, 1
+actuse.tk, 1
+actzero.ai, 0
+acuarios.tk, 1
+acuarismo-iquique.tk, 1
+acuarius.tk, 1
+acuica.co.uk, 0
+acuityfinishing.com, 1
+acul.me, 1
+aculocity.com, 1
+acupofsalt.tv, 1
+acupuncture.ml, 1
+acupuncturecornwall.co.uk, 1
+acupuncturefoundation.com, 1
+acupuncturefoundation.org, 1
+acupuntura.coach, 1
+acupuntura.doctor, 1
+acupuntura.institute, 1
+acupunturamadrid.xyz, 1
+acupunturavalencia.xyz, 1
+acurapartswarehouse.com, 1
+acus.gov, 1
+acutabovetherestbarbers.com, 1
+acutane.cf, 1
+acutane.ga, 1
+acutane.gq, 1
+acutewealthadvisors.com, 1
+acutica.ro, 1
+acutron.net, 1
+acutron.org, 1
+acvan.net, 1
+acvilnius.tk, 1
+acwcerts.co.uk, 1
+acwdca.gov, 1
+acwi.gov, 1
+acworth-ga.gov, 1
+acy.com, 1
+acyclovir-cream.cf, 1
+acyclovir400mg.ml, 1
+acytec.cl, 1
+ad-bp.top, 1
+ad-disruptio.fr, 0
+ad-education.com, 1
+ad-notam.asia, 1
+ad-notam.ch, 1
+ad-notam.co.uk, 1
+ad-notam.com, 1
+ad-notam.de, 1
+ad-notam.fr, 1
+ad-notam.it, 1
+ad-notam.pt, 1
+ad-notam.uk, 1
+ad-notam.us, 1
+ad-s.cn, 1
+ad-web.tk, 1
+ad.nl, 1
+ad13.in, 1
+ad4tube.com, 1
+ada.eco, 1
+ada.gov, 1
+adab-mans.tk, 1
+adac-musikreisen.de, 1
+adachi.work, 1
+adacomputerscience.org, 1
+adacprod.fr, 1
+adaera.com, 1
+adaeze-wolf.com, 1
+adagia.eu, 1
+adalis.org, 1
+adalite-staging-testnet.herokuapp.com, 1
+adalite.io, 1
+adam-ant.co.uk, 1
+adam-kostecki.de, 1
+adam.com, 1
+adam.id.au, 1
+adam.pt, 1
+adamabernathy.com, 1
+adamant.ua, 1
+adamante.com.br, 1
+adamas-magicus.ru, 1
+adamaveray.com.au, 1
+adambryant.ca, 0
+adamcarbonell.com, 1
+adamcoffee.net, 0
+adamdixon.co.uk, 1
+adamdorman.com, 1
+adameveplus.com, 1
+adamevevod.com, 1
+adamfontenot.com, 1
+adamgian.com, 1
+adamh.us, 1
+adamj.eu, 1
+adamjeelukmanjee.com, 1
+adamjoycegames.co.uk, 1
+adamkissee.com, 1
+adamkostecki.de, 1
+adamlevine.ga, 1
+adamliu.net, 0
+adamoutler.com, 1
+adamov.tk, 1
+adamradocz.com, 1
+adamraoof.tk, 1
+adamricheimer.com, 1
+adams-gonczi.fun, 1
+adams.dk, 1
+adamscampcolorado.org, 1
+adamschmuck.de, 1
+adamscountyco.gov, 1
+adamscountycoelections.gov, 1
+adamscountyemsoh.gov, 1
+adamscountyil.gov, 1
+adamscountyne.gov, 1
+adamscountypa.gov, 1
+adamstas.com, 1
+adamsweb.tk, 1
+adamwallington.co.uk, 1
+adaoconde.art, 1
+adapt-elektronik.com, 1
+adapt-iq.co.nz, 1
+adapt-iq.com, 1
+adapti.de, 1
+adaptimmune.com, 1
+adaptiv.ltd, 1
+adaptivecenter.net, 1
+adaptiveexercisegroup.com, 1
+adaptiveicons.com, 1
+adaptivemechanics.edu.au, 1
+adaptivesite.cf, 1
+adaptivesite.gq, 1
+adaptiveu.io, 1
+adaptyourlifeacademy.com, 1
+adarixconsultores.com, 1
+adarshcloud.in, 1
+adarsvidler.me, 1
+adasbench.com, 1
+adaselin.com, 1
+adasiacorp.com, 1
+adata-c.kz, 1
+adata.kz, 1
+adatitleiii.com, 1
+adativos.com.br, 1
+adawolfa.cz, 1
+adbexcavation.ca, 1
+adbglobal.com, 1
+adblock.ee, 1
+adblockextreme.com, 1
+adblockextreme.net, 1
+adblockextreme.org, 1
+adbpub.com, 1
+adc-dentalcare.com, 1
+adc64.com, 1
+adceuta.tk, 1
+adclickmedia.com, 1
+adcnvs.com, 1
+adcoglazing.co.uk, 1
+adcpressurewashing.co.uk, 1
+add-image.tk, 1
+add-in-express.com, 1
+add-ons.co.uk, 1
+add.pics, 1
+addag.de, 1
+addall.com, 1
+addax.com.tr, 1
+addbonus.ml, 1
+addcrazy.com, 1
+adder.ml, 1
+adderall.ml, 1
+adderall.space, 1
+addict.tk, 1
+addictedtotravel.pl, 1
+addiction-counselors.com, 1
+addictioncounsellors.co.nz, 1
+addictionsolutionsllc.com, 1
+addictlaw.com, 1
+addictless.ru, 1
+addictstore.it, 1
+addiko.net, 1
+addisoncrump.info, 1
+addisonwi.gov, 1
+addition.ml, 1
+addlink.ga, 1
+addlink.gq, 1
+addly.se, 1
+addmefast.tk, 1
+addnewsite.tk, 1
+addnine.com, 1
+addon.watch, 1
+addones.org, 1
+addownit.com, 1
+addr.space, 1
+addresstobe.com, 1
+addscoop.ml, 1
+addstar.jp, 0
+addtelegrammember.com, 1
+addtoany.com, 1
+adducation.info, 1
+adduono.com, 1
+addurls.tk, 1
+addviseo.com, 1
+addy.io, 1
+addy.to, 1
+addydari.us, 1
+addymail.com, 1
+addyourlink.tk, 1
+addyto.me, 1
+ade-power.com, 1
+adea.mx, 1
+adeabramihza.com, 1
+adec-emsa.ae, 1
+adeelshahid.tk, 1
+adeex.co.uk, 1
+adeex.in, 1
+adeex.us, 1
+adeexaustralia.com, 1
+adek.uz, 1
+adek24.uz, 1
+adelaidamountainresidences.ph, 1
+adelaidecoldlaser.com.au, 1
+adelaidefestivalsquare.com.au, 1
+adelaidelaundromats.com.au, 1
+adelapereira.com, 1
+adeldz-foot.cf, 1
+adelebeals.com, 1
+adelgace.top, 1
+adelicious.co, 1
+adelie.org.uk, 1
+adelightfulglow.com, 1
+adelina.com.br, 0
+adeline.mobi, 1
+adelonline.tk, 1
+adelphiawines.com, 1
+ademaulana.tk, 1
+adenhurra.cf, 1
+adenhurra.ml, 1
+adenoma.tk, 1
+adenopatia.com, 1
+adenos.in, 1
+adenplus1.com, 0
+adeon.ml, 1
+adept-elearning.com, 1
+adept.org.pl, 1
+adescb.ga, 1
+adese.es, 1
+adesex.in, 1
+adesignguy.co.uk, 1
+adespresso.com, 1
+adevel.eu, 1
+adevo.be, 1
+adex.network, 1
+adextremadurafs.tk, 1
+adf-safetytools.com, 1
+adf.gov, 1
+adfconsumer.gov.au, 1
+adfinternational.org, 1
+adfisicateca.org, 1
+adfs.pro, 1
+adftrasporti.it, 1
+adfyl.tk, 1
+adg-devochtspecialist.be, 1
+adg.is, 1
+adgh.ml, 1
+adgift.ro, 1
+adglue.io, 1
+adgreetz.com, 1
+adh.org.au, 1
+adhadse.com, 1
+adhd-explained.com, 1
+adhd-inattentive.com, 1
+adhdyoga.ca, 1
+adhetron.com, 1
+adhigamindia.com, 1
+adhockery.ga, 1
+adhocracy.plus, 1
+adhs.fyi, 1
+adi.com.au, 1
+adi.net.au, 1
+adiaz.us, 1
+adib.family, 1
+adictosdominantescdls.tk, 1
+adidas-2020-spring.com, 1
+adiehard.party, 1
+adiesyndrome.tk, 1
+adigolifestyle.com, 1
+adiguezel-bau-gmbh.de, 1
+adihomes.com, 1
+adilsabri.tk, 1
+adimaja.com, 1
+adimo.com.pl, 1
+adimplere.com.br, 1
+adinaporter.com, 1
+adinfinitum.gq, 1
+adinternational.com.au, 1
+adiph.fr, 1
+adiph.org, 1
+adiprospero.it, 1
+adiraku.co.id, 1
+adiscorduser.com, 1
+adit.com, 1
+adityaes.eu.org, 1
+adityatelange.in, 1
+adiyamandanal.com, 1
+adiyamanhaberleri.tk, 1
+adje-fansite.tk, 1
+adjudicating.tk, 1
+adjustablebedfactory.com, 1
+adjustablebeds.ca, 1
+adjustablebeds.org, 1
+adjusterpro.com, 1
+adjutor.xyz, 1
+adkinvest.co.il, 1
+adld.center, 1
+adler-international.pl, 1
+adlerneves.com, 1
+adlerneves.com.br, 1
+adlerosn.com, 1
+adlerosn.com.br, 1
+adlershop.ch, 1
+adlignum.se, 1
+adliomar.tk, 1
+adm-sarov.ru, 1
+admanmedia.fr, 1
+admglass.co.uk, 1
+admicos.cf, 1
+admin-gator.com, 1
+admin-gator.net, 1
+admin-rbb-ugc-prod.azurewebsites.net, 1
+admin-rbb-ugc.azurewebsites.net, 1
+admin-serv.net, 1
+admin-wp.com, 1
+admin-wp.pl, 1
+admin.academy, 1
+admin.fedoraproject.org, 1
+admin.google.com, 1
+admin.se, 1
+admin.stg.fedoraproject.org, 1
+adminconnection.net, 1
+admindaily.com, 1
+adminforge.de, 1
+admingator.net, 1
+admini.cl, 1
+administracionessaez.es, 1
+administradoresdefincasvalencia.net, 1
+administradorvalencia.es, 0
+administraitor.video, 1
+administrarmeusite.tk, 1
+administratiekantoorblom.nl, 1
+administrator.de, 1
+administratorhandal.cf, 1
+adminless.ovh, 1
+adminlinux.pl, 1
+admino.cz, 1
+adminova.tk, 1
+adminplus.bg, 1
+adminresurs.tk, 1
+adminrezo.fr, 1
+adminwells.com, 1
+admirable.pro, 0
+admody.com, 1
+admongo.gov, 1
+admstudio.co.uk, 1
+admus.pl, 1
+adn-recrutement.fr, 0
+adnanotoyedekparca.com, 1
+adndigital.com.br, 1
+adnempresa.es, 1
+adnexa.it, 1
+adney.land, 1
+adnfiscal.com, 1
+adnolesh.com, 1
+adnotam.ch, 1
+adnscript.tk, 1
+adnseguros.es, 1
+adnsolutions.com, 1
+adofestival.com, 1
+adoll.ml, 1
+adomani-italia.com, 1
+adomicilio.gt, 1
+adonairelogios.com.br, 1
+adondevamosmundo.com, 1
+adonis.hosting, 1
+adonisgrup.ro, 1
+adonizer.science, 1
+adonnante.com, 0
+adontenchambers.com, 1
+adoperator.com, 1
+adopt-dont-shop.de, 1
+adopt.tk, 1
+adoptabeehive.co.uk, 1
+adoptabeehive.com, 1
+adoptabeehive.org, 1
+adoptabeehive.org.uk, 1
+adoptas.org, 1
+adopting.tk, 1
+adoption.tk, 1
+adoptionpregnancycenter.com, 1
+adoptionpregnancycenter.net, 1
+adoptium.net, 1
+adorable-home.com, 1
+adorade.ro, 0
+adorai.tk, 1
+adoran.ga, 1
+adorecricket.com, 1
+adores.gq, 1
+adorez.tk, 1
+adoric.com, 1
+adorkable.eu, 1
+adorkable.social, 1
+adorned.ga, 1
+adotta.me, 1
+adoucishop.fr, 1
+adoxy.com.br, 1
+adpesp.org.br, 1
+adphotography.pl, 1
+adplist.org, 1
+adpot.xyz, 0
+adr-stock.com, 1
+adr.gov, 1
+adrabataille.fr, 0
+adrafinil.wiki, 1
+adreaminsteel.tk, 1
+adreana.com, 1
+adregain.com, 1
+adregain.ru, 1
+adrenalin.is, 1
+adrenalin.od.ua, 0
+adrenalinhunters.tk, 1
+adresse-ip-publique.fr, 1
+adressendata.nl, 1
+adresults.com, 1
+adresults.nl, 1
+adrian-riemer.tk, 1
+adrian.web.id, 1
+adrian2023.com, 1
+adrian2023.de, 1
+adrianadelrossi.com, 1
+adrianadelrossi.net, 1
+adrianagonzalez.tk, 1
+adrianajewelry.my, 1
+adrianasantos.me, 1
+adrianbechtold.de, 1
+adrianbotes.com, 1
+adrianbrad.com, 1
+adriancitu.com, 1
+adriancostin.ro, 1
+adrianfeliciano.com, 0
+adrianhardy.com, 0
+adrianiacobus.com, 1
+adrianjensen.com, 1
+adrianmejias.com, 1
+adrianobarbosa.xyz, 1
+adrianpetcu.tk, 1
+adrianpole.tk, 1
+adrianseo.ro, 0
+adrianspeyer.com, 1
+adriantwpmi.gov, 1
+adrianwalls.tk, 1
+adrianweb.ml, 1
+adriarae.xyz, 1
+adriatic.hr, 1
+adriatika.tk, 1
+adriatrans.ga, 1
+adrienfelsmann.fr, 1
+adrieng.fr, 1
+adrienkohlbecker.com, 1
+adriennekiss.net, 1
+adriennesmiles.com, 1
+adrinet.tk, 1
+adrino.cf, 1
+adrino.gq, 1
+adrino.ml, 1
+adrup.com, 1
+ads-kuwait.net, 1
+adsamcik.com, 1
+adsb.lol, 1
+adsbouncycastles.co.uk, 1
+adscambodia.com, 1
+adsense-arbitrage.com, 1
+adseye.tk, 1
+adsforcash.ga, 1
+adshooter.com, 1
+adsib.gob.bo, 1
+adsl2meg.fr, 1
+adsmarketing.tk, 1
+adsmobilefor.win, 1
+adsmodels.com, 1
+adsnetwork.pro, 1
+adsnn.com, 1
+adson.at, 1
+adson.cz, 1
+adson.de, 1
+adson.ee, 1
+adson.eu, 0
+adson.fi, 1
+adson.fr, 1
+adson.hu, 1
+adson.ie, 1
+adson.li, 1
+adson.lt, 1
+adson.lv, 1
+adson.nl, 1
+adson.no, 1
+adson.pt, 1
+adspire.tk, 1
+adspottest.tk, 1
+adspu.org, 1
+adst.dk, 1
+adstop.ga, 1
+adstop.ml, 1
+adstune.com, 1
+adsviews.gq, 1
+adswoo.com, 1
+adt.co.za, 1
+adt.pl, 1
+adtelligent.com, 1
+adtgroup.com, 1
+adti.pt, 0
+aduanasgama.com, 1
+adubosvidere.com.br, 1
+adultbizz.eu, 1
+adultdvdparadise.com, 1
+adulteducation.org.uk, 1
+adultforum.gr, 1
+adultgames.pro, 1
+adultmalecontent.com, 1
+adultshop.com.au, 0
+adultwebcams1.com, 1
+aduro.com.tr, 1
+adurra.com, 1
+adutoras.com.br, 1
+adv.cr, 0
+advair-generic.ga, 1
+advairgeneric.ga, 1
+advairprice.ga, 1
+advaitghaisas.in, 1
+advaith.fun, 1
+advaith.io, 1
+advaith.link, 1
+advaithbot.xyz, 1
+advaithnikhi.ml, 1
+advaithnikhi.tk, 1
+advance.hr, 1
+advancealabama.gov, 1
+advanced-online.eu, 1
+advancedacupuncture.net, 1
+advancedaquaticservice.com, 1
+advancedboilers.com, 1
+advancedbotoxclinic.com, 1
+advancedbuildings.com.au, 1
+advancedconcrete.construction, 1
+advanceddermmohssurgery.com, 1
+advanceddermtribeca.com, 1
+advanceddieselspokane.com, 0
+advanceddisposables.co.uk, 0
+advancedelectricalservicesqld.com.au, 1
+advancedfueladditives.com, 1
+advancedhealthmedical.com.au, 1
+advancedinteg.com, 1
+advancedmd.com, 1
+advancedmedicalcertification.com, 1
+advancednetflowtraining.com, 1
+advancedob-gyn.com, 1
+advancedoneroofing.com, 1
+advancedridertraining.co.uk, 1
+advancedroofingmuskoka.com, 1
+advancedseo.io, 1
+advancedsepticandpumping.com, 0
+advancedsurgicalconsultantsllc.com, 1
+advancedturf.tk, 1
+advancedurologyca.com, 1
+advancedurologyswla.com, 1
+advancedwriters.com, 1
+advancemoversnc.com, 1
+advanceoptical.com, 1
+advanceworx.com, 1
+advania.info, 1
+advanqi.se, 1
+advantagehomeinteriors.com, 1
+advantagemechanicalinc.com, 1
+advantageroofer.com, 1
+advantagetowing.com.au, 1
+advantis.ai, 1
+advantis.cf, 1
+advantis.ga, 1
+advantis.gq, 1
+advantis.tk, 1
+advantmed.com, 1
+advapacs.com, 1
+advara.com, 1
+advarra.com, 1
+advasa.jp, 1
+advasa.net, 1
+advbizintel.com, 1
+advenacs.com, 1
+advenacs.com.au, 1
+advenapay.com, 1
+adventaholdings.com, 1
+adventalley.com, 1
+adventistai.lt, 1
+adventisthomemaker.com, 1
+advento.bg, 1
+adventry.tk, 1
+adventure-runner.tk, 1
+adventureally.com, 1
+adventurealpinetreks.com, 1
+adventurearts.tk, 1
+adventureboy.co.uk, 1
+adventurecorps.cf, 1
+adventurecorps.ga, 1
+adventurecorps.gq, 1
+adventurecorps.ml, 1
+adventurecreators.com, 1
+adventuredental.com, 1
+adventuredrives.com, 0
+adventureforest.co.nz, 1
+adventureforest.nz, 1
+adventuregamers.com, 1
+adventureprooutdoors.com, 1
+adventureprovisionco.com, 1
+adventures.com, 1
+adventuretoursbend.com, 1
+adventuringup.com, 1
+adventurousway.com, 1
+adventus.space, 1
+advercarte.com, 1
+adverganda.com, 1
+adverganda.de, 1
+adversus-test.tk, 0
+adversus-web-staging.tk, 0
+advertise-ment.tk, 1
+advertising-design.tk, 1
+advertisingcompany.tk, 1
+advertisingindustry.ga, 1
+advertisingphonesest.ga, 1
+advertisment.ga, 1
+advertizer.com, 1
+advery.tk, 1
+advgyan.com, 1
+advice24.tk, 1
+advicepay.com, 1
+adviceprime.tk, 1
+adviesfactuur.nl, 1
+adviesgv.nl, 1
+advinix.fr, 1
+advirk.tk, 1
+adviserplus.com, 1
+advisorperspectives.com, 1
+advmaster.cf, 1
+advocaat-dejonge.be, 1
+advocaatzoeken.nl, 1
+advocatae.com, 1
+advocatburo.tk, 1
+advocatealliancegroup.com, 1
+advocateanakha.com, 1
+advocatechannel.com, 1
+advocatize.com, 1
+advocator.ca, 1
+advoervice.ga, 1
+advogadavaleria.com.br, 1
+advogatech.com.br, 1
+advokat-dtp.cf, 1
+advokat-dtp.ga, 1
+advokat-dtp.gq, 1
+advokat-dtp.ml, 1
+advokat-dtp.tk, 1
+advokat-malinovskii.ml, 1
+advokat-romanov.com, 1
+advokat-teigstad.no, 1
+advokat-vvp.com.ua, 1
+advokat73.gq, 1
+advokati-ceva.cz, 1
+advokatkonsult.cf, 1
+advokatmorgunov.ml, 1
+advokatonline.ml, 1
+advokatskoe-byuro.ml, 1
+advokaty-onlajn.cf, 1
+advokaty-onlajn.ga, 1
+advokaty-onlajn.gq, 1
+advokaty-onlajn.ml, 1
+advokaty-onlajn.tk, 1
+advokaty-yuristy.ga, 1
+advokaty-yuristy.ml, 1
+advokaty-yuristy.tk, 1
+advokaty.cf, 1
+advokaty.gq, 1
+advritujeph.in, 1
+advst.uk, 1
+advtran.com, 0
+adwallgate.com, 1
+adware.pl, 0
+adwokatkosterka.pl, 1
+adwokatzdunek.pl, 1
+adxperience.com, 1
+adygeya.cf, 1
+adzie.xyz, 1
+adzuna.at, 1
+adzuna.ca, 1
+adzuna.co.nz, 1
+adzuna.co.za, 1
+adzuna.com, 1
+adzuna.com.au, 1
+adzuna.com.br, 1
+adzuna.de, 1
+adzuna.fr, 1
+adzuna.in, 1
+adzuna.it, 1
+adzuna.nl, 1
+adzuna.pl, 1
+adzuna.ru, 1
+adzuna.sg, 1
+ae-dir.com, 1
+ae-dir.org, 1
+ae.com, 1
+ae.edu.rs, 1
+ae86.de, 1
+ae86.dog, 0
+ae86.in, 1
+ae86.plus, 0
+ae86.pro, 1
+ae86.pw, 1
+ae86.run, 0
+ae86.vip, 1
+ae86a.com, 1
+ae86c.com, 1
+ae86dy.com, 1
+ae86j.com, 1
+ae86k.com, 1
+ae86t.com, 1
+ae86tt.com, 1
+ae86u.com, 1
+ae86uu.com, 1
+ae86x.com, 0
+ae86y.com, 1
+ae86yy.com, 1
+ae86zx.net, 1
+ae86zy.com, 1
+aeb.io, 1
+aebba.org, 1
+aebian.org, 1
+aebleskoven.dk, 1
+aec-security.eu, 1
+aece.ro, 1
+aechelon.net, 1
+aecis.org, 1
+aecnewstoday.com, 1
+aecom.digital, 1
+aecom.io, 1
+aecord.com, 1
+aedollon.com, 1
+aedus-design.ru, 1
+aefas.com, 1
+aegcl.co.in, 1
+aegeanmep.com, 1
+aegee-academy.eu, 1
+aegee-academy.org, 1
+aegee-utrecht.nl, 1
+aegee.eu, 1
+aegee.org, 1
+aegis.moe, 1
+aegisaccounting.co.uk, 1
+aegisalarm.co.uk, 1
+aegisalarm.com, 1
+aegisalarms.co.uk, 1
+aegisalarms.com, 1
+aegisys.com, 1
+aegon.hu, 1
+aegrel.ee, 1
+aeh5134.cc, 1
+aeha.tk, 1
+aehe.us, 1
+aeht.eu, 1
+aeis-api-stg.azurewebsites.net, 1
+aeis-api.azurewebsites.net, 1
+aeksantcugat.tk, 1
+aeksistem.com, 1
+aelgame.com, 1
+aelia.cc, 1
+aelia.im, 1
+aelia.is, 1
+aelintx.com, 1
+aelisya.net, 0
+aelurus.com, 1
+aenes.com, 1
+aenmail.com, 1
+aeolservice.es, 1
+aeon.co, 0
+aeon.wiki, 0
+aeonc.com, 1
+aeonct.org, 1
+aeonian.live, 0
+aeonmall.global, 1
+aep-digital.com, 1
+aeperocovilha.pt, 1
+aeperodacovilha.pt, 1
+aequometer.de, 1
+aeradesign.com, 1
+aeradoresgaivota.com.br, 1
+aerandir.fr, 1
+aere.com, 1
+aereco.com, 1
+aerelon.de, 1
+aergia.eu, 1
+aerialawesome.com, 1
+aerialforce.co.uk, 1
+aerialworks.ddns.net, 1
+aerisnetwork.com, 1
+aerlux.md, 1
+aeroalbrook.com, 1
+aerobasegroup.com, 1
+aerobatt.com, 1
+aerobiconline.tk, 1
+aerobotz.com, 1
+aeroclub-tolhuin.tk, 1
+aeroelectronics.net, 1
+aeroequity.com, 1
+aeroexpress.tk, 1
+aerofarms.com, 1
+aeroflot.gq, 1
+aeroframe.tk, 1
+aeroglass.ml, 1
+aerogrill.tk, 1
+aeroklub.tk, 1
+aerolineasvenezolanas.net, 1
+aerolog.co, 0
+aeromot.com, 1
+aeron.aero, 1
+aeronautix.com, 1
+aeronote.net, 1
+aeropetz.com.br, 1
+aeroplan.tk, 1
+aeropole.de, 1
+aeropole.eu, 1
+aeroport.gq, 1
+aeropostale.com.ar, 1
+aerosail.fr, 1
+aerosoul.tk, 1
+aerospace-schools.com, 1
+aerospacearchives.tk, 1
+aerospacescience.ml, 1
+aerospeceng.com.au, 1
+aerotrans-service.eu, 1
+aerotrophy.fr, 1
+aerowillys.tk, 1
+aerozone.tk, 1
+aertel.ie, 1
+aerztezentrum.io, 1
+aes-freundeskreis.de, 0
+aes.org.pt, 1
+aesculapliterature.com, 1
+aeslifesciences.com, 1
+aesmoris.es, 1
+aesre.com, 1
+aesre.de, 1
+aesre.net, 1
+aessencia.com.br, 1
+aestheticsplus.xyz, 1
+aesthetikpiercing.de, 1
+aesthetix.icu, 1
+aesthetx.com, 1
+aesthway.com, 1
+aestore.by, 1
+aesvalanalys.com, 1
+aesyours.com, 1
+aeterna-ufa.ru, 1
+aeternus-darkermonument.tk, 1
+aeternus.tech, 1
+aether.industries, 1
+aetherc0r3.eu, 1
+aetherdigitalplatform.com, 1
+aethereahealth.com, 0
+aetherlink.de, 1
+aethernia.net, 1
+aethon.com, 1
+aethonan.pro, 1
+aethopy.ga, 1
+aetna-medicareplans.com, 1
+aevo-vergleich.de, 1
+aevpn.org, 1
+aextron.com, 1
+aextron.de, 1
+aextron.org, 1
+aezw.at, 1
+af-clan.tk, 1
+af.link, 1
+afadansedeparis.com, 1
+afadvantage.gov, 1
+afanasev.tk, 1
+afandou.com, 1
+afanias.org, 1
+afas-apps.nl, 1
+afasim.tk, 1
+afasstatus.nl, 1
+afbct.de, 1
+afbouw-gevelsupport.nl, 1
+afbrunswick.com, 1
+afc-capital.mx, 1
+afcmrstest.org, 1
+afd-bedburg.de, 1
+afd-bergheim.de, 1
+afd-elsdorf.de, 1
+afd-frechen.de, 1
+afd-huerth.de, 1
+afd-kerpen.de, 1
+afd-pulheim.de, 1
+afd-rheinerft.de, 1
+afdah.se, 1
+afdbedburg.de, 1
+afdbruehl.de, 1
+afdelsdorf.de, 1
+afderftstadt.de, 1
+afdfrechen.de, 1
+afdhuerth.de, 1
+afdkerpen.de, 1
+afdpulheim.de, 1
+afdrek.de, 1
+afdrhein-erft.de, 1
+afearlessventure.com, 1
+aferagetback.eu, 1
+aff1xstavka.com, 1
+aff1xstavka.top, 1
+affaire.com, 1
+affairefacile.net, 1
+affairemateriaux.fr, 1
+affairs.com, 1
+affarsnatverk.nu, 0
+affcreations.com, 1
+affect3d.com, 1
+affect3dstore.com, 1
+affectionate.tk, 1
+affengine.com, 1
+affengine.net, 1
+affibody.se, 1
+affidea.ie, 1
+affilatura.it, 1
+affilia.tk, 1
+affiliatebeeers.ga, 1
+affiliatebeest.ga, 1
+affiliatebitz.com, 1
+affiliatedphysicians.com, 1
+affiliatep.com, 1
+affiliateprogram.ga, 1
+affiliateprograms.cf, 1
+affiliateprograms.gq, 1
+affiliates-psychicsource.com, 1
+affiliates.trade, 1
+affine.ai, 1
+affine.space, 1
+affinipay.com, 0
+affinity.co, 1
+affinity.com, 1
+affinity.vc, 1
+affinitycu.ca, 1
+affinityplus.org, 1
+affinitysync.com, 1
+affinityweb.co, 1
+affirm-stage.com, 1
+affissioni.roma.it, 1
+affittacamere.roma.it, 1
+affittialmare.it, 1
+affittibreviliguria.it, 1
+affittisalento.it, 1
+affle.com, 1
+afflictedquarter.tk, 1
+affordable.icu, 1
+affordableasphaltcompany.com, 1
+affordableautoglass.com, 1
+affordableblindsexpress.com, 1
+affordablecameras.tk, 1
+affordableconnectivity.gov, 1
+affordableelectronics.tk, 1
+affordablehealthquotesforyou.com, 1
+affordablemedicalusa.com, 1
+affordablepapers.com, 1
+affordableracingparts.com.au, 1
+affordablevaccinesest.ga, 1
+affordacode.com, 1
+affpa.top, 1
+affpass.com, 1
+affping.com, 1
+affproduct.com, 1
+affsoft.cc, 1
+affumico.it, 1
+affusio.com, 1
+afg-team.tk, 1
+afganistan.cf, 1
+afghan-media.tk, 1
+afghan-sites.tk, 1
+afghan.gq, 1
+afghandonia.tk, 1
+afghanen4life.tk, 1
+afghangreetings.tk, 1
+afghanlink.tk, 1
+afghanraps.tk, 1
+afghansite.tk, 1
+afgphotographers.com, 1
+afgraphic.tk, 1
+afiador.com.br, 1
+afiawealth.com, 0
+aficards.com, 1
+aficionados.com.br, 1
+afilio.de, 1
+afinaudio.com, 1
+afishablogs.tk, 1
+afive.us, 1
+afiyetolsun.jp, 1
+aflam-online.tk, 1
+aflattr.com, 1
+aflebedevo.tk, 1
+afoikrali.gr, 1
+aforadearrastu.tk, 1
+aforism.tk, 1
+afp548.com, 1
+afrag.fr, 1
+afreelancersworld.com, 1
+afres.com, 1
+afreshperspective.com, 1
+africaclassifieds.ga, 1
+africaindemander.tk, 1
+africalebanon.tk, 1
+african-artmosphere.tk, 1
+africanbiblesafari.org, 1
+africanewstest0.ml, 1
+africangazda.tk, 1
+africangreyparrotscare.com, 1
+africanheritage.tk, 1
+africanhosting.ml, 1
+africankingsclothing.com, 1
+africankitchen.gallery, 1
+africanmangoforum.ga, 1
+africanmangoforum.gq, 1
+africansafaris.co.nz, 1
+africantourer.com, 1
+africaone-publishing.com, 1
+africaricecenter.org, 1
+afrijet.ga, 1
+afrilatest.com, 1
+afrimarket.ci, 1
+afrique.buzz, 1
+afriregister.com.ss, 1
+afriregister.et, 1
+afriregister.eu, 1
+afriregister.sn, 1
+afrodigital.uk, 1
+afrodisiac.tk, 1
+afrodita.tk, 1
+afroditafirm.tk, 1
+afroditehotel.tk, 1
+afrogospel.tk, 1
+afroludi.tk, 1
+afroto.com, 1
+afseguros.com, 1
+afslankstudiovelserbroek.nl, 1
+aftamurae.com, 1
+after-whoru.tk, 1
+afterblokrock.tk, 1
+afterburnerjs.com, 1
+afterdarklabs.net, 1
+afterdwi.info, 1
+afterfostercare.tk, 1
+afterhate.fr, 1
+afterhoursglass.com.au, 1
+aftermagic.com, 1
+aftermix.com, 1
+afternoonhereyes.tk, 1
+afteroblivion.tk, 1
+afterpay.com, 1
+afterschool.tk, 1
+afterskool.eu, 1
+afterstack.net, 1
+aftodioikisi.gr, 1
+aftonbladet.se, 1
+aftontickets.com, 1
+afute.fr, 1
+afuturewithoutfear.org, 1
+afuturewithoutfear.us, 1
+afva.net, 1
+afwd.international, 1
+afxsoft.ml, 1
+afzaalace.com, 1
+afzetbak.nl, 1
+ag066.vip, 1
+ag123.la, 1
+ag13842.com, 1
+ag1386.com, 1
+ag158.cc, 0
+ag1603.com, 0
+ag1604.com, 1
+ag1607.com, 1
+ag3.la, 1
+ag3232g.com, 1
+ag388.vip, 1
+ag399.vip, 1
+ag4.app, 0
+ag518518.net, 1
+ag6.im, 1
+ag6.pub, 1
+ag6.vc, 1
+ag6.vip, 1
+ag600.la, 1
+ag618.la, 1
+ag6215.com, 1
+ag6225.com, 1
+ag66321.com, 1
+ag666.vip, 1
+ag68ks.com, 1
+ag69000.com, 1
+ag72.vip, 1
+ag8-game.com, 1
+ag8.im, 1
+ag8.vip, 1
+ag80808.com, 1
+ag80880.com, 1
+ag812.tv, 1
+ag818.net, 1
+ag819.tv, 1
+ag82011.vip, 1
+ag82018.cc, 1
+ag82018.com, 1
+ag8500.com, 1
+ag8600.com, 1
+ag88.com, 1
+ag880.win, 1
+ag8808.com, 1
+ag88080.com, 1
+ag88110.com, 1
+ag8819-livechat.com, 1
+ag8859.com, 0
+ag8876.com, 1
+ag888818.com, 1
+ag889.com, 1
+ag8890.com, 1
+ag8891.com, 1
+ag88dc22.com, 1
+ag88ks.com, 1
+ag89000.com, 1
+ag898.cc, 1
+ag8vip.com, 1
+ag9.im, 0
+ag9100.com, 1
+ag918.cc, 1
+ag918.co, 1
+ag918.top, 1
+ag96.win, 1
+ag9757.com, 1
+ag98.tv, 0
+ag9800.com, 1
+ag9815.com, 1
+ag9835.com, 1
+ag98ks.com, 1
+ag9999.co, 1
+ag9ks.com, 1
+ag9vip.com, 1
+aga-eiken.tk, 1
+aga.gov.au, 1
+agabucheros.tk, 1
+agad.tk, 1
+agagent.vip, 1
+agahimax.com, 1
+against.tk, 1
+againstgynexams.tk, 1
+againsttheneighbour.tk, 1
+againsttheodds.es, 1
+agalia.com, 1
+agalloch.tk, 1
+agambition.eu, 1
+agamsecurity.ch, 0
+agapelove.tk, 1
+agar.kr, 1
+agarcat.com, 1
+agargiulo.com, 1
+agari-mj.com, 1
+agarioforum.ga, 1
+agas.com, 1
+agasport.nl, 0
+agastia.com, 1
+agatajanik.de, 1
+agate.pw, 1
+agateh.com.au, 1
+agaveandpine.com, 1
+agavesurgery.com, 1
+agbremen.de, 0
+agcdn.cc, 1
+agcdn.top, 1
+agceauditores.cl, 1
+agcegroup.cl, 1
+agcpapp.com, 1
+agdalieso.com.ba, 1
+agds.pw, 1
+agdsenice.cz, 1
+age-encryption.org, 1
+agearo.com, 1
+ageasagentessummit.pt, 1
+agechecker.net, 1
+agedcaredentistry.com.au, 1
+agedefying.net, 1
+agedgamer.com, 1
+agefriendlyri.org, 1
+ageg.ca, 1
+agehotel.com, 1
+ageless-world.tk, 1
+agelesscitizen.com, 1
+agelesscitizens.com, 1
+agellonia.com, 1
+agen62.asia, 1
+agen62.cc, 1
+agen62.info, 1
+agen62.org, 1
+agen62.site, 1
+agen62.top, 1
+agenbandarq.cf, 1
+agenbandarq.ga, 1
+agenbandarq.gq, 1
+agenbandarq.ml, 1
+agenbandarq.tk, 1
+agence-immobiliere-hossegor.com, 1
+agence-initiale.fr, 1
+agence-matrimoniale-paris.com, 1
+agence.tw, 1
+agenceimmoselect.com, 1
+agencelcinvestigations.com, 1
+agences-cegee.fr, 1
+agencesaintpierre.fr, 1
+agencestaff.fr, 1
+agencetourismemali.ml, 1
+agenciacanina.tk, 1
+agenciacoder.com, 1
+agenciacolors.com.br, 1
+agenciacorujadesign.com.br, 1
+agenciacrown.es, 1
+agenciahangar.com.br, 1
+agenciaingenium.cl, 1
+agenciakarazai.com.br, 1
+agenciaonnmarketing.com, 1
+agenciapixelnove.com.br, 1
+agenciaplanner.com.br, 1
+agenciarse.com, 1
+agenciarubik.com, 1
+agenciatecben.com.br, 1
+agencja-interaktywna.ga, 1
+agencja-interaktywna.tk, 1
+agencxy.ga, 1
+agencybeam.com, 1
+agencyeve.com, 1
+agencygood.tk, 1
+agencyinmotion.com, 1
+agencymanager.be, 1
+agenda-loto.net, 0
+agenda21senden.de, 1
+agendadelvolo.info, 1
+agendamuslim.tk, 1
+agendaspectacles.fr, 1
+agendatelefonica.net, 1
+agendominoq.tk, 1
+agenslot128.com, 1
+agent-007.tk, 1
+agent-grow.com, 1
+agent.sk, 1
+agent47.tk, 1
+agent4fl.com, 1
+agentabuseest.ga, 1
+agenter.cf, 1
+agenter.tk, 1
+agentesevillanocooper.tk, 1
+agentfirewall.com, 1
+agentpak.com, 1
+agentpatrolest.ga, 1
+agentpoint.website, 1
+agentprovocateur.com, 1
+agentrisk.com, 0
+agentsmith.tk, 1
+agentum.ga, 1
+agentur-pottkinder.de, 1
+agentz.ga, 1
+agenux.org, 1
+agenziaimmobiliarezeta.it, 1
+agenziapubblicitaria.milano.it, 1
+agenziapubblicitaria.roma.it, 1
+agenziefunebri.it, 1
+ageofreason.tk, 1
+agesofarda.net, 1
+agfmedia.com, 1
+agg097.com, 1
+agg88.com, 1
+aggeneralconstruction.com, 1
+aggielandtutoring.com, 1
+agglo-sion.ch, 1
+aggn.info, 1
+aggression.tk, 1
+aggressionpvp.com, 1
+aggressivecarwraps.com, 1
+aggtechconcrete.com, 1
+aghayeva-edler.de, 1
+agiairini.cz, 1
+agic-geneve.ch, 1
+agiftinside.com, 1
+agilan.nl, 1
+agile.coach, 1
+agileacademy.technology, 1
+agilebits.com, 1
+agilebits.net, 0
+agilecoldstorage.com, 1
+agilecraft.com, 1
+agilee.io, 1
+agilepeopleopsframework.com, 1
+agileui.com, 0
+agilewalls.com, 1
+agilextra.com.au, 1
+agilicus.ca, 1
+agilicus.com, 1
+agility-westvlaanderen.tk, 1
+agilityconsulting.be, 1
+agill.me, 1
+agilob.net, 1
+agiloo.tk, 1
+agilusdiagnostics.com, 1
+aging.gov, 1
+agingstats.gov, 1
+agingstop.net, 1
+aginion.com, 1
+aginion.net, 1
+agioanmark.tk, 1
+agiosthomas.tk, 1
+agirc-arrco.fr, 1
+agirlknows.com, 1
+agitmedia.ru, 1
+agk.co.com, 1
+agks02.com, 1
+agks1.com, 1
+agks116.com, 1
+agks136.com, 1
+agks16.com, 1
+agks188.com, 1
+agks19.com, 1
+agks23.com, 1
+agks27.com, 1
+agks35.com, 1
+agks38.com, 1
+agks4.com, 1
+agks45.com, 1
+agks53.com, 1
+agks57.com, 1
+agks59.com, 1
+agks60.com, 1
+agks63.com, 1
+agks67.com, 1
+agks68.com, 1
+agks69.com, 1
+agks7.com, 1
+agks70.com, 1
+agks71.com, 1
+agks72.com, 1
+agks78.com, 1
+agks79.com, 1
+agks8.com, 1
+agks82.com, 1
+agks83.com, 1
+agks86.com, 1
+agks87.com, 1
+agks888.com, 0
+agks89.com, 1
+agks9.com, 1
+agks92.com, 1
+agktest1.ga, 1
+aglar.com.ec, 1
+aglar.tk, 1
+agleventis.com, 1
+aglow.nl, 1
+agm4545.com, 1
+agmuscle.com, 1
+agnconnect.com, 1
+agnesk.blog, 1
+agnesmatilda.tk, 1
+agnestakeaway.be, 1
+agneta.tk, 1
+agnosia.tk, 1
+agnosticism.tk, 1
+agnusbostel.tk, 1
+agocs.me, 1
+agora-energiewende.de, 1
+agora-soft.cf, 1
+agora-verkehrswende.de, 1
+agora.co.il, 1
+agora.ru, 1
+agorabet.com.br, 1
+agoracupom.com.br, 1
+agoradanza.tk, 1
+agoradesk.com, 1
+agorapulse.com, 1
+agoratek.fr, 1
+agoravisitasguiadas.com, 1
+agoravm.tk, 1
+agoravox.it, 1
+agorism.eu.org, 1
+agoshop.de, 1
+agossearch.tk, 1
+agostonegro.tk, 1
+agouraelectrical.com, 1
+agouraelectrician.com, 1
+agouraexteriorlighting.com, 1
+agourahillselectric.com, 1
+agourahillselectrical.com, 1
+agourahillselectrician.com, 1
+agourahillsexteriorlighting.com, 1
+agourahillslandscapelighting.com, 1
+agourahillslighting.com, 1
+agourahillsoutdoorlighting.com, 1
+agouralandscapelighting.com, 1
+agouralighting.com, 1
+agouraoutdoorlighting.com, 1
+agowa338.de, 1
+agpandit.in, 1
+agpideas.com, 1
+agr.asia, 1
+agrabah.com, 1
+agradi.nl, 1
+agralines.tk, 1
+agrarking.com, 1
+agrarking.de, 1
+agrarkredit.de, 1
+agrartermine-deggendorf.de, 1
+agrartermine-straubing-bogen.de, 1
+agravery.com, 1
+agraw.tk, 1
+agregator.tk, 1
+agrekov.ru, 1
+agremo.com, 0
+agreor.com, 1
+agressief.com, 1
+agri-meet.com, 1
+agri.ee, 0
+agricult.tk, 1
+agricultural-technology.tk, 1
+agriculture-schools.com, 1
+agriculture.vic.gov.au, 1
+agrifoglio.com, 1
+agrifoodtoday.it, 1
+agrifutures.com.au, 1
+agrigentonotizie.it, 1
+agrikulturchic.com, 1
+agrinous.com, 1
+agrinous.com.au, 1
+agripartner.fr, 1
+agripick.com, 1
+agriportal.online, 1
+agrippa.tk, 1
+agriprofocus.com, 1
+agriresearch.tk, 1
+agrish.tk, 1
+agrisicilia.it, 0
+agritatrade.bg, 1
+agro-dom.solutions, 1
+agro-ferma.tk, 1
+agro-forestry.net, 1
+agro-market24.ru, 1
+agro-portal.info, 1
+agrobank.uz, 1
+agrobase.uz, 1
+agrobaza.com.ua, 1
+agrocare.tk, 1
+agroclan.tk, 1
+agroclimat.tk, 1
+agroconsultoraplus.com, 1
+agrodoki.hu, 1
+agrofind.com.br, 1
+agrogrup79.com, 1
+agroguia.com.co, 1
+agroinsider.com, 1
+agrokomi.tk, 1
+agrokredit.ga, 1
+agroland.tk, 1
+agrolife.tk, 1
+agroma.com, 1
+agromotorsburzaco.com, 1
+agron.tk, 1
+agronomi.tk, 1
+agronomict.tk, 1
+agropark.tk, 1
+agroplas.cf, 1
+agropool.tk, 1
+agropotter.com.ua, 1
+agrosanus.pt, 0
+agrospan.ga, 1
+agrosvit.kz, 1
+agroteam.tk, 1
+agrotek.lt, 1
+agrotender.com.ua, 1
+agrotraktor.gq, 1
+agrowbio.com, 0
+agroyard.com.ua, 1
+agrus-wow.tk, 1
+agscapeslandscaping.com, 1
+agscinemas.com, 1
+agscinemasapp.com, 1
+agsun6.com, 1
+aguaazul.com.co, 1
+aguajero.com, 1
+aguantepimpinero.tk, 1
+aguarani.com.br, 1
+aguaviva.tk, 1
+aguiascarecas.org, 1
+aguidetolovelossanddesperation.com, 1
+agujetas.tk, 1
+agul.tk, 1
+agullo.tk, 1
+agung-furniture.com, 1
+agurskie-vodopadi.ru, 1
+agusandelsur.gov.ph, 1
+agusik.com.ua, 1
+agustian.tk, 1
+agusticarmona.tk, 1
+agustin.cf, 1
+agustin.ml, 1
+agusto.tk, 1
+aguz.tk, 1
+agviet88.com, 1
+agvins.fr, 1
+agvip1000.com, 1
+agvip168.com, 1
+agvip2001.com, 1
+agvip2008.com, 1
+agvip88.com, 0
+agvip986.com, 1
+agwa.name, 1
+agwin1.com, 0
+agwin7.com, 1
+agwin8.com, 1
+agwin9.com, 1
+agworkers.com, 1
+agzlapp.com, 1
+agzy.tw, 1
+agzy.vip, 1
+ahanet.tk, 1
+ahansen.is, 0
+ahbap.org, 1
+ahccorleone.tk, 1
+ahcpb.com, 1
+ahcpr.gov, 1
+ahd.com, 0
+ahealthyjourney.ca, 1
+ahegaoroulette.com, 1
+ahelos.tk, 1
+ahezu.com, 1
+ahg-offices.fr, 1
+ahhcomfortshoes.com, 1
+ahidta.gov, 1
+ahiha-design.com, 1
+ahima.org, 1
+ahityayinlari.com, 1
+ahityayinlari.org, 1
+ahj.no, 1
+ahjy.com, 1
+ahl.gov.au, 0
+ahl.im, 1
+ahlac.tk, 1
+ahlaejaba.com, 1
+ahli-antenatv.tk, 1
+ahli.io, 1
+ahlibank.com.qa, 1
+ahlz.sk, 1
+ahm.com.au, 1
+ahmad.space, 1
+ahmadfathy.ml, 1
+ahmadjakfar.tk, 1
+ahmadmaher.tk, 1
+ahmadonline.tk, 1
+ahmadov.tk, 1
+ahmadrafiq.tk, 1
+ahmadramadan.tk, 1
+ahmadtea.lk, 1
+ahmed-alasadi.tk, 1
+ahmed.tk, 1
+ahmedcorp.tk, 1
+ahmedelgamalanimations.tk, 1
+ahmedszaidi.com, 1
+ahmerjamilkhan.org, 1
+ahmetazgin.net, 1
+ahmetcadirci.com.tr, 1
+ahmetshina.tk, 1
+ahmt.net, 1
+ahmu.com, 1
+ahmud.net, 1
+ahoefer.de, 1
+ahoeheng.com, 1
+ahoj.email, 1
+ahoj.hu, 1
+ahomeconcept.com, 1
+ahorasalud.com, 1
+ahornblatt.org, 1
+ahosamuel.com, 1
+ahosenjoni.fi, 1
+ahosi.com, 1
+ahouansou.cz, 1
+ahqf.com, 1
+ahrefs.com, 1
+ahroproject.org, 1
+ahrora.com, 1
+ahrq.gov, 1
+ahs.com, 1
+ahscarolinas.com, 1
+ahsinsaleem.tk, 1
+ahstrem.com, 1
+ahswarranty.com, 1
+ahsyg.com, 1
+ahtuxpk.ru, 1
+ahughes03.com, 1
+ahwah.net, 1
+ahwahnee.today, 1
+ai-english.jp, 1
+ai-genit.com, 1
+ai-powered-learning.com, 1
+ai-practitioners.com, 1
+ai-soft.co.jp, 1
+ai.gov, 1
+ai.gov.ae, 1
+ai.market, 1
+ai.moda, 1
+ai.mr, 0
+ai00.vip, 1
+ai1989.com, 1
+ai2-jp.com, 1
+ai5.me, 1
+aia-alkmaar.nl, 1
+aiaccinu.eu.org, 1
+aiaidaxue.com, 1
+aiaidou.com, 1
+aiainiu.com, 1
+aianetwork.net, 1
+aianipid.ee, 1
+aiasesoriainmobiliaria.com, 1
+aiat.net, 1
+aiatsis.gov.au, 1
+aibaoyou.com, 1
+aibes-staging.com, 1
+aibes.org, 1
+aibili.pt, 1
+aibiying.com, 1
+aibolit-apteka.tk, 1
+aibolit.ga, 1
+aibolit.md, 1
+aibolit.ml, 1
+aibolitik.tk, 1
+aibot.tk, 1
+aibsoftware.mx, 1
+aicampo.com, 1
+aiccc.com.au, 1
+aiccorp.com, 1
+aicfb.in, 1
+aichat.io, 1
+aichat.site, 1
+aichi-tokko-shien.com, 1
+aichou.com, 1
+aicial.co.uk, 1
+aickelin.eu, 1
+aicr.org, 1
+aicv.io, 1
+aid-web.ch, 1
+aida.org.au, 1
+aidablanco.tk, 1
+aidaccess.org, 1
+aidanamavi.com, 1
+aidanapple.com, 1
+aidanmitchell.uk, 0
+aidanmontare.net, 1
+aidanpr.com, 1
+aidanpr.net, 1
+aidarikako.com, 1
+aidco.net, 1
+aide-hebergement.ca, 1
+aide-valais.ch, 1
+aide.com, 1
+aideenmonaghan.com, 1
+aidenlx.top, 1
+aidenoliver.au, 1
+aidhan.net, 1
+aidi-ahmi.com, 1
+aidliveers.ga, 1
+aido.gq, 1
+aidoc.com, 1
+aidoru.net, 1
+aids-dissidents.tk, 1
+aids.gov, 1
+aidventurers.com, 1
+aie.de, 1
+aiecosystem.com.au, 1
+aiesecarad.ro, 1
+aievaluare.ro, 1
+aifartsakh.com, 1
+aifob.tk, 1
+aifriccampbell.com, 1
+aifx.ml, 0
+aigcev.org, 1
+aigenpul.se, 1
+aigner-club.com, 1
+aigner-club.de, 1
+aignerimage.de, 1
+aignermunich.com, 1
+aignermunich.de, 1
+aignermunich.jp, 1
+aigu.io, 1
+aiguemarine-spa.fr, 1
+aiguilhe-querre.com, 1
+aiha.com, 1
+aihaamua.tk, 1
+aiho.stream, 1
+aihschgo.org, 1
+aiinsurance.xyz, 1
+aikareborn.com, 1
+aiken.golf, 1
+aikenpromotions.com, 1
+aiki.de, 1
+aiki.do, 1
+aiki.tk, 0
+aikido-club-limburg.de, 1
+aikido-kiel.de, 1
+aikido-linz.at, 1
+aikido-wels.at, 1
+aikidoaalst.tk, 1
+aikidoboskovice.cz, 1
+aikidoinfo.tk, 1
+aikidosaltadojo.tk, 1
+aikijutsu.tk, 1
+aikiva.com, 1
+aikoly.com, 1
+aila.org, 1
+aileenwatt.co.uk, 1
+ailife.blog, 1
+ailitonia.com, 1
+ailitonia.xyz, 1
+ailladearousa.com, 1
+aim.org.pt, 1
+aimare-web.tk, 1
+aimarketingdesk.com, 1
+aimax.com, 1
+aimaye.com, 1
+aimbot.games, 1
+aimdigital.tk, 1
+aimeeandalec.com, 1
+aimeisi.com, 1
+aimgroup.co.tz, 1
+aiminet.com, 1
+aimless.tk, 1
+aimlessempire.tk, 1
+aimmuneinstitute.org, 1
+aimoda.bid, 1
+aimoda.click, 1
+aimoda.cloud, 1
+aimoda.download, 1
+aimoda.io, 1
+aimoda.loan, 1
+aimoda.space, 1
+aimoda.stream, 1
+aimoda.trade, 1
+aimotive.com, 1
+aimreply.com, 1
+aimrom.org, 1
+aina.moi, 1
+ainaishi.com, 1
+ainameals.com, 1
+ainamoroms.com, 1
+aine.com.br, 1
+ainewsto.com, 1
+ainfographie.com, 1
+aini99.club, 0
+ainong.com, 1
+ainrm.cn, 1
+ainsa.tk, 1
+ainutrition.co.uk, 1
+ainvest.de, 1
+ainzu.net, 1
+aioboot.com, 1
+aiois.com, 1
+aioj.ac, 1
+aiom.tk, 1
+aion.fi, 1
+aiosetups.com, 1
+aiot.pw, 1
+aipcardio.ai, 1
+aipcardio.hu, 1
+aipderm.com.mx, 1
+aipderm.eu, 1
+aipderm.mx, 1
+aipderm.ro, 1
+aipdev.kz, 1
+aipee.org, 1
+aiphyron.com, 1
+aipi.at, 1
+aipi.ch, 1
+aipi.de, 1
+aipi.tel, 1
+aipi.uk, 1
+aipor.pt, 0
+aiporn666.com, 1
+aipregnancy.com, 1
+aipregnant.com, 1
+aiqinggu.com, 1
+aiqingli.com, 1
+air-business.tk, 1
+air-clan.tk, 1
+air-flot.tk, 1
+air-planning.co.jp, 1
+air-rishon.tk, 1
+air-soft.ga, 1
+air-swift.com, 1
+air-techniques.fr, 1
+air-ticket.ga, 1
+airalarm.com, 1
+airaplus.ca, 1
+airbender.tk, 1
+airbnb.ae, 1
+airbnb.at, 1
+airbnb.be, 1
+airbnb.biz, 1
+airbnb.ca, 1
+airbnb.cat, 1
+airbnb.ch, 1
+airbnb.cl, 1
+airbnb.cn, 1
+airbnb.co.cr, 1
+airbnb.co.id, 1
+airbnb.co.il, 1
+airbnb.co.in, 1
+airbnb.co.kr, 1
+airbnb.co.nz, 1
+airbnb.co.uk, 1
+airbnb.co.ve, 1
+airbnb.com, 1
+airbnb.com.ar, 1
+airbnb.com.au, 1
+airbnb.com.bo, 1
+airbnb.com.br, 1
+airbnb.com.bz, 1
+airbnb.com.cn, 1
+airbnb.com.co, 1
+airbnb.com.ec, 1
+airbnb.com.gt, 1
+airbnb.com.hk, 1
+airbnb.com.hn, 1
+airbnb.com.hr, 1
+airbnb.com.kh, 1
+airbnb.com.mt, 1
+airbnb.com.my, 1
+airbnb.com.ni, 1
+airbnb.com.pa, 1
+airbnb.com.pe, 1
+airbnb.com.ph, 1
+airbnb.com.py, 1
+airbnb.com.sg, 1
+airbnb.com.sv, 1
+airbnb.com.tr, 1
+airbnb.com.tw, 1
+airbnb.com.ua, 1
+airbnb.com.vn, 1
+airbnb.cz, 1
+airbnb.de, 1
+airbnb.dk, 1
+airbnb.es, 1
+airbnb.fi, 1
+airbnb.fr, 1
+airbnb.gr, 1
+airbnb.gy, 1
+airbnb.hu, 1
+airbnb.ie, 1
+airbnb.is, 1
+airbnb.it, 1
+airbnb.jp, 1
+airbnb.la, 1
+airbnb.lu, 1
+airbnb.mx, 1
+airbnb.nl, 1
+airbnb.no, 1
+airbnb.org, 1
+airbnb.pl, 1
+airbnb.pt, 1
+airbnb.ru, 1
+airbnb.se, 1
+airbnb.tools, 1
+airbnbchina.cn, 1
+airborne-clan.tk, 1
+airborne-commando.tk, 1
+airborne-inflatables.co.uk, 1
+airborneexperience.com, 1
+airbossofamerica.com, 1
+airburners.com, 1
+airburners.com.au, 1
+airburners.net, 1
+airbusters.com, 1
+aircareair.tk, 1
+airchartervirginislands.com, 1
+aircheapfare.com, 1
+aircheapfares.com, 1
+aircomet.tk, 1
+aircompressormachine.com, 1
+airconditioning.tk, 1
+airconditioningcondensers.tk, 1
+airconditioningservicejohannesburg.co.za, 1
+airconsboksburg.co.za, 1
+airconservicingcapetown.co.za, 1
+airconsfourways.co.za, 1
+aircraft-database.com, 1
+aircraftnoisemodel.org, 1
+aircraftspruce.ca, 1
+aircraftspruce.com, 1
+aircrewportpages.com, 1
+aircs.racing, 1
+airday.tk, 1
+airdeer.com, 1
+airdropics.com, 1
+airdropkings.com, 1
+airductcleaninggrandprairie.com, 1
+airdur.eu, 1
+aireaseleaks.org, 1
+airedaleterrier.com.br, 1
+airensmuseum.com, 1
+aires-autoroute-areas.com, 1
+airesourcezone.com, 1
+airethilien.tk, 1
+airetvie.com, 0
+aireuropeflights.com, 1
+airez.tk, 1
+airfal.com, 1
+airfan.cf, 1
+airfarecheapdeal.com, 1
+airfarecheapeurope.com, 1
+airfarecompareprices.com, 1
+airfaredealstoindia.com, 1
+airfarefrom.com, 1
+airfarehonolulu.com, 1
+airfarehoteldeals.com, 1
+airfaremexicocity.com, 1
+airfareorlando.com, 1
+airfaresdomestic.com, 1
+airfareseconomy.com, 1
+airfaresfrom.com, 1
+airfareshotels.com, 1
+airfarestoamerica.com, 1
+airfarestogermany.com, 1
+airfareticketsdeals.com, 1
+airfaretousa.com, 1
+airfaretracking.com, 1
+airfield.gq, 1
+airflightsdeals.com, 1
+airforce.com, 1
+airformosa.com, 1
+airfoto.tk, 1
+airfox.cf, 1
+airfox.gq, 1
+airgreen.com, 1
+airgun.tk, 1
+airgundepot.com, 1
+airhart.me, 1
+airhelp.com, 1
+airhorn.de, 1
+airi-tabei.com, 1
+airi.ga, 1
+airicy.com, 1
+airikai.com, 1
+airism.com, 1
+airit.de, 1
+airixfood.com, 1
+airjet.cf, 1
+airjordan11.cc, 1
+airjordan1phatwhite.info, 1
+airjordan2017.site, 1
+airjordanpascher.tk, 1
+airjordansshoes.us, 1
+airjordanwholesale.us, 1
+airkiss.ga, 1
+airknowledge.gov, 1
+airlapse.net, 0
+airline-rabota.tk, 1
+airlineairlines.com, 1
+airlineairplane.com, 1
+airlineairports.com, 1
+airlineairways.com, 1
+airlineandhotels.com, 1
+airlineandtickets.com, 1
+airlinebe.com, 1
+airlineblue.com, 1
+airlinebookingtickets.com, 1
+airlinebuyticket.com, 1
+airlineby.com, 1
+airlinec.com, 1
+airlinecheapflightinternationalticket.com, 1
+airlinecheapflightticket.com, 1
+airlinecheapprices.com, 1
+airlinecheaptravel.com, 1
+airlinechicago.com, 1
+airlinedallas.com, 1
+airlinedenmark.com, 1
+airlinedomestic.com, 1
+airlineeconomy.com, 1
+airlinefarecheap.com, 1
+airlinefarediscount.com, 1
+airlinefarelow.com, 1
+airlinefareprices.com, 1
+airlinefaresdiscount.com, 1
+airlinefee.com, 1
+airlinefirstclass.com, 1
+airlineflight.biz, 1
+airlineflightcheap.com, 1
+airlineflights.biz, 1
+airlineflightsdeals.com, 1
+airlineflightsdiscount.com, 1
+airlineflightsfares.com, 1
+airlineflightsinternational.com, 1
+airlineflightsprices.com, 1
+airlineflightsreservations.com, 1
+airlineflyingclub.tk, 1
+airlineforsale.com, 1
+airlinefr.com, 1
+airlinegermany.com, 1
+airlinehawaii.com, 1
+airlinekorea.com, 1
+airlinelondon.com, 1
+airlinenationwide.com, 1
+airlinenews.tk, 1
+airlinenewzealand.com, 1
+airlineoil.com, 1
+airlinep.com, 1
+airlineplanetickets.com, 1
+airlinesair.com, 1
+airlinesamsterdam.com, 1
+airlinesandhotel.com, 1
+airlinesandtickets.com, 1
+airlinesandtravel.com, 1
+airlinesargentina.com, 1
+airlinesau.com, 1
+airlinesaustralia.com, 1
+airlinesboston.com, 1
+airlinesbritish.com, 1
+airlinesbrussels.com, 1
+airlinesby.com, 1
+airlinesca.com, 1
+airlinescheapfare.com, 1
+airlinescheapflights.com, 1
+airlinescheapticket.com, 1
+airlineschicago.com, 1
+airlinescincinnati.com, 1
+airlinesdallas.com, 1
+airlinesdc.com, 1
+airlinesdetroit.com, 1
+airlinesdomestic.com, 1
+airlineseast.com, 1
+airlineseconomy.com, 1
+airlinesettlement.com, 1
+airlinesfirstclass.com, 1
+airlinesfleet.com, 1
+airlinesfrom.com, 1
+airlineshouston.com, 1
+airlinesincanada.com, 1
+airlinesingapore.com, 1
+airlinesinlasvegas.com, 1
+airlinesinsingapore.com, 1
+airlinesit.com, 1
+airlinesjordan.com, 1
+airlineslasvegas.com, 1
+airlineslosangeles.com, 1
+airlineslowfare.com, 1
+airlinesmiddleeast.com, 1
+airlinesname.com, 1
+airlinesnashville.com, 1
+airlinesnewyork.com, 1
+airlinesnorthamerica.com, 1
+airlinesnyc.com, 1
+airlinesofdubai.com, 1
+airlinesofmexico.com, 1
+airlinespackages.com, 1
+airlinesparis.com, 1
+airlinesphonenumber.com, 1
+airlinessa.com, 1
+airlinessanfrancisco.com, 1
+airlinesseating.com, 1
+airlinessingapore.com, 1
+airlinestexas.com, 1
+airlinesticketbooking.com, 1
+airlinesto.com, 1
+airlinestoalaska.com, 1
+airlinestoamerica.com, 1
+airlinestoatlanta.com, 1
+airlinestocanada.com, 1
+airlinestochicago.com, 1
+airlinestocostarica.com, 1
+airlinestoeurope.com, 1
+airlinestoflorida.com, 1
+airlinestofrance.com, 1
+airlinestogermany.com, 1
+airlinestoitaly.com, 1
+airlinestojapan.com, 1
+airlinestolasvegas.com, 1
+airlinestolosangeles.com, 1
+airlinestomiami.com, 1
+airlinestoorlando.com, 1
+airlinestophoenix.com, 1
+airlinestosingapore.com, 1
+airlinestoturkey.com, 1
+airlinestousa.com, 1
+airlinestovegas.com, 1
+airlinesturkey.com, 1
+airlinesunitedstates.com, 1
+airlinesvegas.com, 1
+airlinesvietnam.com, 1
+airlineti.com, 1
+airlinetic.com, 1
+airlineticketscheapflights.com, 1
+airlineticketsfrom.com, 1
+airlineticketspurchase.com, 1
+airlineticketswith.com, 1
+airlineto.com, 1
+airlinetocanada.com, 1
+airlinetohawaii.com, 1
+airlinetolasvegas.com, 1
+airlinetolondon.com, 1
+airlinetomiami.com, 1
+airlinetovegas.com, 1
+airlinetravelinternational.com, 1
+airlinetravelnetwork.com, 1
+airlinetx.com, 1
+airlinevegas.com, 1
+airlinewholesale.com, 1
+airm.aero, 1
+airmag.tk, 1
+airmail.cc, 0
+airman.cf, 1
+airmap.com, 0
+airmap.io, 1
+airmash.online, 1
+airmaxinflatables.com, 1
+airnet.tk, 1
+airnode.ga, 1
+airnow.gov, 1
+airpark-roissy.fr, 1
+airplaneairline.com, 1
+airplanepictures.tk, 1
+airplanestatsers.ga, 1
+airplanestatsest.ga, 1
+airplanet.tk, 1
+airplanetic.com, 1
+airplanetick.com, 1
+airplaneticketcheap.com, 1
+airplay-inflatable-hire.co.uk, 1
+airplayradio.nl, 1
+airpoint-compressors.nl, 1
+airport-acap.eu, 1
+airport-car-rental.tk, 1
+airport-charlotte.com, 1
+airportairline.com, 1
+airportal.cn, 1
+airportbarking.eu, 1
+airportcdgparis.com, 1
+airportcoc.cf, 1
+airportcoc.ga, 1
+airportcoc.ml, 1
+airportcyprus.com, 1
+airportdc.com, 1
+airportfrankfurtgermany.com, 1
+airportgatwick.com, 1
+airportgrandhotel.com, 1
+airportguam.com, 1
+airportholiday.com, 1
+airporthotelsgatwick.com, 1
+airportinrome.com, 1
+airportknoxville.com, 1
+airportlas.com, 1
+airportnz.com, 1
+airportofdubai.com, 1
+airportparkingschiphol.nl, 1
+airportperth.com, 1
+airportsbarcelona.com, 1
+airportsdc.com, 1
+airportsflights.com, 1
+airportsflorida.com, 1
+airportsfo.com, 1
+airportstickets.com, 1
+airportstockholm.com, 1
+airportstuttgart.com, 1
+airportturkey.com, 1
+airportzo.net.in, 1
+airportzostage.in, 1
+airpurifierproductsonline.com, 1
+airquestion.org, 1
+airrestoration.ch, 1
+airscope.ae, 1
+airscorp.com, 1
+airsculpture.us, 1
+airsculptureballoonart.com, 1
+airsculptureballoonart.net, 1
+airsculptureballoonart.org, 1
+airsculptureballoons.com, 1
+airseatac.net, 1
+airship.com, 1
+airship.eu, 1
+airsial.com, 1
+airslate.com, 1
+airsoft.fr, 1
+airsofthub.fr, 1
+airsoftpark.cz, 1
+airsoftpinoso.tk, 1
+airstop.cz, 1
+airstrike.tk, 1
+airswap.io, 1
+airtable.com, 1
+airtame.cloud, 1
+airtec-france.fr, 1
+airtel.co.tz, 1
+airtel.com.ng, 1
+airterms.cf, 1
+airticketstravel.com, 1
+airtimerewards.co.uk, 0
+airtrain.gq, 1
+airtrolinc.com, 1
+airventuri.com, 1
+airvida.sg, 1
+airvpn.org, 1
+airwayz.co, 1
+airweb.top, 0
+airwolf.tk, 1
+airwolfthemes.com, 1
+airwudhu.id, 1
+airzone.tk, 1
+airzox.com, 1
+aisawa22.com, 1
+aiscale.fr, 1
+aischepervers-porn.com, 1
+aisedomains.ga, 1
+aisera.com, 1
+aish.ml, 1
+aishatibetanterriers.ca, 1
+aisi316l.net, 1
+aisp.sg, 1
+aispirit.tk, 1
+aisrvs.net, 1
+aisselkolm.com, 1
+aistdent.ru, 1
+aisthesthai.tk, 1
+aistockcharts.com, 1
+aistrope.com, 1
+aistsist.ga, 1
+aistsist.tk, 1
+ait.com.ar, 1
+aita.global, 1
+aitanaedu.org, 1
+aitidings.com, 1
+aitindo.com, 1
+aitkincountymn.gov, 1
+aitokyolab.com, 1
+aitosoftware.com, 1
+aitrading.uk, 1
+aitrust.ro, 1
+aitsl.edu.au, 1
+aiui10.cn, 1
+aiutodomestico.ch, 0
+aiva.ai, 1
+aivan.ai, 1
+aivd.lol, 1
+aivsasociacion.org, 1
+aiwadubai.com, 1
+aiwo.ai, 1
+aiwosq.cn, 1
+aiwriter.tools, 1
+aixlab.de, 1
+aixm.aero, 1
+aixploringprovence.com, 1
+aixue.net, 1
+aizhuan.com, 1
+aizxxs.com, 1
+aizxxs.net, 1
+aj-laixada.tk, 1
+ajancctv.com, 1
+ajansmanisa.com, 1
+ajansseo.com, 1
+ajarope.com, 1
+ajatelier.com, 1
+ajax-fanatics.tk, 1
+ajax-magazine.tk, 1
+ajaxboys.tk, 1
+ajaxed.net, 1
+ajaxfansforever.tk, 1
+ajaxfansite.tk, 1
+ajaxfansonly.tk, 1
+ajaxforever.tk, 1
+ajaxified.com, 1
+ajaxmasterdam.tk, 1
+ajaxmfs.com, 1
+ajaxnetwerk.tk, 1
+ajaxnow.tk, 1
+ajaxplaza.tk, 1
+ajaxposter.tk, 1
+ajaxsites.tk, 1
+ajaxtime.tk, 1
+ajaxtraining.tk, 1
+ajaxworld.tk, 1
+ajces.com, 1
+ajdiaz.me, 1
+ajedrezbolivia.tk, 1
+ajetaci.cz, 1
+ajeventhire.co.uk, 1
+ajfite.com, 0
+ajforum.tk, 1
+ajhstamps.co.uk, 1
+ajiboye.com, 1
+ajiloot.com, 1
+ajinabraham.com, 1
+ajitp.com, 1
+ajl.io, 1
+ajman-realty.ga, 1
+ajmanded.com, 1
+ajmanepay.ae, 1
+ajmanpay.gov.ae, 1
+ajmansewerage.ae, 1
+ajmara.pl, 1
+ajnah.net, 1
+ajnasz.hu, 1
+ajoke.eu, 1
+ajoliveira.com, 1
+ajoliveira.net, 1
+ajoliveira.org, 1
+ajoneuvokeskitys.fi, 1
+ajop.loan, 1
+ajramos.tk, 1
+ajsb85.com, 1
+ajscred.online, 1
+ajto.pro, 1
+ajvandeven.com, 1
+ajvco.com.hk, 1
+ajvco.net, 1
+ajvocab.com, 1
+ajwebsolutions.com, 1
+ak-design.tk, 1
+ak-online.tk, 1
+ak-varazdin.hr, 1
+ak-wohnen.de, 1
+ak.sb, 1
+ak2000.tk, 1
+ak47-miyamoto.spdns.org, 1
+ak68.tk, 1
+ak85.tk, 1
+ak96.tk, 1
+aka.ms, 1
+aka.pw, 1
+akaattorneys.co.za, 1
+akabandokonlamierda.tk, 1
+akachanikuji.com, 1
+akachanwebsite.tk, 1
+akaconvention.org, 1
+akad.com.br, 1
+akademiaantykorupcyjna.pl, 1
+akademiamarleen.pl, 1
+akademiawawer.pl, 1
+akademiawellbeing.pl, 1
+akademie-frankfurt.de, 1
+akadseguros.com.br, 0
+akaike.co.jp, 1
+akamon.ac.jp, 1
+akamu.de, 1
+akaratasker.com, 1
+akari.net, 1
+akarisoftware.com, 1
+akaritakai.net, 1
+akasa.red, 1
+akasha.world, 1
+akashdsouza.now.sh, 1
+akashi-kiharu.com, 1
+akashiya-b.com, 1
+akashstephen.com, 1
+akasi.cf, 1
+akasmedikal.com, 1
+akasmedikal.net, 1
+akatsukainuneko.co.jp, 1
+akaxaka.tk, 1
+akayu.com, 1
+akaziya.cf, 1
+akbam.co.uk, 1
+akbarsempoi.tk, 1
+akbas.tk, 1
+akblasch.com.au, 1
+akbtv.ru, 1
+akcenty.com.ua, 1
+akconciergerie.fr, 1
+akcs.one, 1
+akdenizim.tk, 1
+akdigitalegesellschaft.de, 0
+akdusekbudil.cz, 1
+akeenext.com, 1
+akeldam.tk, 1
+akelius.com, 1
+akemineko.tk, 1
+akemisp.com.br, 1
+akerberri.tk, 1
+akerboom.family, 1
+akerboom.me, 1
+akerboom.org, 1
+akeroh.com, 1
+akeroh.nl, 1
+akesinti.tk, 1
+aketzasantacoloma.tk, 1
+akfoundationindia.com, 1
+akhabar.tk, 1
+akhbaralam.cf, 1
+akhbareldesh.tk, 1
+akhbarmisr.tk, 1
+akhealthconnection.com, 0
+akhepcat.com, 1
+akhilindurti.com, 0
+akhomesforyou.com, 1
+akiadalia.com, 1
+akiakira-nsn.gov, 1
+akiba-server.info, 1
+akiba-souken.com, 1
+akiekintveld.com, 1
+akihi.ink, 1
+akihi.me, 1
+akihito.com, 1
+akijo.de, 1
+akikat.tk, 1
+akilimob.com, 0
+akilli-devre.com, 1
+akillitelefon.com, 1
+akimeder.tk, 1
+akimitsu.co.jp, 1
+aking.com.my, 1
+akinix.com, 1
+akinokae.de, 1
+akiranet.tk, 1
+akisazame.tk, 1
+akita-boutique.com, 1
+akita-stream.com, 1
+akita.cloud, 1
+akitacyber.com, 1
+akitra.net, 1
+akiym.com, 1
+akj.io, 1
+akkerwinde.tk, 1
+akko.wtf, 1
+akkordy-skachat.ga, 1
+akkoremaji.club, 1
+akkorturizm.com, 1
+akl.city, 1
+aklagare.se, 1
+akmatrix.org, 1
+akmens.id, 1
+ako-world.com, 1
+akoben.cloud, 1
+akoch.net, 1
+akoestischafbouwen.nl, 1
+akonlineworks.tk, 1
+akoofs.com, 0
+akordeoiak.tk, 1
+akostecki.de, 1
+akouryy.net, 1
+akoya.fi, 1
+akp.photos, 1
+akplates.org, 1
+akpp1.com.ua, 1
+akr.io, 1
+akr.services, 1
+akracing.se, 1
+akramvet.tk, 1
+akrasa.com.au, 1
+akrasa.pro, 1
+akrasa.xyz, 1
+akrep.com, 1
+akrilikhavuz.com, 1
+akritikos.info, 1
+akrobat.cf, 1
+akrochem.com, 1
+akronhousing.gov, 1
+akronohiorescue.gov, 1
+akropolis-ravensburg.de, 1
+akrzon.com, 1
+aksehir.bel.tr, 1
+akselinurmio.fi, 1
+aksenov.tk, 1
+aksenovalexey.tk, 1
+aksesuarai.com, 1
+akshavitrends.com, 1
+akshay.in.eu.org, 1
+akshit.me, 1
+aksnapshots.com, 1
+aksnwn.com, 1
+aksot.com, 1
+akt.health, 1
+aktaspompa.com, 1
+aktelectric.com.co, 1
+aktia.fi, 0
+aktin.cz, 1
+aktin.sk, 1
+aktion-vielfalt.ch, 1
+aktiv-naturheilmittel.at, 1
+aktiv-naturheilmittel.ch, 1
+aktiv-naturheilmittel.de, 1
+aktiv.pl, 1
+aktivace.eu, 1
+aktive-arbeitslose.at, 1
+aktivierungscenter.de, 1
+aktivitetatil.com, 1
+aktivpark-lumdatal.de, 1
+aktransmission.com, 1
+aktuel-urunler.com, 1
+aktuelfirsat.com, 1
+aktuelleprospekte.at, 1
+aktueller.com, 1
+aktuellsakerhet.se, 1
+akuislam.com, 1
+akuku-parkitka.pl, 1
+akumarjain.com, 1
+akumat.com.pl, 1
+akumat.eu, 1
+akumat.pl, 1
+akuntansilengkap.com, 1
+akupunktur-akupunktoer.dk, 1
+akupunktura.tk, 1
+akura.cf, 1
+akura.tk, 1
+akuston.eu, 1
+akustyka.tk, 1
+akutun.cl, 1
+akvakm.eu, 1
+akvaristika.cf, 1
+akvilon.tk, 1
+akvorrat.at, 1
+akyildiz.net, 1
+akzio.cl, 1
+al-abdal.tk, 1
+al-bahrain.tk, 1
+al-capone.ga, 1
+al-capone.tk, 1
+al-craft.info, 1
+al-hekka.com.ua, 1
+al-monitor.com, 1
+al-salam.tk, 1
+al-wood.it, 1
+al-yawm.ga, 1
+al2schaos.tk, 1
+al3abmizo.com, 1
+al3ilm.com, 1
+al3xpro.com, 1
+alaattinkaraca.tk, 1
+alab.space, 1
+alabalaporto.tk, 1
+alabamaable.gov, 1
+alabamaag.gov, 1
+alabamabuys.gov, 1
+alabamacoastalradiology.com, 1
+alabamadebtrelief.org, 1
+alabamafurs.com, 1
+alabamanet.tk, 1
+alabamaonlinedivorce.com, 1
+alabamasoilandwater.gov, 1
+alabn.com, 1
+alaboard.com, 1
+alabordage.fr, 1
+alabuena.com, 1
+alacatim.cf, 1
+alachuacounty.gov, 1
+alachuacountyfl.gov, 1
+alachuacountyfla.gov, 1
+alachuacountyflorida.gov, 1
+alacriti.com, 1
+alacritylaw.com, 1
+aladdin.ie, 1
+aladdinschools.appspot.com, 1
+aladintechnologies.tk, 1
+alain-webcreator.cf, 1
+alainfrancois.eu, 1
+alainfrancois.nl, 0
+alainmargot.ch, 0
+alainodea.com, 1
+alainwolf.ch, 1
+alainwolf.net, 1
+alais.com.do, 1
+alajv.com, 1
+alalivre.cf, 1
+alamad.cf, 1
+alamalsahara.co, 1
+alamanceconstruction.com, 1
+alamancecountync.gov, 1
+alamanceinsulationllc.com, 1
+alamancetv.com, 1
+alamani.tk, 1
+alambazarmath.tk, 1
+alambique.tk, 1
+alamitosbaytraders.com, 1
+alamo-analytics.com, 1
+alamoranchhandyman.com, 1
+alamotownshipmi.gov, 1
+alamowellnessalliance.com, 1
+alan-lam.co.uk, 0
+alan-turnbull.co.uk, 1
+alana.com.ua, 1
+alanberger.me.uk, 1
+alanbleiweiss.com, 1
+alanburr.us.eu.org, 1
+alancabrera.com, 1
+alancat.ml, 1
+alancolephotography.com, 1
+aland.co.uk, 1
+alandoyle.com, 1
+alanet.org, 0
+alanhua.ng, 1
+alanhuang.name, 1
+alanina.com, 1
+alaninkenya.org, 1
+alaniz-law.com, 1
+alankardresswalla.tk, 1
+alankatona.com, 1
+alankritstories.com, 1
+alanokling.nl, 1
+alanonsantabarbara.info, 1
+alanpearce.eu, 1
+alanpearce.uk, 1
+alanrogers.com, 1
+alansilson.tk, 1
+alantica.ga, 1
+alanyaescmagazin.tk, 1
+alanyatur.tk, 1
+alaoui.eu.org, 1
+alapa-tatsuno.com, 1
+alapetite.fr, 1
+alarab.chat, 1
+alarabiyanow.com, 1
+alarbnet.tk, 1
+alargarlavida.com, 1
+alarko-carrier.com.tr, 1
+alarm.net.tr, 1
+alarmat.pl, 1
+alarme-bateau-yacht.com, 1
+alarmmessageest.ga, 1
+alarmnewengland.com, 1
+alarna.de, 1
+alas-negras.tk, 1
+alasdelalma.com.co, 1
+alasdupur.tk, 1
+alaska.com.tr, 1
+alaskabuylocal.org, 1
+alaskacapitol.gov, 1
+alaskacruises.com, 1
+alaskadentalcare.com, 1
+alaskafishinglodges.net, 1
+alaskafolkarts.tk, 1
+alaskajewelry.com, 1
+alaskanmalamute.tk, 1
+alasta.info, 1
+alastairs-place.net, 1
+alatest.com, 1
+alatienne.fr, 1
+alatkesehatan.tk, 1
+alaturkaonline.com, 0
+alaunus.com, 1
+alavieestbelle.be, 1
+alazaherah.net, 1
+alb-flirt.de, 1
+alb-media.tk, 1
+albaadani.com, 1
+albadon.tk, 1
+albaform.com, 1
+albagold.tk, 1
+albagora.nl, 1
+albakham.eu.org, 1
+albakos.tk, 1
+albaladejodelcuende.tk, 1
+albalatedelarzobispo.tk, 1
+albalew.is, 1
+albalinks.tk, 1
+albamiss.com, 1
+albamusic.tk, 1
+albanacupuncture.com, 1
+albaneselorenzo.com, 0
+albaniachat.tk, 1
+albaniaonline.tk, 1
+albanien.tk, 1
+albanildedios.tk, 1
+albanskpaskhare.tk, 1
+albanyca.gov, 1
+albanycountywy.gov, 1
+albanylaser.ca, 1
+albanyoregon.gov, 1
+albarius.ga, 1
+albaronventures.com, 1
+albarugby.tk, 1
+albatrosboat.it, 1
+albatrostercume.com, 1
+albayan.ae, 1
+albemarlehistory.org, 1
+albendazole.ga, 1
+albendazole.ml, 1
+albergolafiorita.com, 1
+alberguecovadonga.es, 1
+albert-yu.com, 1
+albertathome.org, 1
+albertcuyp-markt.amsterdam, 1
+alberteinsteinbiography.tk, 1
+albertforfuture.de, 0
+albertgibb.tk, 1
+albertify.xyz, 1
+albertocarvalhosa.pt, 1
+albertofarina.tk, 1
+albertolopezaroca.tk, 1
+albertonplumber24-7.co.za, 1
+albertosobrino.tk, 1
+albertovr.com, 1
+albertovr.net, 1
+albertpedersen.com, 1
+alberts-blatt.de, 0
+albertspahiu.tk, 1
+alberttwpmi.gov, 1
+albertvillemn.gov, 1
+albeso.ml, 1
+albhof-wasserfall.de, 1
+albi-tourisme.fr, 1
+albilaga.id, 1
+albinonderdelen.nl, 1
+albinvega.tk, 1
+albion2.org, 1
+albionfaeries.org.uk, 1
+albleuchten.de, 1
+albme.gov, 1
+albourne.com, 1
+albrocar.com, 1
+albstaedter-kids-cup.de, 1
+albufeira-car-hire.com, 1
+albuic.tk, 1
+alburquerquerock.tk, 1
+albuterol.ga, 1
+albuterolonline.ga, 1
+albuterolwithoutprescription.gq, 1
+albylane.com.au, 1
+alca31.com, 0
+alcalainos.tk, 1
+alcanaan.com, 1
+alcanaplata.com, 1
+alcantara.cf, 1
+alcapalis.tk, 1
+alcapone.gq, 1
+alcar.tk, 1
+alcaralifusi.tk, 1
+alcatelonetouch.us, 1
+alcatraz-webdesign.tk, 1
+alcatrazeast.com, 1
+alcatraztourtickets.com, 1
+alchakov.tk, 1
+alchemist-heaven.tk, 1
+alchemisten.tk, 1
+alchemiya.ru, 1
+alchemy.gr, 1
+alchemy.net, 1
+alchiemy.com, 1
+alchimic.ch, 0
+alchimist-paulo-coelho.tk, 1
+alchosting.net, 0
+alcites.com, 1
+alcnutrition.com, 1
+alcobendas.tk, 1
+alcoclinica.ru, 1
+alcogolizmstop.ru, 1
+alcoholapi.com, 1
+alcoholia.tk, 1
+alcoholicbeverages.tk, 1
+alcoholismtreatment.tk, 1
+alcoleadetajo.tk, 1
+alcolecapital.com, 1
+alcor.tk, 1
+alcorncountyms.gov, 1
+alcove.cf, 1
+alcovidvaccine.gov, 1
+alctel.com.br, 0
+alcubillas.tk, 1
+aldanpa.gov, 1
+aldarcake.com, 1
+aldastv.tk, 1
+alday.de, 1
+aldeal.gq, 1
+aldealices.tk, 1
+aldebaranbm.com, 1
+aldersgatemontgomery.org, 1
+aldersgateumc.org, 1
+aldervets.co.uk, 1
+aldevadigital.com, 1
+aldien.com.br, 1
+aldino-redagno.com, 1
+aldipresscentre.co.uk, 1
+aldo-saputra.ga, 1
+aldo-shop.tk, 1
+aldolafontana.be, 1
+aldomedia.com, 1
+aldorlocal.gov, 1
+aldot.gov, 1
+aldous-huxley.com, 1
+aldridge-ringers.tk, 1
+aldridge.com, 1
+aldyputra.net, 1
+ale5000.altervista.org, 1
+alea-prevention.com, 1
+alea.xyz, 1
+aleax.me, 1
+alecel.de, 1
+alecpap.com, 1
+alecpapierniak.com, 1
+alecrimacessorios.com.br, 1
+alector.com, 1
+aledoil.gov, 1
+aledotx.gov, 1
+aleftinka.tk, 1
+alegriafm.tk, 1
+alegromania.tk, 1
+alehinta.fi, 1
+alejandrocruz.es, 1
+alejandromateoconde.tk, 1
+alejandropernett.tk, 1
+alejandrophones.com.mx, 1
+alejohnramirez.com, 1
+alek.in, 1
+alekos2go.com, 1
+aleks.com, 1
+aleksa.ga, 1
+aleksa.tk, 1
+aleksac.me, 1
+aleksandar-vukmirovic.tk, 1
+aleksanderkilinski.tk, 1
+aleksanders.tk, 1
+alekseevaleksandr.cf, 1
+alekseevski.tk, 1
+aleksejjocic.tk, 1
+alelectricista.es, 1
+alelin.ml, 1
+alemagia.pl, 1
+alemangranada.tk, 1
+alen.nl, 1
+alena.ga, 1
+alena.tk, 1
+alenafugueroa.tk, 1
+alenaserezhina.cf, 1
+alenbadel.com, 1
+alendronate.gq, 1
+alendronato.com, 1
+alentaja.com, 1
+alentaja.fi, 1
+alenvlahovljak.com, 1
+alenwich.com, 1
+aleph.land, 1
+alephindia.in, 1
+alerbon.net, 1
+aleromtrowbank.tk, 1
+alerque.com, 1
+alert-software.com, 1
+alertaenlinea.gov, 1
+alertaspopup.com, 1
+alertes.biz, 1
+alertlogic.com, 1
+alertmedia.com, 1
+alertoc.gov, 1
+alerts.sg, 1
+alertsclk.com, 1
+alertwire.com, 1
+ales.fr, 0
+alesagglo-expo.com, 1
+alesagglo.net, 1
+alescan.it, 1
+alesha.tk, 1
+alesraa-academy.com, 1
+aless.io, 1
+alessandraoliva.tk, 1
+alessandrobasi.it, 1
+alessandrolapiana.com, 1
+alessandroonline.com.br, 1
+alessandrotravel.com, 1
+alessandroz.ddns.net, 1
+aletm.it, 0
+alevel.tech, 0
+alevi-forum.tk, 1
+alevi.tk, 1
+alevro.com, 1
+alex-n.net, 1
+alex-ross.co.uk, 1
+alex-werbung.de, 1
+alex-wohl.fr, 1
+alex.net.co, 1
+alex3.tk, 1
+alex97000.de, 0
+alexaconnect.tk, 1
+alexada.ms, 1
+alexadamsddns.com, 1
+alexalist.tk, 1
+alexaminers.gov, 1
+alexander-beck.eu, 1
+alexander-net.tk, 1
+alexander-van-nieuwenhoven.tk, 1
+alexander.dk, 1
+alexanderandwilks.co.uk, 1
+alexanderb.info, 1
+alexandererber.com, 0
+alexanderg.tk, 1
+alexanderiwan.de, 1
+alexanderjshapiro.com, 1
+alexanderkarstens-fotografie.de, 1
+alexanderkhen.tk, 1
+alexanderlau.ga, 1
+alexanderneng.de, 1
+alexandernorth.ch, 1
+alexanderpiatigorsky.tk, 1
+alexanderplatz.tk, 1
+alexanderpopov.tk, 1
+alexandersavvidis.de, 1
+alexandertechniquenow.com, 1
+alexandertutoring.com, 1
+alexanderwagner.tk, 1
+alexandra-schulze.de, 1
+alexandra-siegel.com, 1
+alexandraandnicolay.com, 1
+alexandraschick.at, 1
+alexandraschmidt.coach, 1
+alexandrastrauss.fr, 1
+alexandrawett.org, 1
+alexandre-acaries.fr, 1
+alexandre-barret.fr, 1
+alexandreguarita.com.br, 1
+alexandremottier.tk, 1
+alexandrevicente.net, 1
+alexandrianh.gov, 1
+alexandrin.com, 1
+alexandrite.cf, 1
+alexandros.io, 0
+alexandryimmobilier.fr, 1
+alexaprinting.tk, 1
+alexauto.tk, 1
+alexberts.ch, 1
+alexblanck.com, 1
+alexblock.io, 1
+alexbogovich.com, 0
+alexbosch.net, 1
+alexbresnahan.com, 1
+alexcoman.com, 1
+alexcpp.tk, 1
+alexdaniel.org, 1
+alexdelpiero.ru, 1
+alexdesigner.tk, 1
+alexdowns.tk, 1
+alexdutton.co.uk, 1
+alexdutton.com, 1
+alexeimolina.com, 1
+alexeydrach.ru, 1
+alexeykamalov.tk, 1
+alexeykopytko.com, 1
+alexgaynor.net, 1
+alexgonzalez-online.tk, 1
+alexguti.com, 1
+alexhd.de, 1
+alexhodgkinson.tk, 1
+alexia.fr, 1
+alexia.lol, 1
+alexidls.com, 1
+alexio.ml, 1
+alexion.nl, 1
+alexischaussy.xyz, 1
+alexismeza.com.mx, 1
+alexismeza.dk, 1
+alexismeza.es, 1
+alexispoficial.tk, 1
+alexisquero.tk, 1
+alexisshaw.com, 1
+alexistexaspornstar.com, 1
+alexjacinto.com, 1
+alexjsully.me, 1
+alexkoala.com, 1
+alexkuleshov.com, 0
+alexlambertz.de, 1
+alexlombardo.tk, 1
+alexlouden.com, 1
+alexmainz.com, 1
+alexmathews.blog, 1
+alexmedia.tk, 1
+alexmerkel.com, 1
+alexmerkel.me, 1
+alexmerkel.xyz, 1
+alexmol.tk, 1
+alexmunroe.co.uk, 1
+alexn.org, 1
+alexnedea.ro, 1
+alexpavel.com, 1
+alexpetryk.com, 1
+alexpotter.net, 1
+alexridevski.net, 1
+alexridge.tk, 1
+alexs.de, 1
+alexsandrasverden.cf, 1
+alexsantos.tk, 1
+alexsavin.me, 1
+alexschokker.tk, 1
+alexsergeyev.com, 1
+alexserver.cloud, 1
+alexsexton.com, 0
+alexstudio.tk, 1
+alextaffe.com, 1
+alexthayne.co.uk, 1
+alextsang.net, 1
+alextweewielers.tk, 1
+alexustinoff.cf, 1
+alexvdveen.nl, 1
+alexveil.com, 1
+alexvetter.de, 0
+alexwardweb.com, 1
+alexweber.tk, 1
+alexyang.me, 1
+alexzeta.tk, 1
+aleymedya.ga, 1
+aleymedya.gq, 1
+aleymedya.ml, 1
+aleynadavetiye.com, 1
+aleynamasajsalonu.gq, 1
+alfa-auto.tk, 1
+alfa-books.ga, 1
+alfa-host.ml, 1
+alfa-music.tk, 1
+alfa-pack.com.ua, 1
+alfa-tech.su, 1
+alfaair.aero, 1
+alfabetajuega.com, 1
+alfabuster.com, 1
+alfacharlie.co, 1
+alfadecor.ml, 1
+alfadefiant.tk, 1
+alfadoc.dk, 1
+alfadoc.pl, 1
+alfadoc.se, 1
+alfafile.net, 1
+alfalasteenyia.cf, 1
+alfambra.tk, 1
+alfapack-shop.com, 1
+alfaproweb.fr, 1
+alfardanexchange.com, 1
+alfastone.com.ua, 1
+alfateks.com.ua, 1
+alfavipambulans.com, 1
+alfavit.cf, 1
+alfawedding.com, 1
+alfonso-baya.tk, 1
+alfonsostriano.it, 1
+alfordbenefits.com, 1
+alforto.nl, 0
+alfred-figge.de, 1
+alfred-g-fischer.de, 1
+alfred.co.in, 1
+alfredapp.com, 1
+alfredlin015.com, 1
+alfredo-misael.tk, 1
+alfredopotena.it, 1
+alfromuez.es, 1
+alfryadi.my.id, 1
+alftrain.com, 1
+alfu.rs, 1
+alg-fotografie.de, 1
+algarmatic-automatismos.pt, 1
+algarve-1.com, 1
+algarve-carhire.net, 1
+algarve-transfers.co.uk, 1
+algbee.com, 1
+algbra.com, 1
+alge.xyz, 1
+algebra-quiz.com, 1
+algercounty.gov, 1
+algerianportal.tk, 1
+algeriaweb.tk, 1
+algerie-music.tk, 1
+algerie360.com, 1
+alghadpowersolutions.com, 1
+alghanimcatering.com, 1
+algibranstore.id, 1
+algo-invest.in, 1
+algoarmada.com, 1
+algoentremanos.com, 1
+algoexplorer.io, 1
+algofactory.de, 1
+algolia.com, 1
+algonaiowa.gov, 1
+algopix.com, 1
+algorista.tk, 1
+algorithmen-lernen.de, 1
+algorithmic.ml, 1
+algorithms-visual.com, 1
+algorithms.guide, 1
+algoritm.gq, 1
+algoritmika.org, 1
+algoritmususpechu.cz, 1
+algorytm.tk, 1
+algotest.in, 1
+alhamedeia.tk, 1
+alhareth.net, 1
+alhomaidani.com, 1
+alhost.ml, 1
+alhothary.com, 1
+alhs-archives.com, 1
+alhuqul-kh.com, 1
+ali-shariati.tk, 1
+ali360.com, 1
+alia-helianthi.tk, 1
+aliaakademi.com.tr, 1
+aliads.com, 1
+aliakpoyraz.com, 1
+alialkurdy.tk, 1
+aliamakeup.com, 1
+aliancadesentupidora.com.br, 1
+alianet.org, 1
+aliantsoft.pl, 1
+aliasbox.org, 1
+aliasbox.ovh, 1
+aliasinfoforums.tk, 1
+aliaswp.com, 1
+alibabau.tk, 1
+alibamu.com, 1
+alibamu.org, 1
+alibangash.com, 1
+alibi-ua.com.ua, 1
+alibiloungelv.com, 0
+alibip.de, 1
+alicante-spain.tk, 1
+alice-memorial.de, 1
+alice.tw, 1
+alicebaldenegro.tk, 1
+alicecastle.com, 1
+alicedepret.com, 1
+alicehairstyling.tk, 1
+alicehartley.com, 1
+alicejewelry.bg, 1
+alicekinkycat.net, 1
+alicekinkycat.org, 1
+alicestudio.it, 1
+alicevardel.fr, 1
+alicialab.org, 1
+alicjacezary.eu, 1
+alicomalimentari.com, 1
+alidanbao.com, 1
+aliefirfany.com, 1
+alieke.design, 1
+aliel.fr, 1
+alien-life.tk, 1
+alien.net.au, 1
+alienantfarm.tk, 1
+alienclicker.ml, 1
+alienemporium.tk, 1
+alienflight.com, 1
+alieninternet.be, 1
+alieninternet.eu, 1
+alieninvasion.fun, 1
+alienmag.io, 1
+alienresidence.tk, 1
+alienslab.net, 1
+alienstat.com, 1
+alienstatsers.ga, 1
+aliexfantaisies.com, 1
+alifan.tk, 1
+alifarnam.ir, 1
+alifeadjacent.com, 1
+alifnasiya.uz, 1
+alighierirescaldina.it, 1
+alightwell.com, 1
+alignedchiro.org, 1
+alignedweb.com, 1
+alignminds.com, 1
+alignrs.com, 1
+alignthoughts.com, 1
+alihashemrasheed.com, 1
+aliibrahimov.tk, 1
+aliim.gdn, 1
+alikarslanov.tk, 1
+alikasimoglu.com, 1
+alikgriffin.com, 1
+alikorooki.ir, 1
+alikulov.me, 1
+alila.dog, 1
+alilepro.cf, 1
+alilialili.ga, 1
+alilog.com, 1
+alimahmood.com, 1
+alimanaka-rabesata.tk, 1
+alimate.com, 1
+aliment-covid19.com, 1
+alimentosmcf.com, 1
+alimentsduquebecaumenu.com, 1
+alimenty.tk, 1
+alimeta.it, 1
+alimtyaz.estate, 1
+alimwilliams.tk, 1
+alinalamour.com, 1
+alinasmusicstudio.com, 1
+alinatinen.cf, 1
+alinatinen.gq, 1
+aline-cannabis.com, 1
+alinecordeiro.adv.br, 1
+alinemello.com.br, 1
+alineonline.tk, 1
+alingroove.com, 1
+alinneata.com, 1
+alinode.com, 1
+alio.lt, 1
+aliorange.com, 1
+aliosmanyuksel.com.tr, 1
+alireza2love.tk, 1
+alirezahesari.com, 1
+alis-test.tk, 1
+alisblog.ml, 1
+alisearch.com, 1
+aliseihotelspa.com, 1
+alishanova.tk, 1
+alisoft.gq, 1
+alisondavenport.ga, 1
+alisondemarco.com, 1
+alisonlitchfield.com, 1
+alisonmatter.tk, 1
+alissa-group.com, 1
+alissanoir.net, 1
+alisstyle.tk, 1
+alistaku.tk, 1
+alisync.com, 1
+alitabergert.tk, 1
+alitajran.com, 1
+alitec.it, 1
+alitpedia.ga, 1
+alittledelightful.com, 1
+aliv.biz, 1
+alix-board.de, 1
+alix.energy, 1
+aliyasin.org, 1
+alizah.id, 1
+alizeemedia.tk, 1
+aljaspod.ch, 1
+aljaspod.com, 1
+aljaspod.hu, 1
+aljaspod.net, 1
+aljaspod.org, 1
+aljullusims.tk, 1
+aljweb.com, 1
+alkaabi.io, 1
+alkacoin.net, 1
+alkamitech.com, 1
+alkanbelgelendirme.com.tr, 1
+alkel.info, 1
+alkemy.mx, 1
+alkesznevelde.hu, 1
+alko-centr.ru, 1
+alko-stop.cf, 1
+alko-stop.ml, 1
+alkoferma.gq, 1
+alkogol.ga, 1
+alkopedia.tk, 1
+alkor.tk, 1
+all-bikes.fr, 1
+all-blogs.tk, 1
+all-bronza.ru, 1
+all-connect.net, 0
+all-credits.cf, 1
+all-ebooks.gq, 1
+all-eu-recruitment.com, 1
+all-fashion-schools.com, 1
+all-for-u.tk, 1
+all-gsm-solutions.tk, 1
+all-inhealth.com, 1
+all-music.ml, 1
+all-music.tk, 1
+all-pics.tk, 1
+all-rating.tk, 1
+all-seo.tk, 1
+all-stuff.tk, 1
+all-tec.com.mx, 1
+all-things.tk, 1
+all-top.tk, 1
+all-waystraining.com.au, 1
+all-wot.ml, 1
+all.li, 1
+all4hardware4u.de, 1
+all4phones.de, 1
+all4running.nl, 1
+all4web.tk, 1
+all878.com, 1
+alla-famiglia-p-otto.de, 1
+alla.tk, 1
+allaboutcovers.co.za, 1
+allabouteyes.com, 1
+allabouteyesvet.com, 1
+allaboutfunuk.com, 1
+allaboutgoats.com, 1
+allaboutgreg.net, 1
+allabouthome.ml, 1
+allabouthtml.com, 1
+allaboutmadonna.tk, 1
+allaboutnothing.cf, 1
+allaboutnothing.ga, 1
+allaboutnothing.gq, 1
+allaboutreligions.tk, 1
+allaboutswing.co.uk, 1
+allaboutswing.com, 1
+allabouttechh.tk, 1
+allaboutthekink.org, 1
+allaboutyouspa.co.uk, 1
+allaccessglobal.tech, 1
+allaccountingcareers.com, 1
+allactioneventhire.co.uk, 1
+allactionsecurity.com, 1
+allamakee.k12.ia.us, 1
+allamericangutterprotection.com, 1
+allamericanprotection.net, 1
+allamericatrans.com, 1
+allandrich.ml, 1
+allandrichonline.tk, 1
+allangirvan.net, 1
+allanlopez.tk, 1
+allanta.be, 1
+allapresenter.com, 1
+allarmi.roma.it, 1
+allarticles.tk, 1
+allas.se, 1
+allas.tk, 1
+allasianpics.com, 1
+allatoonadiesel.com, 1
+allattaremoda.com.br, 1
+allauthor.com, 1
+allazohealth.com, 1
+allbenjoy.de, 1
+allbestby.tk, 1
+allbetgame.cn, 1
+allbetgaming.com, 1
+allbetnet.com, 1
+allbets.tv, 1
+allboard.tk, 1
+allbookmark.cf, 1
+allbooks.cf, 1
+allbouncesurrey.co.uk, 1
+allboxes.ru, 1
+allboymodeling.com, 1
+allbrestby.tk, 1
+allbrestorg.tk, 1
+allbridges.tk, 1
+allbs.pt, 1
+allbuttpics.com, 1
+allcapa.org, 1
+allcarecorrectionalpharmacy.com, 1
+allcarepharmacy.com, 1
+allcarespecialty.pharmacy, 1
+allcelebs.tk, 1
+allchan.io, 1
+allcinema.net, 1
+allcitynews.net, 1
+allcleanservices.ca, 1
+allcloud.com, 1
+allcomic.com, 1
+allcompanycorp.com, 1
+allcooking.tk, 1
+allcourts.tk, 1
+allcoveredbyac.com, 1
+allcrimea.tk, 1
+allcumshotpics.com, 1
+alldesign.ai, 1
+alldewall.de, 1
+alldigitalsolutions.com, 1
+alldm.ru, 1
+alldogs.tk, 1
+alldrives.tk, 1
+alle-zonvakanties.nl, 1
+alle.bg, 1
+alle.com, 1
+allefrisuren.de, 1
+alleganyco.gov, 1
+allegiancemd.com, 1
+allegorymetal.tk, 1
+allegra.ga, 1
+allegra180.ga, 1
+allegra180mg.ga, 1
+allegrapark.ga, 1
+allegreto.com, 1
+allegrettoresort.com, 1
+allegrettoresortandvineyard.com, 1
+allegrettoresortandvineyardbyayres.com, 1
+allegrettovineyard.com, 1
+allegrettovineyardresort.com, 1
+allegrettovineyards.com, 1
+allegrettowine.com, 1
+allegrettowines.com, 1
+allemanniamarburg.at, 1
+allemoz.com, 1
+allemoz.fr, 1
+allenacampbell.tk, 1
+allenarchive.com, 1
+allencountyinvoters.gov, 1
+allencountykentucky.gov, 1
+allendalecounty.gov, 1
+allenivory.com, 1
+allensun.org, 1
+allentertainment.de, 0
+allentherapeuticmassage.com, 1
+allenturley.com, 1
+allenwillis.ga, 1
+allerbestefreunde.de, 1
+allergento.shop, 1
+allergento.store, 0
+allergictoidiots.tk, 1
+allergy.university, 1
+allergyweb.cf, 1
+allergyweb.ga, 1
+allerlei-havelte.nl, 1
+allerstorfer.at, 1
+allerzeiten.com, 1
+alles-kan.be, 1
+alles-nur-ge.cloud, 1
+alles.cx, 1
+allesisgezondheid.nl, 1
+allesisonline.nl, 1
+alleskan.gent, 1
+alleskomtgoed.org, 1
+allesley.com, 1
+allesmartphonehoesjes.nl, 1
+allesovercrypto.nl, 1
+allesoverdieren.tk, 1
+allesoverhondentraining.tk, 1
+allesoversport.nl, 1
+allesrocknroll.de, 1
+allesuitdekast.be, 1
+allesvoorbeton.be, 1
+allesvoorniets.tk, 1
+alletattoo.de, 1
+allette.com.au, 1
+allevamentoticinella.tk, 1
+alleyread.com, 1
+allfaithsfoodbank.org, 1
+allfansleak.net, 1
+allfashionews.tk, 1
+allfatpics.com, 1
+allfaucet.ml, 1
+allfoodrecipes.ga, 1
+allforcreate.ru, 1
+allforex.ml, 1
+allforhon.tk, 1
+allforlocal.com, 1
+allfortips.com, 1
+allfreelancers.su, 0
+allfundsconnect.com, 1
+allfur.love, 1
+allgadgetsfree.tk, 1
+allgaragedoorandgates.com, 1
+allgaragefloors.com, 1
+allgemeinarzt-wenta-bralla.de, 1
+allgemeine-zeitung.de, 1
+allglobal.net, 1
+allgooddeedshomes.com, 1
+allgrass.net, 1
+allgreek.tk, 1
+allgreenlawncare.ca, 1
+allhallows.tk, 1
+allhard.org, 1
+allhits.ml, 1
+allhonest.com, 1
+allhsa.com, 1
+alli-diet-pill.cf, 1
+alli-pills.cf, 1
+alliaancebiotech.com, 1
+alliance-immobilier-service-neuf.fr, 1
+alliance-psychiatry.com, 0
+allianceairlinesflights.com, 1
+allianceautomation.com.au, 1
+alliancebank.com, 1
+allianceblock.io, 1
+allianceborderservices.com, 1
+allianceforafreesociety.com, 1
+allianceforafreesociety.net, 1
+allianceforafreesociety.org, 1
+alliancehealthcareservices-us.com, 1
+alliances-globalsolutions.com, 0
+alliancetrading.ch, 1
+allianskyrkan.se, 1
+allianz-pro-schiene.de, 1
+allianzdirect.com, 1
+allianzdirect.de, 1
+allianzdirect.it, 1
+allianzdirect.nl, 1
+alliedartistswv.org, 1
+alliedmedia.org, 1
+allier-vichy-moulins-expert-comptable.fr, 1
+allindiacityguide.com, 1
+allindiajobs.ga, 1
+allindiatanzeem.ml, 1
+allindustriessolutions.com.au, 1
+allinform.ga, 1
+allinoutfits.com, 1
+allinpdf.com, 1
+allinsuranceinformation.com, 1
+allis.co.jp, 1
+allis.jp, 1
+allis.studio, 1
+allisonsite.tk, 1
+allitcrm.sytes.net, 1
+allius.de, 1
+alliymacorp.com, 1
+alljamin.com, 1
+alljokesaside.tk, 1
+alllaboutchickens.tk, 1
+alllatinapics.com, 1
+allline.shop, 1
+allmagic.tk, 1
+allmandlaw.com, 1
+allmaps.tk, 1
+allmaster.ga, 1
+allmba.cf, 1
+allmemy.com, 0
+allmen.tk, 1
+allmendenetz.de, 1
+allmessedup.tk, 1
+allmobilenews.tk, 1
+allmousepads.com, 1
+allmoviesonline.tk, 1
+allnaijagists.com.ng, 1
+allnations4christ.org, 1
+allnodes.com, 1
+allnovosibirsk.tk, 1
+allns.fr, 1
+allnumis.com, 1
+allo-luxembourg.tk, 1
+allofthestops.com, 1
+allohol.de, 1
+alloldpics.com, 1
+allontanamentovolatili.it, 1
+allontanamentovolatili.milano.it, 1
+alloprof.qc.ca, 1
+allopurinal.tk, 1
+allopurinol.gq, 1
+allopurinol100mg.tk, 1
+allopurinol300mg.ml, 1
+alloutauto1.com, 1
+allpantypics.com, 1
+allpaydirect.com, 1
+allpedia.tk, 1
+allpinouts.org, 1
+allpointsblog.com, 1
+allporn.pics, 1
+allporncomic.com, 1
+allpornvids.com, 1
+allpost.co, 1
+allprices.world, 1
+allprints.tk, 1
+allproformation.com, 1
+allpropertyservices.com, 1
+allproptonline.com, 1
+allpussynow.com, 1
+allrad-buck.de, 1
+allram.info, 1
+allreptiles.tk, 1
+allresorts.tk, 1
+allright.tk, 1
+allriteseptic.com, 1
+allroundtechnology.com, 1
+allroundtechnology.nl, 1
+allsafemd.com, 1
+allsaints.church, 1
+allsaintspreschoolyj.com.au, 1
+allsarms.com, 1
+allscammers.exposed, 1
+allscholarship.com.ng, 1
+allschool.com.ng, 1
+allscience.tk, 1
+allsearch.io, 1
+allseasons-cleaning.co.uk, 1
+allseasonschimney.com, 1
+allseasonswaterproofing.com, 1
+allset.ml, 1
+allshapes.co.nz, 1
+allshousedesigns.com, 0
+allsmart.gr, 1
+allsouls.co.za, 1
+allspinecare.com, 1
+allstakesupply.com.au, 1
+allstar-janitorial.com, 1
+allstarautokiaparts.com, 1
+allstarcustompools.com, 1
+allstargraphics.com.au, 1
+allstarink.com.au, 1
+allstarquilts.com, 1
+allstatedealerservices.com, 1
+allsun.online, 1
+allsurpl.us, 1
+allsurplus.com, 1
+allsync.com, 1
+allsync.nl, 1
+allthatblings.online, 1
+allthebots.com, 1
+allthefallen.moe, 1
+alltheplaces2go.com, 1
+alltherapies.tk, 1
+alltherooms.es, 1
+allthethings.co.nz, 1
+allthewaynorth.xyz, 1
+allthings.me, 0
+allthingshealthy.org, 1
+allthingsroyal.nl, 1
+allthingzit.com, 1
+alltimespost.com, 1
+alltourism.tk, 1
+alltrade.ga, 1
+alltrippers.com, 1
+alltwwk.tk, 1
+alluance.nl, 1
+allucinati.tk, 1
+alluel.com, 1
+allur-club.cf, 1
+allurebikerental.com, 1
+allurechiro.com, 1
+allureclinic.pt, 1
+alluremedicalaesthetic.com, 1
+allurescarves.com, 1
+alluringdesigns.tk, 1
+alluvion.studio, 1
+allvideofoot.tk, 1
+allvips.ru, 1
+allwaterjet.com, 1
+allways.tk, 1
+allweatherheatingandairconditioning.com, 1
+allwebkeys.gr, 1
+allwebsites.tk, 1
+allwebtuts.com, 1
+allwiki.tk, 1
+allwithinmyhands.org, 1
+allwordpress.tk, 1
+allworld.ga, 1
+allwrestling.ga, 1
+allxon.com, 1
+allyachts.cf, 1
+allyachts.gq, 1
+allyfile.com, 1
+allyoucanstyle.de, 1
+allyspot.com, 1
+allyweds.com, 1
+almaarkansas.gov, 1
+almaascosmetics.com, 1
+almaatlantica.com, 1
+almablanca.tk, 1
+almacenterwi.gov, 1
+almadaria.com, 1
+almadeviajante.com, 1
+almagalla.com, 1
+almajaniyate.ga, 1
+almamarket.com, 0
+almanea.email, 1
+almanea.family, 1
+almanea.net, 1
+almanea.org, 1
+almanilan.com, 1
+almanshood.com, 1
+almanyacv.com, 1
+almarail.tk, 1
+almargen.ga, 1
+almargen.tk, 1
+almarin.es, 1
+almasoft.ga, 1
+almastabriz.com, 1
+almasteb.com, 1
+almatinki.com, 1
+almatybusiness.gov.kz, 1
+almatytips.com, 1
+almayadeen.education, 1
+almayoreo.com.co, 1
+almaz-host.ml, 1
+almaz-host.tk, 1
+almaz-sait-rp.ml, 1
+almeera.online, 1
+almeerajtour.com, 1
+almeeraloyalty.com, 1
+almeezangroup.com, 1
+almeidaesilvaseguros.com.br, 1
+almenatownship.gov, 1
+almenrausch-pirkhof.de, 1
+almeriaplayer.tk, 1
+almette.pl, 1
+almeva.swiss, 1
+almhtnews.com, 1
+almirall.com, 1
+almiriatechstore.co.ke, 1
+almlab.tk, 1
+almlc.gov, 1
+almokhlifoud.com, 1
+almorafestival.com, 1
+almosis.tk, 1
+almost.cf, 1
+almost.fit, 1
+almost.gq, 1
+almostobjective.com, 1
+almudenallacer.com, 1
+almukhtar.se, 0
+almurtaqa.com, 1
+almusbahperfume.com, 1
+almushealth.com, 1
+almut-zielonka.de, 1
+almx.net, 1
+alnaierh.com, 1
+alng.me, 1
+alnilam.co.uk, 1
+alnitech.com, 0
+alnoorintl.com, 1
+aloalosalomao.com.br, 1
+alodavetiye.com.tr, 1
+alodokita.com, 1
+aloe-care.tk, 1
+aloe-vera-info.tk, 1
+aloemeda.de, 1
+aloesbienetre.be, 1
+aloesoluciones.com.ar, 1
+aloeveralisboa.pt, 1
+alofone.vn, 1
+alohapartyevents.co.uk, 1
+alohotel.com, 1
+alohotelorange.com, 1
+alohotels.com, 1
+alojadalu.com.br, 1
+alola.co.uk, 1
+alolabor.org, 1
+alomch.gq, 1
+alomendia.tk, 1
+alonaku.com, 1
+alonarodeh.com, 1
+aloneg.ovh, 1
+alonephoenix.tk, 1
+alonetone.com, 1
+alonsoluzgas.es, 1
+alonuocsuoi.com, 1
+aloo.ga, 1
+aloomic.com.au, 1
+aloop.cloud, 1
+alopezlawfirm.com, 1
+alorica.com, 0
+aloris-controle.fr, 1
+aloro.io, 1
+alotso.com, 1
+alottajava.com, 1
+alov.blog, 1
+aloys233.top, 1
+alp-eastlink-portal-model.azurewebsites.net, 1
+alp-samsungca-portal-model.azurewebsites.net, 1
+alp-spectrum-portal-model.azurewebsites.net, 1
+alp.od.ua, 1
+alpa.is, 1
+alpaca.haus, 1
+alpahandling.com, 1
+alpan.ml, 1
+alpan.tk, 1
+alpca.org, 1
+alpe-d-or.dyn-o-saur.com, 1
+alpencams.at, 1
+alpencams.ch, 1
+alpencams.com, 1
+alpencams.de, 1
+alpencams.fr, 1
+alpencams.it, 1
+alpencams.net, 1
+alpencams.nl, 1
+alpenguides.de, 1
+alpenhof-suedtirol.com, 1
+alpenjuice.com, 1
+alpenrose.de, 1
+alpenschmarrn.de, 1
+alpensternderl.de, 1
+alperenremziunal.me, 1
+alperozmen.kim, 1
+alpertron.com.ar, 1
+alpes-deis-tools.com, 1
+alpes-deis.fr, 1
+alpetrov.cf, 1
+alpha-ag.ru, 1
+alpha-assistant.com, 1
+alpha-associates.ch, 1
+alpha-bet.com.ua, 1
+alpha-centauri.tk, 1
+alpha-force.net, 0
+alpha-kamera.de, 1
+alpha-protein.de, 1
+alpha-shop.gr, 1
+alpha.ch, 1
+alpha91.co.za, 1
+alphaassurances.com, 1
+alphabet-z.xyz, 1
+alphabetsigns.com, 1
+alphabetworksheetsfree.com, 1
+alphabouncycastles.co.uk, 1
+alphabrasloja.com.br, 1
+alphabytes.uk, 0
+alphachannel.tk, 1
+alphachat.net, 1
+alphacity.tk, 1
+alphacodingskills.com, 1
+alphacomputersllc.com, 0
+alphaconsult.sk, 0
+alphacorp.tk, 1
+alphadance.tk, 1
+alphadefense.co.za, 1
+alphadetroit.com.au, 1
+alphadronten.tk, 1
+alphaetomega3d.fr, 1
+alphafoo.dk, 1
+alphagames.tk, 1
+alphageek.blog, 1
+alphahosting.hu, 1
+alphahunks.com, 1
+alphainflatablehire.com, 1
+alphakites.de, 1
+alphalab.tk, 1
+alphalibraries.com, 1
+alphamosa.fr, 1
+alphanodes.com, 1
+alphapengu.in, 1
+alphapoker.ru, 1
+alpharail.se, 1
+alpharettaga.gov, 1
+alpharoofga.com, 1
+alpharotary.com, 1
+alphasall.com, 0
+alphasoft-i.net, 1
+alphassl.de, 1
+alphastrip.com, 1
+alphat.net, 1
+alphatam.com, 1
+alphatrading.tk, 1
+alphatrash.de, 1
+alphatv.cf, 1
+alphatv.ga, 1
+alphavit.ru, 1
+alphaworks.it, 1
+alphaxb.com, 1
+alphazure.co.uk, 1
+alphazure.com, 1
+alphera.nl, 1
+alphie.me, 1
+alphimedia.com, 1
+alphipneux.fr, 1
+alphline.com.sg, 1
+alphotelmilano.it, 1
+alpilean.com, 1
+alpinar.tk, 1
+alpinatours.nl, 1
+alpine-holiday.de, 1
+alpine-tuning.de, 1
+alpinebank.com, 1
+alpinedentalhealth.com, 1
+alpinehighlandrealty.com, 1
+alpineplanet.com, 1
+alpinepubliclibrary.org, 1
+alpinestarmassage.com, 1
+alpinewy.gov, 1
+alpis.fr, 1
+alplogopedia.it, 1
+alpparts.com, 1
+alquiler-de-coches.tk, 1
+alquiler-de-furgonetas.tk, 1
+alquran-online.tk, 1
+alrahman.ch, 1
+alrahman.de, 1
+alre-outillage.fr, 1
+alredho.com, 1
+alrehmantech.tk, 1
+alrioart.com, 1
+alrobotics.net, 1
+alroniks.com, 0
+alsaagency.tk, 1
+alsabil.tk, 1
+alsace-informatique.shop, 1
+alsetat.com, 1
+alshabab.tk, 1
+alshamil.tk, 1
+alsharkest.net, 1
+alskar.co, 0
+alsol.fr, 1
+alsops.cf, 1
+alsteadnh.gov, 1
+alstertouch.com, 1
+alstertouch.de, 1
+alt-bookings.com, 1
+alt-pannekow.de, 1
+alt-three.com, 0
+alt-til-windows.dk, 1
+alt-wien.com, 1
+alt.org, 1
+alta-densidad.tk, 1
+alta-ict.nl, 1
+altabadia.com, 1
+altabadia.it, 1
+altabash.tk, 1
+altabg.com, 1
+altabib.me, 1
+altabooks.ga, 1
+altacomunicazione.tk, 1
+altahrim.net, 1
+altai-info.ga, 1
+altai-voyage.tk, 1
+altai-zemlya.cf, 1
+altai-zemlya.ga, 1
+altai-zemlya.ml, 1
+altai-zemlya.tk, 1
+altai22.tk, 1
+altair.com, 0
+altairfp.es, 1
+altairlyh.com, 1
+altaiscience.com, 1
+altaizemlya.cf, 1
+altaizemlya.ga, 1
+altaizemlya.ml, 1
+altaizemlya.tk, 1
+altana.com, 1
+altaplana.be, 1
+altasierra.co.uk, 1
+altavaldinon.com, 1
+altavoces.guru, 1
+altcoaching.fr, 1
+altcodes.nl, 1
+altd.cz, 1
+altdforyou.tk, 1
+alte-wassermuehle-friesoythe.de, 1
+altea.it, 1
+altec.pl, 1
+altecgmbh.de, 1
+altedirect.com, 1
+altenagala.nl, 1
+altenheim.it, 1
+alteralife.eu, 1
+alteraro.com, 1
+alteraro.org, 1
+alterbaum.net, 1
+altered.network, 1
+altered.si, 1
+alterego.tk, 1
+alterenergy.tk, 1
+alterengine.tk, 1
+altergalaxy.tk, 1
+alteria.xyz, 1
+alterian.com, 1
+alterlinks.com, 1
+alterlinks.fr, 1
+alterlinks.it, 1
+alterlinks.nl, 1
+altermidya.net, 1
+altern-in-wuerde.com, 1
+alternador.com.br, 1
+alternahaircare.com, 1
+alternatieva.tk, 1
+alternatifin.com, 1
+alternativa-kaluga.ru, 1
+alternativagospel.tk, 1
+alternative-e-energy.tk, 1
+alternative-kultur.tk, 1
+alternative-reussite.org, 1
+alternative.hosting, 1
+alternativebit.fr, 1
+alternativedev.ca, 1
+alternativeenergy.tk, 1
+alternativefacts.cf, 1
+alternativehosting.ca, 1
+alternativehosting.com, 1
+alternativeinternet.ca, 1
+alternativet.party, 1
+alternativetomeds.com, 1
+alternativewireless.com, 1
+alternativnizivot.tk, 1
+alternatiwa.tk, 1
+alternatoru.com, 1
+alternego.com, 1
+alternet.ml, 1
+alterspalter.de, 1
+altertek.org, 1
+altes-sportamt.de, 1
+altesses.eu, 1
+altestore.com, 1
+althacare.com, 1
+altharis.net, 1
+althi.nl, 1
+althistory.ga, 1
+alti-global.com, 1
+altidrabat.dk, 1
+altieresgomes.com.br, 1
+altijdleroy.nl, 1
+altijdleroy.online, 1
+altimetrique.ca, 1
+altimetry.com, 1
+altinea.fr, 1
+altinity.com, 1
+altinopoliscervejaria.com.br, 1
+altiplano.travel, 1
+altisnet.ga, 1
+altitude-dev.com, 1
+altitudeco.com.au, 1
+altitudehauling.com, 1
+altiup.ch, 0
+altiup.com, 0
+altius-europe.com, 1
+altius.com.pa, 1
+altiusconsulting.com, 1
+altiusconsulting.net, 1
+altiusondemand.com, 1
+altkia.com, 1
+altkremsmuensterer.at, 1
+altmann-systems.de, 1
+altmedicine.tk, 1
+altoa.cz, 1
+altoinsuranceagency.com, 1
+altoona-wi.gov, 1
+altopartners.com, 0
+altopia.com, 1
+altoplan.de, 1
+altos.tk, 1
+altospam.net, 1
+altovalemarmoraria.com.br, 1
+altovoltaggio.tk, 1
+altoweb.tk, 1
+altphotos.com, 1
+altralamezia.tk, 1
+altramarsala.tk, 1
+altransport.ca, 1
+altratella.tk, 1
+altravita-ivf.ru, 1
+altrei.ch, 1
+altrui.st, 1
+altsdigital.com, 0
+altsetup.com, 1
+altspacex.com, 1
+altstadt-it.de, 1
+alttrackr.com, 1
+altunbas.info, 1
+altur.tk, 1
+alturiak.net, 1
+altusbiologics.com, 1
+altusgroup.com, 0
+altview.gq, 1
+altyazur.com, 1
+alua.com, 1
+aluchta.tk, 1
+alugha.com, 1
+aluguer-rodagigante.pt, 0
+alukard.gq, 1
+alukard.ml, 1
+alukard.pro, 1
+alulasails.com, 1
+aluminaty.com, 1
+aluminium-giesserei.de, 1
+aluminumfencestlouis.com, 1
+alumni-kusa.jp, 1
+alumni-skensa.tk, 1
+alumni.education, 1
+alumnispecialers.ga, 1
+alumnivilleest.ga, 1
+alunara.eu, 1
+alunyc.gq, 1
+alupferd.de, 1
+aluroof.eu, 1
+alushta-vostorg.ml, 1
+alushta-vostorg.tk, 1
+alushta.tk, 1
+alusib.ga, 1
+alusim.ga, 1
+aluta.de, 1
+alvarez.tk, 1
+alvarezmorales.tk, 1
+alvaritoeresnuestradulcelocura.tk, 1
+alvaro-smith.link, 1
+alvarovega.tk, 1
+alvastonauto.fi, 1
+alves-avocat.com, 1
+alviano.com, 0
+alvicom.hu, 1
+alvies-laufbus.de, 1
+alvimedika.com.ua, 1
+alvinalvelino.com, 1
+alvinaonline.com, 1
+alvinhu.com, 0
+alvirzy.tk, 1
+alvn.ga, 1
+alvordtx.gov, 1
+alvosec.com, 1
+alware.ca, 1
+alwaysdata.com, 1
+alwayshowher.tk, 1
+alwayslookingyourbest.com, 1
+alwaysmine.fi, 1
+alwayswanderlust.com, 1
+alwiam.info, 1
+alwistra.eu, 1
+alwuz.com, 1
+alxclub.tk, 1
+alxn-congress-2022.com, 1
+alxpresentes.com.br, 1
+alxu.ca, 1
+aly.pet, 1
+alykkelife.com, 1
+alyoung.com, 1
+alyssamilano.tk, 1
+alyusr.com.sa, 1
+alza.at, 1
+alza.co.uk, 1
+alza.cz, 1
+alza.de, 1
+alza.sk, 1
+alzashop.com, 1
+alzheimers.gov, 0
+alziamoiltetto.it, 1
+alzlogarforensics.com, 1
+alzon.cf, 1
+alzulej.pt, 1
+am-39.com, 1
+am-dd.com, 1
+am-executive-consulting.com, 1
+am-i-on-am-i-on-drugs-dot-com.com, 1
+am-i-on-drugs.com, 1
+am-liaotian.com, 0
+am-schlossgarten.haus, 1
+am-sonnenblick.de, 1
+am-sonnengarten.de, 1
+am-yu.jp, 1
+am190.com, 1
+am22i6xaf1m2a5m9k.xyz, 1
+am3.se, 1
+am5188.com, 1
+am7000.com, 1
+am8009.com, 1
+am8028.com, 1
+am8213.com, 1
+am8811.net, 1
+am8898.net, 1
+am8900.com, 1
+ama.ne.jp, 1
+amabiligranilhas.com, 1
+amac.tv, 1
+amademy.com, 1
+amadera.com, 1
+amaderforum.tk, 1
+amadeusproject.cf, 1
+amadin.tk, 1
+amadispa.com.br, 0
+amadoraslindas.com, 1
+amadorcounty.gov, 1
+amadvice.com, 1
+amaeruinc.com, 1
+amaforro.com, 1
+amagdic.com, 1
+amagical.net, 0
+amagraduates.tk, 1
+amagroup.io, 1
+amaisd.org, 1
+amaiz.com, 0
+amalbansode.com, 1
+amalfi5stars.com, 1
+amalfipositanoboatrental.com, 1
+amalgaamvrij.tk, 1
+amalgaamziekte.tk, 1
+amalgamma.ml, 1
+amalou-photografie.de, 1
+amambebe.com, 1
+amandablain.com, 1
+amandadamsphotography.com, 1
+amandahamilton.tk, 1
+amandamachado.nl, 1
+amandasage.ca, 1
+amandaworldstudies.com, 1
+amanduscommunication.com, 1
+amanet.ro, 1
+amango.se, 1
+amani-kinderdorf.de, 1
+amanmerceria.com, 1
+amansinghbhogal.com, 0
+amanydesignstudio.com, 1
+amapspa.it, 1
+amaranth.gq, 1
+amaranth.tk, 1
+amaranthinewanderlust.com, 1
+amaranthus.com.ph, 1
+amarasbutterflies.com, 1
+amaresq.com, 1
+amarilio.com.mx, 1
+amarillosquare.com, 1
+amarinbabyandkids.com, 1
+amaris-pr.ru, 1
+amarrada.com, 1
+amarresdeamorconelbrujoguillermo.com, 1
+amarresperuanos.com, 1
+amartaramitramandal.tk, 1
+amartours.pt, 1
+amaruddinmufid.com, 1
+amaruz.tk, 1
+amarylis.com, 1
+amasea.yachts, 1
+amasing.tk, 1
+amateku.jp, 1
+amateri.com, 1
+amateur-boxing.tk, 1
+amateur.cash, 1
+amateur.cf, 1
+amateur101.tk, 1
+amateureuro.com, 1
+amateurplayerstour.com, 1
+amateurradionotes.com, 1
+amateurs.ga, 1
+amateurs.gq, 1
+amateurtuning.tk, 1
+amateurvoicetalent.com, 1
+amati.solutions, 1
+amato.tk, 1
+amatoryasamak.tk, 1
+amatutis.lt, 1
+amatya.co.uk, 1
+amauf.de, 1
+amaurijogos.tk, 1
+amavis.org, 1
+amavo.tk, 1
+amaxa.com, 1
+amaxautomotive.com.au, 1
+amazcode.ooo, 1
+amazdriver.com, 1
+amazetimberfurniture.com.au, 1
+amazhot.com, 1
+amazinations.com, 1
+amazing-cars98.tk, 1
+amazing-castles.co.uk, 1
+amazing-maids.com, 1
+amazingraymond.com, 1
+amazingraymond.com.au, 1
+amazingribs.com, 1
+amazingstore.gq, 1
+amazingtattooideas.com, 1
+amazon, 1
+amazon.ae, 1
+amazon.at, 1
+amazon.care, 1
+amazon.com.tr, 1
+amazon.eg, 1
+amazon.pl, 1
+amazon.sa, 1
+amazon.se, 1
+amazonseoservices.com, 1
+amazonteckathon.com, 1
+amazstaff.com, 1
+amaztravail.com, 1
+amazwerk.com, 1
+amb.tf, 1
+ambarbyarihant.com, 1
+ambasador-dibo.pl, 1
+ambasady.cz, 1
+ambassadordayslevis2023.com, 1
+ambassify.com, 1
+ambassify.eu, 1
+amber-teething-necklace.com, 1
+amberba.tk, 1
+ambercaravalho.com, 1
+amberesdetective.be, 1
+amberhouse.cf, 1
+amberhouse.ga, 1
+amberhouse.gq, 1
+amberoad.tk, 1
+amberonline.tk, 1
+ambersafety.info, 1
+ambersoftware.co.uk, 1
+ambertears.tk, 1
+amberwiz.com, 1
+ambiancewindowcoverings.com, 1
+ambident.cz, 1
+ambient.digital, 1
+ambient.wtf, 1
+ambiente.one, 1
+ambientskies.tk, 1
+ambigramasdecarmela.tk, 1
+ambion.am, 1
+ambisonia.com, 1
+ambitionbox.com, 1
+ambivalence.tk, 1
+amblin.com, 1
+ambor.com, 1
+ambor.org, 1
+ambouncyhire.com, 1
+ambra.net.nz, 1
+ambrosia.cafe, 1
+ambrosiamosaicos.co, 1
+ambrosio.tk, 1
+ambtpay.com, 1
+ambulanceplus.cz, 1
+ambulancieros.tk, 1
+ambulanza.it, 1
+ambulanza.milano.it, 1
+ambulanza.roma.it, 1
+ambulanzaprivata.roma.it, 1
+ambulari.cz, 1
+ambulatori.it, 1
+amburgo.com, 1
+amcanalense.tk, 1
+amcangroup.com, 1
+amcasia.com, 1
+amcchemical.com, 0
+amchainitiative.org, 1
+amcharts.com, 1
+amcs.website, 0
+amdelisi.tk, 1
+amdental.lv, 1
+amdiving.ru, 1
+amdm.ru, 1
+amdrumors.com, 1
+amdukis-bordercollies.tk, 1
+ameba-capital.com, 1
+amebavirtual.tk, 1
+amebolounge.tk, 1
+amechancez.work, 1
+amecopress.net, 1
+amedeo.pro, 1
+ameego.com, 1
+ameego.it, 1
+ameego.net, 1
+ameego.nl, 1
+ameego.org, 1
+ameeradubai.com, 1
+amees.me, 0
+ameeventos.pt, 1
+amefrec.co.jp, 1
+ameho.me, 0
+ameinteriores.pt, 1
+ameisenbaer.tk, 1
+amelanchiers.tk, 1
+amelia-wedding.pl, 1
+amelielei.net, 1
+ameliemarieintokyo.com, 1
+amello.de, 1
+amemei-lists.top, 1
+amempire.tk, 1
+amendine.fr, 1
+ameninalaceira.com.br, 1
+amenoskuarto.tk, 1
+amenta.in, 1
+ameresco.com, 1
+ameri.capital, 1
+america.gov, 1
+america250.gov, 1
+americabiznews.tk, 1
+americafamilylawcenter.org, 1
+americafc.tk, 1
+americahealthcare.tk, 1
+americamilitar.com, 1
+american-automotive.tk, 1
+american-school-search.com, 1
+americanacrylicaward.com, 1
+americanartwarehouse.com, 1
+americanbooks.cf, 1
+americanbuzz.tk, 1
+americancasinoguide.shop, 1
+americancomfortexperts.com, 1
+americandisinfectingassociation.com, 1
+americandisinfectingassociation.org, 1
+americanews.ml, 1
+americanflooring.co, 1
+americanflooringservicesinc.com, 1
+americanfootball.ml, 1
+americanfootball.tk, 1
+americanfreight.com, 1
+americangods.tk, 1
+americanimageawards.com, 1
+americaninsuranceplus.ml, 1
+americankickoff.ga, 1
+americanmessaging.net, 1
+americanmusical.com, 1
+americanpop.be, 1
+americanreservations.us, 1
+americans.cam, 1
+americanstrategic.com, 0
+americantowers.org, 0
+americanunicornparty.tk, 1
+americanwalkincoolers.com, 1
+americanwater.lk, 1
+americapitalfunding.com, 1
+americasbasementcontractor.com, 1
+americasblackprophet.com, 1
+americasdirector.com, 1
+americasgottalentauditions.com, 1
+americathebeautifulquarters.gov, 1
+americatracker.com, 1
+americavip.tk, 1
+americawiki.tk, 1
+americolorcorp.com, 1
+americorps.gov, 1
+americorpsoig.gov, 1
+ameriglasscontractors.com, 1
+amerigroup.com, 1
+amerigrouphealthyliving.com, 1
+ameriikanpoijat.org, 1
+amerikanloto.tk, 1
+amerikanpaketim.com, 1
+amerikasepetim.com, 1
+amerikeli.tk, 1
+amerimex.cc, 1
+amerimex.org, 1
+amerion.nl, 1
+ameriondental.nl, 1
+ameripacfund.com, 1
+ames-fzco.ae, 1
+amesagesse.com, 1
+amesgen.de, 1
+amessage.de, 1
+amessage.eu, 1
+amessage.info, 1
+amesvacuumrepair.com, 1
+amethystbodyart.co.za, 1
+amethystcards.co.uk, 1
+amethystdevelopment.co.uk, 1
+amethystwebsitedesign.com, 1
+ametinsurance.com, 1
+ametrin.biz, 1
+amevoice.com, 1
+amex.ua, 1
+amexemp.com, 1
+amf.to, 1
+amfelt.dk, 1
+amfiteatr.tk, 1
+amfora.gq, 1
+amforst.ddns.net, 1
+amg.work, 1
+amgreatness.com, 1
+amh-entertainments.co.uk, 1
+ami-de-bastanes.fr, 1
+ami.com, 1
+amiabot.ca, 1
+amiabot.com, 1
+amianto.milano.it, 1
+amianto.roma.it, 1
+amiatlanticare.com, 1
+amica-travel.com, 1
+amicalecanyon.ch, 0
+amicare.fr, 1
+amicipadrealdo.tk, 1
+amiciperibambini.org, 1
+amiciperlatesta.it, 1
+amicon.com, 1
+amicosauro.tk, 1
+amicus-webdesign.de, 1
+amicusjunior.ro, 1
+amie.so, 1
+amiez.com, 1
+amifoundation.net, 1
+amigatraktor.tk, 1
+amightyoakbedandbreakfast.com, 1
+amigodeltoro.tk, 1
+amigoenergy.com, 1
+amigosdelvalenciadeastorga.tk, 1
+amigosencanada.com, 1
+amigosgranada4050.tk, 1
+amigucrochet.com, 1
+amikton.ru, 1
+amilaresort.com, 1
+amilcalcados.com.br, 1
+amilesportes.com.br, 1
+amilum.org, 1
+amimi.tk, 1
+amin.one, 1
+aminafrance.com, 1
+amineamellouk.com, 1
+amineptine.com, 1
+aminfarhoodi.tk, 1
+aminformatica.ml, 1
+aminformatica.tk, 1
+aminko.ga, 1
+aminoro.de, 1
+aminos.tk, 1
+aminsabeti.com, 1
+aminullrouted.com, 1
+amion.com.ua, 1
+amionamiondrugsdotcom.com, 1
+amiondrugs.com, 1
+amionvpn.com, 1
+amir-nadlan.co.il, 1
+amir-tataloo.tk, 1
+amirarsalan.tk, 1
+amirasyraf.com, 0
+amirautos.com, 0
+amirhanova-a.ru, 1
+amirkaraj.tk, 1
+amirmahdy.com, 1
+amis-du-cinema.com, 1
+amis-sh.fr, 1
+amiserver.de, 1
+amisharingstuff.com, 1
+amishra.tk, 1
+amisoft.co.jp, 1
+amisoft.tk, 1
+amissing.link, 1
+amisun.com, 1
+amithvijayan.in, 1
+amitopia.tk, 1
+amitpatra.com, 0
+amitriptyline-hydrochloride.ga, 1
+amitriptyline25mg.cf, 1
+amitriptylineonline.tk, 1
+amitt.ga, 1
+amityvillepdny.gov, 1
+amitywebsitedesign.com, 1
+amiv.ch, 1
+amj-smart-energy.com, 1
+amjaadabdullah.com, 1
+amjesusdespojado.tk, 1
+amjinc.ca, 1
+amlakzibakenar.com, 1
+amlameiras.pt, 0
+amleather.pl, 1
+amliorefemme.tk, 1
+amliyatdua.com, 0
+amlops.com.au, 1
+amm6e.com, 1
+ammanagingdirectors.com, 1
+ammex.com, 1
+amministratore.biz, 1
+amministratore.roma.it, 1
+amministratorecondominiale.it, 1
+amministratorecondominio.roma.it, 1
+amministratoredicondominio.roma.it, 1
+amministratoristabilitorino.tk, 1
+amministrazioni.roma.it, 1
+ammoland.com, 0
+ammsystems.pl, 1
+amnathrig.com, 1
+amnepal.ml, 1
+amnesia-zone.tk, 1
+amnesty.cf, 1
+amnesty.org.au, 1
+amnesy.fr, 1
+amnion.tk, 1
+amniotic.tk, 1
+amniowell.com, 1
+amnistiya.tk, 1
+amoatuaexistencia.com.br, 1
+amobileway.co.uk, 1
+amoc.org, 1
+amodeocarlo.com, 1
+amoderm.com, 1
+amogus.cloud, 1
+amokinio.com, 1
+amolaccum.tk, 1
+amolador.com.br, 1
+amolare.com.br, 1
+amoliogames.com, 1
+amollare.com.br, 1
+amon.tech, 1
+amondial.com, 1
+among-us.me, 1
+amongtheflora.com, 1
+amongus-guru.ru, 1
+amongusmerch.co, 1
+amoozesh98.ir, 1
+amoralizm.tk, 1
+amoraquatropatas.org, 1
+amordoce.com, 1
+amorekids.es, 1
+amorfestival.com, 1
+amorgos-aegialis.com, 1
+amorgosrentandgo.gr, 1
+amorim.ca, 1
+amoroso-vivace.ch, 1
+amorph.aero, 1
+amorphis.tk, 1
+amorphsys.com, 1
+amorszexshop.hu, 1
+amortyzator.tk, 1
+amorxyoga.com, 1
+amorymerced.tk, 1
+amoryurgentcare.com, 1
+amos.ovh, 1
+amosca.tk, 1
+amotarget.com, 1
+amoursucre.com, 1
+amoxicillin-500mg.ga, 1
+amoxicillin.cf, 1
+amoxicillin.ga, 1
+amoxicillincapsules.tk, 1
+amoxicillinonline.tk, 1
+amoxil.cf, 1
+amoxil.ga, 1
+amoxil875.ga, 1
+amoxilonline.gq, 1
+amp-logistics.com, 1
+amp-wp.org, 1
+amp.chat, 1
+ampact.co, 1
+amped4ski.co.nz, 0
+ampedairsoft.com, 1
+amper.kharkov.ua, 1
+ampersandnbspsemicolon.com, 1
+ampersandsmallbusiness.com, 1
+ampetronic.com, 1
+ampflower.gay, 1
+amphetamines.org, 1
+amphibo.ly, 1
+amphora.jp, 1
+amphora.tk, 1
+amphost.tk, 1
+ampicillin.ga, 1
+ampicillin.ml, 1
+ampicillin24.com, 1
+ampicilliniv.tk, 1
+ampicillinonline.gq, 1
+amplead.com, 1
+ampledesigners.com, 1
+ampleinfographics.com, 1
+ampleitsolutions.com.au, 1
+ampleroads.com, 1
+amplifi.io, 1
+amplifiedit.com, 1
+amplifier-technics.tk, 1
+amplifire.com, 1
+ampparit.com, 1
+ampproject.com, 1
+ampproject.org, 1
+ampselectricsolar.com, 1
+ampullen.tk, 1
+amputated.tk, 1
+amputatedgenitals.tk, 1
+amr.de, 1
+amrealtypr.com, 1
+amref.org, 1
+amrita.club, 1
+amritps.com, 1
+amroelkhatib.fi, 1
+amroz.xyz, 1
+amrun-verlag.de, 1
+amruta.org, 1
+ams-web-qa.azurewebsites.net, 1
+ams.co.rs, 1
+amsconnectapp.com, 1
+amscrosscomp.nl, 1
+amsel305nc.ddnss.de, 1
+amsmart.hu, 1
+amst.io, 1
+amstat.org, 0
+amstelradio.tk, 1
+amstelveentje.nl, 1
+amsterdam.nl, 1
+amsterdam4u.tk, 1
+amsterdam5.nl, 1
+amsterdamian.com, 1
+amsterdamtype.nl, 1
+amsterdamtypography.nl, 1
+amstudiorecording.com, 1
+amsuisse.com, 0
+amt-taxfrance.com, 1
+amtheone.com, 1
+amtrakoig.gov, 1
+amule.cf, 1
+amumtomum.com, 1
+amunanalytics.eu, 1
+amundi-ca-assurances.com, 1
+amundi-ee.com, 1
+amundi-tc.com, 1
+amundsensports.com, 1
+amunoz.org, 1
+amuq.net, 1
+amur-photo.ml, 1
+amur.tk, 1
+amusa.cl, 1
+amuzante.com, 1
+amva.it, 1
+amvip9.com, 1
+amvisor.com, 1
+amvisualgraphics.com, 1
+amwake.com, 1
+amwine.ru, 1
+amxm.aero, 1
+amxpj888.com, 0
+amy-nichols.ga, 1
+amyapets.tk, 1
+amyfoundhermann.com, 1
+amymabel.com, 1
+amyred.net, 1
+amyria.jp, 1
+amyrussellhair.com, 1
+amytuarez.ga, 1
+amytuarez.gq, 1
+amytuarez.ml, 1
+amywinehouseaddicted.tk, 1
+amyyeung.com, 1
+amz-tas.ba, 1
+amzik.tk, 1
+amzinfotech.com, 0
+amzn.com, 1
+amzn.rocks, 1
+amznworks.com, 1
+an-alles-gedacht.de, 1
+an0ns.ru, 0
+an0ns.tk, 1
+an7hrax.se, 1
+anaal-nathrakh.tk, 1
+anaaldea.tk, 1
+anaalmeisjes.tk, 1
+anaalnathrakh.tk, 1
+anaalontmaagd.tk, 1
+anaar.ml, 1
+anabarata.tk, 1
+anabecoaj.org, 1
+anabijou.com.br, 1
+anabolic-stresser.ga, 1
+anabolic.co, 1
+anabolickdieta.ga, 1
+anabolics.tk, 1
+anabolika.ga, 1
+anabolika.gq, 1
+anabolika.ml, 1
+anachristinarodriguez.com, 1
+anachronaeon.tk, 1
+anachronis.gq, 1
+anacom.pt, 1
+anacondasc.co.uk, 1
+anacondaswimmingclub.org.uk, 1
+anacron.pl, 1
+anacruz.es, 1
+anadiuvo.fi, 1
+anadlelkheir.com, 1
+anaelog.com.au, 1
+anaethelion.fr, 1
+anafranil.cf, 1
+anafranil.ga, 1
+anagir.tk, 1
+anagramma.tk, 1
+anahitascribe.tk, 1
+anahtarfikir.com, 0
+anahwaftah.ga, 1
+anaiscoachpersonal.es, 1
+anaisfae.art, 1
+anak-pontianak.tk, 1
+anakart.tk, 1
+anakin.ca, 1
+anakliarmalam.ml, 1
+analbabsi.com, 1
+analebear.com, 1
+analfistula.com.sg, 1
+analgesia.ga, 1
+analgesia.net, 1
+analinsting.tk, 1
+analisi-grammaticale.biz, 1
+analisi-logica.it, 1
+analisi-periodo.it, 1
+analisi.roma.it, 1
+analitik.ml, 1
+analizator.tk, 1
+analizufa.ru, 1
+analogfreeers.ga, 1
+analogical.ga, 1
+analogist.net, 1
+analogman.com, 1
+analpantyhose.org, 1
+analpics.com, 1
+analyser-mon-site.fr, 1
+analystexamers.ga, 1
+analysts.com, 1
+analytics-media.com, 1
+analyticscanvas.com, 1
+analyticsinmotion.com, 1
+analyticsinsight.net, 1
+analyticum.at, 1
+analyticum.com, 1
+analyticum.de, 1
+analyticum.eu, 1
+analyticum.net, 1
+analytik.news, 1
+analyzemyfriends.com, 1
+analyzepoker.com, 1
+anamelikian.com, 1
+anamterminal.tk, 1
+ananas.gq, 1
+ananasposter.ru, 1
+anangeix.tk, 1
+anankecosmetics.com, 1
+anantshri.info, 1
+ananyagupta.tk, 1
+anaprieto.com, 1
+anapsi.tk, 1
+anar.biz, 1
+anarajaoui.ma, 1
+anarcasmetalicos.tk, 1
+anarchapulco.com, 1
+anarchie-in-lippe.tk, 1
+anarchie.tk, 1
+anarchista.top, 1
+anarchistfederation.net, 1
+anarchistischefoderation.de, 1
+anarchistos.tk, 1
+anarchotv.tk, 1
+anarchy.eu.org, 1
+anarchyhax.ml, 1
+anarchyrp.life, 1
+anarchyweb.tk, 1
+anarhia.tk, 1
+anarhija.tk, 1
+anarhist.net, 1
+anarhist.org, 1
+anaricompras.com, 1
+anarka.org, 1
+anarkhe.net, 1
+anarky.tk, 1
+anarshist.tk, 1
+anarticle.gq, 1
+anasaci.com, 1
+anasahr.be, 1
+anassiriphotography.com, 0
+anastasiaweb.tk, 1
+anastasis.studio, 1
+anastasiyasivayeva.ru, 1
+anastore.com, 1
+anatoliarles.com, 1
+anatoly.tk, 1
+anatomized.tk, 1
+anatoray.com, 1
+anatorywap.gq, 1
+anaxios.ga, 1
+anaxvip-sp.gr, 1
+anayahuasca.com.br, 1
+anayarealm.com, 1
+anbaicreative.com, 1
+anbank.pl, 1
+anbigift.nl, 1
+anblife.com, 1
+anborn.tk, 1
+ancade.es, 1
+ancaebacia.pt, 1
+ancarda.net, 1
+ancardukids.tk, 1
+anccg.ca, 1
+ance.lv, 0
+ancentury.com, 1
+ancestral.beer, 1
+ancestramil.fr, 1
+ancestry.ca, 1
+ancestry.co.uk, 1
+ancestry.com, 1
+ancestry.com.au, 1
+ancestry.de, 1
+ancestry.fr, 1
+ancestry.mx, 1
+ancestry.se, 1
+ancestrycdn.com, 1
+ancestryinstitution.com, 1
+anchev.net, 1
+anchorbvfs.com, 1
+anchorit.gov, 1
+anchoritsg.com, 1
+anchovy.nz, 0
+anchr.io, 1
+anciennes-automobiles.fr, 1
+anciens.org, 1
+ancient-gates.de, 1
+ancientnorth.com, 1
+ancientnorth.nl, 1
+anclarma.fr, 1
+ancolies-andre.com, 0
+anconatoday.it, 1
+ancroma.ro, 1
+ancuong.com, 1
+and-stuff.nl, 1
+and-tax.jp, 1
+andain.com, 1
+andalosse.tk, 1
+andalucia.com, 1
+andaluciaboard.tk, 1
+andalusiaal.gov, 1
+andamancapitalpartners.com, 1
+andantepiano.studio, 1
+andefang.com, 1
+andel.info, 0
+anderbelt.com.br, 1
+anders.hamburg, 1
+anderskp.dk, 0
+andersoncountytn.gov, 1
+andersonenergy.com.au, 1
+andersonlegal.co, 1
+andersonmanufacturing.com, 1
+andersonpowerservices.com, 1
+andersonshatch.com, 1
+andersontownshipoh.gov, 1
+andersraagaard.dk, 1
+anderstoneel.tk, 1
+anderstornkvist.se, 1
+andesnevadotours.com, 1
+andesoftconsulting.com, 1
+andeticaret.com, 1
+andfaraway.tk, 1
+andfrankly.com, 1
+andhrawishesh.com, 1
+andibo.net, 1
+andinapets.pe, 1
+andiplusben.com, 1
+andisadhdspot.com, 1
+andiscyber.space, 1
+andnet.tk, 1
+andoaingo-gaztetxea.tk, 1
+andobil.com, 1
+andoms.fi, 1
+andonivr.com, 1
+andonix.com, 1
+andorraimperial.tk, 1
+andorrainsiders.com, 1
+andos.tk, 1
+andouillette-thierry.fr, 1
+andoyasuyuki.com, 1
+andr-mobile.tk, 1
+andradealbuquerque.pt, 1
+andragon.tk, 1
+andrasnagy.com, 1
+andrasnagy.eu, 1
+andrasnagy.net, 1
+andrazaharia.com, 1
+andre-ballensiefen.de, 1
+andre-baum.com, 1
+andre-otto.com, 1
+andre-schlichting.de, 1
+andrea-kiaora.de, 1
+andrea-m.me, 1
+andrea-wirthensohn.at, 0
+andreaalloway.com, 1
+andreaassenti.it, 1
+andreaboero.it, 0
+andreacarreno.com, 1
+andreadraghetti.it, 1
+andreae.nl, 1
+andreafranceschini.org, 1
+andreafruggi.it, 1
+andreagiusti.tk, 1
+andreagobetti.com, 1
+andreagourmet.it, 1
+andrealand.sk, 1
+andreamcnett.com, 1
+andreapalermo.tk, 1
+andreapavone.com, 1
+andreas-hildebrandt.com, 1
+andreas-kluge.eu, 1
+andreas-kurtz.de, 1
+andreaseracleous.com, 0
+andreasfeusi.ch, 1
+andreashartmann.net, 1
+andreashellkvist.tk, 1
+andreasjanker.de, 1
+andreaskluge.eu, 1
+andreaskrasa.com, 1
+andreaslicht.nl, 1
+andreasolsson.se, 1
+andreasr.com, 1
+andreaswirth.com, 1
+andreasxp.me, 1
+andreatedeschi.it, 1
+andrecanuto.com.br, 1
+andrecarvalho.net.br, 1
+andredaus.com, 1
+andree.cloud, 1
+andreeapasat.ro, 1
+andreferreira.website, 1
+andrehartensveld.tk, 1
+andrehazeswinactie.nl, 1
+andreichira.ro, 1
+andreihodorog.com, 1
+andreina-atencio.com, 1
+andrejbenz.com, 1
+andrejstefanovski.com, 1
+andremaciel.pt, 1
+andrematosband.tk, 1
+andreoliveira.io, 1
+andreotti-furniture.com, 1
+andrepicard.de, 1
+andresbandb.tk, 1
+andrescuartas.tk, 1
+andresgarciapersonal.com, 1
+andresgarciapersonal.es, 1
+andresgarzon.net, 1
+andresguiarealtor.com, 1
+andrespaz.com, 1
+andrespr.es, 1
+andresrios.nl, 1
+andressaflores.com.br, 1
+andresvillanueva.mx, 1
+andreundnina.de, 1
+andrew-lazarev.com, 1
+andrew.fi, 1
+andrewbennett.ltd, 1
+andrewcountymo.gov, 1
+andrewdaws.co, 1
+andrewdaws.info, 1
+andrewdaws.io, 1
+andrewdaws.me, 1
+andrewdaws.tv, 1
+andrewensley.com, 1
+andrewfergusonbooks.com, 1
+andrewglucas.com, 1
+andrewglucas.net, 1
+andrewhowden.com, 0
+andrewimeson.com, 1
+andrewin.ru, 1
+andrewjphotography.com, 1
+andrewmcfarlane.tk, 1
+andrewmichaelsmith.com, 1
+andrewmichaud.me, 1
+andrewnet.net, 1
+andrewpeng.net, 1
+andrewpucci.com, 0
+andrewrdaws.com, 1
+andrewreaganm.com, 1
+andrewrgoss.com, 1
+andrewryno.com, 1
+andrews-waste.co.uk, 0
+andrewsandford.com, 1
+andrewsfasteners.uk, 1
+andrewsfss.marketing, 1
+andrewsnc.gov, 1
+andrewsoutar.com, 1
+andrewsun.com, 1
+andrewtasso.com, 1
+andrewtaylor.eu, 1
+andrewtran.xyz, 1
+andrewwiggins.ca, 1
+andrey.red, 1
+andrey1p.ru, 1
+andreyborisov.cf, 1
+andreyjuravlev.ga, 1
+andreypopp.com, 1
+andreysmirnov.tk, 1
+andrian.ga, 1
+andrian.io, 1
+andrian.tk, 1
+andriano.net, 1
+andrianova.ml, 1
+andriekus.tk, 1
+andrienko.tk, 1
+andrija-i-andjelka.com, 1
+andro4all.com, 1
+androgain.in, 1
+android, 1
+android-10-inch-tablets.tk, 1
+android-center.tk, 1
+android-club.cf, 1
+android-gamers.tk, 1
+android-hit.ml, 1
+android-it.cf, 1
+android-soft.gq, 1
+android-tv.3utilities.com, 1
+android-tv.ml, 1
+android.com.pl, 1
+android.re, 1
+android1.co.id, 1
+androidcrunch.com, 1
+androide.com, 1
+androidfactory.io, 1
+androidfinal.com, 1
+androidgadgematic.com, 1
+androidgaming.tk, 1
+androidhack.tk, 1
+androidhry.cz, 1
+androidinfotech.com, 1
+androidioswindows18378.ml, 1
+androidkatalog.cz, 1
+androidlab.tk, 1
+androidmafia.ru, 1
+androidmarket.gq, 1
+androidmarketturkiye.tk, 1
+androidmax.tk, 1
+androidnovinky.cz, 1
+androidphones.ga, 1
+androidplanet.nl, 1
+androidplay.tk, 1
+androidru.ml, 1
+androidservicetool.com, 1
+androidtamer.com, 1
+androidtcpdump.com, 1
+androidtelefony.cz, 1
+androidtools.gq, 1
+androidtorrent.info, 1
+androidtotal.ml, 1
+androidwale.ga, 1
+androidwedakarayo.com, 1
+androidweekly.net, 1
+androidzone.me, 1
+androlab.tk, 1
+andromeda.se, 1
+andropia-online.fr, 1
+androscoggincountyema.gov, 1
+androtics.com, 1
+androtix.com, 1
+andrush.eu, 1
+andschwa.com, 1
+andsecure.ch, 0
+andsoul.nl, 1
+andthisismyodyssey.tk, 1
+anduril.de, 1
+anduril.eu, 1
+andy-hagans.tk, 1
+andyante.cz, 1
+andyattorney.com, 1
+andybrett.com, 1
+andycatteceur.tk, 1
+andyclark.io, 0
+andyconcreting.com.au, 1
+andycraftz.eu, 1
+andycrockett.io, 1
+andykenward.com, 1
+andymoore.info, 0
+andyscubepage.tk, 1
+andyseducation.com, 1
+andysmith.tk, 1
+andyson.at, 1
+andysroom.dynu.net, 1
+andysroom.net, 1
+andyt.eu, 1
+andythomasonline.tk, 1
+andythomsonbooks.ca, 1
+andytownsendphotography.com, 1
+andytsoi.nyc, 1
+andyvandermeyde.tk, 1
+andywalkeronline.tk, 1
+andywilliamsonline.tk, 1
+andzia.art.pl, 1
+aneclab.cz, 1
+anecuni-club.com, 1
+anecuni-rec.com, 1
+anedot-sandbox.com, 1
+anedot.com, 1
+anedot.space, 1
+anedot.xyz, 1
+aneducationuto.tk, 1
+anefi.com.ec, 0
+anegabawa.com, 0
+anehost.com, 1
+anehtaconseil.com, 1
+aneirin.net, 1
+anekdot-pr.tk, 1
+anekdotik.tk, 1
+anekdotiki.tk, 1
+anelik.tk, 1
+anelki.net, 1
+aneslix.com, 0
+anesmebeli.com, 1
+anessex.wedding, 1
+anesterov.xyz, 1
+anetaben.nl, 1
+anetofwellness.com, 1
+anetteolzon.tk, 1
+anewperspectiveconstruction.com, 1
+anex.us, 1
+anexperimentedblog.tk, 1
+anextraordinaryday.net, 1
+anfadern.com, 1
+anfalas.ddnss.de, 1
+anfarabic.com, 1
+anfei.com, 1
+anfieldbc.co.uk, 1
+anfloors.ru, 0
+anfr.fr, 1
+angablade.com, 1
+angazajamii.com, 1
+ange-de-bonheur444.com, 1
+angeben.com, 1
+angel-body.com, 1
+angel-jrk.com, 1
+angel-wing.jp, 1
+angel163.ru, 0
+angela.baby, 1
+angeladietrich.com, 1
+angelaheck.com, 1
+angelalombardo.it, 1
+angelarellano.tk, 1
+angelbulldog.tk, 1
+angelcastellanos.tk, 1
+angelcorpus.tk, 1
+angelcreations.tk, 1
+angeldjmix.tk, 1
+angelefloramendy.org, 1
+angelesdelabismo.com, 1
+angelesydemonios.es, 1
+angelfood.org, 1
+angelhaken.com, 1
+angelhammer.tk, 1
+angelic.icu, 1
+angelic47.com, 1
+angelicapanganibansite.tk, 1
+angelicare.co.uk, 1
+angelicsphynx.tk, 1
+angelikaclothing.com, 1
+angelinadevil.tk, 1
+angelinafilipski.tk, 1
+angelineroguel.com, 1
+angeliquewoudenberg.tk, 1
+angeljmadrid.com, 1
+angelkeepers.net, 1
+angelnumber.faith, 1
+angelnumber.one, 1
+angelo4ek.tk, 1
+angeloangioi.tk, 1
+angelok.ru, 1
+angeloroelen.tk, 1
+angelpowwow.com, 1
+angelremigene.com, 0
+angelsanctum.tk, 1
+angelsandairwaves.tk, 1
+angelsandfriends.com, 1
+angelschlesser.tk, 1
+angelsdecay.tk, 1
+angelsgirl.eu.org, 1
+angelsmile.tk, 1
+angelsmithphotography.com, 1
+angelspabeauty.co.uk, 1
+angelswar.ga, 1
+angeltorri.tk, 1
+angelvisionary.com, 1
+angem.gq, 1
+angem.tk, 1
+angepsychedelices.tk, 1
+angeredmoon.tk, 1
+angermanalvorna.tk, 1
+angesehen.com, 1
+angestoepselt.de, 1
+angie-webdesign.ch, 0
+angiejones.com, 1
+angielynx.net, 1
+angiesite.tk, 1
+angiewickes.com, 1
+anginf.de, 1
+angiolinikids.it, 1
+angione.ca, 1
+angione.se, 1
+angisonline.cz, 1
+angkapaito.net, 1
+angkasa.net.id, 1
+anglais-angouleme.com, 1
+anglarsports.com, 1
+angleline.cn, 1
+anglersconservation.net, 1
+anglertanke.de, 1
+anglesya.win, 1
+anglictina-sojcak.cz, 1
+anglictinasojcak.cz, 1
+anglingactive.co.uk, 0
+anglingnewfoundlandlabrador.com, 1
+anglirl.eu.org, 1
+anglogoldashanti.com, 1
+anglopoltransport.pl, 1
+angolo.com, 1
+angolo.ga, 1
+angop.ao, 1
+angora.id, 1
+angorarabbitsaspets.com, 1
+angristan.fr, 1
+angristan.xyz, 1
+angry-monk.com, 1
+angry.im, 1
+angryaf.com, 1
+angrybear.tk, 1
+angrybug.com, 1
+angrydragonproductions.com, 1
+angrymoulinex.tk, 1
+angrysnarl.com, 1
+angryteeth.net, 0
+angstakademie.com, 1
+angstrommold.com, 1
+angular-js.ga, 1
+anguloconsulting.com, 1
+angusandperthpgl.tk, 1
+angusbarn.com, 1
+anh-dv.com, 1
+anhaffen.lu, 0
+anhangabau.com, 1
+anhdvboot.com, 1
+anhdvshop.com, 1
+anhembi.br, 1
+anhqv.es, 1
+ani-man.de, 1
+aniababan.com, 1
+aniabuduje.pl, 1
+aniaimichal.eu, 1
+anian.ch, 0
+aniblizzard.tk, 1
+anichief.com, 1
+anicloud.com.br, 1
+anievo.id, 1
+aniforprez.net, 1
+anightmareonelmstreet.tk, 1
+anihilated.tk, 1
+anihonetwallpaper.com, 1
+anikabyaabi.com, 1
+anikaras.ga, 1
+anikschwall.com, 1
+anilom.tk, 1
+anim.ee, 1
+anima.digital, 1
+anima.nz, 1
+animaalternative.it, 1
+animacionclub.tk, 1
+animadoc.cl, 1
+animaeducacao.com.br, 1
+animaemundi.be, 0
+animal-clothing.com, 1
+animal-liberation.com, 1
+animal-paris.fr, 1
+animal-rights.com, 1
+animal-world.cf, 1
+animal-world.tk, 1
+animalarkvets.co.uk, 1
+animalcenterunomas.tk, 1
+animalcrossingwiki.de, 1
+animalkingdom.cl, 1
+animalliberation.tk, 1
+animallog.tk, 1
+animalnutritionwizard.org, 1
+animalpetblog.ml, 1
+animalpetgroup.ml, 1
+animalpix.ch, 0
+animalplace.tk, 1
+animalratingsers.ga, 1
+animalratingsest.ga, 1
+animals-world.tk, 1
+animalshelter.tk, 1
+animalsphoto.tk, 1
+animalstropic.com, 1
+animaltesting.fr, 1
+animalworld.gq, 1
+animalz.ga, 1
+animalz.ml, 1
+animalz.tk, 1
+animamega.tk, 1
+animan.ca, 1
+animanganetwork.tk, 1
+animaproduksiyon.com.tr, 1
+animari.at, 1
+animari.ch, 1
+animari.de, 1
+animari.eu, 1
+animasencia.tk, 1
+animashka.tk, 1
+animataz.ga, 1
+animate.de, 1
+animatedtimes.com, 1
+animazul.tk, 1
+anime-and-manga-news.tk, 1
+anime-best.tk, 1
+anime-cafe.tk, 1
+anime-dragoon.tk, 1
+anime-drift.tk, 1
+anime-list.ga, 1
+anime-news.tk, 1
+anime-rg.com, 1
+anime-tip.com, 1
+anime-tv.tk, 1
+anime.my, 0
+anime1.me, 1
+anime1.moe, 1
+anime1.pw, 1
+anime74.ru, 1
+animeai.com, 1
+animebits.moe, 1
+animecasepremium.id, 1
+animecreed.ga, 1
+animeday.ml, 1
+animeday.tk, 1
+animedescarga.ml, 1
+animedesuga.com, 1
+animedon.tk, 1
+animeelite.tk, 1
+animefire.net, 0
+animefluxxx.com, 1
+animefun.cf, 1
+animegroup.tk, 1
+animeheaven.ml, 1
+animehomeworld.tk, 1
+animeinsights.net, 1
+animekun.tk, 1
+animelandia.tk, 1
+animelatino.tk, 1
+animelesson.ga, 1
+animelily.com, 1
+animelime.ru, 1
+animelolipop.com, 1
+animemotivation.com, 1
+animeonsen.xyz, 1
+animeplus1.tk, 1
+animepower.gq, 1
+animepower.tk, 1
+animequest.tk, 1
+animeronews.tk, 1
+animeru.org, 1
+animes-portal.info, 1
+animesbrasil.tk, 1
+animesconsteemplee.tk, 1
+animesekken.tk, 1
+animesharp.com, 1
+animeshka.tk, 1
+animeslayer.ga, 1
+animeslayer.ml, 1
+animesoftcream.com, 1
+animestash.tk, 1
+animestreamingfr.fr, 1
+animesun.tk, 1
+animetosho.org, 1
+animetriad.com, 1
+animeuknews.net, 1
+animewallpapers.tk, 1
+animixplays.net, 1
+animmouse.com, 1
+animofluteandpiano.co.uk, 1
+animonda.de, 1
+animotica.com, 1
+animoxavilorza.tk, 1
+aninews.tk, 1
+anip.icu, 1
+anipassion.com, 0
+aniplus.cf, 1
+aniplus.gq, 1
+anishnayak.com, 1
+anisiaclinic.ro, 1
+anisimov.ml, 1
+anisotomatikkapi.com, 1
+anitaalbersen.nl, 1
+anitahebe.com, 1
+anitalk.dk, 1
+anitaxcph.dk, 1
+anitklib.ml, 1
+anitop.ga, 1
+anitop.tk, 1
+anitube-nocookie.ch, 1
+aniviasport.store, 1
+anivision.tk, 1
+aniwatch.me, 1
+aniwhen.com, 1
+aniya.moe, 1
+anja-vastgoed.nl, 1
+anjadethurah.dk, 1
+anjaliandthekid.com, 1
+anjanbiswas.in, 1
+anjara.eu, 1
+anjiurine.top, 1
+anjocerdena.com, 1
+anjoola.com, 1
+anjtransportsolutions.com.au, 1
+ankalash.com, 1
+ankam.com, 1
+ankane.org, 1
+ankanetworks.net, 1
+ankaraarabakiralama.com.tr, 1
+ankaraarabakiralama.name.tr, 1
+ankaraarackiralama.name.tr, 1
+ankarabolcahindi.com.tr, 1
+ankaraciftkabin.com, 1
+ankaracikma.com.tr, 1
+ankaracikmaparca.com.tr, 1
+ankaradaozelders.tk, 1
+ankaraevdenevenakliyat.name.tr, 1
+ankarafiziktedavimerkezi.com.tr, 1
+ankarahavaalaniarackiralama.com.tr, 1
+ankarahavalimaniarackiralama.com.tr, 1
+ankarajeneratorkiralama.com.tr, 1
+ankarakurumsalwebtasarim.com, 1
+ankaramotosikletyedekparca.com, 1
+ankaraotocikmaparca.com.tr, 1
+ankaraotokiralama.name.tr, 1
+ankaraotokiralama.tk, 1
+ankaraotomobilcikmaparca.com, 1
+ankaraotomobilcikmaparca.com.tr, 1
+ankaraotomobilyedekparca.com, 1
+ankaraotomobilyedekparca.com.tr, 1
+ankaraotoparca.com.tr, 1
+ankararentacar.name.tr, 1
+ankaraseo.name.tr, 1
+ankarasoket.com.tr, 1
+ankarasondajkuyusutemizleme.com, 1
+ankarauzmanlarnakliyat.com, 0
+ankaravinckiralama.com.tr, 1
+ankarawebtasarim.name.tr, 1
+ankarawebtasarim.tk, 1
+ankarayedek.com.tr, 1
+ankastremerkezi.com, 1
+anker-wladyslawowo.pl, 1
+anketlekazan.net, 1
+ankitha.in, 1
+ankitpati.in, 1
+ankiuser.net, 1
+ankiweb.net, 1
+ankos.cf, 1
+ankya9.com, 1
+anleitung-deutsch-lernen.de, 1
+anleitung-zum-flechten.de, 1
+anleitung-zum-haekeln.de, 1
+anleitung-zum-schreiben.de, 1
+anleitung-zum-schweissen.de, 1
+anleitung-zum-toepfern.de, 1
+anlikdoviz.co, 1
+anlikhaber.tk, 1
+anliting.com, 1
+anmelden.io, 1
+anmriers.ga, 1
+anna-beauty.ga, 1
+anna-beauty.gq, 1
+anna-center.tk, 1
+anna-dance.ru, 1
+anna-mai.net, 1
+anna.info, 1
+annaaurora.eu, 1
+annabelcinemas.com, 1
+annabelmassina.net, 1
+annabet.com, 1
+annadebrux.cf, 1
+annadebrux.ga, 1
+annadebrux.gq, 1
+annadebrux.ml, 1
+annaenemma.nl, 1
+annafiore.com.br, 1
+annainstitute.org, 1
+annalaudel.gallery, 1
+annaleon.tk, 1
+annalisefashion.ga, 1
+annalitvinova.pro, 1
+annalouise.tk, 1
+annaluizaferreira.com.br, 1
+annandaleonline.net, 1
+annandaleonline.org, 1
+annangela.cn, 1
+annangela.moe, 0
+annarborplasticsurgery.com, 1
+annarokina.com, 1
+annat.cf, 1
+annat.tk, 1
+annavissi.tk, 1
+annawagner.pl, 1
+annaweb.tk, 1
+annazweglinska.pl, 1
+anne-gb.ch, 1
+anne-marie.tk, 1
+annedaniels.co.uk, 1
+anneeden-porn.com, 1
+anneeden.com, 1
+annefit.ro, 1
+annefrank.org, 1
+annefried-hahn.de, 1
+annejan.com, 1
+annekleinert.de, 1
+annelida.com, 1
+annelies-monsere.tk, 1
+anneliesvanhoof.tk, 1
+annelisetouya.com, 1
+annema.biz, 1
+annemakeslovelycandles.co.uk, 1
+annemarielaponder.com, 1
+annesfotografie.de, 1
+annetardif.ca, 1
+annetta.com, 1
+annetta.net, 1
+annettewindlin.ch, 1
+annevankesteren.nl, 1
+annevankesteren.org, 1
+anney-life.com, 1
+anniangel-porn.com, 1
+annicascakes.nl, 1
+anniecloth.com, 1
+anniegagnonphotographie.com, 1
+anniesdollhouse.com, 1
+annihilation-squad.tk, 1
+annikarose-porn.com, 1
+annitrinity.com, 1
+annitrinity.net, 1
+anniversaryforumers.ga, 1
+annonasoftware.com, 1
+annoncer.ga, 1
+annonces-immobilier.tk, 1
+annonces-moto.org, 1
+annonces-vacances.info, 1
+annonces34.tk, 1
+annonseringonline.se, 1
+announcement.tk, 1
+annoyinggui.de, 1
+annoyingguide.de, 1
+annrusnak.com, 1
+anns.eu, 1
+annthegran.com, 1
+annu.tk, 1
+annuaire-auto-ecole.com, 1
+annuaire-express.tk, 1
+annual.ga, 1
+annuire.org, 1
+annuitycommunity.com, 1
+annuityequityers.ga, 1
+annulleret.tk, 1
+annunciationbvmchurch.org, 1
+annuncisesso.tk, 1
+annyaurora.net, 1
+annygraces.com, 1
+anodas.lt, 1
+anohana.org, 1
+anokacountybuys.gov, 1
+anol.loan, 1
+anomalous.eu, 1
+anomaly.tk, 1
+anon-gap.tk, 1
+anon-net.tk, 1
+anon-next.de, 1
+anon-tipz.tk, 1
+anon-ways.tk, 1
+anonaddy.com, 1
+anonaddy.me, 1
+anonase.com, 1
+anoncrypto.org, 1
+anoneko.com, 1
+anongoth.pl, 0
+anonhq.com, 1
+anonicloud.ch, 1
+anoniem-domein.nl, 1
+anonimizers.tk, 1
+anonmega.tk, 1
+anonofficial.tk, 1
+anonrea.ch, 1
+anons.fr, 0
+anonser.tk, 1
+anontekno.com, 1
+anonwonders.tk, 1
+anonybus.com, 1
+anonym-surfen.de, 0
+anonym-surfen.online, 1
+anonyme-spieler.at, 1
+anonymous.com.pt, 1
+anonymousbitcoinexchange.org, 1
+anonymousemail.me, 1
+anonymshare.com, 1
+anoopcnair.com, 1
+anopan.tk, 1
+anora.ai, 1
+anoracdn.net, 1
+anorak.tech, 1
+anordinaryhousewife.com, 1
+anorexia-nervosa.tk, 1
+another.ch, 1
+anotherfatgeek.net, 1
+anotherinvest.pl, 1
+anothermilan.net, 1
+anothermusic.tk, 1
+anotheronedead.tk, 1
+anothersupersite.com, 1
+anothersupersociety.com, 1
+anothervps.com, 1
+anoual-lycee.tk, 1
+anoujaa.com, 1
+anouncer.ga, 1
+anova.com, 1
+anowicki.pl, 1
+anoxinon.de, 1
+anoxinon.media, 1
+anpaju.gq, 1
+anpigabon.ga, 1
+anquankongjian.com, 1
+anquanssl.com, 1
+ans-ge.ch, 0
+ans-solutions.com, 1
+ansas.net, 0
+ansdell.net, 1
+ansellchallenge.azurewebsites.net, 1
+anseo.ninja, 1
+ansermet.net, 0
+ansgar-sonntag.de, 1
+ansgar.tk, 1
+ansgarsonntag.de, 1
+anshar.eu, 1
+anshlag.co.il, 1
+ansibeast.net, 1
+ansichtssache.at, 1
+ansogning-sg.dk, 1
+anson.ru, 1
+ansoncountync.gov, 1
+ansperformance.eu, 1
+anstaskforce.gov, 1
+anster.org, 1
+anstorino.tk, 1
+answerbookstore.tk, 1
+answerconnect.co.uk, 1
+answerconnect.com, 1
+answerforce.com, 1
+answering365.com, 0
+answernow.cf, 1
+answers-online.ru, 1
+answersincme.com, 1
+antabuse.ga, 1
+antabuse500mg.ga, 1
+antabuskaufen1.gq, 1
+antagning-vn.se, 1
+antagning.se, 1
+antagonist1.tk, 1
+antalya-taxi.cf, 1
+antalya-turkey.tk, 1
+antalya-yesim.cf, 1
+antalyaduvarkagidi.com.tr, 1
+antalyaescmagazin.tk, 1
+antalyaescortyaren.tk, 1
+antalyahomes.com, 1
+antalyamasajsalonu.gq, 1
+antama.eu, 1
+antama.nl, 1
+antanavagefarbiarz.com, 1
+antani.cloud, 1
+antarcti.co, 1
+antarctida.tk, 1
+antaresmedia.com.py, 1
+antarktida.ru, 1
+antarktida.tk, 1
+antarlina.com, 1
+antavo.com, 1
+antcas.com, 0
+antechrista.tk, 1
+antecim.fr, 1
+antecipa.com, 1
+antelope.ai, 1
+antena.ga, 1
+antenaplay.ro, 1
+antenasmundosat.com, 1
+antenasmundosat.com.br, 1
+antenaweb.tk, 1
+antenna-lyubertsy.cf, 1
+antennajunkies.com, 1
+antennaweb.tk, 1
+antennekaart.nl, 1
+antennista.bari.it, 1
+antennista.catania.it, 1
+antennista.it, 1
+antennista.milano.it, 1
+antennista.pavia.it, 1
+antennista.roma.it, 1
+antennista.tv, 1
+antennistaroma.it, 1
+antennisti.milano.it, 1
+antennisti.palermo.it, 1
+antennisti.roma.it, 1
+anteny.ml, 1
+antephaber.tk, 1
+anteros.shop, 0
+antfarm.cf, 1
+anthes.is, 1
+anthiago.com, 1
+anthisis.tv, 1
+anthisnes.org, 1
+anthony-bardon.eu, 1
+anthonychampagne.me, 1
+anthonydegrande.tk, 1
+anthonyellis.com, 1
+anthonyfontanez.com, 1
+anthonylaberge.tk, 1
+anthonyloop.com, 1
+anthonymineo.com, 0
+anthonytimbers.com, 1
+anthonytutorials.tk, 1
+anthonyvadala.me, 1
+anthrene-traitement.fr, 1
+anthro.asia, 1
+anthro.icu, 1
+anthrocon.com, 1
+anthrocon.net, 1
+anthrocon.org, 1
+anthroper.com, 1
+anthropoid.ca, 1
+anti-akw-ac.de, 1
+anti-civilisation.tk, 1
+anti-ddos.group, 1
+anti-depressants.tk, 1
+anti-doping.tk, 1
+anti-eniologia.ml, 1
+anti-eniologiya.ml, 1
+anti-gololed.ga, 1
+anti-iupac.tk, 1
+anti-lohotron.tk, 1
+anti-nsa.tk, 1
+anti-radar.org, 1
+anti-spy.net, 0
+anti-stop.cf, 1
+antiage.ml, 1
+antianti.nl, 1
+antiaz.com, 1
+antibanner.tk, 1
+antibioticaugmentin.cf, 1
+antibioticaugmentin.ml, 1
+antibioticaugmentin.tk, 1
+antibioticsadvice.cf, 1
+anticapitalist.party, 1
+anticensorship-russia.tk, 1
+antichat.tk, 1
+antichatresources.ga, 1
+anticipating.tk, 1
+anticonceptieportaal.nl, 1
+anticopyright.com, 1
+anticorruption.tk, 1
+antics.tk, 1
+antidayton.com, 1
+antidepressants.tk, 1
+antidopamine.com, 1
+antidope.tk, 1
+antidoping.tk, 1
+antidott.fr, 1
+antiekboerderijgraafland.nl, 1
+antielectoral.tk, 1
+antifa-bernau.tk, 1
+antifa.sh, 0
+antifabus.tk, 1
+antifake-funko.fr, 1
+antifaschistisch-reisen.tk, 1
+antifaschistische-linke.tk, 1
+antifaschistischeaktioncelle.tk, 1
+antifilter.network, 1
+antifraud.cf, 1
+antifraudcentre-centreantifraude.ca, 1
+antifurti.roma.it, 1
+antigravity.cf, 1
+antihelp-tomsk.tk, 1
+antihistaminico.com, 1
+antihistory.cf, 1
+antihistory.ga, 1
+antihistory.gq, 1
+antihistory.ml, 1
+antihype.space, 1
+antijob.tk, 1
+antik-trodelmarkt.de, 1
+antikeo.com, 1
+antikfloors.ga, 1
+antikfloors.gq, 1
+antikfloors.ml, 1
+antikpest.hu, 0
+antikskupka.ru, 1
+antikvar-i-ya.tk, 1
+antikvar-net.tk, 1
+antikvariat22.cz, 1
+antikvarshop.tk, 1
+antilaserpriority.com, 1
+antiled.by, 1
+antimateri.com, 1
+antimaterie.tk, 1
+antimine.me, 1
+antiminutemen5.tk, 1
+antinatalism.com, 1
+antinatalists.com, 1
+antinazi.org, 1
+antincendio.it, 1
+antincendio.roma.it, 1
+antiochtechnologies.com, 1
+antipa.ch, 1
+antipodi.ga, 1
+antipolygraph.org, 1
+antiquario.roma.it, 1
+antique-pedalcars.ch, 1
+antiquecenter.gq, 1
+antiquefirearms.tk, 1
+antiquemotorcycle.org, 1
+antiquesinvestorsest.ga, 1
+antireklams.tk, 1
+antirepressionbayarea.com, 1
+antiseptik.me, 1
+antishell.ru, 1
+antisocialist.tk, 1
+antispamcloud.dk, 1
+antispeciesism.com, 1
+antispeciesist.com, 1
+antistarenie.tk, 1
+antistate.ch, 1
+antistatik.tk, 1
+antisystem.tk, 1
+antitabak.tk, 1
+antiuser.tk, 1
+antivandal.tk, 1
+antivigilancia.tk, 1
+antivirus.com, 1
+antivirus.cz, 1
+antivirusnet.tk, 1
+antivirusnik.tk, 1
+antiwarsongs.org, 1
+antize.tk, 1
+antizon.net, 1
+antlerprojects.com, 1
+antnetwork.tk, 1
+antocom.com, 1
+antoga.eu, 1
+antoinat.fr, 1
+antoine-data.tk, 1
+antoine-soscouverture.fr, 1
+antoined.fr, 0
+antoinedeschenes.com, 1
+antoinelounis.com, 1
+antoinelounis.xyz, 1
+antoineschaller.ch, 0
+anton-media.tk, 1
+anton-nb.com, 1
+antonchen.com, 1
+antonellabb.eu, 1
+antoni.xyz, 1
+antoniamaria.tk, 1
+antonianolocura.tk, 1
+antonimos.com.br, 1
+antonin.one, 1
+antoninocardillo.com, 1
+antonio-gartenbau.de, 0
+antonioantunesefilhos.pt, 1
+antonioffernandez.com, 1
+antoniojr.adv.br, 1
+antoniolatimore.com, 1
+antoniomarques.eu, 0
+antoniorodriguesadv.com.br, 1
+antonios.ch, 1
+antonioso.ng, 1
+antonioucabinets.com.au, 1
+antonis.cy, 1
+antonis.org, 1
+antonjuulnaber.dk, 1
+antonoff.tk, 1
+antonok.com, 1
+antonovka.ga, 1
+antonygeorge.tk, 1
+antonyraz.de, 1
+antopie.org, 1
+antoshka-net.tk, 1
+antota.lt, 1
+antr.me, 1
+antragsgruen.de, 1
+antraxx.ee, 1
+antrimnh.gov, 1
+antrodiulisse.eu, 0
+antropico.com, 1
+antroposboutique.it, 1
+antroposofica.com.br, 1
+ants-and-me.ml, 1
+ants-carte-grise.fr, 1
+antsa.duckdns.org, 1
+antstoolbox.com, 1
+antti.codes, 1
+antts.uk, 1
+antts.xyz, 1
+anturis.com, 1
+antwire.net, 1
+antyblokada.pl, 1
+antyware.pl, 1
+anubandarage.com, 1
+anubislinux.tk, 1
+anubisz.tk, 1
+anubixx.com, 1
+anujag.tk, 1
+anukaweb.com, 1
+anuke.eu.org, 1
+anulowano.pl, 1
+anunciosclasificados.co, 1
+anuntulmeu.tk, 1
+anunturitv.ro, 1
+anvilmetal.tk, 1
+anvilsales.tk, 1
+anvilsecure.com, 1
+anvish.in, 1
+anwalt-website.de, 1
+anwalt.us, 1
+anwarulislam.tk, 1
+anwarverdict.ml, 1
+anweshpatel.tk, 1
+anxietydisorderexplained.com, 1
+anxietyspace.com, 1
+anxiolytics.com, 1
+anxtlevel.nl, 1
+any-download.cf, 1
+any-download.ga, 1
+any-download.gq, 1
+any-download.ml, 1
+any-download.tk, 1
+any-id.be, 1
+any-id.eu, 1
+any-id.nl, 1
+any-id.online, 1
+any-id.store, 1
+any-link-page.de, 1
+any6.com, 1
+anya-carter.com, 1
+anya.moe, 1
+anyad.at, 1
+anyboat.com.au, 1
+anybus.com, 0
+anycoindirect.eu, 1
+anydaytour.cf, 1
+anyduchildren.tk, 1
+anyebooks.cf, 1
+anyebooks.ga, 1
+anyebooks.gq, 1
+anyebooks.ml, 1
+anyfood.fi, 1
+anyhobby.ga, 1
+anyi.in, 1
+anyid.be, 1
+anyid.uk, 1
+anyid.us, 1
+anyilin.cn, 1
+anyma.it, 1
+anymatch.ai, 1
+anyone.cf, 1
+anypeer.net, 1
+anyplant.ga, 1
+anyprime.net, 1
+anyquestions.govt.nz, 1
+anyradio.ga, 1
+anyrisk.ru, 1
+anyrose.ga, 1
+anysale.ga, 1
+anyshapemusic.com, 1
+anyshow.ga, 1
+anystack.xyz, 1
+anythingforsports.com, 1
+anytimefitness.co.in, 1
+anytimefitness.co.uk, 1
+anytimefitness.nl, 1
+anytimefundingers.ga, 1
+anytimefundingest.ga, 1
+anytimeicon.io, 1
+anytimeoffices.ga, 1
+anytimesewerrepair.com, 1
+anytots.com, 1
+anyuta-mebel.tk, 1
+anywayanyday.com, 1
+anywhereworks.com, 1
+anz.co.nz, 1
+anzalikala.com, 1
+anzeiger.ag, 1
+anztb.org, 1
+ao-vivo.net, 1
+ao2.it, 1
+ao27.net, 1
+ao2law.com, 1
+ao6.works, 1
+aoa.gov, 1
+aoa2.ch, 1
+aoadatacommunity.us, 1
+aoaprograms.net, 1
+aobogo.com, 1
+aocai.com, 1
+aoconsultoria.com, 1
+aod-tech.com, 1
+aodisco.co.uk, 1
+aodnovel.com, 0
+aoe9.com, 1
+aoeuaoeu.com, 1
+aofusa.me, 1
+aofusa.net, 1
+aohao.com, 1
+aoicprobationil.gov, 1
+aoil.gr, 1
+aojf.fr, 1
+aok-bv.de, 0
+aokae.com, 1
+aoku3d.com, 0
+aolcollege.com, 1
+aomar-mohammedi.tk, 1
+aomi.com, 1
+aonedatasolution.com, 1
+aonhewitt.com.cy, 1
+aonhewitt.gr, 1
+aonsolutions.com.cy, 1
+aonsolutions.gr, 1
+aooobo.com, 1
+aopa.org, 1
+aopedeure.nl, 1
+aorangi-debt.co.nz, 1
+aorhan.com, 1
+aori.com, 1
+aorui.com, 1
+aosc.kz, 1
+aosclan.tk, 1
+aoshiya.com, 1
+aosika.com, 1
+aospa.co, 1
+aostacarnavals.it, 1
+aosus.org, 1
+aotearoa.maori.nz, 1
+aotearoafreepress.com, 1
+aotearoaleaks.org, 1
+aotopo.com, 1
+aotuo.com, 1
+aova.loan, 1
+aoyagi-farm.jp, 1
+aoyamacc.co.jp, 1
+aozora.moe, 1
+ap-auto-rege.com, 1
+ap-auto.pl, 1
+ap-bg.eu, 1
+ap.icu, 1
+apa-canal.ro, 1
+apac-fxcm.com, 1
+apache-portal.com, 1
+apachecountyaz.gov, 1
+apachehaus.de, 0
+apachelounge.com, 1
+apachetoday.com, 1
+apadmi.com, 0
+apadrinaunolivo.org, 1
+apadvantage.com, 1
+apaesthetics.com, 1
+apambiente.pt, 1
+apaniwebsite.xyz, 1
+apannpyaymedia.com, 1
+apapinspection.ca, 1
+aparaatti.org, 1
+aparistravel.com, 0
+apart-hotel-weimar.de, 1
+apartamentoslostejos.tk, 1
+apartamentscalpatoi.cat, 1
+apartamentsvituri.com, 1
+apartment-in-rijeka.com, 1
+apartment-market.ml, 1
+apartment.loans, 1
+apartmentkroatien.at, 1
+apartmentregister.com.au, 1
+apartments-promajna.tk, 1
+apartments.co.nz, 1
+apartrentrotterdam.nl, 1
+apartyakamoz.com, 1
+apasaja.tech, 1
+apassodarte.com, 1
+apatransport.com, 1
+apbassettsolicitors.co.uk, 1
+apbforum.tk, 1
+apbio.org, 1
+apbox.de, 1
+apcassistant.com, 1
+apcdistri.com, 1
+apcmc.pt, 1
+apcube.com, 1
+apcw.org, 1
+apdfawl.com, 0
+apdtalents.org.tw, 1
+apdx.com, 1
+apea.com, 1
+apeasternpower.com, 1
+apecsustain.com, 1
+apedreira.com, 1
+apef.ch, 0
+apefrog.tk, 1
+apeiri.de, 1
+apeironassets.com, 1
+apelcinchik.ru, 1
+apelsin.ml, 1
+apem.com, 1
+aperature.com, 1
+apercloud.es, 1
+aperioadvice.ga, 1
+aperiomoney.ga, 1
+aperiotaxation.ga, 1
+apert.be, 1
+aperta.ro, 1
+aperta.shop, 1
+apertis.org, 0
+aperto-nota.eu, 0
+aperto.de, 1
+apertura.tk, 1
+aperture-science.net, 1
+aperture.gr, 1
+apertureimaging.com, 1
+aperturelabs.tk, 1
+aperturescience.cf, 1
+aperturesciencelabs.de, 1
+apertvre.tk, 1
+apex-parts.com, 1
+apex-promotion.com, 1
+apex-writers.com, 1
+apex.ac, 1
+apex.aw, 1
+apexchain-dev.com, 1
+apexchimneyrepairs.com, 1
+apexconsulting.io, 1
+apexfacades.com.au, 1
+apexitsolutions.ca, 1
+apexnc.gov, 1
+apexperformancegym.com, 1
+apexpreciousmetals.com, 1
+apexsupplies.com.sa, 1
+apextrailers.co.za, 1
+apfhaiti.org, 1
+apfm.fr, 1
+apfnxg.com, 1
+apfulfilment.com, 1
+apgw.jp, 1
+aphantasiac.com, 1
+aphelionband.ga, 1
+aphelionentertainment.com, 1
+aphelis.net, 1
+aphorismen-archiv.de, 1
+api-agri.ga, 1
+api-bitrefill.com, 1
+api-hany.cf, 1
+api.biz.tr, 1
+api.lookout.com, 1
+api.recurly.com, 1
+api42.ch, 1
+api64.com, 1
+apiary.shop, 1
+apiary.supplies, 1
+apiary.supply, 1
+apicep.com, 1
+apico-fish.ru, 1
+apiculture.net, 1
+apido.de, 1
+apienergisahomol.com, 1
+apigb.com, 1
+apiinfotech.com, 1
+apil.org.uk, 1
+apila.care, 1
+apiled.io, 1
+apilicens.nu, 1
+apimon.de, 1
+apimoveisorocaba.com.br, 1
+apinat.de, 1
+apination.com, 1
+apio.systems, 1
+apiora.ru, 1
+apiordie.com, 1
+apiplus.fr, 1
+apipsandiego.ga, 1
+apipsandiego.gq, 1
+apipsandiego.ml, 1
+apirie.uk, 1
+apiris.fr, 1
+apis.blue, 1
+apis.google.com, 1
+apit-kovrov.ru, 1
+apitodemestre.com.br, 1
+apiu.me, 1
+apix.se, 1
+apix.uz, 1
+apixmessaging.com, 1
+apixplatform.com, 1
+apk-world.cf, 1
+apk.li, 1
+apk4fun.com, 1
+apkclup.com, 1
+apkcunk.com, 1
+apkdv.com, 0
+apkfame.com, 1
+apkfree.com, 1
+apkfuse.com, 1
+apkindirsene.com, 1
+apkmaze.com, 1
+apkmint.co, 1
+apkmodders.com, 0
+apkmody.io, 1
+apknut.com, 1
+apkoc.com, 1
+apkpokemongo.ga, 1
+apkpokemongo.gq, 1
+apkpokemongo.tk, 1
+apktechy.com, 1
+apkteen.com, 1
+apkxi.com, 1
+aplaceforpops.com, 1
+aplausse.tk, 1
+aplazame.com, 0
+aplcare.com, 1
+aplibrary.org, 1
+aplicaciones.ai, 1
+aplis-online.de, 0
+aplpackaging.co.uk, 1
+aplteam.tk, 1
+aplu.fr, 1
+aplus.mn, 1
+aplusdownload.com, 1
+aplusteachingresources.com.au, 1
+aplusz.nl, 1
+apm.com.tw, 1
+apn-dz.org, 1
+apn-einstellungen.de, 1
+apnagujarkhan.tk, 1
+apnakhattak.tk, 1
+apnanaudero.tk, 1
+apnee-sommeil.ml, 1
+apnews.com, 1
+apnic.network, 1
+apnisites.tk, 1
+apobot.de, 1
+apocalipsisdot.tk, 1
+apocalypseboard.tk, 1
+apocalypseclan.tk, 1
+apocalypsje.ga, 1
+apod.com.au, 1
+apod.ml, 1
+apodis.pro, 1
+apogaea.com, 1
+apogeephoto.com, 1
+apoia.se, 1
+apoiocoletivo.com, 1
+apokalipsis.tk, 1
+apolitical.co, 1
+apollodiet.com, 1
+apollogames.cz, 1
+apolloheatingandair.com, 1
+apollointeractive.com, 1
+apollomobile.ga, 1
+apollomobile.gq, 1
+apollonas.tk, 1
+apollonia.tk, 1
+apollowallet.org, 1
+apollux.ro, 1
+apollyon.work, 1
+apoly.de, 1
+aponkral.com, 1
+aponkral.com.tr, 1
+aponkral.dev, 1
+aponkral.net, 1
+aponkral.net.tr, 1
+aponkral.org, 1
+aponkral.org.tr, 1
+aponte-systems.com, 1
+apopka.gov, 1
+apopov.tk, 1
+apordi.fr, 1
+aposan.de, 1
+aposke.com, 1
+aposke.net, 1
+aposke.org, 1
+apostalegal.com, 1
+apostalegal.pt, 1
+apostascomvalor.com, 1
+apostasdesportivas.tv, 1
+apostasolida.com, 1
+apostasonline.guru, 1
+apostillelondon.com, 1
+apothecarydouglasville.com, 1
+apotheek-ict.nl, 1
+apotheke.social, 1
+apothekeonline.tk, 1
+apotom.tk, 1
+apoyoentareas.tk, 1
+apozitivenergiasport.hu, 1
+app, 1
+app-alp-cp-boost-model.azurewebsites.net, 1
+app-at.work, 1
+app-capacitymanager-v1-pro-crd-hd.azurewebsites.net, 1
+app-cinveninfostream-qa.azurewebsites.net, 1
+app-colissimo.fr, 1
+app-control-fcu.de, 1
+app-finanzas-services-v1-pro-ol.azurewebsites.net, 1
+app-internalapps-v1-uat-crd-hd.azurewebsites.net, 1
+app-online.cloud, 1
+app-scantech.com, 1
+app-scope.com, 1
+app-sharepoint-v1-pro-crd-hd.azurewebsites.net, 1
+app-uks-stg-projectb-website.azurewebsites.net, 1
+app.do, 1
+app.gp, 1
+app.lookout.com, 1
+app.ps, 1
+app.recurly.com, 1
+app.yinxiang.com, 0
+app00228.com, 1
+app11018.com, 1
+app2get.de, 1
+app3w.nl, 1
+app666365.com, 0
+app77018.com, 1
+appac.com.tr, 1
+appac.ltd, 1
+appagility.co.nz, 1
+apparatrechose.tk, 1
+apparatus.ga, 1
+apparelfashionwiki.com, 1
+apparelmusic.com, 1
+appartamento.tk, 1
+appartement-andrea.at, 1
+appartement-evolene.net, 0
+appartement-oostduinkerke.tk, 1
+appartementhaus-am-uke.de, 1
+appartementmarsum.nl, 1
+appartementspanje.tk, 1
+appartementvlissingen.tk, 1
+appartenfrance.com, 1
+appbet43.com, 1
+appbot.co, 1
+appbydl.com, 1
+appcoins.io, 1
+appcraver.com, 1
+appdividend.com, 1
+appdrinks.com, 1
+appearinsequel.tk, 1
+appel-aide.ch, 1
+appelboom.com, 1
+appelboomdefilm.nl, 1
+appelerintrt.tk, 1
+appelhof.com, 1
+appemployees.tk, 1
+appen.com.cn, 1
+appengine.google.com, 1
+appetiser.com.au, 1
+appetitesanonymous.com, 1
+appfollow.io, 1
+appgeek.com.br, 1
+appgrowth.com, 1
+appgurus.com.au, 1
+apphr.io, 1
+appian-cdn-gov.com, 1
+appian-cdn.com, 1
+appiancloud-dynamic.com, 1
+appiancloud-static.com, 1
+appiancloud.com, 1
+appify.org, 1
+appimlab.it, 1
+appingrove.com.au, 1
+appinplace.com.au, 1
+appinvalley.com.au, 1
+appisoftsas.com, 1
+appjobs.com, 1
+applaus-kornwestheim.de, 1
+apple-droid.com, 1
+apple-droid.ru, 1
+apple-watch-zubehoer.de, 1
+apple.ax, 1
+apple.markets, 1
+apple.tf, 1
+apple.wf, 1
+apple77.net, 1
+applebee1558.com, 1
+applecare.cz, 1
+appledestek.net, 1
+appledroid.ru, 1
+appleedu.com, 1
+appleexterminating.com, 1
+applefeel.com, 1
+appleglasscompany.com, 1
+applegun.com, 1
+appleii-box.de, 1
+applejacks-bouncy-castles.co.uk, 1
+applelp.com, 1
+applemaclover.tk, 1
+applemon.com, 1
+applemon.net, 1
+applemon.org, 1
+appleoosa.com, 1
+appleric.tk, 1
+applesaph.nl, 1
+applesencia.com, 1
+appleslayer.cf, 1
+applet.cyou, 1
+appletonmn.gov, 1
+appletonwi.gov, 1
+appletoy.com, 1
+appletree.is, 1
+appletreelanewm.com, 0
+appletreemedicalgroup.com, 1
+applevalleyca.gov, 1
+applewatch.co.nz, 1
+applian.com, 1
+appliancedoctorofwestmichigan.com, 1
+appliancepronwi.com, 1
+appliancerepairtime.com, 1
+appliances-for-home.tk, 1
+appliancist.com, 1
+applicablesecurity.net, 1
+application-travel.us.com, 1
+applicationmanager.gov, 1
+applicationtracker.com, 1
+applied-privacy.net, 1
+appliedbehavioranalysisedu.org, 1
+appliedbiomath.com, 1
+appliedmaths.lk, 1
+appliedtesting.com, 1
+applingcounty.gov, 1
+applique.co.jp, 0
+appliquette.com.au, 1
+appllio.com, 1
+apply-esta.us.com, 1
+apply-eta.org, 1
+apply-visa.us.com, 1
+apply.eu, 1
+apply55gx.com, 1
+applybe.com, 1
+applydirect.org, 1
+applythis.net, 1
+applytofaceblog.com, 1
+appmania.cf, 1
+appmania.gq, 1
+appmedia.tk, 1
+appmeucredito.com.br, 1
+appmobile.io, 1
+appninjas.com, 1
+appo.nl, 1
+appodeal.com, 1
+appoggiature.fr, 1
+appointible.com, 1
+appointment.ga, 1
+apponic.com, 1
+apponline.com, 1
+appopay.com, 1
+apppage.net, 1
+appperformance.com.br, 1
+appraf.com, 1
+appraisalroomest.ga, 1
+apprank.in, 1
+apprendre-le-russe-avec-ania.fr, 1
+apprenticedocs.com.au, 1
+apprenticeship.gov, 1
+apprenticeships.gov, 1
+apprentimillionnaire.com, 1
+approbo.com, 1
+approval-workflow.com, 1
+approve.me, 1
+approvedcashmax.com, 1
+approvedlawyersers.ga, 1
+approveme.com, 1
+apps.facebook.com, 0
+apps.fedoraproject.org, 1
+apps.stg.fedoraproject.org, 1
+apps4all.sytes.net, 1
+apps4inter.net, 0
+appsafrica.com, 1
+appsbaladyg.org, 1
+appsbd.com, 1
+appsbud.com, 1
+appscan360.com, 1
+appscan360.net, 1
+appscan360.org, 1
+appscem.mx, 1
+appscloudplus.com, 1
+appsdock.de, 1
+appsecmonkey.com, 0
+appservice.ru, 1
+appshuttle.com, 1
+appsimplex.pt, 1
+appsmith.com, 1
+appsoda.net, 1
+appson.co.uk, 1
+appspcwiki.com, 1
+appsren.com, 1
+appstory.co.kr, 1
+appt.ch, 0
+appt.to, 1
+apptesters.com, 1
+apptio.com, 1
+apptoutou.com, 1
+appuals.com, 1
+appub.co.jp, 1
+appugo.tk, 1
+appui-de-fenetre.fr, 1
+appuntidallarete.com, 1
+appunwrapped.com, 1
+appveyor.com, 1
+appwardbeta.com, 1
+appworld.ga, 1
+appy.us, 1
+appypie.com, 1
+appzoojoo.be, 1
+aprazivel.com.br, 1
+aprendadesign.com, 1
+aprendaingles123.com, 1
+aprendaviaweb.com.br, 1
+aprende-a-programar.com, 1
+aprende.com, 1
+aprendejainternet.tk, 1
+aprenderexcel.com.br, 1
+aprenderjuntos.cl, 1
+aprendiendoforexhoy.com, 1
+apresski-pictures.tk, 1
+apresskistuntteam.tk, 1
+apretatuercas.es, 1
+apriadirect.com, 1
+apricavia.com, 1
+apricaviabranding.com, 1
+apricotactuaries.com.au, 1
+aprilagentur.de, 1
+aprileporte.it, 1
+aprilspecialsest.ga, 1
+aprimatic.msk.ru, 1
+aprofunda.art.br, 1
+apropotv.ro, 1
+apropotv.tk, 1
+aprovatotal.com.br, 1
+aprpullmanportermuseum.org, 0
+aprsdroid.org, 1
+apruvd.com, 1
+aprz.de, 1
+apsa.paris, 1
+apsb.cz, 1
+apsbengdubi.org, 1
+apse.ga, 1
+apsistemas.info, 1
+apsl.sk, 1
+apsnewcastle.com, 0
+apspayroll.com, 1
+apsportseditors.org, 1
+apsprofessions.gov.au, 1
+apsreform.gov.au, 0
+apsreview.gov.au, 1
+apssb.in, 1
+apssolucoesfinanceiras.online, 1
+apstats.tk, 1
+apstudynotes.org, 1
+apstylebook.com, 1
+apsua.tk, 1
+apt-one.com, 1
+aptcaust.com.au, 1
+aptechka.ga, 1
+apteka-evalar.ru, 1
+apteka38.com, 1
+aptekaevalar.ru, 1
+aptekakolska.pl, 1
+aptekas.tk, 1
+aptern.pt, 1
+apthesys.com, 1
+aptient.com, 1
+aptinjectiontraining.com, 1
+aptitudetests.org, 1
+aptos.com, 1
+apu-board.de, 1
+apuestaes.tv, 1
+apuestalegal.com, 1
+apuestalegal.mx, 1
+apuestalegal.pe, 1
+apuestalegalchile.com, 1
+apunkt.dk, 1
+apur.org, 1
+apuraytravel.com, 1
+apuvalinetekniikka.fi, 1
+apuyou.io, 0
+apv-ollon.ch, 1
+apviz.io, 1
+apw-dortmund.de, 1
+aqarategypt.com, 1
+aqarbab.com, 1
+aqdance.com.sg, 1
+aqdlt.tv, 1
+aqdun.com, 0
+aqenglish.pk, 1
+aqlivia.com, 1
+aqqrate.com, 1
+aqsiq.net, 1
+aqu.com, 1
+aqua-academy.at, 1
+aqua-accelerator.com, 1
+aqua-dom33.ru, 1
+aqua-ferra.co.uk, 1
+aqua-fitness-nacht.de, 1
+aqua-fm.tk, 1
+aqua-fotowelt.de, 1
+aqua-minsk.tk, 1
+aqua-print.com.ua, 1
+aqua-richtig.de, 1
+aquababy.at, 1
+aquabio.ch, 0
+aquabiodesign.tk, 1
+aquablue.tk, 1
+aquabotanic.tk, 1
+aquabyte.co.uk, 1
+aquacapsule.cf, 1
+aquacitylands.com, 1
+aquaconcepts.be, 1
+aquadarts.tk, 1
+aquadecor.cf, 1
+aquadrom.cz, 1
+aquaexpo.com.ec, 1
+aquafc.com, 1
+aquafilm.cf, 1
+aquafirm.com, 1
+aquagino.nl, 1
+aquahill.net, 1
+aquaholic.tk, 1
+aquaist.com, 1
+aqualantic.de, 1
+aqualife.cf, 1
+aqualift.uk.com, 1
+aqualogis.co.uk, 1
+aqualysis.nl, 0
+aquamarin.icu, 1
+aquamart.tk, 1
+aquantia.com, 1
+aquapets.tk, 1
+aquaphor.com, 1
+aquaphor.ru, 1
+aquaplaning.tk, 1
+aquaplays.net, 1
+aquapoint.kiev.ua, 1
+aquaponics.ga, 1
+aquapool.es, 1
+aquapraat.tk, 1
+aquarel-games.tk, 1
+aquarel.tk, 1
+aquarelleren.tk, 1
+aquarillon.fr, 1
+aquariu.ms, 1
+aquarium-supplement.net, 1
+aquariumhobby.tk, 1
+aquariumhome.tk, 1
+aquariymist.tk, 1
+aquaron.tk, 1
+aquasaur.tk, 1
+aquascaping.tk, 1
+aquaselect.eu, 1
+aquasplash.ae, 1
+aquastudios.games, 1
+aquasun.pl, 1
+aquatherm72.ru, 1
+aquatiq.com, 1
+aquato.com.ua, 1
+aquatropical.tk, 1
+aquaviaspa.es, 1
+aquaworld.tk, 1
+aquedim.com, 1
+aqueducttech.com, 1
+aquienguate.com, 1
+aquila.co.uk, 1
+aquila.earth, 1
+aquimisa.com, 1
+aquiparoxetina.gq, 1
+aquivardenafilo.gq, 1
+aqwire.io, 1
+aqworlds.cf, 1
+ar-1xbet.com, 1
+ar-android.com, 1
+ar-informatique.ch, 0
+ar-oma.tk, 1
+ar-vernet.fr, 1
+ar.al, 1
+araadvocats.net, 1
+arab-romance.tk, 1
+arab1info.cf, 1
+arab2cam.com, 1
+arabafenicespa.com, 1
+arabakiralama.name.tr, 1
+arabam.com, 1
+arabapps.org, 1
+arabbook.ga, 1
+arabearthcommunity.ml, 1
+arabedia.tk, 1
+arabeyes.com, 1
+arabi-news.ml, 1
+arabi-online.net, 1
+arabia-news.gq, 1
+arabia.fi, 1
+arabian-gulf.tk, 1
+arabic-for-nerds.com, 1
+arabic-shirts.com, 1
+arabicbayan.tk, 1
+arabicdress.com, 1
+arabicpost.live, 1
+arabictranslation.tk, 1
+arabicxz.com, 1
+arabigolestan.tk, 1
+arabmusic.tk, 1
+arabschools.edu.sa, 1
+arabseed.cf, 1
+arabska.tk, 1
+arabskills.tk, 1
+arabstar.ml, 1
+arabstar.tk, 1
+arabstreamsystem.tk, 1
+arabtones.tk, 1
+arabwomen.ml, 1
+aracbul.com, 1
+arachnid.tk, 1
+arachnida.ml, 1
+arackiralama.name.tr, 1
+aradiantlife.org, 1
+aradiantlyhealthylife.com, 1
+arados.de, 1
+aradpulse.tk, 1
+aragotownshipmn.gov, 1
+arai21.net, 1
+arainfo.org, 1
+arais.com, 1
+arakanis.tk, 1
+arakomputer.com, 1
+aral.ml, 1
+araluenvalleyhotel.ga, 1
+aralun.net, 1
+aralys.com, 1
+aram-designs.com, 1
+aramido.de, 1
+aramloebmd.com, 1
+aramsco.com, 1
+aramyayinevi.com, 1
+aranchhomes.com, 1
+arandinacf.tk, 1
+arandomsite.tk, 1
+aranel.me, 1
+aranycsillag.net, 1
+aranykornyp.hu, 1
+arapahoeco.gov, 1
+arapahoesheriff.gov, 1
+arapahoevotes.gov, 1
+araqnid.org, 1
+ararat-rp.tk, 1
+araratour.com, 1
+arargo.cf, 1
+araro.ch, 0
+ararrl.com, 1
+ararrl.net, 1
+ararrl.org, 1
+arasozgun.net, 1
+aravitor.com, 1
+aravo.com, 1
+arawaza.info, 1
+araxis.com, 1
+araya.ga, 1
+arbaiten.tk, 1
+arbaswedan.id, 1
+arbat.media, 1
+arbautocare.com, 1
+arbavere.ee, 1
+arbeidsplassen.no, 1
+arbeiten.ga, 1
+arbeiterkammer.at, 1
+arbeitskraft.de, 1
+arbeitskreis-asyl-eningen.de, 1
+arbeitslosenverwaltung.de, 1
+arbejdsdag.dk, 1
+arbitrarion.com, 1
+arbitrary.ch, 1
+arbitrations.tk, 1
+arbitrazh.tk, 1
+arbobille.es, 1
+arboleda-hurtado.com, 1
+arbolesdenavidad.info, 1
+arbolesdenavidad.site, 1
+arbologic.nl, 1
+arborio.com.ua, 1
+arboristadvice.com, 1
+arboristic.de, 1
+arbounie.nl, 1
+arbousier.com, 1
+arbradio.com, 1
+arbschg.com, 1
+arbu.eu, 0
+arbucks.io, 1
+arc-relight.com, 1
+arc.run, 1
+arca.am, 1
+arca.info.ro, 1
+arca.live, 1
+arcada-company.com, 1
+arcadami.gov, 1
+arcadegame.ga, 1
+arcadegames.com, 1
+arcadia.com.ph, 1
+arcadiaca.gov, 1
+arcadiaeng.com, 1
+arcaik.net, 1
+arcana-noctis.tk, 1
+arcandadults.org, 1
+arcane.no, 1
+arcanefrost.de, 1
+arcanehardware.com, 1
+arcanetides.com, 1
+arcanoid.com, 1
+arcantel.ch, 1
+arcbouncycastles.co.uk, 1
+arcdesantmarti.net, 1
+arcenergy.co.uk, 1
+arcese.com, 1
+arch-design.com, 1
+archaeoadventures.com, 1
+archaeology.lk, 1
+archambault.paris, 1
+archangelbio.com, 1
+archbishop.ga, 1
+archdetal.com.ua, 1
+archeologicatoscana.it, 1
+archerconsulting.llc, 1
+archerlong.com, 1
+archerlongx.com, 1
+archerxlong.com, 1
+archery.land, 1
+archerytaghuren.be, 1
+archeton.ga, 1
+archframe.net, 1
+archi.ve.it, 1
+archibuilt.net.au, 1
+archief-ocmwgent.be, 1
+archina.ir, 1
+archined.nl, 1
+archion.ro, 1
+archipelagoperfarecasa.it, 1
+archispace.com.cn, 1
+archistart.net, 1
+archit.in, 1
+architect-cassiman.be, 1
+architectphd.tk, 1
+architectryan.com, 1
+architecturaldesignschool.com, 1
+architecture-colleges.com, 1
+architectureblog.ml, 1
+architectus.ga, 1
+architekt-website.de, 1
+architekt.tk, 1
+architekten.tk, 1
+architektur.ga, 1
+architektur.tk, 1
+architekturwiki.tk, 1
+archival-services.gov.ge, 1
+archive.gov.ge, 1
+archivero.es, 1
+archives.cf, 1
+archives.gov, 1
+archivesdelavieordinaire.ch, 1
+archivesfoundation.org, 1
+archivestesting.tk, 1
+archivi.ddns.net, 1
+archivistas.tk, 1
+archivium.biz, 1
+archivosmercury.com, 1
+archivosstl.com, 1
+archiweb.pl, 0
+archlinux.de, 1
+archlinux.org, 1
+archlinuxcn.org, 1
+archmacro.ga, 1
+archmirror.it, 1
+archoit.org, 0
+archphila.org, 1
+archsec.info, 1
+archtekton.com.ve, 1
+arcinapoli.it, 1
+arcj.es, 1
+arclookup.com, 1
+arcloud.com.tw, 1
+arcmarine.eu, 1
+arco.lu, 1
+arcobalabs.ca, 1
+arcogb.co, 1
+arcoidaho.gov, 1
+arcoiriscastellon.tk, 1
+arcolapdtx.gov, 1
+arcolasecurities.com, 1
+arcolatexas.gov, 1
+arcopay.io, 1
+arcosa.com, 1
+arcosdelallana.tk, 1
+arcosdequejana.com, 1
+arcourts1st.gov, 1
+arcourts6th.gov, 1
+arcovix.com, 1
+arcproject.org.uk, 1
+arcsar.eu, 1
+arcserv.com, 1
+arcskoru.com, 1
+arcthelad.com, 1
+arctic-charge.tk, 1
+arctic.ca, 1
+arctica.io, 0
+arcticfiber.net, 0
+arcticfox.email, 0
+arcticfoxes.net, 1
+arcticpolitics.com, 1
+arcticvillage.gov, 1
+arcticwolf.com, 1
+arctus-security.com, 1
+arcueil-cachan.fr, 0
+arcza.com, 1
+arcza.net, 0
+ardabil.tk, 1
+ardacar.com, 1
+ardadanal.com, 1
+ardakannews.tk, 1
+ardania.de, 1
+ardennes.com, 1
+ardenwolfsky.com, 1
+arditech.ml, 1
+ardmoreok.gov, 1
+ardo.tk, 1
+ardor.noip.me, 1
+ardtrade.ru, 1
+arduino.cc, 1
+are-you-experienced.tk, 1
+area.ge, 1
+area21.ga, 1
+area3.org, 1
+area4pro.com, 1
+area51.dyndns1.de, 1
+area51.social, 1
+area51bit.com, 1
+area51bit.it, 1
+areacinquentaeum.tk, 1
+areallyneatwebsite.com, 1
+arealsultan.ga, 1
+areanet.tk, 1
+areata.tk, 1
+areatrend.com, 1
+areavoipers.ga, 1
+areavoipest.ga, 1
+areeb.live, 1
+areege.tk, 1
+arefidgetspinnersgay.com, 1
+arefly.com, 1
+aregus.tk, 1
+areins.com, 1
+areinsmuseum.com, 1
+arekatieandchrisgettingmarried.com, 1
+arekatieandchrisgettingmarried.today, 1
+arekatieandchrismarriedyet.com, 1
+arekkusu.net, 1
+arelektribuneriske.lv, 1
+arellak.de, 1
+areminder.co, 1
+arena-news.tk, 1
+arenaalbionu.pl, 1
+arenadagon.tk, 1
+arenaforum.ru, 1
+arenatennis.ga, 1
+arenda-auto.com, 0
+arenda-bez-agenta.ml, 1
+arenda247.by, 0
+arendabotov.tk, 1
+arendadoma.tk, 1
+arendakemper.by, 1
+arendakrana.tk, 1
+arendaskuterov.cf, 1
+arendburgers.nl, 1
+arenlor.com, 1
+arenlor.info, 1
+arenns.com, 1
+arenzana.org, 1
+arenzanaphotography.com, 1
+areproduktioqn.tk, 1
+areqgaming.com, 1
+ares.systems, 1
+ares.watch, 1
+aresico.cz, 1
+aresproject.org, 1
+arest.web.id, 1
+aresztowany.pl, 1
+aresztsledczy.pl, 1
+aret.eu.org, 1
+arete.net, 1
+areteaudit.pl, 1
+aretemusic.tk, 1
+areteortho.com.sg, 1
+arezzonotizie.it, 1
+arforingenieria.com, 1
+arfulus.com, 1
+arfycat.com, 1
+arg.zone, 1
+argama-nature.com, 1
+arganaddict.com, 1
+arganaddict.net, 1
+arganaderm.ch, 0
+argb.de, 1
+argekultur.at, 1
+argentinachat.tk, 1
+argentinatrabaja.org, 1
+argentinaxp.com, 1
+argentinetownship.gov, 1
+argentumonline.tk, 1
+argico.com, 1
+argilo.net, 1
+argo-vision.com, 1
+argo-vision.it, 1
+argo.vision, 1
+argocasino.com, 1
+argon2.online, 1
+argonmail.com, 1
+argonnewi.gov, 1
+argos.co.uk, 1
+argosasist.co.uk, 1
+argosrisk.com, 1
+argotplan.com, 1
+argovpay.com, 1
+argovpn.com, 1
+argrafiche.it, 1
+argumentative-essay.gq, 1
+argumentplus.ru, 1
+argus01.bg, 1
+argxentakato.me, 1
+argyrouminas.digital, 1
+argyrouminas.eu, 1
+arheh.com, 1
+arhgrille.com, 1
+arhipka.tk, 1
+arhivpalanka.rs, 1
+ari.beauty, 1
+ari.gg, 1
+ari.lt, 1
+aria-best.ru, 1
+aria-best.su, 1
+aria-sante.org, 1
+aria2.cf, 1
+ariaartgallery.com, 1
+ariacreations.net, 1
+ariacres.ca, 1
+ariadermspa.com, 1
+ariag.tk, 1
+ariajourney.com, 0
+ariamag.com, 0
+ariaman.tk, 1
+arian.io, 1
+ariana.wtf, 1
+ariashii.tk, 1
+ariba.info, 1
+aribicara.tk, 1
+aric-assurances.fr, 1
+aricabus.tk, 1
+aricaluchalibre.tk, 1
+aridhia.com, 1
+aridhia.io, 1
+arielasher.cf, 1
+arielhr.ca, 1
+arielpereira.tk, 1
+ariens.com, 1
+ariensco.com, 1
+ariensco.uk, 1
+arienscohospitality.com, 1
+arienscompany.com, 1
+arienscompanydealer.com, 1
+ariensconordiccenter.com, 1
+arienscorp.com, 1
+ariensfamilyfoundation.org, 1
+ariensfoundation.org, 1
+ariensmuseum.com, 1
+ariensnordiccenter.com, 1
+arienssnotek.com, 1
+ariensstore.com, 1
+aries.it, 1
+ariesclark.com, 0
+arieswdd.com, 1
+arifarma.com, 1
+arifburhan.online, 1
+arifer.tk, 1
+arifp.me, 1
+arifrachmanhakim.tk, 1
+arigato-java.download, 1
+arihantabode.com, 1
+arihantarden.com, 1
+arihantbuildcon.com, 1
+arihantone.com, 1
+arihantone.in, 1
+arihantsouthwinds.com, 1
+arihunt.com.au, 1
+arij.net, 1
+arilto.com, 1
+arima.co.ke, 1
+arima.tk, 1
+arimarie.com, 1
+arina.is, 1
+arina.moscow, 0
+arinahashimoto.com, 1
+arinde.ee, 1
+arinflatablefun.co.uk, 1
+arionta.com, 1
+arious.uk, 1
+aripiprazolee.gq, 1
+arirabinowitz.com, 1
+arirex.me, 1
+aris.io, 1
+arisaka.tk, 1
+ariseconference.org.nz, 1
+arisevendor.net, 1
+arishastyle.tk, 1
+arissait.com, 1
+aristidebouix.cloud, 1
+aristocrates.co, 1
+aristokratia.tk, 1
+ariston-center.gq, 1
+aristotle.tk, 1
+aritec-la.com, 1
+arithmetic.ga, 1
+arithmetica.at, 1
+aritmetic.com, 1
+aritworld.tk, 1
+arivo.com.br, 1
+arizona-fake.tk, 1
+arizonaautomobileclub.com, 1
+arizonabondedtitle.com, 1
+arizonaonlinedivorce.com, 0
+arizonatech.tk, 1
+arjan.nl, 1
+arjandejong.eu, 1
+arjanenthijs.nl, 1
+arjansteevels.nl, 1
+arjanvaartjes.net, 1
+arjen-robben.tk, 1
+arjunasdaughter.pub, 0
+arjweb.co.uk, 1
+arkaan.tk, 1
+arkadaslik.tk, 1
+arkadelphia.gov, 1
+arkadiahill.tk, 1
+arkadian.tk, 1
+arkadien.com, 1
+arkadium.com.br, 1
+arkadiyt.com, 1
+arkagis.com, 1
+arkagt.ir, 1
+arkaic.dyndns.org, 1
+arkantos.agency, 1
+arkenstone.ml, 1
+arkforum.de, 1
+arkfoundationrepair.com, 1
+arkhamasylum.tk, 1
+arkhangelsk.cf, 1
+arkhangelsk.gq, 1
+arkhangelsk.tk, 1
+arkholmevillage.ml, 1
+arkhvoid.xyz, 1
+arklow.io, 0
+arkm6.gq, 1
+arknights.work, 0
+arknodejs.com, 1
+arkomaok.gov, 1
+arkontechnologies.com, 1
+arkrowd.eu.com, 1
+arks.cards, 1
+arksan.com.tr, 1
+arkulagunak.com, 0
+arkutinofamilyresort.com, 1
+arlatools.com, 1
+arle.moe, 1
+arlenarmageddon.com, 1
+arlenitas.com, 1
+arleo.eu, 1
+arlingtonmn.gov, 1
+arlingtonva.gov, 1
+arlingtonwine.net, 1
+arllab.co.nz, 1
+arlon.com, 1
+arm.gov, 1
+arma3.com, 1
+armacom.tk, 1
+armadale.au, 1
+armadale.wa.gov.au, 1
+armadalelearningpathways.co.uk, 1
+armadaquadrat.com, 1
+armadateam.tk, 1
+armadilloscubatx.com, 1
+armadix.net, 1
+armado.tk, 1
+armageddonclan.tk, 1
+armahackers.tk, 1
+armamentevolved.com, 1
+armand-colin.com, 1
+armanddesign.com, 1
+armanddesign.nl, 1
+armandmusic.nl, 1
+armando.info, 1
+armandocorazones.tk, 1
+armandsdiscount.com, 1
+armanozak.com, 1
+armansazehradis.com, 1
+armaplatform.com, 1
+armarinhovirtual.com.br, 1
+armaselektronik.com, 1
+armateursderhum.fr, 1
+armatura.kiev.ua, 1
+armazemdaminiatura.com.br, 1
+armazemdeminasmg.com.br, 1
+armazone.tk, 1
+armbrust.me, 1
+armcar.ga, 1
+armchairwarlord.com, 1
+armchess.tk, 1
+armculturaltv.cf, 1
+armdirectoryers.ga, 1
+armdirectoryest.ga, 1
+armenia.cf, 1
+armeniaweb.tk, 1
+armeo.top, 1
+armeria.roma.it, 1
+armfilm.co, 1
+armhistory.tk, 1
+armiantichesanmarino.eu, 1
+armida.tk, 1
+armil.it, 1
+arminc.tk, 1
+arminpech.de, 1
+arminreiter.com, 1
+arminsure.com, 1
+armleads.com, 0
+armo.re, 1
+armo.sk, 1
+armoedebeleidgent.be, 1
+armond.tk, 1
+armorsoft.fr, 1
+armour.ventures, 1
+armourroofcolorado.com, 1
+armourroofinc.com, 1
+armsco.fr, 1
+armstrong.com.mx, 1
+armstrongremovals.com.au, 1
+armstrongsengineering.com, 1
+armtopnews.tk, 1
+army.ca, 1
+army.gov.lb, 1
+armyburza.cz, 1
+armycyberchallenge.xyz, 1
+armyholidays.com.au, 1
+armyofflyingmonkeys.com, 1
+armyrtf.com.au, 1
+armyuniversity.edu, 1
+armywear.ga, 1
+arn0.cc, 1
+arnados.tk, 1
+arnamur.be, 1
+arnaqueoufiable.com, 1
+arnaudb.net, 1
+arnaudlanna.com, 1
+arnaudligny.fr, 1
+arnaudmarketing.fr, 1
+arnaudminable.net, 1
+arne-gammelby.dk, 1
+arne.cool, 1
+arneheise.com, 1
+arnesegers.be, 1
+arnested.dk, 1
+arnevankauter.com, 0
+arnews.nl, 1
+arniescastles.co.uk, 1
+arno-klein.com, 1
+arno-klein.de, 1
+arno-klein.eu, 1
+arno-klein.fr, 1
+arno-klein.it, 1
+arno-klein.net, 1
+arno.digital, 0
+arno.pm, 1
+arnoklein.eu, 1
+arnoklein.fr, 1
+arnoklein.it, 1
+arnold-schwarzenegger.tk, 1
+arnoldkontz-occasions.lu, 0
+arnonerba.com, 1
+arnor.org, 0
+arnottindustries.ga, 1
+arnoudraeven.nl, 1
+arnove.fr, 1
+arnove.net, 1
+arnoweterings.nl, 1
+arnstein.it, 1
+arny.ru, 1
+aroablog.tk, 1
+arobaz-informatique.org, 1
+arockets.ru, 1
+arod.tk, 1
+arofabric.com, 1
+arogov.com, 1
+arokha.com, 1
+aroma-therapy.tk, 1
+aroma-wave.com, 1
+aroma24.ml, 1
+aromachat.eu, 1
+aromacoffee.bg, 1
+aromacos.ch, 1
+aromacraft.uk, 1
+aromaduft.at, 1
+aromaecocandles.ca, 1
+aromahookah.gr, 0
+aromaimportado.com.br, 1
+aromaonlinestore-korat.com, 1
+aromateque.com.ua, 1
+aromatherapy.cf, 1
+aromatlas.com, 1
+aromatraining.com, 1
+aromex.ml, 1
+aroncull.de, 1
+aronsonrosenthal.com, 1
+aroofing.net, 1
+aroonchande.com, 0
+arooshi.website, 1
+aros.pl, 1
+arose.io, 1
+arounddeal.com, 1
+arouparia.com, 1
+arouzing.xyz, 1
+arowsoft.tk, 1
+arox.eu, 1
+aroya.io, 1
+arp-arena.ml, 1
+arp-mb.de, 1
+arpa-h.gov, 1
+arpagian.com, 1
+arpah.gov, 1
+arpamip.org, 1
+arpasix.com, 1
+arpasix.email, 1
+arpasix.eu, 1
+arpasix.net, 1
+arpasix.org, 1
+arphotography.tk, 1
+arpnet.co.jp, 1
+arpnet.net, 1
+arpnet.us, 1
+arpsel.de, 1
+arpsel.ws, 1
+arpteamdiabolo.tk, 1
+arpuff.eu, 1
+arqpericial.es, 1
+arqueo-ecuatoriana.ec, 1
+arquipielago.tk, 1
+arquitectura-ilimitada.tk, 1
+arquitet.com.br, 1
+arr.icu, 1
+arrakis.se, 1
+arrangeme.com, 1
+arraudi.be, 1
+arraudi.eu, 1
+array.io, 1
+arrazane.com.br, 1
+arrazola.org, 1
+arrestageinternational.com, 1
+arrival.com, 1
+arrive.by, 0
+arrivedconsulting.com, 1
+arrmaforum.com, 1
+arroba.digital, 1
+arrotatore.roma.it, 1
+arrow-api.nl, 1
+arrowad.com, 1
+arrowduty.ml, 1
+arrowfastener.com, 1
+arrowgrove.com, 0
+arrowsmithil.gov, 1
+arrowwebprojects.nl, 1
+arrt.xyz, 1
+ars-online.pl, 1
+arsake.cf, 1
+arsalba.com, 1
+arsalbania.tk, 1
+arschkrebs.org, 1
+arselvarol.com.tr, 1
+arsenal-of-wisdom.org, 1
+arsenal-trans.tk, 1
+arsenalestate.tk, 1
+arsenalperu.tk, 1
+arsenideas.ga, 1
+arsenyan.cf, 1
+arset.net, 1
+arshdeepsingh.tk, 1
+arshia.cf, 1
+arshidazarine.tk, 1
+arshina.su, 1
+arshispana.com, 1
+arsigroup.com, 1
+arsindecor.com, 1
+arsk1.com, 1
+arslankaynakmetal.com, 1
+arslonga.ovh, 1
+arsmagazine.tk, 1
+arsmedika.ru, 1
+arsmundi.de, 1
+arsmuseum.com, 1
+arsrenacer.com, 1
+arstudentloanhelp.com, 1
+art-athens.com, 1
+art-auction.jp, 1
+art-boeden.ch, 1
+art-creative.tk, 1
+art-design.tk, 1
+art-dolls.com.ua, 1
+art-et-psyche.com, 1
+art-et-tonneaux.fr, 1
+art-illustration.tk, 1
+art-khotyn.tk, 1
+art-kuchni.tk, 1
+art-news.tk, 1
+art-okno.com, 1
+art-online.tk, 1
+art-pix.de, 1
+art-pix.net, 1
+art-polynesien.com, 1
+art-rca.cf, 1
+art-school.tk, 1
+art-shinbi.com, 1
+art-voronov.tk, 1
+art.art, 1
+art21tv-armenian.tk, 1
+art30.ro, 1
+art93.com, 1
+artabrian.com, 1
+artadagroup.com, 1
+artakids.tk, 1
+artane.gq, 1
+artaurium.com, 1
+artbalsam.com, 1
+artbees.co.uk, 1
+artboja.com, 1
+artbygarr.com, 1
+artc.at, 1
+artcartels.com, 1
+artcenter.tk, 1
+artclasscontent.com, 1
+artcoefficient.com, 1
+artcommunity.tk, 1
+artcravers.in, 1
+artdeco-photo.com, 0
+artdecoration.tk, 1
+artdigital.tk, 1
+artdigitalmedia.co.uk, 1
+arte-actual.tk, 1
+artea.ga, 1
+arteaga.co.uk, 1
+arteaga.eu, 1
+arteaga.me, 1
+arteaga.tech, 1
+arteaga.uk, 1
+artebel.com.br, 1
+artecat.ch, 1
+artechip.net, 1
+artededition.tk, 1
+artedellavetrina.it, 1
+artedmachado.tk, 1
+artedona.com, 1
+artefeitaessencias.com.br, 1
+arteinstudio.it, 1
+artel.od.ua, 1
+artelignum.tk, 1
+artelista.com, 1
+artem.se, 1
+artembusiness.tk, 1
+artemida-dot.tk, 1
+artemis-fowl.tk, 1
+artemisgroup.ga, 1
+artemislena.eu, 1
+artemiy-plus.com.ua, 1
+artemiz.tk, 1
+artemoon.ml, 1
+artemweb.tk, 1
+artepinas.tk, 1
+arteproducciones.tk, 1
+arteq.ga, 1
+artera.spb.ru, 1
+arteriamagazine.tk, 1
+arterienundvenen.ch, 1
+arterydb.ru, 1
+artesacraloreto.it, 1
+artesaniafenix.cl, 1
+artesaniascym.com.ar, 1
+artesaniastonalaytlaquepaque.com, 1
+arteseideias.com.pt, 1
+arteshesorkh.tk, 1
+artesial.com, 1
+artesoft.gr, 1
+artestetica.tk, 1
+artetbalade.tk, 1
+artetculture.tk, 1
+arteventinews.it, 1
+artevos.com, 1
+artevos.de, 1
+artex.com.br, 1
+artexhibition.jp, 1
+artextasia.com, 1
+arteya.net, 1
+artfabrics.com, 1
+artfullyelegant.com, 1
+artgaragecrewe.com, 1
+artgorod.tk, 1
+artgranit.tk, 1
+arthritisgrouppa.com, 1
+arthritisrheumaticdiseases.com, 1
+arthrosis.ml, 1
+arthur.cn, 1
+arthurdejong.org, 1
+arthurdev.cf, 1
+arthurhoefer.com, 1
+arthurlaw.ca, 1
+arthurlewis.me, 1
+arthuro.ca, 1
+arthuryidi.com, 1
+arti-group.ml, 1
+arti-islam.tk, 1
+artibirteknikbilisim.com, 1
+articaexports.com, 1
+articlebyte.ga, 1
+articlefr.cf, 1
+articlepub.ga, 1
+articlesplanet.tk, 1
+articlestack.tk, 1
+articlesutiles.cf, 1
+articu.no, 1
+articulo19.org, 1
+artifact.center, 1
+artifact.spb.ru, 1
+artifacthub.io, 1
+artifactsblog.com, 1
+artifex.com, 1
+artifex21.fr, 1
+artifexnet.com, 1
+artifice.tk, 1
+artificethefilm.com, 1
+artificial.army, 1
+artificiala.gq, 1
+artificialaxis.com, 1
+artificialdiffusion.com, 1
+artificialplants.tk, 1
+artificialpoetry.com, 1
+artifort.com, 1
+artifuse.ch, 1
+artigianociao.jp, 1
+artigoagency.com, 1
+artikel5ev.de, 1
+artikel9.com, 1
+artilect.studio, 1
+artinfo.ge, 0
+artinfo.tk, 1
+artintend.com, 0
+artioml.net, 1
+artionet.ch, 1
+artis-game.net, 1
+artisan-cheminees-poeles-design.fr, 0
+artisan-emmanuel.fr, 1
+artisan-ravalement-facade.fr, 1
+artisan.tk, 1
+artisanat2france.fr, 1
+artisanhd.com, 1
+artisanportrait.com, 1
+artisansbottega.com.au, 1
+artisansofstone.com, 1
+artisansoftaste.com, 1
+artisavotins.com, 1
+artishevski.com, 1
+artismist.com, 1
+artiso.pl, 1
+artistagenda.com, 1
+artistcorporation.com, 1
+artistedeparis.fr, 1
+artistieq.com, 1
+artistiquementvotre.tk, 1
+artistiqueweddingphotography.com.au, 1
+artistmovieers.ga, 1
+artistrunwebsite.com, 1
+artiwear.com.tw, 1
+artizlibranza.com, 1
+artj.jp, 1
+artk-co.ir, 1
+artlab.tk, 1
+artlantis.nl, 1
+artleading.ru, 1
+artlifeisgood.com, 1
+artlinestix.com.au, 1
+artlogo.biz, 1
+artlogo.cz, 1
+artlogo.sk, 1
+artmaker.kiev.ua, 1
+artmark.ro, 1
+artmarketingnews.com, 1
+artmaterials.com.ua, 1
+artmaxi.eu, 1
+artmo.com, 1
+artnazar.org.ua, 1
+arto.group, 1
+artofcode.co.uk, 1
+artofeyes.nl, 1
+artofhappyliving.com, 1
+artoflinesmd.ca, 1
+artofmonitoring.com, 0
+artofstonegardening.com, 1
+artofwhere.com, 1
+artofzoo.com, 1
+artomalu.tk, 1
+artomili.com, 1
+artouch.com, 1
+artozoul.fr, 1
+artplaneta-leto.by, 1
+artprojectsforkids.org, 1
+artpsd.com, 1
+artransparency.gov, 1
+artrapid.com, 1
+artratio.co.uk, 1
+artrick.ch, 1
+artrofisio.com.br, 1
+artroom-design.com, 1
+artroot.jp, 1
+artroscopiaperlosport.it, 1
+artru.tk, 1
+arts-polynesiens.com, 1
+arts.gov, 1
+artsalon.tk, 1
+artsautomotive.com, 1
+artschmidtoptical.com, 1
+artsguide.ca, 0
+artslife.com, 1
+artsmagazine.com, 1
+artsmeet.com, 1
+artspac.es, 0
+artspark.tk, 1
+artstudioweb.tk, 1
+artsy.cloud, 1
+artsygrl.ca, 1
+artteacheredu.org, 1
+arttel-media.ru, 1
+arttill.com, 1
+artucation.eu, 1
+artup.company, 1
+artup.gallery, 1
+arturgaweda.de, 1
+arturkraak.duckdns.org, 1
+arturoemilio.tk, 1
+arturojimenez.es, 1
+arturrossa.de, 1
+arturszalak.com, 1
+arturweb.tk, 1
+artushak.ru, 1
+artuu.me, 1
+artuu.pl, 1
+artvaastu.ru, 1
+artvertising.tk, 1
+artvinhaberleri.tk, 1
+artwar.tk, 1
+artweby.cz, 1
+artwhale.ph, 1
+artwhoredistro.tk, 1
+artworkpath.com, 1
+artworks.gd, 1
+artworksthatlookgood.com, 0
+arty.name, 1
+artycoz.fr, 1
+artyengine.com, 1
+artyhouse.be, 0
+aru.fi, 1
+aruanaseguradora.com.br, 1
+arubasunsetbeach.com, 1
+arul.io, 1
+arunchullikkal.tk, 1
+arunjoshua.com, 1
+arunmor.net, 1
+arunsunner.tk, 1
+aruntech.cloud, 1
+arunyaresidenceklnorth.com, 1
+aruo.net, 1
+aruson.tk, 1
+arvadaco.gov, 1
+arvadafireco.gov, 1
+arveex.eu, 1
+arviamedspa.com, 1
+arviksa.co.uk, 1
+arvindhariharan.com, 1
+arvindhariharan.me, 1
+arvinovoyage.com, 1
+arvutiladu.ee, 1
+arvyncerezo.com, 1
+arw-bw.de, 1
+arw.me, 1
+arwensiberian.tk, 1
+arweth.com, 1
+arx-libertatis.org, 1
+arx.vg, 1
+arxarios.tk, 1
+aryalaroca.de, 1
+aryan-nation.com, 1
+aryani-fitriana.tk, 1
+aryasenna.net, 1
+aryescommercial.com, 1
+aryesgroup.net, 1
+arysports.ml, 1
+arytmicznie.pl, 1
+arz-florian.tk, 1
+arz-online.ml, 1
+arzid.com, 1
+arzinfo.pw, 1
+arzmercury.tk, 1
+arztpraxis-kubalok.de, 1
+arzua.gal, 1
+as-evalar.ru, 1
+as.roma.it, 1
+as0.it, 1
+as136964.com, 1
+as136964.net, 1
+as198768.eu.org, 1
+as200351.net, 1
+as202413.net, 1
+as203145.com, 1
+as204982.net, 1
+as205794.net, 1
+as207618.net, 1
+as207960.net, 1
+as211960.net, 1
+as212993.net, 1
+as216318.net, 1
+as400566.com, 1
+as400566.net, 1
+as41073.net, 1
+as41405.net, 1
+as6369.com, 1
+as6369.net, 1
+as8423.net, 1
+asabacortoscaseros.tk, 1
+asadatec.de, 1
+asaduddinowaisi.tk, 1
+asafaweb.com, 1
+asafilm.co, 1
+asafomba.com, 0
+asahi-tax.or.jp, 1
+asak.xyz, 1
+asakoh.co.jp, 1
+asal.tk, 1
+asana.biz, 1
+asana.com, 1
+asana.plus, 1
+asananutrition.co.uk, 1
+asancharge.tk, 1
+asandu.eu, 1
+asankomara.tk, 1
+asansol.tk, 1
+asantosdev.com, 1
+asanuma-clinic.jp, 1
+asap-advice.com.au, 1
+asap.gov, 1
+asapboardshop.com, 1
+asaphomeinspect.com, 1
+asapstory.com, 1
+asara.tk, 1
+asart.bg, 1
+asas-tn.org, 1
+asasesoria.cl, 1
+asatahvieh.com, 1
+asato-jewelry.com, 1
+asatys-partners.com, 1
+asb.edu.my, 1
+asba2023.jp, 1
+asbaces.com, 1
+asbestos-awareness.cf, 1
+asbestos-awareness.ga, 1
+asbestos-awareness.gq, 1
+asbestos-awareness.ml, 1
+asbestosthedarkarts.com, 1
+asbf-rambouillet.fr, 1
+asbito.de, 1
+asburyparkreporter.com, 1
+asbweb.org, 1
+asc.es, 1
+ascamo.tk, 1
+ascannes-non-officiel.tk, 1
+ascar.us, 1
+ascard.net, 1
+ascauctions.com, 1
+ascc.sg, 1
+ascend.com.sa, 1
+ascenderhcm.com, 1
+ascendix.com, 1
+ascension.run, 1
+ascensiongt.com, 1
+ascensionnyc.org, 1
+ascensionparishla.gov, 1
+ascensori.biz, 1
+ascentlogistics.com, 1
+ascgathering.com, 1
+aschaefer.net, 0
+aschc.co.uk, 1
+aschismatic.com, 1
+aschool.kiev.ua, 1
+asciitable.tips, 1
+ascirno.com, 1
+ascl.org.uk, 1
+asco.com.mx, 0
+ascolibasi.tk, 1
+ascolympia.nl, 0
+ascom.vi.it, 1
+ascon-profi.ru, 1
+ascormovies.com, 1
+ascpaphilatelie.eu, 1
+ascultaonlineradio.ml, 1
+asd.gov.au, 0
+asdchieti.tk, 1
+asdetrifolium.com, 1
+asdf.one, 1
+asdfqwerty.duckdns.org, 1
+asdwfwqd.com, 1
+asdyx.de, 1
+asec01.net, 1
+asecla.com, 1
+asecus.ch, 1
+asegem.es, 1
+aseglobal.com, 1
+aseint.com.co, 1
+aseith.com, 1
+aseityresearch.com, 1
+aselectionoffice.gov, 1
+aselo.org, 1
+asenaru.id, 1
+asennemedia.fi, 1
+asennestudio.fi, 1
+asenno.com, 1
+aseoblog.com, 1
+aserbx.ga, 1
+asersagua.es, 1
+aserver.eu, 1
+asesecours.com, 1
+asesinosdeltarot.tk, 1
+asesor.live, 1
+asesorialigorred.es, 1
+asessiglo21.es, 1
+asexualitat.cat, 1
+asfaleianet.gr, 1
+asfalteros.cz, 1
+asfalti.it, 1
+asfberbagi.org, 1
+asfono.gov, 1
+asg-egy.com, 1
+asgard-engineering.com, 1
+asgeirolafs.com, 1
+asgrep.com, 1
+ashastalent.com, 0
+ashburnconsulting.com, 1
+ashburnr.com, 1
+ashbusters.net, 1
+ashbyhq.com, 1
+ashbymail.com, 1
+ashbyprd.com, 1
+ashbystg.com, 1
+ashcombe.surrey.sch.uk, 1
+ashd1.goip.de, 1
+ashd2.goip.de, 1
+ashd3.goip.de, 1
+ashdodisrael.com, 1
+ashenc.gov, 1
+ashenm.ml, 1
+asher.tools, 1
+asherosborne.com, 1
+asheroto.com, 1
+ashesheriff.gov, 1
+ashesi.edu.gh, 1
+ashevillemenshealth.com, 1
+ashfak.tk, 1
+ashfordcastle.com, 1
+ashgroveclinic.com.au, 1
+ashiba-kagu.com, 1
+ashikajewellers.com.au, 1
+ashimwe.com, 1
+ashisharma.tk, 1
+ashishchamoli.com, 1
+ashlandcountywi.gov, 1
+ashlee-club.tk, 1
+ashley.net.in, 1
+ashleyadum.com, 1
+ashleyanderson.co.uk, 1
+ashleykaryl.com, 1
+ashleymadison.com, 1
+ashleynicholsboudoir.com, 1
+ashleythouret.com, 1
+ashlingonline.com, 1
+ashmportfolio.com, 1
+ashotofadrenaline.net, 1
+ashraful-islam.ml, 1
+ashtabulacountyprosecutoroh.gov, 1
+ashtar.tk, 1
+ashtech.tk, 1
+ashtonbromleyceramics.co.uk, 1
+ashtonc.ca, 1
+ashtoncityid.gov, 1
+ashtonid.gov, 1
+ashtonwealth.com, 1
+ashtronaut.space, 1
+ashucg.com, 1
+ashutoshmishra.org, 1
+ashutov.rocks, 0
+ashwainfo.in, 1
+ashwaubenon.gov, 1
+asia-fhjt.com, 1
+asia-fuhui.com, 1
+asiacan.com, 1
+asiaceo.com, 1
+asiadirect.co.th, 1
+asiafaninfo.net, 1
+asiafood-curator.com, 1
+asiagate.ga, 1
+asiagps.com, 1
+asiahabit.com, 1
+asiakartu.tk, 1
+asialeonding.at, 1
+asialivenewscafe.gq, 1
+asian-goku.tk, 1
+asian-industry.eu, 1
+asian-sexfree.com, 1
+asian-sirens.net, 1
+asian.school, 1
+asianbeautywholesale.com, 1
+asianbusinesscards.com, 1
+asiancolor.com, 1
+asiandickfor.me, 1
+asiandubfoundation.tk, 1
+asianet.tk, 1
+asianetbroadband.in, 1
+asianfuckables.com, 1
+asiangroceronline.com.au, 1
+asianinside.tk, 1
+asianmoney.biz, 1
+asianpavilion.com, 1
+asianray.com, 1
+asianshop.com.pe, 1
+asiansnus.com, 1
+asiansongs.tk, 1
+asianspa.co.uk, 1
+asiantube.tv, 1
+asianwebcams.webcam, 1
+asiaproductsdirect.tk, 1
+asiashop.com.br, 1
+asiasmi.tk, 1
+asiaticas.cf, 1
+asiaview.ml, 1
+asiaview.tk, 1
+asiaviews.com, 1
+asiayuan.com, 1
+asiba.com.au, 1
+asier.tk, 1
+asifinclusives.tk, 1
+asiiro.com, 1
+asikoo.com, 1
+asikoo.xyz, 1
+asikpasagazetesi.tk, 1
+asile-colis.fr, 1
+asilo.roma.it, 1
+asilomar.com, 1
+asinat.by, 1
+asinetasima.com, 1
+asisee.co.il, 1
+asistencialegal.tk, 1
+asistentecx.com, 1
+asitanc.com, 1
+asitanc.cz, 1
+asitt.nl, 1
+asiyasia.tk, 1
+ask-thenutritionist.com, 1
+ask.fi, 1
+ask.stg.fedoraproject.org, 1
+ask1.org, 1
+askapkmod.com, 1
+askaret.cz, 1
+askart.com, 1
+askartza.com, 1
+askatechnicalquestion.com, 1
+askatechnicalquestion.eu, 1
+askatrans.tk, 1
+askbill.org.uk, 1
+askcaisse.com, 1
+askcascade.com, 0
+askdeliver.tk, 1
+asker-massasje.no, 1
+askerweb.cf, 1
+askeverythingonline.com, 1
+askeygeek.com, 1
+askgamblers.com, 1
+askhow.co.il, 1
+askimsin.com, 1
+askindia.tk, 1
+askjan.org, 1
+askkaren.gov, 1
+asklyrics.com, 1
+askmagicconch.com, 0
+askme-events.vip, 0
+askme-fast.tk, 1
+askme24.de, 1
+askmetutoring.com, 1
+askmetutoring.org, 1
+asko-nabytek.cz, 1
+asko-nabytok.sk, 1
+askollelectric.bg, 1
+askpam.ai, 1
+asktanzania.com, 1
+askvg.com, 1
+askwhy.cz, 1
+askwhy.eu, 1
+asla.info, 1
+aslanadam.com, 1
+aslansigorta.net, 1
+aslinfinity.com, 1
+asm.io, 1
+asm802.com, 1
+asm802.es, 1
+asmbsurvey.com, 1
+asmdz.com, 1
+asmeets.nl, 1
+asmess.com, 1
+asmgroup.rs, 1
+asmm.cc, 0
+asmobox.ga, 1
+asmood.net, 1
+asmpt.com, 1
+asmr-100.com, 1
+asmr-200.com, 1
+asmr-300.com, 1
+asmr.one, 1
+asmrbuluo.com, 0
+asmui.ml, 1
+asmuncandle.com, 1
+asna.host, 1
+aso.com, 1
+asoagroca.com, 1
+asoccu.ga, 1
+asocedune.com, 1
+asociacionatlas.tk, 1
+asociaciones.tk, 1
+asociacionlarueda.tk, 1
+asokan.org, 1
+asonaderi2002.tk, 1
+asoul.tw, 1
+asoziales-netzwerk.net, 1
+asp-progress.tk, 1
+asp.net, 1
+aspec-md.de, 1
+aspectcontext.com, 1
+aspen.gov, 1
+aspencat.tk, 1
+aspenhillsdesign.com, 1
+aspenvocational.com, 1
+asperatechnology.com, 1
+asperatechnology.cz, 1
+asperatechnology.de, 1
+aspernallee.at, 1
+asperti.com, 1
+aspet.org, 1
+aspews.org, 1
+asphaltfruehling.de, 1
+asphaltsolutionsnc.com, 1
+asphyxia.su, 1
+aspi.cz, 1
+aspiechattr.me, 1
+aspietechygamer.tk, 1
+aspiracloud.com, 1
+aspirantum.com, 1
+aspirateur-anti-pollution.fr, 1
+aspirateur-univers.com, 1
+aspiration.marketing, 1
+aspire-dev2.com, 1
+aspirecig.bg, 1
+aspirevc-prod.com, 1
+aspirevc.com, 1
+aspisdata.com, 1
+aspjvm.com, 1
+asportnoy.com, 1
+aspr.gov, 1
+asprion.org, 1
+asprivacy.com, 1
+asprobet.com, 1
+asproni.it, 1
+asps.biz, 1
+aspviress.gq, 1
+asr.cloud, 1
+asr.li, 1
+asr.rocks, 1
+asr.solar, 1
+asr9k.de, 1
+asra.gr, 1
+asral7.com, 1
+asremanoto.tk, 1
+asri.org, 1
+asriyatno.tk, 1
+asrob.eu, 0
+asrtechnology.tk, 1
+assaabloy-partnerportal.com, 1
+assaabloygaragedoors.ca, 1
+assafashowroom.com, 1
+assai.com.br, 1
+assamtenders.gov.in, 1
+assanti.com, 1
+assassinasian.tk, 1
+assdecoeur.org, 1
+assecuro.com.ua, 1
+assedo.tk, 1
+asseenontvonline.ru, 1
+assegaimedia.com, 1
+asselin.fr, 1
+assemblage.gq, 1
+assemblee-copropriete.fr, 1
+assemblyai.com, 0
+assemblywithoutthewalls.org, 1
+assendelft.com, 1
+assens.dk, 1
+assentfitness.com, 1
+assentis.ch, 1
+assentis.com, 1
+assentis.de, 1
+assentis.net, 1
+assentooriginal.com.br, 1
+assertion.de, 1
+assertstack.com, 1
+assessmentpractitioner.co.za, 1
+assessments.careers, 1
+assessoriati.com.br, 1
+assessorindie.tk, 1
+asset-metrix.com, 1
+assetbacked.capital, 0
+asseti.co, 1
+assetinvesting.com, 1
+assets.schwarz, 1
+assetsec.io, 1
+assetsman-assetsvalue.com, 1
+assettocorsa.tk, 1
+assguidesporrentruy.ch, 0
+assicurare.it, 1
+assid.com, 1
+assignacii.ml, 1
+assignmenthelper.org, 1
+assignmenthelponline.co.uk, 1
+assignmenthelpservices.com, 1
+assignments4u.com, 1
+assikerujked.tk, 1
+assinare.com, 1
+assinare.eu, 1
+assinare.pt, 1
+assiplan.it, 1
+assis.partners, 1
+assist-team.co.il, 1
+assistance-personnes-agees.ch, 1
+assistanceinparadise.com, 1
+assistantdemocraticleader.gov, 1
+assistel.com, 1
+assistentesanitario.it, 1
+assistenzaferrodastiro.org, 1
+assistenzafrigorifero.org, 1
+assistenzamicroonde.org, 1
+assistere-a-casa.it, 1
+assistere-a-domicilio.it, 1
+assistere-in-famiglia.it, 1
+assistivebathing.co.uk, 1
+assistouest.fr, 1
+assistouest.net, 1
+assistouest.shop, 1
+assmb.ly, 1
+assmgp.com, 1
+asso.com.ua, 1
+associatedgamer.com, 1
+associationguillaume.com, 1
+associationhorizon.tk, 1
+associazionerimborsi.it, 1
+associazioneterra.it, 1
+assoft.co, 1
+assomydesk.fr, 1
+assoservicesweb.org, 1
+asspoop.com, 1
+assr-online.com, 1
+assta.ga, 1
+assumptionla.gov, 1
+assumptionoep-la.gov, 1
+assurance-emprunteur.bzh, 1
+assurances-brg.com, 1
+assured.se, 0
+assuredspc.com, 1
+assyriatwpmi.gov, 1
+ast-nabytek.cz, 1
+asta-bar.de, 0
+astacreative.nl, 0
+astal.rs, 1
+astana.cf, 1
+astanainform.tk, 1
+astanakz.tk, 1
+astaninki.com, 1
+astano.com, 1
+astano.tk, 1
+astaoffshore.com.au, 1
+astaraday.com, 1
+astarforu.com, 1
+astarfrommosul.cf, 1
+astarfrommosul.ga, 1
+astarfrommosul.ml, 1
+astarmathsandphysics.com, 1
+astateoftrance.tk, 1
+asteelflash.com, 1
+astekbet.com, 1
+astellaria.ee, 1
+astengox.com, 1
+astenotarili.online, 0
+astenretail.com, 1
+astera-led.com, 1
+astera.com, 1
+asterhu.com, 1
+asterix-obelix.ga, 1
+asterobot.net, 1
+asteronline.com, 1
+astettner.de, 1
+asthamishra.com, 1
+asthma-explained.com, 1
+asthowen.com, 1
+asthowen.fr, 1
+asthrdp.com, 1
+astiamministrazioni.it, 1
+asticon.de, 1
+asticonnectedservices.com, 1
+astifan.online, 1
+astigmatic.gq, 1
+astilleroslagos.es, 1
+astleyplumbing.com, 1
+astmatiki.ru, 1
+astolfo.cool, 1
+astonbysqli.com, 1
+astonishing.tk, 1
+astore.co.uk, 1
+astorfoodservice.com, 1
+astorhospitality.com, 1
+astormueble.tk, 1
+astorship.com, 1
+astour.ee, 1
+astqx.com, 1
+astra.software, 1
+astraalivankila.net, 0
+astrakhan-gorod.ga, 1
+astrakhan.cf, 1
+astrakhan.ga, 1
+astrakhan.gq, 1
+astrakhan.ml, 1
+astrakhan.tk, 1
+astral-imperium.com, 1
+astral-prime.com, 1
+astral.com.ar, 1
+astral.gq, 1
+astral.org.pl, 1
+astralrank.com, 1
+astralriders.tk, 1
+astralus.com, 1
+astralus.de, 1
+astramundo.com, 1
+astrategicedgecoaching.com, 1
+astrath.net, 1
+astrati.com.br, 1
+astrawebhost.com, 1
+astrea-voetbal-groningen.nl, 1
+astrid-stolz.de, 1
+astro-com.co.uk, 1
+astro-libre.fr, 1
+astro22.com, 1
+astro4u.tk, 1
+astroalloys.com.au, 0
+astroanaliz.com, 1
+astrociencia.tk, 1
+astrogate.tk, 1
+astrogift.cf, 1
+astrogift.ga, 1
+astrogift.gq, 1
+astrogift.ml, 1
+astrogift.tk, 1
+astrograph.io, 1
+astrojunkies.com, 1
+astrolab.tk, 1
+astroloeches.tk, 1
+astrologeminesolakoglu.com, 1
+astrologerumesh.com, 1
+astrologic.cf, 1
+astrologics.in, 1
+astrologie12.tk, 1
+astrologify.com, 1
+astrology-for-beginners.com, 1
+astrology42.com, 1
+astrolojiyorumcusu.com, 1
+astroluna.cz, 1
+astroluxe.io, 1
+astrong.pl, 1
+astronomiadecolombia.tk, 1
+astronomija.cf, 1
+astronomija.tk, 1
+astronomygcse.cf, 1
+astropackgulf.com, 1
+astropar.tk, 1
+astroscopy.ch, 0
+astrosnail.pt.eu.org, 1
+astrosoc.ml, 1
+astrosociety.org, 1
+astrosofa.com, 1
+astrostart.tk, 1
+astroteam.tk, 1
+astrovandalistas.cc, 1
+astroze.it, 1
+astrumadvies.nl, 1
+astsummer.tk, 1
+astucas.com, 1
+astucedirecte.tk, 1
+astucewebmaster.com, 1
+astuna.de, 1
+astur.school, 1
+asturhackers.es, 1
+astutetm.com, 1
+astutikhonda.com, 1
+astutr.co, 1
+astyork.com, 1
+astypic.fr, 1
+asual.com, 1
+asuamaytinh.com, 1
+asuclassfinder.com, 1
+asucrews.com, 1
+asufte.com, 1
+asugsvsummit.com, 1
+asuikit.com, 1
+asukalangley.tk, 1
+asun.co, 1
+asuntospropios.com, 1
+asura.in.th, 1
+asurbernardo.com, 1
+asurgiant.ca, 1
+asuro.de, 1
+asustor.com, 1
+asustreiber.de, 1
+asvsa.ch, 0
+aswakbladi.com, 1
+asweetsmile.com, 1
+aswish.com, 1
+asws.nl, 1
+asyadexpress.com, 1
+asyaturk.org, 1
+asyikbelanja.com, 1
+asylbarn.no, 1
+asylinfo.no, 1
+asylumguild.tk, 1
+asynchrono.cf, 1
+asyotec.es, 1
+asystent-dzierzawy.pl, 1
+asztrologus.eu, 1
+aszurkolassport.com, 1
+at-consulting.pl, 1
+at.search.yahoo.com, 0
+at.vg, 1
+at2-architecten.be, 1
+at5.nl, 1
+at7s.me, 1
+atabekkoleji.k12.tr, 1
+ataber.pw, 1
+atabor.tk, 1
+atacado.com.vc, 1
+atacadocervejeiro.com.br, 1
+atacadoclube.com.br, 1
+atacadodesandalias.com.br, 1
+atacul.ro, 1
+atadawul.com, 1
+atafu-village.tk, 1
+atahualpa.com, 1
+atakac.com, 1
+atakac.net, 1
+atalandportal.com, 1
+atalantapsicologia.es, 1
+atallo.es, 1
+atam-academy.com, 1
+atanas.ch, 1
+atanet.it, 1
+atapindonesia.com, 1
+atarinew.tk, 1
+atary.tk, 1
+ataton.ch, 0
+atayia.com, 1
+atc-fr.com, 1
+atc.cuneo.it, 1
+atc.io, 0
+atcg.cc, 0
+atchisonkspolice.gov, 1
+atchleyjazz.com, 1
+atchleyjazz.org, 1
+atchleylab.org, 1
+atclan.tk, 1
+atcreform.gov, 1
+atcstl.org, 1
+atcworldaviation.com, 1
+atds.ch, 0
+ateamsport.dk, 1
+atease-salon.jp, 1
+ateasesystems.net, 1
+atebaa.ga, 1
+atec.pt, 1
+ateli.com, 1
+atelier-aleph.fr, 0
+atelier-lebreton.fr, 1
+atelier-naruby.cz, 1
+atelier-rk.com, 1
+atelier-viennois-cannes.fr, 1
+atelier20.ch, 1
+atelieraphelion.com, 1
+atelierbw.com, 1
+atelierdelacreation.com, 1
+atelierdelarobotique.fr, 1
+atelierdeloulou.fr, 1
+atelierdesflammesnoires.fr, 1
+atelierfantazie.sk, 1
+atelierferro.be, 1
+atelierhsn.com, 1
+atelierjs.com, 1
+atelierkuni.jp, 1
+atelierlk.art, 1
+ateliernaruby.cz, 1
+ateliernox.com, 1
+atelierquersin.fr, 1
+atelierssud.swiss, 1
+atelierverbeelding.nl, 1
+atenasconservadora.com.br, 1
+atencionbimbo.com, 0
+ateneumontbui.tk, 1
+ateneupalafrugell.tk, 1
+atenolol25mg.ga, 1
+atenolol50mg.ga, 1
+atentadocumbiero.tk, 1
+aterlectric.com, 1
+ateus.net, 1
+atev.tk, 1
+atf.gov, 1
+atfonline.gov, 1
+atfstudios.tk, 1
+atgmaildotcom.ca, 1
+atgnet.com, 1
+atgoetschel.ch, 0
+atgresultat.com, 1
+atgseed.co.uk, 1
+atgseed.uk, 1
+atgweb.es, 0
+ath0.org, 0
+atheatac.com, 1
+atheism.org, 1
+atheist-refugees.com, 1
+atheistfoundation.org.au, 1
+atheistfrontier.com, 1
+athekiu.com, 1
+athelstanewiclerk.gov, 1
+athemis.de, 1
+athena-security.net, 1
+athenadynamics.com, 1
+athenainvestmentsystems.com, 1
+athenainvsys.com, 1
+athenainvsys.net, 1
+athenaspark.com, 1
+athenasystems.com, 1
+athenasystems.net, 1
+atheneum-partners.cn, 1
+athenrymusicschool.net, 1
+athensdrunktour.com, 1
+athensil.gov, 1
+athenstn.gov, 1
+athensvantours.gr, 1
+athensvillageny.gov, 1
+athensvintagetours.com, 1
+athensvt.gov, 1
+atherosense.ga, 1
+athicart.com, 1
+athleticstore.bg, 1
+athlin.de, 1
+athome-nextcloud.ddns.net, 1
+athomedeco.fr, 1
+athorcis.ovh, 1
+athoris.net, 1
+athritisexplained.com, 1
+atide.cf, 1
+atigerseye.com, 1
+atik.kr, 0
+atiku2007.tk, 1
+atila.io, 1
+atilo.sh, 1
+atimba.com, 1
+atimevis.com, 1
+atimo.dj, 1
+atinylittle.space, 1
+atiparts.com.tr, 1
+atis-ars.ru, 0
+atis.net, 1
+atishchenko.com, 1
+atisoft.biz.tr, 1
+atisoft.com.tr, 1
+atisoft.name.tr, 1
+atisoft.net, 1
+atisoft.net.tr, 1
+atisoft.web.tr, 1
+atisoftbarkodetiket.com.tr, 1
+atisoftseo.com, 1
+atisoftwebtasarim.com, 1
+atisoftwebyazilim.com, 1
+ativaplayfitness.com.br, 1
+ativapsicologia.com.br, 1
+atix.tk, 1
+atizanvip.com, 1
+atk-huolto.com, 1
+atk-nexus.tech, 1
+atk.me, 1
+atkinshealthcenter.com.au, 1
+atkstore.com, 1
+atl-paas.net, 0
+atlacademy.org, 1
+atlan.digital, 1
+atlan.nl, 1
+atlantacustomfab.com, 1
+atlantahealthcare.tk, 1
+atlantajewishconnector.com, 1
+atlantajewishlifefestival.com, 1
+atlantareroof.com, 1
+atlantatai.org, 1
+atlantclinical.com, 1
+atlantica.tk, 1
+atlanticbeachacademy.com, 1
+atlanticcitycasino.news, 1
+atlanticcitycasinonews.com, 1
+atlanticcityweekly.com, 1
+atlanticdatastream.ca, 1
+atlanticfcu.com, 1
+atlantichearingcare.com, 1
+atlantichomes.com.au, 1
+atlanticmarina.com, 1
+atlanticpediatricortho.com, 1
+atlanticradio.fr, 1
+atlanticwatches.ch, 1
+atlantida-amber.org, 1
+atlantik.ml, 1
+atlantik.tk, 1
+atlantikwall.ga, 1
+atlantischild.hu, 1
+atlantishop.si, 1
+atlantismd.com, 1
+atlantiswaterproofing.com, 0
+atlantium.tk, 1
+atlarytm1x.com, 1
+atlas-5.site, 1
+atlas-multimedia.de, 1
+atlas-sat.tk, 1
+atlas-staging.ml, 1
+atlas.computer, 1
+atlas.net.co, 1
+atlasams.com, 1
+atlasauthority.com, 1
+atlasbridge.com, 1
+atlasbrown.com, 1
+atlasbus.by, 1
+atlasbus.pl, 1
+atlasbus.ru, 1
+atlascloud.cn, 1
+atlascoffeeclub.com, 1
+atlascultural.com, 1
+atlasdev.io, 1
+atlasdog.org, 1
+atlasescorts.com, 1
+atlasgaming.ma, 0
+atlasleeuwen.tk, 1
+atlasminertool.com, 1
+atlaso.cz, 1
+atlasone.us, 1
+atlasrealestates.com, 1
+atlasreclame.nl, 1
+atlassen.com, 1
+atlassian.net, 1
+atlassignsandplaques.com, 1
+atlastax.ga, 1
+atlastaxi.eu, 1
+atlastravelvic.com.au, 1
+atlastube.com, 1
+atlasuno.com, 1
+atlaswu.com, 1
+atlcoaters.com, 1
+atlcranetrucks.com.au, 1
+atletico-guacuano.tk, 1
+atleticocearense.com.br, 1
+atletika.hu, 1
+atletismomacotera.tk, 1
+atlon-nn.ru, 0
+atm-erasmus.com, 1
+atm.net, 1
+atmalta.com, 1
+atmelook.com, 1
+atmetalwork.com, 1
+atmi-zo.gr, 1
+atmilanomoda.com, 1
+atmind.nl, 1
+atmmantenimiento.co, 1
+atmmasterplan.eu, 1
+atmocdn.com, 0
+atmondigital.com, 0
+atmos.tk, 1
+atmosferno.cf, 1
+atmospheremarketingwy.com, 1
+atmox.eu, 1
+atmoz.tk, 1
+atmseminar.org, 1
+atmydesk.tech, 1
+atnis.com, 1
+atnteam.tk, 1
+atobtransfer.com, 1
+atolm.net, 1
+atom-china.org, 1
+atom86.net, 1
+atombase.org, 1
+atomeus.nl, 1
+atomic-bounce.com, 1
+atomic-corals.de, 1
+atomic.radio, 1
+atomicanet.tk, 1
+atomicbounce.co.uk, 1
+atomicecho.com, 1
+atomicheart.tk, 1
+atomichomehealth.com, 1
+atomickitteninternational.tk, 1
+atomictag.com, 1
+atomik.biz, 1
+atomism.com, 1
+aton-ensemble.tk, 1
+atonibai.com, 1
+atope.art, 1
+atopy-sendai.com, 1
+atorcidabrasileira.com.br, 1
+atovelin.gq, 1
+atovelin.tk, 1
+atoz-gc.com, 1
+atozeventrentalsofpa.com, 1
+atp-autoteile.de, 1
+atplonline.co, 1
+atproducts.xyz, 1
+atpx.com, 1
+atraining.ru, 1
+atrands.com, 1
+atresclick.com, 0
+atrevillot.com, 1
+atrexservices.com, 1
+atriaresort.ro, 1
+atrias.net, 1
+atriballi.com.br, 1
+atrinik.org, 1
+atris-qa.media, 1
+atris.media, 1
+atriumschool.gr, 1
+atrogi.com, 1
+atrs2023kobe.com, 1
+ats.net, 1
+atspeeds.com, 1
+att-lda.pt, 1
+attac.us, 0
+attanasioluigi.tk, 1
+attatroll.de, 1
+attawauganfirect.gov, 1
+attcleaning.com, 1
+atte.fi, 1
+attechnical.co.uk, 1
+attekaleva.fi, 1
+attendanceondemand.com, 1
+attendantdesign.com, 1
+attendhealth.com, 1
+attendu.cz, 0
+attengo.ga, 1
+attention.horse, 1
+attentionpleats.com.tw, 1
+attesawp.com, 1
+atthehelmins.com, 1
+attic-design.com, 1
+atticlightstudio.net, 1
+atticusblog.com, 1
+attilavandervelde.nl, 1
+attiliospagnolo.it, 1
+attinderdhillon.com, 1
+attireaccessories.com, 1
+attiremr.tk, 1
+attitudefraiche.com, 1
+attitudes-bureaux.fr, 1
+attivazioneveloce.it, 1
+attlane.fr, 1
+attly.cn, 1
+attoch.org, 1
+attogtech.com, 1
+attorneybiographies.ga, 1
+attorneybiographiesest.ga, 1
+attorneyrebeccawhittington.com, 1
+attosoft.tk, 1
+attractant.com, 1
+attractieparken.tk, 1
+atttrainings.com, 1
+attuned.se, 1
+attwood.org, 1
+attyhub.com, 1
+atuallemoveis.ind.br, 1
+atuendomr.com, 1
+atugan.com, 1
+atunel.tk, 1
+atvirtual.at, 1
+atvlifesaver.net, 1
+atvsafety.gov, 1
+atwatermn.gov, 1
+atwel.de, 1
+atwey.fr, 1
+atwk.io, 1
+atwonline.org, 1
+atworktechnology.com.au, 1
+atxchirocoverage.com, 1
+atyourleisureculinary.com, 1
+atyourprice.net, 1
+atyourscreen.com, 1
+atyourscreen.events, 1
+atypicom.es, 1
+atypicom.it, 1
+atypicom.pt, 1
+atyuan.me, 1
+atyuan.one, 1
+atyum.com, 1
+atzenchefin.de, 1
+atzeneta.tk, 1
+atzzz.com, 1
+au-be.net, 1
+au-inter.net, 1
+au.by, 1
+au.search.yahoo.com, 0
+au.zj.cn, 1
+au2pb.net, 1
+au2pb.org, 1
+aubassadeurs-airfly.fr, 1
+aubassadeurs.fr, 1
+aubay.it, 1
+aubcon.com, 1
+aubepine-restaurant.com, 1
+aubergegilly.ch, 0
+aubio.org, 1
+auburn-housekeeper.com, 1
+auburnma.gov, 1
+auburnmi.gov, 1
+auburnpub.com, 1
+auc.ch, 1
+aucarresainteloi.com, 1
+aucc.org.nz, 1
+aucem.com, 1
+auchan.fr, 1
+aucielrose.com, 1
+auckland-lawyer.co.nz, 1
+auckland-painter.co.nz, 1
+aucklandadventurejet.co.nz, 0
+aucklandcastles.co.uk, 1
+aucoindubloc.com, 1
+aucoindufruit.fr, 1
+auction.com, 1
+auctionbv.tk, 1
+audacityland.com, 1
+audatopaz.com, 1
+audazsolucoes.com.br, 1
+aude-mdb-hypnose.fr, 1
+audencia.com, 0
+audian.com, 1
+audible, 1
+audiclubbahrain.com, 1
+audifs.com, 1
+audilio.it, 1
+audio-extractor.net, 1
+audio-joiner.com, 1
+audio.servemp3.com, 1
+audiobit.es, 1
+audioblackmagic.com, 1
+audiobone.com, 1
+audiobookstudio.com, 1
+audioboom.com, 1
+audioboomers.ga, 1
+audiocards.ru, 1
+audiocd.tk, 1
+audiocinemateca.com, 1
+audioconspiracy.tk, 1
+audiofrases.com, 1
+audiohub.com, 1
+audiohub.de, 1
+audiohub.fr, 1
+audiokinetic.com, 1
+audiolegendsny.com, 1
+audiolibri.org, 1
+audiologistdirectory.com, 1
+audiolot.com, 1
+audiomedica.com, 1
+audiomind.tk, 1
+audiomir.tk, 1
+audion.cc, 1
+audionamix.com, 1
+audionpack.de, 1
+audioonly.stream, 1
+audioplugin.deals, 1
+audiorental.net, 1
+audios.tk, 1
+audioscenic.co.uk, 1
+audioscenic.uk, 1
+audioschoolonline.com, 1
+audiosciencereview.com, 1
+audioslave.tk, 1
+audiotools.in, 1
+audiotrace.tk, 1
+audiovegas.com, 1
+audiovisualmurciano.tk, 1
+audisto.com, 1
+audit.one, 1
+audit.ovh, 1
+auditeorganum.cz, 1
+auditingfirm.tk, 1
+audition-radio.tk, 1
+auditiontapes.co.uk, 1
+auditmatrix.com, 1
+auditore-host.tk, 1
+auditorwashingtoncountyohio.gov, 1
+auditos.com, 1
+auditsquare.com, 1
+audleyconstruction.tk, 1
+audreyhossepian.fr, 0
+audreyjudson.com, 1
+audumakrasas.lv, 1
+auenhof-agrar.de, 1
+auerbach-verlag.de, 1
+auf-feindgebiet.de, 1
+aufeergroup.eu, 1
+aufeerjob.cz, 1
+aufildemesidees.fr, 1
+aufmerksamkeitsstudie.com, 1
+aufprise.de, 1
+aufschieben.com, 1
+aufwachzeit.at, 1
+aufwachzeit.com, 1
+aufwecken.dynu.net, 1
+augendre.info, 1
+augenklappe.com, 1
+augenlaser-chemnitz.de, 1
+augenlaser-dresden.de, 1
+augenlasercenter-dresden.de, 1
+augenlaserzentrum-dresden.com, 1
+augenlaserzentrum-dresden.de, 1
+augenlaserzentrum-dresden.eu, 1
+augeo.pt, 1
+augesen.tk, 1
+augix.net, 1
+augmedia.com, 1
+augmedix.com, 1
+augmentable.de, 0
+augmentin.ga, 1
+augmentin.gq, 1
+augmentines600.ga, 1
+augredutemps.ca, 1
+augur.us, 1
+auguri-shop.ro, 1
+august-hoegn.tk, 1
+august.me, 1
+augusta-apotheke.nrw, 1
+augustaky.gov, 1
+augustanews.tk, 1
+augustian-life.cz, 1
+augustiner-kantorei-erfurt.de, 1
+augustiner-kantorei.de, 1
+augustus.lt, 1
+auk.hopto.org, 1
+aukanaw.tk, 1
+aukaraoke.su, 1
+aukcioon-domenov.cf, 1
+aukcioon-domenov.gq, 1
+aukcioon-domenov.ml, 1
+aukhygiene.com, 1
+auksnest.ca, 1
+aulacaribemar.com, 1
+auladerepaso.com, 0
+aulaschrank.gq, 1
+aulasprofdanilo.com.br, 1
+aulialaundry.cf, 1
+aulica-conseil.com, 1
+aulio.fi, 1
+aultcolorado.gov, 1
+aum.edu.kw, 1
+aumigona.com, 1
+aumilieudumonde.gf, 1
+aunali1.com, 1
+auntiesnorkel.com, 1
+auntmia.com, 1
+aunto.xyz, 1
+aupadenis.com, 1
+aupair.com, 1
+aupapa.com, 1
+aupaysdesanes.com, 1
+auplidespages.fr, 1
+auqi.com, 1
+aur.rocks, 1
+aura.moe, 1
+aura7chakr.com, 1
+aurabasketball.com, 1
+aurabasketball.fr, 1
+aurabeautyhub.com, 1
+aurac.org.nz, 1
+aurahiemis.tk, 1
+auralia.cloud, 1
+auralia.net, 1
+auraliafirst.com, 1
+auraliamusic.com, 1
+auralinna.blog, 1
+aurantis.it, 1
+aurbrowser.tk, 1
+aurelharmoniebeaute.fr, 1
+aureliavelvet.org, 1
+aurelie-valognes.com, 1
+aurelieburn.fr, 1
+aurelien-duchene.fr, 1
+aurelienaltarriba.fr, 1
+aurelvoica.ro, 1
+aureshotels.com, 1
+aureusinvest.eu, 1
+auribus.io, 1
+auricblue.com, 1
+auricom.tk, 1
+auriga.com, 1
+aurigaapp.org, 1
+aurigadebtadvice.org.uk, 1
+aurigafuel.co.uk, 1
+aurigaservicesapp.co.uk, 1
+aurika.ag, 1
+auriko-games.de, 1
+auristelasaavedra.tk, 1
+aurnik.com, 1
+aurobindodash.tk, 1
+auronfencing.com.au, 1
+aurora-nexus.org, 1
+aurora.net.au, 0
+aurora403.com, 1
+aurora911.net, 1
+auroracloud.com.au, 1
+auroramarionvillepd-mo.gov, 1
+auroranianoxx.net, 1
+auroraofficefurniture.com.au, 1
+aurorarecordings.com, 1
+auroravtc.com, 1
+aurory.io, 1
+auroz.video, 1
+aurtho.com, 1
+aurumkoins.tk, 1
+ausat.net, 1
+ausbildung-rbg.de, 1
+ausbildungsmesse-digital.de, 1
+ausbrightfacilities.com.au, 1
+auscanalliancecorp.com, 1
+auscert.org.au, 1
+auscube.tk, 1
+auscultador.com, 1
+auscultador.net, 1
+auscultador.org, 1
+auscultadores.net, 1
+auscultadores.org, 1
+auseal.au, 1
+ausec.ch, 0
+auservicedeschiens.com, 1
+ausfin.com, 1
+ausfinex.com, 1
+ausgesprochen.com, 1
+ausielogistics.com.au, 1
+auskast.com, 1
+auskate.tk, 1
+auskunftsbegehren.at, 1
+ausmwoid.de, 1
+ausncp.gov.au, 1
+auspicacious.org, 1
+ausruestungen.com, 1
+aussagen.com, 1
+ausschreibungen-suedtirol.it, 1
+ausset.me, 1
+aussiebum.com, 1
+aussiefinances.com.au, 1
+aussiefunadvisor.com, 0
+aussiemilfs.com, 1
+aussieofficefitout.com.au, 1
+aussieofficefurniture.com, 1
+aussieservicedown.com, 1
+aussiesmostlifted.com.au, 1
+aussiesnus.com, 1
+aussiestoresonline.com, 0
+austcm.com.au, 1
+austenplumbing.com, 1
+austercita.tk, 1
+austin-dumpsters.com, 1
+austin-pearce.com, 1
+austin-security-cameras.com, 1
+austinbestdjs.com, 1
+austincardiac.com, 1
+austincosmetic.com, 1
+austinhartzheim.me, 1
+austinlaw.co.uk, 1
+austinonline.tk, 1
+austinoverheaddoorcompany.com, 1
+austinsutphin.com, 1
+austinuniversityhouse.com, 1
+australiabusinessblog.com, 1
+australiadaily.ga, 1
+australiaday.com.au, 1
+australiainvest.info, 1
+australiajetcharter.com, 1
+australian.tk, 1
+australianairbrushedtattoos.com, 1
+australianairbrushedtattoos.com.au, 1
+australianattractions.com.au, 1
+australiancattle.dog, 1
+australiancurriculum.edu.au, 1
+australianhimalayanfoundation.org.au, 1
+australianhomemade.com, 1
+australianimmigrationadvisors.com.au, 1
+australianjewishnews.com, 1
+australianonlineappliances.ga, 1
+australianpropertyanalytics.ga, 1
+australiantales.com, 0
+australiantemporarytattoos.com, 1
+australiantemporarytattoos.com.au, 1
+australien-tipps.info, 1
+austriablog.de, 0
+austriaguide.tk, 1
+austriahikingtours.tk, 1
+austriantekken.tk, 1
+austriatravel.tk, 1
+austromorph.space, 1
+auszeit-lanzarote.com, 1
+auszeit-walsrode.de, 1
+auszeit.bio, 1
+autantic.fr, 1
+auteldesbrumes.com, 1
+autenti.com, 1
+autenticismo.tk, 1
+autenticoperfumes.com.br, 1
+autereband.tk, 1
+auth.adult, 1
+auth.mail.ru, 1
+authanet.ga, 1
+authcom.ca, 1
+authcom.com, 1
+authenteak.com, 1
+authenticate.be, 1
+authenticate.computer, 1
+authentication.directory, 1
+authentick.online, 1
+authentick.systems, 1
+authic.io, 1
+authinfo-bestellen.de, 1
+authinity.com, 0
+authland.com, 1
+author-it.com, 1
+author.cn, 1
+author24.info, 1
+authorise.computer, 1
+authorise.network, 1
+authoritysolutions.com, 1
+authorize.computer, 1
+authorize.network, 1
+authorwise.com, 1
+authress.io, 1
+authsrv.nl.eu.org, 1
+autism-explained.com, 1
+autisme-france.fr, 1
+autismewoerden.nl, 1
+autismspectrum.shop, 1
+autista.roma.it, 1
+autisten.club, 1
+autistici.org, 1
+auto-albrecht.de, 1
+auto-anleitung.de, 1
+auto-arsenal.tk, 1
+auto-borse.tk, 1
+auto-dealership-news.com, 1
+auto-delchev.com, 1
+auto-ecole-remparts.fr, 1
+auto-help.tk, 1
+auto-i-dat.ch, 1
+auto-market.tk, 1
+auto-none.com, 1
+auto-parts-store.tk, 1
+auto-plus.tn, 1
+auto-profy.com.ua, 1
+auto-quote.ga, 1
+auto-rahbari.de, 1
+auto-reklame.tk, 1
+auto-res.ru, 1
+auto-skills.ru, 1
+auto-specifikacio.hu, 1
+auto1.fi, 1
+auto10dacte.com, 1
+auto2019.net, 1
+auto365haiphong.com, 1
+autoallys.com, 1
+autoambulanza.it, 1
+autoamor.com.br, 1
+autoangels.ga, 1
+autoankaufen.com, 1
+autoapk.com, 1
+autoarena.fr, 1
+autoauctionsarizona.com, 1
+autoauctionsohio.com, 1
+autoauctionsvirginia.com, 1
+autoaudio.pt, 0
+autobarn.co.nz, 1
+autobazarcentrum.cz, 1
+autobedrijfgarant.nl, 1
+autobella-hurtownia.pl, 1
+autobelle.it, 1
+autobelt.com, 1
+autobiz.tk, 1
+autoblog-de.com, 1
+autoblogs.ml, 1
+autobot.com.ua, 1
+autobourcier.com, 1
+autobraga.ru, 1
+autobus.roma.it, 1
+autobuseros4ever.tk, 1
+autobusesonline.tk, 1
+autobusiness.ml, 1
+autocadperfmon.azurewebsites.net, 1
+autocardesign.org, 1
+autocartruck.com, 1
+autocashmachine.tk, 1
+autocenters.ca, 1
+autocheck.co.nz, 1
+autocirkel.tk, 1
+autoclassics.com, 1
+autocmall.com, 1
+autocoder.chat, 1
+autoconcept.ga, 1
+autoconcept.tk, 1
+autocorner.com, 1
+autocross.tk, 1
+autocrossfoto.tk, 1
+autocrossonline.tk, 1
+autocrossteam-martens.tk, 1
+autocrossteam-monein.tk, 1
+autocrossteam.tk, 1
+autocrypt.org, 1
+autodach.com, 1
+autodalas.com, 1
+autodeal.com.ph, 1
+autodekor.com, 1
+autodemolizioni.roma.it, 1
+autodidactic.ai, 1
+autodidacticstudios.com, 1
+autodidacticstudios.net, 1
+autodidacticstudios.org, 1
+autodocument.tk, 1
+autodynamics.tk, 1
+autoecoledumontblanc.com, 1
+autoeet.cz, 1
+autoelettricaperbambini.com, 1
+autoentrepreneurinfo.com, 1
+autoepc.ro, 1
+autoescolapontual.com.br, 1
+autoeshop.eu, 1
+autoexprez.com, 1
+autofficina.roma.it, 1
+autofinancing.ga, 1
+autofornal.pl, 1
+autofresh.tk, 1
+autogalerie-bader.ch, 1
+autogarag.ru, 1
+autogard.cz, 1
+autogear.ga, 1
+autogenai.com, 1
+autoglascenter.com, 1
+autoglass.com.my, 1
+autoglasskobra.bg, 1
+autohaus-brueggemann.de, 1
+autohausmf-nord.de, 1
+autohaussued.de, 0
+autohaussued.gmbh, 1
+autohero.com.au, 1
+autohit.ro, 1
+autohomehub.com, 1
+autohunt.ga, 1
+autohut.ca, 1
+autohuttruckcenter.ca, 1
+autoi.ch, 1
+autoidc.com, 1
+autoinfa.tk, 1
+autoinkoop.tk, 1
+autoinsurancehavasu.com, 1
+autojur.com.br, 1
+autokasko.tk, 1
+autokino-sachsen.de, 1
+autoklub.cz, 1
+autoknife.cf, 1
+autokontinent.ml, 1
+autokovrik-diskont.ru, 1
+autokredit.org, 1
+autolackierung-sadiki.de, 1
+autolatex.cf, 1
+autolawetawroclaw.pl, 1
+autoleaders.gr, 1
+autoledky.sk, 1
+autolet.tk, 1
+autologix.io, 1
+automaatic.com, 1
+automacro.com, 1
+automagischeberegening.nl, 1
+automasrl.it, 1
+automastercastlerock.com, 1
+automatecodes.com, 1
+automatentest.de, 1
+automaticmsp.com, 1
+automation-tools.stream, 1
+automationpro.me, 1
+automationstore.ga, 1
+automatyczna-identyfikacja.pl, 1
+automaxcovington.com, 1
+automechanicschooledu.org, 1
+automeeting.com, 1
+automekano.com, 0
+automekbromma.se, 1
+automiata.de, 1
+automir.online, 1
+automobile-detail.com, 1
+automobile-gadgets.ru, 1
+automobile-propre.com, 1
+automobile.fr, 1
+automobileescrowers.ga, 1
+automobileescrowest.ga, 1
+automobiliteit.nl, 1
+automods.com.au, 1
+automotive.org.ua, 1
+automotiveabundant.ga, 1
+automotiveadaptive.ga, 1
+automotiveagenda.ga, 1
+automotiveamazing.ga, 1
+automotiveanchor.ga, 1
+automotiveappeal.ga, 1
+automotivearrow.ga, 1
+automotiveatlantic.ga, 1
+automotiveavatar.ga, 1
+automotivebad.ga, 1
+automotiveblaster.ga, 1
+automotiveboulevard.ga, 1
+automotivebounce.ga, 1
+automotivebrands.tk, 1
+automotivebrowse.ga, 1
+automotivebuller.ga, 1
+automotivecarnival.ga, 1
+automotivecaster.ga, 1
+automotivecharm.ga, 1
+automotivecheapest.ga, 1
+automotivecircus.ga, 1
+automotivecity.tk, 1
+automotiveclassy.ga, 1
+automotiveclearance.ga, 1
+automotiveclient.ga, 1
+automotivecommission.ga, 1
+automotiveconnect.tk, 1
+automotivecorporation.ga, 1
+automotivecrawler.ga, 1
+automotivecrunch.ga, 1
+automotivecurious.ga, 1
+automotivedelta.ga, 1
+automotivedepot.ga, 1
+automotivedesigning.ga, 1
+automotivedestination.ga, 1
+automotivedodge.ga, 1
+automotivedollar.ga, 1
+automotiveduck.ga, 1
+automotiveeagle.ga, 1
+automotiveeastside.ga, 1
+automotiveepic.ga, 1
+automotiveexcel.ga, 1
+automotivefame.ga, 1
+automotivefeature.ga, 1
+automotiveflag.ga, 1
+automotiveflower.ga, 1
+automotivegang.ga, 1
+automotivegecko.ga, 1
+automotivegeo.ga, 1
+automotiveglory.ga, 1
+automotivego.tk, 1
+automotivegoddess.ga, 1
+automotivegorilla.ga, 1
+automotivegrace.ga, 1
+automotivegratis.ga, 1
+automotivegroove.ga, 1
+automotivegroup-usedcars.be, 1
+automotivegun.ga, 1
+automotivehands.ga, 1
+automotivehard.ga, 1
+automotivehotrod.ga, 1
+automotiveinfo.tk, 1
+automotiveintergrity.ga, 1
+automotivejackpot.ga, 1
+automotivejewel.ga, 1
+automotivejoker.ga, 1
+automotiveknight.ga, 1
+automotiveletter.ga, 1
+automotivelightning.ga, 1
+automotiveloco.ga, 1
+automotivelucky.ga, 1
+automotivemain.ga, 1
+automotivemanagementnetwork.com, 1
+automotivemarks.ga, 1
+automotivemeasure.ga, 1
+automotivemechanic.org, 0
+automotivemessenger.ga, 1
+automotivemeta.ga, 1
+automotivemetric.ga, 1
+automotivemillions.ga, 1
+automotivenano.ga, 1
+automotivenatural.ga, 1
+automotivenature.ga, 1
+automotivenetwork.tk, 1
+automotivenight.ga, 1
+automotivenobel.ga, 1
+automotivenormal.ga, 1
+automotiveocity.ga, 1
+automotiveoffline.ga, 1
+automotiveomatic.ga, 1
+automotiveonline.tk, 1
+automotiveopedia.ga, 1
+automotiveopplis.ga, 1
+automotiveoriginal.ga, 1
+automotiveouter.ga, 1
+automotivephase.ga, 1
+automotivepirates.ga, 1
+automotiveplatinum.ga, 1
+automotivepositive.ga, 1
+automotiveprecision.ga, 1
+automotivepremium.ga, 1
+automotivepriority.ga, 1
+automotivepronto.ga, 1
+automotivepure.ga, 1
+automotiverainforest.ga, 1
+automotiverapid.ga, 1
+automotiverater.ga, 1
+automotiverates.ga, 1
+automotiveraven.ga, 1
+automotivereadset.ga, 1
+automotivereps.ga, 1
+automotiverex.ga, 1
+automotiverings.ga, 1
+automotiveroom.tk, 1
+automotiverunners.ga, 1
+automotivescapes.ga, 1
+automotivescribe.ga, 1
+automotivesedona.ga, 1
+automotivesession.ga, 1
+automotiveshake.ga, 1
+automotiveshuffle.ga, 1
+automotivesleuth.ga, 1
+automotivesource.tk, 1
+automotivesouthbeach.ga, 1
+automotivespicy.ga, 1
+automotivesplash.ga, 1
+automotivesprint.ga, 1
+automotivestick.ga, 1
+automotivestore.tk, 1
+automotivestreaming.ga, 1
+automotivestyle.tk, 1
+automotivesugar.ga, 1
+automotivesunflower.ga, 1
+automotivesurprise.ga, 1
+automotivesustain.ga, 1
+automotivethunder.ga, 1
+automotivetimes.tk, 1
+automotivetreat.ga, 1
+automotiveturbo.ga, 1
+automotiveuk.tk, 1
+automotiveultra.ga, 1
+automotiveurban.ga, 1
+automotivevariety.ga, 1
+automotivevector.ga, 1
+automotivevisual.ga, 1
+automotivewidget.ga, 1
+automotivewish.ga, 1
+automotiveworth.ga, 1
+automotiveyankee.ga, 1
+automoto-tom.net, 1
+automuovifix.fi, 1
+automuse.com, 1
+autonewsreview.com, 1
+autonewssite.com, 1
+autonoleggio.milano.it, 1
+autonome-netze.de, 1
+autonome-treinen.tk, 1
+autoofficina.it, 1
+autoopravarjunior.cz, 1
+autopacking.com, 1
+autopapo.com.br, 1
+autopark-ost-fichtner.de, 1
+autoparts-for-foreigncars.tk, 1
+autoparts-russia.ru, 1
+autoparts.im, 1
+autoparts.sh, 1
+autoparts.wf, 1
+autopartso.com, 1
+autopartsprime.com, 1
+autopartsu.com, 1
+autopaulito.pt, 1
+autopilotapp.com, 1
+autopistadelitata.cl, 1
+autopneusdacovilha.pt, 1
+autopocket.co, 1
+autopod.com, 1
+autoporn.com, 1
+autoportal.tk, 1
+autopril.com, 1
+autoprogconsortium.ga, 1
+autopsy.com, 1
+autopsyhouston.com, 1
+autorabit.com, 1
+autorai.nl, 1
+autorama.cf, 1
+autorecoveryandtowing.com, 1
+autorefuellings.com, 1
+autorefuellings.ru, 1
+autoreinigung-noack.de, 1
+autorepguide.com, 1
+autorepmans.com, 1
+autoresponderilimitado.tk, 1
+autoreview.ml, 1
+autorijschooljohanbos.nl, 1
+autorijschoolrichardschut.nl, 1
+autorisweb.com, 1
+autorizaciones.com, 1
+autos-mertens.com, 1
+autos-motos.fr, 1
+autosalesmachine.net, 1
+autosalone.roma.it, 1
+autosan-vykup.ru, 1
+autosbodyest.ga, 1
+autoschade-mosman.nl, 1
+autoschadeschreuder.nl, 1
+autoschadevdberg.tk, 1
+autoschool.ga, 1
+autoscoops.tk, 1
+autoscreens.com.au, 1
+autoscuola.roma.it, 1
+autosdsg.ca, 1
+autosecurityfinance.com, 1
+autoshopsolutions.com, 0
+autosiero.nl, 1
+autoskolaplzen.cz, 1
+autosneed.com, 1
+autosoftdms.com, 1
+autosolution.tk, 1
+autospadetail.sk, 1
+autosprint.tk, 1
+autospurghi.milano.it, 1
+autospurgo.com, 1
+autospurgo.it, 1
+autospurgo.milano.it, 1
+autospurgo.name, 1
+autosrivada.com, 0
+autostationsest.ga, 1
+autostodulky.cz, 1
+autostop-occasions.be, 1
+autostrady.tk, 1
+autostramites.com, 1
+autostramites.com.ar, 1
+autosupirkimas.tk, 1
+autoteplo.org, 1
+autoterminus-used.be, 0
+autotimez.com, 1
+autotitleloansnu.ga, 1
+autoto.hr, 1
+autotonic.tk, 1
+autotrac.com.br, 1
+autotransportquoteservices.com, 1
+autotras.com, 1
+autotriumph.ru, 1
+autouncle.at, 1
+autouncle.co.uk, 1
+autouncle.com, 1
+autouncle.de, 1
+autouncle.dk, 1
+autouncle.fi, 1
+autouncle.fr, 1
+autouncle.it, 1
+autouncle.pl, 1
+autouncle.pt, 1
+autouncle.ro, 1
+autouncle.se, 1
+autovalepinturas.com.br, 1
+autoverhuur-tilburg.nl, 0
+autovesti.cf, 1
+autovesti.tk, 1
+autoviral.cf, 1
+autoviral.ga, 1
+autoviral.gq, 1
+autoviral.ml, 1
+autoviral.tk, 1
+autowallpapers.tk, 1
+autowatch.tk, 1
+autoweek.nl, 1
+autowerkstatt-puchheim.de, 1
+autozaz.ml, 1
+autozuki.com, 1
+autres-talents.fr, 1
+autumnhungary.tk, 1
+autumnmanor.com, 1
+autya.ga, 1
+auverdrift.ovh, 1
+auvernet.org, 1
+auversum.com, 1
+auvicom.nl, 1
+auvidos.ru, 1
+auviewpoint.tk, 1
+aux-arts-de-la-table.com, 1
+aux-scape.tk, 1
+auxbrinstresses.fr, 1
+auxessenceselfiques.fr, 1
+auxiliame.com, 1
+auxilius.be, 1
+auxmode.com, 1
+auzpro.au, 1
+av-dnepr.com.ua, 1
+av-planet.si, 0
+av-th.net, 1
+av-yummy.com, 1
+av01.tv, 1
+av0ndale.de, 1
+av163.cc, 1
+ava-creative.de, 0
+ava-sky.ga, 1
+ava-software.at, 1
+avaamo.com, 1
+avaaz.org, 1
+avacariu.me, 1
+avacatossiu.tk, 1
+avaclub.ga, 1
+avacourcelles.com, 1
+avaemr-development-environment.ca, 1
+avaeon.com, 1
+avagroup.ga, 1
+avai.la, 1
+available.direct, 1
+availablecastles.com, 1
+availablereportsest.ga, 1
+avakore.com, 0
+avalancha.tk, 1
+avaland.tk, 1
+avalaunchmedia.com, 1
+avalon-ami.tk, 1
+avalon-rpg.com, 1
+avalon-studios.de, 1
+avalonaccess.com, 1
+avalonartstudio.com, 1
+avalonbelltown.com, 0
+avalondevelopment.tk, 1
+avalontechsv.com, 1
+avalyuan.com, 1
+avamax.cz, 1
+avaminoo.com, 1
+avamix.com, 1
+avanad.biz, 1
+avanad.com, 1
+avanade-consulting.com, 1
+avanade.biz, 1
+avanade.ca, 1
+avanade.cm, 1
+avanade.co.in, 1
+avanade.com.br, 1
+avanade.com.es, 1
+avanade.com.sg, 1
+avanade.consulting, 1
+avanade.in, 1
+avanade.info, 1
+avanade.jobs, 1
+avanade.name, 1
+avanade.net, 1
+avanade.org, 1
+avanadeblog.com, 1
+avanadeconsulting.com, 1
+avanadeonline.com, 1
+avancen.com, 1
+avangard-bg.com, 1
+avangard-tovar.tk, 1
+avangard.tk, 1
+avangardmobile.ru, 1
+avanguardia.tk, 1
+avangvpn.ga, 1
+avanovum.de, 1
+avanse.com, 1
+avansyourself.nl, 1
+avantagetaxi.ru, 1
+avantcoequipment.com, 1
+avantcoice.com, 1
+avantcorefrigeration.com, 1
+avanteinversiones.es, 1
+avantikachair.com, 1
+avanza.ps, 0
+avanzagrupo.com, 1
+avanzbanc.com, 1
+avaralar.tk, 1
+avarcom.tk, 1
+avarie.ru, 1
+avariya.tk, 1
+avarom.ir, 1
+avarty.com, 1
+avastantivirus.ro, 1
+avasu.com, 1
+avatarka.tk, 1
+avatedu.com, 1
+avaxprices.com, 1
+avay.vn, 1
+avcipets.com, 1
+avclub.com, 1
+avcone.co.uk, 1
+avdagic.net, 1
+avday.tv, 1
+ave.zone, 1
+aveamcorp.com, 1
+aveapps.com, 0
+aveclunettesoleil.fr, 1
+avedesk.org, 0
+avelecollege.edu.ws, 1
+avelengo.org, 1
+avelinodiaz.gal, 1
+avellinotoday.it, 1
+aveloair.com, 1
+avelon.cloud, 1
+avelux.ru, 1
+avenad.com, 1
+avenad.net, 1
+avenade.com, 1
+avenade.net, 1
+avenade.org, 1
+avengehub.com, 1
+avengepet.eu.org, 1
+avengersonline.ml, 1
+avengersonlinemovie.ga, 1
+avenida7.com, 1
+avenir-now.at, 1
+avenir-now.ch, 1
+avenir-now.com, 1
+avenir-now.de, 1
+avensure.com, 1
+aventure-chasse-peche.com, 1
+avenue5.com, 1
+avenuedesbebes.com, 1
+avepoint.com, 1
+avepol.cz, 1
+avepol.eu, 1
+averageinspired.com, 1
+averen.co.uk, 1
+averge.co.za, 1
+avernis.de, 1
+avertoni.ru, 1
+avery.com, 1
+aves.asso.fr, 1
+avestagames.tk, 1
+avevad.com, 1
+avexon.com, 1
+avexongroup.com, 1
+avexonsecurity.com, 1
+avg.club, 1
+avg7.de, 1
+avgindiantech.com, 1
+avi-web.com, 1
+avi12.com, 0
+avi9526.pp.ua, 1
+avia-krasnoyarsk.ru, 0
+avia-ufa.ru, 0
+aviabilet.tk, 1
+avianbrands.com, 1
+aviandirectory.uk, 1
+avianotravel.com, 1
+aviaphoto.tk, 1
+aviapic.com, 1
+aviapic.eu, 1
+aviapic.fr, 1
+aviapic.info, 1
+aviapic.net, 1
+aviapic.org, 1
+aviareis.tk, 1
+aviarycourthotel.co.uk, 1
+aviasales.gq, 1
+aviasalon.spb.ru, 1
+aviasg.com, 1
+aviaskan.ru, 1
+aviationcareerpal.com, 1
+aviationlearning.aero, 1
+aviationlearning.lu, 1
+aviationmilitaire.tk, 1
+aviationonline.tk, 1
+aviations-engineering.tk, 1
+aviationsafetywiki.org, 1
+aviationstrategies.aero, 1
+aviationstrategy.aero, 1
+aviationweather.gov, 1
+aviationzone.tk, 1
+aviciibook.ru, 1
+aviconverter.tk, 1
+avidmode-dev.com, 1
+avidmode-staging.com, 1
+avidmode.com, 1
+avidtv.ie, 1
+avie.de, 1
+avilas-style.com, 1
+avilauto.com.es, 1
+avilauto.net, 1
+avincouture.de, 1
+avinguard.com, 1
+avinilo.com, 1
+avintivmedia.com, 1
+avio.rest, 1
+aviodrome.nl, 1
+aviokarte.rs, 1
+avionicbooks.tk, 1
+avions.ga, 1
+aviprime.by, 1
+aviraantivirusreviews.com, 1
+aviruptribedi.com, 1
+avisbabes.com, 1
+avishanx.com, 1
+avishwebsoft.com, 1
+avisodeprivacidad.info, 1
+avisofi-credit-immobilier.fr, 1
+avisoshuaraz.tk, 1
+avisoversigten.dk, 1
+avispl.com, 1
+avitahealth.org, 1
+avitus.hu, 1
+aviv-group.at, 1
+avivanuestroscorazones.com, 1
+avivaplasticsurgery.com, 1
+aviweisfogelinfo.org, 1
+avlasov.tk, 1
+avlhostel.com, 1
+avlover.com, 1
+avm-multimedia.com, 1
+avm99963.com, 1
+avmemo.com, 1
+avmtn.net, 1
+avmup.com, 1
+avn-buses.tk, 1
+avnet.ws, 1
+avninternational.tk, 1
+avo.lt, 0
+avoandco.com, 1
+avocad.studio, 1
+avocadooo.stream, 1
+avocadopress.ru, 0
+avocadostore.at, 1
+avocadostore.de, 1
+avocat-alina-szilaghi.ro, 1
+avocat-bourgogne.fr, 1
+avocat-divort-constanta.ro, 1
+avocat-droit-du-travail.org, 1
+avocat-karsenti.fr, 1
+avocatcivil.net, 1
+avocatpenal.net, 1
+avocatro.net, 1
+avodart.ml, 1
+avogel-company.ch, 1
+avogel.ca, 1
+avogel.ch, 1
+avogel.co.uk, 1
+avogel.de, 1
+avogel.gr, 1
+avogel.ie, 1
+avogel.nl, 1
+avogel.pt, 1
+avogel.si, 1
+avogelusa.com, 1
+avoids-troops.gq, 1
+avoinna24.fi, 1
+avondaleestatesga.gov, 1
+avonindiana.gov, 1
+avonlearningcampus.com, 1
+avontuurlijk-natuurlijk.be, 1
+avonvets.co.uk, 1
+avoonix.com, 1
+avounossoupes.be, 1
+avp-emobility.de, 1
+avpres.net, 0
+avqueen.cn, 0
+avrilhouse.tk, 1
+avrilshine.tk, 1
+avris.it, 1
+avrora-nov.ru, 1
+avroramine.tk, 1
+avrrom.com, 1
+avstack.io, 1
+avt-ukraine.com, 1
+avtecmedia.com, 0
+avtek.pl, 1
+avthelsinki.fi, 1
+avto-bazar.tk, 1
+avto-signal.cf, 1
+avto-signal.ga, 1
+avto-signal.gq, 1
+avto-signal.ml, 1
+avtochip.tk, 1
+avtodoki.tk, 1
+avtodot.tk, 1
+avtoforex.ru, 1
+avtogara-isperih.com, 1
+avtojurist.ml, 1
+avtojurist.tk, 1
+avtomaniya.ml, 1
+avtomaniya.tk, 1
+avtomarket.ru, 1
+avtoobzor.tk, 1
+avtoritet78.ru, 1
+avtorspb.ru, 1
+avtoshini.md, 1
+avtostolica.tk, 1
+avtoucheba.tk, 1
+avtours.gr, 1
+avtoveles.by, 1
+avtovikup.ml, 1
+avtovokzaly.ru, 1
+avtoyurist.cf, 1
+avtoyurist.ga, 1
+avtoyurist.gq, 1
+avtoyurist.ml, 1
+avtoyurist.tk, 1
+avus-automobile.com, 1
+avv.li, 1
+avvaterra.ch, 1
+avvnicolaurbani.ch, 1
+avvocato.bologna.it, 1
+avvocatoinlinea.it, 1
+avvoka.com, 1
+avweb.tk, 1
+aw.gov.pl, 1
+aw.net, 1
+awac.com, 1
+awakenaija.com, 1
+awakengr.com, 0
+awakening-guild.com, 1
+awakenplace.tk, 1
+awakenplace.top, 1
+awakenwow.ga, 1
+awakinn.co.in, 1
+awangardaszkola.pl, 1
+awanteverde.tk, 1
+award.ga, 1
+aware.org.sg, 0
+awaremi-tai.com, 1
+awarenessadvisor.ga, 1
+awarenessadvisorest.ga, 1
+awaresec.com, 1
+awaresec.no, 1
+awareservices.com, 0
+awarify.io, 1
+awarify.me, 1
+awarity.be, 1
+awarner.co.uk, 1
+awaro.net, 1
+awaua.nl, 0
+awawa.cf, 1
+awaybot.com, 1
+awaygroundguide.com, 1
+awayword.cf, 1
+awconsulting.com.sg, 1
+awe130.com, 1
+awebsome.fr, 1
+awei.pub, 1
+awena.me, 1
+awena.xyz, 1
+awersomecreatorfromrussia.tk, 1
+awesome-coconut-software.fr, 1
+awesomebible.de, 1
+awesomelifedeals.today, 1
+awesomenamegenerator.com, 1
+awesomeperfumes.com, 1
+awesomesheep48.ca, 1
+awesomesit.es, 0
+awf0.xyz, 1
+awfulsport-news.tk, 1
+awh.ink, 1
+awk.tw, 1
+awksolutions.com, 1
+awlonline.tk, 1
+awmb.uk, 1
+awningcleaningchicago.com, 1
+awningpressurewashing.com, 1
+awningsaboveus.com, 1
+awo-bremen.de, 1
+awo-sh.de, 1
+awoau.com.au, 1
+awomansplacenj.com, 1
+awrd.cz, 1
+awsbs.de, 1
+awscloudrecipes.com, 1
+awsl.blog, 1
+awsl.tech, 0
+awsnuke.com, 1
+awsome-books.co.uk, 1
+awsumchan.org, 1
+awtogid.com, 1
+awwwcats.com, 1
+awxg.com, 1
+awxg.email, 1
+awxg.eu.org, 1
+awxg.net, 1
+awxg.org, 1
+awxg.zone, 1
+ax.mk, 1
+ax25.org, 1
+ax4health.nl, 1
+axa.ch, 1
+axa.de, 1
+axavalon.tk, 1
+axchap.ir, 1
+axcient.com, 1
+axe-formation.com, 1
+axe.io, 1
+axeapi.au, 1
+axel-faure.eu, 1
+axel-fischer.net, 0
+axel-fischer.science, 1
+axel-stettner.de, 1
+axel-voss.eu, 0
+axel.red, 1
+axelcalle.com, 1
+axeldavid.fr, 1
+axeligence.com, 1
+axelname.ru, 1
+axelr.me, 1
+axeltheune.de, 1
+axelvoss.eu, 0
+axenhus.com, 1
+axeonline.tk, 1
+axessgroup.com, 1
+axesslab.com, 1
+axesslab.se, 1
+axfr.se, 1
+axg.io, 1
+axialhouse.cf, 1
+axiam-pc.co.uk, 1
+axiams.co.uk, 1
+axidocepabid.tk, 1
+axin888.vip, 1
+axiniteguitars.ca, 1
+axiniteguitars.com, 1
+axioinvest.com, 1
+axiom-networks.org, 1
+axiom4.net, 1
+axiomecpa.com, 1
+axiomtechnologies.tk, 1
+axios.tk, 1
+axiosint.com, 1
+axis-of-evil.tk, 1
+axis-stralis.co.uk, 1
+axis.kiev.ua, 1
+axis2ofevil.com, 1
+axiscapital.com, 0
+axisdesignarchitects.co.uk, 1
+axisdesignarchitects.com, 1
+axishw.com, 1
+axisinteriors.net, 1
+axislinx.com, 1
+axisortho.com.sg, 1
+axist.com.co, 1
+axisunderwriting.com.au, 1
+axl.net, 1
+axmedmessi.tk, 1
+axoftglobal.com, 1
+axoftglobal.ru, 1
+axolotagencia.com, 1
+axomatic.com, 1
+axomatic.it, 1
+axon-toumpa.gr, 1
+axon.link, 1
+axoncoho.tk, 1
+axone-computers.fr, 0
+axonholdingse.eu, 1
+axre.de, 1
+axrec.de, 1
+axstet.de, 1
+axton.ink, 0
+axtra.digital, 1
+axtux.tk, 1
+axx.ax, 1
+axxemble.nl, 0
+axxeptinq.tk, 1
+axxess-marine.com, 1
+axxial.tk, 1
+axyl.cloud, 1
+axzq.com, 1
+ay-net.jp, 1
+ayahya.me, 0
+ayakatenshi.tk, 1
+ayamchikchik.com, 1
+ayanomimi.com, 1
+ayatosuzuki.com, 1
+aycacankurt.com, 1
+aycasac.com, 1
+aycomba.de, 1
+aydacosmetics.com, 1
+aydesignco.com, 1
+aydinescmagazin.tk, 1
+aydinhaberleri.tk, 1
+aye.sh, 1
+ayersanaheim.com, 1
+ayerscoronaeast.com, 1
+ayersgroup.net, 1
+ayershawthorne.com, 1
+ayershotelsealbeach.com, 1
+ayerslagunawoods.com, 1
+ayersorange.com, 1
+ayerssuites.com, 1
+ayerssuitesmillsmall.com, 1
+ayesh.win, 1
+ayhankaraman.com, 1
+ayj.solutions, 1
+aykiri.com.tr, 1
+aykutcevik.com, 1
+aykyamultifest.com, 1
+aylak.com, 1
+aylesburycastlehire.co.uk, 1
+aylett.co.uk, 1
+ayltoninacio.com.br, 1
+aymerick-dupouey.fr, 1
+aymericlagier.com, 1
+aymhome.top, 0
+ayoa.com, 1
+ayomi.com, 1
+ayon-games.tk, 1
+ayothemes.com, 1
+ayovaksindinkeskdi.id, 1
+ayresalpine.com, 1
+ayresanaheim.com, 1
+ayresapline.com, 1
+ayresbarstow.com, 1
+ayresboutiquesuites.com, 1
+ayrescalabasas.com, 1
+ayrescares.com, 1
+ayreschinohills.com, 1
+ayreschulavista.com, 1
+ayrescommercial.com, 1
+ayresconstructioncompany.com, 1
+ayrescoronaeast.com, 1
+ayrescoronawest.com, 1
+ayrescostamesa.com, 1
+ayresdevelopment.com, 1
+ayresdiamondbar.com, 1
+ayresfountainvalley.com, 1
+ayresgroup.net, 1
+ayreshawthorne.com, 1
+ayreshotel.com, 1
+ayreshotelanaheim.com, 1
+ayreshotelbarstow.com, 1
+ayreshotelchulavista.com, 1
+ayreshotelgroup.com, 1
+ayreshotellagunawoods.com, 1
+ayreshotelmanhattanbeach.com, 1
+ayreshotelmillenia.com, 1
+ayreshotelmorenovalley.com, 1
+ayreshotelorange.com, 1
+ayreshotelrialto.com, 1
+ayreshotels.com, 1
+ayreshotelsealbeach.com, 1
+ayreshotelvista.com, 1
+ayreshr.com, 1
+ayresinnorange.com, 1
+ayreslagunawoods.com, 1
+ayreslodgealpine.com, 1
+ayresmillenia.com, 1
+ayresmillsmall.com, 1
+ayresmissionviejo.com, 1
+ayresmissionviejospa.com, 1
+ayresmorenovalley.com, 1
+ayresolympiclodge.com, 1
+ayresontario.com, 1
+ayresontarioairport.com, 1
+ayresontariomillsmall.com, 1
+ayresorange.com, 1
+ayrespasorobles.com, 1
+ayresredlands.com, 1
+ayresresortandvineyard.com, 1
+ayresrialto.com, 1
+ayressealbeach.com, 1
+ayresselfstorage.com, 1
+ayresspamorenovalley.com, 1
+ayressuites.com, 1
+ayressuitescoronawest.com, 1
+ayressuitescostamesa.com, 1
+ayressuitesdiamondbar.com, 1
+ayressuitesmissionviejo.com, 1
+ayressuitesmorenovalley.com, 1
+ayressuitesontario.com, 1
+ayressuitesontarioairport.com, 1
+ayressuitesyorbalinda.com, 1
+ayressupport.com, 1
+ayresvista.com, 1
+ayresyorbalinda.com, 1
+ayrohq.com, 1
+ayrom.io, 1
+ayrshirebouncycastlehire.co.uk, 1
+ayruu.com, 1
+ayselonia.onl, 1
+ayshaflix.com.br, 1
+aysima.com, 1
+ayubesportes.com.br, 1
+ayudacloud.com, 1
+ayudaconmibanco.gov, 1
+ayudalabs.com, 1
+ayudamineduc.cl, 1
+ayudamutua.red, 1
+ayudapreview.com, 1
+ayudaprogramacion.net, 1
+ayudasocialmex.com, 1
+ayumi.network, 1
+ayumindev.net, 1
+ayumix3.xyz, 1
+ayuntamientoarenoso.gob.do, 1
+ayuntamientoazua.gob.do, 1
+ayuntamientobocachica.gob.do, 1
+ayur-veda.tk, 1
+ayurveda-france.com, 0
+ayuwidodari.my.id, 1
+ayvalikgezgini.com, 1
+ayyildizgrup.com, 1
+ayyz66.cc, 1
+az-flag.com, 1
+az-forum.ga, 1
+az-moga.bg, 1
+az-raven.com, 1
+az-vinyl-boden.de, 1
+az.net.au, 1
+az.search.yahoo.com, 0
+az.st, 1
+az.support, 1
+az11018.com, 1
+azadblog.tk, 1
+azadliq.info, 1
+azadliq.online, 1
+azairline.com, 1
+azaleos.com, 1
+azaleos.net, 1
+azallon.com.br, 1
+azami.com, 1
+azaria.blog, 1
+azarkepic.com, 1
+azartmania.ga, 1
+azartmania.tk, 1
+azarus.ch, 1
+azarweb.tk, 1
+azbuka-bp.ru, 1
+azcensus2020.gov, 1
+azcontech.com, 1
+azdailysun.com, 1
+azdevsmartviewwebportal.azurewebsites.net, 1
+aze.dk, 1
+azehosting.net, 1
+azemardstephanie.com, 1
+azenot.com, 0
+azeo.com, 1
+azeo.fr, 1
+azerbelarbi.tk, 1
+azerigenocide.tk, 1
+azeriinfo.tk, 1
+azeriland.tk, 1
+azerinews.ga, 1
+azerinews.tk, 1
+azeronline.tk, 1
+azertyjobs.com, 1
+azfreaks.tk, 1
+azh-kunden.de, 1
+azhamevents.com, 1
+azhapasa.com, 1
+azhappytails.com, 1
+azhibo18.com, 1
+azia.info, 0
+azianpride.tk, 1
+aziatki.tk, 1
+azicostar.com, 1
+azienda-tv.tk, 1
+aziendaagricolapagano.it, 1
+azimech.net, 1
+azimut.fr, 1
+azimuth-ast.ru, 1
+azingostar.tk, 1
+azinmadaar.com, 1
+azinmahab.com, 1
+azirevpn.com, 1
+azithromycin.ga, 1
+azithromycinbuy.ga, 1
+azithromycine.gq, 1
+azitromicina.gq, 1
+azizfirat.com, 0
+azizidevelopments.com, 1
+azjlbc.gov, 1
+azkunazentroa.eus, 1
+azl-app.be, 1
+azl.ink, 1
+azlink.tk, 1
+azlk-team.ru, 1
+azmt.de, 1
+azmun.com, 1
+aznaetelivy.ru, 1
+azoang.com, 1
+azoft.com, 1
+azon.gr, 1
+azonicinfotech.com, 1
+azoogi.com.au, 1
+azora.cf, 1
+azorin.tk, 1
+azort.com, 1
+azotobacter.nl, 1
+azoulaygroup.org, 1
+azplayersclub.com, 1
+azpogomap.com, 1
+azquality.com, 1
+azrangers.gov, 1
+azrazalea.net, 1
+azreal.com, 1
+azredistricting.gov, 1
+azrevolutionizingckd.com, 1
+azrhymes.com, 1
+azs-nw.ru, 1
+azsalud.gov, 1
+azsec.biz, 1
+azso.pro, 1
+azsoriginal.pw, 0
+azsupport.com, 1
+azsupport.host, 1
+azsupport.org, 1
+aztecahome.com, 1
+aztekium.com, 1
+aztestsmartviewwebapp.azurewebsites.net, 1
+azton.tk, 1
+aztraslochi.it, 1
+aztrix.me, 1
+aztummytuck.com, 1
+azu-l.com, 0
+azu-l.jp, 0
+azudream.tk, 1
+azuki.cloud, 1
+azul-elijah.tk, 1
+azula.tk, 1
+azulimparcial.pt, 1
+azulweb.tk, 1
+azur.ovh, 1
+azure, 1
+azure-informatique.cloud, 1
+azurecraft.ga, 1
+azurecrimson.com, 1
+azurecup.cz, 1
+azurecup.online, 1
+azurefabric.com, 1
+azurenorth.com.ph, 1
+azuriasky.com, 1
+azuriasky.net, 1
+azuriom.com, 1
+azurlane.cool, 1
+azurpedia.cf, 1
+azuxul.fr, 1
+azvirtualschool.com, 0
+azvpn.tk, 1
+azzurrapelletterie.it, 1
+b-angel.info, 1
+b-b-law.com, 1
+b-coal.com, 0
+b-cyclesshop.ch, 0
+b-designer.tk, 1
+b-digital.cf, 1
+b-digital.ga, 1
+b-digital.gq, 1
+b-entropy.com, 1
+b-freerobux.ga, 1
+b-honey.gr, 1
+b-institute.ml, 1
+b-landia.net, 1
+b-root-force.de, 1
+b-services.net, 0
+b-swiss.com, 1
+b-ticket.ch, 1
+b-tje.nl, 1
+b-tree.be, 1
+b-utstore.com, 1
+b-wartburg.de, 1
+b.ee, 1
+b.wtf, 1
+b00de.ga, 1
+b03aa.com, 0
+b03cc.com, 0
+b0hr.ai, 1
+b0k.org, 1
+b0r.ch, 1
+b0rk.com, 1
+b1.work, 1
+b1031.com, 1
+b11p.com, 1
+b131000.com, 0
+b17turkiye.com, 1
+b1c1l1.com, 1
+b1drivers.com, 1
+b1ggi.ovh, 1
+b1nzy-pinged.me, 1
+b1r0d4l0m.com, 1
+b1rd.tk, 1
+b24.pt, 1
+b2b-leads.nl, 1
+b2b-nestle.com.br, 1
+b2bchiemihara.com, 1
+b2bhint.com, 1
+b2binpay.com, 1
+b2bleadhub.com, 1
+b2bmail.ga, 1
+b2bmuzikbank.com, 1
+b2bpoke.com, 1
+b2btaz.com, 1
+b2c-engineering.com, 1
+b2markt.de, 1
+b2music.asia, 1
+b3.nu, 1
+b3103.com, 0
+b31aa.com, 0
+b31cc.com, 0
+b31dd.com, 0
+b31ee.com, 0
+b31ff.com, 0
+b3390.com, 0
+b33app.com, 0
+b36512.com, 0
+b3b4.com, 1
+b3bra.win, 1
+b3pacific.com, 1
+b3tec.fr, 1
+b422edu.com, 1
+b4bouncycastles.co.uk, 1
+b4ckbone.de, 1
+b4ifund.it, 1
+b4lint.hu, 1
+b4r7.de, 1
+b4z.eu, 1
+b5189.com, 0
+b5197.co, 1
+b5901.com, 0
+b5902.com, 1
+b5903.com, 0
+b5904.com, 0
+b5906.com, 1
+b5907.com, 1
+b5908.com, 0
+b5909.com, 1
+b5910.com, 0
+b5dev.com, 1
+b5i.net, 1
+b61688.com, 1
+b62aa.com, 1
+b62b.com, 1
+b62bb.com, 1
+b62cc.com, 1
+b62d.com, 1
+b62dd.com, 1
+b62ee.com, 1
+b6701.com, 1
+b6703.com, 1
+b6704.com, 1
+b6705.com, 1
+b6729.co, 1
+b67701.com, 1
+b67702.com, 1
+b67703.com, 1
+b67704.com, 1
+b67705.com, 1
+b67801.com, 1
+b67802.com, 1
+b67803.com, 1
+b67805.com, 1
+b67901.com, 0
+b67902.com, 0
+b67903.com, 0
+b67904.com, 0
+b67905.com, 0
+b6957.co, 1
+b70301.com, 1
+b70302.com, 1
+b70305.com, 1
+b70661.com, 1
+b70663.com, 1
+b70664.com, 1
+b70884.com, 1
+b70885.com, 1
+b70991.com, 1
+b70992.com, 1
+b70993.com, 1
+b70994.com, 1
+b70995.com, 1
+b72.com, 1
+b72.net, 1
+b7306.com, 0
+b73bb.com, 0
+b73dd.com, 0
+b767.net, 1
+b8-e.de, 1
+b82365.com, 1
+b86255.com, 1
+b8831.com, 0
+b88vip1.com, 1
+b88vip10.com, 1
+b88vip2.com, 1
+b88vip3.com, 1
+b88vip4.com, 1
+b88vip5.com, 1
+b88vip6.com, 1
+b88vip7.com, 1
+b88vip8.com, 1
+b88vip9.com, 1
+b89gg.com, 0
+b89hh.com, 1
+b8a.me, 1
+b9168.com, 1
+b9297.co, 1
+b9498.com, 1
+b9586.net, 1
+b9588.net, 1
+b95888.net, 1
+b9589.net, 1
+b96899.com, 1
+b9728.co, 1
+b979365.com, 0
+b979666.com, 1
+b9883.net, 1
+b9884.net, 1
+b9885.net, 1
+b9886.com, 1
+b9886.net, 1
+b9887.net, 1
+b9888.net, 0
+b98886.com, 1
+b9889.net, 1
+b99011.com, 0
+b99022.com, 1
+b99033.com, 1
+b9904.com, 0
+b99044.com, 1
+b9905.com, 0
+b99055.com, 1
+b99066.com, 1
+b99077.com, 1
+b99088.com, 1
+b99099.com, 1
+b99118.com, 0
+b9912.com, 0
+b99218.com, 0
+b9930.com, 1
+b99318.com, 1
+b99418.com, 1
+b9951.com, 0
+b99518.com, 0
+b9954.com, 1
+b9957.com, 0
+b9961.com, 0
+b99618.com, 0
+b9962.com, 0
+b9970.com, 0
+b99718.com, 1
+b9973.com, 0
+b9976.com, 0
+b99818.com, 0
+b99881.com, 1
+b99882.com, 1
+b99883.com, 1
+b99885.com, 1
+b99886.com, 1
+b99918.com, 0
+b9999ff.com, 0
+b9999hh.com, 0
+b9999ii.com, 0
+b9999jj.com, 0
+b9999ll.com, 0
+b9999mm.com, 0
+b9999nn.com, 0
+b9999oo.com, 1
+b9999pp.com, 1
+b9999qq.com, 0
+b9999tt.com, 1
+b9999vv.com, 1
+b9999ww.com, 0
+b9999yy.com, 1
+b9999zz.com, 0
+b99iosapp.com, 0
+b9winner.com, 1
+ba7jcm.live, 1
+ba7jcm.top, 1
+ba7rain.tk, 1
+baaam.se, 1
+baac-dewellmed.com, 1
+baaiai.com, 1
+baalajimaestro.me, 1
+baams.tk, 1
+baaradvies.nl, 1
+baas-becking.biology.utah.edu, 1
+baas-sabiogroup.com, 1
+baas.agency, 1
+baatar.idv.hk, 1
+baazee.de, 1
+baba.wiki, 1
+babacloud.ddns.net, 1
+babacsalogato.hu, 0
+babacuhocica.tk, 1
+babadag.tk, 1
+babaei.net, 1
+babaei.org, 1
+babaganousha.net, 1
+babai.ru, 1
+babakhanalia.tk, 1
+babakortane.ga, 1
+babakshaabani.tk, 1
+babamamatermek.hu, 1
+babaog.com, 1
+babarkata.com, 1
+babaroxi4j2.com, 0
+babaseo.ml, 1
+babavan.ga, 1
+babayaga-bg.ga, 1
+babb.is, 1
+babbel.tk, 1
+babbelchat.tk, 1
+babblefeed.tk, 1
+babeeclothingandoutfits.com, 1
+babehunt.tk, 1
+babekids.tk, 1
+babel.es, 1
+babeleo.com, 1
+babelfisch.eu, 1
+babelfish.money, 1
+babes.com, 1
+babesnetwork.com, 1
+babet365.com, 1
+babetta.tk, 1
+babettelandmesser.de, 0
+babevr.com, 1
+babia.to, 1
+babibonami.tk, 1
+babichsteriliser.com.au, 1
+babico.name.tr, 1
+babindo.com, 1
+babineaux.zone, 1
+babitaji.tk, 1
+babki-mgnovenno.ga, 1
+babki-mgnovenno.ml, 1
+babkitut.ga, 1
+bablodel.biz, 1
+bablodel.com, 1
+babo.ooo, 1
+babo.tk, 1
+babolsar.tk, 1
+baboo.com.br, 1
+babsbibs.com, 1
+babuccu.com, 1
+baburhat.tk, 1
+babursahvizeofisi.com, 1
+babushkin-mir.tk, 1
+baby-doll.tk, 1
+baby-massage.tk, 1
+baby-skin-care.ga, 1
+baby-tester.tk, 1
+babyandchild.ae, 1
+babyandmoms.tk, 1
+babyappear.com, 1
+babybed.tk, 1
+babyboom.pl, 1
+babyboomer.org, 1
+babyboomer.ro, 1
+babybuddah.ga, 1
+babybunnypictures.tk, 1
+babycaring.com, 1
+babycat.tk, 1
+babycezi.ro, 1
+babychou.me, 1
+babycr.net, 1
+babyfights.tk, 1
+babyfotograf-schweiz.ch, 1
+babygearlab.com, 1
+babygirlholidaydresses.tk, 1
+babyinthehouse.com.br, 1
+babykappy.com, 1
+babylonclub.cf, 1
+babymall.hk, 1
+babymasaze.cz, 1
+babymozg.ga, 1
+babynamen.nl, 1
+babynames.net, 1
+babynoise.tk, 1
+babynow.org, 1
+babypaparadise.com, 0
+babypharm.ga, 1
+babyphototime.com, 1
+babypibu.com, 1
+babypoppen.tk, 1
+babyportal.net, 1
+babyprice.fr, 0
+babysafety.tk, 1
+babysdishes-bowls.tk, 1
+babysface.com, 1
+babyshopsupport.com.au, 1
+babyshower.cf, 1
+babystrollers.ml, 1
+babyvillagegt.com, 1
+babyz.tk, 1
+babyzen.tk, 1
+babyzoet.com, 1
+bac-fiches.tk, 1
+bacamanga.id, 1
+bacanal-intruder.tk, 1
+bacanaskincare.com, 1
+bacaneriahlg.com, 1
+bacanora.tk, 1
+bacanovel.id, 1
+bacardi.cf, 1
+bacardicola.tk, 1
+baccarat.tk, 1
+bacchus.report, 1
+baccredomatic.voyage, 1
+bacgp.com, 1
+bacgroup.digital, 1
+bacgroupdigital.com, 1
+bacgroupinc.com, 1
+bacgrouppublishing.com, 1
+bach-frederiksen.dk, 1
+bachata.berlin, 1
+bachata.info, 1
+bache-barre.fr, 1
+bache-bulle.fr, 1
+bache-de-piscine.fr, 1
+bache-ete-piscine.com, 1
+bache-hiver-piscine.com, 1
+bache-hivernage.com, 1
+bachelorampel.de, 1
+bachelornation.com, 1
+baches-piscines.com, 1
+bachlongbeach.com, 1
+bachlongmobile.com, 1
+bachmannyachts.com, 1
+bachmatt-baar.ch, 1
+bachokiro.com, 1
+bachoodesign.com, 1
+bachweid-baar.ch, 1
+baciu.ch, 0
+back-links.ga, 1
+back-stage.tk, 1
+back-streets.tk, 1
+back-yard.tk, 1
+backd00red.org, 1
+backenmachtgluecklich.de, 0
+backfront.com, 1
+background-checks-systems.com, 1
+background-checks.asia, 1
+background-checks.biz, 1
+background-checks.mobi, 1
+backgroundscreenersofamerica.com, 1
+backgroundz.net, 1
+backingtrackbrasil.com, 1
+backinstockalerts.com, 1
+backjump.tk, 1
+backlashband.tk, 1
+backlink-builder.tk, 1
+backlink.gd, 1
+backlinkboss.com, 1
+backlinktr.tk, 1
+backlog.jp, 1
+backlogapp.io, 1
+backlogs.org, 1
+backmark.tk, 1
+backmigo.com, 1
+backmitra.com, 1
+backmitra.mx, 1
+backmitra.nl, 1
+backpacken.org, 1
+backpackinglight.com, 1
+backpackingtours.com, 1
+backpacktour.ru, 1
+backpagegals.com, 1
+backporchartists.com, 1
+backrestored.gq, 1
+backrip.tk, 1
+backscattering.de, 0
+backschues.com, 1
+backschues.de, 1
+backschues.net, 1
+backseatbandits.com, 1
+backslash-n.com, 1
+backsliderz.uk, 1
+backspace.dev, 1
+backspace.rocks, 1
+backstage.click, 1
+backstienkboys.tk, 1
+backstreetbrasil.tk, 1
+backstreets-corner.tk, 1
+backterris.com, 1
+backtest.org, 1
+backtheeffup.com, 1
+backtobed.com, 1
+backup-kurumsal.com, 1
+backupassist.de, 1
+backupauthentication.com, 1
+backwardsalphabet.tk, 1
+backwpup.com, 1
+backyardaddict.com, 1
+backyardbella.com, 1
+backyardchickens.com, 1
+backyardtaco.com, 1
+backzoneterapi.dk, 1
+baclofen.ga, 1
+baclofen.gq, 1
+bacom1.com, 1
+bacon-monitoring.org, 1
+baconismagic.ca, 0
+baconsultores.co, 1
+bacoux.com, 1
+bacq.pro, 1
+bacri.eu, 1
+bacsmegye.hu, 1
+bacteri.com, 1
+bacteriakit.com, 1
+bactrim-antibiotic.gq, 1
+bactrim-antibiotic.ml, 1
+bactrim-ds.ga, 1
+bactrim-medicine.ml, 1
+bactrim.ga, 1
+bactrim.gq, 1
+bactrimds.cf, 1
+bactrimprice.tk, 1
+bacula.jp, 1
+bacus.ga, 1
+bad-homburg.tk, 1
+bad-influence.rocks, 1
+bad.horse, 1
+bad.pet, 1
+bad.spdns.de, 1
+badaa.info, 1
+badante.it, 1
+badanteinfamiglia.it, 1
+badaparda.com, 1
+badass-women.club, 1
+badassdallascondo.com, 1
+badassfantastico.tk, 1
+badasslistings.com, 1
+badbee.cc, 1
+badbird.tk, 1
+badblock.fr, 1
+badboy-club.tk, 1
+badboyz.org, 1
+badboyzclub.de, 1
+badcarma.tk, 1
+badcomputer.tk, 1
+badcyber.com, 1
+baddrones.llc, 1
+badeand.net, 1
+badekappen.com, 1
+baderscott.com, 1
+badeurlaub.tk, 1
+badf00d.de, 1
+badge.rs, 1
+badges.fedoraproject.org, 1
+badges.stg.fedoraproject.org, 1
+badgirlfoto.ga, 1
+badgirlsbible.com, 1
+badhabits.tk, 1
+badhusky.com, 0
+badkamerconcurrent.be, 1
+badkamerconcurrent.nl, 1
+badkamermarkt.be, 1
+badkamermarkt.com, 1
+badkamermarkt.net, 1
+badkamermarkt.nl, 1
+badkeys.info, 1
+badmania.fr, 1
+badmessage.tk, 1
+badmice.tk, 1
+badminton-forum.tk, 1
+badmintonargentina.tk, 1
+badmintonbeersheva.co.il, 1
+badmintonclubwaarschoot.tk, 1
+badmintondk.cz, 1
+badmintonoverdag.tk, 1
+badmintonracketreview.com, 1
+badmonkey.fr, 1
+badmood.tk, 1
+badmusic.tk, 1
+badnails.tk, 1
+badnat.tk, 1
+badnjar.rs, 1
+badodds.ga, 1
+badoinkvr.com, 1
+badoo.com, 1
+badoo.com.ar, 1
+badoo.de, 1
+badoo.eu, 1
+badoo.us, 1
+badpc.net, 1
+badpinguin.gq, 1
+badpreachers.tk, 1
+badrap.io, 1
+badreichenhall.tk, 1
+badreligion.tk, 1
+badrequest.me, 1
+badri-taxi-vtc.com, 1
+badrock.tk, 1
+badseacoffee.com, 1
+badsl.nl, 1
+badstar.tk, 1
+badudeal.lk, 1
+badules.tk, 1
+badwi.com, 1
+badwolf.tk, 1
+bae.st, 1
+baecker-know-how.de, 1
+baeconhills.tk, 1
+baeder-luboss.de, 1
+baederlacke.eu, 0
+baehost.com, 1
+baells.tk, 1
+baer-concepts.de, 1
+baer-holger.de, 1
+baer.com, 1
+baer.space, 1
+baerkarrer.ch, 1
+baesystems-she.com, 1
+baeten.com, 1
+baevserver.ddns.net, 1
+bafito.com, 1
+baframedya.tk, 1
+bafus.ru, 1
+bag.bg, 1
+bagdagul.tk, 1
+bagelbrands.com, 1
+bagelsbakery.com, 0
+baggy.me.uk, 1
+bagheera.me.uk, 1
+baghtelecom.net, 1
+baginfo.com, 1
+bagiobella.com, 1
+bagirahome.bg, 1
+bagleytownshipmi.gov, 1
+bagmutskiy.com, 1
+bagni-chimici.roma.it, 1
+bagnichimici.milano.it, 1
+bagnichimici.roma.it, 1
+bagnichimici.veneto.it, 1
+bagol.tk, 1
+bags.bg, 1
+bagsbanny.de, 1
+bagshop.ua, 1
+bagso.bg, 1
+bagsofbounce.co.uk, 1
+bagspecialist.nl, 1
+bagssale.ga, 1
+bagtobag.com.gr, 1
+bagu.biz, 1
+bagu.fr, 1
+bagui.com, 1
+bagwrap.com, 1
+bah.im, 0
+bahadirh.ml, 1
+bahaiprayers.io, 1
+bahami.com, 1
+bahana.net, 1
+baharmusic24.tk, 1
+bahcehavuz.com, 1
+bahena.be, 0
+bahisbonus.work, 1
+bahnenimbild.de, 1
+bahnenimbild.eu, 1
+bahnhelden.de, 1
+bahninrotweissrot.at, 1
+bahnmagazine.de, 1
+bahrain.gq, 1
+bahraincredit.com.bh, 1
+bahrainmarina.bh, 1
+bahrainonline.tk, 1
+bahrep.com, 1
+bahri.sa, 1
+bai-bao.fr, 1
+baiask.com, 1
+baichi.cf, 1
+baichi.ml, 1
+baidu-s.com, 0
+baiduo.com, 1
+baier-michels.com, 1
+baif.hr, 1
+baifubao.com, 1
+baikal.cf, 1
+baikalfond.ml, 1
+baikalppk.tk, 1
+baiki.ch, 1
+baildonbouncycastles.co.uk, 1
+baildonhottubs.co.uk, 1
+baileebee.com, 1
+baileyh.xyz, 1
+baileyladders.com.au, 1
+baileysafetyconsultants.com, 1
+baileysharborwi.gov, 1
+bailiang.com, 1
+bailleux.be, 1
+bailodromo.tk, 1
+bailong.kr.ua, 1
+bailonga.com, 1
+baimail.com, 1
+baimed.com.au, 1
+bainba.com, 1
+baindayman.com, 1
+baindetoile.fr, 1
+baipay.com, 1
+baircentral.com, 1
+bairuo.net, 0
+bairuo.top, 0
+bairwell.com, 1
+baise.cf, 1
+baise.ml, 1
+baise3x.com, 1
+baishitie.com, 1
+bait55.ru, 0
+baitable.ml, 1
+baitapsgk.com, 1
+baithuti.com, 1
+baitnaservices.com, 1
+baitulongbaycruises.com, 1
+baixadordemusica.tk, 1
+baixarbluray.tk, 1
+baixarvideosgratis.com.br, 1
+baiyangliu.com, 0
+bajacalifornia.tk, 1
+bajajplasticsurgery.com, 1
+bajalotodo.tk, 1
+bajanowski-fotografie.de, 0
+bajaprogramas.tk, 1
+bajarjuegos.com, 1
+bajic.ch, 1
+bajiotec.com, 1
+bajj.de, 1
+bajofondoradio.tk, 1
+bajominimos.tk, 1
+bajune.tk, 1
+bak.my.id, 0
+baka-gamer.net, 1
+baka.ms, 1
+baka.network, 1
+baka.org.cn, 1
+baka.red, 1
+bakabt.info, 1
+bakanin.ru, 1
+bakaproxy.moe, 1
+bakbi.tk, 1
+bakchich.biz, 1
+bakcor.com, 1
+baker-street.tk, 1
+bakerandfarmer.com.au, 1
+bakerbasements.com, 1
+bakercity.gov, 1
+bakercitypd.gov, 1
+bakercosheriffor.gov, 1
+bakercounty911or.gov, 1
+bakercountyor.gov, 1
+bakercountysheriffor.gov, 1
+bakersafari.co, 1
+bakersfieldhomeoffer.com, 1
+bakerviewdentalcentre.com, 1
+bakerymazowsze.co.uk, 1
+bakesy.shop, 1
+bakeup.be, 1
+bakibal.com, 1
+bakira.eu, 1
+bakivaxti.az, 1
+bakj.com, 1
+bakkerij-janschrieks.nl, 1
+bakkerinjebuurt.be, 1
+bakkerpanden.nl, 1
+bakkersmolen.tk, 1
+bakkerstraatfeesten.tk, 1
+bakkt.com, 1
+bakkus.tk, 1
+bakla.ml, 1
+baklavabg.com, 1
+bakoma.pl, 1
+bakongcondo.com, 1
+bakrypt.io, 1
+baks.cf, 1
+baksclub.cf, 1
+baksclub.gq, 1
+baku-club.tk, 1
+baku.news, 1
+bakubest.tk, 1
+bakupka.de, 1
+bakuze.net, 1
+bakxnet.com, 0
+balaam-black.tk, 1
+balabarsakhtemani.com, 1
+balade-commune.ch, 0
+baladecommune.ch, 0
+balador.io, 1
+balafon.cloud, 1
+balaga.pl, 1
+balaganlimited.cf, 1
+balaganoff.tk, 1
+balagne-corsica.com, 1
+balaisnomad.com, 0
+balakovo-news.tk, 1
+balala.com, 1
+balancascia.com.br, 1
+balance.courses, 1
+balance.education, 1
+balance.equipment, 1
+balance.technology, 1
+balanceadosmendoza.com, 1
+balancecreamers.ga, 1
+balancecreamest.ga, 1
+balancedbrawl.net, 1
+balancehairrestoration.com, 1
+balancehits.com.br, 1
+balancenaturalhealthclinic.ca, 1
+balancer.gq, 1
+balancingbird.net, 1
+balancingbirthbaby.com, 1
+balanda.ga, 1
+balashiha-podmoskovie.ml, 1
+balasingandaru.cf, 1
+balaskas.gr, 1
+balatarin.com, 1
+balatonlelleapartman.tk, 1
+balboa.io, 1
+balboa.org.uk, 1
+balboacapital.com, 1
+balbus.tk, 1
+balca.ga, 1
+balcaonet.com.br, 1
+balconnr.com, 1
+balconsverdun.com, 0
+balcony.cf, 1
+baldinger.tk, 1
+baldolinitraslochiroma.it, 1
+baldpreventioners.ga, 1
+baldvinringsted.com, 1
+baldwin-mania.tk, 1
+baleen.us, 1
+baleinesendirect.org, 1
+balelabs.id, 1
+balerma.tk, 1
+balesetvedelem.hu, 1
+balester.com, 1
+balezovolley.fr, 1
+balhamrm.co.uk, 1
+balia.de, 1
+balicekzdravi.cz, 0
+balicyclingtours.id, 1
+balikesireftotoekspertiz.com, 1
+balikesirhaberleri.tk, 1
+baliklar.tk, 1
+balikturleri.com, 1
+balilingo.ooo, 0
+balimoves.com, 1
+balingwiredirect.com, 1
+balintjanvari.com, 1
+balirentalku.com, 1
+balist.es, 1
+balivacationhomes.com, 1
+balivakantiewoning.nl, 1
+balivillassanur.com, 0
+baliwebsitedesign.info, 1
+balkan-observatory.net, 1
+balkannightlife.ga, 1
+balkanpharmstore.com, 1
+balkenbushmechanical.com, 1
+balkoni.gq, 1
+balkonien.org, 1
+balkonov.com.ua, 1
+ball-bizarr.com, 1
+ball-bizarr.de, 1
+ball3d.es, 1
+ball4training.com, 1
+ballajuraafc.com, 1
+ballamor.com, 1
+ballarin.cc, 1
+ballast.tk, 1
+ballbusting-cbt.com, 1
+ballcancan.tk, 1
+ballejaune.com, 1
+ballensiefen.net, 1
+ballerkneipe.com, 1
+ballettstudio-ost.de, 1
+ballinw.com, 1
+ballisticbrass.tk, 1
+ballitolocksmith.com, 1
+ballmusikband.de, 1
+ballonnenopdakpannen.tk, 1
+balloon.gq, 1
+ballotapi.com, 1
+ballparkbuns.com, 0
+ballpythonsaspets.com, 1
+ballroompages.com, 1
+balluncar.tk, 1
+balneariodearchena.com, 1
+baloch-intelligence.tk, 1
+balochism.tk, 1
+balogkrisztian.hu, 1
+baloncestoarqueros.tk, 1
+baloncestolliria.tk, 1
+balonsiparis.com, 1
+balopal.tk, 1
+balsamaiso.es, 1
+balsara.com, 1
+balski.com, 1
+balslev.io, 1
+balt.net, 1
+balter.com, 1
+baltialcoholicos.tk, 1
+baltimorecashflow.com, 1
+baltimorecitybnmd.gov, 1
+baltimorecolonrectal.com, 1
+baltimorejetcharter.com, 1
+baltimoreroofingservices.com, 1
+baltlex.de, 1
+baltoe.com, 0
+baluarte.com, 1
+bam.com.gt, 1
+bamaland.org, 1
+bamberger-maelzerei.de, 1
+bambergerdatenschutz.de, 1
+bamboehof.nl, 1
+bamboo-team.online, 1
+bambooagile.eu, 1
+bambooforest.nl, 1
+bamboohr.co.uk, 1
+bamboohr.com, 1
+bambooplywood.com, 1
+bamboorose.com, 1
+bamboostage.com, 1
+bambrick.com.au, 0
+bambuitalia.it, 1
+bambukshop.ml, 1
+bambulab.com, 1
+bambumania.com.br, 1
+bambusushibar.com, 0
+bamfacts.tk, 1
+bamifm.tk, 1
+bamily.rocks, 1
+baming.com, 1
+bammatta.ch, 1
+bampers.tk, 1
+ban-list.gq, 1
+banabarka.tk, 1
+banajanitorialservices.com, 1
+bananabeer.xyz, 1
+banananet.work, 1
+bananathrash.tk, 1
+bananatreenews.today, 1
+bananatrunkingprotocol.com, 1
+bananavapes.com, 1
+bananenbr0t.de, 1
+bananice.moe, 1
+banatearab.tk, 1
+banbaog.com, 1
+bancacrs.it, 1
+bancamiga.com, 1
+bancastato.ch, 1
+bancatransilvania.ro, 1
+banch.io, 1
+banchungcu.com, 1
+bancoagricola.com, 1
+bancobai.ao, 0
+bancobica.com.ar, 1
+bancobpm.it, 1
+bancoctt.pt, 1
+bancodeloja.fin.ec, 1
+bancontinental.com.py, 1
+bancosdominicanos.net, 1
+bancoserfinanza.com, 1
+bancosol.com.bo, 1
+band.us, 1
+banda-car-service.com, 1
+bandaancha.eu, 1
+bandademusicacarrion.tk, 1
+bandadestino.tk, 1
+bandally.net, 1
+bandamirandadeebro.tk, 1
+bandarifamily.com, 1
+bandaronline.ml, 1
+bandarqonline.ga, 1
+bandarqonline.ml, 1
+bandaumnikov.ru, 1
+bandbattle.tk, 1
+bandbelievo.tk, 1
+bandbwestport.com, 1
+bandeaux.com, 1
+bandeira1.com.br, 1
+bandeiraimoveisitu.com.br, 1
+bandeirasnacionais.com, 1
+banderas-mundo.es, 1
+banderasdelmundo.xyz, 1
+banderatx.gov, 1
+banderol.tk, 1
+bandhanbank.com, 1
+bandidosmc.com, 1
+bandiere-mondo.it, 1
+bandiga.it, 1
+bandirmaevdenevenakliyat.tk, 1
+bandmentor.com, 1
+bandnames.tk, 1
+bando.de, 1
+bandolino-bewind.nl, 1
+bandoom.tk, 1
+bandtcollections.com.au, 1
+bandures.tk, 1
+bandvideos.tk, 1
+bandwagon.tk, 1
+bandwagonok.tk, 1
+bandwh.com, 1
+bandymasarna.tk, 1
+baneh-academic.com, 1
+banerka.tk, 1
+banes.ch, 1
+banffcanmorespeedskating.ca, 1
+banfieldentertowin.com, 0
+banfieldtravel.it, 1
+banfun.org, 1
+bang.com.au, 1
+bangabandhu.tk, 1
+bangaichi.no-ip.org, 0
+bangandscrew.com, 1
+bangbangboys.tk, 1
+bangberlin.tk, 1
+bangdaiviet.tk, 1
+bangkok-thailand.org, 1
+bangkokcookingclass.com, 1
+bangkokflightservices.com, 1
+bangkoklife.com, 1
+bangku.tk, 1
+bangladesimagi.tk, 1
+banglahotstory.tk, 1
+banglargolpo.tk, 1
+banglatec.tk, 1
+banglatypography.com, 1
+banglets.com, 1
+bangsparks.com, 1
+bangujero.tk, 1
+bangyu.wang, 1
+banh.am, 1
+banham.co.uk, 0
+banham.com, 1
+banhphongtomquangtran.com, 1
+bani-hashem.tk, 1
+banimarket.by, 0
+baniuliuukis.lt, 1
+banja-kulasi.ga, 1
+banjonelson.tk, 1
+bank, 1
+bank-credit.org, 1
+bank-laan.dk, 1
+bank-yahav.co.il, 1
+bank34.ua, 1
+banka.space, 0
+bankanswers.gov, 1
+bankassafa.com, 1
+bankasubeleri.tk, 1
+bankbranchlocator.com, 1
+bankcardoffer.com, 1
+bankcustomer.gov, 1
+bankcustomerassistance.gov, 1
+bankeasternct.com, 1
+bankee.us, 1
+banker.vn, 1
+bankera.com, 1
+banket-furshet-spb.ru, 1
+banketbesteld.nl, 1
+bankffin.kz, 0
+bankfreeoffers.com, 1
+bankheadvegetables.com, 1
+bankhelp.gov, 1
+banki-finance-credit.ru, 1
+bankid.com, 1
+bankimsk.cf, 1
+banking-services.tk, 1
+bankingheralders.ga, 1
+bankinter.pt, 1
+bankiros.ru, 1
+bankislami.com.pk, 1
+bankitt.network, 1
+bankja.net, 1
+bankmno.ga, 1
+bankmoney.cf, 1
+banknet.gov, 1
+banknews.ga, 1
+banknn.ru, 1
+banknottakip.com, 1
+bankofguilin.com, 1
+bankofharbin.com, 1
+bankofireland.com, 1
+bankofrealty.review, 1
+bankofshaanxi.com, 1
+bankpolicies.com, 1
+bankrbk.kz, 1
+bankruptcy.ky, 1
+banksite.ga, 1
+banksmalaysia.com, 1
+banksouthern.com, 0
+banksulselbar.co.id, 1
+banktatigebon.cf, 1
+banktender.ga, 1
+banktool.com, 1
+bankvanbreda.be, 1
+bankwithfidelity.com, 1
+banland.net, 1
+banlinhdanong.com, 0
+banmapvn.com, 1
+banned-bitches.tk, 1
+banner-design.tk, 1
+banner.ga, 1
+bannerbangbang.com.au, 1
+bannercountyne.gov, 1
+bannerexchange.tk, 1
+bannermarquees.ie, 1
+bannerpagina.tk, 1
+bannerrealty.com, 1
+bannervaners.ga, 1
+bannerworld.co.uk, 1
+banning.gq, 1
+banningca.gov, 1
+banninglibraryca.gov, 1
+bannisbierblog.de, 1
+bannockcounty.gov, 1
+bannockcountyidaho.gov, 1
+bannsecurity.com, 1
+banquevanbreda.be, 1
+banri.me, 1
+bans.info, 1
+bantaihost.com, 1
+bantchev.com, 1
+bantchev.net, 1
+bantenmien.tk, 1
+banter.city, 1
+bantik.by, 1
+bantiki.ga, 1
+bantoa.com, 1
+bantuanteknis.id, 1
+banuakodi.com, 1
+banyan-advantech.com, 1
+banyarukami.ru, 1
+banzay.ml, 1
+banzhuti.com, 1
+bao-in.net, 1
+baobabgroup.com, 1
+baobaoquming.net, 0
+baobiao.com, 1
+baocheng.tech, 1
+baofuzhuan.com, 1
+baogao.store, 1
+baoge55.com, 1
+baogiathicongnoithat.com, 1
+baogougou.com, 0
+baokhangfood.com, 1
+baoqiang.com, 1
+baoshun.com, 1
+baoxue5.com, 0
+bapco.com, 1
+bapeel.tk, 1
+bapha.be, 1
+baptiste-peugnez.fr, 1
+baptistecabrera.com, 1
+baptisteplanckaert.tk, 1
+baptistesale.tk, 1
+bar-event.tk, 1
+bar-rique.de, 1
+bar-valhalla.tk, 1
+bar38.tk, 1
+baraboowi.gov, 1
+barabrume.fr, 1
+baracca.es, 1
+barakayu.com, 1
+baraklava.com, 1
+baran-shop.ga, 1
+baransys.com, 1
+baranyavar.hu, 1
+barao.tk, 1
+barataeletrica.tk, 1
+baratzegrowshop.com, 1
+baravalle.com, 1
+baraxolka.ga, 1
+baraxolka.ml, 1
+barbaderespeito.com.br, 1
+barbara-bertagnolli.co.uk, 1
+barbara-fuchs-gruene-fuerth.de, 1
+barbarabowersrealty.com, 1
+barbarabryce.com, 1
+barbaraedanielsantos.ga, 1
+barbarafabbri.com, 1
+barbarafeldman.com, 1
+barbaramoorman.tk, 1
+barbarareynoldsphotography.com, 1
+barbarasymmons.com, 1
+barbarianbear.art, 1
+barbarians.com, 0
+barbaros.info, 1
+barbate.fr, 1
+barberscorner.tk, 1
+barbershop-harmony.org, 0
+barbershopbabo.com, 1
+barbiecollectorjapan.cf, 1
+barbiecollectorjapan.ga, 1
+barbiecollectorjapan.gq, 1
+barbieforteza.tk, 1
+barbinlaw.com, 1
+barbonnetje.nl, 1
+barborakucerova.cz, 1
+barbosha.ru, 1
+barbourcountyal.gov, 1
+barbourcountyhdwv.gov, 1
+barbu.family, 1
+barburas.com, 1
+barca-movie.jp, 1
+barcamp.koeln, 1
+barcelonapremium.es, 1
+barcelonapremiummini.es, 1
+barcelonatours.net, 1
+barcelonawinewalk.com, 1
+barchetta.org, 1
+barcicuvele.tk, 1
+barcitizen.eu, 1
+barclaybonitaranch.com, 1
+barclays.net, 1
+barcodelookup.com, 1
+barcoder.tk, 1
+barcodewiz.com, 1
+bard-college.com, 1
+bard-college.net, 1
+bardak.ga, 1
+bardcollege.net, 1
+bardcollege.org, 1
+bardes.org, 1
+bardfarm.org, 1
+bardian.net, 1
+bardian.org, 1
+bardiharborow.com, 1
+bardtech.com, 1
+barduschinamusic.org, 1
+barefoodinrome.it, 1
+barelias.tk, 1
+barentsz.co, 1
+barer.me, 1
+barexam.jp, 1
+bargaindentistsers.ga, 1
+bargaindentistsest.ga, 1
+bargainsettelement.com, 1
+bargainusa.tk, 1
+barganhanaweb.ml, 1
+bargenarenji.com, 1
+bargerveen.tk, 1
+bargfeldt.de, 1
+bargrill.ga, 1
+bargroup.ga, 1
+barhan-sarykum.ru, 1
+barichara.com, 1
+barihandin.tk, 1
+barikell.be, 1
+barinasknot.tk, 1
+barinov.ga, 1
+barinov.ml, 1
+barinov.tk, 1
+baripedia.org, 0
+baris-sagdic.com, 1
+bariseau-mottrie.be, 1
+barisi.me, 1
+baristabetter.com, 1
+baristador.com, 1
+baritoday.it, 1
+barke-schaltanlagen.de, 1
+barkerandstonehouse.co.uk, 1
+barkerjr.xyz, 1
+barkingspidersaspets.com, 1
+barkio.com, 1
+barklanepets.com, 0
+barkstop.net, 1
+barkysupplies.com, 1
+barlettaviva.it, 1
+barlex.pl, 1
+barleyandbirch.com, 1
+barlijst.net, 1
+barlotta.net, 1
+barlow-media.club, 1
+barmenteros.com, 1
+barmusic.tk, 1
+barnabasgolf.org, 1
+barnabycolby.io, 1
+barnacional.com.au, 1
+barnaul-altai.tk, 1
+barnesvilleohio.gov, 1
+barneveldcentrum.nl, 1
+barney-media.com, 1
+barneydavey.com, 1
+barnflix.net, 1
+barnhomega.com, 1
+barnumiidev.com, 1
+barnunnwy.gov, 1
+barnvaensveitarfelog.is, 1
+barnvets.co.uk, 1
+barnwellcountysc.gov, 1
+barobax.tk, 1
+baroccofashion.it, 1
+baroclean.fr, 1
+barok.tk, 1
+baroloboys.de, 1
+baron14.be, 1
+baronbunny.cn, 1
+baronet.cf, 1
+baronspices.com, 1
+baroquemath.net, 1
+baroqueworksstudio.com, 1
+barpodsosnami.pl, 1
+barprive.com, 1
+barqo.co, 1
+barr.com.au, 1
+barrack.cf, 1
+barrack.ga, 1
+barrack.gq, 1
+barrack.tk, 1
+barracuda.blog, 1
+barracuda.com.tr, 0
+barracudaswimmingclub.tk, 1
+barrahome.org, 1
+barrancos.tk, 1
+barrankest.ga, 1
+barranquillero.tk, 1
+barraqueirotransportes.pt, 1
+barreiroappraisals.com, 1
+barrencountyky.gov, 1
+barrenwuffett.com, 1
+barricader.com, 1
+barricader.network, 1
+barrierefreie-medien.info, 1
+barrierpestservices.com, 1
+barrikade.tk, 1
+barro.ga, 1
+barruntos.tk, 1
+barrydenicola.com, 1
+barrymarkus.tk, 1
+barrytownshipmn.gov, 1
+barsashop.com.br, 1
+barsgroup.com, 1
+barsleaks.com, 1
+barsopen.ga, 1
+barsukas.net, 1
+bart-f.com, 1
+bart-f.net, 1
+bart1ebee.com, 1
+barta.me, 1
+bartavi.nl, 1
+bartbania.com, 1
+bartcoppens.be, 1
+bartdaelman.tk, 1
+bartdesign.tk, 1
+bartekbv.be, 1
+bartel.ws, 1
+bartelt.name, 1
+barter.me, 1
+barter.vg, 1
+bartershift.com, 1
+bartg95.nl, 1
+bartgroeneveld.nl, 1
+barth-herzberger.de, 1
+barth.services, 1
+bartholf.nu, 1
+bartlamboo.nl, 1
+bartlettil.gov, 1
+bartoliconsulting.com, 1
+bartolomebellido.com, 1
+bartonmohealth.gov, 1
+bartowcountyga.gov, 1
+bartula.de, 1
+bartvandamme.tk, 1
+baruch.me, 1
+barwaldesigns.com, 1
+barwave.com, 1
+barzallof.com, 1
+barzza.tk, 1
+bas.bio, 1
+bas.codes, 1
+bas.coffee, 1
+bas.surf, 1
+bas.work, 1
+basar-horrheim.de, 1
+basauristudios.com, 1
+basaveshwaraborewells.tk, 1
+basculasconfiables.com, 1
+basdferty.cf, 1
+base-autonome-durable.com, 0
+base-people.ml, 1
+base-radio.cf, 1
+base27.eu, 0
+base2face.tk, 1
+base48.systems, 1
+basebalance.net, 1
+baseballcrank.com, 1
+baseballjapan.org, 1
+baseballpitchingmachine.tk, 1
+baseballsapka.hu, 1
+baseballsavings.com, 1
+basebyte.nl, 1
+basecamp.cf, 1
+basecampstudios.com, 1
+basechat.com, 1
+basechat.jp, 1
+baseconvert.com, 1
+basecore.co, 1
+based.gr, 1
+basedonline.nl, 1
+basedriver.com, 1
+baseerapp.com, 1
+basel-gynaecology.com, 1
+basel-gynaekologie.ch, 1
+basel-onlinemarketing.de, 1
+baselang.com, 1
+baselnazifrei.info, 0
+basement961.co.nz, 1
+basementdefender.net, 1
+basementdoctorwestvirginia.com, 1
+basementfinishingohio.com, 1
+basementwaterproofingasheville.com, 1
+basementwaterproofingdesmoines.com, 1
+basementwaterproofingknoxvilletn.com, 1
+basementwaterproofingsaintlouis.com, 1
+basementwaterproofingwi.com, 1
+basenio.de, 1
+baserverz.ga, 1
+basetherm.com, 1
+basetruck.cn, 1
+baseweb.design, 1
+basf-vcar.com, 1
+bash.news, 1
+bashari.tk, 1
+bashc.at, 0
+bashhack.cf, 1
+bashkimi.com, 1
+bashkiri.cf, 1
+bashkiria.cf, 1
+bashkiria.ga, 1
+bashkiria.ml, 1
+bashkirlife.tk, 1
+bashoutter.link, 1
+bashsoftware.tk, 1
+bashstreetband.co.uk, 1
+bashtel.tk, 1
+bashyconsulting.se, 1
+basic.is, 1
+basic.space, 1
+basicapparel.de, 1
+basicattentiontoken.org, 1
+basicguitarlessons.com, 1
+basicknowledge101.com, 1
+basiclimits.tk, 1
+basicports.com, 1
+basicports.eu, 1
+basicports.net, 1
+basicports.org, 1
+basics.domains, 1
+basics.net, 1
+basicskillstest.co.uk, 1
+basictools.tk, 1
+basicwallpapers.tk, 1
+basilicaknights.org, 1
+basilicproduction.fr, 1
+basilm.co, 1
+basilsys.com, 1
+basis-online.eu, 1
+basisbedarf.de, 1
+basisofcare.com, 1
+basisonline.nl, 1
+basisonlinefiles.nl, 1
+basisschoolhundelgem.be, 1
+basisvaardigheden.nl, 1
+basitplan.com, 1
+basket-ballworld.fr, 1
+basket-malaunay.fr, 1
+basket-sint-truiden.tk, 1
+basketball-malavan.tk, 1
+basketballnewz.tk, 1
+basketforex.com, 1
+basketsandmore.bg, 1
+baskibu.com, 0
+baskideposu.com.tr, 1
+baskingalkin.tk, 1
+basllp.co.uk, 1
+basmacioglu.com, 1
+basmp.ml, 1
+basnachtegaal.tk, 1
+basnoslovno.ru, 1
+basonlinemarketing.nl, 0
+basradio.tk, 1
+bass-pro.ru, 1
+bassanova.tk, 1
+bassbase.tk, 1
+bassblog.net, 1
+bassculture.tk, 1
+bassdentistry.com, 1
+basse-chaine.info, 1
+bassethound.tk, 1
+bassguy.tk, 1
+bassislandline.com.au, 1
+basskickers.tk, 1
+bassment.org, 1
+bassment.ph, 1
+bassotto.it, 1
+bassresource.com, 1
+bassrhymeposse.tk, 1
+bassrider.eu, 1
+bassstraitmaritimecentre.com.au, 1
+bassys.com.co, 1
+bastakka.eu, 0
+bastanet.tk, 1
+bastardator.tk, 1
+bastelstu.be, 1
+basteltips.tk, 1
+bastelwelt.ch, 1
+bastelzauberwelt.de, 1
+bastionadvokat.ml, 1
+bastionentifo.tk, 1
+bastolino.de, 1
+bastotrekking.pt, 1
+bastter.com, 1
+bastun.com, 1
+basuramarina.com, 1
+baswetter.photography, 1
+basyrova.ml, 1
+basysconsulting.com, 1
+basyspro.net, 1
+bata.co.zm, 1
+batacas.com, 1
+batailleros.tk, 1
+bataminnovationhub.com, 1
+bataviail.gov, 1
+bataviaoh.gov, 1
+batca.ca, 1
+batcave.tech, 1
+batch.com, 0
+batdongsancongnghiep.vn, 0
+bateaux-sans-permis.com, 0
+batelco.com, 1
+baterias.com, 1
+baterioverolety.cz, 1
+batescountymo.gov, 1
+batesvillearkansas.gov, 1
+batextiles.tk, 1
+bath.limited, 1
+bath.ltd.uk, 1
+bath.men, 1
+bathbodyshop.tk, 1
+bathcountyva.gov, 1
+bathok.tk, 1
+bathost.net, 1
+bathrobes.tk, 1
+bathroomremodelinggeorgia.com, 1
+bathroomsinkcabinet.tk, 1
+bathscobensraker.ga, 1
+bati-alu.fr, 1
+batiburrillo.net, 1
+batiim.co.il, 1
+batipiscine.com, 1
+batipresta.ch, 0
+batitrakya.org, 1
+batiweb.tv, 1
+batiwebgroup.com, 0
+batka-stealer.tk, 1
+batkhonjon.com, 1
+batkonjon.com, 1
+batmanvsupermanfullmovie.ga, 1
+batmod.com, 1
+batoit.gq, 1
+batonchik.tk, 1
+batonger.com, 1
+bats.gov, 1
+batten-family.uk, 1
+batten.eu.org, 1
+batterie-au-top.com, 1
+batterman.ch, 1
+battery-center.fr, 1
+batteryboys.ca, 1
+batteryboys.com, 1
+batterymax.org, 1
+batteryreconditioning.ml, 1
+batterystaple.pw, 1
+battle-arena.tk, 1
+battle-game.com, 1
+battlefield1942.tk, 1
+battleforkhashuri.tk, 1
+battlefrontoldschool.cf, 1
+battleguard.net, 1
+battleofthegridiron.com, 1
+battlerealms.cc, 1
+battlerite.tk, 1
+battletech.tk, 1
+battreil.tk, 1
+batualam88.id, 1
+batualam88.online, 1
+batucadastore.nl, 1
+batucilegon.com, 1
+batukhan.tk, 1
+batulicin.tk, 1
+batwatt.com, 1
+bau.ua, 1
+baubau.bg, 1
+bauchtanz.tk, 1
+bauer-plus.de, 1
+bauer-reininghorses.com, 1
+bauer.network, 0
+bauernhof-koch-edingen.de, 1
+bauernhof-lercher.at, 1
+bauernmarkt-fernitz.at, 1
+baufi-express.ag, 1
+baufi-express.biz, 1
+baufi-express.com, 1
+baufi-express.de, 1
+baufi-express.eu, 1
+baufi-express.info, 1
+baufi-express.net, 1
+baufi-express.org, 1
+baufi24.de, 0
+baufiexpress.ag, 1
+baufiexpress.biz, 1
+baufiexpress.com, 1
+baufiexpress.de, 1
+baufiexpress.eu, 1
+baufiexpress.info, 1
+baufiexpress.net, 1
+baufiexpress.org, 1
+baugelitt.eu, 1
+baugemeinschaftbernstein.de, 1
+baugeshite.de, 1
+bauhaus.cz, 1
+bauhaus.sk, 1
+baukebies.nl, 1
+baukelek.tk, 1
+baumannfabrice.com, 1
+baumansound.com, 1
+baumbet.ro, 1
+baumfreund.ch, 1
+baumkletterschule.de, 1
+baumkuchen-aus-dresden.de, 0
+baummer.com.br, 1
+baur.de, 1
+bausep.de, 1
+bausparkassen.tk, 1
+baustils.com, 1
+bauthier-occasions.be, 0
+bautizodelucia.com, 1
+bav.com, 1
+bavaria-feuerloeschershop.de, 1
+bavaropuntacanahotels.com, 1
+bavarovillage.com, 1
+bavartec.de, 1
+bavi.tk, 1
+bavoogi.com, 1
+bawag.at, 1
+bawbby.com, 1
+bawsiebezpiecznie.pl, 1
+baxir.fr, 1
+baxleyga.gov, 1
+baxomilowa.tk, 1
+baxtercountyar.gov, 1
+baxterstorey.online, 1
+baxterstoreyirelandonline.com, 1
+baxx.eu.org, 1
+bayanbennett.com, 1
+bayanradio.tk, 1
+bayarea.ga, 1
+bayarea.gq, 1
+bayarea.ml, 1
+bayarea.tk, 1
+bayareagynecology.com, 1
+bayareamustangs.tk, 1
+bayareaplasticsurgery.com, 1
+bayashi.net, 1
+bayburtgazetecilercemiyeti.org.tr, 1
+bayburtmanset.com, 1
+baycialis.net, 1
+baycitymi.gov, 1
+baycountyfltax.gov, 1
+bayden.com, 1
+baydreamer.tk, 1
+bayer-stefan.com, 1
+bayer-stefan.de, 1
+bayer-stefan.eu, 1
+bayer.earth, 1
+bayerhazard.de, 1
+bayernwaage.de, 1
+bayerstefan.com, 1
+bayerstefan.de, 1
+bayerstefan.eu, 1
+bayfly.net, 1
+bayhauling.net, 1
+bayherbalist.com, 1
+bayilelakiku.com, 1
+bayliss.aero, 1
+bayliss.co.uk, 1
+bayliss.uk, 1
+bayly.eu, 1
+baymard.com, 1
+baymark.com, 1
+bayofseo.com, 1
+bayou.energy, 1
+bayraklar.info, 1
+bayramov.tk, 1
+bayrampasa.bel.tr, 1
+bayrisch-fuer-anfaenger.de, 1
+bayscollisionrepairs.co.nz, 1
+bayshore.ca, 1
+baysidefamilydentist.com.au, 1
+baysidemedicalgroup.net, 1
+baysidephotography.ga, 1
+bayt.com, 1
+baytobayaircon.com.au, 1
+baytv.it, 1
+bayvotesfl.gov, 1
+baywatbemacom.cf, 1
+baywatch.io, 1
+bayyanainmuebles.com, 1
+baz.nl, 1
+baza-gai.com.ua, 1
+bazaarbhaav.com, 1
+bazaarcompass.com, 1
+bazaart.me, 1
+bazaclub.ru, 0
+bazaleev.ru, 1
+bazar-online.tk, 1
+bazar-pc.tk, 1
+bazar.bg, 0
+bazardunet.tk, 1
+bazarfds.com.br, 1
+bazari.com.pl, 1
+bazarmag.ir, 1
+bazarotehijos.com, 1
+bazdell.com, 0
+bazdidaval.ir, 1
+baze.cz, 1
+bazel.build, 1
+bazhan.wang, 1
+bazinga-events.nl, 1
+bazos.at, 1
+bazos.cz, 1
+bazos.pl, 1
+bazos.sk, 1
+bazziergraphik.com, 1
+bb-aroundtheworld.se, 1
+bb.church, 1
+bb00228.com, 0
+bb057.com, 0
+bb087.com, 0
+bb168.cc, 0
+bb2-group.com, 1
+bb37roma.it, 1
+bb5197.co, 1
+bb6729.co, 1
+bb6729.com, 1
+bb6957.co, 1
+bb9297.co, 1
+bb9728.co, 1
+bbaccademia.it, 1
+bbalposticino.it, 1
+bbamsch.com, 0
+bbb1991.me, 0
+bbbb.loan, 1
+bbbff.net, 1
+bbc.co.uk, 0
+bbc.com, 0
+bbc67.fr, 1
+bbcastles.com, 1
+bbcincorp.com, 1
+bbclyra.tk, 1
+bbcomcdn.com, 1
+bbcsuk.co.uk, 1
+bbcustomremodeling.com, 1
+bbfandom.com, 1
+bbfxtraders.com, 1
+bbg.org, 1
+bbgeschenke.ch, 0
+bbh-kreislauf.de, 1
+bbhsolutions.com, 1
+bbimarketing.com, 1
+bbinsure.com, 0
+bbiny.edu, 1
+bbk365m.com, 1
+bbk365t.com, 1
+bbk365zz.com, 1
+bbka.co.uk, 1
+bbka.org.uk, 1
+bbkanews.co.uk, 1
+bbkanews.com, 1
+bbkanews.org, 1
+bbkanews.uk, 1
+bbkworldwide.jp, 1
+bblsa.ch, 0
+bbmagnagrecia.it, 0
+bbmak.tk, 1
+bbmsarauniteam.com, 1
+bbnx.net, 1
+bbp.ng, 1
+bbpnas.win, 1
+bbqs-algarve.com, 1
+bbrassart.fr, 1
+bbrigittae.hu, 1
+bbrmonza.it, 1
+bbrp.org, 1
+bbs-buchholz.com, 1
+bbs-buchholz.eu, 1
+bbschat.tk, 1
+bbsec.xyz, 1
+bbtk.com, 1
+bbunits.de, 1
+bbusa.tk, 1
+bbw-wrestling.com, 1
+bbwanalsex.com, 1
+bbwhale.org, 1
+bbwmellon.com, 1
+bbwmovies.com, 1
+bbwpictures.com, 1
+bbwpornpics.com, 1
+bbwpussytube.com, 1
+bbwsexclips.com, 1
+bbwteens.org, 1
+bbx.bike, 1
+bbxin9.net, 1
+bbxy.buzz, 1
+bc-bd.org, 0
+bc-cdc.org, 1
+bc-diffusion.com, 1
+bcabs.com, 1
+bcaf.uk, 1
+bcakuwait.com, 1
+bcalabsokc.com, 1
+bcalles.dk, 1
+bcalles.eu, 1
+bcallesen.dk, 1
+bcallesen.eu, 1
+bcansw.com.au, 1
+bcarpentrypro.com, 1
+bcbsfepvision.com, 1
+bcbudonline.com, 1
+bcccremeno.it, 1
+bccx.eu.org, 1
+bccxo.com, 1
+bcdiesel.ca, 1
+bcdn.me, 1
+bcdonadio.com, 1
+bcdonadio.com.br, 1
+bcdonadio.org, 1
+bceaf.org, 1
+bcfp.gov, 1
+bcgefatap.com, 1
+bchep.com, 1
+bcis.co.uk, 0
+bck-koethen.de, 1
+bck-lelystad.nl, 1
+bckl.me, 1
+bclserver.se, 1
+bcmguide.com, 1
+bcmhire.co.uk, 1
+bcn.cv, 1
+bcnation.com, 1
+bcnet.com.hk, 1
+bcoffices.com.mx, 1
+bcomm.com.au, 1
+bconcept.be, 1
+bcoverart.com, 1
+bcpc-ccgpfcheminots.com, 1
+bcrnews.tk, 1
+bcrook.com, 1
+bcrypt.online, 1
+bcs-talk.com, 1
+bcschool.cn, 1
+bcsnygroup.com, 1
+bcsytv.com, 0
+bctraducciones.org, 1
+bcu.ac.uk, 1
+bcubeanalytics.com, 1
+bcutah.gov, 1
+bcvps.com, 1
+bcyw56.live, 0
+bcyw56.top, 1
+bcz.ca, 1
+bczeeland.tk, 1
+bd-friend.com, 1
+bd-media.tk, 1
+bd.foundation, 1
+bd4d.org, 1
+bda-boulevarddesairs.com, 0
+bdasites.in, 1
+bdbe.ga, 1
+bdbxml.net, 1
+bdcdev.in, 1
+bdd.fi, 1
+bddam.fr, 1
+bddam.one, 1
+bdeducator.com, 1
+bdeep.org, 1
+bdew.net, 1
+bdfriends.tk, 1
+bdgroup-lab.com, 1
+bdix.link, 1
+bdli.de, 1
+bdmusic25.us, 1
+bdo-tools.jp, 1
+bdocfurniture.com, 1
+bdpachicago.tech, 1
+bdpestsolutionsstlouis.com, 1
+bdpn.ru, 1
+bdragon.com, 1
+bdrmedia.rs, 1
+bdsdonghanh.com, 1
+bdsmbibliothek.net, 1
+bdsmcontrol.com, 1
+bdsmdating.tk, 1
+bdsmwiki.hu, 1
+bdsu-connect.de, 1
+bdsu-kongress.de, 1
+bdsu.de, 1
+bdtc.com.bd, 1
+bdtd.nl, 1
+bdtechnews.tk, 1
+be-bellence.com, 1
+be-craft.de, 1
+be-free.gq, 1
+be-nice.digital, 1
+be-real.life, 0
+be-sigsol.fr, 1
+be-up-developpement.com, 1
+be-wear.ch, 1
+be-webdesign.com, 1
+be.ax, 1
+be.search.yahoo.com, 0
+be.st, 1
+be2cloud.de, 1
+be9418.com, 1
+be9418.info, 1
+be9418.net, 1
+be9418.org, 1
+be9458.net, 0
+be9458.org, 0
+be958.info, 1
+be958.org, 1
+be9966.com, 1
+bea.expert, 0
+bea.gov, 1
+beabadoartesanato.com.br, 1
+beable.com, 1
+beacham.online, 1
+beachcitiestaxandaccounting.com, 1
+beachcitybody.com, 1
+beachcitycastles.com, 1
+beachcruisers.tk, 1
+beachlife4life.cf, 1
+beachmonster.tk, 1
+beachpoint.tk, 1
+beachsmile.com, 1
+beachsoccer.tk, 1
+beachvolley.tk, 1
+beachvolleyball.tk, 1
+beachworldchampion.tk, 1
+beacinsight.com, 1
+beaconcart.com, 1
+beaconfed.org, 1
+beaconhealthoptions.com, 1
+beaconhouse.org.uk, 1
+beaconny.gov, 1
+beaconstac.com, 1
+beadaptive.ca, 1
+beadare.com, 1
+beadare.nl, 1
+beadedcouture.tk, 1
+beadings.tk, 1
+beadseh.ca, 1
+beadsxbeans.com, 1
+beager.ga, 1
+beagles.tk, 1
+beaglesaspets.com, 1
+beaglesecurity.com, 1
+beagstudio.ie, 1
+beakbirds.com, 1
+beaker.coffee, 1
+beal.edu, 1
+bealefss.marketing, 1
+bealeslandscaping.co.uk, 1
+bealpha.pl, 1
+beam-life.tk, 1
+beam-to.me, 1
+beama.org, 1
+beambdi.com, 1
+beamitaly.tk, 1
+beamitapp.com, 1
+beamy-lake.com, 1
+bean-jam.jp, 1
+beanbot.party, 1
+beanboygames.com, 1
+beancount.io, 1
+beanilla.com, 1
+beanjuice.me, 1
+beansgalore.com.au, 1
+beaoriflame.hu, 1
+beapieceofart.com, 1
+beaquarium.com, 1
+bearblinds.com.au, 1
+bearbonesenterprises.com, 1
+bearcosports.com.br, 1
+bearcreekcubschildcare.com, 1
+bearcreektownshipmi.gov, 1
+beard.se, 1
+beardboys.co.za, 1
+bearded.sexy, 1
+bearden.io, 1
+beardic.cn, 0
+beardsome.me, 1
+beardsorcery.com, 1
+bearfactory.tk, 1
+bearfarm.tk, 1
+beargarden.club, 1
+beargorilla.com, 1
+bearings.tk, 1
+bearingworks.com, 1
+bearlakelife.com, 1
+bearrecords.tk, 1
+bearrun.com, 1
+bearslakeinn.com, 1
+bearsunderland.com, 1
+bearzoutdoor.com, 1
+beasel.biz, 1
+beast-books.com, 1
+beast.rent, 1
+beastiejob.com, 1
+beastlog.tk, 1
+beastnet.works, 1
+beastnet.xyz, 1
+beastowner.com, 1
+beastowner.li, 1
+beatachoroszynska.pl, 1
+beatbreaker.tk, 1
+beatfeld.de, 1
+beatfreaks.tk, 1
+beatle.tk, 1
+beatmaker.ml, 1
+beatmalaria.org, 1
+beaton.tk, 1
+beatquantum.com, 1
+beatrice-nightscout.herokuapp.com, 1
+beatrice-raws.org, 1
+beatricedailysun.com, 1
+beatriz-urbano-vega.tk, 1
+beatrizaebischer.ch, 0
+beatrizmartinez.tk, 1
+beatsaberchampionship.eu, 1
+beatsdope.com, 1
+beatsearch.net, 0
+beatsnbits.nl, 1
+beatsta.tk, 1
+beatthebastards.tk, 1
+beatuprobot.net, 1
+beatzone.tk, 1
+beau.cat, 1
+beaufortcastawaycharter.com, 1
+beaufortcountync.gov, 1
+beauhilton.com, 1
+beaulieu.ch, 1
+beaumontcabusiness.gov, 1
+beaute-eternelle.ch, 0
+beautiful-lingerie.tk, 1
+beautiful.ai, 1
+beautifulart.ml, 1
+beautifulplaces.tk, 1
+beautifulreflectionsmedspa.com, 1
+beautifulrussianwomen.cf, 1
+beautifulsouth.tk, 1
+beauty-blog.gq, 1
+beauty-form.ir, 1
+beauty-haircare.tk, 1
+beauty-salon-lino.com, 1
+beauty-stories.tk, 1
+beauty-style.ml, 1
+beauty-town.tk, 1
+beauty-woman.tk, 1
+beauty-yan-enterprise.com, 1
+beauty.moe, 0
+beauty24.de, 1
+beauty2home.net, 1
+beauty77.ch, 1
+beautyandboutique.tk, 1
+beautyandfashionadvice.com, 1
+beautyandthebeast.tk, 1
+beautyanna.ga, 1
+beautyanna.gq, 1
+beautyarticles.tk, 1
+beautybism.com, 1
+beautybox.ro, 1
+beautyboxes.net, 1
+beautyby.tv, 1
+beautycarepack.com.ng, 1
+beautycom.club, 1
+beautycon.ir, 1
+beautyeyewear.ga, 1
+beautyforce.bg, 1
+beautyforceacademy.bg, 1
+beautyindistress.tk, 1
+beautyinweb.net, 1
+beautyisfine.tk, 1
+beautykiss.com, 1
+beautylookz.nl, 1
+beautyoverture.com, 1
+beautyschool.od.ua, 1
+beautyseasons.ru, 1
+beautyspaceshop.com, 1
+beautyspacestore.com, 1
+beautyspot.tk, 1
+beautytechpro.ro, 1
+beaver-creek.ga, 1
+beaver.com.br, 1
+beaverdamautos.com, 1
+beaverheadcountymt.gov, 1
+beavertales.ca, 1
+beavillabea.it, 1
+beavivo.de, 0
+bebaspedia.com, 1
+bebbiboni.tk, 1
+bebe2luxe.fr, 1
+bebeautiful.business, 1
+bebebebra.bid, 1
+bebecar.com, 1
+bebechegou.com, 1
+bebechegou.com.br, 1
+bebef.de, 1
+bebefofuxo.com.br, 1
+bebemamae.com, 1
+bebes.uno, 1
+bebesreborns.com, 1
+bebest.gov, 1
+bebetrotteur.com, 1
+bebidasrd.com, 1
+bebodywise.com, 1
+beboldpr.com, 1
+bebout.domains, 1
+bebout.pw, 1
+bebr.loan, 1
+bebra.ai, 1
+bebra.loan, 1
+bebrenok.trade, 1
+bebrev.trade, 1
+bebrik.men, 1
+bebrina.date, 1
+bebro.loan, 1
+bebrochka.loan, 1
+becallgroup.com, 1
+because.co.il, 1
+becausecapitalism.org, 1
+beccaanne.photography, 1
+beccajoshwedding.com, 1
+bech32.net, 1
+beck.pl, 1
+beckdesign.tk, 1
+becker-annika.de, 1
+becker.wales, 1
+beckerpumps.com, 1
+becklove.cn, 1
+beckmandxapps.com, 1
+beckylicious.tk, 1
+beclan.tk, 1
+becleverwithyourcash.com, 1
+becli.com, 1
+beclick.co.il, 1
+becoairandheat.com, 1
+becollective.com, 1
+become-a-bounty-hunter.com, 1
+become-lucky.com, 1
+becomeaparalegal.org, 1
+becomebravehorsemanship.nl, 1
+becomewebdeveloper.tk, 1
+beconnect.cf, 1
+beconstructive.com, 1
+becquerelgroup.com, 1
+becs.ch, 0
+becubed.co, 0
+becydog.cz, 1
+bed-and-breakfast-elz.de, 1
+bedamedia.com, 1
+bedandbreakfast.dk, 1
+bedandbreakfasteuropa.com, 1
+bedandbreakfasthoekvanholland.com, 1
+bedavainternet.club, 1
+bedavakodlar.com, 1
+bedavaoyunkod.com, 1
+beddingexperts.com, 1
+bede.fr, 1
+bedeiah.tk, 1
+bedels.nl, 1
+bedenica.hr, 1
+bedford-hotel.co.uk, 1
+bedford911.com, 1
+bedfordnissanparts.com, 1
+bedful.com, 1
+bedienungsanleitung24.de, 1
+bedinfo.com, 1
+bedlingtonterrier.com.br, 1
+bedofcorpses.tk, 1
+bedouille.com, 1
+bedpage.com, 1
+bedrijfs-feesten.nl, 1
+bedrijfsfeesten.tk, 1
+bedrijfsfotoreportages.nl, 1
+bedrijfswasmachine.nl, 1
+bedrockcommunity.ml, 1
+bedrocklinux.org, 1
+bedrukt.nl, 1
+bedstecasinobonusser.dk, 1
+bedtimeflirt.com, 1
+bedum-blues.tk, 1
+bedwettingyoungsters.tk, 1
+bee-creative.nl, 1
+bee-line.org.uk, 1
+bee-removal-dublin.com, 1
+bee.tools, 1
+beebeads.ga, 1
+beebruh.bid, 1
+beebuy.online, 1
+beebuy.restaurant, 1
+beecambio.com.br, 1
+beecare.ch, 1
+beechwoodindustrial.com, 1
+beechwoodmetalworks.com, 1
+beedsolyjas.tk, 1
+beeebraa.download, 1
+beefclan.tk, 1
+beeg.hu, 1
+beegarage.com, 1
+beehive.govt.nz, 1
+beehive.systems, 1
+beehive42.com, 1
+beehive42.eu, 1
+beehive42.net, 1
+beehive42.nl, 1
+beehive42.org, 1
+beekbier.nl, 1
+beekeeper.supply, 1
+beekeeper.tools, 1
+beekeepingfiji.com, 1
+beekman-relatietherapie.nl, 1
+beeksnetwork.nl, 1
+beeldbankgent.be, 1
+beeliarspirit.org, 1
+beelikeus.pl, 1
+beeline.am, 1
+beelit.com, 0
+beeming.co.za, 1
+beeming.com.au, 1
+beeming.net, 1
+beeming.org, 1
+beemprimelogistics.com, 1
+beeone.nl, 1
+beepcar.ru, 1
+beeportfolio.com, 1
+beer-sheva.city, 1
+beer9.com, 1
+beerbruhs.com, 1
+beercast.co.uk, 1
+beeremovaljohannesburg.co.za, 1
+beeremovalpretoria.co.za, 1
+beeremovalspretoria.co.za, 1
+beergifts.tk, 1
+beerglasses.tk, 1
+beerhouse.tk, 1
+beerians.com, 1
+beerians.info, 1
+beerjet.bg, 1
+beerloga.tk, 1
+beernews.ga, 1
+beerradar.no, 1
+beerradar.party, 1
+beerre.com, 1
+beersandco.ch, 1
+beersconf.com, 1
+beersheba.co.il, 1
+beersheva.city, 1
+beersheva.co.il, 1
+beerview.ga, 1
+beerwallpa.com, 1
+beerxa.cz, 1
+beescloud.com, 1
+beesco.us, 1
+beesex.xyz, 1
+beesnoosa.com, 1
+beestar.it, 1
+beestation13.com, 1
+beestech.fr, 0
+beeswarmrehoming.com.au, 1
+beesweethoney.co.za, 1
+beet-und-balkonpflanze-des-jahres.de, 1
+beetech.global, 1
+beetgroup.id, 1
+beethoveninlove.com, 1
+beetsforyou.xyz, 1
+beeutifulparties.co.uk, 1
+beeweighed.co.uk, 1
+beezkneezcastles.co.uk, 1
+beeznest.com, 1
+befantasy.tk, 1
+befoodsafe.gov, 1
+beforeafter.gq, 1
+beforethedawn.tk, 1
+beforeyoueatoc.com, 1
+befreewifi.info, 1
+befunddolmetscher.de, 1
+befundonline.de, 1
+befunky.in, 1
+bega-dc.gov, 1
+begabungsfoerderung.info, 1
+begemoth.tk, 1
+begethost.cf, 1
+begin-motorcycling.co.uk, 1
+beginnercampingguide.top, 1
+beginwp.tips, 1
+begleitung-zuhause.at, 1
+begonias.tk, 1
+begoth.boutique, 1
+begovel.shop, 1
+begravningsbyranhumana.se, 1
+begundal.tk, 1
+behamepresrdce.sk, 1
+behamzdarma.cz, 1
+behappyonlinetanfolyam.hu, 1
+behar-selimi.tk, 1
+behatech.tk, 1
+behavenet.com, 1
+behavhealth.ml, 1
+behaving.tk, 1
+behaviorchangeimpact.org, 1
+behead.de, 1
+behealthandrehab.com, 1
+behealthoncologia.com, 1
+behealthyeveryday.eu, 1
+behemoth.cf, 1
+beherit.pl, 1
+behinam.co.il, 1
+behind-the-mask.tk, 1
+behindenemyminds.be, 1
+behindenemyminds.eu, 1
+behindertenagentur.de, 1
+behindsong.com, 1
+behindthedesk.tk, 1
+behindthemars.de, 1
+behleem.tk, 1
+behoerden-online-dienste.de, 1
+behold.gq, 1
+behomewithlove.com.br, 1
+behoreal.cz, 1
+behotelmalta.com, 1
+behrami.com, 1
+behrer.se, 1
+beiduofu.com, 1
+beiersdorf-svz.ch, 1
+beijing.bj, 1
+beijinglug.club, 1
+beijiquan.com, 1
+beikeil.de, 1
+beimchristoph.de, 1
+beinad.com, 1
+beinghuman.tk, 1
+beinghumanpsychotherapy.com.au, 1
+beingmad.org, 1
+beinsports.pro, 1
+beinsured.cloud, 0
+beinteractive.pl, 1
+beiqilai.com, 1
+beira.pt, 1
+beiramar.tk, 1
+beirasumos.pt, 1
+beirel.ru, 1
+beitmidrashrambam.com, 1
+beizsoft.co.uk, 1
+bejago.com, 1
+bejarano.io, 1
+bejbi.net, 1
+bejo.be, 0
+bejo.bg, 0
+bejo.by, 0
+bejo.cl, 0
+bejo.cn, 0
+bejo.com, 0
+bejo.com.au, 0
+bejo.com.br, 0
+bejo.com.mx, 0
+bejo.cz, 0
+bejo.es, 0
+bejo.hr, 0
+bejo.jp, 0
+bejo.kz, 0
+bejo.ma, 0
+bejo.nl, 0
+bejo.pl, 0
+bejo.pt, 0
+bejo.ro, 0
+bejo.ru, 0
+bejo.sk, 0
+bejo.ua, 0
+bejo.vn, 0
+bejoandes.cl, 0
+bejogt.com, 0
+bejoindia.in, 0
+bejoindonesia.com, 0
+bejoitalia.it, 0
+bejosamen.de, 0
+bejoseeds.com, 0
+bekabazar.cz, 1
+bekeltetes.hu, 1
+beklenengazete.com, 1
+bekmekci.tk, 1
+beko.co.uk, 1
+beko.ie, 1
+bekolite.com, 1
+bekoplc.com, 1
+bel-air1998.com, 1
+bel-assainissement-service.fr, 1
+bel-snegirek.ru, 0
+belacapa.com.br, 1
+belacine.com, 1
+belafonte.co, 1
+belajarcarabelajar.com, 1
+belajarpsikology.tk, 1
+belak.se, 1
+belanews.tk, 1
+belani.eu, 1
+belanja.express, 1
+belaradio.tk, 1
+belarbykora.tk, 1
+belardoinstrumentos.tk, 1
+belarto.es, 1
+belarto.pl, 1
+belarus-mtz.gq, 1
+belarus.tk, 1
+belarusmemorials.com, 1
+belarustoday.tk, 1
+belarustravel.tk, 1
+belastingmiddeling.nl, 1
+belayarus.tk, 1
+belcanto.cz, 1
+beleadsteam.com, 1
+belebey.city, 1
+beleefheemstede.nl, 1
+beleggingspanden-financiering.nl, 0
+belegit.org, 1
+belevingsboerderijdekoolberg.nl, 1
+belezadateresa.com.br, 1
+belezashopping.com.br, 1
+belf.ml, 1
+belfastbounce.co.uk, 1
+belfastjujitsu.tk, 1
+belfastlocks.com, 1
+belfasttechservices.co.uk, 1
+belfix.be, 1
+belfor-probleme.de, 1
+belga.tk, 1
+belge.rs, 1
+belger.tk, 1
+belgers.com, 1
+belgia.tk, 1
+belgian-investor.be, 1
+belgian-naturists.tk, 1
+belgian-swimmers-united.tk, 1
+belgianbirdalerts.be, 1
+belgianfilipinolovers.be, 1
+belgiantennis.tk, 1
+belgianwaffleironstore.com, 1
+belgianwesthoekclassic.tk, 1
+belgicaservices.be, 1
+belgie-postcodes.be, 1
+belgischekeizer.nl, 1
+belgischerijpony.tk, 1
+belgiumwi.gov, 1
+belgive.by, 1
+belgorod-host.cf, 1
+belgorod.ml, 1
+belgrademt.gov, 1
+belgradestatebank.com, 1
+belgraver.email, 1
+belgraver.eu, 1
+belgraver.xyz, 1
+belic.net, 1
+belichtungswert.de, 1
+belics.com, 1
+belidi.tk, 1
+belidzs.hu, 0
+belieber.tk, 1
+belien-tweedehandswagens.be, 1
+believablebook.com, 0
+believeinyourmind.com, 1
+beliishko.tk, 1
+belindaweb.tk, 1
+belinks.tk, 1
+belinsky.tk, 1
+beliyo.tk, 1
+belizemap.tk, 1
+belk.io, 1
+belka.online, 1
+belki.tk, 1
+belknapcounty.gov, 1
+belkys.net, 0
+bell-meet.de, 1
+bell.id.au, 1
+bella-abyssinia.tk, 1
+bella-klein.org, 1
+bella.network, 1
+bellaaroma.com.tw, 1
+bellacasarealtyaz.com, 1
+belladeluxxe.net, 1
+bellafashion.tk, 1
+bellaireroofinginc.com, 1
+bellamama.biz, 1
+bellamodeling.com, 1
+bellamy.cloud, 1
+bellamy.md, 1
+bellanews.tk, 1
+bellaslokal.de, 1
+bellassubsandpizza.com, 1
+bellastate.ca, 1
+bellatight.com, 1
+bellavistaoutdoor.com, 1
+bellcarrington.com, 1
+bellcomp.co.uk, 1
+belle-bete.ca, 1
+belle-epoque-toys.com, 1
+belle-lingerie.co.uk, 0
+bellebakes.blog, 1
+bellebaum.eu, 1
+bellecarmen.tk, 1
+bellehorizon.co.za, 1
+bellenews.com, 1
+bellenundballern.de, 1
+belleplaineiowa.gov, 1
+belleplainemn.gov, 1
+bellesetrebelles.tk, 1
+bellevilleboot.com, 1
+bellevueduilawyers.com, 1
+bellezanatural.life, 1
+bellezon-shop.com, 1
+bellezzasenzalimiti.it, 1
+bellflowerlactation.com, 1
+bellhowell.net, 1
+bellisima.com.co, 1
+bellissime.tk, 1
+bellmeadtx.gov, 1
+belloo.date, 1
+bellop.top, 1
+belloweb.tk, 1
+bellowsafs.marketing, 1
+belloy.net, 0
+bellpi.com, 0
+bellreguard.tk, 1
+bellsweets.com, 1
+bellthrogh.com, 1
+belltownfarms.com, 1
+belltownpower.com, 1
+bellware.io, 0
+bellyaccessoriesest.ga, 1
+belmontgoessolar.org, 1
+belmontnh.gov, 1
+belmontsheriffohio.gov, 1
+belmount.com.br, 1
+belmundo.org, 1
+belocallyseo.com, 1
+beloevino.ml, 1
+belos.at, 1
+belouga.org, 1
+belovedbumps.sg, 1
+belowaverage.tk, 1
+belowzero.tk, 1
+belquant.cf, 1
+belrosstrakh.tk, 1
+belrybalka.cf, 1
+bels-lijntje.nl, 1
+belsilos.com, 1
+belt.black, 1
+beltanelabrosse.tk, 1
+beltar.nl, 1
+beltbuckle.pw, 1
+beltman-shipping.tk, 1
+beltramifashion.be, 1
+beltsystemu.com, 1
+belug.de, 1
+belugadev.ml, 1
+belveb24.by, 1
+belvidereil.gov, 1
+belviderepoliceil.gov, 1
+belvideretownshipmi.gov, 1
+belvitajoreggelt.hu, 1
+belvo.com, 1
+belvoc.be, 1
+belvoirbouncycastles.co.uk, 1
+belwederczykow.eu, 1
+belzlongroup.com, 1
+bembee.tk, 1
+bemcorp.de, 1
+bemergroup.com, 1
+bemindly.com, 1
+bempensadoconsul.com.br, 1
+bemsoft.pl, 1
+bemvindoaolar.com.br, 1
+ben-deneme.gq, 1
+ben-energy.com, 0
+ben-escort-hh.com, 1
+ben-stock.de, 1
+ben.ge, 1
+ben.org.uk, 1
+ben2.co.il, 1
+benabbott.nz, 1
+benabrams.it, 1
+benadryl.ml, 1
+benadryld.tk, 1
+benaldirma.net, 1
+benary.org, 1
+benas.tk, 1
+benatarfanclub.com, 1
+benatherton.com, 1
+benatskezrkadla.sk, 1
+benazir-reaction.tk, 1
+benbalter.com, 1
+benbenben.loan, 1
+benbozsa.ca, 1
+benc.io, 1
+benceskorka.com, 1
+bencheetham.me.uk, 1
+benchling.com, 1
+benchmark-dental.com, 1
+benchmark-ip.com, 1
+benchmarkmonument.com, 1
+benclarkphotography.com.au, 1
+bencrump.com, 1
+bendechrai.com, 0
+bendemaree.com, 1
+bender.ga, 1
+benderssportsandspirits.com, 0
+bendingtheending.com, 1
+bendjadid.com, 1
+bendminding.com, 1
+bendwebs.com, 1
+bendyworks.com, 1
+beneathvt.com, 1
+beneazy.cf, 1
+benedetti.ca, 1
+benedict-system.eu, 1
+benedict-system.hu, 1
+benedict.systems, 1
+benedict.tk, 1
+benedicthanshenwang.com, 1
+benedictoaguilar.tech, 1
+benedikto.tk, 1
+benee-awraham.nl, 1
+benefeds.com, 1
+benefitboys.com, 1
+benefits.gov, 1
+benefitsbookcase.com, 1
+benefitsystems.ro, 1
+benefitz.cf, 1
+benefitz.ga, 1
+benefitz.gq, 1
+benefitz.ml, 1
+benekill.tk, 1
+benemortasia.com, 1
+benemortasia.eu, 1
+benemortasia.nl, 1
+benemortasia.us, 1
+benepla.com, 1
+benetcasablancas.tk, 1
+benevisim.com, 1
+benevita.bio, 1
+benevita.life, 1
+benevita.live, 1
+benevita.organic, 1
+benewahcountyid.gov, 1
+bengalcat.tk, 1
+bengalcatscare.com, 1
+bengaldisom.tk, 1
+bengalen.tk, 1
+bengalifake.tk, 1
+bengaltourism.ml, 1
+bengalurugifts.com, 1
+bengaratei.com, 1
+bengcao.com, 1
+bengisureklam.com, 1
+bengkelkeramik.tk, 1
+bengou.tk, 1
+bengt.org, 1
+benhammoutex.com, 1
+benhamplateau.tk, 1
+benhaney.com, 1
+benhartmann.de, 0
+benhavenarchives.org, 1
+benhocking.com, 1
+benhoeg.com, 0
+benia.cz, 1
+beniajan.tk, 1
+benicee.com, 1
+benidormcd.tk, 1
+benify.com, 1
+benify.se, 1
+benimhedefim.net, 1
+benimseom.com, 1
+benimsetin.com, 1
+benimsetin.org, 1
+beninca.link, 1
+beniskala.com, 1
+benjamin-horvath.com, 1
+benjamin-suess.de, 1
+benjamin-thomsen.de, 1
+benjaminbedard.com, 1
+benjaminblack.net, 1
+benjamindietrich.com, 1
+benjamindietrich.de, 1
+benjaminfox.net, 1
+benjaminjurke.com, 1
+benjaminkopelke.com, 1
+benjaminleupold.com, 1
+benjaminpiquet.fr, 0
+benjaminprevot.fr, 1
+benjaminrancourt.ca, 1
+benjaminvasel.de, 1
+benjamorphism.com, 1
+benjii.me, 1
+benjijaldoner.nl, 1
+benjilopez.com, 1
+benjonline.tk, 1
+benkelmed.com, 1
+benken.tk, 1
+benleb.de, 1
+benleemd.com, 1
+benleggiero.me, 1
+benmack.net, 1
+benmarron.co.uk, 1
+benmatthews.com.au, 1
+benmedia.nl, 1
+bennet.org, 0
+bennettsbouncycastlehire.co.uk, 1
+bennettshire.co.uk, 1
+benni1.eu, 1
+bennie.com, 1
+bennierobinson.com, 1
+benningtonne.gov, 1
+benningtontownshipmi.gov, 1
+bennink.me, 1
+benno.frl, 1
+bennygommers.nl, 1
+bennythink.com, 1
+benobi.one, 0
+benoit.jp.net, 1
+benoitchantre.com, 1
+benprisby.com, 1
+benpro.fr, 1
+benq.com, 1
+benq.eu, 1
+benrogers.tk, 1
+bensbouncycastles.co.uk, 1
+benschnarr.com, 1
+benscobie.com, 1
+benshoof.org, 1
+bensinflatables.co.uk, 1
+bensjamtracks.com, 1
+bensokol.com, 1
+bensonvermont.gov, 1
+benstevinson.com, 1
+bensvpn.com, 1
+bensvriend.tk, 1
+bent-nails.com, 1
+bentallgreenoak.com, 0
+bentaylorforcroydonsouth.online, 1
+bentcreekfarm.us, 1
+bentebogholder.dk, 1
+bentek.fr, 1
+bentertain.de, 0
+benthanhtourist.com, 1
+bentina.com, 1
+bentley.blog, 1
+bentley.link, 1
+bentleyks.gov, 1
+bento-kurumaya.co.jp, 1
+bentoncountyia.gov, 1
+bentoncountyor.gov, 1
+bentoncountywa.gov, 1
+bentongroup.co.uk, 1
+bentonweatherstone.co.uk, 1
+bentonwi.gov, 1
+bentpunk.tk, 1
+bentrask.com, 1
+benu.cz, 1
+benu.rs, 1
+benulekaren.sk, 1
+benunapredpis.cz, 1
+benward.physio, 1
+benwoo.org, 1
+benz-hikaku.com, 1
+benzblog.tk, 1
+benzi.io, 1
+benzieco.gov, 1
+benzin.tk, 1
+benzonestore.tk, 1
+benzou-space.com, 1
+beonas.ddns.net, 1
+beonline.ml, 1
+beornish.com, 1
+beospain.tk, 1
+bep.gov, 1
+bepayd.com, 1
+bephoenix.org.uk, 0
+bepick.blog, 1
+bepiratedo.gay, 1
+bepositive.ml, 1
+beptutotnhat.com, 1
+bepzi.com, 1
+beq.cc, 1
+bequ1ck.com, 1
+bequiia.com, 1
+berakal.com, 1
+beran.tk, 1
+berandalcorp.tk, 1
+beranovi.com, 1
+beraru.tk, 1
+berasavocate.com, 1
+beraten-entwickeln-steuern.de, 1
+beratungswelt.dvag, 1
+berbatov.ga, 1
+berbervandenberg.tk, 1
+berchtesgaden-hilft.de, 1
+berdan.tk, 1
+berdu.id, 1
+bereaplumber.co.za, 1
+bereelcorporation.com, 1
+bereginy.com.ua, 1
+bereginya-lada.ru, 1
+beregite-zdorovje.ru, 1
+beregusha.com, 1
+bereikbaargent.be, 1
+berekenen.nl, 1
+berekenhet.nl, 1
+berend.tk, 1
+bereregisdental.co.uk, 1
+beresbalazs.tk, 1
+berete.de, 1
+beretinec.hr, 1
+berg-tal.com, 1
+berg.social, 1
+berge.tk, 1
+bergelevrad.tk, 1
+bergencountyclerk.gov, 1
+bergenfieldnj.gov, 1
+bergerandgreen.com, 1
+bergevoet-fa.nl, 0
+bergfex.at, 1
+bergfex.ch, 1
+bergfex.com, 1
+bergfex.de, 1
+bergfex.it, 1
+berggeit.tk, 1
+berghof-foundation.org, 1
+berghuus.ch, 1
+berglust-pur.de, 1
+bergmanbeachproperties.com, 1
+bergside.pl, 1
+bergsjomannen.tk, 1
+bergstation.eu, 1
+bergstoneware.com, 1
+bergvallsmassage.se, 1
+bergwandercamp.de, 1
+bergwandercamp.eu, 1
+bergwandercamp.info, 1
+berhampore-gateway.tk, 1
+berichtsheft-vorlage.de, 1
+berighthere.com, 1
+berightthere.eu, 1
+berikod.ru, 1
+beris.us, 1
+beritalaptop.com, 1
+beritamotor.tk, 1
+beritanow.tk, 1
+beritatopbanten.com, 0
+beritavirall.com, 1
+berjadagar.is, 1
+berjou.me, 1
+berk.tk, 1
+berkadia.com, 1
+berkat-luqs.ddns.net, 1
+berkbrands.com, 1
+berkeleyca.gov, 1
+berkeleypolitical.review, 1
+berkhills.com, 1
+berksabstract.com, 1
+berksestateplanning.com, 1
+berkshire.com, 1
+berkshireesupply.com, 0
+berkspa.gov, 1
+berkswatertech.com, 1
+berkvensgm.nl, 1
+berlin-cuisine.com, 1
+berlin-flirt.de, 1
+berlin-hotel.tk, 1
+berlin-starlight-orchestra.de, 1
+berlinal.gov, 1
+berlincreators.de, 1
+berlinct.gov, 1
+berlindecouverte.fr, 1
+berlingeriresort.it, 1
+berlinnhpd.gov, 1
+berlintwpioniami.gov, 1
+berlintwpmi.gov, 1
+berlinvt.gov, 1
+berluga.com, 1
+berluskoni.tk, 1
+bermatrix.hu, 1
+bermeitinger.eu, 0
+bermellar.tk, 1
+bermos.net, 1
+bermudabathtub-retard.cf, 1
+bermytraq.bm, 1
+bern.bz, 1
+berna.fr, 1
+bernack.ga, 1
+bernadette.tk, 1
+bernadetteanderes.ch, 0
+bernadettehermsen.nl, 1
+bernama.com.my, 1
+bernar.do, 1
+bernard.fr, 1
+bernardbeneito.com, 1
+bernardcontainers.be, 0
+bernardez-photo.com, 1
+bernarditadiaz.tk, 1
+bernardocoelho.com.br, 1
+bernardsville.gov, 1
+bernardwatch.com, 1
+bernat.ch, 1
+bernat.im, 1
+bernayslab.com, 1
+bernbrucher.com, 0
+bernbrucher.de, 0
+berncoclerk.gov, 1
+bernd-leitner-fotodesign.com, 1
+bernd-leitner-fotodesign.de, 1
+bernd-leitner.de, 1
+bernd-schnitter.de, 1
+bernd-ungerer.com, 0
+berndartmueller.com, 0
+berndtgen.org, 1
+bernerland.cf, 1
+bernerland.tk, 1
+bernersennen.tk, 1
+bernhard-eicher.ch, 1
+bernhard-seidenspinner.de, 1
+bernhardluginbuehl.ch, 1
+bernhardluginbuehl.com, 1
+bernie.lol, 1
+bernie.pics, 1
+bernieware.de, 1
+bernius.eu, 1
+bernius.xyz, 1
+bernmail.ch, 1
+bernoldi.com.ar, 1
+berntmuurling.nl, 1
+bernyweb.net, 1
+beroepenhuis.gent, 1
+berr.yt, 1
+berra.se, 0
+berria.fi, 1
+berriabot.com, 1
+berriabot.fi, 1
+berriacast.com, 1
+berriacast.fi, 1
+berriainfo.com, 1
+berriainfo.fi, 1
+berriencountyga.gov, 1
+berries.com, 1
+berrnd.net, 1
+berrus.com, 1
+berry.cat, 1
+berrycheapers.ga, 1
+berryevent.es, 0
+berryvillear.gov, 1
+bersatu.com.my, 1
+berserk.gq, 1
+berserk.tk, 1
+bersier.net, 1
+bersierservices.ch, 0
+berst.cz, 1
+bert-dijkink.tk, 1
+bert.org, 1
+bertaudarthur.fr, 1
+bertbrockham.org.uk, 1
+bertgroup.com, 1
+berthabailey.com, 1
+berthaphil.com, 1
+berthaundcarlbenzpreis.de, 1
+berthelier.me, 1
+berthoudeconomicdevelopment.com, 1
+bertlight.com, 1
+bertold.org, 1
+bertoliniodontoiatria.it, 1
+bertr.am, 1
+bertrand.bio, 0
+bertrandkeller.info, 0
+bertrell.com, 1
+bertsmithvwparts.com, 1
+bertusengelbrecht.com, 1
+berwickpa.gov, 1
+berz.one, 1
+berzkalne.co.uk, 1
+besanowsky.de, 1
+besarfe.com, 0
+besb66.club, 1
+besb66.me, 1
+besb66.ninja, 1
+besb66.rocks, 1
+besb66.us, 1
+bescoutednow.com, 1
+bescover.com, 1
+besdev.uk, 1
+besedovichi.tk, 1
+besensi.com, 1
+besiconstruct.be, 1
+besidemetal.tk, 1
+besikta.se, 1
+besiktasmtsk.com, 1
+besir.com, 1
+beskiden.com, 1
+besnard.me, 1
+besnik.de, 0
+besnik.tk, 1
+besola.de, 1
+besolov.tk, 1
+besonderheit.com, 1
+besonders-s.at, 1
+besox.be, 1
+bespaarbazaar.nl, 1
+bespaarenergie.click, 1
+bespaarnu.click, 1
+bespoiled.nl, 1
+bespokebathrooms.com.au, 1
+bespokespeaker.uk, 1
+bespredel.tk, 1
+bessels.tk, 1
+bessems.com, 1
+bessems.eu, 1
+besser-beissen.de, 1
+besser-golfen.tk, 1
+besslavnye-ublyudki.tk, 1
+bessmertie.ml, 1
+best-accounting-schools.com, 1
+best-art-colleges.com, 1
+best-book.gq, 1
+best-business-colleges.com, 1
+best-cat.tk, 1
+best-cats.tk, 1
+best-chiter.tk, 1
+best-community-colleges.com, 1
+best-education-schools.com, 1
+best-engineering-colleges.com, 1
+best-essay-service.com, 1
+best-games.cf, 1
+best-graduate-programs.com, 1
+best-hvac-schools.com, 1
+best-lutheran-colleges.com, 1
+best-management-schools.com, 1
+best-marketing-schools.com, 1
+best-mum.fr, 1
+best-nursing-colleges.com, 1
+best-of-bounce.co.uk, 1
+best-party.ru, 1
+best-pdf.com, 1
+best-photobooth.ro, 1
+best-seminar.gq, 1
+best-seminar.ml, 1
+best-software.tk, 1
+best-stroy.ru, 1
+best-ticket.it, 1
+best-tickets.co.uk, 1
+best-tickets.com.au, 1
+best-trucking-schools.com, 1
+best-wedding-quotes.com, 1
+best10resumewriters.com, 1
+best66.me, 1
+besta.tk, 1
+bestaction.tk, 1
+bestafricaradio.tk, 1
+bestallgame.co, 1
+bestallid06.se, 1
+bestarts.tk, 1
+bestasquadradas.org, 1
+bestatos.com, 1
+bestatter.de, 1
+bestattungen-kammerer.de, 1
+bestattungshaus-kammerer.de, 0
+bestaucasinosites.com, 1
+bestaustraliancasinosites.com, 1
+bestautoinsurance.com, 1
+bestbatteriesonline.com, 1
+bestbefore.com, 1
+bestbestbitcoin.com, 1
+bestbonuses.co.uk, 1
+bestbookmark.cf, 1
+bestbookmark.gq, 1
+bestbookmark.ml, 1
+bestboot.cf, 1
+bestbox.be, 1
+bestbrakes.com, 1
+bestbudseedbank.com, 1
+bestbureau.fr, 1
+bestbuyzone.com, 1
+bestcamshow.tk, 1
+bestcanvaswallart.com, 1
+bestcarscyprus.com, 1
+bestcash2020.com, 1
+bestcasinositesonline.com, 1
+bestchoicehomeinspections.com, 1
+bestclassifiedsusa.com, 1
+bestclix.ml, 1
+bestcms.tk, 1
+bestcollegeaid.com, 1
+bestcreditcards.biz, 1
+bestcreditcards.me, 1
+bestcreditcards.news, 1
+bestcreditcards.tv, 1
+bestcreditcards.xyz, 1
+bestcriminallawyerinsingapore.com, 1
+bestcrossbowguide.com, 1
+bestdatingsite.ml, 1
+bestdatingsite.tk, 1
+bestdeal-umzug.de, 1
+bestdeal.co.in, 1
+bestdealstrips.com, 1
+bestdiabeteshealth.com, 1
+bestdlsites2.tk, 1
+bestdownloadscenter.com, 1
+bestdslrcameras.tk, 1
+bestecbdolie.com, 1
+bestech.de, 1
+bestechgadgets.tk, 1
+besteckliste.com, 1
+bestedeal.nl, 1
+besteenergieleverancier.com, 1
+bestehen.com, 1
+bestehostingproviders.nl, 1
+bestelhetmaar.nl, 1
+bestellipticalmachinereview.info, 1
+bestelsportprijzen.nl, 1
+bestemailmarketingsoftware.org, 1
+bestenlogin.com, 1
+bestertagderwelt.de, 1
+bestesb.net, 1
+bestescortmallorca.com, 1
+bestescortsdirectory.com, 1
+bestessayhelp.com, 1
+bestestquote.com, 1
+bestethereumcasinos.io, 1
+besteto.cz, 1
+besteto.sk, 1
+besteuitvaartverzekering.com, 1
+bestfacts.ru, 1
+bestfewo.de, 1
+bestfitnesswatchreview.info, 1
+bestfornutrition.com, 1
+bestfotostudio.com, 1
+bestfriend.ga, 1
+bestfriendsequality.org, 1
+bestgardener.info, 1
+bestgiftever.ca, 1
+bestgolftrips.ca, 1
+bestgriefbooks.com, 1
+besthemes.tk, 1
+besthobi.com, 1
+besthorsebedding.com, 0
+besthost.cz, 1
+besthouse.co.il, 1
+besthumorsite.tk, 1
+besti.it, 1
+bestiahosting.com, 1
+besties4life.ml, 1
+bestincservices.com, 1
+bestinductioncooktop.us, 1
+bestinsider.net, 0
+bestinsulatedwaterbottle.tk, 1
+bestinver.es, 0
+bestitwork.tk, 1
+bestjigsawreview.net, 1
+bestjumptrampolines.be, 1
+bestkbeauty.com, 1
+bestkenmoredentists.com, 1
+bestkeys.ga, 1
+bestladyshaver.co.uk, 0
+bestlawabundant.tk, 1
+bestlawafter.tk, 1
+bestlawamazing.tk, 1
+bestlawanchor.tk, 1
+bestlawarrow.tk, 1
+bestlawatlantic.tk, 1
+bestlawavatar.tk, 1
+bestlawbattle.tk, 1
+bestlawblaster.tk, 1
+bestlawblod.tk, 1
+bestlawbody.tk, 1
+bestlawbounce.tk, 1
+bestlawbrite.tk, 1
+bestlawbrowse.tk, 1
+bestlawbrowser.tk, 1
+bestlawbuddies.tk, 1
+bestlawbuller.tk, 1
+bestlawbunny.tk, 1
+bestlawcache.tk, 1
+bestlawcalculator.tk, 1
+bestlawcamel.tk, 1
+bestlawcaptive.tk, 1
+bestlawcarnival.tk, 1
+bestlawcatch.tk, 1
+bestlawcatcher.tk, 1
+bestlawcellar.tk, 1
+bestlawcharm.tk, 1
+bestlawcharte.tk, 1
+bestlawcharts.tk, 1
+bestlawcheaper.tk, 1
+bestlawconstruct.tk, 1
+bestlawcorporation.tk, 1
+bestlawcounty.tk, 1
+bestlawcreativity.tk, 1
+bestlawcrunch.tk, 1
+bestlawcrystal.tk, 1
+bestlawctktom.tk, 1
+bestlawcupid.tk, 1
+bestlawcuriotk.tk, 1
+bestlawdepot.tk, 1
+bestlawdesigning.tk, 1
+bestlawdestination.tk, 1
+bestlawdivine.tk, 1
+bestlawdodge.tk, 1
+bestlawdollars.tk, 1
+bestlawdowntown.tk, 1
+bestlawduck.tk, 1
+bestlaweagle.tk, 1
+bestlawebony.tk, 1
+bestlawecho.tk, 1
+bestlawecono.tk, 1
+bestlawelectra.tk, 1
+bestlawenvy.tk, 1
+bestlawepic.tk, 1
+bestlawfalcon.tk, 1
+bestlawfame.tk, 1
+bestlawfighter.tk, 1
+bestlawflavor.tk, 1
+bestlawfolder.tk, 1
+bestlawgang.tk, 1
+bestlawgecko.tk, 1
+bestlawgeo.tk, 1
+bestlawglamour.tk, 1
+bestlawglory.tk, 1
+bestlawgoddess.tk, 1
+bestlawgorilla.tk, 1
+bestlawgrab.tk, 1
+bestlawgrabber.tk, 1
+bestlawgrace.tk, 1
+bestlawgram.tk, 1
+bestlawgratis.tk, 1
+bestlawgroove.tk, 1
+bestlawgrow.tk, 1
+bestlawguerilla.tk, 1
+bestlawguerrilla.tk, 1
+bestlawgun.tk, 1
+bestlawhands.tk, 1
+bestlawhandsome.tk, 1
+bestlawhandy.tk, 1
+bestlawhard.tk, 1
+bestlawhotrod.tk, 1
+bestlawhtkky.tk, 1
+bestlawice.tk, 1
+bestlawimagine.tk, 1
+bestlawintergrity.tk, 1
+bestlawiron.tk, 1
+bestlawjackpot.tk, 1
+bestlawjewel.tk, 1
+bestlawjoker.tk, 1
+bestlawjtkt.tk, 1
+bestlawkayak.tk, 1
+bestlawkiss.tk, 1
+bestlawknight.tk, 1
+bestlawlast.tk, 1
+bestlawlastminute.tk, 1
+bestlawlegacy.tk, 1
+bestlawless.tk, 1
+bestlawlightning.tk, 1
+bestlawlimited.tk, 1
+bestlawlion.tk, 1
+bestlawlittle.tk, 1
+bestlawloco.tk, 1
+bestlawlowprice.tk, 1
+bestlawlucky.tk, 1
+bestlawmain.tk, 1
+bestlawmarks.tk, 1
+bestlawmatche.tk, 1
+bestlawmeasure.tk, 1
+bestlawmember.tk, 1
+bestlawmessenger.tk, 1
+bestlawmeta.tk, 1
+bestlawmetric.tk, 1
+bestlawmillions.tk, 1
+bestlawminer.tk, 1
+bestlawmtkcle.tk, 1
+bestlawmystical.tk, 1
+bestlawnano.tk, 1
+bestlawnational.tk, 1
+bestlawnations.tk, 1
+bestlawnatural.tk, 1
+bestlawnight.tk, 1
+bestlawnobel.tk, 1
+bestlawnormal.tk, 1
+bestlawnorthamerican.tk, 1
+bestlawnumber.tk, 1
+bestlawocity.tk, 1
+bestlawoffline.tk, 1
+bestlawoftheday.tk, 1
+bestlawomatic.tk, 1
+bestlawomega.tk, 1
+bestlawoneday.tk, 1
+bestlawopedia.tk, 1
+bestlawopplis.tk, 1
+bestlaworama.tk, 1
+bestlaworiginal.tk, 1
+bestlawother.tk, 1
+bestlawouter.tk, 1
+bestlawover.tk, 1
+bestlawyernear.com, 1
+bestleftwild.com, 1
+bestliege.be, 1
+bestlifek9training.com, 1
+bestlyrics.tk, 1
+bestmasterofscienceinnursing.com, 1
+bestmastersinpsychology.com, 1
+bestmattressabout.com, 1
+bestmattresses.tk, 1
+bestmaturepics.com, 1
+bestmedsmmj.com, 1
+bestmicro.fr, 1
+bestmodels.ua, 1
+bestmotherfucking.website, 1
+bestmotorcyclehelmets.net, 1
+bestnetentcasino.info, 1
+bestnetflowanalyzer.com, 1
+bestnewsmag.com, 1
+bestnovelbooks.ga, 1
+bestnursingdegree.com, 1
+bestnursingmasters.com, 1
+besto.cf, 1
+besto.ga, 1
+besto.tk, 1
+bestofbooks.gq, 1
+bestofdate.com, 1
+bestofjazz.org, 1
+bestofnuevovallarta.com, 1
+bestofrooftop.com, 1
+bestoldmusic.tk, 1
+bestoliveoils.com, 1
+bestomania.tk, 1
+bestonlinestuffs.com, 1
+bestparking.com, 1
+bestpartyhire.com, 1
+bestpig.fr, 1
+bestplus.ml, 1
+bestplus.tk, 1
+bestpneu.cz, 1
+bestporn.pics, 1
+bestporn2022.com, 1
+bestpornclip.com, 1
+bestporngirls.com, 1
+bestpornpictures.com, 1
+bestportablegeneratorratings.com, 1
+bestpost.org, 1
+bestpressurewashingchicago.com, 1
+bestpsychologydegrees.com, 1
+bestpsychologydegrees.org, 1
+bestreleases.tk, 1
+bestremote.io, 1
+bestroofinginkansascity.com, 1
+bestroutes.net, 1
+bestsatoshifaucet.ga, 1
+bestschools.io, 1
+bestseo4u.co.uk, 1
+bestsextoys.com, 1
+bestshoesmix.com, 1
+bestshopping.ga, 1
+bestshops.ga, 1
+bestsidelka.ru, 1
+bestsingingbowls.com, 1
+bestsiteporn.com, 1
+bestsolution.at, 1
+beststock.kr, 1
+beststudio.ru, 1
+besttechnews.ml, 1
+besttipsntricks.tk, 1
+besttrade.tk, 1
+besttrannytube.com, 1
+besttraveluk.ga, 1
+bestvape.ie, 1
+bestvpns.co.uk, 0
+bestvpnsoftware.org, 1
+bestwebcams.ga, 1
+bestwebcams.ml, 1
+bestwebsite.gallery, 1
+bestweleenbeetje.nl, 0
+bestwigs.ga, 1
+bestwirelessdoorbell.ml, 1
+bestwriterjobs.tk, 1
+bestzoo.tk, 1
+besured.nl, 1
+besv.com, 1
+beszerzokozpont.hu, 1
+bet-platform.com, 1
+bet031.com, 0
+bet03vip.com, 0
+bet064.com, 0
+bet06vip.com, 1
+bet074.com, 0
+bet08vip.com, 1
+bet166111.com, 1
+bet166333.com, 1
+bet166444.com, 1
+bet166555.com, 1
+bet166888.com, 1
+bet1668888.com, 1
+bet166999.com, 1
+bet166b.com, 1
+bet166c.com, 1
+bet166uu.com, 1
+bet166ww.com, 1
+bet166yy.com, 1
+bet1x-th.com, 1
+bet1x-thai.com, 1
+bet1x-thailand.com, 1
+bet333111.com, 1
+bet333123.com, 1
+bet333222.com, 1
+bet333321.com, 0
+bet333345.com, 0
+bet333432.com, 0
+bet333444.com, 1
+bet333456.com, 1
+bet333567.com, 1
+bet333666.com, 1
+bet333678.com, 1
+bet333789.com, 0
+bet333h.com, 1
+bet333k.com, 0
+bet333l.com, 1
+bet333m.com, 1
+bet333n.com, 1
+bet333o.com, 1
+bet333p.com, 0
+bet333q.com, 1
+bet333r.com, 0
+bet333s.com, 1
+bet333t.com, 1
+bet333w.com, 0
+bet333x.com, 1
+bet333y.com, 1
+bet333z.com, 1
+bet338c.com, 1
+bet3639.com, 0
+bet365-fixed-matches.com, 1
+bet365bc.net, 1
+bet365bet2020.com, 1
+bet365cn-casino.com, 1
+bet365cn-game.com, 1
+bet365cn-keno.com, 1
+bet365cn-livecasino.com, 1
+bet365cn-poker.com, 1
+bet365cn-sports.com, 1
+bet365cn-vegas.com, 1
+bet365cnq.com, 1
+bet365cnr.com, 1
+bet365cnt.com, 1
+bet365cnu.com, 1
+bet365cnv.com, 1
+bet365cnw.com, 1
+bet365cnx.com, 1
+bet365cny.com, 1
+bet365cnz.com, 1
+bet365g8.com, 1
+bet365n1.com, 1
+bet365n2.com, 1
+bet365n6.com, 1
+bet365n8.com, 1
+bet365n9.com, 1
+bet365q0.com, 1
+bet365q6.com, 1
+bet365q8.com, 1
+bet365q9.com, 1
+bet365r8.com, 1
+bet365vip1.com, 0
+bet365vip2.com, 1
+bet365vip2020.com, 0
+bet365vip7.com, 1
+bet365x0.com, 1
+bet365x1.com, 1
+bet365x2.com, 1
+bet365x3.com, 1
+bet365x6.com, 1
+bet365x9.com, 1
+bet391.com, 0
+bet392.com, 0
+bet397.com, 0
+bet3xx.com, 1
+bet3zz.com, 1
+bet43app.com, 1
+bet44410.com, 1
+bet444403.com, 0
+bet444424.com, 0
+bet444425.com, 0
+bet444426.com, 0
+bet444429.com, 0
+bet444430.com, 1
+bet5119.com, 1
+bet5234.com, 1
+bet531.com, 0
+bet5757.com, 1
+bet600.co.uk, 1
+bet631.com, 0
+bet66.com, 1
+bet66669999.com, 1
+bet666888.vip, 1
+bet7234.com, 1
+bet819.com, 0
+bet86ah.com, 1
+bet86am.com, 1
+bet86cq.com, 1
+bet86fj.com, 1
+bet86gs.com, 1
+bet86gx.com, 1
+bet86gz.com, 1
+bet86hlj.com, 1
+bet86hn.com, 1
+bet86jl.com, 1
+bet86js.com, 1
+bet86jx.com, 1
+bet86ln.com, 1
+bet86nmg.com, 1
+bet86nx.com, 1
+bet86qh.com, 1
+bet86sc.com, 1
+bet86sd.com, 1
+bet86sh.com, 1
+bet86sx.com, 1
+bet86tj.com, 1
+bet86tw.com, 1
+bet86xj.com, 1
+bet86xz.com, 1
+bet86yn.com, 1
+bet86zj.com, 1
+bet909.com, 1
+beta-cell.com, 1
+beta-site-staging.azurewebsites.net, 1
+beta.pw, 0
+betaa0.com, 1
+betaa2.com, 1
+betaa3.com, 1
+betaa5.com, 1
+betaa6.com, 1
+betaa8.com, 1
+betaa9.com, 1
+betaal.my, 1
+betaams.net, 1
+betabar.dk, 1
+betacalc.com, 1
+betaclouds.net, 1
+betacommand.tk, 1
+betadelivery.co.uk, 1
+betahyp.de, 1
+betalingsservice.dk, 1
+betandslots.com, 1
+betandyou.com, 1
+betandyou.mobi, 1
+betandyou1.com, 1
+betanoapp.com, 1
+betaoptimize.com, 1
+betaprofiles.com, 1
+betasozluk.com, 1
+betata.tk, 1
+betatester.ml, 1
+betawi.com, 1
+betaworx.de, 1
+betaworx.eu, 1
+betb33.com, 0
+betb73.com, 0
+betbed.ml, 1
+betbravo.et, 1
+betc.com, 1
+betcn-mart.com, 1
+betecnet.de, 1
+betel.tk, 1
+betelgeus.com, 1
+betelnatural.com, 1
+betemyja.tk, 1
+betenemy.com, 1
+beteroud.nl, 1
+betexperts.tk, 1
+betfair.com.co, 1
+betformular.com, 1
+bethanyhome.org, 1
+bethanymo.com, 1
+bethanytownshipmi.gov, 1
+bethatkinson.tk, 1
+bethelparkpa.gov, 1
+bethelparkpapolice.gov, 1
+betheltwplebanon.gov, 1
+bethematch.org, 1
+bethematchclinical.org, 1
+betheredge.us, 1
+bethlehemnj.gov, 1
+bethlehempa.org, 1
+bethlehemwv.gov, 1
+bethpage.net, 1
+bethphageanimalclinic.com, 1
+bethulietourism.co.za, 1
+bethzone.tk, 1
+beticaret.com, 1
+betingsite.com, 1
+betish.tk, 1
+betkorea1.com, 1
+betleakbot.com, 1
+betmobilenigeria.com, 1
+betobaccofree.gov, 1
+betolerant.fr, 1
+beton-vloer.nl, 1
+beton.ie, 1
+betonbewerkingsmachines.be, 1
+betondrew.com, 1
+betongereedschap.be, 1
+betoniera.org, 1
+betonline.bz, 1
+betonmachines.be, 1
+betonmarkets.info, 1
+betonperkasa.com, 1
+betonsport.ga, 1
+betonvloerpolijsten.com, 1
+betop-lab.com, 1
+betor.cz, 1
+betor.sk, 1
+betordertr.com, 1
+betoskip.tk, 1
+betpokies.com, 1
+betreut.at, 1
+betreut.de, 1
+betrifft-mich-dsgvo.ch, 1
+betrimus.xyz, 1
+betrisey.net, 1
+betrouwbarewifi.nl, 1
+bets.de, 1
+betsafe.lt, 1
+betseven.pt, 1
+betseybuckheit.com, 1
+betsfortoday.com, 1
+betsharpangles.com, 1
+betshoot.com, 1
+betsonlinefree.com.au, 1
+betspin.com, 1
+betstop.gov.au, 1
+betsys.de, 1
+bett1.at, 1
+bett1.ch, 1
+bett1.de, 1
+bett1.fr, 1
+bett1.pl, 1
+bettaline.com.au, 1
+bettashoerepairs.com.au, 1
+bettendorf.gov, 1
+better.com, 0
+better.fyi, 1
+betterbaseball.com, 1
+betterbedding.com, 1
+betterbladders.com, 1
+betterboards.net, 1
+betterbuiltbasements.com, 1
+betterbuiltkitchensandbathrooms.com, 1
+bettercallsully.com, 1
+bettercareclinic.co.uk, 1
+bettercleaningcompany.co.uk, 1
+bettercommunication.org.uk, 1
+bettercrypto.org, 1
+betterdecoratingbible.com, 1
+betterhealthatworkaward.org.uk, 1
+betterhelp.com, 1
+betterhelp.com.au, 1
+betterhelporg.com, 1
+betterhelpteens.com, 1
+betterhome.ml, 1
+betterjapanese.blog, 1
+betterjapanese.org, 1
+betterjapanese.xyz, 1
+betterlifekidsclub.com, 1
+betterlovestore.com, 1
+betterna.me, 1
+betternews.eu, 1
+betteroffed.com, 1
+betterplace.restaurant, 1
+betterscience.org, 1
+bettersecurity.co, 1
+bettersocialmedia.co.uk, 1
+betterteam.com, 1
+bettertech.pt, 1
+bettertechsoftware.com, 1
+bettertest.it, 1
+bettertime.jetzt, 1
+betterviewrentals.com, 1
+betterworlded.org, 1
+bettflaschen.ch, 1
+bettie.tk, 1
+betting-magic.com, 1
+bettingbangladesh.online, 1
+bettingbasket.com, 1
+bettingbusiness.ru, 1
+bettingmalaysia.online, 1
+bettingonaverage.com, 1
+bettingphilippines.online, 1
+bettolinokitchen.com, 1
+betty-baloo.com, 1
+bettyblue.tk, 1
+bettysseafoodshack.com, 1
+betulashop.ch, 1
+betus.tk, 1
+betvisa.com, 1
+betweenthehills.be, 1
+betweenthesheets.tk, 1
+betwin9.net, 0
+betwinner-india.com, 1
+betwinner-ua.com, 1
+betwinner-zerkalo.ru, 1
+betwinner.cm, 1
+betwinner.co.it, 1
+betwinner.co.ug, 1
+betwinner.co.zm, 1
+betwinner.com.gh, 1
+betwinner.de.com, 1
+betwinner.ng, 1
+betwinner1.com, 1
+betwinner2.com, 1
+betwinner5.mobi, 1
+betwinnerbahis.net, 1
+betwinnerfrance.net, 1
+betwinnerkenya.com, 1
+betwinnerlive.com, 1
+betwinnermobileapp.com, 1
+betwinnernigeria.com, 1
+betwinnerperu.com, 1
+betwinnerportugal.com, 1
+betwinnerpromocode.net, 1
+betwinners.in, 1
+betwinnertanzania.com, 1
+betwinneruganda.com, 1
+betxx1.com, 1
+betxx2.com, 1
+betza.online, 1
+betzgmbh.de, 1
+betzwhite.com, 1
+beudelbingers.nl, 1
+beugelbekkie.tk, 1
+beulahparks.com, 1
+beulen.email, 1
+beulen.link, 1
+beulen.pro, 1
+beurettes-en-chaleur.tk, 1
+beursbever.be, 1
+beurteilt.com, 1
+beus.ink, 1
+beusefulbook.ru, 1
+beuteugeu.com, 1
+beutner.de, 1
+beuty-flowers.tk, 1
+bevallarta.com, 1
+bevcrushesit.ca, 1
+bevedo.cz, 1
+bevedo.sk, 1
+beveiligingscamerawestland.nl, 1
+bevelbeer.com, 1
+bevelpix.com, 1
+beveragemobileest.ga, 1
+beverb.org, 1
+beverhof.nl, 1
+beverley.tk, 1
+beverleycounselling.co.uk, 1
+beverleymoneyman.com, 1
+beverly.tk, 1
+beverlydrive.tk, 1
+beverlyhillstx.gov, 1
+beverlyhospital.org, 1
+beverlyinternational.com, 1
+bevestor.de, 1
+bevhost.com, 1
+bevif.com, 1
+bevinco2020.com, 1
+bevinsco.org, 1
+beviu.com, 1
+bevmoir.com, 1
+bevnut.com, 1
+bewaredevapi.azurewebsites.net, 1
+bewegigsruum.ch, 1
+bewegtes-lagern.at, 1
+bewegtes-lagern.ch, 1
+bewegtes-lagern.com, 1
+bewegtes-lagern.de, 1
+bewegteslagern.ch, 1
+bewegteslagern.com, 1
+bewegteslagern.de, 1
+bewegungsfluss.com, 0
+bewerbung.net, 1
+bewerbungsfibel.de, 1
+bewerbungsfoto-deinfoto.ch, 1
+bewildered.gq, 1
+beworksite.com, 1
+bewustwinkelen.nl, 1
+bexit-hosting.nl, 1
+bexit-security.eu, 1
+bexit-security.nl, 1
+bexit.nl, 1
+bexithosting.nl, 1
+bexleycastles.co.uk, 1
+bey.io, 1
+beybiz.com, 1
+beybladesource.tk, 1
+beyerautomation.com, 1
+beyerm.de, 1
+beyers.io, 0
+beylkin.tk, 1
+beyond-destiny.tk, 1
+beyond-infinity.org, 0
+beyond-rational.com, 1
+beyond.com.br, 0
+beyond3dview.com, 1
+beyond3dviews.com, 1
+beyondalderaan.net, 1
+beyondauth.io, 1
+beyondbounce.co.uk, 1
+beyondfrosting.com, 1
+beyondgameplay.com, 1
+beyondinfinite.com, 1
+beyondmydoor.com, 1
+beyonds.fr, 1
+beyondthecode.io, 1
+beyondthecreek.com, 1
+beyondthefive.org, 0
+beyondthemoments.com, 1
+beyondthepitch.net, 1
+beyondtherealm.tk, 1
+beyondthisrealm.com.au, 1
+beyondtrust.com, 1
+beyondtv.ga, 1
+beyondweb.net, 1
+beyondzeroacademy-reservations.fr, 1
+beyonsolutions.com, 1
+bezagentstva.cf, 1
+bezahlbare-praemien.ch, 1
+bezbik.tk, 1
+bezdech.tk, 1
+bezdomny.tk, 1
+bezin.ga, 1
+bezoek-benidorm.tk, 1
+bezoomnyville.com, 1
+bezopasna-rabota.tk, 1
+bezpaliuk.com, 1
+bezpecnostsiti.cf, 1
+bezpieczny.pl, 1
+bezpiecznyiphone.pl, 1
+bezpiecznykierowca.info, 1
+bezposrednio.net.pl, 1
+bezpredel.tk, 1
+bf-foto.eu, 1
+bf2statistics.eu, 1
+bfam.tv, 1
+bfas237blog.com, 1
+bfbet365.com, 1
+bfbs.com, 1
+bfc-expertcomptable.com, 1
+bfcgermania88.de, 1
+bfelob.gov, 1
+bfem.gov, 1
+bferal.cl, 1
+bffr.wtf, 1
+bfh.science, 1
+bfharrison.com, 1
+bfi.is, 1
+bfkcloud.ddns.net, 1
+bflix.tv, 0
+bflw.pl, 1
+bfly.tech, 1
+bfob.gg, 1
+bfoliver.com, 1
+bforb.sk, 1
+bforben.uk, 1
+bfp-mail.de, 1
+bfpg.org, 1
+bfrailwayclub.cf, 1
+bfsasia.com, 1
+bft-media.com, 0
+bfw-online.de, 1
+bg-1xbet.com, 1
+bg-sexologia.com, 1
+bg2kuj.com, 1
+bgbaby.net, 1
+bgbet365.com, 1
+bgbhsf.top, 1
+bgd-info.tk, 1
+bgdesign.de, 0
+bgemi.net, 1
+bgeo.io, 1
+bget.org.uk, 1
+bgetfuel.co.uk, 1
+bgfashion.net, 1
+bggcapital.com, 1
+bgh.sh, 1
+bghddevelopment.com, 1
+bghope.com, 1
+bghost.xyz, 1
+bgjargon.com, 1
+bgkoleda.bg, 1
+bglsingles.de, 1
+bgm.bg, 1
+bgmall.tk, 1
+bgmedia.tk, 1
+bgmn.me, 1
+bgmontaggi.com, 1
+bgmsquad.com, 1
+bgp.co, 1
+bgr34.cz, 1
+bgs-game.com, 1
+bgtraffic.tk, 1
+bh-oberland.de, 1
+bh.sb, 1
+bhacit.com, 0
+bhaiben.com, 1
+bhameshwarigraphics.com, 1
+bhanaphotography.co.nz, 1
+bharat-media.tk, 1
+bharatanatyam-dancer.tk, 1
+bharath-g.in, 1
+bharatskills.gov.in, 1
+bhat.vn, 1
+bhatia.at, 1
+bhavansvidyamandir.tk, 1
+bhaweshkumar.com, 1
+bhbet365.com, 1
+bhcarroll.edu, 1
+bhf.im, 1
+bhfseo.com, 1
+bhi.consulting, 1
+bhiglu.com, 1
+bhitnews.tk, 1
+bhitti.in, 1
+bhodisoft.com, 1
+bhogavati.tk, 1
+bhosted.nl, 1
+bhpropco.com, 1
+bhrenovations.com, 1
+bhserralheria.com.br, 1
+bhsooq.com, 1
+bhtechconnection.com, 0
+bhtelecom.ba, 1
+bhub.tk, 1
+bhuntr.com, 1
+bhuvanreddy.space, 1
+bhvapers.com, 1
+bhxch.moe, 1
+bi-fazlasi.com, 1
+bi-in-beeld.nl, 1
+bi-jenny.net, 1
+bi-medien.de, 1
+bi.search.yahoo.com, 0
+bi1gif.radio, 1
+bi3e.ma, 1
+bi4sb.com, 1
+bi8cku.club, 1
+bi8cku.tech, 1
+bia.gov, 1
+bia3consultores.es, 1
+biaform.be, 1
+biagiowineandspirits.com, 1
+biahposter.com, 1
+bialamydlarnia.pl, 0
+biancadark.tk, 1
+biancapulizie.it, 1
+biancasalgueiro.tk, 1
+biancavandenberg.nl, 1
+biancazapatka.com, 1
+bianco-band.tk, 1
+bianinapiccanovias.com, 1
+biano-ai.com, 1
+biantai.cf, 1
+biantai.ml, 1
+biantti.md, 1
+bianyanan.xyz, 1
+biaoxiong.com, 1
+biaozi.cf, 1
+biaozi.ml, 1
+biarritzboys.tk, 1
+biaservice.cz, 1
+biasmath.es, 1
+biathloncup.ru, 1
+biaxin.cf, 1
+biaxin.ml, 1
+bibanks.com, 1
+biber-bike.de, 1
+biberonshop.bg, 1
+bibet365.com, 1
+bibi-xxx.com, 1
+bibica.net, 1
+bibimanga.com, 1
+bibit.id, 1
+bibitbunga.com, 1
+bible-maroc.com, 1
+bible4u.net, 1
+biblebrainhealth.com, 1
+bibleforchildren.ru, 1
+bibleinsiderest.ga, 1
+biblereadlist.com, 1
+biblesearch.tw, 1
+biblesignposts.com, 1
+bibleversesfordailyliving.com, 1
+biblia.es, 1
+bibliaon.com, 1
+bibliatodo.com, 1
+biblicalbeliefs.org, 1
+biblicalcounseling.com, 1
+biblicaudio.org, 1
+biblico.tk, 1
+biblicom.org, 1
+biblinfo.com, 1
+bibliobaldur.tk, 1
+biblioblog.fr, 1
+bibliobus.ch, 1
+bibliomarkt.ch, 1
+biblionaut.net, 1
+biblionix.com, 1
+biblionix.info, 1
+biblionix.net, 1
+biblionix.org, 1
+biblionix.us, 1
+biblioporn.com, 1
+bibliotecadeseguranca.com.br, 1
+bibliotecaguate.ml, 1
+bibliotecasantaoliva.tk, 1
+bibliotecaumana.it, 1
+biblioteka-online.tk, 1
+biblioteka17.tk, 1
+bibliotekarien.se, 1
+bibliotekasnow.org, 1
+bibliotekha.org, 1
+bibliotheka.tk, 1
+bibloteka.com, 1
+biblura.com, 1
+biboran.ga, 1
+bibra.bid, 1
+bibuch.com, 1
+bibun.gq, 1
+bicaraviral.com, 1
+bicecontracting.com, 1
+bicestore.cl, 1
+bicha.net, 1
+bichonfrise.com.br, 1
+bichonmaltes.com.br, 1
+bicicletassym.com, 1
+bicignet.ga, 1
+bicommarketing.com, 1
+bicranial.io, 0
+bicromoestudio.com, 1
+bicstone.me, 1
+bicubic.tk, 1
+bicycle-events.com, 1
+bicyclesoftheworld.com, 1
+bidaah.tk, 1
+bidadari.my, 1
+bidc.ltd, 1
+biddl.com, 1
+biddle.co, 1
+biddr.com, 1
+biddulphinbloom.org.uk, 1
+bidenstopdeportations.com, 1
+bidlab.org, 1
+bidmachine.io, 1
+bidman.cz, 1
+bidman.eu, 1
+bidoluindirim.com, 1
+bidonline.tk, 1
+bidviewmarketing.com, 1
+bie.edu, 1
+bieg.tk, 1
+biegal.ski, 1
+biegi.tk, 1
+biegner-technik.de, 1
+biehlsoft.info, 1
+biekos.com, 1
+bielefailed.de, 1
+bielemenklen.tk, 1
+bielik.io, 1
+biempire.com, 1
+bien-etre-beaute.fr, 1
+bien-etre-sante.info, 1
+bienbailao.com, 1
+biene.rocks, 1
+bienenfreunde.tk, 1
+bienestarinmobiliarioyaliadas.com, 1
+bienhacerlimpiezas.es, 1
+bienici.com, 1
+bienoubien.org, 1
+biensenvue.com, 1
+bienstar.tv, 1
+biensup.com, 1
+biensur.ch, 1
+bienvenidoamerica.com, 1
+bienvenue.tk, 1
+bier-brothers.tk, 1
+bier.law, 1
+bier.legal, 1
+bierbaumer.net, 1
+bierbringer.at, 1
+bierbrouwerijderoos.nl, 1
+bieresamanger.fr, 1
+bierlegal.com, 1
+bierochs.org, 1
+bierrunde.de, 1
+bierwebshop.be, 1
+bieser.ch, 1
+biester.pro, 1
+bietigheim-digital.tk, 1
+bietinidesign.be, 1
+bieville-beuville.fr, 1
+biewen.me, 0
+biffo.com, 1
+biflosgknm.tk, 1
+bifrost.cz, 1
+bifrostwallet.com, 1
+biftin.net, 1
+big-black.de, 1
+big-books.gq, 1
+big-brother.ga, 1
+big-daishowa.co.jp, 1
+big-daishowa.com, 1
+big-file.tk, 1
+big-music.tk, 1
+big-office.lviv.ua, 1
+big-orange.com.ua, 1
+big-papa.tk, 1
+big-tits-video.ru, 1
+big-travel.tk, 1
+big.ua, 1
+big.wtf, 1
+big80s.tk, 1
+bigalba.ga, 1
+bigambitions.co.za, 1
+bigart.tk, 1
+bigassmonster.com, 1
+bigasstubes.com, 1
+bigband-a.com, 1
+bigband.tk, 1
+bigbarbe.com, 1
+bigbearkh.com, 0
+bigbearlakecoins.com, 1
+bigbeats.tk, 1
+bigbeautysecrets.tk, 1
+bigbendcoffeeroasters.com, 0
+bigbendguide.com, 1
+bigbendsentinel.com, 1
+bigbenny.tk, 1
+bigbit.tk, 1
+bigblockmotors.ru, 1
+bigblue.co.il, 1
+bigbluecomputers.tk, 1
+bigbluedoor.net, 1
+bigboard.tk, 1
+bigboobporn.com, 1
+bigbooty.tv, 1
+bigbootytube.net, 1
+bigboris.tk, 1
+bigbouncebouncycastles.co.uk, 1
+bigbouncetheory.co.uk, 1
+bigbounceuk.com, 1
+bigboyhub.com, 1
+bigbroeyes.com, 1
+bigbuild.vic.gov.au, 1
+bigbunce.ru, 0
+bigbyte.com.np, 1
+bigcakes.dk, 1
+bigchance.tk, 1
+bigchris.tk, 1
+bigcitylife.fr, 1
+bigclassaction.com, 1
+bigcomputerchair.gq, 1
+bigcorestintas.com.br, 1
+bigcountry.com.br, 1
+bigdaddyslash.tk, 1
+bigdatatop.cf, 1
+bigdayproductions.biz, 1
+bigdesiresolutions.co.za, 1
+bigdiff.co.uk, 1
+bigdinosaur.org, 1
+bigdiscounts.tk, 1
+bigeaglesacademy.gq, 1
+bigeasyfences.com, 1
+bigeasygrille.com, 0
+bigfreebet.com, 1
+bigfreebielist.tk, 1
+biggernews.gq, 1
+biggerpicture.agency, 1
+biggerpockets.com, 1
+biggive.org, 1
+biggles.io, 1
+biggsconstruction.com, 1
+biggy.kiev.ua, 1
+bighappy.com, 1
+bighome.ml, 1
+bighorn.co.jp, 1
+bighugbotanicals.com, 1
+bigid.com, 1
+bigideachallenge.org, 1
+bigio.com.br, 1
+bigland.com, 1
+biglapa.ru, 1
+biglistofporn.com, 1
+biglu.eu.org, 1
+bigmoney.nu, 1
+bigmonsters.tk, 1
+bigmountainmail.com, 1
+bigmuff.duckdns.org, 1
+bignaturals.com, 1
+bignet.bid, 0
+bigone.com, 1
+bigopr.com, 1
+bigorangelab.com, 1
+bigpage.tk, 1
+bigpanparties.co.uk, 1
+bigphilsrubbishremoval.com, 1
+bigpicturerecords.com, 1
+bigprintinglasvegas.com, 1
+bigpurse.tk, 1
+bigrapidstownshipmi.gov, 1
+bigrender.tk, 1
+bigrivercn.com, 1
+bigriverintl.com, 1
+bigriverjp.com, 1
+bigriverservs.com, 1
+bigsam.us, 1
+bigseo.ml, 1
+bigseo.tk, 1
+bigshare.ga, 1
+bigshopper.com, 1
+bigshort.org, 1
+bigsister.tk, 1
+bigskyhomebuyers.com, 1
+bigskylifestylerealestate.com, 1
+bigskymontanalandforsale.com, 1
+bigsmallhosting.com, 1
+bigsolar.com, 1
+bigspark.it, 1
+bigstonecounty.gov, 1
+bigstr.com, 1
+bigthree.ga, 1
+bigthunder.ca, 1
+bigtimeiq.com, 1
+bigtitsmilf.com, 1
+bigtix.io, 0
+bigtown.tk, 1
+bigtstexasbbq.com, 1
+bigudi.ee, 1
+bigudi.eu, 1
+biguz.net, 1
+bigwaterut.gov, 1
+bigwicks.co.uk, 1
+bigzoo.com.br, 1
+biigtigconsulting.ca, 1
+biip.lt, 1
+bij-juud.nl, 1
+bijlesbart.nl, 1
+bijlesportal.nl, 1
+bijloke.gent, 1
+bijlokesite.be, 1
+bijlokesite.gent, 1
+bijou.be, 1
+bijoux-fantaisies.eu, 1
+bijoux.com.br, 1
+bijouxbrasil.com.br, 1
+bijouxcherie.com, 1
+bijuteria-venetia.ro, 1
+bijuteriavenetia.ro, 1
+bijzonderekoorprojecten.nl, 1
+bike-kurse.ch, 1
+bike-liptov.tk, 1
+bike-shack.com, 1
+bike-style.tk, 1
+bikebay.it, 1
+bikebristol.com, 1
+bikeclub.tk, 1
+bikehistory.org, 1
+bikemaniacs.tk, 1
+bikemi.com, 1
+bikemod.de, 1
+bikerawardsers.ga, 1
+bikerawardsest.ga, 1
+bikerebel.com, 1
+bikerestart.com, 1
+bikersclub.tk, 1
+bikersmadrid.es, 1
+bikerteeshop.com, 1
+bikesandbits.tk, 1
+bikeshopitalia.com, 1
+bikesquadron.com, 1
+bikestream.tk, 1
+bikesupermarket.it, 1
+biketalk.ga, 1
+biketrainer.tk, 1
+bikhof.com, 1
+biki.com, 1
+bikini-shop.tk, 1
+bikini.tk, 1
+bikinibich.tk, 1
+bikinis.ga, 1
+bikinis.tk, 1
+bikkelbroeders.com, 0
+bikkelbroeders.nl, 0
+biknet.tk, 1
+bikyaku.fun, 1
+bilalozdemir.me, 1
+bilanca.com.hr, 1
+bilar.tk, 1
+bilbao.tk, 1
+bilbud.tk, 1
+bilder-designs.de, 1
+bilderload.com, 1
+bildermachr.de, 1
+bilderrahmen-baer.de, 1
+bilderrahmen-schluechtern-sinntal.de, 1
+bildiri.ci, 1
+bildkomponist.de, 1
+bildschirmflackern.de, 1
+bildung-mv.de, 0
+bilecikhaberleri.tk, 1
+biletkesfet.com, 1
+biletru.net, 1
+biletturk.tk, 1
+biletvkrym.ga, 1
+biletyplus.by, 1
+biletyplus.com, 1
+biletyplus.ru, 1
+biletyplus.ua, 1
+bilgehan.net, 1
+bilgiliksel.com, 1
+bilgireis.com, 1
+bilgisayarkursu.tk, 1
+bilgo.com, 1
+bilhos.com.tr, 1
+bilibili.link, 1
+bilibili.party, 1
+bilimal.kz, 1
+bilimoe.com, 1
+bilingualunit.tk, 1
+bilirrubina.com, 1
+bilisimdanismani.com, 1
+biliwind.com, 1
+biljettmonster.se, 1
+bilke.org, 1
+bilkovita.bg, 1
+bilkovitinkturi.bg, 1
+billaltermatt.com, 1
+billarpool.cl, 1
+billaud.eu, 1
+billaud.eu.org, 1
+billboard-panama.ml, 1
+billbuddy.co.uk, 1
+billchen.win, 0
+billcompare.ga, 1
+billcomparison.ga, 1
+billetes.gov, 1
+billets-avion.tk, 1
+billetto.co.uk, 1
+billetto.dk, 1
+billetto.eu, 1
+billetto.it, 1
+billetto.se, 1
+billfazz.com, 1
+billgatos.tk, 1
+billgoldstein.name, 1
+billgradywebdesign.com, 1
+billhartzer.com, 1
+billiardmaster.com.ua, 1
+billiebikes.com, 1
+billigastehemsidan.se, 1
+billiger-mietwagen.de, 1
+billigerfinder.de, 1
+billigesommerhuse.nu, 1
+billigflug.tk, 1
+billigpoker.dk, 1
+billigtech.tk, 1
+billingsgazette.com, 1
+billingsgroup.com, 0
+billingsmtpublicworks.gov, 1
+billionaire.ml, 1
+billionaire365.com, 1
+billionkiaparts.com, 1
+billkochman.com, 1
+billo.life, 1
+billogram.com, 1
+billpay.com, 1
+billpro.com.au, 1
+billrobinson.io, 1
+billusherwood.com, 1
+billview.com.au, 1
+billwebb.com.au, 1
+billy.pictures, 1
+billybluerecords.com, 1
+billybob.tk, 1
+billyjamrecords.com, 1
+billykwok.me, 1
+billyoh.com, 1
+billywig.stream, 1
+biloxihistoricalsociety.org, 0
+biloxisportfishing.com, 1
+bilsho.com, 1
+biltullen.com, 1
+bim.finance, 1
+bim.physio, 1
+bim0s.com, 1
+bimacitizen.com, 1
+bimatoprostrx.com, 1
+bimbingan.tk, 1
+bimbobakeriesusa.com, 0
+bimedis.com, 1
+bimhomes.vn, 1
+bimibroccoli.co.uk, 1
+bimibroccoli.com, 1
+bimibroccoli.dk, 1
+bimibroccoli.it, 1
+bimibroccoli.nl, 1
+bimibroccoli.se, 1
+bimibrocoli.es, 1
+bimibrocoli.fr, 1
+bimibrokkoli.de, 1
+bimigroup.org, 1
+bimmerlabs.com, 1
+bimoge.tk, 1
+bimsynergistics.com, 1
+bimtec.jp, 1
+bin-laden.org, 1
+bin95.com, 1
+bina.az, 1
+binaa.co.il, 1
+binairy.com, 1
+binairy.nl, 1
+binam.center, 0
+binans.com, 1
+binans.com.tr, 1
+binans.io, 1
+binans.net, 1
+binaries.fr, 1
+binaries.tk, 1
+binarization.net, 1
+binary.house, 1
+binary.ninja, 1
+binaryabstraction.com, 1
+binaryappdev.com, 1
+binarycom.ch, 1
+binarycreations.scot, 1
+binaryevolved.com, 1
+binarypuzzle.nl, 1
+binarystud.io, 1
+binaryvision.tk, 1
+binbaz.org.sa, 1
+binbin9.com, 1
+binbo.cz, 1
+binbo.sk, 1
+bind.ch, 1
+bindb.com, 1
+binding-problem.com, 1
+bindingspines.com, 1
+binds.co, 1
+bindsolutions.com, 1
+binezalohar.tk, 1
+binf.tk, 1
+bing, 1
+bing-cdn.com, 1
+bing-cdn.xyz, 1
+bing.com, 1
+bingcheung.com, 1
+bingchunmoli.com, 1
+bingebooks.com, 1
+binggun.com, 1
+binghamcountyid.gov, 1
+binghamid.gov, 1
+bingning.com, 1
+bingo-wear.com, 1
+bingo9.net, 1
+bingobank.org, 1
+bingoblue.com, 1
+bingoclub.ga, 1
+bingocounterers.ga, 1
+bingoela.com, 1
+bingofriends.com, 1
+bingohalls.ca, 1
+bingoporno.com, 1
+bingospelen.tk, 1
+bingothemesers.ga, 1
+bingothemesest.ga, 1
+bingyou.com, 1
+binhdang.me, 0
+binhex.net, 1
+binhminhpc.com, 1
+binimo.com, 1
+biniou.net, 1
+binkanhada.biz, 1
+binkconsulting.be, 1
+binkert-treuhand.ch, 1
+binnacle.mx, 1
+binnen-buten.de, 1
+binnenmeer.de, 1
+binoculars.ga, 1
+binoqlo.com, 1
+binoro.de, 1
+binpress.com, 1
+binson-museum.tk, 1
+binsp.net, 1
+bintach.com, 1
+bintanglautplatinum.com, 1
+bintangtop.com, 1
+bintelligence.cl, 1
+bintelligence.info, 1
+bintelligence.nl, 1
+bintra.directory, 1
+bintube.com, 1
+bio-disinfestazione.it, 1
+bio-dolt-aveyron.fr, 1
+bio-farma.net, 1
+bio-feed.org, 1
+bio-kertem.hu, 1
+bio-place.com, 1
+bio-plus.cz, 1
+bio-verzeichnis.de, 1
+bio24.si, 0
+bioadva.com, 1
+bioarc.com.au, 1
+bioarchlinux.org, 1
+bioatrium.com, 1
+bioaufvorrat.de, 1
+bioblog.tk, 1
+biobone.net, 1
+biobuttons.ch, 1
+biocal.eu, 1
+biocal.nl, 1
+biocarbonregistry.com, 1
+biocentricinc.com, 1
+biochart.ga, 1
+biocheminee.com, 1
+bioclaudia.it, 1
+biocrafting.net, 0
+biodaan.com, 1
+biodieselbr.com, 1
+biodieseldata.com, 1
+biodieselpumps.com, 1
+biodit.com, 0
+biodobavki.tk, 1
+biodots.at, 1
+biodots.eu, 1
+biodots.info, 1
+biodots.it, 1
+bioedilizia.roma.it, 1
+bioemsan.cz, 0
+bioenergie-eferding.at, 1
+bioenergy-solutions.eco, 1
+bioequivalence.design, 1
+bioetco.ch, 1
+bioexistencialismo.tk, 1
+bioexploratorium.pl, 1
+biofattorietoscane.it, 1
+biofeedback-luzern.ch, 1
+biofizpribor.ru, 1
+bioforce.tk, 1
+biogaspuxin.es, 1
+biogecho.ch, 0
+biogeist.de, 1
+biogenius.ca, 0
+biogiardinaggio.it, 1
+biographyseriesers.ga, 1
+biographyseriesest.ga, 1
+biohappiness.com, 1
+bioharmony.ca, 1
+biohazardland.tk, 1
+biohazardonline.tk, 1
+biohazardous.tk, 1
+bioinfo-diag.fr, 1
+bioinformaticsweb.tk, 1
+biointelligence-explosion.com, 1
+biokal-labsystems.eu, 1
+biokal-labsystems.nl, 1
+biokal.com, 1
+biokal.eu, 1
+biokal.nl, 1
+biokemonline.com, 1
+bioknowme.com, 1
+biokoxomodding.tk, 1
+biol.moscow, 1
+biol.spb.ru, 1
+biolack.cf, 1
+biolact.tk, 1
+bioleev.sklep.pl, 1
+biolegsanonims.tk, 1
+bioligo.ch, 0
+biolika.ua, 1
+biolingzhipro.my.id, 1
+biolink.vn, 1
+biolinky.co, 0
+biolmarket.ru, 1
+biologiaygeologia.tk, 1
+biologie-seite.de, 1
+biologis.ch, 1
+biologo.club, 1
+biology-colleges.com, 1
+biologymusicvideos.com, 1
+biologynest.com, 1
+biologyoftrauma.com, 1
+biomarket24.pl, 1
+biomasscore.com, 1
+biomassinfo.jp, 1
+biomathalliance.org, 1
+biomax-mep.com.br, 1
+biomechanics.tk, 1
+biomechanoid.tk, 1
+biomed-hospital.ch, 1
+biomed-sparepart.com, 1
+biomed.ch, 1
+biomedsciinstrum.org, 1
+biomedyczne.pl, 1
+biometriccoe.gov, 1
+biometrics.gov, 1
+biometservices.com, 1
+biomin.co.uk, 1
+biomod.tk, 1
+biomodra.cz, 1
+bionic-karnage.tk, 1
+bionicman.name, 1
+bionovanaturalpools.com, 1
+biontech24.pl, 1
+biontechworld.com, 1
+biopreferred.gov, 1
+biopro-st.com, 1
+biopsychiatry.com, 1
+bioreference.com, 1
+bioresonanz-ibiza.com, 1
+biosafe.ch, 0
+biosalts.it, 1
+biosbits.org, 1
+bioscience.co.uk, 1
+biosearch.tk, 1
+bioseguridad.gob.pa, 1
+bioselect.com.cy, 1
+bioshine.com.sg, 1
+bioshome.de, 1
+biosignalanalytics.com, 1
+biosky.tk, 1
+biospw.com, 1
+biostaffic.com, 1
+biostar.com.tw, 1
+biosuit.ga, 1
+biosupplyalliance.com, 1
+biot.tk, 1
+biotal.ua, 1
+biotanquesbts.com, 1
+biotec.tk, 1
+biotecommunity.com, 1
+bioteebook.com, 1
+biotin.ch, 1
+biotin24.cf, 1
+biotorrents.de, 1
+biotraxx.com, 1
+biouhli.com, 1
+biouhli.cz, 1
+biouhli.sk, 1
+bioweingut-baumann.de, 1
+biowtage.cf, 1
+biowtage.gq, 1
+bip-online.tk, 1
+bip.gov.sa, 0
+bipart.eu, 1
+bipartisanreport.com, 1
+bipedecurieux.com, 1
+bipolardisorderexplained.com, 1
+bipolargeek.com, 1
+bipolargeek.net, 1
+bipolargeek.org, 1
+bipolarworld.us, 1
+bippassistant.com, 1
+birahugo.tk, 1
+birchbarkfurniture.ch, 1
+birchbarkfurniture.com, 0
+birchbarkfurniture.fr, 0
+birchtree.me, 1
+bird-tech.co.uk, 1
+bird.engineer, 1
+birdbox.party, 1
+birdbrowser.com, 1
+birdbutt.com, 1
+birdgifs.nz, 1
+birdiehosting.nl, 1
+birdist.com, 1
+birdrave.com, 1
+birdsite.ga, 1
+birdslabel.com, 1
+birdsnow.com, 1
+birdwatchireland.ie, 1
+birdymanbestreviews.com, 1
+birebirvilla.com, 1
+birenbaum.se, 1
+birgit-rydlewski.de, 1
+birgitandmerlin.com, 1
+birjdid.tk, 1
+birkanpusa.com.tr, 1
+birkengarten.ch, 1
+birkenstab.de, 1
+birkhoff.me, 0
+birkilise.com, 1
+birkilise.net, 1
+birkilise.org, 1
+birkman.com, 0
+birlikdayanisma.com, 1
+birman.tk, 1
+birminghamairportparking24.co.uk, 1
+birminghamal911.gov, 1
+birminghammoneyman.com, 1
+birminghamorthospine.com, 1
+birminghamsunset.com, 1
+birnenhain.de, 1
+birobidjan.tk, 1
+birone.tk, 1
+bironthemes.com, 1
+birosuli.hu, 1
+birouldeimagine.ro, 1
+birpufnoktasi.com, 1
+birra.tk, 1
+birrapenombra.tk, 1
+birtamode.tk, 1
+birtebrorson.dk, 1
+birthday-to-you.com, 1
+birthdayapp.io, 1
+birthdayapp.today, 1
+birthdaybuzz.org, 1
+birthdayinsiderest.ga, 1
+birthlight-austria.com, 1
+birthright.host, 1
+birtles.blog, 1
+birulevo.tk, 1
+birwa.tk, 1
+birzan.org, 1
+birzman.ga, 1
+bis-jeddah.com, 1
+bis.gov, 1
+bisa-sis.net, 1
+bischoff-mathey.family, 1
+biscuit.town, 1
+biscuitcute.com.br, 1
+biscuitflatsopenhouse.com, 1
+biscuits-rec.com, 1
+biscuits-shop.com, 1
+biser-borisov.eu, 1
+biser.online, 1
+biserica-antiohia.ro, 1
+bishopjordan.com, 1
+bishopscourt-hawarden.co.uk, 1
+bishopston.net, 1
+bishoptx.com, 1
+bisigorta.com, 1
+bisik.ml, 1
+bisix.tk, 1
+bismantova.tk, 1
+bismarck-tb.de, 1
+bismarcktribune.com, 1
+bismi.solutions, 0
+bismuth.it, 1
+bisnis.com, 1
+bisnisesteen.tk, 1
+bisnisfmcg.com, 1
+bisnisinternetgratis.tk, 1
+bisnismuda.id, 1
+bisnisonlinecerdas.tk, 1
+biso.ga, 1
+bisoga.ga, 1
+bisq.chat, 1
+bisq.community, 1
+bisq.markets, 1
+bisq.ninja, 1
+bisq.services, 1
+bisq.wiki, 1
+bisrockloverclan.tk, 1
+bisrockonline.tk, 1
+bissalama.org, 1
+bisschopssteeg.nl, 1
+bissokush.cf, 1
+bistro-dengi.ml, 1
+bistrocean.com, 0
+bistrodeminas.com, 1
+bistrozaim.ml, 1
+bit-cloud.de, 1
+bit-flex.com, 1
+bit-rapid.com, 0
+bit-saar.de, 1
+bit-sentinel.com, 1
+bit.cloud, 1
+bit.li, 1
+bit8.com, 0
+bitaccelerate.com, 1
+bitace.com, 0
+bitazza.com, 1
+bitbank.cc, 1
+bitbank.cf, 1
+bitbincomputers.com, 1
+bitbonus.cf, 1
+bitbonusss.tk, 1
+bitbotster.com, 1
+bitbox.me, 1
+bitbroker.exchange, 1
+bitbucket.com, 1
+bitbucket.io, 1
+bitbucket.org, 1
+bitburner.de, 1
+bitcalt.eu.org, 1
+bitcalt.ga, 1
+bitchesabroad.com, 1
+bitchyjana.com, 1
+bitclusive.de, 1
+bitcoin-2go.de, 1
+bitcoin-about.tk, 1
+bitcoin-casino-no-deposit-bonus.com, 1
+bitcoin-casino.monster, 1
+bitcoin-class.com, 1
+bitcoin-daijin.com, 1
+bitcoin-exchange.ga, 1
+bitcoin-fauset.cf, 1
+bitcoin-india.net, 1
+bitcoin-india.org, 1
+bitcoin-news.info, 1
+bitcoin-newsbiz.com, 1
+bitcoin-now.ga, 1
+bitcoin-only.com, 1
+bitcoin-wizards.com, 1
+bitcoin-youtube.net, 1
+bitcoin.asia, 1
+bitcoin.ch, 1
+bitcoin.co.nz, 1
+bitcoin.de, 1
+bitcoin.foundation, 1
+bitcoin.im, 1
+bitcoin.info, 1
+bitcoin.ninja, 1
+bitcoin.org, 1
+bitcoin.us, 1
+bitcoinapi.de, 1
+bitcoinbitcoin.com, 1
+bitcoinbot.cf, 1
+bitcoinbot.ga, 1
+bitcoinbot.tk, 1
+bitcoincasino.link, 1
+bitcoincasino.monster, 1
+bitcoincasino.tech, 1
+bitcoincasino.today, 1
+bitcoincasinos.pro, 1
+bitcoincore.org, 1
+bitcoineffect.ml, 1
+bitcoinfaucet.tech, 1
+bitcoinfax.net, 1
+bitcoinfees.net, 1
+bitcoinforthe.lol, 1
+bitcoinforthe.world, 1
+bitcoinfy.net, 1
+bitcoingambling.pro, 1
+bitcoingames.world, 1
+bitcoingroup.ga, 1
+bitcoinheaders.net, 1
+bitcoinheaders.org, 1
+bitcoinindy.com, 1
+bitcoinissafe.com, 1
+bitcoinjpn.com, 1
+bitcoinkaufen.me, 1
+bitcoinkaufen.news, 1
+bitcoinku.sh, 1
+bitcoinkurs.news, 1
+bitcoinkurs.world, 1
+bitcoinnews.digital, 1
+bitcoinnews.guru, 1
+bitcoinnews.world, 1
+bitcoinprice.buzz, 1
+bitcoinprice.international, 1
+bitcoinprice.news, 1
+bitcoinprice.pizza, 1
+bitcoinprice.rocks, 1
+bitcoinprice.world, 1
+bitcoinreserve.com, 1
+bitcoinseed.net, 1
+bitcoinset.pl, 1
+bitcoinskoers.nl, 1
+bitcoinslots.info, 1
+bitcoinstandard.jp, 1
+bitcoinstock.ga, 1
+bitcointask.net, 1
+bitcointech.ga, 1
+bitcointransfer.tk, 1
+bitcointv.com, 1
+bitcoinwalletscript.tk, 1
+bitcoinwarszawa.pl, 1
+bitcoinx.ro, 1
+bitcork.io, 1
+bitcrazy.org, 1
+bitdefender.de, 1
+bitdelta.com, 1
+bitdizzle.xyz, 1
+bitdocs.xyz, 1
+bitdynamics.au, 1
+bitech-ec.com, 1
+bitedu.pt, 1
+bitehazard.cz, 1
+bitenose.com, 1
+bitenose.org, 1
+bitewinggames.com, 1
+bitex.la, 1
+bitfarm-archiv.com, 1
+bitfarm-archiv.de, 1
+bitfasching.de, 0
+bitfashion.pt, 1
+bitfehler.net, 1
+bitfinder.nl, 1
+bitforge.tk, 1
+bitforming.com, 1
+bitfortune.fund, 1
+bitfuse.net, 1
+bitga.in, 1
+bitgarant.tk, 1
+bitgo.com, 1
+bithosting.pt, 1
+bititrain.com, 1
+bitix.tk, 1
+bitjunkiehosting.com, 1
+bitkan.com, 1
+bitkiselreyonum.com, 1
+bitkub-app.com, 1
+bitkub-int.com, 1
+bitlair.nl, 1
+bitlaunch.io, 1
+bitlink.id, 1
+bitljettnu.gq, 1
+bitlo.com, 1
+bitlo.com.tr, 1
+bitlo.io, 1
+bitlo.org, 1
+bitloco.net, 1
+bitmag.ml, 1
+bitmaincare.com.ua, 1
+bitmaincare.ru, 1
+bitmainwarranty.com.ua, 1
+bitmainwarranty.ru, 1
+bitmarket.net, 1
+bitmart.com, 1
+bitmart.cool, 1
+bitmessage.ch, 1
+bitmexin.com, 1
+bitmidi.com, 1
+bitmine.gq, 1
+bitmix.biz, 1
+bitmoe.com, 1
+bitmoji.com, 1
+bitms.tk, 1
+bitname.it, 1
+bitnoder.com, 1
+bitnoise.nl, 1
+bitnovo.com, 1
+bito3d.com.br, 1
+bitovayatehn.tk, 1
+bitpod.de, 1
+bitpumpe.net, 1
+bitradius.com, 1
+bitrate.tk, 1
+bitredirixe.top, 1
+bitref.com, 1
+bitrefill.com, 1
+bitrefill.info, 1
+bitrefill.me, 1
+bitrush.nl, 1
+bits-chips.nl, 1
+bits-hr.de, 0
+bitsafe.com.my, 1
+bitsalt.com, 1
+bitsellx.com, 1
+bitseo.ga, 1
+bitseo.tk, 1
+bitshaker.net, 1
+bitsight.net, 1
+bitsimnow.com, 1
+bitsimnow.se, 1
+bitsinex.com, 1
+bitsite.com, 1
+bitski.com, 1
+bitsler.ie, 1
+bitso.com, 1
+bitsoffreedom.nl, 1
+bitspaceonline.ml, 1
+bitstack.nz, 1
+bitstage.uk, 1
+bitstorm.nl, 1
+bitstorm.org, 1
+bitsync.nl, 1
+bitten.pw, 1
+bittentechsolutions.in, 1
+bitterley.org.uk, 1
+bitterspringscabins.com.au, 1
+bittersweetcandybowl.com, 1
+bittervault.xyz, 1
+bittimaatti.fi, 1
+bittiraha.fi, 1
+bitton.com.au, 1
+bittounsi.com, 1
+bittrend.ga, 1
+bittrust.com, 1
+bittylicious.com, 1
+bitunit.tk, 1
+bitvest.io, 1
+bitvise.com, 1
+bitwarden.com, 1
+bitwardit.com, 1
+bitwards.io, 1
+bitwardsdev.com, 1
+bitwoci.pt, 1
+bitwolk.nl, 1
+bitwrought.net, 1
+bitxel.com.co, 1
+bityes.org, 1
+biupay.com.br, 1
+biurokarier.edu.pl, 1
+biuropulawy.pl, 1
+bivg.ru, 1
+bivvy.com, 1
+bixbasement.com, 1
+bixbydevelopers.com, 1
+bixservice.com, 1
+biysk.ml, 1
+biz-academy.it, 1
+biz-pak.ml, 1
+biz-secrety.cf, 1
+biz-secrety.ga, 1
+biz-secrety.gq, 1
+biz-secrety.ml, 1
+biz-seecrets.gq, 1
+biz4solutions.com, 1
+biz4x.com, 0
+bizapps.lv, 1
+bizarrefuture.cf, 1
+bizbelarus.tk, 1
+bizboatest.ga, 1
+bizcalcs.com, 1
+bizcatalyst360.com, 1
+bizcope.com, 1
+bizdemevcut.com.tr, 1
+bizdir.tk, 1
+bizeau.ch, 1
+bizedge.co.nz, 1
+bizequals.com, 1
+bizfavor.ml, 1
+bizgo.nl, 1
+bizify.co.uk, 1
+bizlatinhub.com, 1
+bizleal.com, 1
+bizmax.ltd, 1
+bizmonthly.com, 1
+biznes-bum.tk, 1
+biznes-sekrety.gq, 1
+biznes-sekrety.tk, 1
+biznes.cf, 1
+biznes4you.ml, 1
+biznesone.ga, 1
+biznesonline.info, 1
+biznesowe.pl, 1
+biznet.tk, 1
+bizniskatalog.mk, 1
+biznotes.ru, 1
+biznpro.ru, 1
+bizoneplan.com, 1
+bizontrip.com, 1
+bizophub.com, 1
+bizopia.com, 1
+bizor.tk, 1
+bizpay.su, 1
+bizprom.ga, 1
+bizstart.ga, 1
+bizstarter.cz, 1
+bizsugar.ga, 1
+bizteam.ga, 1
+biztera.com, 1
+biztok.eu, 1
+biztositok.com, 1
+biztouch.work, 1
+biztrend.ru, 1
+bizuteria-laoni.tk, 1
+bizuteria-naprezent-szczecin.ml, 1
+bizval.co, 1
+bizzdesign.com, 1
+bizzix.tk, 1
+bizzseo.tk, 1
+bizzvisor.site, 0
+bizzybee.buzz, 1
+bizzysites.gr, 1
+bj-caffe.tk, 1
+bja.gov, 1
+bjargradakerfi.is, 1
+bjarnerest.de, 0
+bjarno.xyz, 1
+bjbybbs.com, 1
+bjc.hu, 1
+bjcw.com, 1
+bjecard.buzz, 1
+bjelimici.com, 1
+bjerregaard.me, 1
+bjfuli.com, 1
+bjgwyj.com, 1
+bjjmississauga.com, 1
+bjl688.cc, 1
+bjm-gembas.be, 1
+bjmgeek.science, 1
+bjoern-thoroe.de, 1
+bjolanta.pl, 1
+bjordanov.com, 1
+bjorknet.com, 1
+bjornerastrefelling.no, 1
+bjornhelmersson.se, 1
+bjornjohansen.no, 1
+bjs.com.au, 1
+bjs.gov, 1
+bjsbouncycastles.com, 1
+bjshare.com, 1
+bjsms.de, 1
+bjtxl.cn, 1
+bjugard.io, 1
+bjut.photos, 1
+bjxx.com, 1
+bk-art.ru, 1
+bk-info.lt, 1
+bk1x.mobi, 1
+bk1xbet.mobi, 1
+bk27.ru, 1
+bk622.com, 1
+bk725.com, 1
+bka.li, 1
+bkentertainments.co.uk, 1
+bkfplaner.com, 1
+bkgatl.com, 1
+bkhonnun.is, 1
+bkhpilates.co.uk, 1
+bkin-15340.space, 1
+bkin-15451.space, 1
+bkin-15530.website, 1
+bkin-15777.website, 1
+bkin-16490.space, 1
+bkin-16543.website, 1
+bkin-16836.space, 1
+bkin-17242.website, 1
+bkin-18126.website, 1
+bkin-18399.space, 1
+bkin-18734.top, 1
+bkin-18822.space, 1
+bkin-18825.space, 1
+bkin-18888.space, 1
+bkin-19138.website, 1
+bkin-19335.website, 1
+bkin-19342.space, 1
+bkin-19827.space, 1
+bkin-20245.space, 1
+bkin-20467.website, 1
+bkin-20855.space, 1
+bkin-21332.website, 1
+bkin-21703.space, 1
+bkin-21882.website, 1
+bkin-22350.website, 1
+bkin-22808.website, 1
+bkin-22962.space, 1
+bkin-23261.website, 1
+bkin-23612.space, 1
+bkin-23658.website, 1
+bkin-23906.website, 1
+bkin-24119.space, 1
+bkin-24239.space, 1
+bkin-24456.space, 1
+bkin-25297.space, 1
+bkin-25798.website, 1
+bkin-25982.xyz, 1
+bkin-26191.top, 1
+bkin-26470.xyz, 1
+bkin-27135.xyz, 1
+bkin-27185.xyz, 1
+bkin-27262.xyz, 1
+bkin-27733.top, 1
+bkin-27825.space, 1
+bkin-28035.xyz, 1
+bkin-28589.xyz, 1
+bkin-28659.xyz, 1
+bkin-28749.xyz, 1
+bkin-28767.space, 1
+bkin-28946.xyz, 1
+bkin-29253.xyz, 1
+bkin-29349.xyz, 1
+bkin-29531.xyz, 1
+bkin-29696.xyz, 1
+bkin-29957.space, 1
+bkin-29993.xyz, 1
+bkin-30246.xyz, 1
+bkin-30429.xyz, 1
+bkin-30668.xyz, 1
+bkin-30794.xyz, 1
+bkin-30845.xyz, 1
+bkin-30862.xyz, 1
+bkin-30883.xyz, 1
+bkin-31087.website, 1
+bkin-31170.xyz, 1
+bkin-31436.xyz, 1
+bkin-31447.xyz, 1
+bkin-31656.xyz, 1
+bkin-31789.xyz, 1
+bkin-31972.xyz, 1
+bkin-32482.xyz, 1
+bkin-32486.xyz, 1
+bkin-32744.xyz, 1
+bkin-32863.xyz, 1
+bkin-33383.xyz, 1
+bkin-33544.xyz, 1
+bkin-33740.xyz, 1
+bkin-33813.xyz, 1
+bkin-33970.xyz, 1
+bkin-34233.xyz, 1
+bkin-34299.xyz, 1
+bkin-34456.xyz, 1
+bkin-34797.xyz, 1
+bkin-35189.xyz, 1
+bkin-35365.xyz, 1
+bkin-35372.xyz, 1
+bkin-35499.xyz, 1
+bkin-35692.xyz, 1
+bkin-36700.xyz, 1
+bkin-36749.xyz, 1
+bkin-37699.xyz, 1
+bkin-37873.xyz, 1
+bkin-37968.xyz, 1
+bkin-38134.xyz, 1
+bkin-38325.xyz, 1
+bkin-38877.xyz, 1
+bkin-39139.xyz, 1
+bkin-39933.xyz, 1
+bkin-40545.xyz, 1
+bkin-41419.xyz, 1
+bkin-41934.xyz, 1
+bkin-41976.xyz, 1
+bkin-42525.xyz, 1
+bkin-42740.xyz, 1
+bkin-43450.xyz, 1
+bkin-46680.xyz, 1
+bkk24.de, 1
+bkkposn.com, 1
+bklaindia.com, 1
+bkmexpress.com.tr, 1
+bkms-system.com, 1
+bkositspartytime.co.uk, 1
+bkphcoop.com, 1
+bkpm.tj, 1
+bksites.tk, 1
+bkt.to, 1
+bl-builder.tk, 1
+bl0ck.org, 1
+bl4ckb0x.biz, 1
+bl4ckb0x.com, 1
+bl4ckb0x.de, 1
+bl4ckb0x.eu, 1
+bl4ckb0x.info, 1
+bl4ckb0x.net, 1
+bl4ckb0x.org, 1
+blaa-arme.tk, 1
+blaarmeersen.be, 1
+blaasmuziek-laarbeek.nl, 1
+blaauwgeers.pro, 1
+blaauwgeers.wiki, 1
+blabber.im, 1
+blabla.rocks, 0
+blablacar.co.uk, 1
+blablacar.com, 1
+blablacar.com.br, 1
+blablacar.com.tr, 1
+blablacar.com.ua, 1
+blablacar.cz, 1
+blablacar.de, 1
+blablacar.es, 1
+blablacar.fr, 1
+blablacar.hr, 1
+blablacar.hu, 1
+blablacar.in, 1
+blablacar.it, 1
+blablacar.mx, 1
+blablacar.nl, 1
+blablacar.pl, 1
+blablacar.pt, 1
+blablacar.ro, 1
+blablacar.rs, 1
+black-air-rpg.com, 1
+black-diamonds.cf, 1
+black-flirt.de, 1
+black-friday.org.il, 1
+black-ghost.tk, 1
+black-goldautokozmetika.hu, 1
+black-hair-extension.tk, 1
+black-holes.org, 1
+black-magic-love-spells.com, 1
+black-mail.nl, 1
+black-market.ga, 1
+black-pool.net, 1
+black-rider-studio.eu, 1
+black-rosella.tk, 1
+black-side.tk, 1
+blackandblond.tk, 1
+blackandwhite.tk, 1
+blackapron.com.br, 1
+blackarch.org, 1
+blackarts.co.za, 1
+blackashstudio.com, 1
+blackassassins.tk, 1
+blackbag.nl, 1
+blackbam.at, 1
+blackbbwvideos.com, 1
+blackbean.tk, 1
+blackbird-whitebird.com, 1
+blackbirdproperties.tk, 1
+blackbox.earth, 1
+blackboxcity.tk, 1
+blackbrookwi.gov, 1
+blackbyrne.com, 1
+blackbyte.it, 1
+blackcastle.tk, 1
+blackcat.ca, 1
+blackcatcard.com, 1
+blackcatinformatics.ca, 1
+blackcatinformatics.com, 1
+blackcatwanderlust.com, 1
+blackchristmas.tk, 1
+blackchrome.com.au, 1
+blackcicada.com, 1
+blackco.ga, 1
+blackcountrymusicband.co.uk, 1
+blackdiam.net, 1
+blackdoordc.com, 1
+blackdown.de, 1
+blackdragoninc.org, 1
+blackeaglenet.tk, 1
+blackedbyte.com, 1
+blackenedsoil.com, 1
+blackestdespondency.tk, 1
+blackeyes.gq, 1
+blackeyes.tk, 1
+blackfeather.in, 1
+blackfire.io, 1
+blackfirecrew.tk, 1
+blackfold.ca, 1
+blackforeststheoriginal.cf, 1
+blackforeststheoriginal.ga, 1
+blackforeststheoriginal.ml, 1
+blackforlife.me, 1
+blackfriday-sales.co.uk, 1
+blackfridaynew.com, 1
+blackgamelp.de, 1
+blackgoat.tk, 1
+blackhail.tk, 1
+blackhat.dk, 1
+blackhat.nz, 1
+blackhawk.io, 1
+blackheads.tk, 1
+blackheartbar.com, 1
+blackhelicopters.net, 1
+blackhillsinfosec.com, 1
+blackhistorymonth.gov, 1
+blackidfound.org, 1
+blackisbetter.com, 1
+blackjackballroomcasino.info, 1
+blackjackprogramest.ga, 1
+blackjaguar.tk, 1
+blackjaxamity.com, 1
+blackkeg.ca, 1
+blackl.net, 1
+blacklane.com, 1
+blacklava.tk, 1
+blacklightparty.be, 1
+blacklist.support, 1
+blacklodge.tk, 1
+blacklotusaudio.com, 1
+blackmagick-candles.com, 1
+blackmagickwitch.com, 1
+blackmagicshaman.com, 1
+blackmaleme.com, 1
+blackmark.me, 1
+blackmarlinship.com, 1
+blackmaskpro.gq, 1
+blackmesa.com, 1
+blackmetalencyclopedia.tk, 1
+blackmetalist.tk, 1
+blackmetaller.tk, 1
+blackmilftube.com, 1
+blackminds.tk, 1
+blackmistery.tk, 1
+blackmodelsusa.tk, 1
+blackoutzone.tk, 1
+blackpapermoon.de, 1
+blackpayment.ru, 1
+blackphantom.de, 1
+blackphoenix.de, 1
+blackpi.dedyn.io, 1
+blackpooltransport.com, 1
+blackportal.tk, 1
+blackpurl.com, 1
+blackriverfalls.tk, 1
+blackriverfallswi.gov, 1
+blackrockvet.ie, 1
+blackroses.tk, 1
+blacksamantha.tk, 1
+blackscytheconsulting.com, 1
+blackseals.net, 1
+blacksega.ga, 1
+blacksentry.io, 1
+blackshark.cf, 1
+blackslots.club, 1
+blacksniffer.tk, 1
+blackspark.tk, 1
+blackspider.tk, 1
+blacksport.ru, 1
+blacksprut.com, 1
+blackstoneone.net, 1
+blackstonepress.tk, 1
+blackstonetubrefinishers.ca, 1
+blackstrapsecurity.com, 1
+blackstudio.fr, 1
+blackstump.xyz, 1
+blacksuitmedia.com, 0
+blacksvets.co.uk, 1
+blackswan.tk, 1
+blackswancompany.com, 1
+blackswirl.com, 1
+blackteam.org, 1
+blacktemplars.tk, 1
+blacktown.eu, 1
+blacktownbuildingsupplies.com.au, 1
+blacktube.tv, 1
+blacktubes.cf, 1
+blacktubes.ga, 1
+blacktubes.ml, 1
+blacktype.bet, 1
+blackvinegarcollection.com, 0
+blackwaterlounge.com, 1
+blackwaterutilities.tk, 1
+blackwellsupport.com, 1
+blackwidow.tk, 1
+blackwire.tk, 1
+blackwoodrugby.tk, 1
+blackwoodseventcenter.com, 1
+blackwoodsprotector.co.nz, 1
+blackworld.ga, 1
+blackwot.ru, 0
+blackyau.cc, 0
+blackys-chamber.de, 0
+blackzebra.audio, 1
+blade-online.tk, 1
+bladencountync.gov, 1
+blaetter.de, 1
+blaeu.com, 1
+blagger.tk, 1
+blaggo.com, 1
+blago-sostoyanie.ga, 1
+blago-sostoyanie.gq, 1
+blago-sostoyanie.ml, 1
+blago.tk, 1
+blagomed.by, 1
+blagosvet.ml, 1
+blague.tk, 1
+blahaj.eu, 1
+blaindalefarms.com, 1
+blainecosheriff-ok.gov, 1
+blairmitchelmore.com, 1
+blairtalbotmotors.com, 1
+blairtownshipmi.gov, 1
+blaise.io, 1
+blaizer.tk, 1
+blake-thickbroom.co.uk, 1
+blakecoin.org, 1
+blakecommagere.com, 1
+blakekhan.com, 1
+blakeminer.com, 1
+blakenichols.com, 1
+blakescrepes.com, 1
+blakezone.com, 1
+blako-squad.tk, 1
+blakylle.de, 1
+blan.tk, 1
+blanboom.org, 1
+blancamartinez.com, 1
+blanchardandcalhoun.com, 1
+blanchardinstitute.org, 1
+blanchardla.gov, 1
+blanchardvillewi.gov, 1
+blanchescornwall.co.uk, 1
+blancmeteore.com, 1
+blancoltd.co.uk, 1
+blanickymanifest.eu, 1
+blankersfamily.com, 1
+blanket.technology, 1
+blanketsofhopepa.org, 1
+blankhang.com, 1
+blankpage.link, 1
+blanksreload.com, 1
+blankstore.com.pe, 1
+blankstyle.com, 1
+blantik.net, 1
+blantr.com, 1
+blanx.de, 1
+blanzastore.com.br, 1
+blasdelamo.es, 1
+blaser.com, 1
+blasflittchen.net, 1
+blasorchester-runkel.de, 1
+blastentertainment.co.nz, 1
+blastentertainment.com.au, 1
+blastersklan.com, 1
+blastoffbuisness.in, 1
+blastofftherapy.com, 1
+blastoise186.co.uk, 1
+blasunafotocadadia.com, 1
+blathinwheatens.tk, 1
+blatino.com, 1
+blatnic.eu, 1
+blatnice.cf, 1
+blatnice.fun, 1
+blatnice.ga, 1
+blatnice.gq, 1
+blatnice.ml, 1
+blatnice.online, 1
+blatnice.tk, 1
+blau-weiss-aachen.de, 1
+blau-weiss-stolberg.de, 1
+blaudev.es, 1
+blauesschwarz.de, 0
+blauglockenbaum.de, 1
+blaumedia.com, 1
+blautiefe.de, 1
+blauwereigercoaching.nl, 1
+blauwgras.nl, 1
+blauwwit.be, 1
+blavandbike.de, 1
+blavandbike.dk, 1
+blavaty.tk, 1
+blayne.me, 0
+blayneallan.com, 0
+blazebd.com, 1
+blazeeria.com, 1
+blazefire.tk, 1
+blazeweb.ml, 1
+blazing.cz, 1
+blazingsaddles.ga, 1
+blazingsuns.tk, 1
+blazor.nl, 1
+blbet365.com, 1
+blblblblbl.fr, 0
+blc.net.au, 1
+blcandleco.com, 1
+bleachbattalion.tk, 1
+bleaching-tipps.de, 1
+bleaklyrics.tk, 1
+bleatingsheep.org, 1
+bleche-onlineshop.at, 1
+bleche-onlineshop.de, 1
+blechschmidt.saarland, 1
+bledina.com, 1
+bleedingcool.com, 1
+bleedmoneyest.ga, 1
+bleekerenbleeker.nl, 1
+bleep.zone, 1
+blegalservicespty.com, 1
+blekingeopen.tk, 1
+blend.works, 1
+blender.io, 1
+blenderinsider.com, 1
+blenderrecipereviews.com, 1
+blendessencial.com, 1
+blending.kr, 1
+blendle.nl, 1
+blenneros.net, 0
+blero.tk, 1
+blessedgeeks.org, 1
+blessedgeeks.social, 1
+blessedguy.com, 1
+blessings24x7.com, 1
+blessingtransportbromoijen.com, 1
+blessrank.com, 1
+bleta.io, 1
+bleuwire.com, 1
+blevinstirepros.com, 1
+blewebprojects.com, 1
+bleyershoes.com, 1
+blheritage-tours.com, 0
+blic-zajm.gq, 1
+blichmann.eu, 1
+blicy.net, 1
+blideobames.com, 1
+blids.nl, 1
+blidz.com, 0
+blieque.co.uk, 1
+bliesener.com, 1
+blijfbij.com, 1
+blijfbij.eu, 1
+bliker.ga, 1
+blikund.swedbank.se, 1
+blinblin.la, 1
+blind-iq.at, 1
+blind-iq.com, 1
+blind-iq.cz, 1
+blind-iq.de, 1
+blind-iq.dk, 1
+blind-iq.es, 1
+blind-iq.eu, 1
+blind-iq.fr, 1
+blind-iq.it, 1
+blind-iq.nl, 1
+blind-iq.pl, 1
+blind-iq.se, 1
+blind-iq.sk, 1
+blindaryproduction.tk, 1
+blindenfreizeiten.de, 1
+blindfold.cf, 1
+blindfold.ga, 1
+blindler.net, 1
+blindpigandtheacorn.com, 1
+blindscribblings.com, 1
+blindsjoburg.com, 1
+blindspotstg.wpenginepowered.com, 1
+blingbusinessest.ga, 1
+blingsparkleshine.com, 1
+blink-security.com, 1
+blink.mortgage, 1
+blinkdir.tk, 1
+blinkdrivex.com, 1
+blinken.co, 1
+blinkenlight.com.au, 1
+blinking.life, 1
+blinking.ml, 1
+blinkspeed.eu, 1
+blinniza.tk, 1
+blinq.me, 1
+blio.tk, 1
+blippr.com, 1
+blissbox.com, 1
+blissdrive.com, 1
+blissfulsmile.com, 1
+blissplan.com, 1
+blissso.com, 1
+blissway.tk, 1
+blissy.com.br, 1
+blist.xyz, 1
+blisterreview.com, 1
+blistertrackandtrace.com, 1
+blitz-idee24.de, 1
+blitzarena.io, 1
+blitzga.me, 1
+blitzkrieg.tk, 1
+blitzlotto.tk, 1
+blitzpaintball.net, 1
+blitztesting.com, 1
+blitzvendor.com, 1
+blivawesome.dk, 1
+blivdj.dk, 1
+blivvektor.dk, 1
+blix.tk, 1
+blixpage.tk, 1
+blixtv.com, 1
+blizhost.com, 1
+blizhost.com.br, 1
+blizko.tk, 1
+blk-intern.ch, 1
+blk-kriens.ch, 1
+blkbx.eu, 1
+blkj.com, 1
+bllb.ru, 0
+bllmnn.de, 1
+bllmnn.eu, 1
+bllmnn.net, 1
+blm.gov, 1
+blm36.cc, 1
+blm69.cc, 1
+blnc.gov, 1
+blnsoftware.com, 1
+blo-melchiorshausen.de, 1
+blobby.com, 1
+blobemoji.com, 1
+blobfolio.com, 1
+blobfox.coffee, 1
+blobs.gg, 1
+bloch.sh, 1
+block-planet.xyz, 1
+block-this.com, 1
+block.xyz, 1
+block65.com, 1
+blockchain.com, 1
+blockchain.info, 1
+blockchain.poker, 1
+blockchainbulteni.com.tr, 1
+blockchainreporter.net, 1
+blockchaintech.ga, 1
+blockcheck.network, 1
+blockcreams.com, 1
+blocked.fun, 1
+blocked.icu, 1
+blockedservers.com, 1
+blockedyourcar.com, 1
+blockedyourcar.net, 1
+blockedyourcar.org, 1
+blockhost.net, 1
+blockified.io, 1
+blockinx.com, 1
+blockmetry.com, 1
+blockmomsest.ga, 1
+blocksettle.com, 1
+blockshopauto.com, 1
+blockstream.com, 1
+blockstream.info, 1
+blockstrom.com, 1
+blockstudio.it, 1
+blocktab.io, 1
+blockthis.xyz, 1
+blockvideo.live, 1
+blockwatch.cc, 0
+blockxit.de, 1
+blockyflare.com, 1
+blodeuyn.com, 1
+bloemenbesteld.nl, 1
+bloemendaalsamen.nl, 1
+bloemendal.me, 1
+blog-investimenti.it, 1
+blog-ludmily.ml, 1
+blog-page.tk, 1
+blog-preview.ml, 1
+blog-sat.com, 1
+blog-story.tk, 1
+blog-trawnikowy.pl, 1
+blog.fo, 1
+blog.gov.uk, 1
+blog.gparent.org, 1
+blog.gt, 1
+blog.je, 1
+blog.torproject.org, 0
+blog.vu, 1
+blogabout.ru, 1
+blogabouthealthy.tk, 1
+blogabr.it, 1
+blogaid.net, 1
+bloganchoi.com, 1
+blogaram.tk, 1
+blogarts.net, 1
+blogbegin.xyz, 1
+blogbookcassiopee.fr, 1
+blogbooker.com, 1
+blogbrew.org, 1
+blogbuz.org, 1
+blogcast.com, 0
+blogclouds.com, 1
+blogcosmeticsurgeon.ga, 1
+blogcrimesnews.tk, 1
+blogcuaviet.com, 1
+blogdelgloton.com, 1
+blogdelosjuguetes.com, 1
+blogdeyugioh.com, 1
+blogdieconomia.it, 1
+blogdimoda.com, 1
+blogdimotori.it, 1
+blogdiva.org, 1
+blogdosimoveis.com.br, 1
+blogexpress.org, 1
+blogext.com, 1
+blogfeng.tk, 1
+blogforprofit.tk, 1
+bloggermobile.tk, 1
+bloggermoney.ml, 1
+bloggermumofthreeboys.com, 1
+bloggerse.com, 1
+bloggersonlinetrainings.tk, 1
+bloggervent.com, 1
+bloggerzarausa.ga, 1
+blogging-life.com, 1
+bloggingfusion.com, 1
+bloggingkits.org, 1
+bloggingqna.com, 1
+bloggingtriggers.com, 1
+bloggingwithchildren.com, 1
+blogguitar.tk, 1
+bloggyaani.com, 1
+bloggymoms.com, 1
+bloggytalky.com, 1
+bloghogger.tk, 1
+blogidol.tk, 1
+bloginformatique.ml, 1
+blogit.fi, 1
+blogke.cn, 1
+bloglogistics.com, 1
+blogman.com, 1
+blognews.cf, 1
+blognik.pl, 1
+blognone.com, 1
+blogofapps.com, 1
+blogom.at, 1
+blogotomia.tk, 1
+blogpark.tk, 1
+blogpress.co.il, 1
+blogpronto.com.br, 1
+blogpsy.net, 1
+blogreen.org, 1
+blogsnote.xyz, 1
+blogspasest.ga, 1
+blogssl.com, 0
+blogstar.tk, 1
+blogtechnologiczny.pl, 1
+blogthedata.com, 1
+blogtienao.com, 1
+blogtroterzy.pl, 1
+bloguerrilla.it, 1
+blogvadim.ga, 1
+blogworm.eu, 1
+blokada.org, 1
+blokino.org, 0
+blokmap.be, 1
+blokuhaka.fr, 1
+blomberg.name, 1
+blomberguk.com, 1
+bloms.de, 1
+blonde-hexe.net, 1
+blondish.net, 0
+bloobasket.com, 1
+blood-kirsche.tk, 1
+blood4pets.tk, 1
+bloodandbones.tk, 1
+bloodandhonourcentral.tk, 1
+bloodhaven.tk, 1
+bloodhunt.eu, 1
+bloodmeter.com, 1
+bloodmine.ga, 1
+bloodmissionsest.ga, 1
+bloodpop.tk, 1
+bloodsports.org, 1
+bloodteam.tk, 1
+bloody-hosting.tk, 1
+bloody.pw, 1
+bloodybiz-news.tk, 1
+bloodycraft.ml, 1
+bloodyhawks.tk, 1
+bloom.sh, 1
+bloom.study, 1
+bloomberg.com, 0
+bloombergadria.com, 1
+bloomberglp.com, 0
+bloombergtv.mn, 1
+bloomfield-investment.com, 1
+bloomfire.com, 1
+bloomingpink.in, 1
+bloomingtonelectionsil.gov, 1
+bloomingtonil.gov, 1
+bloomingwoods.tk, 1
+bloomnail.net, 1
+bloomppm.com, 1
+bloomscape.com, 1
+blopezabogado.es, 1
+blorbo.link, 1
+bloscheck.com, 1
+bloscheck.de, 1
+bloscheck.eu, 1
+bloscheck.net, 1
+bloscheck.org, 1
+blossomtexas.gov, 1
+blountsherifftn.gov, 1
+blounttn.gov, 1
+blowingrock.gov, 1
+bloxtimes.com, 1
+blrjmt.com, 1
+blsattestation.com, 1
+blsgermanyvisa.com, 1
+blsindiavisa-uae.com, 1
+blt-avocat-nantes.fr, 1
+bltc.co.uk, 1
+bltc.com, 1
+bltc.net, 1
+bltc.org, 1
+bltc.org.uk, 1
+bltdirect.com, 1
+bluavido.ml, 1
+blubop.fr, 1
+blubracket.com, 1
+blubux.tk, 1
+blucoat.com, 1
+bluconductor.com, 1
+blucouriers.com.au, 1
+bludiode.com, 1
+bludnykoren.ml, 1
+blue-gmbh-erfahrungen.de, 1
+blue-gmbh.de, 1
+blue-olive.co.za, 1
+blue-pool.de, 1
+blue-python.tk, 1
+blue2purple.com, 1
+blue3investimentos.com.br, 1
+blueangel.org.tw, 1
+bluebahari.gq, 1
+bluebird.com, 1
+bluebirdservice.us, 1
+bluebnc.com, 1
+blueboybernie.com, 1
+bluecam.com, 1
+bluecanvas.io, 1
+bluecat.tk, 1
+bluecatnetworks.com, 1
+bluecherry.tk, 1
+bluecoastelectric.com, 1
+bluecoatnetflowsupport.com, 1
+bluecollarfetishwear.com, 1
+bluecosmetics.tk, 1
+bluecrossmn.com, 1
+blued.moe, 1
+bluedeck.org, 1
+bluedivision.tk, 1
+bluedog-security.com, 1
+blueenergy.tk, 1
+blueeyesworld.tk, 1
+bluefieldwv.gov, 1
+bluefieldwvpd.gov, 1
+blueflare.org, 1
+blueflow.pl, 1
+bluefrontier.co.uk, 1
+bluefuzz.nl, 1
+bluegifts.ro, 1
+bluegoat.jp, 1
+bluegolf.com, 1
+bluegorilla.es, 1
+bluegrassprizes.com, 1
+bluehillme.gov, 1
+bluehr.ph, 1
+blueimp.net, 1
+blueinc.com.au, 1
+blueisafety.com, 1
+bluejeans.com, 1
+blueknights6.eu, 1
+bluekrypt.com, 1
+bluelighter.tk, 1
+bluelily.ga, 1
+bluelime.it, 1
+bluelockchapters.com, 0
+bluemagnetinteractive.com, 1
+bluemail24.com, 0
+bluemango-studios.com, 1
+bluemodus.com, 1
+bluemonte.com, 0
+bluemoonrescue.org, 1
+bluemosh.com, 1
+bluemoundtexas.gov, 1
+bluemountain-ms.gov, 1
+bluemtnrentalmanagement.ca, 1
+bluenetworks.xyz, 1
+blueneuron.tk, 1
+blueoakart.com, 1
+blueoceanbrain.com, 1
+blueparrotpainting.com, 1
+bluepearl.tk, 1
+blueperil.de, 1
+blueplanet.social, 1
+blueport.com, 0
+bluepostbox.de, 1
+blueprintrealtytn.com, 1
+blueprintsdogstudio.com, 1
+blueprotocol-cn.com, 1
+bluerange.io, 1
+blueride.se, 1
+blueridge.social, 1
+blueridgemachinery.com, 1
+blueridgeplans.com, 1
+bluerootsmarketing.com, 1
+blues-and-pictures.com, 1
+blues.at, 1
+bluesbarn.tk, 1
+bluesbuyers.com, 1
+bluescape.com, 1
+bluescape.io, 1
+blueshouse.ro, 1
+blueskiesmassage.com, 1
+bluesky-it.uk, 1
+blueskybrokerage.tk, 1
+blueskycantina.com, 1
+blueskycoverage.com, 1
+blueskyinsure.com, 1
+blueskywebdesign.net, 1
+bluesnews.tk, 1
+bluesoap.com.au, 1
+bluespace.ng, 1
+bluespirit.com, 1
+bluestarbus.co.uk, 1
+bluestardiabetes.com, 1
+bluestoneconstruction.com, 1
+bluestrigger.tk, 1
+bluesunhotels.com, 1
+blueswandaily.com, 1
+bluesystem.tk, 1
+bluetape.com, 1
+bluetape.tk, 1
+bluetexservice.com, 1
+bluetime.com, 1
+bluetoothlasersers.ga, 1
+bluetoothspecialist.ga, 1
+bluetrout.nl, 0
+bluewire.ca, 1
+bluewizardart.net, 1
+bluex.im, 1
+bluex.info, 1
+bluex.net, 1
+bluex.org, 1
+blueyonder.com, 1
+bluffcitytn.gov, 1
+bluffplumber.co.za, 1
+bluffsbyowner.com, 1
+bluheron.ca, 1
+blui.co, 1
+blui.ml, 0
+bluiandaj.ml, 1
+bluicraft.tk, 1
+bluimedia.com, 1
+bluinsights.aws, 1
+blumagine.de, 1
+blumando.de, 1
+blumen-garage.de, 1
+blumen-pusch.de, 1
+blumenbasteln.ml, 1
+blumenfeldart.com, 1
+blumenversand.tk, 1
+blumiges-fischbachtal.de, 0
+blummedia.de, 1
+blundell.wedding, 1
+bluntandsnakes.com, 1
+bluntpark.com, 1
+bluprintoncology.com, 1
+bluproducts.com.es, 1
+blur.io, 1
+blurbhack.com, 1
+blurringexistence.net, 1
+blurt.cf, 1
+blushbymounika.com, 1
+blushingweb.tk, 1
+blusmurf.net, 1
+blutooth.ga, 1
+blutspende.de, 1
+bluware.com, 1
+bluxus.com, 1
+bluzone.io, 1
+blv38.fr, 1
+blw-eschwege.de, 1
+blw.moe, 0
+blyat.science, 1
+blyth.me.uk, 1
+blythwood.com, 1
+bm-academy.fr, 1
+bm-dataprotect.ch, 1
+bm-i.ch, 0
+bm-pc.ddns.net, 1
+bm-trading.nl, 1
+bm1.nl, 1
+bmac.cloud, 1
+bmak.me, 1
+bmak.xyz, 1
+bmbfiltration.com, 1
+bmblawfirm.com, 1
+bmelecevolution.com, 1
+bmhglobal.com.au, 1
+bmipestcontrol.com, 1
+bmjphotography.tk, 1
+bmk-kramsach.at, 1
+bmm.com.co, 1
+bmoattachments.org, 1
+bmoe.eu.org, 1
+bmone.net, 1
+bmotorsports.com, 1
+bmr.ar, 1
+bmriv.com, 1
+bmros.com.ar, 1
+bms-cleaning.ro, 1
+bmskibaru.com, 1
+bmsupermercados.es, 1
+bmw-motorradclub-seefeld.de, 1
+bmwcolors.com, 1
+bmwhocking.com, 1
+bmwhocking.nz, 1
+bmwpartsdeal.com, 1
+bmyjacks.cn, 0
+bmzm.nl, 0
+bn9.com.br, 1
+bnb-buddy.nl, 1
+bnbhome.com, 1
+bnboy.cn, 1
+bnbsinflatablehire.co.uk, 1
+bnc.sh, 1
+bnct.us, 1
+bnd.house, 1
+bnews.vn, 1
+bnext.tech, 1
+bngdigital.com, 1
+bngs.pl, 1
+bngsecure.com, 1
+bnin.org, 1
+bnjscastles.co.uk, 1
+bnkconsulting.info, 1
+bnnuy.com, 1
+bnpl.kz, 1
+bnpparibas-am.com, 0
+bnpparibas.be, 1
+bnpparibas.bg, 1
+bnpparibas.co.uk, 1
+bnpparibas.com.hk, 1
+bnpparibas.de, 1
+bnpparibas.es, 1
+bnpparibas.it, 1
+bnpparibas.lu, 1
+bnpparibas.no, 1
+bnpparibas.pt, 1
+bnpparibas.ru, 0
+bnpparibascardif.com.ar, 1
+bnrailstories.com, 1
+bnssigns.com, 1
+bnstree.com, 0
+bnty.net, 1
+bnwrdil.gov, 1
+bo-1xbet.com, 1
+bo-rad.de, 1
+bo.ke, 1
+bo1689.com, 0
+bo4tracker.com, 1
+boa.rw, 1
+boam.nu, 1
+boanastudio.com, 1
+board-portal.org, 1
+board-room.ca, 1
+boardcloud.org, 1
+boardfree.tk, 1
+boardgameforces.com, 1
+boardgamegeeks.de, 1
+boardgameshots.com, 1
+boardingschoolreview.com, 1
+boardlinks.gov.au, 1
+boardroommind.com, 1
+boards.ie, 1
+boardsoftware.net, 1
+boardspot.com, 1
+boardusersers.ga, 1
+boat-engines.eu, 1
+boatandsailboat.com, 1
+boathut.com.au, 1
+boats.com, 0
+boatsandoats.com, 1
+boatsdonated.com, 1
+boatseller.org, 1
+boatsforveterans.org, 1
+boattour.ru, 1
+boattrader.com.au, 1
+boatyardx.com, 1
+boauganda.com, 0
+boazwi.gov, 1
+bob-dylan.tk, 1
+bob-fuchs.de, 1
+bob.nl, 1
+bob.pe, 1
+bobaly.es, 0
+bobancoamigo.com, 1
+bobandbrians.com.au, 1
+bobandducky.com, 0
+bobaobei.net, 1
+bobaobei.org, 1
+bobasy.pl, 1
+bobbyfischer.tk, 1
+bobbyhensley.com, 1
+bobbyoriginal.tk, 1
+bobbyrobinson.tk, 1
+bobcat.com, 1
+bobcoffee.com.br, 1
+bobcopeland.com, 1
+bobek.cz, 1
+bobep.ru, 1
+bobet.it, 1
+bobfilm.ml, 1
+bobigames.com, 1
+bobiji.com, 0
+bobijoel.ml, 1
+bobkidbob.com, 1
+boblog.tk, 1
+boboboboboaji.xyz, 1
+bobobox.net, 1
+bobotie.ga, 1
+bobra.bid, 1
+bobruysk.tk, 1
+bobseven.com, 1
+bobsfhairstyles.ga, 1
+bobstenancycleaning.co.uk, 1
+bobstikkers.be, 1
+bobstronomie.fr, 1
+bobvincent.com, 1
+bocaaboca.ml, 1
+bocabeats.tk, 1
+bocada.com, 1
+bocahkampus.com, 1
+bocal.cf, 1
+bocamo.it, 1
+bocawa.es, 1
+bocbot.tk, 1
+boccabell.com, 0
+bocciatitanium.com, 1
+bochs.info, 1
+bocloud.eu, 1
+boctok.space, 1
+bocusedormauritius.com, 1
+bodas.com.mx, 1
+bodas.net, 1
+bodascartagena.com, 1
+bodclansite.tk, 1
+boddunan.com, 1
+bodegademuebles.com, 1
+bodegagarces.tk, 1
+bodemplaten4x4.nl, 1
+boden.co.uk, 1
+boden.com, 1
+boden.eu, 1
+boden.fr, 1
+bodenclothing.com.au, 1
+bodendirect.at, 1
+bodendirect.de, 1
+bodenpreview.co.uk, 1
+bodenpreview.com, 1
+bodenpreview.de, 1
+bodenusa.com, 1
+bodesi.com, 1
+bodhi.fedoraproject.org, 1
+bodhionline.com, 1
+bodin.cz, 1
+bodivo.vn, 1
+bodixite.com, 1
+bodlsc.com, 1
+bodrumescmagazin.tk, 1
+bodrumfarm.com, 1
+bodrus.com, 1
+bodsch.com, 1
+bodusod.bg, 1
+body-demo.tk, 1
+bodyblockarcade.com, 1
+bodyblog.nl, 1
+bodybuilding.com, 0
+bodybuilding.events, 1
+bodybuilding.nl, 1
+bodybuildingstyle.tk, 1
+bodybuildingsupplementsexplained.com, 1
+bodybuildingworld.com, 1
+bodycare.cn, 1
+bodyecology.com, 1
+bodygearguide.com, 1
+bodyhealthcare.tk, 1
+bodymassage.cf, 1
+bodymfr.com, 1
+bodymod.tk, 1
+bodymusclejournal.com, 1
+bodypad.com, 1
+bodypainting.waw.pl, 1
+bodyshaping.ml, 1
+bodyshopnews.net, 1
+bodytechautomotive.com.au, 1
+bodyweb.com.br, 1
+bodyweightsolution.com, 1
+boealpinelounge.it, 1
+boegli.tk, 1
+boehm.sh, 1
+boehs.org, 1
+boeing747.tk, 1
+boeleo.ru, 1
+boelsen.net, 1
+boem.gov, 1
+boensite.tk, 1
+boenyc.gov, 1
+boerandolphcountyga.gov, 1
+boerderijspel.nl, 1
+boeren.de, 0
+boerger.com, 1
+boesckens.de, 1
+boese.one, 1
+boevik.ml, 1
+boew.de, 1
+bof.fo, 1
+bofashion.site, 1
+boffin.tk, 1
+bofn.com.tr, 1
+bofoxdesign.com, 0
+bogatyizhenih.tk, 1
+bogdanbiris.com, 1
+bogdancornianu.com, 1
+bogdanepureanu.ro, 1
+bogdanov.ga, 1
+bogdanow.tk, 1
+bogdatrend.ml, 1
+bogenexten.com, 1
+bogner.sh, 1
+bogolyandras.com, 1
+bogosity.tv, 1
+bogoslov.tk, 1
+bogozi.com, 1
+bogs.de, 1
+bogtom.tk, 1
+bogus.ltd, 1
+bogwitch.tk, 1
+bohaishibei.com, 1
+bohemiantooers.ga, 1
+bohoprime.com, 1
+bohramt.de, 1
+bohyn.cz, 1
+boikhor.com, 1
+boilermechhr.com, 1
+boilesen.com, 0
+boiliai.lt, 1
+boilingpoint.net, 1
+boimmobilier.ch, 0
+boingboing.net, 1
+boingo00.wtf, 1
+bointon.com, 1
+boip.in, 1
+boira.tk, 1
+boisebirthdoula.com, 1
+boisehomeoffers.com, 1
+boizeau.fr, 1
+bojan.tk, 1
+bojanowskiszkolka.pl, 1
+bojiu99.cc, 1
+bojoproductions.tk, 1
+bokaldo.com, 1
+bokatas.tk, 1
+boke112.com, 1
+bokehandbows.ca, 1
+bokentau-company.kz, 1
+bokhaldari.is, 1
+bokhylle.eu, 1
+bokkeriders.com, 1
+bokkun.jp, 1
+bokov.gq, 1
+boksburgplumbing.co.za, 1
+bokutake.com, 1
+bol.io, 1
+bolalocobrews.co.uk, 1
+bolaodarico.com.br, 1
+bolbilisim.com, 1
+bolcaparca.com.tr, 1
+boldandbra.sh, 1
+boldare.com, 1
+boldbeau.pt, 1
+bolderly.com, 1
+boldhaus.de, 1
+boldinsight.com, 0
+boldium.com, 1
+boldogsagadni.hu, 1
+boldorion.com, 1
+boldsmartlock.com, 0
+bolehvpn.net, 1
+bolektro.de, 1
+bolele.org, 1
+boleleboyz.org, 1
+boleros.tk, 1
+boletosdeavionbaratos.tk, 1
+boleyn.su, 1
+bolgarnyelv.hu, 1
+bolgarus.ru, 0
+bolha.one, 1
+bolicforum.com, 1
+bolid.tk, 1
+bolivar-circuit-clerk.ms, 1
+bolivar80.com, 0
+bolivarchurch.tk, 1
+bolivarfm.com.ve, 1
+boliviaverde.tk, 1
+bolivin.ga, 1
+bollardstreet.com, 1
+bollervilla.de, 1
+bolli.tech, 1
+bollymarket.com, 1
+bollywoodacapellas4djs.tk, 1
+bollywoodfans.tk, 1
+bollywoodgk.tk, 1
+bollywoodhdsongs.tk, 1
+bollywoodstrot.tk, 1
+bologna-disinfestazioni.it, 1
+bolognatoday.it, 1
+bolognatsrmpstrp.it, 0
+bologoe.tk, 1
+bololo.fun, 1
+bolonapps.com, 1
+bolos.tk, 1
+bolosbatiente.tk, 1
+bolsa.tk, 1
+bolsasbellagio.com.br, 1
+bolshevik.tk, 1
+bolshoi.tk, 1
+bolshoy.tk, 1
+bolt.cm, 0
+bolt.com, 1
+bolte.org, 1
+boltmobile.ca, 1
+bolton-consulting.org, 1
+boltonct.gov, 1
+boltreplassen.no, 1
+boluhaberleri.tk, 1
+bolur.is, 1
+boluwebtasarim.cf, 1
+bolverin.tk, 1
+bolzano-bozen.it, 1
+bolzanoavvocati.it, 1
+bolzanoinfo.it, 1
+boma.ml, 1
+bomanufacture.com, 1
+bombard.ga, 1
+bombe-lacrymogene.fr, 1
+bomberosceuta.tk, 1
+bomberus.de, 1
+bombgame.tk, 1
+bombgirls.cf, 1
+bombgirls.ga, 1
+bombgirls.gq, 1
+bombgirls.ml, 1
+bombiaturkiye.cf, 1
+bombo.xyz, 1
+bomboniere.roma.it, 1
+bomenzoeker.nl, 1
+bomhard.de, 1
+bomhard.net, 1
+bomhard.org, 1
+bomnegocioveiculosrs.com.br, 1
+bomnet.tk, 1
+bompus.com, 1
+bon-appetit-wesel.de, 1
+bonaccordpestcontrol.co.uk, 1
+bonaccorso.eu, 1
+bonaemi.ga, 1
+bonami.cz, 1
+bonami.hr, 1
+bonami.hu, 1
+bonami.lt, 1
+bonami.lv, 1
+bonami.pl, 1
+bonami.ro, 1
+bonami.si, 1
+bonami.sk, 1
+bonami.tech, 1
+bonamihome.ro, 1
+bonanzateam.tk, 1
+bonaparte.com.co, 1
+bonapati.tk, 1
+bonapeti.ml, 1
+bonapp.restaurant, 0
+bonaselect.lv, 1
+bonawehouse.co.uk, 1
+bonbonka.best, 1
+bonbonmania.com, 1
+bonbonshop.ro, 1
+bonchaboncha.com.tw, 1
+bondagefetishstore.com, 1
+bondarenko.dn.ua, 1
+bondarenko.tk, 1
+bondcountyil.gov, 1
+bondcountysa.gov, 1
+bondcouponers.ga, 1
+bondingwithbaby.ca, 1
+bondlink.com, 1
+bondmaster.tk, 1
+bondpro.gov, 1
+bondscript.tk, 1
+bondvigilantes.com, 1
+boneanu.tk, 1
+bonebreakers.tk, 1
+bonebunny.de, 1
+boneinlayinteriorfurniture.com, 1
+boneros.tk, 1
+bonesserver.com, 1
+bonexio.tk, 1
+bonfi.net, 1
+bonfire.co.uk, 1
+bonfireleads.com, 0
+bong--brothers.tk, 1
+bongbong-irl.com, 1
+bongbongirl.com, 1
+bongbongmarcos.com, 1
+bonghuyn.com, 1
+bongit.de, 1
+bongjukim.com, 1
+bongloy.com, 1
+bongo.cat, 1
+bongocams.webcam, 1
+bongoland.tk, 1
+bongoo.fr, 1
+bonic.tk, 1
+bonifatius-friedrich.de, 1
+bonify.de, 1
+bonita.com.br, 1
+bonitadesax.com, 1
+bonitamacas.tk, 1
+bonitaslecturas.ml, 1
+bonitasoft.com, 1
+bonitech.co.uk, 1
+bonito.pl, 1
+bonjour.cm, 1
+bonjourimmo.tv, 1
+bonjourmademoiselle.fr, 1
+bonk.pw, 1
+bonkleagues.ml, 1
+bonkotsua.net, 1
+bonn.digital, 1
+bonneannee.tk, 1
+bonnepart.fr, 1
+bonnetmoda.com, 1
+bonnevillecountyidaho.gov, 1
+bonniecoloring.com, 1
+bonniedraw.com, 1
+bonniekitchen.com, 1
+bonnieradvocaten.nl, 1
+bonniestylez.net, 1
+bonnsustainabilityportal.de, 1
+bonnydevil.com, 1
+bono3.ir, 1
+bonobo.cz, 1
+bonprix.co.uk, 1
+bonsai-uk.cf, 1
+bonsaiclubkengai.tk, 1
+bonsaiclubsanvi.tk, 1
+bonsaicrm.com, 1
+bonsaimedia.nl, 1
+bonsaitree.tv, 1
+bonsaj.tk, 1
+bonte.tk, 1
+bonukset.cf, 1
+bonukset.tk, 1
+bonus-club.gq, 1
+bonus-kran.tk, 1
+bonus.ca, 1
+bonus.net.nz, 1
+bonus7.ro, 1
+bonusdigital.id, 1
+bonusov.tk, 1
+bonusup.tk, 1
+bonviveur.com, 1
+bonvorur.is, 1
+bonwari.com, 1
+boo, 1
+boobsgirls.com, 1
+boodmo.com, 1
+boof.com, 0
+boogiedown.tk, 1
+booglobal.com, 1
+boogschutters-perk.tk, 1
+boojiboysbasement.tk, 1
+book-excursion.com, 1
+book-in-hotel.com, 1
+book-online.tk, 1
+book-sites.cf, 1
+book24.ru, 1
+bookameeting.se, 1
+bookb.com, 1
+bookbazar.co.in, 1
+bookcheapairline.com, 1
+bookchums.com, 1
+bookcreator.com, 1
+bookfirm.com, 1
+bookgeek.ga, 1
+bookginawest.com, 1
+bookingdjparis.fr, 1
+bookinghealth.com, 1
+bookingplacecostarica.com, 1
+bookingpressplugin.com, 1
+bookingready.com, 1
+bookingslog.com, 1
+bookingsrit.tk, 1
+bookingtool.com, 1
+bookingtool.net, 1
+bookingworldspeakers.com, 1
+bookitlive.net, 1
+bookmaker.expert, 1
+bookmark.gq, 1
+bookmarkblog.tk, 1
+bookmarkclub.ga, 1
+bookmarkclub.gq, 1
+bookmarkclub.tk, 1
+bookmarked.cf, 1
+bookmarking.ml, 1
+bookmarkingyourbusiness.ga, 1
+bookmarklive.cf, 1
+bookmarklive.tk, 1
+bookmarkseo.gq, 1
+bookmarkseo.tk, 1
+bookmarkup.gq, 1
+bookmarkup.ml, 1
+bookmarkup.tk, 1
+bookmysplash.com, 1
+booknooktutor.com, 1
+bookourdjs.com, 1
+bookposh.com, 1
+bookreport.ga, 1
+books-dowload.tk, 1
+books-ru.tk, 1
+books.co.ua, 1
+booksales.tk, 1
+booksandcoffee.ml, 1
+bookshopofindia.com, 1
+booksinthefridge.at, 1
+booksky.com, 1
+bookslibrarybooks.gq, 1
+booksoncamping.com, 1
+bookstores.gq, 1
+bookstrap.ga, 1
+booksy.com, 1
+booktruestorys.com, 1
+bookvuz.tk, 1
+bookwear.com, 1
+bookwhen.com, 1
+bookworld.gr, 1
+bookwormstory.social, 1
+bookwritingbureau.com, 1
+bookyourdata.com, 1
+bookzaga.com, 1
+bool.be, 1
+booldamm.llc, 1
+boolypan.com, 1
+boom2.network, 1
+boombangcreditos.tk, 1
+boomboomboat.com, 1
+boomcloud.net, 0
+boomerangwater.com, 1
+boomersurf.com, 1
+boomfestival.org, 1
+boomfinity.xyz, 1
+boomingnewtech.com, 1
+boomingofthings.com, 1
+boomshadow.net, 1
+boomshine.de, 1
+boomsocial.com, 1
+boomstyle.com, 1
+boomsual.com, 1
+boomtheme.com, 1
+boomtownevents.com, 1
+boomvm.pw, 1
+boonecountyfpdmo.gov, 1
+boonecountyil.gov, 1
+boonecountyne.gov, 1
+boonecountywv.gov, 1
+boonecsdia.gov, 1
+booneiowa.gov, 1
+boonemo.gov, 1
+boonshoft.com, 1
+booox.biz, 1
+booox.cc, 1
+booox.net, 1
+booox.org, 1
+booox.pw, 1
+boop.gq, 1
+boop.icu, 1
+booq.org, 1
+booquiz.com, 1
+booshka.ga, 1
+boosinflatablegames.co.uk, 1
+boosman.nu, 1
+boosmanpoolservice.com, 1
+boost-collective.com, 0
+boost.ink, 1
+boostdesign.tk, 1
+boostermachine.com, 1
+boostertonbusiness.com, 1
+boostgame.win, 1
+boostitco.com, 1
+boostplm.com, 1
+boostport.com, 1
+boostport.com.au, 1
+boostroom.com, 1
+boostup.com.tr, 1
+booths.cyou, 1
+bootlesshacker.com, 1
+boots-shop.tk, 1
+bootsa.ga, 1
+bootsa.tk, 1
+bootswinter.tk, 1
+bootsy.org, 1
+bootytube.net, 1
+boozinyan.com, 1
+bopiweb.com, 1
+bopyx.com, 0
+boraarat.com, 1
+boraboraphotos.com, 0
+boracay.tk, 1
+boraclub.com, 1
+boraescolher.com.br, 1
+borafalardeguito.com, 1
+borahan.net, 0
+boranco.tk, 1
+borasol.tk, 1
+borba-umov.tk, 1
+borche-imm.eu, 1
+borchers-media.de, 1
+borchers.ninja, 1
+bordadoenpedreria.com, 1
+borde.network, 1
+bordeiu.ro, 1
+bordelique.tk, 1
+bordercolli.tk, 1
+bordercollie.tk, 1
+bordercolliesworkingdogs.tk, 1
+bordercrossingux.com, 1
+borderfever.cf, 1
+borderfever.ga, 1
+borderfever.ml, 1
+borderlens.com, 1
+borderless.ro, 1
+borderless360.com, 0
+borderpatroledu.org, 1
+bordersbuses.co.uk, 1
+borderzoo.tk, 1
+bordes.me, 1
+bordo.com.au, 1
+bordoeurope.com, 1
+bordonisport.com, 1
+borduurcadeau.tk, 1
+borduurpatronen.tk, 1
+borduurshophengelo.nl, 1
+bore.lt, 1
+borealis.gg, 1
+borealis.su, 1
+boredhackers.com, 1
+boredhoard.com, 1
+boredhousewifeconfessions.cf, 1
+boredhousewifeconfessions.ga, 1
+boredhousewifeconfessions.ml, 1
+borein.cf, 1
+boreo.si, 1
+boresmail.ru, 1
+borfin.com, 1
+borgcube.com, 1
+borgmann-krankenfahrten.de, 1
+borgmestervangen.xyz, 1
+borgoaureo.com, 1
+borgodigatteraia.it, 1
+borgshof.tk, 1
+borhunter.pl, 0
+boringnews.tk, 1
+boringpoll.com, 1
+boringsmith.com, 1
+borisenko-alexander.com, 1
+borisenko.by, 1
+borislam.tk, 1
+borisof.tk, 1
+borja.io, 1
+borjaacost.com, 1
+borjalucero.es, 1
+borlangefk.tk, 1
+borman.biz, 1
+born2bounce.co.uk, 1
+born2dance.tk, 1
+bornandgrazed.com, 1
+borneodictionary.com, 1
+bornfiber.dk, 1
+bornhack.dk, 1
+bornreality.tk, 1
+borntobetogether.eu, 1
+borntocover.pl, 1
+borntoraid.com, 1
+boros.tk, 1
+borowski.pw, 1
+borraxeiros.tk, 1
+borriquillacuenca.tk, 1
+borsa2k.com.tr, 1
+borsodsakk.hu, 1
+bortebest.no, 1
+bortoto.asia, 1
+bortoto.fans, 1
+bortoto.net, 1
+bortoto.org, 1
+borygoai.org, 1
+borysek.net, 1
+borysenko.se, 1
+borzamalta.com.mt, 1
+borzaresearch.com, 1
+borzov.tk, 1
+bosabosa.org, 0
+bosanski-forum.com, 1
+bosanskinovi.tk, 1
+bosattondskap.tk, 1
+bosbandarq.cc, 1
+bosbandarq.info, 1
+bosbandarq.net, 1
+bosbandarq.org, 1
+bosburyhistoryresource.org.uk, 1
+boscawennh.gov, 1
+boschee.net, 1
+boschhirtshals.dk, 1
+boschveldtuin.nl, 1
+boscobelwi.gov, 1
+bosconation.tk, 1
+boscq.fr, 1
+bosdubica.tk, 1
+bosekarmelitky.cz, 1
+bosengineering.be, 1
+bosiquanao.vn, 1
+boskant.tk, 1
+bosnia-online.tk, 1
+bosniaks.com, 1
+bosonogka.tk, 1
+bospiraat.tk, 1
+bospor.tk, 1
+bosquedelasimagenes.tk, 1
+boss.az, 1
+bossefors.tk, 1
+bossurl.tk, 1
+bostan.com, 1
+boston-molly.tk, 1
+boston-sailing.com, 1
+bostonadvisors.com, 0
+bostonaoii.com, 1
+bostonblockchainassociation.org, 1
+bostonews.tk, 1
+bostonfast.com, 1
+bostonivy.co, 1
+bostonmedicalgroup.com, 1
+bostonsportsmedicinemd.com, 1
+bosun.io, 1
+boswellboropd-pa.gov, 1
+bot-manager.pl, 1
+botanical-design.nl, 1
+botanical.house, 1
+botanicoved.com, 1
+botanischkunstenaarsnederland.nl, 1
+botarticle.ga, 1
+botbrother.ml, 1
+botdiril.com, 1
+botealis.ch, 0
+botelegram.tk, 1
+botguard.net, 1
+bothive.io, 1
+boticadiservicio.com, 1
+botija.tk, 1
+botika.online, 1
+botikadiservisio.com, 1
+botipedia.tk, 1
+botmaker.tk, 1
+botmanager.pl, 1
+botmedia.cf, 1
+botnam.com, 1
+botoes-primor.pt, 1
+botoks.tk, 1
+botox.bz, 1
+botpago.cl, 1
+botsa.com, 1
+botschaften-an-das-volk-gottes.de, 0
+botserver.de, 1
+botsindiscord.me, 1
+botstack.host, 1
+botticelli.tk, 1
+bottinquebec.com, 1
+bottke.berlin, 1
+bottle.li, 1
+bottlecapsbev.com, 1
+bottlerockshuttles.com, 1
+bottly.in, 1
+bottom9clothing.com, 1
+bottomfeedings.tk, 1
+bou.cloud, 1
+bou.ke, 1
+bouah.net, 0
+bouallaoui.tk, 1
+boubyranol-biere.com, 1
+bouchard-mathieux.com, 1
+boucherie-charcuterie.ca, 1
+boucherie-restaurant-les-provinces.fr, 1
+bouchonville-knifemaker.com, 1
+bouckaert-usedcars.be, 0
+bouckaert.co, 1
+boudah.pl, 1
+bouffartigue.fr, 1
+bougeer.gent, 1
+bougepourtoi.tk, 1
+bougeret.fr, 1
+bougerpourmasante.com, 1
+bougharios.com, 1
+boughariosbros.com, 1
+bouldercounty.gov, 1
+bouldercountyassessor.gov, 1
+bouldercountydronepilot.com, 1
+bouldercountyhhs.gov, 1
+bouldercountynavigatingdisaster.gov, 1
+bouldercountyrecovery.gov, 1
+bouldercountytreasurer.gov, 1
+bouldercountyvotes.gov, 1
+boulderdowntown.com, 1
+boulderodm.gov, 1
+bouldersheriff.gov, 1
+boulderswap.com, 1
+boulderwagonroad.org, 1
+boulebar.duckdns.org, 1
+boulevard-ruijschenbergh.nl, 1
+boulstory.ru, 1
+boulzicourt.fr, 1
+boumstudio.com, 1
+bounce-a-roo.co.uk, 1
+bounce-abouts.com, 1
+bounce-n-go.co.uk, 1
+bounce-on.co.uk, 1
+bounce-r-us.co.uk, 1
+bounce-xtreme.co.uk, 1
+bounce4fun.co.uk, 1
+bounce4kidz.com, 1
+bounce4less.ie, 1
+bouncea-bout.com, 1
+bounceaboutnewark.co.uk, 1
+bounceaboutsussex.co.uk, 1
+bouncealotnorthwest.co.uk, 1
+bounceapp.com, 1
+bouncearoundinflatable.com, 1
+bouncearoundsheffield.co.uk, 1
+bounceawaycastles.com, 1
+bouncebackcastles.co.uk, 1
+bouncebookings.com.au, 1
+bouncecrazy.ie, 1
+bouncemaniaevents.co.uk, 1
+bouncemaniainflatables.co.uk, 1
+bouncenortheast.co.uk, 1
+bouncenpaint.co.uk, 1
+bounceroos-bouncycastles.co.uk, 1
+bounceroosevents.co.uk, 1
+bouncers-bouncycastlehire.co.uk, 1
+bouncesquad.co.uk, 1
+bouncetasticuk.co.uk, 1
+bouncetheparty.co.uk, 1
+bouncetothebeat.tk, 1
+bounceunlimited.co.uk, 1
+bouncewithbovells.com, 0
+bouncincastles.co.uk, 1
+bouncing4joy.co.uk, 1
+bouncingbuzzybees.co.uk, 1
+bouncinghigher.co.uk, 1
+bouncingscotland.com, 1
+bouncourseplanner.net, 1
+bouncy-castles-surrey.co.uk, 1
+bouncy-tots.co.uk, 1
+bouncybaileys.co.uk, 1
+bouncyball.eu, 1
+bouncyballs.org, 1
+bouncybouncyboocastlehire.co.uk, 1
+bouncycastle.net.au, 1
+bouncycastlehire-norwich.com, 1
+bouncycastlehire.co.uk, 1
+bouncycastlehireauckland.co.nz, 1
+bouncycastlehirebexley.co.uk, 1
+bouncycastlehirechelmsford.org.uk, 1
+bouncycastlehirehull.co.uk, 1
+bouncycastlehirelouth.co.uk, 1
+bouncycastlehiremalvern.co.uk, 1
+bouncycastlehiresurrey.co.uk, 1
+bouncycastlehirewinchester.co.uk, 1
+bouncycastleman.co.uk, 1
+bouncycastleparade.com, 1
+bouncycastlesgalway.com, 1
+bouncycastleshire.co.uk, 1
+bouncycastlesin.co.uk, 1
+bouncycastlesinderby.co.uk, 1
+bouncycastlesisleofwight.co.uk, 1
+bouncycastlesmonaghan.com, 1
+bouncycastlesperth.net, 1
+bouncycastlessheerness.co.uk, 1
+bouncydays.co.uk, 1
+bouncygiggles.com.au, 1
+bouncyhigher.co.uk, 1
+bouncykingdom.co.uk, 1
+bouncykings.co.uk, 1
+bouncykingsnortheast.co.uk, 1
+bouncykingsofleicester.co.uk, 1
+bouncymacs.co.uk, 1
+bouncyrainbows.co.uk, 1
+bouncytime.co.uk, 1
+bound2bounce.co.uk, 1
+boundaryford.com, 1
+boundaryvets.co.uk, 1
+boundladies.ga, 1
+boundless-designs.com, 1
+boundlessmediausa.com, 1
+bounouh.tk, 1
+bountiful.ag, 1
+bountiful.gov, 1
+bounty.fund, 1
+bounty.software, 1
+bountyfactory.io, 0
+bountyhunter.tk, 1
+bountyhunteredu.org, 1
+bountyhuntermetaldetector.tk, 1
+bourangstudios.com, 1
+bourasse.fr, 1
+bourbo.net, 1
+bourbonridgeretreat.com, 1
+bourestonmedia.com, 1
+bourgeoisdoor.com, 1
+bourgeoisdoorco.com, 1
+bourhis.info, 1
+bourne-ma.gov, 1
+bournefun.co.uk, 1
+bourrasque-info.org, 1
+bourrelier.be, 1
+bourse-aux-jouets.org, 0
+bourse-aux-vetements.org, 0
+bourse-puericulture.org, 0
+bourseauxservices.com, 1
+bourtalm.fr, 1
+boutibag.com, 1
+boutique-pcland.fr, 1
+boutique.be, 1
+boutiquecoureurdesbois.ca, 1
+boutiquedecanetas.com.br, 1
+boutiquedelhogar.cl, 1
+boutiquedoartista.com.br, 1
+boutiqueguenaelleverdin.com, 1
+boutiqueinove.com.br, 1
+boutiquesette.bg, 1
+boutoncoupdepoing.fr, 1
+bouvier-des-flanders.com, 1
+bouville.fr, 0
+bouw.live, 1
+bouwbedrijfdesmet.be, 1
+bouwbedrijfjstam.nl, 1
+bouwbedrijfkorstanje.nl, 1
+bouwma.nl, 1
+bouwplaatscheckin.nl, 1
+bouwstenen.com, 1
+bouzouada.com, 1
+bouzouks.net, 1
+bovender.de, 1
+bovenwebdesign.nl, 1
+bovileva.com.ua, 1
+bovworkplacepensions.com, 1
+bowdens.me, 1
+bowdoinmaine.gov, 1
+bowelcontroltherapy.com, 1
+bowhill.me, 1
+bowhunter-ahorn.de, 0
+bowlcake.fr, 1
+bowldirectoryest.ga, 1
+bowlidex.com, 1
+bowling.com, 1
+bowmanwilliams.com, 0
+bowmar.gov, 1
+bownhpd.gov, 1
+bowntycdn.net, 1
+bowwowinsurance.com.au, 1
+box.bz, 1
+box.lol, 1
+box2.cz, 1
+boxalouer78.fr, 1
+boxbuttecountyne.gov, 1
+boxclaw.com, 1
+boxclub-marburg.de, 1
+boxcritters.wiki, 1
+boxcryptor.com, 0
+boxdevigneron.fr, 1
+boxdroplacrosse.com, 1
+boxeomexicano.tk, 1
+boxer-shorts.net, 1
+boxerdogdiaries.com, 1
+boxerdogsaspets.com, 1
+boxfly.com, 1
+boxhall.co.uk, 1
+boxhostserver.com, 1
+boxing-kangaroo.ga, 1
+boxing-videos.com, 1
+boxing247.com, 1
+boxingclubduval.com, 1
+boxingnews.co, 1
+boxingnews24.com, 1
+boxingrankings.co, 1
+boxingschedule.co, 1
+boxintense.com, 0
+boxiruem.ru, 1
+boxlegal.es, 1
+boxmail.cn, 1
+boxmania.tk, 1
+boxofficebengal.tk, 1
+boxofficefunding.com, 1
+boxofninjas.ca, 1
+boxoptions.com, 1
+boxpark.co.uk, 1
+boxpirates.to, 0
+boxsite.ga, 1
+boxtub.com, 1
+boxturtlesaspets.com, 1
+boxview.com, 1
+boyard.tk, 1
+boycewire.com, 1
+boydcorp.com, 1
+boydstree.com, 1
+boydwi.gov, 1
+boygirl.tk, 1
+boyhost.cn, 1
+boyinglanguage.com, 1
+boykovo.tk, 1
+boylecountyky.gov, 1
+boyo.cloud, 1
+boyscoutcampcars.cf, 1
+boyscouts.tk, 1
+boyscoutschile.tk, 1
+boyson.tech, 1
+boysontech.com, 1
+boysorebro.tk, 1
+boywife.space, 1
+bozdech.eu, 1
+bozenadusseau.tk, 1
+bozhok.tk, 1
+bozit.com.au, 1
+bp-app.de, 1
+bp-systems.ovh, 1
+bpa.gov, 1
+bpadvisors.eu, 1
+bparlay.com, 1
+bpastudies.org, 1
+bpbdpadangsidimpuan.id, 1
+bpconsulting.kz, 1
+bpd.nl, 1
+bphostels.com, 1
+bpinvest.ch, 1
+bpisites.eu, 1
+bplan.tk, 1
+bpo.or.jp, 1
+bpo.ovh, 1
+bpol-forum.de, 1
+bpreguica.com.br, 1
+bpsdev.org.uk, 1
+bpsis.fr, 1
+bpvgoncalves.com, 1
+bpvr.ddns.net, 1
+bpvr.nl, 1
+bqcp.net, 1
+bqp.io, 0
+bqr.ch, 0
+bqtoolbox.com, 1
+br-1xbet.com, 1
+br-hq.net, 1
+br-miyamoto.spdns.org, 1
+br.search.yahoo.com, 0
+br.to, 1
+br1334shop.com.br, 1
+br3in.nl, 0
+br7.ru, 1
+br8.pl, 1
+bra-horapparat.se, 1
+bra360.com, 1
+braathe.no, 1
+brabantia.com, 1
+braccialini.tk, 1
+bracebridgechiro.com, 1
+bracelet-chakras.com, 1
+braces-supports.tk, 1
+bracesbyberry.com, 1
+bracesjourney.com, 1
+brachotelborak.com, 1
+bracken.jp, 1
+bracket.land, 1
+bracketofficial.com, 1
+brackets-salad.com, 1
+brackettvilletx.gov, 1
+bracknellvets.co.uk, 1
+bractwogothica.ml, 1
+brad.fi, 1
+bradeales.com, 1
+bradentonfl.gov, 1
+bradfordcountypa.gov, 1
+bradfordhottubhire.co.uk, 1
+bradfordwoods.gov, 1
+bradler.net, 0
+bradleybeeming.com, 1
+bradturveyofficial.tk, 1
+bradyosborne.com, 1
+bradypatterson.com, 1
+braemer-it-consulting.de, 1
+bragasoft.com.br, 0
+bragaweb.com.br, 1
+braggalabel.cf, 1
+bragis.nl, 1
+brahammn.gov, 1
+brahma.world, 1
+brahmins.com, 1
+braiampeguero.xyz, 1
+braidice.ga, 1
+brailsford.xyz, 1
+brain-club.info, 1
+brain-e.co, 1
+brain-force.ch, 1
+brain-storm.ml, 1
+brain.gov, 1
+brainatwork.it, 1
+brainball.fr, 0
+brainbashers.com, 1
+brainboxai.com, 1
+brainburger101.tk, 1
+brainbus.com, 1
+braincandy.com, 1
+brainchasm.com, 1
+braincorebismarck.com, 1
+brainefive.com, 1
+brainfeed.nl, 1
+brainfirm.com, 1
+brainguru.co.in, 1
+brainguru.in, 1
+brainhealth.gov, 1
+brainhub.nl, 1
+brainit.at, 1
+brainjuice.tk, 1
+brainmade.tk, 1
+brainmanager.io, 1
+brainobeat.com, 1
+brainotony.com, 1
+brainoutlevel.com, 1
+brainporteindhoven.com, 1
+brainps.org, 1
+brainrush.ga, 1
+brainserve.ch, 0
+brainserve.com, 0
+brainserve.swiss, 0
+brainshare.tk, 1
+brainshit.fr, 1
+brainsik.net, 1
+brainsoftict.nl, 1
+brainspawn.tk, 1
+brainstache.com, 1
+brainstew.tk, 1
+brainstormproductions.tk, 1
+braintensive.com, 1
+braintonus.tk, 1
+braintree.gov.uk, 1
+braintreevt.gov, 1
+brainup-clinic.com, 1
+brainvation.de, 1
+brainware-india.com, 1
+brakebills.org, 1
+brakemanpro.com, 1
+brakesystemu.com, 1
+brakomecov.tk, 1
+brallog.tk, 1
+bralnik.com, 1
+bramberheights.com, 1
+brambevers.tk, 1
+bramblerealestate.com, 1
+brambles.com, 1
+brambleski.com, 1
+bramburek.net, 1
+bramfri.dk, 1
+bramhallsamusements.com, 1
+bramhopetails.uk, 1
+bramois.tk, 1
+bramptonaikikai.tk, 1
+bramptonscrapcarremoval.com, 1
+bramsikkens.be, 1
+bramstaps.nl, 1
+bramvanaken.be, 1
+bramygrozy.pl, 1
+bran.cool, 1
+bran.land, 1
+bran.pw, 1
+bran.soy, 1
+bran.to, 1
+branaher.cz, 1
+branch-bookkeeper.com, 1
+branch.ga, 1
+branchchristianschool.org.uk, 1
+branchenbuch-potsdam.com, 1
+branchrvparktexas.com, 1
+branchtobox.com, 1
+branchtrack.com, 1
+brand-design.studio, 1
+brandabaski.tk, 1
+brandand.co.uk, 1
+brandarkitekt.com, 1
+brandathon.be, 1
+brandathon.nl, 1
+brandbags.gr, 1
+brandbastion.com, 1
+brandbook.io, 1
+brandcodestyle.com, 0
+brandeps.com, 1
+brandfactory.ml, 1
+brandfeatured.com, 1
+brandfolder.com, 1
+brandfoto.com, 1
+brandhost.tk, 1
+brandhout-b-tree.be, 1
+brandingclick.com, 1
+brandingcoapps.com, 1
+brandingforthepeople.com, 1
+brandinspiration.fr, 1
+brandjapan.com, 1
+brandketers.com, 1
+brandmixer.ru, 1
+brandmovers.co, 1
+brandnous.ca, 1
+brandnucreations.com, 1
+brando753.xyz, 1
+brandon-manilow.tk, 1
+brandon.so, 0
+brandonbonine.com, 1
+brandoncricket.tk, 1
+brandondivorcelawyer.com, 1
+brandongevallen.tk, 1
+brandongomez.me, 1
+brandonhaynesmd.com, 1
+brandonhubbard.com, 1
+brandonjacksonphoto.com, 1
+brandonlin.me, 1
+brandonlui.com, 1
+brandonlui.ml, 1
+brandons.site, 1
+brandontaylor-black.com, 1
+brandonwalker.me, 1
+brandosvault111.ca, 1
+brandrocket.dk, 1
+brands-clothings.tk, 1
+brands-polo.cf, 1
+brands-polo.gq, 1
+brands-sports.com, 1
+brandsafe.io, 1
+brandsclub.tk, 1
+brandstead.com, 1
+brandstof-prijzen.nl, 1
+brandt.tech, 1
+brandtechdesign.co.uk, 1
+brandtrapselfie.nl, 1
+brandweer-almelo.tk, 1
+brandweer-sgravendeel.tk, 1
+brandweerbarboek.nl, 1
+brandweercapcodes.tk, 1
+brandweeredam.tk, 1
+brandweerfraneker.nl, 1
+brandweergent.be, 1
+brandweergrijpskerk.tk, 1
+brandweerhalsteren.tk, 1
+brandweermodelbouw.tk, 1
+brandweerpuch.tk, 1
+brandweerrooster.nl, 1
+brandweertrainingen.nl, 1
+brandweeruitgeest.nl, 1
+brandweerweb.tk, 1
+brandwizo.com, 1
+branefive.com, 1
+branemusic.com, 1
+braniebananie.nl, 1
+brank.as, 1
+brankor.net, 1
+brankor.rs, 1
+branobratoz.tk, 1
+bransive.com.au, 1
+bransonwestmo.gov, 1
+brantleycounty-ga.gov, 1
+branw.xyz, 0
+brard.it, 1
+brasas.ec, 1
+brasco.tk, 1
+brasdir.com, 1
+brashear.me, 1
+brasil66.tk, 1
+brasilandia.tk, 1
+brasilcheats.tk, 1
+brasilduino.tk, 1
+brasiliademinasnet.tk, 1
+brasilianskbikini.se, 1
+brasillifeoficial.tk, 1
+brasilmatamata.ml, 1
+brasilmedia.com, 1
+brasilmobi.cf, 1
+brasiltopnews.tk, 1
+brasilwear.biz, 1
+brasilweb.tk, 1
+braslet-bianshi.tk, 1
+braspetdf.com.br, 1
+brasrede.com.br, 1
+brass.host, 1
+brassbandwarmond.tk, 1
+brasseursdubois.com, 1
+brasshow.com.br, 1
+brasspipedreams.org, 1
+bratan.ga, 1
+bratkartoffelking.de, 1
+bratstvo.tk, 1
+bratt.tk, 1
+bratteng.com, 0
+bratteng.me, 1
+bratteng.solutions, 1
+brattleboro.gov, 1
+bratunaconline.tk, 1
+brau-ingenieur.de, 1
+braudoktor.de, 1
+brauer-augenoptik.de, 1
+brauingenieur.de, 1
+braun-russia.ru, 1
+braunbergerfreelance.com, 1
+braunsteinpc.com, 1
+braunwarth.info, 0
+brausch.co.nz, 1
+brauschtrucking.co.nz, 1
+brausestube.de, 1
+brave-foods.ch, 0
+brave-foods.com, 0
+brave.com, 1
+braveagency.com.au, 1
+bravebaby.com.au, 1
+bravebiz-news.tk, 1
+bravegk.com.ua, 1
+bravelittlesquirrel.com, 1
+bravelocation.com, 1
+bravelychoc.com, 1
+bravenboer.tk, 1
+bravewiki.tk, 1
+bravga.com, 1
+bravica.tk, 1
+bravo.bi, 1
+bravoasociados.com, 1
+bravobet.et, 1
+bravodeal.com, 1
+bravodescuento.es, 1
+bravogutschein.at, 1
+bravogutschein.de, 1
+bravokorting.nl, 1
+bravokupony.pl, 1
+bravopromo.be, 1
+bravopromo.fr, 1
+bravosconto.it, 1
+bravovoucher.co.uk, 1
+bravurabusinessconsulting.com, 1
+bravurasolutions.com, 1
+brawin.cf, 1
+brawlstarsitalia.com, 1
+braxtoncountywv.gov, 1
+braxtonehle.com, 1
+braychappell.com, 1
+brayden.gq, 1
+braynblog.ml, 1
+brazenfol.io, 1
+brazilh2.com.br, 1
+brazilian-human-hair-extension.tk, 1
+brazilianbikinishop.com, 1
+braziliantop.com, 1
+braziliaskincare.com, 1
+brazillens.com, 1
+brazoriacountyclerktx.gov, 1
+brazzers.com, 1
+brazzersnetwork.com, 1
+brazzersvod.com, 1
+brb.city, 1
+brba.nl, 1
+brbt.eu, 1
+brbt.net, 1
+brc.fj.cn, 1
+brck.nl, 1
+brcshipsupply.com, 1
+breachdata.io, 1
+breachlock.com, 1
+breachmedia.ca, 0
+bread.fish, 1
+breadandlife.org, 0
+breadheads.net, 1
+breadmash.tk, 1
+breadpirates.chat, 1
+breakberlin.tk, 1
+breakcraft.tk, 1
+breakdancer.tk, 1
+breakerlink.com, 1
+breakeven.tk, 1
+breakfastcafe.tk, 1
+breakfree.tk, 1
+breakingdeal.fr, 1
+breakingnewskenya.tk, 1
+breakingthesilence.org.il, 1
+breakinoutpr.com, 1
+breakmaps.net, 1
+breakofdawn.tk, 1
+breakpoint.at, 1
+breaksome.tech, 1
+breakthroughenergy.org, 1
+breakwall.ml, 1
+breaky.de, 1
+breard.tf, 1
+breastaugmentationky.com, 1
+breastbuysers.ga, 1
+breastbuysest.ga, 1
+breastdensitynj.com, 1
+breastenlargement.gq, 1
+breathe-easy.tk, 1
+breathedreamgo.com, 0
+breathingblanket.com, 0
+breathingsound.ml, 1
+breathlesssheranda.tk, 1
+brechadigital.tk, 1
+brecht.ch, 1
+breckle.com.ua, 1
+brecknell.biz, 1
+brecknell.com, 1
+brecknell.info, 1
+brecknell.name, 1
+brecknell.net, 1
+brecknell.org, 1
+breda.computer, 1
+bredabeds.com, 1
+bredahooligans.tk, 1
+bredband.fi, 1
+breechdepot.com, 1
+breederpodcast.com, 1
+breederworld.dog, 1
+breen.com.br, 1
+breezyapp.hu, 1
+breezypointmn.gov, 1
+breffa.pl, 1
+brefy.com, 1
+brege.org, 1
+bregmanfance.com, 1
+bregnedal.dk, 1
+bregnedalsystems.dk, 1
+bregroup.com, 1
+brehoni.cz, 0
+breinify.ai, 1
+breinify.com, 1
+breitband.bz.it, 1
+breizh.pm, 1
+breizhetho.com, 1
+breizhpuffy.org, 1
+breket.ml, 1
+brelin.tk, 1
+brellich.eu, 1
+breloque.com, 1
+bremen-restaurants.de, 1
+bremerfriedensforum.de, 1
+breml.com, 1
+bremsscheiben.com, 1
+brenbarnes.com, 1
+brenbarnes.com.au, 0
+brendabecker.com, 1
+brendanbatliner.com, 1
+brendancroker.tk, 1
+brendanfarmer.ga, 1
+brendanreev.es, 1
+brendanscherer.com, 1
+brendasartstudio.com, 1
+brentalbright.tk, 1
+brentfieldschools.cf, 1
+brentnewbury.com, 1
+brentonico.com, 1
+brentsoslibraries.org.uk, 1
+bresciatoday.it, 1
+breshka.be, 1
+bressem.com, 0
+bresslerriskblog.com, 1
+brest-bel.tk, 1
+brest-biz-belarus.tk, 1
+brest-brest.tk, 1
+brest-master.tk, 1
+brest-news.tk, 1
+brest-region.tk, 1
+brest.fr, 0
+brest24.tk, 1
+brestnews.tk, 1
+brestradio.tk, 1
+brestshop.tk, 1
+bretcarmichael.com, 1
+breteuilcommerceartisanat.com, 1
+breton.pm, 1
+bretonhouse.ca, 1
+bretonstripe.com, 1
+brett.ml, 1
+brettabel.com, 1
+brettcornwall.com, 1
+bretti.net, 1
+brettlawyer.com, 1
+brettlfohra.tk, 1
+brettpostin.com, 1
+brettw.xyz, 1
+bretzner.fr, 0
+brevboxar.se, 1
+breve-tufvassons.ru, 1
+brevent.sh, 1
+brew.fi, 1
+brew.sh, 1
+brewcentralny.com, 1
+brewin.ml, 1
+brewit.online, 1
+brewmovers.com, 1
+brewsouth.com, 1
+brewspark.co, 0
+brex.money, 1
+brex.pw, 1
+brexit.tk, 1
+breyerslakeshoreresort.com, 1
+breyerslakesideresort.com, 1
+breyersresort.com, 1
+brezani.tk, 1
+breznet.com, 0
+brf-tradgarden.se, 1
+brferramentas.com.br, 1
+brfvh24.se, 1
+brg.to, 1
+brgins.com, 1
+brgsmartcity.com, 1
+brguk.com, 1
+brhanhaki.org, 1
+bri.fyi, 1
+bri.net.br, 1
+brian-ormond.tk, 1
+brian-wee.com, 1
+brian.gq, 0
+brianalaway.com, 1
+brianalawayconsulting.com, 1
+briandwells.com, 0
+brianfanzo.com, 1
+brianfoshee.com, 1
+briangarcia.ga, 1
+brianjohnson.co.za, 1
+brianjosephdavis.tk, 1
+briankanode.com, 1
+briankavanaugh.com, 1
+brianlachapelle.tk, 1
+brianlanders.us, 1
+brianleejackson.com, 1
+brianleemarketing.com, 1
+brianm.com, 1
+brianmwaters.net, 1
+brianna.tk, 1
+brianoost.com, 1
+brianpagan.net, 1
+brianregan.com, 0
+brianroadifer.com, 1
+briansemrau.com, 1
+briansmith.org, 1
+briantafoya.com, 1
+brianum.de, 1
+brianum.net, 1
+brianvalente.tk, 1
+brianwesaala.com, 0
+brianwilson.tk, 1
+briarcliffmanor.gov, 1
+briarpatchfrenchiesandpugs.com, 1
+briarproject.org, 1
+bribriescolawfirm.com, 1
+brickadia.com, 1
+brickell.com, 1
+brickfilmfestival.tk, 1
+brickftp.com, 1
+brickland.tk, 1
+bricks-clicks.com, 1
+bricks4kidzelearn.com, 1
+bricksandmotor.co.uk, 1
+brickstreettrio.com, 1
+brickvortex.com, 1
+brickweb.co.uk, 1
+brickwerks.io, 1
+bricmon.tk, 1
+bricolajeux.ch, 0
+bricomag-media.com, 1
+bricomium.com, 1
+brid.gy, 0
+bridal.tk, 1
+bridalfabrics.ru, 1
+bridalgallerysalem.com, 1
+bridalreflections.com, 1
+bridalshoes.com, 1
+bridalweddingshow.ga, 1
+bride.vn, 1
+bridebook.com, 1
+bridesbouquet.ml, 1
+bridestarco.com, 1
+bridge-online.cloud, 1
+bridge-to-knowledge.nl, 1
+bridge-xs.com, 1
+bridge.nl, 1
+bridgecitytx.gov, 1
+bridgecon.com.au, 1
+bridgedigest.cf, 1
+bridgedigest.tk, 1
+bridgedigestest.ga, 1
+bridgedirectoutreach.com, 1
+bridgefield.de, 1
+bridgeforcefinancial.com, 1
+bridgeitsolutions.com.au, 1
+bridgemanualest.ga, 1
+bridgement.com, 1
+bridgeout.com, 1
+bridgepayday.ph, 1
+bridgeportlaboratory.tk, 1
+bridgeportne.gov, 1
+bridgeportwv.gov, 1
+bridgercanyonfiremt.gov, 1
+bridges.ml, 1
+bridgesinbelize.org, 1
+bridgethailand28chidlom.com, 1
+bridgetmcauliffe.ie, 1
+bridgetonmo.gov, 1
+bridgetownrecords.tk, 1
+bridgetroll.org, 1
+bridgewaterma.gov, 1
+bridholm.se, 1
+bridozia.com, 1
+briefassistant.com, 1
+briefbiz-news.tk, 1
+briefly.ru, 1
+briefs.in.th, 1
+briefvorlagen-papierformat.de, 1
+briellenj.gov, 1
+briffoud.fr, 1
+brigadasazules.tk, 1
+brigady.tk, 1
+brigantinebeach.org, 1
+briggsandlittle.com, 1
+briggsleroux.com, 1
+brighouse-leisure.co.uk, 1
+bright-s.net, 1
+brightback.com, 1
+brightbiz-news.tk, 1
+brightblue.cf, 1
+brightbock.co.uk, 1
+brightbock.com, 1
+brightbock.net, 1
+brightbock.org, 1
+brightbock.tw, 1
+brightbock.uk, 1
+brightday.bz, 1
+brightendofleasecleaning.com.au, 0
+brighterimagelab.com, 1
+brightfuturemadebyme.com, 1
+brightgk.com, 1
+brightideaspromotional.co.uk, 1
+brightmachines.com, 1
+brightmls.com, 1
+brightmovers.com, 1
+brighton-canoes.co.uk, 1
+brightonbank.com, 1
+brightonbouncycastles.net, 1
+brightonchilli.org.uk, 1
+brightonfc.tk, 1
+brightongrowlights.ga, 1
+brightonncmachine.com, 1
+brightonvt.gov, 1
+brightonvt.org, 1
+brightpool-markets.com, 1
+brightside.com, 1
+brightsparks.com.sg, 1
+brightsport-news.tk, 1
+brighttax.com, 1
+brighttomorrowproductions.com, 1
+brightvalley.com.au, 1
+brightview.net.cn, 1
+brightwakeintranet.co.uk, 1
+brightzonecleaning.com.au, 1
+brightzoneofficecleaning.com.au, 1
+brigidaarie.com, 1
+brigittaseasons.com, 1
+brigittaspromise.org, 1
+brigittebutt.tk, 1
+brigittefontaine.tk, 1
+brignier.com, 1
+brilalux.pe, 1
+brileytownshipmi.gov, 1
+briliant.tk, 1
+brilliancesecuritymagazine.com, 1
+brilliant-minds.tk, 1
+brilliantbouncyfun.co.uk, 1
+brilliantproductions.co.nz, 1
+brillie.tk, 1
+brillio.com, 1
+brillionwi.gov, 1
+brillionworks.com, 1
+brimspark.com, 1
+brimspark.systems, 1
+brindabantheatre.tk, 1
+brindesgrafica.com.br, 1
+brindisireport.it, 1
+brindocorp.tk, 1
+bring-heaven.com, 1
+bringfido.com, 1
+bringform.ml, 1
+bringonbusiness.com, 1
+brinker.com, 1
+brinkhu.is, 1
+brinksurl.com, 1
+brinokidzonline.tk, 1
+brio-shop.ch, 1
+brio-ukraine.store, 1
+brio.news, 1
+briograce.com.mx, 1
+brioukraine.store, 1
+brisamar8.de, 1
+brisbanecashforcars.com.au, 1
+brisbanelogistics.com.au, 1
+brisbanerecordbar.com.au, 1
+brisbine.cloud, 1
+brisceremony.com, 1
+brisignshop.com.au, 1
+brisp.nl, 1
+brisq.design, 1
+bristebein.com, 1
+bristolandwestonsuperbounce.com, 1
+bristolctwatersewer.gov, 1
+bristolmoneyman.com, 1
+bristowpoliceok.gov, 1
+brit-thoracic.org.uk, 1
+britania.tk, 1
+britanicasalud.com.ar, 1
+britannia-jewellery.co.uk, 1
+britannia.no, 1
+britanniapandi.com, 1
+britanniawellness.com, 1
+britelocate.com, 1
+british-assessment.co.uk, 1
+britishairlinesflights.com, 1
+britishantiquefurniture.co.uk, 1
+britishbee.org.uk, 1
+britishbee.uk, 1
+britishbeef.com, 1
+britishbeekeepers.com, 1
+britishbeekeepers.net, 1
+britishbeekeepers.org, 1
+britishbeekeepers.org.uk, 1
+britishbeekeepers.uk, 1
+britishbeekeepersassociation.org.uk, 1
+britishbookmakers.co.uk, 1
+britishbullshitfoundation.cf, 1
+britishbullshitfoundation.ga, 1
+britishbullshitfoundation.ml, 1
+britishchronicles.com, 1
+britishgeneralelection.cf, 1
+britishgeneralelection.ga, 1
+britishgeneralelection.ml, 1
+britishgroupsg.com, 1
+britishmeat.com, 1
+britishpearl.com, 1
+britishpropoliss.my.id, 1
+britishrafting.com, 1
+britishsfaward.org, 1
+britishsnoring.co.uk, 1
+britney-galaxy.com, 1
+britneyclause.com, 1
+britneymanias.tk, 1
+britneyuniverse.com, 1
+britofootball.com, 1
+britsoc.co.uk, 1
+brittainconsulting.ca, 1
+brittany.com.ph, 1
+brittanyferriesnewsroom.com, 1
+brittas-world.tk, 1
+brivawn.com, 1
+brix-central.tk, 1
+brixxonline.nl, 0
+brizawen.com, 1
+brizz.com.co, 1
+brizzo.net, 1
+brk-t.com, 1
+brk-t.org, 1
+brk.dk, 1
+brk.st, 1
+brkt.cc, 1
+brkt.church, 1
+brktkiliseleri.com, 1
+brktkiliseleri.org, 1
+brlcontracting.com.au, 1
+brmascots.com, 1
+brmnn.de, 1
+brmsalescommunity.com, 1
+brn.by, 1
+brn.is, 0
+brnogame.com, 1
+brnogame.cz, 1
+brnogame.online, 1
+brnohra.com, 1
+brnohra.cz, 1
+brnohra.online, 1
+brnojebozi.cz, 1
+brnr.link, 1
+brnrx.com, 1
+broadax.ml, 1
+broadbandchoices.co.uk, 1
+broadbandexposed.co.uk, 1
+broadbandmap.gov, 1
+broadbiz-news.tk, 1
+broadcastlistingers.ga, 1
+broadcastlistingest.ga, 1
+broadcastrealtimeest.ga, 1
+broadcasttowerers.ga, 1
+broadfoundation.org, 1
+broadjournalest.ga, 1
+broadleft.org, 1
+broadsheet.com.au, 1
+broadstreetalerts.com, 1
+broadwayfamilydentalpc.com, 1
+broadwaytravel.com, 1
+broadwayva.gov, 1
+broadwayvets.co.uk, 1
+broansunited.tk, 1
+broca.dk, 1
+broca.io, 0
+brock.guide, 1
+brockenhurstguide.com, 1
+brockenhurstonline.com, 1
+brockwayministorage.com, 1
+brockwaytwpmn.gov, 1
+brocos.io, 1
+brodahose.com.au, 0
+brodowski.cc, 1
+brody.digital, 1
+brody.ninja, 1
+broe.ie, 1
+broedersvanliefde.be, 1
+broemp.de, 1
+broerbv.nl, 0
+broerendasbouwbedrijf.nl, 1
+broersma.com, 1
+broerweb.nl, 1
+broeselei.at, 0
+broilertrade.com, 1
+brojagraphics.de, 1
+broke.network, 1
+brokeinkorea.tk, 1
+brokenbiz-news.tk, 1
+brokenbowokpd.gov, 1
+brokencityllc.ga, 1
+brokendollsmuseum.com, 1
+brokenhands.io, 1
+brokenminds.tk, 1
+brokenneckgang.com, 1
+brokenrevolution.com, 1
+brokenships.com, 1
+brokensword.tk, 1
+brokentoaster.tk, 1
+broker.id, 1
+broker.vn, 1
+broker4u.com, 1
+brokerdecredite.ro, 1
+brokerlink.ca, 1
+brokernews.com.au, 1
+brokernotes.co, 1
+brokerpro.com, 1
+brokerstalk.com, 1
+brokeryouers.ga, 1
+brokeryouest.ga, 1
+brokfolio.com, 1
+brokgency.com, 1
+brollopsfotografkalmar.com, 1
+brols.eu, 1
+bromfietsman.tk, 1
+bromideas.ga, 1
+bromo.com, 1
+bromonetwork.com, 1
+brompton-cocktail.com, 1
+bronco-atodogalope.tk, 1
+bronevichok.ru, 1
+brontech.com, 1
+bronwynlewis.com, 1
+bronx-ny-dentist.com, 1
+bronya.moe, 1
+broochwithme.com, 1
+broodbesteld.nl, 1
+broodingblogger.com, 1
+brookecountywv.gov, 1
+brookfordnc.gov, 1
+brookframework.org, 1
+brooklakeevents.com, 1
+brooklinenh.gov, 1
+brooklynboyblues.cf, 1
+brooklynboyblues.ga, 1
+brooklynboyblues.ml, 1
+brooklyncentermn.gov, 1
+brooklyndecker.tk, 1
+brooklynentdoc.com, 1
+brooklynparkmn.gov, 1
+brooklynrealestateblog.com, 1
+brooklyntheborough.com, 1
+brooklyntownwashburnwi.gov, 1
+brooklynveinandvascular.com, 1
+brookscountyga.gov, 1
+brookshirebrothers.com, 1
+brooksideas.ga, 1
+brookskolb.com, 1
+brooksrents.com, 1
+brookstonelc.com, 1
+brookstowingoregon.com, 1
+brookvillepoliceny.gov, 1
+brookz.nl, 1
+broomcastle.com, 1
+broomcastle.eu, 1
+broomcastle.net, 1
+broomcastle.org, 1
+broomcastle.social, 1
+broomecountyny.gov, 1
+broomorchard.com, 1
+brosay-legko.ml, 1
+brossman.it, 1
+brossmanit.com, 1
+brotaufstriche.com, 1
+brother.com.hk, 1
+brothersinbeetles.tk, 1
+brottsfiltret.tk, 1
+brotwurz.de, 1
+brou.com.uy, 1
+brouillard.ch, 0
+brouskat.be, 1
+brouwer-greonterp.nl, 1
+brouwerijdeblauweijsbeer.nl, 0
+brovelton.com, 0
+browardvotes.gov, 1
+browfai.casa, 1
+brown-bros.ca, 1
+brownacres.nz, 1
+brownandjoseph.com, 1
+brownavto-news.tk, 1
+brownbagdinner.org, 1
+browncoil.gov, 1
+browncountyne.gov, 1
+browncountytx.gov, 1
+browndeerwi.gov, 1
+brownforces.desi, 1
+brownforces.org, 1
+brownie.plus, 1
+brownpipe.app.br, 1
+brownstownmi.gov, 1
+brownsville360.org, 1
+brownsvillewi.gov, 1
+browntiger.tk, 1
+browntowncountryclub.com, 1
+brownwolfstudio.com, 0
+brownwoodnews.cf, 1
+browsbybecca.ca, 1
+browse-china.com, 1
+browse-tutorials.com, 1
+browselog.com, 1
+browsemycity.com, 1
+browser.style, 1
+browserleaks.com, 1
+brpmanuals.com, 1
+brq.com, 1
+brr.fyi, 1
+brrr.fr, 1
+brsvcs.in, 1
+brtve.tk, 1
+bru6.de, 1
+brubaker.ac, 1
+brubaker.cc, 1
+brubakerairconditioningrepair.com, 1
+brubankv1-staging.azurewebsites.net, 1
+bruce-springsteen.tk, 1
+brucebenes.com, 1
+bruceleeitems.com, 1
+brucemillerauto.com, 1
+brucemines.ca, 1
+bruckner.li, 1
+brudevelopments.ca, 1
+brudkista.nu, 1
+brudkista.se, 1
+brudkistan.nu, 1
+brudkistan.se, 1
+brueche-rechner.de, 1
+bruechner.net, 1
+brueggers.com, 1
+brueggi.tk, 1
+brueser-gmbh.de, 1
+brugerklub.info, 1
+brugia.com, 1
+brugpensioen.tk, 1
+bruh.ltd, 1
+bruhcontent.ru, 1
+bruidstaarten.tk, 1
+bruitparif.fr, 1
+bruk2fa.no, 1
+brukalai.lt, 1
+brulewi.gov, 1
+brun-despagne.com, 1
+brun.rocks, 1
+bruna-cdn.nl, 1
+brunamarquezine.tk, 1
+brunanet.tk, 1
+brunchandmatch.be, 1
+bruneaufamily.digital, 1
+brunella.tk, 1
+brunetderochebrune.com, 0
+brunettipesco.com, 1
+brunhild.com, 1
+brunhilde.ml, 1
+brunner.ninja, 1
+bruno-pelletier.tk, 1
+brunoamaral.eu, 1
+brunobattaglia.tk, 1
+brunobeauvoir.com, 1
+brunocesarlima.com.br, 1
+brunodomingos.com, 1
+brunofontes.net, 1
+brunohenc.from.hr, 1
+brunolt.nl, 1
+brunoperetti.com.br, 1
+brunoramos.com, 0
+brunoreno.be, 1
+brunoriguzzi.io, 1
+brunorogerioadvocacia.com.br, 1
+brunosampaioblog.com, 1
+brunroom.tk, 1
+brunswick.com, 0
+brunswickcove.com, 1
+brunswickncsheriff.gov, 1
+brush.ninja, 1
+brushcreekyachts.com, 1
+brushscene.de, 1
+brushyourideas.com, 1
+brusselsairlines.com, 1
+brusselsbe.tk, 1
+brusselsexpolive.ga, 1
+brusselsexpoloft.ga, 1
+brusselsexpostudio.ga, 1
+brusselslouisepenthouse.ga, 1
+brusselslouisestudio.ga, 1
+brusselsmidiapartment.ga, 1
+brusselsmidistudio.ga, 1
+brusselspackagesers.ga, 1
+brusselspackagesest.ga, 1
+brusselswestapartment.ga, 1
+brust-zentrum.ch, 1
+brutal.systems, 1
+brutalica.tk, 1
+brutality.cf, 1
+brutdecom.fr, 1
+brutecloud.com, 1
+brutosanetos.com, 1
+brutosshopping.com, 1
+brutus2.ga, 0
+bruun.co, 1
+bruxserv.net, 1
+bruyerre.eu, 1
+brw-shop.by, 1
+brweb.tk, 1
+brwebsolutions.tk, 1
+brwn.loan, 1
+brws.to, 1
+bryanarmijomd.com, 1
+bryancastillo.site, 1
+bryancountyga.gov, 1
+bryandesrosiers.com, 1
+bryandrakedrivingschool.co.nz, 1
+bryandunnewald.com, 1
+bryanfalchuk.com, 1
+bryankaplan.com, 1
+bryanley.com, 1
+bryanquigley.com, 1
+bryanski.tk, 1
+bryantluk.com, 1
+bryantx.gov, 1
+bryceml.us, 1
+bryggebladet.dk, 1
+bryte-rp.tk, 1
+brzc.st, 1
+brztec.com, 1
+bs-facilityservice.ch, 0
+bs-network.net, 1
+bs-security.com, 1
+bs.sb, 1
+bs.to, 1
+bs09.de, 1
+bs2k.me, 1
+bsa-dom.ru, 1
+bsa157.org, 1
+bsaab.se, 1
+bsaft.ml, 1
+bsale.com.au, 1
+bsalyzer.com, 1
+bsapack564.org, 1
+bsatroop1003.com, 1
+bsatroop3.com, 1
+bsatroop794.org, 1
+bsawiberg.com, 1
+bsbet365.com, 1
+bsbnet.nl, 1
+bsc-rietz.at, 1
+bsc01.dyndns.org, 1
+bscc.support, 1
+bscquimicos.com.br, 1
+bscyb.ch, 1
+bsd-box.net, 1
+bsd-sec.com, 1
+bsd-unix.org, 1
+bsd.com.ro, 1
+bsd.gay, 1
+bsdbox.de, 1
+bsdex.de, 1
+bsdfreak.dk, 0
+bsdguru.net, 1
+bsdly.net, 1
+bsdracing.ca, 1
+bsdug.org, 1
+bsdunix.xyz, 1
+bsee.gov, 1
+bserved.de, 0
+bseuc.eu, 1
+bsf-knowledgecity.com, 1
+bsg.ro, 1
+bsgamanet.ro, 1
+bsgcredit.com, 1
+bsgcredit.ro, 1
+bsgexchange.ro, 1
+bsidesf.com, 1
+bsidesf.org, 1
+bsidessf.com, 1
+bskhq.tk, 1
+bsktweetup.info, 1
+bslim-e-boutique.com, 1
+bslinguistics.co.uk, 1
+bslnow.co.uk, 1
+bsmsl.com, 1
+bsmsummit.com, 1
+bsn.cloud, 1
+bsnedu.org, 1
+bsociabl.com, 1
+bsod.me, 1
+bsolut.com, 1
+bsolut.de, 1
+bsolut.org, 1
+bsp-southpool.com, 1
+bspecialfx.nl, 1
+bsq1492.com, 1
+bsrueti.ch, 1
+bss-solutions.net, 1
+bss-systems.net, 1
+bss.com.ph, 1
+bss.net.ph, 1
+bss.solutions, 1
+bss.systems, 1
+bss01.de, 1
+bsskorcz.pl, 1
+bssolvfagen-pre-storeswa-wap.azurewebsites.net, 1
+bsstainless.com, 1
+bst-brandschutz.at, 1
+bsteele.tk, 1
+bstoked.net, 1
+bsuess.de, 1
+bsurfcr.com, 1
+bsuru.xyz, 1
+bsw-solution.de, 1
+bswears.com, 1
+bt-kc.de, 1
+bt121.com, 0
+bt123.xyz, 1
+bt3655.com, 0
+bt3657.com, 0
+bt3658.com, 0
+bt780.com, 1
+bt85.cn, 0
+bt9.cc, 0
+btarts.com.br, 1
+btbb.net, 1
+btc-alpha.com, 1
+btc-doge.ga, 1
+btc-wallet.tk, 1
+btcanalyse.com, 1
+btcarg.com.ar, 1
+btcarmory.com, 1
+btclients.tk, 1
+btcp.space, 1
+btcpop.co, 1
+btcrit.com, 1
+btcwip.com, 1
+btcx.com, 1
+btddd.com, 1
+btdirect.uk, 1
+btdproductions.tk, 1
+btea.online, 1
+btec.ae, 1
+bth.dance, 1
+bth.wtf, 1
+bticoin3king.cf, 1
+btid.tk, 1
+btine.tk, 1
+btleasing.md, 1
+btleasing.ro, 1
+btln.cloud, 1
+btln.de, 1
+btmic.ro, 1
+btnissanparts.com, 1
+btool.eu.org, 1
+btorrent.xyz, 1
+btrade.io, 1
+btrans.by, 1
+btraviswright.com, 1
+btraviswrightmps.com, 1
+btraviswrightmps.org, 1
+btrb.ml, 1
+btrfs.no, 1
+btsapem.com, 1
+btsline.co.id, 1
+btsoft.eu, 1
+btsou.org, 1
+btsource.tk, 1
+btsous.org, 1
+btsresearch.com, 1
+btssiou.xyz, 1
+btssl.com, 1
+btsybt.com, 0
+btt-39.com, 1
+btt-59.com, 1
+btt882.com, 1
+btta13.com, 1
+btta16.com, 1
+btth.live, 1
+btth.pl, 1
+bttorj45.com, 1
+bttrade.com, 1
+bturboo.com, 1
+btvw.de, 1
+btwj.com, 1
+btwsa.tk, 1
+btxchange.io, 1
+bu-e.com, 1
+buai.cf, 1
+buai.gq, 1
+buai.ml, 1
+buai.tk, 1
+buatcvonline.com, 1
+buayacorp.com, 1
+bubalova.com, 1
+bubba.cc, 1
+bubbelwafel.nl, 1
+bubblebuttpics.com, 1
+bubbleclips.com, 1
+bubbleclips.net, 1
+bubbleclips.org, 1
+bubbleclipsnetwork.com, 1
+bubblegumblog.com, 1
+bubblelist.tk, 1
+bubblemedia.com, 1
+bubblesco.tk, 1
+bubblespetspa.com, 1
+bubblin.io, 1
+bubhub.io, 1
+bubnovsky.org, 1
+bubok.com.ar, 1
+bubok.es, 1
+bubra.stream, 1
+bubsngrubs.com.au, 1
+bubty.com, 1
+bubu1.eu, 1
+bubulazi.com, 0
+bubulazy.com, 0
+bucapositano.it, 1
+bucek.cz, 1
+buch-angucken.de, 1
+buchanancountyvirginia.gov, 1
+buchananga.gov, 1
+buchanantwpmi.gov, 1
+buchangroupinc.com, 1
+bucharestbachelorparty.com, 1
+buchdata.it, 1
+buchelstore.com.br, 0
+buchhaltung-muehelos.de, 1
+buchhammer.tk, 1
+buchholz-coaching.de, 1
+buchkatalog.de, 1
+buchwegweiser.com, 1
+buck-hydro.de, 1
+buck.com, 1
+buckenmaier.xyz, 1
+bucket.tk, 1
+buckethead.tk, 1
+buckfast.tk, 1
+buckglobal.com, 1
+bucklinmo.gov, 1
+buckmans.com, 1
+buckscounty.gov, 1
+bucksfund.com, 1
+buckthorn.ml, 1
+buckypaper.com, 1
+buda.com, 1
+budapestairport.tk, 1
+budapestgraphics.hu, 1
+budapestjazzclub.hu, 1
+budapesttaxi.de, 0
+budapesttaxi.fr, 0
+budapesttaxi.nl, 0
+budapesttaxi.uk, 1
+budatx.gov, 1
+budbringerne.tk, 1
+buddhas.tk, 1
+buddhism.cf, 1
+buddhismedia.com, 1
+buddhistische-weisheiten.org, 1
+buddie5.com, 1
+buddiescomputers.com.au, 1
+buddingoptimist.com, 1
+buddlycrafts.com, 1
+buddobot.com, 1
+buddy-acceptance-authentication-frontend.azurewebsites.net, 1
+buddy-acceptance-backoffice-frontend.azurewebsites.net, 1
+buddy-acceptance-web-frontend.azurewebsites.net, 1
+buddy-development-backoffice-webapp.azurewebsites.net, 1
+buddy-development-rabodirectconnect-api.azurewebsites.net, 1
+buddy-locator.com, 1
+buddy.net, 1
+buddyme.me, 1
+budeanu.com, 1
+buderus-family.be, 1
+budget-box.com, 1
+budget-cuts.tk, 1
+budget.gouv.fr, 1
+budget.gov, 1
+budget.ie, 1
+budget.ovh, 1
+budgetfitter.com, 1
+budgetimize.com, 1
+budgetlob.gov, 1
+budgetlovers.nl, 1
+budgetrf.tk, 1
+budgow.com, 1
+budhimaan.com, 1
+budidayatani.com, 1
+budilnik.ml, 1
+budofjoy.com, 1
+budolangnau.ch, 1
+budolfs.de, 1
+budomalsch.de, 1
+budpolimer.com, 0
+budpop.com, 1
+budscope.com, 1
+budtraffic.net, 1
+budulanradu.ro, 1
+buehler.rocks, 1
+bueltge.de, 1
+buena.me, 1
+buenavistawinery.com, 1
+buenosairesconnect.com, 1
+buenosproductos.net, 1
+buentaller.com, 1
+bueny.com, 1
+bueny.net, 1
+buergerwehr-ettlingen.de, 1
+buerliag.ch, 1
+buero13-design.de, 1
+buerstaedter-zeitung.de, 1
+buesiforquo.cf, 1
+buettgens.net, 1
+buetzer.ch, 1
+bufete.tk, 1
+bufeteesquire.com, 1
+buff-buff.tk, 1
+buff360.xyz, 1
+buffalo-ny-gay-chat.com, 1
+buffaloautomation.com, 1
+buffalobakeriesers.ga, 1
+buffalobakeriesest.ga, 1
+buffalobill.idv.tw, 1
+buffalocountywi.gov, 1
+buffalodrycleanerers.ga, 1
+buffalodrycleanerest.ga, 1
+buffalogaptx.gov, 1
+buffalohomerepairs.com, 1
+buffalojewishfederation.org, 1
+buffalonews.com, 1
+buffaloskillgames.com, 1
+buffaloturf.com.au, 0
+buffandtan.com, 1
+buffbarbell.com, 1
+buffetbouc.com, 1
+buffl.co, 1
+buffup.media, 1
+buffus.cz, 1
+bufla.net, 1
+bufo.tk, 1
+bug.blue, 1
+bug.ee, 1
+bug321.com, 1
+bugalert.org, 1
+bugbounty.ch, 1
+bugbountytip.tech, 1
+bugcrowd.com, 0
+bugfender.com, 1
+bugfuzz.com, 1
+buggiano.com, 1
+buggy777.me, 1
+buggymaven.com, 1
+buggywonderland.tk, 1
+bugprove.com, 1
+bugraseyhan.tk, 1
+bugrayildiz.av.tr, 1
+bugreader.com, 1
+bugs.chromium.org, 1
+bugwie.com, 1
+bugzilla.mozilla.org, 1
+buharkeyf1.com, 1
+buharlikoltukyikama.com.tr, 1
+buharlikoltukyikama.org, 1
+buhayprincipal.com, 1
+buhsantoandre.vip, 1
+buhunov.tk, 1
+buicha.social, 1
+buick1958.tk, 1
+build-marrakech.org, 1
+build-up.tk, 1
+build.chromium.org, 1
+build.gov, 1
+buildbackbetter.gov, 1
+buildbytes.com, 1
+buildconcierge.ga, 1
+buildcor.com.au, 1
+builddesygner.xyz, 1
+buildersdiscount.net, 1
+buildersofthesilentcities.tk, 1
+buildfood.com, 1
+buildgp.com, 1
+buildherers.ga, 1
+buildherest.ga, 1
+building-cost-estimators.com, 1
+building-materials.tk, 1
+buildingbitcoin.org, 1
+buildingchemistry.tk, 1
+buildingcleaningchicago.com, 1
+buildingcostestimators.co.uk, 1
+buildingdesign.tk, 1
+buildinginspectionmandurah.ga, 1
+buildingmaterials.tk, 1
+buildingpassport.com, 1
+buildingpoint.pt, 1
+buildingpointne.com, 1
+buildingprojectsswanseama.gov, 1
+buildingqueries.com, 1
+buildingresiliency.org, 1
+buildkite.com, 1
+buildmate.ml, 1
+buildmorebuslanes.com, 1
+buildnews.tk, 1
+buildplease.com, 1
+builds.gg, 1
+buildstaging.com, 1
+buildwealth.uk, 1
+buileo.com, 1
+builterra2.azurewebsites.net, 1
+builtin.com, 1
+builtinaustin.com, 1
+builtinboston.com, 1
+builtinchicago.org, 1
+builtincolorado.com, 1
+builtingym.com, 1
+builtinla.com, 1
+builtinnyc.com, 1
+builtinseattle.com, 1
+builtinsf.com, 1
+builtinvacuum.com, 1
+builtory.my, 1
+builttosell.com, 1
+builtvisible.com, 1
+builtwith.com, 1
+buissonchardin.fr, 1
+buitenposter.nl, 1
+buitex.lt, 1
+buitrong.net, 1
+buka.jp, 1
+buketnevesti.cf, 1
+bukiko.net, 1
+bukinist.tk, 1
+bukiskola.hu, 1
+bukkenfan.jp, 1
+bukn.uk, 1
+bukowski.se, 1
+bukowski.tk, 1
+bukpcszerviz.hu, 1
+buksu.edu.ph, 1
+bukularis.ga, 1
+bul3seas.eu, 1
+bulabanews.com.ng, 1
+bulario.com, 1
+bulario.net, 1
+bularmas.com, 1
+bulatlat.com, 1
+bulatlat.org, 1
+bulavki.tk, 1
+bulba.download, 1
+bulbagram.ml, 1
+bulbcompare.com, 1
+bulbidea.com, 1
+bulbonidos.tk, 1
+bulbuly.tk, 1
+buldogueingles.com.br, 1
+bulentcirakli.tk, 1
+bulevard-residence.com, 1
+bulgakov.ga, 1
+bulgakov.ml, 1
+bulgakov.tk, 1
+bulgariablog.tk, 1
+bulgarianhouse.tk, 1
+bulgarianmale.com, 1
+bulgarianproperties.com, 1
+bulgariya.cf, 1
+bulhost.com, 1
+bulindir.tk, 1
+bulkowespacerkowo.nl, 1
+bull.id.au, 0
+bulldog-buss.tk, 1
+bulldog-hosting.de, 0
+bulldogdriveways.com, 1
+bulldogfrances.tk, 1
+bulldogkennel.tk, 1
+bulldogmarketinggroup.com, 1
+bulldogs-sipoo.tk, 1
+bulledair-savons.ch, 0
+bulledart.ga, 1
+bullesdeculture.com, 1
+bullesdelaube.com, 1
+bulletbabu.com, 0
+bulletfrog.tk, 1
+bulletpoint.cz, 1
+bullettags.com, 1
+bullfitta.tk, 1
+bullfrogpooltilecleaning.com, 1
+bulli.tk, 1
+bullionexus.com, 1
+bullish.com, 1
+bullmarketing.nl, 1
+bullockcountyal.gov, 1
+bullpendaily.com, 1
+bullseyecleaning.com.au, 1
+bullshithost.nl, 1
+bullshitmail.nl, 1
+bullterrierspain.tk, 1
+bullvalleyil.gov, 1
+bullyprotection.ml, 1
+bulmanat.tk, 1
+bulmastife.com.br, 1
+bultdatabasen.se, 1
+bulten.com, 1
+bultink.tk, 1
+bulutkey.com, 1
+bulvar.tk, 1
+bumble.com, 1
+bumblebee.cf, 1
+bumblebee.co.za, 1
+bumblebeekids.uk, 1
+bumenn.is, 1
+bumirc.tk, 1
+bummelwelt.ch, 1
+bummelwelt.com, 1
+bummelwelt.de, 1
+bumpi.gq, 1
+bumsbesuch.com, 1
+bumsbuero.com, 1
+bumsbus.com, 1
+bunadarbankinn.is, 1
+bunaken.tk, 1
+bunbun.be, 1
+bunburydad.tk, 1
+bunchful.com, 1
+buncombecounty.org, 1
+buncranacarndonaghgreenway.ie, 1
+bundesamtsozialesicherung.de, 1
+bundesanzeieger.com, 1
+bundespolizei-forum.de, 1
+bundesrepublikneu.land, 1
+bundesverband-krisenintervention.de, 1
+bundesverbandkrisenintervention.de, 1
+bundesvvehr.de, 1
+bundle.tools, 1
+bundlejs.com, 1
+bune.city, 1
+bungalowseljardin.com, 0
+bungeeireland.tk, 1
+bungotai.ga, 1
+buniq.com.br, 1
+bunix.de, 0
+bunker307.tk, 1
+bunkerhilltx.gov, 1
+bunkyo-life.com, 1
+bunlarateist.space, 1
+bunny-rabbits.com, 1
+bunny.tk, 1
+bunnybloythost.com, 1
+bunnycarenotes.com, 1
+bunnydiamond.de, 1
+bunnymaxim.com, 1
+bunnymud.com, 1
+bunnyvishal.com, 1
+bunnyworld.xyz, 1
+bunq.love, 1
+buns.cc, 1
+bunsnbagels.com, 1
+bunto-import.tk, 1
+buongiornolatina.it, 1
+buonventosbt.eu, 1
+bupa.com.au, 1
+bupamedical.com.au, 1
+bupamedicalvisaservices.com.au, 1
+bupamvs.com.au, 1
+buphachat.com, 1
+bupropion.com, 1
+bupropionhclsr.ga, 1
+buqi.cc, 1
+buquesdeguerra.tk, 1
+buraksercanercin.co, 1
+burakuckun.com, 1
+burakurer.com, 1
+buralteria.tk, 1
+burasicanakkale.com, 1
+buratino.tk, 1
+buratiya.tk, 1
+burb.social, 1
+burbaguena.tk, 1
+burbankdental.com, 1
+burberry-outlet.cf, 1
+burberry-outlets.ca, 1
+burcevo.info, 1
+burchfabrics.com, 0
+burdurhaber.tk, 1
+burdursondakika.tk, 1
+bureau-store.fr, 1
+bureaubolster.nl, 0
+bureaubraam.nl, 0
+bureaudirectoryers.ga, 1
+bureaunouveau.eu, 1
+bureauzelfstandigenfryslan.nl, 1
+burenservice.nl, 1
+burenvoorburen.gent, 1
+burevestnik.tk, 1
+burewala.com, 1
+burewala.tk, 1
+burewalanews.tk, 1
+burg-esslingen.de, 1
+burg-hohnstein.com, 0
+burg-hohnstein.info, 0
+burgas.bg, 1
+burgawnc.gov, 1
+burger.eu.org, 1
+burger.fitness, 1
+burgerbudget.gent, 1
+burgerking.eu.org, 1
+burgernet.nl, 0
+burgers.io, 1
+burgesspetcare.com, 1
+burghardt-neumann.de, 1
+burghardt.pl, 1
+burghtstam.tk, 1
+burgoslacrosse.tk, 1
+burguesinhas.com.br, 1
+burhan-autosattlerei.de, 1
+burhanionlinestore.com, 1
+buricloud.fr, 1
+burienergy.com, 1
+burina.net, 1
+buriramradio.com, 1
+burke.services, 1
+burkebarclaylawoffice.com, 1
+burkhardt.at, 0
+burkitech.com, 1
+burkoff.tk, 1
+burkow.ru, 1
+burlaka.net, 1
+burlapsac.ca, 1
+burlesonconstructioninc.com, 1
+burlesontx.gov, 1
+burling.cz, 1
+burma-we-care.tk, 1
+burmalin.ml, 1
+burmania.tk, 1
+burmeister-gmbh.de, 1
+burmesecatscare.com, 1
+burmesepythonpet.com, 1
+burncorp.org, 1
+burndyt3.com, 1
+burnedyouers.ga, 1
+burnedyouest.ga, 1
+burner.gay, 1
+burnerfitness.com, 1
+burnettcountywi.gov, 1
+burnimage.co.uk, 1
+burning-team.tk, 1
+burning-wheels.tk, 1
+burningbase.com, 0
+burningbooks.org, 1
+burningducks.com, 1
+burningflame.tk, 1
+burningflipside.com, 0
+burningseries.co, 1
+burningseries.cx, 1
+burningseries.sx, 1
+burnit.tk, 1
+burnsland.com, 1
+burntfish.com, 1
+burnus.net, 1
+burnworks.com, 0
+buro86.be, 1
+buronducouderc.fr, 1
+buronewsmobilya.com, 1
+buronwater.com, 1
+buroviz.nl, 1
+burr.is, 1
+burree.xyz, 1
+burreli.tk, 1
+burritosalsa.com, 1
+burritosband.tk, 1
+burroughsid.com, 1
+bursamusik.tk, 1
+bursapartner.tk, 1
+burstequity.com, 1
+burstequity.net, 1
+burstequity.org, 1
+burstsocial.com, 1
+burstsocial.net, 1
+burstsocial.org, 1
+burtai.com, 1
+burtcheboyganmi.gov, 1
+burtcountyne.gov, 1
+burtrum.family, 1
+burtrum.me, 1
+burtrum.name, 1
+burtrum.org, 1
+burtsbees.ca, 1
+burttownshipcheboyganmi.gov, 1
+burunucu.ga, 1
+buryat-mongol.cf, 1
+buryatia.tk, 1
+burybox.co.uk, 1
+burz.eu.com, 1
+burz.net, 1
+burz.one, 1
+burz.ro, 1
+burzcast.com, 1
+burzcast.media, 1
+burzgroup.com, 1
+burzmali.com, 1
+burzmedia.ro, 1
+burzstudios.com, 1
+burzum.ch, 1
+bus-hit.me, 1
+bus2talent.eu, 1
+busanhs.bid, 1
+buscaaviena.com, 1
+buscacpf.se, 1
+buscaebooks.tk, 1
+buscagenealogia.tk, 1
+buscahost.com, 1
+buscalotodo.com, 1
+buscandolosmejores.com, 1
+buscatea.com, 1
+buscatodo.tk, 1
+buschavdar.tk, 1
+buscolu.tk, 1
+buselefante.tk, 1
+buserror.cn, 1
+buses.co.uk, 1
+busesurbanoschile.tk, 1
+busflag.tk, 1
+bush41library.gov, 1
+bushbaby.com, 1
+bushbeats.com, 1
+bushcraftfriends.com, 1
+bushfirerecovery.gov.au, 1
+bushingsandbars.com, 1
+bushland.tk, 1
+busindre.com, 1
+business-creators.ru, 1
+business-events.org.uk, 1
+business-explosion-fortune.tk, 1
+business-garden.com, 1
+business-institute.sk, 1
+business-network.or.jp, 1
+business-secreti.cf, 1
+business-secreti.ga, 1
+business-secreti.gq, 1
+business-secreti.tk, 1
+business-swiss.ch, 0
+business.facebook.com, 0
+business.gov, 0
+business.medbank.com.mt, 1
+business.vic.gov.au, 1
+business4all.gr, 1
+business4beginners.co.uk, 1
+business808.com, 1
+businessactivities.tk, 1
+businessadaptive.ga, 1
+businessadvance.tk, 1
+businessafter.ga, 1
+businessamongus.com, 1
+businessanalyst.ml, 1
+businessarrow.ga, 1
+businessbad.ga, 1
+businessbasecamp.eu, 1
+businessbetter.tk, 1
+businessblod.ga, 1
+businessbody.ga, 1
+businessbrite.ga, 1
+businessbrowse.ga, 1
+businessbuller.ga, 1
+businessbunny.ga, 1
+businesscards4free.tk, 1
+businesscaster.ga, 1
+businesscellar.ga, 1
+businesscharm.ga, 1
+businesscharts.ga, 1
+businesscircus.ga, 1
+businesscisco.tk, 1
+businesscloud.co.uk, 1
+businesscollect.ga, 1
+businesscollections.ga, 1
+businesscolor.ga, 1
+businesscommission.ga, 1
+businessconnect.ml, 1
+businesscorp.tk, 1
+businesscorporation.ga, 1
+businesscourier.ga, 1
+businesscrafter.ga, 1
+businesscupcake.ga, 1
+businesscupid.ga, 1
+businesscurious.ga, 1
+businesscutter.com, 1
+businessdelta.ga, 1
+businessdevelopmentagency.tk, 1
+businessdevelopmentarea.tk, 1
+businessdevelopmentasia.tk, 1
+businessdevelopmentinfo.tk, 1
+businessdevelopmentnews.tk, 1
+businessdevelopmentsystem.tk, 1
+businessdirect.ml, 1
+businessdodge.ga, 1
+businessdollar.ga, 1
+businessdollars.ga, 1
+businessdragon.ga, 1
+businessdrive.biz, 1
+businessduck.ga, 1
+businesseagle.ga, 1
+businesseastside.ga, 1
+businessecho.ga, 1
+businesselectra.ga, 1
+businessenterpriseteam.com, 1
+businessepic.ga, 1
+businessethics.ml, 1
+businessetmarketing.com, 1
+businessexcel.ga, 1
+businessfactors.de, 1
+businessfalcon.ga, 1
+businessfame.ga, 1
+businessfeature.ga, 1
+businessfeedback.ga, 1
+businessfiesta.ga, 1
+businessfighter.ga, 1
+businessflag.ga, 1
+businessfleet.ga, 1
+businessflower.ga, 1
+businessfurs.info, 1
+businessgang.ga, 1
+businessgoddess.ga, 1
+businessgold.no, 1
+businessgrace.ga, 1
+businessgroove.ga, 1
+businessgrowth.ga, 1
+businessgrowthleaders.com, 1
+businessguide.co.ke, 1
+businessgun.ga, 1
+businesshandsome.ga, 1
+businesshome.ml, 1
+businesshosting.nl, 0
+businesshotrod.ga, 1
+businesshub.cz, 0
+businessideaarea.tk, 1
+businessideaasia.tk, 1
+businessideacompany.tk, 1
+businessideadevelopment.tk, 1
+businessideainfo.tk, 1
+businessideainfonews.tk, 1
+businessideainsurancenews.tk, 1
+businessideal.tk, 1
+businessimmigration-eu.com, 1
+businessimmigration-eu.ru, 1
+businessinaustin.ga, 1
+businessinboston.ga, 1
+businessinchicago.ga, 1
+businessinchicago.tk, 1
+businessincolumbus.ga, 1
+businessincolumbus.tk, 1
+businessindallas.ga, 1
+businessindallas.tk, 1
+businessindenver.ga, 1
+businessindenver.tk, 1
+businessindetroit.ga, 1
+businessindetroit.tk, 1
+businessindia.tk, 1
+businessinelpaso.ga, 1
+businessinelpaso.tk, 1
+businessinfonews.tk, 1
+businessinfortworth.ga, 1
+businessinfortworth.tk, 1
+businessinhouston.ga, 1
+businessinindianapolis.ga, 1
+businessinjacksonville.ga, 1
+businessinjacksonville.tk, 1
+businessinlosangeles.tk, 1
+businessinmemphis.ga, 1
+businessinmemphis.tk, 1
+businessinnashville.ga, 1
+businessinnashville.tk, 1
+businessinnewyork.ga, 1
+businessinphiladelphia.ga, 1
+businessinphoenix.ga, 1
+businessinsanantonio.ga, 1
+businessinsandiego.ga, 1
+businessinsandiego.tk, 1
+businessinsanfrancisco.ga, 1
+businessinsanfrancisco.tk, 1
+businessinsanjose.ga, 1
+businessinseattle.ga, 1
+businessinside.ml, 1
+businessinsurancemanagement.tk, 1
+businessinvest.cf, 1
+businessinvestment.tk, 1
+businessinwashington.ga, 1
+businessk.ml, 1
+businesskanada.tk, 1
+businesskayak.ga, 1
+businesskiss.ga, 1
+businessknight.ga, 1
+businesslabs.space, 1
+businesslead.tk, 1
+businessleadsworld.com, 1
+businesslegacy.ga, 1
+businessless.ga, 1
+businesslion.ga, 1
+businesslite.pl, 1
+businessloanconnection.org, 0
+businessloco.ga, 1
+businesslondon.tk, 1
+businesslowprice.ga, 1
+businessmarks.ga, 1
+businessmetric.ga, 1
+businessmind.ml, 1
+businessmystical.ga, 1
+businessnames.ga, 1
+businessnations.ga, 1
+businessnatural.ga, 1
+businessnet.cf, 1
+businessnetworks.tk, 1
+businessnews-nigeria.com, 1
+businessnewsera.tk, 1
+businessnight.ga, 1
+businessoftheday.ga, 1
+businessomatic.ga, 1
+businessomega.ga, 1
+businessoneday.ga, 1
+businessones.tk, 1
+businessopedia.ga, 1
+businessopplis.ga, 1
+businessother.ga, 1
+businessouter.ga, 1
+businessparis.tk, 1
+businesspart.ga, 1
+businesspartner.tk, 1
+businesspassport.ga, 1
+businesspatch.ga, 1
+businesspeace.ga, 1
+businesspearl.ga, 1
+businesspersonal.ga, 1
+businessphase.ga, 1
+businesspicker.ga, 1
+businesspipe.ga, 1
+businessplanidea.tk, 1
+businessplus.ie, 1
+businessportal.tk, 1
+businesspremium.ga, 1
+businesspride.ga, 1
+businesspure.ga, 1
+businessquality.ml, 1
+businessrainforest.ga, 1
+businessraven.ga, 1
+businessreborn.tk, 1
+businessremarkable.ga, 1
+businessreps.ga, 1
+businessrequest.ga, 1
+businessrex.ga, 1
+businessrhino.ga, 1
+businessroll.ga, 1
+businessrunners.ga, 1
+businesssalzburg.tk, 1
+businessscaler.co.uk, 1
+businessscapes.ga, 1
+businesssend.ga, 1
+businessshoot.ga, 1
+businessslide.ga, 1
+businesssonic.ga, 1
+businesssouthbeach.ga, 1
+businesssparkle.ga, 1
+businessspicy.ga, 1
+businesssplash.ga, 1
+businessstamp.ga, 1
+businessstudent.com, 1
+businesssupportbywilma.nl, 1
+businesssurreal.ga, 1
+businesstalking.tk, 1
+businesstexas.tk, 1
+businessthunder.ga, 1
+businesstimes.ga, 1
+businesstool.no, 1
+businesstravelmelbourne.ga, 1
+businesstrip.ml, 1
+businessunder.ga, 1
+businessup.tk, 1
+businessuprise.com, 1
+businessusa.gov, 1
+businessusa.tk, 1
+businessvalue.com, 1
+businessvisual.ga, 1
+businesswaterfront.ga, 1
+businesswebadmin.com, 1
+businesswish.ga, 1
+businessworth.ga, 1
+businessx.in, 1
+businesszachod.pl, 1
+businka.tk, 1
+busit.be, 1
+busiteyiengelle.com, 1
+buskompass.de, 1
+busmaster.com.ua, 1
+busned.tk, 1
+busnews.tk, 1
+buspark.com, 1
+buspark.cz, 1
+buspatrol.com, 1
+busphotos.tk, 1
+busqnet.com, 1
+bussi.at, 1
+bussinesconsulting.tk, 1
+bussinesinsurance.tk, 1
+bussinesman.tk, 1
+bussinesnews.tk, 1
+bussinessofware.tk, 1
+bussinessupport.tk, 1
+busstation.tk, 1
+bustany.org, 1
+bustaura.lt, 1
+bustepaga.it, 1
+buster.me.uk, 1
+bustickets.ph, 1
+bustillodeloro.tk, 1
+bustimes.org, 1
+bustmold.com, 1
+bustmovesest.ga, 1
+busty-milf.net, 1
+bustyarchive.com, 1
+bustymilftube.com, 1
+bustypassion.com, 1
+bustypics.com, 1
+bustyrack.com, 1
+busuan.com, 1
+busuttil.org.uk, 1
+buswiki.ml, 1
+busybee.nl, 1
+busyon.cloud, 1
+but-it-actually.work, 1
+but-its-not-your.business, 1
+butarque.es, 1
+butcherboymarket.com, 1
+butcherpaxtattoo.com, 1
+butenhofbomster.com, 1
+buter-petersen.dk, 1
+butfirstkoffee.in, 1
+butik-mechty.tk, 1
+butikk-nesoddkatten.no, 1
+butikvip.ru, 1
+butl.nl, 1
+butlaroo.com, 1
+butlercountyne.gov, 1
+butlerdisposal.com, 1
+butlerfm.dk, 1
+butlins.com, 1
+butongshidai.com, 1
+butorkatalog.hu, 1
+butorvasarlas.hu, 1
+butowka.tk, 1
+butsa.tk, 1
+butserdocumentary.tk, 1
+butt.repair, 0
+buttedesmortssd1wi.gov, 1
+butter.horse, 1
+butter.ml, 1
+butterhost.ga, 1
+buttermilk.cf, 1
+butternutbox.com, 1
+buttertea.shop, 1
+buttertrick.com, 1
+buttgun-tattoo.de, 1
+buttonizer.pro, 1
+buttonline.ch, 1
+buttonsmashers.tk, 1
+butts-are.cool, 1
+butttexters.ga, 1
+butunoyunlar.net, 1
+butyric.com, 1
+butz.cloud, 1
+butzies.ddnss.org, 1
+buumibar.fi, 1
+buurtbusboskoop.nl, 1
+buurtgenotencollectief.nl, 1
+buurtkeukens.nl, 1
+buurtpreventiefraneker.nl, 1
+buurtschapdemarkt.tk, 1
+buvik.gov.in, 1
+buviva.com, 1
+buvocastings.nl, 1
+buxru.tk, 1
+buxum-communication.ch, 0
+buy-aleve.gq, 1
+buy-amitriptyline.tk, 1
+buy-amoxil.ml, 1
+buy-an-essay.gq, 1
+buy-apartment.tk, 1
+buy-avodart.ga, 1
+buy-camera-cases.ga, 1
+buy-cozaar.tk, 1
+buy-decadron.tk, 1
+buy-deltasone.tk, 1
+buy-essay-online.ga, 1
+buy-express-vpn.asia, 1
+buy-human-hair-extension.tk, 1
+buy-indocin.cf, 1
+buy-invertor.shop, 1
+buy-jeansbiz.tk, 1
+buy-lasix-without-a-doctor-s-prescription.ga, 1
+buy-lingerie.tk, 1
+buy-lipitor.tk, 1
+buy-prednisolone.ga, 1
+buy-premarin.ml, 1
+buy-robaxin.gq, 1
+buy-rumalaya.gq, 1
+buy-seroquel.tk, 1
+buy-skelaxin.ml, 1
+buy-stuffed-toys.tk, 1
+buy-terramycin.gq, 1
+buy-topamax.tk, 1
+buy-zimulti.ga, 1
+buy-zofran.ga, 1
+buyaccessible.gov, 1
+buyaccutane.gq, 1
+buyacompliaonline.ga, 1
+buyalbendazole.cf, 1
+buyalbuterolonline.ga, 1
+buyallopurinol.tk, 1
+buyamerican.gov, 1
+buyamoxicillin875mg.tk, 1
+buyamoxil.ml, 1
+buyantabuse.gq, 1
+buyasheep.tw, 1
+buyatarax.gq, 1
+buyazithromycin.gq, 1
+buybaclofen.ga, 1
+buybitmain.com, 1
+buybuspar.ga, 1
+buybutton.store, 1
+buycafergot.ml, 1
+buycbd.store, 1
+buycheapandlow.tk, 1
+buychristmastoys.com, 1
+buycialissmx.tk, 1
+buycitalopram.ga, 1
+buyclaritin.ml, 1
+buycook.shop, 1
+buycostarica.tk, 1
+buycultureboxesers.ga, 1
+buydataonline.tk, 1
+buydeltasone.ga, 1
+buydeltasone.ml, 1
+buydiamox.cf, 1
+buydiflucan.ga, 1
+buydiflucan.ml, 1
+buydissertations.com, 1
+buyeba.xyz, 1
+buyebooks.tk, 1
+buyeffexor.tk, 1
+buyer.pro, 1
+buyessay.org, 1
+buyessays.net, 1
+buyessayscheap.com, 1
+buyfluoxetineonline.gq, 1
+buyharpoon.com, 1
+buyhydrochlorothiazide.ml, 1
+buyingstatus.com, 1
+buyingtvsers.ga, 1
+buyingtvsest.ga, 1
+buyiptv.tech, 1
+buyitmalta.online, 1
+buyjewel.shop, 1
+buylasix.ml, 1
+buylevaquin.tk, 1
+buymetforminonline.tk, 1
+buymobic.ml, 1
+buymyvoip.com, 1
+buynairobi.com, 1
+buyneurontin.ml, 1
+buyonmov.online, 1
+buyornot.tk, 1
+buyorsellcampers.com, 1
+buypal.com.pe, 1
+buypapercheap.net, 1
+buypersonalproxy.com, 1
+buyplore.com, 1
+buyplussize.shop, 1
+buyprednisolone24h.ml, 1
+buyprednisoloneonline.ga, 1
+buyprilosec.tk, 1
+buyprofessional.shop, 1
+buyproiptv.store, 1
+buypropecia.cf, 1
+buyproperty.az, 1
+buyproscaronlinecanada.ga, 1
+buyprovera.tk, 1
+buyprozac.cf, 1
+buypurenature.ga, 1
+buyr.com, 1
+buyretinamicro.cf, 1
+buyrimonabant.cf, 1
+buyrogaine.ga, 1
+buyru.net, 1
+buyselldonothing.com, 1
+buyshine.com, 1
+buyshoe.org, 1
+buysildenafil.ml, 1
+buystromectol.cf, 1
+buystromectol.ml, 1
+buysuisse.shop, 1
+buytermpaper.com, 1
+buytetracycline.cf, 1
+buytramadol.ga, 1
+buytramadol.ml, 1
+buyucoin.com, 1
+buyusa.gov, 1
+buyventolin.cf, 1
+buyventolininhaler.ga, 1
+buywellbutrinonline.gq, 1
+buywifi.tk, 1
+buywood.shop, 1
+buyzithromax.ga, 1
+buyzithromaxonline.ml, 1
+buyzofranonline.tk, 1
+buyzoloft.cf, 1
+buziaczki.pl, 1
+buzinessmarket.ml, 1
+buzko.pl, 1
+buzt.cn, 0
+buzzage.fr, 1
+buzzard.org, 1
+buzzclub.com.br, 1
+buzzconcert.com, 1
+buzzcontent.com, 1
+buzzeditora.com.br, 1
+buzzenginegroup.com, 1
+buzzfeast.com, 1
+buzzhub.tk, 1
+buzzman.ga, 1
+buzzpost.tk, 1
+buzzprint.it, 1
+buzzsmithmusic.com, 1
+buzzspace.net, 1
+buzztalk.tk, 1
+buzzthemuddypyrador.com, 1
+buzztrending.tk, 1
+buzzword24.de, 1
+buzzworld.tk, 1
+buzzworthy.biz, 1
+buzzybites.com, 1
+bv-driver.tk, 1
+bv-ferreiradozezere.pt, 1
+bvb.moe, 0
+bvblaboratory.hu, 1
+bvbmedia.nl, 1
+bvdp-saturn-prod.appspot.com, 1
+bvexplained.co.uk, 1
+bvfz.pt, 1
+bvgg.eu, 1
+bvgt.org, 1
+bvionline.eu, 1
+bviphotovideo.com, 1
+bvlos.com.pl, 1
+bvlp.com, 1
+bvng.nl, 1
+bvonesource.com, 1
+bvop.org, 1
+bvr-nsn.gov, 1
+bvrd.com.do, 1
+bvrlodge.com, 1
+bvrlodge.ro, 1
+bvrpd-pa.gov, 1
+bvv-europe.eu, 1
+bvwphotography.com, 1
+bw.codes, 1
+bwa.wroc.pl, 1
+bwanglab.com, 1
+bwashing.tk, 1
+bwasoimoveis.net, 1
+bwcscorecard.org, 1
+bweston.ga, 1
+bwf11.com, 1
+bwf55.com, 1
+bwf6.com, 0
+bwf77.com, 1
+bwf99.com, 1
+bwfc.nl, 1
+bwgjms.com, 1
+bwgjms.net, 1
+bwgjms.org, 1
+bwh1.net, 0
+bwhbwh.net, 1
+bwigroup.com.au, 1
+bwilkinson.co.uk, 1
+bwin18.cc, 0
+bwin2288.com, 1
+bwin369.cc, 1
+bwin58.cc, 1
+bwinvestments.com.au, 1
+bwired.ca, 1
+bwl-earth.club, 1
+bwmcnc.com, 1
+bwmlaser.com, 1
+bwmovies.tk, 1
+bws16.de, 1
+bwsolar.com.au, 1
+bx-n.de, 1
+bx.ee, 1
+bx49.cc, 1
+bxctrust.com, 1
+bxdj3.com, 1
+bxin.de, 1
+bxp40.at, 1
+by-g.ch, 1
+by-pixcl.com, 1
+by-robyn.nl, 1
+by-the-sword.com, 1
+by-yesilbag.com, 1
+by.city, 1
+by.cx, 0
+by.place, 1
+by1u.com, 1
+byalexia.gr, 1
+byanabelen.com, 1
+byange.pro, 1
+byanjushka.com, 0
+byatte.com, 1
+byblog.tk, 1
+bybym.ml, 1
+bycafeonline.com, 1
+bycatch.com, 1
+bycialis.com, 1
+bycorefi.com, 1
+bydik.com, 1
+bydisk.com, 0
+bydoora.com, 1
+byedzhang.tk, 1
+byemediaers.ga, 1
+byemediaest.ga, 1
+byemedsers.ga, 1
+byeskille.no, 1
+byfare.com, 1
+byfeldt.dk, 1
+byggindrustrin.ga, 1
+byggonline.ga, 1
+bygningsregistrering.dk, 1
+bygogmiljoe.dk, 1
+bygonegames.com, 1
+bygoselink.nl, 1
+byhenryvera.com, 1
+byhoag.com, 1
+byjamesrush.com, 1
+byji.com, 1
+byjudasarrieta.tk, 1
+byjus.com, 1
+byjuschennai.com, 1
+byken.cn, 1
+byll.de, 1
+byluthier.com, 1
+bylz.me, 1
+bymike.co, 1
+bymogarna.se, 1
+bynder.com, 1
+bynono.pt, 1
+bynumlaw.net, 1
+byootify.com, 1
+bypass-link.ga, 1
+bypass.kr, 1
+bypassgfw.tk, 1
+bypetula.cz, 1
+byraje.com, 1
+byrddogpaving.com, 1
+byredo.com, 1
+byrest.com, 1
+byrko.sk, 1
+byronkg.us, 1
+byrtz.de, 1
+byrut.org, 1
+byrutor.org, 1
+bysb.net, 0
+byshep.com, 1
+byshop.tk, 1
+byskafasi.com, 1
+byst.by, 1
+bystryj-zajm.gq, 1
+bystryj-zajm.tk, 1
+byte-lab.tk, 1
+byte.nl, 1
+byte.surf, 1
+byte128.com, 0
+bytebiter.io, 1
+bytebodega.com, 1
+bytebolt.at, 1
+bytebucket.org, 1
+byteflick.org, 1
+bytelink.pro, 1
+bytema.cz, 1
+bytema.eu, 1
+bytema.re, 1
+bytema.sk, 1
+bytemethod.ca, 1
+bytemix.cloud, 1
+bytenews.org, 1
+byteofdev.com, 1
+bytepen.com, 1
+bytes.co, 1
+bytes.fyi, 1
+bytesec.net, 1
+byteshift.ca, 1
+bytesign.de, 1
+bytesizedalex.com, 1
+bytesofcode.de, 1
+bytesoftech.ml, 1
+bytespace.co.uk, 1
+bytesund.biz, 1
+byteswave.cl, 1
+bytesystems.com, 1
+bytetechy.com, 1
+bytetime.net, 0
+byteultra.com, 1
+bytexd.com, 1
+bytez.tk, 1
+bytheglass.gr, 1
+bythen.cn, 0
+bytheswordinc.com, 1
+bytrain.net, 1
+byuro.org, 1
+byw.cymru, 1
+bywencke.nl, 1
+byzhihuo.com, 1
+bzbet365.com, 1
+bzfit.ru, 1
+bzh.tf, 1
+bzhserv.ovh, 1
+bzhub.bid, 1
+bziaks.xyz, 1
+bzik.cf, 1
+bzkj.de, 1
+bzsparks.com, 0
+bztech.com.br, 1
+bztech.ru, 1
+bztraveler.com, 1
+bztraveler.net, 1
+bzv-fr.eu, 1
+c-137.me, 1
+c-14.de, 1
+c-3po.fr, 1
+c-aeroconsult.com, 1
+c-c-europeen.org, 1
+c-chaud.com, 1
+c-data.nl, 0
+c-dome.com, 1
+c-g-h.net, 1
+c-ma-copro.com, 1
+c-ovidiu.tk, 1
+c-resource.tech, 0
+c-rpg.eu, 1
+c-rtx.com, 1
+c-sagaseru.com, 1
+c-shock.org, 1
+c-solarcity.com, 1
+c-style.net, 0
+c-three.jp, 1
+c-world.co.uk, 1
+c.cc, 1
+c.im, 1
+c.lu, 1
+c.sl, 1
+c.wtf, 1
+c00ke.com, 1
+c057cl7.com, 1
+c0mplicated.tk, 1
+c0nfigurati0n.com, 0
+c0rn3j.com, 1
+c10.cz, 1
+c16t.uk, 0
+c19adoption.com, 1
+c19aspirin.com, 1
+c19bromhexine.com, 1
+c19budesonide.com, 1
+c19colchicine.com, 1
+c19curcumin.com, 1
+c19early.com, 1
+c19early.org, 1
+c19favipiravir.com, 1
+c19fluvoxamine.com, 1
+c19hcq.com, 1
+c19hcq.org, 1
+c19ic.com, 1
+c19ivermectin.com, 1
+c19ivermectin.org, 1
+c19ivm.org, 1
+c19legacy.com, 1
+c19ly.com, 1
+c19melatonin.com, 1
+c19mp.com, 1
+c19nitazoxanide.com, 1
+c19ns.com, 1
+c19probiotics.com, 1
+c19proxalutamide.com, 1
+c19pvpi.com, 1
+c19quercetin.com, 1
+c19regn.com, 1
+c19rmd.com, 1
+c19study.com, 1
+c19sv.com, 1
+c19vitaminc.com, 1
+c19vitamind.com, 1
+c19zinc.com, 1
+c1cdn.com, 1
+c21first.co.il, 1
+c2athletics.com, 1
+c2cdn.xyz, 1
+c2lab.net, 1
+c2o2.xyz, 1
+c3.io, 1
+c3.pm, 1
+c35.design, 1
+c36533.com, 1
+c3boc.com, 1
+c3hv.cn, 1
+c3sinc.com, 1
+c3soc.de, 1
+c3speak.com, 1
+c3speak.de, 1
+c3stream.de, 1
+c3vo.de, 0
+c3w.at, 1
+c3wien.at, 1
+c4164.com, 1
+c41ee55a-da20-4cff-8075-24afd0f22aac.com, 1
+c4539.com, 1
+c4b.tools, 1
+c4k3.net, 1
+c4me.online, 1
+c5197.co, 1
+c5h8no4na.net, 1
+c5y.moe, 1
+c6729.co, 1
+c6729.com, 0
+c6957.co, 1
+c7dn.com, 1
+c7n.ch, 1
+c7ra.com, 1
+c82365.com, 1
+c86255.com, 1
+c899365.com, 0
+c9297.co, 1
+c9728.co, 1
+c9n.xyz, 1
+ca-canovelles.tk, 1
+ca-els.com, 1
+ca-immobilier.fr, 1
+ca-key.de, 1
+ca-saintdie.fr, 1
+ca.gparent.org, 1
+ca.search.yahoo.com, 0
+ca3ahhet.tk, 1
+ca5.de, 1
+caa.ca, 1
+caalmn.org, 1
+caarecord.org, 1
+caasd.org, 1
+caasda.tk, 1
+caasz.com, 1
+cabaladada.org, 0
+cabale.fr, 1
+cabalistic.tk, 1
+caball.com, 1
+caballeroalba.cf, 1
+caballerosdeltablero.tk, 1
+cabanactf.com, 1
+cabaretadanowskyfan.tk, 1
+cabazon-tu.com, 1
+cabbage.software, 1
+cabcard.services, 1
+cabeceirasdebasto.pt, 0
+cabecera-descendimiento.tk, 1
+cabelgrano.tk, 1
+cabenoap.com.br, 1
+cabezadeframontanos.tk, 1
+cabezadelcaballo.tk, 1
+cabina-photobooth.ro, 1
+cabincrewcareercenter.com, 1
+cabineritten.nl, 1
+cabinet-bedin.com, 0
+cabinet-life.fr, 0
+cabinet-voyance-orca.tk, 1
+cabinetlm.com, 1
+cabinetm.com, 1
+cabinetmtc.com, 1
+cabinetoumaima.tk, 1
+cabinetselect.com, 1
+cable.ru, 1
+cableatierra.tk, 1
+cablefibreoptique.fr, 1
+cablehighspeed.net, 1
+cableiran.com, 1
+cablemadrid.tk, 1
+cablemod.com, 1
+cables-pro.com, 1
+cablesandkits.com, 1
+cablogrammes.fr, 1
+cabodream.ml, 1
+caboleisurerealestate.com, 1
+cabooneconstruction.com, 1
+cabosaferide.com, 1
+cabotagem.com, 1
+caboverde.tk, 1
+cabphysio.ch, 1
+cabr.al, 1
+cabrachicagritona.tk, 1
+cabrils.com, 1
+cabvertising.it, 1
+cac-hc.org, 1
+cac-ua.com, 1
+cacao-besos.com, 1
+cacao-chocolate.com, 1
+cacao-gang.ml, 1
+cacao.supply, 1
+cacaobesos.bg, 1
+cacaobesos.ro, 1
+cacaolalina.com, 1
+cacareerzone.org, 1
+cacaumidade.com.br, 1
+caccc.com, 1
+cachacasantaterezinha.com.br, 1
+cachaceros.tk, 1
+cache-checker.com, 1
+cachecounty.gov, 1
+cachesheriff.gov, 1
+cachetur.no, 1
+cachorrosboss.com, 1
+caciquecigars.com.br, 1
+cackette.com, 0
+cackl.io, 1
+cacko.tk, 1
+cacnverslavingszorg.nl, 1
+cacombos.com, 1
+cacommenceavecmoi.ca, 1
+cacoriccionline.tk, 1
+cacr.pw, 1
+cacrm.com, 1
+cactus-search.com, 1
+cactusarium.tk, 1
+cactusdentrepair.com, 1
+cactusgreen.com.br, 1
+cactuspedia.cf, 1
+cactuspedia.ga, 1
+cactuspedia.gq, 1
+cactuspedia.ml, 1
+cactusplumbingandair.com, 1
+cad-noerdlingen.de, 1
+cadafalso.tk, 1
+cadams.io, 0
+cadastroloteamento.com.br, 1
+cadaunoescomoes.tk, 1
+cadaver.tk, 1
+cadavre-exquis-musical.tk, 1
+cadconcrete.ca, 1
+cadcrowd.com, 1
+caddo.gov, 1
+caddr.org, 1
+caddyfashionshop.com, 1
+cadeaux-anniversaires.net, 1
+cadeauxfolies.fr, 1
+cadecobots.com, 1
+cadeengineering.com, 1
+cadeirasparaescritorio.ind.br, 1
+cadenadereferidos.tk, 1
+cadencescience.com, 1
+cadetsge.ch, 0
+cadflow.pt, 1
+cadiar.tk, 1
+cadici.ga, 1
+cadifit.ga, 1
+cadillacfairview.com, 1
+cadillacitalia.it, 1
+cadiskitchen.ca, 1
+cadmail.nl, 1
+cadman.pw, 1
+cadman.uk, 1
+cadmechanic.com, 1
+cadonau.net, 1
+cadonet.tk, 1
+cadooz.com, 1
+cadovod.tk, 1
+cadra.nl, 1
+cadre.com, 1
+cadreok.com, 1
+cadsys.net, 1
+caduceuslane.com, 1
+cadusilva.com, 1
+caduta-capelli.tk, 1
+cadvending.ch, 1
+cadwalk.de, 1
+cady-jennifer.tk, 1
+cadynce.com, 1
+caenergyprograms.com, 1
+caerostris.com, 1
+caesar.today, 1
+caesarkabalan.com, 1
+caetanobenet.es, 1
+caetanoflotas.es, 1
+caetanoformula.es, 1
+caetanoformulacadiz.es, 1
+caetanoformulagalicia.es, 1
+caetanomotorsmalaga.es, 1
+caetanoreicomsa.es, 1
+caetanoretail.pt, 1
+caetanotec.pt, 1
+caeterra.com, 1
+caf.ma, 1
+cafe-bg.com, 1
+cafe-cliche.tk, 1
+cafe-georges.cf, 1
+cafe-hamlet.fr, 1
+cafe-musica.org, 1
+cafe-pauline.de, 1
+cafe-service.ru, 0
+cafead.de, 1
+cafeamazon.tk, 1
+cafebab.com, 1
+cafebeauty.com, 1
+cafebeirut.tk, 1
+cafecentraal.tk, 1
+cafecentral.tk, 1
+cafechesscourt.com, 1
+cafechroma.tk, 1
+cafecobus.tk, 1
+cafedelcielo.co, 1
+cafedesignbooks.com, 1
+cafedospescadores.tk, 1
+cafedupont.be, 1
+cafedupont.co.uk, 1
+cafedupont.de, 1
+cafedupont.nl, 1
+cafefacil.com.br, 1
+cafehaventje.tk, 1
+cafeimsueden.de, 1
+cafeitalia.tk, 1
+cafekleuskens.tk, 1
+cafelandia.net, 1
+cafelegenda.cz, 1
+cafemadrid.tk, 1
+cafemandala.hu, 0
+cafemodi.cz, 0
+cafenix.tk, 1
+cafenoorderzon.tk, 1
+cafeobscura.nl, 1
+cafeplacedumarche.ch, 1
+cafepress.com.au, 1
+cafesforonda.com, 1
+cafetaste.com, 1
+cafeterya.tk, 1
+cafethevibes.com, 1
+cafethrive.co.uk, 1
+cafevelo.org, 1
+caffe.ga, 1
+caffein.cf, 1
+caffeinate.co.uk, 1
+caffeineandconcrete.com, 1
+caffeinebookly.com, 1
+caffeinefiend.org, 1
+caffelatte.tk, 1
+cafferata.tk, 1
+caffeservice.hu, 1
+caffewasyl.pl, 1
+cafled.org, 1
+caflou.com, 1
+caflou.cz, 1
+cafpatronato.it, 1
+caftan.tk, 1
+cag.legal, 1
+cagalogluhamami.com.tr, 1
+cagao.com, 1
+cagbuzau.ro, 1
+cageworld.tk, 1
+cagir.eu, 1
+cagivaclub.tk, 1
+caglarcakici.com, 1
+cagranollers.tk, 1
+cagrierdogdu.com, 1
+cagrimerkezinumarasi.com, 1
+cahabadigital.com, 1
+cahfee.com, 1
+cahn-achn.ca, 1
+cahuilla-nsn.gov, 1
+cai-ti.com.tw, 1
+caian.com, 1
+caiben.org, 1
+caibi.io, 1
+caic.com.sg, 1
+caidao.com, 1
+caifan.com, 1
+caihuan.com, 1
+caijunyi.net, 0
+caikuai.com, 1
+caillou.eu, 1
+cailoli.com, 1
+caimin.com, 1
+caindelhi.in, 1
+cainesjannif.com, 1
+cainiao.moe, 1
+caio.moe, 1
+caipai.fm, 1
+caipiao.com.cn, 1
+caipsnotes.com, 1
+caiqu.com, 1
+caiqueparrot.com, 1
+cairan.com, 1
+cairnterrier.com.br, 1
+cairohost.ml, 1
+cairokebab.com, 1
+cairui.com, 1
+cais.de, 1
+caise.tk, 1
+caissefrancaisedefinancementlocal.fr, 1
+caivps.com, 1
+caiwenjian.xyz, 1
+caixiange.com, 1
+caixideal-serralharia.pt, 1
+caiyi.com, 1
+caiyou.com, 1
+caizx.com, 0
+caj-eichstaett.de, 1
+caja-pdf.es, 0
+cajadecoloreshome.com, 1
+cajadelparque.tk, 1
+cajamarca.blog, 1
+cajaregionalserrana.com.mx, 1
+cajas.zone, 1
+cajio.ru, 1
+cak.nl, 1
+cakalnedobe.si, 1
+cakaveterinerklinigi.com, 1
+cake-n-go.com, 1
+cakearific.com, 1
+cakedeliver.com, 1
+cakedeveloperers.ga, 1
+cakedeveloperest.ga, 1
+cakelaces.com, 1
+cakeoffencesact.uk, 1
+cakes.ga, 1
+cakes.tk, 1
+cakesbyzoey.com, 1
+cakeshop.xyz, 1
+cakesoverseas.com, 1
+cakessl.com, 1
+cakestandscarriers.tk, 1
+caketoindia.com, 1
+cakeup.in.ua, 1
+cakir.info.tr, 1
+cakko.ml, 1
+caknowledge.com, 1
+cal-pacpainting.com, 1
+cal.goip.de, 1
+cal9000.com, 1
+calaad.net, 1
+calabasaselectric.com, 1
+calabasaselectrical.com, 1
+calabasaselectrician.com, 1
+calabasasexteriorlighting.com, 1
+calabasaslandscapelighting.com, 1
+calabasaslighting.com, 1
+calabasasoutdoorlighting.com, 1
+calaborlawnews.com, 1
+calabozo.tk, 1
+caladan.tk, 1
+calaficirecords.cf, 1
+calaix.click, 1
+calamidad.tk, 1
+calamp.com, 1
+calancamassages.ch, 0
+calandrahosting.tk, 1
+calantonieta.tk, 1
+calasiaoplantcoop.com.ph, 1
+calaverascounty.gov, 1
+calaverasmedicalcannabis.com, 1
+calc.center, 1
+calcasieu.gov, 1
+calcasieuclerk.gov, 1
+calcasieuparish.gov, 1
+calcasieusheriff.gov, 1
+calcedge.com, 1
+calcettomania.com, 1
+calcinacci.com, 1
+calcinacci.roma.it, 1
+calcionews24.com, 1
+calcioragusa.tk, 1
+calcioweb.eu, 1
+calconcontractors.com, 1
+calcoolator.pl, 1
+calcsoft.tk, 1
+calcsub.net, 1
+calculadora-de-derivadas.com, 1
+calculadora-de-integrales.com, 1
+calculadoraconversor.com, 1
+calcularis.ch, 1
+calculaseguros.com.br, 1
+calculate.co.kr, 1
+calculateaspectratio.com, 1
+calculates.org, 1
+calculatetoday.com, 1
+calculator-app.com, 1
+calculator-imt.com, 1
+calculator.aws, 1
+calculator.tf, 1
+calculatorspace.com, 1
+calculatortvers.ga, 1
+calculatortvest.ga, 1
+calcworkshop.com, 1
+caldaia.roma.it, 1
+caldaro.de, 1
+caldaro.org, 1
+caldecotevillagehall.co.uk, 1
+calderagallery.com, 1
+calderasgranada.cf, 1
+caldercenter.org, 1
+caldervets.co.uk, 1
+caldoletto.com, 1
+caldwell.com, 1
+caleaders.cf, 1
+caleatoxic.org, 1
+caledoniaoh.gov, 1
+caledonie.tech, 1
+calefones-electricos.com, 1
+calendar.cf, 0
+calendar.google.com, 1
+calendarinspiration.com, 1
+calendariodecorrida.com.br, 1
+calendarpensers.ga, 1
+calendarpensest.ga, 1
+calendarr.com, 1
+calendarsnow.com, 1
+calendly.com, 1
+calendriergn.ch, 1
+calendriergratuit.fr, 1
+caletka.cz, 1
+caletka.nl, 1
+calgarydermatologisters.ga, 1
+calhoun.tk, 1
+calhouncityms.gov, 1
+calhouncountyfl.gov, 1
+calhouncountyflsheriff.gov, 1
+calhouncountyil.gov, 1
+calhounfalls.gov, 1
+calhounmi911.gov, 1
+caliber.to, 1
+calibermind.com, 1
+calibrationrecall.com, 1
+calibreapp.com, 1
+calibso.net, 1
+calidadbio.com, 1
+calidoinvierno.com, 1
+californiabalsamic.com, 1
+californiabudgetfinance.tk, 1
+californiabuilding.ma, 1
+californiahairmd.com, 0
+californiahealth.tk, 1
+californiahumanrights.tk, 1
+californiakingsnakepet.com, 1
+californialemonlaw-lawyers.com, 1
+californiamusicacademy.com, 1
+californianet.tk, 1
+californiaonlinedivorce.com, 0
+californiapa.gov, 1
+californiavalues.cf, 1
+calim.com.ar, 1
+calimero.tk, 1
+calindairy.com, 1
+calinetworks.com, 1
+caliph.one, 1
+calisteniaperu.ga, 1
+calisthenicroutines.com, 1
+calitateavietii-ardeal.ro, 1
+call.me, 1
+call2counter.com, 0
+calla.pl, 1
+callabs.net, 1
+callahancountytx.gov, 1
+callamnow.com, 0
+callan.com, 1
+callanenglish.tk, 1
+callanetica.ru, 1
+callanjg.co.uk, 1
+callantonia.com, 1
+callawaymn.gov, 1
+callawayracing.se, 0
+callaworker.ml, 1
+callbackform.tk, 1
+callbell.eu, 1
+callcenterdeluxecalls.nl, 1
+callcriteria.com, 1
+callear.org, 1
+callerid4u.com, 1
+callerstrom.se, 1
+calleveryday.com, 1
+callflex.com.br, 1
+callfordataspeakers.com, 1
+callforkunst.de, 0
+callfunc.com, 1
+callhappyhive.com, 1
+callhippo.com, 1
+callhome.link, 1
+callhub.io, 1
+calliesalls.com, 1
+calligraph.gq, 1
+calligraphychic.com, 1
+callisabel.fr, 1
+callmebetty.com, 1
+callmewhatever.com, 1
+callmewhatever.de, 1
+callmewhatever.net, 1
+calloway.us, 1
+callowaycountyky.gov, 1
+callrail.com, 0
+callsign.com, 0
+callsigns.ca, 1
+calltoar.ms, 1
+callum.au, 1
+callummoore.au, 1
+callumsilcock.me, 1
+calluro.hr, 1
+callvip.tk, 1
+callwork.tk, 1
+cally.tk, 1
+callychat.tk, 1
+calmaririshmusicfestival.tk, 1
+calmer-cloud.de, 1
+calminteractive.fr, 1
+calomel.org, 1
+calonmahasiswa.com, 1
+calotte-academy.com, 1
+calpaterson.com, 1
+calposa.ml, 1
+calref.ca, 1
+calsense.net, 1
+calu.me, 1
+calucon.de, 1
+caluette.com, 1
+calumcrawford.com, 1
+calumetcounty.gov, 1
+calvario.tk, 1
+calvaryhospital.org, 1
+calverleyparish.church, 1
+calvertcityky.gov, 1
+calverttx.gov, 1
+calvin.my, 1
+calvusconsultancy.nl, 1
+calystral.com, 1
+calyxinstitute.org, 1
+calzadonline1.com, 1
+camago.dk, 1
+camanoislandpilates.com, 1
+camaradecomerciosiguatepeque.hn, 1
+camaras.uno, 1
+camarilla.tk, 1
+camarilloelectric.com, 1
+camarilloelectrical.com, 1
+camarilloexteriorlighting.com, 1
+camarillolandscapelighting.com, 1
+camarillolighting.com, 1
+camarillooutdoorlighting.com, 1
+camaronazo.com, 1
+camarzanadetera.tk, 1
+camashop.de, 1
+camastowncar.com, 1
+cambados.tk, 1
+cambait.tk, 1
+camberford.com, 1
+cambiamenti-climatici.it, 1
+cambiamos.tk, 1
+cambiata.io, 1
+cambier.org, 1
+cambioeuro.es, 1
+cambioeuro.it, 1
+cambiowatch.ch, 0
+cambodiainfo.tk, 1
+cambopost.tk, 1
+cambramanresa.cat, 1
+cambridge-security.com, 1
+cambridgeanalytica.cz, 1
+cambridgeanalytica.net, 1
+cambridgemoneyman.com, 1
+cambridgesecuritygroup.org, 1
+cambridgetutors.com, 1
+cambuslangharriers.org, 1
+camcelebs.com, 1
+camconn.cc, 0
+camcookies.com, 1
+camdenhistory.com, 1
+camdennj.gov, 1
+camdenny.gov, 1
+camdenpaws.com.au, 1
+camdesign.pl, 1
+camel2243.com, 1
+camelcrush.cf, 1
+camelflight.tk, 1
+camelforensics.com, 1
+camelia-poezii.tk, 1
+camelia.bg, 1
+camelion.tk, 1
+camella.com.ph, 1
+camelotestatehomes.com, 1
+camelservers.com, 1
+camenisch.ws, 1
+cameo-membership.uk, 0
+cameo.ee, 1
+cameos.bo, 1
+camera-podvod.tk, 1
+camerahire.com.au, 1
+cameraman.tk, 1
+cameramark.nl, 1
+camerashot.tk, 1
+cameraslyphotography.tk, 1
+camerata.com, 1
+cameraviva.com.br, 1
+camerawisata.com, 1
+cameria.tk, 1
+cameriere.it, 1
+cameroncountytx.gov, 1
+cameronherold.com, 1
+cameronphotographyok.com, 1
+cameronsiguenza.com, 1
+cameronstar.tk, 1
+cameronwince.com, 1
+cameronwv.gov, 1
+cameroonlounge.com, 1
+camerweb.es, 1
+camfire.family, 1
+camfire.school, 1
+camfire.team, 1
+camgirl-info.net, 1
+camgirl.ga, 1
+camgirldata.com, 1
+camgo.org, 1
+camhavuz.com, 1
+camilamoreno.tk, 1
+camilaporto.tk, 1
+camilat.tk, 1
+camileonline.tk, 1
+camilia.io, 1
+caminoneocatecumenal.tk, 1
+caminopicoseuropa.com, 1
+caminosalavida.com, 1
+caminreal.tk, 1
+camionerosdecoslada.tk, 1
+camionesdesegundamano.net, 1
+camipress.ga, 1
+camisado.tk, 1
+camisantiago.tk, 1
+camisetas-bones.com.br, 1
+camisetas4fun.com.br, 1
+camisetasbichopreguica.com.br, 1
+camisetasmalwee.com.br, 1
+camisetasparatodos.tk, 1
+camit.tk, 1
+camixo.tk, 1
+camjackson.net, 0
+cammamam.gq, 1
+camnews.tk, 1
+camolist.com, 1
+camon.si, 1
+camouflaged.tk, 1
+camp-pleinsoleil.ch, 0
+camp.zone, 1
+campaign-ad.com, 1
+campaign-center.net, 1
+campaign.gov.scot, 1
+campaign.gov.uk, 1
+campaigner.gq, 1
+campaignlake.com, 1
+campaignwiki.org, 1
+campaignzee.com, 1
+campalhilal.org, 1
+campamentos.info, 1
+campamerika.de, 1
+campanhamamypoko.com.br, 1
+campbellcountywy.gov, 1
+campcambodia.org, 1
+campcar-location.com, 1
+campdesante.com, 1
+campdetarragona.tk, 1
+campeonatoalemao.com.br, 1
+camperdays.de, 1
+camperdirectoryers.ga, 1
+camperdirectoryest.ga, 1
+camperlist.com, 1
+campermanaustralia.com, 1
+campertrailerfinance.com.au, 1
+camperverzekerd.nl, 1
+campfire.moe, 1
+campfiretails.org, 1
+campfourpaws.com, 0
+campguaikinima.com, 1
+camping-aupigeonnier.fr, 1
+camping-chantemerle.com, 1
+camping-dulac-dordogne.com, 1
+camping-everywhere.fun, 1
+camping-le-pasquier.com, 1
+camping-seilershof.de, 1
+camping-trentino.it, 1
+camping.it, 1
+campingbuffs.com, 1
+campingcarlovers.com, 1
+campingdebergboer.tk, 1
+campingdekoolberg.nl, 1
+campingdewatermolen.nl, 1
+campingfontanelle.it, 1
+campinggadgetest.ga, 1
+campinghuntingshooting.com, 1
+campingpasseiermeran.com, 1
+campingprofessionalsest.ga, 1
+campingshop.pl, 1
+campingwatchest.ga, 1
+campistry.net, 1
+camplaza.tk, 1
+campmackinaw.com, 1
+campo-salado.com, 1
+campofant.com, 1
+campogrande.ms, 1
+campograndenews.com.br, 1
+campolivillagebakery.com, 1
+campona.hu, 1
+camposolillo.tk, 1
+camppisos.com.br, 1
+camprunamutt.dog, 1
+campsite-explorer.top, 1
+campsoulfestival.com, 1
+campstuffs.com, 1
+camptonnh.gov, 1
+camptuk.org, 1
+campula.cz, 1
+campus-finance.com, 1
+campuscom.jp, 1
+campuscore.eu, 1
+campusdrugprevention.gov, 1
+campuskota.com, 1
+campuspodsers.ga, 1
+campuspodsest.ga, 1
+campvana.com, 1
+camrecord.ml, 1
+camreviews.org, 1
+camrosewebservices.com, 1
+camsangels.com, 1
+camsexia.com, 1
+camsexia.net, 1
+camsexia.org, 1
+camshort.com, 1
+camshowhub.com, 1
+camsky.de, 0
+camslurp.com, 1
+camslurp.net, 1
+camslurp.org, 1
+camsupplier.ml, 1
+camsupplierers.ga, 1
+camtor.ml, 1
+camtu.com, 1
+camuri.com, 1
+camview.nz, 1
+camworld.com, 1
+camzroofing.ca, 0
+can-amchains.com, 1
+can-fleet.com, 1
+can-tran.com, 1
+canabeinternacional.com, 1
+canada-tourisme.ch, 0
+canadaabroad.com, 0
+canadacloudpharmacy.com, 1
+canadaclub.tk, 1
+canadacommunity.org, 1
+canadacouncil.ca, 1
+canadafactcheck.ca, 0
+canadagoosejacketscanada.ca, 1
+canadahustle.com, 0
+canadalife.de, 1
+canadamails.tk, 1
+canadapet.club, 1
+canadapets.club, 1
+canadapost-postescanada.ca, 1
+canadapropertyexpert.ca, 1
+canadianatheists.ca, 1
+canadianatheists.com, 1
+canadianbusiness.com, 1
+canadianfraudlaw.com, 1
+canadianfriendsofyadsarah.com, 1
+canadianlandscapeart.ca, 1
+canadianlawyermag.com, 1
+canadianmetalworking.com, 1
+canadianmilitaryspouse.tk, 1
+canadianoutdoorequipment.com, 1
+canadianpharmacyonline.com, 1
+canadianpointerclub.tk, 1
+canadiansinternet.com, 1
+canadiansrit.tk, 1
+canadiantouristboard.com, 1
+canae.org, 1
+canajoana.eu, 1
+canal-onanismo.org, 1
+canal4.com.ni, 1
+canalbpv.com, 1
+canalconfidencial.com.br, 1
+canaldeintegridade.com.br, 1
+canaldelaespartera.tk, 1
+canalecontracting.com, 1
+canalescape.tk, 1
+canalinterativo.cf, 1
+canalinterativo.ml, 1
+canalinterativo.tk, 1
+canalpatriotas.tk, 1
+canalrivertrust.org.uk, 1
+canalspa.cl, 1
+canamo-solidario.tk, 1
+canarabankcsis.in, 1
+canaresidences.com, 1
+canaria.ga, 1
+canariasport.com, 0
+canariculturacolor.com, 1
+canaryaspets.com, 1
+canarymod.net, 1
+canarypower.tk, 1
+canarys.cf, 1
+canastasderegalointernacionales.com, 1
+canavilage.com, 1
+canavillage.net, 1
+canavillagepuntacana.com, 1
+canavillageresidences.com, 1
+canberraoutletcentre.com.au, 1
+canberrarunners.org.au, 1
+cancan.ml, 1
+cancer-info.org, 1
+cancer.gov, 1
+canceraid.coach, 1
+canceraid.com, 1
+canceraid.com.au, 1
+canceraid.io, 1
+cancerdata.nhs.uk, 1
+cancersintomas.com, 1
+cancertherapy.tk, 1
+cancomputers.hn, 1
+cancunhealthers.ga, 1
+cancunvacationexperts.com, 1
+candaceplayforth.com, 1
+candas.tk, 1
+candelaguatemala.tk, 1
+candex.com, 1
+candicecity.com, 0
+candidasa.com, 1
+candidateexperiencemarketing.nl, 1
+candidatlibre.net, 1
+candidcard.ga, 1
+candidcarders.ga, 1
+candidcardest.ga, 1
+candinya.com, 1
+candinya.me, 1
+candlcastles.co.uk, 1
+candlelightchallenge.tk, 1
+candlelightediting.com, 1
+candlemakingexplained.com, 1
+candlepro.cf, 1
+candlevn.com, 1
+cando.eu, 1
+candogiveguide.org, 1
+candorhealthed.org, 1
+candy-pop.tk, 1
+candyalexa.net, 1
+candyboulevard.tk, 1
+candybouquet.tk, 1
+candybygrant.com, 1
+candydol.xyz, 1
+candydoll11.com, 1
+candydoll12.com, 1
+candydoll13.com, 1
+candydoll14.com, 1
+candydoll15.com, 1
+candydoll3.com, 1
+candydoll7.com, 1
+candydoll8.com, 1
+candydoll9.com, 1
+candyflavor.com, 1
+candykidsentertainment.co.uk, 1
+candykurs.ru, 1
+candylion.rocks, 1
+candypalace.tk, 1
+candysailing.ml, 1
+candysamira.org, 1
+candytip.ru, 1
+candyxs.org, 1
+canecorsodogguide.com, 1
+canek.es, 0
+canelaimobiliaria.com.br, 1
+canellayachts.com, 1
+canetelareal.tk, 1
+canfazz.com, 1
+canfield.gov, 1
+canfleet.ca, 1
+canfleet.com, 1
+canfleet.info, 1
+canfleetglobal.com, 1
+canfleetlogistics.com, 1
+cangku.in, 1
+cangurin.com, 1
+canhas.report, 1
+canhazip.com, 1
+canhq.tk, 1
+canhtuaone.com, 0
+cani-compostelle.fr, 1
+canibrowse.net, 1
+canidelite-toulouse.fr, 1
+canihavesome.coffee, 0
+canile.it, 1
+caninecompilation.com, 1
+caninejournal.com, 1
+caniuse.email, 1
+canjo.gov, 1
+cankado.com, 1
+canker.org, 1
+cankhon.tk, 1
+cankirihaber.tk, 1
+cankutahya.com.tr, 1
+canlidiziizlesene.org, 1
+canliradyodinle.fm, 1
+canlitelefonhatti.ga, 1
+canlom.tk, 1
+canmipai.com, 1
+cannabis-marijuana.com, 1
+cannabisdiscounter.ca, 1
+cannabishouseyeg.com, 1
+cannabislegality.info, 1
+cannabisoffers.net, 1
+cannabisreports.org, 1
+cannabistraininguniversity.com, 1
+cannabiz.tk, 1
+cannabytes.net, 1
+cannacards.ca, 1
+cannagoals.com, 1
+cannamaca.com, 1
+cannamx.online, 1
+cannaseedsonline.com, 1
+cannature.eu, 1
+cannedcyberlabs.org, 1
+cannellecitron86-biomonde.fr, 1
+canningcityfc.org.au, 1
+canningpartners.com.au, 1
+cannoli.london, 1
+cannon.org.cn, 1
+cannoncountytn.gov, 1
+cannonriverwatershedmn.gov, 1
+cannonsforsale.com, 1
+canntinas.com, 0
+cannyfoxx.me, 1
+canobag.es, 1
+canondrivers-support.com, 1
+canondrivers.org, 1
+canonisti.fi, 1
+canoonic.se, 1
+canopy.ninja, 1
+canopycleaning.com.au, 1
+canopycleaningmelbourne.com.au, 1
+canopyservicing.com, 0
+canopytax.com, 1
+canossagardens.org.au, 0
+canossahospital.org.au, 1
+canovamedical.co.uk, 1
+canovamedical.com, 1
+canperclinicaveterinaria.com, 1
+canrarantra.tk, 1
+canstar.co.nz, 1
+canstar.com.au, 1
+canstarblue.co.nz, 1
+canstarblue.com.au, 1
+cantaloupe.ga, 1
+cantalupo.tk, 1
+cantando.nl, 1
+cantarefacile.com, 1
+cantarella.tk, 1
+cantatio.ch, 0
+cantautores.tk, 1
+cantdecidename.com, 1
+canterbury.ws, 1
+canterburycrest.org, 1
+canterburynh.gov, 1
+canters.tk, 1
+cantinhodabia.com, 1
+cantongroup.com, 1
+cantonmi.gov, 1
+cantonmopolice.gov, 1
+cantonms.gov, 1
+cantoo.fr, 1
+cantor.cloud, 1
+cantosdisidentes.tk, 1
+cantrack.com, 1
+cantstopart.com, 1
+canukseeds.com, 1
+canuluduz.tk, 1
+canv4s.com, 1
+canva-dev.com, 1
+canva-staging.cn, 1
+canva-staging.com, 1
+canva.cn, 1
+canva.com, 1
+canvas-art.tk, 1
+canvaspersonalized.com, 1
+canveganseat.com, 1
+canyoncreekjeep.com, 1
+canyonisd.net, 1
+canyonshoa.com, 1
+canyontx.gov, 1
+canyou.ai, 1
+canyou.com.au, 1
+canyoupwn.me, 1
+cao.bi, 1
+cao.gov, 1
+cao.la, 1
+caocao.cf, 1
+caodecristachines.com.br, 0
+caodesantohumberto.com.br, 1
+caos.ch, 0
+caoshanhu.com, 1
+caoshe.com, 1
+caostura.com, 1
+caoyao.com, 1
+caozuo.com, 1
+cap-study.com, 1
+cap21-lrc.fr, 1
+cap73.fr, 1
+cap75.com, 1
+capa.digital, 1
+capacityproject.org, 1
+capari.co, 1
+caparicasurfing.com, 1
+caparis.nl, 1
+capeannpediatrics.com, 1
+capebretonpiper.com, 1
+capecanaveral.gov, 1
+capecod.gov, 1
+capecoral.gov, 1
+capecycles.co.za, 1
+capehipandknee.co.za, 1
+capekeen.com, 1
+capellan.pe, 1
+capellen.tk, 1
+capeprivacy.com, 0
+capetown.travel, 1
+capetownelite.co.za, 1
+caph.info, 1
+caphane.com, 1
+caphapupolas.ga, 1
+caphapupolas.ml, 1
+caphefin.com, 1
+capicibera.tk, 1
+capike.cf, 1
+capillary.io, 1
+capimlimaoflores.com.br, 1
+capitainebaggy.ch, 0
+capitains.tk, 1
+capital-electronics.ml, 1
+capital-match.com, 1
+capitalcap.com, 1
+capitalcollections.org.uk, 1
+capitalcounselor.com, 1
+capitalendurancegroup.com, 1
+capitalibre.com, 1
+capitalindustrygroup.com.au, 1
+capitalise.ai, 1
+capitalism.party, 1
+capitalism.rip, 1
+capitalist.cf, 1
+capitalmarkets.online, 1
+capitalmatters.cf, 1
+capitalmatters.ga, 1
+capitalmatters.gq, 1
+capitalmatters.ml, 1
+capitalmediaventures.co.uk, 1
+capitalmedicals.co.nz, 1
+capitalnativenations.org, 1
+capitaloneshopping.com, 1
+capitalontap.com, 1
+capitalp.jp, 1
+capitalpay.ml, 1
+capitalpipeline.tech, 1
+capitalquadatv.org.nz, 1
+capitalrooms.ga, 1
+capitalroomsers.ga, 1
+capitalscum.tk, 1
+capitalsejours.fr, 1
+capitalspiderers.ga, 1
+capitalstakepool.info, 1
+capitaltruepartner.hk, 1
+capitaltruepartnertechnology.cn, 1
+capitalwin.com, 1
+capitan.ml, 1
+capitanbeilinson.tk, 1
+capitapeskanova.tk, 1
+capitein.tk, 1
+capitolavenue62.co.in, 1
+capitolnational.com, 1
+capitolpathways.org, 1
+capitolrisk.tk, 1
+capitoltrades.com, 1
+capitone.fr, 1
+caplinbouncycastles.co.uk, 1
+caponestudiolegale.it, 1
+caponte.io, 1
+caporalmktdigital.com.br, 1
+capota.tk, 1
+capper.de, 1
+cappp.cz, 1
+capradip.in, 0
+caprell.com, 1
+capriccio.to, 1
+caprichosdevicky.com, 1
+caprigo.ru, 1
+capris.cr, 0
+capro.global, 1
+caps-hats.tk, 1
+caps.equipment, 1
+caps.is, 1
+caps.solutions, 1
+caps.systems, 1
+capsdelhi.com, 1
+capseo.id, 1
+capsicle.tk, 1
+capslock.ch, 1
+capsogusto.com, 1
+capstansecurity.co.uk, 1
+capstansecurity.com, 1
+capstonehcm.com, 1
+capsuladigital.tk, 1
+capsulafinanciera.com, 1
+capsule.org, 0
+capsulekitchen.co, 1
+capsulezone.tk, 1
+captain-dandelion.com, 1
+captain-droid.com, 1
+captainark.net, 1
+captainclaw.tk, 1
+captaincontributor.com, 1
+captainjanks.tk, 1
+captainratnesh.tk, 1
+captainsavage.lt, 1
+captainscarlet.tk, 1
+captainsinn.com, 1
+captainsonic.com, 1
+captainsunshine.tk, 1
+captalize.com, 1
+captchafox.com, 1
+captify.ca, 1
+captivationscience.com, 1
+captivationtheory.com, 1
+capturebilling.com, 1
+captured-symphonies.com, 1
+capturelead.tk, 1
+capturis.com, 1
+capuchinox.com, 1
+caputo.com, 1
+capybaraowner.com, 1
+car-alarm.tk, 1
+car-clean-nord.de, 1
+car-diagnose.com, 1
+car-dismantling.tk, 1
+car-expresso.com, 1
+car-hire-lisbon.com, 1
+car-keys.tk, 1
+car-market.tk, 1
+car-seats-store.ga, 1
+car-speed.tk, 1
+car-touch.tk, 1
+car.info, 1
+car24portal.de, 1
+car3d.gq, 1
+car4rent.fr, 1
+cara-bisnis.tk, 1
+cara-mudah-hidup-sehat.tk, 1
+carabin.cf, 1
+caraccidentlawyersaltlake.com, 1
+caraccidentslawyer.tk, 1
+caraccio.li, 1
+caracterizacion.tk, 1
+caradaftarakun.ga, 1
+caragame.id, 1
+carajas.tk, 1
+caralarm.cf, 1
+caralarm.tk, 1
+caraliadeluxe.net, 1
+caralina.com, 1
+caramelldansen.com, 1
+caramellespinell.tk, 1
+caramplifier.com, 1
+caratennison.net, 1
+carauctionnetwork.com, 1
+carauctionsalabama.com, 1
+carauctionscarolina.com, 1
+carauctionsgeorgia.com, 1
+carauctionsillinois.com, 1
+carauctionsnewyork.com, 1
+caraudiostore.tk, 1
+caravaca.tk, 1
+caravansciences.tk, 1
+caravelairclub.tk, 1
+caraz.tk, 1
+carballeira.tk, 1
+carbaza.ru, 1
+carberra.io, 1
+carberra.xyz, 1
+carbeso.co.network, 1
+carbeso.site, 1
+carbgrent.com, 1
+carbon-project.org, 1
+carbon.coop, 1
+carbon12.org, 1
+carbon12.software, 1
+carbonadvantage.tk, 1
+carbonaphta.com, 1
+carboncountypa.gov, 1
+carboncountywy.gov, 1
+carbondix.com, 1
+carboneventsupport.be, 1
+carboneventsupport.lu, 1
+carbonholic.org, 1
+carbonkiller.org, 1
+carbonlib.com, 0
+carbonmapper.org, 1
+carbonmonoxidelawyer.net, 1
+carbonnel.me, 0
+carbono.uy, 1
+carbonopuro.es, 0
+carbonswap.exchange, 1
+carbonswap.finance, 1
+carbontv.com, 1
+carbonvision.cn, 0
+carcare.net.au, 1
+carcatron.org, 1
+carceloinfierno.tk, 1
+carcheck123.com, 1
+carck.co.uk, 1
+carcleannord.de, 1
+carcloud.ch, 1
+carcluesest.ga, 1
+carcrushe.rs, 1
+carcrushers.cc, 1
+cardanalysisers.ga, 1
+cardano.eco, 1
+cardbouns.tk, 1
+cardcaptorsakura.jp, 1
+cardcollectors.ch, 1
+carddelivery.com, 1
+cardexaminerers.ga, 1
+cardexaminerest.ga, 1
+cardiagnose.nl, 1
+cardiagnostics.tk, 1
+cardiffmoneyman.com, 1
+cardijn-athus.be, 1
+cardinauto.fr, 1
+cardington.tk, 1
+cardinus.com, 1
+cardioagainstcancer.nl, 1
+cardiology.academy, 1
+cardiology.gq, 1
+cardios.srv.br, 1
+cardiosportsilvinadelgado.com, 0
+cardiothinklab.com, 1
+cardity.de, 1
+cardliquidatorsers.ga, 1
+cardloan-center.jp, 1
+cardloan-manual.net, 1
+cardmarketersers.ga, 1
+cardmarketersest.ga, 1
+cardmart.tk, 1
+cardmates.com.br, 1
+cardmates.net, 1
+cardmates.org, 1
+cardmates.ru, 1
+cardmates.ua, 1
+cardmetricsers.ga, 1
+cardmetricsest.ga, 1
+cardoni.net, 1
+cardozovargas.com, 1
+cardozovargas.com.br, 1
+cardozovargas.me, 1
+cardpaymentoptions.com, 1
+cardprinter.co.il, 1
+cardpyramiders.ga, 1
+cardranking.jp, 1
+cardrecovery.fr, 1
+cards4jobs.com, 1
+cardschat.com, 1
+cardsite.ca, 1
+cardsolutionsbh.com.br, 1
+cardstesting.tk, 1
+cardstream.com, 1
+cardswith.love, 1
+cardtrekers.ga, 1
+cardtrekest.ga, 1
+cardtronics.com, 1
+cardwar.tk, 1
+cardwars.hu, 1
+care-pack.eu, 1
+care-q.net, 1
+care.com, 1
+care4all.com, 1
+care4homecare.nl, 1
+careapp.com.au, 1
+carear.com, 1
+carecm.de, 1
+career-conduct.jp, 1
+career-guidance.com, 1
+career-log.jp, 1
+careerandjobsearch.tk, 1
+careercapital.co.za, 1
+careerdiary.co.uk, 1
+careergigo.com, 1
+careerminds.com, 1
+careernet.in, 1
+careeroptionscoach.com, 1
+careerpower.co.in, 1
+careersinpsychology.org, 1
+careerslevel.com, 1
+careertransformed.com, 1
+carefix.pro, 1
+carefree-creative.com, 1
+carefu.link, 1
+carefy.ph, 1
+caregoportal.com, 1
+carehomejob.co.uk, 1
+careium.co.uk, 1
+carekleen.com.au, 1
+carelancerportfolio.ga, 1
+careloco.tk, 1
+caremad.io, 1
+caremobi-prod.herokuapp.com, 1
+carepan.ga, 1
+carepassport.com, 1
+caresco.nl, 1
+careshields.sg, 1
+carespot.com, 1
+carespottravelmedicine.mobi, 1
+caretaker.com, 1
+carethehealth.com, 1
+caretoyou.com, 1
+caretta.co.uk, 1
+carevan.org, 1
+carevic.eu, 1
+carevo.id, 1
+careyohio.gov, 1
+careyolsen.com, 1
+carezza.net, 1
+carfamily.com, 1
+carfashion.com.mx, 1
+carfax.ca, 1
+carfaxcanadaappgateway.azurewebsites.net, 1
+carfinancehelp.com, 1
+carfinans.ru, 1
+carforme.gr, 1
+carfraemill.co.uk, 1
+cargo.build, 1
+cargobas.com, 1
+cargobay.net, 1
+cargoio.com, 1
+cargomaps.com, 1
+cargorestraintsystems.com.au, 1
+cargosapiens.com.br, 1
+cargotariff.ml, 1
+cargotransinfo.ru, 1
+carhunters.cz, 1
+caribank.org, 1
+caribbeancinemas.com, 1
+caribbeansolutionslab.com, 1
+caribeeficiente.com.co, 1
+caribuku.tk, 1
+caricature.fr, 1
+caricatureavenue.com, 1
+carien.eu, 1
+carif-idf.net, 0
+carigami.fr, 1
+cariki.gq, 1
+carikiv.gq, 1
+carillon.tk, 1
+carinaklijn.nl, 1
+carine.ml, 1
+caringkitsforkids.org.uk, 1
+caringmedicine.ga, 1
+caringpups.com, 1
+carinsuranceliveest.ga, 1
+carinthia.eu, 1
+carioca-romania.ro, 1
+cariproperti.com, 1
+carisenda.com, 1
+carium.com, 1
+carkeysanantonio.com, 1
+carkeysystem.com, 1
+carl-blum-haus.tk, 1
+carl-otto.it, 1
+carl-topham.com, 0
+carl.land, 1
+carlansell.co.uk, 1
+carlapoggioli.com, 1
+carlaschiavone.tk, 1
+carlasecrets.com, 1
+carlcsaposs.com, 1
+carlelo.com, 1
+carlesribot.tk, 1
+carleycounselingservices.com, 1
+carlgo11.com, 1
+carlicahn.com, 1
+carlife-at.jp, 1
+carlijnottens.nl, 1
+carlili.fr, 0
+carlingfordapartments.com.au, 1
+carlingforddental.com.au, 1
+carlinmack.com, 1
+carlislebrass.com, 1
+carlislecounty.gov, 1
+carlite.at, 1
+carlitoxxpro.com, 1
+carlmjohnson.net, 0
+carloancalculator.tk, 1
+carlobiagi.de, 1
+carlocksmith--dallas.com, 1
+carlocksmithbaltimore.com, 1
+carlocksmithcarrollton.com, 1
+carlocksmithellicottcity.com, 1
+carlocksmithfallbrook.com, 1
+carlocksmithkey.com, 1
+carlocksmithlewisville.com, 1
+carlocksmithmesquite.com, 1
+carlocksmithsjohannesburg.co.za, 1
+carlocksmithtucson.com, 1
+carloelectrical.com, 1
+carlolacana.tk, 1
+carlolander.se, 1
+carlons.cf, 1
+carlos-moreira.com, 1
+carlosabarbamd.com, 1
+carlosbronze.com.br, 1
+carloscar.art, 1
+carloscar.co, 1
+carloscar.com, 1
+carloscar.se, 1
+carloscolina.com, 1
+carlosfelic.io, 1
+carlosgago.tk, 1
+carlosguadian.tk, 1
+carloshbcabral.com, 1
+carloshmm.com, 1
+carloshmm.stream, 1
+carloshmoreira.com, 1
+carlosjeurissen.com, 1
+carlosjeurissen.nl, 1
+carlospiga.fr, 1
+carlosvelezmarketing.com, 1
+carlot-j.com, 1
+carls-fallout-4-guide.com, 1
+carlsbadluxuryhotels.ga, 1
+carlshamnbageri.com, 1
+carlshamnbageri.se, 1
+carlshamnmejeri.com, 1
+carlshamnmejeri.se, 1
+carlshamnsvaxtrike.se, 1
+carlshamnvaxtrike.se, 1
+carlsonfonder.se, 1
+carlsonfund.de, 1
+carlsonfunds.com, 1
+carlsonsw.com, 1
+carltoncountymn.gov, 1
+carltonelitetravel.ga, 1
+carltontownfc.tk, 1
+carlvanderlaan.com, 1
+carlysgarden.net, 1
+carmageddon.tk, 1
+carmarthenradiocontrolledcarclub.tk, 1
+carmela.tk, 1
+carmelrise.co.uk, 1
+carmelss.edu.hk, 1
+carmeltownship-mi.gov, 1
+carmen1996.com, 1
+carmengrayfanclub.tk, 1
+carmeni.tk, 1
+carmeny.org, 1
+carminemastropierro.com, 1
+carna.tk, 1
+carnageheart.tk, 1
+carnagevisors.tk, 1
+carnaticalifornia.com, 1
+carnavaldeltoro.tk, 1
+carnavales.tk, 1
+carnavalinrothem.tk, 1
+carnedelmercado.com, 1
+carnell.com, 1
+carnet-du-voyageur.com, 1
+carnetdeconducir.club, 1
+carni.tk, 1
+carnica.tk, 1
+carniceriaserrador.es, 1
+carnildo.com, 1
+carnivalcostumes.tk, 1
+carnivalkingsupplies.com, 1
+carnivorediet.gr, 1
+carnivorousplants.co.uk, 1
+carobme.de, 1
+carocream.org, 1
+caroffer.ch, 1
+carohq.com, 1
+caroinstitute.cf, 1
+carol-lambert.com, 1
+carolcestas.com, 1
+caroli.biz, 1
+caroli.com, 1
+caroli.info, 1
+caroli.name, 1
+caroli.net, 1
+carolicious.tk, 1
+carolina.cz, 1
+carolinaharboe.baby, 1
+carolinaharboe.com, 1
+carolinaoliveira.tk, 1
+carolinarice.com, 1
+carolinasaddictionfellows.com, 1
+carolinashoe.com, 1
+carolinavarletaarriagada.tk, 1
+carolineball.com, 1
+carolinebazin.fr, 1
+carolineeball.com, 1
+carolinegirvan.com, 1
+carolinehanania.com, 1
+carolinehoule.com, 1
+carolinelanglois.fr, 1
+carolineovercash.com, 1
+carolinepleuvret.fr, 1
+carolmolinari.tk, 1
+carontetourist.hr, 1
+carontetouristisoleminori.it, 1
+carottage-beton.com, 1
+carousel.ga, 1
+carouselbuses.co.uk, 1
+carouselinsights.com, 1
+carp-world.tk, 1
+carp-zeeland.tk, 1
+carp4life.tk, 1
+carparo.net, 0
+carpeleo.com, 1
+carpeleo.mobi, 1
+carpeleo.se, 1
+carpentersvilleil.gov, 1
+carpet24.gr, 1
+carpetandhardwoodflooringpros.com, 1
+carpetcleanerswilmington.com, 1
+carpetcleaning-cypress.com, 1
+carpetcleaningtomball.com, 1
+carpetcobblers.ga, 1
+carpio.tk, 1
+carplus.es, 1
+carplus.net, 1
+carportus.com, 1
+carpostal.com, 1
+carprice.auction, 1
+carprice.ru, 1
+carproof.com, 1
+carpticon.tk, 1
+carpuya.ga, 1
+carrabiners.tk, 1
+carraboucrafts.com, 1
+carre-jardin.com, 1
+carre-lutz.com, 1
+carre.nl, 1
+carrelageetmosaique.fr, 1
+carreraspopularescalendario.com, 1
+carrgroup.co.nz, 1
+carrgroup.com.au, 1
+carriage.fun, 1
+carriedin.com, 1
+carrier.tools, 1
+carrieunderwood.tk, 1
+carrion.tk, 1
+carrmachines.co.nz, 1
+carrmachines.com.au, 1
+carrnorthamerica.com, 1
+carroattrezzi.it, 1
+carroattrezzi.lazio.it, 1
+carroattrezzimilanodaluiso.it, 1
+carroceriascarluis.com, 1
+carrolcountyohioelections.gov, 1
+carrollcotne911.gov, 1
+carrollcountyil.gov, 1
+carrollcountyiowa.gov, 1
+carrollcountynh.gov, 1
+carrollcountynhdeeds.gov, 1
+carrolltontx.gov, 1
+carroseletricosbh.com.br, 1
+carrosserie-delaval.be, 1
+carrouselcompany.fr, 1
+carrozzeria.roma.it, 1
+carrozziere.roma.it, 1
+carrumhealth.com, 1
+carry.luxe, 1
+carryvanbruggen.tk, 1
+cars-project.ru, 1
+cars4salecy.com, 1
+carsandstars.com.au, 1
+carseatchecks.ca, 1
+carshippingcarriers.com, 1
+carsinsuranceis.com, 1
+carsmate.com, 1
+carsoft.tk, 1
+carson-matthews.co.uk, 1
+carsonca.gov, 1
+carsonkoziol.com, 1
+carsonmorrow.com, 1
+carsoug.com, 1
+carspicture.tk, 1
+carspneu.cz, 1
+carsreborn.com, 1
+carstar.com.ua, 1
+carstub.com, 1
+carsurance.net, 1
+carsworld.cf, 1
+cartadeviajes.cl, 1
+cartadeviajes.co, 1
+cartadeviajes.com, 1
+cartadeviajes.com.ar, 1
+cartadeviajes.com.ve, 1
+cartadeviajes.de, 1
+cartadeviajes.ec, 1
+cartadeviajes.es, 1
+cartadeviajes.fr, 1
+cartadeviajes.mx, 1
+cartadeviajes.pe, 1
+cartadeviajes.uk, 1
+cartago.co.cr, 1
+cartaisapre.com, 1
+carte-resident.ci, 1
+cartegrise.com, 1
+cartegrise.xyz, 1
+carteles.tk, 1
+cartelloni.roma.it, 1
+carteltec.com, 1
+cartercountymo.gov, 1
+carterdan.net, 1
+carterjonas.co.uk, 1
+carterkosturos.com, 1
+carterstad.se, 1
+cartertonscouts.org.nz, 1
+cartes-voyance.fr, 1
+cartesfrance.fr, 1
+cartesy.de, 1
+cartfilm.tk, 1
+cartft.com, 1
+carthagecement.com.tn, 1
+carthedral.com, 1
+cartierplan.ga, 0
+cartomancieperso.tk, 1
+cartongesso.roma.it, 1
+cartons-cheap.tk, 1
+cartooncastles.ie, 1
+cartooncollections.com, 1
+cartoonlists.com, 1
+cartoonstock.com, 1
+cartoontube69.com, 1
+cartoonvibe.com, 1
+cartoonwap.tk, 1
+cartoradio.fr, 1
+cartorio4oficiojuazeiro.com.br, 1
+cartorios.tk, 1
+cartoservice.tk, 1
+cartouche24.eu, 1
+cartridge.bg, 1
+cartridge.gq, 1
+cartridgereviewers.ga, 1
+cartridgereviewsers.ga, 1
+cartridgereviewsest.ga, 1
+cartridgesave.co.uk, 1
+cartturbo.com, 1
+cartucce24.it, 1
+cartuchoonline.com.br, 1
+cartunings.tk, 1
+cartwrightrealestate.com, 1
+carty.bg, 1
+carun.us, 0
+carunion.nl, 1
+carver.tk, 1
+carvercountymn.gov, 1
+carvoeiro-car-hire.com, 1
+carwashdruten.nl, 1
+carwashkampen.nl, 1
+carwreckcowboy.com, 1
+caryl.fr, 1
+carymedicalgroup.com, 1
+caryvilletn.gov, 1
+cas-chauxdefonds.ch, 0
+cas-ebbers.nl, 1
+casa-app.de, 0
+casa-brel.ml, 1
+casa-carla.it, 1
+casa-due-pur.com, 1
+casa-due-pur.de, 1
+casa-due.com, 1
+casa-familia.com, 0
+casa-indigo.com, 1
+casa-laguna.net, 1
+casa-lunch-break.de, 1
+casa-lunchbreak.de, 1
+casa-mea-inteligenta.ro, 1
+casa-mitica.com, 1
+casa-prince.tk, 1
+casaasia.cat, 1
+casaasia.es, 1
+casaasia.eu, 1
+casabella.com.tw, 1
+casacampolima.com, 1
+casacapalbio.com, 1
+casacazoleiro.com, 1
+casachameleonhotels.com, 1
+casachronicles.com, 1
+casacochecurro.com, 1
+casacoleccionistagaldar.tk, 1
+casacolosseo.com, 1
+casacomcharme.com.br, 1
+casacoscolo.tk, 1
+casadasmolas.tk, 1
+casadedios.tk, 1
+casadegomes.com, 1
+casadelasvinas.com, 1
+casadetiteres.tk, 1
+casadoarbitro.com.br, 1
+casadomarketingdigital.com.br, 1
+casadopulpo.com, 1
+casaessencias.com.br, 1
+casafina.tk, 1
+casagami.ga, 1
+casagyn.com.br, 1
+casajeannine.tk, 1
+casalacabra.com, 1
+casalborgo.it, 1
+casalcrevillent.tk, 1
+casaledibuccole.it, 1
+casalinghedisperate.ga, 1
+casalopez.tk, 1
+casalor.ro, 1
+casalunchbreak.de, 1
+casamariano.es, 1
+casamentos.com.br, 1
+casamentos.pt, 1
+casamiento.com.uy, 1
+casamientos.com.ar, 1
+casandraemge.tk, 1
+casanuova.tk, 1
+casaoggidomani.it, 1
+casapalla.com.br, 1
+casapedra.tk, 1
+casaplorer.com, 1
+casaruralsantamaria.tk, 1
+casasbandeirantes.com.br, 1
+casascomdesign.com, 1
+casashops.com, 1
+casasparaperross.com, 1
+casasuara.com, 1
+casasuleletrodomesticos.com.br, 1
+casatendeiro.tk, 1
+casavacanze.estate, 1
+casavaleria.tk, 1
+casavlas.ro, 1
+casbia.info, 0
+casbuijs.nl, 1
+casburggraaf.com, 0
+casc.cz, 1
+casca.tk, 1
+cascadenos.tk, 1
+cascadewindows.com, 1
+cascadinglounge.tk, 1
+cascavelle.fr, 1
+cascavelle.nl, 1
+cascd.pt, 1
+case-vacanza-salento.com, 1
+case4you.bg, 1
+case4you.ro, 1
+casecandy.in, 1
+casecurity.org, 1
+caseform.de, 1
+caseificio.roma.it, 1
+caselemnbarat.ro, 1
+casemaka.com, 1
+caseof.fr, 1
+casepariurionline.ro, 1
+caseplus-daem.de, 1
+casertanews.it, 1
+cases.lu, 1
+casetech.com, 1
+casewarecloud.com, 1
+caseycapitalpartners.com, 1
+caseykeith.me, 1
+casgp.com, 0
+cash-bot.tk, 1
+cash-generator.tk, 1
+cash-pos.com, 1
+cash.app, 1
+cash.me, 1
+cash.nyc, 1
+cashamerican.tk, 1
+cashati.com, 1
+cashbackcow.us, 1
+cashbacksummit.com, 1
+cashblog.ga, 1
+cashbook.co.tz, 1
+cashbot.sk, 1
+cashbuild.co.za, 1
+cashcode.ga, 1
+cashcoin.tk, 1
+cashconverters.co.uk, 1
+cashconverters.com, 1
+cashconverters.com.au, 1
+cashdo.co.il, 1
+cashdrop.ga, 1
+cashenvoy.com, 1
+cashewmanufacturers.com, 1
+cashflowstrategist.com, 0
+cashforcarremovalsipswich.com.au, 1
+cashfortulsahouses.com, 1
+cashjankari.com, 1
+cashline.tk, 1
+cashlink.de, 0
+cashlogic.ch, 0
+cashmanagerbg.com, 1
+cashmaxtexas.com, 1
+cashortrade.org, 1
+cashper.de, 1
+cashplk.com, 1
+cashregistry.tk, 1
+cashsector.ga, 1
+cashservices.com.au, 1
+cashwave.com, 1
+cashworks.ga, 1
+cashworks.tk, 1
+cashyourcar.sydney, 1
+casian.ir, 1
+casillasdecoria.tk, 1
+casino-apps.dk, 1
+casino-cash-flow.com.ru, 1
+casino-cash-flow.info, 1
+casino-cash-flow.pro, 1
+casino-cash-flow.ru, 1
+casino-cash-flow.su, 1
+casino-cashflow.ru, 1
+casino-hero.de, 0
+casino-online.info, 1
+casino-r.com, 1
+casino-spelletjes.com, 1
+casino-trio.com, 1
+casino-z-top.ru, 1
+casino.guide, 1
+casino.org, 1
+casinobonus360.de, 1
+casinobonuscodes365.com, 1
+casinobuyersguide.com, 1
+casinocashflow.ru, 1
+casinocashflow.su, 1
+casinochecking.com, 0
+casinocity.africa, 1
+casinocity.ag, 1
+casinocity.al, 1
+casinocity.am, 1
+casinocity.ar, 1
+casinocity.asia, 1
+casinocity.ax, 1
+casinocity.ba, 1
+casinocity.bg, 1
+casinocity.bi, 1
+casinocity.bj, 1
+casinocity.bz, 1
+casinocity.ci, 1
+casinocity.cl, 1
+casinocity.cm, 1
+casinocity.co, 1
+casinocity.co.at, 1
+casinocity.co.bw, 1
+casinocity.co.hu, 1
+casinocity.co.il, 1
+casinocity.co.im, 1
+casinocity.co.na, 1
+casinocity.co.nl, 1
+casinocity.co.tz, 1
+casinocity.com.au, 1
+casinocity.com.br, 1
+casinocity.com.by, 1
+casinocity.com.de, 1
+casinocity.com.gr, 1
+casinocity.com.jm, 1
+casinocity.com.ng, 1
+casinocity.com.ni, 1
+casinocity.com.pa, 1
+casinocity.com.pr, 1
+casinocity.com.ru, 1
+casinocity.com.tt, 1
+casinocity.com.ve, 1
+casinocity.cr, 1
+casinocity.cy, 1
+casinocity.cz, 1
+casinocity.dj, 1
+casinocity.do, 1
+casinocity.ee, 1
+casinocity.es, 1
+casinocity.eu, 1
+casinocity.fi, 1
+casinocity.fr, 1
+casinocity.gd, 1
+casinocity.ge, 1
+casinocity.gp, 1
+casinocity.gs, 1
+casinocity.gt, 1
+casinocity.gy, 1
+casinocity.hk, 1
+casinocity.hn, 1
+casinocity.hr, 1
+casinocity.ie, 1
+casinocity.im, 1
+casinocity.in, 1
+casinocity.it, 1
+casinocity.jp, 1
+casinocity.ke, 1
+casinocity.kr, 1
+casinocity.la, 1
+casinocity.lc, 1
+casinocity.li, 1
+casinocity.lk, 1
+casinocity.lt, 1
+casinocity.ltd.uk, 1
+casinocity.lu, 1
+casinocity.lv, 1
+casinocity.ma, 1
+casinocity.md, 1
+casinocity.me, 1
+casinocity.mk, 1
+casinocity.ms, 1
+casinocity.mt, 1
+casinocity.mu, 1
+casinocity.mw, 1
+casinocity.mx, 1
+casinocity.no, 1
+casinocity.nz, 1
+casinocity.ph, 1
+casinocity.pl, 1
+casinocity.pt, 1
+casinocity.re, 1
+casinocity.ro, 1
+casinocity.rs, 1
+casinocity.sb, 1
+casinocity.sc, 1
+casinocity.se, 1
+casinocity.sg, 1
+casinocity.si, 1
+casinocity.sk, 1
+casinocity.sl, 1
+casinocity.sn, 1
+casinocity.st, 1
+casinocity.sx, 1
+casinocity.tg, 1
+casinocity.tv, 1
+casinocity.ug, 1
+casinocity.uy, 1
+casinocity.vc, 1
+casinocity.vn, 1
+casinocity.vu, 1
+casinocity.web.za, 1
+casinocity.ws, 1
+casinocitytimes.com, 1
+casinocosmopol.se, 1
+casinocrit.com, 1
+casinofollower.com, 1
+casinoindex.io, 1
+casinoleader.com, 1
+casinolistings.com, 1
+casinologinaustralia.com, 1
+casinomucho.com, 1
+casinomucho.org, 1
+casinomucho.se, 1
+casinonieuws.nl, 1
+casinoonline39.com, 1
+casinoonlineprova.com, 1
+casinoportugal.pt, 1
+casinopromote.com, 1
+casinoreal.com, 1
+casinorewards.info, 1
+casinorobots.com, 1
+casinosanalyzer.com, 1
+casinosblockchain.io, 1
+casinoscout.ca, 1
+casinoscout.nl, 1
+casinoscryptos.com, 1
+casinoslotsww.com, 1
+casinosnederland.com, 1
+casinospesialisten.net, 1
+casinotokelau.tk, 1
+casinotop10.net, 1
+casinotopplistan.com, 1
+casinotopplisten.com, 1
+casinotopsonline.com, 1
+casinoua.club, 1
+casinovendors.com, 1
+casio-caisses-enregistreuses.fr, 1
+casio.bg, 0
+casitawn.cf, 1
+casjay.cloud, 0
+casjay.com, 0
+casjay.info, 0
+casjenprome.cz, 1
+casko-insurance.tk, 1
+casman.tk, 1
+casnoviatownshipmi.gov, 1
+caso.co.jp, 1
+casovi.cf, 1
+casperfect.com, 1
+casperpanel.com, 1
+caspi.org.il, 1
+caspianrentcar.com, 1
+caspicards.com, 1
+casscoroadmi.gov, 1
+casscountyia.gov, 1
+casscountyil.gov, 1
+casscountymn.gov, 1
+casscountyne.gov, 1
+cassembly.fr, 1
+cassia.gov, 1
+cassies.com.au, 1
+cassilandianoticias.com.br, 1
+cassimo.com, 0
+cassini.ro, 1
+casso.ml, 1
+casso.tk, 1
+cassvilletwpwi.gov, 1
+cassvillevlgwi.gov, 1
+cast-london.co.uk, 1
+castagnino.net, 1
+castagnola.tk, 1
+castagnonavocats.com, 1
+castalie.tk, 1
+castaneatownshippa.gov, 1
+castaneda.tk, 1
+castedart.com, 1
+castelflowers.it, 1
+castella.tk, 1
+castellet.tk, 1
+castelletto.tk, 1
+castelli-media.de, 1
+casteloinformatica.com.br, 1
+castelsardo.tk, 1
+casterleyrock.com, 1
+castglobal-china.biz, 1
+casthull.co.uk, 1
+castiana.xyz, 1
+castible.de, 1
+castiel.cf, 1
+castilla-comunera.tk, 1
+castillo.club, 1
+castillosohail.es, 1
+casting-vote.tk, 1
+castingallaitaliana.com, 1
+castingfrancais.com, 1
+castingnetworks.com, 1
+castings.tk, 1
+castit.biz, 1
+castlabs.com, 0
+castle-emarketing.com, 1
+castle-engine.io, 1
+castlebuilder.com, 1
+castlecapers.com.au, 1
+castlehack.ga, 1
+castlekingdomstockport.co.uk, 1
+castlekingkent.co.uk, 1
+castlemania.tk, 1
+castleoblivion.tk, 1
+castles-in-the-sky.co.uk, 1
+castleswa.com.au, 1
+castlevaniaspain.tk, 1
+castorio.tk, 1
+castrillodelavalduerna.tk, 1
+castrillodelavega.tk, 1
+castrillodevillavega.tk, 1
+castroverde.tk, 1
+castrovirreyna.tk, 1
+casualclubdating.ml, 1
+casualiswebs.com, 1
+casuallab.com, 1
+casuallyblue.xyz, 1
+casualtime.ga, 1
+casusgrillcaribbean.com, 1
+cat-encyclopedia.ml, 1
+cat-problems.ml, 1
+cat.casa, 1
+cat.fo, 1
+cat.ne, 1
+cat.net, 1
+cataclysmal.org, 1
+catalog-bookinist.tk, 1
+catalog-clothing.tk, 1
+catalog-lingerie.tk, 1
+catalog-lingeries.tk, 1
+catalog-serverov.ml, 1
+catalog-serverov.tk, 1
+catalog-underwear.tk, 1
+catalogador.ml, 1
+catalogcomputerhardware.tk, 1
+catalogingpro.com, 1
+catalogobiblioteca.com, 1
+catalogobiblioteca.net, 1
+catalogosvirtualesonline.com, 1
+catalogueau.com, 0
+catalojic.tk, 1
+catalonia.tk, 1
+catalyseurs-territoriaux.org, 1
+catalyst-ecommerce.com, 1
+catalystapp.co, 1
+catandmoonalchemy.com.au, 1
+cataniatoday.it, 1
+catanzarotoday.it, 1
+catapa.com, 1
+catapultgroup.ca, 1
+catarrhalfuns.tk, 1
+catartofsweden.se, 1
+catastrofy.tk, 1
+catatau.tk, 1
+catawiki.com, 1
+catawiki.de, 1
+catawiki.net, 1
+catawiki.nl, 1
+catb.on.ca, 1
+catbat.rocks, 1
+catbeautifulanimal.tk, 1
+catbold.space, 1
+catbop.com, 1
+catbox.moe, 1
+catbull.com, 1
+catcafe.gg, 1
+catcat.cc, 1
+catcatnya.com, 1
+catchall.tw, 1
+catchers.cc, 1
+catchhimandkeephim.com, 1
+catchief.com, 1
+catchteamca.gov, 1
+catchup-enschede.tk, 1
+catcontent.cloud, 1
+catcoxx.com, 1
+catech.au, 1
+catechese-ressources.com, 1
+catedraderechonotarial.es, 1
+catedraloscura.tk, 1
+catedralsantodomingo.org, 1
+catego.info, 1
+catenacondos.com, 1
+caterbing.com, 1
+catering-fantasia.tk, 1
+catering-xanadu.cz, 1
+catfish.gq, 1
+catfishworld.tk, 1
+catflap.org, 1
+catfood.cf, 1
+catfood.ga, 1
+catfoto.cf, 1
+catfun-foto.de, 1
+catgarden.tk, 1
+catgirl.center, 0
+catgirl.cloud, 1
+catharinalingeries.com.br, 1
+catharinaparkieten.tk, 1
+catharinaziekenhuis.nl, 1
+cathcartandwinn.com, 1
+cathcartconsulting.com.au, 1
+cathedralappointments.co.uk, 1
+cathedralofsatan.tk, 1
+cathelp.cf, 1
+cathelp.cn, 1
+cathelp.xyz, 1
+catherinejf.com, 1
+catherinesarasin.com, 1
+catherinesofpartick.co.uk, 0
+catholic8964.org, 1
+catholicjobs.com, 1
+catholicprayers.tk, 1
+catholicteuchtar.cf, 1
+catholicteuchtar.ga, 1
+catholicteuchtar.ml, 1
+cathosa.nl, 1
+cathosting.org, 1
+cathouse.me, 1
+cathrine.tk, 1
+cathy.best, 1
+cathy.guru, 1
+cathy.legal, 1
+cathy.lgbt, 1
+cathy.link, 1
+cathy.website, 1
+cathyfitzpatrick.com, 1
+cathyjf.ca, 1
+cathyjf.com, 1
+cathyjf.net, 1
+cathyjf.org, 1
+cathyjfitzpatrick.com, 1
+cathylean.tk, 1
+cathymcquaid.co.uk, 1
+catio.network, 1
+cativa.net, 1
+catl.st, 1
+catland.club, 1
+catlettsburgky.gov, 1
+catlicking.com, 1
+catlive.com, 1
+catlovingcare.com, 1
+catlowe.com, 1
+catmash.tk, 0
+catmatchers.org, 1
+catme.org, 1
+catmonad.xyz, 1
+catmoose.ca, 1
+catmoz.fr, 1
+catnetworks.co.jp, 1
+catnmeow.com, 1
+catnsofa.com, 1
+catphysics.com, 1
+catpic.xyz, 1
+catplay.tk, 1
+catprincess.com.tw, 1
+catprint.com, 1
+catram.org, 1
+catransportation.net, 1
+catrinasporelmundo.com, 1
+catrins-kunst.de, 1
+cats-dom.ru, 1
+catsarch.com, 1
+catscreativecakes.ga, 1
+catskillselfstorage.com, 1
+catsmagic.pp.ua, 1
+catsnow.com, 1
+catsofcapetown.com, 1
+catsoft.me, 1
+catstv.tk, 1
+cattellar.tk, 1
+cattery-mundilfari.tk, 1
+cattery.work, 1
+catterydelmoria.tk, 1
+catterydumagasin.tk, 1
+cattiau.com, 1
+cattleplay.gq, 1
+catto.win, 1
+cattsgym.co.uk, 1
+catu-bikes.se, 1
+catus.moe, 1
+catvibers.me, 1
+catvsmice.com, 1
+catwilliford.com, 1
+catylist.com, 1
+catz-productions.tk, 1
+caucasusandmercury.com, 1
+caucus.fr, 1
+caueteam.tk, 1
+caughtredhanded.co.nz, 1
+caulacbonuochoa.tk, 1
+caulfieldeastapartments.com.au, 1
+caulkingexperts.com, 1
+caulong-ao.net, 1
+caumont-normandie.fr, 0
+cauquenes.tk, 1
+cavac.at, 1
+cavalassur.com, 1
+cavaleirocity.com.br, 1
+cavaliernd.gov, 1
+cavallochiropractic.com, 1
+cavalryscout.com, 1
+cave-reynard.ch, 1
+cave-vet-specialists.co.uk, 1
+cavecreekaz.gov, 1
+cavediverharry.com, 1
+cavemax.com, 1
+caviarmultimedia.com, 1
+cavinesswealth.com, 1
+cavisson.com, 1
+cavistenancy.fr, 1
+cavzodiaco.com.br, 1
+caw.be, 1
+cawagiras.ga, 1
+caxaa.mx, 1
+caycehouse.com, 1
+caymart.com, 1
+cazadordebuenaonda.com, 1
+cazaviajes.es, 1
+cazes.info, 1
+cazfire.gov, 1
+cazinoz.ru, 1
+cazizi.com, 1
+cazoo-dev.co.uk, 1
+cazoo-dev.com, 1
+cazoo-test.co.uk, 1
+cazoo-test.com, 1
+cazoo.co.uk, 1
+cazoo.com, 1
+cb1388.com, 1
+cb1588.com, 1
+cb96net.ru, 1
+cba.gov.pl, 1
+cbaamaga.com, 1
+cbbio.fr, 1
+cbc-hire.co.uk, 1
+cbca.gov, 1
+cbcembalagens.com.br, 1
+cbcentelles.tk, 1
+cbcf.info, 1
+cbcnet.co.za, 1
+cbcnet.info, 1
+cbd-natural.de, 1
+cbd-world-online.com, 1
+cbd.supply, 1
+cbd181.com, 1
+cbd2050.com, 1
+cbdbflo.com, 1
+cbdcontact.eu, 1
+cbdcontact.pl, 1
+cbdd.eu.org, 1
+cbddo.gov.tr, 1
+cbdecoshop.lt, 1
+cbdev.de, 1
+cbdication.com, 1
+cbdlession.com, 1
+cbdoilcures.co, 1
+cbdtelegram.com, 1
+cbeal-fumeirodetrancoso.pt, 1
+cbeal.pt, 1
+cbecrft.net, 1
+cbet.lt, 1
+cbflleida.cat, 1
+cbh.org, 1
+cbhcfl.gov, 1
+cbhq.net, 1
+cbi-epa.gov, 1
+cbin168.com, 1
+cbintermountainrealty.com, 1
+cbk.kg, 1
+cbl.express, 1
+cbl.sk, 1
+cblocallocksmiths.co.uk, 1
+cbmc.store, 1
+cbmusa.com, 1
+cbnegocial.com.br, 1
+cboard.ml, 1
+cboard.net, 1
+cboost.nl, 1
+cboss.xyz, 1
+cbpay.com, 1
+cbplus.tn, 1
+cbpridecenter.org, 1
+cbr-rcb.ca, 1
+cbr-xml-daily.ru, 1
+cbrbuildingrepairs.com.au, 1
+cbrtrainer.com, 1
+cbs-engineering.com, 1
+cbs-engineering.it, 1
+cbs.nl, 1
+cbs3design.it, 1
+cbsr.ru, 1
+cbt.quest, 1
+cbt.tj, 1
+cbtest.de, 1
+cbw.sh, 1
+cbxp.in, 1
+cby.im, 0
+cc-customer.de, 1
+cc.ag, 1
+cc.hn, 1
+cc00228.com, 0
+cc5197.co, 1
+cc6729.co, 1
+cc6729.com, 0
+cc6957.co, 1
+cc8822.cc, 1
+cc8833.cc, 1
+cc9297.co, 1
+cc9728.co, 1
+cc98.eu.org, 1
+cca.com.br, 1
+cca.ky, 1
+ccaa.gg, 1
+ccaag.link, 1
+ccaag.me, 1
+ccaag.mx, 1
+ccaag.net, 1
+ccaag.us, 0
+ccac.gov, 1
+ccaguavivadonaciones.org, 1
+ccaj.io, 1
+ccak.training, 1
+ccarps.com, 1
+ccatpracticetest.com, 1
+ccatpracticetests.com, 1
+ccattestprep.com, 1
+ccautomobil.de, 1
+ccayearbook.com, 1
+ccb.gov, 1
+ccbin.tk, 1
+ccc-ch.ch, 1
+ccc-checker.cn, 1
+ccc-cloud.de, 1
+ccc-ffm.de, 1
+ccc.eu, 1
+ccc.gov, 1
+ccc.org, 1
+ccc.xxx, 1
+cccc.loan, 1
+cccleaner.tk, 1
+cccp-o.tk, 1
+cccpublishing.com, 1
+cccwien.at, 1
+ccdcoe.org, 0
+ccddos.club, 1
+ccdgaia.pt, 0
+ccdiscussion.com, 1
+ccdlab.ooo, 1
+ccdnederland.org, 1
+ccdohnj.gov, 1
+cceifame.com, 1
+ccelectricaldrafting.ca, 1
+cceputnam360.com, 1
+ccestaque.tk, 1
+ccgx.de, 1
+cchat.de, 1
+cchim.ca, 1
+cciiblog.tk, 1
+cciofficial.com, 1
+cck-law.com, 1
+ccl776o.tk, 0
+cclasabana.com.co, 1
+ccli.com, 1
+ccmg.com, 1
+ccnadesdecero.com, 1
+ccnbikes.com, 1
+ccnda.net, 1
+ccnda.org, 0
+ccnexus.global, 1
+ccnm.cc, 1
+ccoo.cat, 1
+ccorca.org, 1
+ccover.ru, 1
+ccpaas.net, 1
+ccparishwilmington.org, 1
+ccpdata.org, 1
+ccpe.net, 1
+ccpgmpo.gov, 1
+ccpinturas.com, 1
+ccpinvestments.com, 1
+ccplot.org, 1
+ccprwebsite.org, 1
+ccrun.tk, 1
+ccsaposs.com, 1
+ccshire.ga, 1
+ccsk.training, 1
+ccskills.org.uk, 1
+ccslt.org.nz, 1
+ccsrv.eu, 1
+ccsys.com, 1
+cctld.com, 1
+ccts-cprst.ca, 1
+cctv-camera.cf, 1
+cctv-supraveghere.ro, 1
+cctv-systems.tk, 1
+cctvlaw.ga, 1
+cctvsecurityjohannesburg.co.za, 1
+cctvview.info, 0
+ccu.plus, 1
+ccuanj.gov, 1
+ccv-deutschland.de, 0
+ccv.eu, 0
+ccv.nl, 0
+ccvr6smarthome.de, 1
+ccwallet.io, 1
+ccwebdevelopment.com, 1
+ccxperience.com, 1
+cd-shopware.de, 1
+cd-sport.com, 1
+cd.net.tr, 1
+cd.search.yahoo.com, 0
+cd89.com, 1
+cda-aigle.ch, 0
+cdaid.gov, 1
+cdaldeano.tk, 1
+cdasiaonline.com, 0
+cdasphalt.com, 1
+cdavis.xyz, 1
+cdawoerden.org, 1
+cdbp.pro, 1
+cdbtech.com, 1
+cdc-security.com, 1
+cdc.cx, 1
+cdc.gov, 1
+cdcflix.xyz, 1
+cdconnect.net, 1
+cdcpartners.gov, 1
+cdd.go.th, 0
+cdda.ch, 0
+cdeeply.com, 1
+cdf.fyi, 1
+cdf.wiki, 1
+cdfnature2019.fr, 1
+cdg30.fr, 1
+cdga.org, 1
+cdhb.health.nz, 1
+cdhome.ga, 1
+cdhqt.com, 1
+cdigitale.com, 1
+cdirectory.tk, 1
+cdkeyprices.com, 1
+cdkpatterns.com, 1
+cdkrot.me, 1
+cdlandb1.com, 1
+cdlaserena.tk, 1
+cdlinares.tk, 1
+cdm.guru, 1
+cdmdisinfestazioni.it, 1
+cdmhp.org.nz, 1
+cdmon.tech, 1
+cdn-reichelt.de, 1
+cdn.ampproject.org, 1
+cdn.ink, 1
+cdn.lk, 1
+cdn1.com.br, 1
+cdnaval.tk, 1
+cdncompanies.com, 1
+cdndepo.com, 1
+cdnjs.com, 1
+cdnpkg.com, 1
+cdnrecords.com, 1
+cdnsys.net, 1
+cdny.de, 1
+cdnya.com, 1
+cdo.gov, 1
+cdocs.ml, 1
+cdom.de, 1
+cdp-poznan.pl, 1
+cdpn.io, 1
+cdrom.ch, 1
+cds-infra.de, 1
+cds-inquirer.tk, 1
+cdscsuc.gq, 1
+cdseditora.com.br, 1
+cdsf.tk, 1
+cdsfinancial.ca, 1
+cdshining.com, 0
+cdsportal.uk, 1
+cdt.cz, 1
+cdt.org, 0
+cdusapps.eu.org, 1
+cduspages.eu.org, 1
+cdvl.org, 1
+ce-agentur.de, 0
+ce-design.eu, 1
+ce-na.ru, 1
+ce-tuifrance.com, 1
+ce-webdesign.de, 1
+cea.ru, 1
+ceafinney.com, 1
+ceannard.net, 1
+cearaagora.com.br, 1
+cearaleste.com.br, 1
+cearl.cc, 1
+ceatheneum.com, 1
+ceaunulbunicii.ro, 1
+ceba-cuec.ca, 1
+cebolinha-imaginaria.com, 1
+cebrita.tk, 1
+cec.org.es, 1
+cec.org.pt, 1
+cecalivo.tk, 1
+cecame.ch, 1
+cecamericas.com, 1
+cecilandlou.com, 1
+ceciledekock.tk, 1
+cecilga.gov, 1
+cecilia-online.nl, 1
+ceciliacolombara.com, 1
+cecilsheriffmd.gov, 1
+cecilstatesattorneymd.gov, 1
+cecilwalker.com.au, 1
+cecipu.gob.cl, 1
+ceco.cf, 1
+ced-services.nl, 1
+ceda-fi.tk, 1
+cedarcitydining.com, 1
+cedarcityut.gov, 1
+cedarcountyne.gov, 1
+cedarcoveassistedliving.com, 1
+cedarmanagementgroup.com, 1
+cedarrockalliance.com, 1
+cedric-garcia.tk, 1
+cedricbonhomme.org, 1
+cedriccassimo.ch, 0
+cedriccassimo.com, 0
+cedricpim.com, 1
+cedsp.fr, 1
+cee3.net, 1
+ceebee.com, 1
+ceecosmetic.com.br, 1
+ceefaastresources.com, 1
+ceenic.ltd, 1
+ceet.biz, 1
+ceetzie.net, 1
+ceew.in, 1
+cefaction.pt, 1
+cefi.work, 1
+cefonline.com, 1
+cegfw.com, 1
+ceiba.com.co, 1
+ceicer.eu, 1
+ceidf-vie-cooperative.fr, 1
+ceiexam.sg, 1
+ceifx.com, 1
+ceilimoss.tk, 1
+ceilingpac.org, 1
+ceinorme.it, 1
+ceiphr.com, 1
+cejgsd.org, 1
+cejhon.cz, 0
+cejky.cz, 1
+cekabajio.com, 1
+cekgacor.com, 1
+cekgacor.net, 1
+celadas.tk, 1
+celarsports.fr, 1
+celayix.com, 1
+celcelulares.com, 1
+celcomhomefibre.com.my, 1
+cele.bi, 1
+celebavirus.com, 1
+celebcritics.com, 1
+celebdaily.ga, 1
+celebi-forest.tk, 1
+celebjacket.com, 1
+celebjury.com, 1
+celebmasta.com, 1
+celebrasianconference.com, 1
+celebrate-creativity.com, 1
+celebratesportsnetwork.com, 1
+celebratingloveministry.com, 1
+celebratoday.com, 0
+celebraze.tk, 1
+celebrex.ga, 1
+celebrex100mg.cf, 1
+celebritiesblog.tk, 1
+celebritydailynews.ml, 1
+celebrityfakes.tk, 1
+celebrityguard.co, 1
+celebritynakeds.com, 1
+celebritypic.tk, 1
+celebritypics.club, 1
+celebrityscope.net, 1
+celebritysrit.tk, 1
+celebritytoob.com, 1
+celebritytopnews.tk, 1
+celebrityviralbug.com, 1
+celebxx.com, 1
+celectro-pro.com, 1
+celendo.ga, 1
+celeraindustries.tk, 1
+celesco.eu, 1
+celeste-energie.fr, 1
+celestia.tk, 1
+celestialdental.com, 1
+celestialenergies.com.au, 1
+celestialmusic.tk, 1
+celex-machinery.tk, 1
+celexa365.tk, 1
+celiac.com, 1
+celinaohiopd.gov, 1
+celine-patisserie.fr, 1
+celineitalia.tk, 1
+celinepsychotherapie.com, 1
+celinesrecipes.com, 1
+cell-wellbeing.com.br, 1
+cellboost.cf, 1
+cellebrite.com, 1
+cellecci.com, 1
+cellgames.com, 1
+celliberate.co.uk, 1
+cellmart.ru, 1
+cellnatsci.com, 1
+cellopasorobles.com, 1
+cellrg.org, 1
+cellsheet.me, 1
+cellsites.nz, 1
+celltek-server.de, 1
+celltick.com, 1
+celltraders.ga, 1
+cellufit.ga, 1
+cellul19.com, 1
+cellulare.tk, 1
+cellulit.tk, 1
+celluliteorangeskin.com, 1
+celluliteremovaldiet.com, 1
+cellulitetreatment.tk, 1
+cellypso.com, 1
+celseven.com, 1
+celsoazevedo.com, 1
+celtacad.tk, 1
+celti.ie.eu.org, 1
+celti.name, 1
+celticangel.org, 1
+celticconnections.com, 1
+celticdream.tk, 1
+celtigafutbolclub.com, 1
+celulares.com, 1
+celuliteonline.com, 1
+cemac.int, 1
+cemada.cz, 1
+cemarks.com, 1
+cemcerkez.com, 1
+cementplas.es, 0
+cementscience.com, 1
+cemetary.tk, 1
+ceml.ch, 1
+cemporcentocliente.com.br, 1
+cemregulveren.com, 1
+cenatorium.pl, 1
+cendata.co.uk, 1
+cendi.gov, 1
+cendis.cz, 1
+cennelley.com, 1
+cennelly.com, 1
+cennetfm.tk, 1
+cennetforum.tk, 1
+censamatil.net, 1
+censeo-financial.com, 1
+censored.ml, 1
+censurfridns.dk, 1
+censurfridns.nu, 1
+centariuss.ga, 1
+centella.tw, 1
+centenariodeuncampeon.tk, 1
+centenera.tk, 1
+centennialrewards.com, 1
+center-elite.ml, 1
+center-mts.ru, 1
+center-strategy.ru, 1
+centeragro.com.br, 1
+centerforamericangreatness.com, 1
+centerforcreativeconsciousness.com, 1
+centergate.se, 0
+centerhancockin.gov, 1
+centerharbornh.gov, 1
+centermk.ru, 1
+centeronhunger.org, 1
+centerpoint.ovh, 1
+centerpointwest.com, 1
+centerpointwestapartments.com, 1
+centervilleutah.gov, 1
+centio.bg, 1
+centipedegraphics.com, 1
+centolos.tk, 1
+centos.pub, 1
+centr.dn.ua, 1
+central-apartman.tk, 1
+central4.me, 1
+centralbank.ae, 1
+centralbank.ie, 0
+centralbetsers.ga, 1
+centralbetsest.ga, 1
+centralcityjuniorkindergarten.com, 1
+centralclinic.science, 1
+centralcoasthomeloans.com.au, 1
+centralconvergence.com, 1
+centralcountiesservices.org, 0
+centraldegovernanca.com.br, 1
+centraldeseguro.com.br, 1
+centraldoencanador.com.br, 1
+centrale-vapeur.pro, 1
+centralebigmat.eu, 1
+centralegedimat.eu, 1
+centralesnucleaires.fr, 1
+centralex.io, 1
+centralfor.me, 1
+centralhome.com, 1
+centralhq.tk, 1
+centralisgroup.com, 1
+centralitasbaratas.es, 1
+centralkladno.cz, 1
+centrallaketownshipmi.gov, 1
+centrallead.net, 1
+centrallondonaesthetics.co.uk, 0
+centralmarket.com, 1
+centralmissourifoundationrepair.com, 1
+centralnic.com, 1
+centralnicregistry.com, 1
+centralpaellera.com, 1
+centralpinesnc.gov, 1
+centralsite.tk, 1
+centralsoft.tk, 1
+centralspyers.ga, 1
+centralstatecu.org, 1
+centralstor.ga, 1
+centraltime.com, 1
+centraltoken.io, 1
+centralvalleyharness.org, 1
+centralvoice.org, 1
+centrationgame.com, 1
+centre-commercial.fr, 1
+centre-equestre.net, 1
+centre-maiakovski.fr, 1
+centreagree.com, 1
+centreal.gov, 1
+centrecountyvotes.gov, 1
+centreimageriedunord.com, 1
+centremanagement.eu, 1
+centrenationaldulivre.fr, 1
+centrepointorguk-dev.azurewebsites.net, 1
+centrepresseaveyron.fr, 1
+centretownshipin.gov, 1
+centricagency.co.uk, 1
+centricient.com, 1
+centrmebeli.by, 0
+centroavant.com, 1
+centroculturalostuncalco.tk, 1
+centrodavida.com.br, 1
+centrodeeportesbarco.tk, 1
+centrodefisioterapia.com.br, 1
+centrodemediacionconcepcion.cl, 1
+centrodememoriahistorica.gov.co, 1
+centrodemioma.com.br, 1
+centroecuestrecastellar.com, 1
+centrofotostudija.lt, 1
+centrokiri.cl, 1
+centrolavoro.org, 1
+centromedico.tk, 1
+centromotion.com, 1
+centropagina.it, 1
+centros.ml, 1
+centros.tk, 1
+centrosocialferrel.pt, 1
+centrselstroy.ru, 1
+centrum-bz.it, 1
+centrum-edukacji.tk, 1
+centrum.church, 1
+centrumgarten.de, 1
+centrumhodinek.cz, 1
+centrumkulturyslowianskiej.pl, 1
+centrumpieknairelaksu.pl, 1
+centrumpodpora.pl, 1
+centruvechisv.ro, 1
+centsay.info, 1
+centsay.io, 0
+centsay.net, 1
+centsay.org, 1
+centsi.io, 1
+centsiwallet.com, 1
+centura.de, 1
+centuria.co.nz, 1
+centuria.com.au, 1
+centurialeonina.com, 1
+centurion-consulting-cie.eu, 1
+centurion-consulting.eu, 1
+centurion-consulting.net, 1
+centurion-consulting.tech, 1
+centurion-it.site, 1
+centurion-meet.site, 1
+centurion.ovh, 1
+centurioninfosec.com, 0
+centurionlaboratories.com.ua, 1
+centurionunderground.com, 1
+century-properties.com, 1
+century21.es, 1
+century21.pt, 1
+centuryfighters.tk, 1
+centuryforum.tk, 1
+centurykiaparts.com, 1
+centurylink.cf, 1
+centurystudios.com, 1
+ceo-consulting.eu, 1
+ceomonthlyest.ga, 1
+ceopedia.org, 1
+cephalexin.ga, 1
+cephalexincapsules.ml, 1
+cephalexincapsules.tk, 1
+cephalexine.gq, 1
+cepheid.com, 0
+cephx.com, 1
+cepmarket.com.tr, 0
+ceprenomnexistepas.ovh, 1
+cepsychologie.com, 1
+cepxuo.tk, 1
+ceramahit.ru, 1
+ceramic-glazes.com, 1
+ceramica.roma.it, 1
+ceramiche.roma.it, 1
+ceramicoatingspecialists.com, 1
+cerammind.com, 1
+ceranity.au, 1
+cerastar.com, 1
+cerber.re, 1
+cerberusecurity.com, 1
+cerberusftp.com, 1
+cerbos.cloud, 1
+cerbottana.duckdns.org, 1
+cercanos.co, 1
+cerchio.com, 1
+cercidiana.pt, 0
+cercle-duclos.fr, 1
+cercle-helvetia.ch, 0
+cercrid.fr, 1
+cerda-avocats.com, 1
+cerebelo.info, 1
+cerebrosano.gov, 1
+cerecup.com, 0
+ceredowv.gov, 1
+ceremonial-magic.com, 1
+ceremonialcastings.tk, 1
+ceremonialvirtualphd.com, 1
+ceremonybydesign.com.au, 1
+cerena-silver.ru, 0
+ceres-corp.org, 1
+cerezacomunicacion.com, 1
+cerfid.com.pe, 1
+cerivo.co.uk, 1
+cermak.photos, 1
+cernac.cz, 1
+cernakova.eu, 1
+cernalistina.eu, 1
+cernko.de, 1
+cerok.cl, 1
+ceroresiduo.com, 0
+cerovica.tk, 1
+cerpus-course.com, 1
+cerquitamio.com, 1
+cerrajeriaamericadelquindio.com, 1
+cerrajeriaenvillavicencio.com, 1
+cerritosca.gov, 1
+cerstve-korenie.sk, 1
+cerstvekorenie.sk, 1
+cert.ee, 0
+cert.govt.nz, 1
+cert.je, 1
+cert.or.id, 1
+cert.se, 1
+certain.com, 0
+certainbiz-news.tk, 1
+certaintelligence.com, 1
+certaireland.ie, 1
+certasenergy.co.uk, 1
+certbus.com, 1
+certcenter.com, 0
+certevia.com, 1
+certfa.com, 1
+certfica4u.com, 1
+certidao-nascimento-pt.org, 1
+certidaonc.com.br, 1
+certificadodigitalpari.com.br, 1
+certificados.edu.do, 1
+certificatedetails.com, 1
+certificateoflogistics.ga, 1
+certificateofpurchasing.ga, 1
+certificatespending.com, 1
+certificatetools.com, 0
+certificationacademy.com, 1
+certificationmap.com, 1
+certificato-prevenzione-incendi.it, 1
+certificazione.it, 1
+certificazioni-energetiche.it, 0
+certified-parts.com, 1
+certifiedbb.com, 1
+certifiedfieldassociate.com, 1
+certifiedmerchandiseest.ga, 1
+certifiednurses.org, 1
+certifix.eu, 1
+certifycrm.com, 1
+certifylogin.com, 1
+certiquali.fr, 1
+certivac.ch, 1
+certly.co, 1
+certnazionale.it, 1
+certo-escrow.com, 1
+certprep.fr, 0
+certpro.uk, 1
+certready.tk, 1
+certreg.eu, 1
+certsign.fr, 1
+certspotter.com, 1
+certspotter.org, 1
+certum.cn, 1
+certum.shop, 1
+certusquartz.com, 1
+certyhukil.ga, 1
+cervejista.com, 1
+cervek.me, 1
+cervellomorto.tk, 1
+cerveny.ch, 1
+cervenyjezek.eu, 1
+cervera.com.br, 1
+ces-ltd.co.uk, 0
+cesar-hector.tk, 1
+cesarecirugiaplastica.com, 1
+cesarfotos.com.br, 1
+cesarparedespacora.com, 1
+cesarpinto.com, 1
+cesarteixeiraimoveis.com.br, 1
+cesboard.com, 1
+cesc.shop, 1
+cescfortuny.tk, 1
+cesclam.org, 1
+cesdb.com, 1
+cesenatoday.it, 1
+cesibo.com, 1
+cesipagano.com, 1
+cesium.ml, 1
+cesjo.pl, 1
+ceska-polygraficka.cz, 1
+ceska-polygraficka.eu, 1
+ceskaexpedice.org, 1
+ceskasit.cz, 1
+ceskepivnesety.sk, 1
+ceskepivnisety.cz, 1
+cesobaly.cz, 1
+cesonia.io, 1
+cespedes.fr, 1
+cesservices.net, 1
+cestasdepresente.com.br, 1
+cestasedelicias.com.br, 1
+cestaswmonline.com.br, 1
+cestlaviegeorgia.com, 1
+cestpasviolent.com, 1
+cestujnamiru.cz, 1
+cestujtenamiru.cz, 1
+cestunamiru.cz, 1
+cesurteknikservis.com, 1
+cesusc.edu.br, 1
+cetak.com.my, 1
+cetamol.com, 1
+cetelon.tk, 1
+ceti.ga, 1
+cetong.se, 1
+cetorebe.tk, 1
+ceu.edu, 0
+ceu.edu.ph, 1
+ceuniverse.com, 1
+ceva-dsp.com, 1
+cevaplari.net, 1
+ceverett.io, 0
+cevin.at, 1
+cevo.com.hr, 1
+cevpu.com, 1
+cevrimicidiyet.com, 1
+cevt.ar, 1
+cewek.ml, 1
+cewood.xyz, 1
+cexplorer.io, 1
+ceyizlikelisleri.com, 1
+ceylondigital.co.uk, 1
+ceylontea.org, 1
+cezdent.com, 1
+cf-connect.nl, 1
+cf-ide.de, 1
+cf-tm.net, 1
+cf.nl.eu.org, 1
+cf11.de, 0
+cfa.gov, 1
+cfaimpact.com, 1
+cfan.space, 1
+cfar.org, 1
+cfasync.ga, 1
+cfbenchmarks.com, 1
+cfc-swc.gc.ca, 1
+cfcbigideas.com, 1
+cfchiropractic.com, 1
+cfcpestcontrol.com, 1
+cfcproperties.com, 1
+cfda.gov, 1
+cfdata.lol, 1
+cfdcre5.org, 1
+cfdtrading.com, 1
+cfenns.ath.cx, 1
+cfent.xyz, 1
+cfgllc.us, 1
+cfh.com, 1
+cfigura.com, 1
+cflblaw.com, 1
+cfnibelize.com, 1
+cfnmpics.com, 1
+cfno.org, 0
+cfo.gov, 1
+cfotech.asia, 1
+cfotech.co.nz, 1
+cfotech.com.au, 1
+cfpa-formation.fr, 1
+cfpa.gov, 1
+cfpb.gov, 1
+cfr-culturism.tk, 1
+cfrench.cc, 1
+cfse.biz, 1
+cfsh.tk, 1
+cfsrportal.org, 1
+cfst.eu.org, 1
+cftc.gov, 1
+cftcarouge.com, 0
+cfurl.cf, 1
+cfxdesign.com, 1
+cg-consult.fr, 1
+cg-design.tk, 1
+cg-n.fr, 1
+cg.al, 1
+cg.search.yahoo.com, 0
+cgal.org, 1
+cgan.de, 1
+cgan.pw, 1
+cgarchives.com, 1
+cgbassurances.ch, 0
+cgbf.org, 1
+cgbh3.gq, 1
+cgbproduction.tk, 1
+cgbunch.com, 1
+cgconsulting.digital, 1
+cgdct.moe, 1
+cgdquizzes.com, 1
+cgelves.com, 1
+cges.xyz, 1
+cgestiona.com, 1
+cgha.us, 1
+cgilfirenze.it, 1
+cgionline.tk, 1
+cgiq.ca, 1
+cgise.com, 1
+cgknieuwpoort.nl, 1
+cglib.xyz, 1
+cgmbacklot.com, 1
+cgminc.net, 1
+cgmllc.net, 1
+cgmote.com, 1
+cgo-it.de, 1
+cgp.moe, 1
+cgpa-de.org, 1
+cgpcollective.com, 1
+cgplumbing.com, 1
+cgpn.fr, 1
+cgps.ch, 1
+cgsmart.com, 1
+cgsmotors.com, 1
+cgstprayagraj.gov.in, 1
+cgt-univ-nantes.fr, 1
+cgtcaixabank.es, 1
+cgtips.org, 1
+cgtsoft.com, 1
+cgtv.ml, 1
+cgtx.us, 1
+cgu-ingenieria.tk, 1
+cgunited.com, 1
+ch-ariege-couserans.fr, 1
+ch-axlesthermes.fr, 1
+ch-investor.tk, 1
+ch-laborit.fr, 1
+ch-poitiers.fr, 1
+ch-stjunien.fr, 1
+ch.bzh, 1
+ch.search.yahoo.com, 0
+ch225.com, 1
+ch341.com, 1
+ch47f.com, 1
+ch4bb.org, 1
+cha-ta.com, 1
+chaacantik.tk, 1
+chaacker.tk, 1
+chaanddavid.ca, 1
+chabliscadillac.com, 1
+chaboisseau.net, 1
+chacoonline.com.py, 1
+chacraexperimental.com.py, 1
+chad-online.tk, 1
+chad.ch, 1
+chadis.com, 1
+chadlenz.ca, 1
+chadpugsley.com, 1
+chadslive.com, 1
+chadstoneapartments.com.au, 1
+chadtaljaardt.com, 1
+chagahq.com, 0
+chaghi.tk, 1
+chaghionline.tk, 1
+chagrindads.com, 1
+chahal.blog, 1
+chaidu.com, 1
+chaifeng.com, 1
+chaikaclub.tk, 1
+chaikinanalytics.com, 1
+chain-reaction.org.au, 1
+chainataun.ru, 1
+chainedunion.info, 1
+chainels.com, 0
+chainex.io, 1
+chainge-re.com, 1
+chaingpt.org, 1
+chainlinkfencestlouis.com, 1
+chainmail.cc, 1
+chainwhy.com, 0
+chainz.tk, 1
+chaip.org, 1
+chairtech-yellowpages.ga, 1
+chaisystems.net, 1
+chaitanyapandit.com, 1
+chaizhikang.com, 1
+chakanaherb.be, 1
+chalanbiltv.net, 1
+chaldal.com, 1
+chalet-gerard.com, 1
+chalet-maubuisson.tk, 1
+chaletapartmentrentals.com, 1
+chaletdemontagne.org, 1
+chaletmanager.com, 1
+chaletpierrot.ch, 0
+chaletsusi.it, 1
+chaletverzekeringen.nl, 1
+challenge-magazine.org, 1
+challenge.gov, 1
+challengerinvestors.tk, 1
+challenges.gov, 1
+challengeskins.com, 1
+chalons-agglo.fr, 1
+chalonsenchampagne.fr, 1
+chalov.ml, 1
+chamartin.tk, 1
+chamath.co.uk, 1
+chamath.eu, 1
+chamath.ie, 1
+chamath.link, 1
+chamath.lk, 1
+chamath.no, 1
+chamath.uk, 1
+chamathinfotech.com, 1
+chamathj.com, 1
+chambas.com.mx, 1
+chamber.sa, 1
+chamberlinfoundation.org, 1
+chamberscountytx.gov, 1
+chameleon-ents.co.uk, 1
+chameleon.io, 1
+chameth.com, 1
+chamicro.com, 1
+chaminadeonline.org, 1
+chamonixcamera.cn, 1
+champagne-guilleminot.fr, 1
+champagneandcoconuts.com, 1
+champagneandcoffeestains.com, 0
+champaigncountyclerkil.gov, 1
+champaigncountyil.gov, 1
+champdogs.co.uk, 1
+champdogs.com, 1
+championbet.ug, 1
+championcastles.ie, 1
+championnat-romand-cuisiniers-amateurs.ch, 1
+champions.co, 1
+championsofpowerfulliving.com, 0
+championsofregnum.com, 1
+championweb.co.nz, 0
+championweb.com, 0
+championweb.com.au, 0
+championweb.com.sg, 0
+championweb.nz, 0
+championweb.sg, 0
+champsglobal.org, 1
+champslearning.co.uk, 1
+champw.com, 1
+chamsocdidong.com, 1
+chamsocial.com, 1
+chamudi.lk, 1
+chamudi.net, 1
+chamurliyski.com, 1
+chanakyanewz.com, 1
+chanchi.idv.hk, 1
+chanddriving.co.uk, 1
+chanderson.com.au, 1
+chandlerazpd.gov, 1
+chandlersales.ca, 1
+chandr1000.ga, 1
+chandracenter.com, 1
+chandradeepdey.com, 1
+chandramani.tk, 1
+change10000lives.com.ph, 1
+changeactivation.com, 1
+changeanalytics.us, 1
+changecopyright.ru, 1
+changeforfuture.cf, 1
+changemywifipassword.com, 1
+changenow.io, 1
+changeplan.co, 1
+changesfor.life, 1
+changethislater.com, 1
+changetowellness.com, 1
+changeupinc.com, 1
+changing-cities.org, 1
+chanhassenmn.gov, 1
+chankin.tk, 1
+channalinflatables.com, 1
+channel, 1
+channel-7.net, 1
+channelingranny.com, 1
+channelist.tk, 1
+channellife.asia, 1
+channellife.co.nz, 1
+channellife.com.au, 1
+channelpro.es, 1
+channingmotorsport.tk, 1
+chantage.tk, 1
+chantellbeauty.co.uk, 1
+chantuong.org, 1
+chanz.com, 1
+chaos-darmstadt.de, 1
+chaos-wg.net, 1
+chaos.run, 1
+chaos.stream, 1
+chaoschemnitz.de, 1
+chaoscommunication.camp, 1
+chaoscycle.tk, 1
+chaosdorf.de, 1
+chaosfield.at, 1
+chaosme.su, 1
+chaospott.de, 1
+chaosprocess.com, 1
+chaoticevil.tk, 1
+chaoticgamers.net, 1
+chaotichive.com, 1
+chaoticlab.io, 1
+chaoticonline.tk, 1
+chaouby.com, 0
+chaowan.cf, 1
+chaoxi.io, 1
+chaoxi.link, 1
+chaoyansuo.com, 1
+chaparral.com.au, 1
+chapek9.com, 1
+chapel.tk, 1
+chapelaria.tf, 1
+chapelfordbouncers.co.uk, 1
+chapelhillobgyn.com, 1
+chapelhousevet.co.uk, 1
+chapelle.co.uk, 1
+chapellerie-traclet.com, 1
+chapiteauxduleman.fr, 1
+chapleau.ca, 1
+chapmanstreeservice.com, 1
+chapnews.id, 1
+chapstick.life, 1
+chaqueteros.tk, 1
+char.press, 1
+character-count.com, 1
+charbonnel.eu, 1
+charcoal-se.org, 1
+charcoalvenice.com, 1
+chardik.tk, 1
+charge.ga, 1
+charge.gq, 1
+chargebacks911.com, 1
+chargeover.com, 1
+chargifi.com, 1
+chargify.com, 1
+chariots.tk, 1
+charisma.ai, 1
+charismadesign.ie, 1
+charisse.id, 1
+charity.cz, 1
+chariz.com, 1
+charl.eu, 1
+charlageneral.tk, 1
+charleliphile.tk, 1
+charlenevondell.com, 1
+charleroi-duty-free.com, 1
+charles-darwin.com, 1
+charles-migaud.fr, 1
+charlesbordet.com, 1
+charlesbwise.com, 1
+charlescwcooke.com, 1
+charlesdickens.tk, 1
+charlesmarsan.com, 1
+charlesperkinsacademy.com.au, 1
+charlesrogers.co.uk, 1
+charlestonfacialplastic.com, 1
+charlestonpersonalinjurylawyer.com, 1
+charlestonsecuritysystems.net, 1
+charlevoixtownship.gov, 1
+charley.tk, 1
+charlie-liveshow.com, 0
+charlie.im, 1
+charlie2alpha.org, 1
+charlie4change.com, 1
+charlieblog.tk, 1
+charliedillon.com, 1
+charliegarrod.com, 1
+charlieharbourtattoos.tk, 1
+charliehr.com, 1
+charliejonas.co.uk, 1
+charliejonas.com, 1
+charlientoi.fr, 1
+charlierogers.co.uk, 1
+charlierogers.com, 1
+charliescomputerservice.com, 1
+charliez0.cf, 1
+charliez0.ga, 1
+charliez0.gq, 1
+charliez0.ml, 1
+charliez0.tk, 1
+charliez0sp.cf, 1
+charliez0sp.ga, 1
+charliez0sp.gq, 1
+charliez0sp.ml, 1
+charliez0sp.tk, 1
+charlotte-touati.ch, 1
+charlotteanne.tk, 1
+charlottecountyva.gov, 1
+charlottejulienne.com, 1
+charlottemi.gov, 1
+charlottesvillegolfcommunities.com, 1
+charlottesvillehorsefarms.com, 1
+charlotteswimmingpoolbuilder.com, 1
+charlubermensch.com, 1
+charlws.com, 1
+charlylou.de, 1
+charmander.me, 1
+charmanterelefant.at, 0
+charmcitytech.com, 1
+charming-powers.tk, 1
+charmingarsehole.tk, 1
+charmingsaul.com, 1
+charmpets.ru, 1
+charnego.tk, 1
+charon.tk, 1
+charonsecurity.com, 1
+charpy.cc, 1
+charqawi.tk, 1
+charset.org, 1
+chartafzar.com, 1
+chartbox.tk, 1
+charteredsurveyorinlondon.co.uk, 1
+charteroak.org, 1
+charthop.com, 1
+chartkick.com, 1
+chartlands.org, 1
+chartmogul.com, 1
+chartpixel.com, 1
+chartsy.de, 1
+charuga.com.au, 1
+charuni.ru, 1
+charuru.moe, 1
+chasalin.nl, 1
+chascrazycreations.com, 1
+chase.co.nz, 1
+chaseandzoey.de, 1
+chasecorp.com, 1
+chasecountyne.gov, 1
+chasetrails.co.uk, 1
+chaskafire.gov, 1
+chaskamn.gov, 1
+chaskapolice.gov, 1
+chasoslov.tk, 1
+chasse-au-tresor.eu, 1
+chasse-maree.com, 1
+chasseurdetruites.com, 1
+chastitybelts.tk, 1
+chat-buddy.com, 1
+chat-cam.tk, 1
+chat-edu.org.uk, 1
+chat-libera.com, 1
+chat-porc.eu, 1
+chat.cz, 1
+chat2.cf, 1
+chat36.ga, 1
+chat40.net, 1
+chat4me.tk, 1
+chataberan.cz, 1
+chatacademies.org.uk, 1
+chatagoralskalipowa.pl, 1
+chataynazz.ga, 1
+chatbarran.tk, 1
+chatbelgie.eu, 1
+chatbizsol.com, 1
+chatbo.de, 1
+chatbot.one, 1
+chatbotclic.com, 1
+chatbotclick.com, 1
+chatbots.email, 1
+chatbots.systems, 1
+chatcentral.tk, 1
+chatcontrol.se, 1
+chatcuck.com, 1
+chatdoguaxinim.tk, 1
+chatdrop.org, 1
+chateau-belvoir.com, 1
+chateau-de-fresnois.com, 1
+chateau-de-fresnois.fr, 1
+chateau-dela-salle.fr, 1
+chateau-patris.com, 1
+chateaudelachaize.fr, 1
+chateauderoncourt.fr, 1
+chateaudestrainchamps.com, 0
+chateaulabrede.com, 1
+chateaulacordeliere.fr, 1
+chatedit.org.uk, 1
+chatelaine.com, 1
+chateroids.com, 1
+chatforskning.no, 1
+chatfreespeech.com, 1
+chatgayitalia.it, 1
+chatgen.ai, 1
+chatgptv.net, 1
+chatgptwith.me, 1
+chatgratis40.it, 1
+chatgtd.net, 1
+chathamcountync.gov, 1
+chathamil.gov, 1
+chathund.de, 1
+chatify.com, 1
+chatinsieme.it, 1
+chatkisskiss.tk, 1
+chatkitty.com, 1
+chatline.cf, 1
+chatline.ga, 1
+chatline.ml, 1
+chatlol.org, 1
+chatloupe.org, 1
+chatmaus.ml, 1
+chatnaweb.cz, 1
+chatnederland.eu, 1
+chatomg.com, 1
+chatons.org, 1
+chatopia.tk, 1
+chatounerie.com, 1
+chatovod.tk, 1
+chatphp.com, 1
+chatplanet.com, 1
+chatpoint.tk, 1
+chatreplay.stream, 1
+chatroomfans.tk, 1
+chatshort.com, 1
+chatsupport.co, 1
+chatsworthil.gov, 1
+chattahoocheefl.gov, 1
+chattergallery.com, 1
+chatteron.io, 1
+chatticketsers.ga, 1
+chattogether.tk, 1
+chattomania.it, 1
+chatu.io, 1
+chatu.me, 1
+chatucomputers.com, 1
+chatup.cf, 1
+chaturbate.com, 1
+chaturbate.eu, 1
+chaturbate.global, 1
+chaturbates.org, 1
+chaturfier.com, 1
+chatvizor.tk, 1
+chatweb.online, 1
+chatzimanolis.com, 0
+chatzimanolis.gr, 1
+chaudierecogeneration.com, 1
+chauffage-budget.fr, 1
+chauffeurandbeyond.com, 1
+chaumiere.ddns.net, 0
+chaurocks.com, 1
+chaussenot.net, 1
+chaussurerunning.fr, 1
+chautauquacountyks.gov, 1
+chaveirogrimaldi.com, 1
+chaverde.org, 1
+chazalet.fr, 0
+chbs.me, 1
+chcblog.tk, 1
+chcemradost.sk, 1
+chch.it, 1
+chcheaptech.nz, 1
+chcisezeptat.cz, 1
+chckr.co, 1
+chcoc.gov, 1
+chcuscojungle.com, 1
+chda.fr, 1
+chdauk.co.uk, 1
+chdg.gq, 1
+chdg.tk, 1
+chdgaming.xyz, 1
+cheap-airtickets.ru, 1
+cheap-colleges.com, 1
+cheap-mattresses.co.uk, 1
+cheapacyclovir.ml, 1
+cheapairfarefrom.com, 1
+cheapairfaresdeals.com, 1
+cheapairfaresticket.com, 1
+cheapairlinesuk.com, 1
+cheapairplaneticket.biz, 1
+cheapalarmparts.com.au, 0
+cheapandbesthosting.com, 1
+cheapautoinsuranceblog.com, 1
+cheapbloggingers.ga, 1
+cheapchiaplotting.com, 1
+cheapessay.net, 1
+cheapestdirectdebit.co.uk, 1
+cheapestgamecards.com, 1
+cheapestwaytofly.com, 1
+cheapexpenseers.ga, 1
+cheapexpenseest.ga, 1
+cheapfareto.com, 1
+cheapflightatlanta.com, 1
+cheapflightla.com, 1
+cheapflightmexico.com, 1
+cheapflightsengland.com, 1
+cheapflightsticketstoindia.com, 1
+cheapflightsunitedstates.com, 1
+cheapgeekts.com, 0
+cheapiesystems.com, 1
+cheapinternationalair.com, 1
+cheaplasix.tk, 1
+cheaplookers.ga, 1
+cheaplookest.ga, 1
+cheapmessengersers.ga, 1
+cheapmessengersest.cf, 1
+cheapmessengersest.ga, 1
+cheapmixesers.ga, 1
+cheapnolvadex.ml, 1
+cheapsmall.tk, 1
+cheapspecialistsers.ga, 1
+cheapspecialistsest.ga, 1
+cheapsshop.tk, 1
+cheapsslsecurity.com, 1
+cheapsslsecurity.com.au, 1
+cheapsslsecurity.com.ph, 1
+cheapsyrupers.ga, 1
+cheaptadalafil.tk, 1
+cheapticket.in, 1
+cheapticketsfrom.com, 1
+cheaptucsoners.ga, 1
+cheaptucsonest.ga, 1
+cheapvaltrex.ml, 1
+cheapwarrantsers.ga, 1
+cheapwebcallsers.ga, 1
+cheapwebcallsest.ga, 1
+cheapwipesest.ga, 1
+cheapwritinghelp.com, 1
+cheapwritingservice.com, 1
+cheat-files.ml, 1
+cheatengine.ml, 1
+cheatengine.pro, 1
+cheaterbios.ga, 1
+cheatersanonymousers.ga, 1
+cheathamcountyclerk.gov, 1
+cheathax.com, 1
+cheatmasters.tk, 1
+cheatomania.tk, 1
+cheatraiders.tk, 1
+cheats.is, 1
+cheatsupreme.com, 1
+cheazey.co, 1
+cheazey.net, 1
+cheazey.org, 1
+chebotarevkk.tk, 1
+chebwebb.com, 1
+checalaweb.com, 1
+chechencity.tk, 1
+check-redirect.com, 1
+check.gd, 1
+check.torproject.org, 0
+checkandreportlive.com, 1
+checkblau.de, 1
+checkbot.ml, 1
+checkccnumber.tk, 1
+checkchina.org, 1
+checkda.be, 1
+checkdithuis.nl, 1
+checkecert.nl, 1
+checkercab.tk, 1
+checkfreescore.com, 1
+checkfresh.com, 1
+checkiday.com, 1
+checkissuing.com, 1
+checkjehuis.be, 1
+checkjehuis.gent, 1
+checkjelinkje.nl, 1
+checklistbuilder.herokuapp.com, 1
+checklytics.com, 1
+checkmack.cf, 1
+checkmack.ga, 1
+checkmack.gq, 1
+checkmarket.com, 1
+checkmarx.com, 1
+checkme.gq, 1
+checkme.ml, 1
+checkmedia.org, 1
+checkmin.cf, 1
+checkmk.com, 1
+checkmyhttps.net, 1
+checkmypsoriasis.com, 1
+checknetworks.com.au, 1
+checkngo.com, 0
+checkout.google.com, 1
+checkr.com, 0
+checkra.in, 1
+checkras.tk, 1
+checkrente.nl, 1
+checkreview.in, 1
+checkrz.com, 1
+checkspf.net, 1
+checktls.nl, 0
+checktype.com, 1
+checkui.com, 1
+checkurinsurance.com, 1
+checkusernames.com, 1
+checkyourmath.com, 1
+checkyourprivilege.org, 1
+checkyourreps.org, 1
+checookies.com, 1
+cheddarpayments.com, 1
+cheekboss.com, 1
+cheekycharliessoftplay.co.uk, 1
+cheela.org, 1
+cheem.co.uk, 1
+cheems.rip, 1
+cheers.bio, 1
+cheese-storeroom.tk, 1
+cheeseemergency.co.uk, 1
+cheesefusion.com, 1
+cheeseginie.com, 1
+cheeth.am, 1
+cheetham.me.uk, 1
+cheetham.social, 1
+cheez.systems, 1
+cheezflix.uk, 1
+chefaa.com, 1
+chefcuisto.com, 1
+chefdehome.com, 1
+chefdondari.com, 1
+chefforaday.it, 1
+chefkoch.de, 1
+cheflindseyfarr.com, 1
+chefnardulli.com, 1
+chefpablito.tk, 1
+chefscraftgourmet.com, 0
+chefshooba.com, 1
+chefsuccess.com, 1
+cheftasy.com, 1
+cheguevaraclub.tk, 1
+chehalemgroup.com, 1
+cheholchik.tk, 1
+cheibegaudi.ch, 1
+cheiloplasty.tk, 1
+chekaonline.com, 1
+chekhov.gq, 1
+chel.ga, 1
+cheladmin.ru, 1
+chelema.xyz, 1
+chellame.fr, 1
+chellescourt.tk, 1
+chelmsz.ml, 1
+chelpogoda.tk, 1
+chelsea98.com, 1
+chelseafs.co.uk, 1
+chelseagroton.com, 1
+chelseahgaul.com, 1
+chelseaok.gov, 1
+cheltenhambouncycastles.co.uk, 1
+cheltenhampa.gov, 1
+cheltik.ru, 1
+chelyaba.tk, 1
+chema.ga, 1
+chemapool.bg, 1
+chemaxon.com, 1
+chemgenes.com, 1
+chemical-shark.de, 1
+chemicalcrux.org, 1
+chemicalguys-ruhrpott.de, 1
+chemicalpharm.com, 1
+chemicalromance.tk, 1
+chemie-schule.de, 0
+cheminsderando.fr, 0
+chemiphys.com, 0
+chemistry-schools.com, 1
+chemolak.pl, 1
+chenangocountyny.gov, 1
+chenapartment.com, 1
+chenbo.tk, 1
+chendhurcollections.com, 1
+chendhurcollections.in, 1
+chenequawi.gov, 1
+cheneypartners.com, 1
+cheng.pet, 1
+chengfayun.com, 1
+chenghao360.top, 1
+chengl.com, 1
+chengmach.com, 1
+chengren.cf, 1
+chengren.ml, 1
+chengta-money.com.tw, 1
+chengxindong.com, 1
+chengyutrading.com, 1
+chenky.com, 1
+chenna.me, 1
+chennai.nic.in, 1
+chennaimetrorail.org, 1
+chennaiskills.cf, 1
+chennien.com, 1
+chennuo.xyz, 1
+chenpei.org, 1
+chenqiang.com, 1
+chentianyi.cn, 1
+chenui.design, 1
+chenx221.cyou, 0
+chenx221.ml, 1
+chenx221.xyz, 1
+chenx2210.xyz, 1
+chenyin.work, 1
+chenzhi.idv.hk, 1
+chenzhipeng.com.cn, 1
+cheque-transitionactive.fr, 1
+chequeo.de, 1
+chequeraccounting.com.au, 1
+cheratocono.tk, 1
+cherbourg.website, 1
+cherevoiture.com, 0
+cherhenri.com, 1
+cherie-belle.com, 1
+cherie-eyelash.com, 1
+cherienoir.net, 1
+cheriny.com, 1
+cherkasskiy.ml, 1
+cherkassy.ml, 1
+cherkes.tk, 1
+cherkess.tk, 1
+chernikova.tk, 1
+chernogoriya.tk, 1
+chernyak.id.au, 1
+cherokee.net.br, 1
+cherokeecountyga.gov, 1
+cherrett.digital, 0
+cherry-green.ch, 1
+cherry-handmade.ml, 1
+cherryband.space, 1
+cherrybread.net, 1
+cherrycountyne.gov, 1
+cherrycredits.com, 1
+cherrycreeknorth.com, 1
+cherryjimbo.sucks, 1
+cherryonit.com, 0
+cherryq.com.my, 1
+cherubicsoft.com, 1
+cheryforum.net, 1
+cheryls.com, 1
+cheryltweedy.tk, 1
+cherysunzhang.com, 1
+chesapeakecluttercontrol.com, 1
+chesapeakeopticallab.com, 1
+chesapeakewv.gov, 1
+chescommessa.it, 1
+cheshirex.com, 0
+chess.katowice.pl, 1
+chesslovin.com, 1
+chessmatesny.com, 1
+chesspoint.ch, 1
+chessresult.ru, 1
+chesstempo.com, 1
+chessustron.pl, 1
+chessveterinary.co.uk, 1
+chesswiki.org, 1
+chesterbennington.tk, 1
+chestercountypediatrics.com, 1
+chestercountysc.gov, 1
+chesterfieldmayfair.com, 1
+chesterultimatefrisbee.tk, 1
+chestnut.cf, 1
+chetin-orlov.ga, 1
+cheto.io, 1
+chetori.tk, 1
+chetu.com, 1
+chetwood.se, 1
+cheviron.org, 1
+chevius.tk, 1
+chevroletitalia.com, 1
+chevychaseviewmd.gov, 1
+chewey.de, 1
+chewey.org, 1
+chewinggumremovalchicago.com, 1
+cheyannism.tk, 1
+chez-gaillard.fr, 1
+chez-janine.de, 1
+chez-merlin.com, 1
+chez-oim.org, 1
+chezbernard.tk, 1
+cheztitine.tk, 1
+chfr.search.yahoo.com, 0
+chg.codes, 1
+chhlayban.tk, 1
+chhory.com, 1
+chhy.at, 1
+chialab.eu, 1
+chialab.info, 1
+chialab.io, 1
+chialab.it, 1
+chialab.net, 1
+chialab.srl, 1
+chiamami.online, 1
+chiamatehot.com, 1
+chiangdao.com, 1
+chiangli.ml, 1
+chiangmaimontessori.com, 1
+chianti2002.jp, 1
+chiapasfutbol.com, 1
+chiara.net.au, 1
+chiaraiuola.com, 0
+chiasang.tk, 1
+chiaseek.com, 1
+chiavistello.it, 1
+chiba-shika.jp, 1
+chiboard.co, 1
+chiboost.net, 1
+chibr.eu, 1
+chic-leather.com, 1
+chicago-mold.com, 1
+chicagobasementblog.com, 1
+chicagobreastaugdrs.com, 1
+chicagoconcretecleaning.com, 1
+chicagoemergencyclosings.com, 1
+chicagoillinois.gq, 1
+chicagopowercleaning.com, 1
+chicagopowerwashing.net, 1
+chicagopowerwashingservices.com, 1
+chicagopressurewashing.net, 1
+chicagopressurewashingservices.com, 1
+chicagoprivatejets.com, 1
+chicagostudentactivists.org, 1
+chicaman.tk, 1
+chicas.tk, 1
+chicasgo.ga, 1
+chicasloca.com, 1
+chichi-cats.com, 1
+chichijane.com, 1
+chichoverboard.online, 1
+chicinttim.gq, 1
+chicjrajeevalochana.com, 1
+chick-goo-ewe-farm.com, 1
+chickencentral.tk, 1
+chickencoop.ml, 1
+chickenfarms.tk, 1
+chickensaladchick.com, 1
+chicki.tk, 1
+chickteam.tk, 1
+chicofc.tk, 1
+chicorec.gov, 1
+chicospanico.tk, 1
+chicurrichi.com, 1
+chief.tools, 1
+chieffamilyofficer.info, 1
+chiefworks.com, 1
+chielonline.tk, 1
+chiemgauflirt.de, 1
+chienluoc.tk, 1
+chiesanuova.nl, 1
+chietitoday.it, 1
+chifeng.com.tw, 1
+chiffer.nu, 1
+chiffrer.info, 1
+chifumi.net, 1
+chihuahuaalinstante.com, 1
+chijb.cc, 1
+chikahaku1001vr.jp, 1
+chikakei.com, 1
+chikan-beacon.net, 1
+chikenweb.jp, 1
+chiki.tk, 1
+chikory.com, 1
+chilapaweb.tk, 1
+chilbert.co, 1
+child-theater-bs.co.il, 1
+childcare.gov, 1
+childcarealgoma.ca, 1
+childcaremanagementcompany.ga, 1
+childcaresolutionscny.org, 1
+childchaos.cf, 1
+childchaos.ga, 1
+childchaos.ml, 1
+childchaos.tk, 1
+childcounseling.org, 1
+childish.wtf, 1
+childno.de, 1
+children-toys.tk, 1
+children1st.jp, 1
+childrenandmedia.org.au, 1
+childrenfirstalways.org, 1
+childreninadversity.gov, 1
+childrenoftheshadow.org, 1
+childrens-museum.org, 1
+childrens-room.com, 1
+childrensdentalranch.com, 1
+childrensentertainmentleicester.co.uk, 1
+childrensfurniture.co.uk, 1
+childrensheartfoundation.org, 1
+childrensmentalhealthcampaign.org, 1
+childrensrecipes.tk, 1
+childstats.gov, 1
+childswear.tk, 1
+childtaxcredit.gov, 1
+childwelfare.gov, 1
+chile.tk, 1
+chileprevencion.cl, 1
+chiletrenes.tk, 1
+chilhowieva.gov, 1
+chili.ml, 1
+chilian.de, 1
+chilihosting.eu, 1
+chilikin.pro, 1
+chilimathwords.com, 1
+chilio.net, 1
+chilipy.ga, 1
+chilis.com, 1
+chill-house.ga, 1
+chill.bet, 1
+chillcicada.com, 1
+chillebever.nl, 1
+chillhop.com, 1
+chillipadi.tk, 1
+chilliwackchurchofgod.com, 1
+chillpay.co, 1
+chillplanet.nl, 1
+chillybin.co, 1
+chillybin.com.sg, 1
+chiloesinpuente.tk, 1
+chiltanfm88.tk, 1
+chilternfarming.com, 1
+chiltonwi.gov, 1
+chimaeraconsulting.eu, 1
+chimaira.tk, 1
+chimcanhcut.tk, 1
+chime.com, 1
+chimebank.com, 1
+chimera.sh, 1
+chimeratool.com, 1
+chimerity.com, 1
+chimm.cc, 1
+chimneytec.se, 1
+chimpanzee.cf, 1
+chimpanzee.net, 1
+chimpmatic.com, 1
+china-midas.net, 1
+china-online-news.tk, 1
+chinabank.ph, 1
+chinabelt.com, 1
+chinablows.com, 1
+chinacbd.com, 1
+chinacdn.org, 1
+chinacheers.com, 1
+chinaclone.com, 1
+chinadiy.com, 1
+chinadream404.com, 1
+chinadrilling.com, 1
+chinafree.online, 1
+chinafree.site, 1
+chinaglobalsecurities.cn, 1
+chinahd.com, 1
+chinahealthcareblog.cf, 1
+chinahitech.com, 1
+chinaicpower.org, 0
+chinaindexfund.cn, 1
+chinajingkun.com, 1
+chinalike.com, 1
+chinalosers.com, 1
+chinamediaproject.org, 1
+chinaneed.com, 1
+chinanurse.com, 1
+chinaoptionsfund.cn, 1
+chinaoptionsfund.com, 1
+chinaprices.com, 1
+chinaprofit.com, 1
+chinapsych.com, 1
+chinaqueue.com, 1
+chinasay.com, 1
+chinasearch.tk, 1
+chinaspa.com, 1
+chinastory.tk, 1
+chinasucksass.com, 1
+chinati.org, 1
+chinava.com, 1
+chinavegan.com, 1
+chinawatchinstitute.org, 1
+chinawhale.com, 1
+chinawicker.com, 1
+chinchillas.tk, 1
+chinees.restaurant, 1
+chinefrancophonie.fr, 1
+chinen-hs41.com, 1
+chinese-fuhui.com, 1
+chinese-fxcm.com, 1
+chinese.sc, 1
+chinesebrides.ml, 1
+chinesedishes.tk, 1
+chinesefu.com, 1
+chinesepen.org, 1
+chinesephones.tk, 1
+chineseplease.moe, 1
+chinfolk.tk, 1
+ching.tv, 1
+chiniiki.com, 1
+chinohills.gov, 1
+chinookmt.gov, 1
+chinookwebdesign.ca, 1
+chinovalleyaz.gov, 1
+chinplugins.com, 1
+chinplugins.net, 1
+chinplugins.xyz, 1
+chintaparthi.tk, 1
+chintaparthihome.tk, 1
+chinteni.com, 1
+chinwag.im, 1
+chip.icu, 1
+chipdig.com, 1
+chipollinko.com.ua, 1
+chippewa.com, 1
+chippewacountywi.gov, 1
+chippy.ch, 0
+chiprender.com, 1
+chips-scheduler.de, 1
+chips.gov, 1
+chipset.no, 1
+chipsfuck.fish, 1
+chiquian.tk, 1
+chirality.de, 1
+chiralsoftware.com, 1
+chireiden.me, 1
+chiriri.top, 1
+chirkunov.tk, 1
+chiro-doctor.com, 1
+chiro-merksplas.tk, 1
+chiro.org, 1
+chiroharbalorifa.tk, 1
+chiroherne.tk, 1
+chirointellect.com, 0
+chirojap.tk, 1
+chirolokalenfonteintjekoersel.be, 1
+chiromeisjes-boxberg.tk, 1
+chiron.care, 0
+chiropractic.gr, 1
+chiropracticwpb.com, 0
+chiropractorlongmontgpa.com, 1
+chiropraktik-riemann.de, 1
+chiropraktik-wildner.de, 0
+chirotestelt.tk, 1
+chirototem.tk, 1
+chirowij.tk, 1
+chirpset.com, 1
+chiru.no, 1
+chirurgoplastico.roma.it, 1
+chisagocountymn.gov, 1
+chiselgems.com, 1
+chispita.tk, 1
+chistesdesebas.tk, 1
+chistim.info, 1
+chit.search.yahoo.com, 0
+chita.cf, 1
+chita.tk, 1
+chitaem.tk, 1
+chitashop.ml, 1
+chitchok.com, 1
+chitinfo.tk, 1
+chitlar.ml, 1
+chitraltune.tk, 1
+chittagongtextile.tk, 1
+chiucainlaw.co.nz, 1
+chiusa-klausen.com, 1
+chiva-ariege.fr, 1
+chizouworld.tk, 1
+chizra.com, 1
+chk-ccs.com, 1
+chkmkt.com, 1
+chkserv.com, 0
+chksite.com, 1
+chl.la, 1
+chliine.ch, 1
+chlo-products.biz, 1
+chlo-products.net, 1
+chloehorler.com, 1
+chloes.gr, 1
+chloescastles.co.uk, 1
+chloeting.com, 1
+chlopes.com, 1
+chlorca.es, 1
+chlth.com, 1
+chmfin.com, 1
+chmielarz.it, 1
+chmsoft.com.ua, 1
+chmsoft.ru, 1
+chmurakotori.ml, 1
+chndrb.in, 1
+chngold.com, 1
+chnj.gov, 1
+chnlib.com, 1
+chobble.com, 1
+chobitool.com, 1
+choccychox.com, 1
+chochos.tk, 1
+choco-championship.jp, 1
+choco.run, 1
+chocoband.cf, 1
+chocodecor.com.br, 1
+chocolat-lp2.com, 1
+chocolat-suisse.ch, 0
+chocolat.work, 1
+chocolate-express.co.uk, 1
+chocolate.wiki, 1
+chocolatesandhealth.com, 1
+chocolateslim.gq, 1
+chocolatesonline.com, 1
+chocolatier-tristan.ch, 0
+chocolatier.co.uk, 0
+chocolatos.tk, 1
+chocolay.gov, 1
+chocolytech.info, 1
+chocope-peru.tk, 1
+chocudan.tk, 1
+chodaczek.pl, 1
+choe.fi, 1
+choesfirm.tk, 1
+chofan.tk, 1
+choice-design.com.tw, 1
+choiceautoloan.com, 1
+choiceuniontown.org, 1
+choirofbeirut.cf, 1
+choisirmoneau.blog, 1
+chokladfantasi.net, 1
+cholleria.es, 1
+chollima.pro, 1
+chollospain.cf, 1
+choloforo.tk, 1
+chonghe.org, 1
+chonglang.cfd, 1
+chongming.tk, 1
+chongthamsika.tk, 1
+chongwukong.com, 1
+choochooworld.com, 0
+choootto.net, 1
+choosealicense.com, 1
+choosemypc.net, 1
+chooserealleather.cn, 1
+choosetech.com.br, 1
+choosevalley.co.uk, 1
+chooseyourdesinty.tk, 1
+chopnotch.com, 1
+chopper-parts.ru, 1
+chopperdesign.com, 1
+chopperforums.com, 1
+chopradionet.tk, 1
+chordify.net, 1
+chordmag.com, 1
+chordpage.com, 1
+choreographytogo.com, 1
+chorkley.co.uk, 1
+chorkley.com, 1
+chorkley.me, 1
+chorkley.uk, 1
+chorleycaninesolutions.co.uk, 1
+chornobyl.tk, 1
+chorpinkpoemps.de, 1
+choruru.jp, 1
+choruscall.com, 1
+chorverband-region-kocher.de, 1
+chosenofstarclan.com, 1
+chosenos.tk, 1
+chosenplaintext.org, 1
+choservices.com, 1
+chosting.dk, 1
+chou-chinois.com, 1
+chouchouweb.com, 1
+chovancova.sk, 1
+chowchowugo.com, 1
+chowtime.chat, 1
+choylifut.tk, 1
+choyri.com, 1
+chpa.org, 1
+chpwmedicare.org, 1
+chr0me.sh, 1
+chrawrizard.org, 1
+chrestos.de, 1
+chrg-server.de, 1
+chris-edwards.net, 1
+chris-siedler.at, 1
+chris.land, 1
+chrisahrweileryoga.com, 1
+chrisaitch.com, 1
+chrisandian.com, 1
+chrisb.me, 0
+chrisb.xyz, 0
+chrisbrockdiving.com, 1
+chrisbrowntherapies.co.uk, 1
+chrisbryant.me.uk, 1
+chrisburnell.com, 1
+chriscarey.com, 1
+chriscelkins.com, 1
+chriscutts.uk, 1
+chrisdasie.com, 1
+chriseldon.com, 1
+chrisfinazzo.com, 0
+chrisgieger.com, 1
+chrisirwin.ca, 1
+chrisjean.com, 1
+chriskthomas.com, 1
+chrislane.com, 1
+chrislauderback.com, 1
+chrislauderback.net, 1
+chrislauderback.org, 1
+chrisliebaer.de, 1
+chrisluen.com, 1
+chrismax89.com, 1
+chrismcclendon.com, 1
+chrismckee.co.uk, 1
+chrismiller.xyz, 1
+chrismorgan.info, 1
+chrismurray.co.uk, 1
+chrismurrayfilm.com, 1
+chrisnekarda.com, 1
+chrisogedengbe.org, 1
+chrispaul.ml, 1
+chrispontius.tk, 1
+chrisrude.com, 1
+chrisshort.me, 1
+chrisshort.net, 1
+chrisspencercreative.com, 1
+chrisspencermusic.com, 1
+chrissx.de, 1
+chrissx.eu, 1
+chrissx.ga, 1
+chrissytechaira.tk, 1
+christ.cm, 1
+christadelphians.eu, 1
+christcostum.tk, 1
+christec.net, 1
+christengroei.tk, 1
+christensenplace.us, 1
+christerwaren.com, 1
+christerwaren.fi, 1
+christiaanconover.com, 1
+christian-folini.ch, 1
+christian-gredig.de, 1
+christian-laubender.de, 1
+christian-liebel.com, 1
+christian-oette.de, 1
+christian-stadelmann.de, 1
+christianadventurecamps.org, 1
+christianaknudsen.com, 1
+christianbecker.name, 1
+christianblog.ml, 1
+christianbro.gq, 1
+christianbsl.com, 1
+christianchat.ml, 1
+christiancleva.com, 1
+christiancoleman.info, 1
+christianconcepts.cf, 1
+christianconcepts.ga, 1
+christianconcepts.gq, 1
+christiancountyil.gov, 1
+christiandiorsneakers.shop, 1
+christiandiscourse.net, 1
+christianfilms.net, 1
+christiangaro.com, 1
+christiangaro.email, 1
+christiangaro.info, 1
+christiangaro.me, 1
+christiangaro.us, 1
+christiangehring.org, 1
+christianhaugen.tk, 1
+christianhoffmann.info, 0
+christianimweb.tk, 1
+christianitas.ga, 1
+christianitas.gq, 1
+christianitas.tk, 1
+christianjens.com, 1
+christianjoachim.de, 1
+christianleedunn.tk, 1
+christianliebel.com, 1
+christianlis.org.uk, 1
+christianlis.uk, 1
+christianmoore.me, 1
+christianmorales.tk, 1
+christianoliff.com, 1
+christianotero.co, 1
+christianplumbingservices.com, 1
+christianr.me, 1
+christianrasch.de, 1
+christianreimold.de, 1
+christiansayswords.com, 1
+christiansburgva.gov, 1
+christiansciencevancouverwa.org, 1
+christiansrit.tk, 1
+christianwenz.de, 1
+christianwitts.tech, 1
+christiehawkes.com, 1
+christinabjoern-nilsson.dk, 1
+christinacrawford.cf, 1
+christinacrawford.ga, 1
+christinacrawford.gq, 1
+christinacrawford.ml, 1
+christinarosenvinge.tk, 1
+christinasattler.com, 1
+christine-kraemer.de, 0
+christineandcie.fr, 1
+christineblachford.com, 1
+christinecloma.com, 1
+christineglaeser.de, 1
+christineprayon.de, 1
+christmasinelmhurst.org, 1
+christmasloansvet.com, 1
+christmaspages.tk, 1
+christmaspartyhire.co.uk, 1
+christmasrecipe.tk, 1
+christo.ga, 1
+christoph.media, 1
+christophbartschat.com, 1
+christophe-dubois.tk, 1
+christophebarbezat.ch, 1
+christophedavid.tk, 1
+christopher-simon.de, 0
+christopher-wright.com, 1
+christopher-zentgraf.de, 1
+christopher.sh, 0
+christopherbillo.com, 1
+christopherburg.com, 1
+christophercolumbusfoundation.gov, 1
+christopherd.me, 1
+christophergowerjohnson.com, 1
+christopherjferguson.com, 1
+christopherkardas.me, 1
+christopherkennelly.com, 1
+christopherpritchard.co.uk, 1
+christopherterryweddings.co.uk, 1
+christophertruncer.com, 1
+christopherzoukis.com, 1
+christophfink.com, 1
+christophheich.me, 1
+christophkranebitter.at, 1
+christophkreileder.com, 1
+christophsackl.de, 1
+christreformedchurchdfw.org, 1
+christthegoodshepherd.org, 1
+christthekingparish.net, 1
+christtheredeemer.us, 1
+christtheshepherdvineland.org, 1
+christwaycounseling.com, 1
+christysstampingspot.com, 1
+chrisupjohn.xyz, 1
+chrisvannooten.tk, 1
+chriswald.com, 1
+chriswarbo.tk, 1
+chriswarrick.com, 1
+chriswbarry.com, 0
+chriswells.io, 1
+chriswiggin.cf, 1
+chriswiggin.ga, 1
+chriswiggin.gq, 1
+chriswiggin.ml, 1
+chriswilding.co.uk, 1
+chriswservers.com, 1
+chrisx.xyz, 1
+chriszarb.tk, 1
+chrixonline.tk, 1
+chromaitaly.com, 1
+chromamastering.com, 1
+chromaphile.tk, 1
+chromarea.fr, 1
+chromaryu.net, 0
+chromcraft-revington.com, 1
+chrome, 1
+chrome-devtools-frontend.appspot.com, 1
+chrome-stats.com, 1
+chrome.com, 1
+chrome.google.com, 1
+chrome.pt, 1
+chromebookchart.com, 1
+chromebookcompare.com, 1
+chromebooksforwork.com, 1
+chromereporting-pa.googleapis.com, 1
+chromestatus.com, 1
+chromiumbugs.appspot.com, 1
+chromiumcodereview.appspot.com, 1
+chromopho.be, 1
+chronic101.xyz, 1
+chronicals.de, 1
+chronicbuilt.com, 1
+chronicled.tk, 1
+chronicles.tk, 1
+chroniclesofgeorge.com, 1
+chronik-kramsach.at, 1
+chronoc.de, 1
+chronocarpe.com, 1
+chronocolis.ml, 1
+chronodelivery.com, 1
+chronology.no, 1
+chronometre-en-ligne.com, 1
+chronoshop.cz, 1
+chronotech.fr, 1
+chronusgov.com, 1
+chrony.tk, 1
+chroot.co.uk, 1
+chrpaul.de, 0
+chrsmtc.com, 1
+chrstn.eu, 1
+chrstngr.cm, 1
+chrt-tcdp.gc.ca, 1
+chrudim-city.cz, 1
+chrxw.com, 1
+chrysanthos.net, 1
+chryslerbuilding.tk, 1
+chrystajewelry.com, 1
+chrystofer.com, 0
+chrystus.pl, 1
+chsamuel.net, 1
+chsh.moe, 0
+chshealthcare.co.uk, 1
+chshouyu.com, 1
+chsmedical.com, 1
+chsterz.de, 1
+chstrategies.com.au, 1
+chsvotes.gov, 1
+chtj.uk, 1
+chtodelat.ga, 1
+chtsi.uk, 1
+chtyvo.tk, 1
+chuangyi.com, 1
+chuanxinlian.com, 1
+chubbygirlpics.com, 1
+chubr.cf, 1
+chubuhokenservice.com, 1
+chuckame.fr, 1
+chuckecheese.com, 1
+chuckval.tk, 1
+chudnov.tk, 1
+chuhe.xyz, 1
+chukardin.tk, 1
+chukcha.ru, 1
+chukotka.ml, 1
+chukou.cf, 1
+chukou.ga, 1
+chukou.gq, 1
+chukou.ml, 1
+chukou.tk, 1
+chukwunyere-chambers.org, 1
+chulinkuei.org.tw, 1
+chun.pro, 1
+chunabhatti.tk, 1
+chundelac.com, 1
+chunga.tk, 1
+chungachyan.ga, 1
+chunghwamc.com, 1
+chungnguyenblog.tk, 1
+chungsir.com.pa, 1
+chunk.science, 1
+chunkeat.cyou, 1
+chunkeat.me, 1
+chunkeat.ml, 1
+chuongle.com, 1
+chupacabra-drift.pl, 1
+chupadelfrasco.com, 1
+chupanhcotrang.com, 1
+chuppa.com.au, 1
+chur-arosa-bahn.de, 1
+chur-arosa-bahn.nl, 1
+churakov.tk, 1
+church360.co.ke, 1
+churchaid.ml, 1
+churchforeveryone.info, 1
+churchforum.tk, 1
+churchhouse.io, 1
+churchill.co.za, 1
+churchillcountynv.gov, 1
+churchlinkpro.com, 1
+churchlw.tk, 1
+churchm.ag, 1
+churchofchrist.tk, 1
+churchofcyprus.org.cy, 1
+churchofsaintbenedict.com, 1
+churchofsmyrna.com, 1
+churchofsmyrna.org, 1
+churchplaza.com, 1
+churchssja.org, 1
+churchsuite.com, 1
+churchthemes.com, 1
+churchwebcanada.ca, 1
+churchwebsupport.com, 1
+churnfree.com, 1
+churrascariacampogrande.com.br, 1
+chuskocity.tk, 1
+chuspace.com, 1
+chutingstar.com, 1
+chutisant.tk, 1
+chutoriaru.com, 1
+chuvash-republic.tk, 1
+chuvash.tk, 1
+chuvashia.tk, 1
+chuvashiya.tk, 1
+chuyentien247.com.vn, 1
+chwempower.com, 1
+chwilrank.pl, 1
+chytraauta.cz, 1
+chytris.cf, 1
+chytris.cz, 1
+chziq.com, 1
+ci-fo.org, 1
+ci-suite.com, 1
+ci.com.br, 1
+cia-gaming.de, 1
+cia-landlords.co.uk, 1
+cia.gov, 1
+ciaagentedu.org, 1
+ciadocultivo.com.br, 1
+ciagutek.pl, 1
+ciahalim.tk, 1
+ciai.cf, 1
+ciai.ga, 1
+ciai.gq, 1
+ciai.ml, 1
+ciai.tk, 1
+cialde.it, 1
+cialis-trial.gq, 1
+cialisfreetrial.ga, 1
+cialismarketim.net, 1
+cialismarketing.net, 1
+cialisonlinee.com, 0
+cialisusapills.com, 1
+cialisvtr.com, 1
+cialisworld.net, 1
+cialisworld.org, 1
+ciallo.work, 1
+cianmawhinney.me, 1
+cianmawhinney.xyz, 1
+ciao.ro, 1
+ciaracode.com, 1
+ciaran.tk, 1
+ciasa.se, 1
+ciasademunt.com, 0
+ciat.no, 0
+cibcclearygull.com, 1
+cibdol.com, 1
+cibdol.nl, 1
+cibercat.tk, 1
+cibercheck.com, 1
+cibernicola.es, 1
+cible-recrutement.ma, 1
+cibopdx.com, 0
+cica.es, 1
+cicavkleci.cz, 1
+ciceksohbet.com, 1
+ciceron.cloud, 1
+cicerony.gov, 1
+ciceronypd.gov, 1
+cicery.com, 1
+cichol.com, 1
+ciclimattio.com, 1
+ciclismoyrendimiento.com, 1
+ciclista.roma.it, 1
+ciclodekrebs.com, 1
+ciclodelcarbono.com, 1
+ciclohidrologico.com, 1
+ciclopico.it, 1
+cidcca.com, 1
+cideaassociation.com, 1
+cidersus.com.ec, 1
+cidgomes.com.br, 1
+cidikit.tk, 1
+cidones.tk, 1
+cie-theatre-montfaucon.ch, 0
+ciekawi.com, 1
+ciekwestronki.cf, 1
+ciekwestronki.ga, 1
+ciekwestronki.gq, 1
+ciekwestronki.ml, 1
+ciel.coffee, 1
+ciel.luxe, 1
+ciel.pro, 1
+ciel.si, 1
+ciele.com, 1
+cielo-thefilm.com, 1
+cienciasempresariais.pt, 1
+cienegaspa.com, 1
+cierreperimetral.com, 1
+cifop-numerique.fr, 1
+ciftkabincikmaparca.com.tr, 1
+ciftkabinyedekparca.com.tr, 1
+ciftlikesintisi.com, 1
+cigar-cartel.com, 1
+cigarafterten.com, 1
+cigarette-electronique.tk, 1
+cigarettes-electronik.fr, 1
+cigarren-colleg.de, 1
+cigarterminal.com, 0
+cigdelivery.com, 1
+cign.nl, 1
+cigniti.com, 1
+cignium.com, 1
+cigotracker.com, 1
+cigrowthhack.com, 0
+cihanmedya.ga, 1
+cihar.com, 1
+cihr-irsc.gc.ca, 1
+cihucm.com, 1
+ciicutini.ro, 1
+cilacapnews.ml, 1
+cile.cf, 1
+cile.tk, 1
+cilipa.com, 1
+cilkamail.cloud, 1
+cilkanet.cloud, 1
+cilt.tk, 1
+ciltskillnet.ie, 0
+cim.se, 1
+cima-alfa.com, 1
+cima-idf.fr, 1
+cimaroom.com, 1
+cimbalino.org, 1
+cimballa.com, 1
+cimfax.com, 1
+cimice.it, 1
+cimtools.net, 1
+cin.net.au, 1
+cinafilm.com, 1
+cinay.pw, 1
+cinccapital.com, 1
+cincinnati.gov, 1
+cincinnaticasinonight.com, 1
+cincinnatijapanesechurch.com, 1
+cincosf.com, 1
+cincy.gov, 1
+cincydeckandpatio.com, 1
+cindey.io, 1
+cindy.cn, 1
+cine-music.de, 1
+cine-passion16.fr, 1
+cine.to, 1
+cinecat.de, 1
+cinedarkwolf.tk, 1
+cinefilia.tk, 1
+cineforge.com, 1
+cinefun.net, 1
+cinegore.tk, 1
+cinejoia.tv, 1
+cinelandia.tk, 1
+cinema-rulem.tk, 1
+cinemaclub.co, 1
+cinemadoma.tk, 1
+cinemafrix.cf, 1
+cinemaperto.tk, 1
+cinemarxism.com, 1
+cinemaschool.by, 1
+cinemasetfree.com, 1
+cinematherapy.org, 1
+cinematic.asia, 1
+cinematriz.cl, 1
+cinemaz.to, 1
+cinemaza.tk, 1
+cinemotion.by, 1
+cinemysticism.com, 1
+cinenote.link, 1
+cineping.com, 1
+cineplex.my, 1
+cineramen.gr, 1
+cinet.jp, 1
+cineterror.tk, 1
+cineworld.co.in, 1
+cinexilio.tk, 1
+cinicloud.com, 1
+cinicostudio.com, 1
+cinicsystems.tk, 1
+ciniticket.com, 1
+ciniticket.in, 1
+cink.hu, 1
+cinkciarz.pl, 1
+cinn.ml, 1
+cinnagar.tk, 1
+cinnamon.bot, 1
+cinnamon.gq, 1
+cinnamonsnail.com, 1
+cinnamonspiceandeverythingnice.com, 1
+cinq-elements.com, 0
+cinq-elements.net, 1
+cinquecentoclubholland.tk, 1
+cinqueportsvets.co.uk, 1
+cins.rs, 1
+cinsels.com, 1
+cinshine.nl, 1
+cint.com, 1
+cintactimber.com, 1
+cintamanilingerie.co.uk, 1
+cintapersonalizada.es, 1
+cintaraso.es, 1
+cinteo.com, 1
+cinthia.tk, 1
+cio-spirit.de, 1
+cio.gov, 1
+ciochina.com, 1
+cionir.fr, 1
+cioscloud.com, 1
+cioudways.pro, 1
+cioxhealth.com, 1
+cip.md, 1
+cipa.com.co, 0
+cipartyhire.co.uk, 1
+cipf.ca, 0
+ciph.zone, 1
+cipher.team, 1
+cipherboy.com, 1
+cipherli.st, 0
+ciphermail.com, 1
+ciphersuite.info, 1
+ciphertech.com.tw, 1
+ciplerli.st, 1
+cippus.tk, 1
+cipri.com, 1
+cipri.net, 1
+cipri.nl, 1
+cipri.org, 1
+cipria.no, 1
+ciproantibiotic.gq, 1
+ciprofloxacin.cf, 1
+ciprofloxacin.ga, 1
+ciprogeneric.gq, 1
+cipy.com, 1
+cir.is, 1
+cira.email, 1
+cirasul.com, 1
+cirasync.com, 1
+circady.com, 1
+circara.com, 1
+circle-people.com, 1
+circlebox.rocks, 1
+circleci.com, 1
+circlelytics.com, 1
+circleofhealthlongmont.com, 1
+circlepluscircle.me, 1
+circlevilleoh.gov, 1
+circu.ml, 0
+circues.com, 1
+circuit.co.uk, 1
+circuitcityelectricaladelaide.com.au, 1
+circuitclerkmarioncountyms.gov, 1
+circuitdesertmaroc.com, 1
+circular.fashion, 1
+circularity.id, 1
+circulosocial77.com, 1
+circumstances.ir, 1
+circus-maximus.de, 1
+circusdays.tk, 1
+circuses.tk, 1
+cirdcil.gov, 1
+cirfi.com, 1
+cirocunato.tk, 1
+cirriton.de, 1
+cirro.io, 1
+cirroenergy.com, 1
+cirruslab.ch, 0
+cirruslabs.ch, 0
+cirurgicagervasio.com.br, 1
+cirurgicalucena.com.br, 1
+cirurgicasaopaulo.com.br, 1
+cirurgicavirtual.com.br, 1
+cisa.gov, 1
+cisabroad.com, 0
+cisco-training.net, 1
+ciscoasanetflow.com, 1
+ciscobrewers.com, 1
+ciscocyberthreatdefense.com, 1
+ciscodude.net, 0
+ciscom.tk, 1
+cisconetflowleader.com, 1
+cisconetflowpartners.com, 1
+cisconetflowreporting.com, 1
+cisconetflowsupport.com, 1
+cisi.org, 1
+cisin.com, 1
+cisincometax.ca, 1
+cisindia.tk, 1
+cision.one, 1
+ciso.social, 1
+cisoaid.com, 1
+cisofy.com, 1
+cisopoland.org, 1
+cisowianki.tk, 1
+cisprague.org, 1
+ciss.ltd, 1
+cissofitness.com, 1
+cistenikoberculiberec.net, 1
+cistit.tk, 1
+cistoaracnoide.org, 1
+cisum-cycling.com, 1
+cisylik.gq, 1
+citacatastro.es, 1
+citace.com, 1
+citacepro.com, 1
+citadelpark.be, 1
+citadni.online, 1
+citae.ga, 1
+citafogasa.es, 1
+citafun.tk, 1
+citakon.cz, 1
+citalopram-20-mg.ml, 1
+citalopram20.ga, 1
+citalopramgeneric.ga, 1
+citalopramhbr.ga, 1
+citans.tk, 1
+citap.gov, 1
+citaprevia-medico.es, 1
+citas-adultas.com, 1
+citationgurus.com, 1
+citations.tk, 1
+citazioni.tk, 1
+citfin.cz, 1
+citharas.org, 1
+citidirect.com, 1
+cities.cl, 1
+citiledger.ga, 1
+citimarinestore.com, 0
+citiswich.com.au, 1
+citius.gal, 1
+citizen428.net, 1
+citizenewatch.tk, 1
+citizenkevin.com, 0
+citizens.pt, 1
+citizensbank.net, 1
+citizensbankal.com, 1
+citizenscience.gov, 1
+citizensgbr.org, 1
+citizenside.fr, 1
+citizenslasvegas.com, 1
+citizensleague.org, 1
+citizentruth.org, 1
+citizing.org, 1
+citos.ga, 1
+citoyen.eu, 1
+citroner.blog, 1
+citrusbocc.gov, 1
+citruscounty.gov, 1
+citruspi.com, 1
+citruspi.io, 1
+citsc.de, 1
+citti.de, 1
+cittinfo.com, 1
+citto.ru, 1
+city-adm.lviv.ua, 1
+city-glas.com, 1
+city-home.tk, 1
+city-nn.com, 1
+city-online.tk, 1
+city-walks.info, 1
+city.kharkov.ua, 1
+cityapparels.com, 1
+citybusexpress.com, 0
+citycalculator.ml, 1
+citycardgand.com, 1
+citycardgante.com, 1
+citycardgent.be, 1
+citycardgent.com, 1
+citycardghent.com, 1
+citycarremovals.com.au, 1
+citycell.ml, 1
+cityconsultants.tk, 1
+citycreek.studio, 1
+citycricket.tk, 1
+cityfacialplastics.com, 1
+cityhide.tk, 1
+cityhotel.tk, 1
+cityjam.tk, 1
+citylift.com.ua, 1
+citylocal.cf, 1
+citymagazine.si, 1
+citymeats.com, 1
+cityofadelga.gov, 1
+cityofallisonia.gov, 1
+cityofaltonil.gov, 1
+cityofamoryms.gov, 1
+cityofarcolatx.gov, 1
+cityofaudubonmn.gov, 1
+cityofbambergsc.gov, 1
+cityofbathmaine.gov, 1
+cityofbayardnm.gov, 1
+cityofbaylakefl.gov, 1
+cityofbayminetteal.gov, 1
+cityofbinghamton.gov, 1
+cityofblairwi.gov, 1
+cityofblancotx.gov, 1
+cityofboydtx.gov, 1
+cityofbridgetonnj.gov, 1
+cityofbristowok.gov, 1
+cityofbrodheadwi.gov, 1
+cityofbrookings-sd.gov, 1
+cityofbrookwoodal.gov, 1
+cityofburnsor.gov, 1
+cityofcarsonca.gov, 1
+cityofcharlottetn.gov, 1
+cityofchinagrovetx.gov, 1
+cityofclare.gov, 1
+cityofclintoniowa.gov, 1
+cityofconroe.gov, 1
+cityofcottonwoodmn.gov, 1
+cityofcrandonwi.gov, 1
+cityofdelafieldwi.gov, 1
+cityofdelcity.gov, 1
+cityofdixonca.gov, 1
+cityofeastpointemi.gov, 1
+cityofeatonrapids.gov, 1
+cityofellisks.gov, 1
+cityofelynv.gov, 1
+cityoferintn.gov, 1
+cityofeuporams.gov, 1
+cityoffergusonky.gov, 1
+cityofflorencesc.gov, 1
+cityofgibraltarmi.gov, 1
+cityofgigharborwa.gov, 1
+cityofgirardoh.gov, 1
+cityofglasgowcollege.ac.uk, 1
+cityofglendora.gov, 1
+cityofgolden.gov, 1
+cityofgrandblancmi.gov, 1
+cityofgrossepointemi.gov, 1
+cityofguttenbergia.gov, 1
+cityofhackensackmn.gov, 1
+cityofherculaneum.gov, 1
+cityofhughsonca.gov, 1
+cityofioneoregon.gov, 1
+cityofirvineca.gov, 1
+cityofithacany.gov, 1
+cityofjuneauwi.gov, 1
+cityofkandiyohimn.gov, 1
+cityofkasaanak.gov, 1
+cityofkewauneewi.gov, 1
+cityoflakebuenavistafl.gov, 1
+cityoflakegeneva.gov, 1
+cityoflancasterca.gov, 1
+cityoflancasterpa.gov, 1
+cityoflfp.gov, 1
+cityoflodiwi.gov, 1
+cityoflompoc.gov, 1
+cityoflorettotn.gov, 1
+cityoflouisvillems.gov, 1
+cityofmadera.gov, 1
+cityofmanchestertn.gov, 1
+cityofmargaretalabama.gov, 1
+cityofmarionia.gov, 1
+cityofmaysvilleky.gov, 1
+cityofmaywoodparkor.gov, 1
+cityofmebanenc.gov, 1
+cityofmerced.gov, 1
+cityofminatarene.gov, 1
+cityofmitchellsd.gov, 1
+cityofmonroewi.gov, 1
+cityofmorgantonga.gov, 1
+cityofmte.gov, 1
+cityofmusic.be, 1
+cityofnewbuffalomi.gov, 1
+cityofnewkirkok.gov, 1
+cityofnewman.gov, 1
+cityofnichollsga.gov, 1
+cityofnovi.gov, 1
+cityofocontowi.gov, 1
+cityofpagedalemo.gov, 1
+cityofpalmdaleca.gov, 1
+cityofpearidgear.gov, 1
+cityofpeople.gent, 1
+cityofperris.gov, 1
+cityofpetersburgwv.gov, 1
+cityofpevelymo.gov, 1
+cityofpinconningmi.gov, 1
+cityofpinebluff-ar.gov, 1
+cityoframseymn.gov, 1
+cityofredding.gov, 1
+cityofrobertsidaho.gov, 1
+cityofroncevertewv.gov, 1
+cityofroyaltonmn.gov, 1
+cityofsacramento.gov, 1
+cityofsalemky.gov, 1
+cityofsanmateoca.gov, 1
+cityofsantamariaca.gov, 1
+cityofsebastopol.gov, 1
+cityofsenatobiams.gov, 1
+cityofsourlake.gov, 1
+cityofspoonerwi.gov, 1
+cityofthorp.gov, 1
+cityoftitans.com, 1
+cityoftulsa.gov, 1
+cityoftybee.gov, 1
+cityofvacaville.gov, 1
+cityofvermilionohio.gov, 1
+cityofwadley-ga.gov, 1
+cityofwakefieldmi.gov, 1
+cityofwashburnwi.gov, 1
+cityofwasilla.gov, 1
+cityofwaterfordca.gov, 1
+cityofwauchula.gov, 1
+cityofwhitneytx.gov, 1
+cityofwinonamo.gov, 1
+cityofwoodland.gov, 1
+cityofwoodward-ok.gov, 1
+cityonfire.com, 1
+citypress.cf, 1
+citypress.ga, 1
+citypress.gq, 1
+citypro.tk, 1
+cityradiusmaps.com, 1
+cityscapeinsurance.com, 1
+cityseeker.com, 1
+citysmartdmc.com, 1
+citysmile.ro, 1
+cityspin.org, 1
+citysportapp.com, 0
+citysquarenews.tk, 1
+citysteambrewery.com, 1
+citytaxiandtours.ga, 1
+citytel.ga, 1
+citytireservice.com, 1
+citytoday.it, 1
+citytourgirls.com, 1
+cityuproject.com, 1
+cityutilities.com, 1
+cityvets.co.uk, 1
+cityview.tk, 1
+cityvision.co.nz, 1
+cityvision.net.nz, 1
+cityvision.nz, 1
+cityvision.org.nz, 1
+citywalkr.com, 1
+citywidealarms.com, 1
+citywisdom.tk, 1
+cityworksonline.com, 1
+ciubotaru.tk, 1
+ciuci.us, 1
+ciuciucadou.ro, 1
+ciucobirbone.it, 1
+ciudadanosbo.com, 1
+ciudadrealtrabaja.com, 1
+ciulea.ro, 1
+civ.social, 1
+civey.com, 1
+civfund.org, 1
+civic-europe.eu, 1
+civicamente.cl, 1
+civicconnectiongroup.com, 1
+civicforum.pl, 1
+civicphotos.com, 1
+civics.us, 1
+civics.world, 1
+civictech.ngo, 1
+civicunicorn.com, 1
+civicunicorn.us, 1
+civil-works-sri.com, 1
+civilbikes.com, 1
+civilconcretellc.com, 1
+civilengineeringhandbook.tk, 1
+civilhost.tk, 1
+civillines.nl, 1
+civilsociety.su, 1
+civiltoday.com, 1
+civilunfold.com, 1
+civilvirus.tk, 1
+civmob.com, 1
+cizgikod.ga, 1
+cizz.uk, 1
+cj-espace-vert.fr, 1
+cj-jackson.com, 1
+cj26.club, 1
+cj8.de, 1
+cjc.gob.es, 1
+cjc.org.es, 1
+cjcanarias.es, 1
+cjcanarias.eu, 1
+cjcanarias.net, 1
+cjcanarias.org, 1
+cjdby.net, 1
+cjdpenterprises.com, 1
+cjdpenterprises.com.au, 1
+cjean.fr, 0
+cjenni.ch, 1
+cjey.me, 1
+cjfinance.fr, 1
+cjhzp.net, 1
+cjimmobilier.com, 1
+cjis.gov, 1
+cjr.host, 1
+cjri.uk, 1
+cjs8866.cc, 1
+cjsm.net, 1
+cjswoodworking.com, 1
+cjwagner.net, 1
+ck-energy.info, 1
+ck-la.tk, 1
+ck-pms.com, 1
+ck.cx, 1
+ck0.eu, 1
+ck1020.cc, 1
+ck12.org, 1
+ckbc.com.sg, 1
+ckcameron.net, 1
+ckcg.tk, 1
+ckdb.de, 1
+ckeke.com, 1
+ckenel.com, 1
+ckenell.com, 1
+ckenelley.com, 1
+ckenelly.com, 1
+ckenely.com, 1
+ckennel.com, 1
+ckenneley.com, 1
+ckennell.com, 1
+ckennelley.com, 1
+ckennelly.com, 1
+ckennely.com, 1
+ckgr.me, 1
+cklie.de, 1
+ckliemann.com, 1
+ckliemann.net, 1
+ckna.ca, 1
+ckostecki.de, 1
+ckp.ie, 1
+ckpl.io, 1
+ckpl.us, 1
+ckprofessionalbookkeeping.ca, 1
+ckrobotics.tk, 1
+cktennis.com, 1
+ckyalliancefinland.tk, 1
+cl-1xbet.com, 1
+cl-automotive.com, 1
+cl-cloud.spdns.org, 1
+cl.search.yahoo.com, 0
+cl0ud.hopto.org, 1
+cl0ud.space, 0
+claarycherry.com, 1
+clacetandil.com.ar, 1
+clactonfencingsupplies.co.uk, 1
+clad.cf, 1
+clague.moe, 1
+claibornecountyms.gov, 1
+claibornecountytn.gov, 1
+claim-justice.com, 1
+claimconnect.us, 1
+claimflights.at, 1
+claimflights.co.uk, 0
+claimflights.com, 0
+claimflights.de, 0
+claimflights.it, 0
+claimflights.pl, 0
+claimflights.ro, 0
+claimfreemusic.com, 1
+claimit.ml, 1
+claimitar.gov, 1
+claimittexas.gov, 1
+claimmosaic.com, 1
+claimnote.com, 1
+claimpilot.com, 1
+claims-bot-webchat-itest.azurewebsites.net, 1
+claimspharmacy.services, 1
+claimyourvoicenow.com, 1
+clairebabai.nl, 1
+clairegold.com, 1
+clairelefort-architectes.com, 1
+clairescastles.co.uk, 1
+clairette-de-die-lantheaume.fr, 1
+clairevoyance.tk, 1
+claitec.com, 1
+clak.io, 1
+clalbit-checknet.co.il, 1
+clallamcountywa.gov, 1
+clamatohalloffame.com, 1
+clan-afa.tk, 1
+clan-behh.tk, 1
+clan-destin.tk, 1
+clan-doom.tk, 1
+clan-finaldestination.tk, 1
+clan-hosting.tk, 1
+clan-ogm.tk, 1
+clan-ready4war.tk, 1
+clan-wars.ml, 1
+clan-ww.com, 1
+clan-zone.dk, 1
+clancrazy.tk, 1
+clandarkworld.tk, 1
+clanebouncycastles.com, 1
+claneros.tk, 1
+clankron.tk, 1
+clanlaw.tk, 1
+clanlegends.tk, 1
+clanmacbran.tk, 1
+clanrose.org.uk, 1
+clansty.com, 1
+clantemplates.tk, 1
+clanto.shop, 1
+clantonal.gov, 1
+clanwarz.com, 1
+clanwub.dk, 1
+clapbacks.com, 1
+clapcafe.com, 1
+clapping-rhymes.com, 1
+claptrap.tk, 1
+clara-solis.eu, 1
+clara.de, 1
+claraanalytics.com, 1
+clarachampbell.com, 1
+clarasegura.tk, 1
+clare3dx.com, 1
+claremontyachtclub.org.au, 1
+clarendon.network, 1
+clarendonvt.gov, 1
+claresderibota.tk, 1
+claretandbluearmy.tk, 1
+clarilog.com, 1
+clarinet.ga, 1
+clarinexonline.gq, 1
+clario.co, 1
+clarionpolicepa.gov, 1
+clarisights.com, 0
+clarisonicmiareview.tk, 1
+clarissalund.com, 1
+clariti-health.com, 1
+claritician.com, 1
+claritin.gq, 1
+claritin.ml, 1
+clarity-c2ced.appspot.com, 1
+claritydesignworks.com, 1
+clarityskin.com, 1
+clark.de, 1
+clarkassociatesinc.biz, 1
+clarkbuildersllc.com, 1
+clarkcoky.gov, 1
+clarkcommagere.com, 1
+clarkcountyar.gov, 1
+clarkcountynv.gov, 1
+clarkcountywi.gov, 1
+clarkecoenergy.com, 1
+clarkelectricalservices.com.au, 1
+clarkfoodserviceequipment.biz, 1
+clarkhowell.com, 1
+clarkinc.biz, 1
+clarkltl.com, 1
+clarkmerrick.com, 1
+clarknationalaccounts.com, 1
+clarkpro.biz, 1
+clarksburgma.gov, 1
+clarksgreenhouse.com, 1
+clarkstatecontract.com, 1
+clarkstown.gov, 1
+clarksvilletn.gov, 1
+clarkturnkey.com, 1
+clarktwpmi.gov, 1
+clarkwinkelmann.com, 1
+clarotvpromocao.com.br, 1
+claroty.com, 1
+clarr.tk, 1
+claryssabarbosa.com.br, 1
+clasa-mea.tk, 1
+clase3.tk, 1
+clash-movies.de, 1
+clashclans.pl, 1
+clashersrepublic.com, 1
+clashoflights.ga, 1
+clashpost.com, 1
+class-zone.tk, 1
+class.com.au, 1
+class66.tk, 1
+classbasic.com, 1
+classcreator.io, 1
+classdesignhome.com, 1
+classdojo.com, 1
+classentials.com, 1
+classic-diva.cf, 1
+classic-diva.ga, 1
+classic-diva.ml, 1
+classicalchaos.tk, 1
+classicalpilates.ca, 1
+classicbakes.com, 1
+classiccrew.tk, 1
+classiccrewhaiti.tk, 1
+classiccutstupelo.com, 1
+classicdriver.com, 1
+classicfg.com.au, 1
+classichits.tk, 1
+classichorrormovie.tk, 1
+classichorrornetwork.tk, 1
+classichost.gq, 1
+classicmagazine.ml, 1
+classicnova.com, 1
+classicnovaandperformance.com, 1
+classics.io, 1
+classicstories.tk, 1
+classictheatrecumbria.co.uk, 1
+classificadostodaoferta.tk, 1
+classifiedspoint.tk, 1
+classiques-garnier.com, 1
+classlastsforever.co.nz, 1
+classpoint.cz, 1
+classroom.google.com, 1
+classroomconductor.com, 1
+classsitterers.ga, 1
+classsitterest.ga, 1
+classx.tk, 1
+classyng.com, 1
+claster.it, 1
+clatsopcounty.gov, 1
+claude.me, 1
+claude.photo, 1
+claudeleveille.com, 0
+claudia-halfter.de, 1
+claudia-makeup.com, 1
+claudiahalfter.de, 1
+claudiasnederlandsehangoordwergjes.tk, 1
+claudiney.eti.br, 1
+claudiney.id, 1
+claudiney.info, 1
+claudiohdz.com, 1
+claumarservice.com, 1
+claunchdesign.com, 1
+claus-bahr.de, 1
+claus-cremer.tk, 1
+clausematch.com, 1
+clauseriksen.net, 0
+clausewitz-gesellschaft.de, 1
+claustrofobia.tk, 1
+clautopieces.fr, 1
+clav1d.com, 1
+clavit4.zone, 1
+clawe.de, 1
+clawedfrogs.tk, 1
+claycountyne.gov, 1
+clayelections.gov, 1
+claygregory.com, 1
+claypenblanks.com, 1
+claytonca.gov, 1
+claytoncapolice.gov, 1
+claytoncondon.com, 1
+claytonjunior.tk, 1
+claytwpmi.gov, 1
+clb.org.hk, 1
+clbmconsultancy.com, 1
+clco.fr, 1
+clcv-brest.fr, 1
+cldejessey.com, 1
+cldfile.com, 1
+cldinc.com, 1
+cldly.com, 1
+clean-cubes.com, 1
+clean-mailbox.com, 1
+clean-servicee.com, 1
+clean-water-and-sanitation.tk, 1
+cleanclearwater.co.uk, 1
+cleandetroit.org, 1
+cleandrains.com.au, 1
+cleanenergy.gov, 1
+cleanenergywire.org, 1
+cleanequip.com.au, 1
+cleaner-en.com, 1
+cleaner.tk, 1
+cleanertoday.com, 1
+cleanertool.co.uk, 1
+cleanfacesest.ga, 1
+cleanforce.ca, 1
+cleanhortihigienizados.com.br, 1
+cleaningbyrosie.com, 0
+cleaningcarpet.ga, 1
+cleaningservicejulai.com, 1
+cleaningsolutioncorp.com, 1
+cleaningwarehouse.ie, 1
+cleankey.jp, 0
+cleanmycurtains.ie, 1
+cleanmyfloor.ie, 1
+cleanmymattress.ie, 1
+cleanmyupholstery.ie, 1
+cleanrun.com, 1
+cleansheetsaz.com, 1
+cleanshield99.com, 1
+cleanslate.sh, 1
+cleanspeak.com, 1
+cleansweepaa.com, 1
+cleanuri.com, 1
+cleanway.dk, 1
+cleanweb.solutions, 1
+cleanzer.id, 1
+clear-eyes.se, 1
+clearbit.com, 1
+clearbooks.co.uk, 1
+clearbookscdn.uk, 1
+clearbrand.com, 1
+clearbreezesecuritydoors.com.au, 1
+clearchatsandbox.com, 1
+clearcreekcountyco.gov, 1
+clearcreekcountydronepilot.com, 1
+cleared.io, 1
+clearer.cloud, 1
+clearfieldcountypa.gov, 1
+clearfieldpa.gov, 1
+cleargage.com, 1
+cleargoals.com, 1
+cleargrain.com.au, 1
+cleargrowshine.com, 1
+clearhumor.tk, 1
+clearip.com, 1
+clearlakechildrenscenter.com, 1
+clearlawinstitute.com, 1
+clearmatics.com, 1
+clearpay.co.uk, 1
+clearsafetalk.com, 1
+clearsailingproperties.com, 1
+clearsoftcomputacion.com, 1
+clearspringinsurance.com, 1
+clearstep.health, 1
+clearstoneip.com, 1
+cleartheear.co.uk, 1
+clearview-creative.com, 1
+clearviewok.gov, 1
+clearviewwealthprojector.com.au, 1
+clearvoice.com, 1
+clearvoice.org, 0
+clearvoice1.com, 1
+clearvoiceu.com, 0
+clearwateragency.com.au, 1
+clearwaterbidets.com, 1
+clearwatercountyid.gov, 1
+clearwatercountymn.gov, 1
+clearwaterseries.tk, 1
+clearwatersexhealth.com, 1
+cleary.xyz, 1
+cleelandspecialists.com.au, 1
+cleelum.gov, 1
+clegc-gckey.gc.ca, 1
+clemdesign.eu, 1
+clemenceroofing.co.uk, 1
+clemency.com, 1
+clemens-bartz.de, 1
+clemensbartz.de, 1
+clemenscompanies.com, 1
+clemenshermanns.de, 1
+clement-gruin.fr, 1
+clementavenue.co.uk, 1
+clementfevrier.fr, 1
+clementlodge.co.uk, 1
+clementluck.com, 1
+clementsfamily.co, 1
+clendeninwv.gov, 1
+cleo.com, 1
+cleocinonline.gq, 1
+cleova.com, 1
+cles-asso.fr, 1
+cles.jp, 1
+clevelandheights.gov, 1
+clevelandokla.com, 1
+clever-datenschutz.de, 1
+clever-invest.cf, 1
+clever-invest.ga, 1
+clever-invest.gq, 1
+clever-reisen.tk, 1
+cleverbots.ru, 1
+cleverbowling.com, 1
+clevercoaching.nl, 1
+cleverdarts.com, 1
+cleverdeal.tk, 1
+cleverlance.de, 1
+cleverlance.es, 1
+cleverlance.sk, 1
+clevermemo.com, 1
+clevermo.gov, 1
+cleveroad.com, 1
+cleveronmobility.com, 1
+cleverskateboard.com, 1
+clevertarget.ru, 1
+cleververmarkten.com, 1
+cleververmarkten.de, 1
+clevisto.com, 1
+clevon.com, 1
+clevon.us, 1
+clevoninvestors.com, 1
+clevvi.com.au, 0
+clevyr.ai, 1
+clevyr.biz, 1
+clevyr.careers, 1
+clevyr.co, 1
+clevyr.com, 1
+clevyr.email, 1
+clevyr.expert, 1
+clevyr.info, 1
+clevyr.me, 1
+clevyr.mobi, 1
+clevyr.ninja, 1
+clevyr.org, 1
+clevyr.shop, 1
+clevyr.store, 1
+clevyr.us, 1
+clevyr.work, 1
+clevyrapps.com, 1
+clevyrcares.com, 1
+clevyrcreative.com, 1
+clevyrgames.com, 1
+clevyrhosting.com, 1
+clevyrhub.com, 1
+clevyrlabs.com, 1
+clevyrnode.com, 1
+clevyrnodejs.com, 1
+clevyrstream.com, 1
+clevyrstreamjs.com, 1
+clevyrstudios.com, 1
+clevyrvr.com, 1
+cleysense.com, 0
+clic-music.com, 1
+clic29.fr, 1
+clica.net, 1
+click-7979.com, 1
+click-cat.tk, 1
+click-generator.com, 1
+click2affiliate.xyz, 1
+click4click.ga, 1
+clickandclaim.me, 1
+clickapro.com, 1
+clickbasin.co.uk, 1
+clickcell.tk, 1
+clickclickfish.com, 1
+clickclickmalware.com, 1
+clickclickphish.com, 1
+clickclickvirus.com, 1
+clickclock.cc, 1
+clickcollect.boutique, 1
+clickdebateest.ga, 1
+clickdefense.io, 1
+clickdocs.ca, 1
+clickedu.net, 1
+clickenergy.com.au, 1
+clickfinger.net, 1
+clickforum.cf, 1
+clickfreescore.com, 1
+clickhelp.com, 1
+clickheretobegin.tk, 1
+clickhost.com.au, 1
+clickhouse.tech, 1
+clickinfo.tk, 1
+clickingmad.com, 1
+clickipo.com, 1
+clickkon.ml, 1
+clickmeeting.com, 1
+clickpeak.digital, 1
+clickphobia.ga, 1
+clickpress.tk, 1
+clickrecados.tk, 1
+clickrising.com, 1
+clicks24.cf, 1
+clicksacolas.com, 1
+clickseek.in, 1
+clicksengage.com, 1
+clickspeedtest.net, 1
+clickstart.ml, 1
+clicktenisdemesa.com.br, 0
+clicktest.cf, 1
+clicktheright.top, 0
+clicktodiscount.com, 1
+clicktolinkb.gq, 1
+clicktrans.com, 1
+clicktrans.de, 1
+clicktrans.es, 1
+clicktrans.it, 1
+clicktrans.pl, 1
+clickzone.ga, 1
+clicoclick.com, 1
+clien.net, 1
+client.coach, 0
+client.photos, 1
+client24.tk, 1
+clientboss.com, 1
+clientcms.co.uk, 1
+clientify.com, 1
+clientpay.com, 0
+clientportal.com, 1
+clientportal.photo, 1
+cliff-rilly-website.tk, 1
+cliffbreak.de, 1
+cliffburton.tk, 1
+clifflu.net, 1
+cliftonaz.gov, 1
+clik.ga, 1
+clima.vip, 1
+climaencusco.com, 1
+climaffaires.com, 1
+climamulti.com.br, 1
+climate.biz, 1
+climatecrafters.com, 1
+climatejustice.nyc, 1
+climatetax.com, 1
+climatgate.tk, 1
+climaticequipment.tk, 1
+climatizzatore.it, 0
+climatizzatore.roma.it, 1
+climatizzatoriprezzi.it, 1
+climaventa.net, 1
+climaverde.gr, 1
+climb4achild.org, 1
+climbernews.com, 1
+climbing.tk, 1
+climbinggear.info, 1
+climbinghouse.com, 1
+climbsoill.com, 1
+climeradar.com, 1
+clinchcountyga.gov, 1
+clindamycin-150mg.ga, 1
+clindamycin-phosphate.ga, 1
+clindamycin.gq, 1
+clindamycinantibiotic.cf, 1
+clindamycinantibiotic.ga, 1
+clindamycinantibiotic.gq, 1
+clindamycinantibiotic.tk, 1
+clindamycinprice.tk, 1
+clindoeilmontagne.com, 0
+clingout.com, 1
+clinic-manager.academy, 1
+clinic-narcom.ru, 1
+clinica.zapto.org, 1
+clinicaarques.es, 1
+clinicadeesteticacontagem.com.br, 1
+clinicadentalados.com, 1
+clinicadentalayomunoz.com, 1
+clinicadentalhome.com, 1
+clinicadoctormit.ro, 1
+clinicaeiger.cl, 1
+clinicaeliana.com, 1
+clinicaesteticabhprime.com.br, 1
+clinicaferrusbratos.com, 0
+clinicalrehabilitation.info, 1
+clinicalstats.ga, 1
+clinicaltrialpodcast.com, 1
+clinicaltrials.gov, 1
+clinicamagdalena.com.co, 1
+clinicarayanelacerda.com.br, 1
+clinicaresplandecer.com.br, 1
+clinicasantodomingo.cl, 1
+clinicaschirmer.com, 1
+clinicasesteticas.com.br, 1
+clinicasmedicas.com.br, 1
+clinicasveterinarias.info, 1
+clinicatorino.com.br, 1
+clinicortinascali.com, 1
+clinicos.cl, 1
+cliniko.com, 1
+clinique-ser.ca, 1
+cliniquecomplementaire.com, 1
+cliniquedacupuncturelajeunesse.com, 1
+cliniquevethuy.be, 1
+clinlife.com, 1
+clinlife.de, 1
+clinlife.us, 1
+clinpharm.vn, 1
+clinsoftcsd.com, 1
+clinstatdevice.com, 1
+clintburnett.com, 1
+clinthorne.com, 1
+clintonbloodworth.com, 1
+clintoncomo.gov, 1
+clintoncountyin.gov, 1
+clintoncountyny.gov, 1
+clintoncountypa.gov, 1
+clintonlibrary.gov, 1
+clintonoh.gov, 1
+clintonohfire.gov, 1
+clintonsavings.com, 1
+clintontwpnj.gov, 1
+clintonvillewi.gov, 1
+clio-dev2.com, 1
+cliomi.gov, 1
+clip-hair.net, 1
+clip.cafe, 1
+clipchamp.com, 1
+clipclip.com, 1
+clips.ga, 1
+cliqit.com.au, 1
+cliquetis.ddns.net, 1
+cliqz.com, 1
+clirnet.com, 1
+clive.io, 1
+cliveptr.cc, 1
+clkbw.com, 1
+clkdmg.site, 1
+clmbr.ch, 0
+clmde.de, 1
+clmz.nl, 1
+clnc.to, 1
+clnlboard.co.uk, 1
+clnnet.ch, 1
+clnshrk.club, 0
+cloaked.ch, 0
+clochix.net, 1
+clock3.com, 1
+clockcaster.com, 1
+clockka.com, 1
+clockka.it, 1
+clocklab.design, 1
+clocklink.com, 1
+clockster.com, 0
+clodo.it, 1
+clodoteam.ga, 1
+cloeri.com, 1
+clojurefactory.io, 1
+clojurescript.ru, 1
+clokdways.com, 1
+clomid100mg.ga, 1
+clomid50mg.cf, 1
+clomid50mg.ml, 1
+clomidformen.tk, 1
+clomidonline.tk, 1
+clomiphene.gq, 1
+clonekicks.nu, 1
+cloneprint.com, 1
+cloneuniverse.com, 1
+cloneuniverse.de, 1
+clonidine-hydrochloride.ga, 1
+clonix.tk, 1
+clonoe.tk, 1
+clonyitaly.tk, 1
+clooi.tk, 1
+cloppenburg-autmobil.com, 1
+cloppenburg-automobil.com, 1
+cloppenburg-gruppe.de, 1
+clorinda.tk, 1
+clorophilla.net, 1
+cloroxpro.com, 1
+closecross.com, 1
+closeli.cn, 1
+closeli.com, 1
+closelinksecurity.co.uk, 1
+closelinksecurity.com, 1
+closernow.tk, 1
+closetedsoul.com, 1
+closets-cheap.tk, 1
+closingholding.com, 1
+closingthegap.gov.au, 1
+closrr.cloud, 1
+closrr.com, 1
+clothes-for-school.tk, 1
+clothilde-wattelier.fr, 1
+clothing-2010.tk, 1
+clothing-for-women.tk, 1
+clothingforcamping.com, 1
+clothingjeans.tk, 1
+clothoff.io, 1
+cloturefrost.net, 1
+cloud-glaeser.dedyn.io, 1
+cloud-hair.jp, 1
+cloud-lines.ml, 1
+cloud-screen.com, 1
+cloud-world.tk, 1
+cloud.bugatti, 1
+cloud.fail, 1
+cloud.google.com, 1
+cloud.gov, 1
+cloud1.nl, 1
+cloud10.io, 1
+cloud10solutions.technology, 1
+cloud24.kz, 1
+cloud24x7.us, 1
+cloud255.com, 1
+cloud42.ch, 0
+cloud4c.com, 1
+cloud9bouncycastlehire.com, 1
+cloud9vets.co.uk, 1
+cloudads.ga, 1
+cloudads.ml, 1
+cloudalice.com, 1
+cloudalice.net, 1
+cloudapps.digital, 1
+cloudatabases.com, 1
+cloudatedge.com, 1
+cloudav.pt, 1
+cloudbees.ai, 1
+cloudbees.com, 1
+cloudbees.io, 1
+cloudberlin.goip.de, 1
+cloudbleed.info, 1
+cloudboard.fr, 1
+cloudbook.wiki, 1
+cloudbool.com, 1
+cloudbreaker.net, 1
+cloudbrothers.info, 0
+cloudbytesconnect.com, 1
+cloudcaprice.net, 1
+cloudcastles.xyz, 1
+cloudcert.org, 1
+cloudchart.site, 1
+cloudcloudcloud.cloud, 1
+cloudcomputingtechnologies.com, 1
+cloudcraftmc.de, 1
+cloudcybersecure.com, 1
+clouddark.xyz, 1
+clouddaten.de, 1
+clouddesk.co.uk, 1
+clouddog.com.br, 1
+clouddomain.tk, 1
+clouddownloader.net, 1
+cloudeezy.com, 1
+cloudengage.com, 1
+cloudera.com, 1
+cloudevolutionforum.com.br, 1
+cloudey.net, 1
+cloudfast.cf, 1
+cloudfilecomputer.ga, 1
+cloudfiles.at, 1
+cloudfinders.cf, 1
+cloudfit.tech, 1
+cloudflare-dns.com, 1
+cloudflare.com, 1
+cloudflare.irish, 1
+cloudflareonazure.com, 1
+cloudforce.com, 1
+cloudfree.shop, 1
+cloudfree.top, 1
+cloudfudge.com, 1
+cloudhero.ai, 1
+cloudia.org, 1
+cloudily.com, 1
+cloudimproved.com, 1
+cloudimprovedtest.com, 1
+cloudindex.io, 1
+cloudinfinit.com, 1
+cloudinnovation.design, 1
+cloudit.co, 1
+cloudix.cf, 1
+cloudlandmark.com, 1
+cloudlessdreams.com, 0
+cloudlfront.net, 1
+cloudlight.biz, 1
+cloudmanagedbuilding.com, 1
+cloudmanagedbuildings.com, 1
+cloudmarathi.work, 1
+cloudmarket.com.br, 0
+cloudmax.es, 1
+cloudmigrator365.com, 1
+cloudmoney.tk, 1
+cloudmyhome.site, 1
+cloudmyhome.top, 1
+cloudnexusit.com, 1
+cloudnote.cc, 1
+cloudnovi.com, 1
+cloudns.net, 1
+cloudofertas.com.br, 1
+cloudoptimizedsmb.com, 1
+cloudoptimus.com, 1
+cloudpagesforwork.com, 1
+cloudpengu.in, 1
+cloudplan.nl, 1
+cloudpole.de, 1
+cloudpublic.pro, 1
+cloudrive.cf, 1
+cloudscribe.com, 1
+cloudse.co.uk, 1
+cloudsec.tk, 1
+cloudsecurityalliance-europe.org, 1
+cloudsecurityalliance.ai, 1
+cloudsecurityalliance.ca, 1
+cloudsecurityalliance.cloud, 1
+cloudsecurityalliance.cn, 1
+cloudsecurityalliance.com, 1
+cloudsecurityalliance.events, 1
+cloudsecurityalliance.net, 1
+cloudsecurityalliance.org, 1
+cloudsecurityalliance.training, 1
+cloudsecurityalliancelabs.com, 1
+cloudsecuritycommunity.org, 1
+cloudsecuritycongress.net, 1
+cloudsecuritycongress.org, 1
+cloudseptam.fr, 1
+cloudsharp.io, 1
+cloudshiftgroup.co.uk, 1
+cloudsign.jp, 1
+cloudskill.in, 1
+cloudsmart.tech, 1
+cloudsmith.com, 0
+cloudsms.com, 1
+cloudspace-analytics.com, 1
+cloudspeedy.net, 1
+cloudspire.net, 1
+cloudstoragecompare.com, 1
+cloudstored.nl, 1
+cloudstress.ga, 1
+cloudsweeper.com, 1
+cloudsweeper.de, 1
+cloudsys.dnsalias.net, 1
+cloudteam.de, 1
+cloudtelemanagement.com, 1
+cloudtocloud.ddns.net, 0
+cloudtocloud.tk, 1
+cloudtropia.de, 1
+cloudtskr.com, 1
+cloudturing.chat, 1
+cloudturing.com, 1
+cloudu.de, 1
+cloudup.com, 1
+cloudvoor.eu, 1
+cloudvoor.net, 1
+cloudvoor.nl, 1
+cloudwajs.com, 1
+cloudwalk.io, 0
+cloudwave.fr, 1
+cloudwayc.com, 1
+cloudwayds.com, 1
+cloudwayq.com, 1
+cloudways.cm, 1
+cloudwebservices.nl, 1
+cloudwellmarketing.com, 1
+cloudwithlightning.net, 1
+cloudyun.top, 1
+cloudzentechnologies.com, 1
+clouglobal.com, 0
+cloutcloset.ga, 1
+clouvways.com, 1
+clouwways.com, 1
+clouz.de, 1
+clover-sendai.com, 1
+cloverleafmoving.com, 1
+cloversonoma.com, 1
+clovertwo.com, 1
+clovisoncology.com, 1
+clovisplumbingservices.com, 1
+clovorin.gq, 1
+clowd.haus, 1
+clowd.ovh, 1
+clown-clan.tk, 1
+clown-workshop.de, 1
+clown-zappo.de, 1
+clownish.co.il, 1
+cloxy.com, 1
+cloydnco.com, 1
+cloydnco.com.jm, 1
+cloydncojamaica.com.jm, 1
+cloyes.com, 1
+cloze.com, 1
+clpoule.nl, 1
+clr3.com, 1
+cls.im, 1
+clsimage.com, 1
+clsmalta.eu, 1
+clsoft.ch, 1
+clu-in.org, 1
+cluadmin.de, 1
+club-adulti.ro, 1
+club-creole.com, 1
+club-dieta.ru, 1
+club-dresses.cf, 1
+club-duomo.com, 1
+club-eclipse.tk, 1
+club-ed.com, 1
+club-leondehuanuco.tk, 1
+club-nautique-sainte-maxime.fr, 1
+club-night.tk, 1
+club-no4.de, 1
+club-oz.tk, 1
+club-premiere.com, 1
+club-reduc.com, 1
+club-slow.jp, 1
+club-soul.tk, 1
+club-transformation-digitale.com, 1
+club.zj.cn, 1
+club10x.com, 1
+clubanimal.cl, 1
+clubapk.com, 1
+clubarbuz.ru, 1
+clubatleticonacionalpotosi.tk, 1
+clubauto.guru, 1
+clubbers-comtois.tk, 1
+clubcollinssquare.com.au, 1
+clubcompetition.co.uk, 1
+clubcorolla.cf, 1
+clubcorsavenezuela.com, 0
+clubcupido.com.br, 1
+clubdeportivocieza.tk, 1
+clubdeslecteurs.net, 1
+clubduvieuxmanoir.fr, 1
+clubeamizade.com, 1
+clubeamizade.com.pt, 1
+clubeamizade.pt, 1
+clubedalutashop.com, 1
+clubedaquimica.tk, 1
+clubedegeografia.tk, 1
+clubedoberloque.com.br, 1
+clubedohardware.com.br, 1
+clubedores.com.br, 1
+clubeflor.com.br, 1
+clubegls.com, 1
+clubegls.com.pt, 1
+clubegolfpt.com, 1
+clubeighteen.tk, 1
+clubempleos.com, 1
+clubeohara.com, 1
+cluberiks.cf, 1
+cluberiks.ga, 1
+cluberiks.gq, 1
+clubetravel.biz, 1
+clubetravel.com, 1
+clubetravel.com.br, 1
+clubetravel.com.pt, 1
+clubetravel.net, 1
+clubetravel.org, 1
+clubexpress.com, 1
+clubfactory.ml, 1
+clubfailed.tk, 1
+clubfamily.de, 1
+clubforce.com, 1
+clubfunday.ga, 1
+clubgalileo.com.ec, 1
+clubgenesis.tk, 1
+clubgls.com, 1
+clubhouseohio.org, 1
+clubhousetownhomes.com, 0
+clubic.com, 1
+clubinhodobaby.com.br, 1
+clubkalinka.tk, 1
+clubkuzmich.ru, 1
+clublevelsports.com, 1
+clublibertad.tk, 1
+clublime.com.au, 1
+clubmagellan.tk, 1
+clubmahindra.com, 1
+clubmania.tk, 1
+clubmarina.store, 1
+clubmate.rocks, 1
+clubmini.jp, 1
+clubminimansiones.tk, 1
+clubnature.tk, 1
+clubni.tk, 1
+clubnoetig-ink2g.de, 1
+cluboc.site, 1
+clubon.space, 1
+clubpes.tk, 1
+clubpeugeot405.tk, 1
+clubserveers.ga, 1
+clubsuccessjapan.com, 1
+clubtamarugal.tk, 1
+clubtecknocore.tk, 1
+clubtraining.com.au, 1
+clubtravel.com.pt, 1
+clubtur.dk, 1
+clubvodoley.ru, 1
+clubvttlesloupsdemaixe.tk, 1
+clubvwgolf.com, 1
+clubzap.org, 1
+clubzero.co, 1
+clubzul.com, 1
+cluedosenvivo.com, 1
+cluefluest.ga, 1
+clueless.ga, 1
+clueless.tk, 1
+cluelesscraft.com, 1
+cluin.org, 1
+cluj.apartments, 1
+cluj.help, 1
+clush.pw, 1
+cluster.biz.tr, 1
+cluster446.fr, 1
+clusterfuck.nz, 1
+clustermaze.net, 1
+clutch.ua, 1
+clvr.sh, 1
+clvs7.com, 0
+clweb.ch, 1
+clwrota.com, 1
+clycat.ru, 1
+clyde-tx.gov, 1
+clydewi.gov, 1
+cm-agueda.pt, 1
+cm-funchal.pt, 1
+cm-law.eu, 1
+cm-loures.pt, 1
+cm-penalvadocastelo.pt, 1
+cm-pombal.pt, 1
+cm-portimao.pt, 1
+cm-ribeiragrande.pt, 1
+cm-terrasdebouro.pt, 0
+cm-valenca.pt, 0
+cm-viladobispo.pt, 1
+cm-vizela.pt, 1
+cm-vpaguiar.pt, 1
+cm1xbet.com, 1
+cm3.pw, 0
+cmaa.it, 1
+cmadeangelis.it, 1
+cmalet-avocat.fr, 1
+cmavs.com, 1
+cmbeautiful.com, 1
+cmbs.loans, 1
+cmc.pt, 0
+cmcbank.co.in, 1
+cmcc.network, 1
+cmcjanuary.in, 1
+cmcressy.ch, 1
+cmd2021acm.com, 1
+cme-colleg.de, 1
+cmetana.tk, 1
+cmf.qc.ca, 1
+cmfaccounting.com, 0
+cmfcuro.com, 1
+cmftech.com, 1
+cmfuchs.de, 1
+cmi.no, 1
+cmillrehab.com, 1
+cmkr.at, 1
+cmlachapelle.ch, 1
+cmlcpa.ca, 1
+cmlex.com, 1
+cmlignon.ch, 1
+cmmcinfo.org, 1
+cmn-group.com, 0
+cmn-groupe.com, 0
+cmngroup.com, 0
+cmngroupe.com, 0
+cmonlien.fr, 1
+cmperalta.tk, 1
+cmplainpalais.ch, 1
+cmprecisiontech.com, 1
+cmrconstructions.com.au, 1
+cmrlink.org, 1
+cmrnw.com, 1
+cms-mania.tk, 1
+cms-service24.de, 1
+cms-weble.jp, 1
+cms-world.co.jp, 1
+cmsasia.co, 1
+cmscompany.de, 1
+cmsdca.gov, 1
+cmserviscz.cz, 0
+cmskeyholding.co.uk, 1
+cmskeyholding.com, 1
+cmskh.co.uk, 1
+cmsnl.com, 1
+cmsonline.com, 1
+cmsua.ca, 1
+cmtportal.co.uk, 1
+cmtso.com, 1
+cmv.gr, 1
+cmweb.xyz, 1
+cn.search.yahoo.com, 0
+cn2euportugal.com, 1
+cn8522.com, 1
+cna-ecuador.com, 1
+cna.com.br, 1
+cnabogota.tk, 1
+cnairgroupstore.com, 1
+cnam-idf.fr, 1
+cnatraining.network, 1
+cnb.ie, 1
+cnb1901.com, 1
+cnbs.ch, 1
+cnc-lehrgang.de, 1
+cncexplorer.com, 1
+cncfraises.fr, 1
+cncn3.cn, 1
+cncollege.tk, 1
+cncr.ga, 1
+cncs.gov.pt, 1
+cnetw.xyz, 1
+cnews.ru, 1
+cnexchange.com, 1
+cnfei.com, 1
+cnfree.xyz, 1
+cngf.com, 1
+cngvp.org, 1
+cni-certing.it, 1
+cni.net.id, 1
+cniec.com, 1
+cnil.fr, 1
+cnipv6.com, 1
+cnitdog.com, 1
+cnki.com, 1
+cnlic.com, 1
+cnlongtex.com, 1
+cnmi.gov, 1
+cnmilaw.gov, 1
+cnnet.in, 1
+cnnumerique.fr, 1
+cnocsp.com, 1
+cnopera.com, 1
+cnp.ovh, 1
+cnpkg.org, 1
+cnpy.gdn, 1
+cnslub.ru, 1
+cnss.gob.do, 1
+cntraveller.com, 1
+cnvt.fr, 1
+cnxiangxian.com, 1
+co-construisonsdemain.org, 1
+co-founder-stuttgart.de, 1
+co-store.com, 1
+co-yutaka.com, 1
+co.fo, 1
+co.lu, 1
+co.search.yahoo.com, 0
+co.td, 1
+co2eco.cn, 0
+co2fr.ee, 0
+co3app.com, 1
+coa.gov.ph, 1
+coach-enligne.fr, 1
+coach-hpe.ch, 0
+coach.org.uk, 1
+coachablebyabel.nl, 1
+coachbakery.com, 1
+coaches-website.de, 1
+coachinfopreneur.com, 1
+coaching-aus-leidenschaft.com, 1
+coaching-harmonique.fr, 1
+coaching-impulse.ch, 0
+coaching-in-veenendaal.nl, 1
+coaching-oberhavel.de, 1
+coachingausbildungde.com, 1
+coachingforleaders.com, 1
+coachingmillenium.com, 1
+coachingsantcugat.cat, 1
+coachjehond.nl, 1
+coachment.dk, 1
+coactive.ai, 1
+coag.gov.au, 1
+coagclinic.com, 1
+coalitieduurzamedigitalisering.nl, 1
+coalition.tk, 1
+coalmen.ga, 1
+coalpointcottage.com, 1
+coalvillebasketball.tk, 1
+coaojarlos.tk, 1
+coasa.me, 1
+coassessment.com, 1
+coast.tk, 1
+coastalmotorcoach.com, 1
+coastalpayroll.net, 1
+coastalphysie.com, 1
+coastalpointe.com, 1
+coastalsignsplus.com, 1
+coastline.net.au, 1
+coastnews.cf, 1
+coathangastrangla.com, 1
+coathangastrangler.com, 1
+coathangerstrangla.com, 1
+coathangerstrangler.com, 1
+coating-equipment.com, 1
+coats-and-jackets.tk, 1
+coatsandcocktails.org, 1
+cobaka.tk, 1
+cobaltia.org, 1
+cobbcountygeorgia.ml, 1
+coberturaplus.com, 1
+cobitis.net, 1
+cobiz.nl, 1
+coboxviagens.com.br, 1
+cobracastles.co.uk, 1
+cobralelie.nl, 1
+cobranzasimg.com, 1
+coc.de, 1
+cocaine.ninja, 1
+cocaine.wiki, 1
+cocalc.com, 1
+cocareonline.com, 1
+coccinellaskitchen.com, 1
+coccinellaskitchen.de, 1
+coccinellaskitchen.it, 1
+coccinellepratas.com.br, 1
+coccolebenessere.it, 1
+cochem-zell-online.de, 1
+cochem-zell.de, 1
+cocheriagori.com.ar, 1
+cochesaescala.tk, 1
+cochesteledirigidos.net, 1
+cochin-brahma.tk, 1
+cochise.gov, 1
+cochranwriting.com, 1
+cocina.guru, 1
+cocinaconalegria.shop, 1
+cocinandoenelsalnes.com, 1
+cocinasazahara.tk, 1
+cocinoyo.com, 1
+cock.lt, 1
+cockedey.in, 1
+cockerspanielamericano.com.br, 1
+cockerspanielingles.com.br, 1
+cockfile.com, 1
+cockmonkey.tk, 1
+cocktail.network, 1
+cocktailwebbook.com, 1
+cockybot.com, 1
+coco-01.gq, 1
+coco-apo.de, 1
+coco-cool.fr, 1
+coco-line.ch, 1
+coco.one, 1
+cocoa-job.jp, 1
+cocoafl.gov, 1
+cocoamexico.com, 1
+cocobollo-sallanches.com, 1
+cocobrother.ddnss.de, 1
+cocodroid.com, 0
+cocogoat.work, 1
+cocogolfcarts.com, 1
+cocokmobi.ga, 1
+cocolink.jp, 1
+cocomelody.com, 0
+cocomelody.jp, 1
+coconutguy.gq, 1
+coconutoil.ml, 1
+coconuts-fashion.gr, 1
+cocopah.gov, 1
+cocopipeline-br-development.herokuapp.com, 1
+cocoscastles.co.uk, 1
+cocosunbeds.co.uk, 1
+cocounty.org, 1
+cocowine.com, 1
+cocresa.tk, 1
+cocula.net, 1
+cocyou.ooo, 1
+cocytus.services, 1
+cod-ggw.ml, 1
+cod4mw.fr, 1
+cod88.cc, 1
+coda-erfurt.de, 1
+coda.io, 1
+coda.world, 1
+coda18.gov, 1
+coda23.gov, 1
+codabix.com, 1
+codabix.de, 1
+codandn.com, 1
+code-35.com, 0
+code-in-plate.tk, 1
+code-judge.tk, 1
+code-maze.com, 1
+code-poets.co.uk, 1
+code-server.host, 1
+code-vikings.de, 1
+code-well.com, 1
+code.cool, 1
+code.facebook.com, 0
+code.fm, 1
+code.google.com, 1
+code.gov, 1
+code4.hk, 1
+code9000.be, 1
+codeandpeace.com, 1
+codeandsupply.co, 1
+codeberg.org, 1
+codebot.tk, 1
+codebrahma.com, 0
+codebrasileiro.tk, 1
+codebreak.tk, 1
+codebreakers.it, 1
+codecatalyst.aws, 1
+codeclouds.com, 1
+codeclub.gq, 1
+codecolliders.com, 1
+codecommunity.io, 1
+codecool.com, 1
+codecrew.us, 1
+codectron.com, 1
+codedbyjim.nl, 1
+codedelarouteenligne.fr, 1
+codedo.info, 0
+codedump.net, 1
+codeeclipse.com, 1
+codefaq.org, 1
+codefather.ml, 1
+codeferm.com, 1
+codefionn.eu, 1
+codefive.co.uk, 1
+codefordus.de, 1
+codefordus.nrw, 1
+codefoundry.it, 0
+codegen.ca, 1
+codegirl.tk, 1
+codeguided.com, 1
+codehangar.io, 1
+codehelper.ml, 1
+codeheroes.fr, 1
+codehupy.org.py, 1
+codehz.one, 1
+codeidea.ga, 1
+codeine.co.uk, 1
+codeit.guru, 1
+codeit.pro, 1
+codeit.us, 1
+codejumper.ml, 1
+codekk.com, 1
+codelinchpin.com, 1
+codeloop.pw, 1
+codemahrt.com, 1
+codemanbd.com, 1
+codemperium.com, 1
+codename-infinity.de, 1
+codename-infinity.org, 1
+codename24.tk, 1
+codenamelungo.tk, 1
+codenetwork.com, 1
+codeninja.me, 1
+codenlife.kr, 1
+codenlife.xyz, 1
+codenode.io, 1
+codeofhonor.tech, 1
+codeparva.com, 1
+codepen.com, 1
+codepen.io, 1
+codepoint.ml, 1
+codepoints.net, 1
+codepref.com, 1
+codeprotocols.com, 1
+codeproxy.net, 1
+codepwn.win, 1
+codercross.com, 1
+codered.sh, 1
+codereduction.promo, 1
+coderema.de, 1
+coderema.eu, 1
+coderescue.com, 1
+codereview.appspot.com, 1
+codereview.chromium.org, 1
+coderhangout.com, 1
+coderjesus.com, 1
+coderme.com, 1
+codero.com, 1
+coderoute-enligne.com, 1
+coderpad.io, 1
+codersatlas.co, 1
+codersatlas.xyz, 1
+codersharing.com, 1
+coderus.com, 1
+codes.pk, 1
+codesgroup.tk, 1
+codeslaw.com, 1
+codesplain.in, 1
+codesport.io, 1
+codesquad.com.au, 1
+codessale.com, 1
+codestats.net, 1
+codestudies.net, 1
+codetahiche.com, 1
+codetheweb.blog, 1
+codetheworld.com, 1
+codetrack.se, 1
+codetricked.com, 1
+codetripping.net, 1
+codeupstudios.com, 1
+codeux.com, 1
+codeux.info, 1
+codeux.net, 1
+codev.com.tr, 1
+codevat.com, 1
+codewaifu.com, 1
+codewild.de, 1
+codewitchbella.com, 0
+codewithalisha.ga, 1
+codewithlove.blog, 1
+codewrecks.com, 1
+codex.online, 1
+codezenith.com, 1
+codezeno.com.au, 1
+codicicer.it, 1
+codifi.com, 1
+codific.com, 1
+codifique.tk, 1
+codigodelbonusbet365.com, 1
+codigoexactodearea.com, 1
+codigojose.com, 1
+codigomusical.tk, 1
+coding-aloud.nz, 1
+coding-basic.tk, 1
+coding-treff.de, 1
+coding.lv, 1
+coding.net, 1
+codingale.com, 1
+codingame.com, 1
+codingame.eu, 1
+codingblog.org, 1
+codingforspeed.com, 1
+codingfromhell.net, 1
+codinginfinity.me, 1
+codingissimple.com, 1
+codingnbb.com, 1
+codish.ml, 1
+codista.com, 1
+cododigital.co.uk, 1
+codowned.com, 1
+coduca88.com, 1
+codulrutier.tk, 1
+coduzion.com, 1
+cody.sh, 1
+codydostal.com, 1
+codywy.gov, 1
+coeburnva.gov, 1
+coecho.net, 1
+coedpictures.com, 1
+coefficient.com.au, 1
+coeminna.edu.ng, 0
+coenjutte.tk, 1
+coens.me.uk, 1
+coentropic.com, 1
+coenzima.com, 1
+coequals.tk, 1
+cofense.at, 1
+cofetaria-narcisa.ro, 1
+coffee-break.cc, 1
+coffee-like.com, 1
+coffee-webstore.com, 1
+coffee.co.uk, 1
+coffeebean.cf, 1
+coffeebeanstudios.tk, 1
+coffeebiz.co.nz, 1
+coffeebreak.bg, 1
+coffeechi.ir, 1
+coffeeciel.com, 1
+coffeeciel.com.tr, 1
+coffeeholic.tk, 1
+coffeehousewriters.com, 1
+coffeemoment.nl, 1
+coffeeplazahamburg.com, 1
+coffeeruta.ru, 1
+coffeestain.ltd, 1
+coffeestory.in.ua, 1
+coffeetom.de, 1
+coffeist.com, 1
+coffstotalroofing.com.au, 1
+cofidis-group.com, 1
+cofidur.com, 1
+cofigs.com, 1
+cofinco.nl, 1
+cofob.ru, 1
+cofradiaqueimada.tk, 1
+cogent.cc, 1
+cogetop.com.br, 1
+coggeshall.io, 1
+coggeshall.us, 1
+coggin.church, 1
+coggle.it, 1
+coginti.tk, 1
+cogknockers.com, 1
+cogknockers.net, 1
+cognac-oenologie.com, 1
+cognac-tasting-tour.com, 0
+cognigennetwork.tk, 1
+cognitiveapplications.net, 1
+cognitivehealthintl.com, 1
+cognitohq.com, 0
+cognixia.us, 1
+cognosweb.net, 1
+cogolloelegante.com, 1
+cogsquad.house, 1
+cogstate.com, 1
+cogumelosmagicos.org, 1
+coharushika.com, 1
+cohassetfirema.gov, 1
+cohassetma.gov, 1
+cohassetpolicema.gov, 1
+cohenandcohen.net, 1
+cohere.io, 1
+cohob.de, 1
+coiffbot.fr, 1
+coiffeurschnittstelle.ch, 1
+coiffure-website.de, 1
+coil.gov, 1
+coimmvest.com, 1
+coin-exchange.cz, 1
+coin-miners.info, 1
+coin-money.tk, 1
+coin.dance, 1
+coin.space, 1
+coinamount.com, 0
+coinauctionshelp.com, 1
+coinbase.com, 1
+coinbit.trade, 0
+coinbrain.com, 1
+coincabin.io, 1
+coincalc.tk, 1
+coinchapter.com, 1
+coincircle.com, 1
+coincity.ga, 1
+coinclickz.fun, 1
+coincoele.com.br, 1
+coincoin.eu.org, 1
+coinf.it, 1
+coinflux.com, 1
+coinfundit.com, 1
+coingate.com, 1
+coinjar-sandbox.com, 1
+coinjar.com, 1
+coinlend.org, 1
+coinliq.com, 1
+coinloan.io, 1
+coinmarketturkiye.com, 1
+coinmotion.com, 1
+coinnector.com, 1
+coinnewspulse.com, 1
+coinpaprika.com, 1
+coinpedia.org, 1
+coinplay.com, 1
+coinroom.com, 1
+coins2001.ru, 1
+coinsales.net, 1
+coinscatalog.net, 1
+coinsconnect.co.uk, 1
+coinsmat.com, 1
+coinsuggest.com, 1
+cointosh.jp, 1
+coinwind.vip, 1
+coinx.pro, 1
+coiracom.net, 1
+cojam.ru, 1
+cojo.eu, 1
+cok.hu, 1
+cokebar.info, 0
+coker.com.au, 1
+cokestudiosongs.tk, 1
+cokisiregar.com, 1
+cokomi.com, 1
+col.la, 0
+cola-host.tk, 1
+colaborame.tk, 1
+colaborativa.tv, 1
+colaboratorija.lt, 1
+colabore.com, 1
+colabug.com, 1
+colafoodcritic.com, 1
+colah.com.au, 1
+colapsys.net, 1
+colarelli.ch, 1
+colarose.tk, 1
+colazxk.xyz, 1
+colbert.ml, 1
+colburnadamswi.gov, 1
+colchesterglobal.co.nz, 1
+colchesterglobal.com, 1
+colchesterglobal.com.au, 1
+colcomm.com, 1
+cold.world, 1
+coldcardwallet.com, 1
+coldcaserecords.gov, 1
+coldecan.edu.co, 1
+colder.one, 1
+coldfff.com, 1
+coldfusion.co.jp, 1
+coldhak.ca, 0
+coldice.tk, 1
+coldjetconnect.com, 1
+coldlasers.org, 1
+coldpaste.com, 1
+coldspegll.gq, 1
+coldspringsrancheria.gov, 1
+coldsteelsolutions.com, 1
+coldstreamcreekfarm.com, 1
+coldtomato.ga, 1
+coldtomatoest.ga, 1
+coldwater.tk, 1
+coldwateraustin.com, 1
+colearning.world, 1
+colecountymo.gov, 1
+colectivaradio.tk, 1
+colectivo.tk, 1
+colectivomackandal.tk, 1
+colectivovictorjara.tk, 1
+coleg.gov, 1
+colegiocuauhtzin.com.mx, 1
+colegiojaimebalmes.es, 1
+colegiorecanto.com, 1
+colegios.net, 1
+colegiosantaursula.com.br, 1
+colegiotalenti.com, 1
+colegiotavera.tk, 1
+colemak.com, 1
+colengo.com, 1
+colerainemn.gov, 1
+coletrain.com, 1
+colfaxcountyne.gov, 1
+colfaxia.gov, 1
+colibri.jp, 1
+colibriexpress.tk, 1
+coligo.fr, 1
+colinasdog.com.br, 1
+colincogle.name, 1
+colinespinas.com, 0
+colinhouston.com, 1
+colink.fi, 1
+colinobrien.online, 1
+colinsnaith.co.uk, 1
+colinstark.ca, 1
+colinyoung.scot, 1
+colis-collecte.re, 1
+colisfrais.com, 0
+colivevalues.com, 1
+collab.ddnss.org, 1
+collabora-office.com, 1
+collabora.ca, 0
+collabora.co.kr, 1
+collabora.co.uk, 1
+collabora.com, 1
+collabora.kr, 1
+collabora.ninja, 0
+collabora.social, 0
+collabora.uk, 0
+collaboracloudsuite.com, 0
+collaboraoffice.co.uk, 1
+collaboraoffice.com, 1
+collaboration.cafe, 1
+collaborativedrug.com, 0
+collabornation.net, 1
+collacott.org, 1
+collaction.hk, 1
+collada.org, 1
+collage.me, 1
+collagecrafting.com, 1
+collagepartners.com, 1
+collalloc.com, 1
+collapsed.de, 1
+collar.place, 1
+collard.tk, 1
+collare.com.mx, 1
+collare.mx, 1
+collarslab.com, 1
+collateral360.com, 1
+collateralmurder.com, 1
+collbox.co, 0
+colleadimari.com, 1
+collectaction.com, 1
+collectdocs.com, 1
+collecter.tk, 1
+collectfood.com, 1
+collectiblebeans.com, 1
+collectibles.tk, 1
+collectif-laicite-yallah.be, 1
+collectif85.com, 1
+collectifpinceoreilles.com, 1
+collectionru.com, 1
+collective-incubator.de, 1
+collectivedg.com, 1
+collectiverecyclers.com, 1
+collectivesupply.com, 1
+collector.cf, 1
+collectorknives.net, 1
+collectorscorner.com, 1
+collectorsystems.com, 1
+college-chagall.tk, 1
+collegeeducation.ml, 1
+collegegirlhd.com, 1
+collegeinlouisiana.com, 1
+collegeinoklahoma.com, 1
+collegeinoregon.com, 1
+collegeinpennsylvania.com, 1
+collegematchmaking.org, 1
+collegemate.eu, 1
+collegemoccassin.com, 1
+collegenavigator.gov, 1
+collegepaperworld.com, 1
+collegephysicsanswers.com, 1
+collegeprospectsofcentralindiana.com, 1
+collegereligionandphilosophy.com, 1
+collegesecretary.cn, 1
+collegesecretary.com, 1
+collegesexvid.com, 1
+collegesidekick.com, 1
+collegesrit.tk, 1
+collegestationhomes.com, 1
+collegetimes.co, 1
+collegetownstudios.tk, 1
+collepietra.it, 1
+collerosso.com, 1
+collettando.it, 1
+colley.tk, 1
+collezione.it, 1
+collideascope.co, 1
+collierlunaire.fr, 1
+colliervotes.gov, 1
+collin.us, 1
+collin.xyz, 1
+collinel-hossari.com, 1
+collinelhossari.com, 1
+collinklippel.com, 0
+collinlove.ca, 1
+collinlove.ch, 1
+collinlove.co.uk, 1
+collinlove.com, 1
+collinlove.de, 1
+collinlove.net, 1
+collinlove.nl, 1
+collinlove.org, 1
+collinlove.se, 1
+collinlove.uk, 1
+collinlove.us, 1
+collinlove.xyz, 1
+collinmbarrett.com, 1
+collins.kg, 1
+collins4mayor.co.nz, 1
+collins4mayor.nz, 1
+collins4mayor.org, 1
+collins4mayor.org.nz, 1
+collinsdictionary.com, 1
+collinssquare.com.au, 1
+collinssquarecatering.com.au, 1
+collinswyatt.com, 1
+collobrieres.restaurant, 1
+colloquio.tk, 1
+colloquy.mobi, 1
+colmena.biz, 1
+colo-tech.com, 1
+colocolochile.tk, 1
+coloffmedia.com, 1
+cololi.moe, 1
+colombiajobstoday.com, 1
+colombian.cam, 1
+colombianas.webcam, 1
+colombianbride.net, 1
+colombyinai.ga, 1
+coloniae.de, 1
+colonialbeachva.gov, 1
+colonialfilings.com, 1
+colonialfurniturestripping.com, 1
+colonize.africa, 1
+coloquiocentrooeste.mat.br, 1
+color-mixer.tk, 1
+color01.net, 1
+colorado-locksmith.com, 1
+coloradobluebook.gov, 1
+coloradochildrep.gov, 1
+coloradoer.tk, 1
+coloradofamli.gov, 1
+coloradolottery.com, 1
+coloradorangers.gov, 1
+coloradoseodesign.com, 1
+coloradosos.gov, 1
+colorblindfilms.com, 1
+colorblindprogramming.com, 1
+colorbrightongreen.org, 1
+colorcodedlyrics.com, 1
+colorcomm.com, 1
+colorfularchive.eu.org, 1
+colorfulcloud.eu.org, 1
+colorfuldots.com, 0
+colorfulworld.ru, 1
+colorguni.com, 1
+colorhexa.com, 1
+colorideas.net, 1
+coloringbooknook.org, 1
+coloristcafe.com, 1
+colorjungle.co.za, 1
+colorlib.com, 0
+colorline.com.br, 1
+colorpalette.org, 1
+colorpicker.fr, 1
+colorsbycarin.com, 1
+colortronic.tk, 1
+colorunhas.com.br, 1
+colorwow.cf, 1
+colorwow.ga, 1
+colossean.com, 1
+colosseumticket.cz, 1
+colostral.com, 1
+colotimes.com, 1
+colourblast.com.au, 1
+colourfulcastles.co.uk, 1
+colourmanagementpro.com, 1
+colourmeren.com, 1
+colourtohtml.tk, 1
+colpatriaws.azurewebsites.net, 1
+colposcopy.com.sg, 1
+colquittcountyga.gov, 1
+colquittga.gov, 1
+colson-occasions.be, 0
+coltellisurvival.com, 1
+coltonrb.com, 1
+columbiacountyor.gov, 1
+columbiacountywi.gov, 1
+columbiail.gov, 1
+columbialawreview.org, 1
+columbiamemorialhealth.org, 1
+columbiamspd.gov, 1
+columbiaproemergencymovers.com, 1
+columbiascaffolding.com, 1
+columbiathreadneedle.com, 1
+columbiatwpmi.gov, 1
+columbuscoffeefest.com, 1
+columbuscomedyfest.com, 1
+columbushydroxide.com, 1
+columbushydroxide.net, 1
+columbushydroxide.org, 1
+columbusks.gov, 1
+columbustelegram.com, 1
+columbusunderground.com, 1
+columbuswi.gov, 1
+colwichks.gov, 1
+colwyn.me, 1
+colwynfm.com, 1
+colyakoomusic.com, 1
+com-b.vn, 1
+com-news.io, 1
+com-tic.africa, 1
+com.cc, 1
+com.com.tr, 1
+com.fo, 1
+com4.no, 0
+comactor.com, 1
+comactor.fr, 1
+comagexinvoice.com, 1
+comalia.com, 1
+comanchecountyks.gov, 1
+comanchenationpolice.gov, 1
+comanchetexas.gov, 1
+comanis.fr, 1
+comaporter.com, 1
+comarcadelaranda.tk, 1
+comarch.com, 1
+comarch.es, 1
+comarch.pl, 1
+comarch.ru, 1
+comarkinstruments.cloud, 1
+comarkinstruments.net, 1
+comasystem.dk, 1
+combatix.io, 1
+combattrecellulite.com, 1
+combidarlehen.de, 1
+combineconquer.com, 1
+combineid.com, 1
+combines.world, 1
+combloux.com, 1
+combos-2020.tk, 1
+combron.be, 1
+combron.co.uk, 1
+combron.com, 1
+combron.nl, 1
+combustion.tk, 1
+comcenter.com, 1
+comchezmeme.com, 1
+comcol.nl, 1
+comdirect.de, 1
+comdmedias.fr, 1
+comdotgame.com, 1
+comdurav.com, 1
+come.ga, 1
+come2cook.com, 1
+comealong.org, 1
+comeals.com, 1
+comebookmark.cf, 1
+comebookmark.ga, 1
+comebookmark.ml, 1
+comedimagrire.it, 1
+comedonchisciotte.org, 1
+comedy.co.uk, 1
+comedybox.ro, 1
+comedyhuis.nl, 1
+comedyillusions.com, 1
+comefareper.online, 1
+comelibro.org, 1
+comenc.ddns.net, 1
+comengpt.com, 1
+comenityremediation.com, 1
+comeoishii.com, 1
+comeoneileen.tk, 1
+comeratope.com, 1
+comercialcolombia.tk, 1
+comercialmattos.com, 1
+comercialroxana.com, 1
+comercialtrading.eu, 1
+comeros.be, 1
+comestoarra.com, 1
+comet-pct.com, 1
+comet-xray.com, 1
+comet.eu.org, 1
+comet.tech, 1
+cometbot.cf, 1
+cometcache.com, 1
+comete-electricite.fr, 1
+cometer.co, 1
+cometer.io, 1
+cometonovascotia.ca, 1
+comevius.com, 1
+comevius.org, 1
+comevius.xyz, 1
+comfandivirtual.com.co, 1
+comff.net, 1
+comfintouch.com, 0
+comfis.nl, 1
+comfitsweets.co.uk, 1
+comflores.com.br, 1
+comfort-light.ru, 1
+comfortablelife.tk, 1
+comfriesland.tk, 1
+comfun.net, 1
+comfuzztible.tk, 1
+comfy-court.com, 1
+comfy.cafe, 0
+comfyliving.net, 1
+comhack.com, 1
+comical.ml, 1
+comicbooktreasury.com, 1
+comicborgs.com, 1
+comiccrusaders.com, 1
+comicsans.tk, 0
+comicsanshouse.ddns.net, 1
+comicslate.org, 1
+comicspornos.com, 1
+comicspornow.com, 1
+comicspornoxxx.com, 1
+comicsymanga.com, 0
+comicwiki.dk, 1
+comidasaludablehoy.com, 1
+comidasperuanas.net, 0
+comidina.com, 1
+comingto.icu, 1
+comiq.io, 1
+comistar.ee, 1
+comita.ru, 1
+comita.su, 1
+comitedal974.re, 1
+comiteexpertes.gc.ca, 1
+comitesaustria.at, 0
+comlipa.gq, 1
+comm-works.com, 1
+comm.cx, 1
+commagere.com, 1
+command53.fr, 1
+commandeleven.com, 0
+commander-seo.com, 1
+commanderone.net, 1
+commanderx.cf, 1
+commanderx.ml, 1
+commanderx.tk, 1
+commania.co.kr, 1
+commbox.io, 1
+commboxtest.com, 1
+commco.nl, 1
+commencepayments.com, 1
+commentgagnerdelargentsurlenet.com, 1
+commentjaichangedevie.fr, 1
+comments.app, 1
+commentutiliser.com, 1
+commerce.gov, 1
+commercega.gov, 1
+commercegurus.com, 1
+commercepartnerhub.com, 1
+commercetwpmi.gov, 1
+commercia.srl, 1
+commercial.lviv.ua, 1
+commercialfinancepartners.com, 1
+commercialfundinggroupllc.us, 1
+commercialkitchensusa.com, 1
+commercialstainless.com, 1
+commercialzone.cf, 1
+commercialzone.ga, 1
+commercialzone.ml, 1
+commeunamour.com, 1
+commeunefleche.com, 1
+commfortchat.tk, 1
+commhealthcollab.com, 1
+commissaris-vraagbaak.nl, 1
+commissionagenda.com, 1
+commissionaires.ca, 1
+commissioner.tk, 1
+commitsandrebases.com, 1
+commlabindia.com, 0
+commloan.com, 1
+commonapp.org, 1
+commoncode.com.au, 0
+commoncode.io, 0
+commoncog.com, 1
+commoncore4kids.com, 1
+commongoodit.com, 1
+commongrave.tk, 1
+commoninf.com, 1
+commons-mayflower.tk, 1
+commonsenseamericanpolitics.com, 1
+commonsensedivorce.ca, 0
+commonsenseinactie.nl, 1
+commonstock.com, 1
+commonsubdoc.com, 1
+commonsubdoc.io, 1
+commonvoice.tk, 1
+commonwarest.ga, 1
+commonwealthsl.com, 1
+communalconsulting.org, 1
+communebouteille.org, 1
+communi.biz, 1
+communic.tk, 1
+communicate2lead.com, 1
+communication-services.tk, 1
+communications-major.com, 1
+communiquons.org, 1
+communist-party.tk, 1
+community-mall.com, 1
+community-pro.de, 1
+community-pro.net, 1
+community-services.cz, 0
+communityaligned.com, 1
+communitybangladesh.tk, 1
+communitybridgesaz.org, 1
+communitycodeofconduct.com, 1
+communitycollegereview.com, 1
+communitydirectory.tk, 1
+communitydriving.com, 1
+communityflow.info, 1
+communityfunded.com, 1
+communitylivingalgoma.org, 1
+communityparentsinc.com, 1
+communitypowernh.gov, 1
+communitypreventionpartnership.org, 1
+communote.net, 1
+commuty.net, 1
+commvnion.com, 1
+comnaviosaka.com, 1
+como-se-escribe.com, 1
+comoaliviareldolor.de, 1
+comocomprarumcarro.tk, 1
+comoculosdesol.pt, 1
+comodio.com, 0
+comodo.nl, 1
+comodosslstore.com, 1
+comoentrenarperros.tk, 1
+comogene.com, 0
+comohacerblog.net, 1
+comohacerpara.com, 1
+comoimportar.net, 1
+comomoraremportugal.ga, 1
+comomurio.info, 1
+comoperdonar.tk, 1
+comoreconquistaroex.com, 1
+comorecuperaratumujerpdf.com, 1
+comosecarabarriga.com, 1
+comosediceesto.com, 1
+comoseduzir.net, 1
+comosefazisto.com.br, 1
+comosehace.online, 1
+comovenderpelowhatsapp.com.br, 1
+comoviajarcontumascota.com, 1
+comp4u.de, 1
+compact.pt, 0
+compactador-vendetta.tk, 1
+compagnidimerenda.tk, 1
+compagniecoupable.fr, 1
+compagniedesateliers.com, 1
+compagniedesvoyageurs.com, 1
+compagniemartin.com, 0
+compalliance.com, 1
+companion-web.net, 1
+company-bike.com, 1
+company-info-plugins.nl, 1
+companyaneksta.tk, 1
+companycam.com, 1
+companycleaninghome.com, 1
+comparai.com.br, 1
+comparatif-moto.fr, 1
+compare-energie.fr, 1
+compareairfaredeals.com, 1
+compareandrecycle.co.uk, 0
+compareceleb.com, 1
+compareer.com, 1
+compareleasedlines.co.uk, 1
+comparemymobile.com, 1
+comparendossimit.com, 0
+compareshow.com, 1
+comparesoft.com, 1
+comparetheproject.com, 1
+comparewatch.com, 1
+compareweddinginsurance.org.uk, 1
+comparexcloudcenter.com, 1
+comparic.pl, 1
+compartirtrenmesaave.com, 1
+compassbest.com, 1
+compassdirectportal.com, 1
+compassfinance.com, 1
+compassintladv.com, 1
+compassionandchoices.org, 0
+compassionate-biology.com, 1
+compasslos.com, 1
+compassregroup.com, 1
+compdermcenter.com, 1
+compdev.ru, 1
+compelloid-staging-client-b2c.azurewebsites.net, 1
+compensadosbello.com.br, 1
+compeon.de, 1
+competencyassessment.ca, 1
+competis.cf, 1
+competitor.com, 1
+compeuphoria.com, 1
+compibus.fr, 1
+compilenix.org, 0
+complaint.tk, 1
+complang.se, 1
+complasplasticos.com.br, 1
+compleet.com, 1
+complete-concrete-concise.com, 1
+complete-privacy.tk, 1
+completeanon.tk, 1
+completecareair.com, 1
+completecase.com, 1
+completecomps.au, 1
+completecontrol.tk, 1
+completed.com, 1
+completehub.com, 1
+completeonlinepharmacy.com, 1
+completeprivacy.tk, 1
+completesecurityessex.co.uk, 1
+completesecurityessex.com, 1
+completewordsest.ga, 1
+complex-kaspiy.tk, 1
+complex-news.com, 1
+complex-organization.com, 1
+complexart.ro, 1
+complexcoral.ro, 1
+complexorganization.com, 1
+complexsystems.fail, 1
+compliance-risk.com, 1
+compliance-systeme.de, 1
+compliancebox.co, 1
+compliancedictionary.com, 1
+complianceinsight.ca, 1
+compliancerisksoftware.co.uk, 1
+complianz.io, 1
+compliment.cf, 1
+complt.xyz, 1
+complyadvantage.com, 1
+complycheck.co, 1
+complyportal.uk, 1
+componentcore.com, 1
+composersforum.org, 1
+composite-isfahan.ir, 1
+compositedevtec.tk, 1
+compostelle-bouddha.fr, 1
+compoundc.eu, 1
+compra-deuna.com, 1
+compraapartamentomoema.com.br, 1
+comprachida.com, 1
+compraenpijama.com, 1
+comprafasil.com, 1
+comprajuguete.com, 1
+comprando.tk, 1
+compraporinternet.online, 1
+comprar.club, 1
+comprarefiereygana.com, 1
+comprarpapelhigienico.online, 1
+comprascuba.online, 1
+comprauncelular.com, 1
+comprax.nl, 1
+comprebrindes.com.br, 1
+compree.com, 1
+comprehensiveihc.com, 1
+compressor.io, 1
+comprising.de, 1
+comprofacil.es, 1
+compromis-promesse-vente.fr, 1
+compservice.in.ua, 1
+comptoir-hardware.com, 1
+comptoirducycle.com, 1
+comptonslespetitescroix.tk, 1
+comptrollerofthecurrency.gov, 1
+comptu.com, 1
+compu-ofertas.tk, 1
+compubench.com, 1
+compucastell.ch, 1
+compucorner.mx, 1
+compucorner.tk, 1
+compudoc.tk, 1
+compunet.biz, 1
+compunetics.com, 1
+compunetix.com, 1
+compusrit.tk, 1
+compustore.pe, 1
+compustuff.tk, 1
+computec.ch, 1
+computechcorp.com, 1
+computel.nl, 0
+computer-acquisti.com, 1
+computer-forensics-recruiter.com, 1
+computer-kleinmachnow.de, 1
+computer-menschen.de, 1
+computer-science-schools.com, 1
+computer-service-24.de, 1
+computer-service.ch, 1
+computer-world.pro, 1
+computer-worlds.tk, 1
+computer4me.tk, 1
+computeradvance.tk, 1
+computerandaccessories.com, 1
+computerbas.nl, 1
+computerbase.de, 1
+computerforum.tk, 1
+computerforums.net, 1
+computerhelpbutton.com, 1
+computerhilfe-feucht.de, 1
+computerinfobits.com, 1
+computerjet.ru, 1
+computernerd.es, 1
+computernetwerkwestland.nl, 1
+computernetwork.be, 1
+computerpackages.com, 1
+computerpoint.net, 0
+computerscience.guide, 1
+computersforlearning.gov, 1
+computersneversleep.art, 1
+computersoftware.tk, 1
+computersolutions.cn, 1
+computersystems.guru, 0
+computertechreviews.com, 1
+computerthings.net, 1
+computertips.tk, 1
+computerwerk.org, 1
+computexrio.com, 1
+computime.com, 1
+computing.land, 1
+computingaustralia.com.au, 1
+computingaustralia.group, 1
+computingessentials.tk, 1
+computingsociety.co.uk, 1
+computingwarehouse.com, 1
+computop.com, 1
+computron.ga, 1
+compuvate.com, 1
+comquadro.com.br, 1
+comquestmed.com, 1
+comradesofmight.tk, 1
+comsoli.com.br, 1
+comsolibrasil.com.br, 1
+comswp.com, 1
+comtex.com.au, 1
+comtois.hk, 1
+comumlab.org, 1
+comunal.co, 1
+comunate.com, 1
+comune.palermo.it, 1
+comunic.io, 1
+comunicat.global, 1
+comunicazionenellaristorazione.it, 1
+comunidadmontepinar.es, 1
+comunidadreparando.com, 1
+comunidadvegetariana.com, 1
+comuniondelucia.com, 1
+comunismo.tk, 1
+comunistas.tk, 1
+comunitas.com, 1
+comunitateonline.tk, 1
+comunityflashgame.cf, 1
+comvert.com, 1
+comw.cc, 1
+comwwwcomcom.com, 1
+comyuno.com, 0
+con-ca.jp, 1
+con-con.nl, 1
+con-vivencia.es, 1
+conall.io, 1
+conalpedis.tk, 1
+conbida.co, 1
+conbrio.tk, 1
+concealoutfitters.com, 1
+concellodoparamo.tk, 1
+concepcion-futbol-club.tk, 1
+concept-web.ch, 0
+concept4photography.com, 1
+concept5.co.il, 1
+conceptatelier.de, 1
+conceptec.de, 1
+conceptfoundation.org, 1
+conceptground.com, 1
+conceptual.ga, 1
+concern.cloud, 1
+concert.ga, 1
+concertcrushers.ga, 1
+concertparkingest.ga, 1
+concerts-metal.ch, 0
+concertsenboite.fr, 1
+concertsponent.tk, 1
+concertsto.com, 1
+conciencianimal.tk, 1
+concierge.diet, 1
+conciertoscolombia.tk, 1
+concilioderivendel.tk, 1
+conciliumnotaire.ca, 1
+conclave.gq, 1
+conclave.rocks, 1
+conclave.tk, 1
+conclude.ga, 1
+conclusion.nl, 0
+conclusive.co.za, 1
+concor.ne.jp, 1
+concord.sh, 1
+concordance.bible, 1
+concrefy.com, 1
+concretedreamsoftexas.com, 1
+concretehermit.com, 0
+concretemachines.be, 1
+concretepressurewashing.com, 1
+concreterepairatlanta.com, 1
+concreterepairconcreteleveling.com, 1
+concreterepairconcreteraising.com, 1
+concreteworksohio.com, 1
+concreteworksplus.com, 1
+concurseirosdeplantao.com.br, 1
+concursocultural.com.br, 0
+concursos.com.br, 1
+concursosabertos.com.br, 1
+concursuri.biz, 0
+condemnity.net, 1
+condenast.co.uk, 1
+condensacion.com, 1
+condictor.pl, 1
+condignum.com, 1
+condit.cf, 1
+condit.gq, 1
+condit.ml, 1
+conditionyellowacademy.com, 1
+condizionatore.roma.it, 1
+condo.do, 1
+condolencemessages.net, 1
+condominiosi.it, 1
+condominioweb.com, 1
+condonescadistas.tk, 1
+condonline.app.br, 1
+condosforcash.com, 1
+condroz-motors.be, 0
+coneall.com, 1
+conectada.tk, 1
+conectadev.com, 1
+conectens.com, 1
+conectumfinanse.pl, 1
+conejicos.tk, 1
+conejovalleyelectrical.com, 1
+conejovalleyelectrician.com, 1
+conejovalleyexteriorlighting.com, 1
+conejovalleylandscapelighting.com, 1
+conejovalleylighting.com, 1
+conejovalleyoutdoorlighting.com, 1
+coneo.eu, 1
+coneser2gl.com, 1
+conesin.com, 1
+conews.ml, 1
+conexionok.com, 1
+conexiontransporte.com, 1
+conexionvegana.com, 1
+conexresearch.com, 1
+coney.tk, 1
+conf.tn, 1
+confer.ch, 1
+conference-expert.eu, 1
+conference.cafe, 1
+conference.dnsfor.me, 1
+conferencemanager.ch, 1
+conferencemanager.co.uk, 1
+conferencemanager.de, 1
+conferencemanager.dk, 1
+conferencemanager.es, 1
+conferencemanager.fr, 1
+conferencemanager.lt, 1
+conferencemanager.lv, 1
+conferencemanager.nl, 1
+conferencemanager.se, 1
+conferencemanager.uk, 1
+conferencemanager.us, 1
+conferencemanagerpro.com, 1
+conferencemonkey.org, 1
+conferenciaepiscopal.es, 1
+confettidogs.com, 1
+confia.co.cr, 1
+confianza.pe, 1
+confidentielsn.com, 1
+confidentliving.gq, 1
+confidentliving.tk, 1
+config.schokokeks.org, 1
+configcat.com, 1
+configpoint.group, 1
+configserverfirewall.com, 1
+configurat.cf, 1
+configurat.tk, 1
+configwizard.xyz, 1
+confio.gmbh, 0
+confio.pt, 1
+confirmit.ca, 1
+confirmit.com.au, 1
+confirmit.de, 1
+confiscate.ga, 1
+confiscation.tk, 1
+confiwall.de, 1
+conflictspecialist.com, 1
+conflidentliving.cf, 1
+confluent.cloud, 1
+conformal.group, 1
+conformat.com, 1
+conformax.com.br, 1
+conformist.jp, 1
+conformitykills.tk, 1
+confort-bebe.fr, 1
+confort-sante.com, 1
+conftree.com, 1
+confucio.cl, 1
+confused.com, 1
+confusion-band.ch, 1
+confygo.com, 1
+congafasdesol.com, 1
+congdongnhatviet.com, 0
+congelado.tk, 1
+congelationpunaisedelit.com, 1
+congenio.com, 0
+congenio.de, 0
+congineer.com, 1
+congnghe.so, 1
+congoproject.tk, 1
+congregacionmitacol.org, 0
+congresistas-ap.tk, 1
+congresodermatologia2019.com, 1
+congressmankirk.com, 1
+congresso.tk, 1
+congye.com, 1
+coniectoinvestments.com, 1
+coniglione.tk, 1
+conju.cat, 0
+conjugacao.com.br, 1
+conjunctions.com, 1
+conjurer.tk, 1
+conjurosamarresytrabajosespirituales.com, 1
+conjurosyhechizosfuertes.com, 1
+conkret.ch, 1
+conkret.co.uk, 1
+conkret.eu, 1
+conkret.mobi, 1
+conmatic.tk, 1
+connect-ed.network, 1
+connect-me.com, 1
+connect.facebook.net, 1
+connect.gov, 1
+connect.net.pk, 1
+connecta.store, 1
+connectaimpianti.it, 1
+connectall.tk, 1
+connectavid.com, 1
+connectedbynexus.com, 1
+connectedinvestors.com, 1
+connectedmind.me, 1
+connectfss.com, 1
+connecticare.com, 1
+connecticutnet.tk, 1
+connectika.io, 1
+connecting-software.com, 1
+connectingcultures.dk, 1
+connectingrentals.com, 1
+connectingup.org, 1
+connection-sggz.nl, 1
+connectionplanet.nl, 1
+connectionstrings.com, 1
+connective.com.au, 1
+connectivia.it, 0
+connectivityinnovationnetwork.com, 1
+connectivityparty.tk, 1
+connectmath.com, 1
+connectme.com.mx, 1
+connectmy.car, 1
+connectnow.nl, 1
+connecto.group, 1
+connectthedoc.com, 1
+connectto.com, 1
+connectum.eu, 1
+connectusa.com, 0
+connelink.fr, 1
+connell.co.nz, 1
+conner.work, 1
+conneropticals.ga, 1
+connexas.eu, 1
+connexio.digital, 1
+connext.de, 1
+connictro.de, 1
+connies-diner.de, 1
+conniesacademy.com, 1
+connor.nl, 1
+connorhatch.com, 1
+connorjc.io, 1
+connorlim.net, 1
+connornoddin.com, 1
+conntrack.com, 1
+connyandthecrazydogs.com, 1
+connyduck.art, 0
+connyduck.at, 1
+conocchialidasole.it, 1
+conocedordigital.com, 1
+conoha.vip, 1
+conorboyd.info, 1
+conorjwryan.com, 1
+conory.com, 1
+conotoxia.com, 1
+conova.com, 1
+conpins.nl, 1
+conpsy.ro, 1
+conpulpademanzana.es, 1
+conpunk.tk, 1
+conqi.net, 1
+conque.sk, 1
+conquistar30dias.com.br, 1
+conrad-kostecki.de, 1
+conrad.am, 1
+conradcartagena.com, 1
+conradkostecki.de, 1
+conradkroencke.com, 1
+conrads.it, 1
+conrail.blue, 1
+conrasd.tk, 1
+conrazon.me, 1
+consagracionamariasantisima.org, 1
+conscia.com, 1
+consciente.ch, 1
+consciente.ngo, 1
+consciente.ong, 1
+conscientia.com.mx, 1
+consegnafioridomicilio.net, 1
+consegne.it, 1
+conseildesarts.ca, 1
+conseils-immo.fr, 1
+consejoescolardecanarias.org, 1
+conselljoventutillesbalears.org, 1
+consens.us.org, 1
+consensoprivacy.it, 1
+consertodeeletrodomesticosembh.com, 1
+conservadoraembh.com.br, 1
+conservaschato.com, 1
+conservationfreedivers.com, 1
+conservationgeography.com, 1
+conserviengenharia.com.br, 1
+consiglidisalute.com, 1
+consilio.com, 1
+consilium-ifa.co.uk, 1
+consilium-vitae.ch, 1
+consiliumvitae.ch, 1
+consill.com, 1
+consoe.com, 1
+console.rest, 1
+consolemania.com, 1
+consoletech.tk, 1
+consoleuniverse.tk, 1
+consolezone.tk, 1
+consommation-locale.fr, 1
+consonare.de, 1
+consoom.soy, 1
+consorcionacionalideal.com.br, 1
+consortium.chat, 1
+consortiumhealthplans.com, 1
+consorzio.org, 1
+conspiracionweb.tk, 1
+conspiracy.gq, 1
+conspiracytheorypal.com, 1
+conssales.com, 1
+constablevilleny.gov, 1
+constant-rough.de, 1
+constant.ga, 1
+constantinocontabilidade.com, 1
+constantinschreiber.me, 1
+constcorrect.com, 1
+constellatio.com, 1
+constellationinternational.ml, 1
+constellations.ga, 1
+constern.de, 1
+consteval.org, 1
+constexpr.org, 1
+constinit.org, 1
+constipationrecords.tk, 1
+constitution.website, 0
+constru-vegas.com.mx, 1
+construccionesceyve.com, 1
+construct.net, 1
+constructexpres.ro, 1
+construction-colleges.com, 1
+construction-digitale.fr, 0
+construction-group.ga, 1
+constructionstudent.uk, 1
+constructive.men, 1
+constructoraisaba.com, 1
+construguia.co, 1
+construred.tk, 1
+construyetuempresa.com, 1
+consul-coton.ru, 1
+consul-novocherkassk.ml, 1
+consul.io, 0
+consuldat.com, 1
+consulenteambientale.it, 1
+consulentedellavoro.it, 1
+consulenza.pro, 1
+consulplan.net, 1
+consult-altius.co.uk, 1
+consultadepsicoterapia.com, 1
+consultancyistanbul.com, 1
+consultation.ai, 1
+consultation.biz.tr, 1
+consultimator.com, 1
+consultimedia.de, 1
+consulting-brokerage.tk, 1
+consultinghero.es, 1
+consultinghouse.tk, 1
+consultinghousenet.tk, 1
+consultingnurseest.ga, 1
+consultor.marketing, 1
+consultoresrey.cl, 1
+consultoriaandrade.com.br, 1
+consultoriadeseguranca.com.br, 1
+consultoriadigital.pt, 1
+consultoriosodontologicos.com.br, 1
+consultorseobr.com.br, 1
+consultpetkov.com, 1
+consultum.com, 1
+consulvation.com, 1
+consumer.ee, 1
+consumer.gov, 1
+consumer.gov.au, 1
+consumer.gq, 1
+consumer.org.nz, 1
+consumeraction.gov, 1
+consumerattorneys.com, 1
+consumerbureau.gov, 1
+consumerdatastandards.gov.au, 1
+consumerfiles.com, 1
+consumerfinance.gov, 1
+consumerfinancial.gov, 1
+consumerfinancialbureau.gov, 1
+consumerfinancialprotectionbureau.gov, 1
+consumerindex.ga, 1
+consumerlaw.gov.au, 1
+consumerprotection.gov, 1
+consumerprotectionbureau.gov, 1
+consumersentinel.gov, 1
+consumertesting.com, 1
+consumidor.gov, 1
+consumptionjunction.com, 1
+consuwijzer.nl, 1
+consyltec.de, 1
+contabilidadebhpampulha.com.br, 1
+contabilidadebrooklin.com.br, 1
+contabilidademassarelli.com.br, 1
+contact-checker.tk, 1
+contact.inc, 1
+contact.xyz, 1
+contactaffix.com, 1
+contactangle.com, 1
+contactbadger.com, 1
+contactelus88.fr, 1
+contactlimo.com, 1
+contactmcr.com, 0
+contactme.cards, 1
+contactsrl.it, 1
+contadorespublicos.co, 1
+contagiousaf.com, 1
+contailor.de, 1
+contalbi.pt, 1
+contaminatie.nl, 1
+contango.xyz, 1
+contato.vip, 1
+contemplativeeducation.org, 1
+contemptevoke.com, 1
+contenedoresdereciclaje.online, 1
+contenized.com, 0
+contentmaaksters.nl, 1
+contentmarathon.com, 1
+contentq.nl, 1
+contents.ga, 1
+contermis.com, 1
+contessa32experience.com, 0
+contestreviewest.ga, 1
+contextolog.cf, 1
+conti-profitlink.co.uk, 1
+continental-landscapes.co.uk, 1
+continuernom.tk, 1
+continuousinksupplysystem.com.au, 1
+continuum.memorial, 0
+continuum.sbs, 1
+continuumdesign.net, 1
+continuumm-tech.com, 1
+contiprint.com.ec, 0
+contortion.tk, 1
+contos.cz, 1
+contotudo.online, 1
+contrabass.net, 1
+contracostacr.gov, 1
+contracostacre.gov, 1
+contracostavote.gov, 1
+contractalerters.ga, 1
+contractdigital.co.uk, 0
+contractdirectory.gov, 1
+contractormountain.com, 1
+contractorswestga.com, 1
+contractstore.com, 1
+contractwriters.com, 1
+contrafactos.tk, 1
+contralaespeculacioninmobiliaria.tk, 1
+contrarianoutlook.com, 1
+contrarreforma.tk, 1
+contraspin.co.nz, 1
+contrastchecker.online, 1
+contrastecolombia.com, 1
+contrastly.com, 1
+contrastsecurity.com, 1
+contratderatisation.com, 1
+contratti.it, 1
+contrebande-metz.fr, 1
+contreraslandscaping.com, 1
+contributopia.org, 1
+contributor.google.com, 1
+contro.cf, 1
+contro.ga, 1
+contro.gq, 1
+contro.ml, 1
+contro.tk, 1
+controlautocom.com.br, 1
+controlbooth.com, 1
+controld.com, 1
+controle-exportations.fr, 1
+controle-technique-ales.fr, 1
+controlecelular.com.br, 1
+controleer-maar-een-ander.nl, 1
+controleert.nl, 1
+controlewiki.be, 1
+controlit.eu, 1
+controllertech.com, 1
+controlpad.com, 1
+controlpro.mx, 1
+controlshiftlabs.com, 1
+controltvpodcast.tk, 1
+controlup.com, 1
+controlvisitas.com.mx, 1
+controsoffitti.milano.it, 1
+controversialrisks.com, 1
+controversialrisks.se, 1
+contucara.tk, 1
+contuestilo.tk, 1
+contunda.de, 0
+conv2pdf.com, 1
+convecteurs.net, 1
+convent-mensing.de, 1
+convergence.fi, 1
+convergencela.com, 1
+convergent.tn, 1
+convergnce.com, 1
+conversationexchange.com, 1
+conversatis.cf, 1
+conversechucktaylor.us, 1
+converser.tk, 1
+conversionsciences.com, 1
+convert.im, 1
+convert.io, 1
+convert2sql.com, 1
+converter.ml, 1
+convertire-documenti.it, 1
+convertkit.com, 1
+convertr.io, 1
+convexic.com, 1
+conveyance.pro, 1
+convicted-driver-insurance.com, 1
+conviction.org.uk, 1
+convierteenabudancia.com, 1
+convocatoriafundacionpepsicomexico.org, 0
+convoluted.solutions, 1
+convoyin.com, 1
+conwaymedicalcenter.com, 1
+conwaymi.gov, 1
+conwaypdnh.gov, 1
+conwayregional.org, 0
+conwaysc.gov, 1
+conwood.best, 1
+conxcon.de, 1
+cooalliance.com, 1
+coochiehacks.io, 1
+coocook.org, 1
+cooferro.tk, 1
+cooink.net, 0
+cook-maestro.com, 1
+cook.gg, 1
+cookcountyclerkil.gov, 1
+cookcountysheriffil.gov, 1
+cookescastles.co.uk, 1
+cookgem.com, 1
+cookicons.co, 1
+cookie-directive.cf, 1
+cookie4.com, 1
+cookieandkate.com, 1
+cookiecorner.com, 1
+cookiecrook.com, 1
+cookiedatabase.org, 1
+cookielaw.org, 1
+cookiepedia.co.uk, 1
+cookiepro.com, 1
+cookiesmoquirida.com.br, 1
+cookiesoft.de, 1
+cookiestudies.cf, 1
+cooking-food.cf, 1
+cookingandme.com, 1
+cookingbooks.es, 1
+cookingcrusade.com, 1
+cookingiseasy.tk, 1
+cookingperfected.com, 1
+cookingperformancegroup.com, 1
+cookingreporter.com, 1
+cookinsumos.com, 1
+cooko.at, 1
+cooks.house, 1
+cooksite.tk, 1
+cooktoprepairaustin.com, 1
+cookwithmanali.com, 1
+cool-parties.co.uk, 1
+cool-wallpapers.jp, 1
+cool110.tk, 1
+cool110.xyz, 1
+coolabaroo.com.au, 1
+coolagent-dokumenty.cz, 1
+coolansplanet.com, 1
+coolattractions.co.uk, 1
+coolblockschool.org, 1
+coolboys.ga, 1
+coolcamping.com, 1
+coolcloud.tk, 1
+coolcomputers.info, 1
+cooldan.com, 1
+cooldomains.tk, 1
+cooldown.club, 1
+coole-fete.de, 1
+coolefehler.de, 1
+coolerssr.space, 1
+coolexpo.com, 1
+coolfilm.cf, 1
+coolgeography.co.uk, 1
+coolgifs.de, 1
+coolink.pub, 1
+cooljs.me, 1
+cooljv.com, 1
+coolkidsbouncycastles.co.uk, 1
+coolkidsparty.nl, 1
+coolleader.com, 1
+coolmath.cf, 1
+coolpi.nl, 1
+coolplus.com, 1
+coolprylar.se, 1
+cools.tech, 1
+coolsculptingmanhattanbeach.com, 1
+coolshirt.tk, 1
+coolsochi.ru, 1
+coolsoftware.tk, 1
+coolspeak.com, 1
+cooltang.ooo, 1
+coolulder.net, 1
+coolutils.com, 1
+coolvox.com, 1
+coolweirdfacts.ga, 1
+coombsinc.com, 1
+coomer.su, 1
+coomonte.tk, 1
+coonelnel.net, 1
+coonlink.fun, 1
+coop-land.ru, 1
+coop.com.py, 1
+coopal.jp, 1
+coopcityinfo.com, 1
+coopcoa.pt, 1
+coopemep.live, 0
+cooperativecogohio.gov, 1
+coopercity.gov, 1
+coopercityfl.gov, 1
+coopermais.tk, 1
+coopsoc.com.au, 1
+coor.info, 1
+coordonnees-gps.fr, 1
+coore.jp, 1
+coorpacademy.com, 1
+coosbayor.gov, 1
+cooznacza.pl, 1
+copa.cf, 1
+copabarena.tk, 1
+copacabanafc.tk, 1
+copadata.be, 1
+copasulassessoria.com.br, 1
+copdfoundation.org, 1
+copdrop.ga, 1
+cope.finance, 1
+copedeportes.tk, 1
+cophumouraustralia.com, 1
+copiermarket.com, 1
+copiisiparinti.ro, 1
+copilotgps.com, 1
+copilotpro.com, 1
+coppelmansmakelaardij.nl, 1
+copper.co, 1
+copperart.ca, 1
+copperexports.tk, 1
+copperheados.com, 1
+copperlantern.tk, 1
+coppermein.co.za, 1
+coppermine-kickers.tk, 1
+copperplate.tk, 1
+coppidesentupidora.com.br, 1
+coproduzindo.com.br, 1
+coprotag.com, 1
+coprotag.fr, 1
+coptkm.cz, 1
+copurhoca.com, 1
+copybysophie.com.au, 1
+copycats.tk, 1
+copycaught.co, 1
+copycaught.xyz, 1
+copycenter.cf, 1
+copycrafter.net, 1
+copyfast.cf, 1
+copygeneral.pl, 1
+copyhandler.com, 1
+copymundo.cr, 1
+copypoison.com, 1
+copyright-watch.org, 1
+copyright.gov, 1
+copyrightclaimsboard.gov, 1
+copyrightcoins.com, 1
+copyrightcoins.help, 1
+copyrighted.com, 0
+copyrighter.tk, 1
+copyrightforabout.tk, 1
+copyrightservice.co.uk, 1
+copyshrug.ca, 1
+copysyncest.ga, 1
+copytext.ml, 1
+copywriting-on-demand.tk, 1
+coral-study.eu, 1
+coral.tech, 1
+coralenergy.gr, 1
+coralpress.com, 1
+coralreef.blue, 1
+coralreef.tk, 1
+coralsprings.gov, 1
+coralspringsfl.gov, 1
+coramdeoclassical.com, 1
+corarain.me, 1
+coratxa.tk, 1
+corazoncaliente.tk, 1
+corazondemelon.es, 1
+corbax.com, 1
+corbettparadise.com, 1
+corbi.net.au, 1
+corbuloacademyofmilitaryscience.com, 1
+corbusier.gq, 1
+corcoranmn.gov, 1
+cord-blood.tk, 1
+cordeirosolutions.ga, 1
+cordejong.nl, 0
+cordelia.tk, 1
+cordemar.info, 1
+corder.tech, 1
+corderosa.tk, 1
+corderoscleaning.com, 0
+cordeydesign.ch, 0
+cordis.io, 1
+cordlessdog.com, 1
+corduroyproducts-velvetjackets.tk, 1
+core-concepts.de, 0
+core-networks.de, 1
+core.md, 1
+core.mx, 1
+core.org.pt, 1
+core300.org, 1
+core3k.biz, 1
+core3k.com, 1
+core3k.info, 1
+core3k.mobi, 1
+core3k.net, 1
+core3k.org, 1
+core3k.us, 1
+coreapm.com, 1
+coreapm.org, 1
+corebit.nl, 1
+corecapital.cz, 1
+corecdn.org, 1
+corecore.com, 1
+cored.al, 1
+coredna.com, 1
+coredns.rocks, 1
+coredrive.com, 1
+coredroid.com, 1
+corefy.com, 1
+coreg.tk, 1
+corehealthberks.com, 1
+corehealthcare.com.au, 1
+corelationinc.com, 1
+coreless-initiative.net, 1
+coremcnetwork.ml, 1
+coremicro.com, 1
+coremove.tk, 1
+corentin-et-rosalie.fr, 1
+corepacks.tk, 1
+corepartners.com.ua, 1
+corephysicians.org, 1
+corerad.net, 1
+corescientific.com, 1
+coresos.com, 1
+corestack.io, 1
+coresystems.hu, 1
+coretechnology.ie, 1
+coretema.eu, 1
+coreum.ca, 1
+coreup.de, 1
+corevetconnect.co.uk, 1
+corexpert.com, 1
+coreyjmahler.com, 1
+coreylmartin.com, 1
+corfuny.gov, 1
+corgal.com, 1
+corgi.party, 1
+corgiaspets.com, 1
+corgiclub.art, 1
+corgspace.com, 1
+corhellemons.tk, 1
+cori.tk, 1
+coribi.com, 1
+corima.it, 1
+corinastefan.ro, 1
+corinnanese.de, 1
+corinsamsterdam.com, 1
+corintech.net, 1
+corinthfilms.com, 1
+coriolis.ch, 1
+corisu.co, 1
+corkcityfc.tk, 1
+corkedwinebar.com, 1
+corky.tk, 1
+corleoncatering.com, 1
+corlija.com, 1
+corlinde.nl, 1
+cormed-heverlee.tk, 1
+corn.az, 1
+cornday.org, 1
+cornel1801.com, 1
+cornelia-kaufmann.tk, 1
+corner-cabinets.tk, 1
+corner-marburg.de, 1
+corneranimal.com, 1
+cornercafe.tk, 1
+cornercircle.co.uk, 1
+cornergarage.coop, 0
+cornerperk.com, 1
+cornerstone.network, 1
+cornerstone.photography, 1
+cornerstone.rocks, 1
+cornerstoneefree.org, 1
+cornerstonefoundationrepairllc.com, 1
+cornerstonenorthwest.com, 1
+cornertoyshop.ga, 1
+corniche.com, 1
+corningcu.org, 1
+cornips.nl, 1
+cornitek.tk, 1
+cornmachine.com, 1
+cornodo.com, 1
+cornut.fr, 1
+cornwallct.gov, 1
+cornwallda.co.uk, 1
+coroas10.tk, 1
+coroimagen.tk, 1
+corona-data.eu, 1
+corona-renderer.cloud, 1
+corona-renderer.com, 1
+corona-stats.online, 0
+coronacheck.nl, 1
+coronasafe.network, 1
+coronastationphotography.com, 1
+coronatestalmere.nl, 1
+coronavaccinatiedatum.nl, 1
+coronavirus-19.es, 1
+coronavirus-journal.fr, 1
+coronavirus.de, 1
+coronavirus.gov, 1
+coronavirusfortbend.gov, 1
+coronavirustesting.gov, 1
+coronersconnect.co.uk, 1
+cororocierodebelen.tk, 1
+corovan.com, 1
+corp.goog, 1
+corpfin.net, 1
+corpheuss.ga, 1
+corpio.nl, 1
+corplex.com, 1
+corpoflow.nl, 1
+corpomotriztokio.com, 1
+corpora.ga, 1
+corpora.tk, 1
+corporate-advisory.com, 1
+corporate-electric.ky, 1
+corporateclash.net, 1
+corporateclubaustralia.com.au, 1
+corporatecompany.cz, 1
+corporatecomputingsolutions.com, 1
+corporategift.com, 1
+corporatehitech.com.au, 1
+corporateinbound.com, 1
+corporatevisions.com, 1
+corporativoarval.info, 1
+corposeditora.tk, 1
+corpsepaint.life, 1
+corpulant.coffee, 1
+corpulantcoffee.com, 1
+corpulent.coffee, 1
+corpulentcoffee.com, 1
+corpus-hermeticum.pl, 1
+corpuschristisouthriver.org, 1
+corpuschristitx.gov, 1
+corpusslayer.com, 1
+corr-met.pl, 1
+corrales-sanchez.tk, 1
+correct.cf, 1
+correctconstructions.com.au, 1
+correcthorse.cf, 1
+correcthorse.pw, 1
+correctionalofficer.org, 1
+correctionalofficeredu.org, 1
+correctiv.org, 1
+correctlydesign.com, 1
+corrector.com.ua, 1
+corredorampr.com, 1
+correo-e.mx, 1
+correo.club, 1
+correotemporal.org, 1
+correspond.gq, 1
+correspondent.ga, 1
+corrick.io, 1
+corride.at, 1
+corridorsands.com.au, 1
+corriere.roma.it, 1
+corrieresalentino.it, 1
+corrigan.xyz, 1
+corrupt-republicans.com, 1
+corruptcatz.com, 1
+corruptos.tk, 1
+corry-new.cloud, 1
+cors-proxy.cf, 1
+corsa-b.uk, 1
+corsac.nl, 1
+corsectra.com, 1
+corsepro.com, 1
+corservsolutions.com, 1
+corsetacademy.tk, 1
+corsi.tk, 1
+corsica.ovh, 1
+corsicalaw.com, 1
+corsicanatx.gov, 1
+corsihaccpsicurezzalavoro.it, 1
+corsisicurezza.it, 1
+corso.cf, 1
+corsohaccp.roma.it, 1
+corsorspp.roma.it, 1
+cortadoradeplasma.online, 1
+cortadorplasma.com, 1
+cortapelos.site, 1
+corte.tk, 1
+cortealcastello.it, 1
+cortege.cf, 1
+cortemadera.gov, 1
+cortep.fr, 1
+cortestesisat.net, 1
+cortex-development.de, 1
+cortezco.gov, 1
+cortezsanitation.gov, 1
+corthouts.pl, 1
+cortino.ga, 1
+cortis-consulting.ch, 1
+cortizo.com.ar, 1
+cortizocampillo.com.mx, 1
+cortlandcountyny.gov, 1
+cortlandreview.com, 1
+cortlandvoice.com, 1
+cortonaeranieri.com.br, 1
+corum.fr, 1
+corus-xuam.eu, 1
+corus.lt, 1
+corvaglia.com, 1
+corvax.kiev.ua, 1
+corvetto.tk, 1
+corvus.eu.org, 1
+corvuscorax.info, 1
+coryadum.com, 1
+coryellcountytx.gov, 1
+corykoz.com, 1
+coryluba.com, 1
+corytennison.net, 1
+cos.rent, 1
+cosasnuevas.tk, 1
+cosasque.com, 1
+cosavederein1giorno.it, 1
+cosavederein5giorni.it, 1
+cosec.cn, 0
+coshima.cf, 1
+coshima.ga, 1
+coshima.gq, 1
+coshima.tk, 1
+cosirex.com, 1
+coskun.tk, 1
+coslinker.com, 0
+cosmasiakraft.tk, 1
+cosmatic.it, 1
+cosmeagardens.com, 1
+cosmekaitori.jp, 0
+cosmetic-pack.com, 1
+cosmetic-surgery-prices.co.uk, 1
+cosmeticasimple.com, 1
+cosmeticenter.com.br, 1
+cosmeticosdelivery.com.br, 1
+cosmeticosfuerth.de, 1
+cosmeticosnet.com.br, 1
+cosmeticosprofissionais.com.br, 1
+cosmeticsurgeon.ga, 1
+cosmetify.com, 1
+cosmetiq.tk, 1
+cosmetix-ndsf.fr, 1
+cosmiatria.pe, 1
+cosmic-relations.co.jp, 1
+cosmic-service.com, 1
+cosmicdrifters.com, 1
+cosmichpc.com, 1
+cosmichpc.systems, 1
+cosmick9.net, 1
+cosmicnetworks.cf, 1
+cosmictourist.de, 1
+cosmicworlds.mobi, 1
+cosmocode.de, 1
+cosmodacollection.com, 1
+cosmohit.ua, 1
+cosmohost.info, 0
+cosmohosting.site, 1
+cosmoiler.com, 1
+cosmonaut.tk, 1
+cosmos-indirekt.de, 1
+cosmos-ink.net, 1
+cosmos-software.tk, 1
+cosmoschaos.net, 1
+cosmosdogbakery.com, 1
+cosmosearch-azerbaijan.tk, 1
+cosmosenalerta.tk, 1
+cosmosmkt.com.mx, 1
+cosmoz.ga, 1
+cosms.com, 1
+cosmundi.de, 1
+cosmv.org, 1
+cosni.co, 1
+cosos.gov, 1
+cosplayer.com, 1
+cosplaygif.com, 1
+cospol.ch, 0
+cosset.com.tw, 1
+costa-ballena.tk, 1
+costablancavoorjou.com, 1
+costalinux.tk, 1
+costarellos.com, 1
+costaricanvillas.com, 1
+costazulinmobiliaria.com, 1
+costco.co.jp, 1
+costco.co.kr, 1
+costco.co.nz, 1
+costco.co.uk, 1
+costco.com.au, 1
+costco.com.mx, 1
+costco.com.tw, 1
+costco.is, 1
+costcoinsider.com, 1
+costel.tk, 1
+costelino.tk, 1
+costellofc.co.uk, 0
+costflow.ga, 1
+costi.cf, 1
+costi.eu, 1
+costinesti.tk, 1
+costoflipitor.gq, 1
+costplusdrugs.com, 1
+costravel.ru, 1
+costreportdata.com, 0
+costruzioni.milano.it, 1
+costum-for-men.tk, 1
+costumestylesers.ga, 1
+cosude.org.pe, 1
+cosumnescsd.gov, 1
+cosuno.com, 1
+cosy-interior.com, 1
+cosyden.tk, 1
+cotak.gov, 1
+cotandoseguro.com, 1
+coteax.com, 1
+coteax.nl, 1
+cotehy.com, 1
+cotejardin.gent, 1
+cotennis.net, 1
+coteouestmedia.com, 1
+coth.ml, 1
+cothurnes.fr, 1
+cotofoto.tk, 1
+coton.tk, 1
+cotonni.tk, 1
+cotrugli.social, 1
+cotswoldgrangehotel.co.uk, 1
+cotsworth.com, 1
+cotta.dk, 1
+cottagegroveor.gov, 1
+cottagelife.com, 1
+cottagessw.co.uk, 1
+cottier-angeli.swiss, 1
+cottonage.tk, 1
+cottonwoodcountymn.gov, 1
+cottonwoodimprovement.gov, 1
+cotwe-ge.ch, 0
+coubron-escrime.fr, 1
+couchidiomas.com, 1
+couchscreen.de, 1
+cougar-bordeaux.fr, 1
+cougargrades.io, 1
+cougarlyon.fr, 1
+coughlan.de, 1
+could.jp, 1
+couleur-lavande.com, 1
+couleursorgue.tk, 1
+coun.be, 1
+counseling4students.com, 1
+counselingforstudents.com, 1
+counsellingtime.co.uk, 1
+counsellingtime.com, 1
+counsellink.net, 1
+counstellor.com, 0
+counter-strike.net.cn, 1
+countercloud.com, 1
+counterenlol.com, 1
+counterespionage.com, 1
+countermats.net, 1
+countermentors.com, 1
+counterstrikeonline.org, 1
+countertopapothecary.com, 1
+countertrade.com, 0
+countexact.com, 1
+countingdues.com, 1
+countingup.com, 1
+countrify.net, 1
+country-candles.co.uk, 1
+country-creativ.de, 1
+country-dancers.tk, 1
+country-games.tk, 1
+country-house.ga, 1
+country-muziek.nl, 1
+countrybrewer.com.au, 1
+countrylife.cz, 1
+countrymountaininn.com, 1
+countryoutlaws.ca, 1
+countrysaloon.tk, 1
+countryshopradio.tk, 1
+countrysidebar.tk, 1
+countrysidemarquees.co.uk, 1
+countrysmile.org, 0
+county10.com, 1
+countybankdel.com, 1
+countyjailinmatesearch.com, 1
+countyofbarton.gov, 1
+countyofkingsca.gov, 1
+countyofmonterey.gov, 1
+countyofmontereyca.gov, 1
+coup-dun-soir.ch, 1
+coupa.com, 1
+coupedevils.tk, 1
+coupestanley.com, 1
+couplay.org, 1
+couplesapp.co, 1
+couponarea.com, 1
+couponava.com, 1
+couponchief.com, 0
+couponcodefind.com, 1
+couponcodesme.com, 1
+couponfollow.co.uk, 1
+couponsale.tk, 1
+couponzil.com, 1
+cour4g3.me, 1
+courage-sachsen.org, 1
+courage.cf, 1
+couraqe.tk, 1
+courier.lk, 1
+couriergrey.com, 1
+couriersrs.com, 1
+couriertrackers.com, 1
+coursables.com, 1
+coursdejaponais.com, 1
+course5i.com, 0
+courseconfidence.com, 1
+coursehero.com, 1
+coursehero.ph, 1
+coursehunter.net, 1
+courselore.org, 1
+courseorbit.com, 1
+coursera.org, 1
+coursereleases.com, 1
+courses.nl, 1
+coursesanswer.com, 1
+coursesidekick.com, 1
+coursesweb.net, 1
+courseworkbank.info, 1
+coursingweb.tk, 1
+coursocean.co, 1
+courstoujours.be, 1
+court1tickets.co.uk, 1
+court1tickets.com, 1
+court23taylormi.gov, 1
+courthousedirect.com, 1
+courtlandtwpmi.gov, 1
+courtonetickets.co.uk, 1
+courtonetickets.com, 1
+courtreporteredu.org, 1
+courttranscriptontario.ca, 1
+courvix.com, 1
+couscous.recipes, 1
+cousine.tk, 1
+cousins.tk, 1
+couteauxsurvie.fr, 1
+couverture-barre.fr, 1
+couverture-saint-nazaire.fr, 1
+couvreur-hinault.fr, 1
+covar.com.co, 1
+covbounce.co.uk, 1
+cove.chat, 1
+covechat.xyz, 1
+covenantbattle.net, 1
+covenco.com, 1
+coventry.com, 1
+coventrycollege.ac.uk, 1
+coventryfdri.gov, 1
+coventrymoneyman.com, 1
+coventryuk.tk, 1
+cover-fashion.de, 1
+coverage-db.org, 1
+coveragecareservices.co.uk, 1
+coveragent.de, 1
+covercrust.com, 1
+covercupboard.co.uk, 1
+coveredinspiders.com, 1
+covering.com.py, 1
+covermusik-band.de, 1
+covermytrip.com.au, 1
+covers.com, 1
+covershousing.nl, 1
+covert.sh, 1
+covery.ai, 1
+coveteur.com, 1
+coviacorp.com, 1
+covid-19.nhs.uk, 1
+covid-19advice.com, 1
+covid.gov, 1
+covid19-tracing.ch, 1
+covid19.gov.ph, 1
+covid19.melbourne, 1
+covid19.nhs.uk, 1
+covid19dataportal.si, 1
+covid19details.com, 1
+covid19resilience.org, 1
+covid19responsepod.com, 1
+covid19scotland.co.uk, 0
+covid19statstracker.com, 1
+covidactnow.org, 1
+covidcoldfacts.com, 1
+coviddiary.live, 1
+coviddrawings.org.uk, 1
+covidfreeathome.org, 1
+covidinfo.com.br, 1
+covidlive.com.au, 1
+covidmodel.net, 1
+covidpppstore.co.za, 1
+covidservicepoint.de, 1
+covidstats.gr, 1
+covidtest.gov, 1
+covidtesthonolulu.org, 1
+covidtests.gov, 1
+covidtracker.fr, 1
+covisa.cl, 1
+covisian.com, 1
+covybrat.cz, 1
+cow-ims.herokuapp.com, 1
+cowbird.org, 1
+cowcreek-nsn.gov, 1
+cowleycountyks.gov, 1
+cowleysexeter.co.uk, 1
+cowlitzwa.gov, 1
+coworkanywhere.ch, 1
+coworking-luzern.ch, 1
+coworking-space.tk, 1
+coxcapitalmanagement.com, 1
+coxhealthfoundation.com, 1
+coxxs.me, 1
+coxxs.moe, 1
+coya.tw, 1
+coyo.tl, 1
+coyocloud.com, 1
+coyote.cf, 1
+coyote105.com, 1
+coz-artistic.net, 1
+cozanne.fr, 1
+coze.zone, 1
+cozinharaz.com, 1
+cozmoapp.com, 1
+cozmoyachts.com, 1
+cozo.me, 1
+coztacukrzyca.pl, 1
+cozumelairlines.com, 1
+cozumelflight.com, 1
+cozumelisparadise.com, 1
+cozy.town, 1
+cozyeggdesigns.com, 1
+cozynergy.com, 1
+cozzack.com, 1
+cp-st-martin.be, 1
+cp061.com, 0
+cpacharge.com, 1
+cpadollar.cf, 1
+cpagray.com, 0
+cpan.org, 1
+cpanels.us, 1
+cpaneltips.com, 1
+cpap.com, 1
+cpaporttraining.org, 0
+cpars.gov, 1
+cparta.pro, 1
+cpaspecialisters.ga, 1
+cpasperdu.com, 1
+cpatoday.club, 1
+cpbanq.com, 1
+cpcbegin.tk, 1
+cpchur.ch, 0
+cpd-education.co.uk, 1
+cpd.org.au, 1
+cpe-colleg.de, 1
+cpe-registry.com, 1
+cpe-registry.org, 1
+cpegypt.tk, 1
+cpeip.cl, 1
+cpelighting.tk, 1
+cperegistry.com, 1
+cperegistry.net, 1
+cperegistry.org, 1
+cpfpa.com, 1
+cpfrancophonie.org, 1
+cpfs-group.com, 1
+cpfurni.com, 0
+cpg.de, 1
+cpgiiaragon.es, 1
+cphollywoodproduct.ml, 1
+cphpvb.net, 1
+cpifilters.com, 1
+cpish.id.au, 1
+cplconsult.com, 1
+cpls.me, 1
+cplsearch.com, 1
+cpm-steuerberater.de, 1
+cpm-steuerberater.pro, 1
+cpm-steuerberater.support, 1
+cpme-industrial.com, 1
+cpost.com.tr, 1
+cppaste.org, 1
+cppressinc.com, 1
+cpro.pt, 1
+cprportal.com, 1
+cps-ecobati.com, 1
+cps-sante.ml, 1
+cpsa.co.uk, 1
+cpsc.gov, 1
+cpsecureapp.com, 1
+cpsq.fr, 1
+cpstest.live, 1
+cpstest.org, 1
+cpsurvey.com, 1
+cptoon.com, 1
+cptvl.de, 1
+cpu.biz.tr, 1
+cpu.wiki, 1
+cpucheu.com, 1
+cpufanshop.ga, 1
+cpws.gov, 1
+cpxz.nl, 1
+cpy.pt, 1
+cqep.com, 1
+cqfuchen.com, 1
+cqoicebordel.tk, 1
+cqradio.tk, 1
+cqre.business, 1
+cqswxx.com, 1
+cqvradio.ddns.net, 0
+cr.search.yahoo.com, 0
+cr05.fr, 1
+cr3zyblog.com, 1
+cr8haven.com, 1
+cr9499.com, 1
+cra-bank.com, 1
+cra-search.net, 1
+cra-zy.tk, 1
+crabfactory.com.my, 1
+crabgrasslawn.com, 1
+crabo3d.de, 1
+crabrave.space, 1
+crabtreestore.nl, 1
+cracedkey.com, 1
+crackajack.cf, 1
+crackbros.com, 1
+crackcat.de, 1
+crackedlink.com, 1
+crackedsoftware.cf, 1
+cracker.in.th, 1
+crackerjohn.tk, 1
+crackheros.site, 1
+crackhomes.com, 1
+cracklab.tk, 1
+crackle.io, 1
+crackpfer.de, 1
+cracksarkariexam.com, 1
+cracksarkarinaukri.com, 1
+crackserialkey.co, 1
+cracksnet.tk, 1
+crackspro.co, 1
+crackstation.net, 1
+cracky-chan.com, 1
+cracky.art, 1
+cracky.win, 1
+crackychan.cc, 1
+crackychan.net, 1
+crackychan.org, 1
+crackyhouse.com, 1
+crackypedia.uk, 1
+crackzoom.com, 1
+cradio.tk, 1
+cradleaccounting.com, 1
+cradleofaviation.org, 1
+cradletocareer.org.uk, 1
+craft-beer.life, 1
+craft-me-in.com, 1
+craft.eu.org, 1
+craftandbuild.de, 1
+craftbyhand.com, 1
+craftcms.com, 1
+crafted.cat, 1
+crafterbase.de, 1
+crafters.co.jp, 1
+craftfocus.com, 1
+craftgalore.com.au, 1
+craftgate.io, 1
+crafthead.net, 1
+craftination.net, 1
+craftinghand.com, 0
+craftist.de, 1
+craftmachinec.com, 1
+craftmenu.ru, 1
+craftmeow.com, 1
+craftmeow.support, 1
+craftngo.hu, 1
+craftottawa.ca, 1
+craftshiponline.tk, 1
+craftsmandruggets.com, 1
+craftsmany.net, 1
+craftsofcleo.com, 1
+crafttalk.tk, 1
+craftutor.com, 1
+craftwarehouse.com, 1
+craftwmcp.xyz, 1
+craftydev.design, 1
+craftyguy.net, 0
+craftyphotons.net, 1
+craftyun.cn, 1
+craig-mullins.com, 1
+craigary.net, 0
+craigbates.co.uk, 0
+craigdavis.ga, 1
+craigfrancis.co.uk, 1
+craigheadcountyar.gov, 1
+craigleclaireteam.com, 1
+craignewmarkphilanthropies.org, 0
+craigphillips-work.cf, 1
+craigrouse.com, 1
+craigsaper.com, 1
+craigwfox.com, 0
+cramersoft.com, 1
+cran-automobiles.fr, 1
+cranems.com.ua, 1
+cranenburgh.nl, 1
+cranenburgh.tk, 1
+cranepedia.com, 1
+cranes.ga, 1
+cranforddental.com, 1
+crangasi.tk, 1
+cranioo.nl, 1
+crankshaft.space, 1
+cranstonri.gov, 1
+craphound.com, 1
+crapitalism.biz, 1
+crapmail.tk, 1
+crapouill.es, 1
+crash-de-1929-et-grande-depression.tk, 1
+crash.net, 1
+crashbolsa.com, 1
+crashcomputer.tk, 1
+crashcoursecenter.com, 1
+crashcrafter.de, 1
+crashday.tk, 1
+crashdummy.tk, 1
+crashedata.tk, 1
+crashgambler.io, 1
+crashpaint.cf, 1
+cratedb-dev.cloud, 1
+cratedb.cloud, 1
+cratedb.net, 1
+crates-io.cn, 1
+cratexcalgary.com, 1
+cratexedm.com, 1
+cratexind.com, 1
+cratitadelicioasa.ro, 1
+cratss.co.uk, 1
+cravatar.cn, 0
+cravecraftonline.com, 1
+crawcial.de, 1
+crawdadrepublic.com, 1
+crawford.cloud, 1
+crawfordcountyin.gov, 1
+crawfordcountyohioboe.gov, 1
+crawfordcountytcc.org, 1
+crawfordcountywi.gov, 1
+crawfordtx.gov, 1
+crawler.ninja, 1
+crax.tube, 1
+craxpro.io, 1
+crayon.co, 1
+craytos.jp, 1
+crazedknitters.com, 1
+crazilyeverafter.com, 1
+crazy-cake.tk, 1
+crazy-coders.com, 1
+crazy-fox.cf, 1
+crazy-project.ml, 1
+crazyachmed.de, 1
+crazybear-underground.tk, 1
+crazycastles.ie, 1
+crazycen.com, 0
+crazychicken.tk, 1
+crazycouple.ml, 1
+crazycube.fr, 1
+crazycube.tk, 1
+crazydrivers.tk, 1
+crazydude.tk, 1
+crazyfly.tk, 1
+crazyfrog.biz, 1
+crazyfrog.com, 1
+crazygifts.cf, 1
+crazyhost.ga, 1
+crazyhost.tk, 1
+crazymadness.tk, 1
+crazymarvin.com, 1
+crazymeeshu.com, 1
+crazymonkey.gq, 1
+crazynetwork.it, 1
+crazypaul.com, 1
+crazypellas.tk, 1
+crazypete.ga, 1
+crazypong.tk, 1
+crazypotato.tk, 1
+crazysavings.ga, 1
+crazysexpics.com, 1
+crazystories.tk, 1
+crazytunaaz.com, 1
+crbug.com, 1
+crc-bank.com, 1
+crc-online.nl, 1
+crc-search.com, 1
+crc.net.br, 1
+crc32.online, 1
+crca911co.gov, 1
+crcdatatech.com, 1
+crcncc.org, 1
+crcr.pw, 0
+cre8iveco.com, 1
+cre8ivedeals.com, 1
+cre8studios.net, 1
+crea-etc.net, 0
+crea-shops.ch, 0
+crea-that.fr, 1
+crea.bg, 1
+crea.me, 1
+creacioneslri.com, 1
+creacode.tech, 1
+creactivatecomfandi.com, 1
+creadoc.fr, 1
+creadordenoticias.com, 1
+creadstudy.com, 1
+creafitchile.cl, 1
+creaintel.net, 1
+creaketing.com, 1
+crealabs.it, 1
+crealogix-online.com, 1
+creamcastles.co.uk, 1
+creamfields.com, 1
+creamless.com, 1
+creampiepornvids.com, 1
+creampiepussytube.com, 1
+creamsoft.com, 1
+creamyfox.com, 1
+creandoydesarrollando.com, 1
+crear-webs-baratas.com, 0
+creared.edu.co, 1
+crearesiteweb.tk, 1
+creareup.com, 1
+creartcol.tk, 1
+creartsynergy.org, 1
+creasetheband.tk, 1
+creastic.com, 1
+create-it.cz, 1
+create-ls.jp, 1
+create-website.ga, 1
+create2.be, 1
+createbeauty.tk, 1
+createbeing.com, 1
+createbot.ml, 1
+createcode.pt, 1
+createconline.de, 1
+createcpanama.com, 1
+creategyx.ga, 1
+creately.com, 1
+createme.com.pl, 1
+createmvp.com, 1
+createstudios.com.au, 0
+createuniforms.co.za, 1
+createwithcynthia.com, 1
+creati.me, 1
+creatiefcoaching.nl, 1
+creatieven.com, 1
+creation-photos.com, 1
+creationfox.gq, 1
+creations-edita.com, 1
+creationsgate.com, 1
+creative-wave.fr, 1
+creative2.ru, 1
+creativeangles.in, 1
+creativeartifice.com, 0
+creativebaccha.ga, 1
+creativebathroomsandinteriors.com.au, 1
+creativebenefits.ca, 1
+creativebitsandpieces.com, 1
+creativebloq.tk, 1
+creativechili.com, 1
+creativecityofmusic.be, 1
+creativecommons.gr, 1
+creativecommonscatpictures.com, 1
+creativeconceptsvernon.com, 1
+creativeconsult.com, 1
+creativedijital.com.tr, 1
+creativeeducation.tk, 1
+creativeexpertdesigner.com, 1
+creativefocus.com, 1
+creativegraphix.com, 1
+creativeground.com, 1
+creativeground.com.au, 1
+creativeideasagency.com, 1
+creativeink.de, 1
+creativekitchens.co.nz, 1
+creativekkids.com, 1
+creativelaw.eu, 1
+creativeliquid.com, 1
+creativelysustainable.com, 1
+creativemarket.com, 1
+creativematters.ch, 0
+creativemindslms.tk, 1
+creativenz.govt.nz, 1
+creativepatterns.io, 1
+creativephs.com, 1
+creativephysics.ml, 1
+creativeqc.com, 1
+creativeradiance.com, 1
+creativescastle.com, 1
+creativescorpio.tk, 1
+creativesectors.tk, 1
+creativestories.me, 1
+creativevietnam.com.vn, 1
+creativeweb.biz, 1
+creativewolf.net, 1
+creativeworks.com.hk, 1
+creativika.it, 1
+creativityalliance.com, 1
+creativlabor.ch, 1
+creatix.tk, 1
+creatixx-network.de, 0
+creatormetrics.io, 1
+creators-design.com, 1
+creators.direct, 1
+creatorswave.com, 1
+creattic.tk, 1
+creatuasociacion.es, 1
+creayes.com, 1
+crebita.de, 1
+crecips.com, 1
+crecman.fr, 1
+crecycle.eco, 1
+credello.com, 1
+credentsys.cloud, 0
+credex.bg, 1
+credify.tech, 1
+credigo.io, 1
+credimax.com.bh, 1
+credin.com.tr, 1
+credit-10.com, 1
+credit-default-swaps.tk, 1
+credit-mgmt.biz, 1
+credit.in.th, 1
+creditcard.run, 1
+creditcardgenerator.money, 1
+crediteurope.ru, 1
+credithelpinfo.com, 1
+creditif.tk, 1
+creditjunkie.com, 1
+creditkarma.ca, 1
+creditkarma.com, 1
+creditkarma.pro, 1
+creditoconsolidado.pt, 1
+creditopessoal.pt, 1
+creditor.ga, 1
+creditor.tk, 1
+creditorapido.pt, 1
+creditos-rapidos.com, 1
+creditozen.es, 0
+creditozen.mx, 0
+creditreport.tk, 1
+creditriskmonitor.com, 1
+creditscoresmart.com, 1
+creditshanghai.com, 1
+creditshop.com, 1
+creditsummerevent.eu, 1
+creditxpert.com, 1
+crednox.com, 1
+credot.ru, 1
+creekie.me, 1
+creeks-coworking.com, 1
+creeksidebiblechurch.org, 1
+creeksidecentre.org.uk, 1
+creeksideduluth.com, 1
+creelandgow.com, 1
+creep.tk, 1
+creepnt.stream, 1
+creepycraft.nl, 1
+creepypastas.com, 1
+creepystories.tk, 1
+creer-mon-business-plan.fr, 1
+creer-une-boutique-en-ligne.com, 1
+creermonsite-wp.com, 1
+creerunblog.net, 1
+cremalleradenuria.tk, 1
+crematory.tk, 1
+cremedigital.com, 1
+cremicro.com, 0
+crena.ch, 1
+crepa.ch, 0
+crepusculofansmexico.tk, 1
+crescendo.ai, 1
+crescendo.ventures, 1
+crescent-moon.tk, 1
+crescentchc.org, 1
+cresoweb.it, 1
+cresserons.fr, 1
+cressetcapital.com, 1
+crest.com, 1
+crestalepropiedades.com.ar, 1
+crestaproject.com, 1
+crestasantos.com, 1
+crestataustin.com.my, 1
+crestaurant.com.au, 1
+crestdatasys.com, 1
+crestoncottage.com, 0
+crestor20mg.ml, 1
+crestorgeneric.ml, 1
+crestresearch.ac.uk, 1
+crestrockadvisors.com, 1
+crestron.com, 1
+crestwoodky.gov, 1
+cretdupuy.com, 0
+creteangle.com, 1
+cretica.no, 1
+creusalp.ch, 0
+crew.moe, 1
+crewextension.com, 1
+crewnetwork.com, 1
+crewresourcesinternational.group, 1
+crewsing.tk, 1
+crewvision.pt, 1
+crex24.com, 1
+crfcap.org, 0
+crgalvin.com, 1
+crgm.net, 1
+crh.org, 0
+cria.jp, 1
+criandosites.com.br, 1
+crianma.com, 0
+criaraposta.com.br, 1
+crias.fr, 1
+criativedesign.com.br, 1
+cribboker.net, 1
+cribcore.com, 1
+cric-grenoble.info, 1
+cricheroes.in, 1
+cricket-betting-online.in, 1
+cricketarena.ml, 1
+cricketnmore.com, 1
+cricketwatch.org, 1
+crickey.eu, 1
+crickits.co.uk, 1
+cricklewood.condos, 1
+cricmela.com, 1
+cricpa.com, 1
+crictechs.com, 1
+cridem.org, 1
+cridigital.net, 1
+criena.com, 1
+criena.net, 1
+crigler-najjar.fr, 1
+criglernajjarday.com, 1
+criktrik.com, 1
+crimalelov.gq, 1
+crimeadsers.ga, 1
+crimeadsest.ga, 1
+crimeainspire.com, 1
+crimeamet.ml, 1
+crimean-wines.tk, 1
+crimeandwar.com, 1
+crimefreeliving.com, 1
+crimemuseum.org, 1
+crimes.media, 1
+crimesceneinvestigatoredu.org, 1
+crimethincx.tk, 1
+crimewatch.net, 1
+crimewatchfl.com, 1
+crimewatchpa.com, 1
+crimewatchus.com, 1
+criminal-attorney.ru, 1
+criminal-market.ml, 1
+criminal-news.tk, 1
+criminal.enterprises, 1
+criminalcasecheats.ml, 1
+criminaljusticeprograms.com, 1
+criminaljusticeprogramsonline.com, 1
+criminallawyerjobdescription.ga, 1
+criminallawyerjobdescription.gq, 1
+criminallawyerjobdescription.ml, 1
+criminallawyersingapore.com, 1
+criminalminds.tk, 1
+criminalnote.tk, 1
+criminalskin.tk, 1
+criminologia.or.cr, 1
+crimsh.com, 0
+crimson.no, 0
+crimsonconnect.co.uk, 1
+crimsoncoward.com, 1
+crimsondragoncosplay.tk, 1
+crimsoninators.ga, 1
+crimsonlettersmusic.com, 1
+crimsonmedia.co.uk, 1
+crimtan.com, 1
+crinesdanzantes.be, 1
+crioestaminal.pt, 1
+crip-usk.ba, 1
+criptex.tk, 1
+criptocert.com, 1
+criptofy.com, 1
+criptoinvest.pt, 1
+criptomonedas365.com, 1
+criptomonedasworld.com, 1
+criptomonedaz.com, 1
+criptomoneylite.tk, 1
+criptozoologia.tk, 1
+cris.org.in, 1
+cris2006.com, 1
+crisantacademy.com, 1
+crisisactual.com, 1
+crisisclubers.ga, 1
+crisisdelos40.tk, 1
+crisisnextdoor.gov, 1
+crismar-flora.tk, 1
+crismatthews.com, 1
+crisp.chat, 1
+crisp.email, 1
+crisp.help, 1
+crisp.im, 1
+crisp.nl, 1
+crisp.watch, 1
+crispinplasticsurgery.com, 1
+crispinusphotography.com, 1
+crispybacon.ml, 1
+crisssmanmix.tk, 1
+cristaleslitios.com.mx, 1
+cristalgema.ga, 1
+cristalid.com, 1
+cristals.ga, 1
+cristaltercos.com.br, 1
+cristau.org, 1
+cristenberens.tk, 1
+cristiaen.nl, 1
+cristian-alexander.tk, 1
+cristiandumitru.tk, 1
+cristianhares.com, 1
+cristianonascimento.ml, 1
+cristiengoller.ga, 1
+cristiengoller.gq, 1
+cristina.tk, 1
+cristinafigueroa.tk, 1
+cristnasar.tk, 1
+cristomisina.tk, 1
+cristomoradocusco.tk, 1
+critcola.com, 1
+criteriaproducciones.tk, 1
+criterion.ga, 1
+criterionsystems.co.uk, 1
+critfc.org, 1
+critical-scientists.net, 1
+critical.software, 1
+criticalculture.cf, 1
+criticalculture.gq, 1
+criticalculture.ml, 1
+criticalgenesis.tk, 1
+criticalmention.com, 1
+criticalmetalscorp.com, 1
+criticalminerals.gov, 1
+criticalrace.org, 1
+criticalsurveys.co.uk, 1
+criticcoos.tk, 1
+criticizetheworld.tk, 1
+critiker.com, 1
+critiquejeu.info, 1
+critiquejeu.org, 1
+critterculture.com, 1
+crivitz.gov, 1
+crix.ro, 1
+crixto.io, 1
+crl-autos.com, 1
+crlna.com, 1
+crm-dialog.com, 1
+crm-dialog.de, 1
+crm-gestion-relation-client.com, 1
+crm.onlime.ch, 0
+crm114d.com, 1
+crm911.com, 1
+crmall.com, 1
+crmdumariage.com, 1
+crmforce.mil, 1
+crmot.com, 1
+crmplace.com, 1
+crmtaxi.ml, 1
+crmzz.com, 1
+crnajobsite.com, 1
+crobeauty.com, 1
+croceverdevb.it, 1
+crocheclube.com, 1
+crocheteursdefrance.fr, 1
+crochetkim.com, 1
+crocia.com, 1
+crockettdoodles.com, 0
+crockettmyers.com, 1
+crocky.tk, 1
+crocop.tk, 1
+crocuscoaching.co.uk, 1
+croeder.net, 1
+croftsvetsurgery.co.uk, 1
+croissant.casa, 1
+cromavista.tk, 1
+cromefire.de, 1
+cromefire.myds.me, 1
+cromosceltavigo.tk, 1
+cromosomax.com, 1
+cromwell-intl.com, 1
+cromwellarc.co.uk, 1
+cromwellvets.co.uk, 1
+cron.com, 1
+cron.uz, 1
+cronberg.ch, 1
+croncron.io, 1
+cronenberg.cc, 1
+cronicademuro.tk, 1
+cronicanet.com.br, 1
+cronix.cc, 1
+cronjob.de, 1
+cronobox.one, 1
+cronologie.de, 1
+cronometer.com, 1
+cronoscentral.be, 1
+crookcountyor.gov, 1
+crookedcru.tk, 1
+crookedtower.com, 1
+crooklibraryor.gov, 1
+crookpublichealthor.gov, 1
+croonix.one, 1
+croonix.tech, 1
+crop-alert.com, 1
+cropdiagnosis.com, 1
+cropme.net, 1
+cropwizarders.ga, 1
+croquementbon.fr, 1
+croquetgolf.tk, 1
+croquis.tk, 1
+crosbug.com, 1
+cross-culture.tk, 1
+cross-games.tk, 1
+cross-led-sign.com, 1
+cross-x.com, 1
+crossair.tk, 1
+crosschq.com, 1
+crosscom.ch, 1
+crossconnected.co.uk, 1
+crossdresscontest.com, 1
+crossedwires.net, 1
+crossfiremovies.tk, 1
+crossfitbesafe.com, 1
+crossformer.com, 1
+crossfunctional.com, 1
+crosslaketech.com, 1
+crosslifenutrition.co.uk, 0
+crosslimit.ga, 1
+crosslink.ae, 1
+crossmediahouse.nl, 1
+crossorange.jp, 1
+crossover.tk, 1
+crossoverit.com, 1
+crosspeakoms.com, 1
+crossplainstn.gov, 1
+crosspointmn.org, 1
+crossriver.com, 0
+crossroads-gmbh.ch, 1
+crossroadsdentalgroup.org, 1
+crosstitch.com, 1
+crossuniverse.net, 1
+crossway.nl, 1
+crosswayz.tk, 1
+crosswordarchive.org, 1
+crosty.tk, 1
+crotchrockets.tk, 1
+croviz.com, 1
+crow.tw, 1
+crowcloud.com, 1
+crowdamp.live, 1
+crowdbank.jp, 1
+crowdbox.net, 1
+crowdcloud.be, 1
+crowdfavorite.com, 1
+crowdfiber.com, 1
+crowdfundingdream.com, 1
+crowdfundinggent.be, 1
+crowdpress.it, 1
+crowdsim3d.com, 1
+crowdstack.com, 1
+crowdstack.io, 1
+crowdsupply.com, 1
+crowleybrynn.com, 1
+crown-beverage.com, 1
+crown-building.com, 1
+crown-trading.ru, 1
+crownaffairs.ch, 1
+crowncastles.co.uk, 1
+crownchessclub.com, 1
+crownedhijab.com, 1
+crownednetwork.com, 1
+crownmarqueehire.co.uk, 1
+crownpoint.com, 0
+crownsterling.io, 1
+crowter.li, 1
+crowwing.gov, 1
+croxu.com, 1
+croydonapartments.com.au, 1
+croydonbouncycastles.co.uk, 1
+crpcentroradiologico.com.br, 1
+crrapi.cf, 1
+crrapi.xyz, 1
+crrev.com, 1
+crrow777radio.com, 1
+crsngthsswthy.com, 1
+crsoresina.it, 1
+crsserviceogkloak.dk, 1
+crstat.ru, 1
+crt.cloud, 1
+crt.sh, 1
+crt2014-2024review.gov, 1
+crtalleres.com, 1
+crti.dz, 1
+crti.tech, 1
+crtified.me, 1
+crucerosplus.com, 1
+crucial.com, 1
+crucial.de, 1
+crucial.es, 1
+crucial.fr, 1
+crucial.in, 1
+crucial.jp, 1
+crucial.tw, 1
+cruelalice.net, 1
+cruelcarbon.tk, 1
+cruelgirls.tk, 1
+crufad.org, 0
+cruicky.co.uk, 1
+cruicky.uk, 1
+cruiseamerica.com, 1
+cruisecheap.com, 1
+cruisecontrolnovels.com, 1
+cruisefashion.tk, 1
+cruiseguy.com, 1
+cruiselookout.com, 1
+cruisemoab.com, 1
+cruisemongers.com, 1
+cruisequotes.com, 1
+cruises.tk, 1
+cruisezoom.com, 1
+crumbcontrol.com, 1
+crumbscorkscrews.com, 1
+crumobr.com, 1
+crunchopedia.com, 1
+crunchr.com, 1
+crunchrapps.com, 1
+crunchreviews.com, 1
+crunchy.rocks, 1
+crunchybetty.com, 1
+crunchybridge.com, 1
+crushthelsatexam.com, 1
+crushthepmexam.com, 1
+crushxp.tk, 1
+crustytoothpaste.net, 1
+crute.me, 1
+crutic.gq, 1
+cruzadamorada.tk, 1
+crvegas.com, 1
+crvenikrst.tk, 1
+cry-sys.de, 0
+cryne.me, 1
+cryo-fit.com, 1
+cryoflesh.com, 1
+cryogeni.fr, 1
+cryosite.com, 1
+cryothanasia.com, 1
+cryovex.com, 1
+cryozenic.com, 1
+cryp.no, 1
+crypt-app.net, 1
+crypt0cloud.ddns.net, 0
+cryptcex.com, 0
+cryptcheck.fr, 1
+cryptearth.de, 1
+crypted.chat, 0
+crypteianetworks.com, 1
+cryptenet.com, 1
+crypterium.com.br, 1
+cryptex.net, 1
+crypticdeath.tk, 1
+crypticface.tk, 1
+crypticonseattle.com, 1
+crypticstench.tk, 1
+cryptii.com, 0
+cryptin-it.com, 1
+cryptingup.com, 1
+cryptitan.live, 1
+cryptme.in, 1
+crypto-ads.ga, 1
+crypto-clix.xyz, 1
+crypto-gambling.tv, 1
+crypto-gaming.tk, 1
+crypto-trade.org, 1
+crypto-unveil.com, 0
+crypto-wiki.tk, 1
+crypto.cat, 1
+crypto.graphics, 1
+crypto.is, 0
+cryptoafternoon.com, 1
+cryptoanarchist.tk, 1
+cryptoarabsolar.tk, 1
+cryptobells.com, 0
+cryptobet.guru, 1
+cryptobin.co, 1
+cryptobonus.ga, 1
+cryptobonus.tk, 1
+cryptobot.dk, 1
+cryptoclix.website, 1
+cryptocon.org, 1
+cryptocurrencylatestnews.today, 1
+cryptocurrencynews.today, 1
+cryptocurrencyservices.com, 1
+cryptodogsnft.com, 1
+cryptodore.com, 1
+cryptodredge.org, 1
+cryptoearnblog.xyz, 1
+cryptoeighty.com, 1
+cryptofacilities.co.uk, 1
+cryptofacilities.com, 1
+cryptofan.org, 1
+cryptofinance.ai, 1
+cryptofomo.capital, 1
+cryptofomocapital.com, 1
+cryptoforo.com, 1
+cryptofox.nl, 1
+cryptogazette.com, 1
+cryptography.blue, 1
+cryptography.ch, 1
+cryptography.io, 1
+cryptoguidemap.com, 1
+cryptohinge.com, 1
+cryptoinvoke.com, 1
+cryptoisnotacrime.org, 1
+cryptojacks.io, 1
+cryptoki.fr, 1
+cryptolab.tk, 1
+cryptoleed.com, 1
+cryptolinchpin.com, 1
+cryptolocalatm.com, 1
+cryptology.ch, 1
+cryptolot.ru, 1
+cryptomail.nl, 1
+cryptomaniaks.com, 1
+cryptomarketrade.com, 1
+cryptomining.mobi, 1
+cryptomixer.io, 0
+cryptomkt.com, 1
+cryptomonnaies.io, 1
+crypton.academy, 1
+crypton.help, 1
+crypton.info, 1
+crypton.vercel.app, 1
+crypton.wiki, 1
+crypton.xyz, 1
+cryptonaire.ga, 1
+cryptonit.cf, 1
+cryptonom.org, 1
+cryptonym.com, 1
+cryptool.org, 1
+cryptop.ml, 1
+cryptoparty.at, 1
+cryptoparty.dk, 1
+cryptoparty.in, 1
+cryptoparty.tv, 1
+cryptopartynewcastle.org, 1
+cryptopartyutah.org, 1
+cryptopaste.org, 1
+cryptophobia.nl, 1
+cryptopuppers.co, 1
+cryptorival.com, 1
+cryptoruay.com, 1
+cryptoscope.io, 1
+cryptoseb.pw, 1
+cryptosender.io, 1
+cryptoshot.pw, 1
+cryptosolicitations.com, 1
+cryptostarz.online, 1
+cryptostorm.is, 1
+cryptotabworks.ml, 1
+cryptotoken.site, 1
+cryptotrendclub.com, 1
+cryptoviet.com, 1
+cryptowat.ch, 1
+cryptowhitelists.com, 1
+cryptoya.io, 1
+cryptozoologyguide.com, 1
+cryptpad.cz, 1
+cryptsetup.com, 1
+cryptulo.com, 1
+crys.cloud, 1
+crys.email, 1
+crys.hu, 1
+crys.me, 1
+crys.ovh, 1
+crys.pw, 1
+crys.tv, 1
+crystal-media.tk, 1
+crystal-zone.com, 1
+crystal.com.co, 1
+crystalapp.ca, 1
+crystalball.photo, 1
+crystalblockchain.com, 1
+crystalcave.nl, 0
+crystalcaves.tk, 1
+crystalchandelierservices.com, 1
+crystalcherryonline.tk, 1
+crystalcleaningservicing.com, 1
+crystalcube.tk, 1
+crystaldesign.tk, 1
+crystaldown.de, 0
+crystalglass.ml, 1
+crystallake.tk, 1
+crystalprinting.com.au, 1
+crystalsdollz.tk, 1
+crystalsky.tk, 1
+crystalspringsms.gov, 1
+crystone.me, 1
+cryz.ru, 1
+cs-algeria.tk, 1
+cs-bot.tk, 1
+cs-colorscreed-betongulve.dk, 1
+cs-escom.tk, 1
+cs-ice.tk, 1
+cs-lite.tk, 1
+cs-mania.tk, 1
+cs-master.tk, 1
+cs-nri.com, 1
+cs-powa.tk, 1
+cs-top.tk, 1
+cs-tops.tk, 1
+cs-unlimited.tk, 1
+cs-westside.tk, 1
+cs.money, 1
+cs2.ac.cn, 1
+cs2.chat, 1
+cs2.net.cn, 1
+cs2.org.cn, 1
+cs2.pub, 1
+cs2.ren, 1
+csa-clan.tk, 1
+csa-library.org, 1
+csa.co.za, 1
+csa.support, 1
+csaapac.com, 1
+csaapac.org, 1
+csab.nic.in, 1
+csabg.org, 1
+csabinext.dyndns.org, 1
+csachapter.io, 1
+csacloudbytes.com, 1
+csacloudtrustsummit.com, 1
+csacongress.com, 1
+csacongress.org, 1
+csacongress.us, 1
+csadc.org, 1
+csaemeacongress.com, 1
+csaemeasummit.com, 1
+csaerotherm.com, 1
+csafederalsummit.com, 1
+csale.co.il, 1
+csapa.com, 1
+csaposs.com, 1
+csasummit.net, 1
+csasummit.org, 1
+csatestdomain.com, 1
+csaurl.org, 1
+csb-consultancy.com, 1
+csbs.org, 1
+csbya.com, 1
+csc-muenchen.de, 1
+cscau.com, 0
+cscholz.io, 1
+cschreiber.llc, 1
+cschristmas.com.au, 1
+csci571.com, 1
+cscmotors.com, 1
+cscred.online, 1
+csd-sevnica.si, 1
+csd-slovenije.si, 1
+csdacadcv.ga, 1
+csdcab.ca, 1
+csdcareerday.com, 1
+csdisco.com, 1
+csds.md, 1
+csdurant.com, 1
+cse-sna78.fr, 1
+cse-uniserve.com.au, 1
+csedsp.fr, 1
+csedu.com, 1
+csehnyelv.hu, 1
+cselzer.com, 1
+csengle.de, 1
+csevolution.tk, 1
+csexy.ml, 1
+csfcloud.com, 1
+csfd.cz, 1
+csfd.sk, 1
+csfm.com, 1
+csgbusiness.co.uk, 1
+csghomedesignbuild.com, 1
+csgo-roulette.ru, 1
+csgo.ac.cn, 1
+csgo.help, 1
+csgo.net, 1
+csgo.su, 1
+csgoba.cn, 1
+csgodb.net, 1
+csgoempire.com, 1
+csgoempire.gg, 1
+csgofile.tk, 1
+csgofinder.eu, 1
+csgomtr.com, 1
+csgostash.com, 1
+csgoswap.com, 1
+csgotwister.com, 1
+csgoyournal.com, 1
+csharp.love, 1
+csharpfactory.io, 1
+csharpmarc.net, 1
+cshe.de, 1
+cshive-img.com, 1
+cshive-static.com, 1
+cshm-schm.ca, 1
+cshostorg.tk, 1
+cshs.edu, 1
+csilies.de, 1
+csillagoszpumi.se, 1
+csirt.ee, 0
+csitarz.com, 1
+cskentertainment.co.uk, 1
+cskt.gov, 1
+cslbbs.net, 1
+cslbuild.com, 1
+csmainframe.com, 1
+csn3366.ga, 1
+csnet.live, 1
+csodaorszagovoda.hu, 1
+csokolozos-jatekok.tk, 1
+csolar.com, 1
+csorncss.ca, 1
+csosa.gov, 1
+csowt.gq, 1
+csp-tohoku.co.jp, 1
+csper.io, 1
+cspeti.hu, 1
+cspvalidator.org, 1
+csreturn.com.au, 1
+csrichter.com, 1
+csroot.cf, 1
+csrtci.com, 1
+csrtech.com, 1
+csrtech.support, 0
+csru.net, 1
+css-krebs.ch, 1
+css-tricks.com, 1
+css-tricks.tk, 1
+css.direct, 1
+cssai.eu, 1
+cssbmb.gov, 1
+csspsverify.com, 1
+csspublic.tk, 1
+csssr.com, 1
+csszamotuly.pl, 1
+cst-vbg.ru, 0
+cst188.cc, 1
+cstanley.net, 1
+cstevens.cc, 1
+cstg.com, 1
+cstmadrid.tk, 1
+cstmo.org, 1
+cstoredecisions.com, 1
+cstp-marketing.com, 1
+cstromblad.com, 1
+csty.ltd, 1
+csu.st, 1
+csub.edu, 1
+csuchen.com, 1
+csulb-cmp-eir.com, 1
+csumathtutor.com, 1
+csupe.hu, 1
+csusop.gov, 1
+csuw.net, 1
+csvalpha.nl, 1
+csvlombardia.it, 1
+csvplot.com, 1
+cswapps.com, 1
+cswatch.org, 1
+cswrld.com, 1
+csx.co.za, 1
+csy.hu, 1
+csyxy.fi, 1
+ct-static.com, 1
+ct-watches.dk, 0
+ct.search.yahoo.com, 0
+ctafo.com, 0
+ctauditors.gov, 1
+ctbirding.org, 1
+ctcloud.ml, 1
+ctcom-peru.com, 1
+ctcp.pt, 1
+ctd.to, 1
+ctdi.pl, 1
+ctech.cf, 1
+ctes.cz, 1
+ctet.nic.in, 1
+ctf-albstadt.de, 1
+ctf-archive.com, 0
+ctf.link, 1
+cthomas.work, 1
+cthulhuden.com, 1
+ctir.gov.br, 1
+ctj.im, 1
+ctjk.com, 1
+ctknight.me, 1
+ctkwwri.org, 1
+ctl.fi, 1
+ctliu.com, 1
+ctm.community, 1
+ctmlightning.co.uk, 1
+ctmportal.co.uk, 1
+ctmrepository.com, 1
+ctnguyen.de, 1
+ctnguyen.net, 1
+ctns.de, 0
+ctoin.tw, 1
+ctonovenkogo.tk, 1
+ctoresms.com, 1
+ctpe.info, 1
+ctpe.net, 1
+ctpro.net, 1
+ctr-sante.eu, 1
+ctrl.blog, 1
+ctrl.gr, 0
+ctrlaltstream.com, 1
+ctrlcvz.tk, 1
+cts-companies.com, 1
+ctsu.org, 1
+cttso.gov, 1
+ctu.cz, 1
+ctyrisinkneri.cz, 1
+cu247secure.ie, 1
+cua911.gov, 1
+cuarentagrados.tk, 1
+cuaresmaysemanasanta.tk, 1
+cuartaraiz.com, 1
+cuartetocontinental.tk, 1
+cuartob.tk, 1
+cuasotinhyeu.vn, 1
+cuatroporcuatro.tk, 1
+cuatroymedia.com, 1
+cuban.wiki, 1
+cubanchino.tk, 1
+cubanda.de, 1
+cubatel.com, 1
+cubatravel.cu, 1
+cubazineers.ga, 1
+cubazineest.ga, 1
+cube-cloud.com, 1
+cube-filing.com, 1
+cube.builders, 1
+cube.guide, 1
+cube.scot, 1
+cube64128.xyz, 1
+cubebik.com, 1
+cubebuilders.net, 1
+cubecraft.net, 1
+cubecraftcdn.com, 1
+cubecraftstore.net, 1
+cubefreak.tk, 1
+cubegame.tk, 1
+cubeinfo.tk, 1
+cubekrowd.net, 1
+cubela.tech, 1
+cubelify.com, 1
+cubepasses.com, 1
+cubeperformancecentre.com.au, 1
+cubestudio.website, 1
+cubetech.co.jp, 1
+cubflaica.it, 1
+cubia.com, 1
+cubia4.com, 1
+cubic-lynx.com, 1
+cubicempire.com, 1
+cubicle.tk, 1
+cubiest.com, 1
+cubigames.tk, 1
+cubikus.fr, 1
+cubile.xyz, 1
+cubilo.fi, 1
+cubing.net, 1
+cubistmediagroup.com, 1
+cubitt.cz, 1
+cublick.com, 1
+cubminnesota.org, 1
+cubocell.com, 1
+cubotabacaria.com.br, 1
+cuboxmovies.ga, 1
+cubrebocas.tk, 1
+cubsbestteaminbaseball.com, 1
+cubsradio.tk, 1
+cubyhome.com, 1
+cubyn.com, 1
+cuc-cayman.com, 1
+cucabot.tk, 1
+cucaracha.tk, 1
+cuchichi.es, 1
+cuckoo.ee, 1
+cuckoohallacademy.org.uk, 1
+cucumber.io, 1
+cuddlecat.io, 1
+cuddlecomfort.com, 1
+cuddlingyaks.com, 1
+cuddlybeardaycare.org, 1
+cudesa.gq, 1
+cudesyb.tk, 1
+cudoo.de, 1
+cueca.com.br, 1
+cuecasonline.com.br, 1
+cuegee.com, 1
+cuentadias.cl, 1
+cuentamecomopaso.es, 1
+cuentas-gratis.ga, 1
+cuentasmutualamr.org.ar, 1
+cues.org.uk, 1
+cuesplus.com, 1
+cuestiondetiempo.tk, 1
+cuetoems.com, 1
+cuevafelina.tk, 1
+cufe.com.au, 1
+cufoon.com, 1
+cugetliber.ro, 1
+cuhadardokuma.com, 1
+cuhawaii.com, 1
+cuidade.fr, 1
+cuio.net, 1
+cuir-lipari.fr, 1
+cuisine-ultime.fr, 1
+cuitrau.tk, 1
+cujanovic.com, 1
+cujo.com, 1
+cukrinelape.com, 1
+cukurbag.ml, 1
+culan.dk, 0
+culetto.at, 1
+culha.net, 1
+culinary.ga, 1
+culpoilu.tk, 1
+cult.games, 1
+cultivariable.com, 1
+cultofperf.org.uk, 1
+cultrix.co.uk, 1
+cultrixdigital.co.uk, 1
+culturaanarquista.tk, 1
+culturaarabe.tk, 1
+culturabrasilia.tk, 1
+culturaeuropea.tk, 1
+culturagenial.com, 1
+culturahack.tk, 1
+culturaldistrict.org, 1
+culturaldiversity.tk, 1
+culturalmaninhos.tk, 1
+culturalparadiso.tk, 1
+culturalsabotage.cf, 1
+culturama.tk, 1
+cultureetsoft.tk, 1
+cultureforward.online, 1
+culturehatti.com, 1
+culturelivresque.fr, 1
+culturerain.com, 1
+culturesgames.tk, 1
+cultureshift.co, 1
+culturesouthwest.org.uk, 1
+culturestraveled.com, 1
+culturevision.com, 1
+culturism.ml, 1
+cultuur.gent, 1
+cultuurinonderwijs.be, 1
+cumberlandcoil.gov, 1
+cumberlandcountyhealthnj.gov, 1
+cumberlandcountyme.gov, 1
+cumberlandcountync.gov, 1
+cumberlandcountynj.gov, 1
+cumberlandcountypa.gov, 1
+cumberlandrivertales.com, 1
+cumberlink.com, 1
+cumbiaperuana.tk, 1
+cumbreamazonica.tk, 1
+cumfiesta.com, 1
+cuminas.com, 1
+cumingcountyne.gov, 1
+cumlaudegent.be, 1
+cumman.life, 1
+cummiesin.me, 1
+cumnock.name, 1
+cumnock.org, 1
+cumplegenial.com, 1
+cumseface.eu, 1
+cumsext.me, 1
+cumshots-video.ru, 1
+cumtd.com, 1
+cumulogranite.fr, 1
+cumulonembo.com, 1
+cumulus.photo, 1
+cungnhauhoctap.tk, 1
+cunha.be, 1
+cunninghamfs.ie, 1
+cunova.cf, 1
+cunova.tk, 1
+cuo.net, 1
+cuoc.org.uk, 1
+cuongthach.com, 1
+cuongthach.net, 1
+cuongtran.xyz, 1
+cuoredesigns.tk, 1
+cuorineri.tk, 1
+cupabonita.com, 1
+cupcake.com, 0
+cupcake.io, 1
+cupcake.pt, 1
+cupcakestatus.com, 1
+cupcakestatus.net, 1
+cupcao.gov, 1
+cupclub.com, 0
+cupdunarea.ro, 1
+cupertino.gov, 1
+cupid789.co, 1
+cupie.tk, 1
+cupoane-reducere.net, 1
+cupom.net, 1
+cupomia.com.br, 1
+cuponesmasdescuentos.tk, 1
+cuppen.de, 1
+cuppen.marketing, 1
+cuppen.me, 1
+cuppen.pro, 1
+cuppen.support, 1
+cuppycakes.fi, 1
+cur.by, 1
+curacao.tk, 1
+curacaodiveguide.com, 1
+curamail.co.uk, 1
+curamcare.ml, 1
+curaprox.co.th, 1
+curareldolordeespalda.com, 1
+curatednews.xyz, 1
+curatednow.ca, 1
+curationsblog.com, 1
+curbsoftware.com, 1
+curbza.com, 1
+cureatr.com, 1
+cureine.com, 1
+cureyou.com.tw, 1
+curieux.digital, 0
+curinline.com, 1
+curio-shiki.com, 1
+curio.lk, 1
+curio.nl, 1
+curiocity.com, 1
+curiocity.tk, 1
+curiosidadeanimal.cf, 1
+curiosity-driven.org, 1
+curiositytrained.com, 1
+curiosoando.com, 1
+curious.host, 1
+curiouscast.ca, 1
+curiousduck.com, 1
+curiousspoonfoods.com, 1
+curioustea.com, 1
+curiozitate.com, 1
+curis-health.com, 1
+curl.tw, 0
+curlie.tk, 1
+curlify.com, 1
+curlingbelgium.tk, 1
+curlingclass.com, 1
+curlingclubpwa.tk, 1
+curly-hair-extentions.tk, 1
+curlybracket.co.uk, 1
+curlyhumanhairextensions.tk, 1
+currency-one.com, 1
+currency-strength.com, 1
+currency-toolkit.com, 1
+currencyfreaks.com, 1
+currencyreader.gov, 1
+currencyreaderapplication.gov, 1
+current-ip.com, 1
+current.com, 0
+currentbitcoin.news, 1
+currentchaos.tk, 1
+currentcryptocurrency.news, 1
+currentcryptocurrencynews.com, 1
+currenthaus.com, 1
+currentlystreaming.com, 1
+currentos.foundation, 1
+currycountynm.gov, 1
+currycountyor.gov, 1
+currynissanmaparts.com, 1
+currytech.cn, 1
+cursedpine.studio, 1
+curseus.com, 1
+cursillosdezaragoza.tk, 1
+cursoalia.com, 0
+cursoandroid.com, 1
+cursocatolico.com, 1
+cursocomunicacionnoverbal.com, 1
+cursodehipnosis.tk, 1
+cursodememorizacao.ml, 1
+cursointeractivo.com, 1
+cursomente.online, 1
+cursorcam.tk, 1
+cursos-trabajadores.net, 1
+cursos.com, 1
+cursosemmaus.es, 1
+cursosforex.com, 1
+cursosgratuitos.pe, 1
+cursosingles.com, 1
+cursosprogramacion.online, 1
+cursossena.co, 1
+cursosypostgrados.com, 1
+curtacircuitos.com.br, 0
+curtis-ne.gov, 1
+curtis-smith.me.uk, 1
+curtis-smith.uk, 1
+curtisint.com, 0
+curtisleejones.tk, 1
+curtispope.com, 0
+curtissmith.me.uk, 1
+curtissmith.uk, 1
+curts-showcars.com, 1
+curva.co, 0
+curvaverde02.tk, 1
+curvemedia.co, 1
+curveprotect.cz, 1
+curvissa.co.uk, 1
+curvyjessi.com, 1
+curvysarah.com, 1
+cuscoloko.com.br, 1
+cusfit.com, 1
+cusgpwoerden.nl, 1
+cushlaofgullion.com, 1
+cushytushiediapers.com, 1
+custer.tk, 1
+custercounty-co.gov, 1
+custercountymt.gov, 1
+custercountymttransit.gov, 1
+custercountyne.gov, 1
+custify.com, 1
+custodiamobili.roma.it, 1
+custodian.nl, 1
+custodyxchange.com, 1
+custom-wear.ua, 1
+customanarchy.tk, 1
+custombps.com, 1
+custombrokers.com.au, 1
+custombuttonco.com, 1
+customcircuitsltd.co.uk, 1
+customcraft.tk, 1
+customdissertation.com, 1
+customeessay.com, 1
+customer2you.com, 1
+customerfocus.co.za, 1
+customerservicemanager.com, 1
+customerservicepal.com, 1
+customerware.com.au, 0
+customessaystation.gq, 1
+customfiberglasscoaches.com, 1
+customfoodtruckgraphics.com, 1
+customhealthplans.com, 1
+customhomerealty.com, 1
+customisable.net, 0
+customizedcelebrations.co.uk, 1
+customleads.net, 1
+customlogoit.com, 1
+custommadecasino.com, 1
+custommadegolfevents.com, 1
+custompainted.ca, 1
+custompapers.com, 1
+custompoolsbydesign.com, 1
+customradio.tk, 1
+customromlist.com, 1
+customsandals.tk, 1
+customshort.link, 1
+customsportsocks.com, 1
+customtel.com.au, 1
+customwebsitesplus.com, 1
+customwritings.com, 1
+customwritingservice.com, 1
+customwritten.com, 1
+custosd.com, 1
+custosd.io, 1
+custosd.net, 1
+custosd.org, 1
+cut-piehler.de, 1
+cutads.ml, 1
+cutaneon.com, 1
+cutaquigusa.com, 1
+cute-urls.ml, 1
+cute2u.com, 1
+cuteboibutt.ml, 1
+cutehost.ga, 1
+cutemodel.ml, 1
+cutephil.com, 1
+cuthe.re, 1
+cutie-viewty.tk, 1
+cuties.chat, 1
+cutimbo.ovh, 1
+cutlinks.ml, 1
+cutme.fr, 1
+cutmylink.gq, 1
+cutner.co, 1
+cutout.ml, 1
+cutpasteprofit.tk, 1
+cutter.li, 1
+cuttingedgedoorandtrim.com, 1
+cuttingedgeoptronics.com, 0
+cuttingedgeperiodontist.com, 1
+cuttingedges.tk, 1
+cuubconsultancy.com, 1
+cuvantul.tk, 1
+cuve-ibc.be, 1
+cuvva.co, 1
+cuvva.co.uk, 1
+cuvva.com, 1
+cuvva.eu, 1
+cuvva.insure, 1
+cuvva.io, 1
+cuvva.it, 1
+cuvva.me, 1
+cuvva.net, 1
+cuvva.org, 1
+cuvva.uk, 1
+cuvva.us, 1
+cuwcd.gov, 1
+cuxpool.club, 1
+cuxpool.net, 1
+cuyahogacommunitycollege.tk, 1
+cuyahogacountyvotesoh.gov, 1
+cuzmall.com, 1
+cvalda.tk, 1
+cvazquez.es, 1
+cvbp.nl, 1
+cvc.digital, 1
+cvdeexpo.com, 1
+cvdesignr.com, 1
+cve-le-carrousel.ch, 0
+cvec.org, 1
+cvedetails.com, 1
+cvetpodokonnik.tk, 1
+cvglobal.cf, 1
+cvgt.com.au, 1
+cvhunter.hu, 1
+cvj.me, 1
+cvjd.me, 0
+cvlibrary.co.uk, 1
+cvlid.com, 1
+cvmatch.me, 1
+cvmu.jp, 1
+cvninja.pl, 1
+cvpartner.com, 1
+cvps.top, 0
+cvrn.cc, 1
+cvsec.org, 1
+cvsmash.io, 1
+cvtemplatemaster.com, 1
+cvtenerife.tk, 1
+cvv.cn, 1
+cvwdwater.gov, 1
+cvwizard.com, 1
+cvwrfut.gov, 1
+cw-bw.de, 0
+cw.center, 1
+cw3.fr, 1
+cwa-online.nl, 1
+cwaclub.tk, 1
+cwage.com, 0
+cwalla.com, 1
+cwallpapersheb.tk, 1
+cwaurora.top, 1
+cwbc-bearing.com, 1
+cwbrtrust.ca, 1
+cwc.gov, 1
+cwchristerw.com, 1
+cwchristerw.fi, 1
+cwcloudtest.com, 1
+cweagans.net, 1
+cwebdesign.tk, 1
+cwgallery.de, 0
+cwgaming.co.uk, 1
+cwglass.pl, 1
+cwgpllc.com, 1
+cwi.fi, 1
+cwinfo.eu, 1
+cwinfo.fi, 1
+cwinfo.net, 1
+cwinfo.org, 1
+cwmart.in, 1
+cwmcpe.tk, 1
+cwo.fi, 1
+cwp.com.sg, 1
+cwr.gov, 1
+cwrau.com, 1
+cwrau.de, 1
+cwrau.info, 1
+cwrau.io, 1
+cwrau.rocks, 1
+cwtsamplecenter.com, 1
+cwwise.com, 1
+cx100.io, 1
+cxbmystore.com, 1
+cxcarepro.com, 1
+cxense.com, 1
+cxfund.com.cn, 1
+cxologic.com, 1
+cxologic.io, 1
+cxologic.net, 1
+cxologic.org, 1
+cxorisks.com, 1
+cxotrustsummit.com, 1
+cy.ax, 1
+cy.technology, 1
+cyanhexagon.com, 1
+cybbh.space, 1
+cybeautiful.com.br, 1
+cybelesoft.com, 1
+cyber-anon.tk, 1
+cyber-article.tk, 1
+cyber-computer.club, 1
+cyber-core.co.uk, 1
+cyber-links.tk, 1
+cyber-m.net, 1
+cyber-mech.tk, 1
+cyber-party.tk, 1
+cyber-resear.ch, 1
+cyber-shield.de, 0
+cyber-swiat.pl, 1
+cyber-travel.com, 1
+cyber-world.tk, 1
+cyber-yaroslavl.tk, 1
+cyber.cl, 1
+cyber.gov, 1
+cyber.info, 1
+cyber.je, 1
+cyber72.com, 1
+cyberab.org, 1
+cyberalternance.com, 1
+cyberark.com, 1
+cyberarmy.cc, 1
+cyberassurance.run, 1
+cyberattackincidentresponse.com, 1
+cyberautomobile.tk, 1
+cyberbangla.com, 1
+cyberblog.cn, 1
+cyberbook.ml, 1
+cyberbotx.com, 1
+cyberboy.tk, 1
+cyberburek.tk, 1
+cybercareers.gov, 1
+cybercat-tver.tk, 1
+cybercic.com, 1
+cyberclaw.tk, 1
+cybercloud.cc, 0
+cybercrew.cc, 1
+cybercrew.rocks, 1
+cybercrime-forschung.de, 1
+cybercrime.gov, 1
+cybercustodian.com, 1
+cyberdean.fr, 1
+cyberdevelopment.es, 1
+cyberdiscoverycommunity.uk, 1
+cyberdns.com, 1
+cyberdog.ch, 1
+cyberdragon.tk, 1
+cyberduck.io, 1
+cyberdyne.ie, 1
+cyberdyne.llc, 1
+cyberexplained.info, 1
+cyberfebrio.tk, 1
+cyberfla.me, 1
+cyberforensics.com, 1
+cyberforge.ml, 1
+cyberfruit.tk, 1
+cybergame-host.tk, 1
+cybergordon.com, 1
+cybergroup.cf, 1
+cyberhaus.ch, 1
+cyberhelden.nl, 1
+cyberhipsters.nl, 1
+cyberhost.uk, 1
+cyberianhusky.com, 0
+cyberis.com, 1
+cyberislam.tk, 1
+cyberium-planet.cf, 1
+cyberjake.xyz, 1
+cyberknife-sigulda.com, 1
+cyberkov.com, 1
+cyberlab.team, 1
+cyberlin.org, 1
+cyberlinchpin.com, 1
+cyberlocos.tk, 1
+cyberlounge.ga, 1
+cyberlux.cz, 1
+cybermall.ga, 1
+cybermaniac.tk, 1
+cybermaretique.fr, 1
+cybermatrixone.tk, 1
+cyberme.sh, 1
+cybermeldpunt.nl, 1
+cybermonday.org.il, 1
+cybermotives.com, 1
+cybern.tk, 1
+cybernews.com, 1
+cybernode.host, 1
+cyberogism.com, 1
+cyberon.it, 1
+cyberoptic.de, 1
+cyberoptions.ca, 1
+cyberpanel.cf, 1
+cyberpanelsetup.com, 1
+cyberpathogen.me, 1
+cyberpcforum.com, 1
+cyberpedia.wiki, 1
+cyberphoenix.tk, 1
+cyberplus.net.id, 1
+cyberpoint.az, 1
+cyberpro.club, 1
+cyberproducciones.tk, 1
+cyberprogramming.tk, 1
+cyberpuerta.mx, 1
+cyberpunk.guru, 1
+cyberquest.cf, 1
+cyberregister.nl, 1
+cyberregister.org, 1
+cyberrepair.de, 1
+cyberresilience.io, 1
+cyberry.eu, 1
+cybersafesolutions.com, 0
+cybersafetn.gov, 1
+cybersails.co.za, 1
+cybersamurai.tk, 1
+cyberscan.io, 1
+cyberschmiede.at, 1
+cyberschmiede.com, 1
+cyberschmiede.de, 1
+cybersec.help, 1
+cybersecurite-info.fr, 1
+cybersecurity.gov, 1
+cybersecurity.gr, 1
+cybersecurity.nz, 1
+cybersecurity.run, 1
+cybersecuritychallenge.be, 0
+cybersecuritydefence.co.uk, 1
+cybersecuritydegreeguide.com, 1
+cybersecurityeducationguides.org, 1
+cybersecurityforum.com.br, 1
+cybersecurityguide.in, 1
+cybersecurityincidentresponse.com, 1
+cybersecuritywerkt.nl, 1
+cybershark.space, 1
+cybershot.tk, 1
+cybersins.com, 1
+cyberskyline.com, 1
+cybersmart.co.uk, 1
+cybersmartdefence.com, 1
+cybersolution.tk, 1
+cybersound.tk, 1
+cyberspace.community, 1
+cyberspect.com, 1
+cyberspect.io, 1
+cyberspot-ci.net, 1
+cyberstatus.de, 1
+cybertalents.com, 1
+cyberteam.info, 1
+cybertinus.nl, 1
+cybertn.gov, 1
+cybertorsk.org, 1
+cybertrinity.co.uk, 1
+cybertron.cf, 1
+cybertronics.tk, 1
+cybertu.be, 1
+cyberwandelendetakjes.tk, 1
+cyberwarhq.com, 1
+cyberwars.dk, 1
+cyberwebeyeos.com, 1
+cyberweightloss.com, 1
+cyberwire.nl, 1
+cyberworldexpert.tk, 1
+cyberxpert.nl, 1
+cyberzone.ml, 1
+cyberzones.gq, 1
+cybiko123.com, 1
+cyborgtheory.tk, 1
+cybozu.cn, 1
+cybozu.com, 1
+cybrient.com, 1
+cybrix.io, 1
+cybrossec.com, 1
+cybsafe.com, 1
+cyburbia.org, 1
+cycc.cloud, 1
+cyclamen.tk, 1
+cyclecoach.co.za, 1
+cycledownunder.com, 1
+cyclehackluxembourgcity.lu, 1
+cyclemasters.com, 1
+cycleshop.com.ua, 1
+cycleterrace.jp, 1
+cycling74.com, 1
+cyclingmonthlyest.ga, 1
+cyclisjumper.gallery, 1
+cyclize.cf, 1
+cyclonedesign.ca, 1
+cyclonemetals.com, 1
+cyclos.org, 1
+cycomm.ro, 1
+cyconet.org, 1
+cydetec.com, 1
+cydogbrowser.com, 1
+cyelint.com, 1
+cyesec.com, 1
+cyfly.org, 1
+cygnaltech.com, 1
+cygnan.com, 1
+cygnatus.com, 1
+cygnius.net, 1
+cyjm.com, 1
+cykelbanor.se, 1
+cyklistika24.cz, 1
+cylex-italia.it, 1
+cylex.noip.me, 1
+cyllos.me, 1
+cynchealth.org, 1
+cynetco.com, 1
+cynicaloptimist.me, 1
+cynology.ga, 1
+cynop.me, 1
+cynrgie.fr, 1
+cynthiacherry.com, 1
+cyon.ch, 1
+cyoubook.com, 1
+cype.dedyn.io, 1
+cyph.com, 1
+cyph.healthcare, 1
+cyph.ws, 1
+cyphar.com, 1
+cypherbot.org, 1
+cypherpunk.observer, 1
+cypherpunk.ws, 1
+cypressca.gov, 1
+cypressinheritancesaga.com, 1
+cypresslegacy.com, 1
+cyprus-company-for.gr, 1
+cyprus-company-service.com, 1
+cyptechost.co.ke, 1
+cyqual.com, 1
+cyraco.com, 1
+cyrenianhouse.com, 1
+cyrex.tech, 0
+cyril-leytsihovich.ml, 1
+cyriletsophie.fr, 1
+cyrilmurphy.com, 1
+cyrilstoll.ch, 1
+cyrix-systems.tk, 1
+cyroco.fr, 1
+cyrokx.com, 1
+cyrozap.com, 1
+cyrusdaily.tk, 1
+cysecure.co, 1
+cysi.in, 1
+cyson.tech, 1
+cyspro.ch, 1
+cystotech.com, 1
+cytat.tk, 1
+cytegic-update-packages.com, 1
+cytn.xyz, 1
+cytophil.com, 1
+cyumus.com, 1
+cyvault.io, 1
+cyware.com, 1
+cz.ma, 1
+cz.nl, 1
+czakey.net, 1
+czarni-czarne.tk, 1
+czaw.org, 1
+czbix.com, 1
+czbtm.com, 1
+czc.cz, 1
+czdoll2.com, 1
+czdoll4.com, 1
+czdoll5.com, 1
+czdoll6.com, 1
+czdoll7.com, 1
+czdoll8.com, 1
+czdoll9.com, 1
+czebox.cz, 1
+czech.is, 1
+czechcrystals.co.uk, 1
+czechglaskralen.nl, 1
+czechhunter.com, 1
+czechpoint.cz, 1
+czechps.cz, 1
+czechvirus.cz, 1
+czeh.us, 1
+czewo-data.de, 1
+czihak.at, 0
+czirnich.org, 1
+czk.mk, 1
+czl.net, 0
+czlx.co, 0
+cznburak.co.uk, 1
+czprothz.tk, 1
+czqu.cc, 1
+czqu.net, 1
+czqu.xyz, 1
+czteryporyroku.edu.pl, 1
+czwartybrat.pl, 1
+czymamdzisimieniny.pl, 1
+czzs.org, 1
+d-20.fr, 1
+d-consultant.ru, 1
+d-cuba.com, 1
+d-day.tk, 1
+d-diabetiki.ru, 1
+d-eisenbahn.com, 1
+d-influencers.com, 1
+d-ku.de, 1
+d-macindustries.com, 1
+d-mind.de, 1
+d-shed.tk, 1
+d-soft.tk, 1
+d-solutions.com.au, 1
+d-systems.tk, 1
+d-tousei.co.jp, 1
+d-toys.com.ua, 1
+d-training.de, 1
+d-uhlig.de, 1
+d-va.cf, 1
+d-vision-create.com, 1
+d.ac, 1
+d.nf, 1
+d.nr, 1
+d00228.com, 0
+d00d.de, 1
+d0g.cc, 1
+d0xq.net, 1
+d10ses.com, 1
+d166.net, 1
+d1b2k93bahaw3s.cloudfront.net, 1
+d1gital.org, 1
+d1iwhdc6scsqsn.cloudfront.net, 1
+d1pbyafuxn3mkm.cloudfront.net, 1
+d1pyhxxwnnp9rt.cloudfront.net, 1
+d1qvlbepn0kduz.cloudfront.net, 1
+d1v7neu4o1h4vp.cloudfront.net, 1
+d2.gg, 1
+d21laxujm54z8h.cloudfront.net, 1
+d24zgh0u05bzjw.cloudfront.net, 1
+d25sxbgdpzj1st.cloudfront.net, 1
+d2evs.net, 1
+d2m3-uat.azurewebsites.net, 1
+d2ph.com, 1
+d2toledo.com, 1
+d2trade.tk, 1
+d2woj1dt0tk6sn.cloudfront.net, 1
+d36533.com, 1
+d36594.com, 1
+d39rl9amo4q27v.cloudfront.net, 1
+d3d3.tk, 1
+d3dev.cf, 1
+d3lab.net, 1
+d3scene.org, 1
+d3x.pw, 1
+d3xt3r01.tk, 1
+d4done.com, 1
+d4fx.de, 1
+d4h.live, 1
+d4insight.com, 1
+d4wson.com, 1
+d4x.de, 1
+d500world.tk, 1
+d5197.co, 1
+d58beu28.com, 1
+d5k.one, 1
+d64.nl, 1
+d6729.co, 1
+d6729.com, 0
+d6957.co, 1
+d6c5yfulmsbv6.cloudfront.net, 1
+d8.io, 1
+d8181.com, 1
+d82365.com, 1
+d88.ag, 1
+d88.cc, 0
+d88.cn.com, 1
+d88118.com, 1
+d8812.com, 1
+d8814.com, 1
+d8816.com, 1
+d8819.com, 1
+d8834.com, 1
+d883vip.com, 1
+d8845.com, 1
+d8846.com, 1
+d8847.com, 1
+d884vip.com, 1
+d8859.com, 1
+d885vip.com, 1
+d886vip.com, 1
+d8870.net, 1
+d8874.com, 1
+d8878.com, 1
+d887vip.com, 1
+d88818.com, 1
+d8886.net, 1
+d88869.com, 1
+d8891.net, 1
+d88agent.com, 1
+d88siteintro.com, 1
+d898.app, 1
+d899365.com, 0
+d8studio.net, 1
+d9297.co, 1
+d9397.com, 1
+d9728.co, 1
+d9and10sports.com, 1
+da-schaewel.de, 1
+da-tex.com.ua, 1
+da-tixe.ml, 1
+da-tixe.tk, 1
+da42foripad.com, 1
+da4colorado.gov, 1
+daadn.cn, 0
+daaje-und-andre.de, 1
+daallexx.eu, 1
+daanbanaan.tk, 1
+daanial.tk, 1
+daann-wch.com.tw, 1
+daaxit.com, 1
+dabai.cf, 1
+dabai.ga, 1
+dabai.ml, 1
+dabai.photo, 1
+dabaixiong.com, 1
+dabasstacija.lv, 1
+dabbagam.tk, 1
+dabhand.studio, 1
+dabi.tk, 1
+dabrecords.co.uk, 1
+dabro.tk, 1
+dabuzz.tk, 1
+dacada-porn.com, 1
+dacangku.com, 1
+daceurope.co.uk, 1
+dacgroup.com, 1
+dacha-letom.ml, 1
+dacha.today, 0
+dachb0den.net, 1
+dachdecker-ranzenberger.de, 1
+dachdeckerei-hagen.de, 0
+dachdeckermeister-egon-weiss.de, 1
+dachdeckermeister-moeller.de, 1
+dachet.com, 1
+dachlaeufer.com, 1
+dachnie-reshenia.ru, 1
+dachnyvopros.info, 1
+dachshundsaspets.com, 1
+dachshundtalk.com, 1
+daciaforum.nl, 1
+daciamodellen.nl, 1
+daconsult.uk, 1
+dacsanchatviet.com, 1
+dacsansach.com, 1
+dad, 1
+dad256.tk, 1
+dada.is, 0
+dadafterforty.be, 1
+dadcentral.ca, 1
+daddarios.tk, 1
+daddybio.com, 1
+daddyfinger.me, 1
+daddyhax.ml, 1
+daddylive.link, 1
+daddylonglegs.tk, 1
+daddyschickenshack.com, 1
+daddysfranchising.com, 1
+daddysluder.net, 1
+dadecityfl.gov, 1
+dadecountymo911.gov, 1
+dado.cloud, 1
+dado.fr, 1
+dado.me, 1
+dado.virtual.museum, 1
+dadoilustrado.pt, 1
+dadons-laserdiscs.com, 1
+dadoresanguepsiria.pt, 1
+dadosch.de, 0
+dadrian.io, 1
+dadsarmy.tk, 1
+daduke.org, 1
+daedalusdesigns.co, 1
+daemen.org, 1
+daemon-hentai.tk, 1
+daemon.xin, 1
+daemons.ml, 1
+daemonslayer.net, 1
+daemwool.ch, 1
+daer.cloud, 1
+daevel.com, 1
+daevel.fr, 1
+daevel.net, 1
+dafassl.com, 1
+dafater.sa, 1
+dafe2021.ee, 1
+dafengche.com, 1
+dafengding.com, 1
+daffodilusa.org, 1
+dafmeyda.com, 1
+dafong.com, 1
+dafont.com, 1
+dafunda.com, 1
+dafuq.xyz, 1
+dafyddcrosby.com, 1
+dag-berlin.tk, 1
+dag-konsult.com, 1
+dag-ogni.tk, 1
+dagallemaal.be, 1
+daganghalal.com, 1
+daganzo.tk, 1
+dagbestedingwarrie.nl, 1
+dagensannonser.se, 1
+dagestan-guide.ru, 1
+dagestan.cf, 1
+dagestanci.tk, 1
+dagestanec.tk, 1
+daggas.life, 1
+daggastest.com, 1
+dagirl.uno, 1
+dagjetreinen.nl, 1
+daglar-domany.tk, 1
+dagmar2018.cz, 1
+dagmarhamalova.cz, 1
+dagrands.com, 1
+dagrs.se, 1
+dagsell.ga, 1
+daha.net, 1
+dahaboffers.tk, 1
+dahag-status.de, 1
+dahl-pind.dk, 1
+dahlberg.cologne, 1
+dahlem.info, 1
+dahobo.tk, 1
+dai.top, 0
+daidogei.com, 1
+daidothi.vn, 1
+daidr.me, 1
+daie-inc.com, 1
+daijin.com, 1
+daikokuyajp.com, 1
+daikonsystems.com, 1
+daikoz.com, 1
+daili.eu, 1
+daily-puzzle.tk, 1
+daily-solution.pro, 0
+daily-sudoku.tk, 1
+daily.it, 1
+dailyalerts.ga, 1
+dailybihar.com, 1
+dailybits.be, 1
+dailyblocks.com, 1
+dailyblogged.com, 1
+dailybusiness.tk, 1
+dailycricnews.tk, 1
+dailydealika.com, 1
+dailydodge.com, 1
+dailydote.com, 1
+dailydoze.com, 1
+dailyfictive.com, 1
+dailyfish.ru, 1
+dailygamemoments.com, 1
+dailyhealthylife.ml, 1
+dailyhealthylife.tk, 1
+dailyhomestore.cl, 1
+dailyjigsawpuzzles.net, 1
+dailyjoy.com, 1
+dailykos.com, 1
+dailykosbeta.com, 1
+dailylime.kr, 1
+dailylviv.com, 1
+dailymedicalinfo.com, 1
+dailymotion.com, 1
+dailynewsclubs.ga, 1
+dailynewsfrommedjugorje.ml, 1
+dailyotovinfast.com.vn, 1
+dailyphototips.com, 0
+dailypop.ru, 1
+dailyporncams.com, 1
+dailypost.ng, 1
+dailyprogress.com, 1
+dailyreels.ga, 1
+dailyrenewblog.com, 1
+dailyroverr.com, 1
+dailysomething.site, 1
+dailysportfan.com, 1
+dailysuperheroes.com, 1
+dailytrip.de, 1
+dailyusbusiness.tk, 1
+dailywarteg.com, 1
+dailywealth.com, 1
+dailywork.ga, 1
+dailyxenang.com, 1
+daimonikos.com, 1
+dairikab.go.id, 1
+daisidaniels.co.uk, 1
+daisuki.pw, 1
+daisy-peanut.com, 1
+daisydevbi.net, 1
+daisydollyandme-dev.com, 1
+daisydollyandme.com, 1
+daisyindia.org, 1
+daisypeanut.com, 1
+daisypeel.com, 1
+daisyscars.cf, 1
+daja.ml, 1
+dajaks.tk, 1
+dajaskincare.nl, 1
+daji.ba, 1
+dajiale.org, 1
+dajjal.org, 1
+dak.org, 1
+dakartmarket.com, 1
+dakcess.net, 1
+daken.hu, 1
+daki-host.tk, 1
+dakin.nyc, 1
+dakindesign.com, 1
+daknam.tk, 1
+daknob.net, 1
+dakota-fanning.tk, 1
+dakota-spain.tk, 1
+dakota911mn.gov, 1
+dakotacil.org, 1
+dakotas.com, 1
+dakotavalleyrecyclingmn.gov, 1
+dal-loop.xyz, 1
+dal.net.sa, 1
+dalagore.com, 1
+dalaran.city, 1
+dalb.in, 1
+dalbar.com, 1
+dalbarsqm.com, 1
+dalbitresb.com, 1
+daldropsbb.com, 1
+daleanddollops.com, 1
+dalecountyal.gov, 1
+dalek.co.nz, 1
+dalevuelta.tk, 1
+daleworley.com, 1
+dalfsennet.nl, 1
+dali-boli.me, 1
+dalianbbq.com, 1
+dalil.tk, 1
+dalingk.com, 1
+dalkhola-city.tk, 1
+dalkhola.tk, 1
+dalkholaphotos.tk, 1
+dallapartedeltorto.tk, 1
+dallas.gov, 1
+dallas.lu, 1
+dallascaraccidentlawyers.net, 1
+dallascowboys.tk, 1
+dallasfire.gov, 1
+dallaslife.org, 1
+dallaslu.com, 1
+dallaslu.eu.org, 1
+dallasobgynpa.com, 1
+dallasor.biz, 1
+dallaspolice.gov, 1
+dallastexas.ml, 1
+dallaswater.gov, 1
+dallaswestinternational.ga, 1
+dallatana.tk, 1
+dallatur.com.br, 1
+dallemon.dk, 1
+dalliard.ch, 1
+dallinbryce.com, 1
+dallincooper.com, 1
+dalliope.com, 1
+dallmeier.net, 0
+dallydushigrill.com, 0
+dalmatians.tk, 1
+dalsin.ir, 1
+daltoncraven.com, 1
+daltonohio.gov, 1
+daltons.tk, 1
+dalux.com, 1
+dalycity.gov, 1
+damadam.pk, 1
+damades.com, 1
+damag.net, 1
+damaged.org, 1
+damanlu.com, 1
+damanlv.com, 1
+damarsarkilar.tk, 1
+damasgonzalezabogados.com, 1
+damassimo.bg, 1
+dambachpeacebuilderfellowships.org, 1
+dambo.tk, 1
+dame.cf, 1
+damedrogy.cz, 1
+dameeq.cf, 1
+dameisports.com, 0
+damgoodmedia.com, 1
+damianmalrechauffe.tk, 1
+damianus.hr, 1
+damibaby.com.br, 1
+damicris.ro, 1
+damienchicotphotographe.fr, 1
+damienduhamel.tk, 1
+damiengobron.com, 1
+damienoreilly.org, 1
+damifph.com, 1
+damirsystems.com, 1
+damjanovic.work, 1
+dammekens.be, 1
+dammu.tk, 1
+damnation.tk, 1
+damnednation.tk, 1
+damngoodpepper.com, 0
+damnkid.ml, 1
+damnmodz.com, 1
+damonline.dk, 1
+dampedia.com, 1
+dampfbahn-leverkusen.com, 1
+dampfbahn-leverkusen.de, 1
+dampferchef.ch, 1
+dampoo.com, 1
+damsafety.co.nz, 1
+damscheid.de, 1
+damuhan.tk, 1
+damvdolg.gq, 1
+dan-bureau.com, 1
+dan-informacijske-varnosti.si, 1
+dan-maskiner.tk, 1
+dan-saba.com, 1
+dan.me.uk, 1
+dan124.com, 1
+dana-hilliot.tk, 1
+danaandnathan.com, 1
+danadameson.tk, 1
+danads.com, 1
+danalpay.com, 1
+danalytics.com.pe, 1
+danamica.dk, 1
+danandkatiegetmarried.com, 1
+danandrum.com, 1
+danangcitytours.com, 1
+danarozmarin.com, 1
+danashamsters.tk, 1
+danasweed.com, 1
+danbailey.com, 1
+danbaldwinart.com, 1
+danbao.com, 1
+danbarrett.com.au, 0
+danbergen.com, 1
+danbolig.dk, 1
+danca.com, 1
+dance-colleges.com, 1
+dance-school.tk, 1
+dancechart.tk, 1
+dancefm.tk, 1
+dancehome.com, 1
+dancehubsa.com.au, 1
+danceonline.fi, 1
+danceordienet.tk, 1
+danceproducciones.com, 1
+dancerzone.tk, 1
+danceworld.tk, 1
+danchen.org, 1
+danchestertonphoto.co.uk, 1
+dancingangels.tk, 1
+dancingcubs.co.uk, 1
+danclassroom.com, 1
+dandan101.com, 1
+danddy.eu, 1
+dandelikaliadventure.com, 1
+dandelion-seeds.com, 1
+dandelionjunkqueens.tk, 1
+dandenongroadapartments.com.au, 1
+danderco.in, 1
+dandia.ro, 1
+dandie.tk, 1
+dandsplumbers.com, 1
+danduran.me, 1
+dandymodz.tk, 1
+dandymrsb.com, 1
+danecounty.gov, 1
+danejones.com, 1
+danelska.pl, 1
+danelski.pl, 1
+danesara.com, 1
+daneshtools.tk, 1
+danfromit.co.uk, 1
+danfromit.com, 1
+dangeredwolf.com, 1
+dangerscience.com, 1
+dangmai.tk, 1
+dangr.zone, 0
+danhalliday.com, 1
+danhotels.co.il, 1
+danhotels.com, 1
+dania.gq, 1
+dania.ml, 1
+danibooks.de, 1
+daniel-ayala.tk, 1
+daniel-baumann.ch, 1
+daniel-beilharz.com, 1
+daniel-beilharz.de, 1
+daniel-cholewa.de, 1
+daniel-leblanc.tk, 1
+daniel-milnes.co.uk, 1
+daniel-milnes.uk, 1
+daniel-monaghan.co.uk, 1
+daniel-ruf.de, 1
+daniel-san.de, 1
+daniel-stahl.net, 1
+daniel-topalov.ga, 1
+daniel.priv.no, 1
+daniel.sb, 1
+danielacocco.it, 1
+danielacorahansson.com, 1
+danieladentista.com, 1
+danielaeichberger.com, 1
+danielaferpe.tk, 1
+danielalvarez.net, 1
+danielaswish.org, 1
+danielbankhead.com, 1
+danielbarros.com.br, 1
+danielbeilharz.com, 1
+danielbeilharz.de, 1
+danielbeltejar.es, 1
+danielcardoso.net, 1
+danielcolquitt.com, 1
+danieldavies.co.uk, 1
+danielderidderfansite.tk, 1
+danieldevine.tk, 1
+danielduran.tk, 1
+daniele.tech, 1
+danielehniss.de, 0
+danieleluttazzi.tk, 1
+danieleoneta.it, 0
+danielepestilli.com, 0
+danielg0.co.uk, 1
+danielg0.com, 1
+danielgil.pt, 1
+danielgorr.de, 1
+danielgray.email, 1
+danielgray.me, 1
+danielgraziano.ca, 1
+danielhammond.tk, 1
+danielheal.net, 0
+danielhinterlechner.eu, 1
+danielhurley.com, 1
+danielhurley.eu, 1
+danielhurley.ie, 1
+danielhurley.info, 1
+danielhurley.org, 1
+danielittlewood.xyz, 1
+danielj.tk, 1
+danieljamesscott.org, 1
+danielkanchev.com, 1
+danielkoster.nl, 1
+daniellecavazos.com, 1
+danielleskosky.com, 1
+daniellespringer.tk, 1
+daniellesteel.com, 1
+danielluisrodriguezs.com, 1
+danielmartin.de, 1
+danielmicay.ca, 1
+danielmicay.com, 1
+danielmoch.com, 1
+danielmorales917.com, 1
+danielmorell.com, 1
+danielnaaman.com, 1
+danielnaaman.org, 1
+danielnet.co, 1
+danielparker.com.au, 1
+danielpeukert.cz, 1
+danielportfolio.es, 1
+danielran.com, 1
+danielroelsontwerp.nl, 1
+danielrozenberg.com, 1
+danielruiz.tk, 1
+danielsblog.org, 1
+danielshaw.co.nz, 1
+danielshealth.com.au, 1
+danielstach.cz, 1
+danielstiner.me, 1
+danielt.co.uk, 0
+danielthompson.info, 1
+danieltollot.de, 0
+danielvaduva.tk, 1
+danielve.ga, 1
+danielverlaan.nl, 1
+danielwayman.co.uk, 1
+danielwelty.com, 1
+danielwildhaber.ch, 1
+danielzuzevich.com, 1
+danifabi.eu, 1
+danilapisarev.com, 1
+danilov-abrosimov.org.ua, 1
+danish.cf, 1
+danish.events, 1
+danishbytes.club, 1
+danishiqbal.tk, 1
+danispage.tk, 1
+danituuu7.tk, 1
+daniweb.com, 1
+daniya.tk, 1
+danjesensky.com, 1
+dankburritofranchise.com, 1
+danke.moe, 1
+dankeroni.de, 1
+dankevich.ru, 1
+dankie.com.br, 1
+dankim.de, 0
+dankojunasevic.tk, 1
+dankrpg.xyz, 1
+danla.nl, 1
+danlockton.tk, 1
+danloona.nl, 1
+danmaby.com, 1
+danmarksbedstefredagsbar.dk, 1
+danmassarano.com, 1
+danminkevitch.com, 0
+danmoldovan.tk, 1
+danndorf.com, 0
+dannemora.tk, 1
+dannhanks.com, 1
+dannicholas.net, 1
+danniellealbrechtdesigns.com, 1
+dannon.com, 1
+danny-rohde.de, 1
+danny.fm, 1
+dannycairns.com, 0
+dannycavanagh.tk, 1
+dannydiamondsconcrete.com, 1
+dannygaidateraelgar.com, 1
+dannyhoekstra.tk, 1
+dannyhorne.com, 1
+dannyjota.tk, 1
+dannymoran.com, 1
+dannyoficial.tk, 1
+dannyroh.de, 1
+dannyrohde.de, 1
+dannyscloud.tk, 1
+dannystevens.co.uk, 1
+dannytemming.tk, 1
+dannyvanwamelen.tk, 1
+danoji.cf, 1
+danone.es, 1
+danonenorthamerica.com, 0
+danotage.tv, 1
+danovamix.com.br, 1
+danpiel.net, 1
+danportik.com, 1
+danq.me, 1
+danramer.tk, 1
+dansage.co, 0
+dansasphaltmaintenance.com, 1
+dansaunders.me, 1
+dansedesalonsaintave.fr, 1
+danselibre.net, 1
+danselibre.org, 1
+dansemacabre.tk, 1
+danseressen.nl, 1
+dansk8bit.dk, 1
+danske.events, 1
+danskemedier.dk, 1
+danskoya.com, 1
+danslan.org, 1
+danslavieyadescactus.ch, 1
+danstillman.com, 1
+danstoncu.be, 1
+dantana.de, 1
+dante.ms, 1
+dantesinferno.tk, 1
+danthecloudman.com, 1
+dantikap.tk, 1
+danux.co.uk, 1
+danvillein.gov, 1
+danvillevt.gov, 1
+danw.io, 1
+danwaibel.com, 1
+danwelty.co, 1
+danwelty.me, 1
+danwelty.net, 1
+danwelty.org, 1
+danwillenberg.com, 1
+danwin.de, 1
+danwin1210.de, 1
+danwise.online, 1
+danwolff.se, 1
+danya.ml, 1
+danyabanya.com, 1
+danyasa.com, 1
+danzavila.com, 1
+danzenyogadaycare.com, 1
+danzka.tk, 1
+dao.spb.su, 1
+daofficers.com, 1
+daojian.com, 1
+daole.com, 1
+daomo.com, 1
+daoplattunhien.com.vn, 1
+daoro.net, 0
+daoudi.it, 1
+dapasten.com, 1
+daphne.informatik.uni-freiburg.de, 1
+daphnedietz.com, 1
+dapoxetinagenerico.cf, 1
+dapoxetine.gq, 1
+dapperdom.net, 1
+dapps.earth, 1
+dappui.com, 1
+daprint.tk, 1
+dapss-ut.gov, 1
+dapursolo.tk, 1
+daqq.com, 1
+daracokorilo.com, 1
+darador.net, 0
+darajambili.com, 1
+daramad-telegram.ga, 1
+daravk.ch, 1
+darbi.org, 1
+darc-mak.de, 1
+darci.tech, 1
+darcyinspired.com, 1
+darcymarshall.com, 1
+dare.deals, 1
+darean.ml, 1
+daredorm.com, 1
+dareechayhome.com.pk, 1
+darenc.gov, 1
+darenet.org, 1
+daresay.games, 1
+daresay.studio, 1
+daresaygames.com, 1
+daretogain.com, 1
+darf.nl, 1
+darfurwall.org, 1
+dari.wiki, 1
+daricaun.com, 1
+dariela.tk, 1
+darientownwi.gov, 1
+darienvillagewi.gov, 1
+dario.gq, 1
+dariosirangelo.me, 1
+darioturchetti.me, 1
+darioush.com, 0
+dariusheghbali.tk, 1
+darix.tk, 1
+dark-ages.tk, 1
+dark-crystal.tk, 1
+dark-dreams.tk, 1
+dark-infection.de, 1
+dark-lake.com, 1
+dark-legion.tk, 1
+dark-nova.me, 1
+dark-nova.tk, 1
+dark-programs.com, 1
+dark-vision.cz, 1
+dark-wolf.tk, 1
+dark.direct, 1
+dark.fail, 1
+darkag.ovh, 1
+darkartstudios.tk, 1
+darkbeam.com, 1
+darkbit.gr, 1
+darkboysmedia.com, 1
+darkbyte.com, 1
+darkcelebration.tk, 1
+darkcodes.icu, 1
+darkcores.net, 1
+darkct.com, 1
+darkcure.tk, 1
+darkdestiny.ch, 1
+darkengine.io, 1
+darkengine.net, 1
+darkenluster.space, 1
+darkerlystormy.com, 0
+darkerstormy.com, 0
+darkestproductions.net, 1
+darkfeeling.tk, 1
+darkfilm.tk, 1
+darkfire.ch, 1
+darkfirestudios.tk, 1
+darkforceofhappiness.tk, 1
+darkgames.cf, 1
+darkgrid.eu, 1
+darkhall.tk, 1
+darkhuntersworld.tk, 1
+darkinvasion.tk, 1
+darkishgreen.com, 1
+darkkeepers.tk, 1
+darklang.com, 1
+darklaunch.com, 1
+darkleia.com, 1
+darklite.ml, 1
+darklybasic.com, 1
+darkmail.cf, 1
+darkmanthra.tk, 1
+darkmattertechnology.com, 1
+darkmattertechnology.net, 1
+darkmemo.com, 1
+darkmilknyeremeny.hu, 1
+darkness-and-light.tk, 1
+darkness.sk, 1
+darknessflickers.com, 0
+darknessinme.tk, 1
+darknight.blog, 1
+darkoctoberseance.com, 1
+darkoff.tk, 1
+darkotip.tk, 1
+darkovepredmety.cz, 1
+darkpassionsite.tk, 1
+darkperu.tk, 1
+darkphantom.tk, 1
+darkprince.tk, 1
+darkrain.nl, 1
+darkrisks.com, 1
+darkscience.tk, 1
+darksecret.dk, 1
+darkserver.fedoraproject.org, 1
+darkserver.stg.fedoraproject.org, 1
+darksideprod.tk, 1
+darksignsgame.tk, 1
+darkskymap.com, 1
+darksoilcbd.com, 1
+darksonic.tk, 1
+darkspacelab.com, 1
+darkspike.tk, 1
+darkstar-digital.com, 1
+darksystems.tk, 1
+darktechnology.tk, 1
+darktide.tk, 1
+darktime.ru, 1
+darkwater.info, 1
+darkwater.tk, 1
+darkweb.wtf, 1
+darkwebkittens.xyz, 0
+darkwoods.tk, 1
+darkx.me, 1
+darkxxxtube.com, 1
+darlehen-ratgeber.de, 1
+darlen.com, 1
+darlene.hu, 1
+darlenenbocek.com, 1
+darlingdownscoffee.com.au, 1
+darlington.tk, 1
+darlingtonia.nl, 1
+darlingtonwi.gov, 1
+darmowy-tarot.pl, 1
+darnashop.fr, 1
+darom.jp, 1
+darosen.eu, 1
+darpa.mil, 1
+darrenflemingphotography.co.uk, 1
+darrenlines.uk, 1
+darrenm.net, 1
+darrouzettisd.gov, 1
+darshanalytics.com, 1
+dart-tanke.com, 1
+dart-tanke.de, 1
+dartagnan.com, 1
+dartbeginners.tk, 1
+dartcarrousel.tk, 1
+dartcode.org, 0
+dartdriving.com, 1
+dartergroup.com, 1
+darthbraden.com, 1
+dartmold.com, 1
+dartmouth-health.org, 1
+dartmouth-hitchcock.org, 1
+dartnallministorage.com, 1
+dartstart.tk, 1
+dartydiscount.fr, 1
+darululum.ga, 1
+darwinkel.net, 1
+darwinpark.tk, 1
+darwinport.com.au, 1
+darwinsearch.org, 1
+darxx.com, 1
+darya.tk, 1
+daryl-wilcher.tk, 1
+daryl.moe, 1
+darylcumbo.net, 1
+darylwilcher.tk, 1
+darysvet.ru, 1
+das-clanpage.tk, 1
+das-efx.tk, 1
+das-forum24.de, 1
+das-maennermagazin.com, 1
+das-mediale-haus.de, 1
+das-pna.ao, 1
+das-sommercamp.de, 1
+das.nl, 1
+dasabomobil.de, 1
+dasble.com, 1
+dascan.com.br, 1
+dasdanny.de, 1
+daseinsfreu.de, 1
+daservajesus.com, 1
+daservajesus.net, 1
+dasfest.com, 1
+dasgeestig.nl, 1
+dash.com.co, 1
+dashboard.gov.ph, 1
+dashboard.run, 1
+dashboardph.com, 1
+dashboardphilippines.com, 1
+dashdoc.eu, 1
+dashdrive.net, 1
+dasher.co.za, 1
+dashice.com, 1
+dashipping.com, 1
+dashlane.com, 1
+dashofmedia.com, 1
+dashofting.com, 1
+dashwebconsulting.com, 1
+dasignsource.com, 1
+dasinternetluegt.at, 1
+daskirschhaus.com, 1
+dasler.eu, 1
+dasmailarchiv.ch, 1
+dasolindustrialpark.tk, 1
+dastchin.live, 1
+dastchin.shop, 1
+dasteichwerk.at, 0
+dastelefonbuch.de, 1
+dastomize.com, 1
+dasug.de, 1
+data-access-point.com, 1
+data-analyse.nl, 1
+data-detox.de, 1
+data-exchange.tk, 1
+data-jt.de, 1
+data-loader.com, 1
+data-mail.tk, 1
+data-mining.co.uk, 1
+data-privacy.tk, 1
+data-reader.de, 1
+data-replicator.cloud, 1
+data-replicator.com, 1
+data-servers.com, 1
+data-wing.ga, 0
+data.gov, 1
+data.govt.nz, 1
+data.haus, 1
+data.world, 1
+data18.com, 1
+data3w.nl, 1
+dataadvantage.se, 1
+database-excel-integration.com, 1
+database-word-integration.com, 1
+database.com, 1
+databasedrivers.cloud, 1
+databasez.net, 1
+databeam.de, 0
+databiz.ga, 1
+datablender.nl, 1
+databutlr.com, 1
+databutlr.net, 1
+datacalle.com, 1
+datacandy.com, 0
+datacaptive.com, 1
+datacave.is, 1
+datacenterbrasil.ga, 1
+datacenternews.asia, 1
+datacenternews.co.nz, 1
+datacenternews.us, 1
+datacenterunited.com, 1
+datacentrenews.eu, 1
+datacentresupport.com, 1
+datacloud.gq, 1
+datacomm.com, 1
+datacommissioner.gov.au, 0
+datacool.tk, 1
+datadefendersforum.com, 1
+datadoghq.com, 1
+datadorf.de, 1
+datadraugen.no, 1
+datadyne.technology, 1
+dataentry.top, 1
+datafarms.com, 1
+datafloq.com, 1
+dataformers.at, 0
+datagate.com.br, 1
+datagir.ir, 0
+datagrail.io, 1
+datagrid.ga, 1
+dataguidance.com, 1
+dataguru.lv, 1
+dataharvest.at, 1
+datahaus.construction, 1
+datahoarder.xyz, 1
+datahove.no, 1
+datainvest.pl, 1
+datakick.org, 1
+datakl.com, 1
+datalich.com, 1
+datalife.gr, 1
+datalift.io, 0
+dataloft.tk, 1
+datalogistics.lt, 1
+datalok.de, 0
+datalysis.ch, 0
+dataman.ml, 1
+datamationgroup.com, 1
+datamish.com, 1
+datapathadmin.com, 1
+datapiped.com, 1
+dataprivacyframework.gov, 1
+dataprivacysolution.com, 1
+dataproject.com, 1
+datapun.ch, 1
+datarails.com, 1
+dataregister.info, 1
+datarobot.com, 1
+dataroom-online.org, 1
+datarooms-advisor.org, 1
+datarooms.com, 1
+datasat.solutions, 1
+datascience.cafe, 1
+datasciencedojo.com, 1
+datasciocean.tech, 1
+datashock.com, 1
+datasite.com, 1
+dataskydd.net, 1
+datasourcenj.org, 1
+dataspace.pl, 1
+datastack.design, 1
+datastar.net, 1
+datastream.org, 1
+datastream.re, 0
+datastudio.google.com, 1
+datasubject.com, 1
+datasubjects.com, 1
+datasunrise.com, 1
+datasupporthub.com, 1
+dataswamp.org, 1
+datateknologsektionen.se, 0
+datatips.cl, 1
+datatree.nl, 1
+datatrics.com, 0
+datatruckers.com, 1
+datatruckers.email, 1
+datatruckers.eu, 1
+datatruckers.net, 1
+datatruckers.nl, 1
+datatruckers.org, 1
+datatruckers.social, 1
+datatube.tk, 1
+datatypes.net, 1
+datavitec.com, 1
+datavizable.org, 1
+datavoiceoptions.com, 1
+datawar.tk, 1
+datax-cloud.de, 1
+dataxl.net, 1
+datazoo.asia, 1
+datazoo.com, 1
+datdt.com, 1
+date-hijri.net, 1
+dateien.at, 1
+dateierweiterung.com, 1
+datelligent.com, 1
+datema.no, 1
+datememe.com, 1
+datenbitch.org, 0
+datengrab.ws, 1
+datengrab.xyz, 1
+datenightmovies.com, 1
+datenkeks.de, 1
+dateno1.com, 1
+datenreiter.cf, 1
+datenreiter.gq, 1
+datenretter.tk, 1
+datenrettung360.at, 1
+datenrettung360.de, 1
+datensalat.info, 1
+datenschutz-consult.de, 1
+datenschutz-gruenwald.de, 1
+datenschutz-individuell.de, 1
+datenschutz-isny.de, 1
+datenschutz-leutkirch.de, 1
+datenschutz-luebbecke.de, 1
+datenschutz-oberschwaben.de, 1
+datenschutz-ravensburg.de, 1
+datenschutz-recht-medizin.de, 1
+datenschutz-wangen.de, 1
+datenschutz-weingarten.de, 1
+datenschutzgrundverordnung.de, 1
+datenschutztag.org, 1
+datenschutzzentrum.de, 1
+datenwerkstatt.net, 1
+datessrit.tk, 1
+dating.wedding, 1
+datingadvice.gq, 1
+datingbedrog.tk, 1
+datingblog.tk, 1
+datingfakecheck.com, 1
+datinglocalgirls.com, 1
+datingonlinecheck.com, 1
+datingopportunitiesest.ga, 1
+datingru.ml, 1
+datingru.tk, 1
+datingsite.ml, 1
+datingsrit.tk, 1
+datingswagger.ga, 1
+datingticino.ch, 0
+datingwebsitesforteenagers.cf, 1
+datingyourmate.ga, 1
+datj.net, 1
+datmancrm.com, 1
+datnenhamiltongarden.com, 1
+datomize.com, 1
+datorb.com, 1
+datorhjalp-stockholm.se, 1
+datorhjalpen.link, 1
+datorhjalptaby.se, 1
+datos-quimsaitw.es, 1
+datosfreak.tk, 1
+datovy-portal.cz, 1
+datovy-portal.sk, 1
+datovyaudit.cz, 1
+datovyportal.cz, 1
+datovyportal.sk, 1
+dattelking.com, 1
+dattelking.de, 1
+datumplus.co.uk, 1
+datumstudio.jp, 1
+datumvandaag.eu, 1
+dature.cloud, 1
+datustribe.tk, 1
+datutoday.tk, 1
+datutorials.tk, 1
+datzen.com, 1
+daubecity.de, 1
+daubehosting.de, 1
+dauenhauer.de, 1
+daughertyplasticsurgery.com, 1
+daughtridgeenergy.com, 1
+daugoitot.com, 1
+daum-group.de, 1
+daunatotala.ro, 1
+daunt.link, 1
+dauphincounty.gov, 1
+dausendschoen.de, 1
+davalochki.tk, 1
+davar1.co.il, 1
+davd.cf, 1
+dave-pearce.com, 1
+daveaglick.com, 0
+daveaustin.xyz, 1
+davebelton.com, 1
+davebodnar.tk, 1
+davebuis.tk, 1
+davecardwell.com, 1
+daveedave.de, 0
+davelucia.com, 1
+davemusic.tk, 1
+davenportok.gov, 1
+daveoc64.co.uk, 1
+davepearce.com, 1
+davepermen.net, 1
+davepullig.co.uk, 1
+daveredfern.com, 1
+daveroverts.nl, 0
+davesharpe.com, 1
+davesplace.tk, 1
+davetempleton.com, 1
+davewardle.com, 1
+daveyconstructions.com, 1
+davichete.me, 1
+david-almeida.co.uk, 1
+david-andrawos.fr, 1
+david-beckham-online.tk, 1
+david-clarke.id.au, 1
+david-corry.com, 1
+david-edu.com, 1
+david-jeffery.co.uk, 1
+david-merkel.de, 1
+david-nextcloud.ddns.net, 1
+david-osipov.me, 1
+david-osipov.vision, 1
+david-pearce.com, 1
+david-reess.de, 1
+david-schiffmann.de, 1
+david.kitchen, 1
+davidadrian.org, 1
+davidalbert.me, 1
+davidandersson.se, 1
+davidbach.com, 1
+davidband.com.au, 1
+davidbranco.me, 1
+davidbrito.tech, 1
+davidbrookes.me, 0
+davidbyrne.tk, 1
+davidcityne.gov, 1
+davidcraft.de, 1
+davidcrousehouse.com, 1
+davidczihak.at, 0
+daviddesberg.com, 1
+daviddietrich.com, 1
+davidebaraglia.it, 1
+davidebasile.tk, 1
+davidelstob.com, 1
+davideonlain.tk, 1
+davidepalma.it, 1
+davidereinato.tk, 1
+davidetmagali.fr, 1
+davidfarland.com, 1
+davidfindlay.org, 1
+davidforward.net, 1
+davidfuentes.es, 1
+davidgarza.email, 1
+davidgarza.me, 1
+davidgouveia.net, 1
+davidgreig.uk, 1
+davidgroup.co.id, 1
+davidgroup.id, 1
+davidgrudl.com, 1
+davidhanle.com, 1
+davidinteriors.tk, 1
+davidje13.com, 1
+davidjktofan.com, 1
+davidjusto.com, 1
+davidkatz.tk, 1
+davidkeane.com, 1
+davidkennardphotography.com, 1
+davidking.xyz, 1
+davidknoll.me.uk, 1
+davidkyburz.ch, 1
+davidlamprea.com, 1
+davidlamprea.eu, 1
+davidlane.io, 0
+davidlemler.me, 1
+davidlillo.com, 1
+davidlindekilde.dk, 1
+davidlouisedelman.com, 1
+davidlyness.com, 1
+davidmanouchehri.com, 1
+davidmcevoy.org.uk, 1
+davidmessenger.co.uk, 1
+davidmgarvin.com, 1
+davidmlujan.com, 1
+davidmocq.com, 1
+davidn.cz, 1
+davidnadaski.com, 1
+davidnoren.com, 0
+davidops.com, 0
+davidorsot.com, 1
+davidovskakreu.tk, 1
+davidpatrickwilson.us, 1
+davidpearce.com, 1
+davidpearce.org, 1
+davidpescarolo.it, 1
+davidrichardson.com, 1
+davidritchie.tk, 1
+davidrteixeira.com, 1
+davids.online, 1
+davidsanker.com, 1
+davidschadlich.com, 1
+davidscherzer.at, 1
+davidsdika.com, 1
+davidsimner.me.uk, 1
+davidson-berquist.com, 1
+davidsonberquist.com, 1
+davidsopas.com, 0
+davidstark.name, 1
+davidstrickler.net, 1
+davidstuff.net, 1
+davidsun.info, 1
+davidsun.name, 1
+davidtiffany.com, 1
+davidtorres4congress.com, 1
+davidvilla.tk, 1
+davidzarza.tk, 1
+davidzeegers.nl, 1
+davidzimmerman3.com, 1
+davie3.com, 1
+daviesscountyin.gov, 1
+daviesscountyinsheriff.gov, 1
+davimun.org, 1
+davinamccall.tk, 1
+davinciwaldorfschool.org, 1
+davisboroga.gov, 1
+daviscannabisco.com, 1
+daviscountyelectionsutah.gov, 1
+daviscountyiowa.gov, 1
+davisdieselandautorepair.com, 1
+davisgrana.tk, 1
+davison.tech, 1
+davisontwp-mi.gov, 1
+davisvision.com, 1
+davmimer-mercerie.ro, 1
+davorin.cf, 1
+davosalestax.com, 1
+davros.eu, 1
+davros.ru, 1
+davulcuyuz.com, 1
+davy-server.com, 1
+davyatletiek.tk, 1
+davyjonesatacado.com.br, 1
+davypropper.com, 1
+dawaai.pk, 1
+daware.io, 1
+dawg.eu, 1
+dawgs.ga, 1
+dawidpotocki.com, 1
+dawidwrobel.com, 1
+dawnbringer.eu, 1
+dawnbringer.net, 1
+dawnbyte.ch, 1
+dawnlydialnyc.com, 1
+dawnofhope.tk, 1
+dawnson.is, 1
+dawnzine.com, 1
+dawonelectron.com, 1
+dawonmedax.com, 1
+dawprogram.org, 1
+dawrimiz.com, 1
+dawson-floridavilla.co.uk, 1
+dawsoncountyga.gov, 1
+dawsoncountyne.gov, 1
+dawsonmt.gov, 1
+dax.do, 1
+dax.guide, 1
+daxenexpress.com, 1
+daxis.io, 1
+daxisweb.net, 1
+daxo.io, 1
+daxoptimizer.com, 1
+daxos.tk, 1
+daxpatterns.com, 1
+daxperience.eu, 1
+daxrunbase.com, 1
+day, 1
+day-of-battlecats.blog, 1
+day.marketing, 1
+dayachts.com, 1
+daybreaklearning.com.au, 1
+daybuy.tw, 1
+daycomtech.com, 1
+daycontactlens.com, 1
+daycubrem.com, 1
+daydream.team, 1
+dayekelly.com, 1
+dayesh.tk, 1
+daygametraining.com, 1
+daylafit.com, 1
+daylightpirates.org, 1
+daymail.io, 1
+dayman.net, 1
+daymarksi.com, 1
+daymi.co, 1
+daymprove.life, 1
+daynia.net, 1
+daynightdrugs.com, 1
+dayoadetiloye.com, 1
+dayofdays.be, 1
+dayofthegirl.gc.ca, 1
+dayslater.tk, 1
+daysnews.tk, 1
+daysoftheyear.com, 1
+dayswithnostabbings.ca, 1
+daytonahealthsolutions.com, 1
+daytonaparadise.tk, 1
+daytonpcrepair.com, 1
+dayuse-hotels.it, 1
+dayuse.co.uk, 1
+dayuse.com, 1
+dayuse.com.hk, 1
+dayuse.cz, 1
+dayuse.de, 1
+dayuse.es, 1
+dayuse.fr, 1
+dayuse.se, 1
+dayvillefire.gov, 1
+daywind.com, 1
+daywindmusicgroup.com, 1
+daywindrecordingstudio.com, 1
+daywindrecords.com, 1
+daywindworship.com, 1
+dayz.com, 1
+daz8activator.com, 1
+dazenelevator.ph, 1
+dazz.it, 1
+dazzit.ca, 1
+dazzit.com, 1
+dazzit.io, 1
+dazzit.net, 1
+dazzit.org, 1
+dazzit.xyz, 1
+dazzledrive.tk, 1
+dazzlepulse.tk, 1
+dazzlestart.com, 1
+dazzleworks.tk, 1
+db-sanity.com, 1
+db-works.nl, 1
+db.ci, 1
+dba-support.nl, 1
+dbapress.org, 1
+dbaron.org, 1
+dbas.cz, 1
+dbase.cf, 1
+dbasolucoesadministrativas.com.br, 1
+dbautoservice.nl, 1
+dbb.wtf, 1
+dbcartography.com, 1
+dbdisco.co.uk, 1
+dbeilharz.com, 1
+dbeilharz.de, 1
+dbeilharz.eu, 1
+dbentertainment.co.uk, 1
+dbfopraga-pn.waw.pl, 1
+dbgames.info, 1
+dbhome.org, 1
+dbhouse.tk, 1
+dbic.ro, 1
+dbildungscloud.de, 1
+dbinderbilling.com, 1
+dbjc.tk, 1
+dbjg.com, 1
+dblabsite.net, 1
+dblcastles.co.uk, 1
+dbldub.net, 1
+dblsuretybonds.com, 1
+dbmiller.org, 1
+dbmnet.be, 1
+dbnext.de, 1
+dboptical.com, 1
+dbox.ga, 1
+dbpkg.com, 0
+dbplanview.com, 1
+dbq.com, 1
+dbradley771.com, 1
+dbrand.com, 0
+dbrgn.ch, 1
+dbs.cl, 0
+dbsalon.beauty, 1
+dbsbeautystore.cl, 1
+dbsinergy.tk, 1
+dbsinternational.org, 1
+dbt3ch.com, 1
+dbtechreviews.com, 1
+dbtest5.com, 1
+dbtotalnet.tk, 1
+dbtsai.com, 0
+dbtunder.tk, 1
+dbushell.com, 1
+dbw678.com, 1
+dbxtopstconverter.org, 1
+dc-acupuncture.com, 0
+dc-design.tk, 1
+dc-elektro.com, 1
+dc-elektro.de, 1
+dc-elektro.eu, 1
+dc-forum.tk, 1
+dc-occasies.be, 1
+dc-service.by, 1
+dc-solutions.at, 1
+dc-texas.com, 1
+dc-zone.com, 1
+dc7342.im, 1
+dcain.me, 1
+dcampusbd.com, 1
+dcards.in.th, 1
+dcareer.tk, 1
+dcave.net, 1
+dcboe.org, 1
+dcbouncycastles.co.uk, 1
+dcc.cat, 1
+dcc.moe, 1
+dcc.name, 1
+dccdurgor1nbl.cloudfront.net, 1
+dccode.gov, 1
+dccomputerrepair.com, 1
+dccpropane.com, 1
+dccwiki.com, 0
+dcdestetica.it, 1
+dcgprecisionpainters.co.nz, 1
+dchatelain.ch, 0
+dchauriga.com, 0
+dchest.org, 1
+dci.com.br, 1
+dcimpianti.it, 1
+dckd.nl, 1
+dcklvr.fr, 1
+dcl.re, 1
+dclaisse.fr, 1
+dclm.org, 1
+dclmwp.com, 1
+dcm.com, 1
+dcmarvelunited.com, 1
+dcmcleanair.com, 1
+dcmediahosting.com, 1
+dcmeventmanagement.com, 1
+dcmt.co, 1
+dcnews.jp, 1
+dcnews.ro, 1
+dco.sg, 1
+dcomedieta.it, 1
+dcoremassagechairs.com, 1
+dcparts.com.br, 1
+dcpl.bt, 1
+dcpower.eu, 1
+dcpro.pt, 1
+dcpudwa.gov, 1
+dcrdev.com, 1
+dcs.pp.ua, 1
+dcso.de, 1
+dcsoky.gov, 1
+dctrl.ch, 1
+dcustody.xyz, 1
+dcvc.com, 1
+dcw.io, 1
+dcyph.de, 1
+dd-groupinc.com, 1
+dd.art.pl, 1
+dd.center, 1
+dd00228.com, 0
+dd11d.net, 1
+dd202d.com, 1
+dd207d.com, 1
+dd214.gov, 1
+dd215d.com, 1
+dd23project.com, 1
+dd33d.net, 1
+dd3ah.de, 1
+dd5197.co, 1
+dd6729.co, 1
+dd6729.com, 0
+dd6957.co, 1
+dd9297.co, 1
+dd9728.co, 1
+dda.gov.ae, 1
+ddatsh.com, 1
+ddays2008.org, 1
+ddcakedeliveryservice.co.uk, 1
+dddd.loan, 1
+dddmelbourne.com, 1
+ddeaejwa.ml, 1
+ddel.de, 1
+dden.ca, 0
+dden.website, 1
+ddf.net, 1
+ddhlawyers.com, 1
+ddhosted.com, 0
+ddi.one, 1
+ddiaz.tk, 1
+ddinox.be, 1
+ddjia.com, 0
+ddjlawtampa.com, 1
+ddk.dn.ua, 1
+ddkdoradztwo.pl, 1
+ddkkitchens.com, 1
+ddma.nl, 1
+ddmail.se, 1
+ddmeportal.com, 1
+ddns-anbieter.de, 1
+ddns-test.de, 1
+ddnsip.cn, 1
+ddnsweb.com, 0
+ddog-gov.com, 1
+ddos-mitigation.co.uk, 1
+ddos-mitigation.info, 1
+ddosguard.cf, 1
+ddosolitary.org, 1
+ddproxy.cf, 1
+ddracepro.net, 1
+ddraum.de, 1
+ddsdiscounts.com, 1
+ddy.tw, 1
+de-basiliek.tk, 1
+de-ella.com, 1
+de-google-ify.org, 1
+de-groot.it, 1
+de-haas.dk, 1
+de-kramers.nl, 1
+de-lucadesigns.com.au, 1
+de-medici.nl, 1
+de-mossadeq.tk, 1
+de-ooyevaar.be, 1
+de-ooyevaar.com, 1
+de-ooyevaar.de, 1
+de-ooyevaar.nl, 1
+de-osopanda.com, 1
+de-penaranda.be, 1
+de-rwa.de, 1
+de-servers.de, 1
+de-spil.be, 1
+de.gt, 1
+de.ls, 1
+de.md, 1
+de.search.yahoo.com, 0
+de.vg, 1
+dea.gov, 1
+dead-letter.email, 1
+dead-parrot.de, 1
+deadbeef.ninja, 1
+deadboyskilling.tk, 1
+deadbybeats.tk, 1
+deadc0de.re, 1
+deadcode.ca, 1
+deadcoderssociety.tk, 1
+deadescape.tk, 1
+deadhead.tk, 1
+deadlift.tk, 1
+deadlockcoaching.com, 1
+deadpixel.tk, 1
+deadpoolonline.ga, 1
+deadpulse.com, 1
+deadpvp.eu, 1
+deadroot.tk, 1
+deadsamaritan.tk, 1
+deadsea.tk, 1
+deadshortaudio.com, 1
+deadspin.com, 1
+deadvoltage.com, 1
+deaecom.gov, 1
+deaf.eu.org, 1
+deafsound.tk, 1
+deaktualisierung.org, 0
+deal-runners.cf, 1
+deal45.ga, 1
+dealandgo.co.il, 1
+dealapp.nl, 1
+dealbanana.no, 1
+dealchip.tk, 1
+dealcoupons.in, 1
+dealcruiser.nl, 1
+dealdump.nl, 1
+dealerselectric.com, 1
+dealerwriter.com, 1
+dealinflatables.co.uk, 1
+dealjumbo.com, 1
+deallix.com, 1
+dealnxt.com, 1
+dealogic.com, 1
+dealpost.it, 1
+dealproject.org.au, 1
+dealroom.co, 1
+dealschief.com, 1
+dealsfinders.blog, 1
+dealsfromheaven.com, 1
+dealsinaz.com, 1
+dealsmagnet.com, 1
+dealsomart.com, 1
+dealsoncart.com, 1
+dealsonhealth.net, 1
+dealstreet.fr, 1
+dealzme.com, 1
+deamonmail.tk, 1
+deamsterdam.ml, 1
+deanandnatalia.co.za, 1
+deanbank.com, 1
+deanconsultancy.co.uk, 1
+deane.li, 1
+deano-s.co.uk, 1
+deanvending.com, 1
+dear-children.ga, 1
+dear-olivia.com, 1
+dearborn.gov, 1
+dearbornheightsmi.gov, 1
+dearburma.com, 1
+dearktiel.nl, 1
+deasserstadsloop.nl, 1
+deasy-store.com, 1
+deasyvow.com, 1
+death.social, 1
+deathberry.ddns.net, 1
+deathclub.eu, 1
+deathcult.fun, 1
+deathlords.tk, 1
+deathmarch.tk, 1
+deathofspring.com, 0
+deathrockstar.tk, 1
+deathsdomain.com, 1
+deathwar.tk, 1
+deathwarrior.tk, 1
+deathy.ro, 1
+deavel.com, 1
+deavel.fr, 1
+deavel.net, 1
+deavon.tk, 1
+debacker.biz, 1
+debarbas.com, 1
+debarkader34.tk, 1
+debarras-diogene.paris, 1
+debarrasantony.com, 1
+debarrasasnieressurseine.com, 1
+debarrasboulognebillancourt.com, 1
+debarrasclichy.com, 1
+debarrascolombes.com, 1
+debarrasnanterre.com, 1
+debashishsahu.com, 1
+debateisland.com, 1
+debats.tk, 1
+debattinnlegg.no, 1
+debatyun.jp, 0
+debauchery.ml, 1
+debbiesblog.nl, 1
+debbiessieraden.tk, 1
+debedstedanskecasinoer.dk, 1
+debeer.tech, 1
+debelareabogados.es, 1
+debelicd.tk, 1
+debesiukas.lt, 1
+debesteaedwinkel.nl, 1
+debesteehbodoos.nl, 1
+debewaker.tk, 1
+debian.link, 1
+debianizzati.org, 1
+debigare.com, 1
+debijloke.be, 1
+debijloke.gent, 1
+debitcloud.com, 1
+debitterballetjes.tk, 1
+deblender.be, 1
+deblender.shop, 1
+deblier.dynv6.net, 1
+deblocking.ga, 1
+deboekaniers.be, 1
+debofnight.com, 1
+deboo.info, 1
+debora-singkreis.de, 1
+deborahkaty.tk, 1
+deborahmarinelli.eu, 1
+debostero.tk, 1
+deboutpourlemali.ml, 1
+debraj.in, 1
+debraj.xyz, 0
+debraydesign.com.au, 1
+debricked.com, 1
+debrunet.nl, 1
+debruns.ie, 1
+debt-consolidation-reviews.org, 1
+debtdandy.com, 1
+debtmetricest.ga, 1
+debtpaypro.com, 1
+debtrecycling.com.au, 1
+debtsolution.cf, 1
+debtsolution.tk, 1
+debtsupportcentre.co.uk, 1
+debtsy.com, 1
+debuemon.com, 1
+debugging.tk, 1
+deburen.tk, 1
+debut-mebel.ru, 1
+debutaredead.tk, 1
+debuyer.com, 1
+debyte.com, 1
+debzsh.tk, 1
+dec-ced.gc.ca, 1
+dec6.gc.ca, 1
+decadentdvices.com, 1
+decal-times.com, 1
+decalquai.ch, 0
+decamidea.it, 1
+decarrouseloss.nl, 1
+decathlon.ca, 1
+decathlon.co.il, 1
+decathlon.com.co, 1
+decathlon.in, 1
+decathlon.lt, 1
+decathlon.lv, 1
+decathlon.my, 1
+decathlon.ph, 1
+decathlon.vn, 1
+decathlonag2r.com, 1
+decaturcountyiowa.gov, 1
+decaturcountytn.gov, 1
+decaturhistory.com, 1
+decaturish.com, 1
+deceasedonline.com, 1
+decentrala.org, 1
+dechan.com, 1
+dechat.nl, 1
+decherdtn.gov, 1
+dechetor.fr, 1
+dechow.ddns.net, 1
+decibelnewmusic.com, 1
+decide.hopto.org, 1
+decidetreatment.org, 1
+decima.bg, 1
+decimatechnologies.eu, 1
+decimation.tk, 1
+decipe.com, 1
+decis.fr, 1
+decisif-pacifique.com, 1
+decisionssometimes.ml, 1
+decisiontime.online, 0
+decisivetactics.com, 1
+deciso.eu, 1
+decisora.com, 1
+deckerville-mi.gov, 1
+deckfix.co.nz, 1
+deckshop.pro, 1
+deckzone.fr, 1
+declarando.es, 1
+declarativ.ga, 1
+declivitas.com, 1
+declutteringmymess.com, 1
+deco-parisienne.fr, 1
+decoating.pl, 1
+decock-usedcars.be, 1
+decode.ga, 1
+decodeanddestroy.com, 1
+decofire.pl, 0
+decokeuken.nl, 1
+decologisticsgh.com, 1
+decompression.tk, 1
+decompressneuroma.com, 1
+deconstructind.ro, 1
+decontentmaaksters.nl, 1
+decopros.fr, 1
+decor-anna.com, 1
+decor-essentials.com, 0
+decor-live.ru, 1
+decor-prazdnik.ru, 1
+decorahia.gov, 1
+decoral.org, 1
+decorarei.com, 1
+decoratingadvice.co.uk, 1
+decorations-elmotamaiz.com, 1
+decoratiunidulci.ro, 1
+decorativeconcretewa.com.au, 1
+decorativecosmetics.tk, 1
+decorator.uk, 1
+decoratore.roma.it, 1
+decorestilo.com.br, 1
+decorlux.bg, 1
+decorluxmuebles.com, 1
+decormiernissanparts.com, 1
+decorno.tk, 1
+decorpol-renovation.fr, 1
+decorsolucionesgraficas.es, 1
+decorumcomics.com, 1
+decosoftware.com, 1
+decotax.com, 1
+decotonic.com, 1
+decotrend.ro, 1
+decoyoctopus.tk, 1
+decrousaz-ceramique.ch, 0
+decrypt.co, 1
+decrypto.net, 1
+decs.es, 1
+decstasy.de, 1
+decsys.work, 1
+decubex.com, 1
+dedal.store, 0
+dedede.ro, 1
+dedektor.com, 1
+dedelta.net, 1
+dedeo.tk, 1
+dedg3.com, 1
+dedge.org, 1
+dedicatedservers.cf, 1
+dedmoroz.ga, 1
+dedmoroz.gq, 1
+dedmorozrzn.ru, 0
+dedns.com, 1
+dedoho.pw, 1
+dedoles.at, 1
+dedoles.com, 1
+dedoles.cz, 1
+dedoles.de, 1
+dedoles.hu, 1
+dedoles.pl, 1
+dedoles.ro, 1
+dedoles.sk, 1
+deduijventil.nl, 1
+dedurpsidioten.tk, 1
+dedyk.gq, 1
+dee.pe, 1
+dee.su, 1
+deechtebakkers.nl, 1
+deedixservice.com, 1
+deedoo.com, 1
+deedyinc.com, 1
+deeezy.com, 1
+deegeeinflatables.co.uk, 1
+deejayladen.de, 1
+deejayz.tk, 1
+deelmee.nl, 1
+deelmijnreis.nl, 1
+deelodge.art, 0
+deemasfashion.co.uk, 1
+deemasfashion.com, 1
+deemasfashion.us, 1
+deenergiecentrale.be, 1
+deenergiecentrale.gent, 1
+deeonix.eu, 1
+deep-core.tk, 1
+deep-labs.com, 1
+deep-wave-hair-extensions.tk, 1
+deep6.ai, 1
+deepaero.com, 1
+deeparamaraj.com, 1
+deepbluecrafting.co.uk, 1
+deepblueemail.com, 1
+deepbuy.tech, 1
+deepcreampie.com, 1
+deepgame.tk, 1
+deephill.com, 1
+deephustlellc.com, 1
+deepid.com, 1
+deepinnov.com, 1
+deepinsight.io, 1
+deepl.com, 1
+deeplink-medical.com, 1
+deepmountains.tk, 1
+deepnote.com, 1
+deeps.cat, 1
+deepserve.info, 1
+deepset.ai, 1
+deepset.com, 1
+deepsingh.tk, 1
+deepsky.tk, 1
+deepsoulutions.cf, 1
+deepsoulutions.ga, 1
+deepsoulutions.gq, 1
+deepsoulutions.ml, 1
+deepspace.dedyn.io, 1
+deepu-mathew.tk, 1
+deepumathew.tk, 1
+deepvalley.tech, 1
+deepwoodshop.com, 1
+deerfieldknoll.com, 1
+deeringnh.gov, 1
+deerlycke.tk, 1
+deesse-gaia.fr, 1
+def-pos.ru, 1
+defamiliehagen.com, 1
+defaultisafault.com, 1
+defcon.org, 1
+defcon.social, 1
+defcongame.tk, 1
+defcongroups.org, 1
+defectivebydesign.org, 1
+defeestboek.nl, 1
+defeestridders.tk, 1
+defelo.de, 1
+defelo.ml, 1
+defence.pk, 1
+defencemilcis2022.com.au, 1
+defend2.org, 1
+defendanimals.com, 1
+defender-pro.com, 1
+defendinnovation.org, 1
+defendtheweb.co.uk, 1
+defendtheweb.net, 1
+defenestrazionedipra.ga, 1
+defensefrontit.com, 1
+defenseweapon.tk, 1
+defensie.tk, 1
+defensivefirearmsinstruction.org, 1
+defensoresunidos.tk, 1
+defero.io, 1
+defesa.gov.br, 1
+defesaaereanaval.com.br, 1
+deffo.com.au, 0
+defi-metier.com, 0
+defi-metier.fr, 0
+defi-metier.org, 0
+defi-metiers.com, 0
+defi-metiers.org, 0
+defiant.com, 1
+defichain.com, 1
+defietsambassade.be, 1
+defietsambassade.gent, 1
+defietsambassadegent.be, 1
+defifa.ga, 1
+defile.ml, 1
+defiler.tk, 1
+defimetier.fr, 0
+defimetier.org, 0
+defimetiers.com, 0
+defimetiers.fr, 0
+define-atheism.com, 1
+define-atheist.com, 1
+defineatheism.com, 1
+defineatheist.com, 1
+definethenoise.tk, 1
+definingterms.com, 1
+definitely.cn, 0
+definitions360.com, 1
+definitivepressurewashing.com, 1
+defiscalisation.ml, 1
+defiscan.live, 0
+defisolutions.ch, 0
+defkey.com, 1
+deflumeri.com, 1
+deflumeriker.com, 1
+defme.eu, 1
+defont.nl, 1
+defreitas.no, 1
+defriesezaak.nl, 1
+deftek.com, 1
+defterikebir.tk, 1
+deftig-und-fein.de, 1
+defunct-engineers.ml, 1
+defuse.ca, 1
+degala.tk, 1
+degasten.tk, 1
+dege.me, 1
+degeberg.com, 1
+degeberg.dk, 1
+degeeks.xyz, 1
+degen-elektrotechnik.de, 1
+degenerativediscdiseaseexplained.com, 1
+degens.io, 1
+degentseflikkenzoekenu.be, 1
+degeo.cf, 1
+degeo.ml, 1
+degestamptepot.nl, 1
+degewonegezondemeid.nl, 1
+degilde.tk, 1
+degirmenkasi.tk, 1
+degit.de, 1
+dego.biz.id, 0
+degoeiewebsite.cf, 1
+degooglisons-internet.com, 1
+degooglisons-internet.fr, 1
+degooglisons-internet.org, 1
+degooglisons.org, 1
+degooglisonsinternet.org, 1
+degooglize.org, 1
+degoulet.net, 1
+degraafschapdierenartsen.nl, 1
+degracetechnologie.com, 1
+degradarium.com, 1
+degraissagehotte.fr, 1
+degrasboom.org, 1
+degravel.net, 1
+degreecollege.tk, 1
+degreeducation.tk, 1
+degreequalified.com, 1
+degreesofcomfort.com, 1
+degreesonline.com, 1
+degressif.com, 1
+degroetenvanrosaline.nl, 1
+degrootenslot.nl, 0
+degrootsteshop.nl, 1
+degustuju.cz, 1
+dehaagsehogeschool.nl, 1
+dehaanadvocatenkantoor.nl, 1
+dehaancaravans.nl, 1
+dehippeouder.nl, 1
+dehkade3.ml, 1
+dehoga-reisen.de, 1
+dehop.re, 1
+dehopre.com, 1
+dehumanizer.com, 1
+deiaprint.com, 1
+deidee.nl, 1
+deimos.gq, 1
+dein-baumdienst.de, 1
+dein-trueffel.de, 1
+dein.mx, 1
+deinballon.de, 1
+deindeal.ch, 1
+deineagentur.de, 1
+deinelakaien.tk, 1
+deinewebsite.de, 1
+deinhardt.com, 1
+deinjoghurt.de, 1
+deinsparen24.de, 1
+deionized.ga, 1
+deisedigital.com, 1
+deitec-global.com, 1
+deitti.net, 1
+deja-lu.de, 1
+dejandayoff.com, 1
+dejaren80.tk, 1
+dejavu.ml, 1
+dejected.ga, 1
+dejfcold.cz, 1
+dejie.com, 1
+dejiren.com, 1
+dejmidarek.cz, 1
+dejon-whirlpools.de, 1
+dejongonline.eu, 1
+dejorisenkeesshow.tk, 1
+dejoylandschools.com, 1
+dejure.org, 0
+dejuzconsults.com, 1
+dekalbcountyclerkil.gov, 1
+dekalbcountymo.gov, 1
+dekampioenen.tk, 1
+dekasegi-kansai.com, 1
+dekasegifuzoku.com, 1
+dekasseguiempregos.com, 1
+dekel.co.il, 1
+dekeurslagers.nl, 1
+dekhanyalcalde.com, 1
+dekinai.moe, 1
+dekko.io, 1
+dekleinezeppos.be, 0
+dekonijnenburcht.tk, 1
+dekorasyonu.net, 1
+dekoration.cf, 1
+dekoration.gq, 1
+dekoration.ml, 1
+dekoration.tk, 1
+dekordiyon.com, 1
+dekulk.nl, 0
+del-ex.de, 1
+delahrzolder.nl, 1
+delam.site, 1
+delamoreretirement.com.au, 1
+delanomn.gov, 1
+delaquila.com.co, 1
+delartouducocon.com, 1
+delasamericas.tk, 1
+delavega.ua, 1
+delavska-hranilnica.si, 1
+delavska.si, 1
+delawarehealth.tk, 1
+delawarenation-nsn.gov, 1
+delawaretwpmi.gov, 1
+delay-dengi.cf, 1
+delaydengy.tk, 1
+delaysoft.tk, 1
+delcan.ga, 1
+delcan.gq, 1
+delcan.ml, 1
+delcity.gov, 1
+delcopa.gov, 1
+delcopalandbank.gov, 1
+deldadegan.tk, 1
+delduca.casa, 1
+deleesanghers.tk, 1
+delegao.moe, 1
+deleidscheflesch.nl, 1
+delete.cf, 1
+deletebin.com, 1
+deletebin.org, 1
+delfi.ee, 1
+delfi.lt, 1
+delfi.net, 1
+delfic.org, 1
+delfinus.tk, 1
+delftstudy.nl, 1
+delhi-escorts.in, 1
+delhi.edu, 1
+delhicleanairforum.tk, 1
+delhitourism.gov.in, 1
+delhitownshipmi.gov, 1
+deli-fuzoku.jp, 1
+deliacreates.com, 1
+deliandiver.org, 1
+delicaclubphils.tk, 1
+delicadosonico.tk, 1
+delicale.com.br, 1
+delicatewonders.com, 1
+delici.art.br, 1
+deliciascomercial.com, 1
+deliciaskitchen.com, 1
+delicious-audio.com, 1
+delicious.gq, 1
+deliciousmedia.co.uk, 1
+deliciousmedia.net, 1
+delicioustable.com, 1
+delicon.jp, 1
+delijan24.ir, 1
+delika.io, 1
+delikom.de, 1
+delio.tk, 1
+delirio.tk, 1
+delisoft.ca, 1
+delistudio.cf, 1
+delitefully.com, 1
+delitto.top, 1
+deliuksta.lt, 1
+deliverability.guru, 1
+delivereasy.tk, 1
+delivery.it, 1
+deliveryman.site, 1
+delivr.com, 1
+deljeconiah.com, 1
+delker.com, 1
+delkomrockdrill.com, 1
+dellacasapizzasemassas.com.br, 1
+dellamorte.tk, 1
+dellasano.com, 1
+dellie.com, 1
+dellipaoli.com, 1
+dellirium.tk, 1
+delmarsumter.nl, 0
+delofderonvolmaaktheid.tk, 1
+delogo.nl, 1
+delontewest.tk, 1
+delorenzi.dk, 1
+deloretta.com, 1
+delosgaia.nl, 1
+delpark.de, 1
+delphia.ai, 1
+delphia.com, 1
+delphibasics.tk, 1
+delphij.net, 1
+delphinarabic.tk, 1
+delphine.dance, 1
+delphinewong.com, 1
+delprete.me, 1
+delpuertohealth.gov, 1
+delrayengineering.ca, 1
+delsfranchise.com, 1
+delsolphotography.com, 1
+delta-data.ch, 1
+delta-electric.net, 1
+delta-games.tk, 1
+delta-hawks.tk, 1
+delta-host.ml, 1
+delta-market.ru, 1
+delta.ai, 1
+delta.ru, 1
+delta24.ml, 1
+deltacity.net, 1
+deltacomputer.com, 1
+deltacomputer.de, 1
+deltacountyco.gov, 1
+deltacountymi.gov, 1
+deltacountymi.org, 1
+deltadentalmo.com, 1
+deltadentalsc.com, 1
+deltafm.tk, 1
+deltaloja.com.br, 1
+deltamusik.tk, 1
+deltamvcd.gov, 1
+deltanio.nl, 0
+deltaonlineguards.com, 1
+deltaphiepsilon.tk, 1
+deltaprise-events.de, 1
+deltarisk.com, 0
+deltaserat.tk, 1
+deltaservers.blog.br, 1
+deltaservers.com.br, 1
+deltasigmachi.org, 1
+deltasigmaxi1971.tk, 1
+deltasul.com.br, 1
+deltasuprimentos.com.br, 1
+deltav.ml, 1
+deltava.org, 1
+deltawolf.net, 1
+deltaworkssecurity.com, 1
+deltaworkssecurity.nl, 1
+delugarnenhum.com, 1
+delugerpg.com, 1
+delunee.co, 1
+deluxe-bot.tk, 1
+deluxe-dubai.com, 1
+deluxeblogtips.com, 1
+deluxecar.fr, 1
+delvemagazine.ca, 1
+delvinoadegas.com.br, 1
+delycate.com, 1
+delycate.fr, 1
+delzottolink.com, 1
+demaison.pro, 1
+demandbase.com, 1
+demander.tk, 1
+demandmatrix.com, 1
+demannen.tk, 1
+demarestnj.gov, 1
+demarit.fi, 1
+demascotas.es, 0
+demcra.com, 1
+demedx.at, 1
+demenagement-chalon.fr, 1
+demenagement-sfd.fr, 1
+demenagementagb.com, 1
+dementiacaring.com.au, 1
+dementiafactsexplained.com, 1
+dementiapraecox.de, 1
+dementieva-pennetta.tk, 1
+dementievriendelijk.gent, 1
+dementievriendelijkgent.be, 1
+demes.tk, 1
+demesos.tk, 1
+demetra-site.com.ua, 1
+demeubelmakelaar.nl, 1
+demeyere-usedcars.be, 1
+demfloro.ru, 1
+demicon.biz, 1
+demijn.nl, 1
+demilletech.net, 1
+demilovatomexico.tk, 1
+demine.freeboxos.fr, 1
+deminglaw.com, 1
+deminormaastricht.tk, 1
+demirdokum.tk, 1
+demisch-tim.de, 1
+demischtim.de, 1
+demish.tk, 1
+demmakina.com, 1
+demmarket.ru, 1
+demmer.one, 1
+demo-awl.com, 1
+demo-ferma.ga, 1
+demo.com.my, 1
+demo.sb, 1
+demo.swedbank.se, 1
+demobiliteitfinancier.nl, 1
+democracy-news.tk, 1
+democracy.cf, 1
+democracychronicles.com, 1
+democracydirect.com, 1
+democracyineurope.eu, 1
+democratherald.com, 1
+democratie.tk, 1
+democraziaineuropa.eu, 1
+demografia.tk, 1
+demohubglobal.com, 1
+demokisisel.tk, 1
+demokrasi.tk, 1
+demolandia.net, 1
+demolitetuto.fr, 1
+demomanca.com, 1
+demonbuster.tk, 1
+demondms.com, 1
+demonforums.tk, 1
+demoniak.ch, 1
+demonicademorte.tk, 1
+demonicresurrection.tk, 1
+demonics.tk, 1
+demonized.tk, 1
+demonmassacre.tk, 1
+demonoid.is, 1
+demonstrably.live, 1
+demontage.tk, 1
+demonwav.com, 1
+demonwithin.tk, 1
+demonwolfdev.com, 1
+demopanel.tk, 1
+demorgen.be, 1
+demostweb.ga, 1
+demotivatorbi.ru, 1
+demotrjct.online, 1
+demoussage-drone.fr, 1
+dempe.tk, 1
+dempsters.ca, 0
+demsh.org, 1
+demuzere.be, 1
+demuzere.eu, 1
+demuzere.net, 1
+demuzere.nl, 1
+demuzere.org, 1
+demxausa.com, 1
+den-fi.com, 1
+den.vc, 1
+dena.pro, 1
+denabot.pw, 1
+denachtegaalferwert.tk, 1
+denaehula.com, 1
+denali.net, 1
+denalisculpture.com, 1
+denarium.com, 1
+denatured.tk, 1
+denbar.org, 1
+dencel.lv, 1
+denchik.tk, 1
+dendi.tk, 1
+dendibanget.tk, 1
+dendra.io, 1
+dendrite.fail, 1
+denegka-mgnovenno.cf, 1
+denegmnogo.tk, 1
+denejki.tk, 1
+denet.pro, 0
+denformlab.lt, 1
+dengg.name, 1
+dengidoma24.ml, 1
+dengisrazu.tk, 1
+dengivdolg.ml, 1
+dengivdolg.tk, 1
+dengivdom.tk, 1
+dengjunhui.cn, 1
+dengyt.net, 1
+denhartogracing.com, 1
+denhotels.com, 1
+denied.gr, 1
+denieuwenederlandsevlag.tk, 1
+denimtoday.com, 1
+denince.net, 1
+denisaadolfova.com, 1
+denisadinu.com, 1
+denisdftnewyorklife.com, 1
+denisdimoski.tk, 1
+deniseeisenhauer.de, 1
+denisewakeman.com, 1
+denisglobal.com, 1
+denisgrandverger.de, 1
+denismusic.ga, 1
+denisontx.gov, 1
+denispiknjac.com, 1
+denissalignat.fr, 1
+denissealatinsoul.com, 1
+denistruffaut.fr, 0
+denisyakovlev.ga, 1
+denisyakovlev.ml, 1
+denisyan.ml, 1
+deniszczuk.pl, 1
+deniz.uk, 1
+denizdesign.co.uk, 1
+denizkutan.com, 1
+denizlicilingir.org, 1
+denizlihaber.tk, 1
+denizlihaberleri.tk, 1
+denizlisohbet.tk, 1
+denizuydur.nl, 1
+denk-it.be, 1
+denkeandersblog.de, 1
+denker.tk, 1
+denkerstube.net, 1
+denkit.com, 1
+denkmalagentur.ch, 1
+denkmalsetzung.at, 1
+denknowles.com, 1
+denkorolev.ga, 1
+denkubator.de, 1
+denner.ch, 1
+denninger.jp, 1
+denningny.gov, 1
+dennis-carpenter.com, 1
+dennisang.com, 1
+denniscsl.com, 1
+dennishenrique.com.br, 1
+dennishzg.com, 1
+denniskoot.nl, 1
+dennislicht.tk, 1
+dennismurphy.biz, 1
+dennisrubin.tk, 1
+dennisswiers.tk, 1
+dennistyfus.tk, 1
+dennisvandenbos.nl, 1
+dennmart.me, 1
+dennogumi.org, 1
+deno.com, 1
+denous.nl, 1
+denovo.energy, 1
+denovocorp.com, 1
+denrei.com, 1
+denshub.com, 1
+densocean.net, 1
+dent-academ.ru, 1
+dent.uy, 1
+denta-ua.com, 1
+dentad.com.ua, 1
+dentadir.com, 0
+dental-cloud.eu, 1
+dental-colleges.com, 1
+dental-fitness.co.jp, 1
+dental.gq, 1
+dentalcareerfinder.com, 1
+dentalcareersedu.org, 1
+dentalcolleges.tk, 1
+dentalimplantscost.com.au, 1
+dentalmonitoring.com, 1
+dentalnasser.com, 0
+dentaloptimizer.com, 1
+dentalqore.com, 1
+dentalqoretemp.com, 1
+dentalreklamlari.tk, 1
+dentals.cf, 1
+dentalsupportuk.com, 1
+dentalturism.com, 1
+dentalunion.ru, 1
+dentcountyhealth.gov, 1
+dentdelion-plugin.com, 1
+dented.gq, 1
+dentelegan.com, 1
+dentisalut.com, 1
+dentislabor.lt, 1
+dentist-profi.ga, 1
+dentistaaroma.com, 1
+dentistabarbarajaqueline.com.br, 1
+dentistalagoasanta.com.br, 1
+dentistesdarveauetrioux.com, 1
+dentistree.in.ua, 1
+dentistsgainesvillega.com, 1
+dentistslilburnga.com, 1
+dentoncounty.gov, 1
+dentoncountysheriffjobs.gov, 1
+dentonolab.lt, 1
+dentrassi.de, 1
+dentsugrantgroup.com, 1
+dentystabirmingham.co.uk, 1
+denuevestore.com, 1
+denugka-vezde.gq, 1
+denugka-vezde.tk, 1
+denunzieren.tk, 1
+denver-design.cf, 1
+denver.show, 1
+denver.tk, 1
+denver7.com, 1
+denverautoinsurancecompany.com, 1
+denverclassifieds.net, 1
+denverescorts.net, 1
+denverilluminations.com, 1
+denvernews.ml, 1
+denverroot.com, 1
+denvillenj.gov, 1
+denvillepolice.gov, 1
+denydarko.tk, 1
+deobandi.tk, 1
+deobandimazhab.tk, 1
+deonlineadvocaat.nl, 1
+deonlineassistente.nl, 1
+deonlinedrogist.nl, 1
+deontology.com, 1
+deoostfrees.com, 1
+deooyevaar.be, 1
+deooyevaar.com, 1
+deooyevaar.de, 1
+deooyevaar.es, 1
+deooyevaar.fr, 1
+deooyevaar.nl, 0
+deoremann.com, 0
+deoxy.org, 1
+depaco.com, 1
+depak.de, 1
+depannage-traceur.fr, 1
+depapboeren.tk, 1
+deparis.me, 1
+departamentosenventaen.com, 1
+departamentosenventaentulum.com, 1
+departamentoslosolivos.tk, 1
+departmentofdefense.tk, 1
+departmentofoncology.com, 1
+departureboard.io, 1
+depaulmanorestate.com.au, 1
+depcoa.date, 1
+depcompower.com, 1
+depd.rocks, 1
+depdesign.com, 1
+depeche.ga, 1
+depechemode-live.com, 1
+depechemode.de, 1
+deped.blog, 0
+deped.io, 1
+depedcommons.com, 1
+depedcommons.org, 1
+depedept.com, 0
+depedsurigaodelnorte.com, 1
+depedtambayan.blog, 0
+depedtambayan.net, 1
+depedtayo.ph, 1
+depelos.co, 1
+depelteau.com, 1
+dependonplus.com, 1
+dependopolis.com, 1
+deperewi.gov, 1
+dephoro.com, 1
+depicus.com, 1
+depijl-mz.nl, 0
+depijp.tk, 1
+depilazione.roma.it, 1
+depilestil.es, 1
+depiratas.com.es, 0
+depistage-bejune.ch, 0
+depleteduranium.tk, 1
+deplis.fr, 0
+deplorablesdaily.com, 1
+depokcity.tk, 1
+depolauncher.cf, 1
+depone.net, 0
+depop.com, 1
+deported.ml, 1
+deportes.in, 1
+deportescr.net, 1
+deportestalcahuano.tk, 1
+deportivo-pasto.tk, 1
+depositart.com, 1
+depositomerci.it, 1
+depositomobili.it, 1
+depository.ml, 1
+depotaraf.com.tr, 1
+depotchronicle.com, 1
+depotly.io, 1
+depotronik.com, 1
+depotsquarekerrville.com, 1
+depotter-usedcars.be, 1
+deprecate.de, 1
+depressionadvice.gq, 1
+deprobe.pro, 1
+deprofundis.tk, 1
+deps.com.br, 1
+depthsofdepravity.tk, 1
+depuberteit.tk, 1
+depuratore.it, 1
+dequency.io, 1
+der-bank-blog.de, 1
+der-beste-schumpeter-vortrag.de, 1
+der-elite.blog, 1
+der-gardinenmann.de, 1
+der-lan.de, 1
+derailer.org, 1
+derakkers.tk, 1
+derango.tk, 1
+deratisation-prix.fr, 1
+deratisation.maison, 1
+deratisation.paris, 1
+derattizzare.it, 1
+derattizzazione.name, 1
+derattizzazioni.biz, 1
+derattizzazioni.it, 1
+derattizzazioni.milano.it, 1
+derattizzazioni.org, 1
+derbuntering.de, 1
+derby.ge, 1
+derbybouncycastles.com, 1
+derbylegalassistance.com, 1
+derbymoneyman.com, 1
+derbyshire-language-scheme.co.uk, 1
+derbysound.com, 1
+derbyware.com, 1
+derchris.me, 1
+derdevel.de, 1
+derdewereldrommelmarkt.nl, 1
+derechosanimales.tk, 1
+dereddingsklos.nl, 1
+dereferenced.net, 1
+derejilla.online, 1
+derekbarnes.consulting, 1
+derekgendron.com, 1
+derekheld.com, 1
+derekkent.com, 1
+dereklow.co, 1
+derekseaman.com, 1
+derekseaman.studio, 1
+deremeavocats.be, 1
+derewonko.com, 1
+derf.fr, 1
+derfritz.at, 1
+dergon.club, 1
+derguns.town, 1
+derhaeuptling.de, 1
+derhil.de, 1
+derinsular.tk, 1
+derivative-calculator.net, 1
+derivativeshub.pro, 1
+derive.cc, 0
+derive.cf, 1
+derkach.io, 1
+derkarl.tk, 1
+derkbarten.nl, 1
+derkuki.de, 1
+derlux.tk, 1
+dermacarecomplex.com, 1
+dermafeelstudio.com, 1
+dermaldistinction.com, 1
+dermalenzburg.ch, 1
+dermapaz.net, 1
+dermaprocollagen.com, 1
+dermapuur.nl, 1
+dermarollerbest.com, 1
+dermato.floripa.br, 1
+dermatolog-ivanova.com, 1
+dermatologie-morges.ch, 0
+dermatologistmumbai.com, 1
+dermatologyandlasergroup.com, 1
+dermax.tk, 1
+dermedia.tk, 1
+dermediq.nl, 1
+dermko.cz, 1
+dermnet.ai, 1
+dermody.ga, 1
+dermopigmentista.it, 1
+dermot.org.uk, 1
+dermscc.com, 1
+dermsf.com, 1
+dermu.ai, 1
+deroo.org, 1
+deroo.tk, 1
+derou.com, 1
+derp.army, 1
+derp.chat, 1
+derpibooru.org, 1
+derpicdn.net, 1
+derpy.pp.ua, 1
+derre.fr, 1
+derreichesack.com, 1
+derricofinancialservices.com, 1
+derrigimlaghtokylemoregreenway.ie, 1
+derrybasketball.tk, 1
+dersimizmatematik.cf, 1
+dersoundhunter.de, 1
+derssonu.com, 1
+derstulle.de, 1
+derventzis.gr, 1
+derw.pw, 1
+derwaldschrat.net, 1
+derze.cloud, 1
+des-hommes-et-des-clous.com, 1
+desacanggu.id, 1
+desafiomovilidadsustentable.com, 1
+desagaz.com, 1
+desakatorock.tk, 1
+desalas.org, 1
+desant.com, 1
+desapego.com.br, 1
+desarrollamosweb.com, 1
+descargapormega.ml, 1
+descargar-apk.org, 1
+descobrim.com, 1
+desconfiats.tk, 1
+descopera.ro, 1
+descubre.ml, 1
+descuentomi.es, 1
+desec.io, 1
+desecsecurity.com, 1
+deseneonline.tk, 1
+desensitized.tk, 1
+desentupidorakazumi.com.br, 1
+desenvolvimentolocalvfa.com.br, 1
+deseosvip.tk, 1
+desergo.com, 0
+desert.cf, 1
+desertbloomplasticsurgery.com, 0
+desertbloomskincare.com, 1
+desertbluffs.com, 1
+desertdogtechnology.com, 1
+desertfiredesigns.com, 1
+desertfury.tk, 1
+desertgrove.com, 1
+desertheroesteam.com, 1
+deserti.tk, 1
+desertlinealuminium.com, 1
+desertlinegroup.com, 1
+desertmarocsafari.com, 1
+desertmedaesthetics.com, 1
+desertnaturals.me, 1
+desertofoldies.tk, 1
+desertsounds.org, 1
+desgenst.ch, 1
+desguacesbarcelonacat.com, 1
+desguacesdecamiones.es, 1
+deshalb.de, 1
+deshevle-net.com, 1
+deshobi.cloud, 1
+desic-sl.com, 1
+desiderantes.tk, 1
+desideriushogeschool.be, 1
+design-in-bad.eu, 1
+design-n-art.tk, 1
+design-production.jp, 1
+design-tooning.de, 1
+design-tricks.gq, 1
+design-your-life.info, 1
+design2u.eu, 1
+designacademy.ru, 1
+designanyware.com.br, 1
+designarea.tk, 1
+designartepublicidad.com, 1
+designbro.com, 1
+designburners.com, 1
+designbymargot.com, 1
+designbymargot.fr, 1
+designbymargot.pro, 1
+designcanada.com, 1
+designdecoration.info, 1
+designdecorativ.ro, 1
+designdept.com.au, 1
+designdirective.ca, 1
+designengineering.com, 1
+designer-drug.com, 1
+designerjoe.gq, 1
+designerrateest.ga, 1
+designeus.ga, 1
+designeus.gq, 1
+designeus.tk, 1
+designforchangetaiwan.org, 1
+designformanufacturability.net, 1
+designgraphic.fr, 1
+designgurus.org, 0
+designhill.com, 1
+designhoheit.de, 1
+designhuddle.com, 1
+designmodernideas.tk, 1
+designnprint.nl, 1
+designpro.tk, 1
+designrhome.com, 1
+designsbyjanith.com, 1
+designsbyscott.ca, 1
+designsite.tk, 1
+designsociety.tk, 1
+designstripe.com, 1
+designsystem.gov.scot, 1
+designtagebuch.com, 1
+designtrc.com, 1
+designville.cz, 1
+designville.sk, 1
+desimpelaere.eu, 1
+desinfectantemanos.org, 1
+desinfection-gale.fr, 1
+desinfectionfrance.com, 1
+desingslash.tk, 1
+desinsectisation-punaise-de-lit.com, 1
+desinsectisation.ma, 1
+desinsectisation.paris, 1
+desiplex.tk, 1
+desire-host.tk, 1
+desirememory.cf, 1
+desirenet.ro, 1
+desish.cf, 1
+desitorrents.tv, 1
+desiunderground.com, 1
+desivideos.tk, 1
+desize.com, 1
+deskaservices.com, 1
+deskdesign.nl, 1
+deskeen.fr, 1
+desktopcentral.ath.cx, 1
+desktopd.eu.org, 0
+desktopfibra.com, 1
+desktopfx.net, 0
+desktopia.tk, 1
+desktopsolos.tk, 1
+deskture.com, 1
+deskvip.com, 1
+desmo.gg, 1
+desmon.blog, 1
+desmu.fr, 1
+desna.tk, 1
+desonnemannen.tk, 1
+desormiers.com, 1
+despachomariscal.com, 1
+desperate.solutions, 1
+desperatesailors.com, 1
+despertarparavida.org, 1
+desplainesil.gov, 1
+despoina-vandi.tk, 1
+despondentrock.tk, 1
+despora.de, 1
+desportvriendenoverijse.tk, 1
+despotika.de, 1
+desserteagleselvenar.tk, 1
+dessinemoilademocratie.ch, 0
+dest-gottskar-nidingen.se, 1
+destcyr.com, 1
+destech.nl, 1
+desteniiprocess.com, 1
+desteptarea.com, 1
+desterman.ru, 1
+desterproducts.nl, 1
+desterrada.tk, 1
+destguides.com, 1
+destileria.net.br, 1
+destilteomarmd.be, 1
+destinattorneyjohngreene.com, 1
+destinomistico.com, 1
+destinopiriapolis.com, 0
+destinotecnologico.ml, 1
+destinyofthephoenix.me, 0
+destinypedia.com, 1
+destinytemplates.tk, 1
+destock-poitou.fr, 1
+destom.be, 1
+destreekboer.ml, 1
+destroyed.ga, 1
+destroyed.tk, 1
+destroysilence.cf, 1
+destroysilence.ga, 1
+destroysilence.gq, 1
+destroysilence.ml, 1
+destruction-frelon-asiatique.com, 1
+destructive-revolution.tk, 1
+destructoradepapel.com.es, 1
+destudio.org.ua, 1
+destuurmanskolk.nl, 1
+destyntek.com, 1
+desu.ne.jp, 1
+desuchan.eu, 1
+desuchan.org, 1
+desucla.com, 1
+desvan.tk, 1
+deswaffelaars.tk, 1
+desy.tk, 1
+desyatnichenko.ml, 1
+desygner.com, 1
+desynced.rocks, 1
+det-blev-ingen-cd.se, 1
+det-te.ch, 1
+detailedimage.com, 1
+detailingsp.com, 1
+detakhukum.com, 1
+detalika.ru, 1
+detao.org, 1
+detc.tk, 1
+detceptam.com, 1
+detdom-48.ru, 1
+detdom.tk, 1
+detecte-fuite.ch, 0
+detecte.ch, 0
+detectefuite.ch, 0
+detectify.com, 1
+detectivedesk.com.au, 1
+detectiveedu.org, 1
+detectro.cc, 1
+deteken.be, 1
+detekenmuze.nl, 1
+detektywtd24.pl, 0
+determapp.de, 1
+determinatie.tk, 1
+detfagligehus.dk, 1
+dethemium.com, 1
+deti-online.com, 1
+deti.ga, 1
+detiklife.com, 1
+detiks.cf, 1
+detishki.ga, 1
+detki.cf, 1
+detki24.ru, 0
+detodojuegos.com, 1
+detoxic.vn, 1
+detoxtorehab.com, 1
+detrapdoor.com, 1
+detrazioni.it, 1
+detreannamaria.tk, 1
+detrimental.tk, 1
+detroit-english.de, 1
+detroit.gov, 1
+detroitcrackteam.com, 1
+detroitfastest.org, 1
+detroitlocksmiths.net, 1
+detroitnews.tk, 1
+detroitzoo.org, 1
+detsad.ml, 1
+detsad.tk, 1
+detska-boticka.cz, 1
+detski.center, 1
+detskie-avto-kresla.tk, 1
+detskysad.com, 1
+detuinmuze.nl, 1
+detusmascotas.com, 1
+detweedekans.tk, 1
+detyamobuv.tk, 1
+detyobuv.tk, 1
+detype.nl, 1
+deu.sh, 1
+deuchnord.fr, 1
+deude.de, 1
+deuelcountyne.gov, 1
+deunanube.com, 1
+deurenfabriek.nl, 1
+deuro.net, 1
+deurwaarderhelmond.nl, 1
+deustech-media.tk, 1
+deustech.tk, 1
+deutsche-finanzagentur.de, 1
+deutsche-tageszeitungen.de, 1
+deutschebusiness.com, 0
+deutscheibank.com, 1
+deutscher-bericht.de, 1
+deutscherquidditchbund.de, 1
+deutscheshoponline.com, 0
+deutschland-dsl.de, 1
+deutschlandreport.com, 1
+deux.solutions, 1
+deuxfleurs.fr, 1
+deuxsol.co, 1
+deuxsol.com, 1
+dev, 1
+dev-advancedservicesportal.com, 1
+dev-brandywineglobal.com, 1
+dev-digibtw.nl, 1
+dev-gutools.co.uk, 1
+dev-lab.net.pl, 1
+dev-mail.net, 1
+dev-pmcc.net, 1
+dev-soft.pl, 1
+dev-tek.de, 1
+dev-test.nl, 1
+dev-vip.com, 1
+dev-woenenn-node-server.herokuapp.com, 1
+dev-ylinternal.com, 1
+dev.moe, 1
+dev.tw, 1
+dev.vu, 1
+devafterdark.com, 1
+devagency.fr, 1
+devahi.gq, 1
+devalbert.com, 1
+devalkincentives.nl, 1
+devalps.eu, 1
+devanstavern.tk, 1
+devapi.pro, 1
+devastacion.tk, 1
+devbay.cc, 1
+devcf.com, 1
+devcftc.gov, 1
+devchuli.ml, 1
+devcontainer.com, 1
+devcourseweb.com, 1
+devdeb.com, 1
+devdesco.com, 1
+devdiggers.com, 1
+devdomain.cf, 1
+devdoodle.net, 1
+deve.software, 1
+develify.co, 1
+develmaster.tk, 1
+develooper.com, 1
+develope.cz, 1
+developedbygayuh.my.id, 1
+developer.android.com, 1
+developer.moe, 1
+developer.mydigipass.com, 0
+developerdan.com, 1
+developerinsider.co, 1
+developers.facebook.com, 0
+developmentsites.melbourne, 1
+developnorthportfl.gov, 1
+developpeur-freelance.io, 1
+developpeur-web.tech, 0
+developpeur-web2.com, 1
+develops.co.il, 1
+develoself.ga, 1
+develotica.com, 1
+develoupe.com, 1
+develux.net, 1
+devendradox.ml, 1
+devendrameena.tk, 1
+devenirconseillerbienetre.com, 1
+devensys.com, 1
+devenv.ml, 1
+devet-slunci.cz, 1
+devflop.fr, 1
+devgo.ca, 1
+devh.de, 1
+devh.net, 1
+devhjz.com, 0
+deviant.email, 1
+deviante.com, 1
+devianthardcore.com, 1
+deviation.tk, 1
+devicebattle.ai, 1
+devicenow.com, 1
+devicom.mx, 1
+devignstudios.co.uk, 1
+devil-may-cry.tk, 1
+devil-radio.tk, 1
+devil.wtf, 1
+devilbyte.tk, 1
+devildog.tk, 1
+devillers-occasions.be, 0
+devilmaycry.ga, 1
+devilmaycry.tk, 1
+devilrecords.tk, 1
+devils-co.tk, 1
+devils-point.de, 1
+devilshakerz.com, 1
+devilsophie.net, 1
+devindavid.com, 1
+devinfo.net, 0
+devinite.com, 1
+devinlasarre.com, 1
+devinslick.com, 1
+devirc.net, 1
+devise-host.com, 1
+devisnow.fr, 1
+devkid.net, 1
+devksingh.com, 1
+devlabroid.com, 1
+devlist.tk, 1
+devlogr.com, 1
+devloope.com, 1
+devmanagersest.ga, 1
+devmode.fm, 1
+devnet.ma, 1
+devnet.tk, 1
+devnull.team, 1
+devnull.win, 1
+devnull.zone, 1
+devoc.net, 1
+devochki.ga, 1
+devolution.ws, 1
+devoncycles.co.uk, 1
+devonport.tas.gov.au, 1
+devonportairport.com.au, 1
+devonsawatzky.ca, 1
+devonvintagechina.co.uk, 1
+devoo.tn, 1
+devopedia.org, 1
+devopers.com.br, 1
+devops-playtest.net, 1
+devops.co.za, 1
+devopsish.com, 1
+devos.ml, 1
+devoted-atheist.tk, 1
+devoteschlampe.net, 1
+devotional.tk, 1
+devpage.lv, 1
+devpost.com, 1
+devpp.com.br, 1
+devpsy.info, 1
+devragu.com, 1
+devrekarti.com, 1
+devrekgazetesi.com, 0
+devries.frl, 1
+devries.one, 1
+devrijejansenist.nl, 1
+devrim.io, 1
+devs-from.asia, 1
+devs.men, 1
+devs4.com, 1
+devsectools.com, 1
+devsjournal.com, 1
+devskyport.com, 1
+devslash.net, 1
+devsrvr.ru, 1
+devstarops.com, 1
+devstores.io, 1
+devstroke.io, 1
+devsurveyorcloud.com, 1
+devswag.io, 1
+devtambayan.com, 1
+devtea.cz, 1
+devtechgroup.com, 1
+devtestfan1.gov, 1
+devtoys.ru, 1
+devtty.org, 1
+devuan.org, 0
+devurandom.tk, 1
+devushki.cf, 1
+devvg.co.uk, 1
+devyanijayakar.com, 1
+devz.life, 0
+devzero.io, 0
+dewalch.net, 1
+dewapress.com, 1
+dewberry.com, 0
+dewblog.ml, 1
+dewereldvankina.be, 1
+dewereldwerktthuis.com, 1
+dewereldwerktthuis.eu, 1
+dewereldwerktthuis.net, 1
+dewereldwerktthuis.nl, 1
+dewereldwerktthuis.org, 1
+dewerveling.tk, 1
+deweybeachpolice.gov, 1
+dewijkpraktijk.nl, 1
+dewijnclubonline.nl, 1
+dewingerdfreinet.be, 1
+dewittcountyil.gov, 1
+dewittmi.gov, 1
+dewka.tk, 1
+dewolden.nl, 0
+dexalo.de, 1
+dexauto.fr, 1
+dexcellentesidees.tk, 1
+dexerto.com, 1
+dexerto.es, 1
+dexerto.fr, 1
+dexhost.nl, 1
+dexie.space, 1
+dexign.ro, 1
+dexigner.com, 1
+dexlex.nl, 1
+dexon.ws, 1
+dexonservicedeskws.azurewebsites.net, 1
+dextermarket.com, 1
+dextra.tk, 1
+dextrahedelmallisyysklinikka.fi, 1
+deyute.com, 1
+dezea.net, 1
+dezeregio.nl, 1
+dezet-ev.de, 1
+dezevenster.com, 1
+dezinsekcija.online, 1
+dezshop.com.ua, 1
+dezzoroofing.co.za, 1
+df-clan.tk, 1
+df-team.tk, 1
+df1nif.de, 1
+df1paw.de, 1
+df3313.com, 1
+df3314.com, 1
+df3315.com, 1
+df3316.com, 1
+df3317.com, 1
+df3318.com, 1
+df3319.com, 1
+df5.se, 1
+df5104.com, 1
+df5aa.com, 1
+df5bb.com, 1
+df5cc.com, 1
+df5dd.com, 1
+df63.cc, 0
+dfafacts.gov, 1
+dfagent.com, 0
+dfc.gov, 1
+dfc52.com, 0
+dfctaiwan.org, 1
+dfg.re, 1
+dfilip.click, 1
+dflcares.com, 1
+dfm.ae, 0
+dfmn.berlin, 1
+dfmvf.org, 1
+dfpblog.com, 1
+dfranke.com, 1
+dfspdfl.gov, 1
+dfstoryteller.com, 1
+dfwfasthomebuyers.com, 1
+dfwm.vote, 1
+dfwmv.com, 1
+dfwmv.org, 1
+dfwmv.us, 1
+dfwmv.vote, 1
+dfwork.lt, 1
+dfwrvroofmasters.com, 1
+dfwwp.com, 1
+dfzone.tk, 1
+dg-1.jp, 1
+dg-hyp.ag, 1
+dg-hyp.biz, 1
+dg-hyp.com, 1
+dg-hyp.eu, 1
+dg-hyp.info, 1
+dg-hyp.net, 1
+dg-hyp.org, 1
+dg-komm.com, 1
+dg-pic.tk, 1
+dg1-test.com, 1
+dg1.com, 1
+dg1.services, 1
+dg1298.com, 0
+dg1jp-test.com, 1
+dg68.cc, 0
+dgangsta.net, 1
+dgap.org, 1
+dggb.co.in, 1
+dghyp-immobrief.de, 1
+dghyp-info.de, 1
+dghyp-kiel.de, 1
+dghyp-press.de, 1
+dghyp.ag, 1
+dghyp.at, 1
+dghyp.biz, 1
+dghyp.com.tw, 1
+dghyp.in, 1
+dghyp.info, 1
+dghyp.net.cn, 1
+dgli.org, 1
+dgmedia.tk, 1
+dgmenergy.com, 1
+dgmutual.co.uk, 1
+dgn.de, 1
+dgo.co.il, 1
+dgou.de, 1
+dgpot.com, 1
+dgpro.click, 1
+dgr-wpg.de, 1
+dgries.de, 1
+dgroups.org, 1
+dgschell.com, 1
+dgt-portal.de, 1
+dgtakano.co.jp, 0
+dgtcitaprevia.es, 1
+dgtl.hosting, 1
+dgtl.tools, 1
+dgtl.work, 1
+dgund.com, 1
+dh-leasing.si, 1
+dh.si, 1
+dh26a.com, 0
+dh6729.com, 1
+dh75975.com, 0
+dh9397.com, 1
+dh9721.com, 1
+dha.gov.ae, 1
+dhakabankltd.com, 1
+dhamdhamaanchalikcollege.tk, 1
+dhammacitta.org, 1
+dhanushtechno.in, 1
+dharma-clinic.com, 1
+dharveydev.com, 1
+dhautefeuille.eu, 1
+dhauwer.nl, 1
+dhavalvira.com, 1
+dhaynes.xyz, 1
+dhconcept.ch, 0
+dhde.de, 1
+dhdmdkd.com, 1
+dheart.net, 1
+dhelixnet.de, 1
+dhemant.de, 1
+dhhs.gov, 1
+dhirendrayadav.com, 1
+dhit.pl, 1
+dhl-smart.ch, 1
+dhlcotizadorexpo-qa.azurewebsites.net, 1
+dhlinux.org, 1
+dhlkh.com, 1
+dhlparcel.nl, 1
+dhome.at, 1
+dhrupad.tk, 1
+dhruv.nz, 1
+dhtr.pw, 1
+dhuboeuf.be, 1
+dhurbabaral.com.np, 1
+dhuy.net, 1
+dhwx.de, 1
+dhxxls.com, 1
+di-basketballscouting.com, 1
+di2pra.com, 0
+di2pra.fr, 0
+dia-de.com, 1
+dia.com.br, 1
+diaakademi.com, 1
+diabetessucks.net, 1
+diableros.tk, 1
+diables-noirs.tk, 1
+diablescastell.tk, 1
+diabline.tk, 1
+diablocarpet.com, 1
+diablos-obon.tk, 1
+diabolic.chat, 1
+diabolique.pt, 1
+diacritical.net, 1
+diadiemdangsong.com, 1
+diadorafitness.es, 1
+diadorafitness.it, 1
+diagilev.ml, 1
+diagno.cl, 1
+diagnocentro.cl, 1
+diagnoseo.com, 1
+diagnoseo.se, 1
+diagnosingfiction.com, 1
+diagnost-auto.com, 1
+diagnostics.stream, 1
+diagnostix.org, 1
+diai.cf, 1
+diai.gq, 1
+diai.ml, 1
+diai.tk, 1
+diaiai.com, 1
+diakonie-michaelshoven.de, 1
+dial.directory, 1
+dialadigger.net.au, 1
+dialectic-og.com, 1
+dialoegue.com, 1
+dialog.co, 1
+dialogue.co, 1
+dialoguecorp.com, 1
+dialoguecorp.eu, 1
+dialradio24.tk, 1
+dialybiendong.tk, 1
+diamant.family, 1
+diamant.nyc, 1
+diamante.ro, 1
+diamantiques.com, 1
+diamantovaburza.cz, 1
+diamgroup.pl, 1
+diamond-cutting.kiev.ua, 1
+diamond-hairstyle.dk, 1
+diamondblueair.com, 1
+diamondbluffwi.gov, 1
+diamondcargotrailers.org, 1
+diamondforms.net, 1
+diamondgoldmarkcity.cf, 1
+diamondgrid.ga, 1
+diamondiscaudio.com, 1
+diamondit.com.au, 1
+diamondsystem.ro, 1
+diamondyacca.co.uk, 1
+diamorphine.com, 1
+diamwall.com, 1
+dian7la.space, 1
+diana-und-aaron.de, 1
+dianaconsultancy.com, 1
+dianaconta.pt, 1
+dianadeluxe.net, 1
+dianadrive.com, 0
+dianafaraj.de, 0
+dianakaarina.tk, 1
+diananeves.pt, 0
+dianaqueeny.tk, 1
+dianas.sk, 1
+dianaundaaron.de, 1
+dianavanderplas.tk, 1
+dianchoi.vn, 1
+diane-marstboom.tk, 1
+dianefriedli.ch, 0
+diankou.cn, 1
+diankou.com, 1
+diankou.com.cn, 1
+diankpi.com, 1
+diankpi.ws, 1
+dianoxofficiel.tk, 1
+dianshangyi.net, 1
+dianshuju.com, 1
+diansung.com, 1
+diaoyu8.com, 1
+diapazon.kz, 1
+diapuls.ru, 1
+diare-na-miru.cz, 1
+diario-egipto.com, 1
+diariocibao.com, 1
+diariodearaxa.com.br, 1
+diariodebalsas.com.br, 1
+diariodicucina.it, 1
+diarionet.tk, 1
+diarionoticia.pe, 1
+diariopergaminoaustral.tk, 1
+diariosurnoticias.com, 1
+diaroma.it, 1
+diaryspace.tk, 1
+diasdasemana.com, 1
+diasporan.cf, 1
+diasporan.ga, 1
+diasporan.gq, 1
+diasporan.ml, 1
+diaspordc.com, 1
+diatechusa.com, 1
+diatr.us, 1
+diatrofi-ygeia.gr, 1
+diaweb.nl, 1
+diazpubli.tk, 1
+diba.org.cn, 1
+dibacode.com, 1
+dibal.ua, 1
+dibiphp.com, 1
+dibo-ambasador.pl, 1
+dic.ae, 1
+dicaprio.tk, 1
+dicasgostosas.com, 1
+diccionarioabierto.com, 1
+diccionariodedudas.com, 1
+diccionariomexico.com, 1
+diccionarioperu.com, 1
+diccionarqui.com, 1
+dice.ml, 1
+dice.tokyo, 1
+dicelab-rhul.org, 1
+dicelab.co.uk, 1
+dicemer.com, 1
+dicesites.com, 1
+dicgaming.net, 1
+dichvuchuyentien247.com, 1
+dichvudangkygiayphep.com, 1
+dicio.com.br, 1
+dicionario.org, 1
+dicionariodegirias.com.br, 1
+dicionariodelatim.com.br, 1
+dicionariodenomesproprios.com.br, 1
+dicionariodesimbolos.com.br, 1
+dicionarioetimologico.com.br, 1
+dicionariofinanceiro.com, 1
+dicionariopopular.com, 1
+dicionarios.cc, 1
+dicipa.com.mx, 1
+dick.red, 1
+dickord.cloud, 1
+dickp.it, 1
+dickpics.ru, 1
+dicksakowicz.com, 1
+diclofenac-75mg.ga, 1
+diclofenacgel.cf, 1
+diclofenacgel.ml, 1
+diclofenacgel1.tk, 1
+diclofenaconline.gq, 1
+diclofenactopical.ga, 1
+diclofenactopical.tk, 1
+dico-charentais.tk, 1
+dicoado.org, 1
+dicoeste.com, 1
+dicomed.tk, 1
+dicomsoftware.com, 1
+diconium.biz, 1
+diconium.com, 0
+diconium.de, 1
+diconium.jobs, 1
+diconium.org, 1
+diconium.pt, 1
+diconium.wtf, 1
+diconium42.com, 1
+diconium42.de, 1
+dictators-encyclopedia.tk, 1
+dictatronics.com, 1
+dictatube.com, 1
+dictionarybook.org, 1
+dictionaryofsydney.org, 1
+dictionarypro.net, 1
+dictum-gardentools.com, 1
+dictum-gartenwerkzeug.de, 1
+dictzone.com, 1
+dida.xin, 1
+didactic.ml, 1
+didaktik4you.de, 1
+didc.cz, 1
+didche.net, 0
+diddens.de, 1
+diddlworld.tk, 1
+dideeducacion.com, 1
+didefamilia.com, 1
+didelikarpiai.lt, 1
+didesalud.com, 1
+didi-online.tk, 1
+dididiamond.net, 1
+didier-equipereussite.com, 1
+didierfle-decibel.fr, 1
+didierfle-latelier.fr, 1
+didierfle.com, 1
+didierghez.com, 0
+didierlaumen.be, 1
+didigotoffer.com, 1
+didiwinata.com, 1
+didiwinata.my.id, 1
+didonshop.tn, 1
+didtrumpopengovernmentyet.com, 1
+didtweb.com, 1
+die-bergfuehrer.de, 1
+die-besten-weisheiten.de, 1
+die-borts.ch, 1
+die-cms-manufaktur.de, 1
+die-gruenen-teufel.de, 1
+die-herrenschneider.com, 1
+die-machons.de, 1
+die-partei-reutlingen.de, 1
+die-pizzabaeckerei.de, 1
+die-seide.de, 1
+die-seiler.de, 1
+die-sinlosen.de, 1
+die-speisekammer-reutlingen.de, 1
+die-sputniks.de, 1
+die.de, 1
+die.one, 1
+diebasis-partei.de, 1
+diebesban.de, 1
+diecieventi.com, 1
+diecke.nu, 1
+diecourier.co.za, 1
+diedenhofen.tk, 1
+diedesigntante.de, 1
+diedrich.co, 1
+dieecpd.org, 1
+dieetfabels.tk, 1
+dieffe.tech, 1
+diefotogruppe.de, 1
+dieg.info, 1
+diegelernten.de, 1
+diegentlemenbittenzurkasse.tk, 1
+diegerbers.de, 1
+diegobarrosmaia.com.br, 1
+diegocastagna.com, 1
+diegodelaprada.com, 1
+diegoforlan.tk, 1
+diegogelin.com, 0
+diegogranada.tk, 1
+diegoisla.ga, 1
+diegomeza.tk, 1
+diegosalgado.tk, 1
+diegott.ddns.net, 1
+diegovasconcelos.com.br, 1
+diegovisual.tk, 1
+diehildebrands.de, 1
+diehumanisten.de, 1
+diekleinekartenfabrik.de, 1
+diekperaiwseis.gr, 1
+dielinke-igb.de, 1
+diem25.org, 1
+diemattels.at, 1
+diemperu.com, 1
+dienaturbinderei.at, 1
+dienchaninstitute.com, 1
+diengiolachoa.com, 1
+dienkenijboer.nl, 1
+dienmattroichonthanh.com, 1
+dienna.nl, 1
+diennhienshop.com, 1
+diennobi.com, 1
+dienstplan.cc, 1
+dierabenmutti.de, 1
+dieradvies.nl, 1
+dierenartsdeconinck.be, 1
+dierenpagina.tk, 1
+dierenrijk.nl, 1
+dierenschilderijen.tk, 1
+dierenwiki.nl, 1
+diesdasananas.spdns.de, 1
+dieselanimals.lt, 1
+dieselfiltersonline.com, 1
+dieselndust.com, 1
+dieselor.bg, 1
+dieselor.com, 1
+diesicheremail.de, 1
+dieslowhtx.com, 1
+diesse.nl, 0
+diet-hack.bg, 1
+dieta-figura.tk, 1
+dieta-vita.com, 1
+dietandexercises.tk, 1
+dietaryguidelines.gov, 1
+dietbrand.eu, 1
+dieter.one, 1
+dieterglas.de, 1
+dietfordiabetics.tk, 1
+dietherapie.tirol, 1
+diethood.com, 1
+dieti-natura.com, 1
+dieti.ga, 1
+dieti.gq, 1
+dieti.net, 1
+dietitianmeetsmom.com, 1
+dietitiansidehustle.com, 1
+dietlein.tech, 1
+dietlist.ga, 1
+dietmoikiensinh.tk, 1
+dietolog.gq, 1
+dietpi.com, 1
+dietrich-bonhoeffer.net, 1
+dietrich.cx, 1
+dieumfrage.com, 1
+dievozodis.lt, 1
+dievturi.lv, 1
+difc.ae, 0
+diferenca.com, 1
+diferenciador.com, 1
+differentgirleveryday.ml, 1
+differenziare.it, 1
+differt.be, 1
+difficulty.ga, 1
+diffnow.com, 1
+diflora.it, 1
+diflucangeneric.ml, 1
+diflucanonline.tk, 1
+diflucanpill.ga, 1
+difon.tk, 1
+difusionesnocomerciales.tk, 1
+difusionmetalera.tk, 1
+difuzevox.com, 0
+dig.cat, 1
+digaloahidigital.com, 1
+digar.ee, 1
+digbin.com.br, 1
+digchip.com, 1
+digchip.info, 1
+digchip.net, 1
+digchip.org, 1
+digchips.com, 1
+digdata.de, 1
+diggerlandusa.com, 1
+digginsmo.gov, 1
+dighans.com, 1
+digi-typ.fi, 1
+digi-typa.fi, 1
+digiaika.com, 1
+digiaika.fi, 1
+digiarc.net, 1
+digibean.com.au, 0
+digibild.ch, 1
+digiboxx.com, 1
+digibtw.nl, 1
+digibull.email, 1
+digibull.gmbh, 1
+digibull.link, 1
+digicamchart.com, 1
+digicelidgy.com, 1
+digicert-support.com, 1
+digicert.com.ru, 1
+digicert.nl, 0
+digichefs.com, 1
+digicode.hu, 1
+digicomtel.com.br, 1
+digicy.cloud, 1
+digidaigaku.com, 1
+digidroom.be, 1
+digifloat.io, 1
+digijoy.com, 1
+digilabs.fr, 1
+digiland.tk, 1
+digilicious.com, 1
+digilirapay.com, 1
+digilock.com, 1
+digimaat.agency, 1
+digimagical.com, 1
+digimedia.cd, 0
+digimen.cn, 1
+digimen.icu, 1
+digimen.love, 1
+digimen.store, 1
+digimen.top, 1
+digimen.xyz, 1
+digimind-evolution.com, 1
+digimobee.info, 1
+digimoncard.io, 1
+digimortals.nl, 1
+digino.jp, 1
+digino.us, 1
+digino.xyz, 1
+digiparse.com, 1
+digipartindex.ch, 1
+digipeak.org, 1
+digipitch.com, 1
+digipolis.gent, 1
+digipost.no, 1
+digirechnung.de, 1
+digirence.org, 1
+digiriik.ee, 1
+digiscrap.nl, 1
+digiscrap.plus, 0
+digiscrap.shop, 1
+digisecmalta.com, 1
+digisfil.fr, 1
+digisign.tk, 1
+digit.ec, 1
+digitaal-atelier.tk, 1
+digitaaltalent.be, 1
+digitador.tk, 1
+digitai.net, 1
+digital-agency360.com, 1
+digital-compounds.com, 1
+digital-cs.tk, 1
+digital-e-library.tk, 1
+digital-eastside.de, 1
+digital-echo.io, 1
+digital-garden.us, 1
+digital-home.tk, 1
+digital-insurance-engine.com, 1
+digital-insurance-engine.de, 1
+digital-insurance-platform.com, 1
+digital-insurance-platform.de, 1
+digital-insure.fr, 1
+digital-liberal.ch, 1
+digital-mu.tk, 1
+digital-park.de, 1
+digital-rainbow-dolls.tk, 1
+digital-sculpture.org, 1
+digital-sky.it, 1
+digital-vorwaerts.de, 1
+digital-watchdog.com, 1
+digital.democrat, 1
+digital.gov, 1
+digital.govt.nz, 1
+digital1st.co.uk, 1
+digital4starazagora.com, 1
+digitaladl.com.au, 1
+digitalagencynetwork.com, 1
+digitalakatsuki.com, 1
+digitalalektioner.se, 1
+digitalallies.co.uk, 1
+digitalandsocialmediaacademy.com, 1
+digitalarchitecture.com, 1
+digitalbang.gr, 1
+digitalbd.tk, 1
+digitalbeachbrasil.com.br, 1
+digitalbitbox.com, 1
+digitalblood.eu, 1
+digitalbox.jp, 0
+digitalbuero.eu, 1
+digitalcanvas.com.br, 0
+digitalcarbide.com, 1
+digitalcash.cf, 1
+digitalcashpalace.com, 1
+digitalch.ng, 1
+digitalchurch.ng, 1
+digitalcitizen.life, 1
+digitalcoffeepodcast.com, 1
+digitalcomponents.de, 1
+digitalconcrete.co.uk, 1
+digitalcourage.de, 1
+digitalcraftmarketing.co.uk, 1
+digitalcrisis.com, 1
+digitalcrisis.us, 1
+digitaldashboard.gov, 1
+digitaldeli.com, 1
+digitaldeli.org, 1
+digitaldeli.tv, 1
+digitaldeli.us, 1
+digitaldeliarchive.com, 1
+digitaldem.it, 1
+digitaldesign.ga, 1
+digitaldisaster.tk, 1
+digitaldoor.com.au, 1
+digitaldruck.info, 1
+digitale-afvalscheiding.nl, 1
+digitale-ausleihe.de, 1
+digitale-bibliothek.tk, 1
+digitale-oekonomie.ch, 1
+digitaleducationarea.tk, 1
+digitaleducationpro.tk, 1
+digitalehandtekeningen.nl, 1
+digitaleplus.fr, 1
+digitalerror.net, 1
+digitaletanker.com, 1
+digitaletelevisie.tk, 1
+digitalewelten.de, 1
+digitalexpertsdirectory.com.au, 1
+digitalezukunft-hagen.de, 1
+digitalezukunft.nrw, 1
+digitalfoodbook.com, 1
+digitalforensicsdubai.com, 1
+digitalfortress.tech, 1
+digitalfoster.org, 1
+digitalfury.co.uk, 1
+digitalgeckos.com, 1
+digitalgeek.social, 1
+digitalgenius.com, 0
+digitalgov.gov, 1
+digitalgyan.org, 1
+digitalgymnastics.tk, 1
+digitalhabitat.io, 1
+digitalhack.ro, 1
+digitalhands.tk, 1
+digitalhealth.gov.au, 1
+digitalheart.tk, 1
+digitalhurricane.io, 0
+digitaliandm.com, 1
+digitalid-sandbox.com, 1
+digitalid.com, 1
+digitalid.com.au, 1
+digitalillusion.pt, 1
+digitalimpactlab.org, 1
+digitalindiatalent.com, 1
+digitalis.fr, 1
+digitalistan.tk, 1
+digitalizer.my.id, 1
+digitalizzazioneverona.it, 0
+digitalkashmir.ml, 1
+digitalkey.pro, 1
+digitalkoran.com, 1
+digitalks.com.br, 1
+digitallife.tk, 1
+digitallink.be, 1
+digitalliteracy.gov, 1
+digitallolitayume.tk, 1
+digitalmahleracademy.com, 1
+digitalmanager.guru, 1
+digitalmaniac.co.uk, 1
+digitalmarketingindallas.com, 1
+digitalmarketingnetic.com, 1
+digitalmind.su, 1
+digitalmove.co.uk, 1
+digitalninja.tk, 1
+digitalnomadsunderground.com, 1
+digitalphone.tk, 1
+digitalphoto.group, 1
+digitalphoto.tech, 1
+digitalpilipinas.ph, 1
+digitalpiloten.org, 1
+digitalplayground.com, 1
+digitalplaygroundnetwork.com, 1
+digitalplaymakers.co.uk, 1
+digitalpocketpedometer.tk, 1
+digitalposition.com, 1
+digitalproduct.ga, 1
+digitalproductivity.online, 1
+digitalprojects.com.au, 1
+digitalradio.ie, 1
+digitalrealitybbs.com, 1
+digitalreborn.com, 1
+digitalredshirts.com, 0
+digitalrhino.eu, 1
+digitalrights.center, 1
+digitalroma.tk, 1
+digitalsearchgroup.ie, 1
+digitalsearchlab.com, 1
+digitalservices.lk, 1
+digitalside.com.br, 1
+digitalsignagedisplay.com, 1
+digitalskillswap.com, 1
+digitalsolutionsonline.co.uk, 1
+digitalsphere.tk, 1
+digitalsuply.com.br, 1
+digitalsupporter.ml, 1
+digitalsurge.io, 1
+digitaltbyra.no, 1
+digitaltcertifikat.dk, 1
+digitaltech.vip, 1
+digitaltechupdates.com, 1
+digitaltechviews.com, 1
+digitaltry.tk, 1
+digitalupcoming.tk, 1
+digitalutilities.net, 1
+digitalvag.tk, 1
+digitalwasteland.net, 1
+digitalworkplaceforum.com.br, 1
+digitalzenworks.com, 1
+digitalzylinder-shop.com, 1
+digite.com, 1
+digitec.ch, 1
+digitecgalaxus.ch, 1
+digitechseo.com, 1
+digitecno.com, 1
+digitese.pt, 1
+digithub.tk, 1
+digitise.io, 0
+digitium.fr, 1
+digitizer.co.il, 1
+digitkon.com, 1
+digitogy.com, 1
+digitoimistopipeline.fi, 1
+digitoucan.com, 1
+digitra.com, 1
+digitreads.com, 1
+digityp.fi, 1
+digitypa.fi, 1
+digivan.ml, 1
+digminecraft.com, 1
+dignilog.com, 1
+dignited.com, 1
+dignity.tk, 1
+digpubdev.org, 1
+digpubprd.org, 1
+digpubqa.org, 1
+digsys.bg, 1
+digwiz.biz, 0
+digwp.com, 1
+dih-technology.com, 1
+dih-technology.info, 1
+dih-technology.net, 1
+dih-technology.org, 1
+dih.email, 1
+dihinternational.com, 1
+dihinternational.info, 1
+dihinternational.net, 1
+dihinternational.org, 1
+dihmedical.info, 1
+dihmedical.net, 1
+dihmedical.org, 1
+dihydrotestosteron.pl, 1
+diipoo.com, 1
+diirekt.de, 1
+diis.plus, 1
+dijispin.com, 1
+dijitaller.com, 1
+dijitalsaray.com, 1
+dijitalzade.com, 1
+dijks.com, 1
+dijks.nl, 1
+dijoncter.info, 1
+dik-manusch.tk, 1
+dikerastore.com, 1
+dikkevettescania.tk, 1
+diktatur.tk, 1
+dilation.party, 1
+dild.loan, 1
+dildoexperten.se, 1
+dilfed.com, 1
+dilibel.be, 1
+diligence.cloud, 1
+diligo.ch, 0
+dillewijnzwapak.nl, 1
+dillon-mcnamara.com, 1
+dillonco.gov, 1
+dillonm.io, 1
+dillynbarber.com, 0
+dilmahtea.com, 1
+dilmahtea.me, 1
+dilmarames.com, 1
+dima.pm, 0
+dimagrimentoincorso.it, 1
+dimamergel.com, 1
+dimanss47.net, 1
+dimaweb.tk, 1
+dimdata.com, 1
+dime-staging.com, 1
+dimension-pc.com, 1
+dimensiondigital.net, 1
+dimensionjapon.tk, 1
+dimensions-ohs.com, 1
+dimensionweb.tk, 1
+dimeponline.com.br, 1
+dimesanmedical.com, 1
+dimeven.tk, 1
+dimez.ru, 1
+dimiro.co.tz, 1
+dimiskovska.de, 1
+dimism.eu, 1
+dimitri-davies.com, 1
+dimitri-papadimitriou.com, 1
+dimitri-papadimitriou.eu, 1
+dimitri-papadimitriou.gr, 1
+dimitris.tk, 1
+dimitrovi.tk, 1
+dimmak.com, 0
+dimmersagourahills.com, 1
+dimmerscalabasas.com, 1
+dimmersdosvientos.com, 1
+dimmershiddenhills.com, 1
+dimmerslakesherwood.com, 1
+dimmersnewburypark.com, 1
+dimmersoakpark.com, 1
+dimmersthousandoaks.com, 1
+dimmerswestlakevillage.com, 1
+dimo-analytics.fr, 1
+dimo-crm.fr, 1
+dimo-dematerialisation.com, 1
+dimo-tresorerie.fr, 1
+dimomaint.com, 1
+dimomaint.de, 1
+dimomaint.es, 1
+dimonz.com, 1
+dimosoftware.fr, 1
+dimseklubben.dk, 1
+dimspith.com, 1
+dinamikarosta.ml, 1
+dinamofilms.cl, 1
+dinarys.com, 1
+dincemlakmerkez.ga, 1
+dind.one, 1
+dinda.tk, 1
+dindarkocer.tk, 1
+dindludovic.design, 0
+dineniagara.ca, 1
+dinepont.fr, 1
+dinerolibre.tk, 1
+dinerroboticurology.com, 1
+diners.mk, 1
+dinevigroup.bg, 1
+ding.com.co, 1
+ding.gent, 1
+dingcc.com, 1
+dingcc.me, 1
+dingdong-shop.ru, 1
+dingelbob-schuhcreme.gq, 1
+dingeldein-messtechnik.de, 1
+dinghuo.com, 1
+dinglecottage.co.uk, 1
+dinglishuzi.com, 1
+dingos.tk, 1
+dingsbums.shop, 1
+dingss.com, 1
+dinheirolucrar.com, 1
+dinimizislam.tk, 1
+dinira-bg.com, 1
+dinitabir.tk, 1
+dinkoreskolesilkeborg.dk, 0
+dinkoreskoleviborg.dk, 1
+dinmtb.dk, 1
+dinnerandmurder.com, 1
+dinnerclub.tk, 1
+dinocarrozzeria.com, 1
+dinos-mag.tk, 1
+dinotv.at, 1
+dintrafic.net, 1
+diodo.me, 1
+dioesfoto.com, 1
+diogbatech.tk, 1
+diogenenettoyage.com, 1
+diogeneshoy.com, 1
+diogof.pt, 1
+diogofmedeiros.com, 1
+dionera.com, 1
+dionmirrors.nl, 1
+dionysos-ios.gr, 1
+dioris.net, 1
+dios.ga, 1
+diospersonal.tk, 1
+diouf.tk, 1
+dioxido.com.ar, 1
+diozoid.com, 1
+dip.digital, 1
+dipakgajjar.com, 1
+dipalma.me, 1
+dipanshuparashar.ml, 1
+dipietro.id.au, 1
+dipling.de, 1
+diplom-ru.tk, 1
+diplomatcruises.co.uk, 1
+diplomatiegabon.ga, 1
+dipnot.tv, 1
+dipro.id, 1
+dipsytroller.com, 1
+dipuma.com, 1
+dir2epub.com, 1
+dir2epub.org, 1
+dirch.tk, 1
+dirdet.co.uk, 1
+dirdur.cf, 1
+direc-tory.tk, 1
+direct-aesthetics.com, 1
+direct-sel.com, 1
+direct.cz, 0
+direct2trade.co.nz, 1
+direct365.es, 1
+directadmin.com, 1
+directairlineflights.com, 1
+directb2b.ca, 1
+directcouriers.com.au, 1
+directelectricalltd.co.uk, 1
+directfinance.cz, 1
+directfitnesssolutions.com, 1
+directholidaysuae.com, 1
+directhomeremodelinginc.com, 1
+directinspectionskc.com, 1
+directions.ee, 1
+directlendingsolutions.com, 1
+directlook.tk, 1
+directly.ga, 1
+directmailctr.com, 1
+directmedica.fr, 1
+directnews.be, 1
+directnic.com, 1
+directories.cf, 1
+directoriodemedios.com, 1
+directorioempresarial.com.co, 1
+directoriomedico.com.co, 1
+directorios.tk, 1
+directorioweb.co, 1
+directorwebseo.tk, 1
+directory-aldo.tk, 1
+directory-ecco.tk, 1
+directory-sunglasses.tk, 1
+directorydashboard.ga, 1
+directorydisc.cf, 1
+directorydisc.ga, 1
+directoryworld.tk, 1
+directpaydayloansonline.ga, 1
+directright.ca, 1
+directright.com, 1
+directright.net, 1
+directrightcartage.com, 1
+directstreet.tk, 1
+directtwo.solutions, 1
+directtwosolutions.org, 0
+directvacations.com, 1
+directverify.in, 1
+directview.ddns.net, 1
+direitonovo.com, 0
+direitoproacademy.com.br, 1
+direj.tk, 1
+direktundonline.de, 1
+direktvermarktung-schmitzberger.at, 1
+diretonoponto.gq, 1
+direwolfsoftware.ca, 1
+dirhami.com, 1
+dirk-dogs.tk, 1
+dirk-weise.de, 1
+dirkdavid.org, 1
+dirki.tk, 1
+dirkjonker.nl, 1
+dirkkok.nl, 1
+dirkmurschall.de, 1
+dirko.net, 0
+dirkwolf.de, 0
+dirot7.co.il, 1
+dirt-street.tk, 1
+dirtcraft.ca, 1
+dirtinmyshoes.com, 1
+dirty-tina.net, 1
+dirtyboyreviews.com, 1
+dirtycat.ru, 1
+dirtycode.tk, 1
+dirtycosplay.com, 1
+dirtygeek.ovh, 1
+dirtygirl.ml, 1
+dirtyherri.de, 1
+dirtymusic.tk, 1
+dirtyporno.tk, 1
+dirtypretties.cf, 1
+dirtypretties.ga, 1
+dirtypretties.gq, 1
+dirtypretties.ml, 1
+dirtyprettyartwear.com, 1
+dirtypriscilla.com, 1
+dirtyscout.com, 1
+dirtysindy.com, 1
+dirtytiles.xyz, 1
+dirtywoman.tk, 1
+dirtywork.net, 1
+dirunreddy.tk, 1
+disability-card.com, 1
+disability.gov, 1
+disabilitydischarge.com, 1
+disabilityscoop.com, 1
+disabled-world.com, 1
+disabled.gay, 1
+disableipv4.se, 1
+disabuse.cf, 1
+disadattamentolavorativo.it, 1
+disain.tk, 1
+disassemble.website, 1
+disasterrific.tk, 1
+disastertalkest.ga, 1
+disavowfile.com, 1
+disboard.org, 1
+disbug.io, 1
+disc.uz, 1
+discarica.bari.it, 1
+discarica.bologna.it, 1
+discarica.firenze.it, 1
+discarica.it, 1
+discarica.milano.it, 1
+discarica.napoli.it, 1
+discarica.roma.it, 1
+discarsl.com, 1
+discdash.ga, 1
+discdash.tk, 1
+discgolf.com, 1
+disch.com.de, 1
+disciples.io, 1
+disciplescloud.com, 1
+disciplesmakingdisciples.ca, 1
+disco-crazy-world.de, 1
+discodoener.de, 1
+discofitta.com, 1
+discohook.org, 1
+disconformity.net, 1
+disconnect.tk, 1
+disconter.tk, 1
+discord-chan.net, 1
+discord.com, 1
+discord.do, 1
+discord.gg, 1
+discord.gift, 1
+discord.me, 1
+discord4j.com, 1
+discordapp.com, 1
+discordapp.gay, 1
+discordbee.com, 1
+discordextremelist.xyz, 1
+discordghost.space, 1
+discordhome.com, 1
+discordjs-japan.org, 1
+discordservers.com, 1
+discordsworld.tk, 1
+discotek.club, 1
+discotheque.tk, 1
+discount-course.com, 1
+discountdimmers.com, 1
+discountforelectronics.tk, 1
+discountisolatie.nl, 1
+discounto.de, 1
+discountoffice.be, 1
+discountoffice.nl, 1
+discountpark.fr, 1
+discountpowertx.com, 1
+discountravel.tk, 1
+discover-mercure.com, 1
+discover-shaken.com, 1
+discoverapp.com, 1
+discoveraustralia.tk, 1
+discoverbrampton.co.uk, 1
+discoverchinanow.cf, 1
+discoverchinanow.ga, 1
+discoverchinanow.gq, 1
+discoverchinanow.ml, 1
+discoverfloridasprings.com, 1
+discoverglo.com, 1
+discovergy.com, 1
+discoverhealthage.com, 0
+discoveringdocker.com, 1
+discoverkeesler.com, 1
+discoverkeesler.marketing, 1
+discoverlutruwita.com, 1
+discovermodus.com, 1
+discovernavajo.com, 1
+discoverradiance.com, 1
+discoverthetech.com, 1
+discoverthreejs.com, 1
+discoverucg.co.uk, 1
+discoveryaima.com, 1
+discoveryballoon.org, 1
+discoverybehavioralhealth.com, 1
+discoveryottawa.ca, 1
+discrede.tk, 1
+discrypt.ca, 1
+discshop.co.nz, 1
+disctranulis.gq, 1
+discus-communications.dk, 1
+discuss-data.net, 1
+discuzturkiye.tk, 1
+disengaged.tk, 1
+disenialia.com, 1
+disenian.com, 1
+disenosyestructurasdelbajio.com.mx, 1
+disenowebakus.net, 1
+disenowebgalicia.tk, 1
+disenowebseoolmisur.com, 1
+disepho.cl, 1
+diseworth.uk, 1
+disfigured.tk, 1
+disgruntledcode.com, 1
+disguise.cf, 1
+dishcrawl.com, 0
+dishwashermagic.tk, 1
+dishwasherrepair-austin.com, 1
+disidencia.tk, 1
+disinclined.org, 1
+disinfectingassociation.com, 1
+disinfectingassociation.org, 1
+disinfectingdoctor.com, 1
+disinfectingdoctors.com, 1
+disinfectiondoctor.com, 1
+disinfectiondoctors.com, 1
+disinfesta.it, 1
+disinfestando.info, 1
+disinfestare.it, 1
+disinfestatore.roma.it, 1
+disinfestatori.com, 1
+disinfestazione-roma.org, 1
+disinfestazione.brescia.it, 1
+disinfestazione.napoli.it, 1
+disinfestazione.roma.it, 1
+disinfestazione.torino.it, 1
+disinfestazione.venezia.it, 1
+disinfestazione.verona.it, 1
+disinfestazione24.it, 1
+disinfestazioneblatte.it, 1
+disinfestazionecimici.napoli.it, 1
+disinfestazionecimici.roma.it, 1
+disinfestazionemilano.it, 1
+disinfestazionezanzare.it, 1
+disinfestazioni-sardegna.org, 1
+disinfestazioni-umbria.it, 1
+disinfestazioni.bari.it, 1
+disinfestazioni.bergamo.it, 1
+disinfestazioni.cagliari.it, 1
+disinfestazioni.caserta.it, 1
+disinfestazioni.catania.it, 1
+disinfestazioni.co, 1
+disinfestazioni.firenze.it, 1
+disinfestazioni.genova.it, 1
+disinfestazioni.gorizia.it, 1
+disinfestazioni.info, 1
+disinfestazioni.it, 1
+disinfestazioni.milano.it, 1
+disinfestazioni.modena.it, 1
+disinfestazioni.napoli.it, 1
+disinfestazioni.net, 1
+disinfestazioni.padova.it, 1
+disinfestazioni.rimini.it, 1
+disinfestazioni.roma.it, 1
+disinfestazioni.torino.it, 1
+disinfestazioni.treviso.it, 1
+disinfestazioni.udine.it, 1
+disinfestazioni.venezia.it, 1
+disinfestazioni.verona.it, 1
+disinfestazioni.viterbo.it, 1
+disinfestazioni24.it, 1
+disinfestazionivespe.milano.it, 1
+disinfestazionizanzare.milano.it, 1
+disinfestazionizanzare.roma.it, 1
+disinisharing.com, 1
+disisto-schiesser.com, 1
+disisto.de, 1
+disisto.nl, 1
+diskbit.com, 1
+diskbit.nl, 1
+diskdoctors.tk, 1
+disketa.cf, 1
+disketteetikette.tk, 1
+diskgem.info, 1
+disking.co.uk, 1
+diskonsepatu.ga, 1
+diskotekflashback.dk, 0
+diskusi.cf, 1
+diskusi.tk, 1
+diskussionsbereich.de, 1
+dislepsia.tk, 1
+dismail.de, 1
+dismed.fr, 1
+disney-stitch.com, 1
+disneywallpapers.tk, 1
+disobey.net, 1
+disoluto.tk, 1
+disostruzioni.it, 1
+disougstroy.com.ua, 1
+disparada.com.br, 1
+dispatched.tk, 1
+dispel-photo.com, 1
+dispensarygta.com, 1
+displayrd.com, 1
+displaysandholders.com, 1
+disposable.link, 1
+dispur.nic.in, 1
+disroot.org, 1
+disrupters.ch, 0
+disruptglobal.com, 1
+disruption.tk, 1
+dissensionclub.net, 1
+dissertation-editor.com, 1
+dissertationhelp.com, 1
+dissidence.ovh, 1
+dissident.host, 1
+dissieux.com, 1
+dissolution-sci.com, 1
+dist-it.com, 1
+dist.torproject.org, 0
+distance-learning-courses.co.uk, 1
+distancelove.cf, 1
+distancelove.ml, 1
+distancelove.tk, 1
+distancionno.com, 1
+distant.land, 1
+distekinc.com, 1
+distelbentelo.nl, 1
+distempered.tk, 1
+disti.com, 1
+distiduffer.org, 1
+distilleren.tk, 1
+distinctdesign2009.com, 1
+distinguishedlegal.com, 1
+distinguishedprisoner.com, 1
+disto.tk, 1
+distopias.tk, 1
+distortionx.tk, 1
+distract09.be, 1
+distract09.gent, 1
+distracteddriving.gov, 1
+distraction.gov, 1
+distraction.tk, 1
+distractors.tk, 1
+distratus.com, 1
+distri.com.ua, 1
+distribucionmayorista.online, 1
+distribucionstunel.es, 1
+distribuidora-online.com, 1
+distribuidoracristal.com.br, 1
+distribuidoradecierres.com, 1
+distribuidoraplus.com, 1
+distribuidorguarani.com.br, 1
+distribuidormaster.com.br, 1
+distribute.gov.sg, 1
+distributed.cafe, 1
+distributedsource.com, 1
+distributedsystems.science, 1
+distributordd.com, 1
+distributore.it, 1
+distributori.roma.it, 1
+district08cnca.org, 1
+district09.be, 1
+district09.gent, 1
+districtcourtislamabad.tk, 1
+districttownship.org, 1
+distrigenosa.tk, 1
+distrikia.com.co, 0
+distrilogservices.com, 1
+distrim.pt, 1
+distrim2.pt, 1
+distritoae.com, 1
+distritotres.tk, 1
+distritoxic.tk, 1
+distro.fr, 1
+distro.re, 0
+distrophy-grind.tk, 1
+distrust.co, 1
+disturbedwarriors.tk, 1
+disturbmenot.co, 1
+dit.moe, 1
+ditaconsultora.com, 1
+ditdot.hr, 1
+ditec.sk, 1
+diterzafra.tk, 1
+ditex.ddns.net, 1
+dities.tk, 1
+ditissaskia.nl, 1
+dittvertshus.no, 1
+div.energy, 1
+div12.org, 1
+divacresent.tk, 1
+divanogiusto.it, 1
+divari.nl, 1
+divas.joburg, 1
+divatri.tk, 1
+divcoder.com, 1
+dive-japan.com, 1
+divedigital.id, 1
+divegearexpress.com, 1
+divegearexpress.net, 1
+diveidc.com, 1
+diveleasia.tk, 1
+divelement.ro, 1
+divelyon.fr, 1
+diveplan.org, 1
+diver-equipment.eu, 1
+divergences.eu.org, 1
+divernet.com, 1
+diverscott.com, 1
+diversificarte.com, 1
+diversify.cf, 1
+diversify.ga, 1
+diversity-otherwise.tk, 1
+diversityflags.com.au, 1
+diversityflags.nz, 1
+diversitywatch.asia, 0
+diversitywatch.co.nz, 1
+diversovariable.tk, 1
+diversual.com, 1
+divertidores.tk, 1
+divestos.org, 1
+divewithfrank.com, 1
+divicar.com.br, 1
+divided.si, 1
+dividedstates.tk, 1
+dividendosfiis.com.br, 1
+dividendz.net, 1
+divider.tk, 1
+divienna.nl, 1
+diviflash.com, 1
+divigear.com, 1
+divihosting.nl, 1
+divinaoracion.com, 0
+divinasaiamodas.com.br, 1
+divineangel.tk, 1
+divinedecay.tk, 1
+divinefeminineyoga.com, 1
+divinegames.studio, 1
+divinemercyparishvld.com, 1
+divinemercyparishvlds.com, 1
+divineprovidenceorphanage.org, 1
+divinerooms.com, 1
+divinglive.ru, 1
+divinho.com.br, 1
+divinitas.tk, 1
+divinoafeto.com.br, 1
+divinoaffetto.com.br, 1
+divisuite.com, 1
+diviworx.com, 1
+divizja.tk, 1
+divjak.at, 1
+divo-remont.tk, 1
+divorce.com, 1
+divorceattorneyschicago.com, 1
+divorceattorneyshouston.com, 1
+divorceformsfiller.com, 1
+divorcelawyer365.com, 1
+divorceonline.com, 1
+divort.org, 1
+divstack.io, 1
+divviup.org, 1
+divvy.tk, 1
+divxonline.ro, 1
+dixa.tech, 1
+dixeo.fr, 1
+dixibox.com, 1
+dixiepest.com, 1
+dixieweld.com, 1
+dixifuar.com, 1
+dixoncountyne.gov, 1
+dixonfireca.gov, 1
+dixonmo.gov, 1
+dixonpoliceca.gov, 1
+dixuant.com, 1
+diy-business-marketing.co.za, 1
+diy-kitchens.com, 1
+diyadinnet.com, 1
+diyanetruya.tk, 1
+diyarbakirescmagazin.tk, 1
+diycc.org, 1
+diycraft.ga, 1
+diycrafts.ml, 1
+diyeat.com, 1
+diyeta.cf, 1
+diyetlife.com, 1
+diyeventhire.co.nz, 1
+diygeek.com, 1
+diymediahome.org, 1
+diysec.tk, 1
+diysonline.com, 1
+diyzealot.com, 1
+dizainkyhni.ml, 1
+dizayn-cheloveka.ru, 1
+dizayner.tk, 1
+dizaynspor.com, 1
+dizhome.net, 1
+dizihastasi.com, 1
+dizirix.net, 1
+dizkartes.nl, 1
+dizkofloor.com, 1
+dizlexiqa.tk, 1
+dizmatt.tk, 1
+dizzidecalz.com.au, 1
+dizzie.org, 1
+dizzyskills.tk, 1
+dizzythewizard.co.uk, 1
+dj-damm.tk, 1
+dj-dfo.tk, 1
+dj-eran.tk, 1
+dj-guillaume.tk, 1
+dj-iliri.tk, 1
+dj-jackson.tk, 1
+dj-kupidon.gq, 1
+dj-leszwolle.nl, 1
+dj-morfu.tk, 1
+dj-ocean.tk, 1
+dj-phil.fr, 1
+dj-wout.tk, 1
+dj-x.info, 1
+dj16888a.com, 1
+dj16888b.com, 1
+dj16888c.com, 1
+dj16888d.com, 1
+dj62.tk, 1
+djaad.tk, 1
+djabad.tk, 1
+djafe.tk, 1
+djakil.tk, 1
+djakuza.tk, 1
+djalberto.tk, 1
+djalessandrobrain.tk, 1
+djamelkokene.com, 1
+djamiroquai.tk, 1
+djang.tk, 1
+django.baby, 1
+django.city, 1
+django.cyou, 1
+djangobirthday.com, 0
+djangogolf.com, 1
+djangoproject.com, 1
+djangoproject.tk, 1
+djangosnippets.org, 1
+djangowebstudio.com, 1
+djanneli.tk, 1
+djarman.tk, 1
+djattack.com, 1
+djav.org, 1
+djawabna.ga, 1
+djax.tk, 1
+djazair.ml, 1
+djazair.tk, 1
+djazim.tk, 1
+djbardhi.tk, 1
+djbell.tk, 1
+djbessi.tk, 1
+djbobbytables.com, 1
+djboi.tk, 1
+djboomarang.tk, 1
+djboris.com, 1
+djbrixx.tk, 1
+djcaz.tk, 1
+djcezar.tk, 1
+djcheka.tk, 1
+djcirce.tk, 1
+djconde.tk, 1
+djconker.tk, 1
+djcontact.tk, 1
+djcritikal.tk, 1
+djcursuszwolle.nl, 1
+djdan.tk, 1
+djdarkz.tk, 1
+djdavid98.art, 1
+djddt.tk, 1
+djdebayanofficial.ga, 1
+djdennis.tk, 1
+djdiego.tk, 1
+djduckie.tk, 1
+djefsane.tk, 1
+djembeforum.tk, 1
+djerba-tunisie.tk, 1
+djfafafa.com, 1
+djfantum.com, 1
+djfaruk.tk, 1
+djfed.tk, 1
+djfede.tk, 1
+djfelix.tk, 1
+djfilms.tk, 1
+djfrenchy.com, 1
+djfunkyju.de, 1
+djgarcia.tk, 1
+djh-nordmark.de, 1
+djharun.tk, 1
+djhooligan.tk, 1
+djhouse.tk, 1
+djhozby.tk, 1
+djhypnoticstate.tk, 1
+djichtus.tk, 1
+djieno.com, 1
+djinstinct.tk, 1
+djjacs.tk, 1
+djjck.com, 1
+djjck.net, 1
+djjonimix.tk, 1
+djkemal.tk, 1
+djkhalid.tk, 1
+djkonor.tk, 1
+djl188.cc, 1
+djl63.com, 1
+djl63001.com, 1
+djleon.net, 1
+djlifemusic.tk, 1
+djlinux.cz, 1
+djlive.ga, 1
+djlmk.tk, 1
+djlogic.tk, 1
+djlove.tk, 1
+djluca.tk, 1
+djmafia.tk, 1
+djmania.es, 1
+djmanikbd.gq, 1
+djmathew.tk, 1
+djmetrix.tk, 1
+djmilad.tk, 1
+djmissynthia.tk, 1
+djmullet.tk, 1
+djmus.tk, 1
+djnandoalmenara.tk, 1
+djnash.tk, 1
+djnefret.tk, 1
+djnext.tk, 1
+djogani.tk, 1
+djoiasoficial.com.br, 1
+djoos.de, 1
+djosu.tk, 1
+djoszee.tk, 1
+djovanov.tk, 1
+djpatrik.tk, 1
+djpiere.tk, 1
+djpippoalpar.tk, 1
+djpromo.tk, 1
+djpump-diaphragmpump.com, 1
+djpyerr.tk, 1
+djramage.tk, 1
+djrider.tk, 1
+djrizwan.tk, 1
+djrofex.tk, 1
+djroynomden.nl, 1
+djrunaway.tk, 1
+djrush134.tk, 1
+djsamurai.tk, 1
+djsciencecollege.tk, 1
+djsearch.tk, 1
+djselo.tk, 1
+djsetitalia.tk, 1
+djshivbabu.tk, 1
+djshox.tk, 1
+djsina.tk, 1
+djsk.nl, 1
+djskippy.tk, 1
+djslash.tk, 1
+djsm.ga, 1
+djspacies.com, 1
+djt-vom-chausseehaus.de, 1
+djtavo.tk, 1
+djthibodeau.com, 1
+djtiago.tk, 1
+djtime.fr, 1
+djtourist.tk, 1
+djurensvanner.tk, 1
+djurklinikenangelholm.se, 1
+djursland-psykologen.dk, 1
+djvampire.tk, 1
+djviks-rap.tk, 1
+djvintagevinyl.com, 1
+djvintagevinyl.de, 1
+djvintagevinyl.nl, 1
+djvirus.tk, 1
+djwaynepryke.com, 1
+djwilson.tk, 1
+djyaman.tk, 1
+djyoungcruse.tk, 1
+dk-kromeriz.cz, 1
+dk.com, 1
+dk.search.yahoo.com, 0
+dk1818.cc, 1
+dkay.me, 1
+dkbilliards.com, 1
+dkcoks.gov, 1
+dkcomputers.com.au, 1
+dkdigital.tk, 1
+dkds.us, 1
+dkec2.space, 1
+dkgamers.tk, 1
+dkhf.ir, 1
+dkim-validator.com, 1
+dkk-gaming.de, 1
+dknoops.xyz, 1
+dko-steiermark.ml, 1
+dkonline.tk, 1
+dkos10.com, 1
+dkos2.com, 1
+dkos3.com, 1
+dkos4.com, 1
+dkos5.com, 1
+dkos6.com, 1
+dkos7.com, 1
+dkos8.com, 1
+dkos9.com, 1
+dkproducts.nl, 1
+dkravchenko.su, 0
+dksh.com, 1
+dksinger.tk, 1
+dksoft-2130.ddns.net, 1
+dksoft.online, 1
+dkstage.com, 1
+dkweb.ml, 1
+dkweb.tk, 1
+dkwedding.gr, 1
+dl-navigator.by, 1
+dl-protect.tk, 1
+dl.google.com, 1
+dl444.net, 1
+dlaces.it, 1
+dlagos.com, 1
+dlagoss.com, 1
+dlandroid24.com, 1
+dlatego.com, 1
+dlazmyslow.pl, 1
+dlbouncers.co.uk, 1
+dlcompare.co.uk, 1
+dlcompare.com, 1
+dlcompare.de, 1
+dlcompare.fr, 1
+dlcompare.it, 1
+dlcompare.pt, 1
+dlcompare.ru, 1
+dlcwilson.com, 1
+dlde.ru, 1
+dleet.com, 1
+dleger.space, 1
+dler.at, 1
+dlevans.com, 1
+dlf.exchange, 1
+dlfsymposium.nl, 1
+dlg.im, 1
+dlgf.com, 1
+dlitz.net, 1
+dll4free.com, 1
+dlld.biz, 1
+dlld.com, 1
+dlld.org, 1
+dlld.us, 1
+dllsearch.net, 1
+dlmarket.jp, 1
+dlmeto.com, 1
+dlmixcloud.com, 1
+dlouwrink.nl, 0
+dlp-demo.com, 1
+dlrg-cux-ohz.de, 0
+dlscomputers.com.au, 1
+dlslab.com, 1
+dlslab.org, 1
+dlsmdportal.com, 1
+dlsolutions-inc.com, 1
+dlt.green, 1
+dlttrading.com, 1
+dluxelab.com, 1
+dlv-registry.com, 1
+dlv-registry.net, 1
+dlyabega.tk, 1
+dlyaribalki.tk, 1
+dlyatepla.ml, 1
+dlyl888.com, 1
+dm-0.com, 1
+dm-918kiss.com, 1
+dm-drogeriemarkt.at, 1
+dm-drogeriemarkt.ba, 1
+dm-drogeriemarkt.bg, 1
+dm-drogeriemarkt.cz, 1
+dm-drogeriemarkt.de, 1
+dm-drogeriemarkt.hr, 1
+dm-drogeriemarkt.hu, 1
+dm-drogeriemarkt.it, 1
+dm-drogeriemarkt.mk, 1
+dm-drogeriemarkt.ro, 1
+dm-drogeriemarkt.rs, 1
+dm-drogeriemarkt.si, 1
+dm-drogeriemarkt.sk, 1
+dm-poepperl.de, 1
+dm-ppp.jp, 1
+dm-tools.co.uk, 1
+dm.at, 1
+dm.cw, 1
+dm.cz, 1
+dm.de, 1
+dm.gov.ae, 1
+dm.hr, 1
+dm.hu, 1
+dm.mk, 1
+dm.pl, 1
+dm.ro, 1
+dm.rs, 1
+dm.si, 1
+dm1.in, 1
+dm4productions.com, 1
+dm6.co, 1
+dm7ds.de, 1
+dm8.link, 1
+dmaglobal.com, 1
+dmarc-hd.org, 1
+dmarc.dk, 1
+dmarc.io, 1
+dmarcexperts.com, 1
+dmarcian.com, 1
+dmarcpal.com, 1
+dmartpreneur.com, 1
+dmautomek.no, 1
+dmc-cc.de, 1
+dmc-commerce-consultants.de, 1
+dmc.ae, 1
+dmc.cc, 1
+dmc030.de, 1
+dmccommerceconsultants.de, 1
+dmclix.com, 1
+dmcw.de, 1
+dmd.lv, 1
+dmdata.jp, 1
+dmdc.mil, 1
+dmdd.org.uk, 1
+dmdiamonds.tk, 1
+dme.net, 1
+dme.web.id, 1
+dmehub.com, 1
+dmesg.sk, 1
+dmfd.net, 1
+dmfj.io, 1
+dmforcesupport.com, 1
+dmforcesupport.marketing, 1
+dmfss.com, 1
+dmfss.tv, 1
+dmg.st, 1
+dmhomedesign.pl, 1
+dmhoteles.pe, 1
+dmhy.com, 1
+dmi.es, 1
+dmi.gov.lb, 1
+dmiapis.id, 1
+dmilb.org, 1
+dmillerlaw.com, 1
+dmitryg.name, 1
+dmitrysnotes.ru, 1
+dmitrysyrov.com, 1
+dmix.ca, 1
+dmlaser.nl, 1
+dmlive.wiki, 1
+dmma.be, 1
+dmmedya.com, 1
+dmmkenya.co.ke, 0
+dmn.sh, 1
+dmni.my, 1
+dmoj.ca, 1
+dmosk.ru, 1
+dmparish.com, 1
+dmr446.fr, 1
+dmrhub.cloud, 1
+dmrhub.net, 1
+dmrhub.network, 1
+dmrhub.org, 1
+dms-technik.de, 1
+dmshynk.com, 1
+dmslog.com, 1
+dmslog.com.br, 1
+dmstechnology.com, 1
+dmtcustoms.co.za, 1
+dmu.ac.ae, 1
+dmvape.us, 1
+dmvhomesgroup.com, 1
+dmvivienda.pe, 1
+dmwall.cn, 1
+dmwaste.com, 0
+dmwclan.tk, 1
+dmx.xyz, 1
+dmxclan.tk, 1
+dmz.rs, 1
+dmze.tk, 1
+dmzlab.se, 1
+dmzr.be, 1
+dn3s.me, 1
+dn42.us, 1
+dna-technology.ua, 1
+dna.li, 0
+dnabler.eu, 1
+dnadk.com, 1
+dnalounge.com, 1
+dnapagamentos.com.br, 1
+dnapizza.com, 1
+dnash.tk, 1
+dnastaffinginc.com, 1
+dnb.co.in, 1
+dnb.dk, 1
+dnb.no, 1
+dnb.se, 1
+dnbalpha.com, 1
+dnbbedrift.no, 1
+dnbeiendom.no, 1
+dnbfeed.no, 1
+dnbfinans.se, 1
+dnbfonder.se, 1
+dnbgroup.lu, 1
+dnbnor.co.uk, 1
+dnbnor.com, 1
+dnbnor.com.cn, 1
+dnbnor.no, 1
+dnbnor.se, 1
+dnbnorbedrift.no, 1
+dnbnord.com, 1
+dnbnorfinance.eu, 1
+dnbnorfinans.com, 1
+dnbnorfinans.eu, 1
+dnbnorfinans.no, 1
+dnbnorfond.no, 1
+dnbnorkort.no, 1
+dnbnorprivat.no, 1
+dnbprivat.no, 1
+dnbung.no, 1
+dnc.org.nz, 1
+dndblog.tk, 1
+dnddobbelstenen.nl, 1
+dndtools.net, 1
+dnel.me, 1
+dneprfilm.top, 1
+dnepropetrovck.tk, 1
+dneprovski.tk, 1
+dnestr.tk, 1
+dnevnichok.club, 1
+dnfc.rocks, 1
+dnfsb.gov, 1
+dngrexplorer.cf, 1
+dngsnl.com, 1
+dnhome.net, 0
+dnjwpa.com.pl, 1
+dnk.company, 1
+dnmlab.it, 1
+dnns.no, 1
+dnplegal.com, 1
+dnpprogramstudies.com, 1
+dnratthee.me, 1
+dnrt-esports.nl, 1
+dns-check.nl, 0
+dns-control.eu, 1
+dns-free.link, 1
+dns-swiss.ch, 1
+dns.expert, 1
+dns.google.com, 1
+dns.gov, 1
+dns.sb, 1
+dns.sh, 1
+dns0.eu, 1
+dnsaio.com, 1
+dnsbird.org, 1
+dnsbl-servers.org, 1
+dnscaa.com, 1
+dnscrawler.com, 1
+dnscrypt-blacklist.tk, 1
+dnscrypt.info, 1
+dnscrypt.nl, 1
+dnscurve.io, 1
+dnsdns.today, 1
+dnsecho.net, 1
+dnsecho.org, 1
+dnshallinta.fi, 1
+dnshelper.com, 1
+dnshotel.dk, 1
+dnsinfo.ml, 1
+dnsipv6.srv.br, 0
+dnskeep.com, 1
+dnskeeper.com, 1
+dnslog.com, 1
+dnslow.me, 1
+dnslytics.com, 1
+dnsman.se, 1
+dnsmate.net, 1
+dnsmonitor.com, 1
+dnsnox.com, 1
+dnspod.ml, 1
+dnspropagation.net, 1
+dnsrate.com, 1
+dnsrevolve.com, 1
+dnsscience.org, 1
+dnssecandipv6.se, 1
+dnssecunsigned.com, 1
+dnssex.com, 1
+dnsspeed.com, 1
+dnstwister.report, 1
+dnsvrfy.com, 1
+dnsvrfy.eu, 1
+dnsvrfy.net, 1
+dnsvrfy.org, 1
+dnswarden.com, 0
+dnt1egh97ehxx.cloudfront.net, 1
+dnvod.ml, 1
+do-do.tk, 1
+do-it-service.de, 1
+do-not.click, 1
+do-prod.com, 0
+do.gd, 1
+do.ne, 1
+do.search.yahoo.com, 0
+do13.net, 1
+do67.de, 1
+do67.net, 1
+doanhai.tk, 1
+doanhnhankhanhhoa.vn, 0
+dob46.mazowsze.pl, 1
+dobavki.club, 1
+dobbshvac.com, 1
+dobledemichaeljackson.tk, 1
+doblejewel.shop, 1
+dobleseo.pro, 1
+dobookmark.ml, 1
+doboszynski.com, 1
+dobramagia.pl, 1
+dobraprace.cz, 0
+dobrekupony.cz, 1
+dobrekupony.pl, 1
+dobrekupony.sk, 1
+dobreoknaszczecin.pl, 1
+dobrev.family, 1
+dobrinya.tk, 1
+dobrisan.ro, 1
+dobrisan.uk, 1
+dobro.ml, 1
+dobrodar.tk, 1
+dobrodruzi.tk, 1
+dobrynyastyle.ru, 1
+dobryprezident.sk, 1
+doc-baza.tk, 1
+doc.ai, 1
+doc.new, 1
+doc.python.org, 1
+doc8643.com, 1
+docabo.ch, 1
+docbox.ch, 1
+docbrown.dk, 1
+doccafe.com, 1
+docdoc.tel, 1
+docedic.com, 1
+docemeldoces.com, 1
+docesmartini.com.br, 1
+docfusioncloud.com, 1
+docguide.com, 1
+docha.tk, 1
+dochimera.com, 1
+dochub.com, 1
+dock-bar.com, 1
+dock.tech, 1
+dock23.de, 1
+dockerbook.com, 0
+dockerm.com, 1
+dockerup.net, 1
+dockeryarmory.com, 1
+dockflow.com, 1
+dockmastersonline.com, 1
+dockstarter.com, 1
+dockysearch.com, 1
+doclassworks.com, 1
+docline.gov, 1
+docloudu.info, 1
+doclures.com, 1
+docmartinchiropractic.com, 1
+docmbs.com, 1
+docmode.org, 1
+docogo.ga, 1
+docplexus.com, 1
+docpost.ml, 1
+docs-kelis.fr, 1
+docs.google.com, 1
+docs.moe, 1
+docs.python.org, 1
+docs.tw, 1
+docsend.com, 1
+docsity.com, 1
+docsunited.net, 1
+docswallet.com, 1
+doctabaila.com, 1
+doctaforum-diferidos.com, 1
+doctaforum-events.org, 1
+doctaforum-test.com, 1
+docteur-delorme.fr, 1
+doctoblog.fr, 1
+doctor-locks.co.uk, 1
+doctorako.com, 1
+doctorbini.com, 1
+doctorcalefon.com, 1
+doctordabbah.com, 1
+doctordangond.com, 1
+doctorebonie.com, 1
+doctorfox.co.uk, 1
+doctoriko.tk, 1
+doctoripfix.com, 1
+doctorkaraca.com, 1
+doctorlab.am, 1
+doctormahamudul.tk, 1
+doctormartinclavo.tk, 1
+doctormit.ro, 1
+doctornaima.ml, 1
+doctornet.ml, 1
+doctorofnursingpracticednp.org, 1
+doctorpage.info, 1
+doctorperu.com, 1
+doctorpower.ga, 1
+doctorpup.com, 1
+doctorradio.tk, 1
+doctorsarfarazdo.ga, 1
+doctorsexplain.net, 1
+doctorshealthfund.com.au, 1
+doctorsinternet.com, 1
+doctorswithoutborders.org, 1
+doctorwho.cz, 1
+doctour.eu, 1
+doctour.fr, 1
+doctrine.fr, 1
+docu.io, 1
+docubox.info, 1
+docucopies.com, 1
+docufiel.com, 0
+docugate.cloud, 1
+docugatetest.cloud, 1
+documaniatv.com, 1
+document-translation-nationwide.com, 1
+documentalista.cat, 1
+documentat.ga, 1
+documentations-sociales.com, 1
+documentationsite.net, 1
+documentforce.com, 1
+documentnode.io, 1
+documods.com, 1
+docupaymentuat.xyz, 1
+docupub.com, 1
+docusearch.com, 1
+docusend.biz, 1
+docusign.ca, 1
+docusign.co.uk, 1
+docusign.com, 1
+docusign.com.au, 1
+docusign.com.br, 1
+docusign.com.es, 1
+docusign.de, 1
+docusign.fr, 1
+docusign.in, 1
+docusign.jp, 1
+docusign.mx, 1
+docusign.nl, 1
+docutayho.com, 1
+docxtemplater.com, 1
+doczlo.tk, 1
+doda.space, 1
+dodabrothers.com, 1
+dodacommunity.tk, 1
+dodalf.com, 1
+dodard.link, 1
+doddridgecountywv.gov, 1
+dodds.cc, 1
+doddy.tk, 1
+dodecaedro.tk, 1
+dodelf.com, 1
+dodgecountymn.gov, 1
+dodgecountyne.gov, 1
+dodgevillewi.gov, 1
+dodi-alhelo.tk, 1
+dodi-repacks.site, 1
+dodiedods.fr, 1
+dodikod.tk, 1
+dodolle.co.uk, 1
+dodotool.ru, 1
+dodylesmana.com, 1
+doedelzakken-jsh.tk, 1
+doegirls.com, 1
+doehle-group.com, 1
+doeleman.nl, 1
+doencadobeijo.com, 1
+doener-curator.com, 1
+doenets.lk, 1
+doenjoylife.com, 1
+doeprojects.com, 1
+doerz.com, 1
+doesburg-comp.nl, 1
+doesinfotech.com, 1
+doesmycodehavebugs.today, 1
+doetwat.nl, 1
+dof.gov.ph, 1
+dofashion.tk, 1
+dofedex.com, 1
+dofrancais.com, 1
+dofus-aide.tk, 1
+dofus.market, 1
+dofux.org, 1
+dog-likeeyes.tk, 1
+doga-osusume.jp, 1
+doga.tk, 1
+dogadostuambalaj.com, 1
+dogaicincal.com, 1
+dogalsoyamumu.com, 1
+dogan.ch, 0
+doganoglu.net, 1
+dogcat.vn, 1
+dogcratereview.info, 1
+dogday.tk, 1
+dogdayafternoons.biz, 1
+doge-fa.tk, 1
+dogear.ch, 0
+dogecdn.wtf, 1
+dogecoinnews.net, 1
+dogecoinnews.org, 1
+dogespeed.gq, 1
+dogespeed.ml, 1
+dogfights.tk, 1
+dogforum.de, 1
+dogfriendly.co.uk, 1
+dogfriendlyplaces.eu, 1
+dogft.com, 1
+doggingclub.tk, 1
+doggo-staging.herokuapp.com, 1
+doggo.cloud, 1
+doggo.email, 1
+doggroomingcourse.com, 0
+doghandling.tk, 1
+doghousedigital.com, 1
+doginaflat.com, 1
+dogingtonpost.com, 1
+dogite.org, 1
+doglifejacket.tk, 1
+doglist.ga, 1
+doglog.com, 1
+dogma.it, 1
+dogma2000.tk, 1
+dogmagic.tk, 1
+dogmap.jp, 1
+dogmazic.net, 1
+dogodki.today, 1
+dogofwar.tk, 1
+dogoo.com, 1
+dogpawstudio.com, 1
+dogprograms.net, 1
+dogrupara.com, 1
+dogscare.tk, 1
+dogsforfun.tk, 1
+dogsite.tk, 1
+dogsnaturallymagazine.com, 1
+dogsnow.com, 1
+dogsport.org, 1
+dogsunderstood.shop, 1
+dogtowneastpowell.com, 1
+dogtrack.tk, 1
+dogtrainingnaples.com, 1
+dogualp.com, 1
+dogvolution.com, 1
+dogwoodceramics.com, 1
+dogworld.com.br, 1
+doh.pub, 1
+doh.sb, 1
+dohanews.co, 1
+dohertyconsulting.tk, 1
+doi.org, 1
+doihavetoputonpants.com, 1
+doinaruscior.eu, 1
+doineedanmdm.com, 1
+doinwp.com, 1
+doioig.gov, 1
+doist.com, 1
+doit-intl.com, 1
+doit.com, 1
+doitauto.de, 1
+doj.gov.in, 1
+doja-cat.ru, 1
+dojah.io, 1
+dojifish.space, 1
+dojihomes.vn, 1
+dojin.nagoya, 1
+dojki.cf, 1
+dojki.ga, 1
+dojki.gq, 1
+dojmt.gov, 1
+dojocasts.com, 1
+dojodigital.co.uk, 1
+dojozendebourges.fr, 1
+dokanline.com, 1
+dokcar.com.br, 1
+dokee.cn, 1
+dokelio-idf.fr, 1
+dokipy.no, 1
+doklinik.com, 1
+dokonline.tk, 1
+dokspot.cf, 1
+dokspot.ga, 1
+doktererectie.com, 1
+doktorplyusheva.ml, 1
+doku-gilde.de, 1
+dokuboard.com, 1
+dokuev.ga, 1
+dokument.tk, 1
+dokuraum.de, 1
+dokutech.fr, 1
+dolbyatmosmusiclist.com, 1
+dolce-vita-mia.tk, 1
+dolcesalatoweb.it, 1
+dolceuvita.com, 1
+dolchhut.tk, 1
+dolci-delizie.de, 1
+dolciariasimonini.com, 1
+dolciterapie.com, 1
+doldersumenzoon.tk, 1
+doleta.gov, 1
+dolezalpartners.com, 1
+dolfotransport.com, 1
+dolg.cf, 1
+dolg.ga, 1
+dolg.gq, 1
+dolg.ml, 1
+dolg.tk, 1
+dolgopolova.ga, 1
+dolgorukovo.cf, 1
+dolice.net, 1
+dolinathome.com, 1
+dolkfm.tk, 1
+doll.gq, 1
+doll.ml, 1
+dollarads.cf, 1
+dollarads.ga, 1
+dollareast.tk, 1
+dollarhero.ga, 1
+dollarprofit.tk, 1
+dollarrp.pl, 1
+dollarweb.cf, 1
+dolle-shop.com.ua, 1
+dolledout.co.ke, 1
+dollemore.com, 1
+dollestieren.tk, 1
+dolliesmaker.tk, 1
+dolly.ga, 1
+dollylox.tk, 1
+dollz-world.tk, 1
+dollz.tk, 1
+dolmencleanroom.com, 1
+dolmenejecutores.com, 1
+dolmeningenieria.com, 1
+dolmentree.tk, 1
+dolnolinevo.tk, 1
+dolo.tk, 1
+dolomititour.com, 1
+dolonki.beauty, 1
+dolorism.com, 1
+dolph.de, 1
+dolphin-cloud.com, 1
+dolphin-hosting.com, 1
+dolphin-it.de, 1
+dolphinbraces.com, 1
+dolphins.tk, 1
+dolphyserver.tk, 1
+dolys.fr, 1
+dom-byt.tk, 1
+dom-desertov.tk, 1
+dom-riviere.tk, 1
+dom.blog, 1
+dom2news.gq, 1
+dom2news.tk, 1
+dom2seychelles.tk, 1
+dom2tnt.tk, 1
+doma.in, 1
+domacikavarna.cz, 1
+domadillo.com, 1
+domagovic.tk, 1
+domain-comparison.com, 1
+domain-ermittlung.de, 1
+domain-skachat.cf, 1
+domain-speicher.com, 0
+domain-swiss.ch, 1
+domain.ch, 1
+domaine-aigoual-cevennes.com, 1
+domaine-de-garbelle.com, 1
+domaine-de-vermoise.fr, 1
+domainedebichery.com, 1
+domainedemanville.fr, 1
+domainevanina.fr, 1
+domainexpress.de, 0
+domainforfree.gq, 1
+domainhostingcompany.tk, 1
+domainics.ml, 1
+domainify.ca, 1
+domainlions.com, 1
+domainmonitor.net, 1
+domainoo.com, 0
+domainoo.fr, 1
+domainops.gov, 1
+domainproactive.com, 1
+domainregistry.ie, 1
+domainresidential.com.au, 1
+domains-hoarden-ist-ein-ernstes-problem-suchen-sie-sich-hilfe.jetzt, 1
+domains.google.com, 1
+domains.lt, 1
+domainsearchindia.com, 1
+domainservice.cf, 1
+domainsetup.email, 1
+domainsilk.com, 1
+domainstaff.com, 1
+domaintm.in, 1
+domainvoider.cf, 1
+domakidis.com, 1
+domarkperu.com, 1
+domashnij-pk.ru, 1
+domashnijpk.ru, 1
+domashniy-server.tk, 1
+domaxpoker.com, 1
+domaza.gq, 1
+domaza.ml, 1
+domcc.tel, 1
+domeconseil.fr, 1
+domein-direct.com, 1
+domein-direct.nl, 1
+domeindns.nl, 1
+domeinhub.nl, 1
+domeinquarantaine.nl, 1
+domekklimkowka.com, 1
+domen-reg.ru, 1
+domenaru.ga, 1
+domenic.me, 1
+domenick-lieneweg.de, 1
+domenico.lviv.ua, 1
+domenicods.tk, 1
+domhaase.me, 1
+domharmonia.bg, 1
+domhos.tk, 1
+domialt.de, 1
+domian.cz, 1
+dominanta-law.com, 1
+dominateyourmarket247.com, 1
+dominationgame.co.uk, 1
+dominatorauckland.co.nz, 1
+dominctheroofguy.com, 1
+dominguezchiropractic.com, 1
+dominicana-lux.cf, 1
+dominicandfelixroco.tk, 1
+dominicanisimo.tk, 1
+dominicanosenpr.com, 1
+dominichoward.tk, 1
+dominicinc.com, 1
+dominicjackson.cf, 1
+dominicjackson.ga, 1
+dominicjackson.gq, 1
+dominicself.co.uk, 1
+dominicself.com, 1
+dominicself.uk, 1
+dominictaylor.co.uk, 1
+dominik-bergmann.de, 1
+dominik-steiner.at, 1
+dominik.st, 1
+dominikaner-vechta.de, 1
+dominikconrads.de, 1
+dominikriedig.de, 1
+dominioanimal.com.br, 1
+dominionlending.ca, 1
+dominionpayroll.net, 1
+dominiopruebados.ml, 1
+dominiostk.tk, 1
+dominique-haas.fr, 0
+domino.com.ge, 1
+domino99.ml, 1
+domino99.tk, 1
+dominobot.ir, 1
+dominobreaker.ml, 1
+dominoknihy.cz, 0
+dominolessons.ga, 1
+dominomatrix.com, 1
+dominoqq.asia, 1
+dominoz.tk, 1
+domitori.tk, 1
+domix.fun, 1
+domizx.de, 1
+domjh.com, 1
+domkiwgrodku.pl, 1
+domlist.tk, 1
+dommaster.info, 1
+dommistrza.pl, 1
+dommod.tk, 1
+domnaslonecznej.pl, 1
+domob.eu, 1
+domodeco.fr, 1
+domofon.io, 0
+domokode.ru, 1
+domop.org, 1
+domoplus.ca, 1
+domostroiy.tk, 1
+domostroydon.ru, 1
+domostroynn.ru, 1
+domostroyrf.ru, 1
+domotek.pl, 1
+domotics101.com, 1
+domovik-magz.tk, 1
+domovitae.io, 1
+domowe-potrawy.pl, 1
+domowejroboty.pl, 1
+domowezrodlozdrowia.pl, 1
+domp.pl, 1
+domparts.com.au, 1
+dompetdhuafa.org, 1
+domprojects.com, 1
+domps.fr, 1
+domreg.lt, 1
+domsamogona.ru, 1
+domscripting.com, 1
+domt.com, 1
+domu.ro, 1
+domucmayintainha.com.vn, 1
+domus-global.com, 1
+domus-global.cz, 1
+domus-rely.com, 1
+domyassignments.com, 1
+domycasestudy.com, 1
+domycoding.com, 1
+domycoursework.com, 1
+domycreativewritings.com, 1
+domydissertations.com, 1
+domyessay.net, 1
+domyhomework123.com, 1
+domyiadaptacje.pl, 1
+domynetwork.com, 1
+domypapers.com, 1
+domyresearchpaper.com, 1
+domyreview.net, 1
+domyspeech.com, 1
+domytermpaper.com, 1
+domythesis.net, 1
+domyzitrka.cz, 1
+domznak.ru, 1
+don-news.tk, 1
+donabeneko.jp, 1
+donacarlota.net.br, 1
+donacije.rs, 1
+donaciondeorganos.gov, 1
+donalblaney.cf, 1
+donalblaney.ga, 1
+donalblaney.gq, 1
+donaldduck.nl, 1
+donaldtrump.ga, 1
+donaldwarner.com, 1
+donamflor.com, 1
+donarmany.online, 1
+donat.cloud, 1
+donate-streamer.com, 1
+donate.lol, 1
+donateabox.org, 1
+donateaday.net, 1
+donateers.org, 1
+donateforcharity.com, 1
+donatellapratas.com.br, 1
+donation.ph, 1
+donationexecutor.com, 1
+donazione.it, 1
+doncastermoneyman.com, 1
+dondiabolo.com, 1
+donec.tk, 1
+donegalhistory.ie, 1
+doneinteriorerp.com, 1
+donera.tk, 1
+donerite.us, 1
+donewhen.email, 1
+donewhen.eu, 1
+donewhen.net, 1
+donewhen.nl, 1
+donewhen.org, 1
+donfelino.tk, 0
+donga.tk, 1
+dongbd.com, 1
+dongcdn.com, 1
+dongchenyue.art, 1
+donge.fr, 1
+dongha.org, 1
+donghochinhhang.store, 1
+donghua-europe.com, 1
+donghuapiandaquan.com, 1
+dongjian.com, 1
+dongkepu.com, 1
+dongor.tk, 1
+donhoward.org, 0
+doninformatico.ga, 1
+doniramdoni.tk, 1
+donislawdev.com, 1
+donkerslootjes.nl, 1
+donkeytrekkingkefalonia.com, 1
+donnaandscottmcelweerealestate.com, 1
+donnabotanica.com.br, 1
+donnabrothers.com, 1
+donnacha.blog, 1
+donnachie.net, 1
+donnahay.com.au, 1
+donnapepe.tk, 1
+donnerhollenconstruction.com, 1
+donnerwetter.tk, 1
+donngle.com, 1
+donnons.org, 0
+donnoval.ru, 0
+donorscape.com, 1
+donostiweb.tk, 1
+donotcall.gov, 1
+donotdepart.com, 1
+donpanda.cz, 1
+donpi.it, 1
+donpietraos.tk, 1
+donplafon.ru, 1
+donpomodoro.com.co, 1
+donquix.nl, 1
+donsgroupattire.com, 1
+donsremovals.com.au, 1
+dont.re, 1
+dont.watch, 1
+dontarriva.org.uk, 1
+dontasktoask.com, 1
+dontbeevil.com, 1
+dontbreakme.com, 1
+dontbubble.me, 1
+dontcageus.org, 1
+donteaetcrayons.tk, 1
+donteffwithmyvote.com, 1
+donteffwithmyvote.org, 1
+donteffwithmyvote.us, 1
+dontefwithmyvote.com, 1
+dontefwithmyvote.org, 1
+dontefwithmyvote.us, 1
+dontenedor.com, 1
+dontfuckwithmy.vote, 1
+dontfuckwithmyvote.com, 1
+dontfuckwithmyvote.net, 1
+dontfuckwithmyvote.org, 1
+dontfuckwithmyvote.us, 1
+dontfwithmy.vote, 1
+dontfwithmyvote.com, 1
+dontfwithmyvote.net, 1
+dontfwithmyvote.org, 1
+dontfwithmyvote.us, 1
+donthedragonwilson.com, 1
+dontkeylog.me, 1
+dontkillspike.tk, 1
+dontpayfull.com, 1
+dontstopcoffee.com, 1
+dontvisit.me, 1
+dontwastethewood.com, 1
+donumanimo.pl, 1
+donutcompany.co.jp, 1
+donwhen.com, 1
+donwhen.email, 1
+donwhen.eu, 1
+donwhen.net, 1
+donwhen.nl, 1
+donwhen.org, 1
+donwilkssculptor.com, 1
+doo.is, 1
+dooby.fr, 1
+doodle.com, 1
+doodlecorn.com, 1
+doodlegames.tk, 1
+doodletips.com, 1
+doogej.nl, 1
+doolac.com, 1
+dooleylabs.com, 1
+doomsdaymag.tk, 1
+doomsworld.com, 1
+doomtech.net, 1
+doonvalleytrail.co.uk, 1
+doooooops.com, 1
+doop.im, 1
+doorchaser.tk, 1
+doordash.com, 1
+doordash.news, 1
+doordash.red, 1
+doordecor.bg, 1
+doorframe.com, 1
+doorin.tk, 1
+doorlinekktc.tk, 1
+doornmore.com, 1
+doors-and-windows.tk, 1
+doorservice.ml, 1
+doorsystemsweden.se, 1
+doortodoor.ml, 1
+doottrucks.com.au, 1
+dopamine.tk, 1
+dopefile.cf, 1
+dopefile.tk, 1
+dopei.com, 1
+dopeillustrators.com, 1
+dopesoft.de, 1
+dopewars.tk, 1
+dopfer-fenstertechnik.de, 1
+dopiatku.pl, 1
+doppeleinhorn.de, 1
+doppenpost.nl, 1
+doppler-manufaktur.com, 1
+doppler.com, 1
+doppler.team, 1
+dopplerschirme.com, 1
+dor-tak.com, 1
+dor-tak.ru, 1
+dora.cat, 1
+dora.moe, 1
+dorados.tk, 1
+doradoscampeon.tk, 1
+doraemonchile.tk, 1
+dorama.gq, 1
+doramamusic.gq, 1
+doramiru.com, 1
+doranobi-fansub.id, 1
+dorcelvision.com, 1
+dorco.be, 1
+dordtpas.nl, 1
+doremy.be, 1
+dorfbrunnen.eu, 0
+dorfkultur.net, 1
+dorfpark-falkenburg.de, 1
+dorfzittig.de, 1
+doriangardes.fr, 1
+doriangirod.ch, 0
+dorianharmans.nl, 1
+dorianmuthig.com, 1
+doridian.com, 1
+doridian.de, 1
+doridian.net, 1
+doridian.org, 1
+dorier-digiplace.com, 1
+dorisdeluxe.com, 1
+dorizonline.tk, 1
+dorkface.tk, 1
+dormi.hu, 1
+dormilaine.fr, 1
+dorminyeremenyjatek.hu, 1
+dormirmucho.com, 0
+dormitengernyikaland.hu, 1
+dormiu.com, 1
+dormiu.com.br, 1
+dormkitty.com, 1
+dorogaminina.tk, 1
+dorotaorlowska.pl, 1
+dorpshuis-dwarsgracht.nl, 1
+dorpsoverlegboskoop.nl, 1
+dorpsparade.tk, 1
+dorquelle.com, 1
+dorrtownshipmi.gov, 1
+dorsavi.com, 1
+dorsaycreative.com, 1
+dorsethouselyme.com, 1
+dorsetthotels.com, 1
+dorth.nl, 1
+dortmund.de, 1
+dortmund.directory, 1
+dorys.ga, 1
+dos-team.tk, 1
+dos.lol, 1
+dosavor.com, 1
+dosbox.tk, 1
+dosdiasenlavida.es, 1
+dosei.net, 1
+dosenkiwi.at, 1
+dosenpendidikan.co.id, 1
+dosenpintar.com, 1
+dosensosiologi.com, 1
+doserres.tk, 1
+dosevue.com, 1
+dosgame.club, 1
+dosgratus.tk, 1
+dosimabag.com, 1
+dosimapress.com, 1
+dosite.gq, 1
+dosje.org, 1
+doska.by, 1
+doska.cf, 1
+doska.ru, 1
+doskapozora.tk, 1
+dosomeworks.biz, 1
+dosorbonne.com, 1
+dossierbaudet.nl, 1
+dossierweb.tk, 1
+dostal.co, 0
+dostalsecurity.com, 1
+dostat.de, 1
+dostav.tk, 1
+dostavkakurierom.ru, 1
+dostips.com, 1
+dostkuijper.nl, 1
+dosug.gq, 1
+dosug.so, 1
+dosugru.gq, 1
+dosvientoselectric.com, 1
+dosvientoselectrical.com, 1
+dosvientoselectrician.com, 1
+dosvientosexteriorlighting.com, 1
+dosvientoslandscapelighting.com, 1
+dosvientoslighting.com, 1
+dosvientosoutdoorlighting.com, 1
+doswap.com, 1
+doswo-design.at, 1
+dosyaa.tk, 1
+dosyakurtarma.com, 1
+dosyanet.cf, 1
+dosyanet.tk, 1
+doszkocs-zsuzsa.hu, 1
+dot.sb, 1
+dota2expert.ru, 0
+dota2free.tk, 1
+dotadotaman.tk, 1
+dotatic.com, 1
+dotbox.org, 1
+dotcircle.co, 1
+dotcomdesigns.biz, 1
+dotcompetentdigital.com, 1
+dotcomtest02-single.azurewebsites.net, 1
+dotconnor.com, 0
+dotfile.tk, 1
+dotgov.gov, 1
+dothaneagle.com, 1
+dotheevolution.tk, 1
+dothegangnamstyle.tk, 1
+dotjesper.com, 1
+dotjesper.dk, 1
+dotjesper.net, 1
+dotjs.party, 1
+dotker.com, 1
+dotkniseandroida.cz, 1
+dotkod.pl, 1
+dotlab.net, 1
+dotlab.nl, 1
+dotlakevillagecouncil-nsn.gov, 1
+dotlaw.co, 1
+dotless.tk, 1
+dotlight.ga, 1
+dotlimino.tk, 1
+dotneko.net, 1
+dotnetdocs.ir, 1
+dotnetfoundation.org, 0
+dotnetsandbox.ca, 1
+dotnext.co.za, 1
+dotovh.ovh, 1
+dotphoto.com, 1
+dotplex.com, 1
+dotpoint.ga, 1
+dotprime.by, 1
+dotrel.com, 0
+dotridmeto.cz, 1
+dotrox.net, 1
+dotsbuy.com, 1
+dotshule.ug, 1
+dotsiam.co.th, 1
+dotsiam.com, 1
+dotsiam.in.th, 1
+dotsmesh.com, 1
+dottore.roma.it, 1
+dottormarc.it, 1
+dotweb.com, 1
+dotxyz.lol, 1
+dotya.ml, 1
+dotyk-snov.tk, 1
+dotyk.me, 1
+dotzauer-stb.de, 1
+douai.me, 1
+douban.city, 1
+double20.gg, 1
+doublearm.in, 1
+doubleaste.com, 0
+doublebass-solo.com, 1
+doubled.ml, 1
+doubledranch.tk, 1
+doublefun.net, 1
+doublejack.online, 1
+doubleness.gq, 1
+doublespeak.chat, 1
+doublestat.me, 1
+doubletex.de, 1
+doubleup.com.au, 1
+doubleupgaming.tk, 1
+doublewide.tk, 1
+doublewood.tk, 1
+doubllexchange.com, 1
+doubllexchange.site, 1
+doubllexchange.website, 1
+doubloin.com, 1
+doubly.tk, 1
+doubtaboutwill.org, 1
+doucebnice.cz, 1
+douceurcarlet.com, 1
+doucheba.gs, 0
+doucheoftheweek.com, 1
+doughseeker.com, 1
+doughstory.cf, 1
+douglas-ma.gov, 1
+douglascounty-oregon.gov, 1
+douglascountybar.com, 1
+douglascountycolorado.gov, 1
+douglascountyga.gov, 1
+douglascountyil.gov, 1
+douglascountymn.gov, 1
+douglascountyor.gov, 1
+douglascovotes.gov, 1
+douglascuddletoy.com, 1
+douglascustodio.com.br, 1
+douglasgreenberg.org, 1
+douglasmi.gov, 1
+douglasresende.tk, 1
+douglassimons.com, 1
+douglegomovie.tk, 1
+dougley.com, 1
+dougsnugs.love, 1
+doujin-domain.cz, 1
+doujin.nagoya, 1
+doujinrepublic.com, 1
+doujinshi.info, 1
+doujinspot.com, 1
+douzer.de, 1
+douzer.earth, 1
+douzer.industries, 1
+dovebuttare.it, 1
+doveconviene.it, 1
+dovecraft.com.ua, 1
+doveholesband.co.uk, 1
+dovemoe.com, 1
+dovenzorgmalawi.nl, 1
+doverfcu.com, 1
+doveriestom.com, 1
+doverma.gov, 1
+dovermotion.com, 1
+doverye.tk, 1
+doveskyger.site, 1
+doveskyger.tk, 1
+dovetail.com, 1
+dovetailapp.com, 1
+doveweekend.com, 1
+dovizborsa.com, 1
+dovolena-ihned.cz, 1
+dowdscatfishandbbq.com, 1
+dowell.media, 1
+dowhatmakegood.de, 1
+dowhatyoucannow.com, 1
+dowina.com, 1
+dowling.nz, 1
+dowling.tk, 1
+down-load.dynu.net, 1
+down.pm, 1
+downalarm.cz, 1
+downalarm.sk, 1
+downandouts.tk, 1
+downbook.org, 1
+downestan.ga, 1
+downfall-records.tk, 1
+downfreak.tk, 1
+downgratis.tk, 1
+download-image.ga, 1
+download-knigi.gq, 1
+download-lagu-mp3.com, 1
+downloadabc.cf, 1
+downloadapkpokemongo.ga, 1
+downloadapkpure.tk, 1
+downloadasik.com, 1
+downloadcounter-strike16.com, 1
+downloadfestival.co.uk, 1
+downloadfiles.cf, 1
+downloadforum.ml, 1
+downloadforum.tk, 1
+downloadhindimovie.net, 1
+downloadhindimovies.net, 1
+downloadmoremousepad.ml, 1
+downloads.zdnet.com, 1
+downloadsoftwaregratisan.com, 1
+downloadvipgames.tk, 1
+downset.tk, 1
+downthebayoucharters.com, 1
+downtoagony.tk, 1
+downtoearthjewelry.com, 1
+downtownafrica.com, 1
+downtownboise.org, 1
+downtowncharm.is, 1
+downtownindy.org, 1
+downtownla.com, 1
+downtownmesa.com, 1
+downtownpdx.dog, 1
+downtownraleigh.org, 1
+downtownsuiteliving.com, 1
+downtowntucson.org, 1
+downtownvernon.com, 1
+downunderporn.com, 1
+downwithchina.com, 1
+dowow.tv, 1
+dox-box.eu, 1
+doxa.tk, 1
+doxal.ro, 1
+doxepin1.gq, 1
+doxepinonline.gq, 1
+doxyciclin.ga, 1
+doxyciclin.gq, 1
+doxyciclin.tk, 1
+doxycyclin.gq, 1
+doxycycline-online.cf, 1
+doxycycline1.gq, 1
+doxycyclinehyclate100mgcap.cf, 1
+doxycyclineprices.cf, 1
+doyarki.ga, 1
+doylesalewski.ca, 1
+doylestownborough.net, 1
+doyo.email, 1
+doyo.tech, 1
+doyogawithlina.com, 1
+doyoucheck.com, 0
+doyoulyft.com, 1
+doyoutax.com, 0
+doypacky.cz, 1
+doze-cloud.tech, 1
+dozecloud.com, 1
+dozor.ga, 1
+dozor.gq, 1
+dozor.tk, 1
+dp-clan.tk, 1
+dp-films.de, 1
+dp.cx, 1
+dp7.ro, 1
+dpangerl.de, 0
+dpanosian.com, 1
+dpasn-afpa.fr, 1
+dpath.com, 1
+dpatyk.com, 1
+dpc-pca.org, 1
+dpc-software.de, 1
+dpc.ae, 1
+dpcp.fr, 1
+dpcs.xyz, 0
+dpcyourhome.com, 1
+dpd.com.pl, 1
+dpecuador.com, 1
+dpereira.net, 1
+dperson.net, 1
+dpeter.me, 1
+dpfsolutionsfl.com, 1
+dpg.no, 1
+dphipartner.com, 1
+dpi-design.de, 1
+dpim.org.my, 1
+dpinse.com, 1
+dpisecuretests.com, 1
+dpjuse.tk, 1
+dpk.es, 1
+dpkk.ph, 1
+dplpmtud.com, 1
+dpmr446.fr, 1
+dpoairport.au, 1
+dpoairport.com.au, 1
+dpomax.com.br, 1
+dponapratica.com.br, 1
+dpower.tk, 1
+dppstar.com, 1
+dprb.biz, 1
+dpress24.it, 1
+dprmp.org, 1
+dps.srl, 1
+dpsengineers.com.au, 1
+dpsg-hohenlinden.de, 1
+dpsmassage.nl, 1
+dpucarriersma.gov, 1
+dpwsweeps.co.uk, 1
+dqfilesonline.com, 1
+dr-amar.tk, 1
+dr-beyer.de, 1
+dr-dedet.com, 1
+dr-detailing.com, 1
+dr-diffusion.fr, 1
+dr-ermilov.com, 1
+dr-feldman.com, 1
+dr-it.co.uk, 0
+dr-karagenska.com, 1
+dr-kissler.de, 1
+dr-maike-juergens.de, 1
+dr-mgeorgieva.com, 1
+dr-nope.de, 1
+dr-nosrat.tk, 1
+dr-notemann.de, 1
+dr-schlamminger.de, 1
+dr-schuessler.de, 1
+dr-vlasak.cz, 1
+dr-www.de, 1
+dr.mg, 1
+dr2dr.ca, 1
+draabe-nyt.dk, 1
+draadloos-besturen.nl, 1
+draadloze-noodstop.nl, 1
+draagmerriecentrale.nl, 1
+draakjefosfor.be, 1
+drabbin.com, 1
+drabim.org, 1
+drace.biz, 1
+drach.xyz, 1
+dracheisolation.tk, 1
+drachenchronik.com, 1
+drachenleder.de, 1
+dracisvet.cz, 1
+dracoon.team, 1
+dracox.com, 0
+dracula.city, 1
+drafatimagarcia.com, 1
+draftguru.com.au, 1
+drafton.com, 1
+draftposts.com, 1
+dragcave.net, 1
+dragdroplearning.com, 1
+dragfiles.com, 1
+draghive.asia, 1
+draghive.ca, 1
+draghive.co.uk, 1
+draghive.com, 1
+draghive.net, 0
+draghive.org, 1
+draghive.tv, 1
+dragon-aspect.com, 1
+dragon-ballz.tk, 1
+dragon-chem.eu, 1
+dragon-craft.tk, 1
+dragon-hearts.co.uk, 1
+dragon-hearts.com, 1
+dragon-hearts.net, 1
+dragon-team.tk, 1
+dragon.nu, 1
+dragon00.com, 1
+dragon26.com, 1
+dragon95.com, 1
+dragon98.com, 1
+dragonballzfigures.com, 1
+dragonballzstore.com, 1
+dragonbike.by, 1
+dragonboatfestival.tk, 1
+dragonbox.de, 1
+dragoncave.me, 1
+dragoncityhack.tips, 1
+dragonclean.gr, 1
+dragonclicker.ml, 1
+dragonesymazmorras.tk, 1
+dragonfly.co.uk, 0
+dragonflycms.cf, 1
+dragonfosfor.be, 1
+dragonheartsrpg.com, 1
+dragonhill.tk, 1
+dragonkin.net, 1
+dragonlord.tk, 1
+dragonmoviesz.ga, 1
+dragonoid.tk, 1
+dragonpi.ga, 1
+dragonprogrammer.com, 1
+dragonqueen.fi, 1
+dragonradar.tk, 1
+dragonraja.tk, 1
+dragonreal.estate, 1
+dragonroost.tk, 1
+dragonscale.tk, 1
+dragonsgate.ml, 1
+dragonshare.tk, 1
+dragonsorcerers.tk, 1
+dragonsunited.at, 1
+dragonsunited.be, 1
+dragonsunited.ch, 1
+dragonsunited.de, 1
+dragonsunited.eu, 1
+dragonsunited.info, 1
+dragonsunited.li, 1
+dragonsunited.lu, 1
+dragonsunited.net, 1
+dragonsunited.org, 1
+dragontail.tk, 1
+dragonwolfpackaquaria.com, 1
+dragonwork.me, 1
+dragowebdesign.com, 0
+drahcro.uk, 1
+drainagedirect.com, 1
+drainwllc.com, 1
+drak.tk, 1
+drake.partners, 1
+drakecommercial.com, 1
+drakencan.gq, 1
+drakenprospero.com, 0
+drakenson.de, 1
+drakfot.se, 1
+drakia.com, 1
+drakiada.tk, 1
+drakkarbilbao.com, 1
+draknet.eu, 1
+draliabadi.com, 0
+draljarallah.com, 1
+dralucilavolasco.com.br, 1
+drama-live.tv, 1
+drama.tk, 1
+dramacooltv.org, 1
+dramakorea.tk, 1
+dramaquarter.com, 1
+dramaqueer.ch, 1
+dramaslayer.ga, 1
+dramatherapie.tk, 1
+dramaticpeople.com, 1
+drambikarathi.com, 1
+dramyalderman.com, 1
+dranderle.com, 1
+drandrewarnold.com, 1
+drandrewlofman.com, 1
+dranik.ga, 1
+dranik.ml, 1
+drankenweb.tk, 1
+drankkoning.nl, 1
+drantonov.bg, 1
+drap-pa.org, 1
+drapeauxdespays.fr, 1
+draper.wtf, 1
+draperutah.gov, 1
+dras.hu, 1
+drasocalzado.com, 1
+drasoclothes.com, 1
+drastik.cz, 1
+drasyl.org, 0
+drata.com, 1
+drathaisdentista.com.br, 1
+dratini0.hu, 1
+draughts64.org, 1
+draugr.de, 1
+draup.com, 1
+draussen.tk, 1
+draw-bonus.ml, 1
+draw.uy, 1
+drawbridgeconnect.com, 1
+drawchan.org, 1
+drawesome.uy, 1
+drawguess.fun, 1
+drawing.tk, 1
+drawingcode.net, 1
+drawtwo.gg, 1
+drawvesly.ovh, 1
+drawxp.com, 1
+drawzit.com, 1
+draycotthotel.com, 0
+drbadnick.tk, 1
+drbanerjeecures.in, 1
+drbarnabus.com, 0
+drbaxter.com, 1
+drbenbarry.com, 1
+drbet.it, 1
+drblend.com, 1
+drblog.tk, 1
+drbonine.com, 1
+drbooks-accounting.com, 1
+drbresnick.com, 1
+drcardiofit.com, 1
+drcarolynquist.com, 1
+drcbxlpundw8t.cloudfront.net, 1
+drchapin.com, 1
+drchrislivingston.com, 1
+drchristaengelbrecht.com, 1
+drchrono.com, 1
+drclub.tk, 1
+drcommodore.it, 1
+drcorderocirujanoplastico.com, 1
+drdca.gov, 1
+drdeath.tk, 1
+drdegenhart.de, 1
+drdenisvincenzi.com.br, 1
+drdibbus.nl, 1
+drdipilla.com, 1
+drdispatch.com, 1
+drdripplumbingsydney.com.au, 1
+drduru.com, 1
+dreadd.org, 1
+dreadfully.cf, 1
+dreadfulsanity.com, 1
+dreadlocks.tk, 1
+dreadlord.tk, 1
+dreadnews.ga, 1
+dream-design.tk, 1
+dream-domain.tk, 1
+dream-factory.tk, 1
+dream-pools.cf, 1
+dreamaholic.club, 1
+dreamawake.tk, 1
+dreambbs.tk, 1
+dreambed.com, 1
+dreamboxpro.com, 1
+dreamcartransport.be, 1
+dreamcast-world.tk, 1
+dreamcatchers-events.com, 1
+dreamcrack.tk, 1
+dreamcraft.su, 1
+dreamdale-fans.net, 1
+dreamdale.info, 1
+dreamdeity.com, 1
+dreamdivers.com, 1
+dreamelegant.ml, 1
+dreamersgiftshopec.com, 1
+dreamfm.gr, 1
+dreamhostremixer.com, 1
+dreamimd.com, 1
+dreaminformatique.tk, 1
+dreaming.solutions, 1
+dreaminjewelz.tk, 1
+dreamkids-bysiska.com, 1
+dreamlab.co.jp, 1
+dreamlandsdesign.com, 1
+dreamlifeproperty.cf, 1
+dreamlight.cloud, 1
+dreamlinks.tk, 1
+dreamlordpress.it, 1
+dreamlux.cz, 1
+dreamlux.sk, 1
+dreamms.gg, 1
+dreamofice.cn, 1
+dreamoza.com, 1
+dreampages.tk, 1
+dreampointech.com, 1
+dreamqueen.tk, 1
+dreamrae.net, 1
+dreamreality.tk, 1
+dreams-2-reality.com, 1
+dreamsbythelake.com, 0
+dreamsea.tk, 1
+dreamsindigital.tk, 1
+dreamsjob.cf, 1
+dreamsofalostsoul.tk, 1
+dreamsolution.nl, 1
+dreamsphere.tk, 1
+dreamstarter.ml, 1
+dreamstudio.com, 1
+dreamstudios.tk, 1
+dreamsubmitting.tk, 1
+dreamswelcome.com, 1
+dreamsxxl.com, 1
+dreamsystems.tk, 1
+dreamtapestry.ga, 1
+dreamtechie.com, 1
+dreamweavers.live, 1
+dreamwork.financial, 1
+dreamworldstudio.tk, 1
+dreamy-flat-lyon.fr, 1
+dreamytheatre.com, 1
+dreamz-staging.zone, 1
+dreamz.com, 1
+dreatho.com, 1
+dreax.win, 1
+drechsel.xyz, 1
+drechsler-forum.de, 1
+dredwerkz.tk, 1
+dreemurr.com, 1
+drehabkhalifa.com, 1
+drehpartner-werden.net, 1
+drei01.com, 1
+drei01.de, 1
+drei01.technology, 1
+dreibock.com, 1
+dreid.org, 1
+dreieich.schule, 1
+dreifaltigkeitsgemeinde-leipzig.de, 1
+dreifaltigkeitskirchgemeinde-leipzig.de, 1
+dreifaltigkeitskirchgemeinde.de, 1
+dreigold.de, 1
+dreischneidiger.de, 1
+dreiskemoving.com, 1
+dreizwosechs.de, 0
+drema.tk, 1
+drendermobilyaservisi.com, 1
+drenergysaveror.com, 1
+drenergysaverpdx.com, 1
+drenergysaverpnw.com, 1
+dresden-kaffee-24.de, 1
+dresden-kaffeeroesterei.de, 1
+dresdens-pfefferkuchenprinzessin.de, 0
+dresdner-christstollen-von-reimann.de, 1
+dresdner-kaffeeroesterei.de, 1
+dresdner-mandelstollen.de, 0
+dresdner-stollen.shop, 0
+dress-cons.com, 1
+dressabelle.tk, 1
+dresscodeny.com, 1
+dressesbal.tk, 1
+dressestore.tk, 1
+dresstique.in, 1
+dreumesshakira.tk, 1
+drevoline.com.ua, 1
+drew.beer, 1
+drew.ga, 1
+drewapianostudio.com, 1
+drewfuller.tk, 1
+drewsilcock.co.uk, 1
+drewtransportllc.com, 1
+drewuniverse.net, 1
+drewzar.com, 1
+drexelwood.com, 1
+dreyfussplasticsurgery.com, 1
+drezzy.it, 1
+drfirst.com, 1
+drfranciscofonseca.com.br, 1
+drfrey.ch, 0
+drfuhrman.com, 1
+drgabrielschmitt.com, 1
+drgeadsdavinci.com, 1
+drghomi.com, 1
+drgn.li, 1
+drgn.no, 1
+drguyfacialplastics.com, 1
+drhathazi.hu, 1
+drheibel.com, 1
+drherndonent.com, 1
+drhildebrand.net, 1
+drhopeson.com, 1
+drhosting.com, 1
+drhowardaubert.com, 1
+drhyler.com, 1
+drianpublishing.tk, 1
+drica.tk, 1
+dricka.tk, 1
+driesjtuver.nl, 1
+driessoftsec.tk, 1
+driestwegkerk.nl, 1
+driftdude.nl, 1
+drifter.tk, 1
+driftingruby.com, 1
+driftkikker.tk, 1
+driftsjournal.dk, 1
+drikaartesanato.com, 1
+drikuansvarligt.dk, 1
+drill.st, 1
+drillcalendar.ga, 1
+drillingsupply.info, 1
+drillingsupplystore.com, 1
+drillion.net, 1
+drillshackresort.com, 1
+drillster.ai, 1
+drillster.be, 1
+drillster.biz, 1
+drillster.cn, 1
+drillster.co, 1
+drillster.co.in, 1
+drillster.co.za, 1
+drillster.com, 1
+drillster.com.br, 1
+drillster.de, 1
+drillster.es, 1
+drillster.eu, 1
+drillster.fr, 1
+drillster.info, 1
+drillster.it, 1
+drillster.mobi, 1
+drillster.net, 1
+drillster.nl, 1
+drillster.org, 1
+drillster.ro, 1
+drillster.se, 1
+drillster.us, 1
+drilster.com, 1
+drilster.nl, 1
+dring.tf, 1
+drink-team.tk, 1
+drinkablegifts.com, 1
+drinkcontrolapp.com, 1
+drinkgo.vn, 1
+drinking.tk, 1
+drinklife.tk, 1
+drinkplanet.eu, 1
+drinks.my, 1
+drinksontap.co.uk, 1
+drinkvhemp.com, 1
+dripflow.co, 1
+dripnaija.com, 1
+dripshop.live, 1
+drishtibeats.com, 1
+drishtiias.com, 1
+drison.com, 1
+drissner.me, 0
+driv.io, 1
+drive.google.com, 1
+driveandpark.com, 1
+driveandpark.de, 1
+driveandpark.nl, 1
+drivebespokelab.media, 1
+drivebolt.co.uk, 1
+drivechat.com.au, 1
+drivecrestwood.com, 1
+drivedannyherman.com, 1
+drivedavis.com, 1
+drivedmbowman.com, 1
+drivedvv.ru, 1
+driveelectric.gov, 1
+driveexport.com, 1
+driveforadtransport.com, 1
+driveforartur.com, 1
+driveincleveland.com, 1
+drivemorganvanlines.com, 1
+driven2shine.eu, 1
+drivencollision.com, 1
+drivenes.net, 1
+driventheatre.com, 1
+driventoday.com, 1
+driveoakleytransport.com, 1
+drivepaultransportation.com, 1
+driver.ru, 1
+driveral.com, 1
+driveral.hu, 1
+driverhome.com, 1
+driverinthebox.it, 1
+drivermerkezi.tk, 1
+driversandsoftware.com, 1
+driverscollection.com, 1
+drivestarfreight.com, 1
+drivetonortheast.com, 1
+drivewaygateopener.com, 1
+drivewaymaintenance.repair, 1
+driveyouradblockcounterup.com, 1
+driving-lessons.co.uk, 1
+drivingacademy.tk, 1
+drivingcalculator.ga, 1
+drivinginstruction.tk, 1
+drivingschoolnearmelbourne.com.au, 1
+drivio.co.uk, 1
+drivio.uk, 1
+drivya.be, 1
+drivya.ch, 1
+drivya.com, 1
+drivya.nl, 1
+driwch.tk, 1
+drixn.com, 0
+drixn.info, 1
+drixn.net, 1
+drizz.com.br, 0
+drjacquesmalan.com, 1
+drjaensch.de, 1
+drjaisejoy.com, 1
+drjart.com, 0
+drjoaquimserraodecastro.com.br, 1
+drjoe.ca, 1
+drjosebarrera.com, 1
+drjulianneil.com, 1
+drjungspine.com, 1
+drk-blutspende.de, 1
+drk-oberhausen-rheinhausen.de, 1
+drkashany.ir, 1
+drkazim.com, 1
+drkbri.ru, 1
+drkhsh.at, 1
+drksachsen.de, 1
+drlarakiortho.com, 1
+drleoplasticsurgery.com, 1
+drlevi.cf, 1
+drlevi.ga, 1
+drlinkcheck.com, 1
+drloizides.com, 1
+drlp.link, 1
+drlynnehinkle.com, 1
+drmartindentistry.com, 1
+drmarwanbaroud.com, 1
+drmcdaniel.com, 1
+drmiltenbergermd.com, 1
+drminev.com, 1
+drms.us, 1
+drmtransit.com, 1
+drmvl.org, 1
+drnatura.fr, 1
+drnjewels.com, 1
+drobina.top, 1
+drogaleste.com.br, 1
+drogariasnovafarma.com.br, 1
+drogoz.moe, 1
+drohnen-camp.de, 1
+droid101.com, 1
+droidafrica.net, 0
+droidandy.com, 1
+droidapp.nl, 1
+droidchart.com, 1
+droidguide.ga, 1
+droidhere.com, 1
+droidific.com, 1
+droidtrix.ga, 1
+droidwars.tk, 1
+droidwiki.de, 1
+droitalecole.org, 1
+droitdunet.fr, 1
+dromax.hu, 1
+dromotique.com, 1
+dronalti.fr, 1
+drone-it.net, 0
+drone-laws.com, 1
+drone-mapping.expert, 1
+drone-traveller.com, 1
+drone33.fr, 1
+dronebase.cf, 1
+dronebl.org, 1
+dronedeploy.com, 1
+droneland.nl, 1
+dronepanorama.net, 1
+dronepanorama.nl, 1
+dronepilotgeorgia.com, 1
+dronepit.dk, 1
+droneservices.com.fj, 1
+droneshield.com.br, 1
+droneson.com.br, 1
+dronesquadcoptersales.ga, 1
+droneup.pl, 1
+droneways.tech, 1
+dronix.tk, 1
+dronografia.es, 1
+droom.in, 1
+droomhuis-in-zuid-holland-kopen.nl, 1
+drop-zone.tk, 1
+drop.com, 1
+dropbox.com, 1
+dropboxer.net, 1
+dropchat.cf, 1
+dropchat.ga, 1
+dropchat.ml, 1
+dropcop.com, 1
+dropden.com, 1
+droperplus.com, 1
+dropeverythingrecords.com, 1
+droply.host, 1
+dropmb.com, 1
+droppia.io, 1
+dropq.nl, 1
+dropscloud.spdns.de, 1
+dropsdesign.tk, 1
+dropshell.net, 1
+dropshipp.site, 1
+dropshippers.gq, 1
+dropsite.com.au, 1
+droso.dk, 1
+drosophila.tk, 1
+drost.la, 1
+drought.gov, 1
+drowz.ee, 1
+drpetervoigt.ddns.net, 1
+drpetervoigt.de, 1
+drpico.com.au, 1
+drpil.nl, 1
+drponciano.com, 1
+drpure.top, 1
+drpush.ru, 1
+drrachellemeaux.com, 1
+drradin.com, 1
+drricardofretes.com, 1
+drros.ru, 1
+drrr.chat, 1
+drrr.com, 1
+drrr.wiki, 1
+drryanstanton.com, 1
+drsajjadian.com, 1
+drsamkelojiyana.co.za, 1
+drsamuelkoo.com, 1
+drschusterman.com, 1
+drsejf.cz, 1
+drshadankabiri.com, 1
+drshefalibatra.com, 1
+drsimonematousek.com, 1
+drsiv.com, 1
+drsoul.band, 1
+drspiro.com, 1
+drsports.bet, 1
+drstephanieteotia.com, 1
+drsteveart.com, 1
+drstevenwarnock.com, 1
+drsturgeonfreitas.com, 1
+drt.org.nz, 1
+drtanyaescobedo.com, 1
+drthalhammer.at, 1
+drthiagopinheiro.com.br, 1
+drthiagorighetto.com.br, 1
+drtimmarch.com, 1
+drtimothysteel.com.au, 1
+drtimothysteeljournal.com, 1
+drtimothysteelnetwork.com, 1
+drtimothysteelresults.com, 1
+drtimothysteelscholarship.com.au, 1
+drtimothysteelvideos.com, 1
+drtragency.com, 1
+drtsaiclinic.com, 1
+drtti.io, 1
+drturner.com.au, 1
+drubn.de, 1
+druckerei-huesgen.de, 1
+druckereiclassen.de, 1
+druckerfehlermeldungen.de, 1
+drugenforcementedu.org, 1
+drugfreeworkplaces.com, 1
+drugpromosers.ga, 1
+drugrehabjohannesburg.co.za, 1
+drugs.com, 1
+drugsindustry.tk, 1
+drugstore.bg, 1
+drugtestingcourses.com, 1
+drugwars.tk, 1
+drugzone.tk, 1
+druides.tk, 1
+druidry.org, 1
+druids.site, 1
+druidwebdesign.com, 1
+druko.cf, 1
+druko.ga, 1
+druko.gq, 1
+drum-majo-ijsselstrand.tk, 1
+drum.tk, 1
+drumbe.at, 1
+drummachines.ga, 1
+drummer.cf, 1
+drummondframing.com, 1
+drumnbass.tk, 1
+drunkcalc.com, 1
+drunkendropkes.tk, 1
+drupal.org, 1
+drupalfr.be, 1
+drusantia.net, 1
+drusillas.co.uk, 1
+druwe.net, 1
+druznek.rocks, 1
+druznek.xyz, 1
+druzya.store, 1
+drvanessaphua.com, 1
+drwang.group, 0
+drweissbrot.com, 1
+drweissbrot.de, 1
+drweissbrot.net, 1
+drwilfredbrown.com, 1
+drwongsuni.com.sg, 1
+drwoods.com, 1
+dry-cleaning.tk, 1
+dryashplasticsurgery.com, 1
+dryasinakgul.com, 1
+drybjed.net, 1
+drybysuperior.com, 1
+drycreekphoto.com, 1
+drydensfairfax.com, 1
+dryerrepairaustin.com, 1
+dryerventcleaningarlington.com, 1
+dryerventcleaningcarrollton.com, 1
+drymx.cn, 1
+dryskin.cf, 1
+dryskin.ga, 1
+dryskin.gq, 1
+dryskin.ml, 1
+dryskin.tk, 1
+dryusdan.space, 1
+drywall.com.co, 1
+drywallresponse.gov, 1
+dryzgov.tk, 1
+drzhnn.com, 1
+drziyayavuz.com, 1
+ds-networks.at, 1
+ds-networks.eu, 1
+ds-srv.net, 1
+ds-statistik.de, 1
+ds-ultimate.de, 1
+ds.lol, 1
+ds.me, 1
+ds1.io, 1
+ds138.cc, 1
+ds28s.com, 1
+ds388.cc, 1
+ds67.de, 1
+ds915.com, 1
+dsa.cy, 1
+dsac.gov, 1
+dsad209.ml, 1
+dsaengineering.com, 1
+dsanborndesign.com, 1
+dsar.info, 1
+dsbc.tk, 1
+dsblog.biz, 1
+dscharrer.com, 1
+dschwarzachtaler.de, 1
+dscsigncert.com, 1
+dsdlove.com, 1
+dsdomains.com, 1
+dsds-ltd.com, 0
+dse-assessments.co.uk, 0
+dsebastien.net, 1
+dsecure.me, 1
+dseg.org, 1
+dsektionen.se, 0
+dsfc.net, 1
+dsfzsq.com, 1
+dsg.ac.cn, 1
+dsg.gd.cn, 1
+dsg.lol, 1
+dsgnet.hu, 1
+dsgnwrld.com, 1
+dsgv.de, 1
+dsgvo-addon.eu, 1
+dsgvo-analyse.de, 1
+dsgvo.name, 1
+dsh.io, 1
+dshield.org, 1
+dsimonitor.online, 1
+dsiteam.in, 1
+dsjbvba.be, 1
+dskbank.bg, 1
+dskrecords.tk, 1
+dslz.tk, 1
+dsm5.com, 1
+dsmjs.com, 1
+dsmnet.org, 1
+dsn-it.com, 1
+dsn-k.com, 1
+dso-izlake.si, 1
+dsobook.club, 1
+dsol.hu, 1
+dsorter.com.ng, 1
+dsosbelasek.cz, 1
+dsouzamusic.com, 1
+dsp-audiovisueel.nl, 1
+dsp-wiki.com, 1
+dspace.pl, 1
+dspbz.ro, 1
+dspnor.com, 1
+dspretoria.co.za, 1
+dspropertyservicesltd.co.uk, 1
+dsreal.de, 1
+dssresearch.com, 1
+dsswise.org, 1
+dstamou.de, 1
+dsteiner.at, 1
+dstnct.co, 1
+dstnutec.in, 1
+dstvnearme.co.za, 1
+dsu4.ru, 1
+dsuinnovation.com, 1
+dsv-gruppe.de, 1
+dsv-salesmanager.de, 1
+dsy4567.cf, 1
+dsysav.com, 1
+dsysav.lol, 1
+dsysav.xyz, 1
+dsysav01.com, 1
+dsysav02.com, 1
+dsyunmall.com, 1
+dt-privacyportal-ui.azurewebsites.net, 1
+dt2rmc.pt, 1
+dtbouncycastles.co.uk, 1
+dtbw.eu, 1
+dtbw.net, 1
+dtbw.org, 1
+dtconsoles.tk, 1
+dtdi.com, 1
+dtdsh.com, 1
+dte.vn, 1
+dtf.digital, 1
+dtg-fonds.com, 1
+dtg-fonds.de, 1
+dtg-fonds.net, 1
+dtgmns.com, 1
+dtguide.ga, 1
+dths.dk, 1
+dtinel.org, 1
+dtk-vom-chausseehaus.de, 1
+dtleague.eu, 1
+dtmbnl.com, 1
+dtmbx.com, 1
+dtmbx.email, 1
+dtmbx.eu, 1
+dtmbx.net, 1
+dtmbx.nl, 1
+dtmbx.org, 1
+dtmedia.se, 1
+dtmf.io, 1
+dtmlnp.com, 1
+dtngny.com, 1
+dtnx.email, 1
+dtnx.eu, 1
+dtnx.net, 1
+dtnx.org, 1
+dtnx.social, 1
+dtnxny.com, 1
+dtrifonov.cf, 1
+dtto.com, 1
+dtuaarsfest.dk, 1
+dtune.me, 1
+dtx.sk, 1
+dual-aspect.com, 1
+dual-universe.ga, 1
+dual.cat, 1
+dual.pw, 0
+dualascent.com, 1
+dualbix.com, 1
+dualcore.tk, 1
+dualexistence.xyz, 1
+dualias.xyz, 0
+dualize.io, 1
+dualsimadapter.com, 1
+dualuniverse.game, 1
+duama.top, 1
+duan-dky.me, 1
+duanemorrisinstitute.com, 1
+duanre.tk, 1
+duanyong.com, 1
+duarteeleiteconsultoria.com.br, 1
+dubai-fashions.com, 1
+dubai-realestate.space, 1
+dubaiaerospace.com, 1
+dubaiaward.link, 1
+dubaibliss.com, 1
+dubaicourses.com, 0
+dubaifitnesschallenge.com, 1
+dubaigrandsale.com, 1
+dubaiprivatejetcharter.com, 1
+dubairanking.com, 1
+dubairun.com, 1
+dubaisc.ae, 1
+dubaistudiocity.ae, 1
+dubaitourism.gov.ae, 1
+dubaivisa.net, 1
+dubaizone.cf, 1
+dubawa.org, 1
+dubboskills.com.au, 1
+dubcowa.tk, 1
+dubex.de, 1
+dubious-website.com, 1
+dubl.tk, 1
+dublinguide.ie, 1
+dublinrail.tk, 1
+dublinseocompany.ie, 1
+duboeuf.com, 1
+duboisinternational.com, 1
+duboisinvestissements.com, 1
+dubolom.tk, 1
+dubrava.tk, 1
+dubreuilville.ca, 1
+dubridgeweb.be, 1
+dubrovnik.tours, 1
+dubrovnikfoodtours.com, 1
+dubrovskiy.cf, 1
+dubrovskiy.net, 1
+dubrovskiy.pro, 1
+dubslow.tk, 1
+dubstep.fr, 1
+dubtrack.fm, 1
+dubuquecountyiowa.gov, 1
+dubyou.tw, 1
+ducadu.com, 0
+ducalendars.com, 1
+duch.cloud, 1
+duchyoffeann.com, 1
+ducite.ga, 1
+ducius.net, 1
+duckbase.com, 1
+duckblade.com, 1
+duckcorp.org, 1
+duckduckstart.com, 1
+duckeight.win, 1
+duckerings.com, 1
+duckeringstransport.biz, 1
+duckeringstransport.com, 1
+duckfam.us, 1
+duckfx.tk, 1
+duckhub.io, 1
+duckinc.net, 0
+duckman.tk, 1
+duckmapr.com, 1
+duckonthepond.com, 1
+duckside.tk, 1
+ducksify.com, 1
+ducksoft.fi, 1
+duckstad.net, 1
+duckyubuntu.com, 1
+duckyubuntu.tk, 1
+ductcare.com, 1
+dudedood.tk, 1
+dudeexpert.cf, 1
+dudesunderwear.com.br, 0
+dudleypolicema.gov, 1
+dudushu.com, 1
+due-diligence-security.com, 1
+duediligencedataroom.com, 1
+duelhost.dk, 1
+duelingaces.com, 1
+duellin.tv, 1
+duelsow.eu, 1
+duenas.cat, 1
+duepuntozero.tk, 1
+duerlund-falkenberg.dk, 1
+duerlundfalkenberg.dk, 1
+duerme.net, 1
+dues-eckert.com, 1
+duesee.org, 1
+duesseldorf.tk, 1
+duesseldorferheineburschenschaft.tk, 1
+duesterhus.eu, 1
+duewestsc.gov, 1
+duffau.net, 1
+duffdignity.tk, 1
+duffel.com, 1
+dufortassociates.com, 1
+dufrei.com, 1
+dug.net.pl, 1
+dugehstonline.de, 1
+duggtec.com, 1
+dugle80.com, 1
+dugnet.io, 0
+dugnet.net, 0
+dugnet.tech, 0
+dugongo.tk, 1
+dugoutsports.com, 1
+dugunedavet.com, 1
+duh.se, 1
+duhanic.com, 1
+duhanic.de, 1
+duhivip.ml, 1
+duhurensohn.de, 1
+duhy.sk, 1
+duijf.info, 1
+duijf.io, 1
+duijfathome.nl, 1
+duiker101.tk, 1
+duitse-herders.tk, 1
+duizhangs.tk, 1
+duka.bg, 1
+duka.com.gr, 1
+duka.com.ro, 1
+dukaj.org, 1
+dukaj.tk, 1
+dukan-recepty.ru, 1
+duke-nukem.tk, 1
+dukeandduchessdrivingschool.co.uk, 1
+dukefox.com, 0
+dukegat.de, 0
+dukeipai.org, 0
+dukeofmetal.tk, 1
+dukers-baelemans.nl, 0
+dukes-london.com, 1
+dukes.ca, 1
+dukin.tk, 1
+dukkanacmak.com, 1
+dukun.de, 1
+dulanic.com, 1
+dulce-reverie.ro, 1
+dulcehome.ch, 1
+dulceysalado.tk, 1
+dulcinea.eu.org, 1
+dulcinea.tk, 1
+dulei.si, 1
+duleos.com.br, 1
+duloxetinbestellen.gq, 1
+duloxetine.gq, 1
+dulse.fr, 1
+dulurtekno.co.id, 1
+dulux.co.nz, 1
+dulux.com.au, 1
+dum.moe, 1
+dum.tw, 1
+dumax.fr, 1
+dumb-laws.net.ru, 1
+dumbcryptopunks.com, 1
+dumbdrinker.com, 1
+dumbeartech.com, 1
+dumberger-bau.de, 1
+dumbfunded.co.uk, 1
+dumbmeta.com, 1
+dumek.com, 1
+dumek.it, 1
+dumeng.org, 1
+dummo.tk, 1
+dumnezeu.tk, 1
+dumping.tk, 1
+dumpper.ch, 1
+dumpper.com, 1
+dumpsterdudez.com, 1
+dumspiro.ch, 1
+dunamiscommunity.com, 1
+dunangel.com, 1
+dunassyn.com, 1
+dunatos.tk, 1
+dunbarboropa.gov, 1
+dunbarmoving.com, 1
+dunberghof.tk, 1
+duncancmt.com, 1
+duncanfamilytrust.org, 1
+duncanwinfrey.com, 1
+dunce.cf, 1
+duncm.com, 1
+dundalk.ie, 0
+dundalkdonnie.com, 1
+dundalkskillnet.ie, 1
+dundeeutility.tk, 1
+dunedot.tk, 1
+dunesadventure.net, 1
+dunescorporation.tk, 1
+dungbui.co, 0
+dungbui.net, 1
+dungchata.com, 1
+dungeon-bbs.de, 1
+dungeoncity.com, 1
+dungeonedraghi.it, 1
+dungeonfire.tk, 1
+dungeonline.com, 1
+dunia-news.tk, 1
+dunkelmann.eu, 1
+dunkerhosting.nl, 1
+dunkirkin.gov, 1
+dunklau.fr, 1
+dunkle-seite.org, 1
+dunlaptn.gov, 1
+dunmanelectric.com, 1
+dunmanpoolandspa.com, 1
+dunningtonaudio.co.uk, 1
+dunwellgroup.info, 1
+dunyahalleri.com, 1
+duo-tauceti.com, 1
+duo.com, 1
+duobus.nl, 1
+duocircle.com, 0
+duodeno.tk, 1
+duoduocha.com, 1
+duoduodazhe.com, 1
+duohao.xyz, 0
+duolife.us, 1
+duoluodeyu.com, 1
+duonganhtuan.com, 1
+duoqichina.cn, 1
+duoqichina.com, 1
+duoquadragintien.fr, 1
+duoyin.com, 1
+dupagecounty.gov, 1
+dupagecourts.gov, 1
+dupageresults.gov, 1
+dupfx.com, 1
+duplicazionechiavi.it, 1
+duplika.com, 1
+dupontdentistry.com, 1
+dupuis.xyz, 1
+duquess.com.br, 1
+duquoinil.gov, 1
+dura.si, 1
+durabletravailler.tk, 1
+durad.in.rs, 1
+durad.xyz, 1
+duraes.pt, 0
+durakinesis.tk, 1
+duramaximportaciones.com, 1
+duranceofhate.com, 1
+durand.com.br, 1
+durand.tf, 1
+durand.tk, 1
+durandeau.org, 1
+durandwi.gov, 1
+durangoaldezaharra.tk, 1
+durangoenergyllc.com, 1
+durantchamber.org, 1
+durastudio.com, 1
+durcal.tk, 1
+durchblick-shop.de, 1
+durcoin.org, 1
+duredo.com, 1
+dureuil.info, 1
+durexwinkel.nl, 1
+durfteparticiperen.nl, 1
+durganews.com, 1
+durhammaine.gov, 1
+durhammoneyman.com, 1
+durhamnh.gov, 1
+duria.de, 1
+duriandelivery.net, 1
+durianexpressdelivery.com.sg, 1
+duriantech.net, 1
+duriemas.com, 1
+duroterm.ro, 1
+durtk.com, 1
+durvalpereira.com.br, 0
+durys.be, 1
+dusablemuseum.org, 1
+duschfiltershop.de, 1
+dushu.cat, 1
+duskraven.tk, 1
+dusmomente.com, 1
+dusnan.com, 1
+dust.tk, 1
+dust4you.tk, 1
+dustbox.tk, 1
+dustinbrett.com, 1
+dustindecker.com, 1
+dustman.tk, 1
+dustpla.net, 1
+dustplanet.de, 1
+dustri.org, 1
+dustshop.tk, 1
+dusty.gr, 1
+dustycloth.com, 1
+dustygroove.com, 1
+dustyro.se, 1
+dustyspokesbnb.ca, 1
+dusupov.gq, 1
+dutabisniz.com, 0
+dutch-alliance.tk, 1
+dutch-physiotherapy.com, 1
+dutch.desi, 1
+dutch1.nl, 1
+dutchassistancedogs.nl, 1
+dutchavifauna.nl, 1
+dutchbeautyacademy.nl, 1
+dutchbeercollective.nl, 1
+dutchbird.tk, 1
+dutchbirdalerts.nl, 1
+dutchbirding.nl, 1
+dutchbodybuilding.com, 1
+dutchcariblaw.nl, 0
+dutchcichlidplanet.tk, 1
+dutchconcreations.com, 1
+dutchdungeon.tk, 1
+dutchessuganda.com, 1
+dutchfoodie.nl, 1
+dutchforkrunners.com, 1
+dutchglover.tk, 1
+dutchie.info, 1
+dutchmobilityinnovations.com, 1
+dutchpentathlon.nl, 1
+dutchperformanceproducts.nl, 1
+dutchplayers.com, 1
+dutchrocksite.tk, 1
+dutchsailors.com, 1
+dutchwanderers.nl, 1
+dutify.com, 1
+dutkoteam.com, 1
+dutrac.co.id, 1
+dutt.ch, 1
+dutton.uk, 1
+duttonmt.gov, 1
+dutyfreeperfumes.tk, 1
+duurzaamgww.nl, 1
+duurzaamheidskaart.nl, 1
+duv.al, 1
+duval.info, 1
+duval.li, 1
+duval.ovh, 1
+duval.paris, 1
+duval.pm, 1
+duval.re, 1
+duvalelections.gov, 1
+duvalo.eu, 1
+duvalo.info, 1
+duvalo.net, 1
+duvalo.org, 1
+duvalo.sk, 1
+duvessa.tk, 1
+duwitmu.com, 1
+duxbow.de, 1
+duxbury-ma.gov, 1
+duxi-s-feromonami.ga, 1
+duysondang.name.vn, 1
+duzavo.cz, 1
+duzcehaberleri.tk, 1
+duzcesondakika.tk, 1
+dv-project.ru, 1
+dv.cn, 1
+dvbris.co.uk, 1
+dvbris.com, 1
+dvbtmap.eu, 1
+dvclub.tk, 1
+dvd.wtf, 1
+dvdassistanceers.ga, 1
+dvdforum.ga, 1
+dvdinmotion.com, 1
+dvdland.com.au, 1
+dvdmania.ga, 1
+dvdmusic.ga, 1
+dvdrein.net, 1
+dvds.casa, 1
+dveretti.com, 1
+dveri-lugansk.tk, 1
+dvgsites.com, 1
+dvhosting.be, 1
+dvipadmin.com, 1
+dvkg.de, 1
+dvminsight.com, 1
+dvn.pt, 1
+dvnatura.ch, 0
+dvor.ml, 1
+dvorek-karlin.cz, 1
+dvorekkarlin.cz, 1
+dvoretsvramoni.ru, 1
+dvorupotocnych.sk, 1
+dvotx.org, 1
+dvpc.net, 1
+dvprogram.us, 1
+dvu.com.tr, 1
+dvwc.org, 1
+dvx.cloud, 1
+dw-connect.org, 1
+dw-loewe.de, 0
+dw-software.de, 1
+dw6.cn, 1
+dwarf.com.tw, 1
+dweb.link, 1
+dweilorkest-frederikshaven.tk, 1
+dwgeneralcontractors.com, 1
+dwgf.xyz, 1
+dwienzek.de, 1
+dwightd.com, 1
+dwightgunning.com, 1
+dwihn.org, 1
+dwiminneapolislawyer.com, 1
+dwnld.me, 1
+dwood.store, 1
+dworzak.ch, 1
+dwservice.net, 1
+dwt-inc.com, 1
+dwt-onderwijsencoaching.nl, 1
+dwtonline.com, 0
+dwu21.net, 1
+dww.hu, 1
+dwwt.eu, 1
+dwwt.net, 1
+dwwt.nl, 1
+dwwt.org, 1
+dwz-solutions.com, 1
+dwz-solutions.de, 0
+dwz-solutions.eu, 0
+dwz-solutions.net, 0
+dwz.wtf, 1
+dx-revision.com, 1
+dxa.io, 0
+dxcv.net, 1
+dxfootball.tk, 1
+dxgl.info, 1
+dxgl.org, 1
+dxm.no-ip.biz, 1
+dxrating.net, 1
+dxsigner.com, 1
+dxzl.org, 1
+dxzsj.cn, 1
+dy.express, 1
+dy.me, 0
+dy1d.com, 1
+dyachenko.ml, 1
+dyarakotijobs.com, 1
+dybuster.at, 1
+dybuster.ch, 1
+dybuster.com, 1
+dybuster.de, 1
+dybuster.es, 1
+dybuster.it, 1
+dybuster.se, 1
+dycoa.com, 1
+dydesign.space, 1
+dyeager.org, 1
+dyedurhamterrain.com, 1
+dyingflame.tk, 1
+dykebaby.tk, 1
+dyktig.as, 1
+dylan-motorcross.tk, 1
+dylancl.cf, 1
+dylancl.fr, 1
+dylandeconinck.cf, 1
+dylandulaney.com, 1
+dylanhansch.net, 1
+dylankatz.com, 1
+dylanknoll.ca, 1
+dylanlogan.xyz, 1
+dylansevier.com, 1
+dylanspcrepairs.com, 1
+dylantjb.com, 1
+dylanuwr.pl, 1
+dylanwise.net, 1
+dylanwolff.com, 1
+dylmye.me, 1
+dylnuge.com, 1
+dym.asia, 1
+dym2012.com, 1
+dym2013.com, 1
+dym2014.com, 1
+dym2017.com, 1
+dyma.fr, 1
+dymdajce.ovh, 1
+dymension-uat.co.uk, 1
+dymension.co.uk, 1
+dymfbbs.com, 1
+dymmo.tk, 1
+dymmovie.com, 1
+dymond.net, 1
+dymov.tk, 1
+dymovskiy.ru, 1
+dymowski.de, 0
+dyn-dnhensel.de, 1
+dyn-nserve.net, 1
+dyn.net, 1
+dynabob.tk, 1
+dynacast.com, 1
+dynacrop.space, 1
+dynadns.de, 1
+dynah.net, 1
+dynalab.pl, 1
+dynaloop.net, 0
+dynamic-movie.com, 1
+dynamic-networks.be, 1
+dynamicalsystem.work, 1
+dynamicasoft.com, 1
+dynamicathletes.ga, 1
+dynamicbusinessconsultants.ga, 1
+dynamicdesignuk.com, 1
+dynamicdiesupply.com, 1
+dynamicenergy.co, 1
+dynamicini.org, 1
+dynamiclogodesigns.com, 1
+dynamicmart.pk, 1
+dynamicpl.us, 1
+dynamicplus.it, 1
+dynamicquantum.net, 1
+dynamicsdays.info, 1
+dynamicservers.co.uk, 1
+dynamicsnetwork.net, 1
+dynamicsretailnotes.com, 1
+dynamictesting.co.uk, 1
+dynamictostatic.com, 1
+dynamicyou.co.uk, 1
+dynamis.tk, 1
+dynamitejobs.com, 1
+dynamix-tec.com, 1
+dynamixsolutions.com, 1
+dynamofanforum.de, 1
+dynasend.com, 1
+dynasoft.co.ke, 1
+dynastic.co, 1
+dynasty-warriors.net, 1
+dynastyredzone.com, 1
+dynatos-cloud.com, 1
+dyncdn.me, 1
+dyncdn2.com, 1
+dyneco.io, 1
+dynet.ru, 1
+dynn.be, 0
+dynorphin.com, 1
+dynorphins.com, 1
+dynsoundmax.tk, 1
+dynts.pro, 1
+dynx.pl, 1
+dypromed.com, 1
+dyregrave.dk, 1
+dyremyhr.no, 1
+dyrenesverden.no, 1
+dyreplassen.no, 1
+dyrkar.se, 1
+dyrkshop.com, 1
+dysautonomia-postsyndrome.com, 1
+dyscalculia-blog.com, 1
+dysco.tk, 1
+dysgucymraeg.cymru, 1
+dyslexicfish.com, 1
+dyslexicfish.net, 1
+dysthymia.com, 1
+dyuimovochka.tk, 1
+dyve.me, 1
+dyykkarit.tk, 1
+dyyn.de, 1
+dyz.pw, 1
+dz-hyp.ag, 1
+dz-hyp.com, 1
+dz-hyp.de, 1
+dz6729.com, 1
+dz68.cc, 1
+dz6957.com, 1
+dz7337.com, 1
+dzar.nsupdate.info, 1
+dzet.de, 1
+dzhyp.ag, 1
+dziaduch.pl, 1
+dziecismoka.pl, 1
+dziekonski.com, 1
+dzimchuk.net, 1
+dzingel-personaldienst.de, 1
+dziscover.com, 1
+dziura.email, 0
+dziurdzia.pl, 1
+dziv.net, 1
+dzivniekubriviba.lv, 0
+dzmonarchie.tk, 1
+dzndk.com, 1
+dzndk.net, 1
+dzndk.org, 1
+dzogchentoday.org, 1
+dzomo.org, 0
+dzpc3.site, 1
+dzsi.bi, 0
+dzsibi.com, 1
+dzsula.hu, 1
+dzu.fund, 1
+dzu.life, 1
+dzuka.sk, 1
+dzus.tk, 1
+dzworld.com, 1
+dzyabchenko.com, 0
+dzyszla.pl, 1
+e-account.by, 0
+e-alink.com, 1
+e-antikvar.tk, 1
+e-arteria.pl, 1
+e-bags.tk, 1
+e-balloons.tk, 1
+e-bap.net, 1
+e-baraxolka.ru, 1
+e-belgia.tk, 1
+e-bikesdirect.co.uk, 1
+e-bill.ovh, 1
+e-blueprint.co.uk, 1
+e-bodybuilding.tk, 1
+e-boekhouden.nl, 1
+e-bookshelf.de, 1
+e-borneoshop.com, 1
+e-boss.tk, 1
+e-branchekoden.dk, 1
+e-buro.tk, 1
+e-classroom.tk, 1
+e-coduct.eu, 1
+e-coexist.com, 1
+e-colle.info, 1
+e-copys.com, 1
+e-cottage.com.br, 1
+e-dechet.com, 1
+e-dengi.tk, 1
+e-diabolo.tk, 1
+e-diapers.tk, 1
+e-diasporan.cf, 1
+e-diasporan.ga, 1
+e-diasporan.gq, 1
+e-diasporan.ml, 1
+e-dnevnik.hr, 1
+e-driver.fr, 1
+e-dv.eu, 1
+e-e.icu, 1
+e-emploi.be, 1
+e-enterprise.gov, 1
+e-estonia.com, 0
+e-estonians.ee, 1
+e-facture.net, 1
+e-farm.com, 1
+e-fireplaces.tk, 1
+e-fishing.tk, 1
+e-fitnes.tk, 1
+e-flotila.cz, 1
+e-frontier.systems, 1
+e-games-board.tk, 1
+e-gc.de, 1
+e-generator.tk, 1
+e-geologia.tk, 1
+e-goi.com, 1
+e-gso.com, 1
+e-guestbooks.com, 1
+e-guvence.com, 1
+e-hair.tk, 1
+e-havenotime.tk, 1
+e-homebiz.tk, 1
+e-house.tk, 1
+e-id.ee, 1
+e-ideamagazine.ga, 1
+e-informatyk.tk, 1
+e-insportline.pl, 1
+e-instalator.pl, 1
+e-interactivenet.tk, 1
+e-interview.tk, 1
+e-islam.tk, 1
+e-jackets.tk, 1
+e-jasiecki.pl, 1
+e-jewelrys.tk, 1
+e-kartinki.tk, 1
+e-klempir.cz, 1
+e-knitting.tk, 1
+e-knitwear.tk, 1
+e-kultura.tk, 1
+e-lambre.com, 1
+e-lamp.tk, 1
+e-latvenergo.lv, 1
+e-launch.nl, 1
+e-learningbs.com, 1
+e-lexia.com, 1
+e-lifetechnology.com, 1
+e-loshadka.tk, 1
+e-loukidis.gr, 1
+e-lupo.pl, 1
+e-mak.eu, 1
+e-massage.tk, 1
+e-matras.ua, 1
+e-medicines.tk, 1
+e-mieszkania.org.pl, 1
+e-migration.ch, 0
+e-nail.tk, 1
+e-name.tk, 1
+e-nanum.kr, 1
+e-nature.tk, 1
+e-networks.jp, 1
+e-node.ru, 1
+e-ops.bg, 1
+e-otdyx.tk, 1
+e-peeling.tk, 1
+e-peets.tk, 1
+e-petition-petitions.net, 1
+e-petition-support-us.net, 1
+e-petition.net, 1
+e-petitions.by, 1
+e-placement.tk, 1
+e-planshet.tk, 1
+e-plus-m.de, 1
+e-pns.com, 1
+e-pokupki.eu, 1
+e-polygraphy.tk, 1
+e-privat.info, 1
+e-promotion.tk, 1
+e-ptn.com, 1
+e-quip.cz, 1
+e-random.com, 1
+e-receta.cl, 1
+e-recruitment.tk, 1
+e-redes.pt, 1
+e-referendum.cz, 1
+e-repairs.tk, 1
+e-resident.gov.ee, 1
+e-resident.me, 1
+e-rest.tk, 1
+e-rober.tk, 1
+e-sauna.tk, 1
+e-scraper.com, 1
+e-sell.tk, 1
+e-sell.today, 1
+e-servicerms.com, 1
+e-shobai.com, 1
+e-shonai.com, 1
+e-sisyu.com, 0
+e-sklep.biz, 1
+e-slots.tk, 1
+e-smile.tk, 1
+e-sneakers.tk, 1
+e-standardstore.org, 1
+e-streams.tv, 1
+e-student.tk, 1
+e-styling.tk, 1
+e-sweaters.tk, 1
+e-tables.tk, 1
+e-tablets.tk, 1
+e-tarotlasky.cz, 1
+e-teacher.pl, 1
+e-tech-solution.com, 1
+e-tech-solution.net, 1
+e-technology.tk, 1
+e-techsolution.com, 1
+e-techsolutions.net, 1
+e-ticaret.site, 1
+e-tires.tk, 1
+e-tmf.org, 0
+e-top.uz, 1
+e-traceur-france.fr, 1
+e-transformer.tk, 1
+e-trucking.tk, 1
+e-typ.eu, 1
+e-umbrellas.tk, 1
+e-underwear.tk, 1
+e-uteplitel.ru, 1
+e-vau.de, 0
+e-verify.gov, 1
+e-virtus.blog, 1
+e-virtus.com, 1
+e-vykladkaret.cz, 1
+e-walks.tk, 1
+e-wish.tk, 1
+e-wishlist.net, 1
+e-worksmedia.com, 0
+e-yachts.tk, 1
+e-zine.tk, 1
+e.gg, 1
+e.mail.ru, 1
+e00228.com, 0
+e02.cn, 1
+e15r.co, 1
+e1e0.net, 0
+e27.co, 1
+e2b.com.au, 1
+e2ebrindes.com.br, 1
+e2ee-meet.de, 1
+e2epartners.org, 1
+e2essentialelements.com, 0
+e2feed.com, 1
+e2save.com, 1
+e30.ee, 1
+e30gruppe.com, 1
+e34club.com.ua, 1
+e365.vip, 1
+e36533.com, 1
+e3lan.net, 1
+e4.chat, 1
+e42.org, 0
+e4a.org, 1
+e4mc.link, 1
+e4work.com.br, 1
+e5197.co, 1
+e5tv.hu, 1
+e5xbps.com, 1
+e621.download, 1
+e6729.co, 1
+e6729.com, 1
+e6957.co, 1
+e6e.io, 1
+e7180.com, 1
+e7d.io, 1
+e7fun.net, 1
+e82365.com, 1
+e899365.com, 0
+e8bet.net, 1
+e8space.co.nz, 1
+e8space.com, 1
+e8space.nz, 1
+e901.com, 0
+e9297.co, 1
+e9582.com, 1
+e9728.co, 1
+ea-lateleassistance.com, 1
+ea-ru.org, 1
+ea2drocks.com, 1
+eaa-online.org, 1
+eaanderson.com, 1
+eac.gov, 1
+eac0935.com, 1
+eac555.com, 1
+each.tk, 1
+ead-italia.it, 1
+eadea.net, 1
+eaganmn.gov, 1
+eagar.com.au, 1
+eagenda.com.br, 1
+eagle-yard.de, 1
+eaglecounty.gov, 1
+eaglecountyco.gov, 1
+eaglecrest.us, 1
+eaglecustomapparel.com, 1
+eaglefireid.gov, 1
+eaglegrove.gov, 1
+eaglehaslended.com, 1
+eaglelakefl.gov, 1
+eagleled.us, 1
+eaglemoe.com, 1
+eaglemtn.com, 0
+eaglenation.net, 1
+eaglenusa.my.id, 1
+eaglepasstx.gov, 1
+eagleplanners.agency, 1
+eagler.tk, 1
+eagleriverwi.gov, 1
+eagleseven.com, 1
+eaglesightproperties.tech, 1
+eagletechz.com.br, 1
+eaglevilletn.gov, 1
+eaglewreck.info, 1
+eagleyecs.com, 1
+eahea.org, 1
+eaimty.com, 1
+eaip.aero, 1
+eajmail.com, 1
+eakes.com, 1
+eaktarim.com, 1
+ealadel.com, 0
+ealarm-safemode.ch, 1
+ealc.aero, 1
+ealc.lu, 1
+ealekseyev.ml, 1
+ealev.de, 1
+eali.com.ph, 1
+eamadit.com, 1
+eames-clayton.us, 1
+eamigo.com, 1
+eamproperties.com, 1
+eamu.fun, 1
+eandata.com, 1
+eanraig.top, 1
+eaofarlington.com, 1
+eaofaustin.com, 1
+eaofcarrollton.com, 1
+eaofdallas.com, 1
+eaofdfw.com, 1
+eaoffrisco.com, 1
+eaofhouston.com, 1
+eaofirving.com, 1
+eaoftarrantcounty.com, 1
+earfolds.com, 1
+earl-plak.de, 1
+earlsttech.ca, 1
+early-etudes.com, 1
+earlychildhoodteacher.org, 1
+earlytime.com, 1
+earlyvoting.cf, 1
+earlyvoting.gq, 1
+earlyvoting.ml, 1
+earlyyearshub.com, 1
+earmarks.gov, 1
+earnet.tk, 1
+earni.fi, 1
+earningsgames.tk, 1
+earningthatis.tk, 1
+earnosethroat.co.za, 1
+earpconsult.co.uk, 1
+earth-quake.tk, 1
+earthbound.tk, 1
+earthbox.com, 1
+earthcam.com, 1
+earthcam.net, 1
+earthcore.com, 1
+earthcorporation.cf, 1
+eartheld.tk, 1
+earthiq.news, 1
+earthjustice.org, 1
+earthlink.net, 1
+earthpixz.com, 1
+earthpoints.org, 1
+earthshotprize.org, 1
+earthsocialism.org, 1
+earthsolidarity.org, 1
+earthsystemprediction.gov, 1
+earthvoice.ru, 1
+earthwatch.org, 1
+earthytales.in, 1
+eas.ee, 0
+easaccounting.com, 1
+ease.io, 0
+easew.com, 1
+easez.net, 1
+eashwar.com, 1
+easierexams.com, 1
+easiest-way.de, 1
+easlerlaw.com, 1
+easol.com, 1
+east-line.su, 1
+east-westlogistics.com, 1
+east.baby, 1
+eastafricafeed.ga, 1
+eastarm.net, 1
+eastblue.org, 1
+eastcairo-egypt.com, 1
+eastchesternyfd.gov, 1
+eastcoastbubbleandbounce.co.uk, 1
+eastcoastexports.tk, 1
+eastcobbhoa.com, 1
+eastcottvets.co.uk, 1
+eastdream.tk, 1
+eastendonline.tk, 1
+eastendtastemagazine.com, 1
+easternbreezes.com, 1
+easternmontanafair.gov, 1
+easternskatesupply.com, 1
+eastfordct.gov, 1
+eastgreenwichnews.com, 1
+eastgrmi.gov, 1
+easthaddamct.gov, 1
+easthamptonctha.gov, 1
+easthaven-ct.gov, 1
+eastheaven.ml, 1
+eastlandcountytexas.gov, 1
+eastleigh.online, 1
+eastlothianbouncycastles.co.uk, 1
+eastmaintech.com, 1
+eastman.com, 1
+eastmedo.pl, 1
+eastnatfoods.com, 1
+eastnorschool.co.uk, 1
+easton.ga, 1
+eastpeoria-il.gov, 1
+eastpershingdental.com, 1
+eastping.com, 1
+eastplan.co.kr, 1
+eastportcorp.tk, 1
+eastprovidenceri.gov, 1
+eastridgeresidence.com, 1
+easts.in, 1
+eastshare.ml, 1
+eastshore.xyz, 1
+eastside.tk, 1
+eastsidecottages.co.uk, 1
+eastspace.org.uk, 1
+eastspencer.gov, 1
+eaststudios.net, 1
+easttamakiauto.co.nz, 1
+easttea.com, 1
+easttowereg.com, 1
+eastvalleyendo.com, 1
+eastvalleywater.gov, 1
+eastwashingtonpa.gov, 1
+eastwindsorhistory.tk, 1
+eastyorkshirebuses.co.uk, 1
+easukasbestos.co.uk, 1
+easy-affiliations.tk, 1
+easy-company.tk, 1
+easy-design.tk, 1
+easy-drop.co, 1
+easy-factures.fr, 1
+easy-feedback.com, 1
+easy-feedback.de, 1
+easy-katka.ga, 1
+easy-pornvideos.com, 1
+easy-rpg.org, 1
+easy2bathe.co.uk, 1
+easy4ssl.com, 1
+easyaddress.io, 1
+easyadsnbanners.tk, 0
+easybank.at, 1
+easybaufi.com, 1
+easybill.de, 1
+easybiztech.co.za, 1
+easybom.com, 1
+easybot.tk, 1
+easybranches.com, 1
+easybrazilianrecipes.com, 1
+easycater.com, 1
+easycoding.org, 1
+easycom.tk, 1
+easyconstat.com, 1
+easycontentplan.com, 1
+easycrochet.tk, 1
+easydmarc.am, 1
+easydonate.tk, 1
+easydrawingguides.com, 1
+easydumpsterrental.com, 0
+easyenrollment.net, 1
+easyescortwebsites.com, 1
+easyfiles.ch, 1
+easyfiles.gq, 1
+easyfoto.tk, 1
+easygenerator.com, 1
+easygrow.tk, 1
+easyhacks.net, 1
+easyhome.org, 1
+easyhomebiz.tk, 1
+easyhousing.dk, 1
+easyhtml.tk, 1
+easyishare.com, 1
+easyit.ga, 1
+easyit.tk, 1
+easyjumping.tk, 1
+easykash.net, 1
+easykitchens.co.in, 1
+easykonto.de, 0
+easylinker.tk, 1
+easylogics.tk, 1
+easymarketing.uk, 1
+easymeditation.tk, 1
+easymotionskin-japan.jp, 1
+easymun.com, 1
+easynm.cn, 1
+easynotary.ch, 1
+easyocm.hu, 1
+easyonlinetest.tk, 1
+easypay.bg, 1
+easypayment.cf, 1
+easypaymentnow.com, 1
+easypayments.pro, 1
+easypets.fr, 0
+easypost.com, 1
+easypricebook.com, 1
+easypv.ch, 1
+easyqr.codes, 0
+easyradio.gq, 1
+easyreal.ru, 1
+easyretro.io, 1
+easyrpg.org, 1
+easyshare.gq, 1
+easysignup.com, 1
+easyska.tk, 1
+easyslide.be, 1
+easysoft.tk, 1
+easysubmit.tk, 1
+easytamil.tk, 1
+easytap.sv, 1
+easytechguides.com, 1
+easytestonline.tk, 1
+easytext.ga, 1
+easytfa.com, 1
+easytokill.tk, 1
+easytrackghana.com, 1
+easytube.ga, 1
+easywebhosting.tk, 1
+easyweenies.com, 1
+easywin.ml, 1
+easywio.com, 1
+easywrite.com.tw, 1
+eat, 1
+eat-sleep-code.com, 1
+eat-that.tk, 1
+eat-the-world.ch, 1
+eat-vegan.rocks, 0
+eatandsleep.jp, 1
+eatdrinktalk.net, 1
+eatechled.com, 1
+eatery.co.il, 1
+eatfitoutlet.com.br, 1
+eatingasturias.com, 1
+eatinglinks.tk, 1
+eatmebudapest.hu, 1
+eatmportal.eu, 1
+eaton-daitron.jp, 1
+eaton-works.com, 1
+eatonbrowncountywi.gov, 1
+eatry.io, 1
+eats.soy, 1
+eatsleeprepeat.net, 1
+eatson.com, 1
+eatwith.com, 1
+eauclairecounty.gov, 1
+eaucube.com, 1
+eaugenethomas.cf, 1
+eauto-cash.de, 1
+eautocash.de, 1
+eautocollision.com, 1
+eautolease.com, 1
+eauxdevienne.fr, 1
+eava.ga, 1
+eazy.gr, 1
+eazyfreight.co.uk, 1
+eazyg.tk, 1
+eazyinvoice.tk, 1
+eazyproject.net, 1
+eazytailors.ga, 1
+eazzy.tk, 1
+eb-net.de, 1
+eb66.com, 1
+eb7.jp, 1
+eba.com.au, 1
+eba.com.ua, 1
+ebag-solar.com.tr, 1
+ebagroup.tk, 1
+ebakery.de, 1
+eban.bzh, 1
+ebanca.com, 1
+ebanking.indovinabank.com.vn, 1
+ebanking.raiffeisen.ch, 1
+ebankingabersicher.ch, 1
+ebankingbutsecure.ch, 1
+ebankingentoutesecurite.ch, 1
+ebankingmasicuro.ch, 1
+ebarer.com, 1
+ebas.ch, 1
+ebashim.tk, 1
+ebassradiante.cl, 1
+ebataw.com, 1
+ebatech-energiemanagement.nl, 1
+ebatech.be, 1
+ebatech.eu, 1
+ebatech.net, 1
+ebatech.nl, 1
+ebatech.org, 1
+ebatechenergiedisplay.nl, 1
+ebatechenergiemanagement.nl, 1
+ebayinc.com, 1
+ebcfx.com, 1
+ebci-nsn.gov, 1
+ebcired-nsn.gov, 1
+ebdaa-business.com, 1
+eben18.net, 1
+ebenda.org, 1
+ebenisterie-de-villenouvelle.fr, 1
+ebenvloedaanleggen.nl, 1
+eberharter-steine.at, 1
+eberspacher-rus.ru, 1
+ebertlang.com, 0
+eberwe.in, 1
+ebest.co.jp, 1
+ebetbananom.tk, 1
+ebics.cz, 1
+ebics.hu, 1
+ebics.sk, 1
+ebikeanswers.com, 1
+ebikemod.de, 1
+ebilanzplus.de, 1
+ebino.pl, 1
+ebiografia.com, 1
+ebiografias.com.br, 1
+ebis.cloud, 1
+ebis.info, 1
+ebisee.com, 1
+ebizarts.com, 1
+ebiznespro.pl, 1
+ebjork.se, 1
+ebki-nsn.gov, 1
+eblan.gq, 1
+eblandscaping.com.au, 1
+eblog.cf, 1
+eblog.ink, 1
+eboardsolutions.com, 1
+ebola-hosting.cz, 1
+ebola.cz, 1
+ebolacharts.ga, 1
+ebolavirus.tk, 1
+ebony.social, 1
+ebonyfantasies.com, 1
+ebonylog.com, 1
+ebonymgp.com, 1
+ebonymilftube.com, 1
+ebonyriddle.com, 1
+ebonytube.tv, 1
+eboocker.de, 1
+ebookabc.tk, 1
+ebookdep.com, 1
+ebookdrive.tk, 1
+ebooki.eu.org, 1
+ebooknetworking.net, 1
+ebookpdf.com, 1
+ebooks-pdf.cf, 1
+ebooks4all.tk, 1
+ebooks4gate.tk, 1
+ebooksgratis.tk, 1
+ebooksgratuits.org, 1
+ebooksinfocus.com, 1
+ebookspy.tk, 1
+ebookweb.gq, 1
+ebop.ch, 1
+eboxgroup.tk, 1
+eboxtenders.com, 1
+ebpc.com.au, 1
+ebpgateway.com, 1
+ebrahimhadimarket.com, 1
+ebrdbusinessguide.com, 1
+ebrea.ch, 1
+ebrnd.de, 1
+ebrofoods.es, 0
+ebrows.md, 1
+ebru-gundes.tk, 1
+ebrununkasnagi.com, 1
+ebs.to, 1
+ebscomedical.com, 1
+ebuha.ga, 1
+ebuku.tk, 1
+eburg.ml, 1
+ec-baran.de, 1
+ec-current.com, 1
+ec.ath.cx, 1
+ec.mine.nu, 1
+ec2software.com, 1
+eca.nb.ca, 1
+ecamisetas.com.br, 1
+ecampusontario.ca, 1
+ecard.ml, 1
+ecardoo.com, 1
+ecardoo.de, 1
+ecardoo.net, 1
+ecardoo.org, 1
+ecargo.co.nz, 1
+ecarscash.com, 1
+ecat.ua, 1
+ecaterina.tk, 1
+ecbt.co.il, 1
+ecchidreams.com, 1
+eccma.org, 1
+ecco-verde.at, 1
+ecco-verde.com, 1
+ecco-verde.de, 1
+ecco-verde.it, 1
+eccoholiday.com, 1
+eccoilmenu.it, 1
+eccologic.net, 1
+eccoplastic.com, 1
+eccouncil.org, 1
+eccu.edu, 1
+ecdn.cz, 1
+ece-inc.net, 1
+ecelembrou.ovh, 1
+ecemella.com, 1
+ecency.com, 1
+ecenglishlive.com, 0
+ecenter.bg, 1
+ecetechsol.com, 1
+ecetiner.com, 1
+ecfunstalls.com, 1
+ecgclic.fr, 1
+echarity.ae, 1
+echbay.com, 1
+echi.pw, 1
+echidna-usa.com, 1
+echidna.com.au, 1
+echidnalock.com.au, 1
+echima.ca, 1
+echinus.solutions, 1
+echo-in.info, 1
+echo-n.nz, 0
+echo-online.de, 1
+echo-security.co, 1
+echo.cc, 1
+echoanalytics.com, 1
+echobridgepartners.com, 1
+echocolate.xyz, 1
+echodio.com, 1
+echoeshq.com, 0
+echofoxtrot.co, 1
+echoit.net, 1
+echoit.net.au, 1
+echoit.services, 1
+echomail.org, 1
+echopaper.com, 1
+echorecovery.org, 1
+echosdg.com, 1
+echosearch.co, 1
+echoserver.org, 1
+echoship.com, 1
+echosixmonkey.com, 1
+echosystem.fr, 1
+echotango.fr, 1
+echoteam.eu.org, 1
+echoteam.gq, 1
+echoteam.ml, 1
+echotone.tk, 1
+echovintage.com.br, 1
+echowave.io, 1
+echt.ga, 1
+echtcache.ga, 1
+echtebbq.nl, 1
+echternach-immobilien.de, 1
+echtes-hutzelbrot.de, 1
+ecirtam.net, 0
+eciso.io, 1
+ecity.hu, 1
+eck.cologne, 1
+eckel-edv.de, 1
+eckel-kieser-gbr.de, 1
+eckel.co, 1
+eckerl.org, 1
+eckerle-gruppe.com, 1
+eckfordtownshipmi.gov, 1
+eckindustries.com, 1
+eckler.ca, 1
+eckotech.fr, 1
+eckstein.tech, 1
+eclectic-al.gov, 1
+eclecticbeaver.com, 1
+eclectiv.com, 1
+eclipse-cross.info, 1
+eclipse4academia-startups.com, 1
+eclipseforum.tk, 1
+eclipsegame.tk, 1
+eclipseide.org, 1
+eclipseinspectionservices.co.uk, 1
+ecn.ir, 1
+ecnetworker.com, 1
+eco-derattizzazione.it, 1
+eco-doors.co.uk, 1
+eco-price.ru, 1
+eco-rubber.ru, 1
+eco-solu.co.jp, 1
+eco-web.com, 1
+eco-wiki.com, 1
+eco-work.it, 1
+eco2u.ru, 1
+eco69.com, 1
+eco69.eu, 1
+eco69.pl, 1
+ecobalispa.com, 1
+ecobunker.co.uk, 1
+ecobunkerusa.com, 1
+ecocanada.jobs, 1
+ecoceutics.com, 1
+ecochannel-ve.com, 1
+ecochiccottages.com, 1
+ecoconut.org, 1
+ecocoolrooms.co.uk, 1
+ecocreativity.org, 1
+ecocuisinedesign.com, 1
+ecodedi.com, 1
+ecodepur.co.ao, 1
+ecodepur.fr, 1
+ecodesign-labo.jp, 1
+ecodesigns.nl, 1
+ecoeat.ru, 1
+ecoefficience.com, 1
+ecoelectricsandiego.com, 1
+ecoeuropa.cf, 1
+ecofinancing.com, 1
+ecofoolad.com, 1
+ecoformeurope.com, 1
+ecofriendlytravels.com, 1
+ecogarden.design, 1
+ecogen.com.au, 1
+ecogen.net.au, 1
+ecohaus-pinklao-salaya.com, 0
+ecoheatcool.co.uk, 1
+ecohimdv.tk, 1
+ecohomebuild.org, 1
+ecohostingservices.uk, 1
+ecoindia.tk, 1
+ecojob.ga, 1
+ecolala.my, 1
+ecolan37.ru, 1
+ecole-attalens.ch, 0
+ecole-du-digital.com, 1
+ecole-eac.com, 1
+ecole-iaf.fr, 0
+ecole-parfum.com, 1
+ecole-saint-yves-rennes.fr, 1
+ecoledusabbat.org, 0
+ecolelacime.be, 1
+ecolenotredame.tk, 1
+ecolequebec.com, 1
+ecoles-conde.com, 1
+ecolive.pl, 1
+ecolodgedebosuil.nl, 1
+ecologeek.tk, 1
+ecologiahoy.com, 1
+ecologiapolitica.info, 1
+ecologic-france.com, 1
+ecologica.it, 1
+ecologistasenaccion.org, 1
+ecologiya.tk, 1
+ecologs.ie, 1
+ecoloriptv.tk, 1
+ecombustibil.ro, 0
+ecometal.bg, 1
+ecometalsrl.com, 1
+ecomia.dk, 1
+ecommerce-bikinsistem.tk, 1
+ecommerce-optimizer.com, 1
+ecommercedb.com, 1
+ecommercenews.asia, 1
+ecommercenews.co.nz, 1
+ecommercenews.com.au, 1
+ecommerceuropa.eu, 1
+ecompen.co.za, 1
+ecomuuu.com, 1
+ecomweb.ro, 1
+ecomycie.com, 1
+econativa.pt, 1
+econfia.cf, 1
+econmarketingdigital.com, 1
+economia.cl, 1
+economias.pt, 1
+economic-sanctions.com, 1
+economicnews.ga, 1
+economics-colleges.com, 1
+economie.gouv.fr, 1
+economie2.alsace, 1
+economie2.fr, 1
+economiefidu.ch, 0
+economies.ch, 0
+economixportal.tk, 1
+economycarrentalscyprus.com, 1
+economydiva.com, 1
+economyroofingco.com, 1
+econsorzio.com, 1
+econstitution.bg, 1
+econsumer.gov, 1
+ecoo.top, 1
+ecoon.net, 1
+ecopak.org, 1
+ecopark.asia, 1
+ecopark.co, 1
+ecopark.tv, 1
+ecopiscines.fr, 1
+ecopowerenginewash.com, 1
+ecopy.ir, 1
+ecorak.de, 1
+ecored.pl, 1
+ecoresina.com, 1
+ecorp-australia.tk, 1
+ecos-ev.de, 1
+ecosas.org, 1
+ecoscanapp.eu, 1
+ecosdesociedad.tk, 1
+ecosfti.tk, 1
+ecoshare.info, 1
+ecosial.org, 1
+ecoskif.ru, 1
+ecosoftconsult.com, 0
+ecostarfoam.com, 1
+ecostroika.ru, 1
+ecostruxureit.com, 1
+ecosuds.co.uk, 1
+ecosuds.uk, 1
+ecosystem.atlassian.net, 1
+ecosystemmanager-uat1.azurewebsites.net, 1
+ecotecelevator.com, 1
+ecotrade-disinfestazioni.it, 1
+ecotsa.com, 1
+ecotur.org, 1
+ecoturismo.tk, 1
+ecounselling.nic.in, 1
+ecoupakovka.ga, 1
+ecourbano.tk, 1
+ecoute.tv, 1
+ecowater.com, 1
+ecowoman-armenian.tk, 1
+ecowoman-bengalian.tk, 1
+ecowoman-indonezian.tk, 1
+ecowoman-turkey.tk, 1
+ecowoman-ukraine.tk, 1
+ecozip.it, 1
+ecozona.tk, 1
+ecpa-eg.com, 1
+ecpc.org, 1
+ecpic.gov, 1
+ecpl.ru, 1
+ecr-test-partnapp.azurewebsites.net, 1
+ecrangamer.fr, 1
+ecredits-dev-app-backoffice01.azurewebsites.net, 1
+ecredits-dev-app-partner01.azurewebsites.net, 1
+ecrehabandwellness.com, 1
+ecrehou.com, 1
+ecrequipamientos.com, 1
+ecriminalrecords.com, 1
+ecrownoffire.com, 1
+ecrums.gov, 1
+ecsafety.com, 1
+ecscoutgroup.cf, 1
+ecstaticentertainment.com, 1
+ecsupplyinc.com, 1
+ect-cpg.com, 1
+ect-telecoms.com, 1
+ectfsaz.com, 1
+ectora.com, 1
+ectpro.co.th, 1
+ecttaz.com, 1
+ecuadorbienesraices.com, 1
+ecuadorlibrered.tk, 1
+ecuadorwillana.com, 1
+ecuashop.ec, 1
+ecubr.com, 1
+ecup.mx, 1
+ecupcafe.com, 0
+ecv.fr, 1
+ecvma.fr, 1
+ecvtd.gov, 1
+ecxforum.com, 1
+ecyy.net, 1
+eczacionline.com, 1
+ed-medications.ml, 1
+ed-studios.tk, 1
+ed.gs, 1
+ed394jed.fr, 1
+eda-ah.com, 1
+eda.cooking, 0
+eda.gov, 1
+eda72.com, 1
+edacsoft.com, 1
+edalat.tk, 1
+edanalytics.org, 1
+edapt.org.uk, 1
+edas.info, 0
+edatech.com, 1
+edb.cz, 1
+edb.eu, 1
+edb.gov.sg, 1
+edcaptain.com, 1
+edcdn.net, 1
+edd-miles.com, 1
+eddesign.ch, 1
+eddi.org.au, 1
+eddie.website, 1
+eddmil.es, 1
+eddokloosterman.com, 1
+eddriesen.tk, 1
+eddsworld.tk, 1
+eddyn.net, 0
+eddysystem.tk, 1
+eddyworld.tk, 1
+edeals.co.com, 1
+edeals.com.co, 1
+edeca.net, 1
+ededdeddy.tk, 1
+edegembicycleclub.tk, 1
+edegulkoyu.tk, 1
+edehsa.com, 1
+edeka-peper.de, 1
+edel-suff.de, 1
+edelveiys.tk, 1
+edelvivesdigital.com, 1
+edelvivesdigitalplus.com, 1
+edelweiskapel.tk, 1
+edelweiss-pinzolo.com, 1
+edelweiss-service.ru, 1
+edelweissalternatives.com, 1
+eden-project-insight.tk, 1
+eden.bz, 1
+eden.co.uk, 1
+edenaya.com, 0
+edencollie.com, 1
+edenfactory.tk, 1
+edenming.info, 1
+edennc.gov, 1
+edenprairiemn.gov, 1
+edenpureheater.tk, 1
+edenredbenefits.com, 1
+edenvaleplumber24-7.co.za, 1
+edenverses.com, 1
+eder-steiner.at, 1
+ederasrl.it, 1
+edesseglabor.hu, 1
+edevletkapisi.org, 1
+edfdentalcenter.tk, 1
+edgar.mx, 1
+edgarcountyillinois.gov, 1
+edgarpierre.fr, 1
+edgarsmission.org.au, 1
+edgarsonderwaterwereld.tk, 1
+edgartamarit.com, 1
+edgarwi.gov, 1
+edgarz.tk, 1
+edgebilisim.com, 1
+edgecase.ru, 1
+edgeconnectnj.net, 1
+edgecustomersportal.com, 1
+edgedynasty.com, 1
+edgeimpulse.com, 1
+edgeless.pp.ua, 0
+edgelogs.com, 1
+edgemagazine.net, 1
+edgemasterspaint.com, 1
+edgeofnoservers.com, 1
+edgerton.us, 1
+edgeservices.co.uk, 1
+edgetalk.net, 1
+edgetechig.co.uk, 0
+edgewaterco.gov, 1
+edging.tech, 1
+edh.email, 1
+edholm.pub, 1
+edi-gate.com, 1
+edi-gate.de, 1
+edibarcode.com, 1
+ediberto.tk, 1
+edibleforest.co, 1
+edicct.com, 1
+edicionescrimentales.tk, 1
+edihair.com, 1
+edik.tk, 1
+edikacomptabilite.com, 1
+edilane.com, 1
+edilane.de, 1
+edilians-group.com, 1
+ediliovo.com, 1
+edilondon.com, 1
+edilservizivco.it, 1
+edinburghcastle.scot, 1
+edinburghcyclehire.co.uk, 1
+edinburghcyclehire.com, 1
+edinburghopenworkshop.co.uk, 1
+edirnehaber.tk, 1
+edirnehaberleri.tk, 1
+edison.moe, 1
+edisonchee.com, 1
+edisongroup.ru, 1
+edisonlee55.com, 1
+edisonluiz.com, 1
+edisonnj.gov, 1
+edisonstreet.com, 1
+edist.ro, 1
+edit.co.uk, 1
+edit.org, 1
+edit.yahoo.com, 0
+edited.at, 1
+edited.be, 1
+edited.ch, 1
+edited.cz, 1
+edited.de, 1
+edited.nl, 1
+edited.pl, 1
+edithlouw.tk, 1
+edition-sonblom.de, 0
+editions-campanile.fr, 1
+editionsnoiretrouge.com, 1
+editionsz.com, 1
+editorakanope.com.br, 1
+editorialexpress.com, 1
+editorsguild.com, 1
+editspace.tk, 1
+editus.it, 1
+edityeet.com, 1
+edje.com, 1
+edjo.us, 1
+edl.com.ph, 1
+edlinger.at, 1
+edlinger.mobi, 1
+edman007.com, 1
+edmates.com, 1
+edmedications.tk, 1
+edmedsonline.tk, 1
+edmilia.tk, 1
+edmoncu.com, 1
+edmondok.gov, 1
+edmontonwellness.ca, 1
+edmundcelis.com, 1
+edmundy.tk, 1
+edmwaves.org, 1
+ednarstore.com, 1
+edocperso.fr, 1
+edocr.com, 1
+edok.com.br, 1
+edopomoga.gov.ua, 1
+edoss.co.za, 0
+edp.com, 1
+edpgassu.pt, 1
+edpnc.com, 1
+edpr.com, 1
+edpubs.gov, 1
+edr-d.expert, 1
+edragneainpuscarie.ro, 1
+edremith.com, 1
+edremitweb.site, 1
+edrepay.com, 1
+edrgroup.nl, 1
+edri.org, 1
+edrosd.cf, 1
+edrost.tk, 1
+edrtravel.com, 1
+edsby.com, 0
+edscha.com, 1
+edscolors.com, 1
+edservicing.com, 1
+edshogg.co.uk, 1
+edsm.net, 1
+edstem.org, 1
+edstep.com, 1
+edsys.com.au, 1
+edtech-hub.com, 1
+edtech.ee, 1
+edtechwebb.com, 1
+edtravel.ga, 1
+edu-kingdom.com, 1
+edu3w.at, 1
+edu6.cloud, 1
+eduanimal.tk, 1
+eduard-dopler.de, 1
+eduardbaas.com, 1
+eduardnikolenko.com, 1
+eduardochang.tk, 1
+eduardofranco-luthier.tk, 1
+eduardomaio.net, 1
+eduardosuarez.tk, 1
+eduart.tk, 1
+eduba.se, 1
+edubase.link, 1
+edubase.net, 1
+edubirdie.com, 1
+edublognews.tk, 1
+educa-cao.pt, 1
+educa2.es, 1
+educabis.tk, 1
+educacionit.com, 1
+educacionnm.ml, 1
+educacionvirtual.com.ar, 1
+educaestado.com, 1
+educanada.in, 1
+educard.co.at, 1
+educasis.tk, 1
+educatek.es, 1
+educatie.tk, 1
+education-colleges.com, 1
+education-info.cf, 1
+education4paper.tk, 1
+educationarea.tk, 1
+educationboard.ml, 1
+educationconnect.tk, 1
+educationdepartment.ml, 1
+educationet.tk, 1
+educationfirst.ml, 1
+educationgov.tk, 1
+educationhighquality.ml, 1
+educationism.tk, 1
+educationmalaysia.co.uk, 1
+educationone.ml, 1
+educationportal.ga, 1
+educationportal.tk, 1
+educationstandards.nsw.edu.au, 1
+educationstatistic.tk, 1
+educationstudent.tk, 1
+educationsupport.org.uk, 0
+educationtopics.tk, 1
+educationtree.tk, 1
+educationtrust.tk, 1
+educationweek.tk, 1
+educative.io, 1
+educator-one.com, 1
+educatorretirementsolutions.com, 1
+educators.co.nz, 1
+educatoys.com.br, 1
+educbook.ga, 1
+educheck.tech, 1
+educlove.com, 1
+educourse.nl, 1
+edudip-next.com, 1
+edudip.com, 1
+edudip.de, 1
+edufever.com, 1
+edufever.in, 1
+eduflow.at, 1
+edugeton.com, 1
+edugram.com, 1
+eduhub.lol, 1
+eduhub.ml, 1
+eduhublisbon.com, 1
+eduid.se, 1
+eduif.nl, 0
+eduium.io, 1
+eduki.com, 1
+edukle.com, 0
+edularidea.com, 1
+edularism.com, 1
+edulayer.net, 1
+edulinks.ml, 1
+edumanage.tk, 1
+edumaritime.net, 1
+edumerson.com, 1
+edunaut.com.au, 1
+edunet.gq, 1
+edunet.training, 1
+edunian.com, 1
+edunoor.tk, 1
+eduoneschool.tk, 1
+edupay.co.at, 1
+edupesa.com, 1
+eduproject.tk, 1
+eduproquality.tk, 1
+eduqfix.com, 1
+eduradiadores.com.br, 1
+eduresultbd.com, 1
+eduroam.no, 1
+eduroam.uy, 1
+edusanjal.com, 1
+eduschool.ml, 1
+edusektor.de, 0
+edusercontent.com, 1
+eduson.pl, 1
+eduspot.co.uk, 1
+edusson.com, 1
+edusuite.at, 1
+edutech.group, 1
+edutour.ml, 1
+edutrum.com, 1
+eduxon.in, 1
+eduxpro.com, 1
+eduzaurus.com, 1
+edv-biela.de, 1
+edv-lehrgang.de, 1
+edv-ringhofer.de, 1
+edv-schmittner.de, 1
+edvan.com.br, 1
+edvestinu.com, 1
+edvgarbe.de, 1
+edvision.ga, 1
+edvmesstec.de, 1
+edward-tagle.tk, 1
+edwardbrowninvestment.tk, 1
+edwardcastrillon.com, 1
+edwarddekker.nl, 1
+edwardkong.top, 1
+edwards.me.uk, 1
+edwardscommercialcleaning.com, 1
+edwardsgrounds.co.uk, 1
+edwardwall.me, 1
+edware.ga, 1
+edweb.tk, 1
+edwellbrook.com, 1
+edwinlinda.tk, 1
+edwinlugo.gq, 1
+edwinmattiacci.com, 1
+edwinroelvink.tk, 1
+edxg.de, 0
+edxn.de, 1
+edyhenry.tk, 1
+edyou.org, 0
+edytabania.com, 1
+edzo.dk, 1
+edzo.fr, 1
+ee-terminals.com, 1
+ee00228.com, 0
+ee362.com, 0
+ee367.com, 0
+ee372.com, 0
+ee396.com, 0
+ee397.com, 0
+ee5197.co, 1
+ee6729.co, 1
+ee6729.com, 0
+ee6957.co, 1
+ee9297.co, 1
+ee951.com, 0
+ee9728.co, 1
+ee973.com, 0
+eebt.hu, 1
+eeeb.loan, 1
+eeeeeeeeee.de, 1
+eeehh.com, 1
+eeetrust.org, 1
+eegaming.org, 1
+eegaming.tk, 1
+eehitus.ee, 1
+eeia.com, 1
+eeiletudiant.com, 1
+eekelen.net, 1
+eelabs.eu, 1
+eelcapone.nl, 1
+eellak.gr, 1
+eelsden.net, 1
+eelzak.nl, 1
+eemcevn.com, 1
+een-eenvoudige-test-voor-de-maximum-lengte-van-een-nederlandse.nl, 1
+een.com, 1
+eenfotowaard.nl, 1
+eenmailsturen.nl, 0
+eennieuwepc.nl, 1
+eentweevijf.be, 1
+eenvren.com, 1
+eenvxing.com, 1
+eeqj.com, 1
+eer.io, 1
+eeri.org, 1
+eerstemaanlanding.tk, 1
+eery.de, 1
+eesti.id, 1
+eet.nu, 1
+eetestingcenter.com, 1
+eetimestv.com, 1
+eevie.io, 1
+eevpn.com, 1
+eewna.org, 1
+eeyo.uk, 1
+eez.ee, 0
+eezepc.com, 1
+ef.gy, 1
+efaas.nl, 1
+efag.com, 1
+efcpharma.com, 1
+efcross.com, 1
+efectococuyo.com, 0
+efeel.info, 1
+efeen.nl, 1
+efeindonesia.com, 1
+efektfoto.cz, 1
+efektyvnist.pro, 1
+eferro.ca, 1
+efeso.co.nz, 1
+efeso.nz, 1
+efeso.org.nz, 1
+efeso4mayor.co.nz, 1
+efeso4mayor.nz, 1
+efeso4mayor.org, 1
+efeso4mayor.org.nz, 1
+efesocollins.org, 1
+efesocollins.org.nz, 1
+efesoformayor.co.nz, 1
+efesoformayor.nz, 1
+efesoformayor.org, 1
+efesoformayor.org.nz, 1
+eff.org, 1
+effdocs.com, 1
+effe.ch, 0
+effecotto.it, 1
+effective-altruist.com, 1
+effectivecommunication.tk, 1
+effectiveconsulting.ca, 1
+effectivelist.com, 1
+effectivepapers.com, 1
+effectory.com, 1
+effectpointphotography.cf, 1
+effectualness.co.za, 1
+effectualness.web.za, 1
+effelzburgfilms.com, 1
+effer.me, 1
+effex.ru, 1
+effexorgeneric.ml, 1
+effiasoft.com, 0
+effic.es, 1
+efficientip.com, 0
+efficientsolutions.tk, 1
+effigos.com, 1
+effigos.de, 1
+effinfun.com, 1
+effinghamcountyil.gov, 1
+efflam.net, 1
+effmio.de, 1
+effortlesshr.com, 1
+effortlesshr.net, 1
+effra.pl, 1
+efi.com, 0
+eficsolar.com, 1
+efiglobal.com, 1
+efiledcsuperiorcourt.gov, 1
+efirma.com, 1
+eflorashop.be, 1
+eflorashop.ch, 1
+eflorashop.co.uk, 1
+eflorashop.com, 1
+eflorashop.de, 1
+eflorashop.es, 1
+eflorashop.fr, 1
+eflorashop.it, 1
+eflorashop.mx, 1
+eflorashop.net, 1
+eflorashop.us, 1
+efmcredentialing.org, 1
+efmo.de, 1
+efoood.org, 1
+efootball4u.es, 1
+eformost.ca, 1
+eforw.com, 1
+efp.nl, 1
+efran-eliyev.gq, 1
+efsanesi.tk, 1
+eft.boutique, 1
+eftcorp.biz, 1
+eftelingcraft.net, 1
+efterfest.tk, 1
+eftotoekspertizbalikesir.com, 1
+efutbol.tk, 1
+eg-dev.net, 1
+eg22.com, 1
+eg7.co.jp, 1
+eg7.jp, 1
+egablo.black, 1
+egabroaventuras.tk, 1
+egais.ml, 1
+egal24.de, 1
+egarden.it, 1
+egb.at, 0
+egbeautybar.nl, 1
+egbert.net, 1
+egbertsen.tk, 1
+egc.ink, 1
+egdsk.ru, 1
+egegesh.ru, 1
+egekbb.org, 1
+egeozcan.com, 0
+egestor.com.br, 1
+egevpare.tk, 1
+egfl.org.uk, 1
+egg-ortho.ch, 1
+eggblast.com, 1
+eggc.at, 1
+egge.com, 0
+eggel.ch, 1
+eggen.dk, 1
+eggendorfer.at, 1
+eggendorfer.be, 1
+eggendorfer.biz, 1
+eggendorfer.ch, 1
+eggendorfer.co.uk, 1
+eggendorfer.de, 1
+eggendorfer.info, 1
+eggendorfer.it, 1
+eggendorfer.li, 1
+eggendorfer.name, 1
+eggendorfer.net, 1
+eggendorfer.online, 1
+eggendorfer.org, 1
+eggendorfer.pro, 1
+eggendorfer.rocks, 1
+eggendorfer.tv, 1
+eggendorfer.uk, 1
+eggendorfer.us, 1
+eggendorfer.wine, 1
+eggertsvillefiredistrict.gov, 1
+egglestonyouthcenter.org, 1
+eggman.tk, 1
+eggplantsoftware.com, 1
+eggqvq.com, 1
+eggrolls.ml, 1
+eggy.com.au, 0
+eggzr.com, 1
+egh.ir, 1
+egiftcards.be, 1
+egilopaseryh.tk, 1
+egins.tk, 1
+egipet-tiz.tk, 1
+egiptwakacje.tk, 1
+egitim.academy, 1
+egitimpusulam.com, 1
+egito.pl, 1
+egittophilia.tk, 1
+eglantier.eu, 1
+egles.eu, 1
+eglinlife.net, 1
+eglise-crc.be, 1
+egliseclichy92.fr, 1
+eglisedenantes.fr, 1
+egm-sakura.com, 1
+ego4u.com, 1
+ego4u.de, 1
+egoclan.tk, 1
+egold-keeper.com, 1
+egomania.tk, 1
+egomaniaque.tk, 1
+egonews.ga, 1
+egophobia.tk, 1
+egorazarkevich.ga, 1
+egorka.ml, 1
+egoroskope.tk, 1
+egos-online.com, 1
+egoscolumn.tk, 1
+egotickets.com, 1
+egotripproductions.org, 1
+egov.digital, 1
+egov4.ch, 1
+egproduction.com, 1
+egreensvape.com, 1
+egregius.be, 0
+egres.xyz, 1
+egretail.no, 0
+egrojsoft.info, 1
+egrouen.net, 1
+egroupware.org, 1
+egrow.io, 1
+egt-bg.com, 1
+egt-digital.com, 1
+egt.ee, 0
+eguchi-dc.com, 1
+egvilparks.gov, 1
+egw-ceramica.de, 1
+egy-boy.tk, 1
+egypt-tourism.ga, 1
+egypt-tours.tk, 1
+egypt-turism.ru, 1
+egyptcrops.com, 1
+egypte.tk, 1
+egyptenet.tk, 1
+egypteweb.tk, 1
+egyptexposed.tk, 1
+egypthomemaintenance.com, 1
+egyptian.gq, 1
+egyptianeuphoria.com, 1
+egyptianhak.tk, 1
+egytimes.tk, 1
+egzekucija.tk, 1
+egzotique.com, 1
+eh-huebner-stiftung.de, 1
+ehaccp.it, 1
+ehazi.hu, 1
+ehbsecuritydavy.be, 1
+ehcommerce.com, 1
+ehdata.net, 1
+ehealth.gov.au, 1
+ehealth.kg, 1
+eheartspecialist.com, 1
+eheliche-disziplin.schule, 1
+eheya.net, 1
+ehipaa.com, 1
+ehlers-net.de, 1
+ehlersdanlos.dk, 1
+ehlersdanlos.tk, 1
+ehliyetsinavsorulari.org, 1
+ehmsen.nu, 1
+ehmtheblueline.com, 1
+ehne.de, 1
+ehome.im, 1
+ehometools.com, 1
+ehomusicgear.com, 1
+ehorizon.jp, 1
+ehpad-ariege.fr, 1
+ehr.bg, 1
+ehr.gov, 1
+ehrby.se, 1
+ehrdata.com, 1
+ehrenburg.info, 1
+ehrlichesbier.de, 1
+ehsehk.com.ph, 1
+ehtgov.org, 1
+ehtp.pt, 1
+ehtu.tk, 1
+ehub.cz, 1
+ehub.hu, 1
+ehub.pl, 1
+ehub.sk, 1
+ehuber.info, 1
+ei-bo.org, 1
+eiacampoguamal.com, 1
+eiao.me, 1
+eiber.net, 1
+eibich.de, 1
+eichel.eu, 1
+eichendorffschule.online, 1
+eichenrund.de, 1
+eichinger-stelzl.com, 1
+eichinger-stelzl.de, 1
+eichler.work, 1
+eickhof.co, 1
+eickhof.us, 1
+eickhofcolumbaria.com, 1
+eidelpes.info, 1
+eientei.org, 1
+eifach.top, 1
+eifel.website, 1
+eifelstuebchen.de, 1
+eiffage.com, 1
+eiga.com, 1
+eigenaardig.tk, 1
+eigenbubi.de, 1
+eigenetiket.tk, 1
+eigenpul.se, 1
+eigenpulse.com, 1
+eigentech.com, 1
+eigenvector.space, 1
+eigenvector.systems, 1
+eightballde.luxe, 1
+eightvirtues.tk, 1
+eighty-aid.com, 1
+eightyfour.ca, 1
+eightysoft.de, 1
+eigpropertyauctions.co.uk, 1
+eihaikyo.com, 1
+eihei.net, 1
+eiji.fr, 1
+eikenskaden.tk, 1
+eikentafels.nl, 1
+eiklandenergy.com, 1
+eiko-dch.ac.jp, 1
+eikoh.nsw.edu.au, 1
+eikones.tk, 1
+eikounoayumi.jp, 1
+eileen.ml, 1
+eilhan.com, 1
+eim.one, 1
+eimacs.com, 1
+eimeko.ch, 1
+eimmigration.com, 1
+ein-itin.com, 1
+einarkallevig.tk, 1
+einaros.is, 1
+eindex.me, 1
+eine-andere-welt.org, 1
+einfach-fitz.at, 1
+einfachkiss.at, 1
+einheizpreis.de, 1
+einhorn.space, 1
+einmonolog.de, 1
+einreiseanmeldung.de, 1
+einrichtenonline.com, 1
+einsatzstiefel.info, 1
+einstein-themanandhismind.net, 1
+einsteinathome.org, 1
+einsteinbros.com, 1
+einsteinium.fr, 1
+einsteinmishra.com, 1
+einsteins.tk, 1
+einstokbeer.com, 1
+eintageinzug.de, 1
+eintoepfe-bruchsal.de, 1
+eintracht-rodde.de, 1
+einvestment.com, 1
+einwie.com, 1
+eipione.com, 1
+eirastudios.co.uk, 1
+eirb.fr, 1
+eirgroup.com.au, 1
+eirik.eu, 1
+eirikyrolae.tk, 1
+eis.org.uk, 1
+eisaev.ru, 1
+eisblau.org, 1
+eisei-iinkai.com, 1
+eisen-biomed.ch, 1
+eisenbahnfreunde-lengerich.de, 1
+eisenberg.co.za, 1
+eisenhowerlibrary.gov, 1
+eisenhut.family, 1
+eisenstark.de, 1
+eisenzelt.de, 1
+eisernes-kreuz.tk, 1
+eiskratzer-bedrucken.de, 0
+eit-solutions.com.au, 1
+eit-web.de, 0
+eitbtaldea.eus, 1
+eitt.pl, 1
+eivanec.com, 1
+eiyoushi-shigoto.com, 1
+ej.gov, 1
+ej.uz, 1
+ejabi-infosec.com, 1
+ejbelectrical.com, 1
+ejcabinets.com, 1
+ejderrapgott.de, 1
+ejdv-anmeldung.de, 1
+ejelectrical-qld.com.au, 1
+ejerciciosmemoria.com, 1
+ejit.eu, 1
+ejkathome.nl, 1
+ejkatwork.nl, 1
+ejkenergie.nl, 1
+ejkgemist.nl, 1
+ejkgroep.nl, 1
+ejkholding.nl, 1
+ejkhosting.nl, 1
+ejkinternet.nl, 1
+ejkitservices.nl, 1
+ejkmedia.nl, 1
+ejkmuseum.nl, 1
+ejknet.nl, 1
+ejknieuws.nl, 1
+ejkproducties.nl, 1
+ejkradio.nl, 1
+ejkrail.nl, 1
+ejkrailshop.nl, 1
+ejksport.nl, 1
+ejktelecom.nl, 1
+ejktv.nl, 1
+ejkuniversiteit.nl, 1
+ejkweb.nl, 1
+ejkwebdesign.nl, 1
+ejsc.co.jp, 1
+ek-networks.de, 0
+ekadry.info, 1
+ekalisch.de, 1
+ekamfoundationmumbai.org, 1
+ekamus.tk, 1
+ekatalendra.com, 1
+ekatavirghost.com, 1
+ekati.ru, 1
+ekawaiishop.com, 1
+ekb-avia.ru, 0
+ekcomp.com, 1
+ekcrags.ru, 1
+ekd.de, 1
+ekdoseis.gr, 1
+ekeblock.com, 1
+ekedc.com, 1
+ekedp.com, 1
+ekf.ee, 1
+ekfgroup.com, 1
+ekgh.dk, 1
+ekhabar.ml, 1
+ekho.tk, 1
+ekimaeseitai.com, 1
+ekimma.com, 1
+ekimturkgurme.com, 1
+ekinyalincak.com, 1
+ekiphost.com, 1
+eklepka.com, 1
+eklitzke.org, 1
+ekmanager.tk, 1
+eko69.pl, 1
+ekobudisantoso.net, 1
+ekocleaningllc.com, 1
+ekoclin.com, 1
+ekocyber.com, 1
+ekogroszekpieklo.pl, 1
+ekokpandm.tk, 1
+ekol-2001.tk, 1
+ekologie.tk, 1
+ekologija.tk, 1
+ekonbenefits.com, 1
+ekonomika.tk, 1
+ekonomipolitik.tk, 1
+ekonomival.se, 1
+ekonomska.tk, 1
+ekophone.bg, 1
+ekoport.ru, 1
+ekopromet.com, 1
+ekosaltis.lt, 1
+ekosf.ru, 1
+ekospajzka.cz, 1
+ekostecki.de, 1
+ekouniejow.pl, 1
+ekowibowo.com, 1
+ekozercy.pl, 1
+ekpj.jp, 1
+ekranoplan-lun.ru, 1
+ekranos.me, 1
+ekransystem.com, 1
+ekre.club, 1
+ekron.at, 1
+eks.news, 1
+eksibition.org, 1
+eksik.com, 0
+eksisozluk.com, 0
+eksperiments.lv, 1
+ekspert.tk, 1
+ekspertemerytalny.pl, 1
+eksploraz.com, 1
+ekspress.ee, 1
+ektefa.sa, 1
+ekvastra.in, 1
+ekwador.com, 1
+ekyu.moe, 1
+ekzcrosstour.ch, 1
+ekzotika.tk, 1
+el-cell.com, 1
+el-hossari.com, 1
+el-masri.bg, 1
+el-mass.com, 1
+el-mundo.tk, 1
+el-tatwer.tk, 1
+ela-n.de, 1
+elaax.de, 0
+elabib.com, 1
+elaboratefiction.com, 1
+elad.wtf, 1
+eladalfassa.com, 1
+eladerezo.com, 1
+eladgames.com, 1
+elahejalilvand.com, 1
+elaheze.com, 0
+elahuehuete.art, 1
+elainerock.com, 1
+elakiri.cf, 1
+elalmibar.com, 1
+elana.lt, 1
+elandador.com.mx, 0
+elanterna.ro, 1
+elanusparts.com, 1
+elaon.de, 0
+elar.tk, 1
+elarcoreu.com, 0
+elariannews.ml, 1
+elartedelaguerra.tk, 1
+elartedelapaz.org, 1
+elarvee.xyz, 1
+elasten.eu, 1
+elastiekschieten.tk, 1
+elatinoamericano.tk, 1
+elauricielo.tk, 1
+elaxy-online.de, 1
+elayog.bt, 1
+elazafran.com, 1
+elazighaber.tk, 1
+elb500ttl.nl, 1
+elba-elba.tk, 1
+elba-hotel.tk, 1
+elbaal.gov, 1
+elbersdometechniek.tk, 1
+elbetech.net, 1
+elbiaadmin.sk, 1
+elbiahosting.sk, 1
+elbir.tk, 1
+elbitsystems.com, 1
+elblogdezoe.es, 1
+elbrus360.ru, 1
+elbrutoconeloso.tk, 1
+elburnfire.gov, 1
+elbvision.de, 1
+elbwiese.de, 1
+elcactus.tk, 1
+elcajon.gov, 1
+elcambioavanza.co, 1
+elcanonjusto.tk, 1
+elcarajo.tk, 1
+elchamandelaprosperidad.org, 1
+elcheapoflags.com, 1
+elcient.com, 1
+elcigaro.bg, 1
+elcin.tk, 1
+elcirculo.mx, 1
+elcontadorsac.com, 1
+elcontenido.news, 1
+elcontrol.tk, 1
+elcosmos.tk, 1
+elcosteno.tk, 1
+elcozinante.com, 1
+elcuadernodefilosofia.tk, 1
+eldarom.ro, 1
+eldeneleokuldaneveoyun.com, 1
+eldercare.gov, 1
+eldercare.net.au, 1
+elderdevelopmentgroup.com, 1
+elderindex.org, 1
+elderjustice.gov, 1
+elderplan.org, 1
+elderreviews.gq, 1
+elderscrolls.tk, 1
+eldevo.com, 1
+eldhestar.is, 1
+eldiedesign.com, 1
+eldisagjapi.de, 1
+eldoradocylinders.com, 1
+eldoradoil.gov, 1
+eldoradotechnical.com, 1
+eldrid.ge, 1
+ele-sm.com, 1
+eleanorleightrio.com, 1
+elearningi.pl, 1
+elearningpilot.com, 1
+eleather.it, 1
+elecbuz.com, 0
+eleconomista.com.ar, 1
+electerious.com, 1
+electicofficial.com, 0
+electionpresidentiellegabon2009.ga, 1
+electionrunners.com, 1
+elections.ca, 1
+elections.nz, 1
+electionsbycounty.com, 1
+electionsdatabase.com, 1
+electionsshelbytn.gov, 1
+electmikewaters.com, 1
+electr0sheep.com, 1
+electra.co.nz, 1
+electragirl.com, 1
+electras.cf, 1
+electrastart.nz, 1
+electric-clippers.tk, 1
+electric-samara.tk, 1
+electric-vault.co.uk, 1
+electricagoura.com, 1
+electricagourahills.com, 1
+electrical-schools.com, 1
+electrical.cn, 1
+electricalagoura.com, 1
+electricalagourahills.com, 1
+electricalandelectronicsengineerinformation.ga, 1
+electricalcalabasas.com, 1
+electricalcamarillo.com, 1
+electricalconejovalley.com, 1
+electricaldosvientos.com, 1
+electricalengineers.tk, 1
+electricalhiddenhills.com, 1
+electricallakesherwood.com, 1
+electricalmalibu.com, 1
+electricalmoorpark.com, 1
+electricalnewburypark.com, 1
+electricaloakpark.com, 1
+electricalpacificpalisades.com, 1
+electricalsimivalley.com, 1
+electricalthousandoaks.com, 1
+electricalwestlakevillage.com, 1
+electricannihilation.tk, 1
+electricbeast.co, 1
+electriccalabasas.com, 1
+electriccamarillo.com, 1
+electriccitysf.com, 1
+electriccoin.co, 1
+electricconejovalley.com, 1
+electricdosvientos.com, 1
+electricdreams.xyz, 1
+electricfencingpinetown.co.za, 1
+electricfireplaces.tk, 1
+electricgatemotoralberton.co.za, 1
+electricgatemotorboksburg.co.za, 1
+electricgatemotorgermiston.co.za, 1
+electricgatemotorshillcrest.co.za, 1
+electricgatemotorsroodepoort.co.za, 1
+electricgypsies.nl, 1
+electrichiddenhills.com, 1
+electrichome.fr, 0
+electricianagoura.com, 1
+electricianagourahills.com, 1
+electriciancalabasas.com, 1
+electriciancamarillo.com, 1
+electricianconejovalley.com, 1
+electriciandosvientos.com, 1
+electricianforum.co.uk, 1
+electricianhiddenhills.com, 1
+electricianlakesherwood.com, 1
+electricianmalibu.com, 1
+electricianmoorpark.com, 1
+electriciannewburypark.com, 1
+electricianoakpark.com, 1
+electricianpacificpalisades.com, 1
+electricianpretoria24-7.co.za, 1
+electricians-roodepoort.co.za, 1
+electricianschooledu.org, 1
+electriciansimivalley.com, 1
+electricianthousandoaks.com, 1
+electricianwestlakevillage.com, 1
+electricienasnieres.fr, 1
+electricimagination.co.uk, 1
+electricity.tk, 1
+electricityplans.com, 1
+electriclakesherwood.com, 1
+electricmalibu.com, 1
+electricmoorpark.com, 1
+electricnewburypark.com, 1
+electrico.tk, 1
+electricoakpark.com, 1
+electricpower.tk, 1
+electricsimivalley.com, 1
+electricthousandoaks.com, 1
+electricwestlakevillage.com, 1
+electricwokstore.com, 1
+electriczone.tk, 1
+electrobraid.com, 1
+electrocity.ie, 0
+electrocomplect.com.ua, 1
+electrocuted.com, 1
+electrodomesticos.tk, 1
+electrodomesticosmiro.com, 1
+electroforum.tk, 1
+electrofreakz.tk, 1
+electrogenic.co.uk, 1
+electrohelp.ga, 1
+electrolandia.tk, 1
+electrolivefest.spb.ru, 1
+electromagnetichealth.org, 1
+electromagnetism.gq, 1
+electromec.biz, 1
+electromec.eu, 1
+electromec.info, 1
+electromec.net, 1
+electromec.org, 1
+electromenager.tk, 1
+electrominati.com, 1
+electromotor.tk, 1
+electronic-ignition-system.com, 1
+electronicafacil.net, 1
+electronicaripol.es, 1
+electronicfasteners.com, 0
+electronicssrit.tk, 1
+electronictucuman.com, 1
+electroniko.cf, 1
+electronis.ru, 1
+electronmag.tk, 1
+electronsweatshop.com, 1
+electroschematics.com, 1
+electrosoftcloud.com, 0
+electrostatics.com, 1
+electrostore.com.ec, 1
+electrotainment.com, 1
+electrotounes.tn, 1
+electroyclima.es, 1
+electrum.org, 1
+eled.io, 1
+elefanten-cup.de, 1
+elefsisport.gr, 0
+elegance-lingerie.com, 1
+elegance-sm.com, 1
+elegance96.tk, 1
+elegancecement.com, 1
+elegansia-piscine.fr, 1
+elegant-design.tk, 1
+elegant-techno.com, 1
+eleganta.ga, 1
+elegantanal.com, 1
+elegantbrows.com, 1
+elegantfamilyhotelsandresorts.com, 1
+elegantlatex.tk, 1
+elegantly-clean.co.uk, 1
+eleganza.ga, 1
+elegro.cz, 1
+eleicoes2018.com, 1
+elejordemarketingconsultancy.com, 1
+eleken.jp, 1
+elekner.tk, 1
+elektiriklidireksiyontamiri.com, 1
+elektiriktasarruf.tk, 1
+elektriker-notdienst-zentrale.de, 1
+elektrikumraniye.com, 1
+elektrikvesukesintileri.com, 1
+elektrilevi.com, 1
+elektrilevi.ee, 1
+elektrilevi.eu, 1
+elektro-adam.de, 1
+elektro-diehm.de, 1
+elektro-doerr.com, 1
+elektro-feichtner.at, 1
+elektro-hammes.net, 1
+elektro-hofmann-gmbh.de, 1
+elektro-hornetz.de, 1
+elektro-koehl.de, 1
+elektro-liebeskind.de, 1
+elektro-metz.de, 1
+elektro-pfeiffer.de, 1
+elektro-praha10.cz, 1
+elektro-reibsch.de, 1
+elektro-stock.de, 1
+elektro-wandelt.de, 1
+elektro-woerdehoff.de, 1
+elektrobusch.com, 1
+elektroclauberg.de, 1
+elektroclub.tk, 1
+elektroepilation-stuttgart.de, 1
+elektrofinke.de, 1
+elektroistrument.tk, 1
+elektrokarges.de, 1
+elektrolety.com, 1
+elektrolety.cz, 1
+elektromet.com.pl, 1
+elektromet.pl, 1
+elektrometz.de, 1
+elektromobil-zubehoer.de, 1
+elektromosev.cz, 1
+elektromotor.tk, 1
+elektron-elektrotechnik.de, 1
+elektronickakancelar.cz, 1
+elektroniksigarasehri1.com, 1
+elektronische-post.org, 1
+elektronix.tk, 1
+elektronomi.com, 1
+elektropartner.nu, 1
+elektropost.org, 1
+elektroprom.tk, 1
+elektrosety.com.ua, 1
+elektrotango.tk, 1
+elektrotechnik-heisel.de, 1
+elektrotechnik-kaetzel.de, 1
+elektrotechnik-schreck.de, 1
+elektrotechniker-beck.de, 1
+elektrownie-tanio.net, 1
+elektryczka.pl, 1
+elelenin.cf, 1
+elemanpersonelalimi.com, 1
+elemenik.com, 1
+elemenop.tk, 1
+element.hr, 1
+element.io, 1
+elemental.software, 1
+elementalengine.com, 1
+elementalengine.org, 1
+elementalengines.com, 1
+elementalengines.org, 1
+elementalrobotics.com, 1
+elementalsoftware.net, 1
+elementalsoftware.org, 1
+elementarewatson.it, 1
+elementarium.cf, 1
+elementarium.ga, 1
+elementarywave.com, 1
+elementblend.com, 1
+elementbookings.com, 1
+elementedigitale.ro, 1
+elementmea.com, 1
+elementorfa.ir, 1
+elements-space-time.com, 1
+elements.guide, 1
+elementshop.co.uk, 1
+elementsoftware.tk, 1
+elemistlarp.com, 1
+elena-paparizou.tk, 1
+elena-risteska.tk, 1
+elena-soset.cf, 1
+elena-soset.ga, 1
+elena-soset.ml, 1
+elena-soset.tk, 1
+elenagherta.ga, 1
+elenapulizieroma.it, 1
+elenaristeska.tk, 1
+elenaristeskaweb.tk, 1
+elenashilko.ga, 1
+elenaskincarespa.com, 1
+elenatranslations.nl, 0
+elenatroncone.tk, 1
+elenavoce.cf, 1
+elenayulkina.ru, 1
+elencantotecate.com, 1
+elencinar.tk, 1
+eleni.no, 1
+elenorsmadness.org, 1
+elenta.lt, 1
+eleonardo.tk, 1
+eleonora.gay, 1
+eleonoraanzini.tk, 1
+eleonoramazzola.com, 1
+eleonorapapallo.tk, 1
+eleonorengland.com, 1
+eleonrp.tk, 1
+elephant-orchestra.com, 1
+elephant-orchestra.cz, 1
+elephantartonline.com, 1
+elephantbasslab.tk, 1
+elephantia.cf, 1
+elephantorchestra.cz, 1
+elephants.net, 1
+elephants.tk, 1
+eleplant.fi, 1
+elepover.com, 1
+elesconditedelola.com, 1
+eletminosegert.ro, 1
+eletom.pl, 1
+eletor.com, 1
+eletor.pl, 1
+eletrati.com, 1
+eletromaxautopecas.com.br, 1
+eletroquipsp.com.br, 1
+eletrotel.com, 1
+elettrauto.roma.it, 1
+elettricista-roma.it, 1
+elettricista-roma.org, 1
+elettricista.roma.it, 1
+elettricisti.roma.it, 1
+elettrodomestici.roma.it, 1
+elettrolinkimpianti.it, 1
+elettronew.com, 1
+eleusis-zur-verschwiegenheit.de, 1
+elev8fashion.ca, 1
+elevacionesrama.com, 1
+elevanhairdressing.co.uk, 1
+elevatewebdesigns.com, 1
+elevationcreative.net, 1
+elevationplumbingandheating.com, 1
+elevationxstudios.com, 1
+elevator.ee, 1
+elevatoraptitudetest.com, 1
+elevaweb.cl, 1
+elevelo.eu, 1
+elevenbeta.tk, 1
+elevenensemble.tk, 1
+elevenpaths.com, 1
+eleventhhouraltar.com, 1
+eleventhhourwatch.com, 1
+elexel.ru, 1
+elexon.co.uk, 1
+elexprimidor.com, 1
+elfe.de, 1
+elfejoyeux.com, 1
+elfi.com, 1
+elfix.sk, 1
+elforat.tk, 1
+elforno.gr, 1
+elforo.tk, 1
+elfranco.tk, 1
+elfrancotirador.tk, 1
+elfring.eu, 1
+elfussports.com, 1
+elgancho.tk, 1
+elgargajo.tk, 1
+elgenero.com, 1
+elgin.ga, 1
+elgin.tk, 1
+elgintexas.gov, 1
+elgoog.im, 1
+elgraffo.tk, 1
+elgrecohotel.gr, 1
+elguillatun.cl, 1
+elgustdecreixer.cat, 1
+elgustodecrecer.es, 1
+elhall.pro, 0
+elhamadimi.com, 1
+elhim-iskra.com, 1
+elhombrepez.tk, 1
+elhorizontal.com, 1
+elhossari.com, 1
+elhuesero.com, 1
+eliamakingmemories.co.nz, 1
+eliamakingmemories.com, 1
+eliang.tk, 1
+elias-erdmann.tk, 1
+eliasfgabriel.com, 1
+eliasfox.com, 1
+eliasfranklinn.tk, 1
+eliasojala.me, 1
+eliasong.com, 0
+eliaswendt.com, 0
+eliaustvarjaspomine.si, 1
+eliav.tk, 1
+elibidore.ml, 1
+elicdn.com, 1
+elie.net, 0
+elielaloum.com, 1
+elifelabs.com, 1
+elifesciences.org, 1
+elifo.com.cn, 1
+eligasht.com, 1
+eligibilis.com, 1
+eligibility.com, 1
+eligibleapi.com, 1
+eligrey.com, 1
+eliis.eu, 1
+elijahbrown.tk, 1
+elijahgrey.com, 1
+elikers.ml, 1
+elimidrol.com, 1
+eliminations.tk, 1
+eliminercellulite.com, 1
+elimit.eu, 1
+elimitecreamforsale.ga, 1
+elimperiolatino.com, 1
+elina.pp.ua, 1
+elinaflower.com, 1
+eline168.com, 1
+elinevanhaaften.nl, 1
+elinformatico.tk, 1
+elink.io, 1
+elinks.tk, 1
+elinspector.tk, 1
+elinternadolagunanegra.tk, 1
+eliolita.com, 1
+eliotchs.org, 1
+eliott.cc, 1
+eliottlavier.com, 1
+elisa.ee, 1
+elisabeth-kostecki.de, 1
+elisabeth-raendel.de, 1
+elisabeth-strunz.de, 1
+elisabethbegle.at, 1
+elisabethborgermans.com, 1
+elisabethcasanova.ch, 1
+elisabethkostecki.de, 1
+elisabethrene.com, 1
+eliseadams.com.au, 1
+eliseshivamber.com, 1
+elisetriestocook.com, 1
+elisity.com, 1
+eliskamyskova.cz, 1
+elit-fitnes.tk, 1
+elit-host.tk, 1
+elit-logistic.ru, 1
+elit.ro, 1
+elitatasehirescort.com, 1
+elitav.be, 1
+elite-design.tk, 1
+elite-enc.tk, 1
+elite-forums.tk, 1
+elite-fuite.fr, 1
+elite-magazin.de, 1
+elite-nakhodka.tk, 1
+elite-porno.ru, 1
+elite-tools.tk, 1
+elite-units.tk, 1
+elite.memorial, 1
+elitebike.com.co, 1
+elitecleaningservices.com.cy, 1
+eliteco.tk, 1
+elitecontentmarketer.com, 1
+elitedns.info, 1
+elitedns.org, 1
+elitefintechglobal.com, 1
+elitegameservers.net, 1
+elitegaragedoors247.com, 1
+eliteholidaylights.com, 1
+elitehouse.tk, 1
+eliteimsolutions.com, 1
+elitelandscapedesigns.ca, 1
+elitemdsupply.com, 1
+elitemud.tk, 1
+elitenovice.tk, 1
+elitephysiotherapy.com.au, 1
+eliteprofit.fr, 1
+elitepsychiatryandwellness.com, 1
+elitepumps.net, 1
+eliterequestboard.tk, 1
+elitesim.ga, 1
+elitesquadmodz.tk, 1
+elitetopic.com, 1
+elitetoy.com.br, 1
+elitewealth.in, 1
+elitexcomputing.com, 1
+elitexxx.com, 1
+elithayat.com, 1
+elithus.se, 1
+elitrahealth.com, 1
+elitsa.gr, 1
+elivenet.com, 1
+elixi.re, 1
+elixir.bzh, 1
+elixirfactory.io, 1
+elizabethcitync.gov, 1
+elizabethgeren.com, 1
+elizabethgreenfield.com, 1
+elizabethhospeech.com, 1
+elizabethrominski.com, 1
+elizabethtaderera.me, 1
+elizabethtown-ny.gov, 1
+elizafranklin.com, 1
+elizaminami.com.br, 1
+eljay.cc, 1
+eljef.me, 1
+elk.moe, 1
+elka-piter.ga, 1
+elkampeuzo-musique.tk, 1
+elkarizan.com, 1
+elkgroveil.gov, 1
+elkhaus.de, 1
+elki-musik.ch, 1
+elkim.cz, 1
+elkmontal.gov, 1
+elkmotel.at, 1
+elkodaily.com, 1
+elkonsults.com, 1
+elkovplus.cz, 1
+elkvalley-nsn.gov, 1
+ell-net.tokyo, 1
+ella-kwikmed.com, 0
+ellanurse.co.il, 1
+ellas-haarshop.nl, 1
+ellasbubbles.com, 1
+ellatotal.com, 1
+elle-fanning.info, 1
+elle-weine.de, 1
+elle.se, 1
+elledecor.tk, 1
+ellegaard.dk, 1
+ellemental.me, 1
+ellencorddry.com, 1
+ellendalend.gov, 1
+ellenkesters.be, 1
+ellenpage.tk, 1
+ellensburgwa.gov, 1
+ellesoft-freeware.tk, 1
+ellevate.com, 1
+ellhofen-peccioli.de, 1
+elliboettcher.de, 1
+ellierider.com, 1
+elligre.tk, 1
+ellinaras.tk, 1
+ellingworth.co.uk, 1
+elliot.cat, 1
+elliotbrandwein.com, 1
+elliotlewisms.com, 1
+elliottbernstein.com, 1
+elliottgaming.ga, 1
+elliottinsuranceservices.com, 1
+elliottwoodworking.com, 1
+ellipsoid.cf, 1
+ellipticalmachine.tk, 1
+elliquiy.com, 1
+ellisamusements.co.uk, 1
+elliscoscanner.com, 1
+ellisleisure.co.uk, 1
+ellisvanlaarhoven.tk, 1
+elliteshop.vn, 1
+elliyoung.com, 1
+elloadingjr.ga, 1
+ellty.com, 1
+ellyscakes.com, 1
+elm-dental.com, 1
+elmaci.net, 1
+elmagdclean.com, 1
+elmahost.net, 1
+elmandria.com, 1
+elmarchive.ir, 1
+elmejorcortapelos.com, 1
+elmejordance.tk, 1
+elmenreich.tk, 1
+elmerboroughnj.gov, 1
+elmermx.ch, 1
+elmeson.tk, 1
+elmetodofuncional.com, 1
+elmion.cloud, 1
+elmolar.tk, 1
+elmolist.tk, 1
+elmoro.mx, 1
+elmresan.ir, 1
+elmundodeloso.tk, 1
+elmwoodmi.gov, 1
+elnan.do, 1
+elnegocioperfecto.tk, 1
+elnodiacademy.com, 1
+elo-forum.org, 1
+elo-rocket.com, 1
+elobservador.tk, 1
+eloca.ls, 1
+elocals.me, 1
+elodees.com, 1
+elodieclerc.ch, 1
+elodrias.de, 1
+elog.tokyo, 1
+eloge.se, 1
+elohellp.com, 0
+eloiseponnau.com, 1
+elok.eu.org, 1
+elon.gov, 1
+elona-wvw.de, 1
+elonaspitze.de, 1
+elonbase.com, 1
+elonma.gov, 1
+elontime.de, 1
+elorbe.com, 1
+elorrieta.eus, 1
+elosoavila.tk, 1
+elosrah.com, 0
+elovip.com.br, 1
+eloxt.com, 1
+elpac.info, 1
+elpactest.com, 1
+elpactest.eu, 1
+elpactest.info, 1
+elpactest.org, 1
+elpandemonio.tk, 1
+elpcnc.com, 1
+elpellejodelabreva.tk, 1
+elperdigon.tk, 1
+elphnt.io, 1
+elpincho.tk, 1
+elpitazo.net, 1
+elplugins.xyz, 1
+elpo.net, 1
+elposconflicto.org, 1
+elpreciosostud.com, 1
+elprincipevegeta.tk, 1
+elprofeshows.com, 1
+elpromaucae.tk, 1
+elpueblo.com.do, 1
+elquintoas.tk, 1
+elradiobuffet.tk, 1
+elradix.be, 1
+elradix.eu, 1
+elranchofeliz.org, 1
+elrebollar.tk, 1
+elrenook.gov, 1
+elreportero.tk, 1
+elri.blog, 1
+elrincondelasplacas.com, 1
+elrincondelotaku.tk, 1
+elrinconderovica.com, 1
+elron.ee, 0
+elrubio.tk, 1
+elsadonaire.tk, 1
+elsas.tk, 1
+elsbouslanostraaficio.tk, 1
+elsector7.tk, 1
+elsemanariodesalamanca.tk, 1
+elsenzhafen.de, 1
+elsg.co.uk, 1
+elshop1eu.com, 1
+elshou.com, 1
+elstravato.com, 1
+elsuccionador.com, 1
+elsvanderlugt.nl, 1
+elsvanmerhaeghe.be, 1
+elsweb.net, 1
+elsword.moe, 0
+elsylist.com, 1
+elta.com.ua, 1
+eltair.com, 1
+eltar.pl, 1
+eltconsultants.com.mx, 1
+eltec.es, 1
+eltern-verein.ch, 1
+elternbeiratswahl.online, 1
+elternverein-utzenstorf.ch, 1
+elternzimmer.de, 1
+eltip.click, 1
+eltjon.duckdns.org, 1
+eltlaw.com, 1
+elto.ch, 0
+eltohsurgery.com.sg, 1
+eltonpastilha.me, 1
+eltormo.tk, 1
+eltoroweakly.com, 1
+eltransportquevolem.org, 1
+eltrompomedia.com, 1
+eltron.com.ua, 1
+eltuito.tk, 1
+eluancm.net, 1
+elucron.com, 1
+eluhome.de, 1
+elusivetranslations.com, 1
+eluvade.com, 1
+eluvio.com, 1
+elvac.eu, 1
+elvalordelsaliments.cat, 1
+elvcino.com, 0
+elverdaderoamor.tk, 1
+elvikom.co.uk, 1
+elviraszabo.com, 1
+elvis-atouchofgold.com, 0
+elvis-presley.tk, 1
+elvismania.tk, 1
+elvispresley.net, 1
+elvisvrconnect.co.uk, 1
+elvonet.hr, 1
+elvorti.bg, 1
+elvorti.com, 1
+elvtr.com, 1
+elwave.org, 1
+elweronete.tk, 1
+elwix.com, 1
+elyazmusic.com, 1
+elycoin.io, 0
+elysiandigital.co, 1
+elysiria.fr, 1
+elysium-team.tk, 1
+elysium.coop, 1
+elysiumware.com, 1
+em-biotek.cz, 0
+em-racing.com, 1
+em-racing.de, 1
+em888.vip, 0
+emabot.tk, 1
+emacitylife.com, 1
+emad7.tk, 1
+emagazine.com, 1
+emaging-productions.fr, 1
+emaging.fr, 1
+email-pipeline.xyz, 1
+email-verifier.tk, 1
+email.repair, 0
+email24.cf, 1
+email4u.at, 1
+emailable.com, 1
+emailablev.com, 1
+emailalaperformance.fr, 1
+emailalias.nl, 1
+emailbusters.tk, 1
+emailconfiguration.com, 1
+emailexpress.ga, 1
+emailfreeshop.tk, 1
+emailgonderim.tk, 1
+emailhunter.co, 1
+emailing.alsace, 1
+emailing.ga, 1
+emaillagebaingenial.ca, 1
+emailmasker.nl, 1
+emailmeform.com, 1
+emailprivacytester.com, 1
+emailprocessorpro.gq, 1
+emailpursuits.com, 1
+emailroundup.com, 1
+emailservers.tk, 1
+emailspedia.com, 1
+emailtemporal.org, 0
+emakicms.com, 1
+emaks.tk, 1
+emalm.com, 1
+emamiltd.in, 1
+emanaclinic.com, 0
+emancipator.com, 1
+emanol.co.uk, 1
+emanuel.photography, 1
+emanuela-gabriela.co.uk, 0
+emanuelachiriaco.tk, 1
+emanuelduss.ch, 1
+emanuelemazzotta.com, 1
+emaps.tk, 1
+emaratalyoum.com, 1
+emarhotel.bg, 1
+emarketingmatters.com, 1
+emas-beja.pt, 1
+emater.com, 1
+emavending.club, 1
+emavok.eu, 1
+emaygroup.co, 1
+emazrin.tk, 1
+emazzanti.net, 1
+embarcados.com.br, 1
+embark.studio, 1
+embawood.az, 1
+embedded.com, 1
+embelgium.org, 1
+embelize.com, 1
+embellir-aroma.com, 1
+embellir-kyujin.com, 1
+embellishop.com, 1
+ember-is.gay, 1
+ember.co, 1
+emberit.com, 1
+emberlife.com, 1
+embien.co, 1
+embodiaacademy.com, 1
+embodiaapp.com, 1
+embodied.vision, 1
+embonus.dk, 1
+emboque.tk, 1
+embouts-et-bouchons.fr, 1
+embox.net, 1
+embracecontext.com, 1
+embracer.com, 1
+embracethedarkness.co.uk, 1
+embracezine.tk, 1
+embraco.com, 0
+embryologist.info, 1
+embryooptions.com, 1
+embuscadasintonia.com, 1
+emby.cloud, 1
+emby.live, 1
+emccglobal.org, 1
+emceemanic.tk, 1
+emcentrix-com-site-mvc.azurewebsites.net, 1
+emcloud.io, 1
+emcspotlight.com, 1
+emdad-persian.ir, 1
+emdadkhodrokaraj.ir, 1
+emdadulislam.tk, 1
+emdbonlinehelp.tk, 1
+emdep.com, 1
+emdesigns.tk, 1
+emdrupholm.dk, 1
+emdvcorasia.com, 1
+emdynint.io, 1
+emed.com, 0
+emeetattd.ddns.net, 1
+emeklifinans.com, 1
+emeliecrystal.net, 1
+emeliefalk.se, 1
+emeliemai.com, 1
+emelies-inspiration.tk, 1
+ememsei.com, 1
+emenaspa.com, 1
+emenshop.cf, 1
+emenshop.ga, 1
+emenshop.ml, 1
+emenshop.tk, 1
+emeralda.tk, 1
+emeraldcbdshop.com, 0
+emeraldcoastrideshare.com, 1
+emeraldcoasturgentcare.com, 1
+emeraldheights.tk, 1
+emeraldshield.com, 1
+emeres.tk, 1
+emergency-broadcast-system.tk, 1
+emergency-federal-register.gov, 1
+emergencycommand.us, 1
+emergencymanagementedu.org, 1
+emergencyportal.tk, 1
+emergenzaduepuntozero.it, 1
+emergingafricagroup.com, 0
+emergingindustryprofessionals.com, 1
+emeria.in, 1
+emero.de, 0
+emersoncanada.ca, 1
+emersonreview.tk, 1
+emersya.com, 1
+emex.ro, 1
+emffren.com.tr, 1
+emi.im, 1
+emielraaijmakers.nl, 1
+emigrantes.tk, 1
+emigratieplanner.com, 1
+emil-dein-baecker.com, 1
+emil-dein-baecker.de, 1
+emil-reimann.com, 1
+emil-reimann.de, 1
+emil.click, 0
+emil.one, 0
+emilecourriel.com, 1
+emileon.gr, 1
+emilianojeff.com, 1
+emilianomaccaferri.com, 1
+emiliaperkkola.fi, 1
+emiliaromagnaeconomy.it, 1
+emiliederavinspain.tk, 1
+emiliehouse.net, 1
+emiliendevos.be, 1
+emilieporte.fr, 1
+emilio.media, 1
+emilioadani.com, 1
+emiliopj.es, 1
+emiliops.com, 1
+emilong.com, 1
+emilreimann.de, 1
+emils-1910.de, 1
+emils-chemnitz.de, 1
+emils1910.de, 1
+emilsleker.no, 1
+emilstahl.com, 1
+emilstahl.de, 1
+emilstahl.dk, 1
+emilstahl.eu, 1
+emilstahl.se, 1
+emilvanderwal.tk, 1
+emilvarga.com, 1
+emily-website.tk, 1
+emily.moe, 1
+emilybellydance.com.au, 1
+emilymarques.ga, 1
+emilypennock.co.uk, 1
+emilypennock.com, 1
+emilysweet.com, 1
+emilywufaith.tk, 1
+emina-arapovic.tk, 1
+eminafans.tk, 1
+emindweb.com, 1
+eminem.kim, 1
+eminem50cent.com, 1
+eminencepools.com, 1
+emirates247.com, 1
+emiratesairline.co.uk, 1
+emirefek.net, 1
+emirichardson.com, 1
+emisia.com, 1
+emisoralavozdedios.tk, 1
+emissionsgroup.com, 1
+emissionssafe.org, 1
+emita.ee, 1
+emivauthey.com, 0
+emkan-furniture.com, 1
+emkanrecords.com, 0
+emkode.pl, 1
+emla.info, 1
+emlakforum.com.tr, 1
+emlcloud.com, 1
+emls.fr, 1
+emma-central.tk, 1
+emma-o.com, 1
+emma-secret.com, 1
+emma-und-felix-heiraten.de, 1
+emmababy420.com, 1
+emmadreams.net, 1
+emmagarland.com, 1
+emmajayne.tk, 1
+emmalegalnurse.com, 1
+emmaliddell.com, 0
+emmanuelle-et-julien.ch, 1
+emmanuelorocker.com, 1
+emmaowl.com, 1
+emmastarr.net, 1
+emmaste.edu.ee, 1
+emmastree.com, 1
+emmauspa.gov, 1
+emmawatsonking.tk, 1
+emmawatsononline.tk, 1
+emmdy.com, 0
+emmedicom.ml, 1
+emmedicom.tk, 1
+emmepole.tk, 1
+emmerdale.me.uk, 1
+emmetcountyia.gov, 1
+emmilein.com, 1
+emmiwelentain.com, 1
+emmynet.de, 1
+emo-poris.com, 1
+emo.ie, 1
+emocionado.com, 1
+emocionestlp.com, 1
+emocionypensamiento.com, 1
+emocje.com, 1
+emoforum.tk, 1
+emoji-meaning.org, 1
+emoji-symbols.org, 1
+emoji.web.tr, 1
+emoji.wf, 1
+emojikeyboard.top, 1
+emojiteka.pl, 1
+emojiterra.com, 1
+emolafarm.com, 1
+emolar.com, 1
+emond-usedcars.net, 0
+emoneycircle.com, 1
+emonovo.com, 1
+emonsarkar.tk, 1
+emopics.com, 1
+emotality.com, 1
+emote.bot, 1
+emotebank.com, 1
+emotebot.com, 1
+emotionalonlinestorytelling.com, 1
+emotionsanonymous.org, 1
+emotionsgroup.kz, 1
+emotive.productions, 1
+emoxie.com, 0
+empathhouse.com, 1
+empathogen.com, 1
+empathogens.com, 1
+empathy.ca, 1
+empathyband.tk, 1
+empatify.com, 1
+empatify.pl, 1
+empatos.cf, 1
+empeltd.com, 1
+emperola.com, 1
+emperor-penguin.com, 1
+emperor-penguins.com, 1
+emperoranimeindo.tk, 1
+emperors.net, 1
+empfrm.com, 1
+empherino.net, 1
+empietraining.com, 1
+empire-events.nl, 1
+empire-forum.tk, 1
+empire-group.co.nz, 1
+empire-univ.com, 1
+empire24.co, 1
+empireauto-2000.com, 1
+empiredenham.ga, 1
+empirehall.com.ua, 1
+empireking.us, 1
+empirelevel.eu, 1
+empireliverfoundation.org, 1
+empirestatejazzcafe.com, 1
+emplifi.io, 1
+emploi-collectivites.fr, 0
+emploi-international.net, 1
+emploi-saintefoytarentaise.fr, 1
+employeeexpress.gov, 1
+employeemanual.com.au, 1
+employer.gov, 1
+employer411.com, 1
+employeradmin.com, 1
+employersolutionsgroup.com, 1
+employersupport.co.uk, 1
+employflorida.com, 1
+employmax.co.za, 1
+employmaxcampus.co.za, 1
+employmaxetd.co.za, 1
+employment-applicant.com, 1
+employment-solutions.ca, 1
+employment.uk.com, 1
+employmentguide.com, 1
+employmenttracking.ga, 1
+emporiaks.gov, 1
+emporikonathenshotel.com, 1
+emporioarchitect.com, 1
+emporiodosperfumes.com.br, 1
+emporioguarani.com.br, 1
+emporiohortinatura.com.br, 1
+emporioonline.com.br, 1
+emporiopurochile.com.br, 1
+emporium-italy.com, 1
+emporiumbeverages.com, 1
+empoweraces.com, 1
+empowerdb.com, 1
+empowered-decision.com.au, 1
+empoweren.com, 1
+empoweringdifferences.com, 1
+empowernation.org, 1
+empowersimcoe.ca, 1
+empoweryou.ca, 1
+emprechtinger.com, 1
+empregosrj.com, 1
+empreinte.ca, 1
+emprendecausa.com, 1
+emprendeconchrisfx.com, 1
+emprendedoresdesevilla.es, 1
+emprendimientoweb.co, 1
+emprendimientoyformacion.com, 1
+empresa365.com, 1
+empresautil.tk, 1
+emprestimodedinheiro.com, 1
+emprestimosemcomprovar.com, 1
+emprunterlivre.ci, 1
+empsi-sup.com, 1
+emptiness.cf, 1
+empty.host, 1
+emptybox.org, 1
+emptypath.com, 1
+emptysmile.tk, 1
+empyreanrule.com, 1
+emq.io, 1
+emrah.io, 1
+emrawi.org, 1
+emreaydinfan.tk, 1
+emrecicekmuhendislik.com, 1
+emresaglam.com, 1
+emrgnc.co.uk, 1
+emrullahsahin.com, 1
+ems.gov, 1
+emsa-casm.ca, 0
+emsd.tw, 1
+emsdinghies.com, 1
+emse.fr, 1
+emsliespharmacy.com.au, 1
+emsnow.com, 1
+emsrealfood.nl, 0
+emta.ee, 0
+emtex.at, 1
+emtex.co.jp, 1
+emtofis.com, 1
+emtpigging.com, 1
+emtpigging.my, 1
+emtradingacademy.com, 1
+emtreview.com, 1
+emu.dk, 1
+emu.land, 1
+emulation-archive.org, 1
+emulationking.com, 1
+emulator.ml, 1
+emulator.wtf, 1
+emulatronic.tk, 1
+emulefans.com, 1
+emulovers.com, 1
+emulsifier.ga, 1
+emunet.net, 1
+emurom.net, 1
+emuser.tk, 1
+emusicuz.tk, 1
+emvoiceapp.com, 1
+emw3.com, 1
+emxvn.co.za, 1
+emyr.net, 1
+emyself.org, 1
+emystars.tk, 1
+emzi0767.com, 1
+emzy.de, 1
+en-crypt.me, 1
+en-maktoob.search.yahoo.com, 0
+en-pc.jp, 1
+en-wp.com, 1
+en-wp.org, 1
+en0.io, 1
+en4rab.co.uk, 1
+en4u.org, 1
+enaah.de, 1
+enable-javascript.com, 1
+enableyourlife.com, 1
+enabling.ga, 1
+enablingcommunities.com.au, 1
+enactor.co, 1
+enactusteesside.org, 1
+enago.com, 1
+enagramm.com, 1
+enalean.com, 1
+enam.gov.in, 1
+enamae.net, 1
+enamelpin.club, 1
+enaminestore.com, 1
+enamonada.com, 1
+enattendantpauline.ca, 1
+enaturelive.com, 1
+enbecom.net, 1
+enboarder.com, 1
+enbulleiugnen.com, 1
+enby.army, 1
+encd.life, 1
+ence.es, 1
+encelaya.com.mx, 0
+encenna.com.br, 1
+encfs.win, 1
+enchantedcode.co.uk, 1
+enchantedcottage.tk, 1
+enchong.com, 1
+encinitastrainer.com, 1
+encirca.com, 1
+encircleapp.com, 1
+encode.host, 1
+encodecloud.net, 1
+encontra-me.org, 1
+encontreumagp.com, 1
+encontro.online, 1
+encontroespiritadeinverno.com.br, 1
+encore.tech, 1
+encoreglobal.com, 1
+encoro.org, 1
+encorp.com.my, 1
+encotentin.fr, 1
+encountercss.com, 1
+encouragemarketing.com, 1
+encredible.de, 0
+encredible.org, 0
+encres-nelly.fr, 1
+encretplomb.ch, 0
+encryp.ch, 1
+encrypt.cf, 1
+encrypt.my.id, 1
+encrypted.at, 1
+encrypted.google.com, 1
+encryptedaudience.com, 1
+encryptedconnection.net, 1
+encryptionweb.tk, 1
+encryptmy.site, 1
+encryptmycard.com, 1
+encryptographs.com, 1
+encuentra-todo.tk, 1
+encuentra.tk, 1
+encuentraapoyo.gov, 1
+encuestaspagadas.com.mx, 1
+encuestaspagadas.org, 1
+encurta.ml, 1
+encycarpedia.com, 1
+end.tf, 1
+endangeredwatch.com, 1
+endavantstap9b.tk, 1
+endbegins.tk, 1
+endbox.email, 1
+endcottagevets.co.uk, 1
+ende-x.com, 1
+endeal.nl, 1
+endean.com, 1
+endeavourbiz.com, 1
+endee.de, 1
+endeksa.com, 1
+endener.com, 1
+ender.co.at, 1
+ender.fr, 1
+ender.moe, 1
+ender3.info, 1
+enderandrew.com, 1
+enderbycamping.com, 0
+enderdrachelp.ddns.net, 1
+enderhost.tk, 1
+enderle.cloud, 1
+enderman.eu, 1
+enderszone.com, 0
+endiana.cf, 1
+endiana.ga, 1
+endiana.gq, 1
+endiana.ml, 1
+endingthedocumentgame.gov, 1
+endless.pet, 1
+endlessdiy.ca, 1
+endlessfashion.tk, 1
+endlessgrind.com, 1
+endlesshorizons.info, 1
+endlessvideo.com, 1
+endlesswebsite.tk, 1
+endofevolution.com, 1
+endofinternet.goip.de, 1
+endoflife.date, 1
+endofodo.goip.de, 1
+endoftenancycleaninglondon.co.uk, 1
+endohaus.us, 1
+endometriu.ml, 1
+endondehay.com, 1
+endoscope.bg, 1
+endpipe.com, 1
+endplasticwaste.org, 1
+endpointclinical.com, 1
+endrinas.com, 1
+endrust.com.au, 1
+endspamwith.us, 1
+enduranceseries.ca, 1
+enduroxtrem.tk, 1
+endustriyelfirinlar.com, 1
+endviolence.gc.ca, 1
+enecivilela.com, 1
+enefit.com, 1
+enefitgreen.ee, 1
+enefitvolt.com, 1
+eneko.com, 1
+enekogarrido.com, 0
+enel.com, 1
+enelgreenpower.com, 1
+enemybase.tk, 1
+enemyofman.com, 1
+enemyterritory.tk, 1
+enercon.co.il, 1
+enercontechltd.com, 1
+energaia.de, 1
+energetic-root-medicine.net, 1
+energetic.cc, 1
+energetica.ga, 1
+energeticafemenina.com, 1
+energetikasmantojums.lv, 1
+energetikasmuzejs.lv, 1
+energialibre.tk, 1
+energianuclear.tk, 1
+energiatalgud.ee, 1
+energiaurbana.tk, 1
+energicertifikat.fi, 1
+energie-sante.ch, 0
+energiecentrale.gent, 1
+energieconsultonline.nl, 1
+energiekeurplus.nl, 1
+energielabelbinneneenweek.nl, 1
+energiemines.ma, 1
+energiewende.com.br, 1
+energikompetens.se, 1
+energizer.eu, 1
+energoproff.com, 1
+energoset-spb.ru, 1
+energozrouti.cz, 0
+energy-drink-magazin.de, 1
+energy-fm.tk, 1
+energy-healings.com, 1
+energy-in-balance.eu, 0
+energy-robotics.com, 1
+energy.eu, 1
+energyatlas.com, 1
+energyaupair.dk, 1
+energyaupair.nl, 1
+energyaupair.no, 1
+energyaupair.se, 1
+energybooster.ml, 1
+energybooster.tk, 1
+energycodes.gov, 1
+energycommunities.gov, 1
+energyconsultonline.nl, 1
+energycrewing.com, 1
+energydrinkblog.de, 1
+energyefficientservices.com, 1
+energyelephant.com, 1
+energyforum.tk, 1
+energygenie.com.au, 1
+energygroup.gq, 1
+energygroup.tk, 1
+energyguru.tk, 1
+energyhomeservice.ca, 1
+energyhybrid.ga, 1
+energylink.com, 1
+energylocal.com.au, 1
+energylocals.au, 1
+energylocals.com, 1
+energylocals.com.au, 1
+energylocals.org, 1
+energymedia.tk, 1
+energysaveroregon.com, 1
+energysite.tk, 1
+energystar.gov, 1
+energysystems.com, 1
+energytrust.tk, 1
+energyuse.net, 1
+energywisdom.tk, 1
+enerity.eu, 1
+enerity.io, 1
+enerot.com, 1
+eneroths.se, 1
+enerpac.com, 1
+enersaveapp.org, 1
+enerte.ru, 1
+enerypa.tk, 1
+enescrackmerkezi.tk, 1
+enet-navigator.de, 1
+enet.eu, 1
+enett.team, 1
+enewspapers.tk, 1
+enfant.tk, 1
+enfants-terribles.tk, 1
+enfantsdelarue.ch, 1
+enfasyperfumarias.com, 1
+enfermedaddelbeso.com, 1
+enfermeira.pt, 1
+enfieldheightsacademy.org.uk, 1
+enflow.nl, 1
+enforcement-trends-dev.azurewebsites.net, 1
+enforcement-trends-test.azurewebsites.net, 1
+enforcement-trends.azurewebsites.net, 1
+eng-erlangen.de, 1
+eng3corp.com, 1
+eng4arab.tk, 1
+engageapp.net, 1
+engagelogic.com, 1
+engagewarnerrobinsga.gov, 1
+engagewell.com, 1
+engagingmuscles.com, 1
+engagio.com, 1
+engalego.tk, 1
+enganchesevilla.es, 1
+engbers.com, 1
+engelandautohuur.nl, 1
+engeldasein.at, 1
+engeldasein.com, 1
+engelk.de, 1
+engelmann.com, 0
+engelorchester.de, 1
+engelsism.tk, 1
+engelundlicht.ch, 1
+engelzicht.com, 1
+engen.co.za, 0
+engg.ca, 1
+enggar.tk, 1
+enghero.com, 1
+engie-laadpalen.nl, 1
+engima.nl, 1
+engineer-kobe.ga, 1
+engineer-route.com, 1
+engineer.org.my, 1
+engineeringclicks.com, 1
+engineeringidea.ga, 1
+engineertaplin.co.uk, 1
+enginefirefighter.com, 1
+enginemoves.com, 1
+engineowning.com, 1
+enginepit.com, 1
+enginsight.com, 1
+enginx.net, 1
+enginytech.com, 1
+engione.com, 1
+engl-amps.com, 1
+engl-amps.net, 1
+engl-customshop.com, 1
+engl-customshop.de, 1
+engl-customshop.net, 1
+engl-distribution.com, 1
+engl-distribution.de, 1
+engl-distribution.net, 1
+engl-server.de, 1
+engl-systems.de, 1
+england-fixed-matches.com, 1
+englandairportcars.com, 1
+englandbeach.com, 1
+englandlearn.com, 1
+englandschool.tk, 1
+englesh.org, 1
+english-e-reader.net, 1
+english-to-russian-translation.tk, 1
+english-training.tk, 1
+english.events, 1
+englishbulgaria.net, 1
+englishcast.com.br, 1
+englishclassworksheets.com, 1
+englishclub.com, 1
+englishcompany-mobile.jp, 1
+englishcompany.jp, 1
+englishdirectory.de, 1
+englishfamilyzone.tk, 1
+englishit.io, 1
+englishll.com, 1
+englishlol.com, 1
+englishouse.tk, 1
+englishprovence.com, 1
+englishschoolforkids.com.ua, 1
+englishteacheredu.org, 1
+englishtofrench.eu, 1
+englishvit.com, 1
+engodnat.dk, 1
+engraffo.com, 1
+engrama.tk, 1
+engrepair.com, 1
+engrish.ml, 1
+engso-education.eu, 1
+engso.com, 1
+engso.eu, 1
+engsoyouth.eu, 1
+engsubjav.com, 1
+engution.biz, 0
+engvid.com, 1
+engweld.co.uk, 1
+engym.com.tw, 1
+engz.icu, 1
+enhanced-mail.tk, 1
+enhancemedia.co.uk, 1
+enia.com, 1
+enigheten.tk, 1
+enigma.swiss, 0
+enigmacpt.com, 0
+enigmamusic.tk, 1
+enigmatry-website-test.azurewebsites.net, 1
+enigmatry.com, 1
+enigmavault.io, 1
+enip2.ru, 1
+enitso.de, 1
+enity.tk, 1
+eniwa-eye.com, 1
+enixgaming.com, 0
+eniyicrmprogramlari.tk, 1
+enizioshop.com, 1
+enji-sendai.com, 1
+enjieding.com, 1
+enjin.io, 1
+enjin.zone, 1
+enjincoin.io, 1
+enjinwallet.io, 1
+enjoy-drive.com, 1
+enjoyangels.com, 1
+enjoybeer.dk, 1
+enjoytransferitalia.com, 1
+enka-works.com, 1
+enka-works.jp, 1
+enka-works.net, 1
+enkelanmalan.se, 1
+enkelpaamelding.no, 1
+enker.tk, 1
+enkolaysertifika.com, 1
+enkrypt.com, 1
+enky.be, 1
+enlacemedik.com, 1
+enlacesgranotas.tk, 1
+enlamochiladeadri.com, 1
+enlasnubes.tk, 1
+enlaztravel.com, 1
+enlightenspeech.com, 1
+enlightio.com, 1
+enlightsec.se, 1
+enlnf.link, 1
+enloestatebank.com, 1
+enlr.ru, 1
+enlyft.com, 0
+enmieux.be, 1
+enmowe.co.ke, 1
+enmowe.tech, 1
+ennd.com, 1
+enno.mom, 0
+ennori.jp, 1
+ennova.com, 0
+enoahinc.com, 1
+enodais.gr, 1
+enoenergy.com, 1
+enofmusic.com, 1
+enoisdaturma.tk, 1
+enolalingerie.com, 1
+enomada.net, 1
+enoou.com, 1
+enosiseurotrade.com, 1
+enosistrade.com, 1
+enot32.ru, 1
+enotar.ch, 1
+enoteca.do, 1
+enoteca.roma.it, 1
+enotecabortone.it, 1
+enotecastore.it, 1
+enotefile.com, 1
+enotovil.ru, 1
+enotrosmundos.tk, 1
+enpalmademallorca.info, 1
+enpasenerji.com.tr, 1
+enputu.tk, 1
+enquetebeteiligung.de, 1
+enquos.com, 1
+enrack.tk, 1
+enrega.com, 1
+enrich.email, 1
+enrichdata.ai, 1
+enriched.news, 1
+enrique-monroy.tk, 1
+enrique.wtf, 1
+enriqueamaro.com, 1
+enriqueferreira.com, 1
+enriquezdomenech.ninja, 1
+enroll2control.com, 1
+enrollapp.com, 1
+enroo-tech.com, 1
+enrouleur-bache.fr, 1
+enroutedeliveryservice.com, 1
+ensage.io, 1
+ensaladasvinagreta.com, 1
+ensap.gouv.fr, 1
+ensayistas.org, 1
+ensemble-conseils-et-services.fr, 1
+ensemble-rubato.de, 1
+enshin-karate.tk, 1
+ensightpharma.com, 1
+ensightsolutions.us, 1
+ensilencio.tk, 1
+ensingpodotherapie.nl, 1
+enskat.de, 1
+enslavedplantationclub.com, 1
+ensley.tech, 1
+ensma.fr, 1
+ensons.de, 1
+ensonyan.com, 1
+enstep.ru, 1
+enstroga.at, 1
+ensured.com, 1
+ensured.nl, 1
+ensurtec.com, 1
+ensy.cz, 1
+ent.cat, 1
+entabe.com, 1
+entabe.jp, 1
+entactogen.com, 1
+entactogens.com, 1
+entasyonline.com, 1
+entdeckertouren.com, 1
+enteente.com, 1
+entegrations.io, 1
+enter.co, 1
+enter.eco, 1
+enteratesoria.tk, 1
+enterclaim.com, 1
+enterdev.co, 1
+enterdown.com, 1
+enteronline.tk, 1
+enterprise-hr.com, 1
+enterprisenetworksecurity.net, 1
+enterpriseoregon.gov, 1
+enterpriset.cf, 1
+enterprisey.enterprises, 1
+entersoftsecurity.com, 1
+entersynapse.com, 1
+entertaiment-news.tk, 1
+entertainerzone.tk, 1
+entertainmentblog.tk, 1
+entertainmentmesh.com, 1
+entertainmentsrit.tk, 1
+enterthehollow.com, 1
+enteweb.tk, 1
+enthasso.gr, 1
+entheo-worldeyes.org, 1
+entheogens.com, 1
+entheorie.net, 1
+enthrallinggumption.com, 1
+enticingai.com, 1
+entityelevation.com, 1
+entityfiling.com, 1
+entomologia.it, 1
+entorangecounty.com, 1
+entouchgo.com, 1
+entpe.fr, 1
+entradacaminitorey.com, 1
+entradasrealmadrid.com, 1
+entrainchat.it, 1
+entrainr.com, 1
+entranceinfo.tk, 1
+entranz.nl, 1
+entreamigos.tk, 1
+entregarapida.cf, 1
+entremass.com, 1
+entrenossocialinfo.com, 1
+entreprenet.gq, 1
+entrepreneuretlibre.com, 1
+entrepreneurialopensource.org, 1
+entrepreneurnight.com, 1
+entreprise-innovante.fr, 1
+entreprises.gouv.fr, 1
+entreterse.com.br, 1
+entretien-roche.fr, 1
+entretien-vmc-professionnel.com, 1
+entretiendevmc.net, 1
+entretienvmc.com, 1
+entreutilidades.com.br, 1
+entrevistadesucesso.ga, 1
+entrezdansladanse.fr, 1
+entronica.co.th, 1
+entropy.su, 1
+entropyofdelicatewonders.com, 1
+entropytcg.com, 1
+entruempelung-berlin.de, 1
+entrup.io, 1
+entryboss.cc, 1
+entryscape.at, 1
+entryscape.ch, 1
+entryscape.com, 1
+entryscape.de, 1
+entryscape.net, 1
+entryscape.se, 1
+entserv.eu, 0
+entwickler.land, 1
+entwicklung.center, 1
+entzoneplan.com, 1
+enuchi.com, 1
+enuchi.jp, 1
+enumasecurity.com, 1
+enuygun.com, 1
+enuygunaucakbileti.com, 1
+envaldemoro.com, 1
+envant.co.uk, 1
+envelope.co.nz, 1
+envelopeartisans.com, 1
+envelopegroup.com, 1
+enveloppenopmaat.nl, 1
+enverid.com, 1
+envescent.com, 1
+envia.com.gt, 1
+enviam.de, 1
+enviarcurriculumvitae.com, 0
+enviartucurriculumvitae.com, 1
+enviatufoto.com, 0
+envide.no, 1
+enviesdeville.fr, 1
+enviodedinero.online, 1
+enviosnegocios.tk, 1
+envir.ee, 0
+envirhom.com, 1
+enviro-clear.co.uk, 1
+enviroli.ch, 1
+enviroli.co.nz, 1
+enviroli.co.uk, 1
+enviroli.cz, 1
+enviroli.dk, 1
+enviroli.eu, 1
+enviroli.li, 1
+enviroli.org.uk, 1
+enviroli.pl, 1
+enviroli.ro, 1
+enviroli.se, 1
+enviroli.uk, 1
+environcom.co.uk, 1
+environment.ai, 1
+environmental-colleges.com, 1
+environmentaljustice.gov, 1
+environmentalscience.org, 1
+envirotecstructures.com.au, 1
+envirotivity.com, 1
+envisionmedicalgroup.com, 0
+envisionsproperty.com, 1
+envisolarvind.tk, 1
+envistacu.com, 1
+enviyatar.tk, 1
+envoie.moi, 1
+envoyair.com, 1
+envoybrain.com, 1
+envoyez.moi, 1
+envoyglobal.com, 1
+envoypresents.com, 1
+envydesigns.tk, 1
+envygeeks.io, 1
+enweb.ml, 1
+enwikipedia.tk, 1
+enwillyado.tk, 1
+enwo.co, 1
+enwo.io, 1
+enxadahost.com, 1
+enzedonline.com, 1
+enzofardone.ga, 1
+enzosoares.com, 1
+enzyme-sensor.net, 1
+eo-literaturo.tk, 1
+eoa.live, 1
+eocka.com, 1
+eocservices.co.uk, 1
+eod.su, 1
+eohima.org, 0
+eol-team.tk, 1
+eola.co, 1
+eoliennedetoit.com, 1
+eomnneo.cz, 1
+eon.tech, 1
+eonclub.tk, 1
+eongame.tk, 1
+eonhive.com, 1
+eons.io, 1
+eonwavesstudio.com, 1
+eooe.me, 1
+eoonglobalresources.jp, 1
+eopac.net, 1
+eoperth.com.au, 1
+eos-croatia.com, 0
+eos-utvalget.no, 0
+eosagonline.ru, 1
+eoscryptocurrency.com, 1
+eosguru.ru, 1
+eosinofilos.com, 1
+eosol.de, 1
+eosol.net, 1
+eosol.services, 1
+eov2.com, 1
+ep-cortex.com, 1
+ep-plus.jp, 1
+epa.com.es, 1
+epagos.com.ar, 1
+epal.pt, 1
+epaoig.gov, 1
+epasar.my, 0
+epaslaugos.lt, 1
+epavape.eu, 1
+epave.paris, 1
+epawnatl.com, 1
+epay.bg, 1
+epaygateway.net, 1
+epcomputacion.com.ar, 1
+epcreation.nl, 1
+epcwd-ca.gov, 1
+epdemo.selfip.com, 1
+epdeveloperchallenge.com, 1
+epdiekirch.tk, 1
+epdigital.biz, 1
+ephemia.com, 1
+ephesusbreeze.com, 1
+epi.one, 0
+epic-semiconductors.com, 1
+epic-vistas.com, 1
+epic-vistas.de, 1
+epic.ca, 1
+epic.gl, 1
+epic.org, 1
+epica.tk, 1
+epicapos.cz, 1
+epicawesomemods.com, 1
+epicdesign1.tk, 1
+epicdesign2.tk, 1
+epicdowney.com, 1
+epicentar.mk, 1
+epicenter.ga, 1
+epicenter.work, 1
+epicentre-amsterdam.tk, 1
+epicentre.works, 1
+epicerie-raccourci.com, 1
+epiceriedici.ch, 1
+epicfail.be, 1
+epicforums.tk, 1
+epicginger.fi, 1
+epichouse.net, 0
+epicinflatables.co.uk, 1
+epiclawnpro.com, 1
+epiclegends.ml, 1
+epicmoney.tk, 1
+epicmusicradio.ml, 1
+epicpages.com, 1
+epicridesbahamas.com, 1
+epicsecure.de, 1
+epicserver.ru, 1
+epicsoft.de, 1
+epicteam.tk, 1
+epicteller.com, 0
+epicvideofactory.com, 1
+epicvistas.com, 1
+epicvistas.de, 1
+epidastudio.com, 1
+epidauros.be, 1
+epieos.com, 1
+epigrafes-led-farmakeia.gr, 1
+epikchat.com, 1
+epilis.gr, 1
+epinesdeparadis.com, 1
+epiphaniusmacar.com, 1
+epiphanyofourlordchurch.com, 1
+episails.com, 1
+episkevh-plaketas.gr, 1
+episode.tk, 1
+epistas.com, 1
+epistas.de, 1
+epistula.com, 1
+epitafija.ru, 1
+epitelial.com, 1
+epitesti.ro, 1
+epitesz.co, 1
+epiteugma.com, 1
+epizentrum.work, 1
+epizentrum.works, 1
+epl.ee, 1
+eplayer.cz, 1
+eplayer.sk, 1
+eplenet.tk, 1
+epliar.com, 1
+eplus.group, 1
+epluse.com, 1
+epm-bg.com, 1
+epmcentroitalia.it, 1
+epmonthly.com, 1
+epoch-film.ml, 1
+epochcg.pt, 1
+epolitiker.com, 1
+epos.az, 1
+eposbirmingham.co.uk, 1
+eposbrighton.co.uk, 1
+eposbristol.co.uk, 1
+eposcardiff.co.uk, 1
+eposig.net, 1
+eposkent.co.uk, 1
+eposleeds.co.uk, 1
+eposleicester.co.uk, 1
+eposliverpool.co.uk, 1
+eposlondon.co.uk, 1
+eposmidlands.co.uk, 1
+eposnottingham.co.uk, 1
+eposreading.co.uk, 1
+epossheffield.co.uk, 1
+epossussex.co.uk, 1
+eposswansea.co.uk, 1
+epost.pub, 1
+epost.tw, 1
+epostplus.li, 1
+eposyork.co.uk, 1
+eposzilos.nl, 1
+epoxyfloor.com.my, 1
+epoxyflooringperth.com.au, 1
+eppelblei.lu, 0
+eppelduerferjugend.lu, 0
+eppelpress.lu, 0
+eprdco.gov, 1
+epreskripce.cz, 1
+eprezto.com, 1
+eprimego.com, 1
+eprint-grimsby.co.uk, 1
+eprom.cf, 1
+eprosto.cf, 1
+eprzybornik.pl, 1
+epsamsg.com, 1
+epsi.io, 1
+epsilogix.com, 1
+epsilontel.com, 1
+epsmil.it, 1
+epsomnhpolice.gov, 1
+epson.ru, 1
+epsonstore.ae, 1
+epspolymer.com, 1
+eptirgotajs.lv, 1
+epublibre.org, 1
+epvd.tk, 1
+epyonsuniverse.net, 1
+eq-serve.com, 1
+eqassociates.com, 1
+eqbal.org, 1
+eqibank.com, 1
+eqlplayground.io, 1
+eqrx.net, 1
+eqs.com, 1
+equalifica.com.br, 1
+equalone.co.jp, 1
+equals.com.br, 1
+equalscollective.com, 1
+equans-kaelte.de, 1
+equasea.com, 0
+equate.net.au, 1
+equatetechnologies.com.au, 0
+equeim.ru, 0
+equestrianvaulting.co.uk, 1
+equi.ac, 1
+equiac.com, 1
+equicom.com, 1
+equidam.com, 1
+equifaxobjection.com, 1
+equilibratura.roma.it, 1
+equilibrium.med.br, 1
+equilibriumx.com, 0
+equine-dentistry-endoscope.com, 1
+equine-dentistry-scope.com, 1
+equinenow.com, 1
+equinetherapy.ca, 1
+equinox.io, 1
+equinoxe.de, 1
+equip.cz, 1
+equipamentosparapostos.com.br, 1
+equipandoloja.net.br, 1
+equipecarriere.ca, 1
+equipedefrance.tv, 0
+equipedefrente.tk, 1
+equipeferramentas.com.br, 1
+equipment-pool.tk, 1
+equipomorado.tk, 1
+equipoweb.info, 1
+equippers.de, 1
+equipsys.net, 1
+equisa-verpackung.com, 1
+equisecu.com, 1
+equitable-igwm.com, 1
+equitablehealthycities.org, 1
+equitazionepertutti.it, 1
+equity.today, 1
+equitybank.com, 1
+equityelevate.com, 1
+equityloupe.ru, 1
+equityyes.org, 1
+equivid.ga, 1
+equmeniakyrkanhallunda.se, 1
+equt.cloud, 1
+er-mgmt.com, 1
+er-music.com, 1
+er.pl, 1
+er.tl, 1
+era.fi, 1
+eradoom.net, 1
+erafat.com, 1
+eraiescrow.com, 1
+erandymoreira.cf, 1
+erandymoreira.ga, 1
+erandymoreira.gq, 1
+erandymoreira.ml, 1
+erapotensia.com, 1
+erasmo.info, 1
+erasmusantoine.tk, 1
+erasmusbari.tk, 1
+erasmusplusrooms.com, 1
+erasure.tk, 1
+erasyou.com, 1
+erate.fi, 1
+eraterm.com, 1
+eravurnet.tk, 1
+erb.org, 1
+erboristeria.milano.it, 1
+erboristeria.roma.it, 1
+erbt.tk, 1
+ercio.com, 1
+erciyesspor.tk, 1
+erclab.kr, 1
+erclaim.com, 1
+erctra.com, 1
+erda.gov, 1
+erdekesseg.com, 1
+erdethamburgeronsdag.no, 1
+ereader.uno, 1
+erebuildings.com, 1
+erechimimoveis.com.br, 1
+erectiepillenwinkel.nl, 1
+erector.cf, 1
+erector.tk, 1
+eredmenye.xyz, 1
+erefredag.se, 1
+eregma.tk, 1
+erektion1.gq, 1
+eremex.ru, 1
+erenvakfi.org, 1
+erethon.com, 1
+erfgoedeisden.tk, 1
+erfolgsmaschine.ch, 0
+ergaomnes.cz, 1
+ergaran.tk, 1
+ergobaby.com, 1
+ergobyte.eu, 1
+ergobyte.gr, 1
+ergodark.com, 1
+ergometrics.org, 1
+ergonomic-products.com, 0
+ergoseo.com, 1
+ergotopia.de, 1
+ergovita.com.br, 1
+erhvervsposten.dk, 1
+erhydro.com, 1
+eriandevan.com, 1
+eric-huber.de, 1
+eric-kolelas.tk, 1
+eric-masters.tk, 1
+eric.gg, 1
+eric1932.tk, 1
+ericabrahamsen.net, 1
+ericacastano.com, 1
+ericaftereric.top, 1
+ericairwin.com, 1
+ericccheng.com, 1
+ericdiao.com, 1
+ericdobson.com, 1
+ericfm.tk, 1
+ericfo.cf, 1
+ericfra.nz, 1
+erich-lessing-theater.tk, 1
+erichoekstra.com, 1
+erichoekstra.nl, 1
+erichorstmanshof.nl, 1
+erichuber.de, 1
+erichware.tk, 1
+ericisaweso.me, 0
+ericjohnltd.com, 1
+erick.blog, 1
+ericksonvasquez.com, 1
+ericksonvilleta.com, 1
+ericktello.tk, 1
+ericleuthardt.com, 1
+ericleuthardtphotography.club, 1
+ericloud.tk, 1
+erico-hm.com, 1
+ericoc.com, 1
+erics.email, 1
+erics.site, 1
+ericsaadeonline.tk, 1
+ericseankennedy.com, 1
+ericsilva.me, 1
+ericsilva.org, 1
+ericspeidel.de, 1
+ericvantijn.tk, 1
+ericwie.se, 0
+eridan.me, 1
+eridanus.uk, 1
+eridas.ml, 1
+erider.bg, 1
+eriecountyohioboe.gov, 1
+erigrid.eu, 1
+eriix.org, 1
+erik-stomp.de, 1
+erik.dedyn.io, 1
+erik1erik1.com, 1
+erikaepedro.ga, 1
+erikdslater.com, 1
+erikheemskerk.nl, 1
+erikhubers.nl, 1
+erikkruithof.nl, 1
+erikrji.me, 1
+eriksen.com, 1
+eriksen.im, 1
+erikserver2.tk, 1
+erikswan.com, 1
+erinaceinae.com, 1
+erinalinks.org, 1
+erinandken.net, 1
+erincarmody.cf, 1
+erindesu.cz, 1
+eriner.me, 1
+eringmaguire.com, 1
+erinias.net, 1
+erinmyers.us, 1
+eris-bj.com, 1
+erisa.uk, 1
+erisinfo.com, 1
+eristajanmutka.com, 1
+erisws.com, 1
+erisys.net, 1
+erito.com, 1
+eritonetwork.com, 1
+eritropoyetina.com, 1
+erium.fr, 1
+erkaelderbarenaaben.dk, 1
+erkeklersoruyor.com, 1
+erkemeij.com, 1
+erkenntniswen.de, 1
+erkiss.club, 1
+erkiss.live, 1
+erkiss12.com, 1
+erkkiaronen.fi, 1
+erlebe-salsa.de, 1
+erlebnisarchaeologie-bayern.de, 1
+erli.pl, 1
+ermak.tk, 1
+erman.ga, 1
+ermeglio.com, 1
+ermitano.cf, 1
+ernal.net, 1
+ernelit.com.br, 1
+ernest.ly, 1
+ernestchemists.com, 1
+ernotek.se, 1
+ernst-fuchs.tk, 1
+ero-like.online, 1
+ero-video.net, 1
+ero.ink, 0
+erodvd.com, 0
+erogen.org, 1
+erogen.su, 1
+eroimatome.com, 1
+erokat.ga, 1
+erol.se, 1
+erolib.ga, 1
+erolmobilya.com, 1
+eromanga.com, 1
+eromasajes.com, 1
+eron.info, 1
+eropics.to, 1
+erosbeautyandwellness.com, 1
+eroscomixitalia.tk, 1
+erosofia.tk, 1
+erosveneziani.cz, 1
+eroticjuggs.com, 1
+eroticmassagevegas.com, 1
+eroticom.hr, 1
+eroticspice.com, 1
+erotiksexgeschichten.net, 1
+erotikstahrtseite.cf, 1
+erotikstahrtseite.ga, 1
+erotikstahrtseite.gq, 1
+erotikstahrtseite.tk, 1
+erotismo.co, 1
+erozine.jp, 1
+erp-band.ru, 1
+erp-systems.ovh, 1
+erp.band, 1
+erpband.ru, 1
+erpcargo.com, 0
+erpcloud.systems, 1
+erpelstolz.at, 1
+erperium.com, 1
+erperium.nl, 1
+erpid.info, 1
+erpollo.com, 1
+erpsolutionsmart.com, 1
+erraen.org.ua, 1
+erreguete.gal, 1
+errekaweb.tk, 1
+errietta.me, 1
+errlytics.com, 1
+errolmarkland.com, 1
+errolstambler.com, 1
+erronort.com, 1
+error.fail, 1
+error.org, 1
+error418.nl, 1
+errror.org, 1
+ersa-shop.com, 1
+ersankaucuk.com, 1
+ersdfaredsaeem.tk, 1
+ersei.net, 1
+erseni.net, 1
+ershiwo.com, 1
+ersinbiltekin.tk, 1
+ersinerce.com, 0
+erspro.net, 1
+erste-hilfe-sbh.de, 1
+erste.guru, 1
+erstehilfeprodukte.at, 1
+erstiwiki.de, 1
+ert.ovh, 1
+ertekmakina.com.tr, 1
+ertel.xyz, 0
+erthisa.tk, 1
+ertvag.no, 1
+eru.cz, 1
+eru.im, 1
+erudicia.com, 1
+erudicia.de, 1
+erudicia.es, 1
+erudicia.fr, 1
+erudicia.it, 1
+erudicia.nl, 1
+erudicia.se, 1
+erudicia.uk, 1
+erudikum.cz, 1
+erudio-usluge.hr, 1
+erulezz.nl, 1
+eruzione.us, 1
+ervirmaison.tk, 1
+erwannlaflute.tk, 1
+erwerbslosenforum.de, 1
+erwin.saarland, 1
+erwinmi.gov, 1
+erwinonline.tk, 1
+erwinpaal.nl, 1
+erwinschmaeh.ch, 1
+erwinsite.tk, 1
+erwinwensveen.nl, 1
+erythromycinonline.gq, 1
+erythroxylum-coca.com, 1
+eryxmail.de, 1
+erzaehlwerkstatt-heilbronn.de, 1
+erzbistum-bamberg.de, 1
+es-geenen.de, 1
+es-ostan.tk, 1
+es-ramonage.fr, 1
+es-sharing.eu, 1
+es-sicherheit.ch, 1
+es-standart.com.ua, 1
+es-tools.at, 1
+es-tools.com, 1
+es-tools.de, 1
+es-vps.eu, 1
+es.ax, 1
+es.search.yahoo.com, 0
+es8888.net, 1
+es888999.com, 1
+esaborit.ddns.net, 0
+esadnext.cloud, 1
+esagente.com, 1
+esajokinen.net, 1
+esale.co, 1
+esalesclub.com, 1
+esame-di-professione-cinestetica.ch, 1
+esamsur.tk, 1
+esasafe.com, 1
+esasite.com, 1
+esatn.gov, 1
+esautotech.com.au, 1
+esb-platte.de, 1
+esb1314.net, 1
+esb1668.com, 1
+esb16888.com, 1
+esb369.com, 0
+esb518.com, 1
+esb556.com, 1
+esb5889.com, 1
+esb688.com, 1
+esb68888.com, 1
+esb777.me, 1
+esb777.us, 1
+esb888.net, 1
+esb8886.com, 1
+esb999.com, 1
+esb999.info, 1
+esb999.us, 1
+esba11.cc, 1
+esba11.com, 1
+esba11.in, 1
+esball.in, 0
+esball.online, 1
+esbuilders.co.nz, 0
+esc-romania.tk, 1
+esc-turkey.tk, 1
+esc18.net, 1
+esc3.net, 1
+esc9.net, 1
+escae.ml, 1
+escael.org, 1
+escalando.tk, 1
+escale-communication.bzh, 0
+escale33bienetre.fr, 1
+escalesensorielle.com, 1
+escambiacountyal.gov, 1
+escanabatownshipmi.gov, 1
+escancia.tk, 1
+escandell.cat, 1
+escaparate.tk, 1
+escape-house.be, 1
+escapeforyou.com, 1
+escapejunk.com, 1
+escapely.com, 1
+escapeplaza.de, 1
+escaperoomla.com, 1
+escaperoompsl.com, 1
+escapio.com, 1
+escarpe.com, 1
+escavador.com, 1
+escg.digital, 1
+escif.com, 1
+esclinux.tk, 1
+escmatrix.com, 1
+escobarservice7000.com, 1
+escobeira.pt, 1
+escoben.tk, 1
+escoffier.mu, 1
+escogitasrls.com, 1
+escoladejudo.com.br, 1
+escoladepilota.tk, 1
+escolamais.com.br, 1
+escolanacionaldejudo.com.br, 1
+escolatop.com.br, 1
+escolibri.com, 1
+escondido.gov, 1
+escondidoca.gov, 1
+escontact.ch, 0
+escordilla.tk, 1
+escort-fashion.com, 1
+escort.it, 1
+escortaccess.net, 1
+escortbee.com, 1
+escortcreampie.com, 1
+escortdelhi.net, 1
+escortdisplay.com, 1
+escortes.xyz, 1
+escortjessy.tk, 1
+escortlistings.ca, 1
+escortlistings.eu, 1
+escortlistings.fr, 1
+escortlistings.ph, 1
+escortlistingsuk.co.uk, 1
+escorts.works, 1
+escortslittleblackbook.com, 1
+escortz.gq, 1
+escoteiros.tk, 1
+escovator-records.tk, 1
+escritoresdelcomahue.tk, 1
+escritoriohs.com.br, 1
+escriva.org, 1
+escrocratie.tk, 1
+escrowalliance.com, 1
+escspain.tk, 1
+escuelabiblica.com, 1
+escuelacaninalatejera.es, 1
+escueladego.tk, 1
+escueladelsabor.com, 1
+escueladeministerioytecnologia.com, 1
+escuelagobierno.org, 1
+escuelakaesport.es, 1
+escuelaparapapas.tk, 1
+escuelasargento.tk, 1
+escuelitasansebastian.cl, 1
+escuelotika-online.tk, 1
+escursione.it, 1
+escyr.top, 0
+esdacademy.eu, 1
+esdarat.ml, 1
+esden.com, 1
+esdenera.com, 1
+esdiscuss.org, 1
+esdrasluna.com, 1
+esds.com.br, 1
+eseances.ch, 1
+esecuredata.com, 1
+esemtia.com, 1
+esenaskincare.com, 1
+eservices-greece.com, 1
+eset.ml, 1
+esexchange.ga, 1
+esferipol.pt, 1
+esfiledecrypter.com, 1
+esg-abi2001.de, 1
+esgen.org, 1
+esgforum.com.br, 1
+esginside.com.br, 1
+esgr.in, 1
+esgresearch.pro, 1
+esh.ink, 1
+esher.ac.uk, 1
+eshoeft.com, 1
+eshop-prices.com, 1
+eshop-ptz.ru, 1
+eshopriver.com, 1
+eshoprzd.ru, 1
+eshotsaatleri.com, 1
+eshtapay.com, 1
+esicia.rw, 1
+esideshop.com, 1
+esignandpay.net, 1
+esignering.se, 1
+esignprod.herokuapp.com, 1
+esigtorg.ru, 0
+esiliati.org, 1
+esilva.me, 1
+esite.ch, 1
+esj.org, 1
+eskapi.fr, 1
+eskdale.net, 1
+eskiceviri.cf, 1
+eskiegaming.com, 1
+eskimosboards.ga, 1
+eskimuzikatolyesi.org, 1
+eskisehirhaberleri.tk, 1
+esko.bar, 1
+eskriett.com, 0
+eskritt.ca, 1
+eskurye.com, 1
+eskypartners.com, 1
+eslamahmed.tk, 1
+eslbuzz.com, 1
+esleme.com, 1
+eslgrammar.org, 1
+eslightinghire.co.uk, 1
+eslint.org, 0
+eslove.jp, 1
+eslteacheredu.org, 1
+eslutt.cc, 1
+esm.run, 1
+esmalglass-itaca.com, 0
+esmart.ro, 1
+esmejor.tk, 1
+esmincg2t1.com, 1
+esmoker.bg, 1
+esmtp-mx.com, 1
+esmuefektivs.lv, 1
+esnekkaucuk.com, 1
+esnlpr.fi, 1
+eso-database.com, 1
+eso-skillfactory.com, 1
+eso3.eu.org, 1
+esoa.net, 1
+esocite.la, 1
+esoko.eu, 1
+esolcourses.com, 1
+esolitos.com, 1
+esomeprazole1.gq, 1
+eson.eu, 1
+esono.de, 1
+esopticallabs.com, 1
+esormestt.fr, 1
+esote.net, 1
+esoteric.website, 1
+esoterik.link, 1
+esoterikerforum.de, 1
+espace-caen.fr, 0
+espace-gestion.fr, 1
+espace-habitat-francais.fr, 1
+espace-orenda.ch, 0
+espace-vet.fr, 1
+espace.network, 1
+espacefragil.be, 1
+espacejabugo.com, 0
+espacepiscine51.fr, 1
+espaceroseauteinturiers.fr, 0
+espacetendance.fr, 1
+espacetheosophie.fr, 1
+espachavo.tk, 1
+espacioantiguo.com, 1
+espacioseideas.mx, 1
+espacioweb.tk, 1
+espacoalimentoesaude.com.br, 1
+espacoentreletras.com.br, 0
+espacosaudesuplementos.com.br, 1
+espaiblancandorra.ga, 1
+espaiblancandorra.gq, 1
+espaiblancandorra.ml, 1
+espaider.com.br, 1
+espairecer.pt, 1
+espanol.search.yahoo.com, 0
+espanyoldebarna.tk, 1
+espass.gq, 1
+espci.fr, 1
+especials.co.za, 1
+especificosba.com.ar, 1
+espectro.tk, 1
+espectrometria.com, 1
+espejo.tk, 1
+espejocofrade.tk, 1
+espeleogel.tk, 1
+espen.cz, 1
+espenandersen.no, 1
+espeo.eu, 1
+esperantio.tk, 1
+esperanto.co, 1
+espgg.org, 1
+espigol.org, 1
+espiragen.com, 1
+espiritismo.gay, 1
+espiritismo.lgbt, 1
+espiritismo.tk, 1
+espirituracer.com, 1
+espiv.net, 1
+espivblogs.net, 1
+esplendorecosmeticos.com.br, 1
+espocada.com, 1
+espoonkumi.fi, 0
+esport-agency.fr, 1
+esporters.it, 1
+esporters.today, 1
+esportsbattles.ga, 1
+espower.com.sg, 1
+espressonews.gr, 1
+espressoservicesplus.com.au, 1
+esprihealth.com, 1
+espub.org, 1
+esq, 1
+esquelario.tk, 1
+esquirebrotherhood.tk, 1
+esquirelaw.com, 1
+esquirelawfirm.com, 1
+esquirelawservices.com, 1
+esra.gq, 1
+esrarengizkasabahd.tk, 1
+esrhd.com, 1
+esrinfo.com, 1
+esrs.gov, 1
+ess-ecologica.cat, 1
+essaandmore.com.au, 1
+essay-writing-topics-fce.tk, 1
+essayads.com, 1
+essaybrand.com, 1
+essaychat.com, 1
+essaycoupons.com, 1
+essaydirectory.com, 0
+essayforsale.net, 1
+essayforum.com, 1
+essayhave.com, 1
+essayjob.com, 1
+essaykeeper.com, 1
+essaylib.com, 1
+essaymaker.gq, 1
+essaynews.com, 1
+essaypro.net, 1
+essayscam.org, 1
+essayservices.org, 1
+essayshark.com, 1
+essaytalk.com, 1
+essaywebsite.com, 1
+essecharlie.com, 1
+essenah.com, 1
+essencesdeprana.org, 1
+essencespresso.es, 0
+essenciasparis.com.br, 1
+essente.pl, 1
+essentialfoods.pt, 1
+essentialinteriors.ga, 1
+essentialliving.co.uk, 1
+essentialoils.co.za, 1
+essentialoils.nl, 1
+essentialsource.net, 1
+essentiapura.com, 1
+essentiate.com, 1
+essentiel-du-mariage.com, 1
+essentiel-physique.com, 1
+essentry.com, 1
+essentta.com, 1
+essenttamarketplace-essenttamarketplaceqa.azurewebsites.net, 1
+esseriumani.com, 1
+essex.cc, 1
+essexcountyvermont.gov, 1
+essexelectricaltraining.co.uk, 1
+essexgardenstudios.co.uk, 1
+essexhighways.org, 1
+essexmoneyman.com, 1
+essexregionalnj.gov, 1
+essextimbercraft.co.uk, 1
+essilorpse.com, 1
+essite.net, 1
+essjayericsson.com, 1
+esslm.sk, 1
+esslym.com, 1
+essnet.co.jp, 1
+essoduke.org, 1
+essplusmed.org, 1
+essr.org.uk, 1
+essteebee.ch, 0
+esswp.com, 1
+est-it.de, 1
+est8.ai, 1
+establo.pro, 1
+estacion3d.ar, 1
+estada.ch, 1
+estadoreclamos.com, 1
+estafallando.es, 1
+estafallando.mx, 1
+estahl.dk, 1
+estallidodigital.cl, 1
+estampascriativas.com.br, 1
+estampille-paris.fr, 1
+estanciasgauchas.com.br, 1
+estate360.co.tz, 1
+estatebud.com, 1
+estateczech-eu.ru, 1
+estateways.com, 1
+estcequemonordinateurestallume.fr, 1
+estcequemontelephoneestallume.fr, 1
+estcequonmetenprodaujourdhui.info, 1
+esteban-abadahs.tk, 1
+estebanborges.com, 1
+estebanoria.net, 1
+estedafah.com, 1
+esteladigital.com, 1
+estelarix.com, 1
+estellaequipment.com, 1
+estenio.com.mx, 1
+esteniomexico.com, 1
+esteria.eu, 0
+esteriliza-me.org, 1
+esterilizacion-perros.es, 1
+estespr.com, 0
+estet.tk, 1
+estetica-bilbao.com, 1
+estetica.host, 1
+esteticamicali.com.ar, 1
+esteticanorte.com.br, 1
+esteticaprofana.it, 1
+estetici.com, 1
+esteticka-chirurgie-nohy.cz, 1
+estetista.net, 1
+esthe-zukan.com, 1
+esthergoh.com, 1
+estherlew.is, 1
+esthesoleil.jp, 1
+estheticianedu.org, 1
+esthetiqueboissiere.fr, 1
+estila.co, 1
+estiloelevadores.com.br, 1
+estilopack-loja.com.br, 1
+estimateone.com, 1
+estintori.roma.it, 1
+estiv-ales.fr, 1
+estlat.eu, 0
+estoense.com, 1
+estomp.de, 1
+estonia.ee, 0
+estonia.net, 1
+estoniananonymous.tk, 1
+estoniantrade.ee, 1
+estonoentraenelexamen.com, 1
+estopero.tk, 1
+estopwatch.net, 1
+estradatech.org, 1
+estradiolbestellen.gq, 1
+estrasol.com.mx, 1
+estrategiasfm.net, 1
+estreetshuffle.com, 1
+estrella.tk, 1
+estrietoit.com, 0
+estrogenonline.gq, 1
+estrogens.gq, 1
+estruendo.tk, 1
+estuarystudent.tv, 1
+estudantetorcedor.com.br, 1
+estudiarparaser.com, 1
+estudiaryaprenderingles.com, 1
+estudiemosvirtualmente.com, 1
+estudio21pattern.com, 0
+estudioaany.com.br, 1
+estudiogarcia-rada.com, 1
+estudiomantis.tk, 1
+estudionale.com, 1
+estudios-biblicos.tk, 1
+estudiosalmogavares.tk, 1
+estudiosmart.com, 1
+estudosnacionais.com, 1
+esu.dog, 1
+esu.moe, 1
+esu.wiki, 1
+esu.zone, 1
+esunapena.tk, 1
+esunenin.tk, 1
+esuretynew.azurewebsites.net, 1
+esurveynordic.com, 1
+esv.se, 1
+esvaco.cf, 1
+esw.com, 1
+esy.nl, 1
+esyno.nl, 1
+esyoil.com, 1
+esys.ga, 1
+esystems.tk, 1
+eszkola.pl, 1
+et-inf.de, 1
+et.al, 1
+et420nrw.tk, 1
+etablissement.com, 1
+etaconic.com, 1
+etaes.eu, 1
+etajerka-spb.ru, 1
+etajerka.spb.ru, 1
+etaldelune.fr, 1
+etalent.net, 1
+etalentos.com.br, 1
+etalktome.com, 1
+etanol.tk, 1
+etarskaikozmetickaulja.rs, 1
+etath.com, 1
+etaxigraz.com, 1
+etccooperative.org, 0
+etch.co, 1
+etch44.com, 1
+etcivil.com, 1
+etctop.tk, 1
+etdcampus.com, 1
+etdp.co.za, 1
+etech-solution.com, 1
+etech-solution.net, 1
+etech-solutions.com, 1
+etech.com.my, 1
+etechsolution.net, 1
+eteradia.dynv6.net, 1
+eternal-chaos.tk, 1
+eternal-con.de, 1
+eternal-dementia.tk, 1
+eternal-warriors.de, 1
+eternalabyss.int.eu.org, 1
+eternalaugust.com, 1
+eternalflame.cn, 1
+eternalflame.info, 1
+eternalguild.tk, 1
+eternalmountains.tk, 1
+eternalparking.com, 1
+eternalparking.eu, 1
+eternalparking.net, 1
+eternalparking.org, 1
+eternalsymbols.com, 1
+eternegy.co, 1
+eternit.roma.it, 1
+eternitdesio.it, 1
+eternl.io, 1
+etestyonline.tk, 1
+etf.nu, 1
+etf2l.org, 1
+etfacta.com, 0
+etfcentral.com, 1
+etflife.com, 1
+eth-news.info, 1
+eth-services.de, 1
+eth0.nl, 0
+etha.nz, 1
+ethaligan.fr, 1
+ethan-hanlon.xyz, 1
+ethan.pm, 1
+ethanjones.me, 1
+ethanlew.is, 1
+ethanopp.com, 0
+ethanrjones.name, 1
+ethansailant.com, 1
+ethanyoo.com, 1
+ethelbrooks.es, 1
+ether.school, 1
+etherandir.com, 1
+etherapeut.de, 1
+ethercalc.net, 1
+etherderbies.com, 1
+etherdream.com, 1
+ethereal-skies.tk, 1
+ethereal.games, 1
+etherealcollapse.tk, 1
+ethereum-news.info, 1
+ethereumnews.best, 1
+ethereumnews.digital, 1
+ethereumnews.io, 1
+ethereumnews.live, 1
+ethereumnews.news, 1
+ethereumnews.site, 1
+ethereumnews.xyz, 1
+ethergeist.de, 1
+etheria-software.tk, 1
+etherium.design, 1
+ethermine.org, 1
+ethernium.fun, 1
+etheron.com, 1
+etherpad.nl, 1
+etherpoap.xyz, 1
+ethers.news, 1
+ethiack.com, 1
+ethical-home.co.uk, 1
+ethical.quest, 1
+ethicalconsumer.org, 1
+ethicaldata.co.uk, 1
+ethicalescorts.com, 1
+ethicallogistics.com, 1
+ethicalpolitics.org, 1
+ethicaltek.com, 0
+ethics.org, 1
+ethicsburg.gov, 1
+ethicsfirst.org, 1
+ethicsforhumans.org, 1
+ethika.com, 1
+ethil-faer.fr, 1
+ethioconsulate-la.org, 1
+ethiqueadvisory.com, 1
+ethitter.com, 1
+ethnews.today, 1
+ethniki-antistasi-dse.gr, 1
+ethnopsychoanalyse.tk, 1
+ethosinfo.com, 1
+ethotupala.tk, 1
+ethpool.org, 1
+eticket.cr, 1
+etienne.cc, 1
+etiennes.work, 1
+etigold.com, 1
+etiketten.tk, 1
+etikus-hacker.hu, 1
+etil.wtf, 1
+etil2jz.lol, 1
+etincelle.ml, 1
+etincelle.tk, 1
+etindustries.com, 1
+etiqa.tk, 1
+etisrl.net, 1
+etkarle.de, 1
+etlaq.com, 1
+etmtobik.eu, 1
+etnis.id, 1
+etnoforum.tk, 1
+etnoria.com, 1
+etoile-rc.jp, 1
+etoile-usedcars.com, 0
+etopa.de, 1
+etopedia.com, 1
+etoro-openbook.tk, 1
+etororeviews.com, 1
+etos.tk, 1
+etowahwaterga.gov, 1
+etrades.tk, 1
+etre-belle.tk, 1
+etre-vivant.fr, 0
+etrecosmeticderm.com, 1
+etresmant.es, 1
+etrolleybizstore.com, 1
+ets-etos.azurewebsites.net, 1
+ets-software.de, 1
+etsduova.dedyn.io, 1
+etselquemenges.cat, 1
+etsmarconi.be, 0
+etspuka.de, 1
+etsradio.org, 1
+etsu.edu, 1
+ettbattreinternet.se, 1
+etterforsker1.no, 1
+etterretningstjenesten.no, 1
+ettgottliv.com, 1
+ettip.com, 1
+ettlinger-tor.de, 1
+ettoday.org, 1
+ettoremirarchifilms.it, 1
+ettyproject.org, 1
+etudepresse.tk, 1
+etudes.ru, 1
+etudesbibliques.fr, 0
+etudesbibliques.net, 0
+etudesbibliques.org, 0
+etula.ga, 1
+etulasin.tk, 1
+etury.online, 1
+etutsplus.com, 1
+etv.cx, 1
+etyd.org, 1
+etyka.cz, 1
+eu-darlehen-finanzierung.de, 1
+eu-datenbank.de, 1
+eu-election.eu, 1
+eu-gamers.com, 1
+eu-prodaja.com, 1
+eu-secured.com, 1
+eu-stellenangebot.de, 1
+eu.ax, 1
+eu4ua.org, 1
+euaaaio.ru, 1
+euanbarrett.com, 1
+euassisti.com.br, 1
+euc.world, 1
+euchance.hu, 1
+euchre.us, 1
+eucimen.com, 0
+euclidian.com, 1
+euclidinnovations.com, 1
+eucollegetours.com, 1
+eucustody.com, 1
+eucybernet.eu, 0
+eudiakok.hu, 1
+eudore.org, 1
+eufair.com, 1
+euflight.info, 1
+eufraimidis.com, 1
+eugenegamelan.org, 1
+eugenekay.com, 0
+eugeneorourke.com, 1
+eugenesia.org, 1
+eugeneyeosurgery.sg, 1
+eugenics.org, 1
+eugeniocorso.com, 1
+eugenioperez.tk, 1
+eugostodefilmesbrasileiros.tk, 1
+eugster.se, 1
+eujobs.hu, 1
+eujobsgmbh.de, 1
+eujobshrgroup.com, 1
+eujobshrgroup.hu, 1
+eujuicers.bg, 1
+eujuicers.com, 1
+eujuicers.com.hr, 1
+eujuicers.com.tr, 1
+eujuicers.com.ua, 1
+eujuicers.cz, 1
+eujuicers.de, 1
+eujuicers.es, 1
+eujuicers.fr, 1
+eujuicers.hu, 1
+eujuicers.it, 1
+eujuicers.pl, 1
+eujuicers.pt, 1
+eujuicers.ro, 1
+eujuicers.rs, 1
+eujuicers.ru, 1
+eujuicers.si, 1
+eujuicers.sk, 1
+euklems.eu, 1
+eule82.de, 1
+eulen.com, 1
+eulenberg.com, 1
+eulenschmiede.de, 1
+euleres.tk, 1
+eulessplumbers.com, 1
+euman.ml, 1
+eumananc.ro, 1
+eumk6.ml, 1
+eung.ga, 1
+eunicetan.com, 1
+eunomy.io, 1
+eunow.com, 1
+eupay.de, 1
+euphoriaonline.tk, 1
+eupm.org, 1
+euporos.ch, 0
+euprapeace.org, 1
+eurasierwelpen.tk, 1
+eurazeo.com, 1
+eurban.life, 1
+eurbanos.tk, 1
+eurekaca.gov, 1
+eurekagames.tk, 1
+eurekanetwork.org, 1
+eurekatech.eti.br, 1
+eurekatownshipmi.gov, 1
+eurelectric.org, 1
+euren.se, 1
+eurmarketing.com, 1
+euro-cdm.org, 1
+euro-construction.co.uk, 1
+euro-issues.tk, 1
+euro-servers.de, 1
+euro.se, 1
+euroairport.com, 1
+euroalter.com, 1
+euroasia-tm.com, 1
+eurobattle.tk, 1
+eurobeaute.be, 1
+eurobilltracker.tk, 1
+eurocertificazione.it, 1
+eurocleanfrance.fr, 1
+eurococos.com.ua, 1
+eurocom.bg, 1
+eurocomcompany.cz, 1
+euroconti.com, 1
+eurocontrol.aero, 1
+eurocontrol.eu, 1
+eurocontrol.in, 1
+eurocontrol.lu, 1
+eurocontrol.me, 1
+eurocontrol.xxx, 1
+eurocure.com, 1
+eurodanceperu.tk, 1
+eurodentaire.com, 1
+eurodesk.eu, 1
+eurodontic.co.uk, 0
+euroecho.com, 1
+euroenergy.tk, 1
+euroestetica.ec, 1
+eurofinance.com, 1
+eurofire.tk, 1
+euroflora.com, 1
+euroflora.mobi, 1
+euroflorist.cf, 1
+euroflorist.ga, 1
+euroflorist.tk, 1
+eurofoods.gr, 1
+eurofoot.cf, 1
+eurofrank.eu, 1
+eurofunk.at, 1
+eurofunk.com, 1
+eurogarden-parts.de, 1
+eurogarden.be, 1
+eurogarden.com, 1
+eurogarden.nl, 1
+eurohell-design.com, 1
+eurohell-design.de, 1
+euroherp.com, 1
+eurohouse.tk, 1
+eurokid.com, 1
+eurokiss.com, 1
+eurolink.tk, 1
+eurolocarno.es, 1
+eurologix.com, 1
+euromalha.com.br, 1
+euroman.ga, 1
+euromas.com, 1
+euromexde.com, 1
+euromuseumcoins.com, 1
+euronic.fi, 1
+eurookna.tk, 1
+europa-passage.de, 1
+europabio.org, 1
+europack.kiev.ua, 1
+europainchemnitz.de, 1
+europapier.net, 1
+europarts-sd.com, 1
+europastudien-chemnitz.de, 1
+europastudien.de, 1
+europatour2005.tk, 1
+europatrans.com.tr, 1
+europavilion.com, 1
+european-accreditation.org, 1
+european-agency.org, 1
+european-alternatives.eu, 1
+european-hospital.ga, 1
+european-hospital.ml, 1
+european-hospital.tk, 1
+european-silk-road.eu, 1
+european-village.com, 1
+europeananomalouswave.tk, 1
+europeancuisine.tk, 1
+europeancupinline.eu, 1
+europeangaming.eu, 1
+europeanpolice.net, 1
+europeanpreppers.com, 1
+europeanstudies-chemnitz.de, 1
+europeantransportmanagement.com, 1
+europeluxuryweddings.com, 1
+europeonline.tk, 1
+europeontrack.org, 1
+europesearbeiders.be, 1
+europesrit.tk, 1
+europetraveler.tk, 1
+europetravelservice.co.uk, 1
+europop.com, 1
+europrise.ie, 0
+euroregister.com, 1
+euroroad17.dk, 1
+euroscot.de, 1
+euroshop.or.at, 1
+euroshop.tk, 1
+eurosight.com, 1
+euroskano.nl, 1
+euroskulpa.de, 1
+eurosnap.com, 1
+eurosos.com, 1
+eurospecautowerks.com, 1
+eurosquad.tk, 1
+eurostoc.ro, 1
+eurostrategy.vn.ua, 1
+eurosun.tk, 1
+euroswapper.tk, 1
+euroteam.tk, 1
+eurotechme.com, 1
+eurotechnology-group.com, 1
+eurotecvfs.com, 1
+eurotest.tk, 1
+eurotoerist.nl, 1
+eurotop.net.pl, 1
+eurotour.tk, 1
+eurotracs.com, 1
+eurotramp.com, 0
+eurousa.us, 1
+eurovision-romania.tk, 1
+eurovision.ie, 1
+eurowave.com, 1
+eurowijskids.nl, 0
+eurowish.com, 1
+eurozhartleys.com, 1
+eurseo.com, 1
+euruni.edu, 1
+eusalesman.hu, 1
+eusarse.tk, 1
+eusebiu.com, 1
+euskalstakepool.win, 1
+euskaltzaleak.tk, 1
+eusou.ml, 1
+eustaquio.tk, 1
+eustomamc.net, 1
+eusv.net, 1
+eusystemic.com, 1
+eutawal.gov, 1
+euterpiaradio.ch, 1
+eutotal.com, 1
+euvo.tk, 0
+euwid.de, 1
+euzissima.com.br, 1
+ev-zertifikate.de, 1
+eva-briegel-fanpage.tk, 1
+eva.cz, 1
+eva24h.tk, 1
+eva42.com, 1
+evaali.fi, 1
+evaalordiah.tk, 1
+evaberg.net, 1
+evacs.net, 1
+evacs.org, 1
+evacuumstore.com, 1
+evadi.ca, 1
+evafernandez.tk, 1
+evafojtova.cz, 1
+evaisanta-mariaalmudever.tk, 1
+evaisanta.tk, 1
+evaks.az, 1
+evakuator-kharkov.kh.ua, 1
+evakuator-tut.by, 1
+evakuator.ltd, 1
+evalar-apteka.ru, 1
+evalarapteka.ru, 1
+evalarmarket.ru, 1
+evalcom.co, 1
+evalcorp.com, 1
+evalesc.com, 1
+evalinux.com, 1
+evalopezzz.org, 1
+evaluasi.com, 1
+evaluation.gov, 1
+evalueit.eu, 1
+evaluer2.pl, 1
+evamachkova.cz, 0
+evamathil.de, 1
+evamlakar.si, 1
+evananderi.com, 1
+evanbaker.xyz, 1
+evanescenceisfallen.tk, 1
+evanescencenorge.tk, 1
+evanescenceturkey.tk, 1
+evanfiddes.com, 1
+evang.at, 1
+evangelicalmagazine.com, 1
+evangelicalplatform.com, 1
+evangelietuin.tk, 1
+evangelionmagi.tk, 1
+evangelise.asia, 1
+evangersdogfood.com, 1
+evanreev.es, 1
+evansfmm.org, 1
+evansfox.com, 1
+evanspoliceny.gov, 1
+evanstonnow.com, 0
+evansville-wy.gov, 1
+evansvillewi.gov, 1
+evantageglobal.com, 1
+evanwang0.com, 1
+evaolson.se, 1
+evar2.com, 1
+evaria-network.fr, 1
+evasioncreole.com, 1
+evasionteam.tk, 1
+evasovova.cz, 1
+evatantricmassagelondon.uk, 1
+evavolfova.cz, 1
+evbox.com, 1
+evdenevenakliyatankara.name.tr, 1
+evdenevenakliyatistanbul.gen.tr, 1
+evdeneyapilir.com, 1
+eve-online-com.ru, 1
+eve-ua.com, 1
+eve.tax, 1
+eve0s.com, 1
+eveandi.health, 1
+eveapk.com, 1
+eveaz.com, 1
+eveco-mebel.ga, 1
+evedanjailbreak.com, 1
+eveetcie.com, 1
+evehryday.com, 1
+eveil-et-savoirs.com, 1
+evelethpd.gov, 1
+evelienstormzangcoach.nl, 1
+evelienuitvaartverzorging.nl, 1
+evelienzorgt.nl, 1
+evelin.tk, 1
+evelyn.com, 1
+evenbijproaten.online, 1
+evendesign.com, 1
+evendesign.gq, 1
+evenementenpartner.nl, 1
+evenimenteromania.tk, 1
+eveningstar.tk, 1
+eveningtaxservices.com, 1
+evenstar-gaming.com, 1
+evenstargames.com, 1
+event-blick.de, 1
+event-fullyyours.com, 1
+event-register.jp, 1
+event-reisen.tk, 1
+event-trac.com, 1
+event-tyrlig.no, 1
+event1teamstore.com, 0
+event4fun.no, 1
+event64.ru, 1
+eventact.com, 0
+eventaro.com, 1
+eventblog2017.tk, 1
+eventcore.tk, 1
+eventdata.co.uk, 1
+eventdata.uk, 1
+eventdays.tk, 1
+eventex-rentals.com, 1
+eventfoto.com, 1
+eventfun.tk, 1
+eventide.space, 1
+eventive.org, 0
+eventlista.no, 1
+eventlocation2.de, 1
+eventmake.es, 1
+eventnexus.co.uk, 1
+eventosbgp.com, 1
+eventosdeluchalibre.tk, 1
+eventosenmendoza.com.ar, 1
+eventosformativos.tk, 1
+eventospremium.es, 0
+eventpark.cz, 1
+eventpay.jp, 1
+eventplanner.be, 1
+eventplanner.co.uk, 1
+eventplanner.de, 1
+eventplanner.es, 1
+eventplanner.fr, 1
+eventplanner.ie, 1
+eventplanner.lu, 1
+eventplanner.net, 1
+eventplanner.nl, 1
+eventprazdnik.ru, 1
+events.bt, 1
+events1.co.il, 1
+eventsbytma.com, 1
+eventseeker.com, 1
+eventservicestockholm.se, 1
+eventsforyou.fr, 1
+eventsframe.com, 1
+eventtech.com, 0
+eventticketscenter.com, 1
+eveonline.com, 1
+ever.sale, 0
+ever4cats.de, 1
+everaerts.eu, 1
+everain.me, 1
+everand.com, 1
+everberg.tk, 1
+evercheck.com, 1
+everdivemarine.com, 1
+everestbankltd.com, 1
+everettduiattorneys.com, 1
+everettsautorepair.com, 0
+everfine.com.tw, 1
+everfreecoloring.com, 1
+evergarden.cn, 1
+evergladesfarmequipment.com, 1
+everglow.co.jp, 1
+evergreenal.gov, 1
+evergreenilder.tk, 1
+evergreenlangladewi.gov, 1
+evergreentlc.com, 1
+evergreenweedshop.com, 1
+evergrowthdc.com, 1
+everhome.cloud, 1
+everhome.de, 1
+everichspice.com, 1
+everifile.com, 1
+everify.gov, 1
+everisland.com, 1
+everitoken.io, 1
+everling.lu, 1
+everlong.org, 1
+everly.market, 1
+evermade.fi, 1
+evermed.au, 1
+evermed.com.au, 1
+evernaut.com, 1
+everpcpc.com, 1
+everready.tk, 1
+everride.com, 1
+everseo.tk, 1
+eversightwealth.com, 1
+evertonarentwe.com, 1
+evertradeelectronics.com, 1
+evertz.com, 1
+evervitjuice.com, 1
+everwaking.com, 0
+everwinter.tk, 1
+every-day-life.com, 0
+everyarti.st, 1
+everycorneroftheworld.cf, 1
+everycorneroftheworld.de, 1
+everycorneroftheworld.ml, 1
+everycorneroftheworld.tk, 1
+everyday.eu.org, 1
+everydaycaitfitness.com, 1
+everydaydishes.com, 0
+everydaygary.com, 1
+everydaylifeinsurance.com, 1
+everydaypower.com, 1
+everydaypsychology.org, 1
+everydaytherich.com, 1
+everydaywot.com, 1
+everyex.com, 1
+everyeye.it, 1
+everyfad.com, 1
+everyhq.com, 1
+everykidoutdoors.gov, 1
+everymail.me, 1
+everymanandhisdogvineyard.com, 1
+everyoneadmins.tk, 1
+everyonefit.com, 1
+everysaving.ae, 1
+everysaving.ca, 1
+everysaving.co.uk, 1
+everysaving.com, 1
+everysaving.com.au, 1
+everysaving.ie, 1
+everysaving.sg, 1
+everystudent.bg, 1
+everystudent.com.tw, 1
+everysync.co.jp, 1
+everything-as-code.com, 1
+everything-everywhere.com, 1
+everything-mdaemon.com, 1
+everythingaccess.com, 1
+everythingcovid-19.com, 1
+everythingfree.tk, 1
+everythinginoneblog.gq, 1
+everythinglidia.com, 1
+everythinq.com, 1
+everytrycounts.gov, 1
+everyveterancountsohio.gov, 1
+eveshaiwu.com, 1
+eveshamglass.co.uk, 1
+eveswell.com, 1
+evetdermisin.com, 1
+evetech.net, 1
+evezqurbanli.tk, 1
+evga.com, 1
+evhoeft.com, 1
+eviction.cf, 1
+evidecor.com.br, 1
+evidencebased.net, 1
+evidencija.ba, 1
+evidenze.com, 1
+evies.tk, 1
+evil-empire.tk, 1
+evilbeasts.ru, 1
+evilbrood.tk, 1
+evilcodes.tk, 1
+evildarkness.tk, 1
+evilduck.tk, 1
+evilla.ru, 0
+evilmartians.com, 1
+evilmoisture.tk, 1
+evilnolo.tk, 1
+evilofsociety.tk, 1
+evilolive.tk, 1
+evilsay.com, 0
+evilscience.tk, 1
+evilsite.cf, 1
+eviltricks.tk, 1
+evilways.tk, 1
+evin.ml, 1
+evin.tk, 1
+evisa.us.com, 1
+evisky.com, 1
+evisos.cl, 1
+evisos.com, 1
+evisos.com.ar, 1
+evisos.com.mx, 1
+evisos.es, 1
+evitacion.com, 1
+eviz.co, 1
+evkitdigital.com.br, 1
+evl.one, 1
+evlilikilan.com, 1
+evlqa1sp1tzb05zo-reoo0vhj9a1t5pousfudnkg.com, 0
+evntage.com, 1
+evobox.store, 1
+evocate.com.au, 1
+evoco.vc, 1
+evodation.com, 1
+evodation.org, 1
+evoffer.com, 1
+evojska.tk, 1
+evoke.ie, 1
+evokeearlylearning.com.au, 1
+evolucioneducativa.com.ec, 1
+evolucionestudios.com.bo, 1
+evolucionradio.tk, 1
+evolusis.fr, 1
+evolutiespirituala.ro, 1
+evolution-gaming.tk, 1
+evolution-host.ga, 1
+evolution-x.org, 1
+evolutionbiote.com, 1
+evolutioninflatables.co.uk, 1
+evolutionosteopathy.co.uk, 1
+evolutive-records.tk, 1
+evoluxion.co, 1
+evoluzione.fr, 0
+evolve-mma.com, 1
+evolve-university.com, 1
+evolve-vacation.com, 1
+evolve.com, 0
+evolvedevlabs.de, 1
+evolvetechnologies.co.uk, 1
+evolvicity.org, 1
+evolvingseo.com, 1
+evolvingthoughts.net, 1
+evonet.co.za, 1
+evony.eu, 1
+evonys.com, 1
+evopack.net, 1
+evoplay.gq, 1
+evoqion.se, 1
+evosyn.com, 1
+evote-ch.ch, 1
+evotec.pl, 1
+evoting-test.ch, 1
+evoting.ch, 1
+evri.com, 1
+evrial.com, 1
+evromandie.ch, 1
+evronews.ga, 1
+evropaedu.ru, 1
+evscicats.com, 1
+evscstudentwifi.com, 1
+evsinemasistemleri.tk, 1
+evstatus.com, 1
+evtasima.name.tr, 1
+evthing.se, 0
+evtripping.com, 1
+evu-pe.tk, 1
+evulka.eu, 1
+evv.ee, 1
+evxp.it, 1
+evyn.eu, 1
+evz.ro, 1
+ewa-hayward.co.uk, 1
+ewacforum.tk, 1
+ewaf.club, 1
+ewaipiotr.pl, 1
+ewananga.ac.nz, 1
+ewanm89.co.uk, 1
+ewanm89.com, 1
+ewanm89.uk, 1
+ewansinclair.tk, 1
+ewanto.de, 1
+ewaroeng.com, 1
+ewatchers.org, 1
+ewddlacity.com, 1
+ewebcreative.com, 1
+ewelinagrochowina.pl, 1
+ewen-bara.com, 1
+ewesparky.com, 1
+ewgri.gov, 1
+ewhitehat.com, 1
+ewhowell.com, 1
+ewie.name, 1
+ewigetrauringe.de, 1
+ewighost.com, 1
+ewinstore.com, 1
+ewizja.info, 1
+ewizmo.com, 1
+ewon.biz, 0
+eworkflow.ca, 1
+eworksmedia.com, 0
+eworldmedia.ml, 1
+eworldmedia.tk, 1
+ewoutpool.tk, 1
+ewritingservice.com, 1
+ewsfeed.com, 1
+ewtl.es, 1
+ewuchuan.com, 1
+ewycena.pl, 1
+ex-deli.jp, 1
+ex-links.net, 1
+ex.co, 1
+ex2technology.com, 1
+ex78.com, 1
+exabike.com, 1
+exablue.de, 1
+exact-distribution.com, 1
+exact-online-apps-by-invantive.com, 1
+exact.realty, 1
+exactlibris.com, 1
+exactlyinfinite.com, 1
+exactphilosophy.net, 1
+exactrealty.co.uk, 1
+exactrealty.no, 1
+exactrealty.us, 1
+exactverify.com, 1
+exadime.net, 1
+exaduosport.fr, 1
+exagoni.com, 1
+exagoni.com.au, 1
+exagoni.com.my, 1
+exalthost.com, 1
+exam4.us, 1
+exambot.cf, 1
+exambot.ga, 1
+exambot.gq, 1
+exambot.tk, 1
+examedge.com, 1
+examesrush.com, 0
+examesrush.com.br, 0
+examhq.net, 1
+examika.ru, 1
+examity.com, 1
+examly.io, 1
+examone.com, 1
+exampaperarchive.com, 1
+example.li, 1
+exampleessays.com, 1
+examroll.fr, 1
+examroo.nl, 0
+examsite.tk, 1
+examsmate.in, 1
+examsoft.com, 1
+examsplanner.in, 1
+examticket.tk, 1
+exaplac.com, 1
+exarcheia.com, 1
+exarcheia.link, 1
+exarcheia.online, 1
+exarcheia.ru, 1
+exarius.org, 1
+exasapiens.com, 1
+exashop.tn, 1
+exatmiseis.net, 0
+exatom.io, 1
+excaliburmatrix.tk, 1
+excaliburtitle.com, 0
+excavation.ga, 1
+exceed-clan.tk, 1
+exceed.global, 1
+excel-mechanical.com, 1
+excelbroadcast.com, 1
+excelcenter.org, 1
+exceldatapro.com, 1
+exceldor.ca, 1
+exceldor.com, 1
+exceldorcooperative.ca, 1
+exceldorcooperative.com, 1
+excelenteawards.com, 1
+exceleron.in, 1
+excelgum.ca, 1
+excelindonesia.com, 1
+excelindonesia.id, 1
+excelkursdirekt.eu, 1
+excellarate.com, 1
+excellence-eventos.com, 1
+excellence-redefined.org, 1
+excellence.corsica, 1
+excellenceandcreativity.com, 1
+excellenceriviera.com, 1
+excellentrencontrer.tk, 1
+excellentsurferers.ga, 1
+excellentsurferest.ga, 1
+excellentweb.site, 1
+excelnutritional.com.br, 1
+excelsiorcomics.com.br, 0
+excelsis.rs, 1
+exceltechoman.com, 1
+exceltobarcode.com, 1
+excentos.com, 1
+exceptionalfirm.com, 1
+exceptionalservices.us, 1
+exceptionalstack.com, 1
+exceptionnotfound.net, 1
+excess-baggage.com, 1
+excessive-software.tk, 1
+exchangedobem.com, 1
+exchangemarketplace.com, 1
+exchanger.ml, 1
+exchanger.tk, 1
+exchangeratingest.ga, 1
+exchangesolutions.com, 1
+exchangetrading.tk, 1
+exchangeview.ga, 1
+exchangevisits.tk, 1
+exchaser.com, 1
+excimerlaser.com, 1
+excite.co.id, 1
+exciters.tk, 1
+excitingbulgaria.com, 0
+excitoninteractive.com, 1
+exclaimer.com, 1
+exclusivacademy.com, 1
+exclusive-okno.ru, 1
+exclusive-world.tk, 1
+exclusivedesignz.com, 1
+exclusivelyuk.co.uk, 1
+exclusivemilf.com, 1
+exclusiveresorts.com, 1
+excluzive.ml, 1
+excoins.biz, 1
+excontinuum.de, 1
+excursiones.tk, 1
+exdomo.com, 1
+exe-boss.tech, 1
+execbar.com, 1
+exechip.com, 1
+execom68.tk, 1
+execupharm.jp, 1
+execution.biz.tr, 1
+executivemarketing.co.za, 1
+executiveseatsers.ga, 1
+executivoshotel.com.br, 1
+exedo.nl, 1
+exeest.com, 1
+exegese.ch, 0
+exegol.co.uk, 1
+exehack.net, 1
+exeintel.com, 1
+exemplarypainting.com, 1
+exemples-de-stands.com, 1
+exentio.sexy, 1
+exentrify.com, 1
+exer.fr, 1
+exercisekingers.ga, 1
+exercisekingest.ga, 1
+exerforge.net, 1
+exerph.com, 1
+exerpm.tk, 1
+exescan.net, 1
+exesoft.ml, 1
+exeterfit.com, 1
+exeunt.tk, 1
+exexcarriers.com, 1
+exeypanteleev.com, 1
+exforo.tk, 1
+exfuga.com, 1
+exhalewell.com, 1
+exhibitionsupplies.net.au, 1
+exhumationindia.tk, 1
+exiahost.com, 1
+exiled.land, 1
+exiled.world, 1
+exiletattoo.net, 1
+exiletower.tk, 1
+eximbank.gov.tr, 1
+exip.ga, 1
+exipure.com, 1
+exira.com, 1
+exitooutdoor.com, 1
+exitoseguro.tk, 1
+exitreality.tk, 1
+exizent.com, 1
+exizent.tk, 1
+exline.pro, 1
+exmart.ng, 1
+exmoe.com, 1
+exo-chanyeol.tk, 1
+exodiac.ph, 1
+exodium.tk, 1
+exodus-net.pl, 1
+exodus.com, 1
+exodus.io, 1
+exogenous.ga, 1
+exomind.cf, 1
+exomind.gq, 1
+exon.io, 1
+exonip.de, 1
+exonovov.tk, 1
+exordiumconcepts.com, 1
+exosama.com, 1
+exoscale.ch, 1
+exoscale.com, 1
+exoten-spezialist.de, 1
+exotic-animals.tk, 1
+exotic-bengal-cattery.ml, 1
+exotic.report, 1
+exoticads.com, 1
+exotical.tk, 1
+exoticaz.to, 1
+exotictravel.tk, 1
+exousiakaidunamis.pw, 1
+exousiamg.com, 1
+exoweb.ca, 1
+exowellness.com, 1
+exp.gg, 1
+exp4all.com, 1
+expancio.com, 0
+expanda.org, 0
+expandabil.cf, 1
+expanddigital.media, 1
+expandor.cz, 1
+expansehost.de, 1
+expansion-lidl.es, 1
+expansive.info, 1
+expart.com, 1
+expatfinancial.com.hk, 1
+expatinpoland.com, 1
+expatmortgage.uk, 1
+expatriate.pl, 0
+expatwealthatwork.com, 1
+expe.voyage, 1
+expectful.com, 0
+expecting.com.br, 1
+expediteplus-asia.com, 1
+expediteplus.biz, 1
+expediteplus.ca, 1
+expediteplus.com, 1
+expediteplus.com.mx, 1
+expediteplus.info, 1
+expediteplus.mobi, 1
+expediteplus.mx, 1
+expediteplus.net, 1
+expediteplus.org, 1
+expediteplus.pro, 1
+expediteplus.us, 1
+expeditiegrensland.nl, 0
+expedition247.com.au, 1
+expelliarmus.tk, 1
+expensify.com, 1
+expensivejewelsest.ga, 1
+exper.gr, 1
+experiencealula.com, 1
+experienceoutdoors.org.uk, 1
+experienceoz.com.au, 1
+experiment-626.tk, 1
+experimentalguruji.cf, 1
+experimentaltheatreclub.tk, 1
+experimentator.cz, 1
+experimentoscongaseosa.tk, 1
+experimentrak.com, 1
+experiments.lv, 1
+experimentworld.io, 1
+experimetrix.com, 1
+experise.fr, 1
+experpento.tk, 1
+expert-batiment-rouen.fr, 1
+expert-comptable-vichy-moulins-allier.fr, 1
+expert-korovin.ru, 1
+expert-market.com, 1
+expert-voronezh.tk, 1
+expert.cz, 1
+expert96.cf, 1
+expertclub.tk, 1
+expertcomics.ca, 1
+experteasy.com.au, 1
+expertembeleza.com, 1
+expertembeleza.com.br, 1
+expertestate.org, 1
+experthive.co.za, 1
+expertmarketer.ro, 1
+expertmarktrg.com, 1
+expertofficefitouts.com.au, 1
+expertowears.com, 1
+expertpaintersvt.com, 1
+expertpanel.gc.ca, 1
+expertpensions.co.uk, 1
+expertplumbingandsolarservicesbathurst.com.au, 1
+experts-united.tk, 1
+expertvagabond.com, 1
+expertviolinteacher.com, 1
+expicare.com, 1
+expii.com, 1
+expireddomains.net, 1
+expis.tk, 1
+explane.org, 1
+explode.tk, 1
+explodie.org, 1
+exploit-db.com, 1
+exploit.cz, 0
+exploit.party, 1
+exploit.ph, 1
+exploited.cz, 1
+exploithe.net, 1
+exploitit.com.au, 1
+exploodo.rocks, 1
+explorance.com, 1
+exploraturuta.com, 1
+exploravacations.in, 1
+explore-being-human.org, 1
+explore-malaysia.ga, 1
+explore-visions.com, 1
+explore.beer, 1
+explorea1a.com, 1
+explorebigideas.com, 1
+explorecrack.com, 1
+exploreeurope.de, 1
+exploregulf.ga, 1
+exploreit.online, 1
+explorerdispatch.com, 1
+exploretock.com, 1
+exploretravellife.com, 1
+exploretsp.gov, 1
+exploring-memory.org, 1
+exploringmorocco.tours, 1
+exploristics.com, 1
+explorium.tk, 1
+explosion-cs.tk, 1
+explosionstereo.tk, 1
+expo58.tk, 1
+expoavanza.com, 1
+expobeds.com, 1
+expocom.online, 1
+expodat.com, 1
+expodom.hu, 1
+expodom.ro, 1
+expodom.sk, 1
+expodum.cz, 1
+expoesiavisual.tk, 1
+expoexports.tk, 1
+expomac.tk, 1
+exponential.fi, 1
+exponentialnews.net, 1
+exponentialsoft.cf, 1
+exponentialsoft.ga, 1
+exponentialsoft.gq, 1
+exponline.ga, 1
+exponline.tk, 1
+expoort.co.uk, 1
+expoort.com, 1
+expoort.com.br, 1
+expoort.es, 1
+expopodium.com, 1
+expoprime.tk, 1
+expopro24.ru, 1
+exporta.cz, 1
+exposedcasting.com, 1
+exposethetruth.tk, 1
+exposurecompensation.co.uk, 1
+exposurethrash.tk, 1
+expouniverse.tk, 1
+expoxl.nl, 1
+express-delivery.co.il, 1
+express-hosting.org, 1
+express-shina.ru, 1
+express-shop.tk, 1
+express-vpn.com, 1
+express1040.com, 1
+expressarte.tk, 1
+expressdebanat.ro, 1
+expressemotion.net, 1
+expressglobal.co.kr, 1
+expresshosting.org, 1
+expresshsp.com, 1
+expressinfo.cz, 1
+expressinfo.sk, 1
+expressionexpress.net, 1
+expressionfunerals.co.nz, 1
+expressivee.com, 1
+expressmarket.ru, 1
+expressodasilhas.cv, 1
+expresspak.co.nz, 1
+expressramps.com, 1
+expressstairliftssw.co.uk, 1
+expressstore.ga, 1
+expressvpn.com, 1
+expressvpn.net, 1
+expressvpn.works, 1
+expressvpn.xyz, 1
+expresvpn-private-analytics.net, 1
+exprimo.tk, 1
+expungement.law, 1
+expxkcd.com, 1
+exquisique.tk, 1
+exquisito.tk, 1
+exs.lv, 1
+exside.com, 1
+exstirpo.com, 1
+extact.com, 1
+extelicast.com, 1
+extendedteam.co, 1
+extendedteam.net, 1
+extendet.tk, 1
+extendgroup.com, 1
+extendresources.com, 0
+extendwings.com, 1
+extenselizzembalagens.com.br, 1
+extensia.it, 1
+extensibility.biz.tr, 1
+extensibleweb.org, 1
+extensiblewebmanifesto.org, 1
+extensiblewebsummit.org, 1
+extensionciglia.roma.it, 1
+extensions-chrome.ru, 1
+extensionschallenge.com, 1
+extensionworkshop.com, 1
+exteriorlightingagoura.com, 1
+exteriorlightingagourahills.com, 1
+exteriorlightingcalabasas.com, 1
+exteriorlightingcamarillo.com, 1
+exteriorlightingconejovalley.com, 1
+exteriorlightingdosvientos.com, 1
+exteriorlightinghiddenhills.com, 1
+exteriorlightinglakesherwood.com, 1
+exteriorlightingmoorpark.com, 1
+exteriorlightingnewburypark.com, 1
+exteriorlightingoakpark.com, 1
+exteriorlightingsimivalley.com, 1
+exteriorlightingthousandoaks.com, 1
+exteriorlightingwestlakevillage.com, 1
+exteriorroofwindowguttercleaning.com, 1
+exteriorservices.io, 1
+exterminateur-punaise-de-lit.fr, 1
+exterminateur-quebec.ca, 1
+exterminator.com.ua, 1
+external-share.com, 1
+externalapps.com, 1
+externalfb.com, 1
+externer-datenschutzbeauftragter-bochum.de, 0
+externeverslaggeving.nl, 1
+externevoorzitter.nl, 1
+extienso.com, 1
+extinctionrebellion.de, 1
+extirosli.ga, 1
+extmatrix.com, 0
+extra.ie, 1
+extrabits.pt, 0
+extrabusiness.tk, 1
+extract.me, 1
+extracting.tk, 1
+extradiely.sk, 1
+extradivers-worldwide.com, 1
+extraeasycash.com, 1
+extraefficiency.tk, 1
+extraefficient.tk, 1
+extrafrei.at, 1
+extrafuerdich.tk, 1
+extrainsiderest.ga, 1
+extraligamasters.cz, 1
+extraloud.tk, 1
+extrapagetab.com, 1
+extraspaces.co.uk, 1
+extratext.at, 1
+extratv.com, 1
+extraupdate.com, 1
+extreemhost.nl, 1
+extreme-addicts.tk, 1
+extreme-gaming.de, 1
+extreme-gaming.us, 1
+extreme.co.th, 1
+extremebaking.com, 1
+extremeforces.tk, 1
+extremelawsers.ga, 1
+extremelawsest.ga, 1
+extremeleadprogram.com, 1
+extremelycorporate.ca, 0
+extrememusclepump.com, 1
+extremepeptides.com, 1
+extremeprojects.tk, 1
+extremeservicesandrestoration.com, 1
+extremesports.tk, 1
+extremetreeandlandscape.com, 1
+extremetunedcars.tk, 1
+extremfrank.tk, 1
+extrolife.ml, 1
+extromail.de, 1
+extstore.com, 1
+extua.pw, 1
+exudestudios.tk, 1
+exum.tk, 1
+exusi.ai, 1
+exvisits.tk, 1
+exvs.org, 1
+exwaiti.com, 1
+exway.com, 1
+exxoncannabis.com, 1
+exxpozed-image.de, 1
+exxpozed.ch, 1
+exxpozed.co.uk, 1
+exxpozed.com, 1
+exxpozed.de, 1
+exxpozed.eu, 1
+exzibit.net, 1
+eyasc.nl, 1
+eye-move.nl, 1
+eye.do, 1
+eye.security, 1
+eyeandfire.com, 1
+eyebagdoctor.com.sg, 1
+eyeball.ml, 1
+eyebrowsmicroblading.co.uk, 1
+eyecandy.gr, 1
+eyecon.gr, 1
+eyedea.ga, 1
+eyedesignuniversity.com, 1
+eyeglasses.com, 0
+eyelash-mc.com, 1
+eyelash-navi.com, 1
+eyelash.tk, 1
+eyelashconcept.com, 1
+eyelashextensions.tk, 1
+eyelidsphoenix.com, 1
+eyemagic.net, 1
+eyemedica.de, 0
+eyeniyasam.com, 1
+eyenote.gov, 1
+eyeonid.com, 0
+eyep.me, 0
+eyeratereviews.com, 1
+eyes-berg.com, 0
+eyesandearsrescue.org, 1
+eyesaveopticalinc.com, 1
+eyescratch.tk, 1
+eyesee.fr, 1
+eyesfans.com, 1
+eyeshield-informatique.tech, 1
+eyesome.com, 1
+eyespecialistsofla.com, 1
+eyestrainexplained.com, 1
+eyesurgery.tk, 1
+eyetooth.ga, 1
+eyfari.com, 1
+eyktasarim.tk, 1
+eylea.us, 1
+eylog.co.uk, 1
+eylulsohbet.net, 1
+eynio.com, 1
+eyona.com, 1
+eyps.net, 1
+eytosh.net, 1
+eyy.co, 1
+eyyit.com, 0
+eyyubyilmaz.com, 1
+ezabalium.tk, 1
+ezakazivanje.rs, 1
+ezalba.com, 0
+ezcater.com, 1
+ezcater.io, 1
+ezcesspoollongisland.com, 1
+ezcourseonline.com, 1
+ezdog.press, 1
+ezec.com.tw, 1
+ezee-fix.co.uk, 1
+ezekia.com, 1
+ezercommerce.com, 1
+ezeviral.com, 1
+ezgif.com, 1
+ezhub.de, 1
+ezidox.com, 1
+ezifin.com, 1
+ezik-ido.tk, 1
+ezinezone.tk, 1
+ezinternet.com.au, 1
+ezitech.com, 1
+ezmob.com, 1
+ezmoddingz.tk, 1
+ezochat.com, 1
+ezorgportaal.nl, 1
+ezoterizm.info, 1
+ezpb.com, 1
+ezprints.com, 0
+ezpublish-france.fr, 1
+ezrent.tk, 1
+ezsavers.ga, 1
+ezsaversers.ga, 1
+ezsaversest.ga, 1
+ezscrapbooksest.ga, 1
+ezshopper.co.uk, 1
+ezsun.co, 1
+ezvolt.com.br, 1
+ezwebsearch.com, 1
+ezybook.co.nz, 1
+ezybook.net, 1
+ezyfitdoors.com.au, 1
+ezygentechnology.com, 1
+ezz-drops.tk, 1
+ezzarware.nl, 1
+ezzhole.net, 1
+f-401.com, 1
+f-centre.ru, 1
+f-csc.org, 1
+f-droid.org, 0
+f-hd.net, 1
+f-mebel-na-zakaz.ru, 1
+f-sulzmann.de, 1
+f-thie.de, 1
+f-u-c-k.wien, 1
+f00228.com, 1
+f00f.org, 1
+f0x.es, 1
+f1-onlineliga.com, 1
+f1318.net, 1
+f1bigpicture.com, 1
+f1classement.com, 0
+f1collection.com, 1
+f1distribution.com, 1
+f1ex.org, 1
+f1fever.co.uk, 1
+f1fever.net, 1
+f1grandprix.tk, 1
+f1ltr0.com, 1
+f1minute.com, 1
+f1nal-lap.be, 1
+f1nalboss.de, 1
+f1nn.space, 1
+f1pr.com, 1
+f1report.net, 1
+f1rstparking.co.uk, 1
+f1sh.de, 1
+f1simulator.tk, 1
+f1solutionslb.com, 1
+f1sport.tk, 1
+f1worldwide.tk, 1
+f2h.io, 1
+f2pool.com, 1
+f36533.com, 1
+f3m.pt, 1
+f3r.xyz, 1
+f42.net, 1
+f43.me, 1
+f45challenge.com, 1
+f45training.com, 1
+f4bkv.net, 1
+f4jsl.fr, 1
+f5.hk, 1
+f51365.com, 0
+f5197.co, 1
+f6729.co, 1
+f6729.com, 0
+f6957.co, 1
+f6queer.org, 1
+f82365.com, 1
+f88288.com, 1
+f8842.com, 1
+f88fine.com, 1
+f88good.com, 1
+f88ll.com, 1
+f88qin.com, 1
+f88vip1.com, 1
+f88vip101.com, 1
+f88vip102.cc, 1
+f88vip107.com, 1
+f88vip108.com, 1
+f88vip29.com, 1
+f88vip8.com, 1
+f88vip804.com, 1
+f88vip851.com, 1
+f88vip878.com, 1
+f88vip895.com, 1
+f88yule111.com, 1
+f88yule122.com, 1
+f88yule7.com, 1
+f88yule9.com, 1
+f8906.com, 1
+f8908.com, 1
+f8921.com, 1
+f899365.com, 0
+f8cp1.com, 0
+f8cp2.com, 0
+f8cp3.com, 0
+f8cp5.com, 0
+f8cp6.com, 0
+f8cp7.com, 0
+f8cp8.com, 0
+f8s.co, 1
+f9297.co, 1
+f9728.co, 1
+f9852.com, 0
+f9883.com, 0
+f9884.com, 1
+f9885.com, 0
+fa-fa.tk, 1
+faac-sloupy.cz, 1
+faac-zavory.cz, 1
+faaog.com, 1
+faapart107certifiedpilot.com, 1
+faaq.ru, 1
+faasviddy.nl, 1
+faavem.org, 1
+faazadvocatenkantoor.nl, 1
+faazmusic.com, 1
+fabao.in, 1
+fabarm.fr, 1
+fabbro-roma.org, 1
+fabbro.roma.it, 1
+fabconvert.com, 1
+fabelturen.tk, 1
+faber.org.ru, 0
+faberoclub.tk, 1
+fabfrenchinsurance.com, 1
+fabian-fingerle.de, 1
+fabian-ising.de, 1
+fabian-klose.com, 1
+fabian-klose.de, 1
+fabian-klose.net, 1
+fabian-kluge.de, 1
+fabian-praschl.de, 1
+fabian-zoske.de, 1
+fabian.gq, 1
+fabianackle.ch, 1
+fabianbeiner.com, 0
+fabianbeiner.de, 0
+fabianegli.ch, 1
+fabianfranke.de, 1
+fabiankoeppen.com, 1
+fabianni.tk, 1
+fabickcat.com, 1
+fabien-eigenmann.ch, 1
+fabien-hebuterne.fr, 0
+fabienbaker.com, 1
+fabienne-roux.org, 1
+fabil.id, 1
+fabilnatural.co.id, 1
+fabilpages.com, 1
+fabim.de, 1
+fabio.gg, 1
+fabiobier.com, 1
+fabiokrug.de, 1
+fabiolamolinastore.com, 1
+fabiooliveirapr.com.br, 1
+fabiopaiva.pt, 1
+fabledsolutions.com, 1
+fableforge.nl, 1
+fableheartmedia.com, 1
+fabpilot.com, 1
+fabricademonstros.com.br, 1
+fabricadesolados.com.br, 1
+fabricalaser.com.br, 1
+fabricandoclientes.com.br, 1
+fabriceleroux.com, 0
+fabricemannuelphotography.fr, 1
+fabricio.adv.br, 1
+fabricio.eti.br, 1
+fabriciokleinadvocacia.com.br, 1
+fabriciomoreira.ga, 1
+fabrik.de, 1
+fabrika-himchistki.ru, 1
+fabrika-jaluzi.ru, 1
+fabrikafilmes.com.br, 1
+fabriknet.de, 1
+fabrilec.tk, 1
+fabrinet.co.th, 1
+fabriziofaniello.tk, 1
+fabriziorocca.it, 1
+fabriziorocca.tk, 1
+fabrykazabawy1.pl, 1
+fabse.net, 1
+fabseal.de, 1
+fabslabour.uk, 1
+fabtechexpo.com, 1
+fabulosa.com.br, 0
+fabulous.com, 1
+fabulouseventsmiami.com, 1
+fabulousfarmgirl.com, 1
+fabulouslyyouthfulskin.com, 1
+fabulouslyyouthfulskineyeserum.com, 1
+fabuye.cf, 1
+fabuye.ga, 1
+fabuye.gq, 1
+fabuye.ml, 1
+fabuye.tk, 1
+fac.fi, 1
+fac.gov, 1
+faca.gov, 1
+facaca.com, 1
+facadatabase.gov, 1
+facan-godollo.hu, 1
+facanabota.com, 1
+facanabota.com.br, 1
+facarospauls.com, 1
+facchinaggio.it, 1
+facchinaggio.milano.it, 1
+facchinaggio.roma.it, 1
+facchinetti.cloud, 1
+facchino.it, 1
+face-art.tk, 1
+face-fashion.de, 1
+face.yoga, 1
+face2faith-vechta.de, 1
+facealacrise.fr, 0
+facebeautyhq.com, 1
+facebook-atom.appspot.com, 1
+facebook-program.com, 1
+facebook.ax, 1
+facebook.com, 0
+facebookcareers.com, 1
+facebookenterprise.com, 1
+facebookmail.com, 1
+facebookrecruiting.com, 1
+faceboom.tk, 1
+facebylouise.co.uk, 1
+facedaily.tk, 1
+facedeplook.tk, 1
+faceegypt.tk, 1
+faceitsalon.com, 1
+facekhande.tk, 1
+facelimousin.fr, 1
+facemaze.io, 1
+facenews.ml, 1
+facepainting.gr, 1
+facepalmsecurity.com, 1
+faces4watch.com, 1
+facescertification.com, 1
+facesdr.com, 1
+faceside.com, 1
+facesnf.com, 1
+facevietpro.tk, 1
+facevitalityers.ga, 1
+fach-journalist.de, 1
+fachcar.ma, 1
+fachfusspflege-exner.de, 1
+fachim.tk, 1
+fachinformatiker.com, 1
+fachiri.tk, 1
+fachschaften.org, 0
+fachschaftslisten.at, 1
+fachschaftslisten.org, 1
+fachversand-hennes.de, 1
+facialcare.tk, 1
+facialexercising.com, 1
+facialparalysisnetwork.ga, 1
+facialplasticsurgeryofaustin.com, 1
+facil.services, 0
+facilecommebonjour.com, 1
+facilit-info.fr, 1
+facilitate.tech, 1
+facilities.fr, 1
+facilitiessurvey.org, 1
+facilitrak.com, 1
+facilitron.com, 1
+facility-service-muenchen.de, 1
+fackovcova.cz, 1
+fackovcova.eu, 1
+fackovcova.fun, 1
+fackovcova.online, 1
+fackovcova.sk, 1
+fackovec.cz, 1
+fackovec.eu, 1
+fackovec.fun, 1
+fackovec.online, 1
+fackovec.sk, 1
+facorne.com, 1
+fact.cat, 1
+factbros.com, 0
+factbusterers.ga, 1
+factbusterest.ga, 1
+factbytefactbox.com, 1
+facteurcheval.com, 1
+factis.com, 1
+factor.cc, 0
+factorchave.com, 1
+factoriadifacil.com, 1
+factorio.tools, 1
+factoriobin.com, 1
+factoriotools.com, 1
+factoriotools.net, 1
+factoriotools.org, 1
+factorit.fr, 1
+factorway.com, 1
+factory-f.net, 1
+factory-fan.com, 1
+factoryalimentos.com.br, 1
+factorypark.com, 1
+factorypartsdirect.com, 1
+factozia.tk, 1
+facts-about-bees.ml, 1
+factslider.tk, 1
+factsvision.sr, 1
+factua.nl, 1
+factum-info.net, 1
+facturama.pt, 1
+facturare.online, 1
+factureenlinea.com, 0
+factuur.pro, 1
+factuursturen.be, 1
+factuursturen.nl, 1
+facty.com, 1
+factys.do, 1
+factys.es, 1
+facucosta.com.ar, 1
+facvest.com, 1
+fadaex.org, 1
+fadaru.ml, 1
+fadecloud.com, 1
+fadedave.com, 1
+fadednet.com, 0
+fademusic.tk, 1
+fadergs.edu.br, 1
+faderweb.de, 1
+fads-center.online, 1
+fae.watch, 1
+faedefencesociety.com, 1
+faedefensesociety.com, 1
+faehler.de, 1
+faehling.space, 1
+faelix.ch, 1
+faelix.eu, 1
+faelix.fr, 1
+faelix.im, 1
+faelix.net, 1
+faelix.uk, 1
+faerb.it, 1
+faeriebabe.com, 1
+faeriecakes.be, 1
+faeservice.eu, 1
+faeton.tk, 1
+fafarishoptrading.com, 1
+fafers.tk, 1
+fafscloud.com, 0
+fagdag.dk, 1
+faggut.gg, 1
+fagor.com, 1
+fagott.pw, 1
+fagus.hopto.org, 1
+fagyottvilag.hu, 1
+fahadbook.com, 1
+fahnamporn.com, 1
+fahrenwal.de, 1
+fahrenwalde.de, 1
+fahrradreisen-wanderreisen.de, 1
+fahrschule-laux.de, 1
+fahrservice-herrmann.de, 1
+fahrwerk.io, 1
+fahrzeug-talk.de, 1
+fai.gov, 1
+faidanoi.it, 1
+faidatefacile.it, 1
+faieurope.it, 1
+fail.cf, 1
+failed-banks.com, 1
+failforward.tech, 1
+failover.de, 1
+failover.eu, 1
+failoverplan.it, 1
+failstats.net, 0
+faimdevoyages.com, 1
+faimmobiliare.it, 1
+fainlogistics.com, 1
+fairbairnrealty.com, 1
+fairbill.com, 1
+fairbot.cf, 1
+fairbot.gq, 1
+fairbot.ml, 1
+fairbot.tk, 1
+fairbroker.com, 1
+fairchildband.tk, 1
+fairchildfun.com, 0
+fairchildfun.marketing, 1
+fairchildfun.tv, 1
+fairchildstx.gov, 1
+fairdata.ga, 1
+fairedeseconomies.info, 1
+fairelements.net, 1
+faireum.win, 1
+fairewindenergie-sh.de, 1
+fairfaxcountypartners.gov, 1
+fairfaxsc.gov, 1
+fairfield-me.gov, 1
+fairfieldcountyohioworkforcecenter.gov, 1
+fairfieldmt.gov, 1
+fairfieldschool.tk, 1
+fairfieldtexas.gov, 1
+fairfieldtwplenaweemi.gov, 1
+fairfly.com, 1
+fairgaming.ml, 1
+fairgaming.tk, 1
+fairgolfteams.com, 1
+fairhavenvt.gov, 1
+fairleevt.gov, 1
+fairlesslaw.com, 1
+fairline.com, 1
+fairmates.tk, 1
+fairmontnc.gov, 1
+fairmonttamarak.cf, 1
+fairmonttamarak.ga, 1
+fairmonttamarak.ml, 1
+fairmountfireco.gov, 1
+fairplanner.net, 1
+fairplay-trading.com, 1
+fairplay.im, 1
+fairprice.com.sg, 1
+fairtrade010.nl, 1
+fairtradegemeentegent.be, 1
+fairviewcounseling.org, 1
+fairviewevents.ca, 0
+fairviewfarmacy.com, 1
+fairviewfcss.com, 0
+fairviewheightsil.gov, 1
+fairviewmotel-simcoe.com, 1
+fairwayhomebuyers.com, 1
+fairwork.gov.au, 1
+fairyballet.ga, 1
+fairydust.space, 1
+fairyth.tk, 1
+faisia.tk, 1
+faithadvisorers.ga, 1
+faithadvisorest.ga, 1
+faithbulletin.tk, 1
+faithcentercogop.net, 1
+faithfuladvisor.com, 1
+faithfulcounseling.com, 1
+faithfulfaye.nl, 1
+faithfully.tk, 1
+faithfulroad.org, 1
+faithleaks.org, 0
+faixaazul.com, 1
+faizan.net, 1
+faizanullah.com, 0
+fajarafriansh.cf, 1
+fajarilahi.sch.id, 1
+fajasreductoras.top, 1
+fajita.party, 1
+fajn-shop.cz, 1
+fajnshop.sk, 1
+fajode.net, 1
+fakat.tk, 1
+fake-show.ga, 1
+fake.creditcard, 1
+fakeaddress.net, 1
+fakeapple.nl, 1
+fakeballon.shop, 1
+fakebusters.club, 1
+fakecheck.com, 1
+faked.org, 1
+fakeemergency.com, 1
+fakeframes.ga, 1
+fakeframesers.ga, 1
+fakeframesest.ga, 1
+fakehostel.com, 1
+fakehouse.tk, 1
+fakehub.com, 1
+fakel.ga, 1
+fakemoney.ga, 1
+fakeroses.tk, 1
+fakes-ru.tk, 1
+fakescreen.org, 1
+faketaxi.com, 1
+fakhrudin.tk, 1
+fakinga.tk, 1
+fakir-show.nl, 1
+fakt.tk, 1
+faktenfaktenfakten.tk, 1
+faktotum.tech, 1
+fakturi.com, 1
+faktury.co, 0
+fal.moe, 1
+falaeapp.org, 1
+falastin.tk, 1
+falbros.com, 1
+falcatus-dalmatians.hu, 1
+falce.in, 1
+falcema.com, 1
+falchion.tk, 1
+falck.dk, 1
+falcn.io, 1
+falconcrest-lippert.com, 1
+falconerny.gov, 1
+falconfrag.com, 1
+falconi.com, 1
+falconicapital.com, 1
+falconieri.it, 1
+falconinsurance.com.hk, 1
+falconstap.tk, 1
+falconvintners.com, 0
+falcoz.net, 1
+faldoria.de, 1
+fale.io, 1
+falegname-roma.it, 1
+falegname.roma.it, 1
+falegnameria.milano.it, 1
+falixnodes.net, 1
+falkenbergthomsen.dk, 1
+falkenthal.org, 1
+falkentyre.com, 1
+falkus.net, 1
+fall.ga, 1
+fallen-evolution.com, 1
+fallenangeldrinks.co.uk, 1
+fallenangeldrinks.com, 0
+fallenangeldrinks.eu, 1
+fallenangelspirits.co.uk, 1
+fallenangelspirits.com, 1
+fallenlondon.wiki, 1
+fallenmoons.nl, 1
+fallens-home.de, 1
+fallenspirits.co.uk, 1
+fallfishtenkara.com, 0
+falling.se, 1
+fallingbrick.co.uk, 1
+fallofthecitadel.com, 1
+fallonarrocho.tk, 1
+fallout-craft.ru, 1
+fallout-tattoo.de, 1
+fallout4london.com, 1
+fallriverbiblechapel.tk, 1
+fallriverma.gov, 1
+fallspa.gov, 1
+fallvegermdfharder.gq, 1
+falmouthpublicsafetyma.gov, 1
+falmouthretirementma.gov, 1
+falscher-kellner.de, 1
+false.in.net, 1
+falsepattern.com, 1
+falsesecurity.org, 1
+falsterhus.de, 1
+falsterhus.dk, 1
+falstoneshow.com, 1
+falsum.net, 1
+fam-borsch.de, 1
+fam-kreibich.de, 1
+fam-roos.com, 1
+fam-stemmer.de, 0
+famacweb.no, 1
+famcloud.de, 1
+famdouma.nl, 1
+fameng.nl, 1
+famep.gov, 1
+fameska.com, 1
+fameslook.tk, 1
+fameus.fr, 1
+fameuxhosting.co.uk, 1
+famgdigital.com, 1
+famigliafiorini.it, 1
+familialchercher.tk, 1
+familiaperez.net, 0
+familie-keil.de, 1
+familie-kruithof.nl, 1
+familie-kupschke.de, 1
+familie-mischak.de, 1
+familie-monka.de, 1
+familie-mueller.com.de, 1
+familie-oberlander.de, 1
+familie-poeppinghaus.de, 1
+familie-remke.de, 1
+familie-sprink.de, 0
+familie-witzik.eu, 1
+familiearchivaris.nl, 1
+familiebaehr.eu, 1
+familiebies.nl, 1
+familiedelwicheferrari.tk, 1
+familiekiekjes.nl, 1
+familiekusch.de, 1
+familienoase-koenigstein.de, 1
+familienportal.de, 1
+familienrat.com, 1
+familienzone.at, 1
+familiereimann.com, 0
+familieretshuset.dk, 1
+familietandarts.nl, 1
+familievisscher.tk, 1
+familjenm.se, 1
+familjenosterlund.se, 1
+familleenfete.fr, 1
+familleseux.net, 1
+familleshilton.com, 1
+family-clinic.tk, 1
+familyclinicstl.com, 1
+familyconventioners.ga, 1
+familyd-c.com, 1
+familydoctor.ru, 1
+familyframeworks.com, 1
+familyhookups.com, 1
+familyparties.co.uk, 1
+familyrecipe.co.uk, 1
+familysinners.com, 1
+familystockexchangeers.ga, 1
+familytreehq.com, 1
+familytrees.net, 1
+familytreewebinars.com, 1
+familyworld.gr, 0
+familyzone.ga, 1
+famion.eu, 1
+famlefeber.nl, 1
+famonitor.com, 1
+famosas.cf, 1
+famous-models.tk, 1
+famousandfaded.com, 1
+famousbirthdays.com, 1
+famousit.nl, 1
+famousmodels.tk, 1
+famouspdf.gq, 1
+famre.de, 1
+famreijnen.nl, 1
+famschaefer.ddns.net, 1
+famvsomeren.nl, 1
+fan-sport.com, 1
+fan-sport25.com, 1
+fan.gov, 1
+fan4all.de, 1
+fanart.ru, 1
+fanaticamandafans.tk, 1
+fanaticosdehectorlavoeenperu.tk, 1
+fanatka.tk, 1
+fanbike.de, 1
+fanboi.ch, 1
+fanbooster.com, 1
+fancars.ru, 1
+fancentro.com, 1
+fanclubblackhills.tk, 1
+fanclubmariaciobanu.tk, 1
+fanclubs.tk, 1
+fancy-bridge.com, 1
+fancy.org.uk, 1
+fancygaming.dk, 1
+fancypanty.cf, 1
+fancywow.com, 1
+fandars.com, 1
+fandeev.tk, 1
+fander.it, 1
+fandt.me, 1
+fanera.tk, 1
+fanescu.ro, 1
+faneuil.com, 1
+fanfareokselaar.tk, 1
+fanfareunion.ch, 0
+fanfiction.tk, 1
+fanflix.co, 1
+fang-den-sommer.de, 1
+fangan.com, 1
+fangbing.me, 1
+fangd.net, 1
+fangjingdian.com, 1
+fangkehou.tk, 1
+fangshu.com, 1
+fanidrakopoulou.tk, 1
+fanjingbo.com, 1
+fanmerchstore.com, 1
+fanniemaeloans.tk, 1
+fanning.tk, 1
+fannyips.tk, 1
+fanohus.de, 1
+fanohus.dk, 1
+fanorama.tk, 1
+fanosak.tk, 1
+fanqia.ng, 1
+fans-darkangel.tk, 1
+fans-lily-allen.tk, 1
+fansale.de, 1
+fansdefoot.fr, 1
+fanshenzhiyi.com, 1
+fansport.space, 1
+fansta.jp, 1
+fanstuff.ru, 1
+fantacast.it, 1
+fantasiatravel.hr, 1
+fantasmma.tk, 1
+fantasticcleaners.com.au, 1
+fantasticcleanersbristol.co.uk, 1
+fantasticgrassers.ga, 1
+fantasticgrassest.ga, 1
+fantastichandymanmelbourne.com.au, 1
+fantastici.de, 1
+fantasticservices.com, 1
+fantasticservicesgroup.com.au, 1
+fantastictricks.gq, 1
+fantastictricks.tk, 1
+fantasy-football.org, 1
+fantasy-judo.com, 1
+fantasyadventures.tk, 1
+fantasybarsers.ga, 1
+fantasybarsest.ga, 1
+fantasybet.co, 1
+fantasycastles.co.uk, 1
+fantasycdn.com, 1
+fantasychronicleonline.com, 1
+fantasydreams.tk, 1
+fantasyempires.net, 1
+fantasyempires.nl, 1
+fantasyescortsbirmingham.co.uk, 1
+fantasyfoot.gq, 1
+fantasyfoot.tk, 1
+fantasyforever.tk, 1
+fantasymina.de, 1
+fantasypartyhire.com.au, 1
+fantasypartyrental.com, 1
+fantasyprojections.com, 1
+fantasyspectrum.com, 1
+fantasysports.tk, 1
+fantasysportsnews.org, 1
+fantgames.com, 1
+fantinisfantasy.cf, 1
+fantinishop.com, 1
+fantraxhq.com, 1
+fanty-online.com, 0
+fanyue123.tk, 1
+fanz.pro, 1
+fanzade.com, 1
+fanzapers.ga, 1
+fanzhuang.com, 1
+fanzine-nimbus.tk, 1
+fanzlive.com, 1
+fap.link, 1
+fap.no, 1
+fapcoholic.com, 1
+fapdrop.com, 1
+fapiis.gov, 1
+fapplejuice.com, 1
+fapplepie.com, 1
+fapplesauce.com, 1
+fapzone.tk, 1
+faq.ie, 1
+faqbite.com, 1
+faqexchangeest.ga, 1
+faqin-hr.info, 1
+faqiteam.tk, 1
+far-east.tk, 1
+far3link.tk, 1
+fara.gov, 1
+faradji.nu, 1
+faradome.ws, 1
+faradrive.ir, 1
+farafaratodonuevoleon.com, 1
+farallonesrentacar.com, 1
+faraloda.tk, 1
+faraonplay5.com, 1
+faraonplay7.com, 1
+faraonplay8.com, 1
+faraslot8.com, 1
+faraslot8.net, 1
+faraso.org, 1
+farb-tabelle.de, 1
+farberplasticsurgery.com, 1
+farbyin10.com, 1
+farcecrew.de, 0
+farcon.com, 1
+farda.gov, 1
+fardinarafat.tk, 0
+fareast.cf, 1
+fareast.ga, 1
+fareast.gq, 1
+fareast.tk, 1
+fareinternational.com, 1
+farenheit.net, 1
+faresair.com, 1
+farescan.com, 1
+faresfrom.com, 1
+fareto.com, 1
+faretravel.co.uk, 1
+fareuntrasloco.it, 1
+farexpress.it, 0
+farfallapets.com.br, 1
+farfor.tk, 1
+farhadexchange.com, 1
+farhamaghdasi.ir, 1
+farhandanish.tk, 1
+farian.tk, 1
+faribanx-porn.com, 1
+faribanx-xxx.com, 1
+faridathaimassage.com.au, 1
+farikaporselen.com, 1
+farisre.com, 1
+farizhan.com, 1
+farizizhan.com, 0
+farizstore.tk, 1
+farkas.ws, 1
+farleybrass.com.au, 1
+farleymetals.com.au, 1
+farlitesolutions.com, 1
+farm-catalog.ga, 1
+farm-dogecoin.tk, 1
+farm-vacations.com, 1
+farm24.co.uk, 1
+farmaceuticainternazionale.it, 1
+farmacia.pt, 1
+farmaciacomunalelacchiarella.it, 1
+farmaciadejaime.es, 1
+farmacologiaonline.com, 1
+farmacovigilancia-exeltis.com.mx, 0
+farmako.net, 1
+farmakon.tk, 1
+farmasimahaganesha.ac.id, 1
+farmaspeed.it, 1
+farmauna.com, 1
+farmaweb.be, 1
+farmbureauinsurance-mi.com, 1
+farmcloud.fr, 1
+farmer-miniaturen.tk, 1
+farmerfairness.gov, 1
+farmers.gov, 1
+farmersfridge.com, 0
+farmersgirlkitchen.co.uk, 1
+farming.co.uk, 1
+farmingtonlaxwi.gov, 1
+farmkazuto.com, 1
+farmmaximizer.com, 1
+farmocracy.in, 1
+farmqa.com, 1
+farmscbdoil.com, 1
+farmtogether.com, 1
+farmvilleva.gov, 1
+farnboroughairshow.com, 1
+faro-car-hire.co.uk, 1
+faro.com, 1
+farodistribuidora.com.br, 1
+faroes.net, 1
+faroes.org, 1
+faroit.tk, 1
+faroitalia.it, 1
+farol.cz, 1
+faros-studio.gr, 1
+faroutsolutions.com, 0
+farrel-f.cf, 1
+farrel-f.id, 1
+farrel-f.tk, 1
+farrelf.blog, 1
+farrelly.nz, 1
+farringtonfoundation.org, 1
+farringtongurneyvillagehall.org, 1
+farsiight.com, 1
+farsil.eu, 1
+fart.cafe, 1
+fartoclose.tk, 1
+fartypants.com, 1
+faryaz.tk, 1
+fasab-portcenter.se, 1
+fasad.eu, 1
+fasam.edu.br, 1
+fascat.com, 1
+fashion-buttons.tk, 1
+fashion-family.cf, 1
+fashion-hunters.pl, 1
+fashion-swimwear.tk, 1
+fashion-world.tk, 1
+fashion.bg, 1
+fashionactivation.com, 1
+fashionadvice.tk, 1
+fashionagent.tk, 1
+fashionblogs.tk, 1
+fashioncatalogues.tk, 1
+fashionchanel.tk, 1
+fashioncourses.tk, 1
+fashiondaily.tk, 1
+fashiondays.bg, 1
+fashiondays.hu, 1
+fashiondays.ro, 1
+fashiondesign.ml, 1
+fashiondistrict.org, 1
+fashiondock.de, 0
+fashiondot.ga, 1
+fashioneditor.gr, 1
+fashionflavorph.com, 1
+fashionforward.tk, 1
+fashionforyou.ga, 1
+fashionfreaks.tk, 1
+fashionfuture.tk, 1
+fashionhome.tk, 1
+fashioninitaly.tk, 1
+fashionlink.tk, 1
+fashionlistify.tk, 1
+fashionmagazine.com, 1
+fashionmagz.tk, 1
+fashionmasala.tk, 1
+fashionmovie.tk, 1
+fashionone.tk, 1
+fashionopenstudio.com, 1
+fashionoutlets.tk, 1
+fashionplus.ml, 1
+fashionrecovery.co.nz, 1
+fashionreview.ml, 1
+fashionstylenews.tk, 1
+fashionsuits.tk, 1
+fashionsummer.tk, 1
+fashiontrendsetter.com, 1
+fashionunited.at, 1
+fashionunited.be, 1
+fashionunited.ch, 1
+fashionunited.cl, 1
+fashionunited.cn, 1
+fashionunited.co, 1
+fashionunited.co.uk, 1
+fashionunited.com, 1
+fashionunited.com.ar, 1
+fashionunited.com.br, 1
+fashionunited.com.pe, 1
+fashionunited.de, 1
+fashionunited.es, 1
+fashionunited.fi, 1
+fashionunited.fr, 1
+fashionunited.hk, 1
+fashionunited.hu, 1
+fashionunited.ie, 1
+fashionunited.in, 1
+fashionunited.info, 1
+fashionunited.it, 1
+fashionunited.jp, 1
+fashionunited.lu, 1
+fashionunited.mx, 1
+fashionunited.nl, 1
+fashionunited.no, 1
+fashionunited.nz, 1
+fashionunited.pl, 1
+fashionunited.pt, 1
+fashionunited.ru, 1
+fashionunited.se, 1
+fashionunited.uk, 1
+fashionusa.gq, 1
+fashionweb.ml, 1
+fashionweek.tk, 1
+fashionweekweb.com, 1
+fashionworlds.ml, 1
+fashionxmas.gq, 1
+fasigbrooks.com, 1
+fasmaritime.com, 1
+faspirits.co.uk, 1
+faspirits.com, 1
+faspsych.com, 1
+fasqu.com, 1
+fassaden-selleng.de, 1
+fassadenverkleidung24.de, 1
+fassi-sport.it, 1
+fassiportugal.pt, 1
+fast-cargo.ml, 1
+fast-drops.cf, 1
+fast-events.eu, 1
+fast-growth.fr, 1
+fast-host.gq, 1
+fast-host.net, 1
+fast-mobile.tk, 1
+fast-pro.co.jp, 1
+fast-rabbit.tw, 1
+fast-silver.tk, 1
+fast4ever.tk, 1
+fastaim.de, 1
+fastamundi.com, 1
+fastandtuning.tk, 1
+fastbackmbg.be, 1
+fastbackmbm.be, 1
+fastbet.it, 1
+fastblit.com, 1
+fastblob.com, 1
+fastbob.cf, 1
+fastbob.ga, 1
+fastbob.gq, 1
+fastbob.ml, 1
+fastbob.tk, 1
+fastbuilder.pro, 1
+fastcash.com.br, 1
+fastcast.ga, 1
+fastcats.tk, 1
+fastcdn.info, 1
+fastcloud.ge, 1
+fastcommerce.org, 1
+fastconfirm.com, 1
+fastcp.top, 1
+fastcup.net, 1
+fastcustomboxes.com, 1
+fastdronespro.com, 1
+fastener.tk, 1
+fastensorozo.hu, 1
+faster-disinfestazioni.it, 1
+faster.cz, 1
+fasterblogsers.ga, 1
+fasterblogsest.ga, 1
+fasterci.com, 1
+fasterfront.com, 1
+fasterfront.com.br, 1
+fasternie.tk, 1
+fastestknowntime.com, 1
+fastfast.click, 1
+fastfix.nl, 1
+fastfloorscreed.ie, 1
+fastforwardsociety.nl, 1
+fastforwardthemes.com, 1
+fastfox.tk, 1
+fastfwd.co.za, 1
+fastgamingro.tk, 1
+fasthost.com.br, 1
+fastighetsekonomi.com, 0
+fastknighki.ga, 1
+fastknigi.ml, 1
+fastlaneimportautorepair.com, 1
+fastmail.com, 0
+fastme.co, 1
+fastmeet.tk, 1
+fastmetrics.com, 1
+fastonline.ro, 1
+fastopen.ml, 1
+fastos.com, 1
+fastos.de, 1
+fastpaper.gq, 1
+fastpeoplesearch.com, 1
+fastphox.com, 1
+fastpresence.com, 1
+fastproxycat.ml, 1
+fastproxyforfree.gq, 1
+fastrocket.pl, 1
+fastscanapp.com, 1
+fastserv.pl, 1
+fastshop.com.pl, 1
+faststage.ch, 1
+fasttracconsulting.com, 1
+fasturl.ml, 1
+fastvanya.com, 1
+fastvelocityers.ga, 1
+fastvelocityest.ga, 1
+fastvisit.tk, 1
+fastvistorias.com.br, 1
+fastworx.com, 1
+faszination-fankurve.de, 1
+fatal-beauty.tk, 1
+fatal.ga, 1
+fatalchat.tk, 1
+fatalerrorcoded.eu, 1
+fatalityimmortals.ga, 1
+fatalsunrise.com, 1
+fatassbooty.com, 1
+fatcat.tk, 1
+fate-srd.com, 0
+fatecdevday.com.br, 1
+fatemaalhabsi.com, 1
+fates.online, 1
+fatetx.gov, 1
+fatfueled.com, 1
+fatherhood.gov, 1
+fatidique.com, 1
+fatig.com, 1
+fatiguesyndrome.com, 1
+fatihingemisi.com, 1
+fatimamoldes.com.br, 1
+fatlabwebsupport.com, 1
+fatmixx.com, 1
+fator25.com.br, 1
+fatowltees.com, 1
+fatpussytube.com, 1
+fattailcall.com, 0
+fattoriabio.jp, 1
+fattorino.it, 1
+fatturegeko.eu, 1
+fattyburgers.com, 1
+fattyink.com, 1
+fatumagro.bg, 1
+fatvalley.at, 1
+fatzebra.com.au, 1
+fau-bremen.tk, 1
+fau8.ml, 1
+fauceton.cf, 1
+fauceton.tk, 1
+faucetslist.tk, 1
+faulhaber.com, 1
+faulkner2020.com, 1
+faulknercountyar.gov, 1
+faultyserver.com, 1
+faunahotel.cl, 1
+faunathreads.com, 1
+faunatrek.com, 1
+faure.link, 1
+fautchen.eu, 1
+fauteuil-bebe.fr, 1
+fauvettes.be, 1
+fauwater.com, 1
+fauxcams.com, 1
+fauxil.shop, 1
+fauxreal.com, 1
+fav-hosting.online, 1
+favalart.com, 1
+favarica.com, 1
+favicone.com, 1
+favirei.com, 1
+favor-group.ru, 1
+favorai.com, 1
+favorislotgiris.com, 1
+favorit-stroy-snab.ru, 1
+favoritenewspaperers.ga, 1
+favoritenewspaperest.ga, 1
+favoritestudent.ml, 1
+favoritestudenters.ga, 1
+favoritestudentest.ga, 1
+favoritetechers.ga, 1
+favouritequotations.ca, 1
+favourperfect.com.au, 1
+favro.com, 1
+favrotest.com, 1
+faw-club.cf, 1
+fawong.com, 1
+fawter.online, 1
+fawx.news, 1
+faxfarmers.ga, 1
+faxfarmest.ga, 1
+faxreader.net, 1
+faxvorlagen-druckvorlagen.de, 1
+fayalove.com, 1
+fayamovies.tk, 1
+fayettecountyillinois.gov, 1
+fayettecountyoh.gov, 1
+fayettecountytn.gov, 1
+fayettecountywv.gov, 1
+fayettemopd.gov, 1
+fayettevilleflyer.com, 1
+fayettevillewv.gov, 1
+fayffersons.com, 1
+fayfilms.com, 1
+fayntic.com, 1
+faysalabdi.fi, 1
+fazal.tv, 1
+fazet.tk, 1
+fazhion.tk, 1
+fazo.gq, 1
+fazrin.tk, 1
+fazz.fun, 1
+fazz.id, 1
+fb.audio, 1
+fb.gg, 1
+fb.me, 1
+fb.watch, 1
+fbaun.dk, 1
+fbausch.de, 1
+fbcdn.net, 1
+fbcfairburn.com, 1
+fbcopy.com, 1
+fbctx.gov, 1
+fbe.to, 1
+fbf.gov, 1
+fbfwd.email, 1
+fbi.gov, 1
+fbiagentedu.org, 1
+fbigame.com, 1
+fbihr.gov, 1
+fbiic.gov, 1
+fbijobs.gov, 1
+fbilab.gov, 1
+fbk.moe, 1
+fbmedia-ckl.com, 1
+fbo.gov, 1
+fbo.network, 1
+fboerman.nl, 1
+fbrief.org, 1
+fbsbx.com, 1
+fbscontenttest.com, 1
+fbthirdpartypixel.com, 1
+fburl.com, 1
+fbwat.ch, 1
+fbwifi.com, 1
+fc-corvinul.tk, 1
+fc-rostov.ru, 1
+fc8882.net, 1
+fca-tools.com, 1
+fcapartsdb.com, 1
+fcapollo.tk, 1
+fcarrascosa.es, 1
+fcbarcelona.cz, 1
+fcbasel.info, 1
+fcblueboys.be, 1
+fcbrasov.tk, 1
+fccaracciolo-solution.tk, 1
+fccarbon.com, 0
+fcd.im, 1
+fcdauwendaele-dames.tk, 1
+fcdekampioenen.tk, 1
+fcdemuis.tk, 1
+fcdenhaag-holi.tk, 1
+fcdg.com.br, 1
+fcdordrecht.tk, 1
+fcforum.net, 1
+fcg.fyi, 1
+fcgmd.gov, 1
+fcht.fr, 1
+fcic.gov, 1
+fcijobportalodisha.com, 1
+fcingolstadt.de, 0
+fcitasc.com, 1
+fcm.org.co, 1
+fcmoorsel.tk, 1
+fcode.tk, 1
+fcosinus.com, 1
+fcporto.ws, 1
+fcprovadia.com, 1
+fcrrijswijk.nl, 1
+fcs-embedded.com, 1
+fcsarajevo.tk, 1
+fcsic.gov, 1
+fcsm.gov, 1
+fcts.ml, 1
+fd-telecom.ru, 1
+fd.gov, 1
+fdalawboston.com, 1
+fdaregs.com, 1
+fdereplace.tk, 1
+fdevs.ch, 1
+fdfz.edu.cn, 1
+fdg-98.de, 1
+fdic.exposed, 1
+fdicig.gov, 1
+fdicoig.gov, 1
+fdimmo24.com, 1
+fdis.net.cn, 1
+fdj.fr, 1
+fdkm.eu, 1
+fdlibre.eu, 1
+fdlp.gov, 1
+fdlpl.org, 1
+fdltcc.edu, 1
+fdmg.nl, 1
+fdms.gov, 1
+fdnsc.net, 1
+fdp-alsdorf.de, 1
+fdp-heinsberg.de, 1
+fdpbrig.ch, 1
+fdresearch.ca, 1
+fdsys.gov, 1
+fdx-insurance.com, 1
+feac.us, 1
+feaden.me, 1
+feandc.com, 1
+fear-crowd.tk, 1
+fearedcreation.tk, 1
+fearfactory.tk, 1
+fearghus.org, 1
+fearlessmusic.tk, 1
+fearnley.uk, 1
+fearstyle.tk, 1
+fearunknown.tk, 1
+feast-day.tk, 1
+feast.info, 1
+feastofplants.com, 1
+feastr-dev.de, 1
+feastr.de, 1
+feastr.io, 1
+feastshare.com, 1
+feat.agency, 1
+feath.net, 1
+featherfan.io, 1
+feathermc.com, 1
+feathersbtq.com, 1
+featherweightlabs.com, 1
+feature-branch.nl, 1
+featured.tk, 1
+featuredcarders.ga, 1
+featuredmen.com, 1
+feb.gov, 1
+febeditora.com.br, 1
+febooti.com, 1
+fed-shashek.spb.ru, 1
+fed51.com, 1
+fedbizopps.gov, 1
+fedcenter.gov, 1
+fedefutbol.tk, 1
+fedel.tk, 1
+fedema.com, 1
+federacaoanarquista.com.br, 1
+federacaofutebolmesa.pt, 1
+federacaomatraquilhos.pt, 1
+federacaoportuguesafutebolmesa.pt, 1
+federaciocatalanapipaclubs.tk, 1
+federacionanarquista.net, 1
+federalbus.ga, 1
+federalbusers.ga, 1
+federalbusest.ga, 1
+federalcalendarest.ga, 1
+federalcriminaldefenseattorney.com, 1
+federalinvestments.gov, 1
+federaljob.net, 1
+federaljobs.gov, 1
+federallawenforcement.org, 1
+federalprisonforums.com, 1
+federalregister.gov, 1
+federalreserve.gov, 1
+federalreserveconsumerhelp.gov, 1
+federalsignal.com, 1
+federasco.ga, 1
+federation.gov.au, 1
+federica.tk, 1
+federico.ro, 1
+federicomigliavacca.it, 1
+fedextrackingservices.com, 1
+fedidcard.gov, 1
+fedifeed.net, 1
+fedinvest.gov, 0
+fedistatus.com, 1
+fedistatus.eu, 1
+fedistatus.net, 1
+fedistatus.org, 1
+fedistatus.social, 1
+fediver.city, 1
+fediver.com, 1
+fediver.eu, 1
+fediver.net, 1
+fediver.org, 1
+fediver.social, 1
+fedivercity.com, 1
+fedivercity.eu, 1
+fedivercity.net, 1
+fedivercity.org, 1
+fedivercity.social, 1
+fediverse.observer, 1
+fedjobs.gov, 1
+fedlocatorers.ga, 1
+fedlocatorest.ga, 1
+fedn.it, 1
+fednat.com, 1
+fedorahosted.org, 1
+fedoralinux.or.kr, 1
+fedoranews.org, 1
+fedorapeople.org, 1
+fedoraproject.org, 1
+fedorblog.tk, 1
+fedpartnership.gov, 1
+fedramp.gov, 1
+fedres.gov, 1
+fedrigoni.com, 1
+fedrooms.gov, 1
+fedrtc.org, 1
+fedshat.space, 1
+fedshirevets.gov, 1
+feeblebridges.nl, 1
+feecotec.com, 1
+feed-back.com, 1
+feedback-project.eu, 1
+feedbackproduction.tk, 1
+feedbin.com, 0
+feedetailsers.ga, 1
+feedetailsest.ga, 1
+feedfall.com, 1
+feedhq.org, 1
+feedinghouse.tk, 1
+feedingmethodsers.ga, 1
+feedingmethodsest.ga, 1
+feedingmynewbaby.com, 1
+feedkovacs.hu, 1
+feedmail.org, 1
+feedough.com, 1
+feedstringer.com, 1
+feedthefood.com, 1
+feedthefuture.gov, 1
+feedthegreek.tk, 1
+feedtube.com, 1
+feedvisor.com, 1
+feeg-wage.gc.ca, 1
+feegg.com.br, 1
+feehla.com, 1
+feek.org, 1
+feel-events.com, 1
+feel.aero, 1
+feelamazing.com.au, 1
+feelbycubanas.com, 1
+feeld.cloud, 1
+feelerfolg.com, 1
+feelgood-workouts.de, 1
+feelgood.com.tw, 1
+feelgoodcasino.com, 1
+feeling.com.mx, 1
+feelingdesperate.net, 1
+feelingdesperate.org, 1
+feelmingo.com, 1
+feelnet.top, 1
+feelnice.com.br, 1
+feeltennis.net, 1
+feelya.com, 1
+feen.us, 1
+feepod.com, 1
+feeriedesign-event.com, 1
+feest.com, 1
+feestbierfusten.nl, 1
+feestfactory.tk, 1
+feestgids.nl, 1
+feetek.net, 1
+feetnesclub.tk, 1
+feetpa.ws, 1
+feezmodo.com, 1
+fef.moe, 1
+fefacaram.com.br, 1
+fefelovalex.ru, 1
+feg-wge.gc.ca, 1
+fegame.eu, 1
+fegame.mobi, 1
+fegame.net, 1
+fegame.nl, 1
+fegc-wgec.gc.ca, 1
+fegli.gov, 1
+fehlerqultur.net, 1
+fehngarten.de, 1
+fehr-online.eu, 1
+fehrm.gov, 1
+feibiaowang.com, 0
+feigling.net, 0
+feignandfolly.tk, 1
+feiki.tk, 1
+feikuai.tv, 1
+feildel.fr, 1
+feilen.de, 1
+feilestrokestown.com, 1
+feinform.com, 1
+feip.co, 1
+feirlane.org, 0
+feiromo.com, 1
+feistore.com.tw, 1
+feistyduck.com, 1
+feisworld.com, 0
+feitam.es, 1
+feittinf.org.br, 1
+feixiang.eu.org, 1
+feixiang.pp.ua, 1
+feiya.ng, 1
+fejervar.hu, 1
+fejo.dk, 1
+fekepp.net, 1
+fekir.info, 1
+felcas.com.co, 1
+felcraperak.com.my, 1
+feld.saarland, 1
+feldbogenclub-hamburg.de, 1
+feldgut.de, 1
+feldkirchen.tk, 1
+feldmangallery.com, 1
+feldmaraesthetics.com, 1
+felett.es, 1
+felger-times.fr, 1
+felgitscher.xyz, 1
+felicifia.org, 1
+felid.gay, 1
+felidas.net, 1
+felin.es, 1
+feline.ro, 1
+felinefriend.co.uk, 1
+felinepc.com, 1
+felipesexto.tk, 1
+felipesuri.com, 0
+feliratok.eu, 1
+felis.com.mx, 1
+feliscatus.tk, 1
+felistirnavia.sk, 1
+felix-amez.tk, 1
+felix-hirner.de, 1
+felixbarta.de, 1
+felixbrand.de, 1
+felixbroekhuizen.tk, 1
+felixc.at, 1
+felixcabrol.com, 1
+felixcrux.com, 1
+felixgerschau.com, 1
+felixharo.es, 0
+felixhollitzer.de, 1
+felixkauer.de, 1
+felixklenner.de, 1
+felixlatscha.ch, 1
+felixmendez.com, 1
+felixsanchez.tk, 1
+felixschuermeyer.de, 1
+felixseele.de, 1
+felixsworld.tk, 1
+felixturgeon.ca, 1
+felixvelarde.com, 1
+felixweb.tk, 1
+feliz.tk, 1
+felko-tech.de, 1
+fellas.com.tr, 1
+fellpony.org, 0
+felmodrj.com, 1
+felonymath.com, 1
+felonymath.net, 1
+felonymath.org, 1
+felsare3.com, 1
+felsefe.tk, 1
+felsenheimer.tk, 1
+feltencie.com, 1
+feltons.me, 0
+feluck.de, 1
+female-costumes.tk, 1
+femalecare.tk, 1
+femalefoodie.com, 1
+femalehumorers.ga, 1
+femalehumorest.ga, 1
+femaleteamest.ga, 1
+femastudios.com, 1
+femboy.clothing, 1
+femboy.fan, 1
+femboys.pics, 1
+femcompany.nl, 1
+femik.net, 1
+femina.se, 1
+feminina.eu, 1
+feminina.pt, 1
+feminique.tk, 1
+feministreview.cf, 1
+feministreview.ga, 1
+feministreview.gq, 1
+feministreview.ml, 1
+feministspectrum.org, 1
+feminteligencia.com, 1
+femiwiki.com, 1
+femme.fitness, 1
+femmes-women.gc.ca, 1
+femmes.gc.ca, 1
+femmesaupluriel.com, 1
+femtomind.com, 1
+fena.jp, 1
+fenagav.ga, 1
+fenatrigo.com.br, 1
+fence-stlouis.com, 1
+fencebutlers.com, 1
+fencekirkwood.com, 1
+fencestlouis.co, 1
+fencestlouis.com, 1
+fencethisyard.com, 1
+fenciblelaw.co.nz, 1
+fencingmarters.ga, 1
+fencingmartest.ga, 1
+feng.si, 1
+feng18.vip, 0
+feng88.vip, 0
+fengchuiyudaqu.ml, 1
+fenghuangcheng.tk, 1
+fengmar.com, 1
+fengrui.me, 0
+fengshuimeta.com, 1
+fengyadi.com, 1
+fengyi.tel, 1
+fengying.co, 1
+fenhl.net, 1
+fenichelar.com, 1
+fenitriatnica.tk, 1
+fenix-site.tk, 1
+fenix-zone.tk, 1
+fenixcorporative.tk, 1
+fenixmetal.tk, 1
+fenixonlinevirtual.com.br, 1
+fenj.nl, 1
+fenn.moe, 1
+fennec.wtf, 1
+fenns.co.za, 1
+fennville.gov, 1
+fennydewit.nl, 1
+fenom.ga, 1
+fenotipo.com, 1
+fenris.ovh, 1
+fenritec.eu, 1
+fenritec.fr, 1
+fense.cf, 1
+fense.ml, 1
+fenster-bank.at, 1
+fenster-bank.de, 1
+fensterbau-mutscheller.de, 1
+fenwickisland-de.gov, 1
+fenzas.com, 1
+feodosiya.cf, 1
+feodosiya.tk, 1
+fepun.com, 1
+ferad.net, 1
+feras-alhajjaji.com, 1
+feraz.com.mx, 1
+ferc.gov, 1
+ferca.pt, 1
+ferchup.com, 1
+ferdi-is.gay, 1
+ferenczi.ch, 1
+ferestre-bucuresti.ro, 1
+fereum.com, 1
+ferfer.ga, 1
+fergtm.com, 1
+fergusfallsmn.gov, 1
+fergusonroofing.com, 1
+ferhatsurer.com, 1
+feria-ales.fr, 1
+feriadelvellon.tk, 1
+feribotlines.com, 1
+feridun.tk, 1
+feriehus-danmark.no, 1
+ferien-haus-mittelpunkt.de, 1
+ferien-netzwerk.de, 1
+ferien-zweibruecken.tk, 1
+ferienhaeuser-krummin.de, 1
+ferienhaus-danemark-hund.de, 1
+ferienhaus-danemark-privat.de, 1
+ferienhaus-laesoe.de, 1
+ferienhaus-montenegro.tk, 1
+ferienhaus-polchow-ruegen.de, 0
+ferienhaus-urlaub-danemark.de, 1
+ferienhausprovence.ch, 1
+ferienwohnung-hafeninsel-stralsund.de, 1
+ferienwohnung-ruegen.tk, 1
+ferienwohnung-wiesengrund.eu, 1
+ferienwohnung-wilmersdorf.de, 1
+ferienwohnungen-lastminute.de, 1
+ferienwohnungen-willingen.de, 1
+ferienwohnunglanger.de, 1
+ferieservice.dk, 1
+ferio-fuu.tk, 1
+ferlc.org, 1
+ferluxilluminazione.it, 1
+fermabel.com.br, 1
+fermanacuratampaparts.com, 1
+fermanaghomagh.com, 1
+fermani.ar, 1
+fermani.com.ar, 1
+fermastore.cf, 1
+fermastore.tk, 1
+fermateh.com.ua, 1
+fermemarineau.com, 1
+fermentcerealesbio.fr, 1
+fermenteana.com, 1
+fermier-mag.ro, 1
+fernandes.org, 1
+fernandezvilar.es, 1
+fernandoalonso.tk, 1
+fernandob.com, 1
+fernandobarata.pt, 1
+fernandobarillas.com, 1
+fernandolucas.info, 1
+fernandomiguel.net, 1
+fernandomorientes-zone.tk, 1
+fernandosuarez.cf, 1
+fernatura.tk, 1
+ferngas.de, 1
+fernheim.com.py, 1
+fernhowe.co.uk, 0
+fernland.com.au, 1
+fernvenue.com, 1
+fernweh.tk, 1
+ferociousmass.tk, 1
+feross.net, 1
+feross.org, 1
+ferozes.com.br, 1
+ferrada.org, 0
+ferrari.com, 1
+ferrariadvisor.it, 1
+ferrariale.tk, 1
+ferrarichat.fr, 1
+ferreh.com, 1
+ferreira.ovh, 1
+ferreirabordinhao.adv.br, 1
+ferreteriaferreiro.com, 1
+ferrets.tk, 1
+ferretslife.com, 1
+ferriday.gov, 1
+ferrikomm.de, 1
+ferrin.tk, 1
+ferrisfox.me, 1
+ferriswheelofficial.us, 1
+ferro-design.tk, 1
+ferrodata.de, 1
+ferrousmoon.com, 1
+ferrovial.com, 1
+ferrumformat.com, 1
+ferrybig.me, 1
+fersedo.mk, 1
+fersumalin.cf, 1
+fersumalin.ga, 1
+fersumalin.gq, 1
+fersumalin.ml, 1
+fersumalin.tk, 1
+ferticare.pt, 1
+fertile.fund, 1
+fertilityquick.ga, 1
+fertilityquickers.ga, 1
+fertilityquickest.ga, 1
+fertilityspace.io, 1
+fertilitytreatmentcenter.com, 1
+fertilizers.tk, 1
+ferwor.studio, 1
+ferydoonzandi.tk, 1
+fes.at, 1
+fescuesodsouthernindiana.com, 1
+feseev.ml, 1
+fesne.com, 1
+festaprylar.se, 1
+festar.tk, 1
+festasdosenhordocalvario.pt, 1
+festesuniversitaries.tk, 1
+festfabriken.se, 1
+festin.tk, 1
+festival-tipps.com, 1
+festival365.ml, 1
+festivalcarpark.com.au, 1
+festivaldays.tk, 1
+festivaldecinedemallorca.tk, 1
+festivaldelumieresgand.be, 1
+festivaldelumieresgand.com, 1
+festivaldimouamaroussiou.gr, 1
+festivalfumo.tk, 1
+festivalgourmet.com, 1
+festivaljapon.com, 1
+festivalplaza.com.au, 1
+festivalpopayan.tk, 1
+festivalsalmondeoro.tk, 1
+festivalsquare.com.au, 1
+festivalsrit.tk, 1
+festivaltower.au, 1
+festivaltower.com.au, 1
+festmaniastore.com.br, 1
+festo.net, 1
+festo.online, 1
+festrentcar.pl, 1
+festusmo.gov, 1
+festx.co.za, 1
+fetanbus.com, 1
+fetawerelddans.tk, 1
+fetchease.com, 1
+fetchmag.com, 1
+fetchmonitors.com, 1
+fetclips.se, 1
+fethtv.com, 1
+fetichedecaramelo.tk, 1
+fetih1453.tk, 1
+fetish-x.com, 1
+fetishbazar.cz, 1
+fetishblend.com, 1
+fetishvips.com, 1
+fetishzone.org, 1
+fetlife.com, 1
+fetlinks.ga, 1
+fettbrot.tk, 1
+fettings.com, 1
+feudalisten.de, 1
+feudaltactics.com, 1
+feuerhuhn.de, 1
+feuerloescher-test.de, 1
+feuerwehr-dachaufsetzer.de, 1
+feuerwehr-e-learning.de, 1
+feuerwehr-gebirge.de, 1
+feuerwehr-heiligenberg.de, 1
+feuerwehr-mehring.de, 1
+feuerwehr-offenbach-bieber.de, 0
+feuerwehr-solms.de, 1
+feuerwehr-vechta.de, 1
+feuerwerksmanufaktur.de, 1
+feuerwolke.spdns.de, 1
+feuetgloire.com, 0
+feurich.tk, 1
+fever.ch, 1
+fevo.us, 1
+fevolden.com, 1
+fewo-groden.de, 1
+fewo-hafeninsel-stralsund.de, 1
+fewo-thueringer-wald.de, 1
+fewo-wildrosenpfad.de, 1
+fewo.plus, 1
+fewo.reise, 1
+fewo32.de, 1
+fexopay.com, 1
+fey-web.tk, 1
+feyenoordrotterdam.tk, 1
+feyenoordsite.tk, 1
+feyenoordvakz.tk, 1
+fezbet.net, 1
+fezlee.com, 1
+ff-bg.xyz, 1
+ff-koenigstein-opf.de, 1
+ff-obersunzing-niedersunzing.de, 1
+ff-tostedt.de, 1
+ff15.ddns.net, 1
+ff326.com, 0
+ff5197.co, 1
+ff5g.com, 1
+ff6729.co, 1
+ff6729.com, 1
+ff6957.co, 1
+ff9297.co, 1
+ff9397.com, 1
+ff9728.co, 1
+ff976.com, 0
+ffaaa00.com, 1
+ffaaa11.com, 1
+ffaaa22.com, 1
+ffaaa33.com, 1
+ffaaa44.com, 1
+ffaaa55.com, 1
+ffaaa66.com, 1
+ffaaa77.com, 1
+ffaaa88.com, 1
+ffaaa99.com, 1
+ffamranteatime.com, 1
+ffb.gov, 1
+ffbans.org, 1
+ffbbb00.com, 1
+ffbbb11.com, 1
+ffbbb22.com, 1
+ffbbb33.com, 1
+ffbbb44.com, 1
+ffbbb55.com, 1
+ffbbb66.com, 1
+ffbbb77.com, 1
+ffbbb88.com, 1
+ffbbb99.com, 1
+ffbsee.net, 0
+ffc-gerlingen.de, 1
+ffccc00.com, 1
+ffccc11.com, 1
+ffccc22.com, 1
+ffccc33.com, 1
+ffccc44.com, 1
+ffccc55.com, 1
+ffccc66.com, 1
+ffccc88.com, 1
+ffccc99.com, 1
+ffddd00.com, 1
+ffddd11.com, 1
+ffddd22.com, 1
+ffddd33.com, 1
+ffddd44.com, 1
+ffddd55.com, 1
+ffddd66.com, 1
+ffddd77.com, 1
+ffddd88.com, 1
+ffddd99.com, 1
+ffeee00.com, 1
+ffeee11.com, 1
+ffeee22.com, 1
+ffeee33.com, 1
+ffeee44.com, 1
+ffeee55.com, 1
+ffeee66.com, 1
+ffeee77.com, 1
+ffeee88.com, 1
+ffeee99.com, 1
+fff-du.de, 1
+fff-musique.fr, 1
+fffaa00.com, 1
+fffaa11.com, 1
+fffaa22.com, 1
+fffaa33.com, 1
+fffaa44.com, 1
+fffaa55.com, 1
+fffaa66.com, 1
+fffaa77.com, 1
+fffaa88.com, 1
+fffaa99.com, 1
+fffbb00.com, 1
+fffbb11.com, 1
+fffbb22.com, 1
+fffbb33.com, 1
+fffbb44.com, 1
+fffbb55.com, 1
+fffbb66.com, 1
+fffbb77.com, 1
+fffbb88.com, 1
+fffbb99.com, 1
+fffbhv.de, 1
+fffcc00.com, 1
+fffcc11.com, 1
+fffcc22.com, 1
+fffcc33.com, 1
+fffcc44.com, 1
+fffcc55.com, 1
+fffcc66.com, 1
+fffcc77.com, 1
+fffcc88.com, 1
+fffcc99.com, 1
+fffdd00.com, 1
+fffdd11.com, 1
+fffdd22.com, 1
+fffdd33.com, 1
+fffdd44.com, 1
+fffdd55.com, 1
+fffdd66.com, 1
+fffdd77.com, 1
+fffdd88.com, 1
+fffdd99.com, 1
+fffdm.com, 1
+fffee00.com, 1
+fffee11.com, 1
+fffee22.com, 1
+fffee33.com, 1
+fffee44.com, 1
+fffee55.com, 1
+fffee66.com, 1
+fffee77.com, 1
+fffee88.com, 1
+fffee99.com, 1
+fffgg00.com, 1
+fffgg11.com, 1
+fffgg22.com, 1
+fffgg33.com, 1
+fffgg44.com, 1
+fffgg55.com, 1
+fffgg66.com, 1
+fffgg77.com, 1
+fffgg88.com, 1
+fffgg99.com, 1
+fffhh00.com, 1
+fffhh11.com, 1
+fffhh22.com, 1
+fffhh33.com, 1
+fffhh44.com, 1
+fffhh55.com, 1
+fffhh66.com, 1
+fffhh77.com, 1
+fffhh88.com, 1
+fffhh99.com, 1
+fffii00.com, 1
+fffii11.com, 1
+fffii22.com, 1
+fffii33.com, 1
+fffii44.com, 1
+fffii55.com, 1
+fffii66.com, 1
+fffii77.com, 1
+fffii88.com, 1
+fffii99.com, 1
+fffjj00.com, 1
+fffjj11.com, 1
+fffjj22.com, 1
+fffjj33.com, 1
+fffjj44.com, 1
+fffjj55.com, 1
+fffjj66.com, 1
+fffjj77.com, 1
+fffjj88.com, 1
+fffjj99.com, 1
+fffkk00.com, 1
+fffkk11.com, 1
+fffkk22.com, 1
+fffkk33.com, 1
+fffkk44.com, 1
+fffkk55.com, 1
+fffkk66.com, 1
+fffkk77.com, 1
+fffkk88.com, 1
+fffkk99.com, 1
+fffll00.com, 1
+fffll11.com, 1
+fffll22.com, 1
+fffll33.com, 1
+fffll44.com, 1
+fffll55.com, 1
+fffll66.com, 1
+fffll77.com, 1
+fffll88.com, 1
+fffll99.com, 1
+fffmm00.com, 1
+fffmm11.com, 1
+fffmm22.com, 1
+fffmm33.com, 1
+fffmm44.com, 1
+fffmm55.com, 1
+ffiec.gov, 1
+ffis.me, 0
+ffl123.com, 1
+fflone.com, 1
+ffmradio.de, 1
+ffmv.de, 1
+ffn-connect.de, 1
+ffnm.org, 1
+ffp-survey.com, 1
+ffprofile.com, 1
+ffrev.de, 1
+ffsociety.nl, 1
+fftech.se, 1
+fftechnology.pt, 0
+ffty2.com, 1
+ffw-zeven.de, 1
+ffwd-it.nl, 1
+ffxiv-eureka.com, 1
+ffxiv-tools.jp, 1
+ffzeven.de, 1
+fgdc.gov, 1
+fgeiger.dnshome.de, 1
+fggpay.com, 1
+fgidu.com, 1
+fgtsolutions.com, 1
+fgui.de, 1
+fh-apac.com, 1
+fh-chinese.com, 1
+fh-chn.com, 1
+fh-jituan.com, 1
+fh-photographie.art, 1
+fh-wechat.com, 1
+fh-x.de, 1
+fh-zh.com, 1
+fh.spb.ru, 1
+fh169.cc, 1
+fh6lfwyn.com, 1
+fh70.com, 0
+fhappcp.com, 1
+fhar.be, 1
+fharbe.com, 1
+fharbe.de, 1
+fharbe.net, 1
+fhasiacorp.com, 1
+fhasiacorporate.com, 1
+fhba.com.au, 1
+fhcdn.xyz, 1
+fhdhelp.de, 0
+fhdhilft.de, 0
+fhersoberanes.tk, 1
+fhfaoig.gov, 1
+fhfuhui.com, 1
+fhglobal-zh.com, 1
+fhglobal-zhs.com, 1
+fhglobalcn.com, 1
+fhgroup-chn.com, 1
+fhgroup-cn.com, 1
+fhgroup-zh.com, 1
+fhgroup-zhs.com, 1
+fhgroupcn.com, 1
+fhgroupzhs.com, 1
+fhi.nl, 1
+fhinds.co.uk, 1
+fhjituan-cn.com, 1
+fhjituan-zh.com, 1
+fhjituan-zhs.com, 1
+fhjituancn.com, 1
+fhjituanzhs.com, 1
+fhjt-apac.com, 1
+fhjt-zh.com, 1
+fhjtapac.com, 1
+fhjtchn.com, 1
+fhjtcn.com, 1
+fhjtglobal.com, 1
+fhjtzh.com, 1
+fhjtzhs.com, 1
+fhm.duckdns.org, 1
+fhmarkets.com, 1
+fhmkh.cn, 1
+fhome.ch, 1
+fhope.org, 1
+fhsseniormens.club, 1
+fhstation.com, 1
+fhstatus-chinese.com, 1
+fhtrader.com, 1
+fhv-waldhausen.de, 1
+fhwechat.com, 1
+fhzhs.com, 1
+fi.google.com, 1
+fi.se, 1
+fi.search.yahoo.com, 0
+fiam.me, 1
+fiamtorino.eu, 1
+fianna.tk, 1
+fianoromano.news, 1
+fiasgo.dk, 1
+fiataldivat.hu, 1
+fibank.bg, 1
+fiberoptikz.tk, 1
+fiberxl.com, 1
+fibery.io, 1
+fibo-forex.org, 1
+fibogroup.com, 1
+fibrasynormasdecolombia.com, 1
+fibraworks.com, 1
+fibrefly.co.uk, 1
+fibrenttech.co.za, 1
+fibretv.co.nz, 1
+fibretv.tv, 1
+fibroarrendacaseton.mx, 0
+fibromuebles.com, 1
+fibu.email, 1
+fibune.com, 1
+fibutest.de, 1
+fic.is, 1
+fichajes.com, 1
+fichier-pdf.fr, 0
+fickfreundinnen.net, 1
+fickweiler.nl, 1
+ficlab.com, 1
+fico.com, 1
+ficor.gov, 1
+fictionaltruths.com, 1
+ficus.io, 0
+fid-elite.ch, 0
+fidanza.eu, 1
+fiddle.to, 1
+fiddlesaw.com, 1
+fiddlestickstoys.com.au, 1
+fidelapp.com, 1
+fidelis-it.ch, 1
+fidelis-it.net, 1
+fidelitybank.com.gh, 1
+fidelityhomestead.com, 1
+fidelitysound.es, 1
+fidell.com.ua, 1
+fides.ch, 1
+fideschile.tk, 1
+fidesic.com, 0
+fidgetbox.co.uk, 1
+fidhouriet.ch, 1
+fidlar.com, 1
+fidmmuseum.org, 1
+fidoo.com, 1
+fiduciaire-ratio.ch, 0
+fiducoldex.com.co, 1
+fiedelaks-landbarf.de, 1
+fieggen.eu, 1
+fieggen.net, 1
+fieggen.social, 1
+fiekeoffringa.nl, 1
+fieldcrafts.com, 1
+fieldeffect.com, 1
+fieldsgynroboticsurgery.com, 1
+fieldworkbrewing.com, 1
+fiemmeimpianti.it, 1
+fienaliri.tk, 1
+fierman.eu, 0
+fierman.net, 0
+fierman.us, 0
+fierscleaning.nl, 1
+fiery.me, 0
+fieryaura.eu, 1
+fierykitchen.pl, 1
+fiesta-mk5-limited-edition.nl, 1
+fiestasalquezar.tk, 1
+fiet.cat, 1
+fietsambassade.be, 1
+fietsambassade.gent, 1
+fietsambassadegent.be, 1
+fietsennaarbarcelona.tk, 1
+fietsherstel.gent, 1
+fietsvakman.nl, 1
+fietsvierdaagsen.nl, 1
+fifaaddict.com, 1
+fifacup.ga, 1
+fifadimensions.tk, 1
+fifafans.tk, 1
+fifastars.tk, 1
+fifatournament.tk, 1
+fifaultimatemod.tk, 1
+fifauteam.com, 1
+fifehg.org.uk, 1
+fifemedicalgroup.co.uk, 1
+fiff.de, 0
+fifi.club, 1
+fifr.nl, 1
+fifthwall.com, 1
+fiftynorth.eu, 1
+fiftyseven.media, 1
+fiftyshadesofgreyfullmovie.ga, 1
+fiftyshadesofluca.ml, 1
+fig.ms, 1
+figaroparrucchiere.it, 1
+figbert.com, 1
+figbytes.biz, 1
+figbytes.com, 1
+fighribali.tk, 1
+fightape.cf, 1
+fightape.ga, 1
+fightape.gq, 1
+fightape.ml, 1
+fighter-planes.tk, 1
+fighting-turtle.tk, 1
+fightingshit.tk, 1
+fightingtigerbet888.com, 1
+fightsupplies.co.uk, 1
+figibi.com, 1
+figl.net, 1
+figliasons.com, 1
+figma.com, 1
+figmalover.com, 1
+figshare.com, 1
+figsrugbyleague.com.au, 1
+figura.cz, 1
+figuras.tk, 1
+figurasdelinguagem.com.br, 1
+figure.com, 1
+figure.nz, 1
+figuro.la, 0
+figuurzagers.nl, 0
+fihatest.ml, 1
+fiilr.com, 1
+fiix.io, 1
+fija.org, 1
+fijibutterflyfishcount.com, 1
+fijimarinas.com, 1
+fijiresortforsale.com, 1
+fijisharkcount.com, 1
+fijnefeestdageneneengelukkignieuwjaar.nl, 1
+fijnewoensdag.nl, 1
+fiken.no, 1
+fikirblog.net, 1
+fikirtasarim.net, 1
+fikong.com, 1
+fikrinet.tk, 1
+fikriwildannugraha.com, 1
+fiksem-it.nl, 1
+fil-tec-rixen.com, 1
+fil.fi, 0
+filamentia.nl, 1
+filanthropystar.org, 1
+filantropikum.com, 1
+filapanel.com, 1
+filaretihairlove.gr, 1
+filcosplay.tk, 1
+file-cloud.eu, 1
+file-recovery-mac.com, 1
+file.ac, 1
+file.doctor, 1
+file24.tk, 1
+filebox.one, 1
+filecopa.com, 1
+filedesc.com, 1
+filedoom.ml, 1
+filehash.de, 1
+filehippo.com, 1
+filehippo.jp, 1
+filehorsefile.com, 1
+fileio.io, 1
+filejo.com, 1
+filek.ga, 1
+fileon.com, 1
+fileplanet.com, 1
+fileport.io, 1
+filequit.xyz, 1
+files.com, 0
+files.from-me.org, 1
+files.to, 1
+filesense.com, 1
+fileservicios.com.ar, 1
+fileshare.party, 1
+filesharingshop.com, 1
+filesoup.io, 1
+filestar.io, 1
+filestartest.io, 1
+filetransfer.one, 1
+filezilla-project.org, 1
+filhodohomem.com, 1
+filhomes.ph, 1
+fili.com, 1
+filidorwiese.nl, 1
+filigrana.tk, 1
+filiio.com, 1
+filiotech.com, 1
+filiotech.pl, 1
+filip-prochazka.com, 0
+filipadamczak.com, 1
+filipi.no, 1
+filipinasdailynews.tk, 1
+filipinochinese.tk, 1
+filipinostaff.uk, 1
+filipn.cz, 1
+filippo.io, 1
+filippoberio.co.uk, 1
+filippodanesi.it, 0
+filipstaffa.net, 1
+filizaker.tk, 1
+filleritemsindia.com, 1
+fillmorecountyne.gov, 1
+fillmysuitca.se, 1
+fillo.com.tr, 1
+film-colleges.com, 1
+film-op-tv.nl, 1
+film-storyboards.com, 0
+film-storyboards.fr, 0
+film-tutorial.com, 1
+film.ru, 1
+filmarchiv-sachsen.de, 0
+filmatiporno.xxx, 1
+filmbabasi.net, 1
+filmbasar.com, 1
+filmbest.tk, 1
+filmcorner.tk, 1
+filmdates.co.uk, 1
+filme-onlines.com, 1
+filmedonstage.com, 1
+filmezzunk.hu, 1
+filmfestivalflix.com, 1
+filmfog.cf, 1
+filmfog.ga, 1
+filmimpact.com, 1
+filmisfun.com, 1
+filmisfun.net, 1
+filmizleindir.tk, 1
+filmkode.com, 1
+filmnet.pl, 1
+filmnetz.tk, 1
+filmoffice.pl, 1
+filmosliw.cf, 1
+filmotekaplus.pl, 1
+filmovka.pl, 1
+filmowanie-dronem.com.pl, 1
+filmphotograph.com, 1
+filmpornofrancais.fr, 1
+filmpronet.in, 1
+filmsearch.tk, 1
+filmserver.de, 1
+filmsidan.tk, 1
+filmsite-studio.com, 1
+filmsleague.com, 1
+filmtheaternieuwegein.tk, 1
+filmwallpapers.ml, 1
+filmyporno.net, 1
+filmzwesela.online, 1
+filobot.xyz, 1
+filokiralama.name.tr, 1
+filosofare.tk, 1
+filosofia.tk, 1
+filosofiskaeleonora.se, 1
+filpromer.com, 1
+filstop.com, 1
+filter-kiev.com, 1
+filterlists.com, 1
+filtershekanha.com, 1
+filthyapartmenters.ga, 1
+filthyapartmentest.ga, 1
+filtr.me, 1
+filworx.com, 1
+fimc-biodiversityportal.org, 1
+fimfiction.net, 1
+fimozin.ga, 1
+fimp.pt, 1
+fimsquad.com, 1
+fin-ware.ru, 1
+fin.ddns.net, 1
+fin.ee, 0
+fina-foxy.com, 1
+finagosolo.com, 1
+finaktiv.tk, 1
+final-expense-quotes.com, 1
+final-rest.co.uk, 1
+final-x.com, 1
+final.ac, 1
+finalashes.tk, 1
+finalesuperuser.com, 1
+finalfate.tk, 1
+finalfoursteam.tk, 1
+finalfourstream.tk, 1
+finalgambit.band, 1
+finalleopard.tk, 1
+finalmenteazul.pt, 1
+finalonline.tk, 1
+finalrewind.org, 1
+finaltouchmusic.net, 1
+finalweapon.net, 1
+finalworkdriesstef.tk, 1
+finalx.nl, 1
+finanalysis.com, 1
+finance-colleges.com, 1
+finance-consulting.ga, 1
+finance-devils.com, 1
+finance-equation.co.uk, 1
+finance-news.ga, 1
+financeaffiliateprograms.com, 1
+financecontrol.tk, 1
+financedepth.com, 1
+financedraft.com, 1
+financeforafrica.com, 1
+financeguest.com, 1
+financehindi.com, 1
+financeinterface.tk, 1
+financejobs.ch, 1
+financelong.com, 1
+financemagnates.com, 1
+financemain.com, 1
+financenews.tk, 1
+financepen.com, 1
+financeplush.com, 1
+financepre.com, 1
+financestead.com, 1
+financethrive.com, 1
+financetwenty.com, 1
+financewhile.com, 1
+financewithcromulent.com, 1
+financial-law.tk, 1
+financial-standby.de, 1
+financialfreedomaus.com, 1
+financialfrolicker.com, 1
+financialhost.org, 1
+financialmoveers.ga, 1
+financialmoveest.ga, 1
+financialnews.today, 1
+financialopticshq.com, 0
+financialplannerworld.com, 1
+financniexperti.sk, 1
+finansified.com, 1
+finansinspektionen.se, 1
+finanstilsynet.dk, 1
+finansy.tk, 1
+finanz-planer.net, 1
+finanzasydinero.com, 1
+finanzconsult.org, 1
+finanzen-az.com, 1
+finanzen-weblog.de, 1
+finanzierung-sofortzusage.de, 1
+finanztime.com, 1
+finanzwende-recherche.de, 1
+finaster.com.br, 1
+finax.eu, 1
+finbio.cf, 1
+fincabank.kg, 1
+fincafresh.is, 1
+fincarebank.com, 0
+fincas-ruiz.com, 1
+fincent.xyz, 1
+finch.am, 1
+finch.ga, 1
+finchkeeper.com, 1
+finchnest.co.uk, 1
+finchtechie.com, 1
+fincities.tk, 1
+find-mba.com, 1
+findahero.com.au, 1
+findairconditioningers.ga, 1
+findairconditioningest.ga, 1
+findallgames.com, 1
+findanengineer.com, 1
+findapinball.com, 1
+findautoloan.ml, 1
+findbalancedliving.com, 1
+findcanary.com, 1
+findcbdoilnearme.com, 1
+findcep.com, 0
+finddecisionsest.ga, 1
+findedeinencoach.net, 1
+findelahistoria.com, 1
+finder.bike, 1
+findete.tk, 1
+findeth.io, 1
+findheim.at, 0
+findhow.org, 1
+findingawesome.com, 1
+findinggenius.com, 1
+findingimagesers.ga, 1
+findingimagesest.ga, 1
+findingkorea.com, 0
+findingneverlandthemusical.com, 1
+findings.co, 1
+findingtheuniverse.com, 1
+findingturkeyers.ga, 1
+finditez.com, 1
+findlayohio.gov, 1
+findlimitsers.ga, 1
+findlocalproduce.co.uk, 1
+findmail.ga, 1
+findmassmoney.gov, 1
+findme.partners, 1
+findmentalhealth.co.uk, 1
+findmespot.com, 1
+findmybottleshop.com.au, 1
+findmycare.ca, 1
+findmyfamily.org, 1
+findmytricks.com, 0
+findnhmoney.gov, 1
+findolino.at, 1
+findoon.de, 1
+findoutlyrics.com, 1
+findprivateinvestor.com, 1
+findrejsepartner.dk, 1
+findsalmonest.ga, 1
+findscan.me, 1
+findschool.ge, 1
+findsingledating.ml, 1
+findstorenearme.ca, 1
+findstorenearme.co.uk, 1
+findstorenearme.us, 1
+findsupport.gov, 1
+findthatnude.com, 1
+findthere.net, 1
+findtrain.tk, 1
+findtreatment.gov, 1
+findwell.be, 1
+findyour.diet, 1
+findyourdreams.tk, 1
+findyouridealpartner.com, 1
+findyourstores.com, 1
+findyourvoice.ca, 1
+fine-services.paris, 1
+fineartbead.de, 1
+fineartbyjames.co.uk, 1
+fineartofguitar.com, 1
+finecocoin.io, 1
+finecraft.cc, 1
+finefriends.nl, 1
+finefriendsapp.com, 1
+finehealth.ru, 0
+finehomesource.com, 1
+finelineaestheticstx.com, 0
+finenet.com.tw, 1
+fineshare.tk, 1
+finesio.sk, 1
+finesoon.net, 1
+finessedentalrancho.com, 1
+finestblingers.ga, 1
+finestblingest.ga, 1
+finestrabatalera.tk, 1
+finestreview.cf, 1
+finet.se, 1
+finex.by, 1
+finexity.com, 1
+finexo.ch, 1
+finfleet.id, 1
+finfocus.today, 1
+finform.ch, 1
+finfowe.com, 1
+fingerlakesgaming.com, 1
+fingerprint.com, 0
+fingerprintjs.com, 1
+fingerscrossed.style, 1
+fingertight.ga, 1
+finhelp.ga, 1
+fini-de-jouer.ch, 0
+finicity.com, 1
+finilaviolence.gc.ca, 1
+finion.com, 1
+finishingpasteers.ga, 1
+finishingpasteest.ga, 1
+finishmaster.com, 1
+finisron.in, 1
+finkelstein.fr, 1
+finlandcook.online, 1
+finlandcook.top, 1
+finlaylloyd.com, 1
+finlib.in, 1
+finlito.tk, 1
+finliz.com, 1
+finmozg.ru, 1
+finn-svoboda.cf, 1
+finn-thorben.me, 1
+finn.io, 1
+finnclass.cz, 1
+finndel.no, 1
+finnhjelpemidler.no, 1
+finnishclothing.tk, 1
+finnishconsulting.com, 1
+finnjumping.tk, 1
+finnkupongkoder.no, 1
+finnwea.com, 0
+finom.co, 1
+finovate.com, 1
+finpomosh.gq, 1
+finprison.net, 1
+finpt.com, 0
+finqk.nl, 1
+finqueslaromanica.com, 1
+finr.fr, 1
+fins.money, 1
+finscan.com, 1
+finsecurity.eu, 1
+finsight.com, 1
+finsprings.org, 1
+finst.com, 1
+finstererlebnis.de, 1
+fintechaccelerate.com, 1
+finteo.de, 1
+fintracker.ca, 1
+fintry.ca, 0
+finturio.de, 1
+finvantage.com, 1
+finvantive.com, 1
+finvantive.nl, 1
+finverse.com, 1
+finwarriors.tk, 1
+finwe.info, 1
+finzy.com, 1
+fionahengartner.ch, 1
+fionamcbride.com, 1
+fionna.io, 1
+fiore31.fr, 1
+fiorellaweddings.com, 1
+fiorenzaperfumhome.com.br, 1
+fioriepiante.info, 1
+fioristionline.it, 1
+fioristionline.net, 1
+fiosgenomics.com, 1
+fioulmarket.fr, 1
+fipackaging.com, 1
+fiphfp.fr, 1
+fipo.life, 1
+fipq.tk, 1
+fir.ch, 1
+firatcakir.com.tr, 1
+firatnews.com, 1
+firatofm.tk, 1
+firaun.tk, 1
+firc.de, 1
+fire, 1
+fire-eyes.tk, 1
+fire-places.tk, 1
+fire-schools.com, 1
+fire-science-schools.com, 1
+firealarms.gq, 1
+fireballsteven.tk, 1
+firebaseio.com, 1
+firebirdrangecookers.com, 1
+firebounty.com, 1
+fireboxfood.com, 1
+firebrandchurch.com, 1
+firecask.com, 1
+firechip.cc, 1
+firecity.tk, 1
+firecore.com, 1
+firecry.org, 1
+firedemons.tk, 1
+firedo.de, 1
+firedup4success.com, 1
+fireeye.tk, 1
+firefart.at, 0
+firefense.com, 1
+firefightergarage.com, 1
+fireflygatlinburg.com, 1
+fireglow.de, 1
+fireinthedeep.com, 1
+fireintheholevideos.tk, 1
+fireleadership.gov, 1
+firelinkshrine.xyz, 1
+firemail.de, 1
+firemaker.tk, 1
+firenews.cf, 1
+firenza.org, 1
+firenzetoday.it, 1
+fireoakstrategies.com, 1
+fireperformerstoronto.com, 1
+fireplacerepairlasvegas.com, 1
+fireplex.co.uk, 1
+fireportal.cz, 1
+fireportal.sk, 1
+fireradio.tk, 1
+firerain.me, 1
+fireservicerota.co.uk, 1
+fireshellsecurity.team, 1
+firesofheaven.org, 1
+firesolutionsinc.com, 1
+firestart.tk, 1
+firestarter.fi, 1
+firestickhacks.com, 1
+firestuff.org, 1
+firetotheprisons.org, 1
+firetrunk.com, 1
+fireurboss.tk, 1
+firevap.org, 1
+firewall.net.za, 1
+firewallremoval.cf, 1
+firewallremovalers.ga, 1
+fireware.tk, 1
+fireworksshowvr.com, 1
+firexarxa.de, 1
+firexfly.com, 1
+firexp.tk, 1
+firingsquad.tk, 1
+firma-cerny.cz, 1
+firma-offshore.com, 1
+firmador.cloud, 1
+firmador.online, 1
+firmaet.com, 1
+firmajulegaver.dk, 1
+firmale.com, 1
+firmament.space, 1
+firmament.tk, 1
+firmanali.com, 1
+firmant.me, 1
+firmapi.com, 1
+firmennie-crossovki.tk, 1
+firmenwerbung-vermarktung.de, 1
+firmfoundationsconsulting.com, 0
+firmkernel.tk, 1
+firmware.science, 1
+firobe.fr, 1
+firouz.tk, 1
+firsov.gq, 1
+first-aid-kit.net, 0
+first-house.no, 1
+first-hyp.de, 1
+first-legion.eu, 1
+first-money.tk, 1
+first-ns.com, 0
+first-time-offender.com, 1
+first-wishes.com, 1
+first.org, 1
+first4it.com, 1
+firstbankkansas.com, 1
+firstbaptistchurchofchrist.org, 1
+firstbooks.ml, 1
+firstbus.co.uk, 1
+firstcallnc.com, 1
+firstcapitalfcu.com, 1
+firstcentralsavings.com, 1
+firstchoicebouncycastlehire.co.uk, 1
+firstchoicefriseur.at, 1
+firstchoicejunkservice.com, 1
+firstchurchmn.org, 1
+firstcitizensbank.com, 1
+firstclass.com.kh, 1
+firstclasscastles.com, 1
+firstclassleisure.co.uk, 1
+firstclassnuisance.tk, 1
+firstclinic.tk, 1
+firstcoastsir.com, 1
+firstcoastteaco.com, 1
+firstcolonyengraving.com, 1
+firstcommunity.com, 1
+firstcontact.cf, 1
+firstdent.ro, 1
+firstdry.com.br, 1
+firstechpayments.com, 0
+firstfinanceit.com, 1
+firstfinca.de, 1
+firstgov.gov, 1
+firstgradeframeofmind.com, 1
+firstimpressionsecuritydoors.com, 1
+firstlab.com, 1
+firstlayout.net, 1
+firstlegal.group, 1
+firstlightfusion.com, 1
+firstlightinspirations.tk, 1
+firstload.tk, 1
+firstmall.de, 1
+firstmarket.tech, 1
+firstname.tk, 1
+firstnet.gov, 1
+firstnetwork.cf, 1
+firstnetworksouth.com, 1
+firstorion.com, 1
+firstperformance.ro, 1
+firstphilec.com, 1
+firstplace.ga, 1
+firstq.xyz, 1
+firstqa.com, 1
+firstresponder.gov, 1
+firstserviceplumbing.com, 1
+firstshowing.net, 1
+firstsiteguide.tk, 1
+firsttimer.tk, 1
+firsttimeround.tk, 1
+firsttimeshopperers.ga, 1
+firsttimeshopperest.ga, 1
+firstup.io, 1
+firstversionist.com, 1
+firstwebring.tk, 1
+firstwordpharma.com, 1
+firthidaho.gov, 1
+firtreetechnology.co.uk, 1
+fis.io, 1
+fisa.net.za, 1
+fiscalidadresiduos.org, 1
+fiscalitatresidus.org, 1
+fischbacher-reisebuero.de, 1
+fischer-group.com, 1
+fischer-immoteam.de, 1
+fischer-its.com, 0
+fischer-kundendienst.de, 1
+fischer-programmierung.ch, 0
+fischer-wasels-medizin.de, 1
+fischerfutureheat.de, 1
+fischerp.net, 1
+fischers.srv.br, 1
+fischersports.com, 1
+fisciences.com, 1
+fiscoeconti.it, 1
+fish-hook.ru, 1
+fish-n-chips.uk, 1
+fish.lgbt, 1
+fish2.me, 1
+fish24.bg, 1
+fishbattle.io, 1
+fishbattle.net, 1
+fishbrain.com, 1
+fishcorp.dk, 1
+fishergo.ml, 1
+fishergo.tk, 1
+fishermailbox.net, 1
+fisherman-union.ml, 1
+fishermansbend.apartments, 1
+fishermansbendcorporation.com.au, 1
+fishermansbendtownhouses.com.au, 1
+fishersin.gov, 1
+fishfive.top, 1
+fishgen.no, 1
+fishingworld.tk, 1
+fishingzone.bg, 1
+fishlanestudios.com, 1
+fishman.idv.tw, 1
+fishoftheday.tv, 1
+fishoilsafety.com, 1
+fishport.cloud, 1
+fishserver.net, 1
+fishtacos.blog, 1
+fishtank.ga, 1
+fishycam.com, 1
+fishygames.ml, 1
+fishyscans.tk, 1
+fishystuff.cf, 1
+fisinfomanagerdr.com, 1
+fisio-clinics.com, 1
+fisiobox.eu, 1
+fisiodomiciliargoiania.com.br, 1
+fisionutri.com.br, 1
+fisioterapia-online.com, 1
+fisioterapiaalquimia.com, 1
+fisioterapialanchares.com, 1
+fisioterapista.roma.it, 1
+fisiotohome.com, 1
+fiskelures.se, 1
+fission.moe, 1
+fistingtogether.com, 1
+fisvo.org, 0
+fit-4u.ch, 0
+fit-mit-nina.com, 1
+fit-mit-system.eu, 1
+fit-portal.ru, 1
+fit365.jp, 0
+fit81.com, 1
+fit81.it, 1
+fitandfightrijswijk.nl, 1
+fitanu.com, 1
+fitas.store, 1
+fitasdobonfim.com, 1
+fitawakening.co.uk, 1
+fitbase.cf, 1
+fitbase.fitness, 1
+fitbizcpa.org, 1
+fitbodyestetica.com.br, 1
+fitbylo.com, 1
+fitcamp.fitness, 1
+fitch.group, 1
+fitchannel.com, 1
+fitchconnect-stg.com, 1
+fitchconnect.com, 1
+fitchpeople.nl, 1
+fitcoachion.com, 1
+fitcrewhn.com, 1
+fitculator.com, 1
+fite.family, 0
+fitecleaningservices.com, 1
+fitekin.com, 1
+fitequilibrio.com.br, 1
+fiteveryday.co.uk, 1
+fitflaop.ga, 1
+fitfocusau.com.au, 1
+fitfoodfab.nl, 1
+fitfoodrecipe.com, 1
+fitikafo.com, 1
+fitint.ro, 1
+fitlinewellnesscoach.com, 1
+fitmommyinheels.com, 1
+fitmybike.eu, 0
+fitness-challenge.co.uk, 1
+fitness-world.ga, 1
+fitness.edu.au, 1
+fitness.gov, 1
+fitnessbenefit.com, 1
+fitnessbest.com, 1
+fitnessbond.com, 1
+fitnessfoodguide.com, 1
+fitnesshaber.com, 1
+fitnessimage.com.au, 1
+fitnesskarate.club, 1
+fitnessmaus.com, 1
+fitnessplanet.best, 1
+fitnessstudio-website.de, 1
+fitnesstotal.com.br, 1
+fitnesstrainer-website.de, 1
+fitnessunder50.com, 1
+fitnessup.fr, 1
+fitnessupay.com, 1
+fitnessupreme.com, 1
+fitnessvocab.com, 1
+fitnessvolt.com, 1
+fitnetion.com, 1
+fitnhot.com, 1
+fitnur.com, 1
+fitnutkatie.com, 1
+fitnutricode.pt, 1
+fito.tk, 1
+fitodifesa.it, 1
+fitotovar.ru, 1
+fitpass.co.in, 1
+fitrecepty.info, 1
+fitspo.net, 1
+fitspring.com, 1
+fittelo.cz, 1
+fittherapy.biz, 0
+fitxxxsandy.net, 1
+fitzsim.org, 1
+fiu.ee, 0
+fius.de, 1
+five.sh, 1
+fiveboosts.xyz, 1
+fivecrm.com, 1
+fivefortheroad.com, 1
+fivegraces.com, 1
+fiveminute.tk, 1
+fivemm.shop, 1
+fivemods.io, 1
+fivepb.me, 1
+fivepedia.tk, 1
+fiveslice.pizza, 1
+fivestar.et, 1
+fivestartrader.com, 1
+fivetecnologia.com, 1
+fivethirtyeight.com, 1
+fiveyearsahead.com, 1
+fix-boredom.ml, 1
+fix-css.com, 1
+fix-ru.ga, 1
+fix-the-timeline.com, 1
+fix-the-timeline.org, 1
+fix.mk, 1
+fixedfeeplacements.co.uk, 1
+fixedgear.tk, 1
+fixedmatch.bet, 1
+fixedtoday.com.au, 1
+fixerra.tech, 1
+fixfd.com, 1
+fixfix.ch, 1
+fixfm.tk, 1
+fixforce.nl, 1
+fixi.dk, 1
+fiximage.net, 1
+fixingscrews.co.uk, 1
+fixmobile.online, 1
+fixmyalarmpanel.co.uk, 1
+fixmyglitch.com, 1
+fixodent-fr-fr-swapper.azurewebsites.net, 1
+fixodent.fr, 1
+fixorg.ru, 1
+fixpart.de, 1
+fixpart.nl, 1
+fixpix.gq, 1
+fixplusflex.de, 1
+fixpoint.co.at, 1
+fixpoint.systems, 1
+fixthetimeline.com, 1
+fixthetimeline.org, 1
+fixturemundial.com, 1
+fixupx.com, 1
+fixverkaufen.de, 1
+fixville.co, 1
+fiyatgrafik.com, 1
+fiyatinedir.net, 1
+fizadvocaten.nl, 1
+fizeau.com, 1
+fiziktedavi.name.tr, 1
+fizjo-strefa.com, 1
+fizjonell.pl, 1
+fizjoterapia.uk, 1
+fizjourogeek.pl, 1
+fizmiks.lv, 1
+fizmix.lv, 1
+fizyonetistanbul.com, 1
+fizyoterapi.name.tr, 1
+fizz.buzz, 1
+fizz.cloud, 1
+fizz.space, 1
+fizz.studio, 1
+fizz.systems, 1
+fizz.team, 1
+fizz.technology, 1
+fizz.tools, 1
+fizz.zone, 1
+fizzcharts.com, 1
+fizzcompetitions.com, 1
+fizzcoronationstreetdied.cf, 1
+fizzcreativemedia.com, 1
+fizzpopmedia.com, 1
+fizzstudio.org, 1
+fj.je, 1
+fj.search.yahoo.com, 0
+fjallbackacamping.se, 1
+fjallconnections.com, 1
+fjant.tk, 1
+fjco.alsace, 1
+fjerhammer.dk, 1
+fjharcu.com, 1
+fjkl.uk, 1
+fjnuacm.top, 1
+fjordboge.dk, 1
+fjordenpaard.tk, 1
+fjordtorsk.se, 1
+fjsb.com, 1
+fjugstad.com, 1
+fjzone.org, 1
+fkaoi.net, 1
+fkbae.to, 1
+fkcdn.de, 1
+fkfev.de, 1
+fkgfw.men, 1
+fklegal.com, 1
+fkmt-server.net, 1
+fkosquad.moe, 1
+fktpm.ru, 1
+fl-ad.com, 1
+fl-catering.ru, 1
+fl.ru, 1
+fl3xx.com, 1
+flabacinov.ga, 1
+flabutelov.tk, 1
+flacandmp3.ml, 1
+flacon.tk, 1
+flacsoandes.edu.ec, 1
+fladnag.net, 1
+flaeskeklubben.dk, 1
+flaeskeklubben.eu, 1
+flagburningworld.com, 1
+flagcdn.com, 1
+flagfox.net, 1
+flaggorvarlden.se, 1
+flaggrimsby.co.uk, 1
+flagi-panstw.pl, 1
+flagipanstw.info.pl, 1
+flagipanstw.pl, 1
+flagistrany.ru, 1
+flaglercounty.gov, 1
+flaglerelections.gov, 1
+flaglermosquito.gov, 1
+flagma-no.com, 1
+flagma.biz.tr, 1
+flagma.by, 1
+flagma.de, 1
+flagma.es, 1
+flagma.hu, 1
+flagma.pl, 1
+flagma.ua, 1
+flagma.uz, 1
+flagpedia.asia, 1
+flagpedia.net, 1
+flagriculture.gov, 1
+flagspot.net, 0
+flagstone-magazin.ro, 0
+flagthis.com, 1
+flagyl-500-mg.ga, 1
+flair.nl, 1
+flaite.com, 1
+flakytest.com, 1
+flam.studio, 1
+flaman-h7a.fr, 1
+flamehaze.tk, 1
+flamencoexplained.com, 0
+flamencoshoes.tk, 1
+flamengopi.tk, 1
+flamentecnic.tk, 1
+flameofthoughts.tk, 1
+flameport.com, 1
+flamer-scene.com, 0
+flamet.eu, 0
+flameviper.tk, 1
+flamingcow.tv, 1
+flaminggorgefireandems.gov, 1
+flamingkeys.com, 1
+flamingogroup.vn, 1
+flamingoroute.tk, 1
+flamingowomenspavilion.com, 1
+flamme-von-anor.de, 1
+flammy.tk, 1
+flamoes.be, 1
+flamtky.de, 1
+flana.com, 1
+flanadot.com, 1
+flanagan.tk, 1
+flanderslaw.com, 1
+flandersmake.be, 1
+flanga.io, 0
+flanigan.tk, 1
+flapoverspeed.com, 1
+flapperistic.tk, 1
+flare.cloud, 1
+flareian.com, 1
+flaretechnologies.io, 1
+flarewalker.com, 1
+flarewalker.eu, 1
+flarewalker.net, 1
+flarewalker.org, 1
+flareweb.it, 1
+flart.studio, 1
+flart.tk, 1
+flarumtr.com, 1
+flasaki.gr, 1
+flash-games.tk, 1
+flash.homes, 1
+flashback.org, 1
+flashbackband.tk, 1
+flashbeat.tk, 1
+flashcardsmobile.com, 1
+flashcover.com.br, 1
+flasheschile.tk, 1
+flashgamedev.tk, 1
+flashgamesplayer.com, 1
+flashgot.net, 1
+flashigra.tk, 1
+flashingblinkylights.com, 1
+flashissue.com, 1
+flashkeysers.ga, 1
+flashlearners.com, 1
+flashlightchart.com, 1
+flashpegasus.com.br, 1
+flashscores.tk, 1
+flashset.tk, 1
+flashuk.com, 1
+flassetlocators.com, 1
+flaszka.com, 1
+flat-cdn.com, 1
+flat-embed.com, 1
+flat-tire.biz, 1
+flat.io, 1
+flatart.pl, 1
+flatbellyreview.com, 1
+flatbook.one, 1
+flatcast.tk, 1
+flatcoated.tk, 1
+flatheadelectric.com, 1
+flathome.co.jp, 1
+flaticons.net, 1
+flatlandchurch.com, 0
+flatmail.net, 1
+flatmail.pl, 1
+flatmatehub.com.au, 1
+flatpackmates.co.uk, 1
+flatplanet.tk, 1
+flatrate.com, 0
+flatreviews.co.nz, 1
+flatrooms-chiemgau.de, 1
+flatsomestudio.ir, 1
+flatsurfers.eu, 1
+flattie.cz, 1
+flatwoodsky.gov, 1
+flauschig.net, 1
+flavelappliances.com, 1
+flaviao.com, 1
+flavinha.tk, 1
+flavinus.fr, 1
+flaviu.co.uk, 1
+flavo.io, 1
+flavorblogers.ga, 1
+flavorblogest.ga, 1
+flawed.world, 1
+flawedworld.com, 1
+flawless-gaming.tk, 1
+flawlesscowboy.xyz, 1
+flawlessly.tk, 1
+flawlessweddings.nl, 1
+flayla.tk, 1
+flblog.top, 0
+flcatering.com, 1
+flcgil.it, 1
+flcma.gov, 1
+flcourts.gov, 1
+flcttn.com, 1
+fldjj.gov, 1
+fldsmdfr.nl, 1
+flealab.it, 1
+flechatec.net.br, 0
+fleche-ardennaise.be, 1
+flect.net, 1
+fleeb.xyz, 1
+fleep.io, 1
+fleeps.co, 0
+fleesty.dynv6.net, 1
+fleet-group.com, 1
+fleet-search.com, 1
+fleet.gov, 1
+fleetcomplete.com, 1
+fleetcor.at, 1
+fleetcor.ch, 1
+fleetcor.cz, 1
+fleetcor.de, 1
+fleetcor.fr, 1
+fleetcor.hu, 1
+fleetcor.lu, 1
+fleetcor.nl, 1
+fleetcor.pl, 1
+fleetcor.sk, 1
+fleetcorcards.be, 1
+fleetlinkatlascopco.com, 1
+fleetofhope.tk, 1
+fleetsmith.com, 1
+fleetssl.com, 1
+fleettools.tk, 1
+fleetyards.net, 1
+flehm.de, 1
+fleisch.club, 1
+fleischkaes.de, 1
+fleki.hu, 1
+flemberg.com, 1
+fleming.de, 1
+flemingmccullagh.com, 1
+flemingtonaudiparts.com, 1
+flemishopelclub.tk, 1
+flens.dance, 1
+flensburg-hilft-flensburg.de, 1
+flerstourisme.fr, 1
+fleshtone.tk, 1
+fleshwound.tk, 1
+fletcherdigital.com, 1
+fletcherdoescrime.com, 1
+fletchmusic.tk, 1
+fletchto99.com, 1
+fletesymudanzasbaratas.com, 1
+flets-ms.com, 1
+fleurdelune.it, 1
+fleurenplume.fr, 1
+fleurette.me, 1
+fleuriste-cannes.fr, 1
+fleuromance.ga, 1
+fleursdesoleil.fr, 0
+fleursdujour.ph, 1
+fleuryfleury.com, 1
+flevoland.nl, 1
+flex-one.fr, 1
+flex1solutions.com, 1
+flexalert.org, 1
+flexapplications.se, 1
+flexartsocial.com, 1
+flexbpo.com.br, 1
+flexcube.ch, 1
+flexdesign.fr, 1
+flexdrukker.nl, 1
+flexforcemonkey.com, 1
+flexgs.ca, 1
+flexgs.net, 1
+flexhyp.de, 1
+flexi-dance.pl, 1
+flexiblenetflow.com, 1
+flexibsd.com, 1
+flexicano.nl, 1
+flexicurity.tk, 1
+fleximus.org, 0
+flexingpro.com, 1
+flexinsurance.com.au, 1
+flexinvesting.fi, 0
+flexirobes.com.au, 1
+flexitanq.es, 0
+flexman.tk, 1
+flexmedia.tk, 1
+flexopus.com, 1
+flexphonesest.ga, 1
+flexpoint.com.br, 1
+flexport.com, 1
+flexsocialbox.com, 1
+flexsuplementos.com.br, 1
+flextrades.com, 1
+flextribly.xyz, 1
+flextudo.com, 1
+flextyp.com, 1
+flextypes.com, 1
+flexundfix.de, 1
+flexve.com, 1
+flexworkhero.de, 1
+flfl.de, 1
+flgaming.gov, 1
+flhealthcharts.gov, 1
+fliacuello.com.ar, 1
+flibanserina.com, 1
+flicerdowneh.cf, 1
+flickcritter.com, 1
+flickdirect.com, 1
+flicke.red, 1
+flickingercenter.com, 1
+flickor.tk, 1
+flicks2click.com, 1
+flie.co.jp, 1
+flieger-funk-runde.de, 1
+fliesen-waldschmidt.de, 1
+flight.school, 1
+flightacademy-memmingen.com, 1
+flightairport.com, 1
+flightcheapfares.com, 1
+flightdiary.cf, 1
+flightdiary.ga, 1
+flightdiary.gq, 1
+flightfrankfurt.com, 1
+flighthonolulu.com, 1
+flightjackets.tk, 1
+flightrights.gov, 1
+flightscarhire.com, 1
+flightschoolbooking.com, 1
+flightschoolcandidates.gov, 1
+flightschoolxxi.com, 1
+flightstimes.com, 1
+flightstoheathrow.com, 1
+flightti.com, 1
+flightticketsto.com, 1
+flightzero.cf, 1
+fliino.com, 1
+fliino.eu, 1
+fliino.info, 1
+fliino.net, 1
+fliino.org, 1
+flikmsg.co, 1
+flimnet.tk, 1
+flinch.io, 1
+fling.dating, 1
+flingflong.com, 1
+flinny.org, 1
+flintavenue.com, 1
+flintstones.tk, 1
+flip-flop.tk, 1
+flip.kim, 1
+flip.lease, 1
+flipflop.rs, 1
+flipin.ga, 1
+flipmusic.tk, 1
+flipneus.net, 1
+flipnhotdeals.com, 1
+flipos.be, 0
+flipperkast.tk, 1
+flippers-leuven.be, 1
+flipphotography.ga, 1
+flipping.land, 0
+flipsidevr.com, 1
+flipsnack.com, 1
+fliptable.org, 1
+flipthescripts.org, 1
+flipweb.tk, 1
+flirt-norden.de, 1
+flirtbox.tk, 1
+flirtee.net, 1
+flirtitup.com, 1
+flirtline.tk, 1
+flirtlu.com, 1
+flirtlu.net, 0
+flirtlu.org, 1
+flirtportalcheck24.de, 1
+flirty.tk, 1
+flixcheck.com, 1
+flixcheck.de, 1
+flixcost.com, 1
+flixed.io, 1
+flixflex.tk, 1
+flixone.com, 1
+flixpatrol.com, 1
+flixports.com, 1
+flixstats.com, 1
+flmedicaidmanagedcare.com, 1
+floart.tk, 1
+floatapp.com, 1
+floatationlocations.com, 1
+floaternet.com, 1
+floatifnghotel.cf, 1
+floatifnghotel.ga, 1
+floatifnghotel.tk, 1
+flockbox.club, 1
+flocktofedora.org, 1
+floersheimer-openair.de, 1
+floffi.media, 1
+flofr.gov, 1
+floify.com, 1
+floir.gov, 1
+floj.tech, 1
+flokinet.is, 1
+flokinet.social, 1
+flokinet.to, 1
+flokkr.com, 1
+floline.fr, 1
+flom.fi, 1
+flomax385.tk, 1
+flomedia.pl, 1
+flomeyer.de, 1
+floneo.fr, 1
+flonharmonymassage.space, 1
+floobits.com, 1
+floodboss.ml, 1
+flooddoctorva.com, 1
+floodguypro.com, 1
+floodheroessaltlakecity.com, 1
+floodsmart.gov, 1
+floogulinc.com, 1
+flooood.tk, 1
+floor3.co.uk, 1
+floorballphilippines.tk, 1
+floorhoursers.ga, 1
+floorhoursest.ga, 1
+flooringbidest.ga, 1
+flooringnightmares.com, 1
+flooringsourcetx.com, 1
+floors4lessbay.com, 1
+floort.net, 1
+floosak.co, 1
+flooz.trade, 0
+flop.tk, 1
+floppa.com.br, 1
+floppomoppo.ml, 1
+floppy.tk, 1
+flora-nova.tk, 1
+floraclick.net, 1
+florademurcia.tk, 1
+floraexpress.it, 1
+florafaunafavourites.co.uk, 1
+floragarden.tk, 1
+florahospitality.com, 1
+floralin.se, 1
+floralworkshopsers.ga, 1
+floranext.com, 1
+florante.com, 1
+florasite.tk, 1
+florausa.net, 0
+floravan.com, 1
+floravino.de, 1
+florealatelier.com, 1
+florebrasil.com.br, 1
+floreg.com, 1
+florence.com.tr, 1
+florencecountywi.gov, 1
+florenceutilitieswi.gov, 1
+florencewi.gov, 1
+florenciaextrema.tk, 1
+florenciasabio.com, 1
+florent-tatard.fr, 1
+floresastrid.tk, 1
+floresdocesfloricultura.com.br, 1
+floresgioiellishop.com, 1
+floresvilleedc.org, 0
+florevit.com, 1
+florhamparknj.gov, 1
+floria.online, 1
+florian-bachelet.fr, 1
+florian-knorn.com, 1
+florian-puschmann.de, 1
+florian-thie.de, 1
+florian2833z.de, 1
+florianartisans.com, 1
+florianbecker.it, 1
+florianbouchet.fr, 1
+floriankarmen.com, 1
+florianmitrea.uk, 1
+florianschmitt.ca, 1
+florianschmitt.tech, 1
+florianstroeger.com, 1
+florianstroeger.tk, 1
+floriantanner.ch, 1
+florianysantiago.com, 1
+floricultura24h.com.br, 1
+florida-estetica.com, 1
+florida-online.tk, 1
+florida-prep.org, 1
+floridaagriculture.gov, 1
+floridabrightfutures.gov, 1
+floridaconsumerhelp.gov, 1
+floridados.gov, 1
+floridaethics.gov, 1
+floridafabrication.net, 1
+floridafieros.org, 1
+floridafx.gov, 1
+floridahealthcareconnections.gov, 1
+floridaimigracao.com, 1
+floridaindependent.com, 1
+floridalegion.org, 1
+floridaplasticsurgery.com, 1
+floridapowermanagement.com, 1
+floridarrc.com, 1
+floridasexhealth.com, 1
+floridastadium.ga, 1
+floridastadiumers.ga, 1
+floridastadiumest.ga, 1
+floridastatefair.com, 1
+floridastatefair.net, 1
+floridastatefairag.com, 1
+floridastatefairauthority.com, 1
+floridasturnpike.com, 1
+floridaweightlossdoctors.com, 1
+floriebriand.com, 0
+floriimorii.tk, 1
+floris.tk, 1
+florisbrunet.com, 1
+florismouwen.com, 1
+florismouwen.nl, 1
+floristavirtual.com.br, 1
+floristeriayasmina.com, 1
+florisvdk.net, 1
+florix.tk, 1
+florlola.com, 1
+florp.social, 1
+flortal.de, 1
+floseed.fr, 1
+flossexanten.de, 1
+flosuretechnologies.com, 1
+floth.at, 1
+flothost.com, 1
+flothow.com, 1
+flourishdx.com, 1
+flourishgrazingevents.co.uk, 1
+flourishtogether.com, 1
+flow-serv.com, 1
+flow.su, 1
+flowair24.ru, 1
+flowalizer.com, 1
+flowalyzer.com, 1
+flowauditor.com, 1
+flowbuk.me, 1
+flowbyjonascaldeira.com, 1
+flowcount.xyz, 1
+flowcrypt.com, 1
+flowdise.com, 1
+flower5.org, 1
+flowercare.tk, 1
+flowercityflavor.com, 0
+flowerdelivery.tk, 1
+flowerdesign.tk, 1
+flowerhub.com.au, 1
+flowermound.gov, 1
+flowerpassword.com, 1
+flowerpictures.tk, 1
+flowers-city.com.ua, 0
+flowers-shops.tk, 1
+flowers.sumy.ua, 1
+flowers2moscow.com, 1
+flowersbylegacy.com, 1
+flowerscaffe.com, 1
+flowersquito.com, 1
+flowerstateest.ga, 1
+flowerstopetersburg.com, 1
+flowerstoukraine.com, 1
+flowerstver.ru, 1
+flowerwholesale.com, 1
+flowfest.com, 1
+flowgate.net, 1
+flowgo.tk, 1
+flowhcm.com, 1
+flowheater.net, 1
+flowhopper.com, 1
+flowinformer.com, 1
+flowingdata.com, 1
+flowinity.com, 1
+flowinity.eu.org, 1
+flowinity.host, 1
+flowinvoice.com, 1
+flowio.cz, 1
+flowith.io, 1
+flowlytics.host, 1
+flowmagazine.com, 1
+flowmagazine.nl, 1
+flownonfiction.com, 1
+flownty.com, 1
+flowoodpolice.gov, 1
+flowreplicator.com, 1
+flowsave-staging.nl, 1
+flowsave.nl, 1
+flowscale.com, 1
+flowstars.tk, 1
+flowstateyoga.com.au, 1
+flowstudios.com, 1
+flowtex.tk, 1
+floydcountyga.gov, 1
+floydcova.gov, 1
+floydsofleadville.com, 1
+floyt.com, 1
+flp-pushkar.info, 1
+flpd.gov, 1
+flpd6.gov, 1
+flra.gov, 1
+flsa6.gov, 1
+flsbanners.com, 1
+flslawyer.com, 1
+flst.link, 1
+flstaging.cloud, 1
+flubio.de, 1
+flubiostudios.com, 1
+flubiostudios.de, 1
+fluconazole.gq, 1
+fluencytech.com, 1
+fluentos.com, 1
+fluessiggas.de, 1
+fluff.im, 1
+fluffycat.ga, 1
+fluffycloud.de, 1
+fluggesellschaft.de, 1
+flughafenairport.com, 1
+fluglektuere.com, 1
+flugplatz-edvc.de, 1
+flugplatzmanager.de, 1
+flugrueckerstattung.de, 1
+flugsimulatorfrankfurt.com, 1
+fluidattacks.co, 1
+fluidattacks.com, 1
+fluidbb.co.uk, 1
+fluidpicturesinc.com, 1
+fluids.ac.uk, 1
+fluidsignal.com, 1
+fluig.com, 1
+fluitbeurt.nl, 1
+flukestar.tk, 1
+flumble.nl, 1
+flunschi.goip.de, 1
+fluoxetin.ga, 1
+fluoxetin.gq, 1
+fluoxetin.tk, 1
+fluoxetine.ml, 1
+fluoxetine.net, 1
+fluoxetine2.ru, 1
+flushlife.com, 1
+flusszs.tk, 1
+fluteandpianoteaching.co.uk, 1
+flutterappdev.com, 1
+flutterfactory.io, 1
+fluxforge.com, 1
+fluxi.fi, 1
+fluxnet.tk, 1
+fluxo.space, 1
+fluxoid.com, 1
+flvs.net, 0
+flvyingeagle.ga, 1
+flws.cl, 1
+fly, 1
+fly-fjends.dk, 1
+fly.moe, 1
+flyantvirtual.tk, 1
+flyavantar.com, 1
+flyawayart.tk, 1
+flyawaybirds.ga, 1
+flybar.tk, 1
+flybis.net, 1
+flyboarder.tk, 1
+flyboyfpv.com, 1
+flybyjunkhaulers.com, 0
+flydoc.org, 1
+flyer-homes.com, 1
+flyer.tools, 1
+flyer1stg.wpenginepowered.com, 1
+flyerdatabase.tk, 1
+flyerim.com, 1
+flyfifer.co.uk, 1
+flyforpoints.com, 1
+flyforsinkelse.dk, 1
+flyforsinkelser.no, 1
+flygexpo.tk, 1
+flygforsening.se, 1
+flygon.pink, 1
+flygplanering.se, 1
+flyhealthy.gov, 1
+flying-angels.tk, 1
+flying-dudes.de, 1
+flying-press.com, 1
+flyingangels.cf, 1
+flyingbasicsest.ga, 1
+flyingcolours.tk, 1
+flyingdoggy.net, 1
+flyingdreamers.com, 1
+flyingdutchman.tk, 1
+flyinghelpline.com, 1
+flyinghigh.tk, 1
+flyinglions.tk, 1
+flyingmonkeys.tk, 1
+flyingpackets.net, 1
+flyingpotatoes.tk, 1
+flyingspaghettimonsterdonationsfund.nl, 1
+flyingtutorsers.ga, 1
+flylcpa.gov, 1
+flylvia.com, 1
+flymns.fr, 1
+flymsy.com, 1
+flyn43.com, 1
+flynn.io, 1
+flynnhub.com, 1
+flynowpaylater.com, 1
+flyp.me, 1
+flypenge.dk, 1
+flyplay.com, 1
+flypuntoazul.gq, 1
+flyserver.co.il, 1
+flyspace.ga, 1
+flyspace.ml, 1
+flyssh.net, 1
+flyswoop.com, 1
+flyt.online, 1
+flytedek.com, 1
+flythecopter.tk, 1
+flytoadventures.com, 1
+flytrap.in, 1
+flyupture.com, 1
+flywind.ml, 1
+flyxll.com, 1
+flyzold.com, 1
+flyzone.tk, 1
+flyzoomattzir.com, 1
+fm-digitize.de, 1
+fm-online.tk, 1
+fm-panel.tk, 1
+fm.ie, 1
+fmamfg.org, 1
+fmanet.org, 1
+fmarchal.fr, 1
+fmbfirefl.gov, 1
+fmbilder.se, 1
+fmbonline.com, 1
+fmc.gov, 1
+fmc.hk, 1
+fmcs.gov, 1
+fmcsa.fr, 1
+fmfp.eu, 1
+fmi.gov, 1
+fminsight.net, 1
+fmjansen.com, 1
+fmjd64.com, 1
+fmjd64.org, 1
+fmlife.tk, 1
+fmm-creative.com, 1
+fmn.nl, 1
+fmo.ca, 0
+fmorales.com, 0
+fmorales.com.ni, 0
+fmpilot2.com, 1
+fmportal.biz, 1
+fmpuertomadero.cf, 1
+fmsforestry.com, 1
+fmslovakia.com, 1
+fmstr.ml, 0
+fmt-live.de, 1
+fmussatmd.com, 1
+fnacdarty.com, 1
+fnbava.com, 1
+fnbofks.com, 1
+fnbot.shop, 1
+fnckfashion.com, 1
+fndho.ca, 1
+fndout.com, 1
+fneon.eu, 1
+fnerk.org, 1
+fnet.gr, 1
+fnet.org, 1
+fnews.tk, 1
+fnfmods.net, 1
+fnka.de, 1
+fnkr.net, 1
+fnlcontent.nl, 1
+fno.cz, 1
+fnof.ch, 1
+fnordserver.eu, 1
+fnpro.eu, 1
+fnpvenues.com, 1
+fnrs.nl, 1
+fnscatania.tk, 1
+fnwiki.com, 1
+fnz.com, 1
+foair.me, 0
+foamfortress.tk, 1
+foard.biz, 1
+foard.us, 1
+fob-china-moscow.ru, 1
+fob-china.ru, 1
+fob-india.ru, 1
+fob-iran.ru, 1
+focalforest.com, 1
+focalpoint.tk, 1
+focanamoda.com.br, 1
+focanocliente.com.br, 1
+focored.com, 1
+focus2career.com, 0
+focus2move.com, 1
+focusbet-api.com, 1
+focusbet.cc, 1
+focusbet.io, 1
+focuscomic.com, 1
+focusdemolition.com.au, 1
+focusgroup.tk, 1
+focushm.com, 1
+focusministries1.org, 1
+focusnews.in, 1
+focusoptimization.com, 1
+focusphotobooths.com, 1
+focusphotography.net, 1
+focusproductions.tk, 1
+focustec.tk, 1
+focusti.com.br, 1
+focustuningclub.tk, 1
+focuswales.com, 1
+fodder.ga, 1
+foehl.de, 1
+foej-aktiv.de, 1
+foej.net, 1
+foepwned.com, 1
+foerderverein-horrheim.de, 1
+foerderverein-rimsg.de, 1
+fof-clan.tk, 1
+foggi.cf, 1
+foggi.ml, 1
+foggiatoday.it, 1
+fognini-depablo.eu, 1
+fogu.com, 1
+foguest.com.br, 1
+fogway.net, 1
+fogworldn.com, 1
+foi.se, 1
+foiaonline.gov, 1
+foilhat.tk, 1
+foixet.com, 1
+fojing.com, 1
+fojt.cz, 1
+fojtova.cz, 1
+fojtovi.cz, 1
+fok.nl, 1
+fokan.be, 1
+fokan.ch, 1
+fokep.no, 1
+fokos.de, 0
+fokus.ag, 1
+fol.tf, 1
+folar.ga, 1
+folclore.tk, 1
+foldcle.com, 1
+foldertips.com, 1
+foldnfly.com, 1
+folf.codes, 1
+foliencenter24.com, 1
+folife.nl, 1
+folio.no, 1
+foljeton.dk, 0
+folk.as, 1
+folk.tk, 1
+folkdance.tk, 1
+folkfests.org, 1
+folkmusicworld.com, 1
+folkofolk.se, 1
+folkperu.tk, 1
+folkrace.tk, 1
+folktalerecords.tk, 1
+folktellers.tk, 1
+folkweb.net, 1
+follandviolins.com, 1
+follow-the-leader.tk, 1
+follower98.ir, 1
+followgrown.com, 1
+followlearning.com, 1
+followme.com, 1
+followmystaff.com, 1
+followpharma.com, 1
+followsbuy.com, 1
+followthatpage.com, 1
+followthecult.de, 1
+followtheevidence.me, 1
+followthepin.com, 1
+follygardens.com, 1
+folszyb.pl, 1
+foluomeng.net, 1
+folwark.krakow.pl, 1
+folwia.pl, 1
+folxhealth.com, 1
+foma.ru, 1
+foma.tk, 1
+fomo.af, 1
+fomo.exposed, 1
+fomo.trading, 1
+fomobremen.info, 1
+fomopop.com, 1
+foncorbeta.com, 1
+fondation-afnic.fr, 1
+fondation-vinci.com, 1
+fondationdesterritoires.org, 1
+fondationgus.com, 1
+fondationo2.ch, 0
+fondationwiggli.ch, 1
+fondbaikal.ml, 1
+fonds-dieter.be, 1
+fondy.ua, 1
+fondzee.cz, 1
+foneapk.com, 1
+fonga.ch, 1
+fonix.tk, 1
+fonkongres.cz, 1
+fonline.tk, 1
+fono.jp, 0
+fonrouge.tk, 1
+fonseguin.ca, 1
+fontainebleau.tk, 1
+fontanaca.gov, 1
+fontawesome.com, 1
+fonte-trading.com, 1
+fontein.de, 1
+fontela.es, 1
+fontenelegroup.com, 1
+fontnegar.ir, 1
+fontocean.com, 1
+fontplus.jp, 1
+fonts4free.net, 1
+fontsinuse.com, 1
+fontstand.com, 1
+fonzone.it, 0
+foo, 1
+foo.fo, 1
+foo.hamburg, 1
+food4healthybones.com, 1
+food4me.in, 1
+foodadaptive.ga, 1
+foodafter.ga, 1
+foodagenda.ga, 1
+foodanchor.ga, 1
+foodandseeds.com, 1
+foodarrow.ga, 1
+foodatlantic.ga, 1
+foodattitude.ch, 0
+foodauthority.ga, 1
+foodavatar.ga, 1
+foodbad.ga, 1
+foodbeast.ga, 1
+foodblod.ga, 1
+foodbody.ga, 1
+foodbounce.ga, 1
+foodboy.com, 1
+foodbrowse.ga, 1
+foodbrowser.ga, 1
+foodbuddies.ga, 1
+foodbuller.ga, 1
+foodcamel.ga, 1
+foodcaster.ga, 1
+foodcheaper.ga, 1
+foodcheapest.ga, 1
+foodclearance.ga, 1
+foodclient.ga, 1
+foodclub.lv, 1
+foodcollections.ga, 1
+foodcollector.ga, 1
+foodcorporation.ga, 1
+foodcourier.ga, 1
+foodcowgirls.com, 1
+foodcrafter.ga, 1
+foodcreativity.ga, 1
+foodcrystal.ga, 1
+foodculinaryusa.tk, 1
+foodcupcake.ga, 1
+foodcurious.ga, 1
+fooddeliverypartners.cz, 1
+fooddeliverypartners.online, 1
+fooddivine.ga, 1
+fooddodge.ga, 1
+fooddollar.ga, 1
+fooddollars.ga, 1
+fooddowntown.ga, 1
+foodeastbay.ga, 1
+foodecono.ga, 1
+foodepic.ga, 1
+foodescrow.ga, 1
+foodev.de, 1
+foodexcel.ga, 1
+foodfalcon.ga, 1
+foodfeature.ga, 1
+foodfirefriends.com, 1
+foodflower.ga, 1
+foodfriek.nl, 1
+foodgecko.ga, 1
+foodglamour.ga, 1
+foodglory.ga, 1
+foodgoddess.ga, 1
+foodgratis.ga, 1
+foodgroove.ga, 1
+foodgrow.ga, 1
+foodguerilla.ga, 1
+foodguerrilla.ga, 1
+foodhandy.ga, 1
+foodhotrod.ga, 1
+foodhusky.ga, 1
+foodieso.com, 1
+foodintergrity.ga, 1
+foodiron.ga, 1
+foodiron.tk, 1
+foodjoker.ga, 1
+foodkayak.ga, 1
+foodlast.ga, 1
+foodless.ga, 1
+foodlicious.ml, 1
+foodlightning.ga, 1
+foodlimited.ga, 1
+foodlist.net, 1
+foodloader.net, 1
+foodlobers.com, 1
+foodloco.ga, 1
+foodlover.restaurant, 1
+foodlucky.ga, 1
+foodmatche.ga, 1
+foodmeasure.ga, 1
+foodmillions.ga, 1
+foodminer.ga, 1
+foodnachos.com, 1
+foodnations.ga, 1
+foodnature.ga, 1
+foodnature.tk, 1
+foodnight.ga, 1
+foodo.cz, 1
+foodoffline.ga, 1
+foodomega.ga, 1
+foodonbook.com, 1
+foodoneday.ga, 1
+foodopplis.ga, 1
+foodoriginal.ga, 1
+foodother.ga, 1
+foodouter.ga, 1
+foodovernight.ga, 1
+foodpart.ga, 1
+foodpearl.ga, 1
+foodpermanent.ga, 1
+foodplatinum.ga, 1
+foodplum.ga, 1
+foodpresident.ga, 1
+foodprestige.ga, 1
+foodpronto.ga, 1
+foodquantum.ga, 1
+foodrainforest.ga, 1
+foodrapid.ga, 1
+foodrates.ga, 1
+foodremarkable.ga, 1
+foodrex.ga, 1
+foodrhino.ga, 1
+foodrings.ga, 1
+foodrips.com, 1
+foods.pe, 1
+foodsafety.gov, 1
+foodsafetyjobs.gov, 1
+foodsafetyworkinggroup.gov, 1
+foodsavers.gent, 1
+foodsaversgent.be, 1
+foodsedona.ga, 1
+foodseurope.com, 1
+foodshuffle.ga, 1
+foodsignature.ga, 1
+foodsilk.ga, 1
+foodsleuth.ga, 1
+foodsoldier.ga, 1
+foodsonic.ga, 1
+foodsoul.pro, 1
+foodsparkle.ga, 1
+foodsplash.ga, 1
+foodspring.co.uk, 1
+foodspring.de, 1
+foodspring.es, 1
+foodspring.fr, 1
+foodspring.it, 1
+foodsreborn.com, 1
+foodsunflower.ga, 1
+foodsuperhero.ga, 1
+foodsupplyiq.com, 1
+foodsurprise.ga, 1
+foodsurreal.ga, 1
+foodsustain.ga, 1
+foodtable.at, 1
+foodtimeline.org, 1
+foodtrekker.tk, 1
+foodtruck.ai, 1
+foodtruckconnections.com, 1
+foodtrucksnorthwest.com, 1
+foodtummy.com, 1
+foodurban.ga, 1
+foodusa.cf, 1
+foodusa.ga, 1
+foodusa.gq, 1
+foodverde.ga, 1
+foodwaterfront.ga, 1
+foodwidget.ga, 1
+foodwish.ga, 1
+foodyankee.ga, 1
+foodzpace.com, 1
+foogle.cf, 1
+fooishbar.org, 0
+fool.im, 1
+fooladi.tk, 1
+foolip.org, 1
+foolproofcomics.tk, 1
+foonly.fi, 1
+foorack.com, 1
+fooster.io, 1
+foot-direct.com, 1
+foot.fr, 1
+foot2rue.tk, 1
+foot4live.com, 1
+footasse.com, 1
+football-news.gq, 1
+football-world.tk, 1
+footballcelebrationsers.ga, 1
+footballexpress.co.uk, 1
+footballforum.de, 1
+footballfoundation.org.uk, 1
+footballmessi.tk, 1
+footballnews.net, 1
+footballrussia.cf, 1
+footballscores.ga, 1
+footballsrit.tk, 1
+footballtips.tk, 1
+footbolka.tk, 1
+footbolki.ml, 1
+footchronique.tk, 1
+footdoctorpodiatristnyc.com, 1
+footloose.co.uk, 1
+footmercato.net, 1
+footparisien.com, 1
+footstepsinthegambia.com, 1
+foottube.com, 1
+footvillewi.gov, 1
+footwear-catalogue.tk, 1
+footytalk.tk, 1
+for-testing.tk, 1
+for.care, 1
+for.gd, 1
+forabrokenrobot.tk, 1
+forallgifts.com, 1
+forat.tk, 1
+foray-jero.me, 1
+foraz.tk, 1
+forberedt.no, 1
+forbes.com, 1
+forbeser.com, 1
+forbiddenhistory.info, 1
+forbiddenshelf.com, 1
+forbole.com, 1
+forcamp.ga, 1
+force-shadow.tk, 1
+force-unleashed.com, 1
+force-unleashed.de, 1
+force-user-content.com, 1
+force.com, 1
+force4racing.co.uk, 1
+force4racing.com, 1
+forcebasements.com, 1
+forcecompanies.com, 1
+forcelink.eu, 1
+forcelink.nl, 1
+forcelinkamerica.com, 1
+forcelinkamerica.nl, 1
+forcemasonry.net, 1
+forcemasonryinc.com, 1
+forcemat.fr, 0
+forcenet.gov.au, 1
+forces.army, 1
+forceusercontent.com, 1
+forcewaterproofing.com, 1
+forchildren.tk, 1
+ford-mustang.tk, 1
+ford-shop.by, 1
+fordeetv.com, 1
+fordlibrarymuseum.gov, 1
+fordpartsgiant.com, 1
+fordpartsprime.com, 1
+fordsbranch.church, 1
+fordservicetraining.com, 1
+fordshop.by, 0
+fordtrac.com.br, 1
+foreammatti.fi, 1
+forecastapp.net, 1
+forecastcity.com, 1
+foreclosurecitiesers.ga, 1
+foredata.fi, 1
+forefront.dental, 1
+forefrontcloud.com, 1
+foreign-language-colleges.com, 1
+foreignaffairsmotorsports.com, 1
+foreignassistance.gov, 1
+foremail.tk, 1
+foreningssparbanken.se, 1
+forenschmiede.tk, 1
+forensic-system.com, 0
+forensicpsychologyedu.org, 1
+forensicpsychologyonline.com, 1
+forensicsciencecentral.tk, 1
+forensicsinfo.ga, 1
+forensicsinfoest.ga, 1
+forensischepsychiatrie.tk, 1
+forers.com, 1
+foresdon.jp, 1
+foresightbusinessservices.co.uk, 1
+foresite.com, 1
+forest-cl.com, 1
+forest-remote-control.com, 1
+forest-soft.xyz, 1
+forestairllc.com, 1
+forestcermegresik.com, 1
+forestcountypa.gov, 1
+forestdeclaration.org, 1
+forestersfriendlysociety.co.uk, 1
+foresthaven.tk, 1
+forestparkga.gov, 1
+forestraven.net, 1
+forestsprings.com.au, 1
+forestsystems.com, 1
+foresttownrcwi.gov, 1
+forestvets.com, 1
+forever.gq, 1
+foreverbreak.com, 1
+forevercollage.com, 1
+foreverpontiac.com, 1
+foreverreem.com, 1
+foreverssl.com, 1
+forevertoday.nl, 1
+foreverydream.com, 1
+forewordreviews.com, 1
+forex-arabia.tk, 1
+forex-trading-tutorial.tk, 1
+forex-up.cf, 1
+forex.ee, 1
+forexbrokerinspect.com, 1
+forexchef.de, 1
+forexcity.cf, 1
+forexcomreview.co, 1
+forexee.com, 1
+forexexchange.tk, 1
+forexhistorydata.com, 1
+forexinthai.com, 0
+forexlive.com, 1
+forexmarketsm.tk, 1
+forexnew.org, 1
+forexpattern.tk, 1
+forexplay.com, 1
+forextickler.com, 1
+forexwine.com, 1
+forexworld.cf, 1
+forfeit.ga, 1
+forfeiture.gov, 1
+forfortcollins.com, 1
+forfunssake.co.uk, 1
+forge.cn, 1
+forge.my.id, 1
+forgeary.com, 1
+forgemedia.io, 1
+forgetfulmomma.com, 1
+forgetme.ga, 1
+forgetme.gq, 1
+forgetme.tk, 1
+forgetmenot.care, 1
+forgetwp.com, 1
+forgive.com.tw, 1
+forgivemefather.com, 1
+forgottenho.me, 1
+forgottenrealms.tk, 1
+forgottenworld.it, 1
+forhealth.org, 1
+forhims.co.uk, 1
+forhosting.nl, 1
+forix.agency, 1
+forixcommerce.com, 1
+forixecommerce.com, 1
+forixseo.com, 1
+fork-portal.ml, 1
+forkfeeds.com, 1
+forkknifeswoon.com, 1
+forklift.name.tr, 1
+forklifttire.com, 1
+forksales.com, 1
+forkurd.ml, 1
+forlitoday.it, 1
+form100.de, 1
+formador.tk, 1
+formafantasma.com, 1
+formalgrammar.tk, 1
+formalistgallery.com, 1
+formality.de, 1
+formality.one, 0
+forman.store, 1
+formand.ru, 1
+formapi.io, 1
+formassembly.com, 1
+format-paysage.ch, 0
+format.ua, 1
+formation-assureur.com, 1
+formation-astro.com, 1
+formation-colmar.tk, 1
+formation-commissaire-justice.fr, 1
+formation-cqp-ssiap-paris.fr, 1
+formation-iade.tk, 1
+formation-intergeneration.com, 1
+formation-russe-paris.com, 1
+formation.ai, 1
+formation.tech, 1
+formationaumagnetisme.fr, 1
+formatmydoc.co.nz, 1
+formforger.com, 1
+formhub.ru, 1
+formi9.com, 1
+formidium.com, 1
+formingequipment.tk, 1
+formini.dz, 1
+formio.nl, 1
+formodernkids.com, 1
+formommiesbymommy.com, 1
+formopinionest.ga, 1
+formotherrussia.tk, 1
+forms.gov, 1
+formsbyair.com, 1
+formsite.com, 1
+formsmarts.com, 1
+formsmarts.net, 1
+formue.com, 1
+formula-busines.ru, 1
+formula-ot.ru, 1
+formula.cf, 1
+formulacionquimica.com, 1
+formulasguimaraes.com, 1
+formulastudent.de, 1
+formulaveevictoria.com.au, 1
+formup.com.pl, 1
+formworkcontractorssydney.com, 1
+fornarisandres.com, 1
+fornata.it, 1
+fornaxmall.com, 1
+fornoreason.net.au, 1
+foro-coopfuture.tk, 1
+foro.io, 0
+foroaranda.com, 1
+forocachacero.tk, 1
+forocbmollet.tk, 1
+forocio.tk, 1
+forocoches.com, 1
+forocristiano.tk, 1
+forodebanfield.tk, 1
+forodieta.com, 0
+foroenguera.tk, 1
+forojovensanfernando.tk, 1
+forologikidilosi.com.gr, 1
+foromasters.tk, 1
+foropl.com, 0
+forosdelmisterio.tk, 1
+forourselves.com, 1
+forowarhammer.tk, 1
+forrestheller.com, 1
+forrestwalkbarbershop.com.au, 1
+forrettabarinn.is, 1
+forro.berlin, 1
+forro.info, 1
+forsaken.tk, 1
+forsakenplanet.tk, 1
+forsakenstoners.tk, 1
+forsakringsarkivet.se, 1
+forsaleacameras.tk, 1
+forsaleelectronics.tk, 1
+forsaleinedmonton.ca, 1
+forsat.ga, 1
+forsbenin.org, 1
+forschbach-janssen.de, 1
+forsetinncafe.is, 1
+forsi.xyz, 0
+forskolin.gq, 1
+forstbetrieb-hennecke.de, 1
+forstprodukte.de, 1
+forsure.tk, 1
+forsvarsmakten.se, 1
+forsyth.cc, 1
+forsythco.com, 1
+forsythcountync.gov, 1
+forsythmo.gov, 1
+forsyththeatre.com, 1
+fort.eu, 1
+fortabletoys.com, 1
+fortatkinsonia.gov, 1
+fortatkinsonwi.gov, 1
+fortawesome.org, 1
+fortbendisd.gov, 1
+fortcommunity.com, 1
+fortdeposital.gov, 1
+fortdodgeradio.com, 1
+fortebet.rw, 1
+fortebet.ug, 1
+fortepiano.tk, 1
+fortesanshop.it, 1
+forthenrycustomknives.com, 1
+forthvalleykeswick.co.uk, 1
+fortifydiy.com, 1
+fortigate.es, 1
+fortipartner.co.uk, 1
+fortipartner.com, 1
+fortipartner.dk, 1
+fortipartner.net, 1
+fortipartner.nl, 1
+fortipartner.pl, 1
+fortipartner.se, 1
+fortipartner.uk, 1
+fortisadhesives.com.au, 1
+fortknoxster.com, 1
+fortlauderdaleaircharter.com, 1
+fortmatic.com, 1
+fortnet.online, 1
+fortnightlyofeugene.org, 1
+fortnitedb.com, 1
+fortnitemagic.ga, 1
+fortoglethorpega.gov, 1
+fortress.no, 1
+fortress.sk, 1
+fortresslinux.com, 1
+fortresslinux.nl, 1
+fortresslinux.org, 1
+fortricks.in, 1
+fortuna-apotheke-lahnstein.de, 1
+fortuna-loessnitz.de, 1
+fortuna-s.com, 1
+fortunabuilders.tk, 1
+fortunacigarettes.tk, 1
+fortunahamburg.tk, 1
+fortune-healing.com, 1
+fortunebazar.tk, 1
+fortuneinvestments.ga, 1
+fortunenames.ga, 1
+fortunenamesers.ga, 1
+fortunenamesest.ga, 1
+fortunetireusa.com, 1
+fortwinn.gov, 1
+forty-two.ml, 1
+forty.sh, 1
+forty8creates.com, 1
+fortycreekwhisky.com, 1
+fortygordy.com, 1
+fortytwo.cloud, 1
+fortytwo.tk, 1
+forum-4.de, 1
+forum-batteries.com, 1
+forum-egypte.tk, 1
+forum-expert.tk, 1
+forum-gilee.cf, 1
+forum-goszakaz.ru, 1
+forum-kinozal-tv.appspot.com, 1
+forum-mercury.tk, 1
+forum-noginska.tk, 1
+forum-reklamowe.cf, 1
+forum-tutorapide.ml, 1
+forum-tw.tk, 1
+forum-washington.tk, 1
+forum24.ml, 1
+forumblanes.tk, 1
+forumblockchain.com.br, 1
+forumcarriocity.tk, 1
+forumchiase.com, 1
+forumcondominio.it, 1
+forumconstruire.com, 1
+forumdabeleza.com.br, 1
+forumderelacionamento.com.br, 1
+forumdimo.fr, 1
+forumfeeers.ga, 1
+forumfi.com, 1
+forumhsbm.tk, 1
+forumhub.org, 1
+forumirc.net, 1
+forumistudentore.tk, 1
+forumix.tk, 1
+forummobile.com.br, 1
+forumoff.com, 1
+forumofld.in, 1
+forumotion.cf, 1
+forumotomobil.com, 0
+forumpakistan.tk, 1
+forumpenaguru.com, 1
+forumrowerowe.org, 1
+forums4everyone.tk, 1
+forumsampdoria.tk, 1
+forumsaudedigital.com.br, 1
+forumsearch.tk, 1
+forumsig.net, 1
+forumsrussia.ga, 1
+forumtruthest.ga, 1
+forumtv.pro, 1
+forumvardbyggnad.se, 1
+forve.cf, 1
+forward-fly-fishing.ch, 0
+forward-proxy.email, 1
+forward.lc, 1
+forwardemail.net, 1
+forwardfever.tk, 1
+forwardfinancingest.ga, 1
+forwardkredit.de, 1
+forwardtogether.org, 1
+foryoumer.com, 1
+foryourhealthybody.com, 1
+forza-milan.tk, 1
+forzasette.tk, 1
+fos-apps.org, 1
+foscamcanada.com, 1
+fosdem.org, 1
+foselectro.ru, 1
+fosgreece.com, 1
+foshanshequ.com, 0
+fossagarrafoni.tk, 1
+fossbots.org, 1
+fossboxen.com, 1
+fossboxen.net, 1
+fossboxen.org, 1
+fossewayflowers.co.uk, 1
+fossewayflowers.com, 1
+fossildlp.com, 1
+foster.ga, 1
+fosteringconsultant.com, 1
+fosters.ky, 1
+fosterwiki.com, 1
+fotbal-dubina.tk, 1
+fotbalclubcaracal.tk, 1
+foter.tk, 1
+fotikpro.ru, 1
+foto-bilder.ch, 1
+foto-forum.tk, 1
+foto-gallery.tk, 1
+foto-huwi.ch, 1
+foto-janvanaefst.nl, 1
+foto-leitner.com, 1
+foto-leitner.de, 1
+foto-na-doc.ru, 1
+foto-robitsch.at, 1
+foto-roma.ru, 1
+foto-verslui.lt, 1
+foto-znakomstva.ml, 1
+foto.by, 1
+foto.com, 1
+fotoallerlei.com, 1
+fotoatis.biz, 1
+fotoballon.com, 1
+fotoblog.nrw, 1
+fotobodyart.nl, 1
+fotobrinke.de, 1
+fotochip.tk, 1
+fotocoach.pl, 1
+fotocopiatrici.roma.it, 1
+fotofaerie.net, 1
+fotofast.tk, 1
+fotoflits.net, 1
+fotofofftein.de, 0
+fotofon.tk, 1
+fotofreunde-telegram.eu, 1
+fotograf-mario.de, 1
+fotograf-website.de, 1
+fotografechristha.nl, 1
+fotografessa.pl, 1
+fotografiadellalucerossa.com, 1
+fotografiamakro.pl, 1
+fotografiarte.com.es, 1
+fotografies.tk, 1
+fotografija.tk, 1
+fotografoivanalmeida.com.br, 1
+fotografy-help.de, 1
+fotohiking.com, 1
+fotohome.dk, 1
+fotokorner.com, 1
+fotokurskalmar.se, 1
+fotolectura.tk, 1
+fotoleitner.com, 1
+fotoleitner.de, 1
+fotomodel.cf, 1
+fotomodels.tk, 1
+fotomonza.com, 1
+fotontechnik.pl, 1
+fotonza.ru, 1
+fotoobraznaplatne.sk, 1
+fotopalacedigitalstudio.tk, 1
+fotopro.tk, 1
+fotorecull.tk, 1
+fotoshoot.org, 1
+fotosquares.com, 1
+fotostravestisbr.com, 1
+fotostrobo.ch, 1
+fotostudio-leitner.com, 1
+fotostudio-leitner.de, 1
+fotostudio-schweiz.ch, 1
+fotostudiobasic.tk, 1
+fotosubmarina.tk, 1
+fotosyeventos.es, 1
+fototjansterkalmar.se, 1
+fototutorial.tk, 1
+fotovsibiri.ml, 1
+fotowand.ml, 1
+fotowettbewerb.co, 0
+fotowolfy.com, 1
+fotozakazka.cz, 1
+fotozone.tk, 1
+fotp.com, 1
+fotrino.com, 1
+foucheplumbers.com, 1
+foudufafa.de, 0
+fougereettralala.fr, 1
+fougner.co, 1
+foulabook.com, 1
+found.com, 1
+found.website, 1
+foundationassure.com, 1
+foundationdevices.com, 1
+foundationmaintenance.com, 1
+foundationprogramme.nhs.uk, 1
+foundationrepairannarbor.com, 0
+foundationrepairasheville.com, 1
+foundationrepairbasementwaterproofingtn.com, 1
+foundationrepairchicagoil.com, 1
+foundationrepairnebraska.com, 1
+foundationspecialisteast.com, 1
+foundationspecialistmi.com, 1
+foundchurch.co.uk, 1
+founded.ml, 1
+founderinvestors.tk, 1
+founderio.net, 1
+foundland.com, 1
+foundrehotels.com, 1
+foundries.io, 1
+foundsounds.me, 1
+fountainco.gov, 1
+fountainvalley.gov, 1
+fourashesgolfcentre.uk, 1
+fourbrothers.tk, 1
+fourcask.com, 1
+fourchetteverte.ch, 1
+fourcornerscb.com, 1
+fourdesignstudio.com, 1
+fourfivecbd.co.za, 1
+fourfri.es, 1
+fouriemc.com, 1
+fourmidabel.tk, 1
+fourmies.fr, 1
+fournarisopenday.com, 1
+fournisseur-des-collectivites.com, 1
+fourpeaks.com, 1
+fourscore.ga, 1
+foursight.io, 0
+fourstrategy.de, 1
+fourwaysplumber24-7.co.za, 1
+fousekis.tk, 1
+fousetmoney.tk, 1
+foutras.com, 1
+foutrelis.com, 1
+fovndry.com, 1
+fowesolutions.net, 1
+foweyretreat.co.uk, 1
+fowlmanor.tk, 1
+fowlsmurf.net, 1
+fowos.de, 1
+fox-zulu.de, 1
+fox.my, 0
+fox13now.com, 1
+fox17online.com, 1
+fox47news.com, 1
+fox4now.com, 1
+foxandfish.be, 1
+foxart.com.tr, 1
+foxbenjaminfox.com, 1
+foxbnc.uk, 1
+foxcav.es, 1
+foxcloud.tk, 1
+foxcon.tk, 1
+foxdemos.ml, 1
+foxdev.co, 1
+foxdirectory.tk, 1
+foxes.no, 1
+foxeworks.net, 1
+foxghoul.com, 1
+foxgirl.land, 1
+foxholehq.net, 1
+foxing.club, 1
+foxite.me, 1
+foxlanesportsclub.co.uk, 1
+foxlawfresno.com, 1
+foxly.de, 1
+foxmailer.ml, 1
+foxmay.co.uk, 1
+foxo.blue, 0
+foxontheinter.net, 1
+foxpad.tk, 1
+foxpia.no, 1
+foxpointwi.gov, 1
+foxquill.com, 0
+foxscribbler.com, 1
+foxstreetcomms.co.za, 0
+foxstyle.gq, 1
+foxtransportables.com.au, 1
+foxtravelnews.com, 1
+foxtrials.com, 1
+foxtrotcharlie.ovh, 1
+foxtrotfm.tk, 1
+foxtwomodels.com, 1
+foxus.lt, 1
+foxxylove.net, 1
+foxycredit.com, 1
+foxygf.com, 1
+foxytubes.com, 1
+foyale.io, 1
+foylelegal.com, 1
+fozzie.co.uk, 1
+fozzie.space, 1
+fpalzira.es, 1
+fpasca.com, 1
+fpc.gov, 1
+fpcdn.io, 1
+fpds.gov, 1
+fpersona.com, 1
+fpf.org, 1
+fpgamania.com, 1
+fpjscdn.net, 1
+fpki.sh, 1
+fpline.jp, 1
+fpnet.tk, 1
+fpnpmcdn.net, 1
+fprinnovaciones.es, 1
+fprl39.ru, 1
+fprojects.lv, 1
+fps.ac.cn, 1
+fps168.com, 1
+fps73.ru, 1
+fpsclasico.de, 1
+fpsclasico.eu, 1
+fpsclassico.com, 1
+fpsjp.org, 1
+fpstest.org, 1
+fpsturk.net, 1
+fpsv.de, 1
+fpt.icu, 1
+fptbb.com, 1
+fpu.sk, 1
+fpy.cz, 1
+fqcstandard.com.tr, 1
+fr-fotopage.tk, 1
+fr.search.yahoo.com, 0
+fr33tux.org, 1
+fr3qradio.tk, 1
+fra.bg, 1
+fraai.agency, 1
+fracasados.tk, 1
+frack.nl, 0
+fracreazioni.it, 1
+fractieplanner.nl, 1
+fraction-calculations.com, 1
+fractionalciso.com, 1
+fractionalseo.net, 1
+fracturedfx.com, 1
+fracturedperspective.com, 1
+fraeuleinmeerbackt.de, 1
+fragara.com, 1
+fragbite.se, 1
+fragclub.tk, 1
+fragdenstaat.de, 1
+frageboegen-martini-klinik.de, 1
+fragilesolar.cf, 1
+fragmanhotel.com, 1
+fragment.com, 1
+fragmentation.ml, 1
+fragments.ga, 1
+fragmentspuren.de, 1
+fragmentus.tk, 1
+fragnation.tk, 1
+fragnet.net, 1
+fragolabs.com, 1
+fragstore.net, 1
+fragzona.tk, 1
+fraho.eu, 1
+frahub.com, 1
+frail.gq, 1
+fralef.me, 0
+fralippolippi.tk, 1
+frama.link, 1
+frama.site, 1
+frama.wiki, 1
+framabag.org, 1
+framabee.org, 1
+framabin.org, 1
+framablog.org, 1
+framaboard.org, 1
+framabook.org, 1
+framabookin.org, 1
+framacalc.org, 1
+framacarte.org, 1
+framaclic.org, 1
+framacolibri.org, 1
+framadate.org, 1
+framadrive.org, 1
+framadrop.org, 1
+framadvd.org, 1
+framadventure.no, 1
+framaestro.org, 1
+framaform.org, 1
+framaforms.org, 1
+framagames.org, 1
+framagenda.org, 1
+framagit.org, 1
+framago.de, 1
+framakey.org, 1
+framalab.org, 1
+framalang.org, 1
+framalibre.org, 1
+framalistes.org, 1
+framandroid.org, 1
+framanews.org, 1
+framanote.org, 1
+framanotes.org, 1
+framapack.org, 1
+framapad.org, 1
+framapiaf.org, 1
+framapic.org, 1
+framasite.org, 1
+framasites.org, 1
+framaslides.org, 1
+framasoft.net, 1
+framasoft.org, 1
+framasphere.org, 1
+framastart.org, 1
+framastats.org, 1
+framastory.org, 1
+framatalk.org, 1
+framateam.org, 1
+framatube.org, 1
+framavectoriel.org, 1
+framavox.org, 1
+framawiki.org, 1
+framazic.org, 1
+framboise314.fr, 1
+framedog.tk, 1
+framedpaws.com, 1
+framemo.org, 1
+framer.ai, 1
+framer.com, 1
+framer.live, 1
+framer.website, 1
+framerjs.com, 1
+frames-eyelash.com, 1
+frames-hair-design.com, 1
+framesi.cz, 1
+framindmap.org, 1
+framinetest.org, 1
+framinghampd.gov, 1
+frammenti.tk, 1
+fran.cr, 1
+francabellarsi.tk, 1
+francaispornofilm.com, 1
+france-cartouches.fr, 1
+france-cyber-maritime.eu, 1
+france-hotellerie-restauration.com, 1
+france-news.cf, 1
+france-orchidees.org, 1
+france-serres.com, 1
+france-volontaires.org, 1
+franceactivetravel.cf, 1
+franceactivetravel.ml, 1
+francebattery.com, 1
+francelight.fr, 1
+francenum.gouv.fr, 1
+francepandi.fr, 0
+francerent.com, 1
+frances8.com, 1
+francesca-and-lucas.com, 1
+francescazambon.it, 0
+francescocozza.it, 1
+francescopalazzo.com, 1
+francescopandolfibalbi.it, 1
+francescorandazzo.tk, 1
+francescorenna.tk, 1
+francescosbistro.com, 1
+francescosiciliano.tk, 1
+francesfluente.cf, 1
+franceskivillas.tk, 1
+francetraceur.fr, 1
+franchini.email, 1
+franchini.engineer, 1
+franchisebarrelhousepub.com, 1
+franchisechaodoi-cambodia.com, 1
+franchiseguide.ga, 1
+franchisehive.com, 1
+franchiseportal.de, 1
+franchisesports.co.uk, 1
+francinebelanger.network, 1
+francis.ph, 1
+franciscadelasllagasvirtual.com, 1
+franciscoeduardocruz.tk, 1
+franciscolapa.eu, 1
+francisgoethals.be, 1
+francishouserecovery.org, 1
+francisplaza.com, 1
+franckgirard.net, 1
+francocasimirri.tk, 1
+francodev.com, 1
+francodev.com.br, 1
+francoexpeditionperu.com, 1
+francofunghi.tk, 1
+francois-occasions.be, 1
+francoisbelangerboisclair.com, 1
+francoiscarrier.com, 1
+francoise-janssens.be, 1
+francoise-paviot.com, 1
+francoisharvey.ca, 1
+francoislaude.fr, 1
+francoislepage.com, 0
+franconia.space, 1
+francosuaga.es, 1
+francotecnologia.com, 1
+francotecnologia.com.br, 1
+francovital.com, 1
+francoz.me, 1
+francs-tireurs.tk, 1
+frand.tk, 1
+frandor.co.uk, 1
+frandroid.com, 1
+frandymvp.tk, 1
+franekerweer.tk, 1
+franfoto.com, 0
+frangallegodorado.es, 1
+frangipane.tk, 1
+frank-america.com, 1
+frank-gcc.com, 1
+frank-lastia.tk, 1
+frank-vincent.nl, 0
+frank-wendy.tk, 1
+frank.fyi, 1
+frankbellamy.co.uk, 1
+frankdufaux.com, 1
+franke-chemie.de, 1
+frankellawfirm.com, 1
+frankelod.com, 1
+frankenfresh.de, 1
+frankenlehrmittel.de, 1
+frankenweb.tk, 1
+frankeschenfelder.de, 1
+frankeurope.com, 1
+frankferrari.tk, 1
+frankfu.ltd, 0
+frankfurtergirl.net, 1
+frankhaarlem.tk, 1
+frankieburkeactor.tk, 1
+frankierfachmann.de, 1
+frankierprofi.de, 1
+frankierstar.de, 1
+frankieylosmatadores.tk, 1
+frankland.tk, 1
+franklin-townshipohio.gov, 1
+franklincountyflorida.gov, 1
+franklincountyia.gov, 1
+franklincountyms.gov, 1
+franklincountync.gov, 1
+franklincountyne.gov, 1
+franklincountyny.gov, 1
+franklincountywa.gov, 1
+franklinct.gov, 1
+franklindelco-ny.gov, 1
+franklinhua.com, 1
+franklinmo.gov, 1
+franklintonnc.gov, 1
+franklintownshipcarbonpa.gov, 1
+franklintwpbeavercopa.gov, 1
+franklinvillagemi.gov, 1
+frankmungoattorney.com, 1
+franksgreatoutdoors.com, 0
+franksiler.com, 1
+frankslaughterinsurance.com, 0
+frankthetank.biz, 1
+frankvision.se, 1
+frankwei.xyz, 0
+frankyan.com, 1
+frankychen.net, 1
+frankydo.com, 1
+franmerino.tk, 1
+franqois.id, 1
+franqois.my.id, 1
+franquiadia.com.br, 1
+franquiadickeys.com.br, 1
+fransebulldog-cadeaushop.tk, 1
+franta.biz, 1
+franta.email, 1
+frantajaros.cz, 1
+frantic1048.com, 1
+frantorregrosa.me, 1
+franz-vatter.de, 1
+franz.beer, 1
+franzen.tk, 1
+franziska-pascal.de, 1
+franziskaherbert.de, 1
+franzknoll.de, 1
+franzoni.eu, 1
+franzt.ovh, 1
+franzters.tk, 1
+frappant.cc, 1
+frappant.net, 1
+frappe.cloud, 1
+frappe.io, 1
+frappecloud.com, 1
+frappeframework.com, 1
+frarossi.tk, 1
+fraselab.ru, 1
+fraserengineco.com, 1
+fraserleonardart.com, 1
+frasermurray.scot, 1
+fraservalleyhotdog.com, 1
+frasesconemocion.com, 1
+frasesdodia.com, 1
+frasesdodia.net, 0
+frasesparaface.com.br, 1
+frasestop.com, 1
+frasestop.com.br, 1
+frasesytarjetas.com, 1
+frasicelebri.it, 1
+fratellisbt.it, 1
+fratelliscarrone.com, 1
+fratellistomboli.it, 1
+fraterbolivia.tk, 1
+fraternityfriendsest.ga, 1
+fraternitynetworkest.ga, 1
+fraternityphotosers.ga, 1
+fraternityphotosest.ga, 1
+fratia.com, 1
+fratiicazanoi.ro, 1
+fratreunioners.ga, 1
+fratreunionest.ga, 1
+frattaroli.org, 1
+frau-pusteblu.me, 1
+frau-sucht-bauer.de, 1
+frau.gq, 1
+fraudpoders.ga, 1
+fraudpodest.ga, 1
+fraudswatch.tk, 1
+fraudtoken.com, 1
+frauen-etappenrennen.de, 1
+frauenaerztin-wedel.de, 1
+frauenarztin-wedel.de, 1
+frauenlob.rocks, 0
+fraulen.ru, 1
+fraurichter.net, 1
+frax.finance, 1
+fraye.net, 1
+frazell.net, 1
+frazeysburg.gov, 1
+frazi.tk, 1
+frbracch.it, 1
+frc.gov, 1
+frc.gov.au, 1
+frc.us.com, 1
+frccsgo.tk, 1
+frcdr.org, 1
+freak-show.tk, 1
+freak-team.tk, 1
+freak-waves.de, 1
+freak-zone.tk, 1
+freakguitars.tk, 1
+freakinstream.com, 1
+freaksites.dk, 0
+freaksports.com.au, 0
+freakyawesome.agency, 1
+freakyawesome.art, 1
+freakyawesome.band, 1
+freakyawesome.business, 1
+freakyawesome.ca, 1
+freakyawesome.co, 1
+freakyawesome.co.uk, 1
+freakyawesome.design, 1
+freakyawesome.fm, 1
+freakyawesome.in, 1
+freakyawesome.lgbt, 1
+freakyawesome.net, 1
+freakyawesome.org, 1
+freakyawesome.solutions, 1
+freakyawesome.world, 1
+freakyawesome.yoga, 1
+freakyhappenings.tk, 1
+freakymatesers.ga, 1
+freakymatesest.ga, 1
+freave.co, 0
+frebi.org, 1
+frebib.co.uk, 1
+frebib.com, 1
+frebib.me, 1
+frebib.net, 1
+freckles.bg, 1
+fred-dresken.nl, 1
+fred26.fr, 1
+fredbarboo.cf, 1
+fredbarboo.ga, 1
+fredbarboo.gq, 1
+fredbarboo.ml, 1
+freddieleeman.nl, 1
+freddieonfire.tk, 0
+freddo.tk, 1
+freddyhasderyk.tk, 1
+freddyhirsch.com.ng, 1
+freddyjs.com, 1
+freddythechick.net, 1
+freddyvasquez.com, 1
+freddyxvasquez.com, 1
+fredericdenis.fr, 1
+fredericfrancois.com, 1
+frederickearlstein.com, 1
+frederickmd.gov, 1
+fredericksburg.com, 1
+frederictonrealestate.com, 1
+frederieknelissen.nl, 1
+frederikbethkeviolins.com, 1
+frederikugarte.tk, 1
+frederikvig.com, 1
+fredhook.tk, 1
+fredjanssen.tk, 1
+fredloya.com, 1
+frednet.tk, 1
+fredoniaaz.gov, 1
+fredoniaiowa.gov, 1
+fredoniawi.gov, 1
+fredoum.fr, 1
+fredriksslaktforskning.se, 1
+fredriksslekt.se, 1
+freds4buildings.com, 1
+fredtec.ru, 1
+fredz.eu, 1
+free-apply.com, 1
+free-barcode-generator.net, 1
+free-bitco.ml, 1
+free-cms.tk, 1
+free-generate.tk, 1
+free-lancer.ml, 1
+free-nation.tk, 1
+free-obmen.ml, 1
+free-ppp.jp, 1
+free-printablehq.com, 1
+free-printablemap.com, 1
+free-quotes.info, 1
+free-rein.net, 1
+free-seo.ml, 1
+free-seo.tk, 1
+free-sql-query-tool.com, 1
+free-ss.site, 1
+free-tarot.net, 1
+free-watching.ga, 1
+free-webtv.tk, 1
+free.com.tw, 1
+free4allsw.com, 1
+free6to12yo.gq, 1
+free8.xyz, 1
+freeadvertisingexchange.com, 1
+freeaf.gq, 1
+freeagent.tk, 1
+freeartico.ga, 1
+freeassange.net, 1
+freeasyshop.com, 1
+freeauction.tk, 1
+freeauroraoperations.tk, 1
+freebacklinksforyoudirectory.tk, 1
+freebasics.com, 1
+freebcard.com, 1
+freebegames.tk, 1
+freebetoffers.co.uk, 1
+freebetonthegrandnational.com, 1
+freebettingreviews.com, 1
+freebiofuels.ga, 1
+freebiofuelsers.ga, 1
+freebirdairlines.com, 1
+freebit.ch, 1
+freebitcoinfaucet.org, 1
+freebookdomain.tk, 1
+freebookslibrary.gq, 1
+freebornfinancial.ca, 1
+freeboson.org, 1
+freebsd.la, 1
+freebsd.me, 1
+freebsdbrasil.com.br, 1
+freebus.org, 1
+freebusinessideas.net, 1
+freecam-sex.com, 1
+freecam2cam.site, 1
+freecatz.pe.kr, 1
+freechatlines.com, 1
+freecloud.at, 1
+freeclubpenguin.tk, 1
+freecn.xyz, 1
+freecodenew.com, 1
+freecorner.tk, 1
+freecottage.fr, 1
+freecoursepage.net, 1
+freecourseweb.com, 1
+freecrypt.ga, 1
+freedatesite.ml, 1
+freedatesites.cf, 1
+freedatingonline.ml, 1
+freedeals4u.ga, 1
+freedev.cz, 1
+freedgb.com, 1
+freediomatiq.com, 0
+freedirectory.tk, 1
+freedogecrypt.tk, 1
+freedom-substitute.fr, 1
+freedom.nl, 1
+freedom.press, 1
+freedom35.org, 0
+freedomains4all.tk, 1
+freedomdujour.com, 1
+freedomfinanceuat.azurewebsites.net, 1
+freedomflotilla.org, 1
+freedomfrontier.tk, 1
+freedomhk.info, 1
+freedomhkg.info, 1
+freedomhouse.org, 1
+freedomisslavery.tk, 1
+freedomkiaparts.com, 1
+freedomonline.bg, 1
+freedomonthenet.org, 1
+freedomperception.com, 1
+freedomsaukwi.gov, 1
+freedomscam.com, 1
+freedomtoolkit.com, 1
+freedomvote.nl, 1
+freedomwill.tk, 1
+freedomworldoutreach.com, 1
+freeebooksblog.com, 1
+freeenglishhelp.com, 1
+freeexampapers.com, 1
+freefallproductions.tk, 1
+freefilesync.org, 1
+freefincal.com, 1
+freeflightstoitaly.ngo, 1
+freefonts.ga, 1
+freeform4u.de, 1
+freefuckvids.com, 1
+freegame-mugen.jp, 1
+freegutters.com, 1
+freehdporn.tv, 1
+freehorseracingtv.com, 1
+freehotline.ru, 1
+freehouse.video, 1
+freehqporno.com, 1
+freeiconspng.com, 0
+freeimage.host, 1
+freeimageclub.com, 1
+freeinet.cf, 1
+freeinet.tk, 1
+freeinfos.fr, 1
+freeinoutboard.com, 1
+freekdevries.nl, 1
+freelance-webdesign.co.uk, 1
+freelance.barcelona, 1
+freelance.boutique, 1
+freelance.nl, 1
+freelanceessaywriters.com, 1
+freelancehunt.com, 1
+freelancemw.com, 0
+freelancerim.ml, 1
+freelanceunited.co.uk, 1
+freelancewebprogrammer.com, 1
+freeliferp.de, 1
+freeloadfinance.com, 1
+freemagi.ga, 1
+freeman-online.tk, 1
+freemania.nl, 1
+freemanlogistics.com, 1
+freemans.com, 1
+freemanwealth.com, 0
+freemason.pt, 1
+freemazes.tk, 1
+freemchosting.tk, 1
+freeme.gq, 1
+freemilf.org, 1
+freemilfpics.com, 1
+freeminecraftmaps.tk, 1
+freeministryresources.org, 1
+freemomhugs.org, 1
+freemor.ca, 1
+freemotion.tk, 1
+freemovieonline.ga, 1
+freend.me, 0
+freenet.com.ng, 1
+freenetflow.com, 1
+freenetproject.org, 1
+freenft.com, 1
+freenome.com, 1
+freenome.net, 1
+freenomyoulilb.tk, 1
+freeo.cf, 1
+freeonlinearticles.tk, 1
+freeonlinegames.gq, 1
+freeonplate.com, 1
+freeparks.co.uk, 1
+freepastlife.com, 1
+freepatternsarea.com, 1
+freepedia.cf, 1
+freepeopledirectory.com, 1
+freephonefinder.cf, 1
+freeplace.tk, 1
+freepluginoffer.com, 1
+freepoints.us, 1
+freepornhunt.com, 1
+freepornomovies.info, 1
+freepornovideos.me, 1
+freepornpics.net, 1
+freepornvideos.life, 1
+freepornxxxvids.com, 1
+freeportbakery.com, 1
+freeporttx.gov, 1
+freeprintabletm.com, 1
+freepro.com, 1
+freepro.fr, 1
+freepron.xyz, 1
+freeradical.zone, 1
+freereal.ml, 1
+freerealincest.com, 1
+freergform.org, 1
+freeride-dragobrat.com, 1
+freeroughporn.com, 1
+freerun.cn, 0
+freesat.cn, 1
+freeschool.cf, 1
+freescorefast.com, 1
+freesexvideo.pro, 1
+freesexvidz.com, 1
+freeshell.de, 1
+freeshipping.com, 1
+freeskateparks.com, 1
+freeslots.guru, 0
+freesmile.tk, 1
+freesms-online.de, 1
+freesocialbookmarkingsites.tk, 1
+freesoft-board.to, 1
+freesoftlab.com, 1
+freesolitaire.win, 1
+freesourcestl.org, 1
+freespace.info, 1
+freespanlift.com, 1
+freespeech.org, 1
+freesports.ml, 1
+freesteam.net, 1
+freesteam.org, 1
+freestylemartialarts.tk, 1
+freesunday.tk, 1
+freetagboards.tk, 1
+freetamco.com, 1
+freetaxusa.com, 1
+freetelegraph.ga, 1
+freetelegraphers.ga, 1
+freetext.org, 1
+freethecape.org.za, 1
+freethetv.ie, 1
+freethinker.org, 1
+freethinkers.org, 1
+freethought.org, 1
+freetimefun.tk, 1
+freetokill.tk, 1
+freetranslations.org, 1
+freetrung.tk, 1
+freetsa.org, 1
+freeunitconverter.online, 1
+freeuseporn.org, 1
+freevideoproxy.com, 1
+freeview.in, 1
+freevisits.tk, 1
+freevstplugins.net, 1
+freewarez.org, 1
+freewaywarehouse.com, 1
+freewebh0st.tk, 1
+freewoman.club, 1
+freewoodfactory.com, 1
+freexmovie.com, 1
+freexxxmovies.biz, 1
+freeyourmusic.com, 1
+freeza.cf, 1
+freeza.tk, 1
+freezander.tk, 1
+freezemea.com, 1
+freezerrepairaustin.com, 1
+freezion.com, 1
+freezoneplan.com, 1
+freezvon.ru, 1
+freibesetzt.tk, 1
+freiboth.ddns.net, 1
+freie-software.net, 1
+freifahrt.de, 1
+freifall.tk, 1
+freifunk-burgaltendorf.de, 1
+freifunk-duesseldorf.de, 1
+freifunk-lindlar.net, 1
+freifunk-luenen.de, 1
+freifunk-myk.de, 1
+freifunk-remscheid.de, 1
+freight-broker.ru, 1
+freight-news.ru, 1
+freightcenter.com, 1
+freightinsightservice.com, 1
+freinetmiddenschool.gent, 1
+freitas.org, 1
+freitasm.com, 1
+freitasul.com.br, 1
+freitasul.io, 1
+freiwurst.net, 1
+freizeitpark.tk, 1
+freizeitplaza.de, 1
+frejasdal.dk, 1
+frekans.tk, 1
+frekat.tk, 1
+fremdlymarketing.com, 0
+fremontcountyco.gov, 1
+fremontcountyia.gov, 1
+fremontcountyid.gov, 1
+fremontfire.gov, 1
+fremonthills.gov, 1
+fremontmi.gov, 1
+fremontsmilesdentistry.com, 1
+fremonttribune.com, 1
+frences.tk, 1
+french.tk, 1
+frenchbluecottage.com, 1
+frenchcreekcog.org, 1
+frenchcreekroofing.com, 1
+frenchdays.fr, 1
+frenchieskingdom.com, 1
+frenchmac.com, 1
+frenchtownmi.gov, 1
+frenchvandal.com, 0
+frendamos-roleplay.ml, 1
+frendle.tech, 1
+frenetic.lv, 1
+frenger.co.uk, 1
+frenger.com.au, 1
+frente-popular.tk, 1
+frenzel.dk, 1
+frequence-turf.fr, 1
+frequencymc.cc, 1
+frequentlyaskedquestions.cf, 1
+frequenttraveller.com.au, 1
+freres-marchand.fr, 1
+fresar-engineering.nl, 1
+frescafit.com, 1
+frescamezcla.tk, 1
+fresco.ph, 1
+frescobol.tk, 1
+frescocooks.com, 1
+fresh-hotel.org, 1
+fresh-info.cf, 1
+fresh-info.gq, 1
+fresh-info.tk, 1
+fresh-networks.net, 1
+fresh.co.il, 1
+fresh4.co.uk, 1
+fresh4trash.io, 1
+freshbean.club, 1
+freshbooks.com, 0
+freshcode.nl, 1
+freshdesk-apps-by-invantive.com, 1
+fresheetmusic.com, 1
+freshempire.gov, 1
+freshersworld.ml, 1
+fresherwalkins.tk, 1
+freshfinder.com.au, 0
+freshfishdelivery.com, 1
+freshgreenhouse.net, 1
+freshhosting.tk, 1
+freshinsport.fr, 1
+freshjoomlatemplates.com, 1
+freshmail.com, 0
+freshmail.pl, 0
+freshman.tech, 1
+freshmans-pizza.de, 1
+freshmusicsheets.com, 1
+freshpatio.com, 1
+freshplus62.com, 0
+freshporno.net, 1
+freshpounds.com, 1
+freshproducemusic.tk, 1
+freshsexpics.com, 1
+freshsheetmusic.com, 1
+freshtest.tk, 1
+freshuk.co.il, 1
+freshwave.gr, 1
+fresno.tk, 1
+fresnofloodcontrol.gov, 1
+fresnois.com, 1
+freso.dk, 1
+fretboardforever.com, 1
+fretpal.online, 1
+fretscha.com, 1
+frettboard.com, 1
+frettennet.tk, 1
+frettirnar.is, 1
+freundeskreis-tarjan.de, 1
+freundinnen-ausflug.de, 0
+freundinnen-kurzurlaub.de, 0
+freundinnen-urlaub.de, 0
+freundinnenausflug.de, 0
+frfghtr.com, 1
+frfi.io, 1
+fribourgviking.net, 1
+fricassea.com, 1
+frickelboxx.de, 1
+frickelmeister.de, 1
+frickenate.com, 1
+frida.se, 1
+fridakahlofans.com, 1
+fridaybot.tk, 1
+fridaybridge.tk, 1
+fridayfoucoud.ma, 1
+fridaynightskate.tk, 1
+fridaysforfuture-bremen.de, 1
+fridge.dk, 1
+fridgesearchest.ga, 1
+fridolinka.cz, 1
+fried.tk, 1
+friedberg2020.de, 1
+friedbergdirectfx.ca, 1
+friederes.lu, 0
+friederloch.de, 1
+friedhelm-wolf.de, 1
+friedli.info, 1
+friedrich-foto-art.de, 1
+friedrichshafen.tk, 1
+friedsamphotography.com, 1
+friedstechnology.com, 1
+friedstechnology.nl, 1
+friedstechnology.online, 1
+friedzombie.nl, 1
+friedzombie.online, 1
+friendbot.ml, 1
+friendick.jp, 1
+friendindeed.com, 1
+friendku.tk, 1
+friendly.pe, 1
+friendlybearlabs.com, 1
+friendlydabs.com, 1
+friendofpaws.com, 1
+friendofthehoneybee.co.uk, 1
+friendofthehoneybee.org, 1
+friendofthehoneybee.org.uk, 1
+friendowment.us, 1
+friends-online.tk, 1
+friends.cafe, 1
+friendscapital.co.uk, 1
+friendsforeverrecords.tk, 1
+friendshipismagicsquad.com, 1
+friendsnew.com, 1
+friendsnomore.tk, 1
+friendsofgfwpc.org, 1
+friendsofmagnacarta.tk, 1
+friendsofoldstthomas.org, 1
+friendsofthehoneybee.co.uk, 1
+friendsofthehoneybee.com, 1
+friendsofthehoneybee.org, 1
+friendsofthehoneybee.org.uk, 1
+friendsofthehoneybee.uk, 1
+friendsoftheriverfront.org, 1
+friendsonline.com, 1
+friendsonline.tk, 1
+friendspoint.tk, 1
+friendsvilletn.gov, 1
+friendswoodtx.gov, 1
+friendtech.tk, 1
+friesvredesplatform.tk, 1
+friet.org, 1
+frietbesteld.nl, 1
+frietzombie.nl, 1
+friezy.ru, 1
+frightmare.tk, 1
+frigi.ch, 0
+frign.de, 1
+frigochaco.com.py, 1
+frigolit.net, 1
+frikandellenmoord.nl, 1
+frikandelmoord.nl, 1
+friker.tk, 1
+frikilinks.tk, 1
+frikimasters.es, 1
+frikipedia.tk, 1
+frikiteca.tk, 1
+frikizone.tk, 1
+frikotv.tk, 1
+frilima.com.br, 1
+friller.com.au, 1
+frillip.com, 0
+fringeintravel.com, 1
+frinkiac.com, 1
+frino.de, 1
+friplay.host, 1
+fripoune.fr, 1
+fripper.tk, 1
+frisaga.com, 1
+frisaga.me, 1
+frisaga.net, 1
+frisaga.org, 1
+frisaga.travel, 1
+friseur-foerder.de, 1
+friseur.website, 1
+friseure-website.de, 1
+friseurlinds.de, 1
+frisil.pt, 1
+friss.com, 0
+frissenootjes.tk, 1
+frisuren.tk, 1
+fritravelapp.com, 1
+fritteli.ch, 1
+fritz-koehne-schule.de, 1
+fritzbox-forum.tk, 1
+friv-2018.ga, 1
+frizo.com, 1
+frlcnews.com, 1
+frlt.one, 1
+frmbike.net, 1
+fro.ge, 1
+frodriguez.xyz, 1
+froehliche-hessen.de, 1
+frog.industries, 1
+frogatto.com, 1
+frogeducation.com, 1
+frogeye.fr, 1
+froggitt.com, 1
+froginfra.net, 1
+froglms.net, 1
+frogos.net, 1
+frogplay.net, 1
+frogsonamission.de, 1
+frogstage.com, 1
+frogtest.co.uk, 1
+frogtown.capital, 1
+froh-s.com, 1
+froh.co.jp, 1
+froicorp.com, 1
+frokenblomma.se, 1
+frolova.org, 1
+from-the-net.com, 1
+from.network, 0
+from.tk, 1
+fromager.net, 1
+fromageriedepeisey.com, 1
+fromages-freres-marchand.com, 1
+fromages-freres-marchand.fr, 1
+fromages-marchand.com, 1
+fromages-marchand.fr, 1
+fromix.de, 1
+fromlemaytoz.com, 1
+fromlifephoto.com, 1
+fromm-projects.de, 1
+frommars.tk, 1
+frommyhands.tk, 1
+fromoldbooks.org, 1
+fromrestaurants.tk, 1
+fromscratch.rocks, 1
+fromthecave.tk, 1
+fromthecountsplace.tk, 1
+fromthemonks.com, 1
+fromthesoutherncross.com, 1
+fromthetopsalonnh.com, 1
+fromwithin.tk, 1
+fronhadeseda.com.br, 1
+front.com, 1
+frontbaydevices.tk, 1
+frontconcept.com.my, 1
+fronteers.nl, 0
+fronteimoveis.com.br, 1
+fronterasblog.tk, 1
+frontier.bet, 1
+frontierbrasil.tk, 1
+frontierclimate.com, 0
+frontiernav.net, 1
+frontiernetworks.co.uk, 1
+frontiers.nl, 1
+frontiersinflight.com, 1
+frontigate.com, 1
+frontline.cloud, 1
+frontline6.com, 0
+frontlinepolicies.com, 1
+frontrouge.fr, 1
+frontrunneragency.com, 1
+froogo.co.uk, 1
+frosinonetoday.it, 1
+frosoku.com, 1
+frostedgame.xyz, 1
+frostexpert.ru, 1
+frostfire.tk, 1
+frostplatform.com, 1
+frostprotection.co.uk, 1
+frostwarning.com, 1
+frostwolf.tk, 1
+frosty-gaming.xyz, 1
+frosty.sk, 1
+frosty.style, 1
+frostymr.com, 1
+frostysummers.com, 1
+frothy285.com, 1
+froufe.com, 0
+frowin-base.de, 1
+frowin-stemmer.de, 0
+frown.town, 1
+frownonline.co.uk, 1
+frowresource.org.uk, 1
+froyomio.com, 1
+frozen-gaming.tk, 1
+frozen-geek.net, 1
+frozen-solid.net, 1
+frozencuisine.ga, 1
+frozencuisineers.ga, 1
+frozencuisineest.ga, 1
+frozendurian.club, 1
+frozenpennies.com, 1
+frp-roleplay.de, 1
+frpg.gov, 1
+frprn.com, 1
+frprn.es, 1
+frprn.xxx, 1
+frrfb.org.au, 1
+frsecure.com, 1
+frshminds.com, 1
+frsnpwr.net, 1
+frsra.ml, 1
+frtib.gov, 1
+frtn.com, 1
+frtr.gov, 1
+fruchtikus.net, 1
+frugaldateest.ga, 1
+frugalfamily.co.uk, 1
+frugalfamilyhome.com, 1
+frugalfarmwife.com, 1
+frugalmatic.com, 1
+frugro.be, 1
+fruit-farm.tk, 1
+fruit.ga, 1
+fruit.ml, 1
+fruitbouquets.com, 1
+fruitdiva.com, 1
+fruitfits.com, 1
+fruitfulenglish.com, 1
+fruition.co.jp, 1
+fruitjuicetab.ch, 1
+fruitlandmi.gov, 1
+fruitlawers.ga, 1
+fruitmoose.com, 1
+fruitscale.com, 1
+fruitsexpressdelivery.com.sg, 1
+fruitsfromchile.com, 1
+fruitybeauty.tk, 1
+fruitycasinos.com, 1
+fruityloop.tk, 1
+fruityten.co.uk, 1
+frutasyvejetales.com, 1
+frutidump.tk, 1
+frutuozo.com.br, 1
+fruturaproduce.com, 1
+fruxh.moe, 1
+fruxnux.net, 1
+frwmb.gov, 1
+fry.at, 1
+frydrychit.cz, 1
+fryfiredistrictaz.gov, 1
+fs-d.org, 1
+fs-fitness.eu, 1
+fs-g.org, 1
+fs-m.org, 1
+fs-maistadt.de, 1
+fs-rozmarija.tk, 1
+fs-w.org, 1
+fs-world.org, 1
+fs1.hopto.org, 1
+fs22a.de, 1
+fsalmeron.tk, 1
+fsapubs.gov, 0
+fsavc.org.uk, 1
+fsbn.eu, 1
+fsbpaintrock.com, 1
+fsch2009.com, 1
+fsck.cz, 1
+fsck.jp, 0
+fsconline.info, 1
+fscott.de, 1
+fsd.gov, 1
+fselka.is, 1
+fseo.tk, 1
+fsfi.is, 1
+fsg.one, 1
+fsgeek.ca, 1
+fsharpfactory.io, 1
+fsinf.at, 1
+fsinsight.com, 1
+fsk.fo, 0
+fsky.info, 1
+fsma.pl, 1
+fsmi.in, 1
+fsnb.com, 1
+fspk.pro, 1
+fsps.ch, 1
+fsrs.gov, 1
+fsscms.com, 1
+fssolutions.com, 1
+fssp-bordeaux.fr, 1
+fsst-nsn.gov, 1
+fstatic.io, 1
+fstm.tk, 1
+fstpn.at, 1
+fstpn.blog, 1
+fstpn.ch, 1
+fstpn.cloud, 1
+fstpn.de, 1
+fstpn.es, 1
+fstpn.eu, 1
+fstpn.info, 1
+fstpn.io, 1
+fstpn.it, 1
+fstpn.link, 1
+fstpn.media, 1
+fstpn.net, 1
+fstpn.network, 1
+fstpn.org, 1
+fstpn.pt, 1
+fstpn.shop, 1
+fstpn.si, 1
+fstpn.uk, 1
+fsty.uk, 1
+fsub.de, 1
+fsvoboda.cz, 1
+fsvt.ch, 0
+fsxxi.com, 1
+ft.com, 0
+ftang.de, 1
+ftapi.com, 0
+ftc.gov, 1
+ftccomplaintassistant.gov, 1
+ftcefile.gov, 1
+ftcscout.org, 1
+ftfgroup.us, 1
+ftg-ru.ga, 1
+ftgeufyihreufheriofeuozirgrgd.tk, 1
+ftgho.com, 1
+fthat.link, 1
+ftl-gaming.tk, 1
+ftl-ltl-china.ru, 1
+ftl13.com, 1
+ftlparksprojects.com, 1
+ftm.wiki, 1
+ftmc.tk, 1
+ftmwiki.com, 1
+ftmwiki.net, 1
+ftmwiki.org, 1
+ftmyersdogtraining.com, 1
+ftng.se, 1
+ftpmovement.tk, 1
+ftpporto.com, 0
+ftptest.net, 1
+ftrac.com.br, 1
+ftrfnd.me, 1
+ftth.eu.org, 0
+ftv.re, 1
+ftworthhousekeeper.com, 1
+ftx.io, 1
+ftx.tech, 1
+ftxtr.com, 0
+fu110.de, 1
+fu666.de, 1
+fu898.top, 1
+fuantaishenhaimuli.net, 1
+fuas.cl, 1
+fucajz.cz, 1
+fuchs-informatik.de, 1
+fuchsy.com, 1
+fuciam.com.co, 1
+fuck-your-false-positive.de, 1
+fuckar.ch, 1
+fuckcf.cf, 1
+fuckedintraffic.com, 1
+fuckimm.com, 1
+fucknazis.cf, 1
+fucknazis.tk, 1
+fuckobr.com, 1
+fuckobr.net, 1
+fuckobr.org, 1
+fuckobr.su, 1
+fucksc.cf, 1
+fuckssl.com, 1
+fucktory.tk, 1
+fuckup.dk, 1
+fuckwhatyouthink.tk, 1
+fuckxiaozhan.com, 0
+fuckxichina.com, 1
+fuckyou.monster, 1
+fuckyoupaypal.me, 1
+fuckz.net, 1
+fudaoyuan.com, 1
+fuddittu.tk, 1
+fudgeapps.co.uk, 1
+fudgeapps.uk, 1
+fudie.net, 1
+fudsend.com, 1
+fuego.tech, 1
+fuegocruzado.tk, 1
+fuegoenlasangre.tk, 1
+fuegosalsapower.tk, 1
+fueko.net, 1
+fuelbyte.sg, 1
+fuelcycle.com, 1
+fuelgalicia.tk, 1
+fuelingfilms.com, 1
+fuelpumpu.com, 1
+fuembellida.tk, 1
+fuenf-sterne.de, 1
+fuenferrada.tk, 1
+fuentesdeenergia.org, 1
+fuentesdeleon.tk, 1
+fuer-gerechte-steuern.at, 1
+fuerzaazul.tk, 1
+fufu.dance, 1
+fugaku.cloud, 1
+fuge-specialisten.dk, 1
+fuglar.tk, 1
+fugle.de, 1
+fuglede.dk, 1
+fugu.lol, 1
+fuhe-psy.com, 1
+fuhui-apac.com, 1
+fuhui-asia.com, 1
+fuhui-baike.com, 1
+fuhui-chinese.com, 1
+fuhui-chn.com, 1
+fuhui-fxcm.com, 1
+fuhui-global.com, 1
+fuhui-status.com, 1
+fuhui-web.com, 1
+fuhui-zhs.com, 1
+fuhuiapps.com, 1
+fuhuicorporate.com, 1
+fuhuifinance.com, 1
+fuhuigupiao.com, 1
+fuhuihub.com, 1
+fuhuijt.com, 1
+fuhuilab.com, 1
+fuhuimarket.com, 1
+fuhuimarkets.com, 1
+fuhuimobile.com, 1
+fuhuionline.com, 1
+fuhuiso.com, 1
+fuhuistation.com, 1
+fuhuistocks.com, 1
+fuhuitoutiao.com, 1
+fuhuitouzi.com, 1
+fuhuitrade.com, 1
+fuhuitrader.com, 1
+fuhuitrading.com, 1
+fuhuiwechat.com, 1
+fuhuizh.com, 1
+fuhuizhihu.com, 1
+fuinhas.tk, 1
+fuite.ch, 0
+fuitedeau.ch, 0
+fuites-eau-charente.com, 1
+fuites.ch, 0
+fuiveningent.be, 1
+fujianshipbuilding.com, 1
+fujieb.com, 1
+fujifilm-connect.com, 1
+fujijin.co.jp, 1
+fujikatu.tk, 1
+fujikochan.tk, 1
+fujimurado.com, 1
+fujiwarashinzo.com, 1
+fujiyakimono.com, 1
+fukabori-kaidora.com, 1
+fukase-seed.com, 1
+fukikaeru.com, 1
+fukn.jp, 1
+fuku-fashion.nl, 1
+fukuiedu.com, 1
+fukuko.biz, 1
+fukuko.xyz, 1
+fukushima-fun.com, 1
+fukushimacoffee.com, 1
+fulcrumanalytics.com, 1
+fulcrumdigital.com, 1
+fulda.tk, 1
+fulfil.io, 1
+fulfillmentcostsers.ga, 1
+fulfillmentcostsest.ga, 1
+fulfilmentcrowd.com, 1
+fulfyld.com, 1
+fulgentoncology.com, 1
+fulgenzis.com, 1
+fulisex.com, 1
+fuliwang.info, 1
+full-hd.info, 1
+full-stack.ninja, 1
+full.eu.org, 1
+fullautomotivo.com.br, 1
+fullaw.in, 1
+fullblast.tk, 1
+fullbulla.tk, 1
+fullbundle.com, 1
+fullcirclestudio.nl, 1
+fullcolors7.com, 1
+fulldw.com, 1
+fullerlife.org.uk, 1
+fullertonne.gov, 1
+fullfilez.com, 1
+fullfillery.com, 1
+fullhost.com, 1
+fullhotfilm.co, 1
+fullhouseresorts.com, 1
+fullhub.ru, 1
+fullinsiderers.ga, 1
+fullinsiderest.ga, 1
+fullintel.com, 1
+fullmetalconsulting.tk, 1
+fullmoondesignhouse.tk, 1
+fullmoonhentai.tk, 1
+fullpaisa.com, 1
+fullsize.ml, 1
+fullsizefordclub.tk, 1
+fullstackway.com, 1
+fulltextarchive.com, 1
+fulltxt.ml, 1
+fully-covered.tk, 1
+fully-hair.tk, 1
+fullzest.com, 1
+fultoncountyar.gov, 1
+fultoncountyil.gov, 1
+fultoncountyilelections.gov, 1
+fultoncountyky.gov, 1
+fultondaleal.gov, 1
+fulup.com, 1
+fulyayurdumetin.com, 1
+fumblers.ca, 1
+fumerx.com, 1
+fumify.tk, 1
+fumilink.com, 1
+fumotousa.com, 1
+fun-baby.ru, 1
+fun-bounce.co.uk, 1
+fun-day.tk, 1
+fun-life.com.tw, 0
+fun-tasia.co.uk, 1
+fun4ubouncycastles.co.uk, 1
+funadiq.com, 1
+funadvisor.ca, 0
+funadvisorfrance.com, 1
+funaiwhistle.com, 1
+funandfriends.tk, 1
+funandlearning.es, 1
+funatic.nl, 1
+funatic.tk, 1
+funboards.cz, 1
+funboat.tk, 1
+funbuynet.com.br, 1
+funchal.cf, 1
+funchal.ga, 1
+funchal.gq, 1
+funchal.pt, 1
+functions-online.com, 1
+functionx.io, 1
+functori.com, 1
+funcustomshirts.com, 1
+fundacaoeveris.com.br, 1
+fundacion.in, 1
+fundacionfade.org, 1
+fundacionfranciscofiasco.org, 1
+fundacionindigo.tk, 1
+fundacionlaboral.org, 1
+fundacionminutodigital.org, 1
+fundacionsiempreadelante.org, 1
+fundacionsilverina.org, 1
+fundacjamatkiewy.pl, 1
+fundaekhaya.co.za, 1
+fundamentt.com, 1
+fundatiacomunitaragalati.ro, 1
+fundayltd.com, 1
+fundedschools.ml, 1
+fundelva.com, 1
+fundex.id, 1
+fundhawk.com, 1
+fundiggitydog.co.nz, 1
+funding-zone.com, 1
+fundingoptions.com, 1
+fundingpartner.dk, 1
+fundingpartner.no, 1
+fundingpartner.se, 1
+fundkyapp.com, 1
+fundmylegalclaim.co.uk, 1
+fundort.ch, 1
+fundpress.org, 0
+funds.ddns.net, 1
+fundwave.com, 1
+funenhobby.nl, 1
+funeral-doom.tk, 1
+funeralforafriend.tk, 1
+funeralshowers.ga, 1
+funeralshowest.ga, 1
+funerare-cazacu.com, 1
+funerare24.ro, 1
+funerariaalarcon.cl, 1
+funfactorleeds.co.uk, 1
+funfacts.cz, 1
+funfm.tk, 1
+fungalforager.com, 1
+fungame.eu, 1
+fungame.fr, 1
+fungit.org, 0
+fungomoscow.cf, 1
+fungosdemexico.tk, 1
+funguana.com, 1
+funhiking.tk, 1
+funhotdate.com, 1
+funhouse-inflatables.co.uk, 1
+funhunt.es, 1
+funideas.org, 1
+funidelia-tr.com, 1
+funidelia.at, 1
+funidelia.be, 1
+funidelia.bg, 1
+funidelia.ca, 1
+funidelia.ch, 1
+funidelia.cl, 1
+funidelia.co, 1
+funidelia.co.il, 1
+funidelia.co.nz, 1
+funidelia.co.uk, 1
+funidelia.com, 1
+funidelia.com.ar, 1
+funidelia.com.au, 1
+funidelia.com.br, 1
+funidelia.com.ua, 1
+funidelia.cz, 1
+funidelia.de, 1
+funidelia.dk, 1
+funidelia.ee, 1
+funidelia.es, 1
+funidelia.fi, 1
+funidelia.fr, 1
+funidelia.gr, 1
+funidelia.hk, 1
+funidelia.hr, 1
+funidelia.hu, 1
+funidelia.id, 1
+funidelia.ie, 1
+funidelia.in, 1
+funidelia.is, 1
+funidelia.it, 1
+funidelia.kr, 1
+funidelia.lt, 1
+funidelia.lu, 1
+funidelia.lv, 1
+funidelia.mx, 1
+funidelia.my, 1
+funidelia.nl, 1
+funidelia.no, 1
+funidelia.ph, 1
+funidelia.pt, 1
+funidelia.ro, 1
+funidelia.rs, 1
+funidelia.ru, 1
+funidelia.se, 1
+funidelia.sg, 1
+funidelia.si, 1
+funidelia.sk, 1
+funidos.tk, 1
+funinfo.tk, 1
+funinthesunboating.com, 1
+funio.com, 1
+funkazoid-radio.com, 1
+funken-networks.de, 1
+funkfernbedienung-industrie.de, 1
+funkimforst.de, 1
+funknotaus.de, 1
+funkogames.com, 1
+funkshop.tk, 1
+funksteckdosen24.de, 0
+funkstyles.tk, 1
+funktdesign.eu, 1
+funktionel.co, 1
+funktionevents.co.uk, 1
+funky-emulation.net, 1
+funkydealz.no, 1
+funkyflo.tk, 1
+funkysims.tk, 1
+funline.tk, 1
+funlook.ga, 1
+funlook.tk, 1
+funmobiles.tk, 1
+funmountaincanyon.com, 1
+funnelsforbricks.io, 1
+funnelw3b.com, 1
+funniestclip.com, 1
+funny-boy.tk, 1
+funny-rates.tk, 1
+funny-wedding.ga, 1
+funnyanimalvideos.ml, 1
+funnybee.tk, 1
+funnybubu.ro, 1
+funnychristianjokes.tk, 1
+funnycommercials.ga, 1
+funnylinks.cf, 1
+funnymedia.tk, 1
+funnymetals.com, 1
+funnypicz.cf, 1
+funnyprankvideo.ga, 1
+funnypromotions.tk, 1
+funnytimes.cf, 1
+funnyvideoclips.cf, 1
+funnyvideoclips.tk, 1
+funoverip.net, 1
+funpakistan.tk, 1
+funpartytips.com, 1
+funphone.tk, 1
+funplaza.tk, 1
+funprode.org, 1
+funprogramming.tk, 1
+funreaktor.com, 1
+funshemale.com, 1
+funshirts.tk, 1
+funsite.tk, 1
+funsmsmailing.tk, 1
+funsoup.tk, 1
+funtastic-basketball.de, 1
+funtastic.ie, 1
+funtime-inflatables.co.uk, 1
+funtime.com.ua, 1
+funtime.kiev.ua, 1
+funtimesbouncycastles.co.uk, 1
+funtimeusabiloxi.com, 1
+funtimez.cf, 1
+funtimez.ga, 1
+funtimez.gq, 1
+funto.tk, 1
+funtonez.tk, 1
+funwithbells.com, 1
+funy.eu.org, 1
+funyirotraktor.hu, 1
+funzack.cf, 1
+fur-shop.tk, 1
+fur.city, 1
+fur.mt, 1
+fur.red, 1
+furaffrate.net, 1
+furbooru.org, 1
+furca.ca, 1
+furcdn.net, 1
+furcity.me, 1
+fureais.com, 1
+furgetmeknot.co.za, 1
+furgetmeknot.org, 1
+furgetmeknot.org.za, 1
+furgo.love, 1
+furi.ga, 1
+furiacelesteiquique.tk, 1
+furiaot.com, 1
+furik.me, 1
+furisode-sendai.com, 1
+furisode-yamaguchiya.com, 1
+furiya.tk, 1
+furkanahsap.com, 1
+furkankose.ml, 1
+furkanmudanyali.com, 1
+furkot.com, 1
+furkot.de, 1
+furkot.es, 1
+furkot.fi, 1
+furkot.fr, 1
+furkot.it, 1
+furkot.pl, 1
+furkot.ro, 1
+furlan.co, 0
+furlan.tk, 1
+furlog.it, 1
+furmap.fr, 1
+furnace-zero.tk, 1
+furnfurs.com, 1
+furnishedproperty.com.au, 1
+furniteco.com, 1
+furniture-for-home.tk, 1
+furniture-warehouse.co.za, 1
+furnitureconcept.co.uk, 1
+furniturefashion.com, 1
+furnitureforlife.com, 1
+furnitureforlifeboulder.com, 1
+furniturefromthebarn.com, 1
+furnitureproduction.tk, 1
+furnituresolutions.tk, 1
+furniturestrends.com, 1
+furnu.org, 1
+furorcanario.tk, 1
+furoretferrum.tk, 1
+furosemide-lasix.tk, 1
+furosemide.gq, 1
+furries.id, 1
+furry.codes, 1
+furry.cool, 1
+furry.dk, 1
+furry.gay, 1
+furrybot.co, 1
+furrycdn.org, 1
+furrycraft.ga, 1
+furrytech.network, 1
+furs.town, 1
+fursandfur.tk, 1
+furseo.co, 1
+fursho.ws, 1
+furshows.org, 1
+furtodo.at, 1
+furtodo.com, 1
+furtodo.cz, 1
+furtodo.de, 1
+furtodo.eu, 1
+furtodo.hu, 1
+furtodo.pl, 1
+furtodo.sk, 1
+furtodobox.com, 1
+furtodobox.cz, 1
+furtodobox.eu, 1
+furtodobox.sk, 1
+furtodoit.com, 1
+furu-sato.com, 1
+furukawabenn.com, 1
+furuse-shika.com, 1
+furuy.com, 0
+furuyadc.com, 1
+furworks.de, 1
+furyalexmichaelides.com, 1
+fusacity.tk, 1
+fusacovi.cf, 1
+fuselight.nl, 1
+fuseos.net, 1
+fuseyahoken.com, 1
+fushee.com, 1
+fusi.tk, 1
+fusico.be, 1
+fusico.com, 1
+fusico.digital, 1
+fusion-lamps.com, 1
+fusionapps.com, 1
+fusionapps.net, 1
+fusionarmenia.tk, 1
+fusionas.tk, 1
+fusionauth.io, 1
+fusionbd.net, 1
+fusionespeluqueria.es, 1
+fusionfacades.co.uk, 1
+fusionfactory.tk, 1
+fusiongaming.de, 1
+fusionpatrol.com, 0
+fusionplatter.eu, 1
+fusions.co.jp, 1
+fusionstudios.tk, 1
+fusionvr.in, 1
+fuso.com.py, 1
+fuso.net, 1
+fussball-xxl.de, 1
+fussballmanager.de, 1
+fussballpiraten.com, 1
+fussballtransfers.com, 1
+fussboden-manufaktur.de, 0
+fussbodenmanufaktur.de, 0
+fussell.io, 1
+fussfetisch.tk, 1
+fussy.ee, 1
+fussycats.com, 1
+fussycats.uk, 1
+fusu.re, 1
+fuszara.eu, 1
+fut21gen.com, 1
+futa.agency, 1
+futa.wiki, 1
+futaba-works.com, 1
+futacockinside.me, 1
+futarara.ga, 1
+futaritomo.tk, 1
+futaroulette.com, 1
+futbito.com, 1
+futbol-tv.tk, 1
+futbolcba.com, 1
+futbolistasveteranas.com, 1
+futbolmodesto.tk, 1
+futbolus.tk, 1
+futbomb.com, 1
+futebolatualizado.tk, 1
+futebolbrasileirosnes.tk, 1
+futeboleapostasonline.com, 1
+futhark24.com, 1
+futhark24.eu, 1
+futhark24.net, 1
+futhark24.org, 1
+futharkhorde.tk, 1
+futieltextiel.be, 1
+futo.biz, 1
+futone.com.br, 1
+futos.de, 1
+futrou.com, 0
+futsalnews24.com, 1
+futunk.be, 1
+futunk.com, 1
+futunk.eu, 1
+futunk.net, 1
+futunk.nl, 1
+futurageindia.com, 1
+futurains.com, 1
+futurama-il.tk, 1
+futurama-latino.org, 1
+future-dance.tk, 1
+future-telecom.com, 1
+futureappin.com.au, 1
+futureaudiographics.com, 0
+futurecharcoal.com, 1
+futurefive.asia, 1
+futurefive.co.nz, 1
+futurefive.com.au, 1
+futureforward.coop, 1
+futurefuels.com.au, 1
+futurefund.com, 1
+futurefund.gov.au, 1
+futurefundapp.com, 1
+futuregamereleases.com, 1
+futuregaming.io, 1
+futuregrowthva.com, 1
+futureimmigration.net, 1
+futurenda.com, 1
+futurenewsforyou.com, 1
+futureofyoucdc.sg, 1
+futureplan.de, 1
+futureplanet.tk, 1
+futuresinmarketing.co.uk, 1
+futuresonline.com, 0
+futuresound.tk, 1
+futurestyletiling.com.au, 1
+futuretechtrends.co.uk, 1
+futurethinkers.org, 1
+futureville.city, 1
+futurewithoutfear.com, 1
+futurewithoutfear.org, 1
+futurewithoutfear.us, 1
+futureyouhealth.com, 1
+futurezone.at, 1
+futuristicarchitectures.tk, 1
+futuristicjobs.sk, 1
+futurity.ml, 1
+futurygames.com, 1
+fuulle.com, 1
+fuvelis.com, 1
+fuwafuwa.moe, 1
+fuwafuwatime.moe, 1
+fuwashima.moe, 1
+fuxgames.com, 1
+fuyu.moe, 1
+fuzenet.net, 1
+fuzigames.com, 1
+fuzion.co.th, 1
+fuzoku-sodan.com, 1
+fuzoku.jp, 1
+fuzzbucket.tk, 1
+fuzzi.es, 1
+fuzzing-project.org, 1
+fuzzlemann.de, 1
+fuzzy.domains, 1
+fuzzylogic.tk, 1
+fvap.gov, 1
+fvb.world, 1
+fvdm.com, 1
+fveevaete.com, 1
+fvformation.fr, 0
+fvg.io, 1
+fw-einsatz.de, 1
+fwaux.de, 1
+fwba.hopto.org, 1
+fwdx.net, 1
+fwest.ovh, 1
+fwest98.nl, 1
+fwest98.ovh, 1
+fwg.sk, 1
+fwkart.de, 1
+fwo.gov.au, 1
+fwpda.gov, 1
+fwr.cz, 1
+fws.gov, 1
+fwt99.com, 1
+fwt999.com, 1
+fwtapp.com, 1
+fwtewm.com, 1
+fwtpic.com, 1
+fwup.org, 1
+fwupd.org, 1
+fx-rating.com, 1
+fxbrokerreview.org, 1
+fxcg-education.com, 1
+fxcm-arabic.com, 1
+fxcm-asia.com, 1
+fxcm-chn.com, 1
+fxcm-global.com, 1
+fxcm-id.com, 1
+fxcm-markets.com, 1
+fxcm-online.com, 1
+fxcm.com.tw, 1
+fxcm.com.vn, 1
+fxcm.eu, 1
+fxcm.my, 1
+fxcm.vn, 1
+fxcmaffiliates.com, 1
+fxcmapps-asia.com, 1
+fxcmapps.com, 1
+fxcmbullion.com, 1
+fxcmchn.com, 1
+fxcmglobal.com, 1
+fxcmhub.com, 1
+fxcmidn.com, 1
+fxcmmkt.com, 1
+fxcmportal.com, 1
+fxcmtrader.com, 1
+fxcmvn.com, 1
+fxcmzh.com, 1
+fxcopierpro.com, 1
+fxeuropa.com, 1
+fxexplained.co.uk, 1
+fxgame.online, 1
+fxiaoke.com, 1
+fxislamic.com, 1
+fxnotch.com, 1
+fxopen.co.uk, 1
+fxopen.com, 1
+fxopen.com.au, 1
+fxopen.com.br, 1
+fxopen.com.mx, 1
+fxopen.my, 1
+fxopen.ru, 1
+fxp.at, 1
+fxp.co.il, 1
+fxperk.com, 1
+fxpig-ib.com, 1
+fxpunch.com, 1
+fxrates.com, 1
+fxstatus-chinese.com, 1
+fxstock.eu, 1
+fxstrategics.com, 1
+fxtalk.cn, 0
+fxtrade-lab.com, 1
+fxtwitter.com, 1
+fxwebstudio.com.au, 0
+fydjbsd.cn, 1
+fyfywka.com, 1
+fyllehack.se, 1
+fyllingen-elinst.no, 1
+fylm.ai, 1
+fyn.nl, 1
+fyn.software, 1
+fynbo.io, 1
+fyndiq.se, 1
+fyol.pw, 1
+fyou.co, 1
+fyp-aiman.com, 1
+fyphb.com, 1
+fyptt.to, 1
+fyrebox.guru, 1
+fyrehost.net, 0
+fyrfalkcontent.se, 1
+fyroeo.fr, 0
+fysio-ict.nl, 1
+fysiotherapie-ict.nl, 1
+fysiotherapie.tk, 1
+fysiotherapieapeldoornzuid.nl, 1
+fysiotherapiesimons.nl, 1
+fyss.ga, 1
+fysuite.com, 1
+fytorio-pasxalis.gr, 1
+fyziotonka.sk, 1
+fzoske.de, 1
+fzx750.ru, 1
+fzxx.eu.org, 1
+fzxx.xyz, 1
+g-c-z.cc, 1
+g-center.tk, 1
+g-dart.com, 1
+g-ds.de, 1
+g-electricity.ml, 1
+g-fruit.gr, 1
+g-lab.xyz, 1
+g-m-w.eu, 1
+g-p-design.com, 1
+g-printec.com, 1
+g-rom.net, 1
+g-sp.azurewebsites.net, 1
+g-tea.ml, 1
+g.co, 0
+g00228.com, 1
+g01.in.ua, 1
+g0158.com, 1
+g0881.com, 1
+g0man.com, 1
+g1.ie, 1
+g10e.ch, 1
+g15ubezpieczenia.pl, 1
+g1reeds.com, 1
+g2-inc.com, 1
+g2fdistribuidora.com.br, 1
+g2jp.uk, 1
+g2links.com, 0
+g2llc.com, 1
+g2pla.net, 1
+g2soft.net, 0
+g36533.com, 1
+g36594.com, 1
+g3circuit.com, 1
+g3d.ro, 1
+g3hardcore.tk, 1
+g3homefoods.com, 1
+g47.web.id, 1
+g4v.in, 1
+g4w.co, 1
+g5.gov, 1
+g51365.com, 1
+g5197.co, 1
+g5yss.uk, 1
+g6666g.tk, 1
+g6729.co, 1
+g6957.co, 1
+g6957.com, 0
+g72020.gov, 1
+g7campdavid.gov, 1
+g7liveseafood.com.sg, 1
+g7usa.gov, 1
+g82365.com, 1
+g8energysolutions.co.uk, 1
+g9297.co, 1
+g9728.co, 1
+ga-digitazion.com, 1
+ga-part.ru, 1
+gaaog.com, 1
+gaasuper6.com, 1
+gabaldon.eu, 1
+gabaldon.nl, 1
+gabapentin.gq, 1
+gabare-loire.com, 1
+gabbeh.jp, 1
+gabby-online.tk, 1
+gabby.vn, 0
+gabbyer.ga, 1
+gabbyer.gq, 1
+gabbyer.ml, 1
+gabe.download, 1
+gabe.house, 1
+gabe.pics, 1
+gabe.watch, 1
+gabe565.com, 1
+gabecook.com, 1
+gabelli.com, 1
+gabethebabetv.com, 1
+gabigold.net, 1
+gabijazava.com, 1
+gabinet-okulistyczny.tk, 1
+gabiocs.com, 1
+gabiz.tk, 1
+gablermade.com, 1
+gablesplasticsurgery.com, 1
+gablesportsga.com, 0
+gablesvets.co.uk, 1
+gably.net, 1
+gabnotes.org, 1
+gabodesign.tk, 1
+gabonflash.com, 0
+gaborg.hu, 1
+gabraham.tk, 1
+gabriel.to, 1
+gabrielaebruno.cf, 1
+gabrielafriasfanclub.tk, 1
+gabrielcury.tk, 1
+gabriele-kluge.de, 1
+gabrielemarino.tk, 1
+gabrielflores.tk, 1
+gabrielg.es, 1
+gabrielgn.com.br, 0
+gabriella.cf, 1
+gabriellabastos.tk, 1
+gabriellearruda.com, 1
+gabrielrm.dynu.net, 1
+gabrielsimonet.ch, 1
+gabrielsteens.nl, 1
+gabrielyin.com, 0
+gabryjeluk.tk, 1
+gabskent.de, 1
+gabtitui.gov.au, 1
+gabucho.tk, 1
+gabyclark.com, 1
+gabyminneboo.tk, 1
+gabysoft.tk, 1
+gabz.net, 1
+gachea.cl, 1
+gachimuchi.ru, 1
+gachiyase.com, 1
+gachter.name, 0
+gaci88play.com, 1
+gacirenin.cf, 1
+gacirenin.tk, 1
+gackowski.tk, 1
+gadabit.pl, 1
+gadaj.eu, 1
+gadalkindom.ru, 1
+gadanie.cf, 1
+gadanie.ml, 1
+gadatel.ml, 1
+gaddiblog.com, 1
+gaddini.it, 1
+gadecs.com, 1
+gadget-freak.cf, 1
+gadget-hat.tk, 1
+gadget-tips.com, 1
+gadgetflashers.ga, 1
+gadgetflip.com, 1
+gadgetfreak.cf, 1
+gadgetgalaxy.ro, 1
+gadgetgi.ga, 1
+gadgetguideonline.com, 1
+gadgethacks.com, 1
+gadgetick.com, 1
+gadgetinfo.ga, 1
+gadgetized.net, 1
+gadgetmaker.tk, 1
+gadgetmaniac.tk, 1
+gadgets-cars.com.es, 1
+gadgets-mall.com, 1
+gadgetsandwearables.com, 1
+gadgetsgigabytesandgoodwill.com, 1
+gadgetshome.ml, 1
+gadgetslab.tk, 1
+gadingpromosindo.tk, 1
+gadkiy-farm.tk, 1
+gadsdensoefl.gov, 1
+gadse.games, 1
+gadzilla.tk, 1
+gaeldst.dk, 1
+gaelico.tk, 1
+gaemsofyesterday.com, 1
+gaengler.com, 1
+gaestehaus-leipzig.de, 1
+gaestehaus-monika.com, 1
+gaetanosonline.com, 1
+gafachi.com, 1
+gafan.cf, 1
+gaff-rig.co.uk, 1
+gaflooring.com, 1
+gag101.com, 1
+gaganenterprises.in, 1
+gagarin.ga, 1
+gagecountyne.gov, 1
+gagekroljic.com, 1
+gagesmith.tk, 1
+gagne.tk, 1
+gagnerenfant.tk, 1
+gagor.pl, 0
+gagramore.cf, 1
+gagygnole.ch, 0
+gaheztexab.com, 1
+gaiafood.co, 1
+gaijin.network, 1
+gailfellowsphotography.com, 1
+gaines-sodiamex.fr, 0
+gainesborotn.gov, 1
+gainesvillega.gov, 1
+gainingadvantage.com, 1
+gainnet.ru, 1
+gaio-automobiles.fr, 1
+gaireg.de, 1
+gais.tk, 1
+gaitandmobility.com, 1
+gaitasenlavereda.tk, 1
+gaite.me, 0
+gaitrehabilitation.com, 1
+gaitresearch.com, 1
+gajabhindi.cf, 1
+gajabhindi.tk, 1
+gajas18.com, 1
+gajda.cz, 1
+gajowniczek.eu, 1
+gajqc.gov, 1
+gakkainavi-epsilon.net, 1
+gakki.photos, 1
+gaku-architect.com, 1
+gaku-nkc.net, 1
+gala.im, 1
+gala.kiev.ua, 0
+galabands.info, 1
+galact.tk, 1
+galaksidot.tk, 1
+galaktika-znakomstv.tk, 1
+galaltosalento.it, 1
+galama.tk, 1
+galamusik-band.de, 1
+galamusikband.de, 1
+galanight.cz, 1
+galapagos.cx, 1
+galapagosbig15.com, 1
+galardica.com, 1
+galasin.cf, 1
+galasin.ga, 1
+galatabazaar.com, 1
+galavanmoskou.tk, 1
+galaw.gov, 1
+galax.tech, 1
+galax.us, 1
+galaxieblog.com.my, 0
+galaxit.ch, 1
+galaxus.at, 1
+galaxus.ch, 1
+galaxus.com, 1
+galaxus.de, 1
+galaxus.eu, 1
+galaxus.fr, 1
+galaxy.edu.pe, 1
+galaxyaudiobook.com, 1
+galaxyeuropemusic.com, 1
+galaxymedia.tk, 1
+galaxyofebooks.com, 1
+galaxyplex.tk, 1
+galaxyscientific.com, 1
+galaxystaking.space, 1
+galaxysweeper.com, 1
+galaxytracker.tk, 1
+galearquitetura.com.br, 1
+galecommercial.com, 1
+galefacialplastics.com, 1
+galenguyer.com, 1
+galenreasoner.com, 1
+galenzoski.com, 1
+galepaal.tk, 1
+galeria-reisen.de, 1
+galeria42.com, 1
+galeriabunkers.tk, 1
+galeriakobylarz.pl, 1
+galeriarr.pl, 1
+galerias-xamoralarte.cf, 1
+galerias-xamoralarte.ga, 1
+galerie-claudia-walz-nagold.tk, 1
+galerie-com.com, 1
+galerie-saintgermain.fr, 1
+galeries.photo, 0
+galeriesimple.fr, 1
+galexlee.com, 1
+galfar.jp, 1
+galfarma.cl, 1
+galgamer.eu.org, 1
+galgamer.moe, 1
+galganoboutique.com, 1
+galgoafegao.com.br, 1
+galgoingles.com.br, 1
+galgopersa.com.br, 1
+galhristova.com, 1
+galia.bg, 1
+galiciamaxica.eu, 0
+galiciasensual.tk, 1
+galickidigital.ie, 1
+galilahiskye.com, 1
+galilei.tk, 1
+galileicompara.com, 1
+galileo.io, 1
+galileohealth.com, 1
+galim.org.il, 1
+galina.ga, 1
+galinas-blog.de, 1
+galinkltd.com, 1
+galinos.gr, 1
+galip.nl, 1
+galiuzvejoti.org, 1
+galive.ga, 1
+galizae-sports.tk, 1
+galj.info, 1
+gallagherperformance.com, 1
+gallaghertownshippa.gov, 1
+gallant.tk, 1
+gallatinhousecleaning.com, 1
+galle.cz, 1
+galleonwaymedical.com.au, 1
+galleriacontinua.com, 1
+gallerify.eu, 1
+gallery-easysolution.tk, 1
+gallery-kaze.jp, 1
+galleryinfo.ga, 1
+gallerywestframeplant.com, 1
+gallesproperties.com, 1
+gallest.cf, 1
+gallest.ga, 1
+galleyfoods.com, 1
+gallifordtry.co.uk, 1
+gallifreyan-koala.tech, 1
+gallifreyapp.co.uk, 1
+gallifreypermaculture.com.au, 1
+gallivare.se, 1
+gallmeyer-consulting.com, 1
+gallopingkylin.com, 1
+gallun-shop.com, 1
+galoforo.it, 1
+galoserver.org, 1
+galpsafetytalks-portal-preprod.azurewebsites.net, 1
+galpsafetytalks-portal-production.azurewebsites.net, 1
+galtelligence.com, 1
+galton.sk, 1
+galtonbrands.com, 1
+galtonbrands.es, 1
+galtondev.com, 1
+galvincdn.com, 1
+galvingao.com, 1
+galvinism.ink, 1
+galwaytooughterardgreenway.ie, 1
+galwew.ga, 1
+gamadomesticos.com, 1
+gamagam.gq, 1
+gamalawadforum.tk, 1
+gamalhamza.tk, 1
+gamanlu.com, 1
+gambarian.com, 1
+gamberorosso.menu, 1
+gamberorotto.com, 1
+gambetti.fr, 1
+gambiafishing.tk, 1
+gambiapagina.tk, 1
+gambinotrasporti.it, 1
+gambisti.de, 1
+gambit.pro, 1
+gambitnash.co.uk, 1
+gambitnash.com, 1
+gambitprint.com, 1
+gamblersgaming.eu, 1
+gamblerspick.com, 1
+gambling-business.club, 1
+gamblingaffiliatevoice.com, 1
+gamblingconsulting.expert, 1
+gamburger.tk, 1
+gamcore.com, 1
+game-club.me, 1
+game-designers.net, 1
+game-developers.org, 1
+game-dominion.tk, 1
+game-files.net, 0
+game-gentle.com, 1
+game-net.ml, 1
+game-repack.site, 1
+game.es, 1
+game.gal, 1
+game4less.com, 1
+game818play.com, 1
+game88play.com, 1
+gameanalytics.com, 1
+gameapexlegends.com, 1
+gamebase.tk, 1
+gamebillingcentre.com, 1
+gamebits.net, 0
+gameblabla.nl, 1
+gameboyarchive.com, 1
+gamebrott.com, 1
+gamecarddelivery.com, 1
+gamecdn.com, 0
+gameclimax.cf, 1
+gameclimax.tk, 1
+gameclue.jp, 1
+gamecollector.be, 1
+gameconservation.org.uk, 1
+gameconsole.co.nz, 1
+gamecs.tk, 1
+gamecss.ml, 1
+gamedaim.com, 1
+gameday.org.uk, 1
+gamedealsnow.com, 1
+gamedna.studio, 1
+gamedware.com, 1
+gameexpress.tk, 1
+gamefarm.ru, 1
+gamefear.ga, 1
+gamefear.tk, 1
+gameflip.com, 1
+gamefoster.com, 1
+gamefreek.tk, 1
+gamegainlx.cf, 1
+gamegear.club, 0
+gamegix.com, 1
+gamegoddess.cf, 1
+gamegoddess.tk, 1
+gamegoone.tk, 1
+gamegrad.tk, 1
+gameharbor.eu, 1
+gamehighquality.tk, 1
+gameimani.ga, 1
+gameindustry.eu, 1
+gameisbest.jp, 1
+gamejobs.co, 1
+gamekaitori.jp, 0
+gamekb.gq, 1
+gamekeepers.cz, 1
+gamekeybox.tk, 1
+gamekiller.ga, 1
+gamelarix.com, 1
+gamelink.com, 1
+gameloft.ga, 1
+gamelok.ga, 1
+gamemakers.tk, 1
+gamenerd.net, 1
+gamenew.tk, 1
+gameofbooks.de, 1
+gameonespirit.tk, 1
+gameoveronline.tk, 1
+gamepad.com.br, 1
+gameplaysforkids.com, 1
+gameplus.win, 1
+gamepokies.ml, 1
+gameportalmoz.tk, 1
+gamepower.tk, 1
+gamepres.org, 0
+gamepunel.cf, 1
+gamepunel.tk, 1
+gamepunelita.cf, 1
+gamepunelita.tk, 1
+gamepuzzleinfo.tk, 1
+gamer-vip.com, 1
+gameracinginfo.tk, 1
+gamerankings.com, 1
+gamerant.com, 1
+gamercredo.com, 1
+gamereactor.asia, 1
+gamereactor.cn, 1
+gamereactor.de, 1
+gamereactor.dk, 1
+gamereactor.es, 1
+gamereactor.eu, 1
+gamereactor.fi, 1
+gamereactor.fr, 1
+gamereactor.it, 1
+gamereactor.no, 1
+gamereactor.pt, 1
+gamereactor.se, 1
+gamerepository.ga, 1
+gamerepublic.hu, 0
+gameres.com, 1
+gamering.cf, 1
+gamerkings.tk, 1
+gamers-community.tk, 1
+gamers-paradise.tk, 1
+gamersedge.tk, 1
+gamersflix.com, 0
+gamersgrill.com, 1
+gamersheaven.tk, 1
+gamersplace.tk, 1
+gamerspost.ga, 1
+gamerstudiozinc.tk, 1
+gamersuniverse.tk, 1
+gamersweb.ga, 1
+gamertelligence.com, 1
+gamertrashers.ga, 1
+gamerturk.tk, 1
+gamerwelfare.com, 1
+gamerzdot.com, 1
+games-rt.ru, 1
+games-station.tk, 1
+games2kids.net, 1
+games4theworld.org, 1
+gamesandcasino.com, 1
+gamesaviour.com, 1
+gamesbap.com, 1
+gamescore.tk, 1
+gamescum.ru, 1
+gamesdepartment.co.uk, 0
+gamesector.tk, 1
+gameserver-admin.ga, 1
+gameserver-sponsor.me, 1
+gameserver.fun, 1
+gamesgalaxy.it, 1
+gamesgate.tk, 1
+gameshack.io, 1
+gameship.ga, 1
+gameshopsrbija.com, 1
+gameshowchallenge.ie, 1
+gamesmagic.tk, 1
+gamesone.tk, 1
+gamespark.ga, 1
+gamespark.tk, 1
+gamespider.tk, 1
+gamesplanet.com, 1
+gamesplanet.tk, 1
+gamesputnik.ru, 1
+gamestand.net, 1
+gamester.tv, 1
+gamesunited.tk, 1
+gamesweek.melbourne, 1
+gametainment.net, 1
+gametilt.com, 1
+gametium.com, 1
+gametium.es, 1
+gametowndev.tk, 1
+gametube.website, 1
+gameview.tk, 1
+gamewarden.org, 1
+gamewardenedu.org, 1
+gamewayz.online, 1
+gamewinninggoal.com, 1
+gameworldcdr.tk, 1
+gamezero.nl, 1
+gamezon.ga, 1
+gamezon.tk, 1
+gamezsmack.com, 1
+gamhealth.net, 1
+gamifi.co.uk, 1
+gamilab.no, 1
+gamindustri.fr, 1
+gaming-club.tk, 1
+gaming-dice.tk, 1
+gaming-life.tk, 1
+gaming-news.tk, 1
+gaming-online.tk, 1
+gamingaktier.com, 1
+gamingblogx.com, 1
+gamingboard.eu, 1
+gamingdirectory.com, 1
+gamingdose.com, 1
+gamingerox.com, 1
+gamingexodus.com, 1
+gamingexperts.ga, 1
+gamingforecast.com, 1
+gaminggear.bg, 1
+gaminghost.ml, 1
+gaminglaptop.deals, 1
+gaminglessonest.ga, 1
+gamingmeets.com, 1
+gamingmonitortest.com, 1
+gamingph.com, 1
+gamingregulation.com, 1
+gamingtech.es, 1
+gamingterritory.com, 1
+gamingtilltheend.cf, 1
+gamingtoday.ga, 1
+gamingtopbox.ga, 1
+gamingwesters.ga, 1
+gamingwithcromulent.com, 1
+gamingx.tk, 1
+gamingzoneservers.com, 1
+gamishijabsyari.com, 1
+gamishou.fr, 1
+gamivo.com, 1
+gamize.com, 1
+gamma-travel.fr, 1
+gammabeyond.com, 1
+gammaboxtech.com, 1
+gammabrossfrance.fr, 1
+gammaknife.com, 1
+gammaphibeta.tk, 1
+gammonvillage.com, 1
+gamrenovation.ca, 1
+gamv.eu, 1
+gan.wtf, 1
+ganado.org, 0
+ganaha.org, 1
+ganardinerillo.tk, 1
+ganasoku.net, 1
+gancedo.com.es, 1
+gandalfcz.tk, 1
+gandalfservice.com, 1
+gandalfthefeline.com, 1
+gandmfamilydental.com, 1
+gandmltd.co.uk, 1
+gangbangs.tk, 1
+gangbangteen.net, 1
+ganggalbichler.at, 1
+ganglioslinfaticos.com, 1
+gangnamcool.com, 1
+gangnamoffices.com, 1
+gangrulz.tk, 1
+gangstafier.tk, 1
+gangstaflow.tk, 1
+gangsterz.tk, 1
+ganintegrity.com, 0
+gankel.nl, 1
+ganneff.de, 1
+gannett-cdn.com, 1
+gannettinnovation.com, 1
+ganodermatiendaonline.com, 1
+gant.tk, 1
+gantt-chart.com, 1
+ganyouxuan.com, 1
+gao.rocks, 1
+gao4.pw, 1
+gaodebo.com, 1
+gaoice.run, 1
+gaoice.top, 1
+gaoinnovation.gov, 1
+gaoinnovationlab.gov, 1
+gaoinnovations.gov, 1
+gaojianli.me, 1
+gaojianli.tk, 1
+gaojue.art, 1
+gaon.network, 1
+gaoqirun.com, 1
+gaos.org, 1
+gap150.jp, 1
+gapfa.ro, 1
+gaphag.ddns.net, 1
+gaponov.tk, 1
+garage-leone.com, 1
+garage.click, 1
+garage042.bg, 1
+garage15.com.ua, 1
+garagechief.com, 1
+garagedejan.ch, 1
+garagedoorrepaircedarhilltx.com, 1
+garageenginuity.com, 1
+garagemhermetica.org, 1
+garagen-crew.de, 1
+garagenet.com, 1
+garageportcenter.se, 1
+garagerogge.be, 1
+garanteasy.com, 1
+garantieabschluss.de, 1
+garantplus.kz, 1
+gararin.com, 1
+garaventa.com, 1
+garbage-juice.com, 1
+garbarinocatalogo.com, 1
+garbuszus.de, 1
+garbuz.ga, 1
+garcia-leplus.com, 1
+garciacarrion.com, 0
+garciaconstruction.com, 1
+garcialeplus.com, 1
+garciam.gt, 1
+garciaortiz.com, 1
+garco.co, 1
+garda-see.mobi, 1
+gardarika.tk, 1
+garden-land.ga, 1
+garden-life.org, 1
+garden-view.com, 1
+garden4less.co.uk, 1
+gardenblog.tk, 1
+gardencentreshopping.co.uk, 1
+gardencityal.gov, 1
+gardengameshireuk.com, 1
+gardeninggroot.com, 1
+gardenofads.com, 1
+gardenplantslife.com, 1
+gardenroomsdirect.co.uk, 1
+gardenstatecakes.com, 1
+gardensuperstore.com.au, 1
+garder.me, 1
+gardikagigih.com, 1
+gardinenzubehoer.tk, 1
+gardinia.ae, 1
+gardinpets.com, 1
+gardis.ua, 1
+gardnerlawyers.com, 1
+gardonslecap-covid19.ch, 1
+garduri-electrice-animale.ro, 1
+gardurialuminiuiasi.ro, 1
+garethbowker.com, 1
+garethbowker.uk, 1
+garethkirk.com, 1
+garethkirkreviews.com, 1
+garethrhugh.es, 1
+garfieldairlines.net, 1
+garfieldairlines.tk, 1
+garfieldcountyne.gov, 1
+garfieldcountywa.gov, 1
+gargantuan.tk, 1
+gargantuan.wang, 1
+gargas.ml, 1
+gargazon.net, 1
+gargola.tk, 1
+garibaldi.gov, 1
+gariganshi.ml, 1
+garip.me, 1
+garito3pa.tk, 1
+garlandcountyar.gov, 1
+garmonia.ml, 1
+garmonia.tk, 1
+garnerseo.co.uk, 1
+garnetnv.com, 1
+garnix-openair.de, 1
+garnuch-immo.de, 1
+garnuchbau.de, 1
+garo.email, 1
+garo.legal, 1
+garo.ninja, 1
+garochristian.us, 1
+garona.ru, 1
+garonna.com.ua, 1
+garotadeestilo.tk, 1
+garotastop10.tk, 1
+garotos.gq, 1
+garotos.tk, 1
+garp.org, 1
+garrafastermicas.net.br, 1
+garrardcountyky.gov, 1
+garrettcornwell.tk, 1
+garrettcountymd.gov, 1
+garrettmotion.com, 1
+garrettpopcorn.com, 1
+garrettrasel.com, 1
+garrigan.info, 1
+garrigan.nyc, 1
+garriganenterprises.com, 1
+garriganenterprises.net, 1
+garriganenterprisesinc.com, 1
+garriganenterprisesinc.net, 1
+garron.net, 1
+garrow.se, 1
+garrowdigitalmedia.com, 1
+garrowmediallc.com, 1
+garryserver.de, 1
+garsio.com, 1
+garstonvets.co.uk, 1
+gartanien.de, 1
+garten-diy.de, 1
+gartenbaur.de, 1
+gartengutachter.org, 1
+gartenplanung-brendes.de, 1
+gartmaninsurance.net, 1
+garudam.info, 1
+gary.gov, 1
+garycarmell.com, 1
+garyjones.co.uk, 1
+garyrh.com, 1
+garystallman.com, 1
+garywhittington.com, 0
+gas-boilers.tk, 1
+gas-proekt.tk, 1
+gasar.com, 1
+gasbarkenora.com, 1
+gasenergy.kz, 1
+gasesdelaguajira.com, 1
+gasfitermaipu.cl, 1
+gashalot.com, 1
+gasherde.tk, 1
+gasinstallationsjohannesburg.co.za, 1
+gasmar.cl, 1
+gasometria.com, 1
+gaspard-ulliel.tk, 1
+gasparesganga.com, 1
+gasscc.id, 1
+gassero.com, 0
+gasslerorourke.com, 0
+gassouthkenticoqa.azurewebsites.net, 1
+gassycat.be, 1
+gassycat.co.uk, 1
+gassycat.eu, 1
+gassycat.uk, 1
+gassyukumenkyoguide.com, 1
+gastarbajter.tk, 1
+gastepress.com, 1
+gasthausbauernhof.ch, 1
+gasthaustalacher.ch, 1
+gastonvietto.tk, 1
+gastouderbureausnoesje.nl, 1
+gastoudererenda.nl, 1
+gastro-dino.de, 1
+gastroalianza.es, 1
+gastroboom.kz, 1
+gastroboss.cz, 1
+gastrodino.com, 1
+gastrodino.de, 1
+gastroenterologen.no, 1
+gastrolab.tk, 1
+gastromedicalcenter.com.br, 1
+gastronom.ga, 1
+gastronomias.com.pt, 1
+gastrosfera.info, 1
+gastrotiger.at, 1
+gastrotiger.de, 1
+gatachic.com.br, 1
+gatapro.net, 0
+gate.sc, 1
+gate2home.com, 1
+gate4you.com, 1
+gatehub.net, 1
+gatekiller.co.uk, 1
+gatemaster.ga, 1
+gatemotorsbedfordview.co.za, 1
+gatemotorskyalami.co.za, 1
+gatemoves.com, 1
+gatenz-panel.com, 1
+gates-of-olympus-app.com, 1
+gatesstlouis.com, 1
+gatestoaesgaard.tk, 1
+gateway-cart.com, 1
+gatewaybridal.com, 1
+gatewayfurniture.com, 1
+gatewayp.com, 1
+gatewaytire.com, 1
+gatewaytrial.com, 1
+gatewaytrust.org.uk, 1
+gathegi.ga, 1
+gatherling.com, 1
+gatherup.com, 1
+gathu.co.ke, 1
+gatilagata.com.br, 1
+gatilhoarmas.com.br, 1
+gatlink.tk, 1
+gatoland.es, 1
+gatolovers.es, 1
+gatomix.net, 1
+gator34.com, 1
+gatoslivres.org, 1
+gattomatto.tk, 1
+gatturkey.com, 1
+gauche.com, 1
+gaudeamus-folklor.cz, 1
+gaudeamuschoir.tk, 1
+gaudere.co.jp, 1
+gaudi-renove.com, 1
+gaumenverfuehrer.de, 1
+gaurl.ga, 1
+gautam-iiith.tk, 1
+gautam-k.tk, 1
+gautengplumber24-7.co.za, 1
+gauthier.dk, 1
+gauthier.tel, 1
+gauting.de, 1
+gavarny.be, 1
+gavaskee.com, 1
+gavilanz.ddnsfree.com, 1
+gavin.sh, 1
+gavinbrown.ca, 1
+gavingreer.com, 1
+gavinnewsom.com, 1
+gavins.stream, 1
+gavintang.me, 1
+gavlix.se, 1
+gavr.space, 1
+gaw.sh, 1
+gay-chat.it, 1
+gay-jays.com, 1
+gay-personal-ads.com, 1
+gay.systems, 1
+gayanalysing.co.uk, 1
+gayauthors.org, 1
+gaycafe.lt, 1
+gaychatrooms.tk, 1
+gaycock4u.com, 1
+gaycum.de, 0
+gayfeedr.com, 1
+gayfr.online, 1
+gayfr.social, 1
+gayga.gov, 1
+gaygay.pro, 1
+gaygeeks.de, 1
+gayglobaltravel.com, 0
+gayhotmovies.com, 1
+gaymen.pictures, 1
+gaymer.network, 1
+gaymerx.org, 1
+gaynight.tk, 1
+gayonly.ch, 1
+gaypornvideos.xxx, 1
+gayreppc.com, 1
+gaysexpositions.guide, 1
+gaytor.rent, 1
+gaytorrent.ru, 1
+gaytubec.com, 1
+gayuhtri.my.id, 1
+gayukai.net, 1
+gazapos.ga, 1
+gazaryan.tk, 1
+gazbonicacidmc.ga, 1
+gazeta-n1.ru, 1
+gazete.org, 1
+gazetefutbol.de, 1
+gazette.govt.nz, 1
+gazettengr.com, 1
+gazi.edu.tr, 1
+gazik.com.ua, 1
+gazizov.tk, 1
+gazobeton-don.ru, 1
+gazor.tk, 1
+gazoz.ga, 1
+gazst.ru, 1
+gazza.tk, 1
+gb-bilder.com, 1
+gb-repair.com, 1
+gba.ge, 1
+gba.gob.ar, 1
+gbatroid.com, 1
+gbcdigitalmarketing.com, 1
+gbcomm.tk, 1
+gbcsummercamps.com, 1
+gbdavisplasticsurgery.com, 1
+gbes.com, 1
+gbfoundation.org, 1
+gbhem.org, 1
+gbi-etalon.ru, 1
+gbika.org, 1
+gbinsta.com, 1
+gbiotech.tk, 1
+gbisigma.com, 1
+gbk-host.de, 1
+gbk-teamplan.de, 1
+gbkom.de, 1
+gbl.selfip.net, 0
+gboys.net, 0
+gbp.com.ph, 1
+gbpayments.io, 1
+gbpicshd.com, 1
+gbquotes.com, 1
+gbrand.com.au, 1
+gbs.com.ua, 1
+gbsapri.it, 1
+gbscience.com, 1
+gbsvelasco.com, 1
+gbusercontent.com, 1
+gbwhats.cc, 1
+gc-event-manager.com, 1
+gc-hartberg.tk, 1
+gc-mc.de, 1
+gc-pfalz.de, 1
+gc.ru.net, 1
+gc22.xyz, 1
+gc4hr.org, 1
+gcabrasives.co.uk, 1
+gcaresolutions.com, 1
+gcautodeals.com, 1
+gcb.com.my, 1
+gcbit.dk, 1
+gcc-globalclimatechange.com, 0
+gccfoodstuff.com, 0
+gcdamp.gov, 1
+gcfadvisors.com, 1
+gcgeeks.com.au, 1
+gcgroup.io, 1
+gchp.ie, 0
+gchq.lol, 1
+gchq.wtf, 1
+gclegal.com.au, 1
+gclpower.com, 1
+gcmsnotes.com, 1
+gcode.space, 1
+gcoded.de, 1
+gcolomboart.com, 1
+gconcept.tk, 1
+gconstruction.org, 1
+gcoption.pro, 1
+gcorevape.ca, 1
+gcqd.fr, 1
+gcrm.jp, 1
+gcs-ventures.com, 1
+gcschool.tk, 1
+gcsepod.com, 1
+gcsm-qc.ca, 1
+gcso.gov, 1
+gcstechnologies.com, 1
+gctdtx.gov, 1
+gcuf.edu.pk, 1
+gcustom.email, 1
+gcwatx.gov, 1
+gcwcid1tx.gov, 1
+gcwholistic.com, 1
+gd-ots.com, 1
+gd1214b.icu, 0
+gda.gov.lb, 1
+gdacs.org, 1
+gdax.com, 1
+gdb.re, 1
+gddzqg.com, 1
+gdedoma.ru, 1
+gdesemena.ru, 1
+gdhzcgs.com, 1
+gdiary.net, 1
+gdit.com, 1
+gdkn0.gq, 1
+gdm.cl, 1
+gdngs.de, 1
+gdoce.es, 0
+gdomusicaeventi.tk, 1
+gdpr-pohotovost.cz, 1
+gdpr.fr, 1
+gdretrofunk.cf, 1
+gdtd.info, 1
+gdufe.top, 1
+gdv.me, 0
+gdwservices.com, 1
+gdz.tv, 1
+gdz4you.com, 1
+ge1.me, 0
+ge3k.net, 1
+gea-waldviertler.at, 1
+geafworks.tk, 1
+geaiai.com, 1
+gealot.com, 1
+geansunter.com, 1
+gear-acquisition-syndrome.community, 1
+gear4music.ch, 1
+gear4music.com, 1
+gear4music.de, 1
+gear4music.dk, 1
+gear4music.es, 1
+gear4music.fr, 1
+gear4music.ie, 1
+gear4music.it, 1
+gear4music.nl, 1
+gear4music.no, 1
+gear4music.se, 1
+gearallnews.com, 1
+gearbot.rocks, 1
+gearboxhero.com, 1
+gearev.net, 1
+gearfinder.nl, 1
+gearnews.tk, 1
+gearset.com, 1
+gearsupply.com, 0
+geaskb.nl, 0
+geass.xyz, 1
+geauxdns.com, 1
+geba-online.de, 1
+gebaeude-braun.de, 1
+gebaeudebilanzierung.de, 1
+gebaeudeklima-schweiz.ch, 1
+gebeliktakibim.com, 1
+geben.digital, 1
+gebhardtinsurancegroup.com, 1
+gebiert.de, 1
+gebn.co.uk, 1
+gebn.uk, 1
+geborgen-wachsen.de, 1
+gebpow.com, 1
+gebruikershandleiding.com, 1
+gebrvoit.de, 1
+gebzehaliyikama.net, 1
+gecbunlari.com, 1
+gecem.org, 1
+gechr.io, 1
+geckler-ee.de, 0
+geckos-geocaching.de, 1
+geckosurfschool.com, 1
+gecosan.com, 1
+gedachtekaarsje.nl, 1
+gedankenworks.com, 0
+geder.at, 1
+gedichtensite.tk, 1
+gediga.net, 1
+gedlingcastlehire.co.uk, 1
+gedlingtherapy.co.uk, 1
+geecrat.com, 1
+geek-hub.de, 1
+geek-rooms.tk, 1
+geek.ch, 1
+geek.com.tr, 1
+geek1.de, 1
+geekabit.nl, 1
+geekanatomy.com, 1
+geekandi.com, 1
+geekariom.com, 0
+geekashell.tk, 1
+geekattitude.org, 1
+geekbundle.org, 1
+geekcore.tk, 1
+geekcq.com, 1
+geekcreations.co.uk, 1
+geekdocs.de, 0
+geekdoit.com, 1
+geekedin.ga, 1
+geekflare.com, 1
+geekgear.tk, 1
+geekgirltech.com, 1
+geekhelpline.com.au, 1
+geekium.me, 1
+geeklair.net, 1
+geeklan.co.uk, 1
+geekles.net, 1
+geekmagazine.com.br, 1
+geeknik.com, 1
+geekofeminin.com, 1
+geekowl.com, 1
+geekpad.com, 1
+geekplay.fr, 1
+geekport.net, 1
+geekpost.net, 1
+geeks.berlin, 1
+geeks.lgbt, 0
+geeks.one, 0
+geeksforrent.com, 1
+geekshirts.cz, 1
+geeksontap.com.au, 1
+geekspace.gq, 1
+geeksquadforums.tk, 1
+geekstreet.fr, 1
+geekstuff.tk, 1
+geektarven.com, 1
+geektechsolutions.com.au, 1
+geektechypro.tk, 1
+geektopia.es, 1
+geekurl.cf, 1
+geekwhack.org, 1
+geekwithabudget.com, 1
+geekwu.org, 1
+geekyboi.co.uk, 1
+geekymansion.com, 1
+geekynutritionist.com, 1
+geekystudios.us, 1
+geekz.sk, 1
+geekzone.co.nz, 1
+geekzone.fr, 1
+geekzuprepairs.com, 1
+geelaeden.de, 1
+geele.co.th, 1
+geemprestimos.com, 1
+geenspam.net, 1
+geentsefeesten.be, 1
+geeq.ch, 1
+geerdsen.net, 1
+geertdegraaf.nl, 1
+geertjanvanhest.nl, 1
+geertswei.nl, 1
+geestelijkgezondgent.be, 1
+geesthof.de, 1
+gefinances.com, 1
+gefolge.org, 1
+gegeco.ch, 0
+gegevensdelen.nl, 1
+geh.li, 1
+gehirn.co.jp, 1
+gehirn.jp, 1
+gehirnapis.jp, 1
+gehirnstatus.jp, 1
+gehopft.de, 1
+gehrdencarre.de, 1
+gehrke.cloud, 1
+gehrke.in, 1
+gehrke.nrw, 1
+gehsicht.de, 1
+geico.com, 1
+geigr.de, 1
+geilefrauen.pics, 1
+geileverhalen.tk, 1
+geiser-family.ch, 1
+geishamika.com, 1
+geisten.net, 1
+geitenijs.com, 1
+gekko.tk, 1
+gekkoldprom.com, 1
+gekleurdverleden.be, 1
+geko.cf, 1
+gelaendermanufaktur.de, 1
+gelan.nl, 1
+gelanc.ml, 1
+gelaterista.de, 1
+gelb-computer.de, 1
+gelcocktail.fr, 1
+geld-im-blick.de, 1
+geld-magazin.info, 1
+geldimblick.de, 1
+geldmaat.nl, 1
+geldoderleben.tk, 1
+geldspelletjes.net, 1
+geldteveel.eu, 1
+geldvoorelkaar.nl, 1
+geleenbeekdal.nl, 1
+geleia-real.com, 1
+geli-graphics.com, 1
+gelijk.cf, 1
+gelisimakademi.com.tr, 1
+gellis12.com, 1
+gelmostop.tk, 1
+geloft.cf, 1
+geloft.gq, 1
+gelog-software.de, 0
+gelonghui.com, 1
+geloofindemocratie.nl, 1
+geloven-enzo.nl, 1
+gelsey.com, 1
+geluidsstudio.com, 1
+geluidstechniek.tk, 1
+geluidsverwachting.nl, 1
+gelukkigehonden.nl, 1
+geluleminceur.fr, 1
+gelvetika.cf, 1
+gem-forex.org, 1
+gem-forex.pro, 1
+gem-info.fr, 0
+gemahui.su, 1
+gemails.eu, 1
+gemaskeerd.nl, 1
+gemawardian.com, 1
+gemax-online.de, 1
+gembet99.com, 1
+gemeentehub.nl, 1
+gemeentestein.nl, 1
+gemeinde-luederitz.de, 1
+gemeinde-sonnen.de, 1
+gemeinderatswahl2020.de, 1
+gemeinfreie-lieder.de, 1
+gemelen.net, 1
+gemforex.pro, 1
+gemforex.top, 1
+gemgroups.in, 1
+gemik.com, 1
+gemini.com, 1
+geminicorp.be, 0
+geminifm.tk, 1
+gemmproductions.com, 1
+gemmy.cf, 1
+gemonite.com, 1
+gempak.com, 1
+gempool.ie, 1
+gemquery.com, 1
+gemstn.com, 1
+gemstones.com, 1
+gemwerx.com, 1
+gen.cn.eu.org, 1
+gen.net.eu.org, 1
+gen53.org, 1
+genbars.jp, 1
+genbrugge.tk, 1
+genchev.io, 0
+genclikdunyasi.com, 1
+genclikotobusu.com, 1
+gencnet.tk, 1
+gend.moe, 1
+gend.work, 1
+gender-summit.com, 1
+gendergp.com, 1
+genderidentiteit.nl, 1
+genderrevealshop.nl, 1
+gendrin.com, 1
+gendundrupa.ch, 0
+gene-drive.com, 1
+gene-drives.com, 1
+geneacdn.net, 1
+genealog.fr, 1
+genealog.ong.br, 1
+genealogiegazet.nl, 1
+genealogieonline.nl, 1
+genealogiewerkbalk.nl, 1
+genealogy-beyers.tk, 1
+genealorand.com, 1
+geneanet.org, 1
+geneastar.org, 1
+geneau.net, 1
+geneawiki.com, 1
+geneeskrachtig.com, 1
+genehightower.com, 1
+genehome.com.au, 1
+genejournal.blog, 1
+genelhaberler.tk, 1
+genemesservwparts.com, 1
+genemon.at, 1
+genen.ga, 1
+generace-id.org, 1
+generacionmoderatto.tk, 1
+generador-electrico.com, 1
+generadorminecraft.tk, 1
+general-anaesthesia.com, 1
+general-anaesthetics.com, 1
+general-anesthesia.com, 1
+general-directorate-of-administration.gov.lb, 1
+general-insurance.tk, 1
+generalautocheck.com, 1
+generalcustomshop.com.br, 1
+generali-investments-portal.cz, 1
+generali-worldwide.com, 1
+generalinsuranceagencies.com.au, 1
+generalinsuranceservices.com, 1
+generalliabilityinsure.com, 1
+generalpsych.cf, 1
+generalshale.com, 1
+generalsync.com, 1
+generaltitlewebui-stage.azurewebsites.net, 1
+generaly.ga, 1
+generateurdapplis.fr, 1
+generateurdesmiley.tk, 1
+generatevelocity.com, 1
+generation-clic.net, 1
+generation-free.org, 1
+generation247.nl, 1
+generationgoat.com, 1
+generationnext.pl, 0
+generationr.nl, 1
+generationsweldom.com, 1
+generator-energy.ru, 1
+generatorcountry.com, 1
+generatorkodowkreskowych.pl, 1
+generatormusic.tk, 1
+generatorreview.pro, 1
+generators-pro.ru, 1
+generic-noroxin.ml, 1
+generic-plavix.ga, 1
+generic-sildenafil-citrate.cf, 1
+generic-tadalafil.cf, 1
+generic-tenormin.gq, 1
+genericabana.gq, 1
+genericaccutaneonline.ml, 1
+genericaceon.tk, 1
+genericacomplia.ga, 1
+genericadvaironline.ml, 1
+genericanticipation.com, 1
+genericazithromycin.tk, 1
+genericazulfidine.gq, 1
+genericcalan.gq, 1
+genericcelebrex.tk, 1
+genericclaritin.ga, 1
+genericcolchicine.ml, 1
+genericdevelopment.nl, 1
+genericdutasteride.cf, 1
+genericflagyl.ga, 1
+genericforavodartmedication.tk, 1
+genericforflagyl.cf, 1
+genericlevaquin.tk, 1
+genericlexaprocost.cf, 1
+genericlexaprocost.tk, 1
+generico.in, 0
+genericprevacidlansoprazole.tk, 1
+genericrhinocort.ga, 1
+genericuroxatral.gq, 1
+genericvytorin.ml, 1
+generix.biz, 1
+generujdata.cz, 1
+geneseecountymi.gov, 1
+geneseetwpmi.gov, 1
+genesis-a-fresh-translation-from-hebrew-to-english.com, 1
+genesisblock.com, 1
+genesiscoding.net, 1
+genesiseureka.com, 1
+genesisgold.com, 1
+genesisgrade.com, 1
+genesismachina.ca, 1
+genesisplay.tk, 1
+genesistoday.org, 1
+genesys-uk.com, 1
+genetargetsolutions.com.au, 1
+genetidyne.com, 1
+genetworx.com, 1
+geneuse.ai, 1
+genevaal.gov, 1
+genevablogers.ga, 1
+genevablogest.ga, 1
+genevachauffeur.com, 1
+genevacountyal.gov, 1
+genevalunch.com, 1
+geneve.guide, 1
+genfaerd.dk, 1
+gengcerita.tk, 1
+genghan.com, 1
+genia-life.de, 1
+genial.ly, 1
+genie.tk, 1
+genieall.com, 1
+geninspira.com, 1
+geniodonna.it, 1
+geniofinanciero.org, 1
+genioideal.com, 1
+geniosport.com, 1
+genious.co, 1
+genious.world, 1
+genioyfigura.tk, 1
+geniusclan.tk, 1
+geniuses.gq, 1
+geniussis.com, 1
+geniusteacher.in, 1
+geniuswin.it, 1
+geniuszone.biz, 1
+genkihub.com, 1
+genlack.com, 0
+genmab.co.jp, 1
+gennaroabete.duckdns.org, 1
+gennerator.com, 1
+gennet.com, 1
+geno-hyp.de, 1
+geno-hypo.de, 1
+geno4links.ml, 1
+genocidediary.org, 1
+genocideofua.org, 1
+genodeftest.de, 1
+genohyp.com, 1
+genohyp.de, 1
+genohyp.net, 1
+genohypo.de, 1
+genom.by, 1
+genome-reform.com, 1
+genome.eu, 1
+genome.gov, 0
+genomedia.jp, 1
+genomelink.io, 1
+genomequestlive.com, 1
+genomesoft.systems, 1
+genometrik.de, 1
+genomicsinc.com, 1
+genomicslab.in, 1
+genomicsplc.com, 0
+genoog.com, 1
+genophore.com, 1
+genoplot.com, 1
+genorma.com, 1
+genossen.ru, 1
+genossenwiese.ch, 1
+genotix.eu, 1
+genotix.nl, 1
+genovatoday.it, 1
+genoveve.de, 1
+gensenwedding.jp, 1
+genshiken-itb.org, 1
+gensicke.de, 1
+gensleiten.de, 1
+genslerapps.com, 1
+genslerwisp.com, 1
+gensokyo.cafe, 1
+gensokyo.chat, 0
+gensokyo.re, 1
+gensolarenergy.com, 1
+gensonline.eu, 1
+gentapps.com, 1
+gentas.se, 1
+gentbereikbaar.be, 1
+gentblogt.be, 1
+gentbrugsemeersen.be, 1
+gentcdn.com, 1
+gentcityofmusic.be, 1
+gentcongres.be, 1
+gentcongres.com, 1
+gentcongres.eu, 1
+gentcongres.org, 1
+gentcreativecityofmusic.be, 1
+gentec.cz, 1
+gentengarde.be, 1
+gentevenement.be, 1
+gentfietst.be, 1
+gentgezondestad.be, 1
+gentgreenkey.be, 1
+gentholidayland.be, 1
+gentholidayland.com, 1
+gentianes.ch, 0
+gentinvest.be, 1
+gentklimaatstad.be, 1
+gentlecollies.tk, 1
+gentledance.ch, 1
+gentledance.net, 1
+gentledentalcaregroup.co.uk, 1
+gentleentuit.be, 1
+gentlemanwithin.com, 1
+gentlent.biz, 1
+gentlent.blog, 1
+gentlent.cn, 1
+gentlent.co, 1
+gentlent.com, 1
+gentlent.eu, 1
+gentlent.group, 1
+gentlent.help, 1
+gentlent.info, 1
+gentlent.io, 1
+gentlent.net, 1
+gentlent.org, 1
+gentlent.tech, 1
+gentlent.uk, 1
+gentlent.us, 1
+gentlent.xyz, 1
+gentlentapis.com, 1
+gentlentgroup.com, 1
+gentlentssl.com, 1
+gentlichtfestival.be, 1
+gentlichtfestival.com, 1
+gentlivinglab.be, 1
+gentmuziekstad.be, 1
+gentoo-blog.de, 0
+gentooblog.de, 1
+gentoocn.org, 1
+gentryarkansaspd.gov, 1
+gentrydeng.cn, 1
+gentrydeng.com, 1
+gentse-ondernemersdagen.be, 1
+gentsefeesten.be, 1
+gentsefeesten.gent, 1
+gentseondernemersdagen.be, 1
+gentsklimaatverbond.be, 1
+gentslimopweg.be, 1
+genttegenarmoede.be, 1
+gentverwent.be, 1
+genuineppe.co.uk, 1
+genuinetech.pk, 1
+genunlimited.ga, 1
+genunlimited.tk, 1
+genusbag.com, 1
+genutax.ca, 1
+genuxtsg.com, 1
+genxreviewest.ga, 1
+genzdx.xyz, 1
+genzia.ga, 1
+geo-files.tk, 1
+geo-industrie.fr, 1
+geo-portale.it, 1
+geoactivism.org, 1
+geoapps.nl, 1
+geoarchive.tk, 1
+geocaching.hu, 1
+geocar.com, 1
+geocell.website, 1
+geocod.tk, 1
+geocoin2016.dk, 1
+geocommunicator.gov, 1
+geocompass.at, 1
+geoconcretsa.com, 1
+geoconsultant.eu, 1
+geoconvention.ga, 1
+geodatasource.com, 1
+geodesic-tents.com, 1
+geodesign.tk, 1
+geoenvironconsult.ga, 1
+geofabrika.ru, 1
+geoffanderinmyers.com, 1
+geoffmyers.com, 1
+geoffreymmoore.pw, 1
+geoffreyrichard.com, 1
+geoffsec.org, 1
+geofit.ru, 1
+geoflowerstudio.com, 1
+geoforex.ro, 1
+geofox.eu, 1
+geofox.org, 1
+geogas.com.au, 1
+geografia-peru.tk, 1
+geographique.tk, 1
+geography-schools.com, 1
+geohashing.site, 1
+geoip-js.com, 1
+geoip.fedoraproject.org, 1
+geoip.stg.fedoraproject.org, 1
+geojs.io, 1
+geokeys.cf, 1
+geolex.tk, 1
+geolite.info, 1
+geologist.tk, 1
+geology-schools.com, 1
+geolonia.com, 1
+geomac.gov, 1
+geomadrid.ga, 1
+geomagne.tk, 1
+geoman.tk, 1
+geomancy.net, 1
+geomatic.tk, 1
+geometra.roma.it, 1
+geometra24.it, 1
+geometri.tk, 1
+geometrie-rechner.de, 1
+geometriya-dash.online, 1
+geometry-calculators.com, 1
+geon.nl, 1
+geoned.bg, 1
+geonice.ga, 1
+geonot.es, 1
+geophysicsjournal.com, 1
+geopixeles.cl, 1
+geopoetico.tk, 1
+geoponika.gr, 1
+georadar-algerie.com, 1
+georg-ledermann.de, 1
+george-brighton.co.uk, 1
+george-orwell.com, 1
+george.black, 1
+george.com.tw, 1
+george.id.au, 1
+george.ooo, 1
+georgebeverlysheamemorial.org, 1
+georgeblack.me, 1
+georgebrighton.co.uk, 1
+georgeclaghorn.com, 1
+georgeclooney.tk, 1
+georgecolgrove.com, 1
+georgedesign.ch, 1
+georgegachara.tk, 1
+georgehotz.tk, 1
+georgekaraoglanis.tk, 1
+georgelucas.tk, 1
+georgemudie.com, 1
+georgenad.duckdns.org, 1
+georgepancescu.ro, 1
+georges-sadeler.com, 1
+georges.nu, 1
+georgesand.be, 1
+georgeshobeika.cf, 1
+georgeslasaucisse.fr, 1
+georgetownohio.gov, 1
+georgetowntexas.gov, 1
+georgewatson.me, 1
+georgewbushlibrary.gov, 1
+georgiaaccess.gov, 1
+georgiaautoglass.net, 1
+georgiacriminaldefense.com, 1
+georgiaglassrepair.com, 1
+georgiainfo.ga, 1
+georgiajetcharter.com, 1
+georgian.io, 1
+georgianews.ml, 1
+georgiangames.gq, 1
+georgianhistory.tk, 1
+georgiaparks.org, 1
+georgiastuartyoga.co.uk, 0
+georgiawrestling.tk, 1
+georgie.cc, 1
+georgiebailey.com, 1
+georgiedann.ga, 1
+georgiedann.gq, 1
+georgiedann.ml, 1
+georginabouzova.tk, 1
+georginikolov.com, 1
+georgioskontaxis.com, 1
+georgioskontaxis.net, 1
+georgioskontaxis.org, 1
+georgiosnetworks.com, 1
+georglauterbach.com, 1
+georglauterbach.de, 1
+georgmayer.eu, 1
+geosales.tk, 1
+geoscout.uk, 1
+geoserves.com, 1
+geosever.cz, 1
+geosno.com, 1
+geospecialsers.ga, 1
+geostems.com, 1
+geoswohnen.de, 1
+geotabgov.us, 1
+geotec-weilrod.de, 1
+geotech.tk, 1
+geotextil.ec, 1
+geothermalproducts.info, 1
+geotrust.com.ru, 1
+geotruth.net, 1
+geourl.me, 1
+geowest.tk, 1
+gep.ch, 1
+gepassociati.cloud, 1
+gepe.ch, 1
+gepgroup.gr, 1
+gepps.de, 1
+geppy.im, 1
+gera-haushaltsaufloesung.de, 1
+gerainano.com, 1
+geraintwhite.co.uk, 1
+gerald-zojer.com, 1
+geranium.dk, 1
+gerard-klooster.net, 1
+gerardinden.nl, 1
+gerardmccabe.com.au, 1
+gerardozamudio.mx, 1
+gerards-abenteuer.de, 1
+gerbang-singkolo.ga, 1
+gerber-construction.com, 1
+gerbil.tk, 1
+gerbils.tk, 1
+gerbyte.co.uk, 1
+gerbyte.com, 1
+gerbyte.uk, 1
+gerd-frank.com, 1
+gereedschapmuseumdehobbyzolder.tk, 1
+gerenciaconsultor.com, 1
+gerencial.com.br, 1
+geret.cl, 1
+gergoladi.me, 1
+geriartriya.ru, 1
+gerimileva.com, 1
+gerinet.pl, 1
+gerkevangarderen.nl, 1
+germain.cc, 1
+germaintechnologies.com, 1
+german242.com, 1
+germanclarkoh.gov, 1
+germancoding.com, 1
+germancoding.de, 1
+germancorbo.com, 1
+germancraft.net, 1
+germandarknes.net, 1
+germanicvs.tk, 1
+germaniumsoft.com, 1
+germanmasterpainters.nz, 1
+germanophobia.tk, 1
+germanpavilion.com, 1
+germanpay.com, 1
+germanrojas.ga, 1
+germansoldiers.net, 1
+germanssky.de, 1
+germantolobis.lt, 1
+germantownpolicewi.gov, 1
+germantownwi.gov, 1
+germantrip.tk, 1
+germanymade.com, 1
+germanypay.com, 1
+germanytravel.ga, 1
+germanytravelguide.ml, 1
+germanzero-nv.de, 1
+germfr.ee, 1
+germinalekeren.tk, 1
+germistry.com, 1
+gernert-server.de, 1
+gero.io, 1
+geroiplavska.tk, 1
+geropa.it, 1
+gerris.tk, 1
+gerrit078.nl, 1
+gerritcodereview.com, 1
+gers-authentique.com, 1
+gerstbauer.tk, 1
+gerstner.it, 1
+gertjan-tamerus.tk, 1
+gertrudeco.com, 1
+gertrudentor.de, 1
+gerum.dynv6.net, 0
+gerwinvanderkamp.nl, 1
+gesamenvat.nl, 1
+gesath.co, 1
+gesath.com, 1
+geschenkkoerbeversand.de, 1
+geschenkkorb-ideen.de, 1
+geschenkly.de, 1
+geschichtscheck.de, 1
+geschichtswerkstatt.tk, 1
+geschmackspiloten.de, 0
+geschwinder.net, 1
+geseduc.cl, 1
+gesentorno.tk, 1
+gesetz.tk, 1
+gesica.cloud, 1
+gesmav-trier.de, 1
+gesnerfigueiredo.com.br, 1
+gesnex.com, 1
+gessettirotti.it, 1
+gessosaoluiz.com, 1
+gestaoclub.com.br, 1
+gestcoelho.com, 1
+gestion-de-contact.fr, 1
+gestionadministrativevirtuelle.ca, 1
+gestionadministrativevirtuelle.ch, 1
+gestione-certificazioni.it, 1
+gestioninfosolutions.com, 1
+gestionth.com, 1
+gestorehotel.com, 1
+gestorestecnologicos.com, 1
+gestus.tk, 1
+gesuiti.it, 1
+gesundessen.at, 1
+gesundessen.ch, 1
+gesundessen.de, 1
+gesundheit-ifg-muenchen.de, 1
+gesundheitmassage.com, 1
+gesundheitswelt24.de, 1
+gesundimmund.de, 1
+get-a-wingman.com, 1
+get-asterisk.ru, 1
+get-baaam.com, 1
+get-erp.ru, 1
+get-express-vpn.com, 1
+get-maurice.com, 1
+get-my-report.com, 1
+get-quick-bits-fast-2018.pw, 1
+get-refer.com, 1
+get-x-web-link2.com, 1
+get-your-business.tk, 1
+get.design, 1
+get.gov, 1
+get.how, 1
+getabear.com, 1
+getacrane.co.uk, 1
+getahearing.com, 1
+getaldea.com, 1
+getalink.ga, 1
+getalitools.ru, 1
+getanresources.com, 1
+getanswer.ga, 1
+getar.tk, 1
+getaskoll.at, 1
+getawaycab.tk, 1
+getawayline.com, 1
+getback.ch, 1
+getbellhop.co, 1
+getbodysmart.com, 1
+getboomerangwater.com, 1
+getbootstrap.com, 1
+getboubou.com, 1
+getbox.me, 1
+getbrain.tk, 1
+getbreadcrumbs.com, 1
+getbrowink.com, 1
+getbutterfly.com, 1
+getbuya.com, 1
+getcabal.com, 1
+getcare.com, 1
+getcarina.com, 1
+getchip.cc, 1
+getcloak.com, 1
+getclubsoda.com, 1
+getcodelove.com, 1
+getcolq.com, 1
+getcontact.com, 1
+getcookie.ml, 1
+getcyber.me, 1
+getcyber.org, 1
+getdash.io, 1
+getdeclutter.com, 1
+getdinghy.com, 1
+getdirectcredit.com, 1
+getdishnow.tk, 1
+getdoc.com.br, 1
+getdoges.tk, 1
+getdownon.it, 1
+getdumpsterdash.com, 1
+getecoins.shop, 1
+geteducation.tk, 1
+geteduroam.no, 1
+getelectronics.tk, 1
+geterp.ru, 1
+getescrowest.ga, 1
+getestudio.com, 1
+getevidenceers.ga, 1
+getexipure.com, 1
+getfastanswer.com, 1
+getfedora.org, 1
+getfit.md, 1
+getfitbee.com, 1
+getfitwithkip.com, 1
+getflip.com, 0
+getflorence.co.uk, 0
+getfreeelectricity.tk, 1
+getfreeltc.ml, 1
+getgeek.dk, 1
+getgeek.ee, 1
+getgeek.es, 1
+getgeek.fr, 1
+getgeek.io, 1
+getgeek.no, 1
+getgeek.nu, 1
+getgeek.pl, 1
+getgeek.se, 1
+getgreencarpetct.com, 1
+gethere.gq, 1
+gethotspotshield.com, 1
+gethow.org, 1
+gethttpsforfree.com, 1
+gethvac.pro, 1
+gethyas.com, 1
+geti2p.com, 1
+getidee.com, 1
+getidee.de, 1
+getidmcc.com, 1
+getinfoleads.tk, 1
+getinshape.today, 1
+getinsuranceanywhere.com, 1
+getinternet.gov, 1
+getintra.org, 1
+getitpeople.com, 1
+getjadedlocal.com, 1
+getjms.com, 1
+getlaminas.org, 1
+getlantern.org, 0
+getlawnbuddy.com, 1
+getlawyered.com.au, 1
+getleanflorida.gov, 1
+getlessgivemore.com, 1
+getlibrary.com, 1
+getmango.com, 1
+getmarksvoice.com, 1
+getmdl.io, 1
+getme.cf, 1
+getmello.org, 1
+getmeloan.org, 1
+getmerch.eu, 1
+getmetech.com, 0
+getmimo.com, 0
+getmonero.cz, 1
+getmybosslife.com, 1
+getnetset.com, 1
+getnew.tk, 1
+getnews360.com, 1
+getnib.com, 1
+getnikola.com, 1
+getontop.club, 1
+getonyx.com, 1
+getoxley.com, 1
+getpagespeed.com, 1
+getpaidclub.tk, 1
+getpaidtocode.com, 1
+getpaidtodesign.com, 1
+getpaidtodev.com, 1
+getpanelapp.com, 1
+getpavedmidmichigan.com, 1
+getpdf.in, 1
+getpet.lt, 1
+getplus.com.au, 1
+getpro.plumbing, 1
+getprohealth.com, 1
+getpromo.cf, 1
+getpublii.com, 1
+getready2dance.tk, 1
+getreadyforever.tk, 1
+getrelish.com, 1
+getresilience.org, 1
+getresults.co.za, 1
+getriebeservice-gse.de, 1
+getroman.com, 1
+getsamegoal.com, 1
+getscif.com, 1
+getsecure.nl, 1
+getserm.com, 1
+getserum.xyz, 1
+getsession.org, 1
+getsetbounce.co.uk, 1
+getsilknow.com, 1
+getsimone.online, 1
+getsmartlife.in, 1
+getsocreative.com, 1
+getspaces.com, 1
+getstark.co, 1
+getstat.net, 1
+getstream.io, 1
+getsubs.net, 1
+getswadeshi.com, 1
+getsweep.com, 1
+getteamninja.com, 1
+gettext.tk, 1
+getthefriendsyouwant.com, 1
+getthejobicanhelp.com, 1
+gettheworldmoving.com, 1
+getticker.com, 1
+gettingtvers.ga, 1
+gettodoing.com, 1
+gettonline.com, 1
+gettopquality.com, 1
+gettravelista.com, 1
+gettrust.com, 1
+getts.ro, 1
+getts.shop, 1
+gettwo.ml, 1
+getupandbounce.co.uk, 1
+getupdat.es, 1
+getupwakeclub.com, 1
+getvalidate.com, 1
+getvdownloader.com, 1
+getveer.io, 1
+getwemap.com, 1
+getwokegobroke.xyz, 1
+getword.com, 1
+getwork.tk, 1
+getwsodo.com, 1
+getyou.onl, 0
+getyour.nz, 1
+getyoureuro.tk, 1
+getyourlifestraight.com, 1
+getyournurse.de, 1
+getyourphix.tk, 1
+geulis.tk, 1
+geus-okna.eu, 1
+gevara.cz, 1
+gevelreinigingtiel.nl, 1
+gevme.com, 1
+gevo.gg, 1
+gew.is, 1
+gewasteelt.ga, 1
+gewel.io, 1
+gewerbe-fix.ag, 1
+gewerbe-fix.at, 1
+gewerbe-fix.ch, 1
+gewerbe-fix.com, 1
+gewerbe-fix.de, 1
+gewerbe-fix.eu, 1
+gewerbe-fix.info, 1
+gewerbe-fix.net, 1
+gewerbe-fix.org, 1
+gewerbefix.ag, 1
+gewerbefix.at, 1
+gewerbefix.biz, 1
+gewerbefix.ch, 1
+gewerbefix.com, 1
+gewerbefix.de, 1
+gewerbefix.eu, 1
+gewerbefix.info, 1
+gewerbefix.net, 1
+gewerbefix.org, 1
+gewinn.tk, 1
+gewis.nl, 1
+gexobiz.tk, 1
+geyduschek.be, 0
+geytabir.cf, 1
+gezakekazeg.tk, 1
+gezginsolar.com, 1
+gezinnenhilton.com, 1
+gezondetips.nl, 0
+gezondheidsfondsenvoorrookvrij.nl, 1
+gezondheidszorg-ict.nl, 1
+gezondheidszorg-it.nl, 1
+gf-franken.de, 1
+gf0.ltd, 1
+gf5fcalc.com, 1
+gfac.ru, 1
+gfahnen.de, 1
+gfast.ru, 1
+gfc.scot, 1
+gfcleisure.co.uk, 1
+gfcnieuws.com, 1
+gfcorp.jp, 1
+gfe.link, 1
+gfedating.com, 1
+gfestival.fo, 1
+gfetechs.com, 1
+gfgmmarketing.com, 1
+gfishbone.com, 1
+gfk-kunststoff-luebben.de, 1
+gfleaks.com, 1
+gfmp.com.pl, 1
+gfms.ru, 1
+gfnetfun.cf, 1
+gforce.ninja, 1
+gforex.pro, 1
+gforex.top, 1
+gfoss.gr, 1
+gfourmis.co, 1
+gfournier.ca, 1
+gfox.hu, 1
+gfpress.it, 1
+gfrevenge.com, 1
+gfronline.tk, 1
+gfsolucoesdigitais.com, 1
+gfsolucoesdigitais.com.br, 1
+gfx.cards, 1
+gfxbench.com, 1
+gfxviet.net, 1
+gfxworld.tk, 1
+gfycat.com, 1
+gg.ax, 1
+gg.co.uk, 1
+gg.world, 1
+gg5197.co, 1
+gg6729.co, 1
+gg6729.com, 1
+gg6957.co, 1
+gg9297.co, 1
+gg9397.com, 1
+gg9728.co, 1
+ggb.world, 1
+ggcp.com, 1
+ggdcpt.com, 1
+ggdghorkennisnet.nl, 1
+ggdrop.com, 1
+ggdrop.top, 1
+gge16.ru, 1
+ggg.re, 1
+gggg.loan, 1
+gginin.today, 1
+ggiveilig.nl, 1
+ggld.net, 1
+gglks.com, 1
+ggmmontascale.it, 1
+ggobbo.com, 1
+ggs-marschallstrasse.de, 1
+ggs.jp, 1
+ggservers.com, 1
+ggss.cf, 1
+ggworld.ga, 1
+gh-sandanski.com, 1
+gh16.com.ar, 1
+gha.st, 1
+ghada.blog, 1
+ghafatzayed.com, 1
+ghanaculture.tk, 1
+ghanapremiumconsultant.com, 1
+ghanitechnologies.com, 1
+gharbala.com, 1
+ghayegh.org, 1
+ghazals.tk, 1
+ghazi.im, 1
+ghbtns.com, 1
+ghcci.com, 1
+ghcoaching.mx, 1
+gheestore.in, 0
+ghentcityofmusic.be, 1
+ghentcreativecityofmusic.be, 1
+ghentfilmoffice.be, 1
+ghentholidayland.be, 1
+ghentlichtfestival.be, 1
+ghentlichtfestival.com, 1
+ghentlightfestival.be, 1
+ghentlightfestival.com, 1
+ghentlivinglab.be, 1
+gheorghe-sarcov.ga, 1
+gheorghesarcov.ga, 1
+gheorghesarcov.tk, 1
+ghereben.xyz, 1
+ghettonetflix.de, 1
+ghgkhalsaschool.com, 1
+ghi.gov, 1
+ghil.de, 1
+ghimaging.com, 1
+ghini.com, 1
+ghiro.tk, 1
+ghlinks.com.gh, 1
+ghll.org.uk, 1
+ghllc.com, 1
+ghn.vn, 1
+ghnewslive.com, 1
+ghobcars.com, 1
+ghobot.ai, 1
+ghobusers.com, 1
+ghostarmy.tk, 1
+ghostarrow.com, 1
+ghostbusters.tk, 1
+ghostbustersuk.tk, 1
+ghostcarve.ml, 1
+ghostcir.com, 0
+ghostdesign.tk, 1
+ghostdog.ga, 1
+ghostdragon.tk, 1
+ghostfam.com, 1
+ghostfam.win, 1
+ghostfiregaming.com, 1
+ghostgimbals.com, 1
+ghostinbox.pl, 1
+ghostlight.tk, 1
+ghostmarket.io, 1
+ghostnight.ga, 1
+ghostpi.pro, 1
+ghostpin.ga, 1
+ghostplanet.tk, 1
+ghostrealms.tk, 1
+ghostridersclan.tk, 1
+ghostruler.com, 1
+ghosts-to-you.tk, 1
+ghostsnote.tk, 1
+ghostsquad.tk, 1
+ghostutils.tk, 1
+ghostwritershigh.com, 1
+ghotokbaba.com, 1
+ghou.me, 1
+ghowell.io, 1
+ghpastor.com, 1
+ghprinter.com.br, 1
+ghprinting.net, 1
+ghsix.com.br, 1
+ghwconline.org, 1
+ghyvelde.fr, 1
+gi-plant.shop, 1
+giac.net, 1
+giac.org, 1
+giacomodebidda.com, 1
+giacomopelagatti.it, 1
+giacomosecchi.com, 1
+giakki.eu, 1
+gialai.gov.vn, 1
+gialupa.tk, 1
+giamcanhieuqua.vn, 1
+giancarlomarino.com, 1
+giangma.tk, 1
+giannakis.tk, 1
+gianproperties.com, 1
+giant-panda.com, 1
+giant-tortoise.com, 1
+giantratesers.ga, 1
+giantratesest.ga, 1
+giantrooster.de, 1
+giantroostergames.de, 1
+giantslipandslide.co.uk, 1
+giantsquid.cf, 1
+giantsquid.ga, 1
+giantsquid.gq, 1
+giantsquid.tk, 1
+gianttree.de, 1
+gianturl.net, 1
+giaohangtietkiem.vn, 1
+giardinaggio.milano.it, 1
+giardinaggio.napoli.it, 1
+giardinaggio.roma.it, 1
+giardiniblog.it, 1
+giardiniere.bologna.it, 1
+giardiniere.milano.it, 1
+giardiniere.roma.it, 1
+giardinoperfetto.com, 1
+giatrakos.com, 1
+giaydepvnn.com, 1
+gibberfish.org, 1
+gibbon.tk, 1
+gibbonedu.org, 1
+gibkoesteklo.ml, 1
+gibraltar-jobs.com, 1
+gibraltarwi.gov, 1
+gibranhernandez.tk, 1
+gibsonmemorial.ca, 1
+gibsonsecurity.co.uk, 1
+gicasport.it, 1
+gichigamigames.com, 1
+gickelskerb.de, 1
+gidapgs.cf, 1
+giddsmedia.com, 1
+giddyaunt.net, 1
+gideonbot.com, 1
+gidive.com, 1
+gidro-dom.ru, 1
+gidro.tech, 1
+gidroponica.ml, 1
+giebel.it, 1
+giedrioukis.lt, 1
+gielectrical.com.au, 0
+giemsa.com, 1
+gierds.de, 1
+gieschke.de, 1
+gietvloergarant.nl, 1
+gif-avatars.com, 1
+gif.tips, 0
+giff.com.mx, 1
+giffard.com, 1
+gifhelittlestars.co.uk, 1
+giford.com, 1
+gifsonline.tk, 1
+gift4ever.tk, 1
+giftbaskets.ru, 1
+giftbasketsoverseas.com, 1
+giftbit.com, 1
+giftcard.net, 1
+giftedconsortium.com, 1
+giftedmodels.com, 1
+giftex.cz, 1
+giftexperts.com, 1
+giftfavorite.tk, 1
+giftfocus.com, 1
+giftlist.guru, 1
+giftnix.com, 1
+giftofsquare.net, 1
+giftofsquare.org, 1
+giftpoint.io, 1
+gifts.best, 1
+giftscop.com, 1
+giftsenda.com, 1
+giftsforaspecialoccasion.com, 1
+giftsholidays.tk, 1
+giftsofsquare.com, 1
+giftsofsquare.net, 1
+giftsofsquare.org, 1
+gifudodo.com, 1
+gifuxuk.tk, 1
+gifzilla.net, 0
+gig.com, 1
+gig.ru, 0
+gig40.com, 1
+giga.nl, 1
+gigabitz.pw, 1
+gigachad.net, 1
+gigacloud.org, 1
+gigacloud.ua, 0
+gigacomputer.cz, 1
+gigagroup.cf, 1
+gigahertz.de, 1
+gigalink.me, 1
+giganet.tk, 1
+gigantar.com, 1
+gigantino.net, 1
+gigantism.com, 1
+gigantron.com, 1
+gigaone.pl, 1
+gigarange.org, 1
+gigarange.xyz, 1
+gigasoft.tk, 1
+gigatags.tk, 1
+gigatop.ga, 1
+gigatron.tk, 1
+gigawa.lt, 1
+gigawattz.com, 1
+gigaway.com, 1
+giggear.com.au, 1
+gigharborwa.gov, 1
+gigindia.in, 1
+gigis-pizzeria.de, 1
+gigiscloud.servebeer.com, 1
+giglink.club, 1
+gigloog.tk, 1
+gigpam.com, 1
+gigs.com, 1
+gigseekr.com, 1
+gijonshiro.tk, 1
+gikovatelojavirtual.com.br, 1
+gil.gg, 1
+gil.re, 1
+gilandrad.tk, 1
+gilangcp.com, 1
+gilbert-schmalriede.de, 1
+gilbertosimoni.tk, 1
+gilbertsvilleny.gov, 1
+gildenhost.de, 1
+gileadpac.com, 1
+gilescountytn.gov, 1
+gilewis.net, 1
+gilfed.com, 1
+gilion.tk, 1
+gill-cote-bistro.fr, 1
+gill-swerts.tk, 1
+gill-temptation.tk, 1
+gillesmorelle.com, 0
+gillespetrotey.com, 1
+gillettepromociones.com, 1
+gillfamily.de, 1
+gillmanandsoame.co.uk, 1
+gillsco.com, 1
+gilly.berlin, 0
+gilmanwi.gov, 1
+gilmasocial.ga, 1
+gilme.net, 1
+gilnet.be, 0
+gilpincountydronepilot.com, 1
+gilsanchez2009.com, 1
+gilsum-nh.gov, 1
+giltedge.travel, 1
+gim-app.tk, 1
+gim.ac.in, 1
+gimahhot.com, 1
+gimbal.ca, 1
+gimme.money, 1
+gimmickbots.com, 1
+gimmickmedia.de, 1
+gimnazija-skofjaloka.si, 1
+gimnazija.tk, 1
+gimnazijapg.me, 1
+gimnaziya.ga, 1
+gimnaziya.tk, 1
+gimnazjum-miloslaw.tk, 1
+gimpware.tk, 1
+gina-architektur.design, 1
+ginabaum.com, 1
+ginatony.com, 1
+ginecomastiatratamento.com.br, 1
+ginen.xyz, 0
+ginepolice.gov, 1
+ginev.tk, 1
+gingersutton.com, 1
+gingerxumd.com, 1
+ginionusedcars.be, 0
+ginitaly.it, 1
+ginnegappen.nl, 1
+ginniemae.gov, 1
+ginnungagap.space, 1
+ginosfiredup.ca, 1
+gintaresdental.lt, 1
+gintian.com, 1
+gintonic.tk, 1
+ginx.tv, 1
+ginza-viola.com, 1
+ginzago.ru, 1
+ginzaj.com, 1
+gio-abbigliamento.it, 1
+giochistars.it, 1
+giochistem.it, 1
+giocolive.com, 1
+gioielleriamolena.com, 1
+gion-ent.co.jp, 1
+gion.io, 1
+giopiu.it, 1
+giordan.com, 1
+giordano.com, 1
+giordanomultiservice.it, 1
+giorgia.tk, 1
+giorgiosite.tk, 1
+giornalisportivi.online, 1
+giovannarossi.tk, 1
+giovannibattistadagnino.eu, 1
+giovannisantini.tk, 1
+giovinco.tk, 1
+gip-carif-idf.net, 1
+gip-carif-idf.org, 1
+gipelpsb.fr, 1
+giper.ga, 1
+giperfast.tk, 1
+gipernn.ru, 1
+gipl.tk, 1
+gipsic.com, 1
+gipsplitka.ru, 1
+gipuzkoabasket.tk, 1
+giradiscos.com, 1
+giraffeduck.com, 1
+giraffenland.de, 1
+giraffes.org, 1
+gircimediterranee.fr, 1
+giresunhaberleri.tk, 1
+giri.co, 1
+girisbetturka.com, 1
+girishkumar.tk, 1
+girl.click, 1
+girl.science, 1
+girlan.net, 1
+girlandhermoon.com, 0
+girlbaito.jp, 1
+girlboss.ceo, 1
+girlcock.ceo, 1
+girldevelopit.com, 1
+girldick.gay, 1
+girlfriend.gq, 1
+girlgrind.com, 1
+girliciousbeauty.com, 1
+girlie.tk, 1
+girlingsdiamond.co.uk, 1
+girlinthetiara.com, 1
+girlisme.com, 1
+girljacket.com, 1
+girls-heaven.com, 1
+girlsaloudcity.tk, 1
+girlsbar-navi.jp, 1
+girlschandigarh.in, 1
+girlsfucked.com, 1
+girlsgenerationgoods.com, 1
+girlsgetpied.com, 1
+girlsglimpse.cf, 1
+girlsglimpse.ga, 1
+girlsglimpse.gq, 1
+girlshealth.gov, 1
+girlshere.tk, 1
+girlsnet.work, 1
+girlswhonerd.com, 1
+girlunfinished.com, 1
+girlz.jp, 1
+gironde-tourisme.fr, 1
+gironiforum.fr, 1
+giroskuter.ga, 1
+girsedesign.de, 1
+girvas.ru, 1
+gis.ee, 1
+gisa.gv.at, 1
+gisac.org, 1
+gisauto.ru, 1
+gisbornecabs.com.au, 1
+gisellapiano.tk, 1
+gisher.news, 1
+gisher.org, 1
+gisher.video, 1
+gishiko.net, 1
+gishpo.tk, 1
+gisma.tk, 1
+gistr.io, 1
+giswi.com, 1
+git-stuff.tk, 1
+git-top-repos.net, 1
+git.ac.cn, 1
+git.co, 1
+git.market, 1
+git.nl.eu.org, 1
+git.org.il, 0
+git.sb, 1
+git.tt, 0
+gitarist.tk, 1
+gitarren-akademie-online.de, 1
+gitch.xyz, 1
+gite-ambleteuse.tk, 1
+gite-bouvines.fr, 1
+gite-le-pascaud.fr, 1
+gitecolombedesbois.com, 1
+gitelermitage.be, 1
+gites-melaual.fr, 1
+gitgaattreaty.ca, 1
+github.blog, 1
+github.com, 1
+github.partners, 1
+githubapp.com, 1
+githubengineering.com, 1
+githubindia.com, 1
+githubnext.com, 1
+giti.com.sg, 1
+gitlab-apps.com, 1
+gitns.com, 1
+gitns.dev, 1
+gitns.io, 1
+gitns.net, 1
+gitns.nl, 1
+gitns.org, 1
+gitstuff.tk, 1
+gittigidiyor.com, 1
+gittr.ch, 1
+gitvibe.com, 1
+giuem.com, 1
+giuliabonati.com, 1
+giuliano.design, 1
+giuliawylde.com, 1
+giulliamodas.com.br, 1
+giunchi.net, 1
+giuristifriburgo.ch, 1
+giuseppebuccheri.it, 1
+giuseppemacario.it, 1
+giuseppemacario.men, 1
+giusyesabatino.it, 1
+give.net, 1
+give2charity.co, 1
+give2charityapp.com, 1
+giveasquare.com, 1
+giveasquare.net, 1
+giveasquare.org, 1
+givecfc.org, 1
+givelab.com, 1
+givemeaverse.com, 1
+givemebeer.tk, 1
+givemeyour.cc, 1
+givemylife.cf, 1
+givemylife.ga, 1
+givemylife.gq, 1
+givemylife.ml, 1
+given2.blog, 1
+given2.com, 1
+given2.me, 1
+given2.us, 1
+given4.it, 1
+givepenny.com, 1
+givery.cz, 1
+givery.sk, 1
+givesunlight.com, 1
+giveuselife.org, 1
+giving.com, 1
+givingnexus.org, 0
+givingpledge.org, 1
+givingtools.com, 1
+givip.eu, 1
+gix.net.pl, 1
+gixtools.co.uk, 1
+gixtools.com, 1
+gixtools.net, 1
+gixtools.uk, 1
+gizemlibilgi.com, 1
+gizitalk.com, 1
+gizlicekim.tk, 1
+gizmo.ovh, 1
+gizmocrazed.com, 1
+gizmodo.com, 1
+gizmodo.es, 1
+gizmodo.in, 1
+gizmogrind.com, 1
+gj-bochum.de, 1
+gj-cham.tk, 1
+gj6.top, 0
+gjan.in, 1
+gjan.info, 1
+gjan.io, 1
+gjanaconstruction.com, 1
+gjcampbell.co.uk, 1
+gjengset.com, 1
+gjnoonan.co.uk, 1
+gjung.com, 1
+gk-it.ru, 1
+gkb2.ru, 1
+gkbm.com, 1
+gkconsultancy.tk, 1
+gkdforum.eu.org, 1
+gkdk.se, 1
+gkdworld.com, 1
+gkdworld.eu.org, 1
+gkepm.com, 1
+gkhull.com, 1
+gklparis.fr, 1
+gkmusicindia.tk, 1
+gknews.tk, 1
+gkoenig-innenausbau.de, 1
+gkq.co.in, 1
+gkralik.eu, 1
+gkrru4v.xyz, 1
+gkstyle.net, 0
+gku-winterling.de, 1
+gkv-gorinchem.nl, 1
+gkvharidwar.org, 1
+gkvsc.de, 1
+gkzmengineering.com, 1
+gl-operacion.com.mx, 1
+gl.search.yahoo.com, 0
+glabiatoren-kst.de, 1
+glacialexperience.is, 1
+glaciercountymt.gov, 1
+glacierviewfire.gov, 1
+glad.com, 1
+gladala.tk, 1
+gladiac.duckdns.org, 1
+gladiator.tf, 1
+gladiators-clan.tk, 1
+gladiatorshop.nl, 1
+gladiium.store, 1
+gladosdan.com, 1
+gladstonemi.gov, 1
+gladwellentertainments.co.uk, 1
+gladwork.tk, 1
+gladysstrickland.com, 1
+glahcks.com, 1
+glamadelaide.com.au, 1
+glamcambabes.com, 1
+glamdaldyreklinikk.no, 1
+glami.com.tr, 1
+glaminati.com, 1
+glamlivesex.com, 1
+glamorousgoat.nl, 1
+glamorously-built.tk, 1
+glamour4you.de, 1
+glamourandgains.com, 1
+glamourdaze.com, 1
+glamourhair.tk, 1
+glamourmagazine.co.uk, 1
+glamourtime.tk, 1
+glamur-video.com, 1
+glance.gr, 1
+glanz-dienste.de, 1
+glanzodergarnicht.com, 1
+glas-systeme.eu, 1
+glasdon.com, 1
+glase.shop, 1
+glaserceramics.com, 1
+glasfaser-im-hanseviertel.de, 1
+glasgestaltung.biz, 1
+glasgowfilm.org, 0
+glasgowlife.org.uk, 1
+glashandelverbo.nl, 1
+glashandelwolf.nl, 0
+glasiko.tk, 1
+glass-blaster.com, 1
+glass.google.com, 1
+glass.photo, 1
+glasschmuck-millefiori.de, 1
+glassellparkschool.org, 1
+glassemployees.com, 1
+glassfoxowo.com, 1
+glasshouseretreat.co.uk, 1
+glassicasino.in, 1
+glasslikes.com, 1
+glassnebula.com, 1
+glassner.org, 1
+glassochchoklad.se, 1
+glassofdirt.tk, 1
+glassofgrape.com, 1
+glassportpapd.gov, 1
+glassrainbowtrust.org.je, 1
+glassrepairsperth.com.au, 1
+glassrom.org, 1
+glassrom.pw, 1
+glasssculpture.org, 1
+glasstechnics.be, 1
+glasswall.com, 1
+glassweb.com.mx, 1
+glassworld.tk, 1
+glastenbury.com, 1
+glaston.com, 1
+glaswerk-mellenbach.de, 1
+glaswolsite.tk, 1
+glatfelter.com, 1
+glauca.digital, 1
+glauca.space, 1
+glaucoma.uk, 1
+glavfundament.ru, 0
+glavny-yurist.ru, 1
+glavred.info, 0
+glazedmag.fr, 1
+glazenschuifwandenoutlet.nl, 1
+glazkova.ga, 1
+glbaumaulwurf.de, 1
+glbins.com, 1
+glbth.com, 1
+glcastlekings.co.uk, 1
+gld.re, 1
+gle, 1
+gleam.tk, 1
+gleanview.com, 1
+glebov.tk, 1
+gleeband.com, 1
+gleentech.com, 1
+gleesongs.tk, 1
+gleich-aluminium-shop.de, 1
+gleisner.io, 1
+gleisner.legal, 1
+gleki.com, 1
+glemtpassord.dep.no, 1
+glenatlasmd.com, 1
+glenavy.tk, 1
+glenbeulahwi.gov, 1
+glencambria.com, 1
+glencarbonil.gov, 1
+glencoveny.gov, 1
+glendalewv.gov, 1
+glendarraghbouncycastles.co.uk, 1
+glenderan.com, 1
+glendivemt.gov, 1
+glenhuntlyapartments.com.au, 1
+glenmarieproperties.com, 0
+glenmarkpharma.sk, 1
+glenmorewisconsin.gov, 1
+glennfitzpatrick.com, 1
+glennhamers.nl, 1
+glennvillega.gov, 1
+glennwilson.co.uk, 1
+glenshere.com, 1
+glenwhitememorial.com, 1
+glenwoodpark.com, 1
+glesbymarks.com, 1
+glevolution.com, 1
+glexia.com, 1
+glgclan.tk, 1
+gli.sh, 1
+gliagrumi.it, 1
+glibmarket.in, 1
+glickman-consulting.com, 1
+glidestep.com, 1
+glidingshop.cz, 1
+glidingshop.de, 1
+glidingshop.eu, 1
+glieroidelcalcio.com, 1
+gliihc.net, 1
+glimhome.com, 1
+glimpses.tk, 1
+glini.net, 1
+glit.sh, 1
+glitchcomic.tk, 1
+glitched.online, 1
+glitery.com, 1
+glitter-graphics.com, 1
+glitterblast.uk, 1
+glitteringmariah.tk, 1
+glittersjabloon.nl, 1
+glitzerstuecke.de, 1
+glitzybingo.co.uk, 1
+glixee.com, 1
+glk.academy, 1
+glloq.org, 0
+glm.io, 1
+glnpo.gov, 1
+global-adult-webcams.com, 1
+global-business-solutions.cf, 1
+global-carbonsolutions.com, 1
+global-content.net, 1
+global-electronic-music.tk, 1
+global-factory.co.jp, 1
+global-fh.com, 1
+global-free-classified-ads.com, 1
+global-monitoring.com, 1
+global-motherboard.com, 1
+global-qanoon.gq, 1
+global-scg.org, 1
+global-share.org, 1
+global-topsecret.tk, 1
+global-trance.tk, 1
+global-village.koeln, 1
+global-wire.eu, 1
+global-wire.fi, 1
+global-wire.net, 1
+global.my.id, 1
+global1.gg, 1
+globalacademicgroup.com, 1
+globalaccountservice.com, 1
+globalamend.com, 1
+globalawakening.com, 1
+globalbix.com, 1
+globalbridge-japan.com, 1
+globalbroadcastsolutions.com, 1
+globalbusiness.tk, 1
+globalbusinessinfoaccomodation.tk, 1
+globalbusinessinfoasia.tk, 1
+globalbusinessinfoera.tk, 1
+globalbusinessinfographic.tk, 1
+globalbusinessinfoinsurance.tk, 1
+globalbusinessinfonews.tk, 1
+globalbusinessinfouk.tk, 1
+globalbusinessinfousa.tk, 1
+globalbusinessnews.tk, 1
+globalbusinessrisk.com, 1
+globalcancer.tk, 1
+globalchemlab.ga, 1
+globalconsultant.tk, 1
+globalconsulting.ml, 1
+globaldataline.ml, 1
+globaldefensa.tk, 1
+globaldestruction.tk, 1
+globaled.org.uk, 1
+globalenergyinterconnection.com, 0
+globalentertainment.ga, 1
+globalenv.online, 1
+globalepsilon.com, 1
+globalflavorjourney.com, 1
+globalformat.de, 1
+globalfuhui.com, 1
+globalgate.cc, 1
+globalgivingtime.com, 1
+globalgovernancewatch.org, 1
+globalgrowth.group, 1
+globalhealth.gov, 1
+globalhealthstrategiesnetwork.com, 1
+globalhealthstrategiesnetwork.info, 1
+globalhealthstrategiesnetwork.net, 1
+globalhealthstrategiesnetwork.org, 1
+globalhomeautomation.ca, 1
+globalhomicideers.ga, 1
+globalhorses.de, 1
+globalimmigrationvisa.com, 1
+globalink.tk, 1
+globalipaction.ch, 1
+globalisierung-fakten.de, 1
+globalitac.com, 1
+globalizationpedia.com, 1
+globalkwizz.tk, 1
+globalmarketrade.com, 1
+globalmasonryers.ga, 1
+globalmasonryest.ga, 1
+globalmaster.com.mx, 1
+globalmed.tk, 1
+globalmethane.org, 1
+globalmetropolis.tk, 1
+globalmobilityjourneys.com, 1
+globalnewsdaily.cf, 1
+globalnewsdaily.tk, 1
+globalnewsnetwork.tk, 1
+globalnewssystems.tk, 1
+globalno.me, 1
+globalnomadvintage.com, 1
+globalobuv.tk, 1
+globalopsgame.tk, 1
+globalpandemictools.com, 1
+globalpediatriciansest.ga, 1
+globalperspectivescanada.com, 1
+globalpolarbear.com, 1
+globalproduction.ga, 1
+globalprojetores.com.br, 1
+globalradio.tk, 1
+globalreachgroup.com, 1
+globalroad.ma, 1
+globalrussia.tk, 1
+globalsecuritydatabase.com, 1
+globalsecuritydatabase.io, 1
+globalsecuritydatabase.net, 1
+globalsecuritydatabase.org, 1
+globalsens.com, 1
+globalsensationsers.ga, 1
+globalsensationsest.ga, 1
+globalseo.ga, 1
+globalseo.ml, 1
+globalseostrategy.com, 1
+globalshippinglimited.ga, 1
+globalsign.com.ru, 1
+globalspeed.tk, 1
+globalstar.com, 1
+globalstrike.tk, 1
+globalthermoforming.com, 1
+globaltiendat.com, 1
+globaltravel.cf, 1
+globaltravel.ga, 1
+globaltravel.tk, 1
+globaltrucking.uk, 1
+globalventil.com, 0
+globalvision.co, 1
+globalvisions-events.ch, 1
+globalvisions-events.com, 1
+globalvoice.ga, 1
+globalwarmingis.science, 1
+globalwidemedia.com, 1
+globalwire.fi, 1
+globalwitness.org, 0
+globalzone.tk, 1
+globaz.ch, 1
+globe-brasil.tk, 1
+globe.gov, 1
+globedx.exchange, 1
+globegazette.com, 1
+globeinform.com, 1
+globelink-group.com, 1
+globemilk.nl, 1
+globemusic.es, 1
+globeprotocol.be, 1
+globeprotocol.com, 1
+globeprotocol.de, 1
+globeprotocol.es, 1
+globeprotocol.eu, 1
+globeprotocol.fr, 1
+globeprotocol.io, 1
+globeprotocol.it, 1
+globeprotocol.nl, 1
+globeprotocolecosystem.nl, 1
+globereservationsest.ga, 1
+globetalent.nl, 1
+globetrotting.com.au, 1
+globevision.ca, 1
+globologic.com, 1
+globotech.be, 1
+globotur.de, 1
+globowood.ml, 1
+globuli-info.de, 1
+globus-plus.ml, 1
+globustrust.tk, 1
+glocesterri.gov, 1
+glocken-apotheke.info, 1
+glockenturm.digital, 1
+gloeckle-gruppe.de, 1
+glofox.com, 1
+glonee.live, 1
+gloning.name, 1
+glont.net, 1
+gloomy.tk, 1
+glorenza.org, 1
+gloria-home.co.uk, 1
+gloria-mundi.eu, 1
+gloria.tv, 1
+gloriousbride.com, 1
+gloriousfoods.co.uk, 1
+glorycambodia.com, 1
+glorycamrealty.com, 1
+gloryhealthcarellc.com, 1
+gloryholefucking.com, 1
+glorymark.com, 1
+gloryofloveband.tk, 1
+gloryofmusic.tk, 1
+gloryrise.tk, 1
+glorystar.ml, 1
+glosiko.cn, 1
+glosiko.com.cn, 1
+glosiko.net, 1
+glosiko.org, 1
+glossar.tk, 1
+glossowiki.ml, 1
+glossyfied.com, 1
+glotechrepairs.co.uk, 1
+glotte-trotters.fr, 1
+glotter.com, 1
+gloucesterva.gov, 1
+glovementor.com, 1
+glowfic.com, 1
+glowmedspaencino.com, 1
+glowskins.my.id, 1
+glpreparation.com, 1
+glsauto.com, 1
+glucometros.net, 1
+glue.tk, 1
+gluechapter.ga, 1
+glueck-im-norden.de, 1
+gluecksgriff-taschen.de, 1
+glueckskindter.de, 1
+gluecksmomente.boutique, 1
+gluglu.jp, 1
+gluit.de, 1
+glumac.com, 1
+glutenfreefoods.net, 1
+glutenfreehomemaker.com, 1
+glutenfreelife.co.nz, 1
+glutenfreeonashoestring.com, 0
+glutenfreevr.com, 1
+gluto.tk, 1
+gluware.com, 1
+gluwee.com, 1
+glxnet.com, 1
+glyam.nl, 1
+glyburidemetformin.tk, 1
+glykofridis.nl, 1
+glyph.ws, 1
+glyphosat.com, 1
+glyptodon.com, 1
+glz.ca, 1
+gm-assicurazioni.it, 1
+gm-net.jp, 1
+gm.search.yahoo.com, 0
+gm207.com, 0
+gm5.com.br, 1
+gmaetk.com, 1
+gmail, 1
+gmail.com, 0
+gman.bot, 1
+gmanlabs.com, 1
+gmanukyan.com, 1
+gmao.com, 1
+gmasil.de, 1
+gmavsg.org, 1
+gmbh-kiekin.de, 1
+gmc-mca.org, 1
+gmc-roma.it, 1
+gmc.uy, 1
+gmcbm.net, 1
+gmcd.co, 1
+gmdu.net, 1
+gmfumaria.com, 1
+gmgard.com, 1
+gmgcyouth.org, 1
+gmhdrivingschool.co.uk, 1
+gmhostingservices.co.uk, 1
+gmimarkets.com, 1
+gmind.ovh, 1
+gmit.com.ar, 1
+gmkdetailing.cz, 1
+gml4d2.ml, 1
+gmo-cybersecurity.com, 1
+gmod.de, 1
+gmopconsortium.org, 1
+gmpark.dk, 1
+gmpartsdb.com, 1
+gmpartsgiant.com, 1
+gmpartsprime.com, 1
+gms-marine.com, 1
+gmslaw.com, 1
+gmslparking.co.uk, 1
+gmsociety.tk, 1
+gmsurveyingms.com, 1
+gmta.gov, 1
+gmta.nl, 1
+gmtelectrical.com.au, 1
+gmtm.com, 1
+gmtplus.co.za, 1
+gmuh.fr, 0
+gmundner.africa, 1
+gmw-hannover.de, 1
+gmw-ingenieurbuero.de, 1
+gmx.at, 1
+gmx.ch, 1
+gmx.co.uk, 1
+gmx.com, 1
+gmx.de, 1
+gmx.es, 1
+gmx.fr, 1
+gmx.net, 1
+gmz.cx, 1
+gn00.com, 1
+gnagismen.tk, 1
+gnaptracker.tk, 1
+gnawa-diffusion.tk, 1
+gnax.jp, 0
+gncbilgi.com, 1
+gnetwork.eu, 1
+gnezdo.tk, 1
+gnfb.be, 1
+gnfrazier.me, 1
+gnhub.org, 1
+gnida.tk, 1
+gnihm.ac.in, 1
+gnilebein.de, 1
+gnk.io, 1
+gnmlive.com, 1
+gnom.me, 1
+gnomania.ml, 1
+gnomen.tk, 1
+gnomon-transport.com.ng, 1
+gnrinfo.tk, 1
+gns.gov.pt, 1
+gnu.style, 1
+gnuand.me, 1
+gnucashtoqif.us, 1
+gnuher.de, 1
+gnulinux.gq, 1
+gnulinuxforum.tk, 1
+gnupi.tk, 1
+gnuplus.me, 1
+gnush.cf, 1
+gnush.ga, 1
+gnush.gq, 1
+gnusocial.jp, 1
+gnuworldorder.ml, 1
+gnylf.com, 1
+gnzsnz.com, 1
+go-away.xyz, 1
+go-cqhttp.org, 1
+go-dove.com, 1
+go-down.tk, 1
+go-embedded.de, 1
+go-go.link, 1
+go-hijra.com, 1
+go-kuwait.tk, 1
+go-life.com.tw, 1
+go-mail.me, 1
+go-propiedades.cl, 1
+go-site.co.uk, 1
+go-sprout.de, 1
+go-srx.tk, 1
+go-zh.org, 1
+go.exchange, 1
+go.microsoft.com, 1
+go.ne, 1
+go2archive.nl, 1
+go2biz.com, 1
+go2mob.tk, 1
+go2sh.de, 1
+go2store.com, 1
+go2ubl.nl, 1
+go4games.ro, 1
+go4golfreizen.nl, 1
+go4it.ro, 1
+go4rest.de, 1
+go6.si, 1
+go6lab.si, 0
+go889w.com, 1
+goabase.com, 1
+goabase.net, 1
+goaddress.co.ke, 1
+goaheadireland.ie, 1
+goalac.org, 1
+goalbookapp.com, 1
+goalgrass.com, 1
+goalie1998.duckdns.org, 1
+goalup.com.br, 1
+goanalyse.co.uk, 1
+goapunks.net, 0
+goarnlms.org, 1
+goatbot.xyz, 1
+goathub.io, 0
+goatlord.tk, 1
+goatstore.ca, 1
+goavio.rest, 1
+gobarrelroll.com, 1
+gobebra.com, 1
+gobeline.com, 1
+gobetweenfilms.com, 1
+gobi.tk, 1
+gobiernousa.gov, 1
+goblackwood.co.uk, 1
+goblintears.com, 1
+gobouncy.co.uk, 1
+gobouncy.com, 1
+gobugfree.com, 1
+gobytedesign.uk, 1
+gocardless.com, 1
+gocareserv.com, 1
+gocct.com, 1
+gociicii.com, 1
+gockelsee.de, 1
+gockhuatsuky.tk, 1
+goclark.at, 1
+gocleanandsafe.nz, 1
+goclinic.com.br, 1
+goclix.ml, 1
+goconow.com, 1
+goconstruct.org, 1
+gocornwallbus.co.uk, 1
+gocpa.space, 1
+gocphongthuy.net, 1
+god-clan.hu, 1
+godalivetpalandet.tk, 1
+godall.tk, 1
+godan.tech, 1
+godanriver.com, 1
+godark.uk, 1
+godating.tk, 1
+godattributes.com, 1
+godaxen.tv, 1
+godblessus.com, 1
+godbo9.com, 0
+godclan.hu, 1
+goddamnwinnebago.com, 1
+goddess.name, 1
+goddesslena.com, 1
+godesigner.ru, 1
+godestination-morocco.com, 1
+godfilm.tk, 1
+godiscovers.com, 1
+godisgreat.africa, 1
+godish.com, 1
+godles.pl, 1
+godloveme.com, 1
+godmusicapp.com, 1
+godns.ru, 1
+godofredo.ninja, 1
+godoter.cn, 1
+godoza.tk, 1
+godrealms.com, 1
+godrive.ga, 1
+godsofhell.com, 1
+godsofhell.de, 1
+godsowncountry.tk, 1
+godsrollercoaster.co.uk, 1
+godstoghosts.com, 1
+godsunchained.com, 1
+godswila.be, 1
+godswill.tk, 1
+godwithusalinaitwefoundation-ugandalimited.com, 1
+godyo.com, 1
+godzillaencastellano.tk, 1
+goecart.net, 1
+goecomp.com, 1
+goeddesoundandlight.com, 1
+goedeke.ml, 1
+goedekers.com, 1
+goedekortingscodes.be, 1
+goedekortingscodes.nl, 1
+goedkoopparkeren.nl, 1
+goedkoopstecartridges.nl, 1
+goedkope-bestelautoverzekeringen.nl, 1
+goedkope-scooterverzekeringen.nl, 1
+goedkopecartridgeskopen.nl, 1
+goedkopeonesies.nl, 1
+goedkopetaxiservice.nl, 1
+goedkopetonerkopen.nl, 1
+goehler-baumpflege.de, 1
+goeikan.life, 1
+goenea.com, 1
+goenova.com, 1
+goerdeler-alumni-club.de, 1
+goergetown.tk, 1
+goerlitz-zgorzelec.org, 1
+goerres2014.de, 1
+goetec.ac.uk, 1
+goetemp.de, 1
+goetheschule-giessen.de, 1
+goetic.space, 1
+goetteesbarbershop.com, 1
+goettinger-katzenschutz.de, 1
+goetzinger-web.de, 1
+gofabcnc.com, 1
+goffrie.com, 1
+gofigure.fr, 0
+gofile.io, 1
+gofile.link, 1
+goflix.cf, 1
+goflo.net, 1
+gofobo.com, 1
+gofoiayourself.org, 1
+gofoodieonline.com, 1
+gofoodservice.com, 1
+goforcex.top, 0
+gofriends.cf, 1
+gofront.com, 1
+gofundhourly.tk, 1
+gofundme.com, 1
+goge.ml, 1
+gogebic.gov, 1
+gogeeks.com.au, 1
+gogem.in, 1
+gogetssl.com, 0
+gogle-analytics-srv2456.com, 1
+gogle-analytics.com, 1
+gogleapis.com, 1
+gogo.mn, 1
+gogocarto.fr, 1
+gogocharters.com, 1
+gogogirl.vip, 1
+gogolino.tk, 1
+gogomail.ga, 1
+gogonano.com, 1
+gograbit.com, 1
+gogracego.com, 0
+gogreece.dk, 1
+gogroopie.com, 1
+gogs.ca, 1
+gogsat.com, 1
+gogu.ma, 1
+goguarded.com, 1
+gohanrecords.tk, 1
+gohelixit.com, 1
+gohhaksu.sg, 1
+gohon.org, 1
+gohost.kz, 1
+gohvac.pro, 1
+gohyer.com, 1
+going-dutch.tk, 1
+going.com, 1
+goingawesomeplaces.com, 1
+goinggreenshow.gq, 1
+goingreen.com.au, 1
+goiymua.com, 1
+goizalde.tk, 1
+gojoebean.com, 1
+gokazakhstan.com, 1
+gokgids.nl, 1
+gokhankesici.com, 1
+gokmenguresci.com, 1
+gokoururi.com, 1
+goksu.in, 1
+goktoday.com, 1
+gokturkfindik.com, 1
+gokyrgyzstan.com, 1
+golan.ml, 1
+golang.org, 1
+golaw.ua, 1
+golayamadam.tk, 1
+gold-bird.tk, 1
+gold-diamondltd.tk, 1
+gold-fm.ml, 1
+gold9999.com, 1
+goldankauf1875.at, 1
+goldband.tk, 1
+goldbar.com.hk, 1
+goldbio.com, 1
+goldbug.ga, 1
+goldcard.cz, 1
+goldchip.com, 1
+goldclubcasino.com, 1
+goldcoast-plumbing.com.au, 1
+goldcoastasian.com, 1
+goldcoastit.com.au, 1
+goldcoastphotographycourses.com, 1
+goldcoastplumbingcompany.com.au, 1
+goldcreek.tk, 1
+golddeer.com, 1
+golden-beef.fr, 1
+golden-kamuy.com, 1
+golden-sea.tk, 1
+goldenage.tk, 1
+goldenagefoundation.tk, 1
+goldenbadger.de, 0
+goldenberg.tk, 1
+goldencircle.ga, 1
+goldenclub.ga, 1
+goldencoil.pl, 1
+goldendawnapersonalaffair.com, 1
+goldendogs.tk, 1
+goldeneggs.club, 1
+goldeneyesantafe.com, 1
+goldenfawz.com, 1
+goldenglow.fans, 1
+goldenhillsoftware.com, 1
+goldenhost.ca, 1
+goldenhouse.ga, 1
+goldeninvestmentbarcelona.com, 1
+goldenjoy.com, 1
+goldenkeys.io, 1
+goldenmunchbakeshop.com, 1
+goldenoaksgolfclub.com, 1
+goldenpi.com, 1
+goldenplate.com.sg, 1
+goldenravengifts.com, 1
+goldenretrieverspets.com, 1
+goldenruleemail.com, 1
+goldenshiny.com, 1
+goldensunmfg.com, 1
+goldentech.ca, 1
+goldentechelectronics.net, 1
+goldentip.cf, 1
+goldentriangletourindia.com, 1
+goldenwolrd.tk, 1
+goldenworldec.com, 1
+goldenyacca.co.uk, 1
+goldenyacca.net, 1
+goldenyacca.org, 1
+goldequipment.com.br, 1
+goldex.tk, 1
+goldfavela.com, 1
+goldfingermusic.tk, 1
+goldfm1031.tk, 1
+goldfmromania.ro, 1
+goldhabour.com, 1
+goldhill.ml, 1
+goldkid.com, 1
+goldloeckchen159.net, 1
+goldmanpropertygroup.com, 1
+goldminer.ga, 1
+goldpreisfinder.at, 1
+goldround.com, 1
+goldrushenergy.com, 1
+goldschmiede-suessenguth.de, 1
+goldsilver.org.ua, 1
+goldsmithwest.com, 1
+goldspace.tk, 1
+goldstandardtrust.tk, 1
+goldstartransport.co.uk, 1
+goldstein.rs, 1
+goldstein.tel, 1
+goldtits.com, 1
+goldwater.gov, 1
+goldwaterfoundation.gov, 1
+goldwaterscholarship.gov, 1
+goldwish.com, 1
+goldysoptic.bg, 1
+goldytechspecialists.com, 1
+goldzilla.eu, 1
+gole.ms, 1
+golearn.gov, 1
+golestanehali.ir, 1
+golezi.com, 1
+golf-alto-adige.com, 1
+golf-supplies.tk, 1
+golfandfashion.dk, 1
+golfbeautyers.ga, 1
+golfbeautyest.ga, 1
+golfbettingsystem.co.uk, 1
+golfbroadcasterers.ga, 1
+golfbroadcasterest.ga, 1
+golfburn.com, 1
+golfbyzipers.ga, 1
+golfbyzipest.ga, 1
+golfcabrio.de, 1
+golfcarttips.com, 1
+golfcleanerers.ga, 1
+golfcleanerest.ga, 1
+golfcleanersers.ga, 1
+golfcleanersest.ga, 1
+golfdeviceers.ga, 1
+golfedumorbihan56.com, 1
+golfhausmallorca.com, 1
+golfinbritishcolumbia.com, 1
+golfinclusiveers.ga, 1
+golfingbeters.ga, 1
+golfingbetest.ga, 1
+golfinginjuriesers.ga, 1
+golfkulur.is, 1
+golfmagic.com, 1
+golfplus.fr, 1
+golfrange-ffm.de, 1
+golfscape.com, 1
+golfshirtsjohannesburg.co.za, 1
+golfshirtwholesalejohannesburg.co.za, 1
+golftournamentgifts.tk, 1
+goliamo-vranovo.com, 1
+golikes.ml, 1
+golink.co, 0
+golnet.hu, 1
+goloa.fr, 1
+goloaninsurance.tk, 1
+goloborodko.net, 1
+golocksmithhonolulu.com, 1
+golootlo.pk, 1
+golosbots.tk, 1
+golosok.ml, 1
+golosovanye4you.tk, 1
+golser-schuh.at, 1
+golser.info, 1
+gomakemovie.com, 0
+gomarket33.com, 1
+gomasa.net, 1
+gomasy.jp, 1
+gomasy.net, 1
+gomdl.com, 1
+gomega.vn, 1
+gomel.chat, 1
+gomel.city, 1
+gomelagromashplus.by, 1
+gomelchat.com, 1
+gomelphoto.com, 1
+gomer.tk, 1
+gometa.link, 1
+gomeya.com, 1
+gomezhvac.com, 1
+gomezites.tk, 1
+gomicrophone.ml, 1
+gomine.tk, 1
+gomiso.com, 1
+gommista.roma.it, 1
+gomods.link, 1
+gomoon.com, 1
+gomorrabeach.tk, 1
+gomovein.com, 1
+gomtz.gq, 1
+gon.nl, 1
+gon45.com, 1
+gonadotropina.com, 1
+gonalops.gq, 1
+goncalofontoura.tk, 1
+goncalves-admredes.cf, 1
+gonce.io, 1
+goncharov.cf, 1
+goncharov.ml, 1
+goncharov.tk, 1
+gondawa.com, 1
+gondon.tk, 1
+gonebald.tk, 1
+gonenli.com, 1
+gonepal.com, 1
+gonerogue.ml, 1
+gongik.info, 1
+gongjianwei.com, 1
+gongjuhao.com, 1
+gonintendo.com, 1
+gonitro.com, 1
+gonortheast.co.uk, 1
+gonorthwest.co.uk, 1
+gontagro.com.ua, 1
+gonumber.ga, 1
+gonx.dk, 0
+gonz0.com.ar, 1
+gonzalesca.gov, 1
+goo.gl, 1
+goo4it.nl, 1
+gooch.io, 1
+good-cd.ml, 1
+good-course.ga, 1
+good-know.gq, 1
+good-linux.cf, 1
+good-luck3500.ga, 1
+good-wishes-4-u.ga, 1
+gooday.life, 1
+goodbargin.com, 1
+goodbenefit.com, 1
+goodbits.tech, 1
+goodbody.ie, 0
+goodbriar.com, 1
+goodcas.ca, 1
+goodcas.com, 1
+goodchoiceflowers.com, 1
+goodcoat.com, 1
+goodcollection.com, 1
+goodcotton.com, 1
+gooddatingsites.ml, 1
+goodday.finance, 1
+gooddayatwork.co.uk, 1
+gooddomainna.me, 1
+goodearth.com.tw, 1
+goodeditor.com, 1
+goodenglish.ga, 1
+goodenvironment.com, 1
+goodesign.su, 1
+goodface.com, 1
+goodfame.com, 1
+goodfarm.com, 1
+goodfarms.com, 1
+goodfeels.net, 1
+goodfoodrussia.com, 1
+goodfundsgateway.com, 1
+goodfundslending.com, 1
+goodhealthgateway.com, 1
+goodhopemedical.com, 1
+goodhotel.co, 1
+goodhuecountymn.gov, 1
+goodiesnet.ca, 0
+goodiesoft.hu, 0
+goodiespub.fr, 1
+goodingcountyid.gov, 1
+goodjobs.gov, 1
+goodkino.ga, 1
+goodlandks.gov, 1
+goodlink.ml, 1
+goodlosersest.ga, 1
+goodmailing.tk, 1
+goodmanwi.gov, 1
+goodmedia.solutions, 1
+goodmood.co.uk, 1
+goodmood.fr, 1
+goodmoodsocken.de, 1
+goodmorningapril.com, 1
+goodok.eu, 1
+goodopportunity.ga, 1
+goodpeople.tk, 1
+goodproof.com, 1
+goodryb.top, 1
+goodschain.com, 1
+goodseed.nl, 1
+goodsex4all.com.br, 1
+goodsey.com, 1
+goodshepherdmv.com, 1
+goodshuffle.com, 1
+goodsite.ga, 1
+goodspeaker.tk, 1
+goodsrepublic.com, 1
+goodstorage.com.br, 1
+goodsync.com, 1
+goodteach.com, 1
+goodth.ink, 1
+goodthing2.com, 1
+goodtrader.tk, 1
+goodtrip.kr, 1
+goodvibesblog.com, 1
+goodway.tv, 1
+goodwhois.com, 1
+goodwillbusiness.org, 1
+goodwillindy.org, 1
+goodwillnfp.org, 1
+goodwin43.ru, 0
+goodyearsotn.co.uk, 1
+goodyphotography.com, 1
+goofy.gr, 1
+google, 1
+google-analytics.com, 1
+google-and.tk, 1
+google-lunettes.fr, 1
+google.ax, 1
+google0.ca, 1
+googleadvies.nl, 1
+googleandroid.cz, 1
+googlecom.gq, 1
+googlehits.com, 1
+googlekun.tk, 1
+googlemail.com, 0
+googleplaypartnerportal.com, 1
+googleplex.com, 1
+googlerecetas.com, 1
+googleseo.pw, 1
+googleshortcuts.org, 1
+googlesource.com, 1
+goola.it, 1
+goolnk.com, 1
+goombi.fr, 1
+goondocks.io, 1
+goonersworld.co.uk, 1
+goonfleet.com, 1
+goontu.be, 1
+gooodnews.ga, 1
+goooo.info, 1
+goosecreeksc.gov, 1
+goosementor.com, 1
+goosip.tk, 1
+gootax.pro, 0
+gooty.ru, 1
+gooutdoorskansas.com, 1
+gopass-dev.com, 1
+gopass.health, 1
+gopher.tk, 1
+gophoto.it, 1
+gopigment.com, 1
+gopkg.link, 1
+gopnikman.cf, 1
+gopornovideo.com, 1
+goppold.net, 1
+gopri.tk, 1
+gopro-qa.com, 1
+gopro-staging.com, 1
+gopro.com, 1
+goproallaccess.com, 1
+gopronow.ga, 1
+gopuntaisla.com, 1
+gopwhip.gov, 1
+goquiq.com, 1
+goquiqstatus.com, 1
+gorakhpurclassifieds.tk, 1
+goranrango.ch, 1
+gorazde.tk, 1
+gorbatschow.tk, 1
+gorbilet.com, 1
+gorbov.tk, 1
+gorby.tk, 1
+gorce.com, 1
+gorchakov.org, 1
+gordas.cf, 1
+gordeijnsbouw.nl, 1
+gordianbla.de, 0
+gordillo.legal, 1
+gordion.tk, 1
+gordon-reid.com, 1
+gordonbeeming.com, 1
+gordonbeeming.com.au, 1
+gordonbeeming.xyz, 1
+gordoncountyga.gov, 1
+gordonhamilton.com, 1
+gordonquarter.org.au, 1
+gordontrading.co.nz, 1
+gordvorets.tk, 1
+gordyf.com, 1
+gordyforty.com, 1
+gorebayairport.ca, 1
+gorebayairport.com, 1
+gorenje-ru.ru, 1
+gorepriest.tk, 1
+gorf.club, 1
+gorgeousb.com, 1
+gorgeouslyflawed.com, 1
+gorgeouspizza.co.nz, 1
+gorgias.me, 1
+goriki.tk, 1
+goringdogsitting.co.uk, 1
+gorki.tk, 1
+gorky.media, 1
+gorlani.com, 1
+gorlani.net, 1
+gormanprojects.com, 1
+gorn.ch, 1
+goroboted.com, 0
+gorodabakan.cf, 1
+gorodabakan.ga, 1
+gorodabakan.gq, 1
+gorodabakan.ml, 1
+gorodabakan.tk, 1
+gorodivanovo.tk, 1
+gorodrabot.by, 1
+gorodrabot.kz, 1
+gorodrabot.ru, 1
+gorodrostov.tk, 1
+gorodruza.tk, 1
+gorodyaroslavl.tk, 1
+goroscop.ga, 1
+goroscop.ml, 1
+goroscop.tk, 1
+goroscope2011.tk, 1
+goroskop-sovmestimosti-znakov.tk, 1
+goroskop-sovmestimosti.ml, 1
+goroskop.gq, 1
+goroskopnew.tk, 1
+gorschenin.com, 1
+gorstom.ml, 1
+gortaniza.tk, 1
+gorymoon.se, 1
+gosaavd.tk, 1
+gosarh.tk, 1
+gosarhiv.tk, 1
+goscg.com, 1
+gosch.de, 1
+goshawkdb.io, 1
+goshin-group.co.jp, 1
+goshop.pl, 1
+goshopnow.co.za, 1
+gosia-banaszkiewicz.com, 1
+gosiberia.ru, 1
+gosimpler.com, 1
+goskills.com, 1
+gosling-gov.tk, 1
+gosling-mod.tk, 1
+goslot.com, 1
+gosnipe.com, 1
+gosolockpicks.com, 1
+gospeldesign.tk, 1
+gospelidea.com, 1
+gospellifewc.com, 1
+gospelmusic.io, 1
+gospelnarrative.com, 0
+gospelsmusic.uk, 1
+gospelstreamingsermons.com, 1
+gospelunited.tk, 1
+gospelvestcination.de, 1
+gospelzone.ga, 1
+gospence.com, 1
+gospercountyne.gov, 1
+gospiritus.com, 1
+gosq.co, 1
+gosq.com, 1
+gossiptimes.tk, 1
+gossr.pw, 1
+gost-energo.ru, 1
+gostargazing.co.uk, 1
+gostartkit.com, 1
+gostatera.com, 1
+gosti-dom.ga, 1
+gostica.com, 1
+gostomaisdecarrosdoquechocolates.com, 1
+gostudy.net, 1
+gosu.pro, 1
+gosupps.com, 1
+goswak.com, 1
+goszakupki.tk, 1
+got-tty.de, 1
+gotabflow.com, 1
+gotajikistan.com, 1
+gotchaphotos.net.au, 1
+gotcounterers.ga, 1
+gotcounterest.ga, 1
+goteamproclean.com, 1
+goteleport.com, 1
+gotepisodes.tk, 1
+gotforumers.ga, 1
+gotgeeks.nl, 1
+gotgenes.com, 0
+gothailand.cf, 1
+gothamcateringnyc.com, 1
+gothamcity.ch, 1
+gothamcity.fr, 1
+gothic-world.tk, 1
+gothiclandscape.com, 1
+gothicmarketing.tk, 1
+gothicsite.tk, 1
+gotikadesaldos.tk, 1
+gotirupati.com, 0
+gotit.com.tw, 1
+gotmilk.ml, 1
+gotmuebles.com, 1
+gotnet.tk, 1
+goto.google.com, 1
+goto.world, 1
+goto10.se, 1
+gotobooks.ml, 1
+gotobrno.cz, 1
+gotoexam.tk, 1
+gotohomerepair.com, 1
+gotolinux.ru, 1
+gotomap.com, 1
+gotomi.info, 0
+gotomojo.com, 1
+gotonet.tk, 1
+gotonline.ml, 1
+gotonline.tk, 1
+gotorussia.tk, 1
+gotovilekovi.tk, 1
+gotovka.ga, 1
+gotovka.tk, 1
+gotowebstore.com, 1
+gotoxy.at, 1
+gotrail.fr, 1
+gotransferdr.com, 1
+gotravel.blog, 1
+gotravel.hu, 1
+gotravel.us, 1
+gotravelmexico.com.mx, 1
+gotrek.com.au, 1
+gotreksperu.com, 1
+gotrendier.com.co, 1
+gotrendier.mx, 1
+gotriage.tk, 1
+gotstreamingers.ga, 1
+gotstubs.com, 1
+gott-it.dk, 1
+gottagohack.fr, 0
+gottasketchemall.com, 1
+gottcar.com, 1
+gottfridsberg.org, 1
+gottika.com, 1
+goturkmenistan.com, 1
+gotvax.us, 1
+gotver.tk, 1
+gotzg.de, 1
+goudenharynck.be, 1
+goudenlaantje.nl, 1
+goudronblanc.com, 1
+goudsbloemonline.nl, 1
+goudt.nl, 1
+gouforit.com, 1
+goug0.com, 1
+gougeaway.tk, 1
+gougeul.org, 1
+goukon.ru, 1
+gouplinkit.com, 1
+gourgouli.com, 1
+gourmet-safran.de, 1
+gourmetfestival.de, 1
+gourmetsditalie.com, 1
+gourmetspalencia.com, 1
+gourmetvitamins.ga, 1
+goushuang.com, 1
+goutsmits-tegelwerken.nl, 1
+gouwdata.nl, 1
+gouwen.com, 1
+gov.exposed, 1
+gov.md, 1
+gov.tc, 1
+gov.uk, 0
+govape.tk, 1
+govecountyks.gov, 1
+governikus.de, 1
+governmentjob.gq, 1
+governmentjobs.gov, 1
+governmentphoneservice.com, 1
+governorhub.com, 1
+govindagiri.tk, 1
+goviralnow.ml, 1
+govloans.gov, 1
+govmi.gov, 1
+govno-site.tk, 1
+govnohosting.cf, 1
+govnosite.tk, 1
+govotecolorado.gov, 1
+govotetn.gov, 1
+govquarter.gq, 1
+govsales.gov, 1
+govtjobs.blog, 1
+govtnaukrinews.com, 1
+govtrack.us, 1
+govvacationrewards.com, 1
+govype.com, 1
+gow220.ru, 1
+gowager.co.uk, 1
+gowaianapanapa.com, 1
+gowancommunications.com, 1
+gowatermarkdesign.com, 1
+gowe.wang, 0
+goweraesthetics.co.uk, 1
+gowervets.co.uk, 1
+gowikings.dk, 1
+gowildrodeo.co.uk, 1
+gowin.ae, 1
+gowinit.de, 1
+gowithflo.de, 1
+gowlingwlg.com, 1
+goworld.gq, 1
+gowpcare.com, 1
+goxyshuk.duckdns.org, 0
+goyahkles-spirit-to.tk, 1
+goyoyo.com, 1
+goyumoilexpeller.com, 1
+gozadera.es, 1
+gozenhost.com, 1
+gozenhosting.com, 1
+gp-lightstone.de, 1
+gpalabs.com, 1
+gpatrading.com, 1
+gpbdev.ru, 1
+gpccp.cc, 1
+gpcmicro.com, 1
+gpcp.org, 1
+gpcs.ml, 1
+gpcsolutions.fr, 1
+gpdp.it, 1
+gpfclan.de, 1
+gpforum.tk, 1
+gpga.cf, 1
+gpgscoins.com, 1
+gphalt.com, 1
+gphalt.de, 1
+gpio.gq, 1
+gpl25.ml, 1
+gplans.us, 1
+gplintegratedit.com, 1
+gpltimes.club, 1
+gpltimes.com, 0
+gpltimes.org, 1
+gplvilla.com, 1
+gpnotebook.com, 0
+gpo.gov, 0
+gpodev.gov, 1
+gpolanco.com, 1
+gpony.fr, 1
+gppro.com, 0
+gpr.ge, 1
+gpremium.cl, 1
+gps-fleettracking.ga, 1
+gps-track-sys.info, 1
+gps.com.br, 1
+gps4net.com, 1
+gps4net.eu, 1
+gpsarena.ro, 1
+gpsbag.com, 1
+gpsblackbox.com, 1
+gpsfix.cz, 1
+gpskoordinaten.de, 1
+gpsmith.tech, 1
+gpsnavigator.tk, 1
+gpsolarpanels.com, 1
+gpspolis.nl, 1
+gpsroomers.ga, 1
+gpstrackersaustralia.com, 1
+gpsvideocanada.com, 1
+gpswebsoft.ml, 1
+gptunnel.kz, 1
+gptunnel.ru, 1
+gpu.nu, 1
+gpwaconference.com, 1
+gpwatimes.org, 1
+gpwih.com, 1
+gpwmd-portal.org, 1
+gpz500s.tk, 1
+gq-magazine.co.uk, 1
+gqms.com, 1
+gqyyingshi.com, 0
+gr.search.yahoo.com, 0
+gra-gcc.com, 1
+gra2.com, 1
+graasp.net, 0
+grabacabpa.com, 1
+grabadolasermonterrey.com, 1
+graberbooks.gq, 1
+grabi.ga, 1
+grabnews.ga, 1
+grabnews.tk, 1
+grabowski.ovh, 1
+grabrfi.com, 1
+grabyourfreeleadshere.tk, 1
+grace-wan.com, 1
+gracealexwatch.org, 1
+gracebaking.com, 0
+graceclinic.com.tw, 1
+gracecommunity.school, 1
+gracecounselingcos.com, 1
+gracedaycorea.com, 1
+gracedays.org, 1
+gracedonors.co.uk, 1
+gracedonors.co.za, 1
+gracedonors.com, 1
+graceharborapps.net, 1
+gracelawoffice.com, 1
+graceradio.tk, 1
+gracereminder.com, 1
+gracethrufaith.com, 1
+gracetini.com, 1
+grachten.museum, 1
+gracia-club.tk, 1
+graciasmarvin.tk, 1
+gracodesign.eu, 1
+gradedblue.com, 1
+gradelink.com, 1
+gradenotify.com, 1
+gradgreenhouse.com, 1
+gradienthosting.co.uk, 1
+gradients.com, 1
+gradientthemes.com, 1
+gradinacufluturi.ro, 1
+gradingcontractornc.com, 1
+gradinitasamariteanulcluj.ro, 1
+gradintel.com, 1
+gradity.eu, 1
+gradle.com, 1
+gradle.org, 1
+grads360.org, 1
+graduados.tk, 1
+gradualgram.com, 1
+graduatenursingedu.org, 1
+graduatewriter.com, 1
+graecum.org, 1
+graeskmad.dk, 1
+graetgossip.com, 1
+graetintelligence.com, 1
+graetnew.com, 1
+graetnewsnetwork.com, 1
+graetreport.com, 1
+graf-igor.ch, 1
+graf.re, 1
+grafana.com, 1
+grafcaps.com, 1
+grafenberg.tk, 1
+graffiti-street-art-ebook.tk, 1
+graffitinetwerk.nl, 1
+graffitiwall.tk, 1
+graffprint.pl, 1
+grafia.ink, 1
+graficagesa.com.br, 1
+graficanocera.com, 1
+graficasantana.com.br, 1
+graficoywebvalencia.tk, 1
+grafik.gq, 1
+grafimagenpublicidad.com, 1
+grafittikontroll.cf, 1
+grafmag.pl, 1
+grafmark.art, 1
+grafmurr.de, 1
+grafnet.com.br, 1
+grafologia.tk, 1
+grafos.ml, 1
+grafoterapia.tk, 1
+grafphoto.com, 1
+graft.community, 1
+graft.spb.ru, 1
+graftoncountynh.gov, 1
+graftonglobe.cf, 1
+graftonglobe.tk, 1
+graftonnd.gov, 1
+graftworld.pw, 1
+grafuroam.com, 1
+grahambaggett.com, 1
+grahambaker.ca, 1
+grahamcarruthers.co.za, 1
+grahamcluley.com, 0
+grahamedgecombe.com, 1
+grahamleeonline.com, 1
+grahamsmith.tech, 1
+grailians.com, 1
+grailify.com, 1
+grain-feature-branch.co, 1
+grain-staging.co, 1
+grain.com, 1
+graine-de-cafe.com, 1
+graingert.co.uk, 1
+graliv.net, 0
+grallersdegegants.tk, 1
+gramati.com.br, 1
+grammar.co.id, 1
+grammar.hu, 1
+grammarhouse.me, 0
+grammofono.gr, 0
+grammysgrid.com, 1
+gramtarang.org.in, 1
+gran-hermano.tk, 1
+granalacant.tk, 1
+granary-demo.appspot.com, 0
+granaturov.mk.ua, 1
+granby404.eu, 1
+grancargo.com.br, 0
+grancellconsulting.com, 1
+grancordobahoy.com.ar, 1
+grand-assistance.co.jp, 1
+grand-books.cf, 1
+grand-certification.kz, 1
+grand-challenge.org, 1
+grand-design.tk, 1
+grand-hotel-de-france.com, 1
+grand-house.gq, 1
+grand-knighki.gq, 1
+grand-sity.ru, 1
+grandalfa.co.nz, 1
+grandblanctwpmi.gov, 1
+grandcabin.md, 1
+grandcafeatpark.nl, 1
+grandcanyon.tk, 1
+grandcanyonmore.com, 1
+grandcanyonmoretours.com, 1
+grandcapital.cn, 1
+grandcapital.id, 1
+grandcapital.net, 1
+grandcapital.ru, 1
+grandchene.ch, 0
+grandchutewi.gov, 1
+grandcountydronepilot.com, 1
+grande-rock.tk, 1
+grande.coffee, 1
+grande.wiki, 1
+grandepresion.com, 1
+grandesign.pt, 1
+grandesmaisons.fr, 1
+grandeurgifts.in, 1
+grandfallscamp.com, 1
+grandfieldok.gov, 1
+grandfoodandcateringservices.com.au, 0
+grandfootball.tk, 1
+grandhomemx.com, 1
+grandi-books.gq, 1
+grandisco.tk, 1
+grandiscontionline.com, 1
+grandislandne.gov, 1
+grandmasfridge.org, 0
+grandmass.com, 1
+grandmasternetwork.com, 1
+grandmusiccentral.com.au, 1
+grandpachy.tk, 1
+grandpad.biz, 1
+grandpad.net, 1
+grandpadusercontent.com, 1
+grandpcd.com, 1
+grandrapidsmn.gov, 1
+grandrapidswi.gov, 1
+grandstarcourier.ml, 1
+grandtiresers.ga, 1
+grandviewgynecology.ca, 1
+grandviewheights.gov, 1
+grandwailea.com, 1
+grandwill.com, 1
+grandworldnghiduong.com, 0
+grandx86.pl, 1
+granfort.es, 0
+granfutbol.com, 1
+grangecon.tk, 1
+grangette.eu, 1
+grani.gq, 1
+granian.pro, 1
+granica.tk, 1
+granigroup.ru, 1
+granishe.com, 1
+granit-capital.ga, 1
+graniteedvance.org, 1
+graniteescrow.com, 1
+granitehillcapital.com, 1
+graniteind.com, 1
+granitestateproductions.tk, 1
+granitko.ru, 1
+grannynude.tv, 1
+grannypussy.net, 1
+grannypussy.tv, 1
+grannypussypics.com, 1
+grannys-stats.com, 1
+grannytitty.com, 1
+grannytube.net, 1
+grannytube.tv, 1
+grannytubes.com, 1
+granool.ga, 1
+granotamaniacos.tk, 1
+granpoder-islacristina.tk, 1
+gransfors354.com, 1
+granstoqueatacadista.com.br, 1
+granstor.com, 0
+granstrom.tk, 1
+grantashqg.com, 1
+grantcountyne.gov, 1
+grantdb.ca, 1
+granthamnh.gov, 1
+grantmorrison.net, 1
+grantsmasters.com, 1
+grantsolutions.gov, 1
+granttwpstclairmi.gov, 1
+granulate.io, 1
+graonatural.com.br, 0
+grapee.jp, 1
+grapeintentions.com, 1
+grapevine.is, 1
+graph.org, 1
+graphe.gq, 1
+graphene.software, 1
+graphenecompany.com, 1
+grapheneenergy.com, 1
+grapheneengine.com, 1
+grapheneos.ca, 1
+grapheneos.com, 1
+grapheneos.info, 1
+grapheneos.net, 1
+grapheneos.org, 1
+grapheneos.ovh, 1
+grapheneos.social, 1
+graphenepower.com, 1
+graphic-schools.com, 1
+graphic-shot.com, 1
+graphicbuffet.co.th, 1
+graphicdesignresources.net, 1
+graphicdream.tk, 1
+graphicinfo.com, 1
+graphicnab.com, 1
+graphicps.com, 1
+graphicspace.tk, 1
+graphicz.ml, 1
+graphiste-freelance-rouen.fr, 1
+graphite.org.uk, 1
+graphiteconnect.com, 1
+grapholio.net, 1
+graphpaper.studio, 1
+graphviewer.tk, 1
+grapixo.com, 1
+grapplinginsider.com, 1
+grasboom35plus.nl, 1
+grasdealer.com, 1
+grasengroenkunstgras.nl, 1
+grasmark.com, 1
+grasp24.pl, 1
+grasrijk.tk, 1
+grassau.com, 1
+grasscity.com, 0
+grassenberg.de, 1
+grasshoppervape.com, 1
+grasski.net, 1
+grassreinforcement.com.au, 1
+grast.jp, 1
+graszoden.tk, 1
+gratelin.ga, 1
+gratis-hosting.cf, 1
+gratis.market, 1
+gratis4u.tk, 1
+gratisfotos.nl, 1
+gratisfullalbum.tk, 1
+gratishandy.tk, 1
+gratisliste.de, 1
+gratismuziek.tk, 1
+gratisonlinespel.tk, 1
+gratisparati.tk, 1
+gratitudeabundancepassion.com, 1
+gratius.tk, 1
+gratiz.nl, 1
+grattan.co.uk, 1
+grattecenne.com, 1
+gratuitweb.tk, 1
+graumeier.de, 1
+grauwasser-blog.de, 1
+gravedad-zero.tk, 1
+gravedigger.tk, 1
+gravelshooters.com, 1
+gravelshooters.net, 1
+gravelshooters.org, 1
+gravely-dealers.com, 1
+gravely.com, 1
+gravelylawn.com, 1
+gravelymower.com, 1
+gravensteengent.be, 1
+gravescountyky.gov, 1
+gravilink.com, 1
+gravira.ru, 1
+gravirovshik.ru, 1
+gravitascreative.net, 1
+gravitational.co, 1
+gravitational.com, 1
+gravitational.io, 1
+gravitco.com, 1
+gravitechthai.com, 1
+gravitlauncher.ml, 1
+graviton.work, 1
+gravity-bonanza.org, 1
+gravity-inc.net, 1
+gravityformspdfextended.com, 1
+gravityinvestments.com, 1
+gravitypdf.com, 1
+gravityresearchgroup.cf, 1
+gravityresearchgroup.ga, 1
+gravityresearchgroup.gq, 1
+gravityresearchgroup.tk, 1
+gravytrain.tk, 1
+grawe-blog.at, 1
+gray.network, 1
+grayarrow.com, 1
+graybroughton.com, 1
+graycat.ml, 1
+grayhatter.com, 1
+graymuzzlesociety.org, 1
+grayowlworks.com, 1
+grayphics.com, 1
+grayrectangle.com, 1
+grayslakeadvisors.com, 1
+grayson.sh, 1
+graysonsmith.co.uk, 1
+graysquare.com, 1
+grayville-il.gov, 1
+grazetech.com, 1
+grazhdanskij-advokat.tk, 1
+grbrt.com, 1
+grc.com, 0
+grd.cx, 1
+grday.com, 1
+grdnlife.site, 1
+great-ajax.tk, 1
+great-mom.tk, 1
+great.nagoya, 1
+greatagain.gov, 1
+greataltrock.tk, 1
+greatamericaneu.com, 1
+greatamericanuk.com, 1
+greatbarrierisland.nz, 1
+greatbeginningsmi.com, 1
+greatdane.com, 1
+greatdanegrp.com, 1
+greatdanemowers.com, 1
+greatepier.tk, 1
+greatergood.com, 0
+greatergoods.com, 1
+greaterzion.com, 1
+greatestcampsest.ga, 1
+greatestwallsest.ga, 1
+greatfallsmt.gov, 1
+greatfire.org, 1
+greatgooglymoogly.tk, 1
+greathairtransplants.com, 1
+greathillpartners.com, 1
+greatlakesden.net, 1
+greatlakesendurance.com, 1
+greatlakesintegrativemed.com, 1
+greatlakestechdiving.com, 1
+greatlifeinsurancegroup.com, 1
+greatlms.com, 1
+greatnetsolutions.com, 1
+greatnews.ro, 1
+greatoceanroadbrewhouse.com.au, 1
+greatplains.io, 1
+greatplainsaustralia.com.au, 1
+greatrenumbering.tk, 1
+greatrichmond.com, 1
+greatsankeypc.org.uk, 1
+greatscholars.tk, 1
+greatscience.tk, 1
+greatsittersers.ga, 1
+greatsittersest.ga, 1
+greatsurfersers.ga, 1
+greatsurfersest.ga, 1
+greatvacation.tk, 1
+greatwebdesign.uk, 1
+grechutaszkolenia.pl, 1
+greciahora.com, 1
+greeblehaus.com, 1
+greedy-it.de, 1
+greek-islands-hotels.tk, 1
+greeklish.gr, 1
+greekmusic.academy, 1
+greeknewspapers.tk, 1
+greeks.tk, 1
+greekweb.tk, 1
+greeleycountyne.gov, 1
+green-adn.com, 1
+green-anarchy.tk, 1
+green-attitude.be, 1
+green-aura.ru, 0
+green-clean.at, 1
+green-factory.gq, 1
+green-factory.ml, 1
+green-finance.fr, 1
+green-gardens.fr, 1
+green-laser.ga, 1
+green-laser.ml, 1
+green-light.cf, 1
+green-light.co.nz, 0
+green-light.ga, 1
+green-light.gq, 1
+green-light.ml, 1
+green-paradise.tk, 1
+green-smart.com, 1
+green-smart.work, 1
+green-snake.com, 1
+green-version.com, 1
+green-wood.com, 1
+green.com.do, 1
+greenacrescannabisgroup.com, 1
+greenaddress.it, 1
+greenangels.com.ua, 1
+greenapproach.ca, 1
+greenartistsswiss.ch, 1
+greenassembly.fr, 1
+greenbat57.fr, 1
+greenbeauty.in, 1
+greenbuildingsystemsllc.com, 1
+greenburghny.gov, 1
+greencapital.gent, 1
+greencbd.com, 1
+greencircleplantnursery.com.au, 1
+greencircleplantnursery.net.au, 1
+greenclouddefense.com, 1
+greencocktail.ga, 1
+greencoconutresort.cf, 1
+greencoconutresort.ga, 1
+greencoconutresort.gq, 1
+greencoconutresort.ml, 1
+greencross.cf, 1
+greencyprus.com, 1
+greendaylivecrew.tk, 1
+greendesserters.ga, 1
+greendessertest.ga, 1
+greendiscussionsers.ga, 1
+greendotcc.com, 1
+greendotcredit.com, 1
+greendragonsearch.tk, 1
+greendrive.tk, 1
+greendvorik.com.ua, 1
+greenearthlawns.com, 0
+greenecountyny.gov, 1
+greenecountyohio.gov, 1
+greenecountytn.gov, 1
+greenecountytnsheriffsdept.gov, 1
+greenetwpclintonpa.gov, 1
+greenews.ga, 1
+greenex.pro, 1
+greenfever.pl, 1
+greenfieldlaxwi.gov, 1
+greenfieldwi.gov, 1
+greenflashforensics.com, 1
+greenforum.tk, 1
+greenfoxadventures.com, 1
+greenfunder.co.uk, 1
+greengarden.tk, 1
+greengates.co.uk, 1
+greengoblindev.com, 1
+greengorych.io, 1
+greengorych.ru, 1
+greengov.gov, 1
+greengrocery.tk, 1
+greenhandy.com, 1
+greenhats.de, 1
+greenhillhosting.com, 1
+greenholiday.tk, 1
+greenhollowbowmen.tk, 1
+greenhous-technology.tk, 1
+greenice.net, 1
+greeningsremovalsandstorage.co.uk, 1
+greenislandgroupny.com, 1
+greenit.eco, 1
+greenkey.gent, 1
+greenkitchen.tk, 1
+greenlakecountywi.gov, 1
+greenland-estate.tk, 1
+greenleft.org.au, 0
+greenlifecannabis.com, 1
+greenlifetour.tk, 1
+greenlighttreeservices.com, 1
+greenline.financial, 1
+greenliquidsystem.com, 1
+greenliv.pl, 1
+greenmesg.org, 1
+greenmind.tk, 1
+greenminegroup.com, 1
+greenmoon.tk, 1
+greenmountainenergy.com, 1
+greenopedia.com, 1
+greenopeningsers.ga, 1
+greenopeningsest.ga, 1
+greenpal.jp, 1
+greenpanda.de, 1
+greenpartyofnewmilford.org, 1
+greenpaws.ee, 1
+greenpeace.community, 1
+greenplanet.tk, 1
+greenplanetgrass.com.au, 1
+greenridgemo.gov, 1
+greenroach.ru, 1
+greenroom.tk, 1
+greenrushdaily.com, 1
+greensad36.ru, 1
+greensboro.com, 1
+greensborosecuritycameras.com, 1
+greensborovt.gov, 1
+greensidevetpractice.co.uk, 1
+greensilllatam.com, 1
+greensmartplanet.com.my, 1
+greensmartplanet.my, 1
+greensph.tk, 1
+greensquare.tk, 1
+greenstation.no, 1
+greensurpriseers.ga, 1
+greensurpriseest.ga, 1
+greenswimmingers.ga, 1
+greenswimmingest.ga, 1
+greentea.gq, 1
+greentea.ml, 1
+greentea.tk, 1
+greenteamtwente.nl, 1
+greentechhvac.in, 1
+greenthought.tk, 1
+greentop.tk, 1
+greenupchdky.gov, 1
+greenux.cloud, 1
+greenux.cz, 1
+greenville.k12.sc.us, 1
+greenware.tk, 1
+greenway-moskva.ru, 1
+greenwaylog.net, 1
+greenwhitearmy.tk, 1
+greenwichbiosciences-influence-beta.azurewebsites.net, 1
+greenwiki.ca, 1
+greenwithdecor.com, 1
+greenwood-it.co.uk, 1
+greenwoodne.gov, 1
+greenwoodny.gov, 1
+greenwoodtwpcrawfordpa.gov, 1
+greenytimes.com, 1
+greenyway.com, 1
+greenzved.tk, 1
+greer.ru, 1
+greetabl.com, 1
+greetingcdsers.ga, 1
+greetingcdsest.ga, 1
+greffe-de-cheveux-turquie.com, 1
+greg.red, 1
+gregbrimble.com, 1
+gregdf.com, 1
+greger.me, 1
+greghouse.tk, 1
+gregmartyn.com, 1
+gregmarziomedia.co.za, 1
+gregmarziomedia.com, 1
+gregmc.ru, 1
+gregmckeown.com, 1
+gregmilton.com, 1
+gregmilton.org, 1
+gregmote.com, 1
+grego.pt, 1
+gregoirow.be, 1
+gregorians.org, 1
+gregorkofler.com, 1
+gregory-kramer.fr, 1
+gregory-thibault.com, 1
+gregorydorrifourt.fr, 1
+gregoryhammond.ca, 1
+gregorykelleher.com, 1
+gregoryrealestategroup.com, 1
+gregorywiest.com, 1
+gregproffit.com, 1
+gregscloud.com, 1
+greizer.tk, 1
+grekiskagudar.tk, 1
+grekos.com.pl, 1
+gremagol.xyz, 1
+gremlinsmountain.tk, 1
+grenadaco-opbank.com, 1
+grenade.ga, 1
+grenadiercorps-kaarst.de, 1
+grenadiere-kaarst.de, 1
+grenadierkorps-kaarst.de, 1
+grenadierkorps.de, 1
+grend.gq, 1
+grenfell.org.au, 1
+grenfellinternetcentre.com.au, 1
+grengine.ch, 1
+grenlan.com, 1
+grenoblepartners.com, 1
+grepable.com, 1
+grepular.com, 1
+gresak.io, 0
+gresik.info, 1
+gresrewop.ca, 1
+gresrewop.com, 1
+greta-birkner.de, 1
+greta-fischer-schule.de, 1
+gretalfoodproducts.com, 1
+gretathemes.com, 1
+gretch.space, 1
+gretchensbridalgallery.com, 1
+gretel.ai, 1
+greuel.online, 1
+greutmann.net, 1
+grevenagreece.gr, 1
+grevesgarten.de, 1
+grexx.today, 1
+grey-cat.tk, 1
+greybullwy.gov, 1
+greycentre.com, 1
+greycrane.net, 1
+greydesign.tk, 1
+greyhackcentral.gq, 1
+greyhash.se, 1
+greyheads.cat, 1
+greyline.tk, 1
+greymatteroffline.tk, 1
+greymuzzlemanor.org, 1
+greypanel.com, 1
+greyrectangle.com, 1
+greyskymedia.com, 1
+greysolonballroom.com, 1
+greystonesmovement.com, 1
+greystonesscouts.tk, 1
+greywalker.tk, 1
+greywolf.cz, 1
+grfinefoods.co.uk, 1
+grfnhousing.org, 1
+grg.de, 1
+grh.am, 0
+grhhosting.com, 1
+griassdi-reseller.de, 1
+gricargo.com, 1
+grickle.org, 1
+grid.is, 1
+gridcatalyst.org, 1
+gridcodestudio.com, 1
+gridfuse.com, 1
+gridgain.com, 1
+gridgames.tk, 1
+gridgroup.com.tr, 1
+gridironelitetraining.com, 1
+gridlab.de, 1
+gridly.nl, 1
+gridspace.ca, 1
+gridtennis.net, 1
+gridvis.cloud, 1
+griechische-pfoetchen.de, 1
+griefheart.com, 1
+grieg-gaarden.no, 1
+grieg.net, 1
+grieg.no, 1
+grieg.org, 1
+grieglogistics.no, 1
+griegshipbrokers.no, 1
+griendencollege.tk, 1
+grienenberger.eu, 1
+griesser2.de, 1
+griffin.com, 1
+griffinmuseum.org, 1
+griffinsrfc.tk, 1
+griffithobs.org, 1
+griffithobservatory.org, 1
+griffophotography.tk, 1
+grifomarchetti.com, 1
+grifone.tk, 1
+griftersnet.com, 1
+grigo.ga, 1
+grigo.tk, 1
+grigorev.tk, 1
+grijalba.tk, 1
+grijpskerk500.tk, 1
+grillboxtaxi.de, 1
+grillen-darf-nicht-gesund-sein.de, 1
+grillfocused.com, 1
+grillidellostretto.tk, 1
+grilllness.com, 1
+grilltanksplus.com, 1
+grimdarkterrain.com, 1
+grimetoshinecleaners.co.uk, 1
+grimm.cz, 1
+grimmhome.com, 1
+grimmonolith.tk, 1
+grimorium.tk, 1
+grimsby.ac.uk, 1
+grimsbydns.com, 1
+grimsbymoneyman.com, 1
+grinday.tk, 1
+grindgore.tk, 1
+grinmore.com, 1
+grinned.tk, 1
+grinnellksroots.com, 1
+grinnellplanes.com, 1
+grinnellplans.com, 1
+grinpis.tk, 1
+gripcoat.jp, 1
+gripeffect.nl, 1
+gripeh1n1.com, 1
+gripencrossfit.cf, 1
+gripencrossfit.gq, 1
+gripnijmegen.rip, 1
+gripopit.nl, 1
+gripvol.nl, 1
+gripwenab.cf, 1
+grishavirus.cf, 1
+grissianerhof.com, 1
+griswoldia.gov, 1
+grit3.com, 1
+gritsany.hopto.org, 1
+griyadenature.tk, 1
+griyo.online, 1
+grizz.gdn, 1
+grizzenergygum.com, 1
+grizzlys.com, 0
+grizzlys.tk, 1
+grm.com.co, 1
+grnbank.com, 1
+groaccess.com, 1
+groben-itsolutions.de, 1
+grockradio.ga, 1
+grocock.me.uk, 1
+groenaquasolutions.nl, 1
+groenemoskeeen.nl, 0
+groeneoldtimer.nl, 1
+groenlinks.nl, 1
+groentebesteld.nl, 1
+groenteclub.nl, 1
+groentefruitzeep.com, 1
+groentefruitzeep.nl, 1
+groepjam-usedcars.be, 1
+groepper-it.de, 1
+groestlcoin.org, 1
+groetzner.net, 1
+grog.pw, 1
+grokker.com, 1
+groklearning.com, 1
+grolimur.ch, 0
+grolleau.fr, 1
+gromasikov.tk, 1
+gromovphotography.tk, 1
+gronau-it-cloud-computing.de, 1
+grondius.com, 1
+grondwerkencooreman.be, 1
+groningerkustvaart.tk, 1
+groomershop.ru, 0
+groomlake.tk, 1
+groomscroft.co.uk, 1
+groomscroft.com, 1
+grooove.pl, 1
+groothagenbeek.nl, 1
+grootinadvies.nl, 1
+groots.com, 1
+groove3.com, 1
+grooveguard.tk, 1
+groover.com.br, 1
+groovie.tk, 1
+groovyboove.co.uk, 1
+groovydiscountsers.ga, 1
+groovydiscountsest.ga, 1
+groovydisk.com, 1
+groovygoldfish.org, 1
+groovyrelocation.com, 1
+gropar.ch, 1
+gropar.com, 1
+gropp.org, 1
+grosirfashion.online, 1
+gross.business, 1
+grossaci.cz, 1
+grossberger-ge.org, 0
+grosser.io, 1
+grossiste-en-ligne.com, 1
+grossmisconduct.news, 1
+grossorders.com, 1
+groszek.pl, 1
+grotesk.tk, 1
+groth.im, 1
+groth.xyz, 1
+grothem.cf, 1
+grothem.gq, 1
+grothoff.org, 1
+grottalchemica.it, 1
+grottenthaler.eu, 1
+grouchysysadmin.com, 1
+ground-control.de, 1
+groundball.tk, 1
+groundfm.tk, 1
+groundmc.net, 1
+groundsdirect.com, 1
+groundspan.com, 1
+groundthumpingmotors.com, 1
+groundthumpingmotors.net, 1
+groundthumpinmotors.com, 1
+groundthumpinmotors.net, 1
+group-digitcom.com, 1
+group-galore.com, 1
+group-project.xyz, 1
+group4layers.net, 1
+groupama.hu, 1
+groupama.sk, 1
+groupamadirekt.hu, 1
+groupdcc.com, 1
+groupe-accedia.org, 1
+groupe-cassous.com, 1
+groupe-erige.com, 1
+groupe-goddi.com, 1
+groupe-neurologique-nord.lu, 0
+groupeaccedia.biz, 1
+groupeaccedia.com, 1
+groupeaccedia.fr, 1
+groupeaccedia.info, 1
+groupeaccedia.net, 1
+groupeaccedia.org, 1
+groupeconseilera.com, 1
+groupekabowd.com, 1
+groupeleven.com, 1
+groupeonepoint.com, 1
+groupeperrier.com, 1
+grouperacinecotedesbar.fr, 1
+groupescr.fr, 0
+groupghistelinck-cars.be, 1
+groupkoufopoulou.gr, 1
+groupleavingcards.com, 1
+groupmallers.ga, 1
+groupmallest.ga, 1
+groupme.com, 1
+groupouts.com, 1
+grouppassers.ga, 1
+groups.google.com, 1
+groupsgyani.com, 1
+groupsh.ca, 1
+groupsite.blue, 1
+groupx.tk, 1
+groutandseal.co.nz, 1
+grove-archiv.de, 1
+grovecity.cf, 1
+grovecity.ga, 1
+grovecity.gq, 1
+grovecity.ml, 1
+grovecrypto.com, 1
+grovefinancialgroup.com.au, 1
+groveland.place, 1
+grovelandmi.gov, 1
+grovesales.co.uk, 1
+growatiopex.com, 1
+growblocks.com, 1
+growbydata.com, 1
+growbyrabbit.com, 1
+growebmarketing.com, 0
+growers.social, 1
+growery.com, 1
+growery.net, 1
+growery.org, 1
+growidentity.com, 1
+growingallthings.co.uk, 1
+growinghumankindness.com, 1
+growingsearch.com, 1
+growitsecure.com, 1
+growledlamp.fr, 1
+growledlamp.it, 0
+growme.gq, 1
+growth-rocket.com, 1
+growth.design, 1
+growthagent.com, 1
+growthandrenewal.ca, 1
+growthinbusiness.com, 1
+growthlab.com.my, 1
+growthlytics.co.uk, 1
+growthoutpatient.com, 1
+growthseedconsulting.com, 1
+growthservicesinc.com, 1
+growthsimulationest.ga, 1
+growthtoysers.ga, 1
+growthtoysest.ga, 1
+growy.ch, 0
+grozdanov.tk, 1
+grozter.se, 1
+grpformations.cloud, 1
+grplusbd.cf, 1
+grsecurity.net, 1
+grsglaciere13.asso.fr, 1
+grtc.today, 1
+grthomes.com, 1
+grtmmail.com, 1
+grtp02.com, 1
+gruaskmsa.cl, 1
+gruasllanos.cl, 1
+gruber-software.com, 0
+gruble.de, 1
+gruca.com.br, 1
+gruebebraeu.ch, 1
+grueberstein.de, 1
+gruelang.org, 1
+gruenderlehrstuhl.de, 1
+gruene-im-rvr.de, 1
+gruene-linde-schwimmen.tk, 1
+gruene-wattenscheid.de, 1
+gruener-salon-bochum.de, 1
+gruenerpass.co.at, 1
+gruenes-wp.de, 1
+gruenhagenlaw.com, 1
+gruenprint.de, 1
+gruenwedels-restaurant.de, 1
+gruenwedels.de, 1
+gruhn.email, 1
+grummittgroundworks.co.uk, 1
+grumpie.tk, 1
+grumpy.fr, 1
+grumpygamers.com, 1
+grumpyguy.ga, 1
+grundig.co.uk, 1
+grundlage.fi, 1
+grundschulratgeber.de, 1
+grundskoleboken.ga, 1
+grundskoleboken.gq, 1
+grundskoleboken.tk, 1
+grundycountyil.gov, 1
+grundycountyiowa.gov, 1
+grunion.tk, 1
+grunlab.net, 1
+grunttoziemia.pl, 1
+grunwaldzki.center, 1
+grunwasser.fr, 1
+grupatvogzivota.tk, 1
+grupdedansa.tk, 1
+gruphepsi.tk, 1
+grupo-famia.tk, 1
+grupo-zoom.com, 1
+grupoalv.com, 1
+grupoandrey.com.mx, 1
+grupoauxteclic.com, 1
+grupobit.net, 1
+grupocata.com, 1
+grupocb.com.br, 1
+grupodcasa.tk, 1
+grupodecoroinhaspnsa.tk, 1
+grupodepasajeros.tk, 1
+grupodes.com.br, 1
+grupoeitb.eus, 1
+grupoellatu.tk, 1
+grupoenelcolombia.com, 1
+grupoenergiabogota.com, 1
+grupoentregas.com, 1
+grupoeurodesign.com, 1
+grupofarmavip.pt, 1
+grupoharbour.com, 1
+grupoice.com, 1
+grupoimb.pt, 1
+grupoiwana.tk, 1
+grupolegalsgf.com, 1
+grupomacroex.com, 1
+grupomanquecura.tk, 1
+grupomedlegal.com, 1
+grupomonti.com.ar, 1
+grupomwr.com, 1
+grupoparco.com, 1
+grupoproabienesraices.com.mx, 1
+grupos.cf, 1
+gruposanjose.tk, 1
+gruposiit.com.mx, 1
+gruposousa.pt, 1
+grupovendap.com, 1
+grupovisabeira.com, 0
+gruppa.ml, 1
+gruppa.net, 1
+gruppakolibri.ml, 1
+gruppe-casablanca.tk, 1
+grupposanmarco.eu, 1
+grupposiciliaviola.tk, 1
+gruppotac.com, 1
+grurez.com, 1
+gruta.website, 1
+gruveo.com, 1
+gruver.de, 1
+gruwa.net, 1
+gruz0.ru, 1
+gruzchiki.ml, 1
+gruzchiki74.tk, 1
+gruzinfo.tk, 1
+gruzmt.ru, 1
+gruzoperevozki.ml, 1
+gruzoperevozki.tk, 1
+grwebdesigns.gr, 1
+gryffin.ga, 1
+gryffin.ml, 1
+gryffin.tk, 1
+gryphzia.cf, 1
+gryte.tk, 1
+grytics.com, 1
+grzegorzchomutowski.pl, 1
+grzesiak.com, 1
+gs-pflege.de, 1
+gs-schlossberg.de, 1
+gs93.de, 1
+gsa-online.de, 1
+gsa.gov, 1
+gsaadvantage.gov, 1
+gsaauctions.gov, 1
+gsafleet.gov, 1
+gsaj114.net, 1
+gsatest2.gov, 1
+gsaxcess.gov, 1
+gscgh.com, 1
+gscloud.xyz, 1
+gscpaudit.org.uk, 1
+gsd.id, 1
+gsded.com, 1
+gse.space, 1
+gservera.com, 1
+gsfreak.pt, 1
+gshoes.bg, 1
+gsilva.org, 1
+gsimagebank.co.uk, 1
+gsiw.be, 1
+gsiw.gent, 1
+gslabnet.org, 1
+gslate.com, 0
+gsm-info.tk, 1
+gsmbrick.com, 1
+gsmkungen.com, 1
+gsmmedia.tk, 1
+gsmpreview.com, 1
+gsmsale.nl, 1
+gsmtool.tk, 1
+gsmvermist.tk, 1
+gsp.com, 1
+gspcreations.com, 1
+gspilar.tk, 1
+gsrc.io, 1
+gst.name, 1
+gst.priv.at, 1
+gstackrankers.com, 1
+gstehlik.com, 1
+gstrans.bg, 1
+gt-himmel.com, 1
+gta-arabs.com, 1
+gta5redux.com, 1
+gtacoop.com, 1
+gtacty.co, 1
+gtaforum.nl, 1
+gtagames.nl, 1
+gtalenders.ca, 1
+gtanalytics.com, 1
+gtapg.net, 1
+gtb-nsn.gov, 1
+gtbeyes.com, 1
+gtbgames.com, 1
+gtbprivacy.com, 1
+gtc.com.gt, 0
+gtcountymi.gov, 1
+gtcprojects.com, 1
+gtd.cloud, 1
+gtdnordic.fi, 1
+gtek.com.br, 1
+gtgcloudservices.com, 1
+gti.cx, 1
+gtk-tim.ru, 1
+gtlaun.ch, 0
+gtlcenter.org, 1
+gtld.fyi, 1
+gtm-server.com, 1
+gtmetrix.com, 1
+gtmhub.com, 1
+gtn-pravda.ru, 1
+gtonline.ml, 1
+gtopala.com, 1
+gtopala.net, 1
+gtreasury.com, 1
+gtrwebdesign.nl, 0
+gts-tradgard.se, 1
+gts-varmepumpar.se, 1
+gtsb.io, 1
+gtsoftware.gr, 1
+gtupgrade.eu, 1
+gtx970settlement.com, 1
+gtxmail.de, 1
+gtxthere.tk, 1
+gtzq.com, 1
+gu153gx.uk, 1
+guadagnare.info, 1
+guadagnosicuro.tk, 1
+guadalinfoconlaroja.tk, 1
+guadaluperoses.co, 1
+guadalupetx.gov, 1
+guajars.cl, 1
+guamcourts.gov, 1
+guanggaonet.com, 1
+guangjiangk.com, 1
+guannan.net.cn, 0
+guanzhong.ca, 1
+guapcoinswap.finance, 1
+guapi.ml, 1
+guaranteedexchangeers.ga, 1
+guaranteedexchangeest.ga, 1
+guaranteedfitdanceshoes.com, 1
+guaranteedfittangoshoes.com, 1
+guardando.tk, 1
+guardedbox.com, 1
+guardedbox.es, 1
+guarderiajackson.tk, 1
+guardiabermellon.tk, 1
+guardian-codex.tk, 1
+guardian-heliotrope.tk, 1
+guardian360.nl, 1
+guardianangelportraits.com, 1
+guardiancodewebservices.com, 1
+guardianerm.net, 1
+guardiapretoriana.tk, 1
+guarever.tk, 1
+guarrato.tk, 1
+guategmala.ga, 1
+guateradio.tk, 1
+guatzessen.at, 1
+guayaquil-consort.tk, 1
+gubagoo.com, 1
+gubagoo.io, 1
+gubea.org, 0
+gubernia37.ml, 1
+gubka.ga, 1
+gudaman.com, 1
+gudangpangan.id, 1
+gudbrand.no, 1
+guddaff.de, 1
+gudini.net, 1
+gudostudio.tk, 1
+gudrun.ml, 1
+gudrun.tk, 1
+gudrunsleiter.it, 1
+gueckgueck.tk, 1
+guegan.de, 1
+guejarsierra.tk, 1
+guelo.ch, 1
+guelphhydropool.com, 1
+guendra.dedyn.io, 1
+guenstiger-it-support.ch, 1
+guenstigparken.de, 1
+guenther-freitag.tk, 1
+guenthereder.at, 1
+guerard.info, 1
+guercioarchitecture.com, 1
+guerillastocktrading.com, 1
+guernica1913.tk, 1
+guernseycounty.gov, 1
+guerra-civil.tk, 1
+guerra24.net, 1
+guerracivilencaceres.tk, 1
+guerrasgalacticas.tk, 1
+guerrilla-marketing.cf, 1
+guerrillaradio.tk, 1
+guerrillas.tk, 1
+guesclin.com, 1
+guessmatch.com, 1
+guestandmore.de, 1
+guestby.tk, 1
+guesthouse-namaste.com, 1
+guesthouse.tk, 1
+guestnetscript.tk, 1
+guestofhonor.tk, 1
+gueules-cassees.asso.fr, 1
+guevener.de, 1
+gufen.ga, 1
+gufen.gq, 1
+guffr.it, 1
+gufolev.tk, 1
+gugaalves.net, 1
+gugaltika-ipb.org, 0
+gugcstudentguild.com.au, 0
+guge.ch, 1
+gugert.net, 1
+gugli3d.com, 1
+gugs.tk, 1
+gugu-game.tk, 1
+gugucnn.tk, 1
+gugumu.com, 1
+guhei.net, 1
+guhenry3.tk, 1
+guiabroker.com, 1
+guiacg.com, 0
+guiaextra.com, 1
+guiahotelera.com.co, 1
+guiajunqueiropolis.com.br, 1
+guialegal.co, 1
+guiaminhasaude.net, 1
+guiaprofesional.co, 1
+guiarestobar.com.co, 1
+guiascliente.com, 1
+guiasdemexico.tk, 1
+guiasescapate.tk, 1
+guiasuteis.com.br, 1
+guiatelefone.com, 1
+guiaturismovallarta.com, 1
+guiaturisticanuevayork.com, 1
+guid2steamid.com, 1
+guid2steamid.pw, 1
+guidaditalia.com, 1
+guiddy.fr, 1
+guide-ecole.ch, 1
+guide-peche-cantal.com, 0
+guide-voyage.ga, 1
+guidebook.co.tz, 1
+guidecbd.fr, 1
+guidechecking.com, 1
+guidedchoice.com, 1
+guidedesventes.fr, 1
+guidedogs.org.uk, 1
+guidedselling.net, 1
+guidedsteps.com, 0
+guidegr.com, 1
+guidehouseinsights.com, 1
+guideline-pro.com, 1
+guideline.com, 1
+guideline.gov, 1
+guideline.io, 1
+guidelines.gov, 1
+guidemaroc.tk, 1
+guideo.ch, 0
+guidepointsecurity.com, 1
+guideposts.org, 0
+guides-peche64.com, 1
+guidesacademe.com, 1
+guidesiracusa.tk, 1
+guidesorbetiere.com, 1
+guidethailande.tk, 1
+guidetourism.tk, 1
+guidoclub.fr, 1
+guidopedia.ga, 1
+guikemarijwielhandel.nl, 1
+guild.xyz, 1
+guilded.gg, 1
+guildgearscore.cf, 1
+guildnet.tk, 1
+guilfordct.gov, 1
+guilfordvt.gov, 1
+guillaume-briand.fr, 1
+guillaumecote.me, 1
+guillaumematheron.fr, 1
+guillaumesworld.com, 1
+guille.tk, 1
+guillemagullo.tk, 1
+guillembosch.es, 1
+guillen.tk, 1
+guillouf.com, 1
+guillouxinformatique.fr, 1
+guiltyfox.ca, 1
+guiltyfox.com, 1
+guim.co.uk, 1
+guinaliu.tk, 1
+guineapig101.com, 1
+guineapigmustach.es, 1
+guinel-johnson.fr, 1
+guinguetteclovis.com, 1
+guirossler.com.br, 1
+guise.tk, 1
+guitar-strings-online.tk, 1
+guitarangel.tk, 1
+guitards.tk, 1
+guitare-rumba-congolaise-school.com, 1
+guitarefacile.tk, 1
+guitarfreak.tk, 1
+guitarraclasica.tk, 1
+guitarreria.tk, 1
+guitarristaluisquintero.com, 1
+guitarristas.info, 1
+guitartrader.international, 1
+gujarat.tk, 1
+gujinfo.com, 1
+gujun-sky.com, 1
+guki.me, 1
+gulabovski.ga, 1
+gulchuk.com, 1
+gulcinulutuna.com, 1
+guldhaug.org, 1
+guldkorn.dk, 1
+gule.loan, 1
+gulenbase.no, 1
+gulfcoastwaterauthoritytx.gov, 1
+gulfstream.ru, 0
+gulfvestors.com, 1
+gulizaroztemel.av.tr, 1
+gulkhannasir.tk, 1
+gulliversfun.co.uk, 1
+gulliwer.tk, 1
+gulllakeview.com, 1
+gulphora.tk, 1
+gulsot.tk, 1
+guma.cf, 1
+guma.ml, 1
+gumag.tk, 1
+gumbles.tk, 1
+gumbo-millennium.nl, 1
+gumbo.gq, 1
+gumbo.nu, 1
+gumeyamall.jp, 1
+gumi.ca, 1
+gummibande.noip.me, 0
+gummientchen.net, 1
+gumtree.ie, 1
+gumtreecs.com.au, 1
+gun-room.com, 1
+gunarchive.com, 1
+gunauc.net, 1
+gunbot.com, 1
+gunbrig.com, 0
+gundemguncel.tk, 1
+gunerds.com.br, 1
+gunfighterj.com, 1
+gunhunter.com, 1
+guninstructionsers.ga, 1
+guninstructionsest.ga, 1
+gunisifiyatlari.com, 1
+gunlaketribe-nsn.gov, 1
+gunlube.science, 1
+gunners.cf, 1
+gunnlawfirm.com, 1
+gunstatus.net, 1
+gunturnovizal.tk, 1
+gununsesi.info, 1
+gununsesi.org, 1
+gununsesiaz.info, 1
+gunvaluesboard.com, 1
+gunwatch.co.uk, 1
+gunworld.com.au, 1
+gunz.net, 1
+gunziefolleto.tk, 1
+gunzreplays.com, 1
+guochang.fun, 1
+guochanren.com, 1
+guoda.art, 1
+guogetv.com, 1
+guoke.com, 1
+guolaoban.xyz, 1
+guolaw.ca, 1
+guomai.com, 1
+guozeyu.com, 1
+gura.moe, 1
+gurbetilan.com, 1
+gurges.xyz, 1
+guri.ml, 1
+gurl.eu.org, 1
+gurleyal.gov, 1
+gurmel.ru, 1
+gurselcetin.com, 1
+gurty.tk, 1
+guru-naradi.cz, 1
+guruakuntansi.co.id, 1
+guruarchive.com, 1
+gurucomi.com, 1
+gurufox.ai, 1
+gurugamer.com, 1
+gurumobile.tk, 1
+gurunanakdarvar.tk, 1
+gurunanakhospitals.com, 1
+gurunpa.com, 1
+gururi.com, 1
+gurutraveltraining.com, 1
+guruworld.tk, 1
+gus.moe, 1
+gusar.by, 1
+gusli.net, 1
+guso.gq, 1
+gust.edu.kw, 0
+gust.org.pl, 1
+gustaff.de, 1
+gustarfsberg.cf, 1
+gustarfsberg.ga, 1
+gustarfsberg.gq, 1
+gustarfsberg.tk, 1
+gustavapp.com, 1
+gustaveeiffel-arruda.pt, 1
+gustavo-lima.ml, 1
+gustavoleiloeiro.lel.br, 1
+gustavomolina.com, 1
+gustavopalitos.com.br, 0
+gustavovelasco.ml, 1
+gustavscelmins.tk, 1
+gustaw.net.pl, 1
+gusted.xyz, 1
+gustiaux.com, 0
+gustimaulan.com, 1
+gusto.com, 1
+gustom.io, 0
+gusuraman.tk, 1
+gutegutscheine.at, 1
+gutegutscheine.ch, 1
+gutegutscheine.de, 1
+gutenburger-marburg.de, 1
+gutendag.ga, 1
+gutetexte.tk, 1
+guthabenkarten-billiger.de, 1
+gutieli.com, 1
+gutierrezvidal.tk, 1
+gutmeister.ch, 1
+gutools.co.uk, 1
+guts.moe, 1
+gutscasino.ml, 1
+gutschein-spezialist.de, 1
+gutscheineplus.de, 1
+gutscheingeiz.de, 1
+gutscheinpony.de, 1
+gutstein.ch, 1
+gutterbus.com, 1
+gutterdogs.com, 1
+gutterguardcharlotte.com, 1
+gutterguardsystems.com, 1
+guttergurugeelong.com.au, 1
+guttermaster.co.uk, 1
+gutterpupper.com, 1
+guttershutter.biz, 1
+guttertex.com, 1
+gutuia.blue, 1
+guug.ml, 1
+guus-thijssen.nl, 1
+guvernalternativa.ro, 1
+guwowo.com, 1
+guyeskens.be, 1
+guykokken.tk, 1
+guymenje.com, 1
+guypearce.co.uk, 1
+guyretreaters.ga, 1
+guyretreatest.ga, 1
+guys-reviews.ml, 1
+guysauto.com, 1
+guysroulette.com, 1
+guytarrant.co.uk, 1
+guzdek.co, 1
+guzelforum.tk, 1
+guzelkadinlar.tk, 1
+guzellikmerkezleri.tk, 1
+guzelresim.tk, 1
+guzelsozlerim.tk, 1
+guzelvideo.tk, 1
+guzemarkets.com, 1
+guzey.me, 1
+guzgu.me, 1
+guzlewski.pl, 1
+guzmansgreenhouse.com, 1
+gv-kirchberg.ch, 1
+gv-neumann.de, 1
+gv-salto.nl, 1
+gvaa.nl, 1
+gvatas.in, 1
+gvc-it.tk, 1
+gvchannel.xyz, 1
+gvdn.cz, 1
+gveh.de, 1
+gvenglish.com, 1
+gvh.hu, 1
+gvip.xyz, 0
+gvitebsk.cf, 1
+gvobgyn.ca, 1
+gvoetbaldagenalcides.nl, 1
+gvoh-ny.gov, 1
+gvt2.com, 1
+gvt3.com, 1
+gvvsicilia.tk, 1
+gvwgroup.cloud, 1
+gvwgroup.com, 1
+gvwparts.com, 1
+gw-uks-app-test-coreapi-02.azurewebsites.net, 1
+gw.fi, 1
+gw.lu, 1
+gw2.me, 1
+gw2efficiency.com, 1
+gw2treasures.com, 1
+gw66.cc, 0
+gwbet99.cc, 1
+gwennyeeckels.com, 1
+gwenolakaigre.tk, 1
+gwerder.net, 1
+gwg-march.ch, 1
+gwiazdowapark.pl, 1
+gwinnettcounty.gov, 1
+gwinteriors.com.au, 1
+gwmean.tk, 1
+gwnmarketing.com, 1
+gwo24.pl, 1
+gworld.cf, 1
+gwrr.com, 1
+gwrtech.com, 1
+gwy15.com, 1
+gwynfryncottages.com, 1
+gxdesign.tk, 1
+gxgx.org, 1
+gxm5.com, 1
+gxmyqy.net, 1
+gyaanprasaar.tk, 1
+gyanchowk.com, 1
+gyannews.ga, 1
+gyas.nl, 1
+gybagardlin.tk, 1
+gycis.me, 1
+gyefund.com, 1
+gyefund.org, 1
+gyertyalang.hu, 1
+gyjbyev.ga, 1
+gyllander.tk, 1
+gylly.net, 1
+gyllyngvase.com, 1
+gymagine.ch, 1
+gymbase.ml, 1
+gymbunny.de, 1
+gymguyzclearwater.com, 1
+gymguyzstpete.com, 1
+gymguyztampa.com, 1
+gymhero.me, 1
+gymjokesers.ga, 1
+gymjokesest.ga, 1
+gymkirchenfeld.ch, 1
+gymnaserenens.ch, 0
+gymnasium-farmsen.de, 1
+gymnasium-hittfeld.de, 1
+gymnasium56.tk, 1
+gymnastic.cf, 1
+gymnastic.ga, 1
+gymnastic.gq, 1
+gymnastic.ml, 1
+gymnastic.tk, 1
+gymnasticbodies.com, 1
+gymnastikfitness.se, 1
+gymnchod.cz, 1
+gymonlondon.com, 1
+gympap.de, 1
+gympass.com, 1
+gymvilla.nl, 1
+gynaecology.co, 1
+gynaeinfertility.com.sg, 1
+gynaemd.com.sg, 1
+gynaemdclementi.com.sg, 1
+gynaeovariancyst.com.sg, 1
+gynas.co.uk, 1
+gyongyosi.ga, 1
+gyoriedes.hu, 1
+gyoza.beer, 1
+gypsiebylouise.com, 1
+gypso-sendai.com, 1
+gypsybloom.co.uk, 1
+gypsymama.cz, 1
+gypsyreel.com, 1
+gyre.ch, 0
+gyrenens.ch, 0
+gyroscopicinvesting.com, 1
+gyrusclinic.com, 0
+gyu-raku.jp, 1
+gyx.one, 1
+gyy.me, 1
+gz-architekten.de, 1
+gz-benz.com, 1
+gz-bmw.com, 1
+gzitech.com, 1
+gzitech.net, 1
+gzitech.org, 1
+gzlivre.org, 1
+gzom.ru, 1
+gzonemu.ga, 1
+gztelli.ch, 1
+h-advisors.global, 1
+h-e-a-t.com, 1
+h-gac.gov, 1
+h-gen.to, 1
+h-jo.net, 1
+h-maxton.de, 1
+h-node.org, 1
+h-server.myfirewall.org, 1
+h-var.com, 1
+h.fo, 1
+h001.ru, 0
+h07.cn, 1
+h09.eu, 1
+h0r.st, 1
+h0stb3rry.org, 1
+h0u5er.com, 1
+h10l.com, 1
+h10s.net, 1
+h11.io, 1
+h11.moe, 1
+h1b.tech, 1
+h1ctf.com, 1
+h1z1swap.com, 1
+h2.com.sg, 1
+h2020faros.eu, 1
+h24.org, 1
+h2b.cz, 1
+h2cclipboard.com, 1
+h2cdn.cloud, 1
+h2gonc.gov, 1
+h2hc.email, 1
+h2ole.com, 1
+h2omusic.tk, 1
+h2ox.io, 1
+h2rul.eu, 1
+h2u.tv, 1
+h36533.com, 1
+h3artbl33d.nl, 1
+h3x.jp, 0
+h3z.jp, 1
+h51365.com, 1
+h5197.co, 1
+h5q.net, 1
+h6729.co, 1
+h6729.com, 1
+h6957.co, 1
+h6p.de, 1
+h82365.com, 1
+h8p.de, 1
+h9297.co, 1
+h9728.co, 1
+h9j.com.br, 1
+ha-kunamatata.de, 1
+ha.com, 1
+ha2hva1n.com, 1
+ha3.eu, 1
+ha34.com, 1
+ha6.ru, 1
+haagsebubbel.tk, 1
+haakonbecker.de, 1
+haakonhaug.com, 1
+haaldesignpro.com, 1
+haancommunity.cf, 1
+haaog.com, 1
+haar-trifft-medizin.de, 1
+haar.gq, 1
+haarbosch.net, 1
+haarigerrattenarsch.com, 1
+haarlemsesaxofoonschool.nl, 1
+haartrifftmedizin.de, 1
+haas.co.uk, 1
+haasonline.tk, 1
+haavard.me, 1
+hab.dynu.net, 1
+habahaba.tk, 1
+habarimail.com, 1
+habarisoft.com, 1
+habarovsk.ml, 1
+habbixed.tk, 1
+habbocore.tk, 1
+habboinside.tk, 1
+habbolibres.tk, 1
+habbstars.org, 1
+habbzohotel.tk, 1
+habedieeh.re, 1
+habeeba.tk, 1
+habenafilm.cz, 1
+habercininyeri.com, 1
+haberer.me, 1
+haberizma.com, 1
+haberlandconsulting.com, 1
+haberlanddesign.com, 1
+haberlanddigital.com, 1
+haberlandgroup.com, 1
+haberlandpartners.com, 1
+haberlandpodcasts.com, 1
+haberledik.com, 1
+habermatik.net, 1
+habermatik.tk, 1
+habernet.tk, 1
+habersitesikur.tk, 1
+haberton.com, 1
+habesha.bet, 1
+habibi-fit.com, 1
+habibifit.com, 1
+habilcondominios.com.br, 1
+habitable.ga, 1
+habitat-domotique.fr, 1
+habitatberks.org, 1
+habitiss.be, 1
+hable.kr, 1
+hablemosdenutricion.com, 1
+habnubis.es, 1
+habr.ee, 1
+habra-adm.ru, 1
+habrastorage.org, 1
+habsmack.tk, 1
+habtium.es, 1
+hac2er.net, 1
+hacc.top, 1
+haccp.bergamo.it, 1
+haccp.milano.it, 1
+haccp.roma.it, 1
+hacertest.com, 1
+hachette-collections.com, 1
+hachettepartworks.com, 1
+hachimijiogan.info, 1
+hachre.de, 0
+hacifadilogullari.com.tr, 1
+hacihusrevyikim.tk, 1
+hack-bang.com, 1
+hack-forum.ml, 1
+hack-net.gq, 1
+hack.fi, 1
+hackablestuff.cf, 1
+hackadena.com, 1
+hackamac.tk, 1
+hackathonjr.tw, 1
+hackathontwjr.ml, 0
+hackatruck.com.br, 1
+hackattack.com, 1
+hackbarth.guru, 1
+hackbeil.name, 1
+hackbubble.me, 1
+hackcess.net, 1
+hackclubmauritius.nl, 1
+hackcraft.net, 1
+hackdown.eu.org, 1
+hackdown.tech, 1
+hackdra.com, 1
+hackdra.io, 1
+hackeado.tk, 1
+hacked.com, 1
+hackedaf.com, 1
+hackedthe.net, 1
+hackendoz.com, 1
+hackengine.ga, 1
+hackenkunjeleren.nl, 1
+hackenturet.dk, 1
+hacker.deals, 1
+hacker.holiday, 1
+hacker.im, 1
+hacker.one, 1
+hacker1.com, 1
+hacker101.com, 1
+hacker8.cn, 0
+hackercommunity.org, 1
+hackerfa.tk, 1
+hackerflare.com, 1
+hackerforums.tk, 1
+hackergateway.com, 1
+hackerhotel.nl, 1
+hackerinfo.ml, 1
+hackerman.nu, 1
+hackernews.ddns.net, 1
+hackernewsuk.cf, 1
+hackernoon.com, 0
+hackerone-ext-content.com, 1
+hackerone-user-content.com, 1
+hackerone.at, 1
+hackerone.blog, 1
+hackerone.com, 1
+hackerone.events, 1
+hackerone.live, 1
+hackerone.net, 1
+hackerone.org, 1
+hackeronte.tk, 1
+hackers-networks.tk, 1
+hackersclothing.com, 1
+hackerspace.rocks, 1
+hackerstory.tk, 1
+hackersw0rld.tk, 1
+hackerzbug.tk, 1
+hackettrecipes.com, 1
+hackforgood.com, 1
+hackgunny.tk, 1
+hackhouse.sh, 1
+hackingand.coffee, 0
+hackingdh.com, 1
+hackingdumpdrive.org, 1
+hackingfever.tk, 1
+hackingondemand.com, 1
+hackingwithswift.com, 1
+hackintosh.eu, 1
+hackintosh.social, 1
+hackmd.io, 1
+hackmeifyoucan.site, 1
+hacknet-bar.cn, 1
+hackney.tk, 1
+hackops.tk, 1
+hackreone.com, 1
+hackrepreneur.com, 1
+hackrigs.com, 1
+hacksecu.re, 1
+hacksoc.co.uk, 1
+hackthat.tk, 1
+hackthehacker.ml, 1
+hackthissite.org, 1
+hacktivis.me, 1
+hacktivitycon.com, 1
+hacktober.dk, 1
+hackworx.com, 0
+hackyourfaceoff.com, 1
+hackzogtum-coburg.de, 1
+hacp.gov, 1
+hadaly.fr, 1
+hadassah.moscow, 1
+haddos.tk, 1
+haderecker.me, 1
+hadesblack.com, 1
+hadetlachapelle.com, 1
+hadibut.fr, 1
+hadika.tk, 1
+hadin.tk, 1
+hadleyluker.com, 1
+hadoora.hu, 1
+hadopi.fr, 1
+hadotifpc.in, 1
+hadouk.in, 1
+hadouken.tk, 1
+hadoverde.com, 1
+hadrons.org, 1
+hadudonura.tk, 1
+hady.boutique, 1
+hady.fr, 1
+haefligermedia.ch, 1
+haegele.consulting, 1
+haehnel.xyz, 1
+haehnlein.at, 1
+haemka.de, 1
+haemmerle.net, 1
+haemonetics.com, 1
+haens.li, 1
+haerwu.biz, 1
+hafcareclinic.com, 1
+haferman.net, 1
+haferman.org, 1
+haffen.com, 1
+hafizkadir.tk, 1
+hafling.net, 1
+haflingers.tk, 1
+hafniatimes.com, 1
+hag27.com, 1
+hagalaz-design.de, 1
+hagbergmedia.se, 1
+hagen-bauer.de, 0
+hagenkleinert.de, 1
+haggisofnorway.tk, 1
+hagiati.gr, 1
+hagix.tk, 1
+hagleitner.com, 1
+hagoyvivo.com, 1
+hagskold.se, 1
+hagtingius.nl, 1
+haguichi.net, 1
+haha-raku.com, 1
+haha.moe, 1
+haha.nl, 0
+hahahahaha.cf, 1
+hahapo.com, 1
+hahn-trafo.com, 1
+haiawan.de, 1
+haiboxu.com, 1
+haichuang.com, 1
+haiduc.tk, 1
+haifaworld.tk, 1
+haifengz.com, 0
+haigle.com, 1
+haileyuantoy.com, 0
+hails.info, 1
+hailstorm.nl, 1
+hailstormproject.tk, 1
+haimablog.ooo, 1
+hainanstar.cc, 1
+haineshilton.com, 1
+hair-care-guide.com, 1
+hair-carekit.tk, 1
+hair-dressing.tk, 1
+hair-extension.tk, 1
+hair-extensions.tk, 1
+hairbrushes.tk, 1
+haircareblog.tk, 1
+haircarebrazil.com, 1
+haircareology.com, 1
+haircode.gr, 1
+hairconventioners.ga, 1
+hairconventionest.ga, 1
+haircrazy.com, 1
+haircutideas.gq, 1
+hairdrezzersonfire.com, 1
+hairextensionjakarta.com, 1
+hairextensionsaustralia.tk, 1
+hairextensionshop.tk, 1
+hairextensionstore.tk, 1
+hairextensionsuk.tk, 1
+hairfitwolvega.nl, 1
+hairgrowth.cf, 1
+hairgrowth.gq, 1
+hairgrowth.ml, 1
+hairhardstyle.tk, 1
+hairhumanextensions.tk, 1
+hairlossadvice.tk, 1
+hairlossandscalpclinic.co.uk, 1
+hairmitage.pl, 0
+hairphoto.tk, 1
+hairpins.tk, 1
+hairsalon-wish.com, 1
+hairstyles-salon.tk, 1
+hairyfilm.com, 1
+hairymilfpics.com, 1
+hairypussyvideos.net, 1
+hairyteenpics.com, 1
+hairytouch.com, 1
+hairytube.tv, 1
+hairywomen.tv, 1
+hairywomenpics.com, 1
+haislipcorp.com, 1
+haitaka.cc, 1
+haitang.com, 1
+haitangsoshu.com, 1
+haitangsoushu.com, 1
+haititan.com, 1
+haititransfert.com, 1
+haitou.tk, 1
+haitrieu.com, 1
+haixihui.cn, 1
+haixingyun.com, 1
+haizs.com, 1
+haizs.net, 1
+haizum.pro, 1
+hajekdavid.cz, 1
+hajekj.cz, 1
+hajnzic.at, 1
+hak-lab.com, 1
+hak-zona.tk, 1
+hak.edu.ee, 1
+haka.se, 1
+hakama-sendai.com, 1
+hakanpeker.tk, 1
+hakaru.org, 1
+hakase.pw, 1
+hakasia.tk, 1
+hakatemia.fi, 0
+hake.me, 1
+haker24.tk, 1
+hakerzona.tk, 1
+hakiminvestment.com, 1
+hakimova.tk, 1
+hakkarihaberi.tk, 1
+hakkarihaberleri.tk, 1
+hakkariradyo.tk, 1
+hakkasan.com, 1
+hakkasannightclub.com, 1
+hakon.lol, 1
+haku.vn, 1
+hakugin.me, 1
+hakurei.ga, 1
+hakurei.win, 1
+hal-9th.space, 1
+halacs.hu, 1
+halagroup.ml, 1
+halalbooking.com, 1
+halatik.com.ua, 1
+halbbit.eu, 1
+halberstadt.tk, 1
+halbich.design, 1
+halcraft.tk, 1
+halcyon-scion.com, 1
+halcyonsbastion.com, 1
+haleluyah-asuubabi.ga, 1
+halepetdoorsofaz.com, 1
+halescornerswi.gov, 1
+haleyandlucas.tk, 1
+half-logic.eu.org, 1
+half.ga, 1
+half.host, 1
+half.in.th, 1
+halfbeasters.ga, 1
+halfbeastest.ga, 1
+halfhosting.de, 1
+halfmba.com, 1
+halfords.com, 1
+halfords.ie, 0
+halfreal.tk, 1
+halgap.ga, 1
+haliava.tk, 1
+halic.tk, 1
+halifaxboropdpa.gov, 1
+halifaxma.gov, 1
+halifaxmoneyman.com, 1
+halifaxsailingclub.org.uk, 1
+halilova.ga, 1
+halilova.ml, 1
+halilova.tk, 1
+halilweb.tk, 1
+halilyagcioglu.tk, 1
+halimjr.com, 0
+halkakoop.com, 1
+halkbank.mk, 1
+halkegitimkurs.com, 1
+halkoyu.org, 1
+halkyon.net, 1
+hall1c.com, 1
+hallanalysis.com, 1
+hallcopainting.com, 1
+hallelujahsoftware.com, 1
+hallettxn.com, 1
+halli.tk, 1
+halliday.work, 1
+halligan.tk, 1
+hallighof.de, 1
+halligladen.de, 1
+hallmanmemorials.net, 1
+hallmarkbusiness.com, 1
+hallmarkestates.ca, 1
+halloffameapartments.com, 1
+hallofoddities.tk, 1
+hallofworlds.online, 1
+hallopstyling.com, 1
+halloway.tk, 1
+halloweencostumesideas101.com, 1
+halloweenmusic.org, 1
+hallspumpandwellservice.net, 1
+halltrends.tk, 1
+hallucineer.com, 1
+hallucinogen.com, 1
+hallucinogens.org, 1
+hallways.tk, 1
+halneff.ga, 1
+halo.fr, 1
+halocredit.pl, 0
+halogen.vip, 1
+halogenos.org, 1
+halongbaybackpackertour.com, 1
+haloobaloo.com, 1
+halopedia.org, 1
+haloperidol.cf, 1
+haloscenter.com, 1
+halovanic.org, 1
+halpin.tk, 1
+halseyor.gov, 1
+halt.org, 1
+halterner-tc.de, 1
+halukaka.net, 1
+halv.me, 1
+halvalla.tk, 1
+halyul.com, 1
+ham.community, 1
+hamacho-kyudo.com, 1
+hamali.bg, 1
+hamarimarriage.tk, 1
+hamartrophy.cf, 1
+hamasu.com, 1
+hamave.nl, 1
+hamburg40grad.de, 1
+hamburgcode.com, 1
+hamburgerbesteld.nl, 1
+hamburgerland.tk, 1
+hamburgobgyn.com, 1
+hamdenct.gov, 1
+hamdiscussions.com, 1
+hamedfans.tk, 1
+hamelneinfachonline.de, 0
+hamelnpsychotherapie.de, 1
+hamerslag.tk, 1
+hamgamweb.com, 1
+hamha.tk, 1
+hamibot.cn, 1
+hamibot.com, 1
+hamiltonatlnj.gov, 1
+hamiltoncountyil.gov, 1
+hamiltoncountyne.gov, 1
+hamiltone-clearance.co.uk, 1
+hamiltone.co.uk, 1
+hamiltonil.gov, 1
+hamiltonpdnj.gov, 1
+hamiltonsalestraining.com, 1
+hamiltonvotesfl.gov, 1
+hamiltonweather.ca, 1
+hamiltonzinelibrary.cf, 1
+hamiltonzinelibrary.ga, 1
+hamiltonzinelibrary.gq, 1
+hamiltonzinelibrary.ml, 1
+hamking.tk, 1
+hamkorbank.uz, 1
+hamletstudio.tk, 1
+hammacklawfirm.com, 1
+hammann-services.de, 1
+hammed.tk, 1
+hammer-schnaps.com, 1
+hammer-sms.com, 1
+hammercast.fm, 1
+hammered.tk, 1
+hammerhead.tk, 1
+hammernews.tk, 1
+hammerofdamnation.tk, 1
+hammerofthor-india.com, 1
+hammerstorm.ga, 1
+hamminga.nl, 1
+hammondwi.gov, 1
+hamoominim.tk, 1
+hamoup.com, 1
+hampelmd.com, 1
+hampl.tv, 1
+hampshiretechservices.co.uk, 1
+hamptonandrhodes.com, 1
+hamptonrhodes.com, 1
+hamptonroads.gov, 1
+hampus.lol, 1
+hampuskraft.com, 1
+hamsaranjavan.tk, 1
+hamsokhan.tk, 1
+hamsterchines.tk, 1
+hamsteriousgift.com, 1
+hamsternetwork.com, 1
+hamstersenanos.tk, 1
+hamsterworld.tk, 1
+hamsystems.eu, 1
+hamtwpfcoh.gov, 1
+hamwan.nl, 0
+hamzahamry.ga, 1
+han-nas.com, 1
+hana-groupsac.com, 1
+hana.ondemand.com, 1
+hanabi.fan, 0
+hanacademy.us, 1
+hanakaru.tk, 1
+hanako-health.com, 1
+hanako-health.de, 1
+hanakohealth.com, 1
+hanakohealth.de, 1
+hanakovydny.cz, 1
+hanan.cz, 1
+hanatan.net, 1
+hanazono.tokyo, 1
+hanbing.it, 1
+hancevillewateral.gov, 1
+hancockcountyia.gov, 1
+hancockcountyky.gov, 1
+hancockcountymaine.gov, 1
+hancockcountyohioelections.gov, 1
+hancockcountywv.gov, 1
+hancockin.gov, 1
+hancocklawfl.com, 1
+hand-made24.de, 1
+hand.community, 1
+hand2h.com, 1
+handballinside.de, 1
+handballmania.tk, 1
+handbrake.fr, 1
+handcity.com, 1
+handelsbanken.co.uk, 1
+handelsbanken.com, 1
+handelsbanken.dk, 1
+handelsbanken.fi, 1
+handelsbanken.no, 1
+handelsbanken.se, 1
+handheldsound.com, 1
+handhockeyers.ga, 1
+handhockeyest.ga, 1
+handicap-job.com, 1
+handicappingsportsers.ga, 1
+handicappingsportsest.ga, 1
+handicapzero.org, 1
+handicraftsman.tk, 1
+handicraftsmarble.com, 1
+handigehannie.nl, 1
+handleidingkwijt.com, 1
+handlekrypto.com, 1
+handles.tech, 1
+handlingcosters.ga, 1
+handlingcostest.ga, 1
+handlungsleitfaden.de, 1
+handmade-club.tk, 1
+handmade-workshop.de, 1
+handmadehechoamano.com, 1
+handmadeselling.com, 1
+handmadetutorials.ro, 1
+handphones.tk, 1
+handpiece.com, 1
+handpresso.com, 1
+hands.net, 1
+handsaccounting.com, 1
+handsender-express.com, 1
+handsome-samurai.jp, 1
+handsomeabel.tk, 1
+handsonscience.com.au, 1
+handstandstudio.ga, 1
+handsup.dance, 1
+handwerk-digital-steinfurt.de, 1
+handwerker4u.de, 1
+handwerkwebseiten.de, 0
+handy-fun.tk, 1
+handy-page.tk, 1
+handy.lc, 1
+handymanbibleers.ga, 1
+handymanbibleest.ga, 1
+handymanbypolli.com, 1
+handymanlondonplease.co.uk, 1
+handynummer-info.ch, 1
+handyoutdoorgoods.com, 1
+handyschaft.de, 1
+handysex.live, 1
+handyticket.de, 1
+hanfoot.tk, 1
+hanfox.co.uk, 0
+hanfverband-erfurt.de, 1
+hang333.moe, 1
+hangar4.es, 1
+hangarbox.de, 1
+hangardasaves.com.br, 1
+hangargeek.ml, 1
+hangcapnach.com, 1
+hangkei.com, 1
+hangout, 1
+hangouts.google.com, 1
+hangryum.com, 1
+hangtenseo.com, 1
+hangw.xyz, 1
+hanhardt.org, 1
+hanhtrinhxanh.org, 1
+haniasitek.com, 1
+haniha.com, 1
+hanisirfan.cf, 1
+hanjl.com, 0
+hanjuapp.com, 1
+hanke.se, 1
+hankoreas.com, 1
+hankr.com, 1
+hanksservice.com, 1
+hanky2.com, 1
+hanlonconcrete.com, 1
+hanmandalu.com, 1
+hanmandao.com, 1
+hanmandaohang.com, 1
+hanmangu.com, 1
+hanmanlou.com, 1
+hanmanshijie.com, 1
+hanmanxia.com, 1
+hanming.li, 1
+hanmofu.life, 0
+hannaandersson.com, 1
+hannagroup.ca, 1
+hannah.link, 1
+hannahbarrettyoga.com, 1
+hannaljungberg.tk, 1
+hannehovi.fi, 1
+hannekroencke.com, 1
+hannes.paris, 1
+hannit.de, 1
+hannoluteijn.nl, 1
+hannover-96.tk, 1
+hannover-reisen.tk, 1
+hannywbarek.com, 1
+hanoibuffet.com, 1
+hanoicapital-tanvn.tk, 1
+hanomag-tractors.tk, 1
+hanpenblog.com, 1
+hanrobado.com, 1
+hansa-flex.com.ua, 1
+hansa.org.ru, 1
+hansahome.ddns.net, 1
+hansanders.nl, 1
+hansashop.eu, 0
+hansashop.fi, 0
+hansbruis.tk, 1
+hanschventures.com, 1
+hansee.com, 1
+hansen-kronshagen.de, 1
+hansen.hn, 1
+hansgoes.it, 1
+hansgoes.nl, 1
+hansgoesit.nl, 1
+hanshosting.nl, 1
+hanshow.com, 1
+hansinternational.com.au, 1
+hansklok.tk, 1
+hansminten.com, 1
+hansmund.com, 1
+hansmunt.nl, 1
+hansolrella.com, 1
+hansonian.com, 1
+hanspaulske-cteni.tk, 1
+hanspetersteiger.ch, 1
+hansvaneijsden.com, 1
+hansvaneijsden.nl, 1
+hant.se, 1
+hantera.fi, 1
+hantse.com, 0
+hanwhalife.com, 1
+hanxv.pw, 1
+hanys.xyz, 1
+hanzcollection.online, 1
+hanzubon.jp, 1
+hao-zhang.com, 1
+haofeng.com, 1
+haoke.com, 1
+haoming.com, 1
+haorenka.co, 1
+haoz.tk, 1
+haozhexie.com, 1
+haozi.me, 1
+hapfox.de, 1
+hapiao.com, 1
+hapijs.cn, 1
+hapissl.com, 1
+hapivm.com, 1
+hapless.tk, 1
+happeopleindonesia.id, 1
+happiestoutdoors.ca, 1
+happii.dk, 1
+happiness.solutions, 1
+happist.com, 1
+happity.co.uk, 1
+happu-dinero.tk, 1
+happy-end-shukatsu.com, 1
+happy-face.tk, 1
+happy-family.tk, 1
+happy-finance.tk, 1
+happy-space.tk, 1
+happy-wans.com, 1
+happy-watches.com, 1
+happy2hub.eu, 1
+happyagain.de, 1
+happyagain.se, 1
+happyandrelaxeddogs.com, 1
+happyanimalsshop.com, 1
+happybabyhappymama.nl, 1
+happybeerdaytome.com, 1
+happybirthdaywisher.com, 1
+happybounce.co.uk, 1
+happychat.io, 1
+happychungus.tk, 1
+happychurch.com, 1
+happycoder.net, 0
+happycoders.eu, 1
+happycolors.us, 1
+happycompany.fi, 1
+happycore.ml, 1
+happycrashers.ga, 1
+happycrashest.ga, 1
+happycustomer360.pt, 1
+happydad.tk, 1
+happydays.cat, 1
+happydoghosting.net, 1
+happydoq.ch, 0
+happydota.ga, 1
+happydreamsz.com, 1
+happyexwife.ga, 1
+happyfoolss.com, 1
+happyfun.tk, 1
+happyfuture.tk, 1
+happygadget.me, 1
+happygardencenter.com.br, 1
+happygreats.ml, 1
+happygreats.tk, 1
+happyhabitzone.com, 1
+happyhumans.com, 1
+happyindia.ml, 1
+happyjapan.co.jp, 1
+happykidsforkids.com, 1
+happylearning.com, 1
+happylifestyle.com, 1
+happymine.nl, 1
+happymonday.ua, 1
+happymondayclub.com, 1
+happymoney.com, 1
+happymothersday.tk, 1
+happynight.tk, 1
+happypets.pe, 1
+happyplantparent.com, 1
+happyretail.ai, 1
+happyrunning.tk, 1
+happyschnapper.com, 1
+happyscore.nl, 1
+happyscubadiving.tk, 1
+happyteamlabs.com, 1
+happytestings.com, 1
+happytime.gq, 1
+happytopup.com, 1
+happytours.cf, 1
+happytoys.com.br, 1
+happytugs.com, 1
+happyukgo.com, 1
+happywater.my, 1
+happyweekend.ga, 1
+happywheels1.online, 1
+hapronailz.tk, 1
+haproxy.tech, 1
+hapsana.nl, 1
+hapsfordmill.co.uk, 1
+haptemic.com, 1
+hapticmedia.com, 1
+hapticmedia.io, 1
+hapvm.com, 1
+haqrpatrol.com, 1
+har5.com, 1
+harabar.ga, 1
+harabar.gq, 1
+harabar.ml, 1
+harabe.ga, 1
+harahanla.gov, 1
+harajiplastic.ir, 1
+harald-d.dyndns.org, 1
+harald-nyborg.dk, 1
+harald-pfeiffer.de, 1
+harambo.cf, 1
+harapanrakyat.com, 1
+harapecorita.com, 1
+harapjunk.hu, 1
+harasov.tk, 1
+harbecke.cloud, 1
+harbecke.me, 1
+harbecke.net, 1
+harbecke.org, 1
+harbecke.xyz, 1
+harbor.com, 1
+harborhillsdaycamp.com, 1
+harboursport.co.nz, 1
+hard-drive-recovery-blog.tk, 1
+hard.email, 1
+hardatack.tk, 1
+hardcore-hooligans.tk, 1
+hardcore-toys.com, 1
+hardcoreincest.net, 1
+hardcorejokeers.ga, 1
+hardcorejokeest.ga, 1
+hardcorekings.com, 1
+hardcorepost.com, 1
+hardeecountyfl.gov, 1
+hardeeflvotes.gov, 1
+hardeman.nu, 1
+hardenburghny.gov, 1
+hardenize.com, 1
+hardergayporn.com, 1
+hardesec.com, 1
+hardfalcon.net, 1
+hardfloorcleaninglondon.co.uk, 1
+hardforum.com, 1
+hardfought.org, 1
+hardgame.tk, 1
+hardgospelcafe.tk, 1
+hardh.at, 0
+hardhat.io, 1
+hardhatengineer.com, 1
+hardies.nl, 1
+hardinal.com, 1
+hardincountyil.gov, 1
+hardincountyky.gov, 1
+hardincountyohio.gov, 1
+hardjump.tk, 1
+hardmetal.tk, 1
+hardmine.ru, 1
+hardnet.cz, 1
+hardnode.org, 1
+hardnoiser.tk, 1
+hardpay.com, 1
+hardrain980.com, 1
+hardrock.tk, 1
+hardrocksportsbook.com, 1
+hardscience.games, 1
+hardscience.io, 1
+hardstation.tk, 1
+hardstyleclothes.tk, 1
+hardtailrecon.com, 1
+hardtec.tk, 1
+hardtfrieden.de, 1
+hardtime.tk, 1
+hardtimeszine.tk, 1
+hardwake.tk, 1
+hardwareforum.ga, 1
+hardwarelog.in, 1
+hardwarelogin.com, 1
+hardwarelogin.rocks, 1
+hardwareschotte.de, 1
+hardwick-ma.gov, 1
+hardwickvt.gov, 1
+hardworm.tk, 1
+hardy.bz, 1
+hardyhaberland.com, 1
+hardzone.es, 1
+harem.tk, 1
+harery.com, 1
+harfordpark.org, 1
+harfordvotes.gov, 1
+hargaindo.com, 1
+hargamobilmu.com, 0
+harghita.com, 1
+hargita.com, 1
+hari-katha.tk, 1
+hari-tech.com, 1
+harianjogja.com, 1
+haribilalic.com, 1
+harigovind.org, 1
+hariharnagar.tk, 1
+hariji.tk, 1
+haringtwpmi.gov, 1
+harishgoyal.tk, 1
+harithsankalpa.com, 1
+haritsa.co.id, 1
+hariz.ga, 1
+harlan.cc, 1
+harlem-mt.gov, 1
+harlemeverafter.com, 1
+harleyclassifieds.com, 1
+harleysvillegroup.com, 1
+harlim.tk, 1
+harlingentx.gov, 1
+harlor.de, 1
+harmfarm.nl, 1
+harmim.cz, 1
+harmlesspeopleers.ga, 1
+harmlesspeopleest.ga, 1
+harmoney.com, 1
+harmoniaatlanta.org, 1
+harmonicasireland.com, 1
+harmonizely.com, 0
+harmony-labradoodles.nl, 1
+harmony.co.id, 1
+harmonyeg.net, 1
+harmonyhomeaidservices.co.uk, 1
+harmonylife.ro, 1
+harmonyroomspa.com, 1
+harmreductionwa.org, 1
+harms.io, 1
+harmsboone.org, 1
+harnettcountync.gov, 1
+harneycountyor.gov, 1
+harno.ee, 0
+harnoisfamily.net, 1
+harnov.dk, 0
+harodeportivo.tk, 1
+haroldkip.nl, 1
+haroldkramer.tk, 1
+haroldsharpe.com, 1
+harp.gov, 1
+harpen.de, 1
+harpersvilleal.gov, 1
+harplingemark.se, 1
+harpoonlarsen.tk, 1
+harpreetrakhra.ca, 1
+harputlugil.com, 1
+harrachovskyapartman.cz, 1
+harray.tk, 1
+harrcostl.com, 1
+harriedrecords.tk, 1
+harrietjohnston.tk, 1
+harrimantn.gov, 1
+harringtonca.com, 1
+harrisandharris.com.au, 1
+harrisconsulting.ie, 1
+harrisexteriors.com, 1
+harrisonar.gov, 1
+harrisonassessments.asia, 1
+harrisonassessments.co.id, 1
+harrisonassessments.co.in, 1
+harrisonassessments.co.uk, 1
+harrisonassessments.com.au, 1
+harrisonassessments.com.hk, 1
+harrisonassessments.com.tw, 1
+harrisonassessments.de, 1
+harrisonassessments.eu, 1
+harrisoncareerguide.com, 1
+harrisoncountymo.gov, 1
+harrisoncountyms.gov, 1
+harrisoncountymschanceryclerk.gov, 1
+harrisonsdirect.co.uk, 1
+harrisontownshipmi.gov, 1
+harrisrealestate.com, 1
+harrogatemoneyman.com, 1
+harry-baker.com, 1
+harry-hk.tk, 1
+harryagustiana.tk, 1
+harryanddavid.com, 1
+harryandharrison.com, 1
+harrychristensen.tk, 1
+harrymcgee.tk, 1
+harrymclaren.co.uk, 1
+harryosborn.tk, 1
+harrypotterclan.tk, 1
+harrypottereditor.com, 1
+harrypottereditor.net, 1
+harrypottervenezuela.tk, 1
+harrysmallbones.co.uk, 1
+harryvapoteur.com, 1
+harryvrancken.nl, 1
+harryxxjohnson.ga, 1
+harryyy.me, 0
+harshani.ga, 1
+harshee.ml, 1
+hartan.to, 1
+hartdesign.co.nz, 1
+hartfordct.gov, 1
+hartfordschools.org, 0
+hartfordtwpwipd.gov, 1
+hartie95.de, 1
+hartleighclyde.com.au, 1
+hartlep.email, 1
+hartleycountytx.gov, 1
+hartlieb.me, 1
+hartmancpa.com, 1
+hartmann-hartmann.eu, 1
+hartmannindustries.com, 1
+hartpsychologen.nl, 1
+hartsfieldrock.tk, 1
+hartslagnu.nl, 1
+hartstart.info, 1
+hartvannike.tk, 1
+hartwellga.gov, 1
+hartwickny.gov, 1
+hartzer.com, 1
+haru-restaurant.tk, 1
+haruhi.org.ua, 1
+harukakikuchi.com, 1
+harukawa.moe, 1
+harumi-cl.jp, 1
+harunafilez.tk, 1
+harvard-ma.gov, 1
+harvardil.gov, 1
+harvardpartners.com, 1
+harvestapp.com, 1
+harvester.fr, 1
+harvestfellowshipchurch.net, 1
+harvestgospelministries.org, 1
+harvestmoon.ga, 1
+harvestmoon.ml, 1
+harveyauzorst.com, 1
+harveyplum.com, 1
+harveysautoservice.net, 1
+harveysproducts.co.nz, 1
+harwoeck.group, 1
+haryana.gov.in, 1
+harz.cloud, 0
+harzin.tk, 1
+harzlaender.de, 1
+has-no-email-set.de, 1
+has.gy, 1
+has.report, 1
+has.work, 1
+hasabig.wang, 1
+hasalittle.wang, 1
+hasandeniz.uk, 1
+hasandurmus.com, 1
+hasanmtech.com, 1
+hasansaribas.com, 1
+hasanyildiz.com, 1
+hasas-automatizari.ro, 1
+hasas-cnc.ro, 1
+hasbara.tk, 1
+haschrebellen.de, 1
+hasdf.de, 1
+hasecuritysolutions.com, 1
+hasel.news, 1
+haselsteiner.me, 1
+hasenmueller.de, 1
+hasgeek.com, 1
+hash.works, 1
+hashcat.net, 1
+hashedin.com, 1
+hashemian.com, 1
+hashes.com, 1
+hashes.org, 1
+hashi.dk, 0
+hashi.icu, 1
+hashi.sbs, 1
+hashiconf.com, 0
+hashicorp.com, 0
+hashimah.ca, 1
+hashimoto-jimusho.com, 1
+hashinteractive.com, 0
+hashish.net, 1
+hashiura.jp, 1
+hashmart.io, 1
+hashnode.com, 0
+hashplex.com, 1
+hashru.nl, 1
+hashsters.com, 1
+hashsters.io, 1
+hashulchan.co.il, 1
+hashworks.net, 1
+hashxp.org, 1
+hasilkeluaransgp.com, 1
+hasilocke.de, 1
+hasjob.co, 1
+haskellcountytx.gov, 1
+haskovec.com, 1
+hasmoralsers.ga, 1
+hasmoralsest.ga, 1
+hass-server.pp.ua, 1
+hassan-kuordish.tk, 1
+hassanhardware.com, 1
+hassans.tk, 1
+hassclan.tk, 1
+hasselbach-dellwig.de, 1
+hassellunden.ga, 1
+hassiba-abderaouf.tk, 1
+hassra.org.uk, 1
+hasstopped.com, 1
+hastadoktor.com, 1
+hastaneurunleri.com.tr, 1
+hastati.tk, 1
+hastingsapplianceservice.com.au, 1
+hastingsdirect.com, 1
+hastingsmi.gov, 1
+hastingsne.gov, 1
+hastmassage.tk, 1
+hastyllc.com, 1
+hasx.me, 1
+hasznosithato.tk, 1
+haszon.hu, 1
+hatake.tk, 1
+hatakekaigi.com, 1
+hataonline.tk, 1
+hatarisecurity.co.ke, 1
+hatcher.cloud, 1
+hatchutah.gov, 1
+hate.ga, 1
+hate.tk, 1
+hatemarga.tk, 1
+hatematerial.tk, 1
+hatethe.uk, 1
+hathai.org, 1
+hathawaydinwiddie.com, 1
+hatierchinois.fr, 1
+hatinyhouse.com, 1
+hatori.tk, 1
+hatpakha.com, 1
+hatraters.ga, 1
+hatratest.ga, 1
+hats-land.com, 1
+hatsnet.io, 1
+hatsthings.com, 1
+hatsuharu.tk, 1
+hatsukoi-seikotsu.com, 1
+hatter.in, 1
+hatter.ink, 1
+hatter.me, 1
+hatterjiang.com, 1
+hatterjiang.org, 1
+hattori-hanzo.tk, 1
+hattricksites.tk, 1
+hatul.info, 1
+haucke.xyz, 1
+haughtonla.gov, 1
+hauller.ch, 1
+haulpackaging.com, 1
+hauntedcastle.tk, 1
+hauntedhouserecords.co.uk, 1
+hauntedtruth.tk, 1
+hauora.fyi, 1
+hauora.tech, 1
+haus-garten-test.de, 1
+haus-henne.de, 1
+haus-maritchen.at, 1
+haus-mittelpunkt.de, 1
+haus-momo.ch, 1
+haus.bio, 1
+hausarzt-nw.de, 1
+hausarzt-nw.info, 1
+hausdorf.ru, 1
+hausfoto.cz, 1
+hausfrauficken.com, 1
+haushaltsaufloesung-vor-ort.de, 1
+haushaltsaufloesung-zentrum.de, 1
+haushenne.de, 1
+haushub.org, 1
+hausmann-versorgungstechnik.de, 1
+hausmeister-website.de, 1
+hauspie.fr, 1
+hausresidential.com.au, 1
+haust.tk, 1
+haustechnik-breu.de, 1
+hausundhaus.de, 1
+hausverbrauch.de, 1
+hausverwaltung-motsch.de, 1
+hautarztzentrum.ch, 1
+hautehorlogerie.org, 1
+hautemontagne.com, 1
+hautescimesone.ch, 1
+hautsache-friesoythe.de, 1
+hautsdefrance.fr, 1
+havaci.tk, 1
+havaguncel.com, 1
+havana-club.com, 1
+havanaheritage.org, 1
+havarijna-sluzba-bratislava.sk, 1
+havasuinsurance.com, 1
+havasuopenhouse.com, 1
+havasutacohacienda.com, 1
+havator.fi, 1
+have-it.tk, 1
+have.jp, 1
+haveabounce.co.uk, 1
+havedicewillsave.com, 1
+haveforeningen-enghaven.dk, 1
+havefunbiking.com, 1
+haveg.ru, 1
+haveibeenpwned.be, 1
+haveibeenpwned.com, 1
+havellab.de, 1
+havells.com, 1
+haven-staging.cloud, 1
+havencyber.com, 1
+havenstar.com, 1
+havenstudios.com, 1
+haverford.com, 1
+havernbenefits.com, 1
+haverplastics.co.uk, 1
+havetherelationshipyouwant.com, 1
+havi-engel.de, 1
+havivdriver.co.il, 1
+havohravo.com, 1
+havuzkapinda.com, 1
+hawaiiafro.tk, 1
+hawaiianchoice.com, 1
+hawaiianlion.cf, 1
+hawaiianlion.ga, 1
+hawaiianlion.gq, 1
+hawaiifamilydental.com, 1
+hawaiiforbernie.com, 1
+hawaiinet.tk, 1
+hawaiipolice.gov, 1
+hawaindustrial.com, 1
+hawat.cz, 1
+hawawa.kr, 1
+hawickvets.co.uk, 1
+hawit-steuerberatung.de, 1
+hawit-steuerberatung.support, 1
+hawk-la.com, 1
+hawk.pl, 1
+hawkargentina.com, 1
+hawkbiosystems.com, 0
+hawkeyeia.gov, 1
+hawkeyeinsight.com, 1
+hawkins.plus, 1
+hawkinsonkiaparts.com, 1
+hawkofgeorgia.com, 1
+hawkon.dk, 1
+hawkrovers.tk, 1
+hawksguild.com, 0
+hawle-service.at, 1
+hawler.tk, 1
+hawo.academy, 1
+hawrerahimi.nl, 0
+hax.to, 1
+haxland.tk, 1
+haxor.one, 1
+haxx.hu, 1
+hay.email, 1
+hayai.space, 1
+hayalgucu.net, 1
+hayalmeyal.com, 1
+hayashi-rin.net, 1
+hayatmurat.tk, 1
+haydenal.gov, 1
+haydenbleasel.com, 0
+haydenfranklin.com, 1
+haydenjames.io, 1
+hayestwpclaremi.gov, 1
+hayestwpotsegomi.gov, 1
+hayfordoleary.com, 1
+hayl.me.uk, 1
+hayleywestenra.tk, 1
+hayobethlehem.nl, 1
+hayonik.com, 1
+hayrivertownship.gov, 1
+haysc.tech, 1
+hayssuperclean.com, 1
+haystack.tk, 1
+haystackrenovation.com.au, 1
+hayvanlar.net, 1
+hayvid.com, 1
+hayvid.net, 1
+hayward.uk.com, 1
+haywoodtn.gov, 1
+hazalturesan.tk, 1
+hazana.ovh, 1
+hazara-online.tk, 1
+hazaristan.asia, 1
+haze-productions.com, 1
+haze.productions, 1
+hazeldeanfamilydentalcentre.com, 1
+hazelhof.nl, 1
+hazelkid.tk, 1
+hazelwood.co.uk, 1
+hazeover.com, 1
+hazhistoria.net, 1
+hazimdesign.tk, 1
+hazit.co.il, 1
+hazlocheaters.com, 1
+hazloconlapix.com, 1
+hazyhosting.tk, 1
+hazytales.com, 1
+hazza.net, 1
+hb.by, 1
+hb5197.com, 0
+hb6729.com, 1
+hb8522.com, 1
+hb9397.com, 1
+hba1crechner.de, 1
+hbaa.ml, 1
+hbag.org, 1
+hbauer.net, 0
+hbbet.com, 1
+hbcm70.fr, 1
+hbcu-colleges.com, 1
+hbfisioeesthetic.com.br, 1
+hbgshop.cf, 1
+hbh.sh, 1
+hbility.eu, 0
+hbl-stahl.de, 1
+hblwrk.de, 1
+hbo-center.com, 1
+hboeck.de, 1
+hbomaxaustralia.com, 1
+hbpro.pt, 1
+hbr.link, 1
+hbs-it-gmbh.de, 1
+hbsslaw.co.uk, 1
+hbsslaw.com, 1
+hbsvzos.nl, 1
+hbudd.com, 0
+hbussmann.com, 1
+hbvip.com, 1
+hbweb.io, 1
+hbxianghang.com, 0
+hby.cx, 1
+hc-sc.gc.ca, 0
+hcahealthcare.co.uk, 1
+hcamag.com, 1
+hcaptcha.com, 1
+hcasino.it, 1
+hcaz.io, 1
+hcc-s.de, 1
+hcc-server.de, 1
+hccnet.org, 1
+hcdatn.gov, 1
+hcdonbass.com, 1
+hceu-performance.com, 1
+hcfeye.com.au, 1
+hcfl.gov, 1
+hcfoodpantry.org, 1
+hcg24.com, 1
+hcgallia.tk, 1
+hcie.pl, 0
+hclsw.at, 0
+hclsw.ch, 0
+hclsw.de, 0
+hclu.co, 1
+hcmuehlethurnen.ch, 1
+hcnh.gov, 1
+hco4.com, 1
+hcqmeta.com, 1
+hcr.io, 0
+hcs.land, 1
+hcscrusaders.com, 1
+hcsoffshore.com, 1
+hctegelhandel.tk, 1
+hctr002.tk, 1
+hcv.cz, 1
+hcv.ind.in, 1
+hcvp.com.pt, 1
+hcwels.at, 1
+hd-offensive.at, 0
+hd-olimpo.club, 1
+hd-only.org, 1
+hd-outillage.com, 1
+hd4arab.tk, 1
+hd6729.com, 1
+hd6957.com, 1
+hd9397.com, 1
+hd9721.com, 1
+hdaccess.info, 1
+hdatraining.ma, 1
+hdbigass.com, 1
+hdbits.org, 1
+hdblackporn.com, 1
+hdbooty.com, 1
+hdc.sg, 1
+hdcoupler.com.au, 1
+hddrecovery.net.au, 1
+hdeaves.uk, 1
+hdert.com, 1
+hdevent.net, 1
+hdfreeizle.com, 1
+hdfreex.com, 1
+hdgrannytube.com, 1
+hdguru.com, 1
+hdhoang.space, 1
+hdhomelift.com, 1
+hdlooks.tk, 1
+hdm-bogensport.at, 1
+hdmatureporn.com, 1
+hdmaturetube.com, 1
+hdmaturetube.tv, 1
+hdmilfporn.com, 1
+hdmixfilim.com, 1
+hdml.kr, 1
+hdmomtube.com, 1
+hdnakedgirls.com, 1
+hdnastudio.com, 1
+hdporno.tv, 1
+hdpornose.com, 1
+hdpornpics.com, 1
+hdpornpicture.com, 1
+hdrams.com, 1
+hdrcomercio.com.br, 1
+hdrezka2018.tk, 1
+hdrip.info, 1
+hdrtranscon.com, 0
+hds-lan.de, 1
+hdscheduleers.ga, 1
+hdscheduleest.ga, 1
+hdsengine.ml, 1
+hdsexxx.net, 1
+hdsinemax.com, 1
+hdtvblogsers.ga, 1
+hdtvblogsest.ga, 1
+hdtvboarders.ga, 1
+hdtvboardest.ga, 1
+hdv.paris, 1
+hdv12.horse, 1
+hdview.co.uk, 1
+hdwallpapers.net, 1
+hdwetpussy.com, 1
+hdxvideosporns.com, 1
+hdxxxpics.net, 1
+hdy.nz, 1
+hdz.org, 1
+hdzineers.ga, 1
+hdzineest.ga, 1
+he-sb.cf, 1
+he-sb.eu.org, 1
+he-sb.top, 1
+he.kg, 1
+heaaart.com, 1
+head-hunters.tk, 1
+head.org, 1
+head.ru, 1
+headachemigraine.org, 1
+heade.cf, 1
+headed2.com, 1
+headforcloud.com, 1
+headhuntercolombia.com, 1
+heading2australia.ga, 1
+headinsider.net, 0
+headlight.tech, 1
+headlineclub.gr, 1
+headlinepublishing.be, 1
+headofhair.pl, 1
+headphonesinear.tk, 1
+headshotharp.de, 1
+headsmackskatepark.tk, 1
+headstartkernow.org.uk, 1
+headstogether.org.uk, 1
+headstrong.de, 1
+headsuphealth.com, 1
+headwall-hosting.com, 1
+headwayapp.co, 1
+healdsburg.gov, 1
+healinfoods.com, 1
+healingfoundation.org.au, 1
+healingriverscounseling.net, 1
+healingthenaturalway.cf, 1
+healingthenaturalway.ga, 1
+healingthenaturalway.gq, 1
+healingwell.com, 1
+healingwithvibrationsummit.com, 1
+healinlife.com, 1
+healmyhearttoday.ga, 1
+healmynation.com, 1
+healtbeautyturkey.tk, 1
+health-and-beauty-news.net, 1
+health-ashlandcounty-oh.gov, 1
+health-e.org.za, 1
+health-ecore.com, 1
+health-in-mind.org.uk, 1
+health-match.com.au, 1
+health-plan-news.com, 1
+health-road.ga, 1
+health-toolbox.com, 1
+health-tourism.com, 1
+health.gd, 1
+health.gov, 1
+health.graphics, 1
+health.mil, 1
+health24.ml, 1
+health24world.ml, 1
+health360.bh, 1
+health4all.tk, 1
+health4food.com, 1
+health4life.tk, 1
+healthabundant.ga, 1
+healthactive.co, 0
+healthadaptive.ga, 1
+healthalbuquerque.tk, 1
+healthalternativemedicine.tk, 1
+healthamazing.ga, 1
+healthand.ml, 1
+healthandfitnessover40.co.uk, 1
+healthandglow.tk, 1
+healthandskinbeauty.com, 1
+healtharlington.tk, 1
+healtharrow.ga, 1
+healthasociation.tk, 1
+healthatlanta.tk, 1
+healthatlantic.ga, 1
+healthatlantic.tk, 1
+healthawareness.cf, 1
+healthbanfield.tk, 1
+healthbank.io, 1
+healthbeltsville.tk, 1
+healthbinghamton.tk, 1
+healthbit.com.br, 1
+healthblender.ga, 1
+healthblod.ga, 1
+healthbolton.tk, 1
+healthbordelonville.tk, 1
+healthboston.tk, 1
+healthboulevard.ga, 1
+healthbounce.ga, 1
+healthbrisbane.tk, 1
+healthbrite.ga, 1
+healthbrochures.info, 1
+healthbunny.ga, 1
+healthcalculator.site, 1
+healthcanal.ga, 1
+healthcaptive.ga, 1
+healthcare.gov, 0
+healthcare4ppl.com, 1
+healthcareadministrationedu.org, 1
+healthcareagency.tk, 1
+healthcareareainfo.tk, 1
+healthcareconnexion.com, 1
+healthcarediversion.org, 1
+healthcaredrugs.tk, 1
+healthcareera.tk, 1
+healthcareinfonews.tk, 1
+healthcaremedicine.tk, 1
+healthcarenutrition.tk, 1
+healthcarepathway.com, 1
+healthcareresearch.tk, 1
+healthcarereviews.tk, 1
+healthcarerevopt.com, 1
+healthcarestaffingacademy.com, 1
+healthcaresystemcareersedu.org, 1
+healthcatch.ga, 1
+healthcentralasia.tk, 1
+healthcentralmedicine.tk, 1
+healthcentralnews.tk, 1
+healthcentralstore.tk, 1
+healthcentraltreatment.tk, 1
+healthcharte.ga, 1
+healthchecks.io, 1
+healthchillicothe.tk, 1
+healthchoice.tk, 1
+healthcise.com, 1
+healthclassy.ga, 1
+healthclearance.ga, 1
+healthclyman.tk, 1
+healthcode.cf, 1
+healthcollect.ga, 1
+healthcolumbia.tk, 1
+healthcolumbus.tk, 1
+healthcommission.ga, 1
+healthcompany.tk, 1
+healthconfluence.tk, 1
+healthconstruct.ga, 1
+healthcostinstitute.org, 0
+healthcounty.ga, 1
+healthcourier.ga, 1
+healthcrafter.ga, 1
+healthcrawler.ga, 1
+healthcrown.cf, 1
+healthcrown.ga, 1
+healthcrystal.ga, 1
+healthculloden.tk, 1
+healthcultureexpo.com, 1
+healthcupid.ga, 1
+healthcurious.ga, 1
+healthdaily.cf, 1
+healthdaily.ga, 1
+healthdallas.tk, 1
+healthdata.gov, 1
+healthdelta.ga, 1
+healthdenver.tk, 1
+healthdesigning.ga, 1
+healthdestination.ga, 1
+healthdetroit.tk, 1
+healthdigitalstore.tk, 1
+healthdodge.ga, 1
+healthdowntown.ga, 1
+healthdraw.ga, 1
+healtheagle.ga, 1
+healtheffectsofasbestos.com, 1
+healthekids.tk, 1
+healthemden.tk, 1
+healthessence.ga, 1
+healthfalcon.ga, 1
+healthfame.ga, 1
+healthfiesta.ga, 1
+healthfinder.gov, 1
+healthfitapp.com, 1
+healthfitstore.com, 1
+healthflavor.ga, 1
+healthfleet.ga, 1
+healthfortwaltonbeach.tk, 1
+healthfortworth.tk, 1
+healthfrederick.tk, 1
+healthfreeport.tk, 1
+healthful.eu.org, 1
+healthglamour.ga, 1
+healthgoddess.ga, 1
+healthgrace.ga, 1
+healthgrad.com, 1
+healthgrandrapids.tk, 1
+healthguerilla.ga, 1
+healthguerrilla.ga, 1
+healthhair.ru, 1
+healthhard.ga, 1
+healthharrisburg.tk, 1
+healthhelena.tk, 1
+healthhendersonville.tk, 1
+healthhosts.com, 1
+healthhuntsville.tk, 1
+healthhusky.ga, 1
+healthi.ch, 1
+healthierweight.co.uk, 1
+healthimagine.ga, 1
+healthintergrity.ga, 1
+healthiraq.ga, 1
+healthiron.ga, 1
+healthit.gov, 1
+healthjackpot.ga, 1
+healthjarrettsville.tk, 1
+healthjoker.ga, 1
+healthkaro.tk, 1
+healthkaty.tk, 1
+healthkayak.ga, 1
+healthknight.ga, 1
+healthlable.com, 1
+healthlabs.com, 1
+healthlar.com, 1
+healthleadsusa.org, 1
+healthlesson.tk, 1
+healthlifeforyou.tk, 1
+healthlightning.ga, 1
+healthlincoln.tk, 1
+healthloco.ga, 1
+healthlongwood.tk, 1
+healthlowprice.ga, 1
+healthlucky.ga, 1
+healthmagazines.tk, 1
+healthmanager.ml, 1
+healthmanchester.tk, 1
+healthmatchapp.com, 1
+healthmeasure.ga, 1
+healthmedcost.com, 1
+healthmedicalcenter.it, 1
+healthmedicineasia.tk, 1
+healthmedicinebiology.tk, 1
+healthmedicinedrug.tk, 1
+healthmedicinestore.tk, 1
+healthmedicineus.tk, 1
+healthmedicineworld.tk, 1
+healthmeta.ga, 1
+healthmetric.ga, 1
+healthmiami.tk, 1
+healthmillions.ga, 1
+healthmilwaukee.tk, 1
+healthmilwaukie.tk, 1
+healthmotivation.ml, 1
+healthmountolive.tk, 1
+healthmuscle.ga, 1
+healthmuscle.tk, 1
+healthmystical.ga, 1
+healthnano.ga, 1
+healthnational.ga, 1
+healthnobel.ga, 1
+healthnorman.tk, 1
+healthnorthamerican.ga, 1
+healthnorthgreenbush.tk, 1
+healthnutrition.tk, 1
+healthnutritionfood.tk, 1
+healthnutritiongrowth.tk, 1
+healthnutritioninfo.tk, 1
+healthnutritioninfonews.tk, 1
+healthnutritioninjury.tk, 1
+healthnutritionpregnancy.tk, 1
+healthnutritionpublic.tk, 1
+healthnutritionusa.tk, 1
+healthnweight.tk, 1
+healthoakland.tk, 1
+healthocity.ga, 1
+healthoffline.ga, 1
+healthoneday.ga, 1
+healthonplanet.com, 1
+healthoptions.tk, 1
+healthpaducah.tk, 1
+healthpeace.ga, 1
+healthpeach.ga, 1
+healthpersonal.ga, 1
+healthpert.com, 1
+healthphase.ga, 1
+healthpickup.ga, 1
+healthpirates.ga, 1
+healthplansamerica.org, 1
+healthplatinum.ga, 1
+healthpremier.ga, 1
+healthprestige.ga, 1
+healthpriority.ml, 1
+healthproconsulting.com, 1
+healthquality.tk, 1
+healthquantum.ga, 1
+healthquest.com.au, 1
+healthrail.ga, 1
+healthrangely.tk, 1
+healthrapid.ga, 1
+healthraven.ga, 1
+healthreadset.ga, 1
+healthremarkable.ga, 1
+healthreno.tk, 1
+healthrequest.ga, 1
+healthrish.com, 1
+healthrivergrove.tk, 1
+healthrule.ga, 1
+healthrunners.ga, 1
+healths-tips.ml, 1
+healthsacramento.tk, 1
+healthsalvage.ga, 1
+healthsample.ga, 1
+healthsanantonio.tk, 1
+healthsanjose.tk, 1
+healthsanluisobispo.tk, 1
+healthsantaana.tk, 1
+healthsantaclara.tk, 1
+healthscience.tk, 1
+healthseason.ga, 1
+healthseattle.tk, 1
+healthservicediscounts.com, 1
+healthsession.ga, 1
+healthshadow.ga, 1
+healthsleuth.ga, 1
+healthslide.ga, 1
+healthsomerset.tk, 1
+healthsone.com, 1
+healthsouthfield.tk, 1
+healthsparkle.ga, 1
+healthspencer.tk, 1
+healthspringfield.tk, 1
+healthstar-dev.io, 1
+healthstar.io, 1
+healthstrick.ga, 1
+healthstudy.tk, 1
+healthstyletips.ml, 1
+healthsunflower.ga, 1
+healthsustain.ga, 1
+healthsyndrome.tk, 1
+healthtacoma.tk, 1
+healthtimes.ga, 1
+healthtips4you.ml, 1
+healthtoledo.tk, 1
+healthtreats.ga, 1
+healthtrio.com, 1
+healthtrust.tk, 1
+healthturbo.ga, 1
+healthultra.ga, 1
+healthunique.ga, 1
+healthurban.ga, 1
+healthvacancies.tk, 1
+healthvariety.ga, 1
+healthvariety.tk, 1
+healthveedersburg.tk, 1
+healthvision.ml, 1
+healthwarior.tk, 1
+healthwausau.tk, 1
+healthwealthtime.org, 1
+healthwichita.tk, 1
+healthy-map.com, 1
+healthy-shoko.com, 1
+healthy.io, 1
+healthy.works, 1
+healthyaging-digital.com, 1
+healthyalabama.tk, 1
+healthyalaska.tk, 1
+healthyankee.ga, 1
+healthyarizona.tk, 1
+healthyarkansas.tk, 1
+healthybeauty365bn.com, 1
+healthyburn.tk, 1
+healthychoices.tk, 1
+healthyclinic.tk, 1
+healthycolorado.tk, 1
+healthyfeet.gr, 1
+healthyfitfood.com, 1
+healthyflorida.tk, 1
+healthyfoodanddrink.tk, 1
+healthygeorgia.tk, 1
+healthyhomesofmichigan.com, 0
+healthyhomeventilation.com.au, 1
+healthyhours.tk, 1
+healthyindiana.tk, 1
+healthykansas.tk, 1
+healthykitchen101.com, 1
+healthymaine.tk, 1
+healthymen.ml, 1
+healthyminnesota.tk, 1
+healthymississippi.tk, 1
+healthynewjersey.tk, 1
+healthynutritionguide.info, 1
+healthyoregon.tk, 1
+healthypennsylvania.tk, 1
+healthypeople.gov, 1
+healthyrecipes101.com, 1
+healthyrun.tk, 1
+healthysanfrancisco.org, 1
+healthyschoolsnewcastle.org.uk, 1
+healthysouthdakota.tk, 1
+healthyspirituality.org, 1
+healthystore.my.id, 1
+healthystyle.tk, 1
+healthysuperhuman.com, 1
+healthyteame.com, 1
+healthytipsdiet.tk, 1
+healthyweblife.tk, 1
+healthywyoming.tk, 1
+healthyyou.ml, 1
+healtmainwp.tk, 1
+healtyersworld.tk, 1
+heap.zone, 1
+heapsofheaven.com, 1
+heardcountyathletics.com, 1
+hearfool.cc, 1
+hearingbydesign.co.nz, 1
+hearingshofar.com, 1
+hearkener.com, 1
+heart-cartoons.tk, 1
+heart-valve-surgery.com, 1
+heartbeat24.de, 1
+heartbomb.co.jp, 1
+heartbound.wiki, 1
+heartcard.tk, 1
+heartchating.tk, 1
+heartcomms.com.au, 1
+heartgames.pl, 1
+hearthealing.ca, 1
+hearthstonehungary.hu, 1
+hearthustlebrands.com, 1
+heartlandbiomed.com, 1
+heartlandbraidedrugs.com, 1
+heartlandcocacola.com, 1
+heartlandrentals.com, 1
+heartlandtownandcountry.tk, 1
+heartofenglandfirstaidtraining.com, 1
+heartofgod.tk, 1
+heartofthepeace.com, 0
+heartonmysleevegreetings.com, 1
+heartsintrueharmony.com, 1
+heartsucker.com, 0
+hearttruth.gov, 1
+heartview.com.br, 1
+heartway.online, 1
+heartwoodart.com, 1
+heartwoodrefuge.org, 0
+hearty.biz, 1
+hearty.blog, 1
+hearty.eu.org, 0
+hearty.ga, 1
+hearty.gift, 1
+hearty.gq, 1
+hearty.ink, 1
+hearty.me, 1
+hearty.ml, 1
+hearty.ooo, 1
+hearty.org.tw, 1
+hearty.sg, 1
+hearty.taipei, 1
+hearty.tech, 1
+hearty.tw, 1
+heartyapp.com, 1
+heartyapp.tw, 1
+heartymail.com, 1
+hearusa.com, 1
+heaslip-aluminium-smelter-engineering.com, 1
+heat-press.com.au, 1
+heat-ua.pt, 1
+heat.gov, 1
+heatcheck.security, 1
+heatcleanerers.ga, 1
+heatcleanerest.ga, 1
+heatershop.co.uk, 1
+heatgeek.com, 1
+heathaze.xyz, 1
+heatherbells.tk, 1
+heathercutler.ca, 0
+heatherleysephotography.com, 1
+heathersmithcommercial.com, 1
+heathersnotes.com, 1
+heathrowairportparking24.co.uk, 1
+heatingequipment.tk, 1
+heaven-boutique.de, 0
+heavenlybeauty.tk, 1
+heavenlylanka.com.au, 1
+heavenlynails.pl, 1
+heavenlyseals.com, 1
+heavenlysmokenc.com, 1
+heavennewsers.ga, 1
+heavennewsest.ga, 1
+heavensattic.co.uk, 1
+heavensolutions.com.br, 1
+heaventurizm.com.tr, 1
+heavycaliber.com, 1
+heavycoupleers.ga, 1
+heavycoupleest.ga, 1
+heavyequipments.org, 0
+heavyhymnal.com, 1
+heavylord.tk, 1
+heavysounds.tk, 1
+hebamme-cranio.ch, 1
+hebamme-ebersberg.de, 1
+hebamme-sabine.eu, 1
+hebbelabi.tk, 1
+hebe.stream, 1
+heber.tk, 1
+hebersprings.gov, 1
+heberut.gov, 1
+hebikhiv.nl, 1
+hebin.cf, 1
+hebmexico.tk, 1
+hebrew.ga, 1
+hebronnh.gov, 1
+hec-espace-entreprise.ch, 0
+hec.global, 1
+hecco.io, 1
+heccubus.tk, 1
+hechaocheng.ga, 1
+hechaocheng.ml, 1
+hechaocheng.tk, 1
+hechizosymagianegra.es, 1
+hechno.com, 1
+heckelektro.de, 1
+heckhome.com, 1
+hecking.tk, 1
+heckmann.photos, 1
+hectorama.tk, 1
+hectorfiorini.com.ar, 0
+hectorlima.tk, 1
+hedd.audio, 1
+heddoun.com, 1
+hedefhalk.com, 1
+hedefkompresor.com, 1
+hedenskrig.tk, 1
+hederaconsulting.com, 1
+hederawinkel.nl, 0
+hedge.fi, 1
+hedgedoc.net, 1
+hedgedoc.org, 1
+hedgehogs.tk, 1
+hedgesafeers.ga, 1
+hedgesafeest.ga, 1
+hedgeschool.ie, 1
+hedgetube.ga, 1
+hedinghamandchambers.co.uk, 1
+hedman.tk, 1
+hedonics.org, 1
+hedonism.org, 1
+hedonistai.org, 1
+hedonistic-imperative.com, 1
+hedonistic.org, 1
+hedonisticimperative.com, 1
+hedonium.com, 1
+hedoujia.tw, 1
+hedronarchive.com, 1
+hedweb.co.uk, 1
+hedweb.com, 1
+hedweb.net, 1
+hedweb.org, 1
+hedweb.uk, 1
+hedys.de, 1
+hee.ink, 1
+heeftmijnwebsitehttpsnodig.nl, 1
+heeler.red, 1
+heello.es, 1
+heerenveenlokaal.nl, 1
+heesenyachts.com, 0
+heethealthcare.com, 1
+hefengautoparts.com, 1
+heficed.com, 1
+heftfilme.com, 1
+hefty.cloud, 1
+heg.ge, 1
+hegdahl.tk, 1
+hegdahl.xyz, 1
+hegebo.de, 1
+hegocre.com, 1
+heh.ee, 1
+heha.co, 0
+hehecams.com, 1
+hehechat.com, 1
+heheparty.com, 1
+heheparty.net, 1
+heheparty.org, 1
+hehome.xyz, 0
+heiaheia.com, 1
+heibel.tk, 1
+heibobo.cf, 1
+heibobo.com, 1
+heibobo.ga, 1
+heibobo.gq, 1
+heibobo.ml, 1
+heibobo.tk, 1
+heic.nz, 1
+heictoany.com, 1
+heid.ws, 1
+heidarilawgroup.com, 1
+heidegg.ch, 1
+heidelbergengineering.com, 1
+heiden-wir-helfen.de, 1
+heidifuller.com, 1
+heidihills.com, 1
+heidinousiainen.com, 1
+heidirange.tk, 1
+heidisheroes.org, 1
+heidns.cn, 0
+heighton.com.au, 1
+heightselectrical.com.au, 1
+heigl-care.de, 1
+heihaha.com, 1
+heihei.cf, 1
+heijblok.com, 1
+heijdel.nl, 1
+heijmans.blog, 1
+heijmans.io, 1
+heijmans.org, 1
+heijmans.pm, 1
+heijmans.tech, 1
+heikal.tk, 1
+heikegastmann.com, 1
+heikki-mikkola.tk, 1
+heiko-zimmermann.com, 1
+heiko.ph, 1
+heikomauel.de, 1
+heikoopminiaturen.nl, 1
+heiland.io, 1
+heilbronn.tk, 1
+heiliao.in, 1
+heiligebirmanen.tk, 1
+heiliger-gral.info, 1
+heilpflanzenmagie.de, 1
+heilpraktiker-maxdorf.de, 1
+heimatverein-eitensheim.de, 1
+heimdallsensors.com, 1
+heimnetze.org, 0
+heimonen.eu, 1
+heimstaden.dk, 1
+heina.net, 1
+heineken.co.za, 1
+heino-peters.de, 1
+heinonen.cc, 1
+heinrich1.de, 1
+heinrich5991.de, 1
+heinvanhemert.nl, 1
+heinzdekat.tk, 1
+heinzencastellano.tk, 1
+heiraten-gardasee.de, 1
+heiraten-venedig.de, 1
+heise.cf, 1
+heise.ml, 1
+heisenberg.co, 1
+heishop.com.br, 1
+heishop.mx, 1
+heist-clan.tk, 1
+heistheguy.com, 1
+heitepriem.info, 1
+heiwa-valve.co.jp, 1
+hejazultra.org, 1
+heka.ai, 1
+hekat.sk, 1
+hekate.com.mx, 1
+hekatija.com, 1
+hekeki.com, 1
+hekoro.ml, 1
+hektenkairez.com, 1
+hekwerken.tk, 1
+helabet.com, 1
+helabet.ng, 1
+heladospipos.ga, 1
+helagotaland.ga, 1
+helagotaland.gq, 1
+helali.me, 1
+helbreath.tk, 1
+helcim.com, 1
+helco.xyz, 1
+helden-spielen.de, 1
+heldenhalde.de, 1
+heldmayer.com, 1
+heldtech.services, 1
+heldundsexgott.de, 1
+helebce.tk, 1
+heleendebruyne.be, 1
+helemduruth.com, 1
+helena-loos.de, 1
+helenair.com, 1
+helenakmiec.pl, 1
+helenapaparizouspainfanclub.tk, 1
+helenatownshipmi.gov, 1
+helendoe.uk, 1
+helendoron.fr, 1
+helene-conway.com, 1
+helenekurtz.com, 1
+helenelefauconnier.com, 1
+helenevanwunnik.tk, 1
+helenkellersimulator.org, 1
+helenlim.pw, 1
+helenmarie.ie, 1
+helenmcguinness.online, 1
+helensmithpr.co.uk, 1
+helenssjoholm.cf, 1
+helenssjoholm.ga, 1
+helenvalsj.tk, 1
+helenwade.tk, 1
+heleus.it, 1
+helfordriversc.co.uk, 1
+helga-fest.tk, 1
+helgaschultz.de, 1
+helgeklein.com, 1
+helhetsframtradande.se, 1
+heli-iq.at, 1
+heli-iq.com, 1
+heli-iq.cz, 1
+heli-iq.de, 1
+heli-iq.dk, 1
+heli-iq.es, 1
+heli-iq.fi, 1
+heli-iq.fr, 1
+heli-iq.it, 1
+heli-iq.nl, 1
+heli-iq.sk, 1
+helia.com.au, 1
+helibella.com, 1
+helichat.de, 1
+heliconservices.com, 1
+heligrandcanyon.com, 1
+helijobs.net, 1
+helikopter.ml, 1
+helikopterman.tk, 1
+helikopters.tk, 1
+helioanodyne.eu, 1
+heliobil.fr, 1
+heliocentrism.jp, 1
+helion.ch, 0
+helioring.com, 1
+helios4.com, 1
+heliosbot.net, 1
+heliosnet.com, 1
+heliosvoting.org, 0
+heliport-moscow.ru, 1
+helisimmer.com, 1
+heliumtech.tk, 1
+helix.am, 1
+helixagencyservices.com, 0
+helkyn.eu, 1
+helkyn.fr, 1
+helkyn.org, 1
+hell-o.net, 1
+hell.rodeo, 1
+hell.sh, 1
+hellband.tk, 1
+hellblade.tk, 1
+hellblast.tk, 1
+hellboundhackers.org, 1
+hellendumanrealty.com, 1
+hellenicagora.co.uk, 1
+hellenicmusicacademy.com, 1
+hellerarko.de, 1
+hellfreak.tk, 1
+hellhammer.tk, 1
+hellhavens.tk, 1
+hello-aioi.com, 1
+hello-papaye.com, 1
+hello-products.com, 1
+helloacm.com, 1
+helloafrica.ga, 1
+helloalpha.com, 1
+helloappservices.com, 1
+hellobarestore.com, 1
+hellobee.com, 1
+hellobetter.de, 1
+hellobrian.me, 1
+hellocash.business, 1
+hellocat.cf, 1
+hellocentral.ga, 1
+hellocoding.de, 1
+hellodesign.tk, 1
+hellodollface.com, 1
+helloemailers.ga, 1
+helloemailest.ga, 1
+helloexit.com, 1
+helloheadsup.com, 1
+helloindia.tk, 1
+hellokashmir.tk, 1
+hellolove.sg, 1
+hellomookie.com, 1
+hellomouse.cf, 1
+hellomouse.net, 1
+hellomouse.tk, 1
+hellomunnar.in, 1
+hellomyword.tk, 1
+hellonews.cf, 1
+hellonews.ga, 1
+helloo.com.br, 1
+hellopandaphoto.com, 1
+hellopowerserg.com, 1
+hellorory.com, 1
+hellorussia.ga, 1
+hellosalmon.com, 1
+hellosayge.com, 1
+hellosells.com, 1
+hellosixpackabs.com, 1
+helloskip.com, 0
+hellosmoove.com, 1
+hellotandem.com, 1
+hellotars.com, 1
+helloteen.tk, 1
+hellothematic.com, 1
+hellothought.net, 1
+hellotwist.com, 1
+hellov.in, 1
+helloverify.com, 1
+hellovillam.com, 1
+helloworldhost.com, 0
+hellpc.net, 1
+hellpizza.nz, 1
+hellraid.com, 1
+hellseeker.tk, 1
+hellsinkivampires.tk, 1
+hellsoldiers.tk, 1
+hellven.net, 1
+hellvis.tk, 1
+hellyeahbeer.tk, 1
+helm-pokale.de, 1
+helmethouse.com, 1
+helminger-lrs.at, 1
+helmondautoschade.nl, 1
+helmscapital.co.uk, 1
+helochic.com, 1
+heloisamarra.com, 1
+helorobo.com, 1
+help-me.today, 1
+help207.me, 1
+help24.be, 0
+help911.com, 1
+helpamericavote.gov, 1
+helpatmyhome.com, 1
+helpc.eu, 1
+helpcalculator.tk, 1
+helpcapital.ru, 1
+helpcomp.tk, 1
+helpconnect.com.au, 1
+helpcrm.co.uk, 1
+helpekwendenihospital.com, 1
+helpfulcash.com, 1
+helpinghandspartners.org, 1
+helpkoil.com, 1
+helplightning.com, 1
+helpline.com.ua, 1
+helplisted.com, 1
+helpmecovid.com, 1
+helpmij.cf, 1
+helpnet.ro, 1
+helpout.us, 1
+helpowl.com, 1
+helppc.com.ua, 1
+helprb.ru, 1
+helpscoutdocs.com, 1
+helptasker.com, 1
+helptasker.net, 1
+helptasker.org, 1
+helptasker.ru, 1
+helpticket.ml, 1
+helpticket.tk, 1
+helpwaarbenik.nl, 1
+helpwiki.nl, 1
+helpwise.io, 1
+helpwithadoption.com, 1
+helpwithinreach.com, 1
+helpwithmybank.gov, 1
+helpwithmycheckingaccount.gov, 1
+helpwithmycreditcard.gov, 1
+helpwithmycreditcardbank.gov, 1
+helpwithmymortgage.gov, 1
+helpwithmymortgagebank.gov, 1
+helsenorge.no, 1
+helsi.me, 1
+helsingfors.guide, 1
+helsinginlaakariyhdistys.fi, 1
+helsinki-systems.de, 1
+helst.org, 1
+heluna.tk, 1
+helvatech.ch, 1
+helvetic.finance, 1
+hemagon.com, 1
+hemanklerehab.com, 1
+hemaroids.tk, 1
+hemdal.se, 0
+hemdian.com, 1
+hemmens.eu, 1
+hemmersbach.com, 1
+hemnet.se, 1
+hemorroi.ga, 1
+hemp.com, 1
+hemphopper.eu, 1
+hempoffset.com, 1
+hempsteadcitytx.gov, 1
+hemrin.com, 1
+hems.si, 1
+hemtest.com, 1
+hen.ee, 1
+hen.ne.ke, 1
+hendersoncountyil.gov, 1
+hendersonky.gov, 1
+hendersonvalleyautomotive.co.nz, 1
+hendersonwomenscare.com, 1
+henderz.tk, 1
+hendrickx.be, 1
+hendrik.li, 1
+hendrinortier.nl, 1
+hendrix.com.ng, 1
+hendrix.tk, 1
+hendryelections.gov, 1
+hengelsportjansenlommel.tk, 1
+hengstumone.com, 1
+henhenlu.com, 0
+henkboelman.com, 1
+henke-home.eu, 1
+henker.net, 1
+henkibeer.com, 1
+henko-consulting.com, 1
+henkpille.tk, 1
+henkverlinde.com, 0
+henley-computer-repairs.co.uk, 1
+henleybouncycastles.co.uk, 1
+henlich.de, 1
+hennecke-forstbetrieb.de, 1
+henneke.me, 1
+hennepincounty.gov, 1
+hennepintheatretrust.org, 1
+hennes-haan.de, 1
+hennes-pokalshop.de, 1
+hennes-shop.de, 1
+henneshaan.de, 1
+hennessey.com, 1
+hennesshop.de, 1
+hennessy.tk, 1
+hennies.org, 1
+hennikernh.gov, 1
+henningkerstan.de, 1
+henningkerstan.org, 1
+henradplumbing.co.uk, 1
+henri-feuillade.tk, 1
+henri.moe, 1
+henrichaussade.fr, 1
+henrico.gov, 1
+henrieta-nagyova.tk, 1
+henriettatownshipmi.gov, 1
+henrik-sachse.de, 1
+henrikjosefsson.net, 1
+henrikjuvonen.fi, 1
+henriknoerr.com, 1
+henriksachse.com, 1
+henriksachse.de, 1
+henriksoderlund.com, 1
+henrikwelk.de, 1
+henrilammers.nl, 1
+henrri.net, 1
+henry.gg, 1
+henryalanbrown.com, 1
+henrybelk.com, 1
+henrybrown0.com, 1
+henryclub.tk, 1
+henryco911tn.gov, 1
+henrycountyga.gov, 1
+henrycountyohio.gov, 1
+henrycountysheriffga.gov, 1
+henryctyil.gov, 1
+henryford.tk, 1
+henryhouse.wales, 1
+henryhugo.tk, 1
+henryishax.com, 1
+henryluker.com, 1
+henrymercado.tk, 1
+henrymintzberg.nl, 1
+henryocallaghan.com, 1
+hentai-paradise.fr, 1
+hentai.it, 1
+hentaigogo.com, 1
+hentaimaster.net, 1
+hentaipornography.com, 1
+hentaipros.com, 1
+hentaiprosnetwork.com, 1
+hentairead.com, 1
+hentairoulette.com, 1
+hentaishit.com, 1
+hentaiworld.cc, 0
+hentaizm.cf, 1
+hentamanga.tk, 1
+hentavfall.no, 1
+hentschke-bau.de, 1
+hentschke-betonfertigteilwerk.de, 1
+hentschke-invest.de, 1
+henzenhoning.nl, 1
+henzy.cloud, 1
+hepfree.nyc, 1
+hepha.ch, 1
+hephzibahga.gov, 1
+heppler.net, 1
+heptafrogs.de, 1
+heptagonsystems.com, 1
+heptner24.de, 1
+hepuer.com, 1
+hepworthwakefield.org, 1
+her-life.ru, 1
+her.porn, 1
+her123.win, 1
+heraa.top, 1
+heracasinos.com, 1
+herald-review.com, 1
+herald.ga, 1
+heraldcourier.com, 1
+heraldik-wiki.de, 1
+heraldmakassar.com, 1
+herasoft.com, 1
+heratnews.tk, 1
+herba-belgie.be, 1
+herbacom.ro, 1
+herbalcart.com, 1
+herbalhouse.tk, 1
+herbalife.ru, 1
+herbalifereport.tk, 1
+herbalkanker.tk, 1
+herbalmusings.net, 1
+herbalproducts.com, 1
+herbarex.bg, 1
+herbarium.cf, 1
+herberichfamily.com, 1
+herbers.tk, 1
+herbertjanvandinther.nl, 1
+herbertmouwen.nl, 1
+herbiez.com, 1
+herbigass.com, 1
+herbisan.pl, 1
+herbnal.com, 1
+herbreathonglass.tk, 1
+herbsociety.org, 1
+herbsupplements.co.uk, 1
+herbweb.net, 1
+herbweb.org, 1
+herbymiast.waw.pl, 1
+herculesca.gov, 1
+herculex.fi, 1
+herderradio.ml, 1
+herdingcatshere.com, 1
+herdwilliam.ml, 1
+herdwilliam.tk, 1
+herealways.tk, 1
+herecafe.com, 1
+heredapoxetine.gq, 1
+herefordlighthouse.org, 0
+heren.fashion, 1
+herenstraatvoorburg.tk, 1
+hereplus.me, 1
+hereporn.com, 1
+heretic-guild.com, 1
+hereticle.com, 1
+hereticmaniacs.tk, 1
+hereticofficial.com, 1
+hereticpreist.tk, 1
+herez.fr, 1
+hergaenergy.com, 1
+hergeandtintin.tk, 1
+herila.ml, 1
+heringer.tk, 1
+heritagehandicraft.com, 1
+heritageinvestigativegroup.com, 1
+heritagereformed.tk, 1
+heritagetea.tk, 1
+heritagetechnologies.net, 1
+herizon.cf, 1
+herjj.com, 1
+herkam.pl, 1
+herkel.email, 1
+herkel.media, 1
+herkelmedia.com, 1
+herkelmedia.de, 1
+herkimercountyny.gov, 1
+herlimit.com, 1
+hermanbrouwer.nl, 1
+hermandevries.com, 1
+hermann-hesse-kolleg.de, 1
+hermann.in, 1
+hermanoscarrera.tk, 1
+hermes-net.de, 1
+hermes-onlinehandel.de, 1
+hermes-servizi.it, 1
+hermessenger.fr, 1
+hermetas.org, 1
+hermetien.tk, 1
+hermietkreeft.site, 0
+herminghaus24.de, 1
+hermiston.gov, 1
+hermitant.fr, 1
+hermiu.com, 1
+hermodesign.com, 1
+hermonmaine.gov, 1
+hermosaseagirt.com, 1
+hernandovotes.gov, 1
+hernanygerman.tk, 1
+herndl.org, 1
+herne-kupony.sk, 1
+herni-kupony.cz, 1
+herniaclinic.com.sg, 1
+hernikgames.tk, 1
+hernn.com, 1
+heroblog.info, 1
+herocentral.de, 1
+heroco.xyz, 1
+herod.tk, 1
+heroes3stat.tk, 1
+heroesofthenorth.com, 1
+heroesoftomorrow.nl, 1
+heroesorchestra.com, 1
+herofil.es, 1
+herogaming.net, 1
+herohealth.com, 1
+heroiclove.com, 1
+heroicpixel.com, 1
+herold.me, 1
+herold.space, 1
+heromlabs.tk, 1
+heromuster.com, 1
+heronhallacademy.org.uk, 1
+heroofkings.com, 1
+heroplusgroup.com, 0
+heroway.com, 1
+heroxin.com, 1
+herp.careers, 1
+herp.top, 1
+herpderpderpderp.com, 1
+herpes-no.com, 1
+herr-webdesign.de, 1
+herrald-skeeleren.tk, 1
+herramientasbazarot.com, 1
+herrderzeit.de, 1
+herregruppa.no, 1
+herrenblut.tk, 1
+herrenmuehle-wein.de, 1
+herreriamauricio.com.ar, 1
+herreriaorozco.com, 1
+herrfirm.com, 1
+herriman.gov, 1
+herriman.net, 1
+herringadvancemachine.com, 1
+herringboneeats.com, 1
+herringsresidence.be, 1
+herritage.ga, 1
+herrkal.eu, 1
+herrman.tk, 1
+herrns.cloud, 1
+herrschaftlich-durch-dresden.de, 1
+herrsmith.com, 1
+herrtxbias.net, 1
+herrtxbias.org, 1
+hersdorf-eifel.de, 1
+hersheyfeis.com, 1
+hersmartchoice.com, 1
+herthaloewen.tk, 1
+hertie.de, 1
+hertsbouncycastles.com, 1
+heru.tk, 1
+herumixer.ga, 1
+herus.net.pl, 1
+hervegranger.fr, 1
+hervia.com, 1
+hervormdweeshuiszwolle.nl, 1
+herwz.com, 1
+herychreality.cz, 1
+herza.id, 1
+herzberg.site, 1
+herzfuersoziales.at, 1
+herzig.cc, 1
+herzpfa.de, 1
+herzwacht.de, 1
+herzzuherz.de, 1
+hes.com.cy, 1
+hesabcenter.com, 1
+hesama.tk, 1
+hesaplama.net, 1
+hesbayefrost.be, 1
+hesbenergie.be, 1
+hescos.tk, 1
+heshamelsawah.clinic, 1
+heshamselim.tk, 1
+hessabras.ir, 1
+hessen-liebe.de, 1
+hessen.de, 1
+hessen.social, 1
+hessenheim.tk, 1
+hessentoday.de, 1
+hessherrera.com, 1
+hessis.xyz, 1
+hessischer-landtag.de, 1
+hesslag.com, 1
+hestaheimur.is, 1
+hestegrovvaren.dk, 1
+hestervanderheijden.nl, 1
+hestia-systeme.be, 1
+hestia-systeme.com, 1
+hestia-systeme.eu, 1
+hestia-systeme.fr, 1
+hestonlawfirm.com, 1
+hesyifei.com, 1
+het-klaverblad.nl, 1
+hetchie.com, 1
+hetcoronalab.nl, 1
+hetdebat.tk, 1
+hetene.nl, 1
+hetfundament.team, 1
+hetgetouw.be, 1
+hethely.ch, 1
+hetkomtnooitmeergoed.nl, 1
+hetmanrecovery.com, 1
+hetmedialab.nl, 1
+hetmeisjeachterpauw.nl, 1
+hetmer.cz, 1
+hetoefenpunt.be, 1
+hetushu.com, 1
+hetveurtheater.nl, 1
+hetvezercsarda.hu, 1
+hetwalhalla.nl, 1
+hetwebsitebedrijf.nl, 1
+heureetka.fr, 1
+heureka.fi, 1
+heureka2.com, 1
+heute-kaufen.de, 1
+heute.training, 1
+heutger.de, 1
+heutger.net, 1
+hev.edu.ee, 1
+hevenerfeld.de, 1
+hevenkin.cn, 1
+hevertonfreitas.com.br, 1
+hevo.io, 1
+hevoapp.com, 1
+hevodata.com, 1
+hevoiq.com, 1
+hevrishut.cf, 1
+hewavitharanamv.tk, 1
+hewlettbayparkny.gov, 1
+hewlettharbor.gov, 1
+hex.nl, 1
+hexagon-e.com, 1
+hexagonengg.com, 1
+hexalinq.com, 1
+hexane.cf, 1
+hexapt.com, 1
+hexashore.tn, 1
+hexasoft.com.my, 1
+hexatech.gq, 1
+hexatech.tk, 1
+hexaware.com, 1
+hexaweb.tk, 1
+hexcel.com, 1
+hexcode.in, 1
+hexhu.com, 1
+hexhu.net, 1
+hexiaohu.cn, 0
+hexid.me, 0
+hexieshe.com, 1
+hexo.ink, 0
+hexo.io, 0
+hexobind.com, 1
+hexoff.com, 1
+hexony.com, 1
+hexr.org, 1
+hexsafe.io, 1
+hexstream.expert, 1
+hexstream.net, 1
+hexstream.xyz, 1
+hexstreamsoft.com, 1
+hexure.com, 1
+hexxagon.com, 1
+hey-staging.com, 1
+hey.com, 1
+hey.pw, 1
+heyblogging.com, 0
+heybookmark.ga, 1
+heybookmark.gq, 1
+heybritney.tk, 1
+heybyrdie.com, 1
+heydorff.duckdns.org, 1
+heyfiesta.com, 1
+heyghost.io, 1
+heyitgirl.com, 1
+heyitsfree.net, 1
+heyjobs.co, 1
+heyjoecoffee.com, 1
+heyjoflyer.win, 1
+heyjournal.com, 1
+heylink.asia, 1
+heyomg.com, 1
+heyplay.eu.org, 1
+heysora.net, 1
+heytrade.com, 1
+heyvilleers.ga, 1
+heyvilleest.ga, 1
+heywise.com, 1
+heywood.cloud, 1
+hezzit.net, 1
+hf-rpg.ml, 1
+hf51-domeinen.nl, 1
+hf51.nl, 1
+hfa3.org, 1
+hfholidays.co.uk, 1
+hfikq8.cf, 1
+hflsdev.org, 0
+hfox.org, 1
+hfsa.org, 1
+hfsctx.gov, 1
+hfsg-habicht.at, 1
+hfvuejq.pro, 1
+hfx405.de, 1
+hg.eu, 1
+hg.python.org, 1
+hg0086.la, 0
+hg71839.com, 1
+hgb.club, 1
+hgc.solutions, 1
+hgc369.com, 1
+hgcityca.gov, 1
+hgfa.fi, 1
+hghanbarimd.com, 1
+hgmaranatha.nl, 1
+hgpowerglue.nl, 1
+hgseo.me, 1
+hgseo.net, 1
+hgtwa.com.au, 1
+hguandl.com, 1
+hgvnet.de, 1
+hgyo.me, 1
+hgyoseo.com, 1
+hgzw.com, 0
+hh-host.de, 1
+hh-massage.de, 1
+hh-medic.com, 1
+hh-ri.com, 1
+hh-wolke.dedyn.io, 1
+hh5197.co, 1
+hh6729.co, 1
+hh6729.com, 0
+hh6957.co, 1
+hh9297.co, 1
+hh9397.com, 1
+hh9728.co, 1
+hhalic.com, 1
+hhank.com, 1
+hhdelfland.nl, 1
+hhdy3.com, 1
+hhhdb.com, 1
+hhristov.tk, 1
+hhs.gov, 1
+hhsrocketry.tk, 1
+hhxiaozhan.ml, 1
+hi-million.ga, 1
+hi-million.ml, 1
+hi-newspaper.ml, 1
+hi-res.cloud, 1
+hi-res.com.cn, 1
+hi-res.vip, 1
+hi-techcrimes.net, 1
+hialatv.com, 1
+hiatoconteudodigital.com.br, 1
+hibanaworld.com, 1
+hibbingmn.gov, 1
+hibin.tk, 1
+hibiscuscoastfinancialservices.com.au, 1
+hibrid-turf.com, 1
+hiccupsandjuice.co.uk, 1
+hickmancountytn.gov, 1
+hickoryrecord.com, 1
+hickorywinecellar.com, 1
+hicksvilleohio.gov, 1
+hicl.org, 1
+hicoria.com, 1
+hicts.nl, 1
+hiczp.com, 1
+hidalgoad.org, 1
+hidashin.co.jp, 1
+hidayatullah.com, 1
+hidbo.de, 1
+hidden-audio.de, 1
+hidden.gq, 1
+hidden.nyc, 1
+hiddenbyleaves.tk, 1
+hiddencafebcn.com, 0
+hiddendragon.ml, 1
+hiddenempire.tk, 1
+hiddenhand.finance, 1
+hiddenhillselectric.com, 1
+hiddenhillselectrical.com, 1
+hiddenhillselectrician.com, 1
+hiddenhillsexteriorlighting.com, 1
+hiddenhillslandscapelighting.com, 1
+hiddenhillslighting.com, 1
+hiddenhillsoutdoorlighting.com, 1
+hiddenimage.ml, 1
+hiddenmalta.net, 1
+hiddenpalms.tk, 1
+hiddenredknights.tk, 1
+hiddenrefuge.eu.org, 1
+hiddens.tk, 1
+hiddenvalley.com, 1
+hiddout.com, 1
+hide-in.cloud, 1
+hide.me, 1
+hideallip.com, 1
+hideandseek.org, 1
+hidedd.com, 1
+hidelinkz.com, 1
+hideo54.com, 1
+hideouswebsite.com, 1
+hidetagu2021.net, 1
+hideuri.com, 1
+hidon.hu, 1
+hidra.tk, 1
+hidrasecurity.com, 1
+hidrolimpiadora.com.es, 1
+hidrolimpiadorasprofesionales.org, 1
+hidroshoping.com.br, 1
+hidupbisadiatur.com, 1
+hieisuki.ga, 1
+hielscher.com, 1
+hien.cf, 1
+hierden-bosch.nl, 1
+hierdenbosch.nl, 1
+hierer.com, 1
+hietbrink.tk, 1
+hietegerrekes.tk, 1
+hieucd.com, 1
+hif.red, 1
+hif88.com, 1
+hifala.de, 1
+hifast.cc, 1
+hiffen.tk, 1
+hiffo.de, 1
+hifiaudio.sk, 1
+hifiphile.com, 1
+hifly.aero, 1
+hifly.com.tw, 1
+hifrds.com, 1
+hifrnds.in, 1
+hig.gov, 1
+higeniqcleaning.com.au, 1
+higentexpo.com, 1
+higginsroofing.com.au, 1
+higgsboson.tk, 1
+high-flying.co.uk, 1
+high-ground.org, 1
+high-heels.se, 1
+high-school-atka.ga, 1
+high-solar.com, 1
+high-tech.tk, 1
+high-way.me, 1
+highaltitudearchery.com, 0
+highburycorp.com, 1
+highcalorierecipes.com, 1
+highcbdoildrops.com, 1
+highchair.tk, 1
+highdaseo.ml, 1
+highdefinitionnetworksers.ga, 1
+highdefinitionnetworksest.ga, 1
+highdensityheadache.tk, 1
+highdeserttinyhomes.com, 1
+highdonate.tk, 1
+higheducation.ml, 1
+highenergy.tk, 1
+higherairspace.eu, 1
+higherpress.org, 1
+highftp.tk, 1
+highgravityconsulting.com, 1
+highground.com, 1
+highheeltamia.com, 1
+highintegrity.tk, 1
+highinthemid80s.com, 1
+highkick.jp, 1
+highland-webcams.com, 1
+highlanddancing.tk, 1
+highlandheights-ky.gov, 1
+highlandparkcog.org, 1
+highlandpublicschool.co.in, 1
+highlandsclerkfl.gov, 1
+highlandsfl.gov, 1
+highlandsmode.nl, 1
+highlatitudestravel.com, 0
+highlevelwoodlands.com, 1
+highlightsfootball.com, 1
+highlightsfootball.net, 1
+highlnk.com, 1
+highnation.ml, 1
+highperfection.com, 1
+highperformance.ie, 1
+highplainssiding.com, 1
+highpressuretech.com, 1
+highproject.site, 1
+highproxies.com, 1
+highqappliance.com, 1
+highrank.cf, 1
+highrank.ga, 1
+highrank.tk, 1
+highship-industries.com, 1
+highsightroofing.com, 1
+highskilled.tk, 1
+highsky.ir, 1
+highspeed-arnsberg.de, 1
+highspeedinternetservices.ca, 1
+highspenfc.tk, 1
+highsprings.gov, 1
+highstage.com, 1
+highstakesdb.com, 1
+hightech.construction, 1
+hightechbrain.net, 1
+hightechone.cf, 1
+hightechreviews.ga, 1
+hightechsystems.nl, 1
+highthcahempflower.com, 1
+hightimes.com, 1
+hightop.com, 0
+highway11north.tk, 1
+highway54.tk, 1
+highway71autoparts.com, 1
+highwaytohoell.de, 1
+highwayzen.org, 1
+highworldnet.ga, 1
+higilimpmaringa.com.br, 1
+higilopocht.li, 1
+higsegeirl.com, 1
+higueras.tk, 1
+hii.or.th, 1
+hiig.edu.ee, 1
+hiitrepublic.com.au, 1
+hiiumeretuulepark.ee, 1
+hiiw.cloud, 1
+hiiw.de, 1
+hijabfashion.shop, 1
+hijyen-belgesi.com, 1
+hik-cloud.com, 1
+hikagestudios.com, 1
+hikarinet.tk, 1
+hikawa.top, 1
+hike.pics, 1
+hikeinrio.com, 1
+hiker.cool, 1
+hikerone.com, 1
+hiking-site.nl, 1
+hikingmonthlyers.ga, 1
+hikingmonthlyest.ga, 1
+hikka.ru, 1
+hikyu.it, 0
+hilahdih.cz, 1
+hilalnews.ga, 1
+hilaolu.com, 1
+hilarious.ga, 1
+hilaryhutler.com, 0
+hilarymundial.tk, 1
+hilbertwi.gov, 1
+hilde.link, 1
+hiledge.com, 1
+hilelipc.com, 0
+hilfe-bei-krebs-vechta.de, 1
+hilfikers.com, 1
+hilinecreators.tk, 1
+hill.selfip.net, 1
+hillcottagessuffolk.co.uk, 1
+hillcountryoralsurgery.com, 1
+hillcrestplumber.co.za, 1
+hillenbrand.com, 1
+hillexplorer.com, 1
+hillhiker.com, 1
+hillier-swift.co.uk, 1
+hilllodgingcompany.com, 1
+hillner.eu, 1
+hillroadgarage.tk, 1
+hills-selfstorage.co.uk, 1
+hillsandsaunders.com, 1
+hillsboroccpa.org, 1
+hillsboroughchristian.org, 1
+hillsclerk.com, 1
+hillsdalecounty.gov, 1
+hillsfarmstays.co.uk, 1
+hillshandymate.com, 1
+hillsidecustom.com, 1
+hillsphotosoc.tk, 1
+hillstohome.com, 1
+hillstrak.com.au, 1
+hillstrakwpg.com.au, 1
+hilltopcellar.com, 1
+hilltopsurgicalhospital.ga, 1
+hilnu.com, 1
+hilomrm.com, 1
+hiltonfoundation.org, 1
+hiltonhylandluxurycondos.com, 1
+hilunetan.tk, 1
+himalaja-kender.hu, 1
+himalaya-masala.at, 1
+himarijuana.tk, 1
+himawari-scanlator.tk, 1
+himawari-shika.org, 1
+himbamcky.com, 1
+himcy.ga, 1
+himens.com, 0
+himg.eu, 1
+himic.ru, 0
+himiku.com, 1
+himj.de, 1
+himmi.ru, 1
+himnosycanticos.org, 1
+himpler.com, 0
+himprom.com, 1
+hin10.com, 1
+hinaryazan.com, 1
+hinasense.jp, 1
+hinata-hidetoshi.com, 1
+hinatayamagolf.jp, 1
+hindenburgring.com, 1
+hindenburgring.de, 1
+hindibaba.tk, 1
+hindigalaxy.com, 1
+hindikibindi.tk, 1
+hindimeinjankari.com, 1
+hindimeseekhe.tk, 1
+hindimoviedownload.net, 1
+hindu-temple.tk, 1
+hinduradio.tk, 1
+hindustantimes.ml, 1
+hinduworld.tk, 1
+hindweb.tk, 1
+hingehealth.com, 0
+hingle.me, 1
+hinhanhykhoa.com, 1
+hinit.no, 1
+hinkel.tk, 1
+hinketsujyoshi-no-torisetsu.com, 1
+hinotify.io, 1
+hinsdaledental.com, 1
+hintergedanken.com, 0
+hinterposemuckel.de, 1
+hinto.com.au, 1
+hintss.pw, 0
+hinyari.net, 1
+hiob.fr, 0
+hiorth.tk, 1
+hiparish.org, 1
+hipcircles.tk, 1
+hipecompany.tk, 1
+hipeople.com.br, 1
+hiper-humor.tk, 1
+hipercultura.com, 1
+hipermenu.com, 1
+hipersuli.hu, 1
+hiphop.ren, 1
+hiphopall.tk, 1
+hiphopbolivia.tk, 1
+hiphopdates.de, 1
+hiphopfashion.tk, 1
+hipkneeortho.com.sg, 1
+hipnos.net, 1
+hipnosecriciuma.com.br, 1
+hipnosisypsicoterapia.com, 1
+hipnotista.tk, 1
+hipo.pt, 1
+hipocampo.org, 1
+hipodromcasusu.tk, 1
+hippiekiller.net, 1
+hippies.com.br, 1
+hippogriffhaven.com, 1
+hippogriffhaven.net, 1
+hippolini-herold.de, 1
+hippomovers.com, 1
+hippopotamuses.org, 1
+hips.com, 1
+hipstermamaproductions.com, 1
+hipsterpixel.co, 1
+hiptwist.tk, 1
+hipuranyhou.cz, 1
+hiq.co.za, 1
+hiq.sh, 1
+hirake55.com, 1
+hiramoto-ph.com, 1
+hiramvlgohio.gov, 1
+hirano-shikaclinic.com, 1
+hiranosayuri-piano.com, 1
+hiratake.xyz, 1
+hireabouncycastle.net, 1
+hirechrisfinazzo.com, 1
+hirecities.cf, 1
+hirecities.ml, 1
+hirecitiesers.ga, 1
+hirecitiesest.ga, 1
+hirecto.io, 1
+hireinsight.io, 1
+hirel.gq, 1
+hirepro.in, 1
+hireprofs.com, 1
+hirerecruiters.io, 1
+hireshield.com, 1
+hiresteve.ca, 1
+hirevets.gov, 1
+hirevo.eu, 1
+hirevue.com, 1
+hirewiz.tk, 1
+hirezzportal.com, 1
+hiring-process.org, 1
+hiringopps.com, 1
+hiringprocess.careers, 1
+hirisejanitorial.com, 0
+hirobbie.com, 1
+hiromi-dental.tokyo, 1
+hiromi.eu.org, 1
+hiromuogawa.com, 1
+hirorock.tk, 1
+hirosehp.jp, 1
+hiroshima-lpg-shien.jp, 1
+hirotaka.org, 1
+hirsch-lawyer.tk, 1
+hirschbergertal.de, 1
+hirschl.eu, 1
+hirtz.pm, 1
+hirtzfr.eu, 1
+hiru.top, 1
+hirumo.com, 1
+hirunet.ml, 1
+hiruthicsha.com, 1
+his.com, 1
+hisax.de, 1
+hisbrucker.net, 1
+hiseplast.com.br, 0
+hishirikka.com, 1
+hisoft.pk, 1
+hispadent.com.do, 1
+hispalazarus.tk, 1
+hispania-valencia.com, 1
+hispania.ml, 1
+hispanidad.tk, 1
+hispasat.es, 1
+hispashare.org, 1
+hispasonic.com, 1
+hispro.co, 1
+hisregistries.net, 1
+hisregistries.org, 1
+hisscentralen.se, 1
+hisscraft.se, 1
+hissgruppen.com, 1
+histalek.de, 0
+histhist.ru, 1
+histicle.com, 1
+histkult.ml, 1
+histkult.tk, 1
+histogames.com, 1
+histoire-cite.ch, 0
+histoires.tk, 1
+historia-arte.com, 1
+historiadebagua.tk, 1
+historiaeculturaguarani.org, 1
+historiarte.tk, 1
+historiasdepueblo.es, 1
+historiasyrelatos.tk, 1
+historiasztuki.tk, 1
+historicengland.org.uk, 1
+historichousesghent.be, 1
+historicizam.tk, 1
+historischehuizengent.be, 1
+history-schools.com, 1
+history-vision.tk, 1
+history.google.com, 1
+history.gov, 1
+history.pe, 1
+historymuseumsb.org, 1
+historytree.net, 1
+hit-electronics.com, 1
+hit.moe, 1
+hitchcockcountyne.gov, 1
+hitchen.net, 1
+hitchens.tk, 1
+hitchpin.com, 1
+hitchunion.org, 1
+hitech-news.ml, 1
+hitech-zone.com, 0
+hitekcomputing.net, 1
+hitekmechanical.com, 1
+hitel.tk, 1
+hiteshchandwani.com, 1
+hitflow.fr, 1
+hitflow.net, 1
+hitfm.ml, 1
+hitfm.tk, 1
+hithai.net, 1
+hitham.tk, 1
+hithouse.tk, 1
+hitiles.tk, 1
+hitimewine.net, 1
+hititgunesi-tr.com, 1
+hititleers.ga, 1
+hititleest.ga, 1
+hitkey.tk, 1
+hitleap.com, 1
+hitmaker.ga, 1
+hitmaker.tk, 1
+hitmanstat.us, 1
+hitmen.tk, 1
+hitmix.tk, 1
+hitmyheart.tk, 1
+hitn.at, 1
+hitocom.net.br, 1
+hitokoto-mania.com, 1
+hitokoto.cn, 1
+hitomecha.com, 1
+hitori-inc.com, 1
+hitpatrolers.ga, 1
+hitpatrolest.ga, 1
+hitpointer.tk, 1
+hitpt.com, 0
+hitrecord.org, 1
+hitrek.ml, 1
+hitrow-move.ga, 1
+hitrueauthentic.com, 1
+hitsk.in, 1
+hitter-lauzon.com, 1
+hitter.family, 1
+hitterfamily.com, 1
+hittop.tk, 1
+hittra.eu, 1
+hiv-symptome.de, 1
+hiv.com.tw, 1
+hiv.gov, 1
+hivaids.tk, 1
+hivatal-info.hu, 1
+hivault.cf, 1
+hive.gov, 1
+hive101.info, 1
+hivekey.eu, 1
+hivekey.io, 1
+hivelocity.net, 1
+hivemind.org, 1
+hivemindsystems.com, 1
+hiveopolis.eu, 1
+hiverlune.net, 0
+hivesigner.com, 1
+hiwannz.com, 1
+hiwebsite.tk, 1
+hiwiki.tk, 1
+hix.fi, 1
+hiyacar.co.uk, 1
+hiyuki2578.net, 1
+hizakura.nl, 1
+hizhina-hagrida.ru, 1
+hizliresim.com, 1
+hj-mosaiques.be, 1
+hj.rs, 1
+hj111777.com, 0
+hj2375.com, 0
+hj3586.com, 0
+hj3639.com, 0
+hj5386.com, 0
+hj555.cc, 1
+hj556.cc, 1
+hj6298.com, 0
+hj6929.com, 0
+hj9379.com, 1
+hj99111.com, 1
+hj99333.com, 0
+hjallboscoutkar.se, 1
+hjaltespizza.dk, 1
+hjartasmarta.se, 1
+hjbw-sterken.nl, 1
+hjdiaz.com, 1
+hjelmqvist-it.se, 1
+hjelpemiddeldatabasen.no, 1
+hjes.com.ve, 1
+hjkbm.cn, 1
+hjmag.com, 0
+hjorslev.com, 1
+hjort-froik.com, 1
+hjort.land, 1
+hjosh.com, 1
+hjoworld.tk, 1
+hjphoto.co.uk, 1
+hjtky.cn, 1
+hjyl.org, 1
+hjyl.xn--fiqs8s, 0
+hjyl1999.com, 0
+hjyl2828.com, 0
+hjyl299.com, 0
+hjyl699.com, 0
+hjyl7999.com, 0
+hjyl9898.com, 0
+hk-shuttle.net, 1
+hk.search.yahoo.com, 0
+hk130.com, 1
+hkamran.com, 1
+hkas.org.hk, 1
+hkconcept.lu, 1
+hkgix.net, 1
+hkl-gruppe.de, 1
+hkmap.co, 1
+hkmap.com, 1
+hkmap.live, 1
+hkmap.net, 1
+hkmusz.cn, 0
+hkno.it, 1
+hkoreatv.gq, 1
+hkp-usa.com, 1
+hkr.at, 1
+hks.pw, 1
+hkskhf.dk, 1
+hkspeed.com, 1
+hktech.link, 1
+hktkl.com, 1
+hktss.pp.ua, 1
+hkustmbajp.com, 1
+hkvi.nl, 1
+hl-design.co.kr, 1
+hl8id.club, 1
+hl8id.vip, 1
+hl8th.vip, 1
+hlavacek.us, 1
+hlavi.hu, 1
+hlebopekarna.com, 1
+hledejlevne.cz, 1
+hledejpravnika.cz, 1
+hlfh.space, 1
+hlg88.cc, 1
+hlidani-tornado.cz, 1
+hlinformatics.nl, 1
+hllr.xyz, 1
+hlm.wtf, 1
+hln.be, 1
+hloe0xff.ru, 1
+hlopokshop.ru, 1
+hlp.group, 1
+hlpublicidad.com, 1
+hls-tutorial.tk, 1
+hlsblog.com, 1
+hlsjgw.com, 1
+hlsmandarincentre.com, 1
+hlsquality.com, 1
+hlstory.tk, 1
+hltdos.com, 1
+hltk.fi, 1
+hltv.org.cn, 1
+hlucas.de, 1
+hlx66.cc, 1
+hlx86.cc, 1
+hly0928.com, 1
+hlz.mn, 1
+hm-notes.ru, 1
+hm.ee, 0
+hm1ch.com, 1
+hm1ch.ovh, 1
+hmarchat.tk, 1
+hmbana.org, 1
+hmcdj.cn, 1
+hmcreations.us, 1
+hme360.com, 1
+hmgym.ru, 1
+hmka.com, 0
+hmlpoc.com.br, 1
+hmnd.io, 1
+hmodapk.com, 1
+hmp.sc, 1
+hms-networks.com, 0
+hms-zentrum.de, 1
+hmshost.com, 1
+hmsotel.com, 1
+hmsplatform.tk, 1
+hmtransfer.ir, 1
+hmv.com, 1
+hn.search.yahoo.com, 0
+hn122.cc, 1
+hndmd.com, 1
+hnfertilizermachine.com, 1
+hnmd9.gq, 1
+hnn.net.br, 1
+hno-arzt-thomitzek.de, 1
+hno-norderstedt.de, 1
+hnojik.cz, 1
+hnsseed.com, 1
+hntuin.nl, 1
+hny.co, 1
+hnyp.hu, 1
+hoaas.no, 1
+hoahau.org, 1
+hoahop.tk, 1
+hoanghaiauto.vn, 1
+hoangvangioi.com, 1
+hoaphathomes.com, 1
+hoardit.ml, 1
+hoathienthao.com, 1
+hoathienthao.vn, 1
+hobartok.gov, 1
+hobbiesworld.tk, 1
+hobby-drechselei.de, 1
+hobby-lover.com, 1
+hobby4geek.com, 1
+hobbybrauer.de, 1
+hobbydo.cf, 1
+hobbydo.ga, 1
+hobbydo.gq, 1
+hobbyhorseslovakia.com, 1
+hobbyvogue.com, 1
+hobbyweeklyers.ga, 1
+hobbyweeklyest.ga, 1
+hoberg.ch, 1
+hobiliga.mk, 1
+hobindesign.com, 1
+hobo.video, 1
+hoboken.tk, 1
+hobokenpdnj.gov, 1
+hobokenrecords.tk, 1
+hobonline.tk, 1
+hobroefterskole.dk, 1
+hoc-bv.nl, 1
+hoccovua.vn, 1
+hochatown.gov, 1
+hochhaus.us, 1
+hochheimer-zeitung.de, 1
+hochimins.org, 1
+hochland.pl, 1
+hochoukikikiraku.com, 1
+hochuvrotik.cf, 1
+hochyi.com, 0
+hochzeit-ap.de, 1
+hochzeit-cm.at, 1
+hochzeit-dana-laurens.de, 1
+hochzeit-saufzeichnungen.tk, 1
+hochzeitsplaner-rodgau.de, 1
+hochzeitsplanerin-hamburg.de, 1
+hochzeitsregion.at, 1
+hochzeitstypen.de, 1
+hockey.academy, 1
+hockeyalertest.ga, 1
+hockeyapp.ch, 1
+hockeymotion.ch, 0
+hockingfamily.net, 1
+hockingfamily.nz, 1
+hockinghills.com, 1
+hockinghillscabins.com, 1
+hocoma.com.mx, 1
+hocoma.eu, 1
+hocoma.net, 1
+hocoma.org, 1
+hoctienganhgiaotiep.ga, 1
+hodeis.ga, 1
+hodes.tk, 1
+hodgeman.gov, 1
+hodgephotography.com, 1
+hodi.dk, 1
+hodi.host, 1
+hoe.re, 1
+hoegl.com, 0
+hoeheterobenjij.nl, 1
+hoejetaastrupprovsti.dk, 1
+hoelty.network, 1
+hoerbuecher-und-hoerspiele.de, 1
+hoeren.club, 1
+hoerspielbox.de, 1
+hoesnelwasik.nl, 1
+hoest.it, 1
+hoeveiligismijn.nl, 1
+hoewler.ch, 0
+hof-imbiss-lieske.de, 1
+hof-mulin.ch, 1
+hofapp.de, 1
+hofbraeu-muenchen.de, 1
+hoferdach.de, 1
+hoffmancorporation.com, 1
+hoffmanig.com, 1
+hoffmannresearch.ca, 1
+hoffmanns-ballonshop.de, 1
+hoffmeyer.me, 1
+hoffnungdeutschland.de, 1
+hofgut.net, 1
+hofiprojekt.cz, 1
+hofmannenhofmann.nl, 1
+hofmeisterkink.com, 1
+hofor.dk, 1
+hofpleinlijn.nl, 1
+hofstaetter.io, 1
+hoga.fr, 1
+hogamail.fr, 1
+hogar.gt, 1
+hoge.se, 1
+hogepad.com, 0
+hogerduinen.tk, 1
+hogeslagolst.nl, 1
+hogl.dk, 1
+hogrebe.de, 0
+hogren.cf, 1
+hogren.ga, 1
+hogren.gq, 1
+hogvorts.tk, 1
+hogwarts.io, 1
+hogwartshome.org.ua, 1
+hoh.com.sg, 1
+hohenleimbach.de, 1
+hohenpoelz.de, 1
+hohlhupe.de, 1
+hohlhupen.de, 1
+hohm.in, 1
+hohma.tk, 1
+hohnet.com, 0
+hohny.gov, 1
+hoikin.tk, 1
+hoiku-map.tokyo, 0
+hoiku-navi.com, 0
+hoing.io, 1
+hoistsdirect.com, 1
+hojalatero.tk, 1
+hojat.tk, 1
+hojoworks.com, 1
+hoka.com, 1
+hoken-okazaki.com, 1
+hoken-wakaru.jp, 1
+hokende.com, 1
+hokenselect.jp, 1
+hokioisecurity.com, 1
+hokkaido.tk, 1
+hokko.de, 1
+hokqbet88.co, 1
+hokuin.co.jp, 1
+hokung.xyz, 1
+holacannx.com, 1
+holacbdoils.com, 1
+holad.de, 1
+holadinero.es, 0
+holadinero.mx, 0
+holainternet.tk, 1
+holbrookaz.gov, 1
+holdengreene.com, 1
+holdenmaine.gov, 1
+holdenmo.gov, 1
+holderbekebvba.be, 1
+holdiers.tk, 1
+holdingcelebrations.tk, 1
+holdinghandsbrazil.com, 1
+holdmybeer.io, 0
+holdmymeme.com, 1
+holdperson.tk, 1
+holebedeljek.hu, 1
+holeboom.com, 1
+holgapanama.tk, 1
+holger-schwarze.de, 1
+holgergruenhagen.com, 1
+holgerlehner.com, 1
+holgr.com, 1
+holi-coresdaindia.com.br, 1
+holiday-home-baer.de, 1
+holidayacademy.co.uk, 1
+holidayair.net, 1
+holidaycity.org, 1
+holidayclub.tk, 1
+holidayformula.ru, 1
+holidayhomestrust.info, 1
+holidayincotswolds.co.uk, 1
+holidayland.gent, 1
+holidaylocal.ga, 1
+holidaylocalers.ga, 1
+holidaylocalest.ga, 1
+holidays-info.com, 1
+holidaytable.tk, 1
+holidaytours.tk, 1
+holine.studio, 1
+holini.com, 0
+holisticacupuncture.com.au, 1
+holisticdevelopmentagency.ml, 1
+holistichealer.in, 1
+holisticon.de, 1
+holisticwebsolutions.co.uk, 1
+holiy.jp, 1
+hollabanken.cf, 1
+holladayut.gov, 1
+holland-sailing.de, 1
+hollandco.com, 1
+hollanderclub.tk, 1
+hollandersleepproducts.com, 1
+hollandhouse.info, 1
+hollandsewolken.nl, 1
+hollandskroon.nl, 1
+hollandsweb.com, 1
+hollandwi.gov, 1
+hollermann.eu, 1
+hollingsworthpaul.com, 1
+hollinsbookstore.com, 1
+hollistermo.gov, 1
+hollisters.servepics.com, 1
+hollmann.international, 1
+hollomanfss.marketing, 1
+hollowman.ml, 1
+hollowrap.com, 1
+hollowwinds.xyz, 1
+holly.lgbt, 1
+hollybanks.net, 1
+hollybonnerdesigns.com, 1
+hollyforrest.ca, 1
+hollyforrestphotography.ca, 1
+hollyloless.com, 1
+hollyloless.net, 1
+hollyloless.org, 1
+hollyspringsfarmnac.com, 1
+hollyspringsms.gov, 1
+hollywoodbios.com, 1
+hollywoodsmilesfl.com, 1
+hollywoodstars.tk, 1
+hollyworks.com, 1
+holmenwi.gov, 1
+holmes.ie, 0
+holmeselectionsfl.gov, 1
+holmesian.org, 1
+holmeslaw.ie, 1
+holmesworkholding.co.uk, 1
+holmium-laser.ru, 0
+holmq.dk, 1
+holmqvist.tk, 1
+holo.host, 1
+holo.ovh, 1
+holocron.one, 1
+holod-servis777.tk, 1
+holofox.ru, 1
+holori.com, 1
+holostyak.tk, 1
+holowaty.me, 1
+holoxplor.space, 1
+holstein.tk, 1
+holstphoto.com, 1
+holtcountyne.gov, 1
+holtkampfinancieeladvies.nl, 0
+holtslander.ca, 1
+holtwick.de, 1
+holtwick.it, 1
+holubowski.com, 1
+holundersberg.de, 1
+holvonix.com, 1
+holychaos.tk, 1
+holycrosscatholics.org, 1
+holycrossphl.org, 1
+holycrossrockporttx.org, 1
+holycrossverobeach.org, 1
+holydevils.tk, 1
+holydragoon.jp, 1
+holydumplings.net, 1
+holyfamilyrussell.org, 1
+holyghost-church.org, 1
+holygrove.tk, 1
+holyhiphopdatabase.com, 1
+holymartyrschurch.org, 1
+holyoake.org.au, 1
+holyriders.cf, 1
+holyrosary.com.au, 1
+holyscriptur.es, 1
+holyspiritpalmyra.com, 1
+holyspiritweb.org, 1
+holyszko.com, 1
+holytransaction.com, 1
+holyubofficial.net, 1
+holywhite.com, 1
+holywr.it, 1
+holzbau-lepski.de, 1
+holzed.com, 1
+holzschutz-holzbearbeitung.de, 1
+holzspielzeug-shop.ch, 1
+holzstueckwerk.de, 1
+holzundgarten.de, 1
+homa.website, 0
+homake.cf, 1
+homatism.com, 1
+homd.xyz, 1
+home-design.bg, 1
+home-hunts.com, 1
+home-insurance-quotes.tk, 1
+home-iq.at, 1
+home-iq.cz, 1
+home-iq.fr, 1
+home-iq.it, 1
+home-iq.pl, 1
+home-iq.se, 1
+home-iq.sk, 1
+home-manicure.tk, 1
+home-ncj.com, 1
+home-page.xyz, 1
+home-portal.tk, 1
+home-remedies.tk, 1
+home-sagita.tk, 1
+home.saxo, 1
+home24bank.com, 1
+homeable.io, 1
+homeadore.com, 1
+homeadvice.ga, 1
+homeadvice.tk, 1
+homeandliving.it, 1
+homebank.kg, 1
+homebar.ml, 1
+homebasedbusinessopportunity.tk, 1
+homebattle.ga, 1
+homeblaster.ga, 1
+homebrew.tk, 1
+homebrewshop.be, 1
+homebrewworm.tk, 1
+homebuilder.tk, 1
+homebutton.tk, 1
+homecache.ga, 1
+homecareassociatespa.com, 1
+homecaring.com.au, 1
+homecaster.ga, 1
+homecatch.ga, 1
+homecharte.ga, 1
+homechase.ga, 1
+homechase.tk, 1
+homecheck.gr, 1
+homecinema-fr.com, 1
+homeclient.ga, 1
+homecollections.ga, 1
+homecoming.city, 1
+homecompost.in, 1
+homecpr.com.au, 1
+homecrawler.ga, 1
+homecreatives.net, 1
+homedecorclassic.tk, 1
+homedecorspecialists.com, 1
+homedesignabilene.tk, 1
+homedesignakron.tk, 1
+homedesignalbuquerque.tk, 1
+homedesignamarillo.tk, 1
+homedesignanaconda.tk, 1
+homedesignanchorage.tk, 1
+homedesignarlington.tk, 1
+homedesignarvada.tk, 1
+homedesignathens.tk, 1
+homedesignatlanta.tk, 1
+homedesignaugusta.tk, 1
+homedesignaustin.tk, 1
+homedesignbabbitt.tk, 1
+homedesignbakersfield.tk, 1
+homedesignbatonrouge.tk, 1
+homedesignbirmingham.tk, 1
+homedesignboise.tk, 1
+homedesignboston.tk, 1
+homedesignbouldercity.tk, 1
+homedesignbuckeye.tk, 1
+homedesignbuffalo.tk, 1
+homedesigncaliforniacity.tk, 1
+homedesigncapecoral.tk, 1
+homedesigncary.tk, 1
+homedesigncasagrande.tk, 1
+homedesignchandler.tk, 1
+homedesignchattanooga.tk, 1
+homedesignchesapeake.tk, 1
+homedesignchicago.tk, 1
+homedesigncincinnati.tk, 1
+homedesigncleveland.tk, 1
+homedesignclinton.tk, 1
+homedesignclovis.tk, 1
+homedesigncolorado.tk, 1
+homedesigncolumbus.tk, 1
+homedesigncompany.co.nz, 1
+homedesigncorona.tk, 1
+homedesigncorpuschristi.tk, 1
+homedesigncusseta.tk, 1
+homedesigndayton.tk, 1
+homedesigndesmoines.tk, 1
+homedesigndetroit.tk, 1
+homedesigndowney.tk, 1
+homedesigndurham.tk, 1
+homedesignedison.tk, 1
+homedesignedmond.tk, 1
+homedesignellsworth.tk, 1
+homedesignelpaso.tk, 1
+homedesignelreno.tk, 1
+homedesignera.tk, 1
+homedesigneugene.tk, 1
+homedesignfayetteville.tk, 1
+homedesignfontana.tk, 1
+homedesignfresno.tk, 1
+homedesignfrisco.tk, 1
+homedesigngarland.tk, 1
+homedesigngeorgetown.tk, 1
+homedesigngilbert.tk, 1
+homedesignhartford.tk, 1
+homedesignhartsville.tk, 1
+homedesignhayward.tk, 1
+homedesignirvine.tk, 1
+homedesignjacksonville.tk, 1
+homedesignjonesboro.tk, 1
+homedesignjuneau.tk, 1
+homedesignknoxville.tk, 1
+homedesignlasvegas.tk, 1
+homedesignlexington.tk, 1
+homedesignlincoln.tk, 1
+homedesignlubbock.tk, 1
+homedesignlynchburg.tk, 1
+homedesignmacon.tk, 1
+homedesignmadison.tk, 1
+homedesignmesa.tk, 1
+homedesignmiami.tk, 1
+homedesignmidland.tk, 1
+homedesignmilwaukee.tk, 1
+homedesignmobile.tk, 1
+homedesignmontgomery.tk, 1
+homedesignnews.tk, 1
+homedesignnewyork.tk, 1
+homedesignnewyorkcity.tk, 1
+homedesignnightmute.tk, 1
+homedesignnorman.tk, 1
+homedesignoakland.tk, 1
+homedesignohio.tk, 1
+homedesignomaha.tk, 1
+homedesignontario.tk, 1
+homedesignorlando.tk, 1
+homedesignoxnard.tk, 1
+homedesignpaterson.tk, 1
+homedesignpeoria.tk, 1
+homedesignphoenix.tk, 1
+homedesignplano.tk, 1
+homedesignportland.tk, 1
+homedesignraleigh.tk, 1
+homedesignrichmond.tk, 1
+homedesignsandiego.tk, 1
+homedesignsanfrancisco.tk, 1
+homedesignsantaana.tk, 1
+homedesignseattle.tk, 1
+homedesignstamford.tk, 1
+homedesigntacoma.tk, 1
+homedesigntampa.tk, 1
+homedesigntoledo.tk, 1
+homedesigntucson.tk, 1
+homedesigntulsa.tk, 1
+homedesignventura.tk, 1
+homedesignwashington.tk, 1
+homedev.cf, 1
+homedeveloper.cf, 1
+homedeveloper.ga, 1
+homedeveloper.gq, 1
+homedeveloper.ml, 1
+homedeveloper.tk, 1
+homedirectory.ml, 1
+homedizz.top, 1
+homedollar.ga, 1
+homedollars.ga, 1
+homeduck.ga, 1
+homeeagle.ga, 1
+homeehome.com, 1
+homeer.com, 1
+homeexperience.tk, 1
+homefacialpro.com, 0
+homefarmhealesville.com.au, 1
+homeflag.ga, 1
+homefolder.ga, 1
+homeforeveryone.tk, 1
+homeforfamily.tk, 1
+homeformula.ga, 1
+homeforum.tk, 1
+homegang.ga, 1
+homegardendecoration.tk, 1
+homegardengift.com, 1
+homegardeningforum.com, 1
+homegardenresort.nl, 1
+homegeo.ga, 1
+homegreenmark.com, 1
+homegreens.eu, 1
+homegrounds.co, 1
+homegrowncannabisco.com, 1
+homegun.ga, 1
+homeideasanddesigns.tk, 1
+homeimagician.com.au, 1
+homeimprovement.ga, 1
+homeimprovementinfo.tk, 1
+homeimprovementnews.tk, 1
+homeindiainfratech.com, 1
+homeinet.tk, 1
+homeinformation.tk, 1
+homeinformationpackages.com, 1
+homeinspired.tk, 1
+homeinteriorasia.tk, 1
+homeinteriorcanada.tk, 1
+homeinteriorebuild.tk, 1
+homeinterioritaly.tk, 1
+homeinteriorremodel.tk, 1
+homeinterioruk.tk, 1
+homeinteriorusa.tk, 1
+homeinvasion.tk, 1
+homeinvention.tk, 1
+homejapanese.ml, 1
+homekiss.ga, 1
+homelab.farm, 1
+homelabquotes.com, 1
+homeland.ie, 1
+homelandsecurity.gov, 1
+homelandsecurityedu.org, 1
+homeletter.ga, 1
+homelib.cf, 1
+homelion.ga, 1
+homelove.tk, 1
+homelovehome.tk, 1
+homemadetips.ga, 1
+homemadetipsers.ga, 1
+homemadetipsest.ga, 1
+homemarks.ga, 1
+homemaster-chita.ru, 1
+homematicblog.de, 1
+homemediadb.org, 1
+homemember.ga, 1
+homemessenger.ga, 1
+homen.in, 1
+homenature.tk, 1
+homenetworksecurity.eu, 1
+homenewsdesign.tk, 1
+homeniano.com, 1
+homenight.ga, 1
+homensdeouro.com.br, 1
+homenumber.ga, 1
+homeodynamics.com, 1
+homeoesp.org, 1
+homeofbeer.nl, 1
+homeofceline.tk, 1
+homeofjones.net, 1
+homeologyla.com, 1
+homeomatic.ga, 1
+homeopathie.tk, 1
+homeopathieridderspoor.nl, 1
+homeoperator.net, 1
+homeopplis.ga, 1
+homeorama.ga, 1
+homeostase.pt, 1
+homeover.ga, 1
+homeownersinsurancenv.com, 1
+homepage-nach-preis.de, 1
+homepal.cf, 1
+homepal.ga, 1
+homepal.gq, 1
+homepassport.ga, 1
+homepatch.ga, 1
+homephonelookup.tk, 1
+homeprivate.de, 1
+homeprivate.net, 1
+homepropertyera.tk, 1
+homepropertyinfo.tk, 1
+homepropertynews.tk, 1
+homepropertyunique.tk, 1
+homepropertyworld.tk, 1
+homeprotech.com, 1
+homequality.tk, 1
+homerail.ga, 1
+homerally.ga, 1
+homerecording.com, 1
+homerepairsideas.tk, 1
+homerequest.ga, 1
+homerex.ga, 1
+homero.tk, 1
+homesbyayres.com, 1
+homeschoolinkorea.tk, 1
+homesconnect.com, 1
+homeseguridad.com, 1
+homeseller.com, 1
+homeserve.es, 1
+homeserver-kp.de, 1
+homesforaustralia.ga, 1
+homesfordinner.ca, 1
+homeshow.ml, 1
+homeshowoff.com, 1
+homesonic.ga, 1
+homesport.es, 1
+homespunhouse.tk, 1
+homespure.com, 1
+homestamp.ga, 1
+homestead-honey.com, 1
+homesteadfarm.org, 1
+homesteadserver.cloud, 1
+homesteadtwpmi.gov, 1
+homestick.ga, 1
+homestreaming.ga, 1
+homestuck.ml, 1
+homesugar.ga, 1
+homesuite.tk, 1
+homesweethouse.tk, 1
+hometeenorgy.com, 1
+hometown.ml, 1
+hometrust.ca, 0
+hometunnel.de, 0
+homeunder.ga, 1
+homeunion.tk, 1
+homeview.ga, 1
+homevisual.ga, 1
+homewatt.co.uk, 1
+homewebnews.tk, 1
+homewidget.ga, 1
+homewinner.ga, 1
+homewish.ga, 1
+homewood.com, 1
+homeworkacers.com, 1
+homeworksuite.com, 1
+homeworld.ga, 1
+homeyou.com, 1
+homeyx.cf, 1
+homezlog.com, 1
+homitov.tk, 1
+hommecontemporain.org, 1
+homnest.fr, 0
+homo.ga, 1
+homofo.tk, 1
+homoglyph.net, 1
+homointerneticus.tk, 1
+homokfuvo.com, 1
+homoo.social, 1
+homophobia.tk, 1
+homophones.ml, 1
+homowank.com, 1
+hompimpaa.id, 1
+hompus.nl, 0
+homs.design, 1
+homunyan.com, 1
+homyak.gq, 1
+homyhomee.com, 1
+homyremedies.com, 1
+honaragah.com, 1
+honbin.tw, 1
+honda2wheelersindia.com, 1
+honda2wheelersindia.in, 1
+hondaactivindia.com, 1
+hondaarabia.com, 1
+hondacustomerserviceexperience.com, 1
+hondadigitalevent.com, 1
+hondago-bikerental.jp, 1
+hondainamerica.com, 1
+hondaindiafoundation.org, 1
+hondapartsnow.com, 1
+hondapowerproducts.ph, 1
+hondasancarlos.com, 1
+hondaswap.com, 1
+hondengedragscentrumfriesland.nl, 1
+hondensnacks.shop, 1
+hondudiario.tk, 1
+honest.ga, 1
+honestblogers.ga, 1
+honestblogest.ga, 1
+honestworknmoney.tk, 1
+honesty.com.pl, 1
+honey-whale.com, 1
+honey.beer, 1
+honeybhealthyliving.com, 1
+honeybrooklibrary.org, 1
+honeycomb.io, 1
+honeycombcreative.com, 1
+honeycome-recruit.com, 0
+honeycreeper.com, 1
+honeycrypt.com, 1
+honeyfact.com, 1
+honeygirl.tk, 1
+honeyspot.de, 1
+honeysucklewhite.com, 1
+honeytracks.com, 1
+honeyuniversity.net, 1
+honeyxlips.com, 1
+hong.com.br, 1
+hong.io, 1
+hongbomiao.com, 1
+honghan.tw, 1
+hongjun.li, 1
+hongki.tk, 1
+hongkongliberate.com, 1
+hongkongwillwin.com, 1
+hongnguyen.tk, 1
+hongo-ganka.com, 1
+hongocha.tk, 1
+hongorw.tk, 1
+hongosdemexico.tk, 1
+honguyensy.tk, 1
+hongyun-rent.com, 1
+honigconte.com, 1
+honigkuchenpferdeher.de, 1
+honkai.sr, 1
+honkhonk.net, 1
+honkion.net, 1
+honnedechuju.com, 1
+honoka-seitai.jp, 1
+honolulubws.gov, 1
+honovere.de, 1
+hontint.com, 1
+hontoir.eu, 1
+honzakulig.com, 1
+hoo.lt, 1
+hooapp.lt, 1
+hood-epc.xyz, 1
+hoodiessouthafrica.com, 1
+hoodoo.io, 1
+hoodoo.tech, 1
+hoodrivercounty.gov, 1
+hoodsite.com, 1
+hoofdredacteuren.nl, 1
+hoofexplorer.com, 1
+hoofexplorer.de, 1
+hoogdam.tk, 1
+hoogeveen.nl, 0
+hooghiemstrazelf.nl, 1
+hoogstraatseschaakclub.tk, 1
+hoogveen.tk, 1
+hookagency.com, 1
+hookah-uae.com, 1
+hookahfoil.ru, 1
+hookandloom.com, 1
+hookbin.com, 1
+hookedoncraftswaterford.ie, 1
+hookercountyne.gov, 1
+hookshotdesign.com, 1
+hoolibit.com, 1
+hooliganka.tk, 1
+hooliganz.tk, 1
+hoon.tk, 1
+hoooc.com, 1
+hoop.la, 1
+hooperlabs.xyz, 1
+hoopertechnicalsolutions.com, 1
+hooprelief.tk, 1
+hoopweb.org, 1
+hooray.beer, 1
+hoorig.de, 1
+hoorr.com, 1
+hoos.cf, 1
+hoosa.de, 1
+hooshop.lt, 1
+hootv.lt, 1
+hootworld.net, 0
+hoovism.com, 1
+hop-ict.nl, 1
+hop.exchange, 1
+hope.com, 1
+hopeandhealing.cz, 1
+hopeforlorn.tk, 1
+hopefultexas.com, 1
+hopeland.com.br, 1
+hopemeet.info, 1
+hopemeet.me, 1
+hopepartnershipproject.com, 1
+hopesanddreams.org.uk, 1
+hopeworld.pro, 1
+hopf.de, 1
+hopglass.eu, 1
+hopglass.net, 1
+hopi.com.tr, 1
+hopict.nl, 1
+hopital-tarascon09.fr, 1
+hopitaux-ariege.fr, 1
+hopkintonpolice-ri.gov, 1
+hopkintonri.gov, 1
+hoplongtech.com, 1
+hopo.design, 1
+hoponmedia.de, 1
+hops-and-ashes.de, 1
+hopscotch.cz, 1
+hopscotchmodel.com, 1
+hor.rent, 1
+hor.website, 1
+horablanquiazul.tk, 1
+horaceli.com, 1
+horaciolopez.pro, 1
+horackova.info, 1
+horaenpunto.com, 1
+horairetrain.ch, 1
+horairetrain.fr, 1
+horairetrain.lu, 1
+horairetrain.nl, 1
+horamesianica.tk, 1
+horcajadadelatorre.tk, 1
+horclan.tk, 1
+hord.ca, 1
+horde-entertainment.tk, 1
+horecatiger.eu, 1
+horeco.com, 1
+horgenberg.com, 1
+horiconwi.gov, 1
+horikawa-cement.co.jp, 1
+horionimoveis.com.br, 1
+horizon.ne.jp, 1
+horizonlawncare.tk, 1
+horizonmail.ga, 1
+horizonpainting.ca, 1
+horizonshypnosis.ca, 0
+horizonsmilestx.com, 1
+horizonsocial.media, 1
+horizontalsystems.io, 1
+horizonveterinaryservices.com, 1
+horkel.cf, 1
+horkel.tk, 1
+hormet.tk, 1
+hormigonimpreso.biz, 1
+hormonetrackerers.ga, 1
+hormonetrackerest.ga, 1
+horn.co, 1
+hornbach-holding.de, 1
+hornblower.tk, 1
+hornburg.io, 1
+horne.com, 1
+hornet.pl, 1
+hornetsecurity.com, 1
+horneytownbrewing.com, 1
+horngyihyangped.com.tw, 1
+horntec.at, 1
+hornwiesen-grundschule.de, 1
+horny-gay-dragons.com, 1
+hornyaf.com, 1
+hornybank.com, 1
+hornyforhanzo.com, 1
+hornyhostel.com, 1
+horoca.net, 1
+horochx.org, 0
+horodance.dk, 1
+horoscope-sound-healing.com, 1
+horoscopimages.tk, 1
+horoscopist.com, 1
+horoscopo.ml, 1
+horotoday.tk, 1
+horovod.im, 1
+horozo.com, 1
+horrell.ca, 1
+horrendous-servers.com, 1
+horror-forum.de, 1
+horrordor.eu.org, 1
+horrordor.tk, 1
+horrorfreaks.tk, 1
+horrormovies.gr, 1
+horrorserv.com, 1
+horrycountysc.gov, 1
+hors.coffee, 1
+horsa.cc, 1
+horsa.io, 1
+horsa.xyz, 1
+horsebreeding.cf, 1
+horsebreeding.ga, 1
+horsebreeding.gq, 1
+horsebreeding.tk, 1
+horsegateway.com, 1
+horsehead.tk, 1
+horsehunter.co.uk, 1
+horsellscouts.org.uk, 1
+horsellscoutsandguides.com, 1
+horsemanshipdentistry.com, 1
+horsemanshipdentistryschool.com, 1
+horseplanet.tk, 1
+horsewithnoname.com, 1
+horsgroup.com, 1
+horsky.me, 1
+horstfuchs.tk, 1
+horstmanshof.eu, 1
+horstmanshof.nl, 1
+hortencollection.com, 1
+hortico.rs, 1
+horton-brasses.com, 1
+horus.com.br, 1
+horusrc.com, 1
+horvat.tk, 1
+horvath.ooo, 1
+horvathd.eu, 1
+horvatia.tk, 1
+horvatnyelvkonyv.hu, 1
+hory.me, 1
+horza.org, 1
+hosch.co.nz, 1
+hose.ga, 1
+hosentaschenblog.org, 1
+hoshi-sr.com, 1
+hoshimaq.com.br, 1
+hoshimaquinas.com.br, 1
+hoshinplan.com, 1
+hosiery.tk, 1
+hosieryexpoers.ga, 1
+hosieryexpoest.ga, 1
+hosifuri.net, 1
+hosimiyasio.com, 0
+hosoi-tax.com, 1
+hospiceandcommunitycare.com, 1
+hospiceandcommunitycare.net, 1
+hospiceandcommunitycare.org, 1
+hospicecommunity.net, 1
+hospicecommunity.org, 1
+hospiceconnect.org, 1
+hospicelights.org, 1
+hospiceoflancaster.com, 1
+hospiceoflancaster.org, 1
+hospicepathofremembrance.org, 1
+hospiceprofessional.org, 1
+hospicespringfling.org, 1
+hospicewebsite.org, 1
+hospicewise.org, 1
+hospimedia.fr, 1
+hospitalcmq.com, 1
+hospitalcruzvermelha.pt, 1
+hospitaldaluz.pt, 1
+hospitaldebarcelona.cat, 1
+hospitaldelaconcepcion.com, 1
+hospitality-colleges.com, 1
+hospitalsanjuandedios.es, 1
+hospitalsineachstate.com, 1
+hospitalviladaserra.com.br, 1
+hossi.pro, 0
+hossien.tk, 1
+host-heberg.com, 1
+host-morezar.ml, 1
+host-stage.net, 1
+host.ax, 1
+host.com.tw, 1
+host1oc.eu.org, 1
+host24.com.pk, 1
+hostadvice.com, 1
+hostalk.net, 1
+hostalsanmarcos.tk, 1
+hostarea51.com, 1
+hostathome.fr, 1
+hostaz.net, 1
+hostbility.com, 1
+hostboxonline.com, 1
+hostcloud.ml, 1
+hostcoz.com, 1
+hostcsr.com, 1
+hostdaddyhn.com, 1
+hostdns.com, 1
+hosteasy.nl, 0
+hosted-power.com, 1
+hostedcomments.com, 1
+hosteddatabase.in, 1
+hostedghost.eu, 1
+hostedghost.net, 1
+hostedghost.nl, 1
+hostedghost.org, 1
+hostedtalkgadget.google.com, 1
+hostelacion.com, 1
+hostelaciones.com, 1
+hosteleriauno.es, 1
+hostelio.com, 1
+hostelxaxid.si, 1
+hosteons.com, 1
+hostesstrainingers.ga, 1
+hostesstrainingest.ga, 1
+hostfact.nl, 1
+hostfission.com, 1
+hostfree12.tk, 1
+hostgreet.com, 1
+hosthum.com, 1
+hostiberi.com, 1
+hostidn.com, 1
+hostido.net.pl, 1
+hostiko.com.ua, 1
+hosting-fast.com, 1
+hosting-rus.tk, 1
+hosting-swiss.ch, 1
+hosting.co.jp, 1
+hostingactive.it, 0
+hostingalternative.com, 0
+hostingdesignweb.com, 0
+hostingdiario.com, 1
+hostingdirect.nl, 1
+hostingdirectory.ga, 1
+hostingedominio.com, 1
+hostingelite.tk, 1
+hostingfirst.nl, 1
+hostingforyou.online, 1
+hostinghaus.tk, 1
+hostinghelp.guru, 1
+hostinginnederland.nl, 1
+hostingmedia.cl, 1
+hostingorservers.com, 1
+hostingphp.ch, 1
+hostingsolutions.cz, 1
+hostingsupremo.com, 1
+hostingsvizzera.com, 1
+hostingtg.com, 1
+hostingtipps.eu, 1
+hostingweb.pe, 1
+hostinkos.com, 1
+hostinvest.tk, 1
+hostitforcheap.com, 1
+hostix.de, 1
+hostixo.com, 1
+hostker.com, 1
+hostker.net, 1
+hostlev.com, 1
+hostma.ma, 1
+hostmijnpagina.nl, 1
+hostmodern.com.au, 1
+hostmore.com.br, 1
+hostonssd.ga, 1
+hostpoint-static.ch, 1
+hostpoint.ch, 1
+hostprior.ro, 1
+hostreputation.com, 1
+hostripples.com, 1
+hostripples.in, 1
+hosts.cf, 0
+hostsall.com, 1
+hostup.se, 0
+hostux.network, 1
+hostwella.com, 1
+hostwinds.com, 1
+hosuronline.com, 1
+hosuto.nl, 1
+hot-and-new.gr, 1
+hot-games.gq, 1
+hot-models.tk, 1
+hot-sex-photos.com, 1
+hot-spa.ch, 0
+hot.in.th, 1
+hot101fm.tk, 1
+hotaircoldlove.tk, 1
+hotaru.tk, 1
+hotbabe.ml, 1
+hotbabesplus.com, 1
+hotbeats.tk, 1
+hotbella.net, 1
+hotblondepussy.com, 1
+hotbox.fun, 1
+hotbustymoms.com, 1
+hotcamsreview.com, 1
+hotcandlestick.com, 1
+hotcars.com, 1
+hotchillibox.co.za, 1
+hotchillibox.com, 1
+hotcoder.tk, 1
+hotcursosrio.com.br, 1
+hotdates18.dk, 1
+hotdates18.fi, 1
+hotdishes.tk, 1
+hotdoc.com.au, 1
+hotdogscoolcats.net, 1
+hotdogwheel.tk, 1
+hotdresses.ga, 1
+hote-inox.ro, 1
+hotearth.de, 1
+hotebonytube.com, 1
+hotel-4-stelle.it, 1
+hotel-altabadia.com, 1
+hotel-arabba.net, 1
+hotel-aubrac.fr, 1
+hotel-bella-muerte.tk, 1
+hotel-bolzano.org, 1
+hotel-bruneck.net, 1
+hotel-brunico.net, 1
+hotel-du-parc-allevard.fr, 1
+hotel-fleuralp.it, 1
+hotel-garni-letizia.it, 1
+hotel-gruenwald.it, 1
+hotel-kontorhaus.de, 1
+hotel-kornwestheim.de, 1
+hotel-kronjuwel.de, 1
+hotel-kyiv.com.ua, 1
+hotel-le-vaisseau.ch, 0
+hotel-leda.com, 1
+hotel-navis.hr, 1
+hotel-promyk.pl, 1
+hotel-rosner.at, 1
+hotel-rosskopf.it, 1
+hotel-selva-gardena.net, 1
+hotel-valgardena.net, 1
+hotel-vipiteno.net, 1
+hotel-vivendi.de, 1
+hotel-waldheim.eu, 1
+hotel-wartburg-stuttgart.de, 1
+hotelalpino.com, 1
+hotelandplace.com, 1
+hotelarevalo.com, 1
+hotelastor.com, 1
+hotelbird.com, 1
+hotelbiz.cf, 1
+hotelbiz.ga, 1
+hotelbiz.gq, 1
+hotelbretagne.dk, 1
+hotelconsulado.com.br, 1
+hotelcorporate.codes, 1
+hotelcorporatecodes.com, 1
+hoteldahu.it, 1
+hoteldel.com, 1
+hoteldimorae.it, 1
+hoteldvorik.ml, 1
+hotelelaphusabrac.com, 1
+hoteleldhestar.is, 1
+hotelesterobeach.com, 1
+hotelfloresta.tk, 1
+hotelfloridachaco.com, 1
+hotelflow.com.br, 1
+hotelgodisa.com, 1
+hotelident.de, 1
+hoteliers.com, 1
+hotelitalia.tk, 1
+hotelite.tk, 1
+hotelkeihan.co.jp, 1
+hotellalucciola.net, 1
+hotellamm.it, 1
+hotellaserenella.it, 1
+hotelmap.com, 1
+hotelmariasas.it, 1
+hotelmarinaadria.com, 1
+hotelmelograno.eu, 1
+hotelmonal.in, 1
+hotelnagarkotparadise.tk, 1
+hotelplazataranto.com, 1
+hotelponcowinatan.com, 1
+hotelpromo.codes, 1
+hotelreis.com.br, 1
+hotelriviera.co.uk, 1
+hotels-insolites.com, 1
+hotels-resorts-in-crimea.tk, 1
+hotels3d.com, 1
+hotels4teams.com, 1
+hotelsalzberg.ga, 1
+hotelsalzberg.gq, 1
+hotelsalzberg.ml, 1
+hotelsantalibera.tk, 1
+hotelsfares.com, 1
+hotelsinbuxton.com, 1
+hotelsinformer.com, 1
+hotelsingaporeairport.com, 1
+hotelsinncoventry.com, 1
+hotelsonline.tk, 1
+hotelsrejber.cz, 1
+hotelsrit.tk, 1
+hotelsthisweekend.com, 1
+hotelsvetaekaterina.com, 1
+hotelv.com, 1
+hotelvalena.com, 1
+hotelvisegrad.hu, 1
+hotelzapse-aurora.tk, 1
+hotesb.net, 1
+hotfiesta.ml, 1
+hotgirl.tv, 1
+hotglue.me, 1
+hothag.com, 1
+hothardware.com, 1
+hothbricks.com, 0
+hotheart.ru, 1
+hothub.net, 1
+hotiii.ga, 1
+hotiks.tk, 1
+hotjasmingirls.com, 1
+hotlinenum.com, 1
+hotlinetohell.cf, 1
+hotlog.tk, 1
+hotmail, 1
+hotmango.tk, 1
+hotmann.de, 1
+hotmart.com, 1
+hotmilfphotos.com, 1
+hotmom.tv, 1
+hotmomsvideos.com, 1
+hotmovies.com, 1
+hotmoviesforher.com, 1
+hotnews-today.com, 1
+hotnewsnl.tk, 1
+hotnow.live, 1
+hotnudeteen.com, 1
+hoto.us, 1
+hoton.in, 1
+hotornot.com, 1
+hotperiscope.tk, 1
+hotpinkbraces.com, 1
+hotplate.co.nz, 1
+hotpmo.com, 1
+hotpopky.cf, 1
+hotpornfilms.com, 1
+hotporngirl.com, 1
+hotporntubes.com, 1
+hotpornvideos.tv, 1
+hotproxy.gq, 1
+hotpussypics.com, 1
+hotpussytube.com, 1
+hotrender.com, 1
+hotroviettel.vn, 1
+hotrowordpress.com, 0
+hotschneckchen.net, 1
+hotscripting.tk, 1
+hotsex.tv, 1
+hotsexvids.net, 1
+hotsexxxcams.com, 1
+hotshira.com, 1
+hotshotsleeves.com, 1
+hotsmi.cf, 1
+hotsoft.com.br, 1
+hotsolarsolutions.com, 1
+hotspot.cl, 1
+hotspotshield.com, 1
+hotspringsar.gov, 1
+hotsvenja.com, 1
+hottaro.com, 1
+hottchic.com, 1
+hottestguyoftech.com, 1
+hottestwebcamgirls.org, 1
+hottheme.net, 1
+hottie.at, 1
+hotting.nl, 1
+hottoys.tk, 1
+hotvehs.com, 1
+hotwaterspecialist.com.au, 1
+hotwifer.com, 1
+hotyoyo.ga, 1
+hotzheipoe.com, 1
+houdah.com, 1
+houdenvanhonden.nl, 1
+houhuayuan.com, 1
+houlang.ac.cn, 1
+houldsworthmill.com, 1
+hourai.gg, 1
+houraiteahouse.net, 1
+hourlyearning.tk, 1
+hourlyringtonesers.ga, 1
+hourlyringtonesest.ga, 1
+hoursofoperation.biz, 1
+hourspent.com, 1
+house-cleaning-howtos.com, 1
+house-sparrow.com, 1
+houseandgarden.co.uk, 1
+houseareacanada.tk, 1
+houseareaitaly.tk, 1
+housebar.tk, 1
+housecarty.com, 1
+housedesigninfo.tk, 1
+housedesignnews.tk, 1
+houseepropiedadraiz.com, 1
+houseforce.biz, 1
+household-appliances.tk, 1
+householdheroes.com.au, 1
+householdjournalers.ga, 1
+householdjournalest.ga, 1
+householdofmercy.org, 1
+houseinfonews.tk, 1
+housekeep.com, 1
+housekeeperlondon.co.uk, 1
+houselocal.co.uk, 1
+housemart.company, 1
+housemates.uk.com, 1
+housemouse.tk, 1
+houseofaceonline.com, 1
+houseofhipsters.com, 1
+houseofmusic.co.uk, 1
+houseofpertijs.com, 1
+houseofpheromones.com, 1
+houseoftutors.co.uk, 1
+houseofyee.com, 1
+houseplant.tk, 1
+houser.lu, 1
+houseracko.com, 1
+houseremodels.tk, 1
+houseroxrecords.com, 1
+housese.at, 1
+houseshop.biz, 1
+housesmartdecore.tk, 1
+housesumo.com, 1
+housetories.com, 1
+housevertising.nl, 1
+housing.com, 1
+housingauctions.net, 1
+housingcenter.com, 1
+housinglincolncountyor.gov, 1
+housingloan.jp, 1
+housingokc.gov, 1
+housten.com, 1
+houston-building-maintenance.com, 1
+houston-probate-law.com, 1
+houstonaudubon.org, 1
+houstonauthorizedrepair.com, 1
+houstonbestmaidservice.com, 1
+houstoncenterforvaluedliving.com, 1
+houstoncosoal.gov, 1
+houstoncountyal.gov, 1
+houstongaragedoorsrepair.com, 1
+houstonhomerevival.com, 1
+houstonhughes.tk, 1
+houstonjetcharter.com, 1
+houstonlake.gov, 1
+houstonlockout.com, 1
+houstonmethodist.org, 1
+houstonproperties.com, 1
+houtar.eu.org, 1
+houthandelbunskoek.nl, 1
+houthandeljacobs.nl, 1
+houtinee.com, 1
+hovala.tk, 1
+hovelaar.nl, 1
+hoverboardbarato.com, 1
+hovia.com, 1
+hovset.net, 1
+how-to-build-computer.tk, 1
+how-to-simply.com, 1
+how-to-write-a-book.cf, 1
+how-to-write-a-book.ga, 1
+how-to-write-a-book.gq, 1
+how-to-write-a-book.ml, 1
+how2dev.tools, 1
+how2smart.com, 1
+howa-n.net, 0
+howandroidhelp.com, 1
+howandwhys.com, 1
+howardchippewawi.gov, 1
+howardcounty-mo.gov, 1
+howardcountyne.gov, 1
+howardcountysheriffmo.gov, 1
+howardhannava.com, 1
+howardkaplanbooks.com, 1
+howardscholars.org, 1
+howardsgrovewi.gov, 1
+howardshaw.com, 1
+howarh.com, 0
+howdo.nl, 1
+howdoesmycode.work, 1
+howdoyousaythis.com, 1
+howdybikes.com, 1
+howellaccounts.co.uk, 1
+howellcountymo911.gov, 1
+howellpolicenj.gov, 1
+howesky.com, 1
+howgoodwasmysex.com, 1
+howieisawesome.com, 1
+howlers.tk, 1
+howlinhawk.tk, 1
+howlonghaswilliambeenwaitingforhislicence.uk, 1
+howmanymilesfrom.com, 1
+howmanypeoplearethereinthe.world, 1
+howmanypeoplearethereintheworld.com, 0
+howmuch.cf, 1
+howmuch.ga, 1
+howoldisjava8.today, 1
+howoldistheinter.net, 1
+howonce.cn, 1
+howonce.com.cn, 1
+howonce.net, 1
+howonce.org, 1
+howopen.net, 1
+howpchub.com, 1
+howsecureismypassword.net, 1
+howsmyssl.com, 1
+howsmytls.com, 1
+howto-connect.com, 1
+howto-outlook.com, 1
+howtobehealthy.tk, 1
+howtoboy.com, 1
+howtodesignwebsite.com, 1
+howtofixwindows.com, 1
+howtofreelance.com, 1
+howtogeek.com, 1
+howtogeekpro.com, 1
+howtogosolar.org, 0
+howtohomepage.tk, 1
+howtohow.org, 1
+howtoinstall.co, 1
+howtomakefriends.tk, 1
+howtomanagedevices.com, 1
+howtomediacenter.com, 1
+howtomovetheneedle.com, 1
+howtoplayguitarlikeapro.com, 1
+howtopreventvulnerabilities.com, 1
+howtorunfasterandlonger.com, 1
+howtoslapsomeonethroughtheinternet.com, 1
+howtostopsnoring.tk, 1
+howtoteachviolin.com, 1
+howtotech.com, 1
+howtotech.de, 1
+howtrainyourdog.ml, 1
+howtutu.click, 1
+howtutu.com, 1
+howtutu.email, 1
+howtutu.eu, 1
+howtutu.info, 1
+howtutu.link, 1
+howtutu.net, 1
+howtutu.org, 1
+howtutu.social, 1
+howudoin.tk, 1
+howunadeydoam.ng, 1
+howwhy.tw, 1
+hoxo.fr, 1
+hoychivilcoy.tk, 1
+hoyenapple.com, 1
+hoyerfamilysaffron.com, 1
+hoyosdelespino.tk, 1
+hoz-pack.com.ua, 1
+hozana.si, 0
+hozinga.de, 1
+hozio.com, 1
+hozio.net, 1
+hozkomurcu.com, 1
+hozonshoku.com, 1
+hp-67.com, 1
+hp-lexicon.org, 1
+hp42.de, 1
+hpac-portal.com, 1
+hpage.com, 1
+hpbn.co, 1
+hpc.mil, 1
+hpccsystems.com, 0
+hpeditor.tk, 1
+hpfxd.com, 1
+hphp.ga, 1
+hpic.net, 1
+hpisavageforum.com, 1
+hpk.edu.ee, 1
+hpkp-faq.de, 1
+hplace.com.br, 1
+hpm.pt, 1
+hpneo-conseil.com, 1
+hpruehl.de, 1
+hpsdigital.hu, 1
+hpsldc.com, 1
+hpsq.io, 1
+hpv-info.ee, 1
+hpvtimmerwerken.nl, 1
+hq.marketing, 1
+hq77.ru, 1
+hqblog.cn, 0
+hqproductreviews.com, 1
+hqsy.net, 1
+hqteas.com, 1
+hqtrannytube.com, 1
+hqwebhosting.tk, 0
+hqy.moe, 1
+hqy2000.com, 1
+hr-automation.eu, 1
+hr-books.shop, 1
+hr-clan.tk, 1
+hr-nielsen.tk, 1
+hr-praemien-santander.de, 1
+hr-tech.shop, 1
+hr-toys.shop, 1
+hr98.tk, 1
+hrabogados.com, 1
+hraesvelg.net, 1
+hrafnkellbaldurs.com, 1
+hrafnsholl.is, 1
+hrajhry.sk, 1
+hrajme.tk, 1
+hranicka.cz, 1
+hravatar.com, 1
+hrbanen.nl, 1
+hrbatypes.cz, 1
+hrblnrdx.org.cn, 1
+hrbrt.co, 1
+hrbrt.nl, 0
+hrcdn.net, 1
+hrcigroup.com, 1
+hrcrew.com.au, 1
+hrd-sec.com, 1
+hrd.pl, 1
+hrdns.de, 1
+hreflang.info, 1
+hrejterzy.com, 1
+hrgt.eu, 1
+hristijanspirovski.tk, 1
+hristos.com, 1
+hriveralaw.com, 1
+hrjfeedstock.org, 1
+hrjob.ml, 1
+hrjob.tk, 1
+hrk.aero, 1
+hrka.cc, 0
+hrkfamilylaw.com, 1
+hrknuddel.de, 1
+hrlab.de, 1
+hrlive.ga, 1
+hrmafia.ga, 1
+hrmcms.com, 1
+hrmg.agency, 1
+hrmny.sh, 1
+hrndz.io, 1
+hrnk.org, 1
+hro.to, 1
+hrobert.hu, 1
+hroc.co.uk, 1
+hrodna.life, 1
+hroling.nl, 1
+hromaticworld.tk, 1
+hroschyk.cz, 1
+hrpage.ml, 1
+hrprofessionals.tk, 1
+hrreporter.com, 1
+hrsa.gov, 1
+hrseoservice.com, 1
+hrsourav.info, 1
+hrstapps-dev.com, 1
+hrtechnologypro.cf, 1
+hrtpova.gov, 1
+hru.gov, 1
+hrumka.net, 1
+hrw66.cc, 1
+hrwsba.gov, 1
+hrxkauppa.fi, 1
+hryniewski.net, 1
+hryx.net, 1
+hrzblt.eu, 1
+hs-flensburg.de, 1
+hs-group.net, 1
+hs-hire.co.uk, 1
+hs7imports.com.br, 1
+hsappstatic.net, 1
+hsasearch.com, 1
+hsbc-zertifikate.de, 1
+hsbs.com.sg, 1
+hsbuild.com, 1
+hsc.com.vn, 1
+hsc.gd.cn, 1
+hschen.top, 0
+hscomposites.co.nz, 1
+hse-dev.com, 1
+hse-online.com, 1
+hse-reglementaire.com, 1
+hselectricalservices.com, 1
+hsex.tv, 0
+hsg-lumdatal.de, 1
+hsgms.de, 1
+hshnetwork.net, 1
+hsi.health, 1
+hsivonen.com, 1
+hsivonen.fi, 1
+hsivonen.iki.fi, 1
+hsjdzaragoza.es, 1
+hskernel.com, 1
+hskin.top, 1
+hskprep.com, 1
+hsm-eldesafio.tk, 1
+hsmithsmithfield.co.uk, 1
+hsmr.cc, 1
+hsn-tsn.com, 1
+hsn.com, 1
+hsog.tk, 1
+hsprotection.net, 1
+hsr.gov, 1
+hsreformas.es, 1
+hsselite.com, 1
+hst.tc, 1
+hstoyanov.com, 1
+hsts-preload-test.xyz, 1
+hsts.eu, 1
+hsts.eu.org, 1
+hsts.me, 1
+hsts.ovh, 1
+hstsbadnosniff.com, 1
+hstspreload.appspot.com, 1
+hstspreload.com, 1
+hstspreload.de, 1
+hstspreload.me, 1
+hstspreload.org, 1
+hstudio.tk, 1
+hsturan.com, 1
+hsutilitiesms.gov, 1
+hszemi.de, 1
+ht.mk, 1
+htaccessbook.com, 1
+htaps.com, 1
+htb-email.co, 1
+htb-email.com, 1
+htb-email.uk.com, 1
+htb.click, 1
+htb.co.uk, 1
+htbap.net, 1
+htbemail.co, 1
+htbemail.co.uk, 1
+htbemail.com, 1
+htbemail.net, 1
+htbemail.org, 1
+htbplc.co.uk, 1
+htcclan.tk, 1
+htdcomputer.vn, 1
+hte.ovh, 1
+hti.digital, 1
+htikeagkyaw.com, 1
+htl-anmeldung.at, 1
+htl.wiki, 1
+htlball.at, 1
+htljobs.at, 1
+htm-partners.com, 1
+htmag.co.il, 1
+htmanager.fr, 1
+htmdom.com, 1
+html-builder.tk, 1
+html-code-generator.com, 1
+html-css.tk, 1
+html5.org, 1
+htmlacademy.ru, 1
+htmlandcss.tk, 1
+htmlcssphp.ga, 1
+htmlcssphp.gq, 1
+htmlcssphp.ml, 1
+htmlcssphp.tk, 1
+htmlnet.tk, 1
+htmltemplated.com, 1
+htmlvalidator.com, 1
+htmlweb.ml, 1
+htmlyse.com, 1
+htmue.org, 1
+htp2.top, 1
+htt.pe, 1
+http.codes, 1
+http.dog, 1
+http.garden, 1
+http.gs, 1
+http.pizza, 1
+http2.com.cn, 1
+http2.eu, 1
+http2.pro, 1
+http3-hosting.de, 1
+http3.ch, 1
+http3.info, 1
+http3.pro, 1
+http418.org, 1
+httpcats.com, 1
+httpd.gq, 1
+httpducks.com, 1
+httpgoats.com, 1
+httpguides.com, 1
+https-rulesets.org, 1
+https.com.tw, 1
+https.dk, 1
+https.gs, 1
+https.jetzt, 1
+httpsalarm.com, 1
+httpsarnemergan.ml, 1
+httpsecured.net, 1
+httpsecurityreport.com, 1
+httpsiseasy.com, 1
+httpsispisseasy.com, 1
+httpsnow.com, 1
+httpsnow.org, 1
+httpstaak.tk, 1
+httpstest.eu, 1
+httpstest.nl, 1
+httpswatch.ca, 1
+httpswatch.eu, 1
+httpswatch.nl, 1
+htvoutlet.com, 1
+htxnet.biz, 1
+htzopremasrbija.co.rs, 1
+hu-1xbet.com, 1
+hu-a-u.com, 1
+hu.search.yahoo.com, 0
+hua-in.net, 1
+huabianwa.com, 0
+huachuang.com, 1
+huagati.com, 1
+huang.nu, 1
+huangban.org.cn, 1
+huangguancq.com, 1
+huangh.com, 1
+huangjia71.com, 1
+huangjia72.com, 1
+huangjia73.com, 1
+huangjia74.com, 1
+huangjia75.com, 1
+huangjia76.com, 1
+huangjia777.com, 1
+huangjia78.com, 1
+huangjia79.com, 1
+huangjiaint.com, 1
+huangjingjing.com, 1
+huangkevin.com, 1
+huangqifu.com, 1
+huangshuo.net, 1
+huangzenghao.cn, 0
+huangzenghao.com, 1
+huangzjnet.gq, 1
+huanqiu1988.com, 1
+huanta.tk, 1
+huanvm.com, 1
+huanwei.com, 1
+huanyu.com, 1
+huapood.com, 1
+huaqian.art, 1
+huashan.co.uk, 1
+huashang.tk, 1
+huawenyy.com, 1
+huaxueba.com, 1
+hub24.com.au, 1
+hub385.com, 1
+hubanero.cz, 1
+hubapi.com, 1
+hubbardhouseugrrmuseum.org, 1
+hubbaworld.tk, 1
+hubbell.com, 1
+hubblogging.com, 1
+hubchain.com, 1
+hubchain.com.br, 1
+hubchain.fr, 1
+hubchain.io, 1
+hubchain.org, 1
+huber-informatik.de, 1
+hublaagram.ml, 1
+hubnet.fr, 1
+hubok.net, 1
+huboo.co.uk, 1
+huboo.com, 1
+hubovra.nl, 1
+hubrecht.at, 1
+hubsaveers.ga, 1
+hubsaveest.ga, 1
+hubspot.com, 1
+hubspot.de, 1
+hubspot.es, 1
+hubspot.fr, 1
+hubspot.jp, 1
+hubux.tk, 1
+hubx.co, 1
+huchet.me, 0
+hucklebucks.com, 1
+huckletree.com, 0
+hudaa.us, 1
+hudbugcomics.com, 1
+huddlecamhd.com, 1
+hudebnibazarmixer.cz, 1
+hudeem-vmeste.ml, 1
+hudhaifahgoga.co.za, 1
+hudhomestore.gov, 1
+hudobniny.net, 1
+hudognik.com, 1
+hudrydum.cz, 1
+hudsonlifting.co.uk, 1
+hudsonregional.gov, 1
+hudsonsolutions.com, 1
+hudsonwi.gov, 1
+hudu.com, 1
+huduser.gov, 1
+huecomundo.tk, 1
+huehnerartikel.de, 1
+huelgajusticiaextremadura.tk, 1
+huellasfestival.com, 1
+huelvatrabaja.com, 1
+huemanpesolutions.com, 1
+huemeyraophelia.com, 1
+huemul.studio, 1
+huengsberg.com, 1
+huepfburggiessen.de, 1
+huertoydesamparados.tk, 1
+hues-in-lee.de, 1
+huesers.de, 1
+huesitos.tk, 1
+hueterecruiters.com, 1
+hufelare.tk, 1
+huffduffer.com, 1
+huffingtonwire.com, 1
+huffsinsurance.com, 1
+hug0.cz, 1
+hugebeasters.ga, 1
+hugebeastest.ga, 1
+hugetits.tv, 1
+huggies.com.au, 1
+huggy.moe, 1
+hughfitzgerald.com, 1
+hugi.is, 1
+huglen.info, 1
+hugobarral.me, 1
+hugochilemme.com, 1
+hugocurado.info, 1
+hugogarra.com, 1
+hugolegrand.fr, 1
+hugolynx.fr, 0
+hugomilano.ga, 1
+hugonote.cf, 1
+hugonote.ga, 1
+hugonote.gq, 1
+hugonote.ml, 1
+hugonote.ovh, 1
+hugonote.tk, 1
+hugotech.vn, 1
+hugovr.nl, 1
+hugoyugou.com, 1
+hugs.ua, 1
+huhao.tk, 1
+huhu.cf, 1
+huibrotladen.com, 1
+huicui.com, 1
+huiguniang.com, 1
+huiketang.com, 1
+huimin.com, 1
+huimou.com, 1
+huininga.com, 1
+huininga.nl, 1
+huininga.org, 1
+huirongis.me, 1
+huis-en-tuin.be, 1
+huisaandecosta.nl, 1
+huisartsen-ict.nl, 1
+huisartsenpraktijkheemraadssingel.nl, 1
+huisartsenpraktijksonmezer.nl, 1
+huisartsenpraktijkzonnehoed.nl, 1
+huisartsenpraktijkzwalm.be, 1
+huisdierinfopunt.tk, 1
+huiser.nl, 1
+huisjeboompje-baby.nl, 1
+huislaw.com, 1
+huislijn.nl, 1
+huissier-vosges.com, 1
+huit.re, 1
+huitaodang.com, 1
+huk-autoservice.de, 1
+hukkatavara.com, 1
+hukuhauchi.com, 1
+hulaginswoodworking.com, 1
+hulet.tech, 1
+hulii.com, 1
+hulii.com.au, 1
+hulkbay.tk, 1
+hulkweb.tk, 1
+hullmoneyman.com, 1
+hullscp.co.uk, 1
+hullseals.space, 1
+huloveyou.com, 1
+hulpbijmarketing.nl, 1
+hulpertechsite.tk, 1
+hulpmiddelenshop.nl, 1
+hulpverleningszonecentrum.be, 1
+hulsoft.co.uk, 1
+hultrid.hopto.org, 1
+hululkitab.co, 1
+huma-auto.club, 0
+human-centricity.com, 1
+human-clone.com, 1
+human-dev.io, 1
+human-parasites.tk, 1
+human-shinri.com, 1
+humana-medicaresupplement.com, 1
+humanamente.tk, 1
+humanbeing.tk, 1
+humanenrich.com, 1
+humanesdemadrid.tk, 1
+humanewolf.com, 1
+humanexperiments.com, 1
+humanhairgo.tk, 1
+humanhealth.pl, 1
+humanidad.tk, 1
+humaninterest.com, 1
+humanistgruppen.tk, 1
+humanit.com.au, 1
+humanitiesacademicpublishers.com, 0
+humanity.com, 1
+humanize.security, 1
+humanlocation.net, 1
+humanresources.gq, 1
+humanresourcesedu.org, 1
+humanresourcesmanager.de, 1
+humanrights.gov.au, 1
+humanrights.tk, 1
+humansense.nl, 1
+humanservicesedu.org, 1
+humanshiftpaper.com, 1
+humantouchmassagechairs.com, 1
+humanvidas.com.br, 1
+humanzee.com, 1
+humara.tk, 1
+humass.nl, 1
+humbaur.com, 1
+humbble.fr, 1
+humblebee.at, 1
+humblebee.be, 1
+humblebee.bg, 1
+humblebee.ch, 1
+humblebee.co.uk, 1
+humblebee.cz, 1
+humblebee.dk, 1
+humblebee.es, 1
+humblebee.eu, 1
+humblebee.foundation, 1
+humblebee.fr, 1
+humblebee.gr, 1
+humblebee.hu, 1
+humblebee.ie, 1
+humblebee.it, 1
+humblebee.nz, 1
+humblebee.pl, 1
+humblebee.us, 1
+humblebeeshop.ca, 1
+humblebeeshop.com.au, 1
+humblecraft.tk, 1
+humbledot.com, 0
+humblenano.africa, 1
+humblenano.io, 1
+humboldt-wi.gov, 1
+humboldtcavotes.gov, 1
+humboldtcountyca.gov, 1
+humboldtcountynv.gov, 1
+humboldtcsi.com, 1
+humboldthomeguide.com, 1
+humboldtmfg.com, 1
+humdata.org, 1
+humdruma-recordingz.tk, 1
+humer-it.com, 0
+humexe.com, 1
+humeydi.tk, 1
+humi.ca, 1
+humio.com, 1
+humm90.com, 1
+hummel.tk, 1
+hummingbird.co, 0
+hummy.tk, 1
+hummy.tv, 1
+humo.be, 1
+humor-life.tk, 1
+humor-web.tk, 1
+humor.cf, 1
+humor.ga, 1
+humorbest.tk, 1
+humorcheck.ga, 1
+humorcheckers.ga, 1
+humorcheckest.ga, 1
+humored.gq, 1
+humorojo.com, 1
+humpen.se, 1
+humphreyscountytn.gov, 1
+humpydumpy.tk, 1
+humuluslupulus.de, 1
+humus.tk, 1
+hunanbank.com, 1
+hund.io, 1
+hund.ml, 1
+hundamosantena3.tk, 1
+hundedekken.tk, 1
+hundeschule.tk, 1
+hundestudios.tk, 1
+hundhausen.de, 1
+hundimiento.com, 1
+hundlee.tk, 1
+hundter.com, 1
+hundur.tk, 1
+hunedoara.tk, 1
+hungarian-united-church.tk, 1
+hungarianeducationagency.com, 1
+hungaryz.ml, 1
+hungnm.me, 1
+hungryas.tk, 1
+hungryginie.com, 1
+hungryhealthyhappy.com, 1
+hunhold.at, 1
+hunhold.biz, 1
+hunhold.ch, 1
+hunhold.com, 1
+hunhold.de, 1
+hunhold.eu, 1
+hunhold.it, 1
+hunhold.net, 1
+hunhold.org, 1
+huniverse.co, 1
+hunngard.com, 1
+hunqz.com, 1
+hunstoncanoeclub.co.uk, 1
+hunter-read.com, 1
+hunter.io, 1
+hunter32.ru, 1
+hunterjohnson.io, 1
+huntersandprops.tk, 1
+hunterscreekapartments.net, 1
+hunterscrolls.tk, 1
+huntertrade.com.br, 1
+huntexpired.com, 0
+huntflow.ai, 1
+hunting.ml, 1
+huntingdonlifesciences.com, 1
+huntingdonsmithfieldpa.gov, 1
+huntingnewfoundlandlabrador.com, 1
+huntingtonestateproperties.com, 1
+huntingtonnow.com, 1
+huntingtonwv.gov, 1
+huntreminder.com, 1
+huntsvillealtransit.gov, 1
+huntsvillecottage.ca, 1
+huntvac.com, 1
+huny.eu.org, 1
+hunzai.tk, 1
+huoduan.com, 1
+huohu-sports.com, 1
+huohuo.cf, 1
+huohuo.ml, 1
+huon.fyi, 1
+huonit.com.au, 0
+huoqibaike.club, 1
+huoyankan.com, 1
+huoyou.com, 1
+huozhen.com, 1
+hup.hu, 0
+hupeng.me, 1
+hupoyunlar.com, 1
+hurbascooter.com, 1
+hurbo.com, 1
+hurdafiyatlari.site, 1
+hurinkazan2020.com, 1
+hurleyhomestead.com, 1
+huron.tk, 1
+huronsd.gov, 1
+hurra-blog.tk, 1
+hurricanecarroll.com, 1
+hurricanelabs.com, 0
+hurricaneplaneers.ga, 1
+hurricaneplaneest.ga, 1
+hurricanewv.gov, 1
+hurricanewvpd.gov, 1
+hurriyetseriilan.tk, 1
+hurstbourneacresky.gov, 1
+hurstiharrell.tk, 1
+hurtigrabat.dk, 1
+hurtigtinternet.dk, 1
+husakbau.at, 1
+hushbabysleep.com, 1
+hushfile.it, 1
+hushpuppiesobuv.ru, 1
+husic.net, 0
+husky-in-nood.tk, 1
+huskyeye.de, 1
+huskygifts.com, 1
+huskyinc.us, 0
+husmann.tech, 1
+husqvarnamoped.se, 1
+hussam.eu.org, 1
+hussehrana.com, 1
+hustlerstate.tk, 1
+hutavaterstetten.de, 1
+hutchinsonmn.gov, 1
+huthacks.com, 1
+huto.ml, 1
+huttotxedc.gov, 1
+huurwoordenaar.nl, 1
+huuto.tk, 1
+huutonauru.net, 1
+huwcbjones.uk, 1
+huwjones.me, 1
+huwshepheard.com, 1
+huxcoconstruction.com, 1
+huxixs.com, 1
+huxley.net, 1
+huynhviet.com, 1
+huyvu.nl, 1
+huzurmetal.net, 1
+huzurpansiyonfirtinavadisi.com, 1
+hv-2020.de, 1
+hv-2020.online, 1
+hv-anmeldung.de, 1
+hv-huset.no, 1
+hv-portal.de, 1
+hv.se, 1
+hva.cl, 1
+hvac-distributing.com, 1
+hvac-distributing.xyz, 1
+hvacschool.org, 1
+hvanmeldung.de, 1
+hvanmeldung.online, 1
+hvcoksvote.gov, 1
+hvdbox.de, 0
+hvenetworks.cf, 1
+hveradistributions.com, 1
+hverdagogkink.no, 1
+hvh.no, 1
+hvhdct.gov, 1
+hvhercules.tk, 1
+hvhindia.in, 1
+hvllucinvtion.tk, 1
+hvorschool.tk, 1
+hvr.co.il, 1
+hvrint.de, 1
+hvtuananh.com, 1
+hvvmg.com, 1
+hvylya.net, 1
+hw8.eu, 1
+hwag-pb.de, 1
+hwasung.com.vn, 1
+hwe.nz, 1
+hwholdsworth.com.au, 1
+hwinfo.tk, 1
+hwjkk.com, 1
+hwnd.io, 1
+hwsw.io, 1
+hwvv.nl, 1
+hwx8.com, 0
+hx-sun.com, 1
+hx36.net, 0
+hx53.de, 1
+hx678.cc, 1
+hx77.cc, 0
+hxit.cn, 1
+hxkvm.com, 1
+hxkvm.net, 1
+hxp.io, 1
+hxr404.cf, 1
+hxsrz.eu.org, 1
+hxtival.com, 1
+hxtival.nl, 1
+hy1.com, 1
+hyacinthus.tk, 1
+hyatt.com, 1
+hyb7.com, 1
+hybrd.is, 1
+hybrid-crescent.tk, 1
+hybriden.cf, 1
+hybriden.tk, 1
+hybridiyhdistys.fi, 1
+hybridklubben.fi, 1
+hybridragon.net, 1
+hybridscript.tk, 1
+hybridsounds.tk, 1
+hybridworld.tk, 1
+hybridworx.com, 1
+hybridworx.de, 1
+hybridworx.eu, 1
+hybridworx.net, 1
+hybridworx.org, 1
+hybrydowe-samochody.pl, 1
+hybula.com, 1
+hycken.com, 1
+hyckenberg.com, 1
+hyderabaddccb.org, 1
+hyderabadonlinegifts.com, 1
+hydra-interactive.com, 1
+hydra.az, 1
+hydrabit.nl, 1
+hydrante.ch, 0
+hydras.tk, 1
+hydrazin.pw, 1
+hydro17.com, 1
+hydroagro.pl, 1
+hydroaralen.com, 1
+hydrochlorothiazide.gq, 1
+hydrochlorothiazide125.ga, 1
+hydrocloud.net, 1
+hydrocontrolsystems-janssenwaterproofing.com, 1
+hydrocontrolsystems.com, 1
+hydrogel.tk, 1
+hydrogenplatform.com, 1
+hydrographicsocietybenelux.eu, 1
+hydroid.tk, 1
+hydrolifehottubs.co.uk, 1
+hydrolyze.tk, 1
+hydromech.com.au, 1
+hydrometrixtechnologies.com, 1
+hydronicheatingaustralia.com.au, 1
+hydronium.cf, 1
+hydronium.ga, 1
+hydronium.ml, 1
+hydronium.tk, 1
+hydronix-bg.com, 1
+hydroposev.com, 1
+hydrosaat.ch, 1
+hydrosight.com, 1
+hydrosila.com, 0
+hydroturbine.info, 0
+hydrozen.io, 1
+hydrozone.fr, 1
+hyds.com, 1
+hyec.jp, 1
+hyex.com.au, 1
+hygieneproclean.co.nz, 1
+hygienet.be, 1
+hygo.com, 1
+hygraph.com, 1
+hyk.me, 1
+hyland.com, 1
+hylark.com, 1
+hylians.com, 1
+hyllie.net, 1
+hymn.com, 1
+hymnal.net, 1
+hymnsandverses.com, 1
+hync.io, 1
+hyncice.com, 1
+hyndax.com.ar, 0
+hynek.me, 1
+hyodyntamaton.site, 0
+hyoi.de, 1
+hypar.io, 1
+hyparia.fr, 1
+hyparia.org, 1
+hypehub.tech, 1
+hypelifemagazine.com, 1
+hypemgmt.com, 1
+hyper-fit.nl, 1
+hyper-matrix.org, 1
+hyper-network.de, 1
+hyper-spirit.com, 1
+hyper-text.org, 0
+hyper.ai, 1
+hyper.lol, 1
+hyperalgesia.com, 1
+hyperautomotive.com.au, 1
+hyperblast-universe.tk, 1
+hyperbolecomics.com, 1
+hyperbolic-mayonnaise-interceptor.ovh, 1
+hyperc.club, 1
+hypercdn.de, 1
+hypercritical.co, 1
+hyperd.sh, 1
+hyperdesign.com, 1
+hyperemesis.ie, 1
+hyperhidrose.tk, 1
+hyperion-project.org, 1
+hyperion.gmbh, 0
+hyperion.io, 1
+hyperionms.com, 1
+hyperjewel.com, 1
+hyperjit.com, 1
+hyperlocal.co.za, 1
+hypermonkey.tk, 1
+hypernode.com, 1
+hyperonline.tk, 1
+hyperplanning.fr, 1
+hyperreal.chat, 1
+hyperreal.info, 1
+hypersequent.com, 1
+hypershell.tk, 1
+hypersomnia.com, 1
+hyperspace.tk, 1
+hyperstack.org, 1
+hypertaut.com, 1
+hypertensionexplained.com, 1
+hypertesto.me, 1
+hyperthymia.com, 1
+hypervsn.com, 1
+hypetrix.com, 1
+hypexstore.tk, 1
+hyphen.co.za, 1
+hyphenpda.co.za, 1
+hypixelstudios.com, 1
+hypno-thera.fr, 1
+hypnobb.com, 1
+hypnos.hu, 1
+hypnose-hennigsdorf.de, 1
+hypnose-nimes.fr, 1
+hypnoseduction.tk, 1
+hypnoside.tk, 1
+hypnosis.edu, 1
+hypnotistanbul.com, 1
+hypnotizedgirls.ml, 1
+hypnovir.us, 1
+hypo-fix.com, 1
+hypo-fix.de, 1
+hypo-light.de, 1
+hypo-x.de, 1
+hypo4u.de, 1
+hypocretins.com, 1
+hypocrites.tk, 1
+hypofax.de, 1
+hypofix-web.de, 1
+hypofix.com, 1
+hypofix.de, 1
+hypofixweb.de, 1
+hypofixx.de, 1
+hypofux.de, 1
+hypokalkulacka.sk, 1
+hypolife.de, 1
+hypolineweb.de, 1
+hyposoft.de, 1
+hypotheca.ca, 1
+hypotheekbond.nl, 1
+hypothekenbank.ag, 1
+hypotheques24.ch, 1
+hypothermia.tk, 1
+hypothes.is, 1
+hypothyroidmom.com, 1
+hypowelt.com, 1
+hypr.ee, 1
+hyr.mn, 0
+hyra.tk, 1
+hyrin.tk, 1
+hyrius.net, 1
+hyrulekingdom.tk, 1
+hys-te-ria.tk, 1
+hyser.com.ua, 1
+hysh.jp, 1
+hysh.net, 1
+hysh.org, 1
+hystats.net, 1
+hysupchile.cl, 1
+hytale.com, 1
+hytzongxuan.com, 1
+hytzongxuan.top, 1
+hyunbridge.com, 1
+hyundaifinance.de, 0
+hyundaipartsdeal.com, 1
+hyundaisrilanka.lk, 1
+hyunjoonkim.net, 1
+hyvinvointineuvoja.fi, 1
+hyy.ch, 1
+hyy.chat, 1
+hyychat.com, 1
+hyyen.com, 1
+hyyperchat.com, 1
+hyze.fr, 1
+hyzy.fr, 1
+hz601.org, 1
+hzbk.org, 0
+hzmpower.com, 1
+hzsx.com, 1
+hztgzz.com, 1
+i--b.com, 1
+i-0v0.in, 1
+i-3c.co.jp, 1
+i-am-cjc.tech, 1
+i-am-seo.co.uk, 1
+i-cite.es, 1
+i-connect.ie, 0
+i-cyber.gov.ua, 1
+i-experts.nl, 1
+i-fastnet.net, 1
+i-forum.ga, 1
+i-house.gq, 1
+i-hoz.ru, 1
+i-lab.ml, 1
+i-li.com, 1
+i-like-hits.tk, 1
+i-liren.com, 1
+i-logic.co.jp, 1
+i-logic.net, 1
+i-make-love.tk, 1
+i-make.com, 1
+i-make.fr, 1
+i-med.com.au, 1
+i-model.org, 1
+i-motor.nl, 1
+i-office.com.vn, 1
+i-on.by, 1
+i-panic.com, 1
+i-pinged-everyone.today, 1
+i-port-voice.com, 1
+i-prince.tk, 1
+i-proswiss.com, 0
+i-r-a.tk, 1
+i-readycentral.com, 1
+i-red.info, 1
+i-scream.space, 1
+i-sports.cz, 1
+i-stream2watch.com, 1
+i-telligence.de, 0
+i-tm.com.tw, 1
+i-tools.ru, 1
+i-verbi.it, 1
+i-vignette.com, 1
+i-volve.net, 1
+i-voting.pl, 1
+i.hosting, 1
+i00.eu, 1
+i00228.com, 1
+i0856.com, 0
+i0day.com, 1
+i10z.com, 1
+i1430.com, 0
+i24.host, 1
+i2capmark.com, 1
+i2education.com, 1
+i2itherapy.com, 1
+i2pgit.org, 0
+i36533.com, 1
+i365365.com, 1
+i36588.com, 1
+i3o.me, 1
+i49.net, 1
+i4cu.uk, 1
+i4net.eu, 1
+i4ware.fi, 1
+i51365.com, 0
+i5197.co, 1
+i5y.co.uk, 1
+i5y.org, 1
+i6729.co, 1
+i6729.com, 0
+i6957.co, 1
+i7.io, 1
+i7sas.tk, 1
+i82365.com, 1
+i879.com, 1
+i88i.gq, 1
+i8cp.com, 1
+i9297.co, 1
+i9728.co, 1
+i9assessoria.net.br, 1
+i9s.in, 1
+ia.ca, 1
+ia.net, 1
+ia1000.com, 1
+iaa.ee, 1
+iaata.info, 1
+iab-diva.ru, 1
+iabot.tk, 1
+iacee.org, 1
+iacitywebdesigner.com, 1
+iaco.li, 1
+iacono.com.br, 0
+iactu.info, 1
+iadb.org, 1
+iadminify.com, 1
+iadore.tk, 1
+iadttaveras.com, 1
+iae.one, 1
+iaeste.or.jp, 1
+iaf.gov, 1
+iaf.nu, 1
+iafd.com, 1
+iaforum.com.br, 1
+iafss2023.com, 1
+iain.tech, 1
+iainsimms.co.uk, 1
+iainsimms.com, 1
+iainsimms.me, 1
+ialternatywne.pl, 1
+iam.lc, 0
+iam.soy, 1
+iamafricacampaign.com, 1
+iamafricacampaign.org, 1
+iamaileen.com, 1
+iamanewme.com, 1
+iambhatti.tk, 1
+iamcloud.de, 1
+iamconnected.eu, 1
+iamhealthystore.com, 1
+iaminashittymood.today, 1
+iamjoshellis.com, 1
+iamkate.com, 1
+iamlearning.co.uk, 1
+iamlegend.ml, 1
+iamlife.com, 1
+iamlzh.com, 0
+iamokay.nl, 1
+iamovement.org, 1
+iamsadmax.ga, 1
+iamsainknight.tk, 1
+iamsamaskom.tk, 1
+iamtheib.me, 1
+iamthelife.io, 1
+iamthesweetspot.com, 1
+iamtonyarthur.com, 1
+iamtp.com, 1
+iamtrainsafe.co.uk, 1
+iamusingtheinter.net, 0
+iamyourpillow.com, 1
+ian-barker.co.uk, 1
+ian.sh, 0
+ian678.com, 1
+ian678.tk, 1
+ianasheu.com, 1
+ianbrault.com, 1
+iancu.me, 1
+iandouglasscott.com, 1
+iane-ccs.com, 1
+ianix.com, 1
+ianklug.com, 1
+iankmusic.com, 1
+ianmooreis.me, 1
+ianmoriarty.com.au, 1
+ianonavy.com, 1
+ians.lu, 1
+iansyst.co.uk, 1
+ianthompsonbooks.com, 1
+ianwalsh.org, 0
+iaofirearms.com, 1
+iapro.com, 1
+iapws.com, 0
+ias-gruppe.net, 1
+ias.ua, 1
+iassess.eu, 1
+iaswc.org, 1
+iatfei.com, 1
+iatrikos-exoplismos.gr, 1
+iaudited.com, 1
+iav.com, 1
+iav.de, 1
+iawx.net, 1
+iaxx.eu, 1
+ib-kreindl.at, 1
+ib-wedler.de, 1
+ib-zentrale.de, 1
+iba.community, 1
+iba.gov.au, 1
+ibacktraced.it, 1
+ibadboy.net, 1
+iban.com, 1
+ibaoger.com, 1
+ibavaro.com, 1
+ibb.co, 1
+ibb.co.com, 1
+ibb.istanbul, 1
+ibbit.ro, 1
+ibc-container.be, 1
+ibc.com, 1
+ibcl.us, 1
+ibcmed.com, 1
+ibcmed.net, 1
+ibcmed.org, 1
+ibe.de, 1
+ibeep.com, 0
+ibei.ru, 1
+ibemember3.com, 1
+ibericaderedes.es, 1
+ibericarbenet.es, 1
+ibericarcuzco.es, 1
+ibericarcuzcomini.es, 1
+ibericarformula.es, 1
+ibericargestoso.es, 1
+ibericarmotors.es, 1
+ibericarmotorsmalaga.es, 1
+ibericarmovilcentro.es, 1
+ibericarmovilsur.es, 1
+ibericarreicomsa.es, 1
+ibericartechnik.es, 1
+ibetora.com, 1
+ibex.co, 1
+ibexmultiday.com, 1
+ibexpackaging.com, 1
+ibexrepair.co.uk, 0
+ibhgospel.com, 1
+ibi.mt, 1
+ibidyoupeace.com, 1
+ibiki-boushi-makura.net, 1
+ibilog.net, 1
+ibin.co, 1
+ibinex.news, 1
+ibiu.xyz, 0
+ibiz.mk, 1
+ibizads.tk, 1
+ibizaluxuryachts.com, 1
+ibk.at, 1
+iblog.pk, 1
+iblowdry.com, 1
+iblsoft.com, 1
+ibm.gov.in, 1
+ibm3.com, 1
+ibmaspera.com, 1
+ibmix.de, 1
+ibo-chemnitz.de, 1
+iboat.eu, 1
+ibodyiq.com, 1
+ibon.org, 1
+iboy1069.com, 0
+iboysoft.com, 1
+ibpegasus.tk, 1
+ibpsrecruitment.co.in, 1
+ibq.life, 1
+ibra.org.uk, 1
+ibrainmedicine.org, 1
+ibraphotography.com, 1
+ibrom.eu, 1
+ibron.co, 0
+ibroshop.com, 1
+ibsasport.org, 1
+ibsglobal.co.za, 1
+ibsis.org, 1
+ibstyle.tk, 1
+ibu.ca, 1
+ibug.io, 1
+ibuildings.com, 1
+ibuildings.nl, 1
+ibuki.run, 1
+ibuprofens.gq, 1
+iburgs.com, 1
+ibuzz.tk, 1
+ibwc.gov, 1
+ibykos.com, 1
+ibz.be, 1
+ic3.gov, 1
+icafecash.com, 1
+icagency.it, 1
+icams-portal.gov, 1
+icanhazpass.com, 1
+icanseeyou.tk, 1
+icap.my, 1
+icardistry.com, 1
+icaremoving.com, 1
+icareofficesolutions.com, 1
+icarlos.net, 1
+icas-nsn.gov, 1
+icasas.mx, 1
+icasnetwork.com, 1
+icastgo.ca, 0
+icastgo.com, 0
+icasture.top, 1
+icatt.nl, 1
+icbemp.gov, 0
+icca-chem.org, 1
+iccorporateinteriors.com.au, 1
+iccupplatoon.tk, 1
+iccxx.cn, 1
+icd-codes.org, 1
+icddd.pl, 1
+icdisinfection.com.au, 1
+icdp.org.ua, 1
+icebat.dyndns.org, 1
+iceberg.academy, 0
+iceberg.cyou, 1
+iceberg.ddns.me, 1
+icebike.org, 1
+icebook.co.uk, 1
+icebound.cc, 1
+icebound.win, 1
+iceboxstudio.tk, 1
+icecars.net, 0
+icecodenew.tk, 1
+icecontrol.ro, 1
+icecreamandclara.co.uk, 1
+icecreamika.tk, 1
+icecutethings.com, 1
+icedev.pl, 1
+icedox.ga, 1
+icedre.am, 1
+icedream.tech, 0
+icedterminal.com, 1
+icedterminal.me, 1
+icedude.tk, 1
+iceewind.com, 1
+iceflow.tk, 1
+icefoxtee.com, 1
+iceheart.tk, 1
+icehost.cf, 1
+icekiller.ga, 1
+icelandic.cf, 1
+icelook.tk, 1
+icemakerrepairaustin.com, 1
+icemedia.com.au, 0
+icemoto.tk, 1
+icemyworld.tk, 1
+icenter.ee, 1
+icentury.ca, 1
+icepharmaceuticals.com, 1
+icerinkwarehouse.com, 1
+icerockproperties.com, 1
+iceshadow.tk, 1
+icetechworld.com, 1
+icetiger.eu, 1
+icetravellers.com, 0
+icewood-bois.com, 1
+ich-finde-wikipedia-toll.tk, 1
+ich-hab-die-schnauze-voll-von-der-suche-nach-ner-kurzen-domain.de, 1
+ich-tanke.de, 1
+icharme.fr, 1
+ichasco.com, 1
+ichbinein.org, 1
+ichbinhuebi.de, 1
+ichbinkeinfreier.com, 1
+ichbinkeinreh.de, 1
+ichfahre.at, 1
+ichglaubesbackt.de, 1
+ichibanfansub.com.br, 1
+ichibot.trade, 1
+ichibot.vip, 1
+ichigo.university, 1
+ichigoproduction.co.kr, 1
+ichigoproduction.kr, 1
+ichijoh.co.jp, 1
+ichisound.ml, 1
+ichitaka.tk, 1
+ichitaso.com, 1
+ichtroje.tk, 1
+ichuck.rocks, 1
+ici-freewares.tk, 1
+ici.ac.nz, 1
+ici.ms, 1
+ici.net.au, 1
+icie.info, 1
+icieducation.ca, 1
+icieducation.co.uk, 1
+icieducation.ie, 1
+icims.ca, 1
+icims.com, 1
+icims.eu, 1
+icims.io, 1
+icims.us, 1
+icisontdesdragons.fr, 1
+ickerseashop.com, 1
+icl82.systems, 1
+iclart.com, 1
+iclb.be, 1
+iclg.com, 1
+iclinic-mrt.ru, 1
+iclinic.ua, 1
+icloud.com, 1
+icloud.st, 1
+icloudlogin.com, 1
+icmarket.com, 1
+icmtx.com, 1
+icnc.ga, 1
+icnsk.ru, 1
+icnsoft.org, 1
+icodeconnect.com, 1
+icojapan.tokyo, 1
+icollezionisti.com, 1
+icolorpalette.com, 1
+icomputeconsulting.com, 1
+icomuk.co.uk, 1
+icon-programming.tk, 1
+icone-one.fr, 1
+iconexperience.com, 1
+iconintegration.com.au, 1
+iconique-menuiserie.be, 1
+iconmale.com, 1
+iconmalenetwork.com, 1
+iconoarte.tk, 1
+iconomi.net, 1
+iconparkingsystems.com, 1
+iconpropertyrescue.com, 1
+icons4free.tk, 1
+iconsiam.com, 1
+iconsuppstore.com, 1
+iconworld.ml, 1
+iconx.ml, 1
+iconz.tk, 1
+icounseling.com, 1
+icountnm.gov, 1
+icowhitepapers.co, 1
+icpb.com.my, 1
+icpc2016.in.th, 1
+icpcorp.com, 1
+icpe.nl, 1
+icq-project.net, 1
+icq-world.tk, 1
+icq.com, 1
+icr-box.ddns.net, 1
+icraft.bg, 1
+icrat.org, 1
+icrc.org, 1
+icreative.nl, 1
+icruise.com, 1
+ics-blitz.me, 1
+icsolutions.nl, 1
+icst.tk, 1
+icsti.org, 1
+ict-concept.nl, 1
+ict-oldehove.nl, 1
+ict-radar.com, 0
+ict-radar.nl, 0
+ict.govt.nz, 1
+ictbaneninnederland.nl, 1
+ictcareer.ch, 1
+ictergezocht.nl, 1
+ictfreak.nl, 1
+ictinforensics.org, 1
+ictkaisha.be, 1
+ictl.eu, 1
+ictoniolopisa.it, 1
+ictradar.com, 0
+icts.gov, 1
+icttindia.org, 0
+icusignature.com, 1
+icustomboxes.com, 1
+icy.aq, 1
+icyapril.com, 1
+icycanada.com, 1
+icydestiny.com, 0
+icyeurope.com, 1
+icyhealth.com, 0
+icyheroes.com, 1
+icyrock.com, 1
+icytales.com, 0
+icywhiz.com, 1
+iczc.cz, 1
+icze4r.co, 1
+icze4r.com, 1
+icze4r.net, 1
+icze4r.online, 1
+icze4r.org, 1
+iczelion.tk, 1
+iczer.one, 1
+iczer.org, 1
+id-blog.ch, 0
+id-fxcm.com, 1
+id.atlassian.com, 0
+id.fedoraproject.org, 0
+id.mayfirst.org, 0
+id.search.yahoo.com, 0
+id.wine, 1
+id0.gr, 1
+id3global.com, 1
+id5-sync.com, 1
+idaeus.eu, 1
+idahoansforliberty.net, 1
+idahofalls.gov, 1
+idahohealth.tk, 1
+idahomushroomclub.org, 1
+idanie.cf, 1
+idaspis.com, 1
+idatalabs.com, 0
+idatownshipmi.gov, 1
+idawallen.com, 1
+idblab.tk, 1
+idbm.ch, 1
+idbs.com, 1
+idc-business.be, 0
+idc.yn.cn, 1
+idc95.com, 0
+idcat.cat, 1
+idcrawl.com, 1
+idcrushermachine.ga, 1
+idcwr.com, 1
+iddaatahmin11.com, 1
+iddaatahmin6.com, 1
+iddaatahminleri.com.tr, 1
+iddconnect.com, 1
+iddconnect.org, 1
+iddportugal.pt, 1
+idea.ws, 1
+ideadozz.hu, 1
+ideageek.net, 1
+ideagenpentana.com, 1
+ideahub.tk, 1
+ideahubnepal.org, 1
+ideaklinik.com, 1
+ideaklinikbursa.com, 1
+ideaktiv.com, 1
+ideal-reality.com, 1
+ideal-social.com, 1
+ideal.shop, 1
+idealabs.tk, 1
+idealadvogadosbh.com.br, 1
+idealbet.it, 1
+idealbody.cf, 1
+idealbody.gq, 1
+idealcontabilidade.net, 0
+idealdedetizadorabh.com.br, 1
+idealimobiliariabh.com.br, 1
+idealize.ml, 1
+idealmature.com, 1
+idealmilf.com, 1
+idealnastrona.pl, 1
+idealni-hypoteka.cz, 1
+idealog.id, 1
+idealresponse.co.uk, 1
+idealsegurancaeletronica.com.br, 1
+idealserralheriabh.com.br, 1
+idealtruss.com, 1
+idealtruss.com.tw, 1
+idealucedifilippi.it, 1
+idealwhite.space, 1
+idealwifes.com, 1
+ideaplex.ca, 1
+ideas.com, 0
+ideasdigitales2025.es, 1
+ideasenfoto.com, 0
+ideashop.com, 1
+ideasinlab.com, 1
+ideau.pl, 1
+ideaweb.de, 1
+ideaweblab.com, 0
+idec.com, 1
+idee-geschenk.eu, 1
+idee-lq.at, 1
+idee-lq.ch, 1
+idee-lq.com, 1
+idee-lq.de, 1
+idee-lq.net, 1
+ideefactory.de, 1
+ideericette.it, 1
+ideesrecettes.net, 1
+idehvector.com, 1
+ideiasefinancas.com.br, 1
+ideice.gob.do, 1
+idemo.in, 1
+iden-tt.com, 1
+iden-tt.net, 1
+iden-tt.org, 1
+idenamaislami.com, 1
+idensys.nl, 1
+ident-clinic.be, 1
+identa.io, 1
+identassist.com, 1
+identeco.de, 1
+identifyme.net, 1
+identifytag.com, 1
+identigraf.center, 1
+identity-hash.online, 1
+identity-inspector.com, 0
+identity-project.com, 1
+identity.aero, 1
+identity.plus, 1
+identityexperts.co.uk, 1
+identityflashmob.com, 1
+identitykrisis.com, 1
+identitysandbox.gov, 1
+identityswapers.ga, 1
+identityswapest.ga, 1
+identitytheft.gov, 1
+ideologiaycultura-ap.tk, 1
+ideorealm.tk, 1
+idered.net, 1
+ides.co.jp, 1
+idesign.tk, 1
+idesoft.cloud, 1
+idesoft.com, 1
+idesoft.eu, 1
+idesoft.info, 1
+idesoft.net, 1
+idesoftinnovacion.com, 1
+idesoftinnovacion.es, 1
+idev-hub.com, 1
+idev.games, 1
+idevicesinc.com, 1
+idexxpublicationportal.com, 1
+idf64.com, 1
+idf64.org, 1
+idfc.gov, 1
+idgr.de, 1
+idhl.fr, 1
+idhosts.co.id, 1
+idigovs.com, 0
+idinby.dk, 1
+idiomasdelmundo.tk, 1
+idiomasdominados.tk, 1
+idioteque.tk, 1
+idjnow.com, 1
+idkidknow.com, 1
+idleleo.com, 1
+idlemon.net, 1
+idlethoughtsandramblings.com, 1
+idlewildflowers.com, 1
+idlxb.com, 1
+idmanagement.gov, 1
+idmaster.ml, 1
+idmmovers.com, 1
+idmobile.co.uk, 1
+idmod.org, 1
+idn.gov.pt, 0
+idndomain.tk, 1
+idndx.com, 1
+idnic.net, 1
+idoctoril.com, 1
+idohost.tk, 1
+idol-bikes.ru, 1
+idolf.dk, 1
+idolfap.com, 1
+idolish7.fun, 0
+idoljp.com, 1
+idonthaveawebsite.tk, 1
+idontplaydarts.com, 1
+idoparadoxon.hu, 1
+idoxus.de, 1
+idp.onl, 1
+idraetsmusik.dk, 1
+idratherbequilting.com, 1
+idraulico-roma.it, 1
+idraulico.roma.it, 1
+idream-solutions.co.uk, 0
+idrissi.eu, 1
+idroot.us, 1
+idropulsoredentale.shop, 1
+idsafe.co.za, 1
+idsc.com.tw, 1
+idsconsulting.co.nz, 1
+idstudio.tk, 1
+idta.com.au, 1
+idtechnowizard.com, 1
+idtheft.gov, 1
+idtrkarnal.com, 1
+iduntownshipmn.gov, 1
+idvchile.cl, 1
+idventure.de, 1
+idvl.de, 1
+idwaste.com, 1
+idweblog.com, 1
+idwebsitehosting.com, 1
+idwebtools.tk, 1
+idxforza.com, 1
+idyl.fr, 1
+idysse.com, 1
+ie.edu, 1
+ie.search.yahoo.com, 0
+ieeesb.nl, 1
+ieeesbe.nl, 1
+ieeespmb.org, 1
+iegat.com, 1
+iegatpracticetest.com, 1
+ieiscccuba.tk, 1
+ieji.de, 1
+iemail.eu.org, 1
+iemb.cf, 1
+iemc.pt, 1
+iemsamex.com, 1
+ienakacs.jp, 1
+ienakanote.com, 0
+ienekolife.net, 1
+ienergizer.com, 1
+ieomidi.com, 1
+iepaiement.fr, 1
+iepanywhere.com, 1
+ieros.it, 1
+ies-italia.it, 0
+iesledzkarjeru.lv, 1
+iesonline.co.in, 1
+iesucreipi.edu.co, 1
+iet.co.za, 1
+ieti.eu, 1
+ieval.ro, 1
+ievgenialehner.com, 1
+iewar.com, 1
+iexaminer.org, 1
+iexpats.com, 1
+if-sikkerhet.no, 1
+if0.ru, 1
+ifacservice.be, 1
+ifadian.club, 1
+ifailed.tk, 1
+ifailedlife.tk, 1
+ifaisalmukhtar.tk, 1
+ifam-erfurt.de, 1
+ifan.ch, 0
+ifan.ws, 1
+ifangpei.cn, 1
+ifangpei.com.cn, 1
+ifasfest2022.com, 1
+ifbagro.in, 1
+ifcfg.jp, 1
+ifconfig.tk, 1
+ifdb.org, 1
+ifdif.com, 1
+ifederalland.com, 1
+ifelse.io, 1
+ifengge.cn, 1
+iffk.in, 1
+ifgcdn.com, 1
+ifh.cc, 1
+ifibe.com, 1
+ifisher.xyz, 1
+ifleurs.com, 1
+iflixtv.ga, 1
+iflscience.com, 1
+ifmilitaria.tk, 1
+ifmsa-lahore.tk, 1
+ifnet.fr, 1
+ifnulltrue.com, 1
+ifoa.it, 1
+ifohancroft.com, 1
+ifok.de, 1
+ifolder.ga, 1
+iforced.net, 1
+ifort.fr, 1
+ifosep.fr, 0
+ifoss.me, 1
+ifpe.edu.br, 1
+ifrabb.fr, 1
+iframefinancement.be, 1
+ifreemax.ml, 1
+ifreetion.cn, 1
+ifreetion.com, 1
+ifriend.tk, 1
+ifsaalemi.tk, 1
+ifsac.org, 1
+ifsh.me, 1
+ift.cx, 1
+iftarsaati.org, 1
+iftcentre.com, 1
+iftrue.de, 0
+ifur.ga, 1
+ifwhenhow.org, 1
+ifworlddesignguide.com, 1
+ifxd.bid, 1
+ifxnet.com, 1
+ifylofd.xyz, 1
+ifyou.live, 1
+ig-plastik.tk, 1
+ig.com, 1
+ig.me, 1
+ig.solutions, 1
+iga-semi.jp, 1
+igad.int, 1
+igame.ml, 1
+igamingaffiliateprograms.com, 1
+igamingdirectory.com, 1
+igamingnews.com, 1
+igamingnyheder.dk, 1
+igamingpocketdirectory.com, 1
+igamingsuppliers.com, 1
+igarage.nl, 0
+igc.in.th, 1
+igdb.com, 1
+igenuinebeauty.co.jp, 1
+igforum.tk, 1
+igfwd.email, 1
+iggies.tk, 1
+igglabs.com, 1
+iggprivate.com, 1
+iggsoft.com, 1
+iggsoftware.com, 1
+igi-2.com, 1
+igi.codes, 0
+igiftcards.de, 1
+igiftcards.nl, 1
+igimusic.com, 0
+igiugig.gov, 1
+igiveyouthisday.com, 1
+igk.nz, 0
+igkabel.cf, 1
+igkabel.ga, 1
+igkabel.gq, 1
+igkabel.ml, 1
+igkabel.tk, 1
+iglesiabelen.tk, 1
+iglesiaquecamina.tk, 1
+igln.fr, 1
+igloballaw.com, 1
+iglobus.cz, 0
+igloocommunities.com, 1
+igloodigitalworkplace.ca, 1
+igloodigitalworkplace.com, 1
+igloodigitalworkplaces.ca, 1
+igloopartnerportal.com, 1
+igloopreview.ca, 1
+igloosandbox.com, 1
+iglosujemy.pl, 1
+igmedia.ir, 1
+igmus.org, 1
+ign-proprete.fr, 1
+ignace72.eu, 1
+ignaciolacruz.com, 1
+ignacjanskiednimlodziezy.pl, 1
+ignat-mag.com, 1
+ignat-torcov.tk, 1
+ignat.by, 1
+ignatij.tk, 1
+ignatovich.by, 1
+ignatovich.me, 1
+ignet.gov, 1
+ignite-reading.com, 1
+ignite.cz, 1
+ignitedmindz.in, 1
+igniteenergy.co.uk, 1
+igniteheatcool.com.au, 1
+ignytebrands.com, 1
+igocarwraps.com, 1
+igor-hristenko.tk, 1
+igor-usov.tk, 1
+igorandandre.com, 1
+igorlink.com, 1
+igormiranda.com.br, 1
+igorrealestate.com, 1
+igorshishkin.com, 1
+igorshishkin.ru, 1
+igorskyflyer.me, 1
+igorville.gov, 1
+igorvisi.com, 1
+igorvlasov.tk, 1
+igorvracar.com, 1
+igorw.org, 1
+igotoffer.com, 0
+igpwned.com, 1
+igra-prestol.tk, 1
+igra3k.tk, 1
+igram.io, 1
+igramming.com, 1
+igranit.md, 1
+igraonicalara.tk, 1
+igrarium.com.ua, 0
+igrek.co.jp, 1
+igrivi.com, 1
+igrodrom-kvest.tk, 1
+igromasikov.tk, 1
+igrovoi-klub.tk, 1
+igrun.com, 1
+igrun80.com, 1
+igrun88.com, 1
+igrunplay.com, 1
+igry-onlayn.ru, 1
+igryalawar.tk, 1
+igshop.ir, 1
+igsmgmt.com, 1
+igsoc.org, 1
+igt.com, 1
+igualdaton.org, 1
+iguanacruda.tk, 1
+iguru.gr, 1
+igust4u-archive.ga, 1
+igva.or.kr, 1
+ih8sn0w.com, 1
+iha6.com, 1
+ihacares.com, 1
+ihackear.com, 1
+ihacker.ai, 1
+ihakkitekin.com, 1
+ihatethissh.it, 1
+ihc.im, 1
+ihcprofile.com, 1
+ihdev.party, 1
+ihe-europe.net, 1
+iheartguys.com, 1
+iheartguys.net, 0
+iheartguys.org, 1
+iheatwithoil.com, 1
+ihempz.cz, 0
+ihersua.es, 1
+ihk-onlinewahl2021.de, 1
+ihkk.net, 1
+ihls.world, 0
+ihmc.us, 1
+ihmmarketing.com, 1
+ihmphila.org, 1
+ihmsp.org, 1
+ihonk.com, 1
+ihoofs.com, 1
+ihorizon.jp, 1
+ihorvorotnov.com, 1
+ihost.md, 1
+ihostup.net, 1
+ihouseu.com, 1
+ihr-finanzcockpit.de, 1
+ihr-hausarzt-kleinmachnow.de, 1
+ihre-ernaehrung.de, 1
+ihre-pflege-sachsen.de, 1
+ihrhost.com, 1
+ihri.ca, 1
+ihsangans.my.id, 1
+ihwanburhan.com, 1
+ii-vi.com, 1
+ii.cx, 1
+ii5197.co, 1
+ii6729.co, 1
+ii6729.com, 0
+ii6957.co, 1
+ii9297.co, 1
+ii9728.co, 1
+iia.no, 1
+iibarizona.com, 1
+iid.sg, 1
+iidb.org, 1
+iideaz.org, 1
+iiet.pl, 1
+iig-order.com, 1
+iii-coalition.us, 1
+iiii.gq, 1
+iiii.loan, 1
+iiii.ml, 1
+iiij.ml, 1
+iiinhoj.com, 1
+iiit.pl, 1
+iimarckus.org, 1
+iinehp.com, 1
+iinf.in, 1
+iinfin.org, 1
+iinix.com, 1
+iino-iina.co.jp, 1
+iiong.com, 1
+iipaynationofsantaysabel-nsn.gov, 1
+iipvapi.com, 1
+iipython.cf, 1
+iir.com, 1
+iis.net, 1
+iisjy.cn, 1
+iispeed.com, 1
+iisuss.gq, 1
+iitneetprep.com, 1
+iitowns.ir, 1
+iitranslation.com, 1
+iitrust.lk, 1
+ij.rs, 1
+ijemin.com, 1
+ijianli.cn, 1
+ijm.com, 1
+ijmondlijn.nl, 1
+ijmuiderstrand.tk, 1
+ijnokmpl.cf, 1
+ijohan.nl, 1
+ijpmediagroup.com, 1
+ijsbaanwitten.nl, 1
+ijsblokjesvormen.nl, 1
+ijsclubtilburg.nl, 1
+ijsselglas.nl, 1
+ijubt.cf, 1
+ijunohana.jp, 1
+ijustwanttomeetmyheroes.com, 1
+ijzerwarenhandel.nu, 1
+ika.monster, 1
+ikachalife.com, 1
+ikall.com, 1
+ikama.cz, 1
+ikara.social, 1
+ikari-san.tk, 1
+ikaros.tk, 1
+ikarus-itkurs.de, 1
+ikasgela.com, 1
+ikazumitsu.tk, 1
+ikbenrichie.nl, 1
+ikeacareers.co.uk, 1
+ikebuku.ro, 1
+ikedaquotes.org, 1
+ikenmeyer.com, 1
+ikenmeyer.eu, 1
+ikerepc.tk, 1
+ikeyless.com, 1
+ikfloreer.nu, 1
+ikhwanfillah.com, 1
+ikikiv.com, 1
+ikiler.com, 1
+ikimo9.com, 1
+ikinokori-marketing.com, 1
+ikisser.de, 1
+ikiteker.org.tr, 1
+ikk-classic.de, 0
+ikk.me, 1
+ikkakujuku.work, 0
+ikkatsu-satei.jp, 1
+ikke-coach.nl, 1
+ikkev.de, 0
+ikkoku.de, 1
+iklan-baris.gq, 1
+iklan.tk, 1
+iklanbaris.tk, 1
+ikmx.net, 1
+iknowd.org, 1
+iknowthatgirl.com, 1
+ikoreg.nl, 1
+ikra24.in.ua, 1
+ikrab.club, 1
+iks.moe, 1
+iksi.cc, 1
+iksi.me, 1
+iksworld.kr, 1
+iktisatbank.com, 0
+ikuda.net, 1
+ikudo.top, 1
+ikumi.us, 1
+ikutin.id, 1
+ikvts.de, 1
+ikwildjworden.com, 1
+ikwileendomein.tk, 1
+ikwilscheiden.nl, 1
+ikx.me, 1
+ikzoekeengoedkopeauto.nl, 1
+ikzoektim.nl, 1
+il12thcourt.gov, 1
+il2eu.com, 1
+ila.tw, 1
+ilab.health, 1
+ilac101.com, 1
+ilacrehberi.com, 1
+ilag.gov, 1
+ilamparas.at, 1
+ilamparas.co.uk, 1
+ilamparas.com, 1
+ilamparas.com.co, 1
+ilamparas.com.ve, 1
+ilamparas.mx, 1
+ilard.fr, 1
+ilasoft.net, 1
+ilaunch.co.za, 1
+ilawgix.com, 1
+ilazycat.com, 1
+ilbiglietto24.eu, 1
+ilbiscottificiodipamparato.it, 1
+ilc552.com, 1
+ilc553.com, 1
+ilchaos.com, 1
+ilconiglioblu.it, 1
+ilcorrieredellacitta.com, 1
+ilcourthelp.gov, 1
+ilctucson.com, 1
+ildepu.tk, 1
+ildigitale.it, 1
+ildisagio.tk, 1
+ildomani.it, 1
+ile-kalorii.pl, 1
+ile-sapporo.jp, 1
+ilearned.eu, 0
+ilearningengines.com, 0
+ileat.com, 1
+ileci.de, 1
+ileduguesclin.fr, 1
+ilektronika-farmakeia-online.gr, 1
+ilemonrain.com, 1
+ileonidze.tk, 1
+ilericikadinlar.org, 1
+iletisimmakinesi.com, 1
+iletiyonetimi.com, 1
+iletmen.com, 1
+ilformichiere.com, 1
+ilfumoshop.ru, 1
+ilg.ink, 1
+ilgazhaliyikama.com, 1
+ilgisaglik.com, 1
+ilhan.name, 1
+ilhansubasi.com, 1
+ilhombek.ml, 1
+iliad78.net, 1
+iliamna.media, 1
+iliastsi.net, 1
+ilienonline.com, 1
+ilife.bg, 1
+iligang.cn, 1
+iligang.com, 1
+iligang.com.cn, 1
+iligang.link, 1
+iligang.net, 1
+iligang.xin, 1
+ilikepenguins.tk, 1
+ilikezo.tk, 1
+ilimar.tk, 1
+ilimitar.tk, 1
+ilin.dk, 1
+ilin.xyz, 1
+iliny.hu, 1
+ilionsky.com, 1
+iljadr.be, 1
+illaadventure.com, 1
+illadrodimerendine.it, 1
+illafuture.com, 1
+illambias.ch, 0
+illange.info, 1
+illative.net, 1
+illavobuempliz.ch, 1
+illegalpornography.com, 1
+illegalpornography.me, 1
+illerzell.de, 1
+illicitart.ca, 1
+illicopresto.net, 1
+illimitmail.com, 1
+illinitechservice.com, 0
+illinoiscaselaw.com, 1
+illinoiscourtscommission.gov, 1
+illinoiseagle.com, 0
+illinoisequipmentdistributors.com, 1
+illinoishealth.tk, 1
+illjinx.info, 1
+illnation.tk, 1
+illogical-gaming.at, 1
+illorenese.fr, 1
+illsley.org, 1
+illu.ee, 1
+illubel.com, 1
+illumed.net, 1
+illumepgh.com, 1
+illuminated-security.com, 1
+illuminatelife.tk, 1
+illuminaten.tk, 1
+illuminatisocietyworldwide.org, 1
+illuminatiwatcher.com, 1
+illumini.io, 1
+illumis.com, 0
+illusia.tk, 1
+illusionephemere.com, 0
+illusionsdoptique.com, 1
+illusionsix.com, 1
+illusiveshop.com, 1
+illustrate.biz, 1
+illuxat.com, 1
+ilmaestro.net, 1
+ilmainensanakirja.fi, 1
+ilmanifesto.it, 0
+ilmcorp.com, 1
+ilmiogiardiniere.it, 1
+ilmubahasainggris.com, 1
+iloft.xyz, 1
+iloli.name, 1
+ilona-france.tk, 1
+ilondres.es, 1
+ilonewolfs.com, 1
+ilonpolku.fi, 1
+ilouis.cn, 0
+ilove.fish, 1
+iloveasiancams.com, 1
+iloveawardcams.com, 1
+iloveboycams.com, 1
+ilovecomputering.com, 1
+ilovefanyi.win, 1
+ilovefun.tk, 1
+ilovegrowingmarijuana.com, 1
+iloveherb.ru, 1
+ilovejoycams.com, 1
+ilovelivecams.com, 1
+ilovelwy.com, 1
+ilovematurecams.com, 1
+ilovemycams.com, 1
+iloveporn.ml, 1
+iloveprivatecams.com, 1
+ilovesamara.tk, 1
+ilovesnow.ml, 1
+ilovestickers.gr, 1
+ilovethiscampsite.com, 1
+ilovetranniescams.com, 1
+ilovewallpaper.tk, 1
+iloveyoutoo.tk, 1
+ilovias-farm.fr, 1
+ilpapaverodermohn.it, 1
+ilpescara.it, 1
+ilpiacenza.it, 1
+ilpuntosano.it, 1
+ilrg.com, 1
+ils-savaient.fr, 1
+ils.lt, 1
+ilsalvagente.it, 1
+ilsaperedelgusto.it, 1
+ilsedelangeforum.tk, 1
+iltec.ru, 1
+iltis.live, 1
+iltis.rocks, 1
+iltombolo.tk, 1
+iltuogiardino.org, 1
+iltuomedicodifamiglia.it, 1
+ilug-ktm.tk, 1
+iluman.tk, 1
+ilumantio.tk, 1
+ilunion.tk, 1
+ilusionesopticas.net, 1
+ilusionistas.tk, 1
+ilusionphoto.com, 1
+ilusoesopticas.com, 1
+ilustradanuvem.pt, 1
+ilya-potemin-domain.tk, 1
+ilya.pp.ua, 1
+ilyabakhlin.com, 1
+ilyatsykunov.com, 1
+im-a.cricket, 1
+im-alter-daheim.ch, 0
+im-c-shop.com, 1
+im-haus-sonnenschein.de, 1
+im-in.space, 1
+im-internet-geld-verdienen.tk, 1
+im-razmakh.ru, 1
+im-s.net, 1
+im4h.de, 1
+im4h.eu, 1
+im4h.info, 1
+im66.net, 1
+ima-solutions.fr, 1
+imadalin.ro, 1
+image-cdn.co.uk, 1
+image-drive.de, 1
+image.hosting, 1
+image.ie, 1
+image.tf, 1
+image4arab.tk, 1
+imagealbums.tk, 1
+imagebin.ca, 1
+imagecom.tk, 1
+imagecurl.com, 1
+imagefu.com, 1
+imagen891.tk, 1
+imagenesdedibujosalapizfacilesdehacer.com, 1
+imageproductions.ga, 1
+imagequix.com, 1
+imagerecall.tk, 1
+imagerestorationcenter.com, 1
+imagerive.ch, 0
+imageshare.web.id, 1
+imagetostl.com, 1
+imagevillage.ir, 1
+imageworld.tk, 1
+imagex.graphics, 1
+imaginair.es, 1
+imaginarium.tk, 1
+imaginary.ca, 1
+imaginary.stream, 1
+imaginarymakings.me, 1
+imaginationpathway.com, 1
+imagine-programming.com, 1
+imagineata.ro, 1
+imaginebelfast.com, 1
+imaginefamilychiropractic.com, 1
+imaginelab.club, 1
+imagineokla.gov, 1
+imaginescape.tk, 1
+imaginethatevent.com, 1
+imaginethefloor.tk, 1
+imaginetricks.com, 1
+imagingstudio.co.uk, 0
+imagisphe.re, 1
+imajavm.com, 1
+imajjeans.com, 1
+imakash.gq, 1
+imakeyougreatagain.com, 1
+imakin.nl, 1
+imamenu.com, 1
+imamiyadental.jp, 1
+imanageproducts.co.uk, 1
+imanageproducts.com, 1
+imanageproducts.uk, 1
+imanolbarba.net, 1
+imanoles.ddns.net, 1
+imap.support, 1
+imap2imap.de, 1
+imaple.net, 1
+imaple.org, 1
+imara-reiki.de, 1
+imaret.com.tr, 1
+imarkethost.co.uk, 1
+imarketing.pe, 1
+imask.ml, 1
+imask.tk, 1
+imatraelekter.ee, 1
+imawasn-consulting.com, 1
+imaya.tk, 1
+imbd-pro.net, 1
+imbdagency.com, 1
+imbianchino.roma.it, 1
+imbit.tk, 1
+imboom.tk, 1
+imbrian.org, 1
+imbunatatiri-logan.tk, 1
+imbushuo.net, 1
+imck.ml, 1
+imcsi.cn, 1
+imdaadapp.com, 1
+imdb, 1
+imdb-pro.com, 1
+imdb-pro.net, 1
+imdb.com, 1
+imdb.me, 1
+imdb.pro, 1
+imdbpro.com, 1
+imdbresume.com, 1
+imdcc.net, 1
+ime-a-tolerancia-eredmenye.club, 1
+ime.moe, 1
+imed.com.pt, 1
+imed.pt, 1
+imedi.it, 1
+imediabay.com, 1
+imediafly.com, 1
+imediato.pt, 1
+imediatoonline.com, 1
+imedikament.de, 1
+imeria.tk, 1
+imerys-mineraux-decoratifs.com, 1
+imesh-light.tk, 1
+imex-dtp.com, 1
+imexm.mx, 1
+imexmed.com.gt, 1
+imfacademy.com, 1
+imfblog.com, 1
+imforza.com, 1
+img.cm, 1
+img.mg, 1
+img.ovh, 1
+img.ren, 1
+imgaa.com, 1
+imgbb.com, 1
+imgen.top, 1
+imgencrypt.com, 1
+imgg.es, 1
+imgmodels.com, 1
+imgo.ga, 1
+imgo.tk, 1
+imgup.co, 1
+imguploaden.nl, 1
+imhua.com, 1
+imi-rhapsody.eu, 0
+imibo.com, 1
+imicroscope.tk, 1
+imidge.com.ua, 1
+imigrasilampung.co.id, 1
+imigrate.me, 1
+imin.co, 1
+imine.ru, 1
+iminshell.com, 0
+imirhil.fr, 1
+imis.com.br, 1
+imisa.com.mx, 1
+imisto.net, 1
+imitationjewelry.tk, 1
+imitza.com, 0
+imjo.in, 1
+imjustcreative.com, 1
+imkan.tours, 1
+imkero.net, 1
+imkerverein-moenchswald.de, 1
+imkindofabigdeal.com, 1
+imksk.com, 1
+imlbp.com, 1
+imlbp.eu.org, 1
+imlec.net, 1
+imlhx.com, 1
+imlinan.cn, 1
+imlinan.info, 1
+imlinan.net, 1
+imlloyd.yt, 1
+imlonghao.com, 1
+imls.gov, 1
+immanuellutheranmedia.org, 1
+immarypoppinsyall.tk, 1
+immaterium.de, 1
+immbruxelles.com, 1
+immedia.net, 1
+immedicohospitalario.es, 1
+immense.ly, 1
+immersa.co.uk, 1
+immersionclub.tk, 1
+immersionwealth.com, 1
+immersivewebportal.com, 1
+immi.shop, 1
+immiboards.com, 1
+immigrantdad.com, 1
+immigration-lawyers.co.nz, 1
+immigrationdirect.com.au, 1
+immijobs.co.uk, 1
+immo-agentur.com, 1
+immo-aval.org, 1
+immo-express.ag, 1
+immo-express.biz, 1
+immo-express.info, 1
+immo-express.org, 1
+immo-israel.ltd, 1
+immo-les-allees.com, 1
+immo-ment.eu, 1
+immo-passion.net, 0
+immo-spezial.com, 1
+immo-spezial.eu, 1
+immo-spezial.org, 1
+immoaval.de, 1
+immoaval.mobi, 1
+immobilien-badlippspringe.de, 1
+immobilien-in-istanbul.de, 1
+immobilien-schrammek.de, 1
+immobilien-suedtirol.bz.it, 1
+immobilien-uster.ch, 1
+immobilien-wallat.de, 1
+immobilien-zirm.de, 1
+immobiliengutachter-holland.de, 1
+immobilienkredit.de, 1
+immobilienmakler-berlin-biesdorf.de, 1
+immobilienmakler-berlin-kaulsdorf.de, 1
+immobilienmakler-berlin-mahlsdorf.de, 1
+immobiliensachverstaendiger-ludwigsburg.de, 1
+immobiliensachverstaendiger-waiblingen.de, 1
+immobilienservice-website.de, 1
+immobilier-realiste.fr, 1
+immobilier-swiss.ch, 1
+immobilier.org.il, 1
+immobilier92.net, 1
+immobilierlibourne.com, 1
+immobilo.de, 1
+immocompar.com, 1
+immoel101.com, 1
+immoexpress.org, 1
+immoisrael.agency, 1
+immoisrael.be, 1
+immoisrael.ch, 1
+immoisrael.co.il, 1
+immoisrael.com, 0
+immoisrael.de, 1
+immoisrael.eu, 1
+immoisrael.fr, 1
+immoisrael.ltd, 1
+immoisrael.lu, 1
+immoisrael.net, 1
+immoisrael.nl, 1
+immoisrael.org, 1
+immoisrael.org.il, 1
+immomydesk.fr, 1
+immoponteq.com, 1
+immoraldoctors.tk, 1
+immortal-it.tk, 1
+immortal.org.in, 1
+immortal.run, 1
+immortalcorporation.tech, 1
+immortallove.tk, 1
+immortec.com, 1
+immortol.tech, 1
+immortuos.live, 1
+immospezial.info, 1
+immovisual.be, 1
+immtel.co, 1
+immtel.com, 1
+immune.cf, 1
+immunoboost.be, 1
+immutable.com, 1
+imnabrasive.com, 1
+imoads.com, 1
+imobile3.com, 1
+imobiliare.tk, 1
+imobiliariaemblumenau.com.br, 1
+imobiliariamax.com.br, 1
+imobiliariamoema.com.br, 1
+imobiliariaprofit.com.br, 1
+imobiliariarealdream.com.br, 1
+imobilien.tk, 1
+imoe.fun, 0
+imokuri123.com, 1
+imolights.com, 1
+imolights.net, 1
+imolog.cl, 1
+imoner.com, 1
+imoner.ga, 1
+imoneynet.com, 1
+imorano.it, 1
+imosthailand.com, 1
+imoter.it, 1
+imouto.ru, 1
+imouyang.com, 0
+imoveisavenda.rio.br, 1
+impact-lyon.fr, 1
+impact-visual.tk, 1
+impact.com, 1
+impact.health.nz, 1
+impactartstudy.com, 1
+impactcomics.com.au, 1
+impactdepth.com, 1
+impacter.eu, 1
+impactovenezuela.com, 1
+impactparcels.co.uk, 1
+impactparcels.com, 1
+impactpub.ch, 0
+impactyou-academy.nl, 1
+impactyou.nl, 1
+impakho.com, 1
+impalaparts.com, 1
+imparat.de, 0
+imparostobene.it, 1
+impartner.com, 1
+impas.se, 1
+impec-cable.com, 1
+impeka.in, 1
+impelup.com, 1
+impendulo.org, 1
+imperator-janssens.tk, 1
+imperdin.com, 1
+imperdintechnologies.com, 1
+imperial-legrand.com, 1
+imperialcounty.org, 1
+imperialearth.com, 1
+imperialfenceinc.com, 1
+imperialfencestlouis.com, 1
+imperialism.rip, 1
+imperialmetalproducts.com, 1
+imperialne.gov, 1
+imperials.family, 1
+imperialteam.tk, 1
+imperialwrestling.tk, 1
+imperiodamodamiranda.com.br, 1
+imperiodeleones.cl, 1
+imperiodigital.online, 1
+imperiodosvinhos.com.br, 1
+imperioth.com, 1
+imperiumnova.info, 1
+imperivm-romanvm.com, 1
+imperiyashop.tk, 1
+impermeabilisationqc.com, 1
+impex.com.bd, 1
+impexul.de, 1
+impf.site, 1
+impfung.cf, 1
+impfung.site, 1
+imphotep.net, 1
+impianti.it, 1
+impiantistica.org, 1
+impiantofotovoltaico.roma.it, 1
+impiricus.com, 1
+implantologiadentalgt.com, 1
+implicitsuccess.com, 1
+implosion.tk, 1
+implude.com, 0
+impns.org, 1
+imponet.com.ar, 1
+import-shopping.de, 1
+importanteducation.tk, 1
+importsagt.com, 1
+importsem.com, 1
+importsign.com, 1
+imposingoods.com, 1
+impossible.org, 1
+impossiblechoisir.tk, 1
+impossiblehq.com, 1
+impossiblenutrition.com, 1
+impossiblex.com, 1
+impotsimple.ca, 1
+imppac-schmuck.de, 1
+imppac.de, 1
+impreg-group.com, 1
+imprenditore.it, 1
+imprendo.co, 1
+imprendo.pro, 1
+imprensaglobal.com.br, 1
+imprensaglobal.org, 1
+imprenta-es.com, 1
+imprenta.bg, 1
+imprentamanonelles.com, 1
+impresa-di-pulizie.milano.it, 1
+impresa-di-pulizie.org, 1
+impresa-pulizie.it, 1
+impresadipulizia.milano.it, 1
+impresadipulizia.roma.it, 1
+impresadipulizie.roma.it, 1
+impresadipulizie.verona.it, 1
+impresaedile.roma.it, 1
+impresaitalia.info, 1
+impresapulizia.milano.it, 1
+impresapuliziacleanproject.it, 1
+impresapulizie.firenze.it, 1
+impresapulizie.it, 1
+impresapulizie.milano.it, 1
+impresapulizie.roma.it, 1
+impresapuliziebergamo.it, 1
+impress-app.com, 1
+impressao3d.ml, 1
+impressivebison.eu, 0
+impressivetitle.tk, 1
+imprezer.tk, 1
+imprezzor.com, 1
+imprimante-3d-store.fr, 1
+improbo-group.com, 1
+improd.works, 1
+improfestival.ee, 1
+improv.ee, 1
+improvebusinessonline.info, 1
+improved-madness.de, 1
+improvenerg.com, 1
+improvetoyourself.ga, 1
+improveyourvision.tk, 1
+improvingsleepnaturally.com, 1
+imprumutdeurgenta.ro, 1
+impudence.tk, 1
+impuls.tk, 1
+impulse-clan.de, 1
+impulsewebdesign.nl, 1
+impulsocristiano.com, 1
+imququ.com, 1
+imranc.ca, 1
+imranhossen.ml, 1
+imransarwar.com, 1
+imrbq.com, 1
+imreh.net, 1
+imro.ie, 1
+imrozrum.k12.tr, 1
+imrunner.com, 1
+imrunner.ru, 1
+ims-dc.com, 1
+ims-sargans.ch, 1
+imsace.tk, 1
+imstocker.com, 1
+imtec-rohr.de, 1
+imtikai.ml, 1
+imtikaib.ml, 1
+imtools.gq, 1
+imumed.cz, 1
+imunify360.com, 1
+imusionforum.tk, 1
+imwalking.de, 1
+imy.rs, 0
+imyjy.cn, 1
+imzhu.com, 1
+imzye.me, 1
+in-1xbet.com, 1
+in-bachelor.de, 1
+in-books.tk, 1
+in-crypto.tk, 1
+in-depth.wiki, 1
+in-depthoutdoors.com, 1
+in-flame-team.com, 1
+in-flames.com, 1
+in-line.ru, 1
+in-love.tk, 1
+in-star.com.ua, 1
+in-ua.com, 1
+in.search.yahoo.com, 0
+in.xero.com, 0
+in10tion.com, 0
+inaji.com, 1
+inakasoftware.com, 1
+inakipsikologoa.com, 1
+inalvittile.cf, 1
+inalvittile.ga, 1
+inalvittile.ml, 1
+inalvittile.tk, 1
+inanaji.ga, 1
+inanam.tk, 1
+inanan.cf, 1
+inandoutcarwashcharleston.com, 1
+inanec.gq, 1
+inaned.ga, 1
+inaproc.id, 1
+inara.cz, 1
+inares.org, 1
+inarizona.tk, 1
+inawisdom.com, 1
+inbetweenathome.nl, 1
+inbitcoin.it, 1
+inblank.tk, 1
+inbound.tk, 1
+inbounder.io, 0
+inbox.google.com, 1
+inbox.gq, 1
+inboxceo.com, 1
+inboxen.org, 1
+inboxsms.tk, 1
+inboxxme.com, 1
+incarceratedwombats.com, 1
+incarter.ga, 1
+incaweb10.es, 1
+ince.tools, 1
+inceif.edu.my, 1
+incels.is, 1
+incels.wiki, 1
+inceneritore.ga, 1
+incent-fit.co, 1
+incent-fit.com, 1
+incent.fit, 1
+incent.fitness, 1
+incentafit.co, 1
+incentea.com, 1
+incentefit.co, 1
+incentehealth.com, 1
+incentfitness.com, 1
+incentifit.co, 1
+incentihealth.com, 1
+incentivefit.com, 1
+incentivi.it, 1
+incentofit.com, 1
+inceptionband.tk, 1
+incert.cn, 1
+incertint.com, 1
+inchargeus.net, 1
+inchcape-fleet-autobid.co.uk, 1
+inchenaim.com, 1
+inchidi.id, 1
+incident.dk, 1
+incidentresponsesolution.com, 1
+incidentresponsesystem.com, 1
+includesubdomains.preloaded.test, 1
+includesubdomains2.preloaded.test, 1
+inclusio.shop, 1
+inclusion.tn, 1
+inclusionhcpa.org, 1
+inclusioproject.com, 1
+inclusiv.nl, 0
+incn.su, 1
+incnjp.com, 1
+incognito.org.uk, 1
+incoherent.ch, 1
+income-earnings.tk, 1
+incomeestatellc.com, 1
+incomeplus.tk, 1
+incometaxbengaluru.org, 1
+incometricks.tk, 1
+incomewithdraw.tk, 1
+incomfinance.tk, 1
+incommon.io, 1
+incompliance.de, 1
+inconkz.com, 1
+inconsciente.tk, 1
+incontactmetjezelf.nl, 1
+inconvietnam.vn, 1
+incore.com, 1
+incorp.asia, 1
+incorp.ph, 1
+incorporatedstyle.com, 1
+incowrimo.org, 1
+incpak.com, 1
+incredibilis.tk, 1
+incrediblenews.tk, 1
+incrediblez.tk, 1
+increment.com, 1
+incrementation.net, 0
+increso.it, 1
+increyble.com, 1
+incrom.com, 0
+inculate.tk, 1
+incurvy.de, 1
+ind.ie, 1
+indamail.hu, 1
+indata42.nl, 1
+indatable.com, 1
+indecente.tk, 1
+indeco.com.ec, 1
+indecomm.com, 1
+indeika.ml, 1
+indeksonline.tk, 1
+indemer.mc, 1
+indenturaswork.lt, 1
+independenceia.gov, 1
+independenceliveers.ga, 1
+independenceliveest.ga, 1
+independencerecovery.com, 1
+independent-bank.com, 1
+independent-operators.com, 1
+independent-photo.com, 1
+independentadvicefinancial.ga, 1
+independentbookshopers.ga, 1
+independentbookshopest.ga, 1
+independentfinancial.ga, 1
+independentmoneyadvice.ga, 1
+independentpartyofamerica.tk, 1
+independenttravelcats.com, 1
+independenttribune.com, 1
+independenza.tk, 1
+independesk.com, 1
+indevelopment.tk, 1
+index-education.com, 1
+index-education.net, 1
+index-games.com, 1
+indexbase.ru, 1
+indexcesmad.cz, 1
+indexhost.tk, 1
+indexmarket.ga, 1
+indexmarket.gq, 1
+indexmod.gq, 1
+indexpert.es, 1
+indexsalaire.be, 1
+india-1xbet.com, 1
+india-ennenga.ga, 1
+india-export.com.ua, 1
+indiaai.gov.in, 1
+indiada.ru, 1
+indiaexamresult.in, 1
+indiaexport.com.ua, 1
+indiaflowermall.com, 1
+indiafm.tk, 1
+indiaforums.com, 1
+indiainteriors.in, 1
+indiainvestments.wiki, 1
+indiamistress.tk, 1
+indian-elephant.com, 1
+indian-health-news.com, 1
+indianaberry.com, 0
+indianacareerconnect.com, 1
+indianaffairs.gov, 1
+indianahealth.tk, 1
+indianajail.gov, 1
+indianapolismet.org, 1
+indianapolisnews.ml, 1
+indianapolispsychologistsers.ga, 1
+indianapolispsychologistsest.ga, 1
+indianapolisrestorations.com, 1
+indianareflux.com, 1
+indianawaterdamagerepairpros.com, 1
+indianbank.in, 1
+indianbeauty.ml, 1
+indianbridalservices.com, 1
+indianbrides.cf, 1
+indiancreekvillagepdfl.gov, 1
+indianculture.gov.in, 1
+indiandramasonline.tk, 1
+indianengineer.tk, 1
+indianet.tk, 1
+indiangamingreport.com, 1
+indianhairextension.tk, 1
+indianheadcu.org, 1
+indianhelpline.in, 1
+indianhill.gov, 1
+indiankart.nl, 1
+indianlakepa.gov, 1
+indianmasala4u.tk, 1
+indianporn2.xxx, 1
+indianriver.gov, 1
+indiantechhunter.tk, 1
+indianvirginhumanhair.tk, 1
+indianwarriors.tk, 1
+indianwellsca.gov, 1
+indianwomen.cf, 1
+indiapostgdsonline.gov.in, 1
+indiatechblogger.cf, 1
+indiatourhelp.tk, 1
+indiatravel.ml, 1
+indiaviral.ga, 1
+indiavotekar.com, 1
+indiawise.co.uk, 1
+indiaworlddigital.tk, 1
+indicatifs.fr, 1
+indico.tk, 1
+indicodata.ai, 1
+indicure.com, 1
+indiecat.tk, 1
+indieethos.com, 0
+indiemovementers.ga, 1
+indiemovementest.ga, 1
+indiereview.tk, 1
+indievelopment.nl, 1
+indieweb-endpoints.cc, 1
+indieweb.rocks, 1
+indigartbeading.ca, 1
+indigartbeading.com, 1
+indigenous.gov.au, 1
+indigestiblesuppuration.tk, 1
+indignes-strasbourg.tk, 1
+indigo.pet, 1
+indigo.tk, 1
+indigobooks.gq, 1
+indigojewelers.com, 1
+indigopaints.be, 1
+indigosakura.com, 1
+indigterms.com, 1
+indihome.co.id, 1
+indika.pe, 1
+indilens.com, 1
+indimike.tk, 1
+indioca.gov, 1
+indir2017.tk, 1
+indirhadi.tk, 1
+indirimkuponumarketim.com, 1
+indironline.com, 1
+inditip.com, 1
+inditoot.com, 1
+indivicloud.me, 0
+individualobligation.com, 1
+individuals.tk, 1
+indiwebawards.tk, 1
+indiwtf.com, 1
+indiya-kino.gq, 1
+indiya-land.ru, 1
+indlish.ga, 1
+indnews.ga, 1
+indo-wiki.fr, 1
+indo4life.tk, 1
+indobo.com, 1
+indobrains.id, 1
+indochinatravel.tk, 1
+indodax.com, 1
+indoetis-surneli.ga, 1
+indoface.ga, 1
+indofountain.tk, 1
+indogenius.org, 1
+indogermantrade.de, 1
+indoglobenews.co.id, 1
+indoidnews.ga, 1
+indoittraining.com, 0
+indonesiatrip.tk, 1
+indonesiax.co.id, 1
+indoor-kletterwald.de, 1
+indoorlandmarks.com, 1
+indopress.tk, 1
+indorepack.com, 1
+indospot.ml, 1
+indospot.tk, 1
+indotravels.tk, 1
+indovinabank.com.vn, 1
+indovision.tk, 1
+indramas.tk, 1
+indramdhani.net, 0
+indranesia.tk, 1
+indraq.tk, 1
+indreams.me, 1
+indtwpmi.gov, 1
+induehorse.co.uk, 1
+indumar.com, 1
+indumentaria-arabe.tk, 1
+induoloog.nl, 1
+indusap.com, 1
+indusfastremit-us.com, 1
+indusfastremit.com, 1
+indust.me, 1
+industreiler.com.br, 1
+industriafranchini.com, 1
+industrial-remote-control.com, 1
+industrial-ventilation.eu, 1
+industrialalpinism.tk, 1
+industrialcalibration.co.uk, 1
+industrialcomputers.com, 1
+industrialcontainer.com, 1
+industrialgassprings.com, 1
+industrialprecisionmfg.com, 1
+industrilokal.com, 1
+industrydecarbonization.com, 1
+industryoutlaws.tk, 1
+industryskillsaustralia.org.au, 1
+indyandmeskincare.com.au, 1
+indybay.org, 1
+indyperio.com, 1
+indyroom.tk, 1
+indyscouts.tk, 1
+inebula.it, 1
+ineedmore.domains, 1
+ineffect.net, 1
+inefin.tk, 1
+ineight.com, 1
+inertianetworks.com, 1
+inery.io, 1
+inesfinc.es, 1
+inesnutricion.com, 1
+inessoftsec.be, 1
+inet.se, 1
+inetdesign.tk, 1
+inethost.eu, 1
+inetinfo.io, 1
+inetol.net, 1
+inetserver.eu, 1
+inetsoftware.de, 1
+inetuser.tk, 1
+inetworking.it, 1
+ineuron.ai, 1
+inevitavelbrasil.com.br, 1
+inevo.com, 1
+inevo.no, 1
+inews.bg, 1
+inewsten.com, 1
+inex.one, 0
+inexlog.fr, 1
+inexpensivecomputers.net, 1
+ineztheminiatureelephant.com, 1
+inf-fusion.ca, 1
+inf-it.com, 1
+inf0sec.nl, 1
+infalaw.com, 1
+infamousguild.tk, 1
+infans.be, 1
+infantry.org.ua, 1
+infarktniki.ru, 1
+infarmbureau.com, 1
+infcloud.com, 1
+infectedvoice.tk, 1
+infecyon.tk, 1
+infeedo.com, 1
+infelix.tk, 1
+infelko.ru, 1
+inference.biz.tr, 1
+inferencium.com, 1
+inferencium.net, 1
+inferiousbypasser.cf, 1
+infermiere.roma.it, 1
+inferse.com, 1
+infertilitycure.tk, 1
+inffin-portal.com, 1
+inffin-portal.de, 1
+infhosting.com.au, 1
+inficom.org, 1
+infidel.org, 1
+infidels.me, 1
+infidels.org, 1
+infidia.tk, 1
+infiernoalgecireno.tk, 1
+infihow.com, 1
+infinan.ru, 1
+infineon-bipolar.com, 1
+infinether.net, 1
+infinifit.store, 1
+infinipharm.com, 1
+infinite.com, 1
+infiniteautomation.com.au, 1
+infiniteid.com, 1
+infinitelightofbeing.org, 1
+infinitenews.cf, 1
+infinitenews.ml, 1
+infiniteserieslabs.com, 1
+infinitiofallentownparts.com, 1
+infinitiofaugustaparts.com, 1
+infinitioflynnwoodparts.com, 0
+infinitiofmarinparts.com, 1
+infinitipartsdeal.com, 1
+infinito.tk, 1
+infinitomarca.com, 1
+infinitoporciento.tk, 1
+infinity-computer-systems.com, 1
+infinitybas.com, 1
+infinitybc.se, 1
+infinitybooksindia.in, 1
+infinitybots.gg, 1
+infinityels.com, 1
+infinityengine.org, 1
+infinityepos.co.uk, 1
+infinityfaces.tk, 1
+infinityname.tk, 1
+infinityonce.ml, 1
+infinityready.com, 1
+infinityrecruitinggroup.com, 1
+infinityvr.net, 1
+infinityweb.com.au, 1
+infinoe.fr, 1
+infinum.com, 1
+infirmieredevie.ch, 0
+infirmiers-montpellier.fr, 1
+infla-tables.tk, 1
+inflammatory.tk, 1
+inflanev.com, 1
+inflatablehire-scotland.co.uk, 1
+inflatablesny.com, 1
+inflatamania.com, 1
+inflate-a-bubbles.co.uk, 1
+inflatiecalculator.nl, 1
+inflationstation.net, 1
+inflexa.com, 1
+inflexsys.com, 0
+infloat.de, 1
+influencemobile.services, 1
+influencestaging.services, 1
+influentsolutions.ch, 1
+influo.com, 1
+influxus.com, 0
+info-beamer.com, 1
+info-bolivia.tk, 1
+info-compusciencetech.tk, 1
+info-days.tk, 1
+info-eolien.fr, 1
+info-free.ml, 1
+info-it.tk, 1
+info-kiwi.tk, 1
+info-o-zbozi.cz, 1
+info-obzor.ga, 1
+info-obzor.ml, 1
+info-reason.cf, 1
+info-screen.me, 1
+info-sell.ml, 1
+info-sys.tk, 1
+info-tech.tk, 1
+info-thailand.ru, 1
+info-usaha.tk, 1
+info.go.th, 1
+info.gov, 1
+info2all.nl, 1
+info4camper.com, 1
+infoaboutlawyers.com, 1
+infoamin.com, 1
+infoapis.net, 1
+infobae.com, 1
+infobalkans.com, 1
+infobanglanet.tk, 1
+infobasquet.tk, 1
+infobiznes.cf, 1
+infobiznes.ga, 1
+infobiznes.tk, 1
+infoblogs.pl, 1
+infoblox.com, 0
+infobot.email, 1
+infobot.eu, 1
+infobot.nl, 1
+infobrain.net, 1
+infobrest.tk, 1
+infobusinessnews.tk, 1
+infocanada.tk, 1
+infocanicatti.tk, 1
+infocapsol.com, 1
+infocision.com, 1
+infocoin.es, 1
+infocommsociety.com, 0
+infocrypto.pl, 1
+infocus.company, 1
+infocusvr.net, 1
+infodesigners.eu, 1
+infodesk.at, 1
+infodis.com, 1
+infoduv.fr, 1
+infoeccos.com, 1
+infofamouspeople.com, 1
+infoflora.ch, 1
+infofp.tk, 1
+infogai.tk, 1
+infogamesports.tk, 1
+infogate.ga, 1
+infogram.com, 1
+infogress.tk, 1
+infogrfx.com, 1
+infogroups.ml, 1
+infogym.com, 1
+infohas.ma, 1
+infohunter.education, 1
+infoiinfo.tk, 1
+infoindia.tk, 1
+infoiptv.tk, 1
+infoislamharian.tk, 1
+infojeunes.fr, 1
+infojmp.com, 1
+infokesehatan.ga, 1
+infoland.ml, 1
+infolead.tk, 1
+infolibertaire.net, 1
+infomail-online.ml, 1
+infomalin.fr, 1
+infomarradi.it, 1
+infomatricula.pt, 1
+infomax.gr, 1
+infomeddnews.com, 1
+infomexico.tk, 1
+infomikulcice.cz, 1
+infomir.eu, 1
+infomir.store, 0
+infomoney.com.br, 1
+infonet.fr, 1
+infopaperiguatemi.com.br, 1
+infoparamigrantes.com, 1
+infopedia.tk, 1
+infopercept.com, 1
+infopreneur.blog, 1
+infoprofuse.com, 1
+infopulse.com, 1
+infopuntzorg.nl, 0
+inforabota.tk, 1
+inforata.com, 1
+inforegister.ee, 1
+inforeviews.ru, 1
+inforge.tk, 1
+inforges.es, 1
+inform.kz, 1
+informace-zbozi.cz, 1
+informaciondeciclismo.com, 1
+informacionsexual.com, 1
+informal.pk, 1
+informalflowers.com, 1
+informasidumay.gq, 1
+informassist10.fr, 1
+informat.ga, 1
+informaticapremium.com, 0
+informaticien.tk, 1
+informaticmousset.tk, 1
+informaticoalicante.tk, 1
+informaticolamancha.tk, 1
+informatiger.net, 1
+informatik-handwerk.de, 1
+informationdoor.ga, 1
+informationdoorers.ga, 1
+informationdoorest.ga, 1
+informationinhindi.tk, 1
+informationliteracy.gov, 1
+informationnetworkwebsite.com, 1
+informationntechnology.com, 1
+informationrx.org, 1
+informations-echafaudages.com, 1
+informations-reglementees-sfil.fr, 1
+informationsarchiv.net, 1
+informationsaveers.ga, 1
+informationsaveest.ga, 1
+informatique-13.com, 1
+informatiquefacile.fr, 1
+informatiquenevers.fr, 1
+informator.tk, 1
+informelles.tk, 1
+informnapalm.org, 1
+informspb.tk, 1
+inforok.tk, 1
+inforopub.tk, 1
+infortheride.com, 1
+infosactu.com, 1
+infoschool.ml, 1
+infosec-handbook.eu, 0
+infosec.exchange, 0
+infosec.md, 1
+infosec.mv, 1
+infosec.pizza, 1
+infosec.wiki, 1
+infoseccenter.ro, 1
+infosecchicago.com, 1
+infosecdecompress.com, 1
+infosecsw.ca, 1
+infosectek.io, 1
+infosectekniques.com, 1
+infosective.org, 1
+infosenior.ch, 0
+infoserp.net.pe, 1
+infoshield.sa, 1
+infosolution.biz, 1
+infosoph.org, 1
+infostor.com, 1
+infosubasta.es, 1
+infosystem.cf, 1
+infotabla.si, 1
+infotax24.com.pl, 1
+infotectsecurity.com, 1
+infoteka.cf, 1
+infotekno.co.id, 1
+infotics.es, 1
+infotune.nl, 1
+infotv.io, 1
+infotype.ga, 1
+infouspekh.ru, 1
+infovb.org, 1
+infoventas.store, 1
+infovision-france.com, 1
+infowaywebsolutions.com, 1
+infoweb.ee, 1
+infowheels.tk, 1
+infoworm.org, 1
+infra-group.eu, 1
+infra-se.com, 1
+infra-voice.hu, 1
+infra.beer, 1
+infra.land, 1
+infra.press, 1
+infraball.com, 1
+infrabeep.com, 1
+infrabeta.com, 1
+infrabind.com, 1
+infrabold.com, 1
+infrabond.com, 1
+infraboom.com, 1
+infrabox.nl, 1
+infraclass.com, 1
+infraclip.com, 1
+infracron.com, 1
+infradart.com, 1
+infradeep.com, 1
+infradio.am, 1
+infradisk.com, 1
+infradive.com, 1
+infradot.com, 1
+infradrop.com, 1
+infraedifice.com, 1
+infrafile.com, 1
+infrafind.com, 1
+infrafire.com, 1
+infraflip.com, 1
+infraflux.com, 1
+infrafuse.com, 1
+infrafusion.com, 1
+infraget.com, 1
+infralicht.nl, 0
+infralira.com, 1
+infralist.com, 1
+infraloon.com, 1
+inframake.com, 1
+inframeet.com, 1
+inframenu.com, 1
+inframetro.com, 1
+inframint.com, 1
+infraname.com, 1
+infranest.com, 1
+infranium.com, 1
+infranium.eu, 1
+infranium.info, 1
+infranium.net, 1
+infranium.org, 1
+infranotes.com, 1
+infranoto.com, 1
+infranox.com, 1
+infrapass.com, 1
+infrapedia.ch, 1
+infrapeer.com, 1
+infrapilot.com, 1
+infraping.com, 1
+infrapirtis.lt, 1
+infrapixel.com, 1
+infraplot.com, 1
+infraplushk.com, 1
+infrarank.com, 1
+infrarate.com, 1
+infrareader.com, 1
+infraredradiant.com, 1
+infras.fr, 1
+infrasend.com, 1
+infraspin.com, 1
+infrastat.com, 1
+infrastatic.com, 1
+infratank.com, 1
+infratask.com, 1
+infrathink.com, 1
+infratrip.com, 1
+infravibe.com, 1
+infravideo.com, 1
+infravoce.com, 1
+infravoice.com, 1
+infraware.com, 1
+infrazine.com, 1
+infruction.com, 1
+infstudios.nl, 1
+infuse-mn.gov, 1
+infusemedia.com, 1
+ing, 1
+ing-buero-junk.de, 1
+ing.dk, 1
+ingalabs.hu, 1
+ingatlanjogaszok.hu, 1
+ingatlanneked.hu, 1
+ingbusiness.pl, 1
+inge-deco.com, 1
+inge-r.nl, 1
+ingebroer.com, 1
+ingegnereambientale.tk, 1
+ingemmologie.com, 1
+ingenesis.com, 1
+ingeni.ink, 1
+ingenieriaclinica.org, 0
+ingenieure-website.de, 1
+ingenious-development.tk, 1
+ingenium.si, 1
+ingeniumsociety.tk, 1
+ingenius.ws, 1
+ingenuitycloudservices.com, 1
+ingerhy.com, 1
+ingermany.ml, 1
+ingersolltwpmi.gov, 1
+inges-kattehjem.dk, 1
+ingeseratlantica.es, 1
+ingestion.life, 1
+ingevorderd.nl, 1
+ingfreelancer.com, 1
+ingfss.ru, 1
+inghamcountymi.gov, 1
+ingilizceturkce.gen.tr, 1
+ingjobs.ch, 1
+inglebycakes.co.uk, 1
+inglesencanada.cf, 1
+inglesfoco.com.br, 1
+inglesideonthebaytx.gov, 1
+inglesnarede.com.br, 1
+inglessantacruz.tk, 1
+inglestotal.tk, 1
+ingo-schlueter.de, 1
+ingolfsskali.is, 1
+ingoschlueter.de, 1
+ingrain-ed.com, 1
+ingrammicrocloud.com, 1
+ingresatupedido.com, 1
+ingresosautomaticos.tk, 1
+ingresospasivosyafiliados.online, 1
+ingridbai.me, 1
+ingridvanderveen.com, 1
+ingticos.com, 1
+ingushetia.tk, 1
+ingwaz.org, 1
+inhabitgroup.com, 1
+inhale.it, 1
+inhaltsangabe.de, 1
+inhere.cf, 1
+inherfeet.ml, 1
+inhoff.eu, 1
+inhomedesign.ro, 1
+inhouseents.co.uk, 1
+inhousehr.nl, 1
+inia.ai, 1
+iniiter.com, 1
+iniitian.com, 1
+inilabs.xyz, 1
+inilahgorontalo.com, 1
+inilahkalsel.com, 1
+inilahkendari.com, 1
+inilahtv.com, 1
+inima.org, 1
+inimicalpart.com, 1
+inin.gq, 1
+init.blog, 1
+init.ink, 1
+init3.cn, 1
+initblogger.com, 1
+initiative20x20.org, 1
+initq.net, 1
+initramfs.io, 1
+initrandom.com, 1
+inizio.pe, 1
+injerry.com, 1
+injigo.com, 0
+injuryactive.com, 1
+injurylawyers.com, 1
+injurylawyersphoenixaz.com, 1
+injust.cf, 1
+injust.ga, 1
+injust.gq, 1
+injust.me, 1
+injust.ml, 1
+injust.tk, 1
+inkandtonerni.co.uk, 1
+inkbeau.com, 1
+inkblogdb.com, 1
+inkblot.art, 1
+inkbunny.net, 1
+inkburners.ga, 1
+inkburnest.ga, 1
+inkdawgz.com, 1
+inkdrop.co.za, 0
+inkedin.com, 1
+inkeliz.com, 1
+inkerotic.com, 1
+inkerz.com.br, 1
+inkforall.com, 1
+inkhor.se, 1
+inkhub.com.au, 1
+inkjets-inks.tk, 1
+inkliners.tk, 1
+inkognito.cf, 1
+inkognito.ga, 1
+inkognito.gq, 1
+inkognito.ml, 1
+inkomensafhankelijkehuurverhoging.nl, 1
+inkopers.org, 1
+inkor.tk, 1
+inkpay.com, 1
+inksay.com, 1
+inkteeshop.com, 1
+inkthedealseminars.com, 1
+inkthemes.com, 1
+inkthreadable.co.uk, 1
+inkubatori.tk, 1
+inkurz.de, 1
+inkvisual.tk, 1
+inlabo.de, 1
+inlights.io, 1
+inlimiters.ga, 1
+inlimitest.ga, 1
+inline-online.tk, 1
+inline-sport.cz, 1
+inlinea.ch, 1
+inlineskates.tk, 1
+inlink.ee, 1
+inlink.ltd, 1
+inlocon.de, 1
+inlt.com, 1
+inlumi.com, 1
+inmaaa.cf, 1
+inmamaskitchen.com, 1
+inmaps.xyz, 1
+inmatefinancial.com, 1
+inmateintake.com, 1
+inmedic.pl, 1
+inmemoria.tk, 1
+inmemorium.tk, 1
+inmemoryofdaniella.com, 1
+inmigracion-florida.com, 1
+inmobanking.com.gt, 1
+inmobiliaria-sanpablo.cl, 1
+inmobiliariamarino.com, 0
+inmobiliariaredimido.com, 1
+inmobillium.fr, 1
+inmonteblandinio.be, 1
+inmoodforsex.com, 1
+inmoterrenas.com, 1
+inmotionmktg.com, 1
+inmoveskates.com, 1
+inmucrom.com, 1
+inmucrom.es, 1
+inmuseworld.tk, 1
+inmusicfestival.com, 1
+inmyhead.tk, 1
+innainnaki.net, 1
+innatocol.com, 1
+inncoaching.nl, 1
+inner-vision.tk, 1
+innerdarkside.tk, 1
+innerfence.com, 1
+innerlife.company, 1
+innerlifeskills.com, 1
+innerlightcrystals.co.uk, 1
+innermarkerranch.com, 1
+innermindpsychology.com.au, 1
+innermostparts.org, 1
+innerpeace.tk, 1
+innersafe.com, 1
+innerspace.ae, 1
+innertrip.co.kr, 1
+innewsweekly.com, 1
+innico.cf, 1
+inniger.be, 1
+innio.com, 1
+innisfildental.com, 1
+inno.ch, 0
+inno2grid.com, 1
+innocence.org.cn, 0
+innocenceseekers.net, 1
+innogames.com, 1
+innogames.de, 1
+innohb.com, 1
+innolabfribourg.ch, 1
+innoloop.com, 0
+innopharmaeducation.com, 1
+innopharmatechnology.com, 1
+innosysdelft.com, 1
+innot.net, 1
+innotec.security, 1
+innoteil.com, 1
+innoteknology.com, 1
+innov.in, 1
+innova-online.at, 1
+innova-scape.info, 1
+innovacoachgroup.com, 1
+innovae.eu, 0
+innovairservices.ch, 0
+innovamag.com, 1
+innovaptor.at, 1
+innovaptor.com, 1
+innovasistemas.com, 1
+innovate-indonesia.com, 1
+innovateohio.gov, 1
+innovateohioplatform.gov, 1
+innovation-workshop.ro, 1
+innovation.gov, 1
+innovationbranding.ga, 1
+innovationbrandingers.ga, 1
+innovationbrandingest.ga, 1
+innovationcu.ca, 1
+innovationrealtygrp.com, 1
+innovative-trading.tk, 1
+innovativeactors.com, 1
+innovativebuildingsolutions.co.za, 1
+innovativefoodservices.com, 1
+innovativeglass.co.nz, 1
+innovativeideaz.org, 1
+innovativetrials.com, 1
+innovativeunderwriters.com, 1
+innoventity.in, 1
+innover.se, 1
+innoviahome.com, 0
+innovion.it, 1
+innovomuebles.com, 1
+innovum.cz, 1
+innowire.tk, 1
+innsaimonitor.com, 1
+innsalzachsingles.de, 1
+innvisiondesign.net, 1
+innwan.com, 1
+inoa8.com, 1
+inoapps.com, 1
+inocelda.com, 1
+inoio.de, 1
+inomics.com, 1
+inondation.ch, 0
+inorbit.io, 1
+inorden.se, 1
+inoreader.com, 1
+inorigo.com, 1
+inorigo.net, 1
+inoruhana.com, 1
+inosek.com, 1
+inostudio.com, 1
+inostudio.ru, 0
+inotecsoftware.com, 1
+inourtime.cn, 1
+inovalon.com, 1
+inovalon.global, 1
+inovasirumahku.tk, 1
+inovatec.ca, 1
+inovatec.com, 1
+inovatecapi.com, 1
+inovatecsystems.com, 1
+inovigo.ro, 1
+inovitec.ro, 1
+inox-deurtrekkers.be, 1
+inoxandco.com, 1
+inparkmagazine.com, 1
+inpas.co.uk, 1
+inpasa.com.br, 1
+inpdp.tk, 1
+inpector.de, 1
+inpresso.pl, 1
+inprode.com, 1
+inprosy.com, 1
+inpulsetech.io, 1
+input.sh, 1
+inputdriven.com, 1
+inputmodes.com, 1
+inqorp.ca, 1
+inquant.de, 1
+inquisicion.tk, 1
+inquisition.is, 1
+inrage.fr, 0
+inrilan.tk, 1
+ins-jpn.com, 1
+ins-kreativ.de, 1
+ins.to, 0
+ins1gn1a.com, 1
+insame.space, 1
+insanb.com, 1
+insancendekiams.sch.id, 1
+insane.zone, 1
+insaneair.co.uk, 1
+insanedevs.com, 1
+insanepyro.tk, 1
+insanity.zone, 1
+insblauehinein.nl, 1
+inschrijfformulier.com, 1
+inscom.events, 1
+inscribe.ai, 1
+inscribeinternal.com, 1
+inscribeusercontent.com, 1
+inscripcionessena.com, 1
+inscriu.ro, 1
+insecret.ua, 1
+insecure.org.je, 1
+insegne.roma.it, 1
+insemed.de, 1
+inserior.com, 1
+inserta.tk, 1
+insertcoins.net, 1
+insertcredit.com, 1
+insertface.com, 1
+inshapenutrition.com.br, 1
+inshared.nl, 1
+inshibackdrop.com, 1
+inshop.hu, 1
+insiberia.tk, 1
+inside-m2m.de, 1
+inside-the-outside.com, 1
+insideastronomy.tk, 1
+insideaudit.com, 1
+insidebeach.com.br, 1
+insidebedroom.com, 0
+insideevs.com, 1
+insideevs.com.ar, 1
+insideevs.com.tr, 1
+insideevs.de, 1
+insideevs.fr, 1
+insideevs.ru, 1
+insidegnss.com, 1
+insidehook.com, 1
+insideofgaming.de, 1
+insideperu.tk, 1
+insideprisonbreak.tk, 1
+insider-invest.tk, 1
+insiderateers.ga, 1
+insiderateest.ga, 1
+insidergazette.com, 1
+insiderpie.de, 1
+insiders.ga, 1
+insiderx.com, 1
+insidethefirewall.tk, 1
+insidetheigloo.com, 1
+insideview.com, 1
+insightfulpsychics.com, 1
+insighti.com, 1
+insights.plus, 1
+insightsoftware.com, 1
+insignificant.space, 1
+insindacabili.it, 1
+insinuator.net, 1
+insistel.com, 1
+insolent.ch, 1
+insolved.com, 1
+insomnia-isterica.tk, 1
+insomniac.pl, 1
+insomniac.ro, 1
+insomniachelp.com, 1
+insono.no, 1
+insouciant.org, 1
+inspektre.com, 0
+inspektre.io, 1
+inspirascholen.be, 1
+inspiration.gr, 1
+inspirationalstories.com, 1
+inspirationalstories.tk, 1
+inspire-av.com, 1
+inspire2rise.com, 1
+inspired-builds.co.uk, 1
+inspired-creations.co.za, 1
+inspired-lua.org, 1
+inspiredbyannefrank.com, 1
+inspiredelements.co.uk, 1
+inspiredentalwellness.com, 1
+inspiredhousewife.com, 1
+inspiredlife.fun, 1
+inspireplanner.com, 1
+inspiresurgery.com, 1
+inspirez-vous-sophro.com, 1
+inspiringtips.com, 1
+inspirithealth.ca, 1
+insportline.bg, 1
+insportline.cz, 1
+insportline.de, 1
+insportline.eu, 1
+insportline.hu, 1
+insportline.lt, 1
+insportline.si, 1
+insportline.sk, 1
+inspreeveryone.ga, 1
+insrt.uk, 0
+insside.net, 1
+insst.es, 1
+insta-viewer.ml, 1
+instaapk.net, 1
+instacart.careers, 1
+instacart.com, 1
+instachina.ru, 1
+instacredito.pt, 1
+instadapp.io, 1
+instafind.nl, 1
+instaforex.com.ng, 1
+instagc.com, 1
+instagrabber.ru, 1
+instagram-atom.appspot.com, 1
+instagram.com, 1
+instagramdeposu.com, 1
+instagrammernews.com, 1
+instagramtweet.com, 1
+instagraph.cn, 1
+instahub.net, 1
+instalamosyreformamos.es, 1
+installation-hotte-cuisine.com, 1
+installation-of-xenon.tk, 1
+installer-borne-electrique.fr, 1
+installgentoo.net, 1
+instances.social, 1
+instanse.nl, 1
+instant-clearance-sale.co.uk, 1
+instant-hack.com, 1
+instant-hack.io, 1
+instant-hack.to, 1
+instant-thinking.de, 0
+instant.io, 1
+instanteindeleble.com, 1
+instantessay.tk, 1
+instantfinishers.ga, 1
+instantfinishest.ga, 1
+instantinsightinc.com, 1
+instantintegrationers.ga, 1
+instantintegrationest.ga, 1
+instantkhabar.com, 1
+instantluxe.com, 1
+instantluxe.de, 1
+instantmoron.com, 1
+instantpage.tk, 1
+instantprint.co.uk, 1
+instantreplay.tk, 1
+instantsiteaudit.com, 1
+instava.cz, 1
+instawi.com, 1
+instawierszyki.pl, 1
+instead.com.au, 1
+insteagle.com, 1
+instelikes.com.br, 1
+instem.jp, 1
+instics.com, 1
+instinctive-archery.de, 0
+institutadios.com, 0
+institutchroma.fr, 1
+instituto18denoviembre.tk, 1
+institutoclaro.org.br, 1
+institutoconsulplan.org.br, 1
+institutodeoposiciones.com, 1
+institutodyn.com, 1
+institutoessencia.com, 1
+institutofacial.com, 1
+institutogiuseppe.com, 1
+institutogiuseppe.com.ar, 1
+institutoliderar.edu.co, 1
+institutomaritimocolombiano.com, 1
+institutovinton.com, 1
+institutulcultural.ro, 1
+instocktho.cc, 1
+instructorcarders.ga, 1
+instrukci.tk, 1
+instrumart.ru, 0
+instrumentalevening.tk, 1
+instrumentalverein-tueddern.de, 1
+instrumentodepaz.com, 1
+instylecollection.tk, 1
+instytut.tk, 1
+instytutwellsense.pl, 1
+insulationchicagoil.com, 1
+insulations.ga, 1
+insulectro.com, 1
+insult.es, 1
+insultband.tk, 1
+insultnik.ru, 1
+insultniki.ru, 1
+insurance, 1
+insurance-companies.tk, 1
+insurance24.online, 1
+insurancebloggingers.ga, 1
+insurancebloggingest.ga, 1
+insurancebonzer.ga, 1
+insurancebusinessmag.com, 1
+insuranceclassic.ga, 1
+insurancecompanylive.tk, 1
+insurancehotline.com, 1
+insuranceleep.ga, 1
+insurancenews.gq, 1
+insurancequotes.tk, 1
+insurancesaman.tk, 1
+insurancesquaders.ga, 1
+insurancesquadest.ga, 1
+insuranceweb.ga, 1
+insurebot.com.au, 1
+insurebuysers.ga, 1
+insurebuysest.ga, 1
+insured-event.tk, 1
+insuredcloud.ga, 1
+insuredcreativity.com, 1
+insuredonline.in, 1
+insuremycar.ru, 1
+insureon.com, 1
+insurethebox.tk, 1
+insurgent.tk, 1
+insurgo.cloud, 1
+insurrectosdelbosque.tk, 1
+insyde.cloud, 1
+insyde.com, 1
+insydesw.com, 1
+inszu.com, 0
+int-elektro.eu, 1
+int-ext-design.fr, 1
+int-refer.nhs.uk, 1
+int-web.site, 1
+int21h.jp, 1
+int64software.com, 1
+intab.io, 1
+intafe.co.jp, 1
+intajouna.com, 1
+intakesync.com, 1
+intakings.tk, 1
+intal.info, 1
+intalink.org.uk, 1
+intarweb.ca, 1
+intasky.cz, 1
+intasky.sk, 1
+intcn.online, 1
+intcn.ru, 1
+inte.ru, 1
+inteapuestas.com, 1
+intechdaybcp.com, 1
+inteforge.com, 1
+integ.jp, 1
+integra-belgium.be, 1
+integrafin.co.uk, 1
+integrahealth.com.mx, 1
+integral-calculator.com, 1
+integral-calculator.ru, 1
+integralblue.com, 1
+integralcare.org, 1
+integralinmobiliario.com, 1
+integralkk.com, 1
+integralrechner.de, 1
+integralschool.ru, 1
+integrammes.fr, 1
+integratedbms.co.za, 1
+integratedmedicalonline.com, 1
+integratedphysio.com.au, 1
+integratedtec.net, 1
+integration-mouvements-oculaires.com, 1
+integrativepsychiatry.co.il, 1
+integrator.io, 1
+integreatedmedia.com, 1
+integrisaviation.com, 1
+integritet.com.se, 1
+integritree.ca, 1
+integrity.gov, 1
+integritydetail.com, 1
+integrityfirstloans.com, 1
+integrityglobal.com, 1
+integrityhomecontractors.com, 1
+integritykrakow.pl, 1
+integrityline.com, 1
+integrityokc.com, 1
+integrityoklahoma.com, 1
+integromat.com, 1
+integroof.com, 1
+integsystem.com, 1
+intel.gov, 1
+intel.im, 1
+intel69.cf, 1
+intelalumni.org, 1
+intelcapital.com, 1
+intelekta.es, 1
+intelhost.com.br, 1
+intelics.com.au, 1
+intelius.cf, 1
+intellar.com, 1
+intellect-ls.com, 1
+intellecta.is, 1
+intellective.us, 1
+intellectmoney.ru, 1
+intelledox.com, 1
+intellego.de, 1
+intellek.io, 1
+intellektuaalomand.ee, 1
+intelliance.eu, 1
+intellicore.cl, 1
+intellicus.com, 1
+intelligence-explosion.com, 1
+intelligenceia.fr, 1
+intelligenetics.com, 0
+intelligentnegotiator.com, 1
+intelligentrics.com, 1
+intelligentwaves.com, 1
+intelligista.tk, 1
+intelligizedigital.com, 1
+intelligroup360.com, 1
+intellihr.io, 1
+intellimatica.se, 1
+intellimax.ir, 1
+intellinetixvibration.com, 1
+intellio.pl, 1
+intellior.ag, 1
+intellitonic.com, 1
+intellium.io, 0
+intelly.kr, 1
+intelly.nl, 1
+intelly365.nl, 1
+intelrealsense.com, 1
+inteltechniques.com, 1
+intelx.io, 1
+intencje.pl, 1
+intenirphoto.tk, 1
+intensify.pictures, 1
+intensiveintervention.org, 1
+intensivpflege-sachsen.de, 1
+intentin.com, 1
+inter-culinarium.com, 1
+inter-design.sk, 1
+inter-news.tk, 1
+interabbit.co, 1
+interabbit.com, 1
+interacademybrazil.com.br, 1
+interacthindu.tk, 1
+interactiveanddesign.com, 1
+interactivebrokersreview.co, 1
+interactivedigesters.ga, 1
+interactivedigestest.ga, 1
+interactiveliterature.org, 1
+interactivetheatrecollective.tk, 1
+interad.com, 1
+interaffairs.com, 1
+interagencystandingcommittee.org, 1
+interaktiva.fi, 1
+interallied.org, 1
+interbanco.com.gt, 1
+interbank.pe, 1
+interbase.org, 1
+interbec.com, 1
+interblink.tk, 1
+interc0der.tk, 1
+intercariforef.org, 1
+intercars.bg, 1
+interceptorproject.hr, 1
+interchangehq.com, 1
+interchanges.io, 1
+intercol.com.br, 1
+intercom-attachments-1.com, 1
+intercom-attachments-5.com, 1
+intercom-attachments-6.com, 1
+intercom-attachments-9.com, 1
+intercom-attachments.com, 1
+intercom-attachments.eu, 1
+intercom-language.training, 1
+intercom-mail.com, 1
+intercom-mail.eu, 1
+intercom-sheets.com, 1
+intercom.com, 1
+intercom.io, 1
+intercomcdn.com, 1
+intercomcdn.eu, 1
+intercomp-cbu.ru, 1
+intercomp.ru, 1
+intercomunicador.org, 1
+intercomunicadores.org, 1
+interconlarp.org, 1
+intercop.es, 1
+intercrosse.tk, 1
+interday.net, 1
+interdc.com, 1
+interdc.nl, 1
+interdescargas.tk, 1
+interdez.com.ua, 1
+interesnyimir.com, 1
+interessengemeinschaft-pregelstrasse.tk, 1
+interesting.ac.cn, 1
+interestingfacts.gq, 1
+interface-systems.de, 1
+interfloraservices.co.uk, 1
+interflores.com.br, 1
+interfug.de, 1
+intergenx.co.uk, 1
+intergenx.com, 1
+intergenx.org, 1
+intergenx.org.uk, 1
+intergermania.com, 1
+intergraphix.com.ar, 1
+interguard.net, 1
+interguardian.de, 1
+interhealthcare.com.au, 1
+interiery-waters.cz, 1
+interieursud.fr, 1
+interimnorge.no, 1
+interior-design-colleges.com, 1
+interior16.cf, 1
+interiorai.com, 1
+interiorcarpentryqatar.com, 1
+interiorcheapo.com, 1
+interiorcolors.tk, 1
+interiorsnmore.com, 1
+interisaudit.com, 1
+interitus.tk, 1
+interlapse.tk, 1
+interleasing.co.nz, 1
+interleasing.com.au, 1
+interlecwa.com, 0
+interlijn.nl, 1
+interlingvo.biz, 1
+interlink-jp.com, 1
+interlinked.us, 1
+interlogos.bg, 1
+intermac.nl, 1
+intermaquinas.es, 1
+intermarche.pt, 1
+intermezzo-emmerich.de, 1
+intermezzo-emmerich.nl, 1
+interminsk.tk, 1
+intern.tax, 1
+internacionalista.tk, 1
+internaldisfunction.tk, 1
+internalfb.com, 1
+internalframebackpack.tk, 1
+internalkmc.com, 1
+internally.ga, 1
+internalportal.net, 1
+international-books.org, 1
+international-business-world.com, 1
+international-friends.net, 1
+international-genealogy-services.com, 1
+international.cn.eu.org, 1
+international.expert, 1
+internationalairlinestickets.com, 1
+internationalbussines.tk, 1
+internationaldelight.com, 1
+internationaldesigncomp.com, 1
+internationalepolitik.de, 1
+internationalfashionjobs.com, 1
+internationalflightstickets.com, 1
+internationalfm.tk, 1
+internationalfrom.com, 1
+internationalgse.com, 1
+internationaljoustingleague.tk, 1
+internationalrelationsedu.org, 1
+internationalrugsdallas.com, 1
+internationalschool.it, 1
+internationaltalento.it, 1
+internationaltercumeburosu.com.tr, 1
+internationaltranslating.com, 1
+internationalweekly.tk, 1
+internect.co.za, 1
+internet-aukcion.info, 1
+internet-drive.tk, 1
+internet-gazeta.ga, 1
+internet-hypothekenbank.de, 1
+internet-israel.com, 1
+internet-tv4u.tk, 1
+internet.org, 1
+internet42.tk, 1
+internet4all.gov, 1
+internetauction.tk, 1
+internetbank.swedbank.se, 1
+internetbloger.tk, 1
+internetbugbounty.com, 1
+internetbugbounty.org, 1
+internetbusiness-howto.com, 1
+internetcom.jp, 1
+internetdagarna.se, 1
+internetface.tk, 1
+internetfonden.se, 1
+internetforall.gov, 1
+internethediyesi.com, 1
+internethypothekenbank.de, 1
+internetinhetbuitengebied.nl, 1
+internetional.nl, 1
+internetk.tk, 1
+internetkunskap.se, 1
+internetline.tk, 1
+internetmagaz.tk, 1
+internetmarketingprofitscenter.com, 1
+internetmarkets.net, 1
+internetmedia.si, 1
+internetmineers.ga, 1
+internetmineest.ga, 1
+internetmuseum.se, 1
+internetnz.nz, 1
+internetofdon.gs, 1
+internetoffensive.fail, 1
+internetofinsecurethings.com, 1
+internetoskol.tk, 1
+internetovehazardnihry.cz, 1
+internetowykantor.pl, 1
+internetpasoapaso.com, 1
+internetpoem.com, 1
+internetpro.me, 1
+internetprofitspro.com, 1
+internetslapfights.com, 1
+internetstaff.com, 1
+internetstatistik.se, 1
+internetstiftelsen.se, 1
+internetstones.com, 1
+internetsubsidie.tk, 1
+internetthreatcenter.com, 1
+internetthreatscenter.com, 1
+internettoday.ga, 1
+internettradie.com.au, 0
+internetwealthresource.com, 1
+internetzaim.tk, 1
+internetzentrale.net, 1
+internews24.com, 1
+interparcel.com, 1
+interphoto.by, 1
+interplex.com, 1
+interpol.gov, 1
+interpretacjawynikowbadan.info.pl, 1
+interprete.tk, 1
+intersectionconsultancy.co.uk, 1
+interseguro.pe, 1
+interseller.io, 1
+intersexualite.tk, 1
+intersitios.com, 1
+interslang.tk, 1
+intersolute.de, 1
+interspar.at, 1
+intersportks.com, 1
+interspot.nl, 1
+interssl.com, 1
+interstateremovalists.sydney, 1
+intersun.es, 1
+intersun.fr, 1
+intersun.pt, 1
+intersys.uy, 1
+interterranfed.org, 1
+intertime.services, 1
+intertrans.tk, 1
+interval-training-timer.ru, 1
+intervalzero.com, 1
+intervention.io, 1
+interverv.com, 1
+interview-suite.com, 0
+interview-test-taker.com, 1
+interviewme.pl, 1
+interviewpipeline.co.uk, 1
+interviewstarsers.ga, 1
+interviewstarsest.ga, 1
+intervista-rh.fr, 1
+interways.de, 1
+interwebz-cheats.com, 1
+interwebz.cloud, 1
+interwebz.nz, 1
+interwerk.de, 1
+intesis.com, 0
+intestclub.tk, 1
+inthechair.com, 1
+inthechileanwoods.tk, 1
+inthepicture.com, 1
+inthevip.com, 1
+inthouse.cloud, 1
+intifx.com, 1
+intigriti.com, 0
+intihalprogrami.com, 1
+intim-24.tk, 1
+intim-ru.tk, 1
+intimastoreatacado.com.br, 1
+intimatecollision.com, 1
+intimidad.tk, 1
+intimznakomstvo.tk, 1
+intmissioncenter.org, 0
+into-the-mountain.com, 1
+intomsk.tk, 1
+inton.biz, 1
+intoparking.fi, 1
+intor.fi, 1
+intosec.nl, 1
+intotraffic.nl, 1
+intouchgames.co.uk, 1
+intouchtablets.com, 1
+intoxicate.tk, 1
+intpb.com.au, 0
+intpforum.com, 1
+intr0.cf, 1
+intr0.com, 1
+intr0.tk, 1
+intracdf.net, 1
+intracellulartherapies.com, 1
+intrack.net.au, 1
+intracom.com, 0
+intradayseasonals.com, 1
+intrador.com, 1
+intrafi.com, 1
+intralan.nl, 1
+intranet.dvag, 1
+intranetcity.ch, 1
+intranetcrowd.com, 1
+intraobes.com, 1
+intraxia.com, 1
+intrdate.us, 1
+intrepidmedia.tk, 1
+intrepy.com, 1
+intrigue3d.com, 1
+intrixgroup.com, 1
+intro.management, 1
+intron.pw, 1
+intropickup.ru, 1
+intropika.tk, 1
+intrstd.in, 1
+intrum-credit-information-ws.ch, 1
+intstyle.com.ua, 1
+intsys.fi, 1
+intux.be, 0
+intvonline.com, 1
+intxt.net, 1
+inu.nl, 1
+inuevostiempos.es, 1
+inumcoeli.com.br, 1
+inusasha.de, 1
+inuyasha-petition.tk, 1
+invadecafe.tk, 1
+invaded.ga, 1
+invadelabs.com, 1
+invalida.ru, 1
+invantive-apps-for-dynamics-crm.com, 1
+invantive-apps-for-magento.com, 1
+invantive-apps-for-nmbrs.com, 1
+invantive-apps-for-salesforce.com, 1
+invantive-apps-for-stackoverflow.com, 1
+invantive-apps-voor-exact-online.nl, 1
+invantive-apps-voor-loket.nl, 1
+invantive-apps-voor-xml-auditfiles.nl, 1
+invantive.be, 1
+invantive.cloud, 1
+invantive.co.uk, 1
+invantive.com, 1
+invantive.de, 1
+invantive.es, 1
+invantive.eu, 1
+invantive.net, 1
+invantive.nl, 1
+invantive.org, 1
+invasion.com, 1
+invasivespeciesinfo.gov, 1
+invata-ma.ro, 1
+invenio.software, 1
+inventarioti.serveftp.net, 1
+inventati.org, 1
+inventify.com, 1
+inventionjudgeers.ga, 1
+inventionjudgeest.ga, 1
+inventions-home.tk, 1
+inventionsteps.com.au, 1
+inventix.nl, 1
+invento.tk, 1
+inventortesters.ga, 1
+inventortestest.ga, 1
+inventorybase.co.uk, 1
+inventorybase.com, 1
+inventoryimages.co.uk, 1
+inventorylab.com, 1
+inventos.tk, 1
+inventoseinventores.com, 1
+inventum.cloud, 1
+inveny.fr, 1
+inveris.de, 1
+inverness.gov, 1
+inversegravity.net, 1
+inverselink-user-content.com, 1
+inverselink.com, 1
+inversion.travel, 1
+inversionesgalindo.com, 1
+invertiaweb.com, 1
+invertir.gov, 1
+invespex.com, 1
+invest-stroj.tk, 1
+invest.gov, 1
+investa.ph, 1
+investactiv.tk, 1
+investarholding.nl, 1
+investasiku.tk, 1
+investasimudah.tk, 1
+investasipasti.tk, 1
+investbeneficios.com.br, 1
+investcorp.com, 1
+investelogo.com.br, 1
+investeringsgids.be, 1
+investgold.ml, 1
+investgold.tk, 1
+investgroop.ml, 1
+investia.ca, 1
+investigace.cz, 1
+investigatemalware.com, 1
+investigatingmalware.com, 1
+investigations-nbi.com, 1
+investigatore.it, 1
+investigatore.milano.it, 1
+investigatore.roma.it, 1
+investigatore.torino.it, 1
+investigazione.milano.it, 1
+investigazione.roma.it, 1
+investinamerica.gov, 1
+investinestonia.com, 0
+investingdiary.cn, 1
+investinginamerica.gov, 1
+investingnews.com, 1
+investingoal.com, 1
+investingoutlook.co, 1
+investingtrader.net, 1
+investintech.com, 1
+investion.cf, 1
+investir.ch, 0
+investirdanslancien.fr, 1
+investire.biz, 0
+investirenisrael.fr, 1
+investirfazbem.com.br, 1
+investirsolidaire.fr, 1
+investisiya.az, 1
+investisseur-nomade.fr, 1
+investisseur-or-matieres.com, 1
+investlatam.com, 1
+investment-adh.com, 1
+investment.com, 1
+investmentrankingsers.ga, 1
+investmentrankingsest.ga, 1
+investmonitor.tk, 1
+investnext.com, 1
+investnorthernontario.com, 1
+investonline.cf, 1
+investor-academy.jp, 1
+investor.com.tr, 1
+investor.gov, 1
+investorcom.com, 1
+investoren-beteiligung.de, 1
+investorforms.com, 1
+investorloanshub.com, 1
+investorplace.com, 1
+investorrightsnetwork.com, 1
+investors.pl, 1
+investpay.ru, 1
+investpsp.ca, 1
+investpsp.com, 1
+investresolve.com, 1
+investservis.eu, 1
+inviaworld.tk, 1
+invicta.fr, 1
+invicti.com, 1
+invictuscapital.com, 1
+invictuscustodia.com, 1
+invidious.rocks, 1
+invidis.de, 1
+invincia.com, 1
+invinoaustria.cz, 1
+invisia.com.br, 1
+invisible-college.com, 1
+invisible.io, 1
+invisibledrain.com, 1
+invisiblehat.ventures, 1
+invisiblejiujitsu.co.uk, 1
+invisibles.ch, 0
+invisiblesolutions.com, 1
+invisiblewindows.ca, 1
+invisionary.tech, 1
+invisionary.tk, 1
+invisionretail.nl, 1
+invisitone.com, 1
+invitation-factory.tk, 1
+invitationtrackerers.ga, 1
+invitationtrackerest.ga, 1
+invitebiz.tk, 1
+invitepeople.com, 1
+invitescafe.com, 1
+invitia.net, 1
+invito.tk, 1
+invoiced.com, 1
+invoicely.com, 1
+invokingspirits.tk, 1
+involic.com, 1
+involve.asia, 1
+invuite.com, 1
+invuite.com.au, 1
+inwebo.net, 1
+inwepo.co, 1
+inwit.tk, 1
+inwonderofit.com, 1
+inycia.com, 1
+inyo.gov, 1
+inyourowntime.zone, 1
+inyr.hu, 0
+inzdr.com, 1
+inzeitinteractive.tk, 1
+inzelabs.com, 1
+inzeni.pl, 1
+inzernettechnologies.com, 1
+inzestfreunde.de, 1
+inzichtmeditatie.nl, 1
+inzidenz.eu, 1
+inzite.com, 1
+io.kg, 1
+io.nl.eu.org, 1
+io88.win, 1
+ioactive.com, 1
+ioanamateas.ro, 1
+ioanavisan.tk, 1
+iobint.com, 1
+iocbc.com, 1
+iochen.com, 1
+iocorp.jp, 1
+iocp.org, 0
+ioctl.cc, 1
+iocurrents.com, 0
+iodb.ru, 1
+iodu.re, 1
+ioga.tk, 1
+iogm-official.id, 1
+iograficathemes.com, 1
+iolabs.io, 1
+ioliver.co.uk, 1
+iololi.com, 1
+iolpodcast.com, 1
+iomedia.ch, 0
+iompost.com, 1
+iomstamps.com, 1
+ionc.ca, 1
+ioncubedecode.xyz, 1
+iondrey.cf, 1
+iondrey.fr, 1
+iondrey.ga, 1
+iondrey.gq, 1
+iondrey.ml, 1
+iondrey.tk, 1
+ione.net.nz, 1
+iongroup.com, 1
+ionhowto.com, 1
+ionicframework.com, 1
+ionicshop.xyz, 1
+ionize.cloud, 1
+ionlabs.kr, 1
+ionline.ml, 1
+ionovia.de, 1
+ionspin.com, 0
+ionstudio.pe, 1
+ionutnica.ro, 1
+ionx.co.uk, 1
+iop.intuit.com, 1
+iopex.com, 1
+iopool.us, 1
+iorgroup.org, 1
+ioriogioielli.com, 1
+ios11018.com, 1
+iosartstudios.gr, 1
+iosco.org, 1
+iosecurity.co.za, 1
+iosgeekblog.com, 1
+iosjailbreakiphone.com, 0
+iosme.ga, 1
+iosolutions.cl, 1
+iosprivacy.com, 1
+iossearch.tk, 1
+iostream.by, 1
+iosxr.de, 1
+iot-alliances.com, 1
+iotac.xyz, 1
+iotanodes.org, 1
+iotbusinessforum.com.br, 1
+iotekha.tv, 1
+iotfen.com, 1
+iotjenik.eu, 1
+iotmu.com, 1
+iotportal.tk, 1
+iotrasloco.it, 1
+iotsms.io, 1
+ioville.com, 1
+iovo.consulting, 1
+iowa80.com, 1
+iowacolonytx.gov, 1
+iowacorncountry.com, 1
+iowadol.gov, 1
+iowaintex.gov, 1
+iowamissingpersons.gov, 1
+iowaneedsanewkim.com, 1
+iowarawmilk.net, 1
+iowaschoolofbeauty.com, 1
+iowasmokefreeair.gov, 1
+iowastem.gov, 1
+iowaworks.gov, 1
+iowaworksforveterans.gov, 1
+iowawx.com, 1
+iowxy.com, 1
+iox.is, 1
+ioxio-dataspace.com, 1
+ioxio-showroom.com, 1
+ip-addr.es, 1
+ip-audio.org, 1
+ip-cam-pro-cz.com, 1
+ip-generation.de, 1
+ip-hahn.de, 0
+ip-kameri.com, 1
+ip-life.net, 1
+ip-tanz.com, 1
+ip.dog, 1
+ip.gt, 1
+ip.or.at, 1
+ip.sb, 1
+ip3.world, 1
+ip3office.com, 0
+ip40.com, 1
+ip4unlocked.tk, 1
+ip6.li, 1
+ipaddress.my, 1
+ipaddressreputation.com, 1
+ipadizate.com, 1
+ipadizate.es, 1
+ipadkaitori.jp, 0
+ipadr.is, 1
+ipal.im, 1
+ipal.name, 1
+ipal.tel, 1
+ipanchev.com, 1
+iparenda.tk, 1
+iparkki.com, 1
+ipcc-wg3.gov, 1
+ipcim.com, 1
+ipclabs.tk, 1
+ipcmali.ml, 1
+ipcom.com.br, 0
+ipconsulting.se, 1
+ipcontolsite.ga, 1
+ipcontolsite.tk, 1
+ipcstore.com, 1
+ipdental.tk, 1
+ipdfreedom.me, 1
+ipdgroup.com.au, 1
+ipdistrimart.com, 1
+ipemcomodoro.com.ar, 1
+iperconnessi.it, 1
+iperon.ru, 1
+ipetecperu.org, 1
+ipetitions.by, 1
+ipfire.org, 1
+ipfirebox.de, 1
+ipfixcalculator.com, 1
+ipfixcollector.com, 1
+ipfixifies.com, 1
+ipfixify.com, 1
+ipfixinator.com, 1
+ipfixreplicator.com, 1
+ipflu.com, 1
+ipfs.io, 1
+ipgeolocation.io, 1
+ipggroup.com, 1
+ipgrabbed.rip, 1
+iphone.fashion, 1
+iphone6.ro, 1
+iphonebatarya.net, 1
+iphonechina.net, 0
+iphoned.nl, 1
+iphonekaitori.tokyo, 0
+iphonemobile.ro, 1
+iphonerepairbolton.co.uk, 1
+iphonesoft.fr, 1
+iphoneunlock.nu, 1
+iphostreputation.com, 1
+ipid.me, 1
+ipidkun.com, 1
+ipigri.tk, 1
+ipinfo.tw, 1
+ipioneer.ga, 1
+ipirangaparafusos.com.br, 1
+ipl.pt, 1
+iplabs.de, 0
+iplaycraft.ru, 1
+iplayradio.net, 0
+ipleak.net, 1
+ipledgeonline.org, 0
+iplog.info, 0
+iplookup.tk, 1
+ipmatic.ga, 1
+ipmotion.ca, 1
+ipmscorp.com, 1
+ipmscoutek.com, 0
+ipnoze.com, 1
+ipnrt.net, 1
+ipoac.be, 1
+ipoac.nl, 1
+ipokabu.net, 1
+ipomue.com, 1
+ipon.hu, 1
+ipon.ro, 1
+iposm.net, 0
+ipoteka.az, 1
+ipow.tk, 1
+ipperde.tk, 1
+ipplans.com, 1
+ippo-juku.com, 1
+ippo.org.uk, 1
+iprcenter.gov, 1
+iprep.it, 0
+ipresent.com, 1
+iprice.co.id, 1
+iprice.hk, 1
+iprice.my, 1
+iprice.ph, 1
+iprice.sg, 1
+iprice.vn, 1
+ipricethailand.com, 1
+iprisk.info, 1
+ipro.sbs, 1
+iproducemusic.com, 1
+iproductrepair.com, 1
+iproskills.com, 1
+iprpetitiondenied.com, 1
+ips-consult.nl, 1
+ips-sachsen.de, 1
+ips.com.my, 1
+ipschool.spb.ru, 1
+ipsculemborg.nl, 1
+ipsecurelink.com, 1
+ipsilon-project.org, 1
+ipso.paris, 1
+ipssl.li, 1
+ipstoragesolutions.com, 1
+ipsubscription.store, 1
+ipsum.dk, 1
+ipswitch.com.tw, 1
+iptechnology.tk, 1
+iptoasn.com, 1
+iptops.com, 1
+iptv.ge, 1
+iptvfriend.ga, 1
+iptvzoom.xyz, 1
+ipty.de, 1
+ipuservicedesign.com, 1
+ipushmail.tk, 1
+ipv4.cf, 1
+ipv4.cy, 1
+ipv4.gr, 1
+ipv4.party, 1
+ipv4.rip, 1
+ipv6-adresse.dk, 1
+ipv6-handbuch.de, 1
+ipv6.bible, 1
+ipv6.cool, 1
+ipv6.cy, 1
+ipv6.gr, 1
+ipv6.jetzt, 0
+ipv6.pictures, 1
+ipv64.net, 0
+ipv6ioffentligsektor.se, 1
+ipv6vpn.net, 1
+ipvbook.com, 0
+ipview.tk, 1
+ipwho.site, 1
+iqcybersolutions.com, 1
+iqmarketing.nl, 1
+iqor.com, 1
+iqos.ml, 1
+iqphone.cf, 1
+iqphone.ga, 1
+iqr2.com, 1
+iqraskolan.se, 1
+iqreview.ru, 1
+iqsecurity.eu, 1
+iqtechportal.com, 1
+iqtek.solutions, 1
+iqwst.com, 1
+ir.to, 1
+iraanswersers.ga, 1
+iraanswersest.ga, 1
+iraf.de, 1
+iragoldreview.com, 1
+irajsingh.tk, 1
+irakturkleri.org, 1
+iramellor.com, 1
+iran-best.cf, 1
+iran-efshagari.com, 1
+iran-oil.tk, 1
+iran-speedex.tk, 1
+iranactua.tk, 1
+irancenter.tk, 1
+iranconnect.tk, 1
+irandex.ga, 1
+irandex.gq, 1
+irando.co.id, 1
+irandroid.ml, 1
+iranettelecom.com.br, 1
+iranfilmcity.tk, 1
+iranfreshfruit.cf, 1
+irangeodesy.tk, 1
+iranian.lgbt, 1
+iranjeunesse.com, 1
+iranjob.tk, 1
+iranlinks.tk, 1
+iranonline.tk, 1
+iranophiles.com, 1
+iranophiles.net, 1
+iranophiles.org, 1
+iranpedia.tk, 1
+iranrebate.com, 1
+iranturkey.info, 1
+iranwiki.ovh, 1
+irap.org, 1
+iraq2u.tk, 1
+iraq4u.tk, 1
+iraqinews.ga, 1
+iraqmartialarts.tk, 1
+iraqtop.tk, 1
+irareturners.ga, 1
+irasandi.com, 1
+irasingh.tk, 1
+iratechwatch.com, 1
+iratten.de, 1
+irayo.net, 1
+irbot.com.br, 1
+irchat.cn, 1
+ircica.org, 1
+ircmett.de, 1
+ircnet.de, 1
+ircnow.org, 0
+ircoholik.ml, 1
+ircom.com.ar, 1
+ircpad.com, 1
+ircsapiklari.tk, 1
+ircstats.org, 1
+irdll.com, 1
+ireaco.com, 1
+iready.ro, 1
+irealisatie.nl, 1
+iredellcountync.gov, 1
+iregister.al, 1
+ireiguam.org, 1
+ireis.fr, 1
+ireland.gq, 1
+irelandforukraine.ie, 1
+irelandinternetstuffs4u.tk, 1
+irelandondemand.ie, 1
+irelandremembers.com, 1
+irelandremembers.ie, 1
+irelandremembers.org, 1
+irelandstats.com, 1
+iren.gov, 1
+irenefellner.com, 1
+irenekauer.com, 1
+irenelove.com, 1
+ireneskralen.tk, 1
+irenictherapy.com, 1
+irentcar.com.tw, 1
+ireps.gov.in, 1
+iresineworld.tk, 1
+irf2.pl, 1
+irfanweb.cf, 1
+irfs.org, 1
+irgit.pl, 1
+iricky.art, 1
+iridescentsun.com, 1
+iridiumbrowser.de, 1
+irina-beauty.de, 1
+irinaf.tk, 1
+irioka.be, 1
+irion-edm.com, 1
+iris-design.info, 1
+iris-elements-development.co.uk, 1
+iris-elements-development.com, 1
+iris-elements-staging.co.uk, 1
+iris-elements-staging.com, 1
+iris-elements-testing.co.uk, 1
+iris-elements-testing.com, 1
+iris-elements.co.uk, 1
+iris-elements.com, 1
+iris-insa.com, 1
+iris.co.uk, 1
+irische-segenswuensche.info, 1
+irisdesideratum.com, 1
+irisdesign.com, 1
+irisfansite.tk, 1
+irish.radio, 1
+irishdancing.tk, 1
+irishdenetwork.org, 1
+irishlifehealth.ie, 1
+irishmusic.nu, 0
+irishradioplayer.radio, 1
+irishub.co.uk, 1
+irishwool.ru, 1
+irisinclusiva.pt, 0
+irisinfo.net, 1
+irismq.fr, 1
+irisopenspace.co.uk, 1
+irisws-development.co.uk, 1
+irisws-staging.co.uk, 1
+irisws-testing.co.uk, 1
+iritual.ru, 1
+irkutsk-studygood.ga, 1
+irkutsk38.tk, 1
+irland-firma.com, 1
+irlfp.com, 1
+irlpack.pl, 1
+irlprable.tk, 1
+irma-gadalka.tk, 1
+irmag.ru, 1
+irmakprefabrik.com, 1
+irmgard-woelfle.de, 1
+irmgardkoch.com, 1
+irmo.hr, 1
+irmonline.tk, 1
+irob.co.jp, 1
+iroiroaruyo.net, 1
+iroise.ch, 1
+iroisedh.fr, 1
+iron-infos.cf, 1
+iron.io, 1
+ironarch.net, 1
+ironbarnyc.com, 1
+ironbelly.pro, 1
+ironbow.com, 0
+ironbowhealthcare.com, 0
+ironcage.tk, 1
+ironcladapp.com, 1
+ironcross.tk, 1
+irondequoit.gov, 1
+ironfistdesign.com, 1
+ironfittings.com.br, 1
+irongym.tk, 1
+ironitekstil.com, 1
+ironmagma.tk, 1
+ironmaidenbootleghub.tk, 1
+ironmongery.cf, 1
+ironmongery.ga, 1
+ironmongeryexperts.co.uk, 1
+ironpeak.be, 1
+ironraven.ch, 1
+ironraven.ml, 1
+ironridgewi.gov, 1
+ironscales.com, 0
+ironstar.tk, 1
+irontigers.ga, 1
+irontigers.gq, 1
+irontigers.ml, 1
+ironwaytransport.com, 1
+ironwind.ga, 1
+ironwolftechnology.com, 1
+ironwoodmi.gov, 1
+ironycats.net, 1
+iroomz.co.uk, 1
+iroquoiscountyil.gov, 1
+irpadafrique.ml, 1
+irr52.ru, 0
+irr59.ru, 1
+irrational.net, 1
+irrewilse.se, 1
+irrigation.zone, 1
+irscouponsers.ga, 1
+irscouponsest.ga, 1
+iruarts.ch, 1
+iruca.co, 1
+iruniruten.tk, 1
+iruoy.com, 1
+irvetclinic.com, 1
+irvinekentucky.gov, 1
+irvingtonnj.gov, 1
+irvingtonva.gov, 1
+irvingtx.gov, 1
+irweb.io, 1
+irwincounty-ga.gov, 1
+irwinvalera.com, 1
+iryodatumoguide.com, 1
+irzumshafiq.tk, 1
+is-a-furry.org, 1
+is-and.com, 1
+is-in-hyper.space, 1
+is-news.today, 1
+is-real.xyz, 1
+is-rocket.science, 1
+is-socket.tk, 1
+isa357.com, 1
+isa4310.com, 1
+isa5417.com, 1
+isaaccomputerscience.org, 1
+isaaccs.org, 1
+isaacdgoodman.com, 1
+isaacgolding.com, 1
+isaackabel.cf, 1
+isaackabel.ga, 1
+isaackabel.gq, 1
+isaackabel.ml, 1
+isaackabel.tk, 1
+isaackhor.com, 1
+isaacman.tech, 1
+isaacmorneau.com, 1
+isaacperez.tk, 1
+isaacphysics.org, 1
+isaaczais.com, 1
+isaaya.com, 1
+isab.run, 1
+isabelaflores.com, 1
+isabelcaviedes.com, 1
+isabellahoopsentertainment.com, 1
+isabellainlove.com, 1
+isabellamelodia.com, 1
+isabellavandijk.nl, 1
+isabelle-delpech.com, 0
+isabellehogarth.co.uk, 1
+isabellzaloof.ga, 1
+isabellzaloof.gq, 1
+isabelmurillo-ordonez.com, 0
+isabelvalfer.com, 1
+isacyberinsure.com, 1
+isacybersecurity.com, 1
+isadamlari.tk, 1
+isaeus.nl, 1
+isakow.cf, 1
+isakow.gq, 1
+isamay.es, 1
+isamiok.com, 1
+isantv.com, 1
+isara.com, 1
+isaropiping.fr, 1
+isastylish.com, 1
+isavanderbrugge.nl, 1
+isavings.com, 1
+isbagla.com, 1
+isbase.de, 1
+isbaseballstillon.com, 1
+isbk.de, 0
+isbndirect.com, 0
+isbpanel.com, 1
+isc.org, 1
+isc2.org, 0
+isc2estoniachapter.ee, 1
+iscert.org, 1
+ischia2.it, 1
+ischool.co.jp, 1
+iscontrol.com.mx, 1
+iscrizioniexpofelina.it, 1
+iscultas.pp.ua, 1
+isdecolaop.nl, 1
+isdn.jp, 1
+isdown.cz, 1
+isecrets.se, 1
+iseecure.be, 1
+isekaimaid.xyz, 1
+isense.tw, 1
+isentek.com, 1
+iseriemandopkantoor.nl, 1
+isering.com, 1
+isernogiemandopkantoor.nl, 1
+iservicio.mx, 1
+iseulde.com, 1
+isexu.ga, 1
+isg-one.com, 0
+isg-tech.com, 1
+isgp-studies.com, 1
+ishadow.com, 1
+ishamf.com, 1
+ishet.al, 1
+ishigurodo.com, 1
+ishiharaken.com, 1
+ishii.blog, 1
+ishimen.co.jp, 1
+ishiro.me, 1
+ishland.com, 1
+ishopforpowerserg.com, 1
+ishtyl.com, 1
+isidore.uk, 1
+isidrocamachodiaz.es, 1
+isikdolls.com, 1
+isiklitabela.tk, 1
+isil.fi, 1
+isimonbrown.co.uk, 1
+isimonline.tk, 1
+isincheck.com, 1
+ising.pl, 1
+isiponline.ca, 1
+isis.cloud, 1
+isiso.com.tr, 1
+isistomie.com, 0
+isitan.com, 0
+isitchristmas.com, 1
+isitcoffeetime.com, 1
+isitdoneyet.gov, 1
+isitef.com, 1
+isitmed.com, 1
+isitnuclearwaryet.com, 1
+isitpatchtuesday.com, 1
+isitrest.info, 1
+iska.plus, 0
+iskanderbroere.nl, 1
+iskaron.de, 1
+iskaz.rs, 1
+iskconbd.org, 1
+iskconperth.com, 1
+iskin.xyz, 0
+iskkk.com, 1
+iskkk.net, 1
+iskorka.tk, 1
+iskra.world, 0
+iskurturkiye.cf, 1
+iskurturkiye.ga, 1
+iskurturkiye.gq, 1
+islam-2day.tk, 1
+islam-azeri.tk, 1
+islam-doc.tk, 1
+islam-net.tk, 1
+islam.az, 1
+islam.si, 1
+islam4all.tk, 1
+islam4congo.tk, 1
+islamabadcourt.tk, 1
+islamantarih.tk, 1
+islambolivia.tk, 1
+islamdersi.tk, 1
+islamdin.com, 1
+islamerkantho.com, 0
+islamfirst.ml, 1
+islamicacademy.tk, 1
+islamicarchitecturalheritage.com, 1
+islamicnews.tk, 1
+islamicsolution.tk, 1
+islaminbremen.de, 0
+islamipages.tk, 1
+islamisgreat.tk, 1
+islamiyet.gen.tr, 0
+islamiyet.tk, 1
+islamnews.ga, 1
+islamnewss.tk, 1
+islamo.tk, 1
+islamonline.net, 1
+islamparafriendsclub.ml, 1
+islamqa.info, 1
+islamspread.tk, 1
+islamvictory.com, 1
+islamvictory.net, 1
+islamvictory.org, 1
+island-cruises.tk, 1
+island-line.net, 1
+island-line.nl, 1
+island.is, 1
+islandbuses.info, 1
+islandchillfiji.com.my, 1
+islandcityoregon.gov, 1
+islandheightsborough.gov, 1
+islandhosting.com, 1
+islandinthenet.com, 1
+islandlakeil.gov, 1
+islandmenshealth.com, 1
+islandpumpandtank.com, 0
+islandsbanki.is, 1
+islandsofgreenturtles.tk, 1
+islasvirgenes.org, 1
+islatortuga.eu, 1
+islcustomsbrokers.com, 1
+islekyapi.com, 1
+islensktlambakjot.is, 1
+isleofman.tk, 1
+isletmenlikkursuankara.tk, 1
+isliada.org, 1
+islide-powerpoint.com, 1
+islief.com, 1
+islightdown.today, 1
+islikimas.lt, 1
+islipny.gov, 1
+islykaithecutest.cf, 1
+islykaithecutest.ml, 1
+ismail-biber.tk, 1
+ismailtoraman.com, 1
+ismailtoraman.com.tr, 1
+ismat.com, 0
+ismekkurs.com, 1
+ismena.bg, 1
+isminc.com, 1
+ismywebsitepenalized.com, 1
+isn.cz, 1
+isn.education, 1
+isnot.ai, 1
+iso.fr, 1
+iso27001.dk, 1
+iso27032.com, 1
+isobook.ml, 1
+isofartak.com, 1
+isogg.org, 1
+isognattori.com, 1
+isoip.org, 1
+isolatiehal.nl, 1
+isolation-exterieur-94.fr, 1
+isolation-exterieure-thermique.fr, 1
+isolation-thermique-exterieure.fr, 1
+isolation-thermique.maison, 1
+isolde.com, 1
+isole-lofoten.it, 1
+isolta.com, 1
+isolta.de, 1
+isolta.ee, 1
+isolta.fi, 1
+isolta.lv, 1
+isolta.se, 1
+isopres.de, 1
+isopro.info, 1
+isoroc-nidzica.pl, 1
+isosat.net, 1
+isotope.gov, 1
+isovideo.com, 1
+isowebtech.com, 1
+ispactivo.com, 1
+ispanika.tk, 1
+ispaniola.ga, 1
+ispanskijshuanom.ru, 1
+ispanyadahayat.com, 1
+ispartahaber.cf, 1
+ispartahaber.gq, 1
+ispartahaber.tk, 1
+ispc-synergies.org, 1
+ispfontela.es, 1
+ispmedipv6.se, 1
+isportsfab.com, 1
+ispro-ng.com, 1
+ispsoft.pro, 1
+isputinstillpresident.com, 1
+ispymissions.ga, 1
+isra-mag.com, 1
+israel-alma.org, 1
+israel-in-color.com, 1
+israel-nadlan.com, 1
+israel-real.estate, 1
+israel-web.com, 1
+israel21c.org, 1
+israelandantisemitism.com, 1
+israelandhome.com, 1
+israelbiblicalstudies.com, 1
+israelcareersers.ga, 1
+israelcareersest.ga, 1
+israelflorist.com, 1
+israelitas.tk, 1
+israelitopbox.ga, 1
+israelmesianico.tk, 1
+israelnewswire.tk, 1
+israelpalestinenews.org, 1
+israelportalk.cf, 1
+israelportalk.ga, 1
+israelportalk.gq, 1
+israelportalk.ml, 1
+israelportalk.tk, 1
+israkurort.com, 1
+isramedia.tk, 1
+isreedyinthe.uk, 1
+isreedyinthe.us, 1
+isreedyintheuk.com, 1
+isrib.com, 1
+issa.eu.org, 1
+issaias.net, 0
+issaquah.cam, 1
+issasfrissa.se, 1
+isscouncil.com, 1
+issea.wiki, 1
+issforum.org, 1
+issho.jp, 1
+issio.net, 1
+isslshop.com, 1
+issnet.cf, 1
+issnet.ga, 1
+issnet.gq, 1
+issuerconsulting.com, 1
+issues.email, 1
+issuetrak.com, 1
+issundries.com, 1
+ist-analys.com, 1
+ist-analyse.com, 1
+ist-intim.de, 1
+ist-toll.xyz, 1
+ista-vdm.at, 1
+istagb.ga, 1
+istanbul.systems, 1
+istanbulblog.tk, 1
+istanbulbogazicienstitu.com, 1
+istanbuleskort.tk, 1
+istanbulhaberleri.tk, 1
+istanbulhomes.com, 1
+istanbulmasajsalonu.tk, 1
+istanbulweb.gen.tr, 1
+istdas.lol, 1
+istec.com.ua, 1
+istech.com.tr, 1
+istekparcam.com, 1
+istekparcam.com.tr, 1
+isterfaslur.com, 1
+isthatarabic.com, 1
+istheapplestoredown.com, 1
+istheapplestoredown.de, 1
+isthedoorlocked.com, 1
+isthefieldcontrolsystemdown.com, 1
+istheinternetonfire.com, 1
+istherrienstillcoach.com, 1
+istheservicedown.co.uk, 1
+istheservicedown.com, 1
+istheservicedowncanada.com, 1
+isthisarabic.com, 1
+isthisus.org, 1
+isthnew.com, 1
+istimdead.today, 1
+istitutoimballaggio.org, 1
+istitutoricci.com, 1
+istitutoricci.it, 1
+istitutovivaldi.it, 1
+istkurznochkanzler.at, 1
+istmiregal.nl, 1
+istogether.com, 1
+istories.media, 1
+istorija-balkana.tk, 1
+istormsolutions.co.uk, 1
+istorrent.is, 1
+istratov.tk, 1
+istrosec.com, 1
+istrosec.org, 1
+istschonsolangeinrente.de, 1
+istsi.org, 1
+istudentpro.ml, 1
+istudio.one, 1
+isuggi.com, 1
+isultov.tk, 1
+isutils.com, 1
+isv.online, 1
+isvbscriptdead.com, 1
+isvsecwatch.org, 1
+isvstar.com, 1
+isvw.nl, 0
+iswag.se, 1
+iswapgh.com, 1
+isystem.cf, 1
+isystem.ga, 1
+isystem.gq, 1
+isystem.tk, 1
+isyu.xyz, 1
+iszy.cc, 1
+iszy.xyz, 1
+it-academy.sk, 1
+it-actual.ru, 1
+it-actually.work, 1
+it-altstadt.de, 1
+it-biznes.com, 1
+it-blog.cf, 1
+it-boss.ro, 1
+it-com.ga, 1
+it-connect.fr, 1
+it-cooking.com, 1
+it-ebook.ml, 1
+it-enthusiasts.tech, 1
+it-expert.tk, 1
+it-inside.ch, 1
+it-ip-rudnick.de, 1
+it-jobbank.dk, 1
+it-lobster.com, 1
+it-maker.eu, 1
+it-ngo.com, 1
+it-novosti.tk, 1
+it-perm.tk, 1
+it-rotter.de, 1
+it-seems-to.work, 1
+it-service24.com, 1
+it-stack.de, 1
+it-stek.ru, 1
+it-support-stockholm.se, 1
+it-tainment.de, 1
+it-tekniker.nu, 1
+it-ti.me, 1
+it-volgograd.tk, 1
+it-wars.com, 1
+it-web-entwicklung.de, 1
+it-world.eu, 0
+it-xperts.be, 1
+it-zt.at, 1
+it.com.eg, 0
+it.search.yahoo.com, 0
+it1b.com, 1
+it4sure.nl, 1
+it76.tk, 1
+it82.com, 1
+ita2a.it, 1
+itabenar.tk, 1
+itactiq.com, 1
+itactiq.info, 1
+itad.top, 1
+itaiferber.net, 1
+itaindustrial.com.br, 1
+itaja.com, 1
+itakunai-shika.com, 1
+italbavaro.com, 1
+italdesign.it, 1
+italentado.ml, 1
+italia-facile.ru, 1
+italiaeconomy.it, 1
+italiale.tk, 1
+italian-shoes.tk, 1
+italiana-lacrima.tk, 1
+italiancarservice.nl, 1
+italianerd.com, 1
+italianerd.it, 1
+italianettepizza.com, 1
+italianfoodonlinestores.com, 1
+italianforkids.com.au, 1
+italianhelper.com, 1
+italianluxuryinter.cf, 1
+italianluxuryinter.ga, 1
+italianluxuryinter.gq, 1
+italiano-bello.com, 1
+italianpillow.com, 1
+italianracingteam.tk, 1
+italiansrent.com, 1
+italiansrit.tk, 1
+italianweddingmusicians.com, 1
+italianweddingvideographers.com, 1
+italiasera.it, 1
+italiataxi.ru, 1
+italiatopnews.tk, 1
+italiensk-tolk.dk, 1
+italik.co.uk, 1
+italjet-tuning.tk, 1
+italk.ml, 1
+italserrande.it, 1
+italyinspires.com, 1
+italyisbeautiful.com, 1
+italyspecialty.coffee, 1
+itamservices.nl, 1
+itap.gov, 1
+itape.com, 0
+itaro.bot, 1
+itaro.ee, 1
+itaro.eu, 1
+itascacountymn.gov, 1
+itasis.com.br, 1
+itasolution.it, 1
+itb-online.co.uk, 1
+itbog.org, 1
+itbolagmedipv6.se, 1
+itbrief.asia, 1
+itbrief.co.nz, 1
+itbrief.com.au, 1
+itbrouwerij.be, 1
+itc-lucke.com, 1
+itcamefromtheunderground.tk, 1
+itcbuerobedarf.de, 1
+itcentroamerica.com, 1
+itchy.nl, 1
+itchybrainscentral.com, 1
+itcinfotech.com, 1
+itcloud.ca, 1
+itclub.me, 1
+itclubonline.tk, 1
+itcommodities.club, 1
+itcompanies.net, 1
+itconsulting-wolfinger.de, 1
+itcoolie.in, 1
+itcreative.ro, 1
+itcs.services, 1
+itcyber.pl, 1
+itcybersecurity.gr, 1
+itdashboard.gov, 1
+itdata.tk, 1
+itdoneproperly.com, 1
+itds-consulting.com, 1
+itds-consulting.eu, 1
+itdutchie.com, 1
+itechbrand.com, 1
+itechfast.tk, 1
+itechpros.com.au, 1
+itecor.net, 0
+iteecafe.hu, 1
+itefix.net, 1
+itefix.no, 1
+iteha.de, 1
+iteke.ml, 1
+iteke.tk, 1
+iteks.fr, 1
+iteksys.ru, 1
+item.no, 1
+itemcreator.tk, 1
+itemmc.com, 1
+itempathy.com, 1
+iteon.pl, 1
+itepechi.me, 1
+iteracy.com, 1
+iternova.net, 1
+itero.eu, 1
+iterror.co, 1
+itexpert12.tk, 1
+itexplaineders.ga, 1
+itexplainedest.ga, 1
+itezu.ml, 1
+itfall.tk, 1
+itfh.eu, 0
+itfirmaet.dk, 1
+itfix.org.uk, 1
+itgeeks.nl, 1
+itgoesup.com, 1
+itgoesupent.com, 1
+itgoesupentertainment.com, 1
+ithakama.com, 1
+ithakama.cz, 1
+ithenrik.com, 1
+ithillel.ua, 1
+ithinc.net, 1
+ithjalpforetag.se, 1
+ithmaarbank.com, 1
+ithriveedinburgh.org.uk, 1
+ithuthuat.vn, 1
+itidying.com, 1
+itikon.com, 1
+itilo.de, 0
+itinerance.ca, 1
+itinero.xyz, 1
+itioc10.tk, 1
+itis.gov, 1
+itis4u.ch, 1
+itisjustnot.cricket, 1
+itisyourmoney.co.uk, 1
+itiweb.tk, 1
+itk.se, 1
+itleaked.gq, 1
+itlg.ru, 1
+itlife.tk, 1
+itlitera.com, 1
+itlog.tk, 1
+itlogic.com.au, 1
+itludens.com, 1
+itmastersupport.tk, 1
+itmatournai.tk, 1
+itmax.ua, 1
+itmedicinai.lt, 1
+itmindscape.com, 1
+itmustbee.com, 1
+itmx.cc, 0
+itnet.com.ua, 1
+itninja.one, 1
+itnota.com, 1
+itnow.ng, 1
+itnsusa.com, 1
+itoady.com, 1
+itochan.jp, 1
+itoezichtprotocol.nl, 1
+itoma.tech, 1
+itondersteuning.eu, 1
+itotalaccess.net, 1
+itouriria.com, 1
+itoxic.tk, 1
+itpanda.pl, 1
+itparty.tk, 1
+itpaukku.tk, 1
+itpedia.nl, 1
+itperm.tk, 1
+itplace.bg, 1
+itpol.dk, 1
+itpress.fi, 1
+itpro.ua, 1
+itprotect.pl, 1
+itradeit.in, 1
+itradenetwork.com, 1
+itraffic.cf, 1
+itraffic.tk, 1
+itraincalisthenic.com, 1
+itraveille.fr, 1
+itravelbg.com, 1
+itraveller.net, 1
+itreboot.co.nz, 1
+itrendbuzz.com, 1
+itrew.ru, 1
+itrezzo.com, 1
+itrio.pet, 1
+itrodeo.com, 1
+itrollskogens.tk, 1
+itruss.com.tw, 1
+itruth.tk, 1
+its-aeth.tk, 1
+its-em.ma, 1
+its-gutachten.de, 1
+its-not-your.business, 1
+its-schindler.de, 1
+its-taxi.nl, 1
+its-v.de, 1
+its.gov, 1
+its420somewhere.com, 1
+its4living.com, 1
+its5oclock.eu, 1
+itsabouncything.com, 1
+itsacheckmate.com, 1
+itsakerhetspodden.se, 1
+itsalan.tk, 1
+itsallmath.org, 1
+itsanicedoor.co.uk, 1
+itsaw.de, 1
+itsayardlife.com, 1
+itsbananas.life, 1
+itsbrightly.com, 1
+itsburning.nl, 1
+itscalculator.com, 1
+itscc.kr, 1
+itsch-itsche.com, 1
+itsdcdn.com, 1
+itsec.link, 1
+itsecblog.de, 1
+itsecboecker.de, 1
+itsecrnd.com, 1
+itsecuritycoach.com, 1
+itseeze.com, 1
+itservis.org, 1
+itsevann.com, 1
+itsevident.com, 1
+itsforu.de, 1
+itsgottabedark.com, 1
+itsgreener.com, 1
+itshamradio.com, 1
+itshka.rv.ua, 1
+itsig-faq.de, 1
+itsloution.tk, 1
+itsm.tools, 1
+itsmeaxel.ovh, 1
+itsmycode.com, 1
+itsmyparty.ie, 1
+itsnotnot.tk, 1
+itsnotquitethehilton.com, 0
+itsnudi.com.br, 1
+itsoft.ru, 1
+itsok.de, 1
+itsok.link, 1
+itsoluciones.com.co, 1
+itspartytimeonline.co.uk, 1
+itspartytimesweetinflations.com, 1
+itspersonalizeders.ga, 1
+itspersonalizedest.ga, 1
+itspersonaltraining.nl, 1
+itsquiet.org, 1
+itsrana.com, 1
+itssolidest.ga, 1
+itsstefan.eu, 1
+itstartswithme.ca, 1
+itstatic.tech, 1
+itstimetravel.com, 1
+itsuitsyou.co.za, 1
+itsuka-world.com, 1
+itsundef.in, 0
+itsupport24.tk, 1
+itsupportguys.com, 1
+itswincer.com, 1
+itsybitsytrees.com, 1
+itsynergy.co.uk, 1
+itt-shop.bg, 1
+itt-shop.com, 1
+itt-us.com, 1
+ittgame.tk, 1
+ittreservations.com, 1
+ittykins.com, 1
+itunesgiftcard.in.th, 1
+itur.co.il, 1
+itvaatlik.ee, 1
+itvia.email, 1
+itvia.eu, 1
+itvia.net, 1
+itvia.org, 1
+itviec.com, 1
+itvirtual.tk, 1
+itw.com, 1
+itweak.tk, 1
+itwebentwicklung.de, 1
+itwell.cz, 1
+itwofm.com, 1
+itwolfcl.tk, 1
+itworks.nyc, 1
+itwozi.com, 0
+itx.no, 1
+itxartu.tk, 1
+itxlatam.com, 1
+itxn.cn, 0
+itxnorge.no, 1
+itxuc.com, 1
+ityug247.com, 1
+itzahammer.tk, 1
+itzamnaxelahomestay.tk, 1
+itzap.com.au, 1
+itzer.de, 1
+itzine.ru, 1
+itzkavin.tk, 1
+itzlive.tk, 1
+iubuniversity.tk, 1
+iurisnovagestion.es, 0
+iusedtobelieve.com, 1
+iuspenal.com, 1
+iv-vr.com, 1
+iv-well.com, 1
+iv.pl, 0
+iv4kiso.com, 1
+ivahbbiz.tk, 1
+ivan-maliy.tk, 1
+ivan-popov.tk, 1
+ivan-tadej.tk, 1
+ivan-varga.tk, 1
+ivan1874.cf, 1
+ivan1874.dynu.net, 1
+ivan770.me, 1
+ivana-models-escortservice.de, 0
+ivanaleksandrov.com, 1
+ivanbenito.com, 1
+ivancacic.com, 0
+ivandafish.net, 1
+ivanderevianko.com, 1
+ivanesalud.com, 1
+ivanilla.org, 1
+ivanime.com, 1
+ivankuchin.tk, 1
+ivanmeade.com, 1
+ivanov.icu, 1
+ivanovka.ga, 1
+ivanovocity.tk, 1
+ivanovolive.ru, 1
+ivanpolchenko.com, 1
+ivantedesco.tk, 1
+ivanwolf.ga, 1
+ivanya.tk, 1
+ivanzorin.cf, 1
+ivdnt.org, 1
+ivelop.me, 0
+ivendi.com, 1
+iventishirts.com, 1
+ivermectin.gq, 1
+ivermectinc19.com, 1
+ivertubani.com, 1
+ivetazivot.cz, 1
+ivetebolos.com.br, 1
+ivfausland.de, 1
+ivi.cx, 1
+ivifashion.tk, 1
+ivioschool.nl, 1
+ivisa.ga, 1
+ivisitkorea.com, 1
+ivisitorinsurance.com, 1
+ivixor.ru, 1
+ivjose.com, 0
+ivkom.com, 1
+ivkymppi.fi, 1
+ivmmeta.com, 1
+ivmstatus.com, 1
+ivn555.tk, 1
+ivn777.tk, 1
+ivn888.tk, 1
+ivn999.com, 0
+ivnext.org, 1
+ivo-ouwerkerk.nl, 1
+ivo.co.za, 1
+ivocopro.com, 1
+ivocotec.com, 1
+ivoid.cf, 1
+ivopetkov.com, 1
+ivor.io, 1
+ivor.is, 1
+ivorvanhese.com, 1
+ivorvanhese.nl, 1
+ivory.com, 1
+ivory.de, 1
+ivoryandgrace.com, 1
+ivoryhomes.com, 1
+ivoryonsunset.com, 1
+ivotemahdi.com, 1
+ivoucher-kuwait.com, 1
+ivpark.fr, 1
+ivpbot.tk, 1
+ivpn.net, 1
+ivr.fi, 0
+ivre.rocks, 1
+ivrn.net, 1
+ivs-tech.ru, 1
+ivsign.net, 1
+ivtherapyclinic.ru, 1
+ivy-league-colleges.com, 1
+ivyandrose.co, 1
+ivyhelpers.com, 1
+ivypanda.com, 1
+ivyseeds.cf, 1
+iwalton.com, 1
+iwant.cz, 1
+iwantexchange.com, 1
+iwantpayments.com, 1
+iwanttrack.com, 1
+iwantyoutocomment.tk, 1
+iwascoding.com, 1
+iwascoding.de, 1
+iwasfit.com, 1
+iwashealthy.com, 1
+iwatchcops.com, 1
+iwatchcops.org, 1
+iwatchla.net, 1
+iwate-shien-r5.com, 1
+iwate-tabipro-ver4.jp, 1
+iwatt.sk, 1
+iwch.tk, 1
+iwd.gc.ca, 1
+iwebdna.com, 1
+iwebing.tk, 1
+iweblab.it, 1
+iwebolutions.com, 1
+iwebsolution.tk, 1
+iwec.pk, 1
+iwex.swiss, 1
+iwf.sport, 1
+iwhite.tk, 1
+iwiki.net, 1
+iwismer.ca, 1
+iwmf.ir, 1
+iwonder.tw, 1
+iwp.ch, 1
+iwtsd.gov, 1
+iww.me, 1
+iww.mx, 1
+iww.org.au, 1
+iww.org.nz, 1
+ix.run, 1
+ix8.ru, 0
+ixiaqu.com, 0
+ixir.gen.tr, 1
+ixit.cz, 1
+ixn.com, 1
+ixoso.com, 1
+ixplayer.com, 1
+ixquick-proxy.com, 1
+ixquick.co.uk, 1
+ixquick.com, 1
+ixquick.de, 1
+ixquick.eu, 1
+ixquick.fr, 1
+ixquick.info, 1
+ixquick.nl, 1
+ixtan.ga, 1
+ixware.de, 1
+ixxat.com, 0
+ixypsilon.net, 1
+iy.uy, 1
+iyadalkassab.com, 1
+iyan.es, 1
+iyanmv.com, 1
+iyassu.com, 1
+iyc.web.tr, 1
+iyiarastir.com, 1
+iyibul.net, 1
+iyinolaashafa.com, 1
+iyn.me, 1
+iyouewo.com, 1
+iyoumu.top, 1
+iyspanel.com, 1
+iyume.top, 1
+iz8mbw.net, 1
+izabava.tk, 1
+izabel.tk, 1
+izamulhakeem.tk, 1
+izana.com.br, 1
+izanagi52.ddns.net, 1
+izapi4.fr, 1
+izavel.com, 1
+izb.se, 1
+izbirateli.com, 1
+izecubz.me, 1
+izedge.com, 1
+izi-agency.com, 1
+izipik.gq, 1
+izkustvo.com, 1
+izleorg2.org, 1
+izm.ovh, 1
+izmail-invertor.com.ua, 1
+izmailovo.tk, 1
+izmir-media.cf, 1
+izmir-media.ga, 1
+izmir-media.gq, 1
+izmir-organizasyon.tk, 1
+izmirarabakiralama.name.tr, 1
+izmirarackiralama.name.tr, 1
+izmirescort.tk, 1
+izmireskortlari.tk, 1
+izmirgideracma.com, 1
+izmirotokiralama.name.tr, 1
+izmirprotestan.org, 1
+izmirrentacar.name.tr, 1
+izmirtemizlik.tk, 1
+izodiacsigns.com, 1
+izs.me, 1
+izttech.com, 1
+izuba.info, 0
+izumi-hirodental.com, 1
+izumi-ryokan.com, 1
+izumrudniy.tk, 1
+izvorul-bucovinei.ro, 1
+izxxs.com, 1
+izxxs.net, 1
+izxzw.net, 1
+izzardink.com, 1
+izzqz.me, 1
+izzy.is, 1
+izzy.kiwi, 1
+izzycat.net, 1
+izzymendosa.net, 1
+izzyontour.tk, 1
+j-annonce.co.il, 1
+j-harrison-media.co.uk, 1
+j-harrison.co.uk, 1
+j-library.com, 1
+j-maxton.de, 1
+j-ph.ovh, 1
+j-robertson.com, 1
+j00228.com, 1
+j05.cn, 1
+j0bs.org, 1
+j0e.com, 1
+j0hn.net, 0
+j0hndball.com, 1
+j0m.de, 1
+j0s.eu, 1
+j15h.nu, 1
+j1visahealthinsurance.com, 1
+j2ee.cz, 1
+j2h.de, 1
+j3.cn, 1
+j32663.com, 1
+j32665.com, 1
+j32773.com, 1
+j32774.com, 1
+j32b.com, 1
+j365.me, 1
+j36533.com, 1
+j3dpd.com, 1
+j3e.de, 1
+j4m.xyz, 1
+j5197.co, 1
+j5lx.de, 1
+j5lx.eu, 1
+j5lx.io, 1
+j5s7.de, 1
+j5y.de, 1
+j605.tk, 1
+j6729.co, 1
+j6729.com, 1
+j6957.co, 1
+j6957.com, 0
+j70111.com, 0
+j70222.com, 0
+j70333.com, 0
+j70444.com, 0
+j70555.com, 0
+j82365.com, 1
+j8jp.com, 0
+j9.ag, 0
+j9297.co, 1
+j9507.com, 0
+j9508.com, 0
+j9514.com, 0
+j95app.com, 0
+j95bb.com, 0
+j95cc.com, 0
+j95dd.com, 0
+j95ee.com, 0
+j95ios.com, 0
+j95ss.com, 0
+j95xx.com, 0
+j95zz.com, 0
+j9728.co, 1
+ja-jirei-ienohikari.com, 1
+ja-no-me.ru, 1
+ja-sobstvennik.tk, 1
+ja-tay.sr, 1
+ja-youth.jp, 1
+ja-zur-gs.de, 1
+ja1deijssel.tk, 1
+jaago-pakistan.tk, 1
+jaajko.com, 1
+jaajko.eu, 1
+jaajko.fi, 1
+jaajko.me.uk, 1
+jaajko.site, 1
+jaajko.xyz, 1
+jaakkohannikainen.fi, 1
+jaalits.com, 1
+jaamaa.com, 1
+jaanikese.edu.ee, 1
+jaarverslagveere.nl, 1
+jaaxypro.com, 1
+jab-graphics.com, 1
+jaba.hosting, 1
+jababu.cz, 1
+jabagly.com, 1
+jabal-aqel-albab.tk, 1
+jabba.homelinux.org, 1
+jabbari.io, 1
+jabbas.eu, 1
+jabber.at, 1
+jabber.uk, 1
+jabberd.org, 1
+jabberdog.tk, 1
+jabberfr.org, 1
+jabbers.one, 1
+jabberster.tk, 1
+jabboworld.tk, 1
+jaberg-rutschi.ch, 1
+jabergrutschi.ch, 1
+jabjab.de, 1
+jabou.co.uk, 1
+jabramson.com, 1
+jabramson.net, 1
+jabsolutions.tk, 1
+jacaranda-deutschland.org, 1
+jaccblog.com, 1
+jacek.pro, 1
+jacekowski.org, 1
+jachtbouw.eu, 1
+jachtypruszynski.pl, 1
+jacik.cz, 1
+jack-daw.com, 1
+jack-p2.tech, 1
+jack.fr.eu.org, 1
+jack2celebrities.com, 1
+jackafur.net, 1
+jackal-cogito.tk, 1
+jackandrascals.com, 1
+jackarmail.eu, 1
+jackass-as.com, 1
+jackassofalltrades.org, 1
+jackbauer.tk, 1
+jackblues.tk, 1
+jackdanielssauces.com, 1
+jackdawphoto.co.uk, 1
+jacket-coat.tk, 1
+jackets-coats.tk, 1
+jackets-coatsplus.tk, 1
+jackets-for-men.tk, 1
+jackf.me, 1
+jackgames.net, 1
+jackgreiner.ca, 1
+jackhammerinteractive.com, 1
+jackhoodtransportation.com, 1
+jackienguyen.dk, 1
+jackiestp.com, 1
+jackingramnissanparts.com, 1
+jackinmybox.com, 1
+jackjack.ga, 1
+jackmail.tk, 1
+jackmcgregor.uk, 1
+jackmechanic.com, 1
+jackob.tk, 1
+jackops.com, 1
+jackpothappy.com, 1
+jackripper.tk, 1
+jackrussel.tk, 1
+jackrusselterrier.com.br, 1
+jacksanalytics.com, 1
+jacksball.com, 1
+jacksfeestverhuur.nl, 1
+jackson-quon.com, 1
+jacksonchen666.com, 1
+jacksoncountyfl.gov, 1
+jacksoncountyor.gov, 1
+jacksoncountytn.gov, 1
+jacksoncountywi.gov, 1
+jacksonfdwi.gov, 1
+jacksongoo.de, 1
+jacksonportwi.gov, 1
+jacksonsykes.com, 1
+jacksontwpclermontoh.gov, 1
+jacksontwpfranklinoh.gov, 1
+jacksontwpmcpa.gov, 1
+jacksonville.gov, 1
+jacksonvilleal.gov, 1
+jacksonvillebeach.gov, 1
+jacksorrell.com, 1
+jackspub.net, 1
+jackstone.tk, 1
+jacksutton.info, 1
+jacktor.com, 1
+jackvaley.com, 1
+jackwarren.info, 1
+jackwu.net, 1
+jackylawless.net, 1
+jackyliao.me, 1
+jackyliao123.tk, 1
+jackyyf.com, 0
+jaco.by, 0
+jacobenjogchum.tk, 1
+jacobey.net, 1
+jacobi-server.de, 1
+jacobian.org, 1
+jacobjangles.com, 1
+jacobo.tk, 1
+jacobsenarquitetura.com, 1
+jacobsmeubels.nl, 1
+jacobspctuneup.tk, 1
+jacobtamassiaadvocacia.adv.br, 1
+jacobtaylor.id.au, 1
+jacool.tk, 1
+jacopo.tk, 1
+jacopomolina.me, 1
+jacquant.be, 1
+jacquelinebellefontaine.co.uk, 1
+jacquelinesdream.tk, 1
+jacquesdedixmude.eu, 1
+jacquesfrantz.com, 1
+jaculus.eu, 0
+jad.so, 1
+jadara.info, 1
+jadchaar.me, 1
+jadedmonkey.tk, 1
+jadehairstyle.nl, 1
+jadelsbach.de, 1
+jadesong.cn, 1
+jadesong.net, 1
+jadid-alwadifa.com, 1
+jadidgroup.com, 1
+jadiercms.cf, 1
+jadopado.com, 1
+jadox.com, 1
+jaduniv.cf, 1
+jae.su, 1
+jae.zone, 1
+jaeger.link, 1
+jaehyeon.it, 1
+jaenparaisointerior.es, 1
+jaepinformatica.com, 1
+jaetech.org, 1
+jafarmehdipor.ga, 1
+jag-meccar.tk, 1
+jaga-me.com, 1
+jagad.id, 1
+jagadhatrionline.co.in, 1
+jagaimo.works, 1
+jagan.be, 1
+jagar.com.pl, 1
+jagatreview.com, 1
+jagbouncycastles.co.uk, 1
+jagerkin.tk, 1
+jagerman.com, 1
+jagogame.tk, 1
+jags.tk, 1
+jagspecialisters.ga, 1
+jagspecialistest.ga, 1
+jagsttalschule.de, 1
+jaguar-network.com, 1
+jaguarkuda.com, 1
+jaguarlandrover-asse.be, 1
+jaguarlandrover-occasions.be, 1
+jahanaisamu.com, 1
+jahidhasanmurad.tk, 1
+jahimees.ee, 1
+jahit.tk, 1
+jahner.xyz, 1
+jahubar.tk, 1
+jaialdi.tk, 1
+jaiho-zeetoz1server.ga, 1
+jailbait.ml, 1
+jailbreakingisnotacrime.org, 1
+jailfood.ga, 1
+jailfooders.ga, 1
+jailfoodest.ga, 1
+jailstorm.ml, 1
+jaimechanaga.com, 1
+jainmantras.com, 1
+jaion.tech, 1
+jaion.xyz, 1
+jaipurescort.club, 1
+jaipurescortagency.com, 1
+jairoenfrancien.tk, 1
+jaisiam.co.th, 1
+jaisin.com, 1
+jaispirit.com, 1
+jaiyen.com, 1
+jaiyun.tk, 1
+jajce.tk, 1
+jajojababy.com, 1
+jajycycojota.cf, 1
+jakabszallas.hu, 1
+jakarta-tourism.go.id, 1
+jakarta.ee, 1
+jakartaone.org, 1
+jakartaurbanhosting.com, 1
+jakdelatseo.cz, 1
+jake.eu.org, 1
+jake.ml, 1
+jake.nom.za, 1
+jake.rodeo, 1
+jakegyllenhaal.ga, 1
+jakemansfield.com, 1
+jakereynolds.co, 1
+jakeross.me, 1
+jakerullman.com, 0
+jakeslab.tech, 1
+jakewales.com, 1
+jakincode.army, 1
+jakincode.com, 1
+jako.tk, 1
+jakob-bleek.de, 1
+jakob-server.tk, 1
+jakobczyk.org, 1
+jakobejitblokaci.cz, 1
+jakobhildebrand.de, 1
+jakobkrigovsky.com, 1
+jakobs.systems, 1
+jakobssystems.net, 1
+jakpost.net, 1
+jakpremyslet.cz, 1
+jakse.fr, 1
+jaksi.io, 1
+jaktang.com, 1
+jakub-boucek.cz, 1
+jakubarbet.eu, 1
+jakubboucek.cz, 1
+jakubklimek.com, 1
+jakubmeysner.com, 1
+jakubsindelar.cz, 1
+jakubvrba.cz, 1
+jakumammy.pl, 1
+jakzostacmilionerem.biz, 1
+jal-ja.com, 1
+jala.tech, 0
+jalebiyat.tk, 1
+jaleesa.sa, 1
+jaleo.cn, 1
+jaliscolindo.tk, 1
+jall.com.br, 1
+jallatte.fr, 1
+jallenfabric.com, 1
+jaloozone.ml, 1
+jalopnik.com, 1
+jaluzelemoderne.ro, 1
+jaluziperde.tk, 1
+jamaat.hk, 1
+jamaica.gq, 1
+jamaicabeachtx.gov, 1
+jamally.co.za, 1
+jambapp.org, 1
+jambb.nu, 1
+jamberry.com.mx, 1
+jambihackerlink.tk, 1
+jambing.cn, 1
+jamboree.online, 1
+jambox.ca, 1
+jambox.pl, 1
+jamcyberinc.com, 1
+jamdro.id, 1
+jamelhammoud.com, 1
+james-bell.co.uk, 1
+james-parker.com, 0
+james.cyou, 1
+james.je, 1
+james.pub, 1
+jamesachambers.com, 1
+jamesaimonetti.com, 1
+jamesandeverett.com, 1
+jamesbillingham.com, 1
+jamesbromberger.com, 1
+jamesbrown.cn, 1
+jamesbrown.us, 1
+jameschorlton.co.uk, 1
+jamesconroyfinn.com, 0
+jamesdorf.com, 1
+jamesedition.com, 1
+jamesevans.is, 1
+jamesgarrigan.info, 1
+jamesgarrigan.nyc, 1
+jamesgreenfield.com, 1
+jameshawk.pl, 1
+jamesheald.com, 1
+jameshenderson.online, 1
+jameshost.net, 1
+jameside.com, 1
+jamesj.me, 0
+jamesjboyer.com, 1
+jamesjj.net, 1
+jamesknd.uk, 0
+jamesl.tk, 1
+jameslahey.com, 1
+jamesmarsh.net, 1
+jamesmcnee.co.uk, 1
+jamesmcnee.com, 1
+jamesmorrison.me, 1
+jamesmurphy.tk, 1
+jamesplumbingcompanypasadenatx.com, 1
+jamespreade.xyz, 1
+jamesredmond.tk, 1
+jamesrobertson.net, 1
+jamesrobertson.sh, 1
+jamesross.name, 1
+jamesrtyrrell.com, 1
+jamessliu.com, 1
+jamessmith.me.uk, 1
+jamestgh.com, 1
+jamestilburg.nl, 1
+jamestmart.in, 1
+jamestown.de, 0
+jamestowncando-nc.gov, 1
+jamesturnerstickley.com, 1
+jameswarp.com, 1
+jameswhite.tech, 1
+jamesxu.com, 1
+jameszero.net, 1
+jamfm.tk, 1
+jamhost.org, 1
+jamie-read-photography.com, 1
+jamie.cymru, 1
+jamie.wales, 1
+jamieb.org, 1
+jamiehansonyoga.com, 1
+jamiehenrybrown.co.uk, 1
+jamiejones.cymru, 1
+jamiejones.wales, 1
+jamielinux.com, 1
+jamiemagee.co.uk, 1
+jamiemagee.dk, 1
+jamiematthews.ml, 1
+jamiepleasants.com, 1
+jamiesnape.io, 1
+jamieweb.net, 1
+jamiiforums.com, 1
+jaminidesign.com, 1
+jamiviz.com, 1
+jamjestsimon.pl, 1
+jamloop.com, 1
+jammucake.com, 1
+jammy4312.me, 1
+jammysplodgers.co.uk, 1
+jamonesrute.com, 1
+jamonsilva.com, 1
+jamstack.icu, 1
+jamstallt.se, 1
+jamstatic.fr, 0
+jamukmod.com, 1
+jamusa.tk, 1
+jamyeprice.com, 0
+jan-and-maaret.de, 1
+jan-becker.com, 1
+jan-bretschneider.de, 1
+jan-bucher.ch, 1
+jan-daniels.de, 1
+jan-graca.tk, 1
+jan-hill.com, 1
+jan-melcher.de, 1
+jan-reiss.de, 1
+jan-rieger.de, 1
+jan-roenspies.de, 1
+jan-von.de, 1
+jan.gl, 1
+jana-rambusch.net, 1
+janada.cz, 1
+janaundgeorgsagenja.eu, 1
+janavish.tk, 1
+janbanach.com.pl, 1
+janbennink.com, 1
+janbilek.cz, 1
+janbretschneider.de, 1
+janbruckner.de, 1
+jancosales.com, 1
+jandenhertog.nl, 1
+jandenul.com, 1
+jandesign.at, 1
+jandev.de, 1
+jandj.yachts, 0
+jandonkers.com, 1
+jandroegehoff.de, 1
+janduchene.ch, 1
+janelauhomes.com, 1
+janelle-jamer.tk, 1
+janellequintana.tk, 1
+janenwouter.tk, 1
+janes.com, 0
+janesaddiction.org, 1
+janetandjohns.tk, 1
+janetedkins.com, 1
+janeweeber.com, 1
+janey.cf, 1
+janeymac.com, 1
+janfennell.tk, 1
+jangl.com, 1
+janheidler.dynv6.net, 1
+janhermann.cz, 1
+janhuelsmann.com, 1
+jani.media, 1
+janik.cz, 1
+janikrabe.com, 1
+janilowski.pl, 1
+janime.top, 1
+janine-und-johannes.de, 1
+janjoris.nl, 1
+jankamp.com, 1
+janker.me, 1
+janklokman.tk, 1
+janmischo.it, 1
+jann.is, 1
+jannehonkonen.tk, 1
+jannes-althoff.de, 1
+jannesmeyer.com, 0
+jannetaflorist.com, 1
+jannhaber.de, 1
+jannis-goeing.de, 1
+jannisfink.de, 1
+janokacer.sk, 1
+janome.club, 1
+janome.com.ua, 1
+janonis.com, 1
+janoshida.hu, 1
+janostheil.de, 1
+janphilip-bernius.de, 1
+janroossien.nl, 1
+jans.cloud, 1
+janschaumann.de, 1
+jansendermatografie.nl, 1
+janservfl.com, 1
+janslab.pl, 1
+janssen.fm, 1
+janterpstra.eu, 1
+jantinaboelens.nl, 1
+january.com, 1
+janujani.com, 1
+janulkowedomki.pl, 1
+janus-it.pl, 1
+janv.it, 1
+janvanmechelen.tk, 1
+janvari.com, 1
+janvaribalint.com, 1
+janvidresearch.com, 1
+janw.me, 1
+janw.xyz, 1
+janwern.com, 1
+janwillhaus.de, 1
+jao-collection.com, 1
+jaot.info, 1
+jaotusvork.ee, 1
+japan-forum.nl, 1
+japan-tent.com, 1
+japan-xxxtube.com, 1
+japan.sh, 1
+japanasonic.ru, 1
+japanchiropractic.com.br, 1
+japanduhoc.com, 1
+japanese-cuisine.com, 1
+japanese-dominatrix.com, 1
+japanese-imperialism971.tk, 1
+japanese-tantra-escort.com, 1
+japaneseacupuncture.london, 1
+japaneseemoticons.org, 0
+japanesekeyboard.net, 1
+japanesemusic.tk, 1
+japanesephotosite.tk, 1
+japanesque.ru, 1
+japaniac.de, 1
+japanknives.tk, 1
+japannext.co.jp, 1
+japanphilosophy.com, 0
+japanporns.pro, 1
+japanroll.cf, 1
+japansepuzzel.tk, 1
+japantravel.tk, 1
+japanwatches.xyz, 1
+japanwowsex.com, 1
+jape.today, 1
+japico.or.jp, 1
+japlin.io, 1
+japlin.tk, 1
+japonskonamiru.cz, 1
+japonyol.net, 1
+japornpics-video.com, 1
+japornpics.com, 1
+jappleng.com, 1
+jaquelin.tk, 1
+jaquishbiomedical.com, 1
+jar.cool, 1
+jaraizaboli.tk, 1
+jaramilloconstrucciones.pe, 1
+jardelatacadao.com.br, 1
+jardigital.com.au, 1
+jardinderline.ch, 1
+jardineras.online, 1
+jardinesimperiales.com, 1
+jaredfernandez.com, 1
+jaredkunz.com, 1
+jaredonline.tk, 1
+jaredratcliff.com, 1
+jaredstevenson.com, 1
+jaresourcehub.org, 1
+jarett-lee.com, 1
+jarigvandaag.nl, 1
+jaris.fi, 1
+jarkkorahkonen.fi, 1
+jarl.ninja, 1
+jarlette.com, 1
+jarlstrom.com, 1
+jarmandental.com, 1
+jarmatys.pl, 1
+jarmix.fi, 1
+jarniashop.se, 1
+jarno.rocks, 1
+jarnobogaert.xyz, 1
+jarnskog.tk, 1
+jarodg.fr, 1
+jarods.org, 0
+jarofthread.com, 1
+jarondl.net, 1
+jaroslavc.eu, 1
+jarovske-udoli.cz, 1
+jarovskeudoli.cz, 1
+jarquedelaval.tk, 1
+jarrettgraham.com, 1
+jarritos.com.sg, 1
+jarritos.es, 1
+jarritosaustralia.com.au, 1
+jarritoseurope.eu, 1
+jarritosfrance.com, 1
+jarroba.com, 1
+jarrods.tech, 1
+jarry.io, 1
+jarsater.com, 0
+jarski.eu, 1
+jarvisairfoil.com, 1
+jas-ac.com, 1
+jas-team.net, 1
+jasasewaspg.com, 1
+jasch.tk, 1
+jaschaa.de, 1
+jasco.gov, 1
+jaseng.ga, 1
+jasewhite.com, 1
+jashinchan.cn, 1
+jasik.xyz, 1
+jasl.works, 1
+jasm1nii.xyz, 1
+jasminedirectory.com, 1
+jasminefields.net, 1
+jasminka.cz, 1
+jasminlive.cam, 1
+jasminsangels.com, 1
+jasminslife.com, 1
+jasminum.uk, 1
+jasmyn.tk, 1
+jasomill.at, 1
+jason-isaacs.tk, 1
+jason.red, 1
+jasonamorrow.com, 0
+jasonchampagne.fr, 1
+jasoncoopermd.com, 1
+jasoncosper.com, 1
+jasoncs.eu.org, 1
+jasongreenwell.com, 1
+jasonhardin.me, 1
+jasonisclever.com, 1
+jasonmili.online, 1
+jasonreadinglandscapes.com.au, 1
+jasonricketts.me, 1
+jasonsansone.com, 1
+jasonsplecoscichlids.com, 1
+jasonthai.me, 0
+jasonvillein.gov, 1
+jasonwei.nctu.me, 1
+jasonwongwr.com, 1
+jasper.link, 1
+jasper.pt, 1
+jasperhammink.com, 0
+jasperhugo.com, 1
+jasperhuttenmedia.com, 1
+jaspernbrouwer.nl, 1
+jasperpatterson.com, 1
+jasperpatterson.me, 1
+jasperpatterson.net, 1
+jaspersreef.com, 1
+jaspertn.gov, 1
+jasperyang.cn, 1
+jaspven.net, 1
+jaspyrbooks.com, 1
+jassecharlie.com, 1
+jastrow.me, 1
+jaszbereny-vechta.eu, 1
+jatekjatek.hu, 1
+jatekvasarlas.hu, 1
+jateng.press, 1
+jatiwahidfurniture.com, 0
+jatransportadora.com, 1
+jaumepons.net, 1
+jav.st, 1
+java-fan.tk, 1
+java-for-minecraft.com, 1
+java-tracking.gq, 1
+javaanalysisers.ga, 1
+javaanalysisest.ga, 1
+javabahia.tk, 1
+javabc.com, 1
+javabot.ml, 1
+javacakegames.com, 1
+javachinna.com, 1
+javaexpert.tk, 1
+javafactory.io, 1
+javafiles.tk, 1
+javafluers.ga, 1
+javafluest.ga, 1
+javan.de, 1
+javanguiano.mx, 0
+javapost.tk, 1
+javasaranamitrasejati.com, 1
+javascriptlab.fr, 1
+javaweb.site, 1
+javaxxz.com, 1
+javedali.tk, 1
+javedhasrat.com, 1
+javfree.me, 1
+javi-soleil.tk, 1
+javierbalvin.com, 1
+javierbarrio.com, 1
+javierfalcon.tk, 1
+javierflorescastillero.es, 1
+javiergddw.com, 1
+javierguandalini.com, 1
+javierjurado.tk, 1
+javiermascherano.tk, 1
+javiersanchez.tk, 1
+javiscoffee.com, 1
+javitron.tk, 1
+javleech.com, 1
+javorina.tk, 1
+javsod.top, 1
+jawharati.tk, 1
+jawo2008.pl, 1
+jaxfstk.com, 1
+jaxxnet.co.uk, 1
+jaxxnet.org, 1
+jay4.is, 1
+jay6.tech, 1
+jayanthreddy.ml, 1
+jayantkageri.in, 1
+jaybeez.tk, 1
+jaybrokers.com, 1
+jayf.de, 1
+jayfreestone.com, 1
+jayharkess.uk, 1
+jayharris.ca, 1
+jayhost.cf, 1
+jayhost.tk, 1
+jayjardine.cf, 1
+jayjardine.ga, 1
+jayjardine.gq, 1
+jayjardine.ml, 1
+jaykuhns.com, 1
+jaylewis.us, 1
+jaylineko.com, 1
+jaymecd.rocks, 1
+jaypandit.me, 1
+jaypark.gq, 1
+jaypeeaman.in, 1
+jaypeeonline.tk, 1
+jayrl.com, 1
+jaysanart.com, 0
+jaysaw.me, 1
+jayschulman.com, 1
+jayspage.tk, 1
+jaytauron.xyz, 1
+jaytx.com, 1
+jayveel.nl, 1
+jayxon.com, 1
+jayxu.com, 1
+jazerxx.com, 1
+jazminguaramato.com, 1
+jazz-alliance.com, 1
+jazz-alliance.org, 1
+jazzab-online.tk, 1
+jazzanet.com, 1
+jazzapart.tk, 1
+jazzband.tk, 1
+jazzfeet.co.uk, 1
+jazzindeck.com, 1
+jazzman.tk, 1
+jazzy-feet.com, 1
+jazzy.id.au, 1
+jazzy.pro, 1
+jazzysumi.com, 1
+jazzyvsart.com, 1
+jb-pixel.tk, 1
+jb0.de, 1
+jb138.cc, 1
+jballelectronics.com, 1
+jbayetsecretariat.be, 1
+jbbd.fr, 1
+jbbdev.com, 1
+jbc88.cc, 1
+jbcharleston.com, 1
+jbcharlestonfss.tv, 1
+jbctransport.ca, 1
+jbdesignfoundations.com, 1
+jbdillon.com, 1
+jberlife.marketing, 1
+jbeta.is, 1
+jbidigital.co.uk, 1
+jblackweb.com, 1
+jblan.ca, 1
+jbloomphotography.com, 1
+jbmechanics.com, 1
+jbnetwork.org, 1
+jboats.com, 1
+jboho.com, 1
+jbond.tk, 1
+jbootsma.com, 1
+jbradaric.me, 1
+jbridal.com.au, 1
+jbs-jardins.ch, 0
+jbs.com.br, 1
+jbsinternational.com, 1
+jbsoftware.ca, 1
+jbspeakr.cc, 1
+jbt-stl.com, 1
+jc6.xyz, 1
+jc666.xyz, 1
+jcadg.com, 1
+jcaicedo.com, 1
+jcaicedo.tk, 1
+jcb.com, 1
+jcbaterias.com.br, 1
+jcbgolfandcountryclub.com, 1
+jcblagri.in, 1
+jccars-occasions.be, 1
+jcchen.art, 1
+jcchouinard.com, 1
+jcdenast.tk, 1
+jcelectronics.com.au, 1
+jcf-office.com, 1
+jchn.be, 1
+jci.bio, 1
+jci.care, 1
+jci.cc, 1
+jci.charity, 1
+jci.chat, 1
+jci.coach, 1
+jci.community, 1
+jci.contact, 1
+jci.direct, 1
+jci.domains, 1
+jci.education, 1
+jci.exchange, 1
+jci.fail, 1
+jci.fyi, 1
+jci.gallery, 1
+jci.gives, 1
+jci.graphics, 1
+jci.group, 1
+jci.guide, 1
+jci.how, 1
+jci.institute, 1
+jci.life, 1
+jci.live, 1
+jci.marketing, 1
+jci.me.uk, 1
+jci.media, 1
+jci.mobi, 1
+jci.name, 1
+jci.ooo, 1
+jci.org.uk, 1
+jci.photography, 1
+jci.pictures, 1
+jci.place, 1
+jci.productions, 1
+jci.promo, 1
+jci.pub, 1
+jci.studio, 1
+jci.systems, 1
+jci.tips, 1
+jci.university, 1
+jci.watch, 1
+jci.wiki, 1
+jci.works, 1
+jci.zone, 1
+jcinet.cc, 1
+jcinet.net, 1
+jcit.xyz, 1
+jclayton.com, 1
+jcleon.tk, 1
+jclp.cf, 1
+jclynne.com, 1
+jcm.cz, 1
+jcmo.gov, 1
+jcmunz.com, 1
+jcode.gov, 1
+jcontspoord.nl, 1
+jcor.me, 0
+jcoscia.com, 1
+jcphotography.dk, 1
+jcra.net, 1
+jcrhcdwy.gov, 1
+jcrobin56.fr, 1
+jcrooke.net, 1
+jcsava.gov, 1
+jcsolutions.tk, 1
+jcus.co, 1
+jcvignoli.com, 1
+jcwebtechnologies.com, 1
+jcwodan.nl, 1
+jd-group.co.uk, 0
+jd-trust.com, 1
+jd1.de, 1
+jd777.vip, 1
+jdc.io, 1
+jdcdirectsales.com, 1
+jdcdirectsales.com.ph, 1
+jdd888.cc, 1
+jdecommastermind.com, 1
+jdefreitas.com, 1
+jdelgado.fr, 1
+jdhigh.com, 1
+jdhouse.com.br, 1
+jdjamescorp.com, 1
+jdjohnsonmedia.com, 1
+jdjohnsonwaterproofing.com, 1
+jdlt.co.uk, 1
+jdm.elk.pl, 1
+jdm.pl, 1
+jdmgarage.com.au, 1
+jdoi.pw, 1
+jdpleisure.co.uk, 1
+jdscastlehire.co.uk, 1
+jdsecurity.com.au, 1
+jdsoft.eu, 1
+jdtangney.com, 1
+jdtic.com, 1
+jdtrust.net, 1
+jdtrust.one, 1
+jduarte.xyz, 1
+je-vends.fr, 0
+je-voyage.net, 1
+je.net.cn, 1
+je2050.de, 1
+jealousy.tk, 1
+jean-luc.org, 1
+jean-remy.ch, 1
+jeancafe.ddns.net, 1
+jeancampa.com, 1
+jeancardeno.com, 1
+jeancarlos.tk, 1
+jeanclaudegolvin.com, 1
+jeandanielfaessler.ch, 1
+jeanettevanrookhuizen.nl, 1
+jeangalea.com, 1
+jeangarcia.tk, 1
+jeaninformatico.tk, 1
+jeankygourmet.com, 1
+jeanmarieayer.ch, 1
+jeanmichelaudet.com, 1
+jeanmusic.tk, 1
+jeannecalment.com, 1
+jeannedekkers.tk, 1
+jeannekunst.tk, 1
+jeannelucienne.fr, 1
+jeannette-py.fr, 1
+jeanniegraefe.tk, 1
+jeannotbel.tk, 1
+jeannotjeux.fr, 1
+jeanphilippe.io, 1
+jeans-butik.tk, 1
+jeans-moda.tk, 1
+jeans-shopping.tk, 1
+jeans-stores.tk, 1
+jeansbutik.tk, 1
+jeansdemodacol.com, 1
+jeanslee.tk, 1
+jeansmoda.tk, 1
+jeansstyle.tk, 1
+jeanstastytreats.co.za, 1
+jeayalar.com, 1
+jec-dekrone.be, 1
+jecho.cn, 1
+jecjacshop.com, 1
+jecnetwork.gq, 1
+jed.site, 1
+jeda.ch, 1
+jeda.im, 1
+jedatw.com, 1
+jedayoshi.me, 1
+jedayoshi.tk, 1
+jedcg.com, 1
+jeddahlyn.nl, 1
+jedepannetonordi.ch, 0
+jedepannetonordi.com, 0
+jedepannetonordi.fr, 0
+jedi-master.tk, 1
+jedi-online.tk, 1
+jedicouncil.tk, 1
+jedilukmas.tk, 1
+jedora.com, 0
+jeek.jp, 0
+jeemain.org, 1
+jeep-diagnost.ml, 1
+jeep4ik.com, 1
+jeepeg.com, 1
+jeepspares.com.au, 1
+jeeptourpocos.com.br, 1
+jeeran.com, 1
+jeeranservices.com, 1
+jeetwin.com, 1
+jeevanmag.tk, 1
+jeevanpaul.in, 0
+jef.yt, 1
+jefaisducafe.mywire.org, 1
+jefcorlabs.com, 1
+jeff-dom.ovh, 1
+jeff.win, 1
+jeffcasavant.com, 0
+jeffcloninger.net, 1
+jeffcom911co.gov, 1
+jeffdaviscountyga.gov, 1
+jeffersoncountyks.gov, 1
+jeffersoncountyne.gov, 1
+jeffersoncountyny.gov, 1
+jeffersoncountyor.gov, 1
+jeffersoncountypa.gov, 1
+jeffersonknoxohio.gov, 1
+jeffersonkyattorney.gov, 1
+jeffersonohio.gov, 1
+jeffersonregan.co.uk, 1
+jeffersonregan.com, 1
+jeffersonregan.net, 1
+jeffersonregan.org, 1
+jeffersonsbourbon.com, 1
+jeffersonvillepdin.gov, 1
+jeffhoy.us, 1
+jeffhoyphotography.com, 1
+jeffhuxley.com, 1
+jeffok.com, 1
+jeffpenchoff.com, 1
+jeffreyhaferman.com, 1
+jeffri.me, 1
+jeffsanders.com, 1
+jeflix.stream, 1
+jefrydco.id, 1
+jefsweden.eu, 1
+jegkorongszovetseg.hu, 1
+jegos.tk, 1
+jehende.fr, 1
+jehjf.com, 1
+jehovahsays.net, 1
+jej.cz, 1
+jej.sk, 1
+jekadvantage.com, 1
+jekhar.com, 1
+jel-tech.com, 0
+jelena-adeli.com, 1
+jelena-karleusa.tk, 1
+jelenkovic.rs, 1
+jell.ie, 1
+jellebo.dk, 1
+jellekaufmann.nl, 1
+jelleluteijn.com, 1
+jelleluteijn.eu, 1
+jelleluteijn.net, 1
+jelleluteijn.nl, 1
+jelleluteijn.pro, 1
+jelleraaijmakers.nl, 1
+jellybeanpress.com, 1
+jellyfin.spdns.eu, 1
+jellyfish.co, 1
+jellyfishlivewire.co.uk, 1
+jellynails.tk, 1
+jellypepper.com, 1
+jellysquid.me, 1
+jelmer.co.uk, 1
+jelmer.uk, 1
+jelmoli-shop.ch, 1
+jelmyto.com, 0
+jelo.tk, 1
+jelobox.tk, 1
+jelocalise.fr, 1
+jem.gov, 1
+jem.style, 1
+jembatankarir.com, 1
+jemezdravo.eu, 1
+jemezsprings-nm.gov, 1
+jemnezymy.com, 1
+jemoreng.tk, 1
+jemputan-karyawan.site, 1
+jems-il.gov, 1
+jemshoes.com, 1
+jemyzdrowo.pl, 1
+jena-fans-aurich.tk, 1
+jena.de, 1
+jena.space, 0
+jencshiny-org.tk, 1
+jendela360.com, 1
+jendialmeditation.com, 1
+jendies.com, 1
+jenelle.ml, 1
+jeneratorkiralama.name.tr, 1
+jenever.amsterdam, 1
+jeney.eu, 1
+jenin.ml, 1
+jenkinscountyga.gov, 1
+jenkinsry.fi, 1
+jenn-pro-graphics.com, 1
+jennahunt.net, 1
+jenne.com, 1
+jennethaarfotografie.nl, 1
+jennette.tk, 1
+jennierobinson.com, 1
+jenniferbuslerinteriors.com, 1
+jenniferchan.id.au, 1
+jenniferehle.tk, 1
+jenniferengerwingaantrouwen.nl, 1
+jenniferfontaine.fr, 1
+jenniferhudsonshow.com, 1
+jenniferjoos.de, 1
+jenniferlucia.com, 1
+jennifermason.eu, 1
+jennifermorrisonart.com, 1
+jennifersauer.nl, 1
+jenniferschmidt.com.au, 1
+jennifertilly.tk, 1
+jenniwiltz.com, 1
+jennyjones.tk, 1
+jennymovies.com, 1
+jennysarl.ch, 0
+jennysbakery.com.au, 1
+jennysource.tk, 1
+jennystella.net, 1
+jennythebaker.com, 1
+jeno.cf, 1
+jenolson.net, 1
+jens-prangenberg.de, 1
+jens.hk, 1
+jensales.com, 1
+jensdesmeyter.be, 1
+jenskliewer.de, 1
+jensrex.dk, 1
+jents.ro, 1
+jenyak.com, 1
+jeoffrey-sanchez.ovh, 1
+jeon.cf, 0
+jepa.si, 1
+jepcraft.ddns.net, 1
+jeproteste.info, 1
+jeps.fi, 1
+jeremiahbenes.com, 1
+jeremiahlee.com, 1
+jeremiebt.com, 1
+jeremy-chen.org, 1
+jeremy-gautier.com, 1
+jeremy.hu, 1
+jeremyatwoodlaw.com, 1
+jeremybentham.com, 1
+jeremybloomfield.co.uk, 1
+jeremyc.ca, 0
+jeremycantu.com, 1
+jeremycrews.com, 1
+jeremyfaton.me, 1
+jeremyharnois.com, 1
+jeremyhodges.uk, 1
+jeremynally.com, 1
+jeremyness.com, 1
+jeremyrobinlyons.com, 1
+jeremysermersheim.com, 1
+jeremywinn.com, 1
+jeremywinn.xyz, 1
+jerichoproject.org, 1
+jerisandoval.tk, 1
+jermann.biz, 1
+jeroendeneef.com, 1
+jeroened.be, 1
+jeroenensanne.wedding, 1
+jeroenstekelenburg.nl, 1
+jerome-r.tk, 1
+jerome.to, 1
+jeromecountyid.gov, 1
+jeromequezel.fr, 1
+jerometejano.tk, 1
+jerret.de, 1
+jerridoswell.tk, 1
+jerryabrams.com, 0
+jerrybustillo.tk, 1
+jerrychacon.com, 1
+jerrysretailstores.com, 1
+jerryweb.org, 1
+jerryyu.ca, 1
+jersec.com, 1
+jerseybikehire.co.uk, 1
+jerseycounty-il.gov, 1
+jerseycountyclerk-il.gov, 1
+jerseyink.net, 1
+jerseyjumpingbeans.co.uk, 1
+jerseylvi2013.org, 1
+jerseywater.je, 1
+jerusalem.estate, 1
+jerusalempersonals.ml, 1
+jerusalempersonalsers.ga, 1
+jerusalempersonalsest.ga, 1
+jerusalemplus.tv, 1
+jesec.cn, 1
+jesec.io, 1
+jesen.org, 1
+jesiensredniowiecza.pl, 1
+jesmatboutique.com, 1
+jesmh.de, 1
+jesolo.tk, 1
+jesperandersson.tk, 1
+jespersen.tk, 1
+jessacharlie.com, 1
+jesscharlie.com, 1
+jesseblum.com, 1
+jessebollinger.com, 1
+jessecharley.com, 1
+jessecharli.com, 1
+jessecharlie.com, 1
+jessecharlie.info, 1
+jessecharlie.net, 1
+jessecharlie.org, 1
+jessecharlienaser.com, 1
+jessekaufman.com, 1
+jesseklaver.nl, 1
+jessem.fr, 1
+jessenaser.com, 1
+jessenaser.net, 1
+jessenaser.org, 1
+jesseonline.tk, 1
+jessesjumpingcastles.co.uk, 1
+jessetorrenga.nl, 1
+jessetrebil.com, 1
+jessetrebilfoundationsystems.com, 1
+jessevictors.com, 1
+jessica-weller.de, 1
+jessicabarends.nl, 1
+jessicabenedictus.nl, 0
+jessicaevrard.com, 1
+jessicahrehor.com, 1
+jessicasmith3d.com, 1
+jessicharlie.com, 1
+jessieabraham.tk, 1
+jessiecharlie.com, 1
+jessihod.com, 1
+jessika-atelier.nl, 1
+jesslynfietje.com, 1
+jesspryles.com, 1
+jessycharlie.com, 1
+jesters-court.net, 1
+jestre.org, 1
+jestyc.com, 1
+jesucristo.ga, 1
+jesuisadmin.fr, 1
+jesuisunpapageek.fr, 1
+jesuiszen.fr, 1
+jesus-rock.tk, 1
+jesuscapitan.tk, 1
+jesuscnasistente.com, 1
+jesusda.tk, 1
+jesusdenazaret.com, 1
+jesusnazarenobaena.tk, 1
+jesusplusnothing.com, 1
+jesusthegoodshepherd.org, 1
+jesusvasquez.tk, 1
+jet-lend.ru, 1
+jet.su, 1
+jetable.org, 1
+jetapi.org, 1
+jetbbs.com, 1
+jetcard.co.uk, 1
+jetchartercanada.com, 1
+jetchartereurope.com, 1
+jetcost.com, 1
+jetcraft.tk, 1
+jetdrywallinteriors.com, 1
+jetfirenetworks.com, 1
+jetflex.de, 1
+jethash.io, 1
+jetkittens.co.uk, 1
+jetmirshatri.com, 0
+jetmusic.tk, 1
+jetpack.com.ar, 1
+jetsadabetchoke77.com, 0
+jetsetretiree.com, 1
+jetshare.co.nz, 1
+jetsieswerda.nl, 1
+jetskerijneveld.nl, 1
+jetsome.co, 0
+jetson.tk, 1
+jetstudio.ch, 0
+jettenbommelaer.nl, 1
+jettenjachtbouw.eu, 1
+jettlarue.com, 1
+jettshome.org, 1
+jetular.com, 1
+jetular.net, 1
+jetwhiz.com, 1
+jetzt-elektromobil.de, 1
+jeugdbrandweerbladel.tk, 1
+jeugdclubjia.tk, 1
+jeugdharmonie-geluwe.tk, 1
+jeugdkans.nl, 1
+jeugdraad.gent, 1
+jeurissen.co, 1
+jeuxerotiques.net, 1
+jevalide.ca, 1
+jevel-mag.tk, 1
+jeveuxchoisir.fr, 1
+jevisite.ca, 1
+jewadianmitra.co.id, 1
+jewadvert.ml, 1
+jewaedv.de, 1
+jeweet.net, 0
+jewelcaddesigns.com, 1
+jewellerynet.com, 1
+jewelleryoutlook.com, 1
+jewelry-directories.tk, 1
+jewelrycoverers.ga, 1
+jewishboston.com, 1
+jewishboyscouts.com, 1
+jewishfed.org, 1
+jewishjourneys.org, 1
+jewishmusic.tk, 1
+jewishphilanthropies.org, 1
+jewishphoenix.com, 1
+jewishquotations.com, 1
+jexler.net, 1
+jey-line.de, 1
+jez.nl, 1
+jezebelsromance.com, 1
+jezero.tk, 1
+jezura.cz, 1
+jezzicat.org, 1
+jf-beco.pt, 1
+jf-fotos.de, 1
+jf-igrejanovadosobral.pt, 1
+jf-madalena.tk, 1
+jf886.cc, 1
+jfbst.net, 1
+jfcare.dk, 1
+jfgselbitztal.tk, 1
+jfhr.de, 1
+jfhr.me, 1
+jfjtransport.com, 1
+jfklibrary.gov, 1
+jflmsan.pt, 1
+jfmdevelopment.ml, 1
+jforums.org, 1
+jfr.im, 1
+jfreitag.de, 1
+jfroyalelogistics.com.ng, 1
+jftn.nl, 1
+jftw.org, 1
+jfuturist.com, 1
+jfvaccountants.nl, 1
+jfy.is, 1
+jfy.jp, 1
+jg-cdn.com, 1
+jg-skid.me, 1
+jg-tc.com, 1
+jg078.com, 1
+jgambard.me, 1
+jgc.li, 1
+jgeverest.com, 1
+jgid.de, 1
+jgke.fi, 1
+jgmenterprises.ca, 1
+jgoldbergmd.com, 1
+jgoldgroup.com, 1
+jgomezweb.es, 1
+jgpeterson.com, 1
+jgregory.co.uk, 1
+jgregory.uk, 1
+jgsbrickwork.co.uk, 1
+jgwb.de, 1
+jgwb.eu, 1
+jh-group.net, 1
+jh4.eu, 1
+jhandke.de, 1
+jharnois.com, 1
+jharnois.net, 1
+jhatpatjobs.com, 1
+jhaudio.com, 1
+jhaveri.net, 1
+jhbgroup.nl, 1
+jhburton.co.uk, 1
+jhcommunitysports.co.uk, 1
+jhe.li, 1
+jhenwei.com.tw, 1
+jhfunerals.com.au, 1
+jhill.de, 1
+jhj.jp, 1
+jhmrcm.com, 1
+jhonesmarcos.tk, 1
+jhonmurillo.ml, 1
+jhonnyjose.com.ar, 1
+jhost.gq, 1
+jhuang.me, 1
+jhw3d.com, 1
+jiacl.com, 1
+jiahao.codes, 1
+jiai.cf, 1
+jiai.gq, 1
+jiai.ml, 1
+jiai.tk, 1
+jialiangkang.com, 1
+jiami.dog, 0
+jianbin.wang, 1
+jiangmei.ml, 1
+jiangmen.tk, 1
+jiangshiart.com, 1
+jiangwu.eu, 1
+jianhuo.cf, 1
+jianhuo.ml, 1
+jianny.me, 1
+jianren.cf, 1
+jianren.ml, 1
+jianshebingtuan.com, 1
+jianwei.wang, 1
+jianyu.io, 1
+jianyuan.art, 1
+jianyuan.pro, 1
+jianzhan.com, 1
+jiaoliuben.com, 1
+jiaoyu8.cn, 1
+jiaqiang.vip, 1
+jiatingtrading.com, 1
+jiaty.com, 1
+jiaxitian.com, 1
+jiayi.eu.org, 1
+jiayi.life, 1
+jiazhao.ga, 0
+jibe.com, 1
+jibeapply.com, 1
+jibecdn.com, 1
+jibungoto.jp, 1
+jicaivvip.com, 1
+jichi.io, 1
+jichi.nz, 1
+jiehun.com.cn, 1
+jieshangwei.com, 1
+jieyang2016.com, 1
+jif.gc.ca, 1
+jigidi.com, 1
+jigsawinsurance.com, 1
+jigsawplanet.com, 1
+jiguang.com, 1
+jigyoushoukei.co.jp, 1
+jiheng.tk, 1
+jiid.ga, 1
+jiji.co.ci, 1
+jiji.co.ke, 1
+jiji.co.ma, 1
+jiji.co.rw, 1
+jiji.co.tz, 1
+jiji.com.bd, 1
+jiji.com.et, 1
+jiji.com.gh, 1
+jiji.ke, 1
+jiji.lk, 1
+jiji.ng, 1
+jiji.sn, 1
+jiji.ug, 1
+jijistatic.com, 1
+jikegu.com, 1
+jikei-reha.com, 1
+jikken.de, 0
+jilaninteraktif.tk, 1
+jilking.ga, 1
+jillamy.com, 1
+jillvirus.tk, 1
+jilworldwide.org, 1
+jimautoservice.pl, 1
+jimbeam-welcomesessions.at, 1
+jimbiproducts.com, 1
+jimbosprint.com, 1
+jimbrown.org, 1
+jimbutlerkiaparts.com, 1
+jimcoggeshall.com, 1
+jimconacher.pro, 1
+jimdorf.com, 1
+jime-hlavou.cz, 1
+jimeaton.com, 1
+jimezdrave.cz, 1
+jimfranke.com, 1
+jimfranke.nl, 1
+jimgarrigan.info, 1
+jimgarrigan.nyc, 1
+jiminny.com, 0
+jimisfanvan.nl, 1
+jimizhou.xyz, 1
+jimjh.com, 1
+jimkanabar.fr, 1
+jimkimmel.com, 1
+jimmiestore.com, 1
+jimmycai.com, 1
+jimmycarterlibrary.gov, 1
+jimmycn.com, 1
+jimmydomingo.tk, 1
+jimmykey.com, 0
+jimmynelson.com, 1
+jimmyrickenbacker.com, 1
+jimobbs.tk, 1
+jimpl.com, 1
+jimsheatandcool.com, 1
+jimslop.nl, 1
+jimucho.online, 1
+jimvophotography.tk, 1
+jimwhitesell.com, 1
+jimwoodrealty.com, 1
+jimwoodrealty.help, 1
+jin-design.si, 1
+jinancy.fr, 1
+jinanshen.com, 1
+jinbbq.com, 1
+jinbijin.nl, 1
+jinbo123.com, 0
+jinbowiki.org, 1
+jinbuguo.com, 1
+jinduoduo369.com, 1
+jinduoduo666.com, 1
+jinduoduo888.com, 1
+jinfbmanagement.com, 1
+jing-in.net, 1
+jingbo.fan, 1
+jinglebugs.co.nz, 1
+jingmi.com.tw, 1
+jinhaagency.com, 1
+jinhaagency1.com, 1
+jinja.ai, 1
+jinjafx.io, 1
+jinkou.cf, 1
+jinkou.ga, 1
+jinkou.gq, 1
+jinkou.ml, 1
+jinliming.ml, 1
+jinng.org, 1
+jino.gq, 1
+jinshabu.net, 1
+jintaiyang123.org, 1
+jiogo.com, 1
+jip2011.jp, 1
+jipsnel.nl, 1
+jira.com, 1
+jirehlov.cn, 1
+jirehlov.com, 1
+jiretvariedades.com, 1
+jiri-vincour.cz, 1
+jiriholy.cz, 1
+jirkanch-ayollar.ga, 1
+jirkanch-ayollar.ml, 1
+jisai.net.cn, 1
+jisaudavel.com.br, 1
+jischool.org, 1
+jiserack.com, 1
+jisnashville.gov, 1
+jitendrapatro.me, 1
+jitprod.com, 1
+jitsipatapoe.ddns.net, 0
+jittruckparts.com, 1
+jiudao.com, 1
+jiveinvestments.com, 1
+jix.im, 1
+jixing.one, 1
+jixun.eu, 1
+jixun.moe, 1
+jixun.uk, 1
+jiyou.pw, 0
+jiyuu-ni.com, 1
+jiyuu-ni.net, 1
+jizzoh.com, 1
+jizzoh.net, 1
+jizzoh.org, 1
+jj5197.co, 1
+jj6729.co, 1
+jj6729.com, 0
+jj6957.co, 1
+jj9297.co, 1
+jj9728.co, 1
+jjfxz.com, 1
+jjjj.loan, 1
+jjlandscapedesign.com, 1
+jjlvk.nl, 1
+jjonaws.com, 1
+jjphotographyia.com, 1
+jjsguitarpickups.com, 1
+jjsmaccountants.com, 1
+jjspartyhire.co.uk, 1
+jjsummerboatparty.co.uk, 1
+jjzmaj.tk, 1
+jk-forensics.de, 1
+jk-regeltechnik.de, 1
+jk-rjevka.gq, 1
+jkarteaga.tk, 1
+jkbfabrics.com, 0
+jkessen.de, 1
+jkest.cc, 1
+jkfasham.com.au, 1
+jkg.tw, 1
+jkinteriorspa.com, 1
+jkloli.tk, 1
+jkmoving.com, 0
+jkng.eu, 1
+jkpg-kontoret.se, 1
+jkrippen.com, 1
+jkts.tk, 1
+jktu.cc, 1
+jkuu.org, 1
+jkv-media.cloud, 1
+jkws2.nl, 1
+jkyuan.tk, 1
+jl-dns.eu, 1
+jl-dns.nl, 1
+jl-exchange.nl, 1
+jl-k.com, 1
+jl-mail.nl, 1
+jl-picard.tk, 1
+jlbleakley.com, 1
+jld.paris, 1
+jldrenergysaver.com, 0
+jliu.xyz, 1
+jlkhosting.com, 1
+jlmintegrated.com.au, 1
+jlmirall.es, 1
+jlmunn.com, 1
+jloh.co, 1
+jloh.codes, 1
+jlot.org, 1
+jlpn.eu, 1
+jlpn.nl, 1
+jlponsetto.com, 1
+jlqwer.com, 1
+jlr-luxembourg.com, 1
+jls.idv.tw, 1
+jltcsecuritygroup.com, 1
+jltctech.com, 1
+jlulug.org, 1
+jlwagner.net, 1
+jm73umh.pw, 1
+jm9.co, 1
+jmanalansan.com, 1
+jmango360.com, 1
+jmap.support, 1
+jmarciniak.it, 1
+jmarineau.com, 1
+jmb-jetshades.com, 1
+jmb.lc, 1
+jmbproject.ga, 1
+jmcataffo.com, 1
+jmce.eu, 1
+jmcleaning.services, 1
+jmdekker.it, 1
+jmedesign.tk, 1
+jmedved.com, 1
+jmeno.eu, 1
+jmentertainment.co.uk, 1
+jmf-clan.tk, 1
+jmg3.dynu.net, 1
+jmha.live, 1
+jmisern.com, 1
+jmk.hu, 1
+jmlegrand.com, 1
+jmm.io, 1
+jmn.pl, 1
+jmob.loan, 1
+jmonagas-portfolio.ml, 1
+jmorahan.net, 1
+jmp.chat, 1
+jmpb.hu, 1
+jms8.net, 1
+jmservices.pro, 1
+jmsjms.cc, 1
+jmsjms.me, 1
+jmsjms.org, 1
+jmsjms.xyz, 1
+jmsmarcelo.tk, 1
+jmsolodesigns.com, 1
+jmsquall.tk, 1
+jmssg.jp, 1
+jmstfv.com, 1
+jmsystems.sk, 1
+jmtk.co, 1
+jmtrv.com.co, 1
+jmwsquared.com, 1
+jmy.fyi, 1
+jmzo.nl, 0
+jn1.me, 1
+jncie.eu, 1
+jnewhook.ca, 1
+jng.pt, 1
+jnjdj.com, 1
+jnjpolymer.com, 1
+jnktn.tv, 1
+jnm-art.com, 1
+jnmpainting.co, 1
+jnmusicgroup.com, 1
+jnr-industry.tk, 1
+jns.org, 1
+jnssnfotografie.nl, 1
+jnsz.hu, 1
+jnx.dk, 1
+jo-2016.tk, 1
+jo-jo-koi.tk, 1
+jo3-w3b-d3v.com, 1
+joa-ebert.com, 1
+joa.fr, 1
+joachimvanrossenberg.com, 1
+joanmoreira.tk, 1
+joannechtler.com, 1
+joannekemarchal.nl, 1
+joanofarcmtcarmel.org, 1
+joansoy.com, 1
+joaobautista.com, 0
+joaojunior.com, 1
+joaoorvalho.com, 1
+joaosampaio.com, 1
+joaosampaio.com.br, 1
+joaquimfialfotografia.com, 1
+job-acasa.tk, 1
+job-chocolat.jp, 1
+job-goo.com, 1
+job-jobs.pl, 1
+job-promotion.jp, 1
+job-uber.com, 1
+job.biz.tr, 1
+job2day.com.ua, 1
+jobadx.com, 1
+jobalicious.nl, 1
+jobanzeigen.de, 1
+jobassadeurs.fr, 1
+jobbkk.com, 1
+jobbnorge.no, 1
+jobbsafari.no, 0
+jobbsafari.se, 1
+jobcenter.tk, 1
+jobcie.com, 1
+jobcorps.gov, 1
+jobcorpsy2y.com, 0
+jobers.co.zw, 1
+jobflyapp.com, 0
+jobfresh.ga, 1
+jobfury.com, 1
+jobgenic.com, 1
+jobhouse.jp, 1
+jobie.tk, 1
+jobig.co.il, 1
+jobin.care, 1
+jobindex.dk, 1
+jobit.gr, 1
+joblife.co.za, 1
+joblover.ml, 1
+jobmarkt21.com, 1
+jobnas.com, 1
+joboutlook.gov.au, 1
+jobrus.ga, 1
+jobrus.ml, 1
+jobs-in-the-middle-east.tk, 1
+jobs-it.tk, 1
+jobs.gov.scot, 1
+jobs.schwarz, 1
+jobs.su, 1
+jobs.ua, 1
+jobs4sales.ch, 1
+jobsboard24.com, 1
+jobscan.co, 1
+jobsconnected.com, 1
+jobscore.com, 1
+jobscout24.ch, 1
+jobseeker.com, 1
+jobseekeritalia.it, 1
+jobsindemedia.nl, 1
+jobsineachstate.com, 1
+jobsisbrown.com, 1
+jobsjj.com, 1
+jobskilled.co.za, 1
+jobsknowlgee.tk, 1
+jobsmali.ml, 1
+jobsmarthasvineyard.com, 1
+jobsmnc.co.id, 1
+jobsnearme.london, 1
+jobsoid.com, 1
+jobsportalbookmarking.tk, 1
+jobsuchmaschine.ch, 1
+jobtools.tk, 1
+jobtread.com, 1
+jobulk.com, 1
+joburgplumbing.co.za, 1
+jobwinner.ch, 1
+jobynet.tk, 1
+jobzcorner.tk, 1
+jocafil.com, 1
+jocata.com, 1
+jocelynjenkins.com, 1
+jochem.cc, 1
+jochem.sh, 1
+jock2go.eu, 1
+jockbusuttil.co.uk, 1
+jockbusuttil.com, 1
+jockbusuttil.uk, 1
+jocomo.gov, 1
+jocuri-noi.tk, 1
+jocurionline.eu, 1
+jodaniels.photography, 1
+jodaviesscountyil.gov, 1
+jodlajodla.si, 1
+jodyboucher.com, 0
+joe-st.de, 1
+joe262.com, 1
+joearodriguez.com, 1
+joecod.es, 1
+joed.tk, 1
+joedavison.me, 1
+joedeblasio.com, 1
+joedight.net, 1
+joedoyle.us, 1
+joedroll.com, 1
+joefixit.co, 1
+joefixit.co.uk, 1
+joehenry.co.uk, 1
+joejacobs.me, 1
+joel-mayer.de, 1
+joel.coffee, 1
+joelandersen.me, 1
+joelbodmer.com, 1
+joelengel.com, 1
+joelfries.com, 1
+joelgugler.com, 1
+joelito.tk, 1
+joelj.org, 1
+joelkoen.com, 1
+joelle.me, 1
+joelleandpeter.co.uk, 1
+joelleisthatbitch.tk, 1
+joellev.nl, 1
+joellimberg.com, 1
+joellombardo.com, 0
+joelmunch.com, 1
+joelving.dk, 0
+joeon.systems, 1
+joepitt.co.uk, 0
+joerg-wellpott.de, 1
+joergschneider.com, 1
+joerss.at, 1
+joeseago.com, 0
+joeshare.info, 1
+joeshimkus.com, 1
+joeskup.com, 1
+joesmotorpool.fr, 1
+joesniderman.com, 1
+joesniderman.net, 1
+joesniderman.org, 1
+joespaintingpgh.com, 1
+joeteach.us, 1
+joettecalabrese.com, 1
+joetyson.io, 1
+joetyson.me, 1
+joeyfelix.com, 1
+joeyhoer.com, 1
+joeysglassbaytown.com, 1
+joeysmith.com, 0
+joeyvanvenrooij.nl, 1
+joeyvilaro.com, 1
+jofel-kinderkleding.tk, 1
+jofogas.hu, 1
+jogg.nl, 1
+joggers.tk, 1
+joggingtips.ga, 1
+jogi-server.de, 1
+jogjacar.com, 1
+jogjakarta.tk, 1
+joglopark.com, 1
+jogorama.com.br, 0
+jogosdeanimais.org, 1
+jogosecodes.com, 0
+jogosfutebolhoje.pt, 1
+jogoshoje.com, 1
+jogoshoje.io, 0
+jogwitz.de, 1
+johan-koffeman.tk, 1
+johanaskalova.cz, 1
+johand.io, 1
+johanlog.com, 1
+johann.tk, 1
+johanna-besmier.fr, 1
+johanna.gallery, 1
+johannabest.com, 1
+johannaojanen.com, 1
+johannavarmala.fi, 1
+johannes-bauer.com, 1
+johannes-schaefer.de, 1
+johannes-sprink.de, 0
+johannes-zinke.de, 1
+johannes.io, 1
+johannes.wtf, 1
+johannesen.tv, 1
+johannfritsche.de, 1
+johanpeeters.com, 1
+johansf.tech, 0
+johego.org, 1
+johlmike.com, 1
+john2point0.com, 1
+johnabraham.net, 1
+johnangellgrant.com, 1
+johnathanhasty.com, 1
+johnball.co, 1
+johnbeerens.com, 1
+johnbeil.com, 1
+johnblackbourn.com, 1
+johnblotsky.tk, 1
+johncam.tk, 1
+johncleary.me, 1
+johncook.co.uk, 1
+johncook.ltd.uk, 1
+johndball.co, 1
+johndball.com, 1
+johndball.info, 1
+johndball.net, 1
+johndball.org, 1
+johndeisher.com, 1
+johndonmoyer.com, 1
+johnex.se, 1
+johnfulgenzi.com, 1
+johngmchenrymd.com, 1
+johngreatwood.com, 1
+johnhenderson-god.com, 1
+johniii.co, 1
+johninwood.com, 1
+johnjayro.com, 1
+johnjohnsons.tk, 1
+johnkastler.net, 1
+johnkraal.com, 1
+johnlewis.com, 1
+johnload.tk, 1
+johnmac.cn, 1
+johnmalloneemd.com, 0
+johnmcc.net, 1
+johnmcintosh.pro, 1
+johnmellison.com, 1
+johnmichel.org, 1
+johnmillerdesign.com, 0
+johnmirenda.com, 1
+johnno.be, 1
+johnnybegood.tk, 1
+johnnybet.com, 1
+johnnybsecure.com, 1
+johnnydoe.tk, 1
+johnnyofans.com, 1
+johnnysandaire.com, 1
+johnocallaghan.tk, 1
+johnocera.com, 1
+johnopdenakker.com, 1
+johnroberts.me, 1
+johnrockefeller.net, 1
+johnrosen.xyz, 1
+johnrosen1.com, 1
+johnrosewicz.com, 1
+johnscottcbe.com, 1
+johnshopkinssolutions.com, 1
+johnsoncowy.gov, 1
+johnsongenealogy.net, 1
+johnsonho.net, 1
+johnsonroofingltd.co.nz, 1
+johnsons.tk, 1
+johnsonsca.com, 1
+johnsonsuk.com, 1
+johnspion.tk, 1
+johnstownpa.gov, 1
+johnstownrockcowi.gov, 1
+johnswarbrick.com, 1
+johnthenerd.com, 1
+johntomasowa.com, 1
+johntrujillomd.com, 1
+johnvanhese.nl, 1
+johnwinter.tk, 1
+johny.tv, 1
+johnyytb.be, 1
+johutha.ch, 1
+joi-dhl.ch, 0
+join-aomori.jp, 1
+join.com, 1
+joinamericacorps.gov, 1
+joinamericorps.gov, 1
+joincahoot.com, 1
+joinclyde.com, 1
+joindiaspora.com, 1
+joinentre.com, 1
+joinet.com, 1
+joinfear.tk, 1
+joingy.com, 1
+joingy.net, 1
+joingy.org, 1
+joinmobilizon.org, 1
+joinpeertube.org, 1
+jointherlworld.com, 1
+jointheunseen.com, 1
+jointotem.com, 1
+jointsache.com, 1
+joinus-outfits.nl, 1
+joj.sk, 1
+jojo-kiss.com, 1
+jojo-pieism.tk, 1
+jokateszunk.hu, 1
+jokedalderup.nl, 1
+jokerme.com, 1
+jokersro.tk, 1
+jokertv.ovh, 1
+jokesbykids.com, 1
+jokewignand.nl, 1
+joksara.tk, 1
+jolette-hernandez.tk, 1
+joletteperu.tk, 1
+jolienoir.net, 1
+joliet.gov, 1
+joliettech.com, 1
+jolihi.de, 1
+joline.me, 1
+jolinebrussel.nl, 1
+jollausers.de, 1
+jolle.io, 1
+jollyfun.tk, 1
+jollygoodspudz.ca, 1
+jollykidswobbleworld.co.uk, 1
+jollytotschildminder.com, 1
+jollytur.com, 1
+jolo.software, 1
+jolokia.ch, 1
+jomactransport.com, 1
+jomagus.de, 1
+jomibe.de, 1
+jomjohor.my, 1
+jomla.ae, 1
+jomo.tv, 1
+jomsolat.tk, 1
+jonadamich.tk, 1
+jonaharagon.com, 1
+jonahburke.com, 1
+jonahperez.com, 1
+jonahtheprophet.tk, 1
+jonandnoraswedding.com, 1
+jonark.co, 1
+jonas-thelemann.de, 1
+jonas.me, 0
+jonasberger.com, 1
+jonasbrothers-la-jonaticas.tk, 1
+jonasdiego.tk, 1
+jonasgregersen.com, 1
+jonasgroth.se, 0
+jonasherkel.de, 1
+jonaskarlssonfoto.se, 1
+jonaskjodt.com, 1
+jonaskoeritz.de, 1
+jonaskruckenberg.de, 0
+jonaslovatouniverse.tk, 1
+jonasvdc.info, 1
+jonasvildmark.com, 1
+jonaswitmer.ch, 1
+jonatan.gq, 1
+jonathan-apps.com, 1
+jonathan-himmelreich.de, 1
+jonathancarter.org, 1
+jonathandaleswindle.com, 1
+jonathandowning.uk, 0
+jonathanisaac.com, 1
+jonathanlara.com, 1
+jonathanmassacand.ch, 1
+jonathanrobichaud.ca, 1
+jonathanrys.com, 1
+jonathansanchez.pro, 1
+jonathansomoza.it, 1
+jonathanwisdom.com, 1
+jonba.tk, 1
+jonbarron.cf, 1
+jonblankenship.com, 1
+jondarby.com, 1
+jondevin.com, 1
+jondowdle.com, 0
+jonesborostatebank.com, 0
+jonescountyiowa.gov, 1
+jonescountyiowaelections.gov, 1
+jonescreektx.gov, 1
+jonesfor.men, 1
+joneslymma.com, 1
+jonesopolis.xyz, 1
+jonestowntx.gov, 1
+jonestrading.com, 1
+jonferwerda.net, 1
+jonfor.net, 1
+jong030.nl, 1
+jongbloed.nl, 1
+jongcaxent.tk, 1
+jongenstromp.tk, 1
+jongenwijs.gent, 1
+jongerenkring.tk, 1
+jongpay.com, 1
+jongtonghapkido.tk, 1
+jonilar.com, 1
+jonin.tk, 1
+jonin2.tk, 1
+jonincharacter.com, 1
+jonipuhakka.fi, 1
+jonizatorywody24.pl, 1
+jonkerkamman.tk, 1
+jonkermedia.nl, 0
+jonkpl.com, 1
+jonlabelle.com, 1
+jonlu.ca, 1
+jonnasbeauty.com, 1
+jonnichols.info, 1
+jonny5.ru, 1
+jonnybarnes.uk, 1
+jonnyflash.tk, 1
+jonnygreenwood.tk, 1
+jonoalderson.com, 1
+jonohewitt.com, 1
+jonola.com, 1
+jonpavelich.com, 1
+jons.org, 1
+jonscaife.com, 1
+jonsey.co, 1
+jonshelton.com, 1
+jonslife.tk, 1
+jonssheds.com, 1
+jonstar.tk, 1
+jony.tk, 1
+joo.ru, 1
+joodari.fi, 1
+joogle.at, 1
+jooksuratas.ee, 1
+jooli.tk, 1
+joom.com, 1
+joomag.com, 1
+joomanji.fr, 1
+joomearaweb.tk, 1
+joomla-leipzig.com, 1
+joomladeveloper.ru, 1
+joomlaguru.pl, 1
+joompress.biz, 1
+joona.pw, 1
+joonstudios.com, 1
+joopzy.com, 1
+joorshin.ir, 1
+joostdeheer.nl, 1
+joostmaglev.nl, 1
+joostvanderlaan.nl, 1
+jootshop.ga, 1
+joovy.com, 1
+jopestkil.com, 0
+jophson.tk, 1
+joqi4.gq, 1
+joran.org, 1
+jorcus.com, 1
+jordan-armstrong.tk, 1
+jordan-collector.tk, 1
+jordan-jungk.de, 1
+jordancards.com, 1
+jordandevelopment.com, 1
+jordanhamilton.me, 1
+jordanlys.com, 1
+jordanmetal.tk, 1
+jordanmlu.nl, 1
+jordannight.net, 1
+jordanp.engineer, 1
+jordanpark.com, 0
+jordanprice.ml, 1
+jordanprogrammer.tk, 1
+jordans.co.uk, 1
+jordanscorporatelaw.com, 1
+jordansfiles.tk, 1
+jordansmovies.tk, 1
+jordansrequests.tk, 1
+jordanstrustcompany.com, 1
+jordhy.com, 1
+jordibelgraver.email, 1
+jordibelgraver.eu, 1
+jordibelgraver.xyz, 1
+jordioller.com, 1
+jordjord.com, 1
+jorexenterprise.com, 1
+jorgelopezorquesta.tk, 1
+jorgemarquez.es, 1
+jorgenegrete.tk, 1
+jorgenson-peninsula.com, 1
+jorisdalderup.nl, 1
+joriz.tk, 1
+jormulti.tk, 1
+jornadahypera.com.br, 1
+jornalalerta.com.br, 1
+jornalaquidf.com.br, 1
+jornalero.tk, 1
+jornes.com, 0
+jorsev.com, 1
+jos-verstappen-fan.tk, 1
+josaa.nic.in, 1
+josannedesign.tk, 1
+josc.com.au, 1
+joscares.com, 1
+jose-alexand.re, 1
+jose-latino.tk, 1
+jose-lesson.com, 1
+jose-manuel-benito-alvarez.tk, 1
+josebernabe.ch, 1
+joseenriquegonzalez.tk, 1
+joseetesser.nl, 1
+josef-lotz.de, 1
+josefernandomorilloardila.tk, 1
+josefinagrau.tk, 1
+josefjanosec.com, 1
+joseflegal.com, 1
+josefottosson.se, 1
+josefranca.pt, 0
+josejorques.tk, 1
+joseluisberrocal.tk, 1
+josemariavazquez.com, 1
+josenastrid.tk, 1
+josepbel.com, 1
+josephalexander.media, 1
+josephanthony.tk, 1
+josephbleroy.com, 1
+josephcz.com, 1
+josephcz.win, 0
+josephcz.xyz, 1
+josephmarino.net, 1
+josephpinder.com, 1
+josephsniderman.com, 1
+josephsniderman.net, 1
+josephsniderman.org, 1
+josephv.website, 1
+josephwright.co.uk, 1
+josephziegler.com, 0
+joserafaelsosa.tk, 1
+joserecetas.com, 1
+josericaurte.com, 1
+josestiller.de, 1
+joseventos.com, 1
+josh-goodrich.com, 1
+josh.life, 1
+joshanders.com, 1
+joshbyrne.com.au, 1
+joshcaluette.com, 1
+joshdiamant.com, 1
+joshfoley.co.uk, 1
+joshgroban.tk, 1
+joshharmon.me, 1
+joshhoffer.com, 1
+joshimedical.com, 1
+joshking.com, 1
+joshlovephotography.co.uk, 1
+joshparker.blog, 1
+joshparker.uk, 1
+joshrickert.com, 1
+joshruppe.com, 1
+joshs.domains, 1
+joshs.guide, 1
+joshs.photos, 1
+joshschmelzle.com, 1
+joshspage.ltd, 1
+joshspage.ltd.uk, 1
+joshspage.uk, 1
+joshthewanderer.com, 1
+joshu.am, 1
+joshua-kuepper.de, 1
+joshua.law, 1
+joshuadiamant.com, 1
+joshuagoss.com, 1
+joshuajohnson.ca, 1
+joshuamessick.com, 1
+joshuanishimura.xyz, 1
+joshuaschmitt.us, 1
+joshuastock.net, 1
+joshygeo.tk, 1
+josiekellys.com, 1
+josiemccoy.co.uk, 1
+josien.fr, 1
+josien.net, 1
+josineto.art, 1
+josipovicstevo.tk, 1
+josisummer.net, 1
+josmith.co.za, 1
+joso.tk, 1
+josoansi.de, 1
+josprox.ovh, 0
+jostle.us, 1
+josuekula.com, 1
+josueteconecta.mx, 1
+josvir.sytes.net, 1
+jot.works, 1
+jotbe.io, 1
+jotes-creations.de, 1
+jotoho.de, 1
+jotoma.de, 1
+joubinkhorsandmd.com, 1
+jouetspetitechanson.com, 1
+jouleperformance.ch, 0
+jouleperformance.de, 0
+jouonline.nl, 1
+jouons-aux-echecs.be, 1
+jourbook.cf, 1
+jourdain.pro, 1
+jourdespa.fr, 1
+journaldesvoisins.com, 0
+journaldufumeur.ch, 1
+journales.com, 1
+journalgameers.ga, 1
+journalgameest.ga, 1
+journalism-schools.com, 1
+journalism.org, 1
+journaliste.tk, 1
+journalisticapp.com, 1
+journalnow.com, 1
+journals.ru, 1
+journalstar.com, 1
+journaltimes.com, 1
+journaway.com, 1
+journeedesfilles.gc.ca, 1
+journey.study, 1
+journeyfriday.rocks, 1
+journeying.ca, 1
+journeyofmymothersson.com, 1
+journeyrent.com, 1
+journeytofi.com, 1
+journeytomastery.net, 1
+joustsec.com, 1
+jouw-job.nl, 1
+jouwbuis.nl, 1
+jouwpaardenbak.nl, 1
+jouwsongteksten.tk, 1
+jouwzorgjob.be, 1
+jovanmarkovic.ga, 1
+jovenescontraelaburrimiento.tk, 1
+jovic.hamburg, 1
+jovisa.com.tw, 1
+joweb.co, 1
+jowm-jo.com, 1
+joworld.net, 0
+joy-ride.yokohama, 1
+joyas.gt, 0
+joybuggy.com, 1
+joyce.tk, 1
+joycejamiewedding.com, 1
+joycemachine.com, 1
+joychetry.com, 1
+joycosmetics.ch, 1
+joydivision.tk, 1
+joydream.tk, 1
+joyfulevents.tk, 1
+joyfulhealthyeats.com, 1
+joyinteractive.tk, 1
+joyinverse.com, 1
+joyjohnston.ca, 0
+joymaxiptv.com, 1
+joymepass.com, 1
+joyouscare.co.uk, 1
+joyousisle.com, 1
+joyqi.com, 1
+joysinventingblog.com, 1
+joystickblog.tk, 1
+jozefjabczun.com, 1
+jozefkvasnica.tk, 1
+jozefmichalmintal.com, 1
+jozefmutis.com, 1
+jozefmutis.sk, 1
+jp.kg, 1
+jp.md, 1
+jp404.com, 1
+jpan007.com, 1
+jpanetta.tk, 1
+jparts.su, 1
+jpaudio.org, 1
+jpbe-network.de, 1
+jpbe.de, 1
+jpc-design.com, 1
+jpcases.com.au, 1
+jpcorriganlaw.com, 1
+jpcrochetapparel.com, 1
+jpdineroasi.com, 1
+jpeg.io, 1
+jpegd.io, 1
+jpekkala.com, 1
+jperformance.nl, 1
+jpg.am, 1
+jpg.fr, 1
+jpgangbang.com, 1
+jpgtopdfc.com, 1
+jphev.de, 1
+jphost.ml, 1
+jpilan.com, 1
+jpinfo.tk, 1
+jpixta.com, 1
+jplennard.com, 1
+jpmelos.com, 1
+jpmelos.com.br, 1
+jpmguitarshop.com.br, 1
+jpngamerswiki.com, 1
+jpope.org, 1
+jppc.net, 1
+jppcadvertising.com, 1
+jpph.org, 0
+jpr.io, 1
+jpralves.net, 1
+jpram.net, 1
+jproducts.nl, 1
+jproxx.com, 1
+jps-selection.co.uk, 1
+jps-selection.com, 1
+jps-selection.eu, 1
+jpshop.ru, 1
+jpsinflatables.co.uk, 1
+jpst.it, 1
+jpvermogensregie.com, 1
+jpvfinanceira.net, 1
+jpvisual.com, 1
+jqlin.com, 1
+jqlsql.com, 1
+jqpowerwash.com, 1
+jqrecycling.com, 1
+jquery.wtf, 1
+jr-signalisation.fr, 1
+jr5devdoug.xyz, 1
+jr5devdouglas.xyz, 1
+jr5proxdoug.xyz, 1
+jrabasco.me, 1
+jrbv.nl, 1
+jrc.cz, 1
+jrc9.ca, 0
+jrchaseify.xyz, 1
+jreb.nl, 1
+jredmond.io, 1
+jreiff.de, 1
+jreinert.com, 1
+jrflorian.com, 1
+jrfortune.com, 1
+jrjuristen.nl, 0
+jrlopezoficial.com, 1
+jrmora.com, 0
+jrnlz.me, 1
+jrock.tk, 1
+jrock.us, 1
+jross.me, 1
+jrroofinglancs.co.uk, 1
+jrrw.de, 1
+jrstehlik.com, 1
+jrstehlik.cz, 1
+jrt.ovh, 1
+jrtapsell.co.uk, 1
+jrtransportedemotos.com.br, 1
+jrucomsoc.tk, 1
+jrulka.ru, 1
+jrwebb.co.nz, 1
+jrwu.win, 1
+jrxpress.com, 1
+jrzapis.com, 1
+jrzhong.com, 1
+jrzid.com, 1
+jrzly.com, 1
+js-web.eu, 1
+js-webcoding.de, 1
+js5203344.com, 1
+js6868.cc, 1
+js86.de, 0
+js889.com, 1
+js93029.com, 1
+jsautomation.co.za, 1
+jsbentertainment.nl, 1
+jsberrylaw.com, 1
+jsbevents.nl, 1
+jsblights.nl, 1
+jsc.mx, 1
+jschumacher.info, 1
+jscsshtml.com, 1
+jsd-aach.de, 1
+jsd-cog.org, 1
+jsdelivr.com, 1
+jsdelivr.net, 1
+jsdesign.mx, 1
+jsdt.ca, 1
+jselby.net, 1
+jsem.fun, 1
+jsemonjr.tech, 1
+jsfloydlaw.com, 0
+jsg.hk, 1
+jsgr.ca, 1
+jsh918.com, 1
+jsidefox.de, 1
+jsjfact.com, 1
+jsjohnsononline.com, 1
+jsjs.net, 1
+jsk26.ru, 1
+jskier.com, 1
+jslots.dk, 1
+jsme.cz, 1
+jsme.fun, 1
+jsn.one, 1
+jsnfwlr.com, 0
+jsnfwlr.io, 0
+jso-crescendo.ch, 1
+json.download, 1
+json.id, 0
+jsonsinc.com, 1
+jsonvalidator.tk, 1
+jsourcery.com, 1
+jsp-cloud.de, 1
+jspartnersinc.com, 1
+jsphys.org.cn, 1
+jspp2023.jp, 1
+jsproxy.tk, 0
+jsre-kinki.jp, 1
+jss6868.cc, 1
+jstanleyasphaltpaving.com, 1
+jstarlab.com, 1
+jsteward.moe, 1
+jstore.ch, 1
+jsvr.tk, 0
+jswebbdevelopment.com, 1
+jswn9945.xyz, 1
+jsx.jp, 1
+jsxc.ch, 1
+jt-evolution.tk, 1
+jtafla.com, 1
+jtcat.com, 1
+jtconsultancy.sg, 1
+jtech.com.br, 1
+jtfew.co.uk, 1
+jtkconstructiongroup.com, 1
+jtl-connect.de, 1
+jtl-connector.de, 1
+jtl-fulfillment.com, 1
+jtl-pos.com, 1
+jtl-software.com, 1
+jtl-software.de, 1
+jtl-url.de, 1
+jtmagen.com, 0
+jtownacademy.com, 1
+jtp.id, 1
+jtrocinski.com, 1
+jtrojanowska.pl, 1
+jts3servermod.com, 1
+jttech.se, 1
+jtxdev.my.id, 1
+jtxmail.org, 1
+jtxserver.xyz, 1
+ju-edu.tk, 1
+ju-rex.eu, 1
+juabcounty.gov, 1
+jualkambing.tk, 1
+juancadc.es, 1
+juancamos.com, 1
+juancarlosflores.tk, 1
+juancarlosgalvez.tk, 1
+juancarlosllaque.com, 1
+juancatalangomez.es, 1
+juanfrancisco.tech, 1
+juanherranz.com, 1
+juanhub.com, 1
+juanitia.com, 1
+juanitofatas.com, 1
+juanjomontecinos.tk, 1
+juanmanuel.tk, 1
+juanmapauso.tk, 1
+juanmasuarez.tk, 1
+juanmazzetti.com, 1
+juanmoreno.tk, 1
+juanpena.tk, 1
+juanrodriguezofficial.tk, 1
+juansebastianveron.tk, 1
+juanxt.ddns.net, 1
+jub0bs.com, 1
+jubelmart.ga, 1
+jubileum.online, 0
+jucca-nautica.si, 1
+jucelo.de, 1
+jucktehkeinen.de, 1
+jucocauca.tk, 1
+jucyhotel.com.au, 1
+jucyhotels.com.au, 1
+judc-ge.ch, 1
+jude.eu.org, 1
+judge.ga, 1
+judge.tk, 1
+judge2020.com, 1
+judgeball.com, 1
+judi-online.ga, 1
+judi.ga, 1
+judi.tk, 1
+judiciary.gov.ph, 1
+judidominokiukiu.ga, 1
+judidominokiukiu.ml, 1
+judithsargentini.nl, 1
+judo2point0.com, 1
+judobasicsers.ga, 1
+judobasicsest.ga, 1
+judobreda.nl, 1
+judochaters.ga, 1
+judochatest.ga, 1
+judoprodeti.cz, 1
+judosaintdenis.fr, 1
+judybai.me, 1
+judykatura.pl, 1
+juegosycodigos.mx, 1
+juejin.com, 1
+juergaperu.tk, 1
+juergen.tk, 1
+juergenklieber.de, 1
+juergenspecht.com, 1
+juergenspecht.de, 1
+juergmeier.ch, 1
+jufem.tk, 1
+jugendfeuerwehr-vechta.de, 1
+jugendforum-schaafheim.de, 1
+jugendhackt.org, 1
+jugendpresse-hessen.de, 1
+jugendpresse.de, 1
+jugendsuenden.info, 1
+jugh.de, 1
+jugoncalv.es, 1
+jugwallonie.be, 1
+juhakoho.com, 1
+juhanihakala.fi, 1
+juhosaastamoinen.com, 1
+juhosaastamoinen.fi, 1
+juhosaastamoinen.net, 1
+juice.cf, 1
+juice.codes, 1
+juicebox.com.au, 1
+juicipattiesfranchising.com, 1
+juicycrones.org.uk, 1
+juicydesigns.co.za, 1
+juicyforum.com, 1
+jujutsuoulu.fi, 1
+jujuygrafico.com.ar, 1
+jukebox-manuals.tk, 1
+jukkakivi.fi, 1
+jukkakivimaki.fi, 1
+jukovka.tk, 1
+juku-wing.jp, 1
+julb.de, 1
+julditec.com, 1
+jule-spil.dk, 1
+julenetxaniz.eus, 1
+julenlanda.com, 0
+julesfrans.be, 1
+julesmiddleton.art, 1
+julesroovers.nl, 1
+julia-clarete.tk, 1
+julia-jones.org, 1
+julia-spriggs.fr, 1
+julia.school, 1
+juliahub.com, 1
+juliajuice.net, 1
+juliakieser.de, 1
+julian-miller.de, 1
+julian-post.de, 0
+julian-uphoff.de, 1
+julian-weigle.de, 1
+julian.tech, 1
+julianaedouglas.ga, 1
+julianatoma.com.br, 1
+julianbarske.de, 1
+julianbh.com, 1
+julianbroadway.com, 1
+julianestrada.es, 1
+juliangonggrijp.com, 1
+juliangramajo.tk, 1
+julianickel.de, 1
+juliankraemer.de, 1
+julianmathis.de, 1
+julianmeyer.de, 1
+julianmontague.io, 1
+julianozucare.tk, 1
+juliansimioni.com, 1
+julianskitchen.ch, 0
+julianvmodesto.com, 1
+julianwallmeroth.de, 1
+julianweigle.de, 1
+julianxhokaxhiu.com, 1
+juliaoantiguidades.com.br, 1
+julias.zone, 1
+juliasugar.net, 1
+juliawebber.co.za, 1
+juliazeengardendesign.co.uk, 1
+julibear.com, 1
+julie-and-stevens-wedding.com, 1
+juliedecubber.com, 1
+juliekoubova.com, 1
+juliekoubova.cz, 1
+juliekoubova.name, 1
+juliekoubova.net, 1
+juliekproperties.com, 1
+juliemaurel.fr, 1
+julien-demare.com, 1
+julien-noyelle.com, 1
+julien.expert, 1
+julienc.io, 1
+juliendoco.com, 1
+julienmotheron.tk, 1
+julienpaterne.com, 0
+juliens.tk, 1
+julienschmidt.com, 1
+julienstalder.ch, 0
+julientartarin.com, 1
+juliepetit.com, 1
+julier.com.br, 1
+julieskitchensf.com, 1
+julieskyhigh.net, 1
+juliet-squad.tk, 1
+julietous.be, 1
+julietta-sanchez.org, 1
+juliettesinteriors.co.uk, 1
+julio.jamil.nom.br, 1
+juliofreitas.com, 1
+juliohernandezgt.com, 1
+juliusklein.tk, 1
+jullensgroningen.com, 1
+julm.de, 1
+julmer.tk, 1
+juls.cloud, 0
+jult.net, 0
+jultube.de, 1
+july52.ru, 1
+jumardotaekwondo.tk, 1
+jumbo-air.de, 1
+jumbopan.net, 1
+jumbopeters.tk, 1
+jumbster.com, 0
+jumeirashoes.com, 1
+jumelagevezin-vezins.tk, 1
+jumellesvision.fr, 1
+jumibow.com, 1
+jumio.com, 1
+jummedia.com.au, 1
+jump4funinflatables.co.uk, 1
+jumpalitan.tk, 1
+jumpandbounce.co.uk, 1
+jumpandjivechildrensparties.co.uk, 1
+jumparoundbouncycastles.co.uk, 1
+jumparty.co.uk, 1
+jumpbuttonnorth.com, 1
+jumpeasy.com.au, 1
+jumperke.be, 1
+jumperweb.tk, 1
+jumping4all.com, 1
+jumping4all.info, 1
+jumping4all.nl, 1
+jumpingcastlesonline.com.au, 1
+jumpingdeliege-vip.be, 1
+jumpingforall.com, 1
+jumpingforall.nl, 1
+jumpingjacksbouncycastles.co.uk, 1
+jumpintogreenerpastures.com, 1
+jumpman-iphone-design.de, 1
+jumpnplay.co.uk, 1
+jumpnplay.com.au, 1
+jumprun.com, 1
+jumpseller.cl, 1
+jumpseller.com, 1
+jumpstartuat.co.za, 1
+jun-e-jay.com, 1
+junbread.win, 1
+junco.nl, 1
+junctioncitywisconsin.gov, 1
+jundongwu.com, 0
+juneau.gov, 1
+juneaucountywi.gov, 1
+junebo.net, 1
+junebo.nu, 1
+junebo.se, 1
+juneereccentre.com.au, 1
+junefolkhogskola.se, 1
+juneis.dog, 1
+junethack.net, 1
+junfk.shop, 1
+junge-linke.tk, 1
+jungefreiheit.de, 1
+jungelinke.tk, 1
+junger-chor-marienburg.de, 1
+junggesellmuc.de, 1
+junglaurbana.tk, 1
+jungle-forums.tk, 1
+jungleducks.ca, 0
+junglejackscastles.co.uk, 1
+junglelab.io, 1
+junglememories.co.uk, 1
+jungleworks.com, 1
+junglist.org, 1
+jungschuetzen.tk, 1
+jungundwild-design.de, 1
+jungyonghwa.tk, 1
+juniet.net, 1
+juniku.tk, 1
+juniorchamber.international, 1
+juniorhandball.com, 0
+juniornasim.cf, 1
+juniorsambo.tk, 1
+juniorsbook.com, 1
+juniorsplanet.in, 1
+juniperroots.ca, 1
+junix.systems, 1
+junjie.pro, 1
+junjun-web.net, 0
+junk-bear.com, 1
+junkcarbin.com, 1
+junkcarboys.ca, 1
+junkdrome.org, 0
+junkersparadise.tk, 1
+junkfoodcafe.com, 1
+junkguy.tk, 1
+junkiedownload.tk, 1
+junkracing.tk, 1
+junksleep.com, 1
+junktojewels.com.au, 1
+junkyardtuning.tk, 1
+junlyu.org, 1
+junomessenger.cf, 1
+junshinkai.ed.jp, 1
+junte.tk, 1
+juntos.gov, 1
+juntosfmc.com.br, 1
+junyan.ga, 1
+junyangz.com, 1
+junyu33.me, 1
+juozasveza.lt, 1
+jupiteram.com, 1
+jupiterfy.com, 1
+juppy.tk, 1
+jura-reiseschutz.de, 1
+jura-versicherungen.de, 1
+juragan.ga, 1
+juraganhp.com, 1
+juragantembakau.com, 1
+jurancic.com, 1
+jurassicbarkharrogate.co.uk, 1
+jurassicworldfilmen.cf, 1
+jurat.online, 1
+jurcic-prpic.hr, 1
+jurena.sk, 1
+jurex-cup.cz, 1
+jurex.cz, 1
+jurexcup.cz, 1
+jurgenfranse.nl, 1
+jurgens.tk, 1
+jurgis.tk, 1
+jurislex.tk, 1
+jurisprudentacedo.com, 1
+jurist-website.de, 1
+jurist.gq, 1
+juristech.io, 1
+juristique.fr, 1
+juristique.info, 1
+juristique.org, 1
+juristique.us, 1
+jurjendevries.com, 0
+jurkomp.ru, 1
+jurnalfm.md, 1
+jurnalilmiah.com, 1
+jurposluga.tk, 1
+jurquestion.tk, 1
+jurriaan.ninja, 1
+jusfitness.com.au, 1
+jusha.cz, 1
+juspay.in, 1
+jusquauxdents.tk, 1
+just-a-clanpage.de, 1
+just-bees.de, 1
+just-heberg.fr, 1
+just-keep-swimming.tk, 1
+just-muh.de, 1
+just-pools.co.za, 1
+just-vet-and-drive.fr, 1
+just-webdesign-berlin.de, 1
+just.nl, 1
+just3preety.com, 1
+just6f.com, 1
+justacoupleofclarkes.co.uk, 1
+justacrazygirl.com, 1
+justanorganizedhome.com, 1
+justanothercompany.name, 1
+justanotherday.tk, 1
+justasdelish.com, 1
+justbelieverecoverypa.com, 1
+justbooktransfers.com, 0
+justboom.co, 1
+justbraces.com.sg, 1
+justbydesign.com, 1
+justcall.io, 1
+justcalm.tk, 1
+justcams.tv, 1
+justchunks.net, 1
+justement.ch, 1
+justf.tk, 1
+justfencingcheshire.co.uk, 1
+justfoodfordogs.com, 1
+justformen.org, 1
+justforschools.co.uk, 1
+justforsunn.com, 1
+justfresh.com, 1
+justfunerals.co.nz, 1
+justgalak.com, 1
+justgalak.org, 1
+justgamblers.com, 1
+justgardenoffices.co.uk, 1
+justgayvideo.com, 1
+justgiving.co.uk, 1
+justgiving.com, 1
+justgiving.io, 1
+justgiving.nl, 1
+justgiving.services, 1
+justice-rains-from-above.tk, 1
+justice.gc.ca, 1
+justice.gov, 1
+justice4amy.org, 1
+justice4chris.org, 1
+justiceforjameela.org, 1
+justifinetwork.com, 1
+justifyloans.com, 1
+justin-p.me, 1
+justin-tech.com, 1
+justin3d.nl, 1
+justindianporn.me, 1
+justinellingwood.com, 1
+justinfreid.com, 1
+justinho.com, 1
+justinmanders.nl, 1
+justinritter.de, 1
+justinsinkula.com, 1
+justinstago.com, 1
+justinstandring.com, 1
+justkidsdental.com, 1
+justknigi.gq, 1
+justlovecoffeefranchise.com, 1
+justmade.com.br, 1
+justmensgloves.com, 1
+justmyblog.net, 1
+justmysocks.xyz, 1
+justnajoua.tk, 1
+justneworleans.com, 1
+justninja.com, 1
+justnu.se, 0
+justor.ru, 1
+justpass.co.uk, 1
+justpass.uk, 1
+justpaste.it, 1
+justpdf.cf, 1
+justpractice.ca, 1
+justquoteme.ga, 1
+justrighthsc.com, 1
+justsa.co.za, 1
+justsandro.tk, 1
+justsellmycar.com, 1
+justshare.tk, 1
+justt-watch-now.xyz, 1
+justupdate.me, 1
+justwannalearn.com, 1
+justweather.org, 1
+justwizards.me, 1
+justyy.com, 1
+justzz.xyz, 1
+juszczak.io, 1
+juszkiewicz.com.pl, 1
+jutella.de, 0
+jutlander-netbank.dk, 1
+jutrainingdiet.fr, 1
+juttaheitland.com, 1
+juul-iversen.dk, 1
+juul.xyz, 0
+juurussuo.tk, 1
+juusujanar.eu, 0
+juvenile-studios.de, 1
+juventudevareira.tk, 1
+juventusmania1897.com, 1
+juventusnews24.com, 1
+juweldot.tk, 1
+juwelier-schmuck.de, 1
+juwelierstoopman.nl, 0
+juweliervanwillegen.nl, 1
+juzgadocaldas.com, 1
+juzz.io, 1
+jv-projects.be, 1
+jvanerp.nl, 1
+jvbouncycastlehire.co.uk, 1
+jvdham.nl, 1
+jvdz.nl, 1
+jvega.me, 1
+jvianes.ddns.net, 1
+jvlfinance.cz, 1
+jvmcomunicacao.com.br, 1
+jvphotoboothhire.co.uk, 1
+jvspin.com, 1
+jvspin13135.top, 1
+jvspinapp.com, 1
+jw-services-stg.org, 1
+jw-services.org, 1
+jw.fail, 1
+jw1.ca, 1
+jwala.diamonds, 1
+jwatt.org, 1
+jwatt.uk, 1
+jwb.red, 1
+jwbrown.com, 1
+jwbrown.nl, 1
+jwbrown.ru, 1
+jwchords.org, 1
+jwds.blog, 1
+jwe.nl, 1
+jweditions.co.uk, 1
+jwhite.network, 1
+jwilsson.com, 0
+jwjwjw.com, 1
+jwmmarketing.com, 1
+jwod.gov, 1
+jwolt-lx.com, 1
+jwplay.ml, 1
+jwpoore.com, 1
+jwr.me, 1
+jwroberts.com, 1
+jwschuepfheim.ch, 1
+jwz.org, 1
+jxcad.com.cn, 1
+jxdsp.com, 1
+jxir.de, 1
+jxltom.com, 1
+jxm.in, 1
+jxs.ch, 1
+jxsmodafeminina.com.br, 1
+jybrid.com, 1
+jydemarked.dk, 1
+jyllandsakvariet.dk, 1
+jyoba.co.jp, 1
+jyoti-fairworks.org, 0
+jysecurity.com, 1
+jyvaskylantykkimies.fi, 1
+jz.lc, 1
+jzagorulko.com, 1
+jzbk.org, 0
+jzeb.co, 1
+jzminimalist.com, 1
+jztkft.hu, 1
+jzwebdesign.ie, 1
+jzz.cool, 1
+k-45.ru, 1
+k-amenix.co.jp, 1
+k-bone.com, 1
+k-collab.com, 1
+k-designstudio.com, 1
+k-h-c.ru, 1
+k-homes.net, 1
+k-labs.be, 1
+k-linkcarecenter.com, 1
+k-matsudaclinic.com, 1
+k-moto.sk, 1
+k-netz.de, 1
+k-pan.com, 1
+k-s-edition.ru, 0
+k-sails.com, 1
+k-scr.me, 1
+k-so.de, 1
+k-system.de, 1
+k-tube.com, 0
+k-will.tk, 1
+k.tt, 1
+k1024.org, 1
+k123123.com, 1
+k1chn.com, 0
+k2.works, 1
+k234234.com, 1
+k258059.net, 1
+k29.ee, 1
+k2industrial.com, 1
+k2velosi.com, 1
+k36533.com, 1
+k38.cc, 1
+k3a.me, 1
+k3concert.nl, 1
+k3nny.fr, 1
+k3t.net, 1
+k4law.com, 1
+k4nzi.duckdns.org, 1
+k507.com, 0
+k51365.com, 1
+k5197.co, 1
+k55655.com, 1
+k583.com, 0
+k60d.com, 1
+k66.ag, 1
+k665.vip, 1
+k6729.co, 1
+k6729.com, 1
+k6957.co, 1
+k6957.com, 0
+k7add.com, 1
+k7azx.com, 1
+k7cl.com, 1
+k8.com, 1
+k80608.com, 1
+k82.org, 1
+k82365.com, 1
+k85.app, 0
+k86.app, 1
+k86681.com, 1
+k86690.com, 0
+k86853.com, 1
+k869.co, 0
+k86921.com, 0
+k86929.com, 0
+k86930.com, 1
+k86967.com, 0
+k87.app, 1
+k87073.com, 0
+k87074.com, 0
+k87075.com, 0
+k87076.com, 0
+k87077.com, 0
+k87079.com, 0
+k87080.com, 0
+k87119.com, 0
+k87121.com, 0
+k87126.com, 0
+k87131.com, 0
+k87133.com, 0
+k87136.com, 0
+k87210.com, 1
+k873.co, 0
+k875.co, 0
+k88107.com, 1
+k88110.com, 0
+k88116.com, 0
+k88127.com, 0
+k88172.com, 1
+k88256.com, 1
+k88257.com, 1
+k88259.com, 1
+k88302.com, 0
+k88306.com, 1
+k88312.com, 0
+k88313.com, 1
+k88327.com, 1
+k886.co, 1
+k88670.com, 0
+k88672.com, 0
+k889.co, 1
+k8892.com, 1
+k89.app, 1
+k8dalao.com, 1
+k8didi.com, 1
+k8gege.com, 1
+k8jiejie.com, 1
+k8laosiji.com, 1
+k8meimei.com, 1
+k8meinv.com, 1
+k8n.de, 1
+k8r.eu, 1
+k8v27.com, 0
+k8vn.com, 0
+k9297.co, 1
+k9728.co, 1
+k9bhh.net, 1
+k9erp.com, 1
+k9lady.ml, 1
+k9life.cf, 1
+k9life.gq, 1
+k9life.ml, 1
+k9swx.com, 1
+ka-kousin.co.jp, 1
+ka4aka.tk, 1
+ka4ka-ru.tk, 1
+ka4ka.cf, 1
+ka4ka.ml, 1
+kaalberry.com, 0
+kaamoscreations.com, 1
+kaamosmail.com, 1
+kaandorpfietsen.nl, 1
+kaanhaa.com, 0
+kaaniche.xyz, 1
+kaany.io, 1
+kaartje.shop, 1
+kaasbesteld.nl, 1
+kaatha-kamrater.se, 0
+kaatsen.tk, 1
+kab-s.de, 1
+kabachok.tk, 1
+kabal.tk, 1
+kabardinka.ga, 1
+kabardino-balkariya.ml, 1
+kabel.cf, 1
+kabel.ga, 1
+kabel.gq, 1
+kabel.ml, 1
+kabeldiertje.nl, 1
+kabellegger.nl, 1
+kabeltv.co.nz, 1
+kabeuchi.com, 1
+kabide.net, 1
+kabinett.cz, 1
+kabir.cf, 1
+kabir.tk, 1
+kablo.tk, 1
+kabluchek.tk, 1
+kabluchok.tk, 1
+kabodo.com, 1
+kaboommagazine.ga, 1
+kaboommagazine.gq, 1
+kaboommagazine.ml, 1
+kabos.art, 1
+kabu-abc.com, 1
+kabuka.jp.net, 1
+kabuki-inc.co.jp, 1
+kabukpsikoloji.com, 1
+kabulboy.tk, 1
+kabulpress.org, 1
+kabushiki.jp, 1
+kabyle.com, 1
+kacanews.com, 1
+kacang-bali.com, 1
+kacgal.com, 1
+kachaem-knigi.gq, 1
+kachat.io, 1
+kachelfm.nl, 1
+kachka.cf, 1
+kachlikova2.cz, 1
+kack.website, 1
+kackyreloaded.com, 1
+kacy-kisha.com, 1
+kada.lk, 1
+kadalove.net, 1
+kaddex.xyz, 1
+kaddify.de, 1
+kadeatwood.com, 1
+kadenafss.com, 1
+kadenba.ch, 1
+kadence.tk, 1
+kadenlegion.com, 1
+kadeshcdc.org, 1
+kadet.net.ru, 1
+kadett-c-club-limburg.tk, 1
+kadhal-kirukkan.tk, 1
+kadidak.com, 0
+kadifeli.com, 1
+kadinbonesulsel.id, 1
+kadinhaber.tk, 1
+kadinhayati.com, 1
+kadinisci.org, 1
+kadinsaglikhaber.tk, 1
+kadinvesaglik.tk, 1
+kadix.com.br, 0
+kado-ya.jp, 1
+kadolis.com, 1
+kadro.com.pl, 1
+kadvi.tk, 1
+kadykchanskiy.ml, 1
+kaeme.com, 1
+kaeptns-sechser.de, 1
+kaeru-seitai.com, 1
+kaese-journal.ch, 1
+kaesehagen.nl, 1
+kafel-ufa.tk, 1
+kafeline.com, 1
+kaffad.site, 1
+kaffeekrone.de, 1
+kaffeepflanze-pflege.de, 1
+kaffeeringe.de, 1
+kaffeesud.org, 1
+kaffeklubben.tk, 1
+kaffeluckan.se, 1
+kafgoldenbearsbor.tk, 1
+kafoom.de, 1
+kagami.tk, 1
+kagata-kids.com, 1
+kagebyvyre.tk, 1
+kagel.ch, 1
+kagelmacher.ch, 1
+kages.at, 1
+kaggle.com, 1
+kagi.com, 1
+kagicomb.org, 1
+kagl.me, 1
+kagomesashi.tk, 1
+kaguramea.fr, 1
+kaha.co.id, 1
+kahane.org, 1
+kahmad.in, 1
+kahoot.it, 1
+kahvakiekkotalkoot.fi, 1
+kai-i.com, 1
+kai-justin.de, 1
+kai-ratzeburg.de, 1
+kai-ruecker.tk, 1
+kaiahealth.com, 1
+kaibaunderwear.com.ar, 1
+kaibinyang.com, 1
+kaibinyang.tk, 1
+kaibo.cz, 1
+kaibo.eu, 1
+kaiche.com, 1
+kaida-rybak.ru, 1
+kaidoblogi.eu, 1
+kaifischer.tv, 1
+kaigojj.com, 1
+kaihipay.jp, 1
+kaijo-physics-club.work, 1
+kaik.io, 1
+kaika-facilitymanagement.de, 1
+kaikei7.com, 1
+kaikrups.com, 1
+kaileymslusser.com, 0
+kaimassagechairs.com, 1
+kaimi.io, 1
+kaimonojyoz.jp, 1
+kainelaw.com, 1
+kainetsoft.com, 1
+kainsanders.com, 1
+kainz.be, 1
+kaiod.tk, 1
+kaioken.bar, 1
+kaion.vn, 1
+kaipel.de, 1
+kairion.de, 0
+kairuitan.com, 0
+kais08.com, 1
+kaisanord.org, 1
+kaiser.ga, 1
+kaiser.wf, 1
+kaiseraerospace.tk, 1
+kaiserinformativo.com, 1
+kaisev.net, 1
+kaishi009.com, 1
+kaishi555.com, 1
+kaisto.net, 0
+kaisyo.co.jp, 1
+kaitol.click, 1
+kaitseministeerium.ee, 0
+kaity-sun.com, 1
+kaiu-sport.de, 1
+kaiusaltd.com, 0
+kaiva.cl, 1
+kaiwritings.com, 1
+kaiwu.xyz, 1
+kaiy.moe, 1
+kaizencraft.ga, 1
+kaizendigitalstudios.live, 1
+kaizenjuku.org, 1
+kaizenreporting.com, 1
+kaizeronion.com, 1
+kaizoku-dmc.com, 1
+kajak.land, 1
+kajalkumar.tk, 1
+kajasafe.fi, 1
+kajirakuda.com, 1
+kajlovo.cz, 1
+kajzonnebeke.tk, 1
+kak-pohudet-legko.ml, 1
+kaka.farm, 0
+kakabo.vn, 1
+kakacon.nz, 1
+kakan.ml, 1
+kakaravaara.fi, 1
+kakatu.ru, 1
+kakazai.com, 1
+kakdolgonline.cf, 1
+kakdoma-23.ru, 1
+kakeru.cf, 1
+kaketang.com, 0
+kakkerlakken.tk, 1
+kakofotmitzaim.cf, 1
+kakofotmitzaim.ga, 1
+kakofotmitzaim.gq, 1
+kakofotmitzaim.ml, 1
+kakofotmitzaim.tk, 1
+kakoo-media.nl, 1
+kakoomedia.nl, 1
+kakpoluchitzaim.cf, 1
+kakpoluchitzaim.ga, 1
+kakpoluchitzaim.gq, 1
+kakpoluchitzaim.ml, 1
+kakpoluchitzaim.tk, 1
+kaksdelatpotolok.ru, 1
+kaktus-tour.cf, 1
+kaktuskola.se, 1
+kakuch.com, 0
+kakvzyatdolg.ga, 1
+kakvzyatdolg.ml, 1
+kakvzyatzaim.cf, 1
+kakvzyatzaim.gq, 1
+kakvzyatzaim.tk, 1
+kal05.tk, 1
+kalababy.bg, 1
+kalabhavashricreations.com, 1
+kaladarb.com, 0
+kalaharifeis.com, 1
+kalakarclub.com, 1
+kalambur.gq, 1
+kalambur.ml, 1
+kalami.nl, 1
+kalamos-psychiatrie.be, 1
+kalamos.tk, 1
+kalamotownship-mi.gov, 1
+kalapatec.id, 1
+kalashnikov.ml, 1
+kalaskvintetten.tk, 1
+kalaspuffar.se, 1
+kalastus.com, 1
+kaldewei.com, 1
+kaleidoscope.co.uk, 1
+kalek.eu, 1
+kalendarabiturienta.tk, 1
+kalender.com, 1
+kalender.goip.de, 1
+kalerne.tk, 1
+kalhufvudet.se, 1
+kaliaa.fi, 1
+kalian.cz, 1
+kaliboairport.tk, 1
+kaliboys.com, 1
+kaliforniya.tk, 1
+kalimantan.tk, 1
+kalimari.tk, 1
+kalimat.gq, 1
+kalimba-hangszerbolt.hu, 1
+kalina.ml, 1
+kaliningrad.gq, 1
+kaliningrad.ml, 1
+kalinka-shop.tk, 1
+kaliocommerce.com, 1
+kalisch.eu, 1
+kalisilat.tk, 1
+kalk-shop.nl, 1
+kalkaskavillagemi.gov, 1
+kalkulacka-havarijni.cz, 1
+kalleanka.tk, 1
+kalligo.ga, 1
+kalligraf.tk, 1
+kallisto.io, 1
+kallosmedicalaesthetics.com, 1
+kalmarbilder.se, 1
+kalmbach.com, 1
+kalmservices.ca, 1
+kalmykia.cf, 1
+kalmykia.tk, 1
+kalogeropoulos-st.com, 1
+kalohan.tk, 1
+kaloix.de, 1
+kalolina.com, 1
+kalombo.ru, 1
+kalompaturi.com, 1
+kalpavriksh.org, 1
+kalsa.ga, 1
+kalsbouncies.com, 1
+kaltenbrunner.it, 1
+kalterersee.ch, 1
+kaltoft.net, 0
+kaluga.cf, 1
+kaluga.gq, 1
+kalugadeti.ru, 1
+kalugin.tk, 1
+kaluja.fi, 1
+kalwak.cr, 1
+kalwestelectric.com, 1
+kalyandevelopers.com, 1
+kalyangupta.ml, 1
+kalyanmatka.guru, 1
+kalyazin-online.tk, 1
+kam-serwis.pl, 1
+kamalame.co, 1
+kamandula.tk, 1
+kamanja.io, 1
+kamareddine.tk, 1
+kamasutra-training.gq, 1
+kamata-saisyuusyou.com, 1
+kamata-shinkyu-seikotsu.jp, 1
+kamataryo.com, 1
+kamatoycleaner.com, 1
+kamazuri.art, 1
+kambistories.com, 1
+kamchatkatravel.tk, 1
+kamchatkawinter.tk, 1
+kamcolorectal.com, 1
+kamel.social, 1
+kameldesign.com, 1
+kameliya.tk, 1
+kamen-master.ru, 1
+kamennyj-pisatel.tk, 1
+kameno-news.tk, 1
+kamer.nl, 1
+kamera.org.tr, 1
+kamerpower.com, 0
+kamery.top, 1
+kameryzababku.sk, 1
+kamey-steuerberatung.de, 1
+kameya.bg, 1
+kami-riha.com, 1
+kamien-ogrodowy.tk, 1
+kamienie-migdalkowe.pl, 1
+kamikami.eu, 1
+kamikatse.net, 1
+kamikatzerl.net, 1
+kamikazeweb.tk, 1
+kamildrozd.tk, 1
+kamilla.ml, 1
+kamilmagdziak.pl, 1
+kamilsevi.com, 0
+kamin-island.ru, 1
+kaminbau-laub.de, 1
+kaminholz.eu, 1
+kaminoke.info, 0
+kaminoweb.com, 1
+kaminy-msk.ru, 0
+kamio.co.uk, 1
+kamisato-ent.com, 1
+kamistik.com, 1
+kamitech.ch, 1
+kamiyo.tk, 1
+kamlunglelystad.tk, 1
+kamnob.com, 1
+kamp-kisten.nl, 1
+kampanyaradar.com, 1
+kampffische.tk, 1
+kampfsportschule-einherjar.de, 1
+kampova.sk, 1
+kamppailusali.fi, 1
+kampungcyber.tk, 1
+kampunginggris-ue.com, 1
+kampusku.tk, 1
+kamrad.tk, 1
+kamranmirhazar.com, 1
+kamu.org, 1
+kamui.co.uk, 1
+kamumisafirhaneleri.com.tr, 1
+kamuniang.org, 1
+kan-ken.fr, 1
+kan.bi, 1
+kan3.de, 1
+kana-mono.biz, 1
+kana.me, 1
+kanabun.top, 1
+kanaete-uranai.com, 1
+kanag.pl, 1
+kanakdharaenterprise.com, 1
+kanal-c.net, 1
+kanal-schaefer.de, 1
+kanal-tv-haensch.de, 0
+kanalasal.id, 0
+kanalbutikken.no, 1
+kanali.info, 1
+kanapa.gq, 1
+kanariesite.tk, 1
+kanatsuki.tk, 1
+kanava.tk, 1
+kancelaria-prawna.pl, 1
+kancelyaria.com.ua, 1
+kancolle.me, 1
+kanctovary.tk, 1
+kandalife.com, 1
+kandelaberi.tk, 1
+kanden-com-reform.com, 1
+kandhamal.org, 1
+kandianshang.com, 1
+kandkforwarding.com, 1
+kandofu.com, 1
+kandr.net, 1
+kandra.com.br, 1
+kandrahechiceravudu.com, 1
+kandrive.gov, 1
+kanduit.live, 1
+kandycoated.com, 1
+kanecastles.com, 1
+kanecountyhospitalut.gov, 1
+kanecountyil.gov, 1
+kanehisa.xyz, 1
+kanehusky.com, 0
+kanetix.ca, 1
+kanganer.com, 1
+kangaroo-bouncycastle.co.uk, 1
+kangarooislandholidayaccommodation.com.au, 1
+kangaroojacks.co.uk, 1
+kangaroos.org, 1
+kangaroosgardencentre.ca, 1
+kangavar.tk, 1
+kangbo.com, 1
+kangdaniel.cn, 1
+kangkai.me, 1
+kangkang.net, 1
+kangkang.org, 1
+kangliortho.com, 1
+kangoeroeteam.tk, 1
+kangouroo.ch, 1
+kangutingo.com, 1
+kangzaber.com, 1
+kaninchenartikel.de, 1
+kanis.ag, 1
+kanitha.sk, 1
+kankakeecountyclerk.gov, 1
+kankerpannekoek.nl, 1
+kankfn.com, 1
+kankimaru.com, 1
+kanna.cf, 1
+kannabia.com, 1
+kannata.ml, 1
+kanneldiamond.com, 1
+kano.fan, 0
+kano.tk, 1
+kanootours.com, 1
+kanosuki.com, 0
+kanotijd.nl, 1
+kanoumokuzai.co.jp, 1
+kanpian369.com, 1
+kanru-clinic.com.tw, 1
+kansai-ramen-derby.com, 1
+kansascityzoo.org, 0
+kansasconstruction.ga, 1
+kansashealth.tk, 1
+kansashighwaypatrol.gov, 1
+kansasnet.tk, 1
+kansasvaccine.gov, 1
+kansasvoterinfo.gov, 1
+kanshutan.com, 1
+kantankye.nl, 1
+kantoorartikelen.nl, 1
+kantoorboel.nl, 1
+kantoormeubilair.nl, 1
+kantora-plovdiv.com, 1
+kantorad.io, 1
+kantorosobisty.pl, 1
+kantrok.com, 1
+kantube.tk, 1
+kanui.ml, 1
+kanuking.de, 1
+kanuvu.de, 1
+kanvasbaski.tk, 1
+kanz.jp, 1
+kanzashi.com, 1
+kanzlei-sixt.de, 1
+kanzshop.com, 1
+kaohongshu.blog, 1
+kaora.cz, 1
+kaosintesta.tk, 1
+kap-kirche.de, 1
+kap.pe, 1
+kapaci.com, 1
+kapanlagi.gq, 1
+kapelya.gq, 1
+kapilarya.com, 1
+kapiorr.duckdns.org, 1
+kapital-kredit.cf, 1
+kapitalsprung.com, 1
+kapitany.tk, 1
+kapiteintje.tk, 1
+kaplan.se, 1
+kaplanco.com, 1
+kaplanprofessional.edu.au, 1
+kaplatzis.com, 1
+kapparhokappa.tk, 1
+kappenstein.org, 0
+kappharn.com, 1
+kappit.dk, 1
+kappow.co.uk, 1
+kapri.dn.ua, 1
+kaproseo.com, 1
+kapsalonlinds.nl, 1
+kapseli.net, 1
+kapsouro-ksimeromata.eu, 1
+kaptadata.com, 1
+kaptamedia.com, 1
+kapui.net, 1
+kapukoaldizkaria.tk, 1
+kapulakennel.tk, 1
+kapunet.tk, 1
+kaputt.com, 1
+kaputtendorf.tk, 1
+kaputtzich.duckdns.org, 1
+kara-fabian.com, 1
+kara-fabian.de, 1
+karabah.cf, 1
+karabah.tk, 1
+karabas.com, 1
+karabukhaber.tk, 1
+karachay.tk, 1
+karacommagere.com, 1
+karada.live, 1
+karadenizhaberleri.tk, 1
+karajonline.tk, 1
+karakafa.net, 1
+karakurt.me, 1
+karamanev.me, 1
+karamel69.ru, 1
+karamomo.net, 1
+karand.me, 1
+karanjthakkar.com, 1
+karanlyons.com, 1
+karantyn.pro, 1
+karaoglanis-info.tk, 1
+karaoglanis.tk, 1
+karaokerentalcalgary.com, 1
+karaokerentaledmonton.com, 1
+karaokerentalmontreal.com, 1
+karaokerentalottawa.com, 1
+karaokerentaltoronto.com, 1
+karaokeyboards.tk, 1
+karapatan.org, 1
+karapuzz.tk, 1
+karasev-stroy.ru, 1
+karasevm.ru, 1
+karasik.by, 1
+karatecabes.tk, 1
+karateclub-waregem.tk, 1
+karatepunkslaroca.tk, 1
+karatesamurai.tk, 1
+karawane.tk, 1
+karayollarimisafirhanesi.com, 1
+karaz.ps, 1
+karbox.de, 1
+kardac.com, 1
+kardia-bordeauxdoggen.tk, 1
+kardize24.pl, 1
+kardjali.bg, 1
+kardla.edu.ee, 1
+kareenaworld.tk, 1
+karel-dingeldey.de, 1
+karel-it.be, 1
+karelgol.tk, 1
+karelia.cf, 1
+karelia.ga, 1
+karelia.ml, 1
+karelin.tk, 1
+kareltrans.tk, 1
+karelvanhecke.com, 1
+karemfouad.com, 1
+karen-homestay.tk, 1
+karencatering.com, 1
+karenerdos.com.au, 1
+karenofarcola.com, 1
+karenvien.ga, 1
+karewan.ovh, 1
+kargas.cf, 1
+kargl.net, 1
+kargotakip.co, 1
+kargotakip.me, 1
+karhukamera.com, 1
+karikatur.cf, 1
+karikatur.ga, 1
+karikatur.ml, 1
+karikatur.tk, 1
+karimova.tk, 1
+karimsaadati.tk, 1
+karimunsejahtera.com, 1
+karina.gd, 1
+karinagallagher.com, 1
+karinahh.net, 1
+karinheinenmaassen.nl, 1
+karinov.co.id, 1
+karinwerner.com, 1
+karit.nz, 1
+kariyermemur.com, 1
+karkey.in, 1
+karkkilandemarit.fi, 1
+karlbowden.com, 1
+karlic.net, 1
+karliekloss.tk, 1
+karlin.run, 1
+karlis-kavacis.id.lv, 1
+karlis.tk, 1
+karlislab.com, 1
+karlloch.de, 1
+karlogavric.com, 1
+karloluiten.nl, 1
+karloskontana.tk, 1
+karlov.tk, 1
+karlproctor.co.uk, 1
+karlskronajk.tk, 1
+karlsmithmn.org, 1
+karlson.gq, 1
+karlswift.com, 0
+karlzotter.com, 1
+karmaassurance.ca, 1
+karmaflux.com, 1
+karmaful.de, 1
+karmagroup.com, 1
+karmainsurance.ca, 1
+karmalighting.com, 1
+karmatrend.cf, 1
+karmelava.tk, 1
+karmil.tk, 1
+karn.nu, 1
+karnage.eu, 1
+karneid.info, 1
+karniz.ml, 1
+karo.pc.pl, 1
+karoche.ga, 1
+karodos.pl, 1
+karolak.fr, 0
+karolaschinkel.de, 1
+karolbiskup.pl, 1
+karolinamed.ru, 1
+karopapier.de, 1
+karopc.pl, 1
+karorally.tk, 1
+karoverwaltung.de, 1
+karpanhellas.com, 0
+karperontspanning.tk, 1
+karperpagina.tk, 1
+karpets.gq, 1
+karpo.tk, 1
+karppaamo.fi, 1
+karr.ga, 1
+karramba.tk, 1
+karriharju.tk, 1
+karrot.world, 1
+karryfishing.com, 1
+karsiyakacilingir.biz.tr, 1
+karsofsystems.com, 1
+karstenhelmbold.de, 1
+karstjewellery.co.uk, 1
+karstransport.tk, 1
+karta-baikala.ml, 1
+karta-mira.com, 1
+karta-paliwowa.pl, 1
+kartacha.com, 1
+kartalvincisletmeciligi.com, 1
+kartar.net, 0
+kartec.com, 1
+kartenmarie.de, 1
+kartenplanet.ch, 1
+kartikmohta.com, 1
+karting-normandie.fr, 1
+kartoffel-stampfer.com, 1
+kartoffel-tobi.de, 1
+kartonki.tk, 1
+kartonmodellbau.org, 1
+kartpower.tk, 1
+karudomizile.de, 1
+karula.org, 0
+karupp-did.net, 1
+karussell.com.tr, 0
+kas.ie, 1
+kasad.com, 1
+kasamatsu-sogo-hoken.com, 1
+kasanikares.com, 1
+kasasaprotect.com, 1
+kasaysayan.tk, 1
+kasei.im, 1
+kasettilamerit.fi, 1
+kaseyhopkins.com, 1
+kashbet.net, 1
+kashbontravels.com, 1
+kashflowcoupon.co.uk, 1
+kashflowpromocode.co.uk, 1
+kashifmajid.tk, 1
+kashifshah.tk, 1
+kashinavi.com, 1
+kashis.com.au, 1
+kashmash.com, 1
+kashmirartquest.tk, 1
+kashousing.tk, 1
+kashta-svgeorgi.com, 1
+kasiafricagroup.org, 1
+kasinobonus.com, 1
+kasinoilmanrekisteroitymista.io, 1
+kasinonetti.com, 1
+kasinopartio.com, 1
+kasis.nl, 1
+kaskadee.eu, 1
+kaskocdn.com, 1
+kaskocloud.com, 1
+kaskodev.com, 1
+kaskojs.com, 1
+kaskoqa.com, 1
+kasparovru.ml, 1
+kasparovru.tk, 1
+kasper-team.tk, 1
+kasperstad.dk, 1
+kass-media.com, 1
+kassa.at, 1
+kassa.com, 1
+kassa.expert, 1
+kassa24.kz, 1
+kasse.at, 1
+kasse.pro, 1
+kassemmal.at, 1
+kassen-zero.net, 1
+kassianoff.fr, 1
+kassola.tk, 1
+kastamonuhaberleri.tk, 1
+kastankaoffice.cz, 1
+kastas.com, 1
+kastas.com.tr, 1
+kastelruth.biz, 1
+kastemperaturen.ga, 1
+kastgroup.com, 1
+kastmedia.com, 1
+kastorsky.ru, 0
+kastrup.is, 1
+kastrupvinduet.dk, 1
+kastuvas-tau.lt, 1
+kasu.ga, 1
+kasvall.com, 1
+kasyna-internetowe.com, 1
+kasynoanalyzer.com, 1
+kat.cat, 1
+kat4at.tk, 1
+katachistore.com, 1
+katagena.com, 1
+kataiszilveszter.hu, 0
+katalog-parfyum.tk, 1
+katalog-serverof.ml, 1
+katalog-serverov.cf, 1
+katalog-serverov.ga, 1
+katalog-serverov.tk, 1
+katalog-tovarov.tk, 1
+katalogbutikker.dk, 1
+katalogharga.cf, 1
+katalogkapsli.pl, 1
+katan-stroi.tk, 1
+katapult-impuls.com, 1
+katapult.es, 0
+katapult.tk, 1
+katarios.tk, 1
+katarpilar.com, 1
+katarsis.lt, 1
+katarsisuib.no, 1
+katartika.tk, 1
+katazuketai.net, 1
+katc.com, 1
+kate-beckinsale.tk, 1
+kate-hurst.com, 1
+katedra.de, 1
+kateduggan.com, 1
+kateduggan.net, 1
+katekligys.com, 1
+katemihalikova.cz, 1
+katenka.tk, 1
+katerinaverbovskaya.com, 1
+katerman.cf, 1
+katerman.ga, 1
+katerman.gq, 1
+katerman.ml, 1
+kateryan.tk, 1
+kateryantv.tk, 1
+katestudio.dk, 1
+katesymmans.co.nz, 1
+katewrightmba.com, 1
+katex.org, 1
+kateysagal.tk, 1
+katfitness.co.uk, 1
+kathakkachakkar.com, 1
+kathardt.de, 1
+katherineandkegan.love, 1
+katherineswynford.tk, 1
+kathleendeisher.com, 1
+kathmandupost.com, 1
+kathrin-maren-enders.de, 1
+kathrynbernardo.tk, 1
+kathy.best, 1
+kathy.lgbt, 1
+kathy.link, 1
+kathyekaan.com, 1
+kathyschlitzer.com, 1
+kati-raumplaner.de, 1
+kati0.com, 1
+katiebenson.tk, 1
+katiechai.xyz, 1
+katiemadethat.shop, 1
+katiepears.net, 1
+katieriker.com, 1
+katieskandy.co.uk, 1
+katieskastles.co.uk, 1
+katio.net, 1
+katiusha.tk, 1
+kativa.it, 1
+katja-nikolic-design.de, 1
+katjapratschke.de, 1
+katka.info, 1
+katmccormick.com, 1
+katnunn.co.uk, 1
+kato-yane.com, 1
+katoikos.world, 1
+katolickaseznamka.cz, 1
+katom.com, 1
+katowice2021.eu, 1
+katrelleonline.tk, 1
+katretter.de, 1
+katrin.tk, 1
+katrinakaifphotos.tk, 1
+katrinasevilla.com, 1
+katrinjanke.de, 0
+katscastles.co.uk, 1
+katsiavarasorthopedics.gr, 1
+katsunet.com, 1
+katsushikacity-cashless.jp, 1
+kattelans.de, 1
+kattelans.eu, 1
+kattelus.tk, 1
+kattens.tk, 1
+katushka.cf, 1
+katushka.ga, 1
+katycollection.com, 0
+katyl.info, 0
+katyusha.net, 1
+katzei.fr, 1
+katzenbrunnen-test.de, 1
+katzensklave.me, 1
+katzrkool.xyz, 1
+kau-boys.com, 1
+kau-boys.de, 1
+kaufberatung.community, 1
+kaufhausdesaffen.com, 1
+kaufkraftkiel.de, 1
+kaufleute-sbh.de, 1
+kaukauna.gov, 1
+kauper.de, 1
+kauperwood.ovh, 1
+kaushal.tk, 1
+kausharach.tk, 1
+kausta.me, 1
+kaustubhk.com, 1
+kavalasite.gr, 1
+kavaplius.lt, 1
+kavatasygarety.tk, 1
+kaveh24.com, 1
+kavelruilonline.nl, 1
+kaverti.com, 1
+kavik.no, 1
+kavin.rocks, 0
+kavinchauhan.in, 1
+kavitech.vn, 1
+kavithai.tk, 1
+kavkaz-info.tk, 1
+kavkaz.cf, 1
+kavli-express.gr, 1
+kavovary-kava.cz, 1
+kavshipping.com, 1
+kawabeest.tk, 1
+kawadoart.com, 1
+kawaii-dollies.tk, 1
+kawaii.su, 1
+kawaiicon.org, 1
+kawaiii.link, 1
+kawaiiku.com, 1
+kawaiiku.de, 1
+kawaiilo.li, 1
+kawamura-inc.jp, 1
+kawandegroup.com, 1
+kawasakipartsonline.co.uk, 1
+kawayii.com, 1
+kawigraphics.com, 1
+kawnation.gov, 1
+kawuk.com, 1
+kay.la, 1
+kay.moe, 1
+kayakaventura.tk, 1
+kayakcastro.tk, 1
+kayakpolouniversidades.tk, 1
+kayashkina.com, 1
+kaydan.io, 1
+kayipkiliseler.com, 1
+kayisir.com, 1
+kayit.co.uk, 1
+kayleen.net, 1
+kaylielaw.com, 1
+kayne.com, 1
+kayon.cf, 1
+kayscs.com, 1
+kayseri.bel.tr, 1
+kayserihaberleri.tk, 1
+kaysville.gov, 1
+kaysvillechurch.com, 1
+kayteedidquiltsandmore.com, 1
+kazakov.lt, 1
+kazan-tury.ml, 1
+kazanasolutions.de, 1
+kazand.lt, 1
+kazandaemon.ru, 1
+kazangoforums.tk, 1
+kazanusadba.cf, 1
+kazap.co.uk, 1
+kazard.co.za, 1
+kazarmy.tk, 1
+kazeso.kz, 1
+kazigk.me, 1
+kazino5.tk, 1
+kazna.ml, 1
+kaznice.art, 1
+kaznur.tk, 1
+kazoohr.com, 1
+kaztest.tk, 1
+kazu-techlab.com, 1
+kazu.click, 1
+kazuhirohigashi.com, 1
+kazumi-clinic.com, 1
+kazumi.ooo, 1
+kazumi.ro, 1
+kazuno-jc.or.jp, 1
+kazvel.com, 1
+kazvet.ru, 1
+kazwolfe.io, 1
+kazy111.info, 1
+kb-psy.fr, 1
+kb096.com, 1
+kb1000.de, 1
+kb1313.com, 1
+kb2121.com, 1
+kb283.com, 1
+kb35.net, 1
+kb38.net, 1
+kb481.com, 0
+kb5050.com, 1
+kb5151.com, 1
+kb5757.com, 1
+kb7070.com, 1
+kb82.net, 1
+kb88dc05.com, 1
+kb88dc12.com, 1
+kb88dc15.com, 1
+kb88dc16.com, 1
+kb88dc17.com, 1
+kb88dc26.com, 1
+kb930.com, 1
+kb9797.com, 1
+kb9988.com, 1
+kba-online.de, 1
+kbb-ev.de, 1
+kbbouncycastlehire.co.uk, 1
+kbc.be, 0
+kbcjiolotterywinners.com, 1
+kbco.net, 1
+kbcr.gov, 1
+kbet168.com, 1
+kbhfuge.dk, 1
+kbit.dk, 1
+kbkstudio.cz, 1
+kbleventhire.co.uk, 1
+kbmhawaii.com, 1
+kboosting.com, 1
+kbsinflatablekingdom.co.uk, 1
+kbst.se, 0
+kbtairmont.com, 1
+kbtit.jp, 1
+kbz.fr, 1
+kc-holzfaeller.de, 1
+kc-hrubeho.cz, 1
+kc-leeuwarden.tk, 1
+kc1hbk.com, 1
+kc3.moe, 1
+kc5mpk.com, 1
+kcc8.com, 1
+kcfiradio.com, 1
+kchanews.com, 1
+kcire.me, 1
+kck-online.tk, 1
+kckarchitects.com, 1
+kcmak.net, 1
+kcmicapital.com, 1
+kcnawatch.org, 1
+kcnexp.eu.org, 1
+kcnwallet.com, 1
+kcnxp.com, 1
+kcomi.com, 1
+kcor.org, 1
+kcpredict.com, 1
+kcptun.com, 1
+kcsconstructioncompany.com, 1
+kcsh.men, 1
+kcsonline.biz, 1
+kcsordparticipation.org, 1
+kcsprayfoam.com, 1
+kcucs.com, 1
+kd-23.ru, 1
+kd-event.de, 1
+kd.net.nz, 1
+kdarawandekar.tk, 1
+kdb.uz, 1
+kdcinfo.com, 1
+kdcompany.ru, 1
+kde-je-skladem.cz, 1
+kdgd.de, 1
+kdiender.nl, 1
+kdistech.nz, 1
+kdizain.ru, 1
+kdjsa.com, 1
+kdk.com.my, 1
+kdl-group.pl, 1
+kdo-ma-dnes-svatek.cz, 1
+kdo-vola.cz, 1
+kdonkers.com, 1
+kdoslavi.cz, 1
+kdpmgi.com, 1
+kdproduction.cz, 1
+kdrama.cc, 1
+kdramaholic.com, 1
+kdrive.tk, 1
+kduggan.net, 1
+kdw.cloud, 1
+kdyby.org, 0
+ke.fo, 1
+ke.ke, 1
+ke8gtp-vf.herokuapp.com, 1
+kea.dk, 1
+keaipublishing.com, 1
+keala.services, 1
+keane.space, 1
+keaneokelley.com, 1
+kearney.io, 1
+kearneycountyne.gov, 1
+kearneyhub.com, 1
+kearnyaz.gov, 1
+keatsandchapman.ie, 1
+keaysmillwork.com, 1
+keb.com.au, 1
+keb.net.au, 1
+kebab.bg, 1
+kebabbesteld.nl, 1
+kebabbruce.com, 0
+kebhanamyanmar.com, 1
+kebo.xyz, 1
+keca.ca, 1
+kech-immobilier.com, 1
+kecht.at, 1
+kecrily.me, 1
+kedarastudios.com, 1
+kedero.com, 1
+kedi.tk, 1
+kedinox.com, 1
+kediri.win, 1
+keditor.biz, 1
+kedungombo.tk, 1
+kedv.es, 1
+kee.fi, 1
+kee.pm, 1
+keeb.supplies, 1
+keeb.supply, 1
+keechain.io, 1
+keeckee.ml, 1
+keeforcecloud.com, 1
+keekmix.nl, 1
+keelandlong.com, 1
+keeleandfinchdentaloffice.com, 1
+keeley.net, 1
+keeleysam.com, 1
+keelove.net, 1
+keemail.me, 1
+keematdekho.com, 1
+keenenh.gov, 1
+keengamer.com, 1
+keep-smiling.tk, 1
+keep.id, 1
+keep.moe, 1
+keepa.com, 1
+keepagree.gq, 1
+keepclean.me, 0
+keeperapp.com, 1
+keeperklan.com, 0
+keepersecurity.com, 1
+keepersecurity.com.au, 1
+keepersecurity.eu, 1
+keepersecurity.jp, 1
+keepersecurity.us, 1
+keepiteasy.eu, 1
+keepitsecure24.com, 1
+keepitsimplebitcoin.com, 1
+keepitweedy.com, 1
+keepleft.gr, 1
+keepsakedna.com, 1
+keepsight.org.au, 1
+keepsolid.com, 1
+keesmartens.tk, 1
+keesslop.nl, 1
+keestalkstech.com, 1
+keetfm.tk, 1
+keevault.pm, 1
+keeweb.info, 1
+keez.cf, 1
+keezin.ga, 1
+kefucha.de, 1
+kegan.lol, 1
+keganthorrez.com, 1
+kegelschiene.net, 1
+kehlenbach.net, 1
+kehrle.xyz, 1
+keian.tk, 1
+keibablood.com, 1
+keiebijters.nl, 1
+keifel.de, 1
+keigakusha.co.jp, 1
+keiji0501.com, 1
+keiju.ee, 1
+keiju.fi, 1
+keijuriini.fi, 1
+keikadreamland.fun, 1
+keil-web.de, 1
+keilycosmetics.com, 1
+kein-fidget-spinner-werden.de, 1
+kein-hindernis.de, 1
+kein-vergessen.tk, 1
+keinanung.nl, 1
+keinefilterblase.de, 1
+keio-bizplaza.jp, 1
+keio-formula.com, 1
+keioni.com, 1
+keiralewis.co.uk, 1
+keirna.com, 1
+keisaku.org, 1
+keishi.co.jp, 1
+keishiando.com, 1
+keishicho-mirai-method.jp, 1
+keisinger.name, 1
+keitaro.io, 1
+keith.pro, 1
+keithazzopardi.tk, 1
+keithmcmillen.com, 1
+keiths.ml, 1
+keithstaxis.co.uk, 1
+keithws.net, 1
+keiyuki.com, 1
+keizeror.gov, 1
+kejar.id, 0
+kejpop.pl, 1
+kekaoxing.com, 1
+kekarimi.com, 1
+keke-shop.ch, 1
+kekku.li, 0
+kekoskee.gov, 1
+keks.loan, 1
+keksi.io, 0
+kelamanproduction.tk, 1
+kelamb.com, 1
+kelantan.tk, 1
+kelantanmudah.com, 0
+kelax.tk, 1
+kelcible.fr, 1
+kelcotool.com, 1
+keldan.fo, 1
+kelder.tk, 1
+kelderro.nl, 1
+kelinda.tk, 1
+kelio.io, 1
+kelis.fr, 1
+kell.tk, 1
+kell3r.ch, 1
+kellansite.com, 1
+keller-aarau.ch, 1
+keller-sports.at, 1
+keller-sports.be, 1
+keller-sports.ch, 1
+keller-sports.co.uk, 1
+keller-sports.com, 1
+keller-sports.de, 1
+keller-sports.dk, 1
+keller-sports.es, 1
+keller-sports.fr, 1
+keller-sports.it, 1
+keller-sports.nl, 1
+keller-x.at, 1
+keller-x.ch, 1
+keller-x.com, 1
+keller-x.de, 1
+keller-x.fr, 1
+keller-x.nl, 1
+keller-x.se, 1
+kellercore.tk, 1
+kellerencompass.com, 1
+kellerlan.org, 0
+kelleylatino.tk, 1
+kelleymcchesney.us, 1
+kellimacconnell.com, 1
+kellyandantony.com, 1
+kellygrenard.com, 1
+kellyosbourne.tk, 1
+kellyskastles.co.uk, 1
+kellyswordshop.com, 1
+kellyvoice.tk, 1
+kellywebcam.tk, 1
+kelm.me, 1
+kelme.com, 1
+keln.net, 1
+kelp.agency, 0
+kelsa.io, 0
+kelsall39.com, 1
+kelteks.com, 1
+kelts.tk, 1
+kelvinchung.tk, 1
+kelvinfichter.com, 0
+kelyan.fr, 1
+kelyon.info, 1
+kemahtx.gov, 1
+kemanai.akita.jp, 1
+kemand.com, 1
+kemba.com, 1
+kembla.com, 1
+kemeha.tk, 1
+kemerovo.gq, 1
+kemerovo.ml, 1
+kemerovo.tk, 1
+kemerovo42.tk, 1
+kemet.co.uk, 1
+kemhan.go.id, 1
+kemian.de, 1
+kemmerer-net.de, 0
+kemono.su, 1
+kempkens.io, 1
+kempnertx.gov, 1
+kemptechnologies.com, 0
+kemptonparkplumbing.co.za, 1
+kemptown.co.uk, 1
+kemptown.com, 1
+kemptown.net, 1
+kemsa.ga, 1
+kemsamnhatban.cf, 1
+kemsamnhatban.ga, 1
+kemsamnhatban.gq, 1
+kemsamnhatban.ml, 1
+kemsamnhatban.tk, 1
+ken-electric.com.br, 1
+ken.fm, 1
+kenbillionsyuan.tk, 1
+kenbonny.net, 0
+kendall.productions, 1
+kendallcountyil.gov, 1
+kendallvillein.gov, 1
+kendermore.it, 1
+kendernet.com, 1
+kendev.com, 1
+kendigawards.com, 1
+kendle.tk, 1
+kendrick.tk, 1
+kendu.si, 0
+kenduct.net, 1
+kenedytx.gov, 1
+kenedytxedc.gov, 1
+kenforeman.com, 1
+kengcoder.com, 1
+kengjoo.store, 1
+kenhhomestay.com, 1
+keniasfamilychildcare.com, 1
+keniff.gq, 1
+kenlewis.com, 1
+kenmo.org, 1
+kennebec.gov, 1
+kennedy.cf, 1
+kennedy.ie, 1
+kennedycorrentes18k.com.br, 1
+kennedyinsurancesolutions.com, 1
+kenners.org, 0
+kennethaasan.no, 1
+kennethandersen.com, 1
+kennethlim.me, 1
+kennethsentillas.com, 1
+kennewell.tk, 1
+kennfixx.com, 1
+kennfixx.de, 1
+kennis.ga, 1
+kennisnetwerkparkeren.nl, 1
+kenny-peck.com, 1
+kenny.technology, 1
+kennychan.xyz, 1
+kennynet.co.uk, 1
+keno.im, 1
+keno.tk, 1
+kenockeetownshipmi.gov, 1
+kenokallinger.at, 1
+kenoschwalb.com, 1
+kenpobolivia.tk, 1
+kenpotalca.tk, 1
+kenrick95.org, 1
+kens.pics, 0
+kensbouncycastles.co.uk, 1
+kensewerdoctor.com, 1
+kenshingakuen.or.jp, 1
+kensho-everyday.com, 1
+kensingtonsqca.com, 1
+kentcountyde.gov, 1
+kentdalevets.co.uk, 1
+kentec.net, 0
+kenteipay.jp, 1
+kenterlis.gr, 1
+kentlove.com, 1
+kento.nl, 1
+kentradioaeromodelers.com, 1
+kentut.xyz, 1
+kenvix.com, 0
+kenw.ca, 1
+kenwood-electronics.co.uk, 1
+kenwood.de, 1
+kenwood.eu, 1
+kenx5.eu.org, 1
+kenyachildrencentres.com, 1
+kenyonleblanc.com, 1
+kenyons.info, 1
+kenzelmann.eu, 1
+kenzelmann.name, 1
+kenzie.com.br, 1
+keops-spine.fr, 1
+keos.ga, 1
+keos.tk, 1
+kep-sbt.hu, 1
+kepak.tk, 1
+kepinski.ch, 0
+kepkonyvtar.hu, 1
+kepleruniklinikum.at, 1
+keponews.com, 1
+kepoper.com, 1
+keppler.tk, 1
+kepppi.com, 1
+kepsbt.hu, 1
+keralamurals.in, 1
+keramed.ga, 1
+keramed.gq, 1
+keramikaopava.cz, 1
+kerautretvian.fr, 1
+kerb-grossauheim.de, 1
+kerb.com, 1
+kerbin.org, 1
+kercovaparty.tk, 1
+kerdry.com, 1
+kerebro.com, 1
+keridos.de, 1
+keritial.eu.org, 1
+kerkdienststream.nl, 1
+kerkeslager.com, 1
+kerkukkitapcisi.com, 1
+kerkukvakfi.org, 1
+kermadec.com, 1
+kermadec.net, 1
+kermisgeluiden.nl, 1
+kermispagina.tk, 1
+kernel-error.com, 1
+kernel-error.de, 1
+kernel-panik.me, 1
+kernel-video-sharing.com, 1
+kernel.nz, 1
+kernelone.com, 1
+kernelpanics.nl, 1
+kernelprogrammer.com, 0
+kernet.com.ar, 1
+kernkompas.nl, 1
+kerocristais.pt, 0
+kerozenn.net, 1
+kerp.se, 0
+kerpen-renovieren.de, 1
+kerrcountytx.gov, 1
+kerrnel.com, 1
+kerroscale.in, 1
+kerryconsulting.com, 1
+kerrydavisguitars.tk, 1
+kersmexico.com, 1
+kerstboomkantenklaar.nl, 1
+kerstpagina.tk, 1
+kersvers.agency, 1
+kertis.tk, 1
+kerus.net, 1
+kervive.com, 1
+kescher.at, 1
+kescher.gay, 1
+kescher.site, 1
+keschi.at, 1
+kesef.org.il, 1
+kesen.news, 1
+kesen.wang, 1
+keshankang.com, 1
+keshankang.org, 1
+keshausconsulting.com, 1
+keshav.cc, 1
+keshavnet.com, 1
+kesifasya.com, 1
+kesinidulu.com, 1
+keskikorpimotorsport.fi, 1
+keskkonnaamet.ee, 0
+keskraamatukogu.ee, 1
+kessa.com, 1
+kesse.ru, 1
+kessel-runners.com, 1
+kesselrun.goip.de, 1
+kesslerandsons.com, 1
+kesteren.org, 1
+ketamine.co.uk, 1
+ketamine.uk, 1
+ketchcdn.com, 1
+ketchikan.gov, 1
+ketemulagi.com, 1
+ketgioisu.tk, 1
+ketoanvietnam.tk, 1
+ketocanine.ca, 1
+ketoconazole.gq, 1
+ketoliv.dk, 1
+ketotadka.com, 1
+kets.ru, 1
+kett.email, 1
+kettererholmes.tk, 1
+kettinggeleider.be, 1
+kettlemetalbbq.com, 1
+kettmail.com, 1
+kettsy.com, 1
+ketty-voyance.com, 0
+ketulgpatel.tk, 1
+ketzer.tk, 1
+keukenhof.nl, 1
+keukenstudio.tk, 1
+keurigbestprice.tk, 1
+keuvelaar.nl, 1
+keuze.nl, 1
+kevansizemore.com, 1
+kevay.nl, 1
+kevchia.com, 1
+kevertje.net, 1
+kevhosting.com, 1
+kevin-darmor.eu, 1
+kevin-emo.com, 1
+kevin-neirynck.tk, 1
+kevin-ta.com, 1
+kevin.tw, 0
+kevinackford.uk, 1
+kevinapease.com, 1
+kevinaud.io, 1
+kevinbardot.alwaysdata.net, 1
+kevinbauer.ca, 1
+kevinbowers.me, 1
+kevinchang.me, 1
+kevincox.ca, 1
+kevincoynepage.tk, 1
+kevincramer.net, 1
+kevinfigueroamusic.tk, 1
+kevinfoley.org, 1
+kevinfumbles.com, 1
+kevingsky.com, 1
+kevinhill.nl, 1
+kevinhq.com, 1
+kevinji.com, 1
+kevinkla.es, 1
+kevinlocke.name, 1
+kevinloganelectrical.co.nz, 1
+kevinmathiesen.tk, 1
+kevinmeijer.nl, 1
+kevinmo.com, 0
+kevinmoreland.com, 1
+kevinmorssink.nl, 1
+kevinn.nl, 1
+kevinpirnie.com, 1
+kevinrandles.com, 0
+kevinrousseeuw.be, 1
+kevinschoenmakers.tk, 1
+kevinscolaro.com, 1
+kevinvanderperren.tk, 1
+kevinvermassen.be, 1
+kevyn.lu, 1
+kewauneeco.gov, 1
+kexingqing.com, 1
+kexino.com, 1
+key-content.com, 1
+key-tracker.de, 1
+key.sa, 1
+key1111.com, 1
+key4.com.ua, 1
+keybase.io, 1
+keyblock.ga, 1
+keyblock.gq, 1
+keyblock.tk, 1
+keyboard-monkeys.net, 1
+keybored.co, 1
+keycat.de, 1
+keycdn.com, 1
+keycdn.xyz, 1
+keycodingjohannesburg.co.za, 1
+keycontainers.co.za, 1
+keydelay.tk, 1
+keyerror.com, 1
+keyesrobot.cn, 1
+keyfortech.com, 1
+keygen.sh, 1
+keyhani.tk, 1
+keyholdingservices.co.uk, 1
+keyhomechecker.com, 1
+keyihao.cn, 1
+keyinfo.io, 1
+keykong.io, 1
+keylength.com, 1
+keymaster.lookout.com, 0
+keymicrosystems.com, 1
+keynes.id.au, 1
+keyoxide.org, 1
+keyphotojs.cf, 1
+keypoint.edu.au, 1
+keypublishing.com, 1
+keyroot.tech, 1
+keys.fedoraproject.org, 1
+keyscore.me, 1
+keyscouts.com, 1
+keyserver.sexy, 0
+keysigma.co.uk, 1
+keysix.com, 1
+keysmedspa.com, 1
+keysofart.com, 1
+keysso.net, 1
+keystoimagination.com, 1
+keystone-europe.com, 1
+keytoenergy.com, 1
+keytomyq.com, 1
+keyua.org, 1
+keyworth-meadow.tk, 1
+keyyek.com, 0
+keziah.de, 1
+kezmanweb.tk, 1
+kezrenbeeming.com, 1
+kf-slot.com, 1
+kf005.com, 0
+kf199.com, 0
+kf2525.com, 1
+kf6636.com, 1
+kf66888.com, 0
+kf6820.com, 1
+kf688.com, 1
+kf7676.com, 0
+kf88666.com, 1
+kf8954.com, 0
+kf8955.com, 0
+kf8956.com, 0
+kf8957.com, 0
+kfassessment.eu, 1
+kfbl.cc, 1
+kfc.bike, 1
+kfgleasing.pl, 1
+kfh.com, 1
+kfirba.me, 1
+kfjgyb.com, 1
+kfk.haus, 1
+kfm.ink, 0
+kfmhf.ca, 1
+kfoundation.org, 1
+kfsys.cc, 1
+kfv-kiel.de, 1
+kfvullnetari-uck.tk, 1
+kfz-hantschel.de, 1
+kfz-sachverstand.de, 1
+kfz-service-wachtmann.de, 1
+kfz.nl, 1
+kfzjeugd.nl, 1
+kg7.pl, 1
+kgdev.fr, 1
+kgk-cgc.ch, 1
+kgk.gov.tr, 1
+kgky.cc, 1
+kgm-irm.be, 1
+kgmediafactory.com, 1
+kgnk.ru, 0
+kgs-neviges.de, 1
+kgt10.ru, 1
+kgun9.com, 1
+kgunion.com, 1
+kgv-zappendorf.tk, 1
+kh.pub.sa, 1
+khab03.ru, 1
+khabar24.tk, 1
+khachhangvietnam.tk, 1
+khadishalatina.com, 1
+khakasiya.ml, 1
+khakasiya.tk, 1
+khakassia.cf, 1
+khakassia.ga, 1
+khakassia.gq, 1
+khakassia.tk, 1
+khaki.ga, 1
+khakiblossom.com, 1
+khakim.gq, 1
+khakim.tk, 1
+khaledalsabt.com, 1
+khaledkhan.ml, 1
+khaleesi.tk, 1
+khalidalnajjar.com, 1
+khalidmail.tk, 1
+khaliinfo.tk, 1
+khalti.com, 1
+khampha.vn, 0
+khanacademy.org, 1
+khanh.sh, 1
+khankandi.tk, 1
+khanovaskola.cz, 1
+khaotipthai.se, 1
+kharatinoil.ml, 1
+kharkiv.tk, 1
+kharkov.tk, 1
+khas.co.uk, 1
+khatoco.com, 1
+khayal-3d.com, 1
+khda.gov.ae, 1
+khdestiny.tk, 1
+khebranet.tk, 1
+khepri.uk, 1
+kheshtar.pl, 1
+khetzal.info, 1
+khey-tv.fr, 1
+khg-orchester.de, 1
+khimno.com, 1
+khipu.com, 1
+khm.v.ua, 1
+khmb.ru, 0
+khmerios.tk, 1
+khmerlive.cf, 1
+khmrynok.com.ua, 1
+khoasweb.tk, 1
+khodromedic.com, 1
+khojhealth.com, 1
+khonaka.com, 1
+khorne.me, 1
+khoteyev.tk, 1
+khouloud.de, 1
+khoury-dulla.ch, 0
+khouryalexandre.com, 0
+khoxuongchothuegiare.vn, 1
+khramtsov.org, 1
+khristov.com, 1
+khronos.org, 1
+khs1994.com, 1
+khslaw.com, 1
+khste-ceciliamoorsel.tk, 1
+khudothiswanpark.vn, 1
+khukhrain.tk, 1
+khusal.tk, 1
+khwezifinancialservices.co.za, 1
+khwiki.com, 1
+ki-management.ch, 1
+ki.ki, 1
+ki6rbv.com, 1
+kiacatherine.sg, 1
+kiadoapartman.hu, 1
+kiahalchemy.com, 1
+kialo-edu.com, 1
+kialo-pro.com, 1
+kialo.com, 1
+kiamehr.tk, 1
+kiano.net, 0
+kiapartsnow.com, 1
+kiapps.ovh, 1
+kiarayoga.com, 1
+kiarey.net, 1
+kiasarnews.tk, 1
+kiasystems.com, 1
+kibea.net, 1
+kibibit.net, 1
+kibickas.lt, 1
+kibizoid.tk, 1
+kibonnu.com, 1
+kichemalamut.tk, 1
+kick-in.nl, 1
+kickasscanadians.ca, 1
+kickasspoker.com, 1
+kickback-studios.com, 1
+kickedmycat.com, 1
+kickex.com, 1
+kickico.com, 1
+kickitfootball.com.au, 1
+kicksecure.com, 1
+kickshack.tk, 1
+kicktipp.at, 1
+kicktipp.ch, 1
+kicktipp.co.uk, 1
+kicktipp.com, 1
+kicktipp.com.br, 1
+kicktipp.de, 1
+kicktipp.es, 1
+kicktipp.it, 1
+kicktipp.nl, 1
+kicktipp.pl, 1
+kicktipp.pt, 1
+kickzy.nl, 1
+kicou.info, 1
+kiczeklaw.com, 1
+kiczela.eu, 1
+kidalt.tk, 1
+kidaptive.com, 1
+kidbacker.com, 1
+kidcentraltn.com, 1
+kidderminster.ac.uk, 1
+kiddies.tk, 1
+kiddieskingdom.tk, 1
+kiddocom.org, 1
+kiddoscape.eu, 1
+kiddyboom.ua, 1
+kiddyland.co.jp, 1
+kidfitseries.com.au, 1
+kidis.lt, 1
+kidisov.tk, 1
+kidm4k.com, 1
+kidnappedbyhamas.ca, 1
+kidney.ca, 1
+kidneydonation.com, 1
+kidneyst.one, 1
+kido-dc.jp, 1
+kidonng.me, 1
+kids-castles.com, 1
+kids-ok.com, 1
+kids-world.dk, 1
+kids.gov, 1
+kids2day.in, 1
+kids360pediatrics.com, 1
+kidsblock.cc, 1
+kidsclub.photos, 1
+kidsdaysout.co.uk, 1
+kidsdinefree.com, 1
+kidsdj.co.uk, 1
+kidsforsavingearth.org, 1
+kidsgoga.ga, 1
+kidsinwoods-interfacesouth.org, 1
+kidslearners.com, 1
+kidsmark.net, 1
+kidsneversleep.com, 0
+kidsontheyard.com, 1
+kidspaper.nl, 1
+kidsplace.tk, 1
+kidsplaybouncycastles.co.uk, 1
+kidstraysers.ga, 1
+kidstraysest.ga, 1
+kidswear.ml, 1
+kidswear.tk, 1
+kidswithguns.tk, 1
+kidtoyshop.ru, 1
+kidwater4ut.gov, 1
+kidz.school.nz, 1
+kidzonet.io, 1
+kidzpartiesllp.co.uk, 1
+kidzsmile.co.uk, 1
+kiebel.de, 1
+kiedys.net, 1
+kiefnersoftware.com, 1
+kiehost.tk, 1
+kiekin.org, 1
+kiekko.pro, 1
+kielux.de, 1
+kielwi.gov, 1
+kienlen.org, 1
+kientrucphunguyen.com, 1
+kienviethung.com, 1
+kieran-mcguire.uk, 1
+kieran.de, 1
+kieranjones.uk, 1
+kieranpotts.com, 1
+kieranweightman.me, 1
+kierlandgolf.com, 0
+kierweb.co.uk, 1
+kiesjeplek.nl, 1
+kiesmedia.com, 0
+kiesuwarbeidsrechtadvocaat.nl, 1
+kiesuwkerstkaart.nl, 1
+kietblog.tk, 1
+kieutruong.com, 1
+kiev-live.tk, 1
+kievanrus.tk, 1
+kievholod.in.ua, 1
+kievkiralikotel.com, 1
+kievlove.tk, 1
+kiewit.com, 1
+kiezlerovi.cz, 1
+kif.rocks, 0
+kiffmarks.com, 1
+kifid.nl, 1
+kigurumi-party.ru, 1
+kihi.news, 1
+kiinanharjakoirat.tk, 1
+kiinteistot-lidl.fi, 1
+kiiteyo.net, 1
+kijkmeaanwanneerik.com, 1
+kik-info.com, 1
+kik-textilien.sk, 1
+kik.at, 1
+kik.cz, 1
+kik.de, 1
+kik.ee, 0
+kik.es, 1
+kik.eu, 1
+kik.hr, 1
+kik.hu, 1
+kik.nl, 1
+kik.pl, 1
+kik.pt, 1
+kik.ro, 1
+kik.si, 1
+kikbb.com, 1
+kiki-voice.jp, 1
+kikikanri.biz, 1
+kikivega.net, 1
+kikki.io, 1
+kiku.pw, 1
+kilian-sommer.de, 1
+kilian.gallery, 1
+kiliansommer.de, 1
+kilianvalkhof.com, 1
+kiliflix.de, 1
+kiliframework.org, 1
+kilimstyle.com, 1
+kilkennyaccountingservices.ie, 1
+kilkimzaibu.tk, 1
+kill.trade, 1
+killallsudoers.cloud, 1
+killaraapartments.com.au, 1
+killarnee.org, 1
+killborn.tk, 1
+killdeer.com, 1
+killedbynlp.com, 1
+killeenhardware.co.uk, 1
+killenny45.hopto.org, 1
+killer-fashion.tk, 1
+killergreen.tk, 1
+killerrabb.it, 1
+killerrobots.com, 1
+killerwebsites.com.au, 1
+killharmonic.tk, 1
+killme.rocks, 1
+killmebaby.ml, 1
+killmenow.tk, 1
+killtv.me, 1
+killua-website.tk, 1
+killymoonbouncycastles.com, 1
+kilo-files.tk, 1
+kilobyte22.de, 1
+kilogram.nl, 1
+kilomberosugar.co.tz, 1
+kilometertje.nl, 1
+kiloton.tk, 1
+kilpiapp.com, 1
+kilte.tk, 1
+kim-coiffure.fr, 1
+kimai.cloud, 1
+kimama-protein.jp, 1
+kimbal.co.uk, 1
+kimballcountyne.gov, 1
+kimballwi.gov, 1
+kimballwv.gov, 1
+kimberleythomson.tk, 1
+kimberlitewaxmelts.co.uk, 1
+kimberlyal.gov, 1
+kimberlycaprice.com, 1
+kimbunlar.tk, 1
+kimdotcom.tk, 1
+kimdumaine.com, 1
+kimerald.tk, 1
+kimgirard.com, 1
+kimherala.xyz, 1
+kimicar.de, 1
+kimino-school.com, 1
+kimiris.com, 0
+kimis.gr, 1
+kimisia.net, 1
+kimitang.com, 1
+kimmel.com, 0
+kimmel.in, 0
+kimmientje.tk, 1
+kimochi.info, 1
+kimono-furuya.com, 1
+kimono-hishiya.jp, 1
+kimono-yamaguchiya.com, 1
+kimonoplatform.com, 1
+kimoo.co, 1
+kimotodental.com, 1
+kimphattai.vn, 1
+kimsesizlereumutol.tk, 1
+kimsufi-jordi.tk, 1
+kimtran.kim, 1
+kimtstore.com, 1
+kimverly.no, 1
+kimxxx.org, 1
+kin-mail.at, 1
+kin-mail.de, 1
+kin-mail.net, 1
+kinaesthetics-begleitung-zuhause.at, 1
+kinaesthetics-forschung.net, 1
+kinaesthetics-net.at, 1
+kinaesthetics-net.ch, 1
+kinaesthetics-net.de, 1
+kinaesthetics-net.eu, 1
+kinaesthetics-net.it, 1
+kinaesthetics-verein.de, 1
+kinaesthetics.at, 1
+kinaesthetics.ba, 1
+kinaesthetics.by, 1
+kinaesthetics.ch, 1
+kinaesthetics.de, 1
+kinaesthetics.dk, 1
+kinaesthetics.es, 1
+kinaesthetics.ge, 1
+kinaesthetics.hr, 1
+kinaesthetics.it, 1
+kinaesthetics.li, 1
+kinaesthetics.net, 1
+kinaesthetics.pl, 1
+kinaesthetics.ro, 1
+kinaesthetics.ru, 1
+kinaesthetik-verein.de, 1
+kinamedia.se, 1
+kinanart.com, 1
+kinanbudotenero.tk, 1
+kinandcarta.com, 1
+kinautas.com, 1
+kincai.de, 1
+kindan.net, 1
+kindapoth.com, 1
+kinde.com, 1
+kinden-giankyou.jp, 1
+kinden-kizuna.com, 1
+kinder-garten.tk, 1
+kinderarzt-berlin-zia.de, 1
+kinderarzt-traunstein.de, 1
+kinderballett-frankfurt.de, 1
+kinderbasar-luhe.de, 1
+kinderbuecher-kostenlos.de, 1
+kinderchirurgie-muenchen.de, 1
+kinderchor-bayreuth.de, 1
+kinderevents-sehnde.de, 1
+kindergarten.vic.gov.au, 1
+kinderhaus-kunterbunt-priestewitz.de, 1
+kinderhilfe-nepal-mitterfels.de, 1
+kinderjugendfreizeitverein.de, 1
+kinderkleding.news, 1
+kindermarket.bg, 1
+kindernothilfe.de, 1
+kinderopvang.gent, 1
+kinderopvangthuis.nl, 1
+kinderosteopathie-osteopathie.de, 1
+kinderpneumologie.ch, 1
+kindertagespflege-rasselbande-halle.de, 1
+kinderzorg.tk, 1
+kindesfreude.ch, 1
+kindfotografie.nl, 1
+kindle, 1
+kindler-design.ch, 1
+kindler.xyz, 1
+kindlezs.com, 1
+kindredcode.com, 1
+kindredcode.net, 1
+kindredcode.org, 1
+kindredspirits.tk, 1
+kindspace.ca, 1
+kine-duthil.fr, 1
+kinebamps.be, 1
+kinebioquimica.com, 1
+kinecenter.ec, 1
+kinecle.com, 1
+kinencoin-tv.com, 1
+kinepolis-studio.ga, 1
+kinerehabqro.com, 1
+kinescopecdn.net, 1
+kinesiologie.tk, 1
+kinesiologikerteminde.dk, 1
+kinesiologiodense.dk, 1
+kinesiologiskolen-syd.dk, 1
+kinesiologiuddannelsen.dk, 1
+kineticsdrive.com, 1
+kinetikos.com.au, 1
+kinetiq.com, 1
+kinfule.tk, 1
+king-of-the-castles.com, 1
+kingandmcgaw.com, 1
+kingant.net, 1
+kinganywhere.eu, 1
+kingautodetailing.id, 1
+kingbot.tk, 1
+kingchess.vip, 1
+kingclass.cn, 1
+kingcourriel.fr, 1
+kingdirectionaldrilling.com, 1
+kingdomcitymo.gov, 1
+kingdomcrawlers.tk, 1
+kingdominnergy.com, 1
+kingdoms.gg, 1
+kingdomshow.mx, 1
+kingedwardvii.co.uk, 1
+kingfast.cc, 1
+kingfast.eu.org, 1
+kingfin.com, 1
+kingfisherhallacademy.org.uk, 1
+kingiescastles.co.uk, 1
+kingjamesbibleonline.org, 1
+kingkongxo.com, 1
+kinglandclearing.com, 1
+kinglier.ga, 1
+kingliey.ga, 1
+kingmakers.academy, 1
+kingofshooting.com, 1
+kingofthecastlecoventry.co.uk, 1
+kingofthecastlesentertainments.co.uk, 1
+kingofthecastlesouthwales.co.uk, 1
+kingofthecastlesrhyl.co.uk, 1
+kingpay.com, 1
+kingpincages.com, 1
+kingsaft.net, 1
+kingsblueblue.com, 0
+kingsburybc.uk, 1
+kingsfoot.com, 1
+kingsfordmi.gov, 1
+kingshome.gr, 1
+kingsley.cc, 1
+kingsolomoncages.com, 1
+kingsound.tk, 1
+kingstake.network, 1
+kingston-fear.com, 1
+kingstonga.gov, 1
+kingstonma.gov, 1
+kingsvilletexas.com, 1
+kingtech8.tk, 1
+kingtreeexperts.com, 1
+kingyo-bowl.com, 1
+kini24.ru, 1
+kinison.com, 1
+kinja.com, 1
+kinjerboerebroelof.tk, 1
+kinkenonline.com, 1
+kinklist.me, 0
+kinksecrets.ga, 1
+kinkvr.com, 1
+kinky-books.com, 1
+kinkyinlaws.com, 1
+kinkyspa.com, 1
+kinnerfisch.cn, 1
+kinnettmemorial.org, 1
+kinnikinnick.com, 0
+kino-boom.tk, 1
+kino-dom.tk, 1
+kino-doma.tk, 1
+kino-room.ga, 1
+kino-zavr.tk, 1
+kinobag.tk, 1
+kinobarashka.ga, 1
+kinoblik.tk, 1
+kinocheck.com, 1
+kinocheck.de, 1
+kinodrom.kiev.ua, 1
+kinodrom.tk, 1
+kinofest.tk, 1
+kinofile.tk, 1
+kinofilmionline.tk, 1
+kinogold.tk, 1
+kinograd.tk, 1
+kinohi.tk, 1
+kinoks.fr, 1
+kinokub.tk, 1
+kinolex.ml, 1
+kinology.tk, 1
+kinomagia.cf, 1
+kinomangas.ml, 1
+kinomangas.tk, 1
+kinomaniac.tk, 1
+kinomoto.ovh, 0
+kinoplex.com.br, 1
+kinoprostor.tv, 1
+kinos.nl, 0
+kinoscope.tk, 1
+kinoserver.ml, 1
+kinosha.tk, 1
+kinoshkahd.tk, 1
+kinoshki.ga, 1
+kinovam.tk, 1
+kinovsem.ml, 1
+kinowork.tk, 1
+kinozone.tk, 1
+kinschots.eu, 1
+kinsei.jp, 1
+kinshipnd.com, 1
+kintawifi.com, 1
+kinter.media, 1
+kinto.pro, 1
+kintone.com, 1
+kintore.tv, 1
+kintsu.com.br, 1
+kintsugi-beauty.com, 0
+kintsugispace.com, 1
+kinualive.com, 1
+kinugasa.or.jp, 1
+kinvault.com, 1
+kinyued.store, 1
+kiocloud.com, 0
+kiokoman.eu.org, 0
+kiomara.com, 1
+kiomoda.com, 1
+kionetworks.com, 0
+kionetworks.es, 1
+kioskcomedy.org, 1
+kiosque-famille.net, 1
+kiosquefamille.fr, 1
+kiot.eu, 1
+kiousis.me, 1
+kiow.com, 1
+kip-ribbetjes-bestellen.be, 1
+kipa.at, 1
+kiparchive.org, 1
+kipcrepair.com, 1
+kipi.si, 1
+kipiradio.com, 1
+kiplelive.com, 1
+kippenbart.gq, 1
+kipriakipita.gr, 1
+kiprinform.com, 1
+kiprotect.com, 1
+kiprusoffsummers.tk, 1
+kiraboshi.xyz, 1
+kiragameforum.net, 1
+kirahvi.me, 1
+kirainmoe.com, 1
+kirakorosi.tk, 1
+kiraku.co, 1
+kiralikjeneratorankara.tk, 1
+kirana.studio, 1
+kiraqueen.net, 1
+kirarie-kusatsu.com, 1
+kirbear.com, 1
+kirbyvt.gov, 1
+kirche-bamberg.de, 1
+kirchen-im-web.de, 0
+kirchenchor-oedsbach.de, 1
+kirchenchor-olzheim.de, 1
+kirchengemeinde-markt-erlbach.de, 1
+kirchner.social, 1
+kircp.com, 1
+kirei.se, 1
+kiret.tk, 1
+kirgistan.tk, 1
+kiriani.me, 1
+kirie-photos.tk, 1
+kirikira.moe, 1
+kirill.ws, 1
+kirillaristov.com, 1
+kirina.nl, 1
+kirinas.com, 1
+kirka.ga, 1
+kirkae.com, 1
+kirkforcongress.com, 1
+kirkforsenate.com, 1
+kirkify.com, 1
+kirkintillochbc.co.uk, 1
+kirkkonummenavhkerho.net, 1
+kirkovsky.com, 1
+kirkwood-smith.com, 1
+kirkwoodfencing.com, 1
+kirkwoodoutdoors.com, 1
+kirmizipill.com, 1
+kiropraktoristockholm.se, 1
+kirov.ml, 1
+kirovcity.tk, 1
+kirovgrad.tk, 1
+kirrie.pe.kr, 1
+kirs.is, 1
+kirsch-gestaltung.de, 1
+kirschbaum.cloud, 1
+kirsehir.tk, 1
+kirsehirhaber.tk, 1
+kirstenbos.ca, 1
+kirstengillibrand.com, 1
+kirstycouture.co.uk, 1
+kirstygreenwoodartist.ga, 1
+kirus.de, 1
+kirwandigital.com, 1
+kisakazan.ml, 1
+kisallatorvos.hu, 1
+kisaragi.fund, 1
+kisaragi.works, 1
+kisaragihayato.com, 1
+kisbridgingloans.co.uk, 1
+kiseimarriage.com, 1
+kisel.org, 1
+kish-takhfif.com, 1
+kishcar.co, 1
+kishenya.ua, 1
+kisiselveri.com, 1
+kiskeedeesailing.com, 1
+kislovodsk-zamok.tk, 1
+kisma.de, 1
+kismy.ga, 1
+kismy.tk, 1
+kismyder.tk, 1
+kissanime.moe, 1
+kisser.name, 1
+kissesb.net, 1
+kissgyms.com, 1
+kissima-gakou.ml, 1
+kissimmee.gov, 1
+kissmateszabolcs.hu, 1
+kissmycreative.com, 1
+kissoft.ro, 1
+kisspeptin.com, 1
+kistenmacher.net, 1
+kistipro.tk, 1
+kisulki.tk, 1
+kisumuterraceapartments.tk, 1
+kisvasut.tk, 1
+kita-bicibici.de, 1
+kita-freie-schule.de, 1
+kita-mfg.com, 1
+kita-nimmersatt-bundorf.de, 1
+kita-sun.com, 1
+kita.moe, 1
+kitabgaul.com, 0
+kitabnamabayi.com, 1
+kitacoffee.com, 1
+kitagawa-internal-medicine-clinic.com, 1
+kitaharima-ikiiki.com, 1
+kitchen-design.cf, 1
+kitchen-design.tk, 1
+kitchenguides.org, 1
+kitchenkettle.com, 1
+kitchenlove.tk, 1
+kitchenpad.biz, 1
+kitchenpad.co.uk, 1
+kitchenpad.info, 1
+kitchenpad.net, 1
+kitchenpad.org, 1
+kitchenpad.us, 1
+kitchenpadtimer.com, 1
+kitchenvile.com, 1
+kitchenware.ml, 1
+kitchenware.tk, 1
+kitchenwarehouseltd.com, 1
+kitchenwarestore.xyz, 1
+kitchfurnit.tk, 1
+kitconcept.com, 1
+kitconcept.de, 1
+kitdealoevera.com, 1
+kite-surf.tk, 1
+kite-surfen.tk, 1
+kiteboard-selbstbau.tk, 1
+kitebowl.ru, 1
+kitenation.com, 1
+kiteschoolamsterdam.nl, 1
+kiteschooledam.nl, 1
+kiteschoolnoordwijk.nl, 1
+kiteschoolofkenpo.co.uk, 1
+kitesurfen.tk, 1
+kitevalley.tk, 1
+kitgratos.tk, 1
+kitke.de, 1
+kitkit.cf, 1
+kitkit.tk, 1
+kitpara.shop, 1
+kits-graphiques-shop.tk, 1
+kits-graphiques.tk, 1
+kitsap.gov, 1
+kitscan.com, 1
+kitseliit.ee, 1
+kitspersonal.tk, 1
+kitsplumbingandheating.com, 1
+kitsquid.de, 1
+kitsuna.eu, 1
+kitta.tk, 1
+kittatinny5.org, 1
+kitten-advice-forum.cf, 1
+kittenexchangeers.ga, 1
+kittenexchangeest.ga, 1
+kittentoob.com, 1
+kittitascounty.gov, 1
+kittleapps.com, 1
+kittmedia.com, 0
+kittnerbg.com, 1
+kittpress.com, 0
+kitty-core.org, 1
+kittyblair.org, 1
+kittygalore.nl, 1
+kittyhacker101.tk, 0
+kittyknickers.com.au, 1
+kittymagician.com, 0
+kittypryde.tk, 1
+kittystar.com, 1
+kittywilder.com, 1
+kivacontainer.com, 1
+kivitelezesbiztositas.hu, 1
+kivitv.com, 1
+kiwee.eu, 1
+kiweeagentur.de, 1
+kiwi.com, 1
+kiwi.global, 1
+kiwi.ki, 1
+kiwibird.tokyo, 1
+kiwicoworking.com, 1
+kiwideo.ro, 1
+kiwiflowershop.com.ua, 1
+kiwilove.es, 1
+kiwing.ddns.net, 1
+kiwipayment.com, 1
+kiwipedia.sk, 1
+kiwiplace.com, 0
+kiwisouvenirs.com, 1
+kiwitastic.com, 1
+kiwiz.co.uk, 1
+kix.moe, 1
+kizetroniko.tk, 1
+kizkulesi.tk, 1
+kizomba.info, 1
+kiztarafi.net, 1
+kizunaai.eu.org, 1
+kizzedbykelz.com, 1
+kizzycode.de, 1
+kj1396.net, 1
+kjaer.io, 1
+kjall.me, 1
+kjarni.cc, 1
+kjarrval.is, 1
+kjccradio.tk, 1
+kjcdaily.xyz, 1
+kjchernov.info, 1
+kjellner.com, 1
+kjellvn.net, 1
+kjfaudio.com, 1
+kjg-dossenheim.org, 1
+kjkesklinna.edu.ee, 1
+kjkmail.de, 1
+kjmedia.dk, 1
+kjnotes.com, 1
+kjrh.com, 1
+kjv.fan, 1
+kk-bs.de, 1
+kk-gruppe.net, 1
+kk.gt, 1
+kk.in.th, 1
+kk.sb, 0
+kk5197.co, 1
+kk575757.com, 1
+kk6729.co, 1
+kk6729.com, 0
+kk6957.co, 1
+kk9297.co, 1
+kk9721.com, 1
+kk9728.co, 1
+kka.vc, 1
+kkangeli.tk, 1
+kkaramela.eu, 1
+kkc.com, 1
+kkcinemas.in, 1
+kkcomcon.com, 1
+kkdesignsco.com, 1
+kke8tt.top, 1
+kkforwarding.com, 1
+kkgn.nl, 1
+kki.org, 1
+kkiskra.tk, 1
+kkk0011.com, 0
+kkk101.com, 0
+kkk102.com, 0
+kkk104.com, 0
+kkk106.com, 0
+kkk109.com, 0
+kkk201.com, 0
+kkk202.com, 0
+kkk203.com, 0
+kkk204.com, 0
+kkk208.com, 0
+kkk209.com, 0
+kkkkk.click, 1
+kklb.de, 1
+kknapredak-rubin.tk, 1
+kkpig.cn, 0
+kkpp.ga, 1
+kkr-bridal.net, 1
+kkren.me, 0
+kks.ch, 1
+kksg-sulzbach.de, 1
+kksg.com, 0
+kksshop.com, 1
+kkws.co, 1
+kkyy.me, 1
+kkzxak47.com, 1
+kl008888.com, 1
+klaasvantornout.tk, 1
+klabnik.cz, 1
+klabnikova.cz, 1
+klacki.de, 1
+klackingtownshipmi.gov, 1
+klad.tk, 1
+kladionice.tv, 1
+kladson.com, 1
+kladzdor.ga, 1
+kladzdor.tk, 1
+klamathrestoration.gov, 1
+klamathtribalhealth.gov, 1
+klanggut.at, 1
+klankenkast.nl, 1
+klanklichaam.be, 1
+klapib.ee, 1
+klapsinakis.gr, 1
+klapty.com, 1
+klares-licht.de, 1
+klarheit.at, 1
+klarika.com, 1
+klarmobil-empfehlen.de, 1
+klart.se, 1
+klaspas.be, 1
+klassen.tk, 1
+klassenfahrt-tirol.at, 1
+klassiekballet.tk, 1
+klassika.cf, 1
+klassika.tk, 1
+klatschreime.de, 1
+klaudialeszczynska.pl, 1
+klauke-enterprises.com, 0
+klaukegear.eu, 1
+klaus-pforte.de, 1
+klausapp.com, 0
+klausbrinch.dk, 1
+klausen.dk, 1
+klausfischer.info, 1
+klausfoerster.tk, 1
+klauspforte.de, 1
+klauswissmann.com, 1
+klautshop.com, 1
+klavarog.tk, 1
+klaver.it, 1
+klaverjassen.tk, 1
+klavierhaus-klavins.de, 1
+klavierwunsch.de, 1
+klaviskripta.com, 1
+klaxon.ml, 1
+klaymemez.com, 1
+kle.cz, 1
+klea.tk, 1
+kleaning.by, 1
+kleebauerhof.com, 1
+kleen.tk, 1
+kleenkraftservices.com, 1
+kleidertauschpartys.de, 1
+kleim.fr, 1
+kleinblogje.nl, 0
+kleine-dingen.nl, 1
+kleine-strandburg-heringsdorf.de, 0
+kleine-strandburg.com, 0
+kleine-strolche-lich.de, 1
+kleine-viecherei.de, 1
+kleineanfragen.de, 1
+kleineserver.nl, 1
+kleinestrandburg-heringsdorf.de, 0
+kleinestrandburg-usedom.de, 0
+kleinfein.co, 1
+kleinhamilton.co.uk, 1
+kleinhaneveld.tk, 1
+kleinhapl.com, 1
+kleinhelena.dynv6.net, 1
+kleinreich.de, 1
+kleins-hutorok.de, 1
+kleinserienproduktion.com, 1
+kleinsys.com, 1
+kleintransporte.net, 0
+kleinwenner.eu, 1
+kleise.gr, 1
+kleki.com, 1
+klementijgerta.tk, 1
+klemkow.net, 1
+klemkow.org, 1
+klempin.co.uk, 1
+klempin.me, 1
+klempin.net, 1
+klempin.org, 1
+klempin.se, 1
+klempin.uk, 1
+klen.ua, 1
+klenc.eu, 1
+kleor.com, 1
+kleteckova.cz, 1
+kletsenenproeven.nl, 1
+kletskoek.com, 1
+kleurbkennen.nl, 1
+kleuro.nl, 1
+klev.tk, 1
+klever.com.mk, 1
+kleverltd.ru, 1
+kli.is, 1
+klickinvite.com, 1
+klickstdu.com, 1
+kliemann.me, 1
+klik3.nl, 0
+klikacc.com, 0
+klikarnia.pl, 1
+kliki.tk, 1
+klikket.dk, 1
+kliklinks.tk, 1
+klikmanga.id, 1
+klikmarket.tk, 1
+klikweb.id, 1
+klima.com, 1
+klimaanlage-fehler.net, 1
+klimaatkids.be, 1
+klimaatstad.gent, 1
+klimacamp-sterkraderwald.de, 1
+klimafakten.de, 1
+klimakamp.nu, 1
+klimakomplekt.com, 1
+klimalaan.no, 1
+klimalan.no, 1
+klimaloven.no, 1
+klimapartner.de, 0
+klimapartner.net, 1
+klimaplattform-milch.de, 1
+klimatt.com, 1
+klimchuk.by, 0
+klimeck.com, 1
+klinesignals.com, 1
+klingeletest.de, 1
+klingenundmesser.com, 1
+klinik-fuer-aesthetische-zahnheilkunde.de, 1
+klinikac.co.id, 0
+klinikasoyuz.ru, 1
+klinikatlantis.com, 1
+klinikum-oberberg.de, 1
+klinikum-oldenburg.de, 1
+klinkenberg.ws, 1
+klinkenbergschoenen.nl, 1
+klinkersnab.ru, 1
+klinknetz.de, 1
+klinkov.tk, 1
+klinlab.cz, 1
+klipa.tk, 1
+klishyn.com, 1
+klitmoeller.de, 1
+klitmoeller.dk, 1
+klitoris.com.tr, 1
+kliu.io, 0
+klj-beveren.tk, 1
+klj-kruibeke.tk, 1
+klj-walshoutem.tk, 1
+kll.li, 1
+klm-huisjes.nl, 1
+klmgewinnspiel.de, 1
+klmhouses.com, 1
+klocast.com, 1
+klocksnack.se, 0
+kloclabs.com, 1
+klogeschichten.net, 1
+kloia.com, 1
+klokhuis.nl, 1
+klokkenluidersvg.nl, 1
+kloop.kg, 1
+klop.info, 1
+klose.family, 1
+klosko.net, 1
+kloudstack.me, 0
+klover-avantages.fr, 1
+klover-cse.fr, 1
+kloza.tk, 1
+kls-desk.com, 1
+kls-platform.com, 1
+klssn.com, 1
+klu.io, 1
+klub-zajmov.ga, 1
+klub.tk, 1
+klubcajovna.cz, 1
+kluberphoto.hu, 1
+klubfitness.pl, 1
+klubgerlach.sk, 1
+klubwsl.tk, 1
+kluck.me, 1
+kludge.eu, 1
+klugemedia.de, 1
+klumba.org, 1
+klusbedrijfdupau.nl, 1
+klushka.cf, 1
+klushnikova.tk, 1
+klustermedia.com, 1
+klusweb-merenwijk.nl, 1
+klutchcard.com, 1
+klute.spdns.de, 1
+kluzza.nl, 1
+klva.cz, 1
+km8.co, 1
+kma.ua, 1
+kmap-state-ks.us, 1
+kmartgifted.com.au, 1
+kmb-chat.de, 1
+kmch.com, 1
+kmdarkmaster.tk, 1
+kmdevelop.com, 1
+kmecnc.com, 1
+kmeditour.net, 1
+kmhesaplama.com, 1
+kmk.hu, 1
+kmkz.jp, 1
+kmoes.ch, 1
+kmov.cc, 1
+kmpropertyfunds.com, 1
+kmpropertyfunds.com.au, 1
+kmrgroup.com, 1
+kmsk.tk, 1
+kmsm.com.au, 1
+kmzs123.cn, 1
+kn007.net, 1
+kn40la.com, 1
+kn4ivj.com, 1
+kn4ola.com, 1
+kn6olc.org, 1
+knabden.co.za, 1
+knabstrup-autoophug.dk, 1
+knallfrosch.ddnss.de, 1
+knapenzutendaal.tk, 1
+knapp.noip.me, 1
+knapp.pro, 1
+knapp.servehttp.com, 1
+knarcraft.net, 1
+knarkkorven.tk, 1
+knarzkopf.de, 1
+knashaug.com, 1
+knauf.com, 1
+knautiluz.net, 0
+knbbw-frnab.tk, 1
+knblog.jp, 1
+kncg.pw, 1
+kndrd.io, 1
+kneblesauto.com, 1
+knecht.ca, 1
+knechtology.com, 1
+kneerux.de, 1
+kneginec.hr, 1
+knegten-agilis.com, 1
+kneli.co.il, 1
+knep.me, 0
+kneppe.me, 1
+knetterbak.nl, 1
+kngk-transavto.ru, 1
+kngkng.com, 1
+knhchula.com, 1
+kniga-ru.tk, 1
+kniga.market, 0
+knigareceptov.cf, 1
+knigareceptov.tk, 1
+knighki-knighki.ml, 1
+knighkidoma.tk, 1
+knightsblog.de, 1
+knightsbridge.net, 1
+knightsfs.ie, 1
+knightsweep.com, 0
+knighulki.cf, 1
+knigi-free.cf, 1
+knigi-market.ml, 1
+knigi-na-dom.cf, 1
+knigi-zdes.gq, 1
+knigifast.ga, 1
+knigiunass.tk, 1
+knihovnajablonne.cz, 1
+knirps.com, 1
+knirps.de, 1
+knirps.fr, 1
+knirps.nl, 1
+knispelonline.de, 1
+knitfarious.com, 1
+knitted-hats.tk, 1
+knitted-things.tk, 1
+knitting-lace.tk, 1
+knitting.cz, 1
+knittingmallers.ga, 1
+knittingmallest.ga, 1
+knittingstory.cf, 1
+knivesandblades.co.uk, 1
+kniwweler.com, 1
+knize.tech, 1
+knizhniy.com, 1
+knjazevac.tk, 1
+knjizevic.at, 0
+knkv.nl, 1
+knmv.nl, 1
+knnet.ch, 1
+knoffyoga.com, 1
+knop.info, 0
+knorrnet.de, 1
+knotenpunkt-nbg.de, 1
+knottcountyky.gov, 1
+know.cf, 1
+know2protect.gov, 1
+knowbook.org, 1
+knowledge-base.info, 0
+knowledgeforce.com, 1
+knowledgehook.com, 1
+knowledgematters.com, 1
+knowledgesuccess.org, 1
+knowlevillagecc.co.uk, 1
+knowmoreplatform.com, 1
+knownsec.cf, 1
+knowrentalsers.ga, 1
+knowrentalsest.ga, 1
+knowthebus.cf, 1
+knowthebus.ga, 1
+knowthebus.gq, 1
+knowuproxy.com, 1
+knowyourday.ai, 1
+knowyourteam.com, 1
+knoxcountyil.gov, 1
+knoxcountyne.gov, 1
+knoxcountytn.gov, 1
+knoxvilleautosalesers.ga, 1
+knoxvilleautosalesest.ga, 1
+knoxvilleimplants.com, 1
+knoxvilletnpolice.gov, 1
+knrt.de, 1
+knrt.eu, 1
+knsrv.ml, 1
+knthost.com, 0
+kntt.lt, 1
+kntxt7.de, 0
+knuckles.tk, 1
+knulla.me, 1
+knulle.me, 1
+knurps.de, 1
+knuterikskare.no, 1
+knuthildebrandt.de, 0
+knuwiki.tk, 1
+knxstore.cz, 1
+knyawningrenovation.com, 1
+knygos.lt, 1
+knzb.nl, 1
+ko80.com, 1
+koaa.com, 1
+koala-pension.de, 1
+koala.one, 0
+koalapress.fr, 0
+koalarong.com, 1
+koalas.org, 1
+koanga.com.au, 1
+koba.jp, 1
+kobalux.com, 1
+kobb.tk, 1
+kobejet.com, 1
+koberl.com, 1
+kobet.tk, 1
+kobezda.net, 1
+kobieta.guru, 1
+kobietydokodu.pl, 1
+kobikian.com, 1
+kobil.com, 1
+kobly.com, 1
+kobofarm.com, 1
+koboldcraft.ch, 1
+koboldmalade.fr, 1
+kobovec.tk, 1
+kobrin.tk, 1
+kobtsev.tk, 1
+kobudo49.fr, 1
+koc.hu, 1
+kocaelihaber.tk, 1
+kocaeliyiseyret.com, 1
+koccoo.ga, 1
+koch-wro.pl, 1
+koch.com.au, 1
+kochadaiyaan.tk, 1
+kochbar.de, 1
+kochcommunity.com, 1
+kochdigital.dk, 1
+kocherev.org, 1
+kochereva.com, 1
+kocheshkov.cf, 1
+kochhar.net, 1
+kochi-death.ml, 1
+kochinke.com, 1
+kochinke.us, 1
+kochrezepte.tk, 1
+kochura.tk, 1
+kocka.cf, 1
+kockanakocko.si, 1
+kocovi.cz, 0
+kod13.com, 1
+kod5.com, 1
+kodak-ism.com, 1
+kodama-dorayaki.co.jp, 1
+kodambroker.com, 1
+kodar.tk, 1
+kodden.com.br, 1
+kode-it.de, 1
+kode.ch, 0
+kodeholic.me, 1
+kodes.com.tr, 1
+kodexplorer.ml, 1
+kodifirestick.info, 1
+kodify.net, 1
+kodigo.me, 1
+kodineuerleben.eu, 1
+kodioso.com, 1
+kodkollen.com, 1
+kodkollen.se, 1
+kodnistudio.com, 1
+koe.dk, 1
+koe.hn, 1
+koe.kr, 0
+koebbes.de, 1
+koeeusa.org, 1
+koef.nl, 1
+koehlhoff.de, 1
+koehn-consulting.com, 1
+koehn.com, 1
+koelbli.ch, 1
+koeldezomerdoor.nl, 1
+koelnerkarneval.de, 1
+koelnmafia.de, 1
+koelschs.de, 1
+koenberkhout.nl, 1
+koenig-pflueger.de, 1
+koenigsbrunner-tafel.de, 1
+koenleemans.nl, 1
+koenrh.com, 1
+koenrh.net, 1
+koenrh.nl, 1
+koenzk.nl, 1
+koerperkult.ch, 1
+koertner-muth.com, 1
+koertner-muth.de, 1
+koethen-markt.de, 1
+koetjesenkanker.nl, 1
+koez-mangal.ch, 1
+koffie-enzo.com, 1
+koffiekoeken.tk, 1
+koffiekompaan.nl, 1
+koffiezine.nl, 1
+kofler.info, 1
+kogak.ninja, 1
+kogax.com, 0
+kogi.fr, 1
+kogotok.gq, 1
+kogotok.ml, 1
+kogudesi.com, 1
+kohaku.love, 1
+kohama-obgy.jp, 1
+kohana.fi, 1
+kohlchan.net, 1
+kohlchan.top, 1
+kohlmajer.de, 1
+kohlpharma.com, 1
+kohparadise.com, 1
+koi-lexikon.de, 1
+koidulag.edu.ee, 1
+koifish.org, 1
+koing.de, 1
+koirala.email, 1
+koiro.fi, 1
+koishi.pro, 1
+koj.co, 1
+koji-tsujitani.net, 1
+kojiishikawa.com, 1
+kojipkgs.fedoraproject.org, 1
+koka-shop.de, 1
+kokakiwi.net, 1
+kokankart.com, 1
+koketteriet.se, 1
+kokk.loan, 1
+koko.news, 1
+kokoiroworks.com, 1
+kokomo.com.au, 1
+kokomoislandfiji.com, 1
+kokomoprivateisland.com, 1
+kokomoresorts.com, 1
+kokona.ch, 1
+kokona.link, 1
+kokoroheart.cf, 1
+kokoronomori.jp, 1
+kokos.pl, 1
+kokteili.tk, 1
+koktelparty.tk, 1
+kokumoto.com, 1
+kokuryu.ch, 1
+kokuyocamlin.com, 1
+kokwatersport.nl, 1
+kokyu-caba.com, 1
+kol7sry.news, 1
+kolabtree.com, 1
+kolaci.tech, 1
+kolaczek.cz, 1
+koladeogunleye.com, 1
+kolakamal.tk, 1
+kolania.com, 1
+kolania.de, 1
+kolania.net, 1
+kolaprestaurant.com, 0
+kolas.in, 1
+kolbeck.tk, 1
+kolbeinsson.se, 1
+kolcsey.eu, 1
+kolfan.tk, 1
+kolhozik.ml, 1
+kolibri.dk, 1
+kolibrikapp.com, 1
+kolibrisolutions.nl, 1
+kolin.org, 1
+kolizaskrap.bg, 1
+kolja-engelmann.de, 1
+kolkataflowermall.com, 1
+kolkatamatrimandir.tk, 1
+kolkinn.no, 1
+kollandsrud.tk, 1
+kollawat.me, 1
+kollega.it, 1
+kollegamenti.it, 1
+kollner.com, 1
+kollross.io, 1
+kolmann.at, 1
+kolmann.eu, 1
+kolmeya.com.br, 1
+kolodec-pod-kluch.ru, 1
+kolonie-am-stadtpark.de, 1
+kolonie.turystyka.pl, 1
+kolorado.tk, 1
+koloradskij-zhuk.tk, 1
+kolorkids.pt, 1
+kolorwell.tk, 1
+kolotsainaskoto.tk, 1
+kolpingsfamilie-vechta-maria-frieden.de, 1
+kolrami.com, 1
+kolsandpeers.com, 1
+koltozzbe.hu, 1
+kolue.com, 1
+koluke.co, 1
+koluke.com, 1
+kolukylaselts.ee, 1
+kolyapetrov.tk, 1
+kom.pe, 1
+komalgandhi.tk, 1
+komall.net, 1
+komarex.pl, 1
+komarh.tk, 1
+komasan.net, 1
+komatsuforklift.com, 1
+kombikredit.de, 1
+komehyo.co.jp, 1
+komelin.com, 0
+kometia.com, 1
+komfort-doma.by, 1
+komfort.kh.ua, 1
+komichcapital.com, 1
+komicloud.com, 1
+komidoc.com, 1
+komikstation.co, 1
+kominfo.go.id, 0
+kominki-sauny.pl, 1
+komintek.ru, 1
+komintern43.tk, 1
+komischkeszeug.de, 1
+komitur.tk, 1
+komlangs.nl, 1
+kommaer.dk, 1
+komment.ml, 1
+kommerciya.cf, 1
+kommerciya.ml, 1
+kommotiv.nl, 0
+kommunalkredit.de, 1
+kommunermeddnssec.se, 1
+kommunermedipv6.se, 1
+kommunikation-czw.de, 1
+kommunistienliitto.tk, 1
+kommx.de, 1
+komodolabs.com, 1
+komoju.com, 1
+komok.co.uk, 1
+komoraoze.cz, 1
+komornikmroczek.pl, 1
+komp-plus.tk, 1
+komp247.pl, 1
+kompanen.nl, 1
+kompaniya-vasya.tk, 1
+kompetenzkurs.de, 1
+kompiwin.com, 1
+komplekt.gq, 1
+komplet.sk, 1
+komplexlysimple.com, 0
+kompliant.nu, 1
+kompotik.tk, 1
+komputer-net.tk, 1
+komsija.tk, 1
+komsomolka.works, 1
+komun.me, 1
+kon-sil.de, 1
+kon.cat, 1
+konaki.net, 1
+konata.tech, 1
+konbantsan.com.tr, 1
+koncertbooking.com, 1
+koncertit.com, 1
+koncertomania.pl, 1
+kondakov.link, 1
+kondakovgorin.us, 1
+kondakovvg.com, 1
+kondi-flex.biz, 1
+kondi-flex.de, 1
+kondi-flex.net, 1
+kondi-flex.org, 1
+kondi-save.biz, 1
+kondi-save.de, 1
+kondiflex.de, 1
+kondiflex.eu, 1
+kondisave.biz, 1
+kondo-kougei.co.jp, 1
+konducars.nl, 1
+konectbus.co.uk, 1
+konetsu.tk, 1
+konf.ga, 1
+konfekcjonowanie.com, 1
+konference.tech, 1
+konfiskator.online, 1
+konflikthaus.de, 1
+konfliktklaerer.de, 1
+konfrontation.tk, 1
+kong.ink, 1
+kongar.org, 1
+kongjie.cf, 1
+kongjie.ml, 1
+kongress-hostessen.de, 1
+koniecfica.sk, 0
+konijnen-knaagdieren.tk, 1
+koningerik.nl, 1
+konings.it, 0
+koningsdag-arnhem.nl, 1
+koningslust.tk, 1
+koninkrijk.net, 1
+konjunktion.tk, 1
+konkai.store, 1
+konkanitv.ga, 1
+konkasidiaris.com, 1
+konklone.com, 1
+konkurs.ba, 1
+konnai.jp, 1
+konnex-it.de, 1
+konnitanaka.com, 1
+konoex.com, 1
+konoka.top, 1
+kononenko.ml, 1
+konopizza.at, 1
+konpyuta.nl, 1
+konser.co.uk, 1
+konsertoversikt.no, 1
+konservy.tk, 1
+konskowola.info.pl, 1
+konsol.pro, 1
+konst.se, 1
+konstanz.tk, 1
+konstitucia.com, 1
+konstructdigital.com, 1
+konsul.ga, 1
+konsul.tk, 1
+konsultacii-buhgaltera.ga, 1
+konsultaciya-astrologa.cf, 1
+konsultaciya-astrologa.ga, 1
+konsultaciya-astrologa.gq, 1
+konsultaciya-astrologa.ml, 1
+konsultaciya-astrologa.tk, 1
+konsultacje-elektryczne.pl, 1
+konsultation.nu, 1
+konsultermedipv6.se, 1
+konta-swiss.ch, 1
+kontabilitet.tk, 1
+kontaxis.org, 1
+kontenido.net, 1
+kontent.ai, 1
+kontikifinance.com, 0
+kontikiindustries.tk, 1
+kontist.com, 1
+kontorhaus-stralsund.de, 1
+kontracrew.tk, 1
+kontrapolis.info, 1
+kontrastonline.tk, 1
+kontrolapovinnosti.cz, 1
+kontur-buh.ru, 1
+kontur.tk, 1
+konturalco.ru, 1
+konus.tk, 1
+konventa.net, 1
+konwerter-online.pl, 1
+konyadireksiyonservisi.com, 1
+konyadireksiyontamiri.com, 1
+konyahaber.tk, 1
+konyalian.com, 1
+konyhaelektronika.hu, 1
+konzaross.tk, 1
+konzepttreu.de, 1
+konzertheld.de, 1
+kood13.com, 1
+koodaklife.com, 1
+koodimasin.ee, 1
+koodimasin.eu, 1
+kooer.org, 1
+koof.win, 1
+kooibeds.com, 0
+kooky.org, 1
+koolauwomenshealthcare.com, 1
+koole.eu, 1
+kooli.ee, 1
+koolikatsed.ee, 1
+koolisw.tk, 1
+koolitee.ee, 1
+kooliveeb.ee, 1
+koolkool.tk, 1
+koomaldreaming.com.au, 0
+kooner.io, 1
+koood13.com, 1
+koopdomeinnaam.nl, 1
+koophost.nl, 1
+kooplokaal.gent, 1
+koopmansamenwerking.nl, 1
+koopraoulu.ddns.net, 1
+koora-lives.tv, 1
+kooranaps.wa.edu.au, 1
+kooratalk.ga, 1
+koot.nl, 1
+koowde.nl, 1
+kooxdiving.com, 1
+koozal.de, 1
+kopany.tk, 1
+kopatych.tk, 1
+kopecode.com, 1
+kopeechka.ml, 1
+koperry.com, 1
+kopeyka.cf, 1
+kopfgeld.tk, 1
+kopfkrieg.org, 0
+kopfsalat.eu, 0
+kopfschaschlik.de, 1
+kopieid.be, 1
+kopijosari.com, 1
+kopipasta.cf, 1
+kopisee.tk, 1
+kopitekno.com, 1
+kopjethee.nl, 0
+koplancpa.com, 1
+koplax-online.com, 1
+koppbilling.com, 1
+koppelvlak.net, 1
+kopretka.cz, 1
+koproskylos.gr, 1
+kopsinc.com, 1
+koptev.ru, 1
+kopteva.ru, 1
+kopular.com, 1
+kopyandsonslandscaping.com, 1
+kopykatz.org, 0
+kor.ovh, 1
+kor1xbet.com, 1
+kora-go.tk, 1
+korabi.tk, 1
+korablino.tk, 1
+korancode.tk, 1
+koranseruya.com, 1
+korbel-loziska.cz, 1
+korben.info, 1
+kordamed.ee, 1
+kordamentha.com, 1
+kordamentha.com.au, 1
+kordut.tk, 1
+korea-1xbet.com, 1
+korea-dpr.org, 1
+korea-onlinecasino.com, 1
+korea1x-bet.com, 1
+koreabestood.ga, 1
+koreaboo.com, 1
+koreanfashion.tk, 1
+koreanhouse.tk, 1
+koreankiosk.ru, 1
+koreanland.ml, 1
+koreanpearls.tk, 1
+koreanrandom.com, 1
+koreanrandom.ru, 1
+koreantextil.com.br, 1
+koreanure.tk, 1
+koreashop24.com, 1
+koredia.com, 1
+koreisai.tech, 1
+koresageart.com, 1
+korespondent.tk, 1
+koretech.nl, 1
+korfbal.nl, 1
+korfballeague.nl, 1
+korfezemlak.com, 1
+korhonen.cc, 1
+korhonen.social, 1
+korikart.com, 1
+korikart.net, 1
+korjoin.com, 1
+korkortet.tk, 1
+korkortonline.se, 1
+korn-klan.tk, 1
+korofilms.com, 1
+koroleva.ml, 1
+korolevstvo-movie.ml, 1
+koroli.tk, 1
+korona-m.bg, 1
+korona-m.eu, 1
+korona-serial.net, 1
+koroshkabir.tk, 1
+korrelzout.nl, 1
+korsordsvar.com, 1
+korst.tk, 1
+korstanjebouw.nl, 1
+korstanjetimmerwerken.nl, 1
+kortarsmagyarfesto.tk, 1
+kortgebyr.dk, 1
+korund.tk, 1
+kos4all.com, 1
+kos9078.com, 1
+kosaki.moe, 1
+kosara.bg, 1
+koscielniak-nieruchomosci.pl, 1
+kose.edu.ee, 1
+koseven.ga, 1
+kosgebkredisi.com, 1
+koshakovo.ga, 1
+koshaq.net, 1
+koshechka.tk, 1
+koshercutleryers.ga, 1
+koshercutleryest.ga, 1
+koshereducationers.ga, 1
+koshereducationest.ga, 1
+kosherfoodreviews.com, 1
+kosherjava.com, 1
+kosherlunchers.ga, 1
+kosherlunchest.ga, 1
+koshkonongwi.gov, 1
+koshturada.by, 1
+koshvolt.com, 1
+kosinc.org, 1
+kosmetykifm.pl, 1
+kosmiq-it.com, 1
+kosmonavt.tk, 1
+kosmopoisk-orel.tk, 1
+kosmoprolet.tk, 1
+kosmosfestival.tk, 1
+kosmosjournal.org, 1
+kosmosol.it, 1
+kosmosradio.tk, 1
+koso.me, 1
+kosovitolinks.tk, 1
+kosovo.gq, 1
+kost-magazin.de, 1
+kostarikanamiru.cz, 1
+kostavro.eu, 1
+kostecka.org, 1
+kostecki.com, 1
+kostecki.org, 1
+kostecki.tel, 1
+kostenloses-forum.tk, 1
+kosterenpartners.com, 1
+kostlyn.com, 1
+kostroma-city.tk, 1
+kostroma.cf, 1
+kostroma.gq, 1
+kostroma.ml, 1
+kostroma.tk, 1
+kostube.tk, 1
+kostya.ws, 1
+kostyumi.tk, 1
+kosupayoi.com, 1
+kosuzu.moe, 1
+koszmetics.com, 1
+kotaartsklan.com, 1
+kotaev.tk, 1
+kotajakarta.info, 1
+kotak.us, 1
+kotakanimeid.com, 1
+kotakonkrit.my, 1
+kotakoo.id, 1
+kotaku.com, 1
+kotaraanglican.org.au, 1
+kotatgent.be, 1
+kother.org, 1
+kotilinkki.fi, 1
+kotisivukone.fi, 1
+kotka.ml, 1
+kotlinfactory.io, 1
+kotly-marten.com.ua, 1
+kotmale.com, 1
+kotobox.net, 1
+kotobuki-healing.com, 1
+kotoishihear.tk, 1
+kotok.tk, 1
+kotomei.moe, 1
+kotonoha.cafe, 1
+kotonozaka.xyz, 1
+kotoopros.tk, 1
+kotori.love, 1
+kotori.style, 1
+kotorimusic.ga, 1
+kotrak.com, 1
+kottbulle.net, 1
+kotthaus-bs.de, 1
+kottur.is, 1
+kotuwa.tk, 1
+kotydomowe.com, 1
+kouberacing.com.br, 1
+koubova.net, 1
+kougeihin.jp, 1
+koujiao.ml, 1
+koujiao.net, 1
+koujo-soukohonpo.com, 1
+koumakan.cc, 1
+kourin.cf, 1
+koushinjo.org, 1
+kouwenhoven.xyz, 1
+kov.space, 1
+kovachica.tk, 1
+kovacia.com, 1
+koval.io, 1
+kovaldo.ru, 1
+kovered.net, 1
+kovnsk.net, 1
+kovrik-tm.com.ua, 1
+kovroedov.ru, 0
+kovspace.com, 1
+kovu.es, 1
+kovuthehusky.com, 1
+kowalmik.tk, 1
+kowalski7.cc, 1
+kowalski7cc.xyz, 1
+kowalstwo.com.pl, 1
+kowarschick.de, 1
+kowas.net, 1
+kowu.ru, 1
+koyaanisqatsi.tk, 1
+koyo.kr, 1
+koyou-nara.com, 1
+kozackibazar.pl, 1
+kozak.cloud, 1
+kozakmateusz.ovh, 1
+kozamac.com, 1
+kozansa.net, 1
+kozarac.tk, 1
+kozbox.com, 1
+kozentic.com, 1
+kozgi.com, 1
+kozhzamenitely.tk, 1
+koziknet.com, 1
+kozitsyn.name, 1
+kozlekedes.info, 1
+kozlov.cf, 1
+kozmetikatrend.hu, 1
+kozmetikus.tk, 1
+kozuch.biz, 1
+kozuna.it, 1
+kozune.com, 1
+kp-opt.ru, 1
+kp-walsh.com, 1
+kp0808.cc, 1
+kp0809.com, 1
+kp45.ru, 1
+kpfanworld.com, 1
+kpinterface.com, 1
+kpinvest.eu, 1
+kpizlog.rs, 1
+kplastics.in, 1
+kplasticsurgery.com, 1
+kplnet.net, 1
+kpmgccc.co.nz, 0
+kpmgclientcollab.co.nz, 0
+kpntdolive.nl, 1
+kpnthings.com, 1
+kpo.fi, 1
+kpop.re, 1
+kpop.ro, 1
+kpopsource.com, 1
+kppnmataram.com, 1
+kprem.com, 1
+kprf-school74.tk, 1
+kproferm.com, 1
+kpumuk.info, 1
+kpx1.de, 1
+kqh.me, 1
+kqrm.co.jp, 1
+kr-beratungscoach.de, 1
+kr-labs.com.ua, 1
+kr.cm, 1
+kr.search.yahoo.com, 0
+kr0n.dk, 1
+kra.ee, 0
+kra2laiz.eu, 1
+kraakgeluiden.tk, 1
+kraavi.com, 1
+krabathor.tk, 1
+krabbelsisters.tk, 1
+krabbit.tw, 1
+krachbumm.de, 1
+krachtinverbinding.nl, 1
+kraemerlaw.com, 1
+krafciarka.pl, 1
+kraft.blog, 1
+kraft.im, 1
+kraft.lol, 1
+kraftek.cf, 1
+kraftfahrtversicherungen24.de, 1
+kraftway.ru, 1
+kraftzeiten.de, 1
+krag.be, 1
+kraga.sk, 1
+krakato.tk, 1
+kraken-ttt.com, 1
+kraken.com, 1
+kraken.io, 0
+krakenfutures.com, 1
+krakenrobotik.de, 1
+krakenventures.com, 1
+krakozyabra.ga, 1
+krakozyabra.gq, 1
+krakozyabra.tk, 1
+kralenparadijs.tk, 1
+kralik.io, 1
+kralovskapradelna.cz, 1
+kram.nz, 1
+kram.tec.br, 1
+kramer-edelstahl.de, 1
+kramersworld.tk, 1
+kramesondemand.com, 1
+kramsj.uk, 1
+kran.ga, 1
+krang.org.uk, 1
+kranjnakolo.ml, 1
+krankenpflege-haushaltshilfe.de, 1
+krankenpflege.ch, 1
+kranservice-alzey.tk, 1
+krapiva.tk, 1
+krasa.at, 1
+krasa.au, 1
+krasa.com.au, 1
+krasa.tk, 1
+krasavchik.by, 1
+kraski.tk, 1
+krasnaya-nit.ga, 1
+krasnodar-pravoved.ru, 1
+krasnodar.one, 1
+krasnodar24.tk, 1
+krasnodarkrai.tk, 1
+krasnoyarsk-24.tk, 1
+krasnoyarsk24.tk, 1
+krasotkafirm.tk, 1
+krasotki.ml, 1
+kratochvilovi.net, 1
+krause-outlet.de, 1
+krauseent.com, 0
+krausekauft.de, 1
+krautomat.com, 1
+kraynik.com, 1
+kraz.tk, 1
+krazykastles.co.uk, 1
+krazykoolkastles.com, 1
+krazyphotobooths.co.uk, 1
+krbzh.ch, 1
+krc.link, 1
+krch.tk, 1
+krd93.ru, 1
+kreanoid-clientportal-aus-dev.azurewebsites.net, 1
+kreanoredact-portal-aus-dev.azurewebsites.net, 1
+kreasim32.co.id, 1
+kreationnext.com, 1
+kreativbande.com, 1
+kreativelabs.ch, 0
+kreativenerds.com.ng, 1
+kreativklinik.at, 1
+kreativoweb.tk, 1
+kreativstrecke.de, 1
+kreatura.tk, 1
+kreatywni.co, 1
+kredi-hesaplama.com, 1
+kredibanka.net, 1
+kredigram.com, 1
+kredit-abzocke.com, 1
+kredit-galerie.de, 1
+kredit-kenntnis.de, 1
+kredit-mit-negativer-schufa.com, 1
+kredit-negative-schufa.de, 1
+kredit-ohne-schufa.de, 1
+kredit-schule.de, 1
+kredit24.de, 1
+kredita.dk, 1
+kreditkarta.ml, 1
+kreditkarten-forum.de, 1
+kreditkoll.nu, 1
+kredito.pt, 1
+kreditonline.ml, 1
+kreditor.gq, 1
+kreditovnet.tk, 1
+kreditsystem.net, 1
+kreditvergleich.org, 1
+kreditzirkus.de, 1
+krednal.ru, 1
+kredytzen.pl, 0
+kreen.org, 1
+krefindo.de, 1
+kreft.tk, 1
+kreftprzewieda.pl, 1
+krehak.com, 1
+kreideseetaucher.de, 1
+kreidl.org, 0
+kreidlernet.tk, 1
+kreiglaw.com, 1
+kreisau.com, 1
+krelln.net, 1
+kremalicious.com, 1
+kremer-sonnenschutzsysteme.de, 1
+kremi.org, 0
+kreno.tech, 1
+krenstetter.at, 1
+kreolis.net, 1
+krepmarket.ru, 1
+kresimir-blazevic.tk, 1
+kreslomeshok.by, 1
+krestanskydarek.cz, 1
+kretaforum.dk, 1
+kretschmann.consulting, 1
+kretschmann.it, 1
+kreuzbergflieger.de, 1
+kreuzpfadfinder.de, 1
+kreuzwortraetsellosungen.com, 1
+kreweofneptune.org, 1
+krey.is, 1
+kreyolgym.fr, 1
+krezimizik.com, 1
+krfoodsng.com, 1
+kridtvejsplanter.dk, 1
+kriechel.de, 1
+kriegserinnerungen.tk, 1
+kriegskindernothilfe.de, 1
+kriener.photography, 1
+kriis.ee, 0
+krik.rs, 1
+kriko.io, 1
+krillz.se, 1
+krilotek.com, 1
+krilov.tk, 1
+krimikiosk.de, 1
+krimisound.com, 1
+krimisound.it, 1
+krimmebel.ru, 1
+krimzeta.com, 1
+krinetzki.de, 0
+kringla.xyz, 1
+kringloopwinkels.tk, 1
+krinnovations.ie, 1
+kripa.tk, 1
+kriptodede.com, 1
+kriptokereso.com, 0
+kriptokoin.com, 1
+kriptomat.io, 1
+kriptopod.com, 1
+kriptopodgon.tk, 1
+kriptosec.com, 1
+krisboeckmans.tk, 1
+krise-chance.ch, 1
+krisenintervention-deutschland.de, 1
+kriseninterventiondeutschland.de, 1
+krisftp.fr, 1
+krishin.tk, 1
+krishnakalisaha.com, 1
+krishnendu.com, 1
+krishnenduayur.org, 1
+krishofer.com, 1
+kriskonaturopathic.com, 1
+kriskras99.nl, 1
+krismurray.co.uk, 1
+krisp.ai, 1
+krispeinture.be, 1
+krispymods.com, 1
+krisstarkey.co.uk, 1
+krist.club, 1
+kristall-energie.at, 0
+kristall.tk, 1
+kristall.xyz, 1
+kristenpaigejohnson.com, 1
+kristina-lari.ru, 1
+kristineskitchenblog.com, 1
+kristjanrang.eu, 0
+kristofba.ch, 1
+kristoffer.is, 1
+kriston.tk, 1
+kristv.com, 1
+kristymiley.com, 1
+kristyvonkashyyyk.net, 1
+kriswauters.tk, 1
+kritatechnosolutions.com, 1
+kritik.com.br, 1
+kritisch-links.de, 1
+kriyayoga.fr, 1
+kriyayoga.mx, 1
+krizevci.info, 1
+krizialim.tk, 1
+krk-gaming.de, 0
+krmela.com, 1
+krmeni.cz, 0
+kroati.de, 1
+kroczynski.net, 1
+kroell.net, 1
+kroenland.at, 1
+kroenland.com, 1
+kroenland.design, 1
+kroglice.si, 1
+krok.gq, 1
+krokedil.se, 1
+kroldata.com, 1
+kroliczki.tk, 1
+kroll.tk, 1
+kromamoveis.com.br, 1
+kromati.co, 1
+kromberg.tk, 1
+kromciri.gq, 1
+krome.sg, 1
+kromonos.net, 1
+kromozottrud.hu, 1
+kroms.org, 1
+krona.ddns.net, 1
+kronanshopping.se, 1
+kroneaustralia.com.au, 1
+kronengruppe.de, 1
+kronofogden.se, 1
+kronosnxs.com, 1
+kronosproject.tk, 1
+kronospsi.es, 1
+krony.de, 1
+kronych.cz, 1
+kroo.com, 1
+kroon.email, 1
+kroonika.ee, 1
+kropkait.pl, 1
+krosovki-nike.tk, 1
+krossakorven.tk, 1
+krossvordy.com, 1
+krouzkyliduska.cz, 0
+krovat.ru, 1
+krovatka.tk, 1
+krovlya911.ru, 1
+krozilla.tk, 1
+krpaforum.org, 1
+krs.cloud, 1
+krsaustralia.com.au, 1
+krsvrs.nl, 1
+krti.com.ua, 1
+krtl.eu.org, 1
+krtl.top, 1
+krubik.tk, 1
+kruchefssensors.azurewebsites.net, 0
+kruchheartbeatdev.azurewebsites.net, 1
+kruchsensorsdev.azurewebsites.net, 0
+krudel.tk, 1
+kruemelundkruemel.de, 1
+krug-munroe.wedding, 1
+krugerengelbrecht.co.za, 1
+krugermillions.org, 1
+krugernationalpark.org.za, 1
+krugersdorpplumber24-7.co.za, 1
+krugoval.hr, 0
+krugson.net, 1
+kruidenboeket.be, 1
+kruin.net, 1
+kruindy.com, 1
+kruis.tk, 1
+kruisselbrink.com, 1
+kruk.co, 1
+krukaze.tk, 1
+krumovgrad.eu, 1
+krumpf.de, 0
+kruno.ooo, 1
+krup.com.ua, 1
+krupa.net.pl, 0
+krusesec.com, 1
+krusic22.com, 1
+krustyland.net, 1
+krutilka.ga, 1
+krutka.cz, 1
+kruu.de, 1
+kruvesh.tk, 1
+krvtz.net, 1
+krx1bet.com, 1
+kry.no, 1
+kry.se, 1
+kryddveitingahus.is, 1
+krymp.no, 1
+kryolansaudi.com, 1
+krypmonet.com, 1
+krypsys.com, 1
+krypt.com, 1
+kryptera.se, 1
+krypterz.com, 1
+kryptix.eu, 1
+kryptix.net, 1
+krypto-webdesign.de, 1
+kryptoforce.com, 1
+kryptologie.tk, 1
+kryptomech.com, 1
+kryptomodkingz.com, 1
+kryptonowosci.pl, 1
+kryptorebels.com, 1
+kryptosekken.no, 1
+kryptowale.com, 1
+kryptux.xyz, 1
+kryshodel.ml, 1
+krystal-framework.ml, 1
+krystalrsimpson.com, 0
+krytykawszystkiego.com, 1
+krytykawszystkiego.pl, 1
+kryx.de, 1
+krzeslaonline.pl, 1
+ks-19.com, 1
+ks-39.com, 1
+ks-59.com, 1
+ks-79.com, 1
+ks-89.com, 1
+ks-niceman.tk, 1
+ks-watch.de, 1
+ks.kr.ua, 1
+ks0098.com, 1
+ks015.com, 1
+ks017.com, 1
+ks0318.com, 1
+ks038.com, 1
+ks058.com, 1
+ks0618.com, 1
+ks0660.com, 1
+ks068.com, 0
+ks0877.com, 1
+ks0886.com, 1
+ks0888.com, 1
+ks0977.com, 1
+ks0990.com, 1
+ks16.net, 1
+ks168158.net, 1
+ks17.net, 1
+ks18.cc, 0
+ks182.com, 1
+ks1athome.co.uk, 1
+ks202.com, 1
+ks2020.vip, 1
+ks206.com, 1
+ks208.com, 1
+ks2235.com, 1
+ks2888.com, 1
+ks298.com, 1
+ks299.net, 0
+ks330.com, 1
+ks335.com, 1
+ks337.com, 1
+ks337.net, 1
+ks339.com, 1
+ks35.cc, 0
+ks3533.com, 1
+ks3536.com, 1
+ks3636.com, 1
+ks3737.com, 1
+ks380.com, 1
+ks381.com, 1
+ks386.com, 1
+ks3888.com, 1
+ks5000.com, 1
+ks515.com, 1
+ks516.com, 1
+ks549.com, 1
+ks5525.com, 1
+ks5528.com, 1
+ks5529.com, 1
+ks5531.com, 1
+ks5532.com, 1
+ks5822.com, 1
+ks5888.com, 1
+ks5888.net, 1
+ks597.com, 1
+ks6225.com, 1
+ks637.com, 1
+ks6522.com, 1
+ks6535.com, 1
+ks657.com, 1
+ks6600.com, 1
+ks668.com, 1
+ks6687.com, 1
+ks680.com, 1
+ks6887.com, 1
+ks79.app, 1
+ks8.net, 1
+ks8112.com, 1
+ks8113.com, 1
+ks8115.com, 0
+ks8128.com, 1
+ks8129.com, 1
+ks8135.com, 1
+ks8152.com, 1
+ks8176.com, 1
+ks8177.com, 1
+ks8211.com, 1
+ks8218.com, 1
+ks8225.com, 1
+ks8265.com, 1
+ks8266.com, 1
+ks8278.com, 1
+ks8802.com, 1
+ks8805.com, 1
+ks8831.com, 1
+ks8836.com, 1
+ks8862.com, 1
+ks8883.com, 0
+ks8886.com, 1
+ks8915.com, 1
+ks9.app, 1
+ks9122.com, 1
+ks920.com, 0
+ks960.com, 1
+ks9696.com, 1
+ks9888.com, 0
+ks99.app, 1
+ksa-lawfirm.com, 1
+ksa.mx, 1
+ksa511.com, 1
+ksabconline.gov, 1
+ksamaps.com, 1
+ksar.tk, 1
+ksato.fr, 0
+ksauhs-med.com, 1
+ksbkrasnodar.ru, 1
+kscarlett.com, 1
+kscds.gov, 1
+kschool.co.in, 1
+ksdot.gov, 1
+kselenia.ee, 1
+kselien.gov, 1
+ksem.tk, 1
+kseniya.tk, 1
+kseniyakoroleva.tk, 1
+ksenomorf.tk, 1
+ksero.center, 1
+ksero.com.pl, 1
+ksero.info, 1
+ksero.wroclaw.pl, 0
+kserownia.eu, 1
+ksexec.gov, 1
+ksg.edu.ee, 1
+ksgamerz.ga, 1
+kshb.com, 1
+kshlm.in, 1
+kshop.gr, 1
+kshpage.in, 1
+ksiegarniabk.pl, 1
+ksiegowosc.pro, 1
+ksk-raduga.tk, 1
+ksm.co.in, 1
+ksnl.net, 1
+ksoc.com, 0
+ksoftware.tk, 1
+ksopp.si, 1
+kspndanautoba.id, 1
+ksrevenue.gov, 1
+ksrv.jp, 1
+kss.com.au, 1
+ksst.by, 1
+ksstille.de, 1
+kst-dlvr.tk, 1
+kst-service.tk, 1
+kstdlvr.by, 1
+kstitleers.ga, 1
+kstitleest.ga, 1
+kstr.us, 1
+kstservice.by, 1
+ksu.kz, 1
+ksuu.loan, 1
+ksv-friesland.nl, 1
+ksvehicles.gov, 1
+ksvip02.com, 1
+ksvip09.com, 1
+ksvoterinfo.gov, 1
+ksw.hr, 1
+kswebtags.gov, 1
+kswork.life, 1
+kt-events.de, 1
+kt-motors.com, 1
+kt.tc, 1
+kt3i.com, 1
+ktateeb.com, 1
+ktbuniversity.com, 1
+kteatras.tk, 1
+ktgy.com, 1
+kthnxbai.xyz, 1
+ktk-pc.de, 1
+ktm-troxler.de, 1
+ktnv.com, 1
+ktty.net, 1
+ktube.yt, 1
+ktuluweb.tk, 1
+ktupad.web.id, 1
+ktw.lv, 0
+ku-7.club, 1
+ku-niederwinkling.de, 1
+ku.ag, 1
+kua.com, 1
+kuaforumden.com, 0
+kuai-ssl.com, 1
+kuairead.com, 0
+kuaishou.cf, 1
+kuaitiyu.org, 1
+kuaiyaojing.com, 1
+kuaiyun.com, 1
+kualo.co.uk, 1
+kualo.com, 1
+kualo.in, 1
+kuba-erlebnisreisen.de, 1
+kuba-orlik.name, 1
+kubabrussel.be, 1
+kubalok.de, 1
+kubanitoscali.com, 1
+kubeofficebooth.com, 1
+kuberkaitseliit.ee, 1
+kuberm.com, 1
+kubern.at, 1
+kubevocalbooth.com, 1
+kubica.ch, 1
+kubierecki.pl, 1
+kubik-rubik.de, 1
+kubit.ai, 1
+kubit.co, 1
+kubit.us, 1
+kublis.ch, 1
+kubmeta.com, 1
+kubnews.ru, 1
+kubo.pw, 1
+kubopro.com, 1
+kubopro.cyou, 1
+kubota.co.nz, 1
+kubota.com.au, 1
+kubotapower.com.au, 1
+kubotek3d.com, 1
+kubrakov.ml, 1
+kubrick.tk, 1
+kubritalk.com, 1
+kubusadvocaten.nl, 1
+kuchen-am-stiel.de, 1
+kuchugury.ru, 1
+kucnibudzet.com, 1
+kucukayvaz.com, 0
+kucukcekmececilingir.gen.tr, 1
+kucukkaymakli.tk, 1
+kudelskisecurity.com, 1
+kudetours.co.za, 1
+kudinilam.tk, 1
+kuditel.net, 1
+kudofoto.com, 1
+kudoran.tk, 1
+kudoway.com, 1
+kuechler.info, 1
+kuehndel.org, 1
+kuehnel-online.eu, 1
+kuemmling.eu, 1
+kuenstler-website.de, 1
+kuepper.tk, 1
+kueri.tech, 1
+kuestensiegel.de, 1
+kufry.cz, 1
+kugelblitz.co, 1
+kuhakukawa.ml, 1
+kuhio.net, 1
+kuhlecloud.co.za, 1
+kuhn-elektrotechnik.de, 1
+kuhne-electronic.de, 1
+kuhnerts.eu, 1
+kuinin.tk, 1
+kuisus.com, 1
+kuitunenguthrie.tk, 1
+kujalichildrenscentre.or.ke, 1
+kukaidh.com, 0
+kukal.cz, 1
+kukeri-karlovo.tk, 1
+kuketz-blog.de, 1
+kuketz-security.de, 1
+kukiulpindo.com, 1
+kukla.club, 1
+kukla.io, 1
+kuko-crews.org, 1
+kukuku.fun, 1
+kukuma.tk, 1
+kukutza.tk, 1
+kul.ee, 0
+kulakov.cf, 1
+kulakov.tk, 1
+kulde.net, 1
+kuldeepg.tk, 1
+kuliahbahasainggris.com, 1
+kuliahwisatahati.com, 1
+kulikov.tk, 1
+kulinarika.net, 1
+kulinaristi.fi, 1
+kulinariya.tk, 1
+kulivps.com, 1
+kulshe.com, 1
+kultamuseo.net, 1
+kultham.ml, 1
+kulthist.tk, 1
+kultmobil.se, 1
+kultur-werkstatt-wulfen.tk, 1
+kultur1.se, 1
+kulturbanause.de, 1
+kulturbiljetter.se, 1
+kulturistika.tk, 1
+kulturmel.ch, 1
+kultus-mv.de, 1
+kuma-it.de, 1
+kumacdn.club, 1
+kumalog.com, 1
+kumanovo.tk, 1
+kumaraguruparan.tk, 1
+kumi.website, 1
+kumidia.jp, 1
+kumilasvegas.com, 1
+kumina.nl, 1
+kumiskiri.com, 1
+kumo.tk, 1
+kumoricon.org, 1
+kumpali.com, 1
+kumpula.tk, 1
+kumu.live, 1
+kumuwiki.de, 1
+kunadomowa.pl, 1
+kunaki.com, 1
+kunalchakate.tk, 1
+kunaldesai.blog, 1
+kunanji.com, 0
+kunashir.tk, 1
+kundenerreichen.com, 1
+kundenerreichen.de, 1
+kundenvertrag.de, 1
+kundesjekk.no, 1
+kundo.se, 1
+kungfudirect.com, 1
+kungsangen.com, 0
+kunitomo.jp, 1
+kunnen.tech, 1
+kunri.tk, 1
+kunsanfss.com, 1
+kunst-im-kokon.de, 1
+kunst-na-arbeid.tk, 1
+kunstcentraal.nl, 0
+kunstdrucke-textildruck.de, 1
+kunsten.be, 1
+kunstenkracht1919.tk, 1
+kunsthandel-augustus-rex.de, 1
+kunstmuseum-moritzburg.de, 1
+kunststoffzaun-berlin.de, 1
+kunstundkulturradioschoepfwerk.tk, 1
+kunstundunrat.de, 1
+kunugi-inc.com, 1
+kunze-medien.de, 0
+kuoruan.com, 1
+kuotiva.com, 1
+kup-sluzbu.cz, 1
+kupaa.ink, 1
+kupferschmids.ch, 1
+kupferstichshop.com, 1
+kupi-ceresit.ru, 1
+kupid.com, 1
+kupidon-rt.ru, 1
+kupil.ru, 1
+kupinska.pl, 1
+kupipled.cf, 1
+kupislivki.tk, 1
+kupitmtz.gq, 1
+kupitnedorogo.com, 0
+kupitraktor.gq, 1
+kupittraktormtz.gq, 1
+kupka.tech, 1
+kupkabn.de, 1
+kupleno.com, 1
+kuplukover.by, 1
+kupoholik.rs, 1
+kupon-proxy6.ru, 1
+kupone.com.br, 1
+kuponigo.com, 1
+kuponmail.tk, 1
+kuponydoher.cz, 1
+kuppingercole.com, 1
+kupriy-coach.ru, 1
+kupschke.net, 1
+kupsluzbu.cz, 1
+kupu.maori.nz, 1
+kupujemprodajem.com, 1
+kura.gg, 1
+kurafuto.homeip.net, 1
+kuralink.se, 1
+kuralreklam.com, 1
+kurani.tk, 1
+kuraraynoritake.eu, 1
+kurashino-mall.com, 1
+kurd-yogurt.tk, 1
+kurdigrafya.com, 1
+kurdinfo.tk, 1
+kurdishcommunityofottawa.tk, 1
+kurdishphotography.tk, 1
+kurdjokes.tk, 1
+kurenivka.tk, 1
+kurer-sreda.ru, 1
+kuretru.com, 1
+kurgan-city.tk, 1
+kurgan.cf, 1
+kurgancity.cf, 1
+kurido-anime.tk, 1
+kurierwilenski.lt, 1
+kurirplus.tk, 1
+kuritsa.tk, 1
+kurnia.tk, 1
+kurniadwin.to, 1
+kuroha.co.uk, 1
+kuroinu.jp, 1
+kuroisalva.xyz, 0
+kuroit.com, 1
+kurona.ga, 1
+kuronarupolyphenol.jp, 1
+kuronekogaro.com, 1
+kuropatina.tk, 1
+kurosawa-yakkyoku.com, 1
+kurrende.nrw, 0
+kurs-dron.pl, 1
+kurs-elektryka.pl, 1
+kurs-fotowoltaika.pl, 1
+kurserne.dk, 1
+kursk-otoplenie.ru, 1
+kursk.cf, 1
+kurssertifikasi.com, 1
+kurswahl-online.de, 1
+kursy-sep.com.pl, 1
+kursyjezykowelublin.pl, 1
+kursypolska.pl, 1
+kurszielnull.de, 1
+kurt-und-herma-roemer-stiftung.de, 1
+kurtdeutscher.com, 1
+kurtisfranklin.com, 1
+kurtki-moda.tk, 1
+kurtlarvadisi-pusu-1.tk, 1
+kurtmclester.com, 0
+kurtneuweiler.com, 1
+kurtosys.com, 1
+kurtschlatzer.com, 1
+kurtschleinbeck.com, 1
+kurumsalseo.com.tr, 1
+kurungkurawal.id, 1
+kuruppa.xyz, 1
+kuruwi.net, 1
+kurz.pw, 1
+kurzly.de, 1
+kurztrip-fuer-verliebte.de, 0
+kurzurlaub.tk, 1
+kusadasiescmagazin.tk, 1
+kusadasihaber.ga, 1
+kusadasihaber.tk, 1
+kusasa.biz, 1
+kuscheln.com, 1
+kuschku.de, 1
+kuscu.de, 1
+kushner-cpa.co.il, 1
+kushwanthreddy.in, 1
+kuslink.tk, 1
+kusmuhendisi.com, 1
+kusochi.eu, 1
+kustarnik.tk, 1
+kustod.io, 1
+kustom-kitchens.com, 1
+kustomcorner.com.au, 1
+kustomer.com, 1
+kustosija.tk, 1
+kustus.com.br, 1
+kustvissen.tk, 1
+kusunokitomori.com, 1
+kutahyaciniyapitasarim.com.tr, 1
+kutaisi.it, 1
+kutalek.cz, 1
+kutalin.com, 1
+kutekeiki.com, 1
+kuti.hu, 1
+kutinsoft.com, 1
+kutombawewe.net, 1
+kutsankaplan.com, 1
+kuttler.eu, 1
+kutvonen.net, 1
+kutyabarathelyek.hu, 1
+kutyamacskashop.hu, 1
+kuudere.moe, 1
+kuukkanen.net, 1
+kuunlamaailm.ee, 1
+kuwago.io, 1
+kuwichitagastro.com, 1
+kuwichitaim.com, 1
+kuzbass-pwl.ru, 1
+kuzelky-cb.cz, 1
+kuzeyegehaber.com, 1
+kuzh.me, 1
+kuzh.tk, 1
+kuzik.tk, 1
+kuzinea.tk, 1
+kuzmik.net, 1
+kuzmik.org, 1
+kuzmiks.com, 1
+kuznica.tk, 1
+kuzov-plus.tk, 1
+kuzovkin.ml, 1
+kv-genebos.tk, 1
+kvadratnimeter.si, 1
+kvadru.cz, 1
+kvalhe.im, 1
+kvalita-1a.cz, 0
+kvalitetsaktiepodden.se, 1
+kvalitetskatalog.tk, 1
+kvarta.tk, 1
+kvartira-grad.tk, 1
+kvartiragrad.tk, 1
+kvasnytskyi.net, 1
+kvasta.se, 1
+kvdb.io, 1
+kvdekolk.tk, 1
+kvest-v-moskve.ga, 1
+kvestiks.ru, 1
+kvetinymilt.cz, 1
+kvetinyumarkety.cz, 1
+kvetuvplotu.cz, 1
+kvhile.com, 1
+kvhv-brussel.be, 1
+kvilt.dk, 1
+kviskoteka.tk, 1
+kvitlyr.tk, 1
+kvmcloud.net, 0
+kvn.tf, 1
+kvnsport.ru, 1
+kvrapi.com, 1
+kvrwines.com, 1
+kvs-demo.com, 1
+kvso.tk, 1
+kvspannum.tk, 1
+kvsplayer.com, 1
+kvsrot.cz, 1
+kvt.berlin, 0
+kw.gt, 1
+kwadraadtevredenheid.nl, 1
+kwakkelglas.nl, 0
+kwalifikacje.gov.pl, 1
+kwc.gov, 1
+kwcolville.com, 1
+kweb.ml, 1
+kwedo.com, 1
+kwench.com, 1
+kwieben.com, 1
+kwikmed.eu, 0
+kwjx2.ga, 1
+kwl.com.au, 1
+kwm.group, 1
+kwnet.info, 1
+kwoll.de, 0
+kwonghei.net, 1
+kwonjiyong.cn, 1
+kwork-garand.tk, 1
+kwx.gg, 1
+kwyxz.org, 1
+kxah35.com, 1
+kxbot.ru, 1
+kxc.email, 1
+kxc.inc, 1
+kxc.sh, 1
+kxc.tools, 1
+kxnrl.com, 1
+kxxv.com, 1
+ky.rs, 1
+ky188.io, 1
+ky89.cc, 1
+ky99.io, 1
+kyaba-kura.jp, 1
+kyahimt.gov, 1
+kyango.com, 1
+kyanjames.com, 1
+kyaru.net, 1
+kyau.net, 1
+kyaulabs.com, 1
+kybalion.info.pl, 1
+kyberna.xyz, 1
+kybi.sk, 1
+kycisrael.com, 1
+kydara.com, 1
+kyj250.com, 1
+kyj322.com, 1
+kyj33.com, 1
+kyj4.com, 1
+kyj44.com, 1
+kyj511.com, 1
+kyj522.com, 1
+kyj544.com, 1
+kyj55.com, 1
+kyj56.com, 1
+kyj57.com, 1
+kyj577.com, 1
+kyj59.com, 1
+kyj599.com, 1
+kyj622.com, 1
+kyj633.com, 1
+kyj644.com, 1
+kyj65.com, 1
+kyj655.com, 1
+kyj67.com, 1
+kyj677.com, 1
+kyj76.com, 1
+kyke.tech, 1
+kylacoin.com, 1
+kylacoin.eu.org, 1
+kylby.com, 1
+kyle-s.com, 1
+kyle.place, 0
+kylebaldw.in, 0
+kyledgoodwin.com, 1
+kyleggiero.me, 1
+kylegislature.gov, 1
+kylegough.co.uk, 1
+kylegutschow.com, 1
+kylehaka.la, 1
+kylehakala.com, 1
+kylelaker.com, 1
+kylelovell.com, 1
+kylepet.co, 1
+kylewentworth.com, 1
+kylianvermeulen.com, 0
+kylianvermeulen.nl, 1
+kylie-pomada.tk, 1
+kylinj.com, 0
+kylinseating.in, 1
+kylsgl.com, 1
+kylvaja.fi, 1
+kymcojp.com, 1
+kymta.com, 1
+kyn.be, 1
+kynaston.org.uk, 1
+kynastonwedding.co.uk, 1
+kyncostyle.com, 1
+kynd.com.au, 0
+kyne.cn, 1
+kyne.wang, 1
+kynect.gov, 1
+kynjatshai.com, 1
+kyobostory-events.com, 1
+kyobusiness.com, 1
+kyochon.fr, 1
+kyoki-railway.co.jp, 1
+kyoox.ch, 1
+kyoox.io, 1
+kyorei.or.jp, 1
+kyosaku.org, 1
+kyoto-sake.net, 1
+kyoto-sowa.co.jp, 1
+kyoto-tomoshibi.jp, 1
+kyrabanx.org, 1
+kyrgizion.tk, 1
+kyrjy.com, 1
+kyrtopoulos.com, 1
+kyrylych.tk, 1
+kysepticservice.com, 1
+kysil.org, 1
+kytkintienautomaalaamo.fi, 1
+kyujin-office.net, 1
+kyunyuki.com, 1
+kyusyu.org, 1
+kyvosinsights.com, 1
+kyzyl-senir.ml, 1
+kz.search.yahoo.com, 0
+kzar.co.uk, 1
+kzforce.tk, 1
+kzsdabas.hu, 1
+kztv10.com, 1
+l-a-b-a.com, 1
+l-a-b-a.ru, 1
+l-atelier-c.com, 1
+l-i-r.tk, 1
+l-ink.eu.org, 1
+l-lab.org, 1
+l-poya.ch, 1
+l.td, 1
+l.tt, 1
+l0re.com, 1
+l17r.eu, 1
+l2.ai, 1
+l214.com, 1
+l2aviation.com, 1
+l2dragonland.tk, 1
+l2guru.ru, 1
+l2kl.com, 1
+l2news.ga, 1
+l2relax.ml, 1
+l2support.tk, 1
+l33roy.com, 1
+l33te.net, 1
+l36533.com, 1
+l4s.me, 1
+l51365.com, 0
+l5197.co, 1
+l6729.co, 1
+l6729.com, 1
+l6957.co, 1
+l7plumbing.com.au, 1
+l7world.com, 1
+l82365.com, 1
+l8x.tech, 1
+l9.fr, 1
+l9297.co, 1
+l9728.co, 1
+la-baldosa.fr, 0
+la-bonne-cuisine.fr, 1
+la-boutique-langlois.fr, 1
+la-casa.tk, 1
+la-com.org, 1
+la-compagnie-des-elfes.fr, 1
+la-fenice-neheim.de, 1
+la-france-ressuscitee.fr, 1
+la-grande-jaugue.fr, 1
+la-kaz-a-velo.fr, 1
+la-laitonnerie.com, 1
+la-maison-neuve.com, 1
+la-paco.tk, 1
+la-petite-entreprise.com, 1
+la-petite-epicerie.fr, 1
+la-ruche.net, 1
+la-sc.com, 1
+la-tourmaline.ch, 1
+la-verite.tk, 1
+la-ville-aux-dames-auto-ecole.com, 1
+la-vraie-histoire.fr, 1
+laa.gov.ly, 1
+laab.gv.at, 1
+laac.io, 1
+laagenciaespacial.com, 1
+laakevahinko.fi, 1
+laanius.dk, 1
+laarroceriacolombiana.com, 1
+laassari.me, 0
+laatikko.io, 1
+laatjeniethackmaken.nl, 1
+lab-advancedservicesportal.com, 1
+lab-oborud.com, 1
+lab-recherche-environnement.org, 1
+laba.ua, 1
+labacanisima.tk, 1
+labadusa.com, 1
+labambi.pl, 1
+labandadeases.es, 1
+labandadelamente.tk, 1
+labandadelexpreso.tk, 1
+labande-annonce.fr, 1
+labanochjonas.se, 1
+labanskoller.se, 1
+labanskollermark.se, 1
+labarcadelperegrino.com, 1
+labassist.lt, 1
+labaugmbh.de, 1
+labayru.eus, 1
+labcenter.com, 1
+labcoat.jp, 1
+labdistill.com, 1
+label-octopus.org, 1
+labeled.vn, 1
+labelfactory.nl, 1
+labels.co.ke, 1
+labequipvn.com, 1
+laberkosmos.tk, 1
+labianstore.com, 1
+labiblioafronebrulepas.com, 0
+labin.tk, 1
+labina.com.tr, 1
+labinator.com, 1
+labinsights.com, 1
+labirint.cf, 1
+lablaser.tk, 1
+lablic-beta.work, 1
+lablnet.tk, 1
+lablue.ch, 1
+lablue.de, 1
+labmakelaar.com, 1
+labmakelaar.eu, 1
+labms.com.au, 1
+labobooks.com, 1
+labodeguitamigueltorres.cl, 1
+labogue.info, 1
+laboiteafred.fr, 1
+laboiteanem.fr, 1
+laboiteare.fr, 0
+laboiteasous.com, 1
+laboma.cz, 1
+laboni.design, 1
+labor-augsburg-mvz.de, 1
+laboratoirehubertcurien.fr, 1
+laboratoria.pro, 1
+laboratoriodelmisterio.co.uk, 1
+laboratoriodemarketingb3.com, 1
+laboratoriomolina.tk, 1
+laborbluesers.ga, 1
+laborbluesest.ga, 1
+labordayauction.org, 1
+labordude.com, 1
+laborriquita.tk, 1
+labortogether.com, 1
+labostark.fr, 1
+labottegafinedistillates.it, 1
+labouncycastlehire.co.uk, 1
+labourmarketinsights.gov.au, 1
+laboutiquedejuliette.com, 1
+laboutiquedeluminia.fr, 1
+laboutiquemarocaineduconvoyeur.com, 1
+laboutiquemarocaineduconvoyeur.ma, 1
+labrat.mobi, 1
+labroma.tk, 1
+labs-is.com, 1
+labs.directory, 1
+labs.lgbt, 1
+labs.ro, 1
+labsector.com, 1
+labsitserviss.lv, 1
+labsys.xyz, 1
+labtalleraudiovisual.tk, 1
+labtechsupplyco.com, 0
+labussola.site, 1
+labworking.lt, 1
+labworks.org, 1
+laby.link, 1
+labyrinthinetool.de, 1
+labyrinthus.tk, 1
+lacaey.se, 1
+lacahsa.gov, 1
+lacalderera.tk, 1
+lacallas.tk, 1
+lacantine.xyz, 1
+lacapsule.org, 1
+lacargo.az, 1
+lacarniceria.tk, 1
+lacarreradelagua.es, 1
+lacarretica.cr, 1
+lacasadelmaniqui.net, 1
+lacasadelours.fr, 1
+lacaserita.org, 1
+lacasseroy.com, 1
+lacavedesergio.fr, 1
+lacaveducinquantenaire.com, 1
+lacazadora.tk, 1
+lacebeauty.it, 1
+laceleste.it, 1
+lacellbedding.com, 1
+lacentral.com, 0
+lacera.gov, 1
+lacetsroses.ch, 1
+laceysfarm.ie, 1
+lacfm.cf, 1
+lachain.io, 1
+lachainedesentrepreneurs.fr, 1
+lachaussettedebrasparts.fr, 1
+lachlan-harris.com, 1
+lachlan.com, 1
+lachlanallison.com, 0
+lachlanb.me, 1
+lachyoga-schwieberdingen.de, 1
+laciana.tk, 1
+lacicloud.net, 1
+lacienciadelpanico.tk, 1
+lacity.gov, 1
+lackan.tk, 1
+lackawannanypolicecorruption.org, 1
+lackfer.tk, 1
+lackierereischmitt.de, 1
+laclaque.ch, 0
+lacledelareussite.com, 0
+lacledeslan.com, 1
+lacledeslan.org, 1
+lacledor.ch, 0
+lacnesidlo.sk, 1
+lacoast.gov, 1
+lacochinacounselor.com, 1
+lacoe.edu, 1
+laconcepcion.tk, 1
+laconiapdnh.gov, 1
+lacontrevoie.fr, 1
+lacoquette.gr, 1
+lacorteimoveis.com.br, 1
+lacoste.net, 1
+lacragamerpanel.ml, 1
+lacrimosa.tk, 1
+lacrinum.com, 1
+lacrosselocatorers.ga, 1
+lacrosselocatorest.ga, 1
+lacrossemortgageers.ga, 1
+lacrossemortgageest.ga, 1
+lacrossetribune.com, 1
+lacrossewi.gov, 1
+lacroy.com.br, 1
+lactatiekundigemanouk.nl, 1
+lacuartaorden.tk, 1
+lacuerba.com, 1
+lacuisine.tk, 1
+lacuna-vermoegen.de, 1
+lacyc3.eu, 1
+lacylynn.net, 1
+lad-china.com, 0
+lada-granta.tk, 1
+lada-plus.tk, 1
+ladadate.com, 1
+ladakhtrip.tours, 1
+ladanivabelgium.tk, 1
+ladanmokhtari.tk, 1
+ladbroke.net, 1
+ladder.sport, 1
+ladeboks.dk, 1
+ladedu.com, 1
+ladelicateparenthese.com, 1
+ladenzeile.at, 1
+ladenzeile.de, 1
+ladepeche.fr, 1
+ladies-shoes.tk, 1
+ladiescode.tk, 1
+ladiesrapide.tk, 1
+ladinvestment.ml, 1
+ladisko.tk, 1
+ladislav-antos.cz, 1
+ladislavbrezovnik.com, 0
+lado.ltd, 1
+lado.site, 1
+ladobe.com.mx, 1
+ladocdn.com, 1
+ladocs.tk, 1
+ladocu.cf, 1
+ladotech.cn, 1
+ladotech.com, 1
+ladraiglaan.com, 1
+ladrones.tk, 1
+laduephoto.com, 1
+ladurbo.tk, 1
+lady-blog.ga, 1
+lady-len.com, 1
+lady-sadieann.co.uk, 1
+lady-wishlist.my.id, 1
+lady007.com.tw, 1
+ladyangelina.org, 1
+ladyanja.org, 1
+ladybanana.co.uk, 1
+ladybird.tk, 1
+ladybirdeducation.co.uk, 1
+ladyblack.tk, 1
+ladyblackdiamoond.com, 1
+ladyboy.tv, 1
+ladyboyfiles.com, 1
+ladyboyreports.com, 1
+ladyboytube.tv, 1
+ladybugjam.com, 1
+ladybugjunction.com, 1
+ladyestelle.org, 1
+ladyisabell666.com, 1
+ladykarame.org, 1
+ladylakefl.gov, 1
+ladylatoria.net, 1
+ladylucks.co.uk, 1
+ladymadd.fr, 1
+ladymakeup.com.ua, 1
+ladymayonline.tk, 1
+ladymeli.org, 1
+ladyofhopeparish.org, 1
+ladyofsongstv.com, 1
+ladyoxytocin.com, 1
+ladysecrets.cf, 1
+ladysecrets.ga, 1
+ladysybella.net, 1
+ladytron.tk, 1
+ladyvampira.com, 1
+ladyvictoriavalente.com, 1
+ladywishlist.my.id, 1
+laecosmetic.com, 1
+laecosmetics.es, 1
+laedia.com, 1
+laegemiddelstyrelsen.dk, 1
+laembajadamexico.com, 1
+laemiliafutbol.tk, 1
+laempresa.tk, 1
+laencina.tk, 1
+laer.ai, 1
+laerdal.com, 1
+laerepenger.no, 1
+laerted.ga, 1
+laeryn.com, 0
+laesisvefurinn.is, 1
+laetitia-hypnocoach.fr, 1
+laettnercamps.com, 1
+laetusinpraesens.org, 1
+laeva.edu.ee, 1
+laextra.mx, 1
+lafansite.tk, 1
+lafantasticatravel.com, 1
+lafattoriabiologica.com, 1
+lafattoriadiclotilde.it, 1
+lafayette-rushford.com, 1
+lafayettechippewawi.gov, 1
+lafayetteco.gov, 1
+lafayettecountymo.gov, 1
+lafayettemalleg.com, 1
+lafayettetnfd.gov, 1
+lafayettewcwi.gov, 1
+lafcoar.gov, 1
+lafeemam.fr, 1
+lafeepraline.fr, 1
+lafermegourmande.fr, 1
+laffer.tk, 1
+laffgaff.com, 1
+lafika.ddns.net, 1
+lafillepolyvalente.ca, 1
+lafillepolyvalente.com, 1
+lafka.org, 1
+laflanelle.fr, 1
+laflash.com, 1
+lafleur-salon.tk, 1
+laforgia.xyz, 1
+lafr4nc3.xyz, 1
+lafraia.com, 1
+lafraia.com.br, 1
+lafsc.co.uk, 1
+lafuentespain.com, 1
+lafuriadelguardiancelta.tk, 1
+lag-fan.tk, 1
+lag-gbr.gq, 1
+lagaleria-ag.com, 1
+lagalerieduchanvre.fr, 1
+lagence.ch, 1
+lagencerie.fr, 1
+lagendijk.org, 1
+lagerauftrag.info, 1
+laget.se, 1
+laghiinitalia.com, 1
+lagier.xyz, 1
+lagin.cz, 1
+laginghanda.gov.ph, 1
+lagit.in, 0
+laglab.org, 0
+lagloriadehuampani.com, 1
+lagodny.eu, 1
+lagom.org.pl, 1
+lagoonrealty.com, 1
+lagos-car-hire.com, 1
+lagoscooperativecollege.com, 1
+lagotto.tk, 1
+lagout.org, 1
+lagovistatexas.gov, 1
+lagracia.com.br, 1
+lagrangiandesign.com, 1
+lagriffeduservice.fr, 1
+lagriot.com, 1
+lagrollabz.it, 1
+lagrotta.pizza, 1
+lagrottabergenopzoom.nl, 1
+lagroza.tk, 1
+lagsoftware.com, 0
+laguiadeliman.com.ar, 1
+laguiadelpapa.com, 1
+laguiainmobiliaria.com.co, 1
+laguinguette.fr, 0
+lagunadiosdalmatians.tk, 1
+lagunakitchenandbath.com, 1
+lagunaklub.tk, 1
+laguscei.com, 1
+laguterbaru.gq, 1
+lahabra.gov, 1
+lahacker.net, 1
+lahaine.org, 1
+lahalleternative.fr, 1
+lahalte-buvette.fr, 1
+lahermandad.tk, 1
+lahirusblog.tk, 1
+lahmer.ma, 1
+lahoguera.tk, 1
+lahoratunante.tk, 1
+lai.is, 1
+lailabanx.org, 1
+lailai.link, 1
+lain.at, 1
+lain.la, 1
+lain.wiki, 1
+laindonleisure.co.uk, 1
+lainoa.eus, 1
+laipert.com, 1
+lairdutemps-bbe.fr, 1
+laisk.ru, 1
+laity.gq, 1
+laiweiyi.com, 1
+lajarana.tk, 1
+lajauria.tk, 1
+lajessaofrancisco.com.br, 1
+lajetlingerie.nl, 1
+laji.fi, 1
+lajijonencadebarbera.com, 1
+lajme-shqip.gq, 1
+lajornadafilipina.com, 1
+lajusta.tk, 1
+lak-berlin.de, 0
+lak.li, 1
+lakabina.tk, 1
+lakatos.tk, 1
+lakatrop.com, 1
+lake-baikal.ml, 1
+lakeandriverrestoration.com, 1
+lakearthurnm.gov, 1
+lakecity-obgyn.com, 1
+lakeclerkfl.gov, 1
+lakecookexteriors.com, 1
+lakecountyclerkfl.gov, 1
+lakecountyco.gov, 1
+lakecountytn.gov, 1
+lakedeltonwi.gov, 1
+lakeee.com, 1
+lakegenevanews.net, 1
+lakehavasuhouserentals.com, 1
+lakeheadfreight.biz, 1
+lakeheadlions.com, 1
+lakelafayettemo.gov, 1
+lakelandbank.com, 1
+lakemary-doctor.com, 1
+lakemillsiowa.gov, 1
+lakenheathfss.com, 1
+lakenheathfss.marketing, 1
+lakenheathfss.support, 1
+lakepoint.gov, 1
+lakerfreight.ca, 1
+lakerfreight.com, 1
+lakersview.com, 1
+lakesaintlouismo.gov, 1
+lakesherwoodelectric.com, 1
+lakesherwoodelectrical.com, 1
+lakesherwoodelectrician.com, 1
+lakesherwoodexteriorlighting.com, 1
+lakesherwoodlandscapelighting.com, 1
+lakesherwoodlighting.com, 1
+lakesherwoodoutdoorlighting.com, 1
+lakeshiremo.gov, 1
+lakesideweb.design, 1
+lakestreetministorage.com, 1
+lakesviewrobina.com.au, 1
+laketanglewoodtx.gov, 1
+laketontwpmi.gov, 1
+laketownmn.gov, 1
+lakeview.photography, 1
+lakevotes.gov, 1
+lakewaccamawnc.gov, 1
+lakewinnipegdatastream.ca, 1
+lakewoodco.gov, 1
+lakewoodcomputerservices.com, 1
+lakewoodcourtoh.gov, 1
+lakewoodoh.gov, 1
+lakichat.fi, 1
+lakkt.de, 1
+lakle.com, 1
+lakonia.com.br, 1
+lakorona.tk, 1
+lakru.one, 1
+laksa.life, 1
+lakupaavi.tk, 1
+lalagunachalate.tk, 1
+lalaloe.be, 1
+lalaog.com, 1
+lalarosas.com, 1
+lalaserniagara.ca, 1
+lalaya.fr, 1
+laled.ch, 0
+laleggepertutti.it, 1
+lalegria.tk, 1
+lalelal.me, 1
+laleli.biz, 1
+lalerou.com, 1
+lalettrepatriote.com, 0
+lalokura.tk, 1
+lalouviere.fr, 1
+lalucepulsata.it, 1
+lalucha.tk, 1
+lalucioledigitale.com, 1
+lalunedangkor.com, 0
+lalyre-corcelles.ch, 0
+lamafioso.com, 1
+lamai-crochets.fr, 1
+lamaisondufort.fr, 1
+lamaisonfantastique.fr, 1
+lamakat.de, 1
+lamalapalabra.tk, 1
+lamaletademano.com, 1
+lamaline.tk, 1
+lamalleauxsaveurs-aubigny.com, 1
+lamanchelibre.fr, 1
+lamanzanamordida.net, 1
+lamarieealhonneur.com, 0
+lamasacre.tk, 1
+lamaskill.com, 1
+lamaturitadidaniele.ml, 1
+lambassadors.com, 1
+lambauer.com, 1
+lambda.sx, 1
+lambdajournal.com, 1
+lambdaof.xyz, 1
+lambertshealthcare.co.uk, 1
+lambertz.xyz, 1
+lamblogs.com, 1
+lamboo.be, 1
+lamborghi.ni, 1
+lamchannang.com, 1
+lamclam.site, 1
+lamcondaugia-khacdaugia.com, 1
+lamconnect.com, 1
+lamdav.com, 1
+lameco.com, 1
+lamed.cz, 1
+lamedog.tk, 1
+lamedubois-parquet.fr, 0
+lamei-group.com, 1
+lameilleurecette.fr, 1
+lamergameryt.xyz, 1
+lamet-kher.tk, 1
+lameusame.be, 1
+lamigoshevora.pt, 1
+laminaatdealer.nl, 1
+laminine.info, 1
+laminsaho.tk, 1
+lamisionband.tk, 1
+lamleybrothers.co.uk, 1
+lammersmarketing.com, 1
+lammertbies.com, 1
+lammertbies.nl, 1
+lamminhquang.com, 1
+lamnea.se, 1
+lamontre.ru, 1
+lamorera.tk, 1
+lamorralla.tk, 1
+lamp.re, 0
+lampandlight.eu, 1
+lamparassevilla.com, 1
+lampbooks.gq, 1
+lampco.com, 1
+lampeetlumiere.fr, 1
+lampenlicht.be, 1
+lampenlicht.nl, 1
+lampenundleuchten.de, 1
+lamper-design.nl, 1
+lampertheimer-zeitung.de, 1
+lamplightvideo.com, 1
+lampposthomeschool.com, 1
+lamppostpublishing.com, 1
+lampsh.ml, 1
+lampsi.ru, 1
+lampyiswiatlo.pl, 1
+lamsa.tk, 1
+lamudi.ga, 1
+lamuixeranga.tk, 1
+lan-der.de, 1
+lan-der.net, 1
+lan-divy.com, 1
+lan-divy.fr, 1
+lan-x.no, 1
+lan.biz.tr, 1
+lan.re, 1
+lanabello.com.br, 1
+lanaengel.com, 1
+lanagiselle.net, 1
+lanahallen.com, 1
+lanailsupplies.com, 1
+lanaturedaure.com, 1
+lanausea.tk, 1
+lanbroa.eu, 1
+lancashirebeekeepers.org.uk, 1
+lancashirecca.org.uk, 1
+lancastercountysc.gov, 1
+lancasterma.gov, 1
+lancastertableandseating.com, 1
+lancastervillageny.gov, 1
+lance.com.br, 1
+lancea.pl, 1
+lancejames.com, 1
+lancelafontaine.com, 1
+lancelhoff.com, 1
+lancelucido.tk, 1
+lancemanion.com, 1
+lancerm.com, 1
+lancertactical.eu, 1
+lanceyip.com, 1
+lanchong.tk, 1
+lanconstruct.be, 1
+lancyvbc.ch, 0
+land.nrw, 0
+landart.tk, 1
+landassessmentservices.com, 1
+landbouwpowers.tk, 1
+landc.com.ua, 1
+landchecker.com.au, 1
+landcomputer.hu, 1
+landegge.nl, 1
+landell.ml, 1
+landers.com.au, 1
+landeseiten-optimieren.de, 1
+landfinity.com, 1
+landflair-magazin.de, 1
+landflirt.de, 1
+landforsale.co.il, 1
+landfrauen-hermetschwil.ch, 1
+landgoeddorrebeek.be, 1
+landgorilla.com, 1
+landindex.io, 1
+landinfo.no, 1
+landingtransport.com, 1
+landkind.com, 1
+landkreis-augsburg.de, 1
+landless-city.net, 1
+landloperfm.tk, 1
+landlordy.com, 1
+landmatrix.org, 0
+landofelves.net, 0
+landofmerlin.tk, 1
+landofoz.dynu.net, 1
+landoftherisingson.com, 0
+landoftile.com, 1
+landolakeswi.gov, 1
+landoncreekapartments.com, 1
+landonkhull.ddns.net, 1
+landoverhillsmd.gov, 1
+landroverexpo.com.au, 1
+landroveruganda.club, 1
+landscape-photography.org, 1
+landscapelightingagoura.com, 1
+landscapelightingagourahills.com, 1
+landscapelightingcalabasas.com, 1
+landscapelightingcamarillo.com, 1
+landscapelightingconejovalley.com, 1
+landscapelightingdosvientos.com, 1
+landscapelightinghiddenhills.com, 1
+landscapelightinglakesherwood.com, 1
+landscapelightingmalibu.com, 1
+landscapelightingmoorpark.com, 1
+landscapelightingnewburypark.com, 1
+landscapelightingoakpark.com, 1
+landscapelightingpacificpalisades.com, 1
+landscapelightingsimivalley.com, 1
+landscapelightingthousandoaks.com, 1
+landscapelightingwestlakevillage.com, 1
+landscapeloaners.ga, 1
+landscapeloanest.ga, 1
+landscapephotography.org.au, 1
+landscapesmore.com, 1
+landscaping-montreal.com, 1
+landscaping.ga, 1
+landscaping.gq, 1
+landscapingrepairers.ga, 1
+landsearch.com, 1
+landsforsale.co.il, 1
+landshaftnic.ru, 1
+landslide.tk, 1
+landtrack.com.au, 1
+landverliebt.de, 1
+landware.cf, 1
+landzicht.tk, 1
+lane.computer, 1
+lanefinder.com, 1
+lanehealth.com, 0
+lanetix.com, 1
+lang-php.com, 1
+langadeduero.tk, 1
+langages-programmation.tk, 1
+langapi.com, 1
+langatang.com, 1
+langauto.hu, 1
+langbein.org, 1
+langcom.org, 1
+langenberg.tk, 1
+langenu.tk, 1
+langer-bauwerk.de, 1
+langgasse-baar.ch, 1
+langhun.me, 1
+langley.tk, 1
+langleyok.gov, 1
+langleyporter.com, 1
+langlois-chateau.fr, 1
+langly.fr, 1
+langrock.info, 1
+langthaler.cc, 1
+langtonsant.es, 1
+languageatplay.de, 1
+languagecert.org, 1
+languagecourse.net, 1
+languageeducation.ml, 1
+languageguesser.com, 1
+languagekeyboard.net, 1
+languages.services, 1
+languagesandnumbers.com, 1
+languageterminal.com, 1
+langworth.com, 0
+langzeit-reisen.com, 1
+langzijn.nl, 1
+lanhhuyet510.tk, 1
+lanhydrockap.co.uk, 1
+lanispa.com, 1
+lankana.tk, 1
+lankarkivet.tk, 1
+lankatongtravel.lk, 1
+lanlaog.com, 1
+lanmail.tk, 1
+lanna.io, 1
+lannainnovation.com, 1
+lannamontessori.com, 1
+lannatefl.com, 1
+lanny.ga, 1
+lannywolfetrio.com, 1
+lanodan.eu, 1
+lanomina.net, 1
+lanostrasalute.it, 1
+lanoticia.com, 0
+lanourotteguiry.fr, 1
+lanparty.si, 1
+lanroamer.de, 1
+lansdell.family, 1
+lanselot.com, 1
+lansenou.com, 1
+lansilesia.tf, 1
+lansingtwpmi.gov, 1
+lansingvotes.gov, 1
+lansink.it, 1
+lansociety.org, 1
+lansoft.site, 1
+lansoftware.eu, 1
+lanternalauth.com, 1
+lanternhealth.org, 1
+lantian.pub, 1
+lanturtle.com, 1
+lanuitshanghai.ca, 1
+lanuovariviera.it, 1
+lanx.com.br, 1
+lanyang.tk, 1
+lanyards.com.au, 1
+lanyardsfactory.com.au, 0
+lanyundev.com, 1
+lanzalex.com, 1
+lanzamientovirtual.es, 1
+lanzarote.com, 1
+lanzastil.com, 1
+lao.dog, 1
+laobayy.com, 1
+laoctavadireccion.tk, 1
+laodongkynghi.info, 1
+laohei.org, 0
+laolaweb.tk, 1
+laoliang.ml, 1
+laomoss.com, 0
+laonawatersewerwi.gov, 1
+laonawi.gov, 1
+laorquestadelamemoria.tk, 1
+laospage.com, 1
+laostiaradio.tk, 1
+laotravoz.tk, 1
+laowang.run, 1
+laoying.tv, 1
+laozhu.me, 1
+lapageamelkor.org, 1
+lapaginadejuanjo.tk, 1
+lapaksulawesi.tk, 1
+lapakus.com, 1
+laparcela.tk, 1
+laparoscopyhospital.com, 1
+lapasticcerianaturale.store, 1
+lapatiala.com, 1
+lapazsheriff.org, 1
+lapcameradongnai.com, 1
+lapcamerahochiminh.com, 1
+lapcoversers.ga, 1
+lapcoversest.ga, 1
+lapdance.tk, 1
+lapeercountymi.gov, 1
+laperfumista.es, 1
+laperla-chemnitz.de, 1
+laperladelduero.tk, 1
+laperreraflamenca.tk, 1
+lapesbaldai.lt, 1
+lapetitefontaine.restaurant, 1
+lapicena.eu, 1
+lapina.tk, 1
+lapinas.com, 1
+lapinator.net, 1
+lapinmalin.tk, 1
+lapismagico.com, 1
+lapix.com.co, 1
+laplace.chat, 1
+laplace.live, 0
+laplace.network, 1
+lapland.shop, 1
+laplanquedujoueur.com, 1
+laplasadalsol.tk, 1
+laplazita.tk, 1
+lapluma.tk, 1
+lapolvora.ga, 1
+lapoly.ga, 1
+laponder.online, 1
+laponders.com, 1
+laporantercepat.com, 1
+laportedufutur.org, 1
+lapositiva.com.pe, 1
+lappari.com, 1
+lappersfort.tk, 1
+lapps.es, 1
+laprairiewi.gov, 1
+laprensadelasagradafamilia.org, 1
+lapseofsanity.net, 1
+lapshore.com, 1
+laptop-sewamurah.com, 1
+laptophub.net, 1
+laptopnaive.com, 1
+laptopnewbie.eu.org, 1
+laptoppowerjackinc.com, 1
+laptopsperu.com, 0
+laptopuri.tk, 1
+laptopvideo2go.com, 1
+laptopworld.dk, 1
+lapublicpress.org, 1
+lapulgaflamenco.com, 1
+laqira.io, 1
+laquestionviterepondue.com, 1
+lara-eu.org, 1
+larabergmann.de, 1
+larabouillere.fr, 1
+laracode.eu, 1
+laracumkitten.org, 1
+laradiorespuestas.tk, 1
+laraemarcos.ga, 1
+laraeph.com, 1
+larafabian.tk, 1
+larafoxx.org, 1
+laralove.org, 1
+laramewa.tk, 1
+laramiecountywy.gov, 1
+laramuredesmots.fr, 1
+laranjada.org, 1
+larasm.tk, 1
+laravel.software, 1
+laravelcommunity.asia, 1
+larawoodarts.com, 1
+larax.tk, 1
+larbertbaptist.org, 1
+larcaenviro.com, 1
+larch.gq, 1
+larche.org.pl, 1
+larchmontbuzz.com, 1
+larchmontny.gov, 1
+larcs.co.uk, 1
+lareclame.fr, 1
+lared-vps.ovh, 1
+lareduction.be, 1
+lareduction.ch, 1
+lareduction.fr, 1
+lareineboudoir.com, 1
+larepenger.no, 1
+larepublicacultural.es, 1
+larete.ch, 1
+large-print.ru, 1
+largerpweor.uk, 1
+largescaleforums.com, 1
+largest-soldiers.cf, 1
+largeviewer.com, 1
+laricameche.com, 0
+larifari.ch, 1
+larigami.de, 1
+larimarhomes.ca, 1
+larimer.gov, 1
+larimercolorado.gq, 1
+lariscus.eu, 1
+larkbury.com, 1
+larkenshine.com, 1
+larkeydesign.com, 1
+larkinkerluke.cf, 1
+larkleclear.com, 1
+larmenta.tk, 1
+laro.tk, 1
+larobba.ddns.net, 1
+laromlab.tk, 1
+larondenet.tk, 1
+larondinedisinfestazione.com, 1
+larosadelosvientos.tk, 1
+larotative.info, 1
+larousse-edu.fr, 1
+larpkalender.ch, 1
+larptreff.de, 1
+larry.buzz, 1
+larryandprisca.it, 1
+larryli.cn, 1
+larrysalibra.com, 1
+lars-kusch.de, 1
+lars-mense.de, 1
+lars-mielke.de, 0
+lars.cloud, 1
+lars.moi, 1
+lars.software, 1
+larsartmann.com, 1
+larsberglund.tk, 1
+larsentransfer.com, 1
+larser.tk, 1
+larseriksson.es, 1
+larsi.org, 1
+larsklene.nl, 1
+larsklint.com, 1
+larsm.org, 1
+larsnittve.tk, 1
+larsvontrier.tk, 1
+lartduportrait.fr, 1
+laruecountyky.gov, 1
+laruralevolution.gov, 1
+larver.tk, 1
+larvps.com, 1
+las-chichis.tk, 1
+las.so, 1
+las7verticales.tk, 1
+lasabina.it, 1
+lasalle.org.co, 1
+lasallecountyil.gov, 1
+lasandwicheriamedellin.com, 1
+lasanious.com, 1
+lasarmas.com, 1
+lasavonnerieducroisic.fr, 1
+lascana.co.uk, 1
+laschimeneas.com, 1
+laschoolpolice.gov, 1
+lascruces.gov, 1
+lasdelgadas.tk, 1
+lasept.com.ua, 1
+laser-toners.tk, 1
+lasercareestetica.com.br, 1
+lasercentral.com.au, 1
+lasercloud.ml, 1
+laserena.tk, 1
+lasereyess.net, 1
+laserhealthsolutions.com, 1
+laserplaza.de, 1
+laserplaza.net, 1
+laserpunch.tk, 1
+lasersolutions.tk, 1
+lasfolladoras.com, 1
+lasik-safely.com, 1
+lasinfusiones.com, 0
+lasiodora.tk, 1
+lasittellecosmetiques.com, 1
+lasix-medication.cf, 1
+lasix-medication.gq, 1
+lasix-medication.tk, 1
+lask.in, 1
+laslilas.tk, 1
+laslo-hauschild.eu, 1
+lasmallbizonline.gov, 1
+lasmesas.tk, 1
+lasmoarquitectos.com, 1
+lasmorfianapoletana.com, 1
+lasofertas.tk, 1
+lasourisglobe-trotteuse.tk, 1
+laspalmerasdelnorte.tk, 1
+laspeligrosas.tk, 1
+laspeludas.tk, 1
+laspequenassemillas.com, 1
+laspirale.tk, 1
+laspoesias.com, 1
+lasrecetasdeguada.com, 1
+lasse-boberg.tk, 1
+lasse-it.dk, 0
+lasseaktiv.art, 1
+lasseaktiv.com, 1
+lasseaktiv.es, 1
+lasseleegaard.com, 1
+lasseleegaard.dk, 1
+lasseleegaard.net, 1
+lasseleegaard.org, 1
+lassencanyonnursery.com, 1
+lassencoe.gov, 1
+lassesworld.com, 1
+lassesworld.se, 1
+lassiutriainen.fi, 1
+lassovideos.com, 1
+lasst-uns-beten.de, 1
+last-strike.org, 1
+lastallaexotics.com, 1
+lastation.ca, 1
+lastbooks.gq, 1
+lastcast.bg, 1
+lastenrad-gifhorn.de, 1
+lastingmarksers.ga, 1
+lastingmarksest.ga, 1
+lastingsmiles.org, 1
+lastkaj14.tk, 1
+lastlowtest.tk, 1
+lastmile.ml, 1
+lastminutehealthcare.com, 1
+lastmohicans.tk, 1
+lastorder.icu, 1
+lastorderguild.tk, 1
+lastorders.tk, 1
+lastoriadellecose.tk, 1
+lastpass.com, 0
+lastrada.tk, 1
+lastrik.ch, 1
+lastsunset.tk, 1
+lasttokengaming.com, 1
+lasttootinaws.com, 1
+lasttweetinaws.com, 1
+lastville.com, 1
+lastwill.ie, 1
+lasvegascasinonews.com, 1
+lasvegasdiscountattractions.com, 1
+lasvegasfit.org, 1
+lasvegasnevada.gov, 1
+laszlo.sh, 1
+laszloinstitute.com, 1
+laszlotamas.hu, 1
+lat.sk, 1
+lata.my, 1
+latabledebry.be, 1
+latahcountyid.gov, 1
+latakuta.com, 1
+latanadelpolpo.it, 1
+latardeurbana.cf, 1
+latardeurbana.ga, 1
+latardeurbana.gq, 1
+latardeurbana.ml, 1
+latardeurbana.tk, 1
+latchplus.com, 1
+late.am, 0
+lateams.ml, 1
+latecnosfera.com, 1
+latedeals.co.uk, 1
+latedecisioners.ga, 1
+latedecisionest.ga, 1
+latefeeking.com, 1
+latefeeking.net, 1
+latefeeking.org, 1
+latelatetoyshow.ie, 1
+lateliercantaldeco.fr, 1
+lateliercreationbougie.fr, 1
+latemarch.com, 1
+laten.tk, 1
+latenitefilms.com, 0
+latentviewanalytics.com, 1
+lateral.dog, 1
+lateralsecurity.com, 0
+lateraltrust.com, 1
+laterremotodealcorcon.tk, 1
+latestbitcoinnews.io, 1
+latestbitcoinnews.org, 1
+latestcoin.tk, 1
+latestimmigrationnews.today, 1
+latestjobhub.in, 1
+latestmobiles.tk, 1
+latestnewsonworld.tk, 1
+latestnewstelugu.com, 1
+latestpornvideos.com, 1
+latestsonglyrics.ml, 1
+latetrain.cn, 1
+latexmattress.com, 1
+latexspuitenspecialist.nl, 1
+lathamlabs.com, 1
+lathamlabs.net, 1
+lathamlabs.org, 1
+lathamwatkinsplatform.com, 1
+latherjacket.com, 1
+latia.tk, 1
+latiamona.com, 1
+latiendawapa.com, 1
+latifolia.com, 1
+latinacon.com, 1
+latinapress.it, 1
+latinatoday.it, 1
+latinmusiccollection.tk, 1
+latinoguysporn.com, 1
+latintoy.com, 0
+latinwomen.tk, 1
+latitudesign.com, 0
+latka.tk, 1
+latnetwork.com, 1
+latoken.com, 1
+latos.tk, 1
+latour-managedcare.ch, 1
+latourist.com, 1
+latremebunda.com, 1
+latrobefinancial.com.cn, 1
+latrynchera.tk, 1
+latticepointconsulting.com, 1
+lattyware.co.uk, 1
+lattyware.com, 1
+latuadro.ga, 1
+latvenergo.lv, 1
+latviaonline.tk, 1
+latvijasvejaparki.lv, 1
+latymer.co.uk, 1
+laubacher.io, 1
+laube-school.com, 1
+laubo.tk, 1
+lauchundei.at, 1
+laud.io, 1
+laudableapps.com, 1
+laudablesites.com, 1
+laudlab.de, 1
+laudon.nl, 1
+laudwein.fr, 1
+laufpix.de, 1
+lauftreff-himmelgeist.de, 0
+laugarvatn.com, 1
+laughinggrapepublishing.com, 1
+laughingloon.com, 1
+laughlinfss.com, 1
+laughlinfss.marketing, 1
+laukstein.com, 1
+laultimaestacion.tk, 1
+launchfinderers.ga, 1
+launchfinderest.ga, 1
+launchgroup.com.au, 1
+launchindonesia.com, 1
+launchpad-app2.com, 1
+launchpadder2.com, 1
+laundrylessonsers.ga, 1
+laundrylessonsest.ga, 1
+laundryshoplocator.com, 1
+laupapk.edu.ee, 1
+laura.network, 1
+lauraandwill.wedding, 0
+laurable.com, 1
+lauradavis.net, 1
+lauraenvoyage.fr, 1
+laurahausmann.de, 1
+laurainnes.tk, 1
+laurakashiwase.com, 1
+laurakentowski.com, 1
+lauralaurant.tk, 1
+lauralinde.de, 1
+lauraohagan.com, 1
+laurasplacefamilysupport.org.au, 1
+laurateen.net, 1
+lauravaindumentaria.com, 1
+laureadesigns.com, 1
+laureaty.tk, 1
+laurelcountycorrectionsky.gov, 1
+laurelcountysheriff.gov, 1
+laurelmd.gov, 1
+lauren.gq, 1
+laurenball.com, 1
+laurencball.com, 1
+laurenceandumehltd.com, 1
+laurencesmits.com, 0
+laurenell.com, 1
+laurenleesmith.tk, 1
+laurenlobue.com, 1
+laurenslatest.com, 1
+laurensvanderblom.nl, 1
+laurentfinance.com, 1
+laurentianlanes.com, 1
+lauresta.lt, 1
+lauresta.lv, 1
+lauretta.io, 1
+lauriane-garcia.avocat.fr, 1
+laurikari.net, 1
+laurindale.tk, 1
+laurineprice.com, 1
+laurinhaepaulo.ga, 1
+lauriuc.sk, 1
+lausannedentiste.ch, 0
+lausannelovers.ch, 0
+laut.digital, 1
+lautremode.com, 0
+lauxincost.cf, 1
+lauzon-hitter.com, 1
+lava.moe, 1
+lavabit.com, 1
+lavabit.no, 1
+lavaggio.it, 1
+lavaggista.it, 1
+lavaldostana.es, 1
+lavalledelgusto.it, 1
+lavalon.tk, 1
+lavamine.tk, 1
+lavamob.com, 1
+lavamobiles.com, 1
+lavanderia.it, 1
+lavanderia.roma.it, 1
+lavarex.co.jp, 1
+lavasing.eu.org, 1
+lavavetri.it, 1
+lavdiazofficial.tk, 1
+laveg.edu.ee, 1
+lavenderx.org, 1
+laventura.tk, 1
+lavhire.tk, 1
+laviaregia.com, 1
+laviedalex.ovh, 1
+lavinaec.com, 1
+lavinya.net, 1
+laviro.tk, 1
+lavish.co.id, 1
+lavita.de, 1
+lavitagarden.tk, 1
+lavka.cf, 1
+lavkafreida.ru, 1
+lavki.tk, 1
+lavndor.net, 1
+lavocedelviolino.it, 1
+lavochka.tk, 1
+lavoieducoeur.be, 1
+lavoiepharmd.com, 1
+lavoixdesmigraineux.fr, 1
+lavoniaga.gov, 1
+lavontx.gov, 1
+lavote.gov, 1
+lavozdelamusicachilena.tk, 1
+lavozderanquil.tk, 1
+lavril.fr, 1
+law-ag.com, 1
+law-colleges.com, 1
+law-moshkovich.co.il, 1
+law-peters.de, 1
+law-profile.com, 1
+law-zur.co.il, 1
+law.co.il, 1
+law.kg, 1
+law22.com, 1
+lawabidingcactus.com, 1
+lawandtheworkplace.com, 1
+lawcancer.cf, 1
+lawcer.com, 1
+lawcover.com.au, 1
+lawda.ml, 1
+lawdepot.ca, 1
+lawebdeljose.tk, 1
+lawebnobasta.tk, 1
+lawebstar.it, 1
+lawenforcementedu.net, 1
+lawfirmyashajustice.co.id, 1
+lawflaws.com, 1
+lawguidesingapore.com, 1
+lawhery.com, 1
+lawinorder.com, 1
+lawinorder.com.au, 1
+lawlessenglish.com, 1
+lawlessfrench.com, 1
+lawlessitalian.com, 1
+lawlessspanish.com, 1
+lawluxury.com, 1
+lawma.one, 1
+lawmint.com, 1
+lawn-seeds.com, 1
+lawnandordercs.com, 1
+lawnenvyva.com, 1
+lawnkitsers.ga, 1
+lawnkitsest.ga, 1
+lawnlessonsers.ga, 1
+lawnlessonsest.ga, 1
+lawnsearchers.ga, 1
+lawnsearchest.ga, 1
+lawnuk.com, 1
+lawpay.com, 1
+lawportal.com.ua, 1
+lawrad.com, 1
+lawrenca.com, 1
+lawrence-institute.com, 1
+lawrence.one, 1
+lawrencebaker.me, 1
+lawrenceberg.nl, 1
+lawrenceclarkemd.com, 1
+lawrencecountyboe-ohio.gov, 1
+lawrencecountyky.gov, 1
+lawrencecountymo.gov, 1
+lawrencecountymo911.gov, 1
+lawrencecountypa.gov, 1
+lawrencecountysd.gov, 1
+lawrencemurgatroyd.com, 1
+lawrencewhiteside.com, 1
+lawrencewi.gov, 1
+lawsoner.tk, 1
+lawsuit.tk, 1
+lawsuitconsultanters.ga, 1
+lawsuitconsultantest.ga, 1
+lawtimesnews.com, 1
+lawton-is.com, 1
+lawvize.com, 1
+lawyer.cf, 1
+lawyerboksburg.co.za, 1
+lawyerdigital.co.bw, 1
+lawyeredu.org, 1
+lawyermidrand.co.za, 1
+lawyerscredentialsers.ga, 1
+lawyerscredentialsest.ga, 1
+lawyerscreenerers.ga, 1
+lawyerscreenerest.ga, 1
+lawyersofmissouri.com, 1
+lawzakon.tk, 1
+lawzana.com, 1
+lawzava.com, 1
+laxaf.com, 1
+laxxl.com, 1
+layan-luxurylighting.com, 1
+layazc.com, 1
+laycock.org.uk, 1
+layer.it, 1
+layermesh.net, 1
+layers.media, 1
+layflamso.tk, 1
+laylo.io, 1
+laylo.nl, 1
+laymans911.info, 1
+layoutsatzunddruck.de, 1
+layt.org, 1
+laythetable.com, 1
+layxw.com, 1
+lazarus.es, 1
+lazarusalliance.com, 1
+lazell.de, 1
+lazell.uk, 1
+lazer.cf, 1
+lazerepilasyonankara.tk, 1
+lazerinitiative.org, 1
+lazerus.net, 1
+lazerus.pw, 1
+lazibeach.tk, 1
+lazionews24.com, 1
+lazisbaiturrahman.org, 1
+lazismuprovgorontalo.or.id, 0
+lazistance.com, 1
+lazo.futbol, 1
+lazonacartagena.tk, 1
+lazonita.tk, 1
+lazorgun.com, 1
+lazosamericaunida.org, 1
+lazosargentina.tk, 1
+lazoscollection.com, 1
+lazowik.pl, 1
+lazownik.pl, 1
+lazudi.com, 1
+lazulu.com, 1
+lazurit.com, 0
+lazyboston.com, 1
+lazyhelp.com, 1
+lazynap.com, 1
+lazysoftware.fr, 1
+lazytapir.com, 1
+lazytux.org, 1
+lazywaves.tk, 1
+lazzo.ml, 1
+lazzzy.com, 1
+lb-music.tk, 1
+lb-toner.de, 1
+lb366.cc, 1
+lba-rpg.tk, 1
+lbarrios.es, 1
+lbayer.com, 1
+lbbw-markets.de, 1
+lbc-podcast.tk, 1
+lbc.gr, 1
+lbda.net, 1
+lbhpartners.com, 1
+lbi-pg.fr, 1
+lbihrhelpdesk.com, 1
+lbio.nl, 1
+lbj.tw, 1
+lbjlibrary.gov, 1
+lbk.vn, 1
+lbls.me, 0
+lbofrance.com, 1
+lbpc.pro, 0
+lbrlh.tk, 1
+lbrli.tk, 1
+lbrls.tk, 1
+lbsg.be, 1
+lbsgroup.co.uk, 1
+lbshoes.bg, 1
+lbwl.com, 1
+lc-cs.com, 0
+lc-promiss.de, 1
+lc-suites.gr, 1
+lc040.com, 1
+lc08080.com, 1
+lc18.vip, 1
+lc3720.com, 0
+lc3736.com, 1
+lc3744.com, 1
+lc3745.com, 1
+lc3759.com, 1
+lc50000.com, 0
+lc58588.com, 0
+lc6601.com, 1
+lc6603.com, 1
+lc6607.com, 1
+lc6632.com, 1
+lc6656.com, 1
+lc6659.com, 1
+lc6665.com, 1
+lc6686.com, 1
+lc7.fun, 1
+lc8005.com, 1
+lc80802.com, 1
+lc80805.com, 1
+lc80806.com, 1
+lc80807.com, 1
+lc80810.com, 1
+lc80811.com, 1
+lc80812.com, 1
+lc80814.com, 1
+lc80815.com, 1
+lc80816.com, 1
+lc80817.com, 1
+lc80820.com, 1
+lc859.com, 0
+lc862.com, 1
+lc863.com, 1
+lc869.com, 1
+lc871.com, 0
+lc873.com, 0
+lc875.com, 0
+lc879.com, 0
+lc8812.com, 1
+lc8820.com, 0
+lc8839.com, 1
+lc8841.com, 1
+lc8881.com, 0
+lc8885.com, 0
+lc8887.com, 0
+lc891.com, 0
+lc897.com, 1
+lc8c.com, 1
+lc8guidance.com, 1
+lc9108.com, 1
+lc9256.com, 0
+lc98.net, 1
+lc9852.com, 1
+lc9862.com, 1
+lc9899.com, 1
+lc9900.com, 1
+lc9910.com, 1
+lc9920.com, 1
+lc9930.com, 1
+lc9940.com, 1
+lc9950.com, 1
+lca.gov, 1
+lcacommons.gov, 1
+lcaonline.tk, 1
+lccwillcounty.gov, 1
+lcdchart.com, 1
+lcdf.education, 1
+lce-events.com, 1
+lcemsami.gov, 1
+lcfwasa.gov, 1
+lcgaj.com, 1
+lcgyfj.com, 1
+lchardingplumbing.com.au, 1
+lcht.ch, 0
+lchtraf.com, 1
+lcistit.ru, 1
+lcl-cargo.ru, 1
+lclarkpdx.com, 1
+lclnet.de, 1
+lcnwallet.com, 1
+lcnxp.com, 1
+lcr94.org, 1
+lcrehlingen.de, 1
+lcrmscp.gov, 1
+lcs.wiki, 1
+lcsoftware.tk, 1
+lcsomo.gov, 1
+lcti.biz, 1
+lcv-psi.com, 1
+lcv-psi.com.br, 1
+lcv.bio, 1
+lcv.email, 1
+lcv.gay, 1
+lcv.lgbt, 1
+lcv.one, 1
+lcv.psc.br, 1
+lcv.rio.br, 1
+lcvip5.com, 1
+lcvip6.com, 1
+lcvip8.com, 1
+lcvleo.net, 1
+lcvmail.com, 1
+lcvmasker.com, 1
+lcvpsi.com.br, 1
+lcvtech.net, 1
+lcwater.com.tw, 1
+lcwc911pa.gov, 1
+lcwebsite.cn, 1
+lcx.cc, 1
+lcy.cat, 1
+lcy.moe, 1
+ld-begunjscica.si, 1
+ldcraft.pw, 1
+lddr.io, 1
+ldemb.com, 1
+ldesignweb.com, 1
+ldgardenservices.co.uk, 1
+ldiesel.ca, 1
+ldjb.jp, 1
+ldlcorrentes.com.br, 1
+ldlorangecountylocksmith.com, 1
+ldm2468.com, 1
+ldsvoicesoftherestoration.com, 1
+ldtborovina.cz, 1
+ldts.es, 1
+ldts.us, 1
+ldtv.top, 1
+ldvsoft.net, 0
+ldwiki.ml, 1
+le-13.fr, 1
+le-bar.org, 1
+le-caprice.co.uk, 1
+le-clos-st-loup.fr, 1
+le-club.co, 1
+le-controle-parental.fr, 1
+le-creux-du-van.ch, 0
+le-drive-de-just-vet.fr, 1
+le-forum.tk, 1
+le-fumoir.com, 1
+le-h.de, 1
+le-marais.be, 1
+le-page.info, 0
+le-palantir.com, 1
+le-parrain-boursorama.fr, 1
+le-reso.com, 1
+le-romien.tk, 1
+le-stroke-of-genius.com, 1
+le-tempo.com, 1
+le-therapeute.com, 1
+le-upfitter.com, 1
+le-vario.net, 1
+le0n.ddns.net, 1
+le0yn.ml, 1
+le130rb.com, 1
+le20dinant.be, 1
+le42mars.fr, 1
+lea.pet, 0
+lead2022.academy, 1
+leadbook.ru, 1
+leadbox.cz, 1
+leadcalyx.com, 1
+leadcricket.com, 1
+leadercreative.ga, 1
+leaderfreight.tk, 1
+leadergamer.com.tr, 1
+leaderinnetflow.com, 1
+leaderoftheresistance.com, 0
+leaderoftheresistance.net, 0
+leadersaudit.ga, 1
+leadership-insight.nz, 1
+leadgem.co.uk, 1
+leadgenie.me, 1
+leadinforce.com, 1
+leadmusic.nl, 1
+leadnxt.co.in, 1
+leadnxt.com, 1
+leadonvale-stemcell.co.uk, 1
+leadplus.com.au, 1
+leadplusdev.com.au, 1
+leadquest.nl, 1
+leadsformoney.tk, 1
+leadsonline.com, 1
+leadvales.com, 1
+leaf-nail.com, 1
+leafandseed.co.uk, 1
+leafans.tk, 0
+leafbodhi.com, 1
+leafinote.com, 1
+leafinote.net, 1
+leafland.co.nz, 1
+leafletdistributionmanchester.com, 1
+leafos.org, 1
+leaftracker.org, 1
+leafurban.com, 1
+leaguecitytexas.gov, 1
+leak.media, 1
+leakbrasil.tk, 1
+leakcontroltherapy.com, 1
+leakedbabes.tv, 1
+leakedminecraft.net, 1
+leakfix.nl, 1
+leaknet.tk, 1
+leales.org, 1
+lealove.net, 1
+lealuestern.com, 1
+lean-consulting.cf, 1
+leandoo.com, 1
+leandre.cn, 1
+leandrebergeron.com, 1
+leandri-campana-avocat.fr, 1
+leandromarcolino.tk, 1
+leandromoreno.co, 1
+leanheat.fi, 1
+leanovent.cloud, 1
+leanovent.de, 1
+leanrtech.com, 1
+leansixsigmadefinition.com, 1
+leaodarodesia.com.br, 1
+leap-mission.com, 1
+leapandjump.co.uk, 1
+leapday.us, 1
+leapworks.io, 1
+leapxx.pro, 1
+lear.com.br, 1
+lear.com.ua, 1
+leardev.de, 1
+learn-everything.info, 1
+learn-freely.com, 1
+learn-smart.uk, 1
+learn-this.tk, 1
+learn2fly.training, 1
+learnapp.com, 1
+learnatf.gov, 1
+learnattack.de, 1
+learncoding.tk, 1
+learncrypto.live, 1
+learncrypto.show, 1
+learndoj.gov, 1
+learnedhacker.com, 1
+learnerdriving.com, 1
+learnforestry.com, 1
+learnhowtoplayguitar.tk, 1
+learning-id.com, 1
+learningaboutcarinsurance.com, 1
+learningis1.st, 1
+learningisprogress.com, 1
+learningladderacademy.net, 1
+learninglaw.com, 1
+learningman.top, 1
+learningsolution.tk, 1
+learnjapanesedaily.com, 1
+learnk12.org, 1
+learnlux.com, 1
+learnosity.com, 1
+learnoutlive.com, 1
+learnpedestal.com, 1
+learnpianogreece.com, 1
+learnpine.com, 0
+learnplayground.com, 1
+learnpythonthehardway.org, 1
+learnsafe.com, 1
+learnspace.co.za, 1
+learntamil.tk, 1
+learnthetruth.tk, 1
+learntobeonline.com, 1
+learntofly.tk, 1
+learntosurfcaparica.com, 1
+learntosurflisbon.com, 1
+learntotradethemarket.com, 1
+learntube.cz, 0
+learnupon.com, 1
+learnwelsh.cymru, 1
+learnwithcorne.com, 1
+leasecar.uk, 1
+leaseit24.com, 1
+leaselink.pl, 1
+leasenow.tk, 1
+leaseourthings.com, 1
+leaseplanbank.de, 1
+leaseplanbank.nl, 1
+leasing.my, 1
+leasing.sos.pl, 1
+leasit.de, 1
+leastsignificantbit.de, 1
+leather-underwear.tk, 1
+leather.io, 0
+leathercollection.co.uk, 1
+leathercollection.de, 1
+leathercollection.es, 1
+leathercollection.fr, 1
+leatherfur.tk, 1
+leatherfurnitureexpo.com, 1
+leathergoods.tk, 1
+leathersofacleaning.co.uk, 1
+leatherstreet.tk, 1
+leatherwill.com.ua, 1
+leauda.fr, 1
+leavealink.tk, 1
+leavenworthcounty.gov, 1
+leaving.africa, 1
+lebabyfoot.fr, 1
+lebal.se, 1
+lebanesearmy.gov.lb, 1
+lebaneseastronomygroup.tk, 1
+lebanoncountypa.gov, 1
+lebanondodgewi.gov, 1
+lebanonfireoregon.gov, 1
+lebanonoregon.gov, 1
+lebanonscafe.com, 1
+lebarbatruc.com, 1
+lebarmode.fr, 1
+lebarmy.gov.lb, 1
+lebarmy.org, 1
+lebeachvillage.com, 1
+lebedovskiy.tk, 1
+leben-pflegen.ch, 1
+lebendige-heilkunst.de, 1
+lebenpflegen-march.ch, 1
+lebenpflegen.ch, 1
+lebens-fluss.at, 1
+lebenshilfe-hannover.de, 1
+lebensinselparaguay.tk, 1
+lebensmittelwarnung.de, 1
+lebesis.tk, 1
+lebihan.pl, 1
+lebkuchen-schmidt.com, 1
+leblanc.io, 0
+leblancq.ca, 1
+leblob.fr, 1
+leblogdumineur.fr, 1
+lebonheurdesgens.com, 1
+lebourgeo.is, 1
+lebozec.org, 1
+lebureau.tk, 1
+lebuys.ca, 1
+lebv.org, 1
+lecandide.info, 1
+lecannabis.at, 1
+lecannabiste.com, 1
+lecannabiste.fr, 1
+lecatal.ca, 1
+leccamilafi.ga, 1
+lecceprima.it, 1
+lecciculturadelvino.it, 1
+leccotoday.it, 1
+lecercleguimard.fr, 1
+lechateaurestaurant.com, 1
+lechaudrondupertuis.ch, 1
+lecheng.in, 1
+lecheng2.com, 1
+lecheng3.com, 1
+lecheng5288.com, 1
+lecheng7.com, 1
+lecheng88.com, 1
+lecheng88.net, 0
+lechenietravami.cf, 1
+lechim-prosto.ru, 1
+lechite.ga, 1
+lechocolatier.com, 1
+lechompenchaine.fr, 1
+lechrismaran.com, 1
+lecken.tk, 1
+leckererezepte.ch, 1
+leclaire.com.br, 1
+leclercbrico.fr, 1
+lecoinchocolat.com, 1
+lecoindufeuhabitat.com, 1
+leconnecteur-biarritz.fr, 1
+lecourriercauchois.fr, 1
+lecrayondemarz.com, 0
+lecreative.tk, 1
+lecteurs.com, 0
+lectormanga.top, 1
+lecturaweb.tk, 1
+lecul.site, 1
+led-sk.ru, 1
+led.xyz, 0
+ledburyvets.co.uk, 1
+leddeluxe.ml, 1
+leddingplasticsurgery.com, 1
+ledebergleeft.be, 1
+ledecologie.com.br, 1
+ledeguisement.com, 1
+ledensite.com, 1
+lederjackekaufen.tk, 1
+ledgerscope.net, 0
+ledigajobb.se, 1
+ledlampor365.se, 1
+ledlight.com, 1
+lednavi.de, 1
+ledpartyfloors.com, 1
+ledscontato.com.br, 1
+ledshop.mx, 1
+ledspadova.eu, 1
+leducq.eu, 1
+leducq.name, 1
+leduquwiki.cf, 1
+ledvalgustid.ee, 1
+ledwit.ru, 1
+lee.in, 1
+lee.net, 1
+lee.nl.eu.org, 1
+leeaaronsrealestate.com, 1
+leeapk.com, 1
+leebiblestudycenter.co.uk, 1
+leebiblestudycenter.com, 1
+leebiblestudycentre.com, 1
+leebiblestudycentre.org, 1
+leebladon.com, 1
+leebruce.tk, 1
+leech.ga, 1
+leech.tk, 1
+leeclemens.net, 0
+leecountyfl.gov, 1
+leecountyil.gov, 1
+leecountync.gov, 1
+leedsmoneyman.com, 1
+leee.eu.org, 1
+leee.nl.eu.org, 1
+leefbaargijzegem.be, 1
+leefbaarkrimpen.nl, 0
+leefgratis.tk, 1
+leefindlow.com, 1
+leefjongeren.nl, 1
+leefl.gov, 1
+leekimball.com, 1
+leekspin.ml, 1
+leekspin.tk, 1
+leelanautownshipmi.gov, 1
+leelaylay.com, 1
+leelou.wedding, 1
+leeman.nl, 1
+leen.io, 0
+leena.ai, 1
+leenaluhtanen.net, 1
+leendebroekertfonds.nl, 1
+leere.me, 1
+leerkotte.eu, 1
+leerliga.de, 1
+leerob.io, 1
+leerox.co, 1
+leertipp.de, 1
+leeryan.tk, 1
+leesilvey.com, 0
+leet2.com, 1
+leetbunny.tk, 1
+leetcode.com, 1
+leetcode.net, 1
+leetizia.net, 1
+leetsuliangkkproduction.tk, 1
+leevealdc.com, 1
+leeyoungaeph.tk, 1
+lefaivre-ferry.ca, 1
+lefarsankids.com.br, 1
+lefcoaching.nl, 1
+lefebvristes.com, 1
+lefebvristes.fr, 1
+lefevre-ec.fr, 1
+lefichier.net, 1
+lefilradio.fr, 1
+leflorecountyok.gov, 1
+leflox.cf, 1
+lefonddeloeil.com, 0
+lefreka.fr, 1
+lefroyee.com, 1
+left-baggage.co.uk, 1
+left.it, 1
+leftbrainsolutions.com.au, 1
+leftclick.cloud, 1
+leftcoasthauling.com, 1
+lefthandwater.gov, 1
+lefucine.com, 1
+lega-dental.com, 1
+legacktem.com, 1
+legacy.bank, 1
+legacydriving.co.za, 1
+legacyfarmstx.com, 1
+legacygame.ga, 1
+legacygame.gq, 1
+legacyofkain.tk, 1
+legacysoft.ml, 1
+legacyumc.org, 1
+legadental.com, 1
+legadosindumentaria.com.ar, 1
+legaillart.fr, 1
+legal-aid.tk, 1
+legal-eye.co.uk, 1
+legalagenda.ga, 1
+legalanchor.ga, 1
+legalatlanta.com, 1
+legalatlantic.ga, 1
+legalband.club, 1
+legalbeagle.com.hk, 1
+legalbeagles.info, 1
+legalbeast.ga, 1
+legalbetcanada.com, 1
+legalcalculator.ga, 1
+legalcanal.ga, 1
+legalcellar.ga, 1
+legalcircus.ga, 1
+legalclearance.ga, 1
+legalco.tk, 1
+legalcollector.ga, 1
+legalconnect.com, 1
+legalconstruct.ga, 1
+legalcorner.com, 1
+legalcorporation.ga, 1
+legalcrunch.ga, 1
+legalcrystal.ga, 1
+legalcustom.ga, 1
+legaldelta.ga, 1
+legaldish.ga, 1
+legaldodge.ga, 1
+legalebony.ga, 1
+legalecasinosnederland.nl, 1
+legalepic.ga, 1
+legaleus.co.uk, 1
+legalfalcon.ga, 1
+legalfighter.ga, 1
+legalflavor.ga, 1
+legalglamour.ga, 1
+legalglory.ga, 1
+legalgoddess.ga, 1
+legalgrace.ga, 1
+legalhandy.ga, 1
+legalhotrod.ga, 1
+legalhusky.ga, 1
+legalintergrity.ga, 1
+legalis.pl, 1
+legalisierung.tk, 1
+legalit.es, 1
+legaliz.ml, 1
+legalizeit.tk, 1
+legaljewel.ga, 1
+legaljoker.ga, 1
+legalloco.ga, 1
+legallowprice.ga, 1
+legalmatche.ga, 1
+legalmillions.ga, 1
+legalnations.ga, 1
+legalne-kasyna.com, 1
+legalnews.cf, 1
+legalnews.ml, 1
+legalnorthamerican.ga, 1
+legaloriginal.ga, 1
+legalphase.ga, 1
+legalpicker.ga, 1
+legalpickup.ga, 1
+legalplace.fr, 1
+legalplatinum.ga, 1
+legalpremier.ga, 1
+legalprestige.ga, 1
+legalpro.tk, 1
+legalpronto.ga, 1
+legalrapid.ga, 1
+legalrazor.ga, 1
+legalremarkable.ga, 1
+legalrobot-uat.com, 1
+legalrobot.com, 1
+legalrule.ga, 1
+legalsample.ga, 1
+legalsearch.nl, 1
+legalservicespanel.gov.au, 1
+legalsoldier.ga, 1
+legalsouthbeach.ga, 1
+legalsrit.tk, 1
+legalsustain.ga, 1
+legalthunder.ga, 1
+legaltings.com, 1
+legaltip.eu, 1
+legaltity.com, 1
+legaltreasure.ga, 1
+legalunique.ga, 1
+legalverde.ga, 1
+legalwaterfront.ga, 1
+legalyankee.ga, 1
+legamedamore.net, 1
+legato.marketing, 1
+legatofmrc.fr, 1
+legatrace.com, 1
+legba.in, 1
+legeaz.net, 1
+legen.sk, 1
+legend-of-pirates.tk, 1
+legendblogers.ga, 1
+legendblogest.ga, 1
+legendesdechine.ch, 0
+legendgrafix.tk, 1
+legendofdragoon.org, 1
+legendofkrystal.com, 1
+legendofmi.com, 1
+legends-game.ru, 0
+legendtourism.com, 1
+legendwiki.com, 1
+legentic.com, 1
+leger-voertuigen.tk, 1
+legere.info, 1
+leggyeggy.ga, 1
+legible.es, 1
+legilimens.de, 1
+legiofte.com, 1
+legioiedifrancy.com, 1
+legion.ge, 1
+legionisci.com, 1
+legioniv.org, 1
+legions.tk, 1
+legionwood.tk, 1
+legiscontabilidade.com.br, 1
+legislationupdateservice.co.uk, 1
+legit.nz, 1
+legitedelaguiole.com, 1
+legitedeprecy.com, 1
+legkie-recepty.tk, 1
+legko-pohudet.cf, 1
+legko-pohudet.ml, 1
+legko-pohudet.tk, 1
+legna.roma.it, 1
+legnami24.it, 1
+legoktm.com, 1
+legoutcheznous.com, 1
+legoutdesplantes.be, 1
+legow.tk, 1
+legowerewolf.net, 1
+legrand-ia.gov, 1
+legrandvtc.fr, 1
+legrimoiredessenteurs.fr, 1
+legro.tk, 1
+legrub.net, 1
+legtech.lu, 1
+legterm.cz, 1
+leguano-barfusspark.eu, 1
+legyenkianegykereked.hu, 1
+lehifibernetwork.gov, 1
+lehighcountypa.gov, 1
+lehighvalleypeds.com, 1
+lehmanns.de, 1
+lehmitz-weinstuben.de, 1
+lehnc.ddns.net, 1
+lehokolo.eu, 1
+lehollandaisvolant.net, 1
+lehrgang-zum-brandschutzhelfer.de, 1
+lehu.in, 1
+lehvyn.org, 0
+leia.cc, 1
+leibniz-gymnasium-altdorf.de, 1
+leibniz-trifft.de, 1
+leibniztrifft.de, 1
+leicabiosystems.com, 1
+leicester.bike, 1
+leicesterastronomicalsociety.co.uk, 1
+leicestermoneyman.com, 1
+leicestervt.gov, 1
+leidegoncalves.com, 0
+leideninternationalreview.com, 1
+leier.ml, 1
+leighneithardt.com, 1
+leignier.org, 1
+leilaelu.com.br, 1
+leilakaleva.fi, 1
+leilautourdumon.de, 1
+leilonorte.com, 1
+leiming.co, 1
+leipzig.photo, 1
+leipziger-triathlon.de, 1
+leism.com, 1
+leism.de, 1
+leism.eu, 1
+leism.net, 1
+leism.org, 1
+leismail.com, 1
+leismann.sbs, 1
+leismann.tel, 1
+leismann.uk, 1
+leisure-blog.com, 1
+leisure-supplies-show.co.uk, 1
+leisure.cf, 1
+leisure.ga, 1
+leisure.tk, 1
+leisurecooker.co.uk, 1
+leisurecooker.ie, 1
+leisurevip.com, 1
+leit.kr, 1
+leitz-cloud.com, 1
+leiyinan.com, 1
+lejardindesmesanges.fr, 1
+lejlax.com, 1
+lejournaldublog.com, 1
+lekarkabajkopisarka.pl, 1
+lekarz-wizyty.pl, 1
+lekasedgar.com, 1
+lekitable.fr, 1
+lekkergoings.nl, 1
+leko.tk, 1
+lekota.co.uk, 1
+leksi.si, 1
+lektier.cf, 1
+lel.lol, 1
+leladesign.it, 1
+lelehei.com, 1
+leleimports.store, 1
+leliekerk.nl, 1
+leliveld.nl, 1
+leliveld.org, 1
+lellek.at, 1
+lellikellyshop.bg, 1
+lellyboi.ml, 1
+lelo.com.pl, 1
+lelubre.info, 1
+lelulove.net, 1
+lelux.net, 1
+lelux.site, 1
+lem0n.eu.org, 1
+lemarcheelagrandeguerra.it, 1
+lemarquier.com, 1
+lemasdupalus.com, 1
+lemat.de, 1
+lemazol.fr, 1
+lemberg.ml, 1
+lemco.dk, 1
+lemedecin.fr, 1
+lemediajustice.fr, 1
+lemediateur-creditagricole-nord-est.com, 1
+lemefly.com, 1
+lemeridienchambers.com, 1
+lemgstudio.com, 1
+lemieuxproducts.com, 1
+leminhduong.com, 1
+lemitron.fr, 1
+lemitti.com, 1
+lemler.family, 1
+lemmamedia.com, 1
+lemmy.cafe, 1
+lemmy.name, 1
+lemmyfund.org, 1
+lemni.top, 1
+lemoine.at, 1
+lemon.nl.eu.org, 1
+lemonadefashion.com, 1
+lemonardo.ga, 1
+lemoncloud.eu.org, 1
+lemoniax.com, 0
+lemonpic.ga, 1
+lemonpool.com.tr, 1
+lemonrfx.com, 1
+lemonrockbiketours.com, 1
+lemonrotools.com, 1
+lemonsociety.cf, 1
+lemonsoftware.eu.org, 1
+lemontownshippa.gov, 1
+lemonwater.tk, 1
+lemr.fr, 1
+lemzarcapital.com, 0
+lena-klein.de, 1
+lena-klein.eu, 1
+lena-nitro.org, 1
+lenafonster.se, 1
+lenagroben.de, 1
+lenalio.fr, 1
+lenamorino.net, 1
+lenaneva.ru, 0
+lenardoips.tk, 1
+lenasophie.net, 1
+lence.net, 1
+lencia.ga, 1
+lenczewski.ddns.net, 1
+lendahandmissionteams.org, 1
+lendera.mx, 1
+lendingmate.ca, 1
+lendingpoint.com, 1
+lendinvest.com, 1
+lendme.com.au, 1
+lendme.dk, 1
+lenemes.tk, 1
+lenergietoutcompris.fr, 1
+lengby.com, 1
+lengoo.com, 1
+lengua-alemana.tk, 1
+lenguajecoloquial.com, 1
+lenguajecoloquial.es, 1
+lenguajedeprogramacion.com, 1
+lenguasgermanicas.tk, 1
+lengyelnyelvoktatas.hu, 1
+lengyelul.hu, 1
+lenhatthanh.com, 1
+lenhotec.pt, 1
+lenidh.de, 1
+lenifuchs.net, 1
+lenii.com, 1
+lenina72.tk, 1
+leninalbertop.com.ve, 1
+lenit.nl, 1
+lenkeran.tk, 1
+lenkunz.me, 1
+lenn-blaschke.com, 1
+lennard-indlekofer.de, 1
+lennard.tk, 1
+lennard0711.eu, 1
+lennartoldenburg.de, 1
+lennox.cf, 1
+lennoxsd.gov, 1
+lennusadam.eu, 1
+lennybruce.tk, 1
+lennyendewespen.tk, 1
+lennyobez.be, 1
+lennyrodriguez.com, 1
+lenoblpech.ru, 1
+lenoirnc.gov, 1
+lenord.fr, 1
+lenorefan.tk, 1
+lenostech.gr, 1
+lenou.nl, 1
+lenovovietnam.net, 1
+lenqiue.com, 0
+lenr-experiment.tk, 1
+lenr-forum.com, 1
+lens.google.com, 1
+lenseshop.tk, 1
+lenspirations.com, 1
+lenstamiri.com, 1
+lenstore.co.uk, 1
+lensual.space, 0
+lenta-ru.tk, 1
+lentanews.ml, 1
+lentesbrasil.com, 1
+lents.xyz, 1
+lentusaudio.nl, 1
+lenuagebauche.org, 1
+lenumerozero.info, 1
+lenyip.com, 1
+lenyip.works, 1
+leo-boutique.fr, 1
+leo-music.tk, 1
+leo-translate.com.ua, 1
+leo.gov, 1
+leoandpeto.com, 1
+leob.in, 0
+leoburnett.com, 1
+leocollo.com, 1
+leodraxler.at, 1
+leojweda.com, 1
+leokoo.com, 0
+leola.cz, 1
+leola.sk, 1
+leolabs.space, 1
+leolawi.gov, 1
+leomarcou.fr, 1
+leomax.ru, 1
+leominstercu.com, 0
+leomwilson.com, 0
+leon-16255.space, 1
+leon-tec.co.jp, 1
+leon-tech.com, 1
+leon.wtf, 1
+leonard.io, 0
+leonardaccessories.com, 1
+leonardcamacho.me, 1
+leonardcyber.com, 0
+leonardlorenz.de, 1
+leonardocontreras.com, 1
+leonardocremonesi.it, 1
+leonardoealessandra.com, 1
+leonardofavio.tk, 1
+leonardoferrera.com, 1
+leonardoneiva.com.br, 1
+leonardostart.tk, 1
+leonardtheologicalcollege.com, 1
+leonauto.de, 1
+leonbania.com, 1
+leonbuitendam.nl, 1
+leoncss.ml, 1
+leongalin.tk, 1
+leonhooijer.nl, 0
+leonidas-dovido.tk, 1
+leoniepur-porn.com, 1
+leonieroessler.com, 1
+leonieslonging.org, 1
+leonklingele.de, 1
+leonpa.gov, 1
+leonplast.tk, 1
+leontiekoetter.de, 1
+leontworzy.pl, 1
+leontyev.tk, 1
+leonvermunt.com, 1
+leonvermunt.nl, 1
+leonvotes.gov, 1
+leonyork.com, 1
+leopardstudio.tk, 1
+leopastel.net, 1
+leoseguin.fr, 1
+leoservicosetc.com, 1
+leoservicosetc.com.br, 1
+leoservicosetc.email, 1
+leoservicosetc.live, 1
+leoservicosetc.online, 1
+leoservicosetc.rio.br, 1
+leoservicosetc.store, 1
+leoservicosetc.world, 1
+leosopenmind.com, 1
+leosty.com, 1
+leovanna.co.uk, 1
+leowkahman.com, 1
+lep.gov, 1
+lepalierjuridique.com, 1
+lepallec.tv, 1
+lepartiecomemoracoes.com.br, 1
+lepat.es, 1
+lepatch.jp, 1
+lepblog.tk, 1
+lepenis.fr, 0
+leper.ga, 1
+lepetitendroit.fr, 1
+lepetitkids.com.br, 1
+lephilnet.tk, 1
+lepidum.jp, 1
+leping.com, 1
+lepka.tk, 1
+lepkov.ru, 1
+leplus.net, 1
+leplus.org, 1
+leporem.com.br, 1
+leportschools.com, 1
+leppis-it.de, 1
+lepraconsf.com, 1
+leprekon.tk, 1
+lepressoir-info.org, 1
+leps.fr, 1
+leptitbaltar.com, 1
+leptotrichia.tk, 1
+lepuyenvelay-tourisme.fr, 1
+lequerceagriturismo.com, 1
+lequest.dk, 1
+lequocthai.com, 1
+ler3.com, 1
+lerameau.fr, 1
+lerefuge.xyz, 1
+lerika.tk, 1
+lerks.blog, 1
+lerku.com, 1
+lernenamsee.ch, 1
+lernerspersonalinjury.ca, 0
+lernorteuropa.com, 1
+lernorteuropa.de, 1
+lernorteuropa.eu, 1
+lernpfad.ch, 1
+leros.bg, 1
+leroytwp-calhounmi.gov, 1
+lerryn.net, 1
+lertsiritravel.net, 1
+les-aides.fr, 1
+les-ateliers-de-melineo.be, 0
+les-epris.fr, 1
+les-explos.com, 1
+les-formations.fr, 1
+les-inoxydables.com, 1
+les-pipelettes-de-narbonne.com, 1
+les-pros-du-drone.com, 1
+les-universalistes.be, 1
+lesa-kiev.biz.ua, 1
+lesa.biz.ua, 1
+lesa.boutique, 1
+lesacredescouleurs.fr, 1
+lesalpinistes.com, 1
+lesamisdelaroumanie.com, 1
+lesamoureuxdangelique.ovh, 1
+lesargentinas.tk, 1
+lesartisanes.fr, 1
+lesas.tk, 1
+lesbea.com, 1
+lesbi-porno-video.ru, 1
+lesbianlovers.tk, 1
+lesbicas.com.pt, 1
+lesblogueuses.fr, 1
+lesbonzoms.alwaysdata.net, 1
+lesborgestv.cat, 1
+lesbrillantsdaristide.com, 1
+lescarnetsderoutedesophie.com, 1
+leschamoisduvercors.fr, 1
+lescommunes.com, 1
+lescomptoirsdepierrot.com, 1
+lesconcours.tk, 1
+lescoquetteriesdenais.fr, 1
+lescouturesdisa.fr, 1
+lescrieursduweb.com, 0
+lesdeuxfilles.be, 1
+lesdouceursdeliyana.com, 1
+leseditionsbraquage.com, 1
+lesershop24.de, 1
+lesformations.net, 0
+lesfouines.com, 1
+lesfurets.com, 1
+lesgarianes.com, 1
+lesgitesdusapey.fr, 0
+lesgoodnews.fr, 1
+leshetu.com, 0
+leshok.tk, 1
+leshop.ch, 1
+lesin.tk, 1
+lesitederencontre.fr, 1
+lesjardinsdemathieu.net, 0
+leskei.ru, 1
+leslhassadeluminia.fr, 1
+leslie.horse, 1
+lesmajuscules.fr, 1
+lesmatinesdheres.fr, 1
+lesmills-redirect-test.azurewebsites.net, 1
+lesmontagne.net, 1
+lesnet.co.uk, 1
+lesnoticiesdensergialarcon.site, 1
+lesours.in, 1
+lesparqueteurs.xyz, 1
+lespasseursdelivres.fr, 1
+lespatriotes.tk, 1
+lespecialiste-pradelexcellence.com, 1
+lesperlesdunet.tk, 1
+lespinasse.org, 1
+lesplatanes.ch, 0
+lesportmusic.tk, 1
+lesprofsplacotent.com, 1
+lesptitspasdelyne.fr, 1
+lesptitstutos.fr, 1
+lesquatredauphins.fr, 0
+lesrivesdegaronne.com, 1
+lessavonnables.fr, 1
+lesschwab-privacyportal-ui.azurewebsites.net, 1
+lessets-graphiques.com, 1
+lessiamia.net, 1
+lessing.consulting, 1
+lessis.moe, 1
+lessonsofacto.com, 1
+lesspass.com, 1
+lestanzedelgattopardo.it, 1
+lesterchan.net, 1
+lesterrassesdusoleil.ch, 0
+lestravauxduparticulier.fr, 1
+lestrokeofgenius.com, 1
+lestudiopecot.fr, 1
+lesummeira.is, 1
+lesvertsmaroc.tk, 1
+lesycr.cz, 1
+lesyndicat.info, 0
+leszonderstress.nl, 1
+letableaunoir.fr, 1
+letaman.tk, 1
+letao18.com, 0
+letchikleha.tk, 1
+letdownloads.tk, 1
+letec.be, 1
+leteckedarky.cz, 1
+letemps.ch, 1
+letempsdujasmin.fr, 1
+leter.io, 0
+leterroirdesvignobles.fr, 1
+letgodbetrue.com, 1
+lethalgaming.tk, 1
+lethalhardcore.com, 1
+lethosdesigns.co.uk, 1
+lethosdesigns.com, 1
+letic.fr, 1
+leticia.com.tw, 1
+leticia.ml, 1
+letiloulous.fr, 1
+letipweb.tk, 1
+letitfleet.io, 1
+letitfly.me, 1
+letiziamx.com, 0
+letmdesigncommercial.com, 1
+letmebet.de, 1
+letmepost.com, 1
+letnik.tk, 1
+leto12.xyz, 0
+letocar.com, 1
+letopise.com, 1
+letraba.com, 1
+letranif.net, 1
+letras.com, 1
+letras.mus.br, 1
+letras10.co, 1
+letraschile.com, 1
+lets-go-acoustic.de, 0
+lets.nu, 0
+letsbrand-holding.com, 1
+letsbrand-holding.nl, 1
+letsbrandholding.com, 1
+letsbrandholding.nl, 1
+letscahoot.net, 1
+letscrackit.ml, 1
+letsdebug.net, 1
+letsdevelop.com.br, 1
+letsdocode.com, 1
+letsdoeit.com, 1
+letsdothatagain.gq, 1
+letsdothatagain.ml, 1
+letsdothatagain.tk, 1
+letselhulpservice.nl, 1
+letsencrypt-for-cpanel.com, 1
+letsflyinto.space, 1
+letsgame.nl, 1
+letsgetintouch.com, 1
+letsgo.icu, 1
+letsgomaldives.com, 1
+letsgowhilewereyoung.com, 1
+letsknow.ga, 1
+letsknow.tk, 1
+letson.me, 1
+letsorganise.uk, 1
+letspartyrugby.co.uk, 1
+letsplayourgameagain.gq, 1
+letsrave.tk, 1
+letstalk.video, 1
+letstryanal.com, 1
+lette.tk, 1
+letterbox-online.de, 1
+letterrill.gq, 1
+lettersblogatory.com, 1
+lettings101.org, 0
+letto.ru, 1
+lettori.club, 1
+lettragetattoo.tk, 1
+lettrefrancophile.ga, 1
+lettres-motivation.net, 1
+lettucegeek.com, 1
+letturaveloce.tk, 1
+letusdothehomework.com, 1
+letustravel.tk, 1
+letvikar.dk, 1
+letweedoo.com, 1
+letyro.pl, 1
+letzi-immobilien.ch, 1
+leuchtmann.ch, 1
+leucothea.org, 1
+leuenhagen.com, 1
+leukert.org, 1
+leulu.com, 1
+leusemiamusic.tk, 1
+leuthardtfamily.com, 1
+leutransporteur.com, 1
+leuvensefilmclub.tk, 1
+lev103.com, 1
+levabilligt.com, 1
+levans.fr, 0
+levantage.tk, 1
+levante.net.nz, 1
+levaomat.com, 1
+levaquin750.ga, 1
+levati.name, 1
+leveeroadstudio.com, 1
+level33.com.sg, 1
+level37.tk, 1
+level4.parts, 1
+level5-drywall.com, 1
+level6.me, 1
+levelaccordingly.com, 1
+levelninehvac.com, 1
+levelrankings.com, 1
+levels.one, 1
+levelsoft.ml, 1
+levelum.com, 1
+levelupdisability.com.au, 1
+leveluplv.com, 1
+leveluprankings.com, 1
+levelx.team, 1
+levendwater.org, 1
+levensbron.nl, 1
+leventismotors.com.ng, 1
+leverj.io, 1
+levermann.eu, 1
+leviaan.nl, 1
+leviathan-studio.com, 1
+leviathanfan.tk, 1
+leviathanstory.tk, 1
+levico.tk, 1
+levida.ca, 1
+levidromelist.com, 1
+levineteamestates.com, 1
+levinus.de, 1
+levis.fun, 1
+levis.name, 1
+levischuck.com, 1
+levisenlaw.com, 1
+levitate.ro, 0
+levitatingx.com, 1
+levitation.tk, 1
+levlagom.com, 1
+levna-knihovna.cz, 1
+levolor.com, 1
+levonet.sk, 1
+levothyroxineonline.gq, 1
+levs.tk, 1
+levy.org, 1
+levyinstitute.com, 1
+levyinstitute.net, 1
+levyinstitute.org, 1
+levymultiplier.com, 1
+levymultiplier.org, 1
+levyntgard.tk, 1
+lew.im, 1
+lewdawson.com, 0
+lewdgamer.com, 1
+lewebdantoine.fr, 1
+leweslivingstreets.tk, 1
+lewiatan.opole.pl, 1
+lewig.net, 1
+lewis-sharp.com, 1
+lewiscollard.com, 1
+lewiscountyny.gov, 1
+lewiscountytn.gov, 1
+lewisdatasecurity.com, 0
+lewisjuggins.co.uk, 1
+lewismcyoutube.uk, 1
+lewistonutah.gov, 1
+lewt.me, 1
+lex-legal.com.ua, 1
+lex18.com, 1
+lexapro-price.ga, 1
+lexautoservice.nl, 1
+lexblogplatform.com, 1
+lexblogplatformthree.com, 1
+lexch.com, 1
+lexdavicont.ro, 1
+lexdigital.pl, 1
+lexe.club, 1
+lexeri.com, 1
+lexgo.be, 1
+lexgo.lu, 1
+lexic.co, 1
+lexico.pt, 1
+lexicography.online, 1
+lexicore.ga, 1
+lexifax.ga, 1
+lexikon24.tk, 1
+lexington-credit-repair.com, 1
+lexingtonil.gov, 1
+lexingtonok.gov, 1
+lexinter.net, 1
+lexiprof.com, 1
+lexis.ml, 1
+lexitthemovie.tk, 1
+lexjunkie.xyz, 1
+lexmedia.ro, 1
+lexmondcommunications.com, 1
+lexoh.com, 1
+lexpartsofac.com, 1
+lexpert.ca, 1
+lexreception.com, 1
+lexsc.gov, 1
+lextechsuite.com, 1
+lexum.com, 1
+lexuspartsnow.com, 1
+lexvademecum.com, 1
+lexway.pk, 1
+leyaonline.com, 1
+leybelsgarden.cf, 1
+leyendaluzrenacer.com, 1
+leyeslaboralesdecolorado.gov, 1
+leyfutmex.com, 1
+leyhorizontal.es, 1
+leylalips.org, 1
+leymaritima.com, 1
+leytron.tk, 1
+lez.gent, 1
+lez2020.be, 1
+lez2020.gent, 1
+lezbomovies.com, 1
+lezdombliss.com, 1
+lezdomsm.com, 1
+lezen.tk, 1
+lezgetreal.com, 1
+lezhang.top, 1
+leziblog.cn, 1
+lezzetyurdu.com.tr, 1
+lf-space.com, 1
+lfashion.eu, 1
+lfc.com.pl, 1
+lfcnsv.de, 1
+lff.club, 1
+lffweb.ga, 1
+lfg.com.ph, 1
+lfgss.com, 1
+lfi-mv.de, 0
+lfmosqueira.com.br, 1
+lfn.moe, 1
+lfnaturopathie.com, 1
+lforum.tk, 1
+lfrconseil.com, 1
+lfyhokk.tk, 1
+lg-obchod.cz, 1
+lg-store.sk, 1
+lg-world.cz, 1
+lg.gz.cn, 1
+lg0.site, 1
+lg2.com, 1
+lgam.com, 1
+lgbt-colleges.com, 1
+lgbt.io, 1
+lgbt.ventures, 1
+lgbtqtherapyspace.com, 1
+lgbtventures.com, 1
+lgbusiness.es, 0
+lgelectric.cz, 1
+lgelectric.eu, 1
+lgerman.de, 1
+lgesteticaautomotiva.com.br, 1
+lghfinancialstrategy.ch, 0
+lgiswa.com.au, 1
+lgmars.xyz, 1
+lgmotors.cz, 1
+lgnsh.fr, 1
+lgobchod.cz, 1
+lgp.go.th, 1
+lgrs.com.au, 1
+lgscripts.com.br, 1
+lgsg.us, 1
+lgstore.cz, 1
+lgstore.sk, 1
+lgsystem.cz, 1
+lgsystems.cz, 1
+lgtrees.co.uk, 1
+lgv-france.com, 1
+lgworld.cz, 1
+lhajn.cz, 1
+lhakustik.se, 1
+lhasaapso.com.br, 1
+lhconsult.tk, 0
+lheinrich.org, 1
+lhffinanceira.online, 1
+lhm.de, 1
+lhokseumawekota.go.id, 1
+lhost.su, 1
+lhp-creation.com, 1
+lhp-creation.fr, 1
+lhr.wiki, 1
+lhsj28.com, 1
+lhsj68.com, 1
+lhsj78.com, 1
+lhv.nl, 1
+li-de.tk, 1
+li-ke.co.jp, 1
+li-n.net, 1
+li-project.com, 1
+li.fi, 1
+li.gz.cn, 1
+li.search.yahoo.com, 0
+li1436-89.members.linode.com, 1
+li985.com, 0
+lia-fox.org, 1
+liaengel.com, 1
+liaiai.com, 1
+lialash.pro, 1
+lialeone.org, 1
+lialion.de, 1
+liam-is-a-nig.ga, 1
+liam-le-may.fr, 1
+liam-w.io, 1
+liam.bzh, 1
+liam.ovh, 1
+liambaron.com, 1
+liamelliott.me, 1
+liamlin.me, 1
+liamsteckler.com, 1
+lian-in.net, 1
+liana.site, 1
+lianand.com, 1
+liangbi.ml, 1
+liange.com, 1
+liangfaner.com, 1
+lianglongcredit.com, 1
+liangxingai.com, 1
+liangyichen.net, 1
+lianhe.art, 1
+lianid.com, 1
+lianka.eu, 1
+lianka.pl, 1
+lianka.uk, 1
+lianwen.kim, 1
+lianxin.com, 1
+liaozheqi.cn, 1
+liar.wiki, 1
+lib.pm, 1
+lib.rs, 1
+lib64.net, 1
+libanswers.com, 1
+libanswers.net, 1
+libapps.com, 0
+libapps.net, 1
+libart.so, 1
+libauth.com, 1
+libbitcoin.org, 1
+libble.eu, 1
+libcal.com, 1
+libcal.net, 1
+libchat.com, 1
+libchat.net, 1
+libcip.org, 1
+libcmodbus.org, 1
+libconnect.com, 1
+libconnect.net, 1
+libcrc.org, 1
+libcrm.com, 1
+libcrm.net, 1
+libelle.nl, 1
+libelulaweb.tk, 1
+liberad.fr, 1
+liberal.ru, 1
+liberalartsedu.org, 1
+liberale-demokraten.de, 1
+liberalis.tk, 1
+liberapay.com, 1
+liberategrace.com, 1
+liberation2020.com, 1
+liberationgroup.com, 1
+liberationtek.com, 0
+liberatupotencial.site, 1
+liberda.nl, 1
+liberdademg.com.br, 1
+liberecstehovani.cz, 1
+libermoto.fr, 1
+liberta-me.org, 1
+libertacao.tk, 1
+libertadgreen.tk, 1
+libertarian-party.com, 1
+libertas-tech.com, 1
+libertas.co.jp, 1
+liberte-toujours.tk, 1
+libertino.tk, 1
+libertis.ga, 1
+liberty-city.tk, 1
+liberty-host.tk, 1
+liberty-med.ru, 1
+liberty-univers.art, 1
+liberty-universe.art, 1
+liberty.co.uk, 1
+libertybaptistmn.org, 1
+libertycountyflsoe.gov, 1
+libertydentalplan.com, 1
+libertyga.tk, 1
+libertygrovewi.gov, 1
+libertyhillssewer.gov, 1
+libertylakewapd.gov, 1
+libertyland.tk, 1
+libertylondon.com, 1
+libertyreversemortgage.com, 1
+libertystation.com, 1
+libertytereconoce.com, 1
+libertytwpadamspa.gov, 1
+libertyvault.us, 1
+libertywines.co.uk, 0
+libertywines.ie, 0
+libertyxpress.tk, 1
+libfins.org, 1
+libgame.com, 1
+libget.com, 1
+libgraphe.me, 1
+libguides.com, 0
+libguides.net, 1
+libhttp.org, 1
+libinsight.com, 1
+libinsight.net, 1
+libivis.com, 1
+liblogo.com, 1
+libmpq.org, 1
+libnull.com, 1
+libot.eu.org, 1
+libpdf.org, 1
+libportal.cf, 1
+libractes.tk, 1
+libraideos.tk, 1
+librairiez.ca, 1
+librairiez.com, 1
+librairiezbookstore.com, 1
+libramedia.ru, 1
+libranet.eu, 1
+libraries.vic.gov.au, 1
+librarika.com, 1
+librarium.tk, 1
+library-quest.com, 1
+library.nhs.uk, 1
+libraryh3lp.com, 1
+libraryofcode.org, 1
+libraryofcode.us, 1
+librarytapes.tk, 1
+librarytools.com, 1
+libravatar.org, 1
+librazy.org, 1
+libre-innovation.org, 1
+libre-service.de, 1
+libre.cr, 1
+libre.university, 1
+libreai.nl.eu.org, 1
+libreboot.org, 1
+librebox.de, 1
+librechat.ai, 0
+libredns.eu, 1
+libreduca.com, 1
+libreexpresion.tk, 1
+libreho.st, 1
+librelamp.com, 1
+libremail.nl, 1
+librematrix.com, 1
+libremedia.video, 1
+librends.org, 1
+libreoffice.ee, 1
+libreofficefromcollabora.com, 1
+libreplanet.org, 1
+libreria-ouroboros.tk, 1
+libreriaelzocalo.cl, 1
+librervac.org, 1
+libresoft.ml, 1
+libressobooks.sk, 1
+libreview.com, 1
+libreview.ru, 1
+librisulibri.it, 1
+librosantimateria.com, 1
+librosdelasteroide.com, 1
+librosdescargas.club, 1
+librosgratisnet.tk, 1
+librosparareinventarse.es, 1
+libruis.com, 0
+libscpi.org, 1
+libskia.so, 1
+libslack.org, 1
+libsodium.org, 1
+libstaffer.com, 1
+libstaffer.net, 1
+libstick.org, 1
+libstock.si, 1
+libwizard.com, 1
+libwizard.net, 1
+libyanexpert.ml, 1
+lic39.ru, 1
+licence-registry.com, 1
+licencja-na-drona.pl, 1
+licencja-na-drony.pl, 1
+licensecrack.com, 1
+licensediscovery.io, 1
+licenseplates.cc, 1
+licenzacalcio.tk, 1
+liceoc9.tk, 1
+licesisters.com, 1
+lichess.org, 1
+lichnyj-astrolog.cf, 1
+lichnyj-astrolog.ga, 1
+lichnyj-astrolog.gq, 1
+lichnyj-astrolog.ml, 1
+lichnyj-astrolog.tk, 1
+lichtbild.nrw, 1
+lichtbildfotos.de, 1
+lichtcam.ddns.net, 0
+lichtfestival.be, 1
+lichtfestival.gent, 1
+lichtfestivalgent.be, 1
+lichtfestivalgent.com, 1
+lichtfestivalgent.tv, 1
+lichtfestivalghent.be, 1
+lichtfestivalghent.com, 1
+lichtjesavondkoedijk.nl, 1
+lichtmetzger.de, 0
+lichtplatformnsvv.nl, 1
+lichtschatten.tk, 1
+lichtsturm.net, 1
+lichttechnik-tumler.com, 1
+lichtval.tk, 1
+licia-music.com, 1
+lickd.co, 1
+lickingcounty.gov, 1
+licloud.homeip.net, 1
+licoreseugenioavila.com, 1
+licx.ml, 1
+licx.ru, 1
+lida-vets.co.uk, 1
+lidarwindtechnolog.cf, 1
+lidarwindtechnolog.ga, 1
+lidaumba.com, 1
+lidavidm.me, 1
+lidel.org, 1
+lidernaturascarlettbados.com, 1
+liderok.tk, 1
+lidkoping.se, 1
+lidl-gewinnspiel.de, 1
+lidl-holidays.com, 1
+lidl-immobilien.de, 1
+lidl-kochen.de, 1
+lidl-shop.be, 1
+lidl-shop.cz, 1
+lidl-shop.nl, 1
+lidl-shop.sk, 1
+lidl-sklep.pl, 1
+lidl-stikeez.si, 1
+lidl-vins.fr, 1
+lidl.at, 1
+lidl.be, 1
+lidl.de, 1
+lidl.es, 1
+lidlonline.es, 1
+lidlovajogurteka.si, 1
+lidodecor.com, 1
+lidogr.com, 1
+lidong.me, 1
+lidosparesort.com, 1
+lidtkemotors.com, 1
+liduan.net, 0
+lieba.ch, 1
+liebel.org, 1
+lieben.tk, 1
+lieberwirth.biz, 1
+liecomiribea.cf, 1
+lied8.eu, 1
+liegveld.nl, 1
+liehuojun.com, 0
+liella.me, 1
+liemen.net, 1
+liena.be, 0
+liendar-silver.com, 1
+lienhuyghebaert.tk, 1
+lier.link, 1
+lier.tk, 1
+lieren4x4.nl, 1
+lierohell.tk, 1
+liesbethkeijzer.nl, 1
+lieuu.com, 0
+lifamily.xyz, 1
+lifanov.com, 1
+lifars.com, 0
+lifco-industrie.com, 1
+life-emotions.pt, 1
+life-in-hell.tk, 1
+life-is-riddle.tk, 1
+life-mastery-tv.com, 1
+life-style.tk, 1
+life-tec.tk, 1
+life-time.nl, 1
+life24korea.com, 1
+life29.com, 1
+life360.com, 1
+life4net.tk, 1
+lifeandhealthtips.tk, 1
+lifeandhowtosurviveit.com, 1
+lifeartstudios.net, 1
+lifeasgame.tk, 1
+lifeatthemax.graphics, 1
+lifeatthemax.marketing, 1
+lifeatthemax.us, 1
+lifebymargot.co.uk, 1
+lifecare.org, 1
+lifecism.com, 1
+lifecoach.tw, 1
+lifecoachkatrien.be, 1
+lifeconnections.ro, 1
+lifecraft.cf, 1
+lifedrops.com.au, 1
+lifefaithtruth.com, 1
+lifefoto.de, 1
+lifegoesonsojustsmile.tk, 1
+lifehacker.com, 1
+lifeinheart.com, 1
+lifeinhellfansite.tk, 1
+lifeinhex.com, 1
+lifeinsurancepro.org, 1
+lifeintwentys.com, 1
+lifeisabug.com, 1
+lifeismmo.com, 1
+lifeispain.tk, 1
+lifeisqi.nl, 1
+lifekeycounsel.com, 1
+lifekirov.tk, 1
+lifekiss.ru, 1
+lifelessandcalm.com, 1
+lifelineanimal.org, 1
+lifelinespublishing.com, 1
+lifelinesupport.org, 1
+lifelinksystems.com, 1
+lifelock.ml, 1
+lifelovers.tk, 1
+lifemalayalam.com, 1
+lifematenutrition.com, 1
+lifemcserver.com, 1
+lifemstyle.com, 1
+lifenews24.tk, 1
+lifenexto.com, 1
+lifengoal.com, 1
+lifepathdoc.com, 1
+liferay.com, 1
+lifereset.it, 1
+lifesaverhindi.tk, 1
+lifeseatsers.ga, 1
+lifeseatsest.ga, 1
+lifeset.pp.ua, 1
+lifesettlements.com, 1
+lifeskills-education.co.uk, 0
+lifeslice.online, 1
+lifeslonglist.com, 1
+lifesoccer.tk, 1
+lifestorage.com, 0
+lifestyle.bg, 1
+lifestyle7788.com, 1
+lifestyledoctor.in, 1
+lifestylefoodies.com, 1
+lifestylehousing.in, 1
+lifestylexplocial.tk, 1
+lifetech.com.my, 1
+lifetimefitness.tk, 1
+lifetimemedsers.ga, 1
+lifetimemedsest.ga, 1
+lifetimetraining.co.uk, 1
+lifetoolscdc.com, 1
+lifetree.network, 1
+lifeupgame.fr, 1
+lifewithdyna.com, 1
+lifexpert.tk, 1
+lifi.digital, 1
+lifi.is, 1
+liftagacademy.com, 1
+liftedpixel.net, 1
+liftie.info, 1
+liftingchat.com, 1
+liftntake.com, 1
+liftyourgame.com, 1
+lig.ink, 0
+liga.ng, 1
+liga99.tk, 1
+ligacontrachetos.tk, 1
+ligadegamers.com, 1
+ligadelconsorcista.org, 1
+ligadosgames.com, 1
+ligare-fp.com, 1
+ligaro.nl, 1
+light.law, 1
+light.mail.ru, 1
+lightandvideo.com, 1
+lightbearer.tk, 1
+lightbluelearning.com, 1
+lightbox.co, 1
+lightcp.com, 1
+lightcraftmc.tk, 1
+lightdark.xyz, 1
+lightfestivalghent.be, 1
+lightfestivalghent.com, 1
+lightfoot.co.uk, 1
+lighthouse-rbg.de, 1
+lighthouseglobal.com, 1
+lighthouseguild.org, 1
+lighthouseinstruments.com, 1
+lighthousepointfl.gov, 1
+lightingagoura.com, 1
+lightingagourahills.com, 1
+lightingcalabasas.com, 1
+lightingconejovalley.com, 1
+lightingdosvientos.com, 1
+lightinghiddenhills.com, 1
+lightinglakesherwood.com, 1
+lightingmalibu.com, 1
+lightingmoorpark.com, 1
+lightingnewburypark.com, 1
+lightingoakpark.com, 1
+lightingpacificpalisades.com, 1
+lightingsimivalley.com, 1
+lightingthousandoaks.com, 1
+lightingwestlakevillage.com, 1
+lightme.us, 1
+lightmere.com, 1
+lightning.com, 1
+lightning.community, 1
+lightning.engineering, 1
+lightningcollectors.com, 1
+lightningpatrolers.ga, 1
+lightningpatrolest.ga, 1
+lightningprotocol.finance, 0
+lightnings.tk, 1
+lightningseed.net, 1
+lightningwirelabs.com, 1
+lightoflifehomoeopathyclinic.com, 1
+lightography.com, 1
+lightonelectrical.com.au, 1
+lightpod.com.au, 1
+lightquantum.moe, 1
+lightrun.com, 1
+lights0123.com, 1
+lightsfromspace.com, 0
+lightsheep.no, 0
+lightsouts.com, 1
+lightsoverlapland.com, 1
+lightsproject.com, 1
+lightstands.xyz, 1
+lighttp.com, 0
+lightupcollective.co.uk, 1
+lightupkapiti.nz, 1
+lightweighthr.com, 1
+lightwitch.org, 0
+lightworks.tk, 1
+lightyear.no, 1
+ligiptv.tk, 1
+ligmadrive.com, 1
+ligneclaire.tk, 1
+lignemalin.com, 1
+lignite.com, 1
+lignoma.com, 1
+ligonier.com, 1
+ligustinus.tk, 1
+lihi-home.co.il, 1
+lihj.eu.org, 1
+lihj.me, 1
+lihuenjardin.com, 1
+liikluslab.ee, 1
+liisauusitaloarola.fi, 1
+liivimeretuulepark.ee, 1
+lijana.rs, 1
+lijero.co, 1
+liji.ru, 1
+lijie.org, 1
+lijstbob.nl, 1
+lijstje.be, 1
+lijstje.nl, 1
+likans.tk, 1
+like-boss.ga, 1
+like-rabota.tk, 1
+likeablehub.com, 1
+likeageek.tk, 1
+likeany.com, 1
+likebee.gr, 1
+likebot.ml, 1
+likecrabwalkslowly.ml, 1
+likedobrasil.com, 1
+likefast.tk, 1
+likefluence.com, 1
+likegeeks.com, 1
+likehifi.de, 1
+likemovies.de, 1
+likenewhearing.com.au, 1
+likenosis.com, 1
+likere.com, 1
+likesec.net, 1
+likesec.se, 1
+likesforinsta.com, 1
+likesolidaria.com.co, 1
+likestudio.com.ua, 1
+likewatercs.com, 1
+likhner.com, 0
+likme.tv, 1
+likui.me, 1
+lilai107.com, 1
+lilai116.com, 0
+lilai18.ph, 1
+lilai2211.com, 1
+lilai3366.com, 1
+lilai5566.com, 0
+lilai634.com, 1
+lilai6616.com, 1
+lilai6677.com, 1
+lilai6688.com, 0
+lilai777.com, 1
+lilai838.com, 1
+lilai8866.com, 0
+lilai9966.com, 1
+lilaplus.com.tr, 1
+lilawadee.tk, 1
+lile.cl, 1
+lilianejuchli.ch, 1
+liliang.moe, 1
+lilicloth.com, 1
+lilidarcek.sk, 0
+lilie.fr, 1
+lilievabien.fr, 1
+lilighazaryan.tk, 1
+lilimusic.tk, 1
+lilisg.tk, 1
+lilith-magic-molds.com, 1
+lilith-magic.com, 1
+lilithfund.org, 1
+lilithqueisser.de, 1
+lilium.com, 1
+liliwarrior.com, 1
+liliweb.tk, 1
+lillalisa.tk, 1
+lillaparken.se, 1
+lille.ml, 1
+lillenordmann.no, 1
+lillieprivat.org, 1
+lilly-lil.net, 1
+lilly-lil.org, 1
+lillylove.net, 1
+lillywhitehotelgroup.com.au, 1
+lilola.de, 1
+lilou-sportswear.com, 1
+lilousportswear.com, 1
+lilpwny.com, 1
+lilstarry.com, 1
+liltv.media, 1
+lily-bearing.com, 0
+lily-inn.com, 1
+lily-luv.com, 1
+lily.flowers, 1
+lilyallenlife.ga, 1
+lilylasvegas.com, 1
+lilypad.gg, 1
+lilypadwikisecret.tk, 1
+lilysbouncycastles.com, 1
+lilyvet.com, 1
+lim-light.com, 1
+lim.gr, 1
+limanhaber.net, 1
+limaohio.gov, 1
+limap.ch, 1
+limatownshipmi.gov, 1
+limawi.io, 1
+limbaido.tk, 1
+limberg.me, 1
+limbo-online.tk, 1
+limbra.tk, 1
+limburg.nl, 1
+limc.me, 1
+lime-host.cf, 1
+lime-host.tk, 1
+limechain.tech, 1
+limecho.net, 1
+limehost.com, 1
+limehotel.tk, 1
+limelightnashville.cf, 1
+limelightnashville.ga, 1
+limelightnashville.gq, 1
+limenaria-beach.tk, 1
+limenotlemon.com, 1
+limepot.xyz, 1
+limescapes.com.au, 1
+limesparrow.cf, 1
+limestart.cn, 1
+limestonecleaningchicago.com, 1
+limestonemechanical.ca, 1
+limetee.cz, 1
+limetorrent.gq, 1
+limetw.eu.org, 1
+limewtea.com, 0
+limingtonmaine.gov, 1
+limitbreak.com, 1
+limitdropers.ga, 1
+limitdropest.ga, 1
+limitededitioncomputers.com, 1
+limitededitionsolutions.com, 1
+limitlex.com, 1
+limitshareers.ga, 1
+limitshareest.ga, 1
+limiturls.ga, 1
+limnt.cn, 1
+limo.pl, 0
+limo.sh, 1
+limoairporttoronto.net, 1
+limoforsale.com, 1
+limoshka.ru, 1
+limousine.milano.it, 1
+limousineservicezurich.com, 0
+limouzines.cf, 1
+limouzy-combi.com, 1
+limpiadordeporos.online, 1
+limpid.nl, 1
+limsia.co, 1
+limsia.com, 1
+limstash.com, 1
+limules.ch, 0
+limx.win, 1
+lin.fi, 1
+linafernandez.com.co, 1
+linaklein.de, 1
+linalove.net, 1
+linalynn.com, 1
+linan.info, 1
+linan.site, 1
+linaproclinic.com, 1
+linawinter.com, 1
+linawinter.net, 1
+lincasonline.tk, 1
+lincdavis.com, 1
+lince-bonares.tk, 1
+lincolnadamscountywi.gov, 1
+lincolnbrokerage.com, 1
+lincolncountyga.gov, 1
+lincolncountyid.gov, 1
+lincolncountymoclerk.gov, 1
+lincolncountync.gov, 1
+lincolncountyne.gov, 1
+lincolncountysd.gov, 1
+lincolncountysheriffok.gov, 1
+lincolncountytn.gov, 1
+lincolncountywy.gov, 1
+lincolnil.gov, 1
+lincolnimps.tk, 1
+lincolnmoneyman.com, 1
+lincolnparkpressurewashing.com, 1
+lincolnri.gov, 1
+lincolnshirefdil.gov, 1
+lincolnstreetband.tk, 1
+lincolntownshipnewaygocountymi.gov, 1
+lincolnzoo.org, 1
+lincore.ru, 1
+lind-bohanon.org, 1
+lindajahn.de, 1
+lindakloenreizen.nl, 1
+lindalap.fi, 1
+lindalush.net, 1
+lindamadu.com.br, 1
+lindanblog.com, 1
+lindaolsson.com, 1
+lindazi.com, 1
+lindbladcruises.com, 1
+lindeal.com, 0
+lindemontessori.cz, 1
+linden-nj.gov, 1
+linden.me, 0
+linden.tk, 1
+lindenfd-nj.gov, 1
+lindenlibrary-nj.gov, 1
+lindentx.gov, 1
+lindependant.fr, 1
+lindependant.ml, 1
+lindernational.com, 1
+lindeskar.se, 1
+lindgrenracing.tk, 1
+lindipendente.online, 1
+lindler.rocks, 1
+lindner-architektur.ruhr, 1
+lindner-edv.at, 1
+lindnerhof-taktik.de, 1
+lindnerhof.info, 1
+lindnerova.cz, 1
+lindo.ru, 1
+lindogdahl.dk, 1
+lindon.gov, 1
+lindon.pw, 1
+lindoors.tk, 1
+lindows.tk, 1
+lindquistnet.us, 1
+lindsay-lohan.tk, 1
+lindsaygorski.com, 1
+lindsborgks.gov, 1
+lindseyadelman.com, 1
+lindseyfansite.tk, 1
+lindskogen.se, 1
+lindung.pp.ua, 1
+line.biz, 1
+line.co.nz, 0
+line.me.uk, 1
+linea-nova.be, 1
+lineacreative.com, 1
+lineaesse5.it, 1
+lineageos.org, 1
+lineamortal.tk, 1
+linebet.com, 1
+linebet02489q.com, 1
+linebet17654d.com, 1
+linebooks.cf, 1
+linedance.tk, 1
+lineinchina-enterprise.tw, 1
+linejuby.dk, 1
+lineman.edu, 1
+lineru.com, 1
+lineshop.ml, 1
+linestep.jp, 1
+lineto.com, 1
+linext.cn, 0
+linfadenopatia.com, 1
+linfamilygc.com, 1
+linge-ma.ro, 1
+lingerie.com.br, 1
+lingeriecollect.ga, 1
+lingeriesilhouette.com, 1
+lingolia.com, 0
+lingros-test.tk, 1
+lingshan.tk, 1
+lingua-arabica.org, 1
+lingua.tk, 1
+lingualeo.com, 1
+linguamilla.com, 1
+linguarama.com, 1
+linguaromanica.tk, 1
+linguatrip.com, 1
+linguword.com, 1
+lingvist.com, 1
+linhaoyi.com, 0
+linherest.tk, 1
+linhim.de, 1
+linhua.org, 1
+linjerry.tk, 1
+link-group.tk, 1
+link-knighki.cf, 1
+link-list.tk, 1
+link-live.com, 1
+link-man.net, 1
+link-medital.com, 1
+link-net.ga, 1
+link-sanitizer.com, 1
+link.co.uk, 1
+link.com, 1
+link24.tk, 1
+link26.tk, 1
+link2link.tk, 1
+link2serve.com, 1
+link2u.tk, 1
+link9.net, 1
+linkagencia.co, 1
+linkare.be, 1
+linkare.com, 1
+linkare.eu, 1
+linkare.pt, 1
+linkat4.cz, 1
+linkatak.ga, 1
+linkbong.tk, 1
+linkbooks.ga, 1
+linkcat.tk, 1
+linkdesign.tk, 1
+linkdolar.tk, 1
+linkdr.uk, 1
+linke-kommunalpolitik.de, 1
+linked.fm, 1
+linkedpipes.com, 1
+linkenheil.org, 1
+linker-wenzel.com, 1
+linkersconnect.com, 1
+linkgiamgia.com, 1
+linkie.vn, 1
+linkinbooks.gq, 1
+linkindex.net, 1
+linking.ml, 1
+linkinpark4ever.tk, 1
+linkinparkoutpost.tk, 1
+linkla.ma, 1
+linklocker.co, 1
+linkmauve.fr, 1
+linkmycyber.training, 1
+linknaarlinux.tk, 1
+linknavigator.tk, 1
+linko-pomoika.tk, 1
+linkonaut.net, 1
+linkopia.com, 1
+linkportal.tk, 1
+linkposts.tk, 1
+linkrehberi.tk, 1
+linkriver.io, 1
+linkroll.cf, 1
+links22.com, 1
+linksafe.ga, 1
+linksanitizer.com, 1
+linksbridge.com, 1
+linkscloud.org, 1
+linksecure.nl, 1
+linksextremist.at, 1
+linksite.tk, 1
+linksmatrix.tk, 1
+linkspace.tk, 1
+linksphotograph.com, 1
+linkst.co, 0
+linkstagr.am, 1
+linkthis.me, 1
+linkthis.ml, 1
+linkthisstatus.ml, 1
+linkto.cf, 1
+linku.com, 1
+linkurio.us, 1
+linkurious.com, 1
+linkuva.tk, 1
+linkview.tk, 1
+linkware.it, 1
+linkwater.org, 1
+linkwheel.tk, 1
+linky.tk, 1
+linkycat.com, 1
+linmania.tk, 1
+linmarrdavao.com, 1
+linnaclinic.com, 1
+linnaeusgroup.co.uk, 1
+linncfs.top, 1
+linncosomo.gov, 1
+linncounty-ia.gov, 1
+linncountyelections-ia.gov, 1
+linncountyiowa.gov, 1
+linncountyor.gov, 1
+linngde.com, 1
+lino.cooking, 1
+linocolombo.tk, 1
+linocomm.com, 1
+linocomm.net, 1
+linocomm.nl, 1
+linomass.com, 1
+linomass.nl, 1
+linonin.tk, 1
+linoplan.be, 1
+linoplan.com, 1
+linoplan.dk, 1
+linoplan.eu, 1
+linoplan.fr, 1
+linoplan.info, 1
+linoplan.net, 1
+linoplan.nl, 1
+linoscan.com, 1
+linoscan.nl, 1
+linoskin.com, 1
+linoskin.nl, 1
+linostor.com, 1
+linostor.nl, 1
+linoszpadel.tk, 1
+linotrac.com, 1
+linotrac.nl, 1
+linotype.tk, 1
+linpx.com, 0
+linqhost.nl, 1
+linserto.it, 1
+linshiyouxiang.com, 1
+linss.com, 1
+lintmx.com, 1
+linu.gq, 1
+linuq.org, 1
+linusdrop.tips, 1
+linuslagerhjelm.se, 1
+linusruckstuhl.ch, 1
+linux-admin-california.com, 1
+linux-admin.tk, 1
+linux-audit.com, 1
+linux-florida.com, 1
+linux-help.org, 1
+linux-mint-czech.cz, 1
+linux-pc.ml, 1
+linux-share.tk, 1
+linux-taganrog.tk, 1
+linux-techie.com, 1
+linux-tips.us, 1
+linux-vme.org, 1
+linux.cn, 0
+linux.conf.au, 1
+linux.fi, 1
+linux.im, 1
+linux.pizza, 1
+linux3.org, 1
+linux4.de, 1
+linux4all.tk, 1
+linuxarequipa.tk, 1
+linuxbabe.com, 1
+linuxbg.eu, 1
+linuxbierwanderung.com, 0
+linuxbloc.tk, 1
+linuxbsd.tk, 1
+linuxcbt.com, 1
+linuxcommand.ru, 1
+linuxdashboard.com, 1
+linuxdays.cz, 1
+linuxdoc.org, 1
+linuxforu.tk, 1
+linuxforum.ch, 1
+linuxforwindows.com, 1
+linuxgiggle.com, 1
+linuxguru.tk, 1
+linuxhandbook.com, 1
+linuxhostingdelhi.com, 1
+linuxhostingindia.in, 1
+linuxhostsupport.com, 1
+linuxiac.com, 1
+linuxil.org, 1
+linuxincluded.com, 1
+linuxiuvat.de, 1
+linuxkompis.se, 1
+linuxlatbot.tk, 1
+linuxlounge.net, 1
+linuxmalta.tk, 1
+linuxnews.de, 1
+linuxonline.tk, 1
+linuxproject.net, 1
+linuxsecurity.expert, 1
+linuxtage.at, 1
+linuxwerkstatt.net, 1
+linuz.it, 1
+linvosges.com, 1
+linx.net, 1
+linxmind.eu, 1
+linxtter.com, 1
+linyunbin.com, 1
+linz.eu.org, 1
+linz.host, 1
+linzeliang.com, 1
+linzyjx.com, 1
+liodex.com, 1
+lion-king.ru, 1
+lion3star.store, 1
+lionchita.tk, 1
+lionessport.com, 0
+lionhosting.nl, 1
+lionkitchenremodel.com, 1
+lionland.tk, 1
+lionpa.ws, 1
+lions.gr.jp, 1
+lionsk.tk, 1
+lioraaja.com, 1
+liorggi.ga, 1
+lip.pt, 1
+lipacom.ga, 1
+lipartydepot.com, 1
+lipator.cf, 1
+lipeck.ga, 1
+lipeck.tk, 1
+lipetsk-centralniy.cf, 1
+lipetsk48.tk, 1
+lipex.com, 1
+lipighor.com, 1
+lipighor.xyz, 1
+lipnihezron.tk, 1
+lipo.lol, 1
+lipoabaltimore.org, 1
+lipovka.tk, 1
+lipowebsite.tk, 1
+lippu1.fi, 1
+lips.ne.jp, 1
+liptor.gq, 1
+lipturess.tk, 1
+liq.com.br, 1
+liqd.net, 1
+liqiang.com, 1
+liqiuyu.com, 1
+liqueur.wiki, 1
+liquid.cz, 1
+liquid.network, 1
+liquid.place, 1
+liquidation.tk, 1
+liquidbounce.tk, 1
+liquidcorp.fr, 1
+liquidflash.ml, 1
+liquidhost.co, 1
+liquidinternet.co, 1
+liquidradio.pro, 1
+liquidwarp.net, 1
+liquidweb.tk, 1
+liquipedia.net, 1
+liquiritia.tk, 1
+liquorice.co.za, 1
+lirc572.com, 1
+lirelesgens.com, 1
+liress.gq, 1
+liri.ie, 1
+lirico.ca, 1
+lirion.de, 1
+lirlandais.ch, 0
+lirnberger.com, 1
+lirui.nl.eu.org, 1
+lirui.org, 1
+lirui.tech, 1
+lis-na-plasty.cz, 1
+lis.koeln, 1
+lisa-mainz.tk, 1
+lisa.xyz, 1
+lisabel.ca, 1
+lisadelbo.tk, 1
+lisahh-jayne.com, 0
+lisahutson.co.uk, 1
+lisaloves.tk, 1
+lisamaffia.tk, 1
+lisanotes.com, 1
+lisanshizmetleri.com, 1
+lisapinder.com, 1
+lisapo.info, 1
+lisas.ml, 1
+lisasack.net, 1
+lisasc.gq, 1
+lisasworkshop.co.uk, 1
+lisavrobinson.tk, 1
+lisaweilandt.com, 1
+lisbon-pre-1755-earthquake.org, 1
+lisbonwi.gov, 1
+lisburnhottubnbounce.co.uk, 1
+lishayut-prav.cf, 1
+lishayut-prav.ga, 1
+lishayut-prav.gq, 1
+lishayut-prav.ml, 1
+lishayut-prav.tk, 1
+lishup.com, 1
+lisiano.eu, 1
+lisieuxarquitetura.com.br, 1
+lisinphotography.com, 1
+lisius.ga, 1
+liskgdt.net, 1
+lislan.org.uk, 1
+lisnail.gr, 1
+lisowski-development.com, 0
+lisowski-photography.com, 1
+lissabon.tk, 1
+lissabonsite.tk, 1
+lissajouss.tk, 1
+lissauer.com, 1
+lisslonglegs.com, 1
+lissongallery.com, 1
+list-gymnasium.de, 1
+list1.tk, 1
+listach.tk, 1
+listahu.org, 1
+listapp.uz, 1
+liste.net.tr, 1
+listekdo.fr, 1
+listen.dk, 1
+listener.ga, 1
+listening-skills.eu, 1
+listenkj.com, 1
+listenup.study, 1
+lister-kirchweg.de, 1
+listerplace.co.uk, 1
+listerventures.com, 0
+listiclepal.com, 1
+listim.com, 0
+listinfinity.net, 1
+listing.gq, 1
+listisima.com, 1
+listkeeper.io, 0
+listminut.be, 1
+listoffreeware.com, 1
+listratenkov.com, 1
+lists.fedoraproject.org, 1
+lists.mayfirst.org, 0
+lists.stg.fedoraproject.org, 1
+listsothebysrealtyhk.com, 1
+lit-verlag.de, 1
+litaphoenix.net, 1
+litarvan.com, 1
+litcc.com, 1
+litchfieldpark.gov, 1
+litchidova.nl, 1
+litcomphonors.com, 1
+lite-1x0801165.top, 1
+lite-1x132537.top, 1
+lite-1x378220.top, 1
+lite-1x389463.top, 1
+lite-1x4720786.top, 1
+lite-1x562968.top, 1
+lite-1x563355.top, 1
+lite-1x5942934.top, 1
+lite-1x605138.top, 1
+lite-1x6274108.top, 1
+lite-1x682393.top, 1
+lite-1x7814040.top, 1
+lite-1x8343697.top, 1
+lite-1x9264112.top, 1
+lite-1x9866970.top, 0
+lite-chat.tk, 1
+liteanalytics.com, 1
+litebit.de, 1
+litebit.eu, 1
+litebit.nl, 1
+litebitcdn.eu, 1
+litebits.com, 1
+litebooks.gq, 1
+litecache.de, 1
+litecloud.ml, 1
+litecoinnews.club, 1
+litehost24.tk, 1
+litemere.org, 1
+litemere.us, 0
+litemind.com, 0
+liteminer.cf, 1
+litepay.ch, 1
+literacychannel.ga, 1
+literapedia-bern.ch, 1
+literaria.tk, 1
+literatura-portal.cf, 1
+literaturaacessivel.com.br, 1
+literature-schools.com, 1
+literaturka.ga, 1
+literaturkreis-online.at, 1
+literaturkreis-online.ch, 1
+literaturkreis-online.de, 1
+literaturkreis.online, 1
+literaturpreis.online, 1
+literaturtage-recklinghausen.de, 1
+literie06.com, 1
+literoticavod.com, 1
+litespeed-webserver.de, 1
+litespeedanalytics.com, 1
+litespeedwebserver.de, 1
+litfest.ru, 1
+litfin.name, 1
+litfl.com, 1
+lithesalar.se, 1
+lithianissaneugeneparts.com, 1
+lithiumhosting.com, 0
+litiab.tk, 1
+litigatech.com, 1
+litkicks.com, 1
+litnis.com, 1
+litolin.tk, 1
+litorallimpo.com.br, 1
+litportal.gq, 1
+litteraturkanonen.se, 1
+litterfreeriversandstreams.eu, 1
+little-brother.eu, 1
+little-cake.com, 1
+little-luk.com, 1
+little-news.gq, 1
+little-shield.com, 1
+little.recipes, 1
+littlebar.tk, 1
+littlebestfriend.de, 1
+littlebig.co, 1
+littlebirds.cf, 1
+littlebites.co.nz, 1
+littleblackfish.se, 1
+littlebootshonduras.tk, 1
+littleboutiqueshop.co.uk, 1
+littleboutiqueshop.com, 1
+littleboutiqueshop.uk, 1
+littlecreatures.com.au, 1
+littlecreekhosting.com, 1
+littledev.nl, 0
+littleduck.eu.org, 1
+littleduck.xyz, 1
+littlefairy.no, 1
+littlefamilyadventure.com, 1
+littlefingersindia.com, 1
+littlefiredragon.tk, 1
+littlefool.de, 1
+littleforkmn.gov, 1
+littlegiants.edu.au, 1
+littlegianttraveler.com, 1
+littlegleemonster.com, 1
+littlehacker.tk, 1
+littlehide.gq, 1
+littlehoop.edu, 1
+littleireland.co.uk, 1
+littlelucifercafe.tk, 1
+littlemaple.tk, 1
+littlemaster.tk, 1
+littlenicky.org, 1
+littlenina.nz, 0
+littleorangecookbook.com, 1
+littleorchardpreschool.us, 1
+littlepigcreek.com.au, 1
+littlepincha.fr, 0
+littleqiu.net, 1
+littlericket.me, 1
+littleriverfreerange.ga, 1
+littlerose.ml, 1
+littlerphotographie.fr, 1
+littles.moe, 1
+littlescallywagsplay.co.uk, 1
+littleservice.cn, 1
+littlesk.in, 1
+littleskin.cn, 1
+littleson.com.br, 0
+littlesouls.ml, 1
+littlewatcher.com, 1
+littleyokohamakennel.tk, 1
+liturgical.net, 1
+liturkey.tk, 1
+litvideoserver.de, 1
+litz.ca, 1
+litzenberger.ca, 1
+liubliu.co.uk, 1
+liud.im, 1
+liudon.com, 1
+liuhecai.com, 1
+liujr.tk, 1
+liujunyang.com, 0
+liukang.com, 1
+liukang.tech, 1
+liul.in, 1
+liuliuya.com.tw, 1
+liulo.cf, 1
+liups.one, 1
+liuq.org, 1
+liuqiao.best, 1
+liuqiao.cf, 1
+liuqiao.eu.org, 1
+liuqiao.ga, 1
+liuqiao.gq, 1
+liuqiao.ml, 1
+liuqiao.pp.ua, 1
+liuqiao.tk, 1
+liuqiaolovecaonali.ml, 1
+liushuyu.tk, 1
+livadm.ml, 1
+livdesign.com.tw, 1
+live-home-cams.com, 1
+live-knigi.cf, 1
+live-news.gq, 1
+live-tv-channels.org, 1
+live-z-rejstejna.cz, 1
+live.ac.cn, 1
+live2play.ml, 1
+live2travelmore.us, 1
+live4k.media, 1
+live8811.com, 1
+live8899.cn, 1
+live8899.co, 1
+live8899.net, 1
+live9922.com, 1
+liveachievers.tk, 1
+liveandalucia.es, 1
+liveanimations.org, 1
+livebandphotos.com, 1
+livebarmenu.com, 1
+livebeachcam.net, 1
+livebestbooks.gq, 1
+livebookmark.ml, 1
+livebox-mag.fr, 1
+livebythesun.de, 1
+livecards.co.uk, 1
+livecards.es, 1
+livecards.it, 1
+livecast.com.tr, 1
+livecchi.cloud, 1
+livechads.com, 1
+livechads.org, 1
+liveciv.top, 1
+livecommande.fr, 1
+liveconcertvideo.tk, 1
+livedesign.at, 1
+livedomain.at, 1
+livedrawtogel.id, 1
+liveeventartist.ca, 1
+liveeventpainter.ca, 1
+liveevents.ee, 1
+liveflooring.com, 1
+livefoot.fr, 1
+liveforspeed.se, 1
+livefortheviews.com, 1
+liveinmelbourne.vic.gov.au, 1
+liveint.org, 1
+liveit.pt, 1
+liveita.com, 1
+liveitmerck.ca, 1
+livejasmin-online.com, 1
+livejasmin.dk, 1
+livejh.tk, 1
+livekaarten.be, 1
+livekaarten.nl, 1
+livekey.tk, 1
+livekooora.online, 1
+livekort.com, 1
+livekort.dk, 1
+livekort.no, 1
+livekort.se, 1
+livekortti.fi, 1
+livela.jp, 1
+livelexi.com, 1
+livelifewithintent.com, 1
+livelink.tk, 1
+livelondon.fr, 1
+livelong.tk, 1
+livelonglife.tk, 1
+livelovelaughlg.com, 1
+liveman.dk, 1
+livemomentum.ml, 1
+livemosspointe.com, 1
+livenewsrussia.tk, 1
+liveomadic.com, 1
+liveoutdoor.ga, 1
+livepainter.ca, 1
+livepaperhelp.com, 1
+liveperformersmeeting.net, 1
+livepix.gg, 1
+liveplaygo.com, 1
+livepodcast.ru, 1
+livepornguide.com, 1
+livequote.info, 1
+liveregistratie.nl, 1
+liverfoundation.org, 1
+liverider.co.jp, 1
+liverkids.tk, 1
+livermoreca.gov, 1
+livermorefireco.gov, 1
+livero.pl, 1
+liverobot8.com, 1
+liverobot888.com, 1
+liverpoolmoneyman.com, 1
+liversurgery.com, 1
+livescore-fixedmatches.com, 1
+livesexcalls.co.uk, 1
+liveskype.com, 1
+livesportts.ml, 1
+livestone.tk, 1
+livestrana.tk, 1
+livestreamtvbox.com, 1
+livesure.com, 1
+liveteachers.in, 1
+livetilesglobal.com, 1
+livetopknigi.gq, 1
+livetoride.co.za, 1
+liveutifree.com, 1
+livevacancies.co.uk, 1
+livewebtutor.com, 1
+liveweddingartist.ca, 1
+liveweddingpainter.ca, 1
+livewirecommunications.co.uk, 1
+livezrejstejna.cz, 1
+livfcshop.com, 1
+livi.co, 1
+livi.co.uk, 1
+livi.fr, 1
+living-legends.tk, 1
+living-space.co.nz, 1
+living-with-outlook-2010.com, 1
+living.video, 1
+living2000.com, 1
+livingafrugallife.com, 1
+livingbitsandthings.com, 1
+livingconfidently.com, 1
+livingdex.ca, 1
+livingdocs.io, 1
+livinghebrew.tk, 1
+livinginhimalone.com, 1
+livingislands.org, 1
+livingislands.tv, 1
+livinglab.be, 1
+livinglifesecurely.com, 1
+livinglink.be, 1
+livinglocalapp.com, 1
+livingoutdoors.ga, 1
+livingstonca.gov, 1
+livingtired.org, 1
+livingtohearsix.com, 1
+livingworduk.org, 1
+livinkitchen.tk, 1
+livive.com, 1
+livli.cz, 1
+livli.pl, 1
+livli.sk, 1
+livnev.me, 1
+livnev.xyz, 1
+livogeva.dk, 1
+livornonellarete.tk, 1
+livornotoday.it, 1
+livrariacoad.com.br, 1
+livrariaideak.com.br, 1
+livrariause.com, 1
+livres-et-stickers.com, 1
+livresetmanuscrits.com, 1
+livroseuniformes.com.br, 1
+livspace.com, 1
+livsta.ca, 1
+lixi.today, 1
+lixiaoyu.live, 1
+lixinnovations.com, 1
+lixis.com, 1
+lixtick.com, 1
+lixvapes.com, 1
+lixx.org, 1
+liyin.date, 1
+liying-sub.buzz, 1
+liyingcloud.org, 1
+liz-ate.com, 1
+liz-fry.com, 0
+liz.ee, 1
+liza.fashion, 1
+lizagalore.tk, 1
+lizaminnelli.tk, 1
+lizardsystems.com, 1
+lizardtech.top, 1
+lizcheney.com, 1
+lizeal.tk, 1
+lizheng.de, 1
+lizhi.io, 1
+lizhihezi.com, 1
+lizhuan.cn, 0
+lizlew.is, 1
+liznewton.com.au, 1
+liztattoo.se, 1
+lizteacher.com, 1
+lizufyr.eu, 1
+lizzandra.tk, 1
+lizzaran.io, 1
+lizzian.uk, 1
+lizzwood.com, 1
+lizzymcc.com, 1
+lizzysdoggrooming.com, 1
+lizzythepooch.com, 1
+lj-creation.com, 1
+ljason.cn, 1
+ljc.ro, 1
+ljekarne-plantak.hr, 1
+ljoonal.xyz, 1
+ljpc-hosting.nl, 1
+ljpc.nl, 1
+ljpc.solutions, 1
+ljs.io, 1
+ljskatt.com, 1
+ljskatt.no, 1
+ljsport.nl, 1
+ljubescica.hr, 1
+ljungabolet.se, 1
+ljusdal.se, 1
+ljw.me, 1
+lk-hardware.cz, 1
+lk1.bid, 1
+lkbk.uk, 1
+lkellar.org, 1
+lkff.nl, 1
+lkhrs.com, 1
+lklyrics.com, 1
+lkmt.us, 1
+lknw.de, 1
+lkp111138.me, 1
+lkqpickyourpart.com, 1
+lktvchannel.com, 1
+lkwmodellbau.at, 1
+ll.gr, 1
+ll5197.co, 1
+ll6729.co, 1
+ll6729.com, 0
+ll6957.co, 1
+ll9297.co, 1
+ll9728.co, 1
+llac.org, 1
+llanelli-radio-club.tk, 1
+llanowar.tk, 1
+llantasysuspensiones.shop, 1
+llanterascerca24.com.mx, 1
+llave.io, 1
+llccd.eu.org, 1
+llcgeek.com, 1
+llcig.com, 1
+llcigroup.com, 1
+lldigital.co.il, 1
+lleal.com, 1
+lleidanoticies.com, 1
+llemoz.com, 1
+llinck.fr, 1
+llinternational.tk, 1
+llm-guide.com, 1
+lloretparty.de, 1
+lloyd-day.me, 1
+lloydrogerspencer.com, 1
+llrpartners.com, 1
+llumar.com, 1
+llvm.us, 1
+llyncelyn.com, 1
+lm-architecture.com, 1
+lm-landscapes.co.uk, 1
+lm1628.com, 1
+lm228.cn, 1
+lm228.com, 1
+lm338.cn, 1
+lm338.com, 1
+lmasqueen.com, 1
+lmbyrne.co.uk, 1
+lmde.fr, 1
+lmh-style.com, 1
+lmi3d.com, 1
+lmintlcx.com, 1
+lmmks.com, 1
+lmmtfy.io, 1
+lmr.com, 1
+lmrcirurgiaplastica.pt, 1
+lmrcouncil.gov, 1
+lmsal.com, 1
+lmtls.me, 1
+lmtravis.com, 1
+lmvsci.gov, 1
+ln.io, 1
+lndb.me, 1
+lndrive.space, 1
+lnhydy.cn, 1
+lnk.bio, 1
+lnk.dk, 1
+lnoldan.com, 1
+lnovus.ru, 1
+lnsk.lt, 1
+lnsolucoesfinanceiras.com.br, 1
+lntpower.com, 0
+lnxy.eu, 1
+lnyltx.cn, 1
+lnzphoto.com, 1
+lo-zuromin.tk, 1
+lo.fail, 1
+loackerbusiness.it, 1
+load.pm, 0
+loader.to, 1
+loader.us.com, 1
+loadhourly.tk, 1
+loading.express, 1
+loading.se, 1
+loadlow.me, 1
+loadme.ml, 1
+loadninja.com, 1
+loadover.me, 1
+loadwallet.com, 1
+loafhead.me, 1
+loan-lenders.co.za, 1
+loanathome.com, 1
+loanfreeze.ga, 1
+loanpad.com, 1
+loanpost.com.au, 1
+loanreadycredit.com, 1
+loanscanada.ca, 1
+loansharkpro.com, 1
+loanstreet.nl, 1
+loantillpaydaydelaware.com, 1
+loavies.com, 1
+lob-assets-staging.com, 1
+lob-assets.com, 1
+lob-staging.com, 1
+lobao.eti.br, 1
+lobao.pro.br, 1
+lobbes.nl, 1
+lobbster.co, 1
+lobby.game, 1
+lobbylmb.nl, 1
+lobevert.com, 1
+lobiancocucina.com, 1
+lobin21.com, 1
+lobivia.de, 1
+lobmedya.com, 1
+lobocapoeira.tk, 1
+lobosdomain.ddns.net, 1
+lobosdomain.hopto.org, 1
+lobosdomain.no-ip.info, 1
+lobsangstudio.com, 1
+lobstr.co, 1
+loc-gauthier.fr, 1
+loca-voiture.fr, 1
+locabir.cf, 1
+locadoraequiloc.com.br, 1
+local-insight.com, 1
+local-shop.com, 1
+local360.net, 1
+localassocier.tk, 1
+localbandz.com, 1
+localbiketrader.com, 1
+localbitcoins.com, 1
+localblitz.com, 1
+localbouncycastle.com, 1
+localcdn.org, 1
+localcleann.uk, 1
+localcrew.nl, 1
+localcryptos.com, 1
+locald.at, 1
+localdating.ml, 1
+localdigitaldesign.com, 1
+localethereum.com, 1
+localexpert.realestate, 1
+localexpress.io, 1
+localhandyman.work, 1
+localhorst.duckdns.org, 0
+localisedseo.com, 1
+localize.live, 1
+localized.tk, 1
+localizejs.com, 1
+localizestaging.com, 1
+locall.cf, 1
+locallandscape.services, 1
+locallawfirms.com, 1
+locallhost.me, 1
+localmonero.co, 1
+localnetwork.nz, 1
+localnode.net, 1
+localops.co, 1
+localplumber-uk.com, 1
+localprideart.com, 1
+localprivatediary.com, 1
+localrvs.com, 1
+localsearch.homes, 1
+localseo.ltd, 1
+localseogurus.com, 1
+localseorepair.co, 1
+localseorepair.design, 1
+localseorepair.ltd, 1
+localseorepair.network, 1
+localseorepair.rocks, 1
+localseorepair.services, 1
+localseorepair.world, 1
+localserver.ca, 1
+localspot.pl, 1
+localstartupfest.id, 1
+localstudio.tk, 1
+localtownhouses.ga, 1
+locape.com.br, 1
+locapos.com, 1
+locas.me, 1
+locatecellphone.gq, 1
+locatemypain.com, 1
+location-appartement-dakar.com, 1
+location-fichier-email.com, 1
+location-vacances-campello.com, 1
+location-vacances-croatie.tk, 1
+location-vacances.biz, 1
+locationkaraokemontreal.com, 1
+locationkaraokeottawa.com, 1
+locationkaraokequebec.com, 1
+locationmarrakechvoiture.com, 1
+locations.tk, 1
+locationsiledyeu.fr, 1
+locationvoitureallemagne.com, 1
+locationvoitureangleterre.com, 1
+locationvoitureaustralie.com, 1
+locationvoitureautriche.com, 1
+locationvoiturebelgique.com, 1
+locationvoiturecorse.net, 1
+locationvoitureespagne.com, 1
+locationvoiturefinlande.com, 1
+locationvoitureislande.com, 1
+locationvoitureitalie.com, 1
+locationvoiturenorvege.com, 1
+locationvoiturepaysbas.com, 1
+locationvoitureportugal.com, 1
+locationvoituresuede.com, 1
+locatornet.ga, 1
+locatorplus.gov, 1
+locauxrama.fr, 1
+locchat.com, 1
+loceryl.cl, 1
+lochlans.com, 1
+lochloco.tk, 1
+lock-expert.de, 0
+lock.me, 1
+lock23.ca, 1
+lockaby.org, 1
+lockdownfm.live, 1
+lockemower.com, 1
+locker.plus, 1
+locker3.com, 1
+lockerroomstories.com, 1
+locketurf.com, 1
+lockings.uk, 1
+locklegal.com, 1
+lockless.tk, 1
+locklock.com.br, 1
+locklockbrasil.com.br, 1
+locknlock.com.br, 1
+locknlockbrasil.com.br, 1
+lockoutgroup.com, 1
+lockpick.nl, 1
+lockpicks.se, 1
+lockr.jp, 1
+locksmith-durbannorth.co.za, 1
+locksmithbalchsprings.com, 1
+locksmithdearborn.com, 1
+locksmithdriftwood.com, 1
+locksmithedenvale24-7.co.za, 1
+locksmithedmonds.com, 1
+locksmithforcarshoustontx.com, 1
+locksmithgarland-tx.com, 1
+locksmithglenvista.co.za, 1
+locksmithgrapevinetx.com, 1
+locksmithhillcrest.co.za, 1
+locksmithlakewaytx.com, 1
+locksmithlivoniami.com, 1
+locksmithmadisonheights.com, 1
+locksmithmesquitetexas.com, 1
+locksmithmidrand24-7.co.za, 1
+locksmithmissouricity.com, 1
+locksmithsammamishwa.com, 1
+locksmithsanantoniotexas.com, 1
+locksmithsbluff.com, 1
+locksmithsbuda.com, 1
+locksmithscottsdaleaz.com, 1
+locksmithservice-houston.com, 1
+locksmithsinsanantoniotx.com, 1
+locksmithspring.com, 1
+locksmithspringtx.com, 1
+locksmithssanmarcostx.com, 1
+locksmithstaffordtx.com, 1
+locksmiththewoodlands.com, 1
+locksoflove.org, 1
+locksport.org.nz, 1
+lockwoodchristmastreefarm.com, 1
+loco-concepts.nl, 1
+loco-socials.nl, 1
+loco.gg, 1
+locomotionds.com, 1
+locomotiv.tk, 1
+locomotive.ca, 1
+locomotiveworks.co.uk, 1
+locoroom.com, 1
+locoserver.net, 1
+locspec.com.au, 1
+locstars.com, 1
+locus-cell.com, 1
+locus-dashboard.com, 1
+locus.ml, 1
+locus.tk, 1
+locustvalleyvet.com, 1
+locutusvader.com, 1
+lodash.com, 0
+loddeke.eu, 1
+lode.li, 1
+lode.tk, 1
+lodela.ru, 1
+lodestarss.com, 1
+lodewijkict.nl, 1
+lodewillems.com, 1
+lodger.cf, 1
+lodki-pvh.com, 1
+lodni.site, 1
+lodongxu.com, 1
+lodosswar.tk, 1
+lodus.io, 1
+loekkoopmans.tk, 1
+loeklommers.nl, 1
+loekvormgeving.nl, 1
+loenshotel.de, 1
+loesje.nl, 1
+loew.de, 1
+lofirmo.com, 1
+loforo.com, 1
+loft.com.br, 1
+lofttravel.com, 1
+loftyideas.ml, 1
+loftymedia.ca, 1
+lofw.tk, 1
+log.moe, 1
+log.pw, 0
+log4shell.org, 1
+logactiond.org, 1
+logal.media, 1
+logalot.com, 1
+loganandmaria.com, 1
+logancapital.com, 1
+logancooper.jp, 1
+logancountyks.gov, 1
+logancountyky.gov, 1
+logancountyohio.gov, 1
+loganengineeroh.gov, 1
+loganhealthohio.gov, 1
+logankpaschke.com, 1
+loganmarchione.com, 1
+loganmarchione.rocks, 1
+loganparkneighborhood.org, 1
+loganscene.tk, 1
+logart.tk, 1
+logay.com.br, 1
+logbook.ch, 1
+logbot.info, 1
+logcat.info, 1
+logdoc.tk, 1
+loge.fr, 1
+logement.com, 1
+logement.tk, 1
+logevou-immobilier.tk, 1
+logexplorer.net, 1
+logfile.at, 1
+logfile.ch, 1
+logfinish.com, 1
+logfro.de, 1
+logheavenvt.com, 1
+logic8.ml, 1
+logical-invest.com, 1
+logicalgassolutions.co.uk, 1
+logicalperformance.com, 1
+logicchen.com, 1
+logicdream.tk, 1
+logicgate.com, 1
+logiciel-entreprise-seurann.fr, 1
+logicielscrm.fr, 1
+logicintel.com, 1
+logicio.ch, 0
+logicio.de, 0
+logicio.net, 0
+logicne-hise.si, 1
+logicnets.com, 1
+logico.ar, 1
+logicsale.com, 1
+logicsale.de, 1
+logicsale.fr, 1
+logicsale.it, 1
+logicz.top, 1
+logimap.cz, 1
+login.corp.google.com, 1
+login.gov, 1
+login.launchpad.net, 1
+login.ooo, 1
+login.raiffeisen.ch, 1
+login.sapo.pt, 1
+login.ubuntu.com, 1
+login.yahoo.com, 0
+logingate.hu, 1
+loginsecure.eu, 1
+loginvovchyk.ru, 1
+loginwithmc.com, 1
+logipdv.pt, 1
+logismarket.com, 1
+logismn.gov, 1
+logisparte.com, 1
+logitel.de, 1
+logitheque.tk, 1
+logitracgps.com, 1
+logitrack.tk, 1
+loglineargroup.com, 1
+logndetektor-test.no, 1
+lognetjobs.co.uk, 1
+logodestekhatti.net, 1
+logodevir.biz, 1
+logodevir.org, 1
+logoenvue.fr, 1
+logoesun.com, 1
+logofiyati.com, 1
+logoglo.com, 1
+logoku.com, 1
+logolabben.cf, 1
+logolando.tk, 1
+logomarket.jp, 1
+logon-int.com, 1
+logopaedie-millian.de, 1
+logopaedie-sandkrug.de, 1
+logopaediereinhard.de, 0
+logopedickyden.cz, 1
+logopedie-direct.nl, 1
+logopedietaalrijk.nl, 1
+logopedista.roma.it, 1
+logopedistalanni.it, 1
+logopoeia.com, 1
+logoprofi.tk, 1
+logosnet.com.br, 1
+logosradio.tk, 1
+logostock.jp, 1
+logowik.com, 1
+logram.io, 1
+lograr.me, 1
+logrhythm.com, 1
+logtalk.org, 1
+logtenberg.eu, 1
+logue.media, 1
+logue.tk, 1
+logwise.com, 1
+logydice.com, 1
+logze.nl, 1
+lohanaflores.com.br, 1
+loheprobado.com, 1
+lohkoketju.fi, 1
+lohmeyer.cc, 1
+lohnsteuerhilfe-essen.de, 1
+lohocla.org, 1
+lohr.me, 1
+loic-raymond.fr, 1
+loiit.ga, 1
+loire-en-bateau.fr, 1
+loirevalley.co, 1
+lois-bullion.com, 1
+lois.cf, 1
+loisircreatif.net, 0
+loja-meltech.com.br, 1
+lojaapi.com, 1
+lojaapoio.com.br, 1
+lojabeeways.com.br, 1
+lojadafloresta.pt, 1
+lojadamimo.com.br, 1
+lojadanidrea.com.br, 1
+lojadarenda.com.br, 1
+lojadelicatojatai.com.br, 1
+lojadesomautomotivo.com.br, 1
+lojadewhisky.com.br, 1
+lojadoarcomprimido.com.br, 1
+lojadoprazer.com.br, 1
+lojadosirmaos.com.br, 1
+lojadosomautomotivo.com.br, 1
+lojaestacaosaopedro.com.br, 1
+lojafilipaper.com.br, 1
+lojaflordelaranjeira.com.br, 1
+lojagravataria.com.br, 1
+lojahbk.com.br, 1
+lojahendel.com.br, 1
+lojahunamarcenaria.com.br, 1
+lojak2.com.br, 1
+lojal19.com.br, 1
+lojamagicalx.com, 1
+lojamultplick.com.br, 1
+lojaodo9.com.br, 1
+lojaprimemed.com.br, 1
+lojaprojetoagua.com.br, 1
+lojasoulstyle.com.br, 1
+lojasvictoria.com.br, 1
+lojasvirtuaisesites.com.br, 1
+lojatema.com.br, 1
+lojaterrazul.com.br, 1
+lojatudomi.com.br, 1
+lojausapel.com.br, 1
+lojavirtualdopsicopedagogo.com.br, 1
+lojavirtualinfopaper.com.br, 1
+lojavisamed.com.br, 1
+lojaxo.com.br, 1
+lojistaguarani.com.br, 1
+lojix.com, 0
+lojj.pt, 1
+lokace.eu, 1
+lokan.id, 1
+lokinet.org, 1
+lokjagruktafoundation.com, 1
+lokmon2.eu, 1
+lokomotivaplzen.cz, 1
+lokys.de, 1
+lola.by, 1
+lolacandy.com, 1
+lolalacita.net, 1
+lolalohse.com, 1
+lolas-vip.com, 1
+lolaseuropeancafe.com, 1
+lolbird.tk, 1
+lolcats.cat, 1
+lolchat.tk, 1
+lolcloud.ru, 1
+lolcorp.pl, 1
+lolcosplay.ga, 1
+lolcow.farm, 1
+loldudes.com, 1
+lolfinity.com, 1
+lolfunny.tk, 1
+loli.art, 1
+loli.cam, 1
+loli.com, 1
+loli.edu.kg, 1
+loli.gallery, 1
+loli.io, 1
+loli.net, 1
+loli.ovh, 1
+loli.pet, 1
+loli.win, 1
+loli.world, 1
+loliblogs.cf, 1
+loliblogs.ga, 1
+loliblogs.gq, 1
+loliblogs.ml, 1
+lolibrary.org, 1
+lolic.xyz, 1
+lolicon.eu, 1
+loliel.tk, 1
+lolifamilies.cf, 1
+lolifamilies.ga, 1
+lolifamilies.gq, 1
+lolifamilies.tk, 1
+lolifamily.cf, 1
+lolifamily.ga, 1
+lolifamily.gq, 1
+lolifamily.js.org, 1
+lolifamily.ml, 1
+lolifamily.tk, 1
+lolifox.cf, 1
+loliloli.moe, 1
+loliloli.net, 1
+loliloli.top, 1
+lolinfo.ga, 1
+lolinya.link, 1
+lolio.tw, 1
+loliotero.com, 1
+lolipops.ga, 1
+lolis.stream, 1
+lolitalechat.com, 1
+lolivpn.com, 1
+lolkot.ru, 1
+lolli8.com, 1
+lollipopo69.net, 1
+lollypop.tk, 1
+lollysmalls.com, 1
+lollyteam.tk, 1
+lolmania.tk, 1
+lolnet.tk, 1
+lolnews.cf, 1
+lolnews.ga, 1
+lolnews.tk, 1
+lolo17.com, 1
+lols.gg, 1
+lolware.net, 1
+lom.name, 0
+loma.ml, 1
+lomaster.tk, 1
+lomayko.ml, 1
+lombard.co.uk, 1
+lombard.ie, 1
+lombardiaeconomy.it, 1
+lomex.tk, 1
+lomgo.cf, 1
+lomgo.ga, 1
+lomgo.gq, 1
+lommeregneren.dk, 1
+lommers.org, 1
+lommyfleet.com, 1
+lomond.com.au, 1
+lomuarredi.com, 1
+lomza.tk, 1
+lon-so.com, 1
+lona.io, 1
+lonasdigital.com, 1
+lonavla.tk, 1
+loncarlyonjenkins.com, 1
+london-design.co.uk, 0
+london-electricians.com, 1
+london-mafia.tk, 1
+london-transfers.com, 1
+londoncarpetcleaningltd.co.uk, 1
+londonderrynh.gov, 1
+londonderrynhfire.gov, 1
+londonderrynhpd.gov, 1
+londonelects.org.uk, 1
+londongynaecologist.co, 1
+londonhealthcare.ga, 1
+londonhealthcare.tk, 1
+londonjob.tk, 1
+londonkan.jp, 1
+londonkeyholdingcompany.co.uk, 1
+londonmoneyman.com, 1
+londonnorthwesternrailway.co.uk, 1
+londonpropertymatch.com, 1
+londonschool.mx, 1
+londonseedcentre.co.uk, 1
+londonsoccer.tk, 1
+londontrivia.gq, 1
+londontwpmi.gov, 1
+londonvetspecialists.vet, 1
+londonwomensclinic.com, 1
+londrihost.com.br, 1
+londynelliot.com, 1
+lone-gunman.be, 1
+lone-wolf.tk, 1
+lonely.moe, 1
+lonelyhaoss.com, 1
+lonelyion.com, 1
+lonelypawn.com, 1
+lonelys.se, 1
+lonelytweets.com, 1
+lonelyworld.co.uk, 1
+lonelyworld.tk, 1
+loneronin.tk, 1
+lonerwolf.com, 0
+lonesomecosmonaut.com, 1
+lonestarpediatricdental.com, 1
+lonestarrott.com, 1
+lonewolftech.ga, 1
+long-8.com, 1
+long-9.com, 1
+long-journey.com, 1
+long008.com, 1
+long0310.com, 1
+long0311.com, 1
+long0317.com, 1
+long0318.com, 1
+long0355.com, 1
+long0377.com, 1
+long0398.com, 1
+long0536.com, 1
+long0538.com, 1
+long0539.com, 1
+long0555.com, 1
+long0556.com, 1
+long0728.com, 1
+long0776.com, 1
+long08.com, 1
+long0818.com, 1
+long0877.com, 1
+long0878.com, 1
+long0897.com, 1
+long0898.com, 1
+long0976.com, 1
+long0999.com, 1
+long100.vip, 1
+long113.com, 1
+long266.com, 1
+long68.net, 1
+long688.com, 0
+long8032.com, 1
+longbeachms.gov, 1
+longbeachroleplay.de, 1
+longboatlocal.com, 1
+longbridge.hk, 1
+longbsants.com, 1
+longchampgirls.tk, 1
+longcountyga.gov, 1
+longcovid.academy, 1
+longcovid.blog, 1
+longcovid.forum, 1
+longenyc.com, 1
+longest.tk, 1
+longevityfaq.com, 1
+longevitywi.com, 1
+longflexing.com, 1
+longfordlodge.tk, 1
+longhaircareforum.com, 1
+longhairworld.tk, 1
+longhorn-imports.com, 1
+longhorn.id.au, 1
+longiminus.tk, 1
+longislandbusiness.info, 1
+longislanddigestive.com, 1
+longislandsewerandwatermain.com, 1
+longlakeny.gov, 1
+longlanearchitects.co.uk, 1
+longlink.tk, 1
+longlivehongkong.com, 1
+longma.pw, 1
+longma168.cn, 1
+longma168.com, 1
+longmeadowma.gov, 1
+longmontnetworking.com, 1
+longmontwaterheaters.com, 1
+longoconsulting.us, 1
+longpaddock.qld.gov.au, 1
+longportpd.org, 1
+longstride.net, 1
+longtermcare.gov, 1
+longtermrentalsportugal.com, 1
+longviewnc.gov, 1
+longwoodwrestling.com, 1
+lonleymoon.tk, 1
+lonniec.com, 1
+lonniemason.net, 1
+lonokedistrictcourtar.gov, 1
+lonslai.com, 1
+lonza.ch, 1
+lonza.com, 1
+lonzagroup.net, 1
+loober.tk, 1
+look-books.tk, 1
+look-info.tk, 1
+look-like.tk, 1
+lookae.com, 0
+lookagain.co.uk, 1
+lookasik.eu, 1
+lookastic.com, 1
+lookastic.de, 1
+lookastic.es, 1
+lookastic.fr, 1
+lookastic.ru, 1
+lookathernow.com, 1
+lookatmysco.re, 1
+looker.wang, 0
+lookflyfares.com, 1
+lookie.ml, 1
+lookitdesign.com, 1
+lookscanned.io, 1
+lookshops.cn, 1
+lookshops.com, 1
+looksmax.org, 1
+lookup-dns.net, 1
+loomi.tv, 1
+loomis.center, 1
+loonbedrijfdenboer.nl, 1
+loonbedrijfwierda.nl, 1
+looneymooney.com, 1
+loonindex.be, 1
+loonylatke.com, 1
+loop.co.id, 1
+loopback.kr, 1
+loopcore.de, 1
+loopgolf.co, 0
+loophq.com, 1
+loopingtag.eu, 1
+loopingz.com, 1
+loopkey.com.br, 1
+loopool.tk, 1
+looseleafsecurity.com, 1
+lootdog.io, 1
+loothole.com, 1
+loots.eu, 1
+lootslot.com, 1
+lootstudios.com, 1
+loottitan.com, 1
+looxent.com, 1
+lopendvuurtje.tk, 1
+lopes.at, 1
+lophtalmo.cc, 1
+lopia.jp, 1
+loplovers.tk, 1
+loposchokk.com, 1
+lopp.net, 1
+loqu8.com, 1
+loquo.com, 1
+loqyu.co, 1
+lor.kharkov.ua, 1
+loraincountyohio.gov, 1
+loraincountyrecorder.gov, 1
+lorasong.com, 1
+loratadine10mg.gq, 1
+lorbooks.tk, 1
+lorcalive.co.uk, 0
+lorcamadrid.tk, 1
+lorcanaplayer.com, 1
+lord-design.tk, 1
+lord-of-forex.tk, 1
+lord-voldemort.tk, 1
+lordar.tk, 1
+lordbyron.tk, 1
+lordcaos.tk, 1
+lorddominion.tk, 1
+lordfutbol.tk, 1
+lordgandalf.nl, 1
+lordgrant.tk, 1
+lordkrishna.tk, 1
+lordlink.net, 1
+lordmusic.tk, 1
+lordofcbd.fr, 1
+lordofthecraft.tk, 1
+lordschimney.com, 1
+lordsesshoumaru.tk, 1
+lordshaokahn.tk, 1
+lordskate.tk, 1
+lordusa.com, 1
+lore.azurewebsites.net, 1
+loreedeslandes.com, 1
+loremipsum.info, 1
+lorena-salido.tk, 1
+lorenadumitrascu.ro, 1
+lorengraff.net, 1
+lorenstudioo.com, 1
+lorenz-hundler.co, 1
+lorenzgoossens.be, 1
+lorenzocampagna.myqnapcloud.com, 1
+lorenzodallaga.com, 1
+lorenzodeangelis.tk, 1
+lorenzoprinci.com, 1
+loreofthenorth.com, 1
+loreofthenorth.net, 1
+loreofthenorth.nl, 1
+loricozengeller.com, 1
+lorimar.bg, 1
+lorimullins.com, 1
+lorine.tk, 1
+lorisfnotary.com, 1
+loritaboegl.de, 1
+lorn.tk, 1
+lornabenes.com, 1
+lornategeorge.tk, 1
+lornosa.com, 1
+lorqui.tk, 1
+lorucreative.fi, 1
+los-diablos.tk, 1
+los11mandamientos.tk, 1
+losangelescarpetcleaning.com, 1
+losangelesduiattorney.com, 1
+losangelesprivatejets.com, 1
+losangelestown.com, 1
+losartesanos.cl, 1
+losaucas.tk, 1
+losbandidosdelahoya.tk, 1
+losblancosalbania.cf, 1
+losbunkerschile.tk, 1
+loscamaradasmc.net, 1
+loschilums.tk, 1
+loschuchos.tk, 1
+losconsoladores.com, 1
+losdelapobla.tk, 1
+losdelcyber.tk, 1
+losdelsotano.tk, 1
+losderover.be, 1
+losdeshollinadores.es, 1
+losdingos.tk, 1
+losdisidentes.tk, 1
+losdrogatones.tk, 1
+lose-weight-now.ml, 1
+losedata.tk, 1
+losemperadores.tk, 1
+loser.wtf, 1
+losespiritus.tk, 1
+loseweightbaby.tk, 1
+loseweightin5days.tk, 1
+losfiesteros.tk, 1
+losflamers.tk, 1
+losfugitivos.tk, 1
+losfuocos.tk, 1
+losgastricos.cl, 1
+losgringos.tk, 1
+loshalcones.tk, 1
+loshogares.mx, 1
+losinterrogantes.com, 1
+losjardines.tk, 1
+loslegendarios.tk, 1
+losless.fr, 1
+loslunesalrock.tk, 1
+losmaniatikos.tk, 1
+losmedicamentos.net, 0
+losmejoresgadgets.info, 1
+losmiserables.tk, 1
+losmolinos.tk, 1
+losnervios.tk, 1
+loson.cz, 1
+losopkos.tk, 1
+lospadrinosmagicos.tk, 1
+lospegotes.tk, 1
+lospozuelos.tk, 1
+losratonescoloraos.tk, 1
+losrosales.tk, 1
+losrso.tk, 1
+loss.no, 1
+lossaicos.tk, 1
+lossandthemourningafter.com, 0
+lost-bit.tk, 1
+lost-illusions.tk, 1
+lost-perdidos-hiatus.tk, 1
+lostandfound.mu, 1
+lostandfoundmember.com, 1
+lostandfoundsoftware.com, 1
+lostarkstats.com, 1
+lostarq.com, 1
+lostbubblegame.com, 1
+lostcork.com, 1
+lostcosmonaut.cc, 1
+lostfest.co.uk, 1
+lostfield.tk, 1
+lostfilm-tv.ru, 1
+lostgeek.de, 0
+losthighway.tk, 1
+lostinfilm.org.uk, 1
+lostinfood.co.uk, 1
+lostinlove.tk, 1
+lostinside.tk, 1
+lostinweb.eu, 0
+lostkeys.co.uk, 1
+lostluma.net, 1
+lostproperty.org, 1
+lostprophetschile.tk, 1
+lostsandal.com, 1
+lostserial.cf, 1
+lostserver.com, 1
+loststudios.net, 1
+losttv.tk, 1
+lostwithdan.com, 1
+lostwithiel.org.uk, 1
+lostwithielcommunitycentre.org.uk, 1
+lostwithielu3a.org.uk, 1
+lostwoods.tk, 1
+losviajesdequimyelena.com, 1
+losyandex.tk, 1
+loszucoz.tk, 1
+lotc.cc, 1
+loteamentoabertocapivari.com.br, 1
+lotekk.gq, 1
+lotereiki.tk, 1
+loteriasdominicana.com.do, 1
+lothai.re, 1
+lothlorien.ca, 0
+lotimena.com, 1
+lotl.ru, 1
+lotn.mobi, 1
+lotnonline.com, 1
+lotnonline.net, 1
+lotnonline.nl, 1
+loto-king.com, 1
+lotocash.com, 1
+lotoperu.com, 1
+lotoquine.io, 1
+lotos-ag.ch, 1
+lotro-wiki.com, 1
+lottarewards247.com, 1
+lottcarey.org, 1
+lotteo.com, 1
+lotteryking.net, 1
+lotto.com, 1
+lotto.gt, 1
+lotto.ht, 1
+lotto.monster, 1
+lottobazar.com, 1
+lottodatabase.com, 1
+lottohoy.com, 1
+lottolive24.com, 1
+lottologics.com, 1
+lottolooting.com, 1
+lottomat.com, 1
+lottomonks.com, 1
+lottonigeria.com, 1
+lottopark.com, 1
+lottos.com.au, 1
+lottosonline.com, 1
+lottothaipro.com, 1
+lottoxworld.com, 1
+lottozambia.com, 1
+lotusbook247.com, 1
+lotusdiving.net, 1
+lotuselise.tk, 1
+lotusweb.tk, 1
+lotuswebsolutions.tk, 1
+lotw.de, 1
+lou.ist, 1
+lou.lt, 1
+louange-reconvilier.ch, 0
+louboutin.tk, 1
+louboutinshoessale.tk, 1
+loud-dragon.tk, 1
+loudcloudhealth.com, 1
+louddesignstudios.com, 1
+louderfaster.co.uk, 1
+loudersent.ga, 1
+loudly.com, 1
+loudmouth.tk, 1
+loudontn911.gov, 1
+louerunhacker.fr, 1
+louest.ch, 1
+loueurmeublegestion.expert, 1
+louhiranta.fi, 1
+louhomeworkouts.com, 1
+louisa.tk, 1
+louisacounty.gov, 1
+louisacountyia.gov, 1
+louisapolicefoundation.com, 1
+louisapolicefoundation.org, 1
+louisdefunes.tk, 1
+louisefar.tk, 1
+louisemisellinteriors.co.uk, 1
+louiserutkowski.tk, 1
+louisianalifesciences.gov, 1
+louisianamo.gov, 1
+louisianamusicfactory.com, 1
+louisiananetzero.gov, 1
+louisianarural.gov, 1
+louisianassbci.gov, 1
+louisroyer.ovh, 1
+louisville.gov, 1
+louisvillecarguys.com, 1
+louisvilleconnections.ga, 1
+louisvillefilmfestival.org, 1
+louisvillene.gov, 1
+louisvilleohio.gov, 1
+louiza.tk, 1
+loujaxx.net, 1
+loukas-stoltz.fr, 1
+loukkos.ma, 1
+loune.net, 1
+lounge.guide, 1
+loungecafe.net, 1
+loungecafe.org, 1
+loungepass.com, 1
+loupcountyne.gov, 1
+lourdes.love, 1
+lourdesigns.tk, 1
+lourencolar.com, 1
+lourissa.tk, 1
+lourorestaurante.pt, 1
+loursaint.tk, 1
+lousingchaphu.com, 1
+lousoyolos.fr, 1
+loutro.tk, 1
+louwlemmer.com, 1
+louyu.cc, 1
+lov4affiliate.com, 1
+lovcasino.com, 1
+love-and-hate.cf, 1
+love-books.ga, 1
+love-navigator.tk, 1
+love-palestine.com, 1
+love-planeta.tk, 1
+love-sent.com, 1
+love-spells-tarot.com, 1
+love4musik.com, 1
+love4taylor.eu.org, 1
+love4taylor.xyz, 1
+loveai.org, 0
+loveamber.me, 1
+loveandloyalty.se, 1
+lovebeingsexy.co.uk, 1
+lovebigisland.com, 1
+lovebirdhut.tk, 1
+lovebo9.com, 1
+lovebo9.net, 1
+lovebombed.wtf, 1
+lovebug.beauty, 1
+lovechester.com, 1
+lovecrystal.co.uk, 1
+lovecsnov.tk, 1
+lovedaleschool.tk, 1
+lovedutch.tk, 1
+lovegpl.com, 1
+lovehairstyles.com, 1
+loveherass.com, 1
+loveholidays.com, 1
+loveinabox.pt, 1
+loveismore.de, 0
+loveismore.es, 0
+loveismore.eu, 0
+loveismore.fr, 0
+loveismore.it, 0
+loveismore.org, 0
+loveismore.pl, 0
+loveismore.ru, 0
+loveismore.sk, 0
+loveismystyle.tk, 1
+loveisourweapon.com, 1
+lovejms.com, 1
+lovejoymethodist.org, 1
+lovelandelec.com, 1
+lovelee.tk, 1
+lovelens.li, 0
+loveless.ml, 1
+lovelive-anime.jp, 1
+lovelive-anime.tk, 1
+lovelive.us, 1
+lovelivewiki.com, 1
+lovell.co.uk, 1
+lovellgov.com, 1
+lovelybook4u.gq, 1
+lovelyfamilymm.com, 1
+lovelylanguedoc.com, 1
+lovelytimes.net, 1
+lovemaker.se, 1
+lovemanagementaccounts.co.uk, 1
+lovemasjid.com, 1
+lovememories.cf, 1
+lovemen.cc, 1
+lovemiku.info, 1
+lovemoon.tk, 1
+lovemybubbles.com, 1
+lovenet.tk, 1
+loveni.me, 1
+lovenwishes.com, 1
+loveplanets.tk, 1
+lover-bg.com, 1
+lovereligion.tk, 1
+loverepublic.ru, 1
+loverngifts.com, 1
+loverussiangirls.tk, 1
+loveshop.pt, 1
+lovesmagical.com, 0
+lovesquirting.com.br, 1
+lovessentials.com, 1
+lovetablecloths.co.uk, 1
+lovetarot.jp, 1
+lovethatmakeup.tk, 1
+lovetheprint.co.za, 1
+lovetime.co.il, 1
+lovetowork.tk, 1
+loveuno.com, 1
+loveweddingphotosandfilm.co.uk, 0
+loveyouhome.ua, 1
+lovg.ren, 1
+lovi.at, 1
+lovin.ga, 1
+lovin.tk, 1
+loving-house.com, 1
+lovingbody.yoga, 1
+lovink.net, 1
+lovinoes.de, 1
+lovlyhorses.tk, 1
+lovlyluna.net, 1
+lovlyluna.org, 1
+lovstabanan.se, 1
+low-battery.tk, 1
+low-diets.com, 1
+lowcarbdietmealsmsk.ga, 1
+lowcarbspark.com, 1
+lowcosthost.cf, 1
+lowcostivf.net, 1
+lowcostwire.com.au, 1
+lowell85.com, 1
+lowendblog.com, 1
+loweporn.com, 1
+lower-level.tk, 1
+lower.nu, 1
+lowerchancefordtwppa.gov, 1
+lowercostcalls.com, 1
+lowermydrinking.com, 1
+lowerpricefinder.com, 1
+lowerthetone.com, 1
+lowesprotect.com, 1
+lowlab.io, 1
+lowlevelmusic.com, 1
+lowmagnitude.com, 1
+lowndes-al.gov, 1
+lowriderz.tk, 1
+lowsec.space, 1
+lowtempind.com, 1
+loyaleco.it, 1
+loyaliplaw.com, 1
+loyaltech.ch, 1
+loyaltech.tk, 1
+loyaltyreviewers.ga, 1
+loyisa.cn, 1
+loyloy.net, 1
+loyolahs.edu, 1
+loyverse.town, 1
+lozhka-mernaya.tk, 1
+lp-support.nl, 0
+lp177.fr, 1
+lpc.fun, 1
+lpcd-lafla.gov, 1
+lpcdops-lafla.gov, 1
+lpchemicalsolution.tk, 1
+lpcom.de, 1
+lpdp.photo, 1
+lpemprestimos.online, 1
+lpfan.tk, 1
+lph.saarland, 1
+lphispano.tk, 1
+lpiem.fr, 1
+lpkosovo.tk, 1
+lplbullets.com, 1
+lpmkonji.cf, 1
+lpnjobsite.com, 1
+lpnm.us, 1
+lps.in.ua, 1
+lpsolutions.com, 1
+lpt-nebreziny.cz, 1
+lpt-nebreziny.eu, 1
+lptami.gov, 1
+lqa.org.uk, 1
+lqd.plus, 1
+lqhi.cn, 1
+lqy.me, 1
+lr-expert.ru, 1
+lra-cloud.de, 1
+lrbm.com, 1
+lrc.cn, 1
+lrcr.ch, 0
+lrfix.com, 1
+lricountry.com, 1
+lriese.ch, 1
+lrn.com, 1
+lroc.com.au, 1
+lrp-autorecycling.de, 1
+lrq.icu, 1
+lrssystems.com, 1
+lrumeq.com, 1
+lrv-grobbendonk.tk, 1
+ls-alarm.de, 1
+lsbricks.com, 1
+lsbttiq.org, 1
+lsc-dillingen.de, 1
+lsc-mn.gov, 1
+lsc.ee, 1
+lsc.moe, 1
+lscache.de, 1
+lsd.cat, 1
+lsdev.biz, 1
+lsfnet.org, 1
+lsg2021acm.com, 1
+lshiy.com, 1
+lshydrogenmethane.cz, 1
+lskgreenacquisition.com, 1
+lskgreencomponent.com, 1
+lskgreendevelop.com, 1
+lskgreenenergy.com, 1
+lskgreengroup.cz, 1
+lslbc.gov, 1
+lspdonline.gq, 1
+lsquared.com, 1
+lsquo.com, 1
+lsscreens.de, 1
+lstlx.com, 1
+lstma.com, 1
+lstu.tk, 1
+lsupg.com, 1
+lsxteam.tk, 1
+lsy.cn, 1
+lsys.ac, 1
+lszj.com, 1
+lt.search.yahoo.com, 0
+lt27.de, 1
+ltaake.com, 1
+ltailshort.tk, 1
+ltba.org, 1
+ltcfeds.com, 1
+ltcwaterwijk.nl, 1
+ltdev.im, 1
+ltecode.com, 1
+ltgc.cc, 1
+lthcastings.com, 0
+ltheinrich.de, 1
+ltib.com.au, 1
+ltime.ml, 1
+ltlec.cn, 1
+ltlec.com, 0
+ltlec.net, 1
+ltlec.services, 1
+ltls.org, 1
+ltmw.xyz, 1
+ltn-tom-morel.fr, 1
+ltn.pw, 1
+lto.ru, 1
+ltonlinestore.in, 0
+ltransferts.com, 1
+ltservers.net, 1
+lty.best, 1
+lty.space, 1
+ltycode.org, 1
+lu-rp.es, 1
+lu.search.yahoo.com, 0
+lu0.org, 1
+lu2343.com, 1
+luacustica.tk, 1
+luademelsexshop.com, 1
+lual.tk, 1
+luanvancaohoc.com, 1
+luanxt.tk, 1
+luathungson.vn, 1
+lubar.me, 1
+lubosabo.tk, 1
+lubot.net, 1
+lubotodorov.com, 1
+lubrind.com, 1
+luc-nutrition.tk, 1
+luc-oberson.ch, 0
+luc.li, 1
+luca-app.de, 1
+luca-steeb.com, 1
+lucaconrads.de, 1
+lucade.ddns.net, 0
+lucafontana.net, 1
+lucafrancesca.me, 1
+lucakrebs.de, 1
+lucaplus.com, 1
+lucarautti.com, 1
+lucarelli.fr, 1
+lucas.pet, 1
+lucasartsclassics.com, 1
+lucasbastos.com, 1
+lucasbergen.ca, 1
+lucascantor.com, 1
+lucascaton.com.br, 1
+lucascosta-ido.ml, 1
+lucascountyohiovotes.gov, 1
+lucasdamasceno.com, 1
+lucasem.com, 1
+lucasferraz.com.br, 1
+lucasg.org, 1
+lucasgymnastics.com, 1
+lucasjag.com.br, 1
+lucaslarson.net, 1
+lucasmateus.ga, 1
+lucasmz.eu.org, 1
+lucasvieira.fr, 1
+lucciolachile.com, 1
+lucdethier.be, 1
+luce.life, 1
+lucentioluo.space, 1
+lucentt.co.nz, 1
+lucenttour.tk, 1
+lucerin.ga, 1
+lucesledsbaratas.shop, 1
+luchalibre.tk, 1
+luchandro.tk, 1
+luchshie-experty.top, 0
+luchthavenmaastricht.nl, 1
+luchtspoor.nl, 1
+lucia-art.cf, 1
+lucia-riemer.de, 1
+lucid-light.de, 1
+lucid-reality.ch, 1
+lucidea.com, 1
+lucidframeworks.com, 1
+lucidlabs.in, 1
+lucidlink.com, 1
+lucidoccult.com, 1
+lucidplumbing.com.au, 1
+lucidya.com, 1
+lucie-parizkova.cz, 1
+lucielavickova.com, 1
+luciferblog.tk, 1
+luciferianism.tk, 1
+lucifevesdaubrac.fr, 1
+lucille-thomas.fr, 1
+lucillewillemsen.tk, 1
+luciobarcellona.it, 1
+luciogelsi.com, 1
+lucishere.cz, 1
+luciusweb.es, 1
+luckblock.net, 1
+luckblock.site, 1
+luckeyproductions.com, 1
+luckibots.de, 1
+lucklesslovelocks.com, 1
+luckmoneymyth.com, 1
+lucko.me, 1
+luckperms.net, 1
+lucksh.ga, 1
+lucksh.gq, 1
+lucksh.tk, 1
+luckwi.gov, 1
+lucky-bul.tk, 1
+lucky-frog.co.uk, 1
+lucky-time.tk, 1
+lucky13strategies.com, 1
+luckyabonent.ml, 1
+luckybeantravel.com, 1
+luckyblockland.fr, 1
+luckycasino.se, 1
+luckycastles.co.uk, 1
+luckycloud.de, 1
+luckydag.com, 1
+luckydoglodge.net, 1
+luckyemail.ml, 1
+luckyfrog.hk, 1
+luckymice.ml, 1
+luckyrent.tk, 1
+luckystorevn.com, 1
+luckyxf.com, 1
+lucloud.top, 1
+luclu7.fr, 1
+lucorautopartes.com, 1
+lucrar.pt, 1
+lucschiltz.com, 1
+luctam.com, 1
+lucychan.tk, 1
+lucyhancock.tech, 1
+lucymontebello-arte.com, 1
+lucyparsonslabs.com, 1
+lucysan.net, 1
+lucz.co, 1
+luda.me, 1
+ludasmith.co.uk, 1
+lude.tk, 1
+ludek.biz, 1
+luden.tk, 1
+ludika.tk, 1
+ludikovsky.name, 1
+ludivine-viguie.com, 1
+ludmilla.tk, 1
+ludmillaewagner.ga, 1
+ludo-giuly.tk, 1
+ludofantasy.fr, 1
+ludogogy.co.uk, 1
+ludogue.net, 1
+ludolust.tk, 1
+ludomo.de, 1
+ludong365.com, 1
+ludotech.tk, 1
+ludovic-frank.fr, 1
+ludovic-muller.fr, 1
+ludovic.com.br, 1
+ludovicfernez.com, 1
+ludovicozitelli.it, 1
+ludum-polus.xyz, 1
+ludum.pl, 1
+ludunwayoo.com, 1
+ludwig.im, 1
+ludwiggrill.de, 1
+ludwigjohnson.se, 1
+ludwigpro.net, 1
+ludwigsburger-brauhaus.de, 1
+luedeke-bremen.eu, 1
+lueersen.homedns.org, 1
+luehne.de, 1
+luematecidos.com, 1
+luematecidos.com.br, 1
+luenwarneke.com, 1
+lufa.com, 1
+luffyhair.com, 1
+luftbild-siegerland.de, 1
+luftfilterbegehren.at, 1
+lufthansa.com, 1
+luftreiniger.biz, 1
+lugandbezel.com, 1
+lugaresturisticosdeguatemala.ga, 1
+lugaway.com, 1
+luggagecare.com, 1
+lugimax.com, 1
+luginbuehl.be, 1
+luginbuehl.eu, 1
+lugobama.tk, 1
+lugros.tk, 1
+lugui.in, 1
+lui.vn, 1
+luijten.it, 1
+luinonotizie.it, 1
+luis-portfolio.es, 1
+luis.ee, 1
+luis.fi, 1
+luisa-birkner.de, 1
+luisafernandapenuela.com, 1
+luisanalopilatogrecia.tk, 1
+luisaviles.tk, 1
+luisbacher.tk, 1
+luisbustamante.mx, 1
+luisfreire.ml, 1
+luisillo.tk, 1
+luisjosesaldana.com, 1
+luismiguelcolombia.tk, 1
+luisnavarrosl.tk, 1
+luisnet.tk, 1
+luisrubiqwe.ml, 1
+luisv.me, 1
+luisvmf.com, 1
+luisvmf.tk, 1
+luisyr.com, 1
+luiza-fashion.com, 1
+luiza.ga, 1
+luizafigueiredo.com.br, 1
+luje.net, 1
+luje.nl, 1
+lujin.ml, 1
+luk.earth, 1
+luk.photo, 1
+lukas-gorr.de, 1
+lukas-meixner.com, 1
+lukas-schauer.de, 1
+lukas-webdesign.tk, 1
+lukas.im, 1
+lukas2511.de, 1
+lukasapetra.com, 1
+lukasberan.com, 1
+lukasberan.cz, 1
+lukasbures.com, 1
+lukaschiu.com, 1
+lukasfelder.tk, 1
+lukasgimberis.com, 1
+lukaskollmer.de, 1
+lukasldc.com, 1
+lukasmatuska.cz, 0
+lukasrod.cz, 1
+lukasschauer.de, 1
+lukasunger.cz, 1
+lukasunger.net, 1
+lukasw.tk, 1
+lukaswiden.com, 1
+lukaszczyk.de, 1
+lukaszderlatka.pl, 1
+lukaszuk.pl, 1
+lukaszwojcik.com, 1
+lukaszwojcik.net, 1
+lukatz.de, 1
+luke.id, 1
+luke6887.me, 1
+lukeandjesse.wedding, 1
+lukeistschuld.de, 1
+lukekuza.com, 1
+lukekuza.me, 1
+lukem.eu, 1
+lukem.net, 1
+lukeplant.me.uk, 1
+luker.org, 1
+lukersallamericanstorage.com, 1
+lukersstorage.com, 1
+lukerstorage.com, 1
+lukertech.net, 1
+lukesbouncycastlehire.com, 1
+lukestert.com, 0
+lukesutton.info, 1
+lukeswiki.eu, 1
+luketscharke.com, 1
+lukezweb.tk, 1
+lukin.ga, 1
+lukka.tk, 1
+lukmanulhakim.id, 1
+lukolab.lt, 1
+lukonet.com, 1
+lukullpizza.de, 1
+lule-kendo.tk, 1
+lullugun.net, 1
+luls.tk, 1
+luluca.com.br, 1
+luludapomerania.com, 1
+lulugold.ba, 1
+lumacurve.com, 1
+lumaesthetic.co.uk, 1
+lumapr.com, 1
+lumbardhi.tk, 1
+lumbercartel.ca, 1
+lumberjackman.tk, 1
+lumbre-encendedores.com, 1
+lumchan.tk, 1
+lumenapp.com, 1
+lumenore.com, 0
+lumentell.us, 1
+lumer.tech, 1
+lumi.com, 1
+lumien.net, 1
+lumieredesoy.com, 1
+luminal-creation.com, 1
+luminalearning.com, 1
+luminaproject.ml, 1
+luminariagames.com, 1
+luminary.pl, 1
+lumindigital.com, 0
+lumineled.se, 1
+lumingze.eu.org, 1
+luminia-informatique.fr, 1
+lumitop.com, 1
+lumixtar.com, 1
+lummi-nsn.gov, 1
+lummihealth.gov, 1
+lumminary.com, 1
+lumoa.me, 1
+lumoria.eu, 1
+lumos.gallery, 1
+lumpenrock.tk, 1
+lumpov.com, 1
+lumpy.ga, 1
+lumsa.university, 1
+lumsdens.ga, 1
+lumus-grafikdesign.de, 1
+lumweb.tk, 1
+luna-corazon.net, 1
+luna-love.net, 1
+luna.ro, 1
+lunaballoonclub.com.au, 1
+lunaburner.ml, 1
+lunaclan.tk, 1
+lunacraft.ga, 1
+lunadea.tk, 1
+lunademiel.org, 1
+lunafag.ru, 1
+lunagiftables.com, 1
+lunagrill.com, 1
+lunalove.de, 1
+lunalovely.net, 1
+lunaluna.com, 1
+lunalya.de, 1
+lunanova.moe, 1
+lunaonline.tk, 1
+lunapps.com, 1
+lunar6.ch, 0
+lunares.pl, 1
+lunarflake.com, 1
+lunarhost.cf, 1
+lunaribes.ch, 1
+lunarlog.com, 1
+lunarsoft.net, 1
+lunartail.nl, 1
+lunarum.tk, 1
+lunascope.ru, 1
+lunasqu.ee, 1
+lunastrail.com, 1
+luncfreak.com, 1
+lunchcafe-inderoos.nl, 1
+lund.se, 1
+lundlist.net, 1
+lundscape.com, 1
+lune-indigo.ch, 0
+lune.gay, 1
+lunekes.com, 1
+lunenburg-gilmanvt.gov, 1
+lunenburgva.gov, 1
+lunepieters.co.za, 1
+lunextd.com, 1
+lungta.pro, 1
+lunguflorin.ro, 1
+lungvictorycarpet.com, 1
+luniak.net, 1
+lunight.ml, 1
+lunite.net, 1
+lunite.tk, 1
+lunivertdelyne.fr, 1
+lunix.io, 1
+lunk.it, 1
+lunlixiaozhan.icu, 1
+luntadila.ga, 1
+lunulanails.nl, 1
+luochunhui.com, 1
+luoe.me, 1
+luoh.cc, 1
+luoh.me, 1
+luohua.im, 1
+luojan.com, 1
+luoli.one, 1
+luoliguan10.com, 1
+luoliguan11.com, 1
+luoliguan12.com, 1
+luoliguan13.com, 1
+luoliguan14.com, 1
+luoliguan15.com, 1
+luoliguan17.com, 1
+luoliguan18.com, 1
+luoliguan4.com, 1
+luoliguan5.com, 1
+luoliguan6.com, 1
+luoliguan9.com, 1
+luonggia.tk, 1
+luongvu.com, 0
+luongyen.com, 1
+luoshifeng.com, 1
+luotianyi.online, 1
+luowu.cc, 1
+luoxingyu.ml, 1
+lupa.cz, 1
+lupa.mk, 1
+luparacoes.com.br, 1
+lupecode.com, 1
+lupinencyclopedia.com, 1
+lupnix.org, 1
+lupocattivoblog.com, 1
+luppa.loan, 1
+lupriflex.com, 1
+luqsus.pl, 1
+luripump.se, 1
+lurishop.com.br, 1
+lurkmirror.ml, 1
+lushclub.tk, 1
+lushersolutions.com, 1
+lushnikov-alex.ru, 1
+lushnja.tk, 1
+lusis.fr, 1
+lusitom.com, 1
+luso-livros.net, 1
+lusoft.cz, 1
+lusosider.pt, 1
+lusson.fr, 1
+lust.works, 1
+lustanslakejer.tk, 1
+lusteniny.cz, 1
+lustgarten.org, 1
+lustiger-kellner.de, 1
+lustigetweets.at, 1
+lustrecloud.art, 1
+lusynth.com, 0
+luteijn.biz, 1
+luteijn.cloud, 1
+luteijn.email, 1
+lutendo.com, 1
+lutesite.tk, 1
+lutherus.tk, 1
+lutify.me, 1
+lutoma.org, 1
+lutricia.tk, 1
+lutruwita.com, 1
+luukaslindsey.tk, 1
+luukdebruincv.nl, 0
+luukklene.nl, 1
+luukuton.fi, 1
+luulosairaus.com, 1
+luuppi.fi, 1
+luv-scent.com, 1
+luv.asn.au, 1
+luv2watchmycam.com, 1
+luvare.com, 1
+luvey.com, 1
+luvmihome.com, 1
+luvscent.com, 1
+lux-house.tk, 1
+luxanos.com, 1
+luxarchive.tk, 1
+luxaterra.com, 1
+luxcaravan.com, 0
+luxcraft.eng.br, 0
+luxden.com, 1
+luxe-in.gr, 1
+luxe.digital, 1
+luxebadkameraccessoires.nl, 1
+luxedentalfl.com, 1
+luxegram.co, 1
+luxehomecompany.com, 1
+luxelyhome.com, 1
+luxemburgsite.tk, 1
+luxeturf.com.au, 1
+luxfosdecoenterprise.com, 1
+luxhair.com.ua, 1
+luxhome.tk, 1
+luxinfine.su, 1
+luxinmo.com, 1
+luxmedia.co.in, 1
+luxonengineering.com, 1
+luxonmx.com, 1
+luxosemimos.com.br, 1
+luxoticlingerieandswimwear.com, 0
+luxplay.com.tw, 1
+luxsat.tk, 1
+luxsci.com, 1
+luxstil.ga, 1
+luxulyanvalley.co.uk, 1
+luxur.is, 1
+luxure.cl, 1
+luxury-tours.in, 1
+luxuryandexecutivetravel.co.uk, 1
+luxurydress.tk, 1
+luxuryfashion.hu, 1
+luxurygifts.tk, 1
+luxuryhome.co.id, 1
+luxuryhomeinfo.tk, 1
+luxuryhomenews.tk, 1
+luxuryhomepro.tk, 1
+luxuryhomerebuild.tk, 1
+luxuryhomeuk.tk, 1
+luxuryhomeusa.tk, 1
+luxuryhous.ru, 1
+luxuryislandtrips.com, 1
+luxurymedina.com, 1
+luxurynsight.net, 0
+luxuryoutbacktours.com.au, 1
+luxuryportal.net, 1
+luxuryspeed.tk, 1
+luxurystays.in, 1
+luxurythatlasts.com, 1
+luxurywatchesworldwide.com, 1
+luxuryweddingsindonesia.com, 1
+luxushair.com, 1
+luxusnivoucher.cz, 1
+luxusnyvoucher.sk, 1
+luxusy.pl, 1
+luxuszugreisen.info, 1
+luxvacuos.net, 1
+luxwatch.com, 1
+luyckx.net, 1
+luyungterd.com, 0
+luzfaltex.com, 1
+luzi-type.ch, 1
+luzica.tk, 1
+lv.lk, 1
+lv.search.yahoo.com, 0
+lv0.it, 0
+lv5.top, 1
+lvcshu.com, 1
+lvdgroup-innov8.com, 1
+lvdr.tech, 1
+lvee.org, 1
+lvfc.co, 1
+lvftw.com, 1
+lvg-heidelberg.info, 1
+lvg.cl, 1
+lvguitars.com, 1
+lvkasz.us, 1
+lvkaszus.pl, 1
+lvlv.cf, 1
+lvm.me, 1
+lvna.capital, 1
+lvnacapital.com, 1
+lvnya.top, 1
+lwb.pt, 1
+lwd-temp.top, 1
+lwems.co.uk, 1
+lwgwiki.com, 1
+lwis.me, 1
+lwisa.ma, 1
+lwl-foej-bewerbung.de, 1
+lwl.moe, 1
+lwnlh.com, 1
+lwqwq.com, 1
+lwsl.ink, 1
+lx-blog.cn, 1
+lx-is.lu, 1
+lxai.net, 1
+lxd.cc, 0
+lxd.tw, 1
+lxiii.eu, 1
+lxiv.eu, 1
+lxn.re, 1
+lxnchan.cn, 1
+lxshowcnc.com, 1
+lxx4380.com, 1
+lxx77.com, 1
+ly-nux.fr, 1
+lyam.fr, 1
+lyanaprintable.com, 1
+lyap-lyandiya.ga, 1
+lyax.be, 1
+lycan.me, 1
+lycaonsec.com, 1
+lychankiet.name.vn, 0
+lycly.me, 1
+lydianibley.com, 1
+lydiawebfans.tk, 1
+lydudlejning.net, 1
+lyfbits.com, 1
+lyfepyle.com, 1
+lyftrideestimate.com, 1
+lyftservice.se, 1
+lyklasmidur.is, 1
+lykope.com, 1
+lyla-pressing.com, 1
+lyme-regis-accommodation.co.uk, 1
+lymia.moe, 1
+lymiahugs.com, 1
+lyna.ml, 1
+lyncag.org, 1
+lyncoin.com, 1
+lyndhurstohio.gov, 1
+lyndo.ga, 1
+lyndontownshipmi.gov, 1
+lynero.dk, 1
+lyness.io, 1
+lyness.uk, 1
+lyngvaer.no, 1
+lynho.com.br, 1
+lynk.hopto.org, 1
+lynkmi.com, 1
+lynnbosten.nl, 1
+lynnco.com, 1
+lynndye.com, 1
+lynnejeancleaning.com, 1
+lynnellneri.com, 1
+lynnesbian.space, 1
+lynnfieldhigh97.com, 1
+lynnfieldma.gov, 1
+lynnlaytonnissanparts.com, 1
+lynnvartan.com, 1
+lynth.io, 1
+lynthium.com, 1
+lynwilliams.com, 1
+lynwoodca.gov, 1
+lynx-webservice.com, 0
+lynx.nl, 1
+lynxbroker.com, 1
+lynxbroker.cz, 1
+lynxbroker.pl, 1
+lynxbroker.sk, 1
+lynxriskmanager.com, 1
+lyodiet.it, 1
+lyon-interactive.com, 1
+lyon-synergie.com, 1
+lyonelkaufmann.ch, 0
+lyonliving.com, 1
+lyonsbytes.com, 1
+lyontwp-higginsmi.gov, 1
+lyradhealth.com, 0
+lyrae.de, 1
+lyrenhex.com, 1
+lyrex.net, 1
+lyric.co.uk, 1
+lyrica.systems, 1
+lyrical-nonsense.com, 1
+lyricfm.ie, 1
+lyricheaven.com, 1
+lyricsbase.com, 1
+lyricsforyou.gq, 1
+lyricsroll.com, 0
+lyricsupdater.tk, 1
+lyriksidan.ga, 1
+lyrique.ch, 1
+lys.ch, 0
+lysander-hans.com, 1
+lyscnd.com, 1
+lysel.net, 1
+lysergion.com, 1
+lysethcreation.com, 1
+lyst.co.uk, 1
+lyteclinic.com, 0
+lyubov-sovmestimost.cf, 1
+lyuda.tk, 1
+lyukaacom.ru, 1
+lyuks-parfyum.tk, 1
+lyuly.com, 1
+lyx.dk, 1
+lyxel-staging.tk, 1
+lz.lv, 1
+lz.sb, 1
+lz233.ac.cn, 1
+lzcreation.com, 1
+lzqii.cn, 1
+lzwc.nl, 1
+lzwwebsite.tk, 1
+lzzr.me, 1
+m-16.ml, 1
+m-22.com, 1
+m-ast.de, 1
+m-beshr.tk, 1
+m-cert.fr, 0
+m-ch.ml, 1
+m-chemical.com.hk, 1
+m-em.co.jp, 1
+m-enterprise.net, 1
+m-epigrafes.gr, 1
+m-exchange.ml, 1
+m-fashion.com.ua, 1
+m-gaming.tk, 1
+m-generator.com, 1
+m-h-b.fr, 1
+m-hydravlika.com.ua, 1
+m-i.si, 1
+m-idea.jp, 1
+m-mail.fr, 1
+m-monitor.pl, 1
+m-mts.ru, 1
+m-nasiri.com, 1
+m-net.de, 1
+m-o-v-i-e.tk, 1
+m-o-x.de, 1
+m-of-love.de, 1
+m-office.pl, 1
+m-producties.nl, 1
+m-ses.fr, 1
+m-team.cc, 1
+m-warrior.tk, 1
+m.ac, 1
+m.facebook.com, 1
+m.mail.ru, 1
+m.me, 1
+m.sb, 1
+m08.co, 1
+m0t0k1ch1.com, 1
+m1-garand-rifle.com, 1
+m132.eu, 1
+m134.eu, 1
+m1d1.black, 1
+m1gun.tk, 1
+m1hax.uk, 1
+m23cal.eu, 1
+m24o.net, 1
+m2designer.com.br, 1
+m2dleadership.com, 1
+m2epro.com, 1
+m2i-api.com, 1
+m2icondb.com, 1
+m2il.co, 1
+m2international.com, 1
+m2jest1c.ml, 1
+m2os.com, 1
+m2tm.fr, 1
+m3-software.com, 1
+m360.com.ph, 1
+m36533.com, 1
+m3ntor.tech, 1
+m3rck.ch, 1
+m42-gmbh.de, 1
+m426.ch, 1
+m4all.gr, 1
+m4g.ru, 1
+m4rcus.de, 1
+m5197.co, 1
+m5industries.com, 1
+m5wl5r.com, 1
+m6729.co, 1
+m6729.com, 0
+m6957.co, 1
+m6pub.fr, 0
+m7rxx.com, 1
+m82365.com, 1
+m8593.com, 1
+m9297.co, 1
+m9728.co, 1
+m9t.ch, 1
+ma-bimbo.com, 1
+ma-canne-a-peche.fr, 1
+ma-decheterie-du-domicile.fr, 1
+ma-eir.nl, 1
+ma-lex.ma, 1
+ma-ligne.co, 1
+ma-paroisse.ch, 1
+ma-queue.com, 1
+ma-subvention-electrique.com, 1
+ma-ze-linux.tk, 1
+ma109.org, 1
+ma110.org, 1
+ma162.org, 1
+ma2t.com, 1
+maa2.com, 1
+maaamet.ee, 0
+maadi.tk, 1
+maafushiscuba.com, 1
+maagdesigns.com.uy, 1
+maahchepen.tk, 1
+maaiai.com, 1
+maailm.tk, 1
+maaldrift.tk, 1
+maaleht.ee, 1
+maaret.de, 1
+maarivpn.com, 1
+maarja.edu.ee, 1
+maartenderaedemaeker.be, 1
+maartenvandekamp.nl, 1
+maasstaddinerexpres.nl, 1
+maat.pt, 1
+maatt.ch, 1
+maatt.fr, 0
+maatwerkopruimcoaching.nl, 1
+maatwerkzorgcoaching.nl, 1
+maavaishnowsewatrust.com, 1
+maaya.jp, 1
+mab.com, 1
+maba.tk, 1
+mabankonline.com, 1
+mabelmartinez.es, 1
+mable.com.au, 1
+mableton.gov, 1
+mabnn.org, 1
+mabnn.ru, 1
+mabnn.spb.ru, 1
+mabra.com, 1
+mabusalah.tk, 1
+mac-i-tea.ch, 0
+mac-iphone.com, 1
+mac-world.pl, 1
+mac.biz.tr, 1
+macabeo.bio, 1
+macallan-tls.com, 1
+macallantls.com, 1
+macangus-wainwright.com, 1
+macaos.com, 1
+macapflag.com, 1
+macappstudio.com, 1
+macappstudiobridge.com, 1
+macappstudioprojects.com, 1
+macaque.io, 0
+macarenagomezfan.tk, 1
+macaroons.tk, 1
+macaroonshindig.tk, 1
+macautocouture.ga, 1
+macautocouture.gq, 1
+macautocouture.ml, 1
+macaw.de, 1
+macaw.lt, 1
+macaw.net, 1
+macaws.org, 1
+macbo.de, 1
+maccabi-dent.com, 1
+macchinetedesche.it, 1
+macdj.tk, 1
+macdonaldplasticsurgery.ca, 1
+macedonian-hotels.com.mk, 1
+macedonian-hotels.mk, 1
+macegroup.com, 1
+macehead.tk, 1
+maceinturecuir.com, 1
+maces-net.de, 1
+macfieclansociety.org, 1
+macgeneral.de, 1
+macgenius.com, 1
+mach-it.com.ar, 1
+mach-it.com.uy, 1
+mach-politik.ch, 1
+mach.com.ar, 1
+macha.cloud, 1
+machaaltricks.tk, 1
+machbach.com, 1
+machbach.net, 0
+machbel.com, 1
+machelpnashville.com, 1
+machiavelli.tk, 1
+machikka.com, 0
+machin.email, 1
+machinatio.ga, 1
+machine.email, 1
+machinebazar.com, 1
+machineidle.com, 1
+machinerysafety101.com, 1
+machineseeker.com, 1
+machineseeker.es, 1
+machinio.com, 1
+machissenefre.ga, 1
+machled.com.ar, 1
+machmit.tk, 1
+machnho.com, 1
+macho-i-botan.tk, 1
+machon.biz, 1
+machosting.jp, 1
+machtweb.de, 1
+machupicchu.tk, 1
+machwasgeil.es, 1
+macil.tech, 1
+macinyasha.net, 1
+macioszektv.eu, 1
+mack-eng.com, 1
+mack.im, 1
+mack.space, 1
+mackanz.tk, 1
+mackenziedatastream.ca, 1
+macker.io, 1
+mackeysack.com, 1
+mackies.ga, 1
+mackinawil.gov, 1
+mackinvia.com, 1
+macksproductions.in, 1
+maclafferty.be, 1
+macleans.ca, 1
+maclemon.at, 1
+macleod.io, 1
+macley.nl, 1
+macmor.com, 1
+macna.com.sa, 1
+macnemo.de, 1
+macnetwork.eu, 0
+macnetwork.fr, 0
+macnetwork.net, 0
+macnews.org, 1
+macnugget.org, 1
+maco.org.uk, 1
+macon.de, 1
+maconcountymo.gov, 1
+maconnerie-dcs.ch, 1
+macosx86.ml, 1
+macoupinvotes.gov, 1
+macpaw.com, 1
+macpress.com.br, 1
+macreosolutions.com, 1
+macroeng.tk, 1
+macroestetica.com, 1
+macrogamer.com, 1
+macropremia.com.ar, 1
+macros.co.jp, 1
+macrosec.tech, 1
+macroseo.tk, 1
+macrotech.tk, 1
+macskorlari.net, 1
+macsoftware.org, 1
+macsonuclari.com.tr, 1
+macsonuclari.mobi, 1
+macstore.pe, 0
+macvcure.com, 1
+macvidcards.eu, 1
+mad-in-love.com, 1
+mad-rabbit.com, 1
+mad.es, 1
+mad2moi.com, 1
+madadmin.com, 1
+madae.nl, 1
+madamasr.com, 1
+madamcougar.com, 1
+madame-kosmetikstudio.de, 1
+madameblueimages.com, 1
+madamegarage.nl, 1
+madamemeringue.nl, 1
+madbicicletas.com, 1
+madbin.com, 1
+madbouncycastles.co.uk, 1
+madcloud.io, 1
+madcosao.gov, 1
+madcs.nl, 0
+maddi.biz, 1
+maddie.gay, 1
+maddin.ga, 1
+made-to-usb.com, 1
+made.md, 1
+made2coach.com, 1
+madebydusk.com, 1
+madebyesmel.com, 1
+madebyhand.art, 1
+madebyshore.com, 1
+madebythijmen.nl, 1
+madecenter.com.br, 1
+madechocolaterie.nl, 1
+madeforelle.shop, 1
+madeglobal.com, 1
+madeinabyss-manga-new.com, 1
+madeinamerica.gov, 1
+madeincana.com, 1
+madeincanarias.net, 1
+madeinchezmoi.net, 0
+madeinsport.com, 1
+madeinua.com, 1
+madeira.link, 1
+madeiraislandnews.com, 1
+madeiranuncios.pt, 1
+madeitstick.com, 1
+madelynn.me, 0
+mademoe.com, 1
+maden.com, 1
+madenco.nl, 1
+mader-logistik.de, 1
+mader.jp, 1
+maderasbrown.com, 1
+madetosave.org, 1
+madewithcollab.com, 1
+madewithopendata.org, 1
+madeyra.com, 1
+madge.tk, 1
+madhawaweb.tk, 1
+madhon.co.uk, 1
+madhon.com, 1
+madhyrecords.com, 1
+madian.tk, 1
+madinahtech360.com, 1
+madinatalzahra.org, 1
+madinatech360.com, 1
+madinina.tk, 1
+madintouch.com, 1
+madison.com, 1
+madisoncountyalema.gov, 1
+madisoncountyhelps.com, 1
+madisoncountyil.gov, 1
+madisoncountyky.gov, 1
+madisoncountyne.gov, 1
+madisonent-facialplasticsurgery.com, 1
+madisonhind.com, 1
+madisonmobilenotary.com, 1
+madisonpressurewashing.com, 1
+madisonprocaccini.tk, 1
+madisonsjewelersorlando.com, 1
+madisonsquarerealestate.com, 1
+madisontwpmi.gov, 1
+madkids.ga, 1
+madknight.tk, 1
+madlandezboard.tk, 1
+madlife.fr, 1
+madluging.tk, 1
+madmasters.tk, 1
+madmaxstore.it, 1
+madmoizelle.com, 1
+madnetwork.org, 1
+madobe.tk, 1
+madokami.net, 1
+madokami.pw, 1
+madonnadellafibra.gq, 1
+madonnamedia.tk, 1
+madorijewelry.com, 1
+madost.one, 1
+madou278.ru, 1
+madprod.tk, 1
+madpsy.uk, 1
+madrakmoadel.ir, 1
+madrasareforms.cf, 1
+madrasareforms.ga, 1
+madrasareforms.ml, 1
+madreacqua.org, 1
+madrecha.com, 0
+madreluna.it, 1
+madresdelacruz.tk, 1
+madrese.tk, 1
+madrespect.com, 1
+madride.tk, 1
+madridistas.com, 1
+madscientistwebdesign.com, 1
+madsihle.com, 1
+madskauts.tk, 1
+madskill.tk, 1
+madskills.tk, 1
+madsklitgaard.dk, 1
+madskristensen.dk, 1
+madspeed-performance.tk, 1
+madsstorm.dk, 0
+madteam.tk, 1
+madtown.tk, 1
+madu369.com, 1
+maduexclusive.com, 1
+maduracion.com, 1
+maduradas.info, 1
+maduradas.net, 1
+madviewer.tk, 1
+madvoxel.com, 1
+madwarlock.com, 1
+mae-berlinistanbul.com, 1
+maedacolo.com.br, 1
+maedchenflohmarkt.at, 1
+maedchenflohmarkt.de, 1
+maeitems.ca, 1
+maeko.fr, 1
+maeliacreation.fr, 1
+maeln.com, 1
+maelstrom-fury.eu, 1
+maelstrom.ninja, 1
+maeprototipi.it, 1
+maersktankers.com, 1
+maerzpa.de, 1
+maestrocabins.co.uk, 1
+maestrocasas.es, 1
+maestrocasas.pt, 1
+maestrocase.it, 1
+maestrochalet.fr, 1
+maestroholzbau.de, 1
+maestrotuinhuizen.nl, 1
+maeterlinck100.be, 1
+maev.si, 1
+maeva-beauty.com, 1
+maeva-beauty.fr, 1
+maeva.com, 1
+maevelyfotografia.com, 1
+maewongaming.tk, 1
+maff.co.uk, 1
+maff.scot, 1
+mafia-web.tk, 1
+mafiaclan.tk, 1
+mafiaclub.ml, 1
+mafiaforum.de, 1
+mafiagames.tk, 1
+mafiamohaa.tk, 1
+mafiasi.de, 1
+mafiatown.pl, 1
+mafondue.ch, 0
+mafworld.com, 1
+mafy.fi, 1
+magaconnection.com, 1
+magadan.ga, 1
+magadan.gq, 1
+magadan.ml, 1
+magaliff.net, 1
+magaria.ml, 1
+magasindejouets.com, 1
+magasinsalledebain.be, 1
+magasinsalledebain.fr, 1
+magasinsalledebains.be, 1
+magasinsalledebains.fr, 1
+magasinsenfrance.com, 1
+magaso.tk, 1
+magaviva.com, 1
+magazilla.ga, 1
+magazin4ik.ga, 1
+magazinecards.ga, 1
+magazinedabeleza.net, 1
+magazinedotreino.com.br, 1
+magazinhaberi.tk, 1
+magazone.cf, 1
+magazone.gq, 1
+magazone.ml, 1
+magazynauto.pl, 1
+magbt.net, 1
+magdahavas.com, 1
+magdakostyra.pl, 1
+magdalena-pulawska.pl, 1
+magdalenabus.tk, 1
+magdalenatransa.tk, 1
+magdeburg.directory, 1
+magdic.eu, 1
+magebit.com, 1
+magebrawl.com, 1
+magel.io, 1
+magellan-met.ru, 1
+magenbrot.net, 0
+magenda.sk, 1
+magenkompass.de, 0
+magentaize.net, 1
+magentazorg.nl, 1
+magento-ecommerce.co.za, 0
+magentodevelopment.co.uk, 1
+magentrix.com, 1
+magenx.com, 1
+magepro.fr, 1
+magescobd.com, 1
+magewell.nl, 1
+maggianos.com, 1
+maggie-shaw.co.uk, 0
+maggie.gy, 1
+maggiemcgee.tk, 1
+maggot.cf, 1
+maggsy.co.uk, 1
+magi-cake.com, 1
+magiamgiashopee.vn, 1
+magiamgiatot.tk, 1
+magic-3dprint.nl, 1
+magic-cakes.nl, 1
+magic-cards.info, 1
+magic-carpetcleaning.co.uk, 1
+magic-cheerleading.tk, 1
+magic-city.quest, 1
+magic-fly.de, 1
+magic-network.tk, 1
+magic-photo-events.fr, 1
+magic5.ro, 1
+magical-secrets.com, 0
+magical.rocks, 1
+magicalcodewit.ch, 1
+magicalvegas.it, 1
+magicalwishes.tk, 1
+magicamulet.me, 1
+magicball.co, 1
+magicball.ga, 1
+magicbar.tk, 1
+magicbeanschool.com, 1
+magicbroccoli.de, 1
+magiccards.info, 1
+magicdesktop.com, 1
+magicdlp.com, 1
+magicdust.com.au, 1
+magicflora.tk, 1
+magiciansofchaos.tk, 1
+magicitaca.com, 0
+magicjudges.org, 1
+magickmale.de, 1
+magiclen.org, 1
+magicline.com, 1
+magiclogix.com, 1
+magicnethosting.com, 1
+magicomotor.com, 1
+magicorama.com, 1
+magicorange.com, 1
+magicpaper.net, 1
+magicpill.com.au, 1
+magicpowertissue.com, 1
+magicsms.pl, 1
+magicspaceninjapirates.de, 1
+magicstay.com, 1
+magictable.com, 1
+magictallguy.tk, 1
+magicthecreation.tk, 1
+magicvalley.com, 1
+magicvaporizers.at, 0
+magicvaporizers.be, 0
+magicvaporizers.co.uk, 0
+magicvaporizers.com, 0
+magicvaporizers.cz, 0
+magicvaporizers.de, 0
+magicvaporizers.dk, 0
+magicvaporizers.ee, 0
+magicvaporizers.es, 0
+magicvaporizers.fi, 0
+magicvaporizers.fr, 0
+magicvaporizers.gr, 0
+magicvaporizers.hr, 0
+magicvaporizers.hu, 0
+magicvaporizers.ie, 0
+magicvaporizers.it, 0
+magicvaporizers.lu, 0
+magicvaporizers.nl, 0
+magicvaporizers.pl, 0
+magicvaporizers.pt, 0
+magicvaporizers.se, 0
+magicvaporizers.si, 0
+magicvaporizers.sk, 0
+magicvodi.at, 1
+magicvoordeel.nl, 1
+magieshop.nl, 1
+magija.ga, 1
+magikbyte.com, 1
+magique.tk, 1
+magiskmanager.com, 1
+magiskzip.com, 1
+magisterjuris.com, 1
+magisternegi.tk, 1
+magliner.com, 1
+magnacarebroker.com, 1
+magnacumlaude.co, 1
+magnamus.it, 1
+magnate.co, 1
+magnatechnology.com, 1
+magneetfolie.nl, 1
+magnes.priv.pl, 1
+magnesium-biomed.ch, 1
+magnesy-neodymowe.com.pl, 1
+magnesy-neodymowe.pl, 1
+magnesy-tanio.net, 1
+magnesy.de, 1
+magnesy.net.pl, 1
+magnesy.priv.pl, 1
+magnet.pub, 1
+magnetar.com, 1
+magnetgaming.com, 1
+magnetic-ink.dk, 1
+magnetic.su, 1
+magneticanvil.com, 1
+magneticarrow.com, 1
+magneticarrowdev.com, 1
+magneticattraction.com.au, 1
+magneticspringsoh.gov, 1
+magnetoai.com, 1
+magnetoscopio.tk, 1
+magnetoterapiapertutti.com, 1
+magnetpass.uk, 1
+magnets.jp, 1
+magnetsdb.com, 1
+magnetto.ga, 1
+magnettracker.com, 1
+magnetvpn.com, 1
+magniezetassocies.fr, 1
+magnifact.com, 1
+magnific.tk, 1
+magniflood.com, 1
+magnit-akciya.tk, 1
+magnitgang.ml, 1
+magnitola.ml, 1
+magnoliadoulas.com, 1
+magnoliastrong.com, 1
+magnoliawi.gov, 1
+magnosautos.ng, 1
+magnumresearch.com, 1
+magnunbaterias.com.br, 1
+magnusdemant.ch, 1
+magnusfulton.com, 1
+magnusj.net, 1
+magnuspro.cz, 1
+magnuspro.sk, 1
+magnuz.tk, 1
+magodasredes.com.br, 1
+magok.ru, 1
+magonote-nk.com, 1
+magornitho.org, 1
+magosmedellin.com, 1
+magraebela.com, 1
+magsdata.com, 1
+magu.kz, 1
+mague.org, 1
+maguire.email, 1
+maguire.tk, 1
+maguroalmare.com.br, 1
+maguspace.com, 0
+maguy-energies.com, 1
+magwin.co.uk, 1
+magyal.hu, 1
+magyarepitok.hu, 1
+mah-nig.ga, 1
+mahabharat.tk, 1
+mahadihasan.cf, 1
+mahadsunnah.com, 1
+mahalaraibanda.ro, 1
+mahali.tk, 1
+mahalux.com, 1
+mahalux.cz, 1
+mahalux.de, 1
+mahalux.eu, 1
+maharishikaa.org, 1
+mahaskacountyia.gov, 1
+mahatenders.gov.in, 1
+mahatmarice.com, 1
+mahatmayoga.org, 1
+mahavirmandirpatna.org, 1
+mahawi.sk, 1
+mahayana.tk, 1
+mahayogam.org, 1
+mahbobmax.tk, 1
+mahboobi.tk, 1
+mahdafweb.tk, 1
+mahealthsurveys.gov, 1
+maherhost.uk, 1
+maheshbabuphotography.tk, 1
+maheshpur.tk, 1
+maheshpurnews24.tk, 1
+maheshwaran.tk, 1
+mahgu.com, 1
+mahi.be, 1
+mahieu-wonen.nl, 1
+mahindrahomefinance.com, 1
+mahirakyildiz.com, 1
+mahjong-navi.com, 1
+mahjong.org, 1
+mahjonggames.tk, 1
+mahjongrush.com, 1
+mahler.io, 1
+mahmalci.net, 1
+mahmoodmehrabi.com, 1
+mahmoodmehrabi.ir, 1
+mahmoudeeb.com, 1
+mahnaz.tk, 1
+mahnwache-luetzerath.org, 1
+mahorka.tk, 1
+mahou-sanmiguel.com, 1
+mahtabichat.ml, 1
+mahtra.edu.ee, 1
+mahurivaishya.co.in, 1
+mahurivaishya.com, 1
+mai.ru, 1
+maiaimobiliare.ro, 1
+maialeechin.com, 1
+maiateam.pt, 1
+maib.tas.gov.au, 1
+maichun.info, 0
+maid.gg, 1
+maid.tk, 1
+maidalawfirm.com, 1
+maidenliput.fi, 1
+maidens.se, 1
+maidenworld.tk, 1
+maidoty.net, 1
+maie.ro, 1
+maiebanatulfruncea.com, 1
+maiet.net, 1
+maigesellschaft-lammersdorf.de, 1
+maijia800.com, 1
+maik-mahlow.de, 1
+maikendener.com, 1
+maikhuong.tk, 1
+maikoloc.com, 1
+mail-de.jp, 1
+mail-delivery.ga, 1
+mail-ink.com, 1
+mail-rotter.de, 1
+mail-routing.net, 1
+mail-settings.google.com, 1
+mail-signatures.com, 1
+mail.ch, 1
+mail.co.uk, 1
+mail.com, 1
+mail.cx, 1
+mail.de, 1
+mail.fr, 1
+mail.google.com, 1
+mail.storage, 1
+mail.td, 1
+mail.tm, 1
+mail.yahoo.com, 0
+mail180.com, 1
+mail4you.in, 1
+mailanyzer.com, 1
+mailbase.cf, 1
+mailbox.mg, 1
+mailbox.org, 1
+mailboy.ml, 1
+mailboy.tk, 1
+mailbywire.com, 1
+mailchaud.com, 1
+mailcubexs.tk, 1
+maildrops.tk, 1
+mailer-olivea.cz, 1
+mailer.me, 1
+mailex.cf, 1
+mailexpresso.tk, 1
+mailexx.ga, 1
+mailexx.gq, 1
+mailexx.ml, 1
+mailfence.com, 1
+mailflank.com, 0
+mailflex.my.id, 1
+mailgenius.com, 1
+mailgun.com, 1
+mailhardener.com, 1
+mailia.me, 1
+mailinabox.email, 1
+mailinabox.ml, 1
+mailinaitor.tk, 1
+mailingproduct.tk, 1
+mailinizer.com, 1
+mailinyzer.com, 1
+mailjet.com, 1
+mailjunkey.tk, 1
+maillotdefoot.tk, 1
+maillotfoot.tk, 1
+mailmaid.de, 1
+mailman.ml, 1
+mailmaster.tk, 1
+mailmerc.com, 1
+mailmum.io, 1
+mailnara.co.kr, 1
+mailnerds.de, 1
+mailomat.swiss, 1
+mailon.ga, 1
+mailosaur.com, 1
+mailpass.ml, 1
+mailplus.com.au, 1
+mailsac.com, 1
+mailsend.ml, 1
+mailstart.ga, 1
+mailstation.de, 1
+mailsupport.cz, 1
+mailtelligent.com, 1
+mailtobiz.tk, 1
+mailtracker.ml, 1
+mailum.org, 0
+mailwala.tk, 1
+mailway.io, 1
+mailxpress.ga, 1
+maimaiyeuem.tk, 1
+maimemostatus.com, 1
+main-bvxea6i-sw23ji6z2nxsu.us-4.platformsh.site, 1
+main-spitze.de, 1
+main1.host, 1
+maindrivekew.com.au, 1
+mainechiro.com, 1
+mainehousing.org, 0
+mainelosap.gov, 1
+mainframeserver.space, 1
+mainhattan-handwerker.de, 1
+mainhuyahan.tk, 1
+mainlined.org, 1
+mainone.net, 1
+mainserver.co.za, 1
+mainstaysafetywedge.com, 1
+mainstortho.com, 1
+maintainyourwebsite.help, 1
+maintenance-traceur-hp.fr, 1
+mainzbiomed.com, 1
+mainzelmaennchen.net, 1
+mainzer-allerlei.de, 1
+maiorapostas.com, 1
+maioresemelhores.com, 1
+mair.best, 1
+mairamerlotto.com.br, 1
+mairangiautomotive.co.nz, 1
+mairie-landry.com, 1
+mairie-sornay.fr, 1
+mairiedakieni.ga, 1
+mairiedemoncelsurseille.com, 1
+maisallianz.com, 1
+maisapanama.com, 1
+maiscuidar.com, 1
+maiscupoes.com, 1
+maisecom.com.br, 1
+maisempregonet.com, 1
+maisgasolina.com, 1
+maisie.nl, 1
+maison-auriat.fr, 1
+maison-coutin.com, 1
+maison-du-mineur.com, 1
+maison-du-savon-de-marseille.fr, 1
+maison-et-domotique.com, 1
+maison-haimard.fr, 1
+maisondelafigue.com, 1
+maisongabrielle.com.br, 1
+maisonkobe.fr, 1
+maisonmere.group, 1
+maisonpourtous.ca, 1
+maisonrouge-musee.fr, 1
+maisonsdenfrance-cls.fr, 1
+maisproduzida.com.br, 1
+maistempo.com.br, 1
+maitemerino.net, 1
+maitheme.com, 1
+maiti.info, 1
+maitlandcashforcars.com.au, 1
+maitrelucas.fr, 1
+maitrise-orthopedique.com, 1
+maitum.de, 1
+maizeks.gov, 1
+maizuru-ongaku-kan.com, 1
+maj.ac, 1
+majahoidja.ee, 1
+majalahka.com, 1
+majalahponsel.org, 1
+majalmirasol.com, 1
+majameer.com, 1
+majasballites.lv, 1
+majavucic.com, 1
+majaweb.cz, 1
+majelisriyadhah.com, 1
+majemedia.com, 1
+majesnix.org, 1
+majestas.tk, 1
+majestic-files.com, 1
+majestic-rp.ru, 1
+majestic.games, 0
+majestio.tk, 1
+majid.info, 1
+majisign.co.uk, 1
+majkassab.com, 1
+majkassab.net, 1
+majkassab.org, 1
+majkl.me, 1
+majkyto.cz, 1
+majlovesreg.one, 1
+majolka.com, 1
+majorcore.com, 1
+majorhifi.com, 1
+majorpaintingco.com, 1
+majorsanat.com, 1
+majusainsurance.com, 1
+makaleci.com, 1
+makalu.me, 1
+makanj.tk, 1
+makaradigital.com, 0
+makariza.com.co, 1
+makasetesan.com, 1
+make-a-difference-daily.com, 1
+make-my-link-longer.ml, 1
+make-my-link-longer.xyz, 1
+make.org, 1
+make50aday.tk, 1
+makeacrowd.eu, 1
+makeagif.com, 1
+makeaoffice.nl, 1
+makechanges.com.au, 1
+makedin.net, 1
+makedonija.net.mk, 1
+makeh2o.com, 1
+makeit-so.de, 0
+makeitpopadvertising.com, 1
+makeitshort.ml, 1
+makeitsimple.pt, 1
+makejusticework.org.uk, 1
+makelindazi.com, 1
+makellos-kosmetik.de, 1
+makemejob.com, 1
+makemillion.tk, 1
+makemoney-plan.tk, 1
+makemoney.ng, 1
+makemusic-asia.com, 1
+makemyassignmentbest.com, 1
+makemynewspaper.com, 1
+makemypost.com, 1
+makenaiyo-fx.com, 1
+makenprint.uk, 1
+makeovershop.ro, 1
+makepro.net, 1
+maker.systems, 1
+maker.to, 0
+makera.ga, 1
+makerdao.com, 1
+makermiles.com, 1
+makermiles.net, 1
+makermiles.org, 1
+makertown.jp, 1
+makesenseofdata.co.uk, 1
+maketheconnection.net, 1
+maketodiet.com, 1
+makeupartistedu.org, 1
+makeupevelinua.cf, 1
+makeupevelinua.ga, 1
+makeupillusion.com, 1
+makeuplove.nl, 1
+makeuppleasure.it, 1
+makeurbiz.com, 1
+makeurl.ml, 1
+makeus.tk, 1
+makewebbetter.com, 1
+makfra.com, 0
+makhmudov.net, 1
+makhzan.org, 1
+maki-chan.de, 1
+maki-it.de, 1
+makilingchallenge.tk, 1
+making-it.nl, 1
+makingbusinessmatter.co.uk, 1
+makingmemoney.cf, 1
+makingmemoney.ga, 1
+makingmemoney.gq, 1
+makingmemoney.ml, 1
+makingmoneyathome.tk, 1
+makingmoves.gq, 1
+makingmusichappen.com, 1
+makkiyaz.tk, 1
+makkusu.photo, 1
+maklerinfo.biz, 1
+makohu.tk, 1
+makomako.tk, 1
+makonet.com.au, 0
+makos.jp, 1
+makowitz.cz, 1
+makrama.shop, 1
+makromedikal.com.tr, 1
+maksa.ga, 1
+maksibetgiris.com, 1
+maksima.kh.ua, 1
+maksimmrvica.tk, 1
+maksimyugai.com, 1
+maksmedia.tk, 1
+maksnet.net, 0
+maksonshop.ga, 1
+maksoud-karim.net, 1
+maksport.ml, 1
+maksutov.tk, 1
+maktoob.search.yahoo.com, 0
+makuisa.fi, 1
+makulatura.cf, 1
+makuonline.tk, 1
+makuquina.tk, 1
+makura.fun, 1
+malabarismo.tk, 1
+malacat.com, 1
+malachiteauth.com, 1
+maladie-autoimmune.fr, 1
+malafidezoeker.nl, 1
+malagabaterias.com, 1
+malagarental.com, 1
+malagarental.es, 1
+malahov.tk, 1
+malamutedoalasca.com.br, 1
+malardalenvvs.se, 1
+malareal.com.br, 1
+malariaadvice.gq, 1
+malariabehaviorsurvey.org, 1
+malash.me, 1
+malatyahaberleri.tk, 1
+malavida.tk, 1
+malavirgen.tk, 1
+malayalamtalkies.tk, 1
+malaysia.cf, 1
+malaysia.search.yahoo.com, 0
+malaysiabrands.com.my, 1
+malaysiainternship.my, 1
+malaysianews.ga, 1
+malaysianews.gq, 1
+malaysianews.ml, 1
+malaysianews.tk, 1
+malaysianhairextensions.tk, 1
+malaysiasentral.com, 1
+malaysiatxt.com, 1
+malaysurveys.com, 1
+malcathatochen.co.il, 1
+malcolmellis.com, 1
+malcolmsterling.com, 1
+malcomterry.com, 1
+maldenvotes.com, 1
+maldives-showing.cf, 1
+maldives-showing.ga, 1
+maldives.cx, 1
+maldivestraveller.mv, 1
+male-cats-spray.ml, 1
+maleaccess.com, 1
+malebooks.ml, 1
+malechastityjournal.com, 1
+malecki.tk, 1
+malecondemusique.fr, 1
+maleevcues.com, 1
+malego.be, 1
+malekperiodontics.com, 1
+malenaamatomd.com, 1
+malenyflorist.com.au, 1
+malermeister-kessler.de, 1
+malermeister-tichnau.de, 1
+malerponge.de, 1
+malesoowki.blog, 1
+malestrippersmanchester.co.uk, 1
+malevus.com, 1
+maleyco.tk, 1
+maleylabapplications.org, 1
+malezan.com, 1
+malflutningsstofan.is, 1
+malfunction.tk, 1
+malhasgusmao.com.br, 1
+maliar.fr, 1
+malibaby.ga, 1
+malibu-electric.com, 1
+malibudread.fr, 1
+malibuexteriorlighting.com, 1
+malibulingerie.com, 1
+malibumodas.com.br, 1
+maliciousdeath.tk, 1
+malicis.com, 0
+malik.holdings, 1
+malik.id, 1
+malikcomputers.tk, 1
+malikdeenarislamicacademy.tk, 1
+maliksofts.com, 1
+malikussa.id, 1
+malikussaid.com, 1
+malimusavirler.tk, 1
+malinaclub.com, 1
+malinheadview.ie, 1
+malinmethod.com, 1
+malisheva-blog.cf, 1
+malisheva-blog.ga, 1
+maliweb.ml, 1
+malkaso.com.ua, 1
+malkingroup.com.au, 1
+malkiteribki.com, 1
+malkoun.com, 1
+malkovich.cf, 1
+malkovich.ga, 1
+mall.cz, 1
+mall.hr, 1
+mall.hu, 1
+mall.pl, 1
+mall.sk, 1
+mallach.net, 1
+mallasvita.com, 1
+malles.org, 1
+mallgastronomico.com.ar, 1
+mallhabana.com, 1
+mallofit.com, 1
+mallonline.com.br, 1
+mallorca.tk, 1
+mallorca2024.com, 1
+mallpass.ga, 1
+malltina.com, 0
+malmyzh.tk, 1
+malone.link, 0
+maloneyja.com, 1
+malorita.tk, 1
+malp.cc, 1
+malphisruul.de, 1
+malscan.com, 0
+malsignature.com, 1
+malta-firma.com, 1
+maltarugs.com, 1
+maltasite.tk, 1
+maltaultrastifo.tk, 1
+maltegegner.de, 0
+malu.style, 1
+malvinas-falklands.tk, 1
+malvy.kiev.ua, 1
+malwar.ee, 1
+malwar.eu, 1
+malware.watch, 1
+malwareincidentresponse.com, 1
+malwareinvestigator.gov, 1
+malwaretips.com, 1
+malwarewise.com, 1
+malwarez.xyz, 1
+malworld.me, 1
+malwr.ee, 1
+malypiesekzuzi.pl, 1
+mamabatataya.com, 1
+mamacasinos.com, 1
+mamacitaz.com, 1
+mamacoolinar.bg, 1
+mamadoma.com.ua, 1
+mamaisonsherby.ca, 1
+mamamoet.ru, 1
+maman-geek.com, 1
+mamanakormit.tk, 1
+mamanecesitaungintonic.com, 1
+mamanetplus.fr, 1
+mamanzari.com, 1
+mamanzaris.com, 1
+mamaplus.net, 1
+mamaruga.com, 1
+mamasorganizedchaos.com, 1
+mamastyle.store, 1
+mamaxi.org, 1
+mamaznaet.ml, 1
+mambas.cn, 1
+mambos.tk, 1
+mamburao.tk, 1
+mame.cl, 1
+mamiechacha.com, 1
+mamijaclean.tk, 1
+mamilitante.fr, 1
+mamilove.com, 1
+mamlaka.ml, 1
+mamlaka.tk, 1
+mammabelly.com.br, 1
+mammaklader.tk, 1
+mammal-taxonomy.tk, 1
+mammals.net, 1
+mammooc.org, 1
+mammothlakesmls.net, 1
+mammothpublishing.org, 1
+mamochka.org.ua, 0
+mamodsteam.tk, 1
+mamohe.de, 1
+mamoni.co, 1
+mamont.cloud, 1
+mamontov.tk, 1
+mamopracuj.pl, 1
+mamoris-net.jp, 1
+mamospienas.lt, 1
+mamot.fr, 1
+mamradost.sk, 1
+mamsds.com, 1
+mamtapark.tk, 1
+mamuko.nl, 1
+mamunlyric.tk, 1
+man-man.nl, 1
+man-stuff.co.uk, 1
+man3s.jp, 0
+mana.ee, 1
+mana.wiki, 1
+manab-it.com, 1
+manach.net, 1
+manaenergija.lv, 1
+manage.cm, 1
+manage.com, 0
+manageairlinesbooking.com, 1
+manageathome.co.uk, 1
+managed-it.africa, 1
+managed-it.co.za, 1
+managedcontractors.co.uk, 1
+managedhosting.de, 0
+managedserver.it, 1
+managedservicesraleighnc.com, 1
+managedwphosting.nl, 1
+managefile.tk, 1
+managefuhui.com, 1
+management-companie.ro, 1
+managementboek.nl, 1
+managementforstartups.com, 0
+manageprefs.com, 1
+manageprojects.com, 0
+manager.linode.com, 0
+managment.io, 1
+manalu.cz, 1
+manaonetrading.com, 1
+manasakcijas.lv, 1
+manaspaul.tk, 1
+manateepao.gov, 1
+manatees.com.au, 1
+manatees.net, 1
+manausagil.com, 1
+manavgabhawala.com, 1
+manawa.tech, 1
+manawill.jp, 1
+manawithtea.com, 1
+manbetx1998.live, 1
+manboy.tk, 1
+mancaverevolution.com, 1
+manchester.careers, 1
+manchesterairportparking24.co.uk, 1
+manchestermn.gov, 1
+manchestermoneyman.com, 1
+manchestertechservices.co.uk, 1
+manchesterwi.gov, 1
+manchopancho.de, 1
+mancrates.com, 1
+mandala-ausmalbilder.de, 1
+mandala-book.tk, 1
+mandalayogaspa.com, 1
+mandanudes.ae, 1
+mandaraequestrian.com, 1
+mandarinplay.tk, 1
+mandatkollen.se, 1
+mandaz.eu, 1
+mandcbouncycastlehire.co.uk, 1
+mandediary.com, 1
+mandefender.tk, 1
+mandela-effect-wiki.tk, 1
+mandelaeffect.tk, 1
+manderstam.com, 1
+mandiblackburnphoto.com, 1
+mandospersonalizados.es, 1
+manducoshop.com, 1
+mandynamic.gr, 1
+manegehenriet.tk, 1
+manegestalflicka.tk, 1
+maneggio.milano.it, 1
+manekin.cf, 1
+manekin.ga, 1
+manekin.gq, 1
+manekin.ml, 1
+manelbenlloch.com, 1
+manelli.fr, 1
+maneql.co.jp, 1
+maneql.info, 1
+manero.de, 1
+manesht.ir, 1
+manfiction.com, 1
+manforums.com, 1
+manfred-feiger.com, 1
+manfred-kostner.tk, 1
+manfredgruber.at, 1
+manfredi.io, 1
+manfredimatteo.com, 1
+manfredschafer.ch, 1
+manfree.tk, 1
+manga-life.info, 1
+manga-passion.de, 1
+manga-republic.com, 1
+manga.ax, 1
+manga1000.top, 1
+manga1001.top, 1
+manga168.com, 1
+mangabond.tk, 1
+mangaboxes.ml, 1
+mangacat.ga, 1
+mangadex.org, 1
+mangaesp.tk, 1
+mangafreak.tk, 1
+mangagaga.tk, 1
+mangahigh.com, 1
+mangajp.top, 0
+mangakita.net, 1
+manganimefan.tk, 1
+mangapoi.com, 1
+mangareactor.tk, 1
+mangas.eu.org, 1
+mangatafestas.com.br, 1
+mangaworld.gq, 1
+mangeur-de-cigogne.tk, 1
+mangfoldimai.no, 1
+mangga.cloud, 1
+mangio.co.uk, 1
+mangnhuapvc.com.vn, 1
+mango-zajm.gq, 1
+mango888.com, 1
+mangoservers.tk, 1
+mangotwoke.co.uk, 1
+manguyen.de, 0
+manhack.net, 1
+manhassetparkdistrictny.gov, 1
+manhattan.at, 1
+manhattanchoralensemble.org, 1
+manhattanda.org, 1
+manhattandermatologistsnyc.com, 1
+manhattanfruitier.com, 1
+manhattanks.gov, 1
+manhattanlife.com, 1
+manhuagui.com, 1
+manhwasco.net, 1
+mani.tw, 1
+maniacoland.com, 1
+maniadicane.com.br, 0
+maniaiti.nz, 1
+manial4d2.ml, 1
+maniasoft.pl, 1
+maniazul.tk, 1
+manicbouncycastles.co.uk, 1
+manicminers.tk, 1
+manicode.com, 1
+manicur-salon.tk, 1
+manicuradegel.es, 1
+manif-est.info, 1
+manikinuk.tk, 1
+manilacrawl.com, 1
+maniorpedi.com, 1
+maniosglass.gr, 1
+manipil.ch, 0
+manipurmatka.net, 1
+manisahaberleri.tk, 1
+manitaggarwal.com, 0
+manito.kr, 1
+manitoulinairport.ca, 1
+manitoulinairport.com, 1
+manitoulinglobalforwarding.ca, 1
+manitoulinglobalforwarding.co, 1
+manitoulinglobalforwarding.com, 1
+manitoulinglobalforwarding.mx, 1
+manitoulingolf.com, 1
+manitoulingroup.ca, 1
+manitoulingroup.co, 1
+manitoulingroup.com, 1
+manitoulinheavyhaul.ca, 1
+manitoulinheavyhaul.com, 1
+manitoulinlogistics.ca, 1
+manitoulinlogistics.com, 1
+manitoulintransport.ca, 1
+manitoulintransport.co, 1
+manitoulintransport.com, 1
+manitoulintransport.info, 1
+manitoulintransport.net, 1
+manitoulinusedequipment.ca, 1
+manitoulinusedequipment.com, 1
+manitoulinwarehousing.com, 1
+manitouspringsco.gov, 1
+manitowoccountywi.gov, 1
+manitowocwi.gov, 1
+manja-und-martin.de, 1
+manjalcouture.com, 1
+manjaro.ru, 1
+mankier.com, 1
+mankomarketing.com, 1
+manku.pl, 1
+manmatters.com, 1
+mann-und-maeuse.de, 1
+mannaelectric.com, 0
+mannafields.org, 1
+mannat-hallmumbra.com, 1
+manneguiden.no, 1
+mannenzang.tk, 1
+mannhaarkunst.com, 1
+mannheimbloggt.tk, 1
+mannigroup.com, 1
+manningtreetilesandflooring.co.uk, 1
+mannnen.nl, 1
+mannservrice.cf, 1
+manoek.dynu.net, 1
+manofmany.com, 1
+manofmanythings.com, 1
+manogara.tk, 1
+manoha-proservices.fr, 1
+manoila.co.uk, 1
+manoirdecontres.com, 1
+manojsharan.me, 1
+manolitodarts.tk, 1
+manologaribay.tk, 1
+manonandre-avocat.fr, 1
+manoro.de, 1
+manortx.gov, 1
+manova.cz, 1
+manowarus.com, 1
+manporn.xxx, 1
+manpro.systems, 1
+manrollo.com, 1
+mansarda-life.net, 1
+mansdell.net, 1
+mansfeld.pl, 1
+manshamita.com, 1
+manshatech.com, 1
+mansikka-sachi.com, 1
+mansionflip.com, 1
+manski.net, 1
+mansle.fr, 1
+mansoorkhan.tk, 1
+mansora.co, 1
+mansora.io, 1
+mansora.net, 1
+mansour.io, 1
+mansurov.tk, 1
+mantachiepharmacy.com, 1
+mantalak.com, 1
+mantaoilco.com, 1
+mantaro.site, 1
+manteca.gov, 1
+manteligencia.com, 1
+mantelligence.com, 1
+mantenimiento-zaragoza.com, 1
+mantenimientoimpresoras.com, 1
+mantenimientosenjardineriaypiscinasveracruz.com, 1
+mantex.ml, 1
+manti.by, 1
+mantor.org, 0
+mantra.pictures, 1
+mantraptownshipmn.gov, 1
+mantul.top, 0
+manual-directory.com, 1
+manual-pdf.com, 1
+manualdousuario.net, 0
+manuall.ae, 1
+manuall.co.uk, 1
+manuall.cz, 1
+manuall.de, 1
+manuall.dk, 1
+manuall.es, 1
+manuall.fi, 1
+manuall.fr, 1
+manuall.hu, 1
+manuall.info.tr, 1
+manuall.it, 1
+manuall.jp, 1
+manuall.kr, 1
+manuall.no, 1
+manuall.pl, 1
+manuall.pt, 1
+manuall.ro, 1
+manuall.se, 1
+manuall.sk, 1
+manualowl.com, 1
+manualscollection.com, 1
+manualsnet.com, 1
+manuel-herrmann.de, 1
+manuel-schefczyk.de, 1
+manuel7espejo.com, 1
+manuelahidalgo.org, 1
+manuelboelstler.tk, 1
+manuelcancelas.com, 1
+manueldelgadohomes.com, 1
+manueldossantos.tk, 1
+manuelefior.tk, 1
+manuelefysiotherapeut.nl, 1
+manueljirado.tk, 1
+manuelosorio.me, 1
+manuelperujo.ch, 1
+manuelraimo.cf, 1
+manuelrueger.de, 1
+manufacturedhomemoving.com, 1
+manufacturing.gov, 1
+manufacturingsupportgroup.co.uk, 1
+manufacturingusa.com, 1
+manulife.ca, 1
+manulization.com, 1
+manulization.ru, 1
+manumagnum.com, 1
+manuscript.com, 1
+manuscripteditorial.com, 1
+manuscriptlink.com, 1
+manusiasosial.tk, 1
+manusje-van-alles.nl, 1
+manutenzionecaldaie.it, 1
+manutenzionegiardini.it, 1
+manutenzionestabili.it, 1
+manuth.life, 1
+manutouch.com.cn, 1
+manwork.tk, 1
+manwv.gov, 1
+manychat.com, 1
+manyebook.com, 1
+manyetikboya.com, 1
+manyhotfiesta.ml, 1
+manylots.ru, 1
+manyo.jp, 1
+manypets.com, 1
+manyproservices.com, 1
+manytricks.com, 1
+manytubes.ga, 1
+manyzero.ml, 1
+manzanagroup.ru, 1
+manzanita-nsn.gov, 1
+maomihz.com, 1
+maone.net, 1
+maorilandfilm.co.nz, 1
+maorx.cn, 1
+maoshuai.bid, 1
+maoshuai.cc, 1
+maoshuai.club, 1
+maoshuai.cn, 0
+maoshuai.co, 1
+maoshuai.cx, 1
+maoshuai.fun, 1
+maoshuai.hk, 1
+maoshuai.in, 1
+maoshuai.ltd, 1
+maoshuai.me, 1
+maoshuai.net, 1
+maoshuai.online, 1
+maoshuai.org, 1
+maoshuai.pw, 1
+maoshuai.ren, 1
+maoshuai.site, 1
+maoshuai.store, 1
+maoshuai.tw, 1
+maoshuai.vip, 1
+maoshuai.wang, 1
+maoshuai.win, 1
+maoshuai.xyz, 1
+maowtm.org, 1
+maozedong.red, 1
+map-immo.fr, 1
+map.fund, 1
+map4erfurt.de, 1
+map4jena.de, 1
+mapa-airsoft-akci.cz, 1
+mapapeterie.ca, 1
+mapasmundi.com.br, 1
+mapausenaturelle.fr, 1
+mapblender.com, 1
+mapchange.org, 1
+mapduce.com, 1
+mapdump.com, 1
+mapi.eu.org, 1
+mapillary.com, 1
+maplebgm.cc, 1
+maplegrove.cf, 1
+maplegrovetownshipmi.gov, 1
+mapleholland.tk, 1
+maplehome.tk, 1
+maplehousehomeinvestors.com, 1
+maples.com, 1
+mapletime.com, 1
+mapletokyo.top, 1
+mapletonmn.gov, 1
+maplevalleytwpmi.gov, 1
+maplewood.tk, 1
+maplewoodnj.gov, 1
+mappingfutures.org, 1
+mappingspaceperu.com, 1
+mapresidentielle.fr, 1
+mapsindoors.com, 1
+mapsly.com, 1
+mapstack.org, 1
+maptician.com, 1
+mapuut.net, 1
+maqs.tk, 1
+maquena.org, 1
+maquetasdeaviones.tk, 1
+maquetting.com, 1
+maquiguarda.pt, 1
+maquinariahosteleriaocasion.com, 1
+maquinariaspesadas.org, 0
+maquinasperfectas.tk, 1
+maquinasquepiensan.tk, 1
+mar-eco.no, 1
+mar.pt, 1
+mara.paris, 1
+marabook.fr, 1
+marabumadrid.com, 1
+maracarlinicourses.com, 1
+maracit.tk, 1
+maraichere-gourmande.org, 1
+marajo.ml, 1
+marajo.tk, 1
+marakovits.net, 1
+maralclock.ir, 1
+maranathacarechildren.com, 1
+maranightmare.net, 1
+maransurology.com, 1
+maranza.org, 1
+marasma.tk, 1
+marathoncitywi.gov, 1
+marathons.tk, 1
+marauderos.tk, 1
+marazul.tk, 1
+marbellaoptic.ro, 1
+marbermedical.com, 1
+marble.com, 1
+marbleceramiccorp.com.au, 1
+marbleme.jp, 1
+marblenexus.de, 1
+marbogardenlidkoping.se, 1
+marbree.eu, 1
+marc-beninca.fr, 1
+marc-hammer.de, 1
+marc-hoffrichter.de, 1
+marc-schlagenhauf.de, 0
+marc.info, 1
+marcago.com, 1
+marcaixala.me, 1
+marcapollo.ml, 1
+marcbeije.com, 1
+marcberndtgen.de, 1
+marcceleiro.com, 1
+marcdietschi.com, 1
+marcel-preuss.de, 1
+marcel-waldvogel.ch, 1
+marcelabarrozo.tk, 1
+marcelheemels.org, 1
+marcelino.cf, 1
+marcelinofranchini.com, 1
+marcelinofranchini.eu, 1
+marcelinofranchini.info, 1
+marcelinofranchini.net, 1
+marcelinofranchini.org, 1
+marcelkooiman.com, 1
+marcell-jansen.tk, 1
+marcelmarnitz.com, 1
+marcelofernandez.tk, 1
+marcelois.me, 1
+marcelovasconcelos.com.br, 1
+marcelpreuss.de, 1
+marcelsiegert.com, 1
+marcelwaldvogel.ch, 1
+marcelwiedemeier.com, 1
+marcelwolf.coach, 1
+marcenariaembh.com.br, 1
+marcgoertz.de, 1
+march-consulting.jp, 1
+marcha.org.ar, 1
+marchagen.nl, 1
+marchellenevers.tk, 1
+marchenzen.nl, 1
+marchesini.com, 1
+marchesini.com.ua, 1
+marcheuparis.com, 1
+marchhappy.tech, 0
+marchinghatters.tk, 1
+marchingnorth.com, 1
+marchoffrichter.de, 1
+marchouben.nl, 1
+marchqualitymeats.com, 1
+marchukov.com, 1
+marcianoandtopazio.com, 1
+marcillacetfils.fr, 1
+marclange.net, 1
+marco-burmeister.de, 1
+marco-hegenberg.net, 1
+marco-reitmeier.de, 1
+marco-s.net, 1
+marcoaurelio.tk, 1
+marcocasoni.com, 1
+marcoececilia.it, 1
+marcoherten.com, 1
+marcoklomp.nl, 1
+marcolattanzio.tk, 1
+marcopiottante.tk, 1
+marcopolo-restaurant.com, 1
+marcoreitmeier.de, 1
+marcorubiol.com, 1
+marcositaliandeli.co.uk, 0
+marcossan.com, 1
+marcosteixeira.tk, 1
+marcotolk.com, 1
+marcovery.com, 1
+marcretzlaff.com, 1
+marcschlagenhauf.de, 0
+marcsello.com, 1
+marcsferraripage.tk, 1
+marcus-scheffler.com, 1
+marcus.pw, 0
+marcusburghardt.tk, 1
+marcusds.ca, 1
+marcuskoh.com, 1
+marcusporter.tk, 1
+marcusquinn.com, 1
+marcusstafford.com, 1
+marcypro.com, 1
+marczocher.de, 1
+mardelcupon.com, 1
+mardigrasnapkins.com, 1
+mardinhaberleri.tk, 1
+mardinsondakika.tk, 1
+mare-sylt.de, 1
+mare.org.mk, 1
+mare92.cz, 1
+marebca.xyz, 1
+marechal-company.com, 1
+mareforfa.com, 1
+maregionsud.fr, 1
+marei.ad, 1
+mareinitalia.com, 1
+marekkohn.tk, 1
+marekkorlak.com, 1
+mareklecian.cz, 1
+marelijah.org, 1
+marengomi.gov, 1
+maresencial.com, 1
+maresimone.com, 1
+marex.host, 1
+marfadelivery.tk, 1
+marga-marga.tk, 1
+margagriesser.de, 1
+margan.ch, 1
+margaret.land, 1
+margaretgel.com, 1
+margaridamendessilva.com, 1
+margaritafries.com, 1
+margatroid.com, 1
+margaux-perrin.com, 1
+margauxnennig.com, 1
+margays.de, 1
+margeriam.com, 1
+margherita.cl, 1
+margintoniks.fr, 1
+margo-co.ch, 0
+margo.ml, 1
+margolcia.com.pl, 1
+margolis.gq, 1
+margotbworldnews.tk, 1
+margotdesign.ovh, 1
+margots.biz, 1
+margots.tech, 1
+margriet.nl, 1
+margus.uk, 0
+marhamat.cf, 1
+marhobateren.tk, 1
+mari-ie.ro, 1
+maria-blanco.tk, 1
+maria-kirilenko.tk, 1
+maria-sharapova.tk, 1
+mariaalcazar.com, 1
+mariaangelamacario.com, 1
+mariadelcastillo.com, 1
+mariaelisaejunior.ga, 1
+mariafernanda.com.br, 1
+mariage-protestant.ch, 0
+mariage-reussi.fr, 1
+mariagealamontagne.com, 1
+mariages.net, 1
+mariahandnasty.com, 1
+mariahcareyvenezuela.tk, 1
+mariaisabel.tk, 1
+marialopez.tk, 1
+mariamenounos.tk, 1
+mariamia.org, 1
+mariamindbodyhealth.com, 1
+marianatherapy.com, 1
+marianelaisashi.com, 1
+marianhoenscheid.de, 1
+mariannethijssen.nl, 1
+marianneveenstra.tk, 1
+marianrivera.tk, 1
+mariansalzman.com, 1
+mariapanina.ru, 1
+mariapietropola.com, 1
+mariart.studio, 1
+mariasavchenko.com, 1
+mariasemarias.com.br, 1
+mariaterbildt.tk, 1
+mariavilleme.gov, 1
+mariberceritera.online, 1
+marie-pettenbeck-schule.de, 1
+marie-psy.fr, 1
+marie.club, 1
+mariealber.cz, 1
+mariearthur.fr, 1
+mariecurie.tk, 1
+mariejulien.com, 1
+mariella-sun.net, 1
+marielouise.tk, 1
+mariemccaig.co.uk, 1
+mariemiramont.fr, 1
+mariereichl.cz, 1
+mariescountymo.gov, 1
+marieskyler.net, 1
+marietrap.ch, 0
+marifilmines.com, 1
+marijang.id, 1
+marijuanajobscannabiscareers.com, 1
+marik.net.br, 1
+marikafranke.de, 1
+marikekinze.de, 1
+marillatownshipmi.gov, 1
+marilower.tk, 1
+marilsnijders.nl, 1
+marilynandsarah.org, 1
+marilynmonroy.com.ec, 1
+marin-dom.ru, 0
+marin-tullet.com, 0
+marina-group.tk, 1
+marina-tsvetaeva.ml, 1
+marinaborregoterapeuta.pt, 1
+marinadarje.com, 1
+marinamontana.net, 1
+marinapetruzio.it, 1
+marinapozzoli.tk, 1
+marinaquip.com, 1
+marinarinaldi.ml, 1
+marinasmad.com, 1
+marinat.de, 1
+marinat2012.de, 1
+marinazarza.es, 1
+marine.gov, 1
+marinecadastre.gov, 1
+marinedesign.tk, 1
+marineecologyfiji.com, 1
+marinekaplama.com, 1
+marinela.tk, 1
+marinelausa.com, 0
+marinella.tk, 1
+marinershousecalstock.com, 1
+marinettecountywi.gov, 1
+marinettewi.gov, 1
+mario-ancic.tk, 1
+mario-sarto.com, 1
+mario.com.ua, 1
+mario420.ga, 1
+marioabela.com, 1
+marioberluchi.by, 0
+mariogarcia.tk, 1
+mariogeckler.de, 0
+marioncounty911illinois.gov, 1
+marioncountyar.gov, 1
+marioncountyil.gov, 1
+marioncountyiowa.gov, 1
+marioncountyms.gov, 1
+marioncountyohio.gov, 1
+marioncountysheriffar.gov, 1
+marioncountytn.gov, 1
+marionflclerk.gov, 1
+mariontwpcvxmi.gov, 1
+marioserver.ml, 1
+mariospizzaoxford.co.uk, 1
+mariouniversalis.fr, 1
+mariowiki.com, 1
+mariposah.ch, 1
+marisamorby.com, 0
+marisasitaliankitchen.com, 1
+mariskavankasbergen.nl, 1
+mariskax.net, 1
+marismenos.tk, 1
+maritiemshertogenbosch.nl, 1
+maritime-mea.com, 1
+maritimehistory.org.uk, 1
+maritimeinstitute.sg, 1
+maritlarsen.ml, 1
+maritlarsen.tk, 1
+marius-schmalz.de, 1
+mariusschulz.com, 1
+marix.ro, 1
+marizaikonomi.tk, 1
+marj3.com, 1
+marjadeleeuw.nl, 1
+marjanne.tk, 1
+marjeta-gurtner.ch, 1
+marjoleindens.be, 1
+marjon.photography, 1
+marjonruns.nl, 1
+marjorie-wiki.de, 1
+marjoriebarretto.tk, 1
+marjoriecarvalho.com.br, 1
+mark-a-hydrant.com, 1
+mark-armstrong-gaming.com, 1
+mark-dietzer.de, 1
+mark-semmler.de, 1
+mark1998.com, 1
+markandrosalind.co.uk, 1
+markantalyamasajsalonu-bayanmasoz-cim.cf, 1
+markco.fi, 1
+markdain.net, 1
+markdixon.name, 1
+markecubanos.com, 1
+markedplassen.no, 1
+markellos-olive.gr, 1
+markenet.co, 1
+markentier.tech, 1
+market-garden.tk, 1
+market.android.com, 1
+marketadvisory.com.au, 0
+marketbasket.tk, 1
+marketcavalli.it, 1
+marketcrypto.id, 1
+marketerprofesional.com, 0
+marketespace.fr, 0
+marketfeed.news, 1
+marketforce.com, 1
+marketgarden.tk, 1
+marketgrid.ml, 1
+marketgrid.tk, 1
+marketia.ml, 1
+marketing-advertising.eu, 1
+marketing-schools.org, 1
+marketing1-0-1.com, 1
+marketing4trends.com, 1
+marketinganalytics.africa, 1
+marketingautomationplan.nl, 1
+marketingbab.com, 1
+marketingbrandingnews.com, 1
+marketingbrandingnews.net, 1
+marketingcareeredu.org, 1
+marketingco.nl, 1
+marketingconcafe.com, 1
+marketingdesignu.cz, 1
+marketingdigitalefisiente.com, 1
+marketingdominante.com.br, 1
+marketingforfood.com, 1
+marketingmd.com, 1
+marketingpalace.tk, 1
+marketingstrategy.gq, 1
+marketingtrendnews.com, 1
+marketingtutor.net, 1
+marketingwelt-lipp.de, 1
+marketingypublicidaddigital.com.mx, 1
+marketio.ai, 1
+marketizare.ro, 1
+marketking.ga, 1
+marketmotion.com.au, 1
+marketnews.com, 1
+marketone.com, 1
+marketplace.org, 1
+marketplace.tf, 1
+marketplacetue.nl, 1
+marketresearch.biz, 1
+marketsearch.ga, 1
+marketsnerd.com, 1
+marketsosyali.tk, 1
+markettailor.io, 0
+marketvalue.gq, 1
+marketvolume.com, 1
+marketyourcup.com, 1
+markfietje.eu, 1
+markfisher.photo, 1
+markhaehnel.de, 1
+markhedrick.com, 1
+markholden.guru, 1
+markhoodauthor.com, 1
+markhoodbooks.com, 1
+markhoodphoto.com, 1
+markhoodwrites.com, 1
+markhornsby.co.uk, 1
+markhornsby.uk, 1
+markido.com, 1
+markisa.ninja, 1
+markitanova-anna.tk, 1
+markitee.com, 0
+markitzeroday.com, 1
+markjansen.tk, 1
+markkirkforillinois.com, 1
+markkirkforsenate.com, 1
+markkusilvennoinen.fi, 1
+marklehane.com, 1
+markllego.com, 1
+markmet.fi, 1
+markmetcalfe.io, 1
+markmorris.com.au, 1
+markocloud.com, 1
+markoglou.com.gr, 1
+markoh.co.uk, 1
+markprof.ru, 1
+markpulido.net, 1
+markri.nl, 1
+markridgwell.co.uk, 1
+markridgwell.com, 1
+marks.sa, 1
+marksa.net, 1
+markshroyer.com, 1
+marksm.it, 1
+marksmanhomes.com, 1
+marksouthall.com, 1
+markstevenkirk.com, 1
+markstickley.co.uk, 1
+markt-heiligenstadt.de, 0
+markt8asten.nl, 1
+marktcontact.com, 1
+markterweele.nl, 1
+marktgemeinde-glonn.de, 1
+marktgorman.com, 1
+marktguru.at, 1
+marktguru.de, 1
+markthisforme.com, 1
+markup-ua.com, 1
+markus-blog.de, 1
+markus-enzweiler.de, 1
+markus-keppeler.de, 1
+markus-musiker.de, 1
+markus-ullmann.de, 1
+markus289.com, 1
+markusabraham.com, 1
+markusehrlicher.de, 1
+markusgran.de, 1
+markushof.it, 1
+markusjanzen.de, 1
+markuskeppeler.de, 1
+markuskeppeler.no-ip.biz, 1
+markuslintula.fi, 1
+markusmani.tk, 1
+markusribs.com, 1
+markusritzmann.ch, 0
+markusueberallassetmanagement.de, 1
+markusueberallconsulting.de, 1
+markusweimar.de, 1
+markuswirnsperger.com, 1
+marlboroughchamber.nz, 1
+marlboroughfarmersmarket.tk, 1
+marlen.cz, 1
+marlenefavela.tk, 1
+marlenekrasa.com, 1
+marliesfens.nl, 1
+marliesslomp.nl, 1
+marlonbellmann.de, 1
+marlonbellmann.eu, 1
+marlosoft.net, 1
+marmaluot.com, 1
+marmarahaberleri.tk, 1
+marmarahastanesi.com.tr, 1
+marmelab.com, 1
+marmelo.digital, 1
+marmista.roma.it, 1
+marmitethegreyhound.com, 1
+marmo.gallery, 1
+marmo.tk, 1
+marmotte.love, 1
+marmurmedical.com, 1
+marny.eu, 1
+marocmail.ma, 1
+marocnews.tk, 1
+marocweb.tk, 1
+maroebeni.tk, 1
+marolu.one, 1
+maroochydorecentre.com, 1
+maroochydorecitycenter.com, 1
+maroochydorecitycenter.com.au, 1
+maroochydorecitycentre.com, 1
+maroochydorecitycentre.com.au, 1
+maroochydorecitycentre.net.au, 1
+maroquineriepirlot.be, 0
+maroshionline.tk, 1
+maroussia.tk, 1
+marouviere.fr, 1
+marpa-wohnen.de, 1
+marplo.net, 1
+marqperso.ch, 1
+marqueandbrew.com, 1
+marqued.com, 1
+marquepersonnelle.ch, 1
+marqueswines.co.uk, 1
+marquimanagement.com, 1
+marquisepools.com, 1
+marrai.de, 1
+marrakech-camel-trips.com, 1
+marrakech-tours-in-morocco.com, 1
+marrakechairporttransfer.com, 1
+marrakechauxiliaire.com, 1
+marrakeche.com, 1
+marrakechtriptours.com, 1
+marredesefairebaladersurlenet.com, 1
+marretada.org, 1
+marriage-shrine.jp, 1
+marriageinchrist.com, 1
+marrickvilleapartments.com.au, 1
+marronniergate.com, 0
+marropax.com, 1
+marryfox.net, 1
+mars-infos.org, 1
+mars.army, 1
+mars.navy, 1
+marsafc.tk, 1
+marsanvet.com, 1
+marsatapp.com, 1
+marshaiargentina.com, 1
+marshall-allman.tk, 1
+marshallcoms.gov, 1
+marshallcountyillinois.gov, 1
+marshallcountywv.gov, 1
+marshallruskwi.gov, 1
+marshallscastles.com, 1
+marshallsheriffms.gov, 1
+marshallwilson.com, 1
+marshfieldvillagevt.gov, 1
+marshfieldvt.gov, 1
+marshmallow.co, 1
+marshmallow.com, 1
+marshmallowchallenge.com, 1
+marshop.tk, 1
+marsicano.tk, 1
+marsikelektro.cz, 1
+marsilioblack.tk, 1
+marsmediavideo.com, 1
+marta-chat.ga, 1
+marta.uz, 0
+martacooks.com, 1
+martapratsmakeup.com, 1
+martasibaja.com, 1
+martastandzoninteriors.com, 1
+martastroll.com, 1
+martdev.com, 1
+martec.dk, 1
+martel-innovate.com, 0
+martelange.ovh, 1
+martelliyaqub.co.nz, 1
+martellosecurity.com, 1
+martemeo-wetterau.de, 1
+martensson.io, 1
+martesanamilano.com, 1
+marthakenney.com, 1
+marthas.sale, 1
+marthasvillemo.gov, 1
+marti201.ga, 1
+martial-arts.tk, 1
+martialarts-wels.at, 1
+martialartsbrownsplains.ga, 1
+martialgym.tk, 1
+martian.community, 1
+martian.tk, 1
+martide.com, 1
+martijnschreuders.tk, 1
+martijnvanderzande.nl, 1
+martijnvdputten.tk, 1
+martin-burger.net, 1
+martin-caslavsky.tk, 1
+martin-loewer.de, 1
+martin-mattel.com, 1
+martin-prell.de, 1
+martin-smith.info, 1
+martin-weil.de, 1
+martin.vet, 0
+martinaachen.tk, 1
+martinalonsovega.tk, 1
+martinarnold.co.uk, 1
+martinassurfdepot.tk, 1
+martinbaileyphotography.com, 0
+martinbiely.com, 1
+martinboerhof.nl, 1
+martincernac.cz, 1
+martincornelissen.tk, 1
+martindales.ltd.uk, 1
+martine.nu, 1
+martinebot.com, 1
+martinelias.cz, 1
+martineric.tk, 1
+martineve.com, 0
+martinfresow.de, 1
+martinhal.cn, 1
+martinhal.com, 1
+martinhalfamilyblog.com, 1
+martinhalholiday.com, 1
+martinhalliving.com, 1
+martinhalpropertysales.com, 1
+martinhalresidences.com, 1
+martinhaunschmid.com, 0
+martinho.tk, 1
+martinishotpodcast.com, 1
+martinkunc.tk, 1
+martinkus.eu, 1
+martinlukes.cz, 1
+martinmawbycurtaintracks.co.uk, 1
+martinmaze.com, 1
+martinmuc.de, 1
+martino.ga, 1
+martinploug.dk, 1
+martinpohl.cz, 0
+martinreed.net, 1
+martins.im, 1
+martinschulze.org, 1
+martinschurdak.tk, 1
+martinsferryoh.gov, 1
+martinsouza.net, 1
+martinstepar.cz, 1
+martinsvillebulletin.com, 1
+martinus.cafe, 1
+martinverkerkonline.tk, 1
+martinvillalba.com, 1
+martinvillalba.com.ar, 1
+martinvillalba.info, 1
+martinvillalba.net, 1
+martinvillalba.org, 1
+martinvotes.gov, 1
+martinwhelton.uk, 1
+martnlab.com, 1
+martonveronika.tk, 1
+martstop.ir, 1
+martstroy.ru, 1
+marturet.com, 1
+marty.me.uk, 1
+martyrium.tk, 1
+marufmusic.tk, 1
+maruja.tk, 1
+marula-oel.de, 1
+marulaweb.com, 1
+marunouchi-hotel.co.jp, 1
+marustat.ru, 1
+marvaco.cf, 1
+marvaco.ga, 1
+marvaco.tk, 1
+marvelcargiveaways.co.uk, 1
+marveld.nl, 1
+marvelmoviemarathon.com, 1
+marvelo.cf, 1
+marvelouspainting.com, 1
+marvelweed.ru, 1
+marvin-elsen.com, 1
+marvin.is, 1
+marvin.rocks, 1
+marvinelsen.com, 1
+marvingazibaric.io, 1
+marvinkeller.de, 0
+marvinxyz.de, 1
+marvnet.cf, 1
+marvnet.design, 1
+marvnet.ga, 1
+marvnet.gq, 1
+marvnet.ml, 1
+marvnet.tk, 1
+marvnetdigital.cf, 1
+marvnetdigital.ga, 1
+marvnetdigital.gq, 1
+marvnetdigital.ml, 1
+marvnetdigital.tk, 1
+marvnetforum.cf, 1
+marvnetforum.ga, 1
+marvnetforum.gq, 1
+marvnetforum.ml, 1
+marvnetforum.tk, 1
+marvos.se, 1
+marw.org, 1
+marwadionline.com, 1
+marxist.party, 1
+marxists.org, 1
+marxmyths.org, 1
+marxpark.tk, 1
+mary-e-kay.tk, 1
+maryamghorbani.com, 1
+maryannhaircpa.com, 1
+marycliffpress.com, 1
+marycowanceramics.com, 1
+maryeileen90.party, 1
+maryeileenkelly.com, 1
+maryhaze.net, 1
+marykatrinaphotography.com, 1
+marykirsch.net, 1
+marylandbasementandcrawlspacewaterproofing.com, 1
+marylandcomptroller.gov, 1
+marylandtaxes.gov, 1
+marylandtraditions.org, 1
+maryleemacdonald.org, 1
+maryluzturismo.co, 1
+marymaloney.tk, 1
+marymount.edu.mx, 1
+marypierce.tk, 1
+maryrock.net, 1
+maryrose.org, 1
+marysvilleks.gov, 1
+marytetzstore.com.br, 1
+marywet.net, 1
+marzio.co.za, 1
+mas.be, 1
+mas.bg, 1
+masadaoffensive.com, 1
+masafarms.com, 1
+masajilanver.tk, 1
+masakanibu.ga, 1
+masakigarden.com, 1
+masalaband.tk, 1
+masaloku.com.tr, 1
+masanteadelavenir.fr, 1
+masanunciosimpresos.com, 1
+masarik.sh, 1
+masaze-hanka.cz, 1
+mascarablond.tk, 1
+mascarbo.tk, 1
+mascarillas.blog, 1
+mascenter.xyz, 1
+maschine.email, 1
+maschinen.email, 1
+maschinensucher.de, 1
+mascorazon.com, 1
+mascotarios.org, 1
+mascoteando.net, 1
+masdemariette.com, 1
+masdemexico.com, 1
+masduta.co, 1
+masdzub.com, 1
+masepps.pe, 1
+maservant.com, 1
+maservant.net, 1
+masfloss.net, 1
+mashairi.co.ke, 1
+masharphomecooking.com, 1
+mashek.net, 1
+mashin.al, 1
+mashina.world, 0
+mashinavremeni.ml, 1
+mashine-art.ru, 1
+mashinist.tk, 1
+mashonkavortu.tk, 1
+mashoom.co.uk, 1
+mashrmail.com, 1
+mashrmail.io, 1
+mashtibax.ga, 1
+masiavillalonga.com, 1
+masinaspalat.info, 1
+masiniunelte.store.ro, 1
+masinky.tk, 1
+masite.net, 1
+mask-skin.tk, 1
+maskamuse.com, 1
+masked.love, 1
+maskedemail.nl, 1
+maskedworld.tk, 1
+maskerking.com, 1
+maskim.fr, 1
+masking.my.id, 1
+maskinkultur.com, 1
+maskmail.co, 1
+maskmy.id, 1
+maskova.net, 1
+maskstyle.tk, 1
+maslenka.tk, 1
+maslin.io, 1
+maslow.tk, 1
+masmusica.tk, 1
+masmusicaradio.tk, 1
+maso-corto.com, 1
+masob.site, 1
+masoftware.ddns.net, 1
+masoncountyil.gov, 1
+masoncountywa.gov, 1
+masoncountywaelections.gov, 1
+masoncountywv.gov, 1
+masonkysheriff.gov, 1
+masqueless.org, 1
+masqueradecostumes.tk, 1
+masrilanguage.tk, 1
+masrud.com, 1
+masrur.org, 1
+mass-analytics.com, 1
+mass.pt, 1
+massaer.tk, 1
+massage-californien.tk, 1
+massage-colleges.com, 1
+massage-la-clusaz.com, 1
+massage-technique.tk, 1
+massage-vitalite.fr, 1
+massage-well.ch, 1
+massage4u.net, 0
+massageandwellbeing.com, 1
+massagecoolangatta.com.au, 1
+massagecupping.com, 1
+massagegunadvice.com, 1
+massagehabits.com, 1
+massagekartan.ga, 1
+massagepraktijkamyklappe.nl, 1
+massages-du-monde-charente.fr, 1
+massagespaindia.com, 1
+massagetable.shop, 1
+massagetherapylicense.org, 1
+massagetherapyschoolsinformation.com, 1
+massaggi.it, 1
+massaggio.it, 1
+massagik.ml, 1
+massanews.com, 1
+massapothecary.com, 1
+massauditor.gov, 1
+massazh.cf, 1
+massbank.eu, 1
+massconsultores.com, 1
+masse.org, 1
+massfone.com, 1
+masshost.tk, 1
+masshpc.gov, 1
+massive.tk, 1
+massiveanalyser.com, 1
+massiveassault.tk, 1
+masskick.ga, 1
+massmurder.tk, 1
+massmutualascend.com, 0
+massolutions.pro, 1
+masspingtool.com, 1
+masstercurssos.com, 1
+massvow.com, 1
+masta.me, 1
+mastah.fr, 1
+mastd.fr, 1
+mastd.me, 0
+mastd.onl, 1
+mastdatabase.co.uk, 1
+mastdi.eu, 1
+mastelic.net, 1
+mastellone.us, 1
+master-net.org, 1
+master-tmb.ru, 1
+master.shop, 1
+masteranimal.tk, 1
+mastercardpac.com, 1
+mastercareplus-demo.com, 1
+mastercareplus-staging.com, 1
+mastercareplus-uat.com, 1
+mastercareplus.com, 1
+mastercomfig.com, 1
+masterdan.net, 1
+masterdemolitioninc.com, 1
+masterdesingweb.tk, 1
+masterdigitale.com, 1
+masterdistillers.net, 1
+masterdrilling.com, 1
+mastere.tn, 1
+masterflitzer.xyz, 1
+masterglasses.ru, 1
+mastergrampartners.com, 1
+masterhelenaroma.com, 1
+masterimperia.com, 1
+masterin.it, 1
+masterinchess.com, 1
+masterise.tv, 1
+masterjuantex-projects.tk, 1
+masterkitchen.com.br, 1
+masternetix.ga, 1
+masternetltd.com, 1
+masterofallscience.com, 1
+masterofazoth.tk, 1
+masterofbytes.ch, 1
+masterpassword.org, 1
+masterplc.com, 1
+masterprophetlibrary.com, 1
+masterproseo.ru, 1
+masterpsylogos.ru, 1
+masterquest.tk, 1
+masters-burrell.co.uk, 1
+masters-education.com, 1
+masters-in-special-education.com, 1
+mastersadistancia.com, 1
+mastersindatascience.org, 1
+mastersinesl.org, 1
+mastersinlibraryscience.net, 1
+mastersofscale.com, 1
+mastersplace.tk, 1
+masterstation.net, 1
+mastersthesiswriting.com, 1
+masterstruckingacademy.com, 1
+masterstuff.de, 1
+mastertent.com, 1
+masterton.com.au, 1
+mastertutoriales.com, 0
+masterunblock.com, 0
+masterurist.ru, 1
+mastervision.tk, 1
+masterwank.com, 1
+masterwayhealth.com, 1
+mastiffingles.com.br, 1
+mastilenergy.us, 1
+mastips.cl, 1
+mastodon-poradnik.pl, 1
+mastodon.au, 1
+mastodon.blue, 0
+mastodon.com.pl, 1
+mastodon.cr, 1
+mastodon.ee, 1
+mastodon.fun, 1
+mastodon.org.uk, 1
+mastodon.pizza, 1
+mastodon.pl, 0
+mastodon.top, 1
+mastodon.uno, 1
+mastodont.tk, 1
+mastpartners.com, 1
+masuclub.jp, 1
+masuclub.net, 1
+masumitsu.jp, 1
+masumreza.tk, 1
+masun.org, 1
+maswali.com, 1
+mat-berenbostel.de, 1
+mat.co.th, 1
+mat.com.vn, 1
+mat.services, 1
+mat.tt, 1
+mat99.dk, 1
+mata-i-nautisme.fr, 1
+matador-group.eu, 1
+matafonov.tk, 1
+mataharitimoer.tk, 1
+matanz.de, 1
+matapacoin.org, 1
+matarbyte.se, 1
+matarees.com, 1
+matarrosabierzo.com, 1
+matatabimix.com, 1
+matatall.com, 1
+matc.net, 1
+match.audio, 1
+match.by, 1
+match2meet.io, 1
+matcha-iga.jp, 1
+matcha14.com, 1
+matchday.cz, 1
+matchflix.ch, 1
+matchimmo.fr, 1
+matchlive.ga, 1
+matchmeup.de, 1
+matchmove.com, 1
+matchpointusa.com, 1
+matco.ca, 0
+mate.academy, 1
+mate.software, 1
+matega.hu, 1
+mateiko.by, 1
+matej-oliva.cz, 1
+matejgroma.com, 1
+matejkosiarcik.com, 1
+matel.org, 1
+matematik-ozel-ders.tk, 1
+matematikformulleri.com, 1
+matematikkulubu.tk, 1
+matematyka.wiki, 1
+matemonsac.com, 0
+mateoconlechuga.com, 1
+matepro.pl, 1
+materasocial.live, 1
+materassi.roma.it, 1
+materassicatania.it, 1
+materi.co.id, 1
+materiaischiquinho.com.br, 1
+material-ui.com, 1
+material-world-fuyouhin.com, 1
+material.security, 1
+materialdeconstruccion.com.mx, 1
+materialism.com, 1
+materialyinzynierskie.pl, 1
+materiel-grand-format.fr, 1
+maternityfashion.in, 1
+maternoinfantile.online, 1
+maternum.com, 1
+mateslibres.com, 1
+matetineamoi.fr, 1
+mateuszchyla.pl, 1
+mateuszmajewski.com, 1
+mateuszpilszek.pl, 1
+matewanwv.gov, 1
+mateworks.hu, 1
+matglobal.tech, 1
+matgodt.no, 1
+math-coaching.com, 1
+math-colleges.com, 1
+math-drills.com, 1
+math-net.ru, 1
+math.hamburg, 1
+mathalexservice.info, 1
+mathavuzteknolojileri.com.tr, 1
+mathdf.com, 1
+matheball.de, 1
+mathebau.de, 1
+mathebibel.de, 1
+mathechor.de, 1
+mathematica.org, 1
+mathematik.rocks, 1
+matheo-schefczyk.de, 1
+mathers.ovh, 1
+mathes.berlin, 1
+matheusmacedo.ddns.net, 1
+mathewlane.com, 1
+mathhire.org, 1
+mathias.re, 0
+mathiasbynens.be, 1
+mathiasgarbe.de, 1
+mathiasheise.de, 1
+mathiaswagner.org, 1
+mathieu-marteau.fr, 0
+mathieuchollet.eu, 1
+mathieugrant.com, 1
+mathieuguimond.com, 1
+mathieui.net, 1
+mathijskingma.nl, 1
+mathiveri.tk, 1
+mathleaks.com, 1
+mathleaks.se, 1
+mathnet.ru, 1
+maths.network, 1
+mathschool.lt, 1
+mathsource.ga, 1
+mathspace.co, 1
+mathswithcorne.com, 1
+mathteacheredu.org, 1
+mathys.io, 1
+mati.gq, 1
+mati.lol, 1
+mati.tk, 1
+maticz.com, 1
+matijakolaric.com, 1
+matildeferreira.co.uk, 1
+matillat.ovh, 1
+matindustrial.com, 1
+matipl.pl, 1
+matis.rs, 1
+matiu.tk, 1
+matjaz.it, 1
+matkuling.com, 1
+matkuling.no, 1
+matlss.com, 1
+matnkat.com, 1
+matocmedia.com, 1
+matok.me.uk, 1
+matolab.lt, 1
+matomari.tk, 1
+matopu.tk, 1
+matoutepetiteboutique.com, 1
+matov.tk, 1
+matovaya-pomada.ml, 1
+matozone.com, 1
+matpools.com, 1
+matreon.nl, 1
+matrichelp.co.za, 1
+matrieux.dk, 1
+matrimonio.com, 1
+matrimonio.com.co, 1
+matrimonio.com.pe, 1
+matrimonios.cl, 1
+matrimoniosriviera.com, 1
+matrimonybest.com, 1
+matriterie-sdv.ro, 1
+matrix-pm.com, 1
+matrix-team.tk, 1
+matrix.org, 1
+matrix3dp.com, 1
+matrix40.com, 1
+matrixbricks.com, 1
+matrixengineered.com, 1
+matrixfm.tk, 1
+matrixglobalsms.com, 1
+matrixhealthcare.ca, 1
+matrixmedia.ro, 1
+matrixmold.com, 1
+matrixpost.net, 1
+matrixread.com, 0
+matrixreq.com, 0
+matroskin.ml, 1
+matsson.com, 1
+matsu.gov, 1
+matsushima-kosodate.com, 1
+matt-brooks.com, 1
+matt-royal.com.cy, 1
+matt.re, 1
+mattab.xyz, 1
+mattadams.info, 1
+mattajones.com, 1
+mattandreko.com, 1
+mattandyana.com, 1
+mattaponi.gov, 1
+mattari-app.com, 1
+mattatoio.eu, 1
+mattbailey.tech, 1
+mattberryman.org, 1
+mattbiscay.com, 1
+mattbray.com, 1
+mattbsg.xyz, 1
+mattchellew.net, 1
+mattcoles.io, 1
+mattconstruction.com, 1
+mattcorallo.com, 1
+mattcorp.com, 1
+mattdbarton.com, 1
+mattelek.com, 1
+mattelekharris.com, 1
+mattentaart.tk, 1
+matteobrenci.com, 1
+matteomarescotti.it, 1
+matteosaturn.com, 1
+matteozinnia.it, 1
+mattersource.com, 1
+mattessons.co.uk, 1
+mattferderer.com, 1
+mattfiore.com, 1
+mattga.ca, 1
+mattgemmell.com, 1
+mattgoddardphotography.co.uk, 1
+matthew-carson.info, 1
+matthew-cash.com, 1
+matthewaker.com, 1
+matthewberry.co.za, 1
+matthewburket.com, 1
+matthewcollins.me, 1
+matthewgallagher.co.uk, 1
+matthewgraybosch.com, 1
+matthewgrow.com, 1
+matthewhaeck.com, 1
+matthewimaniphotography.ga, 1
+matthewj.ca, 1
+matthewkairys.com, 1
+matthewkenny.co.uk, 1
+matthewkerley.com, 1
+matthewlankford.com, 1
+matthewljiang.com, 1
+matthewohare.com, 0
+matthewoliver.com, 1
+matthewoshea.tk, 1
+matthewprenger.com, 1
+matthewrochow.com, 1
+matthewsaeger.com, 1
+matthewsfuneralhome.com, 1
+matthewtester.com, 1
+matthewthode.com, 1
+matthewthode.net, 1
+matthewthode.org, 1
+matthey.nl, 1
+matthi.coffee, 1
+matthi3u.xyz, 1
+matthias-lohr.com, 1
+matthias-lohr.net, 1
+matthias-muenzner.de, 1
+matthias-wimmer.de, 1
+matthiasadler.info, 1
+matthiaserb.com, 1
+matthiaslohr.net, 1
+matthiasmueller.me, 1
+matthiasott.ch, 1
+matthiasott.com, 1
+matthiasschwab.de, 1
+matthiasweiler.de, 0
+matthiaswillemsen.me, 1
+matthieu-munoz.fr, 1
+matthieuchedidweb.tk, 1
+matthieuschlosser.fr, 1
+matthijssen.info, 1
+matthijsvos.com, 1
+matthijsvos.org, 1
+mattia98.org, 0
+mattiascibien.net, 0
+mattisclever.com, 1
+mattlaks.com, 1
+mattmarkel.com, 1
+mattmarkelmedia.com, 1
+mattmatters.io, 1
+mattmccutchen.net, 1
+mattmcshane.com, 1
+mattmoorcroft.com, 1
+mattmorrissound.co.uk, 1
+mattnetwork83.com, 1
+mattonline.me, 1
+mattpeterson.com, 1
+mattpippen.com, 1
+mattprice.eu, 1
+mattquintanilla.xyz, 1
+mattres.com, 1
+mattresscleaningcampsbay.co.za, 1
+mattresscleaningcapetown.co.za, 1
+mattresscleaningdurban.co.za, 1
+mattresscleaninghoutbay.co.za, 1
+mattresscleaningseapoint.co.za, 1
+mattresscleaningwesterncape.co.za, 1
+mattressdiscounters.com, 1
+mattressfirm.org, 1
+mattressfundraiser.net, 1
+mattressman.co.uk, 1
+mattressomni.ng, 1
+mattrubin.me, 1
+mattrude.com, 1
+matts.systems, 1
+matts.world, 1
+mattsavin.me, 1
+mattshi.com, 1
+mattslack.me, 1
+mattsmissionblog.com, 1
+mattsvensson.com, 1
+mattwill.be, 1
+matucloud.de, 1
+matuntu.ml, 1
+mature-lovers.com, 1
+mature-orgasm.com, 1
+matureasspics.com, 1
+maturebbwtube.com, 1
+maturebigass.com, 1
+maturecharm.com, 1
+maturefucktube.com, 1
+maturegrandtube.com, 1
+matureladiespics.com, 1
+matureporn-videos.com, 1
+matureporn.com, 1
+maturepornpics.com, 1
+maturepussypics.com, 1
+maturetube.tv, 1
+maturexthumbs.com, 1
+matuslab.net, 1
+matway.com, 1
+matway.net, 1
+matyldamost.cz, 1
+matze.co, 1
+matze.org, 0
+matzoos.com, 1
+mau.bot, 1
+mau.chat, 1
+mau.fi, 1
+mau.life, 1
+mau.lu, 1
+mau.photos, 1
+maubot.xyz, 1
+maudfourier.com, 0
+mauditeboisson.tk, 1
+maudok.gov, 1
+mauhalito.tk, 1
+mauicharm.com, 1
+mauldincookfence.com, 1
+mauletsmallorca.tk, 1
+maumovie.ml, 1
+maunium.net, 1
+mauracher.cc, 1
+maurice-walker.com, 0
+mauricechavez.tk, 1
+mauricedb.nl, 1
+mauriceje.ga, 1
+mauricespapens.tk, 1
+mauricio-ochmann.tk, 1
+mauriciog.com.ar, 0
+mauricioghiorzi.com.ar, 0
+mauricioquadradoconsultor.com.br, 1
+mauricioquadradocontador.com.br, 1
+mauriciosilva.tk, 1
+mauriciotoussaint.tk, 1
+mauriciotoussaintarte.tk, 1
+mauritsverelst.com, 1
+mauroalejandro.co, 1
+mauronovellas.es, 1
+maurovacca.com, 1
+maurrikone.com, 1
+maury-moteurs.com, 1
+mausmani.tk, 1
+mausoleum.ga, 1
+maut1.de, 1
+mauticamp.ng, 1
+mauto.md, 1
+mautwelt.de, 1
+maveeranpasupathi.tk, 1
+maven-cap.com, 1
+maven.ng, 0
+mavente.fr, 1
+maventrading.com, 1
+mavenvets.co.uk, 1
+mavericklabel.com, 1
+maverickmobilemechanics.com, 1
+maveris.com, 0
+maviepearl.net, 1
+mavrick.tk, 1
+mavro.cf, 1
+mavro.ga, 1
+mavro.gq, 1
+mawinguhost.co.ke, 1
+mawkebaljalal.com, 1
+mawo.olkusz.pl, 1
+mawrex.tech, 1
+max-anime.tk, 1
+max-apk.com, 0
+max-cafe.cz, 1
+max-moeglich.de, 1
+max-went.pl, 1
+max.gov, 1
+max00365.com, 1
+max11365.com, 0
+max1365.com, 0
+max22365.com, 0
+max2365.com, 0
+max33365.com, 0
+max3365.com, 0
+max4365.com, 0
+max44365.com, 0
+max5365.com, 0
+max55365.com, 0
+max6365.com, 0
+max66365.com, 0
+max77365.com, 0
+max8365.com, 0
+max88365.com, 0
+max9365.com, 0
+max96.de, 1
+maxalbanesi.it, 1
+maxaro.nl, 1
+maxb.fm, 1
+maxbike.tk, 1
+maxboobs.com, 1
+maxbruckner.de, 1
+maxbruckner.org, 1
+maxbuelk.de, 1
+maxbytes.nl, 0
+maxcash.com, 1
+maxchan.info, 1
+maxclean.ml, 1
+maxcleaning.be, 1
+maxconstructionmachinery.com, 1
+maxdargent.com, 1
+maxdata.pt, 1
+maxedgymequipment.com, 1
+maxgamez.tk, 1
+maxh.me.uk, 1
+maxh.name, 1
+maxhamon.ovh, 1
+maxhoechtl.at, 1
+maxhorvath.com, 1
+maxi-retail.ru, 1
+maxibanki.ovh, 1
+maxiclin.pt, 1
+maxico.tk, 1
+maxigiga.com, 1
+maxiglobal.net, 1
+maxihide.tk, 1
+maxihyp.de, 1
+maxim.live, 1
+maxima.at, 0
+maximababy.de, 1
+maximalsparen.com, 1
+maximanet.tk, 1
+maximbaz.com, 1
+maximdeboiserie.be, 1
+maximdens.be, 1
+maximeferon.fr, 1
+maximegagnon.io, 1
+maximemalfoy.com, 1
+maximemichaud.me, 1
+maximilian-graf.de, 1
+maximilian-greger.com, 1
+maximilian-staedtler.de, 1
+maximiliancole.tk, 1
+maximiliangaedig.com, 1
+maximiliankaul.de, 1
+maximiliankrieg.de, 1
+maximoguk.com, 1
+maximosilupu.tk, 1
+maximovie.eu, 1
+maxims-travel.com, 1
+maximumcontrol.nl, 1
+maximumphysiotherapy.com, 1
+maximusconstrutora.com.br, 1
+maximusrose.com, 1
+maxindo.net.id, 1
+maxinesbydennees.com, 1
+maxipcalls.com, 0
+maxipro.ru, 1
+maxiservak.ml, 1
+maxisito.it, 1
+maxivisor.ga, 1
+maxjacobs.com.au, 1
+maxkaul.de, 1
+maxlaumeister.com, 1
+maxley.yachts, 1
+maxmanus.ga, 1
+maxmarket.bg, 1
+maxmatthe.ws, 0
+maxmilton.com, 1
+maxmind-test.com, 1
+maxmuen.de, 1
+maxmusic.tk, 1
+maxmusical.ml, 1
+maxnac.tk, 1
+maxopen.cf, 1
+maxopolyworldnews.com, 1
+maxp.info, 0
+maxpl0it.com, 1
+maxpoint.it, 1
+maxportal.tk, 1
+maxprog.com, 1
+maxqda.com, 1
+maxqda.de, 1
+maxr1998.de, 0
+maxrandolph.com, 1
+maxrickettsuy.com, 1
+maxrider.tk, 1
+maxroganov.tk, 1
+maxs.com, 1
+maxschleiffer.com, 1
+maxtransport.az, 1
+maxtruxa.com, 1
+maxundlara.at, 1
+maxundlara.com, 1
+maxundlara.eu, 1
+maxundlara.org, 1
+maxuniverse.de, 1
+maxus.com.py, 1
+maxus.tk, 1
+maxvaluedeals.com, 1
+maxwaellenergie.de, 1
+maxweiss.io, 1
+maxwell-english.co.jp, 0
+maxwellblog.com, 1
+maxwellcity.cf, 1
+maxwellcity.ga, 1
+maxwellcity.ml, 1
+maxwellmoore.co.uk, 1
+maxwittfeld.tech, 1
+may24.tw, 1
+mayaimplant.com, 1
+mayamaibach.org, 1
+mayamarquez.co, 1
+mayamushrooms.co.uk, 1
+mayanaturopathy.co.uk, 1
+mayanet.tk, 1
+mayangateway.com, 1
+mayashoefke.tk, 1
+mayavi.co.in, 0
+maybeonline.de, 1
+maybeshewill.xyz, 1
+maybeul.com, 1
+mayblossom.net, 1
+maycarivero.com, 1
+maydaystrategies.com, 1
+maydex.info, 1
+mayerbrownllz.com, 1
+mayfieldheightsohio.gov, 1
+mayflowerbocawina.tk, 1
+mayflowercreative.com, 1
+mayflowerfairytales.com, 1
+mayiadvise.nl, 1
+mayito.tk, 1
+mayki.ga, 1
+maykitut.tk, 1
+maynails.com.br, 1
+maynardnetworks.com, 0
+maynesoftware.co.uk, 1
+mayomarquees.com, 1
+mayopartyhire.com, 1
+mayorcahill.com, 1
+mayre-idol.tk, 1
+mayrivermontessori.com, 1
+maysambotros.tk, 1
+mayslandingcornholeleague.com, 1
+maythai.eu, 1
+maythai.pl, 1
+maytretrungphuong.com, 1
+maywood-il.gov, 1
+mayx.eu.org, 1
+mazartdesign.tk, 1
+mazavto.ml, 1
+mazcue.com, 0
+mazda-mps.de, 1
+mazda-thermote.com, 1
+mazda626.net, 1
+mazdaofgermantown.com, 1
+mazdel.tk, 1
+maze.com.br, 1
+maze.fr, 0
+mazenitude.fr, 1
+mazepa.ml, 1
+mazet-machines-a-coudre.fr, 1
+mazhab.tk, 1
+mazik.tk, 1
+mazken.tk, 1
+mazternet.ru, 1
+mazurlabs.tk, 1
+mazury-invest.pl, 1
+mazzotta.me, 1
+mb-amenagements.be, 1
+mb-analytics.at, 1
+mb-demo.net, 1
+mb-is.info, 1
+mb-server.de, 1
+mb-t.net, 1
+mb300sd.com, 1
+mbaasy.com, 1
+mbaestlein.de, 1
+mbainflatables.co.uk, 1
+mbalaw.pl, 1
+mbanogmat.com, 1
+mbar.us, 1
+mbarbadun.es, 0
+mbardot.com, 0
+mbasic.facebook.com, 0
+mbcars.be, 0
+mbci.gov, 1
+mbcoaching40.fr, 1
+mbcom.de, 1
+mbd2021cm.com, 1
+mbda.gov, 1
+mbddash-staging.azurewebsites.net, 1
+mbdou50.ru, 1
+mbdrogenbos-usedcars.be, 1
+mbeach.fr, 1
+mbed.com, 1
+mbed.org, 1
+mbedcloud.com, 1
+mbedcloudintegration.net, 1
+mbfiles.tk, 1
+mbi.nl, 1
+mbilker.us, 1
+mbinf.de, 0
+mbinformatik.de, 0
+mbjeng.com, 0
+mbk.net.pl, 1
+mblankhorst.nl, 1
+mble.mg, 1
+mbmassageterapi.se, 1
+mbong.kr, 1
+mbpskill.co.id, 1
+mbr-net.de, 1
+mbr.moe, 1
+mbr.pw, 1
+mbrd.de, 1
+mbrental.fr, 1
+mbrjun.cn, 1
+mbsec.net, 1
+mbsunu.com, 1
+mbsync4supply.com, 1
+mbt-constructions.co.uk, 1
+mbtaadvisoryboard.gov, 1
+mbudy.in, 1
+mburaks.com, 1
+mburns.duckdns.org, 1
+mbvelden.nl, 1
+mbw.org.au, 1
+mbwemmel-usedcars.be, 1
+mbwsignup.com, 1
+mc-auth.com, 1
+mc-connect.net, 1
+mc-dos.ru, 1
+mc-jobs.net, 1
+mc-mods.org, 1
+mc-sin.ch, 1
+mc-teemocraft.tk, 1
+mc.ax, 1
+mc007.xyz, 1
+mc2informatique.fr, 1
+mc3dreal.de, 1
+mc4free.cc, 1
+mc5zvezd.ru, 0
+mcagon.tk, 1
+mcahm.eu.org, 1
+mcalert.in, 1
+mcaps-mn.gov, 1
+mcb-bank.com, 1
+mcbbs.wiki, 1
+mcbooks.vn, 0
+mccannhealth.com, 1
+mccannworldgroup.com, 1
+mccarthyprestige.com.au, 1
+mccarthystonefoundation.org, 0
+mccasa.com.br, 1
+mccinc.ca, 1
+mcclaincountyok.gov, 1
+mccn.pp.ua, 1
+mccommando.tk, 1
+mcconciergerie.com, 1
+mcconecountymt.gov, 1
+mccoolesredlioninn.com, 1
+mccordscvs.com, 1
+mccormicklaw.com.au, 1
+mccsquantico.marketing, 1
+mcculloughjchris.com, 0
+mcculloughsgolf.com, 1
+mccurtainems.gov, 1
+mcdanieldevelopmentservices.com, 1
+mcdean.com, 1
+mcdeed.net, 1
+mcdermottautomotive.com, 1
+mcdesigns68.co.uk, 1
+mcdgenclikkulubu.org, 1
+mcdona1d.me, 1
+mcdonaldcountymissouri.gov, 1
+mcdonalds.cloud, 1
+mcdonalds.co.il, 1
+mcdonalds.design, 1
+mcdowellcountyncboe.gov, 1
+mcdowellcountywv.gov, 1
+mcdowellnews.com, 1
+mcdreamcity.com, 1
+mcdsg.net, 1
+mcduff.ga, 1
+mce.eu, 1
+mce.nyc, 1
+mce55.eu, 1
+mcea-hld.jp, 1
+mceconferencecentre.eu, 1
+mcemyigit.com.tr, 1
+mcescher.com, 1
+mceyedol.tk, 1
+mcfallout.ru, 1
+mcfarlow.sk, 1
+mcfipvt.com, 1
+mcfreedom.eu, 1
+mcg4loans.com, 1
+mcgaccountancy.co.uk, 1
+mcgarrybair.com, 1
+mcgavocknissanwichitaparts.com, 1
+mcgillsbuses.co.uk, 1
+mcgovernance.com, 1
+mcgrand.shop, 1
+mcgregortx.gov, 1
+mch2022.org, 1
+mchaelkordomain.tk, 1
+mchan.us, 1
+mchel.net, 1
+mchenrycountyclerkil.gov, 1
+mchollet.eu, 1
+mchopkins.net, 1
+mchost.no, 1
+mchristopher.com, 1
+mchughisle.net, 1
+mci.gov.sg, 0
+mcideas.tk, 1
+mcintyredisplays.com, 1
+mcirculo.com.br, 1
+mcivor.me, 1
+mcjackk77.me, 1
+mcjars.com, 1
+mckay-bednar.net, 1
+mckeancountypa.gov, 1
+mckendry.com, 1
+mckendry.consulting, 1
+mckenna.academy, 0
+mckenney.xyz, 1
+mckenzielandscaping.ca, 1
+mckernan.in, 0
+mckhan.com, 1
+mckinley1.com, 1
+mckinleytk.com, 1
+mckinneyisdtx.gov, 1
+mckleenz.com, 1
+mckycraft.xyz, 1
+mcl.de, 1
+mcl.gg, 1
+mclanedirect.com, 1
+mclanexpress.com, 1
+mclast.de, 1
+mclear.in, 1
+mcleishandmatthews.com.au, 1
+mclennan.gov, 1
+mcleodcountymn.gov, 1
+mcleodgaming.com, 1
+mcleodoptical.com, 1
+mclinflatables.co.uk, 1
+mclmotors.co.uk, 1
+mcmillan.ski, 1
+mcmillanskiclub.com, 1
+mcmillanskiclub.com.au, 1
+mcmind.ddns.net, 1
+mcmk.in, 1
+mcnairinternational.com, 1
+mcnav.net, 1
+mcnet.care, 1
+mcnext.net, 1
+mcnoobs.pro, 1
+mcon.se, 1
+mconline.sg, 1
+mcos.nc, 1
+mcost.no, 1
+mcoutinho.pt, 0
+mcpa.top, 0
+mcpaoffice.com, 1
+mcpart.land, 1
+mcpat.com, 1
+mcpe.computer, 1
+mcpepc.com, 1
+mcpepc.me, 0
+mcplayman.de, 1
+mcprocdn.com, 1
+mcraft.ru, 1
+mcregex.com, 1
+mcrn.jp, 1
+mcrook.com, 1
+mcroyal.fr, 1
+mcs-nl.com, 1
+mcsa-usa.org, 1
+mcsdatum.co.uk, 1
+mcseboard.de, 1
+mcserverslisting.net, 1
+mcsfikirsanat.com, 1
+mcsidan.tk, 1
+mcsmart.ru, 1
+mcsnovatamabayan.com, 1
+mcsoneca.tk, 1
+mcsrvstat.us, 1
+mcstaralliance.com, 1
+mctea.tk, 1
+mctherealm.net, 1
+mctitan.net, 1
+mctools.org, 1
+mctwcloud.tk, 1
+mcubedigital.com, 1
+mcukhost.co.uk, 1
+mcuuid.net, 1
+mcversions.net, 1
+mcvs.net, 1
+mcwrapper.com, 1
+mcycbd.com.au, 1
+mcyukon.com, 1
+md-1xbet.com, 1
+md-clinica.com.ua, 1
+md-events.tk, 1
+md-mb.ro, 1
+md-progressistes.fr, 1
+md-service.net, 1
+md28.in, 1
+md5file.com, 1
+mdaemon.de, 1
+mdaemon.tips, 1
+mdangels.org, 1
+mdatc.gov, 1
+mdazo.net, 1
+mdbre.gov, 1
+mdbug.de, 1
+mdca-jp.org, 1
+mdcloudps.com, 1
+mdconnect.asia, 1
+mddetails.com, 1
+mddietclinic.com, 1
+mddistributorsstore.com, 1
+mdeep.ru, 0
+mdek.at, 1
+mdewendt.de, 1
+mdf-bis.com, 0
+mdf-nakladki.kiev.ua, 1
+mdgsocialmediasecurity.com, 1
+mdgx.com, 1
+mdinstituteplasticsurgery.com, 1
+mdinvest.nz, 1
+mdir.tk, 1
+mditsa.de, 1
+mdiv.pl, 1
+mdjobsite.com, 1
+mdl.co.ua, 1
+mdlayher.com, 1
+mdleom.com, 1
+mdma.net, 1
+mdmed.clinic, 1
+mdns.eu, 1
+mdosch.de, 1
+mdpp.com.br, 1
+mdpparish.com, 1
+mdrsp.de, 1
+mdrthmcs.io, 1
+mds-paris.com, 1
+mdsave.com, 1
+mdscomp.net, 1
+mdsglobal.com, 1
+mdtaxconnect.gov, 1
+mdtorelli.it, 1
+mdwedding168.com, 1
+mdwellness.ca, 1
+mdwftw.com, 1
+mdx.no, 1
+mdxdave.de, 0
+mdxn.org, 1
+me-groups.com, 1
+me-mainz.de, 1
+me-news.tk, 1
+me-soft.nl, 1
+me.com.br, 1
+me.net.nz, 0
+me.vu, 1
+me2md.com, 1
+me7878.com, 1
+mea-vota-uitvaart.nl, 1
+mea.com.lb, 1
+meadowfen.farm, 1
+meadowfenfarm.com, 1
+meadowviewfarms.org, 1
+meadvillems.gov, 1
+mealcast.ml, 1
+mealpedant.com, 1
+meals.lv, 1
+mealsnmemories.in, 1
+meamod.com, 0
+meandmyemotions.org, 1
+meanevo.com, 1
+meangreenjunk.com, 1
+meaningfulbits.io, 1
+meanit.ie, 1
+meanjstraininginstitute.com, 1
+meany.xyz, 1
+meao.market, 1
+meao.online, 1
+meao.pictures, 1
+meao.ru, 1
+meapbot.com, 1
+meapbot.net, 1
+meapbot.org, 1
+meapbot.pro, 1
+measiedu.org, 1
+measureaustralia.com.au, 1
+measurementsolutionsinc.com, 1
+measureyourpenis.today, 1
+meat-berry.ru, 1
+meat-education.com, 1
+meat.org.uk, 1
+meatfoods.com.br, 1
+meatfreecarnivore.com, 1
+meavagas.com, 1
+meazurelearning.com, 1
+mebehliyetsinavsorulari.com, 1
+mebel-dnr.ml, 1
+mebel-voronezh.cf, 1
+mebelconcept.tk, 1
+mebelipalitra.ru, 0
+mebelipetrov.com, 1
+mebeliside.bg, 1
+mebelisk.com.br, 1
+mebelizori.com, 1
+mebelnik.pro, 1
+mebeloffice.com.ua, 1
+mebelok.com, 1
+mebelradom.com, 1
+mebelshik.tk, 1
+mebinrobin.com, 1
+meblerymar.pl, 1
+mebtall.ru, 1
+mec.gub.uy, 1
+mec010.com, 1
+mec020.com, 1
+mec021.com, 1
+mec022.com, 1
+mec023.com, 1
+mec024.com, 1
+mec025.com, 1
+mec027.com, 1
+mec028.com, 1
+mec029.com, 1
+mec0310.com, 1
+mec0311.com, 1
+mec0312.com, 1
+mec0313.com, 1
+mec0314.com, 1
+mec0315.com, 1
+mec0316.com, 1
+mec0317.com, 1
+mec0318.com, 1
+mec0319.com, 1
+mec0335.com, 1
+mec0350.com, 1
+mec0351.com, 1
+mec0352.com, 1
+mec0353.com, 1
+mec0354.com, 1
+mec0355.com, 1
+mec0356.com, 1
+mec0357.com, 1
+mec0358.com, 1
+mec0359.com, 1
+mec0370.com, 1
+mec0371.com, 1
+mec0372.com, 1
+mec0373.com, 1
+mec0374.com, 1
+mec0375.com, 1
+mec0376.com, 1
+mec0377.com, 1
+mec0378.com, 1
+mec0379.com, 1
+mec0391.com, 1
+mec0392.com, 1
+mec0393.com, 1
+mec0394.com, 1
+mec0395.com, 1
+mec0396.com, 1
+mec0398.com, 1
+mec0410.com, 1
+mec0411.com, 1
+mec0412.com, 1
+mec0413.com, 1
+mec0414.com, 1
+mec0415.com, 1
+mec0416.com, 1
+mec0419.com, 1
+mec0421.com, 1
+mec0429.com, 1
+mec0431.com, 1
+mec0432.com, 1
+mec0433.com, 1
+mec0434.com, 1
+mec0435.com, 1
+mec0436.com, 1
+mec0437.com, 1
+mec0438.com, 1
+mec0439.com, 1
+mec0440.com, 1
+mec0450.com, 1
+mec0451.com, 1
+mec0452.com, 1
+mec0453.com, 1
+mec0454.com, 1
+mec0455.com, 1
+mec0456.com, 1
+mec0457.com, 1
+mec0458.com, 1
+mec0459.com, 1
+mec0470.com, 1
+mec0471.com, 1
+mec0472.com, 1
+mec0473.com, 1
+mec0474.com, 1
+mec0475.com, 1
+mec0476.com, 1
+mec0477.com, 1
+mec0478.com, 1
+mec0479.com, 1
+mec0482.com, 1
+mec0483.com, 1
+mec0510.com, 1
+mec0511.com, 1
+mec0512.com, 1
+mec0513.com, 1
+mec0514.com, 1
+mec0515.com, 1
+mec0516.com, 1
+mec0517.com, 1
+mec0518.com, 1
+mec0519.com, 1
+mec0523.com, 1
+mec0530.com, 1
+mec0531.com, 1
+mec0532.com, 1
+mec0533.com, 1
+mec0534.com, 1
+mec0535.com, 1
+mec0536.com, 1
+mec0537.com, 1
+mec0538.com, 1
+mec0539.com, 1
+mec0550.com, 1
+mec0551.com, 1
+mec0552.com, 1
+mec0553.com, 1
+mec0554.com, 1
+mec0555.com, 1
+mec0556.com, 1
+mec0557.com, 1
+mec0558.com, 1
+mec0559.com, 1
+mec0561.com, 1
+mec0562.com, 1
+mec0563.com, 1
+mec0564.com, 1
+mec0565.com, 1
+mec0566.com, 1
+mec0570.com, 1
+mec0571.com, 1
+mec0572.com, 1
+mec0573.com, 1
+mec0574.com, 1
+mec0575.com, 1
+mec0576.com, 1
+mec0577.com, 1
+mec0578.com, 1
+mec0579.com, 1
+mec0580.com, 1
+mec0591.com, 1
+mec0592.com, 1
+mec0593.com, 1
+mec0594.com, 1
+mec0595.com, 1
+mec0596.com, 1
+mec0597.com, 1
+mec0598.com, 1
+mec0599.com, 1
+mec0660.com, 1
+mec0661.com, 1
+mec0662.com, 1
+mec0663.com, 1
+mec0691.com, 1
+mec0692.com, 1
+mec0701.com, 1
+mec0710.com, 1
+mec0711.com, 1
+mec0712.com, 1
+mec0713.com, 1
+mec0714.com, 1
+mec0715.com, 1
+mec0716.com, 1
+mec0717.com, 1
+mec0718.com, 1
+mec0719.com, 1
+mec0722.com, 1
+mec0724.com, 1
+mec0728.com, 1
+mec0730.com, 1
+mec0731.com, 1
+mec0732.com, 1
+mec0733.com, 1
+mec0734.com, 1
+mec0735.com, 1
+mec0736.com, 1
+mec0737.com, 1
+mec0738.com, 1
+mec0739.com, 1
+mec0743.com, 1
+mec0744.com, 1
+mec0745.com, 1
+mec0746.com, 1
+mec0751.com, 1
+mec0752.com, 1
+mec0753.com, 1
+mec0754.com, 1
+mec0755.com, 1
+mec0756.com, 1
+mec0757.com, 1
+mec0758.com, 1
+mec0759.com, 1
+mec0760.com, 1
+mec0762.com, 1
+mec0763.com, 1
+mec0765.com, 1
+mec0766.com, 1
+mec0768.com, 1
+mec0769.com, 1
+mec0770.com, 1
+mec0771.com, 1
+mec0772.com, 1
+mec0773.com, 1
+mec0774.com, 1
+mec0775.com, 1
+mec0776.com, 1
+mec0777.com, 1
+mec0778.com, 1
+mec0779.com, 1
+mec0790.com, 1
+mec0791.com, 1
+mec0792.com, 1
+mec0793.com, 1
+mec0794.com, 1
+mec0795.com, 1
+mec0796.com, 1
+mec0797.com, 1
+mec0798.com, 1
+mec0799.com, 1
+mec0810.com, 1
+mec0811.com, 1
+mec0812.com, 1
+mec0813.com, 1
+mec0814.com, 1
+mec0816.com, 1
+mec0817.com, 1
+mec0818.com, 1
+mec0819.com, 1
+mec0826.com, 1
+mec0827.com, 1
+mec0830.com, 1
+mec0831.com, 1
+mec0832.com, 1
+mec0833.com, 1
+mec0834.com, 1
+mec0835.com, 1
+mec0836.com, 1
+mec0837.com, 1
+mec0838.com, 1
+mec0839.com, 1
+mec0840.com, 1
+mec0851.com, 1
+mec0852.com, 1
+mec0853.com, 1
+mec0854.com, 1
+mec0855.com, 1
+mec0856.com, 1
+mec0857.com, 1
+mec0858.com, 1
+mec0859.com, 1
+mec0870.com, 1
+mec0871.com, 1
+mec0872.com, 1
+mec0873.com, 1
+mec0874.com, 1
+mec0875.com, 1
+mec0876.com, 1
+mec0877.com, 1
+mec0878.com, 1
+mec0879.com, 1
+mec0881.com, 1
+mec0883.com, 1
+mec0886.com, 1
+mec0887.com, 1
+mec0888.com, 1
+mec0890.com, 1
+mec0891.com, 1
+mec0898.com, 1
+mec0899.com, 1
+mec0910.com, 1
+mec0911.com, 1
+mec0912.com, 1
+mec0913.com, 1
+mec0914.com, 1
+mec0915.com, 1
+mec0916.com, 1
+mec0917.com, 1
+mec0919.com, 1
+mec0930.com, 1
+mec0931.com, 1
+mec0932.com, 1
+mec0933.com, 1
+mec0934.com, 1
+mec0935.com, 1
+mec0936.com, 1
+mec0937.com, 1
+mec0938.com, 1
+mec0941.com, 1
+mec0943.com, 1
+mec0951.com, 1
+mec0952.com, 1
+mec0953.com, 1
+mec0954.com, 1
+mec0971.com, 1
+mec0972.com, 1
+mec0973.com, 1
+mec0974.com, 1
+mec0975.com, 1
+mec0976.com, 1
+mec0977.com, 1
+mec0991.com, 1
+mec111.com, 1
+mec111.net, 1
+mec222.com, 1
+mec222.net, 1
+mec333.com, 1
+mec333.net, 1
+mec539.com, 1
+mec555.com, 1
+mec555.net, 1
+mec666.net, 1
+mec760.com, 1
+mec777.net, 1
+mec825.com, 1
+mec888.com, 1
+mec888.net, 1
+mec999.com, 1
+mec999.net, 1
+mecalux.com, 1
+mecalux.es, 1
+mecanicoautomotriz.org, 0
+mecanique-casa.com, 1
+mecari.tk, 1
+meccanico.milano.it, 1
+meccano.srl, 1
+meccrcog-oh.gov, 1
+mecenat-cassous.com, 1
+mecenatfoot.fr, 1
+mechafightclub.com, 1
+mechanical.tk, 1
+mechanics-schools.com, 1
+mechanicweb.com, 1
+mechanus.io, 1
+mechasdepelo.com, 0
+mechaspartans6648.com, 1
+mechinfinity.tk, 1
+mechmk1.me, 1
+mechsoftgroup.com, 1
+mechta.gq, 1
+meciel.net, 1
+mecloudprinter.com, 1
+mecomed.com, 1
+mecp.de, 1
+med-banki.ru, 1
+med-colleges.com, 1
+med-flex.com, 1
+med-line.cf, 1
+med-metrix.com, 0
+med-nagoya-neurosurgery.jp, 1
+med-otzyv.ru, 1
+med-spravca.ml, 1
+med.aid.pl, 1
+meda.bg, 1
+medaboutme.ru, 1
+medalerthelp.org, 1
+medali21.tk, 1
+medaliturki.tk, 1
+medalofvalor.gov, 1
+medbankishop.ru, 1
+medbiocompany.com, 1
+medbiocompany.ml, 1
+medbreaker-friends.at, 1
+medbreaker.one, 0
+medcab.in, 1
+medcartoon.com, 1
+medcentr.online, 1
+medcentrnadezhda.ru, 1
+medcir.com.br, 1
+medcorfu.gr, 1
+medd.com.au, 1
+meddata.pp.ua, 1
+meddatix.com, 1
+meddiehub.com, 1
+meddin.com, 1
+mede-handover.azurewebsites.net, 1
+medebridge.com.au, 1
+medec.ec, 1
+medecinesalternatives-developpementspirituelcreatif.com, 1
+medefield.com, 1
+medeinos.lt, 0
+medelement.com, 1
+medellinencanciones.tk, 1
+medfind.link, 1
+medfordoregon.gov, 1
+medfordwi.gov, 1
+medguide-bg.com, 1
+medhatzaki.com, 1
+medhiwa.com, 1
+medhy.fr, 1
+medi-link.co.il, 0
+medi.com.br, 1
+media-cable-solutions.de, 1
+media-credit.eu, 1
+media-cube.com, 1
+media-fleet.fr, 1
+media-instance.ru, 1
+media-journalism.org, 1
+media-land.tk, 1
+media-library.co.uk, 1
+media-serwis.com, 1
+media-start.tk, 1
+media-store.ir, 1
+media-street.co.uk, 1
+media-valko.hu, 1
+media-webs5.com, 1
+media24.world, 1
+media4u.tk, 1
+mediaarea.net, 1
+mediaareplural.ca, 1
+mediabackoffice.co.jp, 1
+mediabeestjes.nl, 1
+mediablaster.com, 1
+mediabogen.net, 1
+mediabola.net, 1
+mediabookdb.de, 0
+mediabooks.ml, 1
+mediaboutique.nl, 1
+mediacenter.dynv6.net, 1
+mediacluster.de, 1
+mediacolor.fr, 1
+mediadex.be, 1
+mediafly.com, 1
+mediafocus.biz, 1
+mediaforkids.org, 1
+mediagetnews.tk, 1
+mediagrand.net, 1
+mediagus.com, 1
+mediahaus.de, 0
+mediajurnal.com, 1
+medialab.nrw, 1
+medialine.ag, 1
+medialine.com, 1
+medialinkz.ga, 1
+medialunaventura.com, 1
+medialys.ca, 1
+mediamarket42.tk, 1
+mediamarkt.pl, 1
+mediametrix.ru, 1
+mediamonitors.net, 1
+mediamora.nl, 1
+medianbases.ga, 1
+mediantechnologies.com, 1
+mediaoffice.ae, 1
+mediapark.uz, 1
+mediapart.fr, 1
+mediapath.gr, 0
+mediapost-publicite.fr, 1
+mediaprint-eco.com, 1
+mediarenegades.net, 1
+mediarithmics.com, 1
+mediarithmics.io, 1
+mediarquita.com, 1
+medias-presse.info, 1
+mediasagasocialseo.com, 1
+mediaserver7.com, 1
+mediasklep24.pl, 1
+mediaspike.com, 1
+mediassist.in, 1
+mediassistindia.com, 1
+mediassistindia.net, 1
+mediassisttpa.in, 1
+mediasst.com, 1
+mediastroke.com, 1
+mediataput.ga, 1
+mediathekview.de, 0
+mediation-mv.de, 1
+mediationculturelleclp.ch, 0
+mediatorzy.waw.pl, 1
+mediatrust.org, 1
+mediaukkies.nl, 0
+mediawax.be, 1
+mediaweb.com.ve, 1
+mediawijsheid.nl, 0
+mediawijzer.net, 0
+mediawiki.com, 1
+mediawiki.org, 1
+medibooker.com.au, 1
+medic-world.com, 1
+medic808.com, 1
+medicairsolutions.com, 1
+medical-assistant-colleges.com, 1
+medical-centr.tk, 1
+medical-contact.de, 1
+medical-hospital-beds.com, 1
+medical-instinct.de, 0
+medical-tiny.com, 1
+medical-tiny.de, 1
+medicalabroad.org, 0
+medicalaegis.com, 1
+medicalassistantadvice.com, 1
+medicalassistantschools.com, 1
+medicalauction.ga, 1
+medicalbillingcodingworld.com, 1
+medicalbillrights.gov, 1
+medicalbrace.net, 1
+medicalcountermeasures.gov, 1
+medicaldispute.tk, 1
+medicaleyetec.fr, 1
+medicalhelp.com.br, 1
+medicallicensing.com, 1
+medicalonliner.tk, 1
+medicalpeople.tk, 1
+medicalphysicistservices.com, 1
+medicalsite.tk, 1
+medicalsland.com, 1
+medicaltiny.com, 1
+medicaltiny.de, 1
+medicaltools.de, 1
+medicalys-tunisie.com, 0
+medicare-providers.net, 1
+medicareadvantage.com, 1
+medicareclinic.tk, 1
+medicarecompareusa.com, 1
+medicarecoveragefinder.com, 1
+medicareinfo.org, 1
+medicaremarket.com, 1
+medicaresupplement.com, 1
+medicasa-gmbh.de, 1
+medicel.com, 1
+medicenteritalia.it, 1
+medichat.ml, 1
+medicimaging.com, 1
+medicina-interventionala.ro, 1
+medicina-news.tk, 1
+medicinae.solutions, 1
+medicinaesolutions.com, 1
+medicinaesolutions.com.br, 1
+medicinalflora.com.br, 1
+medicinasportpadova.it, 1
+medicine.com, 1
+medicine.lv, 1
+medicinesfast.com, 0
+medicinia.com.br, 1
+medicininismetalas.lt, 1
+medicinskavranje.edu.rs, 1
+mediciventures.com, 1
+mediclinik.tk, 1
+medicm.jp, 1
+medicompany.tk, 1
+medicoresponde.com.br, 1
+medictools.de, 1
+medicus.ai, 1
+medidordehumedad.online, 1
+mediengestalter-website.de, 1
+medienhelden.de, 1
+medienweite.de, 1
+medievalexpert.com, 1
+medifab.online, 1
+medifit.si, 1
+medifoto.tk, 1
+medigap-quote.net, 1
+medihost.com.au, 1
+medihostsolutions.com.au, 1
+medikuma.com, 1
+medilogistics.co.za, 1
+medinacountyohio.gov, 1
+medinaelst.nl, 1
+medinc.tk, 1
+mediniti.com, 1
+medino.com, 1
+medinorte.es, 1
+medinside.ch, 0
+medinside.li, 0
+medinsider.ch, 0
+medinsider.li, 0
+mediolan.pl, 1
+medirota.com, 1
+medisense.tk, 1
+mediskin.ro, 1
+medisuv.ga, 1
+medisysintl.net, 1
+medisystempharmacy.com, 1
+meditacionesparasanar.club, 1
+meditadvisors.com, 1
+meditarenargentina.org, 1
+meditateinolympia.org, 1
+meditation-music.shop, 1
+meditation-rennes.org, 1
+meditationsydney.org.au, 1
+meditel.nl, 1
+meditez.ca, 1
+meditrak.ml, 1
+medium.com, 1
+mediums.cf, 1
+medivisionsc.com, 1
+medivox.tk, 1
+mediweed.tk, 1
+mediziner-goettingen.tk, 1
+medja.net, 1
+medklee.com, 1
+medkliniks.ru, 1
+medlemsraadgiveren.no, 1
+medlemsradgiveren.no, 1
+medlineplus.gov, 1
+medlink.pl, 1
+medmark.com, 1
+medmobil.ru, 1
+mednews.net.ua, 1
+medo64.com, 1
+medofis.com, 1
+medorand.gov, 1
+medosedu.in, 1
+medousaclinique.com, 1
+medovea.ru, 1
+medovoe.ml, 1
+medpeer.co.jp, 1
+medpeer.jp, 1
+medportalmd.tk, 1
+medpost.com, 1
+medprozone.com, 1
+medreich.com, 1
+medrol.cf, 1
+meds.ru, 1
+medsanuk.co.uk, 1
+medscangroup.ru, 1
+medschat.com, 1
+medschrome.com, 1
+medscope.com.au, 1
+medscope.tk, 1
+medservice.cz, 1
+medsi-online.tk, 1
+medsilset.com.br, 1
+medsister.tk, 1
+medsol.co.za, 0
+medsovet.tv, 1
+medspecial.tk, 1
+medstatix-dev.com, 1
+medstatix.co, 1
+medsync.nl, 1
+medtalents.ch, 1
+medtankers.management, 0
+medtech-jp.net, 1
+medtehnika.ua, 1
+medtronicpain.com, 1
+medullaortopedi.com, 1
+medunovi.com, 1
+medusa.wtf, 1
+meduza.io, 1
+medvedikorenka.cz, 1
+medvedivka.tk, 1
+medvedka-nasekomoe.tk, 1
+medvedkovo-hovrino.ru, 1
+medvesajt.hu, 1
+medvet.com.es, 1
+medvidi.com, 1
+medy-me.com, 1
+medyahabertv.com, 1
+medyaweb.net, 1
+medycznyangielski.pl, 1
+medyotan.ga, 1
+medyumzeyneleroglu.com, 1
+medza.ru, 1
+medzinenews.com, 0
+meedoennoordkop.nl, 0
+meek.ml, 1
+meekhak.com, 1
+meeko.cc, 1
+meekru.com, 1
+meektech.com, 1
+meenzen.net, 1
+meeo7.tk, 1
+meepbot.net, 1
+meepbot.org, 1
+meepbot.pro, 1
+meeque.de, 1
+meer-der-ideen.de, 1
+meeras.ga, 1
+meereskunst.de, 1
+meerman.nl, 0
+meerpadel.nl, 1
+meesenburg.ro, 1
+meesman.nl, 1
+meesteresmisty.nl, 1
+meet, 1
+meet.google.com, 1
+meetanshi.com, 1
+meetbeagle.com, 1
+meetbot.fedoraproject.org, 1
+meetcleo.com, 1
+meetfranz.com, 1
+meetfriends.tk, 1
+meeting-server.ml, 1
+meetingvotes.com, 1
+meetjeslandsetriathlon.tk, 1
+meetmaps.com, 1
+meetmarlo.com, 1
+meetmibaby.co.uk, 1
+meetmonarch.com, 1
+meetmygoods.com, 1
+meetmyown.ga, 1
+meetmyown.tk, 1
+meetsummer.org, 1
+meetthesinglessda.co.uk, 1
+meettheslavs.com, 1
+meetville.com, 1
+meetyou.me, 1
+meeusen-usedcars.be, 1
+meewan.fr, 1
+meeztech.com, 1
+meeztertom.nl, 1
+mefano.com, 1
+meffrepatrimoine.com, 1
+meg-a-bounce.co.uk, 1
+mega-aukcion.ru, 1
+mega-byte.nl, 0
+mega-feeling.de, 1
+mega-jeans.ru, 1
+mega-microstories.com, 1
+mega.co.nz, 1
+mega.io, 0
+mega.nz, 1
+megaar.tk, 1
+megabike.tk, 1
+megabook.ml, 1
+megabooker.hr, 1
+megabounce.co.uk, 1
+megabouncingcastles.com, 1
+megacellenerji.com, 1
+megadrol.com, 1
+megaelettrostimolatore.com, 1
+megafilez.tk, 1
+megaflix.nl, 1
+megaflowers.ru, 1
+megagame.zapto.org, 1
+megagifs.de, 1
+megahertzdesigns.pro, 1
+megaherz.tk, 1
+megahobby.jp, 1
+megahost.kz, 1
+megahostingbr.tk, 1
+megahouse.co.jp, 1
+megaimpressao3d.com.br, 1
+megainflatables.co.uk, 1
+megainformatyk.pl, 1
+megajackpot.ph, 1
+megajackpot.win, 1
+megajatek.hu, 1
+megakoncert90.cz, 1
+megalibportal.ga, 1
+megalibrarygirl.ml, 1
+megalogistic.ru, 1
+megalol.tk, 1
+megalonomia.ml, 1
+megam.host, 1
+megamarket-russia.ru, 1
+megamillions.tk, 1
+megamisja.pl, 1
+megamov.eu, 1
+megamov.fr, 1
+megamov.pro, 1
+meganandmarc.us, 1
+meganholliday.blog, 1
+meganmarston.cf, 1
+meganmarston.ga, 1
+meganruggiero.com, 0
+megaobzor.com, 1
+megaparadise.ml, 1
+megapari.com, 1
+megapixel.cz, 1
+megaplan.cz, 1
+megaplan.ru, 1
+megaportal.ga, 1
+megaportal.tk, 1
+megaprofi.tk, 1
+megarap.cf, 1
+megaron.at, 1
+megasesso.com, 1
+megasitesoficial.tk, 1
+megasunsunglasses.bg, 1
+megateam.tk, 1
+megatom.net.br, 1
+megatyumen.ru, 1
+megauction.tk, 1
+megavasoc.com.ar, 1
+megaviews.tk, 1
+megavoyages.ca, 1
+megawebsite.tk, 1
+megawhat.energy, 1
+megaxchange.cash, 1
+megayachts.world, 1
+megazigzag.com, 1
+megeve-tourisme.fr, 1
+megger-aktionen.de, 1
+megger.li, 1
+meggidesign.com, 1
+meggie.tk, 1
+megh.tv, 1
+megin.gq, 1
+megin.tk, 1
+meginajums1.space, 1
+megmaster.com, 1
+megnetix.tk, 1
+mego-tracer.de, 1
+mego.cloud, 1
+mego.gmbh, 1
+megotracer.de, 1
+megumico.net, 1
+megztosidejos.lt, 1
+meh.is, 1
+mehalick.com, 1
+meharossii.ru, 1
+mehdavia.tk, 1
+mehdi-lifestyle.com, 1
+mehdibouchema.be, 1
+mehdimassage.com, 1
+meherbaba.sk, 1
+mehhh.xyz, 1
+mehibo.tk, 1
+mehlogy.com, 1
+mehlvilletermiteandpestcontrolinc.com, 1
+mehmet.net, 1
+mehmetince.net, 1
+mehode.com, 1
+mehostdd.com, 0
+mehrabpurtimes.tk, 1
+mehrgarh.tk, 1
+mehrleben.at, 1
+mehrnevesht.com, 1
+mehrwert.de, 1
+meia.ir, 1
+meiaiai.com, 1
+meideas108.com, 1
+meidev.co, 0
+meierhofer.net, 1
+meiersmarkus.de, 1
+meifacil.com, 1
+meigetsuen1980.com, 1
+meijburg.com, 1
+meikampf.de, 1
+meikan.moe, 1
+meil.se, 1
+meiler.cf, 1
+meilink.eu, 0
+meilleur-casino-bitcoin.com, 1
+meilleur-casino-fiable.com, 1
+meilleursagents.com, 1
+meilleursavis.fr, 1
+meilleursjeuxporno.fr, 1
+meilleurstrucs.com, 1
+meima.cc, 1
+meimeistartup.com, 1
+mein-arabischkurs.de, 1
+mein-betriebsrat.digital, 1
+mein-domizil.at, 1
+mein-es1.de, 1
+mein-gehalt.at, 1
+mein-muehlhausen.bayern, 1
+mein-neuer-garten.de, 1
+mein-restaurant.digital, 1
+mein-webportal.de, 0
+meinadultportalcheck.com, 1
+meinbetriebsrat24.de, 1
+meincenter-meinemeinung.de, 1
+meincoach.at, 1
+meindm.at, 1
+meine-email-im.de, 1
+meine-email-im.net, 1
+meine-finanzanalyse.de, 1
+meine-immofinanzierung.de, 1
+meine-lebensenergie-staerken.de, 1
+meine-mav.digital, 1
+meine-mobile-reiseagentur.de, 1
+meineip.eu, 1
+meineit.dvag, 1
+meinerabatt.de, 1
+meinereiseangebote.de, 1
+meinevorlagen.com, 1
+meineweidegans.at, 1
+meinewolke.pw, 1
+meineziege.de, 1
+meinezuckerbaeckerei.de, 1
+meinflirtportalcheck.com, 1
+meinflirtportalcheck.de, 1
+meinforum.net, 1
+meinhard.com, 1
+meinpalestina.de, 1
+meinpflegedienst.net, 1
+meinstartinsleben.com, 1
+meinstartinsleben.de, 1
+meinstift.ch, 1
+meintragebaby.de, 1
+meinungsplatz.ch, 1
+meinungsplatz.de, 1
+meiqia.com, 0
+meirifuli6.com, 1
+meis.space, 1
+meise.cf, 1
+meise.ml, 1
+meistaramajas.lv, 1
+meister-stuecke.com, 1
+meister-texte.com, 1
+meister-wuttke.de, 1
+meisterlabs.com, 1
+meisternote.com, 1
+meisterplan.com, 1
+meisterplan.io, 1
+meisterprep.com, 1
+meistertask.com, 1
+meistronamai.lt, 1
+meitan.gz.cn, 1
+meitianyixiaobu.com, 1
+meiyi.ga, 1
+meiyouad.com, 1
+mejofi.com, 1
+mejofi.eu, 1
+mejofi.net, 1
+mejofi.nl, 1
+mejofi.org, 1
+mejor-broker.com, 1
+mejor-vpn.com, 1
+mejorator.net, 1
+mejorator.org, 1
+mejorespatineteselectricos.es, 1
+mejorfiltrodeagua.com, 1
+mejovonakowogov.gq, 1
+mejpbs.com, 1
+mekajen.com, 1
+mekaleskirit.tk, 1
+mekanika.com.my, 1
+mekanismo.tk, 1
+mekatro.tech, 1
+mekatronika.tk, 1
+mekatrotekno.com, 1
+mekawy.tk, 1
+mekegi.com, 1
+meken.com, 1
+mekhaodee.com, 1
+mekkaoui.cf, 1
+mekker.dk, 1
+meklon.net, 1
+mekomit.co.il, 1
+mekongmontessori.com, 1
+mel-bet.com, 1
+melagenina.tk, 1
+melanfengshui.com, 1
+melaniatrump.com, 0
+melanie-guy.fr, 1
+melanie-schwarze.de, 1
+melaniebernhardt.com, 1
+melaniec-thebest.tk, 1
+melaniefaucher.ca, 1
+melaniegowen.com, 0
+melaniegruber.de, 1
+melanieschweiger.com, 1
+melanin.cf, 1
+melanto.ro, 1
+melaodealmeirim.pt, 1
+melbar.com.au, 0
+melbet-sp.com, 1
+melbet.com, 1
+melbet.mobi, 1
+melbet27.com, 1
+melbet33011.com, 1
+melbetaffiliates.com, 1
+melbetapp.com, 1
+melbetua.com, 1
+melbourneapartments.website, 1
+melbournebushwalkers.org.au, 1
+melbournecivilcelebrant.tk, 1
+melbournefringe.com.au, 1
+melbournehookah.com.au, 1
+melbournehousesitters.com, 1
+melcher.it, 1
+melchizedek-forum.de, 1
+melda-agustin.tk, 1
+melda.ru, 1
+meldcode-assistent.nl, 1
+melderegister-auskunft.de, 1
+meldjeaan.be, 1
+meldknop.nl, 1
+meldpuntemma.nl, 1
+meldsluikstort.gent, 1
+mele.ro, 1
+melectronics-ostschweiz.ch, 1
+meledia.com, 0
+melenchatsmelenchiens.fr, 1
+melhorproduto.com.br, 1
+meli-deluxe.org, 1
+melicove.com, 1
+melideluxe.org, 1
+melihacar.com.tr, 1
+melikoff.es, 1
+melillimonartesania.com, 1
+melina-schefczyk.de, 1
+melinacurves.com, 1
+melinamay.net, 1
+melino.com.ua, 1
+meliowebweer.nl, 1
+melisica.tk, 1
+melissaadkins.com, 1
+melissaauclaire.com, 1
+melissadeluxe.com, 1
+melissageorge.tk, 1
+melissalb.tk, 1
+melissameuwszen.nl, 1
+meliyb.ga, 1
+melkboshigh.co.za, 1
+melkiran.tk, 1
+melkoghonning.no, 1
+mellenbergerathletics.com, 1
+mellika.ch, 1
+mellonexia.ml, 1
+mellonne.com, 1
+melnessgroup.com, 1
+melodee.de, 1
+melodict.com, 1
+melodija.tk, 1
+melodiouscode.co.uk, 1
+melodiouscode.com, 1
+melodiouscode.net, 1
+melodiouscode.uk, 1
+melody-lyrics.com, 1
+melody.my, 1
+melodycenter.de, 1
+melonhub.com, 1
+melonstudios.net, 1
+melopie.com, 1
+melpomene.me, 1
+melrosemichaels.net, 1
+melrosewi.gov, 1
+meltdownresearch.com, 1
+melted.me, 1
+meltina-hotel.com, 1
+meltybit.com, 1
+melusine.eu, 1
+melvillecity.com.au, 1
+melvinsfrance.tk, 1
+melvintemo.com, 1
+melyssamonroy.com, 1
+mema.recipes, 1
+memberbaz.ml, 1
+memberclicks.net, 1
+memberplushq.com, 1
+members-arbourlake.com, 1
+members-only-shopping.com, 1
+members.nearlyfreespeech.net, 0
+membershipservices.org.uk, 1
+membersolutions.com, 1
+memberstweets.com, 1
+memdoc.org, 1
+meme, 1
+meme.fi, 1
+meme.institute, 1
+memecentral.org, 1
+memecoin.org, 1
+mememan.org, 1
+memememememememe.me, 1
+memento-mori.cf, 1
+memetrash.co.uk, 1
+memez.download, 1
+memind.net, 1
+memiux.com, 1
+memnet.com.au, 1
+memo-linux.com, 1
+memo.ee, 1
+memoire-resistance-ariege.fr, 1
+memoireimplicite.com, 1
+memoirmedie.dk, 1
+memolestas.tk, 1
+memorablewords.org, 1
+memoriaacademy.com, 1
+memorial.com.tr, 1
+memoriaseternizadas.com.br, 1
+memories-factory.pt, 1
+memorind.com, 1
+memoryex.net, 1
+memoryjoggerlibrary.com, 1
+memorylines.ml, 1
+memoryofyou.eu, 1
+memoryplex.com, 1
+memphisrap.com, 1
+memphisthemusical.com, 1
+mempool.chat, 1
+mempool.de, 1
+mempool.ninja, 1
+mempool.space, 1
+memrise.com, 1
+memurvadisi.tk, 1
+men-costumes.tk, 1
+men.com, 1
+menanam.net, 1
+menandsny.gov, 1
+menaraannonces.com, 1
+menardcountyil.gov, 1
+menashawi.gov, 1
+menazimkhan.tk, 1
+menddie.com, 1
+mendekuitxua.tk, 1
+mendel.tk, 1
+menden.com, 1
+mendipbouncycastles.co.uk, 1
+mendix-apps.com, 1
+mendmybackprogram.com, 0
+mendocinocounty.gov, 1
+mendomaps.com, 1
+mendonca.co, 1
+mendonvt.gov, 1
+mendovoice.com, 1
+mendozagenevieve.com, 1
+mendrala.eu, 1
+mendrala.net, 1
+menerga.it, 1
+mengjianjiemeng.com, 1
+mengjiucai.com, 1
+mengliangyun.xyz, 1
+mengma.pub, 1
+mengqingzhong.cn, 1
+mengqingzhong.com, 1
+mengqingzhong.com.cn, 1
+mengyibai.com, 1
+menh.vn, 1
+menhera.org, 0
+menielias.com, 1
+menlo-partner1-admin.com, 1
+menlo-partner1.com, 1
+menlo-vmware.io, 1
+menlo.cloud, 1
+menlo.security, 1
+menlofire.gov, 1
+menlogov-admin.com, 1
+menlogov.com, 1
+menlosecurity.com, 1
+menlosecurity.jp, 1
+menlotraining.com, 1
+menlotraining.net, 1
+menlotraining.org, 1
+menn.tk, 1
+mennace.com, 1
+mennetwork.com, 1
+menno.cloud, 0
+menno.me, 1
+mennohouse.ca, 1
+menole.com, 1
+menole.de, 1
+menole.net, 1
+menomg.com, 1
+menomineecountymi.gov, 1
+menomineemi.gov, 1
+menotag.com, 1
+mens-qzin.jp, 1
+mens-v.com, 1
+mens-watch.tk, 1
+mensagemaniversario.com.br, 1
+mensagemdaluz.com, 1
+mensagensaniversario.com.br, 1
+mensagensdeconforto.com.br, 1
+mensagensperfeitas.com.br, 0
+mensaj.es, 1
+mensajeurbano.tk, 1
+mensajitos.tk, 1
+mensarena.gr, 1
+mensasifrovacka.cz, 1
+mensch-peter.me, 1
+menschocolat.jp, 1
+mensconvoy.tk, 1
+menselijkembryo.tk, 1
+menshaircuts.com, 0
+menshairstylestoday.com, 1
+menshealthcollective.au, 1
+menspeak.ga, 1
+menswear.tk, 1
+mental-check.jp, 1
+mentalcalculations.tk, 1
+mentalcraft.tk, 1
+mentalevolution.tk, 1
+mentalhealthcounselorlicense.com, 1
+mentalhealthmn.org, 1
+mentalhealthtimes.tk, 1
+mentalizes.tk, 1
+mentalpage.com, 1
+mentalproblems.tk, 1
+mentaltraining-fuer-musiker.ch, 1
+mentecuriosa.net, 1
+menteofficial.com, 1
+menterarchitects.com, 1
+mentes-inquietas.tk, 1
+mentesinquietas.tk, 1
+menthiere.fr, 1
+menti.com, 1
+mentimeter.com, 1
+mentiq.az, 1
+mentolo.tk, 1
+mentonein.gov, 1
+mentor.gov, 1
+mentoriademercadeo.com, 1
+mentoringauchan.es, 1
+mentrixpill.com, 1
+menuel.me, 1
+menufree.org, 1
+menuiserie-deumer.be, 1
+menupay.com, 1
+menureader.ml, 1
+menurutparaahli.com, 1
+menzel-motors.com, 0
+menzel4you.tk, 1
+menzietti.it, 1
+meo.cz, 1
+meo.de, 1
+meo.es, 1
+meoption.biz, 1
+meoteam.dk, 1
+meou.pictures, 1
+meow-games.com, 1
+meow.cloud, 0
+meow.enterprises, 1
+meow.plus, 1
+meower.org, 1
+meowstodon.net, 1
+meowtech.network, 1
+mepassport.com, 1
+mepau.com.au, 1
+mepc.jp, 1
+mepcoeng.ac.in, 1
+meperidina.com, 1
+mephedrone.org, 1
+mepresto.com, 1
+meps.net, 1
+mera.ddns.net, 1
+merabsurviladze.com, 1
+meraki.hu, 1
+meralda.eu, 1
+meralda.net, 1
+meralda.org, 1
+meraldamulder.com, 1
+meraldamulder.eu, 1
+meraldamulder.net, 1
+meraldamulder.org, 1
+meran.in, 1
+meransuedtirol.com, 1
+meravirsa.com, 1
+mercadobitcoin.com.br, 1
+mercadocampesino.com.co, 1
+mercadohype.tk, 1
+mercadoleal.com.br, 1
+mercadolibre.cl, 1
+mercadolibre.co.cr, 1
+mercadolibre.com.ar, 1
+mercadolibre.com.bo, 1
+mercadolibre.com.co, 1
+mercadolibre.com.do, 1
+mercadolibre.com.ec, 1
+mercadolibre.com.gt, 1
+mercadolibre.com.hn, 1
+mercadolibre.com.mx, 1
+mercadolibre.com.ni, 1
+mercadolibre.com.pa, 1
+mercadolibre.com.pe, 1
+mercadolibre.com.py, 1
+mercadolibre.com.sv, 1
+mercadolibre.com.uy, 1
+mercadolibre.com.ve, 1
+mercadolibrefz.tk, 1
+mercadolivre.com.br, 1
+mercadopago.cl, 0
+mercadopago.com, 1
+mercadopago.com.ar, 1
+mercadopago.com.br, 1
+mercadopago.com.co, 1
+mercadopago.com.ec, 1
+mercadopago.com.mx, 1
+mercadopago.com.pe, 1
+mercadopago.com.uy, 1
+mercadopago.com.ve, 1
+mercadoprop.la, 1
+mercanix.co.uk, 1
+mercatino-olomouc.cz, 1
+mercatinomusicale.com, 1
+mercatoitticosbt.it, 1
+mercedelectionsca.gov, 1
+mercedes-anciennes.fr, 1
+mercedes-benz-arena-stuttgart.de, 1
+mercedes-benz-kiev.com, 1
+mercedes-benz.art, 1
+mercedes-benz.com.py, 1
+mercelo.com, 1
+mercenaryvfx.com, 1
+mercercountyohio.gov, 1
+mercercountypa.gov, 1
+mercerisland.gov, 1
+merchant-portal.co.kr, 1
+merchantsbankofindiana.com, 0
+merchcity.com, 1
+merchentpro.biz, 1
+merchstudio.ru, 1
+merck-animal-health-usa.com, 1
+merco.com.au, 1
+mercode.eu.org, 1
+mercosuleditora.com.br, 1
+mercredifiction.io, 1
+mercure.dk, 1
+mercury-pool.com, 1
+mercury.com, 1
+mercury.foundation, 0
+mercury.photo, 1
+mercurycards.com, 1
+mercurysquad.tk, 1
+mercyseverity.tk, 1
+merelaager.ee, 1
+merelskleertjes.tk, 1
+merenbach.com, 1
+merenita.eu, 1
+merenita.net, 1
+merenita.nl, 1
+merezha.ua, 1
+mergegroup.com.au, 1
+mergellina.tk, 1
+meribook.com, 1
+meridanas.me, 1
+meridiangroup.ml, 1
+meridianmetals.com, 1
+meridianoshop.com.br, 1
+meridiansteel.co.uk, 1
+meridianstore.com.br, 1
+merikserver.tk, 1
+merionwest.com, 1
+merisia.ca, 1
+meritcb.eu, 1
+meritec.co.uk, 1
+meritsol.com, 1
+meritus.com.au, 1
+merkatal.com, 1
+merkattumaa.tk, 1
+merkchest.tk, 1
+merke.tk, 1
+merkel.me, 1
+merklin.gq, 1
+merlet.eu, 1
+merlin-memorial.de, 1
+merlin.dk, 1
+merlinnot.com, 1
+merlinsmagic.tk, 1
+merlinsoap.com, 1
+merloaded.rocks, 1
+mermakov.info, 1
+mernau.co, 1
+merojob.com, 1
+merpay.com, 1
+merrickcountyne.gov, 1
+merrillanwi.gov, 1
+merrimacwi.gov, 1
+merrison.uk, 1
+merrychristmas.ml, 1
+merryxmas2015.tk, 1
+mersa-co.ir, 1
+merson.org, 1
+merson.tv, 1
+merstham.cricket, 1
+mersthamcc.co.uk, 1
+mertak.cz, 1
+mertcangokgoz.com, 1
+mertuslu.com, 1
+meruhealth.com, 1
+mervart.co.uk, 1
+mervetekinmimarlikinsaat.com.tr, 1
+mervewear.com, 1
+merylholloway.com, 1
+merza.is, 1
+merzai.co.uk, 1
+mes-bouquins.fr, 1
+mes-courriers.fr, 1
+mes-finances.be, 1
+mes-vacances.tk, 1
+mes10doigts.ovh, 1
+mesaazpolice.gov, 1
+mesabi.ga, 1
+mesalancasterpa.gov, 1
+mesappros.com, 1
+mesasysillas.site, 1
+mesbonnesrecettes.com, 1
+mescadeaux.com, 1
+mescaline.com, 1
+mescaline.org, 1
+mescaline.uk, 1
+mescaline.wiki, 1
+mesdagh.be, 1
+mesec.cz, 1
+mesh.gov, 1
+meshachgt.com, 1
+meshdigital.io, 1
+meshekard.co.il, 1
+meshflow.be, 1
+meshflow.net, 1
+meshintranet.com, 1
+meshok.ru, 1
+meshotes.com, 1
+mesjumelles.fr, 1
+meskdeals.com, 1
+meskiukas.tk, 1
+meslekkursu.com, 1
+mesmer.tk, 1
+mesologie-soesterberg.nl, 1
+mesomeds.com, 1
+mesonandino.tk, 1
+mesondelcazador.com, 1
+mesos.cl, 1
+mesothelioma.com, 1
+mesotheliomacentre.tk, 1
+mesotheliomalawfirm-worldwide.tk, 1
+mesquitegcd.gov, 1
+mesquitelandscapeservices.com, 1
+messageclient.gq, 1
+messagely.com, 1
+messagescelestes-archives.ca, 1
+messagevortex.com, 1
+messagevortex.net, 1
+messaha.tk, 1
+messcoutsandguides.tk, 1
+messdorferfeld.de, 1
+messemakine.com, 1
+messen.tk, 1
+messenger.com, 0
+messengerkids.com, 1
+messengersofjoy.net, 1
+messengerupdate.com, 1
+messengerwebbrands.com, 1
+messengerwebdesign.com, 1
+messer24.ch, 1
+messerschmitt-kawasaki.de, 1
+messifan.tk, 1
+messinale.tk, 1
+messinatoday.it, 1
+messonline.tk, 1
+messure.ru, 1
+mestazitrka.cz, 1
+mestovpohybu.cz, 1
+mesuaferrea.com, 1
+mesutates.tk, 1
+mesvision.com, 1
+mesvt.com, 1
+meszlenyiattila.tk, 1
+meta-db.com, 1
+meta-word.com, 1
+meta.com, 1
+meta4.be, 1
+meta48.live, 1
+metaalshopper.nl, 1
+metablog.xyz, 1
+metabound.co.uk, 1
+metabox.io, 1
+metacareers.com, 1
+metachthonia.io, 1
+metaclays.io, 1
+metacoda.com, 1
+metacode.biz, 1
+metacompliance.com, 1
+metacortex.cf, 1
+metacred.com, 1
+metacritic.com, 1
+metadata.be, 1
+metadata.io, 1
+metadedi.net, 1
+metaether.net, 1
+metafiz.ml, 1
+metaformarketing.com, 1
+metagaming.tk, 1
+metaintro.net, 1
+metait.de, 1
+metaiverse.info, 1
+metakari.one, 1
+metal-madness.tk, 1
+metal-news.tk, 1
+metal-rock.tk, 1
+metalarea.ru, 1
+metalargentum.tk, 1
+metalbus.tk, 1
+metalcity.tk, 1
+metalcon.az, 1
+metalcorenews.ga, 1
+metalempire.tk, 1
+metaleonsociety.io, 0
+metalequipped.com, 1
+metalevolution.tk, 1
+metalgie.work, 1
+metalgoth.tk, 1
+metalhouse.tk, 1
+metaljournal.tk, 1
+metaljunkiez.com, 1
+metallbau-gehr.de, 1
+metallheads.tk, 1
+metallictrading.ga, 1
+metalliran.tk, 1
+metallization.tk, 1
+metallobaza.ml, 1
+metalloiskateli.com.ua, 1
+metallomania.it, 1
+metallosajding.ru, 1
+metallrecycling.org, 1
+metalmaniac.tk, 1
+metalmonocle.com, 0
+metalnight.tk, 1
+metalnivrati-iasenko.com, 1
+metalpesado.tk, 1
+metalsoviet.tk, 1
+metaltracks.tk, 1
+metalu.ch, 0
+metalunion.tk, 1
+metalwarrior.tk, 1
+metalweaverscreations.com, 1
+metalworkingexpo.com, 1
+metamorfosis.cf, 1
+metamorphouse.ch, 1
+metanoia8295.com, 1
+metanoiaphotography.com, 1
+metanomial.com, 1
+metanumbers.com, 1
+metapeen.nl, 1
+metaphilic.tk, 1
+metaprivatewealth.com, 0
+metapsychie.com, 1
+metapublic.com, 1
+metasearch.nl, 1
+metaskil.com, 1
+metasolutions.se, 1
+metasophi.com, 1
+metasquare.com.au, 1
+metasquare.nyc, 1
+metastasys.net, 1
+metasurfforecast.com, 1
+metasysteminfo.com, 1
+metaurl.io, 1
+metavr.ru, 1
+metaword.co.jp, 1
+metaword.com, 1
+metaword.net, 1
+metaword.org, 1
+metaximas-taverna.gr, 1
+metayou.gq, 1
+metcalfecountyky.gov, 1
+metebalci.com, 1
+meteo-parc.com, 1
+meteoabegondo.tk, 1
+meteobox.co, 1
+meteobox.com, 1
+meteobox.cz, 1
+meteobox.de, 1
+meteobox.es, 1
+meteobox.fr, 1
+meteobox.mx, 1
+meteobox.pl, 1
+meteobox.sk, 1
+meteobox.tk, 1
+meteocat.net, 1
+meteocuenca.tk, 1
+meteohuertamur.tk, 1
+meteonederbetuwe.nl, 1
+meteopievedicampo.ddns.net, 1
+meteoradar.ch, 1
+meteosat.tk, 1
+meteoweb.eu, 1
+meteowiki.tk, 1
+meter.md, 1
+meterhost.com, 1
+meterinsight.com, 1
+metex.exchange, 1
+metformin365.tk, 1
+methamphetamine.co.uk, 1
+method.com, 1
+methode.com, 1
+methodfactory.com, 1
+methodist.com.tr, 1
+methodprinting.com, 1
+methodsofcare.com, 1
+methotrexatee.gq, 1
+methotrexates.gq, 1
+methuen.gov, 1
+methusalem.tk, 1
+methwhore.date, 1
+methylone.com, 1
+metin2.community, 1
+metin2.download, 1
+metin2.top, 1
+metin2blog.de, 1
+metin2dev.org, 1
+metinarslanturk.com, 1
+metiz.site, 1
+metizsoft.com, 1
+metkos.pl, 1
+metkov.com.ua, 1
+metkovic-news.com, 1
+metmetfamily.fr, 1
+meto.eu.org, 0
+metodomontessoriano.com, 1
+metodosilvaniaderejuvenescimento.com, 1
+metop.de, 1
+metprint.hu, 1
+metradar.ch, 1
+metric.ai, 0
+metricmutt.com, 1
+metrika.ml, 1
+metriks.ru, 1
+metrix-money-ptc.com, 1
+metro-detroit.com, 1
+metro-vet.co.uk, 1
+metro-web.net, 1
+metroarchive.jp, 1
+metrobank.com.ph, 1
+metrobriefs.com, 0
+metrobus.co.uk, 1
+metrocraft2033.tk, 1
+metrodemaracaibo.tk, 1
+metrodemedellin.gov.co, 1
+metrofree.ga, 1
+metrohd.com, 1
+metroline.ml, 1
+metrolisboa.pt, 1
+metrolush.com, 1
+metromark.net, 1
+metron-eging.com, 1
+metron-networks.com, 1
+metron-online.com, 1
+metron.mv, 1
+metronidazolee.gq, 1
+metronik.it, 1
+metronome.ga, 1
+metroparks.net, 1
+metrophone.vn, 1
+metroplanorlando.gov, 1
+metroplex.me, 1
+metropole.com.au, 1
+metropolis.ga, 1
+metropolis5000.tk, 1
+metropolisdawn.de, 1
+metropolisdawn.net, 1
+metropolisil.gov, 1
+metroproductiongroup.com, 1
+metrorealestatepros.com, 0
+metrothessalonikis.tk, 1
+metroval.tk, 1
+metroymca.org, 1
+metrss.com, 1
+metrss.eu, 1
+metrss.net, 1
+metsasta.com, 1
+metsosivut.fi, 1
+metspoedbeschikbaar.nl, 1
+mettelenejohansson.dk, 1
+mettin.org, 1
+metu.social, 1
+metver.tk, 1
+metyweb.ga, 0
+metzgermark.com, 1
+meuautotrac.com.br, 1
+meubanco7.com.br, 1
+meubebepa.com.br, 1
+meublesrosa.be, 1
+meuemby.com, 1
+meugamer.com, 1
+meugibi.com, 1
+meulenerkes.tk, 1
+meulivro.biz, 1
+meulk.co.uk, 1
+meulocal.ml, 1
+meuneneoficial.com.br, 1
+meupatrocinio.com, 1
+meurisse.org, 1
+meusartis.ca, 1
+meuscabeloscacheados.com.br, 1
+meusextosentido.com, 1
+meusucesso.com, 1
+meutia.net, 1
+mevanshop.com, 1
+mevaturizm.com.tr, 1
+meveydesign.tk, 1
+mevissenpsychotrauma.nl, 1
+mevrouwtjepeper.nl, 0
+mevsalud.cl, 1
+mew.build, 1
+mew.vn, 1
+mex-it-up.com, 1
+mexaliu.ml, 1
+mexby.com, 1
+mexicankrill.com, 1
+mexico.rs, 1
+mexico.sh, 1
+mexicobeachfl.gov, 1
+mexicocsd.gov, 1
+mexicodental.co, 1
+mexicojetcharter.com, 1
+mexicom.org, 1
+mexicosrit.tk, 1
+mexior.nl, 1
+mexiquilanj.com, 1
+mexticket.com, 1
+meyafloors.com, 1
+meyateks.com, 1
+meydan.tv, 1
+meyer-horn.de, 1
+meyeraviation.com, 1
+meyersconstructionandconsulting.com, 1
+meypell.com, 1
+meyrawinkel.nl, 1
+meys.io, 1
+mezcal.amsterdam, 1
+mezedokamomata.tk, 1
+meziblog.cz, 1
+mezinfo.tk, 1
+mezio.pt, 1
+mezquetillas.tk, 1
+mezzanine.net, 1
+mezzehuis.be, 1
+mezzoettaro.it, 1
+mf-fischer.de, 1
+mf-natuurfotografie.nl, 1
+mf.me, 1
+mfa.tw, 1
+mfactory.ca, 1
+mfamonitor.com, 1
+mfatravaux.fr, 1
+mfavis.com, 1
+mfcentral.com, 1
+mfdy66.com, 1
+mfedderke.com, 0
+mfen.de, 1
+mfg-fx.com, 1
+mfgo.link, 1
+mfgusa.com, 1
+mfiles.pl, 1
+mfinanse.pl, 1
+mfischer-it.de, 0
+mfits.co.uk, 1
+mflodin.se, 1
+mfmarquesantos.pt, 1
+mfoda-eg.com, 1
+mforum.com.au, 1
+mfotel.pl, 1
+mfpccprod.com, 1
+mfr-lameignanne.fr, 1
+mfrepair.com, 1
+mft-license.com, 1
+mft.global, 1
+mfxbe.de, 0
+mfxer.com, 1
+mfxm.fr, 1
+mfyy123.com, 1
+mg-case.com, 1
+mgaconsulting.org.uk, 1
+mgae.com, 1
+mgaroz.pro, 1
+mgatreeservices.com, 1
+mgc.com.tr, 1
+mgclercoh.gov, 1
+mgcs.org, 1
+mgdigitalmarketing.com.au, 1
+mgf.mx, 1
+mgfashion.ae, 1
+mgfgroup.ca, 1
+mgfgroup.com, 1
+mgfgroup.mx, 1
+mgfgroup.us, 1
+mgfnow.com, 1
+mgfpatrimoine.com, 1
+mghiorzi.com.ar, 0
+mghw.ch, 1
+mgi.gov, 1
+mgic.com, 1
+mgientertainment.com, 1
+mgis.com, 1
+mgkl.ru, 1
+mgknet.com, 1
+mgldiffusion.fr, 1
+mglobalservices.com, 1
+mgmd.org, 1
+mgmeet.com, 1
+mgmpic.com, 1
+mgmultiservicessrl.it, 1
+mgo-ostenfelde.tk, 1
+mgonline.tk, 1
+mgousse.tk, 1
+mgr-dev.tech, 1
+mgrcred.online, 1
+mgriff.id.au, 1
+mgrossklaus.de, 0
+mgrt.net, 1
+mgsdb.com, 1
+mgsisk.com, 1
+mgtbaas.eu, 1
+mgvideo.com.au, 1
+mh-cdn.de, 1
+mh-hannover.de, 0
+mh.com.fj, 1
+mh2.in, 1
+mha.fi, 1
+mhabdullah.tk, 1
+mhadegree.org, 1
+mhadot.com, 1
+mhainfantandtoddler.com, 1
+mhalfter.de, 1
+mhammerbacher.me, 1
+mhand.org, 1
+mhasika.tk, 1
+mhastey.com, 1
+mhatlaw.com, 1
+mhcdesignstudio.com, 1
+mheistermann.de, 1
+mhermans.nl, 1
+mhf.gc.ca, 1
+mhg-platform.com, 1
+mhgeay.fr, 1
+mhginsurance.com, 1
+mhh.de, 0
+mhi.com, 1
+mhi.web.id, 1
+mhiler.com, 1
+mhilger.de, 1
+mhjuma.com, 1
+mhmfoundationrepair.com, 1
+mhonline.fr, 1
+mhtdesign.net, 1
+mhuig.top, 1
+mhurologytriad.org, 1
+mi-amigo.tk, 1
+mi-beratung.de, 1
+mi-ras.ru, 1
+mi.ras.ru, 1
+mi.sc, 1
+mi1k.cn, 1
+mi80.com, 1
+mia-manager.dk, 1
+mia.gent, 1
+mia.tw, 0
+mia3d.fr, 1
+miaadler.net, 1
+miaairportvillas.com, 1
+miability.com, 1
+miablow.net, 1
+miacuario.cl, 1
+miadennees.com, 1
+miagentemicasa.com, 1
+miagexport.com, 1
+miah.top, 1
+miaha.ch, 1
+mialma.live, 1
+miami.gov, 1
+miamibeachcommunitychurch.com, 1
+miamicountyohioauditor.gov, 1
+miamidadeclerk.gov, 1
+miamifl.casa, 1
+miamifl.homes, 1
+mianbao.ga, 1
+mianfei.us, 1
+miankamran.tk, 1
+mianra.ddns.net, 1
+miao.team, 1
+miaoft.com, 0
+miaovps.com, 0
+miaowo.org, 1
+miap.eu, 1
+miarecki.eu, 1
+miartwalk.com, 1
+miasarafina.de, 1
+miasegurado.com, 1
+miasma.tk, 1
+miasonne.com, 1
+miatabox.com, 1
+miatfactory.be, 1
+miatgent.be, 1
+miathepintzu.com, 1
+miavierra.org, 1
+miaw.ooo, 1
+mibaso.com, 1
+mibeneficio.cl, 1
+mibh.de, 1
+miboulot.com, 1
+mibuiin.com, 1
+mica-zeitz.de, 1
+mica.ml, 1
+micado-software.com, 1
+micah.soy, 1
+micamisetaestampada.com, 1
+micanetic.com, 1
+micareklamajansi.com, 1
+micasayestilo.com, 1
+micase.info, 1
+micatalogo.club, 1
+micay.ca, 1
+micbase.com, 1
+miccaldo.tk, 1
+miccgolf.com, 1
+miccomi.com, 1
+micdagostini.com, 1
+michadenheijer.com, 1
+michael-glaser.de, 1
+michael-hess.com, 1
+michael-r.ddns.net, 1
+michael-r.dynv6.net, 1
+michael-rigart.be, 1
+michael-schefczyk.de, 1
+michael-schilling.de, 0
+michael-simon.de, 1
+michael-steinhauer.eu, 1
+michael.band, 1
+michael.com, 1
+michael.ie.eu.org, 1
+michael.zone, 1
+michaelabbas.tk, 1
+michaelamead.com, 1
+michaelasawyer.com, 1
+michaelband.co, 1
+michaelband.com, 1
+michaelbeer.co.uk, 1
+michaelbondar.tk, 1
+michaelboogerd.tk, 1
+michaelcailloux.com, 1
+michaelcassar.com, 1
+michaelcrane.live, 1
+michaeldancot.com, 1
+michaeldjoseph.com, 1
+michaeleisen.org, 1
+michaelessek.com, 1
+michaelfoods.com, 1
+michaelglaser.de, 1
+michaelgroves.tk, 1
+michaelgwynn.tk, 1
+michaelhastrich.nl, 1
+michaelhayes.tk, 1
+michaelhebblethwaite.com, 1
+michaelholidaybooks.com, 1
+michaeliannetta.tk, 1
+michaeliscorporation.com, 1
+michaelismold.com, 1
+michaelizquierdo.com, 1
+michaeljames.com.au, 1
+michaeljdennis.com, 0
+michaeljohnsrestaurant.com, 1
+michaelkennedy.ie, 1
+michaelkiske.tk, 1
+michaelkleinert.de, 1
+michaelklos.nl, 1
+michaelkorsgill.tk, 1
+michaelkuehn.tk, 1
+michaell.io, 1
+michaelleibundgut.com, 1
+michaelliunsky.cn, 1
+michaelloveys.com, 1
+michaeln.net, 1
+michaelolson.blog, 1
+michaelpelletterie.it, 1
+michaelpfrommer.de, 1
+michaelpfrommer.pub, 1
+michaelpmullally.com, 1
+michaelrigart.be, 1
+michaelschmidt.ch, 1
+michaelschubert.com, 0
+michaelschule-rheine.de, 1
+michaelsnoeren.nl, 0
+michaelstoffer.com, 1
+michaeltaboada.me, 1
+michaeltittes.de, 1
+michaeltruskowski.com, 1
+michaelvician.me, 0
+michaelwermeester.com, 1
+michaelwmckinney.com, 1
+michaelworth.au, 1
+michal-klabnik.com, 1
+michal-klabnik.cz, 1
+michal-spacek.com, 1
+michal-spacek.cz, 1
+michalchomo.eu, 1
+michaldudek.it, 1
+michalinastrzyz.xyz, 1
+michalis.xyz, 1
+michalklabnik.com, 1
+michalklabnik.cz, 1
+michalkral.tk, 1
+michalkunicki.pl, 1
+michalmlozniak.com, 1
+michalpodraza.pl, 1
+michalspacek.com, 1
+michalspacek.cz, 1
+michalstepar.cz, 1
+michalszotkowski.cz, 1
+michalwiglasz.cz, 1
+michaonline.de, 1
+micharts.biz, 1
+michasfahrschule.com, 1
+michel-cloud.de, 1
+michel-kratochvil.tk, 1
+michel-pilaert.coach, 1
+michel-wein.de, 1
+micheladisavino.tk, 1
+michelangelo1978.com, 1
+michelangelofoundation.org, 1
+michelbenita.com, 1
+michelcoumes.com, 1
+micheldoultremont.com, 1
+michele.ga, 1
+michelegreenmd.com, 1
+michelgolfier.ml, 1
+michelinb2b.com, 1
+michelinmedia.com, 1
+michelkok.tk, 1
+michellavat.com, 1
+michelledonelan.co.uk, 0
+michellelowery.com, 1
+michelletmc.com, 1
+michelletrachtenberg.tk, 1
+michelskovbo.dk, 1
+micheltronchetti.fr, 1
+michelwolf.ch, 1
+michey.tk, 1
+michielbijland.nl, 1
+michielskleding.be, 1
+michielvanfastenhout.nl, 1
+michielwalrave.tk, 1
+michig.tk, 1
+michiganacousticneuroma.com, 1
+michiganautolaw.com, 1
+michiganearhearing.com, 1
+michiganhealth.tk, 1
+michiganrebates.com, 1
+michigantestingairbalancing.com, 1
+michilaw.com, 1
+michmexguides.com.mx, 1
+michu-it.com, 1
+michu.pl, 1
+mick.au, 1
+mickael.org, 1
+mickaelbonnard.fr, 1
+mickel.tk, 1
+mickelvaessen.com, 1
+mickey-krasilnikov.com, 1
+mickeyspizzalincolnpark.com, 1
+mickybottenberg.com, 1
+mickyfanclub.tk, 1
+micled.com, 1
+micled.net, 1
+micled.org, 1
+micluz.shop, 1
+micoff.tk, 1
+micolab.com, 1
+micompa.co, 1
+micon.ro, 1
+micospa.gq, 1
+micourt.gov, 1
+micr0lab.org, 1
+micra.org.uk, 1
+micrm.vn, 1
+micro-credit.tk, 1
+microbiologist.tk, 1
+microbiologyinfo.com, 1
+microbiota-insect-vectors.group, 1
+microbiote-insectes-vecteurs.group, 1
+microbird.club, 1
+microblink.com, 1
+microcert.cn, 1
+microchains.network, 1
+microcomploja.com.br, 1
+microcosm.com, 1
+microdata.es, 1
+microdesic.com, 1
+microdot.fr, 1
+microdots.de, 1
+microdrive.pt, 1
+microferma.site, 1
+microfinance-crimea.ru, 0
+microfusa.com, 1
+microgroove.jp, 1
+microhydrony.org, 1
+microjovem.pt, 1
+microl.ink, 1
+microland.one, 1
+microloan.pk, 1
+microlog-online.de, 1
+microlog.org, 1
+micromagic.fi, 1
+micromaid.cf, 1
+micromata.de, 1
+micromicro.cc, 1
+micronotfound.gq, 1
+micropigmentacaobh.com.br, 1
+micropigmentadordesucesso.com, 1
+micropigpets.com, 1
+microsoft, 1
+microsoftedgeinsider.com, 1
+microtel2notch.tk, 1
+microtube.tk, 1
+microvb.com, 1
+microwesen.de, 1
+microworkers.com, 1
+microzubr.com, 1
+micruity.com, 1
+mics-notrack.com, 1
+micsell.com, 1
+micsoft.gq, 1
+miculturaservicios.gob.do, 1
+micxel.com.au, 1
+midaero.co.uk, 1
+midair.io, 1
+midam.sk, 1
+midamericapiering.com, 1
+midasauctions.com, 1
+midasbay-free.ml, 1
+midcarolinaregionalairport.com, 1
+midcarolinaregionalairport.org, 1
+midcolumbiainsurance.com, 1
+middag.com.br, 1
+middelstaedt.com, 1
+middle-way.de, 1
+middleboroughma.gov, 1
+middleeasy.com, 1
+middlesbroughmoneyman.com, 1
+middlesexpolicenc.gov, 1
+middlesexwoodpigeonclub.co.uk, 1
+middletonshoppingcentre.co.uk, 1
+middletowndelcopa.gov, 1
+middletownny.gov, 1
+middletownri.gov, 1
+middleware.services, 1
+mide.gob.do, 1
+midea.kg, 1
+mideo.tk, 1
+midesa.eu, 1
+midesa.it, 1
+midgawash.com, 1
+midi-coquillages.com, 1
+midi-olympique.fr, 1
+midia.tk, 1
+midiaid.de, 0
+midial.cz, 1
+midiet.co.za, 1
+midilibre.fr, 1
+midislandrealty.com, 0
+midkam.ca, 1
+midlandcountymi.gov, 1
+midlandsfundays.co.uk, 1
+midlandslotus.co.uk, 1
+midlandsphotobooths.co.uk, 1
+midmichiganasphaltpaving.com, 1
+midnight-gaming-community.tk, 1
+midnightmango.co.uk, 1
+midnightmechanism.com, 1
+mido.ga, 1
+mido4link.tk, 1
+midohiowsd.gov, 1
+midos.house, 1
+midpss.lt, 1
+midrange.com, 1
+midress.club, 1
+midrra.com, 1
+midspace.co.uk, 1
+midspss.lt, 1
+midstatebasement.com, 1
+midterm.us, 1
+midtownflooring.ca, 1
+midtownsmilesdentalcare.com, 1
+midville-ga.gov, 1
+midwaycitysanitaryca.gov, 1
+midwayrecovery.com, 1
+midwest-hidta.gov, 1
+midwest737simulations.com, 1
+midwestbloggers.org, 1
+midwestdfe.com, 1
+midwestinjurylawyers.com, 1
+midwestragdolls.com, 1
+midwestrecyclingcorp.com, 1
+midwife360.com, 1
+midwifeschooling.com, 1
+midyatotantik.tk, 0
+midyefilesi.com.tr, 1
+miedge.net, 1
+miegl.com, 1
+miegl.cz, 1
+mielboreal.com, 0
+mieldemexico.us, 1
+mielelpinsapar.com, 0
+mielke-it.ch, 1
+miem.us, 1
+miembarcacion.com, 1
+miemus.eu, 1
+mieresabadus.ro, 1
+mierloiu.ro, 1
+miesmuschel.tk, 1
+mieszkania-wroclaw.tk, 1
+mieterschutzkartei.de, 1
+mietwohnungen-vermietung.com, 1
+mieuxgrandir.ch, 0
+mifacturabolivia.com, 1
+mifflincountypa.gov, 1
+miffy.me, 1
+mifirm.net, 0
+miftahulteknik.com, 1
+mig5.net, 1
+mig81.com, 1
+migg.it, 1
+miggy.org, 1
+mighit.ml, 1
+mightycause.com, 1
+mightyfive.tk, 1
+mightyjo.org, 1
+mightytext-ios.tk, 1
+mightytips.biz, 1
+mightytips.com.br, 1
+mightytips.hu, 1
+migliorailtuoambiente.it, 1
+miglioricasinoonline.info, 1
+migliorisitiincontri.it, 1
+mignet.io, 1
+mignonne.com, 1
+mignonneapi.com, 1
+migrafill.net, 1
+migraine-en-werk.nl, 1
+migrainereliefplan.com, 1
+migrantskillsregister.org.uk, 1
+migrantworker.gov, 1
+migraplus.ru, 1
+migratiolex.com, 1
+migrations.tk, 1
+migrinfo.fr, 1
+miguel-platteel.fr, 1
+miguel.pw, 1
+miguelalonso.tk, 1
+miguelangeljulvez.com, 1
+miguelcollections.com, 1
+miguelcolmenares.com, 1
+migueldemoura.com, 1
+migueldominguez.ch, 0
+miguelgfierro.com, 0
+miguelito.tk, 1
+miguelmenendez.pro, 1
+miguelmoura.com, 1
+migueloblitas.tk, 1
+miguelpallardo.tk, 1
+miguia.tv, 1
+mihaiordean.com, 1
+mihaiturcu.ninja, 1
+mihalgrameno.ml, 1
+mihalicka.com, 1
+mihanwebtest.tk, 1
+miharu.moe, 1
+mihaylov.tk, 1
+mihgroup.eu.org, 1
+mihgroup.net, 1
+mihir.ch, 1
+mihirsingh.com, 1
+mihnea.net, 1
+mihu233.com.cn, 1
+miih-kiosk.com, 1
+miimhort.com, 1
+miisy.com, 1
+miisy.eu, 1
+miisy.me, 1
+miit-informain.pt, 1
+mija-fotografie.de, 1
+mijam.xyz, 1
+mijlanduitvaartzorg.nl, 1
+mijn-maagband.tk, 1
+mijnafspraak.nl, 1
+mijnblog.nl, 1
+mijncloud.space, 1
+mijndiad.com, 1
+mijndiad.nl, 1
+mijnejk.nl, 1
+mijnenergiemissie.nl, 1
+mijnetz.nl, 1
+mijngeldcoach.nl, 1
+mijngent.be, 1
+mijnhosting.org, 0
+mijnkantoor.net, 1
+mijnkerstkaarten.be, 1
+mijnkwadraad.nl, 1
+mijnmedirisk.nl, 1
+mijnnaamdag.nl, 1
+mijnonesie.nl, 1
+mijnrecepten.be, 1
+mijnrecepten.com, 1
+mijnrecepten.eu, 1
+mijnrecepten.nl, 1
+mijnreisoverzicht.nl, 1
+mijnsite.ovh, 1
+mijnstembureau-aaenhunze.nl, 1
+mijnstembureau-almere.nl, 1
+mijnstembureau-alphen-chaam.nl, 1
+mijnstembureau-amersfoort.nl, 1
+mijnstembureau-amsterdam.nl, 1
+mijnstembureau-baarle-nassau.nl, 1
+mijnstembureau-beek.nl, 1
+mijnstembureau-beuningen.nl, 1
+mijnstembureau-boekel.nl, 1
+mijnstembureau-coevorden.nl, 1
+mijnstembureau-denhelder.nl, 1
+mijnstembureau-dijkenwaard.nl, 1
+mijnstembureau-enschede.nl, 1
+mijnstembureau-geldrop-mierlo.nl, 1
+mijnstembureau-gilzerijen.nl, 1
+mijnstembureau-goirle.nl, 1
+mijnstembureau-groningen.nl, 1
+mijnstembureau-haarlemmermeer.nl, 1
+mijnstembureau-harderwijk.nl, 1
+mijnstembureau-helmond.nl, 1
+mijnstembureau-hilvarenbeek.nl, 1
+mijnstembureau-hollandskroon.nl, 1
+mijnstembureau-kerkrade.nl, 1
+mijnstembureau-koggenland.nl, 1
+mijnstembureau-leiden.nl, 1
+mijnstembureau-leiderdorp.nl, 1
+mijnstembureau-loonopzand.nl, 1
+mijnstembureau-losser.nl, 1
+mijnstembureau-midden-groningen.nl, 1
+mijnstembureau-molenlanden.nl, 1
+mijnstembureau-oisterwijk.nl, 1
+mijnstembureau-oosterhout.nl, 1
+mijnstembureau-pekela.nl, 1
+mijnstembureau-rijssen-holten.nl, 1
+mijnstembureau-s-hertogenbosch.nl, 1
+mijnstembureau-schagen.nl, 1
+mijnstembureau-staphorst.nl, 1
+mijnstembureau-steenbergen.nl, 1
+mijnstembureau-tynaarlo.nl, 1
+mijnstembureau-utrecht.nl, 1
+mijnstembureau-veendam.nl, 1
+mijnstembureau-waadhoeke.nl, 1
+mijnstembureau-waalre.nl, 1
+mijnstembureau-weert.nl, 1
+mijnstembureau-westerwolde.nl, 1
+mijnstembureau-wierden.nl, 1
+mijnstembureau-woensdrecht.nl, 1
+mijnstembureau-zoetermeer.nl, 1
+mijnstembureau-zundert.nl, 1
+mijnstembureau-zwijndrecht.nl, 1
+mijnstembureau.nl, 1
+mijntelefoonboek.com, 1
+mijntransacties.nl, 0
+mijnvogaanvraag.nl, 1
+mijnwefact.nl, 1
+mika.moe, 1
+mikado-rybak.ru, 1
+mikadoe.nl, 1
+mikaelf.com, 0
+mikaeljansson.net, 1
+mikaelk.tk, 1
+mikaelkulig.com, 1
+mikaila.tk, 1
+mikakalathil.ca, 1
+mikakalevi.com, 1
+mikaknuutila.com, 1
+mikaknuutila.fi, 1
+mikaknuutila.photography, 1
+mikalikes.men, 1
+mikanakashima.com, 1
+mike-bland.com, 1
+mike-burns.com, 1
+mike-et-pascale-sanger.com, 1
+mikeandemily.duckdns.org, 1
+mikeblog.site, 1
+mikebolynnbuilders.com, 1
+mikeburns.tk, 1
+mikecapson.com, 0
+mikecb.org, 1
+mikechasejr.tk, 1
+mikegao.org, 1
+mikegerwitz.com, 1
+mikeguy.co.uk, 1
+mikehamburg.com, 1
+mikeklidjian.com, 1
+mikekreuzer.com, 1
+mikelawson.com, 1
+mikelpradera.tk, 1
+mikelundpainting.com, 1
+mikemcgeephotography.com, 1
+mikemooresales.com, 1
+mikeowens.us, 1
+mikeprocopio.com, 1
+mikerichards.email, 0
+mikerichards.gallery, 0
+mikerichards.photography, 0
+mikerichards.photos, 0
+mikerichards.pictures, 0
+mikerichardsphotography.com, 0
+mikeschaffnerphotography.com, 1
+mikesplumbingswfl.com, 0
+mikesystems.tk, 1
+miketabor.com, 1
+miketheuer.com, 1
+mikethiessen.net, 1
+mikevesch.com, 1
+mikewestonline.com, 1
+mikewieland.ch, 1
+mikewillia.ms, 1
+mikewrites.online, 1
+mikeybot.com, 1
+mikeylab.com, 1
+mikeyroxtravels.com, 1
+mikhail-youzhny.tk, 1
+mikhailkolesnikov.tk, 1
+mikhalt.tk, 1
+mikhirev.ru, 1
+mikhlevich.ru, 1
+miki-boras.de, 1
+miki.community, 1
+miki.it, 1
+mikiclinic-sendai.com, 1
+mikino.cf, 1
+mikino.ga, 1
+mikino.gq, 1
+mikino.ml, 1
+mikkei.space, 1
+mikkel.cc, 1
+mikkelladegaard.dk, 0
+mikkelscheike.com, 1
+mikkelvej.dk, 1
+mikkohuupponen.com, 1
+mikkonen.bio, 1
+mikkonen.com, 1
+miklcct.com, 1
+miklima.pl, 1
+mikodojo.tk, 1
+mikonmaa.fi, 1
+mikori.sk, 1
+mikorrhiza-gomba.hu, 1
+mikos.tk, 1
+mikoulloa.com, 1
+mikper.com, 1
+mikrokosmos.tk, 1
+mikropixel.de, 1
+mikrotech.co.za, 1
+mikrothink.com, 1
+mikrotike.tk, 1
+mikrozajmy-na-kartu.cf, 1
+miku-doujin.com, 1
+miku.cloud, 1
+miku.party, 1
+miku.tips, 1
+mikumiku.stream, 1
+mikunosworld.com, 1
+mikusa.xyz, 1
+mikysgrill.it, 1
+mil-spec.ch, 0
+mil.ee, 0
+mil0.com, 1
+milacronindia.com, 1
+milaelaine.net, 1
+milagrotequila.com, 1
+milahendri.com, 1
+milakirschner.de, 1
+milan-news.ml, 1
+milaneziadvocacia.com, 1
+milani.io, 1
+milania.de, 1
+milanm.org, 1
+milanmi.gov, 1
+milano-web.it, 1
+milanoclownfestival.tk, 1
+milanodigitalweek.com, 1
+milanotoday.it, 1
+milanow67.ml, 1
+milanpala.cz, 0
+milanstephan.de, 0
+milanvit.net, 1
+milanvreeken.nl, 1
+milapopovich.com, 1
+milasescmagazin.tk, 1
+milatlumaczenia.pl, 1
+milavica.tk, 1
+milavicca.tk, 1
+milbournequine.co.uk, 1
+milcahsmusings.com, 1
+milchweg.com, 1
+milcrofton.gov, 1
+mildridesua.com, 1
+mile6.com, 1
+milehighmedia.com, 1
+mileme.com, 1
+milenaria.es, 1
+mileonapp.com, 1
+miles-and-more-kreditkarte.com, 0
+milesaddict.com, 1
+milesapart.dating, 1
+milescitymt.gov, 1
+milesconsulting.io, 1
+milesdewitt.com, 1
+milestonehotel.com, 1
+milestonemachine.com, 1
+milestonephysicaltherapy.ca, 1
+miletic.net, 1
+mileyweasel.de, 1
+milfanaltube.com, 1
+milfbank.com, 1
+milfed.com, 1
+milfedin.com, 1
+milfgalleries.com, 1
+milfhunter.com, 1
+milfmoms.tv, 1
+milfordfiremi.gov, 1
+milfordtwpmi.gov, 1
+milfporn.tv, 1
+milfpornograph.com, 1
+milfsection.com, 1
+milhistwiki.tk, 1
+milhoazul.com.br, 1
+miliodemendralejo.tk, 1
+militaria.hu, 1
+military-equipment.tk, 1
+military-veteran.com, 1
+militaryaviationsafety.gov, 1
+militaryconsumer.gov, 1
+militaryfetish.tk, 1
+militaryonesource.mil, 1
+militarypumps.com, 1
+militarysrit.tk, 1
+miliumnet.tk, 1
+milivcounty.gov, 1
+milk.games, 1
+milkaalpesiutazas.hu, 1
+milkacat.com, 1
+milkagyengedseg.hu, 1
+milkaholic.ml, 1
+milkameglepetes.hu, 1
+milkbarncreamery.com, 1
+milkice.me, 1
+milkingit.net, 1
+milkingmachine.tk, 1
+milkmoovement.io, 1
+milkopet.com, 1
+milktea.info, 0
+milkteacant.com, 1
+milkwoodrestaurant.com, 0
+milkyperu.com, 1
+milkypond.org, 1
+milkywan.fr, 1
+milladeo.tk, 1
+millalex.com, 1
+millant.ovh, 1
+millasexshopoficial.com.br, 1
+millburyma.gov, 1
+millcreekut.gov, 1
+millcreekwa.gov, 1
+millefleurs.eu, 1
+millennialbella.net, 1
+millennium-thisiswhoweare.net, 1
+millenniumfalcon.org, 1
+millenniumhotels.com, 1
+millenniumweb.com, 0
+miller-alex.de, 1
+miller-shop.cf, 1
+milleralarms.co.uk, 1
+millerandzois.com, 1
+millercountyga.gov, 1
+millercountymo.gov, 1
+millerfabricationsolutions.com, 1
+millerfamilyfarmtx.com, 1
+millermotorswestbank.com, 1
+milleron.net, 1
+milleron.xyz, 1
+millesime-communication.fr, 1
+millettable.com, 1
+millhill.org.uk, 1
+millhousen.tech, 1
+milliarden-liste.de, 1
+millibirlik.tk, 1
+millibitcoin.jp, 1
+milliecdn.com, 1
+milliegrace.org, 1
+millikart.az, 1
+millionaireclub.tk, 1
+millionairemethodsacademy.tk, 1
+millionairessecrets.com, 1
+millioncloud.org, 1
+millioncombolist.tk, 1
+milliongrounds.com, 1
+millionlearn.org, 1
+millionmakers.com, 1
+millionseha.com, 1
+millistice.com, 1
+millistream.com, 1
+millix.com, 1
+millnet.cloud, 1
+millonario.tk, 1
+millscountyiowa.gov, 1
+millscountytx.gov, 1
+millsidecentre.org, 1
+milltime.se, 1
+millwooddentalcentre.com, 1
+millwoodwa.gov, 1
+milmesetas.com, 1
+milmiedos.tk, 1
+milmmed.ru, 1
+milnerga.gov, 1
+milodistradfallning.com, 1
+milomedia.net, 1
+milor.nl, 1
+milosguide.dk, 1
+milpitas.gov, 1
+milr.dk, 1
+miltau.de, 1
+miltonga.gov, 1
+miltontwpmi.gov, 1
+miltor.by, 1
+miltor.com.ua, 1
+miltor.ru, 1
+miluneetsens.fr, 1
+milvilla.com, 1
+milvus.com.br, 1
+milwaukee-webdesigner.com, 1
+milwaukeecreative.com, 1
+milwaukeeinternational.tk, 1
+milwaukeetool.eu, 1
+mim-standaard.nl, 1
+mim.am, 1
+mim.properties, 1
+mimamau.de, 1
+mimavision.ddns.net, 1
+mimemo.io, 1
+mimemoriadepez.com, 1
+mimeo.digital, 1
+mimercadillo.tk, 1
+mimgnj.com, 1
+mimikov.cz, 1
+mimithedog.com, 1
+mimm.gov, 1
+mimocad.io, 1
+mimoesthetic.com, 1
+mimonia.cf, 1
+mimonia.ga, 1
+mimonia.gq, 1
+mimorin.tk, 1
+mimovrste.com, 1
+mimoza.tk, 1
+mimscellaneous.com, 1
+mimumimu.net, 1
+mimundodxn.com, 1
+mimusic.cf, 1
+min-forsyning.dk, 1
+min.io, 1
+min.kiwi, 0
+min2.ru, 1
+minacssas.com, 1
+minademonic.org, 1
+minaio.tk, 1
+minakov.pro, 1
+minamassimo.org, 1
+minamisouma-furusato.jp, 1
+minamo.io, 1
+minantavla.se, 0
+minapan.ro, 1
+minapin.com, 1
+minaprine.com, 1
+minasfor.com.br, 1
+minatokucarpet.com, 1
+minced.cf, 1
+minclaw.com, 1
+mincom.ga, 1
+mind-books.gq, 1
+mind-box.ch, 0
+mind-drama.com, 1
+mind-farma.com, 1
+mind-hochschul-netzwerk.de, 1
+mind-media.com, 1
+mind-moves.es, 1
+mindandfull.ga, 1
+mindask.tk, 1
+mindblown.pl, 1
+mindbounce.com, 1
+mindbox.cat, 1
+mindbuild.com, 1
+mindcms.nl, 1
+mindcoding.ro, 1
+mindcraft.ga, 1
+minddistortion.tk, 1
+minddrive.cf, 1
+mindeasy.co.nz, 1
+mindenitt.ga, 1
+mindequityinternational.com, 1
+mindera.com, 0
+mindfab.de, 1
+mindfactory.de, 1
+mindflowmarketing.com, 1
+mindfulnessjourney.ca, 1
+mindhand.com, 1
+mindjee.tk, 1
+mindleaking.org, 1
+mindmax.fi, 1
+mindmeister.com, 1
+mindmusic.online, 1
+mindmynature.com, 1
+mindomo.com, 1
+mindonmymoney.nl, 1
+mindox.com.br, 1
+mindprod.com, 1
+mindrepair.net, 1
+mindresti.tk, 1
+mindrnd.com, 1
+mindscapephotos.de, 1
+mindset-energie.ch, 1
+mindsight.com.br, 1
+mindspliteffect.tk, 1
+mindstream.one, 1
+mindthe5.com, 1
+mindthe5.org, 1
+mindtherock.com, 1
+mindtickle.com, 1
+mindvsmind.tk, 1
+mindwork.space, 1
+mindywalker.co, 1
+mine-craftlife.com, 1
+mine-pixl.de, 1
+mine-temoin.fr, 1
+mine260309.me, 0
+minebbs.com, 1
+minebitcoin.tk, 1
+minecity.fun, 1
+minecraft-forum.eu, 1
+minecraft-game.ga, 1
+minecraft-server.eu, 1
+minecraft.buzz, 1
+minecraft.com.br, 1
+minecraft.social, 1
+minecraft.vip, 1
+minecraft.wiki, 1
+minecraftbestroyale.gq, 1
+minecraftdolarcube.gq, 1
+minecrafteasy.gq, 1
+minecraften.net, 0
+minecraftforever.tk, 1
+minecraftforum.de, 1
+minecraftforum.fun, 1
+minecraftforum.ovh, 1
+minecraftgoldwar.tk, 1
+minecraftgta5.ml, 1
+minecraftjustone.ga, 1
+minecraftnewserie.tk, 1
+minecraftonlinesfull.tk, 1
+minecraftrealgold.gq, 1
+minecraftrealgold.ml, 1
+minecraftruns.ml, 1
+minecrafts.gq, 1
+minecraftstal.com, 1
+minecraftwin.gq, 1
+minecraftx.ml, 1
+minefields.tk, 1
+minefort.com, 1
+minehash.tk, 1
+minehattan.de, 1
+minelands.ml, 1
+minelight.ml, 1
+minelucky.net, 1
+minenash.com, 1
+minepack.net, 1
+mineralnibani.bg, 1
+minered.org, 1
+minerstat.com, 1
+minersvillepa.gov, 1
+minerva2015.it, 1
+minervaaschools.com, 1
+minervabi.com, 1
+minervacars.com, 1
+mines-stetienne.fr, 1
+minesouls.fr, 1
+minestealth.xyz, 1
+minestory.cf, 1
+minesweepergame.de, 1
+minetracker.dk, 1
+mineturtle.de, 1
+minez-nightswatch.com, 0
+minf3-games.de, 1
+minfin.gov.ua, 1
+mingkai.me, 1
+mingle2.com, 1
+mingming.info, 0
+mingram.net, 1
+mingwah.ch, 0
+mingy.ddns.net, 1
+mingyannet.com, 1
+minh.at, 0
+minhanossasenhora.com.br, 1
+minhanwindow.vn, 1
+minhng99.cloud, 1
+minhng99.eu, 1
+minhtuongcomputer.com, 1
+minhyukpark.com, 1
+mini-igra.tk, 1
+mini-piraten.de, 1
+mini-rock-festival.de, 1
+mini-zoo.club, 1
+mini2.fi, 1
+minialbums.ga, 1
+miniatomium.tk, 1
+minibabi.site, 1
+minibackpackgirls.cf, 1
+minibaggerverleih-aulendorf.de, 1
+minibardelivery.com, 1
+minibikini.cf, 1
+minibomba.pro, 1
+minibrewery.cf, 1
+minibus-service.ru, 1
+minibusrent.ro, 1
+minicampingshalom.nl, 1
+minican.net, 1
+miniclip.com, 1
+minics.tk, 1
+minidrett.no, 1
+minifree.org, 1
+minigames.com, 1
+minigermanauto.com, 1
+minigolf-oase.com, 0
+minigolf-reisinger.com, 1
+minigolfandgames.co.uk, 1
+minikasinosblackandred.es, 1
+minikidz.es, 1
+minikin.tk, 1
+minikneet.com, 1
+minikneet.nl, 1
+miniliga.at, 1
+minimal-apps.de, 1
+minimal-nothing.ml, 1
+minimal-website.ch, 0
+minimalistbaker.com, 1
+minimalistmenu.com, 1
+minimaliston.com, 1
+minimalmx.io, 1
+minimayhemsoftplay.co.uk, 1
+minimegaarcade.com, 1
+minimonies.tk, 1
+minimotogp.tk, 1
+minin.tk, 1
+mining-club.tk, 1
+mining.diamonds, 1
+miningtronics.com, 0
+minintendo.tk, 1
+minipc.de, 1
+minipigscare.com, 1
+minir.ru, 1
+minirizhi.com, 1
+miniskylab.com, 1
+miniso.me, 1
+minisoft4u.ir, 1
+ministerioaguadevida.tk, 1
+ministeriodeeducacion.gob.do, 1
+ministory.tk, 1
+ministryofinternet.eu, 1
+ministryofvillas.com, 1
+ministudio.ml, 1
+minitaq.com, 1
+minitec.ro, 1
+minitruckin.net, 1
+minitrucktalk.com, 1
+minivaro.de, 1
+miniverse.social, 1
+minivideoadapterssales.tk, 1
+miniwallaby.com, 1
+minix.jp, 1
+minjusticia.gob.cl, 1
+mink-coat.tk, 1
+minka.net.bo, 1
+minkafighter.de, 1
+minkafighter.eu, 1
+minkatilmancoaching.nl, 1
+minkymoon.jp, 1
+minlly.com, 1
+minload.com, 1
+minly.com, 1
+minmaxgame.com, 1
+minna.tk, 1
+minnesota8.org, 1
+minnesotacitymn.gov, 1
+minnesotahealthcareconsortium.gov, 1
+minnesotalakemn.gov, 1
+minng.cc, 1
+minnisites.com, 1
+minnit.chat, 1
+minobar.com, 1
+minocyclinee.gq, 1
+minocyclinehere.gq, 1
+minocyclines.gq, 1
+minohtaurov.cf, 1
+minor.news, 1
+minorice.net, 1
+minorisa.tk, 1
+minoritywhip.gov, 1
+minotauro.com.ar, 1
+minotnd.gov, 1
+minoxbahia.com.br, 1
+minpingvin.dk, 1
+minpolit.com, 1
+minquipo.nl, 1
+minsk-city.tk, 1
+minsk-cops.tk, 1
+minsk-music.tk, 1
+minsub.jp, 1
+mint-frauen-bw.de, 0
+mintal.is, 1
+mintblau.com, 1
+mintclass.com, 1
+mintdsmile.com.au, 1
+mintea-noua.ro, 1
+mintea.pw, 1
+mintea.xyz, 1
+minternals.com, 1
+minterslab.com, 1
+mintersvault.com, 1
+mintert.net, 1
+mintfirsts.co.uk, 1
+mintfirsts.com, 1
+mintitafever.tk, 1
+minto.cc, 1
+mintogardens.org.au, 1
+minton.systems, 1
+mintosherbs.com, 1
+mintosoft.net, 1
+mintse.com, 0
+mintstar.net, 1
+minttang.cn, 0
+mintymoney.com, 1
+mintywhite.com, 1
+minu.link, 1
+minube.co.cr, 1
+minul.in, 1
+minungdomsbolig.dk, 1
+minutashop.ru, 1
+minuteflightdeals.com, 1
+minutemanplumbingtulsa.com, 1
+minuten-drogentests.de, 1
+minutepunchline.com, 1
+minuterice.com, 1
+minutocultural.com.br, 1
+minux.info, 1
+minweb.org, 1
+minxmine.eu.org, 1
+minzdravri.ru, 1
+mio-ip.ch, 1
+miobeach.nl, 1
+miodimleko.pl, 1
+miodziki.pl, 0
+miomiojoyeria.com, 1
+miorganics.ro, 1
+miottawavotes.gov, 1
+mipapo.de, 1
+mipediatra.tk, 1
+mipesa.cz, 1
+mipiaci.co.nz, 0
+mipiaci.com.au, 0
+miplanilla.com, 1
+mipnet.cl, 1
+mipromo.com, 1
+mipropertiesnorth.com, 1
+miproximopaso.org, 1
+miprudelafi.ga, 1
+mipueblito.tk, 1
+mipymesenlinea.com, 1
+mir-faktov.tk, 1
+mir-koji.tk, 1
+mir-multimedia.tk, 1
+mir-obshenia.tk, 1
+mir-pressy.ga, 1
+mir-tiktak.tk, 1
+mir-torgovli.tk, 1
+mir.do, 1
+mir.pe, 1
+mir24.tk, 1
+mira.fun, 1
+mira.systems, 1
+mira.vip, 1
+mirabella.tk, 1
+miraclesformya.org, 1
+mirades.es, 1
+mirador.co.uk, 1
+mirador.com, 1
+miradordelcondado.com, 1
+mirage-project.tk, 1
+miragenews.com, 1
+miragg.cf, 1
+miraggiostudio.com, 1
+miragrey-porn.com, 1
+miraheze.org, 1
+mirahezebots.org, 1
+mirai-coupon.com, 1
+miraizu-recruit.com, 1
+mirakl.com, 0
+miraldi.eu, 1
+miramanga.org, 1
+miramar-obgyn.com, 1
+miramar.ca, 1
+miramichireader.ca, 1
+mirandaberkhof.com, 1
+mirandakids.bg, 1
+miranza.es, 1
+mirasee.com, 1
+mirasmun.tk, 1
+miratechgroup.com, 1
+miraxe.cf, 1
+miraxe.ga, 1
+miraxe.gq, 1
+mirazonline.tk, 1
+mirazperu.tk, 1
+mircarfinder.ru, 1
+mircreditov.tk, 1
+mircsohbet.tk, 1
+mirdetaley.tk, 1
+mireiaseuba.com, 1
+mireillewendling.com.br, 1
+miremedio.cl, 1
+mirepublic.co.nz, 1
+mireservaonline.es, 1
+miriamgamburd.com, 1
+miriamharel.tk, 1
+mirinfonews.tk, 1
+mirjamderijk.nl, 1
+mirkino.tk, 1
+mirknighechek.tk, 1
+mirknighek.cf, 1
+mirknighek.gq, 1
+mirkofranz.de, 1
+mirkomainardi.com, 1
+mirkout.com, 1
+mirkvartir.tk, 1
+mirmax.ch, 1
+mirnesnet.tk, 1
+mirnews.ml, 1
+mirobuvi.com.ua, 1
+mirogrdnika.info, 1
+miroirbythalia.shop, 1
+mirokon.tk, 1
+mironet.cz, 1
+mironi.ml, 1
+mironized.com, 1
+mironov.tk, 1
+miroslavholec.cz, 1
+mirotakampus.com, 0
+mirprav.tk, 1
+mirri.net, 1
+mirrordream.net, 1
+mirrormirror.tk, 1
+mirrormirrorhairstyles.com, 1
+mirrorsedgearchive.de, 1
+mirrorsedgearchive.ga, 1
+mirrorwood.com, 1
+mirrorz.help, 1
+mirs.ky, 1
+mirshak.com, 0
+mirtazapine.gq, 1
+mirte-engelhard.com, 1
+mirte-engelhard.nl, 1
+mirtentov.ru, 1
+mirtes.cz, 1
+mirtouf.fr, 1
+mirumhongkong.com, 1
+mirvent.site, 1
+mirvolgograda.ml, 1
+mirwild.cf, 1
+mirwild.gq, 1
+miryam-martinez.tk, 1
+mirzetonline.tk, 1
+mis1042.com, 0
+mis1042.top, 1
+misa.org, 1
+misaka.me, 1
+misakacloud.net, 1
+misakaloli.com, 0
+misakastudio.com, 1
+misaki0.jp, 1
+misakiya.co.jp, 1
+misalacuna.cl, 1
+misanci.cz, 1
+mischolz.de, 1
+misclick.net, 1
+misclick.nl, 1
+misco.it, 1
+misconfigured.io, 1
+miscuadros.tk, 1
+miscursosdebelleza.com, 1
+misfit-media.com, 1
+mishamayfairart.com, 1
+mishaomar.tk, 1
+mishavayner.com, 1
+mishkinn.ru, 1
+mishpatim.tk, 1
+mishrahome.com, 1
+mishraurology.com, 1
+mishraweb.com, 1
+misiepluszowe.com, 1
+misinstrumentos.com, 1
+misiunas.eu, 1
+misjoyas.com.es, 0
+misk.com, 1
+miskara.com, 1
+miskatonic.org, 1
+misoji-resist.com, 1
+misol.kr, 1
+misooda.in, 1
+mispelis.tk, 1
+mispromo.com, 1
+misreflexiones.tk, 1
+misreports.in, 1
+miss-inventory.co.uk, 1
+miss.com.tw, 1
+missadrastea.org, 1
+missakari.com, 1
+missaocadastrobv.com.br, 1
+missapk.com, 1
+missbitcoin.nl, 1
+missblisshair.com.au, 1
+missdoertie.net, 1
+missdoggystyle.com, 1
+missdream.org, 1
+misseguf.dk, 1
+missevent.pl, 1
+missflora.se, 1
+missguidedus.com, 1
+missilovely.tk, 1
+missingchildreneurope.eu, 1
+missinglinks.tk, 1
+mission-gesundheit.online, 1
+mission-orange.de, 1
+missions.me, 1
+missionsgemeinde.de, 1
+missionskreis-kueps.de, 1
+mississaugaelite.com, 1
+misskappababy.com, 1
+misskey.art, 1
+misslollipop.fr, 1
+missmaid.co.uk, 1
+missmaid.com, 1
+missmeydan.com, 1
+misson.ovh, 1
+missoula.gov, 1
+missoulacountymt.gov, 1
+missoulian.com, 1
+missouri-sky.tk, 1
+missouriheatingcoolingadvice.com, 1
+missourivalleyhomes.com, 1
+missoy.me, 1
+misspoliticsaustralia.cf, 1
+misspoliticsaustralia.ga, 1
+misspoliticsaustralia.gq, 1
+misspoliticsaustralia.ml, 1
+missthetoro.tk, 1
+misstika-bijoux.com, 1
+misstress.cf, 1
+missualready.com, 1
+missuniverse.tk, 1
+missworldinfo.tk, 1
+missycosmeticos.com.br, 1
+missycraindance.com, 1
+missyjay.tk, 1
+missyou.link, 1
+mist79.ru, 1
+mistacms.com, 0
+mistades.ga, 1
+mistajsay.com, 1
+mister-auto.co.uk, 1
+mister-auto.com, 1
+mister-auto.de, 1
+mister-auto.es, 1
+mister-auto.it, 1
+mister-auto.nl, 1
+mister-matthew.de, 1
+misterbandb.com, 1
+misterboddy.com, 1
+misterd.ml, 1
+misterdomain.eu, 1
+mistergermany.tk, 1
+mistergout.com, 1
+misterkeltic.com, 1
+misterl.net, 1
+misterorion.com, 1
+mistertesi.it, 1
+misteryrip.tk, 1
+mistinecn.com, 0
+mistitservices.in, 1
+mistrasolutions.com, 1
+mistreaded.com, 1
+mistress-lucia.tk, 1
+mistressnadine.tk, 1
+mistressofbeads.tk, 1
+mistyoverlookranch.com, 1
+misupportit.dk, 1
+misura.re, 1
+misw.jp, 1
+miswonline.nl, 1
+mit-dem-rad-zur-arbeit.de, 0
+mit-dem-rad-zur-uni.de, 0
+mit-sexchat-geld-verdienen.com, 1
+mit-uns.org, 1
+mit.akita.jp, 1
+mit.dk, 1
+mit.edu.it, 1
+mit.gg, 0
+mita-beutel.tk, 1
+mita.me, 1
+mitarbeiterbefragungen.com, 1
+mitarbeitermotivation-anleitungen.de, 1
+mitarrangement.dk, 1
+mitchell.to, 1
+mitchellcountync.gov, 1
+mitchelmore.ca, 1
+mitchkalf.nl, 0
+mitchkiah.com, 1
+mitdip-mit-group-ch.azurewebsites.net, 1
+mite3.nl, 1
+mitechtrading.com, 1
+mitel.io, 1
+mitelec.es, 1
+miteltest.com, 1
+mitenloytaatoita.fi, 1
+mitenloytaatyota.fi, 1
+mitensaadatoita.fi, 1
+mitensaadatyota.fi, 1
+mitev.gq, 1
+mitevi.com, 1
+mitgrussen.de, 1
+mithgol.tk, 1
+mithril.email, 1
+mithypnoseweiter.de, 1
+mitiad.gq, 1
+mitico.at, 1
+miticobikes.at, 1
+miticobikes.com, 1
+mitiendademunecas.com, 1
+mitigant.io, 1
+mitigationcommission.gov, 1
+mitik974.me, 1
+mitikas.de, 1
+mitiko.xyz, 1
+mitindo.it, 1
+mitior.net, 1
+mitjavila.com, 1
+mito-meishi.shop, 1
+mitokashi.ml, 1
+mitranlogistik.com, 1
+mitraseo.tk, 1
+mitratech.com.br, 1
+mitrausahagoto.com, 1
+mitrausahatani.com, 1
+mitrax.com.br, 1
+mitre10.com.au, 0
+mitrecaasd.org, 1
+mitremai.org, 1
+mitrostudios.com, 1
+mitsign.com, 1
+mitsonnenbrillen.de, 1
+mitsov.eu, 1
+mitsu.com, 1
+mitsu.in, 1
+mitsubishi-motors.com.co, 0
+mitsubishi-stanok.ru, 1
+mitsubishielectric-rce.eu, 1
+mitsukisushi.com, 1
+mitt.ca, 1
+mittagonghomestead.com.au, 1
+mittarinvaihto.fi, 1
+mittdolcino.com, 1
+mittelalter-lexikon.de, 1
+mittelhessen.de, 1
+mittelunsachlich.de, 1
+mittendorff.tk, 1
+mittenofficesystems.com, 1
+mitterbach.org, 1
+mittid.dk, 1
+mittilmeld.dk, 1
+mittwoch-nacht.net, 1
+mitulv4u.tk, 1
+mitzpettel.com, 1
+miui-germany.de, 1
+miui.kr, 1
+miukimodafeminina.com, 1
+mivestuariolaboral.com, 1
+mividasecreta.tk, 1
+mivm.cn, 1
+mivne.co.il, 1
+mivo.es, 1
+mivzak.im, 1
+mivzakim.biz, 1
+mivzakim.cf, 1
+mivzakim.ga, 1
+mivzakim.gq, 1
+mivzakim.info, 1
+mivzakim.ml, 1
+mivzakim.mobi, 1
+mivzakim.net, 1
+mivzakim.org, 1
+mivzakim.tk, 1
+mivzakim.tv, 1
+mivzaklive.co.il, 0
+miweb.ec, 1
+miwebmadrid.es, 1
+mix-books.ga, 1
+mix-channel.ml, 1
+mix-master.fr, 1
+mix-recruit.jp, 1
+mix.my, 1
+mixandplay.tk, 1
+mixedanimals.com, 1
+mixedrecipe.com, 1
+mixerfestival.com.br, 1
+mixes.cloud, 1
+mixescloud.com, 1
+mixfix.com.br, 1
+mixgreen.de, 1
+mixify.ga, 1
+mixinglight.com, 1
+mixingnight.com, 1
+mixingnightaudio.com, 1
+mixizle.com, 1
+mixmastermitch.com, 1
+mixmastersdeejays.tk, 1
+mixmister.com, 1
+mixmix.tk, 1
+mixmovi.com, 1
+mixnix.tk, 1
+mixnmojo.com, 1
+mixom.net, 1
+mixon.tk, 1
+mixpanel.com, 1
+mixposure.com, 1
+mixtafrica.com, 1
+mixx.com.hk, 1
+miyagi-ctr.com, 1
+miyagi-r.com, 1
+miyajima-ken.jp, 1
+miyako-kyoto.jp, 1
+miyamane-room.com, 1
+miyanaga.tech, 1
+miyasyou.com, 1
+miyatakaikei.com, 1
+miyavru.com, 1
+miyazakian.com, 1
+miyohiro.net, 1
+miyoshi-kikaku.co.jp, 1
+miyoshi-kikaku.com, 0
+mizar.im, 0
+mizik.cz, 1
+miziklakay.com, 1
+mizipack.com, 0
+mizoey.se, 1
+mizon.com.pe, 1
+mizrahi-tefahot.co.il, 1
+mizternational.com, 1
+mizu.coffee, 1
+mizucoffee.net, 1
+mizuhobank.co.id, 1
+mizuhofutures.com, 1
+mizuiromoon.com, 1
+mizukoshika.jp, 1
+mizumax.me, 1
+mj-reit.com, 1
+mj420.com, 0
+mjacobson.net, 1
+mjanja.ch, 1
+mjasm.org, 1
+mjbeventspr.com, 0
+mjbtechtips.com, 1
+mjcstsul2022.tk, 1
+mjf.cz, 1
+mjhs.org, 1
+mjhsfoundation.org, 1
+mjjshow.eu.org, 1
+mjlwebdev.pl, 1
+mjmpartnerlink.com.au, 1
+mjniessen.com, 1
+mjollnir.fr, 1
+mjpromotions.nl, 1
+mjpronk.nl, 1
+mjrlegends.com, 1
+mjsacco-dwi.com, 1
+mjsports.bet, 1
+mjstudios.tech, 0
+mjstudios.tk, 1
+mjt.me.uk, 1
+mjuktvatten.nu, 1
+mjwadvisory.com.au, 1
+mjzdaman.tk, 1
+mk-builder.net, 1
+mk-translations.ua, 1
+mk.gov.tr, 1
+mk89.de, 1
+mkaciuba.com, 0
+mkakh.xyz, 1
+mkala.ru, 1
+mkalisch.de, 1
+mkbd.ru, 1
+mkbeindhoven.nl, 1
+mkbet.tk, 1
+mkbofficeshop.nl, 1
+mkbouncycastles.co.uk, 1
+mkbouncyhire.co.uk, 1
+mkboynton.org, 1
+mkcert.org, 1
+mkchandler.com, 1
+mkdevice.it, 1
+mkes.com, 1
+mkey-solution.at, 1
+mkey-solution.com, 1
+mkey-solution.de, 1
+mkey-solutions.at, 1
+mkey-solutions.com, 1
+mkey-solutions.de, 1
+mkey.solutions, 1
+mkeysolution.at, 1
+mkeysolution.com, 1
+mkeysolution.de, 1
+mkeysolutions.at, 1
+mkeysolutions.com, 1
+mkeysolutions.de, 1
+mkg-laposte.info, 1
+mkg-pch.com, 1
+mkg-wiebelskirchen.de, 1
+mkhsoft.eu, 1
+mki-igrushki.ru, 1
+mkie.cf, 1
+mkinfo.com.br, 1
+mkjl.ml, 0
+mkjoyeria.cl, 0
+mkk.de, 1
+mkkcrafts.com, 1
+mkkkrc.ru, 1
+mklenterprises.com, 0
+mklenterprisesacademy.com, 1
+mklenterprisescoaching.com, 1
+mklpedia.de, 1
+mklwork.lt, 1
+mkm.ee, 0
+mkm.szczecin.pl, 1
+mkmaster.tk, 1
+mkmedien.tk, 1
+mknowles.com.au, 1
+mkoppmann.at, 1
+mkpdeepclean.com, 1
+mkpeurope.org, 1
+mkplay.io, 1
+mkprensa.tk, 1
+mkrecek.cz, 1
+mkringel.de, 0
+mksac.co.uk, 1
+mksdarchitects.com, 1
+mkse.com, 1
+mkt.com, 1
+mkt7.de, 1
+mktcoral.com, 1
+mktemp.org, 1
+mkultraclean.com.au, 1
+mkw.st, 1
+mkws.sh, 1
+ml.tax, 1
+ml2d.com, 1
+mlada-moda.cz, 1
+mladamoda.sk, 1
+mladenovac.tk, 1
+mladinskislatna.si, 1
+mladiorl.cz, 1
+mladypodnikatel.cz, 1
+mlaschool.co.za, 1
+mlawfirm.com, 1
+mlcfinvest.in, 1
+mlclaw.com, 1
+mlcnfriends.com, 1
+mlcrosoftonlline.cz, 1
+mlcrosoftonlline.ml, 1
+mlelieveld.com, 1
+mleydier.fr, 1
+mlfilm.ml, 1
+mlgsmokers.tk, 1
+mli-interface-api-test.azurewebsites.net, 1
+mlii.net, 1
+mlirb.com, 1
+mlk.sd, 1
+mlkday.gov, 1
+mllz.com, 1
+mlm-hochzeit.de, 1
+mlmjam.com, 1
+mlmjunction.tk, 1
+mlmowing.com.au, 1
+mlnews.ml, 1
+mlo.no, 1
+mlohr.com, 1
+mlohr.net, 1
+mlonline.com.mx, 1
+mloska.tk, 1
+mlp.horse, 1
+mlpavimentosdehormigonimpreso.com, 1
+mlpk.cz, 1
+mlpvcdn.top, 1
+mlpvector.club, 1
+mlshhz.eu.org, 1
+mlsrv.de, 1
+mlstav.sk, 1
+mlsvallarta.com, 1
+mltrade.ml, 1
+mlukas.xyz, 1
+mlundberg.se, 1
+mluservices.com, 1
+mlv-psychosomatik.de, 1
+mlv.me, 1
+mlwr.ee, 1
+mlytics.com, 1
+mm-sol.com, 1
+mm13.at, 1
+mm5197.co, 1
+mm6729.co, 1
+mm6729.com, 0
+mm6957.co, 1
+mm9297.co, 1
+mm9728.co, 1
+mma-records.de, 1
+mmalisz.com, 1
+mmallardi.no-ip.biz, 1
+mmanews24.com, 1
+mmapiws.com, 1
+mmaps.ddns.net, 1
+mmaps.org, 1
+mmarising.com, 1
+mmarnitz.de, 1
+mmassemblyline.de, 1
+mmav.co, 1
+mmav.live, 1
+mmav.tv, 1
+mmbb.org, 0
+mmcalc.jp, 1
+mmcase.ml, 1
+mmgal.com, 1
+mmhome.fr, 1
+mmilog.hu, 1
+mminsco.com, 0
+mmkstudio-digital.com, 1
+mml.cx, 0
+mmlebanon.com, 1
+mmlstyliser.com, 1
+mmm-boxing.tk, 1
+mmm.lu, 1
+mmmarco.com, 1
+mmmaximaliselmeny.hu, 1
+mmmc.hk, 1
+mmmofnigeria.tk, 1
+mmmonk.net, 1
+mmmsancristobal.es, 1
+mmoe.moe, 1
+mmogah.com, 1
+mmoneko.com, 1
+mmonit.com, 1
+mmorpg-stat.eu, 1
+mmot.sk, 1
+mmpaymentsystem.com, 1
+mmphub.com, 1
+mmprojects.nl, 1
+mmr.ua, 1
+mmrepair.in, 1
+mms.is, 1
+mmsmotor.com.hk, 1
+mmstick.tk, 1
+mmstudio.tk, 1
+mmucha.de, 1
+mmuclassifieds.tk, 1
+mmulder.com, 1
+mmwb.nl, 1
+mmwtrademarks.com.au, 1
+mmxblog.com, 1
+mmxx-distribution.com, 1
+mmzztt.com, 1
+mn-hootsuite.herokuapp.com, 1
+mn.ax, 1
+mnatechnologies.com.au, 1
+mnbg.tk, 1
+mncalliedhealth.com, 1
+mncbank.co.id, 1
+mnccc.gov, 1
+mnciitbhu.me, 1
+mncloud.de, 1
+mncustom.com, 1
+mnd.sc, 1
+mndeveloper.com, 1
+mne.moe, 1
+mnec.io, 1
+mneeb.de, 1
+mnemonic.ninja, 1
+mnemonicninja.com, 1
+mneti.ru, 1
+mngfam.ddns.net, 1
+mnguyen.io, 1
+mnhc.gov, 1
+mnienamel.com, 1
+mniopenresearch.org, 1
+mnium.de, 1
+mnjg123.de, 1
+mnkysoft.com, 1
+mnml.art, 1
+mnml.blog, 1
+mnml.top, 1
+mnmt.no, 1
+mnnknz.de, 1
+mnnon.com, 1
+mnocea.eu, 1
+mnogoigrovka.ru, 1
+mnogoknighek.gq, 1
+mnogoknighek.ml, 1
+mnogoknighek.tk, 1
+mnogosofta.tk, 1
+mnogoznai.tk, 1
+mnotrioesdp.ml, 1
+mnprairie.gov, 1
+mnrloroli.tk, 1
+mnrtechsolutions.com, 1
+mnrv.trade, 1
+mns.co.jp, 1
+mnsaviation.com, 1
+mnsenate.gov, 1
+mnsure.org, 1
+mnsvu.org, 1
+mnt-tech.fr, 1
+mnt9.com, 0
+mnt9.de, 1
+mnvotes.gov, 1
+mo-en-karim.tk, 1
+mo-mochizuki.com, 1
+mo-vvs.dk, 1
+mo.nl, 1
+mo2021.de, 1
+moa.moe, 1
+moabpapier.de, 1
+moabygg.se, 1
+moahmo.com, 0
+moaicar.com, 1
+moas.design, 1
+moas.photos, 1
+moattitlesecurity.com, 1
+mob2con.com.br, 1
+mob889.com, 1
+moba-automation.com, 1
+moba-automation.com.br, 1
+moba-automation.de, 1
+mobal.com, 0
+mobclan.tk, 1
+mobcsp.work, 1
+mobeewash.com, 1
+mobeforlife.com, 0
+moberi.com.ua, 1
+mobex.biz, 1
+mobi-katalog.tk, 1
+mobidevtalk.com, 1
+mobifrance.com, 1
+mobigadget.tk, 1
+mobijo.tk, 1
+mobikasa.com, 1
+mobil-badwimpfen.de, 1
+mobil-bei-uns.de, 1
+mobil11.net, 1
+mobila-chisinau.md, 1
+mobilci.net, 1
+mobildeal.id, 1
+mobile-discothek.at, 1
+mobile-holzofenpizza.de, 1
+mobile-industrial-robots.com, 1
+mobile-ivr.tk, 1
+mobile-master.org, 1
+mobile-news.tk, 1
+mobile-pedia.com, 1
+mobile.de, 1
+mobile.eti.br, 1
+mobile.united.com, 0
+mobile.usaa.com, 0
+mobile360.ph, 1
+mobileague.ml, 1
+mobilebingoclub.co.uk, 1
+mobilebooster.tk, 1
+mobileciti.com.au, 1
+mobilecoin.com, 1
+mobilecraftingco.com, 1
+mobilefactory.io, 1
+mobilegoldcoastelectrical.ga, 1
+mobilehydraulics.com.au, 1
+mobileit.cz, 1
+mobilelaby.com, 1
+mobilelobbyers.ga, 1
+mobilemedics.com, 1
+mobilemondayaustin.com, 1
+mobileone.com.my, 1
+mobilepartner.tk, 1
+mobilephoneadvise.com, 1
+mobiler-handel.de, 1
+mobileread.com, 1
+mobileritelushi.com, 1
+mobilesafe.shop, 1
+mobilesector.de, 1
+mobilesettingers.ga, 1
+mobilesignalsolutions.co.uk, 1
+mobilesms.io, 1
+mobilesnewsworld.ga, 1
+mobilestories.se, 1
+mobilestuff.tk, 1
+mobiletechnews.tk, 1
+mobileteleconferenceers.ga, 1
+mobiletirer.tk, 1
+mobiletop.co.uk, 1
+mobiletraff.co, 1
+mobilewikiserver.com, 1
+mobilgaraj.com, 1
+mobilhaber.ga, 1
+mobilhondatangsel.com, 1
+mobilidadeurbana.ind.br, 1
+mobilificio.roma.it, 1
+mobilisation-generale.org, 0
+mobiliteit.gent, 1
+mobiliteitgent.be, 1
+mobiliteitsbedrijf-gent.be, 1
+mobiliteitsbedrijf.be, 1
+mobiliteitsbedrijfgent.be, 1
+mobiliteitsbedrijfstadgent.be, 1
+mobiliteitstadgent.be, 1
+mobility-events.ch, 1
+mobility-services.eu, 1
+mobilityworks.eu, 0
+mobilityworld.tk, 1
+mobilize.us, 1
+mobilizon.fr, 1
+mobilizon.org, 1
+mobilizone.com, 1
+mobilki.tk, 1
+mobilni.site, 1
+mobilo4ka.ru, 1
+mobilosoft.com, 1
+mobiltank.fr, 1
+mobiltune.tk, 1
+mobilux.lv, 1
+mobincube.com, 1
+mobincube.es, 1
+mobincube.mobi, 1
+mobinet.tk, 1
+mobinst.ml, 1
+mobio.net, 1
+mobiotics.com, 1
+mobiproj.com, 1
+mobiride.co, 1
+mobisaar-cloud.de, 1
+mobistartv.ml, 1
+mobitracker.co, 1
+mobius.network, 1
+mobizma.com, 1
+moblkar.com, 1
+mobmp4.info, 1
+mobobe.com, 1
+mobolight.ml, 1
+mobot.sg, 1
+mobox.health, 1
+mobshop.hu, 1
+mobsitin.tk, 1
+mobtop.ga, 1
+mobtop.ml, 1
+mobycoders.com, 1
+mobydog.net, 1
+mobygeek.com, 1
+mobylette.tk, 1
+moca-2081.com, 1
+moca-2082.com, 1
+moca-kinder.de, 1
+mocent.de, 1
+mochanstore.com, 1
+mochilerostailandia.com, 1
+mochiyuki.net, 1
+mochizuki.moe, 0
+mochoko.com, 1
+mockerel.com, 1
+mockers.tk, 1
+mocknen.net, 1
+mocksvillenc.org, 1
+mocomoco.jp, 1
+mod.af, 0
+mod.gov.lb, 1
+mod.io, 1
+moda-donna.cf, 1
+moda-line.ml, 1
+modacompleta.com.br, 1
+modafilmdmodafinil.com, 1
+modafinil.wiki, 1
+modafinilici.com, 1
+modafinilwizard.co, 1
+modafinilwizard.com, 1
+modafinilyes.com, 1
+modafo.com, 1
+modahaber.com, 1
+modalogi.com, 1
+modalrakyat.com, 1
+modaltraining.co.uk, 1
+modamia.pl, 1
+modamoom.com.br, 1
+modanacrho.tk, 1
+modanese.net, 1
+modanloftsortigashills.com, 1
+modapharma.org, 1
+modasexy.it, 1
+modav.org, 1
+modax.ua, 1
+modbom.com.tw, 1
+modcombo.com, 1
+modcover.com, 1
+modd.com.au, 1
+modded-minecraft-server-list.com, 1
+moddedphones.com, 1
+modderday.com, 1
+moddermore.net, 1
+modding-forum.com, 1
+modding-openmw.com, 0
+modding-welt.com, 1
+moddingworld.tk, 1
+moddiy.com, 1
+moddo.com, 1
+mode-individuell.de, 1
+mode-musthaves.com, 1
+modebest.co.uk, 1
+modecaso.com, 1
+modehaus-marionk.de, 1
+model-school.tk, 1
+model.earth, 1
+modelbase.org, 1
+modelclub-draveil.eu, 1
+modeldanielle.tk, 1
+modeldentalab.lt, 1
+modeldimension.com, 1
+modeldoll.tk, 1
+modelearth.org, 1
+modelfotografie.tk, 1
+modeli.tk, 1
+modelisme-rc.net, 1
+modell-lq.net, 1
+modellbahnshop.de, 1
+modellismo.roma.it, 1
+models-resource.com, 1
+modelspoor-projecten.nl, 1
+modelspoorprojecten.nl, 1
+modem.cf, 1
+modemaille.com, 0
+modemchild.net, 1
+modemguides.com, 1
+modenatoday.it, 1
+modenodf.ru, 1
+moderaterna.se, 1
+moderatoren.org, 1
+modern-family.tv, 1
+modern-gaming.ga, 1
+modernapprenticeships.org, 1
+modernautorepairs.com, 1
+moderncommercialrealestate.com, 1
+moderndayprepping.com, 1
+moderndeck.org, 1
+moderndukes.tk, 1
+moderneraplumbingandgas.com.au, 1
+moderngentlemen.net, 1
+moderniknihovna.cz, 1
+modernindia.ml, 1
+modernizr.com, 0
+modernliferoleplay.cf, 1
+modernmomarchy.com, 1
+modernsaas.net, 1
+modernsavage.coach, 1
+moderntech.dk, 1
+moderntld.net, 1
+moderntrainer.co.za, 1
+moderntreasury.com, 1
+modernwebz.com, 1
+modernworkplacelearning.co.za, 1
+modernx.de, 1
+modesalination.com, 1
+modestoca.gov, 1
+modetalente.com, 1
+modetrends.tk, 1
+modgamer.gq, 1
+modicollege.com, 1
+modifiedmind.com, 1
+modineaviation.com, 1
+modint.nl, 1
+modirhp.ir, 1
+modisarkar.tk, 1
+modistryusercontent.com, 1
+modlimit.cf, 1
+modpop.se, 1
+mods.fm, 1
+modscrew.com, 1
+modsecurity.net, 1
+modszombies.com, 1
+moduhygiene.com, 1
+modul21.eu, 1
+modul8infinity.co, 1
+modul8r.com, 1
+modulebaan.tk, 1
+moduleus.com, 1
+modulex-gmbh.de, 1
+modulkuhni.by, 1
+modulo.ee, 0
+moduloseltaladro.com, 1
+modum.by, 1
+modusawperandi.com, 1
+modusgames.com, 1
+modusit.co.za, 1
+modusmundi.com, 1
+modussystems.com, 1
+modvigilonlinerx.com, 1
+modxvm.com, 1
+modzcenter.com, 1
+modzcenter.es, 1
+moe-max.jp, 1
+moe.best, 0
+moe.blog, 1
+moe.ci, 1
+moe.gov.eg, 1
+moe.tools, 1
+moe4sale.in, 1
+moebeltaxi-berlin.com, 1
+moeblog.cn, 1
+moeblog.top, 1
+moec.top, 1
+moecater.com, 1
+moechel.com, 1
+moefactory.com, 1
+moefi.xyz, 1
+moegato.com, 1
+moegi.ml, 1
+moego.me, 1
+moego.pet, 1
+moehrke.cc, 1
+moekes.amsterdam, 1
+moeking.me, 1
+moeli.org, 1
+moellers.systems, 1
+moeloli.ac.cn, 1
+moelten.org, 1
+moemdom.info, 1
+moenew.top, 1
+moenew.us, 0
+moenjodaro.tk, 1
+moensnatuursteen.be, 1
+moepass.com, 1
+moesborg.dk, 1
+moescat.xyz, 0
+moeslinger-gehmayr.com, 1
+moeto-zdrave.com, 1
+moetrack.com, 1
+moewe.org, 1
+moeyy.tech, 1
+mofbinsurance.com, 1
+mofo.com, 1
+mofohome.dyndns.org, 1
+mofos.com, 1
+mofosnetwork.com, 1
+mogbox.net, 1
+mogica.tk, 1
+mogilev-forum.tk, 1
+moglie.xxx, 1
+mogomix.cf, 1
+mogradus.com, 1
+mogwailabs.de, 1
+mogyuchi.com, 1
+moha-swiss.com, 0
+mohaabobclan.tk, 1
+mohaanation.tk, 1
+mohabatein1.tk, 1
+mohalicity.info, 1
+mohamedalibenammarmaba.tk, 1
+mohamedfouad.tk, 1
+mohamedhamdy.tk, 1
+mohamedhosting.tk, 1
+mohamedsherif.ml, 1
+mohamedsherif.tk, 1
+mohammad-hamarsheh.com, 1
+mohammad-yarahmadi.tk, 1
+mohammadhamed.tk, 1
+mohammadreza-bakhtiari.tk, 1
+mohammed.ga, 1
+mohammedalrifai.tk, 1
+mohave.gov, 1
+mohela.com, 1
+mohelafederal.com, 1
+moheyuddin.tk, 1
+mohister.cn, 1
+mohitchahal.com, 1
+mohot.com.tw, 1
+mohot.fit, 1
+mohot.shop, 1
+mohr-maschinenservice.de, 1
+mohsen-pashootan.vercel.app, 1
+moi-sait.tk, 1
+moikolhoz.ml, 1
+moikolhoz.tk, 1
+moin.solar, 1
+moip.com.br, 1
+moipourtoit.ch, 0
+moipourtoit.com, 0
+moipourtoit.org, 0
+moirre.com, 1
+moisesbarrio.es, 1
+moisesbarrio.me, 1
+moitruongcrsvina.com, 1
+mojaapteka.pl, 1
+mojaczarnastrona.pl, 1
+mojadm.sk, 1
+mojaknjiznica.com, 0
+mojakursumlija.tk, 1
+mojama3dz.com, 1
+mojartech.ml, 1
+mojavenissanofbarstowparts.com, 1
+mojavibe.com, 1
+mojdom.ba, 1
+mojdrvar.tk, 1
+moje-communication.de, 1
+mojeco2.cz, 1
+mojedatovaschranka.cz, 1
+mojefilmy.xyz, 1
+mojetatuaze.pl, 1
+mojeurlopy.pl, 1
+mojilitygroup.com, 1
+mojitoparty-articlespara.website, 1
+mojizuri.cafe, 1
+mojizuri.com, 1
+mojizuri.jp, 1
+mojkragujevac.net, 1
+mojleksikon.com, 1
+mojnet.eu, 1
+mojnet.net, 1
+mojo.az, 1
+mojo.so, 1
+mojobrewband.com, 1
+mojoco.co.za, 1
+mojodentallaboratory.co.uk, 0
+mojomen.com, 1
+mojomen.net, 1
+mojomen.org, 1
+mojoshowers.ga, 1
+mojt.net, 1
+mojtabagol.tk, 1
+mojtest.site, 1
+mojzis.com, 1
+mojzis.cz, 1
+mojzisova.com, 1
+mokadev.com, 0
+mokaszinhaz.tk, 1
+mokeedev.com, 1
+mokeedev.review, 1
+mokhtarmial.com, 1
+mokrynskyi.com, 1
+moksha-movement.com, 1
+mokujinken.tokyo, 1
+mokum-organics.com, 0
+mokutovo.tk, 1
+moldinspectionslosangeles.com, 1
+moldova-online.ml, 1
+moldovanka.tk, 1
+moldovawall.tk, 1
+moldsearchers.ga, 1
+molecularbiosystems.org, 1
+moleestudio.com, 1
+molehill.it, 1
+molekula.hr, 1
+molenaagtekerke.tk, 1
+molenaar-ricardo.tk, 1
+moleskinestudio.com, 1
+molexces.com, 1
+molinillo.tk, 1
+moliporex.com, 1
+moliporex.pt, 1
+molise.store, 1
+molkerei-ammerland.com, 1
+molleron.net, 1
+molletjesveer.tk, 1
+mollie.com, 1
+mollie.nl, 1
+mollybears.org, 1
+mollyblooms.tk, 1
+mollyringworm.tk, 1
+mollysun.net, 1
+molodechno-mk.by, 1
+molodost.ga, 1
+molodost.gq, 1
+molodost.tk, 1
+molokaibreeze.com, 1
+molokov.tk, 1
+molot-tora.ml, 1
+molot-tora24.ga, 1
+molpay.com, 1
+molpek.com, 1
+moltapor.tk, 1
+molti.hu, 1
+molusk.ml, 1
+molwick.com, 1
+mom.life, 1
+moma.co.uk, 1
+moment-terroir.ch, 1
+momentalno.tk, 1
+momentmag.com, 1
+momentum.photos, 1
+momentumcoach.se, 1
+momentumcomfortgear.com, 1
+momentumdash.com, 1
+momentummarketers.ga, 1
+momi-chura.com, 1
+momimi.me, 1
+momistudio.com, 1
+momit.eu, 1
+momjoyas.com, 1
+mommoneymap.com, 1
+mommyapproveders.ga, 1
+mommyapprovedest.ga, 1
+mommydigest.ga, 1
+mommydigesters.ga, 1
+mommydigestest.ga, 1
+mommylessoners.ga, 1
+mommylessonest.ga, 1
+mommypantsest.ga, 1
+momo0v0.club, 1
+momobako.com, 1
+momochrome.online, 1
+momondersteuning.nl, 1
+momove.nl, 1
+moms.com, 1
+momsagainstcooties.com, 1
+momsays.co.za, 1
+momsbangteens.com, 1
+momslickteens.com, 1
+momspublictube.com, 1
+momstableonline.com, 1
+momtazz.net, 1
+momtits.com, 1
+momtubevideos.com, 1
+momy-genealogie.info, 1
+mon-a-lisa.com, 1
+mon-agenda.org, 0
+mon-agora.com, 1
+mon-assurance-deces.fr, 1
+mon-butin.fr, 1
+mon-cartable.fr, 1
+mon-code.net, 1
+mon-compte.bzh, 1
+mon-dolibarr.fr, 0
+mon-habitation.ca, 1
+mon-match.com, 1
+mon-partage.fr, 1
+mon-sac-italien.fr, 1
+mon-trafic.com, 1
+mon22.ch, 0
+monacannation.gov, 1
+monaco-automaten.de, 1
+monaco-info.tk, 1
+monacoexpress.tk, 1
+monad.io, 1
+monagenceentreprise-caap.fr, 1
+monarch.security, 1
+monarchcleanersnc.com, 1
+monarchelectric.com, 1
+monarcjuexpo.ch, 1
+monaroindustrial.com.au, 1
+monasteriumlab.com, 1
+monauralpress.com, 0
+monays.ga, 1
+monbebeautrement.fr, 1
+monbedou.net, 1
+monconcoursdgfip.fr, 1
+mondayaftersunday.com, 1
+mondaynightbrewing.com, 1
+monde-oriental.tk, 1
+monde.win, 1
+mondechenoafrance.tk, 1
+mondedie.fr, 1
+mondholz24.de, 1
+mondo-it.ch, 1
+mondo.rs, 1
+mondocellulari.tk, 1
+mondoffice.com, 1
+mondolila.tk, 1
+mondovisione.com, 1
+mondoviwi.gov, 1
+mondpo.pro, 1
+mondsee-psychotherapie.at, 1
+mondzorgparkzicht.nl, 1
+monechafaudage.com, 1
+moneni.com, 1
+moneoci.com.br, 1
+monerogamez.com, 1
+monese.com, 1
+moneshaq.fr, 1
+moneta-rossii.ru, 1
+monetenfuchs.de, 1
+monetize.ml, 1
+monetizer.co, 1
+monetizer.com, 1
+monetizzando.it, 1
+monetki.net, 1
+monettmo.gov, 1
+monex.ro, 1
+money-book.jp, 1
+money-earning.tk, 1
+money-fast.ga, 1
+money-finder.ml, 1
+money-loan-now.com, 1
+money-okey.tk, 1
+money-quick.cf, 1
+money-spell.com, 1
+money-tapuz.co.il, 1
+money-transfers.tk, 1
+money-trust.ru, 1
+money.bg, 1
+money4net.tk, 1
+moneybill.us, 1
+moneybird.com, 1
+moneybird.de, 1
+moneybird.nl, 1
+moneybirdstorage.com, 1
+moneyblo.com, 1
+moneychill.biz, 1
+moneyclick.tk, 1
+moneycredit.eu, 1
+moneydaily.tk, 1
+moneydecadadia.com, 1
+moneyextra.net, 1
+moneyfactory.gov, 1
+moneyformybeer.com, 1
+moneyfuxx.com, 1
+moneygo.se, 1
+moneygrup.tk, 1
+moneymania.tk, 1
+moneymart.ca, 1
+moneymet.ru, 1
+moneymint.com, 1
+moneyniti.com, 1
+moneyonchain.com, 1
+moneypot.com, 1
+moneyreal.tk, 1
+moneyreview.gr, 1
+moneysavingpro.com, 1
+moneysmart.gov.au, 1
+moneytalks.com, 1
+moneytech.tk, 1
+moneytoday.se, 1
+monfilm.tk, 1
+monforte.tk, 1
+mongla168.net, 1
+mongla88.net, 1
+mongolbox.tk, 1
+mongolito.tk, 1
+monhomecinema.fr, 0
+monibu.org, 1
+monicadurr.com, 1
+monicahq.com, 1
+monicamallampalli.com, 1
+monicanaranjo.tk, 1
+monicapotter.tk, 1
+monicz.pl, 1
+monidenum.fr, 1
+monific.com, 0
+monika.tk, 1
+monikadesign.uk, 1
+monin.net, 1
+moninformaticien.ovh, 0
+monique.io, 1
+moniquedekermadec.com, 1
+moniquevanhoutum.nl, 1
+monirtalk.ml, 1
+monirtalks.ml, 1
+moniteaucountymo.gov, 1
+monitman.solutions, 1
+monitor-mailtracker.com, 1
+monitor365.ch, 1
+monitorashop.com.br, 1
+monitorbandwidth.net, 1
+monitorbox.jp, 1
+monitord.at, 1
+monitordownloadsers.ga, 1
+monitorga.tk, 1
+monitoring-servers.tk, 1
+monitoring.kalisz.pl, 1
+monitoringanetwork.com, 1
+monitoringd.de, 1
+monitoringminecraft.ru, 1
+monitz.de, 1
+moniva.ru, 1
+monix.io, 1
+monjardin.tk, 1
+monjo.io, 1
+monjob.tk, 1
+monkey-donkey.es, 1
+monkey47.com, 1
+monkey47.events, 1
+monkey47shuffle.com, 1
+monkeybusiness.agency, 1
+monkeymills.ga, 1
+monkeys.pt, 1
+monkeysorce.tk, 1
+monkeytek.ca, 1
+monlissagebresilien.com, 1
+monloyer.quebec, 1
+monmouthcountynj.gov, 1
+monmouthmaine.gov, 1
+monmouthor.gov, 1
+monnai.com, 1
+monnaiecourante.tk, 1
+mono-money.com, 1
+mono0x.net, 1
+monobunt.at, 1
+monocircus.com, 1
+monocles.de, 1
+monocyte.host, 1
+monodejuegos.shop, 1
+monodrama.tk, 1
+monohost.ml, 1
+monokli.tk, 1
+monolithapps.com, 1
+monolithic.tk, 1
+monolithindustries.com, 1
+monolithon.net, 1
+monongaliasheriff.gov, 1
+monophy.com, 1
+monopoly.tk, 1
+monorail.cf, 1
+monorail.ga, 1
+monorail.gq, 1
+monordibogue.com, 1
+monorthopedagogue.ca, 1
+monospazzole.roma.it, 1
+monothesis.com, 1
+monoworks.co.jp, 1
+monoxoro.tk, 1
+monpanier-procter-et-gamble.fr, 1
+monplay.host, 1
+monrabais.fr, 1
+monrasp.ddns.net, 1
+monroecountymo.gov, 1
+monroecountyny-opi.gov, 1
+monroecountysheriff-ny.gov, 1
+monroecountywv.gov, 1
+monroect.gov, 1
+monroeoregon.gov, 1
+monroetn.gov, 1
+monsalvat.no, 1
+monshoppingcestcalais.fr, 1
+monsieurbureau.com, 1
+monsieursavon.ch, 0
+monsitemoncommerce.com, 1
+monsonshoney.com.au, 1
+monstahcapital.com, 1
+monster-ryot.com, 1
+monsterandfox.co.uk, 1
+monsterarmsest.ga, 1
+monstercurves.com, 1
+monstergovt.com, 1
+monsterlinkmarketing.com, 1
+monstermashentertainments.co.uk, 1
+monsterminigames.de, 1
+monsterminus.tk, 1
+monstermoney.tk, 1
+monsternet.pl, 1
+monsternotebook.com.tr, 1
+monstersuniversity.ga, 1
+monsterx.cn, 1
+monstl.com, 1
+monstresdesfetes.com, 1
+mont-thabor.fr, 1
+montack.de, 1
+montagetravel.com, 1
+montagnainitalia.com, 1
+montagne-experience.fr, 1
+montaguehotel.com, 1
+montala.com, 1
+montalvofarret.xyz, 1
+montanabiack.de, 1
+montanacreativitymovement.tk, 1
+montanaguard.gov, 1
+montanaonlinedivorce.com, 1
+montanasky.tv, 1
+montanatrouthunters.com, 1
+montanawi.gov, 1
+montanwerk.de, 1
+montarosa.tk, 1
+montas.io, 1
+montcalmcountymi.gov, 1
+montclairca.gov, 1
+montco.today, 1
+montebelloca.gov, 1
+montehermoso.tk, 1
+montelescope.fr, 1
+montenativo.de, 0
+montenegro-yacht.com, 1
+monterey.gov, 1
+montessori-oberhaching.de, 1
+monteurzimmerfrei.de, 1
+monteurzimmerking.deals, 1
+montevue.co.za, 1
+montgomeryboroughpa-police.gov, 1
+montgomerycountyal.gov, 1
+montgomerycountyar.gov, 1
+montgomerycountyclerkoh.gov, 1
+montgomerycountyhealthky.gov, 1
+montgomerycountyia.gov, 1
+montgomerycountyil.gov, 1
+montgomerycountync.gov, 1
+montgomerycountyoh.gov, 1
+montgomerycountypa.gov, 1
+montgomeryfirm.com, 1
+montgomerynj.gov, 1
+montgomeryohio.gov, 1
+montgomeryprobatecourtal.gov, 1
+montgomerysoccer.net, 1
+montgomeryvotesal.gov, 1
+monti.fi, 1
+montiallison.com, 1
+monticelloky.gov, 1
+montillafarm.com, 1
+montoneros.tk, 1
+montop.tk, 1
+montourcounty.gov, 1
+montourcountypa.gov, 1
+montrain.com, 1
+montrain.fr, 1
+montre-luxe-occasion.com, 1
+montrealcatadoptions.com, 1
+montrealwi.gov, 1
+montredeal.fr, 1
+montres-mh-besancon.fr, 1
+montsaintaignan.fr, 1
+montuan.com.br, 1
+montychristie.com, 1
+montyvlogs.com, 1
+monvalleyphotos.com, 1
+monvanityideal.com, 1
+monvoyagedentaire.com, 1
+monweb.tk, 1
+monzaradio.tk, 1
+monzatoday.it, 1
+monzo.me, 1
+monzo.tk, 1
+moocat.me, 1
+moodfabrics.com, 1
+moodfoods.com, 1
+moodforsex.com, 1
+moodgym.com.au, 1
+moodgym.de, 1
+moodifiers.com, 0
+moodle.gq, 1
+moodle.servebbs.com, 1
+moodsta.com, 1
+moodyfss.marketing, 1
+moodyfssrequest.com, 1
+mooglms.com, 1
+mooivoet.nl, 1
+moojp.co.jp, 1
+mooka.tk, 1
+moola.market, 1
+moolah.rocks, 1
+moom20101234567890.tk, 1
+moon.fish, 1
+moonagic.com, 1
+moonagic.io, 1
+moonbench.xyz, 1
+moonbooth.com, 1
+moonboxi.tk, 1
+moonboys.de, 1
+moonbyte.at, 1
+mooncharmshop.com, 1
+moonchart.co.uk, 1
+moondoor.tk, 1
+moondrop.org, 1
+moondsee.de, 1
+moonfist.eu, 1
+moonfreak.tk, 1
+moonhaa.com.br, 1
+mooninvoice.com, 1
+moonkin.eu, 1
+moonlabs.nl, 1
+moonlanders.nl, 0
+moonlight-pr.com, 1
+moonlight-show.tk, 1
+moonlightdesign.org, 1
+moonlightlovers.com, 1
+moonlightlovers.es, 1
+moonlightpicnic.tk, 1
+moonlights.tk, 1
+moonlighttheatre.tk, 1
+moonlit.cloud, 1
+moonlit.games, 1
+moonmelo.com, 1
+moonmoondomain.com, 1
+moonpay.com, 0
+moonpay.io, 1
+moonproject.io, 1
+moonracer.ga, 1
+moonraptor.co.uk, 0
+moonraptor.com, 0
+moonrhythm.info, 0
+moonrhythm.io, 1
+moonsalutations.com, 1
+moonsama.com, 1
+moonshadow.tk, 1
+moonshyne.org, 1
+moonsmanagement.be, 1
+moonspaceart.com, 1
+moonspell.com, 1
+moonssif.com, 1
+moonue.com, 0
+moonvpn.org, 1
+moonwolfwiccanschool.tk, 1
+moonzerotwo.tk, 1
+moopro.nl, 1
+mooreandsmalley.co.uk, 1
+mooreautoglass.com, 1
+moorelife.cn, 1
+mooremi.gov, 1
+mooremillerinvestmentgroup.ca, 1
+mooremoney.co, 1
+mooresvilletribune.com, 1
+mooretownrancheria-nsn.gov, 1
+moorfunevents.co.uk, 1
+moorheadmn.gov, 1
+moormiles.com, 1
+moorparkelectrical.com, 1
+moorparkelectrician.com, 1
+moorparkexteriorlighting.com, 1
+moorparklandscapelighting.com, 1
+moorparklighting.com, 1
+moorparkoutdoorlighting.com, 1
+moorstay.com, 1
+moort.be, 1
+moosic.co, 1
+moosikapp.ml, 1
+moosikapp.tk, 1
+moosmann-moehrle.de, 1
+moosmaus.tk, 1
+moot-info.co.za, 1
+moov.tk, 1
+moova.io, 1
+moove-it.com, 1
+moovemais.com.br, 1
+mopak.tk, 1
+moparcraft.com, 1
+moparcraft.net, 1
+moparcraft.org, 1
+moparinsiders.com, 1
+moparisthe.best, 1
+moparisthebest.com, 1
+moparisthebest.net, 1
+moparisthebest.org, 1
+moparpartsgiant.com, 1
+moparscape.net, 1
+moped-versichern.de, 1
+mopedpress.com, 1
+mopedreifen.de, 0
+mopie.de, 1
+moplay.org, 1
+mopliangxing.com, 1
+mopoclub.ru, 1
+moppeleinhorn.de, 1
+moppelito.tk, 1
+moppenfactory.tk, 1
+moquettes.roma.it, 1
+moquiridatabuaria.com.br, 1
+mor.estate, 0
+mora.pl, 1
+moracont.com, 1
+moradali.tk, 1
+moralcenter.cf, 1
+moralcompass.ga, 1
+moraldehornuez.tk, 1
+moraliswimwear.com, 1
+morandofora.com.br, 0
+moranyachts.com, 1
+morata.tk, 1
+moratilla.ml, 1
+moravostavdruzstvo.cz, 1
+morawiecki.pl, 1
+moraxyc.com, 1
+morbatex.com, 1
+morbitiles.org, 1
+morbius.cz, 1
+morbotron.com, 1
+morc.me, 1
+morchstore.com, 1
+mord-ost.de, 1
+mordamla.com, 1
+mordelles-altitude.fr, 1
+mordovia.cf, 1
+mordovia.ga, 1
+mordovia.gq, 1
+mordovia.tk, 1
+mordoviya.tk, 1
+more-hikkoshi.com, 1
+more-terrain.de, 1
+moreal.co, 1
+moreapp.co.uk, 1
+morebus.co.uk, 1
+morechance.de, 1
+morecigarettes.tk, 1
+morecreativelife.com, 1
+morediets.net, 1
+moreeducation.tk, 1
+morehertz.com, 1
+morehopefoundations.org.uk, 1
+morellilaw.com, 1
+moremindsbetter.com, 1
+morenadacentral.tk, 1
+morenci.ch, 1
+moreniche.com, 1
+moreno820.com.ar, 1
+moreoptimal.com, 1
+moreoptimal.world, 1
+morepablo.com, 1
+moreshop.pl, 1
+morespacestorage.co.uk, 1
+moresw.com, 1
+moretesting.tk, 1
+morethanautodealers.com, 1
+morethancode.be, 1
+morethandigital.info, 1
+moretti.camp, 1
+morevesi.cf, 1
+morewithcore.com, 1
+morfide.com, 1
+morgan-insurance.com, 1
+morgancounty-al.gov, 1
+morgancounty-il.gov, 1
+morgancountymo.gov, 1
+morgancountysheriffal.gov, 1
+morgancountyutah.gov, 1
+morgandesort.com, 1
+morganeb.be, 1
+morgansleisure.co.uk, 1
+morganton.com, 1
+morganwilder.com, 1
+morgengold.de, 1
+morghochak.com, 1
+morgner.com, 1
+mori-cdc.com, 1
+morindesrochersbeaulieu.ca, 1
+morinomiyako-a.co.jp, 1
+morioh.com, 1
+morisakimikiya.com, 1
+morishoji-english-school.com, 0
+moritoworks.com, 1
+moritz-baestlein.de, 1
+moritzkornher.de, 1
+moritztremmel.de, 1
+moriz.de, 1
+moriz.net, 1
+morke.tk, 1
+morleyeaglesteeball.org, 1
+morleygrainger.com, 1
+mormon-colleges.com, 1
+mormonleaks.io, 1
+mormonvoiceers.ga, 1
+mormonvoiceest.ga, 1
+mornatales.tk, 1
+morningbird.eu, 1
+morningcurve.com, 0
+morninggarden.com, 1
+morningstar.moe, 1
+morningstaruniversityonline.com, 1
+moro-gastro.de, 1
+moroccanews.tk, 1
+moroccofriendlytravel.com, 1
+moroccomiami.com, 1
+moroccotodaynews.ga, 1
+moroccotouristguide.com, 1
+moroccotravelingcars.com, 1
+moroccounfiltered.com, 1
+morocotacoin.news, 1
+morogoro.tk, 1
+morooi.cn, 1
+morosystems.cloud, 1
+morox.top, 1
+moroz.cx, 1
+morozko.gq, 1
+morozstudio.tk, 1
+morozyaka.tk, 1
+morph3d.tk, 1
+morphed.io, 1
+morpheusdata.com, 1
+morphisec-utp.com, 1
+morphitattachments.com.au, 1
+morphysm.co, 1
+morphysm.com, 1
+morphysm.de, 1
+morphysm.io, 1
+morphysm.org, 1
+morrellllc.com, 0
+morrharet.se, 1
+morris.computer, 1
+morrisvillemo.gov, 1
+morrisvillenc.gov, 1
+morrowga.gov, 1
+morrowind-finland.tk, 1
+morsang.net, 1
+morselife.org, 1
+morshedinterior.com, 1
+mortaltorment.tk, 1
+mortebrume.eu, 1
+mortengamstpedersen.tk, 1
+mortezaafri.tk, 1
+mortgagecalculator.biz, 1
+mortgageexpert.io, 1
+mortgagetranslations.gov, 1
+mortis.eu, 1
+mortonmspd.gov, 1
+morus.tk, 1
+morvo.mx, 1
+mos-camin.ru, 1
+mosa.guru, 1
+mosa.tk, 1
+mosaic-design.ru, 1
+mosaically.com, 1
+mosaicmarble.com, 1
+mosaicot.com, 1
+mosaique-lachenaie.fr, 1
+mosam.ru, 1
+mosautoshina.ru, 1
+mosboutique.it, 1
+moscardino.net, 1
+moscomes.com, 1
+moscow-moscow.tk, 1
+moscow-new.cf, 1
+moscow.tk, 1
+moscow001.com, 1
+moscowlove.tk, 1
+moscownews.ml, 1
+moscownights.org, 0
+moscowsex.tk, 1
+moscowtimes.tk, 1
+mosdosug.ml, 1
+mosdot.org.il, 1
+moseic.com, 1
+moselwi.gov, 1
+moserhof.it, 1
+moservice.id, 1
+mosfet.cz, 1
+mosfetkiller.de, 1
+mosharof-hossain.ml, 1
+moshaver-tahsili.com, 1
+moshavergroup.com, 1
+moshcore.tk, 1
+moshenniki.cc, 1
+moshiach.ru, 1
+moshiachtime.com, 1
+moshop.com.vn, 1
+moshwire.com, 1
+mosin.org, 1
+mosio.com, 1
+moskas.tk, 1
+moskeedieren.nl, 1
+moskva-city.cf, 1
+moskva-kamen.ru, 1
+moskvagruz.tk, 1
+moskvitch.org, 1
+mosmirmebeli.com, 1
+mosnews.tk, 1
+moso.io, 1
+mosobl.tk, 1
+mosquito-code.com, 1
+mosquito-sklep.pl, 1
+mosquitojoe.com, 1
+mossan.net, 1
+mosscade.com, 1
+mosselle.ro, 1
+mosshi.be, 1
+mossipanama.com, 1
+mossplants.ru, 1
+mossylog.tk, 1
+most.tk, 1
+mostafabanaei.cf, 1
+mostardela.pt, 0
+mostazaketchup.com, 1
+mostbet.com, 1
+mostbet2.com, 1
+mostbetr.com, 1
+mostdisturbingnews.com, 1
+mosternaut.com, 1
+mostfamousbirthdays.com, 1
+mostlyharmless.at, 1
+mostlyoverhead.com, 1
+mostmost.tk, 1
+mostqbalwatanalqahirah.com, 1
+mostquoted.com, 1
+mosttaza.com, 1
+mostware.nl, 0
+mosurist.tk, 1
+moswand.nl, 1
+motability.co.uk, 1
+motchirotchi.com, 1
+motd.ch, 1
+motekforce.link, 1
+motekforcelink.com, 1
+motekforcelink.eu, 1
+motekforcelink.net, 1
+motekforcelink.nl, 1
+motekmedical.com, 1
+motekmedical.eu, 1
+motekmedical.nl, 1
+motekrysen.com, 0
+moteksystems.com, 1
+moteksystems.net, 1
+motezazer.fr, 1
+moth.monster, 1
+motherboard.services, 1
+motherbrain.tk, 1
+motherearth.cf, 1
+mothereff.in, 0
+motherguru.ca, 0
+motherhood.se, 1
+motherhoodinblack.com, 1
+motherlondon.com, 1
+motherofsorrows.net, 1
+mothership.de, 1
+mothersmediaonline.ga, 1
+motichi.cf, 1
+motifstudio.com.ua, 1
+motion504.com, 1
+motional.com, 1
+motiondata-vector.at, 1
+motiondata-vector.com, 1
+motiondreamatix.de, 1
+motionglobeers.ga, 1
+motionory.com, 1
+motiv-rechts.tk, 1
+motiva.health, 1
+motivation.cc, 1
+motivational-babes.com, 1
+motivationalliance.com, 1
+motivness.com, 1
+motivo.nl, 0
+motiweb.fr, 1
+motlife.net, 0
+moto-texnika.tk, 1
+motoactionimola.it, 1
+motoblogism.com, 1
+motoboxbrasil.com.br, 1
+motobrasilferramentas.com.br, 1
+motochileneta.tk, 1
+motoclubentresemana.tk, 1
+motoclubrker.tk, 1
+motocrosssite.tk, 1
+motodb.co.uk, 1
+motodb.net, 1
+motodb.uk, 1
+motodeal.com.ph, 1
+motof.tk, 1
+motoforce.lt, 1
+motofoto.tk, 1
+motogb.net, 1
+motogrupblanes.tk, 1
+motohell.com, 1
+motojato.com.br, 1
+motokados.tk, 1
+motoland.ml, 1
+motolife.tk, 1
+motolinesupply.com, 1
+motomorgen.com, 1
+motonline.com.br, 1
+motor-agro.com, 1
+motor-agro.com.ua, 1
+motor-agro.ru, 1
+motor-cycles.tk, 1
+motor-forum.nl, 1
+motor1.com, 1
+motorbiketenerife.com, 1
+motorbiketourhanoi.com, 1
+motorcitycasino.com, 1
+motorcyclecentral.net, 1
+motordearranque.com.br, 1
+motoridiricerca.tk, 1
+motorinews24.com, 1
+motorkohler.es, 1
+motorline.ru, 1
+motorparts-images.nl, 1
+motorparts-online.com, 1
+motorring.ru, 1
+motorslopers.tk, 1
+motorspeed.de, 1
+motorsplus.com, 0
+motorsport-passion.com, 1
+motorst.dk, 1
+motortg.it, 1
+motortrend.com, 1
+motorways.tk, 1
+motorwrappen.nl, 1
+motoryachtclub-radolfzell.de, 1
+motorz.ca, 1
+motorzone.od.ua, 1
+motoscooter.eu, 1
+motoselfservices.fr, 1
+motospaya.com, 1
+motostyle.ua, 1
+mototax.ch, 1
+mototeam.tk, 1
+mototec.it, 1
+mototsi.com, 1
+mototuristas.tk, 1
+motovaruosad.ee, 1
+motovated.co.nz, 0
+motovio.de, 1
+motovrienden.tk, 1
+motowilliams.com, 1
+motoworld.biz, 1
+motransportinfo.com, 1
+motri-projekt.tk, 1
+motringeneric.tk, 1
+motshop.tk, 1
+motstats.co.uk, 1
+mott.pe, 1
+motte.tattoo, 1
+motto-iikoto.com, 1
+motum.no, 1
+motum.se, 1
+motumblekinge.se, 1
+motumport.se, 1
+motumskane.se, 1
+motun.ga, 1
+mou-pmr.tk, 1
+moube.fr, 1
+mouche.fr, 1
+moucloud.cn, 1
+mouff.li, 1
+mouldboard.ga, 1
+moulin-pomerol.com, 1
+moultonpdtx.gov, 1
+moultriecountyil.gov, 1
+mound.ga, 1
+moundvillewi.gov, 1
+mounimaharaj.tk, 1
+mouniresidences.com, 1
+mountain-retreat-center.com, 1
+mountain-rock.ru, 1
+mountainairandheating.com, 1
+mountainbatchers.de, 1
+mountainbell.net, 1
+mountainchalet.blue, 1
+mountaincitytx.gov, 1
+mountaindiscovery.org, 1
+mountaingrovemo.gov, 1
+mountainprotocol.com, 1
+mountainsandmist.com, 1
+mountainsmokes.com, 0
+mountainspiritinn.com, 1
+mountainspringsrentals.ca, 1
+mountainstage.org, 1
+mountaintree.net, 1
+mountainutilities.eu, 1
+mountairymd.gov, 1
+mountbatten.cz, 1
+mountbrowneguestcottage.ga, 1
+mountcarrollil.gov, 1
+mountclemens.gov, 1
+mountdora.gov, 1
+mountfield.co.nz, 1
+mountjoy.school, 1
+mountknowledge.nl, 1
+mountpost.tk, 1
+mountvernonin.gov, 1
+mountvictoryohio.gov, 1
+mountwashington-ma.gov, 1
+mountzdisposal.com, 1
+mouracloset.com.br, 1
+mourassiloun.com, 1
+mouse-ps.com, 1
+mouseflow.com, 1
+mousepotato.uk, 1
+moushed.tk, 1
+moussa-ibrahim.ml, 1
+moutiezhaller.com, 1
+mov, 1
+mova.club, 1
+movabletype.net, 1
+movacare.de, 1
+movaci.com, 1
+moval.gov, 1
+move-out-cleaning.co.uk, 1
+moveceara.com.br, 1
+movefi.com.br, 1
+moveissul.com.br, 1
+moveltix.net, 1
+movemais.com, 1
+movember.com, 0
+moveme.ca, 0
+movementhub.org, 1
+movementsodom.tk, 1
+moveon4.com, 1
+moveon4.de, 1
+moveonca.com, 1
+moveonfr.com, 1
+moveonlite.com, 1
+moveonru.com, 1
+movepin.com, 1
+movetonewcastle.com.au, 1
+movewellnesslab.com, 1
+movewithfiness.com, 1
+moveyourass.tk, 1
+movfun.ga, 1
+movie-download.cz, 1
+movie-infos.net, 1
+movie-sounds.org, 1
+movie1000.com, 1
+movieboost.nl, 1
+moviebox.com, 1
+movieeveningers.ga, 1
+movieeveningest.ga, 1
+moviefreeze.com, 1
+movieglot.ml, 1
+movieguys.org, 1
+moviejack.org, 0
+moviemadness.uk, 1
+movieoldiesest.ga, 1
+movieredeem.com, 1
+movies-diploma.fun, 1
+movies-fan.tk, 1
+movies1977.ga, 1
+movies4us.me, 1
+moviesetc.net, 1
+moviesrules.tk, 1
+moviestodownload.tk, 1
+movietopper.ml, 1
+movietradition.tk, 1
+moviewatchin.tk, 1
+movihut.com, 1
+moviko.nz, 1
+movil.uno, 1
+movilandroide.com, 1
+moviles.com, 1
+moviltronix.com, 1
+movimento-terra.it, 1
+movimentoterra.roma.it, 1
+moving-pixtures.de, 1
+movingjokesers.ga, 1
+movingjokesest.ga, 1
+movinglogistics.nl, 0
+movingoklahoma.org, 1
+movingservice-houston.com, 1
+movingtohttps.com, 1
+movio.ga, 1
+moviro.net, 1
+movlib.org, 1
+movnest.com, 1
+mowercountymn.gov, 1
+mowing-the-lawn.com, 1
+mowsey.org, 1
+mowster.com, 1
+mowster.net, 1
+moxfield.com, 1
+moxiegirlz.id, 1
+moy-biznes.tk, 1
+moy-gorod.od.ua, 0
+moy-ogorod.info, 1
+moy-urozhay.info, 1
+moy.cat, 1
+moybiznes.tk, 1
+moyer.pub, 0
+moylen.eu, 1
+moyminsk.tk, 1
+moyobi.com, 0
+moyogorod.info, 1
+moyu.host, 0
+moyufangge.com, 1
+moz.idv.tw, 1
+mozambiquetravel.com, 1
+mozartgroup.hu, 1
+mozektevidi.net, 1
+mozfr.org, 1
+mozgb.ru, 1
+mozgovoy.tk, 1
+mozilla-russia.org, 1
+mozilla.cz, 1
+mozo.com.au, 1
+mozzak.tk, 1
+mozzez.de, 1
+mozzi.online, 1
+mozzilla.cz, 1
+mp-bln.de, 1
+mp.gov.in, 1
+mp.org, 1
+mp3.tj, 1
+mp3cut.net, 1
+mp3gratuiti.com, 0
+mp3musicfind.ga, 1
+mp3noi.com, 1
+mp3skull.cf, 1
+mp3sort.biz, 0
+mpa-pro.fr, 1
+mpadegree.org, 1
+mpak.tk, 1
+mpamag.com, 1
+mpc-hc.org, 1
+mpc-view.net, 1
+mpcforum.pl, 1
+mpcmsa.org, 1
+mpdu.tk, 1
+mpebrasil.tk, 1
+mpetroff.net, 1
+mpfront.com, 1
+mpg.gg, 1
+mpg.ovh, 1
+mpgaming.pro, 1
+mpgu.tk, 1
+mphold.ru, 1
+mphprogram.com, 1
+mphprogramslist.com, 1
+mphq.de, 1
+mphwinkel.nl, 1
+mpi-sws.org, 1
+mpi.org, 1
+mpiac.com, 1
+mpk-chayka.org.ua, 1
+mpkrachtig.nl, 1
+mplanetphl.fr, 0
+mplant.io, 1
+mpodraza.eu, 1
+mpodraza.pl, 1
+mpool.eu.org, 1
+mpool.live, 1
+mpornoindir.tk, 1
+mpowr.com, 1
+mpps.it, 1
+mprep.info, 1
+mprsco.eu, 1
+mpsctriskelions.tk, 1
+mpserver12.org, 1
+mpsi1.fr, 1
+mpso.it, 1
+mpsoundcraft.com, 1
+mptdom.com, 1
+mptenders.gov.in, 1
+mptool.pt, 1
+mpu-ibbi.de, 1
+mpu-vorbereitung.com.de, 1
+mpy.ovh, 1
+mqacg.com, 1
+mqas.net, 1
+mqbeauty.com.tw, 1
+mqbx.nl, 1
+mr-7.ru, 1
+mr-a.de, 1
+mr-anderson.org, 0
+mr-bills.com, 1
+mr-brown.tk, 1
+mr-coffee.net, 1
+mr-englischkurse.de, 1
+mr-labo.jp, 1
+mr-moulding-knives.com, 0
+mr-plomberie.com, 0
+mr-wolf.nl, 0
+mr.bet, 1
+mr0.de, 1
+mr1310.com, 1
+mr1xbet.com, 1
+mr3.io, 1
+mr8.de, 1
+mraag.xyz, 1
+mrafrohead.com, 1
+mragroup.net, 1
+mrak.blog, 0
+mralonas.cf, 1
+mralonas.ga, 1
+mralonas.gq, 1
+mralonas.ml, 1
+mralonas.tk, 1
+mramor.ml, 1
+mrandmrsparrot.gr, 1
+mrandyyp.com, 1
+mranimal.tk, 1
+mrazek.biz, 1
+mrbeardcbd.es, 1
+mrbighungary.hu, 1
+mrbounce.com, 1
+mrbouncescrazycastles.co.uk, 1
+mrbouncycastle.com, 1
+mrbusiness360.com, 1
+mrc-productivity.com, 1
+mrca-sharp.com, 0
+mrcelulares.co, 1
+mrclutch.com, 1
+mrcog.tk, 1
+mrcomer.tk, 1
+mrcool.com, 1
+mrcool.store, 1
+mrcooldiy.ca, 1
+mrcooldiy.com, 1
+mrcoolevents.com, 1
+mrcoolfranchise.com, 1
+mrcoolfranchising.com, 1
+mrcooluniversal.ca, 1
+mrcooluniversal.com, 1
+mrcyberpixel.tk, 1
+mrd-rc.com, 1
+mrd-v.com, 1
+mrd.ninja, 1
+mrdatenschutz.de, 1
+mrdayman.com, 1
+mredsanders.net, 1
+mrenegades.com, 1
+mrephrase.com, 1
+mrevolution.eu, 1
+mrewards-production.herokuapp.com, 1
+mrewards-uat.herokuapp.com, 1
+mrfactors.com, 1
+mrfd.nl, 1
+mrfindfix.com, 1
+mrfinka.ml, 1
+mrformaltuxedos.com, 1
+mrfreshtruck.com, 1
+mrg-srv.ru, 1
+mrg-team.ru, 1
+mrgeek.ru, 1
+mrgstaticcdn.ru, 1
+mrgstaticcontent.ru, 1
+mrguider.org, 1
+mrgusercontent.ru, 1
+mrgutternj.com, 1
+mrhc.ru, 1
+mrhost.biz, 1
+mri.community, 1
+mrichard333.com, 1
+mricspatial.com, 1
+mrik.jp, 1
+mrinalpurohit.in, 1
+mrizzio.com, 1
+mrjbanksy.com, 1
+mrjo.sh, 1
+mrjunior.ga, 1
+mrjunior.ml, 1
+mrkapowski.com, 0
+mrknee.gr, 1
+mrkrabat.de, 1
+mrliu.me, 1
+mrlove.tk, 1
+mrmad.com.tw, 1
+mrmanson.tk, 1
+mrmarcie.com, 1
+mrmemory.co.uk, 1
+mrmeomeo.xyz, 1
+mrmn.nl, 1
+mrmoregame.de, 1
+mrmosier.tk, 1
+mrmostafaacademy.tk, 1
+mrnabetterlife.com.sg, 1
+mrnathanpowell.com, 1
+mrnh.tk, 1
+mrnice.ml, 1
+mrnonz.com, 1
+mrnordic.com, 1
+mrpanipiales.com, 1
+mrpcap.com, 1
+mrpetersen.de, 1
+mrplates.co.nz, 1
+mrplates.co.uk, 1
+mrplates.com.au, 1
+mrpluss.ml, 1
+mrpricegroup.com, 1
+mrrjva.gov, 1
+mrs-labo.jp, 1
+mrs-shop.com, 1
+mrsbairds.com, 0
+mrschristine.com, 1
+mrsejf.cz, 1
+mrshahin.cf, 1
+mrshang.tk, 1
+mrsheep.win, 1
+mrshish.com.au, 1
+mrsiding.net, 1
+mrsjinthelibrary.com, 1
+mrsk.me, 1
+mrssclaus.ca, 1
+mrstat.co.uk, 1
+mrston.ml, 1
+mrstuudio.ee, 1
+mrtg.com, 1
+mrtieungao.tk, 1
+mrtskidkispb.ru, 0
+mrtunnel.club, 1
+mru.org, 1
+mruczek.trade, 1
+mruczek.wiki, 1
+mruganiepodspacja.pl, 1
+mruniver.se, 1
+mrupert.com, 1
+mrux.io, 1
+mrux.pl, 1
+mrv.li, 1
+mrvl.net, 1
+mrvnt.co, 1
+mrwacky.com, 1
+mrwen.net, 1
+mrwindow.co.uk, 1
+mrwp.ru, 1
+mrwrestling.tk, 1
+mrxn.net, 1
+mrzonk.cf, 1
+ms-australia.de, 1
+ms-ch.ch, 1
+ms-fassmoebel.de, 1
+ms-wissenschaft.de, 0
+ms295.com, 0
+ms67pta.org, 1
+msa-aesch.ch, 1
+msa.bank, 1
+msahebhonar.com, 1
+msaludasuhogar.com, 1
+msar.eu, 1
+msbdocs.com, 1
+msc-corps.de, 1
+mscc.mu, 1
+mscc.org, 1
+msch.pw, 1
+mschuessler.org, 1
+msda23.gov, 1
+msdnicrosoft.cn, 0
+msdprojectclearmo.gov, 1
+msebera.cz, 1
+msedkiewicz.pl, 1
+mselectronique.tk, 1
+mserve.ddns.net, 1
+mservers.cz, 1
+msfishingcharter.com, 1
+msgallery.tk, 1
+msgauctions.com, 1
+msgr.com, 1
+msgroupitaly.com, 1
+msgs.ee, 1
+msgtrust.com, 1
+msh100.uk, 1
+msha.gov, 1
+mshastanddown.gov, 1
+mshemailmarketer.com.au, 1
+mshgame.ga, 1
+msi-zlin.cz, 1
+msiegmund.com, 1
+msieursvp.fr, 1
+msig-thai.com, 1
+msinc.ru, 1
+msisupplyinc.com, 1
+msize48.ch, 1
+msk-balkon.ru, 1
+msklawyer.com, 1
+msktc.org, 1
+mslivros.com.br, 1
+msm-data.com, 1
+msm.ai, 1
+msmails.de, 1
+msmeble.pl, 1
+msmetana.cz, 1
+msn.cn, 1
+msn.com, 1
+msnarzedzia.pl, 1
+msncash.cf, 1
+msnedu.org, 1
+msngr.com, 1
+msnhdd.info, 1
+msnr.net, 1
+msoc.gent, 1
+msoffice-inc.net, 1
+msoida.me, 1
+msoll.de, 1
+msoll.eu, 1
+msoutlook.info, 1
+msp.com.au, 1
+msp66.de, 0
+mspark.tk, 1
+mspatexas.com, 1
+mspcc.org, 1
+msphotographics.de, 0
+mspnocsupport.com, 1
+msprealestateinc.com, 1
+mspsocial.net, 1
+msquadrat.de, 0
+msquared.id.au, 1
+msr-schaltanlagen.de, 1
+msrf.de, 1
+msroot.de, 1
+msrumon.com, 1
+mss6.com, 1
+mssa.jp, 1
+msscholz.de, 1
+mssm-portal.com, 1
+mssora.com, 1
+mssys.de, 0
+mstazakka.com, 1
+mstdn.blue, 1
+mstdn.fm, 1
+mstdn.fr, 1
+mstdn.im, 1
+mstdn.in.th, 1
+mstdn.io, 1
+mstdn.party, 1
+mstever.com, 1
+mstr-f-dstrctn.de, 1
+mstridde.de, 1
+mstudio.tk, 1
+msu.edu.tr, 1
+msuess.me, 1
+msuna.net, 1
+msv-limpezas.pt, 1
+msvbeveiliging.nl, 1
+mswdtemplate.com, 1
+msx.org, 1
+msyndicate.com, 1
+msz-fotografie.de, 1
+mszavodumiru.cz, 1
+mt-bank.jp, 1
+mt-tech.fi, 1
+mt-west.org, 1
+mt.run, 0
+mt.search.yahoo.com, 0
+mt1016.com, 1
+mt1130.com, 1
+mt2414.com, 1
+mt2ofx.tk, 1
+mt4professional.com, 1
+mta-sts.email, 1
+mta-sts.eu, 1
+mta-sts.nl, 1
+mta.fail, 1
+mta.org.ua, 1
+mtabriz.de, 1
+mtane0412.com, 0
+mtangel.gov, 1
+mtap.in, 1
+mtasa.hu, 1
+mtasts.xyz, 1
+mtataes.gov.ma, 1
+mtauburnassociates.com, 1
+mtb.wtf, 1
+mtbfoodie.com, 1
+mtboutiques.com, 1
+mtcoks.gov, 1
+mtcq.jp, 1
+mtd.org, 1
+mtd.ovh, 1
+mtdnrc.gov, 1
+mte-online.com, 1
+mte.sk, 1
+mtechprecisioninc.com, 1
+mtehe-square.com, 1
+mtel.gr, 1
+mteleport.net, 1
+mtelizabeth.com, 1
+mtf.party, 1
+mtf.rip, 1
+mtf.wiki, 1
+mtfgnettoyage.fr, 1
+mtfwiki.com, 1
+mtfwiki.lgbt, 1
+mtfwiki.net, 1
+mtfwiki.org, 1
+mtfwiki.xyz, 1
+mtgoptex.com, 1
+mtgsuomi.fi, 1
+mthd.link, 1
+mthode.org, 1
+mthrbrd.com, 1
+mthrbrd.net, 1
+mths.be, 0
+mticareportal.com, 1
+mtinz.com, 1
+mtirc.co, 1
+mtjoytwppa.gov, 1
+mtkhs.com, 1
+mtlabs.jp, 1
+mtlconcerts.com, 1
+mtlebanonbaptist.church, 1
+mtlegnews.gov, 1
+mtltransport.com, 1
+mtludlow.co.uk, 1
+mtmedia.org, 1
+mtn-media.de, 1
+mtnc.nl, 1
+mtncoi-coe.com, 1
+mtnvalleyhospice.org, 1
+mtnwebwiz.com, 1
+mtoma.tk, 1
+mtouch.facebook.com, 0
+mtp-services.fr, 1
+mtpa.live, 1
+mtpleasant-tn.gov, 1
+mtr-croatia.tk, 1
+mtr.md, 1
+mtr123.cn, 0
+mtravelers.net, 1
+mtredistricting.gov, 1
+mtrx.tech, 1
+mts-energia.eu, 1
+mts-global.com, 1
+mtsafe.gov, 1
+mtsoftware.com.au, 1
+mtstandard.com, 1
+mtthwbrd.com, 1
+mttoubkaltrek.com, 1
+mtv.re, 1
+mtvernonlisbonpd-ia.gov, 1
+mtvroadies.tk, 1
+mtw.org, 1
+mtwolfpa.gov, 1
+mtz-bu.gq, 1
+mtz-info.gq, 1
+mtz-sng.gq, 1
+mtz80-mtz82.gq, 1
+mtzbelarus.gq, 1
+mtzfederico.com, 1
+mu-sigma.com, 1
+mu-thunder.online, 1
+mu-venezuela.tk, 1
+mu-wi.gov, 1
+mu.ax, 1
+mu.search.yahoo.com, 0
+mu00.org, 1
+mu105.cc, 1
+mu3e.com, 1
+mu3on.com, 1
+muabannhanh.com, 0
+muac-innolab.eu, 1
+muafakatmalaysia.ga, 1
+muafakatmalaysia.gq, 1
+muafakatmalaysia.ml, 1
+muanhamy.vn, 1
+muarstabyggmarknad.tk, 1
+mubase.dk, 1
+muble.tk, 1
+muc.space, 1
+muceniece.tk, 1
+muchamiel.nl, 1
+muchbetterthancash.com, 1
+muchisimos.com, 1
+muchohentai.com, 1
+muchoruidoacademy.com, 1
+muchotrolley.tk, 1
+muckingabout.eu, 1
+muclan.tk, 1
+mucmail.de, 1
+mucustoms.com, 1
+mudanzasjuniorh.com, 1
+mudanzaspacifico.com, 1
+mudanzasuiza.com.ec, 1
+mudanzasytransportesbh.com, 1
+mudaomundo.org, 1
+mudareganhar.pt, 0
+mudasobwa.tk, 1
+mudbenesov.cz, 1
+mudcomplex.ga, 1
+mudcomplexers.ga, 1
+mudcrab.us, 0
+muddy-bugs.co.uk, 1
+muddy-landrover.tk, 1
+mudey.pt, 1
+mudgezero.one, 1
+mudit.xyz, 0
+mudla.net, 1
+mudpiles.cat, 1
+mudramagik.com, 1
+mudrc.net, 1
+mudrex.com, 1
+mudrockrentals.com, 1
+muelhau.pt, 1
+muell-weg.de, 1
+muellapp.com, 0
+mueller-starck.de, 1
+mueller5.eu, 1
+muellerurology.com, 1
+muenchberger.com, 0
+muennich-coll.de, 1
+muenzen.tk, 1
+muenzenforum.tk, 1
+mufi.ga, 1
+mufibot.net, 1
+mufid.tk, 1
+muflon-linux.org, 1
+muga.space, 1
+muganworld.com, 1
+mugawe.com, 1
+mugdost.com, 1
+mugen.technology, 1
+mugfanatic.com, 1
+mugrabyhostel.tk, 1
+mugsstumpaward.com, 1
+muguayuan.com, 1
+muh.io, 1
+muhabarishaji.com, 0
+muhabbet.org, 1
+muhafazakarkiralikvilla.com, 1
+muhammadal-behairi.clinic, 1
+muhammadlukman.ml, 1
+muhammadmunif.ml, 1
+muhammed.tk, 1
+muhanov.net, 1
+muhanova.com, 1
+muhasebeci.org, 1
+muhasebekurslari.tk, 1
+muhcow.dk, 1
+muhibbulislam.tk, 1
+muhiminulhasan.me, 1
+muhlenbergtwppa.gov, 1
+muhrielle.org, 1
+mui.com, 1
+mui.fitness, 1
+mui.kitchen, 1
+mui.news, 1
+mui.pet, 1
+mui.today, 1
+muii.com.br, 1
+muilties.com, 1
+muir.eu.org, 1
+muir.fun, 1
+muir.pp.ua, 1
+muisoft.fi, 1
+muizenpagina.tk, 1
+muizenpuntje.tk, 1
+muj-sejf.eu, 1
+mujemail.ml, 1
+mujerescolombianas.tk, 1
+mujeresfemeninas.com, 1
+mujlinux.cz, 1
+mujoco.org, 1
+muk-kobetsu.com, 1
+mukli.hu, 1
+muku-flooring.com, 1
+mukwa.gov, 1
+mula.tk, 1
+mulaisehat.com, 1
+mulberryar.gov, 1
+mulberryfirear.gov, 1
+mulberrypolicear.gov, 1
+mulchexpressusa.com, 1
+mulder.social, 1
+mulderfamilie.tk, 1
+mulej.net, 1
+mulheres18.com, 1
+muling.lu, 1
+mulk.hopto.org, 1
+mullen.net.au, 1
+mullens-usedcars.be, 1
+mullerkappers.nl, 1
+mullett-townshipmi.gov, 1
+mullinsfarms.com, 1
+muloot.de, 1
+multerer.biz, 1
+multi-cryptex.gq, 1
+multi-fruit.tk, 1
+multi-pribor.ru, 1
+multi-soudures.fr, 1
+multi-tool.ml, 1
+multi-vpn.biz, 1
+multiagent.tk, 1
+multiasistencia.com, 1
+multibomasm.com.br, 1
+multichange.net, 1
+multiclinicacardio.com.br, 1
+multicoin.capital, 0
+multiconsumos.tk, 1
+multicore.cl, 1
+multicorpbra.com, 1
+multifamily.loans, 1
+multigamecard.com, 1
+multigeist.de, 1
+multigo.ru, 1
+multihobby.tk, 1
+multikalender.de, 0
+multilevelmarketing.cf, 1
+multiline.ge, 1
+multilingualpress.org, 1
+multilogik.com, 1
+multimalin.ovh, 1
+multimatte.com, 1
+multimedia-pool.com, 1
+multimedia.or.jp, 1
+multimediaworld.tk, 1
+multimediosmonti.com, 1
+multipassword.com, 1
+multipleapi.de, 1
+multiplex-rc.de, 1
+multiplex.tk, 1
+multiplexcy.com, 1
+multiplier-effect.org, 1
+multiplies.tk, 1
+multiply.co.za, 1
+multipotential-labo.com, 1
+multipuntos.ml, 1
+multirep.ch, 0
+multiroom-streaming.de, 1
+multischool.tk, 1
+multisite.ovh, 1
+multispaninc.com, 1
+multisportaustralia.com.au, 1
+multistas.tk, 1
+multitec.nl, 1
+multitek.no, 1
+multitenantlaravel.com, 1
+multiterm.org, 1
+multitheftauto.com, 1
+multitool.cf, 1
+multitraf.ga, 1
+multivideo.tk, 1
+multivpn.biz, 1
+multivpn.cn.com, 1
+multivpn.co.uk, 1
+multivpn.com.de, 1
+multivpn.com.ua, 1
+multivpn.fr, 1
+multivpn.su, 1
+multnomahvotes.gov, 1
+multsearch.eu.org, 1
+multymaq.com, 0
+mum.ceo, 1
+mum.lu, 1
+muma.cf, 1
+muma.ml, 1
+mumbaionlinegifts.com, 1
+mumbairoleplay.tk, 1
+mumble.be, 1
+muminkoykiran.com, 1
+mummatters.com.au, 1
+mummyandmephotography.com, 1
+mumolabs.com, 1
+mumszab.se, 1
+mumusofa.com.tw, 1
+muna.de, 1
+munakata-cl.jp, 1
+munch.me, 1
+munchcorp.com, 1
+mund-interdisziplinaer.com, 1
+mundo-otaku.tk, 1
+mundoalba.tk, 1
+mundoarabe.com.br, 1
+mundobizarro.tk, 1
+mundocompleto.tk, 1
+mundocristiano.tk, 1
+mundodalua.tk, 1
+mundodasmensagens.com, 1
+mundodastribos.com, 1
+mundodewill.com.br, 1
+mundodocurioso.com.br, 1
+mundodosagapornis.tk, 1
+mundoemalerta.com, 1
+mundofoto.tk, 1
+mundofriki.es, 1
+mundogamers.top, 1
+mundoinfrarrojo.com, 1
+mundojoven.tk, 1
+mundokia.com.co, 0
+mundokinderland.com.br, 1
+mundomagicotv.com, 1
+mundomovie.tk, 1
+mundonow.com, 1
+mundopatchwork.online, 1
+mundoperfecto.net, 1
+mundorealtv.tk, 1
+mundosat.com, 1
+mundoscrapbooking.online, 1
+mundoseth.tk, 1
+mundosteampunk.club, 1
+mundosuiri.ml, 1
+mundschenk.at, 1
+mundtec.com.br, 1
+munduberriak.com, 1
+munduch.cz, 1
+munduch.eu, 1
+muneni.co.za, 1
+munera.ca, 1
+munfordtn.gov, 1
+munialajuela.go.cr, 1
+munibilling.com, 1
+munich-eventlocations.de, 1
+municipioseducadores.es, 1
+munihei.de, 1
+muniplus.com.ar, 1
+munkeeboi.com, 1
+munki.org, 1
+munnezza.tk, 1
+munroads.com, 1
+muntajati-om.com, 0
+muntproever.nl, 1
+muntstuk.com, 1
+munwr.com, 0
+munzlocal10.org.nz, 1
+muoivancauhoivisao.com, 1
+mup-republicanos.tk, 1
+muqqabla.com, 1
+mur-parfait.com, 1
+mur-vegetal-interieur.fr, 1
+muradiyetemizlik.com, 1
+murakami-sah.com, 1
+muralart.ga, 1
+murasaki.co.uk, 1
+murasame.tech, 1
+murashun.jp, 1
+muratatifsayar.com.tr, 1
+muratbekgi.com, 1
+muratcileli.tk, 1
+muratec.tw, 1
+muratoff.pp.ua, 1
+muratore-roma.it, 1
+murciacobras.tk, 1
+murciaprocuradores.tk, 1
+murdercube.com, 1
+murena.io, 1
+murfreesboroar.gov, 1
+murfy.kiwi, 1
+murfy.nz, 1
+murgi.de, 1
+murksbreider.tk, 1
+murl.ml, 1
+murmansk.cf, 1
+murmanskforum24x7.tk, 1
+murmashi.com, 1
+murmashi.ru, 1
+murmures.net, 1
+murof.com.br, 1
+murphy-law.net.ru, 1
+murphydriverewards.com, 0
+murphysfire.gov, 1
+murray.xyz, 1
+murraya.cn, 1
+murraycountymn.gov, 1
+murraywaldren.com, 1
+murrietadogtrainers.com, 1
+murrsuit.eu, 1
+murrsuit.net, 1
+murrsuit.org, 1
+mursa.tk, 1
+mursatov.tk, 1
+murster.tw, 1
+mursu.directory, 1
+murtazamustafahirani.tk, 1
+murz.tv, 1
+murzallawfirm.com, 1
+murzik.space, 1
+musaccostore.com, 0
+musacomo.com, 1
+musafir-aceh.tk, 1
+musasionline.com, 1
+musaslush.com, 1
+musavat.com, 1
+musbizu.com.ng, 1
+muscatinecountyiowa.gov, 1
+muscatinejournal.com, 1
+muscle-home.fr, 1
+muscle-tg.com, 1
+muscleandrecovery.com, 1
+musclecarresearch.com, 1
+musclecarsillustrated.com, 1
+musclecarus.com, 1
+muscles.cf, 1
+muscolinomusic.com, 1
+muscularbabes.net, 1
+musculardystrophyuk.org, 1
+muscuolisq.cf, 1
+musearchengine.com, 1
+museclef.com, 1
+musecomunicazione.it, 1
+musedash.moe, 1
+museeducolombier.fr, 1
+museepab.fr, 1
+musehelix.com, 1
+museloveurania.com, 1
+museo.com.au, 1
+museodefutbol.online, 1
+museodeinsectos.tk, 1
+museodelistmo.tk, 1
+muserver.io, 1
+muses-success.info, 1
+musetti.tw, 1
+museumnachtgent.be, 1
+museumplantinmoretus.be, 1
+museumtravelalliance.com, 1
+museumwaalsdorp.nl, 1
+mush-room.co.jp, 1
+mushel.ddns.net, 1
+mushikabu.net, 1
+mushing.pl, 1
+mushino.com, 1
+mushka.ga, 1
+mushman.tk, 1
+mushroomcloud.moe, 1
+mushroomnetwork.co.za, 1
+mushroomtutor.com, 1
+music-is-my-life.de, 1
+music-privilege.fr, 1
+music-project.eu, 1
+music-store-download.com, 1
+music.amazon.com, 1
+musica.com, 1
+musicales.tk, 1
+musicall.com, 1
+musicalschwarzenburg.ch, 1
+musicandrelated.tk, 1
+musicapara.net, 1
+musicapopolareitaliana.net, 1
+musicaporbolivia.tk, 1
+musicare.com, 1
+musicasbr.com.br, 1
+musicbow.com, 0
+musicbox.party, 1
+musicchris.de, 1
+musicfactory.ml, 1
+musicflac4.tk, 1
+musicfor.us, 1
+musicfreakz.cf, 1
+musicfromgod.com, 1
+musicgamegalaxy.de, 1
+musicgeek.ga, 1
+musicgivesmelife.com, 1
+musichiphop.ga, 1
+musichome.tk, 1
+musicinsiderdigest.com, 1
+musickhouseleveling.com, 1
+musickorea.tk, 1
+musiclenta.tk, 1
+musiclite.tk, 1
+musicmasala.tk, 1
+musicnotesroom.com, 1
+musicompare.com, 1
+musicradar.co.il, 1
+musicradio.ga, 1
+musicradio.gq, 1
+musicradio.tk, 1
+musicrainbow.tk, 1
+musicrepublicmagazine.com, 1
+musicrooz.tk, 1
+musicschoolonline.com, 1
+musicsense.cf, 1
+musicsmoke.tk, 1
+musicsnippet.com, 1
+musicsrv.de, 1
+musicstudio.pro, 1
+musictech.com, 1
+musictools.tk, 1
+musictouch.ru, 1
+musicvideo.club, 1
+musicvietnam.tk, 1
+musicwear.cz, 0
+musigama.tk, 1
+musik-mentaltraining.ch, 1
+musik-reitemann.de, 1
+musik-vereinsbedarf.de, 0
+musikarti.com, 1
+musiker.tk, 1
+musikhaus-korn.de, 1
+musikholics.com, 1
+musikidersi.tk, 1
+musiktag2020.ch, 1
+musikverein-elten.de, 1
+musikverein-schuettorf.de, 1
+musikzentrale.net, 0
+musings.cloud, 1
+musings.tech, 1
+musiq-supreme.tk, 1
+musique2nuit.com, 1
+musiques-traditionnelles.ga, 1
+musition.cloud, 1
+musition.com, 1
+musition.net, 1
+musitioncloud.com, 1
+musitionfirst.com, 1
+muskegoncounty.gov, 1
+muskegontwpmi.gov, 1
+muskegowi.gov, 1
+musketiers.tk, 1
+muskuratimorning.tk, 1
+muslimah.boutique, 1
+muslimbanter.co.za, 1
+muslimmarriage.cf, 1
+muslimpocket.com, 1
+muslimsoul.cf, 1
+muslimsoul.ga, 1
+muslimsoul.gq, 1
+muslimsoul.ml, 1
+muslitocomics.tk, 1
+musmann.io, 1
+musopen.org, 1
+musoscorner.com.au, 1
+muspla.com.br, 1
+mussalains.com, 1
+musselsblog.com, 1
+mussonsppe.com, 1
+mussonstrading.com, 1
+musta.ch, 1
+mustangapparel.ca, 1
+mustard.llc, 1
+mustasj.no, 1
+mustat.com, 1
+muster-folien.de, 1
+muster-schablonen.de, 1
+musterihizmet.com, 1
+musterionsec.com, 1
+mustertexte-musterbewerbung.de, 1
+mustexist.tk, 1
+musthave.tk, 1
+musthavesforreal.com, 1
+musthinsider.com, 1
+mustika.cf, 1
+mustketing.com, 1
+musttest.com, 1
+musttest.email, 1
+musttest.eu, 1
+musttest.net, 1
+musttest.org, 1
+musubi-dev.net, 1
+musulmanesnuevos.tk, 1
+mususu.com, 1
+mutagen.io, 1
+mutahar.me, 1
+mutantmonkey.in, 1
+mutantmonkey.info, 1
+mutantmonkey.sexy, 1
+mutex.tech, 1
+mutfakyolu.com, 1
+muthai.in.th, 1
+mutiararentas.com.my, 1
+mutsumikai8989.com, 1
+mutua.es, 1
+mutua.it, 1
+mutual.ga, 1
+mutualcootradecun.com, 1
+mutualfunds.cf, 1
+mutualfunds.ml, 1
+mutualmoney.ml, 1
+mutualofomahamedicareplans.com, 1
+mutuals.cool, 1
+mutuelle.fr, 1
+muuglu.es, 1
+muunnin.net, 1
+muurari.tk, 1
+muusika.fun, 1
+muusikoiden.net, 1
+muv.co.uk, 1
+muwatenraqamy.org, 1
+muwi.tk, 1
+muxetv.com, 1
+muxup.com, 1
+muy.ooo, 1
+muydelgada.com, 1
+muyinternetsante.tk, 1
+muz-portal.com, 1
+muz2u.ru, 1
+muzcomedia.ru, 1
+muzenzacrianca.tk, 1
+muzetxe.com, 1
+muzeumkomiksu.eu, 0
+muzflix.net, 1
+muzi-tips.tk, 1
+muzi.cz, 1
+muzicamp3.org, 1
+muzicar.rs, 0
+muzicari.tk, 1
+muziekcentrumdebijloke.gent, 1
+muziekluisteren.eu, 1
+muziektermen.tk, 1
+muzikanews.tk, 1
+muzikantine.nl, 1
+muzike.tk, 1
+muzline.ua, 1
+muzmo.ga, 1
+muzotakt.pl, 1
+muzprosvet.tk, 1
+muzykanawesele.info, 1
+mv-schnuppertage.de, 0
+mv-spital.tk, 1
+mv-wohnen.de, 1
+mvandek.nl, 1
+mvarsamis.com, 1
+mvb-it.nl, 1
+mvbits.com, 0
+mvbstyling.nl, 1
+mvbug.com, 1
+mvccp.co.za, 1
+mvdmt.gov, 1
+mvelopes.com, 1
+mventix.com, 1
+mvib.net, 1
+mviess.de, 1
+mvisioncorp.com, 1
+mvistatic.com, 1
+mvmcorps.com, 1
+mvn.lu, 1
+mvno.io, 1
+mvorisek.com, 1
+mvorisek.cz, 1
+mvpinfo.ga, 1
+mvpower.pt, 1
+mvpzd.com, 1
+mvrcheck.com, 1
+mvrdrivingrecords.com, 1
+mvsp.ru, 1
+mvwdca.gov, 1
+mvwoensei.com, 1
+mvwoensei.xyz, 1
+mvwoensel.com, 1
+mvzstartpagina.tk, 1
+mw-power.ru, 1
+mw.search.yahoo.com, 0
+mwahyunz.id, 1
+mwai.edu.ph, 1
+mwamitours.com, 1
+mware-staging.azurewebsites.net, 1
+mwavuli.co.ke, 1
+mway.io, 1
+mwba.org, 1
+mwcwallet.com, 1
+mwd.world, 1
+mwdsls.gov, 1
+mwe.st, 1
+mwezi.org, 1
+mwhcp.org.au, 1
+mwicescholarship.com, 1
+mwinds.tk, 1
+mwmopd.gov, 1
+mwms.nl, 1
+mwnonline.net, 0
+mwohlfarth.de, 1
+mwork.tech, 1
+mwpromotion.fr, 1
+mwr.team, 1
+mwscouts.org, 1
+mwskwong.com, 1
+mwstrategicservices.com, 1
+mwtj.com, 1
+mwtown.gov, 1
+mwu.dk, 1
+mwv2wle.club, 1
+mww.moe, 1
+mx-moto.fr, 0
+mx-quad.fr, 0
+mx-solutions.net, 1
+mx.org.ua, 1
+mx.search.yahoo.com, 0
+mx310.jp, 1
+mx5international.com, 1
+mx86.eu, 1
+mxawei.cn, 1
+mxdanggui.org, 1
+mxdvl.com, 0
+mxes.net, 1
+mxgateway.eu, 1
+mxii.eu.org, 1
+mxin.ltd, 1
+mxn8.com, 1
+mxtm.de, 1
+mxtsoluciones.com.mx, 1
+my-aftershave-store.co.uk, 1
+my-azov.tk, 1
+my-best-wishes.com, 1
+my-bratsk.tk, 1
+my-calend.ru, 1
+my-carrent.de, 1
+my-cars.tk, 1
+my-clubpenguin.tk, 1
+my-contract.ch, 0
+my-contract.info, 0
+my-contract.net, 0
+my-coordinates.com, 1
+my-darkon.ru, 1
+my-demo.co, 1
+my-digital.fr, 1
+my-dns.co.il, 1
+my-documentforce.com, 1
+my-education.tk, 1
+my-finance.tk, 1
+my-force-user-content.com, 1
+my-fuhui.com, 1
+my-gps-tracker.co.uk, 1
+my-host.ovh, 1
+my-how-to-draw.com, 1
+my-hps.de, 1
+my-ifms.com, 1
+my-ip.work, 1
+my-itbk.de, 1
+my-kirov.tk, 1
+my-lightning-container.com, 1
+my-lightning.com, 1
+my-meal.nl, 1
+my-mediahome.ru, 1
+my-meteo.net, 1
+my-mobile-apps.com, 1
+my-montenegro.tk, 1
+my-nextcloud.at, 1
+my-optika.ru, 1
+my-pawnshop.com.ua, 0
+my-pharmacie.com, 1
+my-phone.tk, 1
+my-profile.org, 1
+my-road.de, 1
+my-salesforce-communities.com, 1
+my-salesforce-community-builder.com, 1
+my-salesforce-community-live-preview.com, 1
+my-salesforce-community-preview.com, 1
+my-salesforce-hub.com, 1
+my-salesforce-scrt.com, 1
+my-salesforce-sites.com, 1
+my-salesforce.com, 1
+my-salesforcescrt.com, 1
+my-sex-cam.com, 1
+my-static-demo-808795.c.cdn77.org, 1
+my-static-live-808795.c.cdn77.org, 1
+my-store.ch, 1
+my-stories.ml, 1
+my-story.ml, 1
+my-stuff-online.com, 1
+my-town.tk, 1
+my-tunisia.tk, 1
+my-visualforce.com, 1
+my-web.xyz, 1
+my-webcloud.at, 1
+my-website.top, 1
+my-woodcraft.com, 1
+my.cat, 1
+my.com.my, 1
+my.onlime.ch, 0
+my.urown.cloud, 1
+my.usa.gov, 1
+my1login.com, 1
+my4g.net, 1
+my4thtelco.com.sg, 1
+my4thtelco.sg, 1
+my630.org, 1
+my77.vip, 0
+myabakus.com, 1
+myaccount.google.com, 1
+myaccountview.net, 1
+myactivity.google.com, 1
+myafweb.com, 1
+myaggic.com, 1
+myairware.com, 1
+myakkatactical.com, 1
+myalliance.church, 1
+myalliancechurch.com, 1
+myalpine.shop, 1
+myalsadd.tk, 1
+myamend.com, 1
+myamihealth.com, 1
+myandre.tk, 1
+myandroidfriend.ml, 1
+myanimelist.net, 1
+myanimo.ml, 1
+myanmar-responsiblebusiness.org, 1
+myanmar.gov.mm, 1
+myapexcard.com, 1
+myappworx.com, 1
+myaquariumclub.com, 1
+myaquaterra.tk, 1
+myareaf2a.com, 1
+myarentcar.com, 1
+myarticlelibrary.cf, 1
+myarticles.io, 1
+myartsjournal.com, 1
+myasb.club, 1
+myathena.ai, 0
+myatipfile.com, 1
+myauto.ml, 1
+myayurvedicdiary.com, 1
+mybaby.bg, 1
+mybags.cf, 1
+mybakkupakku.com, 1
+mybank.com, 1
+mybaran.tk, 1
+mybarcelona.tk, 1
+mybathroom.tk, 1
+mybaticloud.com, 1
+mybb.com, 1
+mybb.de, 1
+mybbcode.tk, 1
+mybeancloud.co.za, 1
+mybeautyjobs.de, 1
+mybestbook.tk, 1
+mybestbooks.gq, 1
+mybestteam.tk, 1
+mybicc.org, 1
+mybieo.com, 1
+mybigplunge.com, 1
+mybillie.com, 1
+mybirds.tk, 1
+mybisnis.tk, 1
+mybizzmail.com, 1
+mybloggedlife.com, 1
+myblogwire.org, 1
+myblueprints.org, 1
+mybon.at, 0
+mybon.online, 1
+mybookbee.com, 1
+myboostport.com, 1
+myboothang.com, 1
+myborder.ru, 1
+mybotti.eu, 1
+myboxing.tk, 1
+mybpstar.com, 1
+mybrand.nl, 1
+mybrb.com, 1
+mybreakwatertower.com, 1
+mybritney.tk, 1
+mybro.tv, 1
+mybrokenheart.tk, 1
+mybsms.gr, 1
+mybts.fr, 1
+mybubbleteashop.com, 1
+mybuddytheplumberparkcity.com, 1
+mybudgetapp.com, 1
+mybuildingcertifier.com.au, 1
+mybupa.com.au, 1
+mycaelis.fr, 1
+mycalifornialemonlaw.com, 1
+mycam.gq, 1
+mycandylove.com, 1
+mycardplace.com, 1
+mycarecorner.net, 1
+mycarecrew.co, 1
+mycarinsurance123.com, 0
+mycarwashers.com, 1
+mycase.com.ua, 1
+mycats.tk, 1
+mycaviste.com, 1
+mycbils.uk, 1
+mychamberlain.co.nz, 0
+mychamberlain.com, 1
+mychamberlain.com.au, 0
+mychamberlain.eu, 0
+mychawinda.cf, 1
+mychemromance.tk, 1
+mychicken.info, 1
+mychicken.nl, 1
+mychildatschool.com, 1
+mycigna.com.hk, 1
+mycinema.pro, 1
+mycircleworks.com, 1
+myclang.com, 1
+myclasscam.com, 1
+myclgnotes.com, 1
+myclimate.com, 1
+myclinicalstudybuddy.com, 1
+myclon.tk, 1
+mycloud-system.com, 1
+mycloudbits.me, 1
+mycloudhome.site, 1
+mycloudhome.top, 1
+mycloudhome.xyz, 1
+mycloudkey.net, 1
+mycloudsaas.com, 1
+mycloudsoftware.com.br, 1
+mycodes.com.au, 1
+mycofairtrade.com, 0
+mycoins.gallery, 1
+mycoldjet.com, 1
+mycollegebag.in, 1
+mycolo.gq, 1
+mycolorado.gov, 1
+mycommerce.tk, 1
+mycompanion.cz, 1
+mycompanysite.host, 1
+myconan.net, 1
+myconan.tk, 1
+myconcorde.fr, 1
+myconf.com, 1
+myconf.es, 1
+myconf.uk, 1
+myconferencion.tk, 1
+myconnection.ie, 1
+myconradsiegel.com, 1
+myconsultingresources.com, 1
+mycontactacuvue.fr, 0
+mycontactopticien.fr, 0
+mycontrolmonitor.com, 1
+mycoordinates.xyz, 1
+mycopa.com, 1
+mycorbookkeeping.com, 1
+mycounterstrike.ru, 1
+mycr.eu, 1
+mycreditcardcenter.com, 1
+mycreditjunkie.com, 1
+mycreditunion.gov, 1
+mycredy.com, 1
+mycrm.coach, 0
+mycrowdstack.com, 1
+mycrypnet.io, 1
+mycts.org, 1
+mycues.gov, 1
+mycumortgage.com, 1
+mycyberspace.tech, 1
+mydabb.com, 1
+mydais.org, 1
+mydarkness.cf, 1
+mydarksite.tk, 1
+mydarkstar.net, 1
+mydarwin.co.uk, 1
+mydataprotected.com, 1
+mydating.be, 1
+mydaymark.com, 1
+mydaywebapp.com, 1
+mydeardreams.com, 1
+mydebian.in.ua, 1
+mydedicatedservice.ca, 1
+mydedicatedservice.com, 1
+mydegreeroute.com, 1
+mydentalplan.gr, 1
+mydentist.co.uk, 0
+mydenverhomesource.com, 1
+mydesignrules.com, 1
+mydestiny.tk, 1
+mydetailbox.com, 1
+mydigitalexperience.fr, 1
+mydigitalnation.com, 1
+mydirtyclub.com, 1
+mydirtyhobby.com, 1
+mydirtyhobby.de, 1
+mydirtysexstories.com, 1
+mydisabilitymatters.com, 1
+mydisabilitymatters.org.au, 1
+mydisco.tk, 1
+mydistance.tk, 1
+mydlonline.be, 1
+mydnshost.co.uk, 1
+mydoc.fr, 1
+mydocserve.com, 1
+mydoggyadvisor.com, 1
+mydogispolite.tk, 1
+mydogtrainingcollar.com, 1
+mydolls.ml, 1
+mydomen.ml, 1
+mydoxod.tk, 1
+mydreamlifelab.com, 1
+mydreamshaadi.in, 1
+mydrnetvpn.tk, 1
+mydroneservices.ca, 1
+mydroneservices.com, 1
+mydslwebstats.co.uk, 1
+mydsomanager.com, 1
+myduffyfamily.com, 1
+mydx.ru, 1
+myeasybooking.de, 1
+myebony.cam, 1
+myecms.com, 1
+myedcreview.cf, 1
+myeditclub.ml, 1
+myedu.ga, 1
+myedu.gq, 1
+myeducationhub.tk, 1
+myedumundo.com, 1
+myeisenbahn.de, 1
+myekon.com, 1
+myelebest.ga, 1
+myelka.tk, 1
+myelucidation.com, 1
+myemailadd.net, 1
+myemailsender.tk, 1
+myeml.net, 1
+myenemy.tk, 1
+myenglish.tk, 1
+myensolofts.com, 1
+myentspecialist.sg, 1
+myepass.bg, 1
+myepass.de, 1
+myeriri.com, 1
+myers.house, 1
+myersking.com, 1
+myessaydoc.com, 1
+myessaygeek.com, 1
+myetherwallet.com, 1
+myeventstation.com, 1
+myevive.com, 1
+myexams.nl, 1
+myf.cloud, 1
+myface.pt, 1
+myfae.eu, 1
+myfamilyancestry.tk, 1
+myfamilyfirsthc.com, 1
+myfancyurl.tk, 1
+myfantasysportstalk.com, 1
+myfavmessage.cf, 1
+myfavorite.com.tw, 1
+myfdic.gov, 1
+myfi24.ru, 1
+myfiladelfia.com, 1
+myfile.gq, 1
+myfinance.co.nz, 1
+myfinverse.com, 1
+myfinx.bh, 1
+myfinx.io, 1
+myfirenet.com, 0
+myfirstchessclub.com, 1
+myfishpalace.at, 1
+myfitnessbenefit.com, 1
+myfitnesscare.com, 1
+myflatfinders.com, 1
+myflightrefund.com, 1
+myfloridacfo.gov, 1
+myfloridadeferredcomp.com, 1
+myfloridahouse.gov, 1
+myfloridarealty.com, 1
+myfloridarx.gov, 1
+myformatconverter.com, 0
+myfortdodge.com, 1
+myforum.community, 1
+myfpvstore.com, 1
+myfreespiritpointscard.com, 1
+myfrenchtattoo.fr, 1
+myfsb.bank, 1
+myfuhui.com, 1
+myfunworld.de, 1
+myfursona.com, 1
+myfutanari.com, 1
+myfutureself.com.au, 1
+myfuturewebsite.co.uk, 1
+myfxbook.com, 1
+myfxcm.com, 1
+myg21.com, 1
+mygadgetguardian.lookout.com, 0
+mygallery.homelinux.net, 1
+mygameconsole.tk, 1
+mygaming.news, 1
+mygate.at, 0
+mygaypornstarlist.com, 1
+mygaysitges.com, 1
+mygd.org, 1
+mygear.live, 1
+mygedit.com, 1
+mygedit.info, 1
+mygedit.net, 1
+mygedit.org, 1
+mygeek.tk, 1
+mygeek911.com, 1
+mygeneral.org, 1
+mygeorgia.org, 1
+mygeotrip.com, 1
+mygermanuniversity.com, 1
+mygest.me, 1
+myggkungen.se, 1
+mygigabitnation.com, 1
+mygignation.com, 1
+mygilehery.tk, 1
+mygimp.tk, 1
+mygirlfriendshouse.com, 1
+myglobalopti.nl, 1
+mygnmr.com, 1
+mygobelin.tk, 1
+mygolod.com, 1
+mygomel.tk, 1
+mygov.scot, 1
+mygreatjob.eu, 1
+mygreatlakes.org, 1
+mygreatwebsite.co.uk, 1
+mygreencloset.com, 1
+mygreenrecipes.com, 1
+mygretchen.de, 1
+mygrodno.tk, 1
+mygtcup.co, 1
+mygymer.ch, 1
+myhabitshop.com, 1
+myhappiness.tk, 1
+myhealthchecked.com, 0
+myhealthcheckup.ca, 1
+myhealthcheckup.com, 1
+myhealthsquad.ca, 1
+myhealthyday.com, 1
+myhelcim.com, 1
+myhell-anonim.tk, 1
+myhelo.com, 1
+myhermes.co.uk, 1
+myhfstar.com, 1
+myhkweb.tk, 1
+myhmz.bid, 1
+myhollywoodnews.com, 1
+myhome-24.pl, 1
+myhoor.ga, 1
+myhostname.net, 1
+myhotel.sk, 1
+myhotgirls.ml, 1
+myhouse-ne.co.uk, 1
+myhouse.rocks, 1
+myhousestats.com, 1
+myhub.eu.org, 1
+myhurlburt.marketing, 1
+myhuthwaite.com, 1
+myibidder.com, 1
+myibp.ph, 1
+myicare.org, 1
+myid.be, 1
+myigetit.com, 1
+myimg.cn, 1
+myimmitracker.com, 1
+myinfoenter.tk, 1
+myinjuryattorney.com, 1
+myinsiderplus.com, 1
+myinstapy.ru, 0
+myinsurancesource.com, 1
+myintegrativehealthcenters.com, 1
+myinternist.com, 1
+myinvestinglife.com, 1
+myinvisibleknapsack.com, 1
+myip.com.tw, 1
+myip.solutions, 1
+myisolved.com, 1
+myjbn.org, 1
+myjobsearchengine.com, 1
+myjudo.net, 1
+myjumparoo.co.uk, 1
+myjumpsuit.de, 1
+myjuvelirika.ru, 1
+mykarelia.ga, 1
+mykarelia.tk, 1
+myke.website, 1
+mykelseyonline.com, 1
+mykill.pl, 1
+mykitchen.gq, 1
+mykolhoz.tk, 1
+mykonos-island.tk, 1
+mykontool.de, 1
+mykoreankitchen.com, 1
+mykukun.com, 1
+mykumedir.com, 1
+mykurgan.tk, 1
+mykursumlija.tk, 1
+mylabaih.com, 1
+mylacera.gov, 1
+mylastchapter.tk, 1
+mylatestnews.org, 1
+mylawer.ga, 1
+myld.be, 1
+mylearners.vic.gov.au, 1
+myled.ml, 1
+mylegacyvip.com, 1
+mylene-chandelier.me, 1
+mylever.com, 1
+mylfca.com, 1
+mylifeabundant.com, 1
+mylifeinbalance.be, 1
+mylifesphotograph.com, 1
+myliftmaster.eu, 0
+mylight.tk, 1
+myline.cf, 1
+mylisting.club, 1
+mylittlechat.ru, 1
+mylittleforum.ml, 1
+mylittlegrocer.co.uk, 1
+mylittlegrocer.com, 1
+mylittlewallpaper.com, 1
+mylittlewizard.fr, 1
+myliveupdates.com, 1
+myload.ch, 1
+myloan.hk, 1
+myloanmanager.com, 1
+mylobster.ml, 1
+mylocalairconditioning.com.au, 1
+mylocality.shop, 1
+mylocalmortgage.co.uk, 1
+mylocraft.tk, 1
+myloft.xyz, 1
+myloneworkers.com, 1
+mylotto.co.nz, 1
+mylover.be, 1
+mylrd.xyz, 1
+mylstrom.com, 1
+myltfilm.tk, 1
+myltivarka.ml, 1
+mymagic.ml, 1
+mymagnifi.org, 1
+mymailboxpro.cf, 1
+mymailspace.ml, 1
+mymaineconnection.gov, 1
+mymanagement.ml, 1
+mymartinbeckeropenhab.de, 1
+mymartinbeckeropenhab.eu, 1
+mymartinhalchiado.com, 1
+mymartinhalresidences.com, 1
+mymb.pm, 1
+mymcc.gift, 1
+mymdindia.com, 1
+mymdtaxes.gov, 1
+mymed.de, 1
+mymed.eu, 1
+mymedia.gotdns.com, 1
+mymediabox.com, 1
+mymerlin.co.nz, 0
+mymerlin.com.au, 0
+mymesra.com.my, 1
+mymixtapez.com, 1
+mymkphotography.com, 1
+mymo.in.th, 1
+mymommyworld.com, 1
+mymoneycoin.ml, 1
+mymonture.com, 1
+mymoretrip.com, 1
+mymotor.nl, 1
+mymovein.com, 1
+mymsr.de, 0
+mymun.com, 1
+mymun.net, 1
+mymusiclist.alwaysdata.net, 1
+mymusique.tk, 1
+mymx.lu, 0
+mynak.se, 1
+mynameistavis.com, 1
+mynametags.ae, 1
+mynametags.be, 1
+mynametags.com, 1
+mynametags.com.br, 1
+mynametags.fr, 1
+mynametags.ie, 1
+mynametags.it, 1
+mynametags.mt, 1
+mynametags.nl, 1
+mynametags.pt, 1
+mynas.ovh, 0
+mynaturalmood.es, 1
+mynaturebox.com, 0
+mynaughtyalbum.com, 1
+mynaui.com, 1
+mynavi-kaigo.jp, 1
+myndcommunication.com, 1
+myndighetermeddnssec.se, 1
+myndighetermedipv6.se, 1
+mynerva.io, 1
+mynetblog.com, 1
+mynetflow.com, 1
+mynetpay.be, 1
+mynetworkingbuddy.com, 1
+mynewhorizons.shop, 1
+mynewsfit.com, 1
+mynewsinc.org, 1
+mynext.events, 1
+mynextmove.org, 1
+mynic.my, 1
+mynimo.com, 1
+mynissan.ml, 1
+myniveshak.com, 1
+mynjhelps.gov, 1
+mynn.io, 0
+mynn.ml, 1
+mynook.info, 1
+mynr.ai, 1
+mynrg.gr, 1
+mynutrientcloud.com, 1
+mynxtcld.spdns.de, 1
+myocci.net, 1
+myoctocat.com, 1
+myoddlittleworld.com, 1
+myodysi.com, 1
+myofficeconnect.co.uk, 1
+myokaloosa.gov, 1
+myonline.store, 1
+myonlinemovies.ga, 1
+myonlinevehicleinsurance.com, 1
+myopd.in, 1
+myorder-pg.com, 1
+myorders.co, 1
+myoregon.gov, 1
+myosana.nl, 1
+myoueb.fr, 1
+myoukochou.com, 1
+myoutdooragent.com, 1
+myowncloud.ovh, 1
+myowncloud.pl, 1
+myownconference.com, 1
+myownconference.email, 1
+myowndisk.net, 1
+myowntutor.co.uk, 1
+mypaperdone.com, 1
+mypaperwriter.com, 1
+mypartnernews.com, 1
+mypathologos.gr, 1
+mypay.fr, 1
+mypaypac.com, 1
+mypcb.tk, 1
+mypeace.tk, 1
+mypenza.tk, 1
+mypeople.co.in, 1
+myperfecthome.ca, 1
+myperks.in, 1
+mypersonalpage.tk, 1
+mypetcloud.com, 1
+mypetitjob.fr, 1
+mypetsvetsltd.co.uk, 1
+mypharmjar.com, 1
+myphotogift.in, 1
+myphotonics.ml, 1
+myphotoprism.spdns.de, 1
+myphotos.ga, 1
+myphotoshopbrushes.com, 1
+myphx311.gov, 1
+myphysiocoach.ch, 1
+mypillcard.com, 1
+mypiloteis.com, 1
+mypinellasclerk.gov, 1
+mypivcard.com, 1
+myplaceonline.com, 1
+mypnu.net, 1
+mypogljad.tk, 1
+mypornsnap.top, 1
+myportal.ga, 1
+myposters.tk, 1
+mypowerserg.ca, 1
+mypowerserg.com, 1
+mypowersergca.ca, 1
+mypress.mx, 1
+myprintcard.de, 1
+myproblog.com, 1
+myprofitweb.com, 1
+mypromocode.com, 1
+mypropertal.com, 1
+myproteinpal.co.za, 1
+myprotime.eu, 1
+myproxy.eu.org, 0
+mypskov.tk, 1
+mypsy.online, 1
+mypsychicreadings.tk, 1
+mypvhc.com, 1
+myqrreview.com, 1
+myraboats.tk, 1
+myrandomtips.com, 1
+myrants.org, 1
+myrasp.eu, 1
+myrays.cloud, 1
+myraytech.net, 0
+myreadingmanga.info, 1
+myrealestateautomation.com, 1
+myrealestatemate.com.au, 1
+myred.net, 1
+myredserver.com, 1
+myref.net, 1
+myreferral.systems, 1
+myrekber.co.id, 1
+myremont.tk, 1
+myremotelogin.ddns.net, 1
+myrent.quebec, 1
+myrepubic.net, 1
+myrepubiic.net, 1
+myrepublc.net, 1
+myrepublic.asia, 1
+myrepublic.cf, 1
+myrepublic.cloud, 1
+myrepublic.com.cn, 1
+myrepublic.com.hk, 1
+myrepublic.com.kh, 1
+myrepublic.com.lk, 1
+myrepublic.com.my, 1
+myrepublic.com.ph, 1
+myrepublic.com.tw, 1
+myrepublic.eu.com, 1
+myrepublic.ga, 1
+myrepublic.gq, 1
+myrepublic.icu, 1
+myrepublic.in, 1
+myrepublic.limited, 1
+myrepublic.lk, 1
+myrepublic.ml, 1
+myrepublic.mobi, 1
+myrepublic.my, 1
+myrepublic.net, 1
+myrepublic.net.au, 1
+myrepublic.nz, 1
+myrepublic.ph, 1
+myrepublic.rocks, 1
+myrepublic.run, 1
+myrepublic.tk, 1
+myrepublic.tv, 1
+myrepublic.tw, 1
+myrepublic.us.com, 1
+myrepublic.xyz, 1
+myrepublicau.com, 1
+myrepublicaus.com, 1
+myrepublicbroadband.com.au, 1
+myrepublicfibre.com.au, 1
+myrepublicgroup.com, 1
+myrepublicinternet.com.au, 1
+myrepublicltd.com, 1
+myrepublicmy.com, 1
+myrepublicnz.com, 1
+myrepublicsg.com, 1
+myrepublictelecom.com, 1
+myrepubllc.net, 1
+myresearchapp.com, 1
+myresearchtoolbox.net, 1
+myresidence.de, 1
+myrevery.com, 1
+myreviews.ga, 1
+myrewardspoints.com, 1
+myria.com, 1
+myriad.com, 1
+myriadique.com, 1
+myriadlex.com.tw, 1
+myriadof.com, 1
+myrig.com, 1
+myrig.net, 1
+myrom.tk, 1
+myrotvorets.center, 1
+myrotvorets.news, 1
+myrp.co, 1
+myrtlebeachdogtrainers.com, 1
+myruststats.com, 1
+myrvog.net, 1
+myrvogna.net, 1
+myrxplans.com, 1
+mys.gov.sd, 1
+mysa.tk, 1
+mysafetygear.co.za, 1
+mysafeway.com, 1
+mysaldo.info, 1
+mysam.net, 1
+mysantanderpension.co.uk, 1
+mysavvastraining.com, 1
+mysavvywallet.com, 1
+mysaymk.tk, 1
+mysbaccoach.com, 1
+mysber.ru, 1
+mysbi.tk, 1
+myschool.edu.au, 1
+myschoolitaly.com, 1
+myschoolphoto.org, 1
+myschools.nyc, 1
+mysciencecloset.com, 1
+myseatime.com, 1
+mysecretstylist.ga, 1
+mysecurity.review, 1
+mysecurityevent.de, 1
+myseo.ga, 1
+myservicearl.com, 1
+myserviceportal.de, 1
+myservices.digital, 1
+myservik.ml, 1
+myseu.cn, 1
+mysexpedition.com, 1
+mysexvids.net, 1
+mysexycard.com, 1
+mysexydate24.com, 1
+myshenwang.tk, 1
+myshiftbid.com, 1
+myshikarpur.tk, 1
+myshowbiz.tk, 1
+mysidekick.io, 1
+mysignal.com, 1
+mysill.gr, 1
+mysilvershield.com, 1
+mysisterandi.co.za, 1
+mysitex.com, 1
+myslc.gov, 1
+mysmartloan.ca, 1
+mysmmstore.com, 1
+mysmmstore.in, 1
+mysmsapp.cn, 1
+mysociallinks.org, 1
+mysociety.ml, 1
+mysockfactory.ch, 1
+mysockfactory.com, 1
+mysoftbtrans.com, 1
+mysoftebelge.com, 1
+mysoftlonca.com, 1
+mysoundtalks.com, 0
+mysourceofhealth.com, 0
+myspa.vn, 1
+myspeedcash.com, 1
+myspicer.com, 1
+mysports.com, 1
+mysql-real-escape-string.xyz, 1
+mysqldump-secure.org, 1
+myssl.com, 1
+mystaffonline.com, 1
+mystagic.cloud, 1
+mysteriouscode.com, 1
+mysteriouscode.io, 1
+mysteriousmind.com.au, 1
+mystery-box.cf, 1
+mystery-science-theater-3000.de, 0
+mysterybeer.nl, 1
+mysteryboxes.co.uk, 1
+mysteryboxinc.com, 1
+mysteryfun.house, 1
+mysterymind.ch, 0
+mysteryshow.site, 1
+mystex.me, 1
+mystgames.tk, 1
+mystia.org, 1
+mystic-falls.tk, 1
+mystic-welten.de, 1
+mysticalroseschoolofcaloocan.com, 1
+mysticexperience.com, 1
+mysticgate.it, 1
+mysticmedia.net, 1
+mysticmine.shop, 1
+mysticrealm.tk, 1
+mystiko.eu, 1
+mystinkefinger.de, 1
+mystock911.com, 1
+mystoeckel.de, 1
+mystorage.work, 1
+mystore24.us, 1
+mystorydoctor.com, 1
+mystorymonster.com, 1
+mystown.org, 1
+mystream.com, 1
+mystreet.ga, 1
+mystrength.com, 1
+mystrix-esports.eu, 1
+mystudy.me, 1
+mystudycart.com, 1
+mystudymap.tk, 1
+mystyk.art, 1
+mystylion.com, 1
+mysupplements.ga, 1
+mysurfhostel.com, 0
+myswabi.tk, 1
+myswimmingclub.uk, 1
+myswitchelectric.com, 1
+myswooop.de, 1
+mytamarin.com, 1
+mytana.com, 1
+mytanningcompany.com, 1
+mytaratata.com, 1
+mytc.fr, 1
+myte.ch, 1
+mytea.life, 1
+mytecheg.com, 1
+mytefl.com, 1
+mytests.tk, 1
+mytfg.de, 1
+mythen-fonds.ch, 1
+mythenfonds.ch, 1
+mytherapist.com, 1
+mythicdelirium.com, 1
+mythiqueamerique.fr, 1
+mytime.fr, 1
+mytime.gl, 1
+mytimer.tk, 1
+myting.net, 1
+mytntware.com, 1
+mytoncityut.gov, 1
+mytraiteurs.com, 1
+mytraning.cf, 1
+mytransmissionexperts.com, 1
+mytravelblog.de, 1
+mytravelguide.tk, 1
+mytravelresearch.com, 1
+mytreasury.gov, 1
+mytrendiya.com, 1
+mytrialist.org, 1
+mytribus.com, 1
+mytrinity.com.ua, 1
+mytripcar.co.uk, 1
+mytroc.pro, 1
+mytruecare.org, 1
+mytrustadviser.com, 1
+mytty.net, 1
+mytuleap.com, 1
+mytun.com, 1
+myturf.com.au, 0
+mytuzla.tk, 1
+mytwilight.tk, 1
+myunitard.uk, 1
+myunitypoint.org, 1
+myunraid.ru, 1
+myupdatestudio.com, 1
+myupdatesystems.com, 1
+myupdateweb.com, 1
+myusagepayments.com, 1
+myvaccinefl.gov, 1
+myvacompany.com, 1
+myvalleymarketing.com, 1
+myvau.lt, 1
+myvawic.org, 1
+myvcc.ru, 1
+myvegasadvisor.com, 1
+myveronanj.com, 1
+myvet.ie, 1
+myviewboard.com, 1
+myvoipnews.com, 0
+myvologda.tk, 1
+myvotect.gov, 1
+myvpl.com, 1
+myvulcan-platinum.ru, 1
+mywalletcrypto.cf, 1
+mywapforum.ga, 1
+mywari.com, 1
+myweb360.de, 1
+mywebexperience.gq, 1
+mywebinar.com, 1
+mywebinar.io, 1
+mywebpanel.eu, 1
+mywebpanel.nl, 1
+mywebpharmacy.tk, 1
+mywebserver.ml, 1
+myweightlosstips.tk, 1
+mywestondental.com, 1
+mywifiext.net, 1
+mywihomes.com, 1
+mywikis.net, 1
+mywindscreen.my, 1
+mywish.co.il, 1
+mywonderland.co.nz, 1
+myworkboard.com, 1
+myworkfromhome.ml, 1
+myworkplaceperks.ca, 1
+myworkplaceperks.com, 1
+myworldbbs.tk, 1
+myworth.com.au, 1
+mywrecklawyer.com, 1
+myxnr.com, 1
+myxt.net, 1
+myxxxsite.tk, 1
+myyoutubepage.tk, 1
+myzarabot.tk, 1
+myzina.cz, 0
+myzoetrope.com, 1
+mz-mz.net, 1
+mza.com, 1
+mzademiryolu.com, 1
+mzcsgo.top, 1
+mzflirt.de, 1
+mzitu.com, 1
+mzlive.eu, 1
+mzlog.win, 1
+mzmtech.com, 1
+mzorn.photography, 0
+mzplumber.com, 1
+mzr.jp, 1
+mzri.ru, 1
+mzrme.top, 1
+mzstatic.cc, 1
+mztmzt.com, 1
+mzyxsl.top, 1
+n-cis.ru, 1
+n-design-service.de, 1
+n-design.de, 1
+n-doc.com, 1
+n-doc.de, 1
+n-gram.it, 1
+n-laboratory.jp, 0
+n-linear.org, 1
+n-m.lu, 1
+n-man.info, 1
+n-metz.de, 1
+n-pix.com, 0
+n-tennis.fr, 1
+n-un.de, 0
+n.ee, 1
+n.rich, 1
+n.tt, 1
+n0099.net, 1
+n03.top, 1
+n0paste.tk, 0
+n1.homes, 1
+n15.org, 1
+n16.co, 1
+n1co68.freeboxos.fr, 1
+n1mp.org, 1
+n26.com, 1
+n29.co, 0
+n2diving.net, 1
+n2o.io, 1
+n2oclub.com, 1
+n2z.net, 1
+n36533.com, 1
+n37.co, 1
+n3rd.eu, 1
+n3rd0rama.tk, 1
+n3t.ch, 1
+n4mullingartolongford.ie, 1
+n4zm.com, 1
+n5197.co, 1
+n61roscommon.ie, 1
+n6729.co, 1
+n6729.com, 0
+n6957.co, 1
+n7.education, 1
+n8.gay, 1
+n82365.com, 1
+n87pedia.tk, 1
+n888ok.com, 1
+n8ch.net, 1
+n8mgt.com, 1
+n8nvi.com, 1
+n8s.jp, 1
+n8solutions.biz, 1
+n8solutions.host, 1
+n8solutions.net, 1
+n8solutions.us, 1
+n8ta.com, 1
+n9297.co, 1
+n95.news, 1
+n95s.icu, 1
+n95s.tech, 1
+n9728.co, 1
+na-agency.com, 1
+na-kipre.tk, 1
+na-school.nl, 1
+na.nl, 1
+na1.nl, 1
+naacam.org.za, 1
+naahgluck.de, 1
+naamlint.nl, 1
+naano.org, 1
+naap.tk, 1
+naarenaa.tk, 1
+naaronstoe.nl, 1
+nab-services.ml, 1
+nabaleka.com, 1
+nabc.com.au, 1
+nabeer.ga, 1
+nabeez.cf, 1
+nabidka.net, 1
+nabidkydnes.cz, 1
+nabiev.tk, 1
+nabitrix.tk, 1
+nabokov.tk, 1
+naboplastic.com, 1
+nabosoft.tk, 1
+nabzgroup.com, 1
+nac-6.fr, 1
+nac.gov.pl, 1
+nacfit.com, 1
+nachalniku.cf, 1
+nachalniku.ga, 1
+nachalniku.gq, 1
+nachalniku.ml, 1
+nachalniku.tk, 1
+nachalosbog.bg, 1
+nachalova.tk, 1
+nachbar.chat, 1
+nachdenken-erlaubt.de, 1
+nachoblanco.tk, 1
+nachovni.org, 1
+nachsendeauftrag.net, 0
+nachsenden.info, 1
+nachtmuziek.info, 1
+nacin.com, 1
+nacionale.com, 1
+nacionaltelha.com.br, 1
+nackwallpapers.ml, 1
+nacnkabiltrim.cf, 1
+nacocu.cf, 1
+nacom.tk, 1
+nacoree.ga, 1
+nacres.tk, 1
+nacsonline.tk, 1
+nacu.com.np, 1
+nacua.org, 1
+nacudeck.com, 1
+nacyklo.cz, 1
+nad-r.com, 1
+nada.com, 1
+nada.org, 1
+nadabrahma-hangtalmasszazs.hu, 1
+nadache.info, 1
+nadacnifondacr.cz, 1
+nadaquenosepas.com, 1
+naddi.org, 1
+nadejeproninu.cz, 1
+nadeko.net, 1
+nadelholzkulturen.de, 1
+nadex.com, 1
+nadezhda.ml, 1
+nadiafourcade-photographie.fr, 1
+nadilo.com.br, 1
+nadine-birkner.de, 1
+nadine-chaudier.net, 1
+nadinecays.com, 1
+nadinethings.gq, 1
+nadir.tk, 1
+nadjabenaissa.tk, 1
+nadjasummer.com, 1
+nadlan.immo, 1
+nadlerdentistry.com, 1
+nadoba-msk.ru, 1
+nadomna-rabota.tk, 1
+nadoske.info, 1
+nadsandgams.com, 1
+naduvilathu.tk, 1
+nadyaolcer.fr, 1
+naec.ge, 1
+naeemsafdar.net, 1
+naehenfuerwahrekleinehelden.de, 1
+naehtalente.de, 1
+naemnuk.tk, 1
+naf-connect.com, 1
+nafco-online.com, 1
+nafconnexus.com, 1
+nafezly.com, 1
+nafhomes.com, 1
+nafhroaviano.com, 1
+nafilia.com, 1
+nafod.net, 1
+nafto.org, 1
+nag.org.au, 1
+naga-semi.com, 1
+naga-wedding.tk, 1
+naga.com, 1
+naga.gq, 1
+naga.im, 1
+nagaragem.com.br, 1
+nagashi.ma, 0
+nagato.tk, 1
+nagaya.biz, 1
+nagb.gov, 1
+nagb.org, 1
+nagel-dentaltechnik.de, 1
+nageler.org, 1
+nagelfam.com, 1
+nagelideeen.ml, 1
+naggie.net, 1
+nagoonline.com, 1
+nagoya.tk, 1
+nagpurinstar.tk, 1
+nagrad.tk, 1
+nagya.com, 1
+nagya.eu, 1
+nagya.net, 1
+nagyandras.com, 1
+nagyandras.eu, 1
+nagyandras.net, 1
+nagybotond.com, 0
+nah.nz, 1
+nah.re, 1
+naheulcraft.be, 1
+nahfe.xyz, 1
+nahman.tk, 1
+nahouw.net, 1
+nahrag.tk, 1
+nahrung.de, 1
+nahs-classof1972.com, 1
+nahtanoj.tk, 1
+nahttps.tk, 1
+nahue.ar, 1
+nahue.com.ar, 1
+nahura.com, 1
+nai-job.jp, 1
+naia.me, 1
+naide.ee, 1
+naidoc.org.au, 1
+naifix.com, 1
+naijabeat.com, 1
+naijapower.com, 1
+naijaretro.com, 0
+naijaxnet.com.ng, 1
+naijmobile.com, 1
+naika.clinic, 1
+nailartstudio.it, 1
+nailattitude.ch, 0
+nailchiodo.com, 1
+nailclub.tk, 1
+naildesignsjournal.com, 1
+nailmoscow.ru, 1
+nails-n-more.be, 1
+nailsart.roma.it, 1
+nailshop.gq, 1
+nailsmania.ua, 1
+nailspafinder.com, 1
+naim.tk, 1
+nairamine.org, 1
+nairobibusinessreview.com, 1
+nairus.com.br, 1
+nais.org, 1
+najany.de, 1
+najany.dk, 1
+najany.nl, 1
+najany.se, 1
+najarkadeh.com, 1
+najbezpieczniejsze.pl, 1
+najdou.cz, 1
+naji-astier.com, 1
+najprzepis.pl, 1
+najrecept.sk, 1
+naka.io, 1
+nakaci.de, 1
+nakacide.com, 1
+nakada-shika.com, 1
+nakada4610.com, 1
+nakagawa-d.co.jp, 1
+nakagawa-s.jp, 1
+nakahama-dental.com, 1
+nakajima-kawara.com, 1
+nakalabo.jp, 1
+nakama.tv, 1
+nakamastudios.com, 1
+nakamochi.io, 1
+nakanishi-paint.com, 1
+nakanocity-cashless.jp, 1
+nakayama.industries, 1
+nakayamaresearch.com, 1
+nakazanie.ga, 1
+naked.pics, 1
+nakedalarmclock.me, 1
+nakedbigdickmen.com, 1
+nakedfacts.co.uk, 0
+nakedgirls247.xxx, 1
+nakedinkas.com, 1
+nakedmaturepics.com, 1
+nakedpussypics.com, 1
+nakedpussyvideos.com, 1
+nakedtruth.in, 1
+nakedwomenpics.com, 1
+nakenmodell.tk, 1
+nakib4tech.com, 1
+nakim.cf, 1
+nakin.tk, 1
+nakisa.com, 1
+nakka.ch, 1
+nakkati.tk, 1
+nakliyat.name.tr, 1
+nakliye.name.tr, 1
+nakluky.cz, 1
+nako.blog, 1
+nako.kr, 1
+nako.no, 1
+naksquad.net, 1
+nakukata.com, 1
+nakupi.online, 1
+nakupnabytku.sk, 1
+nalanyinyun.top, 1
+naldydimpudus.com, 1
+nale-hosting.tk, 1
+nalepky-na-zed.cz, 1
+nalepte.cz, 1
+nalexandru.xyz, 1
+nalios.be, 1
+nalle.fi, 1
+nalles.net, 1
+nalresearch.com, 1
+naltrexon.gq, 1
+nalukfitness.com.br, 1
+nalwin.cc, 1
+namaanakperempuan.net, 1
+namabank.com.vn, 1
+namacindia.com, 1
+namalelaki.com, 1
+namamala.com, 1
+namaperempuan.com, 1
+namastehomecooking.com, 1
+namastenaturo.fr, 1
+namastewestland.nl, 1
+namazon.org, 1
+namazvakitleri.com.tr, 0
+namclear.com.na, 1
+name.am, 1
+name.ax, 1
+namecoin.info, 1
+namecoin.org, 1
+namedb.ru, 1
+namegen.jp, 1
+namegrep.com, 1
+nameid.org, 1
+namepros.com, 1
+nameproscdn.com, 1
+namereel.com, 1
+nameserver.tk, 1
+nameshield.com, 1
+nameshield.net, 1
+namesmaker.com, 0
+namesnack.com, 1
+namespacesquatting.com, 1
+namestudio.com, 1
+namestudioapi.com, 1
+nametalent.com, 1
+namethatporn.com, 1
+namethissymbol.com, 1
+nametiles.co, 1
+namevirus.com, 1
+namevirus.net, 1
+namevirus.org, 1
+nami.bo, 1
+nami.exchange, 1
+nami.trade, 1
+namikawatetsuji.jp, 1
+naminam.de, 1
+namlcftc.gov.ae, 1
+nammont.com, 1
+namoro.com.pt, 1
+namozagy.com, 1
+namrs.net, 1
+namsbaekur.is, 1
+namskra.is, 1
+namu.la, 1
+namu.live, 1
+namu.moe, 1
+namu.news, 1
+namu.wiki, 1
+nan0.cloud, 1
+nanafeed.com, 1
+nanaimo.ca, 1
+nanaimoneighbourhoods.ca, 1
+nanaka.love, 1
+nanaya.net, 1
+nanaya.pro, 1
+nanboya.com, 1
+nancecountyne.gov, 1
+nanch.com, 1
+nanco.co.jp, 1
+nanco.jp, 1
+nancytelford.com, 1
+nancytutors.com, 1
+nancyzone.tk, 1
+nandajorna.nl, 1
+nandakumar.co.in, 1
+nandakumar.org, 1
+nandapanithota.xyz, 1
+nandedam.com, 1
+nandedbazar.tk, 1
+nandemo.tk, 1
+nandertga.ddns.net, 1
+nandi.tech, 1
+nandito.tk, 1
+nanfangstone.com, 1
+nange.cn, 1
+nangluongxanhbinhphuoc.com, 1
+nangwizard.net, 1
+nanhuimed.com, 1
+nanhuitop.com, 0
+naninossoftware.tk, 1
+nanjie.com.tw, 1
+nanjiyy.com, 1
+nankiseamansclub.com, 1
+nanmu.me, 1
+nannatextiles.com, 1
+nannatextiles.de, 1
+nannyandhousekeeper.uk, 1
+nannytax.ca, 1
+nano.com.au, 1
+nano.voting, 1
+nanoavionics.com, 1
+nanodynelabs.com, 1
+nanofate.tk, 1
+nanofy.org, 1
+nanogi.ga, 1
+nanogramme.fr, 0
+nanohatsolution.tk, 1
+nanohostsolution.cf, 1
+nanointeractive.cn, 1
+nanolet.ga, 1
+nanollet.org, 1
+nanomicron.eu, 1
+nanomusic.co.kr, 1
+nanopixel.ch, 1
+nanoport.jp, 1
+nanoprogress.pl, 1
+nanosek.pro, 1
+nanosene.com, 1
+nanoshop.ml, 1
+nanospheres.tk, 1
+nanostetic.com, 1
+nanostix.com.my, 1
+nanotechnologist.com, 1
+nanotechnologysolutions.com.au, 1
+nanotechtorsion.com, 1
+nanotipbot.tk, 1
+nanotrasen.org, 0
+nanovolt.nl, 1
+nanowallet.io, 1
+nansa.ch, 1
+nanubo.com, 1
+nanubo.de, 1
+nanucchy.com, 1
+nanxin.xyz, 1
+nao.sh, 1
+naob.no, 1
+naocan.cf, 1
+naocan.ml, 1
+naotron.com, 1
+napavalleyregister.com, 1
+napcae.de, 1
+napervilleweather.com, 1
+naphex.rocks, 1
+napi.edu.ee, 1
+napidoktor.hu, 1
+napifilm.com, 1
+napikuponok.hu, 1
+napilol.ml, 1
+napisdata.us, 1
+napitok.tk, 1
+napituti.cf, 1
+napkins-wholesale.co.za, 1
+napkins-wholesale.com, 1
+napkins-wholesale.in, 1
+napkins-wholesale.nz, 1
+napkins-wholesale.uk, 1
+naplata.mk, 1
+naples.tk, 1
+naplestotalgarage.com, 1
+napnet.hu, 1
+napo.tk, 1
+napoleonoutlawed.tk, 1
+napolict.com, 1
+napolike.it, 1
+napolinissanctparts.com, 1
+napolitoday.it, 1
+napominanie.ml, 1
+napoveda.online, 1
+nappkassen.se, 1
+nappy.co, 1
+nappylaundry.ga, 1
+nappywashing.ga, 1
+naprapativast.se, 1
+naprawa-bazy-danych.pl, 1
+naprodukcji.xyz, 1
+napych.com, 1
+naql.om, 1
+naqrat.sa, 1
+naquebec.tk, 1
+nara.gov, 1
+naraboty.ga, 1
+narada.com.ua, 1
+naradiebosch.sk, 1
+naradiehusqvarna.sk, 1
+naradiemakita.sk, 1
+narafood.ro, 1
+naraku.cc, 1
+naranonsantabarbara.org, 1
+narardetval.se, 1
+narasi.tv, 1
+narayanahealth.org, 1
+narazaka.net, 1
+narcissism.tk, 1
+narcocheck.com, 1
+narcoticsanonymous.tk, 1
+narda-sts.com, 1
+nardamiteq.com, 1
+nardpedro.tk, 1
+narealcomadai.com.br, 1
+narec.org, 1
+narek.tk, 1
+narela.com.mx, 0
+narenderchopra.com, 1
+narevapromotions.com, 1
+narfation.org, 1
+nargileciden.com, 1
+nargileh.nl, 1
+naric.com, 1
+narin.cf, 1
+narindal.ca, 1
+narindal.ch, 1
+naringslivsala.se, 1
+nariohtools.com, 1
+naris-grc.com, 1
+narkasa.com, 1
+narko-stop.org, 1
+narkocenter116.ru, 1
+narmafzar.tk, 1
+narmos.ch, 1
+naro.se, 1
+narodnaya-medizina.tk, 1
+narodniki.com, 1
+narodnyi-potolok.by, 1
+narodowyspispowszechny.pl, 1
+narodserial.cf, 1
+naroph.jp, 1
+naroska.name, 1
+narrativasdigitais.pt, 0
+narrative.network, 1
+narrative.org, 1
+narrenverein-wolkenschieber.de, 1
+narrow.one, 1
+narthollis.net, 1
+nartkoc.com, 1
+nartlift.com, 1
+naruchnie-chasi.com, 1
+narushil-pdd.cf, 1
+narushil-pdd.ga, 1
+narushil-pdd.gq, 1
+narushil-pdd.ml, 1
+narushil-pdd.tk, 1
+naruto-best.tk, 1
+narutodelivery.com.br, 1
+narutolimits.tk, 1
+narutoshippuden.tk, 1
+narutoshow.tk, 1
+narutouzumaki.tk, 1
+narvizit.com, 1
+nary-software.com, 1
+narzedziownia.top, 1
+nas-redes-sociais.com, 1
+nas.gov.ua, 1
+nasaacronyms.com, 1
+nasacxhacxha.org, 1
+nasarawanewsonline.com, 1
+nasavelkaceskoslovenskasvadba.eu, 1
+nasbi.pl, 1
+nascentmaker.com, 1
+naschart.com, 1
+naschenweng.info, 1
+naschenweng.me, 1
+naschtastisch.de, 1
+nascloud.be, 1
+nasdarq.com, 1
+nasecasomira.cz, 1
+nasedluhy.cz, 1
+naseehah.ga, 1
+nasehyar.ir, 1
+nash-dom.tk, 1
+nash-megagid.tk, 1
+nash-server.tk, 1
+nash-shishtavec.tk, 1
+nash2008.com, 1
+nasha-kahovka.tk, 1
+nashareklama.tk, 1
+nashc.net, 1
+nashfm.tk, 1
+nashfutbol.tk, 1
+nashidetki.tk, 1
+nashira.cz, 1
+nashjurist.tk, 1
+nashkrai.ga, 1
+nashsovetik.info, 1
+nashuaradiology.com, 1
+nashuarpc.gov, 1
+nashvillebasements.com, 1
+nashvilledowntown.com, 1
+nashvillelidsurgery.com, 1
+nashvilleplasticsurgery.com, 1
+nashvillesheriff.gov, 1
+nashwaukmn.gov, 1
+nashzhou.me, 1
+nasic-japan.com, 1
+nasilbirsite.tk, 1
+nasimblog.tk, 1
+nasimsabz.com, 1
+nasirrezazi.tk, 1
+naslovi.net, 1
+nasme.tk, 1
+nasosvdom.com, 1
+nasosvdom.com.ua, 1
+nasr.mobi, 1
+nasrabady.tk, 1
+nasrullaganjnews.tk, 1
+nassaucountyfl.gov, 1
+nassautrafficny.gov, 1
+nassconorfolk.com, 1
+nassi.me, 1
+nast.ro, 1
+nast.tk, 1
+nastationztv.com, 1
+nastjenka.tk, 1
+nastunya.tk, 1
+nastyapetrovaflorist.ru, 1
+nastycomics.eu, 1
+nastysclaw.com, 1
+nasvyazi.ga, 1
+naszymzdaniem.pl, 1
+nat-neocron.tk, 1
+nat.ac, 1
+nataez.tk, 1
+nataldigital.com, 1
+natalia-in-quebec.tk, 1
+natalia-shablo.ru, 1
+natalia-venezuela.tk, 1
+nataliaanderson.com.br, 1
+nataliapearl.com, 1
+nataliealba.net, 1
+nataliehershlag.tk, 1
+natanaelys.com, 1
+nataniel-perissier.fr, 1
+natarius.tk, 1
+natariusadvokat.ga, 1
+natasa-theodoridou.tk, 1
+natasabekvalac.tk, 1
+natasasavija.tk, 1
+nataschaskraamzorg.nl, 1
+natashacampos.com.br, 1
+natashacampos.nl, 1
+natashavaz.nl, 1
+natashki.tk, 1
+natbomusic.com, 1
+natchezss.com, 1
+natcredit.ru, 1
+nate.sh, 1
+nateandxtina.wedding, 1
+natedoss.com, 1
+nategreen.org, 0
+natehobi.com, 1
+natelefon.tk, 1
+natenom.com, 1
+natenom.de, 1
+natenom.name, 1
+natenzia.fr, 1
+nateoster.com, 1
+natera.com, 1
+nates.tk, 1
+natesigal.com, 1
+natevolker.com, 1
+natflix.ch, 1
+natgo.xyz, 1
+nathalie-guillaumin.coach, 1
+nathaliedijkxhoorn.com, 1
+nathaliedijkxhoorn.nl, 1
+nathaliesadventure.eu, 1
+nathaliesavale.com, 1
+nathalieschaos.tk, 1
+nathan.ovh, 1
+nathan2055.com, 1
+nathanaeldawe.com, 1
+nathanbarry.com, 1
+nathancrank.com, 1
+nathancuendet.ch, 1
+nathanielknight.ca, 1
+nathanielparker.com, 0
+nathanielparker.de, 0
+nathanielparker.info, 0
+nathanielparker.org, 0
+nathanielsigal.com, 1
+nathankonopinski.com, 1
+nathanmfarrugia.com, 1
+nathanphoenix.com, 1
+nathansmetana.com, 1
+nathenmaxwell.tk, 1
+nathumarket.com.br, 1
+nation.net.pk, 1
+national-anime.com, 1
+national-shitposting.agency, 1
+nationalacademic.nl, 1
+nationalaustriabank.com, 1
+nationalbank.gov, 1
+nationalbankhelp.gov, 1
+nationalbanknet.gov, 1
+nationalcybersecuritysociety.org, 1
+nationalemployertraining.co.uk, 1
+nationaleyecenter.id, 1
+nationalfleetparts.com, 1
+nationalgangcenter.gov, 1
+nationalgridrenewables.com, 1
+nationalhomequotes.com, 1
+nationaljobservice.com, 1
+nationalmall.gov, 1
+nationalmap.gov, 0
+nationalmower.com, 1
+nationalopera.ml, 1
+nationalpriorities.org, 1
+nationalresourcedirectory.gov, 1
+nationalservice.gov, 1
+nationaltestingnetwork.com, 1
+nationaltrails.ru, 1
+nationandfreedom.tk, 1
+nationslending.com, 1
+nationsreportcard.gov, 1
+nationwide.com, 1
+nationwideadvisory.com, 1
+nationx.tk, 1
+nativalab.com, 1
+native2ascii.net, 1
+nativemeadowshoney.com, 1
+nativemusicrecords.cf, 1
+nativeonestop.gov, 1
+nativeproductions.ml, 1
+natives-team.ch, 0
+nativetitle.org.au, 1
+nativitychurchnj.org, 1
+nativitynj.org, 1
+natlec.ch, 1
+natlec.com, 1
+natmal.net, 1
+nato-stamps.tk, 1
+natreningu.net, 1
+natrespro.com, 1
+natronaincident.gov, 1
+natronasheriff.gov, 1
+natropie.pl, 1
+nats-flop.tk, 1
+natty.sh, 1
+natualsmoke.com, 1
+natuerlichabnehmen.ch, 1
+natunion.ga, 1
+natur-care.com, 1
+natur-plus.tk, 1
+natur-seele.de, 1
+natur-udvar.hu, 1
+natur-und-kultur.de, 1
+natur.com, 1
+natura-sense.com, 1
+natura2000.tk, 1
+naturabuy.fr, 1
+naturalbadbreathcures.com, 1
+naturalbladdercontrol.tk, 1
+naturalcosmetics.cf, 1
+naturaldisasters.tk, 1
+naturalflowerpower.com, 1
+naturalhealingguides.com, 1
+naturalkitchen.co.uk, 1
+naturallychildled.com, 1
+naturallygood4u.com, 1
+naturallyuncommon.com, 1
+naturalmentesinescuela.com, 1
+naturalprobiotica.com, 1
+naturalreaders.com, 1
+naturalresources.wales, 1
+naturalstyle.tk, 1
+naturalwellnesssolutions.org, 1
+naturana.news, 1
+naturaprint.fr, 1
+naturart.pt, 1
+nature-avenue.com, 1
+natureandculture.org, 0
+natureclaim.com, 1
+naturedao.hk, 1
+natureexplorer.is, 1
+natureisland.tk, 1
+naturel.tk, 1
+natureleafmarket.co.uk, 1
+naturelife.bg, 1
+naturelk.org, 1
+naturemeadows.in, 1
+naturesbest.co.uk, 1
+natureshealthandbody.com, 1
+naturesupply.eu, 1
+naturheilkunde-sabine-klein.de, 1
+naturheilpraxis-grauer.de, 1
+naturheilpraxis-oida.de, 1
+naturheilpraxis-p-grote.de, 1
+naturliga.tk, 1
+naturopath.tk, 1
+naturopatiasiddharta.com, 1
+naturparadies-rheinauen.de, 1
+naturschutz-holderbank.ch, 1
+naturvit.at, 1
+natusvita.com, 1
+natusvita.com.br, 1
+natuurinhuisheerenveen.tk, 1
+natuurkundegeflipt.nl, 1
+natuurlijk.tk, 1
+natuurlijkehaarkleuring.nl, 1
+natuurophaarmooist.nl, 1
+natviehealthcare.com, 1
+natwest.com, 1
+natwestbusinesshub.com, 1
+natwestgroup.com, 1
+natwestinternational.com, 1
+naucountry.com, 1
+naude.co, 1
+naufalpanjwani.com, 1
+naughty.audio, 1
+naughtydog.com, 1
+nauris.fi, 1
+nauseainthemorning.ml, 1
+nausicaahotel.it, 1
+naut.ca, 1
+nautholl.is, 1
+nautiboat.it, 1
+nauticlink.com, 1
+nautika.tk, 1
+nautiljon.com, 1
+nautiluslabs.com, 1
+nautilusoceanica.com, 1
+nautours.de, 1
+nautsch.de, 1
+nauz-art.com, 1
+nav.no, 1
+nava.org, 1
+navadebejar.tk, 1
+navajasdesupervivencia.es, 1
+navajocountysheriff.gov, 1
+navalarchitect.tk, 1
+navalkejigo.tk, 1
+navaneethnagesh.com, 1
+navarrete.tk, 1
+navasoft.com.tr, 1
+naveengranites.com, 1
+navegantesdelcosmos.ec, 1
+navegarea.tk, 1
+naveka.ga, 1
+navenlle.com, 1
+naviaddress.io, 1
+navidarian.tk, 1
+navienna.com, 1
+navient.com, 1
+navigo-inc.com, 1
+navigo.cc, 1
+navigo.global, 1
+navinka.com, 1
+navionhcs.com, 1
+navirefi.com, 1
+naviteq.eu, 1
+navkor.tk, 1
+navlnachekg.cz, 1
+navnet.ml, 1
+navoiyrapmafia.tk, 1
+navoto.com, 1
+navstevnik.sk, 1
+navycs.com, 1
+navyfederal.org, 1
+nawaf-blog.com, 1
+nawasyo.co.jp, 1
+nawdar.tk, 1
+nawir.de, 1
+nawroth.info, 1
+nawt.pl, 1
+nax.io, 0
+naxcivan.tk, 1
+naxe.lv, 1
+naxsnaps.co.uk, 1
+nayanaas.com, 1
+nayankasturi.eu.org, 1
+nayapakistan.tk, 1
+nayatel.com, 1
+nayefalebrahim.com, 1
+naymai.com, 1
+nayna.tk, 1
+nayr.us, 1
+naz-sciaves.eu, 1
+nazarenohuelva.tk, 1
+nazarenoviso.tk, 1
+nazbol.tk, 1
+nazevfirmy.cz, 1
+nazimogluinsaat.com, 1
+nazmulislam.cf, 1
+nazuna.blue, 1
+nb.mba, 1
+nb.zone, 1
+nb6.de, 1
+nba-2k.com, 1
+nba-croatia.com, 0
+nba.christmas, 1
+nba.com.de, 1
+nba.de.com, 1
+nba.download, 1
+nba.gd, 1
+nba.gs, 1
+nba.gy, 1
+nba.hosting, 1
+nba.im, 1
+nba.live, 1
+nba.lu, 1
+nba.moe, 1
+nba.trade, 1
+nba.vc, 1
+nba.vg, 1
+nba2.com, 1
+nba2k.blog, 1
+nba2k.cc, 1
+nba2k.co, 1
+nba2k.download, 1
+nba2k.live, 1
+nba2k.net, 1
+nba2k.tw, 1
+nba2kcn.com, 1
+nba2kmods.com, 1
+nba2kmt.com, 1
+nba2kmy.team, 1
+nba2kol.com, 1
+nba2konline.com, 1
+nba2konlinex.com, 1
+nba2kqq.com, 1
+nba2kx.com, 1
+nbaac.org, 1
+nbadancers.com, 1
+nbadao.com, 1
+nbade.com, 1
+nbafile.com, 1
+nbagirls.com, 1
+nbaim.com, 1
+nbaimg.com, 1
+nbalivecn.com, 1
+nbalivex.com, 1
+nbao.ca, 1
+nbaot.org, 1
+nbapc.org, 1
+nbapwned.com, 1
+nbari.com, 1
+nbask.com, 1
+nbasky.com, 1
+nbaspot.com, 1
+nbavc.com, 1
+nbavg.com, 1
+nbayouxi.com, 1
+nbc.com.tr, 1
+nbc26.com, 1
+nbf.ae, 1
+nbfl.gov, 1
+nbg.mobi, 1
+nbgrp.org, 1
+nbhwj.com, 1
+nbib.gov, 1
+nbios.net, 1
+nbis.gov, 1
+nbl-forklift.com, 1
+nbm.gov, 1
+nbotvinnik.com, 1
+nbr.uno, 1
+nbrain.de, 1
+nbriresearch.com, 1
+nbrown.us, 1
+nbtc.com, 1
+nbwp.uk, 1
+nbx.com, 1
+nc-beautypro.fr, 1
+nc-formation.fr, 1
+nc-network.io, 1
+nc3rs.org.uk, 1
+ncadc.org, 1
+ncalculators.com, 1
+ncamarquee.co.uk, 1
+ncarmine.com, 1
+ncascade.com, 1
+ncastillo.xyz, 1
+ncat.tokyo, 1
+ncauditor.gov, 1
+ncbham.be, 1
+ncbon.gov, 1
+ncc-efm.com, 1
+ncc-efm.org, 1
+ncc-qualityandsafety.org, 1
+nccauto.gov.in, 1
+ncceh.ca, 1
+nccemail.net, 1
+ncchd.go.jp, 1
+nccny.com, 1
+nccoe.org, 1
+nccpa.net, 1
+ncdc.pt, 1
+ncdpi.gov, 1
+ncdwlq.space, 1
+ncea.net.au, 1
+nceahelp.com, 1
+ncedcloud.gov, 1
+ncegs.sk, 1
+ncem.gov, 1
+ncfireca.gov, 1
+ncgaming.gov, 1
+nch.com, 1
+nchaf-dynamic.gov, 1
+nchaf-static.gov, 1
+nchaf.gov, 1
+nchangfong.com, 0
+nchomeownerassistance.gov, 1
+nchrd.org, 1
+nci.com.es, 1
+nci.systems, 1
+ncic.gg, 1
+ncig.com.au, 1
+ncionline.co.uk, 1
+ncjdigital.com, 1
+ncjrs.gov, 1
+ncksrv.com, 1
+ncksrv.email, 1
+ncksrv.eu, 1
+ncksrv.net, 1
+ncksrv.nl, 1
+ncksrv.org, 1
+nclea.gov, 1
+nclf.net, 0
+ncli-design.com, 1
+ncloud.freeddns.org, 1
+ncmc.me, 1
+ncmedicaidplan.gov, 1
+ncmedicaidplans.gov, 1
+ncmms.gov, 1
+ncncs.com, 1
+ncommenuptial.tk, 1
+ncosc.gov, 1
+ncpc.gov, 1
+ncpimd001.spdns.de, 1
+ncpublichealth.info, 1
+ncpw.gov, 1
+ncr.pub, 1
+ncrjobs.in, 1
+ncrpay.com, 1
+ncrypt.ai, 1
+ncrypt.at, 1
+ncs-cleaning.dk, 1
+ncsbadvisors.gov, 1
+ncsbe-apps.gov, 1
+ncsc.gov.uk, 1
+ncsccs.com, 1
+ncshp.gov, 1
+ncsis.gov, 1
+ncsparta.gov, 1
+ncswa-nm.org, 1
+ncswboard.gov, 1
+nctu.moe, 1
+nctx.co.uk, 1
+ncua.gov, 1
+ncuc.gov, 1
+ncvps.gov, 1
+ndaal.eu, 1
+ndaccount.com, 1
+ndarville.com, 1
+ndbilje.si, 0
+ndcpolipak.com, 1
+ndd.govt.nz, 1
+ndeb-bned.ca, 1
+ndev.tk, 1
+ndhhs.gov, 1
+ndhlink.com, 1
+ndiama.eu.org, 1
+ndigen.com, 1
+ndisreview.gov.au, 1
+ndlegis.gov, 1
+ndlegistest.gov, 1
+ndmath.club, 1
+ndns.ga, 1
+ndpbrn-research.org, 1
+ndpigskin.com, 1
+ndplumbingboard.gov, 1
+ndq.be, 1
+ndrew.me, 1
+nds-helicopter.de, 1
+nds-online.ru, 1
+ndscreening.com, 1
+ndtblog.com, 1
+ndum.ch, 1
+ndvlaw.com, 1
+ndvr.com, 1
+ndx.ee, 1
+ndxinfo.eti.br, 1
+ndy.sex, 1
+ne-on.org, 1
+ne.ax, 1
+nea.gov, 1
+nealvorusphd.com, 1
+neanderthalia.tk, 1
+neapi.com, 1
+nearbi.com.mx, 1
+nearby.in.th, 1
+nearestbusiness.com, 1
+nearlist.com, 1
+nearnorthcustoms.biz, 1
+nearnorthcustoms.co, 1
+nearnorthcustoms.com, 1
+nearnorthcustomsus.com, 1
+nearnorthmassage.com, 1
+nearnorthus.com, 1
+neartothesky.com, 1
+neasahourigan.com, 0
+neatful.eu.org, 1
+neath-afan-gymnastics.com, 1
+neatlife.co.uk, 1
+neatnestsdesign.com, 1
+neatnestsorganizing.com, 1
+neatous.cz, 1
+neatous.net, 1
+neatsvor.at, 1
+neatsvor.lt, 1
+neauviachannel.com, 1
+neave.tv, 1
+neawth.com, 1
+neaz.tk, 1
+neb.li, 1
+neba.io, 1
+nebeauty.it, 1
+nebebra.stream, 1
+nebelhauch.de, 1
+nebenan.de, 1
+nebenbeiblog.ch, 1
+nebix.tk, 1
+nebohost.tk, 1
+neboley.cf, 1
+nebra.io, 1
+nebraskadrypeas.gov, 1
+nebraskajudicial.gov, 1
+nebraskaresearch2.gov, 1
+nebraskawheat.gov, 1
+nebucadnezzer.tk, 1
+nebulae.co, 1
+nebulise.com, 1
+necd.me, 1
+necio.ca, 1
+neckbeard.xyz, 1
+necord.com, 1
+necretro.org, 1
+necromantia.tk, 1
+necronaut.tk, 1
+necronomusick.tk, 1
+necropolis-online.tk, 1
+necta.go.tz, 0
+nectere.ca, 1
+nectir-staging.com, 1
+nectir.co, 1
+necycvet.ru, 0
+nedapflux.com, 1
+nedcdata.org, 1
+nedcv-preview.nl, 1
+nedcv.nl, 1
+nedela.tk, 1
+nedemek.com.tr, 1
+nederbetuwe.nl, 0
+nederlandmobiel.nl, 1
+nederlands-vastgoedfonds.nl, 1
+nederlandse-modelspoor-database.nl, 1
+nederlandwereldwijd.nl, 1
+nedermisp.nl, 1
+nedhome.ml, 1
+nedim-accueil.fr, 1
+nedimon.gq, 1
+nedir.help, 1
+nednex.com, 1
+nedviga.gq, 1
+nedviga.tk, 1
+nedvizhimost.tk, 1
+nedvizhimostthailand.ml, 1
+nedvrf.ru, 1
+nedzadalibegovic.com, 1
+neecist.org, 1
+needfire.ga, 1
+needflare.com, 1
+needing.cf, 1
+needle-demo.azurewebsites.net, 1
+needle.net.nz, 1
+needle.nz, 1
+needme.com, 1
+needmytranscript.com, 1
+needrom.com, 1
+needsth.top, 1
+neeerd.org, 1
+neel.ch, 1
+neemo.nz, 1
+neenahwi.gov, 1
+neenan.com, 1
+neero.fr, 1
+nees.ga, 1
+neesoft.com, 1
+neesousunebonneetoile.ca, 1
+neet-investor.biz, 1
+neetflix.net, 1
+neetze-ferienwohnung.de, 1
+neev.tech, 0
+nefald.fr, 0
+nefertitis.cz, 0
+neff-pressen.de, 1
+nefit-bosch.nl, 1
+nefro-cme.de, 1
+nefthy.de, 1
+neftis.es, 1
+neg9.org, 0
+negabarit.tk, 1
+negai.moe, 0
+negativecrestinegratuite.tk, 1
+negativecurvature.net, 1
+negativeentropy.org, 1
+negativex.gq, 1
+neglected.space, 1
+neglecteddiseases.gov, 1
+negocieipanema.com.br, 1
+negociemos.com.co, 1
+negociequintoandar.com.br, 1
+negocios-imatore.com, 1
+negociosparaoptimistas.com, 1
+negociosurbanos.net, 1
+negoya-shokai.info, 1
+negozimoda.it, 1
+negoziointimo.com, 1
+negr.gay, 1
+negr.tv, 1
+negrete.tk, 1
+negril.com, 0
+neh.gov, 1
+nehalem.gov, 1
+neheim-huesten.de, 1
+nehmer.net, 1
+nehnutelnosti.io, 1
+nehoupat.cz, 1
+nehrp.gov, 1
+nehta.gov.au, 1
+nei.org, 1
+neide.ga, 1
+neighbor.co.il, 1
+neighborhood-threat.tk, 1
+neighborshop.de, 1
+neighborsunitedwilmington.org, 1
+neil-barrett.com, 1
+neil-barrett.uk, 1
+neila.tk, 1
+neilcaruana.com, 1
+neildaniels.com, 1
+neilfarrington.com, 1
+neilgaimanphilippines.tk, 1
+neilpatel.com, 1
+neilrooney.com, 1
+neilwynne.com, 1
+neilyanto.com, 1
+neimadtelliam.fr, 1
+neio.uk, 1
+neishe.net, 1
+neiu.edu, 1
+nej.dk, 0
+nejenpneu.cz, 1
+nejlevnejsi-parapety.cz, 1
+nejmaklerka.cz, 1
+nejrecept.cz, 1
+nejsvetla.cz, 1
+nekb.org, 1
+nekenieh.net, 1
+nekkit.xyz, 1
+nekljudov.ga, 1
+neko-city.tk, 1
+neko-network.tk, 1
+neko-nyan-nuko.com, 1
+neko-nyan.org, 1
+nekochan.blog, 1
+nekodex.net, 1
+nekohana-inuhana.com, 1
+nekoku.io, 1
+nekomanten.de, 1
+nekomata.tk, 1
+nekomimi.pl, 1
+nekomimirouter.com, 1
+nekomimix.net, 1
+nekomiya-sama.top, 1
+nekomoe.moe, 1
+nekondiciya.cf, 1
+nekonet.us, 1
+nekosc.com, 1
+nekox.ml, 1
+nekrasowsky.ml, 1
+nekretnine-lidl.hr, 1
+nekrylov.ee, 0
+nekrylov.org.ru, 0
+nekrylov.spb.ru, 0
+nekusoul.de, 1
+nelebaehre.de, 0
+nelefon.com, 1
+nelegal-edition.ml, 1
+nelegal-edition.tk, 1
+nelflex.com.br, 1
+nelhage.com, 1
+nelili.com, 1
+nelipak.com, 0
+nella-project.org, 1
+nellacms.org, 1
+nellafw.org, 1
+nellen.it, 1
+nellislife.marketing, 1
+nellydallois.fr, 1
+neln.jp, 1
+neln.net, 1
+nelnet.com, 1
+nelnet.net, 1
+nelnetbank.com, 1
+nelosculpteur.fr, 1
+nelson-marine.com, 0
+nelsoncountyky.gov, 1
+nelsonrecruitmentservices.co.uk, 1
+nelsonrodrigues.tk, 1
+nelsontwpoh.gov, 1
+nelsonworldwide.com, 1
+nelswong.com, 1
+nelty.be, 1
+nely.rocks, 1
+nema.gov.au, 1
+nemagiya.tk, 1
+nemahacountyne.gov, 1
+nemberone.com, 1
+nemcd.com, 1
+nemecisolutions.com, 1
+nemecl.eu, 1
+nemesisenterprises.de, 1
+nemesiz.tk, 1
+nemez.net, 1
+nemiroth.net, 1
+nemirow.tk, 1
+nemkoff.tk, 1
+nemnodes.org, 1
+nemo.run, 1
+nemo911.gov, 1
+nemokamas.tk, 1
+nemplex.com, 1
+nemplex.win, 0
+nemplex.xyz, 1
+nems.no, 0
+nemsurvey.dk, 1
+nemtilmeld.dk, 1
+nemumu.com, 1
+nemunai.re, 1
+nemyriv.tk, 1
+nemzetizaszlok.hu, 1
+nen-ga.jp, 1
+nenapu.tk, 1
+nenco.nl, 1
+nenderus.su, 1
+neneko.moe, 1
+nenkin-kikin.jp, 1
+neno.io, 1
+neo-facade.be, 1
+neo-novarion.com, 1
+neo-wave.ro, 1
+neo1.com, 1
+neo2k.dk, 0
+neo2shyalien.eu, 0
+neo4j.com, 1
+neobits.nl, 1
+neoblindados.com.br, 1
+neoblog.tk, 1
+neobt.ro, 1
+neocenter.org, 1
+neochan.net, 1
+neochan.ru, 1
+neocharge.net, 1
+neocities.org, 1
+neoclan.tk, 1
+neocyd.com, 1
+neodaedalus.com.au, 1
+neodigital.bg, 1
+neodrive.ch, 1
+neodruid.tk, 1
+neoedresources.org, 1
+neoeliteconsulting.com, 1
+neofinancial.com, 1
+neogenomics.com, 1
+neograftaustintx.com, 1
+neohu.com, 1
+neoinvestor.club, 1
+neojo.org, 1
+neoko.fr, 1
+neokobe.city, 1
+neokonmarketing.de, 1
+neolaudia.es, 1
+neolinfx.com, 1
+neolininvestment.com, 1
+neolink.com.br, 1
+neom-specificenergy.com, 1
+neom.directory, 1
+neonataleducationalresources.org, 1
+neonatalgoldenhours.org, 1
+neonbutik.com.tr, 1
+neoneuland.de, 1
+neonfestival.net, 1
+neonia.com.pl, 1
+neonigma.tk, 1
+neonknight.ch, 1
+neons.org, 1
+neontemple.net, 1
+neoone.art, 0
+neophilus.net, 1
+neopolis.gr, 1
+neopoly.com, 1
+neopoly.de, 1
+neoreflex.nz, 1
+neorsd.org, 1
+neos.co.jp, 1
+neosdesignstudio.co.uk, 1
+neosecurityteam.tk, 1
+neoshomo.gov, 1
+neosoft.hu, 1
+neosolution.ca, 1
+neossa.com, 1
+neostralis.com, 1
+neostralis.de, 1
+neostralis.net, 1
+neosys.com, 1
+neosys.eu, 1
+neot-shacked.com, 1
+neotech-solutions.com, 1
+neotiv.com, 1
+neotracker.io, 0
+neovapo.com, 1
+neoverify.com, 1
+neoverso.tk, 1
+neovote.com, 1
+neowa.tk, 1
+neowin.net, 1
+neoxcrf.com, 1
+neoz.com.br, 1
+neozeon.io, 1
+nepal-evolution.org, 0
+nepal.ga, 1
+nepalboxoffice.tk, 1
+nepalese.tk, 1
+nepali-fonts.tk, 1
+nepalsnews.tk, 1
+nepartypas.tk, 1
+nepezzano13.com, 1
+neph.social, 1
+nephelae.eu, 1
+nephelion.org, 1
+nephology.net.au, 1
+nephrogo.com, 1
+nephrogo.de, 1
+nephrogo.lt, 1
+nephrolog.lt, 1
+nephy.jp, 1
+neplatnasmlouva.cz, 1
+nepomuk-ev.de, 1
+nepovolenainternetovahazardnihra.cz, 1
+nepozitkova.cz, 1
+neppglobal.top, 1
+nepremicninar.com, 1
+nepremicnine-lidl.si, 1
+nepremicnine.click, 1
+neptun-rio.tk, 1
+neptune.lol, 1
+neptunosrefugio.tk, 1
+nepu.tk, 1
+nerba.net, 1
+nerd.gallery, 1
+nerdalert.dk, 1
+nerdaristocracy.com, 1
+nerdblog.eu, 1
+nerdbox.cc, 1
+nerdca.st, 1
+nerdgebastel.de, 1
+nerdgift.ml, 1
+nerdherd.fun, 1
+nerdherd.ovh, 1
+nerdhouse.io, 1
+nerdies24.de, 0
+nerdin.space, 1
+nerdinator.ddns.net, 1
+nerdjokes.de, 1
+nerdmind.de, 1
+nerdmovieproductions.it, 1
+nerdnet.goip.de, 1
+nerdoftheherd.com, 1
+nerdoutstudios.tv, 1
+nerdplusart.com, 1
+nerdpol.ch, 1
+nerdpol.org, 1
+nerdpress.net, 1
+nerdrush.com, 1
+nerds-gegen-stephan.de, 1
+nerds.company, 0
+nerdsin.space, 1
+nerdsonline.tk, 1
+nerdsuits.tk, 1
+nerdsweide.nl, 1
+nerdszondergrenzen.nl, 1
+nerdvault.one, 1
+nerdwallet.com, 1
+nerdydev.net, 1
+nerdyfam.tech, 1
+nerdygadgets.org, 1
+nerdyspace.net, 1
+nerfcity.tk, 1
+nerfroute.com, 1
+neri.it, 1
+nerion.tk, 1
+nerispa.it, 1
+neriumrx.com, 1
+nerja.es, 1
+nerloee.dk, 1
+neroli.bg, 1
+neroninvestment.org, 1
+neropiceno.tk, 1
+nerot.eu, 1
+neroteknik.com.tr, 1
+nerotv.live, 1
+nerpa-club.ru, 1
+nerss.ca, 1
+nertus.ua, 1
+nerull7.info, 1
+nerv.com.au, 1
+nerven.se, 1
+nervi.ga, 1
+nesabamedia.com, 1
+neseari.com, 1
+nesfb.com, 1
+nesheims.com, 1
+nesheimswaterrestoration.com, 1
+neshkorowi.gov, 1
+neshtata.bg, 1
+neskins.com, 1
+nesoddkatten.no, 1
+nesolabs.com, 1
+nesolabs.de, 1
+nespim.tk, 1
+nespresso.vn, 1
+ness.sh, 1
+nessaesthetics.com, 1
+nesscitycatholic.org, 1
+nesstormented.tk, 1
+nestas.eu, 1
+nestbynature.com, 1
+nesterov.pw, 1
+nestetic.com, 1
+nestforms.com, 1
+nestinvest.com, 1
+nestlanddesign.com, 1
+nestlein.de, 1
+nestone.ru, 1
+nestra.tk, 1
+nestreeo.com, 1
+neswblogs.com, 1
+neswec.org.uk, 1
+net-abuse.email, 1
+net-combo-ja.com, 1
+net-file.tk, 1
+net-news.gq, 1
+net-provider.cloud, 1
+net-safe.info, 1
+net-script.tk, 1
+net-service.cz, 1
+net.nl.eu.org, 1
+net2ftp.com, 1
+net4you.net, 1
+netaap.nl, 1
+netamia.com, 1
+netanin.tk, 1
+netape.nl, 1
+netapps.de, 1
+netba.net, 1
+netbank.com.au, 1
+netbasequid.com, 0
+netbeacon.de, 1
+netbears.com, 1
+netbears.ro, 1
+netbeyond.de, 1
+netbird.tk, 1
+netbit.com.br, 1
+netbows.com, 1
+netbows.es, 1
+netbox.org, 1
+netbrewventures.com, 1
+netbrief.ml, 1
+netbulls.io, 1
+netbuzz.ru, 1
+netcake.in, 1
+netcapital.com, 1
+netcd.tk, 1
+netcenteret.tk, 1
+netchameleon.com, 1
+netcitadel.com, 1
+netcitycheb.ru, 1
+netco-group.de, 1
+netco-privacy.de, 1
+netco-system.de, 1
+netcoolusers.org, 1
+netcoresmartech.com, 1
+netcost-security.fr, 1
+netcrew.de, 1
+netculturejokes.tk, 1
+netd.at, 1
+netdego.jp, 1
+netdex.co, 1
+netdiode.com, 1
+netdiode.eu, 1
+netdiode.net, 1
+netdiode.org, 1
+netdir.tk, 1
+netdisk.io, 1
+netdnstrace1.com, 1
+netdox.asia, 1
+netdox.de, 1
+netducks.com, 1
+netducks.space, 1
+netdude.tk, 1
+netelite.tk, 1
+netera.se, 1
+neteraser.de, 1
+neteye.ru, 1
+netfabb.com, 1
+netface.com.br, 1
+netferie.de, 1
+netferie.dk, 1
+netferie.no, 1
+netfiles.de, 1
+netfirmtextile.com, 1
+netflowanalysissolution.com, 1
+netflowanalysissolutions.com, 1
+netflowcalculator.com, 1
+netflowcollector.com, 1
+netflowknight.com, 1
+netflowknights.com, 1
+netflowreplicator.com, 1
+netflowsword.com, 1
+netflowtoday.com, 1
+netflowtrafficanalysis.net, 1
+netfog.de, 1
+netfolio.pt, 1
+netforall.tk, 1
+netfoundry.io, 1
+netfreedom.tk, 1
+netfs.pl, 1
+netfuture.ch, 1
+netgaming.de, 1
+netgenetiqs.de, 1
+netgroup.dk, 1
+netguide.co.nz, 1
+nethack.ninja, 1
+nethackwiki.com, 1
+nethask.ru, 1
+nethead.at, 1
+netheadsonair.com, 1
+nethealth.cf, 1
+nethealth.ga, 1
+nethealth.tk, 1
+netherite.gg, 1
+netherlandstypography.nl, 1
+netherlandsworldwide.nl, 1
+nethernet.nl.eu.org, 0
+nethorizon.pl, 1
+nethound.ga, 1
+nethouse.se, 1
+nethruster.com, 0
+nethui.nz, 1
+nethunter.top, 1
+netica.fr, 0
+netig.net, 1
+netim.pl, 1
+netipbox.com, 1
+netjobz.tk, 1
+netkappa.gr, 1
+netkigestioncomercial.com, 1
+netkimonos.com.br, 1
+netkolik.org, 1
+netla.tk, 1
+netlab.my.id, 1
+netleaf.ca, 1
+netlentes.com.br, 1
+netletic.com, 1
+netlevel.ga, 1
+netlify.com, 1
+netlocal.ru, 1
+netmaddy.com, 1
+netmagellan.com, 1
+netmagicas.com.br, 1
+netmajstor.eu, 1
+netmania.tk, 1
+netmedia.tk, 1
+netmedicaitalia.it, 1
+netmeister.org, 1
+netmouse.tk, 1
+netmt.de, 1
+netnea.com, 1
+netnl.eu, 1
+netoborona.tk, 1
+netobur.net, 1
+netolink.co.il, 1
+netolink.com, 1
+netor.ga, 1
+netpatient.dk, 1
+netpenge.tk, 1
+netpreneur.co.za, 1
+netprepare.com, 1
+netprofile.com.au, 0
+netrabota.tk, 1
+netracks.ga, 1
+netradyne.com, 1
+netraising.com, 1
+netrecruituk.co.uk, 1
+netreputation.com, 1
+netresec.com, 1
+netreviews.tk, 1
+netrewrite.com, 1
+netrino.be, 1
+netrino.info, 1
+netrino.io, 1
+netrix.de, 1
+netrogue.ninja, 1
+netronix.be, 1
+netrunner.xyz, 1
+nets.com.sg, 1
+netschool.tk, 1
+netsearch.ga, 1
+netsec.cloud, 1
+netsecma.com, 1
+netshopgarden.com.br, 1
+netsite.dk, 1
+netslum.tk, 1
+netsoftit.com, 1
+netsoins.org, 1
+netsparker.com.tr, 0
+netspeedia.net, 1
+netsphere.cloud, 1
+netsphere.cz, 1
+netstjernen.dk, 1
+netstrategy.it, 1
+netsyms.com, 1
+netsystems.pro, 1
+nettamente.com, 1
+nette.org, 1
+nettegeschenke.de, 1
+netter.co.id, 1
+nettgiro.no, 1
+nettia.fi, 0
+nettiger.tk, 1
+nettikasino.top, 1
+nettikasino247.com, 1
+nettiruletti.ga, 1
+nettiruletti.tk, 1
+nettletonms.gov, 1
+nettools.link, 1
+nettoptangida.com, 1
+nettoyage-apres-deces-crime.fr, 1
+nettoyage-hotte-restaurant.net, 1
+nettoyage-syndrome-de-diogene.fr, 1
+nettoyage.email, 1
+nettoyeurtombe.fr, 1
+nettruepro.com, 1
+nettunoguide.dk, 1
+nettx.co.uk, 1
+nettype.ca, 1
+netu.ro, 1
+netube.org, 1
+netunia.org, 1
+netvizura.co.uk, 1
+netvlies.nl, 0
+netvpn.ml, 1
+netvpn.net, 1
+netwarc.eu, 1
+netwarc.nl, 1
+netwatch.me, 1
+netwave.pl, 1
+netwerkgeneeskunde.nl, 1
+netwerkmediawijsheid.nl, 1
+netwerkstoom.nl, 1
+netwidow.com, 1
+netwire-solutions.com, 1
+netwire.tk, 1
+networg.cz, 1
+networg.pl, 1
+network-au-qa-api.azurewebsites.net, 1
+network-midlands.co.uk, 1
+network-midlands.uk, 1
+network-wr.tk, 1
+network.ae, 0
+network23.nl, 1
+networkarena.tk, 1
+networkcoverageplus.com, 1
+networkdiode.com, 1
+networkdiode.eu, 1
+networkdiode.net, 1
+networkdiode.org, 1
+networking-groups.co.uk, 1
+networking4all.com, 1
+networkingnexus.net, 1
+networkingwithfish.com, 1
+networkinternetmonitor.com, 1
+networklessons.com, 1
+networkmas.com, 1
+networkmidlands.co.uk, 1
+networkmidlands.uk, 1
+networkmon.net, 1
+networkperformancemonitoring.net, 1
+networkposting.com, 1
+networksec.info, 1
+networksecuritysolutions.info, 1
+networksolutionsconsultant.com, 1
+networkthreatdetection.com, 1
+networkthreatprotection.com, 1
+networktools.tk, 1
+networktrafficanalysis.net, 1
+networktrafficanalyzer.net, 1
+networktrafficmonitoring.net, 1
+networkuser.de, 1
+networld.to, 1
+networth.at, 1
+networthpal.com, 1
+networthtracker.xyz, 1
+networx-online.de, 1
+netz-noe.at, 1
+netz0.com, 1
+netzabfragen.de, 1
+netzagentur.at, 1
+netzen.tk, 1
+netzer.ml, 1
+netzfabrik.com, 1
+netzfrauen.org, 1
+netzona.org, 1
+netzpolitik.org, 1
+netzquelle.net, 1
+netzsv.website, 1
+netztest.at, 1
+netzvieh.de, 1
+netzwerk-kinderschutz-msh.de, 1
+netzwerk-kvp.de, 1
+netzwerk-lq.com, 1
+netzwerk-sozialliberal.de, 1
+netzwerkwerk.de, 1
+netzwolf.info, 1
+neuber-it.de, 1
+neuber.uno, 1
+neubr.de, 1
+neuca24.pl, 1
+neuch.info, 0
+neue-energien.tk, 1
+neuelandschaft-welzow.de, 1
+neuf-chateaux.com, 1
+neuhaus-city.de, 1
+neukoppel.de, 1
+neuland.technology, 1
+neumanncontractors.com.au, 1
+neumanndredging.com.au, 1
+neumannindustrialcoatings.com.au, 1
+neumarkcb.com, 1
+neumaticar.cl, 0
+neumond.de, 1
+neurabyte.com, 1
+neuraclix.com, 1
+neuralink.com, 1
+neuralkids.org, 1
+neureichenau.de, 1
+neurexcellence.com, 1
+neurido.net, 1
+neurobiology.com, 1
+neurochip.co.uk, 1
+neurochirurgie-hamborn.de, 1
+neurocny.cloud, 1
+neurococi.org, 1
+neurococi.ro, 1
+neurodiversum.space, 1
+neuroethics.com, 1
+neurogroove.info, 1
+neurohouse.com.br, 1
+neurojournal.ru, 1
+neurologia.tk, 1
+neurologie.tk, 1
+neurologysantamonica.com, 1
+neuron22.ru, 1
+neurontinprice.ga, 1
+neuronus.com.br, 1
+neuropharmacology.com, 1
+neurophysiotherapy.ga, 1
+neuropsychologisthouston.com, 1
+neurosurgeryinmexico.com, 1
+neuroticosanonimos.tk, 1
+neuroticpoets.com, 1
+neurotransmitter.net, 1
+neurozentrum-zentralschweiz.ch, 1
+neustadt-keller.de, 1
+neustadtguides.de, 1
+neuteleers.tk, 1
+neutrino.eu.org, 1
+neutron.ch, 1
+neutronfire.com, 1
+nev.si, 1
+neva-star.ml, 1
+neva.li, 1
+nevadacountyca.gov, 1
+nevadafiber.com, 1
+nevadafiber.net, 1
+nevadamentalhealth.com, 1
+nevam.cf, 1
+neve.in.ua, 1
+never-afk.de, 0
+never-mind.tk, 1
+never-more.tk, 1
+never.pet, 1
+neveraquemola.ml, 1
+neverasquemola.ml, 1
+neverendingrejection.tk, 1
+nevergirl.tk, 1
+nevergonnatouchit.tk, 1
+nevergreen.io, 1
+neverhood-tv.tk, 1
+neverland.link, 1
+neverlandindonesia.com, 1
+neverlant.com, 1
+neverlant.org, 1
+neverness.tk, 1
+nevers.fr, 1
+neversayretired.in, 0
+neverwasinparis.com, 1
+nevi.nl, 1
+nevida.ir, 1
+nevim-co-varit.cz, 1
+nevivur.net, 1
+nevntech.com, 1
+nevocloud.com, 1
+nevolution.me, 1
+nevoxo.com, 0
+nevrodiversitet.no, 1
+nevski.eu, 1
+nevychova.cz, 1
+new, 1
+new-1xbet.com, 1
+new-black-order.com, 1
+new-boiler-prices.co.uk, 1
+new-jersey-online-casinos.com, 1
+new-medic.com, 1
+new-mexico-sexcams.com, 1
+new-pornvideos.com, 1
+new-smile.cf, 1
+new-standart.tk, 1
+new-tuning.tk, 1
+new-vip.com, 1
+new-vip1.com, 1
+new-vvip.com, 1
+new-way.ml, 1
+new-web-studio.com, 1
+new-zone.tk, 1
+new10.com, 1
+newage.bg, 1
+newagehoops.com, 1
+newalbanyohio.gov, 1
+newalive.net, 1
+newamericanagent.com, 1
+newamericanfunding.com, 1
+newannual.com, 1
+newantiagingcreams.com, 1
+newapparatus.com, 0
+newarkca.gov, 1
+newarkohio.gov, 1
+newarkwi.gov, 1
+newasa.ga, 1
+newasianbistro.com, 1
+newaygo.gov, 1
+newaygocountymi.gov, 1
+newbabylon.tk, 1
+newbackup.ml, 1
+newbasemedia.us, 1
+newberlinwi.gov, 1
+newberrycounty.gov, 1
+newberryfl.gov, 1
+newbies.tk, 1
+newbietech.cn, 0
+newblogr.com, 1
+newboldwi.gov, 1
+newbownerton.xyz, 1
+newbraunfels.gov, 1
+newbrest.tk, 1
+newbrightonresidents.org.nz, 1
+newbronze.com.br, 1
+newbrunswick.today, 1
+newbrunswickonlinedivorce.com, 1
+newbrunswicktoday.com, 1
+newbss.co.uk, 1
+newbuilding.tk, 1
+newburybouncycastles.co.uk, 1
+newburyparkelectric.com, 1
+newburyparkelectrical.com, 1
+newburyparkelectrician.com, 1
+newburyparkexteriorlighting.com, 1
+newburyparklandscapelighting.com, 1
+newburyparkoutdoorlighting.com, 1
+newburyportma.gov, 1
+newcab.de, 0
+newcapitaldev.com, 1
+newcarlisleohio.gov, 1
+newcars.tk, 1
+newcasinos-au.com, 1
+newcasinos-ca.com, 1
+newcastlemoneyman.com, 1
+newcastleok.gov, 1
+newcc.gov, 1
+newchance.store, 1
+newchapter.com, 1
+newcharmed.tk, 1
+newchester.gov, 1
+newchoicesspb.ru, 1
+newcityinfo.ch, 0
+newcityinfo.info, 1
+newcitystudio.ch, 0
+newcoincasino.com, 1
+newcoly.com, 1
+newcombny.gov, 1
+newconcept.tk, 1
+newcontext.com, 1
+newcreamforface.com, 1
+newcreationperso.com.br, 1
+newcurve.tk, 1
+newday.host, 1
+newdaychristian.com, 1
+newdayproperties.com, 1
+newdayrecordlabel.com, 1
+newdecortrends.com, 1
+newdenversurvivors.tk, 1
+newdietandexercises.tk, 1
+newdimensioninterlock.com, 0
+newdirectionsolar.com.au, 1
+newdunite.com, 1
+newdurhamnh.gov, 1
+newedgeink.ca, 1
+newemage.com.mx, 1
+newendsoft.com, 0
+newengineer.com, 1
+newenglandradioforum.tk, 1
+newenglandworkinjury.com, 1
+newfacialbeautycream.com, 1
+newfairfieldct.gov, 1
+newfangledscoop.com, 1
+newfield-ext.co.jp, 1
+newfiepedia.ca, 1
+newflavor.design, 1
+newfld.com, 1
+newforex.ml, 1
+newforms.nl, 1
+newfoundland-labradorflora.ca, 1
+newfoundlandlabrador.com, 1
+newgarden.tk, 1
+newgardenfarms.org, 1
+newglarusvillagewi.gov, 1
+newgle.xyz, 1
+newgrowbook.com, 0
+newguidance.ch, 0
+newhamyoungbloods.co.uk, 1
+newhavenshiami.gov, 1
+newholland.tk, 1
+newhomedesign.tk, 1
+newhopeplacement.com, 1
+newhoperailroad.com, 1
+newillusion.tk, 1
+newind.info, 1
+newinf.at, 1
+newingtonnhpolice.gov, 1
+newinsane.info, 1
+newipswichnh.gov, 1
+newjerseyvideography.com, 1
+newkaliningrad.ru, 1
+newlands-fasteners.com.au, 1
+newlegalsteroid.com, 1
+newlifebathrooms.com.au, 1
+newlifefund.org, 1
+newlight.net.br, 1
+newlondonhospital.org, 1
+newlovers.ga, 1
+newlovers.gq, 1
+newlynamed.com, 1
+newlytricks.ml, 1
+newmadridcountymo.gov, 1
+newman.ga, 1
+newmansown.co.uk, 1
+newmap.nl.eu.org, 1
+newmarketbouncycastlehire.co.uk, 1
+newmatworld.com, 1
+newmed.com.br, 1
+newmedia.gotdns.com, 1
+newmediaone.net, 1
+newmeproducts.com, 1
+newmex.com.br, 1
+newmilfordct.gov, 1
+newmilfordnj.gov, 1
+newmusic.org, 1
+newmusicjackson.org, 1
+newmuslims.tk, 1
+newmuz.tk, 1
+newnorthfuels.ca, 1
+newnorthfuels.com, 1
+newodesign.com, 1
+newoho.com, 1
+newoldboughtsold.com, 1
+newoldstock.uk, 1
+newonlineroad.com, 1
+neworiflame.tk, 1
+newosis.life, 1
+newpad.de, 1
+newparadigmventures.net, 0
+newparrot.tk, 1
+newphysics.fi, 1
+newplxx.gotdns.com, 1
+newplxx.online, 1
+newpointeg.com, 1
+newportbus.co.uk, 1
+newporthomehealth.com, 1
+newportit.com, 1
+newportri.gov, 1
+newposts.ru, 1
+newpraguemn.gov, 1
+newpress24.tk, 1
+newquilters.com, 1
+newreleases.io, 1
+newrelic.com, 1
+newreop.com, 1
+news-and-blogs.tk, 1
+news-club.tk, 1
+news-novoros.cf, 1
+news-of-russia.gq, 1
+news-offerte.com, 1
+news-police.tk, 1
+news-srilanka.tk, 1
+news-sy.cf, 1
+news-technology.ml, 1
+news-zp.tk, 1
+news.bg, 1
+news123.ga, 1
+news12elite.tk, 1
+news17.tk, 1
+news24rus.tk, 1
+news29.tk, 1
+news53today.tk, 1
+news54.tk, 1
+news5cleveland.com, 1
+news60.tk, 1
+news89.cf, 1
+news89.ga, 1
+news89.gq, 1
+newsadvance.com, 1
+newsall.gr, 1
+newsarmenia.tk, 1
+newsarticle.ml, 1
+newsasia7.com, 1
+newsauto.tk, 1
+newsbali.tk, 1
+newsbay.gr, 1
+newsbeat.kiwi, 1
+newsbes.org, 1
+newsbomba.ml, 1
+newsbusiness.cf, 1
+newscenter.gr, 1
+newscheck.tk, 1
+newschool.ie, 1
+newsclue.org, 1
+newscultural.tk, 1
+newsdiff.eu, 1
+newsdiff.nl, 1
+newsdiffs.eu, 1
+newsdiva.org, 1
+newseon.org, 1
+newserfanekeihani.tk, 1
+newserumforskin.com, 1
+newseue.com, 1
+newsfiber.org, 1
+newsfinale.com, 1
+newsforum.ml, 1
+newsforyou.cf, 1
+newsgenix.org, 1
+newsgroups.io, 1
+newsguyz.com, 1
+newshell.it, 1
+newshome.tk, 1
+newshorehamri.gov, 1
+newshour.media, 1
+newsig.com, 1
+newsignature.com, 1
+newsinfilm.com, 1
+newsinformer.ga, 1
+newsinkansas.ml, 1
+newsinpenn.ml, 1
+newsinplanet.com, 1
+newsinpolitics.ga, 1
+newsireland.tk, 1
+newsiva.org, 1
+newskinlasercenter.com, 1
+newslanka.tk, 1
+newsletteralerts.com, 1
+newsletters.gq, 1
+newslia.org, 1
+newsliner.gq, 1
+newslookup.com, 1
+newsmacro.org, 1
+newsmotor.info, 1
+newsmyth.org, 1
+newsnfl.tk, 1
+newsoul.de, 1
+newspawn.net, 1
+newsportbox.ru, 1
+newspower.ir, 1
+newspriest.com, 1
+newsprix.com, 1
+newspsychology.com, 1
+newsquare.biz, 1
+newsreach.org, 1
+newsteadccc.com.au, 1
+newstel.tk, 1
+newsthai.ml, 1
+newsticker.tk, 1
+newstj.ml, 1
+newstone-tech.com, 1
+newstraveltoday.gq, 1
+newsuk.tk, 1
+newsupdatesdaily.ga, 1
+newsuzbekistan.tk, 1
+newsvideo.tk, 1
+newsvirginian.com, 1
+newsvoice.com, 1
+newswav.com, 1
+newsweekme.com, 1
+newswired.org, 1
+newsworld247.tk, 1
+newsxp.tk, 1
+newsyclub.tk, 1
+newtambov.gq, 1
+newtambov.tk, 1
+newtech.ro, 1
+newtekstil.ga, 1
+newterritorialclaims.tk, 1
+newtlgpacks.ml, 1
+newtodrones.com, 1
+newton-circus.jp, 1
+newtoncomputing.com, 1
+newtoncountymo.gov, 1
+newtonhaus.com, 1
+newtrackon.com, 1
+newtravelplans.com, 1
+newusatoday.ga, 1
+newvehicle.com, 1
+newvisionhealing.com, 1
+newwaterford-oh.gov, 1
+newwavelinen.com, 1
+newway.ie, 1
+newwind.tk, 1
+newwise.com, 1
+newworldnewlife.tk, 1
+newxit.tk, 1
+newyearsdishes.tk, 1
+newyorkcardiac.com, 1
+newyorkcoffeejobs.com, 1
+newyorkdiscountattractions.com, 1
+newyorkland.forsale, 1
+newyorknews.tk, 1
+newyorkrp.tk, 1
+newyorktoutsimplement.com, 1
+newyoushampoo.com, 1
+newz.to, 1
+newzashitnik.tk, 1
+newzealandadventure.tk, 1
+newzealandheatpumps.co.nz, 1
+newzen.fr, 1
+newzertainment.com, 1
+newzlight.com, 1
+newzlyup.com, 1
+newzvilla.ga, 1
+nex.io, 1
+nex.li, 1
+nexcoda.io, 1
+nexd.com, 1
+nexgeneration-solutions.com, 1
+nexgenwebdesign.co.uk, 1
+nexgi.com, 1
+nexhealth.info, 1
+nexicafiles.com, 1
+nexiodev.com, 1
+nexiodevopslocal.com, 1
+nexiopay.com, 1
+nexiopaydev.com, 1
+nexiopaydevopslocal.com, 1
+nexiopaysandbox.com, 1
+nexiopaystaging.com, 1
+nexiopaystg.com, 1
+nexiosandbox.com, 1
+nexiostaging.com, 1
+nexitdata.com, 1
+nexiumgeneric.tk, 1
+nexo.games, 1
+nexon.com.au, 1
+nexril.net, 0
+nexs.gg, 1
+nexscience.tk, 1
+next-geek.fr, 1
+next-idea.co, 1
+next-level-accounting.com, 1
+next-log.ru, 0
+next-tms.com, 1
+next.me, 1
+next24.io, 1
+nextads.ch, 1
+nextbike.tk, 1
+nextcairn.com, 1
+nextcloud-alpha.ddns.net, 1
+nextcloud-miyamoto.spdns.org, 1
+nextcloud-server.spdns.de, 0
+nextcloud.co.za, 1
+nextcloud.com, 1
+nextcloud.nerdpol.ovh, 1
+nextcloudcn.com, 1
+nextclouddarwinkel.nl, 1
+nextcom.digital, 1
+nextdayoff.com, 1
+nextdayvapes.co.uk, 1
+nextedgecloud.com, 1
+nextevolution.co.uk, 1
+nextfm.tk, 1
+nextg.gg, 1
+nextgen-life-insurance.com, 1
+nextgen-wealth.com, 1
+nextgen.com, 0
+nextgen.sk, 1
+nextgenerationaccessories.com, 1
+nextgenerationaccessories.online, 1
+nextgenerationaccessories.ru, 1
+nextgenerationaccessories.store, 1
+nextgenforbbm.com, 1
+nextgenmath.com, 1
+nextgensocialnetwork.com, 1
+nextgenthemes.com, 0
+nextgreatmess.com, 1
+nexthop.co.th, 0
+nextiot.de, 1
+nextitstep.com, 1
+nextiva.com, 1
+nextlegends.gov, 1
+nextlevel-forum.de, 1
+nextlevel-it.co.uk, 1
+nextlevelchess.blog, 1
+nextlevelforum.de, 1
+nextmarkets.com, 1
+nextme.se, 1
+nextnowagency.com, 0
+nextos.com, 1
+nextrader.guru, 0
+nextrasp.it, 1
+nextrec.site, 1
+nextright.tk, 1
+nextsound.tk, 1
+nextsource.com, 1
+nextstep-labs.gr, 1
+nextstepstudios.ga, 1
+nextsulting.com, 1
+nexttv.co.il, 1
+nextus.me, 1
+nextvibration.com, 1
+nextvision.pt, 1
+nextwab.com, 1
+nextworldcoding.ga, 1
+nextzen.com.bd, 1
+nexus, 1
+nexus-start.de, 1
+nexus-vienna.at, 1
+nexusbyte.de, 1
+nexusmedianews.com, 1
+nexussystems.tk, 1
+nexwebsites.com, 1
+nexxss.jp, 1
+nexxus-sistemas.net.br, 1
+nexzcore.com, 1
+nexzus.com, 1
+neyco.fr, 1
+neyer-lorenz.de, 1
+neyjens.com, 1
+nezis.tk, 1
+nezkakukec.si, 1
+nezrouge-est-vaudois.ch, 1
+nezsultan.tk, 1
+nf-tel.com, 1
+nf9q.com, 1
+nfam.de, 1
+nfb-ec.co.za, 1
+nfb-fsg.co.za, 1
+nfb.co.za, 1
+nfbam.co.za, 1
+nfbassetmanagement.co.za, 1
+nfbct.co.za, 1
+nfbec.co.za, 1
+nfbel.co.za, 1
+nfbfsg.co.za, 1
+nfbib.co.za, 1
+nfbpe.co.za, 1
+nfbplett.co.za, 1
+nfbpwm.co.za, 1
+nfbst.co.za, 1
+nfcweb.de, 1
+nfe-elektro.de, 1
+nffpm.ae, 1
+nffs.cf, 1
+nffsimples.com.br, 1
+nfgonlineuk.tk, 1
+nfitraining.nl, 1
+nfl.ddns.net, 1
+nfl.dedyn.io, 1
+nfl.duckdns.org, 1
+nfl.zapto.org, 1
+nflchan.org, 1
+nflo.pl, 1
+nfls.io, 1
+nflsic.org, 1
+nfluence.org, 1
+nfobar.com, 1
+nfoi.pk, 1
+nforto.com, 1
+nfpors.gov, 1
+nfpsa.lv, 1
+nframe.io, 1
+nfs.pub, 1
+nfsec.pl, 1
+nft-dagasi.com, 1
+nft-dev-web.azurewebsites.net, 1
+nft-qa-web.azurewebsites.net, 1
+nft.io, 1
+nftactually.com, 1
+nftdelegation.com, 1
+nftshowroom.com, 1
+ng-musique.com, 1
+ng.edu.ee, 1
+ngarate.com, 1
+ngatikuri.tk, 1
+ngawa-avocat-paris.fr, 1
+ngbilling.com.br, 1
+ngc.gov, 0
+ngclearing.com, 0
+ngecezt.ddns.net, 1
+ngefics.tk, 1
+ngegame.id, 1
+ngelag.com, 1
+ngergs.de, 1
+ngetik.id, 1
+nggukbo9lbfadcf5.gq, 1
+nghe.net, 1
+ngi.eu, 0
+ngiemboon.net, 1
+nginx.io, 1
+nginxtest.ml, 1
+nginxyii.tk, 1
+ngla.gov, 1
+ngmisr.com, 1
+ngmx.com, 1
+ngmx.eu, 1
+ngmx.net, 1
+ngmx.nl, 1
+ngmx.org, 1
+ngmx.social, 1
+ngndn.jp, 1
+ngns.cz, 1
+ngo-online.de, 1
+ngontinhtruyen.com.vn, 1
+ngoresan.tk, 1
+ngorod.tk, 1
+ngplus.name, 1
+ngribok.ru, 1
+ngroupllc.com, 1
+ngservers.com, 0
+ngsmedicare.com, 1
+nguoimuahangmy.com, 1
+nguru.net, 1
+nguyencucthanh.com, 1
+nguyenduythiem.com, 1
+nguyenfamily.cc, 1
+nguyenfamily.tk, 1
+nguyenslist.com, 1
+nguyensuu.tk, 1
+ngvf.de, 1
+ngvgamechanger.com, 1
+ngx.hk, 1
+ngx.im, 1
+ngxmetrics.com, 1
+ngxpkg.com, 1
+nh.ee, 1
+nhacthanhcavietnam.com, 1
+nhadat100.vn, 1
+nhadonghanh.com, 1
+nhai.gov.in, 1
+nhakinh.net, 1
+nhance.pl, 1
+nhanlucnhatban.com, 1
+nharper.org, 1
+nhathaugiare.com, 1
+nhatrang.tk, 1
+nhatrangbooks.com, 1
+nhbp-nsn.gov, 1
+nhbp.gov, 1
+nhccnews.org, 1
+nhcps.com, 1
+nhdecoration.fr, 1
+nhdsilentheroes.org, 1
+nhg.nl, 1
+nhjvillalmanzo.tk, 1
+nhk.jp, 1
+nhnieuws.nl, 1
+nho.do, 1
+nhome.ba, 1
+nhr.nl, 1
+nhscript.tk, 1
+nhsolutions.be, 0
+nhsuites.com, 1
+nhtsa.gov, 1
+nhv-vintagelemans.com, 1
+ni-dieu-ni-maitre.com, 1
+ni-mate.com, 1
+ni-s.de, 1
+ni.search.yahoo.com, 0
+niaa.gov.au, 1
+niadd.com, 1
+niagara.ru, 0
+niagaraconstruction.org, 1
+niagarafalls.ca, 1
+niagaraschoice.org, 1
+niallator.com, 1
+niawier-wetsens.tk, 1
+nibadesign.nl, 1
+nibblehole.com, 1
+nibbler.ai, 1
+nibert.fr, 1
+nibiru.com.uy, 1
+nibletllc.com, 1
+nibouw.nl, 1
+nic.ads, 1
+nic.android, 1
+nic.app, 1
+nic.bnpparibas, 1
+nic.bo, 1
+nic.boo, 1
+nic.cal, 1
+nic.channel, 1
+nic.chrome, 1
+nic.dad, 1
+nic.day, 1
+nic.dclk, 1
+nic.dev, 1
+nic.docs, 1
+nic.drive, 1
+nic.eat, 1
+nic.esq, 1
+nic.fly, 1
+nic.foo, 1
+nic.gbiz, 1
+nic.gle, 1
+nic.gmail, 1
+nic.goog, 1
+nic.google, 1
+nic.gov, 1
+nic.guge, 1
+nic.hangout, 1
+nic.here, 1
+nic.how, 1
+nic.ing, 1
+nic.meet, 1
+nic.meme, 1
+nic.mov, 1
+nic.new, 1
+nic.nexus, 1
+nic.page, 1
+nic.play, 1
+nic.prod, 1
+nic.prof, 1
+nic.rsvp, 1
+nic.soy, 1
+nic.xn--q9jyb4c, 1
+nic.youtube, 1
+nic.zip, 1
+nic199.ru, 1
+nicaieri.ro, 1
+nicanordic.com, 1
+nicastrosalvatore.tk, 1
+nicat.cf, 1
+nicava.com.mx, 1
+nice-autosurf.com, 1
+nice-germany.tk, 1
+nice-links.tk, 1
+nice-pay.com, 1
+nice-school.com.ua, 1
+nice.ch, 1
+nice.com, 0
+niceactimize.com, 0
+niceb5y.net, 0
+nicecockb.ro, 1
+niceguyit.biz, 1
+nicepussypics.com, 1
+nicerings.com, 1
+nicesco.re, 1
+nicestudio.co.il, 1
+nicesurf.tk, 1
+nicetits.pics, 1
+nicevillefl.gov, 1
+nicheosala.info, 1
+nicheosala.tk, 1
+nicher.tk, 1
+nichesite.gq, 1
+nichetest.tk, 1
+nichevideogalore.com, 0
+nichi.co, 1
+nichijou.com, 1
+nichijou.org, 1
+nicholasjohnson.ch, 1
+nicholaslazzerini.com, 1
+nicholasnassar.com, 1
+nicholasquigley.com, 1
+nicholaswilliams.net, 1
+nicholsonkring.tk, 1
+nicht-blau.de, 1
+nichteinschalten.de, 0
+nichthelfer.de, 1
+nichtkunst.tk, 1
+nichya.tk, 1
+nichyaforum.tk, 1
+nicic.gov, 1
+niciunde.ro, 1
+nick-black.com, 1
+nick-slowinski.de, 0
+nick-stone.com, 1
+nickcleans.co.uk, 1
+nickcraver.com, 1
+nickfoerster.io, 1
+nickfreeman.de, 1
+nickfrost.rocks, 1
+nickguyver.com, 1
+nickhawn.com, 0
+nickhitch.co.uk, 1
+nickhowell.co.uk, 0
+nickkallis.com, 1
+nicklock.ml, 1
+nickloose.de, 1
+nickmandler.tk, 1
+nickmazuk.com, 1
+nickmchardy.com, 1
+nickmiller.ie, 1
+nickmorri.com, 0
+nickmorris.name, 0
+nicknames.tk, 1
+nicknamez.tk, 1
+nickoticko.tk, 1
+nickplotnek.co.uk, 1
+nickrickard.co.uk, 1
+nickrickard.uk, 1
+nicks-autos.com, 1
+nickscomputers.nl, 1
+nickserv.eu, 1
+nickserv.org, 1
+nickserv.social, 1
+nickserve.com, 1
+nickserve.eu, 1
+nickserve.net, 1
+nickserve.nl, 1
+nickserve.org, 1
+nickserve.social, 1
+nickstories.de, 1
+nicktamin.de, 1
+nickwasused.cf, 1
+nickwasused.de, 1
+nickwasused.ga, 1
+nickwasused.gq, 1
+nickwasused.ml, 1
+nickwasused.tk, 1
+nickwatton.com, 0
+nickyfoxx.net, 1
+nicn.me, 1
+nico.st, 1
+nicochinese.com, 1
+nicoforconi.it, 1
+nicogrosser.de, 0
+nicoknibbe.nl, 1
+nicokroon.nl, 1
+nicoladixonrealestate.com, 1
+nicolaeiotcu.ro, 1
+nicolaiteglskov.dk, 1
+nicolajanedesigns.co.uk, 1
+nicolalapenta.com, 1
+nicolaleonardi.it, 1
+nicolaottomano.it, 1
+nicolas-benoit-immobilier.fr, 1
+nicolas-bouvier.tk, 1
+nicolas-dumermuth.com, 1
+nicolas-feuillatte.com, 1
+nicolas-hoizey.com, 1
+nicolas-hoizey.photo, 0
+nicolas-simond.ch, 1
+nicolas-simond.com, 1
+nicolaschelly.tk, 1
+nicolasfrebert.fr, 1
+nicolasfriedli.ch, 1
+nicolashervaud.com, 1
+nicolasiung.me, 0
+nicolaslogerot.com, 1
+nicolasprovost.tk, 1
+nicolaszambetti.ch, 1
+nicolaw.uk, 1
+nicole-richie.info, 1
+nicolebracy.com, 1
+nicoleisaacs.com, 1
+nicolemathew.com, 1
+nicoleta-prestescu.tk, 1
+nicolettajennings.com, 1
+nicolettapallotta.com, 1
+nicolettevandervalk.nl, 0
+niconico.ooo, 1
+nicoobank.com, 1
+nicopretzl.de, 1
+nicorevin.ru, 1
+nicosaveyn.be, 1
+nicovip.com, 1
+nicsezcheckfbi.gov, 1
+nicsys.de, 1
+nictiz.nl, 1
+nicul.in, 1
+nicwortel.nl, 1
+nidhoeggr.duckdns.org, 1
+nidialozano.com, 1
+nidosi.nu, 1
+nidosinu.com, 1
+nidsuber.ch, 1
+niduxcomercial.com, 1
+nie-wieder-muede.de, 1
+niebla.com.co, 1
+niederalt.com, 1
+niedermair.bz, 1
+niederohmig.de, 1
+niedersachsen.cloud, 1
+niedlaechelt.de, 1
+nieha.us, 1
+niels-modeltog.tk, 1
+nielsbohr.ai, 1
+nielsdesign.tk, 1
+nielsensaskiagaantrouwen.be, 1
+niemaler.de, 1
+niemandmussirgendwas.de, 1
+niemeyer.org.br, 1
+nien.cf, 1
+nien.co, 1
+nien.com, 1
+nien.eu.org, 1
+nien.gq, 1
+nien.org, 1
+nien.taipei, 1
+nien.tk, 1
+nienfun.com, 1
+nienkeslop.nl, 1
+nierenpraxis-dr-merkel.de, 1
+nierenpraxis-merkel.de, 1
+niers.land, 1
+nierstichting.nl, 1
+nieselregen.com, 1
+niesstar.com, 0
+nietmvwoensel.com, 1
+nietveel.tk, 1
+nietvolgensdeboekjes.nl, 1
+nietzsche.com, 1
+nieuwebroek.com, 1
+nieuwebroek.nl, 1
+nieuwpoort.tk, 1
+nieuwsbegrip.nl, 1
+nieuwsberichten.eu, 1
+nieuwsfiets.nu, 1
+nieuwslagmaat.nl, 1
+nifc.gov, 1
+niferry.co.uk, 1
+niffler.software, 1
+nifleim.net, 1
+niflheimr.es, 1
+niftiestsoftware.com, 1
+niftyninjamarketing.com, 1
+nifume.com, 1
+niga.tk, 1
+nigdeescort.tk, 1
+nigelpentland.co.uk, 1
+nigelvm.com, 1
+nigelwright.com, 1
+nigeriaimagefoundation.org, 1
+nigeriaportal.tk, 1
+nigglipads.com.br, 1
+niggo.eu, 0
+night-academy.pl, 1
+night2stay.cn, 1
+night2stay.de, 1
+night2stay.fr, 1
+night2stay.ru, 1
+nightandthecityofbrokenpromises.tk, 1
+nightblue.ml, 1
+nightblue.tk, 1
+nightbox.cf, 1
+nightbura.biz, 1
+nightcitynews.info, 1
+nightclassifieds.com, 1
+nightdreamer.me, 1
+nightfirecat.com, 1
+nightfoxtips.com, 1
+nighthawks.tk, 1
+nighthawkstrategies.com, 1
+nightingalebabyconcierge.com, 1
+nightkiss66.org, 1
+nightlife.gent, 1
+nightlight.gg, 1
+nightlive.tk, 1
+nightmail.net, 1
+nightmareabyss.top, 0
+nightmarejoker2.com, 1
+nightmoose.org, 1
+nightoutrecords.tk, 1
+nightpass.tk, 1
+nightscapes.tk, 1
+nightscout.host, 1
+nightsi.de, 1
+nightskyalerts.com, 1
+nightsnack.cf, 1
+nightstar-online.tk, 1
+nightstory.tk, 1
+nightvisionradio.tk, 1
+nightwinds.tk, 1
+nightwishchile.tk, 1
+nightwood.cf, 1
+nigmapictures.tk, 1
+nigt.cf, 1
+nih.ao, 1
+nihaarpstars.com, 1
+nihaoonline.tk, 1
+nihilistan.tk, 1
+nihilocomunidad.tk, 1
+nihon-rosoku.com, 1
+nihseniorhealth.gov, 0
+nihtek.in, 1
+nii2.org, 1
+niice.co, 1
+niinaratsula.com, 1
+niit-mts.com, 1
+niit.com, 1
+niitfoundation.org, 1
+niitnguru.com, 1
+niituniversity.in, 1
+niituva.ga, 1
+niiu.digital, 1
+niiucapital.com.sg, 1
+nijiero-ch.com, 0
+nijikata.com, 1
+nijimama-life.com, 1
+nijm.nl, 1
+nijniy-novgorod.tk, 1
+nijofotografie.de, 1
+nijzoon.nl, 0
+nik.io, 1
+nika-travel.ga, 1
+nikabazar.ir, 1
+nikahplus.com, 1
+nikahsekeri.tk, 1
+nikami.tk, 1
+nikandcara.com, 1
+nikant.tk, 1
+nikavandenbos.nl, 1
+nikavenus.com, 1
+nike-studio.com, 1
+nikeairjordan.cc, 1
+nikelunartw.net, 1
+nikesoccerbodotoutlet.ga, 1
+nikest.cf, 1
+nikest.tk, 1
+niket.site, 1
+nikeyichinese.com, 1
+nikhilnimiya.love, 1
+nikhilramakrishnan.tk, 1
+nikimix.com, 0
+nikitacartes.xyz, 0
+nikitagukov.ru, 1
+nikitenko.tk, 1
+nikitin.photo, 1
+nikitina.ml, 1
+nikka.systems, 1
+nikkasystems.com, 1
+nikkei225jp.com, 1
+nikkila.me, 1
+nikkotaytay.tk, 1
+nikksno.io, 1
+niklas.pw, 1
+niklasbabel.com, 1
+niklashagman.se, 1
+niklasstinkt.com, 1
+niko-mapping-studio.tk, 1
+niko-vfx.com, 0
+nikodev.es, 1
+nikoflix.site, 1
+nikolaev.ml, 1
+nikolahost.tk, 1
+nikolahristov.tech, 1
+nikolai-schmidt.tk, 1
+nikolaipribylski.tk, 1
+nikolaj-platoshkin.cf, 1
+nikolajmackowski.dk, 1
+nikolamilekic.com, 1
+nikolasbradshaw.com, 1
+nikon-photocontest.com, 1
+nikoniko-dental-premium.jp, 1
+nikonlibrary.co.uk, 1
+nikonnps.co.uk, 1
+nikonschool.co.uk, 1
+nikosoikonomopoulos.tk, 1
+nikosverths.tk, 1
+nikotiinipussit.com, 1
+nikscloud.eu, 1
+nikz.in, 1
+nil.com, 1
+nil.gs, 0
+nil.mx, 1
+niledevelopmentseg.com, 1
+nilefi.cf, 1
+niles-simmons.de, 1
+niles.xyz, 1
+nilesil.gov, 1
+nilianwo.com, 1
+nilmaraquintela.com.br, 1
+nilnasc.com, 1
+nilosoft.com, 1
+niloxy.com, 1
+nilpointer.com, 1
+nilrem.org, 0
+nils.ch, 1
+nils.moe, 1
+nilsbrisset.info, 1
+nilslandscaping.com.au, 1
+nilsnet.tk, 1
+nilsvital.de, 1
+nim.tw, 1
+nimbl.nz, 1
+nimble.com.br, 1
+nimblefins.co.uk, 1
+nimbo.com.au, 1
+nimbus-link.co.uk, 1
+nimbus-net.tk, 1
+nimbuslink.co.uk, 1
+nimbyte.com, 1
+nimeia.tk, 1
+nimes-ales.fr, 1
+nimfa.ml, 1
+nimfomanki.tk, 1
+nimiedad.com, 1
+nimiq.com, 1
+nimit.se, 1
+nimnadasl.tk, 1
+nimnordic.com, 1
+nimus.tk, 1
+nina-laaf.de, 1
+nina-woerz.tk, 1
+ninaafenehjelm.com, 1
+ninadeissler.de, 1
+ninadevil.org, 1
+ninakoenig.org, 1
+ninanice.net, 1
+ninaobermeier.com, 1
+ninarocha.ch, 1
+ninasky.tk, 1
+ninasofian.ro, 1
+ninaundandre.de, 1
+ninavegas.net, 1
+ninchat.com, 1
+ninebennink.com, 0
+ninedaysmore.tk, 1
+nineenergyservice.com, 1
+ninepints.co, 1
+ninespec.com, 1
+ninetailed.ninja, 1
+ninetaillabs.com, 1
+ninetaillabs.xyz, 1
+nineteensixtyone.co.uk, 1
+ninetyninestreet.co.nz, 1
+ninetyseven.tk, 1
+ninfora.com, 1
+ningrui.me, 0
+ningunlugarestalejos.com, 1
+ningwei.net, 1
+niniko.tk, 1
+ninja-corner.tk, 1
+ninjacomputing.com, 1
+ninjahub.net, 1
+ninjamagic.tk, 1
+ninjaseo.es, 1
+ninjasquad.fr, 1
+ninjaworld.co.uk, 1
+ninkt.com, 1
+ninmegam.gq, 1
+ninnen.com, 1
+ninofink.com, 1
+ninohaslach.ch, 1
+ninoo.nl, 1
+ninovayazilim.com, 1
+ninpang.com, 1
+ninrio.com, 1
+ninsin-akachan.com, 1
+nintendo424.com, 1
+nintendocarddelivery.com, 1
+nintendocollectionsystem.com, 1
+nintendoreporters.com, 1
+ninth.cat, 1
+ninth.moe, 1
+ninth.tw, 1
+ninthc.at, 1
+ninthfloor.org, 1
+ninure.tk, 1
+ninux.ch, 0
+ninverse.com, 1
+niourk.com, 1
+nipax.cz, 1
+nipe-systems.de, 1
+nipit.biz, 1
+nipn-nutrition-platforms.org, 1
+nippel.tk, 1
+nipplefucking.com, 1
+nippon-tour.tk, 1
+nippon.plus, 1
+nipponkempoph.tk, 1
+nipponkousei.com, 1
+nipponnews.tk, 1
+nipponsteelwelding-thai.co.th, 1
+nippynet.tk, 1
+nirada.info, 1
+nirex.as, 1
+nirex.cz, 1
+nirex.sk, 1
+nirhub.ru, 1
+nirjonmela.com, 1
+nirjonmela.net, 1
+nirma.co.in, 1
+nirmalroy.ml, 1
+niro.bio, 1
+nirudo.me, 1
+nirvana-esport.fr, 1
+nirvananirvana.tk, 1
+nirvanashop.com, 1
+nirvel-shop.com, 1
+niscemi.tk, 1
+nishikino-maki.com, 1
+nishimebistro.cz, 1
+nishisbma.com, 1
+nishiwaki-shonaifoods.com, 1
+nishiyama-shoten.com, 1
+nisomnia.com, 1
+nissanofbismarckparts.com, 1
+nissanpartsdeal.com, 1
+nisselist.tk, 1
+nisselrooij.nl, 1
+nissens.com, 1
+nist.tech, 1
+nit.school, 1
+nitaonline.org, 0
+nitecore.ga, 1
+nitendaytowing.ga, 1
+nitifilter.com, 1
+nitix.games, 1
+nitolab.com, 1
+nitoville.com, 1
+nitranoviny.sk, 1
+nitro.az, 1
+nitrocloud.ddns.net, 1
+nitrohorse.com, 0
+nitrokey.com, 1
+nitromaster.tk, 1
+nitromtb.org, 1
+nitropanel.com, 0
+nitropur.com, 1
+nitropur.de, 1
+nitroupload.com, 1
+nitschinger.at, 1
+nitter.hu, 0
+nitter.net, 1
+niu.edu.tw, 1
+niuco.com.br, 1
+niunaimilk.cn, 0
+niutennici.tk, 1
+nivaad.com, 1
+nivarussia.ml, 1
+niveau-klatsch.com, 1
+niveau-texter.de, 1
+nivel03.com, 1
+nivelo.io, 1
+nivoit.cf, 1
+nix-sender.com, 1
+nix-sender.ru, 0
+nix.org.ua, 0
+nix13.xyz, 1
+nixcore.gq, 1
+nixcp.com, 1
+nixie.fashion, 1
+nixonlibrary.gov, 1
+nixor.ee, 0
+nixorigin.one, 1
+nixpare.com, 1
+nixplus.tk, 1
+nixrepair.nl, 1
+nixsub.tk, 1
+nixtest.net, 1
+nixx-gel.cz, 1
+nixx.tk, 1
+nixxin.tk, 1
+niyawe.de, 1
+niyazpoyilan.com, 0
+niyen.com, 1
+niyen.eu, 1
+niyen.net, 1
+niyen.org, 1
+niyen.social, 1
+nizarvoiceover.tk, 1
+nizhaoheng.com, 1
+nizozemsku.nl, 1
+nizwassolutions.com, 1
+nja.id.au, 1
+njast.net, 1
+njbr.ml, 1
+njbr.tk, 1
+njcareers.org, 1
+njccpo.gov, 1
+njdcj.gov, 1
+njdge.gov, 1
+njeda.gov, 1
+njedge.net, 1
+njeri.codes, 1
+njfog.org, 1
+njgames.org, 1
+njhq.org, 1
+njilc.com, 1
+njintl.com, 1
+njleg.gov, 1
+njliner.me, 1
+njliner.net, 1
+njngroup.org, 1
+njpc.org, 1
+njpjanssen.nl, 1
+njpranksters.tk, 1
+njpropertysolutionsrealty.com, 1
+njsbf.org, 1
+njsda.gov, 1
+njshield.gov, 1
+njsp.gov, 1
+njtransfer.org, 1
+njuftp.com, 1
+njvcco.gov, 1
+nk-vision.com, 1
+nk1.de, 1
+nkapliev.org, 1
+nkbi.ru, 1
+nkbwnx.com, 1
+nkg-mosbach.de, 1
+nkg.com.au, 1
+nkghas.com, 1
+nkjwmn.com, 1
+nkjwrs.com, 1
+nkkr.hu, 1
+nklwhx.com, 1
+nko.org, 1
+nkontur.com, 1
+nkorolev.tk, 1
+nkp-media.de, 1
+nkrf.no, 1
+nkrupp.net, 1
+nksmart.ru, 0
+nkvd-farm.ru, 1
+nkx4sjyrk4tcv0sluhwajyc-n6icja9gchqxmhp.com, 0
+nkyrtl.org, 1
+nl-comunistas.tk, 1
+nl-ix.net, 1
+nl.search.yahoo.com, 0
+nl3ehv.nl, 1
+nla.no, 1
+nlap.ca, 0
+nlc-business.com, 1
+nlead.gov, 1
+nllboard.co.uk, 1
+nlm.gov, 1
+nlorganizing.com, 1
+nlponline.com.ua, 1
+nlpperformance.ma, 1
+nlrb.gov, 1
+nlyfeue.gq, 1
+nm.cx, 1
+nm.sl, 1
+nma.is, 1
+nmaedu.org, 1
+nmb.gov, 1
+nmbhgc.org, 1
+nmcep.net, 0
+nmd.so, 1
+nmegent.be, 1
+nmeoverbetuwe.nl, 1
+nmfinanciallaw.com, 1
+nmhp.com, 1
+nmijudiciary.gov, 1
+nmindepth.com, 1
+nmitaylor.com, 1
+nmjusticedata.gov, 1
+nmmlp.org, 1
+nmontag.com, 1
+nms-thoracic-surgery.com, 1
+nmugroup.com, 1
+nmx.de, 1
+nmx.moe, 1
+nn-com.co.jp, 1
+nn-vol.ga, 1
+nn0.net, 1
+nn01.cc, 1
+nn01.com, 1
+nn04.org, 1
+nn5197.co, 1
+nn6729.co, 1
+nn6729.com, 1
+nn6957.co, 1
+nn9297.co, 1
+nn9728.co, 1
+nna774.net, 1
+nnas.org.uk, 1
+nnc.cat, 1
+nnc.im, 1
+nndfn.com, 1
+nnet.ca, 1
+nnews.tk, 1
+nnkkserver02.ddns.net, 1
+nnlm.gov, 1
+nnnn.loan, 1
+nnnnn.click, 1
+nnnovel.com, 1
+nnrevolt.com, 1
+nnss.gov, 1
+no-andishan.ir, 1
+no-b.kiev.ua, 1
+no-bet.ru, 1
+no-cookies.net, 1
+no-data.tk, 1
+no-dev.de, 1
+no-eye-deer.tk, 1
+no-gods-no-masters.com, 1
+no-grey-area.com, 1
+no-ice.be, 1
+no-ice.nl, 1
+no-ip.cz, 1
+no-more-gray-hair.ga, 1
+no-more-gray-hair.gq, 1
+no-more-gray-hair.ml, 1
+no-n.at, 1
+no-nat.de, 1
+no-real.tk, 1
+no-reply.mx, 1
+no-terrorism.tk, 1
+no-war-on-iraq.tk, 1
+no-xice.com, 0
+no.search.yahoo.com, 0
+no112.org, 1
+no1universities.tk, 1
+no2bacoorcityhood.tk, 1
+no34infowey.co.uk, 1
+noaccess.tk, 1
+noacore.ch, 1
+noadi-pixels.tk, 1
+noagendahr.org, 1
+noah-shop.com, 1
+noah-witt.com, 1
+noahjacobson.com, 1
+noahmodas.com.br, 1
+noahs.com, 1
+noahsaso.com, 1
+noamweb.com, 1
+noangel.tk, 1
+noart.tk, 1
+noatec.eu, 1
+noawildschut.com, 1
+noawildschut.nl, 1
+nob.ro, 1
+nobackups.com, 1
+nobasico.com.br, 1
+nobellc.com, 1
+nober.tk, 1
+nobilefoods.com, 1
+nobitschek.de, 1
+noble-diagnostic.com, 1
+noblechemical.com, 1
+nobleco.gov, 1
+noblecountyprosecutoroh.gov, 1
+noblehearinginstitute.com, 1
+nobleparkapartments.com.au, 1
+nobleproducts.biz, 1
+noblesmart.com, 1
+nobletary.com, 1
+noblogs.org, 1
+nobori.cloud, 1
+nobori.ltd, 1
+nobori.me, 1
+nobounce.me, 0
+noboxo.ch, 1
+nobreaks.ca, 1
+nobs.no, 1
+nobsmc.com, 1
+nobunplease.com, 1
+nobutwhy.com, 1
+nobz.com.br, 0
+noc.best, 1
+noc.wang, 1
+nocapplugins.xyz, 1
+noccie.com, 1
+nocillaconchorizo.tk, 1
+nocit.dk, 1
+nocks.com, 1
+noclegiwchecinach.pl, 1
+nocloud.website, 1
+noco.nl, 1
+nocoastpunx.tk, 1
+nocodefactory.io, 1
+nocoffee.tech, 1
+nocoffeetech.de, 1
+nocommentsallowed.com, 1
+nocr.net, 1
+nocreyentes.org, 1
+nocrm.io, 1
+noctinus.tk, 1
+noctisphoto.tk, 1
+nocturnos.tk, 1
+nocturnus.tk, 1
+noctys.com, 1
+nocyclopedia.tk, 1
+nod32.com.pt, 1
+nodde.cf, 1
+nodecdn.net, 1
+nodecore.mine.nu, 1
+nodecraft.com, 1
+nodefoo.com, 1
+nodejs.org, 1
+nodelab-it.de, 1
+nodelia.com, 0
+nodepoet.com, 1
+noderunners.network, 1
+nodespin.com, 1
+nodestination.tk, 1
+nodi.at, 0
+nodi.cloud, 1
+nodie.ga, 1
+nodist.club, 1
+nodkimrecord.com, 1
+nodl.cloud, 1
+nodmarcrecord.com, 1
+noedidacticos.com, 1
+noefio-software.com, 1
+noel.wf, 1
+noel.yt, 1
+noelblog.ga, 1
+noellimpag.me, 0
+noemax.com, 1
+noeontheend.com, 1
+noexcusesc.gov, 1
+noexec.org, 1
+nofilter.gq, 1
+nofrillsdns.com, 1
+noga4you.de, 1
+nogema.net, 1
+nogerondier.eu, 1
+nogetime.com, 1
+nogfw.org, 1
+nogfw.pro, 1
+nogfwsite.com, 1
+nogger.nl, 1
+nogluten.com, 1
+nogmat.org, 1
+nogradhont.hu, 1
+nogre.com, 1
+nogyogyaszat.eu, 0
+nohatenj.gov, 1
+nohats.ca, 1
+nohomeinsurance.com, 1
+nohttps.org, 1
+nohungerfoodbank.org, 1
+nohup.se, 1
+nohup.xyz, 1
+noideas.tk, 1
+noidlikes.coffee, 1
+noiglosujemy.com.pl, 1
+noiglosujemy.pl, 1
+noincludesubdomains.preloaded.test, 0
+noirland.co.nz, 1
+noirmale.com, 1
+noirmalenetwork.com, 1
+noirpvp.com, 1
+noiseboyz.com, 1
+noisebridge.social, 1
+noisky.cn, 1
+noisyfox.cn, 1
+noisyfox.io, 1
+noisyspa.io, 1
+noithat78.com, 1
+noithatbachtin.com, 1
+noithatphangia.net, 1
+noiz.ro, 1
+noj.ac, 0
+nojihata.com, 1
+nojok.es, 1
+nojoumstudio.live, 1
+nojum.tk, 1
+nokarateinthepit.com, 1
+nokchon.tk, 1
+nokia.la, 1
+noknow.ovh, 0
+nokono.com, 1
+nokoshop.fr, 1
+noktadedektor.com, 1
+noktadetectors.com, 1
+noktadetectors.com.br, 1
+noktron.de, 1
+nokumbaya.com, 1
+nokya.tk, 1
+nokzedoc.tv, 1
+nolanpoe.me, 1
+nolanpowellisaho.com, 1
+nolanvilletx.gov, 1
+nolate.de, 1
+nolatepayments.com, 1
+nolaviz.org, 1
+noleggio-bagni-chimici.it, 1
+noleggiobagnichimici.perugia.it, 1
+noleggioimbarcazioni.it, 1
+noleggiolimousine.roma.it, 1
+noleggiovetture.it, 1
+nolimit.bike, 1
+nolinobaby.pl, 1
+nolovus.com, 1
+nolt.io, 1
+nolte-tver.ru, 1
+nolutut.ga, 1
+nomada.gt, 1
+nomadaregalos.com, 1
+nomadcasino.com, 1
+nomadichome.com, 1
+nomadichome.org, 1
+nomadichomes.com, 1
+nomadichomes.org, 1
+nomadiclifes.com, 1
+nomadicrootsco.com, 1
+nomadix.com, 1
+nomadlist.com, 1
+nomadproject.io, 0
+nomadtech.servehttp.com, 1
+nomadworld.net, 1
+nomasfraudecolorado.gov, 1
+nomaspicaduras.com, 1
+nomaster.cc, 1
+nomee6.xyz, 1
+nomerel.com, 1
+nomerodekors-esport.no, 1
+nomerodekors.no, 0
+nomesbiblicos.com, 1
+nomial.co.uk, 1
+nomifensine.com, 1
+nomik.xyz, 1
+nomo.com, 1
+nomore112.org, 1
+nomsing.tk, 1
+nomtechbytes.com, 1
+nomzamo.spdns.org, 1
+noname-ev.de, 0
+nonametheme.com, 1
+nonemail.ch, 1
+nonemu.ninja, 1
+nonnaloreta.it, 1
+nono.fi, 0
+nono303.net, 1
+nonobstant.cafe, 1
+nonpareilonline.com, 1
+nonprofit.info, 1
+nonsa.pl, 1
+nonslipdeckingco.uk, 1
+nonstopjob.ga, 1
+nontonfilem.ml, 1
+nonuplebroken.com, 1
+nonverbalcommunicationcertificate.com, 1
+nonx.pro, 1
+nonxsistent.tk, 1
+nonzero.io, 1
+noob-box.net, 1
+noob-rp.ru, 1
+nooben.com, 1
+noobit.org, 1
+noobow.me, 1
+noobs-in-action.com, 1
+noobsrus.co.uk, 1
+noobsunited.de, 0
+noobswhatelse.net, 1
+noobunbox.net, 1
+noodweer.be, 1
+noom.com, 1
+noon-entertainments.com, 1
+noonan.family, 1
+noonan.tech, 1
+nooneshere.co.uk, 1
+noop.ch, 1
+noop.com.au, 1
+noordbikers.tk, 1
+noorden.com, 1
+noordsee.de, 1
+noordwijk.nl, 1
+nooresunnat.tk, 1
+noorsolidarity.com, 0
+noorzaitribe.ga, 1
+noosebrigade.com, 1
+noosxe.com, 1
+nootropic.com, 1
+nootropicpedia.com, 1
+nootropil.cf, 1
+noovell.com, 1
+nopagefound.com, 1
+nopaincenter.ro, 0
+nopajam.tk, 1
+nopassword.ca, 1
+nopasswords.ca, 1
+nopaste.eu, 1
+nopaynocure.com, 1
+nophelet.com, 1
+nopiamanual.net, 1
+nopm.xyz, 1
+nopropaganda.tk, 1
+nopuedesdejarlopasar.es, 1
+nora-devot.com, 1
+noraahost.com, 1
+noracora.com, 1
+norad.sytes.net, 1
+noradevot.com, 1
+noradevot.org, 1
+noradrenalina.com, 1
+norala.tk, 1
+noralku.net, 1
+norazpublicservice.gov, 1
+norbert-wollheim-platz.tk, 1
+norbertorabinovichblog.com, 0
+norbit.de, 1
+norcalworkcomp.com, 1
+norcconcrete.com, 1
+norcopa.gov, 1
+nord-sud.be, 1
+nordaccount.com, 1
+nordbusinessaccount.com, 1
+nordcheckout.com, 1
+nordcity.ga, 1
+nordcom.io, 1
+norddevelopmentgroup.com, 1
+norden.eu.org, 1
+norden.social, 1
+norderney-zs.de, 1
+nordesttrasporti.it, 1
+nordex.ca, 1
+nordfinck.de, 1
+nordformstore.dk, 1
+nordgravite.fr, 1
+nordhealth.com, 1
+nordhealth.fi, 1
+nordicequities.com, 1
+nordicirc.com, 1
+nordico.club, 1
+nordicportalen.tk, 1
+nordicsemi.com, 1
+nordicsolutionsgroup.com, 1
+nordicsrit.tk, 1
+nordicway.dk, 1
+nordinfo.fi, 1
+nordiskhiss.se, 1
+nordiskhissvarmland.se, 1
+nordlandsbanken.no, 1
+nordlandverliebt.de, 1
+nordlayer.com, 1
+nordlichter-brv.de, 1
+nordlocker.com, 1
+nordmark-pharma.de, 1
+nordmoregatebilklubb.com, 1
+nordpass.asia, 1
+nordpass.com, 1
+nordsec.com, 1
+nordseeblicke.de, 1
+nordstarfossils.com, 1
+nordvestkysten.de, 1
+nordvestkysten.dk, 1
+nordvpn.com, 1
+nordwal.de, 1
+nordwaldzendo.de, 1
+norebase.com, 1
+noref.tk, 1
+noregrets.tk, 1
+noreply.mx, 1
+norestfortheweekend.com, 1
+norfipc.com, 1
+norfolkgardencare.co.uk, 1
+norgesenergi.no, 1
+norichanmama.com, 1
+noriel.ro, 1
+norikazumatsuno.tk, 1
+noripon.blog, 1
+noriskit.nl, 1
+noritakechina.com, 1
+noriva.com.mt, 1
+norlink.ca, 1
+normaculta.com.br, 1
+normalady.com, 1
+normalil.gov, 1
+normalinlinden.de, 1
+normalized.ga, 1
+normalizuj.me, 1
+normalporter.tk, 1
+normalsecurity.com, 1
+norman-legal.com, 1
+norman-preusser-gmbh.de, 1
+normanbauer.com, 1
+normandgascon.com, 1
+normandie-bienetre.com, 1
+normandiereiki.com, 1
+normandy.tk, 1
+normanhurstldc.nsw.edu.au, 1
+normco.re, 0
+normity.nl, 1
+norml.fr, 1
+noroutine.com, 1
+noroutine.me, 1
+norridgewock.gov, 1
+norrisautomotiveinc.com, 1
+norrishome.tk, 1
+norristn.gov, 1
+norrkemi.se, 1
+norrlandsbilverkstad.se, 1
+norrliden.de, 1
+norsewars.com, 1
+norskespilleautomater.com, 1
+norskpensjon.no, 1
+nortecompartidoexperience.es, 1
+nortecultural.tk, 1
+nortek.com, 1
+northafrican.tk, 1
+northamericantrack.com, 0
+northampton-vets.co.uk, 1
+northatlantalawgroup.com, 1
+northatlantalawgroup.net, 1
+northaugustasc.gov, 1
+northbannockfire.gov, 1
+northbayvillage-fl.gov, 1
+northbengaltourism.com, 1
+northboot.xyz, 0
+northbranch-md.com, 0
+northbranfordct.gov, 1
+northbranfordpdct.gov, 1
+northbrisbaneapartments.com.au, 1
+northcapitalb.com, 1
+northcarolinahealth.tk, 1
+northcharlestonsc.gov, 1
+northcoastlabs.com, 1
+northcoastpsychotherapy.com.au, 1
+northcountyfire.gov, 1
+northcountykiaparts.com, 1
+northcreekresort.com, 1
+northcreekresortblue.ca, 1
+northdallasendo.com, 1
+northdavisfireut.gov, 1
+northdevonbouncycastles.co.uk, 1
+northeastcdc.org, 1
+northeasternchimney.com, 1
+northeasternsportfishing.com, 1
+northebridge.com, 0
+northernflame.tk, 1
+northerngate.net, 1
+northernhamsterclub.com, 1
+northernlight.com, 1
+northernlitescourier.ca, 1
+northernpowertrain.com, 1
+northfayettepa.gov, 1
+northfayettepapolice.gov, 1
+northfieldmn.gov, 1
+northfieldnh.gov, 1
+northfinance.dk, 1
+northflightaeromed.org, 1
+northhampton-nh-pd.gov, 1
+northhudsonwi.gov, 1
+northiowatractorride.com, 1
+northkingstownri.gov, 1
+northkoreainsider.tk, 1
+northliner.tk, 1
+northlinkferries.com, 1
+northlinkferries.net, 1
+northmiamibeachfl.gov, 1
+northmountliquor.ca, 1
+northoaksmn.gov, 1
+northokanaganbookkeeping.com, 1
+northplainfield-nj.gov, 1
+northplainfieldnj.gov, 1
+northplattene.gov, 1
+northpointoutdoors.com, 1
+northpole.dance, 1
+northportfl.gov, 1
+northportpdfl.gov, 1
+northpost.is, 1
+northprairiepdwi.gov, 1
+northprairiewi.gov, 1
+northpublicidade.com.br, 1
+northrose.net, 1
+northshoremums.com.au, 1
+northshorevisitor.com, 1
+northstarcommunitytrust.org, 1
+northstarcommunitytrust.org.uk, 1
+northstaredit.org.uk, 1
+northstarmodular.com, 1
+northstartrust.co.uk, 1
+northstartrust.com, 1
+northstartrust.org, 1
+northstartrust.org.uk, 1
+northsummitfireut.gov, 1
+northtek.tk, 1
+northteksystems.com, 1
+northtex.com, 1
+northtexaspiano.org, 1
+northtexasvasectomy.com, 1
+northtints.store, 1
+northtopsailbeachnc.gov, 1
+northtowndental.ca, 1
+northumberlandcountypa.gov, 1
+northumbria.ac.uk, 1
+northwestimaging.com, 1
+northwilkesboronc.gov, 1
+northwoodoh.gov, 1
+northwoodstudios.org, 1
+northzone.ml, 1
+norveg.ru, 1
+norvelltwp-mi.gov, 1
+norwalkct.gov, 1
+norwalkps.org, 0
+norway.ml, 1
+norwayinternetstuffs4u.tk, 1
+norwegian.events, 1
+norwellma.gov, 1
+norwichzen.org.uk, 1
+norwoodma150.gov, 1
+norys-escape.de, 1
+norz.at, 1
+norzetto.com, 1
+nos-oignons.net, 1
+nosacheva.ru, 1
+nosandjayo.com, 1
+nosbenevolesontdutalent.com, 1
+noschairsfauteuils.fr, 1
+noscript.net, 1
+noseastumismo.com, 1
+nosecare.com, 1
+nosecrets.ch, 1
+nosedoctor.net, 1
+nosetup.tk, 1
+noseware-apps.de, 1
+nosfermiers.com, 1
+nosinmiperro.tk, 1
+nosite.co.za, 1
+noskov.org, 1
+nosleepforrobots.com, 1
+noslite.nl, 1
+nosmoke.cc, 1
+nosmoking.tk, 1
+nosoxo.com, 1
+nosproduitsdequalite.fr, 1
+nossaseguros.ao, 1
+nossasenhoradodesterro.com.br, 1
+nossasenhoradopranto.pt, 0
+nossorepresentante.com.br, 1
+nostalgicinfinity.tk, 1
+nostalgie.tk, 1
+nostalgift.ir, 1
+nostalgiktv.ml, 1
+nostalgimidi.se, 1
+nostalgische-attracties.nl, 1
+nostaljicicekcilik.com, 1
+nostar.fr, 1
+nostoautomaatti.fi, 1
+nostosh.eu.org, 1
+nostradansacornella.tk, 1
+nostraforma.com, 0
+nostring.io, 1
+nostrum.ee, 1
+nostrupload.com, 1
+nosuch.site, 1
+nosuch.website, 1
+nosurfinbrighton.tk, 1
+noswap.com, 1
+nosyu.pe.kr, 0
+not-a.link, 1
+not4me.ga, 1
+not4me.tk, 1
+nota-web.com, 1
+nota.moe, 1
+nota.place, 1
+notablepeeps.com, 1
+notabug.eu, 1
+notabug.org, 1
+notacooldomain.com, 1
+notactivelylooking.com, 1
+notadd.store, 1
+notallmine.net, 0
+notalone.gov, 1
+notamo.de, 1
+notar-glagowski.com, 1
+notar-glagowski.de, 1
+notar-peikert.com, 1
+notari.pro, 1
+notariatpublic.com, 1
+notaries-europe.com, 1
+notariosbcn.com, 1
+notarisdecatalunya.org, 1
+notariusz-bialystok.com, 1
+notariuszprzybylowicz.pl, 1
+notariuszsych.pl, 1
+notary-tx.com, 1
+notary24.ru, 1
+notarypublic.co.nz, 1
+notashamedministry.org, 1
+notbolaget.se, 1
+notbot.es, 1
+notby.net, 1
+notcompletelycorrect.com, 1
+notcurses.com, 1
+notdankmemer.lol, 1
+note.ms, 1
+note1024.tk, 1
+note7forever.com, 1
+notebin.xyz, 1
+notebleue.com, 1
+noteboat.net, 1
+notebooksbilliger.de, 1
+notebooksteurer.shop, 1
+notebrook.com, 1
+notecoffee.tw, 1
+noted.de, 1
+notedinstyle.co.uk, 1
+notenarchiv.eu, 1
+notepam.com, 1
+notequal.me, 1
+notesforpebble.com, 1
+noteskeeper.ru, 1
+notfunny.tk, 1
+notgerman.com, 1
+nothinfancy.ca, 1
+nothing.net.nz, 1
+nothing.org.uk, 1
+nothingbundtcakes.com, 1
+noti.tg, 1
+noticiaelmundo.com, 1
+noticias7.org, 1
+noticiasdeautos.site, 1
+noticiasdetv.com, 1
+noticiasdocambio.com.br, 1
+noticiashoy.online, 1
+noticiassonaqui.com, 1
+noticiasymas.cl, 1
+noticieropopular.tk, 1
+noticies.tk, 1
+notienegoyete.ga, 1
+notif-build-laposte.info, 1
+notif-colissimo-laposte.info, 1
+notif-laposte.info, 1
+notif-lidentitenumerique-laposte.info, 1
+notif-lpfr-laposte.info, 1
+notif-moncompte-laposte.info, 1
+notific.at, 1
+notificami.com, 1
+notify.gov, 1
+notifyed.com, 1
+notifymy.team, 1
+notime.tk, 1
+notinglife.com, 1
+notion.so, 1
+notionbackups.com, 1
+notipress.mx, 1
+notisec.hu, 1
+notisecit.hu, 1
+notisphererecalls.com, 1
+notiziarioweb.tk, 1
+notizie.ai, 1
+notliriklagu.com, 1
+notme.cf, 1
+notmyrealmail.com, 1
+notnewz.tk, 1
+notnize.net, 1
+notnl.com, 1
+notofilia.com, 1
+notokyc.com, 1
+notomalayan.tk, 1
+notonprem.com, 1
+notora.tech, 1
+notoriousdev.com, 1
+notre-planete.info, 1
+notrefuse.tk, 1
+notresiteduvercors.tk, 1
+notrid.com, 1
+notryden.com, 1
+notsafefor.work, 1
+notsoape.com, 1
+nottawatwpisabellami.gov, 1
+nottinghammoneyman.com, 1
+nottwo.ru, 1
+notube.cc, 1
+notube.io, 1
+notube.net, 1
+notube.site, 1
+nou9ta.tk, 1
+noudjalink.nl, 1
+nougat-anduze.fr, 1
+noumeet.com, 1
+nouragha.com, 1
+nourishandnestle.com, 1
+nourishbyfrida.com, 1
+noussommesluniversite.org, 1
+nousyukum.com, 1
+nouveau.nl, 1
+nouveauhosting.com.au, 1
+nouvelle.net.au, 1
+nova-dess.ch, 0
+nova-eq.com, 1
+nova-host.ml, 1
+nova-kultura.org, 1
+nova.live, 1
+novabench.com, 0
+novacal.ga, 1
+novacap.ca, 1
+novacoaching.nl, 1
+novacoast.com, 1
+novadir.com, 1
+novafreixo.pt, 1
+novageracao2021.pt, 1
+novaintegra.co, 1
+novaintegra.com, 1
+novak.cf, 1
+novakola.bg, 1
+novalevante.info, 1
+novalite.rs, 0
+novalnet.de, 1
+novanetwork.ml, 1
+novanice.net, 1
+novanta.pl, 1
+novantaphotonics.com, 1
+novaofcalifornia.com, 1
+novaquark.com, 1
+novaratoday.it, 1
+novarock.tk, 1
+novasdecadamanha.com.br, 1
+novashare.io, 1
+novasport.ru, 1
+novasprint.tk, 1
+novastore.com.br, 1
+novastores.co, 1
+novatelecom.cl, 0
+novavax.com, 0
+novaway.ca, 1
+novaya.media, 1
+novaya.no, 1
+novayagazeta.ee, 1
+novayagazeta.eu, 1
+novayagazeta.ru, 1
+novayazemlya.tk, 1
+nove.city, 1
+noveciti.com, 1
+novecity.cloud, 1
+novecity.com, 1
+novecity.info, 1
+novecity.it, 1
+novecity.org, 1
+novecitymail.com, 1
+novecore.pro, 1
+novel543.com, 1
+novelas.net.br, 1
+novelinglife.net, 0
+novelly.in, 1
+novelmic.com, 1
+noveltr.com, 1
+noveltydoorers.ga, 1
+noveltydoorest.ga, 1
+novelvyretraite.fr, 1
+novema.jp, 1
+novenopiso.tk, 1
+novezamky.tk, 1
+novgorod24.tk, 1
+novgorodinfo.tk, 1
+novi-marof.hr, 1
+novias.co.jp, 1
+noviceman.tk, 1
+novichek-plus.ml, 1
+novichok.ml, 1
+novickoe.ml, 1
+novilaw.com, 1
+novilidery.com, 1
+novilist.hr, 1
+novinkihd.tk, 1
+noviny.sk, 1
+novinykraje.cz, 1
+novip.tk, 1
+noviyan.com, 1
+novobi.com, 1
+novobudowa.pl, 1
+novocarrobr.com.br, 1
+novodiegomaia.com.br, 1
+novogimn.tk, 1
+novogradnje.si, 1
+novogrudok.tk, 1
+novojet.cl, 1
+novokurovka.tk, 1
+novokuznetsk.tk, 1
+novonegoc.io, 1
+novoodesabibl.tk, 1
+novoopus.com, 1
+novoresume.com, 1
+novorossiysk.tk, 1
+novorussiya.tk, 1
+novosad-kom.tk, 1
+novosel.ga, 1
+novoselie.ga, 1
+novosibavia.ru, 0
+novosleep.ca, 1
+novosti-novorossii.ml, 1
+novosti-novosibirsk.tk, 1
+novosti-online.tk, 1
+novosti-tv.tk, 1
+novostimira.gq, 1
+novostionline.tk, 1
+novostiz.tk, 1
+novostroyki.ml, 1
+novotoznanie.com, 1
+novparket.ru, 0
+novrazbb.com, 1
+novsti.cf, 1
+novu.com, 1
+novumclinic.pl, 1
+novumnet.com.br, 1
+novurania.com, 0
+novy.software, 1
+novy.vip, 1
+novychas.online, 1
+novye-kuhni.ml, 1
+novysvit.com.ua, 1
+novyzelandnamiru.cz, 1
+now.sh, 1
+now101atm.tk, 1
+nowaccy.info, 1
+nowaesthetic.com, 1
+nowaovivo.com.br, 1
+nowarning.cc, 1
+nowbb.tk, 1
+nowebsite.tk, 1
+nowecor.de, 1
+noweigh.co.uk, 1
+nowhairtime.com, 1
+nowhere.dk, 1
+nowinkijedynki.tk, 1
+nowitzki.network, 1
+nowlas.org, 0
+nowloading.co, 1
+nowloading.tk, 1
+nowoczesnysalon.ga, 1
+nowoe.ru, 1
+nowonline.biz, 1
+nowremindme.com, 1
+nowtime.cc, 1
+nowtips.gq, 1
+nowtricity.com, 1
+nowzad.com, 1
+nowzarimd.com, 1
+noxh.net, 1
+noxi.ga, 1
+noxiouspl.uk, 1
+noxomusic.com, 1
+noxx.global, 1
+noxx.solutions, 1
+noxx.uk, 1
+noy.asia, 1
+noy.cat, 1
+noyoga.at, 1
+noyweb.tools, 1
+nozaka-k.com, 1
+nozel.cf, 1
+nozel.ga, 1
+nozel.gq, 1
+nozesurvival.pl, 1
+nozom.tk, 1
+np-edv.at, 1
+np.search.yahoo.com, 0
+np39.de, 1
+npaf.org, 1
+npaihb.org, 1
+npass.us, 1
+npath.de, 1
+npbeta.com, 1
+npc-ts.org, 1
+npc.org.au, 1
+npclimited.co.uk, 1
+npcradio.tk, 1
+npdigital.com, 1
+npgcdn.net, 1
+nphrm.com, 1
+npjobsite.com, 1
+nplc.cc, 1
+nplindia.org, 1
+npm.li, 1
+npmcdn.com, 1
+npontu.com, 1
+npowerbusinesssolutions.com, 1
+nprb.org, 1
+npregion.org, 1
+npsas.org, 1
+nptelegraph.com, 1
+nptn.tk, 1
+npuer.life, 1
+npws.net, 1
+nqesh.blog, 1
+nqesh.net, 1
+nqesh.org, 1
+nqesh.ph, 1
+nqeshonline.com, 1
+nqeshreviewer.com, 1
+nqhomeinsurance.gov.au, 1
+nqwebdesign.com, 1
+nrac.or.jp, 1
+nrail.eu, 1
+nrbpublishing.com, 1
+nrbri.ru, 1
+nrc-gateway.gov, 1
+nrc.gov, 1
+nrchealth.com, 1
+nrd.gov, 1
+nrdstd.io, 1
+nreihofer.de, 1
+nrev.ch, 1
+nrj-plomberie.com, 1
+nrkn.fr, 1
+nrldc.in, 0
+nrm.co.nz, 1
+nrpyrenees.fr, 1
+nrsmart.com, 1
+nrsweb.org, 1
+nrthcdn.me, 1
+nrvc.net, 1
+nrvn.cc, 1
+nrvnastudios.com, 1
+nrw-stiftung-magazin.de, 1
+ns-frontier.com, 1
+ns-hook.dk, 1
+ns.gov, 1
+ns0.ca, 1
+ns230kvopenhouse.com, 1
+ns2servers.pw, 1
+nsa.ovh, 1
+nsacom.com, 1
+nsadns.uk, 1
+nsamail.uk, 1
+nsapb.bg, 1
+nsb.lk, 1
+nsbfalconacademy.org, 1
+nsbih.ba, 1
+nsboston.org, 1
+nsboutique.com, 1
+nsbufl.gov, 1
+nscai.gov, 1
+nscorporation.co.jp, 1
+nscresearchcenter.org, 1
+nsdcprayerforce.com, 1
+nsec.dk, 1
+nseindia.com, 1
+nsep.gov, 1
+nsepapa.com, 1
+nsfw-story.com, 1
+nsfw.dk, 1
+nshipster.cn, 1
+nshipster.co.kr, 1
+nshipster.com, 1
+nshipster.es, 1
+nshispeed.nl, 1
+nsics.co.jp, 1
+nsikakimoh.com, 1
+nsine.be, 1
+nsinternational.com, 1
+nsinternational.nl, 1
+nsjbio.com, 1
+nskarate.tk, 1
+nsl.co.nz, 1
+nslacandelaria.com, 1
+nsm.ee, 1
+nsmail.cn, 1
+nsmail.com, 1
+nsn.nl, 1
+nsncatalog.com, 1
+nso.ie, 1
+nso.li, 1
+nsoft.nu, 1
+nsoiran.tk, 1
+nsopr.gov, 1
+nsopw.gov, 1
+nsp-discount.com, 1
+nsp.com.ua, 1
+nsp.ua, 1
+nspeaks.com, 0
+nspireoutreach.org, 1
+nspoh.nl, 1
+nsradiology.net, 1
+nssfchile.tk, 1
+nssquad.tk, 1
+nst-maroc.com, 1
+nstatic.xyz, 1
+nstd.net, 1
+nsteck.com, 1
+nstnet.org, 1
+nsu.pw, 1
+nsv.ee, 1
+nswedu.link, 1
+nsworks.com, 0
+nszero.tk, 1
+nta-net.nl, 1
+ntags.org, 1
+ntcoss.org.au, 1
+ntcp.ph, 1
+ntcrmezon.ru, 1
+ntdf.co.uk, 1
+nte.email, 1
+ntecha.com, 1
+ntechp.com, 1
+ntgltema.ml, 1
+ntgvision.com, 1
+nth.sh, 0
+nti.de, 1
+ntia.gov, 1
+ntindependent.com.au, 1
+ntinet.com, 1
+ntinformatique.ca, 1
+ntj125app.com, 1
+ntk-institute.org, 1
+ntlabs.org, 1
+ntnlst.com, 1
+ntokens.com, 1
+ntokens.com.br, 1
+ntotten.com, 1
+ntppool.com, 1
+ntppool.net, 1
+ntppool.org, 1
+ntr.ac.cn, 1
+ntreizel.com, 1
+nts.com, 1
+ntsb.gov, 1
+ntsipl.com, 1
+ntsmcqs.com, 0
+ntsmetrics.com, 1
+ntsp.team, 1
+ntt-buses.com, 1
+ntu.edu.sg, 0
+ntuchinesesociety.com, 0
+ntvtelugu.com, 1
+ntx360grad-fallakte.de, 1
+ntxsolarandconstruction.com, 1
+ntz.im, 1
+nu-pogodi.net, 1
+nu.com.mx, 1
+nu.fi, 1
+nuacht.ie, 1
+nuage-libre.fr, 1
+nuage365.de, 0
+nuanda.es, 1
+nuansagoal.co, 1
+nub.so, 1
+nubank.com.br, 1
+nube.com.br, 1
+nubeaustral.ar, 1
+nubehogar.nsupdate.info, 1
+nubian.cf, 1
+nubian.tk, 1
+nubilum.noip.me, 1
+nubium.net, 1
+nubla.fr, 1
+nubla.io, 1
+nubnology.com, 1
+nubraza.com, 1
+nubu.at, 1
+nubunk.com.ng, 0
+nucciocondorelli.it, 1
+nuckollscountyne.gov, 1
+nuclea.site, 1
+nuclearcake.de, 1
+nuclearforum.tk, 1
+nuclearhell.tk, 1
+nuclearmed.org, 1
+nuclearnation.tk, 1
+nuclearsky.tk, 1
+nucleios.com, 1
+nucleomarketing.com.br, 1
+nucleosynth.space, 1
+nucleus-co.org, 1
+nucleuscore.org, 1
+nucleuspanel.com, 1
+nudaveritas.tk, 1
+nudeai.com, 1
+nudeandfresh.tk, 1
+nudegirlphotos.com, 1
+nudegirls.tv, 1
+nudel.ninja, 1
+nudes.ovh, 1
+nudetube.com, 1
+nudevotion.com, 1
+nudgesecurity.io, 1
+nudo.tk, 1
+nudoleaks.com, 1
+nuecescountytx.gov, 1
+nuel.cl, 1
+nuernberg-finanzen.de, 1
+nuernbergwillwandel.de, 1
+nuespacios.com, 0
+nuestrasdanzashn.tk, 1
+nuetel.com, 1
+nuevacombarbala.tk, 1
+nuevaimagenpublicidad.es, 1
+nuevapublicidad.tk, 1
+nuevaya.com.ni, 0
+nuffield.nl, 1
+nugdev.co, 0
+nuggit.ga, 1
+nugmanov.net, 1
+nugratis.nl, 1
+nugush.tk, 1
+nuhbeg.com, 1
+nuhil.tk, 1
+nuhs.edu.sg, 1
+nuhs.sg, 1
+nuitec.com.br, 1
+nuits-franciliennes.fr, 1
+nuke-masters.tk, 1
+nukeiso.ml, 1
+nukeportal.ml, 1
+nukeportal.tk, 1
+nukeshop.tk, 1
+nukleoti.de, 1
+nukute.com, 0
+nul20.nl, 1
+null-d.com, 1
+null-life.com, 0
+null48.net, 1
+nullbit.tk, 1
+nulldev.org, 1
+nulle-part.org, 1
+nulledme.ga, 1
+nulleds.tk, 1
+nullificatr.tk, 1
+nullonerror.org, 1
+nullop.tech, 1
+nullptr.zone, 1
+nullroute.com, 1
+nullroute.wtf, 1
+nullscripts.tk, 1
+nullsechs.tk, 1
+nullshare.tk, 1
+nulltime.net, 1
+nullvoid.me, 1
+nullxsec.net, 1
+nully.xyz, 1
+nulo.ar, 0
+nuls.io, 1
+nulsc.biz, 1
+numancia.tk, 1
+numarasorgulama.tel, 1
+number.me, 1
+numbercult.net, 1
+numberzero.org, 1
+numbots.com, 1
+numeezy.com, 1
+numerama.com, 1
+numericall.gq, 1
+numeriquoi.com, 1
+numeritelefonici.it, 1
+numerix.com, 1
+numerli.com, 1
+numero1.ch, 0
+numero1.tk, 1
+numerobis.tk, 1
+numerologist.com, 1
+numerosrojos.es, 1
+numerossanos.com.ar, 1
+numerouno.ml, 1
+numerspiral.pt, 1
+numismatix.de, 1
+numismed-seniorcare.de, 1
+nummer378.de, 1
+numo.co, 1
+numwave.nl, 1
+numxl.com, 1
+nunesgh.com, 1
+nunesgh.org, 1
+nunnenmacher.net, 0
+nunnun.jp, 1
+nuno-sarmento.com, 1
+nunoarruda.com, 1
+nunoefabia.tk, 1
+nunogand.com, 1
+nunoleiria.com, 1
+nunomoura.com, 1
+nunoprospero.com, 1
+nunsarean.tk, 1
+nuntiicaelo.in.ua, 1
+nunu.cf, 1
+nunu.ml, 1
+nuooly.com, 1
+nuos.org, 1
+nuovaelle.it, 1
+nuovaguardia.tk, 1
+nuovicasino.it, 1
+nupaybusiness.com.br, 1
+nupixemedia.com, 1
+nuquery.com, 1
+nur-test.de, 1
+nur.berlin, 1
+nuraling.com, 1
+nuranagi.rocks, 1
+nureg.club, 1
+nureg.net, 1
+nuria-fergo.tk, 1
+nuriaamat.com, 1
+nuriacamaras.com, 1
+nurkamol.com, 1
+nurlyn.com, 0
+nurmio.fi, 1
+nurnabi.ml, 1
+nurseactioners.ga, 1
+nurseactionest.ga, 1
+nursejj.com, 1
+nursemom.ca, 1
+nurserystory.co.uk, 1
+nurseslabs.com, 1
+nursetheticsbyliam.co.uk, 1
+nursing-school-degrees.com, 1
+nursing-school2.tk, 1
+nursingconsultant.ca, 1
+nursinghero.com, 1
+nursinglicensure.org, 1
+nursingschool.network, 1
+nursunity.ml, 1
+nurture-thrive.com, 1
+nusabarongmotormalang.com, 1
+nusaceningan.io, 1
+nusantaraku.tk, 1
+nusatrip-api.com, 1
+nussadoclub.org, 1
+nussschale.eu, 1
+nustay.com, 1
+nut.spb.ru, 1
+nutbot.co.uk, 1
+nutleyarchives.org, 1
+nutleyeducationalfoundation.org, 1
+nutleyef.org, 1
+nutmeg.com, 1
+nutra-creations.com, 1
+nutra.tk, 1
+nutralivbio.com, 1
+nutrashop.fr, 1
+nutriciametabolics-shop.de, 1
+nutricionistatulioalmeida.com, 1
+nutriciously.com, 1
+nutriclub.co.id, 1
+nutrifruiti.ca, 1
+nutrifyyourself.com, 1
+nutrijets.com, 1
+nutriment.co.uk, 1
+nutrineyfelipe.com, 1
+nutripedia.gr, 1
+nutripure.fr, 1
+nutrisidangym.com, 1
+nutrislice.com, 1
+nutristories.gr, 1
+nutrition.gov, 1
+nutritiondynamixrd.com, 1
+nutritioned.org, 1
+nutritionfitness.fr, 1
+nutritious.cf, 1
+nutrizionista.roma.it, 1
+nutroeffect.com, 1
+nutsandboltsfoundation.org, 1
+nutsforfruits.com.au, 1
+nutwgent.tk, 1
+nuus.hu, 1
+nuva.hu, 1
+nuvabridge.com, 1
+nuvasystem.com, 1
+nuvechtdal.nl, 1
+nuvini.com, 1
+nuvoagency.com, 1
+nuvolosicuro.io, 1
+nuvotheagency.com, 1
+nuwave.com, 0
+nux.jp, 1
+nuxer.fr, 1
+nuzhenkredit.ga, 1
+nuzhenkredit.gq, 1
+nuzhenkredit.ml, 1
+nuzhenkredit.tk, 1
+nv-art.ru, 1
+nvcmaine.gov, 1
+nvcogct.gov, 1
+nvd.nl, 1
+nvda-addons.org, 1
+nvda.es, 1
+nvdps.gov, 1
+nve-qatar.com, 1
+nvest.co.za, 1
+nvestel.co.za, 1
+nvestholdings.co.za, 1
+nvestholdings.com, 1
+nvestproperties.co.za, 1
+nvests.co.za, 1
+nvestsec.co.za, 1
+nvfh.co.za, 1
+nvfoundation.com, 1
+nvh.group, 1
+nvi-go.nl, 1
+nviewscareer.com, 1
+nvigate.gov, 1
+nvio.mx, 1
+nvkc.nl, 0
+nvl-game.tokyo, 1
+nvleg.gov, 1
+nvlifeinsurance.info, 1
+nvlop.xyz, 0
+nvme.xyz, 1
+nvmo.org, 1
+nvnv.cf, 1
+nvoip.com.br, 1
+nvq.nl, 1
+nvr.bz, 1
+nvrddma.gov, 1
+nvrk.edu.ee, 1
+nvsp.in, 1
+nvtc.gov, 1
+nvtpower.com, 1
+nvtz.nl, 1
+nvz-kennisnet.nl, 1
+nvzhlv.com, 1
+nw-glass.com, 1
+nw-risk.com, 1
+nwaafund.org, 1
+nwbc.gov, 0
+nwcc.bike, 1
+nwcouncil.gov, 1
+nwea.nl, 1
+nwfdaz.gov, 1
+nwfem.com, 1
+nwh.nz, 1
+nwimports.com, 1
+nwitt.us, 1
+nwmpcllc.com, 0
+nwn.fi, 1
+nwoordinances.tk, 1
+nwopage.tk, 1
+nwperformanceandoffroad.com, 1
+nwps.fi, 1
+nwra.com, 1
+nwradio.tk, 1
+nwrp.eu, 1
+nwshell.com, 1
+nwspecialists.com, 1
+nwtl.com, 1
+nwtparks.ca, 0
+nwtrb.gov, 1
+nwuss.okinawa, 1
+nwwnetwork.net, 1
+nx42.pw, 1
+nxcloud.ml, 1
+nxdomain.info, 1
+nxedge.com, 1
+nxf.li, 1
+nxit.ca, 1
+nxlogis.kr, 1
+nxnt.link, 1
+nxplinc.com, 1
+nxstudios.tk, 1
+nxth.io, 1
+nxtport.eu, 1
+nxxcloud.nl, 1
+ny-events.club, 1
+nya-cloud.com, 1
+nya.as, 1
+nya.autos, 1
+nya.chat, 1
+nya.codes, 1
+nya.one, 1
+nya.show, 1
+nya.work, 1
+nyaan.net, 1
+nyaan.org, 1
+nyac.at, 1
+nyadisk.net, 1
+nyahururu.tk, 1
+nyaken.tk, 1
+nyan.it, 0
+nyan.kim, 1
+nyan.stream, 1
+nyangasm.com, 0
+nyangasm.net, 0
+nyangasm.org, 0
+nyanor.cloud, 1
+nyansparkle.com, 1
+nyantec.com, 1
+nyap.org, 1
+nyatane.com, 1
+nyau.me, 1
+nyauth.com, 1
+nyawau.ch, 1
+nyawork.com, 1
+nybcreative.com, 1
+nycctp.com, 1
+nycdentalimplantscenter.com, 1
+nycestateest.ga, 1
+nycgastroenterologists.com, 1
+nych.com, 1
+nycoyote.org, 1
+nycpac.net, 0
+nycstyleboutique.com, 1
+nycu.moe, 1
+nydig.com, 0
+nydnxs.com, 0
+nyeclipse.com, 1
+nyecountynv.gov, 1
+nyerjakekszekkel.hu, 1
+nyerjazoreoval.hu, 1
+nyerjenaheraval.hu, 1
+nyfurnitureoutlets.com, 1
+nygbcomicguide.tk, 1
+nygbtourguide.tk, 1
+nyhaoyuan.net, 1
+nyhemsgarden.se, 1
+nyheter-sverige.ga, 1
+nyiaarhus.dk, 1
+nyiarlumar.tk, 1
+nyiooc.org, 0
+nyirc.gov, 1
+nylasercenter.com.pl, 1
+nylbdc.gov, 1
+nylevemusic.com, 1
+nylipa.gov, 1
+nyliveauctions.com, 1
+nyloc.de, 1
+nym.at, 1
+nynadynasir.co.id, 0
+nynadynasir.my.id, 1
+nyoka-flutter.com, 1
+nyoka-nodejs.com, 1
+nyoka-react.com, 1
+nyoka.io, 1
+nyoka.ru, 1
+nyoliveoil.com, 1
+nyorokko.com, 1
+nyphox.ovh, 1
+nyrany.online, 1
+nyronet.de, 0
+nysis.fr, 1
+nysis.net, 1
+nysis.org, 1
+nystrom.tk, 1
+nystrs.gov, 1
+nystudio107.com, 1
+nysusankitchen.com, 1
+nytrafficticket.com, 1
+nytvattat.tk, 1
+nyupoco.com, 1
+nyuware.pw, 1
+nyxapp.net, 1
+nyyu.tk, 1
+nyzed.com, 1
+nz.search.yahoo.com, 0
+nzb.su, 1
+nzbfinder.ws, 1
+nzbr.de, 1
+nzbstars.com, 1
+nzcorp.dk, 1
+nzdata.org, 1
+nzelaweb.com, 1
+nzfaponline.com, 1
+nzguns.co.nz, 1
+nzhistory.govt.nz, 1
+nzia.tk, 1
+nzmaths.co.nz, 1
+nzmca.org.nz, 1
+nzmomentum.co.nz, 1
+nzno.org.nz, 1
+nzpost.ga, 1
+nzroom.cf, 1
+nzsafety.co.nz, 1
+nzsafetyblackwoods.co.nz, 1
+nzstudy.ac.nz, 1
+nzt.capital, 1
+nzt.co, 1
+nzt.dev, 1
+nzt.foundation, 1
+nzt.holdings, 1
+nzt.io, 1
+nzt.one, 1
+nzt.productions, 1
+nzt.properties, 1
+nzt.services, 1
+nzt.team, 1
+nzt.technology, 1
+nzt.tools, 1
+nzt.ventures, 1
+nztcap.com, 1
+nztcap.de, 1
+nztcapital.com, 1
+nztcapital.de, 1
+nztcapital.net, 1
+nztfoundation.com, 1
+nztholdings.com, 1
+nztproperties.com, 1
+nztservices.com, 1
+nzttechnology.com, 1
+nzttools.com, 1
+nzttools.net, 1
+nztventures.com, 1
+nztventures.de, 1
+nztventures.net, 1
+nzws.me, 0
+o-bereg.ru, 1
+o-coeur-de-la-fleur.fr, 1
+o-dvor.tk, 1
+o-n-s.co.jp, 1
+o-results.ch, 1
+o-ta-su-ke.net, 1
+o.ee, 1
+o00.eu, 1
+o00228.com, 1
+o0c.cc, 1
+o11y.top, 1
+o15y.com, 1
+o2.tn, 1
+o2design.tk, 1
+o2fitnes.ru, 1
+o2solutions.ae, 1
+o2ss.com, 0
+o3.ua, 1
+o36533.com, 1
+o365info.com, 1
+o3c.com.br, 1
+o3ptitschats.fr, 1
+o3swap.com, 1
+o3wallet.com, 1
+o5.cx, 0
+o5.vc, 1
+o5197.co, 1
+o6729.co, 1
+o6729.com, 0
+o6957.co, 1
+o6asan.com, 1
+o6i.de, 1
+o7.nz, 1
+o82365.com, 1
+o9297.co, 1
+o9728.co, 1
+o98.net, 0
+o9solutions.com, 1
+oaaa.org, 1
+oabtherapy.com, 1
+oadeo.com, 1
+oahpmdata.net, 1
+oakbarnvets.com, 1
+oakbarnwellness.com, 1
+oakbottle.com, 1
+oakcreekwi.gov, 1
+oakdale.org, 0
+oakdaleca.gov, 1
+oakdalemn.gov, 1
+oaken.duckdns.org, 1
+oakesfam.net, 1
+oakface.com.au, 1
+oakharbor.gov, 1
+oakhillfl.gov, 1
+oakhillseniors.com, 1
+oakislandnc.gov, 1
+oaklandenrolls.org, 1
+oaklandfire6.com, 1
+oakparkelectrical.com, 1
+oakparkexteriorlighting.com, 1
+oakparklandscapelighting.com, 1
+oakparklighting.com, 1
+oakparkoutdoorlighting.com, 1
+oakrealty.ca, 1
+oakridgeclinic.ca, 1
+oakshield.nl, 1
+oakslim.com, 1
+oaktravel.nl, 1
+oaktree-realtors.com, 0
+oaktreecapital.com, 0
+oaktreelodge.org.uk, 1
+oakwood-park.tk, 1
+oanclothing.com, 1
+oandareview.co, 1
+oanow.com, 1
+oase-fuer-wohlbefinden.ch, 1
+oasegroen.nl, 1
+oasiristorantebagno.it, 1
+oasis-info.co.uk, 1
+oasis.in, 1
+oasisbodycare.jp, 1
+oasisgenetics.com, 1
+oasiskitchens.com, 1
+oasislab.id, 1
+oatmealdome.me, 1
+oatycloud.spdns.de, 1
+oauthaccountmanager.googleapis.com, 1
+oauthdb.com, 1
+obagg.com, 1
+obala.ga, 0
+obalawebsolutions.ml, 1
+obalky-obaly.sk, 1
+obamalibrary.gov, 1
+obamawhitehouse.gov, 1
+obandln.de, 1
+obarax.com, 1
+obatjantungrematik.tk, 1
+obbr.tk, 1
+obcevents.co.uk, 1
+obcfl.com, 1
+obclub.tk, 1
+obcom.tk, 1
+obdinvest.ru, 1
+obdolbacca.ru, 1
+obec-krakovany.cz, 1
+obecvinodol.tk, 1
+obed-doma.tk, 1
+obejor.com.ng, 1
+obelisco.tk, 1
+obelix05.duckdns.org, 1
+oberam.de, 1
+obereg.cf, 1
+obereg.ga, 1
+obereg.ml, 1
+oberg.co, 1
+oberg.us, 1
+oberhofdrinks.com, 1
+obermeiers.eu, 1
+oberoi.de, 1
+obery.com, 1
+obesidadenmallorca.com, 1
+obesidadlavega.com, 1
+obet901vip.com, 1
+obezma.com, 1
+obg-global.com, 1
+obg.ceo, 1
+obgalslancaster.com, 1
+obgynecologistnyc.com, 1
+obgynmaryland.com, 1
+obgynmiamifl.com, 1
+obgynqueensnyc.com, 1
+obi-betriebsrat.tk, 1
+obi-investissements.fr, 1
+obido.pl, 1
+obihoernchen.de, 1
+obioncountytn.gov, 1
+obioncountytn911.gov, 1
+obj.moe, 1
+object.earth, 1
+objectcache.pro, 1
+objectif-securite.ch, 1
+objectif-terre.ch, 0
+objectif-vancouver-2010.fr, 1
+objectifs-fitness.com, 1
+objectivefoodie.com, 1
+objectivity.co.uk, 1
+objectorientedsolutions.com, 1
+objekt-textil.ch, 0
+objetodestaque.com.br, 1
+obl.ong, 1
+oblak.host, 1
+oblak.studio, 1
+oblikdom.pro, 0
+oblinvest.org, 1
+oblitsov.ru, 1
+oblivious.ml, 1
+oblojka.tk, 1
+oblondata.io, 0
+obmen-viz.tk, 1
+obmen-vizitami.ml, 1
+obmenka.tk, 1
+obmennik.tk, 1
+obnalichka.cf, 1
+obnalichka.ga, 1
+obnalichka.gq, 1
+obnalichka.tk, 1
+obocat.tk, 1
+oboes.top, 1
+oboivam.ru, 1
+obomne.tk, 1
+obozrevatel.tk, 1
+obpr.gov.au, 1
+obrabotka-zakazow.tk, 1
+obraideal.com, 1
+obrasereformasbh.com.br, 1
+obrobka-zdjec.pl, 1
+obs.plus, 1
+obsceneeulogy.tk, 1
+obscur.tk, 1
+obscur.us, 1
+obscureware.xyz, 1
+obsd.me, 1
+observability.top, 1
+observatoire-des-partenariats.fr, 1
+observer.com, 1
+obsessedwithknives.ru, 1
+obsessivecompulsiveexplained.com, 1
+obsessivefacts.com, 1
+obsica.com, 1
+obsidianirc.net, 1
+obsproject.com, 1
+obss.com.tr, 1
+obss.tech, 1
+obstgarten.berlin, 1
+obsuzhday.com, 1
+obtima.org, 1
+obu4alka.ru, 1
+obuchowicz.pl, 1
+obuhov.ml, 1
+obuhov.tk, 1
+obuvgarmisch.cz, 1
+obuysya.tk, 1
+obxlistings.com, 1
+obyna3.pl, 1
+obyrai.org.ua, 1
+obyvateleceska.cz, 1
+obzor-znakomstv.tk, 1
+obzory-evgeny.tk, 1
+oc-minecraft.com, 1
+ocabj.net, 1
+ocacnews.net, 1
+ocalafl.gov, 1
+ocalaflwomenshealth.com, 1
+ocalapd.gov, 1
+ocalhukuk.com, 1
+ocapiarquitetura.com.br, 1
+ocarm.org, 1
+ocarupo.com, 0
+ocasio.es, 1
+ocassessor.gov, 1
+ocauditor.gov, 1
+ocb.gov, 1
+ocbc.com, 1
+occ.eu, 1
+occ.gov, 1
+occam-consulting.de, 1
+occasion.nc, 1
+occhelps.gov, 1
+occrp.org, 1
+occu.lt, 1
+occult-magick.ga, 1
+occult-magick.gq, 1
+occult-magick.ml, 1
+occulter.fr, 1
+occultism.tk, 1
+occultisme.tk, 1
+occultumproductions.tk, 1
+occupational-therapy-colleges.com, 1
+occupationaltherapylicense.org, 1
+occupations.org.ru, 1
+occupy4elephants.tk, 1
+occupybakersfield.tk, 1
+occupynightlife.com, 1
+occuspace.io, 1
+ocd2016.com, 1
+ocdadmin.com, 1
+ocdhub.co.za, 1
+ocealy.com, 1
+ocean-of-love.ml, 1
+ocean-sun.com, 1
+oceanaway.tk, 1
+oceanborn.ml, 1
+oceanborn.tk, 1
+oceanbreezehomes.com, 1
+oceancity.vin, 1
+oceancountynj.gov, 1
+oceancrew.org, 1
+oceandns.eu, 1
+oceandns.net, 1
+oceane.training, 1
+oceanearth.us, 1
+oceanfirst.com, 1
+oceaniahome.tk, 1
+oceaniaservergroup.com, 1
+oceanic.global, 1
+oceanings.com, 1
+oceanlogisticgroup.com, 1
+oceanlord.me, 1
+oceanofapk.com, 1
+oceanohost.com, 1
+oceanpark.vn, 1
+oceansedgecustompools.com, 1
+oceanshaman.cf, 1
+oceanshaman.ga, 1
+oceanshaman.gq, 1
+oceanshaman.ml, 1
+oceansidetour.tk, 1
+oceanspraymiami.com, 1
+oceanspringsarchives.net, 0
+oceansurplus.tk, 1
+oceanviewde.gov, 1
+oceanvisuals.com, 1
+ocenilla.ml, 1
+ocenilla.tk, 1
+ocenka-msfo.ru, 1
+ocenka-nedv.ml, 1
+ocenka.tk, 1
+ocennaswgoogle.pl, 1
+ocf.io, 1
+ocfelections.gov, 1
+ocg-card.com, 1
+ochaken.cf, 1
+ochatoosenbei.tk, 1
+ochemindessens.com, 1
+ochioneta.es, 1
+ochki-linzi.tk, 1
+ochobeatsmedia.net, 1
+ochotnicky.com, 1
+ochrepoint.com.au, 1
+ochsenfeld-design.de, 1
+ochsenfeld-fotografie.de, 1
+ochsenfeld.co, 1
+ochsundjunior.ch, 1
+ochsundjunior.swiss, 1
+ochutnejitalii.cz, 1
+ociaw.com, 1
+ocimumcdn.net, 1
+ockendenhemming.co.uk, 1
+oclausen.com, 1
+ocloudhost.com, 1
+oclube.online, 1
+ocmlng.com, 1
+ocmw.gent, 1
+ocmwgent.be, 1
+ocni-ambulance-most.cz, 1
+ocnjapartment.com, 1
+ocnjdaily.com, 1
+ocodo.ru, 1
+ocolere.ch, 1
+oconlakewi.gov, 1
+ocontocountywi.gov, 1
+ocotg.com, 1
+ocponj.gov, 1
+ocprintgraphics.gov, 1
+ocqueoctwpmi.gov, 1
+ocsamochodu.pl, 1
+ocsan.gov, 1
+ocsbl.at, 1
+ocsbl.blog, 1
+ocsbl.ch, 1
+ocsbl.cloud, 1
+ocsbl.co.uk, 1
+ocsbl.com, 1
+ocsbl.consulting, 1
+ocsbl.de, 1
+ocsbl.fr, 1
+ocsbl.group, 1
+ocsbl.info, 1
+ocsbl.link, 1
+ocsbl.media, 1
+ocsbl.net, 1
+ocsbl.network, 1
+ocsbl.nl, 1
+ocsbl.online, 1
+ocsbl.org, 1
+ocsbl.shop, 1
+ocsbl.social, 1
+ocsbl.tech, 1
+ocsbl.uk, 1
+ocsc.pro, 1
+ocsnet.com, 1
+octagon.institute, 1
+octal.es, 0
+octane.co, 1
+octane.net.au, 1
+octanio.com, 1
+octarine.cc, 1
+octarineparrot.com, 1
+octav-avocats.fr, 1
+octav.name, 1
+octavia.net, 1
+octaviorojas.tk, 1
+octaviosimon.com, 1
+octo.im, 1
+octobered.com, 0
+octocaptcha.com, 1
+octod.tk, 1
+octodex.ru, 1
+octoeverywhere.com, 1
+octofox.de, 1
+octohedralpvp.tk, 1
+octolopagon.games, 1
+octopoos.com, 1
+octopoos.org, 1
+octopub.tk, 1
+octopus-apps.be, 1
+octothorpe.club, 1
+octothorpe.ninja, 1
+octovpn.com, 1
+ocufekojip.ga, 1
+ocularsolution.com, 1
+oculta.ml, 1
+oculus.com, 1
+ocunclaimed.gov, 1
+ocuuc.org, 1
+ocvote.gov, 1
+ocwr.gov, 1
+ocydias.tk, 1
+odabilocal.com, 1
+odatakao.com, 1
+oday.org, 1
+odbierzspozywke.pl, 1
+odbtomsk.ru, 1
+odd17.org, 1
+oddfellowwellness.com, 1
+oddformrecords.tk, 1
+oddintely.com, 1
+oddity.tk, 1
+oddlama.org, 1
+oddmouse.com, 0
+oddmuse.org, 1
+oddnumber.ca, 1
+oddoo.net, 1
+oddsandevens.ca, 1
+oddsandevensbookkeeping.ca, 1
+oddscasino.top, 1
+oddsmoneyers.ga, 1
+oddsnet.com, 1
+oddsseeker.com, 1
+oddtime.net, 0
+oddtoes.com, 1
+ode.red, 0
+odedigitale.marketing, 1
+odegua.com, 1
+odejdamoda.tk, 1
+odeliabridal.com, 1
+odensc.com, 1
+odensc.me, 1
+odenvilleal.gov, 1
+odeonentertainment.co.uk, 1
+odesigning.com, 1
+odessalove.tk, 1
+odete.com.br, 1
+odezdaotto.tk, 1
+odhosc.ca, 1
+odiall.co, 1
+odiall.tk, 1
+odiamoselregeton.tk, 1
+odifi.com, 1
+odigitalmarketing.com.br, 1
+odij.nl, 1
+odijmond.nl, 1
+odinpl.com, 1
+odinraz.ga, 1
+odinseye.net, 1
+odinson.tk, 1
+odisealinux.com, 1
+odishainfo.tk, 1
+odishassc.in, 1
+odishatv.in, 1
+odisseo.io, 1
+odlicomul.ga, 1
+odnostranichnik.tk, 1
+odo-pro.ru, 1
+odo.online, 1
+odonata-editions.fr, 1
+odonti.com, 1
+odontoguia.co, 1
+odontologiawilliampizarro.com, 1
+odoo.co.th, 1
+odoppelto.de, 1
+odoranswers.com, 1
+odoru.ga, 1
+odorucinema.ga, 1
+odosblog.de, 1
+odpikedoslike.com, 1
+odsylvie.cz, 1
+odtu.lu, 1
+oducs.org, 1
+odvps.com, 0
+odxin.com, 1
+odysea.cat, 1
+odyso.org, 1
+odyssee-animation.tk, 1
+odyssey44.com, 1
+odysseyofthemind.eu, 1
+odzyskiwanie.biz, 1
+odzywianie.info.pl, 1
+oe-it.ru, 1
+oe.ink, 1
+oe0fcdncxjpdd05b.myfritz.net, 1
+oea.gov, 1
+oec-music.com, 0
+oecdpisaforschools.org, 1
+oecherrezepte.duckdns.org, 1
+oedeemboek.nl, 1
+oegd.at, 1
+oeh.ac.at, 1
+oeilpouroeilcreations.fr, 0
+oeko-bundesfreiwilligendienst-sh.de, 1
+oeko-bundesfreiwilligendienst.de, 1
+oeko-jahr-jubilaeum.de, 1
+oeko-jahr.de, 1
+oelbilder-oelmalerei.de, 1
+oelsner.net, 1
+oemdealsers.ga, 1
+oemparcacim.com, 1
+oemspace.net, 1
+oemwolf.com, 1
+oen.tw, 1
+oeno.link, 1
+oenolab-vidalies.com, 1
+oermen.com, 1
+oertle.tk, 1
+oessi.eu, 1
+oettig.de, 1
+oetzies-quiz.com, 0
+of-sound-mind.com, 1
+of2106.dnsalias.org, 1
+of2m.fr, 1
+ofa.org, 1
+ofallonil.gov, 1
+ofaqim.city, 1
+ofasoft.com, 1
+ofb.uz, 1
+ofcampuslausanne.ch, 0
+ofelia.tk, 1
+ofertasadsl.com, 1
+ofertastop.es, 1
+ofertino.es, 1
+ofertolino.fr, 1
+off-festival.pl, 1
+off-rabota.tk, 1
+off.net.mk, 1
+offbeat-music.com, 1
+offbeatbeats.com, 0
+offbeatbits.com, 0
+offbyinfinity.com, 1
+offcasesstore.com, 1
+offenekommune.de, 1
+offenes-deutschland.de, 1
+offensity.com, 1
+offentligsektormedmoln.se, 1
+offeo.com, 1
+offer-today.ml, 1
+offerhome.com, 1
+offermagnet.co, 0
+offermann-koeln.de, 1
+offers-daraghmehstores.com, 1
+offers.jp, 1
+offgamers.com, 1
+offgames.io, 1
+offgridauto.com, 1
+office, 1
+office-addins.com, 1
+office-aslabo.com, 1
+office-basilique.notaires.fr, 1
+office-de-tourisme.net, 0
+office-dolmetscher-scharnagl.de, 1
+office-furniture-direct.co.uk, 1
+office-house.tk, 1
+office-mizutani.jp, 1
+office-op.tk, 1
+office-ruru.com, 1
+office.urown.cloud, 1
+office2s.com, 1
+office365-apps.com, 1
+office365.us, 1
+officecode.co.uk, 1
+officedivvy.co, 1
+officedivvy.com, 1
+officedivvy.company, 1
+officeefficient.de, 1
+officeface.cf, 1
+officeforstudents.org.uk, 1
+officefundays.co.uk, 1
+officeguide.cz, 1
+officeinteriors.co.nz, 1
+officemaps.net, 1
+officemovepro.com, 1
+officepie.pro, 1
+officerjones.tk, 1
+officert.ga, 1
+official-sensitive.org, 1
+official.link, 1
+official.my, 1
+officialdubaidev.com, 1
+officialhazalturesan.tk, 1
+officialmc2.com, 1
+officialniledevelopments.com, 1
+officialpyramids.com, 1
+officialsunset.com, 1
+officialzzstore.com, 1
+officina.roma.it, 1
+officina.tk, 1
+officium.tech, 1
+offis.de, 0
+offlineauthentication.com, 1
+offpages.cf, 1
+offpages.gq, 1
+offpages.ml, 1
+offpageseopro.tk, 1
+offroadhoverboard.net, 1
+offshoot.rentals, 0
+offshoredaddy.com, 1
+offshoremoney.tk, 1
+offshoretravelsest.ga, 1
+offshorewfs.com, 1
+offshorewindwatchdog.com, 1
+offspringmexico.tk, 1
+offspringzero.tk, 1
+offtherails.ie, 1
+offtheshelf.com, 1
+offtopica.uk, 0
+offworld.com, 1
+ofggolf.com, 1
+oficinadanet.com.br, 1
+oficios.cl, 1
+oficoex.es, 1
+oficomercr.com, 0
+ofileo.fr, 1
+ofina.on.ca, 1
+ofis.tk, 1
+ofisas.cloud, 1
+ofisescort.ga, 1
+ofisescort.tk, 1
+ofkodasplace.nl, 1
+oflow.me, 0
+ofo.moe, 1
+ofo2.com, 0
+ofogh.co, 1
+oformi.net, 1
+oformit-zajm-kruglosutochno.ga, 1
+oformlaj.ga, 1
+ofpad.com, 1
+ofrion.lu, 1
+ofs-28.com, 1
+ofsetas.lt, 1
+oftamedic.com, 0
+oftn.org, 1
+ofuquemalitaestoy.tk, 1
+og-chemistry.ru, 1
+oga.fit, 0
+ogamerezine.tk, 1
+ogarkovo.ml, 1
+ogcloud.io, 1
+ogcurated.com, 1
+ogdensburgnj.gov, 1
+oge.ch, 0
+oge.gov, 1
+ogfarms.in, 1
+oggw.us, 1
+oggyp.com, 1
+ogilvy.com, 1
+ogis.gov, 1
+ogkw.de, 1
+oglebay.com, 1
+oglecountyil.gov, 1
+oglen.ca, 1
+oglesbyil.gov, 1
+oglix.com.br, 1
+ogmworld.tk, 1
+ognedoor.ru, 0
+ognemet.net, 1
+ognyan.tk, 1
+ogo-knigi.ml, 1
+ogogo-knigi.ml, 1
+ogolnotematyczny.pl, 1
+ogorod-money.tk, 1
+ogorodnik.guru, 1
+ogorodoved.info, 1
+ogot.org, 1
+ogoulems.com, 1
+ogrencimerkezi.org, 1
+ogrenciyurtlari.tk, 1
+ogretmenimsanat.com, 0
+ogui.de, 1
+ogunquit.gov, 1
+ogurishun.tk, 1
+ogurus.com, 1
+oguya.ch, 1
+ogyaa.jp, 0
+ogznet.com, 1
+oh-my-lash.nl, 1
+oh14.de, 0
+ohai.is, 1
+ohai.social, 1
+ohai.su, 1
+ohako-inc.jp, 1
+oharas.fr, 1
+ohartl.de, 1
+ohayosoro.me, 1
+ohbabybean.com, 1
+ohcanvas.com, 1
+ohchouette.com, 1
+ohcomassagechairs.com, 1
+oheila.com, 1
+ohentpay.com, 1
+ohglowup.nl, 1
+ohhappy.win, 1
+ohifonly.com, 0
+ohioag.gov, 1
+ohioago.gov, 1
+ohiobrewweek.com, 1
+ohiobusinesscentral.gov, 1
+ohioflockcote.com, 1
+ohiosos.gov, 1
+ohiostateparks.gov, 1
+ohiot21.gov, 1
+ohiotobacco21.gov, 1
+ohiowebtech.com, 1
+ohling.org, 1
+ohlmeier.com, 1
+ohm.sg, 1
+ohmanager.kr, 1
+ohmayonnaise.com, 1
+ohmy.ca, 1
+ohmydish.nl, 1
+ohmygeekettes.fr, 1
+ohmymalware.com, 1
+ohmyunix.com, 1
+ohne-name.de, 1
+ohnonotme.com, 0
+ohol.se, 1
+ohoreviews.com, 1
+ohrange-music.tk, 1
+ohreally.de, 1
+ohrus.mx, 1
+ohsohairy.co.uk, 1
+ohtoy.com, 1
+ohverynice.ml, 1
+ohwatch.co.za, 1
+ohydne.pl, 1
+ohyooo.com, 1
+ohype.ga, 1
+ohype.gq, 1
+oi-wiki.org, 1
+oiahe.org.uk, 1
+oiaposta.com, 1
+oidrava.tk, 1
+oiepoie.nl, 0
+oikontroloi.tk, 1
+oikosweb.com, 1
+oil-heaters.tk, 1
+oilfieldinjury.attorney, 1
+oilman.ml, 1
+oilpaintingsonly.com, 1
+oilsan.com, 1
+oilx.co.uk, 1
+oilyouneed.co.id, 1
+oimexico.tk, 1
+oinimod.com, 1
+oinky.ddns.net, 1
+oirealtor.com, 1
+oirnoir.gq, 1
+oirnoir.ml, 1
+ois.dk, 1
+oisabre.com, 1
+oisd.nl, 1
+oiseauxdesjardins.tk, 1
+oita-homes.com, 1
+oitaven.es, 1
+oiwe.info, 1
+ojapanesetea.ca, 1
+ojdip.net, 1
+ojee.nic.in, 1
+ojjdp.gov, 1
+ojk.ee, 0
+ojp.gov, 1
+ok-travel.tk, 1
+ok.ru, 1
+ok118.com, 1
+ok2a.org, 1
+ok3on.cz, 1
+okachimachi-naka-clinic.jp, 1
+okaidi.es, 1
+okaidi.fr, 1
+okaidi.ro, 1
+okaidi.si, 1
+okami-no-tochi.com, 1
+okanaybek.tk, 1
+okashi.me, 1
+okay.cf, 1
+okay.coffee, 1
+okayloser.com, 1
+okazoo.eu, 1
+okburrito.com, 1
+okcasino.ga, 1
+okchousebuyer.com, 1
+okeechobeecountyfl.gov, 1
+okeepixels.ru, 1
+okelections.gov, 1
+okemahok.gov, 1
+okeydeyim.com, 1
+okhanvatansever.tk, 1
+okhrana.agency, 1
+okib.ca, 1
+okiefrog.org, 1
+okinawa-mag.net, 1
+okinawa-seaside.com, 1
+okinawan-lyrics.com, 1
+okinext.com, 1
+okiram.net, 1
+okis.win, 1
+okkhor52.com, 1
+okkultemysterier.tk, 1
+okkur.community, 1
+okkur.dev, 1
+okkur.io, 1
+okkur.net, 1
+okkur.org, 1
+okkur.team, 1
+okkurlabs.com, 1
+oklahomaced3.gov, 1
+oklahomafibroids.com, 1
+oklahomamoversassociation.org, 1
+oklahomanotepro.com, 1
+oklahomasoftwaresolutions.com, 1
+oklahomaworkstogether.gov, 1
+okmaybe.ca, 1
+okmirror.net, 1
+okmulgeecounty.gov, 1
+okmx.cloud, 1
+okmx.de, 1
+okmzt.com, 1
+okna-tm.kz, 0
+okna-vek.com.ua, 1
+okna.ua, 1
+oknakz-astana.kz, 1
+oknavdom.tk, 1
+oknopvh.ml, 1
+okobojitech.com, 1
+okokorecepten.nl, 1
+okonto.com, 1
+okosg.kr, 1
+okotelecom.ml, 1
+okpo.tk, 1
+okqubit.net, 1
+okr.pub, 1
+okremarketing.com, 1
+okrodrigo.com, 1
+oksafe-t.org, 1
+oksanakazakova.tk, 1
+oksichemk.com, 1
+okskoleni.cz, 1
+oksystem.cz, 1
+oktava.tk, 1
+oktave.co, 1
+oktaybozaci.com, 1
+oktayincesuturizm.com, 1
+oktime.cz, 1
+oktober.tk, 1
+oktoplus.com.br, 1
+oktos.tk, 1
+oktour.ca, 1
+oktransportation.gov, 1
+okubo-shika.jp, 1
+okuguchihifuka-clinic.com, 1
+okukan.com.au, 1
+okulistiyoruz.tk, 1
+okurapictures.com, 1
+okusiassociates.com, 1
+okv.de, 1
+okviz.com, 1
+okwine.ua, 1
+okwu.cz, 1
+ola.finance, 1
+olacatlitter.com, 1
+olafnorge.de, 1
+olafvantol.nl, 1
+olafwalther.de, 1
+olamagri.com, 1
+olamgroup.com, 1
+olamiccutlery.com, 1
+olamisys.com, 1
+olamisys.email, 1
+olamisys.xyz, 1
+olaradio.tk, 1
+olasderisa.tk, 1
+olasouris.com, 0
+olastrafford.org, 1
+olatiferreira.com, 1
+olax.tk, 1
+olb.de, 1
+olbat.net, 1
+olcayanar.com, 1
+olcbrookhaven.org, 1
+old-computer-club.ml, 1
+old-times.ga, 1
+old-tomsk.tk, 1
+old-wheelers.tk, 1
+oldaine.tk, 1
+oldbkcom.tk, 1
+oldbones.tk, 1
+oldbrookinflatables.co.uk, 1
+oldbrookmarqueehire.co.uk, 1
+oldcars.tk, 1
+oldcastle.tk, 1
+oldcc.gov, 1
+oldcity.tk, 1
+oldcitysmokehouse.com, 1
+oldcold.co, 1
+olddisk.ml, 1
+olddragon.com.br, 1
+oldemilllandinghoa.com, 1
+oldenzaal.tk, 1
+older-racer.com, 1
+oldertarl.ddns.net, 1
+olderwomanpics.com, 1
+oldfarming.tk, 1
+oldfieldmusic.tk, 1
+oldfriends.tk, 1
+oldhouse.tk, 1
+oldhousetonewhome.net, 1
+oldiesmusicguide.tk, 1
+oldiesradio.tk, 1
+oldinnpub.tk, 1
+oldita.ru, 1
+oldliverpoolrailways.tk, 1
+oldonyosafaris.com, 1
+oldpc.com.ua, 1
+oldports.org, 1
+oldriver.tk, 1
+oldroadswhippets.tk, 1
+oldrun.is, 1
+oldrup.art, 1
+oldrup.dk, 1
+oldrup.net, 1
+oldscans.tk, 1
+oldschool-criminal.com, 1
+oldschool.wiki, 1
+oldshara.tk, 1
+oldskoolreviews.tk, 1
+oldspice.com, 1
+oldsql.tk, 1
+oldsticker.com, 1
+oldstmary.com, 1
+oldtacomamarine.com, 1
+oldtavern.tk, 1
+oldtimer.tk, 1
+oldtimerclub.tk, 1
+oldtimerparts.de, 0
+oldtimerreifen-moeller.de, 1
+oldtimers.tk, 1
+oldtimesecurity.tk, 1
+oldtowntownship-il.gov, 1
+oldtoystuff.com, 1
+oldvaliken.tk, 1
+oldvps.com, 0
+olea.pk, 1
+oleam.org, 1
+olecoin.io, 1
+oleg.loan, 1
+olegchursin.com, 0
+olegon.ru, 1
+oleksandr-petrusenko.com, 1
+oleksii.name, 0
+olemon.eu.org, 1
+olenergie.com, 1
+olenergie.fr, 1
+olenergies.com, 1
+olenergies.eu, 1
+olenergies.fr, 1
+olennolla.fi, 1
+olennolla.net, 1
+oleodecopayba.com.br, 1
+olepiraatti.fi, 1
+olerogas.xyz, 1
+oles-hundehaus.de, 1
+olesaradio.tk, 1
+olevoitalia.com, 1
+olffi.com, 1
+olfnewcastle.com, 1
+olfsecane.org, 1
+olgallery.tk, 1
+olgamalytcheva.com, 1
+olgamilosevic.edu.rs, 1
+olgapankova.art, 1
+olgaserebrennikova.tk, 1
+olgcc.net, 1
+olgui.net, 0
+olgun.eu, 1
+olhcparish.net, 1
+olibarcenas.es, 0
+olidetrim.com, 1
+oliebollenbakservice.nl, 1
+olifant.fr, 0
+oligenesi.it, 1
+olightstore.ro, 1
+olihar.com, 1
+olimpicmoradebre.tk, 1
+olimpikfit.com, 1
+olimpoao.tk, 1
+olinux.fr, 1
+oliode.tk, 1
+olisius.com, 1
+olitham.com, 1
+olive.my, 1
+oliveandcompany.com, 1
+olivedon.com, 1
+olivejs.com, 1
+oliveoil.bot, 1
+oliveoil.pro, 1
+oliveoilschool.org, 1
+oliveoilshop.com, 1
+oliveoiltest.com, 1
+oliveoiltimes.com, 1
+oliver-wenz.de, 1
+oliverclark.tk, 1
+oliverclausen.com, 1
+oliverdunk.com, 0
+olivereats.ca, 1
+oliverfaircliff.com, 1
+oliverflecke.me, 1
+oliverjoss.com, 1
+oliverlanguages.com, 1
+olivernaraki.com, 1
+oliverniebuhr.de, 1
+oliverspringer.eu, 1
+oliverswindles.com, 1
+oliverwenz.de, 1
+olives.my, 1
+olivetbgc.org, 1
+olivetchurch.org.uk, 0
+olivetownship-mi.gov, 1
+olivia.cf, 1
+olivialufkin.tk, 1
+olivier-giroud.tk, 1
+olivier-rochet.com, 1
+olivier-verbois.fr, 1
+olivierberardphotographe.com, 0
+oliviercreation.tk, 1
+olivierdurand.tk, 1
+olivierpieters.be, 1
+oliviervaillancourt.com, 1
+olivinehoney.com.au, 1
+olivlabs.com, 1
+oljyakatemia.fi, 1
+olk9mo.com, 1
+olkywade.com, 1
+ollerom.com, 1
+ollerom.nl, 1
+ollie.io, 1
+ollielloyd.tk, 1
+ollieowlsblog.com, 1
+ollies.cloud, 1
+ollies.cz, 1
+olliespage.com, 1
+olliespage.net, 1
+olliespage.uk, 1
+ollietoys.com, 1
+ollning.com, 1
+ollo.ga, 1
+olltechjob.com, 1
+olmari.fi, 1
+olmc-nutley.org, 1
+olmcjc.com, 1
+olmcnewark.com, 1
+olmecaaltos.com, 1
+olmet.pl, 1
+olmik.net, 1
+olmportal.com, 1
+olmsted.io, 1
+olmstedcounty.gov, 1
+olmstedtownshipohio.gov, 1
+oloadvid.tk, 1
+olofly.com, 1
+olofsson.cc, 1
+ololmke.org, 1
+olomercy.com, 1
+olopp.org, 1
+olphseaside.org, 1
+olqoa.org, 1
+olschurch.com, 1
+olsen-town.tk, 1
+olsenban.de, 1
+olshop.ai, 1
+olson25.org, 0
+olsonproperties.com, 1
+oluchiedmundmusic.com, 1
+oludeniz.tk, 1
+olustvere.edu.ee, 1
+olxa.tk, 1
+olxdir.tk, 1
+olydent.com, 0
+olyfed.com, 1
+olygazoo.com, 1
+olymp-arts.world, 1
+olympe-transport.fr, 1
+olymperfitness.com, 1
+olympia-blerick.tk, 1
+olympia-londerzeel.tk, 1
+olympiads.ca, 1
+olympiaduilawyers.com, 1
+olympiamanzanilla.tk, 1
+olympic-lodge.com, 1
+olympic-research.com, 1
+olympicfitness.com.mx, 1
+olympiclodge.com, 1
+olympiclodgebyayres.com, 1
+olymptrade.com, 1
+olympusx.co.za, 1
+om.yoga, 1
+oma-opa-enkel-urlaub.de, 0
+oma-opa-enkel.de, 0
+omaedu.ro, 1
+omag.gov, 1
+omaha.com, 1
+omaha.gov, 1
+omahachapterone.org, 1
+omahagutterandsiding.com, 1
+omaharoofpros.com, 1
+omahcoin.com, 1
+omal.info, 1
+omanair.com, 1
+omangrid.com, 1
+omanhr.cf, 1
+omanpost.om, 1
+omarans.com, 1
+omarflorist.com, 1
+omarh.net, 1
+omarhachach.com, 1
+omarhachach.net, 1
+omarhussien.tk, 1
+omarov.tk, 1
+omarpalos.com, 1
+omarsamarah.tk, 1
+omarsuniagamusic.ga, 1
+omart.org, 1
+omarzunic.com, 1
+omatoimi.fi, 1
+omatulevaisuus.fi, 1
+omaweetraad.nl, 1
+omaxe.tk, 1
+omayn.com, 1
+omb.gov, 1
+ombrazur.fr, 1
+ombregialle.it, 1
+omc-copiers.com, 1
+omedita.lt, 1
+omega-intranet.com, 1
+omegachess.tk, 1
+omegacode.pl, 1
+omegahosting.net, 1
+omegamc.ua, 1
+omegarazer.ca, 1
+omegathermoproducts.nl, 1
+omegleporn.to, 1
+omelectricnyc.com, 1
+omenprinting.com.au, 1
+omeopatiadinamica.it, 1
+omerdanismaz.com, 0
+omersalaj.com, 1
+omert.tk, 1
+omerta.tk, 1
+omertabeyond.com, 1
+omertabeyond.net, 1
+omestudios.tk, 1
+ometepeislandinfo.com, 1
+omexcables.com, 1
+omf.link, 1
+omfacialsurgery.com, 1
+omfmf.tk, 1
+omgbouncycastlehire.co.uk, 1
+omgit.works, 1
+omgpu.com, 1
+omgvaneyckwashere.be, 1
+omgvaneyckwashere.com, 1
+omgvaneyckwashere.eu, 1
+omgvaneyckwashere.gent, 1
+omhome.net, 1
+omicaorganics.com, 1
+omicawholesale.com, 1
+omicron3069.com, 1
+omid16b.com, 1
+omidfan.ir, 0
+omintmais.azurewebsites.net, 0
+omipicon.io, 1
+omira.pt, 1
+omitech.co.uk, 1
+omlpar.gov, 1
+ommam.com.br, 1
+ommcitalflex.com, 1
+omn.cc, 1
+omnama.it, 1
+omnel.ml, 1
+omngc.gov, 1
+omniaaerospace.com, 1
+omniaclubs.com, 1
+omniaintranet.com, 1
+omniaintranet.de, 1
+omniaintranet.dk, 1
+omniaintranet.se, 1
+omniarch.se, 0
+omniasl.com, 0
+omniatv.com, 1
+omniballot.us, 1
+omnibot.tv, 1
+omnicourt.jp, 1
+omnidiecasting.com, 1
+omnidigital.ae, 1
+omniflora.shop, 1
+omnifotoside.tk, 1
+omnifurgone.it, 1
+omniga.de, 0
+omnilert.net, 1
+omniscimus.net, 0
+omnisiens.se, 1
+omnisky.dk, 1
+omnissimmo.fr, 1
+omniteck.com, 1
+omnitrack.org, 1
+omnitrattore.it, 1
+omnits.pro, 1
+omny.info, 1
+omorashi.org, 1
+omoteura.com, 1
+omranic.com, 1
+omro-wi.gov, 1
+omroepbaarle.be, 1
+omroepvenray.nl, 1
+omronwellness.com, 1
+omshivalab.com, 1
+omsknews.tk, 1
+omskrock.com, 1
+omskweb.tk, 1
+omstars.com, 1
+omtcloud.jp, 1
+omundojornalismo.pt, 1
+omva.de, 1
+omveda.org, 1
+omxz8.com, 1
+on-air.today, 1
+on-find.com, 1
+on-networkers.cf, 1
+on-networkers.gq, 1
+on-networkers.ml, 1
+on-networkers.tk, 1
+on-running.com, 1
+on-state.com.ua, 1
+on-tandemdrive.com, 1
+on-tandemdrive.nl, 1
+on-targettrainingcourses.com, 1
+on-tech.co.uk, 1
+on-the-wave.com, 1
+on-tv.tk, 1
+on2it.net, 1
+on3.com, 1
+on3static.com, 1
+on5.co.id, 1
+on9.link, 1
+ona.io, 1
+onaboat.se, 1
+onaforums.com, 1
+onahonavi.com, 1
+onai.es, 1
+onair.ovh, 1
+onarto.com, 1
+onavstack.net, 1
+onbettertech.com, 1
+onbley.com.br, 1
+oncaagt.com, 1
+oncc.org, 1
+oncecocuklar.org.tr, 1
+oncemorearoundeternity.com, 1
+oncentive.io, 1
+onceuagain.tk, 1
+onceuponabow.org, 1
+onceuponachicken.com, 1
+onceuponarainbow.co.uk, 1
+oncf.asso.fr, 1
+onchclub.tk, 1
+onclouds.tech, 1
+oncore-eurofins.com, 1
+oncotarget.ru, 1
+ond-inc.com, 1
+ond-inc.jp, 1
+ondafc.es, 1
+ondajoven.tk, 1
+ondav.com, 1
+ondcp.gov, 1
+onde.xyz, 1
+ondeapostar.pt, 1
+ondemandassociate.com, 1
+onderka.com, 1
+onderwijscentrum.gent, 1
+onderwijscentrumgent.be, 1
+onderzoeksraad.nl, 1
+ondevamosjantar.com, 1
+ondiet.biz, 1
+ondoline.ch, 1
+ondoorgrond.tk, 1
+ondra05.cz, 1
+ondradoksy.com, 1
+ondrei.one, 1
+ondrej.org, 1
+ondrejhoralek.cz, 1
+ondrejsramek.cz, 1
+ondrejvasicek.cz, 1
+one-clue.com, 1
+one-cozmic.com, 1
+one-dot.de, 1
+one-host.ga, 1
+one-news.net, 0
+one-piece-fans.com, 1
+one-pixel.tk, 1
+one-resource.com, 1
+one-s.co.jp, 1
+one-tab.com, 1
+one24exp.com, 1
+one3oneapartments.com, 1
+one6688.com, 0
+oneaftac.gov, 1
+oneandfree.org.au, 1
+oneapi.io, 1
+oneartyminute.com, 1
+oneazcu.com, 0
+onebanc.ai, 1
+onebelo.tk, 1
+onebigcow.com, 1
+onebiz.tk, 1
+oneblinc.com, 1
+oneblock.fr, 1
+onebookstore.ml, 1
+onebreadcrumb.com, 1
+onebreadcrumb.com.au, 1
+onecarsource.com, 1
+onecharge.biz, 1
+onechoice.co.nz, 1
+onechronos.com, 1
+oneclick.accountant, 1
+oneclick2books.cf, 1
+oneclickbooks.gq, 1
+oneclickbooks.ml, 1
+oneclickjailbreak.com, 1
+oneclickmoney.cf, 1
+oneclickmoney.ml, 1
+oneclickmoney.tk, 1
+oneclub.ua, 1
+onedaygrandcanyonrafting.com, 1
+onedeal.com.ua, 1
+onedevonshireplace.co.uk, 1
+onediversified.com, 1
+onedoc.ch, 1
+onedot.nl, 1
+onedrive.com, 0
+onee3.org, 1
+oneearthsacredarts.com, 1
+oneem.tk, 1
+oneest.com, 1
+onefabday.com, 1
+onefamily.com, 1
+onefestivalplaza.com.au, 1
+onefestivaltower.au, 1
+onefestivaltower.com, 1
+onefestivaltower.com.au, 1
+onefile.tk, 1
+onefinitee.in, 1
+onefish.cc, 1
+onefocusapp.com, 1
+onefour.ga, 1
+onegeeks.org, 1
+onegroup.ua, 1
+onehealthbehaviors.org, 1
+oneheartbali.church, 0
+onehorizon.it, 1
+onehost.blue, 1
+onehost.kz, 0
+oneidacityny.gov, 1
+oneidacountywi.gov, 1
+oneindex.tk, 1
+oneiroi.co.uk, 1
+oneirosociety.tk, 1
+onekey.so, 1
+onekeycn.com, 1
+oneless.tk, 1
+onelifenutrition.co.uk, 1
+onelinkbpo.com, 1
+onemeter.com, 1
+onemindmedicinals.com, 1
+oneminute.io, 0
+onemix.me, 1
+onemodel.com.au, 1
+onemodel.us, 1
+onemonthcamera.tk, 1
+onemoonmedia.de, 1
+onenetcdn.com, 1
+onenetwork.com, 1
+onenetwork.io, 1
+oneoncology.com, 1
+oneone.moe, 1
+oneonemedia.tk, 1
+oneononeonone.de, 1
+oneononeonone.tv, 1
+onepeloton.ca, 1
+onepeloton.co.uk, 1
+onepeloton.com, 1
+onepersona.io, 1
+onepieceplayer.com, 1
+oneplaykh.com, 1
+onepluscamps.com, 0
+onepointsafeband.ca, 1
+onepointsafeband.com, 1
+onepointzero.com, 1
+onepotliving.com, 1
+oneprediction.com, 1
+onerivermedia.com, 1
+ones.buzz, 1
+onescience.tk, 1
+oneshotmediakc.com, 1
+oneso.win, 1
+onespan.com, 0
+onespiritinc.com, 1
+onesportslive.com, 1
+onestarclassics.com, 1
+onestasolar.com, 1
+onestepbooks.gq, 1
+onestepbooks.ml, 1
+onestopcastles.co.uk, 1
+onestopmedicalsupplies.com, 1
+onestopshop.ml, 1
+onestpasdesanges.fr, 1
+onet.co.jp, 1
+onetakeonehit.tk, 1
+onetap.com, 1
+onetcenter.org, 1
+onetcodeconnector.org, 1
+onetech.it, 1
+oneteg.com, 1
+onetestatatime.com, 1
+onetimegallery.com, 1
+onetly.com, 1
+onetonline.org, 1
+onetouchreveal.com, 1
+onetouchrevealplus.com, 1
+onetouchtour.com, 1
+onetown.gq, 1
+onetranslations.com.br, 1
+onetrust.com, 1
+onets.es, 1
+onetwentyseven001.com, 1
+onetwo-vermietung.de, 1
+onetwosweetatelier.com, 1
+oneupchocolatebars.com, 1
+oneurl.co, 1
+oneway.ga, 1
+oneweb.hu, 1
+onewebdesign.nl, 0
+onewebdev.info, 1
+onewhim.com, 1
+onewyo.gov, 1
+onex.bet, 1
+onezero24.net, 1
+onfaloc.tk, 1
+onfilm.tk, 1
+onfleet.com, 1
+onformative.net, 1
+ong.or.at, 1
+ongea.io, 1
+ongelukvandaag.nl, 1
+ongewenstretour.nl, 1
+ongiaenegogoa.com, 1
+onglobetrotter.com, 1
+ongoal.gr, 1
+onguardonline.gov, 1
+onhistory.co.uk, 1
+onhub1.com, 1
+oni.nl, 1
+onibolt.com, 1
+onice.ch, 1
+onicore.cf, 1
+onidesign.tk, 1
+onilacare.com, 1
+onimaodonto.com.br, 1
+oninpresento.ga, 1
+onionbot.ga, 1
+onionbot.me, 1
+onionflix.net, 1
+onionplay-network.stream, 1
+onionplay.co, 1
+onionplay.org, 1
+onionshare.org, 1
+onionsocial.com, 1
+onionyst.com, 1
+oniria.ch, 0
+oniriamultimedia.com, 1
+onirik-studio.com, 1
+oniuq.com, 1
+onix.eu.com, 1
+onixcco.com.br, 1
+onkfaktor.de, 1
+onkologiya.ga, 1
+onkyousa.com, 1
+onld.de, 1
+onlfait.ch, 0
+onlifehealth.com, 1
+online-audio-converter.com, 1
+online-bookmakers.ru, 1
+online-bouwmaterialen.nl, 1
+online-calculator.com, 1
+online-calculator.xyz, 1
+online-car-show.com, 1
+online-carhire.tk, 1
+online-casino.eu, 1
+online-clothing-store.tk, 1
+online-concepts.net, 1
+online-concepts.nl, 1
+online-consulting-corp.com, 1
+online-content.ru, 1
+online-diary.tk, 1
+online-divorce.co.za, 1
+online-eikaiwa-guide.com, 1
+online-english.tk, 1
+online-fix.me, 1
+online-health-insurance.com, 1
+online-heldin.de, 1
+online-jobs.cf, 1
+online-learning.bg, 1
+online-lernprogramme.de, 1
+online-mobile-phone-shop.tk, 1
+online-news-usa.tk, 1
+online-one-piece.com, 1
+online-pochta.ml, 1
+online-pr.at, 1
+online-series.ru, 1
+online-shop-equipment.tk, 1
+online-sql-editor.com, 1
+online-stopwatch.com, 1
+online-store-phones.tk, 1
+online-taxes.tk, 1
+online-tesis.com, 1
+online-textil.com, 1
+online-textil.cz, 1
+online-textil.sk, 1
+online-umwandeln.de, 1
+online-video-cutter.com, 1
+online-voice-recorder.com, 1
+online-wedding.site, 1
+online-wholesalers.com, 1
+online-xxxmovies.com, 1
+online.forum, 1
+online.marketing, 1
+online.net.gr, 1
+online.swedbank.se, 1
+online24.pt, 1
+online365.ga, 1
+onlineairlinesbooking.com, 1
+onlinebewerbungsserver.de, 1
+onlinebiller.com, 1
+onlinebillingform.com, 1
+onlinebookmarks.tk, 1
+onlinebrides.tk, 1
+onlinebs.tk, 1
+onlinebupropion.gq, 1
+onlinebusiness.law, 1
+onlinecannabiseducation.com, 1
+onlinecarstyling.nl, 1
+onlinecasinoerdk.com, 1
+onlinecasinoknowhow.com, 1
+onlinecasinokoning.com, 1
+onlinecasinos.vlaanderen, 1
+onlinecasinoselite.org, 1
+onlinecasinosportugal.pt, 1
+onlinecasinotrend.nl, 1
+onlinechallenge.nl, 1
+onlinecollegeessay.com, 1
+onlinecosmeticsstore.tk, 1
+onlinecounselingprograms.com, 1
+onlinecrafts.tk, 1
+onlinedapoxetina.gq, 1
+onlinedivorce.com, 1
+onlinedivorce.lawyer, 1
+onlinedoctors24.com, 1
+onlinefabricstore.com, 1
+onlinefashion.it, 1
+onlinefloridadivorce.com, 0
+onlinefurniture.us, 1
+onlinegallery.cf, 1
+onlinegames4free.tk, 1
+onlinegamesforgirls.tk, 1
+onlinegeeks.ru, 1
+onlineglassesreview.com, 1
+onlinehartha.com, 1
+onlinehashfollow.com, 1
+onlinehsa.com, 1
+onlinehypermarket.ru, 1
+onlineinfo.freesite.host, 1
+onlineinfographic.com, 1
+onlineinsurancetips.ga, 1
+onlinejobs.ga, 1
+onlinekansspel.cf, 1
+onlinekansspel.tk, 1
+onlinekasino.de, 1
+onlinekmc.com, 1
+onlineknighki.ga, 1
+onlinekocunuz.com, 1
+onlinekreditmitsofortzusage.com, 1
+onlinelegalmarketing.com, 1
+onlinelegalmedia.com, 1
+onlineloansnocreditcheck.tk, 1
+onlinemag24.com, 0
+onlinemagento.com, 1
+onlinemarketfinds.cf, 1
+onlinemarketingmuscle.com, 1
+onlinemarketingtraining.co.uk, 1
+onlinembapage.com, 1
+onlinemediamasters.com, 1
+onlinemedicalassistantprograms.net, 1
+onlinemphdegree.net, 1
+onlinemswprograms.com, 1
+onlinenewspaperclassifieds.com, 1
+onlineordersnow.com, 1
+onlineorto.com, 1
+onlinepay.tk, 1
+onlinepaydayloans365.tk, 1
+onlineplay.ml, 1
+onlinepokies.me, 1
+onlineporno.cc, 1
+onlineprogrammingbooks.com, 1
+onlinepsychologydegrees.com, 1
+onlineradio.com.pl, 1
+onlineradio.pp.ua, 1
+onlineradiobr.com, 1
+onlineradious.com, 1
+onlinescams.uk, 1
+onlineschipaanpak.nl, 1
+onlinesearningstips.ga, 1
+onlinesellingexperiment.com, 1
+onlineseminar.com, 1
+onlineseminar.es, 1
+onlineseminar.nl, 1
+onlineservisprogrami.com, 1
+onlineshop-helgoland.de, 1
+onlineshopsatkhira.tk, 1
+onlinesitereviews.com, 1
+onlinesorusor.cf, 1
+onlinespielcasino.de, 1
+onlinesports.cf, 1
+onlinesports.tk, 1
+onlinestatic.net, 0
+onlinestoresite.com.au, 1
+onlinesudoku.tk, 1
+onlinesurveys.ac.uk, 1
+onlinesystem.jp, 1
+onlinetadacip.gq, 1
+onlinetextil.cz, 1
+onlineth.com, 1
+onlinetntj.com, 1
+onlinevardenafil.gq, 1
+onlineveilingmeester.nl, 1
+onlineverdict.com, 1
+onlineverdienen.tk, 1
+onlinevergidanismani.com, 1
+onlineviewers.tk, 1
+onlinevisa.ru, 1
+onlinevoting.tk, 1
+onlinewallpapers.tk, 1
+onlineweblearning.com, 1
+onlineworkshops.tk, 1
+onlinewot.ru, 1
+onlinews.ml, 1
+onlinexl.nl, 1
+onlineyearbook.tk, 1
+onlineyos.ru, 1
+onlinezaim.ml, 1
+only.bible, 1
+only.lc, 1
+only3x.com, 1
+only4free.tk, 1
+onlybestporn.com, 1
+onlybooks.gq, 1
+onlycrumbsremain.com, 1
+onlyesb.net, 1
+onlyfans.com, 1
+onlyfans.love, 1
+onlyfitgear.com, 1
+onlyincentivesest.ga, 1
+onlyjedis.com, 1
+onlyjesus.net, 1
+onlylithiumhere.gq, 1
+onlylovastatin.gq, 1
+onlymammoths.com, 1
+onlymyenglish.com, 1
+onlysergio.com, 1
+onlysmoker.com, 1
+onlystars.news, 1
+onlystay.ga, 1
+onlyu.eu, 1
+onlyveg.tk, 1
+onlyvintagewatches.com, 1
+onmaps.de, 1
+onmaru.com, 1
+onmyside.com, 1
+onnatuurlijk.tk, 1
+onnee.ch, 1
+onodera.com.br, 1
+onoelixir.gr, 1
+onohawaiianbbq.com, 1
+onondaga.gov, 1
+ononoki.org, 1
+onoranze-funebri.biz, 1
+onore.org, 1
+onospancakehouse.com, 1
+onoticiado.com.br, 1
+onourwifi.com, 0
+onoweb.be, 1
+onpatient.com, 1
+onpaws.com, 1
+onpay.io, 1
+onpermit.net, 1
+onpointinsights.us, 0
+onpointplugins.com, 1
+onpopup.ga, 1
+onporn.fun, 1
+onrampwallet.com, 1
+onrealt.ru, 0
+onrr.gov, 1
+onsemediagroup.ml, 1
+onsenlaichelesdoigts.be, 1
+onsetupdates.com, 1
+onsinscrit.com, 1
+onsite4u.de, 1
+onsitespeedometer.com, 1
+onslaughtstreetboarding.tk, 1
+onslowsheriffnc.gov, 1
+onsoppad.nl, 1
+onspring.com, 1
+onstat.tk, 1
+onsudoku.com, 1
+onsweb.nl, 1
+ontargetsystem.ru, 1
+ontariocat.com, 1
+ontariocountyny.gov, 1
+ontariodog.com, 1
+ontariohearing.com, 1
+ontarioplace.com, 1
+ontariopropertybuyers.com, 1
+ontariostorage.com, 1
+ontdekhetzelf.nu, 1
+ontestpad.com, 1
+onthe.network, 1
+ontheballbuilding.com.au, 1
+onthecheap.store, 0
+onthegosystems.com, 1
+onthesocials.com.au, 1
+ontheten.org, 1
+onthewaypodcast.com, 1
+ontogenese.net, 1
+ontopoflove.nl, 1
+ontourmarketing.at, 1
+ontrio.cz, 1
+ontrip.dk, 1
+ontrip.kr, 1
+ontsnappingskamer.nl, 1
+ontwerpdenkers.nl, 0
+onul.works, 1
+onurdemirezen.com, 1
+onurer.net, 1
+onurerhan.com, 1
+onurozden.com.tr, 1
+onuruzunonline.com, 1
+onvey.io, 1
+onvisit.net, 1
+onvori.com, 1
+onvori.de, 1
+onvousment.fr, 1
+onwie.com, 1
+onwie.fr, 1
+onwing.ai, 1
+onx.dk, 1
+onysix.de, 1
+onysix.net, 1
+onyx-groups.com, 1
+onyxcts.com, 1
+onyxeg.estate, 1
+onyxfic.cc, 1
+onyxgen.duckdns.org, 1
+onzelievevrouw-veldegem.tk, 1
+onzerelaties.net, 1
+oo5197.co, 1
+oo6729.co, 1
+oo6729.com, 1
+oo6957.co, 1
+oo9297.co, 1
+oo9728.co, 1
+oodlessoftplay.co.uk, 1
+ooeste.com, 0
+oofishing.ru, 1
+oog-osaka.jp, 1
+oogami.name, 1
+oogartsennet.nl, 1
+oogent.be, 1
+ooharttemplates.com, 1
+ooii.net, 1
+oomepu.com, 1
+oomnitza.com, 1
+oomph-delikatessen.tk, 1
+oomuj.info, 1
+oonne.com, 1
+ooo-santal.ml, 1
+ooo.xxx, 1
+oooaltera.ru, 1
+oooh.events, 1
+ooonja.de, 1
+oooo.loan, 1
+ooooo.cz, 1
+ooove.ru, 1
+oopsis.com, 1
+oopure.com, 1
+oorbellen.nl, 1
+oortcast.com, 1
+oositk.tk, 1
+oosm.org, 1
+oosolutions.nl, 1
+oostendevooranker.be, 0
+oot.rs, 1
+op11.co.uk, 0
+op3racional.eu, 1
+opacity.au, 1
+opaco.tk, 1
+opadaily.com, 1
+opale-concept.com, 1
+opalesurfcasting.net, 1
+opalhunter.at, 1
+opalternative.tk, 1
+opap.jp, 1
+oparamo.tk, 1
+oparceirao.com.br, 1
+oparideal.com.br, 1
+oparl.org, 1
+opatowice.tk, 1
+opatut.de, 0
+opbedbugcanines.com, 1
+opcenter.de, 1
+opcionpublicitaria.com, 1
+opcod3.io, 1
+opcoes.net.br, 1
+opd.co.nz, 1
+opdera.org, 1
+opdi.aero, 1
+ope.ee, 1
+opel-focken.de, 1
+opelim.net, 1
+open-ai-chatgpt.ru, 1
+open-banking-access.uk, 1
+open-bs.com, 1
+open-bs.ru, 1
+open-ctp.com, 1
+open-ctp.net, 1
+open-ctp.org, 1
+open-data-apps.org, 1
+open-desk.org, 1
+open-domotics.info, 0
+open-fixture-library.org, 1
+open-future.info, 1
+open-gaming.net, 1
+open-greenenergy.com, 1
+open-infrastructure.net, 1
+open-letters.de, 1
+open-mesh.org, 1
+open-novel.work, 1
+open-procurement.com, 1
+open-sauce-recipes.co.uk, 1
+open-source.gr, 1
+open-to-repair.fr, 0
+open-trip.id, 1
+open-work.space, 1
+open-xchange.com, 1
+open.film, 1
+open.my.id, 1
+open.ru, 1
+openacte.ch, 0
+openaedmap.org, 1
+openagenda.com, 1
+openai.com, 1
+openai.community, 1
+openai.sb, 0
+openalt.org, 1
+openaq-staging.org, 1
+openarch.nl, 1
+openarchivaris.nl, 1
+openbayes.network, 1
+openbayesstatus.com, 1
+openbeecloud.com, 1
+openbet.it, 1
+openbible.com.au, 1
+openbiblebookstore.com.au, 1
+openbleam.com, 1
+openblox.org, 1
+openbriefing.org, 1
+openbsd.cz, 1
+openbsdhosting.com, 1
+openbusiness.tk, 1
+opencache.uk, 1
+opencagedata.com, 1
+opencartbot.com, 1
+opencartspecialist.com, 1
+openchronicles.net, 1
+opencircuit.nl, 1
+opencity.spb.ru, 1
+openclima.com, 1
+openclub24.ru, 1
+openconf.uk, 1
+openconnect.com.au, 1
+opencpes.com, 0
+opencpes.info, 1
+opencpes.io, 1
+opencpes.net, 1
+opencpes.org, 1
+opencrm.co.uk, 1
+openctp.com, 1
+openctp.net, 1
+openctp.org, 1
+opendata.cz, 1
+opendataincubator.eu, 1
+opendesk.cc, 0
+opendisdata.nl, 1
+opendolls.com, 1
+opendsp.ru, 1
+openendpoint.tools, 1
+openevic.info, 1
+openexec.com, 1
+openexec.net, 1
+openfin.co, 1
+openfir.st, 0
+openfitapi-falke.azurewebsites.net, 1
+openfpcdn.io, 1
+openfuture.digital, 1
+opengameart.org, 1
+opengovpartnership.de, 1
+openhandhelds.org, 1
+openhistory.de, 1
+openid.net.br, 1
+openinframap.org, 1
+openinsieme.com, 1
+openintel.com.br, 1
+openintl.com, 1
+openjsf.org, 1
+openjur.de, 1
+openkat.nl, 1
+openkim.org, 1
+openkvk.nl, 1
+openlink.com, 1
+openlitecache.com, 1
+openmail.ml, 1
+openmandriva.org, 1
+openmarkets.com.au, 0
+openmarkets.group, 0
+openmind.ga, 1
+openmindsec.com, 1
+openmindsec.de, 1
+openmined.org, 0
+openmirrors.cf, 1
+openmirrors.ml, 1
+openmtbmap.org, 1
+opennippon.com, 1
+opennippon.ru, 1
+openpictures.ch, 1
+openpowerfoundation.org, 1
+openproject.com, 1
+openproton.cf, 1
+openprovider.nl, 0
+openqnx.com, 1
+openquery.com.au, 1
+openrainbow.ae, 1
+openrainbow.com, 1
+openrainbow.health, 1
+openrainbow.net, 1
+openrainbow.org, 1
+openre.site, 1
+openrealestate.co, 1
+openreel.com, 0
+openremote.io, 1
+openresearch.amsterdam, 1
+openreview.net, 1
+openroademail.com, 1
+openrtm.org, 1
+openruhr.de, 1
+openscience.ml, 1
+opensecurity.in, 1
+opensecurity.pl, 1
+opensim.tk, 1
+openslava.tk, 1
+opensocial.at, 1
+opensocietyuniversitynetwork.org, 1
+opensource-cms.nl, 1
+opensource-training.de, 1
+opensource.fund, 1
+opensourcecombat.com, 1
+opensourcesoftware.rocks, 1
+opensourcesurvey.org, 1
+opensourcex.tk, 1
+openspot.tk, 1
+opensquares.org, 1
+opensrc.one, 1
+openssl.org, 0
+openstandia.jp, 1
+openstem.com.au, 1
+openstreetmap.is, 1
+openstreetmap.org, 1
+opentable.com, 1
+opentable.com.au, 1
+opentenders.tech, 1
+opentrack.info, 1
+opentrader.com.au, 0
+opentrash.org, 1
+openverse.com, 0
+openvision.tk, 1
+openvz.org, 1
+openwaveguide.de, 1
+openwebstandard.org, 1
+openwifi.gr, 1
+openwrt-dist.tk, 1
+openxcom.org, 1
+openyoga.nl, 1
+opera.im, 1
+operacdn.com, 1
+operacionlimpieza.com, 1
+operad.fr, 1
+operadotejo.org, 1
+operahedeland.dk, 1
+operanavigation.ro, 1
+operatic.gq, 1
+operationhomefront.org, 1
+operationkiwi.work, 1
+operationlifeline.ca, 1
+operationlifeline.org, 1
+operationturkey.tk, 1
+operationwarm.org, 1
+operator.tk, 1
+operatoresanitario.it, 1
+operaunica.tk, 1
+operd.gob.do, 1
+opexterminating.com, 1
+opfin.com, 1
+opforintel.com, 1
+opgani7.info, 1
+ophelia.ink, 0
+ophepartners.org, 1
+ophidian.tk, 1
+ophthalmologynotes.tk, 1
+opiates.ca, 1
+opic.gov, 1
+opid.my.id, 1
+opieoils.co.uk, 1
+opil.no, 1
+opimo3d.com.br, 1
+opin.me, 1
+opinie.pl, 1
+opinio.fr, 1
+opinionipannolini.it, 1
+opinioniprodotto.it, 1
+opinionitech.com, 1
+opinionmodel.it, 1
+opiniterupdate.com, 1
+opioidaffectedyouth.org, 1
+opioids.co.uk, 1
+opioids.com, 1
+opioids.gov, 1
+opioids.uk, 1
+opioids.wiki, 1
+opioneers.ga, 1
+opioneers.tk, 1
+opiskelijaradio.com, 1
+opiskelijaradio.fi, 1
+opisrael.tk, 1
+opito.com, 1
+opium.io, 0
+opix.fr, 1
+opl.bz, 1
+oplane.io, 1
+oplata-mvd.ga, 1
+oplata-vklike.tk, 1
+oplata.uz, 1
+oplop.appspot.com, 1
+opm.gov, 1
+opmaakonderscheidingen.nl, 1
+opnx.dk, 1
+opoderdaenergiafeminina.com.br, 1
+opomec.com, 1
+opop.cz, 1
+opopulechki.tk, 1
+oportunidadeganhos.tk, 1
+oportunidadinfinita.tk, 1
+opos.cf, 1
+oposicionescastillayleon.com, 1
+oposicionescorreos.es, 1
+oposicionesprofesores.tk, 1
+opp.moe, 1
+oppa888.com, 1
+oppa888.net, 1
+oppabet.com, 1
+oppada.com, 1
+oppejoud.ee, 1
+oppekepe.org, 0
+opploans.com, 1
+opportunity.de, 1
+opportunityfund.eu, 0
+opportunityliu.top, 1
+opportunitylouisiana.gov, 1
+opposer.me, 1
+oppositehq.com, 0
+oppositionsecurity.com, 1
+oppoweb.ml, 1
+oppress.life, 1
+oppressed.news, 1
+oppstartslos.no, 1
+oppwa.com, 1
+opq.pw, 1
+opraab.ga, 1
+opraser.cz, 1
+oprbox.com, 1
+oprekin.com, 1
+opreturn.org, 1
+opritten-en-terrassen.be, 1
+opritverklikker.nl, 1
+opromox.com, 1
+oprueba.com, 1
+opruimenwerkt.nl, 1
+opryshok.com, 1
+ops.ai, 1
+ops.com.pl, 1
+opsbase.com, 1
+opsecx.com, 1
+opskins.tk, 1
+opskiwi.work, 1
+opsmate.com, 0
+opsnotepad.com, 1
+opso.gov, 1
+opspedia.id, 1
+opstory.com, 1
+opstrengning.tk, 1
+opswill.com, 1
+opsystems.bg, 1
+opta-tv.com, 1
+opteam.pl, 1
+opteamax.de, 1
+opteamax.eu, 1
+optenhoefel.de, 1
+optgo.com.ua, 1
+opti-net.at, 1
+opti-net.solutions, 1
+optic-street.ru, 1
+optical-faking.tk, 1
+opticalprescriptionlab.com, 1
+opticaltest.com, 1
+opticamasvision.com, 1
+opticasocialvision.com, 1
+opticianedu.org, 1
+opticiansri.org, 1
+opticoolheadgear.com, 1
+opticsexplorer.com, 1
+opticstore.com.ua, 1
+optiekzien.nl, 0
+optifleet-evol.net, 1
+optifury.com, 1
+optigazelle.com, 1
+optigear.nl, 1
+optik-sehstern.de, 1
+optik-tamara.de, 1
+optik-trosdorff.de, 1
+optikflow.com, 1
+optikoscolombia.com, 1
+optilan.tk, 1
+optimakers.pl, 1
+optimale.co.uk, 1
+optimall.tk, 1
+optimalrehab.se, 1
+optimalruby.com, 1
+optimaner.pl, 1
+optimed.tk, 1
+optimised.cloud, 1
+optimised.io, 1
+optimisedlabs.co.uk, 1
+optimisedlabs.info, 1
+optimisedlabs.net, 1
+optimisedlabs.uk, 1
+optimist.bg, 1
+optimization-online.org, 1
+optimizationanalyticsest.ga, 1
+optimize-jpg.com, 1
+optimizedlabs.co.uk, 1
+optimizedlabs.info, 1
+optimizedlabs.net, 1
+optimizedlabs.uk, 1
+optimom.ca, 1
+optimon.io, 1
+optimumfmw.com, 1
+optimummanagement.net, 1
+optimummarinemanagement.net, 1
+optimummenhealth.com, 1
+optimumpacific.net, 1
+optimumship.net, 1
+optimumvikingsatcom.com, 1
+optimumwebdesigns.com, 1
+optimus.io, 1
+optimuscrime.net, 1
+optimuslearningschool.com, 1
+optimust.fi, 1
+options-today.com, 1
+optionsfund.cn, 1
+optionskredit.ag, 1
+optionskredit.biz, 1
+optionskredit.com, 1
+optionskredit.eu, 1
+optionskredit.info, 1
+optionskredit.net, 1
+optionskredit.org, 1
+optionsloop.com, 1
+optique-morice.com, 1
+optirank.co, 1
+optisell.ga, 1
+optmos.at, 1
+optogenics.com, 1
+optolamp.com.br, 1
+optomaeurope.com, 0
+optome.com, 1
+optoms.tk, 1
+optoutday.de, 1
+optoutpod.com, 1
+optru.eu.org, 1
+opture.ch, 1
+optykgill.pl, 1
+optymyze.com, 1
+opus-codium.fr, 1
+opus-labs.fr, 1
+opus-nail.com, 1
+opusdei.org, 1
+opuspremiumfilms.com, 1
+opussystems.com.au, 1
+opvakantie-noorwegen.nl, 1
+opvakantie-zweden.nl, 1
+opvoedingswinkelgent.be, 1
+opwaarts.tk, 1
+opwekking.tk, 1
+opzich.nl, 1
+oqevapimivud.tk, 1
+oqkd.eu, 1
+oqpo.ru, 1
+oqrqtn7ynmgc7qrgwd-ubhdvfiymfbjrh5ethdti8.com, 0
+oquedizabiblia.com.br, 1
+oqwebdesign.com, 1
+orablanket.co.nz, 1
+oracle-support.nl, 1
+oracleclown.com, 1
+oracolo.tk, 1
+oraculos.pt, 1
+oraculosiono.net, 0
+oraklinika.tk, 1
+oralb.com, 1
+oraldigital.com.br, 1
+oralemiraza.com, 1
+oralight.ml, 1
+orang-utans.com, 1
+orange.md, 1
+orangeacademy.cz, 1
+orangeappalam.com, 1
+orangecityfl.gov, 1
+orangecookie.com, 1
+orangefinanse.com.pl, 1
+orangehome.ga, 1
+orangejetpack.com, 1
+orangekey.tk, 1
+orangelandgaming.com, 1
+orangenj.gov, 1
+orangenuts.in, 1
+orangepages.ga, 1
+orangerock.tk, 1
+orangeshop.ee, 1
+orangesquash.org.uk, 0
+orangesquirrelevents.co.uk, 1
+orangetexas.gov, 1
+orangetown.com, 1
+orangtua.tk, 1
+oranjee.net, 0
+oranjerie.tk, 1
+orano.vn, 1
+oranous.tk, 1
+oranweb.tk, 1
+oraz.tk, 1
+orazen.it, 1
+orbassano5aele2021.tk, 1
+orbesurgeons.com.au, 1
+orbik.com, 1
+orbit.aero, 1
+orbit.church, 1
+orbita.zp.ua, 1
+orbitabaja.com, 1
+orbitaclub.cf, 1
+orbital3.com, 1
+orbitalcommerce.com.br, 0
+orbitcleaning.com.au, 1
+orbitdefence.co.uk, 1
+orbitfoods.ca, 1
+orbitforum.ga, 1
+orbitgoods.ca, 1
+orbitpro.co, 1
+orbitrock.xyz, 1
+orbits.ga, 1
+orbitum.fr, 1
+orbitum.space, 1
+orbu.net, 1
+orbussoftware.com, 0
+orcada.co, 1
+orcahq.com, 1
+orcamais.com.br, 1
+orcamarine.tk, 1
+orcas.tk, 1
+orcawiki.nl, 1
+orchardnh.org, 1
+orchestra-ppm.io, 1
+orchestra.tk, 1
+orchidcare.co.id, 1
+orchidee-mariage.com, 0
+orchidee-massage.tk, 1
+orchideemilano.it, 1
+orchidhousehotels.com, 1
+orchidinsurance.com, 1
+orchidlive.com, 1
+orchidplantscare.com, 1
+orchids.ua, 1
+orchidsforum.com, 1
+orcomsilver.tk, 1
+orcsnet.com, 1
+ord-airportparking.com, 1
+ordastoikennel.tk, 1
+ordbokpro.se, 1
+ordenmutantes.tk, 1
+order-a-laura.de, 1
+order-ftw.de, 1
+order-tools.io, 1
+order.catering, 1
+order.online, 1
+ordercipro.gq, 1
+orderdiflucan.ga, 1
+ordereze.com, 1
+ordermygear.com, 1
+ordernerd.com, 1
+orderomnicef.gq, 1
+orderpizza.tk, 1
+orderseason.digital, 1
+orderteethest.ga, 1
+ordervaltrexonlines.ga, 1
+ordevanoranjenassau.nl, 1
+ordfejd.se, 1
+ordilo.org, 1
+ordina.tk, 1
+ordinals.com, 1
+ordner.tk, 1
+ordoro.com, 1
+ordr.net, 1
+ordr.no, 1
+ordremk.fr, 1
+orduhaberleri.tk, 1
+ore.cool, 1
+oreber.com, 1
+oref-idf.com, 0
+oref-idf.net, 0
+oref-idf.org, 0
+orefice.roma.it, 1
+oregon2020census.gov, 1
+oregonatv.gov, 1
+oregoncoop.gov, 1
+oregonenergysaver.com, 1
+oregonmenshealth.com, 1
+oregonpasturenetwork.org, 1
+oregonstudentaid.gov, 1
+orel-city.ml, 1
+orel-sait.tk, 1
+orel.ga, 1
+orel.se, 1
+orelblog.tk, 1
+orelferm.ru, 1
+orelnet.tk, 1
+orem.gov, 1
+orenburg-life.tk, 1
+orendamebliv.com.ua, 1
+orendatattoo.bg, 1
+orenohatake.com, 1
+orensport.tk, 1
+oreo.rocks, 1
+oreomuhely.hu, 1
+oresama.studio, 1
+oreshinya.xyz, 1
+oreskylaw.com, 1
+orestadit.dk, 1
+oreto.de, 0
+orevan.net, 1
+orevan.org, 1
+orf-digitalsatkarte.at, 0
+orf-kartentausch.at, 0
+orfelios.com, 1
+orfeo-engineering.ch, 1
+orfininumeister.it, 1
+orfordvillewi.gov, 1
+org-css.tk, 1
+organaqsis.com, 1
+organdonor.gov, 1
+organic.pk, 1
+organicae.com, 1
+organicappraisalers.ga, 1
+organicaromas.com, 1
+organicindiausa.com, 1
+organicmachinery.net, 1
+organicossuliani.com.br, 1
+organicpoint.in, 1
+organicrootsfestival.tk, 1
+organicsearcher.com, 1
+organictanningest.ga, 1
+organisatieteam.nl, 1
+organisation-mariage.net, 1
+organizacasa.com.br, 1
+organizalpha.com, 1
+organizasyon.tk, 1
+organization-of-holidays.tk, 1
+organizedrhyme.tk, 1
+orgasmium.com, 1
+orged.de, 1
+orgoniteindonesia.com, 1
+orgsyn.in, 1
+orgtech.ga, 1
+orgyporngroup.com, 1
+orians.eu, 1
+oriatasi.tk, 1
+oribia.net, 1
+oricejoc.com, 0
+orido.org, 1
+oriental-events.net, 1
+orientalart.nl, 1
+orientalcollege.tk, 1
+orientalcuisine.tk, 1
+orientalgadgets.tk, 1
+orientaltrends.com.br, 1
+orientate.com.mx, 1
+orientir.tk, 1
+oriflamesamara.tk, 1
+oriflameszepsegkozpont.hu, 1
+orifonline.ro, 0
+origami.to, 1
+origamiii.me, 1
+origamiking.wiki, 1
+origemtemperos.com.br, 1
+origenarts.com, 1
+origent.com, 1
+originahl-scripts.com, 1
+original-christstollen.com, 1
+original-christstollen.de, 1
+originalabsinthe.com, 1
+originalbee.co.uk, 1
+originalblackfilms.ga, 1
+originalescaro.tk, 1
+originalmusicstream.tk, 1
+originalniknihy.cz, 0
+originalpharmacygrup.ml, 1
+originalreading.com, 1
+originalseconds.com, 0
+originaltee.uk, 1
+origingames.tk, 1
+originpc.com, 0
+origins-webdesign.fr, 1
+origintlsflexible.com, 1
+origintlsfull.com, 1
+origintlsstrict.com, 1
+origintunes.tk, 1
+orikos.tk, 1
+orikum.org, 0
+orilliacdc.com, 1
+orilon.fr, 1
+orimex-mebel.ru, 1
+orimono.ga, 1
+oriocdn.com, 1
+orion-rentals.tk, 1
+orion-universe.com, 1
+orioneclipse.com, 1
+orionelement.com, 1
+orionfcu.com, 1
+orionfinancialservices.com, 1
+oriongames.eu, 1
+orionlab.com.br, 1
+orionrisk.com, 1
+oris.edu.ee, 1
+oriveda.ch, 1
+oriveda.co.uk, 1
+oriveda.com, 1
+oriveda.nl, 1
+oriya-hrs.com, 1
+orizarja.tk, 1
+orkaev.cf, 1
+orkestar-krizevci.hr, 1
+orkiv.com, 0
+orkkikerho.tk, 1
+orland.tk, 1
+orlandgo.com, 1
+orlandhillspdil.gov, 1
+orlando-marijuana-doctor.com, 1
+orlandobalbas.com, 1
+orlandojetcharter.com, 1
+orlandooutdoor.com, 1
+orlandopooltech.com, 1
+orlandoprojects.com, 1
+orlandorentavilla.com, 1
+orleansiowa.gov, 1
+orleika.io, 1
+orleika.ml, 1
+ormanetrading.com, 1
+ormuratore.com, 1
+ornc.org, 1
+ornikar.com, 1
+ornithopter.tk, 1
+ornitina.com, 1
+ornsyn.no, 1
+ornua.com, 1
+ornz.net, 0
+oro.milano.it, 1
+oro.roma.it, 1
+orocojuco.com, 1
+oroconews.com.br, 1
+orodelsalento.com, 1
+orologeria.roma.it, 1
+orologi.roma.it, 1
+oronomn.gov, 1
+oroshikikin.jp, 1
+orovillelaw.com, 1
+orpf.ir, 1
+orphee-beaute.com, 0
+orpheus.network, 1
+orpheus2.com.ec, 1
+orquestas.tk, 1
+orrs.de, 1
+orsal.fr, 1
+orsgo.com, 1
+ortahisarsigorta.com, 1
+ortanatech.com, 1
+ortecapps-dev.com, 1
+ortecbdp.com, 1
+ortecdna.com, 1
+ortechealthtest.com, 1
+ortegaportfolio.com, 1
+ortegat.com, 1
+ortelius.com, 1
+ortelius.se, 1
+ortemis.host, 1
+orteo.co, 1
+ortho-graz.at, 1
+orthoatthevillage.com, 1
+orthocab.com, 1
+orthocop.cz, 1
+orthodealsers.ga, 1
+orthodontiste-geneve-docteur-rioux.com, 0
+orthodoxy.lt, 0
+orthograph.ch, 1
+orthomolecularproducts.com, 0
+orthopedic-shoes.tk, 1
+orthopedicsalon.tk, 1
+orthoprax.net, 1
+orthoquest.ca, 1
+orthotrafficest.ga, 1
+ortiatuttogas.it, 1
+ortigueira.ga, 1
+ortizmario.com, 1
+ortocraft.tk, 1
+ortoemangiato.it, 1
+ortografiacerta.com.br, 1
+ortoinnovapanama.com, 1
+ortop.ua, 1
+ortopedia.tk, 1
+ortopertutti.it, 1
+ortto.com, 0
+oruggt.is, 1
+orum.in, 1
+orviboperu.com.pe, 1
+orwell.tk, 1
+oryva.com, 1
+oryxlabs.com, 1
+oryxserver.ch, 1
+orzado.com, 1
+orzado.com.ua, 1
+orzechot.pl, 1
+os-s.de, 1
+os-s.net, 1
+os-t.de, 1
+os.web.tr, 1
+os24.cz, 1
+os33.com, 1
+os33.net, 1
+os76.xyz, 1
+osaamiskartoitus.fi, 1
+osac.gov, 1
+osacrypt.studio, 1
+osagecounty-ok.gov, 1
+osagenation-nsn.gov, 1
+osagokasko.ga, 1
+osaka-culture-art.com, 1
+osaka-hero-project.com, 0
+osakaevoce.com.br, 1
+osakagasaustralia.com.au, 1
+osakayuku.com, 1
+osakerekisteri.fi, 1
+osaketori.fi, 1
+osaki.fr, 1
+osallistuvavantaa.fi, 1
+osamabook.tk, 1
+osamakhalid.com, 1
+osamatoon.ml, 1
+osandp.com, 1
+osankj.tk, 1
+osano.com, 1
+osateam.tk, 1
+osawatomieks.org, 1
+osb-alliance.de, 1
+osbeck.com, 1
+osborn.io, 1
+osborne.tk, 1
+osbornecounty.gov, 1
+osborneinn.com, 0
+osbornepro.com, 1
+osburn.com, 1
+osc.gov, 1
+oscar.ms, 1
+oscarapp.net, 1
+oscarmartinez.tk, 1
+oscarr.nl, 1
+oscars-web.tk, 1
+oscarsalas.tk, 1
+oscarspatiobar.com, 1
+oscarvk.ch, 1
+osceolaar.gov, 1
+osceolacountyfl.gov, 1
+osceolacountyia.gov, 1
+osceolafdar.gov, 1
+osceolapdar.gov, 1
+osci.io, 1
+oscloud.com, 1
+oscom.tk, 1
+oscpi.com, 1
+oscreen.ru, 1
+osdeployment.com, 1
+osdeployments.com, 1
+osdls.gov, 1
+oseido.tk, 1
+osepideasthatwork.org, 1
+osereso.tn, 1
+oses.mobi, 0
+osetia.tk, 1
+osetinskie-pirogi.ga, 1
+osetiya.gq, 1
+osetiya.ml, 1
+osez-l-odyssee.fr, 1
+osgroup.tk, 1
+oshayr.com, 1
+oshea.cc, 1
+oshens.com, 1
+osholife.tk, 1
+oshrc.gov, 1
+osi-systems.com, 1
+osiedlemalownicze.wroc.pl, 1
+osimmo.fr, 1
+osindesejados.com.br, 1
+osipenko.ua, 1
+osiris-ai.co.uk, 1
+osirisrising.tk, 1
+osirisrp.online, 1
+osirium.com, 1
+osk-group.ru, 1
+oskety.com, 1
+oskrba.net, 1
+oskrba.online, 1
+oskuro.net, 1
+oslinux.net, 1
+oslo-kammerorkester.no, 1
+osm.is, 1
+osm.org, 1
+osmaniyehaber.tk, 1
+osmanlitakilari.tk, 1
+osmanlitorunu.com, 1
+osmarks.net, 1
+osmarks.tk, 1
+osmdroid.net, 1
+osmosebox.com, 1
+osmosis-inversa.online, 1
+osmre.gov, 1
+osmt.cc, 1
+osnova.cz, 1
+osobnyak.tk, 1
+osohq.com, 1
+osolutionscorp.com, 1
+osom.finance, 1
+osomagicmountain.com, 1
+osomjournal.org, 1
+osoo.kg, 1
+osorezone.com, 1
+osorio.io, 0
+ospis.pl, 1
+ospo-alliance.org, 1
+osrdmo.gov, 1
+osrs.wiki, 1
+osrsmap.net, 1
+osrsplugins.xyz, 1
+ossdiabolo.tk, 1
+osservatorionessuno.it, 1
+osservatorionessuno.org, 1
+ossigeno.tk, 1
+ossipee-nh.gov, 1
+ossrox.org, 1
+osszekotatermeszettel.hu, 1
+ostalb.social, 1
+ostan-collections.net, 1
+ostan-nku.tk, 1
+ostankino.tk, 1
+ostechnix.com, 1
+ostek.tk, 1
+ostendorf.com, 1
+osteolaclusaz.com, 0
+osteopathe-voisine.com, 1
+osteopathie-guggenberger.de, 1
+osteopatiaymasaje.com, 1
+osteriabellavista.ch, 0
+osteriadelponte.tk, 1
+osterkraenzchen.de, 1
+ostermcbride.com, 1
+ostern-osterfest.tk, 1
+ostgotakonst.se, 1
+osti.gov, 1
+ostimwebtasarim.name.tr, 1
+ostimyedekparca.com.tr, 1
+osto.us, 1
+ostp.gov, 1
+ostr.io, 1
+ostra.gg, 1
+ostra.me, 1
+ostrausercontent.com, 1
+ostravskypediatrickyden.cz, 1
+ostrov8.com, 1
+ostrovseocitra.cf, 1
+ostrovseocitra.ga, 1
+ostrovseocitra.gq, 1
+ostrovseocitra.ml, 1
+ostseebad-sellin.de, 1
+ostylelimo.com, 1
+osuarez3.com, 1
+osun.eu, 1
+osuszanie-krakow.pl, 1
+osuszanie-prinz.com.pl, 1
+osuszanie-radom.pl, 1
+osuszanie-warszawa.pl, 1
+osvaldocontreras.tk, 1
+osveld.com, 1
+osvhub.com, 1
+oswaldlabs.com, 1
+oswalds.co.uk, 1
+oswaldsmillaudio.com, 1
+oswegoil.gov, 1
+oswegony.gov, 1
+osworx.net, 1
+ot-honfleur.fr, 1
+ot-vinta.tk, 1
+otaikajang.org, 1
+otakaroltd.co.nz, 1
+otako.pl, 0
+otaku-treasure.com, 1
+otaku.fm, 1
+otakubox.de, 1
+otakucloud.net, 0
+otakuie.tk, 1
+otakurepublic.com, 1
+otakurumi.de, 1
+otakuzonefanzine.tk, 1
+otariarutiunian.com, 1
+otchecker.com, 1
+otd-dentalcare.com, 0
+otdel16.tk, 1
+otdelka56.ml, 1
+otdelka76.tk, 1
+otdelochnik.tk, 1
+otdih-krim.tk, 1
+otdyh-v-abhazii.tk, 1
+oteri.de, 1
+otg-drives.tk, 1
+otgadaika.tk, 1
+oth666.com, 0
+other98.com, 0
+othercdn.com, 1
+otherkinforum.com, 1
+otherlandlabs.com, 0
+otherwise.tk, 1
+othrys.net, 1
+oticasvisao.net.br, 1
+otimismoemrede.tk, 1
+otinane.eu, 1
+otipax.ru, 1
+otiumtech.com, 1
+otixz.com, 1
+otkm-stuttgart.tk, 1
+otmns.net, 1
+otng.us, 1
+otogeworks.com, 1
+otokiralama.name.tr, 1
+otoma.tk, 1
+otomania.tk, 1
+otomauto.com, 1
+otomekaito.xyz, 1
+otomny.fr, 1
+otomobilforumu.com, 1
+otomobilhaber.com, 1
+otonity.com, 1
+otoplastik.ml, 1
+otoplenie-ufa.ml, 1
+otorino.tk, 1
+otorium.gq, 1
+otorrino.pt, 0
+otosemi.com, 0
+otoy.com, 1
+otpbd.xyz, 1
+otpdvi.gov, 1
+otpgoldenfish.ro, 1
+otpnyugdij.hu, 1
+otpportalok.hu, 1
+otprema.hr, 1
+otpsmart.com.ua, 1
+otptikforum.cf, 1
+otr.ie, 1
+otrm.de, 1
+otrosidigo.tk, 1
+otrubah.com, 1
+ots.gov, 1
+otsfreestyle.jp, 1
+otsu.beer, 1
+ott-tv.org, 1
+ottawatribe.gov, 1
+ottens.tk, 1
+otterpops.tk, 1
+ottertailcounty.gov, 1
+ottertailcountymn.gov, 1
+otterupdate.com, 1
+ottervillemo.gov, 1
+otthonelektronika.hu, 1
+otticait.com, 1
+otticaturi.it, 1
+ottingergolf.com, 1
+ottmarliebert.tk, 1
+ottogroup.com, 1
+ottokrake.ba, 1
+ottomanbedsuk.tk, 1
+ottorinoferilli.com, 1
+ottoversand.at, 1
+otuts.eu, 1
+otvaracie-hodiny.sk, 1
+otya.me, 1
+otzyvy.cc, 1
+ouaibe.qc.ca, 1
+ouaie.be, 1
+ouaisetalors.fr, 1
+ouattara.ch, 1
+oudedokken.be, 1
+oudersvannu.nl, 1
+ouestacro.fr, 1
+ouestfrance-auto.pro, 1
+ouezzan.tk, 1
+ouglor.com, 1
+oui-mais-toscope.info, 1
+ouin.land, 1
+ouinex.com, 1
+ouinex.xyz, 1
+ouiouibunny.ch, 1
+ouiouibunny.fr, 1
+oujj.link, 1
+oukasou.moe, 1
+oukasou.xyz, 1
+ouldlamara.tk, 1
+oulunjujutsu.com, 1
+oumactive.com, 1
+ouminews.net, 1
+oumlaut.net, 1
+oumorienteering.com, 1
+oumpower.com, 1
+oumrace.com, 1
+oumsnatch.com, 1
+oumsport.com, 1
+ounage.de, 1
+ouowo.gq, 1
+our-box.de, 1
+our-box.net, 1
+our-little-secret.tk, 1
+our-store.ml, 1
+ourai.ws, 1
+ourayco.gov, 1
+ourchoice2016.com, 1
+ourcloud.at, 1
+ourcodinglives.com, 1
+ourcreolesoul.com, 1
+ourcrowd.com, 1
+ourcybercommunity.com, 1
+ourdocuments.gov, 1
+ourevents.net, 1
+ourfamilyworld.com, 1
+ourgame.ie, 1
+ourharvest.com, 1
+ourhr.club, 1
+ourindiana.gov, 1
+ourladymountcarmel.net, 1
+ourladymtcarmel.org, 0
+ourladyofcalvary.org, 1
+ourladyoftheassumptionchurch.org, 1
+ourladyqueenofmartyrs.org, 1
+ourlink.tk, 1
+ourmarket.live, 1
+ournewsindia.ga, 1
+ourocg.cn, 1
+ouroh2.com, 1
+ouronyx.com, 0
+ourpharmacynetwork.com, 1
+ourphonestoday.com, 1
+ourplanetary.com, 1
+ours.money, 1
+oursaintfrancis.org, 1
+oursibparksplan.com, 1
+oursportscentral.com, 1
+ourstory.rip, 1
+oursurplus.com, 1
+oursweb.com, 1
+oursweb.net, 1
+oursweb.org, 1
+ourtableforseven.com, 1
+ouruglyfood.com, 1
+ourvau.lt, 1
+ourwits.com, 1
+ourworldindata.org, 0
+ourworldspeaks.com, 1
+oust.ch, 0
+oustaou-connect.com, 1
+out-of-england.cf, 1
+out-of-england.ga, 1
+out-of-england.gq, 1
+out-of-england.ml, 1
+outagamie.gov, 1
+outandaboutpv.com, 1
+outbankapp.com, 1
+outbot.com, 1
+outbound.tk, 1
+outbreak.games, 1
+outcasts-guild.eu, 1
+outcomes10.com, 1
+outdoorfurniture.ie, 1
+outdoorgearlab.com, 1
+outdoorimagingportal.com, 1
+outdoorlearningmap.com, 1
+outdoorlightingagoura.com, 1
+outdoorlightingagourahills.com, 1
+outdoorlightingcalabasas.com, 1
+outdoorlightingconejovalley.com, 1
+outdoorlightingdosvientos.com, 1
+outdoorlightinghiddenhills.com, 1
+outdoorlightinglakesherwood.com, 1
+outdoorlightingmalibu.com, 1
+outdoorlightingmoorpark.com, 1
+outdoorlightingnewburypark.com, 1
+outdoorlightingoakpark.com, 1
+outdoorlightingsimivalley.com, 1
+outdoorlightingthousandoaks.com, 1
+outdoorlightingwestlakevillage.com, 1
+outdoormanufaktur.com, 1
+outdoorphoto.co.za, 1
+outdoorsytravel.com, 1
+outerface.net, 1
+outerheaven.pro, 1
+outerlimitsdigital.com, 1
+outernet.tk, 1
+outerspace.ga, 1
+outervision.com, 1
+outetc.com, 1
+outfaced-dancestudio.de, 1
+outfit-weimar.eu, 1
+outgress.com, 1
+outgrow.co, 1
+outhwaite.com, 1
+outincanberra.com.au, 1
+outinnationalsecurity.org, 1
+outka.xyz, 1
+outlaw-star.tk, 1
+outletcity.bg, 1
+outletstoresmalls.com, 1
+outline.ski, 1
+outline.vn, 1
+outlook.com, 1
+outlook.pl, 1
+outlookbythebay.com, 1
+outlookonthedesktop.com, 1
+outlooktransfer.com, 1
+outloudradio.uk, 1
+outnetic.com, 1
+outnow.ch, 1
+outoftheboxfitness.com, 1
+outofthefog.net, 1
+outofyourcomfortzone.net, 1
+outplnr.fr, 1
+output.com, 1
+outrank.co.uk, 1
+outrider.ai, 1
+outshinesolutions.nl, 1
+outsideconnections.com, 1
+outsidershairboutique.com, 1
+outsize.tk, 1
+outsourcify.net, 1
+outsourcingdenomina.co, 1
+outsourcingnominabogota.com, 1
+outstack.vote, 1
+outstanding.tk, 1
+outstandingpromotion.com, 1
+outtask.ai, 0
+outwoodz.co.uk, 1
+outworking.com, 1
+ouverture-coffre-fort.fr, 1
+ouvindo.com.br, 1
+ouwerling.tk, 1
+ov-chipkaart.nl, 1
+ovabastecedoraindustrial.com, 1
+ovalle.tk, 1
+ovallevirtual.tk, 1
+ovationhand.com, 1
+ovc.gov, 1
+ovcttac.gov, 1
+ovegi.co.id, 1
+ovelhaostra.com, 1
+ovelhosabio.com, 1
+ovelhosabio.com.br, 1
+oven.media, 1
+ovenapp.io, 1
+ovenrepairaustin.com, 1
+overa.net, 1
+overallmotivation.com, 1
+overallscanners.tk, 1
+overca.sh, 1
+overcached.com, 1
+overcame.cf, 1
+overcasthq.com, 1
+overclockers.ga, 1
+overclockers.ge, 1
+overcomers.tk, 1
+overdance.com.br, 1
+overdrive-usedcars.be, 0
+overener.biz, 1
+overener.cn, 1
+overener.co, 1
+overener.com, 1
+overener.tech, 1
+overener.us, 1
+overflow.io, 1
+overframe.gg, 1
+overgear.tk, 1
+overground.tk, 1
+overhead.com.pe, 1
+overheek.tk, 1
+overlevers.tk, 1
+overlevingsmessen.nl, 1
+overlook.tk, 1
+overlooklakeaustin.com, 1
+overlord.network, 1
+overmorgen.nl, 1
+overnetfaq.tk, 1
+overnetworld.tk, 1
+overnightglasses.com, 1
+overpb.gq, 1
+overprint-samara.ru, 1
+overps.cf, 1
+overrated.ga, 1
+overratedtech.com, 1
+overrun.tk, 1
+overs.jp, 1
+oversea.com.br, 1
+overseamusic.de, 1
+overseasstudenthealth.com, 1
+overside.ml, 1
+oversight.garden, 1
+oversight.gov, 1
+oversight.nz, 1
+oversightboard.com, 1
+overspace.cloud, 1
+overstemmen.nl, 1
+overstockpromote.com, 1
+overthecloud.it, 1
+overthegate.tk, 1
+overtoncountytn.gov, 1
+overtunes.tk, 1
+overture.london, 1
+overwatchss.club, 1
+overzicht.pro, 1
+overzicht.ws, 1
+ovez.ga, 1
+ovhcdn.pw, 1
+ovidiusbouwbedrijf.nl, 1
+ovidro.pt, 0
+ovirt.org, 1
+oviser.ml, 1
+ovisy.com, 1
+ovni-owners.org.uk, 1
+ovnrain.com, 0
+ovochi.tk, 1
+ovodakadarkut.tk, 1
+ovomope.cn, 1
+ovosimpatico.com, 1
+ovosimpatico.org, 1
+ovpn.com, 1
+ovpn.to, 1
+ovstravel.com, 1
+ovuk.ru, 1
+ovvv.top, 1
+ovvy.net, 0
+owagik.com, 1
+owatonna.gov, 1
+owatonnagrows.gov, 1
+owdeutschland.org, 1
+owenet.net, 1
+owensboroky.gov, 1
+owenschumacher.tk, 1
+owensmith.website, 1
+owensvilleoh.gov, 1
+owethecure.win, 1
+owfactory.com, 1
+owid.cloud, 1
+owise.tk, 1
+owl-media.pl, 1
+owl-media.ru, 1
+owl-media.us, 1
+owl-stat.ch, 0
+owl.net, 1
+owlandbee.co.uk, 1
+owlandbee.eu, 1
+owlandbee.uk, 1
+owlando.com, 1
+owlandrabbitgallery.com, 1
+owlazy.com, 1
+owlbee.be, 1
+owlbee.de, 1
+owlbee.es, 1
+owlbee.eu, 1
+owlbee.fr, 1
+owlbee.it, 1
+owlbee.nl, 1
+owldevelopers.tk, 1
+owlexa.com, 1
+owlhollowbakery.com, 1
+owln.ai, 0
+owlnull.me, 1
+owlscrap.ru, 1
+owlvilleers.ga, 1
+ownagepranks.com, 1
+ownc.at, 1
+owncloud.ch, 1
+owncloud.com, 1
+ownerbusiness.org, 1
+ownergroup.net, 1
+ownersre.com, 1
+ownhosting.cloud, 1
+owningless.fr, 1
+ownparking.com, 1
+ownspec.com, 1
+ownsport.fr, 1
+owntips.ml, 1
+owntournament.org, 1
+ownwolke.de, 1
+ownyourfamily.com, 1
+owo.enterprises, 1
+owo.jp, 1
+owo.li, 0
+owrt-risk.dedyn.io, 1
+owyheecounty.gov, 1
+owysgarden.com.au, 1
+ox.restaurant, 1
+oxalato.com, 1
+oxaliz.gq, 1
+oxanababy.com, 1
+oxborrow.ca, 1
+oxbridge.eu, 1
+oxelie.com, 0
+oxen.io, 1
+oxfordandcambridgetutors.com, 1
+oxfordbio.com, 1
+oxfordbus.co.uk, 1
+oxforddigital.com.au, 1
+oxfordenglish.com.ua, 1
+oxfordkneeinfo.com, 1
+oxfordmd.gov, 1
+oxfordtutors.com, 1
+oxforduniverse.com, 1
+oxfordurgentclinic.com, 1
+oxia.me, 1
+oxialive.fr, 1
+oxiame.eu, 1
+oxibeiras.pt, 1
+oxide.social, 1
+oxidecomputer.net, 1
+oxidecomputer.social, 1
+oxidized.org, 1
+oxigenoinformatica.tk, 1
+oximedia.ga, 1
+oximoron.tk, 1
+oxinarf.pt, 1
+oxizonia.com, 0
+oxlab.com.ar, 1
+oxo.cloud, 0
+oxona.eu, 1
+oxoo.ooo, 1
+oxopackaging.com.au, 0
+oxos.com, 1
+oxots.com, 1
+oxotscovid.com, 1
+oxt.co, 1
+oxwebdevelopment.com.au, 1
+oxxengarde.de, 1
+oxxoshop.com, 0
+oxydac.com, 1
+oxydrate.com, 1
+oxygames.tk, 1
+oxygenated.cf, 1
+oxygenforchennai.com, 1
+oxygin.net, 0
+oxylabs-china.net, 1
+oxylabs.cn, 1
+oxylabs.io, 1
+oxylog.fr, 1
+oxymail.ru, 1
+oxymoron.tk, 1
+oxynux.xyz, 1
+oxytocin.org, 1
+oxytocin.wiki, 1
+oxyx.tk, 1
+oxz.me, 1
+oya.ai, 1
+oyakyamacevler.net, 1
+oyal.co.uk, 1
+oyama-conf.com, 1
+oyama-karate.tk, 1
+oyap.ca, 1
+oyaphwcdsb.com, 1
+oyapkprdsb.ca, 1
+oyaptcdsb.com, 1
+oyaquelegal.com.br, 1
+oyemobile.ca, 1
+oyemobile.com, 1
+oyesunn.com, 0
+oyk13tyuj8ljpete31edj2tes-9if7bi.com, 0
+oyosoft.fr, 1
+oyosoft.net, 1
+oyr79.tk, 1
+oysterboxhotel.com, 1
+oysterworldwide.com, 1
+oyun.news, 1
+oyundijital.com, 1
+oyungg.net, 0
+oyunmadeni.tk, 1
+oyunnetwork.com, 1
+oyunnext.com, 1
+oyunoynuyalim.tk, 1
+oyunshell.com, 1
+oz-artfocus.com, 1
+oz-style.com, 1
+ozacek.fun, 1
+ozantravel.com, 1
+ozark-serial.net, 1
+ozarkinspected.com, 1
+ozaukeecounty.gov, 1
+ozaymotor.com, 1
+ozbekistanhavayolu.com.tr, 1
+ozbolt.eu, 1
+ozcare.org.au, 1
+ozcreatives.tech, 1
+ozdemirgrubu.com, 1
+ozdenotomotiv.com.tr, 1
+ozdevelopment.com, 1
+ozel-ders.tk, 1
+ozelgitardersi.tk, 1
+ozellaruck.tk, 1
+ozelmarmaratip.com, 1
+ozemsec.com.br, 1
+ozerify.com, 1
+ozero-kardyvach.ru, 1
+ozgesezen.com, 1
+ozgurbozkurt.com, 1
+ozgurgokmen.net, 1
+ozgurkazancci.com, 1
+ozhegov.site, 0
+ozli.ga, 1
+ozmo.ml, 1
+ozna.tk, 1
+oznamovacipovinnost.cz, 1
+ozoksteel.com, 1
+ozone-medical.fr, 1
+ozonitron.com, 1
+ozonitron.de, 1
+ozonitron.eu, 1
+ozonstyle.ga, 1
+ozonytron.com, 1
+ozonytron.de, 1
+ozonytron.eu, 1
+ozoz.cc, 1
+oztorah.com, 1
+ozvoip.net, 1
+ozvolvo.org, 1
+ozyurttesisat.com, 1
+ozzie.fr, 1
+ozzyfant.de, 1
+p-art.design, 1
+p-fent.ch, 1
+p-home.tk, 1
+p-insurgence.com, 1
+p-k-b.com, 1
+p-konto.tk, 1
+p-ku.com, 1
+p-p.site, 1
+p-pac.com, 0
+p-pc.de, 1
+p-t.io, 1
+p.ac, 1
+p.lu, 1
+p.sb, 1
+p02.de, 1
+p0l.de, 1
+p1-acc.nl, 1
+p1-apps.nl, 1
+p1-test.nl, 1
+p10.ru, 0
+p1984.nl, 0
+p1cn.com, 1
+p1group.com, 1
+p1ratrulezzz.me, 1
+p22.co, 1
+p2enews.com, 1
+p2p-tv.tk, 1
+p2pool.observer, 1
+p2r.ru, 1
+p3.marketing, 1
+p30mororgar.ir, 1
+p333aa.com, 1
+p333b.net, 1
+p333e.net, 1
+p333j.net, 0
+p35consulting.com, 1
+p36533.com, 1
+p3medicalinc.com, 1
+p3ter.fr, 1
+p4.pm, 1
+p4c-admin.azurewebsites.net, 1
+p4p.click, 1
+p4plus2.com, 1
+p4t.co, 1
+p5197.co, 1
+p5r.uk, 1
+p6729.co, 1
+p6957.co, 1
+p7jl.com, 1
+p7m.de, 1
+p7m.eu, 1
+p7sesvhc.com, 1
+p82365.com, 1
+p8r.de, 1
+p91aa.com, 1
+p9297.co, 1
+p9728.co, 1
+p99perf.com, 1
+p99performance.com, 1
+p9cq.com, 1
+p9d1.com, 1
+pa-w.de, 1
+pa.search.yahoo.com, 0
+pa1ch.fr, 1
+pa5am.nl, 1
+paack.co, 1
+paack.com, 1
+paal.network, 1
+paanews.com, 1
+paarberatung-hn.de, 1
+paardekoopergroup.com, 1
+paardenhulp.nl, 1
+paardensportbak.nl, 1
+paarissohail.tk, 1
+paaseiland.org, 1
+paaspasst.de, 1
+paass.net, 0
+paaster.io, 0
+paazmaya.fi, 1
+pabio.com, 1
+pablikado.cz, 1
+pablo-serrano.com, 1
+pablo-sky.tk, 1
+pablo.im, 0
+pablo.io, 1
+pablo.scot, 1
+pablo.sh, 1
+pabloarcuri.com, 1
+pabloartea.ga, 1
+pabloarteaga.co.uk, 1
+pabloarteaga.com, 1
+pabloarteaga.com.es, 1
+pabloarteaga.es, 1
+pabloarteaga.eu, 1
+pabloarteaga.info, 1
+pabloarteaga.me, 1
+pabloarteaga.name, 1
+pabloarteaga.net, 1
+pabloarteaga.nom.es, 1
+pabloarteaga.org, 1
+pabloarteaga.science, 1
+pabloarteaga.tech, 1
+pabloarteaga.uk, 1
+pabloarteaga.xyz, 1
+pablocamino.tk, 1
+pablocelorio.com, 1
+pablofain.com, 0
+pablofonta.es, 1
+pablolopezlujan.es, 1
+pablomachado.tk, 1
+pablomolina.tk, 1
+pablomoreno.tk, 1
+pablonadiecomotu.tk, 1
+pabloroblesminister.com, 1
+pablosaraiva.com, 1
+pabpunk.tk, 1
+pacas-solution.it, 1
+pacatlantic.com, 1
+pacay.id, 1
+pacch.io, 1
+pacco.tk, 1
+paccolat.name, 1
+pace.car, 0
+pace.cool, 1
+pacecare.com, 1
+pacecounsel.com, 1
+paceda.nl, 1
+pacelink.de, 1
+pacem.global, 1
+pacemakers.ml, 1
+pacemigration.com.au, 0
+pacenterforhearingandbalance.com, 1
+pachaiyappas.org, 1
+pachalingo.tk, 1
+pachamamaproduct.com, 1
+pachamamita.de, 1
+pachinstyle.com, 1
+pachuca.social, 1
+pachuta.pl, 1
+pacificaent.net, 1
+pacificarperu.com, 1
+pacificbags.com.au, 1
+pacificbeachpub.com, 1
+pacificblue.kiwi, 1
+pacificblue.software, 1
+pacificcashforcars.com.au, 1
+pacificcoast.com, 1
+pacificcycling.ga, 1
+pacificgynsurgicalgroup.com, 1
+pacifichospitalists.com, 1
+pacificislander.org, 1
+pacifico.com.pe, 1
+pacificocooler.com, 1
+pacificpackaging.com.au, 1
+pacificpalisadeselectric.com, 1
+pacificpalisadeselectrical.com, 1
+pacificpalisadeslandscapelighting.com, 1
+pacificpalisadeslighting.com, 1
+pacificprivatebank.com, 1
+pacificpuke.com, 1
+pacificrimcollege.online, 1
+pacificscience.com, 1
+pacificstandard.com, 1
+pacificstates.net, 1
+pacifictechnologie.com, 1
+pacifique-web.nc, 1
+pacifistka.tk, 1
+pack-haus.de, 1
+pack.com.ua, 1
+pack.rocks, 1
+pack1537.org, 1
+pack183.com, 1
+pack50cubs.org, 1
+packagestours.com, 1
+packaging-design.net, 1
+packaginghouse.co.nz, 1
+packagingproject.management, 1
+packagist.jp, 1
+packagist.org, 0
+packair.com, 1
+packandseal.in, 1
+packedagain.com, 1
+packer.io, 0
+packetapp.ru, 1
+packetcrash.net, 1
+packetfabric.com, 1
+packetlinux.com, 1
+packetmail.net, 1
+packetnomad.net, 1
+packetoverflow.com, 1
+packlane.com, 1
+packliberte.org, 1
+packservice.es, 1
+packservice.it, 1
+packtracking.org, 1
+packwire.com, 1
+paclease.com.my, 1
+pacman.ltd, 1
+pacobarbera.tk, 1
+pacoda.de, 0
+pacogarcia.tk, 1
+pacogorzados.tk, 1
+pacot.es, 1
+pacpost.live, 1
+pact2017.nl, 1
+pactandoconlamoda.com, 1
+pacteo.com, 1
+pactf-flag-4boxdpa21ogonzkcrs9p.com, 1
+pactf.com, 1
+pactrol.com, 1
+pacxodka.ru, 1
+paczkadlawieznia.pl, 1
+paczkahigieniczna.pl, 1
+paczkazywnosciowa.pl, 1
+pad.wf, 1
+padam-group.com, 1
+padberx-marketing-consultants.de, 1
+padderne.tk, 1
+paddestoelen-encyclopedie.tk, 1
+paddle4ever.hu, 1
+paddy.rocks, 1
+padichota.tk, 1
+padisahbilisim.tk, 1
+padle.ml, 1
+padmagroup.com, 1
+padovaoggi.it, 1
+padpilot.co, 1
+padremiguel.pt, 1
+padron.com.es, 1
+padshah.tk, 1
+paducaheic.com, 1
+padzilla.com, 1
+pae.com, 1
+paedlink.ca, 1
+paegae.gr, 1
+paermartinsson.se, 1
+paesa.es, 1
+paesi.info, 1
+paff.xyz, 1
+paga.red, 1
+pagalnew.com, 1
+pagalofacil.com, 1
+pagalworld-news.ml, 1
+pagalworld.com, 1
+pagalworld.mobi, 1
+pagalworld.name, 1
+pagalworld.us, 1
+pagamesssddr.com, 1
+pagancollective.cf, 1
+paganismguide.com, 1
+paganistisch-forum.tk, 1
+pagatuarriendo.cl, 1
+pagbitcoin.com, 1
+page, 1
+page-engine.tk, 1
+page-speed.ru, 1
+page.lgbt, 1
+page12.tk, 1
+pageboard.fr, 1
+pageboard.io, 1
+pagecdn.io, 1
+pagedesignhub.com, 1
+pagedesignpro.com, 1
+pagedesignshop.com, 1
+pagedesignweb.com, 1
+pagefulloflies.io, 1
+pagenews.tk, 1
+pagenstedt.de, 1
+pagepapi.com, 1
+pagerange.com, 1
+pagerduty.com, 1
+pages-tocaven.com, 1
+pagesdemo.xyz, 1
+pagespeaker.com, 1
+pagespeedwizard.com, 1
+pagestash.net, 1
+pageuppeople.com, 1
+pagevitals.com, 1
+pagewizz.com, 1
+pagexl.com, 1
+pagiamtzis.com, 1
+pagina394.com.br, 1
+paginamaravillosa.tk, 1
+paging.blog, 0
+pagliucadb.ddns.net, 1
+pagodart.com.br, 1
+pagueveloz.com.br, 1
+paguponku.com, 1
+pagure.io, 1
+pagure.org, 1
+pahadee.coffee, 1
+pahe.win, 1
+pahealthbilling.com, 1
+pahira.gq, 1
+paho.org, 1
+pahom.gq, 1
+pahrumpnv.gov, 1
+pahui.cf, 1
+pahui.ml, 1
+pahuudenanatomia.fi, 1
+paide.edu.ee, 1
+paidnaija.com, 0
+paidsurveys.tk, 1
+paidtocode.com, 1
+paidtodesign.com, 1
+paidtodev.com, 1
+paiementdp.com, 1
+paiementpasseport-mali.com, 1
+paige.ai, 1
+paigejulianne.com, 1
+paigethegeek.com, 1
+paiinternational.in, 1
+painart.ru, 1
+paincareehr.com, 1
+painclinic.tk, 1
+paincore.tk, 1
+paindata.dk, 1
+paine.tv, 1
+painefamily.co.uk, 1
+painesvillemunicipalcourt-ohio.gov, 1
+painfreenyc.com, 1
+painful.fun, 1
+painkiller-tech.com, 1
+painkillercart.com, 1
+paint-it.pink, 1
+paint4.life, 1
+paintball-ljubljana.si, 1
+paintball-shop.sk, 1
+paintballer.co, 1
+paintbrush.ga, 1
+paintcolorsbysue.com, 1
+painted-designs.tk, 1
+painteddesertfrenchies.com, 1
+paintingindurban.co.za, 1
+paintingrepair.ga, 1
+paintlabcustom.com.br, 1
+paintpaina.com, 1
+paintprotectionfilm.store, 1
+paintscratch.com, 1
+paio2-rec.com, 1
+paipuman.jp, 1
+paireepinart.com, 1
+pairsclassifiedads.tk, 1
+paisa-dev.azurewebsites.net, 1
+paisleyandsparrow.com, 1
+paistation.ch, 1
+paivafernandes.com.br, 1
+pajadam.me, 1
+pajamka.com.ua, 1
+pajbot.de, 1
+pajobsite.com, 1
+pajuvuo.fi, 1
+pak-kazan.ru, 1
+pakal.org, 1
+pakaranggrek.com, 1
+paket.monster, 1
+paketbox-systems.at, 1
+paketverfolgung.info, 1
+paketwatch.de, 0
+paketwisataliburan.com, 1
+pakeystonesaves.gov, 1
+pakeystonescholars.gov, 1
+pakfactory.com, 1
+pakforces.tk, 1
+pakho.xyz, 1
+pakingas.lt, 1
+pakistan24.tk, 1
+pakistanblogger.tk, 1
+pakistanheadline.tk, 1
+pakistanichatzone.com, 1
+pakistanientertainers.ga, 1
+pakistanmusic.tk, 1
+pakistanpost.ga, 1
+pakitow.fr, 1
+pakjefooi.be, 1
+pakjefooi.com, 1
+pakjefooi.email, 1
+pakjefooi.eu, 1
+pakjefooi.net, 1
+pakjefooi.nl, 1
+pakjefooi.org, 1
+pakkibaat.tk, 1
+pakmarkas.lt, 1
+pakmedia.tk, 1
+paknetworking.org, 1
+pakostane-apartments.tk, 1
+pakpak.tk, 1
+pakpedia.pk, 1
+pakremit.com, 1
+paksui-ne.tk, 1
+palabr.as, 1
+palaceitalia.tk, 1
+palacezamkidwory.com, 1
+paladin.wtf, 1
+paladini.tk, 1
+palaisfrance.com, 1
+palakkad.tk, 1
+palamaailmalta.fi, 1
+palant.info, 1
+palantir.com, 1
+palariviera.com, 1
+palatin.at, 1
+palatineil.gov, 1
+palationtrade.com, 1
+palatte.ml, 1
+palau-pizza.fr, 1
+palavalbasket.it, 1
+palavatv.com, 1
+palawan.jp, 0
+palazzo.work, 1
+palazzodellasalute.it, 1
+palazzofiano.it, 1
+palem.com, 1
+palenque.tk, 1
+paleo.io, 1
+paleodietfoodlist.com, 1
+paleodietrecipes.com, 1
+paleografie.tk, 1
+paleonora.tk, 1
+paleontologiadebagua.tk, 1
+paleoself.com, 1
+paleoso.com, 1
+paleosquawk.com, 1
+palermoantagonista.tk, 1
+palermofc.com, 1
+palermofilmfestival.tk, 1
+palermopride.it, 1
+palermotoday.it, 1
+paless-aless.by, 1
+palessit.com, 1
+palestra.roma.it, 1
+palestraspimentel.com, 1
+paletdecor.com.ua, 1
+palette26.com, 1
+paletten.tk, 1
+palfut.com, 1
+paliucuiciucci.tk, 1
+palkiviadika.ru, 1
+palladium46.com, 1
+palladiumprivate.com, 1
+pallavibhattdesigns.com, 1
+pallavihautecouture.com, 1
+palletflow.com, 1
+palletsprojects.com, 0
+pallhed.se, 1
+palli.ch, 0
+palliativ-del.de, 1
+palmaprop.com, 1
+palmarinaestrada.com.br, 1
+palmatin.com, 1
+palmbayfl.gov, 1
+palmbeachbusinessbroker.com, 1
+palmbeachcounty-fl.gov, 1
+palmbeachcuisine.com, 1
+palmbeachelections.gov, 1
+palmbeachvotes.gov, 1
+palmcoast.gov, 1
+palmcoastbusinessnetwork.com, 1
+palmdesert.gov, 1
+palmedconsultants.com, 1
+palmedconsultants.org, 1
+palmen-apotheke.de, 1
+palmettogba.com, 1
+palmex.com, 1
+palmfan.com, 1
+palmiye.tk, 1
+palmlivingae.com, 1
+palmofinfinity.tk, 1
+palmyramo.gov, 1
+palner.eu, 1
+paloalto.gov, 1
+paloma.tk, 1
+palomalopez.tk, 1
+palomardisplays.com, 1
+palominorp.tk, 1
+palonhs.tk, 1
+palotahaz.hu, 1
+palpitediario.com.br, 1
+paltopro.com, 1
+palworld.cn, 1
+pamajans.com, 0
+pamaniqu.nl, 1
+pamc.tk, 1
+pamiers-citoyenne.fr, 1
+pamlightdesign.com, 1
+pamm.tk, 1
+pamontecarloclub.tk, 1
+pamorana.net, 1
+pamsorel.co.za, 1
+pamukhaliyikama.net, 1
+pamvo.com, 1
+pan-lleveme.com, 1
+pan-portugal.com, 1
+pan.digital, 1
+pana4ucloud.ddns.net, 1
+panaceainfosec.com, 1
+panamacity.gov, 1
+panamacitypolice.gov, 1
+panamatravel.tk, 1
+panamatrippin.com, 1
+panamawebfactory.com, 1
+panangelium.tk, 1
+panasca.is, 1
+panascais.at, 1
+panascais.ch, 1
+panascais.co, 1
+panascais.com, 1
+panascais.cz, 1
+panascais.es, 1
+panascais.fi, 1
+panascais.fr, 1
+panascais.host, 1
+panascais.info, 1
+panascais.io, 1
+panascais.me, 1
+panascais.net, 1
+panascais.network, 1
+panascais.nl, 1
+panascais.org, 1
+panascais.pl, 1
+panascais.pt, 1
+panascais.pw, 1
+panascais.ru, 1
+panascais.site, 1
+panascais.tech, 1
+panascais.us, 1
+panascais.zone, 1
+panasproducciones.com, 1
+panaxis.biz, 1
+panaxis.ch, 1
+panaxis.li, 1
+pancake-world.com, 1
+pancake.gg, 1
+pancani.it, 1
+panchajanyafashions.com, 1
+panda-community.com, 1
+panda-craft.tk, 1
+panda-lang.net, 1
+panda-life.tk, 1
+panda.tf, 1
+pandababy.bg, 1
+pandacbd.com, 1
+pandadoc.com, 1
+pandagiftimport.com, 1
+pandahut.net, 1
+pandakid.tk, 1
+pandalab.care, 1
+pandaltd.nl, 0
+pandamo.pl, 1
+pandamoto.fr, 1
+pandapsy.com, 1
+pandasilk.com, 1
+pandavpn.pro, 1
+pandavpnpro.com, 1
+pandelys.tk, 1
+pandemicflu.gov, 1
+pandemicoversight.gov, 1
+pandillatel.ml, 1
+pandit.tech, 1
+pandithaya.tk, 1
+pandjes.com, 1
+pandkonijn.nl, 1
+pandn-bulgaria.com, 1
+pando-market.com, 1
+pandora-prestige.ru, 1
+pandora-system.ru, 1
+pandora.com.tr, 1
+pandoramutiara.id, 1
+pandorarox.com, 1
+pandorrah.nl, 1
+pandorum.cf, 1
+panduan-hamil.tk, 1
+pandymic.com, 1
+pandys.org, 1
+panel-stroy.cf, 1
+panelbear.com, 1
+paneldewelopera.pl, 1
+paneldoorsolutions.com, 1
+paneldoorsolutions.de, 1
+panele-fotowoltaiczne.pl, 1
+paneljobsers.ga, 1
+panelsandwich.com, 1
+panetolikos.gr, 1
+paneu.de, 1
+panezai.tk, 1
+pang.ga, 1
+pangea-it.com, 1
+pangea.cloud, 1
+pangeaservices.com, 1
+pangolin.exchange, 0
+pangoly.com, 1
+panhandleprairiewings.com, 1
+panhardclub.nl, 0
+panheelstraat.tk, 1
+panic-away.tk, 1
+panic.tk, 1
+panicroomgames.ch, 1
+panictours.tk, 1
+panier-legumes.bio, 1
+panierscadeauxinternationaux.com, 1
+paniigielka.pl, 1
+paniniamerica.net, 1
+panino.gr, 1
+paninohome.com, 1
+paniodpolskiego.eu, 1
+paniyanovska.ua, 1
+panjiva.com, 1
+pankiewiczlaw.com, 1
+pankoff.net, 1
+panlex.org, 1
+panmill.xyz, 1
+panmuseum.gr, 1
+panna-blues.tk, 1
+panneauxpropres.be, 1
+pannellisolari.roma.it, 1
+pannovate.com, 1
+pano-guru.com, 1
+pano.ie, 1
+panoramacambios.com, 1
+panoramahillhotel.com, 1
+panoramaphoto.cf, 1
+panoramica.tk, 1
+panoramique.tk, 1
+panoramiquesorganya.tk, 1
+panoramixbycallens.eu, 1
+panoraven.com, 1
+panorays.com, 1
+panoti.com, 0
+panpsychism.com, 1
+panpsychist.com, 1
+pansec.de, 1
+panser.dk, 1
+pansermuseet.com, 1
+pansermuseet.dk, 1
+pansermuseum.dk, 1
+pansino.net, 1
+pansion-differently.tk, 1
+pansionat-himik.ru, 1
+panskeet.xyz, 1
+pansys.de, 1
+panszelescik.pl, 1
+pantagraph.com, 1
+pantai.com.my, 0
+pantallanotebook.cl, 1
+pantallasyescenarios.com, 0
+pantas.com, 1
+pantera.tk, 1
+panthenolplus.co.uk, 1
+panthenolplus.com, 1
+pantheoncommunity.org, 1
+pantherage.co.uk, 1
+panthercitysand.com, 1
+panthi.lk, 1
+pantingly.tk, 1
+pantonshire.com, 1
+pantou.org, 0
+pantryjars.com, 1
+pants-off.xyz, 0
+pantsu.club, 1
+pantsuservice.tk, 1
+pantuflas.tk, 1
+pantypit.com, 1
+panwchi.com, 1
+panyajt.in.th, 1
+panzdravi.cz, 1
+panzer72.ru, 1
+panzers.tk, 1
+panzerwarmodsru.tk, 1
+pao.moe, 1
+paocaibang.net, 1
+paocloud.co.th, 1
+paolodapul.net, 1
+paolodemichele.it, 0
+paolomargari.tk, 1
+paolomarzano.com, 1
+paolomoriggia.com, 1
+paolotagliaferri.com, 1
+paotang.in.th, 1
+paoyou.ml, 1
+pap-pap.ga, 1
+pap.la, 0
+papa---mama.tk, 1
+papa-online.tk, 1
+papa-webzeit.de, 1
+papabrand.tk, 1
+papadoccaffe.pt, 1
+papadopoulos.me, 1
+papaimama.ru, 1
+papajohns.com.ec, 1
+papakarlohas.ru, 1
+papakarlotools.ru, 1
+papakatsu-life.com, 1
+papapa-members.club, 1
+paparazzie.de, 1
+paparazzo.net, 1
+paparoach-fans.ru, 1
+papastratosmazi.gr, 1
+papatest24.de, 1
+papattesstore.com, 1
+papaya.me.uk, 1
+papayapay.com, 1
+papayapythons.com, 1
+papelariaestacaodopapel.com.br, 1
+papelcraft.co.uk, 1
+papeleo.digital, 1
+papelisimo.es, 1
+paper-cutter.com, 1
+paper.sc, 1
+paper.wf, 1
+paperandpage.com, 1
+papercanyon.com, 1
+paperhoney.by, 1
+paperless.spdns.eu, 1
+papermuseum.jp, 1
+paperplus.com.au, 0
+paperpress.gq, 1
+papersmart.net, 1
+papersowl.com, 1
+papertracker.net, 1
+paperwallets.io, 1
+paperwork.co.za, 1
+paperwritinghelp.net, 1
+paperwritten.com, 1
+papgift.com, 1
+papi.com, 1
+papieri.dental, 1
+papierniak.net, 1
+papierniczy.eu, 1
+papillegustative.com, 1
+papillon-events.be, 1
+papinido4ki.ru, 1
+papkinadochka.ru, 1
+papotage.net, 1
+papouille.ml, 1
+pappacoda.it, 1
+pappasappar.se, 1
+pappu.tk, 1
+pappubracelet.com, 0
+papuzkija.pl, 1
+paqtam.com, 1
+par-allel.ru, 1
+parabellum-barakaldo.tk, 1
+parabolaeditorial.com.br, 1
+parabooking.com, 1
+paraborsa.net, 1
+paracels.tk, 1
+parachute.gov, 1
+parachute.live, 1
+parachutes.tk, 1
+parachuteteam.co.uk, 1
+paracomer.es, 1
+parade-nootdorp.nl, 1
+paradex.io, 1
+paradies-baar.ch, 1
+paradiesgirls.ch, 1
+paradigma-med.ru, 1
+paradigmas.tk, 1
+paradigmshift.com.pk, 1
+paradiscapacitados.site, 1
+paradise-engineer.com, 1
+paradise-engineering.com, 1
+paradise-world.ml, 1
+paradiselost.com, 0
+paradisend.tk, 1
+paradiseprivatehospital.com, 1
+paradisestore.org, 1
+paradisetownshipmi.gov, 1
+paradisim.tk, 1
+paradisu.fr, 1
+paradopolis.com, 1
+paradoxdesigns.org, 1
+paradoxium.ml, 1
+paraelganzo.tk, 1
+parafarmacia.it, 1
+paragliding-lessons.com, 1
+paragonremodeling.com, 0
+paragonsigns.tk, 1
+paragontasarim.com, 1
+paragreen.net, 1
+paraguay.tk, 1
+parakazanmafikirleri.com, 1
+paralegaledu.org, 1
+paraleli.ge, 1
+parallel-creative.co.uk, 1
+parallel-worlds.tk, 1
+paralleum.cz, 1
+paraluman.be, 1
+paralysis.ga, 1
+paramapa.com.py, 1
+paramascotas.vip, 1
+paramithicy.com, 1
+paramloda.online, 1
+paramo-pineiro.tk, 1
+paramountbank.com, 1
+paramountdigitalcopy.com, 1
+paramusborough.gov, 1
+paranoid.is, 1
+paranoidandroid.co, 1
+paranoidandroid.tk, 1
+paranoidpengu.in, 1
+paranoidpenguin.net, 1
+paranormales.tk, 1
+paranoxer.hu, 1
+paranoxido.tk, 1
+parapenteciconia.tk, 1
+parapickgames.ga, 1
+paraplyen.tk, 1
+parapsihologia.tk, 1
+parareflex.fr, 1
+paras.tk, 1
+parasatria.tk, 1
+paraserviceco.com, 1
+parasgroupindia.com, 1
+parasitologyclub.org, 1
+parasomnia.tk, 1
+parastaran.tk, 1
+parasympathy.com, 1
+paratlan.hu, 1
+paratlantalalkozas.hu, 1
+parattusdecora.com.br, 1
+paratupelo.com.es, 1
+paratxt.org, 1
+paraverse.tk, 1
+paravielfalt.zone, 1
+parazyd.cf, 1
+parcare.at, 1
+parcare.be, 1
+parcare.es, 1
+parcare.fr, 1
+parcare.nl, 1
+parcbotanique.com, 1
+parcelauditpartners.com, 1
+parceltrackr.com, 1
+parcelup.com, 1
+parchcraftaustralia.com, 1
+parcheggi-firenze.it, 1
+parcheggio-aeroportofiumicino.it, 1
+parcheggio-aeroportomalpensa.it, 1
+parckwart.de, 1
+parcoursup-nouvelle-caledonie.fr, 1
+parcoursup.fr, 1
+pardal.tk, 1
+pardanaud.com, 1
+paregion13.gov, 1
+parejaideal.es, 1
+parelectric.com, 1
+parelweb.nl, 1
+paremedical.au, 1
+paremvasi.net, 1
+parentelement.com, 1
+parenthood.guide, 1
+parentingplaydough.tk, 1
+parentinterview.com, 1
+parentpay.com, 1
+parentpayments.com.au, 1
+parents-as-allies.com, 1
+parentsandzebrasunited.com, 1
+parentsguidetotheworld.com, 1
+parentsintouch.co.uk, 1
+parentsmaster.com, 1
+parenttheirpassion.com, 1
+pareshukuk.com, 1
+paretoit.com, 1
+paretorule.cf, 1
+parfum-best.ml, 1
+parfumer.tk, 1
+parfumi-eu.com, 1
+parfumi.tk, 1
+parfumtester-100.ml, 1
+parfumuri.blog, 1
+parhelionaerospace.com, 1
+pari-match.in, 1
+pari-vinci.org, 1
+pari.cz, 1
+paribus.io, 1
+parichadrelax.se, 1
+parideal.com, 1
+parideal.de, 1
+paridokhtmoshkzad.com, 1
+paridurable.com, 1
+parikmag-pm.ru, 1
+parikmaxeru.tk, 1
+parimatch-best.com, 1
+parimatch-betting.com, 1
+parimatch-chance.com, 1
+parimatch-email.com, 1
+parimatch-live.com, 1
+parimatch-play.com, 1
+parimatch-plus.com, 1
+parimatch-sport.com, 1
+parimatch-sports.com, 1
+parimatch-world.com, 1
+parimatch.co.tz, 1
+parimatch.com, 1
+parimatch.in, 1
+parimatch.kz, 1
+parimatch.net, 1
+parimatch.tj, 1
+parimatch8.com, 1
+parimatchgo.com, 1
+parimatchlive.com, 1
+parimatchsports.com, 1
+parimatchtop.com, 1
+parina.vn, 1
+parinc.com, 1
+pario.li, 1
+paripesa.com, 1
+paripesa.ng, 1
+paris-elysees.com, 0
+paris-luttes.info, 1
+paris.edu, 1
+parisa-panahi.com, 1
+parisackerman.com, 1
+parisbesttravel.com, 1
+parisdeluxxxe.com, 1
+parisdimitriou.com, 1
+parisdomino.tk, 1
+parisescortgirls.com, 1
+parisfranceparking.com, 1
+parisfranceparking.de, 1
+parisfranceparking.fr, 1
+parisfranceparking.nl, 1
+parishoftheholycross.org, 1
+parishome.jp, 1
+parismalleg.com, 1
+parisportif.tv, 1
+parissportifs.com, 1
+pariu.online, 0
+parizhanka.tk, 1
+park-trek.com, 1
+park.gd, 1
+parkable.com, 1
+parkairecrossing.com, 1
+parkbee.com.br, 1
+parkcare.at, 1
+parkcare.be, 1
+parkcare.co.uk, 1
+parkcare.es, 1
+parkcare.fr, 1
+parkcare.it, 1
+parkcare.nl, 1
+parkcare.pt, 1
+parkcheap.nl, 1
+parkchesterinfo.com, 1
+parkcitycu.org, 1
+parkcounty-wy.gov, 1
+parkcountyco.gov, 1
+parkcountysheriff-wy.gov, 1
+parkderm.com, 1
+parked-domain.net, 1
+parkeer.nl, 1
+parkeerserviceboxtel.nl, 1
+parkefficient.de, 1
+parken-duesseldorfflughafen.de, 1
+parken-flughafenamsterdam.de, 1
+parken-flughafenbremen.de, 1
+parken-flughafendortmund.de, 1
+parken-flughafendresden.de, 1
+parken-flughafeneindhoven.de, 1
+parken-flughafenfrankfurt.de, 1
+parken-flughafenhahn.de, 1
+parken-flughafenhannover.de, 1
+parken-flughafenkoeln.de, 1
+parken-flughafennuernberg.de, 1
+parken-flughafenstuttgart.de, 1
+parken-flughafentegel.de, 1
+parken-flughafenweeze.de, 1
+parken-hamburgflughafen.de, 1
+parken-leipzigflughafen.de, 1
+parkenamflughafen.de, 1
+parkenflughafen-muenchen.de, 1
+parkenflughafenbrandenburg.de, 1
+parkenflughafenlelystad.de, 1
+parker-pllc.com, 1
+parkerco.gov, 1
+parkercs.cf, 1
+parkercs.ga, 1
+parkercs.gq, 1
+parkercs.ml, 1
+parkercs.tech, 1
+parkercs.tk, 1
+parkeren.in, 1
+parkerenamsterdamcentrum.nl, 1
+parkerenbremen-airport.nl, 1
+parkerenbrussel-airport.nl, 1
+parkerencharleroi-airport.nl, 1
+parkerendusseldorf-airport.nl, 1
+parkereneindhoven-airport.nl, 1
+parkerenfrankfurt-airport.nl, 1
+parkerengroningen-airport.nl, 1
+parkerenhahn-airport.nl, 1
+parkerenkeulen-airport.nl, 1
+parkerenlelystad-airport.nl, 1
+parkerenrotterdam-airport.nl, 1
+parkerenrotterdamcentrum.nl, 1
+parkerenschiphol-airport.nl, 1
+parkerenutrechtcentrum.nl, 1
+parkerenweeze-airport.nl, 1
+parkerforum.cf, 1
+parkerforum.tk, 1
+parkers.cf, 1
+parkers.co.uk, 1
+parkers.ga, 1
+parkers.gq, 1
+parkers.ml, 1
+parkers.tk, 1
+parkersweeper.com, 1
+parket.gq, 1
+parketsn.ru, 0
+parkettlegerhandwerk.eu, 1
+parking-aeropuertomadrid.es, 1
+parking-roissycharlesdegaulle.fr, 1
+parkingaeroport-beauvais.fr, 1
+parkingaeroport-bordeaux.fr, 1
+parkingaeroport-charleroi.be, 1
+parkingaeroport-marseille.fr, 1
+parkingaeroport-nantes.fr, 1
+parkingaeroport-nice.fr, 1
+parkingaeroport-orly.fr, 1
+parkingaeroport-zaventem.be, 1
+parkingaeropuerto-alicante.es, 1
+parkingaeropuerto-barcelona.es, 1
+parkingaeropuerto-bilbao.es, 1
+parkingaeropuerto-malaga.es, 1
+parkingaeropuerto-santander.es, 1
+parkingaeropuerto-sevilla.es, 1
+parkingaeropuerto-valencia.es, 1
+parkingcheap.co.uk, 1
+parkinggaragecleaningchicago.com, 1
+parkinggaragepressurewashingchicago.com, 1
+parkinginparis.fr, 1
+parkingmasters.be, 1
+parkingparisnord.fr, 1
+parkingtoday.com, 1
+parkinsons.tk, 1
+parkmycloud.com, 1
+parkofnations.com, 1
+parkos.com, 1
+parkos.de, 1
+parkos.it, 1
+parkos.nl, 1
+parkplus.in.ua, 0
+parkr.io, 0
+parkrangeredu.org, 1
+parkrunstats.servehttp.com, 1
+parkseed.com, 1
+parksi.top, 1
+parkstonegp.com, 1
+parkstreet.com, 1
+parksubaruoemparts.com, 1
+parktownpatrols.co.za, 1
+parktraum.com, 1
+parkujkladne.cz, 1
+parkvetgroup.com, 1
+parkviewmotorcompany.com, 1
+parkwayminyan.org, 1
+parkweiher.koeln, 1
+parkwhiz.com, 1
+parlakjurnal.com, 1
+parlament.cf, 1
+parlamento.gub.uy, 1
+parlamentum.com.br, 1
+parleamonluc.fr, 1
+parleu2016.nl, 1
+parleur.net, 1
+parliamentcamp.com, 1
+parmartecultura.it, 1
+parmatoday.it, 1
+parmels.com.br, 1
+parmoli.tk, 1
+parnassys.net, 1
+parniplus.com, 1
+parnizaziteksasko.cz, 1
+paroisses-theix-surzur.com, 1
+parokia.hu, 1
+parolededieu.org, 1
+paroli.pl, 1
+parolu.io, 1
+paronubi.com, 1
+parool.nl, 1
+parovozov.ga, 1
+paroxetine.gq, 1
+parperfeito.pt, 1
+parpharm.com, 1
+parque-batlle.tk, 1
+parquebatlle.tk, 1
+parquestejo.pt, 1
+parquettista.milano.it, 1
+parquettista.roma.it, 1
+parquettisti.roma.it, 1
+parratennis.com.au, 1
+parrocchiadimeana.tk, 1
+parrocchiamontevecchia.it, 1
+parroquiacorazondemaria.tk, 1
+parroquiadesanlesmes.tk, 1
+parrotbook.cf, 1
+parry.org, 1
+pars.work, 1
+parsdev.com, 0
+parsec.app, 1
+parsemail.org, 1
+parser.nu, 1
+parsi.com, 1
+parsify.eu, 1
+parsiko.com, 1
+parsonsfamilyhomes.com, 1
+parsonspdks.gov, 1
+parsuv.ir, 1
+part.la, 1
+partage.ovh, 1
+parteaga.com, 1
+parteaga.net, 1
+partecipa.tn.it, 1
+partedmagic.com, 1
+partenopei.net, 1
+parthkolekar.me, 1
+parthuisot.fr, 1
+particle-vision.ch, 1
+particles.cf, 1
+particleslam.com, 1
+partido-libertario.tk, 1
+partidolibertario.tk, 1
+partiellkorrekt.de, 1
+partigetir.com, 1
+partigoldendoodle.com, 1
+partii.tk, 1
+partijtjevoordevrijheid.nl, 0
+partijvoordedieren.nl, 1
+partilino.com, 1
+partin.nl, 0
+partiono.com, 1
+partir-en-livre.fr, 1
+partisaani.com, 1
+partisan-berlin.tk, 1
+partituras.tk, 1
+partner-compensation.com, 1
+partner-finden.tk, 1
+partnerbeam.com, 1
+partnerchik.tk, 1
+partnerforex.tk, 1
+partnermobil.de, 1
+partnerobzor.tk, 1
+partnerportal.io, 1
+partners1xbet.com, 1
+partners1xbit.com, 1
+partners1xslot.com, 1
+partners1xslots.com, 1
+partners4results.net, 1
+partnersbiz.com, 1
+partnersconsult.net, 1
+partnersofprc.com, 1
+partnertaxhub.com, 1
+partnerwerk.de, 0
+partofthequeue.cf, 1
+partofthequeue.ga, 1
+partofthequeue.gq, 1
+partofthequeue.ml, 1
+parts4phone.com, 0
+partsandmotorcycles.com, 1
+partsandscore.com, 1
+partsavto.tk, 1
+partsbox.com, 1
+partsbox.io, 1
+partscenterplus.com, 1
+partscov.ga, 1
+partscov.gq, 1
+partsdost.com, 1
+partsestore.com, 1
+partsgeek.com, 1
+partsguysusa.com, 1
+partsinstock.com, 1
+partsworld.bg, 1
+partusedtyres.net, 1
+party-kneipe-bar.com, 1
+party-time-inflatables-durham.co.uk, 1
+partyaccommodationsers.ga, 1
+partyaccommodationsest.ga, 1
+partyausstatter24.de, 1
+partyclub.tk, 1
+partycoin.ga, 1
+partyevents.tk, 1
+partygangsta.de, 1
+partyhireliverpool.co.uk, 1
+partykanal.cz, 1
+partymat.de, 1
+partymusikband.de, 1
+partypearl.de, 1
+partypeeps.tk, 1
+partyphoto.tk, 1
+partyrocksbounce.co.uk, 1
+partyschnaps.com, 1
+partyshop.ge, 1
+partytimeltd.ie, 1
+partywithunicorns.com, 1
+partyyy.io, 1
+partyzone.ie, 1
+paru-design.com, 1
+parvaneh.fr, 1
+parys.org, 1
+pasabahcemagazalari.com, 1
+pasadena.gov, 1
+pasadenapooch.org, 1
+pasarella.eu, 1
+pascal-bourhis.com, 1
+pascal-koelsch.de, 1
+pascal-ua.tk, 1
+pascal-wittmann.de, 1
+pascalchristen.ch, 1
+pascalgames.tk, 1
+pascalhargarter.de, 1
+pascaline-jouis.fr, 1
+pascalleguern.com, 1
+paschmid.ch, 1
+pascoaselecta.com, 1
+pascocountyfl.gov, 1
+pascoflcorrections.gov, 1
+pascopresents.com, 1
+pascosheriff.com, 1
+pascovotes.gov, 1
+pascualberniz.tk, 1
+pascualinmuebles.com, 1
+pasearch.nl, 1
+paseka-putilinyh.ru, 1
+paseodelariviera.com, 1
+pashminacachemire.com, 1
+paslc.gov, 1
+paslerfilm.de, 1
+pasnederland.tk, 1
+pasnine.my.id, 1
+pasportaservo.org, 1
+pasquinelli-truebag.ch, 1
+pass-jobcoaching.nl, 1
+passa.org, 1
+passabook.com, 1
+passau-webdesign.com, 1
+passbolt.com, 1
+passedport.eu, 1
+passedport.net, 1
+passedport.org, 1
+passegginieculle.it, 1
+passendonderwijs.nl, 0
+passengertravelportal.com, 1
+passer.ga, 1
+passer.tk, 1
+passfilesafe.com, 1
+passfindr.com, 1
+passfoto-deinfoto.ch, 1
+passgator.com, 1
+passieposse.nl, 1
+passinggrade.co.id, 1
+passion-billard.fr, 1
+passion-net.fr, 1
+passionatefoodie.co.uk, 1
+passionatehorsemanship.com, 1
+passionatelife.com.au, 1
+passiondesigns.web.id, 1
+passionebenessere.com, 1
+passionegriglia.com, 1
+passionforbusiness.com, 1
+passionpictures.eu, 1
+passions-art.com, 1
+passiton.com, 1
+passive-work.gq, 1
+passivebook.com, 1
+passiveseinkommen.tk, 1
+passivhaus.tk, 1
+passky.org, 1
+passover-fun.com, 1
+passphrase.today, 1
+passport.yandex.by, 1
+passport.yandex.com, 1
+passport.yandex.com.tr, 1
+passport.yandex.kz, 1
+passport.yandex.ru, 1
+passport.yandex.ua, 1
+passportapproved.com, 1
+passportcorporate.com, 1
+passports.govt.nz, 1
+passporttrails.com, 1
+passportunlimited.com, 1
+passrhce.com, 1
+passrhcsa.com, 1
+passthrough.com, 1
+passtooeasy.com, 1
+passumpsicbank.com, 1
+passvanille-reservation.fr, 1
+passvau.lt, 1
+passware.com, 1
+passwd.one, 1
+passwd.org, 1
+password-checker.de, 1
+password.codes, 1
+password.consulting, 1
+passwordgenerator.ml, 1
+passwordlist.io, 0
+passwords.google.com, 1
+passwordsapp.org, 1
+passwordscon.com, 1
+passwordscon.org, 1
+passwordsecurity.info, 1
+passwordsheeters.ga, 1
+passwordsheetest.ga, 1
+passwordsleakcheck-pa.googleapis.com, 1
+passworks.io, 1
+pasta-factory.co.il, 1
+pastaenprosecco.nl, 1
+pastaroomers.ga, 1
+pastaroomest.ga, 1
+paste.fedoraproject.org, 1
+paste.gg, 1
+paste.rodeo, 1
+paste.to, 1
+pastebin.bet, 1
+pastebin.run, 1
+pasteblin.com, 1
+pasteht.ml, 1
+pasteleriaflomar.es, 1
+pastelpixels.studio, 1
+pasternok.org, 1
+pasteros.io, 1
+pastetot.com, 1
+pasteworks.com, 1
+pasticceria.milano.it, 1
+pasticcerialorenzetti.com, 1
+pasticceriaveneziana.ga, 1
+pastillased.gq, 1
+pastinfluences.com.au, 1
+pastorbelgagroenendael.com.br, 1
+pastorcanadense.com.br, 1
+pastordocaucaso.com.br, 1
+pastorello.cf, 1
+pastorello.ga, 1
+pastorello.gq, 1
+pastori-kollegen.de, 1
+pastorluciano.tk, 1
+pastormaremanoabruzes.com.br, 1
+pastorsline.com, 1
+pastorsuico.com.br, 1
+pastry.network, 1
+pastrybakerymachinery.com, 1
+pasugo.tk, 1
+pasyta.gr, 1
+paszkowski.tk, 1
+patagonie.fr, 1
+patagosfm.tk, 1
+patalie.cz, 0
+patalie.sk, 0
+patanegra-jambon.fr, 1
+patanegra-prosciutto.it, 1
+patanegra-schinken.ch, 1
+patanegra-schinken.de, 1
+patapwn.com, 1
+patatbesteld.nl, 1
+patbatesremodeling.com, 0
+patchassociates.com, 1
+patchduty.com, 1
+patchli.fr, 1
+patchofabsence.com, 1
+patchstack.com, 0
+patchyvideo.com, 1
+patdorf.com, 1
+patechmasters.com, 1
+patel.sh, 1
+patelheaters.com, 1
+patent-motorowodny.pl, 1
+patent-sternika.pl, 1
+patentados.com, 1
+patentmanufaktur.video, 1
+patentpanelers.ga, 1
+patentpanelest.ga, 1
+patentu.ga, 1
+patentverwag.com, 1
+paterno-gaming.com, 1
+patersonpdnj.gov, 1
+patguzmanconstruction.com, 1
+pathfinderbank.com, 1
+pathfindergeo.com, 1
+pathofexile2.com, 1
+pathogen.nl, 1
+pathologie-dna.nl, 1
+pathsaversers.ga, 1
+pathsaversest.ga, 1
+pathsha.re, 1
+pathwayscenterforgrief.org, 1
+pathwayscenterforgriefandloss.org, 1
+pathwaysthroughgrief.org, 1
+pathwaytofaith.com, 1
+patience.nl, 1
+patient.info, 1
+patientenverfuegung.digital, 1
+patientup.com, 1
+patientys.com, 1
+patiga.ga, 1
+patikabiztositas.hu, 1
+patikakristaly.hu, 1
+patimbanservisindonesia.co.id, 1
+patin.cf, 1
+patineteselectricosbaratos.net, 1
+patioboreal.ca, 1
+patioroof.cf, 1
+patiosheders.ga, 1
+patioshedest.ga, 1
+patlis.com, 1
+patmanx.tk, 1
+patmos.tech, 0
+patorganiser.co.uk, 1
+patorganiser.com, 1
+patorganiser.com.au, 1
+patpat.com, 1
+patralos.at, 0
+patri.fr, 1
+patric-lenhart.de, 1
+patrice-carriere.tk, 1
+patriceonline.tk, 1
+patricia-lackovic.from.hr, 1
+patriciadelamora.tk, 1
+patriciakraken.at, 1
+patriciaramos.pt, 1
+patriciaroy.co, 1
+patrick-omland.eu, 1
+patrick-robrecht.de, 1
+patrick.dark.name, 1
+patrick.my-gateway.de, 1
+patrick21.ch, 1
+patrickaudley.ca, 1
+patrickaudley.com, 1
+patrickbusch.net, 1
+patrickcontainerrotator.ga, 1
+patrickdankers.nl, 1
+patrickhoefler.net, 1
+patrickpeeters.com, 1
+patrikjohan.cf, 1
+patrikjohan.ga, 1
+patrikjohan.gq, 1
+patrikjohan.tk, 1
+patriksima.cz, 1
+patrina-bukoting.my.id, 0
+patriotbailbondsdenver.com, 1
+patriotbearingsupply.com, 1
+patriotcs.tk, 1
+patriotinsurancebrokers.com, 1
+patriotsaustralia.com, 1
+patriquefashion.tk, 1
+patris-querre.com, 1
+patrisnews.com, 1
+patrocinio.com.br, 1
+patrogers.org, 1
+patrovic.com, 1
+patrycjamichera.com, 1
+patryk.cf, 1
+patrz.eu, 1
+patservicecenter.com, 1
+patsytoforyou.ch, 0
+pattanath.com, 1
+pattayafruitgarden.tk, 1
+pattayawebservices.com, 1
+patterico.com, 1
+pattern.com, 1
+pattersonca.gov, 1
+pattoes.ga, 1
+pattonfanatic.com, 1
+pattuka.com, 1
+pattyboobs.net, 1
+pattyliao.com, 1
+pauct.com, 1
+paudley.ca, 1
+paudley.com, 1
+paudley.org, 1
+pauk.at, 1
+paul-barton.co.uk, 1
+paul-online.tech, 1
+paul-sitarz.com, 1
+paul-zhang.de, 1
+paul.media, 1
+paul.reviews, 1
+paulahot.tk, 1
+paulandmadge.com, 1
+paulanet.tk, 1
+paulasilvasvensson.eu, 1
+paulbaily.com, 1
+paulborza.com, 1
+paulbramhall.uk, 1
+paulbrown.ddns.net, 1
+paulc-themovie.com, 1
+paulchua.tk, 1
+paulcloud.fr, 1
+paulcoldren.org, 1
+pauld.codes, 1
+pauldeconinck.tk, 1
+paulfc.com, 1
+paulgerberrealtors.com, 1
+paulgo.io, 1
+paulhacker.com, 1
+paulharrisoncars.com, 1
+paulibean.tk, 1
+paulinaschubert.net, 1
+paulini.ga, 1
+pauliuspiecius.com, 1
+pauljackson.ga, 1
+pauljamesblinds.co.uk, 1
+pauljmartinez.com, 1
+pauljrowland.co.uk, 1
+pauljzak.com, 1
+paullockaby.com, 1
+paullovestugba.nl, 1
+paulmarc.org, 1
+paulmarvin.tk, 1
+paulmolloy.guitars, 1
+paulmolloydesign.com, 1
+pauloalcalde.co, 1
+pauloalcalde.com, 1
+pauloalcobianeves.pt, 1
+paulober.eu, 1
+pauloboer.nl, 1
+paulocolacino.tk, 1
+paulogarcia.tk, 1
+pauloneto.eu, 1
+paulopaiva.com.br, 1
+paulopeters.com.br, 1
+paulorochago.com.br, 1
+paulov.com, 1
+paulov.info, 1
+paulov.ru, 1
+paulrainesjr.com, 1
+paulrobertlloyd.com, 1
+paulromer.net, 1
+paulrotter.de, 1
+paulrowland.co.uk, 1
+paulrudge.codes, 1
+paulschreiber.com, 1
+paulscustomauto.com, 1
+paulshir.com, 1
+paulshir.is, 1
+paulsitarz.com, 1
+paulsnar.lv, 1
+paulswartz.net, 1
+paultonspark.co.uk, 1
+paultrans-muenchen.de, 1
+paulus-foto.pl, 1
+paulus.cloud, 1
+paulw.io, 1
+paulward.net, 1
+paulwatabe.com, 1
+paulwatler.co.uk, 1
+paulwendelboe.com, 1
+paulwilhelm.de, 1
+pauly-stahlhandel.com, 1
+pauly-stahlhandel.de, 1
+paulzakin.com, 1
+paulzen.me, 1
+pausado.com, 1
+pausewhenagitated.com, 1
+pautadiaria.com, 1
+pavajebucovina.ro, 1
+pavamtio.cz, 1
+pavando.com, 0
+pavcomm.com, 1
+pavel.cc, 1
+paveldesign.tk, 1
+pavelfojt.cz, 1
+pavelfucik.com, 1
+pavelfucik.cz, 1
+pavelfucik.eu, 1
+pavelich.com, 1
+pavelitus.tk, 1
+paveljanda.com, 1
+pavelrebrov.com, 1
+pavelstriz.cz, 1
+paven.io, 0
+pavernosmatao.tk, 1
+paviliontwpmi.gov, 1
+pavingtiles.tk, 1
+pavitrajyotish.com, 0
+pavlic.se, 1
+pavlov-ledec.cz, 1
+pavlova.es, 1
+paw.cloud, 1
+paw.net.pl, 1
+paw.pt, 1
+pawafuru.com, 0
+pawapuro.ga, 1
+pawapuro.tk, 1
+pawchewgo.com, 1
+pawealthmanagement.com, 1
+pawel-international.com, 1
+pawelgo.pl, 1
+pawelnazaruk.com, 1
+pawelurbanek.com, 1
+pawelurbanski.com, 1
+pawgearlab.com, 1
+pawneecountyne.gov, 1
+pawnsoft.tk, 1
+pawp.com, 1
+pawpatrol.tk, 1
+pawpawtownshipmi.gov, 1
+pawserv.pw, 0
+pawsitiv.space, 1
+pawson.tk, 1
+pawspetwear.com.au, 1
+pawsr.us, 1
+pawsru.org, 1
+pawtraitcaptures.com.au, 1
+paxerahealth.com, 1
+paxwinkel.nl, 1
+pay-online.in, 1
+pay.accountant, 1
+pay.apartments, 1
+pay.band, 1
+pay.basketball, 1
+pay.business, 1
+pay.catering, 1
+pay.cleaning, 1
+pay.condos, 1
+pay.construction, 1
+pay.contractors, 1
+pay.dance, 1
+pay.dentist, 1
+pay.dog, 1
+pay.engineer, 1
+pay.equipment, 1
+pay.faith, 1
+pay.flights, 1
+pay.football, 1
+pay.foundation, 1
+pay.gallery, 1
+pay.gov, 0
+pay.graphics, 1
+pay.hockey, 1
+pay.im, 1
+pay.insure, 1
+pay.investments, 1
+pay.kitchen, 1
+pay.lawyer, 1
+pay.llc, 1
+pay.memorial, 1
+pay.mg, 0
+pay.photography, 1
+pay.plumbing, 1
+pay.rent, 1
+pay.rentals, 1
+pay.repair, 1
+pay.sb, 1
+pay.school, 1
+pay.solar, 1
+pay.storage, 1
+pay.surf, 1
+pay.tennis, 1
+pay.ubuntu.com, 1
+pay.university, 1
+pay.video, 1
+pay.wedding, 1
+pay2keep.com, 1
+pay8522.com, 1
+paya.cat, 1
+payam.co.nz, 1
+payam.com.au, 1
+payat.io, 1
+paybackfx.com, 1
+payblog.org, 1
+payboy.biz, 1
+payboy.click, 1
+payboy.rocks, 1
+paybro.eu, 1
+paycardtech.com, 1
+paycentre.com, 1
+paycore.com, 1
+paycore.io, 1
+paydepot.com, 1
+paydoor9.com, 1
+payeasy.tech, 1
+payfare.com, 1
+payfazz.com, 1
+payforpeople.nl, 0
+paygvpn.com, 1
+payhub.jp, 1
+payjunction.com, 1
+payjunctionlabs.com, 1
+paykings.com, 1
+paylabs.co.id, 1
+paylessclinicers.ga, 1
+paylessclinicest.ga, 1
+paylessmealsers.ga, 1
+paylessmealsest.ga, 1
+paylike.io, 1
+paylike.se, 1
+payload.ca, 1
+paylocal.net, 0
+payme.io, 1
+payme.uz, 1
+payment-express.net, 1
+payment-network.com, 0
+payment.vet, 1
+paymentaccuracy.gov, 1
+paymentjs.com, 1
+payments.google.com, 1
+paymentworks.com, 1
+paymeservice.com, 1
+paymongo.com, 1
+paymongo.help, 1
+paymore.org, 1
+paymyphysician.com, 1
+paynexpay.com, 1
+paynuity.com, 1
+payonline-api.xyz, 1
+paypac.com.au, 1
+paypac.org, 1
+paypack.net.au, 1
+paypal.com, 1
+paypal.gift, 1
+paypaq.com, 1
+paypcns.co.uk, 1
+paypod.org, 1
+paypro.nl, 0
+payps.ru, 1
+payraise.us, 1
+payroll.ch, 0
+payroll.myftp.org, 1
+payrollhr.be, 1
+paysap.bt, 1
+paysbuy.com, 1
+paysbuy.net, 1
+paysbuy.org, 1
+payscevennes.fr, 1
+paysensei.com, 1
+paysera.com, 1
+paysera.ee, 1
+paysera.lt, 1
+payservices.com, 1
+paysitesreviews.net, 1
+payskins.xyz, 1
+payslipview.com, 1
+paysomeonetodomyonlineclasses.com, 1
+payspace.com, 1
+paystack.com, 1
+paystarkagency.com, 1
+paysys.jp, 1
+paytm.in, 1
+paytowriteessays.net, 1
+payu.com, 1
+payufin.in, 1
+payupay.ru, 1
+payvalida.com, 1
+paywait.com, 1
+payward.com, 1
+payzang.com, 1
+pazarlab.com, 1
+pazyarmonia.tk, 1
+pb-design.ch, 1
+pb-eatz.com, 1
+pb.ax, 0
+pba.org.uk, 1
+pback.se, 1
+pbbm.com.ph, 1
+pbc.gov, 1
+pbcables.tk, 1
+pbcknd.ml, 1
+pbcpao.gov, 1
+pbdigital.org, 0
+pbern.xyz, 1
+pbest.tk, 1
+pbgfl.gov, 1
+pbhs.co.uk, 1
+pbiexplorer.com, 1
+pbla.biz, 1
+pbmdiscounter.nl, 1
+pbo.vic.gov.au, 1
+pborn.eu, 1
+pbourhis.me, 1
+pbpe.tv, 1
+pbqs.site, 1
+pbr.so, 1
+pbraunschdash.com, 1
+pbrb.gov, 1
+pbrumby.com, 1
+pbsrmoto.com.au, 1
+pbsuite.com, 1
+pbwebdev.com, 1
+pbz.im, 1
+pc-center.tk, 1
+pc-mac.de, 1
+pc-master.pl, 1
+pc-pharma.com, 1
+pc-porady.pl, 1
+pc-remont.tk, 1
+pc-service.me, 1
+pc-servis-brno.com, 1
+pc-soft.gq, 1
+pc-soft.tk, 1
+pc-stuff.tk, 1
+pc-taskal.net, 1
+pc-tech.ga, 1
+pc-tweak.de, 1
+pc-warriors.com, 1
+pc.domains, 1
+pc28yc.com, 1
+pc94666.com, 1
+pcah.gov, 1
+pcast.gov, 1
+pcbarchitect.com, 1
+pcbfl.gov, 1
+pcbmarketing.gq, 1
+pcbmodel.com, 1
+pcbny.com, 1
+pcbooks.in, 1
+pcbricole.fr, 1
+pcbuildinggr.com, 1
+pccartel.com, 1
+pccc.co.za, 1
+pccdal.gov, 1
+pccegoa.org, 1
+pccomc.tk, 1
+pcdekegel.nl, 1
+pcdn.cf, 1
+pcdocjim.com, 1
+pcdomain.com, 1
+pcdroid.ga, 1
+pcdroid.tk, 1
+pcel.com, 1
+pcengines.com.au, 1
+pcexpress.tk, 1
+pcf-frankfurt.de, 1
+pcf.com, 1
+pcfdut.gov, 1
+pcfiles.ga, 1
+pcfunder.co.uk, 1
+pcgalleries.com, 1
+pcgamemc.com, 1
+pcgamingfreaks.at, 1
+pcgverademo.com, 1
+pchan.is, 1
+pchancs.com, 1
+pchelpforum.net, 1
+pci-e.net, 1
+pci4.org, 1
+pcie.ac, 1
+pcipal.com, 1
+pcisecuritystandards.org, 1
+pcissc.org, 1
+pckurzypd.sk, 1
+pclgroup.co.nz, 1
+pclicensekeys.com, 1
+pcloud.com, 1
+pclyst.com, 0
+pcmania.tk, 1
+pcmaw.com, 1
+pcminsk.by, 1
+pcmkrembangan.or.id, 1
+pcmobile.tech, 1
+pcmr.info, 1
+pcmr.rocks, 1
+pcmscientific.com, 1
+pcnaid.com, 1
+pcnetinc.com, 1
+pcnewsoft.tk, 1
+pcnotdienst-oldenburg-rastede.de, 1
+pcpao.gov, 1
+pcpasokh.ir, 1
+pcpirates.tk, 1
+pcplaza.tk, 1
+pcprkolo.pl, 1
+pcproblem.tk, 1
+pcpromaroc.ma, 1
+pcptest-api.azurewebsites.net, 1
+pcpuhastaja.tk, 1
+pcrab.ml, 1
+pcrecovery.ga, 1
+pcrobot.cz, 1
+pcrypt.org, 1
+pcsafe.cf, 1
+pcsbrasil.ml, 1
+pcscotus.gov, 1
+pcsetting.com, 1
+pcsolutionsofwillis.ga, 1
+pcsolutionsofwillis.gq, 1
+pcstoronto.ca, 0
+pcsuniverse.ga, 1
+pcsx2.net, 1
+pcsystem.co.uk, 1
+pctelecom.cf, 1
+pctelecom.ga, 1
+pctelecom.gq, 1
+pctelecom.ml, 1
+pctips.cf, 1
+pctips.gq, 1
+pctips.tk, 1
+pctonic.net, 1
+pctravel.ca, 1
+pctronicks.tk, 1
+pctrouble.net, 1
+pcunddruckerservice.de, 1
+pcunderground.com.ar, 1
+pcvalueservices.com.au, 0
+pcvirusclear.com, 1
+pcw.gov.ph, 1
+pcwdevtwebsite.azurewebsites.net, 1
+pcwiz2u.com, 1
+pcworld.pl, 1
+pcxserver.com, 1
+pd1rnt.nl, 1
+pdamerica.org, 1
+pdavislawgroup.com, 1
+pdax.ph, 1
+pdbj.org, 1
+pderas.com, 1
+pdf-archive.com, 0
+pdf-tool.fr, 1
+pdf.io, 1
+pdf4pro.com, 1
+pdfbear.com, 1
+pdfbook-dl.ml, 1
+pdfbooksonline.gq, 1
+pdfconvert.me, 1
+pdfflier.cf, 1
+pdfget.com, 1
+pdfko.com, 1
+pdflip.cf, 1
+pdfmanga.tk, 1
+pdfmint.com, 1
+pdfpassword.org, 1
+pdfpasswort.de, 1
+pdfpedia.cf, 1
+pdfprostore.cf, 1
+pdfquran.tk, 1
+pdfresizer.com, 1
+pdfsearches.com, 1
+pdfsheeters.ga, 1
+pdfsheetest.ga, 1
+pdihc.com, 1
+pdkrawczyk.com, 1
+pdmonroewi.gov, 1
+pdox.net, 1
+pdpa.ai, 1
+pds.police.uk, 1
+pdsk.ch, 1
+pdtech.ltd, 1
+pdtppfl.gov, 1
+pdvault.co, 1
+pe-bank.jp, 1
+pe-netz.de, 1
+pe-portal.de, 1
+pe.search.yahoo.com, 0
+pe7k.com, 1
+pe7k.de, 1
+pe7k.nl, 1
+peabodytile.com, 1
+peace-is-possible.net, 1
+peaceandjava.com, 1
+peaceandwool.com, 0
+peacedivorce.com, 1
+peaceexpoers.ga, 1
+peaceexpoest.ga, 1
+peacefulrock.com, 1
+peaceispossible.cc, 1
+peacekeeper.tk, 1
+peacekingpod.com, 1
+peacepiperanch.com, 1
+peacetourco.cf, 1
+peacewiththewild.co.uk, 1
+peachbuildingproducts.com, 1
+peachesandchampagne.com, 1
+peachstateaesthetics.com, 1
+peacock.onl, 1
+peacockn.com, 1
+peaici.fr, 1
+peak-careers.com, 1
+peakd.com, 1
+peakhillre.ga, 1
+peakperformance.hr, 1
+peaksalesrecruiting.com, 1
+peakseoservices.co.uk, 1
+peaksloth.com, 1
+peaksports.com, 0
+peaksupport.io, 1
+peakvets.co.uk, 1
+peanutbutter.com, 1
+peanutpay.de, 1
+peanutproductionsnyc.com, 1
+pearbloom.com, 1
+pearlcohen.com, 1
+pearle.nl, 1
+pearljamargentina.tk, 1
+pearloc.com, 1
+pearlsonly.ca, 1
+pearlsonly.com, 1
+pearlsonly.com.au, 1
+pearlsonly.de, 1
+pearlteethers.ga, 1
+pearlteethest.ga, 1
+pearson424.org, 1
+pearsonbsl.com, 1
+pearstudios.cf, 1
+pearvn.tk, 1
+peas-project.com, 1
+pease.co.nz, 1
+peathealth.co.nz, 1
+peatsuki.com, 1
+peawee.co.uk, 1
+peawo.com, 1
+pebblenest.uk, 1
+pebkac.gr, 0
+peblet.be, 1
+pebook.tk, 1
+pec-email.com, 1
+pec.net, 1
+pecadis.de, 1
+pecan.ai, 1
+pecetowicz.pl, 1
+pecheneg.tk, 1
+pechibani.by, 0
+pechka.tk, 1
+pechnik-negara.ru, 0
+pechonova.com, 1
+pecker-johnson.com, 1
+peckway.co.uk, 1
+pecmd.net, 1
+pecs.com, 1
+pecsusa.com, 1
+pect.com.pk, 1
+ped-bike.de, 1
+peda.net, 1
+pedago.it, 1
+pedagoplume.fr, 1
+pedaleuse.be, 1
+pedalia.cc, 1
+pedalirovanie.tk, 1
+pedalr.eu, 1
+peddals.com, 1
+peddy.dyndns.org, 1
+peddyland.tk, 1
+pediatersucha.sk, 1
+pediatricdentistrycenter.com, 1
+pediatricdentistslilburnga.com, 1
+pediatricorthopedic.com, 1
+pedicure-stadspolders.nl, 1
+pedicurean.nl, 1
+pedicureduiven.nl, 1
+pedicurepraktijkvelserbroek.nl, 1
+pedikura-vitu.cz, 1
+pedimanie.cz, 1
+pedimoda.com.br, 1
+pedo.house, 1
+pedodontie.ro, 1
+pedohunters.de, 1
+pedrazanoticias.tk, 1
+pedro.com.es, 1
+pedrobotias.tk, 1
+pedrolamas.com, 1
+pedrollo-ua.com, 1
+pedroministro.pt, 1
+pedromunoz.tk, 1
+pedrooliveira.tk, 1
+pedrosanto.tk, 1
+pedrosart.it, 1
+pedrosaurus.com, 1
+pedrosillo-delosaires.tk, 1
+pedrotimoteo.com, 1
+peduse.com, 1
+pedziran.com, 1
+peekier.com, 1
+peelawayyourpain.com, 1
+peels.fr, 1
+peen.ch, 1
+peenee.in.th, 1
+peenor.xyz, 1
+peep.gq, 1
+peer.travel, 1
+peerberry.com, 1
+peercraft.at, 1
+peercraft.be, 1
+peercraft.biz, 1
+peercraft.ch, 1
+peercraft.cn, 1
+peercraft.co.uk, 1
+peercraft.com, 1
+peercraft.de, 1
+peercraft.dk, 1
+peercraft.es, 1
+peercraft.eu, 1
+peercraft.fr, 1
+peercraft.info, 1
+peercraft.it, 1
+peercraft.net, 1
+peercraft.nl, 1
+peercraft.org, 1
+peercraft.pl, 1
+peercraft.pt, 1
+peercraft.se, 1
+peercraft.us, 1
+peerjs.com, 1
+peername.com, 1
+peerpressurecreative.com, 1
+peers-liste.de, 1
+peers.gq, 1
+peers.tk, 1
+peersquaders.ga, 1
+peersquadest.ga, 1
+peerview.com, 1
+peerviewpress.com, 1
+peervoice.com, 1
+peerweb.com, 1
+peerwebdc.tk, 1
+peetah.com, 0
+peetersport.ee, 1
+peew.de, 1
+peewee-design.tk, 1
+pefile.tk, 1
+pefisa.com.br, 1
+pegas-studio.net, 1
+pegasnet.tk, 1
+pegdown.org, 1
+pegrum.rocks, 1
+pegundugun.tk, 1
+peifeng.li, 1
+peifi.de, 0
+peinture-77.fr, 1
+peippo.at, 1
+peirong.me, 1
+pejic.nl, 1
+pekarstvivetvrzi.cz, 1
+pekcazip.com, 1
+peklostroj.cz, 1
+peklostroj.eu, 1
+peklostroj.sk, 1
+peko.com.mk, 1
+pelagicus.co.uk, 1
+pelajaran.co.id, 1
+pelanucto.cz, 1
+pelata.net, 1
+pelatihanwirausaha.com, 1
+peleti.at, 1
+pelgrimhof.be, 1
+pelhamalrecreation.gov, 1
+pelhamlibraryal.gov, 1
+pelhrimov-strmechy.tk, 1
+pelican.ie, 1
+pelicanottertailmn.gov, 1
+pelicans.tk, 1
+peliculaonline.tk, 1
+peliculaslatino.tk, 1
+pelikone.fi, 1
+pelinca.nl, 1
+pelis-online.net, 1
+pellegrino.ar, 1
+pellet.pordenone.it, 1
+pellet.roma.it, 1
+pelletgrillreviews.com, 1
+pelletizermill.com, 1
+pelletsprice.com, 1
+pelmeni.cf, 1
+pelmeniuralskie.tk, 1
+pelo.tk, 1
+pelopoplot.com, 0
+pelosanimais.org, 1
+pelotonimports.com, 1
+pelsu.fi, 1
+peluche.tk, 1
+peluqueriaalcobendas.es, 1
+peluqueriacanina.tk, 1
+peluqueriacaninacavecanem.es, 1
+pem-jp.co.uk, 1
+pemagrid.org, 1
+pemasalem.com, 1
+pembeteknoloji.com.tr, 1
+pembhi.com, 1
+pembinewi.gov, 1
+pemborongbangunan.id, 1
+pembrokenc.gov, 1
+pemdas.xyz, 1
+pemerintahkota.com, 1
+pemez.com, 1
+pems.gov.au, 1
+pen-sec.de, 1
+pen15art.tk, 1
+pena-party.tk, 1
+pena600.tk, 1
+penatizavarise.com, 1
+penaugustin.com, 1
+penbrookpa.gov, 1
+pencepay.com, 1
+pencil2d.org, 1
+pencillab.cn, 1
+penconsultants.com, 1
+pendidikan.co.id, 1
+pendletoncountyky.gov, 1
+pendletoncountywv.gov, 1
+pendriveapps.com, 1
+pendrivelinux.com, 1
+penedo.tk, 1
+penelopia.pl, 1
+penes.cf, 1
+penetrationstest.se, 1
+penfold.fr, 1
+pengajar.co.id, 1
+pengembangan-web-mp-pd.com, 1
+pengepung.com, 1
+pengi.me, 1
+pengisatelier.net, 1
+pengui.uk, 1
+penguin-stats.cn, 1
+penguin-stats.io, 1
+penguin.co.uk, 1
+penguinclientsystem.com, 1
+penguindominatrix.com, 1
+penguindrum.moe, 1
+penguinos.tk, 1
+penguinprotocols.com, 1
+penguinrandomhousegrupoeditorial.com, 1
+penguins.ca, 1
+penguinshome.tk, 1
+penguinvillage.info, 1
+pengumuman.id, 0
+penholder.ga, 1
+peni.tk, 1
+peniarth.cymru, 1
+peninsula360.com, 1
+penispumpen.se, 1
+pennan.tk, 1
+pennergold.net, 1
+pennhillspa.gov, 1
+pennsauken.gov, 1
+pennyapp.io, 0
+pennybot.tk, 1
+pennylane.com, 1
+pennymail.ga, 1
+pennywise.tk, 1
+peno1.tk, 1
+penopoly.cf, 1
+penopoly.ga, 1
+penopoly.gq, 1
+penopoly.ml, 1
+penopoly.tk, 1
+penorai.ru, 1
+penoray.ru, 1
+penosa.ga, 1
+penrite.pl, 1
+penrose.edu, 1
+pens-money.cf, 1
+pens-money.ga, 1
+pens-money.gq, 1
+pensacolafl.gov, 1
+pensacolawinterfest.org, 1
+pensador.com, 1
+pensador.info, 1
+pensatore.tk, 1
+pensia.tk, 1
+pensieridigitali.tk, 1
+pensierolaterale.tech, 1
+pensioenfonds-ey.nl, 1
+pension-am-alten-waschhaus.de, 1
+pension-chevaux.com, 1
+pension-haus-sonnenschein.de, 1
+pension-ua.tk, 1
+pension.ga, 1
+pensionchien.com, 1
+pensionecani.roma.it, 1
+pensioner-1000.tk, 1
+pensionesdominicanas.com, 1
+pensionstal.tk, 1
+pensiontrackerers.ga, 1
+pensiun.ga, 1
+pensiune-doina.ro, 1
+pensiunea-maria.tk, 1
+pensiunea-paco.ro, 1
+pensiunealido.ro, 1
+pentacodes.com, 0
+pentagon-area.tk, 1
+pentagonix.com.br, 1
+pentagram.cf, 1
+pentagram.me, 1
+pentagrid.ch, 1
+pentamexicali.tk, 1
+pentamultiservice.it, 1
+pentandra.com, 1
+pentaquin.com, 1
+pentaquin.net, 1
+pentatonik.tk, 1
+pentechmc.blog, 1
+pentekdograma.com, 1
+pentest.blog, 1
+pentesterlab.com, 1
+pentestit.com, 1
+pentestpartners.com, 1
+penthy.eu, 1
+pentofun.ch, 1
+pentoo.ch, 1
+pentools.org, 1
+pentopolimer.com, 1
+pentwatertownshipmi.gov, 1
+penuelaspr.gov, 1
+penultimategaming.com, 1
+penya.ga, 1
+penyavictorhernani.tk, 1
+penz.media, 1
+penza-on-line.tk, 1
+penza-today.tk, 1
+penzaonline.cf, 1
+penzionvzahrade.cz, 1
+people.deloitte, 1
+people2hire.co.uk, 1
+peopleandchange.nl, 1
+peoplecareeyesandteeth.com.au, 1
+peoplecarehealthinsurance.com, 1
+peoplecarehealthinsurance.com.au, 1
+peoplecareopticalanddental.au, 1
+peoplecareopticalanddental.com, 1
+peoplecareopticalanddental.com.au, 1
+peoplefinders.ml, 1
+peoplelikemeapp.com, 1
+peopleofcolorcareers.com, 1
+peopleplanetconnect.org, 1
+peoplesbankal.com, 0
+peoplescu.com, 1
+peoplesdecade.org, 1
+peopleskills4u.net, 1
+peoplesliberationfront.tk, 1
+peoplesoft-support.nl, 1
+peoplespets.co.uk, 1
+peoplesplatform.cf, 1
+peoplesplatform.tk, 1
+peoplesrepublicofchinasucks.com, 1
+peoplesrights.org, 1
+peoriacounty.gov, 1
+peoriaelections.gov, 1
+peoriaevents.com, 1
+peoriail.gov, 1
+peoriaparks-il.gov, 1
+pepe.cz, 1
+pepechkov.com, 1
+pepechkova.com, 1
+pepeelektro.sk, 1
+pepegol.it, 1
+pepegym.cz, 1
+pepemodelismo.com.br, 1
+pepenero.ma, 1
+peperiot.com, 1
+peperoni.tk, 1
+peperstraat.online, 1
+pepfar.gov, 1
+pepitadinamitastudios.com, 1
+pepix.pl, 1
+peplex.ddns.net, 1
+peplex.nl, 1
+peppelmedi.fi, 1
+pepperandpartner.com, 1
+peppermillinteriors.com, 1
+peppertalks.com, 1
+peppyflora.com, 1
+pepsi.investments, 1
+pepsipromos.com, 1
+pepta.net, 1
+pepul.com, 1
+pepul.tech, 1
+pepwaterproofingllc.com, 1
+peqal.cf, 1
+pequenaitalia.com.br, 1
+pequenas-historias.tk, 1
+pequenosbichos.com.br, 1
+pequenosfavoritos.com.br, 0
+per-olsson.se, 1
+peraavcilar.com, 1
+peracup.com.tr, 1
+perala.me, 1
+perali.com, 0
+peraparker.cz, 1
+perberestja.gq, 1
+perception-point.io, 1
+perceptive.pro, 1
+perceptyx.com, 1
+perchance.org, 1
+percherosdepared.es, 1
+percherosdepared.online, 1
+percolate.com, 1
+percussiontonal-forum.de, 1
+percy.io, 1
+percydutton.co.uk, 1
+percymagic.tk, 1
+perd.re, 1
+perdanabagus.tk, 1
+perdele-draperii.ro, 1
+perdita-capelli.tk, 1
+perdolyathlendr.tk, 1
+perecraft.com, 1
+peredovaya.tk, 1
+peredoz.tk, 1
+pereezd.ml, 1
+peregrinefund.org, 1
+peregrinus.es, 1
+perekodu.ee, 1
+peremena.ml, 1
+perenne.ee, 1
+perennialte.ch, 1
+perennialwomens.com, 1
+perera.net, 1
+peresypchanka.tk, 1
+pereuda.com, 1
+perevedi.org, 1
+perevedut.cf, 1
+perevod-tekst-pesni.ru, 1
+perewall.tk, 1
+perez-marrero.com, 1
+perezdecastro.org, 0
+perf-b2b.com, 1
+perf1.com, 1
+perfare.net, 1
+perfect-blog.com, 1
+perfect-carstyle.de, 1
+perfect-dream.tk, 1
+perfect-privacy.com, 1
+perfect-seo.ru, 1
+perfect-servers.com, 1
+perfect-tour.ro, 1
+perfect8.com.tw, 1
+perfectbalance.tech, 1
+perfectcloud.org, 1
+perfectcommunity.ga, 1
+perfecteclass.com.cy, 1
+perfectfocuseyecare.com, 1
+perfectgift.com, 0
+perfectgift.tk, 1
+perfectlyluxe.ml, 1
+perfectlyluxe.tk, 1
+perfectmatch.cf, 1
+perfectme.ml, 1
+perfectme.tk, 1
+perfectosidiotaspunk.tk, 1
+perfectplrarticles.ga, 1
+perfectpussypics.com, 1
+perfectsize.pl, 1
+perfectsnap.co.uk, 1
+perfectsoft.tk, 1
+perfecttits.net, 1
+perfectweb.today, 1
+perfectworldbot.tk, 1
+perfekt-style.com, 1
+perfekt2004.com, 1
+perfektesgewicht.com, 1
+perferxprecision.com, 1
+perfmatters.io, 1
+perfmed.ro, 1
+perforlabs.com, 1
+performance-advertising.de, 1
+performance.gov, 1
+performancehealth.com, 0
+performancematters.ie, 1
+performancerh.fr, 1
+performancerunningsolutions.com, 1
+performances-supervision.fr, 1
+performancetillagebolt.com, 1
+performancetransmission.net, 1
+performansguru.com, 1
+performing-art-schools.com, 1
+performingdreams.tk, 1
+performiptv.com, 1
+performiptv.net, 1
+performive.com, 1
+performpracticesolutions.com, 1
+perfumerie.tk, 1
+perfumes.com.br, 1
+perfumesloewe.com, 1
+perfumesweb.com.br, 1
+perfumki.tk, 1
+pergam.by, 0
+pergam.kz, 1
+pergamentka-apartments.cz, 1
+pericsope.gq, 1
+peridotcapitalpartners.com, 1
+perigon.ch, 1
+perini.com.au, 1
+perinton.gov, 1
+periodex.co, 1
+periodicojerez.info, 1
+periodicomirador.com, 1
+periodicopcion.tk, 1
+periodista.tk, 1
+periony.com, 1
+periosearch.tk, 1
+periscope.tv, 1
+periscopeup.com, 1
+perishablepress.com, 1
+peritos-informaticos.com, 1
+perkilo.eu, 1
+perksplus.com, 1
+perlbanjo.com, 1
+perlego.com, 1
+perlesdelumiere.com, 1
+perlina.co.il, 1
+perm-avia.ru, 1
+perm-jur.ch, 0
+perm-juridique.ch, 0
+perm-l2.tk, 1
+perma-batteries.com, 1
+permaculture.cf, 1
+permadi.id, 1
+permaditya.my.id, 1
+permajackofstlouis.com, 1
+permajackstlouis.com, 1
+permak.tk, 1
+permanence-juridique.com, 0
+permanencejuridique-ge.ch, 0
+permanencejuridique.com, 0
+permanencesecretariat.fr, 1
+permanentnyj-makiazh.ru, 1
+permarisk.gov, 1
+permaseal.net, 1
+permasealbasement.com, 1
+permasealbasementsystems.com, 1
+permasealplumbing.com, 1
+permasealwaterproofing.com, 1
+permaset.com.au, 1
+permeance108.com, 1
+permian-elec.com, 1
+permis-a-points-bordeaux.com, 1
+permis-a-points-montpellier.com, 1
+permis-apoints.com, 1
+permis-apoints.fr, 1
+permis.online, 1
+permiscoderoute.fr, 1
+permisecole.com, 1
+permistheorique.be, 1
+permistheoriqueenligne.be, 1
+permitting.gov, 1
+permutationcity.net, 1
+perniciousgames.com, 0
+pernod-ricard.io, 1
+peroduaselangor.com, 1
+peronmedya.com, 1
+perot.me, 1
+perpetual.ga, 1
+perpetualemotion.com, 1
+perpetuum.tk, 1
+perrau.lt, 0
+perreiraproperties.com, 1
+perretes.com.es, 1
+perritas.tk, 1
+perritos.tk, 1
+perron.ml, 1
+perroon.eu, 1
+perrybook.tk, 1
+perrycountyal.gov, 1
+perrycountyil.gov, 1
+perrycountyky.gov, 1
+perrycountymo.gov, 1
+perrycountytn.gov, 1
+perryvilleky.gov, 1
+perryvillemo.gov, 1
+pers-hr.tk, 1
+perscore.tk, 1
+perseo.tk, 1
+persephone.gr, 1
+persey-ssm.com.ua, 1
+persey.tk, 1
+persian-clan.tk, 1
+persiandating.tk, 1
+persianrom.com, 1
+persiart.shop, 1
+persiennexperten.se, 1
+persiennkompaniet.se, 1
+persistence.one, 1
+persistshields.org, 1
+persjrp.ca, 1
+perso.pl, 1
+persoform.ch, 1
+personabrindesbr.com.br, 1
+personacommunications.com.au, 1
+personal-genome.com, 1
+personal-scrum.de, 1
+personal-scrum.eu, 1
+personalaccidentsers.ga, 1
+personalaccidentsest.ga, 1
+personalfunctionaldata.net, 1
+personalhydroponics.com, 1
+personalidadmagnetica.com, 1
+personaliseyourwine.com.au, 1
+personalisiertegeschenke.tk, 1
+personalisiertesgeschenk.tk, 1
+personalityjunkie.com, 1
+personaljokes.cf, 1
+personaljokes.ml, 1
+personaljokesers.ga, 1
+personaljokesest.ga, 1
+personaljourneys.co.nz, 1
+personalnames.net.ru, 1
+personalpages.us, 1
+personalrecreationaltourguides.com, 1
+personaltrainer-senti.de, 1
+personaltraineredu.org, 1
+personalwebsite.services, 1
+personcar.com.br, 1
+persondatakonsulenterne.dk, 1
+personetics.com, 1
+personlookup.com.au, 1
+personnedisparue.fr, 1
+perspective-daily.de, 1
+perspective.com.tr, 0
+perspectives-de-voyage.com, 1
+perspectivum.com, 0
+perspektivwechsel-coaching.de, 0
+perspio.io, 1
+persson.im, 1
+persson.me, 1
+perssonsgarn.se, 1
+persuader-reports.gov, 1
+persuasionmatters.com, 1
+perswayze.com, 1
+perthhillsarmadale.com.au, 1
+perthpregnancycentre.com.au, 1
+perthtrains.net, 1
+perthunicyclists.tk, 1
+perthweekend.com.au, 1
+pertwarp.tk, 1
+perubusca.nl, 1
+perugamerz.tk, 1
+perugiatoday.it, 1
+peruil.gov, 1
+perulinks.tk, 1
+perun.wiki, 1
+perunderforos.tk, 1
+perunsoft.rs, 1
+perupoemas.tk, 1
+peruprogramadores.tk, 1
+perusal.eu, 1
+perusal.social, 1
+perusteet.tk, 1
+peruutetutlennot.fi, 1
+peruvianhairextension.tk, 1
+peruvianhumanhair.tk, 1
+peruvianphotography.com, 1
+peruviantravel.tk, 1
+pervacio.hu, 1
+perved.org, 1
+pervejshijistochnik.tk, 1
+perversa.cl, 1
+pervesk.lt, 1
+pervoklass.cf, 1
+pervomaysk-city.ml, 1
+perzeidi.hr, 1
+pesandansampai.tk, 1
+pesar.tk, 1
+pesc.ru, 1
+pescadorcomunicacao.com, 1
+pescamagnetica.pt, 1
+pescanetworks.tk, 1
+pescans.com, 1
+pescco.com.br, 1
+peshakoo.com, 1
+pesinatsizsenetle.com, 1
+pesitalia.tk, 1
+pesnik.tk, 1
+pesnitut.ga, 1
+pesquisasremuneradas.net, 1
+pessa-webdesign.tk, 1
+pessebrevivent-lallacuna.tk, 1
+pestalertsers.ga, 1
+pestalertsest.ga, 1
+pestcontrol.co.uk, 1
+pestdefense.com, 1
+pesterchum.online, 1
+pesterchum.xyz, 1
+pesthotelers.ga, 1
+pestici.de, 1
+pestkill.info, 1
+pestleandmortar.hk, 1
+pesto.video, 1
+pestpatrol.ga, 1
+pestpilis.hu, 1
+pestra.tk, 1
+pet-cat-accessories.ml, 1
+pet-distributor.cz, 1
+pet-guide.net, 1
+pet-hotel-mura.net, 1
+pet-net.tk, 1
+pet-tekk.co.uk, 1
+peta.tk, 1
+petabits.de, 1
+petabundant.ga, 1
+petal-ms.gov, 1
+petaladdin.com, 1
+petalkr.com, 1
+petalsoft.tk, 1
+petamazing.ga, 1
+petaouchnok.ch, 1
+petar.fyi, 1
+petblaster.ga, 1
+petblender.ga, 1
+petbooking.it, 1
+petbrowser.ga, 1
+petburial.cf, 1
+petcareonline.com, 1
+petcharte.ga, 1
+petclassy.ga, 1
+petclient.ga, 1
+petcollections.ga, 1
+petcollector.ga, 1
+petcolor.ga, 1
+petcounty.ga, 1
+petcrawler.ga, 1
+petdesign.tk, 1
+petdesigning.ga, 1
+petdir.ga, 1
+petdish.ga, 1
+petdollar.ga, 1
+peteacheredu.org, 1
+petech.ro, 1
+petelew.is, 1
+petemerges.com, 1
+petemerges.xyz, 1
+peter-r.co.uk, 1
+peter-taban.de, 1
+peter-zhu.ca, 1
+peter.org.ua, 1
+peterackermans.tk, 1
+peterandjoelle.co.uk, 1
+peterarcherbeyondvision.com, 0
+peterbarrett.ca, 1
+peterbischof.at, 1
+peterborgapps.com, 1
+peterboroughhydroponics.com, 1
+peterbruceharvey.com, 1
+peterbulckaen.tk, 1
+petercai.com, 1
+petercawthron.com, 1
+peterdavehello.org, 1
+peterfiorella.com, 1
+peterfolta.net, 1
+petergudo.tk, 1
+peterhall.au, 1
+peterheery.me, 0
+peterherman.tk, 1
+peterhome.cn, 1
+peterhome.tk, 1
+peterhuetz.at, 1
+peterhuetz.com, 1
+peterjin.org, 1
+peterjohnson.io, 1
+peterkotula.tk, 1
+peterkrivanek.com, 1
+peterkshultz.com, 0
+peterkuma.net, 1
+peterlajos.com, 1
+peterlew.is, 1
+peterlmai.com, 0
+petermaar.com, 1
+petermamo.com, 1
+petermuenster.tk, 1
+peteroerlemans.be, 1
+peterpauer.com, 1
+peterpiperpizza.com, 1
+peters.consulting, 1
+petersburgmi.gov, 1
+peterseninc.com, 1
+petersonbrosrealty.com, 0
+petersport.ee, 1
+petersson-gartengestaltung.de, 1
+petersweb.me.uk, 1
+petervaldesii.com, 0
+petervantriet.nl, 1
+peteryoungfineart.com, 1
+peteschmidt.com.au, 1
+petevagabond.com, 1
+petfa.ga, 1
+petfame.ga, 1
+petfeedback.ga, 1
+petfilter.tk, 1
+petfleet.ga, 1
+petflower.ga, 1
+petfolder.ga, 1
+petgeo.ga, 1
+petgrow.ga, 1
+petgun.ga, 1
+pethandsome.ga, 1
+pethard.ga, 1
+petherwick.co.uk, 1
+petherwick.com, 1
+peticion.tk, 1
+petimagine.ga, 1
+petit-archer.com, 1
+petit-bebe.fr, 1
+petitbleu.fr, 1
+petite-annonce.tk, 1
+petite-maison.ch, 0
+petiteframes.com, 1
+petitenympha.com, 1
+petitions.by, 1
+petitions.pro, 1
+petitmaison.net, 1
+petitnuagephotographie.be, 1
+petitsfrenchies.com, 1
+petitsfreresdespauvres.fr, 1
+petitu.mx, 1
+petjoy.co.za, 1
+petkiss.ga, 1
+petknight.ga, 1
+petless.ga, 1
+petlife.od.ua, 1
+petlife.vet, 1
+petlittle.ga, 1
+petmall.bg, 1
+petmatchmaker.org, 1
+petmegoo.com, 1
+petmessenger.ga, 1
+petmetric.ga, 1
+petnatural.ga, 1
+petnight.ga, 1
+petnow.gr, 1
+petopedia.ga, 1
+petopplis.ga, 1
+petops.de, 1
+petos.tk, 1
+petover.ga, 1
+petpedia.co, 1
+petpipe.ga, 1
+petpower.eu, 1
+petpuppy.tk, 1
+petr.as, 1
+petr.se, 1
+petr22shcool.tk, 1
+petra-toroid.ro, 1
+petrachuk.ru, 1
+petrally.ga, 1
+petrarca.tk, 1
+petras-pfotenuni.de, 1
+petrates.ga, 1
+petredhot.ga, 1
+petrequest.ga, 1
+petrichorsolutions.co, 1
+petrkulik.cz, 1
+petrocheminc.com, 1
+petrochemprojects.ga, 1
+petrol-power.tk, 1
+petroleum-schools.com, 1
+petroleumservicecompany.com, 1
+petroll.ga, 1
+petroscand.eu, 1
+petrostar.com, 1
+petrostathis.com, 0
+petrotamin.ir, 1
+petrotranz.com, 1
+petrotrustlibya.com, 1
+petrov.engineer, 0
+petrovitch.tk, 1
+petrozavodsk.ga, 1
+petruv-grunt.cz, 1
+petruzz.net, 1
+pets4adoption.tk, 1
+pets4life.com.au, 1
+petsafe.net, 0
+petsartcollection.com, 1
+petscams.com, 1
+petschnighof.at, 1
+petsdeners.ga, 1
+petsdenest.ga, 1
+petsidi.com, 1
+petsmundoanimal.com, 1
+petsnapshot.ga, 1
+petsnews.ga, 1
+petsnvets.org, 1
+petspark.tk, 1
+petsplash.ga, 1
+petsru.net, 1
+petstick.ga, 1
+petstok.com.br, 1
+petstreaming.ga, 1
+petsulcatatortoise.com, 1
+petsurreal.ga, 1
+pettersatlher.com.br, 1
+pettopsecret.ga, 1
+pettreasure.ga, 1
+pettreats.com.br, 1
+petunder.ga, 1
+peturnashes.ga, 1
+petutility.tk, 1
+petvisual.ga, 1
+petwall.info, 1
+petwood.co.uk, 1
+petyolo.org, 1
+peuf.shop, 1
+peukert.cc, 1
+peupledefrance.fr, 1
+pevat-ua.tk, 1
+pew.ninja, 1
+pewamo.gov, 1
+pewat.com, 1
+pewforum.org, 1
+pewglobal.org, 1
+pewresearch.org, 1
+pex.digital, 0
+pexlab.net, 1
+peyote.com, 1
+peyote.org, 1
+peyote.wiki, 1
+peyukoshop.com, 1
+pf.dk, 1
+pfa.or.jp, 1
+pfabel.com, 1
+pfadfinder-grossauheim.de, 1
+pfalz-mail.de, 1
+pfandbriefbank.net, 1
+pfandbriefe.de, 1
+pfandbriefsparen.de, 1
+pfannkuchenbratze.de, 1
+pfarchimedes-pensioen123.nl, 1
+pfarr-rad.de, 1
+pfarreiengemeinschaft-neuerburg.de, 1
+pfarrhaus-mon.ch, 1
+pfashionmart.com, 1
+pfcafeen.dk, 1
+pfcardprogram.com, 1
+pfcchavdar.tk, 1
+pfcharland.com, 1
+pfctr.com, 1
+pfd-nz.com, 1
+pfe.rs, 1
+pfefferkuchen-shop.de, 0
+pfefferkuchenprinzessin-dresden.de, 0
+pfefferle.online, 1
+pfeiffer.tech, 1
+pfeifferszilard.hu, 1
+pferdesportclub-chiemgau.de, 1
+pfeuffer-elektro.de, 1
+pff.com.au, 1
+pfft.net, 1
+pfgl.co.uk, 1
+pfingstsportfest.de, 0
+pfish.zone, 1
+pfk.org.pl, 1
+pflan.dk, 1
+pflanzen-shop.ch, 1
+pflanzkompass.at, 1
+pflege.ch, 1
+pfmeasure.com, 1
+pfnpc.org, 1
+pfolta.net, 1
+pfonboarding.org, 1
+pfonks.com, 1
+pfp.com.au, 1
+pfp.works, 1
+pfr.email, 1
+pfr.wtf, 1
+pfrost.me, 1
+pfsandbox.com, 1
+pfsquad.blog, 0
+pfsquad.nu, 1
+pfssales.com, 1
+pfudor.tk, 1
+pfwarriors.com, 1
+pg-forum.at, 1
+pg-forum.ch, 1
+pg-forum.de, 0
+pg-it.at, 1
+pg-mana.net, 1
+pg-sec.com, 1
+pg-sec.cz, 1
+pg-sec.eu, 1
+pg-slot.me, 1
+pgazette.tk, 1
+pggm.nl, 1
+pgh-art.com, 1
+pgica.org, 1
+pgit.at, 1
+pgklaw.com.au, 1
+pglaum.tk, 1
+pgllandscaping.com, 1
+pgln.tk, 1
+pgmann.com, 1
+pgmjr.com, 1
+pgmsource.com, 1
+pgmsp.net, 1
+pgmtechnologies.com, 1
+pgnd.net, 1
+pgnetwork.io, 1
+pgnetwork.net, 1
+pgnetwork.org, 1
+pgp.lol, 1
+pgp.net, 1
+pgp.org.au, 1
+pgpaintanddesign.com, 1
+pgpmail.cc, 1
+pgregg.com, 1
+pgsec.cz, 1
+pgsec.eu, 1
+pgsek.cz, 1
+pgsindustries.com.au, 0
+pgslot.id, 1
+pgsls.com, 1
+pgsupplier.com, 1
+pgwap.com, 1
+pgwellnesscoach.it, 1
+ph-brand.jp, 1
+ph-consult.sk, 1
+ph-ooe.at, 1
+ph.search.yahoo.com, 0
+ph1worlddevelopers.com, 1
+ph3r3tz.net, 1
+ph4nt0m.ddns.net, 0
+ph89.de, 1
+pha.one, 1
+pha.pub, 1
+phaedranyx.co.uk, 1
+phagyo.com, 1
+phannuoc.net, 1
+phantasia.tk, 1
+phantasie.cc, 1
+phantasmag.gq, 1
+phantastikon.de, 1
+phantom-games.tk, 1
+phantomfund.cf, 1
+phantomfund.ml, 1
+phantomfunders.ga, 1
+phantomlighting.com, 1
+phantomlord.tk, 1
+phantomphans.tk, 1
+phantomware.tk, 1
+pharandespaces.com, 1
+pharma-insights.nl, 1
+pharmaabsoluta.com.br, 1
+pharmaboard.de, 1
+pharmaboard.org, 1
+pharmaceuticalcannabis.org, 1
+pharmacie-dufayel.fr, 1
+pharmacie-matignon.com, 1
+pharmaciechatelle.be, 1
+pharmacology.uk, 1
+pharmacy-evalar.ru, 1
+pharmacy.org.pk, 1
+pharmacyevalar.ru, 1
+pharmadrugtest.com, 1
+pharmalab.eu, 1
+pharmalab.fr, 1
+pharmalinkinternational.com, 1
+pharmapolitics.com, 1
+pharmasana.co.uk, 1
+pharmasana.de, 1
+pharmasana.ru, 1
+pharmasyncers.ga, 1
+pharmasyncest.ga, 1
+pharmgkb.org, 0
+pharmica.co.uk, 1
+pharmica.uk, 1
+pharosconsulting.com, 1
+pharside.dyndns.org, 1
+pharynks.com, 1
+pharynx.nl, 1
+phase4electric.com, 1
+phasersec.com, 1
+phastidio.net, 1
+phatblackbooty.com, 1
+phattea.tk, 1
+phbits.com, 1
+phc4submit.org, 1
+phcimages.com, 1
+phcloud.spdns.de, 1
+phcnetworks.net, 0
+phcorner.net, 1
+phd, 1
+phdelivery.com, 1
+phdgames.com, 1
+phdhub.it, 1
+phdk.ir, 1
+phdsolutions.org, 1
+phdwuda.com, 1
+pheasantrunpress.com, 1
+phellow.de, 1
+phellowseven.com, 1
+phelx.de, 1
+phen-garcinia.info, 1
+phenergan.ga, 1
+phenergan.ml, 1
+phenixairsoft.com, 1
+phenixlab.fr, 0
+phenomnaltwincities.com, 1
+phenriques.com, 1
+phenweb.co.uk, 1
+pheramoan.com, 1
+pheromeons.com, 1
+pheromoans.com, 1
+pheromoens.com, 1
+pheromonetalk.com, 0
+pheronome.com, 1
+pheronomes.com, 1
+pheros.com, 1
+pheroz.com, 1
+phesita.gq, 1
+phew.co.nz, 1
+phfrost.nl, 1
+phialo.de, 1
+phibureza.com, 1
+phigrupopolideportivo.es, 0
+phihq.com, 0
+phil-dirt.com, 1
+phil-phillies.com, 1
+phil.red, 1
+phil.to, 1
+phil.tw, 1
+philadelphia.com.mx, 1
+philanima.com, 1
+philarmonic-abaza.tk, 1
+philasd.org, 1
+phildevient.tk, 1
+phildonaldson.com, 1
+phileas-psychiatrie.be, 1
+philia-sa.com, 0
+philipbuckmaster.co.uk, 1
+philipdb.com, 1
+philipdb.nl, 1
+philipdeussen.com, 1
+philipdeussen.de, 1
+philiperiksson.se, 1
+philipkdick.tk, 1
+philipkobelt.ch, 1
+philiplowran.tk, 1
+philipmordue.co.uk, 1
+philipmorrisdirect.co.uk, 1
+philipoff.com, 1
+philipp-trulson.de, 0
+philipp.vip, 1
+philippa.cool, 1
+philippbirkholz.com, 1
+philippbirkholz.de, 1
+philippe-mignotte.fr, 1
+philippebonnard.fr, 1
+philippegoffin.be, 1
+philippehannes.fr, 1
+philippekhau.tk, 1
+philippemunn.photo, 1
+philippheenen.de, 0
+philippinegreenparty.tk, 1
+philippinenewsvanguard.tk, 1
+philippkaindl.de, 1
+philippkeschl.at, 1
+philippwinterberg.com, 1
+philipslater.cf, 1
+philipslater.ga, 1
+philipslater.gq, 1
+philipslater.ml, 1
+philipsmanythougths.cf, 1
+philipsmanythougths.ga, 1
+philipsmanythougths.ml, 1
+philipssupportforum.com, 1
+philipstewart.uk, 1
+philipthomas.com, 1
+philipzhan.com, 1
+philipzhan.tk, 1
+philis-oenologie.fr, 1
+phillipgoldfarb.com, 1
+phillippe-lemarc.ch, 1
+phillipspediatricsoxford.com, 1
+phillprice.com, 0
+phillyhometech.com, 1
+phillyinjurylawyer.com, 1
+philnheimann.com, 1
+philographie.com, 1
+philology.tk, 1
+philomathiclife.com, 1
+philosoftware.com.br, 1
+philosophers.tk, 1
+philosopherswool.com, 1
+philosophy-colleges.com, 1
+philosophyguides.org, 1
+philosophytalk.org, 1
+philphonic.de, 1
+philpropertygroup.com, 0
+philrights.org, 1
+phils1990.com, 1
+philsturgeon.uk, 1
+philward.io, 1
+philwilson-green.cf, 1
+philwilson-green.ga, 1
+philwilson-green.gq, 1
+philwilson-green.ml, 1
+phimmoingay.org, 1
+phimtor.com, 1
+phinikarides.net, 1
+phiomegachi.tk, 1
+phishguard.sa, 1
+phishing-studie.org, 1
+phishing.army, 1
+phishingplanet.com, 1
+phishingusertraining.com, 1
+phisis.com.br, 1
+phive.eu, 1
+phive.social, 1
+phixer.com, 1
+phligence.com, 1
+phobos.tk, 1
+phoebestrong.org, 1
+phoenix-correspondence-commission.gov, 1
+phoenix.dj, 1
+phoenixboard.tk, 1
+phoenixcourt.gov, 1
+phoenixdepositionservices.com, 1
+phoenixfrequency.ga, 1
+phoenixlpgpasig.com, 1
+phoenixmanga.com, 1
+phoenixmunicipalcourt.gov, 1
+phoenixnest.ltd, 1
+phoenixpower.tk, 1
+phoenixsalon.eu, 1
+phoenixurbanspaces.com, 1
+phoenixville.online, 1
+phoenixwebsitedesign.com, 1
+phographer.com, 0
+pholio.com, 1
+phone-service-center.de, 1
+phone-spy.ml, 1
+phone42.com, 1
+phonearena.com, 1
+phonedoc.it, 1
+phonefilter.co.uk, 1
+phonefleet.fr, 1
+phonegnome.com, 1
+phoneia.com, 1
+phoneincentivesers.ga, 1
+phoneincentivesest.ga, 1
+phoneinformation.cf, 1
+phoneinformation.ga, 1
+phoneinformation.gq, 1
+phoneinformation.ml, 1
+phoneinformation.tk, 1
+phonelookupname.ml, 1
+phonenumber-info.co.uk, 1
+phonenumberfind.cf, 1
+phonenumberfind.ga, 1
+phonenumberfind.gq, 1
+phonenumberfind.ml, 1
+phonenumberfind.tk, 1
+phonesbooksest.ga, 1
+phonesexchat.com, 1
+phonesexnumbers.com, 1
+phoneswiz.com, 1
+phonet.tk, 1
+phonetika.org, 1
+phonetrace.tk, 1
+phonetrack.tk, 1
+phonevibrator.com, 1
+phonex.bg, 1
+phonex.com.mx, 1
+phoneyourselfers.ga, 1
+phoneyourselfest.ga, 1
+phonix-company.fr, 1
+phonosynthese.tk, 1
+phonosynthesis.tk, 1
+phorcys.net, 1
+phormance.com, 1
+phormulagroup.com, 1
+phosagro.biz, 0
+phosagro.com, 0
+phosagro.ru, 0
+phosforum.ga, 1
+photistic.org, 1
+photo-blowup.com, 0
+photo-booth.ro, 1
+photo-design.ml, 1
+photo-host.tk, 1
+photo-journ.com, 0
+photo-livesearch.com, 1
+photo-news.tk, 1
+photo-on-event.de, 1
+photo-paysage.com, 1
+photo-travel.tk, 1
+photoartelle.com, 1
+photobank.ml, 1
+photobc.photos, 1
+photobcdev.photos, 1
+photoblock.tk, 1
+photobooth-romania.ro, 1
+photobooth.id, 1
+photobosco.tk, 1
+photobrunobernard.com, 1
+photobyzachary.tk, 1
+photochka.tk, 1
+photoclothing.tk, 1
+photoconferenceers.ga, 1
+photoconferenceest.ga, 1
+photodeal.fr, 1
+photodyna.tk, 1
+photofinale.com, 1
+photogelique.be, 1
+photograf.io, 1
+photograni.ru, 1
+photographe-perigueux.com, 1
+photographe-reims.com, 0
+photographeremploymenters.ga, 1
+photographeremploymentest.ga, 1
+photographerforwedding.tk, 1
+photographersdaydream.com, 1
+photography-workshops.net, 1
+photographyandvideo.tk, 1
+photographyforchange.com, 1
+photographyforchange.org, 1
+photolakeview.com, 1
+photolessya.by, 1
+photomath.com, 1
+photomizer.com, 0
+photomodelcasting.com, 1
+photomosaicwall.ca, 1
+photonclub.ir, 1
+photoncourier.com, 1
+photopalace.tk, 1
+photophobia.tk, 1
+photoprint.tk, 1
+photoprofi.tk, 1
+photops.fr, 1
+photoreal.tk, 1
+photorelive.com, 1
+photosafari.com.my, 1
+photosafaribg.com, 1
+photosavi.com, 1
+photosbyadeline.com, 1
+photosbyzachary.tk, 1
+photoscheduleers.ga, 1
+photoscheduleest.ga, 1
+photoscotland.net, 1
+photosgaia.ch, 1
+photoshop-tipps-und-tricks.de, 1
+photosight.ru, 1
+photosight.tk, 1
+photosoftware.nl, 1
+phototechnique.tk, 1
+phototravel.uk, 1
+phototrio.com, 1
+photoutils.com, 1
+photovoltaik-reinigung.biz, 1
+photowall.tk, 1
+photowire.uk, 1
+photune.net, 1
+phoxden.net, 1
+php.watch, 1
+phpadmin666.com, 1
+phparcade.com, 1
+phparena.net, 1
+phpartners.org, 1
+phpbb-tutorials.cf, 1
+phpbbchinese.com, 0
+phpdevlabs.tk, 1
+phpdorset.co.uk, 1
+phpfactory.io, 1
+phpfashion.com, 1
+phpgalleria.com, 1
+phpinfo.in.th, 1
+phpkari.cz, 1
+phpkoru.com, 1
+phpliteadmin.org, 1
+phpmyadmin.net, 1
+phpmynewsletter.com, 1
+phpnuke-guatemala.tk, 1
+phpprime.com, 1
+phpsecure.info, 1
+phpstan.com, 1
+phpstan.org, 1
+phpunit.de, 1
+phpwebs.com, 1
+phqsoft.com, 1
+phr34kz.pw, 0
+phra.gs, 1
+phreakaus.tk, 1
+phreaker.ml, 1
+phreaknet.org, 1
+phreesia.com, 1
+phrenology.com, 1
+phrive.space, 1
+phrlegal.com, 1
+phruse.com, 1
+phryanjr.com, 0
+phryneas.de, 1
+phsa.au, 1
+phsa.co.nz, 1
+phsa.com.au, 1
+phsa.net.au, 1
+phsa.nz, 1
+phsarapp.com, 1
+phtalent.tk, 1
+phtbth-upload.com, 1
+phuket-idc.com, 1
+phuket-idc.de, 1
+phuket-nash.cf, 1
+phuket-nash.ga, 1
+phuket-tour.ga, 1
+phuketbeach.tk, 1
+phuketdir.com, 1
+phuketroman.tk, 1
+phuketstyle.tk, 1
+phukettour.ga, 1
+phukettravel.gq, 1
+phukienchanh.com, 1
+phulyshop.com, 0
+phumin.in.th, 1
+phuoctran.com.vn, 1
+phuoctran.org, 1
+phuoctran.vn, 1
+phuong.faith, 1
+phurl.de, 1
+phv-bw.de, 1
+phwoarbeauty.com, 1
+phx2-az.tk, 1
+phxserver.net, 0
+phyi.loan, 1
+phyley.com, 1
+phyllischerry.com, 1
+phys.ir, 0
+physia.gr, 1
+physicalism.com, 1
+physicalist.com, 1
+physicalmedicineandrehab.com, 1
+physicaltherapistassistantedu.org, 1
+physicianassistantedu.org, 1
+physicianbookest.ga, 1
+physiciansopticalservice.com, 1
+physicpezeshki.com, 1
+physics-schools.com, 1
+physicsforums.com, 1
+physik.lol, 1
+physio-im-appelbachtal.de, 1
+physio-koenigsee.de, 1
+physiobalance.nl, 1
+physiobrite.tk, 1
+physioteam-franz.de, 1
+physiotherapie-buk.de, 1
+physiotherapie-concept.de, 1
+physiotherapie-seiwald.de, 1
+physiotherapist-physicaltherapist.com, 1
+physiovesenaz.ch, 0
+physis.earth, 1
+phytosunaroms.com, 1
+phyxion.net, 1
+phyzx.com.au, 1
+pi-dash.com, 1
+pi-net.dedyn.io, 1
+pi-supply.com, 1
+pi1.io, 1
+pia-bardo.tk, 1
+piaad9.org, 1
+piadouwes.tk, 1
+piai.cf, 1
+piai.ga, 1
+piai.gq, 1
+piai.ml, 1
+piai.tk, 1
+piaiai.com, 1
+piajuly.net, 1
+pialove.net, 1
+pianetaottica.eu, 1
+pianetaottica.info, 1
+pianetaottica.it, 1
+pianetatatuaggi.it, 1
+piano.io, 1
+pianoadventures.com, 1
+pianodisco.tk, 1
+pianoforpreschoolers.cf, 1
+pianoforpreschoolers.ga, 1
+pianoforpreschoolers.gq, 1
+pianoguy.tk, 1
+pianojockl.org, 1
+pianoo.nl, 1
+pianopronto.com, 1
+pianoschmitz.de, 1
+pianotaku.com, 1
+pianotuning.cn, 0
+piantami.com, 1
+pianyigou.com, 1
+piaohong.tk, 1
+piasativa.com, 1
+piasto.com.cy, 1
+piata-imobiliara.tk, 1
+piataborrachas.com.br, 1
+piatabrasil.com.br, 1
+piatenko.ml, 1
+piatika.com, 1
+piatika.in, 1
+piavonpadberg.com, 1
+piboston.org, 1
+piboubes.me, 1
+pic-sl.com, 1
+pic.gov, 1
+pic.sr, 1
+pic2map.com, 1
+pic2pat.com, 1
+pic2pat.nl, 1
+picalendar.com, 1
+picante.today, 1
+picapollochino.tk, 1
+picasoft.net, 1
+picatavocat.fr, 1
+picatom.com, 0
+piccirello.com, 1
+piccoliamicisport.it, 1
+piccolino.tk, 1
+piccolinokids.gr, 1
+piccolitrasporti.it, 1
+piccolopark.co.nz, 1
+piccolotrasloco.it, 1
+picdefacer.com, 1
+pichainlabs.com, 0
+pichlerei.at, 1
+pick.aw, 1
+pick150.hu, 1
+picka.gift, 1
+pickastock.info, 1
+pickaw.click, 1
+pickaw.com, 1
+pickaw.link, 1
+pickawaycountyohio.gov, 1
+picked.cf, 1
+pickelhaubes.com, 1
+pickemsheet.com, 1
+pickenscountysc.gov, 1
+picketfence.tk, 1
+pickhdtvers.ga, 1
+pickhdtvest.ga, 1
+picklinik.id, 0
+pickmysoap.gr, 1
+picknetworkiscoming.sg, 1
+picknyeroizek.hu, 1
+picksin.club, 1
+picksshop.com, 1
+pickswapers.ga, 1
+pickswapest.ga, 1
+picksygirl.com, 1
+pickupenc.ru, 1
+piclect.com, 1
+picme.tk, 1
+picmms.com, 1
+pico.si, 1
+picobellos.tk, 1
+picofme.io, 1
+picom365.com, 1
+picone.com.au, 1
+piconepress.com, 1
+picordi.fr, 1
+picoulumber.com, 1
+picpay.com, 1
+picr.ws, 1
+picrew.me, 1
+pics.io, 1
+picsalesers.ga, 1
+picsastock.com, 1
+picshare.nz, 1
+picsnmore.de, 1
+picstar.tk, 1
+picsto.re, 0
+pictopat.com, 1
+pictopat.nl, 1
+pictoplasma.com, 1
+pictoriastudios.com, 1
+pictorista.com, 1
+pictr.nl, 1
+picturedent.org, 1
+picturesalon.com, 1
+picturesitaly.com, 1
+picturesoverstillwater.com, 1
+picturesque-games.tk, 1
+picturevictoria.vic.gov.au, 1
+picturingjordan.com, 1
+pidelo-peru.com, 1
+pidgi.net, 1
+pidginpoetry.com, 1
+pidjipi.com, 1
+pidu.jp, 1
+pie-express.xxx, 1
+pieceofcake.solutions, 1
+piecesofmind.in.rs, 1
+piecestech.com, 1
+piechart.ga, 1
+piedrahita.tk, 1
+piedrasblancas.gov, 1
+piedroshop.nl, 1
+piekacz.co.uk, 1
+piekacz.eu.org, 1
+piekacz.net, 1
+piekacz.tel, 1
+piektraining.com, 1
+piel.ai, 1
+piel.vip, 1
+pieland.eu, 1
+pielgrzymappka.pl, 1
+piem.org, 1
+piemonteeconomy.it, 1
+piening.ddns.net, 1
+piensa-escribe.tk, 1
+piepermail.nl, 1
+piepschuimlogo.nl, 1
+pieq.eu, 1
+pieq.eu.org, 1
+pier1url.com, 1
+pier28.com, 1
+pier2pier.org, 1
+piercecountyne.gov, 1
+piercingnagykereskedes.hu, 1
+piercingpiac.hu, 1
+piercraft.com, 1
+pierianservices.com, 1
+pieropuschiavo.it, 1
+pierpaoloamarante.it, 1
+pierre-denoblens.net, 1
+pierre-schmitz.com, 1
+pierreau.fr, 1
+pierreborgmann.de, 1
+pierrejeansuau.fr, 1
+pierreloizeau.com, 1
+pierreterrien.fr, 1
+pierrevieville.fr, 1
+pierreyvesdick.fr, 1
+piersmana.com, 1
+pierson.tk, 1
+pierstone.com, 1
+pietbrakman.tk, 1
+pietcees.nl, 1
+pietechsf.com, 0
+pieter-verweij.nl, 1
+pieterbamps.tk, 1
+pieterbos.nl, 1
+pieterdev.net, 1
+pietraglobal.com, 1
+pietredirapolano.com, 1
+pietron.name, 1
+pietrosoft.tk, 1
+pietrzyk.it, 1
+pieux-expert.com, 1
+piezus.ru, 1
+pif.email, 1
+pif.gov, 1
+pig-breeding.tk, 1
+pig333.com, 1
+pigb.net, 1
+pigdetector.com, 1
+pigeonracinginformation.com, 1
+pigeons-rings.com, 1
+pigfox.com, 1
+piggingcleaning.com, 1
+pigop.com, 1
+pigsbytebooks.org, 1
+pigsforsale.co.za, 1
+pigslv.com, 1
+pigzilla.co, 1
+pihaar.de, 1
+pii-protect.com, 1
+pii.bz, 1
+piifunder.co.uk, 1
+piifunder.uk, 1
+piifunding.com, 1
+piizapp.com, 1
+pijamasbichopreguica.com.br, 1
+pijiutuan.com, 1
+pijuice.com, 1
+pijusmagnificus.com, 1
+pikafan.de, 1
+pikafederation.ca, 1
+pikaramagazine.com, 1
+pikboxstore.com, 0
+pikecoga.gov, 1
+pikecountyil.gov, 1
+pikecountyohcommissioners.gov, 1
+pikeitservices.com.au, 1
+pikeky.gov, 1
+pikepa.gov, 1
+piketonohio.gov, 1
+pikimusic.moe, 1
+pikker.ee, 1
+pikkuegypti.tk, 1
+pikminwiki.com, 1
+pikmy.com, 1
+piknichok.ml, 1
+piksli.si, 1
+pilani.ch, 0
+pilar.moe, 1
+pilarguineagil.com, 1
+pilasebastovce.sk, 1
+pilatesavenue.co.uk, 1
+pilatescenteraz.com, 1
+pilatespt.nl, 1
+pilatesstation.co.th, 1
+pilatus-aircraft.com, 1
+pilbaraports.com.au, 1
+pildat.org, 1
+pileawayremovals.com, 1
+pilgermaske.org, 1
+pili-serv.ovh, 1
+piliszek.net, 1
+pillar.fi, 1
+pillar.ninja, 1
+pillar.us, 1
+pillitteriobgyn.com, 1
+pillow.sk, 1
+pillowcast.net, 1
+pillowexpertsers.ga, 1
+pillowexpertsest.ga, 1
+pillowfort.pub, 1
+pilot-colleges.com, 1
+pilot-gps.africa, 1
+pilot-gps.com, 0
+pilot.co, 1
+pilot.com, 1
+pilotbook.org, 1
+pilotcareercenter.com, 1
+pilotgrowth.com, 1
+pilotinterviews.com, 1
+pilotknobmo.gov, 1
+pilotproject.tk, 1
+pilotshop.com, 1
+pilsen.fun, 1
+pilseta24.lv, 1
+pilsner.nu, 1
+pilsook.com, 1
+pilvi.space, 1
+pilvin.pl, 1
+pimastoneaz.com, 1
+pimhaarsma.nl, 1
+pimhaarsmamedia.nl, 1
+pimichi.com, 1
+pimmel.stream, 1
+pimo.id, 1
+pimoid.fr, 1
+pimplelotionest.ga, 1
+pimpmymac.ru, 1
+pimpmypaper.com, 1
+pimpmyperf.fr, 0
+pimpninjas.org, 1
+pimppublishing.com, 1
+pimpstack.com, 1
+pims-hub.org.uk, 1
+pimylifeup.com, 1
+pin.net.au, 1
+pinalcourtsaz.gov, 1
+pinale.es, 1
+pinalove.com, 1
+pinamals.com, 1
+pinarecordsmusic.tk, 1
+pinaro.de, 1
+pinarshivmarket.com, 1
+pinatubo.tk, 1
+pinball.tk, 1
+pinboxx.com, 1
+pinceau-peinture.com, 1
+pinceaux.org, 1
+pincha.com.tw, 0
+pinched.ga, 1
+pinchoparados.tk, 1
+pinchuk.tk, 1
+pincodeit.com, 1
+pincollector.club, 1
+pincollector.net, 1
+pincong.rocks, 1
+pincsolutions.com, 1
+pindakaas.ga, 1
+pindakaas.tk, 1
+pindanutjes.be, 0
+pindercooling.com, 1
+pindostan.tk, 1
+pinebaylibrary.org, 1
+pinebeachnj.gov, 1
+pinebeecreative.com, 0
+pinebrook.tk, 1
+pinecitymn.gov, 1
+pinecone.io, 0
+pinecountymn.gov, 1
+pinedadegiguela.tk, 1
+pinedahair.com, 1
+pinefinancialgroup.com, 1
+pinegraph.com, 1
+pinegrovetownshipmi.gov, 1
+pinellaslaser.com, 1
+pinellastaxcollector.gov, 1
+pinemountbaptistchurch.org, 1
+pineradelolmo.com, 1
+pinerivermi.gov, 1
+pinesol.com, 1
+pinetreeadvisors.us, 1
+pinflux2.com, 1
+ping-books.cf, 1
+pingce.com, 1
+pingnp.me, 0
+pingodoce.pt, 1
+pingpongparkinson.at, 1
+pingrc.net, 1
+pinguinita.tk, 1
+pinguinreal.sk, 1
+pingvinofnet.ml, 1
+pinhadigital.com, 1
+pinheirobittencourt.com.br, 1
+pinigseu.xyz, 1
+pinimg.com, 1
+pink-check.school, 1
+pink-panther.tk, 1
+pink.nl, 1
+pinkapple.com, 1
+pinkband.tk, 1
+pinkbike.com, 1
+pinkbikecycle.com, 1
+pinkcasino.co.uk, 1
+pinkerton.io, 1
+pinkfoxwebdesign.com, 0
+pinkhatbeard.com, 1
+pinkitalia.tk, 1
+pinklecfest.org, 1
+pinklittlenotebook.com, 1
+pinkmango.travel, 0
+pinkoi.com, 1
+pinkoz.xyz, 1
+pinkpearl.tk, 1
+pinkplay.com.br, 1
+pinkpop.nl, 1
+pinkpussy.tv, 1
+pinkpussypics.com, 1
+pinksec.com.au, 1
+pinkster.tk, 1
+pinktara.hu, 1
+pinkvelvet.tk, 1
+pinkwatertaxis.com.au, 1
+pinkylam.me, 1
+pinleather.rs, 0
+pinmeto.com, 1
+pinnacle-tex.com, 1
+pinnacleallergy.net, 1
+pinnaclecare.com, 1
+pinnaclecommunityservices.com.au, 1
+pinnaclegroupgc.com, 1
+pinnacleholdings.com, 1
+pinnaclelife.co.nz, 0
+pinnaclelife.nz, 1
+pinnacleroofingsolutions.com, 1
+pinnacletrailers.com, 1
+pinnakl.com, 1
+pinnoto.eu.org, 1
+pinnoto.org, 1
+pinoservers.tk, 1
+pinot.it, 1
+pinoy-santi.com, 1
+pinoydeal.ph, 1
+pinoyreal.com, 1
+pinoyseoservices.com, 1
+pinoysurvey.com, 1
+pinoytambayan.ga, 1
+pinoytambayan.tk, 1
+pinoytimes.tk, 1
+pinpaituiguang.com.cn, 1
+pinpayments.com, 1
+pinpointengineer.co.uk, 1
+pinsami.it, 1
+pinsamiprofessional.com, 1
+pinse.la, 1
+pinsi.pt, 1
+pinsource.kz, 1
+pinspiration.com, 1
+pinta.tk, 1
+pinterest.at, 1
+pinterest.ca, 1
+pinterest.ch, 1
+pinterest.cl, 1
+pinterest.co, 1
+pinterest.co.kr, 1
+pinterest.co.uk, 1
+pinterest.com, 1
+pinterest.com.au, 1
+pinterest.com.mx, 1
+pinterest.com.pe, 1
+pinterest.com.py, 1
+pinterest.com.uy, 1
+pinterest.de, 1
+pinterest.dk, 1
+pinterest.ec, 1
+pinterest.engineering, 1
+pinterest.es, 1
+pinterest.fr, 1
+pinterest.ie, 1
+pinterest.info, 1
+pinterest.it, 1
+pinterest.jp, 1
+pinterest.nl, 1
+pinterest.nz, 1
+pinterest.ph, 1
+pinterest.pt, 1
+pinterest.ru, 1
+pinterest.se, 1
+pinterestvideo.com, 1
+pinterjann.is, 1
+pinterst.com, 1
+pintiaktivasyon.com, 1
+pintrest.com, 1
+pinupbets.gq, 1
+pinupsex.com, 1
+pinxporn.net, 1
+pinyonpass.com, 1
+pinyonpass.net, 1
+pinyonpass.org, 1
+pioneer-car.eu, 1
+pioneer-rus.ru, 1
+pioneer.eu, 1
+pioneerbible.org, 1
+pionierboat.cf, 1
+pionierboat.ga, 1
+pionierboat.tk, 1
+pionieren.tk, 1
+pionplex.de, 1
+piovan.com, 1
+pip-maker.com, 1
+pipa-shop.nl, 1
+piparitaikina.fi, 1
+pipeclub.tk, 1
+piped.video, 1
+pipefishdigital.com, 1
+pipelineengineeringsoftware.com, 1
+pipenav.gq, 1
+pipenny.net, 1
+piperswe.me, 1
+pipestonecounty.gov, 1
+pipetehran.ir, 1
+pipetobacco.uk, 1
+pipfrosch.com, 0
+pipglobal.com, 1
+piprivillage.ml, 1
+pipscprd.ca, 1
+piquaoh.gov, 1
+piqueteway.tk, 1
+piraino.fr, 1
+piramalglassusa.com, 1
+piramide.nl, 1
+piranhaattack.tk, 1
+piranja-cola.de, 1
+piranjasoul.de, 1
+pirapiserver.ddns.net, 1
+pirate-proxy.click, 1
+pirate-proxy.club, 1
+pirate-proxy.date, 1
+pirate-proxy.onl, 1
+pirate-proxy.pw, 1
+pirate-proxy.top, 1
+pirate-punk.net, 1
+pirate.chat, 1
+pirate.gq, 0
+piraten-basel.ch, 1
+piraten-kleinbasel.ch, 1
+piraten-recording.tk, 1
+piratenlogin.de, 0
+pirateparty.org.uk, 1
+piratepay.io, 0
+pirateproxy.how, 1
+pirates-comic.com, 1
+piratesbrewcoffee.net, 1
+piratesforums.co, 1
+piratesofthewadden.tk, 1
+piratez.tk, 1
+pircher.co.uk, 1
+pircher.tk, 1
+pires.ovh, 1
+pirman.es, 1
+pirnaaktuell.de, 1
+pirnhub.xyz, 1
+pirofire.bg, 1
+pirofire.com, 1
+pirogi.ga, 1
+piroleikki.co.jp, 1
+pirscapital.com, 1
+pirxpilot.me, 1
+pisaggni.ch, 1
+pisanpeikot.tk, 1
+pisaparaasescolas.pt, 1
+pisarzowa.tk, 1
+pisatoday.it, 1
+piscapisca.pt, 1
+piscesdwarf.com, 1
+piscestrade.com, 1
+piscine.roma.it, 1
+piscines-unibeo.com, 1
+pisearch.cc, 1
+pisearch.cn, 1
+pisemnet.tk, 1
+pisf.in, 1
+pishgamiran.tk, 1
+pisitsolutions.com, 1
+pisk.loan, 1
+piskenfuerwehr.de, 1
+pisquettes.fr, 1
+pissblau.com, 1
+pissflaps.co.uk, 1
+pissflaps.org.uk, 1
+pista73.com, 1
+pistonkandidatu.tk, 1
+pisupp.ly, 1
+piszmak.pl, 1
+pit-book.com, 1
+pit-stop-sto.tk, 1
+pitaiatrade.com, 1
+pitajrobota.com, 1
+pitakashop.hu, 1
+pitang.com, 1
+pitbooks.ga, 1
+pitbullclub.tk, 1
+pitbullsecuritysolutions.ca, 1
+pitc.nl, 1
+pitch.com, 1
+pitchforkunion.tk, 1
+pitchup.com, 1
+pitchupp.com, 0
+pitctestdomain.gov, 1
+piteadetox.com, 1
+piter-auto-painter.ru, 1
+piter-print.tk, 1
+piter178.tk, 1
+piterfish.ru, 1
+pitfire.io, 1
+pitius.tk, 1
+pitman.tk, 1
+pitomec.tk, 1
+pitot-rs.org, 1
+pitrick.tk, 1
+pitrivertribe.gov, 1
+pitshift.click, 1
+pitshift.com, 1
+pitsstop.nu, 1
+pitsundaorgan.tk, 1
+pittandmoore.co.nz, 1
+pittmancentertn.gov, 1
+pittohio.com, 1
+pittsburghfibroids.com, 1
+pittsburghhiresveterans.org, 1
+pittsburgtx.gov, 1
+pittsvillemd.gov, 1
+pitu.gov, 1
+piu.moe, 1
+piuincontri.com, 1
+piuplayer.com, 1
+piurvolium.tk, 1
+pius.com.br, 1
+piute.gov, 1
+piutesd.gov, 1
+pivbar.tk, 1
+pivio.nl, 1
+pivnica.cf, 1
+pivnica.ga, 1
+pivnica.gq, 1
+pivnica.tk, 1
+pivotaltracker.com, 1
+pivotanimation.org, 1
+pivotanimation.tk, 1
+pivovarcunak.cz, 1
+pivx2bitcoin.com, 1
+pivxblockchain.com, 1
+pivxblockchaindownload.com, 1
+piw.pw, 0
+piwko.co, 1
+pix-geeks.com, 1
+pix5.de, 1
+pixaise.pics, 1
+pixalatio.tk, 1
+pixbaton.jp, 1
+pixe2019.org, 1
+pixel-history.tk, 1
+pixel-ninjas.de, 1
+pixel-perfection.com, 1
+pixel-puls.de, 1
+pixel.facebook.com, 0
+pixel.google.com, 1
+pixel4k.com, 1
+pixelats.cat, 1
+pixelbrew.coffee, 1
+pixelcatproductions.net, 1
+pixelchannel.ga, 1
+pixelcomunicacion.com, 1
+pixelcrayons.com, 1
+pixelfiends.tk, 1
+pixelglance.com, 1
+pixelgliders.de, 1
+pixelglue.com.au, 1
+pixelheaven.tk, 1
+pixelhero.co.uk, 0
+pixelion.tk, 1
+pixellent.me, 1
+pixelmarketing.hu, 0
+pixelmattic.com, 1
+pixelmedianetwork.com, 1
+pixelmonworld.fr, 1
+pixelonl.com, 1
+pixelpaper.org, 1
+pixelplex.io, 1
+pixelrain.info, 1
+pixelsbanking.com, 1
+pixelshealth.com, 1
+pixelsketch.co.uk, 1
+pixelsquared.us, 1
+pixelstamp.net, 1
+pixelstrade.com, 1
+pixeltranslating.com, 1
+pixelturkey.art, 1
+pixelturkey.com, 1
+pixelumin3d.com, 1
+pixelurbia.com, 1
+pixeluser.de, 1
+pixelution.at, 1
+pixelw.design, 1
+pixelwijk.de, 1
+pixelz.cc, 1
+pixemoji.com, 1
+pixend.de, 1
+pixeon.com, 1
+pixiin.com, 1
+pixinfo.com, 1
+pixiv.cat, 1
+pixiv.moe, 1
+pixiv.re, 1
+pixlfox.com, 1
+pixloc.fr, 1
+pixnel.com.br, 1
+pixodo.tk, 1
+pixojo.tk, 1
+pixouno.com, 1
+pixshop.fr, 1
+pixstash.net, 1
+pixsystem.com, 1
+pixxxels.cc, 1
+pixyship.com, 1
+pixzilla.de, 1
+pizala.de, 1
+pizdelka.tk, 1
+pizza-24.tk, 1
+pizza-aachen.de, 1
+pizza-calzone.com, 1
+pizza-curator.com, 1
+pizza-house.tk, 1
+pizza2020andcatering.com, 1
+pizzabesteld.nl, 1
+pizzacontenta.tk, 1
+pizzacosi.nl, 1
+pizzafest.ddns.net, 1
+pizzagaming.tk, 1
+pizzagigant.hu, 1
+pizzahut.co.in, 1
+pizzahut.com.tw, 1
+pizzamc.eu, 1
+pizzaplus.tk, 1
+pizzariapartiupizza.com.br, 1
+pizzariaroma.cf, 1
+pizzarts.fr, 1
+pizzaslut.xyz, 1
+pizzeriaamadeus.hr, 1
+pizzeriasmallorca.com, 1
+pizzeriaveneziana.it, 1
+pj11018.com, 1
+pj4488.cc, 1
+pjax.xyz, 1
+pjc.is, 1
+pjentertainments.co.uk, 1
+pjleisure.co.uk, 1
+pjo.no, 1
+pjotor.tk, 1
+pjp.com.mt, 0
+pjshop.cf, 1
+pjsk.cc, 1
+pjsk.eu.org, 1
+pjuu.com, 0
+pjv.co.id, 1
+pk-master.tk, 1
+pk-soft.tk, 1
+pk.search.yahoo.com, 0
+pk7777.com, 1
+pk8k.com, 1
+pkautodesign.com, 0
+pkb.shop, 1
+pkbjateng.com, 1
+pkeus.de, 1
+pkg.one, 1
+pkgbuild.com, 1
+pkgt.de, 0
+pki.com.ru, 1
+pkirwan.com, 1
+pkjtim.com, 1
+pko.ch, 0
+pkov.cz, 1
+pkq5.com, 1
+pkrank.com, 1
+pkservice.tk, 1
+pkshs.my, 1
+pkspskov.tk, 1
+pkvgames.expert, 1
+pkvgamesqq.asia, 1
+pkwebsolutions.cf, 1
+pl-cours.ch, 0
+pl-trans.tk, 1
+pl.search.yahoo.com, 0
+pl2.es, 1
+placasonline.com.br, 1
+placeandsee.com, 1
+placedaffiliate.com, 1
+placedapps.com, 1
+placedsupport.com, 1
+placeforgames.tk, 1
+placehold.co, 1
+placements.io, 1
+placementspot.ca, 1
+placenet.fr, 1
+placeofindia.com, 1
+placepay.com, 1
+placepugs.com, 1
+placeralplato.com, 1
+placercountyelections.gov, 1
+placidoandriolo.tk, 1
+placker.com, 1
+plagiarismcheck.org, 1
+plagu.ee, 1
+plagued.tk, 1
+plaid.com, 1
+plainfieldil.gov, 1
+plainfieldpolicenj.gov, 1
+plainfieldvt.gov, 1
+plaingreenloans.com, 1
+plainjs.com, 1
+plainlanguage.gov, 1
+plainoltrailers.com, 1
+plainsgeorgia.gov, 1
+plainsoftware.org, 1
+plaintech.net.au, 1
+plaintext.pizza, 1
+plaintextpledge.com, 1
+plaintextpledge.email, 1
+plaintextpledge.eu, 1
+plaintextpledge.net, 1
+plaintextpledge.org, 1
+plaintownshipstarkoh.gov, 1
+plaintray.com, 1
+plaisirdumouvement.com, 1
+plaisiretsens.com, 1
+plaisirs-coquins.com, 1
+plakakodlari.com, 1
+plakbak.nl, 1
+plaloo.gq, 1
+plaloo.tk, 1
+plan-immobilier.fr, 1
+plan-it-events.de, 1
+planafy.com, 1
+planbase.com, 1
+planchasvertical.es, 1
+plancke.io, 1
+plandecorones.net, 1
+plandegralba.net, 1
+plandomemanorny.gov, 1
+plandy.me, 1
+planecon.nz, 1
+planeexplanation.com, 1
+planen-bauen.eu, 1
+planer.me, 1
+planet-laas.de, 1
+planet-work.com, 1
+planet.live, 1
+planeta-deti.org, 1
+planeta-remontika.ga, 1
+planetadeti.org, 1
+planetadjs.com, 1
+planetairsports.com, 1
+planetalife.com, 1
+planetamarrom.tk, 1
+planetamend.com, 1
+planetamestizo.tk, 1
+planetamotoshonda.com.br, 1
+planetamusik.tk, 1
+planetandroid.ga, 1
+planetanim.fr, 1
+planetapolska.com, 1
+planetaprogramas.tk, 1
+planetarapluso.tk, 1
+planetarian.moe, 1
+planetasilius.tk, 1
+planetasuboficial.com.br, 1
+planetau2.com, 1
+planetbreath.ch, 0
+planetcbd.net, 1
+planetchiropracticga.com, 1
+planete-lira.fr, 1
+planete-secu.com, 1
+planeteroliste.com, 1
+planeteroliste.fr, 1
+planetfertilityest.ga, 1
+planetgolf.de, 1
+planetgrehen.tk, 1
+planethowl.com, 1
+planeticke.com, 1
+planetickettravel.com, 1
+planetknauer.net, 1
+planetmath.org, 1
+planetmetroidprime.tk, 1
+planetmobile.tk, 1
+planetmugen.tk, 1
+planetonline.tk, 1
+planetpowershell.com, 1
+planetradio.tk, 1
+planetromeo.com, 1
+planetromeofoundation.org, 1
+planetscale.com, 1
+planetstimes.com, 1
+planettimer.com, 1
+planetun.mobi, 1
+planetweb.tk, 1
+planful.com, 0
+planify.io, 0
+planisanin.tk, 1
+planiserin.tk, 1
+planisware.academy, 1
+planisware.cn, 1
+planisware.io, 1
+planisware.live, 1
+planiswareusa.com, 1
+planisys.net, 1
+planitz.com, 1
+planitz.net, 1
+planitz.org, 1
+planium.io, 1
+planled.ga, 1
+planlos.net, 0
+planmember.com, 1
+planmemberpartners.com, 1
+planned-cities.com, 1
+plannedgrocery.com, 1
+plannedlink.com, 1
+planning.center, 1
+planning.ga, 1
+planning.nl, 1
+planningcenter.com, 0
+planningsagenda.nl, 1
+plano.gq, 1
+planodesaude.net.br, 1
+planresto.com, 1
+planriean.com, 1
+planrow.com, 1
+plansaude.med.br, 1
+planshetnik.tk, 1
+plant-gift.jp, 1
+plantacioneseltejo.es, 1
+plantarportugal.org, 1
+plantastique.ch, 0
+planteforum.no, 1
+plantenvinder.nl, 1
+plantepakken.dk, 1
+plantes.ch, 1
+plantezcheznous.com, 1
+planther.nl, 1
+plantidentification.co, 0
+plantinum-cbd.com, 1
+plantmojomagic.com, 1
+plantprosperous.com, 1
+plantroon.com, 1
+plantrustler.com, 1
+plantsupplement.co.uk, 1
+planujemywesele.pl, 1
+planungsdetail.de, 1
+planungsregion-abw.de, 1
+planview.com, 1
+plaque-funeraire.fr, 1
+plaque-immatriculation-auto.com, 1
+plaqueimmat.fr, 1
+plaredo.tk, 1
+plaros.ml, 1
+plasapulsa.tk, 1
+plasesolev.tk, 1
+plasfab.com.au, 1
+plaskiewicz.pl, 1
+plasma.nl.eu.org, 1
+plasmainc.xyz, 1
+plasmatrap.com, 1
+plasofficial.it, 1
+plassmann.ws, 1
+plast.bg, 1
+plast.design, 1
+plastdesign.com.ua, 1
+plastex.tk, 1
+plastic2print.com, 1
+plasticdoctor.co.uk, 1
+plasticdonut.tk, 1
+plasticflash.com, 1
+plasticobiodegradable.com, 1
+plasticosbiobasados.com, 1
+plasticpassion.tk, 1
+plasticscm.com, 1
+plasticstare.com, 1
+plasticsurgeon.ga, 1
+plasticsurgerynola.com, 1
+plasticsurgerypartyers.ga, 1
+plasticsurgerypartyest.ga, 1
+plasticwindows.tk, 1
+plastiform.nl, 1
+plastischechirurgie-linz.at, 1
+plastokna.tk, 1
+plastovelehatko.cz, 1
+plataformaslms.com, 1
+platanakia.tk, 1
+plate.de, 1
+plateforme-exposant.com, 1
+plateformecapitalisation.org, 1
+plateriaaida.tk, 1
+platform-med.org, 1
+platform2020prague.com, 1
+platforma2020praha.cz, 1
+platformadmin.com, 1
+platformio-cn.com, 1
+plathome.co.jp, 1
+platiniumvapes.com, 1
+platinnetz.de, 1
+platinum1.ru, 1
+platinumalertsers.ga, 1
+platinumalertsest.ga, 1
+platinumcalendarest.ga, 1
+platinumcat.info, 1
+platinumgatesecurity.co.uk, 1
+platinumjubilee.gov.au, 1
+platinumkids.com.br, 1
+platinumpoolsaz.com, 1
+platinumsystems.biz, 1
+platinumtalkers.ga, 1
+platinumtalkest.ga, 1
+platitudemusic.com, 1
+platodecomida.com, 1
+platpoint.com, 1
+platschi.net, 1
+plattecountymovotes.gov, 1
+platten-nach-mass.de, 1
+plattenair.tk, 1
+platter.cf, 1
+platter.ga, 1
+platter.gq, 1
+platter.tk, 1
+platterlauncher.com, 1
+plattmakers.de, 0
+platueguide.tk, 1
+platypiduses.com, 1
+plaul.de, 1
+plausibility.cloud, 1
+plaut.sk, 1
+plavdoma.com.ua, 1
+plavormind.tk, 1
+play, 1
+play-asia.com, 1
+play-best-games.com, 1
+play-casino-japan.com, 1
+play-charades.com, 1
+play-lu.com, 1
+play-mate.tk, 1
+play-telochki.tk, 1
+play.cash, 1
+play.google.com, 1
+play3niu1.com, 1
+play3niu11.com, 1
+play3niu18.com, 1
+play3niu22.com, 1
+play3niu33.com, 1
+play3niu55.com, 1
+play3niu58.com, 1
+play3niu66.com, 1
+play3niu68.com, 1
+play3niu8.com, 1
+play3niu88.com, 1
+play595.com, 1
+playabalares.ga, 1
+playandwin.co.uk, 1
+playanka.com, 1
+playapex.cn, 1
+playapex.com.cn, 1
+playapexcn.com, 1
+playasdegalicia.tk, 1
+playavalon.net, 1
+playball.tk, 1
+playcasinos.ca, 1
+playcollect.net, 1
+playdaysparties.co.uk, 1
+playdlawosp.pl, 1
+playdrop.ml, 1
+playeereq.lol, 1
+playelephant.com, 1
+player701.net, 1
+player701.ru, 1
+playerdb.co, 1
+playerslounge.co, 0
+playerup.com, 1
+playface.ml, 1
+playform.cloud, 1
+playfrank.com, 1
+playgame.tk, 1
+playgamenow.tk, 1
+playgameoflife.com, 1
+playgroundhaarlem.nl, 1
+playhappywheelsunblocked.com, 1
+playhothand.com, 1
+playhothands.com, 1
+playinfinity.com, 1
+playinfinityvr.com, 1
+playit.rs, 1
+playkids.com, 1
+playlistresearch.com, 1
+playmat.com, 1
+playmei.com, 0
+playnow.com, 1
+playnuganug.com, 1
+playocean.net, 1
+playorigin.com, 1
+playphoenix.net, 1
+playpirates.com, 1
+playpower.tk, 1
+playreal.cc, 1
+playreal.city, 1
+playreal.com.tw, 1
+playsnake.org, 1
+playsoftware.tk, 1
+playsprout.industries, 1
+playstation-network.ga, 1
+playstation-news.de, 1
+playstationplus.es, 1
+playstationtrophies.org, 1
+playtheme.ru, 1
+playtictactoe.org, 1
+playtoearn.net, 1
+playtop.tk, 1
+playtopia.com, 1
+playtopia.fr, 1
+playtopia.nl, 1
+playtopia.no, 1
+playtzolk.in, 1
+playviolinmusic.com, 1
+playwhyyza.com, 1
+playwright.co, 1
+playxylo.com, 1
+playzone.tk, 1
+plaza.ph, 1
+plazamarinavallarta.com, 1
+plazaproductionone.com, 1
+plazaservicesllc.com, 1
+plazasummerlin.com, 1
+plcclosets.com, 1
+plcgurus.net, 1
+plchardware.com, 1
+pldx.org, 1
+pleasantonca.gov, 1
+pleasantonmobilenotary.com, 1
+pleasantvalleywi.gov, 1
+pleasantviewmi.gov, 1
+pleasantvillepd.org, 1
+please-uwu.me, 1
+pleaseuseansnisupportedbrowser.ml, 1
+pleasure-science.com, 1
+pleasured.tk, 1
+pleasureplanetbrothel.com.au, 1
+pleb.cc, 1
+plebeian.com.tw, 1
+pleeease.io, 1
+pleer.ru, 1
+plegro.com, 1
+pleiadiantalk.tk, 1
+pleiar.no, 1
+pleier.no, 1
+pleijsier.tk, 1
+pleindedemsvaart.tk, 1
+plejdbelysning.se, 1
+plenigo.com, 1
+plenkanaotrez.ml, 1
+plentybetter.com, 1
+plentybetter.org, 1
+pleo.io, 1
+pleskssd1.nl, 1
+plesse.pl, 1
+pletenkin-nn.ru, 1
+plex-server.cz, 1
+plex.tv, 1
+plexa.de, 1
+plexbpvr.ddns.net, 1
+plexhome13.ddns.net, 1
+plexidirect.nl, 1
+plexiglasssheetscuttosize.com, 1
+plexion.cf, 1
+plexion.ga, 1
+plexion.gq, 1
+plexmark.net, 1
+plexmark.tk, 1
+plexnet.cz, 1
+plexopedia.com, 1
+plexpy13.ddns.net, 1
+plextv.de, 1
+plexusmd.com, 0
+plexusworldwide.com, 1
+plgr.cc, 1
+plgr.tech, 1
+plicca.com, 0
+plichso.de, 1
+plicker.net, 1
+plikersi.tk, 1
+plikiai.tk, 1
+plintusof.by, 1
+pliosoft.com, 1
+pliroforikikoufopoulou.gr, 1
+plissee-experte.de, 1
+plitu.de, 1
+plixer.com, 1
+plixer.net, 1
+plkeenecc.com, 1
+pllivres.cf, 1
+plob.org, 1
+plodwithme.com, 1
+ploi.io, 1
+plokko.com, 1
+plomberie-rivesud.ca, 1
+plomeros.cl, 1
+plomin.tk, 1
+plongee-phuket.fr, 1
+ploof-cleaning.gr, 1
+plooij.it, 1
+ploptec.tk, 1
+plothost.com, 1
+plotly.com, 1
+plougastel.com, 1
+plov.loan, 1
+plowerolin.tk, 1
+ploxel.co.uk, 1
+ploxel.com, 1
+plr4wp.com, 1
+plrarena.com, 1
+pltyw.com, 1
+plu.st, 1
+plugcubed.net, 0
+plugin-planet.com, 1
+pluginhayati.tk, 1
+pluginrealty.net, 1
+pluginthemehub.com, 1
+plugshare.com, 1
+pluimveeplanner.nl, 1
+plumage.so, 1
+plumair-ve.com, 1
+plumb.build, 1
+plumber-in-boksburg.co.za, 1
+plumber-in-sandton.co.za, 1
+plumber-kempton.click, 1
+plumber-midrand.click, 1
+plumber-randburg.click, 1
+plumberdurbannorth.co.za, 1
+plumberkingsburgh.co.za, 1
+plumberlewisvilletexas.com, 1
+plumberoftucson.com, 1
+plumberqueensburgh.co.za, 1
+plumberumhlangarocks.co.za, 1
+plumbingbear.com, 1
+plumbingfourways.co.za, 1
+plumbingkingsllc.com, 0
+plumbingmidrand.co.za, 1
+plumbingshop.tk, 1
+plumbware.co.uk, 1
+plumefox.com, 1
+plumlakewi.gov, 1
+plumlocosoft.com, 1
+plumnet.ch, 0
+plumperthumbs.com, 1
+plumpie.net, 0
+plumplat.com, 1
+plumsail.com, 1
+plumz.me, 1
+plur.com.au, 1
+plural.cafe, 1
+pluralistic.net, 1
+pluralpedia.org, 1
+pluricosmetica.com, 1
+plurilock.com, 1
+pluriumint.com, 1
+plurr.me, 1
+plurr.us, 1
+plus-project.co.uk, 1
+plus.google.com, 1
+plus.sandbox.google.com, 1
+plus.st, 1
+plus15.ml, 1
+plus15.tk, 1
+plus1s.site, 1
+plusbeauty.tw, 1
+plusbot.tk, 1
+plusfitness.com.au, 1
+plusgrandevilledefrance.com, 1
+plushev.tk, 1
+pluslink.co.jp, 1
+plusnet.de, 0
+plusport-api.com, 1
+plusport.com, 1
+plusreed.com, 1
+plustech.co.id, 1
+plustwik.com, 1
+pluta.net, 1
+plutiedev.com, 1
+pluto5000.com, 1
+plutopia.ch, 1
+pluvo.site, 1
+pluxml.org, 1
+plyind.com, 1
+plymouthboroughpa.gov, 1
+plymouthbus.co.uk, 1
+plymouthcountyiowa.gov, 1
+plymouthct.gov, 1
+plymouthnh.gov, 1
+plymouthrockwi.gov, 1
+plymouthshawneeindians.org, 1
+plymouthtownshippa.gov, 1
+plymouthwi.gov, 1
+plz.report, 1
+plzdontpwn.me, 1
+plzen-sadrokarton.cz, 1
+plzen.fun, 1
+plzh4x.me, 1
+plztoy.com, 1
+pm-22711.space, 1
+pm-onboarding-external-dev.azurewebsites.net, 1
+pm-partners-management-dev.azurewebsites.net, 1
+pm-schilderwerk.nl, 1
+pm-tm.info, 1
+pm.gov.au, 1
+pm.link, 1
+pm.me, 1
+pm.ua, 1
+pm.uz, 1
+pm13.cz, 1
+pm13.org, 1
+pm25.im, 1
+pma-iss.com, 1
+pma-tools.de, 1
+pmail.tw, 1
+pmalaty.com, 1
+pmarbeid.nl, 1
+pmarques.info, 1
+pmbc.org, 1
+pmbet.vip, 1
+pmbrachyeducation.ca, 1
+pmc-maisons-bois.fr, 1
+pmc.gov.au, 1
+pmcancercampus.ca, 1
+pmcancerclasses.ca, 1
+pmcancerrehab.ca, 1
+pmcaregiver.ca, 1
+pmcc.net, 1
+pmccrystal.com, 1
+pmconsulting.es, 1
+pmcorganometallix.com, 1
+pmcorp.com, 0
+pmcorp.mx, 1
+pmcouvrie.com, 1
+pmctcg.com, 1
+pmctire.com, 0
+pmcvinyladditives.com, 1
+pmdealerest.ga, 1
+pmdistributors.com.au, 1
+pmessage.ch, 1
+pmf.gov, 1
+pmg-offshore-company.com, 1
+pmg.ua, 1
+pmglobal.ro, 1
+pmgroup-global.com, 1
+pmh.codes, 1
+pmi-install.com, 1
+pmi.edu, 1
+pmi.gov, 1
+pmiandulive.com, 1
+pmibags.com, 1
+pmicorp.in, 1
+pmk.ddns.net, 0
+pml4t.net, 1
+pmnaish.co.uk, 1
+pmnd.rs, 1
+pmoreau.org, 1
+pmoscr.com, 1
+pmota.org, 1
+pmp-art.com, 1
+pmp6.fr, 1
+pmpm.tk, 1
+pms.myiphost.com, 1
+pmscomputers.com, 1
+pmsf.eu, 1
+pmsfdev.com, 1
+pmsfoundation.ml, 1
+pmsoft.nl, 0
+pmt-documenten.nl, 1
+pmvmaconnerie.fr, 1
+pn.com.au, 1
+pn.id.lv, 1
+pnakosoft.com, 1
+pnakosoft.com.au, 1
+pnbholdings.com, 1
+pncfx.com, 1
+pneu01.fr, 1
+pneu74.fr, 1
+pneuhaus-lemp.ch, 1
+pneumania.fr, 1
+pneupro.ma, 1
+pnfiles.tk, 1
+png.am, 1
+pnggrid.com, 1
+pnimmobilier.ch, 0
+pnlarticles.com, 1
+pnnl.gov, 1
+pnoec.org.do, 1
+pnr.aero, 1
+pnr.sh, 1
+pnsc.is, 1
+pnut.io, 0
+pnvufs.com, 1
+pnwchirocoverage.com, 1
+po-italy.ru, 1
+po-krasivi.bg, 1
+po-sha-go-vo.ru, 1
+po.cash, 1
+po.ne, 1
+po.net, 1
+poac.net, 1
+pobalkonu.ru, 1
+pobierz.pl, 1
+poc060.com, 1
+poc080.com, 1
+poc090.com, 1
+poc100.com, 1
+poc109.com, 1
+poc11.com, 1
+poc116.com, 1
+poc118.com, 1
+poc119.com, 1
+poc120.com, 1
+poc128.com, 1
+poc13.com, 1
+poc15.com, 1
+poc16.com, 1
+poc17.com, 1
+poc18.com, 1
+poc19.com, 1
+poc21.com, 1
+poc211.com, 1
+poc226.com, 1
+poc228.com, 1
+poc23.com, 1
+poc25.com, 1
+poc26.com, 1
+poc261.com, 1
+poc262.com, 1
+poc27.com, 1
+poc290.com, 1
+poc298.com, 1
+poc31.com, 1
+poc32.com, 1
+poc33.com, 1
+poc35.com, 1
+poc36.com, 1
+poc37.com, 1
+poc38.com, 1
+poc51.com, 1
+poc518.com, 1
+poc52.com, 1
+poc53.com, 1
+poc55.com, 1
+poc56.com, 1
+poc568.com, 1
+poc57.com, 1
+poc58.com, 1
+poc586.com, 1
+poc588.com, 1
+poc59.com, 1
+poc601.com, 1
+poc618.com, 1
+poc63.com, 1
+poc65.com, 1
+poc66.com, 1
+poc661.com, 1
+poc663.com, 1
+poc665.com, 1
+poc668.com, 1
+poc669.com, 1
+poc67.com, 1
+poc68.com, 1
+poc69.com, 1
+poc699.com, 1
+poc71.com, 1
+poc718.com, 1
+poc72.com, 1
+poc75.com, 1
+poc76.com, 1
+poc768.com, 1
+poc77.com, 1
+poc771.com, 1
+poc772.com, 1
+poc773.com, 1
+poc779.com, 1
+poc78.com, 1
+poc79.com, 1
+poc8.com, 1
+poc816.com, 1
+poc86.com, 1
+poc866.com, 1
+poc88.vip, 1
+poc8811.com, 1
+poc882.com, 1
+poc8822.com, 1
+poc883.com, 1
+poc8833.com, 1
+poc885.com, 1
+poc8855.com, 1
+poc886.com, 1
+poc8866.com, 1
+poc887.com, 1
+poc8877.com, 1
+poc888.com, 1
+poc889.com, 1
+poc8899.com, 1
+poc89.com, 1
+poc899.com, 1
+poc916.com, 1
+poc918.com, 1
+poc98.com, 1
+poc99.com, 1
+poc992.com, 1
+poc993.com, 1
+poc995.com, 1
+poc996.com, 1
+poc997.com, 1
+poc998.com, 1
+pocahontascountyiowa.gov, 1
+pocahontascountywv.com, 1
+pocakking.tk, 1
+pocatello.gov, 1
+pocatellonissanparts.com, 1
+pochemuchka-books.com, 1
+pochikikaku.com, 1
+pochkiguru.ru, 1
+pochoden-praha.cz, 1
+pocitacezababku.cz, 1
+pock-programming.net, 1
+pocket-lint.com, 1
+pocketbookdot.tk, 1
+pocketcraft.io, 1
+pocketdeer.cc, 1
+pocketfruity.com, 1
+pocketgamingdirectory.com, 1
+pocketmags.com, 1
+pocketpasta.com, 1
+pockettraveling.tk, 1
+poco.se, 1
+pococo.tk, 1
+pocopizza.co.uk, 1
+pocze.ch, 1
+pod-emnik.by, 1
+pod.lv, 1
+podari-radost.tk, 1
+podari.tk, 1
+podarki-deda-moroza.tk, 1
+podarkiboss.tk, 1
+podarky.gq, 1
+podarochek.tk, 1
+podarochkki.tk, 1
+podatrans.com, 1
+podawful.com, 1
+podawful.pizza, 1
+podcast.style, 1
+podcaster.org.il, 1
+podcastmusic.com, 1
+podcastpulse.net, 1
+podcreative.ca, 1
+podcrto.si, 1
+podcrypters.ga, 1
+podcryptest.ga, 1
+podd.xyz, 1
+podemos.info, 1
+podfastlane.com, 1
+podia.com.gr, 0
+podia.gq, 1
+podipod.com, 1
+podis.ro, 1
+podivilov.com, 1
+podivilov.cz, 1
+podivilov.net, 1
+podivilov.ru, 1
+podnikatel.cz, 1
+podologie-diever.nl, 1
+podologie-tangstedt.de, 1
+podologyclinic.gr, 1
+podolskaya.tk, 1
+podoscop.org, 1
+podparkers.ga, 1
+podparkest.ga, 1
+podprotectionest.ga, 1
+podqueue.fm, 1
+podroof.com, 0
+podroof.com.au, 0
+podrozwmilczeniu.pl, 1
+podshrink.de, 1
+podvenec.tk, 1
+podycust.co.uk, 1
+poed.com.au, 1
+poed.net.au, 1
+poeditor.com, 1
+poehlerflorian.de, 1
+poeleapellets.org, 1
+poemasonline.tk, 1
+poemerx.com, 1
+poemerx.net, 1
+poemindia.cf, 1
+poemlife.com, 1
+poems-bodywear.store, 1
+poemwall.cf, 1
+poemwall.ml, 1
+poemwallers.ga, 1
+poemwallest.ga, 1
+poenhub.xyz, 1
+poetasmenores.tk, 1
+poetenblog.tk, 1
+poeticplanetimagery.com, 1
+poetics.tk, 1
+poetka.tk, 1
+poetry.ge, 1
+poetryinmusic.tk, 1
+poetsgate.com, 1
+poetsjeboot.nl, 1
+poezja.art, 1
+poezja.com.pl, 1
+poezjagala.pl, 1
+pog.im, 1
+pogera.com, 0
+poggensee.it, 1
+pogljad-brest.tk, 1
+pogodavolgograd.tk, 1
+pogodok.tk, 1
+pogomate.com, 1
+pogotowie-komputerowe.tk, 1
+pogotowiekomputeroweolsztyn.pl, 1
+pogrebeniq-sofia.com, 1
+pogrebisky.net, 1
+pohlmann.io, 1
+pohmagazine.org, 1
+pohoron.ru, 1
+poimel.ga, 1
+poimenidou.eu, 1
+poimenidou.gr, 1
+poimenidou.info, 1
+poin.tk, 1
+poinsot.info, 1
+point.pink, 1
+pointaction.com, 1
+pointagri.com, 1
+pointbarre.tk, 1
+pointcab.vn, 1
+pointclickcare.com, 1
+pointel.it, 1
+pointermate.com, 1
+pointforwardinc.net, 1
+pointfoundation.org, 1
+pointhost.de, 1
+pointiswunderland.de, 1
+pointmaquininha.com, 0
+pointpalace.tk, 1
+pointpleasantbeachnj.gov, 1
+pointpur.ch, 1
+points-pote.com, 1
+points4unitedway.com, 1
+pointtosource.com, 1
+pointum.com, 1
+pointworksacademy.com, 1
+pointzip.cf, 1
+pointzip.ml, 1
+pointzipers.ga, 1
+pointzipest.ga, 1
+poiru.net, 1
+poisk-books.ml, 1
+poiskdru.ga, 1
+poiskkladov.tk, 1
+poiskkristinity.ml, 1
+poiskrus.ml, 1
+poisoncolombia.tk, 1
+poisonget-rid-ofac.tk, 1
+poitiers-ttacc-86.eu.org, 1
+pojer.me, 1
+pojoksosmed.com, 1
+pokagontownshipmi.gov, 1
+pokalsocial.de, 1
+poke.blue, 1
+pokedex.mobi, 1
+pokedexer.com, 1
+pokeelektronik.com, 1
+pokeelektronik.com.tr, 1
+pokefarm.com, 1
+pokeforest.io, 1
+pokegourou.com, 1
+pokeinthe.io, 1
+pokelens.tk, 1
+pokeli.de, 1
+pokemmo.com, 1
+pokemmo.eu, 1
+pokemonargentina.tk, 1
+pokemondb.net, 1
+pokemonforums.tk, 1
+pokemongoclub.tk, 1
+pokemonguide.tk, 1
+pokemonlab.com, 1
+pokemonsimulator.com, 1
+pokemonsvet.cz, 1
+pokemontabletopadventures.com, 1
+pokemori.jp, 1
+pokepon.center, 1
+poker4all.tk, 1
+pokerace.cf, 1
+pokerace.tk, 1
+pokeraddressers.ga, 1
+pokeraddressest.ga, 1
+pokeram.ml, 1
+pokerblog.tk, 1
+pokeridioters.ga, 1
+pokeridiotest.ga, 1
+pokerigrach.com, 1
+pokernyheder.io, 1
+pokerreligioners.ga, 1
+pokerreligionest.ga, 1
+pokerslab.com, 1
+pokerstarslearn.com, 1
+pokerventure.ga, 1
+pokerventureers.ga, 1
+pokerventureest.ga, 1
+pokerzone.com, 1
+poki.at, 1
+poki.be, 1
+poki.bg, 1
+poki.by, 1
+poki.ch, 1
+poki.cn, 1
+poki.co.id, 1
+poki.co.il, 1
+poki.com, 1
+poki.com.br, 1
+poki.cz, 1
+poki.de, 1
+poki.dk, 1
+poki.fi, 1
+poki.gr, 1
+poki.it, 1
+poki.jp, 1
+poki.nl, 1
+poki.no, 1
+poki.pl, 1
+poki.pt, 1
+poki.ro, 1
+poki.se, 1
+pokkareindeermeat.com, 1
+pokl.cz, 1
+pokoiki.pl, 1
+pokon548.ink, 1
+pokpok.tk, 1
+pokrowcecardo.pl, 1
+pokupar.com, 1
+pokupkionline.tk, 1
+pokysoia.gov, 1
+pol-members.com, 1
+polaire.org, 1
+polak-import.tk, 1
+polan.tk, 1
+poland.tf, 1
+polanda.com, 1
+polandb2b.directory, 1
+polandtownship.gov, 1
+polar-baer.com, 1
+polarbear.army, 1
+polarhome.tk, 1
+polarisapp.xyz, 1
+polarisengineering.com, 1
+polarispool.com, 0
+polaroidmag.com, 1
+polaschin.ch, 1
+polatas.com.tr, 1
+polatsemih.com, 1
+polbox.fr, 1
+poldrack.me, 1
+pole-mecanique.fr, 1
+pole.net.nz, 1
+poleasingowy.net, 1
+polebarn.com, 1
+polemik.tk, 1
+polenautohuur.nl, 1
+polerka.tk, 1
+polestar.com.tw, 1
+poletaem.tk, 1
+poleznie-soveti.info, 1
+polezno-v-internete.ml, 1
+police-schools.com, 1
+police4tn.gov, 1
+policeauctionsusa.com, 1
+policemanapp.com, 1
+policereferencecheck.com, 1
+policeroleplay.community, 1
+policesromandesrecrutement.ch, 1
+policies.pro, 1
+policybanks.com, 1
+policyhub.gov.au, 1
+policymakr.com, 1
+policymine.com, 1
+policyreporter.us, 1
+policytrusters.ga, 1
+policytrustest.ga, 1
+polidelia.com, 1
+poliermachines.be, 1
+polifisio.com.br, 1
+poliground.com, 1
+polimer39.ml, 1
+polina-gagarina.gq, 1
+polioptics.com, 1
+polis.or.at, 1
+polis.to, 0
+polis812.ru, 1
+polisafety.gr, 1
+polisanaraka.pl, 1
+polisanarciarska.pl, 1
+polish-dictionary.com, 1
+polish-flag.com, 1
+polish-translations.com, 1
+polish-translator.com, 1
+polish-translator.net, 1
+polish-translators.net, 1
+polish.directory, 1
+polishdating.cf, 1
+polishfabrics.com, 1
+polishforums.com, 1
+polishhockey.tk, 1
+polishmarriage.org, 1
+polishmodels.net, 1
+polishtranslation.com, 1
+polisipati.tk, 1
+polismar.com, 1
+polismar.pt, 1
+polismar.uy, 1
+polisport.tk, 1
+polisynazycie.com.pl, 1
+polit-it.pro, 1
+polit.im, 1
+politagree.com, 1
+politeiaudesa.org, 0
+politeka.net, 1
+politex.tk, 1
+politic.org.ua, 1
+political-science-schools.com, 1
+politicalasylum.tk, 1
+politicalscore101.com, 1
+politicaprivacidade.com, 1
+politiciancompare.com, 1
+politicsandnews.cf, 1
+politicsandnews.ga, 1
+politicsandnews.ml, 1
+politicsandnews.tk, 1
+politicsnews.ga, 1
+politicsnews.ml, 1
+politicsnews.tk, 1
+politicsnigeria.com, 1
+politiegent.be, 1
+politik-bei-uns.de, 1
+politik-kommunikation.de, 1
+politisor.com, 1
+politnews5.tk, 1
+politsei.ee, 0
+politvesti.tk, 1
+polkcountyne.gov, 1
+polkcountywi.gov, 1
+polkelections.gov, 1
+polkhealthforanewyou.net, 0
+polki.com, 1
+polknc.gov, 1
+polkswcdiowa.gov, 1
+pollen.co, 1
+pollendine.co.uk, 1
+pollet-ghijs.be, 1
+pollet-ghys.be, 1
+polletmera.com, 0
+pollev-embeds.com, 1
+pollev.com, 1
+polleverywhere.com, 1
+polliga.tk, 1
+pollingplace.uk, 1
+pollnowhere.com, 1
+pollock.gallery, 1
+pollock.tk, 1
+pollpodium.nl, 1
+polly.spdns.org, 1
+pollypaps.ru, 1
+pollyundpaule.de, 1
+polnischestoffe.eu, 1
+polog.tk, 1
+poloil.gov, 1
+polomack.eu, 1
+poloniainfo.com, 1
+polonialidzbark.tk, 1
+polorize.com, 1
+polourize.com, 1
+polski-dentysta-birmingham.uk, 1
+polskiadwokat.org, 1
+polskiemalzenstwo.org, 1
+polskienewsy.tk, 1
+polspam.pl, 1
+poltavawave.com.ua, 1
+poltax.com.pl, 1
+poltsamaa.edu.ee, 1
+poltsamaalasteaed.edu.ee, 1
+poly-fast.com, 0
+poly.se, 1
+polycoise.com, 1
+polycraftual.co.uk, 1
+polygamer.net, 0
+polyglot.com.gr, 1
+polygondemos.com, 1
+polygonthemes.com, 1
+polygraphi.ae, 1
+polymake.org, 1
+polymath.pm, 1
+polymathian.com, 1
+polymax.co.uk, 1
+polymics.com, 1
+polymtl.ca, 0
+polyna.eu, 1
+polynesia.tech, 1
+polynomapp.com, 1
+polypane.rocks, 1
+polyr.xyz, 1
+polyring.ch, 1
+polytarian.com, 1
+polytekniskforening.dk, 1
+polyvalents.fr, 1
+polzaune.de, 1
+pomadgw.xyz, 1
+pomba.pl, 1
+pombalhome.duckdns.org, 1
+pombas.net, 1
+pomdoc.com, 1
+pomelo-paradigm.com, 1
+pomerol-au-coeur.com, 1
+pomfeed.fr, 1
+pomilo.fr, 0
+pommetelecom.fr, 1
+pomockypredeti.sk, 1
+pomocniczy.eu.org, 1
+pomogi-mne.tk, 1
+pomogidrugu.tk, 1
+pomogite.ml, 1
+pomologie.fr, 1
+pomonaca.gov, 1
+pomorskibereg.ml, 1
+pomost.ga, 1
+pomozmruczkom.pl, 1
+pompefunebrilariviera.it, 0
+pompeii.tickets, 1
+pomsinoz.com, 1
+pomtom.co.nz, 1
+ponabana.com, 1
+ponca-nsn.gov, 1
+poncho-bedrucken.de, 0
+pondacademy.com, 1
+pondband.net, 1
+pondof.fish, 1
+pondsama.com, 1
+poneiras.com, 1
+ponga.se, 1
+pongplace.com, 1
+ponio.org, 1
+ponio.xyz, 1
+ponnau.com, 1
+ponpokorin.tk, 1
+ponpon.tk, 1
+ponselsoak.com, 1
+ponsoftware.net, 1
+ponte-camp.de, 1
+ponteggi.it, 1
+ponteggi.roma.it, 1
+pontificia.tk, 1
+pontiwerx.com.au, 1
+pontodogame.com.br, 1
+pontosdevista.pt, 1
+pontosnews.gr, 1
+pontotoccountyms.gov, 1
+pontupagina.com, 1
+ponxel.com, 1
+pony-cl.co.jp, 1
+pony.tf, 1
+ponyar.net, 1
+ponycyclepals.co.uk, 1
+ponydesignclub.nl, 1
+ponyfoo.com, 1
+ponyhof-muensterland.de, 1
+ponytail.fr, 1
+ponytailsdesigns.com, 1
+poobert.tk, 1
+poochpark.tk, 1
+poodleassassin.com, 1
+poodlefan.net, 1
+pooi.me, 1
+poojanews.com, 0
+pookhaarden.nl, 1
+pookl.com, 1
+pool-selber-bauen.de, 1
+pooletranslation.com.au, 1
+poolheatingsolutionswa.com.au, 1
+poolmans.se, 0
+pools.shop, 1
+poolsafely.gov, 1
+poolsafety.gov, 1
+poolsonline.tk, 1
+poolspa.es, 1
+pooltools.net, 1
+poolvilla-margarita.net, 1
+poon.io, 1
+poopa.loan, 1
+poopjournal.rocks, 1
+poopr.ru, 1
+poorclarepa.org, 1
+pooriaarab.com, 1
+poortenautomatiseren.be, 1
+pop-culture.tk, 1
+pop-myworld.com, 1
+pop.dk, 1
+pop.xxx, 1
+pop3.support, 1
+popadvertisementers.ga, 1
+popadvertisementest.ga, 1
+popcarte.com, 1
+popcat.ru, 1
+popcorncult.ru, 1
+popcowboyest.ga, 1
+popcultureshack.com, 1
+popdog.click, 1
+popecountyar.gov, 1
+popecountymn.gov, 1
+popeducation.ga, 1
+popeye.com, 1
+popfitclothing.com, 1
+popflow.cf, 1
+popflow.gq, 1
+popfunko.pt, 1
+popines.tk, 1
+popinga.es, 1
+popinga.it, 1
+popinga.net, 1
+popishop.tk, 1
+popitsnack.com, 1
+popjudge.cf, 1
+popjudge.ml, 1
+popka.sk, 1
+popki.tk, 1
+popkins.cf, 1
+popkins.ga, 1
+popkins.gq, 1
+popkins.ml, 1
+popkins.tk, 1
+poplargrove-il.gov, 1
+poplavok77.tk, 1
+poplite.xyz, 1
+popmagz.com, 1
+popmate.io, 1
+popmatters.com, 1
+popmenu.com, 1
+popmundoforum.tk, 1
+popokin.tk, 1
+popolini.ch, 1
+popolini.com, 1
+popotesetcocottes.fr, 1
+popova.tk, 1
+popoway.cloud, 1
+popoway.me, 1
+popoway9.ml, 1
+poppersareus.com, 1
+poppersy.ml, 1
+poppersy.tk, 1
+popphoto.nl, 1
+poppingdance.tk, 1
+poppinspayroll.com, 1
+poppleriverwi.gov, 1
+popporn.com, 1
+poppsylvie.com, 1
+poppylala.com, 1
+popravilam.by, 1
+popravilam.com, 1
+poprostuakwarystyka.pl, 1
+poptattoo.tk, 1
+poptavka.net, 1
+popular-male-kitten-names.tk, 1
+popularbusinessplatform.com, 1
+popularcar.com, 1
+popularculturegaming.tk, 1
+populardiets.tk, 1
+populardogs.ga, 1
+populardogs.gq, 1
+populardogs.ml, 1
+popularhairstyles.org, 1
+population-ethics.com, 1
+population.gov.au, 0
+popup-stores.online, 1
+popupbazaar.tk, 1
+popwaifu.click, 1
+popxclusive.com, 0
+poquiloco.com, 1
+poquvi.net, 0
+porady-wnetrzarskie.pl, 1
+porady.elblag.pl, 1
+porady.elk.pl, 1
+porady.kalisz.pl, 1
+porady.legnica.pl, 1
+porady.lubin.pl, 1
+porady.malopolska.pl, 1
+porady.mielno.pl, 1
+porady.opole.pl, 1
+porady.org, 1
+porady.pila.pl, 1
+porady.radom.pl, 1
+porady.rybnik.pl, 1
+porady.swinoujscie.pl, 1
+porady.walbrzych.pl, 1
+porady.zgora.pl, 1
+poradywnetrzarskie.pl, 1
+porazarul.by, 1
+porchdaydreamer.com, 1
+porcore.com, 1
+porelcorazon.com, 1
+porelsam.ml, 1
+porevo.tk, 1
+poriadok.eu, 1
+porinnuotiopojat.tk, 1
+pork.org.uk, 1
+porka.gq, 1
+porkbun.com, 1
+porkmart.ga, 1
+porknlaser.com, 1
+porkpiesonline.co.nz, 1
+porlote.com, 1
+porm.club, 1
+porn2019.tk, 1
+porn24-7.com, 1
+porn77.info, 1
+pornagent.de, 1
+pornbabetyra.net, 1
+pornbabetyra.org, 1
+pornbay.eu, 1
+pornbay.org, 1
+pornblog.org, 1
+porncomix69.com, 1
+porncomp.com, 1
+porncompanions.com, 1
+porndoe.com, 1
+porndoepedia.com, 1
+porndragon.net, 1
+pornfacefinder.com, 0
+pornflare.net, 1
+pornforwomentube.com, 1
+pornfreehub.com, 1
+pornfreesites.com, 1
+pornfriends.tk, 1
+porngals4.com, 1
+porngameshub.com, 1
+pornhib.xyz, 1
+pornhub.com, 1
+pornhubapparel.com, 1
+pornhubpremium.com, 1
+pornhun.xyz, 1
+pornimg.net, 1
+porniwi.com, 1
+pornless.biz, 1
+pornline.porn, 1
+pornline.sex, 1
+pornloupe.com, 1
+pornmax.net, 1
+pornmega.net, 1
+porno-chat.it, 1
+porno-geschichten.com, 1
+porno-stars-video.ru, 1
+pornobilder.pics, 1
+pornoclips.net, 1
+pornodvdkopen.nl, 1
+pornogo.sex, 0
+pornogo.tube, 1
+pornohypnosis.tk, 1
+pornokran.com, 1
+pornomens.be, 1
+pornomovies.mobi, 1
+pornomovieshd.com, 1
+pornopark.nl, 1
+pornopica.com, 1
+pornopica.com.br, 1
+pornoplus.fr, 1
+pornorapido.net, 1
+pornovk.xxx, 1
+pornpics.com, 1
+pornpics.de, 1
+pornport.org, 1
+pornrd.com, 1
+pornsticky.com, 1
+pornstop.net, 1
+pornsuper.net, 1
+pornteddy.com, 1
+porntop100.com, 1
+porntube-vidios.ml, 1
+porntvclip.com, 1
+pornultra.net, 1
+pornvideos-tour.com, 1
+pornvideos-tube.com, 1
+pornvideos.tv, 1
+pornvidsfree.com, 1
+pornxxnxx.com, 1
+pornxxxvideos.xyz, 1
+porny.xyz, 1
+porodin.ml, 1
+pororoca.xyz, 1
+porplemontage.com, 1
+porroserver.tk, 1
+pors-sw.cz, 1
+porsche356registry.org, 1
+porschen.fr, 1
+porsolt.com, 1
+port.gdynia.pl, 0
+port.social, 1
+port443.hamburg, 0
+port443.se, 1
+port5060.net, 1
+port67.org, 1
+port80.hamburg, 0
+portable-games.tk, 1
+portablespeakers.tk, 1
+portablespeakersfinder.com, 1
+portadam.com, 1
+portafoliodenegocios.com.mx, 1
+portagecounty-oh.gov, 1
+portagedessiouxmo.gov, 1
+portagein.gov, 1
+portail-familles.net, 1
+portail-partenariats.fr, 1
+portail-rh.fr, 1
+portail.does-it.net, 1
+portal-books.ga, 1
+portal-ekologia.pl, 1
+portal-news.tk, 1
+portal-ru.tk, 1
+portal-uang.com, 1
+portal.fo, 1
+portal.tirol.gv.at, 0
+portaladictos.tk, 1
+portalampgroep.nl, 1
+portalcarriers.com, 1
+portalchega.pt, 1
+portaldamizade.com, 1
+portaldatorcida.com.br, 1
+portaldocredito.pt, 1
+portaldogremista.com.br, 1
+portaleldense.tk, 1
+portalexpressservices.com, 1
+portalm.tk, 1
+portalmundo.xyz, 1
+portalpandalandia.tk, 1
+portalultautv.net, 1
+portalutil.com.br, 1
+portalz.xyz, 1
+portamiinpista.it, 0
+portanatura.it, 1
+portatilea.com, 1
+portativ-mobi.tk, 1
+portcanaveral.gov, 1
+portchesterny.gov, 1
+portcomputingsolutions.com.au, 1
+porte.roma.it, 1
+portedwardswi.gov, 1
+portent.com, 1
+porterbuddy.com, 1
+portercountyin.gov, 1
+porterpeds.com, 1
+portes-imaginaire.org, 1
+portesmagistral.com, 0
+portfolio-anish.tk, 1
+portfoliorlr.es, 1
+portfreezone.com, 1
+porthos.com.ar, 1
+porthueneme.gov, 1
+porthys.pt, 1
+portiapp.mx, 1
+portiaweb.org.uk, 1
+portierato.it, 1
+portingkit.com, 1
+portis.io, 1
+portiva.com, 1
+portmeirion.co.uk, 0
+portoccd.org, 0
+portofala.pt, 1
+portofedmonds.gov, 1
+portofephrata.gov, 1
+portofnenana.gov, 1
+portofsubs.com, 1
+portokalliali.tk, 1
+portonfus.com, 1
+portorchardwa.gov, 1
+portoseguro.med.br, 1
+portosonline.pl, 1
+portovelhoshopping.com.br, 1
+portraitcameos.com, 1
+portsaidyman.tk, 1
+portsdebalears.gob.es, 1
+portservice.se, 1
+portsmouthnhpd.gov, 1
+portsmouthohpd.gov, 1
+portsmouthri.gov, 1
+portsmouthsheriffsofficeva.gov, 1
+portsona.com, 1
+portugal-a-programar.org, 1
+portugal-a-programar.pt, 1
+portugal-car-hire.net, 1
+portugalbycar.com, 1
+portugalivre.tk, 1
+portugalsko.net, 1
+portugalsurflessons.com, 1
+portusidades.com.pt, 1
+portvaletickets.com, 1
+portwashingtonwi.gov, 1
+portwing.gov, 1
+porumaoutrareforma.org, 1
+porumbei.tk, 1
+porwal.pl, 1
+posa.moe, 1
+posaunenchor-senden.de, 1
+posbich.net, 1
+pose-faux-plafond.fr, 1
+poseidon-giesing.de, 1
+poseidonwaterproofing.info, 1
+poseidonwaterproofing.net, 1
+poseidonwaterproofing.org, 1
+poseidonworld.tk, 1
+posh.tech, 1
+poshcastles.co.uk, 1
+poshe.tk, 1
+poshlashes.se, 1
+poshmark.com, 1
+poshsecurity.com, 1
+poshvine.com, 1
+posicionament.tk, 1
+posied.ga, 1
+posijson.stream, 1
+positionus.io, 1
+positivastudios.tk, 1
+positive-thinking-for-you.com, 1
+positive.com.cy, 1
+positive.photography, 1
+positivecoach.org, 1
+positivenames.net, 1
+positiveone.tk, 1
+positiveoutlook.cn, 1
+positiverbeitrag.net, 1
+positiverbeitrag.org, 1
+positivetherapy.in, 1
+positivethinkingmind.com, 1
+positivityoflife.com, 1
+positivos.tk, 1
+positronicmoron.tk, 1
+poslednigenerace.cz, 1
+posoco.in, 1
+pospisilik.eu, 1
+pospisilikovi.cz, 1
+post-anon.tk, 1
+post-darwinian.com, 1
+post-darwinism.com, 1
+post-health.net, 1
+post-office.tk, 1
+post-victoria.com, 1
+post-x.org, 1
+post.com.ar, 1
+post.how, 1
+post.icu, 1
+post.io, 1
+post.kim, 1
+post.lol, 1
+post.tf, 1
+post4me.at, 1
+postacyprus.com, 1
+postal.dk, 1
+postaltreasures.com, 1
+postandfly.com, 1
+postat.com, 1
+postback.io, 0
+postbanken.no, 1
+postblue.info, 1
+postbox.life, 1
+postcardpayment.com, 1
+postcards.tk, 1
+postcodeswag.co.uk, 1
+postcodeswag.com, 1
+postcodeswag.uk, 1
+postdarwinian.com, 1
+postdarwinism.com, 1
+postdeck.de, 1
+postechbamboo.tk, 1
+posteo.de, 1
+posteo.net, 1
+posteo.pro, 1
+postermywall.com, 1
+postern.net, 1
+postern.nl, 1
+postern.org, 1
+postern.uk, 1
+posters.win, 1
+posterspy.com, 1
+postfactum.info, 1
+postfalls-naturopathic.com, 1
+postfalls.gov, 1
+postfallspolice.gov, 1
+postfinance.ch, 1
+postimages.org, 1
+postimg.cc, 1
+postlakeswi.gov, 1
+postlifepreps.com, 1
+postlogistic.tk, 1
+postman.co, 1
+postman.ga, 1
+postmaniac.com, 1
+postmarka.tk, 1
+postmaster.boats, 1
+postmatescode.com, 1
+postmelody.gr, 1
+postmerkezi.tk, 1
+postmistress.email, 1
+postmusicologia.tk, 1
+postn.eu, 1
+postnet.club, 1
+postnext.com, 1
+postolia.cf, 1
+postoyanstvo.cf, 1
+postpot.co.kr, 1
+postscnn.com, 1
+poststar.com, 1
+postsubmeta.net, 1
+posttigo.com, 1
+posturografia.info, 1
+posturographie.info, 1
+posturography.courses, 1
+posturography.education, 1
+posturography.equipment, 1
+posturography.info, 1
+posturography.science, 1
+posturography.software, 1
+posturography.solutions, 1
+posturography.systems, 1
+posturography.training, 1
+posturologie.info, 1
+posturologo.roma.it, 1
+posukovskaschola.cz, 1
+posutochno.ml, 1
+posutochno.tk, 1
+pot-au-feu.info, 1
+potadvisor.com, 1
+potatiz.com, 1
+potato.im, 1
+potatochip.tk, 1
+potatodiet.ca, 1
+potatolighting.com, 1
+potatopro.com, 1
+potatosoft.kr, 1
+potatosouprecipe.ml, 1
+potatotee.com, 1
+potature.it, 1
+potature.org, 1
+potature.rimini.it, 1
+potature.roma.it, 1
+potbelly.com, 1
+potemkin.tk, 1
+potencial-school.ru, 1
+potentialcalm.co.uk, 1
+poterepersonale.it, 1
+pothe.com, 1
+pothe.de, 1
+pothuarivu.tk, 1
+potion.ai, 0
+potionlabs.de, 1
+potlytics.com, 1
+potolok-brest.tk, 1
+potolok.am, 1
+potomac.cf, 1
+potomacanalysis.com, 1
+potomacurology.com, 1
+potomania.cz, 1
+potosi-bolivia.tk, 1
+potosivlgwi.gov, 1
+potosiwi.gov, 1
+potrahushki.tk, 1
+potreningu.pl, 1
+potrillionaires.com, 1
+potsandplanters.com.au, 1
+potsdam.directory, 1
+pottawatomiecountyok.gov, 1
+pottcountyks.gov, 1
+potteranderson.com, 1
+pottercountytexasvotes.gov, 1
+potterish.com, 1
+potterperfect.tk, 1
+pottershouse.tk, 1
+potterybroker.ga, 1
+pottkinder.de, 1
+pottshome.co.uk, 1
+pottsvillepa.gov, 1
+potvorka.tk, 1
+potwin.tk, 1
+potworowski.de, 1
+potz.tk, 1
+pouchulu.tk, 1
+poudlard.fr, 1
+pouets.ovh, 1
+poultryfeedformulation.com, 1
+poun.tk, 1
+poundgatepark.co.uk, 1
+poupaeganha.pt, 1
+poupardinheiro.com.br, 1
+poupee.me, 1
+pourali.com, 1
+poured-floors.tk, 1
+pourout.org, 0
+pousadamaremata.com.br, 1
+pouwels-oss.nl, 1
+povar.ru, 1
+povarenok.cf, 1
+povareshka.tk, 1
+povmacrostabiliteit.nl, 1
+povomo.online, 1
+povzetki-knjig.si, 1
+pow.jp, 1
+powch-dev.com, 1
+powch-dev2.com, 1
+powdercoatatl.com, 1
+powdercoatingatl.com, 1
+powderedcloud.cf, 1
+powderedcloud.ga, 1
+powderkeg.com, 1
+powderlife.com, 1
+powderspraymachine.com, 1
+powelljones.co.uk, 1
+power-bi-connector.be, 1
+power-bi-connector.eu, 1
+power-bi-connector.nl, 1
+power-coonies.de, 1
+power-flowengineer.com, 1
+power-magnetic.ml, 1
+power-of-interest.com, 1
+power-plugins.com, 1
+power-recovery.com, 1
+power-tools24.com, 1
+power100.co.uk, 1
+power2prevent.gov, 1
+poweranalitica.com, 1
+powerb.ch, 1
+powerbalance.tk, 1
+powerball.cf, 1
+powerball.club, 1
+powerbi.istanbul, 1
+powerbux.tk, 1
+powercloud.technology, 1
+powercod.tk, 1
+powercomputers.nl, 1
+powercounty.gov, 1
+powercv.ro, 1
+poweredbyiris.nl, 1
+powerenglish.cl, 1
+powerentertainment.tv, 1
+powerfifty.com, 1
+powerforpeople.tk, 1
+powerfortunes.com, 1
+powerfulcom.net, 1
+powergridess.com, 0
+powergroup.tk, 1
+powerhouse.pro, 1
+powerhousegym.co, 1
+powerinboxperformance.com, 1
+powerlifting.tk, 1
+powerling.com, 1
+powerlp.com, 1
+powermeter.at, 1
+powerpc.pt, 1
+powerpilot.co.za, 1
+powerplan.com, 1
+powerplantmall.com, 1
+powerplatform.istanbul, 1
+powerplay.com, 1
+powerplay.xyz, 1
+powerplayer.tk, 1
+powerroo.com.au, 1
+powersaleskc.com, 1
+powerscif.com, 1
+powerscourt.tk, 1
+powerserg.ca, 1
+powerserg.io, 1
+powerserg.net, 1
+powerserg.shop, 1
+powerserg.us, 1
+powersergcloud.com, 1
+powersergconnect.com, 1
+powersergconsulting.com, 1
+powersergdatasystems.com, 1
+powersergdatasystems.tk, 1
+powersergdynamic.com, 1
+powersergedatasystems.com, 1
+powersergfeds.com, 1
+powersergholdings.com, 1
+powersergisrc.com, 1
+powersergmysteryshopping.com, 1
+powersergopioidoverdoseinterventiontrust.com, 1
+powersergpiv.com, 1
+powersergsecure.com, 1
+powersergsis.com, 1
+powersergsystems.com, 1
+powersergsystems.net, 1
+powersergthisisthetunnelfuckyouscott.com, 1
+powersergthisisthewebsitefuckyouchris.com, 1
+powersergthisisthewebsitefuckyouscott.com, 1
+powersergunited.com, 1
+powersergunited.org, 1
+powersergusercontent.com, 1
+powersergwiring.com, 1
+powersergwiringconsultants.com, 1
+powershaper.io, 1
+powershellmagic.com, 1
+powersolusa.com, 1
+powersport.lt, 1
+powersubmitter.tk, 1
+powersurgedatasystems.com, 1
+powerswitch.org.nz, 1
+powertecno.ml, 1
+powertoolsrater.net, 1
+powertop.com, 1
+powertrike.tk, 1
+powertrunk.com, 1
+poweruser.su, 1
+powervolt.ru, 1
+powerwarranties.com, 1
+powerwellness-korecki.de, 1
+powerwheels.tk, 1
+powerwithpeople.com, 1
+powerzonewrestling.tk, 1
+powmobilegrooming.com, 1
+powwi.co, 1
+poylabo.com, 1
+poynter.net, 1
+pozarevac.tk, 1
+pozd.tk, 1
+pozdravlyalka.gq, 1
+pozemedicale.org, 1
+pozharnyi.tk, 1
+pozitiffchik.ga, 1
+pozitiffchik.ml, 1
+pozitiffchik.tk, 1
+pozitiv.gq, 1
+pozitone.com, 1
+poziworld.com, 1
+poznajrynek.pl, 1
+poznajteneryfe.pl, 1
+poznavatelno.ml, 1
+pozzitiv.ro, 1
+pp.es, 1
+pp3345.net, 1
+pp5197.co, 1
+pp6729.co, 1
+pp6729.com, 1
+pp6957.co, 1
+pp9297.co, 1
+pp9728.co, 1
+ppam.de, 1
+ppapogey.com, 1
+ppapogey.ru, 1
+ppaya.com, 1
+ppbi.com, 1
+ppcgeeks.com, 1
+ppcsesco.com, 1
+ppf.co.uk, 1
+ppg.report, 1
+ppgod.us, 1
+ppipe.net, 1
+ppirs.gov, 1
+ppissis.com.cy, 1
+ppktgti.top, 1
+ppld.org, 1
+pplog.info, 1
+pplsoft.nl, 1
+pplsvc.com, 1
+pplusp.dk, 1
+ppmlocal.com, 1
+ppmoon.com, 1
+ppms.gov, 1
+ppoou.co.uk, 1
+ppoozl.com, 1
+pppo.gov, 1
+ppppp.click, 1
+ppsltd.ca, 1
+ppssh.org, 1
+pptavmdata.org, 1
+ppter8.com, 1
+ppweb.pro, 1
+ppy.sh, 1
+pqd.ru, 1
+pqforce.com, 1
+pqgruber.com, 1
+pqscript.com, 1
+pr-news.spb.ru, 1
+pr-project.tk, 1
+pr.search.yahoo.com, 0
+pr.tn, 1
+pr100.gov, 1
+pr1sm.com, 1
+pr2studio.com, 1
+pr3-space-staging.ga, 1
+pr3.space, 1
+pr92.tk, 1
+pra.rip, 1
+prabhasakshi.com, 1
+prabirghosh.tk, 1
+prac.to, 1
+prachiiimohite.tk, 1
+pracovita.pl, 1
+pracownia-kasi.pl, 1
+pracowniamebli.mazury.pl, 1
+pracsuite.com, 1
+practical-lean.com, 1
+practicalhomes.com.au, 1
+practicallabs.com, 1
+practicepanther.com, 1
+practisforms.com, 1
+practitest.com, 1
+practixdevelopment.com, 1
+practo.com, 1
+practodev.com, 1
+pracusalev.tk, 1
+pradeek.tk, 1
+pradeepagrawal.com, 1
+pradersystems.ch, 1
+pradmin.ru, 1
+prado.it, 1
+pradohalcones.com, 1
+pradyumnashome.com, 1
+praemoveo.net, 1
+praeparation-keppner.de, 1
+praerien-racing.com, 1
+praetzlich-hamburg.de, 1
+praew.com, 1
+pragata.id, 1
+pragatiparasguesthouse.co.in, 1
+prageeth-niranjan.tk, 1
+pragma-messenger.ch, 1
+pragma-solution.com, 1
+pragmatist.nl, 1
+pragrimsby.co.uk, 1
+pragser-tal.net, 1
+pragtravel.cf, 1
+prague-swim.cz, 1
+praguepsychology.com, 1
+praguepsychology.cz, 1
+praha-9.eu, 1
+praha-kominictvi.cz, 1
+praha.tk, 1
+praia.studio, 1
+praiagrande.tk, 1
+prairienursery.com, 1
+prairievilletwp-mi.gov, 1
+praisehim.club, 1
+praiss.net, 1
+prajwal-koirala.com, 1
+prakhar.uk, 1
+prakharprasad.com, 1
+prakharvarta.com, 1
+praksite.fr, 1
+praktijkbeoordelen.nl, 1
+praktijkdevecht.nl, 1
+praktijkmarula.nl, 1
+praktijkpassepartout.nl, 1
+praktijktamaravanoers.nl, 1
+praktijktian.be, 1
+praktijktoetsen.nl, 1
+praktiker.hu, 1
+praktikum.tk, 1
+praladofuturo.blog, 1
+pralaw.com, 1
+praleria.com, 1
+pramuwaskito.org, 1
+prana-coachings.ch, 1
+prana-me.com, 1
+pranabesh.com, 1
+pranafilms.tk, 1
+pranavida.cl, 0
+prancor.ru, 1
+pranita-schals.de, 1
+pranita.cz, 1
+pranita.sk, 1
+prankawards.ga, 1
+pranksearch.ml, 1
+prankstercompany.com, 1
+prashantcafe.tk, 1
+prasinoscomputers.ml, 1
+prasos.fi, 1
+prasso.se, 0
+prateep.io, 1
+pratelloshop.tk, 1
+pratemarkets.com, 1
+praterraines.co.uk, 1
+prathambooks.org, 1
+praticienmedecinechinoise.be, 1
+prato-allo-stelvio.org, 1
+pratopronto.org, 1
+pratorotoli.it, 1
+pratosirunin.ga, 1
+pratyu.sh, 1
+prauxilium.com, 1
+pravac.de, 1
+pravagolosa.cf, 1
+pravagolosa.ga, 1
+pravagolosa.gq, 1
+pravda-tv.com, 1
+praveenawstest1.tk, 1
+praveenjuge.com, 1
+praveenravichandran.xyz, 1
+pravex.com.ua, 1
+pravlife.ru, 1
+pravnisistem.rs, 1
+pravo-brest-belarus.tk, 1
+pravo911.tk, 1
+pravoslavie.tk, 1
+pravoslavnayarus.tk, 1
+pravosudie.tk, 1
+prawer.com, 1
+prawnikdlaanglii.co.uk, 1
+praxino.de, 0
+praxis-dingeldey.de, 1
+praxis-dr-bandulik.de, 1
+praxis-familienglueck.de, 1
+praxis-fickenscher.de, 1
+praxis-kjpt.de, 1
+praxis-liebner.de, 1
+praxis-oranienburg.de, 1
+praxis-rufer.ch, 1
+praxis-sorg-sam.ch, 0
+praxis-waedicity.ch, 1
+praxisamziegetsberg.de, 1
+praxisbiel.de, 1
+praxisfilms.org, 1
+praxisgroup.services, 1
+praxistipp24.com, 1
+prayag.tk, 1
+prazdnik-volgodonsk.tk, 1
+prazdniki-sait.tk, 1
+prazdniktost.tk, 1
+prazeremamamentar.com.br, 1
+prc.gov, 1
+prcarrier.tk, 1
+prcsurvey.com, 1
+prd-use-device-api.azurewebsites.net, 1
+prdashboard.tk, 1
+prdctz.tips, 1
+pre-commit.ci, 1
+pre-commit.com, 1
+pre-renewal.com, 1
+preapps.com, 1
+precambridge.tk, 1
+precedecaritas.com.br, 1
+precedencemedia.com, 1
+precedenceum.com, 1
+precept.uk.com, 1
+preci0.com, 1
+preciadictos.tk, 1
+preciofishbone.com, 1
+preciofishbone.de, 1
+preciofishbone.dk, 1
+preciofishbone.se, 1
+preciofishbone.vn, 1
+preciosmejores.com, 1
+preciousdad.com, 1
+preciouspebble.co.uk, 1
+preciscx.com, 1
+precisebusiness.com, 1
+precisefuture.com, 1
+precisionchiroct.com, 1
+precisionclan.com, 1
+precisioncoolingco.com, 1
+precisioncourt.com, 1
+precisiondentalnyc.com, 1
+precisiondentistrynj.com, 1
+precisiondigital-llc.com, 1
+precisionicerinks.com, 1
+precisionlender.com, 1
+precisionmachineservice.com, 1
+precisionpdr.tech, 1
+precisionsportsonline.com, 1
+precisionstocks.com, 0
+precisiontechcorp.com, 1
+precisionvaccinations.com, 1
+precoro.us, 1
+precutppf.store, 1
+predator-league.com, 1
+predatoria.tk, 1
+predatorworld.tk, 1
+predckazanie.ru, 1
+predication.ch, 1
+predictz.com, 1
+predilife.com, 1
+predkosci.pl, 1
+predmetnyj-fotograf.by, 1
+prednisolone1.gq, 1
+predoiu.ro, 1
+predskazanie.cf, 1
+predskazanie.ml, 1
+predskazanie.tk, 1
+predstavitelstvo-v-sude.tk, 1
+preejaculation.ga, 1
+preescolarsteps.com, 1
+prefabricadosdelcaribe.com, 1
+prefabrik-ev.com, 1
+prefect.cloud, 1
+prefect.io, 0
+prefereal.com, 1
+prefereal.net, 1
+prefereal.org, 1
+preference.ga, 1
+preferredathlete.com, 1
+preferredreverse.com, 1
+preferredservice.ca, 1
+prefix.eu, 1
+preflighthomeinspections.com, 1
+prefontaine.name, 1
+pregen.tk, 1
+pregnancytips.tk, 1
+pregnantorcrazy.com, 1
+preguntasdeciudadania.com, 1
+pregunteleakaren.gov, 1
+preis-alarm.info, 1
+preis-alarm.org, 1
+preisser-it.de, 1
+preisser.it, 1
+prek.se, 1
+prekladysanca.cz, 1
+prelesti.tk, 1
+preloaded-hsts.badssl.com, 1
+preludes.org, 1
+prelved.com, 1
+prelved.es, 1
+prelved.fi, 1
+prelved.fr, 1
+prelved.it, 1
+prelved.nl, 1
+prelved.pl, 1
+prelved.se, 1
+prematureacceleration.club, 1
+premazon.com, 1
+preme.name, 1
+premiachef.com, 1
+premier-dream.co, 1
+premier-hub.com, 1
+premier-pallets.com, 1
+premier-podiatry.com, 1
+premieraviation.com, 1
+premierbouncycastles.co.uk, 1
+premierconveyors.com, 1
+premierdesigns.org, 1
+premierdisco.co.uk, 1
+premiereco.com.sg, 1
+premieresloges.ca, 1
+premierevents.ie, 1
+premierfinance.ae, 1
+premierflmagazine.com, 1
+premierheart.com, 1
+premierleague.gq, 1
+premierloto.cg, 1
+premierloto.cm, 1
+premierloto.co.ke, 1
+premierloto.co.mz, 1
+premierloto.ml, 1
+premierloto.mw, 1
+premierloto.td, 1
+premiermaldives.com, 1
+premiermarketing.co.nz, 1
+premierokchomebuyers.com, 1
+premierpedsny.com, 1
+premierpoolsandspas.com, 1
+premierpups.com, 1
+premierseeds.co.nz, 0
+premiership-predictors.co.uk, 1
+premiersimgl.com, 1
+premioambiente.it, 1
+premiovapozicovna.sk, 1
+premiovicentejorgesilva.pt, 0
+premised.land, 1
+premium-computer.fr, 1
+premium-job.ru, 1
+premiumcredit.am, 1
+premiumcs.ru, 1
+premiumdesign.hr, 1
+premiumkeystore.com, 1
+premiumlegalsupport.ga, 1
+premiumpeaches.com, 1
+premiumpictureframing.com, 1
+premiumshop24.de, 1
+premiumsmile.ru, 1
+premiumturkey.ml, 1
+premiumusedautoparts.com, 1
+premiumwebdesign.it, 1
+premkumar.net, 1
+premlall.com, 1
+premsarswat.me, 1
+premstarinc.com, 1
+prenatal.com, 1
+prenatal.es, 1
+prendashop.es, 1
+prensaalterna.com, 1
+prensahispana.ga, 1
+prensarural.org, 1
+prepa-benjam.fr, 1
+prepa-code.com, 1
+prepagosyescortforyou.com, 1
+prepaid-cards.xyz, 1
+prepaidgirl.com, 1
+prepaidify.com, 1
+prepaidkredietkaart.be, 1
+prepare-job-hunting.com, 0
+prepareforthesat.com, 1
+preparetheword.com, 1
+prepedia.org, 1
+prepfba.com, 1
+prepr.io, 1
+prepress.ru, 1
+preprodfan.gov, 1
+prepscouts.tk, 1
+prepsiedy.cf, 1
+prepz.es, 0
+prequence.com, 1
+preregpharmacy.org, 1
+presbee.com, 1
+presbyterian-colleges.com, 1
+preschoole.gq, 1
+preschoolteacher.org, 1
+presdesdunes.com, 1
+presence-group.com, 1
+presence-relation.fr, 0
+presenciainternet.com, 1
+present-m.com, 1
+presentaline.ch, 1
+presentationmedia.com, 1
+presentationsteknik.org, 1
+presentsofmind.com.au, 1
+preserveart.org, 1
+preservecrownhill.cf, 1
+preservecrownhill.ga, 1
+preservegrandcountyhistory.org, 1
+preserveourhillcountry.org, 1
+preserverollinspass.org, 1
+preserving.tk, 1
+presgrp.com, 1
+presgrp.net, 1
+president.bg, 1
+president.ee, 0
+presidentdirectory.ga, 1
+presidentialinnovationfellows.gov, 1
+presidentialserviceawards.gov, 1
+presidio.gov, 1
+presidiocommercial.gov, 1
+presidiotunneltops.gov, 1
+presly.org, 1
+presnetter.de, 1
+presnya.tk, 1
+presov.ml, 1
+press-edge.tk, 1
+press-lent.com, 1
+press-presse.ca, 1
+press-wall24.ru, 1
+press.lv, 1
+pressakey.com, 1
+pressakey.de, 1
+presscenter.jp, 1
+presscommunity.tk, 1
+presscuozzo.com, 1
+presseagrume.net, 1
+pressed.com, 1
+pressemeddelelse.dk, 1
+pressento.com, 1
+pressfreedomtracker.us, 1
+pressidium.com, 1
+pressimize.com, 1
+presslabs.com, 1
+pressnet.tk, 1
+pressnetwork.tk, 1
+pressnewscafe.gq, 1
+pressofatlanticcity.com, 1
+pressography.org, 1
+pressreleasecentral.tk, 1
+pressreleasepedia.tk, 1
+pressrush.com, 1
+pressspace2hack.com, 1
+pressspacetohack.com, 1
+pressup.it, 1
+pressureradio.com, 1
+pressurewashers.ml, 1
+pressurewashersandiego.com, 1
+pressurewashingchicago.com, 1
+presta-div-airs.fr, 1
+prestaandsons.com.au, 1
+prestaclip.com, 1
+prestar.com.my, 1
+prestaservicesgroup.com, 1
+prestashopmanager.com, 1
+prestatest.tk, 1
+prestatyn-scala.info, 1
+prestatynflowershow.co.uk, 1
+prestec.com, 1
+prestige-car-location.ch, 0
+prestigebouncycastles.co.uk, 1
+prestigecarkeys.com, 1
+prestigeeventshire.co.uk, 1
+prestigehealth.services, 1
+prestigehealthservices.au, 1
+prestigehealthservices.com.au, 1
+prestigelegalgroup.com.au, 1
+prestigerepairs.com.au, 1
+prestigesigns.net, 1
+prestigesoundandlight.co.uk, 1
+prestigestaffingsolutions.org.au, 1
+prestigeworldwidepr.com, 1
+prestigia.com, 1
+prestonadamscountywi.gov, 1
+prestonapp.com, 1
+prestonbrant.com, 1
+prestopermits.com, 1
+prestopizzas63.fr, 1
+prestudenta.sk, 1
+prestupniki.tk, 1
+pretabelamodas.com.br, 1
+pretalx.com, 1
+pretix.eu, 1
+pretome.info, 1
+pretor-sa.com, 1
+pretrialservices.gov, 1
+prettier.fun, 1
+pretty-liars.tk, 1
+pretty-smile.com.tw, 1
+prettybed.com, 1
+prettycities.ga, 1
+prettycloud.net, 1
+prettycloud.org, 1
+prettycobs.com, 1
+prettydirtyteens.com, 1
+prettygirlcheats.com, 1
+prettykeira.tk, 1
+prettynode.com, 0
+prettyporn.com, 1
+prettysimplemom.com, 1
+prettyskin.com.tw, 1
+prettytunesapp.com, 1
+pretzelhands.com, 0
+pretzelx.com, 1
+preums.co, 1
+preussner-grafik-design.de, 1
+prevalent.net, 1
+preventshare.com, 1
+preview-it-now.com, 1
+preview.ninja, 1
+previewfreemovies.com, 1
+previewninja.com, 1
+previewtoday.it, 1
+previh.eu, 1
+previous.one, 1
+previousmagazine.com, 1
+previsiemens.com.br, 0
+previstart.com, 1
+previstart.fr, 1
+prevodkazet.cz, 1
+prevu3d.com, 1
+prexxorvita.com, 1
+prezentmarzen.com, 1
+preziti.eu, 1
+prfanfiction.tk, 1
+prg.rs, 1
+prgrmmr.nl, 1
+pri.email, 1
+priano.com, 0
+price-spider.com, 1
+price-tracker.duckdns.org, 1
+price.com.hk, 1
+priceactionhelp.com, 1
+priceblink.com, 1
+pricefx.com, 1
+pricefx.eu, 1
+pricegg.com, 1
+pricegg.com.ua, 1
+pricegg.ru, 1
+priceless-jewelry.com, 1
+pricelesspics.tk, 1
+pricelistforbxmodules.ga, 1
+pricelooper.com, 0
+priceofbusiness.com, 1
+pricepropharmacy.com, 1
+pricesdoors.com, 1
+priceshop.com, 1
+pricesmax.com.mx, 0
+pricesniffer.co, 1
+pricevillepdal.gov, 1
+pricevortex.com, 1
+pricing-fox.cz, 1
+pricing-fox.sk, 1
+priczone.com, 1
+pride-enterprises.org, 1
+pridecounseling.com, 1
+pridecraft.gay, 1
+prideindomination.com, 1
+pridnestrovye.gq, 1
+pridurok.tk, 1
+prielwurmjaeger.de, 1
+priestess.tk, 1
+prifo.se, 1
+prij.fr, 1
+prijsvergelijken.ml, 1
+prikaznoparty.com, 1
+prikeshsavla.com, 1
+prikolkz.tk, 1
+prikpot.com, 1
+prima-backoefen.de, 1
+prima-badezimmermoebel.de, 1
+prima-digitalkameras.de, 1
+prima-fernseher.de, 1
+prima-gefrierschraenke.de, 1
+prima-herde.de, 1
+prima-informatique.com, 1
+prima-kuehlschraenke.de, 1
+prima-mikrofone.de, 1
+prima-mikrowellen.de, 1
+prima-monitore.de, 1
+prima-pcs.de, 1
+prima-smartphones.de, 1
+prima-tablets.de, 1
+prima-trockner.de, 1
+prima-waschmaschinen.de, 1
+prima-webcams.de, 1
+primadirectory.tk, 1
+primaflorafloristaccrington.co.uk, 1
+primalinea.pro, 1
+primalracing.com, 1
+primalshop.dk, 1
+primalsurvivor.net, 1
+primananda.com, 1
+primanota.ch, 0
+primapak.bg, 1
+primary.health, 1
+primarycareconnect.com.au, 1
+primarydomain.us, 1
+primarysector.space, 1
+primasmartwatches.de, 1
+primates.com, 1
+primaudialrecords.com, 1
+primaveradesign.com.br, 1
+primbit.ru, 1
+prime, 1
+prime-host.ml, 1
+prime-med.com.tw, 1
+primecapsslim.com.br, 1
+primecreative.com.br, 1
+primecursos.com.br, 1
+primed.io, 1
+primedesigns.com.au, 1
+primeequityproperties.com, 1
+primeestates.co, 1
+primeexecutiveoffices.com, 1
+primefinance.co.nz, 1
+primegeradores.com.br, 1
+primegiftindia.com, 1
+primekinoshita.com, 1
+primelogistics.cf, 0
+primemotive.com, 0
+primemotive.com.au, 1
+primeops.co, 1
+primepest.net, 1
+primeprime.cf, 1
+primeratx.gov, 1
+primerdeal.com, 1
+primersbc.com.br, 1
+primesense.com.br, 1
+primesensecosmeticos.com.br, 1
+primetechpa.com, 1
+primetics.co.uk, 0
+primeview.com, 1
+primglaz.ru, 1
+primisbank.com, 1
+primit.com, 1
+primitiv.tk, 1
+primitivesbykathy.com, 1
+primo.be, 1
+primordialsnooze.com, 1
+primorsk.com, 1
+primorski.com, 1
+primorus.lt, 1
+primos-tech.com, 1
+primowatercorp.com, 1
+primrose-2.com, 1
+primrosehillvets.ie, 1
+primrosenyagwaya.online, 1
+primsports.ru, 1
+primyris.fr, 1
+princearmoryacademy.com, 1
+princebazawule.com, 1
+princedavidlodge.org.uk, 1
+princelishan.com, 1
+princelishan.com.tw, 1
+princemathew.tk, 1
+princemolak.ga, 1
+princes-st.org.nz, 1
+princess.software, 1
+princessbackpack.de, 1
+princessefoulard.com, 1
+princesspawg.tk, 1
+princessyachts.com, 1
+princetonmn.gov, 1
+princetonnassaupediatrics.com, 1
+princetonradiationoncology.com, 1
+princetontxcdc.gov, 1
+princevikal.cf, 1
+princez.uk, 1
+princezna.club, 1
+princh.com, 1
+principal.com.my, 1
+principalam.com, 1
+principalcomputers.com.au, 1
+principalhotelcolumbia.com, 1
+principalsexam.com, 1
+principalship.net, 1
+principaltoolbox.com, 1
+principia-journal.de, 1
+principia-magazin.de, 1
+principia-online.de, 1
+princovi.cz, 1
+prinesec.com, 1
+prineville.gov, 1
+prinice.org, 1
+print-street.tk, 1
+printable-map-az.com, 1
+printablemapaz.com, 1
+printablemapforyou.com, 1
+printablerebateform.net, 1
+printableschedule.net, 1
+printandgo.fr, 1
+printbase.cz, 1
+printbigjournal.tk, 1
+printdrivers.org, 1
+printeknologies.com, 1
+printerdrivers.com, 1
+printerem.hu, 1
+printerinks.com, 1
+printerinks.ie, 1
+printerinktoutlet.nl, 1
+printersdrivers.net, 1
+printersupportfaq.com, 1
+printertonerkopen.nl, 1
+printexpress.cloud, 1
+printfn.com, 0
+printful.com, 1
+printkinng.com.tw, 1
+printler.com, 1
+printme.com, 1
+printmet.com, 1
+printmet.ru, 1
+printmijn3dmodel.be, 1
+printmydesigns.ml, 1
+printperfect.ro, 1
+printpoint.tk, 1
+printrr.ca, 1
+printscan.com, 1
+printtara.me, 1
+printtolife.com.au, 1
+printus.pro, 1
+printwasteminimizer.com, 1
+printyour.com.ua, 1
+prinz.gg, 1
+prinzoka.com.br, 1
+prio.pt, 1
+prior-it.be, 0
+prior.cloud, 1
+priorite-education.com, 1
+priorityeducation4u.tk, 1
+priorityelectric-agourahills.com, 1
+priorityelectric-camarillo.com, 1
+priorityelectric-dosvientos.com, 1
+priorityelectric-hiddenhills.com, 1
+priorityelectric-lakesherwood.com, 1
+priorityelectric-moorpark.com, 1
+priorityelectric-newburypark.com, 1
+priorityelectric-simivalley.com, 1
+priorityelectric.biz, 1
+priorityelectric.net, 1
+priorityessays.com, 1
+priorityfakes.com, 1
+prioritynissannewportnewsparts.com, 1
+priorlakemn.gov, 1
+priorshalldental.com, 1
+priscillacouto.com.br, 1
+prisma.io, 0
+prisma.tk, 1
+prismacloud.com, 1
+prismacloud.xyz, 1
+prismaot.tk, 1
+prismapixel.studio, 1
+prismatic.ro, 1
+prismomarketing.com, 1
+prismosystems.com, 1
+prisonerresource.com, 1
+pristinegrace.org, 1
+pristinepotty.com, 1
+prisync.com, 1
+pritchi.tk, 1
+pritti-wummen.de, 1
+priv.au, 1
+priv.gc.ca, 1
+priv.im, 1
+privace.ch, 1
+privaci.ai, 1
+privacy-web.tk, 1
+privacy-week-vienna.at, 1
+privacy-week.at, 1
+privacy-works.tk, 1
+privacy.ac.cn, 1
+privacy.ax, 1
+privacy.com.de, 1
+privacy.repair, 1
+privacybydesign.foundation, 1
+privacycentermqt.com, 1
+privacychick.com, 1
+privacychick.io, 1
+privacycloud.nl, 1
+privacydesign.ch, 1
+privacydev.net, 1
+privacyend.com, 1
+privacyfenceanddeckllc.com, 1
+privacyforpatriots.com, 1
+privacyget.tk, 1
+privacyguides.net, 1
+privacyinternational.org, 1
+privacymanatee.com, 1
+privacynow.eu, 1
+privacypro.io, 1
+privacypros.io, 1
+privacyredirect.com, 1
+privacyscore.org, 1
+privacysecuritybrainiacs.com, 1
+privacystatement.tk, 1
+privacysvcs.net, 1
+privacywe.com, 0
+privacyweek.at, 0
+privacyweek.de, 1
+privacyweek.eu, 1
+privacyweek.wien, 1
+privacyweekvienna.at, 1
+privaday.de, 1
+privalgo.co.uk, 1
+privasphere.com, 1
+privatamateure.com, 1
+private-diary-taka.com, 1
+private-krankenversicherung.tk, 1
+private-relay.email, 1
+private.coffee, 1
+privateadvisorgroup.com, 1
+privateamateure.com, 1
+privatebanks.uk, 1
+privatebin.info, 1
+privateboat.amsterdam, 1
+privatecapsecurity.org, 1
+privatecolor.com, 1
+privatecredit.pro, 1
+privatedata.tk, 1
+privatedomaincontrol.com, 1
+privateger.me, 1
+privategiant.com, 1
+privatehd.to, 1
+privateideas.de, 1
+privateinvestigatoredu.org, 1
+privatejetschina.com, 1
+privatejetsdallas.com, 1
+privatejetsteterboro.com, 1
+privatejosh.cf, 1
+privatemillionaire.com, 1
+privatenebula.eu, 1
+privatepilot.lu, 0
+privaterelay.com, 0
+privatesangels.com, 1
+privateschoolreview.com, 1
+privateservice.cz, 1
+privatetrainingonline.se, 1
+privateuploader.com, 1
+privatevpn.com, 1
+privatfrei.de, 1
+privatmeet.com, 1
+privatstunden.express, 1
+privc.io, 1
+privcloud.cc, 1
+privcloud.org, 1
+privcom.net, 1
+privea.fr, 1
+priveadressen.tk, 1
+privelust.nl, 1
+priverify.com, 1
+privilegevisa.fr, 1
+privo.com, 1
+privorot.cf, 1
+privu.me, 1
+privw.com, 1
+privy-staging.com, 1
+privy.com, 1
+privylabs.com, 1
+prix-carburants-info.fr, 1
+prix-carburants.gouv.fr, 1
+prixlitteraire-cevennes.fr, 1
+prixmetaux.fr, 1
+prixpictet.com, 1
+priyan.nl, 1
+priyan.tk, 1
+priz-kod.ru, 1
+prizcode.ru, 1
+prizecode.ru, 1
+prizehometickets.com.au, 1
+prizelink.com.au, 1
+prizkod.ru, 1
+prizrak-v-dospehah.ga, 1
+prizwiz.com, 1
+prizzlys.com, 1
+prjktruby.com, 0
+prkn.je, 1
+prlved.co.uk, 1
+prmihoc.com, 1
+prnav.com, 1
+pro-alter.ch, 1
+pro-babochek.ru, 1
+pro-ben.sk, 1
+pro-bike.ro, 1
+pro-c.me, 1
+pro-esb.net, 1
+pro-furgoleros.tk, 1
+pro-ing.com, 0
+pro-israel.tk, 1
+pro-kemerovo.ml, 1
+pro-kolhoz.tk, 1
+pro-laser.com, 1
+pro-lq.at, 1
+pro-lq.ch, 1
+pro-lq.com, 1
+pro-lq.de, 1
+pro-lq.hu, 1
+pro-lq.it, 1
+pro-lq.net, 1
+pro-lq.ro, 1
+pro-marienburg.de, 1
+pro-mile.pl, 1
+pro-moed.nl, 1
+pro-ogorod.info, 1
+pro-server.tk, 1
+pro-taucher.com, 1
+pro-taucher.de, 1
+pro-web-design.tk, 1
+pro-wiert.pl, 1
+pro.co.id, 1
+pro.co.il, 1
+pro100systems.com.ua, 1
+pro4x4.com.ua, 0
+proacksecurity.com, 1
+proacousticsusa.com, 1
+proact-it.co.uk, 1
+proactive.run, 1
+proactivenews.ml, 1
+proadvanced.com, 1
+proalist.com, 1
+proalter.ch, 1
+proambt.nl, 1
+proamis-moodle.fi, 1
+proantab.ru, 1
+proarbor.com, 0
+proastec.com.br, 1
+proaudiogc.com, 1
+probably.group, 1
+probablyrational.com, 1
+probase.ph, 1
+probateandplanning.com, 1
+probationforms.com, 1
+probationnotes.com, 1
+probationofficeredu.org, 1
+probely.com, 1
+probiancanarias.com, 1
+probiller.com, 1
+probinarin.ga, 1
+problem-solver.ml, 1
+problemstate.com, 1
+problemstate.de, 1
+problemstate.net, 1
+problemstate.org, 1
+probleu.com, 1
+probonus.tk, 1
+probooks.gq, 1
+probrewer.com, 1
+procalc.be, 1
+procarmanuals.com, 1
+procarmotors.cl, 1
+procarservices.com, 1
+procarswoking.com, 1
+procave.de, 1
+proceed.tk, 1
+procens.us, 0
+procert.ch, 0
+procesadorafenix.com.mx, 1
+processesinmotion.com, 1
+processout.com, 1
+processtec.com.br, 1
+prochainephase.com, 1
+prochaj.ru, 1
+procharter.com, 1
+procinorte.net, 1
+procitec.cz, 1
+proclaiminteractive.com, 1
+proclock.com, 1
+procode.ch, 1
+procode.gq, 1
+procomservices.com, 1
+procor.com, 1
+procore.com, 0
+procore.space, 1
+procostamar.com, 1
+procountor.fi, 1
+procountor.se, 1
+procountorsolo.com, 1
+procrackbox.com, 1
+procrastinatingengineer.uk, 1
+procrastinationland.com, 1
+procreditbank.com.al, 1
+procsec.top, 1
+proctoloji.com, 1
+proctor.ml, 1
+proctorauth.com, 1
+proctorial.cf, 1
+proctorio.com, 1
+proctorio.net, 1
+proculair.com, 1
+proculair.nl, 1
+procurant.com, 1
+procurement.moscow, 0
+procurs.us, 1
+procursus.social, 1
+procurx.pt, 1
+prod-bp-geotab-api.azurewebsites.net, 1
+prod-simplesend-api.azurewebsites.net, 1
+prod-vigl-www-master.azurewebsites.net, 1
+prodampro.ru, 1
+prodatalabs.com, 1
+prodentalsantacruz.es, 1
+prodesigntools.com, 1
+prodesk.bg, 1
+prodhealthcare.org, 1
+prodigibook.com, 1
+prodigyhacking.com, 1
+prodigyhq.io, 1
+prodinger.com, 0
+prodottitipicidellatoscana.it, 1
+prodottogiusto.com, 1
+producemybook.com, 1
+producentbalustrad.pl, 1
+producepromotions.com, 1
+producertools.io, 1
+producerwereld.nl, 1
+productbarcodes.com, 1
+productboard.com, 1
+productdesignsoftware.com.au, 0
+productfurniture.ga, 1
+production.vn, 1
+productionscime.com, 1
+productiv.com, 1
+productive.io, 1
+productivemachine.net, 1
+productiveplastics.com, 1
+productkeyslist.com, 1
+productosdeteruel.es, 0
+productosquimicosrd.com, 1
+productpeo.pl, 1
+products-for-health.tk, 1
+products4more.at, 1
+productsafety.gov.au, 1
+productscastle.com, 1
+productupdates.org, 1
+produform.it, 1
+produits-dantan.com, 1
+produkt.cf, 1
+produra.nl, 1
+produtosdeacademia.com, 1
+prodwa.re, 1
+prodware.fr, 1
+proecommerce.com, 1
+proeflokaalbakker.nl, 1
+proefteksten.nl, 0
+proekt.tk, 1
+proelectro.pro, 1
+proemployeeprotection.com, 1
+proemployeeprotection.net, 1
+proesb.net, 1
+proeski.com, 0
+prof, 1
+prof-toplivo.ru, 1
+prof-waldowski.de, 1
+prof.lv, 1
+profarea.ru, 1
+profbigbang.ru, 1
+profbioresearch.ga, 1
+profboecker.eu, 1
+profchristophergoh.com.sg, 1
+profection.biz, 1
+profession.email, 1
+professionalbeautyshop.it, 1
+professionalblog.tk, 1
+professionalbussines.tk, 1
+professionaleducation.tk, 1
+professionalfinance.uk, 1
+professionallawyer.tk, 1
+professionalportfolio.ga, 1
+professionalrakeback.com, 1
+professionalstandards.org.uk, 1
+professions.org.ru, 1
+professor-d.ga, 1
+professorart.ru, 1
+professorwidget.tk, 1
+proffbar.ru, 1
+profi.de, 1
+profian.com, 1
+proficio.at, 1
+proficio.cz, 1
+proficio.de, 1
+proficio.io, 1
+proficiodigital.pl, 1
+proficiodigital.sk, 1
+profidea.cz, 1
+profielektrik.tk, 1
+profigen.com.br, 1
+profil-doors.spb.ru, 1
+profile.ooo, 1
+profile.tf, 1
+profilepk.com, 1
+profiles.google.com, 1
+profilesw.com, 1
+profiletree.com, 0
+profilewatcher.ga, 1
+profilib.com, 1
+profilib.net, 1
+profilib.top, 1
+profilmedecin.fr, 1
+profilmonline.cn, 1
+profilmonline.com, 1
+profilmonline.jp, 1
+profilwerkstatt.de, 1
+profinetz.de, 1
+profinvestment.com, 1
+profisee.com, 0
+profiservis.info, 1
+profissionalstool.ga, 1
+profit24.ml, 1
+profitable-textilien.ch, 1
+profitableventure.com, 1
+profitablewebprojects.com, 1
+profitdouble.tk, 1
+profitero.com, 1
+profitimages.com, 1
+profitmiracle.tk, 1
+profitsunraveled.com, 1
+profixcap.com, 1
+profloorstl.com, 1
+profmatheus.com, 1
+profmetod.com, 1
+profondeville-sharks.be, 1
+profor.cz, 1
+proformer.io, 1
+proformi.com, 1
+profound-world.com, 1
+profritual.ru, 1
+profsaranya.com, 1
+profservice.it, 1
+proft.eu, 0
+profumeria.roma.it, 1
+profuntime.tk, 1
+profusion.io, 0
+profvideo.kharkov.ua, 1
+profwald.4lima.de, 1
+prog-d.tk, 1
+prog-mailolder.tk, 1
+prog.olsztyn.pl, 1
+prog24.net, 1
+progamehackers.tk, 1
+progaudio.be, 1
+progea.com, 1
+progenda.be, 1
+proger.ga, 1
+proger.ml, 1
+progeste.pt, 1
+progettodighe.it, 1
+progettograjau.com, 1
+progettonazionale.it, 1
+progezi.com, 1
+progg.no, 1
+proggersession.com, 1
+proggersession.de, 1
+proglib.io, 1
+prognoshealth.com, 0
+prognozis.cf, 1
+progolfjourney.com, 1
+progon.cf, 1
+progonsoftware.com, 1
+prograce.info, 1
+program-and.work, 1
+programador-web-freelance.es, 0
+programagrowup.com.br, 1
+programando.tk, 1
+programarya.com, 1
+programaticon.tk, 1
+programer21.com, 1
+programmads.com, 1
+programmaticmagic.com, 1
+programmatv.tk, 1
+programme-launch28-code854-com.ml, 1
+programmed.com.au, 1
+programmervibe.com, 1
+programmes-neufs-corse.fr, 1
+programming-solutions.tk, 1
+programminghomeworkhelp.com, 1
+programnews.tk, 1
+programsareproofs.com, 1
+programshow.com, 1
+programsupport300procent.com, 1
+prograph.tk, 1
+prograppa.tk, 1
+progres.construction, 1
+progresion.co, 1
+progresivoptic.ro, 1
+progresja.com, 1
+progress-linux.org, 1
+progress.photos, 1
+progressive.ml, 1
+progressivecfo.co.nz, 1
+progressivedie.net, 1
+progressivenewz.org, 1
+progressiveplanning.com, 1
+progressivestreetdance.tk, 1
+progressivetree.com, 1
+progressm.tk, 1
+progressnet.nl, 1
+progressonderwijs.nl, 1
+progressportaal.nl, 1
+progressverkiezingen.nl, 1
+progresswww.nl, 1
+progroep.nl, 1
+progtime.net, 1
+prohashing.com, 1
+prohelpers.tk, 1
+prohibition.tk, 1
+prohost24.tk, 1
+prohrcloud.com, 1
+proi.net, 1
+proibidoler.com, 1
+proiceresurfacer.com, 1
+proinn.com.br, 1
+proj.org.cn, 1
+proj3ct.me, 1
+proj6.site, 1
+project-alice.io, 1
+project-forum.tk, 1
+project-ice.org, 1
+project-merlin.co.uk, 1
+project-novis.org, 1
+project-one.co.jp, 1
+project-rune.tech, 1
+project-tamriel.com, 1
+project.ac.cn, 1
+project86fashion.com, 1
+projectalias.com, 1
+projectarmy.net, 0
+projectborealisgitlab.site, 1
+projectbotticelli.com, 1
+projectbuild.tk, 1
+projectcares.tk, 1
+projectcolonisation.tk, 1
+projectcompassion.org, 1
+projectemail.co, 1
+projectfreehosting.ga, 1
+projectgazaabindo.com, 1
+projecthelius.com, 1
+projecthopeless.tk, 1
+projecthosting.nl, 1
+projectimagine.com, 1
+projectinferno.tk, 1
+projection.gq, 1
+projectl1b1t1na.tk, 1
+projectlarix.com, 1
+projectleague.lol, 1
+projectlinuseasttn.org, 1
+projectloaded.com, 1
+projectmailext.co, 1
+projectmaka.io, 1
+projectmakeit.com, 1
+projectmanager.host, 1
+projectmap.solutions, 1
+projectmetrics.co.uk, 1
+projectmidnight.tk, 1
+projectobs.com, 1
+projectobsidian.io, 1
+projectplacebo.ca, 1
+projects.nl.eu.org, 1
+projectsafechildhood.gov, 1
+projectsegfau.lt, 1
+projectskynet.org, 1
+projectsmart.co.uk, 1
+projectstem.org, 1
+projecttalent.be, 1
+projectte.ch, 1
+projecttopics.org, 0
+projectunity.io, 1
+projectvault.ovh, 1
+projectveritasaction.com, 0
+projectview.ai, 1
+projectweb.gr, 1
+projectxyz.eu, 1
+projectzet.tk, 1
+projehocam.com, 1
+projekt-allianz.de, 1
+projekt-manufaktur.de, 1
+projekt-umbriel.de, 1
+projekt-wild.tk, 1
+projektarbeit-projektplanung.de, 1
+projektentwicklung-westfalen.de, 1
+projektzentrisch.de, 1
+projest.ch, 0
+projet-fly.ch, 1
+projet-pastel.be, 1
+projet-saara.com, 1
+projetofinancas.com.br, 1
+projetomovase.com, 1
+projetootaku.net, 1
+projetsvl.com, 1
+prokaza.tk, 1
+prokey-marburg.de, 1
+proklimat.pro, 1
+prokop.ovh, 1
+prokop.uk, 1
+prolens-lankaran.tk, 1
+proletaren.se, 1
+prolikewoah.com, 1
+prolobziki.ru, 1
+prolocofrascarolo.tk, 1
+prologic.bg, 1
+prologicabg.com, 1
+proloyalweb.com, 1
+promajna.tk, 1
+promax.nl, 1
+promea.net, 1
+promecin.com, 1
+promedlatam.com, 1
+promedyczny.pl, 1
+promenics.com, 1
+promentesalzburg.at, 1
+promet.si, 1
+prometey.tk, 1
+prometheanfire.net, 1
+prometheanfire.org, 1
+promethen.com, 1
+prometheus.cf, 1
+prometteur.com, 1
+promiflash.de, 1
+promisedland.tk, 1
+promisesaplus.com, 1
+promislovik.tk, 1
+prommontag.com, 1
+promo-brille.at, 0
+promo-brille.ch, 0
+promo-brille.de, 0
+promo-code.tk, 1
+promo-kodi.tk, 1
+promo.lc, 1
+promobit.com.br, 1
+promobo.fr, 1
+promocao.email, 1
+promocion2007.tk, 1
+promocjedladzieci.pl, 1
+promocodes777.com, 1
+promocodius.com, 1
+promocoespg.pt, 1
+promodance.cz, 1
+promodoble.com, 1
+promods.download, 1
+promods.net, 1
+promods.store, 1
+promofirstmedia.co.id, 1
+promohulp.nl, 0
+promohunt.ru, 0
+promokodi.tk, 1
+promolife.be, 1
+promolover.com, 1
+promomart.eu, 1
+promopirates.com, 1
+promopony.com, 1
+promorder.ru, 1
+promosjungle.com, 1
+promosolucoes.tk, 1
+promotech.pro, 1
+promoteiq.com, 0
+promoterms.com.au, 1
+promoteroute.com, 1
+promotiongeeks.com, 0
+promotionnissanauto.com, 1
+promotionvillanakarin.com, 1
+promotor.ro, 1
+promovendum.nl, 1
+promozioni.it, 1
+prompt-service.ro, 1
+promuovi.tv, 1
+promwad.com, 0
+pron4ik.gq, 1
+pronandi.tk, 1
+pronatec.pro.br, 1
+pronikoho.cz, 1
+pronoundb.org, 1
+pronto-intervento-fognature.it, 1
+pronto-intervento.net, 1
+prontointerventofognature.roma.it, 1
+prontointerventoimmediato.it, 1
+prontossl.com, 1
+pronty.it, 1
+prooffice.de, 1
+proofofwork.art, 1
+proofpoint.com, 1
+proofpointessentials.com, 1
+proofwiki.org, 1
+proos.nl, 1
+propaganda.love, 0
+propagandablog.de, 0
+propagationtools.com, 1
+propanesale.cf, 1
+propbot.com, 1
+propco.co.uk, 1
+propecia.ml, 1
+propeld.com.au, 1
+properchels.com, 1
+propermatches.com, 1
+propersky.com, 1
+propertech.com.br, 1
+properticons.com, 1
+properties.org.il, 1
+propertiesmiami.com, 1
+property-tax.cf, 1
+property-tax.ga, 1
+property-tax.gq, 1
+propertyauctionaction.co.uk, 1
+propertycareincorporated.com, 1
+propertycrawl.com, 1
+propertydealer.ga, 1
+propertyfindercdn.com, 1
+propertyflare.com, 1
+propertygroup.pl, 1
+propertyinspect.com, 1
+propertylondon.co.uk, 1
+propertyme.com.au, 1
+propertymingo.com, 1
+propertyofariana.pw, 1
+propertyofthepeople.org, 1
+propertyone.mk, 1
+propertyrate.com, 1
+propertyroad.co.uk, 1
+propertysales-almeria.com, 1
+propertyselling.ga, 1
+propertysex.com, 1
+propertyupdate.com.au, 1
+propertyworkshop.com, 1
+properwills.com, 1
+propfirmdiscount.com, 1
+prophetdesign.ch, 1
+prophitt.me, 1
+propiedadescima.com, 1
+propiedadesenventaenplayadelcarmen.com, 1
+propiedadesenventaentulum.com, 1
+propiteer.com, 1
+propiteercapitalplc.com, 1
+propmark.com.br, 1
+propolisturkiye.tk, 1
+proporcer.tk, 1
+proposeinspain.net, 1
+propr.no, 1
+propranolol.cf, 1
+propranololgeneric.ml, 1
+proprietairesmaisons.fr, 1
+propseller.com, 1
+propshub.com, 1
+proressource.ca, 0
+proressources.ca, 1
+proris.com, 0
+prosafilosofica.com.br, 1
+prosamineira.com.br, 1
+proschlaf.at, 1
+proscore-vr2005-1plc.de, 1
+proscore-vr2006-1plc.de, 1
+proscost.com, 1
+proserialkey.com, 1
+proservice.website, 1
+proservices.vip, 1
+prosharp.com.au, 1
+proshoereview.com, 1
+proshop.pl, 1
+prosimvstupte.cz, 1
+proslimdiets.com, 1
+prosocialmachines.com, 1
+prosoft.com.es, 1
+prosony.es, 1
+prospa.digital, 1
+prospectky.gov, 1
+prospecto.com.au, 1
+prospecto.ee, 1
+prospecto.hr, 1
+prospecto.lt, 1
+prosperafrica.gov, 1
+prosperbot.com, 1
+prosperfit.com, 1
+prosperi.academy, 0
+prosperityprojectaz.org, 1
+prosperoarts.com.au, 1
+prosperontheweb.com, 1
+prosperstack.com, 1
+prosperus.ru, 1
+prospo.co, 1
+prosport.md, 1
+prosportovani.cz, 1
+prospreads.com, 1
+prostaglandina.com, 1
+prostavropol.cf, 1
+prostecheat.xyz, 1
+prostitutka.cf, 1
+prostitutka.ml, 1
+prostitutki-narvskaja.ga, 1
+prostitytki-nijnevartovsk.club, 1
+prosto-dengi.tk, 1
+prostocash.com, 1
+prostodengi.ml, 1
+prostogame.ga, 1
+prostohobby.ru, 1
+prostoivkusno.ml, 1
+prostoporno.fun, 1
+prostoporno.guru, 1
+prostoporno.life, 1
+prostoporno.live, 1
+prostoporno.love, 1
+prostoporno.net, 1
+prostoporno.sexy, 1
+prostoporno.video, 1
+prostoporno.vip, 1
+prostoporno.zone, 1
+prostor.cf, 1
+prostore.vn, 1
+prostoskidki.ml, 1
+prostozaim.ml, 1
+prostreamstudio.com, 1
+prostye-recepty.com, 1
+prosurf.com.hr, 1
+prosurveillancegear.com, 1
+prosvet.tk, 1
+prosveta1901.tk, 1
+prosvita.dp.ua, 1
+protaaltar.com, 1
+protanki.ml, 1
+protanki.tk, 1
+protapnews.tk, 1
+protecaodns.pt, 1
+proteccaocivil.com, 1
+proteccaocivil.net, 1
+proteccaocivil.org, 1
+protecciondelconsumidor.gov, 1
+proteces.ru, 1
+protecht.com.au, 1
+protechtgroup.com, 1
+proteco.sk, 1
+protectapack.com.au, 1
+protectasecurity.pe, 1
+protected-forms.com, 1
+protectedreport.com, 1
+protectem.de, 1
+protecti.com, 1
+protection-plexi.com, 1
+protection-plexi.fr, 1
+protection.ga, 1
+protectionformula.com.ua, 1
+protectoraircare.com.au, 1
+protectwrap.ml, 1
+protege.moi, 1
+proteh.com.ua, 1
+proteinreport.org, 1
+protek.si, 1
+protek.tk, 1
+proteka.com.tr, 1
+protekpainters.com, 1
+protempore.fr, 1
+protenus.com, 1
+proteogenix-products.com, 1
+proteogenix.science, 1
+protesthongkong.com, 1
+proteus-eretes.nl, 1
+protez.ga, 1
+protez.ml, 1
+protez.tk, 1
+prothots.com, 1
+protic.online, 1
+protic.pt, 1
+protiksana.gr, 1
+protipster.com, 1
+protium.co.in, 1
+proto.io, 1
+protobetatest.com, 1
+protocol.ai, 1
+protocol.co.il, 1
+protocoloantiotario.com.br, 1
+protogenbrainbooster.tk, 1
+protok.tk, 1
+proton.ch, 1
+proton.me, 1
+protonbg.bg, 1
+protonmail.ch, 1
+protonmail.com, 1
+protonpartnersglobal.com, 1
+protonpix.com, 1
+protonvpn.com, 1
+prototayl.gq, 1
+prototech.store, 1
+prototypable.io, 1
+prototype.bg, 1
+prototypefund.de, 1
+prototyping-computer.ml, 1
+prototypofablab.it, 1
+protoxin.net, 0
+protrainerbrasil.com.br, 1
+protranslate24.ru, 1
+protrolley.cf, 1
+protteapapelaria.com.br, 1
+protvplus.ro, 1
+proudplus.com, 1
+proust.ch, 0
+proust.media, 0
+proustmedia.de, 0
+prouveonline.pt, 1
+proux.global, 1
+prove-uru.co.uk, 1
+prove.com, 1
+prove.no, 1
+proveits.me, 0
+provenbyyullia.com, 1
+provence-appartements.com, 0
+provent.io, 0
+provera10mg.tk, 1
+proverb.today, 1
+proverennie-kursi.gq, 1
+proverennie-kursi.ml, 1
+proverennie-kursi.tk, 1
+provereno-rabotaet.gq, 1
+provereno-rabotaet.tk, 1
+proverochka.tk, 1
+provide-vr2002-1plc.de, 1
+provide-vr2003-1plc.com, 1
+provide-vr2003-1plc.de, 1
+provide-vr2004-1plc.de, 1
+provide-vr2005-1plc.de, 1
+provide-vr2006-1plc.de, 1
+provide-your-image.de, 1
+providencecmc.com, 1
+provident1031.com, 1
+providenthousing.com, 1
+providential.be, 1
+providerlijst.ml, 1
+providmedical.com.ua, 1
+provigis.com, 0
+provincialrubber.co.uk, 1
+provinciaotlavoro.it, 1
+provinstyper.com, 1
+provinzblogger.de, 1
+provisionevents.co.uk, 1
+provisionircd.tk, 1
+provitec.com, 1
+provlas.se, 1
+provo.gov, 1
+provocador.es, 1
+proweb-design.no, 1
+prowi.se, 1
+prowindow.sk, 1
+prowise.com, 1
+prowise.me, 1
+prowoodthai.com, 1
+prowpcare.com, 1
+prowrestlingevents.tk, 1
+prox.ru, 1
+proxaccess.com, 1
+proximity.ga, 1
+proximityradio.fr, 1
+proximo.tk, 1
+proxirealtime.com, 1
+proxmox-airsonic.tk, 1
+proxy-bay.cc, 1
+proxy-bay.click, 1
+proxy-bay.me, 1
+proxy-bay.one, 1
+proxy-bay.onl, 1
+proxy-bay.top, 1
+proxybay.ink, 1
+proxybay.red, 1
+proxyhub.eu.org, 1
+proxyline.net, 1
+proxytool.cf, 1
+proyectofreestyle.com, 1
+proyectomca.es, 1
+proyectosaludecuador.org, 1
+proyectosinelec.com, 1
+proyectostep.tk, 1
+prozac20mg.cf, 1
+prozapchast24.ru, 1
+prozhedownload.com, 1
+prozoneplan.com, 1
+prozorlivec.tk, 1
+prpbenevolent.org, 1
+prpbt.io, 1
+prpferrara.it, 1
+prpr.bid, 1
+prpr.cat, 1
+prpr.icu, 1
+prpr.live, 1
+prpr.rip, 1
+prpr.win, 1
+prsbtdc.org, 1
+prsg.tk, 1
+prsnlafk.com, 1
+prstatic.com, 1
+prt.in.th, 1
+prtpe.com, 1
+pru.com.hk, 1
+pru.hk, 1
+pruchovi.tk, 1
+prudenceandthecrow.com, 1
+prudential.com.sg, 1
+pruebapg.cl, 1
+pruebasrapidasdrogas.com, 1
+pruem.software, 1
+pruijn-overheidsadvies.nl, 1
+pruma.com.br, 1
+prushka.gq, 1
+prushka.ml, 1
+prushka.tk, 1
+pruve.it, 1
+prvnirodinna.cz, 1
+prwebconsulting.com, 0
+prwid.gov, 1
+pry.co, 1
+pryan.org, 1
+prylarprylar.se, 1
+prynhawn.com, 1
+prynhawn.net, 1
+prynhawn.org, 1
+prytkov.com, 1
+prywatnie.com, 1
+przemas.pl, 1
+przemek-kuczynski.com, 1
+przemyslprzyszlosci.gov.pl, 1
+przepisykolejowe.tk, 1
+przerabianiezdjec.pl, 1
+przybys.eu, 1
+przyciemnianieszyb.waw.pl, 1
+ps-clinic.jp, 1
+ps-provider.co.jp, 1
+ps-rosatom.ru, 1
+ps-sale.ru, 1
+ps-w.ru, 1
+ps.energy, 1
+ps194.net, 1
+ps194.org, 1
+ps2.io, 1
+ps2911.com, 1
+ps2online.tk, 1
+ps3419.org, 1
+ps4all.nl, 1
+ps5ssd.com, 1
+ps8318.com, 1
+psa-travel-care.com, 1
+psa.at, 1
+psa.gov, 1
+psa.org.au, 1
+psacertified.org, 1
+psaho.ru, 1
+psalivenews.ml, 1
+psalmer.tk, 1
+psasines.pt, 1
+psau.edu.sa, 1
+psauthority.org.uk, 1
+psauxit.com, 0
+psazy.ml, 1
+psb.cloud, 1
+psb1.org, 1
+psb1911.com, 1
+psb4ukr.net, 1
+psb4ukr.org, 1
+psc-elsene.be, 1
+pschierl.com, 1
+pscosigngroup.com, 1
+pscp.tv, 1
+pscr.gov, 1
+pscu.com, 1
+psd-vfx.com, 1
+psdfindia.in, 1
+psdmarket.net, 1
+psdpt-tpfd.gc.ca, 1
+psdreams.com, 1
+psdsfn.com, 1
+psdsuc.com, 1
+pseac.org, 1
+pseek.com, 1
+psemc.com, 1
+pseta.ru, 1
+psevdonim.ga, 1
+psezalla.es, 1
+psg-calw.de, 1
+psge.ps, 1
+pshar.ma, 1
+pshostpk.com, 1
+pshweb.tk, 1
+psi-tv.tk, 1
+psi.gay, 1
+psicanalista.milano.it, 1
+psici.eu, 1
+psicoblog.tk, 1
+psicoexpansao.com.br, 1
+psicologajanainapresotto.com.br, 1
+psicologamarianaortiz.com, 1
+psicologia.gay, 1
+psicologiaparatodos.com.mx, 1
+psicologias.rio.br, 1
+psicologo-especialista-barcelona.com, 1
+psicologo-infantil-barcelona.com, 1
+psicologo.vip, 1
+psicomagia.com.br, 1
+psicometricas.mx, 1
+psihocentrala.com, 1
+psiholognatalija.rs, 1
+psihologonline.tk, 1
+psihology.gq, 1
+psihology.tk, 1
+psihoterapevt1.by, 1
+psihoterapija-slap.hr, 1
+psihotest.tk, 1
+psii.global, 0
+psiint.ca, 1
+psikokoro.com, 1
+psilly.com, 1
+psinergy.info, 1
+psinergyhealth.com, 1
+psinergytech.com, 1
+psinetika.tk, 1
+psionline.com, 0
+psionlinestore.com, 1
+psiplex.cf, 1
+psiplex.ga, 1
+psiplex.gq, 1
+psishop.tk, 1
+psitarz.com, 1
+psixotest.tk, 1
+psixotesty.tk, 1
+pskhu-wedding.ru, 1
+pskov-daily.tk, 1
+pskov.gq, 1
+pskov.ml, 1
+pslf.gov, 1
+pslgroup.com, 1
+psm.org.ph, 1
+psmpl.com, 1
+psncarddelivery.com, 0
+psncardplus.be, 1
+psncardplus.com, 1
+psncardplus.dk, 1
+psncardplus.nl, 1
+psncardplus.se, 1
+psncoach.com, 1
+psncuc.gov, 1
+pso2.icu, 1
+psochecker.com, 1
+pson.ninja, 1
+psono.pw, 1
+psoo.top, 1
+psoppc.com, 1
+psoppc.info, 1
+psoppc.net, 1
+psoppc.org, 1
+psoriasischecker.com, 1
+pspapershow.ga, 1
+pspenvases.es, 1
+psphp.tk, 1
+psplus.ml, 1
+psplus.tk, 1
+psprices.com, 1
+psprsaz.gov, 1
+psps.cat, 1
+psq.com.au, 1
+psreturn.com.au, 1
+pssgcsim.org, 1
+pssjd.org, 1
+pssschristchurch.tk, 1
+pst.edu.au, 1
+pst.moe, 1
+pstake.finance, 1
+pste.pw, 1
+pstrozniak.com, 1
+pstrykmyk.eu, 1
+pstutorials.tk, 1
+psu.je, 1
+psv-herford-badminton.de, 1
+psw-consulting.de, 1
+psw-group.de, 1
+psw-training.de, 1
+psw.net, 1
+pswatcher.com, 1
+psyart.tk, 1
+psycenter.tk, 1
+psych2go.net, 1
+psychcare.cz, 1
+psychedelia.com, 1
+psychedelics.org, 1
+psychiatretdah.fr, 1
+psychiatrie-ricany.cz, 1
+psychiatriepapezova.net, 1
+psychiatriepraktijkutrecht.nl, 1
+psychiatry-clinic.com.tw, 1
+psychic-healer-mariya-i-petrova-boyankinska-b-borovan-bg.com, 1
+psychicfairnetwork.cf, 1
+psychicfairnetwork.gq, 1
+psychicfairnetwork.ml, 1
+psychiq.com, 1
+psychische-systeme.de, 1
+psychistory.ru, 1
+psycho-familles.com, 1
+psycho-lobby.fr, 1
+psycho-news.tk, 1
+psycho.space, 1
+psychoactive.com, 1
+psychoco.net, 1
+psychoesprit.ca, 1
+psychologbruksela.be, 1
+psychologi.cf, 1
+psychologic.tk, 1
+psychologie-hofner.at, 1
+psychologischepraktijkphilips.nl, 1
+psychologist-license.com, 1
+psychologist.ga, 1
+psychologlodz.info, 1
+psychologue-a-paris.com, 1
+psychologue-grenoble.org, 1
+psychologydegreeguide.org, 1
+psychologytests.tk, 1
+psychometric.careers, 1
+psychometrictest.ca, 1
+psychometrictest.co.il, 1
+psychometrictests.ca, 1
+psychometrictests.in, 1
+psychometrictests.uk, 1
+psychometrischetests.de, 1
+psychometrist.ir, 1
+psychomotricien-la-rochelle.com, 1
+psychonaut.tk, 1
+psychonews.tk, 1
+psychopathtest.com, 1
+psychosis.tk, 1
+psychotechnique.africa, 1
+psychotechnique.be, 1
+psychotechnique.ch, 1
+psychotechnique.com, 1
+psychotechnique.lu, 1
+psychotechniquetest.fr, 1
+psychotel.tk, 1
+psychoterapia-skuteczna.pl, 1
+psychotest.gq, 1
+psychotestprep.com, 1
+psychotherapie-ahlmeyer.de, 1
+psychotherapie-kp.de, 0
+psychotherapie-leipzig.eu, 1
+psychotherapie-lichterfelde.berlin, 1
+psychotherapie1220wien.at, 0
+psychotiq.tk, 1
+psychotropical.com, 1
+psychpsyo.com, 1
+psycolleges.com, 1
+psydprograms.org, 1
+psyelena.be, 1
+psygame.cf, 1
+psyh.tk, 1
+psyhoslovar.ru, 1
+psyk-patienten.tk, 1
+psykologtidningen.cf, 1
+psykologtidningen.ga, 1
+psykologtidningen.gq, 1
+psykometrisk.se, 1
+psykosyntes.tk, 1
+psyllabus.ru, 1
+psylliums.com, 1
+psynapse.net.au, 1
+psytrance-pro.com, 1
+pszinfo.hu, 1
+pt-d.ru, 1
+pt-server.de, 1
+pt.im, 1
+pt1xbet.com, 1
+pt4.tech, 1
+pta-security.nl, 1
+pta.world, 1
+ptab2pt.ga, 1
+ptal.eu, 1
+ptasiepodroze.eu, 1
+ptbi.org.pl, 1
+ptboys.tk, 1
+ptbx.co, 1
+ptcbooks.gq, 1
+ptcdogpark.com, 1
+ptcit.com, 1
+ptco.store, 1
+ptcorporategifts.com.sg, 1
+ptczone.tk, 1
+pteceng.com, 1
+ptepanacea.com, 1
+pterodactyl.org.cn, 1
+pterodactylus.cz, 1
+ptfiber.com, 1
+ptfiber.ru, 1
+ptfiber.spb.ru, 1
+ptgoldensun.com, 1
+ptheophanidis.com, 1
+pthsec.com, 1
+pticoaching.nl, 1
+ptit-trocoeur.fr, 1
+ptjobsite.com, 1
+ptlibrary.ml, 1
+ptltrade.com, 1
+ptm.ro, 1
+ptmarquees.ie, 1
+ptmco.org, 1
+ptotoday.com, 1
+ptpasi.ddns.net, 1
+ptrbrs.nl, 1
+ptrdata.com, 1
+ptrl.ws, 1
+ptron.org, 1
+ptrt.xyz, 1
+ptrujillo.com, 1
+ptsadvokat.cf, 1
+ptscrightony.fr, 1
+ptserver.org, 1
+ptservidor.pt, 1
+ptsf.pt, 1
+ptshft.co, 1
+ptsjapan.co.jp, 1
+ptssystems.co.in, 1
+ptt.casa, 1
+ptt.gov, 1
+ptt2.su, 1
+pttimewithtim.com, 1
+pttrains.eu, 1
+ptufdc.com, 1
+ptupapers.tk, 1
+pturl.tk, 1
+pty.gg, 1
+ptzoptics.com, 1
+puac.de, 1
+pub-med.ru, 1
+pub-online.ro, 1
+pubclub.com, 1
+pubertytalk.com, 1
+pubi.me, 1
+pubkgroup.com, 1
+pubkit.io, 1
+publanda.nl, 1
+publi-all.be, 1
+public-files.com, 1
+public-g.de, 1
+public-measures.com, 1
+public-projects.com, 1
+public-projects.de, 1
+public-vocals.de, 1
+public.cat, 1
+publicagent.com, 1
+publiccarauctionscalifornia.com, 1
+publicdatacloud.com, 1
+publicdatafiles.com, 1
+publicdelivery.org, 1
+publicdomainartwork.com, 0
+publichealth.cf, 1
+publichealth.gq, 1
+publichealthcareeredu.org, 1
+publichealthdegrees.org, 1
+publichealthonline.org, 1
+publicintegrity.org, 1
+publicintelligence.net, 1
+publicishealth.es, 1
+publicitar.tk, 1
+publicmarket.com, 1
+publicnode.com, 1
+publicnoticesbaycountyfl.gov, 1
+publicpickups.com, 1
+publicrea.com, 1
+publicschoolreview.com, 1
+publicserviceloanforgiveness.gov, 1
+publicspeakingcamps.com, 1
+publicsuffix.org, 1
+publictechsupport.org, 1
+publicvoid.ga, 1
+publicwhip.org.uk, 1
+publik.ml, 1
+publikum.net, 1
+publimepa.it, 0
+publiq.space, 1
+publis.me, 1
+publish.ga, 1
+publishedpaper.ga, 1
+publisherservices.co, 1
+publishmystory.co, 1
+publishpressnews.tk, 1
+publivate.ca, 1
+publiweb.tk, 1
+publixphere.net, 1
+pubmed2xl.com, 1
+pubquiz-online.nl, 1
+pubsavoy.tk, 1
+puccakir.tk, 1
+puchshop.de, 1
+puckcreations.com, 1
+pucogid.ga, 1
+puddin.ml, 1
+pudding.tk, 1
+puddingtheatre.tk, 1
+pudro.com, 1
+puebladeeca.tk, 1
+puebladesoto.tk, 1
+pueblanmilksnake.com, 1
+pueblocantabro.tk, 1
+pueblocc.edu, 1
+pueblosamerica.com, 1
+puella.xyz, 1
+puenteviejo.tk, 1
+puer.eu.org, 1
+puer8.cn, 1
+puertodramaturgia.tk, 1
+puertoplazalasterrenas.com, 1
+puestifiestas.mx, 1
+puetter.eu, 1
+puffer.blog, 1
+puffy.tube, 1
+puffyan.us, 1
+pugachev.ml, 1
+puggan.se, 1
+pugilares.com.pl, 1
+pugstime.com, 1
+puhe.se, 1
+puhudefu.de, 1
+puissancemac.ch, 0
+puiterwijk.org, 1
+pujasharma.associates, 1
+pujcky.cz, 1
+pujd3.gq, 1
+puka.edu.ee, 1
+pukfalkenberg.dk, 1
+pula-site.tk, 1
+pulcinella.tk, 1
+puli.com.br, 1
+pulinkai.eu.org, 1
+pulinkai.xyz, 1
+pulito.it, 1
+pulitoken.net, 1
+pulitoperfetto.ddns.net, 1
+pulizia.roma.it, 1
+puliziacantine.it, 1
+pulizie.roma.it, 1
+pulizieuffici.milano.it, 1
+pulizievap.it, 1
+pulkovo-cargo.ru, 1
+pulledporkheaven.com, 1
+pulley.co.jp, 1
+pullman.milano.it, 1
+pullman.roma.it, 1
+pullnopunchesradio.tk, 1
+pulower.tk, 1
+pulpan.xyz, 1
+pulpitsupplypreachers.com, 1
+pulpproject.org, 1
+pulsadanvoucher.tk, 1
+pulsagolden.tk, 1
+pulsedive.com, 1
+pulsenetwork.com, 1
+pulser.stream, 1
+pulseroot.ga, 1
+pulsestaffingllc.com, 1
+pulsnitzer-lebkuchen-shop.de, 0
+pulsnitzer-lebkuchen.de, 1
+pulsnitzer-lebkuchen.shop, 0
+pulsnitzer-pfefferkuchen-shop.de, 0
+pulsnitzer-pfefferkuchen.shop, 0
+pulsr.ml, 1
+pulsus.mobi, 1
+pulvislab.it, 1
+pumarin.tk, 1
+pumin.ml, 1
+pump19.eu, 1
+pumpen-blum.de, 1
+pumuntincu.eu.org, 1
+punaise-de-lit-paris.com, 1
+punat.tk, 1
+puncakpass.net, 1
+punchadragon.com, 1
+punchlinetheatre.co.uk, 1
+punchlinetheatre.com, 1
+punctually.gq, 1
+pundak.games, 1
+pundix.com, 1
+puneindia.tk, 1
+punematka.com, 1
+pungatv.ml, 1
+punikonta.de, 1
+punishment.institute, 1
+punitsheth.com, 1
+punjabsind.in, 1
+punk-jazz.tk, 1
+punkapoule.fr, 1
+punkart.tk, 1
+punkas.tk, 1
+punkcolombia.tk, 1
+punkgrossos.com, 1
+punknews.org, 1
+punknmetal.tk, 1
+punkrestaurant.is, 1
+punksway.top, 1
+punkt05.de, 1
+punpoetry.com, 1
+punshjp.com, 1
+puntacanalink.com, 1
+puntacananetwork.com, 1
+puntacanapizza.com, 1
+puntacanavapor.com, 1
+puntaires.com, 1
+puntaprop.com, 1
+puntcunts.com, 1
+puntoaparte.pe, 1
+puntocroce.tk, 1
+puntoestadodemexico.com, 1
+puntogommevenegono.it, 1
+puntonium.hu, 1
+puntopropiedad.com, 1
+puntoremov.ga, 1
+puntualseo.com, 1
+pupboss.com, 1
+pupilgauge.com, 1
+pupok.cf, 1
+pupok.gq, 1
+puppo.space, 1
+puppy.actor, 1
+puppyfinder.com, 1
+puppyfish.com, 1
+puppygock.gay, 1
+puppyirl.gay, 1
+puppykennel.tk, 1
+puppylove.hu, 1
+puq.moe, 1
+pur-institut.fr, 1
+pura-ponia.cf, 1
+pura-ponia.ga, 1
+pura-ponia.gq, 1
+puragreement.tk, 1
+puralifesciences.com, 1
+puravayalchurch.tk, 1
+puravida-estate.com, 1
+puravidaeamor.com.br, 1
+purchasebestone.tk, 1
+purchaserprotect.co.uk, 1
+purchasescooters.ga, 1
+purchasetncrash.gov, 1
+purchasingpower.com, 1
+pure-gmbh.com, 1
+pure-paste.tk, 1
+pure2life.nl, 0
+purear.com.br, 1
+pureart.co.jp, 1
+pureart.jp, 1
+pureatmospherellc.com, 1
+pureaudioplayer.ru, 1
+purecodedigital.com, 1
+purecreative.digital, 1
+puredayshop.com.tw, 1
+puredisinfecting.com, 1
+puredisinfection.com, 1
+puredns.org, 1
+purefarminggame.com, 1
+purefoot.jp, 1
+pureleverage.com, 1
+purelife.photography, 1
+pureliferx.com, 1
+purelovecoaching.fi, 1
+purely.domains, 1
+purelymail.com, 1
+purelypestcontrol.com, 1
+puremosquito.com, 1
+purenhd.com, 1
+purepestandlawn.com, 1
+puresanitization.com, 1
+purestiks.tk, 1
+puretermite.com, 1
+puretone.pro, 1
+purevapeofficial.com, 1
+purevicky.com, 1
+purewaterguide.net, 1
+purewealth.cloud, 1
+purikore.com, 1
+puritanas.tk, 1
+puritas.lk, 1
+purits.de, 1
+purityclothing.co.uk, 1
+purneauniversity.org, 1
+purovive.tk, 1
+puroyorganico.co, 1
+puroyorganico.com.co, 1
+purpl.ink, 1
+purple.tech, 1
+purplehost.com.br, 1
+purplehotel.cf, 1
+purplemath.com, 1
+purplemet.com, 1
+purplemoon.ch, 1
+purplemoon.mobi, 1
+purpleplains.net, 1
+purplepr.bg, 1
+purples.cf, 1
+purples.gq, 1
+purplestar.ch, 1
+purplestar.com, 1
+purplestar.mobi, 1
+purpletter.tk, 1
+purplewindows.net, 1
+purplez.pw, 1
+purplscientific.com, 1
+purpspc.com, 1
+purrclaws.com, 1
+purreview.cf, 1
+purrfectboudoir.com, 1
+purrfectcams.com, 1
+purrfectmembersclub.com, 1
+purrfectswingers.com, 1
+purroy.tk, 1
+purrpley.com, 1
+purrpley.io, 1
+purrpley.me, 1
+purrrpley.com, 1
+purrrpley.dev, 1
+purrrpley.io, 1
+purrrpley.me, 1
+purrrrpley.com, 1
+purrrrpley.io, 1
+purrrrpley.me, 1
+purse-les.com, 1
+purstonlamb.com, 1
+pursuable.cf, 1
+pursuehappiness.tk, 1
+pursuingoutdoors.com, 1
+pursuit-relax.com, 1
+purtahan.tk, 1
+purupuru-shibuya.school, 1
+purupuru.school, 1
+purwantara.id, 1
+puryearlaw.com, 1
+pusatinkubatorbayi.com, 0
+pusatlojistik.com, 1
+puschkin.ga, 1
+pusehusetmalvik.no, 1
+pusera.com, 1
+puset.tk, 1
+push-free.com, 1
+pusha.tk, 1
+pushmetrics.io, 1
+pushoflove.com, 1
+pushok.tk, 1
+pushpanel.io, 1
+pushphp.com, 1
+pushponline.com, 1
+pushthebutton.tk, 1
+pusichatka.ddns.net, 1
+pusra.ga, 1
+pussplay.com, 1
+pussycat.ml, 1
+pussylickingnow.com, 1
+pussyspace.com, 1
+pustak.tk, 1
+pustakvishwa.tk, 1
+pusztul.at, 1
+put-spaseniya.ml, 1
+put.moe, 1
+put.re, 1
+putana.gq, 1
+putanaru.gq, 1
+putani.gq, 1
+putany.tk, 1
+putanypitera.ml, 1
+putasenvalencia.es, 1
+putatara.net, 1
+puteulanus.xyz, 1
+puthenthope.tk, 1
+putin.red, 1
+putitforward.com, 1
+putlire.ga, 1
+putman-it.nl, 1
+putnam-fl.gov, 1
+putnam-ga.gov, 1
+putnamcollision.com, 1
+putnamcountywv.gov, 1
+putnamil.gov, 1
+putnamvalley.gov, 1
+putney.io, 1
+putnik.tk, 1
+putokaz.eu, 0
+putomani.rs, 1
+putre.io, 1
+putrock.be, 1
+putstrategii.ru, 0
+putty.org, 1
+puttymonos.club, 1
+puttymonos.work, 1
+putzigdesign.de, 1
+puur.gent, 1
+puurgent.be, 1
+puxlit.net, 1
+puyallupnissanparts.com, 1
+puyblanc.info, 1
+puzi.nl, 1
+puzz.gg, 1
+puzzlage.com, 1
+puzzle-welt.ch, 1
+puzzlegames.com, 1
+puzzlepiehouse.com, 1
+puzzlepoint.ch, 1
+puzzles-to-print.com, 1
+puzzleswaps.com, 1
+puzzyfun.net, 1
+pv-paderborn-now.de, 1
+pvamg.org, 1
+pvao.gov.ph, 0
+pvawa.com.au, 1
+pvda.nl, 1
+pvdplanet.tk, 1
+pvebuilds.xyz, 1
+pvgvethospital.co.uk, 1
+pvh-membrany.ru, 1
+pvhe.pl, 1
+pvideo.cz, 1
+pvlrmnnk.com, 1
+pvmotorco.com, 1
+pvp-factions.fr, 1
+pvp.edu.ee, 1
+pvpagario.tk, 1
+pvpcraft.ca, 1
+pvpctutorials.de, 1
+pvpheroes.gg, 1
+pvpheroes.no, 1
+pvplist.ml, 1
+pvportal.me, 1
+pvpready.gov, 1
+pvpserverler.pro, 1
+pvpzone.fr, 0
+pvrtours.com, 1
+pvtschlag.com, 0
+pvtx.gov, 1
+pvv-vermietung.de, 1
+pvz.tools, 1
+pw.org, 1
+pwaiwm.site, 0
+pwanotes.ga, 1
+pwaresume.com, 1
+pwbaccountants.com, 1
+pwcva.gov, 1
+pwd.az, 1
+pwd.vc, 1
+pwddelhi.gov.in, 1
+pwdsafe.com, 0
+pwe.vision, 1
+pwg-see.de, 1
+pwn.fi, 1
+pwnedpass.tk, 1
+pwneytelecom.com, 1
+pwnies.dk, 1
+pwoss.xyz, 1
+pws.my, 1
+pwsplash.com, 1
+pwss.gov.au, 1
+pwud.ga, 1
+pxagency.fr, 1
+pxc-coding.com, 1
+pxetech.com, 1
+pxgamer.xyz, 1
+pxl-mailtracker.com, 1
+pxl.cl, 1
+pxl.st, 1
+pxld.sh, 1
+pxnetwork.fr, 1
+pxstart.cz, 1
+pxtwitter.com, 1
+pxventures.com.au, 1
+pxx.io, 1
+py-amf.org, 1
+py.pl, 1
+py.search.yahoo.com, 0
+pya.org.tr, 1
+pybtex.org, 0
+pyca.tk, 1
+pycckue.tk, 1
+pychef.com, 1
+pycoders.com, 1
+pycrc.org, 1
+pycrypto.org, 1
+pycycle.info, 1
+pydotamisa.tk, 1
+pydrocsid.ml, 1
+pygarage.com, 0
+pygb.cl, 1
+pygmyleafchameleon.com, 1
+pygn.win, 1
+pygos.space, 1
+pyhello.world, 1
+pyjiaoyi.cc, 1
+pyjy.org, 0
+pylad.se, 1
+pylon.bot, 1
+pymescentro.net, 1
+pymestari.com, 1
+pymtreceipt.com, 1
+pyopenssl.org, 1
+pypa.io, 1
+pypckomp.ddns.net, 1
+pypi.io, 1
+pypi.org, 1
+pypi.python.org, 1
+pyra-explorer.tk, 1
+pyramidsmalleg.com, 1
+pyramydair.com, 1
+pyrios.pro, 1
+pyro.works, 1
+pyroballpcbs.com, 1
+pyrofestival-vermoise.fr, 1
+pyromaniac.tk, 1
+pyrotechnologie.de, 1
+pyspace.org, 1
+pythia.nz, 1
+python.org, 0
+pythonatrix.com, 1
+pythonblog.tk, 1
+pythondiscord.com, 1
+pythonfactory.io, 1
+pythonhosted.org, 1
+pythonmorsels.com, 1
+pytodon.com, 1
+pytradebot.com.br, 1
+pywikibot.org, 1
+pyxalis.com, 1
+pyxisfreelance.au, 1
+pyxisfreelance.co, 1
+pyxisfreelance.com.au, 1
+pyxo.net, 0
+pyxyp.com, 1
+pzpittsburgh.com, 1
+pzsearch.nl, 1
+pzu-masa.pl, 1
+pzz.by, 1
+q-and-a.tk, 1
+q-inn.com, 1
+q-inn.nl, 1
+q-m.space, 1
+q-mami.com, 1
+q-matrix.de, 1
+q-technologies.com.au, 1
+q.to, 1
+q00228.com, 1
+q01.us, 1
+q1000.nl, 1
+q1q2q3.tk, 1
+q1z.net, 1
+q3.is, 1
+q3cdn.net, 1
+q3jlzwq.com, 1
+q5118.com, 1
+q5197.co, 1
+q6729.co, 1
+q6729.com, 1
+q6957.co, 1
+q78kg.eu.org, 1
+q7k.net, 1
+q82365.com, 1
+q8igh228tq.tk, 1
+q9.ee, 1
+q9.io, 1
+q9297.co, 1
+q9728.co, 1
+qa-brandywineglobal.com, 1
+qa.fedoraproject.org, 1
+qa.stg.fedoraproject.org, 1
+qaabildigital.com, 1
+qabalah.ga, 1
+qabalah.jp, 1
+qabel.de, 1
+qabete.com, 1
+qac.gov, 1
+qaconstrucciones.com, 1
+qadmium.com, 1
+qadmium.tk, 1
+qadrishattari.tk, 1
+qaina.net, 1
+qalab.tk, 1
+qalm.net, 1
+qanatnews.tk, 1
+qani.me, 1
+qaq.cloud, 1
+qaq.icu, 1
+qaq.jp, 1
+qarto.com, 1
+qask.ml, 1
+qasphere.com, 1
+qassay.com, 1
+qatartimes.tk, 1
+qatesol.org.au, 1
+qawasmigroup.com, 1
+qaz.cloud, 1
+qazcloud.com, 0
+qbasic.tk, 1
+qbasicsite.tk, 1
+qbcorescripts.com, 1
+qbits.li, 1
+qbotica.com, 1
+qbrix.dk, 1
+qbstores.com, 1
+qbug.cf, 1
+qc-ikonwork.com, 1
+qc.immo, 1
+qc.search.yahoo.com, 0
+qcbrna.qa, 1
+qcc.gov.ae, 1
+qccareerschool.com, 0
+qcdesignschool.com, 0
+qcdjco.com, 1
+qcdoll.com, 1
+qcert.org, 1
+qclean.com.au, 1
+qcmakeupacademy.com, 0
+qcmlw.com, 1
+qconline.com, 1
+qconnan-photos.fr, 1
+qconomics.com, 1
+qcrx.cn, 0
+qcstudentcenter.com, 0
+qcstyleacademy.com, 0
+qctimes.com, 1
+qctravelschool.com, 0
+qdabogados.com, 1
+qdep.net, 1
+qdm.tw, 1
+qdmnotizie.it, 1
+qdon.space, 1
+qdqlh.cn, 1
+qdrat.ml, 1
+qdrcst.com, 1
+qdstationary.co.uk, 1
+qdstationery.co.uk, 1
+qe-lab.at, 1
+qed.ai, 1
+qeddi.com.au, 1
+qeepintelligence.tk, 1
+qeepitsafe.nl, 1
+qeering.link, 1
+qei.org.au, 1
+qelectrotech.org, 1
+qeros.io, 1
+qeshmminer.com, 1
+qetesh.de, 1
+qetic.co.jp, 1
+qewc.com, 1
+qfes.qld.gov.au, 1
+qfjvv7f.xyz, 1
+qform.ru, 1
+qfurs.ru, 1
+qgblog.org, 0
+qgushi.com, 1
+qhost.cf, 1
+qhse-professionals.nl, 1
+qiai.cf, 1
+qiai.ga, 1
+qiai.gq, 1
+qiai.ml, 1
+qiancao.cf, 1
+qiancao.ml, 1
+qianglie.com, 1
+qiangshen.com, 1
+qianlong.net, 1
+qianmu.com, 1
+qiannews.net, 0
+qianqiao.me, 1
+qianshuo.com, 1
+qiantuwenlu.com, 1
+qianzhanggui.com, 1
+qiaohong.org, 1
+qiaowai.com, 1
+qiayuan.com, 1
+qiber.org, 1
+qicaiyunnan.com, 1
+qicoder.com, 1
+qifu.me, 1
+qifu.org.cn, 1
+qigehl.com, 1
+qihalu.com, 1
+qihc.com, 1
+qihl.gg, 1
+qike.tk, 1
+qikio.com.au, 1
+qimingbu.com, 1
+qimingceming.com, 1
+qin.moe, 1
+qingan.ca, 1
+qingchuan.cc, 1
+qingdu.com, 1
+qingkong.net, 0
+qinglingyu.cn, 1
+qingly.me, 1
+qingniantuzhai.com, 1
+qingpat.com, 0
+qingpei.me, 1
+qingyule.com, 1
+qinlili.bid, 1
+qionouu.cn, 1
+qiqitv.info, 1
+qis.fr, 1
+qisas.com, 1
+qiscience.tk, 1
+qisda.com, 1
+qissajewels.com, 1
+qitabbs.com, 0
+qitano.com, 1
+qitarabutrans.com, 1
+qiu.moe, 0
+qiu006.com, 1
+qiuke.com, 1
+qiuwenbaike.cn, 1
+qiuyiwenyao.com, 1
+qivonline.pt, 1
+qiwi.be, 1
+qix.ca, 1
+qixbit.com, 1
+qixi.biz, 1
+qiyan.email, 0
+qkart.net, 1
+qkek.tk, 1
+qkka.org, 1
+qklshequ.com, 1
+ql.tc, 1
+qlares.nl, 1
+qlarititech.io, 1
+qlc.co.th, 1
+qlcvea.com, 1
+qlcvea.it, 1
+qldconservation.org.au, 1
+qldformulaford.org, 1
+qldnetwork.com.au, 1
+qliving.com, 1
+qlock.mywire.org, 1
+qlrace.com, 0
+qlsh.com, 1
+qm-marzahnnordwest.de, 1
+qm8828.net, 1
+qm8838.net, 1
+qm8888.net, 1
+qmang.com, 1
+qmarket.tk, 1
+qmdcoin.com, 1
+qmee.com, 1
+qmeriaux.fr, 1
+qmp-media.nl, 0
+qnap.co.jp, 1
+qnap.com, 1
+qnap.com.br, 1
+qnap.com.cn, 1
+qnap.com.hk, 1
+qnap.com.tw, 1
+qnap.de, 1
+qnap.hk, 1
+qnap.tw, 1
+qnected.nl, 1
+qnixon.com, 1
+qnotafm.com.co, 1
+qnq.moe, 1
+qnsgmd.com, 1
+qofpeacechurch.org, 1
+qombo.nl, 1
+qoml.net, 1
+qonnected.nl, 1
+qontinuum.space, 1
+qoor.io, 0
+qoostudio.com, 1
+qoptalk.com, 1
+qosim.ga, 1
+qosqo.tk, 1
+qotw.net, 1
+qoyyim.com, 1
+qp666d.com, 1
+qpai.net, 1
+qparents.qld.edu.au, 1
+qpaypro.com, 1
+qpcna.org, 1
+qpi.net.au, 1
+qpipi.com, 1
+qponverzum.hu, 1
+qpsinc.com, 1
+qq.ee, 1
+qq201314.com, 1
+qq5197.co, 1
+qq52o.me, 1
+qq6177.net, 1
+qq6729.co, 1
+qq6729.com, 0
+qq6957.co, 1
+qq885.com, 1
+qq9297.co, 1
+qq9728.co, 1
+qqiao.me, 1
+qqmingzi.cc, 0
+qqq6.com, 0
+qqq67.com, 1
+qqrss.com, 1
+qr.ae, 1
+qr.cl, 1
+qr.gp, 1
+qr.sb, 1
+qr0.ch, 1
+qr1.at, 1
+qraa.qld.gov.au, 1
+qrara.net, 1
+qrbird.com, 1
+qrcoba.org, 1
+qrcodes.tools, 1
+qrcontagion.com, 1
+qrd.by, 1
+qredo.com, 0
+qrida.qld.gov.au, 1
+qrlab.biz, 1
+qrlab.ch, 1
+qrlab.de, 1
+qrlab.eu, 1
+qrlab.info, 1
+qrlab.net, 1
+qrlfinancial.com, 1
+qrmenux.com, 1
+qrpatrol.com, 1
+qrplanet.com, 1
+qrprincipal.com, 1
+qrpth.eu, 1
+qrsa.com.au, 1
+qruiser.com, 1
+qryptopia.com, 1
+qrz.one, 1
+qscloud.de, 1
+qseek.cf, 1
+qslstudio.tk, 1
+qsoblog.gq, 1
+qssupplies.co.uk, 1
+qstivi.de, 1
+qt.ax, 1
+qt.to, 1
+qtacairsoft.com, 1
+qtmd.org, 1
+qtmsheep.com, 0
+qtn.net, 1
+qto.chat, 1
+qto.co, 1
+qto.com, 1
+qto.com.hk, 1
+qto.de, 1
+qto.fr, 1
+qto.info, 1
+qto.name, 1
+qto.net, 1
+qto.org, 1
+qto.support, 1
+qto.wiki, 1
+qtpass.org, 1
+qtpower.co.uk, 1
+qtpower.net, 1
+qtpower.org, 1
+qtspace.cn, 1
+qttransformation.com, 1
+qtv.ge, 1
+qtvr.com, 1
+qu.ax, 1
+quackapp.com, 1
+quad9.com, 1
+quad9.net, 1
+quadcityjuggalos.tk, 1
+quadernoapp.com, 1
+quadomania.tk, 1
+quadrantbusinesssolutions.org, 1
+quadrantrd.com, 1
+quadratimkreis.tk, 1
+quadreon.com, 1
+quadron.hu, 1
+quaedam.org, 1
+quafe.tech, 1
+quakeroaksfarm.org, 1
+quaketips.ga, 1
+quakeworld.tk, 1
+qualbe.com, 1
+qualebroker.com, 1
+qualescegliere.it, 1
+qualiacomputers.com, 1
+qualidesign.com.br, 0
+qualifio.com, 1
+qualita.es, 1
+qualitahub.com, 1
+qualite-ecole-et-formation.ch, 0
+qualith.tk, 1
+quality-automation.de, 0
+quality-homeservice.com, 1
+quality-life.gr, 1
+qualitycarbonfiber.com, 1
+qualitycesspool.com, 1
+qualitycommerical.com, 1
+qualityconcreteleveling.com, 1
+qualityconcreterepair.com, 1
+qualitydns.net, 1
+qualityfireproofing.com, 1
+qualitygame.tk, 1
+qualitymark.com.br, 1
+qualitymudjacking.com, 1
+qualityofcourse.com, 0
+qualityoflife.ga, 1
+qualityoflife.tk, 1
+qualityoutletx.ga, 1
+qualityoutletx.tk, 1
+qualitypiering.com, 1
+qualityplusconsulting.com, 0
+qualitypolyjacking.com, 1
+qualitypropertycare.co.uk, 1
+qualitysistemas.com.br, 1
+qualitytitlepaducah.com, 1
+qualitywaterproofingco.com, 1
+qualityworks.tk, 1
+quall.com, 1
+qualtrics.com, 1
+qualyven.com, 1
+quandoandare.it, 1
+quanquan.cyou, 1
+quanquan.space, 1
+quantability.net, 1
+quantaloupe.tech, 1
+quantalytics.com, 1
+quantaservices.com, 1
+quantatec.com.br, 1
+quantdigit.com, 1
+quantemplate.in, 1
+quanterix.com, 1
+quanterra.ch, 0
+quantfury.com, 1
+quanti.au, 1
+quanticlab.com, 1
+quantifiedcommerce.com, 1
+quantikstudio.tk, 1
+quantiphi.com, 1
+quantiply.tech, 1
+quantolytic.de, 1
+quantomaisconsorcios.com.br, 1
+quantora.nl, 1
+quantris.net, 1
+quantrix.com, 1
+quanttydesignweb.com.br, 1
+quantuin.com, 1
+quantuin.dk, 1
+quantum-evolution.jp, 1
+quantum-lviv.pp.ua, 1
+quantum-mechanics.com, 1
+quantum.gdn, 1
+quantum.gl, 1
+quantum.gov, 1
+quantum.st, 1
+quantum2.xyz, 1
+quantum5.ca, 1
+quantumca.com.cn, 1
+quantumcrypto.nl, 1
+quantumfinance.com.au, 1
+quantumgoldanddiamonds.com, 1
+quantuminformationframework.com, 1
+quantuminks.com, 1
+quantumlink.tk, 1
+quantumortho.com.sg, 1
+quantumpair.net, 1
+quantumshade.ca, 1
+quantumweb.ml, 1
+quantuscreative.com, 1
+quantweb.tk, 1
+quantxperts.com, 1
+quapawnation.gov, 1
+quarantine-system.com, 0
+quareal.ru, 1
+quarep.org, 1
+quarim.cz, 1
+quark.com.pl, 1
+quark.house, 1
+quark.waw.pl, 1
+quarkcore.pt, 1
+quarklab.pl, 1
+quarrymill.com, 1
+quarterfull.com, 1
+quarterhorses.es, 1
+quartix.com, 1
+quartix.fr, 1
+quartogame.tk, 1
+quartus-residentiel.fr, 1
+quartzclinical.com, 1
+quarus.net, 1
+quasarcr.com, 1
+quasarelectronics.co.uk, 1
+quasarhomes.com, 1
+quasetio.ml, 1
+quashed.co.nz, 1
+quasiproxy.com, 1
+quasseldroid.info, 1
+quassowski.de, 1
+quatermass.tk, 1
+quaternion.tk, 1
+quattro.tk, 1
+quatuor-courtage.fr, 1
+quaxio.com, 1
+quay.net, 1
+quayconsultingllc.com, 1
+quaydental.ie, 0
+quba.fr, 1
+qubes-os.org, 1
+qubhockey.tk, 1
+qubicgames.com, 1
+qubitoss.com, 1
+qubitsandbytes.co.uk, 1
+qubyte.codes, 1
+qudini.com, 1
+quebec.ca, 1
+quebeccat.com, 1
+quebeccats.com, 1
+quebecdogs.com, 1
+quebecsolidaire.net, 1
+quedos.com.au, 1
+queencasino.live, 1
+queencdn.com, 1
+queencomplex.net, 1
+queencreekaz.gov, 1
+queenhub.tk, 1
+queenkedi.net, 1
+queenlexie.tk, 1
+queenmargaret.ddns.net, 1
+queenondvd.tk, 1
+queenparis-porn.com, 1
+queenrocks.tk, 1
+queensbotanical.org, 1
+queensfactory.it, 1
+queenshaflo.com, 1
+queenslandtonguetieclinic.com.au, 1
+queenspark.com, 1
+queensrdapartments.com.au, 1
+queenstyles.tk, 1
+queentitine.com, 1
+queenworld.tk, 1
+queer-augsburg.de, 1
+queer.farm, 1
+queer.party, 1
+queer.pl, 1
+queerasfolk.lgbt, 1
+queercinema.ch, 1
+queerfest.tk, 1
+queersin.space, 1
+queerspirit.net, 1
+quegeeks.com, 1
+queirozmiotto.adv.br, 1
+queirozmiotto.com.br, 1
+quel-dj.com, 1
+quelbusinesschoisir.com, 1
+quellarotondasembrafi.ga, 1
+quelle-catalog.tk, 1
+quelle.de, 1
+quelleez.com, 1
+quelleformation.net, 1
+quellenwiese.ski, 0
+quemmeliga.com, 1
+quemquaeritis.tk, 1
+quemvende.pt, 1
+quena-artesania.tk, 1
+quenchwater.com, 1
+quenecesitopara.com, 1
+quenotejodan.cl, 1
+quentar.tk, 1
+quentin-informatique.fr, 1
+quentin-sauvetre.fr, 1
+quentinaurat.com, 1
+quentinchevre.ch, 1
+quentingemine.be, 1
+quepourlesjuristes.fr, 1
+quera.ir, 1
+querelle.tk, 1
+querenciavirtual.com.br, 1
+quermes.net, 1
+quernon.fr, 0
+querocalcular.com.br, 1
+query-massage.com, 0
+query.gov.ps, 1
+quesartencomprar.com, 1
+quesecelebra.info, 1
+quessinternational.com, 1
+quest-on-demand.com, 1
+quest3.co, 1
+quest3.co.uk, 1
+quest3.com, 1
+quest3.info, 1
+quest3.net, 1
+quest3.org, 1
+quest3.tv, 1
+quest3.uk, 1
+quest7.jp, 1
+questbars.cf, 1
+questbars.ga, 1
+questbars.gq, 1
+questforgaming.com, 1
+questfororgasm.com, 1
+questiii.com, 1
+question.cf, 1
+question.com, 1
+questionable.host, 1
+questionandanswer.ml, 1
+questionyu.com, 1
+questofaidance.tk, 1
+questoj.cn, 1
+questsocial.it, 1
+questsys.com, 1
+questthree.com, 1
+quetiapine.life, 1
+quetico.tk, 1
+queup.net, 1
+quevisiongrafica.com, 1
+quezoncity.ml, 1
+quhyu.xyz, 1
+quible.tk, 1
+quic-hosting.de, 1
+quic.cf, 1
+quic.fr, 1
+quic.stream, 1
+quicareer.com, 1
+quichante.com, 1
+quiche-quic.cf, 1
+quichost.com, 1
+quick-and-easy.tk, 1
+quick-seo.tk, 1
+quickassortments.com, 1
+quickbooksguru.com.au, 1
+quickboysvrouwen2.nl, 1
+quickcashcarremovals.com.au, 1
+quickcel.tk, 1
+quickerticker.tk, 1
+quickformspro.com, 1
+quickinfosystem.com, 1
+quickjobsfinder.com, 1
+quicklinks.tk, 1
+quicklinkz.tk, 1
+quicknode.com, 1
+quicko.com, 1
+quickq.nu, 1
+quickquote.pt, 1
+quickrate.de, 1
+quickref.me, 1
+quicksell.co, 1
+quicksell.store, 1
+quickshops.ga, 1
+quickstart.co.za, 1
+quicksupplies.us, 1
+quicksupply.com, 1
+quicktapstudios.com, 1
+quicktaxinmessina.tk, 1
+quicktricks.net, 1
+quickudpinternetconnections.com, 1
+quickvideo.tk, 1
+quickway.cn.com, 1
+quickyshare.com, 1
+quicomo.it, 1
+quidax.com, 1
+quieoltre.it, 1
+quiero.news, 1
+quieroserbombero.org, 1
+quieroserdoula.com, 1
+quieroserdoula.es, 1
+quieroserdoula.org, 1
+quierosermercedario.tk, 1
+quierosersanta.tk, 1
+quiescent.gq, 1
+quiet-downloads.tk, 1
+quiet-waters.org, 1
+quietapple.com, 1
+quietapple.org, 1
+quietlife.tk, 1
+quietplace.tk, 1
+quietstudyactivities.tk, 1
+quietus.gq, 1
+quigley.id.au, 1
+quik.legal, 1
+quikchange.net, 1
+quiksite.com, 1
+quillandinkroleplay.com, 1
+quillandpage.com, 1
+quillandquire.com, 1
+quillwave.com, 1
+quilmo.com, 1
+quiltmc.org, 1
+quimatic.com.br, 1
+quimba.tk, 1
+quimica.science, 1
+quin.md, 0
+quincyclegg.com, 1
+quinder.tk, 1
+quinmedia.tk, 1
+quinn.com, 0
+quinnbet.com, 1
+quinnlabs.com, 0
+quinnlawcenters.com, 1
+quinnstech.ga, 1
+quinpro.nl, 1
+quintacbls.cl, 1
+quintadasmoitas.com, 1
+quintadesanamaro.com, 1
+quintanadelmonte.tk, 1
+quintanilla.tk, 1
+quintenbraakman.com, 1
+quintenbraakman.nl, 1
+quinteroorthodontics.com, 0
+quintessa.org, 1
+quintobarrio.tk, 1
+quintonic.fr, 0
+quiq-api.com, 1
+quiq-cdn.com, 1
+quiq-frp.com, 1
+quiq-in.com, 1
+quiq-uri.com, 1
+quiq-url.com, 1
+quiq.com, 1
+quiq.im, 1
+quiq.sh, 1
+quiq.us, 1
+quiqd.com, 1
+quiqstatus.com, 1
+quiqurl.com, 1
+quiqurls.com, 1
+quire.io, 1
+quirkytravelguy.com, 1
+quisildenafil.gq, 1
+quitri.tk, 1
+quivedo.com, 1
+quiwy.ninja, 1
+quiz.biz, 1
+quizapps.se, 1
+quizhub.ml, 1
+quizinn.live, 1
+quizl.io, 0
+quizlets.tk, 1
+quizmaker.ml, 1
+quizogames.com, 1
+quizz.biz, 1
+quizzard.ga, 1
+quizzard.tk, 1
+quizzen.tk, 1
+quizzhit.com, 1
+qul.link, 1
+qulix.by, 1
+qulix.ch, 1
+qulixqa.com, 0
+qumin.com, 1
+qumirezi.tk, 1
+qunzi.la, 1
+quocdesign.ch, 0
+quoi.xyz, 1
+quoininc.com, 1
+quokka.codes, 1
+quora.com, 1
+quorcis.fr, 1
+quorrax.com, 1
+quotable.ga, 1
+quoteidiot.com, 1
+quoteinfo.net, 1
+quoteoftheday300.ga, 1
+quotescover.com, 1
+quoteshindi.net, 1
+quotesnsayings.net, 1
+quotesofgta.tk, 1
+quotev.com, 1
+quotidiani.net, 1
+quotidianodiragusa.it, 1
+quovadisaustria.com, 1
+quoviz.com, 1
+qupom.com.br, 1
+quppa.net, 1
+quprop.com, 1
+quran-archive.org, 1
+qurani.tk, 1
+quranicremedies.com, 1
+quranliveonline.com, 1
+quranpdf.cf, 1
+quranvoice.tk, 1
+qurium.org, 1
+qurplus.nl, 1
+qusi.cf, 1
+qusi.ml, 1
+qussaikhuli.tk, 1
+quuck.eu, 1
+quuck.nl, 1
+quuz.org, 1
+qv-eherkenning.nl, 1
+qvady.com, 0
+qvg.company, 1
+qvggroup.com, 1
+qvision.ml, 1
+qvq.cloud, 1
+qvq.one, 1
+qwant.com, 1
+qwantjunior.com, 1
+qwanturank.news, 1
+qwarkhealth.com, 1
+qwasar.io, 1
+qwaser.fr, 1
+qwdqwd.de, 1
+qweb.pro, 1
+qwertee.com, 1
+qwerty.work, 1
+qwertyatom100.me, 1
+qwik.space, 1
+qwikdash.com, 1
+qwords.com, 1
+qwq.icu, 0
+qwq.moe, 1
+qwq2333.top, 1
+qwqjsq.net, 1
+qwqjsq8.com, 1
+qwrk.io, 1
+qwus.cf, 1
+qwus.tk, 1
+qx.fi, 1
+qx.se, 1
+qxazusa.xyz, 0
+qxin.info, 1
+qxq.moe, 1
+qxzg.org, 1
+qxzg.xyz, 1
+qxzgssr.xyz, 1
+qy.is, 0
+qz3ldfzr.com, 1
+qzhou.ddns.net, 1
+qzin.jp, 1
+qzlyrics.com, 1
+qzr.fi, 1
+r-ay.cn, 1
+r-baruth.de, 1
+r-core.org, 1
+r-e-a.net, 1
+r-gmp.com, 1
+r-ix.de, 1
+r-re.org, 1
+r-re.ru, 1
+r-reabilitolog.ru, 1
+r-rehab.online, 1
+r-rehab.org, 1
+r-rwebdesign.com, 1
+r-t-b.fr, 1
+r-t-n.tk, 1
+r.nf, 1
+r.pl, 1
+r.sb, 1
+r00tsandwings.com, 1
+r00tsolutions.ca, 1
+r0t.co, 1
+r0uzic.net, 1
+r102.ch, 1
+r15cookie.com, 1
+r17.co.id, 1
+r18.moe, 1
+r1a.eu, 1
+r1ch.net, 1
+r1h3.nl, 1
+r1ss.com, 1
+r2cdn.com, 1
+r2d2pc.com, 1
+r2wind.cn, 1
+r2wind.com, 1
+r33.space, 1
+r36533.com, 1
+r3bl.blog, 1
+r3dh4ck.ml, 1
+r3gi.cz, 1
+r3s1stanc3.me, 1
+r40.us, 1
+r4fo.com, 1
+r4g3baby.com, 1
+r5197.co, 1
+r6729.co, 1
+r6729.com, 1
+r6957.co, 1
+r7.com.au, 1
+r72w.com, 1
+r7h.at, 1
+r82365.com, 1
+r8corporate.com, 1
+r9297.co, 1
+r9728.co, 1
+ra-joergensen.de, 1
+ra-studio.ml, 1
+ra.vc, 1
+ra3y.xyz, 1
+raadgiverborsen.com, 1
+raafwelfaretrustfund.gov.au, 1
+raailto.com, 1
+raamattuopisto.fi, 1
+raar.tk, 1
+raas.today, 1
+raassembly.com, 1
+raaynk.com, 1
+rabalefood.com, 1
+raballder.tk, 1
+rabatcity.tk, 1
+rabatt24.net, 1
+rabatt24.org, 1
+rabattkoll.se, 1
+rabatz.tk, 1
+rabbisacks.org, 1
+rabbit.finance, 1
+rabbitcallcenter.com, 1
+rabbitcare.ae, 1
+rabbitcare.com, 1
+rabbitcare.id, 1
+rabbitcare.my, 1
+rabbitcare.ph, 1
+rabbitcare.qa, 1
+rabbitcare.tl, 1
+rabbitcare.vn, 1
+rabbitdns.org, 1
+rabbitfinance.com, 1
+rabbithash.com, 1
+rabbitinternet.com, 1
+rabbitsearch.org, 1
+rabbitserverlist.com, 1
+rabbitsstore.com, 1
+rabbottweb.com, 1
+rabby.tk, 1
+rabenkralle.tk, 1
+raberget.org, 1
+rabinson2005.tk, 1
+rabota-online.tk, 1
+rabotabiz.tk, 1
+rabotaemdoma.tk, 1
+rabotanet.tk, 1
+rabotaprofily.tk, 1
+rabotayte.tk, 1
+rabotenkadot.tk, 1
+rabynska.eu, 1
+racaliz.tk, 1
+racamera.com, 1
+racasdecachorro.org, 1
+raccoltadifferenziata.it, 1
+raccoltarifiuti.com, 1
+raccoltarifiuti.milano.it, 1
+raccoon.io, 1
+racedrop.tk, 1
+racelandky.gov, 1
+racemanager.io, 1
+racesimscoring.com, 1
+racetraq.net, 1
+rachaelsmaids.com, 1
+rachaeltaylor.tk, 1
+rachelandadamarethebest.com, 1
+rachelchen.me, 1
+racheldiensthuette.de, 1
+rachelmoorelaw.com, 1
+rachelsbouncycastles.co.uk, 1
+racheltinniswood.ie, 1
+rachelwatkins.co.nz, 1
+rachnacollege.tk, 1
+racialmisclassification.org, 1
+racinecounty.gov, 1
+racing-planet.cz, 1
+racingfanclub.tk, 1
+racingteameelde.tk, 1
+racius.com, 1
+rackoon.de, 1
+raclet.co.uk, 1
+raconconsulting.co.uk, 1
+raconteurs.gent, 1
+racquetdepot.co.uk, 1
+racsoft.cl, 1
+ract.au, 1
+ract.club, 1
+ract.co, 1
+ract.info, 1
+ract.net, 1
+ract.net.au, 1
+ractf.co.uk, 1
+racunalo.com, 1
+racunovodstvo-prina.si, 1
+rad-route.de, 1
+rad.com, 1
+rad.plus, 1
+rad2share.com, 1
+rada-group.eu, 1
+radaar.io, 1
+radar.sx, 1
+radarband.tk, 1
+radarbanyumas.co.id, 1
+radarbogor.id, 1
+radarcoupon.ch, 1
+radarcoupon.it, 1
+radarcupao.pt, 1
+radarcupom.com.br, 1
+radarcupon.com.ar, 1
+radarcupon.com.co, 1
+radarcupon.com.mx, 1
+radarcupon.es, 1
+radarcupon.ro, 1
+radardetector.lol, 1
+radarerp.net, 1
+radarfirst.com, 1
+radarstationery.com, 0
+radartatska.se, 0
+radartek.com, 1
+radbag.de, 1
+radbag.nl, 1
+radbee.com, 1
+radchakan.com, 1
+radcliffky.gov, 1
+radcloud.de, 1
+radconinc.net, 1
+radcube.hu, 1
+raddeluxe.com, 1
+raddle.me, 1
+radechefonne.it, 1
+radegundisfest.de, 1
+radekmazar.eu, 1
+radektworek.pl, 1
+rader.ninja, 1
+radeticlaw.com, 1
+radgi.com, 1
+radharanikijay.tk, 1
+radiadores.tk, 1
+radiadoresalternativos.cl, 1
+radiadoressoares.com.br, 1
+radialplus.tk, 1
+radianceswimwear.com, 1
+radiantenergy.tk, 1
+radiantwonder.com, 1
+radiation-oncologist.gr, 1
+radiationserviceswa.com.au, 1
+radiationtherapy.tk, 1
+radiatorendiscounter.nl, 1
+radicaldream.tk, 1
+radicalfuture.tk, 1
+radicalhapa.tk, 1
+radicallycanadian.com, 1
+radicaloptimism.org, 1
+radicalsub.com.br, 1
+radicaltransformationproject.com, 1
+radicalwebdesign.co.uk, 1
+radierprojetos.me, 1
+radio-amezi.tk, 1
+radio-angelos.tk, 1
+radio-az.tk, 1
+radio-bandit.ml, 1
+radio-beer.tk, 1
+radio-bladel.tk, 1
+radio-brest.tk, 1
+radio-club.ml, 1
+radio-delmare.tk, 1
+radio-fly.tk, 1
+radio-luikie.tk, 1
+radio-mix.ml, 1
+radio-mouse.tk, 1
+radio-news.tk, 1
+radio-of-magic.com, 1
+radio-one.ml, 1
+radio-online.com, 1
+radio-online.tk, 1
+radio-pulsar.com, 1
+radio-pulsar.eu, 1
+radio-utopie.de, 1
+radio-valois-multien.fr, 1
+radio.de, 1
+radio.es, 1
+radio.fr, 1
+radio1.ie, 1
+radio404.tk, 1
+radio4friends.tk, 1
+radio56.tk, 1
+radio99.tk, 1
+radioab-normaal.tk, 1
+radioactiv.tk, 1
+radioactivenetwork.xyz, 1
+radioaeropuerto.tk, 1
+radioafibra.com.br, 1
+radioaltamar.tk, 1
+radioalternativa.tk, 1
+radioar.tk, 1
+radioarzua.tk, 1
+radioazioni.tk, 1
+radiobahena.be, 1
+radiobandung.tk, 1
+radioborges.tk, 1
+radiobucarica.cf, 1
+radiocappissima.tk, 1
+radiocartel.tk, 1
+radiocc.ddns.net, 1
+radiocentrafrique.cf, 1
+radiochilac.tk, 1
+radioclandestina.tk, 1
+radiocombinatie-kampen.tk, 1
+radiocommande-forestiere.fr, 1
+radiocommande-industrielle.fr, 1
+radiocomsaocarlos.com.br, 1
+radioconciencia.tk, 1
+radiocrash.tk, 1
+radiocrazy.ml, 1
+radiocristianauniversal.tk, 1
+radioculture.tk, 1
+radiocusco.tk, 1
+radiodance.tk, 1
+radiodarkwolf.tk, 1
+radiodeluxe.ml, 1
+radiodeutsch.com, 1
+radiodevrijheid.tk, 1
+radiodiagonal.tk, 1
+radiodoblen.tk, 1
+radiodxguatemala.tk, 1
+radioelectronic.tk, 1
+radioenam.tk, 1
+radioenergia.tk, 1
+radioesferico.tk, 1
+radioexito.tk, 1
+radiofmimagen.net, 1
+radiofred.tk, 1
+radiogabriela.tk, 1
+radiogaga.ga, 1
+radiogalena.tk, 1
+radiogear.ru, 1
+radiogetsemani.tk, 1
+radiogomezone.tk, 1
+radioharrastus.tk, 1
+radioheikrekel.tk, 1
+radiohlam.cf, 1
+radiohlam.ga, 1
+radiohouse.tk, 1
+radioibiapina.tk, 1
+radioilusion.es, 1
+radioilusiones.tk, 1
+radioiman.net, 1
+radiojackienorth.tk, 1
+radiojeneverstoker.tk, 1
+radioknop.nl, 1
+radiokontakt.tk, 1
+radiokukesi.tk, 1
+radiolanguages.tk, 1
+radiolaparranda.tk, 1
+radiolatinafm.tk, 1
+radiolavka32.ru, 1
+radioldpr.ru, 1
+radiolibertad.tk, 1
+radioliberty.ga, 1
+radiolla.com, 1
+radiolodz.pl, 1
+radiom.fr, 1
+radiomacuto.gq, 1
+radiomagicafm.tk, 1
+radiomakarena.tk, 1
+radiomanifiesto.tk, 1
+radiomaster.tk, 1
+radiomc.tk, 1
+radiomedia.tk, 1
+radiomercure.net, 1
+radiometal.tk, 1
+radiometeor.com, 1
+radiomikelerentxun.tk, 1
+radiomix.cz, 1
+radiomixer.net, 1
+radiomodem.dk, 1
+radiomontebianco.it, 1
+radiomoodmix.tk, 1
+radionalita.tk, 1
+radionetcolombia.tk, 1
+radionikkei.com, 1
+radionojavan.ir, 1
+radionoticias.tk, 1
+radionrg.tk, 1
+radiooffice.tk, 1
+radioombo.xyz, 1
+radioonline.com, 1
+radioparquesur.tk, 1
+radiopatapoe.nl, 1
+radioperfect.tk, 1
+radiopharereims.tk, 1
+radiopicaflor.tk, 1
+radioplayer.ie, 1
+radiopleer.net, 1
+radiopolarniki.spb.ru, 1
+radiopranfm.cf, 1
+radioprimerodemayo.tk, 1
+radiopush.tk, 1
+radior9.it, 1
+radioradicchio.it, 1
+radiorainbow.tk, 1
+radioranking.de, 1
+radiorecord.ml, 1
+radioregional.pt, 1
+radioremix80.tk, 1
+radioricardo.tk, 1
+radios-associatives.tk, 1
+radiosanducito.tk, 1
+radiosatbolivia.com, 1
+radioschool.co.nz, 1
+radioscope.tk, 1
+radiosdeguate.com, 0
+radioseda.ca, 1
+radiosilver.tk, 1
+radiosimba.ug, 1
+radiosterrekijker.tk, 1
+radiosuperplus.tk, 1
+radioszczecin.pl, 1
+radiotataouine.tk, 1
+radiotehnika.tk, 1
+radiotelephoni.tk, 1
+radiotexas.tk, 1
+radiotunes.tk, 1
+radiotuning.tk, 1
+radiotv.tk, 1
+radioumbrella.ga, 1
+radiouniversofm.tk, 1
+radiounofm.tk, 1
+radiounost.tk, 1
+radioventura.tk, 1
+radiovera.ru, 1
+radiovertical.tk, 1
+radiovirgendelcarmen.tk, 1
+radiovolmax.tk, 1
+radiowakeup.tk, 1
+radioxanadu.tk, 1
+radiozetta.tk, 1
+radiozilverster.tk, 1
+radis-adopt.com, 1
+radito.com, 1
+radium-it.ru, 1
+radium.group, 1
+radiumcode.com, 1
+radiumone.io, 1
+radiusmethod.com, 1
+radiusone.com, 1
+radixsalon.tk, 1
+radixweb.com, 1
+radjaternak.com, 1
+radlina.com, 1
+radnas.com, 1
+radnickapartija.tk, 1
+radnicki-nis.tk, 1
+radogear.com, 1
+radoman.ga, 1
+radon.tk, 1
+radopsec.com, 1
+radopsec.net, 1
+radopsec.org, 1
+radost-crikvenica.hr, 1
+radost.digital, 1
+radpath.at, 1
+radreisetraumtreibstoff.de, 1
+radstake.de, 1
+raduga-tv.tk, 1
+raduga4.ml, 1
+radverkehr-kelsterbach.de, 1
+radwebhosting.com, 1
+radyabkhodro.net, 1
+radyn.com, 1
+radyogemisi.com, 1
+radzikow.ski, 1
+raeder-test.azurewebsites.net, 1
+raeu.me, 1
+raeven.nl, 1
+raevinnd.com, 1
+raewardfresh.co.nz, 1
+raf.org, 1
+rafaelangelfg.tk, 1
+rafaelortiz.es, 1
+rafaelsobis.tk, 1
+rafaeltuber.cf, 1
+rafalkukla.com, 1
+rafaprialv.com, 1
+rafaroca.net, 1
+rafclan.tk, 1
+raffaellaosti.com, 1
+raffall.com, 1
+rafinad.io, 1
+rafo.tech, 1
+rafo.tk, 1
+rafsis.com, 0
+raft.pub, 1
+rafting-japan.com, 1
+ragadoor.com, 1
+ragasto.nl, 1
+ragdollrecon.com, 1
+rage-overload.ch, 1
+rage4.com, 1
+ragebin.com, 1
+ragic.com, 1
+raginggaming.ga, 1
+ragingrune.tk, 1
+ragingserenity.com, 1
+ragnamania.tk, 1
+ragnamart.tk, 1
+ragnaroktop.com.br, 1
+ragsnprints.com, 1
+ragstores.com, 1
+ragt.ag, 1
+ragu.co.uk, 1
+ragusina.hr, 1
+rahasyavedicastrology.com, 1
+rahayi.tk, 1
+raheel.cf, 1
+raheel.tk, 1
+raheem.marketing, 1
+rahenytennis.tk, 1
+rahgame.com, 1
+rahil-p.com, 1
+rahilworld.tk, 1
+rahimareports.ml, 1
+rahmans.tk, 1
+rahrahstudios.com, 1
+rahul.moe, 1
+rahulsadarangani.com, 1
+rai88asia.com, 1
+raiceshebreas.org, 1
+raid-runners.fr, 1
+raiden.network, 1
+raidensnakesden.co.uk, 1
+raidensnakesden.com, 1
+raidensnakesden.net, 1
+raidentawork.lt, 1
+raiderhacks.com, 1
+raidkeeper.com, 1
+raidstone.net, 1
+raidstone.rocks, 1
+raiffeisen-kosovo.com, 0
+raiffeisen.al, 0
+raiffeisenbank.ba, 0
+raiffeisenleasing-kosovo.com, 1
+raiilto.com, 1
+raikko.tk, 1
+rail-o-rama.nl, 1
+rail24.nl, 1
+rail360.nl, 1
+railalabwork.lt, 1
+railbird.nl, 1
+railbus.fan, 1
+railcarrxqa.com, 1
+railclub.tk, 1
+railfans.ca, 1
+railfeeding.com, 1
+railgun.ac, 1
+railgun.com.cn, 1
+railgun.email, 1
+railjob.cn, 1
+raillto.com, 1
+railorama.nl, 1
+railpassie.nl, 1
+railroadhistory.net, 1
+railsafetysystems.com.au, 1
+railsideworks.com, 1
+railsimulator.net, 1
+railsperformance.com.br, 1
+railto.cm, 1
+railto.co, 1
+railto.com, 1
+railto.com.de, 1
+railto.com.se, 1
+railto.llc, 1
+railtollc.com, 1
+railvideo.co.uk, 1
+railvideo.net, 1
+railvideo.nl, 1
+railway.moe, 1
+railwayease.com, 1
+rain.bz, 1
+rain.moe, 1
+rainative.com, 1
+rainbeaus.cf, 1
+rainbeaus.ga, 1
+rainbeaus.gq, 1
+rainbeaus.ml, 1
+rainbow-christian.tk, 1
+rainbow-girl.top, 1
+rainbow-web.com, 1
+rainbowbrains.com, 1
+rainbowcomputer.tk, 1
+rainbowflowers.co.uk, 0
+rainbowinflatables.co.uk, 1
+rainbowlaserspewpew.xyz, 1
+rainbowloompattern.com, 1
+rainbowloompatterns.com, 1
+rainbowmath.tk, 1
+rainbowplayschool.in, 1
+rainbowsmoothies.win, 1
+rainbowstars.ru, 1
+rainbowstore.com.au, 1
+rainbowstore.com.ua, 1
+rainbowsushi.dk, 1
+rainbowswingers.net, 1
+rainbowtransport.com, 1
+raincoat.systems, 1
+rainel.at, 1
+rainerstoll.at, 1
+rainevixen.com, 1
+rainfall.ro, 1
+rainforest.engineering, 1
+rainforestfoundation.org, 1
+rainierpros.com, 1
+rainiv.com, 1
+rainmanzone.com, 1
+rainnetwork.tk, 1
+rainnny.club, 1
+rainpaper.com, 1
+raintreatment.ga, 1
+rainturtle.com, 1
+rainuk.com, 1
+rainville.me, 1
+rainway.io, 1
+raipet.no-ip.biz, 1
+raipet.spdns.eu, 1
+raise-educationandwellbeing.co.uk, 1
+raisecorp.com, 1
+raisects.co.uk, 1
+raisetheyouth.co.uk, 1
+raisingresilientreaders.com, 1
+raisioammattilaisille.fi, 1
+raistrick.art, 1
+raistrick.it, 1
+raitotec.com, 1
+raitza.de, 1
+raja.fr, 1
+rajabpour.com, 1
+rajaealhoceima.tk, 1
+rajafashion.tk, 1
+rajapack.be, 1
+rajapack.co.uk, 1
+rajapack.de, 1
+rajapack.es, 1
+rajapack.it, 1
+rajapack.nl, 1
+rajasatour.id, 1
+rajeen.tk, 1
+rajeshkochhar.com, 1
+rajeshkumar.tk, 1
+rajivdeepinsights.com, 1
+rajkapoordas.com, 1
+rajkotupdates.news, 1
+rajofestival.tk, 1
+rajomon.com, 1
+rajrajasthani.tk, 1
+rajsolankimusic.ga, 1
+rajtechnologies.com, 1
+rajudhoni.ga, 1
+rak-business-service.com, 1
+rakennuspeli.com, 1
+rakeshkaryana.com, 1
+raketa.travel, 1
+raketaholst.com.ua, 1
+raketaro.de, 1
+raketenwolke.de, 1
+rakett.org, 0
+rakibzashup.ml, 1
+rakibzashup.tk, 1
+raklouisville.com, 1
+rakom.tk, 1
+rakovec.hr, 1
+raksa.media, 1
+raksha-bandhanwish.ga, 1
+rakshitrekhi.tk, 1
+raku.bzh, 1
+raku.land, 1
+rakugaki.cn, 0
+rakugokai.net, 1
+ralaoui.com, 1
+ralaoui.me, 1
+raleighadultmedicine.com, 1
+raleighboneandjoint.com, 1
+raleighcapitolent.com, 1
+raleighmedicalgroup.com, 1
+raleighpsych.com, 1
+raleighsinuscenter.com, 1
+ralfs-zusizone.de, 1
+rally-base.com, 1
+rally-base.cz, 1
+rally-base.eu, 1
+rally-results.eu, 1
+rally-vysledky.cz, 1
+rallybase.cz, 1
+rallybase.eu, 1
+rallycycling.com, 0
+rallyedu.com, 1
+rallyekrumlov.cz, 1
+rallyfotosaswin.tk, 1
+rallytrophy.tk, 1
+ralphandretta.com, 1
+ralphandretta.net, 1
+ralphandretta.org, 1
+ralphbisschops.com, 1
+ralphdeal.com, 1
+raltha.com, 1
+ralvke.rocks, 1
+ram-tenancy.cf, 1
+ram-tenancy.ga, 1
+ram-tenancy.ml, 1
+ram.nl, 1
+rama.ovh, 1
+ramatola.uk, 0
+ramblingrf.tech, 1
+rambo.codes, 1
+rambus.com, 1
+ramchand.tk, 1
+ramel.tk, 1
+ramen-dealer.de, 1
+ramenramenramen.net, 1
+ramfaseo.ca, 1
+ramfy.ru, 1
+ramiabusalah.tk, 1
+ramieres.cf, 1
+ramirito.tk, 1
+ramitan.com, 1
+ramkot.tk, 1
+ramle.be, 1
+rammstein.pt, 1
+rammsteinaustralia.tk, 1
+rammsteinzone.tk, 1
+ramonahillsideplayers.org, 1
+ramonguilherme.com.br, 0
+ramos.tur.br, 1
+ramowitha.com, 1
+ramp.com, 1
+rampeboreal.ca, 1
+rampestyuma.com, 1
+rampiva.com, 1
+ramplaysugente.tk, 1
+ramrecha.com, 0
+ramsay.xyz, 1
+ramsayshorsetransport.com, 1
+ramsayshorsetransport.com.au, 1
+ramsdensforcash.co.uk, 1
+ramsdensplc.com, 1
+ramseycountymn.gov, 1
+ramseycs.net, 0
+ramsor-gaming.de, 1
+ramt.tk, 1
+ramtechmodular.com, 1
+ramusa.org, 1
+ramydent.no, 1
+ramynetwork.tk, 1
+ramzinex.com, 1
+ran-drunken.tk, 1
+ran-ran.top, 1
+ran-sama.ddns.net, 1
+rana.realestate, 1
+rana.shop, 1
+ranasinha.com, 1
+rancakmedia.com, 1
+rancheriastereo.tk, 1
+ranchesterwy.gov, 1
+ranchocordova.gov, 1
+ranchodoalqueidao.pt, 1
+rancowar.com, 1
+randallcounty.gov, 1
+randallcraig.com, 1
+randallso.gov, 1
+randburgplumbing.co.za, 1
+randc.org, 1
+randdtaxcreditspecialists.com, 1
+randolf.ca, 1
+randolphcountyal.gov, 1
+randolphcountyil.gov, 1
+random-numbers.org, 1
+random-password.org, 1
+random-project.com, 1
+random-samplings.org, 1
+random.org, 1
+randomactsofkindness.org, 1
+randomads.net, 1
+randomadversary.com, 1
+randomarticle.ml, 1
+randombig.cat, 1
+randombit.eu, 0
+randombooks.gq, 1
+randombrainwave.cf, 1
+randombrainwave.ga, 1
+randombrainwave.gq, 1
+randombrainwave.ml, 1
+randomdomain.io, 1
+randomforestweb.com, 1
+randomforum.tk, 1
+randomideas.me, 1
+randomizer.space, 1
+randomkindness.tk, 1
+randomkoalafacts.com, 1
+randompasswordgenerator.fun, 1
+randomquotesapp.com, 1
+randomsearching.ml, 1
+randomserver.pw, 1
+randomserver.xyz, 1
+randomsnapshots.tk, 1
+randomstuffproductions.tk, 1
+randomtest.cf, 1
+randomthings.cf, 1
+randomuuid.org, 1
+randomweb.tk, 1
+randorn.com, 1
+randox.com, 1
+randy.su, 1
+randyandpixel.com, 1
+randyrhoads.tk, 1
+randyselzer.com, 1
+ranfics.tk, 1
+ranfurlychambers.co.nz, 1
+rangde.org, 1
+range.co, 1
+rangeforce.com, 1
+rangeforce.eu, 1
+rangerfiles.tk, 1
+rangersloyalsite.tk, 1
+rangersofbelgium.be, 1
+rangeweb.ga, 1
+ranginkamonkadeh.ir, 1
+rangsmo.se, 0
+rangzol.now.sh, 1
+raniermn.gov, 1
+ranjanbiswas.in, 1
+ranjanbiswas.net, 1
+ranjeetmehta.tk, 1
+rankeco.com, 1
+rankia.ga, 1
+ranking-deli.jp, 1
+ranking-mensesthe.jp, 1
+ranking10hits.tk, 1
+rankingide.tk, 1
+rankingofe.com.pl, 1
+rankingubezpieczeniowy.pl, 1
+rankingubezpieczennazycie.pl, 1
+ranksite.cf, 1
+ranksite.ga, 1
+ranksite.gq, 1
+ranksite.ml, 1
+ranksite.tk, 1
+ranktis.com, 1
+rankya.com, 1
+rannamoisaaiasalong.ee, 1
+rannseier.org, 1
+ranos.org, 1
+ransomspares.co.uk, 1
+ranson.com.au, 1
+ransonwv.gov, 1
+rantalaholcomb.tk, 1
+rantamplan.tk, 1
+rantanda.com, 1
+rante.com, 1
+ranters.nl, 1
+rany.eu.org, 1
+ranyeh.co, 1
+ranyeh.com, 1
+ranzbak.nl, 1
+raoliveoil.ga, 1
+raomed.com.ar, 1
+raovatsaigon.tk, 1
+rap4ever.org, 1
+rapala.com, 1
+rapanui.tk, 1
+rapay.net, 1
+rapbull.net, 1
+rapdinle.tk, 1
+rapenroer.com, 1
+rapenroer.nl, 1
+raphael.li, 1
+raphaeladdile.com, 1
+raphaelcasazza.ch, 0
+raphaelmoura.ddns.net, 1
+raphaelschneider.de, 1
+raphrfg.com, 1
+rapid-care.com, 1
+rapid4all.com, 1
+rapidapp.io, 1
+rapidcenter.tk, 1
+rapidcityjournal.com, 1
+rapidessay.com, 1
+rapidgator.net, 1
+rapidguide.tk, 1
+rapidlegal.com, 1
+rapidoo.com.br, 1
+rapidscale.net, 1
+rapidseo.net, 1
+rapidshit.net, 1
+rapidspike.com, 1
+rapidssl.com.ru, 1
+rapidsslonline.com, 1
+rapidstone.com, 1
+rapnet.com, 1
+raposafixe.pt, 1
+rapoteka.tk, 1
+rappels-produits.com, 1
+rappet.de, 1
+rappisexshop.com, 1
+rapport.link, 1
+raps.org, 1
+rapsconfab.com, 1
+raptechpk.com, 1
+rapu.nz, 1
+rapwoyska.tk, 1
+rapyd.net, 1
+raqebpress.com, 1
+raqoo.jp, 1
+raquelmolinacases.tk, 1
+rar.moe, 1
+raranga.net.nz, 1
+rarbgmirrored.org, 1
+rarbgproxied.org, 1
+rarbgunblocked.org, 1
+rare-x.org, 1
+rarece.cf, 1
+rarediseaseday.org, 1
+rareearthhair.com.au, 1
+rarefish.tk, 1
+raregems.io, 1
+rarehi.com, 1
+rarename.tk, 1
+rarity.tools, 1
+raritysniper.com, 1
+rarlab.com, 1
+rarlabs.com, 1
+raroh73.com, 1
+raroh73.xyz, 1
+rarous.net, 1
+rarsoft.com, 1
+raryosu.info, 1
+rasa.com, 1
+rasadnikcvecaperic.rs, 0
+rasagiline.com, 1
+rasaja.com, 1
+rasberry.cf, 1
+rascals-castles.co.uk, 1
+rascals.ga, 1
+rascalscastles.co.uk, 1
+rascript.tk, 1
+rascvet.tk, 1
+rase.rocks, 1
+raserbajs.tk, 1
+rashamehrnikan.com, 1
+rashane.com, 1
+rashbogota.tk, 1
+rasheed-nuss.tk, 1
+rashmipandit.com, 1
+rashodkin.tk, 1
+raskruti.ga, 1
+raskruti.ml, 1
+raskrutka.cf, 1
+rasmushaslund.com, 1
+rasnyder.com, 1
+rasp-consulting.de, 1
+raspberryultradrops.com, 1
+raspclock.com, 1
+raspitec.ddns.net, 1
+rassadacvetov.com, 0
+rasset.ie, 1
+rassistem.rs, 1
+rassro.sk, 1
+rastabooks.ga, 1
+rasteniem.ru, 1
+rastko-jevtovic.tk, 1
+rasty.cz, 1
+rat.pw, 1
+rataassociates.com, 1
+ratajczak.one, 1
+ratasdesign.com, 1
+ratatosk.net, 1
+ratbarricade.com, 1
+ratd.net, 1
+rate.is, 1
+ratebridge.com, 1
+rateddomain.ml, 1
+ratelimited.me, 1
+ratelsec.com, 1
+ratemyfishtank.com, 1
+ratepayeralliance.org, 1
+rates.ca, 1
+ratespy.com, 1
+rathbonesonline.com, 1
+rathdrum.gov, 1
+rathdrumpolice.gov, 1
+ratherrarerecords.com, 0
+rathgeb.org, 1
+rathmann-couture.de, 1
+rathorian.fr, 1
+rathsallaghhouseonline.com, 1
+ratingostar.com, 1
+ratingus.co, 1
+ratinq.co, 1
+ratiocinat.ga, 1
+ratiocontent.de, 0
+rationalcreation.com, 1
+rationalism.com, 1
+rationalops.com, 1
+ratirl.be, 1
+ratman.xyz, 1
+ratsmicedormice.com, 1
+rattanhousecarpentry.com, 1
+rattattees.com, 1
+rattenkot.io, 1
+ratujemyzwierzaki.net, 1
+ratujmydzikiekoty.org, 1
+ratunek.com.pl, 1
+ratusha.ml, 1
+rauchfrei-info.de, 1
+rauhenebrach.de, 1
+raulc.space, 1
+raulmalea.ro, 1
+raulrivero.es, 1
+raulval.com, 1
+raumausstatter-fangmann.de, 1
+rauros.net, 1
+rausch-extase.ch, 1
+rauschenbach.de, 1
+rauserv.de, 1
+rautarutto.tk, 1
+rava.tk, 1
+ravada-vdi.com, 1
+ravagers.tk, 1
+ravages.tk, 1
+ravalement-facade.net, 1
+ravalement-facade.paris, 1
+ravalement-facades.net, 1
+ravallirepublic.com, 1
+ravchat.com, 1
+raveboy.dyndns.org, 1
+ravefm.tk, 1
+raveharmony.com, 1
+ravelin.click, 1
+ravelin.com, 1
+raven.dog, 1
+raven.express, 1
+ravenandsage.com, 1
+ravencoin.com, 1
+ravencoin.org, 1
+ravenger.net, 1
+ravengergaming.net, 1
+ravenhillavenue.com, 1
+ravennatoday.it, 1
+ravenrealms.tk, 1
+ravenrepublic.net, 1
+ravenrockrp.com, 1
+ravenstonejeweler.com, 1
+raventechnology.es, 1
+ravenx.me, 1
+ravescout.club, 1
+raveseguros.com, 1
+ravesteijn.nl, 1
+ravhaaglanden.org, 1
+ravihotel.com, 0
+ravijuhend.ee, 1
+ravik.tk, 1
+ravimiamet.ee, 0
+ravimiregister.ee, 1
+ravinala-airports.aero, 1
+raviparekh.co.uk, 1
+ravis.org, 1
+ravkavonline.co.il, 1
+ravkr.duckdns.org, 1
+ravnareka.tk, 1
+ravne.land, 1
+ravron.com, 1
+ravse.dk, 1
+raw.nl, 1
+rawa-ruska-union-nationale.fr, 1
+rawballs.nl, 1
+rawbeautysource.com, 1
+rawcom.pl, 1
+rawdamental.com, 1
+rawdutch.nl, 1
+rawfitco.com.au, 1
+rawforce.tk, 1
+rawinfosec.com, 1
+rawley.co.uk, 1
+rawlinswy.gov, 1
+rawlord.ga, 1
+rawmarkable.co.uk, 1
+rawmathub.gr, 1
+rawmonolife.ru, 1
+rawpearls.com, 1
+rawr.sexy, 1
+raxion.cf, 1
+raxion.tk, 1
+ray-works.de, 1
+rayadventure.com, 1
+raycarruthersphotography.co.uk, 1
+raycon.io, 1
+raydius.de, 1
+rayfalling.com, 1
+rayhillforsupremecourt.com, 1
+rayiris.com, 1
+rayj.me, 1
+rayj.org, 1
+raykitchenware.com, 1
+raylo.com, 1
+raym.ml, 1
+raymd.de, 1
+raymondha.ca, 1
+raymondha.com, 1
+raymondvineyards.com, 1
+raymundo.doctor, 1
+raynbo.ai, 1
+raynis.net, 1
+raynoonanwindows.ie, 1
+rayonbricolage.com, 1
+rayonnage-stockage.fr, 1
+raysbarreto.tk, 1
+raysei.com, 1
+raysmtp.ga, 1
+raysolutions.tk, 1
+raystark.com, 1
+raystedman.org, 1
+raytonne.cn, 1
+raytonne.com, 1
+rayusradiology.com, 1
+raywardapparel.com, 1
+raywisdom.tk, 1
+rayworks.de, 1
+rayzer.dk, 1
+razakhanimazhab.tk, 1
+razalabs.com, 1
+razalabs.gr, 1
+razberry.kr, 1
+razborpoletov.cf, 1
+razborpoletov.ml, 1
+razborpoletov.tk, 1
+razborpoletovsite.cf, 1
+razborpoletovsite.ga, 1
+razborpoletovsite.gq, 1
+razborpoletovsite.tk, 1
+razdolnoe.tk, 1
+razeencheng.com, 1
+razgon.ga, 1
+razgon.tk, 1
+raziculacrimi.ro, 1
+razrabo.tk, 1
+razrsec.uk, 1
+razvan.digital, 1
+razvanburz.ro, 1
+razvanvatamanu.ro, 1
+razvlekuha.cf, 1
+razvlekuhablog.tk, 1
+rb-china.net, 1
+rb.cz, 1
+rballday-entertainment.nl, 1
+rbbaader.de, 1
+rbbuae.com, 1
+rbcafe.com, 1
+rbcdn.cz, 1
+rbclub.cz, 1
+rbcosmetici.it, 1
+rbd.events, 1
+rbensch.com, 0
+rbet.tk, 1
+rbh.co.uk, 1
+rbi-admin.com, 1
+rbi-umbrella.com, 1
+rbiacademylms.org, 1
+rbin.nl, 1
+rbknarkers.tk, 1
+rbltracker.com, 1
+rbmafrica.co.za, 1
+rbmland.com, 1
+rbnet.xyz, 1
+rbocache.com, 1
+rbprosthodontics.com, 1
+rbs.co.uk, 1
+rbs.com, 1
+rbsexshop.com.br, 1
+rbsinternational.com, 1
+rbt.rs, 1
+rbt.sx, 1
+rbtvshitstorm.de, 1
+rbunews.tk, 1
+rburchell.com, 0
+rburz.com, 1
+rbx.com, 1
+rbx.gg, 1
+rc-offi.net, 1
+rc-shop.ch, 1
+rc.cruises, 1
+rc1.eu, 1
+rc21x.com, 1
+rc2edit.nl, 1
+rc3n.com, 1
+rc7.ch, 1
+rca.ink, 1
+rca2015.ru, 1
+rcbanger.tk, 1
+rcbtrace.net, 1
+rccars.info, 1
+rcclub.com, 1
+rccom.ru, 1
+rccrush.com, 1
+rcd.cz, 0
+rcdeescolasantcugat.com, 1
+rcdevs.com, 1
+rcdocuments.com, 1
+rcdrone.tk, 1
+rcelectronica.com, 1
+rcfl.gov, 1
+rcforex.com, 1
+rcgoncalves.pt, 1
+rchavez.site, 1
+rchrdsn.uk, 1
+rcips.ky, 1
+rclaywilliamsdo.com, 1
+rclsm.net, 1
+rcmlinx.com, 1
+rcmodelflying.tk, 1
+rcmstream.com, 1
+rcnitrotalk.com, 1
+rcoliveira.com, 1
+rcorporation.be, 1
+rcotec.be, 1
+rcpdesign.cl, 1
+rcphiphop.tk, 1
+rcprogranada.com, 1
+rcraigmurphy.net, 1
+rcrdelecuador.com, 1
+rcru.org, 1
+rcsacessoria.online, 1
+rcsda.net, 1
+rcslt.org, 1
+rcsolutions.nl, 0
+rcsscontractors.com, 1
+rct-chair.com, 1
+rct.sk, 0
+rct.uk, 1
+rctalk.com, 1
+rctiads.com, 1
+rctrk.net, 1
+rctruck.nl, 0
+rctx.tk, 1
+rcubesports.com, 1
+rcxzsc.com, 1
+rd0xb.com, 1
+rdactive.de, 1
+rdb.vote, 1
+rdcdesign.com, 1
+rddjapan.info, 1
+rded.nl, 1
+rdesigner.tk, 1
+rdfencingandgates.co.uk, 1
+rdfmapped.com, 1
+rdforum.org, 1
+rdfproject.it, 1
+rdfz.tech, 1
+rdienclosures.com, 1
+rdimedical.com, 1
+rdl.at, 1
+rdm.lu, 1
+rdmc.academy, 1
+rdmc.biz, 1
+rdmc.center, 1
+rdmc.contact, 1
+rdmc.education, 1
+rdmc.fr, 1
+rdmc.host, 1
+rdmc.info, 1
+rdmc.io, 1
+rdmc.link, 1
+rdmc.live, 1
+rdmc.network, 1
+rdmc.ovh, 1
+rdmc.report, 1
+rdmc.site, 1
+rdmc.sn, 1
+rdmc.support, 1
+rdmc.systems, 1
+rdmc.tel, 0
+rdmc.tn, 1
+rdmc.vision, 1
+rdmc.wiki, 1
+rdmrotterdam.nl, 0
+rdmshit.net, 1
+rdmtaxservice.com, 0
+rdn-team.com, 1
+rdns.gq, 1
+rdo.gg, 1
+rdrama.net, 1
+rdsm.be, 0
+rdtech.de, 1
+rdto.io, 1
+rduser.lol, 1
+rdv-cni.fr, 1
+rdv-coquin-rapide.fr, 1
+rdvobras.pt, 0
+rdwh.tech, 0
+rdwz.one, 1
+re-align.life, 1
+re-arranged.tk, 1
+re-engines.com, 1
+re-leased.com, 1
+re-presented.de, 1
+re-security.com, 1
+re.yt.nom.br, 1
+reach-on.de, 1
+reach.gov, 1
+reach.gov.sg, 1
+reachdigital.com.au, 1
+reachhead.com, 1
+reachley.net, 1
+reachout-ghana.com, 1
+reachout2.nl, 1
+reachrss.com, 1
+reachum.com, 1
+reachwithed.com, 1
+reaconverter.com, 1
+react-db.com, 1
+reacteev.com, 1
+reactfactory.io, 1
+reactheme.com, 1
+reactionindex.com, 1
+reactive-load.com, 1
+reactive-press.com, 1
+reactive.com.ru, 1
+reactivedrop.com, 1
+reactivemarkets.com, 1
+reactor-family.tk, 1
+reactpwa.com, 1
+read-blackclovermanga.com, 1
+read-myheromanga.com, 1
+read.family, 1
+readabilitychecker.com, 1
+readable.pw, 1
+readapt-nutrition.com, 1
+readcomics.gq, 1
+readersfavorite.com, 1
+reades.co.uk, 1
+reades.uk, 1
+readify.net, 1
+readifycloud.com, 1
+reading-assist.com, 1
+readingea.com, 1
+readingoutpost.com, 1
+readingrats.de, 1
+readlater.de, 1
+readless.cf, 1
+readmybeacon.com, 1
+readmynews.cf, 1
+readouble.com, 0
+readpages.gq, 1
+readtome.co.in, 1
+readup.tk, 1
+ready2learn.eu, 1
+ready4bf.tk, 1
+ready5g.net, 1
+readyblinds.com.au, 1
+readycentbid.com, 1
+readycentral.com, 1
+readychurchsites.com, 1
+readyclassroomcentral.com, 1
+readycolorado.gov, 1
+readycontacts.com, 1
+readydedis.com, 1
+readyeutaw.gov, 1
+readyfiction.com, 1
+readyit.pl, 1
+readync.gov, 1
+readyrowan.com, 1
+readyrowan.org, 1
+readyscif.com, 1
+readysell.net, 1
+readysetscif.com, 1
+readysetworkpa.com, 1
+readysetworksd.com, 1
+readystep.ga, 1
+readytocleanga.com, 1
+readytongue.com, 0
+readywithresourcestn.gov, 1
+reaff.com, 0
+reaganlibrary.gov, 1
+reakcjonista.tk, 1
+reaksi.id, 1
+real-blog.eu, 1
+real-it.nl, 1
+real-linux.tk, 1
+real-site.tk, 1
+real-srebrenica-genocide.cf, 1
+real-srebrenica-genocide.ga, 1
+real-srebrenica-genocide.gq, 1
+real-srebrenica-genocide.ml, 1
+real-thailand.tk, 1
+real-work.tk, 1
+real2000.com, 1
+realacademy.net, 1
+realactionslots.com, 1
+realanteile.at, 0
+realbiographies.cf, 1
+realbiz.ml, 1
+realcanada.com.gt, 1
+realcapoeira.ru, 1
+realclinic.jp, 1
+realdomdom.cf, 1
+realestate-in-uruguay.com, 1
+realestate-lidl.at, 1
+realestate-lidl.be, 1
+realestate-lidl.bg, 1
+realestate-lidl.ch, 1
+realestate-lidl.co.uk, 1
+realestate-lidl.com, 1
+realestate-lidl.cz, 1
+realestate-lidl.dk, 1
+realestate-lidl.fr, 1
+realestate-lidl.gr, 1
+realestate-lidl.it, 1
+realestate-lidl.lt, 1
+realestate-lidl.lu, 1
+realestate-lidl.lv, 1
+realestate-lidl.pl, 1
+realestate-lidl.pt, 1
+realestate-lidl.ro, 1
+realestate-lidl.rs, 1
+realestate-lidl.se, 1
+realestate-lidl.sk, 1
+realestateagent-directory.com, 1
+realestatebees.com, 1
+realestateblogs.tk, 1
+realestateboston.tk, 1
+realestateexecutives.tk, 1
+realestategreenville.tk, 1
+realestatekanada.tk, 1
+realestatemaryland.tk, 1
+realestateofnewmexico.com, 1
+realestateonehowell.com, 1
+realestates.istanbul, 1
+realestatesales.gov, 1
+realestatestagingassociation.com, 1
+realestatetennessee.net, 1
+realestatewebnews.tk, 1
+realfamilyincest.com, 1
+realfreedom.city, 0
+realgarant-shop.de, 0
+realgiulianova.it, 1
+realgogo.com, 1
+realgoods.com, 1
+realhelpcompany.ga, 1
+realhorsegirls.net, 1
+realhost.name, 1
+realhypnosistraining.com.au, 1
+realidad.tk, 1
+realimagess.com, 1
+realincest.tv, 1
+realinsurance.com.au, 1
+reality.news, 1
+reality0ne.com, 0
+realitycrazy.com, 1
+realitydudes.com, 1
+realitydudesnetwork.com, 1
+realityjunkies.com, 1
+realitykings.com, 1
+realityrecoverycollective.tk, 1
+realitystudio.org, 1
+realitytoday.cf, 1
+realives.com, 1
+realizegov.com, 1
+realkeywords.ga, 1
+reall.uk, 1
+reallife-it.de, 1
+reallifeforums.com, 0
+reallight.ge, 1
+reallinux.tk, 1
+reallivingcc.com, 1
+reallovetab.ga, 1
+really-simple-plugins.com, 1
+really-simple-ssl.com, 1
+reallyangryaboutchipshops.com, 1
+reallybadidea.tk, 1
+reallycooljobs.ga, 1
+reallyone.com, 1
+reallytrusted.com, 1
+reallywild.tk, 1
+realm-of-shade.com, 1
+realm.is, 1
+realmadrid-bet1x2.com, 1
+realmadridoffice.tk, 1
+realmaturetube.com, 1
+realmixwell.tk, 1
+realmjoin.com, 1
+realmofaesir.com, 1
+realmofespionage.xyz, 1
+realmoney.games, 1
+realnature.com.br, 1
+realneo.me, 1
+realnet.tk, 1
+realno-money.tk, 1
+realonline.com.au, 1
+realoteam.ddns.net, 1
+realpaella.com, 1
+realpropertyprofile.gov, 1
+realpython.com, 1
+realrapfans.tk, 1
+realshopit.blog, 1
+realtechreviews.com, 1
+realtimenetworks.com, 1
+realtimeregister.com, 1
+realtoraidan.com, 1
+realty-pochta.tk, 1
+realtygroup-virginia.com, 1
+realtyofnaples.com, 1
+realtys.ca, 1
+realum.com, 1
+realum.de, 1
+realum.eu, 1
+realum.net, 1
+realvapamarde.cf, 1
+realvisioninternet.com, 1
+realvnc.com, 1
+realvnc.help, 1
+realwaycome.com, 1
+realwebsite.ga, 1
+realwinner.es, 1
+realworldholidays.co.uk, 1
+realyux.com, 1
+reancos.report, 1
+reanimated.eu, 1
+reanimed.com.ua, 1
+reank-mnx.site, 1
+reapandsowmarketing.com, 1
+rearmatch.cf, 1
+rearmatch.ga, 1
+rease.com.au, 1
+reavaninc.com, 1
+reaven.nl, 1
+rebajasoferta.com, 1
+rebalancenyc.com, 1
+rebaltica.lv, 1
+rebane2001.com, 1
+rebargroup.org, 1
+rebase.com.tr, 1
+rebatekey.com, 1
+rebecamode.ch, 1
+rebeccawendlandt.com, 1
+rebeccawilson.co.uk, 1
+rebel-owl.com, 1
+rebel.com.br, 1
+rebelbranding.nl, 1
+rebelchick.tk, 1
+rebelcorp.cloud, 1
+rebelcorp.ltd, 1
+rebeldeway-al.tk, 1
+rebeldeway-ks.tk, 1
+rebelko.de, 1
+rebellecare.com, 1
+rebelliouskitten.art, 1
+rebellyon.info, 1
+rebelonline.nl, 1
+rebelsewerservices.com, 1
+rebelsi.pl, 1
+rebelstudio.ml, 1
+rebelz.se, 1
+rebirthlongboard.co.th, 1
+rebizzield.com, 1
+rebonus.com, 1
+rebootwithnature.in, 0
+reboxetine.com, 1
+reboxonline.com, 1
+rebrandly.com, 1
+rebschool.ml, 1
+rebtoor.com, 0
+rebuga.com, 1
+rebuild96.ru, 1
+rebull.fr, 1
+rebure.com, 1
+rebus.support, 1
+rebusfarm.net, 1
+reby.cf, 1
+reby.tk, 1
+rec.moe, 1
+rec5.nl, 1
+recallinsider.com, 1
+recalls.gov, 1
+recambiospuntored.com, 1
+recantoshop.com.br, 1
+recaptcha-demo.appspot.com, 1
+recaptime.eu.org, 1
+recat-project.eu, 1
+receipts-app.com, 1
+receitas.tk, 1
+receitasdacassia.tk, 1
+receitasdepesos.com.br, 1
+receitasfavoritas.com, 1
+receptenwebsite.com, 1
+reception247.com, 0
+receptionsbook.com, 1
+recessmonkeyz.tk, 1
+recetasboricuas.com, 1
+recetasdelospaises.com, 1
+recetasdemape.com, 1
+recetasget.com, 1
+recetips.com, 1
+recettecookeo.net, 1
+recettes-de-tiramisu.fr, 1
+recettes-series.com, 1
+rechenknaecht.de, 1
+rechenwerk.net, 1
+recherchegruppe.tk, 1
+rechky.tk, 1
+recht.us, 1
+rechten-konsens-brechen.tk, 1
+rechtenliteratuurleiden.nl, 0
+rechtsanwalt-loesener.de, 1
+rechtsanwaltdrach.de, 1
+rechtsanwaltskammer-hamm.de, 1
+rechtschreibpruefung24.de, 1
+rechtsschutz-onlineshops.de, 1
+recidivism.com, 1
+recifaliste.fr, 1
+recipea.com, 1
+recipegym.com, 0
+recipekensaku.com, 1
+recipesbyjaz.com, 1
+recipesdelite.com, 1
+recipeslist.tk, 1
+recipesmadeeasy.co.uk, 1
+recipewebbook.com, 1
+recipex.ru, 1
+recipeyak.com, 1
+recipito.tk, 1
+reciple.kz, 1
+recitoners.net, 1
+reckers-griesbach.com, 1
+recklessly.ga, 1
+reckner.com, 1
+reckoning.gq, 1
+reckontalk.com, 1
+reckord-bau.de, 1
+reckord.org, 1
+reclaimmysparkle.com, 1
+reclaimyourface.eu, 1
+reclamejagers.nl, 1
+reclamewereldsmp.eu, 1
+reclinerfactory.com, 1
+reclusiam.net, 1
+recmon.hu, 1
+recoa.tk, 1
+recoilbox.com, 1
+recolic.cc, 1
+recolic.net, 1
+recollection.fr, 1
+recollective.com, 1
+recolor.ml, 1
+recomendador.cl, 1
+recommend.pro, 1
+recommends.ml, 1
+recompiled.org, 0
+recon-networks.com, 1
+recon.net.br, 1
+reconocimientoincan.org.mx, 1
+recordagrave.org, 1
+recordati.com.tr, 1
+recordmeeting.jp, 1
+recordmeeting.net, 1
+recordproduction.com, 1
+recordsmanagement.gov, 1
+recordstudio.tk, 1
+recouvrement-jmconseil.com, 1
+recoveringfromfaith.com, 1
+recoveringircaddicts.org, 1
+recoveringmarketer.com, 1
+recovers.pl, 1
+recovery.gov.au, 1
+recoveryohio.gov, 1
+recoveryonline.org, 1
+recoveryunplugged.com, 1
+recovre.com.au, 1
+recraft-batteries.com, 1
+recraft-ventures.com, 1
+recraft.energy, 1
+recraft.ventures, 1
+recraftventures.com, 1
+recreatiewoningverzekeringen.nl, 1
+recroommasters.com, 1
+recruit.net, 1
+recruitcrm.io, 0
+recruiterbox.com, 1
+recruiting.ai, 1
+recruitnow.nl, 1
+recruitpedia.co.uk, 1
+recruitpediacorp.com, 1
+recruitsecuritytraining.co.uk, 1
+recruitsecuritytraining.com, 1
+recruitskill.cf, 1
+recruitskill.ga, 1
+recruitskill.gq, 1
+rectale.co, 1
+rectale.com, 1
+rectale.xyz, 1
+rectecforum.com, 1
+rectoraudiparts.com, 1
+rectoverso61.fr, 1
+rectus.co.jp, 1
+recuperation-points.fr, 1
+recuperatucuentaya.com, 1
+recupero.it, 1
+recurly.com, 1
+recursos.vip, 1
+recursoscristianosleinad.com, 1
+recursosilimitados.tk, 1
+recursosimbiopos.com, 1
+recursosmi.com.br, 1
+recursosrev.tk, 1
+recycle-plant.com, 0
+recycle.cf, 1
+recyclebc.ca, 1
+recyclebin.email, 1
+recycledinorsett.co.uk, 1
+recycledinorsett.com, 1
+recyclenow.com, 1
+recycling.tk, 1
+recyclingisland.com, 1
+recyklacekovu.cz, 1
+red-button.hu, 1
+red-dragon.tk, 1
+red-eyed-tree-frogs.com, 1
+red-lightning.tk, 1
+red-official.com, 1
+red-panda.be, 1
+red-planet.tk, 1
+red-t-shirt.ru, 1
+red-train.de, 1
+red-trigger.net, 1
+red-wine.tk, 1
+red031000.com, 1
+red1it.net, 1
+red2fred2.com, 1
+redable.nl, 1
+redacted.finance, 1
+redactibio.com, 1
+redactieco.nl, 1
+redaktcms.com, 1
+redarx.com, 1
+redballoonsecurity.com, 1
+redbeardplumbing.net, 1
+redcabbage.tk, 1
+redcanary.co, 1
+redcandycane.tk, 1
+redcapital.cl, 1
+redcardinal.tk, 1
+redcarnationhotels.com, 1
+redcarpetmonday.com, 1
+redcatrampageforum.com, 1
+redcedar.gov, 1
+redchat.cz, 1
+redcity.apartments, 1
+redcode-web.design, 1
+redcoded.com, 1
+redcone.net, 1
+redcontralarepresion.org, 1
+redcorus.com, 1
+redcreek.tk, 1
+redcross.com.ph, 1
+redcupit.com, 1
+redd.it, 1
+reddark.io, 1
+reddcoin.com, 1
+reddcrypt.com, 1
+reddepsicologosdecr.com, 1
+reddice.tk, 1
+reddingo.at, 1
+reddingo.be, 1
+reddingo.ch, 1
+reddingo.com, 1
+reddingo.com.au, 1
+reddingo.de, 1
+reddingo.es, 1
+reddingo.eu, 1
+reddingo.fr, 1
+reddingo.it, 1
+reddingo.jp, 1
+reddingo.nl, 1
+reddingo.nz, 1
+reddingrancheria-nsn.gov, 1
+reddingsbrigade-zwolle.nl, 1
+reddit.com, 1
+reddit2kindle.com, 1
+redditinc.com, 1
+reddraggone9.com, 0
+reddyai.com, 1
+rede-reim.de, 1
+rede-t.com, 1
+redearsliderturtles.com, 1
+redecsirt.pt, 1
+rededca.com, 1
+rededecuidadores.pt, 1
+redefertig.de, 1
+redefiningstrength.com, 1
+redehiperfarma.com.br, 1
+redelectrical.co.uk, 0
+redemancy.net, 1
+redemption.gq, 1
+redes-neuronales.tk, 1
+redeyeguatemala.tk, 1
+redfish.tk, 1
+redflare.com.au, 1
+redfog.com, 1
+redfox-media.com, 1
+redfox-media.eu, 1
+redfox-media.net, 1
+redfox-media.org, 1
+redfoxlotto.com, 1
+redfoxmarketiing.com, 1
+redfoxwebdesign.com.au, 1
+redgatesoftware.co.uk, 1
+redgeek.cf, 1
+redgeek.ga, 1
+redgeek.gq, 1
+redgeek.ml, 1
+redgranitefdwi.gov, 1
+redgravity.net, 1
+redhackerteam.tk, 1
+redhandedsecurity.com.au, 1
+redhead.id.au, 1
+redheadfuck.com, 1
+redheeler.com.br, 1
+redhillboardriders.tk, 1
+redhookchallenge.org, 1
+redhookny.gov, 1
+redhotmonks.com, 1
+redhotmonks.nl, 1
+redhottube.cf, 1
+redhottube.ga, 1
+redhottube.gq, 1
+redhottube.ml, 1
+redi.tk, 1
+rediafile.com, 1
+rediazauthor.com, 1
+redid.com.au, 1
+redion.me, 1
+redir.me, 1
+redireci.one, 1
+redirecionarnoticias.ml, 1
+redirect.fedoraproject.org, 1
+redirect.pizza, 1
+redirect.stg.fedoraproject.org, 1
+redirect.works, 1
+redirection-plf.online, 1
+rediscoveredfamilies.com, 1
+redisgreen.com, 1
+rediske.me, 1
+redite.co, 1
+redivis.com, 1
+redjuice.co.uk, 1
+redkite.se, 1
+redknothomes.com, 1
+redletter.link, 1
+redlight.net, 1
+redlink.de, 1
+redlink.tk, 1
+redlinker.ml, 1
+redlionclub.ga, 1
+redlionhockwold.com, 1
+redloeki.tk, 1
+redmarker.ai, 1
+redmas.com.co, 1
+redmejoracontinua.com, 1
+redmondoregon.gov, 1
+redmore.me, 1
+redneck-radio.tk, 1
+redneragenturen.org, 1
+rednex.tk, 1
+rednsx.org, 0
+rednumberone.com, 1
+redoikos.org, 1
+redot.com, 1
+redpanda.gay, 1
+redparrotstudios.tk, 1
+redpen.gr, 1
+redper.serveminecraft.net, 1
+redperegrine.com, 0
+redphi.dedyn.io, 1
+redphoenix.tk, 1
+redpitaya.com, 1
+redprice.by, 1
+redq.now.sh, 1
+redrafting.ga, 1
+redragon.co.za, 1
+redraven.studio, 1
+redrealm.tk, 1
+redrivernm.gov, 1
+reds-dev.ga, 1
+redsequence.com, 1
+redshank-largeformat.co.uk, 1
+redshell.pw, 1
+redshiftcybersecurity.co.za, 1
+redshoeswalking.net, 1
+redshop.uk, 1
+redsicom.com, 1
+redsiege.com, 1
+redsift.cloud, 1
+redsift.com, 1
+redsift.io, 1
+redsis.com, 1
+redskullstuff.gq, 1
+redsolutor.gq, 1
+redsquarelasvegas.com, 1
+redstack.tk, 1
+redstarline.be, 1
+redstarpictures.tk, 1
+redstarsurf.com, 1
+redstarwholesale.co.za, 1
+redstoneart-server.top, 1
+redstonehomekits.com, 1
+redstoner.com, 1
+redstonium.net, 1
+redstor.com, 1
+redtails.tk, 1
+redteam-pentesting.de, 1
+redteam.coach, 1
+redteams.fr, 1
+redtomato.ga, 1
+redtrig.ca, 1
+redtrig.com, 1
+redtsar2000papers.tk, 1
+redtubs.tk, 1
+redtune.jp, 1
+reducealcoholism.com, 1
+reducedlens.org, 1
+reducer.co.uk, 1
+reducto.tk, 1
+reduktorntc-k.com.ua, 1
+redunion.tk, 1
+redvau.lt, 1
+redvent-decor.ru, 1
+redvent.ru, 1
+redwater.co.uk, 1
+redwaterhost.com, 1
+redwaymu.cf, 1
+redweek.com, 1
+redwhey.com, 1
+redwiki.tk, 1
+redwillowcountyne.gov, 1
+redwood.pw, 1
+redwoodsgroup.com, 1
+redwoodtoxicology.com, 1
+redzonedaily.com, 1
+reebelo.co.nz, 1
+reebelo.com.au, 1
+reececustom.com, 1
+reedgroup.com, 1
+reedsvillewi.gov, 1
+reedy.tk, 1
+reeftrip.com, 1
+reehomes.com, 1
+reel360.com, 1
+reeladventurefishing.com, 1
+reelchicago.com, 1
+reelgame.ml, 1
+reelnews.ga, 1
+reels.in.th, 1
+reelssaver.com, 1
+reemployks.gov, 1
+reenergo.ru, 1
+reenio.com, 1
+reenio.cz, 1
+reenio.sk, 1
+reentry.gov, 1
+reentrycenterofocala.com, 1
+rees-carter.net, 1
+reesi.site, 1
+reesmichael1.com, 1
+reeson.at, 1
+reeson.de, 1
+reeson.info, 1
+reeson.org, 1
+reevaappliances.co.uk, 1
+reeves-family.com, 1
+reevoo.com, 1
+reezocar.be, 1
+reezocar.com, 1
+refalm.com, 1
+refb.org, 1
+refbanners.com, 1
+refbanners.website, 1
+refer.codes, 1
+refer.nhs.uk, 1
+referat.club, 1
+referati.tk, 1
+referdell.com, 1
+reference-classic.fr, 1
+reference-emploi.com, 1
+reference-expertise.fr, 1
+reference.be, 1
+referencement-local.info, 1
+referenceur.be, 1
+referendumcouncil.org.au, 1
+referko.in, 1
+referrer.website, 1
+reffect.io, 1
+refillrx.com, 1
+refillthecity.eu, 1
+refinedinspectionservices.com, 1
+refinedlightingaz.com, 1
+refinedroomsllc.com, 1
+refinery29.com, 1
+refjob.jp, 1
+reflab.dk, 1
+reflectionsbarlingsbeach.com.au, 1
+reflectionsonthebay.org.au, 1
+reflecton.io, 1
+reflectoring.io, 1
+reflectson.org, 1
+refletindosaude.com.br, 1
+reflets-de-france.fr, 0
+reflets.info, 1
+reflexions.co, 1
+reflexionspain.tk, 1
+reflexive-engineering.com, 1
+refline.ch, 1
+refluxogastroesofagico.ga, 1
+refocusai.com, 1
+refood-cascaiscpr.eu, 1
+refood.com, 1
+reform.ee, 1
+reformando-t.es, 1
+reformasflores.com, 1
+reformation.financial, 1
+reformatreality.com, 1
+reformayobra.com, 1
+reformedermatology.com, 1
+refpa.top, 1
+refpa1342653.top, 1
+refpa170071.top, 1
+refpa4216323.top, 1
+refpa4496162.top, 1
+refpa4903566.top, 1
+refpa5446390.top, 1
+refpa59720.top, 1
+refpa6781648.top, 1
+refpaasxufov.top, 1
+refpabei.top, 1
+refpabuyoj.top, 1
+refpadewok.com, 1
+refpaewsbc.top, 1
+refpaffkansb.top, 1
+refpaicctvtm.top, 1
+refpaiglbwkv.top, 1
+refpaikgai.top, 1
+refpajqhsd.top, 1
+refpakrtsb.top, 1
+refpakwpsrbm.top, 1
+refpalqtdn.top, 1
+refpamjeql.top, 1
+refpanjoke.com, 1
+refpaopsxi.top, 1
+refpaqutiu.top, 1
+refparrknf.top, 1
+refpasra.host, 1
+refpasrasw.world, 1
+refpaswoon.top, 1
+refpatqltx.top, 1
+refpavikwm.top, 1
+refpavnpad.top, 1
+refpaydc.top, 1
+refpayio.top, 1
+refpazkjixes.top, 1
+reframeituk.org.uk, 1
+refresh-dc.org, 1
+refreshcartridges.co.uk, 1
+refreshingserum.com, 1
+refreshliving.us, 1
+refreshmentshop.co.uk, 1
+refrigeracion2hermanos.com.mx, 1
+refrigeratorrepair-austin.com, 1
+refu.net, 0
+refuelcollective.com, 0
+refuelcreative.com.au, 0
+refuelmcconnell.com, 1
+refuelmcconnell.marketing, 1
+refugiodomilitar.com.br, 1
+refundo.cz, 1
+refundo.sk, 1
+refurb-tracker.com, 1
+refusedcarfinance.com, 1
+reg.place, 1
+rega-sport.it, 1
+regacentro.pt, 1
+regain.com, 1
+regain.us, 1
+regal.radio, 1
+regalador.com, 1
+regalcapitalwi.com, 1
+regalfille.com, 1
+regalosymuestrasgratis.com, 1
+regalpaintingfdl.com, 1
+regalradio.net, 1
+regaltheatre.com.au, 1
+regamega.ru, 0
+reganclassics.co.uk, 1
+reganclassics.com, 1
+reganparty.com, 1
+regardezleprogramme.fr, 1
+regasportshop.it, 1
+regata-club.com.ua, 1
+regata2015.tk, 1
+regatesenbretagne.bzh, 1
+regazofotografia.com, 1
+regdomain.ga, 1
+regdomain.tk, 1
+regele.tk, 1
+regenboghorn.com, 0
+regencytablesandsinks.com, 1
+regencywalkinclinic.com, 1
+regendevices.eu, 1
+regeneo.cz, 1
+regenerapoint.it, 1
+regenpfeifer.net, 0
+regensburg-repariert.de, 1
+regent.ac.za, 1
+regentcruises.com, 1
+regentmovies.tk, 1
+regento.bg, 1
+regex.bingo, 1
+regex101.com, 1
+reggaesumfest.com, 1
+reggaexplosion.tk, 1
+reggea.tk, 1
+reggiotoday.it, 1
+regiamo.ch, 1
+regiaodeaveiro.pt, 1
+regie-sc.ch, 1
+regime-anticellulite.com, 1
+regimebonheur.com, 1
+reginaascanio.es, 1
+reginaclinic.jp, 1
+reginalenz.com, 1
+reginfo.gov, 1
+regio-salland.nl, 1
+regiobeveland.nl, 1
+regioinfo.nl, 1
+regiojet.com, 1
+regiojet.cz, 1
+region-vologda.tk, 1
+region22.tk, 1
+region6armymars.org, 1
+regionaalenergieloket.nl, 1
+regional-rabatt.de, 1
+regionalgrowth.com, 1
+regionethost.tk, 1
+regionethungaria.hu, 1
+regionmedia.cf, 1
+regionstea.net, 1
+regioplanverbindt.nl, 1
+regiosalland.nl, 1
+regiovertrieb.de, 0
+regis.tech, 1
+regisearch.co.uk, 1
+registech.com, 1
+register.com.np, 1
+register.to, 0
+registerforevent.co.uk, 1
+registerforhappywellth.com, 1
+registertovoteflorida.gov, 1
+registr.io, 1
+registrarius.org, 1
+registrarplus.net, 1
+registrarplus.nl, 1
+registrierung.tk, 1
+registry.google, 1
+registry.quebec, 1
+registryfinder.com, 1
+registryplus.net, 1
+registryplus.nl, 1
+regmik.ua, 1
+regnix.net, 1
+regnr.info, 1
+regolithmedia.com, 1
+regon.hu, 1
+regospel.tk, 1
+regpacks.com, 1
+regraph.de, 1
+regression.tk, 1
+regsec.com, 1
+regtech.tk, 1
+regtify.com, 1
+regtify.org, 1
+regtransfers.co.uk, 1
+reguladordevoltagem.com.br, 1
+regularizaboti.com.br, 1
+regularlabs.com, 1
+regulations.gov, 1
+regulative.gq, 1
+rehab.cf, 1
+rehab.cn.ua, 1
+rehabilitologist.ru, 1
+rehabphilippines.com, 1
+rehabthailand.com, 1
+rehabthailand.org, 1
+rehasport-informationen.de, 1
+rehasport-marketing.de, 1
+rehasportwelt.de, 1
+rehau-ua.com, 1
+reher.pro, 1
+rehobothbeachde.gov, 1
+rehobothma.gov, 1
+reholi.com.ar, 1
+rehzzo.cloud, 1
+rei.ki, 1
+reiaudio.com.br, 1
+reichardt-home.goip.de, 1
+reichel-steinmetz.de, 1
+reichelt-cloud.de, 1
+reichelt.com, 1
+reichelt.de, 1
+reichelt.nl, 1
+reichl-online.net, 1
+reiciunas.lt, 1
+reidasbombas.com, 1
+reidasmalas.com.br, 1
+reidasofficial.lt, 1
+reidjaeger.com, 1
+reidodice.com, 1
+reidope.com.br, 1
+reidostorrents.com, 1
+reidrice.com, 1
+reifeswinger.com, 1
+reifr.net, 1
+reignsphere.net, 1
+reiki-france.fr, 1
+reikiblog.cf, 1
+reikicrystal.com, 1
+reikimart.com, 1
+reikimaster.tk, 1
+reilly.io, 1
+reimaginebelonging.de, 1
+reimaginebelonging.org, 0
+reimann.me, 1
+reimers.de, 1
+reimsmediaslibres.info, 1
+reinaertvandecruys.com, 1
+reinaertvandecruys.me, 1
+reinaldudrasfamily.ee, 1
+reinascba.com.ar, 1
+reinencaressa.be, 1
+reiner-h.de, 1
+reinfer.io, 1
+reinfo.wiki, 1
+reingroup.ru, 1
+reinhardtsgermanautorepair.com, 1
+reinhardtsgrimma.de, 1
+reinhart-auto.cz, 1
+reinheft.de, 0
+reinierjonker.nl, 1
+reinisch.io, 1
+reinodemurcia.tk, 1
+reinoldus.ddns.net, 1
+reinotools.com, 1
+reinout.nu, 1
+reinouthoornweg.nl, 1
+reintjens.de, 1
+reinventersontravail.com, 1
+reinvention-institute.com, 1
+reirei.cc, 1
+reisbergadr.com, 1
+reisdemuthwiltgen.com, 1
+reisebuero-baader.de, 1
+reisen.ga, 1
+reisenbauer.at, 1
+reisenbauer.ee, 0
+reiseziel-hiddensee.de, 0
+reiseziele.tk, 1
+reishikitchen.co.uk, 1
+reishikitchen.com, 1
+reishiplantkitchen.co.uk, 1
+reishiplantkitchen.com, 1
+reispower.nl, 1
+reisslittle.com, 1
+reissnehme.com, 1
+reisspecialistdevalk.nl, 1
+reitmeier.me, 1
+reitoracle.com, 1
+reitstall-goettingen.de, 1
+reittherapie-tschoepke.de, 1
+reivernet.com, 0
+reja.au, 1
+rejahrehim.com, 1
+rejail.ru, 1
+rejected-by-society.tk, 1
+rejected.tk, 1
+rejective.tk, 1
+rejects.email, 1
+rejido.tk, 1
+rejushiiplotter.ru, 1
+rejuvetclinicpromotion.com, 1
+rekka-j.com, 1
+rekklab.com, 1
+rekkur.com, 1
+rekkur.consulting, 1
+rekkur.de, 1
+rekkur.dev, 1
+rekkur.io, 1
+rekkur.net, 1
+rekkur.org, 1
+rekkur.solutions, 1
+rekkur.team, 1
+rekkur.tech, 1
+rekkur.technology, 1
+rekkursolutions.com, 1
+rekkurtechnology.com, 1
+reklama-crimea.com, 1
+reklamapoumu.ru, 1
+reklamim.tk, 1
+reklamirui.tk, 1
+reklamjog.hu, 1
+reklamy-led.tk, 1
+rekmedia.tk, 1
+rekono.si, 0
+rekorhaliyikama.com, 1
+reksadanapanin.co.id, 1
+rekurasi.com, 1
+rekursion.at, 1
+rel-me.cc, 1
+relais-laguiole.com, 1
+relaisducoustoubi.com, 1
+relatedgroup.com, 1
+relates.link, 1
+relatethesport.com, 0
+relatic.net, 1
+relation.cf, 1
+relationalplayground.com, 1
+relations-business.com, 1
+relationsatwork.net, 1
+relationshiptalk.net, 1
+relationsproblem.nu, 1
+relatosypoesias.tk, 1
+relawan24jam-magetan.pp.ua, 1
+relaxcenternederland.nl, 1
+relaxdata.eu, 1
+relaxhavefun.com, 1
+relaxpointhyncice.cz, 1
+relaxti.me, 1
+relaxxed.nl, 1
+relaxxxed.com, 1
+relaybox.io, 1
+relayto.com, 1
+release-monitoring.org, 1
+releasedate.me, 1
+releaseinternational.org, 1
+releasepoint.com, 1
+releases.live, 1
+releasetimes.io, 1
+relevaillesquebec.com, 1
+relevanttomyinterests.com, 1
+releve-analyser.com, 1
+reley.me, 1
+reliabilityweb.com, 1
+reliablecanadianpharmacy.com, 1
+reliabledegree.com, 1
+reliablemaids.co.uk, 1
+reliablemojo.com, 1
+reliablepi.com, 1
+reliableremovals-blackpool.co.uk, 1
+reliablewire.com, 1
+reliahost.nl, 1
+relialink.co.uk, 1
+reliant.com, 1
+reliant3sixty.com, 1
+reliantpropertygrpri.com, 1
+relic.gq, 1
+relieftn.com, 1
+reliefweb.int, 1
+religious-life.com, 1
+religiousfreedomunderfire.com, 1
+religiya.tk, 1
+relikt.tk, 1
+relines.ru, 1
+relisten.nl, 1
+reloading.ml, 1
+relocatefeds.gov, 1
+relojeriajoyeria.com, 1
+relojes-especiales.com, 1
+relojes-online.com, 1
+relookdecoration.fr, 1
+relsak.cz, 0
+reltio.com, 1
+relution.io, 1
+relvan.com, 1
+relvan.tech, 1
+relyhost.io, 1
+relyon-plasma.com, 1
+relyonnutec.com, 1
+rem-coatings.de, 1
+rem-cond.ru, 1
+rem0te.net, 1
+remain.london, 1
+remake-projects.tk, 1
+remambo.jp, 1
+remarkmart.com, 1
+remateszarate.cl, 0
+remax-direct.co.il, 1
+remax.at, 1
+remaxelite.co.il, 1
+remaxtop.co.il, 1
+remeb.de, 1
+remedi.tokyo, 1
+remediohalkiparaladiabetes.org, 1
+remedionaturales.com, 1
+remedioparaherpes.com, 1
+remedios.com.br, 1
+remedioscaseros.guru, 1
+remejeanne.com, 1
+remembear.com, 1
+remember.de, 1
+rememberingjordan.org, 1
+remembermidi.sytes.net, 1
+rememberthemilk.com, 0
+remembervets.com, 1
+remennik.tk, 1
+remesal.es, 1
+remessaonline.com.br, 1
+remetall.cz, 1
+remezcla.com, 1
+remhomut.ru, 1
+remi-decker.tk, 1
+remi-saurel.com, 1
+remi-theriault.com, 1
+remiafon.com, 1
+remicade.com, 1
+remifajardo.cf, 1
+remilner.co.uk, 1
+reminda.com, 1
+reminded.tk, 1
+remington-europe.com, 1
+remirampin.com, 1
+remissan.com, 1
+remissionclinic.com, 0
+remitano.com, 1
+remix64.com, 1
+remiz.org, 1
+remmik.com, 1
+remminhdang.com, 1
+remo.health, 1
+remodded.cf, 1
+remodded.gq, 1
+remodded.ml, 1
+remodded.tk, 1
+remodelate.mx, 1
+remodelhealth.com, 1
+remodelwithlegacy.com, 1
+remonline.ru, 1
+remont-45.tk, 1
+remont-kazan.tk, 1
+remont-kvartirvmoskve.ga, 1
+remont-naushnikov.tk, 1
+remont-rollet-izgotovlenie.cf, 1
+remont-rukami.tk, 1
+remontdot.tk, 1
+remontfirm.tk, 1
+remonti.info, 1
+remontkompyutera.tk, 1
+remontlog.com, 1
+remontmax.bg, 1
+remontmebliv.lviv.ua, 1
+remonto.tk, 1
+remontpc.cf, 1
+remontpc.tk, 1
+remontportal.tk, 1
+remontstrong.ru, 1
+remonttikauppa.com, 1
+remontuks.ru, 1
+remora.tk, 1
+remorse.ga, 1
+remote-health.net, 1
+remoteassistants.io, 1
+remotebudget.com, 1
+remotedesktop.corp.google.com, 1
+remotedxb.com, 1
+remoteoffice.ga, 1
+remoteok.com, 1
+remoteroom.jp, 1
+remoteshack.cf, 1
+remoteshack.ml, 1
+remoteutilities.com, 1
+remoteworkertech.asia, 1
+remoteworkingpal.com, 1
+remotewx.com, 1
+remotish.com, 1
+removalcellulite.com, 1
+removebg.in, 1
+removedrepo.com, 1
+removerz.ca, 1
+remploy.co.uk, 1
+remptmotors.com, 0
+remsenny.gov, 1
+remservices.ky, 1
+remsoft.com.br, 1
+remwhile.com, 1
+remyb.me, 1
+remyphotography.fr, 1
+remyroguevolution.tk, 1
+rena.am, 1
+renaatsioncke.com, 1
+renaissance.shop, 1
+renard-pierne-avocats.fr, 1
+renascercorretora.com.br, 1
+renascerstp.org, 1
+renate-lietz.de, 1
+renatemamber.nl, 1
+renateonline.tk, 1
+renaudmuller.fr, 1
+renaultclubticino.ch, 0
+rencbrain.com, 1
+rencontredemerde.fr, 1
+rendall.tv, 1
+render.com, 1
+renderatelier.com, 1
+renderferma-cash.tk, 1
+renderloop.com, 1
+renderstack.io, 1
+renderworld.tk, 1
+renderzone.tk, 1
+rendez-vous.gq, 1
+rendezvous-cafe.co.uk, 1
+rendre-service.ch, 0
+rendutowers.org.au, 1
+rene-eizenhoefer.de, 1
+rene-schwarz.com, 0
+rene-stolp.de, 1
+renearends.nl, 1
+renecoignard.co, 1
+renecoignard.com, 1
+renecoignard.fr, 1
+renecoignard.me, 1
+renecoignard.net, 1
+renecoignard.org, 1
+renecoignard.ru, 1
+renedekoeijer.com, 1
+renegadeexploration.com, 1
+renehsz.com, 1
+renem.net, 0
+reneopharma.com, 1
+reneploetz.de, 1
+reneschmidt.de, 1
+reneschroeter.de, 1
+renet.com.br, 1
+renet.tk, 1
+renevo.eu, 1
+renewablekids.tk, 1
+renewablemaine.org, 1
+renewcleaningservices.net, 1
+renewedhr.com, 1
+renewgsa.com, 1
+renewittke.ch, 1
+renewittke.com, 1
+renewmedispa.com, 0
+renewpfc.com, 1
+renezuo.com, 1
+renicimery.com.br, 1
+renjyaku-dental.com, 1
+renkenlaw.com, 1
+renklihobi.com, 1
+rennes-bachata.com, 1
+rennes-blues.com, 1
+rennes-danse-africaine.com, 1
+rennes-danse-orientale.com, 1
+rennes-danses-en-ligne.com, 1
+rennes-hip-hop.com, 1
+rennes-lindy-hop.com, 1
+rennes-pilates.com, 1
+rennes-reggaeton.com, 1
+rennes-rock-6-temps.com, 1
+rennes-salsa-portoricaine.com, 1
+rennes-salsa.com, 1
+rennes-tango.com, 1
+rennes-valse.com, 1
+rennes-west-coast-swing.com, 1
+rennes-yoga.com, 1
+rennes-zumba.com, 1
+rennfire.org, 1
+rennie.com, 1
+renoboston.com, 1
+renocountyks.gov, 1
+renoproject.org, 1
+renorun.ca, 1
+renorun.com, 1
+renos.tk, 1
+renovalar.com.br, 1
+renovandoingresos.com, 1
+renovation-abm.fr, 1
+renovation-de-facade.fr, 1
+renovation-interieur-paris.com, 1
+renovation-maison.paris, 1
+renovationsatl.com, 1
+renovationsf.cf, 1
+renovationsf.ga, 1
+renovera.be, 1
+renovum.es, 1
+renrenche.com, 0
+rens.nu, 1
+renscreations.com, 1
+rent-a-c.io, 1
+rent-a-coder.de, 1
+rent-car.ga, 1
+rent-to-own-home.ga, 1
+rent.ie, 1
+rent.men, 1
+rentacar.name.tr, 1
+rentacaramerica.com, 1
+rentacarankara.com.tr, 1
+rentacarizmir.com.tr, 1
+rentacarmedo.me, 1
+rentaciudadana.co, 1
+rentalboatsafety.com, 1
+rentalharmony.co.za, 1
+rentalseleutheraisland.com, 1
+rentalsport.it, 1
+rentamosandamios.com.mx, 1
+rentandamiosycasetas.com, 1
+rentandgoandalo.it, 1
+rentandgofalcade.it, 1
+rentandgosestriere.it, 1
+rentandgovalmalenco.it, 1
+rentasportexclusive.it, 1
+rentasweb.gob.ar, 1
+rentatrajes.com.mx, 1
+rentbasements.com, 1
+rentberry.com, 1
+rentbrowser.com, 1
+rentcafe.co.uk, 1
+rentex.com, 1
+rentfaster.ca, 1
+renthelper.us, 1
+renticar.com, 1
+rentinsingapore.com.sg, 1
+rently.nl, 1
+rentm.media, 1
+rentmama.cf, 1
+rentmama.ga, 1
+rentmama.gq, 1
+rentmama.ml, 1
+rentmasseur.com, 1
+rentmen.eu, 1
+rentnow.my, 1
+rentourhomeinprovence.com, 1
+rentsbg.com, 1
+rentsucks.com, 1
+renuo.ch, 1
+renusoni.ga, 1
+renusson.com, 1
+renut.com.np, 1
+renverse.co, 1
+renvillecountymn.gov, 1
+renvisegrad.hu, 1
+renwerks.com, 1
+renxinge.cn, 0
+renyiyou.com, 1
+renyu.ai, 1
+reo.gov, 0
+reorz.com, 0
+reox.at, 1
+repaircafe-hanau.de, 1
+repairdriveshafts.tk, 1
+repairingmobile.tk, 1
+repairit.support, 1
+repairland.gr, 1
+repairlinkshop.com, 1
+repairtly.com, 0
+repalriley38.com, 1
+repaper.org, 1
+reparacionesdecalefones.com, 1
+reparacioneslocativas.com.co, 1
+reparacionmovilesmurcia.com, 1
+repararimac.eu, 1
+repararipad.eu, 1
+reparariphone.biz, 1
+repararmac.eu, 1
+repararsamsung.eu, 1
+repararxiaomi.eu, 1
+reparatiecrm.nl, 1
+reparatieferestre.md, 1
+reparation-traceur.com, 1
+reparaturcafe-pfullendorf.de, 1
+reparo.pe, 0
+repasi.org, 1
+repat.de, 1
+repauto.com.ua, 1
+repaxan.com, 1
+repeat.gg, 1
+repettoshoes.tk, 1
+repin.in.ua, 1
+repinger.my.id, 1
+repl.ga, 1
+replacementrate.ga, 1
+replay.ga, 1
+replaynexus.com, 1
+replicacoin.ga, 1
+replicagold.ml, 1
+replici.net, 1
+replikatelefon.tk, 1
+repliksword.com, 1
+repo.ml, 1
+repology.org, 1
+report-incident.de, 1
+report-it.trade, 1
+report-uri.com, 1
+report.cf, 1
+reportallusa.com, 1
+reportband.gov, 1
+reporte.tk, 1
+reportercareer.ga, 1
+reporterre.net, 1
+reporters.ng, 1
+reporting.gov, 1
+reportoid.tk, 1
+reposaarenkuva.fi, 1
+reposeed.dev, 1
+reposeed.org, 1
+represent.us, 1
+reproaccess.gov, 1
+reproductive-revolution.com, 1
+reproductiveaccess.gov, 1
+reproductivehealthservices.gov, 1
+reproductiverevolution.com, 1
+reproductiverights.gov, 1
+reprogramador.com, 1
+reprogramador.es, 1
+reprogramming-predators.com, 1
+reprogrammingpredators.com, 1
+reprolegaldefensefund.org, 1
+reprolegalhelpline.org, 1
+reprorights.gov, 1
+repsltd.co.uk, 1
+repstalent.com, 1
+reptieleninfo.tk, 1
+reptilescan.com, 1
+reptrax.com, 1
+republic.gg, 1
+republic.gr, 1
+republica.gt, 1
+republicafederal.tk, 1
+republicanleader.gov, 1
+republicanwhip.gov, 1
+republicasantabanana.org, 1
+republicmo.gov, 1
+republictelecom.net, 1
+republik-sombora.tk, 1
+republikalajm.com, 1
+republikapost.com, 1
+republique.org, 1
+repuestosmedellin.com, 1
+repugnant-conclusion.com, 1
+repugnantconclusion.com, 1
+reputatiedesigners.nl, 1
+reqionstockholm.se, 1
+request.cf, 1
+requesthymn.com, 1
+requestio.pp.ua, 1
+requestr.co.uk, 1
+requeteguapas.com, 1
+requeue.ga, 1
+requin.tk, 1
+requirements.ga, 1
+rercel.com, 0
+reregu.cf, 1
+reroboto.com, 1
+reroboto.eu, 1
+reroboto.net, 1
+reroboto.org, 1
+reroboto.social, 1
+reroll.tv, 1
+rerumu.com, 1
+resale.condos, 1
+resalerental.com, 1
+resanebartar.tk, 1
+resbi.tk, 1
+resc.la, 1
+rescatec.com, 1
+resch-verlag.com, 1
+resch.pro, 1
+rescms-secure.com, 1
+rescuenode.com, 1
+rescuer.gq, 1
+rescuer.tk, 1
+research-panel.jp, 1
+research.facebook.com, 0
+researchmarathi.com, 1
+researchresults.com, 1
+researchstory.com, 1
+researchtriangle.org, 1
+researchwriting.co.uk, 1
+reseau-ait.ca, 1
+reseau-image.com, 1
+reseau-tee.net, 1
+reseau-web.com, 1
+reseau.je, 1
+reseau007.tk, 1
+resellerprogram.ga, 1
+resellrefreshrepeat.com, 1
+reserva-agora.pt, 1
+reservadecitasonline.com, 1
+reservar-un-hotel.com, 1
+reservationsair.com, 1
+reservetonshift.com, 1
+reservilaisliitto.fi, 1
+reset12.co.uk, 1
+resfriatech.com.br, 1
+reshebnik.ml, 1
+reshka.ga, 1
+residence-donatello.be, 1
+residence-edelweiss.com, 1
+residence-simoncelli.com, 1
+residencedesign.net, 1
+residencemagazine.se, 1
+residencepanoramique.com, 1
+residencescauri.it, 1
+residency-bond.eu, 1
+resident-evil.tk, 1
+residentiallocksmithdallas.com, 1
+residentialmortgageholdings.com, 1
+residentialpressurewashingchicago.com, 1
+residentinfo.net, 1
+residualpayments.com, 1
+resigno.tk, 1
+resilience.sh, 1
+resiliencebox.com, 1
+resilientlouisianacommission.gov, 1
+resilienzatropical.it, 1
+resimdo.de, 1
+resimevi.tk, 1
+resine.roma.it, 1
+resinflooringcompany.com, 1
+resinheaven.com.au, 1
+resisfestival.com, 1
+resist.bot, 1
+resistancebooks.com, 0
+resistav.com, 1
+resivibe.com, 1
+resize2fs.de, 0
+resju21.ch, 1
+resmigazete.gov.tr, 1
+resmim.net, 1
+resolu.ru, 1
+resolute.com, 1
+resolutesystems.com, 1
+resolutewealthmanagement.com, 0
+resolutionnews.cf, 1
+resolutionnews.ga, 1
+resolve-portal.it, 1
+resolved.tk, 1
+resolvefa.co.uk, 1
+resolvefa.com, 1
+resolveit.gq, 1
+resolvergroup.com.au, 1
+resolvo.com, 1
+resoplus.ch, 0
+resort-islands.net, 1
+resort-nuvola.be, 1
+resort.ga, 1
+resortafroditatucepi.com, 1
+resortrealty.com, 0
+resorts.ru, 1
+resortsupportfiji.com, 1
+resoundpro.ca, 1
+resourceconnect.com, 1
+resourceguruapp.com, 1
+resources.flowfinity.com, 1
+resourcesmanagementcorp.com, 1
+resourcespace.com, 1
+respawwn.com, 1
+respectmyprivacy.eu, 1
+respectmyprivacy.net, 1
+respectmyprivacy.nl, 1
+respecttheflame.com, 1
+respinar.com, 1
+respiradores.tk, 1
+respiranto.de, 1
+respiratorytherapistlicense.com, 1
+respire-yoga.fr, 1
+respokare.com, 1
+respon.jp, 1
+respondeck.de, 1
+responer.com, 1
+respons.je, 1
+respons.me, 1
+respons.mobi, 1
+respons.us, 1
+respons.ws, 1
+responscode.eu, 1
+responscode.info, 1
+responscode.mobi, 1
+responscode.nl, 1
+responsecode.info, 1
+responsecode.mobi, 1
+responsecode.nl, 1
+responsible-disclosure.nl, 1
+responsible.ca, 1
+responsibledisclosure.nl, 1
+responsivepaper.com, 1
+respostas.com.br, 1
+ressourcement-interieur.com, 1
+ressourceportal.dk, 1
+ressourcesindivior.com, 1
+ressourcesleopharma.fr, 1
+ressupply.com, 1
+rest-in-moscow.tk, 1
+resta.ga, 1
+restad.org, 1
+restart-brno.cz, 1
+restartperm.ml, 1
+restauraceumichala.cz, 1
+restaurant-de-notenkraker.be, 1
+restaurant-fujiyama.fr, 1
+restaurant-naan.de, 1
+restaurant-neuemuehle.de, 1
+restaurant-oregano.de, 1
+restaurant-rosengarten.at, 1
+restaurant-spartacus.tk, 1
+restaurantcleaningchicago.com, 1
+restaurantdetgulepakhus.tk, 1
+restaurantedonono.com.br, 1
+restaurantepepeyestrella.es, 0
+restauranteplatoubeda.es, 1
+restaurantesimonetti.com.br, 1
+restaurantguru.com, 1
+restauranthugo.nl, 1
+restaurantmadeinitaly.be, 1
+restaurants.sg, 1
+restauranttester.at, 1
+restauratorin-maubach-dresden.de, 1
+restauriedili.roma.it, 1
+restauto.com.ua, 1
+restbygait.com, 1
+restchart.com, 1
+rester-a-domicile.ch, 1
+rester-autonome-chez-soi.ch, 1
+restic.net, 1
+restior.com, 1
+restioson.me, 1
+restless.it, 1
+restlesseshop.com, 1
+restlesslegs.tk, 1
+resto-renaissance.be, 1
+restoclub.ru, 1
+restomojo.tk, 1
+restoran.cf, 1
+restorationphotos.tk, 1
+restorethegulf.gov, 1
+restoringhopeberks.org, 1
+restoruns.com, 1
+restrealitaet.de, 1
+restream.fi, 1
+resultsatretail.com, 1
+resultscx.com, 1
+resultsdate.news, 1
+resume4dummies.com, 1
+resumecompanion.com, 1
+resumegenius.com, 1
+resumegets.com, 1
+resumehelp.com, 1
+resumehelp.io, 1
+resumelibros.tk, 1
+resumenlatinoamericano.org, 1
+resumeprime.com, 1
+resumerabbit.com, 1
+resumeshoppe.com, 1
+resumevalley.com, 1
+resumeworded.com, 1
+resumic.com, 1
+resumic.dev, 1
+resumic.io, 1
+resumic.net, 1
+resumic.org, 1
+resurfacehub.com, 1
+resurgent.network, 1
+resurspartner.tk, 1
+resveratrolsupplement.co.uk, 1
+retailcleaners.ga, 1
+retailcybersolutions.com, 1
+retailing.cf, 1
+retailmarket.net, 1
+retailnext.net, 1
+retaque.tk, 1
+retarara.tk, 1
+retard.ca, 1
+retardedstudios.tk, 1
+retefrati.it, 0
+reteteaz.net, 1
+retetenoi.net, 1
+retetop95.it, 0
+reth.ch, 1
+rethymnorooms.tk, 1
+reticket.me, 1
+reticle.cf, 1
+reticon.de, 1
+retics.cf, 1
+retidurc.fr, 1
+retiesebaan.tk, 1
+retin.ml, 1
+retinaconsultantstexas.com, 1
+retinacv.es, 1
+retinens.com, 1
+retirementincomeplanninggroup.com, 1
+retireyourpassword.org, 1
+retiring-dentist.co.uk, 1
+retiringaccountant.co.uk, 1
+retiringifa.co.uk, 1
+retiva-bet23367.com, 1
+retivabet.com, 1
+retmig.dk, 1
+retmus.com, 1
+reto.ch, 0
+reto.io, 1
+retohaeberli.com, 0
+retokromer.ch, 0
+retool.com, 0
+retornaz.com, 1
+retornaz.eu, 1
+retornaz.fr, 1
+retract.com.au, 1
+retractableawningssydney.com.au, 1
+retraitebysaulsplace.nl, 1
+retro-game.org, 1
+retro-gaming.at, 1
+retro.rocks, 1
+retroarms.com, 1
+retroarms.cz, 1
+retrobook.tk, 1
+retrocdn.net, 1
+retrocircuitos.com, 1
+retrogamenews.tk, 1
+retrohousewifegoesgreen.com, 1
+retroity.net, 1
+retrojar.top, 1
+retrojugo.tk, 1
+retronet.nl, 1
+retropack.org, 1
+retropedal.tk, 1
+retrophoto.fr, 0
+retropixel.ga, 1
+retroride.cz, 1
+retroroundup.com, 0
+retroskoter.tk, 1
+retroslave.ga, 1
+retrotechgeek.net, 1
+retroterminal.com, 1
+retrotown.ws, 1
+retrotubesporn.com, 1
+retrovideospiele.com, 1
+retroworld.tk, 1
+retseptykaboli.cf, 1
+rettar.net, 1
+rette-ein-kinderleben.de, 1
+rettig.xyz, 1
+retube.ga, 1
+return-profit.tk, 1
+return.sh, 1
+returnearly.net, 1
+returnly.com, 1
+returnonerror.com, 1
+reucon.com, 1
+reueljohnk.com, 1
+reulitz.de, 0
+reuna.me, 1
+reunion.tk, 1
+reup.cash, 1
+reurbcaceres.com.br, 1
+reuschtools.com, 1
+reusesti.ro, 1
+reusorecicla.com.br, 1
+reut42.de, 1
+reuter-profishop.de, 0
+reuter.de, 0
+reuterhall.se, 1
+reutersevents.com, 1
+rev-crew.info, 1
+revaio.com, 1
+reval.com, 1
+revalidatiekennisnet.nl, 1
+revaloriza.cf, 1
+revapost.fr, 1
+revayd.net, 1
+revconnect.tk, 1
+revcovi.com, 1
+revda.su, 1
+reveal-sound.com, 1
+reveal11.cloud, 1
+revealcellcamtracker.com, 1
+revealdata.com, 1
+revechat.com, 1
+revellecoaching.com, 0
+revellio.tk, 1
+revenge-spells.com, 1
+revengegames.lv, 1
+revengeofthesomething.tk, 1
+revenue-playbook.com, 1
+revenuegeeks.com, 1
+revenuegrid.com, 1
+reverce.com, 1
+reveriecaps.com.br, 1
+revers.tk, 1
+reverse1999.wiki, 1
+reverseaustralia.com, 1
+reversecanada.com, 1
+reversecrucifixkm.altervista.org, 1
+reversedns.tk, 1
+reverseloansolutions.com, 1
+reversemortgageguides.com, 1
+reversemortgageguides.org, 1
+reversesouthafrica.com, 1
+revgen.life, 1
+revierstrand.de, 1
+review.jp, 1
+review247.ga, 1
+reviewbestseller.com, 1
+reviewchecker.nl, 1
+reviewdetector.ml, 1
+reviewengin.com, 1
+reviewgeek.com, 1
+reviewheaven.ml, 1
+reviewku.id, 1
+reviewninja.net, 1
+reviewpipe.com, 1
+reviews.anime.my, 0
+reviewsfunnel.com, 1
+reviewskia.com, 1
+reviewskia.in, 1
+reviewsonline.ml, 1
+reviewspot.net, 1
+reviewu.ca, 1
+revifymedspa.com, 1
+revijahak.hr, 1
+revintake.com, 1
+revionics.com, 1
+reviquimicos.com, 1
+revis-online.cf, 1
+revis-online.gq, 1
+revis-online.ml, 1
+revis-online.tk, 1
+revisi.id, 1
+revisione.it, 1
+revisionmedia.pl, 1
+revisionnotes.xyz, 1
+revisore.it, 1
+revisores.pt, 1
+revisoronline.cf, 1
+revisoronline.ga, 1
+revisoronline.gq, 1
+revisoronline.ml, 1
+revisoronline.tk, 1
+revista-atalaya.ml, 1
+revista-programar.info, 1
+revistabifrontal.com, 1
+revistacocina.tk, 1
+revistadiscover.com, 1
+revistaespecies.ga, 1
+revistaligustinus.tk, 1
+revistamatg.com, 1
+revitalisierungs-akademie.de, 1
+revivalinhisword.com, 1
+revivalprayerfellowship.com, 1
+revive-me.org, 1
+reviveourhearts.com, 1
+reviveplumbingmelbourne.com.au, 1
+reviviendolavilla.tk, 1
+revizor-online.cf, 1
+revizor-online.ga, 1
+revizor-online.gq, 1
+revizor-online.ml, 1
+revizor-online.tk, 1
+revizor.ml, 1
+revizoronline.tk, 1
+revloop.com, 1
+revmap.com, 1
+revoka.de, 1
+revol.space, 1
+revolucioncharango.com, 1
+revolution-mining.com.au, 1
+revolution.net.nz, 1
+revolutionary.tk, 1
+revolutionaryaim-vienna.tk, 1
+revolutionaryireland.cf, 1
+revolutionaryireland.ga, 1
+revolutionaryireland.gq, 1
+revolutionaryireland.ml, 1
+revolutionengine.tk, 1
+revolutionenkommer.dk, 1
+revolutionhealth.ca, 1
+revolutionizingheartfailure.com, 1
+revolutionofbeauty.tk, 1
+revolutionofgaming.tk, 1
+revolware.com, 1
+revosoft.de, 1
+revres.info, 1
+revspot.net, 1
+revthefox.co.uk, 1
+revton.com, 1
+revuestarlight.me, 1
+revworld.org, 1
+revx.io, 1
+rewardingexcellence.com, 1
+rewardoapp.com, 1
+rewardscout.eu, 1
+rewatch.com, 1
+rewawatch.tk, 1
+rewebsitepro.com, 1
+rewirenewsgroup.com, 1
+rewisto.de, 1
+rewolucja1905.pl, 1
+rewriteguru.com, 1
+rewritertools.com, 1
+rex.red, 1
+rex.st, 1
+rex.tc, 1
+rexbang.tk, 1
+rexbaumgartnerdds.com, 1
+rexburgid.gov, 1
+rexcutty.com, 1
+rexdf.net, 1
+rexel.com, 1
+rexeroofing.com, 1
+rexo.ch, 1
+rexograph.com, 1
+rexskz.info, 1
+rextomanawato4.tk, 1
+rexuy.com, 1
+rexvin.co.id, 0
+rexxworld.com, 1
+reyesfernando.com, 1
+reyesholdings.com, 1
+reyna.cc, 1
+reynders.xyz, 1
+reynoldsburg.gov, 1
+reytorogroup.com, 1
+rezendemultimarcas.com.br, 1
+rezept-planer.de, 1
+rezidencezdanice.cz, 1
+rezio.io, 0
+rezistor.tk, 1
+rezka-burenie.cf, 1
+rezni.cz, 1
+reznik.tk, 1
+reztudio.com, 1
+rezultant.ru, 1
+rezun.cloud, 1
+rf-gamer.gq, 1
+rf.studio, 1
+rfasafedrop.org, 1
+rfbcnet.tk, 1
+rfbz.ca, 1
+rfdirectory.tk, 1
+rfeif.org, 1
+rfg.ru, 1
+rfgadvisorywealth.com, 0
+rfmsconnect.nl, 1
+rfn.cz, 1
+rfnews.tk, 1
+rfoard.com, 1
+rfodistribution.co.za, 1
+rfomega.ga, 1
+rfphero.io, 1
+rfs-zbpe.net, 1
+rfstag.com, 1
+rfstag.org, 1
+rftoon.com, 1
+rfvigo.com, 1
+rfxanalyst.com, 1
+rg.to, 1
+rga.cl, 1
+rgacomputacion.cl, 1
+rgbinnovation.com, 1
+rgbpty.com, 1
+rgc.com.co, 0
+rgdt.tk, 1
+rgf.be, 0
+rgfundraising.com, 1
+rggraphics.mx, 1
+rgnext.com, 1
+rgpd-elearning.com, 1
+rgpdkit.io, 1
+rgservice.ml, 1
+rgtonline.com, 1
+rgz.ee, 1
+rhaegal.me, 1
+rhamzeh.com, 1
+rhaniegghe.be, 1
+rhaniegghesoftwaresecurity.be, 1
+rhbrown.com, 1
+rhcteam.com, 1
+rhd-instruments.com, 1
+rhd-instruments.de, 1
+rhd.org, 1
+rhdiscovery.com, 1
+rhees.nl, 1
+rheijmans.io, 1
+rheijmans.nl, 1
+rheimsandcohen.ltd, 1
+rhein-liebe.de, 1
+rheincargo.com, 1
+rheine.schule, 1
+rheineschulen.de, 1
+rheinland-pilgern.de, 1
+rheinmetall.com, 1
+rheinturm.nrw, 1
+rhelevate.com, 1
+rhese.net, 1
+rhetorical.ml, 0
+rhetthenckel.com, 1
+rhev.in, 1
+rhforum.tk, 1
+rhfs.tk, 1
+rhhd.gov, 1
+rhhfoamsystems.com, 1
+rhicin.com, 1
+rhinelander.ca, 1
+rhinelanderpd.gov, 1
+rhinesuchus.com, 1
+rhino-inquisitor.com, 1
+rhino.co.tz, 1
+rhinobase.net, 1
+rhinoceroses.org, 1
+rhinosf1.com, 1
+rhnet.at, 1
+rho.co, 1
+rhode-island-sexcams.com, 1
+rhodeislandhealth.tk, 1
+rhodes.ml, 1
+rhodesianridgeback.com.br, 1
+rhodos.fr, 1
+rhona.cl, 1
+rhost.nl, 1
+rhowell.io, 1
+rhsb.ch, 1
+rhsbl.com, 1
+rhswl.com, 1
+rhubarb.land, 1
+rhumblineadvisers.com, 1
+rhwebdesigns.co.uk, 1
+rhye.tk, 1
+rhyme.com, 1
+rhymesofreason.com, 1
+rhymeswithmogul.com, 1
+rhynl.io, 1
+rhyno.io, 1
+rhysg.net, 1
+rhysperry.com, 1
+rhysre.net, 1
+rhystagr.am, 1
+rhyswebbmassage.com, 1
+rhythmaning.org, 1
+riable.com, 1
+riacanada.ca, 1
+riachuello.tk, 1
+riaiai.com, 1
+riaki.net, 1
+riaktiv.tk, 1
+rial.space, 1
+rialto.co.nz, 1
+rialtocapital.com, 1
+rian.gq, 1
+riared.net, 1
+riared.org, 1
+riaszto-szereles.eu, 1
+riaudetil.com, 1
+rib-dinslaken.com, 1
+rib-dinslaken.de, 1
+rib-fm.com, 1
+rib-fm.de, 1
+rib-ims.at, 1
+rib-ims.ch, 1
+rib-ims.com, 1
+rib-ims.de, 1
+rib-leipzig.com, 1
+riba-lov.ga, 1
+ribafs.tk, 1
+ribapo.com, 1
+ribar.com, 1
+ribblu.com, 1
+ribccs.com, 1
+ribdigital.com, 0
+ribella.net, 1
+ribes.design, 0
+ribims.de, 1
+ribit4u.co.il, 1
+ribmountainwi.gov, 1
+ribolov.tk, 1
+ribtours.co, 1
+ric-rac.org, 1
+ricardo.nu, 0
+ricardobaptistaleite.pt, 1
+ricardojsanchez.com.ar, 1
+ricardopq.com, 1
+ricardoquaresma.tk, 1
+ricardotaakehb.tk, 1
+ricassiocosta.me, 1
+ricaud.me, 1
+riccy.org, 1
+riceadvice.info, 1
+ricecountymn.gov, 1
+ricedust.com, 1
+ricelasvegas.com, 1
+ricettedellanonna.net, 1
+ricettesemplicieveloci.altervista.org, 1
+rich-good.com, 0
+richadams.me, 1
+richandsteph.co.uk, 1
+richandsteph.uk, 1
+richard-fath.de, 1
+richard-offermanns.nl, 1
+richard-purves.com, 1
+richardb.me, 0
+richardcrosby.co.uk, 1
+richardharpur.com, 1
+richardhicks.us, 1
+richardhouts.tk, 1
+richardinesrolltop.com, 1
+richardjgreen.net, 1
+richardlangham.plumbing, 1
+richardlangworth.com, 1
+richardlevinmd.com, 1
+richardrblocker.net, 1
+richardschut.nl, 1
+richardsdebt.com, 1
+richardson.cam, 1
+richardson.engineering, 1
+richardson.pictures, 1
+richardson.software, 1
+richardson.systems, 1
+richardson.tk, 1
+richardson.tw, 1
+richardsoncountyne.gov, 1
+richardstonerealestate.com, 1
+richbutler.co.uk, 1
+richcat.tw, 1
+richecommecresus.com, 1
+richelelahaise.nl, 0
+richeyweb.com, 1
+richeza.com, 1
+richfieldadamscowi.gov, 1
+richfieldsean.org, 1
+richie.cloud, 0
+richie.fi, 1
+richie.pm, 1
+richiebartlett.com, 1
+richieheijmans.com, 1
+richieheijmans.email, 1
+richieheijmans.eu, 1
+richieheijmans.io, 1
+richieheijmans.network, 1
+richieheijmans.nl, 1
+richieheijmans.one, 1
+richiesroom.com, 1
+richini.com, 1
+richlandcenterwi.gov, 1
+richlandcountyoh.gov, 1
+richlandcountywi.gov, 1
+richlandwa.gov, 1
+richlj.com, 1
+richlj.net, 1
+richlogic.blog, 1
+richmond.com, 1
+richmondca.gov, 1
+richmondcountyclerk.com, 1
+richmondcountync.gov, 1
+richmondkitchens.com.au, 1
+richmondla.gov, 1
+richmondsunlight.com, 1
+richmoney.us, 1
+richmtdriver.com, 1
+richtabak.ru, 1
+richviajero.com, 1
+richwayfun.com, 1
+rickelrath.de, 1
+rickengineering.com, 1
+ricketyspace.net, 0
+rickhoekman.com, 1
+ricki-z.com, 0
+rickmakes.com, 1
+rickmanlegal.com, 1
+rickmartensen.nl, 0
+rickoriginal.nl, 1
+rickrongen.nl, 1
+rickrussellhomes.com, 0
+rickscastles.co.uk, 1
+ricksdailytips.com, 1
+rickvanderzwet.nl, 1
+ricky.photos, 1
+rickyips.tk, 1
+rickyromero.com, 1
+rickysgames.tk, 1
+rico-brase.de, 1
+rico-j.de, 1
+rico.ovh, 1
+ricobaldegger.ch, 1
+ricochet.com, 1
+ricochet.im, 1
+ricoydesign.com, 1
+ricozienke.de, 1
+ridayu.jp, 1
+riddhimarketplace.com, 1
+riddims.co, 1
+riddimsworld.com, 1
+riddler.com.ar, 1
+riddlock.com, 1
+rideapart.com, 1
+rideelectric.gov, 1
+ridegravel.ch, 1
+rideintaxi.com, 1
+rident-estetic.ro, 1
+riderchris.com, 1
+riders.ga, 1
+rides-japan.jp, 1
+ridetour.ru, 1
+rideyourdamn.bike, 1
+ridgecrestca.gov, 1
+ridgefieldct.gov, 1
+ridgespringsc.gov, 1
+ridgewaterlodge.com, 1
+ridgewaywi.gov, 1
+ridgidgear.eu, 1
+ridho.id, 1
+ridingoklahoma.com, 1
+ridingthetigerpro.com, 1
+rido.ml, 1
+ridsdale.ca, 1
+riechsteiner.tech, 1
+riecht-besser.de, 1
+riederle.com, 1
+riedl-shk.de, 1
+riemzac.com, 1
+riesenweber.id.au, 1
+riesheating.com, 1
+rieslingtrailclarecottages.ga, 1
+riess-ambiente.net, 1
+rietspoppen.tk, 1
+rietveldacademie.nl, 1
+riffable.com, 1
+riffnation.tk, 1
+riffreporter.de, 0
+riflajelemn.ro, 1
+rifledesign.co.uk, 1
+rift.pictures, 1
+rifugioselvabella.tk, 1
+rigabeerbike.com, 1
+rigabeerbike.lv, 1
+rigart-michael.be, 1
+rigartmichael.be, 1
+rigelro.ga, 1
+rigeltarot.com, 1
+riggsloves.me, 1
+riggsmarkham.com, 1
+riggtech.com.au, 1
+righettod.eu, 1
+rightblog.tk, 1
+rightbraingroup.com, 1
+rightfulowner.tk, 1
+rightinbox.com, 1
+rightlaw.nz, 1
+rightmovecanada.com, 1
+rightnetworks.com, 1
+rightreview.co.uk, 1
+rights.ninja, 1
+rightschool.cf, 1
+rightsizingcalculator.com, 1
+rightsolutionplumbing.com.au, 1
+rightstartcapital.com, 1
+rightstartent.com, 1
+rightstartinc.com, 1
+rightstuff.link, 1
+rightthingrecruit.com, 1
+righttolife.org.uk, 1
+rigidlandscapes.com.au, 1
+rihappy.tk, 1
+riietr.com, 1
+riigikogu.ee, 0
+riil.org, 1
+riino.site, 1
+rijk-catering.nl, 0
+rijnland.net, 1
+rijonawnings.com, 1
+rijschoolgevonden.nl, 0
+rijschoolrichardschut.nl, 1
+rijsecure.nl, 1
+rijsinkunst.nl, 1
+rik.onl, 1
+rikardhallberg.com, 1
+rikels-slaapexperts.nl, 1
+rikki.moe, 1
+riklewis.com, 1
+rikmeijer.nl, 1
+rikpalm.nl, 1
+riksby.com, 1
+riku.pro, 1
+riku.pw, 1
+rikunori.com.tw, 1
+rileyevans.co.uk, 1
+rileypaige.com, 1
+rileys.club, 0
+rileyskains.com, 0
+rileystar.com, 1
+rilish.cf, 1
+rillet.com, 1
+rilretg.com, 1
+rim-kardzhali.bg, 1
+rim-kardzhali.org, 1
+riman.tk, 1
+rimax.vn, 0
+rimba.eu, 1
+rime.red, 1
+rimessaggio.it, 1
+rimetsu.com, 1
+riministreet.com, 1
+riminitoday.it, 1
+rimnow.mr, 1
+rimnow.net, 1
+rimo.site, 1
+rimonhwang.com, 1
+rimorrecherche.nl, 1
+rimzim.tk, 1
+rinabhabra.com, 1
+rinaent.com, 1
+rincat.ch, 1
+rincon-nsn.gov, 1
+rincondenoticas.com, 1
+rinconga.gov, 1
+rinconplacas.com, 1
+rinconwaterca.gov, 1
+rindepo.com, 1
+rineke.art, 1
+ring.com, 1
+ringgitplus.com, 1
+ringingliberty.com, 1
+ringlightstudios.com, 1
+ringmybell.tk, 1
+ringneckparakeets.com, 1
+ringofglory.ga, 1
+ringofglory.gq, 1
+ringover.com, 1
+rinka.moe, 1
+rinkhill.com, 1
+rinko-mama.com, 1
+rinoartdistrict.org, 1
+rinova.me, 1
+rinsbacherhof.com, 1
+rinskeshomepage.tk, 1
+rintarokobayashi.jp, 1
+rinton.ru, 1
+rinu.cf, 1
+rinvex.com, 1
+rinyui.cn, 1
+rinyui.com, 1
+rioinbox.com.br, 1
+rioloagolf.tk, 1
+riomaisbrindes.com.br, 1
+riomi.org, 1
+riosat.ru, 1
+riosoil.co.uk, 1
+riosoil.com, 1
+riosoils.co.uk, 1
+riosoils.com, 1
+riotest.xyz, 1
+riotseeds.cloud, 1
+rip-sport.cz, 1
+ripadores.tk, 1
+ripcorddesign.com, 1
+ripcordsandbox.com, 1
+ripcurl.tk, 1
+ripenapps.com, 1
+ripetizioni.roma.it, 1
+ripin.org, 1
+ripmixmake.org, 1
+ripon-wi.gov, 1
+riponadvance.com, 1
+ripp-it.com, 1
+ripper.store, 1
+ripplecraft.cn, 1
+ripplemarkeg.com, 0
+ripplenews.club, 1
+ripplenews.co, 1
+ripplenews.io, 1
+ripplenews.live, 1
+ripplenews.news, 1
+ripplenews.online, 1
+ripplenews.ru, 1
+ripplenews.world, 1
+rippling.com, 1
+riproduzionichiavi.it, 1
+riptidetech.io, 1
+ripu-eshii.com, 1
+riri-tendedasole.it, 1
+ririro.com, 1
+ris.fi, 1
+ris2048.pt, 1
+risa.chat, 1
+risada.nl, 1
+risalatconsultants.com, 1
+riscascape.net, 1
+risco.ro, 1
+riscone.info, 1
+riscoscommunity.org, 1
+riscoshardware.tk, 1
+riscure.com, 1
+rise-technologies.com, 1
+rise.com, 1
+rise.global, 1
+rise.md, 1
+risecomedy.com, 1
+risecstate.gov, 1
+riseofmiddle-earth.tk, 1
+riseonline.wiki, 1
+riseproject.ro, 1
+riseshost.ml, 1
+riseup.net, 1
+riseupelectrical.com.au, 1
+rishabh.me, 1
+rishav.top, 1
+risheriffs.gov, 1
+rishikeshan.com, 1
+rishikeshyoga.in, 1
+rishteykaro.com, 1
+risi-china.com, 1
+risilience.com, 1
+rising-cubers.tk, 1
+risingsoftware.com, 1
+risingtidecapital.org, 1
+risitas.com.ar, 1
+riskbase.uk, 1
+riskconsole.com, 1
+riskiq.com, 0
+riskmitigation.ch, 1
+riskstudio.com, 1
+risky.services, 1
+riskymeals.com, 1
+risman.tk, 1
+risonanzamagnetica.roma.it, 1
+risoscotti.es, 0
+risounokareshi.com, 1
+risparmiare.info, 1
+risquefetish.com, 1
+risquefetish.net, 1
+risquefetish.org, 1
+risquefetishtoys.com, 1
+ristioja.ee, 1
+ristisanat.fi, 1
+ristorantedabeni.be, 1
+ristoviitanen.fi, 1
+ristrutturazione.roma.it, 1
+ristrutturazioneappartamenti.milano.it, 1
+ristrutturazioneappartamento.roma.it, 1
+ristrutturazioniappartamentinapoli.it, 1
+risu.to, 1
+risunki.ga, 1
+rit.ee, 0
+rit.space, 1
+ritaescortsdelhi.com, 1
+ritaj.estate, 1
+ritaohio.gov, 1
+ritas.tk, 1
+ritchieneville.tk, 1
+riteboost.com, 1
+ritel.nl, 1
+ritense.com, 0
+ritense.nl, 1
+ritepriceheatingcooling.com.au, 1
+ritepriceroofing.com.au, 1
+riterry.com, 1
+riteway.rocks, 1
+ritirocalcinacci.roma.it, 1
+ritirocalcinacci.viterbo.it, 1
+ritmoloco.fr, 1
+ritmos.tk, 1
+ritmuzic.ml, 1
+ritoge.com, 1
+ritoner.it, 1
+ritos.ru, 1
+ritrium.com, 1
+ritsf.com, 1
+ritsu-life.com, 1
+rittau.org, 1
+rittersprinting.com, 1
+ritual-gratek.ru, 1
+ritual.com, 1
+ritual.ml, 0
+ritunewasser.ch, 1
+ritus.md, 1
+ritzcarltonclub.com, 1
+ritzlux.com.tw, 1
+rivaforum.de, 1
+rivago.tk, 0
+rivals.space, 1
+rivalsa.cn, 1
+rivalsa.net, 1
+rivastation.de, 1
+riveal.fr, 1
+rivenmains.com, 1
+river-rest.com, 1
+river.gq, 1
+riverbednetflowsupport.com, 1
+rivercitybni.com, 1
+rivercitycycling.org, 1
+riverford.co.uk, 1
+riverhoa.org, 1
+riverlandenergy.com, 1
+riverlea.com.au, 1
+riverlinegaragedoor.com, 1
+riveroakaa.com, 0
+riveroaksdentaljax.com, 1
+riverotravel.cl, 1
+riverpark.casa, 1
+riverridgecc.com, 1
+riverroaddental.ca, 1
+riverrun.tk, 1
+rivers.gov, 1
+riverschool.net, 1
+riversidebaptistchurch.net, 1
+riversideiowa.gov, 1
+riversidemo.gov, 1
+riversideradio.nl, 1
+riversmeet.co.uk, 1
+rivertv.ca, 1
+riverviewtree.com, 1
+rivervista-vacationhomes.com, 1
+riverweb.gr, 1
+riverwoods.gov, 1
+rivethealthlaw.com, 1
+rivian.com, 1
+rivian.software, 1
+rivingtongreenwich.co.uk, 1
+rivlo.com, 1
+rivmedia.co.uk, 1
+rivoflor.it, 1
+rivolta.tk, 1
+rivus.net, 1
+riweco.ga, 1
+riwers.io, 1
+rix.ninja, 1
+rixcloud.moe, 1
+rixzz.ovh, 1
+riyono.com, 1
+rizaderindag.com, 1
+rizalpalawan.gov.ph, 0
+rizehaberleri.tk, 1
+rizer.io, 0
+rizhik.com.ua, 1
+rizikaockovani.cz, 1
+rizonrice.club, 1
+rizospastis.gr, 1
+rj-onderneemt.nl, 1
+rjan.nl, 1
+rjbookings.nl, 1
+rjclegeplads.dk, 1
+rje-hub.net, 1
+rjet.com, 1
+rjfedor.com, 1
+rjfedor.ddns.net, 1
+rjhgroup.co.uk, 1
+rjia.gq, 1
+rjmartz.com, 1
+rk-box.ru, 1
+rk-links.ml, 1
+rk-mediawork.de, 0
+rk.com, 1
+rkabworks.uk, 1
+rkbegraafplaats.com, 1
+rkesport.com, 0
+rkfp.cz, 1
+rkkerkjoppe.nl, 1
+rkmedia.no, 1
+rkmns.edu.in, 1
+rknews.tk, 1
+rkowalewski.de, 1
+rkstudio.com, 1
+rl3.de, 1
+rlahaise.nl, 0
+rlalique.com, 1
+rlan.eu.org, 1
+rland.ph, 1
+rlcosmeticsurgery.com, 1
+rld.org, 1
+rleeden.no-ip.co.uk, 1
+rleeden.servehttp.com, 1
+rleeden.servemp3.com, 1
+rleh.de, 1
+rlmud.tk, 1
+rlove.org, 1
+rlptoday.de, 1
+rm-it.de, 1
+rm2brothers.cc, 1
+rmb.li, 1
+rmbnsw.org.au, 1
+rmbs.de, 1
+rmbs.org, 1
+rmcbs.de, 1
+rmcinsuranceservices.com, 1
+rmconsulting.com, 1
+rmdb.tk, 1
+rmdhnreza.my.id, 1
+rmdis.au, 1
+rmdscreen.com, 1
+rme.li, 0
+rmf.io, 1
+rmfscrubs.com, 1
+rmgsm.ir, 1
+rmi.com.ar, 1
+rmit.ee, 0
+rmitobacco.com, 1
+rml-liege.be, 1
+rmm-i.com, 1
+rmmanfredi.com, 1
+rmodular.com, 1
+rmol.tk, 1
+rmp-gebaeudedienste.de, 1
+rmpbuilders.com.au, 1
+rmrcapitalinc.com, 1
+rmrig.org, 1
+rms.com, 1
+rms.sexy, 1
+rmsisrs.com, 1
+rmsk.tk, 1
+rmsliberty.com, 1
+rmsu.pl, 1
+rmsupply.nl, 1
+rmt-construction.co.za, 1
+rmtconstruction.co.za, 1
+rmupasswordstudy.com, 1
+rmurai.com, 0
+rmvalues.com, 1
+rmw-energy.de, 1
+rmyachting.com, 1
+rn29.me, 1
+rnag.ie, 1
+rnb-storenbau.ch, 1
+rnbjunk.com, 1
+rndtool.info, 1
+rnest-maintenance.eu, 1
+rnews.tk, 1
+rngmeme.com, 1
+rnjobsite.com, 1
+rnmkrs.co, 1
+rnp.br, 1
+rntgroup.com, 1
+rntomsn.com, 1
+rntomsnedu.org, 1
+rnz3.net, 1
+ro.co, 1
+ro.exchange, 1
+ro.search.yahoo.com, 0
+ro89.com, 1
+roa.net, 1
+roach.nz, 1
+road-safety.cz, 1
+road-trips.fr, 1
+roadaccident.tk, 1
+roadandtransport.ga, 1
+roadbikes.tk, 1
+roaddoc.de, 1
+roadguard.nl, 0
+roadhousecinemas.com, 1
+roadtochina.tk, 1
+roadtoglory.tk, 1
+roadtopgm.com, 1
+roadtripaustralia.com.au, 1
+roadtripnation.com, 1
+roadtripusa.tk, 1
+roalogic.com, 1
+roamadvisors.com, 1
+roamfreun.tk, 1
+roamroofingco.com, 1
+roams.com.co, 1
+roams.es, 1
+roams.mx, 1
+roanboute.be, 1
+roanoke.com, 1
+roar.com.br, 1
+roaringforkfire.gov, 1
+roastely.com, 1
+roaster.ga, 1
+roastrepublic.co, 1
+roayahnews.com, 1
+rob006.net, 1
+robandjanine.com, 1
+robaxin750mg.ml, 1
+robben.io, 1
+robbertt.com, 0
+robbie.bio, 1
+robbie.contact, 1
+robbie.studio, 0
+robbiebird.tk, 1
+robbiecrash.me, 1
+robbielowe.co, 1
+robbievasquez.com, 1
+robbins-construction.com, 1
+robbinsdalemn.gov, 1
+robbrestyle.com, 1
+robbyzworld.cf, 1
+robdavidson.network, 1
+robersonaudio.tk, 1
+robert-adam.de, 1
+robert-ewert.tk, 1
+robert-flynn.de, 1
+robert-foster.com, 1
+robert-reisemobil.de, 1
+robert-victor.co.uk, 1
+robert-wiek-transporte.de, 1
+robertaltizer.com, 1
+robertattfield.com, 1
+robertayamashita.com, 1
+robertayamashita.com.br, 1
+robertbln.com, 1
+robertcspies.de, 1
+robertdunn.net, 1
+robertg.me, 1
+robertglastra.com, 1
+robertgonzalez.tk, 1
+roberthenrys.com, 1
+roberthurlbut.com, 1
+robertkrueger.de, 1
+robertlowdon.com, 1
+robertlysik.com, 1
+robertmusil.ml, 1
+robertocasares.no-ip.biz, 0
+robertodegroot.tk, 1
+robertodivirgilio.it, 1
+robertoentringer.com, 0
+robertof.ovh, 1
+robertoggarcia.tk, 1
+robertopazeller.ch, 1
+robertoullan.tk, 1
+robertreiser.photography, 1
+robertrijnders.nl, 1
+robertsfinejewelers.com, 1
+robertsjoneslaw.com, 1
+robertsmits.be, 1
+robertson-cg.com, 1
+robertsonblums.com, 1
+robertsoncountytn.gov, 1
+robesoncountync.gov, 1
+robgorman.ie, 1
+robhorstmanshof.nl, 1
+robi-net.it, 1
+robicue.com, 0
+robin-kusch.de, 1
+robin-meis.com, 1
+robin-novotny.com, 1
+robin.co.kr, 1
+robin.info, 1
+robinb0s.nl, 1
+robinbos.nl, 1
+robinbrook.co.uk, 1
+robindirksen.com, 1
+robinevandenbos.nl, 1
+robinflikkema.nl, 1
+robinfrancq.ml, 1
+robinhallnursery.org.uk, 1
+robinhor10.tk, 1
+robinhordon.tk, 1
+robinlinden.eu, 1
+robinloeffel.ch, 0
+robinminto.com, 1
+robinmurez.com, 1
+robinopletal.com, 1
+robinsoncontracting.ca, 1
+robinsonphotos.uk, 1
+robinsonsmalls.com, 1
+robinsonstrategy.com, 1
+robinsonyu.com, 1
+robinsremembered.tk, 1
+robintimmers.nl, 1
+robinvanpersie.tk, 1
+robinvdmarkt.nl, 1
+robinwill.de, 1
+robinwinslow.uk, 1
+robinzone.ua, 1
+robinzorg.nl, 1
+robjager-fotografie.nl, 0
+robkaper.nl, 1
+robkish.life, 1
+roblog.tk, 1
+roblox.com, 1
+robloxenthusiasts.ga, 1
+robnicholls.co.uk, 1
+robobusiness.ga, 1
+robocop.no, 1
+robodeidentidad.gov, 1
+roboform.com, 1
+robohash.org, 1
+robokits.co.in, 1
+roboland.ga, 1
+roboonline.tk, 1
+roboquantico.com, 1
+roboraptor.tk, 1
+roborehber.com, 1
+robot-invest.cf, 1
+robot-invest.ml, 1
+robot.car, 1
+robotask.in, 1
+robotattack.org, 1
+robotbattle.tk, 1
+robotcoral.de, 1
+robotdecocinaya.com, 1
+roboth.am, 1
+robotham.org, 1
+roboticsummit.com.br, 1
+robotimeshop.com, 1
+robotkvarnen.se, 1
+roboto.social, 1
+robotrewrite.com, 1
+robots-ju.ch, 1
+robotsbigdata.com, 1
+robottip.com, 1
+robowars.ga, 1
+robpol86.com, 1
+robs-info.eu, 1
+robspc.repair, 1
+robspeed.rocks, 1
+robstibal.com, 1
+robtatemusic.com, 1
+robtex.com, 1
+robu.in, 1
+robust.ga, 1
+robustac.com, 1
+robuxemporium.com, 1
+robuxkingz.ml, 1
+roc-reo.tk, 1
+roc-taiwan.su, 1
+roc-taiwan.taipei, 1
+roc-tw.tw, 1
+roc.gov.au, 0
+rocabot.ddns.net, 1
+roccasemijoias.com.br, 1
+rochaaricanduva.com.br, 1
+rochakhand-knitcraft.com.np, 1
+rochcloud.cf, 1
+rochediagram.com, 1
+rochesterglobal.com, 1
+rochesternh.gov, 1
+rochestertwpil.gov, 1
+rochesterwi.gov, 1
+rochesterymca.org, 1
+rochow.me, 1
+rocis.gov, 1
+rock-base.tk, 1
+rock-zottegem.be, 1
+rock4life.be, 1
+rocka.me, 1
+rockabilly-sinners.tk, 1
+rockadocious.com, 1
+rockagogo.com, 1
+rockandroll.tk, 1
+rockats.org, 1
+rockbandparty.com, 1
+rockbankland.com.au, 1
+rockbridge.tk, 1
+rockcelebrities.net, 1
+rockcellar.ch, 1
+rockcountyne.gov, 1
+rockcult.ru, 1
+rockdalecoprobatecourt.gov, 1
+rockdaletx.gov, 1
+rockenfolie.com, 0
+rockenfuerlachenhelfen.de, 1
+rockernj.com, 1
+rocket-resume.com, 1
+rocket.is, 1
+rocketbears.com, 1
+rocketcityts.com, 1
+rocketdashboard.com, 1
+rocketdoctor.ca, 1
+rocketdoctor.us, 1
+rocketeer.tk, 1
+rocketevents.com.au, 1
+rocketgnomes.com, 1
+rocketmill.co.uk, 1
+rocketmulejunkremoval.com, 1
+rocketnet.ml, 1
+rocketr.net, 1
+rocketrubber.com, 1
+rocketsales.al, 1
+rocketsales.at, 1
+rocketsales.be, 1
+rocketsales.bg, 1
+rocketsales.by, 1
+rocketsales.cz, 1
+rocketsales.dk, 1
+rocketsales.es, 1
+rocketsales.eu, 1
+rocketsales.fi, 1
+rocketsales.fr, 1
+rocketsales.gr, 1
+rocketsales.io, 1
+rocketsales.it, 1
+rocketsales.lt, 1
+rocketsales.lu, 1
+rocketsales.md, 1
+rocketsales.me, 1
+rocketsales.mk, 1
+rocketsales.pt, 1
+rocketsales.ro, 1
+rocketsales.se, 1
+rocketsales.si, 1
+rocketsales.sk, 1
+rocketsandtutus.com, 1
+rocketsworld.tk, 1
+rockfallsil.gov, 1
+rockfax.com, 1
+rockfordnetworks.com, 1
+rockfordpressurewashing.com, 1
+rockfordtow.com, 1
+rockfreshmanyear.com, 1
+rockfs.ml, 1
+rockingreports.com, 1
+rockinit.tk, 1
+rockinmama.net, 1
+rockinronniescastles.co.uk, 1
+rockislandcountyil.gov, 1
+rockitinflatables.co.uk, 1
+rockitreports.com, 1
+rocklabs.xyz, 1
+rocklandbrownwi.gov, 1
+rocklandcountyny.gov, 1
+rocklinhousecleaning.com, 1
+rocknbluestoday.tk, 1
+rocknreports.com, 1
+rocknrowdyranch.com, 1
+rocknwater.com, 1
+rockpesado.com.br, 1
+rockporttx.gov, 1
+rockrider.tk, 1
+rockriver.tk, 1
+rocksalt.tk, 1
+rockset.com, 1
+rockshooters.com, 1
+rockslideengineering.com, 1
+rocksoundradio.tk, 1
+rockspringswi.gov, 1
+rocktape.com, 1
+rocktonil.gov, 1
+rocktontownshipil.gov, 1
+rockvilledentalarts.com, 1
+rockworldteam.tk, 1
+rockyford-co.gov, 1
+rockymountaininsurancecenter.com, 1
+rockymountainspice.com, 1
+rockymountva.gov, 1
+rockymtnexpress.com, 1
+rockyourlife.gq, 1
+rockyrealestate.com, 1
+rocssti.net, 1
+rodab.party, 1
+rodafe.sk, 1
+rodapiao.com.br, 1
+rodarion.pl, 1
+rodchapman.com, 0
+roddis.net, 1
+rodehutskors.net, 1
+rodelstein.eu, 1
+rodeobull.biz, 1
+rodeodrive.tk, 1
+rodeohire.com, 1
+rodeoimport.com, 1
+rodeosales.co.uk, 1
+roder-skarf.se, 1
+rodest.net, 0
+rodevlaggen.nl, 1
+rodgersawnings.com, 1
+rodichi.net, 1
+rodin.tk, 1
+rodinka.tk, 1
+rodinnebyvanie.eu, 1
+rodinneodpoledne2018.cz, 1
+rodirik.de, 1
+roditely.cf, 1
+rodneybrooksjr.com, 1
+rodnikbel.tk, 1
+rodobike.com.br, 1
+rodokubu.jp, 1
+rodolfo.gs, 1
+rodomonte.org, 1
+rodosto.com, 1
+rodpenroseracing.com.au, 1
+rodrigamer.com, 1
+rodrigoacevedo.com.uy, 1
+rodrigoarayaaliaga.com, 1
+rodrigoarriaran.com, 1
+rodrigocarvalho.blog.br, 1
+rodrigocofre.com, 1
+rodrigodematos.tk, 1
+roeckx.be, 1
+roed.gg, 1
+roeden.dk, 1
+roedesonline.nl, 1
+roedl.de, 1
+roefja.com, 1
+roeitijd.nl, 0
+roelenscitynews.ml, 1
+roelhollander.eu, 1
+roeljoyas.com, 1
+roellcapital.com, 1
+roelmagdaleno.com, 1
+roelof.io, 1
+roelonline.tk, 1
+roels.com, 1
+roelsworld.eu, 1
+roemhild.de, 1
+roenhorst.net, 0
+roeriverbooks.ie, 1
+roerstaafjes.nl, 1
+roethelheim.net, 1
+roethelheim.org, 1
+rofena.org, 1
+rofl.com.ua, 1
+rofrank.space, 1
+rogacevo.tk, 1
+rogagym.com, 1
+rogaineforwomen.ga, 1
+rogalcraigtaylor.com, 1
+rogard.fr, 0
+rogarden.ro, 1
+roge.pw, 1
+rogeiro.net, 1
+rogell.tk, 1
+rogerdat.ovh, 1
+rogerdeflor.tk, 1
+rogerfages-peinture.fr, 1
+rogerhub.com, 1
+rogerkunz.ch, 1
+rogerriendeau.ca, 1
+rogersvilletn.gov, 1
+rogersvilleumc.org, 1
+roggebroek.nl, 1
+rogiershikes.tk, 1
+rogin.tk, 1
+rognhaugen.no, 1
+rogo.cz, 1
+rogoff.xyz, 1
+rogplus.nl, 1
+rogue-e.xyz, 1
+rogue.pw, 1
+roguecoder.net, 1
+roguefortgame.com, 1
+roguelicious.com, 1
+roguenation.space, 1
+roguenetworks.me, 1
+roguerocket.com, 1
+roguetech.ca, 1
+roguetechhub.org, 1
+rohal.tk, 1
+rohanbassett.com, 1
+rohaniways.com, 0
+rohankondvilkar.com, 1
+rohansingh.cf, 1
+rohde.de, 0
+rohedaten.de, 1
+rohitagr.com, 1
+rohitgupta.xyz, 1
+rohkeakirkko.fi, 1
+rohlik.cz, 1
+rohrle.com, 1
+rohrle.net, 1
+rohrle.org, 1
+rohrreinigung-zentrale.de, 1
+rohrstock.at, 1
+roi-project.be, 1
+roi-project.eu, 1
+roiblozyxfswe.ga, 1
+roidsstore.com, 1
+rointe.online, 1
+roircop.info, 1
+roishopper.com, 1
+roisu.org, 0
+rojavainformationcenter.com, 1
+rojiblancos.tk, 1
+rojotv.tk, 1
+rokade.info, 1
+rokales.com, 1
+rokalesalapitvany.com, 1
+rokass.nl, 1
+rokettube.tk, 1
+rokki.ch, 0
+roko-foto.de, 1
+rokudenashi.de, 1
+rokuk.org, 1
+rolamar.com.br, 1
+roland.io, 1
+rolandinsh.com, 0
+rolandlips.com, 1
+rolandog.com, 1
+rolandoredi.com, 1
+rolandozarate.tk, 1
+rolandszabo.com, 1
+rolandvanipenburg.com, 1
+rolc.org.sg, 1
+roldeco.nl, 1
+rolecontj.com, 1
+roleplayhome.com, 1
+roligh.cf, 1
+roligt.tk, 1
+roliki.ml, 1
+roll-bakery.com.tw, 1
+roll.hockey, 1
+roll9.com, 1
+rollatorweb.nl, 1
+rollbackdiabetes.com, 1
+rolledout.info, 1
+rollerderbycollection.ga, 1
+rollerderbywines.ga, 1
+rollerwarehouse.com, 1
+rolleyes.org, 1
+rollforadventure.com.au, 1
+rollingbarge.com, 1
+rollingcouchapp.com, 1
+rollinghillsestates.gov, 1
+rollingshuttle.org, 1
+rollinsdogtraining.com, 1
+rollinspass.org, 1
+rollthedice.tk, 1
+rollthepay.com, 1
+rolotrans.cf, 1
+rolotrans.ga, 1
+rolotrans.gq, 1
+rolotrans.ml, 1
+rolstoelappartementen.tk, 1
+rolzzandik.cf, 1
+roma-servizi.it, 1
+romab.com, 1
+romacoffee.co.nz, 1
+romadiluna.band, 1
+romadprojects.com.au, 1
+romagnaoggi.it, 1
+romail.ml, 1
+romainlapoux.com, 1
+romainlapoux.fr, 1
+roman-pavlik.cz, 1
+roman.systems, 1
+romana.org, 1
+romanceamor.com.pt, 1
+romancerecipes.com, 1
+romancy.tk, 1
+romanglos.de, 1
+romania-film.ml, 1
+romaniacompany.com, 1
+romanian.cam, 1
+romankozak.cz, 1
+romanmichel.de, 1
+romano.guru, 1
+romanos.tk, 1
+romanovka.ml, 1
+romanpavlodar.kz, 1
+romantelychko.com, 1
+romanticdate.ga, 1
+romanticdate.gq, 1
+romanticdate.ml, 1
+romanticdate.tk, 1
+romantico.tk, 1
+romanticsexshopguatemala.com, 1
+romantictoys.nl, 0
+romanticvillas.com.au, 0
+romantik-fm.ml, 1
+romantik-fm.tk, 1
+romantik.cf, 1
+romantik.tk, 1
+romantischetuin.nl, 1
+romanywg.com, 1
+romapk.tk, 1
+romarin.es, 1
+romaservicegroup.it, 1
+romashka.tk, 1
+romasko.ml, 1
+romastantra.com, 1
+romatoday.it, 1
+romatours.pt, 0
+romatrip.it, 1
+romb.tv, 1
+rombarte.pl, 1
+romcom.info, 1
+romdrop.com, 1
+rome-airport.net, 1
+rome.tools, 1
+romediatori.com, 1
+romega.gov, 1
+romegafire.gov, 1
+romegapolice.gov, 1
+romenz.com, 1
+romeoahmed.top, 1
+romeoferraris.com, 1
+romeoijulio.tk, 1
+romerska-ringar.se, 1
+rommelhuntermusic.tk, 1
+rommelmark.nl, 1
+rommelwood.de, 1
+romo-holidays.de, 1
+romo-holidays.dk, 1
+roms.fun, 0
+romspedia.com, 1
+romtex.co.uk, 1
+romun.net, 1
+romy.tw, 1
+ron2k.za.net, 1
+ronaldcantor.com, 1
+ronaldleite.tk, 1
+ronaldvanassen.nl, 1
+ronan.cf, 1
+ronanrbr.com, 1
+ronasit.com, 1
+ronbongamis.com, 1
+ronc.ru, 1
+roncoutilities.com, 1
+ronda.tk, 1
+rondacan.com, 1
+rondommen.nl, 1
+rondouin.fr, 1
+ronem.com.au, 1
+ronforeman.com, 1
+ronghexx.com, 0
+roninathletics.com, 1
+roninf.ch, 1
+roninitconsulting.com, 1
+ronniegane.kiwi, 1
+ronnylindner.de, 1
+ronomon.com, 1
+ronzertnert.xyz, 1
+roobet.com, 1
+roodarvasi.ir, 1
+roodfruit.com, 1
+roodfruit.nl, 1
+roodfruit.studio, 1
+roodgroen.social, 1
+roodhealth.co.uk, 1
+roodo.com, 1
+roof.ai, 0
+roofcareswfl.com, 1
+roofcheckmate.com, 1
+roofer.cf, 1
+roofhaven.co.uk, 1
+roofingandconstructionllc.com, 1
+roofingmaterials.tk, 1
+roofingomaha.com, 1
+roofonline.com, 1
+roofpost.gq, 1
+roofride.com, 1
+roofsandbasements.com, 0
+rooftopapp.com, 1
+roohanionlinespiritualhelp.co.uk, 1
+rooiratel.red, 1
+rook-playz.net, 1
+rookgamingisevil.com, 1
+rookie.com.pl, 1
+rookiemamabear.com, 1
+roolife.xyz, 0
+room-checkin24.de, 1
+room-composite.com, 1
+room.to, 0
+room208.org, 1
+room362.com, 1
+room45.tk, 1
+room8group.com, 0
+roombase.nl, 1
+roomcube.tk, 1
+roomee.tk, 1
+roomguide.info, 1
+roomhub.jp, 1
+roomie.fi, 1
+roomieapp.fi, 1
+roomme.dk, 0
+roommomrescue.com, 1
+roomonline.tk, 1
+roomoutside.com, 1
+rooms.aero, 1
+roomsatevents.eu, 1
+roomstr.de, 1
+rooneyholdings.com, 1
+roopakv.com, 1
+roorda-schilders.nl, 1
+roosendaalsbiergilde.nl, 1
+roosendaalsbockbierfestival.nl, 1
+rooseveltcountymt.gov, 1
+roosterpets.com, 1
+root-books.gq, 1
+root-books.ml, 1
+root-couture.de, 1
+root-space.eu, 1
+root.bg, 1
+root.cz, 1
+root.eu.org, 1
+root.place, 1
+rootandvessel.com, 1
+rootbsd.at, 1
+rootcamp.net, 1
+rootcommand.com, 1
+rootdo.com, 1
+rootdo.org, 1
+rootear.com, 1
+rootedlifemontessori.com, 1
+rooter.group, 1
+rootergroupinc.ca, 1
+rootfor.me, 1
+rootgsm.com, 1
+rootie.de, 1
+rootinchase.com, 1
+rootingpalace.tk, 1
+rootkit.es, 1
+rootlair.com, 1
+rootless.ga, 1
+rootless.tk, 1
+rootly.com, 1
+rootnician.com, 1
+rootonline.de, 1
+rootpak.com, 1
+rootperov.tech, 1
+rootpigeon.com, 1
+rootprompt.at, 1
+rootrelativity.com, 1
+rootroo.com, 1
+roots-example-project.com, 1
+roots.io, 0
+rootsandrain.com, 1
+rootsbar.fr, 0
+rootscope.co.uk, 0
+rootsinmadrid.tk, 1
+rootsland.de, 1
+rootsland.net, 1
+rootsmusicmanagement.tk, 1
+rootstation.de, 1
+rootsweb.com, 1
+rootusers.com, 1
+roozbeh.tk, 1
+rop.cx, 1
+ropd.info, 1
+ropesmart.com, 1
+ropoxcheats.ru, 1
+roques.tk, 1
+roquesevilla.com, 1
+rorelseprojektet.se, 1
+roromendut.online, 1
+rorr.im, 1
+roryneville.com, 1
+rosa-spain.tk, 1
+rosabellas.co.uk, 1
+rosabrasiv.ga, 1
+rosacosmos.tn, 1
+rosaflorbijoux.com.br, 1
+rosalinda.cl, 1
+rosalindturner.co.uk, 1
+rosalopezcortes.tk, 1
+rosamystica.tk, 1
+rosanerolife.tk, 1
+rosangar.com, 1
+rosaquest.ru, 0
+rosary.hounslow.sch.uk, 1
+rosaserra.es, 1
+rosbiznes.tk, 1
+rosclar.com, 0
+roscommontownshipmi.gov, 1
+rosdpk.ru, 1
+rosdver.ru, 1
+rose-corp.co.jp, 1
+rose-prism.org, 1
+roseberyvenues.co.uk, 1
+rosebikes.com, 1
+rosebikes.de, 1
+rosebikes.nl, 1
+roseboom-bouwkundigadvies.nl, 1
+rosebudcountysheriffmt.gov, 1
+rosecoaudit.com, 1
+rosecrance.org, 1
+rosedenellandudno.co.uk, 1
+rosefloricultura.com.br, 1
+rosehishop.com, 1
+rosehosting.reviews, 1
+roseitsolutions.co.uk, 1
+roseliere.com, 0
+roselinlin.com, 1
+rosemariefloydballet.com, 1
+rosemountmn.gov, 1
+rosenberg-fansite.tk, 1
+rosenberggard.se, 1
+rosenheimsingles.de, 1
+rosenkavalier.tk, 1
+rosenkeller.org, 1
+roseon.net, 0
+roseparkhouse.com, 1
+rosesciences.com, 1
+rosesunmotor.com, 1
+rosetiger.life, 1
+rosetravel.de, 0
+rosettapeters.com, 1
+rosetteromance.tk, 1
+rosetwig.ca, 1
+rosetwig.systems, 1
+rosevalleyfolk.com, 1
+rosevillefacialplasticsurgery.com, 1
+rosevillekindy.nsw.edu.au, 1
+rosevilletoday.com, 1
+rosewater.me, 1
+rosewebdesignstudio.co.uk, 1
+rosewebdesignstudio.uk, 1
+rosfan.by, 1
+rosgenea.ru, 1
+roshhashanahfun.com, 1
+roshiya.co.in, 1
+rosi-royal.com, 1
+rosiervandenbosch.nl, 1
+roskillcv.nz, 1
+roskillcv.org.nz, 1
+roslagenshiss.se, 1
+roslagensmansjour.tk, 1
+roslynpad.net, 1
+rosme.it, 1
+rosoft.tk, 1
+rosolioitalicus.com, 1
+rosound.cz, 1
+rosrabota.tk, 1
+ross-mitchell.com, 0
+rosscountyohiocasa.gov, 1
+rosscountyohiocourts.gov, 1
+rosset.me, 1
+rosset.net, 1
+rossia.ga, 1
+rossignoli.it, 1
+rossiyskaja.cf, 1
+rosskopfs.de, 1
+rosslug.org.uk, 1
+rossome.org, 1
+rossstores.com, 1
+rosstownshipmi.gov, 1
+rosstroj-balashiha.ml, 1
+rosstwpmcpa.gov, 1
+rossvillega.gov, 1
+rost.tv, 1
+rostclub.ro, 1
+rosten.tk, 1
+rostirolla.se, 0
+rostlau.be, 1
+rostov-aikido.tk, 1
+rostov-arena.ml, 1
+rostov.cf, 1
+rosty.sh, 1
+roswellcity.tk, 1
+rosystemsint.com, 1
+roszdravnadzor.gov.ru, 1
+rot256.io, 1
+rot47.net, 1
+rotamap.net, 1
+rotanaval.tk, 1
+rotaquote.com, 1
+rotaractclubtucuman.tk, 1
+rotaracthelmond.tk, 1
+rotarusofia.ru, 1
+rotary.org.ru, 1
+rotaryceuta.tk, 1
+rotaryfunds.ga, 1
+rotarykardzhali.org, 1
+rotas-turisticas.com, 1
+rotasgastronomicas.com, 1
+rotasgastronomicas.pt, 1
+rotasturisticas.com, 1
+rotasturisticas.com.pt, 1
+rotasturisticas.net, 1
+rotasturisticas.org, 1
+rotasturisticas.pt, 1
+rotasurbanas.pt, 1
+rotate4all.com, 1
+rotate4u.eu, 1
+rotaville.com, 1
+rotayazilim.net, 1
+roteam.tk, 1
+rotek.at, 1
+roten.email, 1
+rotespotsdam.tk, 1
+rothbruederlein.tk, 1
+rothco.com, 1
+rothe.io, 1
+rothkranz.net, 1
+rothwellgornthomes.com, 1
+rotince.tk, 1
+rotol.me, 1
+rotonde.gq, 1
+rottadeifenici.it, 1
+rottal-inn.de, 1
+rottamazioni.it, 1
+rotterdamapartments.com, 1
+rotterdamjazz.info, 1
+rottie.xyz, 1
+rottnestexpress.com.au, 1
+rottweil-hilft.de, 1
+rottweilerdogcare.com, 1
+rotu.pw, 1
+rotunneling.net, 1
+rouair.com, 1
+rouamatfashion.gr, 1
+roueneternalmagic.fr, 1
+rougechocolat.fr, 1
+rougeetblanc.tk, 1
+roughcopy.com.au, 1
+roughgrain.com, 1
+roughnex.tk, 1
+roughnotes.com, 1
+roughsexporn.com, 1
+roughtime.se, 1
+roulettecarnival.com, 1
+roulettelive.ml, 1
+roulettestar.com, 1
+roulinfo.ch, 0
+roullier.com, 1
+roulons-autrement.com, 1
+roundaboutweb.net, 1
+roundandbrown.com, 1
+roundball.tk, 1
+roundcube.mayfirst.org, 0
+roundgarden.nl, 1
+roundrock-locksmith.com, 1
+roundtablekzn.co.za, 1
+roundtechsquare.com, 1
+roundtoprealestate.com, 0
+roussillon-informatique.fr, 1
+roussos.cc, 1
+roussosmanos.gr, 1
+rout0r.org, 1
+route-wird-berechnet.de, 1
+route66.net, 1
+route66smiles.com, 1
+routechoices.com, 1
+routedlogic.net, 1
+routemates.tk, 1
+router24.info, 1
+routerchart.com, 1
+routerclub.ru, 1
+routerctrl.com, 1
+routerfi.com, 1
+routeto.com, 1
+routetracker.co, 1
+routeur4g.fr, 0
+rouwcentrumterheide.be, 1
+rouyt.com, 1
+rovatronic.tk, 1
+roverglobal.ga, 1
+roveridx.com, 1
+roverkob.dk, 1
+rovetf.tk, 1
+rovezzano.tk, 1
+rovian.ua, 1
+rovid.link, 1
+rovin.tk, 1
+rovity.io, 0
+rovota.com, 1
+rowancasting.ie, 1
+rowancounty911.com, 1
+rowancounty911.org, 1
+rowancountyairport.com, 1
+rowancountync.gov, 1
+rowankaag.nl, 1
+rowanpubliclibrary.com, 1
+rowansheriff.com, 1
+rowansheriff.org, 1
+rowantransit.com, 1
+rowantransit.org, 1
+rowanz.nl, 1
+rowery.org, 1
+rowingsa.asn.au, 1
+rowlog.com, 1
+rowra.org, 1
+roxanaherguz.com, 1
+roxanaramirez.love, 1
+roxanneguinoo.tk, 1
+roxburytech.tk, 1
+roxet.my.id, 1
+roxhillmedia.com, 1
+roxiesbouncycastlehire.co.uk, 1
+roxswinery.com, 1
+roxville.tk, 1
+roy-buehring.de, 1
+roy.wang, 1
+royal-coatings.com, 1
+royal-flowers.dp.ua, 1
+royal-knights.tk, 1
+royal-life.tk, 1
+royal-rangers.de, 1
+royal.io, 1
+royal71.com, 0
+royal806.com, 1
+royal84.com, 0
+royal869.com, 0
+royal876.com, 1
+royal88.com, 1
+royal880.com, 0
+royal8822.com, 0
+royal896.com, 0
+royal929.com, 0
+royal939.com, 1
+royalasianescorts.co.uk, 1
+royalaubar.com, 1
+royalbluewa3.cc, 1
+royalcanin.es, 1
+royalcanin.pt, 1
+royalcaninevent.com, 1
+royalcaribbeanentertainment.com, 1
+royalcavaliers.tk, 1
+royalchallengers.com, 1
+royalchess100.com, 1
+royalcitystudios.ca, 1
+royalcitytaxi.ca, 1
+royalcrowns.tk, 1
+royaldarts.tk, 1
+royaldoorkc.com, 1
+royaleafrica.com, 1
+royalembassys.com, 1
+royalfitnesschennai.in, 1
+royalfloraholland.com, 1
+royalfoundation.com, 1
+royalgdeluxe.al, 1
+royalgrandpalace.th, 1
+royalgroup.msk.ru, 1
+royalhosting.ch, 1
+royalkitchensandfurniture.co.ug, 1
+royalmarinesassociation.org.uk, 1
+royalmech.tk, 1
+royalnissanparts.com, 0
+royaloz.ma, 1
+royalpainters.co, 1
+royalpalmbeachfl.gov, 1
+royalpanda.com, 1
+royalrace.tk, 1
+royalsleeping.com, 1
+royalstylefit.com, 1
+royalsyouthhockey.com, 1
+royaltonvt.gov, 1
+royaltube.net, 1
+royalty-market.com, 1
+royaltyexchange.com, 1
+royaltyk9.com, 1
+royalvortex.co, 1
+royalworldservice.com.ua, 1
+royalyule.com, 1
+royaume-des-chats.fr, 1
+royaume-smoke.com, 1
+royaumesoublies.com, 1
+roycampbell.tk, 1
+royceandsteph.com, 1
+roycestars.com, 1
+roycewilliams.net, 1
+royger.tk, 1
+royoy.com, 1
+royrevell.com, 1
+roystowingrockford.com, 1
+roytuts.com, 1
+royvansichem.nl, 1
+royveenendaal.com, 1
+royxiang.me, 1
+royzez.com, 1
+rozalisbengal.ro, 1
+rozalynne-dawn.ga, 1
+rozar.eu, 1
+rozar.sk, 1
+rozataki.com.tr, 1
+rozemaandag.tk, 1
+rozhodce.cz, 1
+rozprodat.cz, 1
+roztilefona.net, 1
+rp-idskenhuizen.nl, 1
+rp-megapolis.tk, 1
+rp-murk.tk, 1
+rpa.gov, 1
+rpadonline.com, 1
+rpcinmobiliaria.net, 0
+rpg-maker.net, 1
+rpg-maker.org, 1
+rpgchan.cf, 1
+rpgfactory.tk, 1
+rpgfan.com, 1
+rpgmaker.es, 1
+rpgmakers.tk, 1
+rpguru.com, 1
+rpherbig.com, 1
+rphyncice.cz, 1
+rpi-pihole-mon.ddns.net, 1
+rpj.life, 1
+rpm-oldtimer-events.ch, 1
+rpmdrivingschool.com.au, 1
+rpmglobal.com, 1
+rpo97.fm, 0
+rpora.co, 1
+rpower.com, 1
+rpowerpos.com, 1
+rps-auto.com, 1
+rpschultz.de, 1
+rpts.edu, 1
+rpus.co, 1
+rpy.xyz, 1
+rq-labo.jp, 1
+rq.is, 1
+rqvmovies.com, 1
+rr30019.com, 1
+rr361.de, 1
+rr5197.co, 1
+rr6729.co, 1
+rr6729.com, 0
+rr6957.co, 1
+rr9297.co, 1
+rr9728.co, 1
+rrailto.com, 1
+rray.org, 1
+rrbahmedabad.gov.in, 1
+rrbmuzaffarpur.gov.in, 1
+rrbpatna.gov.in, 1
+rrbt.eu, 1
+rrbt.net, 1
+rrbts.com, 1
+rrdesignsuisse.com, 0
+rrdtool.com, 1
+rritv.com, 1
+rrke.cc, 0
+rrmac.ml, 1
+rrmiran.com, 1
+rrssww.space, 1
+rrtribalcourts-nsn.gov, 1
+rrudnik.com, 1
+rrvmz.cf, 1
+rrwolfe.com, 1
+rs-cloud.ddns.net, 1
+rs-devdemo.host, 1
+rs-maschinenverleih.de, 1
+rs.wiki, 1
+rs200.org, 1
+rsa-erp.com, 1
+rsa-services.com, 1
+rsanahuano.com, 1
+rsap.ca, 1
+rsarchive.net, 1
+rsauget.fr, 1
+rsb.net, 1
+rsblake.com, 1
+rsblake.net, 1
+rsc-cronenberg.de, 1
+rsc.wiki, 1
+rschooltoday.com, 1
+rscturmoil.com, 1
+rsdantyslab.lt, 1
+rsdbyroos.nl, 1
+rsdisedezzari.it, 1
+rsdns.ml, 1
+rse-reporting.com, 1
+rsec.kr, 1
+rsecure.tk, 1
+rsfinance.ch, 1
+rsgnl.fr, 1
+rsgx.com, 1
+rsingermd.com, 1
+rsl-hilden.de, 1
+rsl.gd, 1
+rslcaresa.com.au, 1
+rsldb.com, 1
+rslnd.com, 1
+rsm-intern.de, 1
+rsmedic.com, 1
+rsol.fr, 1
+rsolutions-expertises.fr, 1
+rspevents.ro, 1
+rspp.ru, 1
+rsquare.nl, 1
+rsridentassist.com, 1
+rsrnd.org, 1
+rsrural.com.br, 1
+rsrv.fr, 1
+rss.org.uk, 1
+rss.sh, 0
+rss3.co, 1
+rss3.io, 0
+rssfeedblast.com, 1
+rssfeedonline.tk, 1
+rssicons.pl, 1
+rssl.me, 1
+rssproject.nl, 1
+rssr.ddns.net, 1
+rssr.se, 1
+rssreaderone.com, 1
+rstadler.com, 1
+rstsecuritygroup.co.uk, 1
+rsttraining.co.uk, 1
+rsvaachen.de, 1
+rsvp, 1
+rsvpparty.com, 1
+rswebsols.com, 1
+rswm.in, 1
+rszod.com, 1
+rt-inc.com, 1
+rt-praxis-barbara-scheibel.de, 1
+rt.com, 1
+rt22.ch, 1
+rt96.it, 1
+rtarabic.com, 1
+rtate.ca, 1
+rtate.se, 1
+rtc-israel.com, 1
+rtcyber.com, 1
+rtd.uk, 0
+rtde.life, 1
+rtde.live, 1
+rtde.me, 1
+rtde.site, 1
+rtde.tech, 1
+rtde.world, 1
+rtde.xyz, 1
+rte.email, 1
+rte.eu, 1
+rte.host, 1
+rte.ie, 1
+rte.mobi, 1
+rte.radio, 1
+rte1.ie, 1
+rteaertel.ie, 1
+rtebensoc.ie, 1
+rtec.com.tw, 1
+rteguide.ie, 1
+rteinternational.ie, 1
+rtejr.ie, 1
+rtek.se, 1
+rtenews.eu, 1
+rteo.com.au, 1
+rteone.ie, 1
+rteplayer.co.uk, 1
+rteplayer.com, 1
+rteplayer.ie, 1
+rteplayer.org, 1
+rtesport.eu, 1
+rtestore.eu, 1
+rtgame.co.uk, 1
+rtgnews.cf, 1
+rtho.me, 1
+rths.tk, 0
+rtionline.gov.in, 1
+rtjobsite.com, 1
+rtkbe.com, 1
+rtl.de, 1
+rtlspiele.de, 1
+rtm.kr, 1
+rtmoran.org, 1
+rtmtech.ru, 1
+rtp.org, 1
+rtpa.es, 1
+rtparket.ga, 1
+rtsak.com, 1
+rtsr.ch, 0
+rttechlaw.com, 1
+rttreservations.com, 1
+rttss.com, 1
+rttvip.com, 1
+rttvvip.com, 1
+rtveen.nl, 1
+rtvslos.nl, 1
+rtwcourse.com, 1
+ru-acyclopedia.cf, 1
+ru-adv.tk, 1
+ru-auto.tk, 1
+ru-e-business.com, 1
+ru-m.org, 1
+ru-robot.tk, 1
+ru-sale.tk, 1
+ru-sprachstudio.ch, 1
+ru.search.yahoo.com, 0
+ru251.tk, 1
+rua.ink, 0
+ruageek.com, 1
+ruangangkasa.com, 0
+ruanmi.de, 1
+ruanwen168.com, 1
+ruavan.com, 1
+rubashki-opt.ml, 1
+rubashki.tk, 1
+rubbaduckee.tk, 1
+rubber.cf, 1
+rubberband.com, 1
+rubberchicken.net, 1
+rubberduckit.com, 1
+rubberlegscastles.co.uk, 1
+rubbermaidoutlet.com, 0
+rubbix.net, 1
+rubblebenoni.co.za, 1
+rubbleedenvale.co.za, 1
+rubblekempton.co.za, 1
+rubblemidrand.co.za, 1
+rubblerandburg.co.za, 1
+rubbleremovalsjohannesburgsouth.co.za, 1
+rubblesandton.co.za, 1
+rubdiavila.com, 1
+ruben.ga, 1
+rubenbaer.ch, 1
+rubenbrito.net, 1
+rubenfelix.tk, 1
+rubengutierrez.tk, 1
+rubenkruisselbrink.nl, 1
+rubenmamo.com, 1
+rubenpeeters.ml, 1
+rubenplazagarcia.es, 1
+rubenroy.com, 1
+rubenruiz.org, 1
+rubens.cloud, 1
+rubenschulz.nl, 1
+rubenshotel.com, 1
+rubenshuis.be, 1
+rubenslikkarchive.com, 1
+rubensteinphotography.com, 1
+rubensvrouwen.tk, 1
+ruber.cf, 1
+rubia.ca, 1
+rubiales.tk, 1
+rubic.tk, 1
+rubiconwi.gov, 1
+rubidium.ml, 1
+rubidium.se, 1
+rubik.tk, 1
+rubika.com.ua, 1
+rubinamillinery.com, 1
+rubinchyk.tk, 1
+rubinnadlan.co.il, 1
+rubiogafsi.com, 1
+rubirubli.tk, 1
+rubix.com, 1
+rublacklist.net, 1
+rublev.tk, 1
+rubonnek.com, 1
+rubooks.gq, 1
+rubreklama.tk, 1
+ruby-auf-schienen.de, 1
+rubyfactory.io, 1
+rubymaybetranslations.com, 1
+rubymediagroup.com, 1
+rubyonline.tk, 1
+rubyonremote.com, 1
+rubyquincunx.org, 1
+rubyribbon.com, 1
+rubystore.ga, 1
+rucheentreprise.fr, 1
+ruchka-mashinka.gq, 1
+rucinscy.net, 1
+rucinski.ch, 1
+rucinski.eu, 1
+rucinski.uk, 1
+rucksackrebellen.de, 1
+ruckzuck-privatpatient.de, 1
+rud.is, 1
+rudating.tk, 1
+rudd-o.com, 0
+rude.com, 1
+rudefish.tk, 1
+rudewiki.com, 1
+rudianto.id, 1
+rudibora.ml, 1
+rudimentalluxury.com, 1
+rudloff.pro, 1
+rudnikas.com, 1
+rudolf.gq, 1
+rudolph.life, 1
+rudovasky.com, 1
+rudrastyh.com, 1
+rudy.ga, 1
+rudymendoza.tk, 1
+rue-de-la-vieille.fr, 0
+ruebli-kurier.ch, 1
+rueckbeil.com, 1
+rueckert-gymnasium-blog.de, 1
+rueckgr.at, 1
+ruecommune.fr, 1
+ruediger-voigt.eu, 1
+ruedigervoigt.de, 1
+rueduparticulier.tk, 0
+rueg.eu, 1
+ruero.com, 1
+ruerte.net, 1
+ruexpert.cf, 1
+ruf888.com, 1
+rufartabs.ml, 1
+ruffbeatz.com, 1
+ruffcuts.com.au, 1
+ruffinstorage.com, 1
+ruffkatt.com, 1
+ruffm.com, 1
+ruffnecks.tk, 1
+ruflay.ru, 1
+ruforce.ml, 1
+rugadgets.tk, 1
+rugby.tk, 1
+rugby.video, 1
+rugbynow.com, 1
+rugbyrama.fr, 1
+rugcleaninglondon.co.uk, 1
+rugeley-vets.co.uk, 1
+rugged-cctv.com, 0
+rugk.dedyn.io, 1
+rugspa.ie, 1
+rugstorene.co.uk, 1
+rugugu.jp, 1
+ruha.co.in, 1
+ruhigehand.de, 1
+ruhimustafa.tk, 1
+ruhnke.cloud, 0
+ruhproject.kz, 1
+ruhrdurst.tk, 1
+ruhrmobil-e.de, 1
+ruhrnalist.de, 1
+ruhrpott-media.com, 1
+ruhrpott-media.de, 1
+ruhrpott.rodeo, 1
+rui-t.xyz, 1
+ruiduntrading.com, 1
+ruifu.tech, 1
+ruileitao.pt, 1
+ruiming.me, 1
+ruimonteiro.pt, 1
+ruimoreira.co.uk, 1
+ruimtevoor.gent, 1
+ruimtevoorgent.be, 1
+ruin.one, 1
+ruinme.tk, 1
+ruinone.com, 1
+ruinsofchaos.com, 1
+ruiruigeblog.com, 1
+ruitersportbak.nl, 1
+ruixin.org, 1
+rujbin.ddns.net, 1
+ruk.ca, 1
+rukhaiyar.com, 1
+rukiyegarip.art, 1
+ruknguk.tk, 1
+rukouye.cf, 1
+rukouye.ml, 1
+rul.ai, 1
+rulaholding.fi, 1
+rule5.ai, 1
+ruli.tk, 1
+ruliad.de, 1
+rullzer.com, 1
+rultek.tk, 1
+rulu.tv, 1
+rumaenien.immo, 1
+rumah-tanah-dijual.com, 1
+rumah123.com, 1
+rumahbukitpodomoro.com, 1
+rumahcodingtest.tk, 1
+rumahkeadilan.co.id, 1
+rumahkristal.tk, 1
+rumahminimalisoi.com, 1
+rumahpropertigratis.com, 1
+rumahresep.cf, 1
+rumartinez.es, 1
+rumata.pub, 1
+rumatallc.com, 1
+rumbasguayaquil.com, 1
+rumble.com, 1
+rumbleline.ga, 1
+rumeli.edu.tr, 1
+rumemi.com, 1
+rumenka.tk, 1
+ruminecraftru.tk, 1
+rumix.ga, 1
+rumix.tk, 1
+rumlager.de, 1
+rummage4property.co.uk, 1
+rummey.co.uk, 1
+rumreader.com, 1
+rumtaste.com, 1
+rumus.co.id, 1
+rumusbilangan.com, 1
+rumusrumus.com, 1
+rumussoal.com, 1
+run-it-direct.co.uk, 1
+run.vn, 1
+runagain.ch, 0
+runalyze.com, 1
+runame.ml, 1
+runar-data.de, 1
+runbo-australia.ga, 1
+runbo-new-zealand.ga, 1
+runbo-nz.ga, 1
+runboaustralia.ga, 1
+runcarina.com, 1
+rundh-audio.de, 1
+rundh.de, 1
+rundom.co, 1
+rundu.ml, 1
+rundum-service-omh.de, 1
+rundum-sorglos.digital, 1
+rundumcolumn.xyz, 1
+runebet.com, 1
+runeblog.ru, 1
+runecaster.tk, 1
+runementors.com, 0
+runes.cf, 1
+runescape.wiki, 1
+runescapelordsconquest.tk, 1
+runesforbeginners.com, 1
+runet.cf, 1
+runetracker.org, 1
+runeworldforums.tk, 1
+runews.cf, 1
+runfitcoaching.com, 1
+rungie.com, 0
+rungisinternational.com, 1
+rungstedhave.dk, 1
+rungutan.com, 1
+runicspells.com, 1
+runklesecurity.com, 1
+runlet.gq, 1
+runlevel3.de, 1
+runmyprocess.com, 1
+runmyqubit.com, 1
+runmyqubit.de, 1
+runmyvillage.com, 1
+runner.az, 1
+runners.yoga, 1
+runnerslab.com, 1
+running-tiger.ch, 1
+running-tiger.cn, 1
+running-tiger.de, 1
+runningcitadel.com, 1
+runningfast.cf, 1
+runningrabb.it, 1
+runningshows.tk, 1
+runpartner.com, 1
+runrun.es, 1
+runrun.sk, 1
+runschrauger.com, 1
+runvs.io, 1
+ruobiyi.com, 0
+ruobr.ru, 1
+ruonavaara.fi, 1
+ruoskachile.tk, 1
+rupeek.com, 1
+rupeespeaks.tk, 1
+rupeevest.com, 1
+rupom.me, 1
+rupool.tk, 1
+rupostel.com, 1
+rupressa.tk, 1
+ruprivorot.tk, 1
+rupture-skate.tk, 1
+ruptureradio.com, 1
+ruqbnsmokebbq.ga, 1
+ruquiz.tk, 1
+rural-house.tk, 1
+rural.gov, 1
+ruralhousing.es, 1
+ruralis.it, 1
+ruralsuppliesdirect.co.uk, 1
+rurange-les-thionville.fr, 1
+ruri.io, 1
+rurian-gyohen.com, 1
+ruris.bg, 1
+ruro.tk, 1
+rurouni.tk, 1
+rus-blog.tk, 1
+rus-call.com, 1
+rus-manual.tk, 1
+rusa.loan, 1
+rusakov.tk, 1
+rusdigisolutions.com, 1
+ruse.church, 1
+ruseartgallery.tk, 1
+rusenemas.tk, 1
+rusexmany.ml, 1
+rush49.com, 1
+rushashkyfond.com, 1
+rushbmedia.com, 1
+rushcountykansas.gov, 1
+rushhour.nl, 0
+rushmix.com, 0
+rushmyessay.gq, 1
+rushpoppershop.co.uk, 1
+rushriverwi.gov, 1
+rushyo.com, 1
+rusichi.tk, 1
+rusien-den.com, 1
+rusificatio.tk, 1
+rusifikator.tk, 1
+rusiptv.cf, 1
+ruska-modra.cz, 1
+ruskamodra.cz, 1
+ruskcountytx.gov, 1
+ruski.tk, 1
+ruskod.net, 1
+ruslandautohuur.nl, 1
+rusmir.tk, 1
+rusmodel.tk, 1
+rusmolotok.ru, 1
+rusnalog.ru, 1
+rusnicolas.cf, 1
+rusnum.com, 1
+rusnum.ru, 1
+rusorg.de, 1
+ruspolik.ru, 1
+rusposuda.cf, 1
+russ-portal.tk, 1
+russandol.eu, 1
+russchooljordan.tk, 1
+russell-ar.gov, 1
+russell-tech.co.uk, 1
+russellcountyky.gov, 1
+russellenvy.com, 1
+russelljohn.net, 1
+russellmeek.net, 1
+russellshobby.com, 1
+russellupevents.co.uk, 1
+russia-furniture.tk, 1
+russia-knigi.ga, 1
+russia-rp.tk, 1
+russia.wtf, 1
+russiahockey.tk, 1
+russiahunting.tk, 1
+russialife.gq, 1
+russian-artist.tk, 1
+russian-fur.tk, 1
+russian-knights.ru, 1
+russian-page.tk, 1
+russianbearsmotorsport.tk, 1
+russianbluecatsguide.com, 1
+russianbrides.cf, 1
+russianbridge.org, 1
+russianbristol.tk, 1
+russiancrimes.in.ua, 1
+russianews.cf, 1
+russianews.ga, 1
+russianflora.com, 1
+russianflora.ru, 1
+russianpostcalc.ru, 1
+russianpunkrock.tk, 1
+russianrandom.ru, 1
+russiantranslation.tk, 1
+russinfo.net, 1
+russisch.tk, 1
+russograffix.tk, 1
+russpuss.ru, 1
+rust.cf, 1
+rust.mn, 1
+rust.pm, 1
+rust.yokohama, 1
+rustambek.tk, 1
+rustamkhanko.gq, 1
+rustdesk.com, 1
+rustfactory.io, 1
+rustfanatic.com, 1
+rustfu.rs, 1
+rusticpathways.com.au, 1
+rusticroadlandscaping.com, 1
+rusticus-consulting.de, 0
+rustls.com, 1
+rustls.org, 1
+rustonla.gov, 1
+rustup.rs, 1
+rusty44.com, 1
+rustyrambles.com, 0
+rustytub.com, 1
+rusunion.org, 1
+ruswomen.tk, 1
+ruta-66.tk, 1
+rutadelastermitas.tk, 1
+rutadelmejillon.com, 1
+rutar.org, 1
+rutas-turisticas.com, 1
+rutascostarica.viajes, 1
+rutasindonesia.viajes, 1
+rutasmaldivas.viajes, 1
+rutazeus.tk, 1
+ruter.myftp.org, 0
+rutgerbrouwer.tk, 1
+rutgerschimmel.nl, 0
+rutgershealth.org, 1
+ruthbarrettmusic.com, 1
+ruthbellgrahammemorial.org, 1
+ruthhaloho.com, 1
+ruthil.co.il, 1
+ruthil.com, 1
+ruthlavidente.com, 1
+ruthmarques.com.br, 1
+ruthmontenegro.com, 1
+ruthmontenegro.es, 1
+rutiger.com, 1
+rutika.ru, 1
+rutlandma.gov, 1
+rutorka.tk, 1
+ruttenadvocaat.be, 1
+rutterroy.com, 1
+ruud-online.tk, 1
+ruudkoot.nl, 1
+ruurdboomsma.nl, 1
+ruvoip.net, 1
+ruwhof.com, 1
+ruwhof.net, 1
+ruxit.com, 0
+ruya.com, 1
+ruyana.tk, 1
+ruyatabirleri.com, 1
+ruyatabirlerin.gen.tr, 1
+ruzaevka.tk, 1
+ruzomberok.bike, 1
+ruzovyslon.cz, 1
+rv-jpshop.com, 1
+rva.gov, 1
+rvaneijk.io, 1
+rvantwembeke.tk, 1
+rvcamperguide.com, 1
+rvem.org, 1
+rvender.cz, 1
+rvf6.com, 1
+rvmfm.com, 1
+rvoigt.eu, 1
+rvrcleaning.nl, 0
+rvsa2bevestigingen.nl, 1
+rvsa4bevestigingen.nl, 1
+rvsbevestigingen.nl, 1
+rvss-or.gov, 1
+rvvc.im, 1
+rw-invest.com, 1
+rw.search.yahoo.com, 0
+rw2.de, 1
+rwalch.at, 1
+rway.pro, 1
+rwb.charity, 1
+rwbstuff.com, 1
+rwgamernl.ml, 1
+rwhapdentalservicesreport.net, 1
+rwlib.net, 1
+rws-cc.com, 1
+rws-vertriebsportal.de, 1
+rwx.ovh, 1
+rwx.work, 1
+rx-base.nl, 1
+rx-diet.com, 1
+rxbn.de, 1
+rxbusiness.com, 1
+rxcarbon.com, 1
+rxcom.net, 1
+rxphoto.com, 1
+rxtx.pt, 0
+rxxx.ml, 1
+ry88url.com, 1
+ryabinushka.tk, 1
+ryan-13.tk, 1
+ryan-design.com, 1
+ryan-gehring.com, 1
+ryan-goldstein.com, 1
+ryan.black, 1
+ryan.cafe, 1
+ryananeff.com, 1
+ryanclemmer.com, 1
+ryancmassey.com, 1
+ryancompanies.com, 1
+ryandewsbury.co.uk, 1
+ryanfamily.net.au, 1
+ryanhopk.com, 1
+ryanhowell.io, 1
+ryanjarvis.law, 1
+ryankearney.com, 0
+ryankilfedder.com, 1
+ryanonfire.tk, 1
+ryanparman.com, 1
+ryanrichardwalker.com, 1
+ryansmithphotography.com, 1
+ryanwordpress.com, 1
+ryazagro.ru, 1
+ryazan-region.ru, 1
+ryazancity.tk, 1
+rybak-opt.ru, 1
+rybak-russia.ru, 1
+rybalku.ru, 1
+rybarski.com, 1
+rybinsk.ga, 1
+rybnitsa.cf, 1
+rybnitsa.ga, 1
+rybnitsa.gq, 1
+rybnitsa.tk, 1
+rybox.info, 1
+rychlikoderi.cz, 0
+rycose.com, 1
+rycose.net, 1
+rycpk.org, 1
+ryd.no, 1
+rydeify.com, 1
+ryder.tk, 1
+rydercragie.co.uk, 1
+rydercragie.com, 1
+rydercragie.uk, 1
+rydermais.tk, 1
+ryderstatus.com, 1
+rydi.org, 1
+ryejuice.sytes.net, 1
+ryenews.org.uk, 1
+ryfma.com, 1
+ryland.consulting, 0
+rylbyte.com, 1
+rylin.net, 1
+rymanow.tk, 1
+rymdweb.com, 1
+rymergames.tk, 1
+rymshospital.com, 1
+rynekpierwotny.pl, 1
+rynkebo.dk, 1
+ryobitools.eu, 1
+ryoch.in, 1
+ryois.me, 1
+ryois.net, 1
+ryona.agency, 1
+rys.pw, 1
+rythm.es, 1
+ryu-ga-gotoku-audition.com, 1
+ryu22e.org, 1
+ryuanerin.kr, 1
+ryuukei-nf.tk, 1
+ryvit.com, 1
+ryzen.cz, 1
+ryzhov.me, 1
+rzeczy-silene.pl, 1
+rzero.com, 1
+rzero.tk, 1
+rzhv1.cf, 1
+rzip.de, 1
+rzsmt.com, 1
+s-5-university.com, 1
+s-c.se, 1
+s-comp.pl, 1
+s-cubed.net, 1
+s-deal.eu, 1
+s-geiser.de, 1
+s-gong.com, 1
+s-he.at, 1
+s-hertogenbosch.tech, 1
+s-housing.vn, 1
+s-huset.dk, 1
+s-i-m.tk, 1
+s-kaupat.fi, 1
+s-mainte.com, 1
+s-mall.com.sg, 1
+s-n-unso.com, 1
+s-on.li, 1
+s-pro.io, 1
+s-s-paint.com, 1
+s-sisters.ru, 1
+s-team.tk, 1
+s-u.pw, 1
+s-yuz.com, 1
+s-zwrm.de, 1
+s.ai, 1
+s.ee, 1
+s.lu, 1
+s.sb, 1
+s.td, 1
+s.team, 1
+s.tt, 1
+s.wtf, 1
+s007.co, 1
+s0923.com, 1
+s0laris.co.uk, 1
+s0t.ru, 1
+s1-llc.com, 1
+s10y.eu, 1
+s1128.com, 1
+s1l3nt.org, 1
+s1mplescripts.de, 1
+s1ris.org, 1
+s2.coach, 1
+s20121946.ml, 1
+s26s.com, 1
+s2i.ch, 0
+s2member.com, 1
+s2n.tech, 1
+s2t.net, 0
+s36533.com, 1
+s3call.ddns.net, 0
+s3chat.ddns.net, 1
+s3cur1ty.com, 1
+s3cur3.it, 1
+s3file.ddns.net, 1
+s3gfault.com, 1
+s3lph.me, 1
+s3w.es, 1
+s3waas.gov.in, 1
+s402.de, 1
+s404.de, 1
+s44.eu, 1
+s4c.cymru, 0
+s4db.net, 1
+s4hosting.in, 1
+s4media.org, 1
+s4media.xyz, 1
+s4q.me, 1
+s4tips.com, 1
+s4ur0n.com, 1
+s5197.co, 1
+s550.cc, 0
+s551.cc, 0
+s552.cc, 0
+s553.cc, 0
+s556.cc, 0
+s557.cc, 0
+s558.cc, 0
+s559.cc, 0
+s5g8.com, 1
+s6.tel, 1
+s64.cz, 1
+s6729.co, 1
+s6729.com, 1
+s6957.co, 1
+s6jl.com, 1
+s6n.jp, 1
+s6o.de, 1
+s82365.com, 1
+s88.com, 1
+s8a.me, 1
+s92.cloud, 1
+s92.io, 1
+s92.me, 1
+s9297.co, 1
+s95.de, 1
+s9728.co, 1
+s9h.cn, 0
+sa-blog.net, 1
+sa-mp.me, 1
+sa-mp.ro, 1
+sa-refer.nhs.uk, 1
+sa-stu.com, 1
+sa-studio.chat, 1
+sa-studio.ltd, 1
+sa-studio.vip, 1
+sa.gov, 1
+sa.net, 1
+sa68.cc, 1
+sa88.cc, 0
+saadat.in.ua, 1
+saadurrehman.tk, 1
+saam.aero, 1
+saanich.ca, 1
+saap.me, 1
+saaral.org, 1
+saarehaigla.ee, 1
+saaremaa.tk, 1
+saaricraft.ml, 1
+saarloosschilderwerken.nl, 1
+saarteliinid.ee, 1
+saas.de, 1
+saasalerts.com, 1
+saatchiart.com, 1
+saathi.asia, 1
+sab.id, 1
+saba-piserver.info, 1
+saba-shop.tk, 1
+sabachat.tk, 1
+sabahattin-gucukoglu.com, 1
+sabaland.tk, 1
+sabanco.com.br, 1
+sabaplastic.co, 1
+sabasseguros.cl, 1
+sabatikirooms.com, 1
+sabbat-wildfire.tk, 1
+sabbaticalhomes.com, 1
+sabbottlabs.com, 1
+sabedinovski.tk, 1
+saber-nyan.com, 1
+sabesprev.com.br, 1
+sabghijewelers.com, 1
+sabharwallawfirm.ca, 1
+sabhindimai.net, 1
+sabians.tk, 1
+sabiasque.pt, 1
+sabine-forschbach.de, 1
+sabineforschbach.de, 1
+sablanout.com, 1
+sable.gq, 1
+sabmobile.pk, 1
+saborcaribe.tk, 1
+saboresdamontanha.com.br, 1
+sabranie.com, 1
+sabrina-auer.tk, 1
+sabrinajoias.com, 1
+sabrinajoias.com.br, 1
+sabrinajoiasprontaentrega.com.br, 1
+sabrinajoiasvarejo.com.br, 1
+sabrinamiskiewicz.tk, 1
+sabrinarus.tk, 1
+sabrinazeidan.com, 1
+sabrine.tk, 1
+sabris.com, 1
+sabung-ayam.net, 1
+sabworldtricks.tk, 1
+sac-shoes.fr, 1
+sacabc.ca, 1
+sacademica.tk, 1
+sacaentradas.com, 1
+saccani.net, 1
+saccottino.tk, 1
+saccounty.gov, 1
+saccountyiowa.gov, 1
+sace.ca, 1
+sace.org.za, 1
+sacektirme.tk, 1
+sacfreightlines.com, 1
+sacha-botz.com, 0
+sacharidovejednotky.eu, 1
+sachasmets.be, 1
+sachi.lk, 1
+sachiepvien.net, 1
+sachinchauhan.ml, 1
+sachk.com, 0
+sachse.info, 0
+sachsenlady.com, 1
+sachte-restaurant.de, 1
+sacians.tk, 1
+sacibo.ga, 1
+sackmesser.ch, 1
+saclier.at, 1
+saco.tech, 1
+sacodealegria.com, 1
+sacprincesse.com, 1
+sacramentocounty.gov, 1
+sacramentum.tk, 1
+sacreatedesign.com, 1
+sacreativity.com, 1
+sacred-destinee.tk, 1
+sacred-knights.net, 1
+sacredart-murals.co.uk, 1
+sacredheart-cliftonheights.net, 1
+sacredheartbath.org, 1
+sacredheartmission.org, 1
+sacredmessages.net, 1
+sacredsecondhandbooks.com.au, 1
+sacrome.com, 1
+sacrosanctus.tk, 1
+sacscoc.org, 1
+sacwellness.com, 1
+sad-berezka.ru, 0
+sad-ko.ru, 1
+sadbox.es, 1
+sadbox.org, 1
+sadbox.xyz, 1
+sadeedos.systems, 1
+sadeem.space, 1
+sadesign.co.uk, 1
+sadev.co.za, 1
+sadhana.cz, 1
+sadhanaclub.de, 1
+sadhawkict.org, 1
+sadiejanehair.com, 1
+sadiestavern.cf, 1
+sadiestavern.ga, 1
+sadiestavern.gq, 1
+sadiestavern.ml, 1
+sadievilleky.gov, 1
+sadiosang.net, 1
+sadiqloaded.tk, 1
+sadjawebsolutions.com, 1
+sadko-group.com, 1
+sadkodesign.com.ua, 1
+sadmansh.com, 1
+sadou.kyoto.jp, 0
+sadoun.com, 1
+sadovskiy.tech, 1
+sadrailsim.de, 1
+sadsu.com, 0
+sadtxt.com, 1
+sadurscy.pl, 1
+sadus.tk, 1
+saechsischer-christstollen.shop, 0
+saeder-krupp.de, 1
+saeedvaladbaygi.info, 1
+saeidii.com, 1
+saeitalianfood.com, 1
+saenforcement.agency, 1
+saengsook.com, 1
+saengsuk.com, 1
+saevor.com, 1
+saf.earth, 1
+safagiza.ml, 1
+safalfasalonline.in, 1
+safar.sk, 1
+safara.host, 1
+safataviationgroup.com, 1
+safatech.me, 1
+safc.tk, 1
+safe-kim.com, 1
+safeacs.com, 1
+safeadmin.ga, 1
+safeandsecureserver.com, 1
+safearth.training, 1
+safeathomeohio.gov, 1
+safeatlast.co, 1
+safebaseflorida.com, 1
+safebaseinc.com, 1
+safebasementswaterproofing.com, 1
+safebits.ch, 1
+safebits.de, 1
+safebits.eu, 1
+safebits.fr, 1
+safebits.it, 1
+safeblackout.com, 1
+safeboard.ml, 1
+safebus.io, 1
+safecar.gov, 1
+safecircuitelectric.com, 1
+safecoin.tech, 1
+safecso.cf, 1
+safedatabasesystems.com, 1
+safedrivepod.com, 1
+safeers.tk, 1
+safefly.se, 1
+safefreehost.gq, 1
+safefreepornsites.com, 1
+safegas.com.ua, 1
+safegold.ca, 1
+safegroup.pl, 1
+safeguardace.com, 1
+safeguardhosting.ca, 1
+safehero.com, 1
+safeheron.com, 1
+safeheron.vip, 1
+safehouse.zone, 1
+safehousepestcontrol.au, 1
+safeinfra.nl, 1
+safejourney.education, 1
+safekidney.com.tw, 1
+safeme.ga, 1
+safeme.gq, 1
+safemt.gov, 1
+safenetwork.it, 1
+safensoundstoragegroton.com, 1
+safeo.fr, 1
+safeocs.gov, 1
+safeplay.co, 1
+safeplayground.net, 1
+safeporn.org, 1
+safeprint.pt, 1
+safer-software.tk, 1
+safera.com, 1
+safercar.gov, 1
+saferchildren.eu, 0
+saferequest.net, 1
+saferfederalworkforce.gov, 1
+safermao.fr, 1
+saferpost.com, 1
+saferproduct.gov, 1
+saferproducts.gov, 1
+saferrafrica.org, 1
+safersurfing.eu, 0
+safertruck.gov, 1
+safescif.com, 1
+safesearchs.com, 1
+safesecuretrusted.com, 1
+safesecurevital.ca, 1
+safesmartvent.com, 1
+safesoundcounselingllc.com, 1
+safestayok.gov, 1
+safestreets.cf, 1
+safetables.ga, 1
+safethishome.com, 1
+safetrainingservices.co.uk, 1
+safetrax.in, 1
+safety-in-construction.tk, 1
+safety.co.nz, 1
+safetycloud.me, 1
+safetydrivessuccess.com, 1
+safetymeasuresas.com, 1
+safetymp3.com, 1
+safetynames.com, 1
+safetynation.co.uk, 1
+safetynetwork.me, 1
+safetynigeria.com, 1
+safetyrange.com, 1
+safetyrisk.net, 1
+safetysite.tips, 1
+safetysource.co.nz, 1
+safevault.org, 1
+safevisit.com.au, 1
+safewatchsecurity.ie, 1
+safewayins.com, 1
+safewayinsurance.com, 1
+safewaysecurityscreens.com.au, 1
+safewaywaterproofing.com, 1
+safewebsystems.com, 1
+safex.org, 1
+saffron.com, 1
+saffronpreview.global, 1
+safiafashion.kz, 1
+safijourney.com, 1
+safinamide.co.uk, 1
+safiosolutions.com, 1
+safirakbar.tk, 1
+safire.ac.za, 1
+safkgroup.com, 1
+safleo.org, 1
+safquh.com, 1
+sag-consultores.com, 1
+sagacioussuricata.com, 1
+sagagardencentre.co.uk, 1
+sagan.tk, 1
+sagarawat.in, 1
+sagargandecha.com.au, 0
+sagasailing.dk, 1
+sagauae.com, 1
+sageclinic.org, 1
+sagefitness.store, 1
+sagegardens.ca, 1
+sagenesykkel.com, 1
+sagenet.net.au, 0
+sagerus.com, 1
+sageseeds.info, 1
+sagetel.ga, 1
+sageth.com, 1
+saggis.com, 1
+saggytitsporn.com, 1
+saghekin.com, 1
+sagicorgeneral.com, 1
+sagicorlife.com, 1
+sagicorlifeusa.com, 1
+sagitta.hr, 1
+saglik-haberleri.tk, 1
+saglikhaber.tk, 1
+sagliklidegisim.com, 1
+sagnette.xyz, 1
+sago.group, 1
+sagomedia.tk, 1
+sagradamadre.hu, 1
+sagradobyme.cl, 1
+sagretreviso.it, 1
+sahabatnesia.com, 1
+sahafekitap.com, 1
+sahalin.tk, 1
+sahalinskiy.gq, 1
+sahar.io, 1
+saharacloud.com, 1
+sahararun.tk, 1
+saharazik.tk, 1
+saharmassachi.com, 1
+sahb.dk, 1
+sahilbahl.com, 1
+sahinozgenhukuk.com, 1
+sahkotyot.eu, 1
+sahpa.co.za, 1
+saibotk.de, 1
+said.id, 1
+said.it, 1
+said.my.id, 1
+saidpurtechnical.tk, 1
+saidrive.net, 1
+saidrive.online, 1
+saidtezel.com, 0
+saieditor.com, 1
+saifonvillas.com, 1
+saifoundation.in, 1
+saifoundation.org, 1
+saigonflowers.com, 1
+saigonland24h.vn, 1
+saigonstar.de, 1
+saikarra.com, 1
+saikou.moe, 1
+saikouji.tokushima.jp, 1
+sail-holidays-hub.gr, 1
+sail-nyc.com, 1
+sailarmada.com, 1
+sailboatdata.ddns.net, 1
+sailmail.io, 1
+sailormoondoujinshi.org, 1
+sailormoonevents.org, 1
+sailormoonfansubs.com, 1
+sailormoongallery.org, 1
+sailormoonlibrary.org, 1
+sailum.tk, 1
+sailwiz.com, 1
+saily.pl, 1
+saimithrayoga.nl, 1
+saimoe.moe, 1
+saimoe.org, 1
+sainet.xyz, 1
+sainetworks.net, 1
+sainews.net, 1
+sainikbiswas.com, 0
+sainokuni-eng.jp, 1
+sainsburys.jobs, 1
+sainsburysbusinessdirect.co.uk, 1
+sainshand.tk, 1
+saint-bernard-gouesch.fr, 1
+saint-clan.tk, 1
+saint-cyril.com, 1
+saint-peterburg.tk, 1
+saint-petersburg.cf, 1
+saint-petersburg.gq, 1
+saint-petersburg.ml, 1
+saint-ssd.org, 1
+saintaardvarkthecarpeted.com, 1
+saintanne.net, 1
+saintanthonylakin.org, 1
+saintaugustineschool.tk, 1
+saintbernardpetcare.com, 1
+saintefoy-tarentaise.fr, 1
+saintereso.tk, 1
+sainteugenechurch.net, 1
+sainteugeneschurch.com, 1
+saintfrancescabrini.net, 1
+saintgabrielparish.org, 1
+sainth.de, 0
+sainthedwig-saintmary.org, 1
+sainthelena-centersquare.net, 1
+sainthelenaparish.net, 1
+sainthelenas.org, 1
+saintisidorecyo.com, 1
+saintjamestheapostle.org, 1
+saintjosephschurch.net, 1
+saintleochurch.net, 1
+saintlouisfence.com, 1
+saintmarkchurch.net, 1
+saintmaryna.com, 1
+saintmaryscathedral-trenton.org, 1
+saintmichaelpress.tk, 1
+saintpatrick-norristown.net, 1
+saintpetersburg.cf, 1
+saintpetersburg.ga, 1
+saintpetersburg.gq, 1
+saintpetersburg.ml, 1
+saintphilipneri.org, 1
+saintpius.net, 1
+saintpolycarp.org, 1
+saintseiya-temple.tk, 1
+saintspicious.de, 1
+saintsrowmods.com, 1
+sainttheresahome.org.sg, 1
+saintvincent.tk, 1
+saintw.com, 0
+sainzderozas.com, 1
+saipariwar.com, 1
+saipeople.net, 1
+saiputra.com, 1
+saiputra.net, 1
+sairadio.net, 1
+sairadio.net.in, 1
+sairadio.one, 1
+sairai.bid, 1
+sairlerimiz.tk, 1
+sairus.fr, 1
+saisandesh.org, 1
+saisecure.net, 1
+saiserver.net, 1
+saisons-fruits-legumes.fr, 1
+saisyuusyou-ikebukuro.com, 1
+saisyuusyou-omiya.com, 1
+saisyuusyou-takasaki.com, 1
+saisyuusyou-utsunomiya.com, 1
+sait.health, 1
+saitapovan.com, 1
+saitas.net, 1
+saito-koken.co.jp, 1
+saitrance.com, 1
+saitschool.ml, 1
+saitv.net, 1
+saitv.org.in, 1
+saiwebtv.com, 1
+sajabesaya.tk, 1
+sajbersove.rs, 1
+sajdowski.de, 0
+sajetekengineering.com, 1
+sajjadrezaei.fit, 1
+sajjadzaidi.com, 1
+sajt-vizitka-nedorogo.ru, 1
+sajter.ga, 1
+sakac.cz, 1
+sakainvest.com, 1
+sakaki.anime.my, 0
+sakamichi.moe, 1
+sakaritsa-residence.com, 1
+sakaryahaberi.tk, 1
+sakder.com, 1
+sake.my, 1
+sakellariadis.gr, 1
+sakenohana.com, 1
+sakerhetsbubblan.se, 1
+sakiborislam.com, 1
+sakipsabancimuzesi.org, 1
+sakirdak.tk, 1
+sakitama-shika.com, 1
+sakiyamagumi.com, 1
+saklad5.com, 1
+sako-lab.jp, 1
+sakostacloud.de, 1
+sakrajda.eu, 1
+saksham.org, 1
+sakshi.gq, 1
+saksonski-szlak-parowozow.pl, 1
+sakura-paris.org, 1
+sakuracdn.com, 1
+sakuramarketingdigital.com.br, 1
+sakurapalace.tk, 1
+saladgo.id, 1
+saladin.vn, 1
+salahospitality.com, 1
+salalfoundation.ca, 0
+salamanders.tk, 1
+salamence.tk, 1
+salamzibaei.com, 1
+salariominimo.com.co, 1
+salarycalculatoruk.co.uk, 1
+salaryfinance.com, 1
+salas.cf, 1
+salas.tk, 1
+salasbanquetes.cl, 1
+salat-s-krevetkami.ru, 1
+salati.tk, 1
+salatiga.com, 1
+salatiga.net, 1
+salboy.co.uk, 1
+salce.com.au, 1
+salco-company.com, 1
+sald.us, 1
+saldanda.ml, 1
+salde.net, 1
+salduero.tk, 1
+sale-internet.cf, 1
+sale-sokuho.com, 1
+sale4ru.ru, 1
+saleaks.org, 1
+salebaba.com, 1
+saleduck.at, 1
+saleduck.ch, 1
+saleduck.co.id, 1
+saleduck.co.th, 1
+saleduck.com.my, 1
+saleduck.com.ph, 1
+saleduck.com.sg, 1
+saleduck.com.vn, 1
+saleduck.dk, 1
+saleduck.fi, 1
+saleduck.se, 1
+saledump.nl, 1
+saleem.cf, 1
+salegor.tk, 1
+saleh4unraid.cyou, 1
+salekaz.ru, 1
+salemma.gov, 1
+salempress.com, 1
+salensmotors-usedcars.be, 1
+salento-nostro.tk, 1
+salentocab.com, 1
+salerno-on-line.tk, 1
+salernonotizie.it, 1
+salernotoday.it, 1
+salery.ga, 1
+sales-experience.nl, 1
+sales-respect.nl, 1
+salesdesign.vn, 1
+salesdivisie.nl, 1
+salesdock.be, 1
+salesdock.de, 1
+salesdock.nl, 1
+salesflare.com, 1
+salesforce-communities.com, 1
+salesforce-experience.com, 1
+salesforce-hub.com, 1
+salesforce-scrt.com, 1
+salesforce-setup.com, 1
+salesforce-sites.com, 1
+salesforce.com, 1
+salesforce.mil, 1
+salesforceliveagent.com, 1
+salesforcescrt.com, 1
+salesfunnelfirstaid.com, 1
+saleskeyonline.com, 1
+salesoutcomes.com, 1
+salesprocessing.gq, 1
+saletodo.com, 1
+saleturs.tk, 1
+saletzki.de, 1
+salework.net, 0
+salge.rocks, 1
+salhiyatower.com, 1
+salibandy.tk, 1
+salidaswap.com, 1
+salient-dialers.com, 1
+salilab.org, 1
+salim.space, 1
+salimicm.com, 1
+salinecountyks.gov, 1
+salinecountyne.gov, 1
+salinemi.gov, 1
+salinevilleoh.gov, 1
+salins-les-bains.com, 1
+salisburylehighpa.gov, 1
+salisburyreds.co.uk, 1
+salisucre.fr, 1
+salland1.nl, 1
+sallandstorage.nl, 1
+salledebainmontreal.gq, 1
+sallisawok.gov, 1
+sally-secret.com, 1
+sallyandruss.ca, 1
+sallyangeli.tk, 1
+sallycooke.co.uk, 1
+sallydowns.name, 1
+sallyheerenveen.nl, 1
+sallyjo.tk, 1
+sallyman.de, 1
+salmadenora.net, 1
+salman.agency, 1
+salmanravoof.com, 1
+salmati.de, 1
+salmelainenwalter.tk, 1
+salminencrane.tk, 1
+salmo-rybak.ru, 1
+salmonde.de, 1
+salmonella.co.uk, 1
+salmonrecovery.gov, 1
+salmotierra-salvatierra.com, 0
+salnet.wf, 1
+salo.fi, 1
+salon-de-patchouli.com, 1
+salon-hinata.biz, 1
+salon-largo.com, 1
+salon-legato.com, 1
+salon-minipli.de, 1
+salon-svadbi.tk, 1
+salon-yuan.jp, 0
+salon.io, 0
+salon1.ee, 1
+salonasymetria.com, 1
+salonboothuren.amsterdam, 1
+salone-mio.com, 1
+salonestella.it, 1
+saloniestate.ml, 1
+salonist.io, 1
+salonkaufmann.it, 1
+salonmarjon.nl, 1
+salonni.tk, 1
+salonsantebienetre.ch, 0
+salrosadohimalaia.com, 1
+salsa-straubing.de, 1
+salsa.berlin, 1
+salserocafe.com, 0
+salt-travel.cf, 1
+salt.fish, 1
+saltandlight.sg, 1
+saltcave.gq, 1
+saltedfish.network, 1
+saltedge.com, 1
+saltedpasta.com, 1
+salter.com.tr, 1
+saltercane.com, 0
+saltlakecounty.gov, 1
+saltlakehealth.gov, 1
+saltnsauce.cf, 1
+saltnsauce.ga, 1
+saltnsauce.gq, 1
+saltnsauce.ml, 1
+saltrecovery.com.au, 1
+saltro.nl, 0
+saltstack.cz, 1
+saltsugarlove.de, 1
+saltus.ga, 1
+saltwaterfishaspets.com, 1
+saltydogpaddle.org, 1
+saltykai.com, 1
+salud-paratodos.com, 1
+salud.top, 0
+saludakeuring.nl, 1
+saludmas.site, 1
+saludmaspro.com, 1
+saludnutrivida.com, 1
+saluels.servemp3.com, 1
+salukinet.tk, 1
+salunganogroup.com, 1
+salus-cm.care, 1
+salussafety.io, 1
+salut-butovo.cf, 1
+salutenaturale.com.br, 1
+salutes.tk, 1
+salutethefish.com, 1
+salutethegrains.com, 1
+salutethepig.com, 1
+salutparis.ml, 1
+salva.ovh, 1
+salva.re, 1
+salvaalocombia.com, 1
+salvadoralevin.tk, 1
+salvadorcorriols.tk, 1
+salvadorinfantil.tk, 1
+salvalartesicilia.it, 1
+salvameblog.tk, 1
+salverainha.org, 1
+salwyrr.com, 1
+salz-und-sinn.de, 1
+salzamt.tk, 1
+salzburg-erfahren.at, 1
+salzburg-verkehr.at, 1
+salzburgsfinest.tk, 1
+salzerperu.com, 1
+salzmann.solutions, 1
+sam-football.fr, 1
+sam.gov, 1
+sam66.cc, 1
+sam88.cc, 1
+samabest.tk, 1
+samalderson.co.uk, 1
+samandcatonline.tk, 1
+samandej.ir, 1
+samanexports.in, 1
+samangel.org, 1
+samanhatami.ir, 1
+samanthabiggers.com, 1
+samanthasmith.tk, 1
+samar-leyte.tk, 1
+samara-avia.ru, 1
+samara-hosting.tk, 1
+samarhotel.com, 1
+samaritainsmeyrin.ch, 0
+samarpanfurniture.com, 1
+samarth.edu.in, 1
+samarthtyagi.tk, 1
+samatva-yogalaya.com, 1
+samba.org, 1
+sambeso.net, 1
+sambot.ru, 1
+sambot22.tk, 1
+sambuchanan.tk, 1
+samcera.gov, 1
+samclarke.com, 1
+samclarke.uk, 1
+samdev.io, 1
+same.lol, 1
+samedamci.com, 1
+samedis.care, 1
+samegoal.com, 1
+samegoal.org, 1
+samehzidan.com, 1
+samel.de, 1
+samelol.com, 1
+samentest.tk, 1
+samenuitsamenthuis.tk, 1
+samenvoorelkaar.nl, 1
+samenvoormedicatieoverdracht.nl, 1
+samenwerkingsportaal.nl, 1
+samepage.io, 1
+samesound.ru, 1
+sametcanaz.tk, 1
+sameteem.com, 1
+sametimetomorrow.tk, 1
+sameworks.com, 1
+samh.org.uk, 1
+samhall.se, 1
+samhsa.gov, 1
+samhuri.net, 1
+samic.ir, 1
+samic.org, 1
+samic.us, 1
+samifar.in, 1
+samilyanov.tk, 1
+samin.tk, 1
+samir-software.tk, 1
+samiratv.tk, 1
+samishnation.gov, 1
+samisoft.ir, 1
+samiysok.cf, 1
+samkelleher.com, 1
+samkoandmikotoywarehouse.com, 1
+saml-gateway.org, 1
+saml2.com, 1
+samlam.ddns.net, 1
+samlamac.com, 1
+samlaw.co.nz, 0
+sammich.eu, 1
+sammich.social, 1
+sammichscripts.com, 1
+sammyservers.com, 1
+sammyservers.net, 1
+samodel.ml, 1
+samodel.tk, 1
+samogonka.tk, 1
+samokhin.cf, 1
+samorazvitie.ru, 1
+samorzad.gov.pl, 1
+samosad.tk, 1
+samotorsporttyres.com.au, 1
+samoyeddogsguide.com, 1
+samoylov.gq, 1
+samoylyk.net, 0
+samozdraw.ga, 1
+sampaguide.com, 1
+sampath.lk, 1
+sampatjewelers.com, 1
+sample-site.click, 1
+samplefashion.nl, 1
+sampsoncountync.gov, 1
+sampurna.shop, 1
+samroelants.com, 1
+sams.wtf, 1
+samsatcorner.com, 1
+samscollection.in, 1
+samsebe.ml, 1
+samsebe.tk, 1
+samsepi0l.ovh, 1
+samshouseofspaghetti.net, 1
+samson-td.com, 1
+samson.org.au, 1
+samsreseller.com, 1
+samstudios.tk, 1
+samsungbiologics.com, 1
+samsunghalfmarathon.com, 1
+samtalen.nl, 1
+samudranesia.id, 1
+samuel-brown.com, 1
+samuel-philipp.de, 1
+samuelbeckett.tk, 1
+samuelbramley.com, 1
+samuelgd.com, 1
+samuelharmon.com, 1
+samuelkeeley.com, 1
+samuelkyalo.tk, 1
+samuelphotos.com, 1
+samuels-blog.de, 1
+samuels-graphics.tk, 1
+samuelsxpress.com, 1
+samuidiving.net, 1
+samuirehabcenter.com, 1
+samurai-marumori.com, 1
+samuraiskye.com, 1
+samusil.org, 1
+samvanderkris.com, 1
+samwelek.co.uk, 1
+samwilberforce.com, 1
+samwrigley.co.uk, 1
+samwu.tw, 1
+samxoxo.com, 1
+samy.rip, 1
+samyang.tk, 1
+samystic.com, 1
+san-cassiano.com, 1
+san-genesio.net, 1
+san-leonardo.com, 1
+san-martino.org, 1
+san-vigilio-marebbe.net, 1
+san.tv, 1
+san0j.de, 1
+sana-commerce.com, 1
+sana-store.com, 1
+sana-store.cz, 1
+sana-store.sk, 1
+sanagustin.com, 1
+sanalaile.tk, 1
+sanalikaforum.tk, 1
+sanalturcu.com, 1
+sanandreasstories.com, 1
+sanantoniolocksmithtx.com, 1
+sanapaino.fi, 1
+sanasport.at, 1
+sanasport.be, 1
+sanasport.bg, 1
+sanasport.cz, 1
+sanasport.de, 1
+sanasport.fr, 1
+sanasport.hu, 1
+sanasport.it, 1
+sanasport.pl, 1
+sanasport.si, 1
+sanasport.sk, 1
+sanates.cz, 1
+sanatfilan.com, 0
+sanatori-elochka.tk, 1
+sanatori-teterev.tk, 1
+sanatorii-sverdlovskoy-oblasti.ru, 1
+sanatorionosti.com.ar, 1
+sanatstore.ir, 1
+sanayi.gov.tr, 1
+sanbenitocounty-ca-cre.gov, 1
+sanbernardino.gov, 1
+sanbornteam.com, 1
+sanbs.org.za, 1
+sancaktepehaber.tk, 1
+sanche.org, 1
+sanchez.adv.br, 0
+sancpa.ca, 1
+sancraft.de, 1
+sancta-domenica.hr, 1
+sanctio.tk, 1
+sanctum.geek.nz, 0
+sanctus-de.tk, 1
+sanctus.co.uk, 1
+sand-and-mercury.tk, 1
+sand-bleibt.de, 1
+sand-craft.ml, 1
+sand-stoneinc.com, 1
+sand66.cc, 1
+sand66.com, 1
+sandairephotography.com, 1
+sandbox.i.ng, 1
+sandbox.mydigipass.com, 0
+sandelduggal.com, 1
+sanderdesign.tk, 1
+sanderdorigo.nl, 1
+sanderkoenders.eu, 1
+sanderkoenders.nl, 1
+sanderpoppe.com, 0
+sanderscreditrepair.com, 1
+sandersmontalto.com, 1
+sandersonfarms.com, 1
+sanderspies.com, 1
+sanderstaxpro.com, 1
+sandervanderstap.nl, 1
+sandesh.tk, 1
+sandgatebaysidedental.com.au, 1
+sandiegolifechanging.org, 1
+sandiegoluxuryhomes.org, 1
+sandiegotaxpreparation.com, 1
+sandiegotown.com, 1
+sandipmukherjee.tk, 1
+sandiuno.ml, 1
+sandle.uk, 1
+sandlerpartners.com, 1
+sandmanintel.com, 1
+sandmarc.cz, 1
+sandokan.tk, 1
+sandor.wtf, 1
+sandoval.photography, 1
+sandownpolicenh.gov, 1
+sandpaper.com, 1
+sandr0.tk, 1
+sandra-perlbach.de, 1
+sandrabay.com, 1
+sandrabernardo.com, 1
+sandragortemaker.nl, 1
+sandrainden.nl, 1
+sandraindenfotografie.nl, 1
+sandramargolesmd.com, 1
+sandramorrone.tk, 1
+sandras-hobbystueble.de, 1
+sandrasturm.net, 1
+sandravdmeulen.nl, 1
+sandrinesite.tk, 1
+sandrolittke.de, 1
+sandrproperty.com, 1
+sandsclan.tk, 1
+sandspoint.gov, 1
+sandssteelservices.com, 1
+sandstein.de, 1
+sandstroh.network, 1
+sandtears.com, 1
+sandtime.io, 1
+sandtler.moe, 1
+sandton-plumbing.co.za, 1
+sandtonrubbleremovals.co.za, 1
+sanduskycountyoh.gov, 1
+sandwichclub.tk, 1
+sandwichcouncil.tk, 1
+sandwoman.tk, 1
+sandybigboobs.com, 1
+sandybigboobs.net, 1
+sandylanevacations.com, 1
+sandyrobsonhypnotherapy.co.uk, 1
+sandyspringadventurepark.org, 1
+sandyvazquez.com, 1
+sanemind.de, 1
+sanetschka.tk, 1
+sanex.ca, 1
+sanf.org, 1
+sanfernando.tk, 1
+sanfranciscotours.org, 1
+sangamonil.gov, 1
+sangen.ml, 1
+sangheon.com, 1
+sangina.eu, 1
+sangiovannilipioni.tk, 1
+sanglierhurlant.fr, 1
+sangoandmiroku.tk, 1
+sangowen.xyz, 1
+sangreytinta.tk, 1
+sangwanbeach.tk, 1
+sangyoui.health, 1
+sanhotel.ml, 1
+sanidadnaval.cl, 1
+sanierungskonzept.pro, 1
+sanificazioni.roma.it, 1
+sanikapandit.com, 1
+sanilaccounty.gov, 1
+sanilactownshipmi.gov, 1
+sanin.gq, 1
+sanitaer-heinze.com, 1
+sanitaer-notdienst-zentrale.de, 1
+sanitairwinkel.be, 1
+sanitairwinkel.com, 1
+sanitairwinkel.nl, 1
+sanitaria.it, 1
+sanitation-planning-tool.herokuapp.com, 1
+sanitix.com, 1
+sanitizinggurus.com, 1
+sanity.host, 1
+sanity.io, 1
+sanitynet.org, 1
+sanityrant.cf, 1
+sanityrant.ml, 1
+sanjab.io, 1
+sanjanaherath.cf, 1
+sanjaymenon.xyz, 1
+sanjosecolorectal.com, 1
+sanjosecostarica.org, 1
+sanjoweb.tk, 1
+sanjuanchamelco.tk, 1
+sanjuancountywa.gov, 1
+sanjuandeabajo.tk, 1
+sanjuandediosburgos.es, 1
+sanketsu.ml, 0
+sanki.tk, 1
+sankt-kassian.com, 1
+sanktannae-advokater.dk, 1
+sanktpetriskole.dk, 1
+sanliurfahaberi.tk, 1
+sanluisdequillota.tk, 1
+sanmarcovecchio.tk, 1
+sanmina.com, 1
+sanmonjiya-kimono.com, 1
+sanmuding.com, 1
+sanne-content.de, 1
+sannefoltz.com, 1
+sannikfk.gq, 1
+sanodent.com.ua, 1
+sanook69.com, 1
+sanook69s.com, 1
+sanooktiew.com, 0
+sanowski.com, 1
+sanowski.eu, 1
+sanowski.net, 1
+sanpablo.tk, 1
+sanpancrazio.tk, 1
+sanpatigroup-beautysalon.jp, 1
+sanpatigroup-recruit.jp, 1
+sanpatigroup.jp, 1
+sanpatriciocountytx.gov, 1
+sanpham-balea.org, 1
+sanqinyinshi.com.cn, 1
+sanrafaelvigo.org, 1
+sanray73.ru, 1
+sans-hotel.com, 1
+sansairyu-kuyoukai.com, 1
+sansdb.io, 0
+sansdict.ml, 1
+sansgetirsin.com, 1
+sanskarexam.in, 1
+sanskrit.pub, 1
+sanskrit.site, 1
+sanskritiyoga.com, 1
+sansonehowell.com, 1
+sansumclinic.org, 1
+santa-fell-from.space, 1
+santabarbaraca.gov, 1
+santabarbarapix.com, 1
+santacasamarilia.com.br, 1
+santackergaard.nl, 1
+santaclaracounty.gov, 1
+santaclaratx.gov, 1
+santaclarautah.gov, 1
+santaclarita.gov, 1
+santacruzca.gov, 1
+santacruzcountyca.gov, 1
+santacruzgalapagoscruise.com, 1
+santacruzstudio.com.mx, 1
+santafetx.gov, 1
+santaluciatirajana.com, 1
+santamargarita.tk, 1
+santamariadelaisla.tk, 1
+santamariaretreats.co.uk, 1
+santamariaretreats.uk, 1
+santamonicapost123.org, 1
+santander-dojo.com, 1
+santander.com, 0
+santanderassetmanagement.es, 0
+santanderibc.com, 0
+santanderideas.com, 0
+santandertrade.com, 1
+santantonio.tk, 1
+santapace.com.br, 1
+santarosaca.gov, 1
+santarosanm.gov, 1
+santasofiastereo.tk, 1
+santaynezchumash-nsn.gov, 1
+sante-actu.com, 1
+sante-informations.com, 1
+sante.akita.jp, 1
+santegra.tk, 1
+santehnica.ml, 1
+santehnik-dnepr.dp.ua, 1
+santehnik-home.ru, 1
+santehnika-tut.ru, 1
+santekhmarket-nn.ru, 1
+santenatureetcie.com, 0
+santeriabeliefs.com, 1
+santeriasanjorge.com.ar, 1
+santhatela.com.br, 1
+santhoffplumbingco.com, 0
+santhoshveer.com, 1
+santiagogarza.co, 1
+santibanezdetera.tk, 1
+santibz.es, 1
+santillana.com, 1
+santimb.photos, 1
+santippolito-borgo.tk, 1
+santjoandevilassar.tk, 1
+santmark.eu, 1
+santmark.info, 1
+santmark.net, 1
+santmark.org, 1
+santo.fi, 1
+santodelgiorno.it, 1
+santomospb.ru, 1
+santong.tk, 1
+santoscarmelitas.tk, 1
+santosdecordoba.tk, 1
+santoshpandit.com, 1
+santswebdesign.com, 1
+santugon.tk, 1
+santv.cc, 0
+sanuk.com, 1
+sanukarlos.tk, 1
+sanweb.info, 1
+saojudastadeu.edu.br, 1
+saoneth.pl, 1
+saorsa.fr, 1
+saorsat.com, 1
+saorsat.ie, 1
+saorsat.net, 1
+saorsat.tv, 1
+saorview.com, 1
+saorview.ie, 1
+saorview.net, 1
+saorviewconnect.ie, 1
+saorviewconnected.ie, 1
+sap-inc.co.jp, 1
+sapac.es, 1
+sapafolumuxu.tk, 1
+sapancavillalari.com, 1
+sapaship.ru, 1
+saphead.cn, 1
+saphi.re, 1
+saphnelosavings.com, 1
+sapibatam.com, 0
+sapien-ci.com, 1
+sapien.com, 1
+sapience.com, 1
+sapienml.com, 1
+sapiensecure.io, 0
+sapienz.tk, 1
+sapienza-eclipse.com, 1
+sapienzaconsulting.com, 1
+sapik.hu, 1
+sapiperelining.com.au, 1
+sapling.ai, 1
+saplumbers.com.au, 1
+sapmap01.azurewebsites.net, 1
+sapoghki.tk, 1
+sapphi.st, 1
+sapphic.site, 1
+sapphirebet.com, 1
+sapphireblinds.com.au, 1
+sapphireblue.me, 1
+sapphirecleaningwa.com.au, 1
+sapphirepearl.com.sg, 1
+sapphireservicesga.com, 1
+sapporo-asaichi.com, 1
+sapporo.ga, 1
+sapprendre.ch, 0
+saprima.de, 0
+sapti.me, 1
+sapulpaok.gov, 1
+sapulpapd.gov, 1
+sapuseven.com, 1
+saputra.org, 1
+saq.com, 0
+saqara.com, 1
+saracenmarkets.com, 1
+sarae.id, 1
+sarafanchik.tk, 1
+sarafanchiki.tk, 1
+sarafani.tk, 1
+sarafrazan.tk, 1
+sarafshop.tk, 1
+sarah-brown.tk, 1
+sarah-harding.tk, 1
+sarah-huenten.de, 1
+sarah-jane.nl, 1
+sarah-jones.uk, 1
+sarahbaker.co.nz, 1
+sarahbowling.org, 1
+sarahjaneethan.co.uk, 1
+sarahjaneredmond.com, 1
+sarahlicity.co.uk, 1
+sarahlicity.me.uk, 1
+sarahmakmq.com, 1
+sarahmckenna.ie, 0
+sarahmodel.tk, 1
+sarahneumann.tk, 1
+sarahplusdrei.de, 1
+sarahshabrina.tk, 1
+sarahsommer.de, 1
+sarahtamsin.com, 1
+sarahvanessen.tk, 1
+sarahwellington.com, 1
+sarahwikeley.co.uk, 1
+saraleebread.com, 0
+saranamayyappa.tk, 1
+sarand.ch, 0
+saraskins.space, 1
+sarasotadentistry.com, 1
+sarasotaroboticurology.com, 1
+saratogasprings-ut.gov, 1
+saratogawi.gov, 1
+saraton-kasalligi.cf, 1
+saraton-kasalligi.ml, 1
+saraton-kasalligi.tk, 1
+saratov24.tk, 1
+saratovlive.tk, 1
+saratovnews.ml, 1
+saratovtime.tk, 1
+sarayeketabesoti.ir, 1
+sarbarhetsskanning.se, 1
+sarbash.ee, 1
+sarbel.tk, 1
+sarcasmlol.ga, 1
+sarcastic.com.au, 1
+sarcoxiemo.gov, 1
+sard.ro, 1
+sardacompost.it, 1
+sardegnarifiuti.it, 1
+sardegnatirocini.it, 1
+sardine.tk, 1
+sardinhagarcia.pt, 1
+sardinianvillas.co.uk, 1
+sardinianvillas.com, 1
+sardinianvillas.ru, 1
+sardoche.lol, 1
+sarecords.tk, 1
+sareena.org, 1
+sarella.org, 1
+sarems.com, 1
+saresegur.com, 1
+sargar.tk, 1
+sargarmi.tk, 1
+sargenttechnologyservices.com, 1
+sarh.com.au, 1
+sarhua.tk, 1
+saria.fun, 1
+saribunga.id, 1
+sarink.eu, 1
+sarisander.com, 1
+saritas.com.tr, 1
+sarjakuvakauppa.fi, 1
+sarjas.tk, 1
+sarkaridomain.com, 1
+sarkarinaukriworld.net, 1
+sarkariresultz.in, 1
+sarkazam.ml, 1
+sarkchat.cf, 1
+sarki-sozleri.net, 1
+sarkisianbuilders.com, 1
+sarkom.tk, 1
+sarkvideos.cf, 1
+sarmpel.tk, 1
+sarndipity.com, 1
+sarny.at, 1
+sarogiw.tk, 1
+saropa.com, 1
+sarpsb.org, 1
+sarrworld.com, 1
+sars-cov-2.com, 1
+sarto.roma.it, 1
+sartori.tk, 1
+sartoria.milano.it, 1
+sartoria.roma.it, 1
+sarumtechnologies.com, 1
+sarv.com, 1
+sarvaappstage.com, 1
+sarzamintarh.ir, 1
+sas-snowboarding.sk, 1
+sasakala.tk, 1
+sasapost.co, 1
+sasasa.org, 1
+sasazono.com, 1
+sascha-brockel.de, 1
+sascha.io, 1
+sascha.is, 1
+saschabruemmer.de, 1
+saschaeggenberger.ch, 1
+saschaeggenberger.com, 1
+sascorp.co.uk, 1
+sascorp.es, 1
+sash.pw, 1
+sashabognibov.tk, 1
+sashaclothing.tk, 1
+sashakrasnoyarsk.tk, 1
+sashascollections.com, 1
+sashka.com.ua, 1
+sashleighaust.com, 1
+sasioglu.co.uk, 1
+saskiacreations.nl, 1
+saskiadhont.be, 1
+saskialund.de, 1
+sasrobotics.xyz, 1
+sasroli.tk, 1
+sasse9662.net, 1
+sassyporkchop.com, 1
+sastamalandemarit.fi, 1
+sastd.com, 1
+sasthyaseba.com, 1
+sasyabapi.com, 1
+sat-kw.net, 1
+sat-p.tk, 1
+sat4all.com, 1
+sata-group.com, 1
+satai.dk, 1
+satal.in, 1
+satangcorp.com, 1
+satania.moe, 1
+satanindito.tk, 1
+satanspowers.tk, 1
+satario.vn, 1
+satat.cf, 1
+satat.tk, 1
+sataturf.com, 1
+sateahafreedi.com, 1
+sateallia.org, 1
+satelital.tk, 1
+satellights.tk, 1
+satellite-equipment.tk, 1
+satellite-shop.tk, 1
+satellite-top.com, 1
+satellitebeach.gov, 1
+satellites.hopto.me, 1
+satellitetelevision.tk, 1
+satellitetv-deal.com, 1
+satellitetv.tk, 1
+satheeshsbennet.tk, 1
+satimagingcorp.com, 1
+satindolls.tk, 1
+satinn.pl, 1
+satirelabs.com, 1
+satisfaction.su, 1
+satisfactory-calculator.com, 1
+satismeter.com, 1
+satisperfectacollections.com, 1
+satistemsilcileri.com, 1
+sativatunja.com, 1
+satl-lelystad.nl, 1
+satlantis.tk, 1
+satmd.de, 1
+sato-legaloffice.jp, 1
+satopletova.cz, 1
+satoshinumbers.com, 1
+satowa-network.eu, 0
+satpersian.tk, 1
+satplay.host, 1
+satradio.tk, 1
+satramana.org, 1
+satselect.tk, 1
+satserwis.xyz, 1
+satsukii.moe, 1
+satsumi.tk, 1
+satta-company.tk, 1
+sattamatka420.mobi, 0
+sattaresult.in, 1
+sattaresult.net, 1
+sattaresult.net.in, 1
+saturday.kiwi, 1
+saturdayenterprises.ga, 1
+saturn-test.network, 1
+saturne.tk, 1
+saturnjump.com, 1
+saturnus.consulting, 1
+satvasolutions.com, 1
+satwcomic.com, 1
+satya-insights.com, 1
+satyamshivamsundaram.in, 1
+sau.cy, 1
+saubermacher.at, 1
+saubooks.tk, 1
+saucelabs.com, 1
+saudecoluna.com, 1
+saudedigitalnews.com.br, 1
+saudeintimadamulher.com.br, 1
+saudenoclique.com.br, 1
+saudiembassy.net, 1
+saudiglasses.com, 1
+saudinews.ml, 1
+saue.edu.ee, 1
+sauenytt.no, 1
+sauerbrey.eu, 1
+sauerland-rundflug.de, 1
+sauerland-schnittgruen.de, 1
+sauerwetter.tk, 1
+saugatucktownshipmi.gov, 1
+saulchristie.com, 1
+saulsplace.com, 0
+saulsplacehealth.com, 1
+saulsplacewebdesign.com, 1
+saultdefencelaw.ca, 1
+saulvanderbijl.com, 1
+sauna-acties.nl, 1
+saunaempire.lt, 1
+saunafahrten.ch, 1
+saunahats.eu, 1
+saunas.fr, 1
+saunatime.jp, 1
+saunavoordeel.nl, 1
+sauravdas.in, 1
+saurel.me, 1
+saurusly.com, 1
+sauseng.eu, 1
+sauthon.com, 0
+sauvagebridge.nl, 1
+sauve-tes-euros.com, 1
+savaari.com, 1
+savage-harmony.tk, 1
+savagecore.eu, 1
+savanna.io, 1
+savanna.vn.ua, 1
+savannahhappycats.com, 1
+savannapro.vn.ua, 1
+savant-dagen.nl, 1
+savantcare.com, 1
+savatha.tk, 1
+savbus.com, 1
+savbus.net, 1
+savbus.ws, 1
+savchenko.net, 1
+savchook.com, 1
+savconventioncenter.com, 1
+savcurv.com, 1
+save-home.com.tw, 1
+save-me-aachen.de, 1
+save-me-aachen.eu, 1
+save-me-koeln.de, 1
+save-your-bitcoins.com, 1
+save.ch, 1
+save.gov, 1
+saveaward.gov, 1
+savebees.org, 1
+savebt.net, 1
+savedana.tk, 1
+savejonasquinn.tk, 1
+savemyexams.co.uk, 1
+savemylicence.co.uk, 1
+saveolga.tk, 1
+saveoney.ca, 1
+saveora.com, 1
+saveora.shop, 1
+savesilvercreek.com, 1
+savesilvercreek.org, 1
+savesmart.be, 1
+savestatecentral.tk, 1
+savesubs.com, 1
+savetech.tk, 1
+savethedogfishfoundation.org, 1
+savetheinternet.eu, 1
+savetomp3.net, 1
+saveusfromavril.tk, 1
+savewildcats.eu, 1
+savewildcats.foundation, 1
+savewildcats.life, 1
+savewithupgrade.com, 1
+saveworldpets.ga, 1
+saveyourhouse.tk, 1
+saveyourinternet.eu, 1
+savicki.co.uk, 1
+savicki.cz, 1
+savicki.sk, 1
+savilleassessment.com, 1
+savin.ga, 1
+savin.in, 1
+savinggoliath.com, 1
+savingmoses.org, 1
+savingsbondwizard.gov, 1
+savingsoftheyear.com, 1
+savingtails.org, 1
+savitar.guide, 1
+saviynt.com, 0
+savoir.ga, 1
+savonlinnatrujillo.tk, 1
+savonsuuntaporaus.fi, 1
+savoryandpartners.com, 1
+savour-magazine.co.uk, 1
+savransafari.com, 1
+savushkin.tk, 1
+savvice.com.ph, 1
+savvycleaner.com, 1
+savvydevelopment.com, 1
+savvystagingaz.com, 1
+sawanonlinebookstore.com, 1
+sawansasaram.ml, 1
+sawiday.at, 1
+sawiday.be, 1
+sawiday.com, 0
+sawiday.cz, 1
+sawiday.de, 1
+sawiday.es, 1
+sawiday.fi, 1
+sawiday.fr, 1
+sawiday.it, 1
+sawiday.nl, 1
+sawiday.pl, 1
+sawiday.se, 1
+sawikowscy.eu, 1
+sawikowscy.pl, 1
+sawpa.gov, 1
+saxeandthecity.com, 1
+saxifrageleather.com, 1
+saxis.dk, 1
+saxobroko.com, 1
+saxobroko.ga, 1
+saxobroko.gq, 1
+saxocon.com, 1
+saxojoe.co.uk, 1
+saxojoe.de, 1
+saxol-group.com, 1
+saxoncreative.com, 1
+saxophone.tk, 1
+saxotrader.com, 1
+saxynele.tk, 1
+say-it-loud.com, 1
+sayansamanta.com, 0
+sayany.tk, 1
+sayaraautoservices.com, 1
+saybecraft.ru, 1
+saybrus.partners, 1
+saydj.tk, 1
+sayednidhalphoto.tk, 1
+sayeghonline.com, 0
+sayehsazan.ir, 1
+sayers.group, 0
+sayfa.istanbul, 1
+sayfr.com, 0
+sayhanabi.eu.org, 1
+sayhi.com, 1
+sayhuahuo.net, 1
+sayhuahuo.xyz, 1
+sayingimages.com, 1
+sayiw.com, 1
+saymonz.net, 1
+sayprepay.com, 1
+sayura.net, 1
+sayver22.com, 1
+saz-it.de, 1
+saz.sh, 1
+saz9001.com, 1
+saznworld.com, 1
+sazuz.cz, 1
+sb-graph.com, 0
+sb-group.dk, 1
+sb-sd.org, 1
+sb-webdev.de, 1
+sb.ax, 1
+sb.im, 1
+sb.sb, 1
+sb0.io, 1
+sba4u.com, 1
+sba7a.loans, 1
+sbabeshin.tk, 1
+sbacorporation.it, 1
+sbanken.no, 1
+sbankendnb.no, 1
+sbaten.nl, 1
+sbblog.cn, 1
+sbcalitagtag.edu.ph, 1
+sbcargo.com, 1
+sbcbatangas.edu.ph, 1
+sbcmedia.nl, 1
+sbcountyarc.gov, 1
+sbcountyatc.gov, 1
+sbcountywines.com, 1
+sbeech.uk, 0
+sbequineevac.org, 1
+sber-solutions.kz, 1
+sber-solutions.ru, 1
+sber.games, 1
+sberanalytics.ru, 1
+sberbank.ch, 1
+sbercity.ru, 1
+sbercontactmonitoring.ru, 1
+sbermobile.ru, 1
+sbestimes.com, 1
+sbettoken.org, 1
+sbf888.com, 1
+sbgcred.com, 1
+sbhscotland.org.uk, 1
+sbiewald.de, 1
+sbimtopografos.com, 1
+sbin.pt, 1
+sbir.gov, 0
+sbirwot.xyz, 1
+sbl250.com, 1
+sbli.com, 1
+sbm.cloud, 1
+sbm.org.tr, 1
+sbmenedzsment.hu, 1
+sbmsite.cf, 1
+sbmsite.ml, 1
+sbmsitelist.ml, 1
+sbmsitelist.tk, 1
+sbmsmartaccounting.co.uk, 1
+sbmt.cc, 1
+sbo.no, 1
+sbodewissel.tk, 1
+sborka.ml, 1
+sbpk.fr, 1
+sbpropman.co.uk, 1
+sbrc.gov, 1
+sbrouwer.org, 1
+sbrownbourne.com, 0
+sbsavings.bank, 1
+sbscyber.com, 1
+sbspp.ru, 1
+sbsrv.ml, 1
+sbssoft.ru, 1
+sbst.gov, 1
+sbstattoo.com, 1
+sby-tampere.tk, 1
+sc-artworks.co.uk, 0
+sc019.com, 1
+sc2labs.com, 1
+sc2pte.eu, 1
+sc5.jp, 1
+scaarus.com, 1
+scadanews.net, 1
+scaffalature.roma.it, 1
+scaffoldhiremidrand.co.za, 1
+scaffoldhirerandburg.co.za, 1
+scaffoldhiresandton.co.za, 1
+scaffoldingsandton.co.za, 1
+scag9.com, 1
+scai.org, 1
+scala.click, 1
+scalafactory.io, 1
+scalaire.com, 1
+scalaire.fr, 1
+scale.at, 1
+scale.milano.it, 1
+scale.roma.it, 1
+scalecalculation.ml, 1
+scaledge.com, 1
+scalemodeling.tk, 1
+scalesbiolab.com, 1
+scaleskun.com, 1
+scaligerorooms.it, 1
+scaling.solutions, 0
+scalive.tv, 1
+scallywagsbouncycastles.co.uk, 1
+scallywagskids.co.uk, 1
+scalpel.com, 1
+scalr.io, 1
+scamadviser.com, 1
+scamangels.com, 1
+scambistimaturi.com, 1
+scamblockplus.org, 1
+scamwatch.gov.au, 1
+scan.co.uk, 1
+scan.computer, 1
+scanamed.tk, 1
+scanbetting.ga, 1
+scandalindo.ml, 1
+scandalpunk.tk, 1
+scandata.cf, 1
+scandata.tk, 1
+scandesk.com, 1
+scandinavia.ga, 1
+scandinaviancorner.tk, 1
+scandiweb.com, 1
+scaner.ga, 1
+scangeo.net, 1
+scanigma.com, 1
+scanmailx.com, 1
+scanmy.email, 1
+scanningpens.ca, 1
+scanningpens.co.uk, 1
+scanningpens.com, 1
+scanningpens.com.au, 1
+scanpay.dk, 1
+scanprice.us, 1
+scansnus.com, 1
+scantrics.io, 1
+scanutracker.com, 1
+scanyachat.cf, 1
+scapin.dk, 1
+scapp9565.xyz, 1
+scappoose.gov, 1
+scappoosebay-wc.org, 1
+scarabcoder.com, 1
+scaracloud.ddns.net, 1
+scarafaggio.it, 1
+scarboroughscrapcars.com, 1
+scarboroughtec.ac.uk, 1
+scardracs.blog, 1
+scarecrow-cn.com, 1
+scaricamusica.tk, 1
+scarinex.tk, 1
+scarsviewchrysler.com, 1
+scary.cafe, 1
+scaryghost.tk, 1
+scasset.com, 1
+scatdhhs.gov, 1
+scatgirls.net, 1
+scatsbouncingcastles.ie, 1
+scatterd.im, 1
+scatteredcode.net, 1
+scatters.com, 1
+scatterscasino.com, 1
+scavalentenx.duckdns.org, 1
+scavenged.ga, 1
+scbdh.org, 1
+scbodner.com, 1
+sccd.co.uk, 1
+sccoaching.io, 1
+scde.ventures, 1
+scdmx.de, 1
+scdn.us, 1
+sceenfox.de, 1
+scejournals.org, 1
+scenadex.ga, 1
+scenari.eu, 1
+scenari.ovh, 1
+scenarp.pl, 1
+scenastu.pl, 1
+scene.mx, 1
+scenefense.tk, 1
+scenester.tv, 1
+scenetv.ga, 1
+scenic.camera, 1
+scenic.gallery, 1
+scenicbyways.info, 1
+scentiche.com, 1
+scepticism.com, 1
+scers.gov, 1
+scevity.com, 0
+scfpensante.ca, 1
+scfssp.it, 1
+sch44r0n.de, 1
+schaafenstrasse.koeln, 1
+schachburg.de, 1
+schachingerfilm.at, 1
+schadehulpservice.nl, 1
+schaedlingsbekaempfung.tk, 1
+schaerding-innovativ.at, 1
+schafspieker.ddnsking.com, 0
+schallert.com, 0
+schambereich.org, 1
+schamlosharmlos.de, 1
+schampaert.com, 1
+schaper-sport.com, 1
+schastie.ml, 1
+schat.top, 1
+schatderer.com, 1
+schatderer.xyz, 1
+schattenwoelfe.tk, 1
+schattka.com, 1
+schatzibaers.de, 1
+schauergroup.com, 1
+schaumburg-dachundwand.de, 1
+schaumburgil.gov, 1
+schauraum.tk, 1
+schauspielbuehnen.de, 1
+schausteller.de, 1
+schawe.me, 1
+schbebtv.fr, 1
+schdata.de, 1
+schedule-editor.com, 1
+schedulehero.io, 1
+scheervergelijker.nl, 1
+schefczyk.com, 1
+schefczyk.de, 1
+schefczyk.eu, 1
+schefczyk.net, 1
+schefer-mietstapler.de, 1
+scheidegger-kaesealpe.de, 1
+scheidingspuntlansingerland.nl, 1
+scheinerhaus.at, 1
+scheinlichter.de, 1
+schekino.ru, 1
+scheldestromen.nl, 1
+schelkovo.tk, 1
+schella.network, 1
+schellebelle.tk, 1
+schellenberg-web.de, 1
+schellenberg.ac, 1
+schellevis.net, 0
+schemingmind.com, 1
+schenectadycountyny.gov, 1
+schenkel.eti.br, 1
+schenkel.tk, 1
+schenkes.de, 0
+scherfke.de, 1
+schermen-en.nl, 1
+schermkapot.nl, 1
+schertztx.gov, 1
+scheuchenstuel.at, 1
+schgroup.com, 1
+schiau.co, 1
+schiavaonei.tk, 1
+schiavidiabruzzo.tk, 1
+schibsted.com, 1
+schibsted.dk, 1
+schibsted.fi, 1
+schibsted.no, 1
+schibsted.nz, 1
+schibsted.se, 1
+schickert.org, 1
+schicksal.com, 1
+schiedelkonfigurator.hu, 1
+schielandendekrimpenerwaard.nl, 1
+schier.info, 1
+schil.li, 1
+schildbach.de, 1
+schiltron.tk, 1
+schimmel-test.info, 1
+schimmelnagelspecialist.nl, 0
+schindler.be, 1
+schindler.co.il, 1
+schindler.com, 1
+schindler.ie, 1
+schindler.ma, 1
+schindler.nl, 1
+schindler.pl, 1
+schindler.rs, 1
+schindler.sk, 1
+schinkelplatz.com, 1
+schipholwatch.nl, 1
+schipholwatch.org, 1
+schippendale.de, 1
+schiriportal.ch, 1
+schirmer.io, 0
+schittscreek.shop, 1
+schizoid.tk, 1
+schizoids.net, 1
+schizomatrix.cf, 1
+schizomatrix.tk, 1
+schlachter.ca, 1
+schlafteq.com, 1
+schlagenhauf.info, 0
+schlager.de, 1
+schlagma.de, 1
+schlagzeug-lernen.com, 1
+schlappmoebel.de, 1
+schlarb.eu, 1
+schlechtewitze.com, 1
+schleifenbaum.org, 1
+schlitzbergers.com, 1
+schlopolis.tk, 1
+schloss-gottorf.de, 1
+schloss-wackerbarth.de, 1
+schlossanger.de, 1
+schlossberg-hotel-wernigerode.de, 1
+schlossfuchs.de, 1
+schlouk-map.com, 1
+schluderns.org, 1
+schluesseldienst-hannover24.de, 1
+schluesseldienst-haymov.de, 1
+schluesseldienstzentrum.de, 1
+schmaeh-coaching.ch, 1
+schmatloch.cloud, 1
+schmelzle.io, 1
+schmidal-et-fils.fr, 1
+schmidt-fri.de, 1
+schmidt-friesoythe.de, 1
+schmiedbauergut.at, 1
+schmiedecorp.com, 1
+schmiggywibblits.net, 1
+schmitt-etienne.fr, 1
+schmitt-max.com, 1
+schmitt.ws, 0
+schmitzvertalingen.nl, 1
+schmucker.it, 1
+schnalstal.info, 1
+schnapke.name, 1
+schnapsverein.ddns.net, 1
+schnaube.de, 1
+schnauzer-dogs.com, 1
+schneckenhilfe.de, 0
+schnegg.name, 0
+schneider-dresden.de, 1
+schneider-romania.ro, 1
+schneider.co.il, 1
+schneidr.de, 0
+schneids.me, 1
+schnellno.de, 1
+schnippering.com, 1
+schnism.net, 1
+schnitzel-und-co.de, 1
+schnouki.net, 1
+schnuckenhof-wesseloh.de, 1
+schnyder-werbung.ch, 0
+schody-rozycki.pl, 1
+schoenstatt-fathers.link, 1
+schoenstatt.link, 1
+schoepski.de, 1
+schoknecht.net, 1
+schoknecht.one, 1
+schoko-ferien.de, 0
+schokobebe.net, 1
+schokoferien.de, 0
+schokokeks.org, 1
+scholar.group, 0
+scholar.pk, 1
+scholar.site, 0
+scholarbaze.cf, 1
+scholarchip.com, 1
+scholarconnect.com, 1
+scholareducation.tk, 1
+scholarly.com.ph, 1
+scholarly.ph, 1
+scholarnet.cn, 1
+scholars-societas.org, 1
+scholarsclub.club, 1
+scholarships.ga, 1
+scholarships.link, 1
+scholding.ru, 1
+scholenlijst.tk, 1
+scholenprogrammagroningen.nl, 1
+scholi.org, 1
+scholieren.com, 1
+scholingua.com, 1
+schollbox.de, 0
+scholledev.com, 1
+scholohost.tk, 1
+scholtensupport.nl, 1
+scholz-kallies.de, 1
+schonstedt.com, 1
+schont.org, 1
+school-22.tk, 1
+school-27-lpr.tk, 1
+school-33.tk, 1
+school-adventures.tk, 1
+school-counselor.org, 1
+school-id.co.uk, 1
+school-korfbal.nl, 1
+school-project.tk, 1
+school-psychologists.com, 1
+school-register.co.za, 1
+school.in.th, 1
+school16-tob.tk, 1
+school173.tk, 1
+school32.tk, 1
+school43.tk, 1
+school91.ml, 1
+schoolantwoorden.tk, 1
+schoolbag.gq, 1
+schoolbag.ml, 1
+schoolbag.tk, 1
+schoolbytes.com.au, 1
+schoolbytes.education, 1
+schoolcafe.com, 1
+schoolcash.net, 1
+schoolcashonline.com, 1
+schoolcrafttownshipmi.gov, 1
+schooldatasquad.com, 1
+schooldismissalmanager.com, 1
+schooleducationharyana.gov.in, 1
+schoolheads.ph, 1
+schoolhouse.world, 1
+schooli.io, 1
+schoolofequineshiatsu.com, 1
+schoolotzyv.ru, 1
+schoolroom.ga, 1
+schoolrumble.tk, 1
+schoolsafety.gov, 1
+schoolshow.nl, 1
+schoolsonice.nl, 1
+schooltransport.com.au, 1
+schooluniform.com.au, 1
+schoonheidssalon-annelies-santpoort.nl, 1
+schoonheidssalon-annelies-velserbroek.nl, 1
+schoonheym.com, 1
+schoonheym.nl, 1
+schoop.me, 1
+schopenhauer-institut.de, 1
+schorel.eu, 1
+schorel.ovh, 1
+schorelweb.nl, 1
+schorers.org, 1
+schorle.wine, 1
+schottenland.de, 1
+schottlandtaxi.de, 1
+schoutenseo.com, 1
+schrauber.tk, 1
+schrauger.com, 1
+schrauger.info, 1
+schrauger.net, 1
+schrauger.org, 1
+schrauger.run, 1
+schraugerrun.com, 1
+schreibers.ca, 1
+schreilechner.tk, 1
+schreinerei-jahreis.de, 1
+schreinerei-schweikl.de, 1
+schreinert.com, 1
+schrijnwerkerij-deconinck.be, 1
+schrijnwerkerij-deconinck.com, 1
+schrijverspunt.nl, 1
+schritt4fit.de, 1
+schroderusa.cf, 1
+schrodingersscat.com, 1
+schrodingersscat.org, 1
+schroeder-immobilien-sundern.de, 1
+schroederdennis.de, 1
+schroepfi.de, 0
+schroettle.com, 1
+schrok.eu, 1
+schrolm.de, 1
+schsrch.org, 1
+schtiehve.duckdns.org, 1
+schu.be, 1
+schubertgmbh-ingelheim.de, 1
+schubertnest.at, 1
+schuelerzeitung-ideenlos.de, 1
+schuermannhof.de, 1
+schuetzen-ehrenbreitstein.de, 1
+schuetzenverein-schwanfeld.de, 1
+schuhbeck.tk, 1
+schuhbedarf.de, 1
+schuhwelt.de, 1
+schuhzoo.de, 1
+schulden.tk, 1
+schulderinsky.de, 1
+schule.wtf, 0
+schuler.st, 1
+schulferien.org, 1
+schulhomepage.de, 1
+schulid.de, 1
+schull.ch, 0
+schum.world, 0
+schuman.tk, 1
+schumanandmonnet.eu, 1
+schummar.de, 0
+schunako.ch, 1
+schupp.io, 1
+schutte.tk, 1
+schutterij-sintsebastianus-eys.tk, 1
+schutterijschinveld.nl, 0
+schutz-vor-schmutz.de, 1
+schutzkoffer-profilampen.at, 1
+schutznetze24.de, 1
+schutzwerk.com, 1
+schuurmanopleidingen.nl, 1
+schuylercountyil.gov, 1
+schuylercountyny.gov, 1
+schuylerne.gov, 1
+schuylkillcountypa.gov, 1
+schwabenhaus-ka.de, 1
+schwan-gestaltung.de, 1
+schwano-dent.at, 1
+schwartinsky24.de, 1
+schwartz.pro, 1
+schwarz-gelbe-fuechse.de, 1
+schwarzegar.de, 1
+schwarzenberg.tk, 1
+schwarzes-muenchen.de, 1
+schwarztrade.cz, 1
+schwarzwaelder-schinken-verband.de, 1
+schwarzwald-flirt.de, 1
+schwedischezahnaerztin.com, 1
+schwedischezahnaerztin.de, 1
+schweingehabt.expert, 1
+schweiz-sextreffen.ch, 1
+schweizerbanken.tk, 1
+schweizers-restaurant.de, 1
+schwerkraftlabor.de, 1
+schwertkriege.de, 1
+schwienbacher-karl.it, 1
+schwifty.cloud, 1
+schwiha.de, 1
+schwimmschule-kleine-fische.de, 1
+schwinabart.com, 1
+schwingen.net, 1
+schwinger.me, 1
+schwinnbike.ru, 1
+schworak.com, 1
+schwub.de, 1
+sci-internet.tk, 1
+sciagebeton.net, 1
+sciartel.ru, 1
+scias.com, 1
+scib.tk, 1
+sciburg.com, 1
+sciclubappiano.it, 1
+scicollege.org.sg, 1
+scicomm.xyz, 1
+science-questions.org, 1
+science-texts.de, 1
+science.gov, 1
+science360.gov, 1
+science4fun.info, 1
+scienceasfashion.ga, 1
+sciencebase.gov, 1
+sciencedaily.com, 1
+scienceeducation.tk, 1
+scienceeurope.org, 1
+scienceforhealth.eu, 1
+scienceminnesota.com, 1
+sciencemonster.co.uk, 1
+sciencenews.gq, 1
+scienceofpeople.com, 0
+sciencequality.tk, 1
+sciences-world.com, 1
+scienceschool.ml, 1
+sciencesolutions.eu, 1
+sciencetechworld.tk, 1
+sciencetoymaker.org, 1
+sciencetram.tk, 1
+scienceweb.tk, 1
+sciencex.com, 1
+sciencexpo.org.za, 1
+scientia.ga, 1
+scientific-editing.info, 1
+scientific-socialism.cf, 1
+scientific-socialism.ga, 1
+scientific-socialism.ml, 1
+scientificdev.net, 1
+scif.com, 1
+scifplus.com, 1
+scifsafe.com, 1
+scigov.xyz, 1
+scijinks.gov, 1
+scimaxglobal.com, 1
+scindustries.it, 1
+scintillating.stream, 1
+scionasset.com, 0
+sciooregon.gov, 1
+sciotoarts.com, 1
+sciototownship-oh.gov, 1
+scip.ch, 1
+scislowcy.pl, 1
+scisoltd.com, 1
+scit-nsn.gov, 1
+scitheory.com, 1
+scitopia.me, 1
+scituateri.gov, 1
+scity88.com, 1
+scjc-bridge.fr, 1
+sckc.stream, 1
+sclasupplychain.com, 1
+sclause.net, 1
+scloud.link, 1
+sclsnglssttldwn.com, 1
+sclub7esp.tk, 1
+scm-2017.org, 1
+scmestetic.pl, 1
+scmitchell.com, 1
+scms.com.my, 1
+scn9a.com, 1
+scnow.com, 1
+scoaladewebsiteuri.ro, 1
+scoebg.org, 1
+scoffable.com, 1
+scola.id, 1
+scolacdn.com, 1
+scoliosisinstitute.com, 1
+scom.org.uk, 1
+scommessalegale.com, 1
+scommessenonaams.com, 1
+sconecloud.com, 1
+scontomio.com, 1
+scooby.ml, 1
+scoolcode.com, 1
+scoolio.de, 1
+scoop6.co.uk, 1
+scoopcake.com, 1
+scoopcanada.com, 0
+scoopgh.com, 1
+scooply.org, 1
+scootaloo.co.uk, 1
+scootarama.com, 1
+scooterinaustralia.tk, 1
+scootermalagarental.com, 1
+scooters.ltd.uk, 1
+scootersbonaire.com, 1
+scooterservis.com, 1
+scootertechnofrance.tk, 1
+scope.studio, 1
+scopea.fr, 0
+scopechart.com, 1
+scopeglass.com.au, 1
+scopethree.org, 1
+scopus.tk, 1
+scorb.com.br, 1
+scorchers.tk, 1
+scorebet24.com, 1
+scoresense.com, 1
+scoro.com, 1
+scorobudem.ru, 1
+scorpia.co.uk, 1
+scorpiogroup.net, 1
+scorpiomarine.co.in, 1
+scorpioncomputers.nl, 1
+scorpiongames.tk, 1
+scorpions-realm.tk, 1
+scorpions.tk, 1
+scorpiotankers.com, 1
+scothauscounseling.com, 1
+scotiabank.ca, 1
+scotlandinaweek.com, 1
+scotlandrun.com, 1
+scott-lacy.com, 1
+scott-smith.us, 1
+scott.cm, 1
+scott.st, 1
+scott.today, 1
+scottainslie.me.uk, 1
+scottandtammy.com, 1
+scottashley.tk, 1
+scottbot.tk, 1
+scottbroad.com.au, 1
+scottcoil.gov, 1
+scottcountyva.gov, 1
+scottdayman.com, 1
+scottech.com.au, 1
+scottgalvin.com, 1
+scotthelme.co.uk, 1
+scotthelmesucks.com, 1
+scottipc.com, 1
+scottish-paranormal.tk, 1
+scottishcca.co.uk, 1
+scottishcu.org, 1
+scottishseniorsgolf.com, 1
+scottlanderkingman.com, 1
+scottmay.id.au, 1
+scottniven.tk, 1
+scottpilgrim.tk, 1
+scottrae.me.uk, 1
+scottsautocarrier.com, 1
+scottsbluffcountyne.gov, 1
+scottsboropdal.gov, 1
+scottsdaleaz.gov, 1
+scottseditaacting.com, 1
+scottsfreightshipping.com, 1
+scottshorter.com.au, 1
+scottspainting.com, 1
+scottsvalley.gov, 1
+scottsvilleva.gov, 1
+scottymiller.au, 1
+scottyspot.tk, 1
+scounter.tk, 1
+scour.cc, 1
+scoure.de, 1
+scourgesofcarpathia.tk, 1
+scout-korting.tk, 1
+scout.org, 1
+scouteridano.tk, 1
+scouting-kontiki.nl, 1
+scoutingeijsdenonline.tk, 1
+scoutingkontiki.nl, 1
+scoutingmeerhoven.nl, 1
+scoutingridderkerk.nl, 1
+scoutingtungelroy.nl, 1
+scoutingvilsteren.tk, 1
+scoutnation.tk, 1
+scoutnet.de, 1
+scoutreinosa.tk, 1
+scoutsanbartolome.tk, 1
+scoutsanpieropatti.tk, 1
+scoutsdeldesierto.tk, 1
+scoutwired.org, 1
+scp-rustenholz-trens.notaires.fr, 1
+scp500.com, 1
+scpe.eu.org, 1
+scphotography.co.uk, 1
+scpidcard.com, 1
+scpocahontas.nl, 1
+scpower.sg, 1
+scpreplay.net, 1
+scpsecretlab.com, 1
+scpsecretlab.pl, 1
+scpsecretlaboratory.com, 1
+scpsl.ru, 1
+scpslgame.com, 1
+scqpw.com, 1
+scra.gov, 1
+scrabble-solver.com, 1
+scrabblecheat.com, 1
+scrabbleonline.nl, 1
+scrambled.online, 1
+scramsoft.com, 1
+scrantonmma.com, 1
+scrap-car-removal.ca, 1
+scrap.photos, 1
+scrap.tf, 1
+scrapbookdecorations.ga, 1
+scrapcarbrampton.ca, 1
+scrapcars.net.au, 1
+scrapfly.io, 1
+scrapmartine.tk, 1
+scrapmetals.bg, 1
+scrapmycarperth.com.au, 0
+scrapticket.jp, 1
+scratch-ppp.jp, 1
+scratchbot.tk, 1
+scratchzeeland.nl, 1
+scrawn.net, 0
+scrayos.net, 1
+scrc.gov, 1
+screamager.tk, 1
+screamingrooster.co.nz, 1
+scredible.com, 0
+screefox.de, 1
+screen-fox.de, 1
+screen64.tk, 1
+screenart.tv, 0
+screenfax.de, 1
+screenfox.eu, 1
+screenfox.info, 1
+screenfox.net, 1
+screeningmaster.jp, 1
+screeningxchange.com, 1
+screenmachine.com, 1
+screenpublisher.com, 1
+screenrant.com, 1
+screentimelabs.com, 1
+screenwalker.de, 1
+screenwriter.tk, 1
+screenzy.io, 1
+screvencosheriffga.gov, 1
+screvencountyga.gov, 1
+scribblefun.com, 1
+scribbler.tk, 1
+scribd.com, 1
+scriber.to, 1
+scripo-bay.com, 1
+script-sign.com, 1
+script.google.com, 1
+scriptamanent.org, 1
+scripter.co, 1
+scriptgates.ru, 0
+scripthost.org, 1
+scriptjunkie.us, 1
+scriptline.ga, 1
+scriptmaker.tk, 1
+scriptnav.com, 1
+scriptolab.com, 1
+scriptomania.tk, 1
+scriptrock.com, 1
+scriptsrus.tk, 1
+scripty.org, 0
+scrod.me, 1
+scroll-to-top-button.com, 1
+scroollocker.tk, 1
+scrot.de, 1
+scruffy.ga, 1
+scruffymen.com, 1
+scrum.org, 1
+scrumplex.net, 1
+scrumplex.rocks, 1
+scrumpus.com, 1
+scrumstack.co.uk, 1
+scrutinizer.com, 1
+scryfall.com, 1
+scs-technik.de, 1
+scsd.si, 1
+scservis.cz, 1
+scsp.ai, 1
+scsprotect.com, 1
+scstg.net, 1
+sctfpa.gov, 1
+sctiger.me, 1
+sctiger.men, 1
+sctiger.ml, 1
+sctm.at, 1
+sctrainingllc.com, 1
+scubadavediving.com, 1
+scubadiving-phuket.com, 1
+scubahirefiji.com, 1
+scubaland.hu, 1
+scubly.com, 1
+scul.net, 1
+sculptaestheticsclinic.co.uk, 1
+sculpteo.com, 1
+sculpture.support, 1
+sculpturesworldwide.tk, 1
+scunthorpemoneyman.com, 1
+scuola-e-cultura.it, 1
+scuolaguidalame.ch, 0
+scuolamazzini.livorno.it, 1
+scuolaparentalesanpancrazio.it, 1
+scurtam.tk, 1
+scuspd.gov, 1
+scuters.club, 1
+scvilareal.tk, 1
+scvotes.gov, 1
+scw.nz, 1
+scwildflours.com, 1
+scwilliams.co.uk, 1
+scwilliams.uk, 1
+scwind.com, 1
+scylla.live, 1
+scytl.com, 0
+sd.af, 1
+sd.ax, 1
+sd44.ca, 1
+sdaniel55.com, 1
+sdarcc.gov, 1
+sdarot.tw, 1
+sdb.aero, 1
+sdbehavioralhealth.gov, 1
+sdcapp.in, 1
+sdcardrecovery.de, 1
+sdea.ca, 1
+sdebitati.it, 1
+sdesam.ru, 1
+sdeu.fr, 1
+sdfamilycare.org, 1
+sdgllc.com, 1
+sdgrait.tech, 1
+sdguitdagingen.be, 1
+sdguitdagingen.gent, 1
+sdhb.cz, 1
+sdhblatnice.cz, 1
+sdhblatnice.eu, 1
+sdhcounselling.co.uk, 1
+sdho.org, 1
+sdipolanight.co.uk, 1
+sdis-trib.fr, 1
+sdkco.net, 1
+sdn.cz, 1
+sdn3wonocoyo.sch.id, 1
+sdns.fr, 1
+sdns.io, 1
+sdocast.com, 1
+sdp-grupopit.com, 1
+sdp.training, 1
+sdphoto.com.au, 1
+sdpokieswiry.ga, 1
+sdpokieswiry.tk, 1
+sdruzeniprovltavu.cz, 1
+sdsi.us, 1
+sdsite.tk, 1
+sdsmanagement.me, 0
+sdsmt.engineering, 1
+sduconnect.nl, 0
+sdut.gq, 1
+sdvx.net, 0
+sdxcentral.com, 1
+sdyzmun.club, 1
+se-booster.com, 1
+se-center.pl, 1
+se-live.org, 1
+se-theories.org, 1
+se.au, 0
+se.com, 1
+se.gg, 1
+se.search.yahoo.com, 0
+se2.com, 1
+sea-airinternational.tk, 1
+sea-godzilla.com, 1
+sea.zapto.org, 1
+seabooty.com, 1
+seaborn.top, 0
+seachef.it, 1
+seadrive.cc, 1
+seadus.ee, 1
+seaelba.com, 1
+seagulls-luebeck.de, 1
+seahaweb.org, 1
+seaif.org, 1
+seal-tite.eu, 1
+sealart.pl, 1
+sealaw.com, 1
+sealbaker.com, 1
+seallacres.com.br, 1
+sealoffantasy.de, 1
+sealtitebasement.com, 1
+sealvault.org, 1
+seamac.info, 1
+seamester.com, 1
+seamoo.se, 1
+seamus.party, 1
+sean-wright.com, 1
+sean.scot, 1
+seanbright.com, 1
+seanbright.info, 1
+seanbright.net, 1
+seanchaidh.org, 1
+seanchristian.tk, 1
+seancody.com, 1
+seancodynetwork.com, 1
+seandawson.info, 1
+seanein.com, 1
+seanholcroft.co.uk, 1
+seankilgarriff.com, 0
+seanmeedevworld.com, 1
+seanrodda.com, 1
+seanstaffiery.com, 1
+seaoftime.tk, 1
+seaplayhomes.com, 1
+seaportfish.com, 1
+seara-staging.net, 1
+searacon.nl, 1
+searafoodsolutions.com.br, 1
+search, 1
+search-net.tk, 1
+search.gov, 1
+search.yahoo.com, 0
+search4stores.com, 1
+searchable.ml, 1
+searchaudits.com, 1
+searchbar.co.za, 1
+searchbyai.com, 1
+searchbyimages.com, 1
+searchcandy.uk, 1
+searchcoloradohouses.com, 1
+searchdatalogy.com, 1
+searchdogs.ch, 1
+searchenginelinks.co.uk, 1
+searchenginepartner.com, 1
+searchforbeer.com, 1
+searchforjohn.com, 1
+searchfox.org, 1
+searchgurus.ca, 1
+searchmore.dk, 1
+searchpartners.dk, 1
+searchperfumes.ga, 1
+searchtechnology.tk, 1
+searchverdict.com, 1
+searchwork.tk, 1
+searchzone.ch, 0
+seareelfiji.com, 1
+searena.ga, 1
+seark.edu, 1
+searsucker.com, 1
+searx.be, 1
+searx.ca, 1
+searx.ee, 1
+searx.nu, 1
+searx.one, 1
+searx.org, 1
+searx.rocks, 1
+searx.ru, 1
+searx.run, 1
+searx.space, 1
+searx.work, 1
+searxng.cf, 1
+searxng.com, 1
+seashkey.com, 1
+seasidestudios.co.uk, 1
+seasistent.tk, 1
+season.moe, 1
+seasonlevel.com, 1
+seasonsboutique.com.au, 1
+seasonsof.berlin, 1
+seat61.com, 1
+seatbeltpledge.com, 1
+seatinglane2u.com, 1
+seats.aero, 1
+seattle-life.net, 1
+seattlebasementwaterproofers.com, 1
+seattlecannabis.co, 1
+seattledevicerepair.com, 0
+seattleduiattorneys.com, 1
+seattlemesh.net, 1
+seattlewalkinbathtubs.com, 1
+seaview.gq, 1
+seaviewkohchang.com, 1
+seavision-group.com, 1
+seavision-group.it, 1
+seavision-latam.com, 1
+seavision-lixis.com, 1
+seavision-usa.com, 1
+seavision.es, 1
+seavision.eu, 1
+seavision.fr, 1
+seavision.it, 1
+seavision.ru, 1
+seb.surf, 1
+seb8iaan.com, 1
+sebald.com, 1
+sebald.org, 1
+sebar-iklan.gq, 1
+sebariklanmassal.gq, 1
+sebarin.tk, 1
+sebastiaandouma.co.uk, 1
+sebastiaanwijnimport.nl, 1
+sebastian-bravo.com, 1
+sebastian-elisa-pfeifer.eu, 1
+sebastian-haeutle.de, 1
+sebastian-janich.de, 1
+sebastian-kraus.me, 1
+sebastian-kuhnert.de, 1
+sebastian-lutsch.de, 1
+sebastian-michalke.de, 1
+sebastian-reck.de, 1
+sebastian-walla.com, 1
+sebastianblade.com, 1
+sebastianboegl.de, 1
+sebastiandarhoi.cf, 1
+sebastianelectric.org, 1
+sebastianforst.de, 1
+sebastianhofmann.legal, 1
+sebastiantroncoso.tk, 1
+sebastianungureanu.com, 1
+sebastiaperis.com, 1
+sebastien-meric.com, 1
+sebasveeke.nl, 1
+sebba.tk, 1
+sebdat.cloud, 1
+sebeobrana.ml, 1
+sebepoznani.eu, 1
+seberika.tk, 1
+seberova.cz, 1
+sebetesty.cz, 1
+sebgar.ca, 1
+sebi.org, 1
+sebio.be, 1
+sebjacobs.com, 1
+seblod.com, 1
+seblossom.com, 1
+seboh.gov, 1
+seboluo.com, 1
+seboreia.tk, 1
+sebster.com, 1
+seby.io, 1
+sec-consult.com, 1
+sec-tunnel.com, 1
+sec-wiki.com, 1
+sec.ec, 1
+sec.gd, 1
+sec.gov, 1
+sec30.com, 1
+sec3ure.co.uk, 1
+sec530.com, 1
+secadoresdepelo.tk, 1
+secapp.fi, 1
+secard.cc, 1
+secard.me, 1
+secard.xyz, 1
+secaucusnjpolice.gov, 1
+secborder.com, 1
+secctexasgiving.org, 0
+secdaemons.com, 1
+secdfir.com, 1
+secfilingdata.com, 1
+secgui.de, 1
+sech.me, 1
+secinto.com, 1
+secitem.de, 1
+seclimax7.pw, 1
+seclink.link, 1
+seclms.net, 1
+secnet.ga, 1
+secnews.gr, 1
+secolve.com, 1
+secomo.org, 1
+second-life-partner-ichien.com, 1
+secondchancejobsforfelons.com, 1
+secondlife.tk, 1
+secondmeasure.com, 1
+secondnature.bio, 1
+secondnexus.com, 1
+secondorder.xyz, 1
+secondtreasuresmv.com, 1
+secondversion.com, 1
+seconfig.sytes.net, 1
+secong.tk, 1
+secoseal.de, 1
+secpatrol.de, 1
+secpoc.online, 1
+secre.cy, 1
+secrecion.com, 1
+secret-bases.co.uk, 1
+secret-garden.it, 1
+secret-queen.ga, 1
+secret-queen.ml, 1
+secret.garden, 1
+secretagentclub.tk, 1
+secretar.is, 1
+secretary-schools.com, 1
+secretarypics.com, 1
+secretbase.cf, 1
+secretbusiness.tk, 1
+secretcharm.nl, 1
+secretdeals.ga, 1
+secretenergy.com, 1
+secretgardendesigns.shop, 1
+secretimports.com.br, 1
+secretmap.ml, 1
+secretmolodosti.ga, 1
+secretmolodosti.ml, 1
+secretmolodosti.tk, 1
+secretmuseum.net, 1
+secretofanah.com, 1
+secretosbolivia.tk, 1
+secrets-marketing.tk, 1
+secretsbynature.nl, 1
+secretsdujeu.com, 1
+secretservercloud.ca, 1
+secretsofuniverse.in, 1
+secretstomartialarts.tk, 1
+secretum.tech, 1
+secretworld.ml, 1
+secretzone.bg, 1
+secrium.io, 1
+secs.london, 1
+secta.cf, 1
+secteam.ee, 1
+secteam.eu, 1
+sectelligence.com, 1
+sectelligence.nl, 1
+sectember.com, 1
+sectember.events, 1
+sectest.ml, 1
+secthirty.com, 1
+sectigo.com.ru, 1
+sectigostore.com, 1
+sectio-aurea.org, 1
+section-31.org, 1
+section.io, 1
+section508.gov, 1
+section77.de, 1
+sector.cx, 1
+sector.zone, 1
+sector7.nu, 1
+sectrans.tk, 1
+sectun.com, 1
+secu.host, 1
+secularweb.org, 1
+secumailer.com, 1
+secumailer.nl, 1
+secundity.com, 1
+secundity.nl, 1
+secunm.org, 1
+securai.de, 1
+secure-automotive-cloud.com, 1
+secure-automotive-cloud.org, 1
+secure-computing.net, 1
+secure-consult.com, 1
+secure-graphic.de, 1
+secure-gw.de, 1
+secure-it-is.nl, 0
+secure-server-hosting.com, 1
+secure.advancepayroll.com.au, 1
+secure.facebook.com, 0
+secure.wang, 1
+secureapplicationaccess.ca, 1
+secureapplicationaccess.com, 1
+secureauth.com, 1
+securebot.ga, 1
+securebuildingaccess.com, 1
+secured-login.net, 1
+secured.vote, 1
+secureddocumentshredding.com, 1
+securedrop.org, 1
+securedsigning.com, 1
+secureenduserconnection.se, 1
+securefiletransfer.nl, 1
+securegovernment.us, 1
+securehugs.com, 1
+secureideas.com, 0
+secureim.de, 1
+secureinfo.pl, 1
+securekonnect.com, 1
+securelect-inspection.com, 1
+securelogin.nu, 1
+secureo.at, 1
+secureobscure.com, 1
+secureonline.co, 1
+secureonline.nl, 1
+secureprivacy101.org, 1
+secureqbplugin.com, 1
+securerepository.net, 1
+securesense.nl, 1
+securesite.pro, 1
+securesiteaccess.com, 1
+securesnacks.com, 1
+securesuite.co.uk, 0
+securesystems.de, 1
+securetalks.com.br, 1
+securetaxcpa.com, 1
+securetown.top, 0
+securetrustbank.com, 1
+secureutilitypayments.com, 1
+securevideo.com, 1
+securewebcomputing.com, 1
+secureyourerp.nl, 1
+securi-tay.co.uk, 1
+securify.nl, 1
+securimail.ch, 1
+securipy.com, 1
+securist.nl, 1
+securitelandry.com, 1
+securitum.pl, 1
+security-24-7.com, 1
+security-brokers.com, 1
+security-headers-dot-testing-sb6.appspot.com, 1
+security-systems.nl, 1
+security.gives, 1
+security.golf, 1
+security.google.com, 1
+security.pl, 1
+security.xn--q9jyb4c, 1
+security201.co.uk, 1
+security201.com, 1
+securityabstract.com, 1
+securityaware.me, 1
+securitybrief.asia, 1
+securitybrief.co.nz, 1
+securitybrief.com.au, 1
+securitybrief.eu, 1
+securitydelta.nl, 1
+securitydriver.com, 1
+securityescrownews.com, 1
+securityfest.com, 1
+securitygladiators.com, 1
+securityguard-license.org, 1
+securityheaders.com, 1
+securityheaders.io, 1
+securityheaders.nl, 1
+securityindicators.com, 1
+securitypluspro.com, 1
+securitypuppy.com, 1
+securitysense.co.uk, 1
+securitysnobs.com, 0
+securitysoapbox.com, 1
+securitystreak.com, 1
+securitystudio.com, 1
+securitytalent.nl, 1
+securitytalk.pl, 1
+securitytestfan.gov, 1
+securitytrails.com, 1
+securitywatch.co.nz, 1
+securitywithnick.com, 1
+securitywithoutborders.org, 1
+securix.hk, 1
+securl.chat, 1
+securl.link, 1
+securly.me, 1
+securocloud.com, 1
+securoswiss.ch, 1
+securot.eu, 1
+securview.ch, 1
+secuvera.de, 0
+secuxtech.com, 1
+secvuln.info, 1
+secwall.me, 1
+secwatch.nl, 1
+secweb.org, 1
+secyourity.se, 1
+seda.wa.edu.au, 1
+sedico.mx, 1
+sedicomm.com, 1
+sedirector.net, 1
+sedkisghairi.com, 0
+sedl.org, 1
+sedlex.fr, 1
+sedmicka.sk, 0
+sedoexpert.nl, 1
+sedoexperts.nl, 1
+sedonagolfresort.com, 0
+sedro-woolley.gov, 1
+see22.de, 1
+seearmenia.tk, 1
+seebetterlab.com, 1
+seecat.biz, 1
+seedandleisure.co.uk, 1
+seedboite.ovh, 1
+seedbox.fr, 1
+seedbox.hosting, 1
+seedcom.dk, 0
+seedcoworking.es, 1
+seedisclaimers.com, 1
+seedno.de, 1
+seedscientific.com, 1
+seedspark.com, 1
+seedsystemcoaching.com, 1
+seefeldbilder.at, 1
+seehisnudes.com, 0
+seeidinc.com, 1
+seeinred.tk, 1
+seejay.me, 1
+seekicon.com, 1
+seekingalpha.com, 1
+seeks.ru, 1
+seeksupply.ga, 1
+seekweb.com, 1
+seeme.ai, 1
+seemomclick.com, 1
+seemorehere.tk, 1
+seemyreality.tk, 1
+seeonce.co, 1
+seerainer.com, 1
+seerist.com, 1
+seerr.ddns.net, 1
+seesuite.com, 0
+seetheprogress.com, 1
+seetheprogress.de, 1
+seetheprogress.eu, 1
+seetheprogress.net, 1
+seetheprogress.org, 1
+seetow.sg, 1
+seetv.ga, 1
+seewang.me, 1
+seewhatididhere.com, 1
+seewines.com, 1
+seexw.com, 1
+seezeitlodge-bostalsee.de, 1
+sef.co.za, 1
+sefa.cloud, 1
+sefan.ru, 1
+sefodbold.dk, 1
+sefru.de, 1
+seg-leipzig.org, 1
+seg-sys.com, 1
+seg-tox.org, 1
+seg.do, 1
+segamastersystem.tk, 1
+segaretro.org, 1
+segdo.de, 1
+segdo.media, 1
+segdogames.com, 1
+segdomedia.com, 1
+segel-setzen-buch.de, 1
+segm.org, 1
+segmentify.com, 1
+segmentnext.com, 1
+segnalabullo.it, 1
+segnidisegni.eu, 1
+segpay.com, 1
+segulink.com, 1
+segurancaresidencialbh.com.br, 1
+segurancati.com, 1
+segurcaixaadeslas.es, 1
+segurdatacr.com, 1
+segurico.cz, 1
+seguridadconsumidor.gov, 1
+seguridadsistem.tech, 1
+seguridadsistemtienda.tech, 1
+seguromail.com.br, 1
+segurosbantrab.com.gt, 1
+segurosdesaluddominicanos.com, 1
+segurosmaurobracchieri.com, 1
+segurosmr.es, 1
+segurosocial.gov, 0
+segurosproteccion.com, 1
+segv.fi, 1
+sehat-solusi-makmur.com, 1
+sehatpoin.com, 1
+sehatyab.com, 1
+sehd.top, 0
+sehersirin.com, 1
+seheyah.me, 1
+sei-yu.net, 1
+seibert.ninja, 0
+seibu-kikaku.co.jp, 1
+seida.at, 1
+seidel-immobilienberatung.de, 1
+seiffen.de, 1
+seifried.org, 1
+seika-housei.com, 1
+seikatu-navi.com, 1
+seikoman.tk, 1
+seil.de, 1
+seiler-ds.com, 1
+seilergeodrones.com, 1
+seilermicro.com, 1
+seilgold.de, 1
+seimo.cn, 1
+seincojavea.es, 0
+seineoparebrise.fr, 1
+seinfeldquote.com, 1
+seinolab.jp, 1
+seintec-ec.com, 0
+seintje24.nl, 1
+seira.tk, 1
+seirdy.one, 1
+seirei.ne.jp, 1
+seiryokuzai-ch.com, 1
+seisansei.net, 1
+seishinan.xyz, 1
+seishinchuo-lawoffice.com, 1
+seishuncollection.com, 1
+seismas1.com, 1
+seisthewaytobe.com, 1
+seistolzaufdich.de, 1
+seistrup.dk, 1
+seitai-nabejun.jp, 1
+seitai-taiyou.com, 1
+seitanic-cookbook.de, 1
+seitenwaelzer.de, 1
+seitokai.jp, 1
+seiulocal300.org, 1
+seize.io, 1
+seized.gov, 1
+seizethedaybrasil.com.br, 1
+sejageek.com, 1
+sek.ai, 1
+sekainokokki.jp, 1
+sekfung.me, 1
+sekisonn.com, 1
+sekkom.com, 1
+sekoia.io, 1
+sekoya.org, 1
+sekreti-biznesa.cf, 1
+sekretiki.info, 1
+seks-znakomstva.tk, 1
+sekshikayeler.tk, 1
+sektor-news.tk, 1
+sektor.ro, 1
+sektor.tech, 1
+sektor41.com, 1
+sektorgaza.su, 1
+sekundadosetki.pl, 1
+sekurak.pl, 1
+sekusi-tochiki.tk, 1
+sekweta.com, 1
+selang.cf, 1
+selang.ml, 1
+selangdi.com, 1
+selatv.com, 1
+selayar.vacations, 1
+selber-coden.de, 1
+selbst-schmiede.de, 1
+selco-himejiminami.com, 1
+selcukluhali.com.tr, 1
+selcuksportr.com, 1
+selcusters.nl, 1
+seldadogancan.com, 1
+selebrita.ml, 1
+selectables.tk, 1
+selectagents.gov, 1
+selectbusteni.tk, 1
+selected-properties.com, 0
+selectedbym.com, 1
+selectel.ru, 1
+selectionengine.ca, 1
+selectionengine.com, 1
+selectionengine.net, 1
+selectionengine.org, 1
+selector.space, 1
+selectsplat.com, 1
+selegiline.com, 1
+selen.com.br, 1
+selena-armavir.ml, 1
+selenapelletier.tk, 1
+seleondar.ru, 1
+selesnafes.com, 0
+selezionebarbrboguaccero.cf, 1
+selezionebarbrboguaccero.ga, 1
+selezionebarbrboguaccero.tk, 1
+self-business.tk, 1
+self-evident.org, 1
+selfassess.govt.nz, 1
+selfbattery.ga, 1
+selfbestyou.com, 1
+selfcaregate.com, 0
+selfcateringstratford.co.uk, 1
+selfdefinition.org, 1
+selfdefinition.tk, 1
+selfdevelopment.com.au, 1
+selfelec.be, 1
+selfemployed.ga, 1
+selfguidedholiday.com, 1
+selfharm.xyz, 1
+selfici.com, 1
+selfici.cz, 1
+selfiehome.cz, 1
+selfiestick.bg, 1
+selfishness.com, 1
+selfloath.in, 1
+selfmade4u.de, 0
+selfpublishingformula.com, 1
+selfrealize.ga, 1
+selfretire.cf, 1
+selfserverx.com, 0
+selfswrecker.com, 1
+selftech.tk, 1
+selfycheck.it, 1
+selimcerkezi.tk, 1
+selistina.tk, 1
+selkiemckatrick.com, 1
+sell2orbit.com, 1
+sellajoch.com, 1
+sellbit.io, 1
+sellcoins.top, 1
+selldone.com, 1
+selldorado.com, 1
+seller.diamonds, 1
+sellerengine.com, 1
+sellers.market, 1
+sellersfunding.com, 1
+sellersmart1.com, 1
+sellerssignals.com, 1
+sellerstats.ru, 1
+sellerteam.tk, 1
+sellerwiz.io, 1
+sellguard.pl, 1
+sellingsherpa.com, 0
+sellmymobile.com, 1
+sellmyphone.co.uk, 1
+sellmyshares.com.au, 1
+sello.com, 1
+sellocdn.com, 1
+sellorbuy.uk, 1
+sellorbuy.us, 1
+sellphotos.tk, 1
+sellsmartwatches.tk, 1
+selltobluefirefly.com, 1
+selltobpp.com, 1
+selltoec.com, 1
+selltogaprime.com, 1
+selltothousandhills.com, 1
+selltous.com.au, 1
+sellusdtindubai.com, 1
+sellwithsquare.com, 1
+selma.com, 1
+selmatownship-mi.gov, 1
+selmec.com.mx, 1
+selmer-tn.gov, 1
+selmon.ru, 1
+selo-cer.tk, 1
+selo-grncare.tk, 1
+selo.ru, 1
+seloc.org, 1
+selokids.ru, 1
+selsovet56.tk, 1
+seltek.su, 1
+seltendoof.de, 1
+selvaggialucarelli.blog, 1
+selwyn.cc, 1
+sema4.ai, 1
+semacode.com, 1
+semaflex.it, 1
+semaine-cevenole.fr, 1
+semalt.net, 1
+semanaacademica.org.br, 1
+semanarioaqui.tk, 1
+semantic-systems.com, 1
+semantica.cz, 0
+semantics.ga, 1
+semao.org, 1
+semaphore-studios.com, 1
+sembosihosting.tk, 1
+sembska.de, 1
+sembyotic.com, 1
+semcensurabrag.com.br, 1
+semeia.io, 1
+semena-ua.ml, 1
+semenov.ml, 1
+semenov.su, 1
+semenserang.com, 1
+sementes.gratis, 1
+sementesquati.com.br, 1
+semestaindovest.co.id, 1
+semesur.com, 1
+semi.social, 1
+semianalog.com, 1
+semicolon.cf, 1
+semicon.cc, 1
+semiconductors.gov, 1
+semicvetik.tk, 1
+seminarioabdtic.com.br, 1
+seminariruum.ee, 1
+seminarraum-isny.de, 1
+seminolecountyoklahoma.gov, 1
+seminovostoyota.com.br, 1
+semiotical.com, 0
+semiotika.tk, 1
+semira.tk, 1
+semirben.de, 1
+semiread.com, 1
+semiretire.ga, 1
+semiweb.ca, 1
+semmuhely.tk, 1
+semobr.cf, 1
+semops.gq, 1
+semox.de, 1
+semparar.com.br, 1
+sempersolaris.com, 1
+semplicementelight.com, 1
+sempoctet.ca, 1
+sempreupdate.com.br, 1
+semps-2fa.de, 1
+semps-threema.de, 1
+semps.de, 1
+semrecc.gov, 1
+semrush.com, 1
+semsec.net, 1
+semtinde.com, 1
+semver.ca, 1
+semyonov.su, 1
+semyonov.us, 1
+senacor.com, 1
+senamexico.com, 1
+senaofertaeducativa.co, 1
+senaofertaeducativa.com, 1
+senarea.nl, 1
+senarist.tk, 1
+senarius.de, 1
+senat.cz, 1
+senat.ro, 1
+senbil.net, 1
+senbil.video, 1
+sence.gob.cl, 1
+send.tk, 1
+send2sign.net, 1
+sendaddress.com, 1
+sendai-cc.jp, 1
+sendai-cdc.com, 1
+sendai-cooking.com, 1
+sendai-ctr.com, 1
+sendai-himawari.jp, 1
+sendai-rc.com, 1
+sendai-recruit.com, 1
+sendai-sisters.com, 1
+sendai-sougou.com, 1
+sendai-works.com, 1
+sendaimori.com, 1
+sendaiouji.com, 1
+sendbird.com, 1
+sendbox.cz, 1
+sender.party, 1
+sender.services, 1
+senderdb.com, 1
+senderismoinfantil.tk, 1
+senderosdelavida.com, 1
+sendflowers.pk, 1
+sendigperu.com, 1
+sendingbee.com, 1
+senditvia.email, 1
+sendmail.com, 1
+sendonce.io, 1
+sendonomics.com, 1
+sendpulse.com, 1
+sendsonar.com, 1
+sendthisfile.com, 1
+sendtrix.nl, 1
+sendy.land, 1
+sendzik.eu, 1
+senecailpd.gov, 1
+senergiya.tk, 1
+senf-kren.at, 1
+senfcall.de, 1
+senhost.tk, 1
+seni-beladiri.tk, 1
+senibongcove.my, 1
+senibonggolfclub.com.my, 1
+senior-sigan.ml, 1
+seniorcommunitymedia.com, 1
+seniorem.eu, 1
+seniorhost.net, 1
+seniorlivinginvestments.eu, 1
+seniormanager.cz, 1
+seniorsupportservicesohio.com, 1
+senkals.one, 1
+senkyo.watch, 1
+senneeeraerts.be, 1
+sennik.tk, 1
+senoctarsoft.tk, 1
+senok.ml, 1
+senooken.jp, 1
+senor-cheapo.nl, 1
+senork.de, 1
+senpiper.com, 1
+senres.top, 1
+senrj.be, 1
+sens2lavie.com, 1
+sense.eu.com, 1
+sense.finance, 1
+sense.hamburg, 1
+sensebridge.net, 1
+senseful-online.de, 1
+senseful-online.eu, 0
+senseful-online.info, 1
+senseiclassroom.tk, 1
+senseilabs.com, 1
+senselabs.it, 1
+sensepixel.com, 1
+sensepost.com, 1
+senshudo.tv, 1
+sensibleita.tk, 1
+sensiblelanecounty.tk, 1
+sensiblepcsupport.co.uk, 1
+sensical.net, 0
+sensoft-int.com, 1
+sensoft-int.net, 1
+sensoft-int.org, 1
+sensor-dream.ru, 0
+sensoria.com.br, 1
+sensoriels-by-crealyne.fr, 1
+sensormatic.bg, 1
+sensorshop.ir, 0
+sensorsoft-waterontharder.nl, 1
+sensorville.com.br, 1
+sensoscientific.com, 1
+sensound.ml, 1
+sensualism.com, 1
+sensuality-models.com, 1
+sensually.tk, 1
+sensualsexyhot.com.br, 1
+sensuuri.tk, 1
+sentandsecure.com, 1
+sentencing.net, 1
+sentenza.tk, 1
+senteon.co, 1
+senterada.tk, 1
+sentia.com, 1
+sentic.info, 1
+sentiment.rest, 1
+sentiments.io, 1
+sentinel.gov, 1
+sentinelnet.tk, 1
+sentinelproject.io, 1
+sentinels.tk, 1
+sentir.id, 1
+sentirmebien.org, 1
+sentitvia.email, 1
+sentmail.ga, 1
+sentor.se, 1
+sentorsecurity.com, 1
+sentrafield.com, 1
+sentral.com, 1
+sentralegal.com, 1
+sentry.io, 1
+sentry.nu, 1
+sentrybay.com, 1
+sentrytwo.com, 1
+sentworks.com, 1
+senzaparole.de, 1
+senzei.tk, 1
+seo-analyse.com, 1
+seo-blog12.tk, 1
+seo-dr-it.com, 1
+seo-forum.nu, 0
+seo-inc.ru, 1
+seo-linz.at, 1
+seo-obmen.tk, 1
+seo-phpbb.cf, 1
+seo-piar.tk, 1
+seo-portal.tk, 1
+seo-promox.cf, 1
+seo-promox.tk, 1
+seo-reality.cf, 1
+seo-reklama.ml, 1
+seo-reklama.tk, 1
+seo-sem.online, 1
+seo-smo.ml, 1
+seo-smo.tk, 1
+seo-srbija.rs, 1
+seo-tools4u.com, 1
+seo-url.tk, 1
+seo-website.ru, 1
+seo.consulting, 1
+seo.domains, 1
+seo.london, 1
+seo.services, 1
+seo40.fr, 1
+seoagentur-hamburg.com, 1
+seoankara.name.tr, 1
+seoapi.com, 1
+seoarchive.org, 1
+seoargentina.com.ar, 1
+seoblogs.cf, 1
+seobook2015.cf, 1
+seobook2015.ga, 1
+seobook2015.gq, 1
+seobook2016.gq, 1
+seoclubs.tk, 1
+seocontents24.tk, 1
+seocraft.me, 1
+seocreator-blog24.tk, 1
+seodayo.com, 1
+seodefinitivo.com, 1
+seodelhi.com, 1
+seodoma.ml, 1
+seodrug.tk, 1
+seoefectivo.com, 1
+seoenmexico.com.mx, 1
+seoexpert.com.br, 1
+seoforyou.nl, 1
+seogeek.nl, 1
+seogeky.com, 1
+seogilog.com, 1
+seogood.cf, 1
+seohackers.fr, 1
+seohost.pl, 1
+seohouston.com, 1
+seoified.com, 1
+seoinc.com, 1
+seojaguar.tk, 1
+seokatka.tk, 1
+seolabuitest.azurewebsites.net, 1
+seoline.cf, 1
+seolister.cf, 1
+seolisting.cf, 1
+seolisting.tk, 1
+seolizer.de, 1
+seolord.cf, 1
+seomag.tk, 1
+seomarketing.bg, 1
+seomasti.com, 1
+seomaton.com, 1
+seomaton.org, 1
+seomaxion.com, 1
+seomedo.com, 1
+seomen.biz, 1
+seomonk.com, 1
+seonaut.org, 1
+seonoco.com, 1
+seonow.ga, 1
+seonurse.com, 1
+seoonline.cf, 1
+seoonlinejaipur.tk, 1
+seopiar.tk, 1
+seoping.ru, 0
+seoplus.com, 1
+seopost.ga, 1
+seoprnews.cf, 1
+seopromotion.tk, 1
+seoproof.tk, 1
+seoptimize.fr, 1
+seoquero.com, 1
+seoranker.tk, 1
+seorepress.com, 1
+seorus.cf, 1
+seorus.ml, 1
+seoruse.com, 0
+seos.ga, 1
+seoscan.ga, 1
+seoschmiede.at, 1
+seoscribe.net, 1
+seosearch.org, 1
+seoserfing.tk, 1
+seosergio.com, 1
+seoshanti.ru, 0
+seoshnik.tk, 1
+seosmart.gq, 1
+seosof.com, 1
+seosos.gq, 1
+seosos.ml, 1
+seospace.ro, 1
+seospecialist.ma, 1
+seosprint.gq, 1
+seostrit.cf, 1
+seostrit.tk, 1
+seosuccor.com, 1
+seoteam.tk, 1
+seotesty.cz, 1
+seotip.top, 1
+seotipster.com, 1
+seotoolset.tk, 1
+seoturkey.tk, 1
+seotutorials32.tk, 1
+seoulartcollective.tk, 1
+seoulista.vn, 1
+seovision.se, 1
+seovisit.tk, 1
+seovisits.tk, 1
+seoviziti50.tk, 1
+seowebsite.tools, 1
+seowerkz.com, 1
+seowind.io, 1
+seowordpress.pl, 1
+seowork.tk, 1
+seozel.tk, 1
+seozen.ru, 1
+seozen.top, 1
+sep-online.com.pl, 1
+sep.bydgoszcz.pl, 1
+sep.cc, 1
+sep.jgora.pl, 1
+sep.rzeszow.pl, 1
+sep.tarnobrzeg.pl, 1
+sepakbola.id, 1
+separacioniglesiaestado.tk, 1
+sepehrmahan.com, 1
+sepenggal.info, 1
+seproco.com, 0
+septakkordeon.de, 1
+septam-orchestra.fr, 1
+septem.cc, 0
+septemcapital.ru, 1
+septentrionalist.org, 1
+septicrepairspecialists.com, 1
+septics.ga, 1
+septictankpumpingservices.com, 1
+septodont.com.br, 1
+septodont.com.ru, 1
+septodont.in, 1
+septodontchina.com, 1
+septonol.tk, 1
+septs.blog, 1
+sepulcharium.tk, 1
+seputarfinansial.com, 1
+seqing.cf, 1
+sequachee.com, 1
+sequatchiecounty-tn.gov, 1
+sequatchiecountytn.gov, 1
+sequencediagram.org, 1
+sequencing.com, 1
+sequitur.tech, 1
+ser-it.pl, 1
+sera.jp, 1
+serail.biz.id, 1
+seraimu.me, 1
+seraku.co.jp, 1
+seraph.red, 1
+seraph.tokyo, 1
+serasa.com.br, 1
+serasaexperian.com.br, 1
+seratblog.ga, 1
+serban.ro, 1
+serbanpaun.ro, 1
+serbiaonline.tk, 1
+serc.ac.uk, 1
+sercanazizoglu.com, 1
+sercasindustry.tk, 1
+serdarakyildiz.com, 1
+serdarwork.com, 1
+serdengolpinar.tk, 1
+serecoponsillo.it, 1
+sereema.com, 1
+serele.fr, 1
+seren.tk, 1
+serenascreations.com, 1
+serenata.tk, 1
+serenavilage.net, 1
+serenavillage.net, 1
+serenavillageresidence.com, 1
+serenaweb.de, 1
+serendeputy.com, 1
+serenesolutions.nl, 1
+serenityeditor.com, 1
+serenitytvl.com, 1
+seresco.es, 0
+serf.io, 1
+serfas.gr, 1
+serfinansa.com.co, 1
+sergal.club, 1
+sergal.de, 1
+sergal.gay, 1
+serge-design.ch, 1
+sergeemond.ca, 1
+sergefonville.nl, 1
+sergelapointe.ca, 1
+sergeyburov.tk, 1
+sergeyesenin.tk, 1
+sergeykozharinov.com, 1
+sergi.tk, 1
+sergicoll.cat, 1
+sergio-rivero.tk, 1
+sergiochica21.tk, 1
+sergiocv.com, 1
+sergioforsanmateo.com, 1
+sergioforse.com, 1
+sergiogm.es, 1
+sergiogug.tk, 1
+sergiomur.tk, 1
+sergioogarciaa.es, 1
+sergiopereiracouto.tk, 1
+sergiopimpao.pt, 1
+sergiozygcunt.com, 1
+sergiozygmunt.com, 1
+sergiozygmunt.org, 1
+sergivb01.me, 0
+sergos.de, 0
+serguzim.me, 1
+serhan.in, 1
+serial-kinder.tk, 1
+serial2000.tk, 1
+serializacion.mx, 1
+serialize.gq, 1
+serialkey.info, 1
+seriesdatv.pt, 1
+seriesfeed.com, 0
+seriesgratis.tk, 1
+serifosguide.dk, 1
+serije.co, 1
+serinamusic.com, 1
+seringe.com, 1
+seriouss.am, 1
+serioussam.ml, 1
+serkanceyhan.com, 1
+serkanyarbas.com.tr, 1
+serkozh.me, 1
+sermerkt.is, 1
+sernate.com, 1
+seroquel50mg.tk, 1
+seroquelonline.ga, 1
+seroquelonline.tk, 1
+serotiuk.com, 0
+serpenteq.com, 1
+serpes.nz, 1
+serphost.ml, 1
+serpic.photo, 1
+serpinco.com, 1
+serptoolsuite.com, 1
+serpuhof.ru, 1
+serralheriaeseguranca.com.br, 1
+serrande.it, 1
+serrande.roma.it, 1
+serraniadecuencaafondo.tk, 1
+serrano-chris.ch, 0
+serrature.roma.it, 1
+serreshikeclub.tk, 1
+sertaobom.eco.br, 1
+sertaovivo.tk, 1
+sertasimmons.com, 1
+sertec.com.mx, 1
+sertim.tk, 1
+serv.site, 1
+serval-concept.com, 1
+serval-formation.com, 1
+servant42.com, 1
+servantweb.fr, 1
+servatmandi.com, 1
+serve.gov, 1
+serve.work, 1
+servebyte.com, 1
+servecrypt.com, 1
+servecrypt.net, 1
+servecrypt.ru, 1
+serveistic.cat, 1
+serveistic.es, 1
+servelelecciones.cl, 1
+servelink.com, 1
+servend.gov, 1
+servepublic.com, 1
+servepublic.org, 1
+server-bg.net, 1
+server-daten.de, 1
+server-essentials.com, 1
+server-kiste.de, 1
+server-zugang.eu, 1
+server.pro, 1
+server.vote, 1
+server4london.site, 1
+server72a.ddns.net, 1
+server92.eu, 1
+server92.tk, 1
+serveradium.com, 1
+serveradmin.ovh, 1
+serverbin.net, 1
+serverbit.it, 1
+serverco.com, 1
+serverd.de, 1
+serverdechile.tk, 1
+serverdensity.io, 1
+serverdragon.site, 1
+serverexpose.com, 1
+serverfix.net, 1
+serverhost.no, 1
+serverhunter.com, 1
+serverion.ga, 1
+serverka.tk, 1
+serverlauget.no, 1
+serverlein.com, 1
+serverlog.net, 1
+serverlounge.eu, 1
+servermacher.de, 1
+servermaster.sk, 1
+servernerds.net, 1
+serverninja.tk, 1
+serveroffline.net, 1
+serverpedia.de, 1
+servers.vg, 1
+serverscan.com, 1
+serversfrom.space, 1
+serversify.net, 1
+serverstatus.tk, 1
+serverstuff.info, 1
+serversuit.com, 1
+servertastic.com, 1
+servertechsupply.com, 1
+servertutorial.eu, 1
+serveru.us, 1
+servetten-groothandel.nl, 1
+serveur.nl, 1
+serveurs-minecraft.com, 1
+serveursminecraft.org, 1
+servfefe.com, 1
+servi-tek.net, 1
+service-auto-baneasa.com, 1
+service-auto-baneasa.ro, 1
+service-centre.cf, 1
+service-compris.net, 1
+service-soft.de, 1
+service-status.cloud, 1
+service-ways.com, 1
+service-wueste-vodafone.tk, 1
+service.gov.scot, 1
+service.gov.uk, 1
+service.vic.gov.au, 0
+service220.ar, 1
+serviceair.com.ar, 1
+serviceautobaneasa.com, 1
+serviceautobaneasa.ro, 1
+servicebeaute.fr, 1
+serviceboss.de, 1
+servicecentreperth.com.au, 1
+servicedesk.ath.cx, 1
+servicefish.tk, 1
+serviceflow.co.za, 1
+serviceforge.com, 1
+serviceland.am, 1
+servicemasterlawncare.ca, 1
+servicemembers.gov, 1
+servicenow.com, 1
+servicepclaptop.com, 1
+servicesforfree.com, 1
+serviceslotenmaker.nl, 0
+servicesneo.com, 1
+servicesnetpro.com, 1
+servicespot.ca, 1
+servicevie.com, 0
+serviciales.com, 1
+servicii-funerare.tk, 1
+serviciodebarralibreparaeventos.com, 1
+serviciomigraciones.cl, 1
+serviciosdeti.gq, 1
+serviciosfncs.com, 1
+servicioskoinonia.org, 1
+serviciotecnicoencomputacion.com.ve, 0
+servida.ch, 1
+servietten-grosshandel.at, 1
+servietten-grosshandel.be, 1
+servietten-grosshandel.ch, 1
+servietten-grosshandel.de, 1
+serviettes-et-plus.com, 1
+servilletas-de-papel.es, 1
+servilletas-de-papel.mx, 1
+servilonjas.com, 1
+servingbaby.com, 0
+servingroddick.tk, 1
+servingseniors.org, 1
+servingupsouthern.com, 1
+servion.com, 1
+servis-azd.cz, 1
+servis4u.top, 1
+servisin.id, 1
+servispasaoglu.com.tr, 1
+servitel.ga, 1
+servitor.cf, 1
+servitproducts.com, 1
+servivum.com, 1
+serviziocolf.it, 1
+serviziourgente.it, 1
+servmaslt.com, 1
+servn.ca, 1
+servo.org, 1
+servonline.de, 1
+servpress.net, 1
+servrox.solutions, 1
+servtepstore.com, 1
+servtraq-staging.azurewebsites.net, 1
+servtraqazure.com, 1
+servus.ca, 1
+servx.org, 1
+serw.org, 1
+serwetki-papierowe.pl, 1
+serwis-militarny.net, 1
+serwis-telewizorow.pl, 1
+serwis-wroclaw.pl, 1
+serwispv.eu, 1
+serwistomy.pl, 1
+serworkribeirao.com.br, 1
+serx.cf, 1
+seryovpn.com, 1
+ses-egy.com, 1
+ses-offshore.com, 1
+sesa.org, 1
+sesam-biotech.com, 1
+sesamomusical.tk, 1
+sesardeploymentmanager.com, 1
+sesardm.eu, 1
+sescoen.tk, 1
+seseai.ga, 1
+sesenaonline.tk, 1
+sesliturkgencligi.tk, 1
+sesperformance.eu, 1
+sesrdcem.cz, 1
+sessile-oak.co.uk, 1
+session.bbc.co.uk, 1
+session.bbc.com, 1
+sessionslogning.dk, 1
+sestry.tk, 1
+set-freeporn.com, 1
+setabun.or.jp, 1
+seteampty.net, 1
+setenforce.one, 1
+setesat.com.br, 1
+setevik.tk, 1
+sethclinic.com, 1
+sethcorker.com, 1
+sethcurry.ga, 1
+sethforprivacy.com, 1
+sethjust.com, 1
+sethlmatarassomd.com, 1
+sethoedjo.com, 1
+sethriedel.com, 1
+sethvargo.com, 1
+seti-germany.de, 0
+setin.srl, 1
+setkit.net, 1
+setmore.com, 1
+setof88.com, 1
+setonhill.edu, 1
+setphaserstostun.org, 0
+settberg.de, 1
+setterirlandes.com.br, 1
+settimanadellascienza.it, 1
+settleapp.co, 1
+settlingin.ga, 1
+setuid.de, 1
+setuid.io, 1
+setuid0.kr, 1
+setun.tk, 1
+setuplog.io, 1
+setupstreamers.com, 1
+setxxxtube.com, 1
+setzzy.com, 1
+seu.edu.sa, 1
+seucreditodigital.com.br, 1
+seuntaylor.co, 1
+seuplano.com.br, 1
+seutens.be, 1
+seutens.eu, 1
+sevastopol.tk, 1
+sevathian.com, 1
+seven-seas.ml, 1
+sevenartzpublicidad.com, 1
+sevendevilsnc.gov, 1
+sevenfoureight.ml, 1
+sevengang.tk, 1
+sevenhillsapartments.com.au, 1
+sevenicealimentos.com.br, 1
+sevenmatches.com, 1
+sevenrooms.com, 1
+sevenseasmarble.co.uk, 1
+seventeamiles.com, 1
+seventwentynine.com, 1
+seventymania.de, 1
+severac.org, 1
+severesexfilms.com, 1
+severine-trousselard.com, 1
+severing.cf, 1
+seviercountyar.gov, 1
+seviercountyassessor-ar.gov, 1
+sevilinux.es, 1
+sevillacani.tk, 1
+sevillalinces.tk, 1
+sevillanazarena.tk, 1
+sevinci.ch, 1
+sevitahealth.com, 1
+sevocomm.com, 1
+sevsey.ru, 1
+sewa.nu, 1
+sewalaptopm2i.com, 1
+sewardcountyne.gov, 1
+sewatec.com, 1
+sewavillamurah.tk, 1
+sewfarsewgood.uk, 1
+sewing-machines.com.ua, 1
+sewing-world.ru, 1
+sewinginsight.com, 0
+sewingtales.com, 0
+sewoo.co.uk, 1
+seworld.ml, 1
+sex-chat-geld-verdienen.com, 1
+sex-education.com, 1
+sex-sex-cam.com, 1
+sex-videochat.club, 1
+sex5.com, 1
+sexaki.com, 1
+sexandthecitty.tk, 1
+sexarab.live, 1
+sexawynet.cam, 1
+sexcamsbay.com, 1
+sexdocka.nu, 1
+sexedquickies.com, 1
+sexedrescue.com, 1
+sexflare.net, 1
+sexgamesclub.com, 1
+sexgarage.de, 1
+sexgirlfriend.com, 1
+sexgood.com.ua, 1
+sexhab.guru, 1
+sexin.nl, 1
+sexkrd.love, 1
+sexkursk.club, 1
+sexminister.tk, 1
+sexmobil.de, 1
+sexobryansk.guru, 1
+sexocheb.com, 1
+sexoclicker.com, 1
+sexoclicker.net, 1
+sexoclicker.org, 1
+sexocomgravidas.com, 1
+sexokursk.com, 1
+sexologist.cf, 1
+sexonwax.com, 0
+sexosintabues30.com, 1
+sexotomsk.com, 1
+sexoufa.center, 1
+sexoyalta.love, 1
+sexoyrelax.com, 1
+sexpay.net, 1
+sexpdf.com, 1
+sexpression.com.br, 1
+sexshopfacil.com.br, 1
+sexshopnet.com.br, 1
+sexsimf.red, 1
+sexswing.com, 0
+sextacy.tk, 1
+sextapegermany.com, 1
+sextoysproductstore.com, 1
+sextpanther.com, 1
+sextreffendeutschland.com, 1
+sextubespot.com, 1
+sextw.net, 1
+sexualdiversity.org, 1
+sexufa.red, 1
+sexvideochat.it, 1
+sexvideos.tel, 1
+sexvirtualspace.com, 1
+sexworking.com, 1
+sexworkrights.com, 1
+sexxyangie.com, 1
+sexy-mom.org, 1
+sexy-periscope.ml, 1
+sexy-store.nl, 1
+sexyanne.net, 1
+sexybuttpics.com, 1
+sexyfotosvandep.nl, 1
+sexyhub.com, 1
+sexyjanahot.com, 1
+sexyjenjen.net, 1
+sexyleni.org, 1
+sexynakedgirls.pics, 1
+sexynaty.org, 1
+sexynoemi.com, 1
+sexyporn.tv, 1
+sexyrachel846.com, 1
+sexystine.net, 1
+sexyteens.net, 1
+sexyvenushuegel.org, 1
+seyfarth.de, 1
+seykapuertasautomaticas.com, 1
+seymourfanclub.tk, 1
+seypt.de, 1
+seyr.it, 1
+seyr.me, 1
+seyv.io, 1
+seyyarelektrik.com, 1
+sf-builders.com, 1
+sf-kayh.de, 1
+sf3223.com, 1
+sfaparish.org, 1
+sfarc.ml, 1
+sfat.llc, 1
+sfbao.cn, 1
+sfbao.com, 1
+sfbaytransit.org, 1
+sfcardio.fr, 1
+sfccapital.com, 1
+sfccapitalpartners.com, 1
+sfcityoption.org, 1
+sfdchub.com, 1
+sfdcopens.com, 1
+sfdev.ovh, 1
+sfdlsource.tk, 1
+sfee.cl, 1
+sfera360.es, 1
+sfg-net.com, 1
+sfg-net.eu, 1
+sfg-net.net, 1
+sfg-net.org, 1
+sfg-nordholz.de, 1
+sfhp.org, 1
+sfile.eu, 1
+sfirat-haomer.com, 1
+sfleisure.com, 1
+sflhidta.gov, 1
+sfmason.net, 1
+sfnetwork.pl, 1
+sfo-fog.ch, 0
+sfoks33.ru, 1
+sfondo.info, 1
+sfp.net.tr, 1
+sfpdev.com, 1
+sfpebblesstones.com, 1
+sfpuc.gov, 1
+sfslashing.com, 1
+sft-framework.org, 1
+sftool.gov, 1
+sfumusic.com, 1
+sfvonline.nl, 1
+sfweef.gq, 1
+sfxmr.de, 1
+sg-1xbet.com, 1
+sg-gallerylive.it, 1
+sg-strietwald.de, 1
+sg.search.yahoo.com, 0
+sg1.tech, 1
+sga99.biz, 1
+sga99.fun, 1
+sga99.info, 1
+sga99.net, 1
+sga99.top, 1
+sga99.vip, 1
+sgatlantis.tk, 1
+sgbarker.com, 1
+sgbpa.co.uk, 1
+sgcaccounts.co.uk, 1
+sgcountymt.gov, 1
+sgdementia.ca, 1
+sgdi.gov.sg, 1
+sgdm-services.com, 1
+sgfinanceira.online, 1
+sggame990.com, 1
+sght.gallery, 1
+sgitc.de, 1
+sgj0.net, 1
+sglazov.ru, 1
+sglibellen.de, 1
+sgnation.dk, 1
+sgnl.ai, 1
+sgo-overbetuwe.nl, 1
+sgombero.it, 1
+sgoossens.nl, 1
+sgplay.io, 1
+sgrmreproduccionapp.azurewebsites.net, 1
+sgrossi.it, 1
+sgrowe.de, 1
+sgrs.be, 1
+sgrub.xyz, 1
+sgs-systems.de, 1
+sgs.camera, 1
+sgs.systems, 1
+sgsautoparts.com.au, 0
+sgsmart.ru, 1
+sgsosu.net, 1
+sgsp.nl, 1
+sgtcodfish.com, 1
+sgtech.ga, 1
+sgthotshot.com, 1
+sgtool.eu, 1
+sgtrains.com, 1
+sgtsnookums.net, 1
+sgtt.ch, 0
+sgutranscripts.org, 1
+sh-heppelmann.de, 1
+sh-network.de, 1
+sh.com.tr, 1
+sh0rt.in, 1
+sh0rt.zone, 1
+sh0u.jp, 1
+sh0uld.net, 1
+sh1mar.in, 1
+sh4y.cn, 1
+sh4y.com, 1
+sh68.cc, 0
+sha.bi, 1
+sha512.online, 1
+shabaka.org, 1
+shabashka.ml, 1
+shabiwangyou.com, 1
+shackleton.io, 1
+shad.waw.pl, 1
+shade.sh, 1
+shadebarandgrillorlando.com, 1
+shadebarandgrillutica.com, 1
+shadebarandgrillwindsor.com, 1
+shadedesign.cz, 1
+shademid.com, 0
+shadesofgrayadr.com, 1
+shadesofgraylaw.com, 1
+shadex.net, 1
+shadhoc.com, 1
+shadigee.org, 1
+shadikhan.tk, 1
+shadow-forum.tk, 1
+shadow-group.org, 1
+shadowandy.net, 1
+shadowcp.eu, 1
+shadowdomain.ml, 1
+shadowfight2.tk, 1
+shadowfox.tk, 1
+shadowguardian507.tk, 1
+shadowkingdomrecords.com, 1
+shadowkitsune.net, 1
+shadowknight.tk, 1
+shadowlurker.com.au, 1
+shadowmorph.info, 1
+shadowping.com, 1
+shadowplus.net, 0
+shadowsing.com, 1
+shadowsocks.au, 1
+shadowsocks.click, 1
+shadowsocks.com, 1
+shadowsocks.com.au, 1
+shadowsocks.com.hk, 1
+shadowsocks.fr, 0
+shadowsocks.la, 1
+shadowsocks.live, 1
+shadowsocks.nz, 1
+shadowsocks.se, 1
+shadowsocks.software, 1
+shadowsocks.to, 1
+shadowstalkers.tk, 1
+shadowstep.tk, 1
+shadowstrikers.tk, 1
+shadowuniverse.xyz, 1
+shadowvolt.net, 1
+shadrinsk-city.ru, 1
+shadynook.net, 1
+shadypark.tk, 1
+shaeishu.co, 1
+shafa.ua, 1
+shaffermixers.com, 1
+shafrental.id, 1
+shafteldhon.com, 1
+shaftofdarkness.club, 0
+shag-shag.ru, 1
+shahar.cc, 0
+shaharyaranjum.com, 1
+shaheedirfani.tk, 1
+shaheednawazirfani.tk, 1
+shahidafkar.tk, 1
+shahidfakih.com, 1
+shahidflix.ml, 1
+shahidhashmi.net, 1
+shahpurjat.xyz, 1
+shahriar.ca, 1
+shahriar.email, 1
+shahriar.xyz, 1
+shahrsazan.tk, 1
+shahrvand.ga, 1
+shahsaadkhan.tk, 1
+shahyadmusic.com, 1
+shahzaibm.com, 1
+shaicoleman.com, 1
+shaiden-porn.com, 1
+shaik.pl, 1
+shailendra.org, 1
+shailendramishra.com, 1
+shailendramishra.in, 1
+shainessim.com, 1
+shaitan.eu, 1
+shaiyapegasus.tk, 1
+shajeer.tk, 1
+shakalaka.co.za, 1
+shakan.ch, 0
+shakardara.com, 1
+shakebeforeuse.tk, 1
+shaken-kyoto.jp, 1
+shakepay.com, 1
+shakerheightsoh.gov, 1
+shakerventures.com, 1
+shakerwebdesign.net, 1
+shakespeareans.net, 1
+shakespearesolutions.com.au, 0
+shakespearevet.com, 1
+shakesprimer.tk, 1
+shakingthehabitual.com, 1
+shaknews.tk, 1
+shakraphix.tk, 1
+shakthifacility.com, 1
+shalaahmet.tk, 1
+shaloc.site, 1
+shalomamuzik.tk, 1
+shalombolivia.tk, 1
+shalomcottage.tk, 1
+shalyapin.by, 1
+sham-rock.tk, 1
+shamaev.me, 1
+shamami.ml, 1
+shamans.ga, 1
+shambala.cf, 1
+shamed.tk, 1
+shamesofhungary.com, 1
+shamil.tech, 1
+shamimahmed.tk, 1
+shamimmedia.ir, 1
+shamiphotos.tk, 1
+shamokit.com, 1
+shampoo63.ru, 0
+shan.io, 0
+shan.sg, 1
+shan.si, 1
+shaneparker.tk, 1
+shanerichards.tk, 1
+shanetully.com, 1
+shanevandermeer.com, 1
+shanewadleigh.com, 1
+shanghaimineral.com, 0
+shangobud.com, 1
+shanhay.tk, 1
+shaniainternational.tk, 1
+shanikaonline.tk, 1
+shanikofireor.gov, 1
+shanju.tk, 1
+shankangke.com, 1
+shanli.tk, 1
+shansen-online.de, 1
+shansing.cn, 1
+shansing.com, 1
+shansing.net, 1
+shansing.org, 1
+shantelle.tk, 1
+shanteo.com, 1
+shantitsafar.com, 1
+shantiyoga.ro, 1
+shanwong.com, 1
+shanwong.design, 1
+shanxia.com, 1
+shanxiapark.com, 1
+shanyi.space, 1
+shaofu.cf, 1
+shaolin-kungfu.tk, 1
+shaoxia.xyz, 0
+shape.pink, 1
+shapediver.com, 1
+shapelyways.com, 1
+shapers-production.fr, 1
+shapesouthcarolina.gov, 1
+sharaf.net, 1
+sharanyamunsi.net, 1
+sharanyan.com, 1
+shararam-card.tk, 1
+sharats.me, 1
+shardanageometries.it, 1
+shardbyte.com, 1
+share.la, 1
+share2act-dev.io, 1
+share2act-test.io, 1
+shareabc.vip, 1
+shareapollo.com, 1
+shareasale-analytics.com, 1
+sharebot.ga, 1
+shareby.cam, 1
+sharedalbumsf.com, 1
+sharedgoals.co, 1
+sharedhost.de, 1
+sharefox.eu, 0
+sharegate.tk, 1
+sharehabor.org, 1
+sharehousechintai.jp, 1
+sharekey.com, 0
+sharelinks.tk, 1
+sharelovenotsecrets.com, 1
+sharemania.tk, 1
+sharemessage.net, 1
+sharenotes.tk, 1
+sharenz.com, 0
+shareoffice.ch, 1
+sharepointcass.com, 1
+sharepointdrive.com, 1
+sharerotic.com, 1
+sharery.net, 1
+sharescope.co.uk, 1
+shareselecttools.com, 1
+sharethe.link, 1
+sharethemeal.org, 1
+sharetheroad.org, 1
+shareworks.com, 1
+shareworx.net, 1
+sharezen.de, 0
+shariahlawcenter.com, 1
+shariahlawcenter.org, 1
+sharialawcenter.com, 1
+sharialawcenter.org, 1
+shariftown.tk, 1
+sharik-msk.ga, 1
+sharik.ml, 1
+sharine.nl, 1
+sharing-kyoto.com, 1
+sharingcolombia.com, 1
+sharingiscaring.cc, 1
+sharingphotos.co, 0
+sharisharpe.com, 1
+sharix.ml, 1
+shark-host.tk, 1
+shark5060.net, 1
+sharkblog.tk, 1
+sharkey.tk, 1
+sharkeyscuba.com, 1
+sharkie.org.za, 1
+sharking.gq, 1
+sharko.tk, 1
+sharkpaint.tk, 1
+sharks.football, 1
+sharkstriker.com, 1
+sharmafamily.tk, 1
+sharona.cloud, 1
+sharonnh.gov, 1
+sharonpope.com, 1
+sharonsplace.biz, 1
+sharpe-practice.co.uk, 1
+sharpe.systems, 1
+sharpiesscrubs.tk, 1
+sharpletters.net, 1
+sharpmetals.com, 1
+sharpsburg-ga.gov, 1
+sharptudhope.co.nz, 1
+sharren.org, 1
+sharu.me, 1
+sharvey.ca, 1
+shashlik.tk, 1
+shastacounty.gov, 1
+shatabdichildrenschool.tk, 1
+shatalov.com, 1
+shatteredarchive.com, 1
+shaukatkhanum.org.pk, 1
+shaumine.ml, 1
+shaunallen.co.uk, 1
+shaunandamyswedding.com, 1
+shaunc.com, 1
+shaundanielz.com, 1
+shaunthomasart.com, 1
+shavedpics.com, 1
+shavedpussy.tv, 1
+shavedpussypics.com, 1
+shavingks.com, 1
+shavit.space, 1
+shavitech.com, 1
+shawanocountywi.gov, 1
+shawarmapressfranchise.com, 1
+shawcentral.ca, 0
+shawclan.id.au, 1
+shawfamily.id.au, 1
+shawiah.tk, 1
+shawlumber.ca, 1
+shawmutdelivers.com, 1
+shawnalucey.com, 1
+shawnee-nsn.gov, 1
+shawngvs.com, 1
+shawnhogan.com, 1
+shawnleetttt.cyou, 0
+shawnow.com, 1
+shawnz.ca, 1
+shawnz.org, 1
+shawty.tk, 1
+shaytan.tk, 1
+shazbots.org, 1
+shazzlemd.com, 1
+shazzlepro.com, 1
+shc.gov.sa, 1
+shcode.de, 1
+shcsystems.bg, 1
+shd.one, 1
+shdw.cc, 1
+she.kiwi, 1
+she.run, 0
+she.tw, 1
+sheaf.site, 1
+sheaorganics7.com, 1
+shear.tk, 1
+shearin.pro, 1
+sheaspire.com, 1
+sheaspire.com.tw, 1
+sheatoz.com, 1
+sheboygancountywi.gov, 1
+sheboyganfallswi.gov, 1
+shechipin.cf, 1
+shechipin.ga, 1
+shechipin.gq, 1
+shechipin.ml, 1
+shedrentalspot.com, 1
+shedrin.tk, 1
+sheds.online, 1
+shee.org, 1
+sheehans.com.au, 1
+sheehyinfinitioftysonsparts.com, 1
+sheekdeveloper.com, 1
+sheekmedia.com, 1
+sheelyuu.art, 1
+sheenveininstitutestl.com, 1
+sheepfriends.com, 1
+sheepproductions.com, 1
+sheeprock.tk, 1
+sheepsound.tk, 1
+sheepymeh.net, 1
+sheerchain.com, 1
+sheet.host, 1
+sheetengine.net, 1
+sheetsindonesia.com, 1
+sheetstutorial.com, 1
+shef.com, 1
+shefburgers.com, 1
+sheffield-wednesday-fc.tk, 1
+sheffieldjob.net, 1
+sheffieldmoneyman.com, 1
+shefftunes.tk, 1
+shehaal.com, 1
+shehan.live, 1
+shehata.com, 1
+sheika.ro, 1
+sheilasdrivingschool.com, 1
+shek.zone, 1
+shelbycounty-il.gov, 1
+sheldon.sk, 1
+sheldoniowa.gov, 1
+shelehov.tk, 1
+shelf-ssp.com, 1
+shelf.io, 1
+shelfordsandstaplefordscouts.org.uk, 1
+shellavartanian.tk, 1
+shellcon.io, 1
+shellday.cc, 1
+shellfire.de, 1
+shelljuggler.com, 0
+shellopolis.com, 1
+shellot.com, 1
+shellsec.pw, 0
+shellshock.eu, 1
+shellta.com, 1
+shellta.net, 1
+shellwhite.ga, 1
+shellwhite.tk, 1
+shelma.tk, 1
+sheloki.com, 1
+shelterislandtown.gov, 1
+shelterrealestate.com.au, 1
+sheltieplanet.com, 1
+sheltongrp.com, 1
+sheltonvirtual.com, 1
+shelvacu.com, 1
+shemaleflick.com, 1
+shemalehub.com, 1
+shemalepictures.net, 1
+shemaleplus.com, 1
+shemalestrokers.com, 1
+shemalexxxfreetube.com, 1
+shemogo.com, 1
+shemsconseils.ma, 1
+shena.co.uk, 1
+shenandoahrealestate.org, 1
+shenannigans.tk, 1
+shenbibi.com, 0
+shenderman.ml, 1
+shenghaiautoparts.com, 1
+shenghaiautoparts.net, 1
+shenghuang.tk, 1
+shengrenyu.com, 1
+shengyipin.com.my, 1
+shenmiya.com, 1
+shenshi.com, 1
+shentengtu.idv.tw, 1
+sheo-tech.fr, 1
+shepherdsfriendly.co.uk, 1
+shepherdsvilleky.gov, 1
+sheptytsky.ga, 1
+sheratsuki.tk, 1
+sherbers.de, 1
+sheremetka.com, 1
+sheridancountyks.gov, 1
+sheridancountymt.gov, 1
+sheridancountywy.gov, 1
+sheridanil.gov, 1
+sheriffmiamicountyks.gov, 1
+sheriffpawneecountyne.gov, 1
+sheriffpendletoncountyky.gov, 1
+sheriffwashingtoncountymaine.gov, 1
+sherissims.tk, 1
+shermancountyks.gov, 1
+shermancountyne.gov, 1
+shermanms.gov, 1
+shermanshebcowi.gov, 1
+shermantwphuronmi.gov, 1
+sherpa.blog, 1
+sherpnortheast.com, 1
+sherrikelley.com, 1
+sherut.net, 1
+shervinsafineh.com, 1
+shesherownceo.com, 1
+shethbox.com, 1
+shetshivar.com, 1
+shevans.com, 1
+shevet-achim.tk, 1
+sheweek.ml, 1
+shewillcheat.com, 1
+shft.cl, 1
+shgf.de, 1
+shgt.jp, 1
+shgw186.com, 1
+shh-listen.com, 1
+shh.sh, 1
+shh7.com, 1
+shhmale.com, 1
+shi.ma, 1
+shiawasedo.co.jp, 1
+shibainu.com.br, 1
+shibashake.com, 1
+shibayan.jp, 1
+shibbydex.com, 1
+shibeflix.com, 1
+shibleysmiles.com, 1
+shibumi.com, 1
+shichibukai.net, 1
+shichidadoma.ru, 1
+shico.org, 1
+shidai88.cc, 1
+shield.my.id, 1
+shielder.it, 1
+shieldnet.tk, 1
+shieldnsheath.com, 1
+shieldsair.com, 1
+shiellc.com, 1
+shif.tk, 0
+shift-record.com, 1
+shift-to.co.jp, 1
+shiftcrypto.ch, 1
+shiftcrypto.shop, 1
+shiftcrypto.support, 1
+shiftdelete.net, 1
+shiftdevices.com, 1
+shiftfrequency.com, 1
+shiftj.is, 1
+shiftkey.com, 1
+shiftkey.pl, 1
+shiftleft.io, 1
+shiftleft.org, 1
+shifton.com, 1
+shiftsixth.com, 1
+shiga1.jp, 1
+shigaben.or.jp, 1
+shiganmartialarts.com, 1
+shiggles.net, 1
+shiggles.org, 1
+shigizemi.com, 1
+shigotoarimasu.com, 1
+shigotoba.com, 1
+shih-tzu-dogs.com, 1
+shihabuddin.tk, 1
+shihadwiki.com, 1
+shiji.info, 1
+shijij.com, 1
+shijing.me, 1
+shikaku-test.com, 1
+shikiryu.com, 1
+shileo.de, 1
+shilled.tk, 1
+shillongdesign.com.au, 1
+shilpaonline.tk, 1
+shimi.blog, 1
+shimi.guru, 1
+shimi.net, 1
+shimi.photography, 1
+shimitower.pw, 1
+shimmo.de, 1
+shimmy1996.com, 1
+shimo.im, 1
+shin-sekai.de, 1
+shin-yo.de, 1
+shindocuba.tk, 1
+shineads.in, 1
+shineindiarktutorial.ml, 1
+shineleds.ga, 1
+shinenet.cn, 1
+shineon.biz, 1
+shines.ml, 1
+shinetruckleads.com, 1
+shinghoi.com, 1
+shinglereplacementlv.com, 1
+shinice.net, 1
+shining.gifts, 1
+shiningservices.ie, 1
+shiningstarlogistics.com, 1
+shinju.moe, 0
+shinkamigoto.tv, 1
+shinko-osaka.jp, 1
+shinnecock-nsn.gov, 1
+shinnyosangha.org, 0
+shinobi-fansub.ro, 1
+shinochip.ru, 1
+shinodadc-nakano.com, 1
+shinonome-lab.eu.org, 1
+shinsandenki.com, 1
+shinsyo.com, 1
+shinta.ro, 1
+shintoism.com, 1
+shinuytodaati.co.il, 1
+shinycleankitchen.com, 1
+shinyoko-saisyuusyou.com, 1
+shinypebble.uk, 1
+shinyteethand.me, 1
+shiomiya.com, 1
+ship-safely.com, 1
+shipaik.com, 1
+shipard.com, 1
+shipard.cz, 1
+shipard.org, 1
+shipbuddies.com, 1
+shipcloud.io, 0
+shipengliang.com, 1
+shipeurousa.com, 1
+shipgoldchandler.com, 1
+shipham.co.uk, 1
+shipheart.tech, 1
+shipinhuiyi.com, 0
+shipitsmarter.com, 1
+shiplapandshells.com, 1
+shipmile.com, 1
+shipmondo.com, 1
+shipmonk.cloud, 1
+shipmonk.com, 1
+shipnak.com, 1
+shippercenter.info, 1
+shippexx.com, 1
+shipping-trade.ga, 1
+shippinglabel.de, 1
+shippingyourworld.ca, 1
+shippingyourworld.com, 1
+shipshewana.gov, 1
+shiptek.co, 1
+shiptest.net, 1
+shiptron.com, 1
+shiqi.ca, 1
+shiqi.lol, 1
+shiqi.one, 1
+shiqi.online, 1
+shiqi.se, 1
+shiqi.tv, 1
+shiqi1.com, 1
+shiqishidai.cc, 1
+shiqisifu.cc, 1
+shiranaitenshi.tk, 1
+shirao.jp, 1
+shirazi.tk, 1
+shiresvets.com, 1
+shirevirtual.tk, 1
+shireyishunjian.com, 1
+shiriforum.tk, 1
+shirley.li, 1
+shirlygilad.com, 1
+shiro.com.pk, 1
+shiroki-k.net, 1
+shiropaev.tk, 1
+shirosaki-hana.fun, 1
+shirro.com, 1
+shirshik.xyz, 1
+shiryo.ch, 1
+shishadenbosch.nl, 1
+shishamania.de, 1
+shishkin.im, 1
+shishlik.net, 1
+shit.com, 1
+shit.one, 1
+shit.software, 1
+shit.works, 1
+shitara-tateo.jp, 1
+shitbeast.institute, 0
+shitcountries.org, 1
+shitdefined.net.cn, 1
+shitdick.tk, 1
+shitfest.net, 1
+shitmybradsays.com, 1
+shitnikovo.tk, 1
+shitposter.club, 1
+shitposter.io, 1
+shitpostingmain.com, 1
+shitposts.se, 1
+shitproductions.org, 1
+shittyurl.org, 1
+shittywok.tk, 1
+shiva-temple.tk, 1
+shivalikbank.com, 1
+shivamber.com, 1
+shivammathur.com, 1
+shivenjoshi.com, 1
+shivering-isles.com, 0
+shiwa-shop.ml, 1
+shiyouqkl.com, 1
+shiyutech.com, 1
+shk.im, 0
+shk8.tk, 1
+shkafi-krasnodar.tk, 1
+shkola-95.ru, 1
+shkola1.ml, 1
+shkolamishlenia.tk, 1
+shkolladigjitale.com, 1
+shkolnyimir.gq, 1
+shkololo.cf, 1
+shkololo.ga, 1
+shkololo.gq, 1
+shkololo.ml, 1
+shkololo.tk, 1
+shlang.tk, 1
+shlemenkov.by, 1
+shlmag.com, 1
+shlmagazine.com, 1
+shlmail.info, 1
+shlupka.ml, 1
+shlupka.tk, 1
+shlyakpavel.tk, 1
+shlyapa-com.tk, 1
+shlyhi.tk, 1
+shm.ac.jp, 1
+shmidta.tk, 1
+shmilyhua.com, 1
+shmotki.ml, 1
+shmroom.tk, 1
+shmtranslations.com, 1
+shmulvad.com, 1
+shnuff.co.uk, 1
+sho-furtwangen.de, 1
+shoarq.com, 1
+shobujtech.com, 1
+shochikubai.tk, 1
+shochufes.jp, 1
+shock.ee, 0
+shockerdragon.tk, 1
+shocklogic.com, 1
+shockproof.systems, 1
+shodan.io, 1
+shoe.club, 1
+shoejitsu.co, 1
+shoekeys.lt, 1
+shoelevel.com, 1
+shoeline.com, 1
+shoemakerywc.com, 1
+shoeracks.uk, 1
+shoesandmorebdn.com, 0
+shoesonline.co.il, 1
+shoesoutlet.tk, 1
+shoestorebiz.tk, 1
+shoestorenet.tk, 1
+shoestringeventing.co.uk, 1
+shojo.online, 1
+shokaran.tk, 1
+shokofarehab.ir, 1
+shokola.com, 0
+sholtowu.com, 1
+shongshoy.com, 1
+shontakleinpeter.tk, 1
+shooba.net, 1
+shoobacreations.com, 1
+shoosmiths.com, 1
+shooter.dog, 1
+shootpooloklahoma.com, 1
+shootsame.tk, 1
+shop-cnc.de, 1
+shop-cosmetic.tk, 1
+shop-cosmetics.tk, 1
+shop-de-johnniewalker.com, 1
+shop-eldorado.tk, 1
+shop-hellsheadbangers.com, 1
+shop-lingerie.tk, 1
+shop-ok.tk, 1
+shop-s.net, 1
+shop-slivki.tk, 1
+shop3dmili.com, 1
+shop4d.com, 1
+shop4im.com, 1
+shopacer.co.za, 1
+shopadvies.nl, 1
+shopalike.cz, 1
+shopalike.dk, 1
+shopalike.es, 1
+shopalike.fi, 1
+shopalike.fr, 1
+shopalike.hu, 1
+shopalike.it, 1
+shopalike.nl, 1
+shopalike.pl, 1
+shopalike.se, 1
+shopalike.sk, 1
+shopapi.cz, 1
+shoparbonne.co.uk, 1
+shopatkei.com, 1
+shopazmoon.ir, 1
+shopbabymonitors.gq, 1
+shopbackyardpro.com, 1
+shopbakersnook.com, 1
+shopbysarah.com, 1
+shopcceputnam.com, 1
+shopcom.tk, 1
+shopcosmetic.tk, 1
+shopcoupons.co.id, 1
+shopcoupons.my, 1
+shopcoupons.ph, 1
+shopcoupons.sg, 1
+shopcrocs.in, 0
+shopdiy.com, 1
+shopee6.com, 0
+shopexo.in, 1
+shopfazz.com, 1
+shopfinale.com, 1
+shopforcovers.com, 1
+shopforeverproducts.com, 1
+shopfully.com.au, 1
+shophisway.com, 1
+shophumm.com, 1
+shophumm.com.au, 1
+shopific.co, 1
+shopific.com, 1
+shopify.com, 1
+shopify2006.com, 1
+shopifycloud.com, 1
+shopifyfactory.io, 1
+shopikal.com, 1
+shopingbiz.tk, 1
+shopintra.net, 1
+shopkini.com, 0
+shoplandia.co, 1
+shoplogcap.com, 1
+shoplus.com.tw, 1
+shoplyft.co.za, 1
+shopmalinka.cf, 1
+shopmlr.com, 1
+shopnguyenlieumypham.com, 1
+shopofturkey.com, 1
+shoponlinedeals.tk, 1
+shoposal.com, 1
+shoppbs.org, 1
+shoppe561.com, 1
+shopperexperts.com, 1
+shopperexpertss.com, 1
+shoppersdepuertorico.com, 1
+shoppies.tk, 1
+shopping-cart-migration.com, 1
+shopping-il.org.il, 1
+shoppingabundant.ga, 1
+shoppinganchor.ga, 1
+shoppingandreviews.it, 1
+shoppingappeal.ga, 1
+shoppingarrow.ga, 1
+shoppingavatar.ga, 1
+shoppingbad.ga, 1
+shoppingblaster.ga, 1
+shoppingblender.ga, 1
+shoppingblod.ga, 1
+shoppingboulevard.ga, 1
+shoppingbounce.ga, 1
+shoppingbrite.ga, 1
+shoppingcalculator.ga, 1
+shoppingcamel.ga, 1
+shoppingcanal.ga, 1
+shoppingcarnival.ga, 1
+shoppingcatch.ga, 1
+shoppingcellar.ga, 1
+shoppingcharm.ga, 1
+shoppingcharte.ga, 1
+shoppingcheaper.ga, 1
+shoppingcheapest.ga, 1
+shoppingcircus.ga, 1
+shoppingclearance.ga, 1
+shoppingcollections.ga, 1
+shoppingcollector.ga, 1
+shoppingcompanion.ga, 1
+shoppingconstruct.ga, 1
+shoppingcorporation.ga, 1
+shoppingcrawler.ga, 1
+shoppingcreativity.ga, 1
+shoppingcrunch.ga, 1
+shoppingcrystal.ga, 1
+shoppingcupid.ga, 1
+shoppingdepot.ga, 1
+shoppingdesigning.ga, 1
+shoppingdish.ga, 1
+shoppingdivine.ga, 1
+shoppingdowntown.ga, 1
+shoppingduck.ga, 1
+shoppingeagle.ga, 1
+shoppingeastbay.ga, 1
+shoppingecho.ga, 1
+shoppingecono.ga, 1
+shoppingelectra.ga, 1
+shoppingenvy.ga, 1
+shoppingepic.ga, 1
+shoppingexcel.ga, 1
+shoppingfalcon.ga, 1
+shoppingfeature.ga, 1
+shoppingfiesta.ga, 1
+shoppingfighter.ga, 1
+shoppingfleet.ga, 1
+shoppingformula.ga, 1
+shoppinggecko.ga, 1
+shoppingglamour.ga, 1
+shoppingglory.ga, 1
+shoppinggrab.ga, 1
+shoppingguerilla.ga, 1
+shoppinghands.ga, 1
+shoppinghandsome.ga, 1
+shoppinghotrod.ga, 1
+shoppingimagine.ga, 1
+shoppingintergrity.ga, 1
+shoppingiron.ga, 1
+shoppingisrael.org.il, 1
+shoppingjackpot.ga, 1
+shoppingjoker.ga, 1
+shoppingkayak.ga, 1
+shoppinglast.ga, 1
+shoppinglightning.ga, 1
+shoppinglimited.ga, 1
+shoppinglittle.ga, 1
+shoppingloco.ga, 1
+shoppinglowprice.ga, 1
+shoppingmain.ga, 1
+shoppingmeasure.ga, 1
+shoppingmember.ga, 1
+shoppingmeta.ga, 1
+shoppingmetric.ga, 1
+shoppingmillions.ga, 1
+shoppingminer.ga, 1
+shoppingmystical.ga, 1
+shoppingnatural.ga, 1
+shoppingnature.ga, 1
+shoppingnormal.ga, 1
+shoppingnorthamerican.ga, 1
+shoppingnumber.ga, 1
+shoppingocity.ga, 1
+shoppingoffline.ga, 1
+shoppingomatic.ga, 1
+shoppingonlinecoffee2u.com, 1
+shoppingorama.ga, 1
+shoppingoriginal.ga, 1
+shoppingother.ga, 1
+shoppingouter.ga, 1
+shoppingpassport.ga, 1
+shoppingpeace.ga, 1
+shoppingpeach.ga, 1
+shoppingpearl.ga, 1
+shoppingpermanent.ga, 1
+shoppingpersonal.ga, 1
+shoppingphase.ga, 1
+shoppingpicker.ga, 1
+shoppingpickup.ga, 1
+shoppingplatinum.ga, 1
+shoppingplum.ga, 1
+shoppingpresident.ga, 1
+shoppingprestige.ga, 1
+shoppingpriority.ga, 1
+shoppingpure.ga, 1
+shoppingrail.ga, 1
+shoppingrainforest.ga, 1
+shoppingrally.ga, 1
+shoppingrater.ga, 1
+shoppingrazor.ga, 1
+shoppingreadset.ga, 1
+shoppingremarkable.ga, 1
+shoppingreps.ga, 1
+shoppingrequest.ga, 1
+shoppingrex.ga, 1
+shoppingrhino.ga, 1
+shoppingrings.ga, 1
+shoppingrule.ga, 1
+shoppingseason.ga, 1
+shoppingsedona.ga, 1
+shoppingshoot.ga, 1
+shoppingshuffle.ga, 1
+shoppingsignature.ga, 1
+shoppingsilk.ga, 1
+shoppingsleuth.ga, 1
+shoppingsnapshot.ga, 1
+shoppingsparkle.ga, 1
+shoppingstreaming.ga, 1
+shoppingsugar.ga, 1
+shoppingsunflower.ga, 1
+shoppingsuperhero.ga, 1
+shoppingsustain.ga, 1
+shoppingthoughts.com, 1
+shoppingthunder.ga, 1
+shoppingtopsecret.ga, 1
+shoppingtreasure.ga, 1
+shoppingtreats.ga, 1
+shoppingturbo.ga, 1
+shoppingunique.ga, 1
+shoppingurban.ga, 1
+shoppingvariety.ga, 1
+shoppingwaterfront.ga, 1
+shoppingwinner.ga, 1
+shoppingworth.ga, 1
+shoppingyankee.ga, 1
+shoppre.com, 1
+shoppsb.com, 1
+shoppyad.com, 1
+shoprentone.com, 1
+shopsici.com, 1
+shopsmarter.com, 1
+shopstasy.com, 1
+shoptec.sk, 1
+shopteq.hu, 1
+shopthestates.net, 1
+shoptin.de, 1
+shoptio.cz, 1
+shoptions.net, 1
+shoptupperware.in, 1
+shopunderwear.tk, 1
+shopunilever.com, 1
+shopupnorth.com, 1
+shopvcs.com, 1
+shopwebhue.com, 1
+shore.co.il, 1
+shorebreaksecurity.com, 1
+shorehamdental.ca, 1
+shorehamfort.co.uk, 1
+shorehillgolf.com, 1
+shorenstein.com, 1
+shoresofshawneebend.com, 1
+shorewoodil.gov, 1
+shorewoodmn.gov, 1
+shorewoodwi.gov, 1
+shoreyit.com, 1
+shorifhussain.tk, 1
+shorinkarate.tk, 1
+shork.space, 1
+shornehasim.co.il, 1
+short-games.gq, 1
+short-term-plans.com, 1
+short.io, 1
+shortaudition.com, 1
+shortaudition.net, 1
+shortaudition.tv, 1
+shortbread.systems, 1
+shortbreakstudios.com, 1
+shortcircuit-online.tk, 1
+shortcut-link.ga, 1
+shortcut.com, 1
+shortcut.pw, 1
+shortcutable.com, 1
+shorted.one, 1
+shorten.ninja, 1
+shorteral.gov, 1
+shorti.ga, 1
+shortnews.cf, 1
+shortquotesworld.com, 1
+shortr.li, 1
+shortshadows.band, 1
+shortstackcustoms.com, 1
+shortwave.com, 1
+shortwave.tk, 1
+shoruihokan.com, 1
+shoshin-aikido.de, 1
+shoshin.technology, 1
+shoshonecityid.gov, 1
+shossain.tk, 1
+shost.ga, 1
+shota-sekkotsuin.com, 1
+shota.pictures, 1
+shota.soy, 1
+shotbow.net, 1
+shotoniphone.ga, 1
+shotsleeve.com, 1
+shou.si, 1
+shoudanren.jp, 1
+shoujik8.com, 1
+shoujochronicle.org, 1
+shouldbetaught.com, 1
+shoulderandelbowspecialist.com.au, 1
+shouldiclick.it, 1
+shouldiwater.today, 1
+shouldtest.com, 1
+shouldtest.email, 1
+shouldtest.eu, 1
+shouldtest.net, 1
+shouldtest.org, 1
+shouohkai-dental.com, 1
+shoveltoss.com, 0
+shovonhasan.com, 0
+show2all.nl, 0
+showbetgiris.com, 1
+showbits.net, 0
+showcats.tk, 1
+shower.im, 1
+showerdoorco.com, 1
+showersnet.com, 1
+showf.om, 1
+showfom.sb, 1
+showgirls.ga, 1
+showmax.com, 1
+showme.co.za, 1
+showme.hu, 1
+showmeengland.co.uk, 1
+showmethescore.cf, 1
+showmoviz.com, 1
+showmyip.com, 1
+shown.io, 1
+shownet.tk, 1
+showpassword.net, 0
+showroom.co.uk, 1
+showroom.uk, 1
+showroom113.ru, 1
+showroombarral.com, 1
+showslot.com, 1
+showsonar.com, 1
+shoyuf.top, 1
+shpfy-manager.com, 1
+shpil.by, 1
+shpilevsky.name, 1
+shpiliak.com, 1
+shpiliak.ru, 1
+shpori.tk, 1
+shrapnel.com, 0
+shrapnel.ga, 1
+shraymonks.com, 1
+shred.ch, 0
+shredder.tk, 1
+shredoptics.ch, 0
+shreveportlawater.gov, 1
+shreyansh26.me, 1
+shrglobal.com, 1
+shrimpnews.tk, 1
+shrines.ga, 1
+shrines.tk, 1
+shrinidhiclinic.in, 1
+shrinker.tk, 1
+shrinkhub.com, 1
+shrinkmydoc.com, 1
+shroomery.com, 1
+shroomery.net, 1
+shroomery.org, 1
+shropshireautonomy.co.uk, 1
+shropshirebowls.tk, 1
+shrovetide.tv, 1
+shrsl.com, 1
+shrt.tv, 1
+shrub.ca, 1
+shrug.fyi, 1
+shrug.ml, 0
+shssl.vip, 0
+sht-vr-player.cf, 1
+shtaiman.com, 1
+shtaiman.net, 1
+shtaiman.org, 1
+shtaketnik-metall.ru, 1
+shtaketniki.kz, 1
+shtaketniki.ru, 1
+shteiman.com, 1
+shteiman.net, 1
+shteiman.org, 1
+shtfpreparedness.com, 1
+shtorku.com, 1
+shu-fu.net, 1
+shuang.us, 1
+shubhkumar.in, 0
+shucheng.li, 1
+shufersal-cashback.co.il, 1
+shufflecube.tk, 1
+shufflemix.tk, 1
+shuffleradio.nl, 1
+shuffleware.tk, 1
+shugarmanpsychiatric.com, 1
+shugua.com.tw, 1
+shuhacksoc.co.uk, 1
+shui.ga, 0
+shuizilan.com, 1
+shukatsu-ichiba.com, 1
+shulan.moe, 1
+shuletime.ml, 1
+shulker.store, 1
+shulman.tk, 1
+shulyaka.org.ru, 1
+shuma.ga, 1
+shumnyj-istochnik.tk, 1
+shumov.tk, 1
+shunliandongli.cn, 1
+shunliandongli.com, 1
+shunmei-hari.com, 1
+shunter.tk, 1
+shunzi.tk, 1
+shuo.li, 0
+shuomingshu88.com, 1
+shura.eu.org, 1
+shurita.org, 1
+shuset.dk, 1
+shushuwoa.com, 1
+shuttelportal.nl, 1
+shutter-shower.com, 1
+shutterflybusinesssolutions.com, 1
+shutts.com, 1
+shutupandtakemy.codes, 1
+shutupbabyiknowit.party, 1
+shuvodeep.de, 1
+shux.pro, 1
+shuxiaoyi.cn, 1
+shuzicai.cn, 1
+shvedskie-stenki.ml, 1
+shw-bw.dyndns.org, 1
+shw-nc.dyndns.org, 1
+shw-rz.dyndns.org, 1
+shwemyanmarmalay.com, 1
+shwrm.ch, 1
+shy4evr.com, 1
+shymeck.pw, 1
+shymeck.xyz, 1
+shytok.net, 0
+shyuka.me, 1
+si-benelux.nl, 1
+si.insure, 1
+si.to, 1
+si2b.fr, 1
+sia.one, 1
+sia6.com, 1
+siadiamond.com, 1
+siadlak.com, 1
+siaggiusta.com, 1
+siai.cf, 1
+siai.gq, 1
+siai.ml, 1
+sialis.tk, 1
+sialtv.pk, 1
+siamdevsqua.re, 1
+siamdevsquare.com, 1
+siamega.com, 1
+siaminterhost.com, 1
+siamojo.com, 1
+siamrehab.com, 1
+siamsnus.com, 1
+siamwatercraftpromotion.com, 1
+sianjhon.com, 1
+siatris.qc.ca, 1
+siava.ru, 1
+sib-taxi.ru, 1
+sibanyestillwater.com, 1
+sibauto.club, 1
+sibekohirescaffolding.co.za, 1
+siberas.de, 1
+siberia.gq, 1
+siberiactiva.com, 1
+siberiancatsinformation.com, 1
+siberianhealth.com, 1
+siberianhuskypets.com, 1
+siberiaserver.ga, 1
+siberkulupler.com, 1
+sibernet.tk, 1
+sibfk.org, 1
+sibfl.gov, 1
+sibgold.su, 1
+sibi.nl, 1
+sibintek.ru, 1
+sibirium-red.ga, 1
+sibiuindependent.ro, 1
+sibleycounty.gov, 1
+sibleycountyattorney.gov, 1
+sibleyla.gov, 1
+sibnerpartie.tk, 1
+sibpdfl.gov, 1
+sibpizza.com, 1
+sibrenvasse.nl, 1
+sibs-dance-diamonds.ch, 1
+sibu.one, 1
+siccardisport.it, 1
+sice-si.org, 1
+sich-fight.club, 1
+sich-positionieren.net, 1
+siciliadisinfestazioni.it, 1
+siciliamconsulting.com, 1
+sicilianbalm.com, 1
+siciliapulizie.it, 1
+sicilpiuma.it, 1
+sicistroje-kocarek.cz, 1
+sickbrothers.tk, 1
+sicken.eu, 1
+sickhouse.se, 1
+sickmadworld.tk, 1
+sicomasp.com, 1
+sicoobpaulista.com.br, 1
+sicurezza24.info, 1
+sicurezzalavoro24.com, 1
+sicurled.com, 1
+sicvisuals.com, 1
+sicz.de, 1
+sid-giessen.de, 1
+sid500.com, 1
+sidari.tk, 1
+sidas.com, 1
+sidatbacklink.tk, 1
+siddhamehta.tk, 1
+siddigsami.com, 1
+sidecredit.ga, 1
+sidefx.com, 1
+sideleau.com, 1
+sidema.be, 1
+sidemount-tauchen.com, 1
+sideofburritos.com, 1
+sideofburritos.social, 1
+sidepodcast.com, 1
+sidepodcastdaily.com, 1
+sidepodcastextra.com, 1
+sideral.is, 1
+sideshowbarker.net, 1
+sidewalkcleaningchicago.com, 1
+sidewalkpressurewashingchicago.com, 1
+sidhbalibaba.com, 1
+sidi-smotri.ru, 1
+sidianbank.co.ke, 1
+sidik.web.id, 1
+sidingsmedia.com, 1
+sidiprojects.us, 1
+sidirokastro.ga, 1
+sidium.de, 1
+sidmax.ca, 1
+sidneyhaberland.com, 1
+sidneymi.gov, 1
+sidnicio.us, 1
+sidocsa.com, 1
+sidomulyo.tk, 1
+sidonge.com, 0
+sidorovich.tk, 1
+sidpod.ru, 1
+sidsdock.org, 1
+siduga.com, 1
+sie.at, 1
+siebenhirten7.at, 1
+siebeve.be, 1
+siecledigital.fr, 1
+siecon-it.com, 1
+siega.pl, 1
+siegemund-frankfurt.de, 1
+sieglercars.ch, 1
+siegprod.tk, 1
+sieh.es, 1
+sieiro.tk, 1
+siel.nl, 1
+sielsystems.nl, 1
+siemencaes.tk, 1
+siemens.ch, 1
+siemens.co.in, 1
+siemens.co.uk, 1
+siemens.com, 1
+siemens.com.br, 1
+siemens.com.sg, 1
+siemens.es, 1
+siemens.nl, 1
+siemplify-soar.com, 1
+siemplifyg.net, 1
+sientemendoza.com.ar, 1
+siepietnica.tk, 1
+sieplo.nl, 1
+siepomaga.net, 1
+siepomaga.pl, 1
+sierkbornemann.de, 1
+sierom.net, 1
+sierpinska.eu, 1
+sierramadreca.gov, 1
+sierramusic.tk, 1
+sietejefes.com.ar, 1
+sieulog.com, 1
+sieuthithangmay.com, 1
+sifasharing.tk, 1
+sifecs.ml, 1
+siffron.com, 1
+sifnosguide.dk, 1
+sifreuret.com, 0
+sift-tool.org, 0
+sig-io.nl, 1
+sig6.org, 1
+siga.com, 1
+sigabrt.org, 1
+sigateway.com, 1
+sigb.sh, 1
+sigcafe.net, 1
+sigep.org, 1
+sigfridlinden.se, 1
+siggi.io, 1
+sight-restoration.tk, 1
+sight-sound.com, 1
+sightandsound.co.uk, 1
+sightcure.jp, 1
+sightdx.com, 1
+sightful.be, 1
+sightful.eu, 1
+sightful.nl, 1
+sightmachine.com, 0
+sightseeing.news, 1
+sighup.nz, 1
+sigi.tk, 1
+sigint.pw, 0
+sigio.nl, 1
+sigma-apartments.com, 1
+sigma957.net, 1
+sigmacomputers.ga, 1
+sigmaits.net, 1
+sigmalux.ca, 1
+sigmalux.co.nz, 1
+sigmalux.co.uk, 1
+sigmalux.com.au, 1
+sigmalux.es, 1
+sigmalux.fr, 1
+sigmalux.ltd, 1
+sigmalux.lu, 1
+sigmalux.nz, 1
+sigmalux.sarl, 1
+sigmalux.uk, 1
+sigmaomeganu.tk, 1
+sigmasensors.com.br, 1
+sigmateca.tk, 1
+sigmath.net, 1
+sign.dog, 1
+signaconsultoria.com.br, 1
+signage.red, 1
+signal.org, 0
+signal34.com, 1
+signaldc.com, 1
+signaldp.com, 0
+signalmaps.co.uk, 1
+signalstart.com, 1
+signature.in.th, 1
+signature365.com, 1
+signaturedallas.com, 1
+signatureplants.co.nz, 1
+signatureplasticsurgery.net, 1
+signatureresolution.com, 1
+signaturerx.co.uk, 1
+signcreative.de, 1
+signere.com, 1
+signetfm.com, 1
+signicat.com, 0
+signicat.io, 1
+significado.origem.nom.br, 1
+significadodenombres.net, 1
+significados.com, 1
+significados.com.br, 1
+significantbanter.com, 1
+signing-milter.org, 1
+signing.tools, 1
+signinwithmc.com, 1
+signix.net, 1
+signmore.com, 0
+signmycode.com, 1
+signorbet.it, 1
+signpath.io, 1
+signrequest.com, 1
+signrightsigns.co.uk, 1
+signs4vehicles.co.uk, 1
+signsdance.uk, 1
+signslabelstapesandmore.com, 0
+signtul.com, 0
+signup.ly, 1
+signup.ninja, 1
+signupgenius.com, 1
+signuponline.events, 1
+signwell.com, 1
+sigparser.com, 1
+sigptr.me, 1
+sigsync.com, 1
+sigterm.no, 1
+sigterm.sh, 1
+sigurnost.online, 1
+sigvik.ru, 1
+sihirlielma.com, 1
+siika.solutions, 1
+siikaflix.tv, 1
+siimustilak.edu.ee, 1
+sijbesmaverhuizingen.nl, 1
+sijem.si, 1
+sijimi.cn, 1
+sik-it.nl, 1
+sikaranbrotherhood.tk, 1
+sikawebtools.com, 1
+sikayetvar.com, 0
+sike.org, 1
+sikecikcomel.com, 1
+sikevux.se, 1
+sikkasoft.com, 1
+sikkerwindows.dk, 1
+sikkind.com, 0
+siku-shop.ch, 1
+siku.pro, 1
+sil.box, 1
+sila.qa, 1
+silagra.ml, 1
+silalesa.ml, 1
+silasborowy.de, 1
+silashes.com, 1
+silashes.ru, 1
+silbercloud.com, 1
+silberfluss.com, 1
+silberkiste.com, 1
+silbox.ch, 1
+sildenafilcitrate.cf, 1
+sildenafilcitrate100mg.ga, 1
+silent-clean.de, 1
+silent.quest, 1
+silent.se, 1
+silentartifact.org, 1
+silentdream.tk, 1
+silentgreen.tk, 1
+silentkernel.fr, 1
+silentneko.ga, 1
+silentsite.tk, 1
+silentsky.tk, 1
+silentsystem.com, 1
+silentsystem.it, 1
+silentundo.org, 1
+silesianus.pl, 1
+silex.live, 1
+silica-project.com, 1
+silicateillusion.org, 1
+silicon-north.com, 1
+silicon-vision.com, 1
+siliconheartlandohio.gov, 1
+siliconwafer.ltd, 1
+silina.tk, 1
+siliton.pl, 1
+silk, 1
+silken-madame.tk, 1
+silkky.cloud, 1
+silkon.net, 1
+silkproducts.tk, 1
+silkroad-iraq.com, 1
+sillisalaatti.fi, 1
+sillysnapz.co.uk, 1
+silo.org.br, 1
+siloportem.eu, 1
+siloportem.net, 1
+silqueskineyeserum.com, 1
+silsha.me, 1
+silta.tk, 1
+silv.me, 1
+silv.tk, 1
+silver-fenrir.cn, 1
+silver-heart.co.uk, 1
+silver-johnes.tk, 1
+silvera.com.co, 1
+silverairways.com, 0
+silverback.is, 0
+silverbankltd.com, 1
+silverbowflyshop.com, 1
+silverbox.ga, 1
+silverdroid.gq, 1
+silverfalcon.me, 1
+silvergatebank.com, 1
+silvergatebank.net, 1
+silvergoldbull.at, 1
+silvergoldbull.ba, 1
+silvergoldbull.be, 1
+silvergoldbull.bg, 1
+silvergoldbull.bj, 1
+silvergoldbull.by, 1
+silvergoldbull.ca, 1
+silvergoldbull.cl, 1
+silvergoldbull.cm, 1
+silvergoldbull.cn, 1
+silvergoldbull.co, 1
+silvergoldbull.co.ao, 1
+silvergoldbull.co.il, 1
+silvergoldbull.co.no, 1
+silvergoldbull.co.tz, 1
+silvergoldbull.co.uk, 1
+silvergoldbull.com, 1
+silvergoldbull.com.ar, 1
+silvergoldbull.com.au, 1
+silvergoldbull.com.eg, 1
+silvergoldbull.com.gh, 1
+silvergoldbull.com.mt, 1
+silvergoldbull.cr, 1
+silvergoldbull.cz, 1
+silvergoldbull.de, 1
+silvergoldbull.dj, 1
+silvergoldbull.do, 1
+silvergoldbull.ec, 1
+silvergoldbull.ee, 1
+silvergoldbull.es, 1
+silvergoldbull.fi, 1
+silvergoldbull.gd, 1
+silvergoldbull.ge, 1
+silvergoldbull.gl, 1
+silvergoldbull.gr, 1
+silvergoldbull.gt, 1
+silvergoldbull.hk, 1
+silvergoldbull.hn, 1
+silvergoldbull.hr, 1
+silvergoldbull.hu, 1
+silvergoldbull.id, 1
+silvergoldbull.in, 1
+silvergoldbull.is, 1
+silvergoldbull.it, 1
+silvergoldbull.kg, 1
+silvergoldbull.kr, 1
+silvergoldbull.ky, 1
+silvergoldbull.li, 1
+silvergoldbull.lk, 1
+silvergoldbull.lt, 1
+silvergoldbull.lv, 1
+silvergoldbull.ma, 1
+silvergoldbull.md, 1
+silvergoldbull.mk, 1
+silvergoldbull.ml, 1
+silvergoldbull.mw, 1
+silvergoldbull.my, 1
+silvergoldbull.nz, 1
+silvergoldbull.ph, 1
+silvergoldbull.pl, 1
+silvergoldbull.pt, 1
+silvergoldbull.qa, 1
+silvergoldbull.rs, 1
+silvergoldbull.ru, 1
+silvergoldbull.se, 1
+silvergoldbull.si, 1
+silvergoldbull.sn, 1
+silvergoldbull.sv, 1
+silvergoldbull.tg, 1
+silvergoldbull.tj, 1
+silvergoldbull.tn, 1
+silvergoldbull.tt, 1
+silvergoldbull.tw, 1
+silvergoldbull.uy, 1
+silvergoldbull.uz, 1
+silvergoldbull.ws, 1
+silverkattens.tk, 1
+silverlakeks.gov, 1
+silverlinkz.net, 1
+silvermama.co.za, 1
+silvermatch.ga, 1
+silveronline.ml, 1
+silveronline.tk, 1
+silverscopedesign.com, 1
+silverscreenindia.com, 1
+silversgarage.com, 1
+silversgarage.net, 1
+silversgarage.org, 1
+silvershadow.cc, 1
+silverspringdowntown.com, 1
+silverstyle.ua, 1
+silvertorrents.cf, 1
+silverwaregames.io, 1
+silverwind.io, 1
+silverwolf.cn, 1
+silvestri.consulting, 1
+silviacataldi.com, 1
+silviadominguez.tk, 1
+silviaecintia.tk, 1
+silvianavarro.tk, 1
+silviaroddey.tk, 1
+silvine.xyz, 1
+silviorodriguez.tk, 1
+silvius.at, 1
+silvobeat.blog, 1
+silvobeat.com, 1
+silvu.net, 1
+silvullet.com, 1
+sim-karten.net, 1
+sim-minaoshi.jp, 1
+sim-mobile.ml, 1
+sim4seed.org, 1
+simabonnement.nl, 1
+simac.fr, 1
+simam.de, 1
+simantec.cl, 1
+simaogv.net, 1
+simark.ca, 1
+simart.cf, 1
+simartik.com, 1
+simasoft.com, 1
+simava.org, 1
+simbeton.nl, 1
+simbike.ru, 1
+simbolo.co.uk, 0
+simcity-cafe.tk, 1
+simcityjoy.tk, 1
+simcoecurlingclub.ca, 1
+simcongroup.ir, 1
+simdex.org, 1
+simeonoff.ninja, 1
+simeononsecurity.ch, 1
+simeononsecurity.com, 1
+simetal.ch, 0
+simetri.tk, 1
+simetria.org, 1
+simex.tk, 1
+simfdr.com, 1
+simfree-review.com, 1
+simha.online, 1
+simhaf.cf, 1
+similarcontent.com, 1
+similarfans.com, 1
+simivalley.gov, 1
+simivalleyelectrical.com, 1
+simivalleyexteriorlighting.com, 1
+simivalleylandscapelighting.com, 1
+simivalleylighting.com, 1
+simivalleyoutdoorlighting.com, 1
+simkin.tk, 1
+simkova-reality.cz, 1
+simlog.tk, 1
+simmerle.com, 1
+simocar.fr, 0
+simoesgoulart.com.br, 1
+simon-agozzino.fr, 1
+simon-kosmrl-diplomski.xyz, 1
+simon-mueller.de, 1
+simon-templar.fr, 1
+simon.butcher.name, 1
+simon.gr, 1
+simon.lc, 1
+simon3k.moe, 1
+simonastallone.com, 1
+simonberard.garden, 1
+simonbondo.dk, 1
+simoncommunity.org.uk, 0
+simoncook.org, 1
+simoncotsworth.com, 1
+simone.pl, 1
+simone.sh, 1
+simonetti.nl, 1
+simonevans.uk, 1
+simonewebdesign.it, 1
+simonfischer.info, 1
+simonhirscher.de, 1
+simonita.cz, 1
+simonkjellberg.com, 1
+simonkjellberg.se, 1
+simonmaddox.com, 1
+simonoener.com, 1
+simonreich.de, 1
+simonreynoldsfavesunfaves.cf, 1
+simonschmitt.ch, 1
+simonsmh.cc, 1
+simonspeich.ch, 1
+simonspikensmultiplexcinema.uk, 1
+simonsreich.de, 1
+simonssh.ddns.net, 1
+simonweil.com, 0
+simonwessel.net, 1
+simonwoodside.com, 1
+simonzoellner.de, 1
+simosol.de, 1
+simosol.dk, 1
+simotrescu.ro, 1
+simp.beauty, 1
+simpaticotours.com, 1
+simpatie.tk, 1
+simpbx.net, 1
+simpel.nl, 1
+simpelkoken.be, 1
+simpelkoken.com, 1
+simpelkoken.net, 1
+simpelkoken.nl, 1
+simpelkoken.org, 1
+simpelkredit.dk, 1
+simpeo.org, 1
+simpex.ch, 1
+simphome.com, 1
+simphony.cz, 1
+simple-perfect.tk, 1
+simple-test-to-demonstrate-the-maximum-length-of-a-domain-name.com, 1
+simple-test-to-demonstrate-the-maximum-length-of-a-domain-name.eu, 1
+simple-test-to-demonstrate-the-maximum-length-of-a-domain-name.international, 1
+simple.com, 0
+simpleartifact.com, 1
+simpleavenue.com, 1
+simplecallgirls.com, 1
+simplechoicesuper.com.au, 1
+simpleclassiclife.com, 1
+simpleclothing.ro, 1
+simplecmsdemo.com, 1
+simplecoding.click, 1
+simplecompliance.co.uk, 1
+simplecrypt.io, 1
+simplecryptoconvert.com, 1
+simplefx.com, 1
+simplegoodhealth.com, 1
+simplehome.ml, 1
+simpleinfoblog.com, 1
+simpleinout.com, 1
+simpleit.services, 1
+simpleline.studio, 1
+simplelinux.tk, 1
+simplelist.ga, 1
+simplelogin.co, 1
+simplelogin.io, 1
+simpleman.cf, 1
+simplemining.net, 1
+simplenet.io, 1
+simplenet.ro, 1
+simplepaddle.com, 1
+simplepengu.com, 1
+simplepoll.rocks, 1
+simpleports.eu, 1
+simpleports.net, 1
+simpleports.org, 1
+simpleprivacy.fr, 1
+simpleprojects.net, 1
+simplereport.gov, 1
+simplerezo.com, 1
+simplerses.com, 1
+simples.vet, 1
+simplesellatl.com, 1
+simplesend.io, 1
+simpleshow.com, 1
+simplesite.hu, 1
+simplespy.tk, 1
+simplesummerreading.com, 1
+simpletax.ca, 1
+simpletools.tk, 1
+simpletrace.nz, 1
+simplevote.ca, 1
+simplewebarchitecture.com, 1
+simplewire.de, 1
+simplexgame.net, 1
+simplexwireless.com, 1
+simplia.cz, 1
+simpliby.com, 1
+simplicitypvp.net, 1
+simplifiedlaws.com, 1
+simplifixed.com, 1
+simplifyingcollege.com, 1
+simplifylivelove.com, 1
+simplifyvms.com, 1
+simplix.info, 1
+simplixos.org, 1
+simplr.ai, 1
+simplrflex.com, 1
+simplus.id, 1
+simplusbr.com, 1
+simply-bob.de, 1
+simply-pattinson.tk, 1
+simply-pdf.de, 1
+simply-premium.com, 1
+simply.com, 1
+simply.scot, 1
+simply2020.com, 1
+simplybrave.net, 1
+simplycateringequipment.co.uk, 1
+simplycharlottemason.com, 1
+simplychocolate.com, 1
+simplycloud.de, 1
+simplydonelegal.com, 1
+simplydrivennapasonoma.com, 1
+simplyeducate.me, 1
+simplyfitperth.com.au, 1
+simplyfixit.co.uk, 1
+simplyfranciscan.org, 1
+simplyfuture.net, 1
+simplygood.work, 1
+simplyhelen.de, 1
+simplyjet.tk, 1
+simplymaidsaz.com, 1
+simplymeatsmoking.com, 1
+simplymidget.tk, 1
+simplyml.com, 1
+simplyowners.net, 1
+simplyplans.co.uk, 1
+simplyregister.net, 1
+simplyshamal.online, 1
+simplysmartgardening.com, 1
+simplytiles.com, 1
+simplyuniforms.com.au, 1
+simplyvoting.com, 1
+simpplr.com, 1
+simprosuite.com, 1
+simpsoncountyky.gov, 1
+simpul.nl, 1
+simracingcockpit.com, 1
+simrail.cn, 1
+simrail.nl, 1
+simranmehta.ga, 1
+sims4hub.ga, 1
+simscale.com, 1
+simsek.biz.tr, 1
+simservice.dk, 1
+simsim.in, 1
+simsimi.ml, 1
+simsmotorshop.be, 1
+simsnieuws.nl, 1
+simstarstyle.tk, 1
+simul.host, 1
+simulfund.com, 1
+simulhost.com, 1
+simulise.cloud, 1
+simulise.com, 1
+simulise.help, 1
+simulping.com, 1
+simulus.education, 1
+simulus.technology, 1
+simulus.training, 1
+simumiehet.com, 1
+simus.fr, 1
+simyayayinlari.com, 0
+sin-el-fil.com, 0
+sin-nombre-alleria.de, 1
+sin.swiss, 0
+sin4psi77.tk, 1
+sina-praxis.com.mx, 1
+sina.swiss, 1
+sinakuhestani.ir, 0
+sinalizeweb.com.br, 0
+sinan.mobi, 1
+sinanozpinar.com, 1
+sinanozpinar.nl, 1
+sinapuros.tk, 1
+sinarbaktiperdana.id, 1
+sinatralegal.com, 1
+sinavelvet.com, 1
+sinavyo.ml, 1
+sincelockdown.co.uk, 1
+sincemydivorce.com, 1
+sincityfan.tk, 1
+sinclairinat0r.com, 1
+sincordones.net, 1
+sindacato.it, 1
+sindarina.com, 1
+sindarina.eu, 1
+sindarina.net, 1
+sindarina.org, 1
+sindastra.com, 1
+sindastra.de, 1
+sindastra.net, 1
+sindastra.org, 1
+sinde.ru, 1
+sindicatoburgos.org, 0
+sindirectory.com, 1
+sindlerova.com, 1
+sindlerova.cz, 1
+sindominio.net, 1
+sindromebenjamin.tk, 1
+sineadobrien.com, 1
+sinefili.com, 1
+sinemakurd.tk, 1
+sinergify.com, 1
+sinetron.ga, 1
+sinews.tk, 1
+sinfield.com, 0
+sinfoniettabelcanto.org, 1
+sinfully.gq, 1
+sinfully.tk, 1
+sinfulthrills.co.uk, 1
+singaporebrand.com.sg, 1
+singaporeccc.org.sg, 1
+singaporeconventionweek.sg, 1
+singaporecriminaldefencelawyer.com, 1
+singaporedivorcelawyer.com, 1
+singaporefamilylawyer.com, 1
+singaporefreelegaladvice.com, 1
+singaporetoptentravel.com, 1
+singaporewebdesign.tk, 1
+singapur24.tk, 1
+singasia.net, 1
+singcapital.com.sg, 1
+singee.me, 1
+singel.ch, 1
+singen.eu.org, 1
+singer.ru, 1
+singerpragathi.tk, 1
+singerwang.com, 1
+singeyel.gq, 1
+singingblackbird.tk, 1
+singita.com, 1
+single-in-stuttgart.de, 1
+singleeuropeansky.aero, 1
+singlehandedsailing.tk, 1
+singlenine.gq, 1
+singleproduction.com, 1
+singles-aus-hamburg.de, 1
+singles-berlin.de, 1
+singles-day.org.il, 1
+singlesproject.org, 1
+singleton-factory.de, 1
+singleuse.link, 1
+singlu10.org, 0
+singluten.tk, 1
+singreggaeoke.com, 1
+singulair-generic.tk, 1
+sini.tk, 1
+sinibaldi.me, 1
+sinistragiovanile.tk, 1
+sinkaray.com, 1
+sinkfactory.com, 1
+sinkhole-florida.com, 1
+sinkholerepairsflorida.com, 1
+sinkinglure.net, 1
+sinkip.com, 1
+sinluzvenezuela.tk, 1
+sinmarea.com, 1
+sinn-frei.tk, 1
+sinner-rider.tk, 1
+sinnersprojects.ro, 0
+sinnvoll-online.de, 1
+sinnvoll-online.info, 1
+sinog.si, 1
+sinok.tk, 1
+sinonimos.com.br, 1
+sinonimosonline.com, 1
+sinonimosonline.com.br, 1
+sinopx.cf, 1
+sinoscandinavia.se, 1
+sinosky.org, 1
+sinpermiso.info, 1
+sinquin.eu, 1
+sinronet.com, 0
+sinsalida.tk, 1
+sinsin.io, 1
+sinsitio.tk, 1
+sinsolucion.tk, 1
+sint-apollonia-appels.tk, 1
+sint-barbara.tk, 1
+sint-joris.nl, 1
+sint-sebastianus.tk, 1
+sint-servattumus.tk, 1
+sinta-d.com, 1
+sintas.lt, 1
+sintaxis.org, 1
+sintbaafsabdij.gent, 1
+sintbaafsabdijgent.be, 1
+sinterama.biz, 1
+sinterklaas-spelletjes.nl, 1
+sinterklaasnet.tk, 1
+sinthill.com, 1
+sintomasdocancer.com, 1
+sintpietersabdijgent.be, 1
+sintsationeel.nl, 1
+sinuate.gq, 1
+sinuelovirtual.com.br, 1
+sinusbot.online, 1
+sinusitis-bronchitis.ch, 1
+sinvideovault.com, 1
+siogyumolcs.hu, 1
+sion-colony.tk, 1
+sion.info, 1
+siouxcityjournal.com, 1
+siouxcountyne.gov, 1
+siouxfalls.gov, 1
+sipa.nc, 1
+sipa.pf, 1
+sipadmin.ru, 1
+sipd.go.id, 0
+sipede.tk, 1
+siphalor.de, 1
+sipinterdindikcilegon.id, 1
+sipo.tk, 1
+sippanel-stroy.ru, 1
+siproj.com.br, 1
+sipstix.co.za, 1
+siptls.com, 1
+sipuri.me, 1
+sipyuru.com, 1
+sipyuru.lk, 1
+siq.li, 1
+siqi.wang, 1
+sirakov.tk, 1
+siralyvisegrad.hu, 1
+siranap.com, 1
+sirandorung.tk, 1
+sirassiraadjes.nl, 1
+siraweb.org, 1
+sirbio.ru, 1
+sircon.no, 1
+sirena.ml, 1
+sirenassociates.com, 1
+sirenasweet.net, 1
+sirenasweet.org, 1
+sirencallofficial.com, 1
+sirenequestrianvaulting.co.uk, 1
+sirenequestrianvaulting.com, 1
+sirenslove.com, 1
+sirenvaulting.club, 1
+sirenvaulting.co.uk, 1
+sirenvaulting.com, 1
+sirenvaulting.group, 1
+siretaweb.id, 1
+sirfaustobrasil.com.br, 1
+sirg.fr, 1
+siri.cc, 1
+siria.tk, 1
+siris.nl, 1
+sirius-se.hu, 1
+sirius.su, 1
+siriuspro.pl, 1
+siriuspup.com, 1
+sirkusteemuriihela.com, 1
+sirma.com, 1
+sirnakhaber.tk, 1
+siro.gq, 1
+sirovatka.tk, 1
+sirplus.com.ar, 1
+sirpsycho.tk, 1
+sirram.de, 1
+sirtaptap.com, 1
+sirtuins.com, 1
+sirupybartonik.cz, 1
+sirvio.eu, 1
+sirvoy.ca, 1
+sirvoy.co.nz, 1
+sirvoy.co.uk, 1
+sirvoy.co.za, 1
+sirvoy.com, 1
+sirvoy.com.au, 1
+sirvoy.de, 1
+sirvoy.dk, 1
+sirvoy.es, 1
+sirvoy.fi, 1
+sirvoy.fr, 1
+sirvoy.ie, 1
+sirvoy.jp, 1
+sirvoy.nl, 1
+sirvoy.no, 1
+sirvoy.se, 1
+sirzech.my.id, 1
+sis.net.sa, 1
+sisadmin21.tk, 1
+sisap.com, 0
+siscompbolivia.tk, 1
+siscompt.com, 0
+siscowebcrm.it, 1
+siselectrom.com, 1
+siseministeerium.ee, 0
+sisiengineers.gq, 1
+sisirbatu.tk, 1
+sismit.es, 1
+sisms.pl, 1
+sisqo.tk, 1
+sisqualwfm.com, 1
+sissden.eu, 1
+sisseastumine.ee, 1
+sissyroulette.com, 1
+sisteltestserver.com, 1
+sistem-maklumat.com, 1
+sistem-maklumat.com.my, 1
+sistema-trenirovok.ml, 1
+sistema20k.tk, 1
+sistemair.be, 1
+sistemapronto.ml, 1
+sistemaseinformacao.com.br, 1
+sistemasespecializados.com, 1
+sistemista.it, 1
+sistemy48.ru, 0
+sistonenfranco.tk, 1
+sistrade.com, 1
+sisv.eu, 1
+sisver.mx, 1
+sit-brn.ru, 1
+sit-tech.by, 1
+sit.ec, 1
+sit.moe, 1
+sit.sh, 1
+sitak.fi, 1
+sitanleta.de, 1
+sitatravel.gr, 1
+sitc.sk, 1
+sitco.global, 1
+sitcopharma.com, 1
+site-de-paris-en-ligne.fr, 1
+site-development.tk, 1
+site-dns.com, 1
+site-master.ml, 1
+site-oficial-inicio.com, 1
+site-oflcial.com, 1
+site-remont.ml, 1
+site-romania.tk, 1
+site-ua.tk, 1
+site.com, 1
+site.mu, 1
+site2002.tk, 1
+siteadvokat.cf, 1
+sitebrass.ru, 1
+sitebuilderreport.com, 0
+sitecentre.com.au, 1
+sitechange.dedyn.io, 1
+sitechecker.pro, 1
+sitecreation.tk, 1
+sitecreator.tk, 1
+sitecrew.cf, 1
+sitecuatui.com, 1
+sitedebelezaemoda.com.br, 1
+sitedynamix.co.uk, 1
+siteforce.com, 1
+sitehizi.com, 1
+siteintelstage.com, 1
+sitek.rocks, 1
+sitekatalog.tk, 1
+sitelinks.ga, 1
+sitelinks.ml, 1
+sitemai.eu, 1
+sitemap.solutions, 1
+sitemaxiphilippe.ch, 1
+sitempro.com.mx, 0
+sitemydesk.fr, 1
+sitenv.org, 1
+sitepentruprofesori.com, 1
+siteplug.com, 1
+sitepokupok.ru, 1
+siterank.cf, 1
+siterank.gq, 1
+siterapidowp.com.br, 1
+siterencontre.me, 1
+siteru.tk, 1
+sites.google.com, 1
+sites2poker.fr, 1
+sites2rencontre.fr, 1
+sitesara.com, 1
+sitesdesign.tk, 1
+sitesforward.com, 1
+sitesignal.net, 1
+sitesko.de, 1
+sitestudio.tk, 1
+sitesweb.gq, 1
+sitetalk.tk, 1
+sitetuners.com, 1
+siteviseagency.com, 1
+siteweb-seo.fr, 1
+sitgesfilmfestival.com, 1
+sithijaya.tk, 1
+sithmanifest.com, 1
+sitinjau.com, 1
+sitiosantaangela.com.br, 1
+sitischu.com, 1
+sitisnab.kz, 1
+sitnikov.ga, 1
+sito-online.ch, 1
+sittingwell.co.uk, 1
+sittogether.club, 1
+sittogether.tw, 1
+situm.com, 1
+situsbandarq.cf, 1
+situsbandarq.ga, 1
+situsbandarq.ml, 1
+situsbandarq.tk, 1
+sitypro.com, 1
+sitz.ch, 1
+sitzungsdienst.net, 0
+siulam-wingchun.org, 1
+siusto.com, 1
+sivaexports.in, 1
+sivaru.tk, 1
+sivizius.eu, 1
+sivyerge.com, 1
+siw.nl, 1
+siw64.com, 1
+siwa.cf, 1
+siwek.xyz, 1
+siwiki.rs, 1
+siwyd.com, 1
+six27.com, 1
+sixam.co.jp, 1
+sixara.com, 1
+sixcolors.lu, 1
+sixcorners.info, 1
+sixcorners.net, 1
+sixde.com.au, 1
+sixe.es, 1
+sixforkurd.tk, 1
+sixnines.net, 1
+sixpack.gr, 1
+sixpackband.tk, 1
+sixpackholubice.cz, 1
+sixstrings.tk, 1
+sixtiesgroovemachine.com, 1
+sixtiesgroovemachine.nl, 1
+sixyy.com, 1
+siyako.com, 1
+siyuan.com, 1
+sizeofvoid.org, 1
+sizeunknown.com, 1
+sizeunknown.net, 1
+sizinajans.com, 1
+sj-leisure.com, 1
+sja-se-training.com, 1
+sjaakgilsingfashion.nl, 1
+sjaaktrekhaak.nl, 1
+sjbwoodstock.org, 1
+sjcpa.gov, 1
+sjd.is, 0
+sjeverni.info, 1
+sjfss.com, 1
+sjfss.marketing, 1
+sjid.co.uk, 1
+sjiplanning.com.au, 1
+sjleisure.co.uk, 1
+sjlmd.moe, 1
+sjm-hamburg.de, 0
+sjnp.org, 1
+sjoelen.tk, 1
+sjoelsport.nl, 1
+sjoorm.com, 1
+sjorsvanweert.nl, 1
+sjouke.dedyn.io, 1
+sjparanormal.tk, 1
+sjrcommercialfinance.co.uk, 1
+sjrslms.in, 0
+sjs.org.hk, 1
+sjtravel.guru, 1
+sjwheel.net, 1
+sk-ii.com, 1
+sk.tl, 1
+sk4y.net, 1
+sk8israel.com, 1
+skaala.com, 1
+skaapkraalonline.co.za, 1
+skachat-filmi.info, 1
+skachat-programmylini.ga, 1
+skachat-shablon-rezyume-na-angliyskom-yazyk.tk, 1
+skachat-zip.tk, 1
+skachay-knighki.gq, 1
+skachay-photo.gq, 1
+skagen-feriebolig.dk, 1
+skaginn.tv, 1
+skaiman.ga, 1
+skaitliukas.tk, 1
+skalec.org, 1
+skalis-portage.com, 1
+skalniak.pl, 1
+skamper.tk, 1
+skankofamerica.com, 1
+skanray.com, 1
+skarke.se, 1
+skarla.com, 1
+skarox.com, 1
+skarox.ee, 1
+skarox.eu, 1
+skarox.net, 1
+skarox.ru, 1
+skat.dk, 1
+skatefilms.tv, 1
+skateparkmontbriz.tk, 1
+skaterangels.tk, 1
+skaterepublic.tk, 1
+skatesins.ch, 1
+skatesliide.tk, 1
+skateswagger.com, 1
+skatingchina.com, 1
+skatrey.com, 1
+skatteankestyrelsen.dk, 1
+skattebo.no, 1
+skatteforvaltningen.dk, 1
+skazama.com, 1
+skazka.ml, 1
+skazka.ru, 1
+skazochnyj-sait.tk, 1
+skbexteriorcleaningsolutions.com, 1
+skbilisim.tk, 1
+skblab.ru, 1
+skcwood.com, 1
+skday.com, 1
+skedda.com, 1
+skeditor.tk, 1
+skeeley.com, 1
+skeetads.com, 1
+skegnesstec.ac.uk, 1
+skei.org, 1
+skepneklaw.com, 1
+skepp.com, 1
+skepticalsports.com, 1
+skeptics.org, 1
+skeptik.tk, 1
+sketch.io, 1
+sketch.jpn.com, 1
+sketchbox.tk, 1
+sketchmonk.tk, 1
+sketchnote.co, 1
+sketchy.tk, 1
+skew.ch, 1
+skezi.eu, 1
+skgzberichtenbox.nl, 1
+skhaz.io, 1
+skhidnitsa.com.ua, 1
+skhiratemara.ma, 1
+skhire.co.uk, 1
+skhoop.cz, 1
+skhosting.eu, 1
+skhron.com.ua, 1
+ski-outdoor-shop.de, 1
+ski-planet.com, 1
+skibbereencomhaltas.tk, 1
+skibikers.tk, 1
+skid.church, 1
+skiddle.com, 1
+skidka.by, 1
+skidki-ru.cf, 1
+skidkimira.ru, 1
+skidzun.de, 1
+skifairview.com, 1
+skiff.city, 1
+skiff.com, 1
+skiff.town, 1
+skiforlight.ca, 1
+skiftet.org, 1
+skifttiljutlanderbank.dk, 1
+skigebied.nl, 1
+skiingnewsletter.cf, 1
+skiingnewsletter.ga, 1
+skiingproperty.com, 1
+skiinstructor.services, 1
+skikkogbank.no, 1
+skile.ru, 0
+skiley.net, 1
+skilift-quellenwiese.at, 0
+skill-x.ru, 1
+skill.moe, 1
+skill.tk, 1
+skillab.ro, 1
+skillablers.com, 1
+skilldnsproc.com, 1
+skillearning.de, 1
+skillmoe.at, 1
+skillonnet.com, 1
+skillrocket.in, 1
+skills2serve.org, 1
+skillsboffin.com, 1
+skillsenhancementtexas.gov, 1
+skillsenhancementtx.gov, 1
+skillsforall.com, 1
+skillshare.com, 1
+skillsoftcompliance.com, 1
+skilltran.com, 1
+skillup.co, 1
+skillwaze.com, 1
+skiman.tk, 1
+skimbo.tk, 1
+skin-cosmetic.eu, 1
+skin.club, 1
+skinbet.co, 1
+skinboost.ga, 1
+skinboost.ml, 1
+skincare-note.com, 1
+skincareagent.cf, 1
+skincarequeentv.com, 1
+skindb.net, 1
+skinetic.eu, 1
+skinews.tk, 1
+skinexpert.ml, 1
+skinfoodpeachcotton.tk, 1
+sking.io, 1
+skinlords.com, 1
+skinmarket.co, 1
+skinmedshop.ro, 1
+skinmodo.com, 1
+skinnation.tk, 1
+skinnybitch99.net, 1
+skinport.com, 1
+skinpwrd.com, 1
+skinrejuvenate.com.au, 1
+skinrender.ga, 1
+skinseries.cf, 1
+skinsolution.ga, 1
+skinsolutionclinic.com, 1
+skinstyleglobal.com, 1
+skinsuperstore.tk, 1
+skintdad.co.uk, 1
+skintillation.com, 1
+skio.com, 1
+skioakenfull.com, 1
+skip.re, 1
+skipfault.com, 1
+skipperinnovations.com, 0
+skippy.dog, 0
+skipr.co, 1
+skipr.ninja, 1
+skiptadiabetes.com, 1
+skipton.io, 1
+skiptontownhall.co.uk, 1
+skirent-masocorto.com, 1
+skirted.cf, 1
+skirts.tk, 1
+skirtskenya.tk, 1
+skirwin.com, 1
+skischule-sinzheim.de, 1
+skischule-wildewiese.de, 1
+skisportdain.it, 1
+skitecsh.com, 1
+skitop.it, 1
+skitourmag.com, 1
+skitznet.tk, 1
+skizzen-zeichnungen.de, 1
+skj6.ga, 1
+skjt.co.jp, 1
+skk.moe, 1
+skky.net, 1
+skladchinamk.ru, 1
+skladmebliv.ua, 0
+skladnicaksiegarska.pl, 1
+sklepbhp.online, 1
+sklepsnowboardowy.pl, 1
+sklepvoip.tel, 1
+sklepwielobranzowymd.com, 1
+sklisen.tk, 1
+sklotechnik.cz, 1
+skm.dk, 1
+skmedia.ga, 1
+skmp.cc, 1
+skmsport.com, 1
+sknasirali.com, 1
+sknclinics.co.uk, 1
+skoander.com, 1
+skoda-im-dialog.de, 1
+skodapower.tk, 1
+skodapreowned.in, 1
+skoi2023.com, 1
+skoilly.cc, 1
+skoiy.com, 1
+skokie.gov, 1
+skolagatt.is, 1
+skolakrizik.cz, 1
+skolappar.nu, 1
+skolebil.dk, 1
+skolem.de, 1
+skolni-system.eu, 1
+skolnieks.lv, 1
+skolnilogin.cz, 1
+skolniweby.cz, 1
+skolplattformen.org, 1
+skolskyportalporuba.cz, 1
+skooli.com, 1
+skorbord.tk, 1
+skorepova.info, 1
+skoroff.com, 1
+skoropolnolunie.gq, 1
+skorovsud.ru, 1
+skorpil.cz, 1
+skorstensfolket.se, 1
+skory.us, 1
+skorzew.ski, 1
+skoskav.org, 1
+skotobaza.tk, 1
+skotstvo.tk, 1
+skovbosburgerblog.dk, 1
+skovik.com, 1
+skpark.cf, 1
+skpk.de, 1
+skpracta.info, 1
+skpracta.tk, 1
+skprhome.i234.me, 1
+skram.de, 1
+skrepnek-sidebar.tk, 1
+skreutz.com, 1
+skrid.net, 1
+skrillex.tv, 1
+skrin.ru, 1
+skripta.tk, 1
+skriptorium.de, 1
+skrivargarden-nes.cf, 1
+skrivebeskyttet.dk, 1
+skrivebordet.tk, 1
+skrprojects.com.au, 1
+skrsv.net, 1
+skrundz.ca, 1
+skrundz.com, 1
+skrundz.id, 1
+skrydata.ga, 1
+sksdrivingschool.com.au, 1
+sksh.io, 1
+sktan.com, 1
+sktsolution.com, 0
+sktst.dk, 1
+skuizy.ddns.net, 1
+skulblaka.ch, 1
+skuldwyrm.no, 1
+skullcrusher.tk, 1
+skullowner.nl, 1
+skunkapeservers.net, 1
+skupka-zolota-dorogo.ru, 1
+skutry-levne.cz, 1
+skutry.cz, 1
+skux.ch, 1
+skvele-cesko.cz, 1
+skvelecesko.cz, 1
+skvot.de, 1
+skwile-cafe.com, 1
+skwitko.com, 1
+skwlkrs.com, 1
+skxpl.eu.org, 1
+sky-aroma.com, 1
+sky-cargo.at, 1
+sky-coach.com, 1
+sky-coach.nl, 1
+sky-dogs.com, 1
+sky-driver.ch, 1
+sky-live.fr, 1
+sky-motion.de, 1
+sky-music.tk, 1
+sky-of-use.net, 1
+sky-os.ru, 1
+sky-torch.com, 0
+sky-wap.cf, 1
+skyarch.net, 1
+skybirch.com, 1
+skybirds.org, 1
+skyblockmc.eu, 1
+skyblockmc.no, 1
+skyblond.info, 1
+skybloom.com, 1
+skyblue4.com, 1
+skyborne.tk, 1
+skybound.link, 0
+skybrary.aero, 1
+skybrary.eu, 1
+skybrary.info, 1
+skybridge.net, 1
+skycapture.ca, 1
+skychan.org, 1
+skyclinic.ua, 1
+skycmd.net, 1
+skyder.com.mx, 0
+skyder.mx, 0
+skyderby.ru, 1
+skydiveaddiction.com, 1
+skydivegeronimo.com.au, 1
+skydiverecuador.com, 1
+skydivingexperiences.co.uk, 1
+skydoc.uz, 1
+skydragoness.com, 1
+skydrive.live.com, 0
+skydronesolutions.com, 1
+skye.vg, 1
+skyeeverest.tk, 1
+skyem.co.uk, 0
+skyeng.ru, 1
+skyevg.systems, 1
+skyexpressinternational.com, 1
+skyfall.network, 1
+skyfibertech.com, 1
+skyfpicture.tk, 1
+skygame.tk, 1
+skygates.tk, 1
+skyguru.tk, 1
+skyhigh-mizell.tk, 1
+skyhook.earth, 1
+skyhooks.tk, 1
+skyhyve.com.au, 1
+skyhyve.xyz, 1
+skyint.io, 1
+skyla.tk, 1
+skylair.info, 1
+skylandanalytics.net, 1
+skylander.cf, 1
+skylar.ai, 0
+skylarker.org, 1
+skylash.be, 1
+skylgenet.nl, 1
+skylightcreative.com.au, 1
+skylightipv.com, 1
+skylimitmedia.com, 1
+skyline.link, 1
+skyline.tw, 1
+skylineexplorer.com, 1
+skylinehk.org, 1
+skylinehouse.ca, 1
+skylinertech.com, 1
+skylineservers.com, 1
+skylocker.net, 1
+skyltmax.se, 1
+skym-mc.fr, 1
+skymail.de, 1
+skymass.xyz, 1
+skyminds.net, 1
+skymkmk.com, 1
+skymonk.tk, 1
+skynet-research.us, 0
+skynet233.ch, 0
+skynet800.goip.de, 1
+skynetcloud.org, 1
+skynetcloud.site, 1
+skynetnetwork.eu.org, 1
+skynetstores.ae, 1
+skynetz.tk, 1
+skyoceanblue.com, 1
+skyone.host, 1
+skyoy.com, 0
+skypanic.com, 1
+skypark.tk, 1
+skypc.com.ar, 1
+skypce.net, 1
+skype, 1
+skype.com, 0
+skypech.com, 1
+skypefr.com, 1
+skypicker.com, 1
+skyportcloud.com, 1
+skyqueen.cc, 1
+skyquid.co.uk, 1
+skyra.pw, 1
+skyrider.me, 1
+skyrosconsulting.com, 1
+skys-entertainment.com, 1
+skyscanner.ca, 1
+skyscanner.co.in, 1
+skyscanner.com, 1
+skyscanner.com.au, 1
+skyscanner.com.hk, 1
+skyscanner.de, 1
+skyscanner.es, 1
+skyscanner.fr, 1
+skyscanner.gg, 1
+skyscanner.net, 1
+skyscanner.pt, 1
+skyscanner.ru, 1
+skyscnr.com, 1
+skyseo.cf, 1
+skysoftbg.com, 1
+skysplash.gq, 1
+skysprouts.co.uk, 1
+skysuite.nl, 1
+skytamil.net, 1
+skytechosting.com, 1
+skytel.ge, 1
+skyterraathome.com, 1
+skyterraembrace.com, 1
+skyterrawellness.com, 1
+skytickets.ga, 1
+skytiger.ga, 1
+skytown.ga, 1
+skytterlogg.no, 1
+skytterloggen.no, 1
+skyvr.mx, 1
+skywalkersa.ga, 1
+skywatch.com, 1
+skywindowsnj.com, 1
+skyworldserver.ddns.net, 1
+skywt.cn, 0
+skyynet.de, 1
+skyzimba.com.br, 1
+sl-alarm.ru, 1
+sl-bildermacher.de, 1
+sl-informatique.ovh, 1
+sl.al, 1
+sl0.us, 1
+sl41.com.br, 1
+sla.pl, 1
+slaam.tk, 1
+slab.com, 1
+slabserver.com, 1
+slabstage.com, 1
+slack-files.com, 1
+slackline.tk, 1
+sladkiiflirt.ru, 1
+slaek.de, 1
+slagerijdekoekelaere.be, 1
+slagerijrooken.be, 1
+slagerijvanguilik.nl, 1
+slaght.de, 0
+slainvet.net, 1
+slajeslag.nl, 1
+slalix.pw, 1
+slalix.xyz, 1
+slamdunkdedication.tk, 1
+slamhope.gq, 1
+slamix.nl, 1
+slamtradingcards.com.au, 1
+slan.fr, 1
+slangbella.com, 1
+slaninka.eu, 1
+slanterns.net, 1
+slapen17.nl, 1
+slaps.be, 1
+slash64.co.uk, 1
+slash64.uk, 1
+slashbits.no, 1
+slashcam.de, 1
+slashcrypto.org, 1
+slashdigit.com, 1
+slashnroses.com, 1
+slashnroses.nl, 1
+slashorg.net, 1
+slass.fr, 1
+slate.to, 1
+slatechart.com, 1
+slated.ie, 0
+slatemc.com, 1
+slatemc.fun, 1
+slateteams.com, 1
+slathering.cf, 1
+slatteryassetadvisory.com.au, 1
+slaughter.com, 1
+slaughterhouse.fr, 1
+slava.ml, 1
+slavasoloviev.com, 1
+slavasveta.info, 1
+slaveykov.bg, 1
+slavic401k.com, 1
+slavira.ru, 1
+slavomircapik.com, 1
+slaws.io, 1
+slayer.tech, 1
+slayersonline.net, 1
+slayingqueen.com, 1
+slaytec.com, 1
+slb.ru, 1
+slbbiromaru.sch.id, 1
+slbetx.com, 1
+slbknives.com, 1
+slbm.com.au, 1
+slboatstorage.com, 1
+slcdn.net, 1
+sld08.com, 1
+sldev.ovh, 1
+sldlcdn.com, 1
+sldonline.org, 1
+sledgehammerti.me, 1
+sledgeroofing.com, 1
+sledwyoming.com, 1
+sleekfellow.com, 1
+sleekflow.io, 1
+sleep-go.info, 1
+sleep-tight.cf, 1
+sleepawaycampseries.tk, 1
+sleepcouncil.org.uk, 1
+sleepet.tw, 1
+sleepig.com, 1
+sleepily.tk, 1
+sleepingmattressreview.com, 1
+sleepmap.de, 1
+sleepo.ga, 1
+sleeps.jp, 0
+sleepsaround.ga, 1
+sleepshop.be, 1
+sleepstar.co.uk, 1
+sleepstar.fr, 1
+sleepys.net, 1
+sleetandsole.es, 1
+sleetandsole.eu, 1
+sleeuwijkskerkje.nl, 1
+sleio.com, 1
+sleismann.de, 1
+sleismann.eu, 1
+sleismann.org, 1
+slemen.tk, 1
+slepsluzbabeograd.org, 1
+sletaem.ml, 1
+sletat.ru, 1
+slev.tk, 1
+slevermann.de, 0
+slevomat.cz, 1
+slew.gq, 1
+slezenko.tk, 1
+sli.do, 1
+slicedpies.com, 1
+sliceone.com, 1
+slicklines.co.uk, 1
+slidebatch.com, 1
+slidefiftyfamily.tk, 1
+slidemembers.com, 1
+slideproducts.com, 1
+slides.zone, 1
+slideshare.net, 1
+slido.com, 1
+slidstvo.info, 1
+slightshop.com, 1
+slik.ai, 1
+slim-health.com, 1
+slim-slender.com, 1
+slim.ua, 1
+slime5.com.tw, 1
+slimeg.clinic, 1
+slimetutorial.com, 1
+slimgrafix.cz, 1
+slimmarkets.com, 1
+slimmingjabs.com, 1
+slimopweg.be, 1
+slimspots.com, 1
+slimster.nl, 1
+slimtelecom.nl, 1
+slimwindows.cf, 1
+slimwindows.ga, 1
+slimwindows.gq, 1
+slingo-sta.com, 1
+slingoweb.com, 1
+slink.hr, 1
+slinkwa.re, 1
+slinx.tk, 1
+slip-gaming.tk, 1
+slipandfalllawyerhelp.com, 1
+sliphua.work, 1
+slipknot-site.tk, 1
+slipnslide.xxx, 1
+slippening.com, 1
+sliptrickrecords.com, 1
+sliszlaw.com, 1
+slite.com, 1
+sliteapp.com, 1
+slivkadesigns.tk, 1
+slix.io, 1
+slizgawka.eu, 1
+sllatina.tk, 1
+slm-sla.tk, 1
+slma.tk, 1
+sln.cloud, 1
+slo-net.net, 1
+slo-tech.com, 1
+slo.nl, 1
+sloancom.com, 1
+sloanrealtygroup.com, 1
+sloboda.tk, 1
+slobrowink.com, 1
+slobsbeer.com, 1
+slocounty.gov, 1
+slodkiflirt.pl, 1
+sloeproeienalmere.nl, 0
+sloepverhuur-roggebroek.nl, 1
+slogan.tk, 1
+slogancreator.com.au, 1
+slogix.in, 1
+sloneczni.pl, 1
+slonep.net, 1
+slonko.net, 1
+sloopautonoordholland.com, 1
+slootskyartisticdentistry.com, 1
+slopecountynd.gov, 1
+slopeedge.com, 1
+slopeedge.net, 1
+slopeoak.com, 1
+slotarazzi.com, 1
+slotbonus24.com, 1
+slotboss.co.uk, 1
+slotcatalog.com, 1
+sloterplas-beveiliging.nl, 1
+sloterplas-bouw.nl, 1
+sloterplas-management.nl, 1
+slotfara.net, 1
+slotgames.pro, 1
+slotgratisonline.net, 1
+slothless.com, 1
+sloths.org, 1
+sloticagames.com, 1
+slotjava.com.br, 1
+slotjava.es, 1
+slotjava.it, 1
+slotlist.info, 1
+slotmachinesgratisonline.com, 1
+slotmad.com, 1
+slotsinspector.com, 1
+slotsmegacasino.com, 0
+slotsup.com, 1
+slouching.ga, 1
+sloudways.com, 1
+slovakiana.sk, 1
+slovenia-trip.tk, 1
+slovenskekasina.sk, 1
+slovenskycestovatel.sk, 1
+slow.social, 1
+slow.zone, 0
+slowapi.com, 1
+slowcookingperfected.com, 1
+slowfoodandhandforgedtools.com.au, 1
+slowgames.xyz, 1
+slowinski.tk, 1
+slowsocial.email, 1
+slowsocial.eu, 1
+slowsocial.net, 1
+slowsocial.org, 1
+slowsociety.org, 0
+slpidny.gov, 1
+slpm.com, 1
+slpower.com, 1
+slrd-isperih.com, 1
+slrie.de, 1
+slt.ee, 1
+slt24.de, 1
+sltda.gov.lk, 1
+sluciaconstruccion.com, 1
+sluderno.org, 1
+sludge.tk, 1
+slugify.online, 1
+sluhockey.com, 1
+sluimann.de, 1
+sluitkampzeist.nl, 0
+sluitsnel.nl, 1
+slunecnice.cz, 1
+slunyavchik.tk, 1
+sluo.org, 1
+slushat-tekst-pesni.ru, 1
+slushe.com, 1
+slushpool.com, 1
+slutty-girls.cf, 1
+slxh.eu, 1
+slxh.nl, 1
+slyarts.com, 1
+slycegateway.com, 1
+slycepay.com, 1
+slycereporting.com, 1
+slymak.com, 1
+slytigers.tk, 1
+slyvon.com, 1
+slzr.cloud, 1
+sm-kyoushitsu.com, 1
+sm-supplements.gr, 1
+sm.ms, 1
+sm161.cn, 1
+sm2016.ch, 1
+sm2ct.cn, 1
+sma-dev.de, 1
+sma-gift.com, 1
+smackhappy.com, 0
+smadav.ml, 1
+smaksbanken.no, 1
+smalandscountryclub.tk, 1
+small-blog.cf, 1
+small-king.ml, 1
+smallbusinesscharter.org, 1
+smallbytedesign.co, 1
+smallchanges.tv, 1
+smallchat.nl, 1
+smallcraftadvisory.tk, 1
+smallcubed.com, 1
+smalldata.tech, 1
+smalldeveloper.ml, 1
+smalle-voet.de, 1
+smallfarmersjournal.com, 1
+smallfoot.tk, 1
+smallplanet.com, 0
+smalls-world.tk, 1
+smallsiri.gq, 1
+smallsites.eu, 1
+smalltalkconsulting.com, 1
+smalltunepress.tk, 1
+smallville.tk, 1
+smallville25.tk, 1
+smallwhitebear.ga, 1
+smaltimento-rifiuti.com, 1
+smaltimento-rifiuti.org, 1
+smaltimento.caserta.it, 1
+smaltimento.milano.it, 1
+smaltimento.napoli.it, 1
+smaltimento.roma.it, 1
+smaltimento.salerno.it, 1
+smaltimentoamianto.campania.it, 1
+smaltimentoamianto.frosinone.it, 1
+smaltimentoamianto.latina.it, 1
+smaltimentocalcinacci.roma.it, 1
+smaltimentorifiuti.firenze.it, 1
+smaltimentorifiuti.livorno.it, 1
+smaltimentorifiuti.milano.it, 1
+smaltimentorifiuti.napoli.it, 1
+smaltimentorifiuti.prato.it, 1
+smaltimentorifiuti.roma.it, 1
+smaltimentorifiuti.veneto.it, 1
+smanson.duckdns.org, 1
+smaragderna.cf, 1
+smaragderna.ga, 1
+smaragderna.tk, 1
+smares.de, 1
+smaridibor.tk, 1
+smarinintgal.tk, 1
+smarpshare.com, 1
+smarriti.it, 1
+smart-bezpeka.com, 1
+smart-broker.ru, 1
+smart-cp.jp, 1
+smart-fixed.ru, 1
+smart-house.bg, 1
+smart-hub.io, 1
+smart-informatics.com, 1
+smart-klimat.ru, 1
+smart-lab.ch, 1
+smart-mirror.de, 1
+smart-mrt.co.il, 1
+smart-pharma.group, 1
+smart-profile.ro, 1
+smart-travel.tk, 1
+smart-tux.de, 1
+smart-wind.ru, 1
+smart-wohnen.net, 1
+smart-zona.tk, 1
+smartacademy.ge, 1
+smartacademy.pro, 1
+smartagilesolution.com, 1
+smartandcom.ch, 1
+smartapplianceservices.com, 1
+smartar.com, 1
+smartart.gr, 1
+smartart.tk, 1
+smartass.space, 1
+smartass0027.com, 1
+smartassembly.tk, 1
+smartasset.com, 1
+smartbase.de, 1
+smartbear.com, 1
+smartbitcoininvestments.com, 1
+smartbiz.vn, 1
+smartblock.cloud, 1
+smartbuytrends.com, 1
+smartcar.com, 0
+smartcard.tools, 1
+smartcents.gold, 1
+smartcheck.gov, 1
+smartchezvous.com, 1
+smartchoices.ie, 1
+smartclothing.pl, 1
+smartcloudconnect.io, 1
+smartcluster.ga, 1
+smartcommunications.com, 1
+smartcover.tk, 1
+smartcpa.ca, 1
+smartdb.jp, 1
+smartdigital.ga, 1
+smarteco.tk, 1
+smartedukasi.co.id, 1
+smarterskies.gov, 1
+smartersoft-integra.com, 1
+smartersoft.io, 1
+smartertowing.com, 1
+smartest-trading.com, 1
+smartestate.com, 1
+smartevals.com, 1
+smartfaktor.pl, 1
+smartfit.cz, 1
+smartfixmarburg.de, 1
+smartfons.tk, 1
+smartfooding.com, 1
+smartftp.com, 1
+smartgirledits.com, 1
+smartgirls.tk, 1
+smartglassworld.net, 1
+smartgrepp.se, 1
+smartgrid.gov, 1
+smartgridsecurity.com, 1
+smartgridsecurity.org, 1
+smartguardzone.kr, 1
+smarthdd.com, 1
+smarthealthinnovationlab.com, 1
+smarthome365.nl, 1
+smarthomegain.com, 1
+smarthrms.com, 1
+smartick.com.do, 1
+smartit.gr, 1
+smartius.it, 1
+smartjoin.style, 1
+smartland.com, 1
+smartlandapartments.com, 1
+smartlandconstruction.com, 1
+smartlandturnkey.com, 1
+smartleads.tk, 1
+smartleaklocator.com, 1
+smartliferd.ml, 1
+smartlinecomputers.nl, 1
+smartlink.sk, 1
+smartlist.ga, 0
+smartloanhacks.com, 1
+smartlocksmith.com, 1
+smartlogiq.com, 1
+smartlogreturns.com, 0
+smartlogstock.com, 0
+smartlogtower.com, 1
+smartlooks.es, 1
+smartmachine.com, 1
+smartmail24.de, 1
+smartme.pl, 1
+smartmeal.ru, 1
+smartmessages.eu, 1
+smartmessages.net, 1
+smartmeterfraud.tk, 1
+smartminibushire.co.uk, 0
+smartmomsmartideas.com, 1
+smartnanny.cf, 1
+smartnews-smri.com, 1
+smartnoob.de, 1
+smartoctopus.art, 1
+smartografia.pl, 1
+smartoneclub.com, 1
+smartours.com, 1
+smartpanelsmm.com, 1
+smartpatika.hu, 1
+smartpheromones.com, 1
+smartphone-pliable.wtf, 1
+smartphone.nl, 1
+smartphonecases.tk, 1
+smartphonechecker.co.uk, 1
+smartphonefixen.be, 1
+smartphonepliable.co, 1
+smartphonesolution.tk, 1
+smartplus.ae, 1
+smartpolicingplatform.com, 1
+smartpos.net.br, 1
+smartproductguide.com, 1
+smartpti.net, 1
+smartrak.co.nz, 1
+smartrak.com, 1
+smartrecruiters.com, 1
+smartrentacar.ro, 1
+smartresumeservices.com, 1
+smartriotour.com.br, 0
+smartrise.us, 1
+smartroofingandsheetmetal.com, 1
+smartseatravel.com, 1
+smartservices.nl, 0
+smartshiftme.com, 1
+smartshop.gr, 1
+smartshoppers.es, 1
+smartshousekeeper.pt, 1
+smartsitio.com, 1
+smartspace.ml, 1
+smartspace.tk, 1
+smartsparrow.com, 0
+smartsprouts.com, 1
+smartsteelus.com, 1
+smartstep.pt, 1
+smartsupply.global, 1
+smartthursday.hu, 1
+smartvalor.com, 1
+smartwank.com, 1
+smartweb.ge, 1
+smartwebportal.co.uk, 1
+smartwoodczech.cz, 1
+smartwritingservice.com, 1
+smartwurk.nl, 0
+smarty.cz, 1
+smartzonegsm.ro, 1
+smartzonemikulov.cz, 1
+smash-gg.club, 1
+smashbros-chile.tk, 1
+smashbylaney.com, 1
+smashcooper.tk, 1
+smashingconf.com, 1
+smashingmagazine.com, 1
+smashnl.tk, 1
+smashno.ru, 1
+smavesto.de, 1
+smb-analytics.pw, 1
+smb-bsa.ca, 1
+smb.wiki, 1
+smb445.com, 1
+smbabyshop.gr, 1
+smbc.co.id, 1
+smbc.direct, 1
+smbi-gelblasterhq.com.au, 1
+smc.consulting, 1
+smcacre.gov, 1
+smcconsulting.be, 1
+smcconsulting.eu, 1
+smchfujuae.com, 1
+smcj.xyz, 1
+smcpneumatics.com, 1
+smcquistin.uk, 1
+smcvote.gov, 1
+smd-tlt.ru, 1
+smdc.com, 1
+smdcn.net, 1
+smdmetals.com, 1
+sme-gmbh.com, 1
+sme-gmbh.net, 1
+sme.sk, 1
+smedata.sk, 1
+smedix.com, 1
+smeetsengraas.com, 1
+smekonferencie.sk, 1
+smelly.cloud, 1
+smereka.ua, 1
+smeso.it, 1
+smeta.ml, 1
+smetak.cz, 1
+smetana.pro, 1
+smetbuildingproducts.com, 1
+smeuj.nl, 1
+smeweb.com, 1
+smexpt.com, 1
+smeys.be, 1
+smgl.cm, 1
+smh.me, 1
+smhatelier.com, 1
+smi-a.me, 1
+smialnumenor.tk, 1
+smiatek.name, 1
+smicenter.tk, 1
+smicompact.com, 1
+smictecniservi.com, 1
+smiilliin.com, 1
+smiilliin.site, 1
+smikom.ru, 1
+smile-train.org, 1
+smileback.co.uk, 1
+smilecliniq.com, 1
+smilecon.cf, 1
+smiledirectsales.com, 1
+smiledoctors.com, 1
+smileeye.com.tw, 1
+smilegenerator.tk, 1
+smilenwa.com, 1
+smileofindia.co.in, 1
+smilephi.com, 1
+smilessoftplay.co.uk, 1
+smiletrain.ph, 1
+smiletrainbrasil.com, 1
+smiletraincanada.org, 1
+smiletraindubai.org, 1
+smiletrainindia.org, 1
+smiletrainindonesia.org, 1
+smiletrainla.org, 1
+smileykylie.com, 1
+smileys-emojis.com, 1
+smileytechguy.com, 1
+smilingmiao.com, 1
+smime.io, 1
+smimea.info, 1
+smipty.cn, 1
+smipty.com, 1
+smiraus.cz, 1
+smishnik.tk, 1
+smit.com.ua, 1
+smith-solutions.com, 1
+smith-tech.ga, 1
+smith.bz, 1
+smithandellis.com, 1
+smithandnephewpensions.co.uk, 1
+smithandnoble.com, 1
+smithbell.com.ph, 0
+smithchung.eu, 1
+smithcountyelectiontn.gov, 1
+smithcountyms.gov, 1
+smithcountytxtaxrates.gov, 1
+smithf.red, 1
+smithikakart.in, 1
+smithmont.com, 1
+smithsanchez.com, 1
+smithsonian.gov, 1
+smithsstational-fpd.gov, 1
+smithsstational.gov, 1
+smithsystem.net, 1
+smithteresa.tk, 1
+smithwealth.com.au, 1
+smits.com, 1
+smits.frl, 1
+smitsdesigncenter.nl, 1
+smitsmail.net, 1
+smittybilt.com, 1
+smkkesfambatujajar.sch.id, 1
+smkn5smg.sch.id, 1
+sml.lc, 1
+smleaks.com, 1
+smlk.org, 1
+smlstriperfishing.com, 1
+smltour.net, 1
+smm.im, 1
+smm.lu, 1
+smmcab.ru, 1
+smmedia.cz, 1
+smmedya.com, 1
+smmlaba.io, 1
+smmog.tk, 1
+smmpaketleri.com, 1
+smmpanelweb.com, 1
+smmpropaganda.ru, 1
+smmworldbooster.com, 1
+smnz.de, 1
+smogdog.net, 1
+smoivez.tk, 1
+smokeandmirrors.agency, 1
+smokedrhymez.tk, 1
+smokefree.gov, 1
+smokefreeclinic.com.au, 1
+smokefreerowan.org, 1
+smokefreestage.jp, 1
+smokeopedia.com, 1
+smokeping.pl, 1
+smoker.tk, 1
+smokestore.bg, 1
+smoking-robot.com, 1
+smokinghunks.com, 1
+smokingtapes.ga, 1
+smolbotbot.com, 1
+smolensk-i.ru, 1
+smolensk.ml, 1
+smolensk.tk, 1
+smolkatours.com, 1
+smolnikova.tk, 1
+smolny.org, 0
+smoninstitute.com, 1
+smoo.st, 1
+smooth-e.net, 1
+smoothambler.com, 1
+smoothfreight.ca, 1
+smoothics.at, 1
+smoothics.com, 0
+smoothics.eu, 1
+smoothics.mobi, 1
+smoothics.net, 1
+smoothweblife.tv, 1
+smoove.io, 1
+smoqerhome.ddns.net, 1
+smorgasblog.ie, 1
+smoser.eu, 1
+smplace.com, 1
+smplr.uk, 1
+smpn10kotagorontalo.sch.id, 0
+smpnsata.sch.id, 1
+smpositiva.com, 1
+smppcenter.com, 1
+smpred.net, 1
+smprime.com, 1
+smries.com, 1
+smriticharan.com, 1
+smrtgeekdevs.com, 1
+sms-pro.tk, 1
+sms.storage, 1
+sms.to, 1
+sms1.ro, 1
+sms72.tk, 1
+smsalert.mobi, 1
+smsalvand.tk, 1
+smsappointment.com, 0
+smsbd.net, 1
+smsben.com, 0
+smsbrana.cz, 0
+smsg-dev.ch, 0
+smsinger.com, 0
+smsk.email, 1
+smskeywords.co.uk, 1
+smskmail.com, 1
+smsprivacy.org, 1
+smstec.ru, 1
+smstoreoficial.com.br, 1
+smszone.tk, 1
+smtchahal.com, 1
+smtcn.cc, 1
+smtenants.cn, 1
+smtji.com, 1
+smtnet.com, 1
+smtouseef.com, 1
+smtparish.org, 1
+smtpdev.com, 1
+smtpserver.dk, 1
+smuc-koca.si, 1
+smudge.ai, 1
+smuhelper.cn, 1
+smuncensored.com, 1
+smurffi.net, 1
+smurl.tk, 1
+smusg.com, 0
+smutfactor.com, 1
+smvcm.com, 1
+smvpdev.nl, 1
+smvpro.dk, 1
+smwenglish.com, 1
+smx.net.br, 1
+smxconventioncenter.com, 1
+smys.uk, 1
+sn0int.com, 1
+snab-ural.ga, 1
+snabbacash.no, 1
+snacdata.com, 1
+snack-online.com, 1
+snackbartaapje.com, 1
+snackbesteld.nl, 1
+snackbyincome.sg, 1
+snacktakos.gr, 1
+snacky.nl, 1
+snafarms.com, 1
+snafu.cz, 1
+snaildos.tk, 1
+snajdr.online, 1
+snajdrova.eu, 1
+snakafya.com, 1
+snakeanarchy.tk, 1
+snakejs.ga, 1
+snakesandladders.tk, 1
+snakesolid.nl, 1
+snap.com, 1
+snapaffiliate.net, 1
+snapappointments.com, 1
+snapappts.com, 1
+snapbuzz.tk, 1
+snapfinance.com, 1
+snapintegrations.net, 1
+snapkit.com, 1
+snapserv.net, 1
+snapware.tk, 1
+snapworks.net, 1
+snarf.in, 1
+snargol.com, 1
+snatch-note.tk, 1
+snatertlc.it, 1
+snatti.com, 1
+snav.cc, 1
+snazel.ae, 1
+snazel.co.il, 1
+snazel.co.uk, 1
+snazel.de, 1
+snazel.ee, 1
+snazzie.nl, 1
+snco.gov, 1
+snd-zentrum.de, 1
+sndbouncycastles.co.uk, 1
+sndcdn.com, 1
+snea-kers.tk, 1
+sneak.berlin, 1
+sneakers-sports.tk, 1
+sneakers88.it, 1
+sneakersmexs.com, 1
+sneakpod.de, 0
+sneakycode.net, 1
+sneakynote.com, 1
+sneakypaw.com, 1
+sneberger.cz, 0
+sneed.company, 1
+sneed.it, 1
+sneedit.com, 1
+sneedit.de, 1
+sneeit.com, 1
+snegozaderzhatel.ru, 1
+snehasish-chakraborty.com, 1
+snekul.net, 1
+snel4u.nl, 1
+snelbv.nl, 1
+snellius.tk, 1
+snelshops.nl, 1
+snelwebshop.nl, 1
+snelwegzen.nl, 1
+snem.tk, 1
+snerith.com, 1
+snesdev.com, 1
+snetts.com, 1
+snfdata.com, 0
+sngallery.co.uk, 1
+sngnews.tk, 1
+snh.nrw, 1
+snh48live.org, 1
+snic.website, 1
+sniderman-online.com, 1
+sniderman.co.il, 1
+sniderman.eu.org, 1
+sniderman.org, 1
+sniderman.pro, 1
+sniderman.us, 1
+sniderman.xyz, 1
+sniep.net, 1
+sniffing.gq, 1
+sniffnfetch.com, 1
+sniffy.ee, 1
+snip.software, 1
+snipdrive.com, 1
+sniper.cat, 1
+snipermarkettiming.com, 1
+snipl.io, 1
+snippet.host, 1
+snippet.ml, 1
+snippet.press, 1
+snippet.wiki, 0
+snippetpress.com, 1
+snitch.rocks, 1
+snitchnet.tk, 1
+snitko.pro, 1
+snizl.com, 1
+snj.pt, 1
+snlianshang.com, 1
+snnwes.de, 1
+sno-tek.net, 1
+snoerendevelopment.nl, 0
+snooker.tk, 1
+snoot.club, 1
+snorerx.com, 1
+snoringtreatment.tk, 1
+snorkelaroundtheworld.com, 1
+snortfroken.net, 1
+snoska.ga, 1
+snote.io, 1
+snotekbyariens.com, 1
+snoupon.com, 1
+snow-service.it, 1
+snowalerts.nl, 1
+snowapparel.us, 1
+snowatka.com, 1
+snowboard-break.tk, 1
+snowboardforum.tk, 1
+snowcat.tk, 1
+snowchamps.nl, 1
+snowcrestdesign.com, 1
+snowdon.io, 1
+snowdrop.moe, 1
+snowdy.dk, 1
+snowdy.eu, 1
+snowdy.link, 1
+snowflakeaz.gov, 1
+snowfox.ai, 1
+snowhana.com, 1
+snowhaze.ch, 1
+snowhaze.com, 1
+snowman25.de, 1
+snowmassvillage.gov, 1
+snoworld.one, 1
+snowpak.com, 0
+snowparties.com, 1
+snowpaws.de, 1
+snowplanet.tk, 1
+snowplow.forsale, 1
+snowpro.tk, 1
+snowprosinc.com, 1
+snowraven.de, 1
+snowrippers.ro, 0
+snowschool.tk, 1
+snowshoedistrictwv.gov, 1
+snowsubs.moe, 1
+snowvictoria.ga, 1
+snowy.ink, 1
+snowy.land, 1
+snowyluma.com, 1
+snowyluma.me, 1
+snp-media.de, 0
+snperformance.gr, 1
+snrat.com, 1
+snrd-africa.net, 1
+snrd.de, 1
+snrd.eu, 1
+snroth.de, 1
+snrub.co, 1
+sns-beta.com, 1
+sns-dev.com, 1
+sns-tg.pl, 1
+snsirius.cf, 1
+snsp.es, 1
+snsp.nl, 1
+snsp.ro, 1
+sntial.co.za, 1
+sntry.cc, 1
+snugsite.com.au, 1
+snukep.kr, 1
+snwsjz.com, 1
+snyder-ne.gov, 1
+so-academy.fr, 1
+so-link.co, 1
+so-spa.ru, 1
+so.is-a-cpa.com, 1
+so.ninja, 1
+soacompanhantes.vip, 1
+soadultos.com, 1
+soakgames.com, 1
+soap-teco.com, 1
+soapex.com, 1
+soapsspoilers.com, 1
+soar-npc.org, 1
+soat.fr, 0
+soatplus.com, 1
+soax.com, 0
+sobakasite.tk, 1
+sobaki.tk, 1
+sobatiment.fr, 1
+sobchak.ga, 1
+sobersys.com, 1
+sobieray.dyndns.org, 1
+soblaznenie.ru, 1
+soblaznenie2.ru, 1
+sobre.tk, 1
+sobrelixo.tk, 1
+sobreporcentagem.com, 1
+sobuj.me, 1
+soc.net, 1
+soc247.cloud, 1
+socal-babes.com, 1
+socalaccessandvideo.com, 1
+socblock.com, 1
+soccer4live.com, 1
+soccerking-store.com, 1
+soccerquarters.tk, 1
+soccers.fr, 1
+soccorsostradale.lazio.it, 1
+soccorsostradale.roma.it, 1
+socfactor.ru, 1
+sochealth.co.uk, 1
+socheap.win, 1
+sochi-sochno.ru, 1
+sochi.tatar, 1
+sochionline.tk, 1
+soci.ml, 1
+sociaalwerknederland.nl, 1
+sociability.dk, 1
+social-class.ga, 1
+social-directory-list.tk, 1
+social-engineering.tk, 1
+social-line.tk, 1
+social-media-strategy.org.uk, 1
+social-net.ir, 1
+social-network.tk, 1
+social-work-colleges.com, 1
+social-work.tk, 1
+socialab.gr, 1
+socialace.in, 1
+socialair.tk, 1
+socialarchive.nl, 1
+socialblaze.com.au, 1
+socialbook2015.ga, 1
+socialbook2015.gq, 1
+socialbook2015.ml, 1
+socialbook2015.tk, 1
+socialcare.wales, 1
+socialclimb.com, 1
+socialcredit.icu, 1
+socialdemo.ga, 1
+socialdemo.ml, 1
+socialdemo.tk, 1
+socialdevelop.biz, 0
+socialeducation.tk, 1
+socialesactivo.ga, 1
+socialesretro.tk, 1
+socialfreak.cf, 1
+socialgroups.tk, 1
+socialhams.net, 1
+socialhax.com, 1
+socialhp.com, 1
+socialism.tk, 1
+socialist-alliance.org, 0
+socialistregister.com, 1
+socialistyouth.tk, 1
+sociality.io, 1
+socializator.tk, 1
+socialloots.com, 1
+socialmarketingday.nl, 1
+socialmatch.de, 1
+socialmedia-manager.gr, 1
+socialmediadisruption.com, 1
+socialmedias.tk, 1
+socialmeeps.ml, 1
+socialnet.ml, 1
+socialnetworkdemo.tk, 1
+socialnews.ga, 1
+socialnitro.com, 1
+socialnous.co, 1
+socialpa.ws, 1
+socialplace.net, 1
+socialproject.ml, 1
+socials.gq, 1
+socialsecurity.gov, 0
+socialstrata.com, 1
+socialsurvivalist.net, 1
+socialtactics.cf, 1
+socialtactics.ga, 1
+socialtactics.gq, 1
+socialtactics.ml, 1
+socialtick.club, 1
+socialtournaments.com, 0
+socialtranslation.ga, 1
+socialtrends.pl, 1
+socialwave.tk, 1
+socialworkdegrees.org, 1
+socialworkout.net, 1
+socialworkout.org, 1
+socialworkout.tv, 1
+sociedad-electronica.tk, 1
+sociedadadventista.tk, 1
+sociedadcivil.tk, 1
+sociedadderesistencia.tk, 1
+sociedadecologica.tk, 1
+sociedadsostenible.tk, 1
+societatis.fr, 1
+societe-chablaisienne-de-revetements.com, 1
+societe-chablaisienne-de-revetements.fr, 1
+societedescompagnons.fr, 1
+societyawards.com, 1
+societyofbur-q-ua.tk, 1
+societyparty.ga, 1
+socii.network, 1
+socilit.com, 1
+sociobiology.com, 1
+sociofab.com, 1
+sociohosting.es, 1
+sociology-bg.gq, 1
+sociology-schools.com, 1
+sociologyk.nl, 1
+sociopampers.com.ar, 1
+sociopathy.org, 1
+sociosalafuerza.tk, 1
+socious.io, 1
+sociusian.gq, 1
+sockfetish.net, 1
+sockscap64.com, 1
+socksfromholland.com, 1
+socktopus.io, 1
+socomforums.tk, 1
+soconj.gov, 1
+socprime.com, 1
+socratec-pharma.de, 1
+socraticsolutions.us, 1
+socseti.cf, 1
+socseti.ga, 1
+socseti.gq, 1
+socseti.ml, 1
+socstar.ml, 1
+socstation.com, 1
+soczu.duckdns.org, 1
+soda-net.com, 1
+soda.ga, 1
+sodadigital.com.au, 1
+sodafilm.de, 1
+sodalai.tk, 1
+sodel-sa.eu, 1
+soderestore.com, 1
+sodermans.com, 1
+soderparr.com, 1
+sodexam.pro, 1
+sodi.gent, 1
+sodi.nl, 1
+sodigent.be, 1
+sodigent.gent, 1
+sodirace.com, 1
+sodo.top, 1
+sodom-metal.tk, 1
+sodrujestvo.tk, 1
+sodsouthernindiana.com, 1
+sodusny.gov, 1
+soegi-haru.com, 1
+soellc.com, 1
+soellner.info, 1
+soelt.dk, 1
+soelystsaebe.dk, 1
+soengen.com, 1
+soenkem.ddnss.de, 1
+soepvork.nl, 1
+sofa-bed.tk, 1
+sofa-rockers.org, 1
+sofabedshop.de, 1
+sofacamafuton.com.br, 1
+sofasia.com, 1
+sofasthousebuyers.com, 1
+sofaware.eu, 1
+sofdwi.gov, 1
+soff.se, 1
+soffit.com, 1
+sofi.codes, 1
+sofiaestado.com, 1
+sofialobocera.com, 1
+sofianeves.tk, 1
+sofias.tk, 1
+sofiavanmoorsel.com, 1
+sofibox.com, 1
+sofiesteinfeld.com, 1
+sofiesteinfeld.de, 1
+sofoco.us, 1
+sofortcutie24.de, 1
+sofortimplantate-muenchen.de, 1
+sofortindenurlaub.de, 1
+sofpedia.ro, 0
+soft-key.tk, 1
+soft-office.tk, 1
+soft-resets.com, 1
+soft-search-system.tk, 1
+soft.taipei, 1
+soft3arbi.com, 1
+soft41.ru, 1
+soft4led.com, 1
+softandbouncy.co.uk, 1
+softanka.com, 1
+softarabi.com, 1
+softbabyducks.com, 1
+softbit.pt, 1
+softblinds.co.uk, 1
+softchin.ir, 1
+softcom.net, 0
+softcompany.tk, 1
+softcomplex.com, 1
+softconcept.pt, 1
+softcreatr.com, 1
+softcreatr.de, 1
+softekontrack.com, 1
+softelectronet.tk, 1
+softfuture.tk, 1
+softhints.com, 1
+softios.com, 1
+softizy.com, 1
+softlay.com, 1
+softline.ru, 0
+softmas.cl, 1
+softnet-consulting.com, 1
+softonic-ar.com, 1
+softonic-id.com, 1
+softonic-th.com, 1
+softonic.cn, 1
+softonic.com, 1
+softonic.com.br, 1
+softonic.com.tr, 1
+softonic.jp, 1
+softonic.kr, 1
+softonic.nl, 1
+softonic.pl, 1
+softonic.ru, 1
+softonic.vn, 1
+softonit.ru, 1
+softonline.net, 1
+softowe.com, 1
+softpark.cf, 1
+softpark.ml, 1
+softplay4hire.co.uk, 1
+softsecmatheodexelle.be, 1
+softskills.tech, 1
+softskin.ga, 1
+softstack.ru, 1
+softtester.tk, 1
+softview.gq, 1
+softview.tk, 1
+software-search.com, 1
+software-tech.tk, 1
+software-voor-projecten.nl, 1
+software.rocks, 1
+softwareag-stage.cloud, 1
+softwarebeveiligingtestdomein.be, 1
+softwarechris.com, 1
+softwarecloud.ml, 1
+softwareclub.tk, 1
+softwarehexe.de, 1
+softwarepara.net, 1
+softwarepatenten.tk, 1
+softwarepixie.com, 1
+softwaresanta.com, 1
+softwaresecurityandradefernando.be, 1
+softwaterinc.com, 1
+softwearautomation.com, 1
+softweb-dev.de, 1
+softwing.de, 1
+softwsabri.be, 1
+softx.tk, 1
+sog-gilde.tk, 1
+sogaro-realestate.de, 1
+sogec-digital.fr, 1
+sogeek.me, 1
+sogesel.es, 1
+sogetrel-tn.de, 1
+sogno.it, 1
+sogo.com.hk, 1
+sogo.com.my, 0
+sogola.com, 1
+sogoreate-landtrust.org, 1
+sogravatas.com.br, 1
+sogravatas.net.br, 1
+sogut.bel.tr, 1
+sogutma.com.tr, 1
+sohamroy.me, 1
+sohanakhan.tk, 1
+sohanman.com, 1
+sohka.eu, 1
+soho-art.com, 1
+soia.ca, 1
+soilegustafsson.fi, 1
+soillessgeek.com, 1
+soilscapesolutions.com, 1
+soinsparlesmains.fr, 1
+sointelcom.com.co, 1
+soinvett.com, 0
+soissons-technopole.org, 1
+soji.io, 1
+sokak-sanati.tk, 1
+sokenconstruction.com, 1
+soket.ee, 1
+sokkenkraam.nl, 1
+soko.reisen, 1
+sokolin.com, 1
+sokolmelnik.tk, 1
+sokolovskyi.ml, 1
+sokolslavkov.tk, 1
+sokouchousa.net, 1
+sokrabatt.se, 1
+sokretirement.com, 1
+sol-3.de, 0
+sol-design.jp, 1
+sol-negro.tk, 1
+sol.de, 1
+sol24.net, 1
+solaland.co.uk, 1
+solalnathan.com, 1
+solalt.com, 1
+solana-active.tk, 1
+solanacasinos.io, 1
+solanaroyale.com, 0
+solandsimonasphalt.com, 1
+solanocounty.gov, 1
+solanowonen.nl, 1
+solarace.tk, 1
+solaradventures.icu, 1
+solarafrica.com, 1
+solaranalytics.com, 1
+solaranalytics.com.au, 1
+solarandenergyspecialists.com, 1
+solarbattery.ga, 1
+solarbynatureinc.com, 1
+solarcia.com.br, 1
+solareagricola.it, 1
+solarfaa.ir, 1
+solarfever.ga, 1
+solargaming.tk, 1
+solarhome.ml, 1
+solarhome.tk, 1
+solariilacheie.ro, 1
+solarisbank.de, 1
+solarisgroup.com, 1
+solarity.coop, 1
+solarium.gov, 1
+solarium.milano.it, 1
+solarloon.com, 1
+solaronics.tk, 1
+solarpanelquotes.org, 1
+solarpanels.tk, 1
+solarplan-berlin.de, 1
+solarrights.org, 1
+solarscan.com, 1
+solarseason.ga, 1
+solarstrom.net, 1
+solartek.cf, 1
+solartek.ga, 1
+solartek.gq, 1
+solartrackerapp.com, 1
+solartravel.tk, 1
+solarwave.tk, 1
+solarwind.cf, 1
+solati.co, 1
+solautoescuela.com, 1
+solaxfaq.com, 1
+solbjer.se, 1
+solcenter.com, 1
+solcloud.eu, 1
+solcom.de, 1
+solcyber.com, 1
+soldamontanhabeachwear.com.br, 1
+soldarizona.ga, 1
+soldaten-genealogie.tk, 1
+soldbygagan.com, 1
+solden.be, 1
+soldesduck.be, 1
+soldesduck.ch, 1
+soldierangels.tk, 1
+soldieroftruthpublishing.com, 1
+soldiersmg.tk, 1
+sole-erdwaermetauscher.de, 1
+soleanos.tk, 1
+solechuva.com.br, 1
+solectrus.de, 1
+soledadmataro.tk, 1
+soledadpenades.com, 0
+soleil33.net, 1
+solemare-hotel.it, 1
+solencell.com.tr, 1
+solentbasketball.co.uk, 1
+solentbubblesandbounce.co.uk, 1
+solfegiator.ch, 0
+solfipinformatique.org, 1
+solgar.dk, 1
+soli.cafe, 1
+solicafe.at, 1
+solidariaautos.com, 1
+solidarita-kosovo.net, 1
+solidarityzone.org, 1
+solidform.ml, 1
+solidgroundchiro.com, 1
+solidhost.cf, 1
+solidimage.com.br, 1
+solidincome.ga, 1
+solidityfactory.io, 1
+solidnet.software, 1
+solidnetwork.org, 1
+solidpurenonsense.tk, 1
+solidshield.com, 1
+solidsteel.tk, 1
+solidtuesday.com, 1
+solidway.co.nz, 1
+solifi.com, 1
+soligorsk.place, 1
+solihullcarnival.co.uk, 1
+solihullinflatables.com, 1
+solihulllionsclub.org.uk, 1
+solihullobserver.co.uk, 1
+solihullpcrepairs.co.uk, 1
+solikreis-stuttgart.tk, 1
+solipsists.tk, 1
+solisrey.es, 1
+solitaire-game.org, 1
+solitairenetwork.com, 1
+solitary.social, 1
+solitaryride.com, 1
+soliten.de, 1
+soliujing.ml, 1
+solium.com, 1
+soliver-group.com, 1
+sollah.com, 1
+sollahlibrary.com, 1
+solliv.com, 1
+solmek.co.uk, 1
+solnascentepapelaria.com.br, 1
+solntsezaschitnye-ochki.tk, 1
+solo.com.sa, 1
+solobus.com.co, 1
+solocorse.com, 1
+solodukhin.tk, 1
+solofajas.online, 1
+solofi.fr, 1
+sologetaway.ga, 1
+sologoc.com, 1
+sologstrand.com, 1
+sologstrand.dk, 1
+sologstrand.nl, 1
+sologstrand.no, 1
+sologstrand.se, 1
+soloinfo.it, 1
+soloingenieria.tk, 1
+solomidis.tk, 1
+solomo.pt, 1
+solomoncorp.com, 1
+solomonsklash.io, 1
+solongandthanksforallthe.fish, 1
+soloparati.cf, 1
+soloprivacidad.com, 1
+soloproductos.top, 1
+soloreti.com, 1
+soloroboto.com, 1
+solos.im, 1
+solosesso.tk, 1
+solostocks.cl, 1
+solostocks.com, 1
+solostocks.com.ar, 1
+solostocks.com.br, 1
+solostocks.com.co, 1
+solostocks.com.mx, 1
+solostocks.de, 1
+solostocks.fr, 1
+solostocks.it, 1
+solostocks.ma, 1
+solostocks.net, 1
+solostocks.pl, 1
+solostocks.pt, 1
+solovey.su, 0
+solovia.ru, 1
+solovyovalawfirm.com, 1
+solsea.io, 1
+solsi.ga, 1
+solsticecam.com, 1
+soltanastore.com, 1
+soltysblue.pl, 1
+solucion.gq, 1
+solucionesmk.online, 1
+solucionupsperu.com, 1
+solumgb.co.uk, 1
+solunet.com.ar, 1
+solut.ai, 1
+solutek.com.au, 1
+solution24.nl, 1
+solutionalbum.com, 1
+solutionmotsfleches.com, 1
+solutionpieces.com, 1
+solutionplumber.com, 1
+solutions-ii.com, 1
+solutions-it.net, 1
+solutions30.com, 1
+solutionshosted.de, 1
+solutiontutorials.com, 1
+solutys-btp-logistic.com, 1
+solutysmultiservices.com, 1
+soluzionefightlist.altervista.org, 1
+soluzionifightlist.cf, 1
+solv.ws, 1
+solvation.de, 1
+solvaybank.com, 1
+solvedapp.io, 1
+solviejo.tk, 1
+solvin.com, 1
+solviq.com, 1
+solware.co.uk, 1
+solwaveovens.com, 1
+solwayfeeders.com, 1
+solweb.co.uk, 1
+solwit.com, 1
+solxsys.com, 0
+solymar.co, 1
+soma.com.au, 1
+somaar.tk, 1
+somaini.li, 1
+somaliaonline.com, 1
+somalilandtalk.tk, 1
+somanao.com, 1
+somautomotivobr.com.br, 1
+someapi.de, 1
+somecrazy.com, 1
+somedial.ch, 1
+somedomain.tk, 1
+somehsara.tk, 1
+someog.com, 0
+somerm.com, 1
+somerprints.co.uk, 1
+somersbypark.com, 1
+somersetcountynj.gov, 1
+somersetscr.nhs.uk, 1
+somersetwellbeing.nhs.uk, 1
+somersworthnh.gov, 1
+somes.me, 1
+someserver.cf, 1
+something-blue.tk, 1
+something-else.cf, 1
+something.pink, 1
+somethingsimilar.com, 1
+somethingsketchy.net, 1
+somevideotapes.com, 1
+somewherenews.cf, 1
+somewherenews.ga, 1
+somewherenews.gq, 1
+somewherenews.ml, 1
+somi.nl, 1
+sominemo.com, 1
+somix.com, 1
+soml.best, 1
+sommarles.no, 1
+somme.tk, 1
+sommefeldt.com, 1
+sommeil.cl, 1
+sommeilsante.com, 1
+sommer-reitmajer.de, 1
+sommerhusudlejning.com, 1
+sommerles.no, 1
+sommerplassen.no, 1
+somnam.tk, 1
+somni.one, 1
+somnus.com, 1
+somogyivar.hu, 1
+somosbrujas.com, 1
+somosfin-app.com, 1
+somosgesath.com, 1
+somosgratitude.com.br, 1
+somoslaarmenia.com, 1
+somosweb.cf, 1
+somoybuzz.com, 1
+sompo-intl.com, 1
+sompo.com.br, 1
+sompohorizon.com, 1
+somsak.de, 1
+somuchbetterwithage.com, 1
+somweyr.de, 1
+son-onlajn.cf, 1
+son-onlajn.ga, 1
+son-onlajn.gq, 1
+son-onlajn.ml, 1
+son-onlajn.tk, 1
+son-tolkovatel.cf, 1
+son-tolkovatel.ga, 1
+son-tolkovatel.gq, 1
+son-tolkovatel.ml, 1
+son-tolkovatel.tk, 1
+son.ru, 1
+sona-gaming.com, 1
+sona.fr, 1
+sonacupalova.cz, 1
+sonalisharma.co.in, 1
+sonar.ga, 1
+sonaraamat.com, 1
+sonarhmx01.serveftp.org, 1
+sonarhmx02.serveftp.org, 1
+sonarsource.com, 1
+sonavankova.cz, 1
+sonaza.com, 1
+sonaza.fi, 1
+sonbilgi.net, 1
+soncini.ch, 1
+soncnaura.si, 1
+sondebase.com, 1
+sondemitierra.tk, 1
+sonder.com.au, 1
+sonderfloral.com, 1
+sonderkomission.ch, 1
+sondoro.tk, 1
+sondriotoday.it, 1
+sonesinafar.tk, 1
+sonesisonesi.tk, 1
+sonesonesisi.tk, 1
+sonet.digital, 1
+sonet.uz, 1
+song.ski, 1
+songclan.tk, 1
+songdew.com, 1
+songesdeplumes.fr, 1
+songlifty.com, 1
+songsigrewupsinging.com, 1
+songslaura.tk, 1
+songsonline.tk, 1
+songsterr.com, 1
+songsthatsavedyourlife.com, 1
+songtianyi.com, 1
+songun.ml, 1
+songyang.cn, 1
+songzhuolun.com, 1
+sonia.ai, 1
+soniaai.com, 1
+soniaferrer.tk, 1
+sonic.network, 1
+sonic.sk, 0
+sonic.studio, 1
+sonicautomation.ai, 1
+sonicdoe.com, 1
+sonicdx.com.au, 1
+soniclaunchpad.com, 1
+soniclink.tk, 1
+sonicshop.tk, 1
+sonicwanderer.tk, 1
+sonicworld.tk, 1
+sonidosbinaurales.com, 1
+sonidoslibertarios.tk, 1
+sonik.tk, 1
+sonimusic.tk, 1
+soninger.ru, 1
+sonix.dk, 1
+sonixonline.com, 1
+sonixpro.com, 1
+sonja-daniels.com, 1
+sonja-kowa.de, 1
+sonjaruster.de, 1
+sonjaundjeromeheiraten.jetzt, 1
+sonjoux.com, 1
+sonkamusic.tk, 1
+sonlapc.vn, 1
+sonmark.ru, 1
+sonnenbergharrison.law, 1
+sonnendeal.ml, 1
+sonnendeal.tk, 1
+sonnenta.de, 1
+sonneundstrand.de, 1
+sonnik-znachenie-sna.cf, 1
+sonnik-znachenie-sna.ga, 1
+sonnik-znachenie-sna.gq, 1
+sonnik-znachenie-sna.ml, 1
+sonnik-znachenie-sna.tk, 1
+sonnyland.tk, 1
+sonodrom.tk, 1
+sonoecoracao.com.br, 1
+sonofsunart.com, 1
+sonohigurashi.blog, 1
+sonologic.nl, 1
+sonology.tk, 1
+sonomacounty.gov, 1
+sonomacountywriterscamp.com, 1
+sonomotors.com, 1
+sonoratexas.gov, 1
+sonorem-audition.fr, 1
+sonosguide.dk, 1
+sonraisecurity.com, 1
+sons.cf, 1
+sons.tk, 1
+sonsight.tk, 1
+sonsonate.cf, 1
+sonsonate.tk, 1
+sony-psvita.ru, 1
+sonyazi.com, 1
+soohealthy.nl, 1
+soom.ga, 1
+soom.tk, 1
+soomee.be, 1
+soomee1.be, 1
+soontm.net, 1
+soopure.nl, 1
+soopy.moe, 1
+sopelaotaez.tk, 1
+sopenguin.com, 1
+soph.jp, 1
+soph.tk, 1
+soph.us, 1
+sopheos.com, 0
+sopher.io, 1
+sophia.com.br, 1
+sophiaandmatt.co.uk, 1
+sophiafoundation.org, 1
+sophiahatstudio.com, 1
+sophiajaneboutique.com, 1
+sophiakligys.com, 1
+sophiatazar.com, 1
+sophie-revault.fr, 1
+sophiebreslin.co.uk, 1
+sophiekush.com, 1
+sophier.tk, 1
+sophomoric.ga, 1
+sophos.com, 1
+sophus.com.br, 1
+sopilov.tk, 1
+sopira.ru, 1
+sopo.me, 1
+soportelatino.ml, 1
+sopra.tk, 1
+soprabalao.com.br, 1
+sopriza.com, 1
+sopronforras.tk, 1
+soprovise.fr, 1
+sopsop.tk, 1
+soqor-damam.com, 1
+soquee.net, 0
+sor.so, 1
+sorabi.jp, 1
+soraharu.com, 0
+soraiaschneider.com.br, 1
+sorakumo.jp, 1
+sorbire.com, 1
+sorcix.com, 0
+sorellecollection.com.au, 1
+sorellinteriors.com, 1
+soren.xyz, 1
+sorenstudios.com, 1
+sorex.photo, 1
+sorin.cc, 1
+sorincocorada.ro, 1
+sorn.service.gov.uk, 1
+sornyaki.tk, 1
+sorocabacopos.com.br, 0
+sorpresashop.nl, 0
+sorrentofc.com.au, 1
+sorrentoparking.com, 1
+sorridi.xyz, 1
+sorrowfulunfounded.com, 1
+sort.land, 1
+sortandpack.com, 1
+sortaweird.net, 0
+sorted.org.nz, 1
+sorteiosdotom.com.br, 1
+sortek.mk, 1
+sorteonline.com.br, 1
+sorting.ai, 1
+sortirentrenous.com, 1
+sortly.com, 1
+sorubak.com, 1
+soruly.com, 1
+soruly.io, 1
+soruly.moe, 1
+soruly.net, 1
+soruly.org, 1
+sorumatik.co, 1
+sorunrehberi.com, 1
+sorveglianza.roma.it, 1
+sorwi.gov, 1
+sorx.tech, 1
+sorz.org, 1
+sos-brigade.org, 1
+sos-deratisation.com, 1
+sos-elettricista.it, 1
+sos-fabbro.it, 1
+sos-falegname.it, 1
+sos-idraulico.it, 1
+sos-loodgieter.com, 1
+sos-muratore.it, 1
+sos.sk, 0
+sos.xxx, 1
+sosafe-awareness.com, 1
+sosaka.ml, 1
+sosaka.tk, 1
+soscavehumide.fr, 1
+sosecu.red, 1
+sosedisetka.tk, 1
+sosesh.shop, 1
+sosessaimabeilles.com, 1
+sosharch.com, 1
+soshin.cf, 1
+sosimple.academy, 1
+sosisuka.ga, 1
+sosko.in.rs, 1
+soslsd.org, 0
+sosmicro.tk, 1
+sosnovka.ga, 1
+soso.ga, 1
+soso.loan, 1
+soso.ml, 1
+soso.stream, 1
+sosoft.tk, 1
+sosoftplay.co.uk, 1
+sosok.tk, 1
+sosou.eu, 0
+sospechhulp.nl, 1
+sospeed.net, 1
+sosregistration.eu, 1
+sostacancun.com, 1
+soste.fi, 0
+sosteric.si, 1
+sosuchki.com, 1
+sosyalat.com, 1
+sosyalevin.com, 0
+sosyalpro.com.tr, 1
+sosz.org, 1
+sota.sh, 1
+sotadb.info, 1
+sotaltamer.it, 1
+sotar.us, 1
+soterdev.com, 1
+sotieg.fr, 1
+sotin-hr.tk, 1
+sotis.bg, 1
+sotnya.cf, 1
+sotnyk.ml, 1
+sotoasobi.net, 1
+sotocine.tk, 1
+sotolar.com, 1
+sotonlgbt.org.uk, 1
+sotool.dk, 1
+sotovik.tk, 1
+sotrom.com, 1
+sotsiaalkindlustusamet.ee, 0
+sotthewes.nl, 1
+sottilealimentos.com.br, 1
+sottomarini.tk, 1
+sotypicallydutch.nl, 1
+soubriquet.org, 1
+soufastnet.com.br, 1
+souga.eu.org, 1
+sougou.com, 1
+souked.com, 1
+soukka-seura.fi, 1
+soukodou.jp, 1
+soul-of-style.com, 1
+soul-source.co.uk, 1
+soulberber.com, 1
+soulc.ml, 1
+soulcasa.com.br, 1
+soulconstructors.com, 1
+soulcrazy.org, 1
+souldecorpaints.co.nz, 1
+soulema.com, 1
+souletter.com, 1
+soulike.tech, 1
+soulinbusiness.ga, 1
+soulla.tk, 1
+soulmating.de, 1
+soulmusic.tk, 1
+soulnatura.es, 1
+soulogic.com, 1
+soulpetrol.in, 1
+soulpowercoaching.ga, 1
+soulreapers.tk, 1
+soulshare.com, 1
+soulshare.net, 1
+soulshow.tk, 1
+soulsinner.tk, 1
+soulsteer.com, 0
+soulwinning.tk, 1
+soulyfunerals.co.nz, 1
+soulyi.io, 1
+soumen.tk, 1
+soumikghosh.com, 1
+soumission-assurances.ca, 1
+soumissionalarme.ca, 1
+soumya.xyz, 1
+soumya92.me, 1
+sounah.com, 1
+sound-gardens.com, 1
+sound-orpheus.tk, 1
+sound-recording.org, 1
+sound-wave.tk, 1
+sound.as, 1
+soundabout.nl, 1
+soundar.eu.org, 1
+soundar.net, 1
+soundbase.tk, 1
+soundblast.tk, 1
+soundcache.tk, 1
+soundcamp.org, 1
+soundcharts.com, 1
+soundclick.com, 1
+soundcloud-to-mp3.com, 1
+soundcloud.com, 1
+soundee.com, 1
+soundeo.com, 1
+soundeo.net, 1
+soundersmusic.com, 1
+soundexclusive4ever.tk, 1
+soundfingers.com, 0
+soundgasm.net, 1
+soundgo.gq, 1
+soundinthesignals.tk, 1
+soundlight.tk, 1
+soundman.ga, 1
+soundmix.tk, 1
+soundmk.ch, 1
+soundmoney.club, 1
+soundmoney.page, 1
+soundmoney.tech, 1
+soundoffsignal.com, 1
+soundonmike.tk, 1
+soundproofingideas.com, 1
+soundprotectionllc.com, 1
+soundrecords.tk, 1
+soundrelief.com, 0
+soundresource.tk, 1
+soundrise.tk, 1
+sounds-resource.com, 1
+sounds.koeln, 1
+soundservice.gr, 1
+soundshepard.tk, 1
+soundslike.gent, 1
+soundtrash.tk, 1
+soundtube.tk, 1
+soundwavefestival.tk, 1
+soundzimega.tk, 1
+soungui.cm, 1
+soungui.com, 1
+soungui.net, 1
+soupbuahtaza.id, 1
+sour.is, 1
+souravbhor.gq, 1
+souravbhor.ml, 1
+source-clan.tk, 1
+sourceaudio.co.uk, 1
+sourceaudio.com, 1
+sourceaudiodetect.com, 1
+sourcecode.hosting, 1
+sourcecode.love, 1
+sourcecode.tw, 1
+sourcegraph.com, 1
+sourcehut.net, 1
+sources.tk, 1
+sourcesdegarrigue.fr, 1
+sourcexchange.net, 1
+sourcing4exports.co.uk, 1
+sourcitec.com, 1
+souria.tk, 1
+sourlakepd.gov, 1
+sourmatt.xyz, 1
+sourraundweb.tk, 1
+sourse.co, 1
+sous-surveillance.net, 0
+southadamswaterco.gov, 1
+southambouncycastle.co.uk, 1
+southamptontownnypolice.gov, 1
+southbankregister.com.au, 1
+southbaylatherapy.com, 1
+southbendflooring.com, 1
+southboroughma.gov, 1
+southbridge-ma.gov, 1
+southcarolinahealth.tk, 1
+southdakotahealth.tk, 1
+southdakotanet.tk, 1
+southeast-asia.ru, 1
+southeastradiology.com, 1
+southeastvalleyurology.com, 1
+southerncross.tk, 1
+southernforge.com, 1
+southerngospelnow.com, 1
+southerngospelprizes.com, 1
+southernknightsatlanta.com, 1
+southernlights.cf, 1
+southernlights.club, 1
+southernlights.gq, 1
+southernlights.ml, 1
+southernlights.site, 1
+southernmost.us, 1
+southernsecurity.org, 1
+southernsurgicalga.com, 1
+southernvalve.com, 1
+southernviewmedia.com, 1
+southernwatersolutions.com, 1
+southessexstatus.co.uk, 1
+southfieldtownshipmi.gov, 1
+southgatemi.gov, 1
+southgatesystems.com, 1
+southgeorgiacargotrailers.org, 1
+southjacksonville-il.gov, 1
+southjerseyhomes.info, 1
+southkingstownri.gov, 1
+southlakenissanparts.com, 1
+southlaketx.gov, 1
+southlandurology.com, 1
+southmarengo.com, 1
+southmarengoal.gov, 1
+southmelbourne.apartments, 1
+southmill.com, 1
+southmilwaukee.gov, 1
+southmorangtownhouses.com.au, 1
+southogdencity.gov, 1
+southphoenixair.tk, 1
+southridgeservices.com, 1
+southside-crew.com, 1
+southside-digital.co.uk, 1
+southside-tuning-day.de, 1
+southsidebargaincenter.com, 1
+southsidebuildingcenter.com, 1
+southsideplacetx.gov, 1
+southstpaulmn.gov, 1
+southtoowoombahawks.com.au, 0
+southwebsterohio.gov, 1
+southwestkansaslibrarysystem.gov, 1
+southwestpremierurology.com, 1
+southwestrda.org.uk, 1
+southwestwildlife.org, 1
+southwickma.gov, 1
+southwindsor-ct.gov, 1
+southyorkshire-pcc.gov.uk, 1
+southyorkshireviolencereductionunit.com, 1
+soutien-naissance.com, 1
+souto.eu, 1
+souvenir-fashion.com, 1
+souvenirs-gifts.tk, 1
+souzanabellydance.com, 1
+sova-center.ru, 1
+sova.cc, 1
+sova.st, 1
+sova.wiki, 1
+sovendus.ch, 1
+sovendus.com, 1
+sovendus.de, 1
+sovendus.dk, 1
+sovendus.es, 1
+sovendus.fr, 1
+sovendus.it, 1
+sovendus.nl, 1
+sovendus.pl, 1
+sovendus.se, 1
+sovereign.bounceme.net, 1
+sovereignpcs.com, 1
+soverin.net, 1
+sovest.ml, 1
+sovet4ik.info, 1
+soveti.info, 1
+sovetidachniku.info, 1
+sovetiogorodniku.info, 1
+sovhoz.tk, 1
+sovmestimost-goroskop.cf, 1
+sovmestimost-goroskop.ga, 1
+sovmestimost-goroskop.gq, 1
+sovmestimost-goroskop.ml, 1
+sovmestimost-zodiak.gq, 1
+sovos.com, 1
+sovremenik.tk, 1
+sovryn.com, 1
+sovtech.tk, 1
+sovxoz.gq, 1
+sowget.com, 1
+sowhat.dk, 0
+sowncloud.de, 1
+sowndfinancial.com, 1
+sowsmallgarden.com, 1
+sowtarabiya.com, 1
+soybase.org, 1
+soychef.today, 1
+soychile.cl, 1
+soydoula.com, 1
+soydxn.com, 1
+soyezonline.fr, 1
+soyinstalador.cl, 1
+soyladani.com, 1
+soylemeztrading.com, 1
+soyou.jp, 1
+soytusitio.com, 1
+soyuznik.ml, 1
+soyvigilante.com, 1
+sozai-good.com, 1
+sozai.tk, 1
+sozdanie-krana.ml, 1
+soze.in, 1
+sozialabstand.de, 1
+soziale.email, 1
+sozialismus.tk, 1
+sozialistische-gruppe.de, 1
+sozialy.com, 1
+sozlervereplikler.com, 1
+sozole.eu, 1
+sozon.ca, 1
+sp-az.com, 1
+sp-codes.de, 1
+sp-consulting.ch, 1
+sp-dh.com, 1
+sp-gg.com, 1
+sp-magic.de, 1
+sp-moebel.net, 1
+sp-pn.com, 1
+sp-sites.com.au, 1
+sp.rw, 1
+sp03.de, 1
+sp8ce.co, 1
+spa-center.tk, 1
+spaallegretto.com, 1
+spabellabolivia.com, 1
+spac2stock.com, 1
+space-art.tk, 1
+space-combat.tk, 1
+space-for.business, 1
+space-inc.co.jp, 1
+space-it.de, 1
+space-mining.cf, 1
+space-net.ml, 1
+space-station.tk, 1
+space-time-elements.com, 1
+space-y.cf, 1
+space.gov.ae, 1
+spaceage.mp, 1
+spaceanimalnutrition.com, 1
+spaceapi.io, 1
+spacebabies.nl, 1
+spacebear.ee, 1
+spacebestnews.tk, 1
+spacecityweather.com, 1
+spacecorp.de, 1
+spacedance.tk, 1
+spacedogs.ml, 1
+spacedrive.nl, 1
+spacefighters.tk, 1
+spacehey.com, 1
+spacehighway.ms, 1
+spacehighways.net, 1
+spaceholder.cc, 1
+spaceint.fr, 1
+spacekeat.com, 1
+spacelabs.io, 1
+spacelabshealthcare.com, 1
+spacelandpark.ga, 1
+spacelift.io, 1
+spacenerd.it, 1
+spaceon.tk, 1
+spacepirates.tk, 1
+spacepixel.ml, 1
+spacepunks.de, 1
+spacerocksmc.tk, 1
+spaceroot.cz, 1
+spacesedu.com, 1
+spaceshells.tk, 1
+spacestation13.com, 1
+spacetime.am, 0
+spaceunique.de, 1
+spaceunique.eu, 1
+spacewinner.nl, 0
+spacinov.com, 1
+spacivox.com, 1
+spackova.cz, 1
+spacomic.com, 1
+spaconnection.com, 1
+spaconsulting.it, 1
+spactostock.com, 1
+spadok.org.ua, 1
+spaenny.tf, 1
+spaghettiphreakers.tk, 1
+spaghettiwesterns.tk, 1
+spagobudapest.com, 1
+spahireleeds.co.uk, 1
+spainemotions.com, 1
+spaink.net, 1
+spainpol.es, 1
+spajk.cz, 1
+spalnobelyo.com, 1
+spaltron.net, 1
+spamasaurus.com, 1
+spamcage.com, 1
+spamdrain.com, 1
+spamedica.com.co, 1
+spamhunter360.gq, 1
+spamlinks.net, 1
+spammable.com, 1
+spamtuning.tk, 1
+spamty.eu, 1
+spanch.cf, 1
+spanch.ga, 1
+spanch.gq, 1
+spanch.ml, 1
+spanch.tk, 1
+spanchelele.cf, 1
+spanchelele.ga, 1
+spanchelele.gq, 1
+spanchelele.ml, 1
+spanchelele.tk, 1
+spanda.io, 1
+spandrusyszyn.com, 1
+spanglishls.com, 1
+spanien.guide, 1
+spanischunterricht.tk, 1
+spanishblackboard.com, 1
+spanishdogs.tk, 1
+spanishenglish.com, 1
+spanishenglish.net, 1
+spanishnewsarticles.tk, 1
+spanishnow.tk, 1
+spankmonster.com, 1
+spanmass-portal.org, 1
+spanner.tk, 1
+spanner.works, 1
+spanpine.gq, 1
+spanstindrundt.no, 1
+spantrix.com, 1
+spanyolul.hu, 1
+spar-dich-frei.com, 1
+spar-ics.com, 1
+spar-ni.co.uk, 1
+spar.at, 1
+spar.hr, 1
+spar.hu, 1
+spar.si, 1
+sparanoid.blog, 1
+sparanoid.com, 1
+sparanoid.net, 1
+sparanoid.network, 1
+sparanoidstatus.com, 1
+sparatryggt.se, 1
+spare.no, 1
+spare.se, 1
+sparendirekt.at, 1
+spargrancanaria.es, 1
+sparkandglass.com, 1
+sparkar.com, 1
+sparkasse.de, 1
+sparkbase.cn, 1
+sparkeddigital.ca, 1
+sparkedge.eu, 1
+sparkforautism.org, 1
+sparkingscala.com, 1
+sparkl.fm, 1
+sparklabs.com, 1
+sparklatvia.lv, 1
+sparkleapp.com, 1
+sparklebastard.com, 1
+sparklesvt.com, 1
+sparklewindowcleaners.co.za, 1
+sparklingloungecampiglio.it, 1
+sparklyfairy.co.nz, 1
+sparkplug.tk, 1
+sparkpluguniversity.com, 1
+sparkresearch.net, 1
+sparksga.gov, 1
+sparkz.no, 1
+sparmedo.de, 1
+sparprofi.at, 1
+sparrius.com, 1
+sparrowwallet.com, 1
+sparta-en.org, 1
+sparta-szczekociny.tk, 1
+sparta-upice.tk, 1
+sparta.ee, 1
+spartacuslife.com, 1
+spartaermelo.nl, 1
+spartamet.tk, 1
+spartan300.tk, 1
+spartanis.tk, 1
+sparvagn.tk, 1
+sparx.dog, 1
+spasem-park.tk, 1
+spasicilia.it, 1
+spasskellner-comedykellner.ch, 1
+spatialflunky.one, 1
+spatialnom.com, 1
+spatiugratis.tk, 1
+spatter.cf, 1
+spatter.tk, 1
+spatzenwerkstatt.de, 1
+spawn.cz, 1
+spaysy.com, 1
+spazioasperger.it, 1
+spaziobenedetti.com.br, 1
+spaziopervoi.com.br, 1
+spazturtle.co.uk, 1
+spazzacamino.roma.it, 1
+spb-clean.ru, 1
+spbatelec.fr, 1
+spbelect.info, 1
+spbelect.org, 1
+spbet99.com, 1
+spbfavourite.ru, 1
+spbgorod.ru, 1
+spbot.ml, 1
+spc-ag.ch, 1
+spcconnect.com, 1
+spcollege.edu, 1
+spconsult.com.br, 1
+spctech.click, 1
+spd-porta-westfalica.de, 1
+spd-porta-westfalica.eu, 1
+spd15revision.gov, 1
+spdepartamentos.com.br, 1
+spdf.net, 1
+spdfund.org, 1
+spdillini.com, 1
+spdrdng.com, 1
+spe.org.co, 1
+speac.jp, 1
+speacock.co.uk, 1
+speacock.uk, 1
+speak-polish.com, 1
+speak.nl, 0
+speak.software, 1
+speakandgo.education, 1
+speakeasy.co, 1
+speaker-animateur.com, 1
+speakermatch.com, 1
+speakersbusiness.com, 1
+speakersden.tk, 1
+speakersforschools.org, 1
+speakertwpmi.gov, 1
+speakthewordaudio.com, 1
+spear.ga, 1
+spec-auto.com.ua, 0
+spec-ranking.pl, 1
+specdrones.us, 1
+specflow.org, 1
+special-education-degree.net, 1
+special-equipment.tk, 1
+special-ops.org, 1
+specialcameras.tk, 1
+specialcounsel.com, 1
+speciale.cf, 1
+specialeffect.tk, 1
+specialelectronics.tk, 1
+specialisedlightingandtorches.com.au, 1
+specialist.srv.br, 0
+specialistskin.com.sg, 1
+specialized-hosting.eu, 1
+specialnoise.tk, 1
+specialofficesupplies.tk, 1
+specialplasticparts.com, 1
+specialproperties.com, 1
+specialsite.tk, 1
+specialtechnique.tk, 1
+specialtyalloys.ca, 1
+specialtyjets.ca, 1
+specialworld.ml, 1
+speciauxquebec.com, 1
+speciesism.com, 1
+specificenergy.com, 1
+speciosapro.com, 0
+speckle.systems, 1
+speckrot.ru, 1
+specks.tk, 1
+specopssoft.com, 1
+specprawnik.pl, 1
+specs-tech.com, 1
+specsdot.ga, 1
+spectacles.com, 1
+spectemur.tk, 1
+spectrafox.com, 1
+spectre-network.tk, 1
+spectrocoin.com, 1
+spectrosoftware.de, 1
+spectrum-markets.com, 1
+spectrum.co.ae, 0
+spectrum.gov, 1
+spectrum3d.ru, 1
+spectrumelectrical-brisbane.com.au, 1
+spectrumreachadacademy.com, 1
+spectrumreachpayitforward.com, 1
+spectrumtexas.net, 1
+spediscifiori.com, 1
+spedizioni.roma.it, 1
+speechdrop.net, 1
+speechmate.com, 1
+speechmore.ml, 1
+speechpathologygraduateprograms.org, 1
+speechpathologymastersprograms.com, 1
+speed-bonus.tk, 1
+speed-strike.tk, 1
+speed.tk, 1
+speedable.net, 1
+speedcam.tk, 1
+speedcubing.tk, 1
+speeddate.it, 0
+speeddating.mx, 1
+speeder-vpn.tk, 1
+speeder.cf, 1
+speeder.one, 1
+speeders.cf, 1
+speeders.ga, 1
+speedexam.net, 1
+speedhoundz.com, 1
+speedleads.dk, 1
+speedlearning.ml, 1
+speedlearningapp.com, 1
+speedlearningapp1.com, 1
+speedliner.com, 1
+speedmailer.nl, 1
+speedof.me, 1
+speedracer.ca, 1
+speedsvip.cc, 1
+speedtailors.com, 1
+speedtemplate.de, 1
+speedtest-russia.com, 1
+speedvitals.com, 1
+speedwaybring-proposal.cf, 1
+speedwaybusinesspark.com, 1
+speedwell.pt, 1
+speedwp.ch, 1
+speedychat.it, 0
+speedynews.ml, 1
+speedyplatypus.com, 1
+speedzone.bg, 1
+speelfabriek.tk, 1
+speeli.com, 1
+speets.ca, 1
+spegeltankar.tk, 1
+speich.net, 1
+spek.tech, 1
+spekit.com, 1
+spelaspelautomater.ga, 1
+speleo-explo.fr, 1
+speleo.live, 1
+speletrodomesticos.com.br, 1
+spellcheck24.net, 1
+spellchecker.net, 1
+spellchecksquatting.com, 1
+spellic.com, 1
+spelling.ml, 1
+spellslinger.space, 1
+spencernc.gov, 1
+spencerscherer.com, 1
+spend.cloud, 1
+spendable.money, 1
+spendd.co, 1
+spenderservice.net, 1
+spendesk.com, 1
+spendlinq.com, 1
+spendmenot.com, 1
+spendo.gq, 1
+spendwise.com.au, 1
+spenglerei-shop.de, 1
+spenny.tf, 1
+spensix-pekalongan.tk, 1
+spentra.com, 1
+sperandii.it, 1
+sperformance.shop, 1
+spero.solutions, 1
+sperrmuell-berlin.de, 1
+sperrstun.de, 1
+spertto.com, 1
+spes.solutions, 1
+spesaerisparmio.com, 1
+spesys-services.fr, 1
+spetsialist.cf, 1
+spetskabel.ru, 1
+spettacolocame.ga, 1
+speventos.es, 1
+spewingmews.moe, 1
+speww.com, 1
+spfusion.com, 1
+sphaeristerium.it, 1
+sphere-realty.com, 1
+sphereblur.com, 1
+spherejoias.com.br, 1
+sphericalmagic.com, 1
+sphericalvision.cz, 1
+spholdings.us, 1
+sphynx-cats.com, 1
+sphynxboyz.com.au, 1
+spicandspanroofrestoration.com.au, 1
+spice-club.tk, 1
+spicegirlschart.tk, 1
+spiceislandhome.com, 1
+spicejungle.com, 1
+spicelandcorporation.com, 1
+spicemail.cc, 1
+spicemoney.com, 0
+spicerack.co.uk, 0
+spicerack.uk, 1
+spicevids.com, 1
+spicevidsgay.com, 1
+spichki.tk, 1
+spicture.in, 1
+spicydog.org, 1
+spicydog.tk, 1
+spicymatch.com, 1
+spicysubject.com, 1
+spicywombat.com, 1
+spidercrabs.tk, 1
+spidergymrotterdam.tk, 1
+spidermail.tk, 1
+spidermanitalia.tk, 1
+spidernet.tk, 1
+spideroak.com, 1
+spiders.org.ua, 1
+spidersweb.cf, 1
+spidersweb.ga, 1
+spidersweb.gq, 1
+spidertechpromotions.com, 1
+spidometr.ml, 1
+spie-wirliebenkabel.de, 1
+spiegelingenblog.nl, 1
+spiegels-op-maat.nl, 1
+spieka.info, 1
+spielautomaten.cf, 1
+spielbankspezialist.com, 1
+spielcasinos.com, 1
+spiele-gewinnspiele.tk, 1
+spielefant.de, 1
+spielezar.ch, 1
+spielgeld.tk, 1
+spielland.ch, 1
+spiellawine.de, 1
+spielmit.com, 1
+spieltexte.de, 1
+spiet.nl, 1
+spiffsearch.com, 1
+spiga.ch, 0
+spigotdesign.com, 1
+spikar.gr, 1
+spike.sh, 1
+spikejeon.tk, 1
+spikelands.com, 1
+spilka-dyplomativ.tk, 1
+spillbasen.no, 1
+spillersfamily.net, 0
+spillforum.no, 1
+spillhosting.no, 1
+spillmaker.no, 0
+spilnu.dk, 1
+spin.city, 1
+spinal.ga, 1
+spinbetter.com, 1
+spinbetter.life, 1
+spinbetter.online, 1
+spincity-casino.com, 1
+spindelnet.dk, 1
+spinderella.tk, 1
+spindrel.com, 1
+spinecomms.com, 1
+spinemexin.tk, 1
+spinner.dnshome.de, 1
+spinning-portugal.com, 1
+spinolamediation.com, 1
+spinozablue.com, 1
+spinpay.com.br, 1
+spins.city, 1
+spins.fedoraproject.org, 1
+spinscity-casino.info, 1
+spinscity.club, 1
+spinscity.info, 1
+spinscity.net, 1
+spinscity777.info, 1
+spintracer.de, 1
+spireat.it, 1
+spirella-shop.ch, 1
+spirent.com, 1
+spirit-hunters-germany.de, 1
+spirit55555.dk, 1
+spiritbionic.ro, 1
+spiritdesigns.tk, 1
+spiritedengineers.tk, 1
+spiritinthesky.com, 1
+spiritous.cf, 1
+spiritscorp.ddns.net, 1
+spiritual.codes, 0
+spiritualites.ch, 0
+spiritualityrise.com, 1
+spiritualpsychologyofacting.com, 1
+spiritualvybz.com, 1
+spiritworld.ml, 1
+spiro.se, 1
+spiski-domenov.tk, 1
+spisochek.tk, 1
+spisok-domenov.tk, 1
+spit.com.au, 1
+spitalbuhusi.ro, 1
+spitalulbuzau.ro, 1
+spitfireuav.com, 1
+spithoven.tk, 1
+spjaet.dk, 1
+splashily.gq, 1
+splashstoretw.com, 1
+splatjov.space, 1
+splatnet3.net, 1
+splatprofcare.com, 1
+splawoffice.com, 1
+splconsulenza.it, 1
+spleis.no, 1
+splendadent.it, 1
+splendidspoon.com, 0
+splendorservizi.it, 1
+splex.com, 1
+spli.co, 1
+splibrary.tk, 1
+splikity.com, 1
+splimtechco.tk, 1
+splintercake.tk, 1
+splinterface.io, 1
+splintermail.com, 1
+splinternews.com, 1
+split-taxiboat.com, 1
+split.rent, 1
+splitdna.com, 1
+splitero.com, 1
+splitreflection.com, 1
+splnk.net, 1
+sploch.com, 1
+splorge.cloud, 0
+splorge.website, 1
+splunk.net, 1
+splytech.io, 1
+spm-servis.tk, 1
+spmax.design, 1
+spmf.org.sg, 1
+spmfijnmechanica.nl, 1
+spmttest.azurewebsites.net, 1
+spnitalianfestival.com, 1
+spnsv.com, 1
+spocool.com, 1
+spodelime.com, 1
+spofia.nu, 1
+spokanecounty.gov, 1
+spokanevalleywa.gov, 1
+spokeoaffiliates.com, 1
+spokesly.com, 1
+spolekatelier.cz, 1
+spoluck.ca, 1
+spolwind.de, 0
+spom.net, 1
+sponc.de, 1
+spongebobwiki.tk, 1
+sponsor.software, 1
+spoofhaus.com, 1
+spookbook.net, 1
+spookquest.com, 1
+spooks.ga, 1
+spookyinternet.com, 1
+spoorcam.nl, 1
+sporadesnews.gr, 1
+sporenvanslavernijutrecht.nl, 1
+sporeprinters.com, 1
+sporki.fun, 1
+sporq.de, 1
+sporstball.com, 1
+sport-attitude.com, 1
+sport-in-sundern.de, 1
+sport-news.ml, 1
+sport-news24hs.tk, 1
+sport-obzor.tk, 1
+sport-online-ru.cf, 1
+sport-potreby.cz, 1
+sport-potreby.sk, 1
+sport-school.tk, 1
+sport-socken.net, 1
+sport-tv-guide.live, 1
+sport24.by, 1
+sport4sd.com, 1
+sportabatese.tk, 1
+sportabee.com, 0
+sportadictos.com, 1
+sportal.se, 1
+sportalliance.com, 1
+sportboot.mobi, 1
+sportcenter.ga, 1
+sportcenter.ml, 1
+sportchirp.com, 1
+sportclipsfranchise.com, 1
+sportcompactwarehouse.com, 1
+sportcucc.hu, 1
+sportda.tk, 1
+sporte3q.com, 1
+sportedy.com, 1
+sporter.com.hr, 1
+sportfair.it, 1
+sportfits.at, 1
+sportfits.de, 1
+sportfits.eu, 1
+sportfogadas.tk, 1
+sporthotel-rasen.com, 1
+sportify-design.fr, 1
+sportihome.com, 1
+sportinfon.cf, 1
+sportingclubdacruz.pt, 0
+sportivo.cf, 1
+sportivo.ga, 1
+sportivo.tk, 1
+sportli.cz, 1
+sportli.sk, 1
+sportlinks.tk, 1
+sportllux.com.br, 1
+sportmedia.ga, 1
+sportmultimedia.pt, 1
+sportnesia.com, 1
+sportnieuws.nl, 1
+sportnn.tk, 1
+sporto24.ml, 1
+sportovni.site, 1
+sportovnidum.cz, 1
+sportovnivozy.cz, 1
+sportparks.com, 1
+sportparks.org, 1
+sportpiacenza.it, 1
+sportplaatje.nl, 0
+sportposch.com, 1
+sportprint.hr, 1
+sportraucher.tk, 1
+sportrecife.com.br, 1
+sportrent.it, 1
+sports-colleges.com, 1
+sports-equipmen.tk, 1
+sports-news-today.ml, 1
+sports-online.cf, 1
+sports-sites.ml, 1
+sports-wear.tk, 1
+sportsandnews.tk, 1
+sportscanada.tk, 1
+sportsdans.tk, 1
+sportsdeck.tk, 1
+sportsdestinations.com, 1
+sportskibat.tk, 1
+sportsmagy.com, 1
+sportsmania.tk, 1
+sportsmansblog.com, 1
+sportsmashup.com, 1
+sportsmax.tv, 1
+sportspainmanagementnyc.com, 1
+sportspassbremen.de, 1
+sportspeople.com.au, 1
+sportstips.tk, 1
+sportstreetstyle.com, 1
+sportsxplay.com, 1
+sportticino.ch, 0
+sporttomorrow.com, 1
+sporttown.it, 1
+sportvereine.online, 1
+sportverzorging.tk, 1
+sportvision.ml, 1
+sportvissenfun.tk, 1
+sportwars.net, 1
+sportwette.net, 1
+sportwettenbonus.de, 1
+sportwettenschweiz.net, 1
+sportygirlsjewels.ga, 1
+sportztalk.com, 1
+spot-cleaner.tk, 1
+spot-pro.jp, 1
+spotifycodes.com, 1
+spotifyfreetrial.co.uk, 1
+spotifystars.com, 1
+spotifytop.me, 1
+spotless-londoncleaningcompany.com, 1
+spotlessohio.com, 1
+spotlightsrule.com, 1
+spotme.fit, 1
+spotmefit.com, 1
+spotonlive.dk, 1
+spotpetins.com, 1
+spotpetinsurance.ca, 1
+spotsee.io, 0
+spotsolutions.com, 1
+spotswoodvet.com, 1
+spotsylvaniacounty-va.gov, 1
+spotsylvaniacountyva.gov, 1
+spottedfoxdigital.com, 0
+spottedpenguin.co.uk, 1
+spotupload.com, 1
+spotwelders.co.nz, 1
+spotypal.com, 1
+spotzlight.cf, 1
+spotzlight.tk, 1
+spowtr.com, 1
+sppin.fr, 1
+sppit.com, 1
+spr.id.au, 1
+sprachenlernen24.org, 1
+sprachfreudehoch3.de, 1
+sprashivalka.com, 1
+spravka-internet.tk, 1
+spravka.tk, 1
+spravki.cf, 1
+spravochnick.ru, 1
+sprawdz-nip.pl, 1
+sprawdzanie-pozycji.pl, 1
+sprax2013.de, 1
+sprayontv.com, 0
+spreadsheetconverter.co, 1
+spreadsheets.google.com, 1
+spreadshirt.at, 1
+spreadshirt.be, 1
+spreadshirt.ca, 1
+spreadshirt.ch, 1
+spreadshirt.co.uk, 1
+spreadshirt.com, 1
+spreadshirt.com.au, 1
+spreadshirt.de, 1
+spreadshirt.dk, 1
+spreadshirt.es, 1
+spreadshirt.fi, 1
+spreadshirt.fr, 1
+spreadshirt.ie, 1
+spreadshirt.it, 1
+spreadshirt.net, 1
+spreadshirt.nl, 1
+spreadshirt.no, 1
+spreadshirt.pl, 1
+spreadshirt.se, 1
+spreadthejam.tk, 1
+spreadthenews.eu, 1
+spreaf.shop, 1
+spreed.me, 1
+spribe.co, 1
+spribe.io, 1
+spribe.net, 1
+spribe.tech, 1
+spribegaming.com, 1
+spricknet.de, 1
+sprietlopen.tk, 1
+sprillerer.tk, 1
+springbaystudio.com, 1
+springbreak.it, 1
+springdalewi.gov, 1
+springerundpartner.de, 1
+springfieldbricks.com, 0
+springfieldchartertownship.gov, 1
+springfieldsd.gov, 1
+springfieldvt.gov, 1
+springgrillhouse.com, 1
+springgrovepa.gov, 1
+springhillmaine.com, 1
+springhow.com, 1
+springlakemi.gov, 1
+springlanguages.com, 1
+springportmi.gov, 1
+springportny.gov, 1
+springsoffthegrid.com, 1
+springspeedshop.com, 1
+springtxcarpetcleaning.com, 1
+sprintkitchen.com, 1
+sprintlee.com, 1
+sprintswac.tk, 1
+spriterinc.com, 1
+spriters-resource.com, 1
+spritmonitor.de, 1
+spritsail.io, 1
+sprizzy.com, 1
+sprock.io, 0
+sprocktech.com, 1
+sprogress.uz, 1
+sprossen-keimlinge.de, 1
+sprossenwand.de, 1
+sproutsandstems.com, 1
+sproutstudio.com, 1
+sproutstudiostaging.com, 1
+sproutways.com, 1
+sprt.pl, 1
+sprucecreekclubs.com, 1
+sprucecreekgcc.com, 1
+spruces.gq, 1
+sprucingupmamahood.com, 1
+sprueche-zum-valentinstag.de, 1
+sprueche-zur-geburt.info, 1
+sprueche-zur-hochzeit.de, 1
+sprueche-zur-konfirmation.de, 1
+sprutech.de, 1
+sprzataniepopozarze.com.pl, 1
+sps-lehrgang.de, 1
+spslawoffice.com, 1
+spstaticfiles.com, 1
+spstechnical.com, 1
+spt.tf, 1
+spthk.com, 1
+sptk.org, 1
+spuda.net, 1
+spuffin.com, 1
+spufpowered.com, 1
+spur.com.br, 1
+spurghi.roma.it, 1
+spurhaus.com, 1
+spurstark.de, 1
+spurto.in, 1
+sputnik1net.org, 1
+spx.com, 1
+spy-net.tk, 1
+spycam.hopto.me, 1
+spychala-it.de, 1
+spyclub.tk, 1
+spydar007.com, 1
+spydar007.net, 1
+spydar007.wiki, 1
+spydersec.com, 1
+spyequipmentuk.co.uk, 1
+spypornone.com, 1
+spyprofit.ru, 1
+spyre.com, 1
+spyretx.com, 1
+spyroszarzonis.com, 1
+spyse.com, 1
+spytrash.tk, 1
+sq0z.ovh, 1
+sq3dmv.pl, 1
+sqalogic.com, 1
+sqap.pt, 1
+sqclick.com, 1
+sqdll.com, 1
+sqills.com, 0
+sql-injection.cz, 1
+sql-injection.rocks, 1
+sql-oem.com, 1
+sql-query-tool-exact-online.nl, 1
+sql-query-tool.com, 1
+sql-und-xml.de, 1
+sql.bi, 1
+sqlapius.net, 1
+sqlbi.com, 1
+sqldbm.com, 1
+sqli.cz, 1
+sqli.rocks, 1
+sqlinjection.cz, 1
+sqlinjection.rocks, 1
+sqliteonline.com, 1
+sqlwrapper.com, 1
+sqmin.tk, 1
+sqr-training.com, 1
+sqrl.ch, 1
+sqroot.eu, 1
+sqsd.xyz, 1
+squad.fr, 1
+squadco.com, 1
+squadgames.ru, 1
+squamiferum.net, 1
+squardllc.ml, 1
+square-gamers.tk, 1
+square-gaming.org, 1
+square-phone.com, 1
+square-src.de, 0
+square.com, 1
+square.com.mx, 1
+square.engineering, 1
+square.it, 1
+square.ly, 1
+square.mx, 1
+square.site, 1
+squarecdn.com, 1
+squaredancedance.tk, 1
+squaredtechnologies.com, 1
+squareeye.com, 1
+squarefootllcconstruction.com, 0
+squareforums.com, 1
+squaregift.com, 1
+squaregift.net, 1
+squaregift.org, 1
+squareinchhome.com, 1
+squareincircle.me, 1
+squareinstallments.com, 1
+squareinvite.com, 1
+squareinvoices.com, 1
+squarelab.it, 1
+squaremktg.com, 1
+squarenoid.com, 1
+squareoffer.com, 1
+squareonebgc.com.ph, 1
+squarepocketdesign.com, 0
+squareregister.com, 1
+squaresoft.ga, 1
+squaresolutions.com, 1
+squarestagingexternal.com, 1
+squareup.com, 1
+squareupsandbox.com, 1
+squeakie.club, 1
+squeaksscalesandtails.com, 1
+squeaky.services, 1
+squealing-filth.tk, 1
+squeezemetrics.com, 1
+squelcher.cf, 1
+squibby.ml, 1
+squid-board.org, 0
+squid.gay, 1
+squidnovels.tk, 1
+squido.ch, 1
+squidparty.com, 1
+squids.space, 1
+squiresinsurance.net, 1
+squirex2.com, 1
+squirted.com, 1
+squirtingpussygirl.com, 1
+squirtqueen.org, 1
+sqxb0.ga, 1
+sr-33.com, 1
+sr-f.tk, 1
+sr.ht, 1
+sr33.com, 1
+sr88.co.uk, 1
+sr88.me.uk, 1
+srae.me.uk, 1
+sram.top, 1
+srandom.com, 1
+sranje.rocks, 1
+sratim.tv, 1
+sravyareddy.space, 1
+srb.help, 1
+srbc.gov, 1
+src.fedoraproject.org, 1
+src.pp.ua, 1
+srcbolt.com, 1
+srchicmodas.com.br, 1
+srchub.org, 1
+srcpa.gov, 1
+srd.re.kr, 0
+srdmarketingservice.com, 1
+sreb.loan, 1
+srebro.cc, 1
+sreedhareeyam.tk, 1
+sreeharis.tk, 1
+sreenadh.in, 1
+sremodelingnyc.com, 1
+srfloki.com, 1
+srhdesign.co.uk, 1
+sri.com.pa, 0
+sridevi.ru, 1
+srife.net, 1
+srigc.com, 1
+srilanka.travel, 1
+srilankan-hope-for-children.nl, 1
+srilankanguides.com, 1
+sriramdigital.tk, 1
+sriravana.tk, 1
+srishtifibernetnetwork.in, 1
+sristicreationart.com, 1
+sritafrican.tk, 1
+sritalabama.tk, 1
+sritalaska.tk, 1
+sritbeauty.tk, 1
+sritbrazil.tk, 1
+sritcalifornia.tk, 1
+sritcities.tk, 1
+sritclassic.tk, 1
+sritculture.tk, 1
+sritegypt.tk, 1
+srithunters.tk, 1
+sritidaho.tk, 1
+sritsafety.ml, 1
+sritspanish.tk, 1
+srittheatre.tk, 1
+sritvermont.tk, 1
+srix.ml, 1
+srkarra.com, 1
+srkb.net, 1
+srle.tk, 1
+srmi.biz, 1
+srmllc.net, 1
+srmstatic.com, 1
+srnl.gov, 1
+sro.fi, 1
+sro.nl, 1
+srochno-pohudeti.tk, 1
+srochnozaim.gq, 1
+srochnyj-zajm.ga, 1
+sroma.tk, 1
+srorisksolutions.tk, 1
+sros.fi, 1
+sroturkey.tk, 1
+srp.gov, 1
+srpx.de, 1
+srqpedals.com, 1
+srroddy.com, 1
+srs.sg, 0
+srsforward.email, 1
+srsfwd.com, 1
+srsfwd.email, 1
+srsfwd.eu, 1
+srsfwd.net, 1
+srsfwd.org, 1
+srspmatti.in, 1
+srto.win, 1
+srun.in, 0
+sruthisjewellery.com, 1
+srv-4g-test.fr, 1
+srv-home.fr, 1
+srvonfire.com, 1
+srwminc.com, 1
+srx.sx, 1
+ss-news.tk, 1
+ss.com, 1
+ss.lazio.it, 1
+ss.lt, 1
+ss.lv, 1
+ss.ua, 1
+ss09.com, 0
+ss5197.co, 1
+ss64.com, 1
+ss64.org, 1
+ss6729.co, 1
+ss6729.com, 0
+ss6957.co, 1
+ss9188.com, 0
+ss9288.com, 0
+ss9297.co, 1
+ss9397.com, 1
+ss9728.co, 1
+ssa.co.ir, 1
+ssa.gov, 0
+ssaarevents.tk, 1
+ssab.gov, 1
+ssasociety.nl, 1
+ssatpa.com, 1
+ssatripura.com, 1
+ssb.ee, 1
+ssbjk.org, 1
+ssbljk.com, 1
+ssbrm.ch, 1
+ssbwiki.com, 1
+ssc.vg, 0
+sscd.no, 1
+sschd.cc, 0
+sscnapoli.it, 1
+ssconn.com, 1
+sscpsms.biz, 1
+ssdax.com, 1
+ssdpalermo.it, 1
+ssenberg.nl, 1
+ssentinel.com, 1
+sserc.ca, 1
+ssetechnologies.com, 1
+ssf.no, 1
+ssfca.gov, 1
+ssh-keys.online, 1
+ssh-vault.com, 1
+ssh.in.ua, 0
+sshbox.tk, 1
+sshd.site, 1
+sshool.at, 1
+sshwiki.tk, 1
+sshx.top, 1
+ssjid.gov, 1
+ssk.ovh, 1
+sskb-ey.tech, 1
+ssky.cn, 1
+ssl-zertifikate.de, 1
+ssl.com.ru, 1
+ssl.google-analytics.com, 1
+ssl.org, 1
+ssl24.pl, 1
+ssl247.co.uk, 1
+ssl247.com.mx, 1
+ssl247.de, 1
+ssl247.dk, 1
+ssl4all.gq, 1
+sslc.gov, 1
+sslcertificaten.nl, 1
+sslcheck.nl, 1
+sslcloud.net, 1
+ssld.at, 1
+ssldecoder.eu, 1
+ssldev.net, 1
+sslgctx.gov, 1
+sslgram.com, 1
+sslhello.com, 1
+sslle.eu, 1
+sslmate.com, 1
+sslmonitor.eu, 1
+sslmonkey.net, 1
+sslok.com, 0
+sslping.com, 1
+sslpoint.com, 1
+ssls.cz, 1
+sslsecureproxy.com, 1
+sslsurvey.de, 1
+ssltrus.com.cn, 1
+ssm-techmarketing.tk, 1
+ssma.it, 1
+ssmato.me, 1
+ssmd.tk, 1
+ssmic.com, 0
+ssmm88.cc, 1
+ssmothership.tk, 1
+ssmpuc.com, 1
+ssmrca.ca, 1
+ssmwebportal.tk, 1
+ssnetwork.jp, 1
+ssone.ee, 1
+ssprod.tk, 1
+sspu.ml, 1
+ssqq.com, 1
+ssr.llc, 1
+ssradio.live, 1
+ssready.io, 1
+ssrfq.com, 1
+ssrgov.cn, 1
+ssrvpn.tech, 1
+sss.red, 1
+ssshh.com, 1
+sssib.ru, 1
+ssslelectricfencing.co.za, 1
+sssppp.gq, 1
+sssss.click, 1
+sssssssss.com, 0
+sst-racing.ch, 1
+sst.ru, 1
+sstaging.com, 1
+sstestingservice.com, 1
+ssu.moe, 1
+ssuc.net, 1
+ssuiteoffice.com, 1
+ssuitesoft.com, 1
+st-damase.qc.ca, 1
+st-kilian-markt-erlbach.de, 1
+st-li.com, 0
+st-news.de, 1
+st-shakyo.jp, 1
+st-steuern.de, 1
+st42.fr, 1
+staaldart.tk, 1
+staapp.org, 1
+staapprecruiting.org, 1
+staatdesinternets.nl, 1
+staatdesnederlandscheninternets.nl, 1
+staatdesnederlandseninternets.nl, 1
+staatschutz.at, 1
+staatsschutz.at, 1
+staatsschutzgesetz.at, 1
+staatvanhetnederlandscheinternet.nl, 1
+staatvanhetnederlandseinternet.nl, 1
+stabelino.tk, 1
+stabilimento.it, 1
+stabilizatory.ga, 1
+stableflect.finance, 1
+stablelib.com, 1
+stablina.tk, 1
+stacabinetdepot.com, 1
+stacisezeptat.cz, 1
+stackery.io, 1
+stackhub.cc, 1
+stacklasvegas.com, 1
+stackroute.in, 1
+stackshine.com, 1
+stackstartup.com, 1
+stackstartup.tech, 1
+stacky.me, 1
+stad.gent, 1
+stadgent.be, 1
+stadiamaps.com, 1
+stadionmanager.com, 1
+stadionwelt.de, 1
+stadlwirt.at, 1
+stadm.com, 1
+stadspaleizengent.be, 1
+stadtbauwerk.at, 0
+stadtcentrum.it, 1
+stadterneuerung-hwb.de, 1
+stadtkapelle-oehringen.de, 1
+stadtpapa.de, 1
+stadtplan-ilmenau.de, 1
+staer.ro, 1
+staff.direct, 1
+staffaugmentation.ae, 1
+staffaugmentation.al, 1
+staffaugmentation.at, 1
+staffaugmentation.ba, 1
+staffaugmentation.be, 1
+staffaugmentation.bg, 1
+staffaugmentation.ch, 1
+staffaugmentation.co.il, 1
+staffaugmentation.co.uk, 1
+staffaugmentation.com.ar, 1
+staffaugmentation.com.ua, 1
+staffaugmentation.cz, 1
+staffaugmentation.de, 1
+staffaugmentation.dk, 1
+staffaugmentation.ee, 1
+staffaugmentation.es, 1
+staffaugmentation.eu, 1
+staffaugmentation.fi, 1
+staffaugmentation.fr, 1
+staffaugmentation.ge, 1
+staffaugmentation.gr, 1
+staffaugmentation.hr, 1
+staffaugmentation.hu, 1
+staffaugmentation.it, 1
+staffaugmentation.jp, 1
+staffaugmentation.li, 1
+staffaugmentation.lt, 1
+staffaugmentation.lu, 1
+staffaugmentation.lv, 1
+staffaugmentation.md, 1
+staffaugmentation.me, 1
+staffaugmentation.mk, 1
+staffaugmentation.mx, 1
+staffaugmentation.nl, 1
+staffaugmentation.no, 1
+staffaugmentation.pe, 1
+staffaugmentation.ph, 1
+staffaugmentation.pl, 1
+staffaugmentation.pt, 1
+staffaugmentation.ro, 1
+staffaugmentation.rs, 1
+staffaugmentation.si, 1
+staffaugmentation.us, 1
+staffaugmentation.vn, 1
+staffhours.com, 1
+staffi.tk, 1
+staffingnation.com, 1
+staffordpk.tk, 1
+staffsante.fr, 1
+staffsocial.fr, 1
+stage-bluejeans.com, 1
+stage-gate.la, 1
+stage-metrobible.org, 1
+stage-privacyportal-ui.azurewebsites.net, 1
+stage-props-blank-guns.com, 1
+stage-recuperation-points-bordeaux.com, 1
+stage-recuperation-points-lille.com, 1
+stage-recuperation-points-lyon.com, 1
+stage-recuperation-points-marseille.com, 1
+stage-recuperation-points-montpellier.com, 1
+stage-recuperation-points-nantes.com, 1
+stage-recuperation-points-nice.com, 1
+stage-recuperation-points-paris.com, 1
+stage-recuperation-points-reims.com, 1
+stage-recuperation-points-rennes.com, 1
+stage-recuperation-points-strasbourg.com, 1
+stage-recuperation-points-toulouse.com, 1
+stage.wepay.com, 1
+stage4.ch, 1
+stageirites.com, 1
+stageirites.fr, 1
+stageirites.org, 1
+stagend.com, 1
+stagespediatrics.com, 1
+stagewalker.no, 1
+staging-scholar.tk, 1
+stagingcleargrain.com.au, 1
+stagingelpactest.eu, 1
+stagingpepocoin.com, 1
+stagmarketim.com, 1
+stagoz.com, 1
+stahlen.dk, 1
+stahlfors.com, 1
+stahlp.dk, 1
+stahlzart-moebel.de, 1
+stahlzart.at, 1
+stahlzart.com, 1
+stahlzart.de, 1
+stail.eu, 1
+stainfilm.com, 1
+stainhaufen.de, 1
+stainless-steel-cookware.tk, 1
+stainternational.com, 1
+staiprefa.com, 1
+stair.ch, 1
+stairlin.com, 0
+stairmaster.tk, 1
+stajka.tk, 1
+staked.us, 1
+stakedate.com, 0
+stakeholders.ca, 1
+stakingjobs.com, 1
+stako.jp, 1
+stakotec.de, 1
+staktrace.com, 1
+stal-rulon.ru, 1
+stalbansvt.gov, 1
+stalbanswv.gov, 1
+stalder.work, 1
+stalevski.tk, 1
+stalgeraardsbergen.tk, 1
+stalin.tk, 1
+stalker-eyes.ga, 1
+stalker-shop.com, 1
+stalker-source.tk, 1
+stalkerteam.pl, 1
+stalkr.net, 1
+stalkthe.net, 1
+stall-frei.de, 1
+stallardjw.me, 1
+stallbesuch.de, 1
+stallionsnow.com, 1
+stallone.pl, 1
+stalphonsusks.org, 1
+stalplus.ml, 1
+stalstroi.ml, 1
+staltrade.uz, 1
+stalwartshopping.com, 1
+stalworld.tk, 1
+stamant.org, 1
+stamboomforum.nl, 1
+stamboomgids.nl, 1
+stamgent.be, 1
+stamit.nl, 1
+stamkassa.nl, 1
+stammering.ga, 1
+stammtisch-bauwagen.tk, 1
+stammtisch.domains, 1
+stamonicatourandtravel.com, 1
+stampederadon.com, 1
+stamperdle.com, 1
+stampinggroundky.gov, 1
+stampix.com, 1
+stampsbar.co.uk, 0
+stamurai.com, 1
+stanandjerre.org, 1
+stanbul.ru, 1
+stanchierifamilylaw.com, 1
+stancoe.org, 0
+stand.earth, 1
+stand.gg, 1
+standard-mobilitaet.de, 1
+standard-wohnungsbaukredit.ag, 1
+standard-wohnungsbaukredit.biz, 1
+standard-wohnungsbaukredit.com, 1
+standard-wohnungsbaukredit.de, 1
+standard-wohnungsbaukredit.eu, 1
+standard-wohnungsbaukredit.info, 1
+standard-wohnungsbaukredit.net, 1
+standard-wohnungsbaukredit.org, 1
+standard.co.uk, 1
+standardizarea.ro, 1
+standardlifters.com, 1
+standardmetrics.io, 1
+standardnotes.com, 1
+standards.gov, 1
+standardstraversal.jp, 1
+standardwohnungsbaukredit.ag, 1
+standardwohnungsbaukredit.biz, 1
+standardwohnungsbaukredit.com, 1
+standardwohnungsbaukredit.de, 1
+standardwohnungsbaukredit.eu, 1
+standardwohnungsbaukredit.info, 1
+standardwohnungsbaukredit.net, 1
+standardwohnungsbaukredit.org, 1
+standdownofnorthjersey.org, 1
+standford.pe, 1
+standfore.com, 1
+standheizung-shop.de, 1
+standiluminaciones.com, 1
+standingbear.tk, 1
+standoff-magic.ru, 1
+standoffarena.com, 1
+standoffdrop.ru, 1
+standsearch.cf, 1
+standupcomedy.cf, 1
+standupcomedy.ga, 1
+standupcomedy.tk, 1
+standwithhaiti.org, 1
+stanfordny.gov, 1
+stang.moe, 1
+stangeland.tk, 1
+stanglwirt.com, 1
+stanin.net, 1
+stanislav-lysenko.lawyer, 1
+stankingma.com, 1
+stankingma.nl, 1
+stanmed24.pl, 1
+stanmirstudio.pl, 1
+stannesvets.co.uk, 1
+stannri.org, 1
+stanonline.tk, 1
+stanron.com, 1
+stansberryresearch.com, 1
+stansweather.net, 1
+stantabler.com, 1
+stanthony-hightstown.net, 1
+stantonca.gov, 1
+stantoncountyne.gov, 1
+stanwoodwa.gov, 1
+stanza.group, 1
+stape.io, 1
+staplespromo.com, 1
+staplestx.gov, 1
+stapvoorstapduurzaam.nl, 1
+star-citizen.wiki, 1
+star-clean.it, 1
+star-darom.co.il, 1
+star-life.tk, 1
+star-one.co.uk, 1
+star.my.id, 1
+star.watch, 1
+starase.com, 0
+starb.in, 1
+starbaese.de, 1
+starbase01.com, 1
+starboardmarketing.io, 1
+starbreaker.org, 1
+starbt.ro, 1
+starbucks.vn, 1
+starbusiness.ml, 1
+starbyte.co.uk, 1
+starcitizen.tools, 1
+starcitizenreferral.codes, 1
+starcitywv.gov, 1
+starcoachservices.ca, 1
+starcomproj.com, 1
+starconnect.at, 1
+starcraftsource.tk, 1
+starcroisieres.com, 1
+starcubix.com, 1
+starcys.xyz, 1
+stardanceacademy.net, 1
+stardev.ovh, 1
+stardima.com, 1
+stardomino.tk, 1
+stardozen.com, 0
+stardrive.cf, 1
+starease.com, 1
+starease.net, 1
+starengineeringinc.com, 1
+starexponent.com, 1
+starfall.systems, 1
+starfeeling.net, 1
+starfield.ai, 1
+starfieldguide.com, 1
+starfiles.co, 1
+starfm.gq, 1
+starfm.ml, 1
+starfriend.ru, 1
+stargarder-jungs.de, 1
+stargate.gq, 1
+stargazer.de, 1
+stargift.ch, 1
+starglancer.ddns.net, 1
+starherald.com, 1
+stari.co, 1
+stariders.com, 1
+starina.ru, 1
+starinc.xyz, 1
+staring.es, 1
+staring.tk, 1
+staringer.net, 1
+starinsights.com, 1
+starka.st, 1
+starkbim.com, 1
+starking.net.cn, 1
+starking.tk, 1
+starknh.gov, 1
+starkparks.gov, 1
+starkstromkonsument.de, 1
+starkvilleurgentcareclinic.com, 1
+starlabs.bio, 1
+starless.one, 1
+starlim.co.in, 1
+starlim.org, 1
+starlincuesta.gq, 1
+starline.ru, 1
+starlinks.tk, 1
+starlinkz.tk, 1
+starluky.com, 1
+starlux.cz, 1
+starlynr.sk, 1
+starman.agency, 1
+starmyworld.ga, 1
+staroch.name, 1
+starorusing.com, 0
+starover.tk, 1
+starpeak.org, 1
+starphonefix.com, 0
+starpoles.com, 1
+starprime.ch, 1
+starprime.de, 1
+starprime.eu, 1
+starprime.net, 1
+starrace.eu, 1
+starretest.nl, 1
+starreview.tk, 1
+starring.work, 1
+starrosesandplants.com, 1
+starry.blue, 1
+starrynight.com, 1
+starryvoid.com, 1
+starsam80.net, 1
+starsandmanifolds.xyz, 0
+starsbattle.net, 1
+starscream.xyz, 1
+starsessions.cc, 1
+starsguru.com, 1
+starship.xyz, 1
+starsing.bid, 1
+starskim.cn, 1
+starsoft.io, 1
+starspie.com, 1
+start-knighki.gq, 1
+start-nadlan.co.il, 1
+start-school.online, 1
+start.ag, 1
+start.ie, 1
+start.stockholm, 1
+start2dance.tk, 1
+startablog.tv, 1
+startag.xyz, 1
+startandstop.fr, 1
+startaninflatablebusiness.com, 1
+startbetter.tk, 1
+startbiz.biz.id, 1
+startbiz.co.id, 1
+startbiz.my.id, 1
+startbiz.web.id, 1
+startengine.com, 1
+starter.social, 1
+startersiteweb.com, 1
+startgeophysical.ga, 1
+starthubs.uk, 1
+starti.com.ua, 1
+startinganllcbusiness.com, 1
+startingent.be, 1
+startingyourbusiness.com, 1
+startit.bot, 1
+startlab.sk, 1
+startlap.es, 1
+startle.cloud, 1
+startle.studio, 1
+startlgvtraining.co.uk, 1
+startlinks.tk, 1
+startliste.info, 1
+startmail.com, 1
+startner.com, 1
+startpage.com, 1
+startpage.info, 1
+startpage4u.tk, 1
+startplats.tk, 1
+startplaying.games, 1
+startpoint.tk, 1
+starts.sh, 1
+startsafety.uk, 1
+startstack.tech, 1
+starttraffic.uk, 1
+startup-stack.com, 1
+startup-stack.tech, 1
+startup.melbourne, 1
+startupbros.com, 1
+startupgov.lt, 1
+startupisland.tw, 1
+startupislandtaiwan.com, 1
+startupislandtaiwan.net, 1
+startupislandtaiwan.org, 1
+startupopinions.com, 1
+startupstack.cloud, 1
+startupstack.llc, 1
+startupstack.net, 1
+startupstack.online, 1
+startupstack.pro, 1
+startupstack.services, 1
+startupstack.site, 1
+startupstack.software, 1
+startupstack.systems, 1
+startupstack.tech, 1
+startupstack.technology, 1
+startupstacksandbox.com, 1
+startupstacktech.com, 1
+startupswitzerland.com, 1
+startuptechstack.com, 1
+startupum.ru, 1
+startupweb.io, 1
+startupyourmind.com, 1
+startw.cf, 1
+startwithpieter.com, 1
+starvizyon.com, 1
+starwarschronology.com, 1
+starwatches.eu, 1
+starx.ink, 1
+stashbase.org, 1
+stashcast.org, 1
+stashport.org, 1
+stashseed.org, 1
+stasia.ml, 1
+stasiniewicz.com, 1
+stasiniewicz.net, 1
+stass.eu, 1
+stastka.ch, 1
+stasyan.ga, 1
+staszic.waw.pl, 1
+stat-xpert.com, 1
+stat.ink, 1
+statcenter.tk, 1
+state-of-body-and-mind.com, 1
+statecareercenter.com, 1
+statecollegemortgages.com, 1
+stated.gq, 1
+statefunddirect.com, 1
+stateidea.ga, 1
+statejobcenter.com, 1
+statelibraryofiowa.gov, 1
+statelines.ga, 1
+statelywork.com, 1
+statemercantile.com.au, 1
+statenislandonlinecremation.com, 1
+stateofwatourism.com, 1
+statepoint.net, 1
+staterun.tk, 1
+stateserv.com, 1
+statesville.com, 1
+statfluence.com, 1
+statgram.me, 1
+static-assets.io, 1
+static-myfxee-808795.c.cdn77.org, 1
+static-myfxoau-808795.c.cdn77.org, 1
+static-myfxouk-808795.c.cdn77.org, 1
+static.hosting, 1
+static.wepay.com, 1
+staticfury.com, 1
+staticline.de, 1
+staticweb.tk, 1
+statik.space, 1
+statinfer.com, 1
+stationa.ch, 0
+stationary-traveller.eu, 1
+stationaryengines.tk, 1
+stationcharlie.co.za, 1
+stationmedia.tk, 1
+statistician-online.com, 0
+statistik-seminare.de, 1
+statnevlajky.sk, 1
+statnivlajky.cz, 1
+stats-co.eu, 1
+stats-mailtracker.com, 1
+stats.g.doubleclick.net, 1
+stats.moe, 1
+statscrew.com, 1
+statsit.ga, 1
+statsme-app.com, 1
+statspolicy.gov, 1
+status.events, 1
+status.im, 0
+status.vg, 1
+statusbadges.me, 1
+statusboard.eu, 1
+statuscast.com, 1
+statuscode.ch, 0
+statusforward.com, 1
+statushero.com, 1
+statusmachine.com, 1
+statusmantra.tk, 1
+statuswatch.io, 1
+statxperts.com, 1
+stauffer-media.net, 1
+stavanger.kommune.no, 1
+stavgp2.ru, 1
+stavinchains.tk, 1
+stavnager.net, 1
+stavropol-news.ga, 1
+stavros.ovh, 1
+staxflax.tk, 1
+stay-curious.at, 1
+stay4all.nl, 1
+stayby.me, 1
+staycurrent.eu, 1
+staycurrent.nl, 1
+staydryohio.com, 1
+stayglam.com, 1
+staygold.blog, 1
+staygoldenphotobooth.com, 1
+stayinbusiness.nl, 1
+staylovely.tk, 1
+stayme.cz, 1
+stayokay.com, 1
+stazi.tk, 1
+stb-schefczyk.com, 1
+stb-schefczyk.de, 1
+stb-schefczyk.info, 1
+stb-schefczyk.net, 1
+stb-timmler.de, 1
+stb.gov, 1
+stbarnabashealthsystem.com, 1
+stbartholomewmanchester.org, 1
+stbcg.com, 1
+stbk.link, 1
+stbl.org, 1
+stblaw.com, 1
+stc-istok.com.ua, 1
+stc-knrm.nl, 1
+stc.training, 1
+stcatharinesromawolves.tk, 1
+stcc.edu, 1
+stccordoba.com, 1
+stceciliakearny.org, 1
+stcet.ac.in, 1
+stcharlescountycsfamo.gov, 1
+stcharlesparish.gov, 1
+stclairpa.gov, 1
+stclairvet.co.uk, 1
+stclementmatawan.org, 1
+stclementreligioused.org, 1
+stcloudfl.gov, 1
+stcomcybersecurity.net, 1
+stcplasticsurgery.com, 1
+stdavidparish.org, 1
+stdavidtheking.com, 1
+stdenv.de, 1
+stderr.cc, 1
+stderr.ch, 1
+stdev.org, 1
+stdev.top, 1
+stdnet.ru, 1
+stdssr.com, 1
+ste2.de, 1
+steacy.tech, 1
+steak-kojiro.com, 1
+steakovercooked.com, 1
+stealingheather.com, 1
+stealsaga.net, 1
+stealth.net, 1
+stealthbinders.tk, 1
+stealthhaven.xyz, 1
+stealthmodel.fi, 1
+stealthseminar.com, 1
+steam-rewards.tk, 1
+steam-route-saxony.com, 1
+steamcarddelivery.com, 1
+steamcardexchange.net, 1
+steamcars.be, 1
+steamcleaning.expert, 1
+steamcn.info, 1
+steamcrack.ga, 1
+steamdb.info, 1
+steamdeckinfo.org, 1
+steamerrors.com, 1
+steamgifts.com, 1
+steamid.net, 1
+steamid.tools, 1
+steamkeyget.ga, 1
+steamlevelmarket.com, 1
+steamold.com, 0
+steamosaic.com, 1
+steampoweredlawngnome.com, 1
+steampress.io, 1
+steamscore.info, 1
+steamsprays.tk, 1
+steamstat.us, 1
+steamstatus.cn, 1
+steamtrades.com, 1
+stebenkov.tk, 1
+steborio.pw, 1
+steckel.cc, 1
+stecos.co.uk, 1
+stedb.eu, 1
+stedbg.net, 1
+stedelijkorkestpurmerend.nl, 1
+steebel.com.au, 1
+steeble.com.au, 1
+steef389.eu, 1
+steeha.nl, 1
+steel-pc.fr, 1
+steel-pc.lu, 1
+steel-roses.de, 1
+steelbeasts.org, 0
+steelecountymn.gov, 1
+steelecountynd.gov, 1
+steelephys.com.au, 1
+steelfencestlouis.com, 1
+steelfirm.ga, 1
+steelframejourney.com, 1
+steelfxpatinas.com, 1
+steelhouse.com, 1
+steelmounta.in, 1
+steelnavi.jp, 1
+steelpoint.com.pl, 1
+steelportknife.com, 1
+steelsheds.biz, 1
+steelshop.net, 1
+steelsoldiers.com, 1
+steelvortex.tk, 1
+steelway.biz, 1
+steelzone.tk, 1
+steemit.com, 1
+steempeak.com, 1
+steemworld.org, 1
+steemyy.com, 1
+steenkampskraal.com, 1
+steenwijkerland.nl, 1
+steering-wheel.tk, 1
+steevels.nl, 1
+stefaanoyen.be, 1
+stefamedia.com, 1
+stefan-bayer.eu, 1
+stefan-karstens.de, 1
+stefan-rothe.ch, 1
+stefan-schlueter.de, 1
+stefan-schmid.com, 1
+stefan.de, 1
+stefanbayer.de, 1
+stefandesign.tk, 1
+stefanfriedli.ch, 1
+stefangroothuis.tk, 1
+stefania.tk, 1
+stefaniepetermann.eu, 1
+stefaniharvilla.tk, 1
+stefanini.com, 1
+stefanknobel.ch, 1
+stefano-wesel.de, 1
+stefanoiavarone.com, 1
+stefanolsdal.tk, 1
+stefanrusie.ro, 1
+stefanvd.net, 1
+stefany.cloud, 1
+stefany.eu, 1
+stefchapman.tk, 1
+stefcraps.tk, 1
+steffenmeister.com, 1
+steffi-in-australien.com, 1
+steffi-knorn.de, 1
+steffko.net, 1
+stefpastoor.nl, 0
+stegenevieve.gov, 1
+steggemachine.com, 1
+stehlik.co.uk, 1
+stehlik.sk, 1
+steigerlegal.ch, 1
+steinbach.ai, 1
+steiner-dominik.at, 1
+steiner.do, 1
+steiner.is, 1
+steiner.is.it, 1
+steiner.sh, 1
+steinerkovarik.de, 1
+steiners.party, 1
+steingergreeneandfeiner.com, 1
+steingergreenefeiner.com, 1
+steinhartwatches.de, 1
+steinibox.de, 1
+steinmassl.org, 1
+steinmetz.cloud, 1
+stekelenburg.me, 1
+steklein.de, 1
+steleentechnischevraag.com, 1
+steleentechnischevraag.eu, 1
+steleentechnischevraag.nl, 1
+stelem.com, 1
+stelfox.net, 1
+stelga.ca, 1
+steliosmanousakis.gr, 1
+stella-shop.eu, 1
+stellacinderella.net, 1
+stellanova-planeten.de, 0
+stellar.com.de, 1
+stellar.org, 1
+stellarguard.me, 1
+stellarite.io, 1
+stellarium-gornergrat.ch, 1
+stellarlumensnews.today, 1
+stellarosa-clinic.net, 1
+stellarpurr.me, 1
+stellartraderacademy.co.uk, 1
+stellen.ch, 1
+stelleninserate.de, 1
+stellenticket.de, 1
+steller.co, 1
+stelletjeafgebeuktemongolen.tk, 1
+stellexshop.ru, 1
+stelling.nl, 0
+stellmacher.name, 1
+stelovisual.pl, 1
+stels.ml, 1
+stels.tk, 1
+steltzer-scheidung.de, 1
+stelzl.co, 1
+stem16plus.gent, 1
+stematechnologies.ga, 1
+stembureau-nissewaard.nl, 1
+stembureauledenindenhaag.nl, 1
+stembureaunijmegen.nl, 1
+stemcellclinic.design, 1
+stemcellclinic.live, 1
+stemcellclinic.ltd, 1
+stemcellclinic.network, 1
+stemcellclinic.services, 1
+stemcellclinic.store, 0
+stemcellclinic.tech, 1
+stemcellclinic.vip, 1
+stemcellclinic.world, 1
+stemcellsscotland.co.uk, 1
+stemderbomen.tk, 1
+stemgirls.co.za, 1
+stemklank.tk, 1
+stemmayhem.com, 1
+stemoplinks.nl, 1
+sten.photography, 1
+stena.cf, 1
+stenaro.ch, 1
+stencilsaustralia.com.au, 1
+stenhojmedia.dk, 1
+stening.co, 1
+steno.nl, 1
+stenstromen.se, 1
+stenvallmcclain.tk, 1
+stenzhorn-cloud.de, 1
+steolo.com, 1
+step-lead.cc, 1
+step2web-cms.info, 1
+stepanvanek.cz, 1
+stepanyansurgical.com, 1
+steparovi.cz, 1
+stepbrobd.com, 1
+steph.ninja, 0
+steph3n.me, 1
+stephan-matthiesen.de, 1
+stephanao.tk, 1
+stephandriessen.tk, 1
+stephaniecalahan.com, 1
+stephaniedeady.ie, 1
+stephanielacroix.nl, 1
+stephanieleonidasfan.tk, 1
+stephanieschreiber.com, 1
+stephanoptiek.nl, 1
+stephen-oliver-art.co.uk, 1
+stephenbakalian.com, 1
+stephencorp.com, 1
+stephencreilly.com, 1
+stephenhaunts.com, 1
+stephenj.co.uk, 1
+stephenperreira.com, 1
+stephenplustwik.com, 1
+stephenreescarter.net, 1
+stephenschirle.gq, 1
+stephenschirle.ml, 1
+stephenschrauger.com, 1
+stephenschrauger.org, 1
+stephenscity.gov, 1
+stephensol.is, 1
+stephensolis.com, 1
+stephensolis.net, 1
+stephensolisrey.es, 1
+stephensoncountyil.gov, 1
+stephsolis.net, 1
+stephspace.net, 1
+stephycom.com, 1
+stepin.cloud, 0
+steplab.co, 1
+steplogictalent.com, 1
+steponedanceclub.uk, 1
+steppesisters.org, 1
+steppicrew.de, 1
+steppingoutinstyleonline.com, 1
+steppinout.tk, 1
+stepplanning.com, 1
+stepstone.dk, 1
+stepupforeurope.eu, 1
+stepyz.com, 1
+stepzen.com, 1
+ster-enzo.nl, 1
+ster.nl, 1
+sterchit.ch, 1
+stereo.com, 1
+stereoamistadmomos.ga, 1
+stereoamistadmomos.gq, 1
+stereoamistadmomos.ml, 1
+stereob.it, 1
+stereochro.me, 0
+stereoscopio.es, 1
+stereostudio.cf, 1
+stereotyped.de, 1
+sterilium.tk, 1
+sterling.com, 1
+sterlingheights.gov, 1
+sterlinginsurance.com.au, 0
+sterlingtechnotrade.com, 1
+sterlinx.de, 1
+stern-freunde.de, 1
+stern.koeln, 1
+sternadel.pl, 1
+sternen-sitzberg.ch, 1
+sternenbund.info, 1
+sternik-motorowodny.com.pl, 1
+sterno.cf, 1
+sternplastic.com, 1
+sternsinus.com, 1
+sternstrailer.com, 1
+steroids.ga, 1
+steroidswiki.com, 1
+sterr.in, 1
+sterretranen.tk, 1
+sterva.mobi, 0
+sterydki.pl, 1
+sterz.io, 1
+stestena.eu, 1
+stesti.cz, 1
+stethostalk.com, 1
+stetson.edu, 1
+steuerberater-bayreuth.com, 1
+steuerberater-essen-steele.com, 1
+steuerberater-hopfner.de, 1
+steuerberatungs-website.de, 1
+steuerboard.org, 1
+steuerimgriff.de, 1
+steuerkanzlei-edel.de, 1
+steuerteam-kliem.de, 1
+steuertipps-sonderausgaben.de, 1
+steve-mason.tk, 1
+steve.kiwi, 1
+stevebanks.info, 1
+steveborba.com, 1
+stevebuck.tk, 1
+stevecostar.com, 1
+stevedoggett.com, 1
+steveellwood.com, 1
+stevegellerhomes.com, 1
+stevegrav.es, 1
+stevejcraig.com, 1
+stevejobsfollowers.tk, 1
+stevemario.com, 1
+stevemason.tk, 1
+stevemonteyne.be, 1
+steven-klix.de, 0
+steven.photos, 1
+stevenapate.com, 1
+stevenavaldez.tk, 1
+stevenberg.net, 1
+stevenbolgartersnakes.com, 1
+stevendearstyne.com, 1
+stevengoodpaster.com, 1
+stevengrech.com, 1
+stevenhardy.digital, 1
+stevenjacobs.be, 1
+stevenjacobs.eu, 1
+stevenkendypierre.com, 1
+stevenkobes.com, 1
+stevenmdriving.co.uk, 1
+stevenroddis.com, 1
+stevensautotopsandupholstery.com, 1
+stevenscountymn.gov, 1
+stevenshame.com, 1
+stevenski.com, 0
+stevensonal.gov, 1
+stevensontaxservices.com, 1
+stevenspoint.gov, 1
+steventress.com, 1
+steventruesdell.com, 1
+stevenz.blog, 1
+stevenz.net, 1
+stevenz.science, 1
+stevenz.xyz, 1
+steveoswald.tk, 1
+stevepacheco.com, 1
+stevereedmp.co.uk, 1
+stevesbriefmovierecommendations.com, 1
+stevezheng.cf, 1
+stevezheng.tk, 1
+stevezone.in, 1
+steviate.com, 1
+steviate.de, 1
+stevin.com, 1
+stevinson.org, 1
+stewards.tk, 1
+stewart.tk, 1
+stewpolley.com, 1
+stfd-oh.gov, 1
+stfrancisnaugatuck.org, 1
+stg-0-con.com, 1
+stgabrielstowepa.org, 1
+stgeorgegolfing.com, 1
+stgeorgeks.gov, 1
+stgermainwi.gov, 1
+stghv.com, 1
+stgiannanorthfieldnj.org, 1
+stgy.it, 1
+sth.sh, 1
+sthelen.eu, 1
+sthelensoregon.gov, 1
+sthenryrc.org, 1
+sthetix.info, 1
+sthpr.gr, 1
+sthreemarketing.com, 1
+stibal.art, 1
+stichtingcompassroemenie.nl, 1
+stichtingscholierenvervoerzeeland.nl, 1
+stichtingsticky.nl, 0
+stichtingtwigadukina.nl, 1
+stichtingwwtoegankelijk.nl, 1
+stichtsevecht.nl, 1
+stick2bike.de, 1
+stickandpoketattookit.com, 1
+stickerapp.com, 1
+stickerparadise.me, 1
+stickers-garage.com, 1
+stickertrade.me, 1
+stickies.io, 1
+stickmangames.tk, 1
+stickme.be, 1
+stickmy.cn, 1
+sticksandstonescomic.tk, 1
+sticksandstonesland.com, 1
+stickstone.co, 1
+stickswag.cf, 1
+stickswag.eu, 1
+sticky.to, 1
+stickypassword.com, 1
+stickywilds.com, 1
+stidmobile-id.com, 1
+stiebel-eltron.co.nz, 1
+stiebel-eltron.com.au, 1
+stiebel.co.nz, 1
+stiebel.com.au, 1
+stiebelmedia.co.nz, 1
+stiebelmedia.com.au, 1
+stiebelrewards.com.au, 1
+stiebelservice.com.au, 1
+stiebelstore.com.au, 1
+stiehler-leipzig.tk, 1
+stiekemverliefdopjou.nl, 1
+stierheating.com, 1
+stiff.wang, 1
+stifflersmom.ga, 1
+stift-kremsmuenster.at, 1
+stift-kremsmuenster.net, 1
+stiftung-lq.ch, 1
+stiftung-lq.com, 1
+stiftung-lq.net, 1
+stiftungleostrauss.com, 1
+stiftunglq.com, 1
+stigaview.com, 1
+stigviewer.com, 1
+stihiya.tk, 1
+stiira.com, 1
+stijlvol-wonen.com, 1
+stijndv.com, 1
+stijnodink.nl, 1
+stikic.me, 1
+stikkie.me, 1
+stikkyikkys.com, 1
+stikonas.eu, 0
+stila.no, 1
+stileapp.com, 1
+stilecop.com, 1
+stilettobg.com, 1
+stilfoto.net, 1
+stilingavonia.lt, 1
+stilldrunkfromyesterday.com, 1
+stille-post.eu, 1
+stillnessmovement.com, 1
+stillpointmag.org, 1
+stillwatermn.gov, 1
+stillwatertownshipmn.gov, 1
+stillwell.me, 1
+stillwhite.com, 1
+stillwhite.com.au, 1
+stilmobil.se, 1
+stilnaya-odezhda.tk, 1
+stilsvadba.tk, 1
+stiltmedia.com, 1
+stiltnerelectric.com, 1
+stiltsoft.com, 1
+stimex.bg, 1
+stimmgabel.lu, 1
+stimpatico.com, 1
+stimulants.uk, 1
+stina-vino.hr, 1
+stinesvillein.gov, 1
+stingraybook.com, 1
+stinici.site, 1
+stinkefingereinhorn.de, 1
+stinkintechnology.com, 1
+stinkmemes.com, 1
+stinter.cf, 1
+stintup.com, 0
+stiphosting.nl, 1
+stirblaut.de, 1
+stirling.co, 1
+stirlingpoon.com, 1
+stirringphoto.com, 1
+stisidores.org, 1
+stitch.money, 1
+stitchersvillage.com, 1
+stitchfiddle.com, 1
+stitchlabs.com, 1
+stivesbouncycastlehire.co.uk, 1
+stjh.org.sg, 1
+stjlogistics.com, 1
+stjohnbjc.org, 1
+stjohncamden.com, 1
+stjohnin.com, 1
+stjohnin.gov, 1
+stjohnnepomucene.com, 1
+stjohnpa.org, 1
+stjohnsc.com, 1
+stjohnsmi.gov, 1
+stjohnsottsville.org, 1
+stjoseph-stcatherine.org, 1
+stjosephclaremont.org, 1
+stjosephmo.gov, 1
+stjosephri.org, 1
+stjosephspringcity.com, 1
+stjosephtownship.com, 1
+stjscatholicchurch.org, 1
+stjude-ettekkar.tk, 1
+stjustin.org, 1
+stkc.win, 1
+stkeverneparishcouncil.org.uk, 1
+stkevin-stbenedict.org, 1
+stkildaosteopathy.com.au, 1
+stla.net, 1
+stlautoenhancements.com, 1
+stlawco.gov, 1
+stleismann.de, 1
+stlfc.gov, 1
+stlfence.com, 1
+stln.ml, 1
+stlouiscountymovotes.gov, 1
+stlouisfence.com, 1
+stlouisinsuranceco.com, 1
+stlouisnativeflute.com, 1
+stlouisparkmn.gov, 1
+stlouisstabilizing.com, 1
+stlpassports.com, 1
+stlpoolattendants.com, 1
+stlu.de, 1
+stlucieclerk.gov, 1
+stluciesheriff.gov, 1
+stlucievillagefl.gov, 1
+stlueke.de, 1
+stlukenh.org, 1
+stlukesbrandon.org, 1
+stma.is, 1
+stmariagoretti.net, 1
+stmarkcharlotte.org, 1
+stmarkseagirt.com, 1
+stmarthachurch.com, 1
+stmaryextra.uk, 1
+stmaryscountymd.gov, 1
+stmaryskutztown.com, 1
+stmarysmdsao.gov, 1
+stmarysnutley.org, 1
+stmarystfd.org, 1
+stmaryswv.gov, 1
+stmatthewri.org, 1
+stmattsparish.com, 1
+stmattsucc.org, 1
+stmfdky.gov, 1
+stmichaellvt.com, 1
+stmichaelmn.gov, 1
+stmichaelsmajors.tk, 1
+stmltn.com, 1
+stmohrael.org, 1
+stmsolutions.pl, 1
+stmsouthcoventry.com, 1
+stn.me.uk, 0
+stnews.ga, 1
+stnl.de, 0
+stntrading.eu, 1
+sto-garant.nl, 1
+sto.ne, 1
+stock-analysis-on.net, 1
+stockageprive.net, 1
+stockanalysis.com, 1
+stockbrain.co.jp, 1
+stockbridge-ma.gov, 1
+stockbridgevt.gov, 1
+stockgraphicdesigns.com, 1
+stockholm.ga, 1
+stockholm.se, 1
+stockholmpride.org, 1
+stockhuntertrading.com, 1
+stockilluminati.com, 1
+stockmarkettoday.news, 1
+stockmeta.jp, 1
+stockpile.com, 1
+stockportny.gov, 1
+stockportspiritualistchurch.co.uk, 1
+stockpricetrends.com, 1
+stocks-adviser.com, 1
+stockslam.ga, 1
+stocksnews.tk, 1
+stockspy.ru, 1
+stockstuck.com, 1
+stockt-shirtdesigns.com, 1
+stocktonengineering.co.uk, 1
+stocktout.info, 1
+stocktrader.com, 1
+stockway.tk, 1
+stockx.com, 1
+stockx.io, 1
+stockyards.com, 1
+stocorp.com, 1
+stocp.org, 1
+stoddardcountyclerk.gov, 1
+stodieck.com, 1
+stodlinjen.se, 1
+stoeckel.info, 0
+stoeckl-schmaus.com, 1
+stoemp.gent, 1
+stoffelnet.de, 1
+stoffhandwerk.tk, 1
+stohrm.com, 1
+stoianlawfirm.com, 1
+stoicatedy.ovh, 1
+stoicnotaries.com, 1
+stoicsimple.com, 1
+stoicus.com.br, 1
+stoinov.com, 1
+stoiximatikesetairies.tv, 1
+stokkink.com, 1
+stokl.com.au, 0
+stokrotkadelikatesy.pl, 1
+stolarka.tk, 1
+stolarstvi-jiriholy.cz, 1
+stolbart.com, 1
+stolensun.tk, 1
+stolin.info, 1
+stolina.de, 1
+stolkpotplanten.nl, 1
+stoll.info, 1
+stollen-wurm.de, 1
+stollenwurm.de, 1
+stolpe.tk, 1
+stolpe5674.tk, 1
+stolpersteine-dithmarschen.tk, 1
+stolpi.is, 0
+stoltz-it.de, 1
+stomaline.com.ua, 1
+stomatolog-czestochowa.cf, 1
+stomatolog-czestochowa.ga, 1
+stomatolog-czestochowa.gq, 1
+stomatolog.cf, 1
+stomatolog.ga, 1
+stomatologiya.gq, 1
+stomatologiya.ml, 1
+stomproced.ro, 1
+stomt.com, 1
+stone-guru.co.uk, 1
+stone-support.de, 1
+stoneagehealth.com.au, 1
+stoneandtile.design, 1
+stonebriarpropertyinspections.com, 1
+stonechatjewellers.ie, 1
+stonecore.co, 0
+stonecountyar.gov, 1
+stonecutgods.com, 1
+stonedwarf5.net, 1
+stonedworms.de, 0
+stoneedgeconcrete.com, 1
+stonefoot.de, 1
+stonefusion.org.uk, 1
+stonegatewealth.com, 0
+stonegray.ca, 1
+stonehammerhead.org, 1
+stonehurstcap.com, 1
+stonemain.eu, 1
+stonemanbrasil.com.br, 1
+stoneocean.net, 1
+stoneproperty.ie, 1
+stonerwitch.tk, 1
+stonesfamilyrestaurant.com, 1
+stonesgarden.pl, 1
+stonetribute.tk, 1
+stonewallwcidtx.gov, 1
+stoneworld.ga, 1
+stonewuu.com, 1
+stoneydsp.com, 1
+stoningtonboroughct.gov, 1
+stonkslab.com, 1
+stonsil.com, 1
+stonystratford.org, 1
+stoom-stichting.nl, 1
+stoomstichting.be, 1
+stoomstichting.biz, 1
+stoomstichting.com, 1
+stoomstichting.de, 1
+stoomstichting.eu, 1
+stoomstichting.info, 1
+stoomstichting.net, 1
+stoomstichting.nl, 1
+stoomstichting.org, 1
+stoomtreinhuren.nl, 1
+stoomtreinreizen.be, 1
+stoomtreinreizen.com, 1
+stoomtreinreizen.eu, 1
+stoomtreinreizen.nl, 1
+stoomtreinreizen.org, 1
+stop-acouphenes.ch, 1
+stop-activ.ga, 1
+stop-bankrotstvu.ru, 0
+stop-microsoft.org, 1
+stop-nikotin.tk, 1
+stop-russia.tk, 1
+stop-tihange.eu, 1
+stop-tihange.org, 1
+stop.pe, 1
+stopaggressivedriving.com, 1
+stopanskaleasing.mk, 1
+stopautoshop.bg, 1
+stopbullying.gov, 1
+stopever.com, 1
+stopforumspam.com, 1
+stopfraud.gov, 1
+stoph.at, 1
+stopillicit.com, 1
+stopka.tk, 1
+stopkadr-studio.ru, 1
+stopklopam.ru, 1
+stoplossoff.tk, 1
+stopmetbellen.be, 1
+stopmoustic.fr, 0
+stopoverconnections.com, 1
+stoppage.cf, 1
+stopransomware.gov, 1
+stoprat.fr, 1
+stopsafeguardingnow.org.uk, 1
+stopsmoke.gq, 1
+stopssherdenking.tk, 1
+stopsvet.ml, 1
+stopthemoss.com, 1
+stoptheperio.com, 1
+stopthethyroidmadness.com, 1
+stopthinkconnect.jp, 1
+stoptrading.co.uk, 1
+stopves.tk, 1
+stopvirus.in, 1
+stor-guard.com, 1
+stora.mn, 1
+storage-base.de, 1
+storage-books.gq, 1
+storage-in-motion.com, 1
+storageideas.uk, 1
+storageioblog.com, 1
+storagenewsletter.com, 1
+storageshedsnc.com, 1
+storck.com, 1
+stordbatlag.no, 1
+store-en-stock.com, 1
+store10.de, 0
+store71.it, 1
+storeandforward.email, 1
+storeandforward.eu, 1
+storeandforward.nl, 1
+storebusy.nz, 1
+storecard.tk, 1
+storecove.com, 0
+storedieu.com, 1
+storedsafe.com, 1
+storeforward.email, 1
+storeforward.eu, 1
+storeforward.net, 1
+storeforward.nl, 1
+storeforward.org, 1
+storefront.gq, 1
+storefrontcleaningchicago.com, 1
+storeisrael.co.il, 1
+storeit.co.uk, 1
+storemax.com.au, 1
+storepaperoomates.co.bw, 1
+storepaperoomates.com, 1
+storepaperoomates.net, 1
+storephotovoltaique.com, 1
+storeplus.ml, 1
+storepy.com.mx, 1
+storesonline.fr, 1
+storewebshop.com, 1
+storgaarddieu.com, 1
+stori.press, 1
+storiadellarte.com, 1
+storiadirectory.tk, 1
+storiagraph.com, 1
+stories-event.com.ua, 1
+stories-pro.com, 1
+storiesbysign.com, 1
+storillo.com, 1
+storin.nl, 1
+storipress.com, 1
+storipress.pro, 1
+storistalker.com, 1
+storj.io, 1
+storjar.com, 1
+storm-news.tk, 1
+stormairsoft.tk, 1
+storman.com, 1
+stormchile.cl, 1
+stormdamages.claims, 1
+stormestudios.tk, 1
+stormfest.tk, 1
+stormhub.ml, 1
+stormi.io, 1
+stormlab.tk, 1
+stormrider.tk, 1
+stormylegions.tk, 1
+storspillercasino.com, 1
+storungssuche.com, 1
+storvann.net, 1
+storvann.no, 1
+storvault.co.za, 1
+story.be, 1
+story.nl, 1
+storyark.de, 1
+storyark.eu, 1
+storyboardmedia.cl, 1
+storybuilder.me, 1
+storyclash.com, 1
+storycollective.film, 1
+storycopy.org, 1
+storycycle.tk, 1
+storyland.ie, 1
+storyliebe.de, 1
+storymalayalam.com, 1
+storyoneforty.com, 1
+storysift.news, 1
+storytea.top, 1
+storytel.net, 1
+storytell.com, 1
+storytellingforbusiness.com.au, 1
+storytellingsales.com, 1
+storytime.hu, 1
+stotranidhi.com, 1
+stoumann.dk, 1
+stourstreet.com, 1
+stouter.nl, 1
+stoverepairaustin.com, 1
+stovokzal.com.ua, 1
+stoxford.com, 1
+stp-ip.com, 1
+stp-ip.net, 1
+stp.dev, 1
+stpatrick.tk, 1
+stpatrickathenscatskill.org, 1
+stpatrickbayshore.org, 1
+stpatrickkennettsquare.org, 1
+stpatrickri.org, 1
+stpatricks-pelham.com, 1
+stpatricksmapleridge.ca, 1
+stpatsschool.org, 1
+stpaulcatholicchurcheastnorriton.net, 1
+stpaulsbullville.org, 1
+stperseo.tk, 1
+stpetersresidence.org, 0
+stpioparish.com, 1
+stpip.com, 1
+stpip.net, 1
+stps.dk, 0
+str8hd.com, 1
+str92.com, 1
+straalatelier.com, 1
+straatderzotten.nl, 1
+stradedelvino.ch, 1
+stradsolutions.ga, 1
+strafe-muss-sein.at, 1
+strafensau.de, 1
+straffordpub.com, 1
+strahlende-augen.info, 1
+strahovanienet.tk, 1
+straightcurlyhair.tk, 1
+straightlinetutoring.com, 1
+straightnude.com, 1
+strail-english.jp, 1
+strajnar.si, 1
+straka.name, 1
+strakertranslations.com, 1
+strakh.tk, 1
+strakonak.cz, 1
+stralau.kicks-ass.net, 1
+stralenpoedercoaten.nl, 1
+stralingsonzin.com, 1
+strana-snov.tk, 1
+strana.ga, 1
+strandedinotter.space, 1
+strandfuif.tk, 1
+strandhaus-claassen.de, 1
+strandhaus-hinter-der-duene.de, 1
+strandhousedingle.com, 1
+strandkorb-jentzsch.de, 1
+strandom.ru, 1
+strandschnuppern.de, 0
+strange.ga, 1
+strangecharmlabs.com, 1
+strangeelectricdreams.com, 1
+strangelandrecording.com, 1
+strangelandrecordingstudios.com, 1
+strangelandsoundstage.com, 1
+strangelane.com, 1
+strangelanerecords.com, 1
+strangelittlecovers.tk, 1
+strangeminds.social, 1
+strangemusicbox.com, 1
+strangemusichollywood.com, 1
+strangemusicinc.com, 1
+strangemusicinc.net, 1
+strangeonline.tk, 1
+strangers-team.fr, 1
+strangerthingsmerch.co, 1
+strangestfacts.cf, 1
+strangevip.com, 1
+strangeways.ca, 1
+strangeworksinc.com, 1
+strangeworldmerch.com, 1
+strangeworldmerchandising.com, 1
+straniero.net, 1
+strankahrvatskogprava.tk, 1
+straphael-holyangels.com, 1
+strappazzon.xyz, 1
+strashtrading.com, 1
+strass-sur-mesure.fr, 1
+strassberger.tk, 1
+strasweb.fr, 1
+stratahealth.com, 1
+strategery.io, 1
+strategia.tk, 1
+strategicemailservices.com, 1
+strategicenvironmentalassessment.gov.scot, 1
+strategiclivingblog.com, 1
+strategicmanagementinsight.com, 1
+strategicmind.com, 1
+strategicpartnersmedia.com, 1
+strategie-zone.de, 1
+stratego-belgie.tk, 1
+strategy.it, 1
+strategy66.com, 1
+strategybusiness.ga, 1
+stratejm.com, 1
+stratekispiel.at, 1
+stratfordct.gov, 1
+stratfordnh.gov, 1
+stratfordwi.gov, 1
+stratforge.com, 1
+strathspeycrown.com, 1
+strati.com.br, 1
+stratible.com, 0
+stratik.com.co, 1
+stratinator.com, 1
+stratlibs.org.uk, 1
+stratmann-b.de, 1
+stratocumulus.legal, 1
+stratos.support, 1
+stratreg.com, 1
+stratsoftware.com, 1
+strattera.ga, 1
+strattonapps.com, 1
+strattonhats.com, 1
+stratum0.org, 1
+stratuscloud.co.za, 1
+stratuscloud.group, 1
+stratuscloudconsulting.net, 1
+stratuspayments.net, 1
+stratussc.com, 1
+straubis.org, 1
+straubs.eu, 1
+strauss-advisor.de, 1
+strauss.eu.com, 1
+strauss.tirol, 1
+stravato.com, 1
+stravato.net, 1
+stravers.shoes, 1
+strawberries.tk, 1
+strawberry-laser.gr, 1
+strawberry-melon.com, 1
+strawberry.dk, 1
+strawberry.fi, 1
+strawberry.no, 1
+strawberry.se, 1
+strawberrydreadlocks.tk, 1
+strawberryhotels.com, 1
+strawberryplants.org, 1
+strawpoll.fi, 1
+stray-soul.com, 1
+straydio.co.uk, 1
+straylight.tk, 1
+strcat.ga, 1
+strd.co, 1
+stream-box.tk, 1
+stream.gifts, 1
+stream.ru, 0
+streamblur.net, 1
+streamchan.org, 1
+streamcraft.net, 1
+streamelements.com, 1
+streameo.tk, 1
+streamfood.tv, 1
+streamgifter.com, 1
+streamgoalandres.ml, 1
+streaming-download.net, 1
+streamliner.fr, 1
+streamlinerg.com, 1
+streamlineverify.com, 1
+streammasterpro.com, 1
+streamodz.com, 1
+streampanel.net, 1
+streams.dyndns.org, 1
+streamside.tk, 1
+streamsoft.pl, 1
+streamspouredout.com, 1
+streamtelly.com, 1
+streamurl.link, 1
+streamz.be, 1
+streamzilla.com, 1
+streathamfoodfestival.com, 1
+streekproducten.tk, 1
+streekwinkelkatlijk.nl, 1
+streem.com.au, 1
+streem.media, 1
+streemprn.xyz, 1
+streengis.tk, 1
+streepjescodelezer.nl, 1
+streepjesenstipjes.nl, 1
+street-clic.tk, 1
+street-hoops.tk, 1
+street-legal.tk, 1
+street-medics.fr, 1
+street-race.tk, 1
+street-racing.tk, 1
+streetart.tk, 1
+streetartcities.com, 1
+streetballromania.tk, 1
+streetcheck.co.uk, 1
+streetdancecenter.com, 1
+streetdreamz.tk, 1
+streetforceteam.tk, 1
+streetking.tk, 1
+streetliferadio.tk, 1
+streetlightdata.com, 1
+streetmaderecordz.tk, 1
+streets.mn, 1
+streetsalad.tk, 1
+streetshirts.co.uk, 1
+streetspirit.tk, 1
+streetspotr.com, 1
+streetstunters.tk, 1
+streetview.wien, 1
+streetwitnessing.org, 1
+streetwitnessingchurch.com, 1
+strefapi.com, 1
+strefapi.pl, 1
+strefarysunku.pl, 1
+strehl.tk, 1
+stremio.com, 1
+strenge-zucht.schule, 1
+strength-secure.com, 1
+strengthroots.com, 1
+stressdown.ml, 1
+stressed.tk, 1
+stressexplained.com, 1
+stressfrei-marceva.de, 1
+streszczenia.pl, 1
+stretchpc.com, 1
+stretchwrap.co.nz, 1
+strettoweb.com, 1
+striae.cf, 1
+striata.biz, 1
+striata.com, 1
+striata.info, 1
+striata.mobi, 1
+striata.org, 1
+stricken.gq, 1
+stricted.net, 1
+strictlynormal.com, 1
+strideengineering.com.au, 1
+strietwaelder-blaettche.de, 1
+strijdmeevoorvrede.gent, 1
+strijkkraal.tk, 1
+strijkshop.be, 1
+strike.money, 1
+strikeone.io, 1
+strikeout.ga, 1
+strikers.cf, 1
+strikers.futbol, 1
+strikevectorex.com, 1
+strikezonesalessystems.com, 1
+strings.cf, 1
+stripe.com, 1
+striped.horse, 1
+stripped-anarchy.xyz, 1
+strippersinthehoodxxx.com, 1
+striptizer.tk, 1
+stritai.ru, 1
+strixmusic.com, 1
+strizh.com.ua, 1
+strl-tunis.tk, 1
+strm.pl, 1
+strobe.cool, 1
+strobel.cl, 1
+strobotti.com, 1
+stroccounioncity.org, 1
+stroeck.at, 1
+stroeder.com, 1
+stroeder.de, 1
+stroeerdigital.de, 1
+stroginopk.ga, 1
+strogov.me, 1
+strogova.me, 1
+stroifenix.ru, 1
+stroigid.tk, 1
+stroimsami.tk, 1
+stroimvse.ml, 1
+stroiproect.tk, 1
+strojmaster.tk, 1
+strokesb.store, 1
+strokesurvivor.nz, 1
+strom.family, 1
+stromak.cz, 0
+stromberg.marketing, 1
+stromectol.gq, 1
+stromkomfort.cz, 1
+stromsparen24.at, 1
+stromvergleichgaspreis.de, 1
+stromzivota.sk, 1
+strona-na-medal.pl, 1
+strong-game.com, 1
+strong-iptv.online, 1
+strongblock.com, 1
+strongdm.com, 1
+strongencryption.org, 1
+stronger-communities.org.uk, 1
+strongercommunity.org.uk, 1
+strongergateway.com, 1
+stronghermoney.com, 0
+strongmind.be, 1
+strongohio.gov, 1
+strongpassword.club, 1
+strongrandom.com, 0
+strongroom.ai, 1
+strongsalpinesucculents.com, 1
+strongtomorrow.tk, 1
+strongtoto.com, 1
+strongtowerpc.com, 1
+strony365.pl, 1
+stroomacties.nl, 1
+strooming.nl, 0
+stroopwafel.ch, 1
+stropek.eu, 1
+strophicmusic.com, 1
+stropkova.eu, 1
+strosebelmar.com, 1
+strotmann.de, 1
+strousberg.net, 1
+strover.bg, 0
+stroy-klg.ru, 1
+stroyca.tk, 1
+stroydvor.tk, 1
+stroyka-iz-brusa.ru, 1
+stroykomi.tk, 1
+stroymart.bg, 1
+stroymex.online, 1
+stroynet.ml, 1
+stroyservice-tver.ru, 1
+strozik.de, 1
+strrl.com, 1
+strtrade.com, 1
+structurally.net, 1
+structure.gov.au, 1
+strugee.net, 1
+strullmeier.eu, 1
+strumpe.lv, 1
+strunecka.cz, 1
+struxureon.com, 1
+strydom.me.uk, 1
+strypsteen.com, 1
+strypsteen.me, 1
+strzelcy.org.pl, 1
+sts-consulting.it, 1
+stscecyteo.org, 1
+stsen.de, 1
+stsolarenerji.com, 1
+ststanislaus.com, 1
+ststanstrans.org, 1
+ststephensc.gov, 1
+sttammanyurology.com, 1
+sttelemediagdc.in, 1
+sttf.org.uk, 1
+stthomasbrigantine.org, 1
+stthomaschurchri.org, 1
+sttl-topographie.com, 1
+sttpk.id, 0
+sttrv.ru, 1
+stuartbeard.com, 1
+stuartbell.co.uk, 1
+stuartbell.uk, 1
+stuartcrawford.co.nz, 1
+stuartcrawford.nz, 1
+stuarteggerton.com, 1
+stuartfl.gov, 1
+stuartmorris.id.au, 1
+stuartmorris.me, 1
+stuartmorris.name, 1
+stuartmorris.tel, 1
+stuartmoving.com, 1
+stuartparsons.com, 1
+stubbings.de, 0
+stubbingsmail.de, 1
+stubbmail.de, 1
+stubentiga.de, 1
+stuc-groep.nl, 1
+stuccokingsfl.com, 1
+stuckateur-bruno.de, 0
+stucki-bagger.ch, 1
+stuckwithme.tk, 1
+stucydee.nl, 1
+stud-lib.ml, 1
+studay.fr, 1
+studboo.com, 1
+student.andover.edu, 1
+student.faith, 1
+studentaid.gov, 1
+studentenmobiliteit.be, 1
+studentenplaza.tk, 1
+studentenwerk.sh, 1
+studenterguiden.dk, 1
+studentforums.biz, 1
+studenti.tk, 1
+studentinaneta.com, 1
+studentingent.be, 1
+studentite.bg, 1
+studentjournalist.ml, 1
+studentklinikk.no, 1
+studentloans.gov, 1
+studentnep.tk, 1
+studentpop.com, 1
+studentproject.be, 1
+studentquickpay.com, 1
+studentrobotics.org, 1
+students4sports.org, 1
+studentse.fr, 1
+studentsfirstnb.com, 1
+studentstc.cz, 1
+studenttenant.com, 1
+studi-luar-negeri.tk, 1
+studiedeals.dk, 1
+studiekort.se, 1
+studiekortet.com, 1
+studiekortet.eu, 1
+studiekortet.net, 1
+studiekortet.nu, 1
+studiekortet.org, 1
+studiekortet.se, 1
+studienportal.eu, 1
+studierttomnoch.de, 1
+studio-54.tk, 1
+studio-637.com, 1
+studio-abok.com, 1
+studio-architetto.com, 1
+studio-fotografico.ru, 1
+studio-impress.com, 1
+studio-mir.tk, 1
+studio-n.pl, 1
+studio-np.ru, 1
+studio-one.ru, 1
+studio32.tk, 1
+studio4101.ga, 1
+studio413.net, 1
+studio54.tk, 1
+studio678.com, 0
+studio91.tk, 1
+studioabq.com, 1
+studioadevents.com, 1
+studioamoureus.nl, 1
+studioandrew.tk, 1
+studioat55.com, 1
+studioavvocato.milano.it, 1
+studioavvocato.roma.it, 1
+studioavvocato24.it, 1
+studiobrandano.com, 1
+studiocharloslivro.tk, 1
+studioclassic.no, 1
+studiodelbenessere.com, 1
+studiodentisticomasi.com, 1
+studiodentisticosanmarco.it, 0
+studiodoprazer.com.br, 1
+studiodpe.com, 0
+studiodriban.com, 0
+studioelo.com.br, 0
+studioevent.tk, 1
+studiofpvet.it, 1
+studiofutbol.com.ec, 1
+studiogears.com, 1
+studiograou.com, 1
+studiogronda.it, 1
+studiohelder.fr, 0
+studioherc.com, 1
+studiohomebase.amsterdam, 1
+studiolegalemarchi.tk, 1
+studiolegalepaternostro.it, 1
+studiolive.club, 1
+studiolu.tk, 1
+studiolupotti.it, 1
+studiomarcella.com, 1
+studiomenfis.com, 1
+studionowystyl.pl, 1
+studiopanamaitalia.com, 1
+studiopirrate.com, 1
+studioriehl.com, 1
+studioroxo.com, 1
+studioshiftup.net, 1
+studiosql.ml, 1
+studiostawki.com, 1
+studiostudio.net, 1
+studiosuracidenunzio.it, 1
+studiotheatrestains.fr, 1
+studiotolsta.com, 1
+studiovaud.com, 0
+studiowildverband.nl, 1
+studiozef.tk, 1
+studiozes.nl, 1
+studipad.de, 1
+studipro-formation.fr, 1
+studipro-marketing.fr, 1
+studipro.fr, 1
+studisys.net, 1
+studium.cz, 1
+studius.gq, 1
+studiweb.pro, 1
+studport.rv.ua, 1
+studsovet.cf, 1
+studsovet.tk, 1
+studuj.digital, 1
+studujdigital.cz, 1
+studujdigital.eu, 1
+studwebs.ml, 1
+studyarabic.info, 1
+studyarch.tk, 1
+studybay.com, 0
+studybeans.org, 1
+studyclerk.com, 1
+studyero.com, 1
+studyhacker.jp, 1
+studyhacker.net, 1
+studyhub.cf, 1
+studyin.jp, 1
+studyinaustraliafair.africa, 1
+studying-neet.com, 1
+studylink.com, 1
+studylish.com, 1
+studyme.ml, 1
+studynoun.com, 1
+studyosepeti.com, 1
+studyportal.net, 1
+studyservice.net, 1
+studysive.com, 1
+studyspanish-lapaz-bolivia.tk, 1
+studystack.ml, 1
+studytactics.com, 1
+studytour.ml, 1
+studytube.nl, 0
+stuermer.me, 1
+stuetzredli.ch, 1
+stuff-fibre.co.nz, 1
+stuffi.fr, 1
+stuffiwouldbuy.com, 0
+stuffsearth.com, 1
+stuhrs.dk, 1
+stuka-art.de, 0
+stulda.cz, 1
+stumeta.de, 1
+stumeta2018.de, 1
+stumeta2019.de, 1
+stumf.si, 1
+stumpblog.com, 1
+stundenplan-editor.de, 1
+stunnel.org, 1
+stunner.watch, 1
+stunning-dresses.com, 1
+stunningautos.com, 1
+stunningbikecotours.com, 1
+stunninggdansk.com, 1
+stunningkrakow.com, 1
+stunningpoland.com, 1
+stunningpoznan.com, 1
+stunningszczecin.com, 1
+stunningwarsaw.com, 1
+stunningwroclaw.com, 1
+stunov.ga, 1
+stunov.gq, 1
+stuntman.ga, 1
+stuntman.tk, 1
+stuntmen.xyz, 1
+stuntx-server.ga, 1
+stupendousproduce.com, 1
+stuphid.tk, 1
+stupidcupid.tk, 1
+stupidest.org, 1
+stupidstatetricks.com, 1
+stupidthoughts.tk, 1
+stupino-stroy.cf, 1
+sturdybusiness.com, 1
+sturents.com, 1
+sturgeonbaywi.gov, 1
+stut.tk, 1
+stutelage.com, 1
+stutsmancounty.gov, 1
+stuttgart.ga, 1
+stuudium-mail.ee, 1
+stuudium.cloud, 1
+stuudium.com, 1
+stuudium.eu, 1
+stuudium.life, 1
+stuudium.link, 1
+stuudium.net, 1
+stuudium.org, 1
+stuudium.pro, 1
+stuut.info, 1
+stuvel.eu, 1
+stuvus.de, 1
+stuvus.uni-stuttgart.de, 1
+stuyvesantoutdoor.com, 1
+stv.lol, 0
+stview.me, 1
+stvrainsdco.gov, 1
+stwcforum.tk, 1
+stwcreation.com, 1
+stworzwirusa.tk, 1
+stx.ie, 1
+stygium.net, 0
+styilishdress.tk, 1
+style-keeping.com, 1
+style-style.com, 1
+stylearray.com, 1
+stylebajumuslim.com, 1
+stylebeat.tk, 1
+styleci.io, 1
+styleclub.tk, 1
+stylecollective.us, 1
+styledbysally.com.au, 1
+styleelite.tk, 1
+styleetvieperfumes.com, 1
+styleflow.nl, 1
+stylemall.tk, 1
+stylepixo.com, 1
+stylerecap.com, 1
+stylesaag.com, 1
+stylesinmotion.co, 1
+stylesound.tk, 1
+styletheweb.cf, 1
+styletron.org, 1
+stylett.ru, 1
+styletyx.com, 1
+stylezutra.com, 1
+stylidafm.gr, 1
+stylight.co.uk, 1
+stylight.com, 1
+stylight.de, 1
+stylight.fr, 1
+stylight.it, 1
+stylight.nl, 1
+stylingstudio.ga, 1
+stylishentertainment.co.uk, 1
+stylishweddingdisco.co.uk, 1
+stylistbazaar.com, 0
+stylle.me, 1
+styllussports.com.br, 1
+stylodessens.fr, 1
+stylspire.com, 1
+styplon.cf, 1
+stypr.com, 1
+styrerommet.no, 1
+styriswaste.com, 1
+styxxx.de, 1
+su-kacagi.istanbul, 1
+su1ph3r.io, 1
+suachuanha365.com, 1
+sualkuchionline.tk, 1
+suamicowi.gov, 1
+suatdautu.com, 1
+suaudeau.fr, 1
+suaudeau.org, 1
+suayslim.com, 1
+sub-etha.se, 1
+sub-net.at, 1
+sub-topia.de, 1
+subahankamal.tk, 1
+subalert.com, 1
+subanelvolumen.tk, 1
+subaru.pl, 1
+subarudev.pl, 1
+subarupartsdeal.com, 1
+subarus.tk, 1
+subaruxv.pl, 1
+subastasdecarros.net, 1
+subastatutraslado.com.mx, 1
+subbacultcha.tk, 1
+subcero.com.ar, 1
+subdev.org, 1
+subdimension.org, 1
+subdivider.tk, 1
+subestan.tk, 1
+subgirl.ga, 1
+subiblia.com, 1
+subic.ga, 1
+subilarch.net, 0
+subject-barred.cf, 1
+subject-barred.ga, 1
+subjecto.com, 0
+subjektzentrisch.de, 1
+sublettecountywy.gov, 1
+sublimacaoshop.com.br, 1
+sublimated.tk, 1
+sublimesurface.fr, 1
+sublimetours.com, 1
+sublimigeek.fr, 1
+subliminalrecorder.com, 1
+subliminalrecordingsystem.com, 1
+submeet.vet, 1
+submelon.tech, 1
+submit-link.cf, 1
+submiteads.tk, 1
+submittable.com, 1
+submityou-rlink.tk, 1
+submityour-link.tk, 1
+subology.co, 1
+suborbital.io, 1
+subpage.tk, 1
+subscription-list.com, 1
+subscription-plus.uk, 1
+subscriptionplus.uk, 1
+subserv.tk, 1
+subsidioalempleo.cl, 1
+subsistence.wiki, 1
+subsitude.tk, 1
+subsoft.tk, 1
+substanceandprogram.info, 1
+substances.be, 1
+substitutealert.com, 1
+substore.co.il, 1
+subteen.gq, 1
+subterra.tk, 1
+subtitry.ru, 1
+subtituleros.tk, 1
+suburb.social, 1
+suburban-landscape.net, 1
+suburbaninfinitioftroyparts.com, 1
+suburbanprojects.com.au, 1
+suburbanpsych.org, 1
+suburbanurologic.com, 1
+suburbanweldingandsteel.com, 1
+suburbass.tk, 1
+suburbservice.net, 0
+subversionnews.tk, 1
+subvetcustoms.com, 1
+subway.co.id, 1
+subwaysurfers.tk, 1
+subwaytrain.tk, 1
+succesprojekter.dk, 1
+success.pp.ua, 1
+successbox.vn, 1
+successclicker.tk, 1
+successdeliv.com, 1
+successemails.ml, 1
+successible.net, 1
+successive.tech, 1
+successminds.com, 1
+successrice.com, 1
+succmy.wang, 1
+succorfish.net, 1
+succubus.network, 1
+succubus.xxx, 1
+succulentplantguru.com, 1
+succulenty.ru, 1
+sucessclick.gq, 1
+suche.org, 1
+suchhire.com, 1
+suchhunde.wien, 1
+suchmaschinen-werkstatt.de, 1
+suckerpunch.com, 1
+suckmyan.us, 0
+sucks.rip, 1
+sucolab.jp, 1
+sucomado.jp, 1
+sucomaga.jp, 1
+sucretown.net, 1
+sucro.us, 1
+sucsses.cf, 1
+sucsses.ga, 1
+sucsses.gq, 1
+sudabaus.com, 1
+sudak-turizm.tk, 1
+sudametrica.tk, 1
+sudanell.tk, 1
+sudanindependent.com, 1
+sudanindependent.net, 1
+sudaraka.org, 0
+suddenlysavvy.com, 1
+sudeleycastle.co.uk, 1
+sudetytour.cz, 1
+sudo.li, 1
+sudo.ws, 1
+sudoash.com, 1
+sudocat.me, 1
+sudoku-insight.tk, 1
+sudoku.org.ua, 1
+sudoless.com, 1
+sudoless.eu, 1
+sudoless.net, 1
+sudosaveclimate.com, 1
+sudoschool.com, 1
+sudosu.fr, 1
+sudrania.com, 1
+sudtirol.com, 1
+sudya-dredd.ru, 1
+suecaunitedfc.tk, 1
+suedtirolerhotels.it, 1
+sueletricidade.pt, 1
+suelyonjones.com, 1
+suempresa.cloud, 1
+suenotek.com, 1
+sueperclean.com, 1
+suerteloteria.com, 1
+suessenbecker.de, 1
+suessundbitter.de, 1
+suevia-ka.de, 1
+suff.co, 1
+suffix.ru, 1
+sufix.cz, 1
+sufleu.ro, 1
+sufleuri.ro, 1
+sug.hr, 1
+sugarbrother.com, 0
+sugarcube.ml, 1
+sugarcube.tk, 1
+sugardaddy.network, 1
+sugardating.network, 1
+sugarfans.com, 1
+sugarfetch.com, 1
+sugargrant.gq, 1
+sugarlandsara.com, 1
+sugarlandurology.com, 1
+sugarondemand.com, 1
+sugaropencloud.eu, 1
+sugaropencloud.uk, 1
+sugarpiano.com, 1
+sugarroll.ml, 1
+sugarsalted.com, 1
+sugarshin.net, 1
+sugartownfarm.com, 1
+sugaru.pe, 1
+sugatime.tk, 1
+sugattor.ga, 1
+sugawara-soroban.com, 1
+sugayaganka.net, 1
+suggea.com, 1
+suggestim.ch, 0
+sugoicraft.tk, 1
+sugos.cf, 1
+sugos.ga, 1
+sugos.gq, 1
+sugos.ml, 1
+suhost.com.br, 1
+suhost.site, 1
+suhsport.es, 1
+suicide.gq, 1
+suicidegirls.cf, 1
+suicidepreventioncenter.tk, 1
+suidouraku.com, 1
+suijo-bus.osaka, 1
+suike.com, 1
+suikerspinnetje.nl, 1
+suisui.stream, 1
+suite360sel.org, 1
+suiteassured.com, 1
+suitebase.org, 1
+suitecrm.com, 1
+suitemail.org, 1
+suitesafe.org, 1
+suitesapp.com, 1
+suiteuser.org, 1
+suitocracy.com, 1
+suitsandboots.ca, 1
+sujal.com, 1
+sujatadev.in, 1
+sujiao.de, 1
+sujoy.me, 1
+sujoydhar.in, 1
+sukamusik.tk, 1
+suke3.jp, 1
+suki.moe, 1
+sukirastore.com, 1
+sukiu.net, 1
+sukker-oaxaca.com, 1
+sukoyakapp.com, 1
+sukrie.net, 1
+sukruarslan.tk, 1
+suksiriwan.com, 1
+suksit.com, 0
+sulabs.org, 1
+sulakskii-canyon.ru, 1
+sulavius.tech, 1
+sulawesi-adventure.tk, 1
+suleeka.tk, 1
+sulek.eu, 1
+sulemanmalik.tk, 1
+sulemanquotes.tk, 1
+suleri.tk, 1
+sulfegate.org, 1
+sulkmen.tk, 1
+sullinssudspressurewashing.com, 1
+sullivancountypa.gov, 1
+sulman4paf.tk, 1
+sulphurspringsar.gov, 1
+sultans.tk, 1
+sulytics-tool.com, 1
+sum1.tk, 1
+suma.coop, 1
+sumac.is, 1
+sumakola.space, 1
+sumanai.gq, 1
+sumanai.tk, 1
+sumantv.com, 1
+sumaque.com, 1
+sumatogroup.com, 1
+sumatphoto.com, 1
+sumatrabarat.cf, 1
+sumatrabarat.ga, 1
+sumatrabarat.gq, 1
+sumatrabarat.ml, 1
+sumatrabarat.tk, 1
+sumatraselatan.cf, 1
+sumatraselatan.ga, 1
+sumatraselatan.gq, 1
+sumatraselatan.ml, 1
+sumatraselatan.tk, 1
+sumatrautara.cf, 1
+sumatrautara.ga, 1
+sumatrautara.gq, 1
+sumatrautara.ml, 1
+sumatrautara.tk, 1
+sumatriptan365.tk, 1
+sumbur.ga, 1
+sumcrevillent.tk, 1
+sumecho.com, 1
+sumguy.com, 1
+sumhost.ml, 1
+sumiko.moe, 1
+sumill.com, 1
+sumire.ne.jp, 1
+sumisa.cf, 1
+sumit.blog, 1
+sumit.sh, 1
+sumitbot.ga, 1
+sumitchahal.blog, 1
+sumitchahal.com, 1
+sumitronics.com.tw, 1
+sumiyakimatsu.com, 1
+sumkunado.ru, 1
+summa.eu, 0
+summarized.gq, 1
+summaryexecution.com, 1
+summaryexecution.net, 1
+summaryexecution.org, 1
+summer.ga, 1
+summer.today, 1
+summeracademy-china.org, 1
+summerbo.at, 1
+summercampthailand.com, 1
+summerdance.tk, 1
+summerfieldtwpmonroemi.gov, 1
+summerjam.de, 1
+summermc.cc, 1
+summermovies.nyc, 1
+summerschoolcybersecurity.org, 1
+summerstylessalon.com, 1
+summing.ga, 1
+summit-level.ru, 1
+summit-research.org, 1
+summitcountyboe.gov, 1
+summitcustomsbrokers.com, 1
+summitdentistry.nl, 1
+summiteyekc.com, 1
+summitlighthousela.org, 1
+summitms.gov, 1
+summitseodesign.com, 1
+sumner-jc-wi.gov, 1
+sumochki.tk, 1
+sumppumpchicagoil.com, 1
+sumpters.co.nz, 1
+sumran.in, 1
+sumtercountysc.gov, 1
+sumterhousecleaning.com, 1
+sumthing.com, 1
+sumtotal.host, 1
+sumtotallab.host, 1
+sumutoday.com, 1
+sumzero.com, 1
+sun-beach.com.ua, 1
+sun-host.ml, 1
+sun-lounge.be, 1
+sun-shield.fr, 1
+sun-studio.tk, 1
+sun-wellness-online.com.vn, 0
+sun1218.com, 1
+sun1245.com, 1
+sun1338.com, 1
+sun1345.com, 1
+sun1378.com, 1
+sun668.asia, 1
+sun668.co, 1
+sunbeltasphalt.com, 1
+sunbirdgrove.com, 1
+sunbit.com, 1
+sunblind.tk, 1
+sunbnice.com, 1
+sunburstdata.com, 1
+sunby.jp, 1
+sunby.org, 1
+suncanary.tk, 1
+suncat.tk, 1
+sunchasercats.com, 1
+sunchild.ml, 1
+suncity288.com, 1
+suncity288.net, 1
+suncity8118.cn, 1
+suncity8118.com, 1
+suncity818.cn, 1
+suncity818.com, 1
+suncity818.net, 1
+suncity8338.cn, 1
+suncity8338.com, 1
+suncity858.cn, 1
+suncity858.com, 1
+suncity8668.com, 1
+suncity8998.com, 1
+suncitycinemas.com, 1
+suncloud.ch, 0
+suncoastdisplays.com, 1
+suncoastrebuilding.com, 1
+suncomegrain.ga, 1
+suncrypto.in, 1
+sundalandia.pp.ua, 1
+sundanceusa.com, 1
+sunday.pm, 1
+sundayfundayjapan.com, 1
+sundaysky.com, 1
+sunderland.ac.uk, 1
+sunderlandmoneyman.com, 1
+sundhedsdatastyrelsen.dk, 1
+sundhedsvejen.dk, 1
+sundialpowdercoating.com, 1
+sundiel.tk, 1
+sundoctors.com.au, 0
+suneilpatel.com, 1
+sunfeathers.net, 1
+sunfiregold.com, 1
+sunfireshop.com.br, 1
+sunflare.tk, 1
+sunflowercircuitclerk.gov, 1
+sunflyer.cn, 1
+sunfox.cz, 1
+sunfulong.me, 1
+sungalsses.ml, 1
+sunglassstyle.co.nz, 1
+sungreen.info, 1
+sunhaoxiang.net, 1
+sunhills23.ru, 1
+sunho.net.tw, 1
+suniru.com, 0
+sunjaydhama.com, 1
+sunjiutuo.com, 1
+sunjob.tk, 1
+sunkar.tk, 1
+sunkavallymd.com, 1
+sunkimurology.com, 1
+sunlit.cloud, 1
+sunmantechnology.com, 1
+sunmeiren.com, 1
+sunn.ie, 1
+sunnuntaileivonta.fi, 1
+sunnuntaimargariini.fi, 1
+sunnuntaipaasiainen.fi, 1
+sunnuntaipiirakka.fi, 1
+sunnuslight.com, 1
+sunny.co.uk, 1
+sunnyhome.tk, 1
+sunnylyx.com, 1
+sunnynetworks.net, 1
+sunnyoxygen.xyz, 1
+sunnyside-jazzclub.com, 1
+sunnysideinc.ca, 1
+sunnyssingh.tk, 1
+sunnyx3m.com, 1
+sunokuran.tk, 1
+sunpax.ga, 1
+sunpediatrics.com, 1
+sunpig.com.my, 1
+sunpig.com.sg, 1
+sunpig.my, 1
+sunpig.sg, 1
+sunplay.host, 1
+sunpower.id, 1
+sunradio.tk, 1
+sunred.info, 1
+sunred.org, 1
+sunrichtec.com, 1
+sunrise.tk, 1
+sunrisebeachmo.gov, 1
+sunrisebeachtx.gov, 1
+sunroof.ga, 1
+sunroomsbywoodland.com, 1
+sunroomsbywoodlandwindows.com, 1
+sunroomschicagoil.com, 1
+sunsafe.se, 1
+sunsdesign.net, 1
+sunsetfire.de, 1
+sunsetmusic.tk, 1
+sunsetnelson.com, 1
+sunsetservicecentre.ca, 1
+sunsetweb.fr, 1
+sunsetwx.com, 1
+sunshilin.tk, 1
+sunshine-cleaners.com.au, 1
+sunshinefrontier.tk, 1
+sunshinelife.tk, 1
+sunshineoilstop.com, 1
+sunshinerequest.com, 1
+sunshinesf.org, 1
+sunshinesramblings.com, 1
+sunskyview.com, 1
+sunsong.org, 1
+sunsparksolar.co.uk, 1
+sunsquare.cz, 1
+sunstar.bg, 1
+sunstaroptical.com, 1
+sunstyl.fr, 1
+sunsumba.com, 1
+sunsun-jewelry.com, 1
+sunsun.co, 1
+sunsun.com.sg, 1
+sunsungem.com, 1
+sunsungems.com, 1
+sunsunjewellery.com, 1
+sunsunjewelry.com, 1
+sunsunjewelry.net, 1
+sunsunjewelry.org, 1
+sunticschool.org, 1
+sunvillas.vn, 1
+sunwayxfarms.com, 1
+sunwei-proxy.tk, 1
+sunwolf.studio, 1
+sunyanzi.cf, 1
+sunyanzi.tk, 1
+suomensotilas.fi, 1
+suomentilitoimistot.fi, 1
+suomiheraa.com, 1
+suomika.pl, 1
+suourl.com, 0
+sup-net.de, 1
+supa.sexy, 1
+supasomsak.de, 1
+supazena.com, 1
+supdajuice.tk, 1
+supedio.com, 1
+supedium.com, 1
+supel.cf, 1
+supel.ga, 1
+supel.gq, 1
+supel.ml, 1
+super-60.ag, 1
+super-60.biz, 1
+super-60.com, 1
+super-60.de, 1
+super-60.eu, 1
+super-60.info, 1
+super-60.net, 1
+super-60.org, 1
+super-baik.tk, 1
+super-boy.tk, 1
+super-gs.jp, 1
+super-knighki.gq, 1
+super-lolitas.tk, 1
+super-net.tk, 1
+super-o-blog.com, 1
+super-puper.su, 0
+super-silicon.com, 1
+super-trophy.de, 1
+super11.nl, 1
+super365.info, 1
+super365aa.com, 1
+super60.ag, 1
+super60.biz, 1
+super60.de, 1
+super60.eu, 1
+super60.info, 1
+super60.net, 1
+super60.org, 1
+super60plus.de, 1
+superaficionados.com, 1
+superalem.org, 1
+superb.games, 1
+superb.net, 1
+superbart.nl, 1
+superbaskirskij-med.tk, 1
+superbdistribute.com, 1
+superbestpalsclub.tk, 1
+superbir.net, 1
+superbomber.tk, 1
+superboom.dance, 1
+superbouncebouncycastles.com, 1
+superbowlkneel.com, 1
+superbugs.nl, 1
+superbuy.com.tw, 1
+supercalorias.com, 1
+supercarpets.ru, 1
+supercarrot.tk, 1
+supercastlesadelaide.com.au, 1
+supercastlesbrisbane.com.au, 1
+supercastlesmelbourne.com.au, 1
+supercastlessouthsydney.com.au, 1
+supercastlessunshinecoast.com.au, 1
+supercentenarian.com, 1
+supercharged.co.uk, 1
+supercinebattle.fr, 1
+supercontent.cf, 1
+supercontent.ga, 1
+supercontent.ml, 1
+supercontent.tk, 1
+supercorp.cf, 1
+supercours.net, 1
+superdaddy.club, 1
+superdeals.cf, 1
+superdevtools.com, 1
+superdolly.cf, 1
+superdolly.ga, 1
+superdolly.gq, 1
+superdolly.ml, 1
+superdrillers.tk, 1
+superdroni.com, 1
+supereduc.cl, 1
+superenduro.net, 1
+superfaktura.at, 1
+superfaktura.cz, 1
+superfaktura.sk, 1
+superfans.top, 1
+superfastpress.com, 1
+superfastquintessentially.co.uk, 1
+superfavorite.tk, 1
+superfinancial-dorsetbranch.co.uk, 1
+superfluous.tk, 1
+superfly.tk, 1
+superfoodsexplained.com, 1
+superfury.tk, 1
+supergmtransport.com.au, 1
+supergood.ga, 1
+supergoods.tk, 1
+supergrandmasternetwork.com, 1
+supergroup.tk, 1
+superguide.com.au, 1
+superhappiness.com, 1
+superherba.cz, 1
+superherofactory.hu, 1
+superhits.gq, 1
+superhumanendurance.ga, 1
+superhyp.de, 1
+superidea.in, 1
+superidropulitrice.com, 1
+superiordetail.tk, 1
+superiorinngrandmarais.com, 1
+superiormanifestations.com, 1
+superiormusic.tk, 1
+superioroptical.com, 1
+superioropticalva.com, 1
+superiorseamlessinc.com, 1
+superiorvision.com, 1
+superiorwi.gov, 1
+superis.eu, 1
+superkakdoma.ru, 1
+superklima.ro, 0
+superkonsult.se, 1
+superkrasota.tk, 1
+superlevel.de, 1
+superlight.tk, 1
+superlisa.nl, 1
+superlog.tk, 1
+superlol.tk, 1
+supermae.pt, 1
+supermagna.tk, 1
+supermanera.tk, 1
+supermarketkibris.com, 1
+supermarkets.ga, 1
+supermart.tk, 1
+supermarx.nl, 1
+supermedia.cool, 1
+supermeitw.com, 1
+supermercadosdia.com.ar, 1
+supermercato24.it, 1
+supermil.ch, 1
+supermini-games.tk, 1
+supermustang.tk, 1
+supern0va.net, 0
+supernatural-fans.tk, 1
+supernaturalbrand.com, 1
+supernaturalchronicles.com, 1
+supernaut.info, 1
+supernogi.ga, 1
+supernovicebaker.com, 1
+superpaczka24.pl, 1
+superpart.com, 1
+superpase.com, 1
+superpi.noip.me, 1
+superpollo.com.ec, 1
+superpowerexperts.com, 1
+superraclette.fr, 1
+supersahnetorten.de, 1
+superseguros.gob.do, 1
+superservers.ml, 1
+supershrooms.nl, 1
+supersisi.cf, 1
+supersisi.ml, 1
+superskidki.cf, 1
+supersmashflash.com, 1
+supersocial.net, 1
+supersole.net, 0
+supersolenoid.tk, 1
+supersonicsoft.com, 1
+superstargossip.com, 1
+superstarhost.tk, 1
+superstart.tk, 1
+supersteosbouncycastles.com, 1
+superstropdas.nl, 1
+supersu.kr, 1
+superswingtrainer.com, 1
+supertape.com, 1
+supertrade.tk, 1
+supertrophy.de, 1
+supertutorial.com.br, 1
+superunion.com, 1
+superuser.one, 1
+supervasan.se, 1
+supervets.com.au, 1
+supervisorbullying.com, 1
+superway.es, 1
+superwhoopi.tk, 1
+superworks.com, 1
+superzaim.ga, 1
+supfood.cz, 1
+suphelper.ru, 1
+supioka.com, 1
+suplementasi.com, 1
+suplery.com, 1
+suplindex.com, 1
+suplments.co.uk, 1
+suplments.com, 1
+suplments.de, 1
+suplments.fr, 1
+suplments.it, 1
+suplments.pt, 1
+supmil.net, 1
+suppchat.ru, 1
+suppdeals.eu, 1
+supperclub.net, 1
+suppernova.com, 1
+supplement.cf, 1
+supplementaanbiedingen.nl, 1
+supplementalconditions.com, 1
+supplementpolice.tk, 1
+supplements101.net, 1
+supplementwarehouseonline.com, 1
+supplhi.com, 1
+supplierlinkup.com, 1
+suppliersession2021.com, 1
+supplies24.at, 1
+supplies24.es, 1
+supplychainriskmanagement.com, 1
+supplynation.org.au, 1
+supplyoutlook.com, 1
+support-ticino.ch, 1
+support.it, 1
+support.mayfirst.org, 0
+support1448.com, 1
+support1448.org, 1
+support4professionals.nl, 1
+supportal.one, 1
+supportericking.org, 1
+supportfan.gov, 1
+supporthost.com, 1
+supportingspeciallearners.com, 1
+supportiv.com, 0
+supportivecare.org, 1
+supportlafd.org, 1
+supportme123.com, 0
+supportmeindia.com, 1
+suppos-net.tk, 1
+supra.tf, 1
+supracube.com, 1
+supraelco.com, 1
+suprax365.tk, 1
+suprem.biz, 0
+suprem.ch, 0
+supremacrypt.com, 1
+supreme-council.me, 1
+supreme-court.tk, 1
+supremeexclusivecandles.com, 1
+suprememale.tk, 1
+supremestandards.com, 1
+suprintbot.xyz, 1
+supriville.com.br, 1
+supropionegocio.tk, 1
+supweb.ovh, 0
+supwoman.site, 1
+supya.co, 1
+suranganet.tk, 1
+surasak.org, 1
+surasak.tk, 1
+suravi.in.net, 1
+suraya.online, 1
+sure-it.de, 1
+surebets.bet, 1
+surecloud.com, 0
+surefit-oms.com, 1
+surefleet.com.au, 1
+surelyhired.com, 1
+suresi.com.tr, 1
+suresi.gen.tr, 1
+surest.com, 0
+surf1969.tk, 1
+surfacespots.ga, 1
+surfandturfroofing.com, 1
+surfbluewave.com, 1
+surfenergy.tk, 1
+surfingshare.com, 1
+surfkath.de, 1
+surflessonslisbon.com, 1
+surfnetkids.com, 1
+surfnetparents.com, 1
+surfocal.com, 0
+surfocal.net, 1
+surfoleon.tk, 1
+surfseo.ml, 1
+surfseo.tk, 1
+surfsm2.ddns.net, 1
+surgatekno.com, 1
+surgeholdinggroup.com, 1
+surgeongeneral.gov, 1
+surgicalassociates.sg, 1
+surgicalassociateswny.com, 1
+surgicalresourcesgroup.com, 1
+surgispa.net, 1
+surgoinsvilletn.gov, 1
+surialternat.tk, 1
+surik.de, 1
+surikov.tk, 1
+suriname.tk, 1
+suriyainvestments.com, 1
+surkum.eu, 1
+surl.win, 1
+surma.tk, 1
+surnganet.tk, 1
+suroil.com, 1
+suroot.moe, 1
+suros.com.tw, 0
+surpassexam.com, 1
+surpasshosting.com, 1
+surplusdirectory.ml, 1
+surplusrecord.com, 1
+surpreem.com, 1
+surprisepubliclibrary.gov, 1
+surpriz-net.tk, 1
+surrealdb.com, 1
+surrealistas.tk, 1
+surreycyclingclub.co.uk, 1
+surreyheathyc.org.uk, 0
+surreysportspark.co.uk, 1
+surrogacyaccount.com, 1
+surrycountync.gov, 1
+surrycountyncvotes.gov, 1
+surthriveak.com, 1
+suruifu.com, 1
+suruifu.tk, 1
+suruno.com, 0
+survature.com, 1
+surveer.com, 1
+surveyapp.io, 1
+surveyberbayar.com, 1
+surveyhealthcare.com, 1
+surveyorcloud.com, 1
+surveyremover.tk, 1
+surveyspy.net, 1
+surveytester.com, 1
+surveyviet.com, 1
+survicate.com, 1
+survival-mastery.com, 0
+survivalgearideas.com, 1
+survivalknivar.se, 1
+survivebox.fr, 1
+survivebox.net, 1
+survivingmesothelioma.com, 1
+suryayurveda.com, 1
+sus.zone, 1
+susajja.com, 1
+susanacruzdesign.com, 1
+susanagomez.tk, 1
+susanbpilates.co, 1
+susanbpilates.com, 1
+susanmmeyersauthor.com, 1
+susann-kerk.de, 1
+susanna-komischke.de, 1
+susannaridge.com, 1
+susconam.org, 1
+susdomicilios.co, 1
+suse.com, 1
+suseki.ga, 1
+sushi-sakura.tk, 1
+sushi.roma.it, 1
+sushibesteld.nl, 1
+sushifrick.de, 1
+sushikatze.de, 1
+sushilmedicos.tk, 1
+sushiprints.com, 1
+susiestoddart.tk, 1
+suska.tk, 1
+susoft.tk, 1
+susosudon.com, 1
+suspect.id, 1
+suspensebox.com, 1
+suspiciousdarknet.xyz, 1
+suss.be, 1
+sussexheart.com, 1
+sussexsecurityinstallations.co.uk, 1
+sussexwi.gov, 1
+sussmanshank.com, 1
+sustain.software, 1
+sustainability.gov, 1
+sustainabilityknowledgegroup.com, 1
+sustainabilitysmartips.com, 1
+sustainabilitysociety.hk, 1
+sustainableweb.dk, 1
+sustainalists.com, 1
+sustainalytics.com, 0
+sustained.tk, 1
+sustaineukraine.org, 1
+sustainimum.com, 1
+sustainimum.eu, 1
+sustainimum.net, 1
+sustainimum.nl, 1
+sustainimum.org, 1
+sustainoss.org, 1
+sustc.ac.cn, 1
+sustekova.eu, 1
+susthx.com, 1
+susumulus.ml, 1
+suswhw.top, 1
+sut-b.de, 1
+sutabi.tk, 1
+suter.au, 1
+suter.id.au, 1
+suternetwork.ch, 1
+suth.jp, 1
+sutherlinoregon.gov, 1
+sutinenmatthews.tk, 1
+sutmar-anwaltskanzlei.de, 1
+sutore.com, 1
+suttacentral.net, 1
+suttonbank.com, 1
+sutty.nl, 1
+suurhelsinki.cf, 1
+suuria.de, 1
+suutaripaivat.fi, 1
+suv4.net, 1
+suvalor.com, 1
+suvari.com.tr, 1
+suvidhaapay.com, 1
+suvirink.lt, 1
+suvisioninc.com, 1
+suwanneecountyfl.gov, 1
+suwanya.cn, 1
+suwcountyfl.gov, 1
+suwebcreativa.com, 1
+suyati.com, 0
+suzannejauchius.com, 1
+suzansalem.nl, 1
+suzdalgrad.cf, 1
+suziepachecoart.com, 1
+suzikogsm.tk, 1
+suzuki-aps.de, 1
+suzuki.com, 1
+suzukiarindo.co.id, 1
+suzukibali.id, 1
+suzukicintadamai.co.id, 1
+suzukicycles.com, 1
+suzukimarinepress.com, 1
+suzukinjs.co.id, 1
+suzukinozomu.tk, 1
+suzukisumberbaru.co.id, 1
+suzukisurakarta.co.id, 1
+suzukitradajateng.co.id, 1
+suzukitradajatim.co.id, 1
+suzukiumc.co.id, 1
+sv-1966-medenbach.de, 0
+sv-bachum-bergheim.de, 1
+sv-ec-ditzingen.de, 1
+sv-gymlil.de, 1
+sv-schody.cz, 1
+sv-turm-hohenlimburg.de, 1
+sv-webdesign.com, 1
+sv.search.yahoo.com, 0
+sv1862ruesselsheim.de, 0
+sv1880-lichtenau.de, 0
+sv388.bz, 1
+sv443.net, 1
+svager.cz, 1
+svak-gutachter.de, 0
+svanstrom.com, 1
+svanstrom.org, 1
+svantner.sk, 1
+svarka22.ml, 1
+svarka24.com.ua, 1
+svarka26.gq, 1
+svarmax.com.ua, 1
+svarovani.tk, 1
+svatba.cf, 1
+svatba.ml, 1
+svatbamisiaviti.tk, 1
+svatyjur.tk, 1
+svauto.ks.ua, 1
+svc-sitec.com, 1
+svc-sitec.com.mx, 1
+svc-sitec.org, 1
+svc-studioslive-api-dev.azurewebsites.net, 1
+svc-tools.ru, 1
+svc1.xyz, 1
+svcs.pp.ua, 1
+svdb.co, 0
+sve-hosting.nl, 1
+svealandsgruppen.tk, 1
+svecbeton.cz, 1
+svedalataxi.com, 1
+svedorszag.tk, 1
+sveikas.info, 1
+svenbacia.me, 1
+svendgram.com, 1
+svendubbeld.nl, 1
+sveneckelmann.de, 1
+svenhammond.com, 1
+svenjaundchristian.de, 1
+svenmuller.com, 1
+svenmuller.nl, 1
+svenpeter.eu, 1
+svenpeter.info, 1
+svenpeter.me, 1
+svenpeter.net, 1
+svenpeter.org, 1
+svenska.events, 1
+svenskakyrkansunga.tk, 1
+svenskapsalmer.se, 1
+svenskarnaochinternet.se, 1
+svenskdam.se, 1
+svenskmediabevakning.se, 1
+svensson-generators.be, 1
+sverdlov.spb.ru, 1
+sverdlovsk.gq, 1
+sverdlovsk.ml, 1
+sverdlovsk.tk, 1
+sverlo.cf, 1
+svet.tk, 1
+svetandroida.cz, 1
+svetbank.cz, 1
+svetila.com, 1
+svetix.ch, 1
+svetkuenergija.lv, 1
+svetlanamamedova.tk, 1
+svetlayarus.tk, 1
+svetlilo.com, 1
+svetlograd.tk, 1
+svetoch.ga, 1
+svetoch.tk, 1
+svetodiod.gq, 1
+svetonaushniki.tk, 1
+svetplast.spb.ru, 0
+svetrelaxu.cz, 1
+svetserialov.to, 1
+svfitness.ru, 1
+svg-board.ml, 1
+svg.beauty, 0
+svgdesigns.com, 1
+svge.ms, 1
+svgems.xyz, 1
+svgwg.org, 1
+svgzone.tk, 1
+svh.nl, 1
+svhni.nl, 1
+svia.nl, 1
+sviatzoo.com, 1
+svin.loan, 1
+svirel.ga, 1
+svitilny.cz, 1
+sviz.pro, 1
+svj-stochovska.cz, 1
+svjvn.cz, 1
+svkpk.cz, 1
+svlh.gov, 1
+svm-basketball.de, 1
+svn-yokaiispirit.ddns.net, 1
+svnty2.dedyn.io, 1
+svobodny.fr, 1
+svobodnyblog.cz, 1
+svodjapan.info, 1
+svoi-ugolok.tk, 1
+svoimi-slovami.tk, 1
+svorcikova.cz, 1
+svorkmofotball.tk, 1
+svoya-energy.com.ua, 1
+svpe.de, 1
+svpe.eu, 1
+svportalframe.com, 1
+svrjs.org, 1
+svrtech.com.tr, 1
+svrx.one, 1
+svse.global, 1
+svseglobal.com, 1
+svsewerut.gov, 1
+svswebmarketing.com, 1
+svtemplemn.org, 1
+svtl.ch, 1
+svtr.de, 1
+svtv.org, 1
+svwissel.tk, 1
+sw-machines.io, 1
+sw-s.info, 1
+sw-servers.net, 1
+sw33tp34.com, 1
+swa-il.gov, 1
+swabifoundation.tk, 1
+swacash.com, 1
+swacu.org, 1
+swadeshiherbal.com, 1
+swag.live, 1
+swag.pw, 1
+swagat.tk, 1
+swagger.io, 1
+swagger.london, 1
+swaglookbook.com, 1
+swagmoney.enterprises, 1
+swagsocial.net, 0
+swahili-dictionary.com, 1
+swain.tk, 1
+swallowforum.tk, 1
+swallsoft.co.uk, 1
+swallsoft.com, 1
+swanbitcoin.com, 1
+swanbullion.com, 0
+swansdoor.org, 1
+swanseama.gov, 1
+swantonvt.gov, 1
+swanvinylworks.com, 1
+swap-ict.nl, 1
+swap.gg, 1
+swap.ly, 1
+swapbox.tk, 1
+swapfiets.com, 1
+swapfiets.de, 1
+swapfiets.nl, 1
+swapfin.com, 1
+swappa.com, 1
+swapspace.co, 1
+swarfarm.com, 1
+swargvibha.tk, 1
+swarlys-server.de, 1
+swarovskijewelry.tk, 1
+swat.io, 1
+swat4stats.com, 1
+swataratwpauthority-pa.gov, 1
+swatee.com, 1
+swavlambancard.gov.in, 1
+sway-cdn.com, 1
+sway.com, 1
+swayampaaka.com, 1
+swc-cfc.gc.ca, 1
+swcleanair.gov, 1
+swd.media, 1
+swdb.jp, 1
+swe77.com, 1
+swe777.com, 1
+sweak.net, 1
+sweat-shirts.tk, 1
+sweatercon.com, 1
+swebdigitalmarketing.com, 1
+swecha.org, 1
+swedbank.com, 1
+swedbank.se, 1
+swederica.tk, 1
+swedish-saints.tk, 1
+swedish.so, 1
+swedishforces.tk, 1
+swedishhost.com, 1
+swedishhost.se, 1
+sweep-me.net, 1
+sweep-staging.com, 0
+sweep.net, 0
+sweeppeasweeps.com, 1
+sweet-spatula.com, 1
+sweet64.fr, 1
+sweetair.com, 1
+sweetairlines.tk, 1
+sweetamoris.de, 1
+sweetbabyjesus.com, 1
+sweetbasilscafe.com, 1
+sweetcalculus.ru, 1
+sweetcoraline.eu.org, 1
+sweetcorner.tk, 1
+sweetdata.io, 1
+sweetdeko.com, 1
+sweeteleven.tk, 1
+sweetgood.de, 1
+sweetgracemarket.com, 1
+sweethearts.tk, 1
+sweetheartvideo.com, 1
+sweethomesnohomishrenovations.com, 1
+sweethorses.tk, 1
+sweetintrigue.tk, 1
+sweetlegs.jp, 1
+sweetlycakes.com, 1
+sweetparis.cf, 1
+sweetpinkpussy.org, 1
+sweetpummelfee.com, 1
+sweets-mimatsu.com, 1
+sweetsandlifestyle.com, 1
+sweetsideofsweden.com, 1
+sweetsinner.com, 1
+sweetspot.co.kr, 1
+sweetsugarcakes.com, 1
+sweetsusinrw.org, 1
+sweettreatscookiedough.com, 1
+sweetvanilla.jp, 1
+sweetwatercountywy.gov, 1
+sweetwatertn.gov, 1
+sweetwatertx.gov, 1
+sweetydecor.ru, 1
+sweharris.org, 1
+swelife.se, 1
+swellnote.com, 1
+swentr.site, 1
+swerve-media-testbed-03.co.uk, 1
+swet.com.ua, 1
+swetrust.com, 1
+swfmax.com, 1
+swgoh4.life, 1
+swha.xyz, 1
+swhi.net, 1
+swhw.io, 1
+swi.sytes.net, 1
+swiatpilki.com, 1
+swid.co.uk, 1
+swiezastrona.pl, 1
+swift-devedge.de, 1
+swiftbonds.com, 1
+swiftcashforcars.com.au, 1
+swiftcodetoday.com, 1
+swiftcom.co.za, 1
+swiftcrypto.com, 1
+swiftcyclist.com, 1
+swifteh.net, 1
+swiftfactory.io, 1
+swiftgram.ml, 1
+swiftink.com, 1
+swiftirc.net, 1
+swiftmod.net, 1
+swiftmodcdn.net, 1
+swiftopal.com, 1
+swiftoutput.com, 1
+swiftpak.co.uk, 1
+swiftqueue.com, 1
+swiftrecharge.com, 1
+swiggles.com, 1
+swilabible.be, 0
+swilagod.be, 1
+swilatag.be, 1
+swilly.org, 1
+swim-play.ru, 1
+swim-smart.com, 1
+swim.aero, 1
+swimclubinsurance.com, 1
+swimhome.es, 1
+swimlane.com, 1
+swimmingpoolaccidentattorney.net, 1
+swimmingpoolpumpsbassonia.co.za, 1
+swimpool.co.il, 1
+swimpools.co.il, 1
+swimready.net, 1
+swimwear365.co.uk, 1
+swindonbus.co.uk, 1
+swindontennisclub.azurewebsites.net, 1
+swindontennisclub.org, 1
+swineson.me, 1
+swing.berlin, 1
+swingcompleto.com, 1
+swingerclub.in, 1
+swingers.com.pt, 1
+swingle.ga, 1
+swingmonkey.com, 0
+swingstel.tk, 1
+swingular.com, 1
+swingwomenswellness.com, 1
+swingz.com.au, 1
+swipedon.com, 1
+swipelux.com, 1
+swipetv.ie, 1
+swireshipping.com, 1
+swish-ict.com, 1
+swishmail.com, 1
+swiss-apartments.com, 0
+swiss-connection.net, 0
+swiss-export-compliance.com, 1
+swiss-vanilla.ch, 1
+swiss-vanilla.com, 1
+swiss-watch.com.ua, 1
+swissaquashop.ch, 1
+swissbearfoodservices.com, 1
+swissbit.com, 1
+swissborg.com, 1
+swisscannabis.club, 1
+swisschat.tk, 1
+swissdomaintrustee.ch, 1
+swissentreprises.ch, 1
+swisservers.com, 1
+swissfreshaircan.ch, 0
+swissfreshaircan.com, 0
+swissgrid.ch, 0
+swisshex.ch, 1
+swisshex.net, 1
+swissinternationalva.com, 1
+swisslinux.org, 1
+swissneutral.net, 1
+swissnoso.ch, 1
+swissquawk.ch, 1
+swisstechmap.ch, 1
+swisstranslate.ch, 0
+swisstranslate.fr, 0
+swissurf.tk, 1
+swissvanilla.ch, 1
+swissvanilla.com, 1
+swisswebhelp.ch, 1
+swissxperts.ch, 1
+switch-defekt.de, 1
+switch-trader.com, 1
+switch.pt, 0
+switch2osm.org, 1
+switchassur.fr, 1
+switchbacksystems.com, 1
+switchboard.lgbt, 1
+switchbyte.nl, 1
+switcheo.exchange, 0
+switcheo.rocks, 1
+switchinitiatives.com, 1
+switchinitiatives.fr, 1
+switchinitiatives.org, 1
+switchur.com, 1
+swizio.com, 1
+swjen.com.sg, 1
+swjtu.today, 1
+swjz.art, 1
+swkdevserver.tk, 1
+swktestserver.tk, 1
+swmlink.com, 1
+swn-nec.de, 1
+swocaoh.gov, 1
+swoop-qa.cloud, 1
+swoop.cloud, 1
+swopre-appgallop.azurewebsites.net, 1
+swordfeng.xyz, 1
+swordfighting.net, 1
+swordpop.cf, 1
+swordpop.gq, 1
+sworkit.com, 1
+sworn.ga, 1
+swosplinter.nl, 1
+swostik.com, 1
+swot-digital.com, 1
+swparegionalcad.gov, 1
+swpat.org, 1
+swprowood.com, 1
+swqa.hu, 1
+swretail.ga, 1
+swtp-p-appsrv-coordination-backend-businessservices1.azurewebsites.net, 1
+swtp-p-appsrv-donorevaluation-api-businessservices1.azurewebsites.net, 1
+swtp-p-appsrv-protocol-api-businessservices1.azurewebsites.net, 1
+swtrayssq.gq, 1
+swtun.com, 1
+swunmath.com, 1
+swvatoday.com, 1
+swvaux.com, 1
+swwc.com, 1
+swxtd.com, 1
+swy.cz, 1
+swyn.net, 1
+swynwyr.com, 1
+sx3.no, 1
+sx6729.com, 1
+sx8.ovh, 1
+sxilm.com, 1
+sxistolithos.gr, 1
+sxmd99.com, 1
+sy-anduril.de, 1
+sy24.ru, 1
+syaeful12ips.tk, 1
+syakeapps.net, 1
+syakonavi.com, 1
+sybersense.com, 1
+syc-rotterdam.tk, 1
+sycamorememphis.org, 1
+sycca.com, 1
+sychov.pro, 1
+sycorr.com, 1
+sydcatholicschools.nsw.edu.au, 1
+sydgrabber.tk, 1
+sydmoen.com, 1
+sydneyaustralia.tk, 1
+sydneybusinessweb.com.au, 1
+sydneydesignprint.com.au, 1
+sydneyhelicopters.com.au, 1
+sydneylawnandturf.com.au, 0
+sydneylounge.ga, 1
+sydneyshisha.com.au, 1
+sydneysteinger.com, 1
+sydneyvangelder.com, 0
+sydneyvapeshub.com, 1
+syds.xyz, 1
+syedmuhdadasgardezi.tk, 1
+syenar.net, 1
+sygnalista-24.pl, 1
+sykam.com, 1
+sykepleien.no, 0
+sykiotis.com, 1
+sykorp.com, 1
+sylaps.com, 0
+sylcon.es, 0
+sylencegsm.com, 1
+sylfie.net, 1
+sylino.tk, 1
+syllogi.xyz, 1
+sylphix.cn, 1
+sylvaindurand.fr, 1
+sylvaindurand.org, 1
+sylvainkalache.com, 1
+sylvaloir.fr, 1
+sylvangarden.net, 1
+sylvantownshipmi.gov, 1
+sylviaharke.de, 1
+sylviemifsud.fr, 1
+sylwiart.pl, 1
+sylwiaspychala.pl, 1
+sym01.com, 1
+symantec.com.ru, 1
+symatrix.co.uk, 1
+symbility.net, 1
+symbiose-com.ch, 0
+symbiose-immobilier.ch, 0
+symbiose.com, 1
+symbiosecom.ch, 0
+symbiote.com.au, 1
+symbioxr.com, 1
+symbolics.digital, 1
+symbolnodes.org, 1
+symdevinc.com, 1
+symeonchen.com, 1
+symetrix.tk, 1
+symetryk.tk, 1
+symflower.com, 1
+symfoninews.com, 1
+symfora-meander.nl, 1
+syminsight.tk, 1
+symlink.io, 1
+symlnk.de, 1
+symoteb.ir, 1
+sympa-by.eu, 1
+sympletrade.com, 1
+symplexia.com.br, 1
+symplyos.tk, 1
+sympmarc.com, 1
+symposit.com, 1
+symposium.beer, 1
+symptome-erklaert.de, 1
+symvolik.ru, 0
+syna.dev, 1
+syna.site, 1
+synabi.com, 0
+synackrst.net, 1
+synapse.pe, 1
+synapsemedical.com.au, 1
+synapsepain.com, 0
+synaptickz.me, 1
+synccentre.com, 1
+syncevolution.org, 1
+syncgal.com, 1
+synchrocity.no, 1
+synchrocube.com, 1
+synchronic.pl, 1
+synchronicity.cz, 1
+synchronicity.icu, 1
+synchronicity.one, 1
+synchronyse.com, 1
+synclio.com, 1
+syncmylife.net, 0
+syncpal.de, 1
+syncplay.pl, 1
+syncresis.com, 1
+syncrony.com, 1
+syncsci.com, 1
+syncspace.live, 1
+syndicats.de, 1
+syndigo.com, 1
+syndika.co, 1
+syndikalismus-im-laendle.tk, 1
+syneart.com, 1
+synecek11.cz, 1
+synedat.com, 1
+synergia.ink, 1
+synergiamedicalcare.es, 1
+synergiedenken.de, 1
+synergisticsoccer.com, 1
+synergy-logistics.tk, 1
+synergyofserra.com, 1
+synergytherm.com, 1
+synergyzone.tk, 1
+synerio.com, 1
+synerionagile.com, 1
+synfrait.com, 1
+synitsa.tk, 1
+synlab-recrute.fr, 1
+synlab.es, 1
+synology-distribution.de, 1
+synology.com, 0
+synonimluksusu.pl, 1
+synony.me, 1
+synonym24.at, 1
+synoptek.com, 1
+synotna.eu, 1
+synrelay.com, 1
+syntaxnightmare.com, 1
+syntaxsociety.se, 1
+syntech.co.za, 1
+synth.no, 1
+synthax.codes, 1
+synthesis.ru, 1
+syntheticgrassliving.com.au, 1
+synthetictrading.com, 1
+synthetis.com, 1
+synthezis.tk, 1
+synthgularity.net, 1
+syntia.tk, 1
+syntric.io, 1
+syobon.org, 1
+syogainenkin119.com, 1
+syoier.com, 1
+syok.my, 1
+syonix.ru, 1
+syotatakahashi.com, 1
+syphax.ml, 1
+syplasticsurgery.com, 1
+sypp.net, 1
+sypra-host.tk, 1
+sypreformas.tk, 1
+syptak.eu, 1
+syquel-systems.de, 1
+syr.gov, 1
+syracuseut.gov, 1
+syrea.com, 1
+syrianair.cf, 1
+syrianair.ga, 1
+syrianair.ml, 1
+syrianet.cf, 1
+syrius.tk, 1
+syronex.com, 1
+sys-admin.fr, 1
+sys-stat.de, 1
+sys-state.de, 1
+sys-tm.com, 1
+sys.as, 1
+sys001-homenet.duckdns.org, 1
+sysadmin.pm, 1
+sysadmin.xyz, 0
+sysadmin21.tk, 1
+sysadmins.ro, 1
+sysadvisors.pl, 1
+sysaid.com, 1
+sysbert.de, 1
+syscap.co.uk, 1
+syscap.com, 1
+syscap.uk, 1
+syscapassetfinance.uk, 1
+syscaponline.co.uk, 1
+syscom.be, 1
+sysconautomation.com, 1
+syscoon.com, 1
+sysctl.se, 1
+syscurve.com, 1
+sysdb.io, 1
+syselg.com, 1
+sysert.tv, 0
+sysgap-gsci.com, 1
+syska.com, 1
+syslogic.io, 1
+sysmike.de, 1
+sysmike.net, 1
+sysnet.cz, 1
+sysoons.com, 1
+sysopworld.cf, 1
+sysopworld.ga, 1
+sysopworld.gq, 1
+sysopworld.ml, 1
+sysrigar.com, 1
+sysrq.in, 1
+sysrq.tech, 0
+syssolindia.com, 1
+sysstate.de, 1
+systea.fr, 1
+systea.net, 1
+system-admin-girl.com, 1
+system-design.tk, 1
+system-erp.com.pl, 1
+system-fehler.tk, 1
+system-informer.com, 1
+system-m.de, 0
+system.is, 1
+system.md, 1
+system4travel.com, 1
+systemart.pro, 1
+systematic-momo.com, 1
+systematic-momo.dk, 1
+systematik.nu, 1
+systemausfall.org, 1
+systemb.ch, 1
+systemblog.tk, 1
+systemc.com, 0
+systemchange.in, 1
+systemd.ch, 0
+systemd.eu.org, 1
+systemerka.pl, 1
+systemerr.tk, 1
+systemhaus.saarland, 1
+systeminformer.com, 1
+systemintegra.ru, 0
+systemisbusy.info, 1
+systemlead.pl, 1
+systemli.org, 1
+systemonthego.com, 1
+systems-thinking.eu, 1
+systemsense.com.au, 1
+systemsinblue.tk, 1
+systemsoftwareleader.com, 1
+systemswizard.io, 1
+systemtoto.ml, 1
+systemysportowe.pl, 1
+systemzeit.info, 1
+systime.dk, 1
+systoolbox.net, 1
+syswap.fr, 1
+syswiki.org, 1
+sysystems.cz, 1
+syt3.net, 1
+sytenko.org.ua, 1
+sytoshine.com, 1
+syuez.com, 1
+syunpay.cn, 1
+syuumi.eu, 1
+syuumi.me, 1
+syzygy-tables.info, 1
+syzygycareers.com, 1
+sz-ideenlos.de, 1
+sz-lessgym-kamenz.de, 1
+szabadpingvin.eu, 1
+szablinski.pl, 1
+szachowaprzygoda.pl, 1
+szadeczky.com, 1
+szafkirtv.pl, 1
+szakszervezet.work, 1
+szalaiterko.hu, 1
+szamitogepdepo.com, 1
+szamlarobot.hu, 1
+szamotulskanocnapiatka.pl, 1
+szasz.me, 1
+szaszm.tk, 0
+szclsya.me, 1
+szczury.org, 1
+szeged365.hu, 1
+szegediszobafestok.hu, 1
+szektor.com, 1
+szektor.net, 1
+szelagnes.com, 1
+szelagnes.hu, 1
+szemuvegtrend.hu, 1
+szentistvanpt.sk, 1
+szepsegbennedrejlik.hu, 1
+szerbnyelvkonyv.hu, 1
+szerelem.love, 1
+szgfeds.com, 1
+szhighsun.com, 1
+szih.org.pl, 1
+szilaghi.com, 1
+szilagyicsalad.ddns.net, 1
+szili.uk, 1
+sziluett.xyz, 1
+szimpla.hu, 1
+szinezdmagad.hu, 1
+szkkss.com, 0
+szklarnia.pro, 1
+szkolajazdykaleta.pl, 1
+szkolenia-dron.pl, 1
+szlovaknyelv.hu, 1
+szlovennyelv.hu, 1
+szmidtinwest.pl, 1
+szotkowski.fun, 1
+szotkowski.info, 1
+szotkowski.online, 1
+szotkowski.tech, 1
+szpet.jp, 1
+szpf.tf, 1
+szpro.ru, 1
+szs-arbeitssicherheit.de, 1
+szs.space, 1
+szsyidc.cf, 1
+sztfh.hu, 1
+sztoriboljeles.hu, 1
+sztreasure.com, 1
+sztuanzi.top, 1
+sztyup.com, 1
+szuecs.net, 1
+szw-hessen.de, 1
+szwrc.co, 1
+szww99.cc, 1
+szybkiebieganie.pl, 1
+szymczak.at, 1
+szyndler.ch, 1
+szyszkowitz.at, 1
+szzsivf.com, 1
+t-1.org, 0
+t-10.nz, 1
+t-cophony.com, 1
+t-dent.com, 1
+t-fischer.net, 1
+t-hawk.com, 1
+t-inn.tk, 1
+t-m.me, 1
+t-moon.hr, 1
+t-network.nl, 1
+t-op1.com, 1
+t-op10.com, 1
+t-op6.com, 1
+t-op7.com, 1
+t-op8.com, 1
+t-op9.com, 1
+t-pc.org, 1
+t-pravda.net, 1
+t-shirt-template.com, 1
+t-shirts4less.nl, 1
+t-shirty.tk, 1
+t-so.de, 1
+t-unit.ru, 1
+t-wirth.de, 1
+t-zrenia.ru, 1
+t.ar, 1
+t.ee, 1
+t.facebook.com, 0
+t.net.co, 1
+t.pe, 1
+t.rip, 1
+t00228.com, 1
+t08.co, 1
+t09.cc, 1
+t09.co, 1
+t0kie.space, 1
+t0ny.name, 1
+t12u.com, 1
+t1cloud.com, 1
+t1f.ru, 1
+t2-sit-test.tk, 0
+t2000headphones.com, 1
+t2000laserpointers.com, 1
+t22.uk, 1
+t2data.com, 1
+t2informatik.de, 1
+t2tea.com, 1
+t33.eu, 1
+t36533.com, 1
+t3concrete.my, 1
+t3hty.fr, 1
+t3rror.net, 1
+t3terminal.com, 1
+t4-wiki.de, 1
+t404.de, 1
+t47.io, 1
+t4c.link, 1
+t4gh.com, 1
+t5118.com, 1
+t51365.com, 1
+t5197.co, 1
+t630.nl, 1
+t6729.co, 1
+t6957.co, 1
+t7035.com, 0
+t776633.com, 1
+t7e.de, 1
+t7tech.net, 1
+t8.software, 1
+t82365.com, 1
+t8803.com, 1
+t8805.com, 1
+t8807.com, 1
+t8809.com, 1
+t8815.com, 1
+t8817.com, 1
+t8819.com, 1
+t8830.com, 1
+t88gg.com, 1
+t88jj.com, 1
+t88mm.com, 1
+t88nn.com, 1
+t88oo.com, 1
+t88ss.com, 1
+t88vip0.com, 1
+t88vip1.com, 1
+t88vip2.com, 1
+t88vip3.com, 1
+t88vip4.com, 1
+t88vip5.com, 1
+t88vip6.com, 1
+t88vip7.com, 1
+t88ww.com, 1
+t88yy.com, 1
+t8software.cn, 1
+t8software.com.hk, 1
+t8software.nl, 1
+t8w.de, 1
+t90official.games, 1
+t9297.co, 1
+t9728.co, 1
+ta-da.ua, 1
+ta-hiroshi.jp, 1
+ta-maison.fr, 1
+ta-nehisicoates.com, 1
+ta-nuth.nl, 0
+ta-server.nl, 1
+ta-soest.nl, 0
+ta65.com, 1
+taabe.net, 1
+taakjhaknews.com, 1
+taaltaal.nl, 1
+taanishsaifu.gq, 1
+taapk.com, 1
+taarnby.dk, 1
+taartbesteld.nl, 1
+taartenvankoenie.tk, 1
+taartenvanmireille.nl, 1
+taartenvanthea.nl, 1
+taat.edu.ee, 1
+tab.com, 1
+tabacarika.tk, 1
+tabacundo.tk, 1
+tabacundolindo.tk, 1
+tabadotupi.tk, 1
+tabakerka.tk, 1
+tabarnak.ga, 1
+tabby.cz, 1
+tabclassics.tk, 1
+tabe.cn, 1
+tabegamisama.com, 1
+tabelaci.tk, 1
+tabelekaloryczne.waw.pl, 1
+tabella.fi, 1
+taberna.tk, 1
+tabernaalibaba.tk, 1
+tabi-news.com, 1
+tabi-runrun.com, 1
+tabi-time.com, 1
+tabira.tk, 1
+tabisuta.com, 1
+tabiteollisuus.tk, 1
+tablamatica.tk, 1
+tablascreek.com, 1
+tableandhearth.com, 1
+tableconvert.com, 1
+tabledown.ga, 1
+tabledusud.be, 1
+tabledusud.nl, 1
+tablepaddie.com, 1
+tablepaddies.com, 1
+tableres.com, 1
+tablerocksbestrealtors.com, 1
+tablet.facebook.com, 0
+tablet4me.de, 0
+tabletd.com, 1
+tabletennis-reference.com, 1
+tabletennis-tt.tk, 1
+tablethotels.com, 1
+tabletkinamase.ga, 1
+tabletkinatradzik.ga, 1
+tabletopwealth.reviews, 0
+tablettes-tactiles.tk, 1
+tablosec.com, 1
+tably.com, 1
+tablyrics.com, 1
+taboomale.com, 1
+tabordaadvogados.ga, 1
+taborsky.cz, 1
+tabpanelwidget.com, 1
+tabrizbiology.tk, 1
+tabserectilecheap.com, 1
+tabtap.shop, 1
+tabu-bodywear.ch, 1
+tabular.tools, 1
+tabulartools.com, 1
+taburetka.ua, 1
+tac-performance.net, 1
+tac-sys.net, 1
+tache.cc, 1
+tachikawa-saisyuusyou.com, 1
+tachoplus.pl, 1
+tachtien.nl, 1
+tachyonapp.com, 1
+taciso.com, 1
+tackleundies.com, 1
+tackn.jp, 1
+tacoma-dui-attorneys.com, 1
+tacomaautomobile.tk, 1
+tacomaclassifieds.net, 1
+tacomaescorts.net, 1
+tacomarugby.com, 1
+tacomarugby.org, 1
+tacotown.tk, 1
+tactful.ai, 0
+tactical.zone, 1
+tacticalavocado.com, 1
+tacticalsquare.com, 1
+tacticalvote.co.uk, 1
+tactile.love, 1
+tactportal.com, 1
+tactus.nl, 1
+tad.ua, 1
+tadaaam.studio, 1
+tadabase.io, 1
+tadalafil-tablets.tk, 1
+tadalafilindia.gq, 1
+tadj-mahalat.com, 0
+tadjiki.tk, 1
+tadjikistan.tk, 1
+tadluedtke.com, 1
+tadtadya.com, 1
+tadu.de, 1
+tadzkitchen.com, 1
+taebek.tk, 1
+taekwondo-berlin.tk, 1
+taekwondo-hochwald.de, 1
+taetomeister.de, 1
+tafcares.org, 1
+tafdi.net, 1
+taffe-elec.com, 1
+tafinance-association.com, 1
+tafnervotacao.com.br, 1
+tafp3.ga, 1
+tafs.com, 1
+taftok.gov, 1
+tafttx.gov, 1
+tafusu-support.com, 1
+tag-insights.com, 1
+tag-verse.com, 1
+tagabrand.co.uk, 1
+tagalliances.com, 1
+tagalog.com, 1
+tagana-anindustrialpark.tk, 1
+tagat.top, 1
+tagaytayhighlands.com, 1
+tagboards.tk, 1
+tagcorp.ca, 1
+tagderinspiration.ch, 1
+tagesmutter-in-bilm.de, 1
+taggedpdf.com, 0
+taggeru.com, 1
+taggigkaktus.tk, 1
+taghit.tk, 1
+tagid.ga, 1
+tagid.tk, 1
+taginet.com, 1
+tagliando.it, 1
+taglioepiega.com, 1
+taglioepiega.eu, 1
+taglioepiega.it, 1
+tagnull.de, 1
+tagram.net, 1
+tagstationen.se, 1
+tagstatravel.com, 1
+tagsweekly.com, 1
+tagtoys.com, 1
+taguette.com, 1
+taguette.fr, 1
+taguette.org, 1
+tagungsraum-usedom.de, 0
+tagungsraum-zinnowitz.de, 0
+tagungsstaette-usedom.de, 0
+tagungsstaette-zinnowitz.de, 0
+tahabrand.com, 1
+tahaonline.tk, 1
+tahitiodoo.com, 1
+tahititourisme.com, 1
+tahititourisme.fr, 1
+tahlequah.gov, 1
+tahlilsonuclari.site, 1
+tahnee.tk, 1
+tahosa.co, 0
+tahribat.tk, 1
+tahrirbazar.com, 1
+tahugocilebut.com, 1
+tahvienovin.ir, 1
+tahynatozzi.tk, 1
+taiaro.tk, 1
+taibachicken.com, 1
+taichi-jade.com, 1
+taidu.news, 1
+taieki.nl, 1
+taifun-software.de, 1
+taiga-aikidojo.tk, 1
+taigalaloca.net, 1
+taihesy.tk, 1
+taijul.tk, 1
+taikodom.tk, 1
+tail.id.lv, 1
+tail.ml, 1
+tail.wtf, 1
+taildb.com, 1
+taille-haie.org, 1
+tailor.com.br, 1
+tailorbrands.com, 1
+tailored.health, 1
+tailoring.tk, 1
+tailpuff.net, 0
+tails.net, 1
+tailsteak.tk, 1
+tailwindapp.com, 1
+tainiesonline.tk, 1
+taintedart.co.nz, 1
+taipak-krasnoyar.tk, 1
+taipei2025.com, 1
+taipei2038.com, 1
+taishon.nagoya, 1
+taitlinstudio.com, 1
+taittowers.com, 0
+taiwan-kitchen.com, 1
+taiwanbible.com.tw, 1
+taiwanhotspring.net, 1
+taiwania.capital, 1
+taiwania.vc, 1
+taiwaniacapital.com, 1
+taiwaniacapital.com.tw, 1
+taiwaniacapital.tw, 1
+taiwanteama.com.tw, 1
+taiwantechtrek.tk, 1
+taiwantour.info, 0
+taizegroep.nl, 1
+taj-portal.tk, 1
+tajbrighton.tk, 1
+tajemno.net, 1
+tajilamagazine.com.br, 1
+tajmisreg.com, 1
+tajniy-smisl.cf, 1
+tajniy-smisl.ga, 1
+tajniy-smisl.gq, 1
+tajniy-smisl.ml, 1
+tajniy-smisl.tk, 1
+tajper.pl, 1
+tajr.shop, 1
+tajtowereg.com, 1
+tak-it.nl, 1
+tak.gov, 1
+takano-recruit.com, 1
+takano-takuhai.com, 1
+takanogroup.co.jp, 1
+takao-hs.com, 1
+takao.ga, 1
+takarabrig.com, 1
+takase.buzz, 1
+takayaindustries.ml, 1
+take-a-screenshot.org, 1
+take1give1.com, 0
+takeaction.ml, 1
+takeatumble.com.au, 1
+takebackyourstate.com, 1
+takebackyourstate.net, 1
+takebackyourstate.org, 1
+takechargetexas.gov, 1
+takecommunity.com, 1
+takedownthissite.com, 1
+takehomepay.uk, 1
+takeitback.tk, 1
+takemydodgecoins.com, 1
+taken.cf, 1
+taken.pl, 1
+takenote.co, 1
+takeomi.jp, 1
+takepicturesleavefootprints.com, 1
+takeshi.cz, 1
+takestars.tk, 1
+takethatspainfanclub.tk, 1
+takezo.tk, 1
+takhfifeirani.ir, 1
+taki.sh, 1
+taki.sk, 1
+taki.to, 1
+takinet.kr, 1
+takipavm.com, 1
+takipcikutusu.com, 1
+takiplekazan.ga, 1
+takito.net, 1
+takk.pl, 1
+takkaaaaa.com, 1
+takkguitar.net, 1
+takkyu-navi.jp, 1
+takosuke.net, 1
+takotv.com, 1
+takotv.live, 1
+taks.nl, 1
+taksaft.tk, 1
+taksimax.ru, 1
+taksometry.pl, 1
+taktak.co.uk, 0
+taktika.tk, 1
+taktraneh.com, 1
+takuhai12.com, 1
+takumi-s.net, 1
+takumikougyou.co.jp, 1
+takuro.us, 1
+takusan.ru, 1
+takuse.cf, 1
+takysoft.tk, 1
+talado.gr, 0
+talakacaruli.tk, 1
+talalaok.gov, 1
+talcualdigital.com, 1
+taldia.es, 1
+taleatherworks.com, 1
+taleblooplastic.ir, 1
+talendipank.ee, 1
+talengo.com, 1
+talent-safari.com, 1
+talentbazi.com, 1
+talentcast.nl, 1
+talentcast.org, 1
+talenteam.com, 1
+talented.ga, 1
+talentedagents.ga, 1
+talenteer.nl, 1
+talentexcellence.com, 1
+talentguru.ml, 1
+talenthubmpi.com, 1
+talentimpuls.de, 1
+talentio.com, 1
+talentis.net, 1
+talentmill.co, 1
+talentoday.com, 1
+talentplatform.ca, 1
+talentplatform.com, 1
+talentplatform.eu, 1
+talentplatform.us, 1
+talentsplit.com, 1
+talentstimuleren.nl, 1
+talentuar.com, 1
+talentwall.io, 1
+taler.net, 1
+talerakademiet.dk, 1
+talesbazaar.com, 1
+talesfromthebigpig.com, 1
+talesofrashidun.com, 1
+talesoftenko.tk, 1
+talichi.com, 1
+talichi.es, 1
+talideon.com, 0
+talikotang.tk, 1
+talisadesign.fi, 1
+talisman-amulet.ga, 1
+talk.google.com, 1
+talkappin.com.au, 1
+talkbasket.net, 1
+talkbitz.com, 0
+talkeducation.com, 1
+talkgadget.google.com, 1
+talki.tk, 1
+talkinators.tk, 1
+talkingbittersweet.com, 1
+talkingmoose.net, 0
+talkingtodrake.tk, 1
+talkingtoteapots.tk, 1
+talkischeap.co.za, 1
+talkischeap.tk, 1
+talklikeyodaday.tk, 1
+talkmojang.club, 1
+talknetwork.ru, 1
+talkreal.net, 1
+talks.run, 1
+talkscope.cf, 1
+talkscope.ml, 1
+talksileby.tk, 1
+talktobabes.com, 1
+talktobot.com, 1
+talktwincities.com, 1
+talkwithyourbaby.org, 1
+talkx.de, 1
+tallac.tk, 1
+tallahatchiecountysheriffofficems.gov, 1
+tallcraft.com, 1
+tallcraft.net, 1
+tallercommercial.com, 1
+tallercs.tk, 1
+tallerdelcuadro.online, 1
+talleresluse.com, 1
+tallerfrancia2.es, 1
+tallgrasslegal.com, 1
+tallinnsec.ee, 1
+tallinnsex.ee, 1
+tallship.cz, 1
+tallulahbernard.com, 1
+tallwoodmedical.com, 1
+tallyfy.com, 1
+tallylights.com, 1
+talment.com.mx, 1
+talmischleather.com, 1
+taloman.fi, 1
+talonro.com, 1
+talos-app.io, 1
+talos-staging.io, 1
+talpanetwork.com, 0
+talpurwadalions.tk, 1
+taltech.ee, 1
+talun.de, 1
+talusan.tk, 1
+talxis.com, 1
+tam-moon.com, 1
+tam-safe.com, 1
+tam7t.com, 0
+tama.ga, 1
+tamagotchicenter.com, 1
+tamalcloud.com, 1
+tamamlayici.com.tr, 1
+tamarac.gov, 1
+tamareverson.tk, 1
+tamarind.by, 1
+tambayology.com, 1
+tambo.es, 1
+tamboa.com, 1
+tambola.live, 1
+tambosi-odeonsplatz.de, 1
+tambov.cf, 1
+tambov.tk, 1
+tambovcity.tk, 1
+tambre.ee, 1
+tamchunho.com, 1
+tamdaotravelvi.tk, 1
+tamdidpay.tk, 1
+tamedia.ch, 1
+tameru.me, 1
+tamerx.com, 1
+tamgaturk.com, 1
+tami.co.uk, 1
+tamilentertainment.tk, 1
+tamilfunda.com, 1
+tamilglitz.in, 1
+tamilrokers.tk, 1
+tamilsms.blog, 1
+tamiltax.tk, 1
+tamim.io, 1
+tamimmalik.ml, 1
+tamindir.com, 1
+tamistuff.com, 1
+tammie.ga, 1
+tammiku.edu.ee, 1
+tammvee.ee, 1
+tammy.pro, 1
+tamoxifen-citrate.gq, 1
+tamoxifen-citrate.ml, 1
+tamoxifenformen.ga, 1
+tampa.gov, 1
+tampabaybusinesslistings.com, 1
+tampabayhistorycenter.org, 1
+tampabayhometours.info, 1
+tampacific.net, 1
+tampacific.vn, 1
+tampaexplorer.ml, 1
+tampereenliberaalit.tk, 1
+tampus.chat, 1
+tamracapital.sa, 1
+tamriel-rebuilt.org, 1
+tamrielcraft.tk, 1
+tamronhallshow.com, 1
+tamsulosin.gq, 1
+tamuraei.co.jp, 1
+tamylove.net, 1
+tan90.tw, 1
+tanabekensetsu.co.jp, 1
+tanacio.com, 1
+tanakayoshihiko.com, 1
+tanatos.ga, 1
+tanchynski.com, 1
+tancredi.nl, 0
+tancuongtea.tk, 1
+tand-teknik.dk, 1
+tandarts-ict.nl, 1
+tandartsen-ict.nl, 1
+tandartspraktijkreddingius.nl, 1
+tandartszilverschoon.nl, 1
+tandblekningidag.com, 1
+tandcr.com, 1
+tandem-trade.ru, 0
+tandemexhibits.com, 1
+tandempartnerships.com, 0
+tandemtransport.ca, 1
+tandhoutdoors.com, 1
+tandzorg.link, 1
+taneytownmd.gov, 1
+tangai.tk, 1
+tangas.tk, 1
+tangel.me, 1
+tangemann.org, 1
+tangentnet.tech, 1
+tangentnetworks.tech, 1
+tangerangkota.go.id, 1
+tangiblesnft.com, 1
+tangier.tk, 1
+tangipahoa.gov, 1
+tangle-teezer.net, 1
+tangledmeditations.com, 1
+tanglepatterns.com, 1
+tango-cats.de, 1
+tango-networks.com, 0
+tango-querida.tk, 1
+tango.berlin, 1
+tango.info, 1
+tangoalpha.co.uk, 1
+tangoanalytics.com, 1
+tangofoxi.com, 1
+tangosix.rs, 1
+tangs.com, 1
+tangub.today, 1
+tangubpatientmonitoring.com, 1
+tangyue.date, 1
+tangzhao.net, 1
+tanhaa.tk, 1
+tanhongit.com, 1
+taniawizualizacja.pl, 1
+tanie-obraczki-szczecin.tk, 1
+tanie-uprawnienia-sep.pl, 1
+taniguchi.jp.net, 1
+taniguchi.link, 1
+taniguchi.osaka.jp, 1
+taniku-succulent.com, 1
+tanjaradovic.tk, 1
+tanjasavicmusic.tk, 1
+tankdoggear.tk, 1
+tanknology.ca, 1
+tankos.tk, 1
+tankpassen-vergelijken.nl, 1
+tanks.je, 1
+tankski.co.uk, 1
+tankture.com, 1
+tanned.tk, 1
+tannenhof-moelln.de, 1
+tanner.sh, 1
+tanneradvisorysolutions.com.au, 1
+tannercorporation.com, 1
+tannerdewitt.com, 1
+tannerryan.ca, 1
+tannerwilliamson.com, 1
+tannerwj.com, 1
+tannextcloud.cf, 1
+tanningroom.co.uk, 1
+tannlegenityrkia.no, 1
+tanomimaster.com, 1
+tanovar.com, 1
+tanpaoperasi.com, 1
+tanphu.tk, 1
+tanpopo.io, 1
+tantalos.nl, 1
+tantejulia.tk, 1
+tantetilli.de, 0
+tanto259.name, 1
+tantrabali.tk, 1
+tantravoorlichting.nl, 1
+tantrum-rocks.tk, 1
+tantso.com, 1
+tanuki.army, 1
+tanushka.tk, 1
+tanveersingh.tk, 1
+tanweerkhan.tk, 1
+tanya-avdeeva.cf, 1
+tanyanama.com, 1
+tanz-kreativ.de, 0
+tanz.info, 1
+tanzania-chameleon.ga, 1
+tanzanianfilms.tk, 1
+tanzaniauk.org.uk, 1
+tanzhijun.com, 1
+tanzpartner.tk, 1
+tao-energie.tk, 1
+taoaworld.com, 1
+taoburee.com, 0
+taodung.com, 1
+taoismus.eu, 1
+taolu.tv, 1
+taolu168.com, 1
+taolubdsm10.com, 1
+taoofbeauty.tk, 1
+taoscountynm.gov, 1
+taoshu.in, 1
+taosinjurylawyers.com, 1
+taosnm.gov, 1
+taotic.eu, 1
+taowa.ca, 1
+taoyingchang.tk, 1
+tap.az, 1
+tap.bio, 1
+tapbutdao.com, 1
+tapchiphaidep.info, 1
+tapcloud.com, 1
+tapestries.tk, 1
+tapestryjournal.com, 1
+tapesvip.xyz, 1
+tapetenresonanz.de, 1
+taplemon.at, 1
+taplemon.com, 1
+tapmat.com, 1
+tapparellemessina.it, 1
+tappezzeria.roma.it, 1
+tappezziere.milano.it, 0
+tappezziere.roma.it, 1
+tapquad.com, 1
+taprix.org, 1
+tapsnapp.co, 1
+taqamorocco.ma, 1
+taquilla.com, 1
+taqun.club, 1
+tara.ru, 1
+tarabici.tk, 1
+taraiid.com, 1
+tarakan-klopik.tk, 1
+taraksarkar.tk, 1
+taranagar.tk, 1
+tarantino.tk, 1
+tarantul.org.ua, 1
+tarantula-spider.com, 1
+taraori.tk, 1
+tarapacadigitaltv.tk, 1
+tarasecurity.co.uk, 1
+tarasecurity.com, 1
+tarasevich.by, 1
+taravancil.com, 0
+tarbsong.ml, 1
+tarcode.ru, 1
+tardics.com, 1
+tardics.eu, 1
+tardics.net, 1
+tardis.cloud, 1
+tardis.io, 1
+tardishomelab.com, 1
+tarek.wtf, 1
+tarekfadel.com, 1
+tarfand-pc.tk, 1
+tarfandgram.com, 0
+tarfin.com, 1
+targaryen.house, 1
+target.com, 1
+targetbuilding.com, 1
+targetlonglife.tk, 1
+targetmarc.com, 1
+targetsportsworld.com, 0
+targettrend.com, 1
+targeturl.ru, 1
+targetx.pl, 1
+targimieszkaniowe.net, 1
+targoncavasarlas.hu, 1
+tarhunfirin.com, 1
+tarif-pellets.fr, 1
+tarife.at, 1
+tariff.cc, 1
+tarihpedia.com, 1
+tarihvakti.com, 1
+tarija.tk, 1
+tarik.io, 1
+tarikigaru.ga, 1
+tarimaferial.com, 1
+tarimkredi.net, 1
+tarjaturunen.tk, 1
+tarjetasgraficas.tk, 1
+tarjetaspark.es, 1
+tarjetaspersonales.tk, 1
+tarjetondigital.com, 1
+tarkari.tk, 1
+tarkasparrows.org.za, 1
+tarketmedia.com, 1
+tarkett-group.com, 1
+tarkov.tk, 1
+tarocchi.blog, 1
+taron.top, 1
+tarot-online-app.com, 1
+tarot-online-app.de, 1
+tarot-online.cn, 1
+tarot-online.com.pl, 1
+tarot-online.fr, 1
+tarot-online.it, 1
+tarot.vn, 1
+tarotgratis.vip, 1
+tarotreadingexplained.com, 1
+tarper24.net, 1
+tarpsnow.com, 0
+tarrantandharman.com, 1
+tarrasque.io, 1
+tarrytownny.gov, 1
+tarsan.cz, 1
+tarsusdistribution.co.za, 0
+tarsusrx.com, 1
+tartablu.it, 1
+tartaneagle.org.uk, 1
+tartanhamedshop.com.br, 1
+tartu.ee, 0
+tartufomajella.it, 1
+taruntarun.net, 1
+tarus.gq, 1
+tarvit.me, 1
+tarvoo.com, 1
+tarzanka.ml, 1
+tas.best, 1
+tas2580.net, 0
+tasarimgazetesi.com, 1
+tasarimrehberi.com, 1
+tasawehala.com, 1
+tascas.ga, 1
+tasconnect.com, 1
+tascout.com, 1
+tascuro.com, 1
+tasefiling.gov, 1
+tashicell.com, 1
+tasintrip.com, 1
+taskforce.eu, 1
+taskhorizon.audio, 1
+taskin.me, 1
+taskman.london, 1
+taskotron.fedoraproject.org, 1
+taskotron.stg.fedoraproject.org, 1
+taskrunnr.com, 1
+tasks.org, 1
+tasktrek.com, 1
+taskulu.com, 1
+taskulu.ir, 1
+taskus.com, 1
+taskwise.cf, 0
+tasnomanija.rs, 1
+tasogarenoinori.net, 1
+tasonoken.tk, 1
+tasports.com.au, 1
+tasports2043.com.au, 1
+tastenewwines.com, 1
+tasteville.com.au, 1
+tastycake.net, 0
+tastycool.io, 1
+tastyplacement.com, 1
+tastystakes.com, 1
+tastyworksreview.co, 1
+tasvideos.org, 1
+tatamypa.gov, 1
+tataog.com, 1
+tatar-bashqort.tk, 1
+tatara.ne.jp, 1
+tatard.fr, 1
+tataria.tk, 1
+tatarin.ga, 1
+tatarin.gq, 1
+tataristan.tk, 1
+tatarland.tk, 1
+tatarsecurity.ir, 1
+tataru.it, 1
+tatarworld.tk, 1
+tatary.cf, 1
+tatary.tk, 1
+tate.com, 1
+tatecountyms.gov, 1
+tateesq.com, 0
+tateishi-ip.com, 1
+tatemode.com, 1
+taters.org, 1
+tatewake.com, 1
+tatfan.com, 1
+tathanhson.com, 1
+tatiana-kpb.tk, 1
+taticul.ro, 1
+tatilsepeti.com, 1
+tatjana-young.net, 1
+tatler.com, 1
+tato.noip.me, 0
+tatoo-shop.ca, 1
+tatooine.club, 1
+tatort-fanpage.de, 1
+tatsidou.gr, 1
+tatsumi-air.com, 1
+tatsuya.tk, 1
+tatteredatlastales.com, 1
+tattoo-art.tk, 1
+tattoo-artist.org, 1
+tattoo-family.com, 1
+tattoo.roma.it, 1
+tattoocorina.tk, 1
+tattooidee.nl, 1
+tattoomotive.net, 1
+tattoopiercing-wien.at, 1
+tatu-love.tk, 1
+tatuaggi.roma.it, 1
+tatuaggio.co, 1
+tatuering.net, 1
+tatuhagu.gov, 1
+taturukav.tk, 1
+taubenartikel.de, 1
+taubin.cc, 1
+tauedu.org, 1
+taufers.info, 1
+tauntongolf.co.uk, 1
+tauntonpdma.gov, 1
+taunusstein.net, 1
+taura.vn, 1
+tauran.net, 1
+tauriscia.tk, 1
+taurus.edu.pl, 1
+taurusgaming.com, 1
+tava.tk, 1
+tavanahost.com, 0
+tavaresfl.gov, 1
+tavda.info, 1
+tavelbutiken.com, 1
+taverne.tk, 1
+taverns.tk, 1
+tavex.bg, 1
+tavex.dk, 1
+tavex.eu, 1
+tavex.fi, 1
+tavex.hu, 1
+tavex.lt, 1
+tavex.lv, 1
+tavex.no, 1
+tavex.pl, 1
+tavex.ro, 1
+tavex.rs, 1
+tavex.se, 1
+tavexbullion.co.uk, 1
+tavid.ee, 1
+taviskaron.ru, 1
+tavola-cescato.club, 1
+tavolaquadrada.com.br, 1
+tavolartegusto.it, 1
+tavoseimai.lt, 1
+tavsiyeforumu.com, 1
+tavsys.net, 1
+tavukdiyari.net, 1
+tawzea.com, 1
+tax-brain.net, 1
+tax-guard.com, 1
+taxandor.com, 1
+taxassist.co.uk, 1
+taxationweb.co.uk, 1
+taxboard.gov.au, 1
+taxborn.com, 0
+taxdispute.win, 1
+taxesreclaimed.com, 1
+taxfunder.co.uk, 1
+taxfunder.uk, 1
+taxglobalizers.com, 1
+taxhawk.com, 1
+taxi-5plus.ru, 1
+taxi-christian.de, 1
+taxi-collectif.ch, 0
+taxi-domzale.tk, 1
+taxi-doudoune.fr, 1
+taxi-edessas.gr, 1
+taxi-legroux.com, 1
+taxi-meridian.ru, 1
+taxi-puck.pl, 1
+taxi-tienen.com, 1
+taxi-zakaz.ml, 1
+taxi24.ml, 1
+taxi7.be, 1
+taxialcmaria.nl, 1
+taxibiz.ga, 1
+taxicollectif.ch, 0
+taxid-k.be, 1
+taxikraken.tk, 1
+taxiloerrach.de, 1
+taximinvody.ml, 1
+taximovies.gq, 1
+taxinhanhphanthiet24h.vn, 1
+taxipool.co.il, 1
+taxirostova.ru, 1
+taxis-collectifs.ch, 0
+taxisafmatosinhos.pt, 1
+taxiscollectifs.ch, 0
+taxiseek.ga, 1
+taxiunion.info, 1
+taxivip24h.com, 1
+taxlab.co.nz, 0
+taxly.kr, 1
+taxmadras.com, 1
+taxo.fi, 1
+taxpackagesupport.com, 1
+taxprocpa.com, 1
+taxstorestalbans.com.au, 1
+taxteam.co.il, 1
+taxuni.com, 1
+taybee.net, 1
+tayebbayri.com, 1
+tayho24h.com, 1
+taylorandfrancis.com, 1
+tayloraz.gov, 1
+taylorburton-porn.com, 1
+taylorcountyhdwv.gov, 1
+taylorcountyky.gov, 1
+taylorcountywv.gov, 1
+taylored.ga, 1
+taylorelectionsfl.gov, 1
+taylorfarms.com, 1
+taylorfrancis.com, 1
+taylorfry.au, 1
+taylorfry.co.nz, 1
+taylorfry.com, 1
+taylorfry.com.au, 1
+taylorfry.nz, 1
+taylors-castles.co.uk, 1
+taylorshillsamoan.org, 1
+taylorstauss.com, 1
+tazamobile.ga, 1
+tazarelax.es, 1
+tazefiltre.com, 1
+tazefirsat.com, 1
+tazemama.biz, 1
+tazenda.tk, 1
+tazendaforever.tk, 1
+tazewell-il.gov, 1
+tazewellcountyjury.gov, 1
+tazita.tk, 1
+tazz.ro, 1
+tb-bolshevik.tk, 1
+tb-devel.de, 1
+tb-itf.de, 1
+tb.org.tw, 1
+tbahn.de, 1
+tbatr.tk, 1
+tbbank.gov.tm, 1
+tbcinteriorismo.com, 1
+tbcloud.site, 0
+tbebkom.com, 1
+tbejos.com, 1
+tbfocus.com, 1
+tbi.equipment, 1
+tbi.systems, 1
+tbid.gov, 1
+tbird-q.com, 1
+tbitc.ch, 1
+tbksp.org, 1
+tbkwatch.co.za, 1
+tbkwatch.com, 1
+tbkwatch.org.za, 1
+tbld.gov, 1
+tblflip.de, 1
+tblnk.de, 1
+tbonejs.org, 1
+tbox.net, 1
+tbpchan.cz, 1
+tbq-s.com, 1
+tbq-s1.com, 1
+tbreni.hu, 1
+tbrindus.ca, 1
+tbs-certificates.co.uk, 1
+tbscan.com, 1
+tbsmportal.com, 1
+tbspace.de, 1
+tbsstrong.com, 1
+tbsunday.tk, 1
+tbtech.cz, 1
+tbuchloh.de, 1
+tbun.de, 1
+tbunews.com, 1
+tbunews.info, 1
+tbwa.com, 1
+tbwa.com.au, 0
+tbyi.gov, 1
+tbys.us, 1
+tbz-pariv.de, 1
+tc-solutions.be, 1
+tc-tsc.com, 1
+tc.nz, 1
+tc2.hu, 1
+tcacademy.co.uk, 1
+tcade.co, 1
+tcapws-dev.azurewebsites.net, 1
+tcapws-prod.azurewebsites.net, 1
+tcb-a.org, 1
+tcbdarts.nl, 1
+tccc.org.tw, 1
+tcckonsult.com, 1
+tccmb.com, 1
+tccportal.com, 1
+tcddtrensaatleri.com, 1
+tcdn.tech, 1
+tcdww.cn, 1
+tcepc.com, 1
+tcf.org, 1
+tcgc-adms.com, 1
+tcgcardcare.com, 1
+tcgcollector.com, 1
+tcglobal.com, 1
+tcgpraktijk.nl, 1
+tcgrepublic.com, 1
+tch-forum.com, 1
+tchak.be, 1
+tchaka.top, 1
+tchalian-boulonnerie.store, 1
+tchannels.tv, 1
+tcharning.ml, 1
+tchatland.fr, 1
+tche.digital, 1
+tchealers.com, 1
+tcheb.ru, 1
+tchebb.me, 1
+tchncs.de, 1
+tchnics.de, 1
+tcholet.com, 1
+tchoukball.ch, 0
+tchouktchouk-baroum.fr, 1
+tci-style.pl, 1
+tci-thaijo.org, 0
+tci-thailand.org, 1
+tciit.pl, 1
+tcit.fr, 0
+tcj.ir, 1
+tcl.sh, 1
+tcmk-tomsk.ru, 1
+tcmskarate.fr, 1
+tcnapplications.com, 1
+tco.zapto.org, 1
+tcoa.tk, 1
+tcpdf.org, 1
+tcpride.org, 1
+tcptun.com, 1
+tcr-ees.com, 1
+tcrecord.org, 1
+tcsemotion.com, 1
+tcspartner.eu, 1
+tcspartner.net, 1
+tcuprs.com, 1
+tcvanbuuren.tk, 1
+tcvonline.vic.gov.au, 1
+tcvw.org, 1
+tcwis.com, 1
+tcwsites.com.br, 1
+tcybert.com, 1
+tcyoung.co.uk, 1
+td-bambini.com, 1
+td-magellan.ru, 1
+td-olymp.ru, 1
+td-zolotoy.ru, 1
+tda-werbetechnik.de, 1
+tda.de, 1
+tdchrom.com, 0
+tddaij.com, 1
+tddos.pw, 1
+tdeaqua.com, 1
+tdeecalculator.org, 1
+tdelmas.ovh, 1
+tdev.team, 1
+tdk.eu, 1
+tdlesovik.ru, 1
+tdln.tk, 1
+tdn.com, 1
+tdolar.com, 1
+tdr.today, 1
+tdrcartuchos.com.br, 1
+tdro.cf, 1
+tdrs.info, 1
+tds-forum.tk, 1
+tdsb.cf, 1
+tdsb.ml, 1
+tdsbhack.tk, 1
+tdse.de, 1
+tdsf.io, 1
+tdstoragebay.com, 1
+tdtf.eu, 1
+tdtf.hk, 1
+tdtf.nl, 1
+tdvg.nl, 1
+tdxexpedited.com, 1
+tdyx-china.com.cn, 0
+te-ajut.ro, 1
+te-an.tw, 1
+te9.ru, 1
+tea-alpha.gr, 1
+tea-eurobank.gr, 1
+tea.codes, 1
+tea.in.th, 1
+teablr.com, 1
+teach.com, 1
+teach.gq, 1
+teachbase.ru, 1
+teachbiz.net, 1
+teachercall.kr, 1
+teachermommylife.com, 1
+teachernewsbd.com, 1
+teacherph.com, 1
+teacherph.net, 0
+teacherpics.com, 1
+teacherquinten.com, 1
+teacherquotes.gq, 1
+teachersasap.info, 1
+teachertoolsgpt.com, 1
+teaching-certification.com, 1
+teachinginhighered.com, 1
+teachingtoday.education, 1
+teachking.tk, 1
+teachnowprogram.com, 1
+teachonmars.com, 1
+teachpeople.org, 1
+teachwithouttears.com, 1
+teacuppersiancats.com, 1
+teacupyorkiespets.com, 1
+teaeggss.com, 1
+teagardenspa.com, 1
+teaguepdtx.gov, 1
+teahawaii.ga, 1
+teahouse.gq, 1
+teahut.net, 1
+teaine.com, 1
+teainside.ga, 1
+teaks.nl, 1
+tealium.com, 1
+team-17.tk, 1
+team-a.tk, 1
+team-aaa.tk, 1
+team-apollo.tk, 1
+team-atomic.tk, 1
+team-azerty.com, 1
+team-bbd.com, 1
+team-building.madrid, 1
+team-building.tirol, 1
+team-cut.tk, 1
+team-darkness.tk, 1
+team-eklund-motorsport.tk, 1
+team-io.net, 1
+team-royal.tk, 1
+team-russia.tk, 1
+team-swami.com, 1
+team-toranomon.com, 1
+team-work.online, 1
+team.house, 0
+team005helpdesk.ddns.net, 1
+team3.au, 1
+team3482.com, 1
+team7-home.com, 1
+team957.co.uk, 1
+teamarasensas.tk, 1
+teamasea.com, 1
+teamassists.com, 0
+teamawesome.ga, 1
+teamb.nl, 1
+teambalinge.tk, 1
+teambanzai.tk, 1
+teambeam.ru, 0
+teambee.tk, 1
+teambim.eu, 1
+teamcg.ru, 1
+teamclean.bg, 1
+teamcoco.com, 1
+teamcode.tk, 1
+teamcodeorange.tk, 1
+teamcollins.org.nz, 1
+teamconf.ru, 1
+teamdarko.tk, 1
+teamdaylo.xyz, 1
+teamdev.id, 1
+teamdevelopers.ga, 1
+teamdriven.tk, 1
+teamdumondelibre.fr, 1
+teamengland.tk, 1
+teamfriet.nl, 1
+teamhd.org, 1
+teamhealth.com, 1
+teamhinkleyc.com, 0
+teamhybrid.com, 1
+teamhybridforums.com, 1
+teamjiradia.tk, 1
+teamkankun.tk, 1
+teamkgsr.com, 1
+teamkilled.tk, 1
+teamkiller.tk, 1
+teamkoncert.pl, 1
+teamleader-apps-by-invantive.com, 1
+teamlightning.tk, 1
+teamliquid.com, 1
+teamliquid.eu, 1
+teamliquidstarleague.com, 1
+teammateworld.com, 1
+teammojo.org, 1
+teammotorcycle.com, 1
+teamninjaapp.com, 1
+teamnissannorthparts.com, 1
+teamnutrition.fr, 1
+teamos.tk, 1
+teampaddymurphy.ch, 1
+teampaddymurphy.ie, 1
+teampages.com, 1
+teampassword.com, 1
+teampatat.nl, 1
+teamphotonetwork.com, 1
+teampoison.tk, 1
+teampz.com, 1
+teamr3set.com, 1
+teamrecess.com, 1
+teamredfox.tk, 1
+teamrevolution.tk, 1
+teamroom.jp, 1
+teams.microsoft.us, 1
+teamsakura.net, 1
+teamsass.ca, 1
+teamsecure.al, 1
+teamsecure.at, 1
+teamsecure.be, 1
+teamsecure.bg, 1
+teamsecure.ch, 1
+teamsecure.co.il, 1
+teamsecure.co.uk, 1
+teamsecure.com.ua, 1
+teamsecure.cz, 1
+teamsecure.de, 1
+teamsecure.dk, 1
+teamsecure.ee, 1
+teamsecure.es, 1
+teamsecure.fi, 1
+teamsecure.fr, 1
+teamsecure.gr, 1
+teamsecure.hu, 1
+teamsecure.io, 1
+teamsecure.is, 1
+teamsecure.it, 1
+teamsecure.li, 1
+teamsecure.lt, 1
+teamsecure.lu, 1
+teamsecure.lv, 1
+teamsecure.md, 1
+teamsecure.me, 1
+teamsecure.mk, 1
+teamsecure.pl, 1
+teamsecure.pt, 1
+teamsecure.ro, 1
+teamsecure.rs, 1
+teamsecure.ru, 1
+teamsecure.se, 1
+teamsecure.si, 1
+teamsecure.sk, 1
+teamsherry.realtor, 1
+teamshirts.at, 1
+teamshirts.be, 1
+teamshirts.ch, 1
+teamshirts.co.uk, 1
+teamshirts.com, 1
+teamshirts.de, 1
+teamshirts.dk, 1
+teamshirts.fi, 1
+teamshirts.fr, 1
+teamshirts.net, 1
+teamshirts.nl, 1
+teamshirts.no, 1
+teamshirts.se, 1
+teamsignia.com, 1
+teamsomeday.tk, 1
+teamsudan.cf, 1
+teamtheory.io, 1
+teamtirith.com, 1
+teamtomorrow.tk, 1
+teamtotal.com, 1
+teamtrack.uk, 1
+teamup.com, 1
+teamup.rocks, 0
+teamupturn.com, 1
+teamupturn.org, 1
+teamusacreditrepair.com, 0
+teamusec.de, 1
+teamwass.com, 1
+teamwass.eu, 1
+teamwolf.tk, 1
+teamwork-bad-wurzach.de, 1
+teamworld.blog, 1
+teamwpsekure.com, 1
+teamx-gaming.de, 0
+teaparty.id, 1
+teapiraeus.gr, 1
+teara.govt.nz, 1
+teararia.com, 1
+teardrop.tk, 1
+tearihome.com, 1
+tearoomlints.be, 1
+tease.email, 1
+teasenetwork.com, 1
+teaser-trailer.com, 1
+teasers.ga, 1
+teaterbristol.se, 1
+teatrarium.com, 1
+teatrebarcelona.com, 1
+teatroutopia.tk, 1
+teatruastra.org.mt, 1
+teazer.tk, 1
+teb-akademia.pl, 1
+teb-x-1.com, 1
+tebebo.com, 1
+teber.av.tr, 1
+tebian.tk, 1
+tebianco.net, 1
+tebieer.com, 1
+tebodental.com, 1
+tebodentalgroup.com, 1
+tebodentistryatlanta.com, 1
+tebodentistryforkids.com, 1
+teboexperience.com, 1
+tebokidsstore.com, 1
+teboorthodontics.com, 1
+tebothetooth.com, 1
+tebsonati.tk, 1
+tebx-1.com, 1
+tebx1.com, 1
+tec24.ga, 1
+tecart-cloud.de, 1
+tecart-system.de, 0
+tecart.de, 1
+tecartcrm.de, 1
+tecatebeerusa.com, 1
+tece.com, 1
+tece.de, 1
+tecfix.com, 1
+tecfleet.com, 1
+tech-clips.com, 0
+tech-dempaz.com, 1
+tech-essential.com, 1
+tech-guru.ml, 1
+tech-idea.com, 0
+tech-ideas.tk, 1
+tech-leaders.jp, 1
+tech-my.biz, 1
+tech-ninja.de, 0
+tech-post.net, 1
+tech-professor.ir, 1
+tech-rat.com, 1
+tech-seminar.jp, 1
+tech-story.net, 1
+tech-urdu.tk, 1
+tech-value.eu, 1
+tech-zealots.com, 1
+tech-zoom.com, 1
+tech3599.com, 1
+tech3araby.com, 1
+tech4founders.co, 1
+tech4greece.gr, 1
+tech506.com, 1
+techalert.net, 1
+techangel.tk, 1
+techanit.de, 1
+techarab.ga, 1
+techarchive.cf, 1
+techarchive.ml, 1
+techarchive.tk, 1
+techarea.fr, 1
+techarkansas.tk, 1
+techask.it, 1
+techassist.io, 0
+techatt.com, 1
+techava.ru, 1
+techbelife.com, 1
+techbizidea.com, 1
+techblue.co.uk, 1
+techbmc.com, 1
+techbrawl.org, 1
+techbuz.net, 1
+techbuzzonly.com, 1
+techcavern.ml, 1
+techcentral.ml, 1
+techcenturion.com, 1
+techchip.com, 1
+techclan.ga, 1
+techcluster.tk, 1
+techcm.com, 1
+techcody.com, 1
+techcolorado.tk, 1
+techcompany.tk, 1
+techcracky.com, 1
+techcu.lt, 1
+techcult.com, 1
+techcultivation.de, 0
+techcultivation.net, 0
+techcultivation.org, 1
+techdatapark.com, 1
+techday.asia, 1
+techday.co.nz, 1
+techday.com, 1
+techday.com.au, 1
+techday.network, 1
+techdhanush.com, 1
+techdirt.com, 1
+techdocscove.xyz, 1
+techdoms.tk, 1
+techeasyblog.com, 1
+teched-creations.com, 1
+techexpert.tips, 1
+techexplorist.com, 1
+techfibian.tk, 1
+techfinancials.co.za, 1
+techfishnews.com, 1
+techformator.pl, 1
+techforthepeople.org, 1
+techforum.cz, 1
+techframework.com, 1
+techfreepro.ml, 1
+techfuturae.com, 1
+techgama.org, 1
+techgearlab.com, 1
+techgo.re, 1
+techgrance.com, 1
+techguidereview.com, 1
+techguides.tk, 1
+techgurubiz.com, 1
+techhackhome.tk, 1
+techhappy.ca, 1
+techhh.ca, 1
+techhubs.gov, 1
+techie-show.com, 1
+techiecomputers.com, 1
+techiehall.com, 1
+techieidiots.ml, 1
+techieshideaway.com, 1
+techiesmart.tk, 1
+techiestalk.in, 1
+techikoma.social, 1
+techindiana.tk, 1
+techindo.cf, 1
+techinet.pl, 1
+techinsurance.com, 1
+techiseasy.it, 1
+techisfake.ga, 1
+techitalk.ga, 1
+techitsol.tk, 1
+techiwant.com, 1
+techjobplaybook.nyc, 1
+techjobs.be, 1
+techkalture.com, 1
+techkeep.tk, 1
+techkentucky.tk, 1
+techkilla.tk, 1
+techland.net, 1
+techlandgg.com, 1
+techlearningcollective.com, 1
+techlevel.org, 1
+techlit.pk, 1
+techlore.tech, 1
+techlovers.com, 1
+techlr.de, 1
+techmagazine.tk, 1
+techmagick.com, 1
+techmaish.com, 1
+techmammal.de, 1
+techmanstan.com, 1
+techmatter.tk, 1
+techmatters.org, 1
+techmayhem.net, 1
+techmeout.io, 1
+techmerch.ru, 0
+techmusea.com, 1
+technamin.com, 1
+technavio.com, 1
+technewsetc.tk, 1
+technewyork.tk, 1
+technic-piscines.fr, 1
+technic3000.com, 1
+technicabv.nl, 1
+technicalbikram.tk, 1
+technicalbikrammalati.tk, 1
+technicalbrothers.cf, 1
+technicalfiresolutions.com, 1
+technicalforensic.com, 1
+technicalhelps.org, 1
+technicalhub.tk, 1
+technicalities.ca, 1
+technicallyeasy.net, 1
+technicalmarine.solutions, 1
+technicalproblem.tk, 1
+technicaltoolboxes.com, 1
+technicaltrainer.co.za, 1
+technicalustad.com, 1
+technician.academy, 1
+technick.net, 1
+technicodelabels.com, 1
+technicus.nl, 1
+technikoma.com, 1
+technikoma.eu, 1
+technikoma.net, 1
+technikoma.org, 1
+technikoma.social, 1
+technikplanet.de, 1
+techniqueelevage.ddns.net, 1
+techniquetechs.com, 1
+technisys.com, 1
+techno-utopia.com, 1
+techno360.in, 1
+technochat.in, 1
+technocracy.works, 1
+technodance.tk, 1
+technodemarkt.bg, 1
+technodevelopmentera.tk, 1
+technodisaster.com, 1
+technogies.cf, 1
+technogps.com, 1
+technogrand.gq, 1
+technoholod.tk, 1
+technohonks.tk, 1
+technohram.tk, 1
+technoidhost.com, 1
+technoids.tk, 1
+technoledge.jp, 1
+technolink.cf, 1
+technolink.ga, 1
+technologie-innovation.fr, 1
+technology.cx, 1
+technologyabundant.ga, 1
+technologyandroid.tk, 1
+technologyapp.tk, 1
+technologycaptive.ga, 1
+technologycellar.ga, 1
+technologyclassy.ga, 1
+technologycollections.ga, 1
+technologycollector.ga, 1
+technologycompanion.ga, 1
+technologycupid.ga, 1
+technologydesigning.ga, 1
+technologydigital.tk, 1
+technologyecho.ga, 1
+technologyecho.tk, 1
+technologyinformation.tk, 1
+technologyintergrity.ga, 1
+technologyjust.ga, 1
+technologylittle.ga, 1
+technologymessenger.ga, 1
+technologynewss.tk, 1
+technologyscience.tk, 1
+technologysi.com, 1
+technologysnapshot.ga, 1
+technologysoftware.tk, 1
+technologysouthbeach.ga, 1
+technologysprint.ga, 1
+technologysugar.ga, 1
+technologyvisual.ga, 1
+technologywaterfront.ga, 1
+technologywt.com, 1
+technolution.tk, 1
+technolux.net, 0
+technomagia.tk, 1
+technomix.tk, 1
+technopedia.gq, 1
+technorthdakota.tk, 1
+technosapien.ml, 1
+technosorcery.net, 1
+technospeakco.com, 1
+technostone.tk, 1
+technostropic.au, 1
+technostropic.com, 1
+technostropic.net, 1
+technoswag.ca, 1
+technotoday.com.tr, 1
+technotronikcanada.ca, 0
+technovisioneng.com, 1
+technoweb.ga, 1
+technowikis.com, 1
+technowise.tk, 1
+technowiz.tk, 1
+technoyl.com, 1
+techonline.com, 1
+techorbiter.com, 1
+techorganism.com, 1
+techpartes.com.br, 1
+techpedia.it, 1
+techpeer.al, 1
+techpeer.at, 1
+techpeer.be, 1
+techpeer.bg, 1
+techpeer.ch, 1
+techpeer.co.uk, 1
+techpeer.cz, 1
+techpeer.de, 1
+techpeer.dk, 1
+techpeer.ee, 1
+techpeer.es, 1
+techpeer.eu, 1
+techpeer.fr, 1
+techpeer.hu, 1
+techpeer.lt, 1
+techpeer.lu, 1
+techpeer.lv, 1
+techpeer.md, 1
+techpeer.me, 1
+techpeer.nl, 1
+techpeer.pl, 1
+techpeer.pt, 1
+techpeer.ro, 1
+techpeer.rs, 1
+techpeer.se, 1
+techpeer.si, 1
+techpeer.sk, 1
+techpilipinas.com, 1
+techpoint.org, 0
+techpp.com, 1
+techpressable.com, 1
+techprom.tk, 1
+techraptor.net, 1
+techrek.pl, 1
+techreportforall.tk, 1
+techrevolution.lt, 1
+techround.co.uk, 1
+techs.cf, 1
+techsalot.com, 1
+techsat.tk, 1
+techsaviours.online, 1
+techsaviours.org, 1
+techsecrets.tk, 1
+techsee.me, 1
+techserve.ml, 1
+techsharetx.gov, 1
+techshift.eu, 1
+techshift.nl, 1
+techshift.se, 1
+techsite.tk, 1
+techsmartstore.com, 1
+techsna.com, 1
+techsolvency.com, 1
+techsoup.net.nz, 1
+techstackjournal.com, 1
+techsys.ch, 1
+techsys.cz, 1
+techtastic.tk, 1
+techtexas.tk, 1
+techthorne.com, 1
+techtivity.pl, 1
+techto.date, 1
+techtolia.com, 1
+techtouch.tk, 1
+techtoydeveloper.tk, 1
+techtrader.ai, 1
+techtrendnews.tk, 1
+techtrozan.ga, 1
+techunit.org, 1
+techvaz.com, 1
+techview.link, 1
+techviewforum.com, 1
+techvigil.org, 1
+techvision.tk, 1
+techvoice.tk, 1
+techwalker.cf, 1
+techwallet.tk, 1
+techwestsolutions.com.au, 1
+techwin.systems, 1
+techwithcromulent.com, 1
+techwolf12.nl, 1
+techwords.io, 1
+techzant.com, 1
+techzero.cn, 1
+techzjc.com, 0
+tecit.ch, 1
+tecke.tk, 1
+teckgeekz.com, 1
+tecknobox.fr, 1
+tecknologg.website, 1
+teckprojects.com, 1
+tecmarkdig.com, 1
+tecmestre.com.br, 1
+tecne.ws, 1
+tecnicainnovacion.com.mx, 1
+tecnicapotiguar.com.br, 1
+tecnicasapinzon.com, 1
+tecnicfit.ovh, 1
+tecnick.com, 1
+tecnicman.com, 1
+tecnicman.it, 1
+tecnicoadomicilio.com.mx, 1
+tecnicoelettrodomestici.roma.it, 1
+tecnikan.ar, 1
+tecnimas.com.mx, 0
+tecnimotos.com, 1
+tecnitool.es, 1
+tecno-block.ru, 1
+tecno-pack.net, 1
+tecnoarea.com.ar, 1
+tecnoblog.net, 1
+tecnoboxchile.cl, 1
+tecnocomp-systems.com, 1
+tecnodritte.it, 1
+tecnoempleo.com, 1
+tecnofarma.com.pe, 1
+tecnogazzetta.it, 1
+tecnogestionsas.com, 1
+tecnograficaimpresos.com, 1
+tecnoimp.it, 1
+tecnoimpianti.bz.it, 1
+tecnologiahdv.com, 1
+tecnomagazine.net, 1
+tecnonews.cf, 1
+tecnonews.tk, 1
+tecnopiniones.com, 1
+tecnosa.es, 1
+tecnoticiasdigitales.tk, 1
+tecnotrattamenti.it, 1
+tecnovernicisrl.com, 1
+tecnyal.com, 1
+tecob.com, 1
+tecon.co.at, 1
+tecorrs.tk, 1
+tecparsnet.ir, 1
+tecpartnership.com, 1
+tecra.com, 1
+tecroxy.com, 1
+tecsar.cn, 1
+tecsar.org, 1
+tecscipro.de, 1
+tectas.co.jp, 1
+tecumsehmi.gov, 1
+tecwolf.com.br, 1
+tecyt.com, 1
+teczero.co.uk, 1
+ted.do, 0
+tedamos.at, 1
+tedamos.ch, 1
+tedamos.com, 1
+tedamos.de, 1
+tedankara.k12.tr, 1
+teddax.com, 1
+tedder.cc, 1
+teddit.net, 1
+teddybearsnextadventure.com, 1
+teddykatz.com, 1
+teddyss.com, 0
+teddywayne.com, 1
+tedgautsch.com, 1
+tedhardy.com, 1
+tedirgin.tk, 1
+tedroche.com, 1
+tedsdivingsystem.com, 1
+tedsears.net, 1
+tedulearning.com, 1
+tedxencgf.com, 1
+tedxyalesecondaryschool.com, 1
+tedyst.ro, 1
+tee-suche.de, 1
+teecketing.com, 1
+teedinsiam.com, 1
+teefashionstar.com, 1
+teehaus-shila.de, 1
+teekaymedia.tk, 1
+teektalk.org, 1
+teemo.gg, 1
+teemulintula.fi, 1
+teen-club.tk, 1
+teen-porno-video.ru, 1
+teencounseling.com, 1
+teengamer.tk, 1
+teengamingnights.net, 1
+teengirlpics.com, 1
+teenmissions.org, 1
+teenmoviesgallery.ga, 1
+teenoverload.com, 1
+teenpussypornvid.com, 1
+teenringen.nl, 1
+teensexgo.com, 1
+teensifynews.tk, 1
+teenslesbian.com, 1
+teenslikeitbig.com, 1
+teenslovehugecocks.com, 1
+teentinytits.com, 1
+teenusernames.com, 1
+teenviet.ga, 1
+teenwebcams.ml, 1
+teenwolfturkey.tk, 1
+teenworlds.tk, 1
+teenxxx-tube.com, 1
+teenxy.com, 1
+teepak.ml, 1
+teerer.tk, 1
+teestore.ru, 1
+teesypeesy.com, 1
+teethtalkgirl.com, 0
+teetje-doko.de, 1
+teetoptens.com, 1
+teevahasa.com, 1
+teeverse-photography.com, 1
+teeworlds-friends.de, 1
+tefek.cz, 1
+tefinet.sk, 1
+tefline.ir, 1
+tefly-frhaty.com, 1
+tefok.com, 1
+tefoley.com, 1
+tefwin.cf, 1
+teg6.com, 1
+teganlaw.ca, 1
+teganlaw.com, 1
+tege-elektronik.hu, 1
+tegel-schoonmaken.nl, 1
+teh1xbet.com, 1
+tehillimforall.com, 1
+tehnicari-za-racunalstvo.tk, 1
+tehnikarechi.studio, 1
+tehniss.rs, 1
+tehno-kip.ru, 0
+tehno-trust.tk, 1
+tehno3d.ru, 1
+tehnoklubi.ee, 1
+tehnomagija.tk, 1
+tehosmotravto.ru, 1
+tehplace.club, 1
+tehrankey.ir, 1
+tehrantamirgah.com, 1
+teichroeb.net, 1
+teier.eu, 1
+teier.net, 1
+teigtascherlfabrik.net, 1
+teigukitty.tk, 1
+teilenapp.com, 1
+teiron.ml, 1
+teiseken.tk, 1
+teixobactin.com, 1
+tejo.tk, 1
+tejomaya.net, 1
+tek-el.ru, 1
+teka.ro, 1
+tekanswer.com, 1
+tekcafe.vn, 1
+tekchoiceelectronics.com, 1
+tekdt.com, 1
+tekila.cf, 1
+tekila.ga, 1
+tekila.tk, 1
+tekingb.com, 0
+tekirdagemlak.tk, 1
+tekiro.com, 1
+tekittak.com, 1
+tekkenzone.net, 1
+tekme.pt, 1
+teknashop.com, 1
+teknik-sipil.tk, 1
+teknikaldomain.me, 1
+teknikplastik.com.tr, 1
+tekniksnack.se, 1
+teknisetdemarit.fi, 1
+tekniskakustik.se, 1
+teknodaim.com, 1
+teknoforums.com, 1
+teknogeek.id, 1
+teknoharekat.com, 1
+teknomarko.com, 0
+teknon.tk, 1
+teknorix.com, 1
+teknosa.com, 0
+teknotiq.com, 1
+teknow.tk, 1
+teknoweek.com, 0
+teko.se, 1
+tekpon.com, 1
+tekshrek.com, 0
+teksnologi.com, 1
+teksol-boat.ru, 1
+tekstover.tk, 1
+tekstpesni.tk, 1
+tektorg.ru, 1
+tektouch.net, 1
+tektuts.com, 1
+telamon.eu, 1
+telangananews.ml, 1
+telanganatoday.com, 1
+telani.net, 1
+telaviv.estate, 1
+telaviva.com.br, 1
+telavivtips.nl, 1
+telco-motor.fr, 1
+telco.si, 1
+telcodb.net, 1
+telcu.com, 1
+teldak.pt, 1
+teldoop.my.id, 1
+tele-alarme.ch, 1
+tele-assistance.ch, 0
+tele-points.net, 1
+tele-teen.ru, 1
+tele.wiki, 1
+tele2vaxel.se, 1
+teleafrica.ga, 1
+telealarme.ch, 0
+telealarmevalais.ch, 1
+teleassistance-telealarme.com, 1
+teleblog.gq, 1
+telebugs.tk, 1
+telecablenostima.tk, 1
+telecallsrl.com, 1
+telecamera.pro, 0
+telecharger-itunes.com, 1
+telecharger-open-office.com, 1
+telecharger-videos.com, 1
+telecharger-winrar.com, 1
+telechirkut.xyz, 1
+telecomhelp.ru, 1
+telecommande-express.com, 1
+telecommunications.cf, 1
+telecommutejobs.com, 1
+telecomwestland.nl, 1
+teledatos.tk, 1
+telefon.report, 1
+telefonabonnement.dk, 1
+telefoncek.si, 1
+telefonicatech.com, 1
+telefonkort.tk, 1
+telefonni-ustredna.cz, 1
+telefonseelsorge-paderborn.de, 1
+telefoon.nl, 1
+telefunk.tk, 1
+telefusion.de, 1
+telega.gq, 1
+telegaon.com, 1
+telegashop.cf, 1
+telegazeta.com.ua, 1
+telegra.ph, 1
+telegram-gp.ml, 1
+telegram.org, 1
+telegram.poker, 1
+telegramlearn.tk, 1
+telegramseen.com, 1
+telehealthsuite.com, 1
+telehealthventures.com, 0
+telekollektiv.org, 1
+telekomiker.tk, 1
+telekothonbd.com, 1
+teleleafpa.com, 1
+telelog.ml, 1
+telema.tk, 1
+telemaco.tk, 1
+telemetr.io, 0
+telemind.net, 1
+telemitra.com, 1
+telenco-datacenter.com, 1
+telenco-networks.com, 1
+telenovelas-france.tk, 1
+teleogistic.net, 1
+teleoposiciones.es, 1
+telephonedirectories.us, 1
+telephoni-cdma.tk, 1
+telepilote-academy.fr, 1
+telepok.com, 1
+telepons.com, 1
+teleport.com.br, 1
+teleport.sh, 1
+teleport.video, 1
+teleportart.gq, 1
+teleportpink.com, 1
+teleportweb.com.br, 1
+teleradio.ga, 1
+teleradio.tk, 1
+teleroute.com, 1
+telesales.guru, 1
+teleserce.com, 1
+teleshkronja.ml, 1
+teleshop.be, 1
+teleskell.org, 1
+telesoftware.tk, 1
+telesonicengineering.com.my, 1
+telestepina.ru, 1
+teleteen.ru, 1
+teleteleei.ml, 1
+teletexto.com, 1
+teletime.com.br, 1
+teleton.org, 1
+teletxt.me, 1
+teleum.net, 1
+televentabelcorp.com, 1
+televisioncontests.ga, 1
+televisionesendirecto.tk, 1
+televisionsrit.tk, 1
+televizeseznam.cz, 1
+televotia.ch, 1
+telework.gov, 1
+teleworkouts.com, 1
+telexsus.com, 1
+teleyal.blog, 1
+telezon.ru, 1
+telfaircountyga.gov, 1
+telfas.de, 1
+telford.codes, 1
+telhai.ac.il, 1
+telhatelite.com.br, 1
+teligram.ru, 1
+telit.com.br, 1
+telk.kr, 1
+telka-online.tk, 1
+telking.com, 1
+telkom.co.id, 1
+tellaresdo.com, 1
+tellercounty.gov, 1
+tellet.tel, 1
+tellimer.com, 1
+telling-voices.tk, 1
+telling.xyz, 1
+tellingua.com, 1
+tellme.tk, 1
+tellusaboutus.com, 1
+telly.site, 1
+tellygames.com, 1
+tellyourtale.com, 1
+telnet.dk, 1
+telokchki.ga, 1
+telokchki.ml, 1
+teloo.pl, 1
+telos-analytics.com, 1
+telosglobal.io, 1
+telpotas.xyz, 1
+telrock.com, 1
+telsu.fi, 1
+teltru.com, 1
+telugu4u.net, 1
+temaflex.tk, 1
+temariogratis.com, 1
+temariosoposiciones.tk, 1
+tematicas.org, 1
+tematonline.pl, 1
+tembusulaw.com, 1
+temdu.com, 0
+temertysimcentre.com, 1
+temirgaliev.tk, 1
+temizlik.ml, 1
+temizmama.com, 1
+teml.in, 1
+temmyzplace.com, 1
+temnacepel.cz, 1
+temnikova.tk, 1
+temoclub.com, 1
+temofoundation.com, 1
+temogroup.com, 1
+temogroup.org, 1
+temogroupe.com, 1
+temoinfidele.fr, 1
+temoinfo.com, 1
+temonews.com, 1
+temonews.org, 1
+temp-lars.army, 1
+temp.pm, 1
+temp37c.com, 1
+tempa.com.ua, 1
+tempdomain.ml, 1
+tempdomain.tk, 1
+tempefestivalofthearts.com, 1
+temperedglassncase.com, 1
+temperodojuca.com.br, 1
+tempestsoft.com, 1
+tempfiles.ninja, 1
+templars.army, 1
+template-help.fr, 1
+templated.ga, 1
+templatetrip.com, 1
+templeandalucia.tk, 1
+templeoverheaddoors.com, 1
+templete.tk, 1
+tempmail.ninja, 1
+tempo.co, 1
+tempo.com.ph, 1
+tempocams.com, 1
+tempocams.net, 1
+tempocams.org, 1
+temporada.icu, 1
+temporada.tk, 1
+temporal.tk, 1
+temporalmotivation.com, 1
+temporaris.com, 1
+temporaryair.com, 1
+temporaryfencehire.net.au, 1
+temporarysanity.tk, 1
+temporarytattoosguru.com.au, 1
+tempsdexpo.com, 1
+tempsoundsolutions.tk, 1
+tempus-aquilae.de, 1
+tempus.tf, 1
+temtekco.com, 1
+ten-ki-lp.work, 1
+ten-ki-saiyo.online, 1
+tena.ml, 1
+tena.tk, 1
+tenangjiwaku.tk, 1
+tenantacademy.co.za, 1
+tenantoptions.com.au, 1
+tenantprotect.co.za, 1
+tenber.ge, 1
+tenberg.com, 1
+tenbookclub.org, 1
+tencent.xn--vuq861b, 1
+tencur.com, 1
+tendanceaumasculin.fr, 1
+tendanceouest.com, 1
+tendaqu.com, 1
+tende.roma.it, 1
+tendergrupp.ru, 1
+tenderned.nl, 1
+tenderstem.co.uk, 1
+tenderstem.ie, 1
+tendiestown.com, 1
+tendinite.org, 1
+tendiris.ga, 1
+tendmed.com.br, 1
+tendomag.com, 1
+tendure.tk, 1
+tenens.ru, 1
+tenenz.com, 1
+tenerifeautohuur.nl, 1
+teners.me, 1
+tenfeetsquare.net, 1
+tenfingerscollective.tk, 1
+tengodetodo.tk, 1
+tenhourguy.com, 1
+tenispopular.com, 1
+tenisservis.eu, 1
+tenjou-tenge.tk, 1
+tenken1010.org, 1
+tenma.pro, 1
+tennaxia.com, 1
+tenncare.gov, 1
+tennesseejeepsters.com, 1
+tennis-academy-weserbergland.de, 1
+tennis-agesc.fr, 1
+tennis-altai.tk, 1
+tennis-hameln.de, 1
+tennisadmin.com, 1
+tennisapp.de, 1
+tenniscourtsjoburg.com, 1
+tenniscritic.ga, 1
+tennismania.tk, 1
+tennismindgame.com, 1
+tennisnerd.net, 1
+tennisnyi-stol.tk, 1
+tennispensacola.com, 1
+tennisportal.com.ua, 1
+tennisschool.tk, 1
+tennistalk.tk, 1
+tennisweb.cf, 1
+tenno.tools, 1
+tenon-backup.com, 1
+tenryo.work, 0
+tenshindo.ne.jp, 1
+tenshoku-hanashi.com, 1
+tenshokudo.com, 1
+tenshokufair.jp, 1
+tent.io, 1
+tenta.com, 1
+tentacle.monster, 1
+tentacle.net, 1
+tentacletank.com, 1
+tentagent.com, 1
+tenthdimensions.com, 1
+tenthirtyonepictures.com, 1
+tenthousandcoffees.com, 1
+tentoo.nl, 0
+tentq.com, 1
+tentries.com, 1
+tenutachianchizza.it, 0
+tenyx.de, 1
+tenzer.dk, 1
+teoassessoria.com.br, 1
+teodorpravicky.com, 1
+teodw.com, 1
+teodw.net, 1
+teoletextsq.tk, 1
+teologia.promo, 0
+teomahk.de, 1
+teoskanta.fi, 1
+tep.com, 1
+tepaard.ddns.net, 1
+tepautotuning.com, 1
+tepco2021.com, 1
+tepid.org, 1
+tepitus.de, 0
+teplici-crimea.ru, 1
+teplo-russia.ru, 1
+teplo-unit.ru, 1
+teplofom.ru, 1
+teplohod.kharkov.ua, 1
+teplomash24.ru, 1
+teplotehnik.tk, 1
+teplovizor.info, 1
+teppelin.fr, 1
+teppichpracker.at, 1
+tepui.io, 1
+teq-automotive.com, 1
+teqip-pms.gov.in, 1
+tequenikality.net, 1
+tequilaavion.com, 1
+tequilazor.com, 1
+terabyte-computing.com, 1
+terabyte.services, 1
+terabyteharddrive.net, 1
+terabyteit.co.uk, 1
+teracloud.at, 1
+teradatta.ga, 1
+teradatta.gq, 1
+teradatta.tk, 1
+teramind.co, 1
+teramundi.com, 1
+teran.me, 1
+teran.pw, 1
+teran.ru, 1
+teranacreative.com, 1
+terapeuticaenalza.es, 1
+terapiaradial.tk, 1
+terapower.com.tw, 1
+teraren.com, 1
+teraservice.eu, 1
+teraservice.ml, 1
+terass.com, 0
+terbaruberita.id, 1
+terborg600.nl, 1
+tercelonlinelat.tk, 1
+tercodemaria.com.br, 1
+tercosdemaria.com.br, 1
+teremopt.ru, 1
+terence2008.info, 1
+terengganudaily.tk, 1
+terenska-edinica.tk, 1
+terento.org, 1
+teritwarsj.org, 1
+teriva.ua, 1
+term-master.ru, 1
+terma.ml, 1
+termbackti.me, 1
+terme.milano.it, 1
+terme.roma.it, 1
+terme.viterbo.it, 1
+termee.com, 1
+termeh-store.com, 1
+termi.tk, 1
+termifree.tk, 1
+termin-online.com, 0
+terminalyouth.tk, 1
+terminationsremembered.com, 1
+termine.tel, 1
+termino.eu, 1
+terminsrakning.se, 1
+termitinitus.org, 1
+termius.com, 1
+termografiranje.si, 1
+termoidraulica.roma.it, 1
+termoidraulico.milano.it, 1
+termoidraulico.roma.it, 1
+termopares.tk, 1
+termproject.org, 1
+termux.com, 1
+ternex.ru, 1
+ternitoday.it, 1
+terobait48.ru, 1
+teronia.net, 1
+terosclient.de, 1
+terovania.com, 1
+terovania.de, 1
+terovania.games, 1
+terpelpanama.com, 1
+terpotiz.eu, 1
+terpotiz.net, 1
+terra-med.ga, 1
+terra-x.net, 1
+terra.bio, 1
+terra.fitness, 1
+terra7.net, 1
+terrab.de, 1
+terrabela.tk, 1
+terracapital.ma, 1
+terracloud.de, 0
+terraco.ga, 1
+terracom.gr, 1
+terracore.hu, 1
+terracycle.com, 1
+terraesencial.com, 1
+terrafinanz.de, 1
+terraform.io, 0
+terraformator.ru, 1
+terragni-sarasin.ch, 1
+terrakotta.tk, 1
+terraluna.space, 1
+terramineira.com.br, 1
+terraneesens.fr, 1
+terranimo.re, 1
+terranovadesignbuild.com, 1
+terraquercus.tk, 1
+terrariatr.tk, 1
+terrarium.tk, 1
+terrasandcooking.nl, 1
+terrasandcookingoutdoor.nl, 1
+terrasearcher.tk, 1
+terraso.net, 1
+terraso.org, 1
+terrasoverkappingvillage.be, 1
+terrasoverkappingvillage.nl, 1
+terratruehq.com, 1
+terraweb.net, 1
+terrax.net, 1
+terredeshommes.nl, 1
+terrelltx.gov, 1
+terremoto.com.br, 1
+terrenal.tk, 1
+terrenasparadise.com, 1
+terres-et-territoires.com, 1
+terresmagiques.com, 0
+terrexllc.com, 1
+terrischeer.com.au, 1
+territoriesredress.gov.au, 1
+territoriocuchero.tk, 1
+territoriya.tk, 1
+territory.cf, 1
+terroinsect.com.mx, 1
+terrorbilly.com, 1
+terrorblast.tk, 1
+terrorism.lol, 1
+terrty.net, 1
+terryburton.co.uk, 1
+terrybutler.co.uk, 0
+terryjohnsononline.com, 1
+terryoconnor.org, 1
+ters.ga, 1
+terumoindia.com, 1
+terumoindiaskilllab.com, 1
+terumomedical.com, 1
+tervelde.com, 1
+terviseamet.ee, 0
+tervolina.tk, 1
+tesche.biz, 1
+tescoirelandpayslips.com, 1
+tescoludia.sk, 1
+tesdrole.tk, 1
+teseo.kz, 1
+tesharp.com, 1
+teshuzi.com, 1
+teskalabs.com, 1
+tesla-fire.com, 1
+tesla-tula.tk, 1
+tesladeaths.com, 1
+teslam.in, 1
+teslamagician.com, 1
+teslamate.ca, 1
+teslasuit.io, 1
+teslatr.net, 1
+tesorion.nl, 1
+tespent.cn, 1
+tesseract.wiki, 1
+tesseractinitiative.org, 1
+tessierashpool.de, 1
+tessla.org, 1
+test-deployment.xyz, 1
+test-eligibilite-isolation.com, 1
+test-iq.gq, 1
+test-my.tk, 1
+test-na-beremennost.tk, 1
+test-online.tk, 1
+test-privacyportal-ui.azurewebsites.net, 1
+test-school.ml, 1
+test-textbooks.com, 1
+test-verz.online, 1
+test.de, 1
+test.gd, 1
+test.io, 1
+test1-isrewards.com, 1
+test1974.nl, 1
+test2-isrewards.com, 1
+test4pro.ga, 1
+testable.org, 1
+testadren.com, 1
+testadron.com, 1
+testantidrogarapidi.it, 1
+testapfnxg.com, 1
+testaustime.fi, 1
+testazdes.gov, 1
+testbed.fi, 1
+testbirds.cz, 1
+testbirds.sk, 1
+testcase.me, 1
+testcoz.tk, 1
+testdemoweb.tk, 1
+testdevelocidad.com, 1
+testdomens.ga, 1
+testdrogue.fr, 1
+testecta.top, 1
+testehogs.tk, 1
+testem.de, 1
+testemo.tk, 1
+testenopreis.nl, 1
+testeri.fi, 1
+testermerch.pl, 1
+testeveonline.com, 1
+testforce.tk, 1
+testfort.com, 1
+testgeomed.ro, 1
+testgroup.nl, 1
+testheat.org, 1
+testikel.be, 1
+testing-server.tk, 1
+testingbot.com, 1
+testingtask.tk, 1
+testiowa.gov, 1
+testispdomain.ml, 1
+testkinja.com, 1
+testmpf.com, 1
+testmx.email, 1
+testmx.eu, 1
+testmx.org, 1
+testmy.tk, 1
+testomato.com, 0
+testone.com.tr, 1
+testoon.com, 1
+testosterone-complex.com, 1
+testosteronedetective.com, 1
+testovaci.ml, 1
+testpinoy.com, 0
+testplant.com, 1
+testpool.gq, 1
+testpornsite.com, 1
+testprep.online, 1
+testprepinsight.com, 1
+testpsicotecnicos.com.es, 1
+testq.se, 1
+tests-and-tips.info, 1
+tests-und-tipps.info, 1
+tests.pp.ru, 1
+tests.school, 1
+tests.tips, 1
+testsab.com, 1
+testscorpiogroup.net, 1
+testscript.ml, 1
+testservice.nl, 1
+testsitefortask.xyz, 1
+testsity.tk, 1
+testsnelcovid.nl, 1
+testspsicotecnicos.org, 1
+testsweb.ml, 1
+testthis.cf, 1
+testvision.nl, 1
+testyonline.tk, 1
+tetam.dynv6.net, 1
+tetangers.tk, 1
+tetap.fun, 1
+tetete-no-te.com, 1
+tether.com, 1
+tethercasinos.io, 1
+tetherqr.com, 1
+tethys.fr, 1
+teto.nu, 1
+tetonas.tk, 1
+tetorix.gq, 1
+tetovaweb.tk, 1
+tetovo.tk, 1
+tetrabyte.tk, 1
+tetracyclin.gq, 1
+tetracyclin.ml, 1
+tetracyclin.tk, 1
+tetracycline500mg.ga, 1
+tetraktus.org, 1
+tetramax.eu, 1
+tetrarch.co, 1
+tetrimus.com, 1
+tetrisponse.io, 1
+tetsudo.jp.net, 1
+tetsumaki.net, 1
+tetweb.ir, 1
+teu-fel.com, 1
+teufel-cloud.ddns.net, 1
+teufel.de, 1
+teufelaudio.nl, 1
+teufelswerk.net, 1
+teulon.eu, 1
+teungedj.de, 1
+teunmulder.tk, 1
+teunstuinposters.nl, 1
+teusink.eu, 1
+teuto.com.br, 1
+teuton.io, 1
+teutonia-grossenlueder.de, 1
+teutonia08.de, 1
+teva.com, 1
+teveblad.be, 1
+teverzamelen.nl, 1
+tewarilab.co.uk, 1
+tewhare-iti.co.nz, 1
+tewkesburyyoga.com, 1
+tex-izol.ru, 1
+texaport.co.uk, 0
+texarkanatexas.gov, 1
+texarkanatherapycenter.com, 1
+texasbluesalley.com, 1
+texascarauctions.com, 1
+texascharterbuscompany.com, 1
+texascoffee.co, 1
+texasconcretereadymix.com, 1
+texascountymo911.gov, 1
+texascredit.com, 1
+texasdivorceforall.com, 1
+texasgynecomastia.com, 1
+texashealthtrace.gov, 1
+texasintegratedservices.com, 1
+texasnewsusa.tk, 1
+texasonesource.com, 1
+texasonlinedivorce.com, 0
+texasonlinemarriagecounseling.com, 1
+texaspaintingandgutters.com, 1
+texasparkinglotstriping.com, 1
+texasready.gov, 1
+texasteam.tk, 1
+texasultraspirit.com, 1
+texasurodoc.com, 1
+texasvolunteerattorneys.org, 1
+texaswinetrail.com, 1
+texby.com, 1
+texdot.gov, 1
+texel.es, 1
+texel.tk, 1
+texfunding.com, 1
+texican.nl, 1
+texicopolicenm.gov, 1
+texier.mx, 1
+texkey.com, 1
+texkings.com, 1
+texnogu.ru, 1
+texnoguru.tk, 1
+texnolog.tk, 1
+texnotroniks.tk, 1
+texosmotr.tk, 1
+texpresspainting.com, 1
+textadventure.tk, 1
+textassistant.ga, 1
+textcleaner.net, 1
+textcounter.tk, 1
+texteditor.co, 1
+texter-linz.at, 1
+texter.at, 1
+texterseo.at, 1
+texterseo.de, 1
+textieldiscounter.nl, 1
+textil-kyoto.tk, 1
+textiles.tk, 1
+textinmate.com, 1
+textlinktausch.tk, 1
+textonly.email, 1
+textpages.tk, 1
+textpattern.com, 1
+textpro.xyz, 1
+textprotocol.org, 1
+textron.com, 0
+textscout.io, 1
+textsite.tk, 1
+textualapp.com, 1
+textundblog.de, 1
+textura.bg, 1
+textura.gr, 1
+textura.ro, 1
+textures-resource.com, 1
+textus.com, 1
+textzformatter.com, 1
+texus.me, 1
+texy.info, 1
+teycos.com, 1
+teyit.org, 1
+teysens.com, 1
+teyyib.com, 1
+tezcam.tk, 1
+tezgoal.com, 1
+teztarama.com, 1
+tf-amd.com.my, 1
+tf-network.de, 1
+tf2b.com, 1
+tf2calculator.com, 1
+tf2pickup.cz, 1
+tf2pickup.de, 1
+tf2pickup.eu, 1
+tf2pickup.fi, 1
+tf2pickup.it, 1
+tf2pickup.org, 1
+tf2pickup.pl, 1
+tf2pickup.se, 1
+tf2pickup.web.tr, 1
+tf7879.com, 1
+tfadictivo.com, 1
+tfaforms.com, 1
+tfb.az, 1
+tferdinand.net, 1
+tfg-bouncycastles.com, 1
+tfiglobalnews.com, 1
+tfiik.com, 1
+tfinfo.fr, 1
+tfipost.com, 1
+tfk-installatieservice.nl, 1
+tfk.fr, 1
+tfle.xyz, 1
+tflite.com, 1
+tfnapps.de, 1
+tfok.ml, 1
+tfrei.de, 1
+tfscreener.com, 1
+tfsound.cz, 1
+tfsrcymru.org.uk, 1
+tft-cheat-sheet.com, 1
+tfus.co, 1
+tfw-a.com, 1
+tfx.com.br, 1
+tfxstartup.com, 1
+tfxstartup.com.br, 1
+tfyre.co.za, 1
+tg2sclient.com, 1
+tgb.org.uk, 1
+tgcfabian.nl, 1
+tgcgrain.com, 1
+tgenotary.com, 1
+tgexport.eu, 1
+tglbbs.com, 0
+tgmarketingusa.com, 1
+tgo1111.com, 0
+tgo6688.com, 0
+tgo789.com, 0
+tgo8899.com, 1
+tgoaa.com, 1
+tgoall.com, 1
+tgod.co, 1
+tgrade.finance, 0
+tgt.co.il, 0
+tgtw.cc, 1
+tgu15.com, 1
+tgui.eu, 1
+tgui.net, 1
+tgw.com, 1
+tgwork.com, 1
+tgx.rs, 1
+th-1x.com, 1
+th-1xbet.com, 1
+th-fanlist.tk, 1
+th.am, 1
+th.search.yahoo.com, 0
+th2eco.de, 1
+thablubb.de, 1
+thackert.myfirewall.org, 1
+thai-massage.tk, 1
+thai-ridgeback.tk, 1
+thai-tibet.hu, 1
+thai.land, 1
+thai369.com, 1
+thaibizsingapore.com, 0
+thaiboystory.ga, 1
+thaibrokersfx.com, 1
+thaicurry.net, 1
+thaiforexfamily.com, 1
+thaifriendly.com, 1
+thaigirls.cf, 1
+thaihomecooking.com, 1
+thaihong.co.th, 1
+thaihong.com, 1
+thaihotmodels.tk, 1
+thailande-fr.com, 1
+thailandguru.properties, 1
+thailandhotel.tk, 1
+thailandpropertylisting.ga, 1
+thailandvariety.cf, 1
+thaimbc.com, 1
+thaimega.club, 1
+thaiminh.tech, 1
+thaiorchidpetoskey.com, 1
+thaipbspodcast.com, 1
+thaiportal.gq, 1
+thais.tk, 1
+thaislots.online, 1
+thaisolarexpert.com, 1
+thaisurveys.com, 1
+thaitonic.de, 1
+thaiwatsadu.com, 1
+thaiwrestling.tk, 1
+thaixon.co.th, 1
+thajske-masaze-brno.cz, 1
+thajske-masaze-olomouc.cz, 1
+thajske-masaze-vyskov.cz, 1
+thakurmarjhuli.tk, 1
+thalamus.nz, 1
+thalan.fr, 1
+thalgott.net, 0
+thalhammer.it, 1
+thalia.nu, 1
+thalikkunushivatemple.tk, 1
+thalliman.com, 1
+thalmann.fr, 0
+thamesfamilydentistry.com, 1
+thamesvalleybuses.com, 1
+thammachartconnect.com, 1
+thammysen.vn, 1
+thanatoid.net, 1
+thancon.com, 1
+thanhtrungmobile.vn, 1
+thantra.tk, 1
+thapduoc.com, 1
+tharuka.com, 1
+tharuka.de, 1
+thaserv.de, 1
+thassos-world-web.tk, 1
+thassos.tk, 1
+that.host, 1
+thatch.ai, 1
+thatchhealth.com, 1
+thatdaria.com, 1
+thatdarkplace.com, 1
+thatdirtyd.com, 1
+thatmy.com, 1
+thatshayini-sivananthan.fr, 1
+thatskykid.com, 1
+thatssodee.com, 1
+thaumaturgian-national-university.tk, 1
+thavmacode.gr, 1
+thaw.systems, 1
+thawte.com.ru, 1
+thaxton.xyz, 0
+thc-stadvdzon.nl, 1
+thca.ca, 1
+thda.org, 1
+the-ace.tk, 1
+the-allmighty-mike.tk, 1
+the-archive.io, 1
+the-archive.ml, 1
+the-azad.com, 1
+the-big-bang-theory.com, 1
+the-bookies.com, 1
+the-brandidentity.com, 1
+the-buildersyard.com, 1
+the-burtons.xyz, 1
+the-busbys.com, 1
+the-carshop.com, 1
+the-club.fr, 1
+the-crypto-syllabus.com, 1
+the-deep.tk, 1
+the-digital-insurer.com, 1
+the-digitale.com, 0
+the-dream.tk, 1
+the-ear.net, 1
+the-earth-yui.net, 0
+the-egotronic.tk, 1
+the-farm.tk, 1
+the-finance-blog.com, 1
+the-forgotten.net, 1
+the-gist.io, 1
+the-glitch.network, 1
+the-ken.com, 1
+the-lfb.tk, 1
+the-mermaid.tk, 1
+the-metropolitans.tk, 1
+the-muddy-trophy-team.tk, 1
+the-mudmen.tk, 1
+the-naked.com, 1
+the-nose.com, 1
+the-opposites.tk, 1
+the-pcca.org, 1
+the-pressoffice.com, 1
+the-red.pp.ua, 1
+the-small-dick-club.com, 1
+the-snaglist.com, 1
+the-spellcaster.com, 1
+the-spoonfeed.club, 1
+the-storm.tk, 1
+the-tech-trend.com, 1
+the-tg.com, 1
+the-toolshop.com, 1
+the-top.net, 1
+the-trophy-company.com, 1
+the-wandering-midget.tk, 1
+the-winx.tk, 1
+the-woods.org.uk, 1
+the-world.tk, 1
+the-zenti.de, 1
+the.gd, 1
+the1.wiki, 1
+the12by12.com, 1
+the13thtribe.tk, 1
+the51news.ga, 1
+the5th.nl, 1
+the7eye.org.il, 1
+the8rules.co.uk, 1
+thea-team.net, 1
+theabsoluteroof.com, 1
+theacademicpapers.co.uk, 1
+theaccountingcompanyleeds.co.uk, 1
+theaceblock.space, 1
+theactivationfunction.com, 1
+theactuary.ninja, 1
+theadamsonchronicle.tk, 1
+theadelaideshow.com.au, 1
+theadultswiki.com, 1
+theafleo.ga, 1
+theafleo.gq, 1
+theagencywithoutaname.com, 1
+theaidigitalmarketingblog.com, 1
+thealchemistatelier.com, 1
+theallmanteam.com, 1
+thealmoners.com, 1
+thealmsolution.com, 1
+thealonas.cf, 1
+thealonas.ga, 1
+thealonas.gq, 1
+thealonas.ml, 1
+thealonas.tk, 1
+thealphaconnection.com, 1
+theamandatappingclub.tk, 1
+theamandatappingcontest.tk, 1
+theangelgivingtree.com, 1
+theangelgivingtree.info, 1
+theangelgivingtree.net, 1
+theangelgivingtree.org, 1
+theangelushouse.com, 1
+theanimalskingdom.com, 1
+theantarticx.com, 1
+theantisocialengineer.com, 1
+theantnetwork.tk, 1
+theapj.com, 1
+theapplewiki.com, 1
+theapriltears.tk, 1
+theaps.net, 0
+theaquila.tk, 1
+thearcheryguide.com, 1
+thearches.co.uk, 1
+thearchimag.tk, 1
+thearizonatribune.com, 1
+thearkfamily.org, 1
+thearmchairtrader.com, 0
+theasianshooters.com, 1
+theastrocoach.com, 1
+theataraxia.tk, 1
+theataraxiazine.tk, 1
+theater.cf, 1
+theaterfrederik.tk, 1
+theatergroep-o.nl, 1
+theaterreichenhall.tk, 1
+theatertage2024.de, 1
+theatheistbook.com, 1
+theathletic.com, 1
+theatre-schools.com, 1
+theatrefolk.com, 1
+theatrepremol.com, 1
+theatresocietyguts.tk, 1
+theatresuite.tk, 1
+theaus.xyz, 1
+theaustinbulldog.org, 1
+theaustinsevenworkshop.com, 1
+theawesomemuse.com, 1
+thebabelog.cf, 1
+thebabelog.ga, 1
+thebabelog.gq, 1
+thebabypassport.com, 1
+thebacksplashcompany.com, 1
+thebackstage.tk, 1
+thebacteriafight.gq, 1
+thebakersbuddy.co.uk, 1
+thebakery2go.de, 1
+thebalancedsystem.org, 1
+thebannerstore.com, 1
+thebarclay.org, 1
+thebarrens.nu, 1
+thebasementdefender.com, 1
+thebasementdefender.net, 1
+thebasicstudio.com, 1
+thebathroomexchange.ga, 1
+thebbfoundation.org, 1
+thebeardeditdad.com, 1
+thebeatyard.nl, 1
+thebeaulife.co, 1
+thebeautyqueen.tk, 1
+thebedfordcitizen.org, 1
+thebeeyard.org, 1
+thebeginningviolinist.com, 1
+thebenefitcalculator.com, 1
+thebengalinews.tk, 1
+thebenstore.com, 1
+theberries.tk, 1
+thebestfun.co.uk, 1
+thebesthomecooking.ru, 0
+thebestlaos.ga, 1
+thebestnews.ga, 1
+thebestofthesprings.com, 1
+thebestpersonin.ml, 1
+thebestproducts.info, 0
+thebestshopping.tk, 1
+thebetterfit.com, 1
+thebettermagazine.com, 1
+thebhc.org, 1
+thebigbigworld.tk, 1
+thebigbouncetheory.com, 1
+thebigdatacompany.com, 1
+thebigdig.xyz, 1
+thebigslow.com, 1
+thebillingtongroup.com, 1
+thebillu.com, 1
+thebinarys.com, 1
+thebiopoetist.eu.org, 1
+thebirchwoods.com, 1
+thebismarckmarathon.com, 1
+thebit.link, 1
+thebitchneyfiles.tk, 1
+thebiz.tk, 1
+theblackboard.gr, 1
+theblackcat.ga, 1
+theblackknightsings.com, 1
+theblackravens.com, 1
+theblankenshipfirm.com, 1
+theblaqcat.com, 1
+theblink.com, 1
+theblisters.tk, 1
+theblock.co, 1
+theblog.cn, 1
+theblogstarter.com, 1
+theblondeabroad.com, 0
+theblue.tk, 1
+theblueinnovations.com, 1
+thebluered.net, 0
+theblueroofcottage.ca, 1
+thebluub.com, 1
+theboard.tk, 1
+theboardroomsubi.com.au, 1
+theboats.agency, 1
+theboats.club, 1
+theboats.com, 1
+theboats.de, 1
+theboats.online, 1
+theboats.pro, 1
+thebobcoin.io, 1
+thebodylanguageguide.tk, 1
+thebodyshop.bg, 1
+theboltway.com, 1
+thebonerking.com, 1
+thebook.pro, 1
+thebosshub.net, 1
+thebot.net, 1
+theboulders.com, 1
+thebouncedepartment.co.uk, 1
+theboxofcarlos.com, 1
+theboxoutofthebox.com, 1
+theboysrepublic.tk, 1
+thebrag.com, 1
+thebrainfactory.eu, 1
+thebraininitiative.gov, 1
+thebrainwash.tk, 1
+thebranddesign.gq, 1
+thebreakroom.org, 1
+thebrewingtonfamily.net, 1
+thebridalcollection.com, 1
+thebrightons.co.uk, 1
+thebrightons.uk, 1
+thebritishlibraryinstallation.com, 1
+thebroadcastknowledge.com, 1
+thebrookeb.com, 1
+thebsl.ca, 1
+thebss.tk, 1
+thebucklandreligion.tk, 1
+thebuffalotavern.com, 1
+thebugmanfraservalley.com, 1
+thebull.com.au, 1
+thebulletin.io, 1
+thebunnyhutch.org, 1
+theburst.tk, 1
+thebus.top, 1
+thebutterflyencounters.com, 1
+thebuttongame.io, 1
+thebuttonpost.com, 1
+thecakeboxhampton.co.uk, 1
+thecalifornias.tk, 1
+thecalmnessofblankspace.tk, 1
+thecamels.org, 1
+thecameradivision.com, 1
+thecanadarace.com, 1
+thecandidforum.com, 1
+thecandystore.tk, 1
+thecardcloset.com, 1
+thecarolingconnection.com, 1
+thecarpenters.tk, 1
+thecarphunter.tk, 1
+thecarriagerooms.com, 1
+thecatanddogbowl.au, 1
+thecatbowl.com.au, 1
+thecats.tk, 1
+thecavedistro.tk, 1
+thecaveofsatyr.tk, 1
+thecavepeople.is, 1
+thecelticfiles.tk, 1
+theceocollective.com, 1
+thecfef.org, 1
+thechaikinreport.com, 1
+thechallenge.fit, 1
+thechandigarhcity.com, 1
+thechatlinenumbers.com, 1
+thechauffeur-international.com, 1
+thechavs.xyz, 1
+thecheapairlinetickets.com, 1
+thecheat.tk, 1
+thecheese.co.nz, 1
+thechelseadrugstore.ie, 1
+thechemistryisdead.tk, 1
+thecherryship.ch, 0
+thechfdietitian.com, 1
+thechicanos.tk, 1
+thechinaguide.com, 1
+thechoice.tk, 1
+thechosenones.tk, 1
+thecigarlibrary.com, 0
+thecineshoppe.com, 1
+theciso.com, 0
+thecitizen.support, 1
+thecitywarehouse.clothing, 1
+theclarke.house, 1
+theclarke.wedding, 1
+theclearingnw.com, 1
+thecleverhost.co.uk, 1
+theclimbingunit.com, 1
+theclockdepot.com, 1
+theclonker.de, 0
+thecloroxcompany.com, 1
+thecloudadmin.eu, 1
+thecluster.xyz, 1
+thecnstore.com, 1
+thecodeninja.net, 1
+thecodest.co, 1
+thecoffeecamp.com, 1
+thecoffinshop.co.nz, 1
+thecognitivequest.com, 1
+thecolorbarph.com, 1
+thecolorrun.hu, 1
+thecombustionway.com, 0
+thecomedystore.co.uk, 1
+thecommonmen.tk, 1
+thecommunityguide.org, 1
+thecommunitymakers.club, 1
+thecompany.pl, 1
+thecompliancepeople.co.uk, 1
+theconcierge-international.com, 1
+theconcordbridge.azurewebsites.net, 1
+thecondemned.tk, 1
+theconductsoflife.com, 1
+theconsultant.jp, 1
+theconsultingpeople.tk, 1
+thecontentcloud.com, 1
+theconversation.com, 1
+theconverter.net, 0
+theconveyer.org, 1
+thecook.com.co, 1
+thecookiewriter.com, 1
+thecoolbrain.co.uk, 1
+thecoredublin.tk, 1
+thecorianderkitchen.com, 1
+thecorrectblogger.com, 1
+thecostymusic.tk, 1
+thecotsworth.com, 1
+thecoverlot.com, 1
+thecovky.gov, 1
+thecowboy.cafe, 1
+thecowquerie.tk, 1
+thecr3ative.tk, 1
+thecraftingstrider.net, 1
+thecrazybrains.tk, 1
+thecrazyones.hopto.org, 1
+thecrazytravel.com, 1
+thecreativeshour.com, 0
+thecrew-exchange.com, 1
+thecrimson.tk, 1
+thecrochetcottage.net, 1
+thecronosgroup.com, 1
+thecskr.in, 1
+thecstick.com, 1
+thecubepsych.com, 1
+thecup.us, 1
+thecureplainsong.tk, 1
+thecuriousdev.com, 1
+thecursedmercantile.com, 1
+thecurvyfashionista.com, 1
+thecustomdroid.com, 1
+thecustomizewindows.com, 1
+thecyberwire.com, 1
+thecyclistchoice.com, 1
+theda.co.za, 1
+thedaac.org, 1
+thedailybloon.tk, 1
+thedailyexercise.com, 1
+thedailyprosper.com, 0
+thedailyreporteronline.com, 1
+thedailyupvote.com, 1
+thedaimon.cn, 1
+thedanceacademybuckscounty.com, 0
+thedanceranch.com, 1
+thedark.ga, 1
+thedark1337.com, 1
+thedarkages.tk, 1
+thedarkartsandcrafts.com, 1
+thedarkcolonyfansite.tk, 1
+thedarkfusion.tk, 1
+thedarksidesoftwaresecurity.ga, 1
+thedarkteam.tk, 1
+thedataexaminer.com, 1
+thedave.link, 1
+thedave.me, 1
+thedave.photos, 1
+thedawningofdarkness.tk, 1
+thedeathmachine.tk, 1
+thedeathofannakarina.tk, 1
+thedebug.life, 1
+thedefiled.tk, 1
+thedelaunay.com, 1
+thedemocraticstrategist.org, 1
+thedermdetective.com, 1
+thedev.id, 1
+thedevastatedrealm.tk, 1
+thedevilwearswibra.nl, 1
+thedevrycommonsbrasil.com, 0
+thediamondapp.com, 1
+thedietsolutionprog.tk, 1
+thedigitalcurator.art, 1
+thedigitalparadox.tk, 1
+thediligentwoman.com, 1
+thedinnerdetective.com, 1
+thediscforum.tk, 1
+thediscovine.com, 1
+thedistance.co.uk, 1
+thedivineforce.com, 1
+thediyvibe.com, 1
+thedjhookup.com, 1
+thedoc.eu.org, 1
+thedocumentrefinery.com, 1
+thedomainrobot.com, 1
+thedomains.co.uk, 1
+thedonaldarchive.tk, 1
+thedotcom.tk, 1
+thedowlinggroup.com, 1
+thedrakesdebut.com, 1
+thedrawbacks.tk, 1
+thedriftuniversity.com, 1
+thedrivers.tk, 1
+thedrizzle.tk, 1
+thedronechart.com, 1
+thedroneely.com, 1
+theduchessbudapest.com, 1
+thedysfunctionalangel.cf, 1
+thedysfunctionalangel.ga, 1
+thedysfunctionalangel.gq, 1
+thedysfunctionalangel.ml, 1
+theeagle.com, 1
+theebookkeepers.co.za, 1
+theeducationalequalityinstitute.org, 1
+theeducatoronline.com, 1
+theeffingyogablog.com, 1
+theegyptblog.tk, 1
+theeighthbit.com, 0
+theel0ja.info, 1
+theel0ja.ovh, 1
+theeldritchhounds.cf, 1
+theeldritchhounds.gq, 1
+theeldritchhounds.ml, 1
+theelephant.info, 1
+theeliteneet.com, 1
+theemeraldmagazine.com, 1
+theemptyvault.com, 1
+theender.net, 1
+theendlesssixties.com, 0
+theendpoem.com, 0
+theentropyofdelicatewonders.com, 1
+theepankar.com, 1
+theepicsponge.co.uk, 1
+theequinepractice.com, 1
+theerneshot.com, 1
+theescapegame.com, 1
+theestateplanninggroup.com, 1
+theeuropeanlibrary.org, 1
+theevergreen.me, 0
+theeverydayprepper.com, 1
+theexodus.tk, 1
+theexpatriate.de, 1
+theexplorer.ro, 1
+theextract.co.uk, 1
+theeyeopener.com, 1
+theeyewearshop.com.au, 1
+thefabricator.com, 1
+thefabulouslifestyles.com, 1
+thefabulouswomen.com, 1
+thefaircottage.com, 1
+thefairieswantmedead.com, 1
+thefairytale.tk, 1
+thefallen.tk, 1
+thefamilychemist.co.uk, 1
+thefamilygarrison.com, 1
+thefanimatrix.net, 1
+thefantasyrooms.com, 1
+thefarleys.ca, 1
+thefashiondistrict.tk, 1
+thefashionpolos.com, 1
+thefasthire.org, 1
+thefastmode.com, 1
+thefatduck.co.uk, 1
+thefatlosspuzzle.com, 0
+theferrarista.com, 0
+thefibreapp.com, 1
+thefieldservicecompany.nl, 1
+thefinalconflict.tk, 1
+thefinx.io, 1
+thefishshop.ga, 1
+thefitcare.com, 1
+thefitcareerist.com, 1
+theflashback.co.uk, 1
+theflesh.tk, 1
+theflexerzone.ga, 1
+theflowershopdeddington.com, 1
+theflowstudios.com, 1
+theflyingbear.net, 0
+theflyingdutch.tk, 1
+thefnafarchive.org, 1
+thefoodcops.com, 1
+thefooddictator.com, 1
+thefoodieblogger.com, 1
+thefoot.tk, 1
+theforkedspoon.com, 1
+theformtool.com, 1
+thefox.com.fr, 1
+thefranklinnewspost.com, 1
+thefreebay.tk, 1
+thefreemail.com, 1
+thefreethinker.tk, 1
+thefrenchbeautyacademy.edu.au, 1
+thefrenchconnection.tk, 1
+thefridaycinema.com, 1
+thefriedzombie.com, 1
+thefriedzombie.nl, 1
+thefriedzombie.online, 1
+thefriendlyplant.co.za, 1
+thefrontend.agency, 1
+thefrugalvegan.tk, 1
+thefuckingtide.com, 0
+thefulcrum.us, 1
+thefunfirm.co.uk, 1
+thefunzone.tk, 1
+thefurnitureco.uk, 1
+thefurniturefamily.com, 1
+thefusion.net.in, 1
+thefussyeater.ie, 1
+thefutureforward.com, 1
+thefuturetech.ga, 1
+thegab.in, 1
+thegadget.tk, 1
+thegadgetflow.com, 1
+thegallery-restaurant.co.uk, 1
+thegamecave.co.uk, 1
+thegamecollector.tk, 1
+thegantars.tk, 1
+thegasshop.co.uk, 1
+thegasshop.uk, 1
+thegatewaydigital.com, 1
+thegatewaytoanewworld.com, 1
+thegeekdiary.com, 1
+thegeekguy.eu, 1
+thegeeklab.de, 0
+thegeektools.com, 1
+thegemriverside.com.vn, 1
+thegeniusdz.tk, 1
+thegentleman.tk, 1
+thegeriatricdietitian.com, 1
+thegermancoder.com, 1
+thegerwingroup.com, 1
+thegetaway.com, 1
+theghostlytavern.com, 1
+thegiantsdream.tk, 1
+thegildedthistle.com, 1
+thegingersnapbaker.co.za, 1
+theginnylee.com, 1
+thegioibanca.tk, 1
+thegioicovua.com, 1
+thegioidulich.com.vn, 1
+theglencoetorah.com, 1
+theglossymusings.com, 1
+thego2swatking.com, 1
+thegoaescort.com, 1
+thegoldandsilverexchange.com, 1
+thegolden.com, 1
+thegoodinside.com, 1
+thegoodveggie.com, 1
+thegoodvybe.ml, 1
+thegospell.tk, 1
+thegpbox.com, 1
+thegradient.pub, 1
+thegraduatesalon.co.uk, 1
+thegrandline.tk, 1
+thegrandtour.tk, 1
+thegreatcommissionpodcast.com, 1
+thegreatdecay.tk, 1
+thegreatgonzo.uk, 1
+thegreatplains.com, 1
+thegreatsouthernburgerco.ga, 1
+thegreendigest.com, 1
+thegreenfields.se, 1
+thegreenhead.com, 1
+thegreenlawreport.com, 1
+thegreenmanpottery.com, 1
+thegroovecartel.com, 1
+thegrotto.tk, 1
+thegrs.com, 0
+theguerrilla.agency, 0
+thegundogaffair.com, 1
+thegvoffice.net, 1
+thehabitat.com, 1
+thehackerblog.com, 1
+thehackers.cf, 1
+thehadicks.com, 1
+thehairrepublic.net, 1
+thehalchal.com, 1
+thehamiltoncoblog.com, 1
+thehammerfund.com, 1
+thehamptonsvegan.com, 1
+thehappeny.com, 1
+thehappyxwife.ga, 1
+thehardgame.top, 1
+thehasanyildirim.tk, 1
+thehashagency.com.au, 1
+thehassanmusic.tk, 1
+thehasty.com, 1
+thehaxbys.co.uk, 1
+thehaze.org, 1
+theheadplug.tk, 1
+thehealthshed.nl, 1
+theheatingoilclub.co.uk, 1
+thehelper.tk, 1
+thehillstx.gov, 1
+thehiltonfirm.tk, 1
+thehivedesign.org, 1
+thehoff.ddnss.de, 1
+thehollandfam.com, 0
+theholloways.tk, 1
+thehomebakery.ie, 1
+thehomebarista.com, 1
+thehomemademasks.com, 1
+thehomeofthefuture.com, 1
+thehomeschoolsupplyco.com, 0
+thehoney.ga, 1
+thehonorguard.org, 1
+thehookup.be, 1
+thehopefuture.com, 1
+thehorsesadvocate.com, 1
+thehosmers.com, 1
+thehotcasinos.com, 1
+thehotfix.net, 1
+thehotness.tech, 1
+thehotrocks.tk, 1
+thehowlinwolfcafe.ga, 1
+thehudsonindependent.com, 1
+thehumancondition.com, 1
+thehumanizer.tk, 1
+thehumanjoint.com, 1
+thehumorist.tk, 1
+theideaskitchen.com.au, 1
+theidiotboard.com, 1
+theimagefile.com, 1
+theimaginationagency.com, 1
+theinboxpros.com, 1
+theindependent.ca, 0
+theindependent.com, 1
+theindiangraph.tk, 1
+theindiantimes.in, 1
+theindiemood.com, 1
+theinfoblog.com, 1
+theinitium.com, 0
+theinnerprism.com, 1
+theinput.com, 1
+theinsightsfamily.com, 1
+theinstitute.cf, 1
+theintercept.com, 0
+theinternationalgeekconspiracy.eu, 1
+theinventory.com, 1
+theinvisibleman.tk, 1
+theislandtime.com, 1
+theissen.io, 1
+theitaliantimes.it, 1
+theitsage.com, 0
+theixiangrand.gr, 1
+thejacksoninstitute.com.au, 1
+thejewelhut.co.uk, 1
+thejkdrebel.com, 1
+thejoaustralia.com, 1
+thejoneshub.com, 1
+thejonsey.com, 0
+thejourneydesignstudio.com, 1
+thejoykiller.tk, 1
+thejsmodel.com, 1
+thejukebox.tk, 1
+thejunkfiles.com, 1
+thekalakriti.tk, 1
+thekev.in, 1
+thekeymusic.com, 1
+thekickassvirtualassistant.nl, 1
+thekidszone.in, 1
+thekillertoxin.de, 1
+thekingofhate.com, 0
+thekitchendoor.co.nz, 1
+thekitchenfarnborough.co.uk, 1
+thekitchenprofessor.com, 1
+thekitchngic.com, 1
+thekitsunesden.com, 1
+thekittivibe.com, 1
+thekliniquehotdeal.com, 1
+theknightrider.com, 1
+theknittingnetwork.co.uk, 1
+theknockout.tk, 1
+theknowitguy.com, 1
+thekonsulthub.tk, 1
+thekuwayama.net, 1
+thelafayettecompany.com, 1
+thelaimlife.com, 1
+thelakedistrict.tk, 1
+thelancergroup.com, 1
+thelangfords.au, 1
+thelangfords.id.au, 1
+thelanscape.com, 1
+thelansingjournal.com, 1
+thelapine.ca, 1
+thelasallenetwork.com, 1
+thelastsurprise.com, 1
+thelastvikings.tk, 1
+thelatinbrothers.ch, 1
+thelaunchbay.com, 1
+thelaurelchiropractor.com, 1
+thelawyermag.com, 1
+thelazyfox.xyz, 1
+thelazysre.com, 1
+thelbc.io, 0
+thelearninggardener.com, 1
+theleaves.tk, 1
+thelegionshirley.co.uk, 1
+thelematics.com, 1
+thelemonlawcalifornia.com, 1
+thelencystore.com, 1
+thelevelman.com, 1
+thelibertinephilosophy.ga, 1
+thelicensecompany.com, 1
+thelifevison.com, 1
+thelightbulbproject.tk, 1
+thelightingstore.co.uk, 1
+thelightpoints.eu, 1
+thelimitededition.in, 1
+thelinuxspace.com, 1
+thelittlepeartree.eu, 1
+thelocals.ru, 1
+thelockerroom.ie, 1
+thelocxresearch.tk, 1
+thelodgeonlakedetroit.com, 1
+thelondonflorist.com, 1
+thelonelyones.co.uk, 1
+thelonious.nl, 1
+theloop.ai, 1
+theloop.build, 1
+thelordofthewing.cf, 1
+thelordofthewing.ga, 1
+thelordofthewing.gq, 1
+thelordofthewing.ml, 1
+thelordsofthefallen.com, 1
+thelosangelesconservative.com, 1
+thelostfreighter.com, 1
+thelostyankee.com, 1
+thelotter.club, 1
+thelounge.chat, 1
+theloves.com, 1
+thelwallrangers.tk, 1
+themacateam.com, 1
+themacios.com, 1
+themadlabengineer.co.uk, 1
+themagazine.my, 1
+themagazinetimes.com, 1
+themagician.tk, 1
+themainemonitor.org, 1
+themakers.ie, 1
+themallards.info, 1
+themallrats.tk, 1
+themanbbq.com, 1
+themandogs.tk, 1
+themaniaks.tk, 1
+themarkup.org, 1
+themarshallproject.org, 1
+themassageguy.capetown, 1
+themaster.site, 1
+themaster.tk, 1
+themasterplan.com.au, 1
+thematchless.de, 1
+themathbehindthe.science, 1
+themathergroup.com, 1
+themathscentre.com, 1
+themattresswarehouse.co.za, 1
+thematyper.tk, 1
+themayanah.com, 1
+themeapps.ga, 1
+themeccagroupllc.com, 1
+themecraft.studio, 0
+themediaframe.com, 1
+themedictips.com, 1
+themegatones.tk, 1
+thememory.tk, 1
+thementornetwork.com, 1
+themenzentrisch.de, 1
+themeparkfans.tk, 1
+themeparksimulations.tk, 1
+themerchandiser.net, 0
+themerciful.tk, 1
+themeridianway.com, 1
+themesurgeons.net, 1
+themetropreneur.com, 1
+themexicos.tk, 1
+themexx.at, 1
+themiamimarathon.com, 1
+themiddle.co, 1
+themiddlewoman.com.au, 1
+themify.me, 1
+themify.org, 1
+themigraineinstitute.com, 1
+themilanlife.com, 1
+themilfmovies.com, 1
+themindcollection.com, 1
+theminiacs.com, 1
+theminimalistentrepreneur.com, 1
+themiracle.tk, 1
+themirc.tk, 1
+themizellbrothers.tk, 1
+themlmsuccessnow.tk, 1
+themodel.ie, 1
+themodernreviewer.ga, 1
+themologroup.com, 1
+themomentratchada19.com, 1
+themomstudio.tk, 1
+themoneyconverter.com, 1
+themonthly.com.au, 1
+themood.site, 0
+themorningpodcast.tk, 1
+themortgagereports.com, 1
+themostexpensiveworkofart.com, 1
+themount.co.uk, 1
+themountsomerset.co.uk, 1
+themoviepreview.ga, 1
+themprojects.com, 1
+themurrayfamily.me.uk, 1
+themusecollaborative.org, 1
+themusicofchrisbulman.tk, 1
+themusicthatnobodylikes.tk, 1
+themusketeerslodge.com, 1
+themusthaves.de, 1
+thenamingcommission.gov, 1
+thenappylaundry.ga, 1
+thenathanmethod.com, 1
+thenation.tk, 1
+thenational.academy, 1
+thenaturalpath.co.nz, 1
+theneatgadgets.com, 1
+thenest.se, 1
+thenetw.org, 1
+thenew3rs.org, 1
+thenewclassics.com, 1
+thenewissue.tk, 1
+thenewsmill.com, 1
+thenewtoy.net, 1
+thenextweb.com, 1
+thenexwork.com, 1
+thenichecast.com, 1
+thenine.info, 1
+theninenine.com, 1
+theninjasedge.com, 1
+thenobullshit.coach, 1
+thenocman.com, 1
+thenolank.com, 1
+thenorthschool.org.uk, 1
+thenovicechefblog.com, 1
+thenowheremen.com, 1
+thenrdhrd.nl, 1
+thenudge.com, 1
+thenursery.it, 1
+thenutritionalreset.ca, 1
+theo-andreou.org, 1
+theo.agency, 1
+theo.me, 1
+theo546.cloud, 1
+theo546.fr, 1
+theo546.ovh, 1
+theoakageexperiment.com, 1
+theoasis.co.nz, 1
+theobg.co, 1
+theobromos.fr, 0
+theoc4ever.tk, 1
+theocharis.org, 1
+theocjournal.tk, 1
+theocoffee.com, 0
+theocracy.tk, 1
+theocratic.cf, 1
+theocratic.tk, 1
+theocrazzolara.tk, 1
+theodorahome.co, 1
+theodorahome.com.br, 1
+theodoreroosevelt.org, 1
+theodorojr.com.br, 1
+theofficeofangelascott.com, 1
+theoffsetbinary.co.in, 1
+theofleck.com, 0
+theokouzelis.com, 1
+theoldbrewhouse.info, 1
+theoldmill.tk, 1
+theoldnews.net, 1
+theoldschoolgamevault.com, 1
+theolodewijk.nl, 1
+theologique.ch, 1
+theome.ga, 1
+theomegagroup.co.uk, 1
+theonegroup.co.uk, 0
+theonethaimassage.de, 1
+theonikage.tk, 1
+theonion.com, 1
+theonyxzone.com, 1
+theoosmetalart.nl, 1
+theopaczek.com, 1
+theopera.tk, 1
+theoperators.tk, 1
+theophil.tk, 1
+theorchestranow.com, 1
+theorchestranow.org, 1
+theoriecheck.de, 1
+theoriginalassistant.com, 1
+theoriginalcandid.com, 1
+theoriginalmarkz.com, 1
+theoriginalworkshop.com, 1
+theorioncorrelation.com, 1
+theory-test-online.co.uk, 1
+theory.org, 1
+theoryofmind.tk, 1
+theoscure.eu, 1
+theosophic.ga, 1
+theosophie-afrique.org, 1
+theotherside.tk, 1
+theoverfly.co, 1
+theoverground.tk, 1
+thepac.uk, 1
+thepaffy.de, 0
+thepaleodiettips.tk, 1
+thepandacustom.com, 1
+thepaperstore.com, 1
+theparachafamily.tk, 1
+theparallelrevolution.com, 1
+theparklane-sukhumvitbearing.com, 1
+theparkwoodmanor.com, 1
+theparoxetine.gq, 1
+theparthub.com, 1
+theparticipants.tk, 1
+thepartner.co.uk, 1
+thepartydoctors.co.uk, 1
+thepatchworks.org, 1
+thepathsofdiscovery.com, 1
+thepaul.tk, 1
+thepaulagcompany.com, 0
+thepavilionbanbury.co.uk, 0
+thepaymentscompany.com, 1
+thepcweb.tk, 1
+thepeak.com, 1
+thepenguinconspiracy.tk, 1
+thepennyjar.com, 1
+thepennymatters.com, 1
+thepeoplesdata.com, 1
+thepeoplesdata.org, 1
+theperfectmediagroup.com, 1
+theperformanceblog.com, 1
+thepharm.co.nz, 1
+thephoenixdg.com, 1
+thephp.cc, 1
+thepiabo.ovh, 0
+thepiedpiper.co.uk, 1
+thepieslicer.com, 1
+thepigwrestlers.com, 1
+thepilotwoman.cf, 1
+thepilotwoman.ga, 1
+thepilotwoman.gq, 1
+thepilotwoman.ml, 1
+thepinecones.tk, 1
+thepioneersgame.com, 1
+thepiratebay.cf, 1
+thepiratebay.net, 1
+thepiratesociety.org, 1
+thepitsurfhire.co.uk, 1
+thepixel.tk, 1
+theplantpeople.co.nz, 1
+theplaydaysbus.co.uk, 1
+theplazacentre.co.uk, 1
+theploughharborne.co.uk, 1
+thepodcastreviewshow.com, 1
+thepoetryclub.tk, 1
+thepoetryofperfume.com, 1
+thepokerbank.com, 1
+thepokerpeople.com, 1
+thepollitochicken.com, 1
+thepool.tk, 1
+thepopcornfactory.com, 1
+thepowerboys.tk, 1
+thepressleygirls.com, 1
+thepressurewashingdirectory.com, 1
+thepriceisright.tk, 1
+theprimegroup.ca, 1
+theprimepr.in, 1
+theprimetalks.com, 0
+theprincegame.com, 1
+theprinceshort.tk, 1
+theprinterjam.com, 1
+theprintrepublic.com, 1
+thepriorybandbsyresham.co.uk, 1
+theprivacysolution.com, 1
+theprivatetherapyclinic.co.uk, 1
+theprodigaljournal.com, 1
+theproject.cf, 1
+theprojectx.tk, 1
+thepromisemusic.com, 1
+thepsi.com, 0
+theptclist.tk, 1
+theptpractitioner.com.au, 1
+thepulpit.tk, 1
+thepuppetdolls.tk, 1
+thepureplan.com, 1
+thepurplechickens.tk, 1
+thepuzzles.eu.org, 1
+thepyre.tk, 1
+thepyrographytool.com, 1
+theqrl.org, 1
+theqtree.com, 1
+thequillmagazine.org, 1
+theradiojudge.com, 1
+theralino.de, 1
+theramo.re, 1
+theranch.com, 1
+therandombits.com, 1
+therankkings.org, 1
+therap-up.fr, 1
+therapie-fricktal.ch, 1
+therapie-psycho-emotionnelle.fr, 1
+therapiepraxis-westbezirk.de, 1
+therapyclient.com, 1
+therapyconnects.co.uk, 1
+therapyforblackmen.org, 1
+therapyglobe.com, 1
+therapynotes.com, 1
+therapypartner.com, 1
+therapyportal.com, 1
+therapysearch.com, 1
+therapyservices.co.nz, 1
+therapysxm.com, 0
+therapyworks.com, 1
+therasmusgt.tk, 1
+therasmusperu.tk, 1
+theravada.tk, 1
+thereadingresidence.com, 1
+thereafter.ga, 1
+thereal.tk, 1
+therealcomp.ga, 1
+therealcost.gov, 1
+therealcountrydancers.tk, 1
+therealestatesolutionsguy.com, 1
+therealmaids.com, 1
+thereaper.net.au, 1
+thereaper.tk, 1
+theredhouse.org, 1
+theredsgazette.tk, 1
+thereisnocloud.fr, 1
+thereload.com, 1
+therenderingmachine.com, 1
+therenegade.tk, 1
+thereptiles.tk, 1
+theresa-mayer.eu, 1
+theresapolicewi.gov, 1
+theresingles.tk, 1
+therestaurantstore.com, 1
+theretirementincomecalculator.com, 1
+therevenge.me, 1
+therevolutionist.tk, 1
+therhetorical.ml, 0
+therhodesresidences.com, 1
+therichardsfamily.tk, 1
+therisk.global, 1
+theriverspecialist.com, 1
+thermalbad-therme.de, 1
+thermalitowsca.gov, 1
+thermia.co.nz, 1
+thermia.com.au, 1
+thermique.ch, 0
+thermity.com, 1
+thermolamina.nl, 1
+thermorhythm.com, 1
+thermostat.gq, 1
+thermostatsolutions.com, 1
+thermowood-bkh.ru, 1
+therniakov.tk, 1
+theroadrunners.tk, 1
+theroams.co.uk, 1
+therobertcoffeeshow.com, 1
+theroccos.us, 0
+therockawaysny.com, 0
+theroguestormtrooper.com, 1
+therohotel.com, 1
+therokasshow.tk, 1
+theroks.com, 1
+theromexchange.com, 1
+theroot.com, 1
+therootdental.com, 1
+therootshive.com, 1
+theros.org.uk, 1
+therowlinglibrary.com, 1
+theroyal.tk, 1
+therugswarehouse.co.uk, 1
+theruleslawyer.net, 1
+therumfordcitizen.com, 1
+therunawayspremiere.tk, 1
+theruncibleraven.com, 1
+theruraltrust.com, 1
+therusnews.tk, 1
+therustyspoon.net, 1
+therworth.com, 1
+therworth.eu, 1
+therworth.net, 1
+therworth.org, 1
+thesacreds.com, 1
+thesafetymag.com, 1
+thesage.cf, 1
+thesage.ga, 1
+thesagresapartments.com, 1
+thesalonthing.com, 0
+thesaltsanctuaryfl.com, 1
+thesarogroup.com, 1
+thesatriantoshow.tk, 1
+thesaturdaypaper.com.au, 1
+thescienceofdeduction.tk, 1
+thescientists.nl, 1
+thescriptzone.tk, 1
+theseal.tk, 1
+thesearch.com.tw, 1
+thesecondsposts.com, 0
+thesecularparent.com, 1
+thesecurityvault.com, 0
+theseed.io, 1
+theseedbox.xyz, 1
+thesehighsandlows.com, 1
+theselfevidenttruth.com, 1
+thesemisouthernhomemaker.com, 1
+theseofarm.com, 1
+theseoframework.com, 1
+theseosystem.com, 1
+theseotool.site, 1
+theseparationguide.com.au, 1
+theserpent.tk, 1
+theserver.ml, 1
+theserver201.tk, 1
+theserviceyouneed.com, 1
+thesession.org, 1
+thesetwohands864.com, 1
+theseusconsulting.it, 1
+theshaker.com.au, 1
+thesharedbrain.ch, 0
+theshesuite.com, 1
+theshopally.com, 1
+theshots.cz, 1
+theshroomery.org, 1
+thesigit.tk, 1
+thesignacademy.co.uk, 1
+thesignalco.com.au, 1
+thesilentfew.tk, 1
+thesilentlink.org, 1
+thesilentplanet.tk, 1
+thesilentsecrets.com, 1
+thesilverdaisy.com, 1
+thesimons.family, 1
+thesimplehelp.com, 1
+thesimplewebcompany.com, 1
+thesimsbrasil.tk, 1
+thesingaporelawyer.com, 1
+thesinhalanews.lk, 1
+thesipher.tk, 1
+thesis-editor.co.uk, 1
+thesisgeek.com, 1
+thesishelp.net, 1
+thesissurvey.cf, 1
+thesissurvey.gq, 1
+thesistraffic.com, 1
+thesiterank.com, 1
+theskepticalreviewarchive.com, 1
+theskingym.co.uk, 1
+theskiweek.com, 1
+thesled.net, 1
+thesocialitefamily.com, 1
+thesocialmediacentral.com, 1
+thesomepeople.org, 1
+thesoundproofwindows.co.uk, 1
+thesoundstageatstrangeland.com, 1
+thespacegame.tk, 1
+thespanishcollection.com, 1
+thespiritfm.tk, 1
+thespoiler.co.il, 1
+thesponsorshipguy.com, 0
+thesportsroom.tv, 1
+thestandards.tk, 1
+thestatementjewelry.com, 1
+thestationatwillowgrove.com, 1
+thestatuspage.com, 1
+thesteins.org, 0
+thestitchynerd.com, 1
+thestockoasis.com, 1
+thestopoff.tk, 1
+thestoragebay.co.uk, 1
+thestore.tk, 1
+thestoryshack.com, 0
+thestral.pro, 1
+thestralbot.com, 1
+thestrangenessofthings.tk, 1
+thestreet.cz, 1
+thestudioslucan.com, 1
+thestudylink.com, 1
+thestyle.city, 1
+thestylebouquet.com, 1
+thesubsequent.com, 1
+thesubstitute.nl, 1
+thesultans.tk, 1
+thesunshinecoasttourcompany.com.au, 1
+thesupersunday.tk, 1
+thesuppercircle.com, 1
+thesupremacyg.com, 1
+thesurgeons.sg, 1
+theswanstation.tk, 1
+theswanwindsor.co.uk, 1
+theswimdoctors.com, 0
+theswissbay.ch, 0
+thetablehuff.com, 1
+thetakeout.com, 1
+thetampariverwalk.com, 1
+thetandd.com, 1
+thetapirsmouth.com, 1
+thetassos.com, 1
+thetattooedpreacher.com, 1
+theteaaffair.com, 1
+theteaguemovie.tk, 1
+thetebodifference.com, 1
+thetechdude.ga, 1
+thetechnicaldost.com, 1
+thetfordtwpmi.gov, 1
+thetfordvt.gov, 1
+thetherapist.tk, 1
+thethinktankpodcast.co, 1
+thethreadsmiths.com.tw, 1
+thethreepercent.marketing, 1
+thethymevortex.zapto.org, 1
+thetinylife.com, 1
+thetipo.eu, 1
+thetipo.it.eu.org, 1
+thetipo01.tk, 1
+thetogbox.cf, 1
+thetomharling.com, 1
+thetopmovie.gq, 1
+thetopsecretepisode.tk, 1
+thetorlock.com, 1
+thetorturedman.com, 1
+thetotalemaildelivery.com, 1
+thetoto.tk, 1
+thetownehub.com, 1
+thetradinghall.com, 0
+thetrafficgeek.com, 1
+thetravel.com, 1
+thetravelczar.com, 1
+thetravelhack.com, 0
+thetravelinstitute.com, 1
+thetravelstylist.nl, 1
+thetreeradio.com, 1
+thetrendingarticle.com, 1
+thetrendspotter.net, 1
+thetropics.tk, 1
+thetrulycharming.com, 0
+thetrustai.com, 1
+thetruthabouthemp.com, 1
+thetubecopenhagen.com, 1
+thetuxkeeper.de, 0
+thetvtraveler.com, 1
+thetwistedrabbit.com, 1
+theudbs.com, 1
+theuhlesteam.com, 1
+theultimateshave.net, 1
+theunbox.com, 1
+theunconventionalconventionists.tk, 1
+theundefeated.com, 1
+theunderzone.tk, 1
+theuneundtheune.de, 1
+theunitedstates.tk, 1
+theuniversallover.tk, 1
+theuniversitiesofasia.ga, 1
+theunleashedpet.com, 1
+theunstudiedyogi.com, 1
+theunwrittenletters.tk, 1
+theupslady.cf, 1
+theupslady.ga, 1
+theurbandecor.com, 1
+theurdubooks.com, 1
+theuucc.org, 0
+thevacuumpouch.co.uk, 1
+thevalleybucketeers.tk, 1
+thevalueofarchitecture.com, 1
+thevanishedvoyager.ml, 1
+thevegcat.com, 1
+theveggietable.com, 1
+thevelvetlove.tk, 1
+thevenueofhollywood.com, 1
+thevern.co.za, 1
+theverybusyoffice.co.uk, 1
+thevetstop.co.uk, 1
+thevillageok.gov, 1
+thevillasatparkaire.com, 1
+thevine.one, 1
+thevintagenews.com, 0
+theviolenceofdevelopment.com, 1
+thevirajshelke.com, 1
+thevirgin.tk, 1
+thevirtualbookkeepers.com, 0
+thevirtualdetective.games, 1
+thevirtualhealingroom.ca, 1
+thevirtualhealingroom.com, 1
+thevirtuousdog.com, 1
+thevisasofoz.com, 1
+thevoga.com, 1
+thevoid.one, 1
+thevolte.com, 1
+thevoya.ga, 0
+thevpsdude.com, 1
+thewagesroom.co.uk, 1
+thewalkerz.tk, 1
+thewallet.today, 1
+thewarehousefellowship.org, 1
+thewatchdog.com.br, 1
+thewaterfront.org.au, 1
+thewaterfrontpoole.com, 1
+thewave.tk, 1
+thewaxhouse.academy, 1
+thewayofislam.ml, 1
+thewayofthedojo.com, 1
+thewaytoyourself.com, 1
+theweakandthestrong.tk, 1
+thewebbogan.com.au, 1
+thewebcully.com, 1
+thewebguru.net, 1
+thewebmasters.tk, 1
+thewebsitemarketingagency.com, 1
+theweddingfit.com, 1
+theweed.tk, 1
+thewest.tk, 1
+thewhiteboxxx.com, 1
+thewhitedog9487.xyz, 1
+thewhitehorses.tk, 1
+thewhiterabbit.space, 1
+thewhitneypaige.com, 1
+thewickedclan.tk, 1
+thewiki.kr, 1
+thewindow.com, 1
+thewindowcleaningexpert.com, 1
+thewindowcleaningexperts.com, 1
+thewindowcleaningexperts.net, 1
+thewindowsclub.com, 1
+thewinedelivery.ga, 1
+thewisdomtrust.org.uk, 1
+thewish.ml, 1
+thewish.tk, 1
+thewolseley.com, 1
+thewombatsict.com.au, 1
+thewomen.tk, 1
+thewomensbusinesscenter.com, 0
+thewoodkid.com.au, 1
+thewoodlandsviplimousine.com, 1
+thewoods.earth, 1
+thewoolroom.com.au, 1
+theworkingeye.nl, 1
+theworksboulder.com, 1
+theworksheets.com, 1
+theworkshop.tk, 1
+theworld.org, 1
+theworld.tk, 1
+theworldaccordingtocathers.com, 1
+theworldexchange.com, 1
+theworldexchange.net, 1
+theworldexchange.org, 1
+theworldsbestmassagechairs.com, 1
+theworldsend.eu, 1
+theworldtakes.tk, 1
+theworser.tk, 1
+thewpskill.com, 1
+thewraithmovie.tk, 1
+thewrenchmonkey.ca, 1
+thewrightflyer.com, 1
+thewritegrl.com, 1
+thewriteress.com, 1
+thexalla.tk, 1
+thexme.de, 1
+thexpert.ml, 1
+theyacht.ga, 1
+theyachtweek.com, 1
+theyakshack.co.uk, 1
+theyarnhookup.com, 0
+theycallmesnail.tk, 1
+theyear199x.org, 1
+theyearinpictures.co.uk, 1
+theyosh.nl, 1
+theysocial.tk, 1
+thezillersathenshotel.com, 1
+thezone.bg, 1
+thfaid.org, 1
+thghosting.com, 1
+thhomes.vn, 1
+thhost.tk, 1
+thiagoalessio.me, 1
+thiagohersan.com, 1
+thiagolosneves.com.br, 1
+thiagoribeiro.ml, 1
+thiasil.com, 1
+thibault-ml.com, 1
+thibaultbaheux.com, 0
+thibaultwalle.com, 1
+thibautcharles.net, 1
+thibautdecherit.fr, 1
+thibierge-associes.notaires.fr, 1
+thichson.vn, 1
+thickassporn.com, 1
+thieme-it.de, 1
+thienduongthoitrang.vn, 1
+thiepcuoidep.com, 1
+thiepxinh.net, 1
+thierryhayoz.ch, 1
+thierrymazue.com, 1
+thierrymazue.fr, 0
+thiesketelsen.de, 0
+thietbithoathiem.net, 1
+thietkegianhangtttm.com, 1
+thijmen.xyz, 1
+thijmendevalk.nl, 1
+thijmenmathijs.nl, 1
+thijmenverveeltzich.nl, 1
+thijs.amsterdam, 1
+thijs.fr, 1
+thijsenarjan.nl, 1
+thijsslop.com, 1
+thijsslop.eu, 1
+thijsslop.nl, 1
+thijsvanderveen.net, 1
+thikkodi.tk, 1
+thilko.com, 1
+thilobuchholz.de, 1
+thimbros.tk, 1
+thimic.net, 1
+thimic.no, 1
+thinair.co, 1
+thinairsolutions.com, 1
+thinegen.de, 1
+thinfilmview.com, 1
+thing.vn, 1
+thingformatter.net, 1
+thingies.site, 1
+thingsandcode.com, 1
+thingsimplied.com, 0
+thingsivesaid.com, 1
+thingsof.org, 1
+thingswithleaves.co.uk, 1
+think-ai.eu, 1
+think-positive-watches.de, 1
+think.law, 1
+thinkbigdobig.tk, 1
+thinkbigjesse.com, 1
+thinkbot.de, 1
+thinkbrands.co.uk, 1
+thinkcash.nl, 1
+thinkcogency.com, 1
+thinkd2s.com, 1
+thinkdata.com.br, 1
+thinkdigital.co.id, 1
+thinkdigital.tk, 1
+thinkel.tk, 1
+thinkelectric.cf, 1
+thinkelectric.gq, 1
+thinkelectric.ml, 1
+thinkfortune.co, 1
+thinkforyourself.tk, 1
+thinkheaddesign.com, 1
+thinkhealing.co.uk, 1
+thinkific.com, 1
+thinkindifferent.net, 1
+thinkingfaith.org, 1
+thinkingliberty.com, 1
+thinkingnull.com, 0
+thinkingplanet.net, 1
+thinkittech.com, 1
+thinkmaking.org, 1
+thinkmarketing.ca, 1
+thinkprocedural.com, 1
+thinktux.net, 1
+thinkwisesoftware.com, 0
+thinwildmercury.com, 1
+thinxtream.com, 1
+thirdbearsolutions.com, 0
+thirdgenphoto.co.uk, 1
+thirdman.auction, 0
+thirdwave.tk, 1
+thirdwaveanalytics.com, 1
+thirdwaverevenue.com, 1
+thirdworld.moe, 1
+thirteen.pm, 1
+thirtysixseventy.ml, 1
+thiruvarur.org, 1
+thiry-automobiles.net, 1
+thisbowin.com, 1
+thiscloudiscrap.com, 0
+thisdayinhockey.tk, 1
+thisdot.site, 1
+thisfreelife.gov, 1
+thishousedoesnotexist.org, 1
+thisis.id, 1
+thisisacompletetest.ga, 1
+thisisamericansoccer.com, 1
+thisisarecording.com, 1
+thisisart.ie, 1
+thisisbenwoo.com, 1
+thisishugo.com, 1
+thisismit.ch, 1
+thisisrapt.com.au, 0
+thisisreno.com, 1
+thisisrye.com, 1
+thisistechtoday.com, 1
+thisistina.nl, 1
+thisistwice.tk, 1
+thisiswhywemom.com, 1
+thismatter.com, 1
+thismatters.agency, 1
+thismumdoesntknowbest.com, 1
+thisquarterly.sg, 1
+thisserver.dontexist.net, 1
+thissimplifiedhome.com, 1
+thistleandleaves.com, 1
+thistom.de, 1
+thisuniverse.tk, 1
+thisyear.jp, 1
+thitat.net, 1
+thn.la, 1
+thoenesfamilierecht.nl, 1
+thok.de, 1
+tholab.io, 1
+tholcomb.com, 1
+thole.org, 1
+thom4s.info, 1
+thomalaudan.de, 1
+thomaner.de, 1
+thomas-bronniart.com, 1
+thomas-grobelny.de, 1
+thomas-leplus.com, 1
+thomas-sammut.com, 1
+thomas-schmittner.de, 1
+thomas-steel.com, 1
+thomas-suchon.fr, 1
+thomas.computer, 1
+thomas.love, 0
+thomas717.com, 1
+thomasbeckers.be, 1
+thomasboosman.com, 1
+thomasbreads.com, 0
+thomascountyne.gov, 1
+thomasdbrown.com, 1
+thomasduerlund.dk, 1
+thomasebenrett.de, 1
+thomasecookedds.com, 1
+thomaseikel.de, 1
+thomaseyck.com, 1
+thomasfoster.co, 1
+thomasgriffin.com, 1
+thomasgriffin.io, 1
+thomashunter.name, 0
+thomaskaviani.be, 1
+thomasleplus.com, 1
+thomasmeester.nl, 0
+thomasmerritt.de, 1
+thomaspic.com, 1
+thomaspluschris.com, 1
+thomasrichter.de, 1
+thomass.tk, 1
+thomastestor.tk, 1
+thomastimepieces.com.au, 1
+thomastonmaine.gov, 1
+thomasvanlaere.com, 1
+thomasverhelst.be, 1
+thomasvochten.com, 1
+thomaswoo.com, 1
+thomien.de, 1
+thompsonfamily.cloud, 1
+thompsonoh.gov, 1
+thomson-mcduffie.gov, 1
+thomsonbaby.com, 1
+thomsonscleaning.co.uk, 1
+thomspooren.nl, 0
+thomwiggers.nl, 1
+thongnhat.com.vn, 1
+thongsokythuat.vn, 1
+thongtinthethao.net, 1
+thooka.com, 1
+thoplam.com, 1
+thor.edu, 1
+thor.re, 1
+thorbes.ga, 1
+thorbiswebsitedesign.com, 1
+thorborg.dk, 1
+thoreau.tk, 1
+thornhillfamilydental.ca, 1
+thornlaw.co.nz, 1
+thorntonnh.gov, 1
+thorntonshvacservice.com, 1
+thoroquel.org, 1
+thoroughbredrecords.com, 1
+thors-hearth.tk, 1
+thorsten-schaefer.com, 1
+thorstenschaefer.name, 1
+thost3.de, 1
+thotcomputed.com, 1
+thotpublicidad.com, 1
+thots.org, 1
+thoughtexchange.ca, 1
+thoughtexchange.com, 1
+thoughtexchange.net, 1
+thoughtfarmer.com, 1
+thoughtleadersnetwork.nl, 1
+thoughtlessleaders.online, 1
+thoughtspot.com, 1
+thoughtsynth.com, 1
+thoughtsynth.net, 1
+thoughtsynth.org, 1
+thoughtworthy.info, 1
+thousandoaksca.gov, 1
+thousandoakselectrical.com, 1
+thousandoaksexteriorlighting.com, 1
+thousandoakslandscapelighting.com, 1
+thousandoakslighting.com, 1
+thousandoaksoutdoorlighting.com, 1
+thowzzy.be, 1
+thoxyn.com, 1
+thpatch.net, 1
+thpay.com, 1
+thprd.gov, 1
+thr-kurd.tk, 1
+threadabead.com, 1
+threadingcentral.com, 1
+threads.net, 1
+threadscircle.com, 1
+threadsdownloader.com, 1
+threadspecification.com, 1
+threadtrails.com, 1
+threadythready.com, 1
+threatcentral.io, 1
+threatcon.at, 1
+threatcon.blog, 1
+threatcon.ch, 1
+threatcon.de, 1
+threatcon.email, 1
+threatcon.eu, 1
+threatcon.io, 1
+threatcon.link, 1
+threatcon.live, 1
+threatcon.media, 1
+threatcon.net, 1
+threatcon.network, 1
+threatcon.online, 1
+threatcon.org, 1
+threatcon.shop, 1
+threatcon.tv, 1
+threatint.at, 1
+threatint.be, 1
+threatint.blog, 1
+threatint.ch, 1
+threatint.cloud, 1
+threatint.co.uk, 1
+threatint.com, 1
+threatint.com.cy, 1
+threatint.cy, 1
+threatint.de, 1
+threatint.dk, 1
+threatint.es, 1
+threatint.eu, 1
+threatint.fr, 1
+threatint.group, 1
+threatint.info, 1
+threatint.it, 1
+threatint.link, 1
+threatint.lu, 1
+threatint.media, 1
+threatint.network, 1
+threatint.nl, 1
+threatint.online, 1
+threatint.org, 1
+threatint.pl, 1
+threatint.pt, 1
+threatint.tv, 1
+threatint.uk, 1
+threatjammer.com, 1
+threatlabs.eu, 1
+threatlabs.nl, 1
+threatmonitor.io, 1
+threatnix.io, 1
+threatobserver.com, 1
+threatutic.gq, 1
+threatworking.com, 1
+three-wheels.cf, 1
+threedpro.me, 1
+threefantasy.com, 1
+threefisheswebdesign.com, 1
+threefortheroad.tv, 1
+threefours.net, 0
+threelions.ch, 1
+threeluck.sg, 1
+threema.ch, 1
+threema.id, 1
+threenorth.com, 1
+threepeakschallenge.org.uk, 1
+threepeakschallenge.uk, 1
+threeper.org, 1
+threepoint.tk, 1
+threeriversopenhouse.com, 1
+threeshield.ca, 1
+threeshield.com, 1
+threesixteen.com.au, 1
+threethirty.gq, 1
+threewire.com, 1
+threexxx.ch, 1
+threv.net, 1
+thriftdiving.com, 1
+thriftywp.com, 1
+thrillernyc.com, 1
+thrillkill.tk, 1
+thriva.co, 1
+thriveansanm.org, 1
+thriveatfive.org.uk, 1
+thriveondev.com, 1
+thriver.com, 1
+thrivetours.ca, 0
+thrivetracker.com, 1
+throckmortoncountytx.gov, 1
+throneofmolok.tk, 1
+throopny.gov, 1
+throttlerz.in, 1
+throughout.ga, 1
+throughtheglass.photo, 1
+throwaway.link, 1
+throwedrolls.com, 1
+throwmails.com, 1
+throwpass.com, 1
+thrustrules.tk, 1
+ths.li, 1
+thsc.us, 1
+thsclothing.com, 1
+thsconstructors.com, 1
+thscpac.org, 1
+thsecurity.cz, 1
+thtcmaps.sa, 1
+thuban.me, 1
+thuenhapho.com, 1
+thues.eu, 1
+thugcityrecords.tk, 1
+thuisverplegingvandermeiren.be, 1
+thuiswinkel.org, 1
+thumbnail-download.com, 1
+thumbnails.jp, 1
+thumbsnap.com, 1
+thumbsupcandy.com, 1
+thumbtack.com, 1
+thumbzilla.com, 1
+thummer.net, 1
+thunderbase.tk, 1
+thunderbolt.tk, 1
+thundercloud.onthewifi.com, 1
+thunderfield-boat.co.uk, 1
+thunderhead.com, 0
+thunderheadjtc.tk, 1
+thunderkeys.net, 1
+thunderstruckfestival.nl, 1
+thundr.eu, 1
+thunis.com, 1
+thunktank.org, 1
+thunraz.com, 1
+thuongluu.vn, 1
+thurmanny.gov, 1
+thurn.net, 1
+thurstonauditor.gov, 1
+thurstoncountyne.gov, 1
+thurstoncountysheriffne.gov, 1
+thurstonwavotes.gov, 1
+thusa.co.za, 1
+thusoy.com, 1
+thuthuatmac.com, 1
+thutm.com, 1
+thutucxuatnhapkhau.net, 1
+thuviensoft.com, 1
+thuviensoft.net, 1
+thuyetphapmoi.com, 1
+thvideo.tv, 1
+thvr.co, 1
+thw-messenger.de, 1
+thwiki.cc, 1
+thwitt.de, 1
+thxandbye.de, 1
+thycotic.ru, 1
+thynx.io, 0
+thyrex.fr, 0
+thyroidheadnecksurgery.com, 1
+thyscalesbalanced.world, 1
+ti-coast.com, 1
+ti-js.com, 1
+ti-nuage.fr, 1
+ti-pla.net, 1
+ti-planet.org, 1
+ti780.com, 1
+tiagocasalribeiro.ml, 1
+tiagomoraismorgado.tk, 1
+tiagomoreira.pt, 1
+tiagoneves.tk, 1
+tiagonunes.pt, 1
+tiagosimao.com, 1
+tiai.cf, 1
+tiai.gq, 1
+tiai.ml, 1
+tiaki.org, 0
+tiamabi.tk, 1
+tiamarcia.com.br, 1
+tian123.com, 1
+tian888.com, 1
+tianbaobo05.com, 1
+tianbaobo06.com, 1
+tianbaobo07.com, 1
+tianbaobo09.com, 1
+tianbo1088.com, 1
+tianbo1988.com, 1
+tianbo1998.com, 1
+tiandixing.org, 1
+tianeptine.com, 1
+tianibeeming.com, 1
+tianjiaxi.com, 1
+tianjinair.com, 1
+tianle.sh, 1
+tianshili.me, 1
+tiantangbt.com, 1
+tianwen.tk, 1
+tianxicaipiao.com, 1
+tianxicaipiao.win, 1
+tianxicp.com, 1
+tianyis.net, 1
+tianyou-ecjtu.com, 1
+tiarap.org, 1
+tiaria.id, 1
+tiaskipin.tk, 1
+tib1.com, 1
+tibber.com, 1
+tibberdev.com, 1
+tibbitshall.ca, 1
+tibc.ch, 1
+tiberian.tk, 1
+tibiarock.tk, 1
+tibinonest.me, 1
+tibipg.com, 1
+tible.com, 1
+tibovanheule.site, 1
+tibovanheule.space, 0
+tibox.cl, 0
+tiburgundysi.ga, 1
+ticalcgames.tk, 1
+ticfleet.com, 1
+tichdiem80.com, 1
+tichieru.pw, 1
+ticinoscout.ch, 1
+tickertable.com, 0
+tickertoolkit.com, 1
+ticket-time.es, 1
+ticketassist.nl, 1
+ticketbahia.com, 1
+ticketcity.com, 1
+ticketfan.es, 1
+tickethut.be, 1
+ticketingforless.com, 1
+ticketix.com, 1
+ticketmaze.com, 1
+ticketpay.jp, 1
+ticketpro.ca, 1
+ticketrestaurant.us, 1
+ticketrunway.com, 1
+tickets2004.tk, 1
+ticketscheapairfare.com, 1
+ticketscheapairline.com, 1
+ticketscheapflights.com, 1
+ticketslover.com, 1
+ticketsolve.com, 1
+ticketsource.co.uk, 1
+ticketsource.eu, 1
+ticketsource.io, 1
+ticketsource.us, 1
+ticketsourcebeta.co.uk, 1
+ticketswap.co, 1
+ticketswap.co.nz, 1
+ticketswap.dk, 1
+ticketswap.fi, 1
+ticketswap.in, 1
+ticketswap.pt, 1
+ticketswap.ru, 1
+tickettailor.com, 1
+ticketunity.com, 1
+ticketure.com, 1
+tickit.ca, 0
+ticktbox.com, 1
+ticnom.com, 1
+tictac.tk, 1
+tictail.com, 1
+tid.jp, 1
+tida.ge, 1
+tidal.ninja, 1
+tidal.zone, 1
+tide.com, 1
+tidecommunity.tk, 1
+tidehunter.ml, 1
+tideritter.de, 1
+tidewaterwebsites.com, 1
+tidimension.tk, 1
+tidit.nl, 1
+tidlook.co.il, 1
+tidy.chat, 1
+tidych.at, 1
+tidycustoms.net, 1
+tidydiary.com, 1
+tie.pub, 1
+tiederavintola.fi, 1
+tieffeservice.it, 1
+tiekoetter.com, 1
+tielectric.ch, 1
+tielsebakkers.tk, 1
+tiempo3.com, 1
+tiempolibre.nl, 1
+tiendabna.com.ar, 1
+tiendacanper.com, 1
+tiendacomprasegura.com, 1
+tiendadatasystem.es, 1
+tiendadeperros.com, 1
+tiendaengeneral.com, 1
+tiendafetichista.com, 1
+tiendamacoco.com.ar, 1
+tiendamagia.com, 1
+tiendamia.co, 1
+tiendamia.com, 1
+tiendamia.com.do, 1
+tiendamia.com.pa, 1
+tiendamia.com.py, 1
+tiendamia.cr, 1
+tiendaregalos.eu, 1
+tiendatecnologica.net, 1
+tiener-herentals.be, 1
+tienerdienst-johanneskapel.tk, 1
+tiengtrungquoc.net, 1
+tienic.com, 1
+tiens-ib.cz, 1
+tier5industries.com, 1
+tierarzt-karlsruhe-durlach.de, 1
+tierarztpraxis-illerwinkel.de, 1
+tieredaccess.com, 1
+tierfaszienation.de, 1
+tiergear.com.au, 1
+tieronegraphics.com, 1
+tierparadies-muhrielle.org, 1
+tierra-indomables.tk, 1
+tierracenter.com, 1
+tierradeayala.com, 1
+tierrahost.com, 1
+tierramarca.com, 1
+tierraprohibida.net, 1
+tierschutz-niederrhein.de, 1
+tiestofan.tk, 1
+tiete.be, 1
+tietew.jp, 1
+tietew.net, 1
+tietotori.fi, 1
+tieulinh.com, 1
+tiew.pl, 0
+tifa-233.com, 1
+tifan.net, 1
+tifaware.com, 1
+tifenn.eu, 1
+tifenn.nl, 1
+tiffanitooley.tk, 1
+tiffany-angel.com, 1
+tiffany-remixed.tk, 1
+tiffany.moe, 1
+tiffanyblooms.ru, 1
+tiffanychristie.ca, 1
+tiffanywatson.xyz, 1
+tiffnix.com, 1
+tiflonet.tk, 1
+tifokaos.tk, 1
+tiftonga.gov, 1
+tig.mr, 1
+tiga-design.com, 1
+tigercam.cl, 1
+tigerconnect.com, 1
+tigerfm.tk, 1
+tigerforce.tk, 1
+tigergraph.com, 1
+tigergroup.tk, 1
+tigernero.duckdns.org, 1
+tigernode.com, 1
+tigernode.net, 1
+tigertonwi.gov, 1
+tigerupload.tk, 1
+tigerzplace.tk, 1
+tiggeriffic.com, 1
+tiggertracks.com, 1
+tiggi.pw, 1
+tightassanal.com, 1
+tightasspics.com, 1
+tightassporntube.com, 1
+tightenthisshitup.com, 1
+tightpussysex.com, 1
+tigit.co.nz, 1
+tiglitub.com, 1
+tigreblanco.tk, 1
+tigzirt.tk, 1
+tihvin.tk, 1
+tii.audio, 1
+tii.party, 1
+tiihosen.fi, 1
+tiim.technology, 1
+tijden.nu, 1
+tijdvoorgeschiedenis.nl, 1
+tijerascreek.com, 0
+tijerasnm.gov, 1
+tijo.ch, 1
+tijoe.net, 1
+tik.edu.ee, 1
+tik.porn, 1
+tiki-god.co.uk, 1
+tiki.id, 1
+tikimpact.com, 1
+tikitak-o-rama.tk, 1
+tikkio.com, 1
+tikklik.nl, 1
+tikona.ga, 1
+tiktak.su, 1
+tiktok.com, 1
+tiktokdownloader.com, 1
+tiktokgirls.live, 1
+tiktokglobalshop.com, 1
+tiktokglobalshopv.com, 1
+tiktokshop.com, 1
+tiktokv.com, 1
+tikun.tk, 1
+tikuter.me, 1
+tilcra.de, 1
+tilde.green, 1
+tilde.institute, 1
+tilde.link, 1
+tildes.net, 1
+tilecleaningservicepros.com, 1
+tileco.ga, 1
+tileflooringideas.gq, 1
+tileflooringideas.ml, 1
+tilellit.pro, 1
+tilers-world.com, 1
+tilesbay.com, 1
+tilietu.com, 1
+tilikum.io, 1
+tilipalvelutuominen.fi, 1
+tilisi.ga, 1
+tilitoimistokota.fi, 0
+tilitoimistopaiva.fi, 1
+tilitoimistosukkela.fi, 1
+tilitop.tk, 1
+till-grossmann.de, 1
+till.fyi, 1
+till.im, 1
+tillamookcounty.gov, 1
+tillberg.us, 1
+tillehus.frl, 1
+tilleysbouncycastles.co.uk, 1
+tillinger.sk, 1
+tillseasyscore.com, 1
+tillwalldrug.com, 1
+tillydesign.com, 1
+tiloschroeder.space, 1
+tilosp.de, 1
+tiltedscalescollective.org, 1
+tiltedwindmillcrafts.com, 1
+tiltedwindmillpress.com, 1
+tilvids.com, 1
+tilysthings.com, 1
+tim-demisch.com, 1
+tim-demisch.de, 1
+tim-demisch.email, 1
+tim-demisch.eu, 1
+tim-lawrence.cf, 1
+tim-niclas-demisch.de, 1
+tim-niclas-demisch.eu, 1
+tim.org.tr, 1
+tim427.net, 0
+timacdonald.me, 1
+timawesomeness.com, 1
+timbarlotta.com, 1
+timbercreekcanyontx.gov, 1
+timberjewelleryboxes.ga, 1
+timberjoineryperth.com.au, 1
+timbishopartist.com, 1
+timbrust.de, 1
+timbuktutimber.com, 1
+timcamara.com, 1
+timco.cloud, 1
+timdebruijn.nl, 1
+timdemisch.de, 1
+timdemisch.email, 1
+timdemisch.eu, 1
+timdemisch.online, 1
+timdoug.com, 1
+time-business.tk, 1
+time-hotel.cf, 1
+time-killers.tk, 1
+time.cy, 1
+time.gov, 1
+time.ly, 1
+time.sh, 1
+time2060.ru, 1
+time22.com, 1
+time2choose.com, 1
+time4writing.com, 1
+timeai.io, 1
+timeauction.hk, 1
+timeblog.org, 1
+timebomb.tk, 1
+timebookings.cf, 1
+timebox.tk, 1
+timebutler.de, 1
+timecamp.com, 1
+timecamp.pl, 1
+timecaptis.com, 1
+timecarrot.tk, 1
+timecheck.tk, 1
+timedin.net, 1
+timefor.tk, 1
+timeglass.de, 1
+timelapsetv.tk, 1
+timeless-photostudio.com, 1
+timeless-spirit.com, 1
+timelesstopiary.com, 1
+timelesstreasures.tk, 1
+timelettings.com, 1
+timelimit.io, 1
+timelost.tk, 1
+timely.fun, 1
+timely.md, 1
+timelybookkeeper.com, 1
+timelycare.com, 1
+timelyprovider.com, 1
+timemuzz.com, 1
+timeneye.com, 1
+timentask.com, 1
+timeout.co.il, 1
+timeoutdoors.com, 1
+timepassengers.tk, 1
+timeprison.tk, 1
+timepro.sk, 1
+timerace.ml, 1
+timeroll.ml, 1
+timersuite.com, 1
+timertomato.com, 1
+timesamui.com, 1
+timesedlen.dk, 1
+timeserver0.de, 1
+timeserver1.de, 1
+timeserver2.de, 1
+timeserver3.de, 1
+timesheet-plugin.herokuapp.com, 1
+timesheetcomics.com, 1
+timeslive.co.ke, 1
+timesloth.io, 1
+timesmarket.org, 1
+timesofisrael.com, 1
+timesofmalta.com, 1
+timespace.eu.org, 0
+timespreader.com, 0
+timeswath.uk, 1
+timeswiki.org, 1
+timetab.org, 1
+timetastic.co.uk, 1
+timetastic.us, 1
+timeticket.eu, 1
+timeticket.nl, 1
+timetotrade.com, 1
+timetravelforum.tk, 1
+timetreeapp.com, 1
+timeular.com, 1
+timewall.de, 1
+timewasters.nl, 1
+timewasters.tk, 1
+timeweb.io, 1
+timewornlit.com, 1
+timfiedler.net, 1
+timgame.tk, 1
+timhieuthuoc.com, 1
+timi-matik.hu, 1
+timich.ga, 1
+timilion.tk, 1
+timing.com.br, 1
+timjk.de, 0
+timm-fensterbau.de, 1
+timm404.de, 1
+timmcclure.ca, 1
+timmerbedrijfpauel.nl, 1
+timmermansadministratie.nl, 0
+timmermens.com, 1
+timmish.de, 1
+timmy.ws, 1
+timmyrs.de, 1
+timnash.co.uk, 1
+timnegocia.com.br, 1
+timniclasdemisch.de, 1
+timniclasdemisch.eu, 1
+timo-viveen.nl, 1
+timochan.cn, 1
+timomontalto.de, 1
+timonenko.cf, 1
+timonline.tk, 1
+timosfoodbar.nl, 1
+timoso.de, 1
+timotheeduran.com, 1
+timothy.tk, 1
+timothybjacobs.com, 1
+timothyyip.photography, 1
+timowi.de, 1
+timoxbrow.com, 0
+timqueen.com, 1
+timroes.de, 1
+timsayedmd.com, 1
+timscheuermann.ddns.net, 1
+timseverien.com, 0
+timstoffel.net, 0
+timtaubert.de, 1
+timtelfer.com, 1
+timtj.ca, 1
+timtom.ga, 1
+timvanban.vn, 1
+timvandekamp.nl, 1
+timvanheusdencoaching.com, 1
+timverhaegh.de, 1
+timvivian.ca, 1
+timweb.ca, 1
+timx.uk, 1
+timysewyn.be, 0
+tin-bao.com, 1
+tina.is, 1
+tina.media, 1
+tinaarenaweb.tk, 1
+tinaevers.com, 1
+tinakay-photography.com, 1
+tinamajorino.tk, 1
+tinandthyme.uk, 1
+tinapoethe.com, 0
+tinastouchmassage.com, 1
+tinclip.com, 1
+tindallriley.co.uk, 1
+tinder.wiki, 1
+tinderphotos.ga, 1
+tineb.be, 1
+tinevogel.dk, 1
+tinf.de, 1
+tinf15b4.de, 1
+tinfoilsecurity.com, 1
+tinfoleak.com, 1
+tingriev.gq, 1
+tinh.work, 1
+tinhchattrangda.vn, 1
+tinhlai.gq, 1
+tinint.com, 1
+tink.network, 1
+tinka.tk, 1
+tinker.career, 1
+tinkerbeast.com, 1
+tinkerbell.space, 1
+tinkerboard.org, 1
+tinkerdifferent.com, 1
+tinkerhost.net, 1
+tinkerliving.com, 1
+tinkerliving.marketing, 1
+tinkuscochabamba.tk, 1
+tinky.tk, 1
+tinlc.org, 1
+tinmarin.org, 1
+tinmouthvt.gov, 1
+tinneke.tk, 1
+tinnhanhvietnam.tk, 1
+tinnitus.tirol, 1
+tinobeth.com, 1
+tinonawall.co.uk, 1
+tintamas.tk, 1
+tinte24.de, 1
+tintenfix.net, 1
+tintiger.com, 1
+tintoria.roma.it, 1
+tintuonmobile.tk, 1
+tinturanaturale.it, 1
+tiny-house.ro, 1
+tiny-img.com, 1
+tiny-tattoos.tk, 1
+tiny.ee, 1
+tiny777.com, 1
+tinyarcademachines.com, 1
+tinychen.com, 1
+tinycrm.pl, 1
+tinydogllc.com, 0
+tinydogs.ga, 1
+tinyemily.com, 1
+tinyfont.cf, 1
+tinyfont.ml, 1
+tinyguitars.tk, 1
+tinyhouse-bimify.fr, 1
+tinyhousebarat.com, 1
+tinyhousebarat.de, 1
+tinyhousefinance.com.au, 1
+tinyhouseprojects.be, 1
+tinyhouseturkiye.com.tr, 1
+tinylan.com, 1
+tinylink.cf, 1
+tinylotta.com, 1
+tinypic.host, 1
+tinyproxy.cf, 1
+tinyproxy.ga, 1
+tinyradiance.com, 1
+tinyspeck.com, 1
+tinyssh.com, 1
+tinyssh.org, 1
+tinytanuki.com, 1
+tinytownsoftplay.co.uk, 1
+tinytwitter.io, 1
+tinyurl.com, 1
+tinyvpn.org, 1
+tio.run, 1
+tiogacountyny.gov, 1
+tiolou.com.br, 1
+tipi.jp, 1
+tipiakers.club, 1
+tiplanet.org, 1
+tiplitskymd.com, 1
+tipmexico.com, 1
+tipnews.tk, 1
+tipo01.tk, 1
+tipocloud.cf, 1
+tipoftheday.tips, 1
+tipplist.com, 1
+tipps-fuer-den-haushalt.de, 1
+tipranks.com, 1
+tips4gamers.com, 1
+tips4india.tk, 1
+tipsacademicos.com, 1
+tipsfinal.tk, 1
+tipsforgamers.com, 1
+tipskanalen.cf, 1
+tipslifetimefitness.ga, 1
+tipslifetimefitness.gq, 1
+tipsmake.com, 1
+tipsoftech.tk, 1
+tipsplants.com, 1
+tipstersweb.com, 1
+tipsypresent.com, 1
+tiptop.cloud, 1
+tiptoptransmissions.com, 1
+tiptopusholdings.com, 1
+tipulnagish.co.il, 1
+tipwin.com, 1
+tipwin.de, 1
+tipydokasina.cz, 1
+tiqets.com, 0
+tir-mauperthuis.fr, 1
+tiraloche.com, 1
+tirana-chat.tk, 1
+tirandoalplato.tk, 1
+tirapan.top, 1
+tiraspol.tk, 1
+tircentrale.net, 0
+tirebichon.eu, 1
+tiremart.com, 1
+tirflesia.it, 1
+tirgar.org, 1
+tirgul-vertiujeni.tk, 1
+tirion.network, 0
+tirion.org, 0
+tirionnetwork.de, 1
+tirlins.com, 1
+tiroler-kupferschmiede.com, 1
+tirteafuera.tk, 1
+tirupatinightwear.co.in, 1
+tis.rs, 1
+tischlerei-klettke.de, 1
+tisec.info, 1
+tishomingo.news, 1
+tisina.org, 1
+tiski-shop.ru, 1
+tisknunahadry.cz, 1
+tism.in, 1
+tisparking.com, 1
+tissus-paris.com, 1
+tisvapo.it, 1
+tit-cdn.de, 1
+tit-dev.de, 1
+tit-dns.de, 1
+tit-mail.de, 1
+tit.systems, 1
+titahibayresidents.org.nz, 1
+titanandco.com, 1
+titandirect.co.uk, 1
+titanfile.com, 1
+titanicauto.ro, 1
+titaniumconsulting.co.uk, 1
+titantax.com, 1
+titantrades.com, 1
+titantrading.com.au, 1
+titanwaterproofing.com.au, 1
+titanyumkaplama.com, 1
+titelseite.ch, 1
+titiansgirl.com, 1
+titiansgirlphotography.com, 1
+titina.tk, 1
+titivoot.tk, 1
+titlecan.cn, 1
+titlecan.eu.org, 1
+titlecan.ru, 1
+titli.fr, 1
+titom.me, 1
+titomweb.fr, 1
+titouan.co, 0
+titser.ph, 1
+tittelbach.at, 1
+tittlelawgroup.com, 1
+tittlelawgroup.net, 1
+titulares.ar, 0
+titularizadora.com, 1
+titulosuniversitariosalaventa.com, 1
+titusetcompagnies.net, 0
+titusvillepapd.gov, 1
+tivido.nl, 1
+tivit-chill.partners, 1
+tivit-focus-partners.com, 1
+tiwilandcouncil.com, 1
+tixeconsulting.com, 1
+tixel.com, 1
+tixify.com, 1
+tixtips.com, 1
+tiyee.net, 1
+tizen-ru.tk, 1
+tizimin.tk, 1
+tizreu.xyz, 1
+tjampoer.com, 1
+tjbarn.es, 1
+tjebben.tech, 1
+tjgrant.com, 1
+tjian.info, 1
+tjkebayi.com, 1
+tjl.rocks, 0
+tjmarron.co.uk, 1
+tjongeling.tk, 1
+tjpiezo.com, 1
+tjplabs.com, 1
+tjrapid.sk, 1
+tjro.jus.br, 1
+tjsky.net, 0
+tjtechofficial.ga, 1
+tju.me, 1
+tjupt.org, 1
+tjurun.ga, 0
+tjxcanada.ca, 1
+tjxxzy.com, 1
+tjzzz.com, 1
+tk-its.net, 1
+tk-its.org, 1
+tk2net.com, 1
+tkacz.pro, 1
+tkafinearts.net, 1
+tkanemoto.com, 0
+tkanix.ru, 1
+tkarstens.de, 1
+tkcafe.net, 1
+tkcaninetraining.com, 1
+tkd-itf.tk, 1
+tkddn.com, 1
+tkgpm.com, 1
+tkhirianov.tk, 1
+tkhsurgery.com, 1
+tki.jp, 1
+tkiely.net, 1
+tkirch.de, 1
+tklm.pl, 1
+tkmr-gyouseishosi.com, 1
+tkn.me, 1
+tkonstantopoulos.tk, 1
+tkpayrollsolutions.com, 1
+tksainc.com, 1
+tkts.cl, 1
+tkwataneya.tk, 1
+tkwhongkong.tk, 1
+tl.gg, 1
+tlach.cz, 1
+tlanyan.pp.ua, 1
+tlc-environmental.co.uk, 1
+tlca.org, 1
+tlcinteriors.com.au, 1
+tlctrades.com, 1
+tldata.co, 1
+tldplaza.com, 1
+tldrtips.com, 1
+tldtattoo.com, 1
+tlehseasyads.com, 1
+tleng.de, 1
+tleplus.com, 1
+tlercher.de, 1
+tlicycling.com, 1
+tlingitandhaida.gov, 1
+tljcw.com, 1
+tlmedia.online, 1
+tlmicorp.com, 1
+tln.lib.ee, 1
+tlo.xyz, 1
+tloschinski.de, 1
+tloxygen.com, 1
+tloxygen.us, 1
+tlpn.eu, 1
+tlroadmap.io, 1
+tls-proxy.de, 1
+tls.builders, 1
+tls.care, 0
+tls.support, 1
+tlsbv.nl, 1
+tlsdane.com, 1
+tlsinspector.com, 1
+tlsmail.cc, 1
+tlsrobot.se, 1
+tlumaczenie.com, 1
+tlv77.net, 1
+tlyphed.net, 1
+tlys.de, 0
+tm-its.com, 1
+tm-sydney.au, 1
+tm-t.ca, 1
+tm2ts.com, 1
+tm80plus.com, 0
+tmachinery.cz, 1
+tmadev.com.au, 1
+tmartravel.com, 1
+tmatrack.com, 1
+tmbcloud.duckdns.org, 1
+tmberg.cf, 1
+tmberg.eu.org, 1
+tmberg.ga, 1
+tmberg.gq, 1
+tmberg.ml, 1
+tmberg.se.eu.org, 1
+tmberg.tk, 1
+tmbergtmberg.cf, 1
+tmbergtmberg.ga, 1
+tmbergtmberg.gq, 1
+tmbergtmberg.ml, 1
+tmbergtmberg.tk, 1
+tmbservis.cz, 1
+tmc.com.ar, 1
+tmc.com.mt, 1
+tmcjobs.com, 1
+tmcreationweb.com, 1
+tmcrew.org, 1
+tmdb.biz, 1
+tmdmotorhomes.com, 1
+tmeoworld.tk, 1
+tmf.ru, 1
+tmhanoi.com, 1
+tmhr.moe, 1
+tmi-products.eu, 1
+tmi-produkter.se, 1
+tmin.cf, 1
+tmindustrial.com.br, 1
+tmirz.ml, 1
+tmj4.com, 1
+tmm.cx, 1
+tmmapps.com, 1
+tmobilethuis.nl.eu.org, 1
+tmp.sx, 1
+tmpcdn.xyz, 1
+tmpraider.net, 1
+tmpsantos.com.br, 1
+tmpwn.com, 1
+tmredondela.tk, 1
+tmryan.co.uk, 1
+tmshea.com, 1
+tmstats.fr, 1
+tn-bb.com, 1
+tn.fo, 1
+tn0.club, 1
+tnb-plattform.de, 1
+tncrtinfo.com, 1
+tndagc.gov, 1
+tndentalwellness.com, 1
+tnes.dk, 1
+tnmsc.com, 1
+tnonline.net, 1
+tnosha.gov, 1
+tnpds.org.in, 1
+tnrealid.gov, 1
+tnrf.eu, 1
+tnskvi.tk, 1
+tnsos.gov, 1
+tnt-21.com, 1
+tnt.construction, 0
+tnt2k.de, 1
+tntbooks.ca, 1
+tntmobi.com, 1
+tntuservices.com, 1
+tntware.com, 1
+tnurocancer.com, 1
+tnusedoil.gov, 1
+tnutoys.com, 1
+tnved2013-narod.tk, 1
+tnwgrc.com, 1
+tnwildlandfire.gov, 1
+tnwioa.gov, 1
+to-med.ru, 1
+to-ya.jp, 1
+to.cm, 1
+to.gt, 1
+to.md, 1
+to4ka.md, 0
+toabaja.com, 1
+toabr.de, 1
+toad.ga, 1
+toade.com, 1
+toadox.com, 1
+toaks.gov, 1
+toastmasters.tk, 1
+toastrye.com, 1
+toaw.de, 1
+tob-rulez.de, 1
+tobacco.gov, 1
+tobaccolocker.com, 1
+tobbro-trans.de, 1
+tobedo.net, 1
+toberdyne.net, 1
+tobevictorious.com, 1
+tobi-mayer.de, 1
+tobi-server.goip.de, 1
+tobi-videos.goip.de, 1
+tobiaalberti.com, 1
+tobias-bauer.de, 1
+tobias-bauer.eu, 1
+tobias-bauer.fr, 1
+tobias-bauer.net, 1
+tobias-haenel.de, 1
+tobias-kleinmann.de, 1
+tobias-kluge.com, 1
+tobias-olbrich.de, 1
+tobias-picha.de, 1
+tobias-weidhase.de, 1
+tobias.gr, 1
+tobias4.ddns.net, 1
+tobiasbrunner.net, 1
+tobiasconradi.com, 1
+tobiase.de, 1
+tobiasfischer.info, 1
+tobiashorvath.com, 1
+tobiashorvath.de, 1
+tobiashorvath.net, 1
+tobiashorvath.org, 1
+tobiaskorf.de, 1
+tobiasmanske.de, 1
+tobiaspahlings.de, 1
+tobiaspreis.com, 1
+tobiaspreis.de, 1
+tobiassachs.cf, 1
+tobiassachs.de, 1
+tobiassachs.tk, 1
+tobiassattler.com, 1
+tobiaswiese.com, 1
+tobiaswiese.eu, 1
+tobiaswiese.net, 1
+tobiaswiese.org, 1
+tobiaswiese.work, 1
+tobiefornerod.ch, 1
+tobiichi3227.ddns.net, 1
+tobiichi3227.eu.org, 1
+tobinc.ddnss.de, 1
+tobis-rundfluege.de, 1
+tobis.cloud, 1
+tobischo.de, 1
+tobnm.gov, 1
+tobruxo.com.br, 1
+tobtennis.tk, 1
+toby.website, 1
+toby3d.me, 1
+tobyalden.com, 1
+tobyschrapel.com, 0
+tobyx.cc, 1
+tobyx.co, 1
+tobyx.com, 1
+tobyx.de, 1
+tobyx.eu, 1
+tobyx.is, 1
+tobyx.me, 1
+tobyx.net, 1
+tobyx.ooo, 1
+tobyx.org, 1
+tobyx.xyz, 1
+tocasoft.co.uk, 1
+tocco.ch, 1
+tochi-urikata.net, 1
+tochified.com, 1
+tochinoki.co.jp, 1
+tocho-america.com, 1
+tocomtulio.com, 1
+toconnect.me, 1
+todacarreira.com, 1
+todaciencia.com, 1
+todamateria.com, 1
+todamateria.com.br, 1
+todapolitica.com, 1
+todaslascafeteras.com, 1
+todasnoticias.pt, 1
+today.it, 1
+todayer.ru, 1
+todayfashion.info, 1
+todayfinance.news, 1
+todayfinancial.news, 1
+todayhap.net, 1
+todayjobs.pk, 0
+todaylearn.tk, 1
+todaymeow.com, 1
+todayprice.ga, 1
+todaysbestinsurance.com, 1
+todaysparent.com, 1
+todayupdates.ga, 1
+toddcullumresearch.com, 1
+toddexler.com, 1
+toddlerleaf.com, 1
+toddmclauchlin.cf, 1
+toddmclauchlin.ga, 1
+toddmclauchlin.ml, 1
+toddmissiontx.gov, 1
+toddvbanks.com, 1
+todeva.com, 1
+todo-securitywerkstuk.azurewebsites.net, 1
+todo.is, 0
+todobus.tk, 1
+todobuscadores.tk, 1
+todocracy.com, 1
+todocruces.com, 1
+tododescarga.tk, 1
+todoescaperooms.com, 1
+todoescine.com, 1
+todofadingsuns.tk, 1
+todofiesta.com.ar, 1
+todohealth.com, 1
+todoinfo.tk, 1
+todoist.com, 1
+todoist.help, 1
+todoist.net, 1
+todokete.ga, 1
+todolex.tk, 1
+todon.fr, 1
+todoporjesus.net, 1
+todoscheduler.de, 1
+todoscheduler.org, 1
+todoscomciro.com, 1
+todoseaprende.com, 1
+todosquerem.uno, 1
+todosrv.com, 1
+todotiendas.tk, 1
+toeglhofer.at, 1
+toeightycountries.com, 1
+toekomstperspectief.be, 1
+toepferei-langerwehe.de, 1
+toerschaatsenknsb.nl, 1
+toetsplatform.be, 1
+toeverynation.com, 1
+tofa-koeln.de, 1
+tofe.io, 1
+tofilmhub.com, 1
+tofliving.nl, 1
+toftered.se, 0
+tofu.cf, 1
+tofu.kim, 1
+tofuixi.com, 1
+together.gov, 1
+togetherplanning.com, 0
+togetherprice.com, 1
+togetter.com, 1
+togglename.ml, 1
+toggtr.net, 1
+togoweed.co, 1
+togtider.dk, 1
+toh25unblocked.tk, 1
+toheb.de, 0
+tohevn.tk, 1
+toho-tk.com, 1
+tohofc.co.jp, 1
+tohoku-fukushi.com, 1
+tohokufd.com, 1
+toila.best, 1
+toileobscure.fr, 1
+toilet-guru.com, 1
+toimitaax.fi, 1
+toipa.org, 1
+tojeit.cz, 1
+tojevune.cz, 1
+tok4.com, 1
+tokaido-kun.jp, 1
+tokaido.com, 1
+tokaishishisetsukanrikyokai.jp, 1
+tokarconsulting.com, 1
+tokathaberleri.tk, 1
+tokdeccor.com.br, 1
+tokelaunso.tk, 1
+token.im, 1
+tokenizedhq.com, 1
+tokenlon.im, 0
+tokenoftrust.com, 1
+tokens.net, 1
+toki-doki.tk, 1
+tokic.hr, 0
+tokidoki.team, 1
+tokimeko.jp, 0
+tokinoha.net, 1
+tokinohikari.com, 1
+tokinokakehashi.com, 1
+tokinosasae.com, 1
+tokio.fi, 1
+tokiohotel-world.tk, 1
+tokiohotelcroatia.tk, 1
+tokka.com, 1
+tokke.dk, 1
+tokkee.org, 1
+tokky.be, 1
+tokky.eu, 1
+tokky.fr, 1
+tokoangga.com, 1
+tokobelibeli.com, 1
+tokobungaasryflorist.com, 1
+tokobungadilampung.com, 1
+tokocuan.id, 1
+tokoindo.top, 1
+tokokujogja.com, 1
+tokomoto-w.com, 1
+tokopedia.ga, 1
+tokosehatselalu.com, 1
+toku.co, 0
+tokugai.com, 1
+tokusatsunetwork.com, 1
+tokyo-city.ru, 0
+tokyo-co2down.jp, 1
+tokyo-hotel.tk, 1
+tokyo-onkyo.jp, 1
+tokyo-powerstation.com, 1
+tokyoadultguide.com, 1
+tokyodenmarkweek.com, 1
+tokyomakino.com, 1
+tokyosaviva.com, 1
+tokyotalk.tk, 1
+tokyotimeline.com, 1
+tokyu-hoken.co.jp, 1
+tolartx.gov, 1
+tolas.lt, 1
+tolboe.com, 1
+toldos-en-stock.es, 1
+toldosecoberturasbh.com.br, 1
+toldst.dk, 1
+toledo.tk, 1
+toledoappraiser.com, 1
+toledoclassifieds.net, 1
+toledoescorts.net, 1
+toledohydraulic.com, 1
+tolerance-zero.tk, 1
+toleressea.fr, 1
+toles-sur-mesure.fr, 1
+tolgacankurt.com, 1
+tolibanana.com, 1
+tolkienfans.tk, 1
+tolkienlibrary.com, 1
+tolkienmusic.tk, 1
+tolkienwiki.ml, 1
+tolkovanie-sna.tk, 1
+tollandct.gov, 1
+tolle-wolke.de, 0
+tollerunterricht.com, 1
+tollfreeproxy.com, 1
+tollmanz.com, 0
+tolls.eu, 1
+tollsjekk.no, 1
+tollywood.ga, 1
+tolmaidis.com, 1
+tolmandrywall.com, 0
+tolnavar.hu, 1
+tolstoevsky.tk, 1
+tolucreaciones.com, 1
+tom-bmx.com, 1
+tom-crowley.co.uk, 1
+tom-geiger.de, 1
+tom-hanks.tk, 1
+tom-kunze.de, 1
+tom-kurka.cz, 1
+tom.je, 1
+tom0907.eu, 1
+tomabrafix.de, 1
+tomacino.de, 1
+tomaempleo.com, 1
+tomahawkwi.gov, 1
+tomahwi.gov, 1
+toman.rs, 1
+toman.sk, 1
+toman.su, 1
+tomandmara.com, 1
+tomandshirley.com, 1
+tomarlacalle.com, 1
+tomarnarede.pt, 0
+tomartv.pt, 1
+tomasa.cc, 1
+tomasdrtina.cz, 1
+tomashejatko.cz, 1
+tomashouzvicka.pl, 1
+tomasjacik.cz, 1
+tomaskavalek.cz, 0
+tomasmatulevicius.lt, 1
+tomasmoberg.org, 1
+tomasvecera.cz, 0
+tomaszdwornicki.net, 1
+tomatis-nantes.com, 1
+tomatofrogs.com, 1
+tomatohq.com, 1
+tomaz.eu, 1
+tomba.io, 1
+tombaker.me, 0
+tombclan.ga, 1
+tombeantx.gov, 1
+tombolaarcade.co.uk, 1
+tomboonen.tk, 1
+tomboy.org, 1
+tombrossman.com, 1
+tombu.biz, 0
+tombu.info, 0
+tombu.org, 0
+tombu.xyz, 0
+tomcat.ml, 1
+tomchen.org, 1
+tomco-corporation.tk, 1
+tomcort.com, 1
+tomd.ai, 1
+tomdapice.com, 1
+tomdougiamas.com, 1
+tomdudfield.com, 1
+tomend.es, 1
+tomfelton.tk, 1
+tomff.com, 1
+tomfisher.eu, 1
+tomfun.co, 1
+tomgaddis.com, 1
+tomgaechter.ch, 1
+tomget.tk, 1
+tomharling.co.uk, 1
+tomharling.uk, 1
+tomhol.cz, 1
+tomi.ai, 1
+tomi.cc, 1
+tomica.me, 1
+tomik.cloud, 1
+tomik.fun, 1
+tomikoyco.com, 1
+tomiler.com, 1
+tominysun.com, 1
+tomjans.nl, 1
+tomjepp.uk, 1
+tomjn.com, 1
+tomkempers.nl, 1
+tomkleinit.de, 1
+tomkompserwis.pl, 1
+tomkunze.de, 1
+tomkwok.com, 0
+tomlehrersongs.nl, 1
+tomli.blog, 1
+tomm.yt, 1
+tomma.tk, 1
+tommic.eu, 0
+tommihynynen.com, 1
+tommy-bordas.fr, 0
+tommybrown.ru, 1
+tommycarrauto.com, 1
+tommyemo.com, 1
+tommyemo.net, 1
+tommymoya.tv, 1
+tommypa.se, 1
+tommypalarsson.com, 1
+tommypalarsson.se, 1
+tommyphotographie.com, 0
+tommys.com, 1
+tommytran.io, 1
+tomnatt.com, 1
+tomo.gr, 0
+tomoarigato.com, 1
+tomodachi.tk, 1
+tomoko-clinic.jp, 1
+tomorrow-traxx.tk, 1
+tomorrow.one, 1
+tomosm.net, 1
+tomoveornot.de, 1
+tomp2p.net, 1
+tomphenix.com, 1
+tomphill.co.uk, 0
+tomravinmd.com, 1
+tomrei.com, 1
+tomrichards.net, 1
+tomrunting.pro, 1
+toms.ovh, 1
+tomschlick.com, 1
+tomsdevsn.me, 1
+tomsick.it, 1
+tomsk.cf, 1
+tomsk.ml, 1
+tomsk24.tk, 1
+tomsk365.ga, 1
+tomsknet.tk, 1
+tomsknews.tk, 1
+tomslawadvice.com, 1
+tomsoft.hr, 1
+tomspdblog.com, 1
+tomssite.tk, 1
+tomssl.com, 1
+tomstew.art, 1
+tomtelist.tk, 1
+tomthorogood.co.uk, 1
+tomthorogood.net, 1
+tomthorogood.uk, 1
+tomticket.com, 1
+tomudding.nl, 1
+tomvanlaer.be, 1
+tomvannoppen.tk, 1
+tomvst.net, 1
+tomwassenberg.com, 1
+tomwassenberg.nl, 1
+tomwellington.design, 1
+tomwilson.io, 0
+tomwither.com, 1
+tomy.co.za, 1
+tomyork.net, 1
+tonabor.ru, 1
+tonage.de, 1
+tonarinoliusan.com, 1
+tonarinoliusan.net, 1
+tonasketwa.gov, 1
+tonaton.com, 1
+tonazo.tk, 1
+tonburi.jp, 0
+toncusters.nl, 1
+tondles.com, 1
+tone-town.com, 1
+toneelaccent.tk, 1
+tonegidoarchief.nl, 1
+tonemadison.com, 0
+toner24.at, 1
+toner24.co.uk, 1
+toner24.es, 1
+toner24.fr, 1
+toner24.it, 1
+toner24.nl, 1
+toner24.pl, 1
+tonerdepot.de, 1
+tonerjet.at, 1
+tonerjet.co.uk, 1
+tonerklick.de, 1
+tonerkurier.de, 1
+tonermaus.de, 1
+tonermonster.de, 1
+tonex.de, 1
+tonex.nl, 1
+tongkhothanhly.com, 1
+tongli.eu.org, 1
+tonguetechnology.com, 1
+toni-dis.ch, 0
+toniduarte.tk, 1
+tonies.com, 1
+tonifarres.net, 1
+tonifix.fi, 1
+tonight.de, 1
+tonik.tk, 1
+tonimorena.net, 1
+tonkawaok.gov, 1
+tonkayagran.ru, 1
+tonnycat.com, 1
+tono.us, 1
+tonorosario.tk, 1
+tonshaiza.tk, 1
+tonsil-stone.com, 1
+tonsillar-stones.com, 1
+tonsit.com, 1
+tonsit.org, 0
+tonton.cf, 1
+tontonan.gq, 1
+tontonnews.net, 1
+tontonroger.org, 1
+tony-foster.co.uk, 1
+tonyandskye.com, 1
+tonyarcieri.com, 1
+tonydaquin.com, 1
+tonyfanningphotography.co.uk, 1
+tonygallo.tk, 1
+tonyhagerlund.tk, 1
+tonykadleck.com, 1
+tonykarbo.tk, 1
+tonymanning.com, 1
+tonyonsecurity.com, 1
+tonysantos.tk, 1
+tonytan.cn, 1
+tonytan.io, 1
+tonytan.net, 1
+tonyw.xyz, 1
+tonywebster.com, 1
+too.com.ua, 1
+too.gy, 1
+tooadalsauda.kz, 1
+toob.fr, 1
+toobi.co.uk, 1
+toobug.net, 0
+tooelecity.gov, 1
+tooelecountyvotes.gov, 1
+toofab.com, 1
+tooij.com, 1
+tookan.tech, 1
+tookhan.tk, 1
+tool.lu, 1
+toolbox.ninja, 0
+toolboxsoftware.tk, 1
+toolecountysheriffmt.gov, 1
+toolineo.de, 1
+toolip.gr, 1
+toolkits.design, 1
+toolminer.com, 1
+toolroomrecords.com, 1
+tools-services.com.co, 1
+tools.pro, 1
+tools4me.win, 0
+toolsa.bg, 1
+toolsbit.com, 1
+toolsense.io, 1
+toolset.com, 1
+toolsforbiblestudy.com, 1
+toolspain.tk, 1
+toolsu.com, 1
+toolzone.cz, 1
+toom.io, 1
+toomanymallards.com, 1
+toomy.ddns.net, 1
+toomy.pri.ee, 1
+toon.at, 1
+toon.style, 1
+tooncastle.tk, 1
+toondah.com.au, 1
+toondahjobs.com.au, 1
+toondergroup.com, 1
+toonetcreation.com, 1
+toonict.nl, 1
+toonmate.tk, 1
+toonpool.com, 1
+toonsburgh.com, 1
+toontown.team, 1
+toontownrewritten.com, 1
+toool.nl, 1
+toool.nyc, 1
+toool.org, 1
+toopita.com, 1
+toopopular.ga, 1
+toot.community, 0
+toot.haus, 1
+tootbitco.ml, 1
+toothimplantsydney.com.au, 1
+toothless.tk, 1
+toothpique.tk, 1
+toothsearch.tk, 1
+tooti.biz, 1
+tootl.org, 1
+tootsi.edu.ee, 1
+tootsiewootsies4d.com, 1
+toowoombawebdesign.com.au, 1
+top-aanbiedingen.nl, 1
+top-avis.fr, 1
+top-azia.ru, 1
+top-b.net, 1
+top-beauty.cf, 1
+top-casinos.ru, 1
+top-credit.tk, 1
+top-dance.pl, 1
+top-drop.tk, 1
+top-frog.com, 1
+top-info.ga, 1
+top-koupelny.cz, 1
+top-kuwait.com, 1
+top-melody.ru, 1
+top-messenger.com, 1
+top-mining.tk, 1
+top-model.biz, 1
+top-obaly.cz, 1
+top-opakowania.pl, 1
+top-pansionaty.ru, 1
+top-rensner.de, 1
+top-rezepte.de, 1
+top-russian.tk, 1
+top-schools.tk, 1
+top-secret.tk, 1
+top-seminaire.com, 1
+top-service.ml, 1
+top-skins.ml, 1
+top-super-60.ag, 1
+top-super-60.biz, 1
+top-super-60.com, 1
+top-super-60.de, 1
+top-super-60.eu, 1
+top-super-60.info, 1
+top-super-60.net, 1
+top-super-60.org, 1
+top-verhandlungstraining.de, 1
+top-vlm.de, 1
+top-zdrave.bg, 1
+top-zentr.tk, 1
+top.ax, 1
+top1.com.vn, 0
+top10-casinosites.net, 1
+top10.tk, 1
+top100games.ml, 1
+top10antivirus.review, 1
+top10directory.tk, 1
+top10list.tk, 1
+top10llcformationsites.com, 1
+top10media.tk, 1
+top10mountainbikes.info, 1
+top1health.com, 1
+top4shop.de, 1
+top5melhorescursosdedrone.com, 1
+topa.tk, 1
+topagrar.com, 1
+topan.tk, 1
+topandtrending.com, 1
+topanimecharacters.com, 1
+topanlage.de, 1
+toparkinfo.hu, 1
+topas.tk, 1
+topaxi.codes, 0
+topbloc.com, 1
+topbookmarking.cf, 1
+topbouncycastles.co.uk, 1
+topbrasilnews.tk, 1
+topbrunchspots.com, 1
+topbuild.com, 1
+topbusiness.tk, 1
+topbusinesshero.com, 1
+topbusinessnews.today, 1
+topbussines.tk, 1
+topcameras.tk, 1
+topcarehvac.ca, 1
+topcash.co.il, 1
+topcasinobonus.nu, 1
+topchinasupplier.com, 1
+topciderska-crkva.rs, 1
+topclan.tk, 1
+topclassfun.ie, 1
+topcoffee.cf, 1
+topcompany.be, 1
+topcomputacion.com.ar, 1
+topconteudos.com.br, 1
+topconteudos.shop, 1
+topcover.cz, 1
+topdesignfirms.com, 1
+topdesk.net, 1
+topdetal.ru, 1
+topdetoxcleanse.com, 1
+topdoctors.co.uk, 1
+topdoctors.es, 1
+topdoctors.it, 1
+topdocumentaryfilms.com, 1
+topdogsinflatables.co.uk, 1
+topdomainsandhosting.com, 1
+topdosug.ml, 1
+topdroneusa.com, 1
+topeducationhelp.co, 1
+topekafoundationpros.com, 1
+topendcamphire.com.au, 1
+toperadigital.com, 1
+topesdegama.com, 1
+topeyechang.com.tw, 1
+topfd.net, 1
+topferta.com, 1
+topfinanzas.com, 1
+topfiremedia.com, 1
+topfivepercent.co.uk, 1
+topfood.club, 1
+topfreeporn.com, 1
+topgallant.gq, 1
+topgevelbekleding.nl, 1
+topgrading.com, 1
+topgshop.ru, 1
+toph.co, 1
+tophat.studio, 1
+tophatpuffin.com, 0
+tophighnorldiet.gq, 1
+tophomeappliancerepair.com, 1
+tophr.kz, 1
+topicalnet.de, 1
+topicdesk.com, 1
+topicit.net, 1
+topicpoint.tk, 1
+topicpulse.tk, 1
+topicv.com, 0
+topideipodarkov.ru, 1
+topitalianscientists.org, 1
+topjeans.ga, 1
+topjobs.ch, 1
+topknot.gq, 1
+topkorea.ml, 1
+toplevel.nl, 1
+topline.com.sa, 1
+toplink.co.il, 1
+toplist.cz, 1
+toplist.eu, 1
+toplist.sk, 1
+topliste.tk, 1
+toplistforum.tk, 1
+toplockshop.com, 1
+topluxitalia.com, 1
+topmachstudios.com, 1
+topmanitas.es, 1
+topmaxstore.com, 1
+topmba.com.au, 1
+topmmogames.org, 1
+topmoods.com, 1
+topmotoric.com, 1
+topmovie.gq, 1
+topmuzic.tk, 1
+topmuzika.cz, 1
+topmuzika.sk, 1
+topnado.tk, 1
+topnet.tk, 1
+topnews.gq, 1
+topnews333.cf, 1
+topnews333.tk, 1
+topnlist.com, 1
+topnoshgourmet.com, 1
+topnotchendings.com, 1
+topo.com.ro, 1
+topodin.com, 1
+topofart.com, 1
+topofertas.tk, 1
+topofficesupplies.tk, 1
+topofthefreegames.ml, 1
+topographic.tk, 1
+toponlinecasino.be, 1
+toponlinecasinosites.co.uk, 1
+toponlinemarketing.tk, 1
+topophile.net, 1
+topoptics.com.ua, 1
+topotom.tk, 1
+topporn.me, 1
+topppinfo.com, 1
+topprice.ua, 1
+topproductsanalysis.com, 1
+topprogaragedoor.com, 1
+toppsnfts.com, 1
+toppstugansundbyberg.se, 1
+topradiosbrasil.tk, 1
+toprci.com.br, 1
+topreit.ru, 1
+toprelatos.com, 1
+topsailbeachnc.gov, 1
+topsailtechnologies.com, 1
+topseo.gq, 1
+topservercccam.com, 1
+topservercccam.tv, 1
+topservers.ga, 1
+topsexik.cz, 1
+topshelf.tech, 0
+topshop.tk, 1
+topshoptools.com, 1
+topsights.org, 1
+topsmartdesign.com, 1
+topsnow.ru, 1
+topspace.tk, 1
+topspani.cz, 1
+topspin.tk, 1
+topsport.bg, 1
+topsteroidsonline.com, 1
+topstuffz.com, 1
+topsuper60.ag, 1
+topsuper60.biz, 1
+topsuper60.com, 1
+topsuper60.de, 1
+topsuper60.eu, 1
+topsuper60.info, 1
+topsuper60.net, 1
+topsuper60.org, 1
+topsvet.ru, 1
+toptapety.cz, 1
+toptec.net.br, 1
+toptechnews.cf, 1
+toptechnews.tk, 1
+topteen.tk, 1
+topten.com.co, 1
+toptexture.com, 1
+toptheto.com, 1
+toptiernetworks.tk, 1
+toptilebathrooms.co.nz, 1
+toptotosite.com, 1
+toptour.tk, 1
+toptracks.tk, 1
+toptranslation.com, 1
+toptravel.tk, 1
+toptravelgram.com, 1
+toptur.tk, 1
+topu.ro, 1
+topurls.tk, 1
+topvertimai.lt, 1
+topviet.ga, 1
+topvision.es, 1
+topvpn.pl, 1
+topwin.la, 1
+topwindowcleaners.co.uk, 1
+topwonders.tk, 1
+topworkplaces.com, 1
+topwowamazing.com, 1
+topwowdesign.com, 1
+topyachts-shop.com.ua, 1
+topyachts.com.ua, 1
+topzarabotok.ml, 1
+toquechic.com, 1
+tor.taxi, 1
+tor2web.org, 1
+tor4.cf, 1
+torahanytime.com, 0
+toranjchap.com, 1
+torb.com, 1
+torba.tk, 1
+torbay.ga, 1
+torbay.tk, 1
+torbayrise.co.uk, 1
+torbe.es, 1
+torch-fan.site, 1
+torchbankz.com, 1
+torchbearer.tk, 1
+torchmc.ru, 1
+tordenskjold.de, 1
+tordo.net, 1
+toreni.us, 1
+toretfaction.net, 1
+torfbahn.de, 1
+torg-room.ru, 1
+torgoborud.tk, 1
+torgopt.tk, 1
+torgovaya.tk, 1
+toricafe.com, 1
+torigaoka-dc.com, 1
+toriko-official.ml, 1
+torino.fi, 1
+torinotoday.it, 1
+torisamaahirusama.com, 1
+tork.news, 1
+torkel.se, 1
+torlock.com, 1
+torlock2.com, 1
+tormentedradio.com, 0
+tormentgame.com, 1
+tormox.ml, 1
+tornadica.by, 1
+tornado-map.de, 1
+tornadoarchiv.ml, 1
+tornadoautos.com, 1
+tornadodetector.ga, 1
+torngalaxy.com, 1
+tornyosbbq.hu, 1
+torocatala.tk, 1
+toroguapo.com, 1
+torondor.tk, 1
+toronto-escorts.com, 1
+torontoaccesscontrol.com, 1
+torontocorporatelimo.services, 1
+torontogid.cf, 1
+torontohealthcare.tk, 1
+torontolife.com, 1
+torontonews.tk, 1
+torontopostcardclub.com, 1
+torontopowerwalkers.ca, 1
+torontoscrapcarremoval.ca, 1
+torontotransit.tk, 1
+toropova.tk, 1
+toros2.com, 1
+torotoro.co.nz, 1
+torproject.org, 0
+torproject.ovh, 1
+torprojects.com, 1
+torquato.de, 0
+torquayhbc.co.uk, 1
+torquemada.tk, 1
+torrance.gq, 1
+torrba.tk, 1
+torrecilladelaabadesa.tk, 1
+torreconta.pt, 1
+torrededonmiguel.tk, 1
+torrelorenzo.com, 1
+torremarsalou.com, 1
+torrent.fedoraproject.org, 1
+torrent.is, 1
+torrent.tm, 1
+torrentbd.com, 1
+torrentbd.me, 1
+torrentbd.net, 1
+torrentdb.tk, 1
+torrentdownload.gq, 1
+torrentfunk.com, 1
+torrentfunk2.com, 1
+torrentgalaxy.mx, 1
+torrentgalaxy.su, 1
+torrentgalaxy.to, 1
+torrenttop100.net, 1
+torrentz2.al, 1
+torrero.tk, 1
+torresdealbanchez.tk, 1
+torresjaen.tk, 1
+torresshop.es, 0
+torretzalam.com, 1
+torsdammen.se, 1
+torservers.net, 0
+torsten-schmitz.net, 1
+torsten-werner.info, 1
+torstens-buecherecke.de, 1
+torstensenf.de, 1
+torstenzimmermann.com, 1
+tortak.ml, 1
+torte.roma.it, 1
+torticollisexplained.com, 1
+tortikvam.ru, 1
+tortillas-duras.cf, 1
+tortillas-duras.ga, 1
+tortillas-duras.gq, 1
+tortillas-duras.ml, 1
+tortimes.com, 1
+tortocan.com, 1
+tortoises-turtles.com, 1
+tortuga.ga, 1
+tortugan.com.br, 1
+torwart-jugend.de, 1
+tosainu.com.br, 1
+tosatopsicologabologna.com, 1
+tosbourn.com, 1
+toscanaeconomy.it, 1
+toschool.com.br, 1
+toshen.com, 1
+toshicar.com, 1
+toshik.tk, 1
+toshiroz.com, 1
+toshkov.com, 1
+toshl.com, 1
+toskavista.de, 1
+tosolini.info, 1
+tosostav.cz, 1
+tosshi-life.com, 1
+tossitaway.tk, 1
+tosteberg.se, 0
+tot.money, 1
+totaku.ru, 0
+total-chaos.tk, 1
+total-deco.eu, 1
+total-destruction.tk, 1
+total-electric.com, 1
+total-privacy.tk, 1
+total-security.tk, 1
+totalabogados.cl, 1
+totalaccessnicaragua.co, 1
+totalbike.com.br, 1
+totalbyverizon.com, 1
+totalcarcheck.co.uk, 1
+totalcare.co.nz, 1
+totalcarpetcare.co.uk, 1
+totalchecklist.com, 1
+totalcontrols.eu, 1
+totalemaildelivery.com, 1
+totalenergies.ca, 1
+totalenergies.com, 1
+totalenergies.de, 1
+totalenergies.do, 1
+totalengineering.club, 1
+totalenterprise.pl, 1
+totalexpert.net, 1
+totalfitnessandmassage.com.au, 1
+totalforcegym.com, 1
+totalfoundationpros.com, 1
+totalhost.gq, 1
+totalinfo.in, 1
+totalintegratedtherapy.com, 1
+totalityservices.co.uk, 1
+totalleedee.com, 1
+totally-dakota.tk, 1
+totallyjessica.tk, 1
+totallylegitimatehosting.ru, 1
+totallynotaserver.com, 1
+totallyrace.tk, 1
+totallystocks.ga, 1
+totalmdplan.com, 1
+totalmerchandise.co.uk, 1
+totalmerda.tk, 1
+totalnormal.tk, 1
+totalofficeclean.co.uk, 1
+totalpackers.com, 1
+totalparts.com.au, 1
+totalsport-bg.com, 1
+totaltriathlon.com, 1
+totalwebmedia.nl, 1
+totalwebpartners.com, 1
+totalzen.ga, 1
+totch.de, 1
+tote.co.uk, 1
+totemgames.tk, 1
+tothetopmentoring.com, 1
+totheweb.com, 1
+totlan.tk, 1
+totnastic.tk, 1
+toto-realestate.com, 1
+totobetty.com, 1
+totodil.es, 1
+totolabs.com, 1
+totolink.tw, 1
+totora.tk, 1
+totsglobal.com, 1
+totstitles.com, 1
+tottoya.com, 1
+totuus.sk, 1
+totvs.com, 1
+toubkalrando.com, 1
+toucan-informatique.fr, 1
+touch-up-net.com, 1
+touch.facebook.com, 0
+touch.mail.ru, 1
+touch2ship.com, 1
+touchable.gq, 1
+touchanddraw.tk, 1
+touchbasesm2.ca, 1
+touchboobs.ml, 1
+touchdown.co, 1
+touchfoundation.org, 1
+touchfromtheheartmassagetherapyandreflexology.com, 1
+touchingwetpaint.com, 1
+touchka.ga, 1
+touchmark.tk, 1
+touchmekissmee.com, 1
+touchofjapan.com, 1
+touchoflife.in, 1
+touchscreentills.com, 1
+touchspeak.nl, 0
+touchtable.nl, 1
+touchweb.be, 1
+touchweb.ch, 1
+touchweb.fr, 1
+tough-construction.com, 1
+toughcodes.com, 1
+touhidur.ru.com, 1
+touhidur.sa.com, 1
+touhidur.studio, 1
+touhidur.tk, 1
+touhidur.xyz, 1
+touhidur.za.com, 1
+touhidurrr.me, 1
+touhou.ac.cn, 0
+touhou.cc, 1
+touhou.tw, 1
+touhouwiki.net, 1
+toujour.top, 1
+toulis.net, 1
+toulouscope.fr, 1
+toulouselautrec.com.br, 1
+toumeitech.com, 1
+toupcreative.com, 1
+touquet-volley.com, 1
+tour-de-franz.bike, 1
+tour-japan.ml, 1
+tour-vietnam.tk, 1
+touray-enterprise.ch, 1
+tourbryansk.tk, 1
+tourcienaga.tk, 1
+tourdatenarchiv.de, 1
+tourdewestwoud.nl, 1
+tourfunnels.com, 1
+tourgest.net, 1
+touringinmorocco.com, 1
+tourism-exegetai.tk, 1
+tourisme-castillonpujols.fr, 1
+tourisme-dordogne-paysfoyen.com, 1
+tourisme-fronsadais.com, 1
+tourismpskov.tk, 1
+tourismtrain.tk, 1
+touristanalyst.ga, 1
+touristmaker.com, 1
+touristsense.com, 1
+tourmalineskincare.com, 1
+tourmaster.com, 1
+tournamentmgr.com, 1
+tournaments.tk, 1
+tournation.info, 1
+touroogle.com, 1
+tours-in-petersburg.tk, 1
+toursaindia.com, 1
+toursandtransfers.it, 0
+tourshopfresno.com, 1
+toursmontessori.com, 1
+tourteller.com, 1
+tourtransferitaly.it, 1
+tourtrektrip.com, 1
+tourweekend.tk, 1
+tourx.co.nz, 1
+tous-travaux.ch, 0
+tousei.tokyo.jp, 1
+toushi-return.xyz, 1
+toushi-shakkin.com, 1
+touslesdrivers.com, 1
+touslesforums.tk, 1
+tout-a-fait.fr, 1
+tout-art.ch, 1
+toutankamon.tk, 1
+toutart.ch, 1
+toutenmusic.fr, 1
+toutmonexam.fr, 1
+toutvendre.be, 1
+toutvendre.ch, 1
+toutvendre.cm, 1
+toutvendre.es, 1
+toutvendre.fr, 1
+toutvendre.lu, 1
+toutvendre.pics, 1
+toutvendre.uk, 1
+toutvendre.us, 1
+touwhalster.tk, 1
+touyatakenaka.tk, 1
+tovaglioli-di-carta.it, 1
+tovanot.biz, 1
+tovare.com, 1
+tovari-rukodeliya.tk, 1
+tovarypochtoj.tk, 1
+toverland-tickets.nl, 1
+tovp.org, 0
+towardsthecloud.com, 1
+towaway.ru, 1
+towellconstruction.ca, 1
+tower.land, 1
+towerdefen.se, 1
+towerdefence.tk, 1
+towerloan.com, 1
+towers-kolomna.tk, 1
+towersstreet.com, 1
+towessi.tk, 1
+town-night.jp, 1
+townforge.net, 1
+townfremontwi.gov, 1
+townhomeproperties.com, 1
+townhouseregister.com.au, 1
+townifi.ga, 1
+townithacany.gov, 1
+townlaretsota.gq, 1
+townnews.com, 1
+townoconomowoc-wi.gov, 1
+townofadamsgreencountywi.gov, 1
+townofadamsjacksoncowi.gov, 1
+townofadamswi.gov, 1
+townofavonwi.gov, 1
+townofbalsamlakewi.gov, 1
+townofbarneswi.gov, 1
+townofbayfieldwi.gov, 1
+townofbeavermarinettewi.gov, 1
+townofbeecherwi.gov, 1
+townofbelgiumwi.gov, 1
+townofbeloitwi.gov, 1
+townofbrazeauwi.gov, 1
+townofbridgewater.ca, 1
+townofbrillionwi.gov, 1
+townofbrinybreezes-fl.gov, 1
+townofbrooklynwi.gov, 1
+townofbrookwoodal.gov, 1
+townofbrothertownwi.gov, 1
+townofbrunswickwi.gov, 1
+townofbutlerwi.gov, 1
+townofbyronwi.gov, 1
+townofcadizwi.gov, 1
+townofcaledoniacolumbiawi.gov, 1
+townofcampbellwi.gov, 1
+townofcanandaigua.gov, 1
+townofcantonct.gov, 1
+townofcaponbridgewv.gov, 1
+townofcarthagetn.gov, 1
+townofcedarburgwi.gov, 1
+townofchenangony.gov, 1
+townofcherrycreekny.gov, 1
+townofchesterwi.gov, 1
+townofclarnowi.gov, 1
+townofclaytonny.gov, 1
+townofclearfieldwi.gov, 1
+townofclearlakewi.gov, 1
+townofclevelandnc.gov, 1
+townofclymanwi.gov, 1
+townofcohoctonny.gov, 1
+townofcoldspringny.gov, 1
+townofcooperstownwi.gov, 1
+townofcranmoor.gov, 1
+townofdaltonnh.gov, 1
+townofdane.gov, 1
+townofdecaturwi.gov, 1
+townofdepositny.gov, 1
+townofdewhurstwi.gov, 1
+townofdexterwi.gov, 1
+townofdrammen-wi.gov, 1
+townofdraperwi.gov, 1
+townofdrummondmt.gov, 1
+townofdunbarwi.gov, 1
+townofeaugallewi.gov, 1
+townofedenwi.gov, 1
+townofemmetwi.gov, 1
+townofevansny.gov, 1
+townofexcelsiorwi.gov, 1
+townoffairfieldwi.gov, 1
+townoffonddulacwi.gov, 1
+townofforestvernonwi.gov, 1
+townofgalewi.gov, 1
+townofgardenvalleywi.gov, 1
+townofgardnerwi.gov, 1
+townofgermantownwi.gov, 1
+townofgibsonwi.gov, 1
+townofgoldenmeadow-la.gov, 1
+townofgoreok.gov, 1
+townofgraftonwi.gov, 1
+townofgrantsburgwi.gov, 1
+townofgrantshawanowi.gov, 1
+townofgreengrovewi.gov, 1
+townofgreenlake.gov, 1
+townofhamburgny.gov, 1
+townofhamiltonny.gov, 1
+townofharrisonmcwi.gov, 1
+townofhartfordwi.gov, 1
+townofherman-wi.gov, 1
+townofhollandwi.gov, 1
+townofhulbertok.gov, 1
+townofhumeny.gov, 1
+townofhustisford.gov, 1
+townofjacksonadamswi.gov, 1
+townofjacksonwi.gov, 1
+townofjanesvillewi.gov, 1
+townofjohnsonwi.gov, 1
+townofjohnstonsc.gov, 1
+townofjordanwi.gov, 1
+townofkewaskumwi.gov, 1
+townofkeystonewi.gov, 1
+townoflagrangemcwi.gov, 1
+townoflakecityco.gov, 1
+townoflakemarinettewi.gov, 1
+townoflakeviewor.gov, 1
+townoflamartinewi.gov, 1
+townoflandisnc.gov, 1
+townoflebanonny.gov, 1
+townoflebanonwi.gov, 1
+townoflemonweirwi.gov, 1
+townoflenrootwi.gov, 1
+townofleonmocowi.gov, 1
+townofleroywi.gov, 1
+townoflibertyocwi.gov, 1
+townoflincolnforestwi.gov, 1
+townoflindenwi.gov, 1
+townoflomira.gov, 1
+townoflucas-wi.gov, 1
+townofluskwy.gov, 1
+townoflyndonwi.gov, 1
+townoflynneoneidactywi.gov, 1
+townofmackfordwi.gov, 1
+townofmarionwausharawi.gov, 1
+townofmarshfieldwi.gov, 1
+townofmecanwi.gov, 1
+townofmentorwi.gov, 1
+townofmerrillwi.gov, 1
+townofmertonwi.gov, 1
+townofmiltonwi.gov, 1
+townofmineral.net, 1
+townofminocqua.gov, 1
+townofmontereytn.gov, 1
+townofmosineewi.gov, 1
+townofmtpleasantwi.gov, 1
+townofnasewaupeewi.gov, 1
+townofnecedahwi.gov, 1
+townofneenahwi.gov, 1
+townofnevawi.gov, 1
+townofnewdenmarkwi.gov, 1
+townofnewglaruswi.gov, 1
+townofnewhavendunnwi.gov, 1
+townofnewpaltzny.gov, 1
+townofnilesny.gov, 1
+townofnorwaywi.gov, 1
+townofnorwichny.gov, 1
+townofomro.gov, 1
+townofonalaskawi.gov, 1
+townofonondaga.gov, 1
+townoforegonwi.gov, 1
+townofpolk-wi.gov, 1
+townofpoygan.gov, 1
+townofprincessannemd.gov, 1
+townofpulaskiwi.gov, 1
+townofredriverwis.gov, 1
+townofreseburgwi.gov, 1
+townofriblakewi.gov, 1
+townofrichfordwi.gov, 1
+townofrichlandwi.gov, 1
+townofrichmond-walworthwi.gov, 1
+townofrichmondwi.gov, 1
+townofrockwi.gov, 1
+townofrudolphwi.gov, 1
+townofrussellwi.gov, 1
+townofruthnc.gov, 1
+townofrutlandwi.gov, 1
+townofsalemny.gov, 1
+townofsananselmoca.gov, 1
+townofsandcreekwi.gov, 1
+townofsasserga.gov, 1
+townofscottbrownwi.gov, 1
+townofscottsheboyganwi.gov, 1
+townofsenecawoodcowi.gov, 1
+townofsevastopolwi.gov, 1
+townofsheboyganfallswi.gov, 1
+townofsheboyganwi.gov, 1
+townofsidneyny.gov, 1
+townofsigelwoodwi.gov, 1
+townofspiderlakewi.gov, 1
+townofstanley-wi.gov, 1
+townofstarmandny.gov, 1
+townofstockbridge.gov, 1
+townofsturgeonbay-wi.gov, 1
+townofsumrallms.gov, 1
+townofsweetwater.com, 1
+townofsylvesterwi.gov, 1
+townoftaycheedahwi.gov, 1
+townoftheresawi.gov, 1
+townofthomsonmn.gov, 1
+townofthorpwi.gov, 1
+townofthreelakeswi.gov, 1
+townoftroupsburgny.gov, 1
+townofturtlewi.gov, 1
+townofulyssesny.gov, 1
+townofuniondoorwi.gov, 1
+townofuticawi.gov, 1
+townofvarnamtown.gov, 1
+townofvermontwi.gov, 1
+townofveteranny.gov, 1
+townofvinlandwi.gov, 1
+townofwalworthwi.gov, 1
+townofwarrensccwi.gov, 1
+townofwatertownwi.gov, 1
+townofwausaukeewi.gov, 1
+townofwautomawi.gov, 1
+townofwendellnc.gov, 1
+townofwescott-wi.gov, 1
+townofwestfieldsaukwi.gov, 1
+townofwestfordwi.gov, 1
+townofwestportin.gov, 1
+townofweyauwega-wi.gov, 1
+townofwhitewaterwi.gov, 1
+townofwinfieldwi.gov, 1
+townofwinneconne.gov, 1
+townofwittenbergwi.gov, 1
+townofwoodruffwi.gov, 1
+townofwoodvillewi.gov, 1
+townofwordenwi.gov, 1
+townofwrightstownwi.gov, 1
+townofwyomingwi.gov, 1
+townresults.ga, 1
+townshendvt.gov, 1
+townshipofthenorthshore.ca, 1
+townswalker.com, 1
+towolabs.com, 1
+towsonpediatrics.com, 1
+towywebdesigns.uk, 1
+towzone.co.uk, 1
+tox21.gov, 1
+toxicboot.com, 1
+toxicip.com, 1
+toycu.de, 1
+toyduck.ga, 1
+toyfight.co, 0
+toymania.de, 1
+toymarket.tk, 1
+toyonut.co.jp, 0
+toyopac.com, 1
+toyota-kinenkan.com, 1
+toyota.com.sg, 1
+toyotaconnected.co.th, 1
+toyotapartsdeal.com, 1
+toyotapartsprime.com, 1
+toyotasp.ru, 1
+toyouiv.net, 1
+toyouiv.org, 1
+toys-robots.cf, 1
+toys4education.com.au, 1
+toyscenter.it, 1
+toyschina.cf, 1
+toysearcher.ml, 1
+toyshowappeal.ie, 1
+toyshowthemusical.co.uk, 1
+toyshowthemusical.com, 1
+toyshowthemusical.ie, 1
+toysperiod.com, 1
+toysplace.ml, 1
+toystory3.ga, 1
+toyventure.ga, 1
+tozdev.com, 1
+tp-events.co.uk, 1
+tp-genie.com, 1
+tp-properties.co.uk, 1
+tp-shipping.co.uk, 1
+tp-technology.co.uk, 1
+tpa.or.th, 1
+tpala-pg.fr, 1
+tpark.jp, 1
+tpbseries.com, 1
+tpcbf.cn, 1
+tpccf.cn, 1
+tpcff.cn, 1
+tpchan.info, 1
+tpci.biz, 1
+tpcof.cn, 1
+tpcrestorationllc.com, 1
+tpdaniel.fr, 1
+tpedu.eu, 1
+tpedu.hk, 1
+tpedu.nl, 1
+tpeducation.cn, 1
+tpetrov.com, 1
+tpf.hk, 1
+tpgozd.si, 1
+tpiada.tk, 1
+tpk-parma.ru, 1
+tpk.quest, 1
+tplak.com, 1
+tpldevsg-mythiess-dev.azurewebsites.net, 1
+tplive.io, 1
+tplprodsg-mythiess.azurewebsites.net, 1
+tpltestsg-mythiess-test.azurewebsites.net, 1
+tpolemis.com, 1
+tpp-tpc.ga, 1
+tppleague.me, 0
+tpr.hk, 1
+tpress.tk, 1
+tprk.pl, 1
+tpro.rocks, 1
+tproger.ru, 1
+tpu-ltd.co.uk, 1
+tpu.gay, 1
+tpue.de, 1
+tpx.com, 1
+tqaclark.com, 1
+tqdev.com, 0
+tqdn.cn, 1
+tql.plus, 1
+tqnx.link, 0
+tqsintegration.com, 1
+tr.search.yahoo.com, 0
+tr0n.net, 1
+tr3fit.xyz, 1
+tra-tra.be, 1
+traas.org, 1
+trabaja.xyz, 1
+trabajadormigrante.gov, 1
+trabajaenvitamina.cl, 1
+trabajarytrabajar.com, 1
+trabajoenmx.com, 0
+trabajoreal.com, 1
+trabajouniversitario.tk, 1
+trabalance.com, 1
+trabbel.org, 1
+trabia.com, 1
+traccxs.com, 1
+trace.best, 1
+trace.guru, 1
+trace.moe, 1
+trace2race.com, 1
+tracebit.com, 1
+traceflix.com, 1
+tracefy.com, 1
+traceheatinguk.co.uk, 1
+tracelight.io, 0
+tracer.gg, 1
+tracercdn.com, 1
+traceroute.guru, 1
+traceroute.link, 1
+traceroute.network, 1
+tracery.jp, 1
+tracesteps.ga, 1
+tracetracker.com, 1
+tracetracker.no, 1
+traceur-france.fr, 1
+traceyjsvorusphd.com, 1
+tracinsurance.com, 1
+track.plus, 1
+trackadblock.com, 1
+trackballs.gq, 1
+trackchair.com, 1
+trackdays4fun.com, 1
+trackee.link, 1
+tracker-knigi.gq, 1
+tracker.com.ar, 1
+trackerx.ga, 1
+trackeye.dk, 1
+trackfocusdirect.com, 1
+trackify.tk, 1
+trackimo.ca, 1
+tracking-app.tk, 1
+tracking.best, 1
+trackingencomendas.com, 1
+trackinsight.com, 1
+tracklist4u.com, 1
+tracknetsports.com, 1
+trackntack.com, 1
+trackrecord.net, 1
+trackshun.tk, 1
+trackulo.us, 1
+trackyourlogs.com, 1
+tractariauto.tk, 1
+tractarimvbcluj.ro, 1
+tractive.com, 1
+tractor-pulling.fr, 1
+tractor-pulling.tk, 1
+tractorfan.nl, 1
+tractorpumps.com, 1
+tracxn.com, 1
+tracyhaze.net, 1
+tracyrobbinsking.com, 1
+trad-n-vo.com, 1
+trade-arcade.com, 1
+trade-bot.cf, 1
+trade-foods.com, 1
+trade-platform.tk, 1
+trade.gd, 1
+trade.gov, 1
+trade.mn, 1
+trade247.exchange, 1
+trade360solutions.com, 1
+tradeandindustrydev.com, 1
+tradebot.cf, 1
+tradebotcompany.ml, 1
+tradebuilders.com.au, 1
+tradebull.co.in, 0
+tradedesk.co.za, 1
+tradedigital.co, 1
+tradeeasy.com, 1
+tradees.com, 1
+tradefxp.com, 1
+tradeinvent.co.uk, 1
+tradeline.vn, 1
+tradelink.cf, 1
+trademarkregistration-coimbatore.com, 1
+trademen.ga, 1
+trademotion.com, 1
+tradeonfx.com, 1
+tradepass.ru, 1
+tradeplotter.com, 1
+traderfox.de, 1
+traderinside.ga, 1
+traderlion.com, 1
+traderpen.com, 1
+tradersclub.com.br, 1
+tradersport.tk, 1
+tradersrank.ga, 1
+tradesafe.co.za, 1
+tradesecretslaw.com, 1
+tradeshift.com, 1
+tradeshowfreightservices.com, 1
+tradesrenovations.ca, 1
+tradet.fi, 1
+tradeview.eu, 1
+tradewithestonia.com, 0
+tradezlist.tk, 1
+tradgardsmart.se, 1
+tradie.com, 1
+tradik.com, 1
+tradinews.com, 1
+tradinews.fr, 1
+trading-academy.cf, 1
+trading-ea.pt, 1
+tradingdeer.io, 1
+tradingfacile.eu, 1
+tradinghelper.be, 1
+tradingtag.ga, 1
+tradingview.com, 1
+tradition-immobilier.com, 1
+tradition.ch, 1
+tradition.com, 1
+traditional.kz, 1
+traditions.nl, 1
+traditionskapperscollege.nl, 1
+traditionsvivantesenimages.ch, 1
+tradreams.com, 1
+tradu.com, 1
+tradymoney.com, 1
+traegerbox.com, 0
+traegergrills.com, 1
+traf-bonus.tk, 1
+trafarm.ro, 1
+traffic.az, 1
+trafficdirection.tk, 1
+trafficgazelles.com, 0
+trafficgenerator.ga, 1
+trafficjunky.com, 1
+trafficmanager.com, 1
+trafficmanager.ltd, 1
+trafficmanager.xxx, 1
+trafficmgr.net, 1
+trafficpixel.tk, 0
+trafficsafetymarketing.gov, 1
+trafficsale.cf, 1
+traffixdevices.com, 1
+trafic-wap.tk, 1
+traficmusik.net, 1
+trafik.tk, 1
+trafiken.nu, 1
+trafplus.tk, 1
+tragamin.ca, 1
+tragamonedas-gratis.biz, 1
+tragaver.ga, 1
+traghetti.tk, 1
+tragicallytrumped.com, 1
+tragicempire.tk, 1
+tragmi.ch, 1
+traha.org, 1
+trahnisoseda.tk, 1
+trail-alps.ch, 1
+trail-alps.com, 1
+trail.pink, 1
+trailblazercommunitygroups.com, 1
+trailblazers.tk, 1
+trailcloud.ink, 1
+trailerparty.com, 1
+trailforks.com, 1
+trailrider.tk, 1
+trailrighttraining.com, 1
+trailrunbern.ch, 1
+trails-end.com, 1
+trainable.cf, 1
+trainbusferry.com, 1
+traineeshipplaza.nl, 1
+trainex.org, 1
+trainhornforums.com, 0
+trainiac.com.au, 1
+trainingcentral.cf, 1
+trainingcourt.com, 1
+trainingfitstudio.fr, 1
+trainingflow.com, 1
+traininghamburg.de, 1
+traininglife.org, 1
+trainingminds.nl, 1
+trainingproviderresults.gov, 1
+trainings-handschuhe-test.de, 1
+trainingsalicante.tk, 1
+trainingscatalogus.nl, 1
+trainingsecke.de, 1
+trainingstore.fish, 1
+trainingswiese.at, 1
+trainline.io, 1
+trainmagazine.be, 1
+trainmagazine.de, 1
+trainmagazine.nl, 1
+trainme.nl, 1
+trainoclock.com, 1
+trainplaza.be, 1
+trainplaza.net, 1
+trainplaza.nl, 1
+trains.sexy, 1
+trainsgoodplanesbad.com, 0
+trainsnmore.tv, 1
+traintimes.be, 1
+traintimes.ch, 1
+traintimes.dk, 1
+traintimes.fi, 1
+traintimes.lu, 1
+traintimes.nl, 1
+traintimes.se, 1
+traintoday.ca, 1
+traintowin.tv, 1
+trainwiki.tk, 1
+trainyourtribe.com.au, 1
+traista.ru, 1
+traitement-arthrose.fr, 1
+traitement-punaise.paris, 1
+traiteur-laporte.fr, 1
+traiteurpapillonevents.be, 1
+trajectfoto.nl, 1
+trajectvideo.nl, 1
+trakid.com, 1
+trakkr.tk, 0
+trakmd.com, 1
+trakteershop.tk, 1
+trakteren.tk, 1
+traktor-troubadour.tk, 1
+tralalashow.tk, 1
+tralios.de, 1
+tramadol.ga, 1
+tramadolhcl.ga, 1
+tramclub-basel.ch, 1
+tramikshop.ml, 1
+tramitelegal.com.ar, 1
+tramplin.tk, 1
+tramway.org, 1
+tran.pw, 1
+trance-heal.com, 1
+trance-heal.de, 1
+trance-heal.me, 1
+trance-nation.tk, 1
+trance-zone.tk, 1
+tranceheal.com, 1
+tranceheal.me, 1
+trancehost.com, 1
+trancendances.fr, 1
+tranceparadise.tk, 1
+tranceptortechnology.com, 1
+tranche2aml.com, 1
+trandanhland.com, 1
+trangcongnghe.com, 1
+trangthienlong.com.vn, 1
+tranhlavender.com, 1
+tranhmonalisa.vn, 1
+tranhvenus.com, 1
+tranmerelectric.com, 1
+trannysurprise.com, 1
+tranquilidade.ao, 1
+tranquillity.se, 1
+tranquillum.tk, 1
+tranquiloweb.com, 1
+trans-aliyans.tk, 1
+trans.eu, 1
+transacid.de, 0
+transact-online.co.uk, 1
+transactpaymentsltd.com, 1
+transaminasas.com, 1
+transangels.com, 1
+transangelsnetwork.com, 1
+transangelspremium.com, 1
+transanglo.pl, 1
+transappealrights.com, 1
+transav.ru, 1
+transbella.com, 1
+transcend.org, 1
+transcendmotor.sg, 1
+transcendretirement.net, 1
+transco.com.tr, 1
+transcoalition.net, 1
+transcontrol.com.ua, 1
+transcricentro.pt, 1
+transdev.blog, 1
+transdevbus.co.uk, 1
+transdyne.com, 1
+transes.com.tr, 1
+transfair.sh, 1
+transfer-sheregesh.com, 1
+transfer-v-sheregesh.ru, 1
+transfer-vsheregesh.ru, 1
+transfer.pw, 1
+transfera-sheregesh.ru, 1
+transferagent.co, 1
+transferbags.com, 1
+transferistan.com, 1
+transfermate.com, 1
+transfero-sheregesh.ru, 1
+transfers-sheregesh.ru, 1
+transferserver.at, 1
+transferwiseturkiye.com.tr, 1
+transfery-sheregesh.ru, 1
+transfigurewizard.com, 1
+transforleren.nl, 1
+transformaniatime.com, 1
+transformation.gouv.fr, 1
+transformersmmdb.tk, 1
+transformyourmarketing.com, 1
+transforumation.com, 1
+transfurrmation.town, 1
+transgaz.ro, 1
+transgendergedenkdag.nl, 1
+transgenderinfo.nl, 1
+transgendernetwerk.nl, 1
+transgendernetwerk.org, 1
+transglobelogistiques.com, 1
+transharder.com, 1
+transhumanism.co.uk, 1
+transhumanism.org, 1
+transhumanist.co.uk, 1
+transhumanist.com, 1
+transhumanist.net, 1
+transhumanist.org, 1
+transhumanist.uk, 0
+transinbeeld.nl, 1
+transit.my.id, 1
+transitables.tk, 1
+transitllc.ru, 1
+transito.tk, 1
+transitownplaza.com, 1
+transitpoint.us, 1
+translate-polish.com, 1
+translate.googleapis.com, 1
+translatedict.com, 1
+translation-services.ga, 1
+translation.ca, 1
+translationge.com, 1
+translations.com, 1
+translationsfirm.tk, 1
+translationsnz.com, 1
+translatorall.tk, 1
+translatorglobal.tk, 1
+translatoruk.co.uk, 0
+translink.com.au, 1
+translit-net.tk, 1
+translit.ga, 1
+translit.ru, 1
+transmarttouring.com, 1
+transmitit.pl, 1
+transmitrecordings.com, 1
+transmoni.vn, 1
+transmutatie.nl, 1
+transnexus.com, 1
+transon.tk, 1
+transpak-cn.com, 1
+transparency.cf, 1
+transparencyinadmissions.org, 1
+transparencynj.com, 1
+transparent.cf, 1
+transparentpng.com, 1
+transperfect.com, 1
+transport-gura-portitei.com, 1
+transport-gura-portitei.contact, 1
+transport.ninja, 1
+transporta.it, 1
+transportdebateauxmp.ca, 1
+transporterlock.com, 0
+transporteselsol.com, 0
+transportesvarelacr.com, 1
+transportnews.tk, 1
+transsensual.com, 1
+transsensualnetwork.com, 1
+transservice.net.ua, 1
+transsexualpantyhose.com, 1
+transsrit.tk, 1
+transtaboo.com, 1
+transtema-ru.net, 1
+transtrack.net, 1
+transtur.tk, 1
+transumption.com, 1
+transvault.com, 1
+transwank.com, 1
+transwestern.com, 1
+transwestern.net, 1
+trantrongtri.info, 1
+tranvia.info, 1
+tranzact.net, 1
+tranzron.ga, 1
+trapay.net, 1
+trapcall.com, 1
+trapichelaesperanza.com, 1
+trapkitchen.ml, 1
+trappednerve.org, 1
+trappersoutfitters.tk, 1
+traproulette.com, 1
+trapsdirect.com, 1
+trapsexy.com, 1
+trapsexy.net, 1
+trapsexy.org, 1
+trapz.xyz, 1
+trarch.com, 1
+trasandino.tk, 1
+trasatsatelital.com.ar, 1
+trash2treasurecreations.co.za, 1
+trashcanheroes.tk, 1
+trashcraft.tk, 1
+trashexpert.ru, 1
+trashmail.com, 1
+trashnothing.com, 1
+trashpanda.website, 1
+trashwagon.club, 1
+trashy-gypsy.com, 1
+trashygypsy.com, 1
+trashylingerie.ga, 1
+traslocare.roma.it, 1
+traslocatore.roma.it, 1
+traslochi-trasporti-facchinaggio.it, 1
+traslochi.napoli.it, 1
+traslochiinternazionali.it, 1
+trasloco.milano.it, 1
+trasloedil.it, 1
+trasportatori.it, 1
+trasportoambulanzaprivata.it, 1
+trastornoevitacion.com, 1
+trastornolimite.com, 1
+tratamentoparacelulite.net, 1
+tratt.net, 1
+trattamenti.biz, 1
+trattamento-cotto.it, 1
+trattamentocotto.roma.it, 1
+trauerbegleitung-kudla.de, 1
+trauertexte.info, 1
+traumaberatung-lindner.de, 1
+traumahealing.com, 1
+traumahealingaccelerated.com, 1
+traumarecoverysupport.com, 1
+traumfaenger.tk, 1
+traumobjekte.com, 1
+traumobjekte.info, 1
+traumschwingen.de, 1
+traumtrauringe.de, 1
+traut.cloud, 1
+travador.com, 1
+trave.africa, 1
+travel-and-cache.de, 0
+travel-cube.ml, 1
+travel-dealz.de, 1
+travel-rus-club.tk, 1
+travel-to-cuba.tk, 1
+travel-to-morocco-tours.com, 1
+travel-trek.tk, 1
+travel101.tk, 1
+travel2macedonia.com, 1
+travel2macedonia.com.mk, 1
+travel2macedonia.mk, 1
+travel2next.com, 1
+travel2you.ru, 1
+travel365.it, 1
+travel4history.nl, 1
+travel4news.at, 0
+traveladdiction.tk, 1
+traveladventure.ml, 1
+travelairtravel.com, 1
+travelamm.com, 1
+travelanchor.ga, 1
+travelandtourism.tk, 1
+travelarmenia.org, 1
+travelaround.tk, 1
+travelassist.us.com, 1
+travelastscom.ga, 1
+travelback.ga, 1
+travelbangladesh.ga, 1
+travelbiz.cf, 1
+travelbiz.ga, 1
+travelbiz.gq, 1
+travelbuddiesperu.com, 1
+travelbunny.ga, 1
+travelcellar.ga, 1
+travelcenter.tk, 1
+travelchannel.ml, 1
+travelcharm.ga, 1
+travelcheapdeals.com, 1
+travelcircus.ga, 1
+travelclinic.ml, 1
+travelclube.com, 1
+travelclube.com.pt, 1
+travelcollect.ga, 1
+travelcollections.ga, 1
+travelcolor.ga, 1
+travelcompany.tk, 1
+travelcrown.ga, 1
+traveldir.ga, 1
+traveldodge.ga, 1
+traveldoo.com, 1
+traveldragon.ga, 1
+travelecho.ga, 1
+traveleets.com, 1
+travelepoch.com, 1
+travelera.tk, 1
+travelerspress.com, 1
+travelersuniverse.com, 1
+travelescape.tk, 1
+traveleurope.ml, 1
+travelexbiz.com, 1
+travelexecutive.de, 1
+travelexinternational.com, 1
+travelexpress.tk, 1
+travelfarandwide.com, 1
+travelfeature.ga, 1
+travelfield.org, 1
+travelfiesta.ga, 1
+travelflighthotel.com, 1
+travelfoot.com, 1
+travelfriend.tk, 1
+travelfusion.com, 1
+travelgang.ga, 1
+travelgirlsclub.com, 1
+travelglamour.ga, 1
+travelgratis.ga, 1
+travelhands.ga, 1
+travelholicworld.com, 1
+travelhoppers.com, 1
+travelhusky.ga, 1
+traveling-thailand.info, 1
+travelingagency.tk, 1
+travelingbagsmke.com, 0
+travelingthevortex.com, 1
+travelinspirationmag.com, 1
+travelinsurance.co.nz, 1
+travelinsurance.ga, 1
+travelinsured.com, 1
+travelist.co.nz, 1
+traveljunkie.tips, 1
+travelkatta.in, 1
+travelknowledge.org, 1
+travellegacy.ga, 1
+travellets.tk, 1
+travellinginmorocco.com, 0
+travellings.cn, 0
+travellinks.tk, 1
+travellittle.ga, 1
+travellovers.fr, 1
+travelmap.net, 1
+travelmate.cf, 1
+travelmember.ga, 1
+travelmexico42.com, 1
+travelmindsets.com, 1
+travelmontenegro.tk, 1
+travelnano.ga, 1
+travelnatural.ga, 1
+travelnetwork.tk, 1
+travelnews.cf, 1
+travelni.com, 1
+travelnotoria.com, 1
+travelnumber.ga, 1
+travelodge.co.uk, 1
+traveloffline.ga, 1
+travelogue.jp, 1
+travelomega.ga, 1
+travelongravel.tk, 1
+travelook.ml, 1
+travelopedia.ga, 1
+travelouter.ga, 1
+travelove.tk, 1
+travelovernight.ga, 1
+travelpeace.ga, 1
+travelpearl.ga, 1
+travelpenguin.nl, 1
+travelphilippines.tk, 1
+travelphoto.cc, 1
+travelphotographycourse.com, 1
+travelplatinum.ga, 1
+travelplum.ga, 1
+travelpremier.ga, 1
+travelpremium.ga, 1
+travelprestige.ga, 1
+travelpride.ga, 1
+travelquantum.ga, 1
+travelrail.ga, 1
+travelrates.ga, 1
+travelraven.ga, 1
+travelrefund.com, 1
+travelreviews.tk, 1
+travelriny.com, 1
+travelsets.com, 1
+travelshelper.com, 1
+travelshopbooking.com, 1
+travelsignature.ga, 1
+travelsinfozone.com, 1
+travelsites.cf, 1
+travelsites.tk, 1
+travelsoldier.ga, 1
+travelsonic.ga, 1
+travelsouthbeach.ga, 1
+travelstation.tk, 1
+travelstrokes.com, 1
+travelsunflower.ga, 1
+travelsuperhero.ga, 1
+travelsure.tech, 1
+travelsurprise.ga, 1
+traveltains.com, 1
+traveltalk.tk, 1
+travelthing.io, 1
+travelthisweekend.com, 1
+travelthunder.ga, 1
+traveltimeagency.com, 1
+traveltomachupichu.com, 1
+traveltourist.tk, 1
+traveltovietnam.ga, 1
+traveltruster.com, 0
+travelturbo.ga, 1
+travelultra.ga, 1
+travelunicorns.com, 1
+travelunique.ga, 1
+travelup.com, 1
+travelurban.ga, 1
+travelus.nl, 1
+travelvacancy.tk, 1
+travelvictory.ga, 1
+travelvisit.cf, 1
+travelways.ml, 1
+travelwithbender.com, 1
+travelwithjack.com, 1
+travelzoneshop.com, 1
+traverse.com.ua, 0
+travi.org, 1
+travianbattleplanner.com, 1
+travin.tk, 1
+travis.nl, 1
+traviscoesd1tx.gov, 1
+traviscountyappliancerepair.com, 1
+travisf.net, 1
+travisflix.com, 1
+travisforte.io, 1
+travisfranck.com, 1
+travishenning.com, 1
+travislord.xyz, 1
+travkolyl.gq, 1
+travler.net, 1
+travnik24.tk, 1
+travuscka.ru, 1
+trawox.com, 1
+traws.cymru, 1
+traxpayroll.com, 1
+traxstage.com, 1
+trayinc.com, 1
+trayport.com, 1
+traza.cl, 1
+trazodoneonline.tk, 1
+trazodononline.gq, 1
+trazs.com, 1
+trbanka.com, 1
+trblwlf.net, 1
+trcollaborative.com, 1
+trcont.com, 1
+trctaborda.com.br, 1
+trdepoist.net, 1
+treaslockbox.gov, 1
+treasureboxgreetings.com, 1
+treasureislandbeads.ga, 1
+treasurejewelry.shop, 0
+treasuremountainmining.com, 1
+treasuretrooperguide.tk, 1
+treasury.gov.lk, 1
+treasurydirect.gov, 1
+treasuryhunt.gov, 1
+treasuryscams.gov, 1
+treatyoakdental.com, 1
+treatyoself.com.au, 1
+trebek.club, 1
+trebilfoundationsystems.com, 1
+trebnie.nl, 1
+trecebits.com, 1
+trecobox.com.br, 1
+tredegar.com, 1
+tredegarsurfaceprotection.com, 1
+tredto.com, 1
+tree.gdn, 1
+tree0.xyz, 1
+treebaglia.xyz, 1
+treecycle.com.au, 1
+treedoctornearme.com, 1
+treehorn.nl, 1
+treehouseresort.nl, 1
+treeliss.com.br, 1
+treemadeiras.com.br, 1
+treeremovalfourways.co.za, 1
+treeremovalsboksburg.co.za, 1
+treesonthemove.com, 1
+treestarmarketing.com, 1
+treevectors.com, 1
+treexy.com, 1
+treezone.net, 1
+trefpuntdemeent.nl, 1
+trehand.fr, 1
+treibholz-norddeich.de, 1
+treier.xyz, 1
+treinmagazine.be, 1
+treinmagazine.nl, 1
+treinonerd.com, 1
+treinonline.tk, 1
+treintijden.com, 1
+trek-planet.ru, 1
+trekamdienstag.de, 1
+trekintel.com, 1
+trekkerterreur.nl, 1
+trekkertirannie.nl, 1
+trekkertrek.tk, 1
+trekkertrekharpel.tk, 1
+trekking-friends.ch, 1
+trekkinglab.org, 1
+trekonbh.com, 1
+trekosecia.com.br, 1
+trekscaper.tk, 1
+trelleborg.se, 1
+trelliscompany.org, 1
+trembler.org, 1
+treml-sturm.com, 1
+tremol-spedition.com, 1
+tremontil.gov, 1
+tremors.tk, 1
+trempcountywi.gov, 1
+tren-counseling.nl, 1
+trenchapps.com, 1
+trend-calendar.com, 1
+trend-shop.ga, 1
+trendegypt.ml, 1
+trendier.com.co, 1
+trendier.mx, 1
+trendingaffords.com, 1
+trendingdeals.ga, 1
+trendingeducation.tk, 1
+trendingknow.tk, 1
+trendingnewswala.online, 1
+trendingstory.tk, 1
+trendingxxl.nl, 1
+trendkraft.de, 1
+trendmag.bg, 1
+trendme.ga, 1
+trendnews.cf, 1
+trendnews.gq, 1
+trendntech.com, 1
+trendocracy.cf, 1
+trendocracy.ga, 1
+trendocracy.gq, 1
+trendocracy.ml, 1
+trendpanel.tk, 1
+trendparty.net, 1
+trendpie.com, 1
+trendreportdeals.com, 1
+trends-24.nl, 0
+trends-news.tk, 1
+trendsce.com.br, 1
+trendtesettur.com, 0
+trendware.de, 1
+trendycrowds.com, 1
+trendydips.com, 1
+trendyolgo.com, 0
+trendys.ro, 1
+trendzilla.ga, 1
+treningo.rs, 1
+trenorario.it, 1
+trenta.fr, 1
+trentinogenealogy.com, 1
+trentonmakesnews.com, 1
+trentonoh.gov, 1
+trentotoday.it, 1
+trenujskutecznie.com, 1
+trenztec.ml, 1
+tresen-demo.com, 1
+treshermanasshop.com, 1
+tresmaistres.com.br, 1
+tresor.it, 1
+tresorit.com, 1
+tresoro.at, 1
+tresoro.de, 1
+trespedia.com, 1
+tresredatores.tk, 1
+tretail.net, 1
+tretinoin.gq, 1
+tretze-shoes.com, 1
+treurtransport.tk, 1
+trevea.fi, 1
+trevisotoday.it, 1
+trevo-lotofacil.com.br, 0
+trevorblondeel.com, 1
+trevorkay.tk, 1
+trevormarron.co.uk, 1
+trevsanders.co.uk, 1
+treworgeycottages.com, 1
+trexedia.com, 1
+trexweb.tk, 1
+trezor.io, 1
+trezy.me, 1
+trezy.net, 1
+trfmn.gov, 1
+trhastane.com, 1
+trhknih.cz, 1
+tri.gg, 1
+triad.earth, 1
+triadtool.com, 1
+triage.clinic, 1
+triage.com, 1
+triage.md, 1
+triageclinic.com, 1
+triageforensic.com, 1
+trial-server.tk, 1
+trialandsuccess.nl, 1
+trialbyfire.tk, 1
+trialmaaskant.tk, 1
+trials.tk, 1
+trialweb.com.br, 1
+triamudom.in.th, 1
+triamudom.net, 1
+triamudom.org, 1
+triangela.com, 1
+triangela.se, 1
+triangle-energie.com, 1
+trianglecastles.co.uk, 1
+trianglelawngames.com, 1
+trianglepwh.com, 1
+triangletv.rs, 1
+trianglewaverecords.tk, 1
+trib.com, 1
+tribac.de, 1
+tribaldos.com, 0
+tribaljusticeandsafety.gov, 1
+tribalwarsstyles.tk, 1
+tribalzone.tk, 1
+tribe.rs, 1
+tribeca-it.com, 1
+tribecalawsuitloans.com, 1
+tribefanaticsunited.tk, 1
+tribesbeekeepersassociation.com, 0
+tribesofneurot.tk, 1
+tribetokes.com, 1
+tribetrails.com, 1
+tribinagroup.co.id, 1
+tribinary.tk, 1
+tribistovo.tk, 1
+tribunatv.ml, 1
+tribunesia.ga, 1
+tribut.de, 1
+tributh.cf, 1
+tributh.ga, 1
+tributh.gq, 1
+tributh.ml, 1
+tributh.net, 1
+tributh.tk, 1
+tributoconsuegra.tk, 1
+tricare.mil, 1
+tricefy4.com, 1
+tricetirisad.me, 1
+tricherenligne.com, 1
+triciaree.com, 1
+tricityhelpline.com, 1
+tricityrogues.eu, 1
+trickedguys.com, 1
+trickle.works, 1
+tricksforgreeks.com, 1
+trico-pigmentazione.it, 1
+tricolortotal.tk, 1
+tricordmedia.ca, 1
+tricountyathome.com, 1
+tricountyhealthut.gov, 1
+tricountyheatingcooling.com, 1
+tridena.com, 1
+trident-online.de, 1
+trident1000logoi.gr, 1
+tridentdiagnostics.com, 1
+tridentfreightinc.com, 1
+tridentmedia.gq, 1
+tridindia.com, 1
+tridnice.eu, 1
+triedandtruebytrista.com, 1
+triefenbach.com, 1
+triefenbach.eu, 1
+triesteprima.it, 1
+trietment.com, 0
+trieuvy.com, 1
+trifence.ch, 1
+trifence.eu, 1
+trifence.net, 1
+trifence.org, 1
+trifiro.it, 1
+trigate.io, 1
+triggeredpaintz.com, 1
+triggertraders.com, 1
+trigirlpainting.com, 1
+triglovian-clades.com, 1
+trigraph.net, 1
+trigueros.tk, 1
+trigular.de, 1
+trihard.space, 1
+trihedron.tk, 1
+trihunter6000.com, 1
+trik-komputer.tk, 1
+trik.es, 0
+triker.tk, 1
+trikeweb.com, 1
+trikuj.cz, 1
+trillian.im, 1
+trilliondigital.io, 1
+trilliux.me, 1
+trilogymp.com, 1
+trim21.cn, 1
+trimage.org, 1
+trimarix.de, 1
+trimblecombustion.com, 1
+trimblenetworks.com.au, 1
+trimbletl.com, 0
+trimental.de, 1
+trimill.xyz, 1
+trimjoinerycentralcoast.com.au, 1
+trimsalon.tk, 1
+trimsalonelst.nl, 1
+trimtone.com, 1
+trimyourbushforallah.com, 0
+trinartia.com, 1
+trinary.ca, 0
+trinary.tk, 1
+trindonball.com, 1
+trineco.cloud, 1
+trineco.com, 1
+trineco.fi, 1
+tringle.org, 1
+trinhhoangtien.vn, 1
+trinhtrongson.tk, 1
+trini.tk, 1
+trinitasgyor.hu, 1
+trinitatis-leipzig.de, 1
+trinitatiskindergarten.de, 1
+trinitatiskirche-leipzig.de, 1
+trinity.fr.eu.org, 1
+trinity.one, 1
+trinitycore.org, 1
+trinityradioandvideo.org, 1
+trinitysurfaces.com, 1
+trinitywernersville.org, 1
+trinityyardgreetings.com, 1
+trink-und-partyspiele.de, 1
+trinnes.net, 1
+trintocpenalcu.com, 1
+trio.online, 1
+triolait.ca, 1
+triollo-rural.tk, 1
+triomedspa.com, 1
+triomoda.com.br, 1
+trionyx.ph, 1
+triop.se, 1
+triozon.hu, 1
+trip.my, 1
+tripadvicestore.tk, 1
+tripanimal.tk, 1
+triperapp.com, 1
+tripguide.is, 1
+tripisland.tk, 1
+triple1.net, 1
+tripleblossom.com, 1
+triplecrownsports.com, 1
+triplefork.com.ua, 1
+triplejprints.com, 1
+triplekeys.net, 1
+tripleone.co.uk, 1
+triplerinc.ca, 1
+triplesixdesigns.com, 1
+tripletake.com, 1
+triplethreatband.tk, 1
+triplevision.nl, 1
+triplicate.gq, 1
+tripmakery.com, 1
+tripoli.org, 1
+tripolinews.tk, 1
+tripomanija.tk, 1
+tripout.tech, 1
+tripozo.com, 1
+tripp.xyz, 1
+trippati.com, 1
+tripport.com.do, 1
+trips4foodies.com, 1
+tripspoint.com, 1
+triptravels.tk, 1
+tripwire.io, 1
+trisect.uk, 1
+trish-mcevoy.ru, 1
+trisha.tk, 1
+trisolaris.co.uk, 1
+trisomie21-normandie.org, 1
+trissiethehusky.rocks, 1
+tristan.moe, 1
+tristanfarkas.one, 1
+tristansommer.de, 1
+tristatechess.com, 1
+trit.pro, 1
+tritansoft.com, 1
+tritium.cf, 1
+tritoncc.com, 1
+triumc.org, 1
+triumph-duesseldorf.com, 1
+triumph-gera.de, 1
+triumph-hannover.de, 1
+triumph-rheinhessen.de, 1
+triumph-schongau.de, 1
+triumph-stuttgart.de, 1
+triwan.sk, 1
+trixiebooru.org, 1
+trixietainted.net, 1
+trixy.com.br, 1
+triz.co.uk, 0
+trizettoprovider.com, 1
+trkhosting.ga, 1
+trkmakine.com.tr, 1
+trkpuls.tk, 1
+trksystems.com, 1
+trmgo.de, 1
+troc.co.il, 1
+trocaire.org, 1
+trochoi.net, 1
+trockendock.ch, 1
+trockner-fehler.site, 1
+trodat.cf, 1
+trodniescis.gq, 1
+troedel-trolle.de, 1
+troedelhannes.at, 1
+trofeosylogros.com, 1
+trogloditas.tk, 1
+troi.de, 1
+troiaconsultoria.com.br, 1
+troianet.com.br, 1
+trojanchronicles.tk, 1
+trojanherring.com, 1
+trojanrecords.com, 1
+trok.co.il, 1
+trolebusesdevalparaiso.tk, 1
+troll-gaming.tk, 1
+trolla.us, 1
+trolldesign.cf, 1
+trolldi.eu, 1
+trolldi.eu.org, 1
+trollforums.gq, 1
+trollgetslucky.tk, 1
+trollhanttan.cf, 1
+trollhanttan.ga, 1
+trollhanttan.gq, 1
+trollhanttan.tk, 1
+trolliet.fr, 1
+trolling.gq, 1
+trollingeffects.org, 1
+trollmoa.se, 0
+trollolo.tk, 1
+trollos.cf, 1
+trollos.ga, 1
+trollos.gq, 1
+trollos.tk, 1
+trollscave.xyz, 1
+trom.tf, 1
+trommelwirbel.com, 1
+trommstone.de, 1
+trongkhanh.com, 1
+tronika.no, 1
+tronlaserarena.cz, 1
+tronmeo.com, 1
+tronnews.best, 1
+tronnews.co, 1
+tronnews.global, 1
+tronnews.life, 1
+tronnews.live, 1
+tronnews.me, 1
+tronnews.news, 1
+tronnews.world, 1
+tronnews.xyz, 1
+troomcafe.com, 1
+troonnorthgolf.com, 0
+troopaid.info, 1
+troopers.de, 1
+trophcomplewin.ml, 1
+trophies.de, 1
+trophykoi.tk, 1
+trophyshopinc.com, 1
+tropicalhurricanetracker.com, 1
+tropicalislands.tk, 1
+tropicalstandard.com, 1
+tropicalticket.cf, 1
+tropicalticket.ml, 1
+tropicaltravelco.com, 1
+tropicpet.vn, 1
+tropikdeniz.com.tr, 1
+tropiki.tk, 1
+tropiweb.tk, 1
+tropixshipping.com, 1
+troplo.com, 1
+troplo.com.au, 1
+troplo.eu.org, 1
+tropofy.com, 1
+troppotogo.it, 1
+troqueladoras.online, 1
+trosell.net, 1
+trosinenko.com, 1
+tross.tk, 1
+trotec.com, 1
+trotter.cf, 1
+troubles.ru, 1
+troubleshooter.xyz, 1
+troubleshooting.cz, 1
+troubleshooting.support, 1
+troubleshooting.tools, 1
+troubleshootyourvehicle.com, 1
+troupcountyga.gov, 1
+trousers.co.uk, 1
+trouvenet.tk, 1
+trouver-son-chemin.com, 1
+trouvetonbusiness.com, 1
+trouvetonplancul.fr, 1
+trouvez.tk, 1
+trouvons.org, 1
+trouw.nl, 1
+trouwrijk.nl, 1
+trovaprezzi.it, 1
+trovas.ch, 1
+trove.com, 1
+troxal.com, 1
+troyanos.uy, 1
+troyfawkes.com, 1
+troyflexpay.com, 1
+troyhunt.com, 1
+troyhuntstress.com, 1
+troyhuntsucks.com, 1
+troyjanda.com, 1
+troykao.com, 1
+troytn.gov, 1
+troytwpdelawareoh.gov, 1
+troywalworthwi.gov, 1
+troywistcroix.gov, 1
+trpa.gov, 1
+trs.tn, 1
+trtadalafilone.com, 1
+trtadalafilone.net, 1
+trtasarim.tk, 1
+tru.ltd, 1
+truasset.com, 1
+trubapro.com, 0
+trubleeon.fr, 1
+trubmet.tk, 1
+trubos.com.ua, 1
+trucatout.tk, 1
+trucchibellezza.com, 1
+trucchibellezza.it, 1
+truckbossdecks.com, 1
+truckcord.com, 1
+truckdeal.com.ph, 1
+truckerjobusa.com, 1
+truckersdatabase.cf, 1
+truckersmp.com, 1
+truckersworld.tk, 1
+truckingks.gov, 1
+truckscout24.at, 1
+truckscout24.be, 1
+truckscout24.bg, 1
+truckscout24.com, 1
+truckscout24.cz, 1
+truckscout24.de, 1
+truckscout24.dk, 1
+truckscout24.es, 1
+truckscout24.fr, 1
+truckscout24.gr, 1
+truckscout24.hu, 1
+truckscout24.it, 1
+truckscout24.lt, 1
+truckscout24.lv, 1
+truckscout24.nl, 1
+truckscout24.pl, 1
+truckscout24.pt, 1
+truckscout24.ro, 1
+truckscout24.ru, 1
+truckscout24.se, 1
+truckscout24.si, 1
+truckshina-plus.com.ua, 1
+truckspring.com, 1
+trucockpit-demo.com, 1
+trucockpit.ch, 1
+trucockpit.com, 1
+trucosparaelbruto.tk, 1
+trucosuso.org, 1
+trucoswindows.net, 0
+trudicollus.com, 1
+trudo.ca, 1
+trudyblackcrow.tk, 1
+true-colors.tk, 1
+true-itk.de, 1
+trueachievements.com, 1
+trueamateurs.com, 1
+trueasia.ga, 1
+truebarbershopinc.com, 1
+trueccu.com, 1
+truechimer.com, 1
+truecircumcision.tk, 1
+truecosmos.com, 1
+truecrimedaily.com, 1
+truedarkness.tk, 1
+trueduality.net, 1
+trueflowplumbing.com, 1
+trueformroofing.co.nz, 1
+truegether.com, 1
+truehealth.tk, 1
+truekey.com, 1
+truelovesakuya.info, 1
+trueminecraft.com, 1
+truenorthartcollektive.com, 1
+truenorthseedbank.com, 1
+truentumvet.it, 1
+truepartner.academy, 1
+truepartner.asia, 1
+truepartner.capital, 1
+truepartner.cn, 1
+truepartner.education, 1
+truepartner.email, 1
+truepartner.eu, 1
+truepartner.fund, 1
+truepartner.group, 1
+truepartner.hk, 1
+truepartner.holdings, 1
+truepartner.limited, 1
+truepartner.ltd, 1
+truepartner.nl, 1
+truepartner.sg, 1
+truepartner.software, 1
+truepartner.tech, 1
+truepartner.technology, 1
+truepartner.university, 1
+truepartner.us, 1
+truepartneradvisor.cn, 1
+truepartneradvisor.com, 1
+truepartneradvisor.nl, 1
+truepartnercapital.cn, 1
+truepartnercapital.hk, 1
+truepartnercapital.holdings, 1
+truepartnercapital.net, 1
+truepartnercapital.nl, 1
+truepartnercapital.org, 1
+truepartnercapital.sg, 1
+truepartnercapital.us, 1
+truepartnercapitaladvisor.nl, 1
+truepartnercapitalusa.com, 1
+truepartnerchinabondfund.cn, 1
+truepartnerchinafund.cn, 1
+truepartnerchinafuturesfund.cn, 1
+truepartnerchinagrowthfund.cn, 1
+truepartnerchinaoptionsfund.cn, 1
+truepartneredu.com, 1
+truepartnereducation.cn, 1
+truepartnereducation.com, 1
+truepartnerfund.cn, 1
+truepartnerfund.hk, 1
+truepartnerfund.nl, 1
+truepartnerinvestment.com, 1
+truepartnerinvestments.cn, 1
+truepartnerinvestments.com, 1
+truepartnerinvestments.com.hk, 1
+truepartnerinvestments.hk, 1
+truepartnertech.com, 1
+truepartnertech.nl, 1
+truepartnertech.sg, 1
+truepartnertechnology.com, 1
+truepartnertechnology.nl, 1
+truepartnertechnology.sg, 1
+truereligionjeanstore.tk, 1
+truerizm.ru, 1
+truescreen.io, 1
+trueseeing.com, 1
+truessl.shop, 1
+truesteamachievements.com, 1
+truestor.com, 1
+truetraveller.com, 1
+truetrophies.com, 1
+truetype.tech, 0
+trueweb.es, 1
+truewinter.net, 1
+truework.com, 1
+trueworlds.net, 1
+truffe.uk, 1
+trufflemonkey.co.uk, 1
+trufflepig-forensics.com, 1
+truhlarstvi-fise.cz, 1
+truimo.com, 1
+truklink.cf, 1
+truklink.ga, 1
+truklink.gq, 1
+trulock.tk, 1
+trulycharmed.tk, 1
+trumanlibrary.gov, 1
+trumanlibrary.org, 1
+trummer.xyz, 1
+trumpet-call.org, 1
+trumpet-whistleblowing.eu, 1
+trumplibrary.gov, 1
+trumppresidency.org, 1
+trumptragedy.com, 1
+trumptragic.com, 1
+trumpwhitehouse.gov, 1
+trumtruyen.vn, 1
+truncus-encephali.co.uk, 1
+trundr.com, 1
+trunix-forum.tk, 1
+trunk-show.net, 1
+truong.fi, 1
+truonganhdecor.com, 1
+truongnguyen.live, 1
+truongthanhaudio.com, 1
+truopio.com, 1
+truqu.com, 1
+trureg.uk, 1
+truromusicteacher.co.uk, 1
+trusecurity.gq, 1
+truserve.org, 1
+trusifan.tk, 1
+trusitio.com, 1
+truskmedia.tk, 1
+trussgenius.com, 1
+trussville.gov, 1
+trust-btc.ml, 1
+trust-ted.co.uk, 1
+trust.com, 1
+trust.zone, 1
+trust2protect.de, 1
+trustarts.org, 1
+trustcert.net, 1
+trustcert.org, 1
+trustcloud.ai, 1
+trustednetworks.nl, 1
+trustedpropertymanagement.net, 1
+trustedtoolbox.com, 1
+trustee.deals, 1
+trusthook.tk, 1
+trusthub.com, 1
+trustmymail.org, 1
+trustnet.co.il, 0
+trustology.io, 1
+trustpoint.one, 1
+trustreview.tk, 1
+trustserv.de, 1
+trustswiftly.com, 1
+trustvox.com.br, 1
+trustycloud.net, 1
+truten.tk, 1
+truth.com, 1
+truth.tk, 1
+truthdancer.com, 1
+truthmessages.pw, 1
+truthsayer.tk, 1
+truthsocial.com, 1
+trutrip.co, 1
+truvayangin.tk, 1
+trux.tk, 1
+truxa.net, 1
+truxton.tk, 1
+truyen-hentai.co.uk, 1
+truyen-hentai.com, 1
+truyen-hentai.de, 1
+truyen-hentai.fr, 1
+truyen-hentai.ru, 1
+truyenfull.vn, 1
+truyenkiemhiep.com.vn, 1
+truyenmoi.org, 1
+truyenmoivn.com, 1
+truyentienhiep.com.vn, 1
+trveled.com, 1
+trw-reseller.com, 1
+trwebtoon.com, 1
+trxnews.today, 1
+try2admin.pw, 1
+try2hack.it, 1
+tryaatos.com, 1
+trybabyschoice.com, 1
+trycaviar.com, 1
+trychameleon.com, 1
+trydoggo.com, 1
+tryfabulousdiet.com, 1
+tryfabulousskincream.com, 1
+tryfabulousskinserum.com, 1
+tryfrontline.cloud, 1
+tryharder.ca, 1
+tryin.cz, 1
+tryingtotakeoversweden.tk, 1
+tryingtotakeovertheworld.tk, 1
+tryitonline.net, 1
+tryk.tk, 1
+tryknow.com, 1
+trymegadrol.com, 1
+tryndraze.com, 1
+trynewjobs.com, 1
+trynowrinkleseyeserum.com, 1
+trynta.net, 1
+tryonnc.gov, 1
+tryplo.ca, 1
+tryplo.io, 1
+tryplo.net, 1
+tryplo.org, 1
+tryplo.xyz, 1
+trypt.am, 1
+tryptamine.tk, 1
+tryramp.com, 1
+tryreason.com, 1
+tryrebooting.tech, 1
+tryrfsfirst.co.uk, 1
+tryroyalcanin.com, 1
+trystagency.com, 1
+tryti.me, 1
+trytivi.com, 1
+tryupdates.com, 1
+trywesayyes.com, 1
+trz.cz, 1
+ts-farm.ru, 1
+ts-folienmontage.de, 1
+ts-pro-consulting.de, 1
+ts-projects.tk, 1
+ts-public.tk, 1
+ts3-legenda.tech, 1
+ts3.ink, 0
+ts3frei.eu, 1
+ts4rent.eu, 1
+ts5server.eu, 1
+tsacareer.com, 1
+tsacasa.com, 1
+tsacbttest.com, 1
+tsachs.eu, 1
+tsacloud.ml, 1
+tsahf.com, 1
+tsai.com.de, 1
+tsakanakis.tk, 1
+tsaro.io, 1
+tsatestprep.com, 1
+tsatsalashvili.com, 1
+tsb.co.uk, 1
+tsbg.com, 1
+tsbraz.com, 1
+tsbraz.com.br, 1
+tsc.gov, 1
+tsc.tax, 1
+tscampus.online, 1
+tsedryk.ca, 1
+tseng.dedyn.io, 1
+tsentrobuv.tk, 1
+tsenv.net, 1
+tsfempleos.com, 1
+tsg0o0.com, 1
+tsgbcs.org, 1
+tsgbit.net, 1
+tshirai.work, 1
+tshirtgenerator.ga, 1
+tshirtmemoryquilts.com, 1
+tshirtscapetown.com, 1
+tshirtsouthafrica.co.za, 1
+tsico.com, 1
+tsicons.com, 1
+tsig.nl, 1
+tsigaradiko.com, 1
+tsimg.space, 1
+tsiolakisfurs.com, 1
+tsironis-olivenoel.de, 1
+tsja.tk, 1
+tsk.ovh, 1
+tskikoh.com, 1
+tskimwagner.com, 1
+tsla.nu, 1
+tslcontractors.co.uk, 0
+tsmasseur.com, 1
+tsmgroup2.biz, 1
+tsmost.cz, 1
+tsna.cc, 1
+tsoto.net, 1
+tsp.gov, 1
+tspdrits.xyz, 1
+tsproesasac.com, 1
+tsr.best, 1
+tsra.gov.au, 1
+tsriggingequipment.com, 1
+tsrv.pw, 0
+tss.am, 1
+tst-band.tk, 1
+tsu.re, 1
+tsueri.cloud, 1
+tsukhani.com, 1
+tsukikoh.com, 1
+tsukikoh.jp, 1
+tsukuba-it.net, 1
+tsukuba.style, 0
+tsumegumi.com, 1
+tsumi.it, 0
+tsumi.moe, 1
+tsumishima.com, 1
+tsumugu2021.com, 1
+tsunami.gov, 1
+tsunamic.cf, 1
+tsunamikill.tk, 1
+tsundere.moe, 1
+tsura.org, 1
+tsurai.work, 1
+tsurezurematome.ga, 1
+tsurimap.com, 1
+tsuruhime.tk, 1
+tsutawal.com, 1
+tsutaya-ai.com, 1
+tsutsumi-kogyo.jp, 1
+tsuyuzakihiroyuki.com, 1
+tsv-1894.de, 0
+tsv-hittfeld.de, 0
+tsw.ovh, 1
+tsxxlangel.com, 1
+tsybanov.com, 1
+tt-aepfingen.tk, 1
+tt-hardware.com, 1
+tt.gt, 1
+tt0766.com, 1
+tt0966.com, 1
+tt2866.com, 1
+tt2966.com, 1
+tt3666.com, 1
+tt3699.com, 1
+tt3766.com, 0
+tt3999.com, 1
+tt5197.co, 1
+tt6729.co, 1
+tt6729.com, 1
+tt6957.co, 1
+tt7199.com, 1
+tt7299.com, 1
+tt7399.com, 1
+tt8166.com, 1
+tt8266.com, 1
+tt8366.com, 1
+tt9297.co, 1
+tt9728.co, 1
+tt9799.com, 1
+ttb.gov, 1
+ttbonline.gov, 1
+ttc-birkenfeld.de, 1
+ttcak.ddns.net, 1
+ttcf.ca, 1
+ttchan.org, 1
+ttclub.fr, 1
+ttdrive.ru, 1
+ttfin.ch, 1
+tthomes.vn, 1
+ttill.de, 1
+ttkiel.de, 1
+ttlet.com, 1
+ttlg.io, 1
+ttluoli.com, 1
+ttm.jp, 1
+ttnmpls.org, 1
+ttp-shop.com.ua, 1
+ttpwned.com, 1
+ttr-home.com, 1
+ttr3.eu, 1
+ttrade.ga, 1
+ttrecms.com, 1
+tts-assessments.com, 1
+ttshapn.org, 1
+ttsoft.pl, 0
+ttspttsp.com, 1
+ttsteel.co, 1
+ttt-networks.com, 1
+tttfic.com, 1
+ttug.co.uk, 1
+ttunda.com, 1
+ttv-bernisse80.tk, 1
+ttwtrader.com, 1
+tty.space, 1
+tty1.net, 1
+ttyystudio.com, 1
+tu-muenchen.de, 1
+tu6.pm, 1
+tuaflor.com.br, 1
+tualiadaenlimpieza.com, 1
+tuang-tuang.com, 1
+tuasaude.com, 1
+tubach.org, 1
+tubanten.nl, 1
+tubao.com.br, 1
+tubator.com, 1
+tubby.ovh, 1
+tube.tools, 1
+tube8vip.com, 1
+tubebegana.com, 1
+tubedesire.com, 1
+tubehall.com, 1
+tubejack.nl, 1
+tubeju.com, 1
+tubemilf.com, 1
+tubeporn.tv, 1
+tubepornmovies.net, 1
+tubesound.com, 1
+tubeview.cf, 1
+tubeview.ga, 1
+tubexxxone.com, 1
+tubing.cf, 1
+tubs4fun.co.uk, 1
+tubsof.fun, 1
+tubuenpedido.com, 1
+tubul.net, 1
+tubuscador.tk, 1
+tucarora.tk, 1
+tucarroycasa.com, 1
+tucevents.com, 1
+tucidi.net, 1
+tuck2000.com, 1
+tuckerobserver.com, 1
+tuckhayward.art, 1
+tuckmeintebo.com, 1
+tucnak.eu, 1
+tucny.com, 1
+tucson.com, 1
+tucsonfcu.com, 1
+tucsonpcrepair.com, 1
+tucuatro.com, 1
+tucuxi.org, 1
+tudinerito.tk, 1
+tudinhoparasuacasa.com.br, 1
+tudodebompresentes.com.br, 1
+tudorproject.org, 1
+tudorrosesamplerguild.com, 1
+tudosobrehost.com.br, 1
+tudoxwallprinter.com, 1
+tueplay.host, 1
+tueri.eu, 1
+tuerkei-immobilien.tk, 1
+tuespr.com, 1
+tuestilo.nl, 1
+tuev-hessen.de, 1
+tufelicitacion.info, 1
+tuffclassified.com, 1
+tuffmail.com, 1
+tuffmail.net, 1
+tuffsruffs.se, 1
+tufilo.com, 0
+tuftonboronh.gov, 1
+tugadar.com, 1
+tugafm.com, 1
+tugesha.com, 1
+tugnut.tk, 1
+tugrul.blog, 0
+tuhoctainha.net, 1
+tuinaportugal.com, 1
+tuincentersnaet.be, 1
+tuinenhullebroek.be, 1
+tuinenvermeiren.be, 1
+tuingereedschappen.net, 0
+tuinieren.tk, 1
+tuinmeubelkorting.nl, 1
+tuitle.com, 1
+tuja.hu, 1
+tujardin.casa, 1
+tujunfang.com, 1
+tukebab.com, 1
+tuketicihaklari.net, 1
+tukiart.tk, 1
+tula-city.tk, 1
+tula-news.ga, 1
+tulafarms.ga, 1
+tulafarms.gq, 1
+tulalip.gov, 1
+tulana.ga, 1
+tuleap.net, 1
+tuleap.org, 1
+tulevaisuusdemarit.fi, 1
+tuliha.ga, 1
+tulikajain.cf, 1
+tulikajain.ga, 1
+tulikajain.gq, 1
+tulikukko.tk, 1
+tulippublishing.com.au, 1
+tulisan.tk, 1
+tull.tk, 1
+tuller.tk, 1
+tulocura.tk, 1
+tulotos.com, 1
+tulpawiki.org, 1
+tulsa.tech, 1
+tulsameetingroom.com, 1
+tulsaworkshop.org, 1
+tulsaworld.com, 1
+tulumcosmeticos.com.br, 1
+tulup.io, 1
+tum-international.com, 1
+tum.de, 1
+tumagiri.net, 1
+tumanishvili.com, 1
+tumarcafe.com, 1
+tumblenet.tk, 1
+tumblr.com, 1
+tumed-ks.org, 1
+tumedico.es, 1
+tumelum.de, 1
+tumen.cf, 1
+tumen.gq, 1
+tumen.ml, 1
+tumen.tk, 1
+tumentorweb.com.mx, 1
+tumpicon.org, 1
+tumult-productions.tk, 1
+tun.bible, 1
+tuna.be, 1
+tunbiya.com, 1
+tuncelimezaryapimi.com.tr, 1
+tunder.tk, 1
+tundermadar.hu, 1
+tune-web.de, 1
+tunenet.ml, 1
+tuner.cloud, 1
+tunescoot.site, 1
+tuneserver.tk, 0
+tungstenworld.com, 0
+tuning-parts24.de, 1
+tuning-werkstatt-nuernberg.de, 1
+tuningblog.eu, 0
+tunisia-tech.tk, 1
+tunisiadefnews.ga, 1
+tunisiana.tk, 1
+tunisiangamers.tk, 1
+tunisiapress.tk, 1
+tunix-openair.de, 1
+tunktwppolice.gov, 1
+tunnel-staging.googlezip.net, 1
+tunnel.googlezip.net, 1
+tunnel53.net, 1
+tunnelbear.com, 1
+tunnelblick.net, 1
+tunnelbroker.net, 1
+tunnelstore.it, 1
+tunnelstore.net, 1
+tunneltracker.com, 1
+tunnelventilation.pro, 1
+tunnelwatch.com, 1
+tunningcars.tk, 1
+tunochebuena.com, 1
+tunombre.tk, 1
+tuntitili.fi, 1
+tuol-sleng.tk, 1
+tuomiset.com, 1
+tuoni.ga, 1
+tuotromedico.com, 1
+tuotteet.org, 1
+tuou.xyz, 0
+tupahost.net.br, 1
+tupass.pw, 1
+tupatane.gq, 1
+tuperiodico.soy, 0
+tupeuxpastest.ch, 0
+tupi.fm, 1
+tuppenceworth.ie, 1
+tuppennysfireplace.com, 1
+tupperwaresalamanca.com, 1
+tupsicoayuda.com, 0
+tupugoya.org, 1
+tur.bo, 1
+tur17.com, 1
+turadio.tk, 1
+turadionline.cf, 1
+turalt.com, 1
+turanga.tk, 1
+turanlawoffice.com, 1
+turanogluoptik.com, 1
+turbaza.tk, 1
+turbinadordigital.tk, 1
+turbinaonline.tk, 1
+turbineaero.com, 1
+turbinelectricity.ga, 1
+turbo.az, 1
+turbo24.com, 1
+turbocourses.net, 1
+turbodata.no, 1
+turbodata.org, 1
+turbohost.co.mz, 0
+turbomag.pl, 1
+turbomodz.com, 1
+turbomodz.es, 1
+turbosim.de, 1
+turbotube.ga, 1
+turbowheels.biz, 1
+turboworld.tk, 1
+turc.church, 1
+turcan.de, 1
+turciya.cf, 1
+tures-aurina.it, 1
+turf-experts.com, 0
+turfirm.tk, 1
+turgut46.tk, 1
+turi.space, 1
+turikslab.tk, 1
+turing.bio, 1
+turisbrasil.com, 1
+turisbrasil.com.br, 1
+turiscar.pt, 1
+turismoeviagens.com, 1
+turismogdl.com, 1
+turismoliliana.tk, 1
+turismomagdalena.com, 1
+turitzadr.com, 1
+turizm.gq, 1
+turizm.tk, 1
+turizm21.ru, 1
+turizmsektoru.ga, 1
+turizmsektoru.tk, 1
+turkana.tk, 1
+turkanime.co, 1
+turkcechat.tk, 1
+turkcedizin.tk, 1
+turkceingilizce.gen.tr, 1
+turkceyama.com, 1
+turkcoder.tk, 1
+turkdevs.net, 1
+turkey-portal.tk, 1
+turkeyfiles.tk, 1
+turkeymistress.tk, 1
+turkeyobesity.com, 1
+turkeysforlife.com, 1
+turkeysms.com.tr, 1
+turkgiller.com, 1
+turkgrafik.tk, 1
+turkhacks.com, 1
+turkhalkmuzigi.tk, 1
+turkiet.guide, 1
+turkishhackers.tk, 1
+turkishyatirim.com, 1
+turkist.tk, 1
+turkistan-rap.tk, 1
+turkiye.ai, 0
+turkkarate.tk, 1
+turkman.ml, 1
+turkman.tk, 1
+turkmanbox.tk, 1
+turkmanga.com.tr, 1
+turkmannews.tk, 1
+turkmans.tk, 1
+turkmen.news, 1
+turkmenbusiness.tk, 1
+turkmenistanairlines.tm, 1
+turkmens.tk, 1
+turkmirc.tk, 1
+turkmistress.tk, 1
+turkodon.com, 1
+turkology.tk, 1
+turkrap.tk, 1
+turkreno.com, 1
+turkrock.com, 1
+turkron.pro, 0
+turksell.ru, 1
+turksite.tk, 1
+turksiteleri.tk, 1
+turksohbet.com, 1
+turkteam.tk, 1
+turktelekomarenagolleri.tk, 1
+turktree.com, 1
+turkup.ml, 1
+turkuradyo.tk, 1
+turkutitans.tk, 1
+turl.pl, 1
+turlewicz.pl, 1
+turlockca.gov, 1
+turm-umzuege.de, 1
+turn-sticks.com, 1
+turnali.tk, 1
+turnalikoyu.tk, 1
+turnaroundinsights.com, 1
+turnbacktogod.com, 1
+turncircles.com, 1
+turneragsupply.com, 0
+turneroregon.gov, 1
+turnet.tk, 1
+turnierplanung.com, 1
+turnkey-ips.com, 1
+turnkeycybersecurityandprivacysolutions.com, 1
+turnningpoint.xyz, 1
+turnoffthelights.com, 1
+turnoffthelights.video, 1
+turnonsocial.com, 1
+turnosinscripcionchascomus.site, 1
+turnout.rocks, 1
+turnover.cf, 1
+turnto23.com, 1
+turntup.co.jp, 1
+turobot.casa, 1
+turoktv.org, 1
+turpinpesage.fr, 1
+turquoisetassel.com, 1
+turretlabs.io, 1
+tursa.com.au, 1
+turteka.com, 1
+turtle.ai, 0
+turtleduckstudios.com, 1
+turtlehead.tk, 1
+turtles.ga, 1
+turtleteam.fr, 1
+turtunis.ml, 1
+turul.tk, 1
+turuncu-sepet.com, 1
+turunculevye.com, 1
+tus-kikishinkyo.jp, 1
+tus.si, 1
+tusar.cf, 1
+tusar.ga, 1
+tuscanyleather.it, 0
+tusconsultorex.com, 1
+tusdtapi.com, 1
+tusfinanzas.ec, 1
+tusharwalaskar.com, 1
+tusi.co, 1
+tusksol.com, 1
+tuslamparasonline.com, 1
+tusmedicamentos.com, 1
+tusociofinanciero.com, 1
+tussenuur.tk, 1
+tustin.tk, 1
+tusuri.tk, 1
+tut-kino.tk, 1
+tuta.com, 1
+tuta.io, 1
+tuta.pm, 1
+tutamail.com, 1
+tutamon.net, 1
+tutanota.com, 1
+tutanota.de, 1
+tutao.de, 1
+tutarot.club, 1
+tutdevki.tk, 1
+tuteepdf.com, 1
+tutiendard.ga, 1
+tutierra.net, 1
+tutima.com, 1
+tuto-craft.com, 1
+tutocursos.com, 1
+tutomaestro.ca, 1
+tutorcruncher.com, 1
+tutorial90.cf, 1
+tutorialcoding.ga, 1
+tutorialcoding.tk, 1
+tutorialdb.tk, 1
+tutorialehtml.com, 1
+tutorialforest.com, 1
+tutorialhtml.tk, 1
+tutoriali.tk, 1
+tutorialinux.com, 1
+tutorialitmalaysia.tk, 1
+tutorialphotoshop.tk, 1
+tutorials.vg, 1
+tutorialseo.com.br, 1
+tutoriel-arduino.com, 1
+tutoringindustry.tk, 1
+tutorio.ga, 1
+tutormedia.net, 0
+tuts4you.com, 1
+tutteo.com, 1
+tuttimundi.org, 0
+tuttleok.gov, 1
+tuttoandroid.net, 1
+tuttonotizie.eu, 1
+tutu.ro, 1
+tutucos.com, 1
+tutudaju.com, 1
+tuulialaine.com, 1
+tuvankinhdoanhonline.com, 1
+tuvanmat.com, 1
+tuversionplus.com, 1
+tuvingaynay.com, 1
+tuwaner.com, 1
+tuxamca.com, 1
+tuxcare.com, 1
+tuxcloud.duckdns.org, 1
+tuxcloud.net, 1
+tuxflow.de, 0
+tuxforums.com, 1
+tuxhound.org, 1
+tuxie.com, 1
+tuxito.tk, 1
+tuxlife.net, 1
+tuxlinux.tk, 1
+tuxmobil.cf, 1
+tuxpeliculas.com, 1
+tuxphones.com, 1
+tuxpi.com, 1
+tuxplace.nl, 1
+tuxsoul.com, 1
+tuxsrv.com, 1
+tuyen.blog, 1
+tuyen.me, 1
+tuyen.xyz, 1
+tuyetchieuwebsite.tk, 1
+tuz-es-munkavedelem.hu, 1
+tuza.com.au, 1
+tuzaginside.com, 1
+tuzagtcs.com, 1
+tuzaijidi.com, 1
+tuzlamap.tk, 1
+tuzlasite.tk, 1
+tv-hot.com, 1
+tv-mainzlar.de, 1
+tv-online.ml, 1
+tv-programme.be, 1
+tv-programme.com, 1
+tv-radio.com, 1
+tv-sports.fr, 1
+tv-tuners.cf, 1
+tv-zone.tk, 1
+tv.kg, 1
+tv9gujarati.com, 1
+tvabullarbro.tk, 1
+tvaerialsmanchester.com, 1
+tvarkaulietuva.lt, 1
+tvatomic.com, 1
+tvbarled.com, 1
+tvboxstop.com, 1
+tvbracketman.co.uk, 1
+tvcal.net, 1
+tvchannelslive.tk, 1
+tvcmarketing.com, 1
+tvdenevar.net, 0
+tvears.com, 1
+tvenligne.tk, 1
+tver-msk.ru, 1
+tver2000.tk, 1
+tver69.tk, 1
+tveronline.tk, 1
+tvfamilie.be, 1
+tvfans.ga, 1
+tvfans.tk, 1
+tvfcu.com, 1
+tvfr.gov, 1
+tvgsc.sg, 1
+tvguide.com, 1
+tview.co.uk, 1
+tvindia.tk, 1
+tvipper.com, 1
+tvk.tirol, 1
+tvkaista.com, 1
+tvkaista.net, 1
+tvkaista.org, 1
+tvkaren.tk, 1
+tvlanguedoc.com, 1
+tvleaks.se, 1
+tvlplus.net, 1
+tvmice.tk, 1
+tvmodules.it, 1
+tvmounting-houston.com, 1
+tvnow.de, 1
+tvoedelo.ml, 1
+tvoia-dietka.tk, 1
+tvoistatusy.tk, 1
+tvoistili.ml, 1
+tvojeucetnictvi.cz, 1
+tvorog.dedyn.io, 1
+tvos.eu, 1
+tvoyaknighka.ga, 1
+tvoysad.ru, 0
+tvquot.es, 1
+tvrestyler.eu, 1
+tvreviewer.tk, 1
+tvs-virtual.cz, 1
+tvseasons.tk, 1
+tvseries.info, 1
+tvsheerenhoek.nl, 1
+tvsscs.com, 1
+tvstore-247.net, 1
+tvtj.ml, 1
+tvtsvod.com, 1
+tvzahist.com.ua, 1
+tw-louis.com, 0
+tw.edu.pl, 1
+tw.search.yahoo.com, 0
+twa.travel, 1
+twainhartehotels.com, 1
+twakkensi.cf, 1
+twatspot.com, 1
+twb.berlin, 1
+twcgcm.com, 1
+twd2.me, 1
+twd2.net, 0
+twdinjurylaw.com, 1
+twdreview.com, 1
+twdtulelo.hu, 1
+tweakers.com.au, 1
+tweakers.net, 1
+tweakersbadge.nl, 1
+tweaktown.com, 1
+tweaktownforum.com, 1
+tweaky.tk, 1
+tweedagenextravakantie.nl, 1
+tweedandtalon.co.uk, 1
+tweedehandskledij.be, 1
+tweedehandsmerkkledij.be, 1
+tweedekamer.nl, 1
+tweekshow.tk, 1
+tweemaster.tk, 1
+tweeple.ga, 1
+tweetadder.fr, 1
+tweetfinity.com, 1
+tweetfinityapp.com, 1
+tweetyconnect.com, 1
+twelve-inch-classics.tk, 1
+twelve.rocks, 1
+twelvecolonies.tk, 1
+twelvecornerspediatrics.com, 1
+twem.ddns.net, 1
+twerk.tk, 1
+twfwd.email, 1
+twidy.jp, 0
+twidy.uk, 1
+twig.sg, 0
+twigandolive.com, 1
+twilightcookies.ca, 1
+twilightkingdom.tk, 1
+twilightningzone.tk, 1
+twilite.co.uk, 1
+twilite.uk, 1
+twilo-host.de, 1
+twilo.de, 1
+twincap-first.de, 1
+twincapfirst.ch, 1
+twincapsula.co.jp, 1
+twincitynissantxparts.com, 1
+twindii.com, 1
+twinfield-apps.nl, 1
+twinflame.tf, 1
+twinflame.voyage, 1
+twinhealth.com, 1
+twinkpop.com, 1
+twinkseason.com, 1
+twinlakeswi.gov, 1
+twinspringcoupling.com, 1
+twinstudiosparis.com, 1
+twinztech.com, 1
+twist.com, 1
+twistapp.com, 1
+twistbets.com, 1
+twistedfamilies.com, 1
+twistedoakonline.com, 1
+twistedwave.com, 1
+twistersolutions.com, 1
+twistertech.com.br, 1
+twistfix.co.uk, 1
+twistmc.net, 1
+twisto.cz, 1
+twisto.pl, 1
+twistopay.com, 1
+twistpedia.com, 1
+twistys.com, 1
+twistysnetwork.com, 1
+twit-guide.com, 1
+twitchplaysleaderboard.info, 1
+twitchy.tk, 1
+twitcker.com, 1
+twittelzie.nl, 1
+twitter.ax, 1
+twitter.com, 0
+twitterdriver.io, 1
+twittervid.com, 1
+twittpr.com, 1
+twizzle.net, 1
+twl-clan.tk, 1
+twlan.org, 1
+twlitek.com.tw, 1
+twma.pro, 1
+twmartin.codes, 1
+two-step-verification.solutions, 1
+twoandahalfvan.eu, 1
+twobitbusker.com, 1
+twobridges.co.uk, 1
+twobrothersbbq.com, 0
+twocatsinacaravan.xyz, 1
+twocornertiming.com, 1
+twodadsgames.com, 1
+twoef.co.uk, 1
+twofestivaltower.au, 1
+twofestivaltower.com, 1
+twofestivaltower.com.au, 1
+twohuo.com, 1
+twojapogoda.pl, 1
+twojfaktum.pl, 1
+twolinesmedia.eu, 1
+twolittlefleas.co.uk, 1
+twoninersix.com, 1
+twonodes.games, 0
+twopipes.net, 1
+twopipes.org, 1
+twoqi.com, 0
+tworaz.net, 1
+twoseven.xyz, 1
+twospirits.org, 1
+twotravel.world, 1
+twr.org, 1
+twslots.online, 1
+twtf.org.uk, 1
+twtr.email, 1
+twwd.de, 1
+tx299.com, 0
+tx577.com, 1
+txbooster.com, 1
+txcap.org, 1
+txcheckup.com, 1
+txferretrescue.org, 1
+txhb.gov, 1
+txlocksmiththewoodlands.com, 1
+txlrs.org, 1
+txryan.com, 1
+txtd.io, 1
+txtdb.com, 1
+txtdirect.com, 1
+txtdirect.dev, 1
+txtdirect.io, 1
+txtdirect.link, 1
+txtdirect.me, 1
+txtdirect.org, 1
+txtentertainment.ga, 1
+txtfile.eu, 0
+txtnovel.me, 1
+txtnovel.net, 1
+txurologist.com, 1
+txwriterstudio.com, 1
+ty0m.com, 1
+ty529.com, 1
+ty573.com, 1
+ty583.com, 1
+ty587.com, 1
+ty593.com, 1
+ty5998.com, 1
+ty613.com, 1
+ty637.com, 1
+ty679.com, 1
+ty705.com, 1
+ty723.com, 0
+ty736.com, 1
+ty791.com, 1
+ty835.com, 0
+ty935.com, 1
+ty937.com, 1
+ty962.com, 0
+ty965.com, 1
+ty980.com, 1
+tyan.com, 1
+tybox.ca, 1
+tyc001.cc, 1
+tyc009.cc, 1
+tycaa.org, 1
+tycatering.com, 1
+tycho.org, 1
+tycho.tk, 1
+tychoverstraete.be, 1
+tycyc88.com, 1
+tyentitaly.com, 1
+tygochrum.se, 0
+tyinnovations.com, 1
+tyk.io, 1
+tyl.io, 1
+tylb.io, 1
+tyler.rs, 1
+tylerdavies.net, 1
+tylerdurden.ml, 1
+tylergordonhill.com, 1
+tylerharcourt.com, 1
+tylerharcourt.net, 1
+tylerharcourt.org, 1
+tylermade.net, 1
+tylermn.gov, 1
+tylerobrien.org, 1
+tyleromeara.com, 1
+tylerpayne.tk, 1
+tylerschmidtke.com, 0
+tylervigario.com, 1
+tylko-wazne.tk, 1
+tymoch.pl, 1
+tymyrddin.space, 1
+tyndalehouse.com, 1
+tynefm.tk, 1
+tyni-goc.gq, 1
+tyni-gof.gq, 1
+tynki-maszynowe.tk, 1
+tyojyu.or.jp, 0
+type1joe.com, 1
+type1joe.net, 1
+type1joe.org, 1
+type74.ir, 1
+typecheck.io, 1
+typecheckapp.com, 1
+typecho.site, 0
+typeclasses.com, 1
+typecodes.com, 1
+typegrow.com, 1
+typehub.net, 1
+typeof.pw, 1
+typeonejoe.com, 1
+typeonejoe.net, 1
+typeonejoe.org, 1
+typeria.net, 1
+typescript-weekly.com, 1
+typesofdogs.info, 1
+typesofnote.com, 1
+typesolution.pt, 1
+typetwodiabetesexplained.com, 1
+typewolf.com, 1
+typewriter.tk, 1
+typher.eu, 1
+typhlos.fr, 1
+typica.com.tw, 1
+typing.com, 1
+typingcheck.ga, 1
+typist.tech, 1
+typo3.com, 1
+typosphere.fr, 1
+typr.com, 1
+tyr0wl.com, 1
+tyrael.eu, 1
+tyraga.ga, 1
+tyrannize.us, 1
+tyrasuki.be, 1
+tyre-search.ga, 1
+tyree.tech, 1
+tyres-mechanical.com.au, 1
+tyrkey.tk, 1
+tyrocity.com, 1
+tyronega.gov, 1
+tyroola.co.id, 1
+tyroola.co.nz, 1
+tyroola.com.au, 1
+tyroola.de, 1
+tyroola.it, 1
+tyroola.nl, 1
+tyroremotes.co.uk, 1
+tyroremotes.es, 1
+tyroremotes.eu, 1
+tyroremotes.fr, 1
+tyroremotes.nl, 1
+tyroremotes.no, 1
+tyroremotes.pt, 1
+tyroremotes.se, 1
+tyrulez.tk, 1
+tysukakorrekt.ga, 1
+tysye.ca, 1
+tytixazo.tk, 1
+tytocare.com, 1
+tytod.com, 1
+tyukanyo.hu, 1
+tyumen.ga, 1
+tyuning-avto.tk, 1
+tyva.gq, 1
+tyva.ml, 1
+tyva.tk, 1
+tz9.co, 1
+tzchz.pp.ua, 1
+tzdn.gq, 1
+tzeribi.fr, 1
+tzgo.at, 1
+tzifas.com, 0
+tzinsurance.com, 1
+tziyona.net, 1
+tznews.me, 1
+tzonevrakis.gr, 1
+tzsec.com, 1
+tzsrv.cf, 1
+tzsrv.com, 1
+tzsrv.de, 1
+tzsrv.tk, 1
+tzstamp.io, 1
+tzunami.tk, 1
+tzunamiblog.tk, 1
+tzwe.com, 1
+u-chan.com, 0
+u-he.com, 1
+u-olymp.ru, 1
+u-page.nl, 1
+u-watch.it, 1
+u.nu, 1
+u.sb, 1
+u00228.com, 0
+u0060.com, 0
+u0070.com, 1
+u0080.com, 0
+u03.fr, 1
+u05.cn, 1
+u1100.com, 1
+u1144.com, 1
+u12buy.com, 1
+u15.info, 1
+u15b1.com, 1
+u15b2.com, 1
+u15jj.com, 1
+u15p1.com, 1
+u15p2.com, 1
+u15p5.com, 1
+u15p6.com, 1
+u15p7.com, 1
+u15p8.com, 1
+u15x.com, 1
+u175.com, 1
+u29dc.com, 1
+u2b.eu, 1
+u2co.de, 1
+u2croatia.tk, 1
+u2fanlife.com, 1
+u2galicia.tk, 1
+u32i64.cf, 1
+u36533.com, 1
+u4.re, 1
+u4mh-dev-accesscontroller.azurewebsites.net, 1
+u4mh-dev-portal.azurewebsites.net, 1
+u5.re, 1
+u51365.com, 1
+u5197.co, 1
+u6729.co, 1
+u6729.com, 0
+u6957.co, 1
+u6957.com, 0
+u6a5hqf.top, 1
+u7ae.com, 1
+u81365.com, 1
+u82365.com, 1
+u9297.co, 1
+u9728.co, 1
+ua-1x-bet.com, 1
+ua-autonews.tk, 1
+ua-fediland.de, 0
+ua-news.tk, 1
+ua.search.yahoo.com, 0
+ua1xbet.com, 1
+ua1xbet1967.com, 1
+ua577.com, 1
+ua5v.com, 1
+uab.tv, 1
+uachemlabs.com, 1
+uae-auto.ru, 1
+uae-company-service.com, 1
+uaefiu.gov.ae, 1
+uaestorages.com, 1
+uafinance.net, 1
+ualove.tk, 1
+uamxsociologia.tk, 1
+uanews.tk, 1
+uapp.win, 1
+uareferat.tk, 1
+uartpastelpaper.com, 1
+uasaumur.com, 1
+uash.tk, 1
+uasmi.com, 1
+uasonics.tk, 1
+uat-activesg.com, 1
+uat-mypfp.co.uk, 1
+uateach.tk, 1
+uatgootax.ru, 0
+uathq.com, 1
+uatuning.com.ua, 1
+uatx.mx, 1
+uavis.com.au, 1
+ub.edu.vn, 1
+ub.net, 1
+ub3rk1tten.com, 1
+ub889.com, 1
+uba-tra.tk, 1
+ubaid.tk, 1
+ubaldopoa.tk, 1
+ubanks.com.ua, 1
+ubanquity.com, 0
+ubcani.com, 1
+uber-work.tk, 1
+uberactivist.com, 1
+uberalles.live, 1
+uberboxen.net, 1
+ubereatspos.com, 1
+ubergamingworld.tk, 1
+uberhorny.tk, 1
+uberi.fi, 1
+ubermail.me, 1
+uberpromocodes.us, 1
+ubersmith.com, 1
+uberwald.ws, 1
+ubezpieczeniaonline.pl, 1
+ubezpieczeniazyciowe.pl, 1
+ubezpieczenie.com.pl, 1
+ubezpieczeniemieszkania.pl, 1
+ubezpieczenienanarty.pl, 1
+ubezpieczenienarciarskie.pl, 1
+ubezpieczenienazycie.net.pl, 1
+ubezpieczeniepsa.com, 1
+ubezpieczenieturystyczne.com.pl, 1
+ubezpieczeniezycia.pl, 1
+ubezpieczeniezyciowe.pl, 1
+ubezpieczonamama.pl, 1
+ubezpieczonedziecko.pl, 1
+ubicaciones-vitamina.cl, 1
+ubicv.com, 1
+ubill.ge, 1
+ubimail.org, 1
+ubiminds.com, 0
+ubiqubit.it, 1
+ubis.group, 1
+ubiurbe.com, 1
+ubleam.com, 0
+ubn-speed.fr, 0
+ubonit.pl, 1
+uborcare.com, 1
+uborka-812.ru, 1
+uborka-kvartir-moskva.gq, 1
+uborka-snega.ga, 1
+ubun.kr, 1
+ubun.net, 1
+ubuntu-es.org, 1
+ubuntu-tr.net, 1
+ubuntu-tutorials.com, 1
+ubuntu.marketing, 1
+ubuntu18.com, 1
+ubuntuproductions.fi, 1
+ubutovo.ga, 1
+ubwash.re, 1
+ubytovanihyncice.cz, 1
+ubytovnastrazske.sk, 1
+ubzoo.tk, 1
+uc4h.com, 1
+ucac.nz, 0
+ucangiller.com, 1
+ucaskernel.com, 1
+ucayim.com, 1
+ucb.com, 1
+ucbconcierge.jp, 1
+ucbostad.se, 1
+ucch.be, 0
+uccisme.net.ua, 1
+ucdap.com, 1
+ucemich.edu.mx, 1
+ucero.tk, 1
+ucfirst.nl, 1
+ucg-international.com, 1
+uchargeapp.com, 1
+ucheba.cf, 1
+ucheba.ga, 1
+ucheba.gq, 1
+ucheba.tk, 1
+uchicagomedicine.org, 1
+ucibt.com, 1
+ucih.ru, 1
+ucinvest.com.au, 1
+uciplasticsurgery.com, 1
+uck.i.ng, 1
+uckunlaboratuvari.com, 1
+uclf.de, 1
+uclip.club, 1
+ucmatedeveloper.gq, 1
+ucmjlawyers.com, 1
+ucmultrasuoni.it, 1
+ucngame.com, 1
+ucphotography.net.au, 1
+ucppe.org, 1
+ucraft.ai, 1
+ucrdatatool.gov, 1
+ucreate.site, 1
+ucretleri.net, 1
+ucsi.link, 1
+uctarna.online, 1
+ucybodyinc.com, 1
+udaap.org, 1
+udancy.com, 1
+udaneprzepisy.pl, 1
+udb.kr, 1
+udbina.tk, 1
+uddate-linthdcp-3345app.com, 1
+uddate-linthdcp-567app.com, 1
+uddi.ng, 1
+uddin.io, 1
+udemons.be, 1
+udenit.de, 1
+udenlandskecasinoer.dk, 1
+udenlandskeonlinecasino.com, 1
+udenrigspolitik.dk, 1
+udi.no, 1
+udid.fyi, 1
+udien.tk, 1
+udigital.nl, 1
+udik.tk, 1
+udinetoday.it, 1
+udla.edu.ec, 1
+udmarbella.tk, 1
+udmddn.ru, 1
+udmurtia.tk, 1
+udo-luetkemeier.de, 1
+udomain.net, 1
+udp.pw, 0
+udp.sh, 0
+udruga-point.hr, 1
+udsocial.com, 1
+udtonline.com, 1
+udvoukocek.eu, 1
+ue30.fun, 1
+ueba1085.jp, 1
+ueberdosis.io, 0
+uebersetzungscenter.ch, 1
+ueberwachungspaket.at, 1
+uedaviolin.com, 1
+uefeng.com, 0
+uel-thompson-okanagan.ca, 1
+ueliexpress.ch, 1
+uesaz.com, 1
+uesc.org, 1
+uesociedadlimitada.com, 1
+uestc.icu, 1
+uevan.com, 1
+uf-ace.com, 1
+uf-lmsan.pt, 1
+ufa-soft.tk, 1
+ufacesign.in, 1
+ufanet.id, 1
+ufanisi.mx, 1
+ufar-ntds.org, 1
+ufero.co.za, 1
+uffserver.ml, 1
+ufh.com.cn, 1
+ufindme.at, 1
+ufirst.ro, 1
+uflmsan.pt, 1
+ufo.moe, 0
+ufocentre.com, 1
+ufoch.com, 0
+ufoet.cn, 0
+ufologiahistorica.tk, 1
+ufologiaweb.tk, 1
+ufone.com, 1
+ufone.net, 1
+ufopaedia.org, 1
+ufos.tk, 1
+ufplanets.com, 1
+ufst.dk, 1
+ug.gg, 1
+ugarte-zestoa.com, 1
+ugb-verlag.de, 0
+ugc.fr, 1
+ugcdn.com, 1
+ugeek.tk, 1
+ugg.com, 1
+uggedal.com, 1
+ugirlx.com, 1
+ugis.info, 1
+uglycat.com, 1
+uglycat.eu, 1
+uglycat.net, 1
+uglycat.org, 1
+uglycat.social, 1
+uglydogpgh.com, 1
+uglypeople.com, 1
+ugmtc.org, 1
+ugolovnyj-advokat.cf, 1
+ugolsibiri.ru, 1
+ugrod.ru, 1
+ugsonline.tk, 1
+uguragdas.com.tr, 1
+ugurkorkmazyurek.com, 1
+ugurnakliyat.com.tr, 1
+uguu.se, 1
+ugx-mods.com, 1
+ugy.es, 1
+uhasseltctf.be, 1
+uhasseltctf.ga, 1
+uhc.gg, 1
+uhcuhcas.cf, 1
+uhcuhcas.ga, 1
+uhcuhcas.gq, 1
+uhcuhcas.ml, 1
+uhcuhcas.tk, 1
+uhes.com.sg, 1
+uhingaro.com, 0
+uhl.site, 1
+uhlhosting.ch, 1
+uhnwarfarinedu.ca, 1
+uhost.cyou, 1
+uhrenlux.de, 1
+uhuc.de, 1
+uhurl.net, 1
+ui.com, 1
+ui.gov, 1
+ui8.net, 1
+uiberlay.cz, 1
+uicchy.com, 1
+uid0.pl, 1
+uiharu.top, 1
+uika-bogor.ac.id, 1
+uinst.tk, 1
+uinvest.ml, 1
+uinvest.tk, 1
+uiop.link, 1
+uirysa.pl, 1
+uisd.net, 1
+uitdeoudekoektrommel.com, 1
+uiterwijk.org, 1
+uitgeverij-deviant.nl, 1
+uitingent.be, 1
+uitvaartgoessens.be, 1
+uitvaartverzekeringwijzer.net, 0
+uitvaartvrouwenfriesland.nl, 1
+uiuo.de, 1
+uizard.io, 1
+uj2008.com, 1
+ujam.com, 1
+ujeb.link, 1
+ujiyasu.com, 1
+ujjivan.com, 1
+ujob.com.cn, 1
+ujotthon.hu, 1
+ujvary.eu, 1
+uk.search.yahoo.com, 0
+ukari.hokkaido.jp, 0
+ukb.sch.id, 0
+ukbc.london, 1
+ukc2.com, 1
+ukcarers.tk, 1
+ukdefencejournal.org.uk, 1
+ukfoodbox.co.nz, 1
+ukforum.net, 1
+ukhas.net, 1
+ukimmigration.law, 1
+ukitbs.com, 1
+ukiuki.photography, 1
+ukkeyholdingcompany.co.uk, 1
+uklawfirm.tk, 1
+uklidgaraze.fun, 1
+uklizim.fun, 1
+uklizimgaraz.fun, 1
+ukmalls.co.uk, 1
+ukmeetandgreet.com, 1
+ukmerges-vaikyste.lt, 1
+ukmoneyman.com, 1
+ukmortgagecompare.co.uk, 1
+uknew.co, 1
+uknews.ga, 1
+uknews.ml, 1
+uknewsroom.tk, 1
+uknewsweek.com, 1
+ukooku.com, 1
+ukosystudio.com, 1
+ukozliku.cz, 1
+ukpass.co, 1
+ukpr.group, 1
+ukpropertyrescue.com, 1
+ukpts.org, 1
+ukraflora.ua, 1
+ukrainci.com.ua, 1
+ukraine-standart.com.ua, 1
+ukrainians.ch, 1
+ukrainianwall.com, 1
+ukrainskie-konstrukcii.com.ua, 1
+ukrapak.com.ua, 1
+ukrcredit.net, 1
+ukrn.io, 1
+ukrnames.com, 1
+ukrnet.co.uk, 1
+ukrtabletki.tk, 1
+ukrzoloto.ua, 1
+ukseafood.co.uk, 1
+ukshg.org, 1
+uksv.co.uk, 0
+ukta.tk, 1
+uktw.co.uk, 0
+uku.lt, 1
+ukulele.co.nz, 1
+ukulelesite.com.br, 1
+ukunlocks.com, 1
+ukutabs.com, 1
+ukwct.org.uk, 1
+ul-fluglehrer.de, 1
+ulax.org, 1
+ulax.tk, 1
+ulbr.dnshome.de, 1
+ulconnect.com, 1
+uldsh.de, 1
+ulement.com, 1
+ulen.me, 1
+ulet.tk, 1
+ulfmikaelmattsson.se, 1
+ulgaipbox.online, 1
+uli-eckhardt.de, 1
+ulickaprozivot.cz, 1
+ulike123.com, 1
+ulitroyo.com, 1
+ullah.se, 1
+ulli.ml, 1
+ullrich-group.de, 1
+ullrich-services.de, 1
+ulm-eurofox.fr, 1
+ulmer-schneesport.de, 1
+ulnesshealth.com, 1
+ulobby.eu, 1
+uloztoasdilej.cz, 1
+ulprospector.com, 1
+ulrichracing.com, 1
+ulrik.moe, 1
+ulrikethiele.de, 1
+ulsterbank.co.uk, 1
+ulsterbank.ie, 1
+ulsters.cf, 1
+ulstersheriffny.gov, 1
+ultaa.ru, 1
+ultahost.com, 1
+ultalabtests.com, 1
+ultima-ratio.at, 1
+ultimasearch.com, 1
+ultimasword.tk, 1
+ultimate-fireworks.tk, 1
+ultimateappreviews.co, 1
+ultimatebabyshowergifts.ga, 1
+ultimatebattle.tk, 1
+ultimatebattles.club, 1
+ultimatecheerleaders.com, 1
+ultimateclub.tk, 1
+ultimatefilmpromotion.com, 0
+ultimatefxtools.com, 0
+ultimategamechair.com, 1
+ultimategaming.tk, 1
+ultimatehalo.tk, 1
+ultimatelifesupport.ga, 1
+ultimatemafia.be, 1
+ultimatemafia.de, 1
+ultimatemafia.net, 1
+ultimatemafia.nl, 1
+ultimatemapping.tk, 1
+ultimatemotherfuckingwebsite.com, 1
+ultimatempb.com.au, 1
+ultimatepaleoguide.com, 1
+ultimateparts.nl, 1
+ultimatepatrol.de, 1
+ultimatepower.ga, 1
+ultortech.com, 1
+ultra-fast.net, 1
+ultra-pro.ga, 1
+ultra.gen.tr, 1
+ultra.law, 1
+ultra4k.com, 1
+ultrabkk.com, 1
+ultracentr.ml, 1
+ultracoupon.net, 1
+ultrafine.cf, 1
+ultralife.cf, 1
+ultraman.tk, 1
+ultramax.biz, 1
+ultramookie.com, 0
+ultraonline.ml, 1
+ultrapedic.com, 1
+ultrarare.space, 1
+ultras-venlo.tk, 1
+ultrasite.tk, 1
+ultrasocial.ml, 1
+ultrasoftpressurewashing.com, 1
+ultrasoundtechnicianschools.com, 1
+ultrastar-es.org, 1
+ultrasvargon.tk, 1
+ultratechlp.com, 1
+ultratress.com, 1
+ultraviolence.tk, 1
+ultravip.com.br, 1
+ultreya.tk, 1
+ultrixus.rocks, 1
+uludag16.com.tr, 1
+ulugatechsolutions.co.za, 1
+ulusar.com.tr, 1
+ulyanovsk-73.tk, 1
+ulyanovsk73.tk, 1
+ulyanovskcity.tk, 1
+ulysim.com, 1
+ulyssesenergy.it, 1
+um-sachsen-pictures.de, 1
+um.es, 0
+umagoyal.com, 1
+umami.vercel.app, 1
+umamibbqsushi.com, 1
+umamibites.com, 1
+umanews.net, 1
+umanityracing.com, 1
+umanupszn.gov.ua, 1
+umap.uz, 1
+umarjazeer.com, 1
+umaru.gq, 1
+umarysi.fun, 1
+umas.tk, 1
+umashev.ru, 1
+umasoda-tohoku.com, 1
+umassfive.coop, 1
+umasstransit.org, 1
+umatilla.gov, 1
+umatillacounty.gov, 1
+umbertheprussianblue.com, 1
+umbrellamediagroup.com, 1
+umbrellaye.online, 1
+umbria.network, 1
+umbricht.li, 1
+umeligence.cz, 1
+umenlisam.com, 1
+umetro.ru, 1
+umisonoda.com, 1
+umitribe.gov, 1
+umity.com.ua, 1
+umkomaaslodge-aliwalshoal.co.za, 1
+umlcode.com, 1
+ummiabi.id, 1
+umniy-dom.tk, 1
+umnugobi.tk, 1
+umo.ci, 1
+umojacloud.io, 1
+umojo.com, 1
+umoman.ru, 1
+umount.net, 1
+umripd.gov, 1
+umsapi.com, 1
+umspannwerk-leipzig.de, 1
+umtactivation.com, 1
+umtactivation.in, 1
+umutdemir.com, 1
+umv.gov.co, 1
+umwandeln-online.de, 1
+umweltgalerie.de, 1
+umzuege-hannover.net, 1
+umzugsunternehmen.berlin, 1
+umzugsunternehmenberlin.eu, 1
+un-box.org, 1
+un-framed.co.za, 1
+un-zero-un.fr, 1
+unaffectedsound.tk, 1
+unai-yus.tk, 1
+unaidesarrolladorweb.com, 1
+unaligned.net, 1
+unalignment.com, 1
+unanaciounaseleccio.tk, 1
+unangelturbio.tk, 1
+unaone.net, 1
+unapp.me, 1
+unasim.gq, 1
+unataly.gq, 1
+unataz.tk, 1
+unatbeaubrid.cf, 1
+unatco.noip.me, 1
+unausa.com.br, 1
+unautreregard.tk, 1
+unaware.tk, 1
+unbanked.com, 1
+unbelievableplaces.de, 1
+unbelievaboat.com, 1
+unblock-zh.org, 1
+unblockat.tk, 1
+unblocked.cx, 1
+unblocked.lat, 1
+unblocked.one, 1
+unblockit.asia, 1
+unblockit.bet, 1
+unblockit.bio, 1
+unblockit.blue, 1
+unblockit.cat, 1
+unblockit.click, 1
+unblockit.date, 1
+unblockit.ink, 1
+unblockit.ist, 1
+unblockit.me, 1
+unblockit.name, 1
+unblockit.nz, 1
+unblockit.vegas, 1
+unbolt.cf, 1
+unbonavocat.fr, 1
+unboundmoney.com, 1
+unboxed.cf, 1
+unboxinspector.com, 1
+uncarved.com, 1
+uncensoreddns.dk, 1
+uncensoreddns.org, 1
+uncentodecousas.tk, 1
+unchex.com, 1
+unchile.com, 1
+uncinema.cf, 1
+uncivserver.xyz, 1
+unclaimedretirementbenefits.com, 1
+unclebens-specials.gr, 1
+uncontrollablegas.com, 1
+uncorporate.cf, 1
+uncut.wtf, 1
+uncuteyes.tk, 1
+uncuttype.wtf, 1
+undangan-digital.com, 1
+undangankoo.com, 1
+undawns.tk, 1
+undecidable.de, 1
+undegasesc.net, 1
+undelightfully.tk, 1
+undemocracy.cf, 1
+undemocracy.ga, 1
+undemocracy.gq, 1
+undemocracy.ml, 1
+under-wears.tk, 1
+under15.ml, 1
+undercliff.tk, 1
+underconsideration.com, 1
+undercoverxp.tk, 1
+undercucho.tk, 1
+underdestruction.tk, 1
+underdog.tk, 1
+underfloorheating-uk.co.uk, 1
+undergroomed.com, 1
+underground.jp, 1
+undergrounder.ga, 1
+undergroundiron.tk, 1
+undergroundmusic.tk, 1
+underlined.fr, 1
+undernet.org, 1
+undernet.uy, 0
+undershoping.tk, 1
+underskatten.tk, 1
+understandmaths.co.za, 1
+undertow.ga, 1
+underwaterasia.info, 1
+underwear-fashion.tk, 1
+underwearoffer.com, 1
+underwood.tk, 1
+underwoodpatents.com, 1
+underworlds.tk, 1
+underwriting.ai, 1
+undiariodiferente.tk, 1
+undiepatrol.tk, 1
+undo.co.il, 1
+undone.tk, 1
+undp.lt, 1
+une-bonne-nouvelle.fr, 1
+une-femme-dhonneur.tk, 1
+uneaimages.com, 1
+unearth.ca, 1
+unece-deta.eu, 1
+unefuite.ch, 0
+unej.org, 1
+uneltemasini.ro, 1
+unemployment.ga, 1
+unemployment.gov, 1
+unescoclub.tk, 1
+unetyr.gq, 1
+unexcited.tk, 1
+unexpected.nu, 1
+unexplored-belarus.tk, 1
+unexplored-moscow.tk, 1
+unf.dk, 1
+unfabulous.tk, 1
+unfallrechtler.de, 1
+unfamousrecords.tk, 1
+unfathomable.blue, 1
+unfc.nl, 1
+unfixed-soul.tk, 1
+unfollow.today, 1
+unfriend.tk, 1
+unga.dk, 1
+ungaeuropeer.se, 1
+ungainlybeast.com, 1
+ungedient.de, 1
+unghie.com, 0
+ungnyo.org, 1
+ungolianth.tk, 1
+ungooglize.org, 1
+ungovernable.men, 1
+ungrafakta.cf, 1
+ungrafakta.gq, 1
+ungrafakta.tk, 1
+unhabitat.org, 1
+unhappy.tk, 1
+unhub.ru, 1
+uni-arts.com, 1
+uni-chem.rs, 1
+uni-cleaner.com, 1
+uni-watch.com, 1
+uni2share.com, 1
+unia.es, 1
+unian.info, 1
+uniaofraternalraulcury.com.br, 1
+unibaby.com, 1
+unibet.bz, 1
+unibet.ltd, 1
+unibev.net, 1
+unibevltd.com, 1
+unibh.br, 1
+unibolsit.com, 1
+unibuses.co.uk, 1
+unibusreputation.com, 1
+unicarehealth.com.au, 1
+unicef.pl, 1
+unicefcards.cz, 1
+unicefcards.gr, 1
+unicefcards.sk, 1
+unicefcestitke.rs, 1
+unicefkartkidlafirm.pl, 1
+unicefkepeslapok.hu, 1
+unicefvoscilnice.si, 1
+unicintas.com.br, 1
+unicioushop.com, 1
+unicode.gq, 1
+unicode.link, 1
+unicodesign.ch, 1
+unicolabo.jp, 1
+unicomergiraygana.com, 1
+unicoms.biz, 1
+unicoms.travel, 1
+unicoms.vip, 1
+unicool.tk, 1
+unicorn-systems.net, 1
+unicorn.melbourne, 1
+unicorndesign.ninja, 0
+unicornheaven.net, 1
+unicornmusic.tk, 1
+unicornsoft.tk, 1
+unicorntooling.eu, 1
+unicrack.cf, 1
+unicreditbulbank.info, 1
+unicul.tk, 1
+unicycle.ga, 1
+unicycle.show, 1
+unidadvirtual.com, 1
+unidata.ca, 1
+unideb.hu, 1
+unidet.eu, 1
+unieducar.org.br, 1
+uniekglas.nl, 1
+uniex.ch, 1
+uniex.pw, 1
+unifashion.ro, 1
+unifestal.com, 1
+unifiednetwork.me, 1
+unifiedwellness.ca, 1
+uniforcele.com, 1
+uniformebateriasheliar.com.br, 1
+uniforms.com.au, 1
+unify.id, 1
+unihostbrasil.com.br, 1
+unik.bg, 1
+unikainfocom.in, 1
+unike.tech, 1
+unikimages.com, 1
+unikon.su, 1
+unikos.tk, 1
+unikrn.com, 1
+unikrn.space, 1
+unikrn.tech, 1
+unikrnb2b.com, 1
+unilab.com.ph, 1
+unilinkbus.co.uk, 1
+unilinkgroup.com, 1
+unimarijo.com, 1
+unimarvel.tk, 1
+unimax.com.tw, 1
+unimeias.com.br, 1
+unimex.edu.mx, 1
+unimexver.edu.mx, 1
+unimus.net, 1
+unimusica.tk, 1
+uninatural.com.br, 1
+unine.fun, 1
+unionciclistabinefar.tk, 1
+unioncountyilcourts.gov, 1
+unioncountyiowa.gov, 1
+unioncountyncelections.gov, 1
+unioncountyor.gov, 1
+unioncr.uk, 1
+uniondeterapeutas.com, 1
+unionflpa.gov, 1
+unionhoster.ml, 1
+unionlacalera.tk, 1
+unionlife-net.com, 1
+unionmagdalena.tk, 1
+unionmissouri.gov, 1
+unionplat.ru, 1
+unionreports.gov, 1
+uniontestprep.com, 1
+unionvilleheating.com, 1
+unios.tk, 1
+unipart.digital, 0
+unipass.ga, 1
+unipaz.edu.co, 1
+unipig.de, 0
+uniqclothing.co.za, 1
+uniqopter.com, 1
+uniqsys.eu, 1
+unique-app.com, 1
+unique-news.tk, 1
+unique-punk.tk, 1
+unique-urls.tk, 1
+uniquedollz.tk, 1
+uniqueexpression-coaching.de, 1
+uniquehardware.ca, 1
+uniquehardware.net, 1
+uniquemode.nl, 1
+uniquepress.biz, 1
+uniquest.com.au, 1
+uniquestlye.ga, 1
+uniqueworks.tk, 1
+uniqweb.ga, 1
+uniresbajdas.ml, 1
+unis-pour-la-planete.com, 1
+unis-pour-le-climat.com, 1
+uniselectweb.com, 1
+uniserve.com, 1
+unison-d.com, 1
+unisontech.org, 1
+unisplendour.com, 1
+unisul.br, 1
+unisupdi.com, 1
+unisys.net.nz, 0
+unisyssecurity.com, 1
+unit-linked.ru, 1
+unit-soft.com, 0
+unit7jazz.org, 1
+unitanzania.com, 1
+unite-ka.de, 1
+uniteam.ga, 1
+uniteasia.org, 1
+united-dm.ml, 1
+united-schools.net, 1
+united-trackmaniacs.tk, 1
+united-trainers-league.tk, 1
+united.com, 0
+unitedadmins.com, 1
+unitedarmyofentropia.tk, 1
+unitedaviate.com, 1
+unitedbaby.fr, 1
+unitedbusinessbank.com, 1
+unitedcyberdevelopment.com, 1
+unitedfitness.com.au, 1
+unitedforwildlife.org, 0
+unitedhomeservices.com.au, 1
+unitedhoseinc.com, 1
+unitedkingdoms-guild.com, 1
+unitedlisbon.school, 1
+unitedpayment.com, 1
+unitedpsychological.com, 1
+unitedrestorationfl.com, 1
+unitedsiteservices.com, 1
+unitedstables.tk, 1
+unitedstudents.tk, 1
+unitedstudios.ru, 1
+unitedtractors.com, 1
+unitedvalve.com, 1
+unitedweb.com, 1
+unitedwecare.com, 1
+unitedwestand.gov, 1
+uniteforrecovery.govt.nz, 1
+unitefortherecovery.govt.nz, 1
+unitehelivy.be, 1
+uniteinhealth.org, 1
+unitel2000.de, 0
+unitencup.tk, 1
+unither.com, 1
+unitil.com, 1
+unitingwa.org.au, 1
+unitir.gq, 1
+unitizer.com, 1
+unitop.bg, 1
+unity-lepetitshop.com, 1
+unitycardiology.com.au, 1
+unityconsciousnessbooks.com, 1
+unityfactory.io, 1
+unityor.gov, 1
+unitysavannah.org, 1
+unityseguros.com, 1
+unitysyndicate.tk, 1
+unityvox.com, 1
+uniuni.info, 1
+uniup.tk, 1
+univ-segou.ml, 1
+univalence.me, 1
+univaservizi.academy, 1
+univate.berlin, 1
+univercite.ch, 0
+univeril.com, 0
+univerkeys.com, 1
+universal-credit.com, 1
+universal-happiness.com, 1
+universal-mail.ml, 1
+universal-tutorial.com, 1
+universal.at, 1
+universalcircus.tk, 1
+universaldriveshafts.com, 1
+universalecology.tk, 1
+universalmedia.tk, 1
+universalmusic.pl, 0
+universalpaymentgateway.com, 1
+universalplant.com, 1
+universalspf.org, 1
+universalstars.com.au, 1
+universalwebcommunity.tk, 1
+universdejeff.com, 1
+universe.horse, 1
+universe.la, 1
+universe.wtf, 1
+universehistory.net, 1
+universehk.tk, 1
+universeinform.com, 1
+universellafredsdanser.se, 1
+universellesleben.tk, 1
+universemasterplan.com, 1
+universen.tk, 1
+universereligion.com, 1
+universevision.com, 1
+universidadperu.com, 1
+universitapopolaredeglistudidimilano.wiki, 1
+universiteplatformu.com, 1
+universitepourlavie.tk, 1
+universitesegou.ml, 1
+universityadmissions.se, 1
+universitycentre.co.uk, 1
+universityhealthplans.com, 1
+universityhousemates.co.uk, 1
+universityhousemates.uk, 1
+universityinmaryland.com, 1
+universityintexas.com, 1
+universityofedinburgh.org.uk, 1
+universityofnarowal.ga, 1
+universitywafer.com, 1
+universoagropets.com.br, 1
+universocaballo.top, 1
+universodelasaludanimal.com, 1
+universogay.com, 1
+universrumbacongolaise.com, 1
+universus.tk, 1
+univim.edu.mx, 1
+univitale.fr, 0
+unix.family, 1
+unix.lu, 1
+unixadm.org, 1
+unixapp.ml, 1
+unixattic.com, 1
+unixauto.com, 1
+unixauto.de, 1
+unixauto.hu, 1
+unixauto.ro, 1
+unixauto.sk, 1
+unixer.tk, 1
+unixery.de, 1
+unixforum.org, 1
+unixfox.eu, 1
+unixgeeks.net, 1
+unixhost.ga, 1
+unixteam.de, 1
+unixtime.date, 1
+unk.gov, 1
+unkn0wncat.net, 1
+unknown-player.com, 1
+unknown.kyoto, 0
+unknownhacks.tk, 1
+unknownmasses.tk, 1
+unknownnet.tk, 1
+unknowntrailsrider.tk, 1
+unknowntrojan.win, 1
+unko.cz, 1
+unkrn.com, 1
+unleashfido.com, 1
+unli.xyz, 1
+unlimitedconference.id, 1
+unlimiteddata.digital, 1
+unlimiteddsl.ga, 1
+unlimitedheatingcooling.com, 1
+unlimitedpcs.com, 1
+unlimitedzone.tk, 1
+unlocator.com, 1
+unlock-my-sprint.mobi, 1
+unlockauthority.com, 1
+unlockblackberryfree.co.uk, 1
+unlockboot.com, 0
+unlocken.nl, 1
+unlockerboss.com, 1
+unlocks.co.uk, 1
+unlockscheveningen.nl, 1
+unlocktalent.gov, 1
+unlocktoolactivation.com, 1
+unlocktoolactivation.in, 1
+unluco.com, 1
+unmanaged.space, 1
+unmarkdocs.co, 1
+unmask.earth, 1
+unmetric.com, 1
+unminutomami.com, 1
+unmo.com, 1
+unn-edu.info, 1
+unnamed.tk, 1
+unnas.ca, 1
+unniehallyu.co.uk, 1
+uno-express.de, 1
+uno.fi, 1
+uno.uk, 1
+unoccupyabq.org, 1
+unocha.org, 1
+unofficialbpb.tk, 1
+unoodostoques.tk, 1
+unope.ml, 1
+unope.ru, 1
+unope.tk, 1
+unoptional.tk, 1
+unoriginal.tk, 1
+unosconotros.com, 1
+unovosti.tk, 1
+unp.me, 1
+unpar.ac.id, 1
+unparenting.com, 1
+unpi06cannes.fr, 1
+unpi38.fr, 1
+unpkg.com, 1
+unpleasant.tk, 1
+unpluggedjuice.dk, 1
+unplugstore.it, 1
+unply.com, 1
+unpoditalia.se, 1
+unpossible.xyz, 1
+unpost.net, 1
+unpr.dk, 1
+unreal-estate.cz, 1
+unreal-estate.pl, 1
+unreal.dk, 1
+unrealircd-api.org, 1
+unrealircd.org, 1
+unrelated.net.au, 1
+unrepentant.cf, 1
+unrepentant.ga, 1
+unrepentant.ml, 1
+unrestricted.ga, 1
+unri.de, 1
+unric.org, 1
+uns.com, 1
+unsee.cc, 1
+unseeliefilms.com, 1
+unseeliepress.com, 1
+unseen.is, 1
+unser-gartenforum.de, 1
+unsigcrazy.art, 1
+unsourirealecole.fr, 1
+unstable.fun, 1
+unstable.network, 1
+unstable.systems, 1
+unstablewormhole.ltd, 1
+unstockd.org, 1
+unstoppable.money, 1
+unstoppabledomains.com, 1
+unstoppableever.com.br, 1
+unstoppableunits.com, 1
+unsupervised.ca, 1
+untarget.ai, 1
+unterfrauner.it, 1
+unterhaltungsbox.com, 1
+unternehmensberater-website.de, 1
+unternehmensbewertung.pro, 1
+unternehmerrat-hagen.de, 1
+unternimmteam.de, 1
+untethereddog.com, 0
+unti.me, 1
+unti.tk, 1
+untidybits.com, 1
+untitled-home-storage.cyou, 1
+untrading.org, 1
+untro.xyz, 0
+untvweb.com, 1
+unufoundation.com, 1
+unusualhatclub.com, 1
+unusualplaces.org, 1
+unusualsubstance.com, 1
+unveiledgnosis.com, 1
+unveilturkey.com, 1
+unvetalaretraite.ca, 1
+unviajedesabor.com, 1
+unvired.com, 1
+unwa.tk, 1
+unwire.com, 1
+unwiredbrain.com, 0
+unwishingmoon.com, 1
+unworthy.ml, 1
+unx.dk, 1
+unxicdellum.cat, 1
+unyouth.co.nz, 1
+unyouth.nz, 1
+unyouth.org.nz, 1
+uoe.com, 1
+uomo.com.ar, 1
+uopeople.reviews, 1
+uoui.de, 1
+up-obmen.ml, 1
+up-stage.jp, 1
+up.com.au, 1
+up1s.tk, 1
+up2date.com.ua, 1
+up2mark.com, 0
+up2staff.com, 1
+up2tech.fr, 1
+up4cash.com, 1
+upahminimum.com, 1
+upakovka-podarkov.tk, 1
+upandatom.biz, 1
+upandrunningtutorials.com, 1
+upar.org, 1
+upay.ru, 1
+upbad.com, 1
+upbatangan.tk, 1
+upbeatrobot.com, 1
+upbeatrobot.email, 1
+upbeatrobot.eu, 1
+upbeatrobot.net, 1
+upbeatrobot.nl, 1
+upbeatrobot.org, 1
+upbeatrobot.social, 1
+upbtrbt.com, 1
+upbtrbt.eu, 1
+upbtrbt.net, 1
+upbtrbt.nl, 1
+upbtrbt.org, 1
+upcambio.com, 1
+upclinic.ru, 1
+upcloud.cz, 1
+upcwifikeys.com, 1
+upcycleandcompany.com, 1
+upd.jp, 1
+updata.com, 1
+update-linthdcp-567app1.com, 1
+updefense.io, 1
+updoze.com, 1
+upengo.com, 1
+uperne.ro, 1
+upestudios.tk, 1
+upex.tk, 1
+upfield.com, 1
+upflow.io, 1
+upforshare.com, 1
+upfronthealthcare.com, 1
+upfurniture.tk, 1
+upgamerengine.com, 1
+upgamerengine.com.br, 1
+upgamerengine.net, 1
+upgintl.com, 1
+upgrade.com, 1
+upgradeguru.de, 1
+upgradeit.dk, 1
+upgradeloans.com, 1
+upgrades-and-options.com, 1
+upgraid.ru, 1
+upguard.com, 1
+upguard.org, 1
+uphabit.io, 1
+uphold-15-party.com, 1
+upholsterycleanerslondon.co.uk, 1
+upholsterydesign.com.au, 1
+uphost.be, 1
+uphshrine.com, 1
+upitnik.rs, 1
+upjong.co.kr, 1
+uplandsparkmo.gov, 1
+uplaqui.com.br, 1
+uplead.com, 1
+upleveled.io, 1
+uplexis.com.br, 1
+upliftingappalachia.org, 1
+uplinkgame.tk, 1
+uplinklabs.net, 1
+uplinkrev.com, 1
+uplinks24.com, 1
+upload.facebook.com, 0
+uploadbaz.me, 1
+uploadbeta.com, 1
+uploadcare.com, 1
+uploadingsite.com, 1
+uploadletters.com, 1
+uploads.su, 1
+uploadscript.tk, 1
+uploadtokiosk.com, 1
+upmail.ml, 1
+upmchealthsecurity.us, 1
+upmediaclick.com, 1
+upmediaclick.net, 1
+upmediamarketer.ml, 1
+upmls.com, 1
+upmon.com, 1
+upnetwork.ml, 1
+upnext.tk, 1
+upnfm.edu.hn, 1
+upnorth.solutions, 1
+uponsel.com, 1
+uportal.tk, 1
+upp.com, 1
+uppercloud.cf, 1
+upperglass.co.uk, 1
+upperinc.com, 1
+upperskagittribe-nsn.gov, 1
+uppfinnarenc.tk, 1
+upplands-bro.se, 1
+upplevelse.com, 1
+uppsala.tk, 1
+upr.com.ua, 1
+upr.edu, 1
+upr.llc, 1
+upr.si, 1
+upr.ua, 1
+uprawnienia-1kv.pl, 1
+uprawnienia-dronowe.pl, 1
+uprawnienia-drony.pl, 1
+uprawnienia-elektryczne.pl, 1
+uprawnienia-g1.pl, 1
+uprawnienia-motorowodne.pl, 1
+uprawnienia-pomiary.pl, 1
+uprawnienia-sep-1kv.pl, 1
+uprawnienia-sep.com.pl, 1
+uprawnieniaeuropejskie.pl, 1
+uprawnienie-sep.pl, 1
+uprc.edu, 1
+uprep.lol, 1
+uprep.ml, 1
+uprh.edu, 1
+uprint.it, 1
+uprisehigh.com, 1
+upropay.com, 1
+upscaled.nl, 1
+upschreven.blog, 0
+upscope.io, 1
+upsdelperu.com.pe, 1
+upseed.ru, 1
+upsettunnel.com, 1
+upsihologa.com.ua, 0
+upsilonsigmaphi.us, 1
+upsiteseo.com, 1
+upskilllearning.ml, 1
+upskirtmania.tk, 1
+upsocial.ga, 1
+upsocial.pp.ua, 1
+upstairs.one, 1
+upstart.com, 1
+upstatesc.net, 1
+upstream.auto, 1
+uptech.biz.id, 1
+uptechbrasil.com.br, 1
+uptimed.com, 1
+uptimeradar.com, 1
+uptimeuno.com, 1
+uptional.gq, 1
+uptodateinteriors.com, 1
+uptoplay.ovh, 1
+uptownbabe.com, 1
+uptrends.com, 1
+uptrends.de, 1
+uptrex.co.uk, 1
+upundit.com, 1
+upupming.site, 0
+upupor.com, 1
+upviews.tk, 1
+upwardcreative.com, 1
+upwardflourish.com, 1
+upwardtraining.co.uk, 1
+upwork.com, 1
+uq1k.com, 1
+uqschool.com, 1
+uquid.com, 1
+uquidcoin.com, 1
+ur-lauber.de, 1
+ur.nl, 1
+ur2.pw, 1
+urabain.com, 1
+uraimo.com, 1
+urakn0x.tk, 1
+ural-emal.ga, 1
+ural-travel.ml, 1
+ural.cf, 1
+ural.ga, 1
+ural.tk, 1
+uralec.tk, 1
+uralscoin.ml, 1
+uralsite.cf, 1
+uralsk.ml, 1
+uralskaya-garmon.tk, 1
+uralspravka.cf, 1
+urandom.co.uk, 1
+urang-kurai.tk, 1
+uraniborg.net, 1
+uraniumhost.ga, 1
+uranius.eu, 1
+uranmoney.ml, 1
+uranus.cf, 1
+urbackups.com, 1
+urbalex.ch, 0
+urban-culture.fr, 1
+urban-lounge.tk, 1
+urban-news.tk, 1
+urban.melbourne, 1
+urbanagriculturesummit.cf, 1
+urbanail.gov, 1
+urbanarcana.tk, 1
+urbanartisan.cf, 1
+urbanbageecha.com, 1
+urbanbikeweamr.ga, 1
+urbanbooks.tk, 1
+urbancoyoteresearch.com, 0
+urbancreators.dk, 1
+urbane-narrationen.de, 1
+urbanesecurity.com, 1
+urbanevielfalt.de, 1
+urbanface.photography, 1
+urbanfineart.ro, 1
+urbanfoodmarket.nl, 1
+urbanfun.ga, 1
+urbangaming.tk, 1
+urbangardening.ga, 1
+urbangymfirenze.com, 1
+urbanhost.tk, 1
+urbanhotbed.eu, 1
+urbanhub.lt, 1
+urbanietz-immobilien.de, 1
+urbanindustriecoiffure-auray.fr, 1
+urbanism.xyz, 1
+urbanized.tk, 1
+urbanizedrecords.tk, 1
+urbanlounge.tk, 1
+urbanlymodern.com, 1
+urbanmic.com, 1
+urbanmuslim.tk, 1
+urbannewsservice.com, 1
+urbanology.tk, 1
+urbanon.cz, 1
+urbanovich.net, 1
+urbanpiraten.tk, 1
+urbanpromisetrenton.org, 1
+urbansketchers.org, 1
+urbansoundwave.tk, 1
+urbanspitz.tk, 1
+urbanstylestaging.com, 1
+urbantecno.com, 1
+urbantrafficschool.com, 1
+urbantrail.tk, 1
+urbantz.com, 1
+urbanusonline.tk, 1
+urbanwaters.gov, 1
+urbanwave.co.za, 1
+urbanwindows.ca, 1
+urbanxdevelopment.com, 0
+urbarberjerry.com, 1
+urbest.io, 1
+urbex.link, 1
+urbexdk.nl, 1
+urburb.social, 1
+urbv.eu, 1
+urbv.net, 1
+urbv.org, 1
+urcentral.com, 1
+urcentral.eu, 1
+urcentral.net, 1
+urcentral.nl, 1
+urcentral.org, 1
+urcommunitytimebanking.org.au, 1
+urdoverie.com, 1
+ureed.com, 1
+ureka.org, 1
+urfreecon.tk, 1
+urge55.com, 1
+urgences-valais.ch, 1
+urgencesolidarite.fr, 1
+urgent-notice.ml, 1
+urgentcaresouthaven.com, 1
+urgrafix.com, 1
+urion.com.br, 1
+uriport.com, 1
+uriports.com, 1
+uripura.de, 1
+urist1011.ru, 1
+urka.tk, 1
+urke.tk, 1
+urkhole.tk, 1
+urko.shop, 1
+urkonsultant.tk, 1
+urkult.se, 0
+url.fm, 1
+url.gd, 1
+url.ht, 1
+urlakite.com, 1
+urlaub-busreisen.de, 1
+urlaub-fuerteventura.info, 1
+urlaub-leitner.at, 1
+urlaub.de, 1
+urlaubsziele.com, 1
+urlbox.tk, 1
+urlcitr.us, 1
+urlcitrus.com, 1
+urlendecoder.tk, 1
+urlfly.tk, 1
+urlgoo.ga, 1
+urlive.ga, 1
+urljournal.tk, 1
+urlparse.com, 1
+urlrating.com, 1
+urlscan.io, 1
+urlsimple.tk, 1
+urltell.com, 1
+urltodomain.com, 1
+urluno.com, 1
+urlwing.tk, 1
+urlz.ml, 1
+urlz.tk, 1
+urmikron.tk, 1
+uro.soy, 1
+urocentre.ga, 1
+urogen.com, 1
+uroki.tk, 1
+urology.wiki, 1
+urologyoklahoma.com, 1
+urologyspecialistspc.com, 1
+urologywi.com, 1
+uronlinestreams.ga, 1
+uroute.co, 1
+urown.net, 1
+urprayermonk.org, 1
+urrestarazuserranoabogados.com, 1
+ursa-minor-beta.org, 1
+ursae.co, 1
+ursazrnec.com, 1
+ursonatefanzine.tk, 1
+urspringer.com, 1
+urspringer.de, 1
+urstore.ga, 1
+ursula-gadalka.tk, 1
+ursulahadasch.de, 1
+ursuslibris.hu, 1
+urt.fm, 1
+uruguay-experience.com, 1
+urukproject.org, 1
+uruslugi.tk, 1
+urvastekool.edu.ee, 1
+us-10.cc, 1
+us-10.com, 1
+us-films.com, 1
+us-igloopreview.com, 1
+us-immigration.com, 1
+us.ax, 1
+us.gov, 1
+us.kg, 1
+us.marketing, 1
+us.nl.eu.org, 1
+us10.net, 1
+us2uplumbing.com.au, 1
+usa-10.com, 1
+usa-10.net, 1
+usa-greencard.eu, 1
+usa-reisetipps.net, 1
+usa.gov, 1
+usa10.net, 1
+usa250.gov, 1
+usaa.com, 0
+usabackground.com, 1
+usabilis.com, 1
+usability.com.gr, 1
+usability.gov, 1
+usabusinessdirectories.com, 1
+usacainfo.com, 1
+usacarry.com, 1
+usacrime.com, 1
+usadba.net.ru, 1
+usadf.gov, 1
+usadirectory.tk, 1
+usaestaonline.com, 1
+usage.be, 1
+usagi-ku.ga, 1
+usagm.gov, 1
+usagov.gov, 1
+usahealthwebapps.com, 1
+usaherald.com, 1
+usaisilanlari.com, 1
+usait.org, 1
+usajobs.com, 1
+usajobs.gov, 1
+usalearning.gov, 1
+usamale.cf, 1
+usamdt.com, 1
+usamocha.com, 0
+usamultimeters.com, 0
+usanamiru.cz, 1
+usanewsposts.ga, 1
+usanewstrends.ga, 1
+usapel.com.br, 1
+usaprimecredit.org, 1
+usapublicrecords.com, 1
+usascripthelpers.com, 1
+usaseanconnect.gov, 1
+usastaffing.gov, 1
+usatales.com, 0
+usatiuk.com, 1
+usatodaynetworkservice.com, 1
+usatodaysportsplus.com, 1
+usavingsbank.com, 1
+usaweblist.tk, 1
+usawireguard.com, 1
+usbcompatible.com, 1
+usbevents.co.uk, 1
+usbr.gov, 1
+uscc.org.ua, 1
+uscis.gov, 1
+uscitizenship.info, 1
+uscloud.nl, 1
+uscp8.com, 1
+usctt.org, 1
+uscurrency.gov, 1
+uscveteranspark.org, 1
+usda.gov, 1
+usdailyhealth.tk, 1
+usdfc.gov, 1
+usdirectory.com, 1
+usdirectory.tk, 1
+usdoj.gov, 1
+usdoscloud.gov, 1
+usds.gov, 1
+usdty.to, 1
+use.be, 1
+use1.net, 1
+usebosin.gq, 1
+usecamisetas.com, 1
+used-laptop.in, 1
+used255.xyz, 1
+useful-thing.ru, 1
+usefuldiy.com, 1
+usefulinsight.com, 1
+usehonk.com, 1
+usemergencyservices.com, 1
+usenet.tk, 1
+usenethd.li, 1
+usenetreviewz.com, 1
+useon.com, 1
+useon.ru, 0
+user-agent.ml, 1
+user-daitron.jp, 1
+userbase.com, 1
+usercentrics.com, 1
+usercompare.tk, 1
+userflow.com, 1
+userhelp.tk, 1
+username.nz, 1
+userra.gov, 1
+userstation.de, 1
+userstyles.world, 1
+usetypo3.com, 1
+useworkshop.com, 1
+useyourloaf.com, 1
+usgamesinc.com, 1
+usgeneralhealth.tk, 1
+usgeo.gov, 1
+usgovernmentnews.com, 1
+usgs.gov, 1
+ushandbookapp.com, 1
+ushare.ch, 1
+ushealthprovider.ga, 1
+usherwoodexecutivetravel.com, 1
+usicecenter.gov, 1
+usidfc.gov, 1
+usintimate.com.br, 1
+usjobmarket24.com, 1
+usjt.br, 1
+usk-clan.tk, 1
+uskaonline.tk, 1
+uskaria.com, 1
+uskostadariksi.fi, 1
+usleravnekrog.dk, 1
+uslugi-advokata.ga, 1
+uslugi-advokata.tk, 1
+uslugi-online.pl, 1
+uslugi-voronezh.tk, 1
+uslugikoparkalodz.gq, 1
+usmammy.com.tw, 1
+usmantrader.gq, 1
+usmiddleclass.net, 1
+usmint.gov, 1
+usmoneyreserve.com, 1
+usmrecycles.com, 1
+usnews-new.tk, 1
+usnews.ga, 1
+usninosnikrcni.eu, 1
+usnti.com, 1
+usodesu.ga, 1
+usoog.com, 1
+usoptical.com, 1
+uspaacc.com, 1
+usparklodging.com, 1
+uspeh62.tk, 1
+uspeli.ml, 1
+uspesnyprvnacek.cz, 1
+usphs.gov, 1
+uspib.info, 1
+usplate.com, 1
+uspon.tk, 1
+usportsgo.com, 1
+uspory.cz, 1
+uspreventiveservicestaskforce.org, 1
+uspsblog.com, 1
+uspsoig.gov, 1
+usrspace.at, 1
+uss-atlas.de, 1
+uss-electro.ru, 1
+ussemiquincentennial.gov, 1
+ussfcu.org, 1
+ussm.gov, 1
+ussm.tk, 1
+ussnoorinayatkhan.com, 1
+ussst.org, 1
+ussst.org.in, 1
+ust.space, 1
+ustabor.uz, 1
+ustaywell.com, 1
+ustc.fun, 1
+ustensiles-cuisine.boutique, 1
+ustoy.com, 1
+ustr.gov, 1
+ustreasuryetf.com, 1
+ustugov.kiev.ua, 1
+ustugova.kiev.ua, 1
+ustyj.tk, 1
+usu.org.ua, 1
+usuan.net, 1
+usuluddin.ga, 1
+usuluddin.tk, 1
+usuwanie-wirusow-wordpress.pl, 1
+usvisallc.com, 1
+uswitch.com, 1
+usyfawovad.gq, 1
+usygov.ga, 1
+ut-addicted.com, 1
+ut-jobs.net, 1
+ut5s.com, 1
+utafutbol.tk, 1
+utagawavtt.com, 1
+utageno.jp, 1
+utahblackplate.com, 1
+utahblackplates.com, 1
+utahcanyons.org, 1
+utahcountydjcompany.com, 1
+utahdebtcare.com, 1
+utahfanclub.org, 1
+utahfireinfo.gov, 1
+utahlake.gov, 1
+utahlivebands.com, 1
+utahmotors.ru, 1
+utahonlinedivorce.com, 0
+utahphotogs.com, 1
+utaindoradio.cf, 1
+utangard.net, 1
+utaowan.com, 0
+utarn.icu, 1
+utavatu.mk, 1
+utazas-nyaralas.info, 1
+utbabogados.com, 1
+utbosbeekhuuske.tk, 1
+utcast-mate.com, 1
+utcle.org, 1
+utduc.com, 1
+utec.edu.pe, 1
+utepecem.com, 1
+utevai.tk, 1
+uthavi.org, 1
+utiao.net, 1
+utiars.com, 1
+uticagravel.com, 1
+utilajexpert.ro, 1
+utilbot.co, 1
+utilia.tools, 1
+utilidad.tk, 1
+utililab.com, 1
+utilitarian.com, 1
+utilitarian.org, 1
+utilitarianism.com, 1
+utilitarianism.org, 1
+utilitarianism.uk, 1
+utilitarismo.com, 1
+utilitas.ee, 1
+utilitiesconstructionsettlement.com, 1
+utilitronium-shockwave.com, 1
+utilitronium.com, 1
+utilityapi.com, 1
+utilitybot.in, 1
+utilityconcierge.com, 0
+utilityteam.in, 1
+utilitytech.in, 1
+utleg.gov, 1
+utloperadora.com.br, 1
+utobo.com, 1
+utodyg.ga, 1
+utonia.ch, 1
+utopiahsa.com, 1
+utopialgb.org.uk, 1
+utopian-institute.tk, 1
+utopian-surgery.com, 1
+utopiancapitalism.tk, 1
+utopians.dk, 0
+utopiasmart.city, 1
+utopiatech.tk, 1
+utopicestudios.com, 1
+utopique.net, 1
+utopyaforum.tk, 1
+utrace.me, 1
+utrantor.org, 1
+utrymningsplaner.se, 1
+uttama.ga, 1
+uttenheim.net, 1
+utterberry.io, 1
+utterman.se, 1
+uttnetgroup.fr, 1
+utube.ai, 1
+utural.tk, 1
+utusan.com.my, 1
+utw.me, 1
+utwente.io, 1
+utwf.org, 1
+utzon.net, 1
+uu5197.co, 1
+uu6729.co, 1
+uu6729.com, 0
+uu6957.co, 1
+uu9297.co, 1
+uu939.com, 1
+uu9728.co, 1
+uubb.top, 0
+uuin.top, 1
+uuit.nl, 1
+uulu.edu.ee, 1
+uurl.cf, 1
+uurl.ga, 1
+uutf.org.uk, 1
+uuuu.loan, 1
+uuuvn.space, 1
+uv.uy, 1
+uvadag.nl, 1
+uvarov.pw, 0
+uvb.com.co, 1
+uvesco.es, 1
+uvlamp.ee, 1
+uvocorp.com, 1
+uvomaltiv.ch, 1
+uvpress.com, 1
+uvsa.org.au, 1
+uvsar.com, 1
+uvt.com.co, 1
+uvtcinemas.com, 1
+uvx.io, 1
+uwac.co.uk, 0
+uwalumni.com, 0
+uwat.cc, 1
+uwat.cf, 1
+uwdigitaleboekhouder.nl, 1
+uwe-arzt.de, 1
+uwe-r.com, 1
+uwe-reimold.com, 1
+uwe-reimold.de, 1
+uwe.training, 1
+uwe.wtf, 1
+uweeze.com, 1
+uwefreund.com, 1
+uweier.com, 1
+uwereimold.de, 1
+uwesander.de, 1
+uwfreelanceopticien.nl, 1
+uwiventuresltd.com, 1
+uwtd.me, 1
+uwu.lgbt, 0
+uwu.nu, 1
+uwu.tw, 1
+uwwsb.com, 1
+ux-designers.nl, 1
+ux-solution.de, 0
+ux.pub, 1
+uxdesignerjobs.nl, 1
+uxg.ch, 1
+uxpressia.com, 1
+uxteam.com, 1
+uy.search.yahoo.com, 0
+uygindir.ml, 1
+uyz.me, 1
+uz-yulduzlar.tk, 1
+uz.search.yahoo.com, 0
+uz1xbet.com, 1
+uzagmozemunk.ga, 1
+uzagmozemunk.ml, 1
+uzayliyiz.biz, 1
+uzbaza.tk, 1
+uzbek-soft.tk, 1
+uzbekistan24.tk, 1
+uzbekkizlari.cf, 1
+uzbekkizlari.gq, 1
+uzbekkizlari.ml, 1
+uzbekkizlari.tk, 1
+uzbektumblers.tk, 1
+uzbwap.tk, 1
+uze-store.com, 1
+uzhas-uzhasny.ml, 1
+uzhits.cf, 1
+uzidesign.com, 1
+uziregister.nl, 0
+uzkalip.com, 1
+uzmansorusu.com, 1
+uznaychtotakoe.ru, 1
+uzoic.com, 1
+uzone.uk, 0
+uzparimatch.com, 1
+uzsvm.cz, 1
+uztop.ml, 1
+uzzamari.com, 1
+uzzamari.com.br, 1
+v-cn.net, 1
+v-d-p.net, 1
+v-empower.com, 1
+v-gornom.ga, 1
+v-horus.cloud, 1
+v-jo.com, 1
+v-kurgane.tk, 1
+v-media.tk, 1
+v-news.tk, 1
+v-novosibirske.tk, 1
+v-ogorode.info, 1
+v-phoenix.tk, 1
+v-platinum.ru, 1
+v-plus.ru, 1
+v-spin.cz, 1
+v-tek.fi, 1
+v-u-z.ru, 1
+v.pn, 1
+v.ps, 1
+v0ctor.me, 1
+v0i.de, 1
+v0v.cc, 1
+v0v.de, 1
+v1.dk, 1
+v10006.com, 0
+v10008.com, 1
+v139.com, 1
+v1r2zz.tk, 1
+v1sit0r.ru, 1
+v2.digital, 1
+v2.engineer, 1
+v2.pw, 1
+v2bv.net, 1
+v2bv.win, 1
+v2ex.com, 1
+v2mcdev.com, 1
+v2raytech.com, 1
+v2x.sk, 1
+v2xtls.org, 1
+v2yes.com, 1
+v3025.com, 0
+v33v33.com, 1
+v36533.com, 1
+v44v44.com, 1
+v5017.com, 0
+v51365.com, 1
+v5197.co, 1
+v55565.com, 0
+v55v55.com, 1
+v5658.com, 0
+v5ray.club, 1
+v5ray.top, 1
+v6004.com, 1
+v6021.com, 0
+v6170.com, 0
+v6350.com, 0
+v6506.com, 0
+v66255.com, 0
+v66557.com, 0
+v6729.co, 1
+v6752.com, 0
+v6957.co, 1
+v6ss.com, 1
+v700a.com, 1
+v700bb.com, 1
+v700cc.com, 1
+v700dd.com, 1
+v700ee.com, 1
+v700w.com, 1
+v7090.com, 0
+v81365.com, 1
+v82365.com, 1
+v88158.com, 0
+v8abc.com.br, 1
+v8builder.com, 1
+v9285.com, 0
+v9297.co, 1
+v9728.co, 1
+va-11-hall-a.cafe, 1
+va.gov, 0
+va.ua, 1
+va11hal.la, 1
+va11halla.ddns.net, 1
+vaaddress.co, 1
+vaan-arbeidsrecht.nl, 1
+vaarfoto.nl, 1
+vaartjesboten.nl, 1
+vaat.io, 1
+vabusinesses.org, 1
+vacacionesenlinea.com, 1
+vacacionestours.com, 1
+vacaf.org, 1
+vacanze-in-montagna-dolomiti.com, 1
+vacanze-merano.org, 1
+vacatecleaning.melbourne, 1
+vacati0n.tk, 1
+vacation-croatia.com, 1
+vacation-in-pisak.tk, 1
+vacationfund.co, 1
+vacationsforcouples.com, 1
+vacaturesonline.nl, 1
+vaccantcorner.ml, 1
+vaccinateiowa.gov, 1
+vaccine.gov, 1
+vaccines.gov, 1
+vaccineskill.biz, 1
+vaccinestats.net, 1
+vacek.llc, 1
+vacine.gov, 1
+vacines.gov, 1
+vackor.tk, 1
+vackradetaljer.se, 1
+vaclan.tk, 1
+vaclavambroz.eu, 1
+vacome.com, 1
+vacu.store, 1
+vacuna.gov, 1
+vacunas.gov, 1
+vacuumpump.co.id, 1
+vacuumsealers.ml, 1
+vacuumsupplystore.com, 1
+vadang.net, 1
+vadeainterior.com, 1
+vademekum.com, 1
+vader.news, 1
+vaderochvind.se, 1
+vaderqkcloud.ddns.net, 1
+vadiar-angola.tk, 1
+vadidanismanlik.com, 1
+vadik.me, 1
+vadillodelasierra.tk, 1
+vadis.tk, 1
+vadkuhparty.xyz, 1
+vado.li, 1
+vadras.rs, 1
+vaew.com, 1
+vagabond.film, 1
+vagabond.fr, 1
+vagabond.tk, 1
+vagabondages.tk, 1
+vagabondgal.com, 1
+vagabundos.tk, 1
+vagaerg.com, 1
+vagaerg.net, 1
+vaganciatechnology.com, 0
+vagasdeempregos.ga, 1
+vageenadispenser.tk, 1
+vaginalrejuvenationkentucky.com, 1
+vagmour.eu, 1
+vagonetta.tk, 1
+vagpartsdb.com, 1
+vagrantbits.com, 1
+vagrantcloud.com, 1
+vagrantup.com, 0
+vague-normande.com, 1
+vahak.in, 0
+vahl.blue, 1
+vahle.de, 1
+vahoshop.cz, 1
+vaibhavchatarkar.com, 0
+vaidikapriya.pub, 0
+vail.gov, 1
+vaildcrack.com, 1
+vaindil.com, 1
+vaioswolke.xyz, 0
+vairuok.lt, 1
+vak-pobeda.ru, 1
+vakanser.se, 1
+vakantiedetective.nl, 1
+vakantiehuis-ribbers.nl, 1
+vakantiehuisverzekeringen.nl, 1
+vakantieinfo.tk, 1
+vakantieveilingen.be, 1
+vakantieveilingen.nl, 1
+vakantieverblijfalgarve.nl, 1
+vakat.eu, 1
+vakifuniver.ru, 1
+vakita.fi, 1
+vakrebella.no, 1
+vakuutuskanava.fi, 1
+vakwinkeldemo.nl, 1
+val-casies.net, 1
+val-sec.com, 1
+valach.cz, 1
+valagrovoce.com, 1
+valant.io, 1
+valaphee.com, 1
+valariejenkins.com, 1
+valasi.eu, 1
+valassis.com, 1
+valasskyregion.cz, 1
+valbon.pl, 1
+valcano-krd.ru, 1
+valcano.ru, 1
+valdecaballeros.tk, 1
+valdega.org, 1
+valdelcubo.tk, 1
+valdifunes.com, 1
+valdor2.com, 1
+valdres.tk, 1
+valdultimo.org, 1
+valecnatechnika.cz, 1
+valek.net, 1
+valemountchamber.com, 1
+valemusicfest.com.br, 1
+valencia-s-vikoy.ru, 1
+valenciaescatala.tk, 1
+valencianisme.tk, 1
+valencianistas.tk, 1
+valencraft.ca, 1
+valencraft.com, 1
+valenhub.com, 1
+valenhub.es, 1
+valentin-dederer.de, 1
+valentin-ochs.de, 1
+valentin-weibel.com, 1
+valentin.app, 1
+valentinaquino.com, 1
+valentinarosamilia.com, 1
+valentinberclaz.com, 0
+valentinemom.cf, 1
+valentinemom.ga, 1
+valentinemom.gq, 1
+valentinemom.ml, 1
+valentinene.gov, 1
+valentinesongs.com, 1
+valentinoduval.fr, 1
+valentinog.com, 1
+valentinstag.ga, 1
+valentinstag.ml, 1
+valentinvesa.ro, 1
+valentytech.com, 1
+valerian.tk, 1
+valeriansaliou.name, 1
+valeriapanarina.com, 0
+valerieadolff.com, 1
+valerieorsoni.com, 1
+valeriya.life, 1
+valeryvenom.net, 1
+valescarodrigues.com.br, 1
+valgagym.ee, 1
+valgardsempornium.pw, 1
+valgavesi.ee, 1
+valhallastrengthsthbne.com.au, 1
+valiakhmetov.tk, 1
+valiant.finance, 1
+valiantprep.org, 1
+valid.com, 1
+validation.link, 1
+validatis.com, 1
+validator.nu, 1
+validbot.com, 1
+validius.fi, 1
+validius.net, 1
+validptr.zone, 1
+validus.sg, 1
+validvent.com, 1
+valifai.com, 1
+valigate.com, 1
+valigrama.ro, 1
+valika.ee, 1
+valimail.com, 1
+valimised.ee, 0
+valisevoyage.fr, 1
+valitsus.ee, 0
+valivalcoach.com, 1
+valivalcommerce.com, 1
+valkiryan.tk, 1
+valkohalla.dk, 1
+valkohattu.fi, 1
+valkoi-konyvtar.hu, 1
+valkoi-konyvtar.tk, 1
+valkoi-ksk.tk, 1
+valkova.net, 1
+valladolidlempira.tk, 1
+vallansuunta.net, 1
+vallartense.tk, 1
+valledeleresma.tk, 1
+valledibraies.org, 1
+valleditrianotizie.it, 1
+vallee-egoutiers.ca, 1
+valleesenlutte.org, 1
+vallei-veluwe.nl, 1
+vallejo.gov, 1
+vallejoca.gov, 1
+vallen.com, 1
+vallenar.tk, 1
+valleyautofair.com, 1
+valleybrookholidays.com, 1
+valleycom.com, 1
+valleycountyne.gov, 1
+valleydalecottage.com.au, 1
+valleyofdeath.tk, 1
+valleyofpeace.co.nz, 1
+valleyradiologypad.com, 1
+valleyradiologyufe.com, 1
+valleyshop.ca, 1
+valleystories.ga, 1
+valleysupply.biz, 1
+valleywaste.ca, 1
+valleywidetvrepair.ml, 1
+vallutaja.eu, 1
+valnetcdn.com, 1
+valoan.me, 1
+valolo.fr, 1
+valopv.be, 1
+valor-host.ml, 1
+valorantpicker.com, 0
+valorantpornhentai.com, 0
+valordolarblue.com.ar, 1
+valordotrabalho.com.br, 1
+valoriashard.tk, 1
+valorizofficial.com, 1
+valparaiso.tk, 1
+valparaisoin.gov, 1
+valpareso.tk, 1
+valphenn.blue, 1
+valpovo-online.tk, 1
+valsa.mx, 1
+valsenales.it, 1
+valshamar.is, 1
+valskis.lt, 1
+valsorey.ch, 0
+valtech.de, 1
+valtech.io, 1
+valtherperron.nl, 1
+valtlai.fi, 1
+valtoaho.com, 1
+valtool.uk, 1
+valu.com.eg, 1
+valudo.st, 1
+value.gd, 1
+valueaddedonline.com, 1
+valuelinksoftware.com, 1
+valuemyhome.co.uk, 1
+valuemyhome.uk, 1
+valueourmind.com, 1
+valueourminds.com, 1
+valueourminds.org, 1
+valueresearchonline.com, 1
+values.com, 1
+valueseed.net, 1
+valunet.co.za, 1
+valuoo-legal.com, 1
+valuskills.co.za, 1
+valuta-tools.nl, 1
+valuuttamuunnin.com, 1
+valvulasvaneo.com, 1
+vam-podarok.tk, 1
+vam3.com, 1
+vami.tk, 1
+vamoneysearch.gov, 1
+vamonospaportugal.tk, 1
+vamosalvaiazere.pt, 1
+vamosargentina.tk, 1
+vamoscomparar.com, 1
+vamoscurarsintra.pt, 1
+vamosfalardesaude.pt, 1
+vampire-studios.tk, 1
+vampire142.fr, 1
+vampireapocalypsesurvival.com, 1
+vampiresdawn.org, 1
+vampirzine.tk, 1
+vampyrium.com, 0
+vampyrium.net, 0
+vamsucai.com, 1
+vamziyuan.com, 1
+van-assen.com, 1
+van-brandevoort.tk, 1
+van-der-straeten.be, 1
+van.ddns.net, 1
+van11y.net, 1
+vanafhier.nl, 1
+vanarok.xyz, 0
+vanasperenschoenen.nl, 1
+vanbalen.be, 1
+vanbarel.tk, 1
+vanboven.nl, 1
+vanboyvital.tk, 1
+vanbruchem.tk, 1
+vanburencounty-mi.gov, 1
+vanburencountyiowa.gov, 1
+vancityconcerts.com, 1
+vancouver.gov, 1
+vancouvercosmeticsurgery.ca, 1
+vancouverdriveband.com, 1
+vancouverok.com, 1
+vancouverwademolition.com, 1
+vancouverwaseo.org, 1
+vancubers.com, 1
+vandaalen.email, 1
+vandalfsen.me, 1
+vandals.ml, 1
+vandam.io, 1
+vande-walle.eu, 1
+vandegriftplasticsurgery.com, 1
+vandemeent.eu, 1
+vandenbergfss.com, 1
+vandenbroekwi.gov, 1
+vandeput.be, 1
+vander-bugenne.fr, 1
+vanderbeek.be, 1
+vanderbeekonline.nl, 1
+vanderbiltcisa.org, 0
+vanderkley.it, 1
+vanderleeden.servepics.com, 1
+vanderlinde.ml, 1
+vandermeer.frl, 1
+vanderrijt.nl, 1
+vandersmissen.lawyer, 1
+vanderstraeten.dynv6.net, 1
+vanderzwet.net, 1
+vandi.tk, 1
+vandijkmaatwerk.nl, 1
+vandommelenart.com, 0
+vandoornmiddenzeeland.nl, 1
+vandortgroep.nl, 1
+vandrielschoenen.nl, 1
+vandyhacks.org, 1
+vanesaleiro.tk, 1
+vanessaamorosi.tk, 1
+vanessabalibridal.com, 1
+vanessaglendagarcia.tk, 1
+vanessarivas.com, 1
+vaneurology.com, 1
+vaneyckexpo.be, 1
+vaneyckwashere.be, 1
+vaneyckwashere.com, 1
+vaneyckwashere.eu, 1
+vaneyckwashere.gent, 1
+vangest.com, 1
+vangest.pt, 1
+vangoghcoaching.nl, 1
+vanguards.tk, 1
+vanhatten.com, 1
+vanhelsing.ml, 1
+vanhelsing.tk, 1
+vanherle-dakdichting.be, 1
+vanhoudt-usedcars.be, 1
+vanhoutte.be, 0
+vanhove.biz, 1
+vaniamgroup.com, 1
+vanier.gc.ca, 1
+vanilla-official.jp, 1
+vanillacoder.co.za, 1
+vaninsure247.co.uk, 1
+vaniola.com, 1
+vanished.tk, 1
+vanitas.xyz, 0
+vanityestetik.com, 1
+vanityfairnapkins.com, 0
+vanivi.ml, 1
+vanjeveren.nl, 1
+vanlierdezottegem.be, 1
+vanlong.com.vn, 1
+vanmalland.com, 1
+vanmalleghem.eu, 1
+vanna-mechti.tk, 1
+vanna-original.ru, 1
+vanna5.ru, 1
+vannaos.com, 1
+vannaos.net, 1
+vanndigital.com, 1
+vanner.com, 1
+vannoordgouda.nl, 1
+vanouwerkerk.net, 1
+vanquish.tk, 1
+vanral.com.br, 1
+vanrichie.nl, 1
+vanspa.vn, 1
+vanstoftotleven.nl, 1
+vantagepointpreneed.com, 1
+vantagesfa.com, 1
+vantien.com, 1
+vantru.is, 1
+vanuithartenziel.nl, 1
+vanvanlines.com, 1
+vanwa.ch, 1
+vanwertcountyohio.gov, 1
+vanwoensei.xyz, 1
+vanwoensel.directory, 1
+vanwoensel.xyz, 1
+vanwort.de, 1
+vanwunnik.com, 1
+vanya.click, 1
+vanyavpn.com, 1
+vanyavpn.ru, 1
+vaoig.gov, 1
+vapebhd.com, 1
+vapebuddy.ch, 1
+vapeclub.co.uk, 1
+vapecom-shop.com, 1
+vapecraftinc.com, 0
+vapecrunch.com, 1
+vapeforest.co.uk, 1
+vapehousebh.com, 1
+vapehouseksa.com, 1
+vapeking.co.za, 1
+vapensiero.co.uk, 1
+vapesense.co.uk, 1
+vapeshoppos.com, 1
+vapetaclope.cf, 1
+vapevine.ca, 1
+vapex.pl, 1
+vapingdaily.com, 1
+vapocial.com, 1
+vapolik.fr, 1
+vapoo.de, 1
+vapor.cloud, 0
+vapordepot.jp, 1
+vaporquest.tk, 1
+vapotank.com, 1
+vapoteuse.fr, 1
+vapourtown.com, 1
+vapteke.ru, 1
+vaptkidsight.azurewebsites.net, 1
+varaani.tk, 1
+varalaval.com, 1
+varb.in, 1
+varcare.jp, 1
+varda.nl, 1
+vardakeio.gov.gr, 1
+vardenafilhcl.gq, 1
+varela-electricite.fr, 1
+varelaloca.tk, 1
+varghese.de, 1
+variable.dk, 1
+variablyconstant.com, 1
+variance.pl, 1
+varianteespiritual.gal, 1
+variatesonline.tk, 1
+variatkowo.pl, 1
+varied.ga, 1
+varierchairs.com, 1
+variohyp.de, 1
+variomedia.de, 1
+variusunum.com, 1
+varizh.by, 1
+varjo.tk, 1
+varjuring.tk, 1
+varlex.cl, 1
+varlin.tk, 1
+varney.tk, 1
+varnish.ga, 1
+varonahairrestoration.com, 0
+varrogepcentrum.hu, 1
+varshathacker.com, 1
+varun-rajeshwari.tk, 1
+varuniyer.info, 1
+varvitra20mg.ga, 1
+varyrentacar.com, 1
+varztupasaulis.com, 1
+varztupasaulis.eu, 1
+varztupasaulis.lt, 1
+varztupasaulis.net, 1
+vas-webmaster.cz, 1
+vas.com, 1
+vasaconsulting.com, 1
+vasanth.org, 0
+vasaprilezitost.eu, 1
+vasconcellos.casa, 1
+vascularlaser.com.br, 1
+vase-anduze.fr, 1
+vase-dovolena.cz, 1
+vasel.de, 1
+vasel.eu, 1
+vaselin.cf, 1
+vaselin.ga, 1
+vaselin.gq, 1
+vaselin.ml, 1
+vaselin.tk, 1
+vases.tk, 1
+vasficelik.com, 1
+vash-doctor.tk, 1
+vash-dom.tk, 1
+vashdohod.ml, 1
+vashel.us, 1
+vasheradio.tk, 1
+vashmatrass.ru, 1
+vashprazdnik.tk, 1
+vasilev.wtf, 1
+vasilevo.tk, 1
+vasilijeojdanic.ml, 1
+vasilijeojdanic.tk, 1
+vasilikieleftheriou.com, 1
+vasilisa-volodina.cf, 1
+vasilisa-volodina.ga, 1
+vasilisa-volodina.gq, 1
+vasilisa-volodina.ml, 1
+vaskulitis-info.de, 1
+vasp.at, 1
+vassalengine.org, 1
+vassourassaojoao.com.br, 1
+vastdata.com, 0
+vastgoed-lidl.nl, 1
+vastgoedcert.nl, 1
+vastgoedfaculteit.be, 1
+vastu.co.il, 1
+vasya-com.tk, 1
+vasya-odyag.tk, 1
+vasyaka.cf, 1
+vasyaka.ga, 1
+vasyharan.com, 1
+vat-eu.com, 1
+vat-funding.com, 1
+vat.direct, 1
+vatav.eu, 1
+vatav.tk, 1
+vatazhok.com, 1
+vatikantour.tk, 1
+vatlieuhay.com, 1
+vatman.tk, 1
+vatnik.info, 1
+vato.nl, 1
+vatogo-dev2.xyz, 1
+vats.im, 1
+vattulainen.fi, 1
+vauban-ip.com, 1
+vauceri.hr, 1
+vaugarnier.fr, 1
+vaughanrisher.com, 1
+vaulavalpola.tk, 1
+vault.investments, 1
+vault.spdns.eu, 1
+vault12.com, 1
+vault12.io, 1
+vault182.xyz, 1
+vault81.de, 1
+vaultdoma.in, 1
+vaultproject.io, 0
+vaur.fr, 1
+vaurio.tk, 1
+vavabid.be, 1
+vavada.com, 1
+vave.men, 1
+vavel.com, 1
+vawebsite.co, 1
+vawic4retailers.org, 1
+vawlt.io, 1
+vawomenshealth.com, 1
+vaxbook.com, 1
+vayaport.com, 1
+vayaprecio.es, 1
+vayavotarcolorado.gov, 1
+vaygren.com, 1
+vazdemelloconsultoria.com.br, 1
+vb.com.br, 1
+vba.rest, 1
+vbanu.com.ua, 1
+vbelgorode.tk, 1
+vbetcn.com, 1
+vbl.co.th, 1
+vbql.me, 1
+vbsoft.cz, 1
+vbttc.com, 1
+vburyatii.ml, 1
+vbwinery.com, 1
+vc123.xyz, 1
+vcacursus.nl, 1
+vcanederland.nl, 1
+vcard.mx, 1
+vcare.group, 1
+vccload.com, 1
+vccmurah.net, 1
+vccv.cc, 1
+vcdspro.de, 1
+vcebookclub.com.au, 1
+vcelin-na-doliku.cz, 1
+vcf.gov, 1
+vchelyabinske.tk, 1
+vclobby.com, 1
+vcloudways.com, 1
+vcm.ru, 1
+vcmi.download, 1
+vcockpit.de, 1
+vconcept.ch, 1
+vconcept.me, 1
+vconstruct.com, 1
+vcot.info, 1
+vcpa.gov, 1
+vcperinatologickedny.cz, 1
+vcraftaudio.com, 1
+vcross.cf, 1
+vcs-steuern.de, 1
+vcsafrica.com, 1
+vcsjones.codes, 1
+vcsjones.com, 1
+vcsource.tk, 1
+vcti.cloud, 1
+vcz.fr, 1
+vczk.me, 1
+vd42.net, 0
+vda.li, 1
+vdagestan.tk, 1
+vdalabs.com, 1
+vdbongard.com, 1
+vdcomp.cz, 0
+vddruckwerk.de, 1
+vdemuzere.be, 0
+vdheyden.net, 0
+vdim.shop, 1
+vdisk24.de, 1
+vdmeij.com, 1
+vdmeta.com, 1
+vdolg2000rub.ga, 1
+vdolg2000rub.ml, 1
+vdolg8000rub.cf, 1
+vdolg8000rub.ga, 1
+vdolg8000rub.gq, 1
+vdolg8000rub.ml, 1
+vdolg8000rub.tk, 1
+vdotdatasharing.org, 1
+vdownloader.com, 1
+vdprotezai.lt, 1
+vdrei.at, 1
+vdslux.eu, 1
+vdstc.com, 1
+vdw-instruments.com, 1
+vdw.ovh, 1
+ve-1xbet.com, 1
+ve.search.yahoo.com, 0
+ve3oat.ca, 1
+veadoscomfome.tk, 1
+veast.network, 1
+vebbankir-zajm-onlajn.gq, 1
+vebdengi.tk, 1
+vebeco.de, 1
+veber.bg, 1
+veca.tk, 1
+vecara.es, 1
+vecchiofornobarletta.it, 1
+vechainstats.com, 1
+vecherka.tk, 1
+vechersky.tk, 1
+vectomatic.org, 1
+vectops.com, 0
+vector.express, 1
+vectorcardiometry.tk, 1
+vectordtg.com, 0
+vectormagnetics.com, 1
+vectorracquet.com, 1
+vectortrack.com.au, 1
+vectorwish.com, 1
+vectrum.cf, 1
+vedeneev.tk, 1
+vedev.io, 1
+vedma-praktik.com, 1
+vedom.ru, 1
+vedran-zulin.from.hr, 1
+vee.ci, 1
+veeam.com, 1
+veebill.com, 1
+veebiveski.ee, 1
+veefna.com, 1
+veegish.com, 1
+veekshanam.com, 1
+veerleklinge.nl, 1
+veessen.tk, 1
+veethi.com, 1
+veeva.com, 1
+veeva.link, 1
+veg-leiden.nl, 0
+veg.lv, 0
+vega-diva.com, 1
+vega-rumia.pl, 1
+vega.education, 1
+vegalanguageacademy.ca, 1
+vegan-essen.tk, 1
+vegan-kochen.tk, 1
+vegan-pratique.fr, 1
+vegane-proteine.com, 1
+veganenumbers.com, 1
+veganfamiliesclub.com, 1
+vegangaymer.blog, 1
+veganism.co.uk, 1
+veganism.com, 1
+veganismo.tk, 1
+veganitos.tk, 1
+veganmasterrace.com, 1
+veganplace.it, 1
+veganrecipereviews.com, 1
+veganuary.com, 1
+veganvisboer.nl, 1
+veganz.de, 1
+vegardit.com, 1
+vegascasino.news, 1
+vegasconcepts.com, 1
+vegasluxuryestates.com, 1
+vegasrock.tk, 1
+vegavio.com, 1
+vegculinary.com, 1
+vege-tables.fr, 1
+vegekoszyk.pl, 1
+vegepa.com, 1
+vegetariantokyo.net, 1
+vegetarier-sind-moerder.tk, 1
+veggie-einhorn.de, 0
+vegoresto.fr, 1
+vegpro.com, 1
+vegtelenchat.tk, 1
+veguillas.tk, 1
+vegvor.com, 1
+vehicleenquiry.service.gov.uk, 1
+vehiclehistory.gov, 1
+vehicleinfozone.com, 1
+vehicletax.service.gov.uk, 1
+vehicletransportservices.co, 1
+veidiheimar.is, 1
+veii.de, 1
+veikkosimpanen.fi, 1
+veiligesmartcities.nl, 1
+veilletechno-it.info, 1
+veilofsecurity.com, 1
+veincenterbrintonlake.com, 1
+veintidos.com.ar, 1
+vejanoticias.com.br, 1
+vejaparki.lv, 1
+vejas2004.tk, 1
+vejersferie.de, 1
+vek.com.br, 1
+vekashka.gq, 1
+vekenz.com, 1
+vektlofting.tk, 1
+vektor.tk, 1
+vektorparts.ru, 1
+velacartagena.tk, 1
+velassoltas.pt, 1
+veldadvies.nl, 1
+veldhovenactief.nl, 1
+velen.io, 1
+veles-moto.ru, 1
+velesnet.ml, 1
+velforo.com, 1
+veli.ee, 1
+velichkin.tk, 1
+velika-balgaria.tk, 1
+velikijhutir.cherkassy.ua, 1
+velis.tk, 1
+velken.de, 1
+vellandreathcornishcottages.com, 1
+vellingetaxi.se, 1
+velmart.ua, 1
+velmorra.id, 1
+velo-doktor.ch, 1
+velo-volga.tk, 1
+velo24.tk, 1
+velobar.plus, 1
+velociter.net, 1
+velocitycu.com, 0
+velocityelectronics.com, 1
+velocityfiber.com, 1
+velocitygames.tk, 1
+velocityhost.com.au, 1
+velocitytech.com, 1
+velocompany.com, 1
+velocompany.de, 1
+velomap.org, 1
+velonustraduction.com, 1
+velopinion.fr, 1
+veloroute.hamburg, 1
+velosipedi.tk, 1
+velostudio.com.ua, 1
+velotours.ga, 1
+velotyretz.fr, 0
+velovelo.gq, 1
+veluwerally2002.tk, 1
+velvet-tarantula.tk, 1
+velvetempire.tk, 1
+velvetia.no, 1
+vema-bg.com, 1
+venacifuentes.tk, 1
+venali.tk, 1
+venalytics.com, 1
+venangocountypa.gov, 1
+venatorinc.tk, 1
+venbot.tk, 1
+vendaapartamentomoema.com.br, 1
+vendadopinheiro.com, 1
+vendadopinheiro.net, 1
+vendadopinheiro.org, 1
+vendagora.tk, 1
+vendasdealbunsbrasil.tk, 1
+vendee.tk, 1
+vendela.tk, 1
+vendermicasarapido.com.mx, 1
+vendi.it, 1
+vendigital.com, 1
+vendingmachines.tk, 1
+vendisrls.it, 1
+venditorepoa.com.br, 1
+vendloop.com, 1
+vendomicasaenserena.cl, 1
+vendor-finance.uk, 1
+vendorconnect.nyc, 1
+vendorful.com, 1
+vendorleasing.uk, 1
+vendorpedia.com, 1
+vendreacheter.be, 1
+vendreacheter.net, 1
+vendserve.eu, 1
+vendsoefoutra.ga, 1
+vendsoefoutra.ml, 1
+venegreco.com, 1
+venenum.org, 1
+venera-magik.tk, 1
+venere.it, 1
+venesuela.cf, 1
+venetkaarsenovart.com, 1
+venev.com, 1
+venev.name, 1
+venezia.ga, 1
+veneziatoday.it, 1
+venezuelachat.tk, 1
+venezuelalibre.tk, 1
+venga.tk, 1
+vengriya.tk, 1
+venicci.co.uk, 1
+venicecakes.ga, 1
+venicecomputerrepair.com, 1
+venicefl.gov, 1
+venicefloridawebsitedesign.com, 1
+venicerealdeal.com, 1
+venje.pro, 0
+venlafaxine.gq, 1
+venn.com, 1
+venndy.com, 1
+vennet.fr, 1
+vennprime.com, 1
+venomxsecurity.com, 1
+venostech.com, 1
+venstar.com, 1
+ventajasdesventajas.com, 1
+ventana.kz, 1
+ventanillaproveedorespit.com, 1
+ventasreit.com, 1
+ventassantillan.com, 1
+vente-voiture.org, 1
+ventes-privees-flash.fr, 1
+venti-athens.gr, 1
+venti.eu.org, 1
+ventilateurs-plafond.com, 1
+ventiques.com, 1
+ventizo.com, 1
+ventnose.com, 1
+ventolin-hfa.tk, 1
+ventolin.ga, 1
+ventomaxx.de, 1
+ventor.ml, 1
+ventosport.nl, 1
+ventrahealth.com, 0
+ventuordici.org, 1
+venturavwparts.com, 1
+venture.biz.id, 1
+venturebanners.co.uk, 1
+ventureharbour.com, 1
+venturepointe.com, 1
+ventures.lgbt, 1
+ventureslgbt.com, 1
+venturum.com, 1
+venturum.de, 1
+venturum.eu, 1
+venturum.net, 1
+venuedriver.com, 1
+venurse.net, 1
+venus-erotic.com, 1
+venus-football-giveaway.co.uk, 0
+venusbeautyproducts.in, 1
+venusvprincess.com, 1
+venzeo.com, 1
+veobas.com, 1
+veonow.com, 1
+vepein.ga, 1
+vepein.gq, 1
+veply.com, 1
+ver.ma, 1
+ver.re, 1
+vera-1.ru, 1
+verae.tk, 1
+verafin.com, 1
+verakoubova.net, 1
+veramagazine.jp, 0
+veramark.cl, 1
+verasani.ch, 1
+verasani.com, 1
+verascityscience.com, 1
+verasoie.fr, 1
+verasoul.com, 1
+verasrvmobiledetail.com, 1
+verata.co, 0
+verbacxss.it, 1
+verberne.nu, 1
+verbert.be, 1
+verbier-lechable.com, 1
+verbierfestival.com, 0
+verbindingsboerderij.nl, 1
+verbindingsboerderijdekoolberg.nl, 1
+verbmaestro.com, 1
+verboom.co.nz, 1
+verbundkredit.ag, 1
+verbundkredit.biz, 1
+verbundkredit.com, 1
+verbundkredit.de, 1
+verbundkredit.eu, 1
+verbundkredit.info, 1
+verbundkredit.net, 1
+verbundkredit.org, 1
+verbzilla.com, 1
+vercel.co, 1
+vercel.com, 1
+vercel.email, 1
+vercel.org, 1
+vercel.sh, 1
+vercopy.com, 1
+vercountyil.gov, 1
+verdeandco.co.uk, 1
+verdensflag.dk, 1
+verdeplus.net, 1
+verdesfoundation.org, 1
+verdict.gg, 1
+verdict.ro, 1
+verdonkadvocaten.nl, 1
+verduccies.com, 0
+verdugosxerecistas.tk, 1
+veredadelaestrella.tk, 1
+verein-kiekin.de, 1
+vereine-weiskirchen.de, 1
+vereinscheck.de, 1
+vereinswahl.online, 1
+veren-group.ua, 1
+verena.gallery, 1
+vereshagino.tk, 1
+verf.nu, 1
+verfassungsklage.at, 1
+verge-solutions.com, 1
+verge.capital, 1
+vergehealth.com, 1
+vergelijksimonly.nl, 1
+vergelijkwitgoed.nl, 1
+vergesense.com, 1
+vergessen.cn, 1
+vergilioferreira.pt, 1
+vergraal.tk, 1
+verhaltenstherapie-weiden.de, 1
+verhaslaw.com, 1
+verhave.net, 1
+verhoog.xyz, 1
+veri2.com, 1
+verifalia.com, 1
+verificationlink.ga, 1
+verified.lu, 1
+verifiedcliq.com, 1
+verifiedhandles.org, 1
+verifiedjoseph.com, 0
+verifiny.com, 1
+verifize.co.za, 1
+verify.gov.sg, 1
+verifyos.com, 1
+verifyyourip.com, 1
+verigom.com, 1
+verikom.kiev.ua, 1
+verindra.ga, 1
+veriomed.com, 1
+veripn.com, 1
+veritablescreening.com, 1
+veritafineviolins.com, 1
+veritas-data.de, 1
+veritashomeschoolers.org, 1
+veritasinvestmentwealth.com, 1
+veriteliberte.fr, 1
+veriteslibertes.com, 1
+veriteslibertes.fr, 1
+verityinspections.com, 1
+verizonconnect.com, 0
+verkada.com, 1
+verkami.com, 1
+verkeer.gent, 1
+verkeersschoolrichardschut.nl, 1
+verkeersschoolvanhouten.nl, 1
+verkkovalmentajat.fi, 1
+verkossa.tk, 1
+verksampsykologi.com, 1
+verlag-lq.at, 1
+verlag-lq.ch, 1
+verlag-lq.com, 1
+verlag-lq.de, 1
+verlag-lq.net, 1
+verlagdrkovac.de, 0
+verlaglq.com, 1
+verland.org, 1
+verleger.biz, 1
+verliebt-in-bw.de, 1
+verliebt-in-niedersachsen.de, 1
+verliefde-jongens.nl, 1
+verlocke.de, 1
+verloja.com, 1
+verloskundigepraktijktolmiea.nl, 1
+vermaeckbouw.nl, 1
+vermageringsdieetpillen.ga, 1
+vermageringsdieetpillen.gq, 1
+vermageringsdieetpillen.tk, 1
+vermellcollection.com, 1
+vermogeninkaart.nl, 1
+vermont.builders, 1
+vermontbiz.com, 1
+vermontflannel.com, 1
+vermontvilletownshipmi.gov, 1
+vermouth.cf, 1
+vermuetje.nl, 1
+vern.cc, 0
+vernal.gov, 1
+verndale.com, 1
+vernis-marins.com, 1
+vernonfigureskatingclub.com, 1
+vernonfilmsociety.bc.ca, 1
+vernonreinike.com, 1
+vernonsecureselfstorage.ca, 1
+vernonspeedskatingclub.com, 1
+vernonvt.gov, 1
+veronasera.it, 1
+veroncloud.com, 1
+veronic.hu, 1
+veronicasuperguide.nl, 1
+veronique-schmitz.de, 1
+veropharm.ru, 1
+veros-volejbal.tk, 1
+veros.com, 1
+verrame.no, 1
+verry.org, 1
+vers.one, 1
+versa-networks.com, 1
+versagercloud.de, 1
+versahub.com, 1
+versaillestourisme.fr, 1
+versalhost.nl, 1
+versallesin.com, 1
+versanthealth.com, 1
+versata.pt, 1
+versatek.com, 1
+versbesteld.nl, 1
+verschil.info, 1
+verschoren.com, 0
+verschurendegroot.nl, 1
+verse.eu.org, 1
+versfin.net, 1
+versia.ru, 1
+versicherung-website.de, 1
+versicherungen-werner-hahn.de, 1
+versifylabs.com, 1
+versionit.org, 1
+versium.net, 1
+verspai.de, 1
+versprite.com, 1
+verstaanwiskunde.co.za, 1
+verstka.cf, 1
+verstka.ga, 1
+verstka.tk, 1
+verstraetenusedcars.be, 1
+versus-hair.com, 1
+versusforum.tk, 1
+versustexas.com, 1
+vertanex.com, 1
+vertaxaccountants.co.uk, 1
+vertebrates.com, 1
+vertec-cloud.at, 1
+vertec-cloud.com, 1
+vertec-cloud.de, 1
+vertec-test.at, 1
+vertec-test.com, 1
+vertec-test.de, 1
+vertec.com, 1
+verteilergetriebe.info, 1
+vertex-academy.com, 1
+vertexinc.com, 1
+vertexlife.ml, 1
+vertexlife.tk, 1
+vertexsmb.com, 1
+vertexventures.co.il, 1
+vertexventures.sg, 0
+verticalmindventures.com, 1
+verticals.tk, 1
+verticalstructure.com, 1
+verticecloud.com, 1
+verticesedge.com, 1
+vertichost.com, 1
+vertichost.ro, 1
+verticweb.com, 1
+vertigo.name, 0
+vertigomassage.com, 1
+vertikal.tk, 1
+vertiko.de, 1
+vertip.net, 1
+vertispro.com, 1
+vertragsfix.de, 1
+vertrauen.site, 1
+vertretungsplan.io, 1
+vertrieb-strategie.de, 1
+vertrouwenspiegel.nl, 1
+vertymelo.com, 1
+verustracking.com, 1
+verve.com, 1
+vervewellness.co.nz, 1
+verwandlung.org, 1
+verwarring.tk, 1
+very-good.ru, 1
+veryapt.com, 1
+verybin.com, 1
+veryestate.com, 1
+veryfinecommentary.tk, 1
+verygoodmarketing.nl, 1
+verygoodwebsite.ca, 1
+veryhome.com.pe, 1
+verymelon.de, 1
+verymetal.site, 1
+veryssl.com, 1
+veryswing.com, 1
+verzekerdbijhema.nl, 1
+verzekeringsacties.nl, 1
+verzekerjebeter.nl, 0
+verzick.com, 1
+vesa.ro, 1
+vesaviljanen.fi, 1
+vescudero.net, 1
+veseleruska.sk, 1
+veselka.tk, 1
+veselyjpovar.gq, 1
+vesen.tk, 1
+vesinhcongnghiepttchome.com, 1
+vesiskitim.ru, 1
+veski.hr, 1
+vesmail.biz, 1
+vesmail.email, 1
+vesna2011.tk, 1
+vespacascadia.com, 1
+vesseldove.com, 1
+vesselportal.com, 1
+vessentys.com, 1
+vesta.us, 1
+vestacp.top, 1
+vestakassa-online.cf, 1
+vestal.nl, 1
+vestalny.gov, 1
+vestberry.com, 1
+vestd.com, 0
+vestia.nl, 1
+vestibtech.com, 1
+vestibulaire.ch, 1
+vestibular.science, 1
+vestiizhevska.cf, 1
+vestingbar.nl, 1
+vestirnakaret.cz, 1
+vestkyneonline.cz, 1
+vestlundbolargen.tk, 1
+vestnik24.cf, 1
+vestum.ru, 1
+vesuvio.tk, 1
+vet24hour.co.uk, 1
+vet4life.co.uk, 1
+vetafarm.com.au, 1
+vetantumapu.cl, 1
+vetbilgi.com, 1
+vetbits.com, 0
+vetcard.info, 1
+vetch.ga, 1
+vetclick.com, 1
+veteranpcs.com, 1
+veteranreservecorps.com, 1
+veteransadvantage.com, 1
+veteranscrisisline.net, 1
+veteransfirstwatch.com, 1
+veteransholidaylights.com, 1
+veteransroofingllc.com, 1
+veteranticketsfoundation.org, 1
+veterinanmnm.cz, 1
+veterinanmnm.eu, 1
+veterinarian-hospital.com, 1
+veterinarianedu.org, 1
+veterinario.milano.it, 1
+veterinario.roma.it, 1
+veterinary-colleges.com, 1
+veterinaryhelp.cf, 1
+veterinaryvision.co.uk, 1
+veteriner.name.tr, 1
+veterquimica.pe, 1
+vetikalender-berlin.de, 1
+vetinte.eu, 1
+vetitus-teatro.tk, 1
+vetmgmt.com, 1
+vetnet.info, 1
+veto.fish, 1
+vetofish.com, 1
+vetosh.tk, 1
+vetpraxis.de, 1
+vetputten.nl, 1
+vetrehabsummit.com, 1
+vetren.tk, 1
+vetreria.roma.it, 1
+vetres.net.au, 1
+vets.gov, 1
+vets24.ae, 1
+vetscore.co.za, 1
+vetsmarketing.co.za, 1
+vetsource.com, 0
+vettenburg.eu, 1
+vettix.org, 1
+vetuni.cz, 1
+vetuni.eu, 1
+vetustainversion.com, 1
+vetvim.com, 1
+vetvine.com, 1
+veules-les-roses.fr, 1
+veve.com, 1
+veverusak.cz, 1
+vevioz.com, 1
+vexsh.com, 1
+vezettaksii.ru, 1
+veziaici.net, 1
+vezzo.one, 1
+vf-bikes.be, 1
+vf99.com, 1
+vfbikes.be, 1
+vfc.com, 0
+vfdworld.com, 1
+vfg.com.ua, 1
+vfn-nrw.de, 1
+vfnm.de, 1
+vfree.org, 0
+vfu.cz, 1
+vfwpost1.org, 1
+vfxstudy.com, 1
+vg-resource.com, 1
+vgatest.nl, 1
+vgbf.tk, 1
+vgchat.us, 1
+vgcheat.com, 1
+vgdocs.com, 1
+vgerak.com, 1
+vglist.co, 1
+vgopilot.azurewebsites.net, 1
+vgorcum.com, 1
+vgpu.vladimir.ru, 1
+vgropp.de, 1
+vgxcontactcenter.com.br, 1
+vgywm.com, 1
+vhelio.org, 1
+vhg.org, 1
+vhiweb.com, 1
+vhosting-it.com, 1
+vhproductions.tk, 1
+vhumo.com, 1
+via-tygo.com, 1
+via1buynow.com, 1
+viabenefitsaccounts.com, 1
+viacdn.org, 1
+viacheslavpleshkov.com, 1
+viadennis.nl, 1
+viaelegancestore.com.br, 1
+viaeth.io, 1
+viafoura.com, 1
+viaggioincoppia.com, 1
+viaggivistos.com.br, 1
+viagraest.com, 1
+viagramarketim.com, 1
+viagramarketim.org, 1
+viagratop.tk, 1
+viagusto.pl, 1
+viajantecolorido.com.br, 1
+viajantesturismo.com, 1
+viajarconmascotas.pro, 1
+vialibido.com.br, 1
+vialknives.com, 1
+vialorran.com, 0
+vialto.com, 1
+viamax.eu, 1
+viamilitaris.net, 1
+vianetplc.com, 1
+vianica.com, 1
+viaon.net.br, 1
+viapajucara.com.br, 1
+viaprinto.de, 1
+viaprofit.tk, 1
+vias-ferratas.tk, 1
+viasalix.nl, 1
+viasinc.com, 0
+viato.fr, 1
+viaura.biz, 1
+viawave.tk, 1
+viaweb.sa, 1
+viawirelessllc.com, 1
+viba-sweets.de, 1
+vibaphoto.com, 1
+vibaphoto.fr, 1
+vibbo.no, 1
+vibbslist.com, 1
+vibcon.com, 1
+vibehire.co.uk, 1
+vibeonline.tk, 1
+vibgyyor.com, 1
+vibioh.fr, 1
+vibox.co.uk, 1
+vibraagenciadigital.com.br, 1
+vibramycin100mg.tk, 1
+vibrato1-kutikomi.com, 1
+vibrolandia.com, 1
+vibromax.com, 1
+vibromax.net, 1
+vibromax.org, 1
+vicarious.cf, 1
+vicellishoes.com, 1
+vicenez.agency, 1
+vicentaburon.tk, 1
+vicentejr.com.br, 1
+vicenterodriguez81.tk, 1
+vicentico.tk, 1
+vicenzatoday.it, 1
+vicescorts.ga, 1
+vicete.tk, 1
+vichiya.com, 1
+vichovska-vyhlidka.cz, 1
+vician.cz, 1
+vicicode.com, 1
+vicieux.art, 1
+vicinityindustrial.com.au, 1
+vicioanimal.pt, 1
+viciousflora.com, 1
+viciousracing.tk, 1
+vicjuwelen-annelore.be, 1
+vickyflipfloptravels.com, 0
+vickyhundt.com, 1
+vickylarraz.tk, 1
+vickyoliver.tk, 1
+vicmatus.com, 1
+vico.vn, 1
+vicrea.nl, 1
+vicsancab.com, 1
+victimizer.tk, 1
+victora.com, 1
+victorblomberg.se, 1
+victorbuch.cf, 1
+victorc.net, 1
+victorcalvez.com, 1
+victorcanera.com, 1
+victorcarrasco.tk, 1
+victorcarwasher.com, 1
+victoreriksson.ch, 1
+victoreriksson.co, 1
+victoreriksson.es, 1
+victoreriksson.eu, 1
+victoreriksson.info, 1
+victoreriksson.me, 1
+victoreriksson.net, 1
+victoreriksson.nu, 1
+victoreriksson.org, 1
+victoreriksson.se, 1
+victoreriksson.us, 1
+victoreriksson.xyz, 1
+victorhawk.com, 1
+victorhorta.tk, 1
+victoria-clinic.ru, 1
+victoria-legis.ru, 1
+victoria.associates, 1
+victoriaartist.ru, 1
+victoriabeckham.tk, 1
+victoriacountytx.gov, 1
+victoriaharmandjieva.art, 1
+victoriait.com, 1
+victoriait.com.au, 1
+victoriamn.gov, 1
+victorianosaez.tk, 1
+victoriastudio.ru, 1
+victoriavalente.net, 1
+victoridaho.gov, 1
+victorique.moe, 1
+victorjacobs.com, 0
+victornet.de, 1
+victoroilpress.com, 1
+victorpelletmill.com, 1
+victorpericiales.com, 1
+victorricemill.com, 1
+victorrodriguez.ml, 1
+victorunix.com, 1
+victory.radio, 1
+victoryalliance.us, 1
+victorychurch.org.tw, 1
+victoryoutreach.org, 1
+victrays.com, 1
+victusrp.gq, 1
+vicugna.nl, 1
+vicyu.com, 1
+vidaliala.gov, 1
+vidanuevaparaelmundo.net, 1
+vidanuevaparaelmundo.org, 1
+vidaparalela.tk, 1
+vidapositiva.tk, 1
+vidarity.com, 1
+vidassemfronteiras.com, 1
+vidatantrica.com, 1
+vidawichi.tk, 1
+vidaxp.com, 1
+vidazoo.com, 1
+vidb.me, 1
+vidbooster.com, 0
+vidbuchanan.co.uk, 1
+vidcruiter.com, 0
+vide-dressing.org, 0
+vide-greniers.org, 0
+vide-maisons.org, 0
+videferre.tk, 1
+video-converter.com, 1
+video-lab.it, 1
+video-oldenburg.de, 1
+videoarcadia.cf, 1
+videoarcadia.ml, 1
+videobible.com, 1
+videocall.guide, 1
+videochatv.com, 1
+videochums.com, 1
+videoclean.fr, 1
+videoclubhd.ga, 1
+videoclubhd.ml, 1
+videoconferencing.guide, 1
+videoebook.tk, 1
+videoeta.com, 1
+videogameconsole.ir, 1
+videogamer.com, 1
+videogamerreader.tk, 1
+videogamesartwork.com, 1
+videograb.ga, 1
+videograb.ml, 1
+videoguard.nl, 1
+videoha.ml, 1
+videojet.com, 1
+videojuegos.com, 1
+videoload.co, 1
+videomagic.ai, 1
+videomail.io, 1
+videomaker.it, 1
+videomaniya.ml, 1
+videomarketermastery.com, 1
+videonika.tk, 1
+videopediablogs.tk, 1
+videopokerez.cf, 1
+videopornoitaliana.com, 1
+videoprikol.cf, 1
+videoprikoly.ga, 1
+videoregion.ru, 1
+videoremote.tk, 1
+videosengracado.ga, 1
+videoseyred.in, 1
+videoskaseros.com, 1
+videoskazka.tk, 1
+videospericos.tk, 1
+videosporno.life, 1
+videosporno.org, 1
+videot.tk, 1
+videotehnika.tk, 1
+videoueberwachung-set.de, 1
+videouroki.ml, 1
+videov.tk, 1
+videovt.tk, 1
+videozv.tk, 1
+videsk.io, 1
+videt-son.cf, 1
+videt-son.ml, 1
+videt-son.tk, 1
+vidimte.eu, 1
+vidiproject.com, 1
+vidister.de, 0
+viditour-golf.nl, 1
+viditour-zorg.nl, 1
+vidkovaomara.si, 1
+vidlen.com, 1
+vidlen.ru, 1
+vidlyoficial.com, 1
+vidooo.de, 1
+vidracariaembh.com, 1
+vidrop.me, 1
+vidtekno.com, 1
+vidulo.com, 1
+vidyamonk.com, 1
+viedecelibataire.fr, 1
+viega.at, 1
+viega.be, 1
+viega.ca, 1
+viega.ch, 1
+viega.co.uk, 1
+viega.com, 1
+viega.com.au, 1
+viega.cz, 1
+viega.de, 1
+viega.dk, 1
+viega.es, 1
+viega.fi, 1
+viega.fr, 1
+viega.hr, 1
+viega.hu, 1
+viega.in, 1
+viega.it, 1
+viega.lt, 1
+viega.lv, 1
+viega.mx, 1
+viega.nl, 1
+viega.no, 1
+viega.pl, 1
+viega.pt, 1
+viega.ro, 1
+viega.rs, 1
+viega.se, 1
+viega.sg, 1
+viega.si, 1
+viega.sk, 1
+viega.us, 1
+viekelis.lt, 0
+vielfalt.link, 1
+vielleserin.de, 1
+viemeister.com, 1
+viemontante.be, 0
+vienna.photos, 1
+viennadancecrew.at, 1
+viennawi.gov, 1
+vientos.coop, 0
+vientosur.info, 1
+vieon.vn, 1
+viepixel.at, 1
+vierdaagsehotel.nl, 1
+vieref.eu, 1
+vierna.ga, 1
+vierpfeile.de, 1
+vierpluseins.wtf, 1
+vietconghackz.tk, 1
+vietdungit.vn, 0
+vietfes.asia, 1
+vietforum.ml, 1
+vietnam-fishing.com, 1
+vietnam-lifer.com, 1
+vietnam-tours.tk, 1
+vietnameselove.com, 1
+vietnamhairs.com, 1
+vietnamhost.vn, 0
+vietnamphotoblog.com, 0
+vietnamphotographer.net, 1
+vietnamtravelmart.com.vn, 1
+vietnamvisa.cf, 1
+vietnamvisa.ga, 1
+vietquan.net, 1
+viettelstore.vn, 1
+vietzzaune.de, 1
+vieux.pro, 1
+vievolution.tk, 1
+view-page-source.com, 1
+vieweb.tk, 1
+viewer.ga, 1
+viewflix.win, 1
+viewfreescore.com, 1
+viewing.nyc, 1
+viewpointsfromfacebook.com, 1
+viewsea.com, 1
+viewstub.com, 1
+viewzipcode.com, 1
+viez.vn, 1
+vifranco.cl, 1
+vifsoft.com, 1
+vigiesolutions.com, 1
+vigilanciatotal.com, 1
+vigilanciaysalud.com, 1
+vigilantesporcolombia.org, 1
+vigilanza.milano.it, 1
+vigilanza.roma.it, 1
+vigiles.nl, 1
+vigilo.cf, 1
+vigilo.ga, 1
+vigl.biz, 1
+vigliano.com, 1
+vigneshkumar.com, 1
+vignobles-querre.com, 1
+vignoblesdeletat.ch, 1
+vigo-krankenversicherung.de, 1
+vigo-select.de, 1
+vigoinvestments.com, 0
+vigorous.co.il, 1
+vigorspa.it, 1
+vigoxatelier.tech, 1
+vigrid.online, 1
+vigridpartiet.tk, 1
+vihaainfosoft.com, 1
+vihtahousu.fi, 1
+viikko.cf, 1
+viikko.eu, 1
+viikko.ga, 1
+viikko.gq, 1
+viikko.ml, 1
+viilup.com, 1
+viitanen.xyz, 1
+vijay-international.com, 1
+vijayam.ml, 1
+vijaymishra.tk, 1
+vijn.io, 1
+vijoe.org, 1
+vijverbenodigdheden.nl, 1
+vik.bio, 1
+vik.im, 1
+vikalbino.com, 1
+vikalbino.com.br, 1
+vikalpgupta.com, 1
+vikapaula.com, 1
+vikashkendra.com, 1
+vikasinstitute.tk, 1
+vikaviktoria.com, 1
+vikc.ca, 1
+vikcdn.com, 1
+viki.com, 1
+viking-style.ru, 1
+viking-t.com, 1
+vikingconcretefloors.com, 1
+vikiwat.com, 1
+viko.ai, 1
+viko.co.uk, 1
+vikramkulkarni.com, 1
+vikrantkakad.in, 1
+viksbergshr.se, 1
+viktor-chin-kon-sung.com, 1
+viktor-chin-kon-sung.nl, 1
+viktor-chin.com, 1
+viktor-chin.nl, 1
+viktorbarzin.me, 1
+viktorchin.com, 1
+viktorchin.nl, 1
+viktorchin.online, 1
+viktorchin.site, 1
+viktorchinkonsung.com, 1
+viktorchinkonsung.nl, 1
+viktorchinkonsung.online, 1
+viktorchinkonsung.site, 1
+viktoria-goo.com, 1
+viktoria-stube.de, 1
+viktorovi.cz, 1
+viktorprevaric.eu, 1
+viku.fi, 1
+vila-senov.cz, 1
+vila11.com.br, 1
+vilaanimalpetshop.com, 1
+vilabiamodas.com.br, 1
+viladelpingui.net, 1
+vilafloridacapivari.com.br, 1
+vilafrancaeagles.tk, 1
+vilamarija.tk, 1
+vilamoura-car-hire.com, 1
+vilans.nl, 1
+vilantice.cz, 1
+vilavilma.si, 1
+vilavyhlidka.cz, 1
+vilawatt.cat, 1
+vilaydin.com, 1
+vildlaithailand.cf, 1
+vildlaithailand.gq, 1
+vildlaithailand.tk, 1
+vilettecouvreur.fr, 1
+vilgain.at, 1
+vilgain.com, 1
+vilgain.de, 1
+vilgain.hu, 1
+vilgain.it, 1
+vilgain.pl, 1
+vilhe.com, 1
+vilhe.fi, 1
+vilhelmjunnila.fi, 1
+vilife.tk, 1
+viliravnjak.tk, 1
+viliv.com.co, 1
+villa-christina.com, 1
+villa-gockel.de, 1
+villa-luna.it, 1
+villa-ottone.net, 1
+villa-toscana.berlin, 1
+villablancaluarca.es, 1
+villablino.tk, 1
+villaboavida.nl, 1
+villacarralon.tk, 1
+villadelprado.tk, 1
+villaditirano.tk, 1
+villaespanola.tk, 1
+villafiore.com.br, 1
+villafrancis.org.sg, 1
+villagebridalbyomnibus.com, 1
+villagecardshop.co.uk, 1
+villagecenterpediatrics.com, 1
+villagemagazines.co.uk, 1
+villagenscamuria.it, 1
+villageofalbionny.gov, 1
+villageofallouezwi.gov, 1
+villageofalmondwi.gov, 1
+villageofarenawi.gov, 1
+villageofavocawi.gov, 1
+villageofbearlakemi.gov, 1
+villageofbellevuewi.gov, 1
+villageofcallawayne.gov, 1
+villageofcarbonhill-il.gov, 1
+villageofcascadewi.gov, 1
+villageofcascowi.gov, 1
+villageofcatskillny.gov, 1
+villageofcazenoviany.gov, 1
+villageofclaytonmi.gov, 1
+villageofclaytonwi.gov, 1
+villageofclymanwi.gov, 1
+villageofcolemanwi.gov, 1
+villageofcottagegrove.gov, 1
+villageofdousman.gov, 1
+villageofedenwi.gov, 1
+villageoffarwellmi.gov, 1
+villageofforestvillewi.gov, 1
+villageoffremontwi.gov, 1
+villageofgraftonwi.gov, 1
+villageofgrantsburg.gov, 1
+villageofhempsteadpdny.gov, 1
+villageofjacksonwi.gov, 1
+villageoflagrangeohio.gov, 1
+villageoflaurensny.gov, 1
+villageoflavallewi.gov, 1
+villageoflomira.gov, 1
+villageoflonerock-wi.gov, 1
+villageofluxemburgwi.gov, 1
+villageofmenandsny.gov, 1
+villageofmendonmi.gov, 1
+villageofmillerton-ny.gov, 1
+villageofmuirmi.gov, 1
+villageofmukwonago.gov, 1
+villageofnaponeene.gov, 1
+villageofnecedahwi.gov, 1
+villageofnewberlinny.gov, 1
+villageofoakdalewi.gov, 1
+villageofoakfieldwi.gov, 1
+villageofowegony.gov, 1
+villageofpalmyrailmacoupin.gov, 1
+villageofpewaukeewi.gov, 1
+villageofriverbendmo.gov, 1
+villageofsaukvillewi.gov, 1
+villageofsciooh.gov, 1
+villageofsheldonwi.gov, 1
+villageofsirenwi.gov, 1
+villageofstetsonvillewi.gov, 1
+villageofstockbridgemi.gov, 1
+villageofstockbridgewi.gov, 1
+villageoftheresawi.gov, 1
+villageoftikiisland.gov, 1
+villageofwales.gov, 1
+villageofwhitelaw-wi.gov, 1
+villageofwitheewi.gov, 1
+villagephysicians.com, 1
+villagesincrisis.tk, 1
+villageunique.com.br, 1
+villagevet.co.uk, 1
+villagevetcattery.co.uk, 1
+villagockel.de, 1
+villahistoria.ml, 1
+villainsclothing.com.au, 1
+villaismaelcortinas.uy, 1
+villakarma.at, 1
+villakiralik.com, 1
+villalmanzo.tk, 1
+villamenty.com, 1
+villanew.tk, 1
+villanyautosok.hu, 1
+villaparkil.gov, 1
+villapiknik.tk, 1
+villarica.gov, 1
+villas-parfumdemyrte.fr, 1
+villasdelbosque.com.gt, 1
+villasenor.online, 1
+villasfinistere.fr, 1
+villasforsale-bali.com, 1
+villasintrabali.com, 1
+villasupport.it, 1
+villaumbrales.tk, 1
+villavaltava.fi, 1
+villaville.com, 1
+villawirz.it, 1
+ville-ideale.fr, 1
+ville-nesle.fr, 1
+ville-vif.fr, 1
+villegasphoto.com, 1
+villehardouin.fr, 1
+villek.fi, 1
+villekaaria.eu, 1
+villekautto.com, 1
+villenavedornon.fr, 1
+villerez.fr, 1
+villeroy-immobilier-sete.fr, 1
+villers-ecalles.fr, 1
+villesalonen.fi, 1
+villian.tk, 1
+villnoesser-tal.com, 1
+villu.ga, 1
+villu.stream, 1
+viload.org, 1
+vilondo.com, 1
+vilostore.my.id, 1
+viltsu.net, 1
+vilvoordelaan.be, 1
+vima.ch, 0
+vimbom.tk, 1
+vimbowen.xyz, 1
+vimeo.com, 1
+vimeosucks.nyc, 1
+vimexx.nl, 1
+vimium.com, 1
+vimka.gq, 1
+vimoksa.com, 1
+vimworld.com, 1
+vinacaster.com, 1
+vinarstvimodryhrozen.cz, 1
+vinaygakhar.tk, 1
+vinaygarg.com, 1
+vinc.me, 1
+vinc.name.tr, 1
+vincehut.top, 1
+vincemumford.com, 1
+vincent-haupert.de, 1
+vincentcox.com, 0
+vincenticosmeticsurgery.tk, 1
+vincentiliano.tk, 1
+vincentpancol.com, 1
+vincentpo.tk, 1
+vincentsimon.de, 1
+vincentvdsluijs.nl, 1
+vincentwolsink.nl, 0
+vinceracing.tk, 1
+vincexpertconsulting.fr, 1
+vinci-archipel.com, 1
+vinci-foundation.com, 1
+vinci-gestion.com, 1
+vinci-gestion.fr, 1
+vinci-reassurance.com, 1
+vinci-vie.com, 1
+vinci-vie.fr, 0
+vinci-vie.net, 1
+vinci.gr, 1
+vinci.lt, 1
+vinci.lu, 1
+vincible.space, 1
+vinciconps4.it, 1
+vinciladislessia.it, 1
+vincitraining.com, 1
+vinciu.com, 1
+vincour.info, 1
+vindafrid.com, 1
+vindafrid.nu, 1
+vindafrid.se, 1
+vindelicum.eu, 1
+vindeurgent.ro, 1
+vindipoker.dk, 1
+vindnu.dk, 1
+vinduesgrossisten.dk, 1
+vineeth.uk, 1
+vineethavarma.com, 1
+vinehall.ie, 1
+vinelli.de, 1
+vinepower.co.nz, 1
+vineripenutrition.com, 1
+vinesauce.info, 1
+vineta.tk, 1
+vinetalk.net, 1
+vinetech.co.nz, 1
+vineyard-wash.com, 1
+vingaardshus.dk, 1
+vingahiss.se, 1
+vingt.me, 1
+vingtsuncoach.tk, 1
+vinhobros.de, 1
+vinhomes.tv, 1
+vinhomesonline.com, 1
+vinhosdoalentejo.pt, 1
+vinicius.sl, 1
+viniciuscosta.tk, 1
+vinigas.com, 1
+vinihk.com, 0
+vinilart.com, 1
+vinilosdecorativos.net, 1
+vinistas.com, 1
+vinit.tk, 1
+vinnellarabia.com, 1
+vinner.com.au, 0
+vinnie.gq, 1
+vinny.tk, 1
+vinnyvidivici.com, 1
+vinobartonik.cz, 1
+vinocapka.cz, 1
+vinodoc.cz, 1
+vinoffice.vn, 1
+vinohradiv.tk, 1
+vinokourovnet.tk, 1
+vinokurov.tk, 0
+vinolli.de, 1
+vinopan.de, 1
+vinorossoconero.com, 1
+vinoshipper.com, 1
+vinovum.net, 1
+vinoxo.in, 1
+vinsation.com, 1
+vinsetchampagne.fr, 0
+vinsonfinancials.tk, 1
+vinstafood.com, 1
+vintageaudio.tk, 1
+vintagebandfestival.org, 1
+vintagecarparts.co.uk, 1
+vintagecaskandbarrel.com, 1
+vintagecommerce.it, 1
+vintagejeeps.net, 1
+vintagemakeupguide.com, 1
+vintageportgifts.co.uk, 1
+vintagestock.com, 1
+vintagetoydepot.tk, 1
+vintagetrailerbuyers.com, 1
+vintagewedding.tk, 1
+vintazh.net, 1
+vintizen.com, 1
+vintom.com, 1
+vintonia.gov, 1
+vinumenu.com, 1
+vinyl-digital.com, 1
+vinylbasement.tk, 1
+vinylbro.com, 1
+vinylfencestlouis.com, 1
+vinzer.tk, 1
+vinzite.com, 1
+violapiekut.com, 1
+violarenate.com, 1
+violetfairy.tk, 1
+violetgames.com, 1
+violetraven.co.uk, 1
+violettecleaning.be, 1
+violifefoods.com, 1
+violin4fun.nl, 1
+vionicbeach.com, 1
+vionicshoes.com, 1
+vionity.co, 1
+viosey.com, 1
+vioye.com, 1
+vip-banner.tk, 1
+vip-moda.ga, 1
+vip-sauna.tk, 1
+vip-soski.tk, 1
+vip-ssl.com, 1
+vip-transfer.by, 1
+vip00228.com, 0
+vip11018.com, 0
+vip2132.com, 1
+vip22884.com, 0
+vip33138.com, 0
+vip4553.com, 1
+vip45bet365.com, 0
+vip5414.com, 1
+vip6132.com, 1
+vip77018.com, 0
+vip8522.com, 1
+vipaairportsp3.gov, 1
+vipartneriai.lt, 1
+vipdirektolog.ru, 0
+vipenvia.com.br, 1
+viper-drones.com, 1
+vipertechnology.com.br, 1
+vipesball.me, 1
+vipesball.net, 1
+vipfitter.com, 1
+vipframesandtrusses.co.nz, 1
+vipgalant.ru, 1
+viphackers.tk, 1
+vipi.es, 1
+vipkit.com, 1
+vipku.ru, 1
+viplata-mgnovenno.ml, 1
+viplc4.com, 0
+viplc6.com, 0
+viplc68.com, 1
+viplc98.net, 1
+vipline.me, 1
+viplive.tk, 1
+vipllcnj.com, 1
+vipmdh.com.ua, 1
+vipmercedes.by, 1
+viporiflame.tk, 1
+vippclub.be, 1
+viprsolutions.com, 1
+vipsauna.gq, 1
+vipsexvault.com, 1
+vipshop.ga, 1
+vipsibir.cf, 1
+vipstat.pl, 1
+viptravel.tk, 1
+vipturismo-europa.com, 1
+vipus.gq, 1
+vipuser.info, 1
+vipw6600.com, 0
+vipw6603.com, 1
+vipw6606.com, 0
+vipw6608.com, 0
+vir-tec.eu, 0
+vir2.me, 1
+virajtharinda.tk, 1
+viral-loops.com, 1
+viral32111.com, 1
+virala.tk, 1
+viralboombox.xyz, 1
+viralhua.com, 1
+viralinsurance.ga, 1
+viraljobs.ga, 1
+viraloffer.ga, 1
+viralpagi.com, 1
+viralsv.com, 1
+viraltalky.com, 1
+viraltech.cf, 1
+viralted.ml, 1
+viraltobuzz.tk, 1
+viraltube.my, 1
+viralvids.gq, 1
+viraly.me, 1
+viran-khodro.tk, 1
+virazh58.tk, 1
+virbex.com, 0
+vircloud.net, 1
+virga.pp.ua, 1
+virgi.tk, 1
+virgil.gg, 1
+virgilsecurity.com, 1
+virginiaabc.gov, 1
+virginiabeachcoolsculpting.com, 1
+virginiagardens-fl.gov, 1
+virginiahealth.tk, 1
+virginiaisgoingsolar.com, 1
+virginiamnpd.gov, 1
+virginiedelmas.fr, 1
+virginietessier.fr, 1
+virginitychecker.ga, 1
+virginized.tk, 1
+virginpulse.us, 1
+virgintears.tk, 1
+virgontech.tk, 1
+virgosecurity.com.au, 1
+virgulazero.com.br, 1
+viridis-milites.cz, 1
+virima.com, 1
+virimatech.com, 1
+viris.si, 1
+virkhost.com, 1
+virostack.com, 1
+virot.eu, 1
+virtasktic.com, 1
+virtbaza.cf, 1
+virtit.fr, 1
+virtlinux.eu, 1
+virtola.ml, 1
+virtua.com.tr, 1
+virtuaal.com, 1
+virtual-assistant.ml, 1
+virtual-data-room.org, 1
+virtual-dba.com, 1
+virtual-insanity.tk, 1
+virtual-webcam.com, 1
+virtualarkansas.org, 1
+virtualbrands.com, 0
+virtualbrestby.tk, 1
+virtualbruges.tk, 1
+virtualcitehuallaga.com, 1
+virtualcity.tk, 1
+virtualcloud.ddns.net, 1
+virtualcommodities.org, 1
+virtualcomputer.ml, 1
+virtualdesign.tk, 1
+virtualdesignmedia.com, 1
+virtualedge.org, 1
+virtualgovernance.tk, 1
+virtualgraffiti.com, 1
+virtualhawaii360.com, 1
+virtualife.tk, 1
+virtuality4d.com, 1
+virtualization-online.org, 1
+virtuallanding.com, 1
+virtuallifestyle.nl, 1
+virtuallypilates.com, 1
+virtualmachine.tk, 1
+virtualmemento.tk, 1
+virtualmt2.pl, 1
+virtualnet.ec, 1
+virtualpavilion.co, 1
+virtualprom.tk, 1
+virtualroad.org, 1
+virtualsanity.com, 1
+virtualscoutschool.com, 1
+virtualsex.ga, 1
+virtualshell.ml, 1
+virtualtabletop.io, 1
+virtualvaults.com, 0
+virtualx.de, 1
+virtubox.net, 1
+virtubox.xyz, 1
+virtubroker.com.mx, 1
+virtueturkey.ga, 1
+virtuology.com, 1
+virturl.de, 1
+virtus-group.com, 1
+virtusaero.com, 0
+virtwen.com, 1
+virty.cz, 1
+virus.pm, 1
+virusah1n1.com, 1
+virusdelebola.com, 1
+virusmousepads.tk, 1
+virusprotect.ro, 1
+virusquery.com, 1
+visa-master.tk, 1
+visacentre.pk, 1
+visadaifu.com, 0
+visaforest.com, 1
+visafruit.com, 1
+visale.fr, 1
+visalia.gov, 1
+visaliafarmersmarket.com, 0
+visalist.io, 1
+visalogy.com, 1
+visaop.com, 1
+visapourailleurs.fr, 0
+visapro.com, 1
+visapro.me, 1
+visaprolaw.com, 1
+visarewardprogramplatform.com, 1
+visartdecor.com.ua, 1
+visasofoz.com, 1
+visatime.info, 1
+visatitans.ae, 1
+visatitans.ca, 1
+visatitans.co.uk, 1
+visatitans.com, 1
+visavtodor.ru, 1
+visaxplorer.com, 1
+visaya.com.co, 1
+visceralsound.ca, 1
+visconde-de-maua.com.br, 1
+viscondedemaua.com.br, 1
+viscondedemauapousadas.com.br, 1
+viscopic.com, 1
+vise.com, 0
+visegradieskuvo.hu, 1
+visegradtours.hu, 1
+viseum.co.uk, 1
+visforvaccinated.gov, 1
+vishenka.tk, 1
+vishnujyothi.co.uk, 1
+vishwashantiyoga.com, 1
+visiblethoughts.co.uk, 1
+vision-du-net.com, 1
+vision-net.ie, 1
+vision-painting.com, 0
+vision.aero, 1
+vision.edu.sa, 1
+vision2005.tk, 1
+visionagrupo.com, 1
+visionamp.com, 1
+visionations.com, 1
+visioncenter.org, 1
+visioncloud.tk, 1
+visioncraftinc.com, 1
+visiondesign.shop, 1
+visiondetails.ru, 1
+visiondigitalsog.com, 1
+visiondrivers.com, 0
+visioned.net, 1
+visioneducation.tk, 1
+visionexpress.com, 1
+visionexpress.ie, 1
+visiongamestudios.com, 1
+visioniot.com, 1
+visionlearning.com, 1
+visionnissancanandaiguaparts.com, 1
+visionnocturne.tk, 1
+visionoscope.org, 1
+visionpeak.net, 1
+visionproductssoutheast.com, 1
+visionr.com, 1
+visionsc.co.uk, 1
+visionsofmysoul.com, 1
+visiontaiwan.info, 1
+visionthroughknowledge.com, 1
+visiontree-beta.eu, 1
+visionunit.ch, 1
+visionwow.ai, 1
+visionxcreative.gq, 1
+visionzerocfl.gov, 1
+visionzeroreporting.com, 1
+visiquate.com, 1
+visit-sanbenedettodeltronto.it, 1
+visit-thailand.tk, 1
+visit.gent, 1
+visit.natal.br, 1
+visitafuengirola.es, 1
+visitafuengirola.ru, 1
+visitaltai.info, 1
+visitationbvm.net, 1
+visitazores.com, 1
+visitbangkoktravel.com, 1
+visitbelfast.com, 1
+visitbinghamton.org, 1
+visitcambridgeshirefens.org, 1
+visitcamden.com.au, 1
+visitcmafest.com, 1
+visitconwaysc.gov, 1
+visitdubai.com, 1
+visiter-tunis.tk, 1
+visitgaribaldi.gov, 1
+visitgent.be, 1
+visitgent.eu, 1
+visitghent.be, 1
+visitghent.eu, 1
+visithuntingtonwv.org, 1
+visitinvernesslochness.com, 1
+visitislandpond.com, 1
+visitmaine.com, 1
+visitmexico.com, 1
+visitmorelos.mx, 1
+visitnamibia.net, 1
+visitnewcastle.com.au, 1
+visitoractivities.com, 1
+visitorguard.com, 1
+visitorsguide.is, 1
+visitorslist.com, 1
+visitosalnes.com, 1
+visitpare.com, 0
+visitpaul.com, 1
+visits.ga, 1
+visits.tk, 1
+visitsights.com, 1
+visitsights.de, 1
+visitstegen.com, 1
+visitsugartown.com, 1
+visittartu.com, 0
+visittci.com, 1
+visitthematrix.tk, 1
+visituzbekistan.tk, 1
+visitvalenca.com, 0
+visitwv.com, 1
+visitzug.ga, 1
+visma-apps.com, 1
+vismaverzuim.com, 1
+visomdm.com, 1
+visometry.com, 1
+visor.ph, 1
+visordown.com, 1
+visoundcloud.com, 1
+visp.net, 1
+vissanum.com, 1
+visscher.codes, 1
+vista-calculator.ru, 1
+vista-research-group.com, 1
+vista.gov, 1
+vistaalegre.com, 1
+vistaalmar.es, 1
+vistacampus.gov, 1
+vistafolia.com, 1
+vistamatic.eu, 1
+vistapaket.com.ua, 1
+vistapaket.es, 1
+vistapoquei.com.br, 1
+vistastylebuilder.com, 0
+vistavoyage.eu, 1
+vistb.me, 1
+vistec-support.de, 1
+vistmagazine.com, 1
+visu.li, 1
+visual-cockpit.com, 0
+visual-concept.net, 1
+visual-conversion.com, 1
+visual-design.cf, 1
+visual-dreams.de, 1
+visualdrone.co, 1
+visualetiquetas.art.br, 1
+visualforce.com, 1
+visualgnome.com, 1
+visualintent.com.au, 1
+visualizing.info, 1
+visuall.be, 1
+visualmarketingdeals.com, 1
+visualmasters.nl, 1
+visualstories.com, 1
+visualtec.host, 1
+visudira.com, 1
+visunext.de, 1
+visuri.de, 1
+visware.com, 1
+visyeva.hu, 1
+vita-transmr.de, 1
+vitaalcheck.nl, 1
+vitaalfitcoaching.nl, 1
+vitabrillanti.com, 0
+vitaclinicliverpool.co.uk, 1
+vitacore.ru, 1
+vitaerotaksi.ru, 1
+vitafybrands.de, 1
+vitahook.pw, 1
+vitahost.ml, 1
+vitakov.tk, 1
+vital-bg.com, 1
+vital.no, 1
+vital3.cat, 1
+vitalamin.at, 1
+vitalamin.ch, 1
+vitalchoice.com, 1
+vitalengine.com, 1
+vitalhealthandbeauty.co.uk, 1
+vitalia.cz, 1
+vitaline.uz, 1
+vitalismaatjes.nl, 1
+vitalitymedcenters.com, 0
+vitalityscience.com, 0
+vitaliyshepotkov.tk, 1
+vitaliysmagic.com, 1
+vitallearning.dk, 1
+vitallearning.ee, 1
+vitallearning.eu, 1
+vitallearning.no, 1
+vitallearning.se, 1
+vitallife.com, 1
+vitallispsy.be, 1
+vitallispsy.com, 1
+vitallispsy.de, 1
+vitallispsy.eu, 1
+vitallispsy.nl, 1
+vitalpraxis-lietz.de, 1
+vitalshop.tk, 1
+vitalsolutions.ro, 1
+vitalthings.de, 1
+vitalthrills.com, 1
+vitalware.com, 1
+vitamaxxi.com.br, 1
+vitamedgroup.com, 1
+vitamina.cl, 1
+vitamina.com, 1
+vitaminas.me, 1
+vitaminegeszseg.hu, 1
+vitaminka.tk, 1
+vitaminmovie.ga, 1
+vitaminoutlet.net, 1
+vitamister.ch, 1
+vitamixromania.ro, 1
+vitanetonline.com, 1
+vitapingu.de, 1
+vitario.eu, 1
+vitastic.nl, 1
+vitavarese.tk, 1
+vitavista.health, 1
+vitavista.io, 1
+vitay.pl, 1
+viteleaf.com, 1
+viteoscrm.ch, 0
+viterbio.com, 1
+viterboonair.tk, 1
+viteuneexcuse.io, 1
+vitikit.com, 1
+vitkausk.as, 1
+vitlproducts.com, 1
+vitman.tk, 1
+vitoye.com, 1
+vitra-showrooms.co.uk, 1
+vitra-vcare.co.uk, 1
+vitrade.de, 1
+vitrado.de, 1
+vitrinachasov.cf, 1
+vitrineenligne.com, 1
+vitromex.tk, 1
+vitron.ru, 1
+vitsearch.link, 1
+vitto.tk, 1
+vittoria-conseil.com, 1
+vittoria-web.com, 1
+vittoria.consulting, 1
+vittoria.pro, 1
+vittoria.run, 1
+vittoria.studio, 1
+vittoria.tech, 1
+vittoriaconseil.com, 1
+vitucho.tk, 1
+vitus-meppen.de, 1
+viv.fi, 1
+viva.ua, 1
+viva2000.com, 1
+vivablogger.com, 1
+vivabraslav.ga, 1
+vivace.parts, 1
+vivachile.tk, 1
+vivaconagua.org, 1
+vivactis.com, 1
+vivagy.com, 1
+vivahome.tk, 1
+vivaio.roma.it, 1
+vivaiocolombo.com, 1
+vivalacloud.ru, 1
+vivalajack.de, 1
+vivaldi.club, 1
+vivaldi.com, 1
+vivaldi.net, 1
+vivaleisure.com.au, 1
+vivaleisure.group, 1
+vivalocale.com, 1
+vivamortgage.tk, 1
+vivanosports.com.br, 0
+vivapharma.net, 1
+vivas.cf, 1
+vivas.gq, 1
+vivas.ml, 1
+vivas.tk, 1
+vivat.de, 1
+vivatbet.com.ee, 1
+vivatbet.ee, 1
+vivatechnology.com, 1
+vivates.tk, 1
+vivavox.es, 1
+vivavox.tk, 1
+vive.com, 0
+vive.link, 1
+vivediabetes-sanamente.com, 1
+vivekanandaspokenenglish.com, 1
+vivekparekh.ca, 1
+vivekselvakumar.ga, 1
+vivelawir.eu, 1
+vivemedialab.com, 1
+vivemercadosaludable.com, 1
+vivemontecarlo.tk, 1
+vivendi.de, 1
+vivendoapalavra.org, 1
+vivendoderendananet.com.br, 1
+viveoriginals.com, 1
+viveport.com, 1
+viveportal.com, 1
+viveras.ch, 1
+viveremediglia.tk, 1
+viverse.com, 1
+viverstp.net, 0
+vivesaludableconomnilife.com, 1
+vivetoluca.com, 1
+vivezlaromate.com, 1
+vivi.fyi, 0
+vivi.zone, 0
+vivian.tk, 1
+vivianaball.ro, 1
+vivianadavila.com, 1
+vivianargiriou.gr, 0
+vivianbarbieri.com, 1
+vivianlms.ga, 1
+vivianmaier.cn, 1
+vivianshultsart.com, 1
+vivichannel.tk, 1
+vivid-academy.com, 1
+vivide.re, 1
+vividinflatables.co.uk, 1
+viviendacoomeva.com, 1
+viviennelinettevandenassem.tk, 1
+viviennevandenbos.nl, 1
+vivirenelmundo.com, 1
+vivirenelpoblado.com, 1
+vivo.cam, 1
+vivo.vn, 0
+vivoitaliankitchen.com, 1
+vivoldi.com, 1
+vivos.co.il, 1
+vivoseg.com, 0
+vivreenisrael.com, 1
+vivun.com, 1
+viwsec.com.br, 1
+vixlum.com, 1
+vixonline.com.br, 1
+vixrapedia.org, 1
+viyf.org, 1
+viyoga.co, 1
+vizantia.tk, 1
+vize.ai, 0
+vizedia.ga, 1
+vizeenergetiky.cz, 1
+vizela.pt, 1
+vizierdata.ca, 1
+vizion.com, 1
+vizional.com, 0
+vizirinvestimentos.com, 1
+vizit-obmen.tk, 1
+vizit.ml, 1
+vizit.tk, 1
+vizitfree.ml, 1
+vizitnik.tk, 1
+vizmart.ml, 1
+vizyonpara.com, 1
+vizzarragrup.com, 1
+vjeff.com, 1
+vjeff.net, 1
+vjk.dk, 1
+vjn.ee, 1
+vjqlifestyle.com, 1
+vjshi.xyz, 0
+vjshop.vn, 1
+vjuliano.net, 1
+vk-agent.ru, 1
+vk-group.com, 1
+vk-k.com, 1
+vk-random.ml, 1
+vk-srv.ru, 1
+vk.group, 1
+vk.nl, 1
+vk09.ru, 1
+vk1fj.net, 1
+vk2.net, 1
+vk4msl.com, 1
+vkarpaty.tk, 1
+vkavkaz.tk, 1
+vkb-remont.ru, 1
+vkcombo.ru, 1
+vkennke.org, 1
+vkfaces.com, 1
+vkfish.ga, 1
+vkflac.tk, 1
+vkg.nl, 0
+vkgroup.az, 1
+vkh-online.de, 1
+vkikaku.com, 0
+vkino.com, 0
+vkino.ml, 1
+vkirichenko.name, 1
+vkirienko.com, 1
+vklikers.tk, 1
+vkolledzhe.tk, 1
+vkontakte-poisk.ru, 1
+vkox.com, 1
+vkrutilca.tk, 1
+vksportphoto.com, 1
+vkst-field-trials.dk, 1
+vkstaticcdn.ru, 1
+vkstaticcontent.ru, 1
+vkstream.tk, 1
+vkulagin.ru, 1
+vkusercontent.ru, 1
+vkusniy.shop, 1
+vkusnyashka.tk, 1
+vkustradicii.com.ua, 1
+vkusvill.ru, 1
+vl.cloudns.cc, 1
+vl9.de, 1
+vlaamsegemeenschap.tk, 1
+vlaamsetollers.tk, 1
+vlaardingen-enzo.tk, 1
+vlachoshome.com, 1
+vladgazeta.gq, 1
+vladikavkaz-city.tk, 1
+vladimir-chanaev.pro, 1
+vladimir.ml, 1
+vladimirbatrakov.tk, 1
+vladimirchernyshov.ml, 1
+vladimirkarpets.tk, 1
+vladimirovka.ml, 1
+vladimirpenev.tk, 1
+vladivostok-city.tk, 1
+vladivostok.cf, 1
+vladivostok.tk, 1
+vladivostokportal.tk, 1
+vladmoraru.org, 1
+vladreview.com, 1
+vladsfads.com, 1
+vladwp.com, 1
+vlaggen-landen.nl, 1
+vlajo.org, 1
+vlak.hr, 1
+vlakem.net, 1
+vlance.gq, 1
+vlasov.ml, 1
+vlasova-sova.ml, 1
+vlccrussia.ru, 1
+vlci-doupe.cz, 1
+vldkn.net, 1
+vldz.co, 1
+vle.lt, 1
+vleacademy.com, 1
+vleague.tk, 1
+vleesbesteld.nl, 1
+vleij.com, 0
+vleij.family, 1
+vleij.se, 1
+vleo.me, 1
+vlh.dk, 1
+vliegendklokske.com, 1
+vliegherrie.nl, 1
+vlijmscherrup.tk, 1
+vlike.ml, 1
+vlissingse-oratoriumvereniging.nl, 1
+vlndc.org, 1
+vlnv.ca, 1
+vloeck.de, 1
+vloggerfaire.com, 1
+vloggerspace.tk, 1
+vlos.com.pl, 1
+vlovgr.se, 1
+vltonline.org, 1
+vlzbazar.ru, 1
+vm-0.com, 1
+vm.co.mz, 0
+vm.ee, 0
+vm0.eu, 1
+vm88.top, 0
+vmagadane.tk, 1
+vmath.my.id, 1
+vmautorajkot.com, 1
+vmaxleclub.com, 1
+vmc.co.id, 1
+vmccnc.com, 1
+vmconnected.co.uk, 1
+vmedia.ca, 1
+vmf365.tk, 1
+vmgirls.com, 0
+vmhydro.ru, 0
+vmis.nl, 1
+vmlze.cz, 1
+vmm.pw, 1
+vmninja.io, 1
+vmoagents.com, 0
+vmock.com, 1
+vmoe.info, 1
+vmotosoco.lv, 0
+vmst.io, 1
+vmsurgery.org, 1
+vmug.pl, 1
+vmurmanske.tk, 1
+vn.search.yahoo.com, 0
+vn58.com, 1
+vnanet.vn, 1
+vnctdj.fr, 1
+vnd.cloud, 1
+vndb.org, 1
+vneftekamske.tk, 1
+vnetboard.com, 1
+vnikolaev.tk, 1
+vnlfrk.com, 1
+vnministries.org, 1
+vnovosibirske.tk, 1
+vns168.vip, 0
+vns377c.com, 0
+vns377d.com, 0
+vns377e.com, 0
+vns377f.com, 0
+vns377g.com, 0
+vns377h.com, 0
+vns377i.com, 0
+vns377j.com, 0
+vns3780.com, 1
+vns5020.com, 0
+vns5151.com, 0
+vns5353.com, 0
+vns5656.com, 1
+vns5757.com, 0
+vns5858.vip, 1
+vns5959.com, 0
+vns6161.com, 0
+vns6262.com, 0
+vns6363.com, 0
+vns6565.com, 0
+vns6767.com, 0
+vns68611.com, 0
+vns68655.com, 1
+vns68669.com, 1
+vns6868.com, 0
+vns6868.vip, 1
+vns68722.com, 1
+vns6969.com, 0
+vnsc.org, 1
+vnumngr.com, 1
+vnxf.vn, 1
+vnya.loan, 1
+vo-vse-tyajkie.online, 1
+voanaboa.pt, 1
+voatz.com, 1
+vobe.io, 1
+vobis.pl, 1
+vocably.de, 1
+vocaloid.my, 1
+vocalviews.com, 1
+vocationaujourdhui.fr, 1
+vocationnetwork.org, 1
+vocomo.de, 1
+voctto.com.br, 1
+vocus.aero, 1
+vocustest.aero, 1
+vod.uk.com, 0
+vodadombay.cf, 1
+vodafone.com.gh, 1
+vodavoda.tk, 1
+vodb.org, 1
+voddinteriors.com, 1
+vodicak.info, 1
+vodicaknapocitac.sk, 1
+voditel.ua, 1
+vodix.nl, 1
+vodpay.com, 1
+vodpay.net, 1
+vodpay.org, 1
+voeding-en-fitness.nl, 1
+voetbalclubinfo.tk, 1
+voetbalforum.tk, 1
+voetbalindestad.be, 1
+voetbaloptv.nl, 1
+voetbalvanavond.nl, 1
+voetbalwedden.net, 0
+voetbalwedstrijdenvandaag.nl, 1
+voetenreflexmassage.nl, 1
+voetfit47.nl, 1
+voetpunttwente.nl, 1
+voeux.io, 0
+voevm.at, 0
+voevodin.tk, 1
+vofem.ru, 1
+voffka.com, 1
+vofwittenbergwi.gov, 1
+vofy.cz, 1
+vogel-verhuizingen.nl, 1
+vogelbus.ch, 1
+vogelwereld.tk, 1
+vogler.name, 1
+vogt.sh, 1
+vogt.works, 1
+vogue.co.uk, 1
+vogue.cz, 1
+vogue.gr, 1
+voguefabricsstore.com, 1
+voguefrontier.tk, 1
+voi.ch, 1
+voice-of-design.com, 1
+voice-pic.com, 1
+voice.gov.au, 1
+voicedata.tk, 1
+voicemaker.in, 1
+voicenation.com, 1
+voiceofcricket.tk, 1
+voiceofserbia.tk, 1
+voicesoflabor.com, 1
+voicesofspirit.at, 1
+voicesuk.co.uk, 1
+voicu.ch, 0
+voidancerecords.com, 1
+voidbbs.com, 1
+voidbits.io, 1
+voidbot.ai, 1
+voidcore.org, 1
+voide.club, 1
+voidge.cf, 1
+voidhacker.com, 1
+voidi.ca, 1
+voidma.in, 1
+voidpay.com, 1
+voidpay.net, 1
+voidpay.org, 1
+voidscrawl.com, 1
+voidx.top, 1
+voigt-it.solutions, 1
+voileux.org, 1
+voimix.ee, 1
+voinuocsago.com, 1
+voinuocthienmy.com, 1
+voipforbusiness.tk, 1
+voiretmanger.fr, 1
+voiretrevu.ca, 1
+voirfilms.live, 1
+voitolla.com, 1
+voivoinfotech.com, 1
+voix-bien-etre.com, 0
+vojenshandicap.dk, 1
+vojk.au, 1
+vojtat.cz, 1
+vokabl.io, 1
+vokativy.cz, 1
+vokieciupamokos.lt, 1
+vokimberlywi.gov, 1
+vokov.ml, 1
+vokrug.ga, 1
+vokurka.net, 1
+vokzalkursk.ru, 1
+vokzalperm.ru, 1
+volant.digital, 0
+volantinaggioaroma.it, 1
+volarikcapital.eu, 1
+volatile.pw, 1
+volatilesystems.org, 1
+volatilethunk.com, 1
+volatiliza.ga, 1
+volatimer.com, 1
+volcain.io, 1
+volcanconcretos.com, 1
+volcano-irkutsk.ru, 1
+volcano-kazan.ru, 1
+volcano-spb.ru, 1
+volcano-ug.ru, 1
+volcano-vts.ru, 1
+volcano-x.ru, 1
+volcano.lt, 1
+volcano24.ru, 1
+volcano75.ru, 1
+volcanov.ru, 1
+volchara.tk, 1
+volebnipruzkum.eu, 1
+volga.us, 0
+volgar.name, 1
+volgares.ru, 1
+volgavibes.ru, 0
+volgograd-34.tk, 1
+volgograd-privolzskiy.ga, 1
+volgograd34.tk, 1
+volha.tk, 1
+volichat.com, 1
+volin.tk, 1
+volk.ga, 1
+volk.gq, 1
+volkanyilmaz.com.tr, 1
+volker-gropp.de, 1
+volkergropp.de, 1
+volkerwesselstransfer.nl, 1
+volkerwesselswave.nl, 0
+volki.ga, 1
+volki.ml, 1
+volkov.ga, 1
+volksbaufi.de, 1
+volksbaugeld.de, 1
+volksbauzins.de, 1
+volkshypothek.de, 1
+volkskrant.nl, 1
+volkstuinwaregem.tk, 1
+volksvorschlagpmar.ch, 1
+volkswagen.io, 1
+volkswagengolf.tk, 1
+volkswagenmiennam.com.vn, 1
+volkswagensaigon.com.vn, 1
+volkswagensaigon.net, 0
+volkswurst.de, 1
+vollenberg.ca, 1
+volleyballcityofpreston.tk, 1
+volleyballnews.tk, 1
+volleyfreaks.tk, 1
+volleypatos.tk, 1
+vollmondstollen.de, 1
+volnamobile.ru, 1
+volochaevskiy.tk, 1
+volochisk.tk, 1
+voloder.net, 1
+voloevents.com, 1
+vologda-city.ga, 1
+vologda-city.tk, 1
+volosi.cf, 1
+volosi.tk, 1
+voloskova.ru, 1
+volqanic.com, 1
+volreinsistemas.com, 1
+volshebniki.ua, 1
+volt.fm, 1
+volta.io, 1
+voltageelectricity.tk, 1
+voltainsite.com, 1
+voltarengelprice.tk, 1
+voltarengeneric.tk, 1
+voltcloud.net, 1
+voltechtransformer.in, 1
+voltfloyd.com, 1
+volthemes.com, 1
+voltiac.ml, 1
+volto.io, 1
+voltrix.net, 1
+volubilisplus.fr, 1
+volunka.ml, 1
+volunteerham.com, 1
+volunteerhere.ga, 1
+volunteers.tk, 1
+volunteertherealuganda.com, 1
+voluntourism.ga, 1
+volusia.gov, 1
+volusiaelections.gov, 1
+volusiasheriff.gov, 1
+volusiavotes.gov, 1
+volvo1800es.tk, 1
+volvoconnect.com, 1
+vom-achterhof.de, 1
+vomitoxin.ga, 1
+vommu.be, 1
+vomsee.eu, 1
+von-haselberg.de, 1
+vonauw.com, 0
+vonborstelboerner.de, 1
+vonckers.tk, 1
+voncurr.com, 1
+vondenstein.com, 1
+vonfurstenrechtstables.nl, 1
+vonimus.com, 1
+vonitsanet.gr, 1
+vonjohanson.de, 1
+vonkuenheim.de, 1
+vonniehudson.com, 1
+vonpawn.com, 1
+vonski.pl, 1
+vonsponneck.tv, 1
+vonsuri.com, 1
+voodoo-crm.com, 1
+voodoobeginner.com, 1
+voodoocat.cf, 1
+voodooshaman.com, 1
+vooh.in, 1
+vookstock.tk, 1
+voom.pt, 1
+voorde.lol, 1
+voornaam-at-achternaam.be, 1
+vooruitmetjevereniging.nl, 1
+vooxia.xyz, 1
+vop.li, 1
+voprosnik.gq, 1
+voprosownet.tk, 1
+voquent.com, 1
+vorbrodt.blog, 1
+vorderklier.de, 1
+vorlage-musterbriefe.de, 1
+vorlage-mustervertrag.de, 1
+vorlagen-geburtstagsgruesse.de, 1
+vorlif.org, 1
+vorlonempire.org, 1
+vorm2.com, 1
+vorona.tk, 1
+vort-x.com.my, 1
+vortari.tk, 1
+vorte.ga, 1
+vortexevents.net, 1
+vortexhosting.ga, 1
+vortix.tk, 1
+vos-fleurs.ch, 1
+vos-fleurs.com, 1
+vos-systems.com, 1
+vos-systems.es, 1
+vos-systems.eu, 1
+vos-systems.net, 1
+vos-systems.org, 1
+vos.directory, 1
+vosges-tourisme.net, 1
+vosgym.jp, 1
+vosjesweb.nl, 1
+vosk-cream.tk, 1
+vosn.de, 1
+voss-klinik.com, 1
+voss-zaehne.com, 1
+voss-zaehne.de, 1
+vosselaer.com, 1
+vosser.de, 1
+vostok-zapad54.ru, 1
+vostronet.com, 1
+vot-tak-vot.tk, 1
+votajeffcoco.gov, 1
+votan.cf, 1
+vote.gov, 1
+vote.nz, 1
+vote.org, 1
+votealachua.gov, 1
+votebradfordfl.gov, 1
+votebrevard.gov, 1
+votebymail.gov, 1
+votecalhounfl.gov, 1
+votechestercountytn.gov, 1
+votecitrus.gov, 1
+voteclaycountymo.gov, 1
+votecolumbiafl.gov, 1
+votedenton.gov, 1
+votefloydva.gov, 1
+votefranklinfl.gov, 1
+voteglades.gov, 1
+votegulf.gov, 1
+votehamiltoncountyohio.gov, 1
+votehighlands.gov, 1
+votehillsborough.gov, 1
+voteid.ca, 1
+voteidaho.gov, 1
+voteindianriver.gov, 1
+votejacksonfl.gov, 1
+votejeffcoco.gov, 1
+votekansas.gov, 1
+voteks.gov, 1
+votelevy.gov, 1
+votemarion.gov, 1
+votemate.org, 1
+votemt.gov, 1
+votenassaufl.gov, 1
+voteokaloosa.gov, 1
+voteokeechobee.gov, 1
+voteosceola.gov, 1
+votepalmbeach.gov, 1
+votepinellas.gov, 1
+voter-info.uk, 1
+voterconnect.ie, 1
+voteridforme.com, 1
+voterockfordil.gov, 1
+votes-reu.ml, 1
+votesantarosa.gov, 1
+votescotttn.gov, 1
+voteseminole.gov, 1
+votesjc.gov, 1
+votetomgreencounty.gov, 1
+voteurl.cf, 1
+votewa.gov, 1
+votewalton.gov, 1
+votocek.cz, 0
+votockova.cz, 0
+votoot.com, 1
+votre-agence-web.com, 1
+votrepolice.ch, 0
+votresiteweb.ch, 0
+votrespace.ca, 1
+vouchers4u.com, 1
+voucherx.co.uk, 1
+vought-vip.com, 1
+vous-etre-utile-ceidf.fr, 1
+vous-les-jeunnes.tk, 1
+vousnousils.fr, 1
+vov.furniture, 1
+vova.loan, 1
+vovac.tk, 1
+vovachka.tk, 1
+vovkamagazine.tk, 1
+vovladikavkaze.ru, 1
+vovo4ka.tk, 1
+vowsy.club, 0
+vox.de, 1
+voxbras.com.br, 1
+voxeaarecords.com, 1
+voxel.ax, 1
+voxel.cat, 1
+voxel.sh, 1
+voxelcat.de, 1
+voxelcat.jp, 1
+voxeljet.com, 1
+voxengo.com, 1
+voxfa.com, 1
+voxfilmeonline.net, 1
+voxio.nl, 1
+voxpopuli.com, 1
+voxturba.com, 0
+voxx1116.com, 1
+voyage-martinique.fr, 1
+voyage2africa.com, 1
+voyagedeductible.com, 1
+voyageforum.com, 1
+voyageofyume.com, 1
+voyages-groupes-transgallia.com, 1
+voyagesvoyages.net, 1
+voyagewd.world, 1
+voyagewiki.com, 1
+voyagewiki.org, 1
+voyainvestments.com, 1
+voyaker.tk, 1
+voyance-direct.info, 1
+voyancedanslenord.com, 1
+voyeurspyporn.com, 1
+vozami.com, 1
+vozbudim.tk, 1
+vozdux.tk, 1
+vozelocucao.com.br, 1
+vozhatik.cf, 1
+vozhuo.cf, 1
+vozolmarketim.com, 1
+vozpopuli.com, 1
+vp-arc.org, 1
+vparilke.su, 1
+vpetkov.tk, 1
+vpn-suomi.fi, 1
+vpn-sverige.se, 1
+vpn.ht, 1
+vpn4free.ga, 1
+vpnalert.com, 1
+vpnbrains.com, 1
+vpnclient.ru, 1
+vpnemail.com, 1
+vpnent.com, 1
+vpnhongkong.gq, 1
+vpnmag.fr, 1
+vpnpro.com, 1
+vpnservice.nl, 1
+vpoltave.info, 1
+vporno.video, 1
+vpr.expert, 1
+vprotect.ga, 1
+vps-green.com, 1
+vps.auction, 1
+vps.chat, 1
+vps.discount, 1
+vps.hosting, 1
+vps.management, 1
+vps.nl, 1
+vps.tg, 1
+vpsao.org, 1
+vpsboard.com, 1
+vpsdream.dk, 1
+vpsgongyi.com, 0
+vpsji.com, 1
+vpsmore.com, 1
+vpsou.com, 1
+vpsport.ch, 1
+vpsproj.dynu.net, 1
+vpsrussia.com, 1
+vpstrial.net, 1
+vpsvz.cloud, 1
+vpsvz.ninja, 1
+vpswebs.tk, 1
+vpsxhq.com, 1
+vpu-online.com, 1
+vqcymsa.com, 1
+vqebizconsulting.com, 1
+vqeg.org, 1
+vqn.se, 1
+vr-baufi.com, 1
+vr-baufi.info, 1
+vr-baufi24.de, 1
+vr-bauficoncept.de, 1
+vr-baufinanzierung.de, 1
+vr-hypothekenbank.de, 1
+vr-immo-invest.biz, 1
+vr-immo-invest.com, 1
+vr-immo-invest.info, 1
+vr-immobilienkredit.de, 1
+vr-immobilienpool.de, 1
+vr-immocredit.de, 1
+vr-immoexpress.biz, 1
+vr-immoexpress.info, 1
+vr-immoinvest.eu, 1
+vr-immonet.de, 1
+vr-payment.de, 1
+vr-re-bank.org, 1
+vr-realestate.co.uk, 1
+vr-sinterklaashuis.nl, 1
+vr3marcas.com.br, 1
+vrac-drive.ch, 1
+vracdrive.ch, 1
+vrachi.online, 1
+vractive.pl, 1
+vragenlijstsoftware.nl, 1
+vragenvanproust.nl, 1
+vrallart.com, 1
+vramoni.ru, 1
+vran.ga, 1
+vrandopulo.ru, 1
+vravi.tech, 1
+vrba.org, 1
+vrbangers.com, 1
+vrbl.pt, 1
+vrbr.ch, 0
+vrcentrum.cz, 1
+vrchat.community, 1
+vrconk.com, 1
+vrcosplayx.com, 1
+vrcprofile.com, 1
+vrcsearch.com, 1
+vrdennis.tk, 1
+vredesregister.be, 1
+vredesregister.gent, 1
+vreeken-selfstorage.tk, 1
+vreeman.com, 1
+vreemdetante.com, 1
+vreemdetante.eu, 1
+vreemdetante.nl, 1
+vreklame.ml, 1
+vremyachko.tk, 1
+vremyapervyih-hd.tk, 1
+vresonline.gr, 1
+vresportal.co.uk, 1
+vrfoodchannel.com, 1
+vrg-gruppe.de, 1
+vrg.de, 1
+vrgamecritic.com, 1
+vrh.net.au, 1
+vriendenkring-klassiekers.tk, 1
+vriesdonkow.be, 0
+vrifox.cc, 1
+vrij-links.nl, 1
+vrijedomeinnamen.nl, 1
+vrijekunst.tk, 1
+vrijeradio.tk, 1
+vrijgezellen-feest.com, 1
+vrijgezellen-feesten.nl, 1
+vrijgezellenfeestzwolle.com, 1
+vrikshamindia.com, 1
+vrimmoexpress.biz, 1
+vrimmoexpress.eu, 1
+vrimmoinvest.ag, 1
+vrimmoinvest.org, 1
+vrimmoworld.de, 1
+vriresorts.com, 1
+vrisak-generacije.tk, 1
+vrjetpackgame.com, 1
+vrnhn.nl, 1
+vroedvrouwella.be, 1
+vros.co.id, 1
+vrostove.tk, 1
+vrp.moe, 0
+vrre.ag, 1
+vrrebank.info, 1
+vrsmash.com, 1
+vrsystem.com.br, 0
+vrtak-cz.net, 0
+vrtemptation.com, 1
+vrtidaho.gov, 1
+vrtouring.org, 1
+vrumcar.com, 1
+vrzas.net, 1
+vrzl.pro, 1
+vs1177.com, 0
+vs1717.com, 0
+vs2277.com, 0
+vs2828.com, 0
+vs5151.com, 0
+vs603.com, 1
+vs6060.com, 0
+vs6161.com, 0
+vs7711.com, 0
+vs8899.com, 0
+vs9911.com, 0
+vs9977.com, 0
+vsactivity.com, 1
+vsamsonov.com, 1
+vsaratove.tk, 1
+vsatke.tk, 1
+vsc-don-stocksport.de, 1
+vscm888.com, 0
+vscredconsultoria.online, 1
+vsd.sk, 1
+vse-bolezni.tk, 1
+vse-dlya-fermera.tk, 1
+vse-dlya-jinok.tk, 1
+vse-dlya-texniki.tk, 1
+vse-novosti.tk, 1
+vse-potolki.ml, 1
+vse-prosto.tk, 1
+vsean.net, 1
+vsec.co.il, 1
+vsee.com, 1
+vsekulinar.ru, 1
+vsem-reiki.tk, 1
+vsemrabota.ml, 1
+vsenovosti.cf, 1
+vseostile.ml, 1
+vserisuem.ga, 1
+vserus.com, 1
+vserver-preis-vergleich.de, 1
+vseserialy.tk, 1
+vsesrazu-raiffeisen.ru, 1
+vsestiralnie.com, 0
+vsestoki.com, 0
+vsevkusno.tk, 1
+vsevolod.tk, 1
+vsgcommunity.nl, 1
+vshipit.com, 1
+vshop.ir, 1
+vsimosvita.com, 1
+vsl-defi.ch, 0
+vsl.de, 1
+vsmcomunicacao.com.br, 1
+vsnfoto.com, 1
+vsoflavors.com, 1
+vsolovev.com, 1
+vsolvit.com, 1
+vsoy.co.th, 1
+vspin.cz, 1
+vsportage.com, 1
+vss-clan.ml, 1
+vsscr.tech, 1
+vsscrew.tk, 1
+vstavropole.tk, 1
+vstrikovaci-lisy.cz, 1
+vsure.com.au, 1
+vsx.ch, 1
+vsz.me, 1
+vszp.sk, 1
+vtanki.tk, 1
+vtaxi.se, 1
+vtbclub.xyz, 1
+vtbs.moe, 1
+vtcourts.gov, 1
+vtech.com, 1
+vtescebu.com, 1
+vtipe-vylez.cz, 0
+vtivision.com, 1
+vtjud.gov, 1
+vtklan.tk, 1
+vtler-glabbich.de, 0
+vtliving.com, 1
+vtm.be, 1
+vtmgo.be, 1
+vtoroy-kanal.ga, 1
+vtsnetworks.com, 1
+vttnordisere.fr, 1
+vtuber-schedule.info, 1
+vtuber.art, 1
+vtul.io, 1
+vtulinkng.com.ng, 1
+vtupro.com, 1
+vtvnetwork.org, 1
+vtwonen.be, 1
+vtwonen.nl, 1
+vuagym.com, 1
+vuakhuyenmai.vn, 1
+vuath.com, 1
+vucdn.com, 1
+vue-sur-mer.com, 1
+vuefact.com, 1
+vuefactory.io, 1
+vuelacaruru.com, 1
+vuelosabajoprecio.net, 1
+vugt.me, 1
+vuilelakens.be, 1
+vuitimig.com, 1
+vukhoidecor.com, 1
+vulcan-russia.today, 1
+vulcancycling.ga, 1
+vulcannow.ru, 1
+vulcanplatinum-best.com, 1
+vulcanplatinum777-vip.com, 1
+vulcanplatinum777club.com, 1
+vulcanrussia-game.com, 1
+vulcanrussiagame.com, 1
+vuldb.com, 1
+vulgar-teens.tk, 1
+vulkan-24-platinum.ru, 1
+vulkan-platinum-101.ru, 1
+vulkan-platinumclub.ru, 1
+vulkan-russia-pro.com, 1
+vulkan-russia.vip, 1
+vulkan-russiaklub.com, 1
+vulkan.org, 1
+vulkano-online-casino.com, 1
+vulkanplatinum-klub.com, 1
+vulkanprotektor.rs, 1
+vulkanruhe.com, 1
+vulkanruhe.de, 1
+vulkanrussia-avtomat.ru, 1
+vulkanrussia-casinos.com, 1
+vullriede-multimedia.de, 0
+vulndetect.com, 1
+vulndetect.org, 1
+vulnerability.ch, 1
+vulnerabilityscans.nl, 1
+vulnerable.af, 1
+vulnerar.com, 1
+vulners.com, 1
+vulns.sexy, 1
+vulns.xyz, 1
+vulnscan.org, 1
+vulpine.club, 1
+vulpr.com, 1
+vultrhxl.com, 1
+vulyk-medu.com.ua, 1
+vunn.com, 1
+vuojolahti.fi, 0
+vuotila.eu, 1
+vuoto.fi, 1
+vurdst.dk, 1
+vusdigital.com, 0
+vuse.com, 1
+vutrox.com, 1
+vutruso.com, 1
+vux.li, 1
+vuze.camera, 1
+vuzi.fr, 1
+vv066.com, 0
+vv1234.cn, 1
+vv5197.co, 1
+vv6729.co, 1
+vv6729.com, 0
+vv6957.co, 1
+vv9297.co, 1
+vv9728.co, 1
+vvactivia.nl, 1
+vvave.net, 1
+vvcasteren.nl, 1
+vvd.bz, 1
+vvdbronckhorst.nl, 1
+vveactiefbeheer.nl, 0
+vvg-vermietung.de, 1
+vvlemmer.tk, 1
+vvlen.com, 1
+vvoip.org.uk, 1
+vvpn.loan, 1
+vvs.spb.ru, 1
+vvsummer.ml, 1
+vvvvbrest.tk, 1
+vvvvvv.click, 1
+vvvz0.gq, 1
+vvvzeeland.nl, 1
+vvw-8522.com, 1
+vvwraca.gov, 1
+vvzero.cf, 1
+vvzero.com, 1
+vw-touranclub.cz, 1
+vw22.com, 1
+vwcredit.com, 1
+vwforum.ro, 1
+vwfs.ru, 1
+vwfsfcp.com, 1
+vwfsrentacar.co.uk, 1
+vwh-kunden.de, 1
+vwittich.de, 1
+vwoforangeparts.com, 1
+vwp.su, 1
+vwpartsinternational.com, 1
+vwpi.co, 1
+vwsaigon.vn, 0
+vwt-event.nl, 1
+vww-8522.com, 1
+vx.hn, 1
+vxapps.com, 1
+vxl-co.de, 1
+vxl.sh, 0
+vxlabs.de, 1
+vxm.se, 1
+vxz.me, 1
+vyacheslav.ml, 1
+vybavzahradu.cz, 1
+vybeministry.org, 1
+vyber-odhadce.cz, 1
+vyberdomov.cz, 1
+vyberodhadce.cz, 1
+vycius.lt, 1
+vygeja.lt, 1
+vygo.network, 1
+vygo.one, 1
+vyomoverseas.com, 1
+vyorsa.com.mx, 1
+vypij.cz, 1
+vyplnto.cz, 1
+vyre.ovh, 1
+vyresimeonline.cz, 1
+vyroba.site, 1
+vyrubka-derevya.ru, 1
+vys.in, 1
+vyshivanochka.in.ua, 1
+vysko.cz, 1
+vyskocil.com, 1
+vyskocil.eu, 1
+vysoketatry.tk, 1
+vysokij-istochnik.tk, 1
+vysokoe.tk, 1
+vysotka.tk, 1
+vysvetluju.cz, 1
+vyturys.lt, 1
+vyvod-iz-zapoya.online, 1
+vyvygen.org, 1
+vyzner.cz, 1
+vzce.cn, 1
+vzducho-klima.cz, 1
+vzemiseo.com, 1
+vzemisite.com, 1
+vzr-garant.nl, 1
+vzteam.ga, 1
+vzw-muzaik.tk, 1
+vzwregent.be, 1
+vzyatonlinezaim.ga, 1
+vzyatonlinezaim.gq, 1
+vzyatonlinezaim.ml, 1
+vzyatonlinezaim.tk, 1
+vzyatzaimonline.cf, 1
+vzyatzaimonline.ga, 1
+vzyatzaimonline.gq, 1
+vzyatzaimonline.ml, 1
+vzyatzaimonline.tk, 1
+vzzjoias.com.br, 1
+w-architectes.com, 1
+w-hub.ru, 1
+w-oasis.co.jp, 1
+w-p-k.de, 1
+w-spotlight.appspot.com, 1
+w-surgeryhospital.com, 1
+w-w-auto.de, 1
+w-ws.ga, 1
+w.st, 1
+w.wiki, 1
+w0.pw, 1
+w00228.com, 1
+w0102.com, 1
+w03.cn, 1
+w10club.com, 0
+w1n73r.de, 1
+w1nter.xyz, 1
+w2929w.com, 1
+w2ang.cn, 1
+w2ang.com, 1
+w2design.eu, 1
+w2n.me, 1
+w2w.com, 1
+w33b.in, 1
+w365.vip, 0
+w36533.com, 1
+w36594.com, 1
+w398.com, 1
+w3app.nl, 1
+w3ctag.com, 1
+w3ctag.org, 1
+w3d.io, 1
+w3layouts.com, 1
+w3n14izy.cf, 1
+w3n14izy.ga, 1
+w3n14izy.gq, 1
+w3n14izy.ml, 1
+w3n14izy.tk, 1
+w3punkt.de, 1
+w3scan.nl, 1
+w3squad.com, 1
+w40faktory.tk, 1
+w4b.in, 1
+w4eg.de, 1
+w4g-security.com, 1
+w4nvu.org, 1
+w4r.nl, 1
+w4solutions.de, 1
+w4tec.de, 1
+w50.co.uk, 0
+w5050w.com, 1
+w51365.com, 1
+w5197.co, 1
+w5gfe.org, 1
+w60.co, 1
+w61611.net, 1
+w61616.com, 0
+w66133.com, 0
+w66136.net, 0
+w66138.net, 0
+w6616.com, 1
+w661616.com, 0
+w6619.com, 1
+w66938.com, 1
+w6698.com, 0
+w6729.co, 1
+w6729.com, 1
+w6808.com, 1
+w6829.com, 1
+w6832.com, 1
+w6886.com, 1
+w6957.co, 1
+w6957.com, 0
+w7k.de, 1
+w7n.ch, 1
+w8094.com, 1
+w82365.com, 1
+w84.it, 1
+w8605.com, 1
+w8628.com, 1
+w888022.com, 0
+w888033.com, 0
+w888044.com, 0
+w888066.com, 1
+w888077.com, 0
+w888088.com, 0
+w889-line.com, 1
+w889-line.net, 1
+w88clubz.com, 1
+w8less.nl, 1
+w8wat.com, 1
+w9297.co, 1
+w9728.co, 1
+w9nb.radio, 1
+wa-m-web-alpcustomer-portal-caixabank.azurewebsites.net, 1
+wa-m-web-alpcustomer-portal-timfin.azurewebsites.net, 1
+wa-stromerzeuger.de, 0
+wa.me, 1
+waagen.tk, 1
+waaifu.com, 1
+waalsekrook.be, 1
+waani.com, 1
+waavit.com, 1
+waaynex.ch, 1
+waays.eu, 1
+waays.fr, 1
+waayz.eu, 1
+waayz.fr, 1
+wabbel.sa.com, 1
+wabifoggynuts.com, 1
+wabuwa.com, 1
+wacht-auf.de, 1
+wachter.biz, 1
+wachtspoor.nl, 1
+wachtspoor18.nl, 1
+wacken666.com, 1
+wackery.com, 1
+wacky.one, 1
+wackyblackie.eu.org, 1
+wackyblackie.ml, 1
+wackys.com, 1
+wacotrib.com, 1
+wacpericias.com.br, 1
+wade.gdn, 0
+wadebet.com, 1
+wadesboronc.gov, 1
+wadetregaskis.com, 1
+wadidi.com, 1
+wadleyga.gov, 1
+wadsworth.gallery, 1
+wadvisor.com, 1
+waeldertexas.gov, 1
+waelisch.de, 1
+waelti.xxx, 1
+waf.hk, 1
+waf.ninja, 1
+waf.sexy, 1
+wafa4hw.com, 1
+waferscriber.com, 1
+waffeln.jetzt, 1
+waffle-backend-sanggyu.shop, 1
+waffle-sanggyu.tk, 1
+wafflehacks.org, 1
+waffleindex.com, 1
+wafflemakers.ca, 1
+wafni.com, 1
+wagcenter.com, 1
+wage-feeg.gc.ca, 1
+wagesweldandfab.com, 1
+wageverify.com, 1
+waggybytes.com, 1
+wagn3r.de, 1
+wagspuzzle.space, 1
+waguramaurice.cf, 1
+wagyudelicatessen.com, 1
+wahay.org, 1
+wahine.gq, 1
+wahl-co.de, 1
+wahminda.tk, 1
+wahoo-ashland-waverly.com, 1
+wahrnehmungswelt.de, 1
+wahrnehmungswelten.de, 1
+wai-in.com, 1
+wai.run, 1
+waibit.io, 1
+waidfrau.de, 1
+waifu-technologies.com, 1
+waifu-technologies.moe, 1
+waifu.gallery, 1
+waifuist.pro, 1
+waikatowebdesigners.com, 1
+wail.net, 1
+waimanu.io, 1
+waisster.com, 1
+waistawayuk.co.uk, 0
+waitabu.org, 1
+waits.io, 1
+waiwaisw.com, 1
+waiwei.ml, 1
+waixingrenfuli.vip, 1
+wajtc.com, 1
+wak.io, 1
+waka-mono.com, 1
+wakarandroid.com, 1
+wakastream.cc, 1
+wakatime.com, 1
+wake.gov, 1
+wake.net, 1
+wakecounty.gov, 1
+wakecountynorthcarolina.ml, 1
+wakelet.com, 1
+wakenyatulindane.co.ke, 1
+wakeofthepredator.tk, 1
+wakeskincarellc.com, 1
+waketurbulencereport.eu, 1
+wakeupeire.com, 1
+wakeupplatform.com, 1
+wakeupworld.ml, 1
+wakinglighting.com, 1
+wakpamnilake-nsn.gov, 1
+wakullaelectionfl.gov, 1
+wakullavotes.gov, 1
+wakuwakustudyworld.co.jp, 0
+walaa.com.co, 1
+walaamohamed.com, 1
+waldenvt.gov, 1
+waldenwritingcenter.ml, 1
+waldgourmet.de, 1
+waldo.tk, 1
+waldo.vn, 0
+waldorf-augsburg.de, 1
+waldorf-harduf.org, 1
+waldorfdiary.com, 1
+waldparkerwoelfe.tk, 1
+waldpflegeverein.at, 1
+waldportoregon.gov, 1
+waldur.nl, 1
+waldvogel.family, 1
+walent.in, 1
+walentin.co, 1
+walentynki.tk, 1
+walesmaine.gov, 1
+walhal.la, 1
+walian.co.uk, 1
+waligorska.pl, 1
+walk.onl, 1
+walkaround.tk, 1
+walker-foundation.org, 1
+walkera-fans.de, 1
+walkercorp.com.au, 0
+walkercountytx.gov, 1
+walkerfoundation.org.au, 1
+walkergroup.com.au, 1
+walkerinsurance.net, 1
+walkermi.gov, 1
+walkersplayground.tk, 1
+walkfree.org, 1
+walkhighlandsandislands.com, 0
+walkingandcycling.org.uk, 1
+walkingrehabilitation.com, 1
+walkinweb.com, 1
+walklocal.be, 1
+walklocal.gent, 1
+walkman.cloud, 1
+walkman.io, 1
+walkme.com, 1
+walksedona.com, 1
+walksfourpaws.co.uk, 1
+wall-banners.tk, 1
+wall-of-death.co.nz, 1
+wallabag.eu, 1
+wallabag.org, 0
+wallabies.org, 1
+wallace-group.net, 1
+wallacealvesdigital.com.br, 1
+wallacecountyks.gov, 1
+wallacehigh.org.uk, 1
+wallada.tk, 1
+wallaralogistics.com.au, 1
+wallartista.com, 1
+wallbanksweb.net, 1
+wallcs.eu, 1
+wallduck.com, 1
+wallendair.com, 1
+wallers.com, 1
+wallet.google.com, 1
+wallet.pp.ua, 1
+walletconnect.com, 1
+walletconnector.cz, 1
+walletfox.com, 1
+wallethub.com, 1
+wallett.gq, 1
+wallhack.ml, 1
+wallhost.tk, 1
+wallingford.cc, 1
+wallis-inside.ch, 1
+wallisch.pro, 1
+walliscreek.com.au, 1
+wallix.com, 1
+wallmanderstd.se, 1
+wallmarketing.cz, 1
+wallners.se, 1
+wallnj.gov, 1
+wallnot.dk, 1
+wallofclocks.com, 1
+wallpaperstreet.tk, 1
+wallpapertag.com, 1
+wallpaperup.com, 1
+wallrgb.com, 1
+walls.io, 1
+wallsauce.com, 1
+walltech.tk, 1
+walltime.info, 1
+wallumai.com.au, 1
+wally4000.tk, 1
+wallytest.tk, 1
+walma.re, 1
+walnus.com, 1
+walnutcreekca.gov, 1
+walnutcreekpdca.gov, 1
+walnutgrovemo.gov, 1
+walnutvalleywater.gov, 1
+walpu.ski, 1
+walpuski.com, 1
+walruscode.com, 1
+walruses.org, 1
+walrusntiny.com, 1
+walsermedia.com, 1
+walshbanks.com, 1
+walshy.fail, 1
+walter-foerster.de, 1
+walter-mooij-jazztrio.tk, 1
+walter.lc, 1
+waltercedric.com, 0
+waltermulders.be, 1
+walterswholesale.com, 1
+waltravis.com, 1
+waltthirion.com, 1
+walutomat.pl, 1
+walvi.nl, 1
+wamia.wa.gov.au, 1
+wammu.eu, 1
+wamsi.net, 1
+wanabka.tk, 1
+wananavuoutfitters.com, 1
+wanashi.com, 1
+wanda.ch, 1
+wanda76.com, 1
+wanda79.com, 1
+wanda97.com, 1
+wanda98.com, 1
+wandelreizen.eu, 1
+wander.al, 1
+wander.tk, 1
+wanderersfc.tk, 1
+wanderfost.com, 1
+wanderfullcoven.tk, 1
+wanderinghiker.com, 1
+wanderingincaptivity.com, 1
+wanderings.online, 0
+wandystan.eu, 1
+wane.co, 1
+wang.by, 1
+wangbangyu.cf, 1
+wangbangyu.ga, 1
+wangbangyu.gq, 1
+wangbangyu.ml, 1
+wangbangyu.tk, 1
+wangcanmou.com, 1
+wangcun.eu.org, 1
+wangdaijin.com, 1
+wangejiba.com, 0
+wangjiatun.com.tw, 1
+wangluoyunying.com, 1
+wangpedersen.com, 1
+wangpromherb.hu, 1
+wangqiliang.org, 1
+wangql.cn, 1
+wangql.net, 1
+wangqr.org, 1
+wangqr.tk, 1
+wangriwu.com, 1
+wangtanzhang.com, 1
+wangwill.me, 1
+wangyue.blog, 1
+wangzhe100.xyz, 1
+wangzuan168.cc, 1
+wanitasejahtera.com, 1
+wanjuhui.com, 1
+wanlieyan.com, 1
+wannabfit.nl, 1
+wannaknow.tk, 1
+wannaparty.in, 0
+wannapopularnews.cf, 1
+wannaridecostarica.com, 1
+wanorthshoreny.gov, 1
+wantocode.com, 1
+wanybug.cf, 1
+wanybug.ga, 1
+wanybug.gq, 1
+wanybug.tk, 1
+wanzieautomation.com, 1
+wanzieinsuranceservices.com, 1
+waonui.io, 1
+wap-umbrella.tk, 1
+wapa.gov, 1
+wapazewddamcdocmanui6001.azurewebsites.net, 1
+wapazewrdamcdocmanui6001.azurewebsites.net, 1
+wapbd.ga, 1
+wapchan.org, 1
+wapelloia.gov, 1
+wapflash.ml, 1
+wapgame.gq, 1
+wapgu.cc, 1
+wapheat.tk, 1
+wapkarma.tk, 1
+wapkat.tk, 1
+waplumber.com.au, 1
+wapmaster.cf, 1
+wapmaster.ga, 1
+wapnazir.tk, 1
+wapnepal.com.np, 1
+wapnews.tk, 1
+wapnik.tk, 1
+wapo.ro, 1
+wappie.tk, 1
+wapplerbrewing.com, 1
+wapresri.go.id, 1
+wapspaces.tk, 1
+wapsychiatry.com.au, 1
+waptransfer.tk, 1
+wapveil.ml, 1
+waqood.tech, 1
+war-requiem.com, 1
+war-team.com, 1
+waragod.sk, 1
+warbox.ga, 1
+warcraft2016.tk, 1
+warcraftjournal.org, 1
+warcraftwikicz.tk, 1
+ward.nl, 1
+ward2u.com, 1
+wardeath.tk, 1
+wardemons.tk, 1
+warden.navy, 1
+wardnd.gov, 1
+wardogz.tk, 1
+wardonat.tk, 1
+wardow.com, 1
+wardpieters.eu, 1
+wardpieters.online, 1
+wardpieters.xyz, 1
+wardsborovt.gov, 1
+wardslager.com, 1
+warecountyga.gov, 1
+warehost.de, 0
+warehouse-nantes.fr, 1
+warekon.com, 1
+warekon.dk, 1
+waren.io, 1
+waren.one, 1
+warenghem.com, 1
+warengroup.eu, 1
+warengroup.fi, 1
+warengroup.net, 1
+warengroup.org, 1
+warenhosting.com, 1
+warenhuisvandijk.nl, 1
+warenits.at, 0
+warenmedia.com, 1
+warennetworks.com, 1
+warensecurity.com, 1
+wareshoalssc.gov, 1
+warezbook.org, 1
+warezoom.com, 1
+warfarina.com, 1
+warfield.org.uk, 1
+warfighters.de, 1
+wargov.tk, 1
+wargun.ml, 1
+warhaggis.com, 1
+warhistoryonline.com, 0
+warhut.cn, 1
+warid.ga, 1
+warispak.tk, 1
+warking.ml, 1
+warlions.info, 0
+warlords.cf, 1
+warmestwishes.ca, 1
+warmlyyours.com, 1
+warmservers.com, 1
+warmtepomp.express, 1
+warnernh.gov, 1
+waroengkopigazebo.net, 1
+warofelements.de, 1
+waronbrain.com, 1
+warp-radio.net, 1
+warpsubmitter.tk, 1
+warr.ath.cx, 1
+warramir.net, 1
+warrantycontracts.ga, 1
+warrantynowvoid.com, 1
+warrencampdesign.com, 1
+warrencountyga.gov, 1
+warrencountyia.gov, 1
+warrencountyil.gov, 1
+warrencountynj.gov, 1
+warrencountypa.gov, 1
+warrencountyva.gov, 1
+warrenct.gov, 1
+warrenfisher.net, 1
+warrenhousevets.co.uk, 1
+warrenmi.gov, 1
+warrenri.gov, 1
+warrentwpstjosephco-in.gov, 1
+warringtonkidsbouncycastles.co.uk, 1
+warringtonsownbuses.co.uk, 1
+warriorofmars.com, 1
+warrock-es.tk, 1
+warrs.com, 1
+wars.cat, 1
+warschild.org, 1
+warsh.moe, 1
+warsonco.com, 0
+warspot.ru, 1
+warszawa-pranie-dywanow.pl, 1
+warszawa19115.pl, 0
+warszawska285.pl, 1
+wartabank.com, 1
+warteg.com, 1
+warteg.net, 1
+wartegseberangsana.com, 1
+warthog.ml, 1
+wartimecontracting.gov, 1
+wartorngalaxy.com, 1
+wartraining.com.br, 1
+wartung.tk, 1
+warubbermate.co.th, 1
+warungmini-vanwou.nl, 1
+warupu.com, 1
+warwickbucks.gov, 1
+warworld.ml, 1
+was.ch, 1
+wasabiwallet.co, 1
+wasabiwallet.io, 1
+wasatchconstables.com, 1
+wasatchcounty.gov, 1
+waschmaschinen-dienst.de, 1
+waschpark-hantschel.de, 1
+wasdestek.tk, 1
+wasema.com, 1
+wasfestes.de, 1
+wasfuereintheater.com, 1
+wash-house.tk, 1
+washa.tv, 1
+washabich.ch, 1
+washabich.de, 1
+washburnclarkwi.gov, 1
+washburnenglishschool.tk, 1
+washcowi.gov, 1
+washcowisco.gov, 1
+washed-house.info, 1
+washerrepairaustin.com, 1
+washify.com, 1
+washington-ma.gov, 1
+washingtoncopa.gov, 1
+washingtoncountyar.gov, 1
+washingtoncountyhomeoh.gov, 1
+washingtoncountyid.gov, 1
+washingtoncountymn.gov, 1
+washingtoncountyne.gov, 1
+washingtoncountyor.gov, 1
+washingtoncountysheriffne.gov, 1
+washingtoncountytx.gov, 1
+washingtoncountywi.gov, 1
+washingtonenergy.com, 1
+washingtonnewsz.com, 1
+washingtontwpacpa.gov, 1
+washingtonviews.com, 1
+washingtonwatchdog.org, 1
+washoecounty.gov, 1
+washroomcubicles.co.uk, 1
+washsolucoesemlimpeza.com.br, 1
+washtenaw.gov, 1
+washub.org.uk, 1
+washup.tk, 1
+wasi-net.de, 1
+wasielewski.com.de, 1
+wasistderunterschied.com, 1
+wasp.host, 1
+wass.ga, 1
+wassenaar.org, 0
+wasser-technik-rottal.de, 1
+wassermanx.com, 1
+wassim.is, 1
+wastewaterservicesltd.co.uk, 0
+wastewise.com, 0
+wasticker.ru, 1
+wastrel.ch, 1
+wasys.com.br, 1
+wat.sh, 1
+wataclinic.com, 1
+watari-bg.com, 1
+watashi.bid, 1
+wataugatx.gov, 1
+watboeithet.nl, 1
+watch-host.ga, 1
+watch-wiki.org, 1
+watchamovie.ga, 1
+watchcom.co.za, 1
+watchcom.org, 1
+watchcom.org.za, 1
+watchcow.org, 0
+watchdis.tv, 1
+watchdogs.tk, 1
+watchersrealm.tk, 1
+watchface.watch, 1
+watchfreeonline.co.uk, 1
+watchinventory.com, 1
+watchjavidol.com, 0
+watchmetech.com, 1
+watchmoviesgallery.com, 1
+watchmoviesreel.com, 1
+watchparts-and-tools-okayama.co.jp, 1
+watchpeopledie.tv, 1
+watchporninpublic.com, 1
+watchpsllive.com, 1
+watchstyle.com, 1
+watcht20worldcup.com, 1
+watchthis-svp.com, 1
+watchtogether.ch, 1
+watchtolearn.co, 1
+watchurdiet.com, 1
+watchweasel.com, 1
+water-filters.tk, 1
+water-for-africa.org, 1
+water-polo.tk, 1
+water-valley.tk, 1
+water.com, 1
+waterandhealth.org, 1
+waterbassoon.eu.org, 1
+waterborefiji.com, 1
+waterboromaine.gov, 1
+watercold.cool, 1
+waterdogsmokehouse.com, 1
+waterdownmedia.co.uk, 1
+waterdrop.tk, 1
+waterdropcultureproject.com, 1
+waterest.tk, 1
+waterfedpole.com, 0
+waterfordstoves.ie, 1
+waterfordvt.gov, 1
+waterfordwi.gov, 1
+waterforlifecharity.org, 1
+waterheaterleaguecity.com, 1
+waterhouse.tk, 1
+waterjet.com.ru, 1
+waterjet.my, 1
+waterjets.jp, 1
+waterjetsale.com, 1
+waterlanders.tk, 1
+waterlandtuinen.be, 1
+waterleeftinbeek.nl, 1
+waterlemons2k.top, 1
+waterlens.moe, 1
+waterliteracy.tk, 1
+waterloo-abba-show.de, 1
+waterloofaucets.com, 1
+waterlootwpmi.gov, 1
+watermarkktp.com, 1
+watermarkly.com, 0
+watermonitor.gov, 1
+wateroutlook.com, 1
+waterpoint.tk, 1
+waterpolosantona.tk, 1
+waterpolospain.tk, 1
+waterpumps.xyz, 1
+waterpumpu.com, 1
+waterpurificationsupplies.com, 1
+watersb.org, 1
+waterschaplimburg.nl, 1
+waterside-inn.co.uk, 1
+waterside-residents.org.uk, 1
+watersky.tk, 1
+waterslide-austria.at, 0
+watersoul.com, 1
+watersource.ga, 1
+waterstreetloft.com, 1
+watertaxi.com, 1
+waterton.tk, 1
+watertorenstraat.tk, 1
+watertownmi.gov, 1
+watertownmn.gov, 1
+watertownwi.gov, 1
+watertrails.io, 1
+waterville-estatesnh.gov, 1
+watervillevalleynh.gov, 1
+watervillewomenscare.com, 1
+waterworkscondos.com, 1
+watestsite.ovh, 1
+watfordcyclehub.org.uk, 1
+watfordjc.uk, 1
+watgroeitwaar.com, 1
+watgroeitwaar.eu, 1
+watgroeitwaar.net, 1
+watgroeitwaar.nl, 1
+watgroeitwaar.org, 1
+wathory.com, 1
+watisleukemie.tk, 1
+watismijnbandenspanning.nl, 1
+watongaok.gov, 1
+watoo.tech, 1
+watsonsurplus.com, 1
+watsontownshipmi.gov, 1
+wattlefieldpottery.co.uk, 1
+wattmaedchen.de, 1
+watto29.co.jp, 1
+wattpad.com, 1
+wattstrading.co.uk, 1
+watvindtnederland.com, 1
+watzijnmijnkerntalenten.nl, 1
+waukee.gov, 1
+waukeect.com, 1
+waupacacounty-wi.gov, 1
+waupacawi.gov, 1
+wausharacountywi.gov, 1
+wauwatosa.gov, 1
+wav-productions.com, 1
+wav.tv, 1
+wave-cockpit.de, 1
+wave-electronics.com, 0
+wave-inc.co.jp, 1
+wave.is, 1
+wave.md, 1
+wave.red, 1
+waveburst.net, 1
+waveestetic.com, 1
+waveletscreative.org, 1
+wavelifesciences.com, 1
+wavenetwork.com.au, 1
+wavengine.com, 1
+wavered.cf, 1
+waverlypa.gov, 1
+waverlytn.gov, 1
+wavesboardshop.com, 1
+wavesite.tk, 1
+wavin.com, 1
+wawak.pl, 1
+wawapuquy.com, 1
+wawarsingny.gov, 1
+wawasansejarah.com, 1
+wawshop.cz, 1
+wawuwe.com, 1
+waxcollectibles.com, 0
+waxdramatic.com, 1
+waxlrs.com, 1
+way2earning.com, 1
+way2tech.de, 1
+waya0125.com, 1
+wayaberolodge.com, 1
+waybinary.com, 1
+waycoolmail.tk, 1
+waycraze.com, 1
+waycrossga.gov, 1
+wayfairertravel.com, 0
+wayfarium.com, 1
+wayleadr.com, 1
+waynecountyil.gov, 1
+waynecountymi.gov, 1
+waynecountymo.gov, 1
+waynecountyne.gov, 1
+waynecountyny.gov, 1
+waynecountyoh.gov, 1
+waynefarms.com, 1
+wayneforeman.com, 1
+waynefranklin.com, 1
+waynehartman.com, 1
+wayneo.tk, 1
+waynerushbodywork-massage-tauranga-rotorua-bayofplenty-bop.co.nz, 1
+waynesboropa.gov, 1
+waynetworking.com, 1
+waynewashcowi.gov, 1
+wayofleaf.com, 1
+wayohoo.net, 1
+waysandlore.consulting, 1
+waysandlore.fr, 1
+wayscript.io, 1
+waysport.ua, 1
+waytofreedom.tk, 1
+waytogrow.com, 1
+waytt.cf, 1
+wayuanma.com, 0
+wazdan.com, 1
+waze.com, 1
+wazefaher.tk, 1
+wazeibra.com, 1
+wazuh.com, 1
+wazzap.tk, 1
+wb-cw.tech, 1
+wb256.com, 1
+wb6668.net, 1
+wba.or.at, 1
+wbbauth.de, 1
+wbbwbwebweb.cf, 1
+wbca.ca, 1
+wbcasaverde.co, 1
+wbci.us, 0
+wbclink.io, 1
+wbeme2.com, 1
+wbenoordoostpolder.nl, 1
+wbeuil.com, 1
+wbg.li, 1
+wbh.im, 1
+wbhrb.in, 1
+wbldc.in, 1
+wblinks.com, 1
+wbnet.eu, 1
+wbolt.com, 1
+wbookcompany.com, 1
+wbphed.gov.in, 1
+wbsentinel.com, 1
+wbsogids.nl, 1
+wbss.it, 1
+wbt-solutions.ch, 1
+wbt-solutions.net, 1
+wbtechnologie.nl, 1
+wbtenders.gov.in, 1
+wbudd.com, 1
+wbut.ml, 1
+wby.by, 1
+wby.tw, 1
+wc3modding.ml, 1
+wc64.org, 1
+wca.link, 1
+wcally.com, 1
+wcarc.ca, 1
+wcat.in, 1
+wcatherinekendall.co.uk, 1
+wccu.coop, 1
+wcei.com.au, 1
+wcema-ok.gov, 1
+wcfauth.de, 1
+wcfcourier.com, 1
+wcgskibbereen.ie, 1
+wchuan.cn, 1
+wck.com, 1
+wcl.govt.nz, 1
+wcloud.pro, 1
+wcn.life, 0
+wcools.tk, 1
+wcpo.com, 1
+wcrca.org, 0
+wcru.one, 1
+wcs.rs, 1
+wcsoe.gov, 1
+wcss.com, 1
+wctsite.tk, 1
+wcwcd.gov, 1
+wcwcg.net, 1
+wd-api.com, 0
+wd-img.com, 1
+wd-ljt.com, 1
+wd.is, 1
+wd627.com, 1
+wd976.com, 0
+wdambv.nl, 1
+wdcvalencia2022.com, 1
+wdesign.cl, 1
+wdesk.com, 1
+wdf.ink, 1
+wdgpublichealth.ca, 1
+wdic.org, 1
+wdkpurple.lgbt, 1
+wdmcheng.cn, 1
+wdmg.com.ua, 1
+wdmleds.com, 1
+wdmpa.eu.org, 1
+wdmpa.org, 1
+wdnmd.ac.cn, 1
+wdntcr.com, 1
+wdo.org, 1
+wdodelta.nl, 0
+wdol.gov, 1
+wdophoto.com, 1
+wdpapi.io, 1
+wdpui.io, 1
+wdrl.info, 0
+wdsdownload.cf, 1
+wdstrings.com, 1
+wdt.cz, 0
+wdtcinfo.com, 1
+we-bb.com, 1
+we-listen.org, 1
+we-run-linux.de, 1
+we-use-linux.de, 1
+we.serveftp.net, 1
+we168168.com, 1
+we5688.net, 1
+we9988.net, 1
+weacceptbitcoin.gr, 1
+wealthadvisorsmf.com, 1
+wealthadvisorstrust.com, 1
+wealthcreationsolutions.ga, 1
+wealthprofessional.ca, 1
+wealthprojector.com, 1
+wealthprojector.com.au, 1
+wealthsimple.com, 1
+wealthsuccess.edu.vn, 1
+wear-largesizes.tk, 1
+wear-referrals.co.uk, 1
+wear1015.ml, 1
+wear2work.nl, 1
+wearandcare.net, 1
+weare.ie, 1
+weare1inspirit.com, 1
+wearebase.com, 1
+wearebfi.co.uk, 1
+wearecreator.uk, 0
+wearecrew.io, 1
+wearedevs.net, 1
+wearefestival.ml, 1
+weareflo.com, 0
+wearefrantic.com, 1
+wearegenki.com, 1
+wearehackerone.com, 1
+weareher.com, 1
+weareincognito.org, 1
+wearemarketing.com, 1
+wearemojo.com, 1
+wearenh.gov, 1
+wearepapermill.co, 1
+wearepapermill.com, 1
+wearepoo.com, 1
+wearereasonablepeople.com, 1
+wearereasonablepeople.nl, 1
+wearesilverbullet.com, 1
+wearesuma.com, 1
+wearetravellers.nl, 1
+wearetuzag.com, 1
+wearewithyou.org, 1
+weareworldtrippers.com, 1
+wearewp.pro, 1
+wearit.tk, 1
+wearmoi.com, 1
+wearvintage.ml, 1
+wearvr.com, 1
+wearwolf.tk, 1
+weasyl.com, 1
+weather-schools.com, 1
+weather.gov, 1
+weather25.com, 1
+weatherguard.com, 1
+weathermelon.io, 1
+weathermyway.rocks, 1
+weatherproduct.ga, 1
+weavabel.com, 0
+weaveral.gov, 1
+weavers.space, 1
+weaversbazaar.com, 1
+weavile.art, 1
+web-3.ru, 1
+web-advisor.co.uk, 1
+web-aps.tk, 1
+web-art.cz, 1
+web-biz.fr, 1
+web-business.tk, 1
+web-cms.fr, 1
+web-connected.com, 1
+web-create.ml, 1
+web-creations.tk, 1
+web-creato.tk, 1
+web-demarche.com, 1
+web-design-india.com, 1
+web-design-singapore.sg, 1
+web-design.co.il, 1
+web-dev-qa-db-ja.com, 1
+web-direct.nl, 1
+web-disaster.tk, 1
+web-format.tk, 1
+web-fox23.ru, 1
+web-hotel.gr, 1
+web-industry.pro, 1
+web-is-amigo.tk, 1
+web-it-entwicklung.de, 1
+web-lab.ml, 1
+web-log.ml, 1
+web-masterok.ga, 1
+web-mastery.tk, 1
+web-net.tk, 1
+web-odyssey.com, 1
+web-one.net, 1
+web-online.cf, 1
+web-performance.ch, 1
+web-privacy.tk, 1
+web-redactor.com, 1
+web-redactor.net, 1
+web-ross.gq, 1
+web-ross.tk, 1
+web-siena.it, 1
+web-smart.com, 1
+web-snadno.online, 1
+web-space.design, 1
+web-station.tk, 1
+web-stories.at, 0
+web-studio-kzo.ml, 1
+web-style.tk, 1
+web-tcapwebsite-dev.azurewebsites.net, 1
+web-test.gq, 1
+web-town.tk, 1
+web-treff.de, 1
+web-view.ml, 1
+web-wack.at, 1
+web-warrior.de, 1
+web-worker.cn, 1
+web.ca, 1
+web.de, 1
+web.net, 1
+web1212.top, 1
+web1n.com, 0
+web20indexer.com, 1
+web22.eu, 1
+web2ldap.de, 1
+web2screen.tv, 1
+web3mantra.com, 1
+web404.net, 1
+web50aqui.es, 1
+web74.ga, 1
+web76.tk, 1
+webaam.com, 1
+webachtal.com, 1
+webadiccion.net, 1
+webadicta.net, 1
+webadicto.net, 1
+webadmit.org, 1
+webagentur-flake.de, 1
+webaholic.co.in, 1
+webais.ru, 1
+webal.co.uk, 1
+webambacht.nl, 1
+webanalysissolutions.com, 1
+webandmore.de, 1
+webandsun.com, 1
+webanet.eu, 1
+webannonces.tk, 1
+webanyti.me, 1
+webapky.cz, 1
+webappky.cz, 1
+webapplay.com, 1
+webappperformance.com, 1
+webapps-conception.fr, 1
+webart-factory.de, 1
+webartex.ru, 1
+webasto-moscow.ru, 1
+webastra.fr, 1
+webauthnlogin.com, 1
+webautohelper.com, 1
+webawere.com, 1
+webb.se, 1
+webbankir.com, 1
+webbanquyen.com, 1
+webbgro.com, 1
+webbiz.co.uk, 1
+webblawmaine.com, 1
+webbolivia.tk, 1
+webbricks.ru, 1
+webbuilder.de, 1
+webbureauer.dk, 1
+webby-books.com, 1
+webcafe.tk, 1
+webcam-lisa.ml, 1
+webcam-model.tk, 1
+webcam.ninja, 1
+webcamara.sytes.net, 1
+webcamdream.hu, 1
+webcamera-online.tk, 1
+webcamera.io, 1
+webcamrunetki.ga, 1
+webcams.com, 1
+webcams4date.com, 1
+webcamstudio.hu, 1
+webcamtoy.com, 1
+webcamyoung.tk, 1
+webcaptive.com, 1
+webcaptive.net, 1
+webcarebox.com, 1
+webcargonet.com, 1
+webcarlosmartin.tk, 1
+webcarroseletricos.ga, 1
+webcase.tk, 1
+webcatchers.nl, 0
+webce.com, 1
+webce.de, 1
+webcheck.pt, 1
+webclymber.com, 0
+webcoder.cf, 1
+webcoins.tk, 1
+webcollector.ga, 1
+webcontrol.tk, 1
+webcookies.org, 1
+webcover.fr, 1
+webcrazy.ga, 1
+webcreaciones.net, 1
+webcreativa.tk, 1
+webcreative.tk, 1
+webcrial.com.br, 1
+webcrm.com, 1
+webcurtaincall.com, 1
+webdaddyit.ga, 1
+webdating.tk, 1
+webdemaestrias.com, 1
+webdesign-kall.de, 1
+webdesign-note.jp, 1
+webdesignagency.cf, 1
+webdesigncompanyindia.com, 1
+webdesigner4u.net, 0
+webdesignersinchennai.tk, 1
+webdesignfenua.tk, 1
+webdesignlabor.ch, 1
+webdesignplay.com, 1
+webdesignplayground.io, 1
+webdesignrodgau.de, 1
+webdesignsyourway.net, 1
+webdev-cw.me, 1
+webdev-cw.tk, 1
+webdev.solutions, 1
+webdevelop.ninja, 1
+webdevinsider.pl, 1
+webdevoo.com, 1
+webdgc.ro, 1
+webdieta.tk, 1
+webdietrolequinte.it, 0
+webdig.pt, 0
+webdigital.ca, 1
+webdispo.com, 1
+webdl.org, 1
+webdollarvpn.io, 1
+webdoors.ge, 1
+webdrino.com, 1
+webdrops.nl, 1
+webdushowcase.co.uk, 1
+webeast.eu, 1
+webeck-information-systems.at, 1
+webelement.sk, 0
+webemployed.com, 1
+webencrypt.org, 1
+webengage.com, 1
+webenglish.se, 1
+weber-immobilienberatung.de, 1
+weber911.gov, 1
+webera.lt, 1
+webera.pro, 1
+weberbasin.gov, 1
+weberbasinut.gov, 1
+weberelections.gov, 1
+weberl.com, 1
+webers-webdesign.de, 1
+webescucha.tk, 1
+webest.pl, 1
+webexample.win, 0
+webexp.biz, 1
+webexperts.tk, 1
+webexpertsdirect.com.au, 1
+webfeifei.tk, 1
+webfence.pt, 1
+webfigueras.tk, 1
+webfilings-eu-mirror.appspot.com, 1
+webfilings-eu.appspot.com, 1
+webfilings-mirror-hrd.appspot.com, 1
+webfilings.appspot.com, 1
+webfixers.nl, 1
+webfocus.ph, 1
+webfoersterei.de, 1
+webforce.pt, 1
+webformula.in, 0
+webforthemasses.tk, 1
+webfrenz.com, 1
+webfun.tk, 1
+webgadgets.tk, 1
+webgaku.net, 1
+webgamex.ml, 1
+webgarten.ch, 1
+webgeneric.com, 1
+webgeneric.in, 1
+webgentleman.tk, 1
+webgrow.co.za, 1
+webhackspro.com, 1
+webharvest.gov, 1
+webhelpmedica.com, 1
+webhelpmedica.fr, 1
+webhelyesarcu.hu, 1
+webhero.it, 1
+webhoffmann.de, 0
+webhooks.stream, 1
+webhopp.com, 1
+webhosting-erfahrungen.de, 1
+webhosting4u.email, 0
+webhostingblackfriday.deals, 1
+webhostingempresas.com, 1
+webhostingmagic.com, 1
+webhostingmedia.net, 1
+webhostingpros.ml, 1
+webhostings.org, 1
+webhostingshop.ca, 1
+webhostplan.info, 1
+webhostsg.net, 1
+webhotel24.se, 1
+webhotelli.website, 1
+webhotels.tk, 1
+webhotelsoversigt.dk, 1
+webi.ms, 1
+webi.sh, 1
+webia.in.th, 1
+webika.site, 1
+webimagina.tk, 1
+webinarlist.ro, 1
+webinator.tk, 1
+webinformer.tk, 1
+webini.co, 1
+webinke.ga, 1
+webinnovation.ie, 1
+webinstit.net, 1
+webionite.com, 1
+webiroha.com, 1
+webisle.com, 1
+webisoder.net, 1
+webissues.de, 1
+webitentwicklung.de, 1
+webiz.ro, 1
+webizer.fr, 1
+webjobposting.com, 1
+webkam-sex.com, 1
+webkaroindia.com, 1
+webkato.ru, 1
+webkef.com, 1
+webkeks.org, 1
+webkolektiv.com, 1
+webkorobka.tk, 1
+weblagalera.tk, 1
+weblate.com, 1
+weblate.cz, 1
+weblate.org, 1
+weblead.vip, 1
+weblegion.tk, 1
+weblian.ml, 1
+webliberty.ru, 1
+weblibrary.cf, 1
+weblightnovel.tk, 1
+weblights.ml, 1
+webline.ch, 1
+weblinkcity.tk, 1
+weblinkpedia.com, 1
+weblistposting.com, 1
+weblocus.tk, 1
+weblogia.tk, 1
+weblogic.tk, 1
+weblogzwolle.nl, 1
+webmachine.co.za, 1
+webmail.ee, 1
+webmail.gigahost.dk, 0
+webmail.info, 1
+webmail.mayfirst.org, 0
+webmail.onlime.ch, 0
+webmail.schokokeks.org, 1
+webmama.tk, 1
+webmanagement.berlin, 0
+webmandat.fr, 1
+webmandesign.eu, 1
+webmarcosmarquez.tk, 1
+webmaster16.ml, 1
+webmasterblog.tk, 1
+webmasterhall.com, 1
+webmax.cloud, 1
+webmediaclick.com, 1
+webmediaprint.at, 1
+webmediums.com, 1
+webmedpharmacy.co.uk, 1
+webmeister.org, 1
+webmenedzser.hu, 1
+webmetallica.tk, 1
+webmetering.at, 1
+webmethod.email, 1
+webminders.it, 1
+webmining.gq, 1
+webministeriet.net, 1
+webmonsters.tk, 1
+webmore.fr, 1
+webmotelli.fi, 1
+webmotion.com.au, 1
+webmyhealth.com, 1
+webnames.ca, 1
+webnancy.tk, 1
+webnestify.cloud, 1
+webnetmail4u.com, 1
+webnexty.com, 1
+webnoob.net, 1
+webo.agency, 1
+webo.pl, 1
+weboffice.ro, 1
+weboflies.tk, 1
+webofthingsmarwane.xyz, 1
+weboke.nl, 1
+weboost.com.ar, 1
+weboperater.rs, 0
+webowell.fr, 1
+webpage.com.ua, 1
+webpantry.ga, 1
+webparallax.cf, 1
+webpark.ch, 1
+webpcstudio.com, 1
+webperformance.io, 1
+webpiar.tk, 1
+webpitarque.tk, 1
+webpixelia.com, 1
+webpkgcache.com, 1
+webplace4u.nl, 1
+webplatform.news, 1
+webportail.tk, 1
+webpostingmart.com, 1
+webpostingpro.com, 1
+webpostingreviews.com, 1
+webpot.hu, 1
+webprato.it, 1
+webpresence.tk, 1
+webprice.ga, 1
+webproject.rocks, 1
+webprom.net, 1
+webprostitutki.tk, 1
+webpublishing.tk, 1
+webpubsub.com, 1
+webpunk.tk, 1
+webqam.fr, 0
+webquests.tk, 1
+webrabbit.at, 1
+webradio-maroc.tk, 1
+webrand.com, 1
+webranko.tk, 1
+webrebels.org, 0
+webregie.de, 1
+webregion.tk, 1
+webrepresalia.tk, 1
+webringpeopletogether.com.au, 1
+webs4all.ro, 0
+websa.nl, 1
+websanlamuerte.tk, 1
+websayfasi.biz.tr, 1
+webschool21.ml, 1
+websdesignpro.com, 1
+websec.nu, 1
+websectools.com, 1
+webseitendesigner.com, 0
+webseitenserver.com, 0
+webserve.be, 1
+webserverindia.com, 0
+webshaped.de, 1
+webshipper.com, 1
+webshop.nl, 1
+websika.com, 1
+website-engineering.co.za, 1
+website-traffic.shop, 1
+website.builders, 1
+website999.in, 1
+websitebakers.eu, 1
+websiteboost.nl, 1
+websitecalifornia.cf, 1
+websitecenter.tk, 1
+websitecyber.com, 1
+websitedesignersmalappuram.ga, 1
+websitedesignprice.ga, 1
+websitedirectory.nl, 1
+websiteforyou.nl, 0
+websiteirani.tk, 1
+websitelearners.cf, 1
+websiteleichtgemacht.de, 1
+websitemarketers.tk, 1
+websiteout.ca, 1
+websiteout.net, 1
+websitepromotion.ml, 1
+websiterent.ca, 1
+websites4business.ca, 1
+websitesbymark.co.uk, 0
+websitesbywordpress.com, 1
+websitesdallas.com, 1
+websitesdemos.tk, 1
+websiteservice.pro, 1
+websitesthatwork.biz, 1
+websize.me, 1
+websktop.com, 1
+websmartlink.tk, 1
+websoftba.gq, 1
+websofts.co.in, 1
+websolid.be, 1
+websolutionbd.tk, 1
+websouthdesign.com, 1
+websphere.tk, 1
+webspider.tk, 1
+webspotter.nl, 1
+webssupport.ga, 1
+webstaff.xyz, 1
+webstar.tk, 1
+webstart.nl, 1
+webstats.tk, 1
+webstaurant.com, 1
+webstaurantstore.com, 1
+websteam.tk, 1
+webstellung.com, 1
+webstergrovesmo.gov, 1
+websternytoday.gov, 1
+webstop.tk, 1
+webstore.be, 1
+webstreamworld.ae, 1
+webstreamworld.com, 1
+webstreamworld.sg, 1
+webstu.be, 1
+webstylemedia.com, 1
+websubmissions.tk, 1
+websuccess.ga, 1
+websvetaines.lt, 1
+webtalis.nl, 1
+webtasarim.info.tr, 1
+webtasarim.pw, 1
+webtasarimankara.name.tr, 1
+webtasarimi.tk, 1
+webtasarimostim.name.tr, 1
+webtaxi.cf, 1
+webtechmantra.com, 1
+webtechnicom.net, 0
+webtek.nu, 1
+webtele.ga, 1
+webtele.tk, 1
+webtelegram.eu.org, 1
+webtematica.com, 1
+webter.de, 1
+webthreesome.com, 1
+webtobesocial.de, 1
+webtodito.tk, 1
+webtomsk.tk, 1
+webtoolhost.com, 1
+webtools-eqt.co.nz, 1
+webtoolxl.net, 1
+webtoolxl.nl, 1
+webtop.co.il, 1
+webtoro.com, 1
+webtorrent.io, 1
+webtorrent.tk, 1
+webtostore.fr, 1
+webtransfers.ml, 1
+webtrend.ch, 1
+webtrh.cz, 1
+webtropia.com, 0
+webtrustcr.com, 1
+webuildsite.ga, 1
+webukhost.com, 1
+webullreview.co, 1
+webuniverse.ml, 1
+webunix.ga, 1
+webuyloansfast.com, 1
+webvampiro.tk, 1
+webvanced.nl, 1
+webvenezuela.tk, 1
+webverdienst.tk, 1
+webviewcams.com, 1
+webvpsnet.com, 1
+webvpsnet.org, 1
+webwatchdogs.net, 1
+webwatcher.tk, 1
+webwelearn.com, 1
+webwinkelexploitatie.nl, 1
+webwinkelkeur.nl, 1
+webwinkelwestland.nl, 1
+webwit.pro, 1
+webwweb.com.pl, 1
+webyazilim.biz.tr, 1
+webyazilimankara.com, 1
+webycrea.eu, 1
+webyildiz.com, 1
+webyourself.eu, 1
+webzanem.com, 0
+webzarabotok.tk, 1
+wecanvisit.com, 1
+wecareplatform.nl, 1
+weccode.com, 1
+wechange.de, 1
+wechatify.com, 1
+wecleanbins.com, 1
+wecoach.gg, 0
+wecobble.com, 1
+wecodify.nl, 1
+wecorp.org, 1
+wecreate.ml, 1
+wed13spain.tk, 1
+weda.cf, 1
+wedabout.com, 1
+wedatasolution.com.br, 1
+wedceducation.com, 1
+wedcha.com, 1
+weddinal.com, 1
+wedding-dress-hire.tk, 1
+wedding-e-dress.tk, 1
+wedding-page.ga, 1
+wedding-page.tk, 1
+wedding-transportation.com, 1
+wedding-ua.tk, 1
+weddingartist.ca, 1
+weddingbells.ca, 1
+weddingcalculator.ga, 1
+weddingdays.tv, 1
+weddingdressesguide.com, 1
+weddingfantasy.ru, 1
+weddinggoods.tk, 1
+weddinggram.ga, 1
+weddinghotographers.tk, 1
+weddingideas.gq, 1
+weddingpainter.ca, 0
+weddingplanner.tk, 1
+weddingpro.com, 1
+weddingsbynoon.co.uk, 1
+weddingtailor.com.au, 1
+weddingtrunks.tk, 1
+weddingwire.ca, 1
+weddingwire.co.uk, 1
+weddingwire.com, 1
+weddingwire.in, 1
+weddingz.in, 1
+wedefendcharities.org, 1
+wedeliverdavao.com, 1
+wedinspire.com, 1
+wedl.ru, 0
+wedontca.re, 1
+wedontcaregroup.com, 1
+wedontgetpaidenough.com, 1
+wedooper.com, 1
+wedos.com, 1
+wedot.co.uk, 1
+wedplay.host, 1
+wedshoots.com, 1
+weeaboo.ml, 1
+weeb.us, 1
+weebl.me, 1
+weeblr.com, 1
+weecarepreschool.ca, 1
+weed.ren, 1
+weedgranadagrowshop.com, 1
+weedlife.com, 1
+weednews.co, 0
+weedupdate.com, 1
+weedworthy.com, 1
+weedypedia.de, 1
+weefriendskids.com, 1
+week-numbers.org, 1
+week.report, 1
+weekdone.com, 1
+weekendbus.pl, 1
+weekendcandy.com, 1
+weekendcraft.com, 1
+weekendinitaly.com, 1
+weekendplayers.tk, 1
+weekendstartup.ml, 1
+weekly-news.pl, 1
+weekly-residence.com, 1
+weeklyads2.com, 1
+weeklydcoupgen.com, 1
+weektegenarmoede.be, 1
+weemake.fr, 0
+weemakers.fr, 0
+weepycat.com, 1
+weerda.fr, 1
+weernieuws.info, 1
+weerstationgiethoorn.nl, 1
+weerstatistieken.nl, 1
+weetalksls.com, 1
+weetix.fr, 1
+weexend.com, 1
+weezerosos.tk, 1
+weezertabs.tk, 1
+wefact.nl, 1
+wefazemos.com.br, 1
+wefillgood.com, 1
+wefitboilers.com, 1
+wefixmd.com, 1
+wefloridafinancial.com, 1
+weforgood.org.tw, 1
+wefound.com.tw, 1
+wefound.se, 1
+weg-auwald.de, 1
+wegethitched.co.uk, 1
+wegner.no, 1
+wego.ca, 1
+wegonnagetsued.org, 1
+wegotcookies.com, 1
+wegotrip.com, 1
+wegotrip.ru, 1
+wegrzynek.org, 1
+wegrzynek.pl, 1
+wegvielfalt.de, 1
+wehaa-server2.com, 1
+wehaaserver.com, 1
+wehealasone.gov.ph, 1
+wehiremac.uk, 1
+weho.gov, 1
+wehostdnn.com, 1
+wei-mao.com.ua, 1
+weibomiaopai.com, 1
+weideheuvel.org, 1
+weidmannfibertechnology.com, 0
+weig-karton.de, 1
+weighed.ga, 1
+weightlift.ml, 1
+weightlosseasy.cf, 1
+weightlossoutcome.com, 1
+weightprogram.cf, 1
+weihua.life, 1
+weikai.net, 1
+weike.tk, 1
+weiling.clinic, 1
+weils.net, 1
+weiltoast.de, 1
+weimaranerdogcare.com, 1
+weiming.ddns.net, 1
+weimingsci.cn, 1
+weimz.com, 1
+wein.cc, 1
+weinbergerlawgroup.com, 1
+weinboxbuilders.co.nz, 1
+weinfuse.com, 0
+weingut-bernd-klein.de, 1
+weinundsein.com, 1
+weinzierlweb.com, 1
+weiran.org.cn, 1
+weirddisney.com, 1
+weirdesigns.com, 1
+weirdgloop.org, 1
+weirdness.tk, 1
+weirdork.com, 1
+weirdork.eu, 1
+weirdork.net, 1
+weirdork.org, 1
+weirdork.social, 1
+weirdorks.eu, 1
+weirdorks.net, 1
+weirdorks.org, 1
+weirdorks.social, 1
+weirdserver.com, 1
+weirdware.tech, 1
+weis.bz, 1
+weis.duckdns.org, 1
+weisskircher.tk, 1
+weissman.agency, 1
+weiter.so, 1
+weiterbildung-vdz.de, 1
+weitergedacht.eu, 1
+weitsolutions.nl, 1
+weitundbreit.ch, 1
+weitz-porzellan.de, 1
+weitzmangroup.com, 1
+weixinjiefengla.com, 1
+weizenke.im, 1
+wekan.hopto.org, 1
+wekibe.de, 1
+wekipedia.com, 1
+weknowhowtodoit.com, 1
+wekurate.com, 1
+wel.com.br, 1
+weladee.com, 1
+welby.cat, 1
+welches-kinderfahrrad.de, 1
+welcome-tahiti.com, 0
+welcome-werkstatt.com, 1
+welcome26.ch, 0
+welcomehometnt.com, 1
+welcomepowayan.tk, 1
+welcometoohio.gov, 1
+welcoop-logistique.com, 1
+welcorp.com, 1
+weld.gov, 1
+weldersnet.tk, 1
+weldingandwelder.com, 1
+weldynz.co.nz, 1
+welfareness.icu, 1
+welivetogether.com, 1
+well.bayern, 1
+wella-download-center.de, 1
+wellaeducationbook.de, 1
+wellbalancedhealth.ie, 1
+wellbe.com, 1
+wellbeing360.com.au, 1
+wellbutrinxlgeneric.cf, 1
+wellcarehealthsurvey.com, 1
+wellcom.co.il, 1
+wellcomemdhealth.com, 1
+welldoc.com, 1
+welldocinc.com, 1
+wellen-reiten.com, 1
+wellensteyn.ru, 1
+weller.pm, 1
+wellesleycosmeticsurgery.com, 1
+wellesweb.net, 1
+welletin.it, 1
+wellgreece.com, 1
+wellington.govt.nz, 1
+wellist.com, 1
+wellness-alto-adige.net, 1
+wellness-bonbon.de, 0
+wellness-gutschein.de, 1
+wellness-spa-suedtirol.com, 1
+wellnesscheck.net, 1
+wellnesslifestyletravel.com, 1
+wellnessmassage-eitorf.de, 1
+welloca.com, 1
+wellreceived.com, 1
+wellsbourne.co.uk, 1
+wellsolveit.com, 0
+wellspringsga.com, 1
+wellsprung.net, 1
+wellstonok.gov, 1
+wellthy.com, 1
+wellzapness.com, 1
+welmo.fr, 1
+welom.tk, 1
+welove.lk, 1
+welove.tk, 1
+welovecatsandkittens.com, 1
+welovegalicia.com, 1
+welovelinks.com, 1
+weloveliving.it, 1
+welovemail.com, 1
+welovestrawberries.com, 1
+welpen-rucphen.tk, 1
+welpo.me, 1
+welshccf.org.uk, 1
+welshterrier.tk, 1
+welshyak.tk, 1
+welspunindia.com, 1
+welstrim.de, 1
+welt-flaggen.de, 1
+weltderangebote.de, 0
+welteneroberer.de, 1
+weltengilde.de, 1
+weltenhueter.de, 1
+weltentanzer.com, 1
+weltumradler.tk, 1
+weltverschwoerung.de, 1
+welty.cc, 1
+welty.co, 1
+welty.io, 1
+welty.me, 1
+wemadegod.tk, 1
+wemake.cx, 1
+wemakebookkeepingeasy.com, 1
+wemakemx.mx, 1
+wemakeonlinereviews.com, 1
+weme.eco, 1
+wemissyou.tk, 1
+wemovemountains.co.uk, 1
+wenablog.pl, 1
+wenaiwu.net, 1
+wenanmao.com, 1
+wenceslas.org.uk, 1
+wenchengchou.co, 1
+wenchieh.com, 1
+wendkom.com, 1
+wendlberger.net, 1
+wendu.me, 0
+wenducation.nl, 1
+wendy-david.tk, 1
+wendydarling.tk, 1
+wendys-careers.com, 1
+wendysbeautyshop.co.za, 1
+wenger-shop.ch, 1
+wengerwatson.com, 1
+wengyep.com, 1
+wenhelpdesk.tk, 1
+wenjulebu.cc, 1
+wenlopleidingen.nl, 1
+wenmilot.com, 1
+wenoexchange.com, 1
+wensenboomaltrecht.nl, 1
+wenta-computerservice.net, 1
+wenta.de, 1
+wentu.ml, 1
+wentyl.tk, 1
+wenzthewanderer.gq, 1
+weoneit.com, 1
+wep.pw, 1
+wepa.pe, 1
+wepay.com, 1
+wepay.in.th, 1
+wepbiz.com, 1
+weplan-app.com, 1
+weplananalytics.com, 1
+weplay.io, 1
+weplaycollectibles.com, 1
+weplaynaked.dk, 1
+weple.ga, 1
+weple.gq, 1
+weprenup.com, 1
+werbe-markt.de, 1
+werbe-sonnenbrillen.de, 0
+werbeagentur-benningen.de, 1
+werbeagentur-website.de, 1
+werbeagentur.de, 1
+werbefotograf-leitner.de, 1
+werbefotografie-leitner.de, 1
+werbewelt-tv.de, 1
+werbezentrum-stiebler.de, 1
+werbik.at, 1
+werchangemakers.com, 1
+werd.pw, 0
+werehub.org, 1
+wereldkoffie.eu, 1
+wereldplanner.nl, 1
+wereldreizen.tk, 1
+wereldschool.nl, 1
+werhatunsverraten.eu, 1
+werk-34.de, 1
+werk32.net, 1
+werken-bij-inwork.nl, 1
+werkenbijbejo.nl, 0
+werkenbijblokker.nl, 1
+werkenbijbuvo.nl, 1
+werkenbijdfzs.nl, 0
+werkenbijejk.nl, 1
+werkenbijintertoys.nl, 1
+werkenbijmagentazorg.nl, 1
+werkenbijpelsrijcken.nl, 1
+werkenbijpromovendum.nl, 1
+werkenbijsanitairwinkel.be, 1
+werkenbijsanitairwinkel.nl, 1
+werkenbijsherpa.nl, 0
+werkenbijvanderventions.com, 1
+werkenbijvanderventions.nl, 1
+werkeninwesterveld.nl, 1
+werkenontwikkelen2030nh.nl, 1
+werkgroepderdewereld.nl, 1
+werkgroeppaleisparkhetloo.nl, 1
+werkkrew.xyz, 1
+werksalon.at, 1
+werkslimreisslim.nl, 1
+werkstattkinder.de, 1
+werktuigen.nl, 1
+werkzoeken.nl, 1
+wermeester.be, 1
+wermeester.com, 1
+werner-ema.de, 1
+wernerco.com, 1
+wernicke-it.de, 1
+werpo.com.ar, 1
+werranfehtan.org, 1
+wertpapiertreuhand.de, 1
+wertschatz-kommunikation.de, 1
+wervingenselectieamsterdam.nl, 1
+werwolf-live.de, 1
+werxa.cz, 1
+werxus.eu, 1
+weryfikacjapodatnika.pl, 1
+wesecom.com, 1
+wesermarsch-bauelemente.de, 1
+weserv.nl, 1
+wesleyanbank.co.uk, 1
+wesleyarcher.com, 1
+wesleycabus.be, 0
+wesleywarnell.com, 1
+wesoco.de, 1
+wespath.org, 1
+wespeakgeek.co.za, 1
+wespringforward.com, 1
+wesreportportal.com, 1
+wessalicious.com, 1
+wessco.mx, 1
+wesselius.tk, 1
+wessner.co, 0
+wessner.org, 0
+wessobrunn.de, 1
+wessokind.de, 1
+west-contemporary.com, 1
+west-nerica.de, 1
+west-raptors.tk, 1
+west-trans.com.au, 0
+west-wind.net, 1
+west2.cn, 0
+westaf-edit.com, 1
+westappin.com.au, 1
+westbathmaine.gov, 1
+westboroughma.gov, 1
+westbourne-history.org.uk, 1
+westburlingtoniowa.gov, 1
+westburyfestival.org.uk, 1
+westcartilafdnc.gov, 1
+westcentenaryscouts.org.au, 1
+westcentralaor.org, 1
+westcentralmls.com, 1
+westchester-il.gov, 1
+westchesteranxietytreatment.com, 1
+westcoastaggregate.com, 1
+westcoastcastles.com, 1
+westcoastdrones.io, 1
+westcoastdrones.net, 1
+westcoastfood.ca, 1
+westcoastmarineadvisor.com, 1
+westcoastmotors.co.uk, 1
+westcode.de, 1
+westcountrydentalcrafts.uk, 1
+westcountrystalking.com, 1
+westcreekna.org, 1
+westendwifi.net, 1
+westerdraai.tk, 1
+westeremden.com, 1
+westergas.nl, 1
+westernalliancebancorporation.com, 1
+westernpadermatologist.com, 1
+westernparts.com, 0
+westernpsychiatry.com.au, 1
+westernresourceadvocates.org, 1
+westernsydney.com.au, 1
+westernwaterca.gov, 1
+westfairleevt.gov, 1
+westfordwi.gov, 1
+westfund.com.au, 1
+westgatecruiseandtravel.com, 1
+westhamptonma.gov, 1
+westhighlandwhiteterrier.com.br, 1
+westhomesteadpa.gov, 1
+westie.tk, 1
+westjp-tetuke-hosyou.co.jp, 1
+westlab.ch, 1
+westlakehills.gov, 1
+westlaketx.gov, 1
+westlakevillageelectric.com, 1
+westlakevillageelectrical.com, 1
+westlakevillageelectrician.com, 1
+westlakevillageexteriorlighting.com, 1
+westlakevillagelandscapelighting.com, 1
+westlakevillagelighting.com, 1
+westlakevillageoutdoorlighting.com, 1
+westlandcultuur.tk, 1
+westlander-nostalgie.tk, 1
+westlandinsurance.ca, 1
+westlebanonpa.gov, 1
+westlibertykypolice.gov, 1
+westline.com.tr, 1
+westlogistic.com, 1
+westmarlboroughpa.gov, 1
+westmead.org, 1
+westmeadapartments.com.au, 1
+westmelbourne.gov, 1
+westmidlandsbouncycastlehire.co.uk, 1
+westmidlandsinflatables.co.uk, 1
+westmidlandslettings.com, 1
+westmidlandsrailway.co.uk, 1
+westmilwaukeewi.gov, 1
+westminsterco.gov, 1
+westminsternational.com.au, 1
+westmodernclinic.com, 1
+westonma.gov, 1
+westonreed.com, 1
+westoveral.gov, 1
+westpennwire.com, 1
+westphalfamily.com, 1
+westplains.gov, 1
+westpointne.gov, 1
+westporthoney.com, 1
+westportisland.gov, 1
+westportok.gov, 1
+westrandgardeningservices.co.za, 1
+westreet-store.com, 1
+westsalemwi.gov, 1
+westshoresrealty.com, 1
+westside-pediatrics.com, 1
+westsidechildrenstherapy.com, 1
+westskinlaser.com, 1
+westspace.org.uk, 1
+westterrehautein.gov, 1
+westvalleyfiremt.gov, 1
+westvancouver.ca, 1
+westviewpa.gov, 1
+westvillenyc.com, 1
+westvirginiahealth.tk, 1
+westwarwickri.gov, 1
+westwingopenhouse.com, 1
+westwings.tk, 1
+westwoodhillsks.gov, 1
+wesupportthebadge.org, 1
+wesystems.cloud, 0
+wet-dry.world, 1
+wet-international.com, 1
+wet1.com.au, 1
+wetdryvacs.ie, 1
+weteachme.com, 1
+wetheghosts.eu, 1
+wethemovement.org, 1
+wetherbyvets.co.uk, 1
+wetleak.com, 1
+wetpussylipsex.com, 1
+wetpussyporn.com, 1
+wetravel.company, 1
+wetrepublic.com, 1
+wettbuero.com, 1
+wettbuero.de, 1
+wetter.de, 1
+wetthost.com, 1
+wetumpkaal.gov, 1
+wevah.com, 0
+wevenues.com, 1
+wevolver.com, 0
+wevyin.com, 1
+wew881.com, 1
+wew882.com, 1
+wewin889.com, 1
+wewitro.de, 1
+weworkjpn.com, 1
+wexfordbouncycastles.ie, 1
+wexilapp.com, 1
+weyerstall1880.de, 1
+weyhmueller.de, 0
+weyland-yutani.org, 1
+weymouthslowik.com, 1
+weyoui.de, 1
+wf-bigsky-master.appspot.com, 1
+wf-demo-eu.appspot.com, 1
+wf-demo-hrd.appspot.com, 1
+wf-dogfood-hrd.appspot.com, 1
+wf-pentest.appspot.com, 1
+wf-staging-hr.appspot.com, 1
+wf-training-hrd.appspot.com, 1
+wf-training-master.appspot.com, 1
+wf-trial-hrd.appspot.com, 1
+wf336.com, 1
+wfbabfn.com, 1
+wfbvillage.gov, 1
+wforum.nl, 1
+wfschicago.com, 1
+wftbasis.nl, 1
+wfxs.com.tw, 1
+wg-smue.de, 1
+wg-tools.de, 1
+wg2023.com.br, 1
+wgauthier.com, 1
+wgauthier.net, 1
+wgcaobgyn.com, 1
+wgdp.gov, 1
+wge-feg.gc.ca, 1
+wgec-fegc.gc.ca, 1
+wget.cool, 1
+wget.cx, 1
+wget.tw, 1
+wgfl.gov, 1
+wgi.fi, 1
+wgnr.me, 1
+wgom.org, 0
+wgplatform.co.uk, 1
+wgraphics.ru, 1
+wgrfoods.co.uk, 1
+wgrlc.vic.gov.au, 1
+wgrstudio.com, 1
+wgsh.de, 1
+wgsuyi.cf, 1
+wgtrm.com, 1
+wgyt.tk, 1
+wgzdy.top, 0
+wh-guide.de, 1
+wh.gov, 1
+wh0.re, 1
+wh966.com, 0
+whalecrew.com, 1
+whaletail.ai, 0
+whanau.org, 0
+whanglaw.com, 1
+whannell.net, 0
+whaogirls.com, 1
+whapn.sg, 1
+wharfevalleywindows.co.uk, 1
+what-do-kittens-need-to-eat.tk, 1
+what-does-kittens-need.ml, 1
+what-wood.servehttp.com, 1
+what.tf, 1
+what2see.today, 1
+whatabout.ga, 1
+whatabout.tk, 1
+whataboutjonbuckland.tk, 1
+whataboutjoshua.tk, 1
+whatairdefencedoing.com, 1
+whatarepatentsfor.com, 1
+whatcanyoudocampaign.org, 1
+whatclinic.co.uk, 1
+whatclinic.com, 1
+whatclinic.com.ph, 1
+whatclinic.de, 1
+whatclinic.ie, 1
+whatclinic.ru, 1
+whatdevotion.com, 1
+whatdevshouldknow.pl, 1
+whatevents.tk, 1
+whateveritworks.org, 1
+whatevername.tk, 1
+whateverzone.ml, 1
+whatfinger.com, 1
+whatfontis.com, 1
+whatgrowswhere.com, 1
+whatgrowswhere.eu, 1
+whatgrowswhere.net, 1
+whatgrowswhere.nl, 1
+whatgrowswhere.org, 1
+whatimissed.news, 1
+whatisapassword.com, 1
+whatiscss.tk, 1
+whatisinternetsecurity.net, 1
+whatisipfix.com, 1
+whatisl.ovh, 1
+whatismycountry.com, 1
+whatismyip.net, 0
+whatismypublicip.com, 1
+whatisnetflow.com, 1
+whatissflow.com, 1
+whatisthe.cloud, 1
+whatisthisapp.com, 1
+whatiswhatis.com, 1
+whatsapp-plus.com, 1
+whatsapp.com, 1
+whatsapp.net, 1
+whatsapp.ru, 1
+whatsatienda.com, 1
+whatsgood.tk, 1
+whatsinmyjar.com, 1
+whatsitsname.tk, 1
+whatsmychaincert.com, 1
+whatstheirnetworth.com, 1
+whatsupoutdoor.com, 0
+whatsupyo.tk, 1
+whatswrong.blog, 1
+whatthefile.info, 1
+whatthingsweigh.com, 1
+whattimedoiwork.com, 1
+whattominingrigrentals.com, 1
+whatusb.com, 1
+whatwebcando.today, 1
+whatwg.org, 1
+whatzelink.com, 1
+whawtheme.fr, 1
+whd-guide.de, 1
+whdpc.gov, 1
+wheatfieldtwpmi.gov, 1
+wheatgra.in, 1
+wheatland.com, 1
+wheatlandcomt.gov, 1
+wheatridge.gov, 1
+wheelastic.com, 1
+wheelchair-mobility-scooter-rental-london.com, 1
+wheelchair.gq, 1
+wheeler.kiwi.nz, 0
+wheelhero.com, 1
+wheelingisland.com, 1
+wheelnation.net, 1
+wheelspin.ga, 1
+wheelwide.co.uk, 1
+wheelwork.org, 0
+wheelworxrefinishing.com, 1
+wheely.com, 1
+wheelycool.tech, 1
+wheelycoolgear.com, 1
+wheelyking.tk, 1
+when-release.ru, 1
+when.fm, 0
+when.org.il, 1
+when2watch.live, 1
+whenisholiday.com, 1
+whentowork.com, 1
+whenwe.me, 1
+wheon.com, 1
+where2trip.com, 1
+whereapp.social, 1
+wherearethosemorgans.com, 1
+wherecaniwatchanime.com, 1
+wheredoi.click, 1
+wheregoes.com, 1
+whereicode.org, 0
+whereismyorigin.cf, 1
+whereisthekeep.com, 1
+whereiszakir.com, 1
+wheresbuzz.com.au, 1
+wheresthejump.com, 1
+wheretotravel.info, 1
+whereuare.se, 1
+whereveryougo.space, 1
+whexit.nl, 1
+whey-protein.ch, 1
+whichdoctor.com, 1
+whichgender.today, 1
+whichphish.com, 1
+whichwasfirst.com, 1
+whiff-of-grape.ca, 0
+whigfieldspain.tk, 1
+whil.com, 1
+whilsttraveling.com, 1
+whing.org, 1
+whining.blue, 1
+whipnic.com, 1
+whirlpool-luboss.de, 1
+whirlpool.net.au, 1
+whirr.org, 1
+whishart.cf, 1
+whishart.ga, 1
+whishart.gq, 1
+whishart.ml, 1
+whiskersandtails.co.za, 1
+whiskey.com.my, 1
+whiskey.money, 1
+whisky-circle.info, 1
+whisky.com.my, 1
+whisky.money, 1
+whisky.my, 1
+whiskydb.de, 1
+whiskydrivers.tk, 1
+whiskyhammer.com, 1
+whiskymy.com, 1
+whiskyshop.com.my, 1
+whiskyshop.my, 1
+whisp.ly, 0
+whispeer.de, 1
+whisper-net.de, 1
+whisperinghoperanch.org, 1
+whisperlab.org, 1
+whistleblower.gov, 1
+whistleblower.pl, 1
+whistleblower.report, 1
+whistleblowerordning.com, 1
+whistleblowers.org, 1
+whistleblowersoftware.com, 1
+whistlingdog.media, 0
+whitbread.com.au, 1
+whitdoit.tk, 1
+white-hell.tk, 1
+white-ibiza.com, 1
+white-info.tk, 1
+white-noise.tk, 1
+white-rabbit.tk, 1
+white-skull.tk, 1
+white-wolf.tk, 1
+whitealps.at, 0
+whitealps.be, 0
+whitealps.ch, 0
+whitealps.de, 0
+whitealps.fr, 0
+whitealps.net, 0
+whiteantelopeinteriors.com, 1
+whitebirdclinic.org, 1
+whitebox.ga, 1
+whitefieldnhpd.gov, 1
+whitefishtownshipmi.gov, 1
+whitefordtownshipmi.gov, 1
+whitehallal.gov, 1
+whitehatbrokers.com, 1
+whitehathackers.com.br, 1
+whitehats.nl, 1
+whitehorse.ga, 1
+whitehouse.gov, 1
+whitehouse.org, 1
+whitehouseconferenceonaging.gov, 1
+whitehousedrugpolicy.gov, 1
+whiteink.com, 1
+whiteinvestment.estate, 1
+whitejaguars.com, 1
+whitekings.tk, 1
+whitelabeltickets.com, 1
+whitelist-crypto.io, 1
+whitelotto.com, 1
+whitelotuscyp.com, 1
+whitelynx.co, 1
+whitemagic.ga, 1
+whitemanfss.net, 1
+whitemetalperu.tk, 1
+whiteneon.com, 1
+whiteout.wiki, 1
+whitepages.ml, 1
+whitepen.io, 1
+whitepen.tk, 1
+whitepinetn.gov, 1
+whiteprintnews.com, 1
+whiterabbit.group, 0
+whiterabbit.nl, 1
+whiterabbit.org, 1
+whiterabbitcyber.space, 1
+whiterose.goip.de, 1
+whitesalmonwa.gov, 1
+whiteshadowimperium.com, 1
+whiteshelf.org, 1
+whitesoxbestteaminbaseball.com, 1
+whitespace.se, 1
+whitespider.cf, 1
+whitespider.eu.org, 1
+whitespider.gq, 1
+whitespider.ml, 1
+whitespider.tk, 1
+whitestarlegacy.tk, 1
+whitestoneva.gov, 1
+whitesword.tk, 1
+whitevpn.cz, 1
+whitewaterks.gov, 1
+whitewatertownshipmi.gov, 1
+whiteweb.tk, 1
+whitewebhosting.com, 1
+whitewinterwolf.com, 1
+whiteyardcottage.com, 1
+whitfieldcountyga.gov, 1
+whitkirkchurch.org.uk, 0
+whitmanarchive.org, 1
+whitmancounty.gov, 1
+whittle.in, 1
+whittome.com, 1
+whitworth.nyc, 1
+whizkidpcservices.com, 1
+whizzzbang.co.uk, 1
+whm.gc.ca, 1
+whmcsdeveloper.com, 1
+whnpa.org, 1
+who-calledme.com, 1
+who.pm, 0
+whoagirls.com, 1
+whoagirls.net, 0
+whoagirls.org, 1
+whoami.eu.org, 1
+whoami.io, 1
+whoami.red, 1
+whocalld.com, 1
+whocalled.us, 1
+whocrushonme.com, 1
+whodiduexpect.com, 1
+whois.az, 1
+whoisamitsingh.com, 1
+whoiscuter.ml, 1
+whoiscutest.ml, 1
+whoisdhh.com, 0
+whoisonthebench.com, 1
+whoistheorchid.com, 1
+whoiswho.tk, 1
+wholebody.je, 1
+wholegrace.com, 1
+wholesale.cf, 1
+wholesalediamonds.tk, 1
+wholesalediscountsunglasses.com, 1
+wholesalegrowersdirect.com, 1
+wholesalehosting.co.uk, 1
+wholesaleimages.com, 1
+wholesomeharvestbread.com, 0
+wholevood.com, 1
+wholevood.de, 1
+wholewideworldtoys.com, 1
+wholewildworld.de, 1
+whoneedstobeprimaried.today, 1
+whong.media, 1
+whonix.org, 1
+whoopee.my, 0
+whooshkaa.com, 1
+whoplusyou.com, 1
+whoreofwallstreet.tk, 1
+whorepresentsme.us, 1
+whosapeach.tk, 1
+whosneo.com, 1
+whosoldmyemail.ca, 1
+whosoldmyemail.com, 1
+whosts.cn, 1
+whosyourdaddy.ml, 1
+whowherewhen.net, 1
+whqmeps.org, 1
+whqqq.com, 1
+wht.one, 1
+whta.eu, 1
+whta.se, 1
+whtcsj.com, 1
+whub.io, 0
+why-brexit.uk, 1
+why918.com, 0
+whychoosebob.net.au, 1
+whyinsurance.me, 1
+whymps.com, 1
+whynohttps.com, 1
+whynotbi.com, 1
+whypowerbrush.com, 1
+whysoslow.co.uk, 1
+whyteryan.com, 1
+whytls.com, 0
+whywa.com, 1
+whywelive.me, 1
+whyworldhot.com, 1
+whyy.eu.org, 1
+whyzeroturn.com, 1
+wi-q.cloud, 1
+wi-wi.co.jp, 1
+wiagencies.com, 1
+wiai.eu.org, 1
+wiapply.com, 1
+wibbe.link, 1
+wiberg.nu, 1
+wibness.com, 1
+wibu.moe, 1
+wibuw.com, 1
+wicamb.com, 1
+wicca-witchcraft.com, 1
+wiccansupplies.ga, 1
+wiccanwicks.ca, 1
+wiccasima.fr, 1
+wicharypawel.com, 1
+wichitafoundationpros.com, 1
+wichtel-umzuege.de, 1
+wickedsick.tk, 1
+wickedvibes.tk, 1
+wickersmith.com, 1
+wickerwoman.com, 0
+wickrath.com, 1
+wickrath.net, 1
+wicstunvetgroup.co.uk, 1
+widado.com, 1
+widatcp.gov, 1
+widderplasticsurgery.com, 1
+wideboxmacau.com, 0
+widecontrol.it, 1
+wideinfo.org, 1
+widejeans.tk, 1
+wideline.com.au, 1
+widememory.com, 1
+widenews.org, 1
+widescreenfixer.org, 1
+wideshoes.com, 1
+widewebhost.net, 1
+wideworks.agency, 1
+widgetmaker.co.uk, 1
+widma.gov, 1
+widmer.bz, 1
+widner.xyz, 1
+widoj.gov, 1
+widow411.com, 1
+widsl.de, 1
+widum.ru, 1
+widwap.net, 1
+widzenia.pl, 1
+wiebel.org, 1
+wiebetaaltdat.nl, 1
+wieckiewicz.org, 1
+wiederkehrvillagear.gov, 1
+wiedmeyer.de, 1
+wiedu.net, 1
+wieesgeht.com, 1
+wiegandt.org, 1
+wiegedaten.de, 1
+wiek.net, 1
+wieldberis.ru, 1
+wieloswiat.pl, 1
+wielrenbond.ml, 1
+wielrennen-in-zeeland.tk, 1
+wien52.at, 1
+wiender.be, 0
+wieneck-bauelemente.de, 1
+wiener.hr, 1
+wienergyjobs.com, 1
+wieobensounten.de, 1
+wiesbadener-kurier.de, 1
+wiet2home.nl, 1
+wifesbank.com, 1
+wifi-hack.com, 0
+wifi-names.com, 1
+wifi-ooe.at, 1
+wifi.com.vn, 1
+wifi.id, 1
+wificafehosting.com, 1
+wificonnect.cc, 1
+wifimb.cz, 1
+wifipineapple.com, 1
+wifirst.net, 1
+wifishing.tk, 1
+wifiwizardofoz.com, 1
+wigan.ovh, 1
+wiganer.tk, 1
+wigelsworth.io, 1
+wigger.one, 1
+wigggle.it, 1
+wigglywisdom.com, 1
+wigle.net, 1
+wigmore-hall.org.uk, 0
+wigsalon.ga, 1
+wigwam.design, 1
+wihiki.org, 1
+wiiaam.com, 1
+wiikipedia.com, 1
+wiimotion.de, 1
+wiin.co, 1
+wiingy.com, 1
+wiire.me, 0
+wijaya.net, 1
+wijaya2u.com, 1
+wijkbudget.gent, 1
+wijkdezwaenebloeme.tk, 1
+wijnbesteld.nl, 1
+wijnlandkroatie.nl, 1
+wijnservices.nl, 0
+wijsaantwerk.be, 1
+wijseuropa.gent, 1
+wijsvangent.be, 1
+wijwillendit.nl, 1
+wijzeweters.gent, 1
+wijzijnbrandstof.nl, 1
+wijzijnwolf.nl, 1
+wikalin.ski, 1
+wikelia.com, 1
+wikepedia.org, 1
+wiki-books.ga, 1
+wiki-iknownaught.ddns.net, 1
+wiki-pedia.org, 1
+wiki-play.ru, 1
+wiki-rostelecom.ru, 1
+wiki.berlin, 1
+wiki.gallery, 1
+wiki.python.org, 1
+wiki.voyage, 1
+wiki.xin, 1
+wiki24.ru, 1
+wikiboard.tk, 1
+wikibook.com, 1
+wikibooks.org, 1
+wikibooks.pt, 1
+wikibulz.com, 1
+wikibuy.com, 1
+wikicooking.tk, 1
+wikicuida.pt, 1
+wikidata.org, 1
+wikidpedia.org, 1
+wikiepdia.com, 1
+wikiepdia.org, 1
+wikifactory.com, 1
+wikifamily.ga, 1
+wikifamily.tk, 1
+wikifunctions.org, 1
+wikigta.org, 1
+wikihelp.in, 1
+wikihistory.tk, 1
+wikihow-fun.com, 1
+wikihow.com, 1
+wikihow.com.tr, 1
+wikihow.cz, 1
+wikihow.fitness, 1
+wikihow.health, 1
+wikihow.it, 1
+wikihow.jp, 1
+wikihow.life, 1
+wikihow.mom, 1
+wikihow.pet, 1
+wikihow.tech, 1
+wikihow.vn, 1
+wikijunior.com, 1
+wikijunior.net, 1
+wikijunior.org, 1
+wikileaks.ch, 1
+wikilibrary.tk, 1
+wikilink.cf, 1
+wikilink.tk, 1
+wikilinux.xyz, 1
+wikimania.com, 1
+wikimania.org, 1
+wikimatrix.org, 1
+wikimedia-dns.org, 1
+wikimedia.biz, 1
+wikimedia.com.pt, 1
+wikimedia.community, 1
+wikimedia.is, 1
+wikimedia.jp.net, 1
+wikimedia.lt, 1
+wikimedia.org, 1
+wikimedia.us, 1
+wikimedia.xyz, 1
+wikimediacommons.co.uk, 1
+wikimediacommons.info, 1
+wikimediacommons.jp.net, 1
+wikimediacommons.mobi, 1
+wikimediacommons.net, 1
+wikimediacommons.org, 1
+wikimediafoundation.com, 1
+wikimediafoundation.info, 1
+wikimediafoundation.net, 1
+wikimediafoundation.org, 1
+wikimilk.org, 1
+wikimir.tk, 1
+wikimirror.org, 1
+wikinbiography.com, 1
+wikinews.com, 1
+wikinews.de, 1
+wikinews.org, 1
+wikinews.pt, 1
+wikipaedia.net, 1
+wikipedia.bg, 1
+wikipedia.co.il, 1
+wikipedia.co.uk, 1
+wikipedia.co.za, 1
+wikipedia.com, 1
+wikipedia.com.ar, 1
+wikipedia.ee, 1
+wikipedia.es, 1
+wikipedia.fi, 1
+wikipedia.id, 1
+wikipedia.info, 1
+wikipedia.is, 1
+wikipedia.lt, 1
+wikipedia.net, 1
+wikipedia.org, 1
+wikipedia.org.il, 1
+wikipedia.sk, 1
+wikipediafoundation.org, 1
+wikipedial.org, 1
+wikipediazero.org, 1
+wikipeter.nl, 1
+wikipiedi.it, 1
+wikiquote.com, 1
+wikiquote.net, 1
+wikiquote.org, 1
+wikiquote.pt, 1
+wikiquotes.info, 1
+wikirace.tk, 1
+wikisaur.tk, 1
+wikiskripta.eu, 1
+wikislo.net, 1
+wikisorg.tk, 1
+wikisource.com, 1
+wikisource.org, 1
+wikisource.pl, 1
+wikisource.pt, 1
+wikispecies.com, 1
+wikispecies.net, 1
+wikispecies.org, 1
+wikispiel.de, 1
+wikitech.ga, 1
+wikitech.gq, 1
+wikitech.tk, 1
+wikitechsolutions.com, 1
+wikitransporte.tk, 1
+wikiutah.tk, 1
+wikiversity.com, 1
+wikiversity.org, 1
+wikiversity.pt, 1
+wikiversus.com, 1
+wikivisually.com, 1
+wikivoyage.com, 1
+wikivoyage.de, 1
+wikivoyage.eu, 1
+wikivoyage.net, 1
+wikivoyage.org, 1
+wikivoyager.de, 1
+wikivoyager.org, 1
+wikiwp.org, 1
+wikizip.ga, 1
+wikjpedia.org, 1
+wikkelweb.nl, 1
+wikpa.com, 1
+wikpedia.org, 1
+wikproduccions.tk, 1
+wiktionary.com, 1
+wiktionary.eu, 1
+wiktionary.org, 1
+wiktionary.pl, 1
+wiktionary.pt, 1
+wiktor-imbierski.com, 1
+wiktoriaflis.com, 1
+wilane.org, 1
+wilburyvets.co.uk, 1
+wilco-s.nl, 1
+wilcodeboer.me, 1
+wilcojunk.com, 1
+wilcotx.gov, 1
+wild-reels.com, 1
+wild-turtles.com, 1
+wild.at, 1
+wildanalysis.ga, 1
+wildbergh.tk, 1
+wildbirdsuets.com, 1
+wildcard.hu, 1
+wildcardfederal.net, 1
+wildcatdiesel.com.au, 1
+wildcatprotection.org, 1
+wildcaves.co.za, 1
+wildcove.ca, 1
+wildcraft.com, 0
+wildcruisers.tk, 1
+wildercerron.com, 1
+wilderky.gov, 1
+wilderoben.com, 1
+wildfilm.tv, 1
+wildfirechain.xyz, 1
+wildflowers5.com, 1
+wildfoerster.org, 1
+wildfoxlady.com, 1
+wildglass.nl, 1
+wildhelper.com, 1
+wildlifeadaptationstrategy.gov, 1
+wildlifeforafrica.org, 1
+wildmarsian.info, 1
+wildmine.su, 1
+wildonengineering.com.au, 1
+wildowi.cz, 1
+wildrideproject.tk, 1
+wildroseflorist.co.za, 1
+wildsafety.com, 1
+wildsense.tk, 1
+wildtattoo.ru, 1
+wildtrip.blog, 0
+wildvicky.net, 1
+wildwildtravel.com, 1
+wildwind.world, 1
+wildwnc.org, 1
+wildwoodpolice-fl.gov, 1
+wildwoodrockers.tk, 1
+wildzap.ml, 1
+wildzoopark.co.uk, 1
+wildzoopark.com, 1
+wilf1rst.com, 1
+wilfert.cc, 1
+wilfert.xyz, 1
+wilfredswholesale.com.au, 1
+wilfrid-calixte.fr, 0
+wilhelm-nathan.de, 1
+wilhelm-sattler-realschule.de, 1
+wilhelmhansenfonden.dk, 1
+wilhelmina.com, 1
+wili.li, 1
+wiliquet.net, 1
+wilk.tech, 0
+wilkebouwer.nl, 1
+wilkes-barretownship.gov, 1
+wilkincounty.gov, 1
+wilkipedia.org, 1
+wilkushka.com, 1
+wilky44.com, 1
+willalex.com, 1
+willardohio.gov, 1
+willardwi.gov, 1
+willbeonesecurity.xyz, 1
+willcounty.gov, 1
+willcounty911.gov, 1
+willcountyclerk.gov, 1
+willcountysao.gov, 1
+willdropphoto.co.uk, 1
+willekeinden.nl, 1
+willenberg.family, 1
+willerei.com, 1
+willerei.de, 1
+willfarrell.ca, 1
+willflies.com, 1
+willhackett.com, 1
+willhausliving.com, 1
+willi-graf-os.de, 1
+willi-roth-holzbau.ch, 1
+williamarias.tk, 1
+williamblondel.fr, 0
+williamboulton.co.uk, 1
+williamboundsltd.com, 1
+williamfeely.info, 1
+williamgoldberg.cf, 1
+williamjohngauthier.net, 1
+williamle.com, 1
+williamlong.info, 1
+williammcgill.co, 1
+williammcgill.com, 1
+williamparedes.tk, 1
+williampuckering.com, 1
+williamsalexander.com, 1
+williamscomposer.com, 1
+williamscountyoh.gov, 1
+williamsflintlocks.com, 0
+williamshomeheat.co.uk, 0
+williamsigal.com, 1
+williamstonmipd.gov, 1
+williamstownmi.gov, 1
+williamtai.moe, 1
+williamtm.com, 1
+willianchopin.tk, 1
+willich.tk, 1
+williejackson.com, 1
+willighp.de, 1
+willistonpdvt.gov, 1
+willkie.com, 1
+willlewis.co.uk, 1
+willmage.com, 1
+willnorris.com, 1
+willocks.nl, 1
+willoughbyhillsohio.gov, 1
+willow.technology, 1
+willowalexander.co.uk, 1
+willowbrook.co.uk, 1
+willowchild.de, 1
+willowcreektrucking.com, 1
+willowcundy.com, 1
+willowdalechurch.ca, 1
+willowmanorgroup.com, 1
+willowparktx.gov, 1
+willowpassdentalcare.com, 1
+willowpf.com, 1
+wills.co.tt, 1
+willship.co.nz, 0
+willsigal.com, 1
+willspointtx.gov, 1
+willstamper.name, 1
+willsthebest.co.uk, 1
+willstocks.co.uk, 1
+willturner.tk, 1
+willwilkins.com, 1
+willwoodworth.com, 1
+willys.zone, 1
+willywangstory.com.tw, 1
+willywangstory.org, 1
+willzahra.com.au, 1
+wilmette.gov, 1
+wilmingtonzen.tk, 1
+wilmothgroup.com, 1
+wilomark.com, 1
+wils.jp, 1
+wilseyrealty.com, 1
+wilshirelawfirm.com, 1
+wilson-lincoln-wi.gov, 1
+wilsoncountync.gov, 1
+wilsonfire.com, 1
+wilsonlanguage.com, 1
+wilsonovi.com, 1
+wilsontnvotes.gov, 1
+wilsonvilleoregon.gov, 1
+wiltoniowa.gov, 1
+wiltonmanors.gov, 1
+wiltonsandstonequarry.com.au, 1
+wiltrovira.com, 1
+wiltshirefarmfoods.com, 0
+wilypumpkin.com, 1
+wimbledon.com, 1
+wimlanphen.nl, 1
+wimmer-informatik.eu, 1
+wimmer-musik.eu, 1
+wimmer-software.de, 1
+wimmer-software.eu, 1
+wimmer.green, 1
+wimmer.software, 1
+wimmer.tel, 1
+wimmersoftware.de, 1
+wimmersoftware.eu, 1
+win-apuestas.com, 1
+win-fortuna.ml, 1
+win-rar.com, 1
+win-the-1.com, 1
+win11.ren, 1
+win7stylebuilder.com, 0
+win7tips.tk, 1
+win8.am, 1
+win88-line.com, 1
+win88-line.net, 1
+winampnederlands.tk, 1
+winancreekbarn.com, 1
+winario.de, 1
+winaust.com.au, 1
+winball.ml, 1
+winbics.com, 1
+winbignow.click, 1
+wincasinosmoney.com, 1
+wincasinowin.click, 1
+winch-center.de, 1
+winch.expert, 0
+winchendon-ma.gov, 1
+winckelmann2020.com, 1
+wincoil.gov, 1
+wind-riders.cf, 1
+wind.com.do, 1
+windforme.com, 1
+windgucker.de, 1
+windhamct.gov, 1
+windhamvillageoh.gov, 1
+windhamworks.com, 1
+windice1.io, 1
+windictus.net, 1
+windirect.tk, 1
+windirstat.net, 1
+windjetboats.com, 1
+windmillart.net, 1
+windowcleaningexperts.net, 1
+windowreplacement.net, 1
+windows, 1
+windows101tricks.com, 1
+windows11.com.br, 1
+windows311.org, 1
+windowsblogitalia.com, 1
+windowscult.com, 1
+windowsdoors.it, 1
+windowsforum.com, 1
+windowsfreak.de, 0
+windowsindonesia.com, 1
+windowsindonesia.id, 1
+windowslatest.com, 1
+windowsnerd.com, 1
+windowsru.com, 0
+windowsviet.com, 1
+windowsworkstation.com, 1
+windpay.ga, 1
+windr.win, 1
+windrawwin.com, 1
+windrich-werkzeugmaschinen.de, 1
+windriver.org, 1
+windroide.net, 1
+windrunner.se, 1
+windscribe.com, 1
+windsock-app.com, 1
+windsorelectricalservice.com, 1
+windsorite.ca, 1
+windsornc.gov, 1
+windsorrslsubbranch.com.au, 1
+windstreamhosting.com, 1
+windsurfercrs.com, 1
+windturbine.tk, 1
+windwoodmedia.com, 1
+windwords.me, 0
+windybank.net, 1
+windycitylawgroup.com, 1
+windycitypressurewashing.com, 1
+wine-route.net, 1
+wine-yoga.pl, 1
+wine.com.br, 1
+wine.com.my, 1
+wine.money, 1
+wine.my, 1
+wineandcheeseplace.com, 1
+winebrasil.com.br, 1
+winechapter.be, 1
+winedineunwind.org, 1
+winedoor.com, 1
+wineexperience.com.au, 1
+wineforhelp.cz, 1
+winegadgets.ru, 0
+winek.tk, 1
+winenews.it, 1
+wineparis.com, 1
+winerytoursanfrancisco.com, 1
+winezja.pl, 1
+winfieldchen.me, 1
+winfieldtownshipmi.gov, 1
+winfilestorage.tk, 1
+winfuture.de, 1
+wing-tsun.cf, 1
+wing-tsun.ga, 1
+wing-tsun.gq, 1
+wing-tsun.tk, 1
+wingchun.edu.au, 1
+wingchunboxtribe.com, 1
+wingertmd.com, 1
+winghill.com, 0
+wingify.com, 1
+wingmin.net, 1
+wingover.su, 1
+wingpictures.nl, 1
+wings.com.pk, 1
+wings.tours, 1
+wingspatagonia.com, 1
+wingstop.fr, 1
+winhelp21.tk, 1
+winhistory-forum.net, 1
+winkelbalans.nl, 1
+winkelcentrumputten.nl, 1
+winkelmanaz.gov, 1
+winkelvanmorgen.nl, 1
+winkelvansinkel.tk, 1
+winkli.ddns.net, 1
+winktonsibo.tk, 1
+winl-45774.club, 1
+winma.org, 0
+winmax.it, 1
+winmix.nl, 1
+winmodels.org, 1
+winnebagocountyiowa.gov, 1
+winnebagocountywi.gov, 1
+winneconnesd3wi.gov, 1
+winner.ua, 1
+winnercivi.com, 1
+winnersaffiliate.com, 1
+winnerschapelbelgium.be, 1
+winnery.tk, 1
+winning.gq, 1
+winningattitudeawards.org, 1
+winnipegcomputerguy.tk, 1
+winnlandscaping.com, 1
+winona-area-scum.tk, 1
+winonamn.gov, 1
+winoptical.com, 1
+winoptimise.fr, 1
+winov.com.br, 1
+winphonemetro.com, 1
+winpic.co, 1
+winpreso.com, 1
+winrar.com, 1
+winsabayi.tk, 1
+winserver.ne.jp, 1
+winslowhomer.tk, 1
+winslowslair.tk, 1
+winsufi.biz, 1
+wint.global, 1
+wintark.com, 1
+wintechlab.com, 1
+winter-auszeit.de, 0
+winter-elektro.de, 1
+winter-leak.ml, 1
+winter.ae, 1
+winterbergwebcams.com, 1
+winterco.org, 1
+wintercorn.com, 1
+winterdetective.ga, 1
+winterfeldt.de, 0
+winterhavenobgyn.com, 1
+winterhillbank.com, 1
+winteringent.be, 1
+winterlandbeverages.com, 1
+wintermeyer-consulting.de, 1
+wintermeyer.de, 1
+winternacht14.tk, 1
+winteromeo.tk, 1
+winterset.gov, 1
+winterstudies.ga, 1
+winterthur.ch, 1
+winterzine.cf, 1
+wintodoor.com, 1
+winull.de, 1
+winup.org, 1
+winvio.com, 1
+winwares.com, 1
+winwitharval.co.uk, 1
+winwiz1.com, 1
+winxpclub.tk, 1
+winzdevelopment.com, 1
+winzero.tk, 1
+winzong.cn, 1
+winzong.net, 1
+wiocha.pl, 1
+wipa.tk, 1
+wipayfinancial.com, 1
+wipeoutracing.tk, 1
+wipers-nz.co.nz, 1
+wippie.se, 1
+wippler.at, 1
+wippy.tk, 1
+wipro.com.vn, 0
+wir-do.de, 1
+wir-jugendhilfe.de, 1
+wir-machen-druck.de, 1
+wir-pflegen-zuhause.at, 1
+wir-pflegen-zuhause.ch, 1
+wir-pflegen-zuhause.de, 1
+wir-pflegen-zuhause.it, 1
+wirbsinglereview.com, 1
+wire.com, 0
+wirebank.ru, 1
+wired.co.uk, 1
+wiredcolony.com, 1
+wiredrelease.com, 1
+wiredroot.com, 1
+wireheading.com, 1
+wirekeep.com, 1
+wireless-emergency-stop.com, 1
+wireless-kill-switch.com, 1
+wirelessbelgie.tk, 1
+wirelesscctv.tk, 1
+wirelessfestival.co.uk, 1
+wirelessleeuwarden.tk, 1
+wirelesslogic.com, 1
+wirelesslogicnordic.com, 1
+wirelessthief.ga, 1
+wirelly.com, 1
+wireshark.org, 1
+wireshocks.com, 1
+wiretap.cf, 1
+wirethrone.com, 1
+wiretoss.com, 1
+wiretransaction.ga, 1
+wiriamu.net, 1
+wiris.be, 1
+wirkaufen.it, 1
+wirkaufendeinau.to, 1
+wirken.info, 1
+wirksportal.com, 1
+wirkstatt-lq.at, 1
+wirkstatt-lq.ch, 1
+wirkstatt-lq.de, 1
+wirkstatt-lq.net, 1
+wirkstoffreich.de, 1
+wirkungs-forschung.at, 1
+wirkungs-forschung.ch, 1
+wirkungs-forschung.com, 1
+wirkungs-forschung.de, 1
+wirkungs-forschung.net, 1
+wirsberg-studios.de, 1
+wirsing.nl, 1
+wirtanen.tk, 1
+wirtcountywvsheriff.gov, 1
+wirtschaftsberater-website.de, 1
+wis.no, 1
+wisak.me, 1
+wisal.org, 1
+wisardcoin.tk, 1
+wisatabagus.com, 1
+wischu.com, 1
+wiscon.co, 1
+wisconsinnet.tk, 1
+wisdoj.gov, 1
+wisdom-nict.jp, 1
+wisdomcue.com, 0
+wisdomgarden-mr.com, 1
+wisdomgeek.com, 1
+wisdomise.com, 1
+wisdomise.io, 1
+wisdomize.me, 1
+wisdomteethonly.com, 1
+wisdomteethsydney.com.au, 1
+wisdotplans.gov, 1
+wise-parenting.com, 1
+wise.jobs, 1
+wiseadvicetravelling.com, 0
+wisebarber.com, 1
+wiseclinictc.com.tw, 1
+wisecountytx.gov, 1
+wisegoldfish.com, 1
+wisehome.dk, 1
+wiseinternational.org, 1
+wiseitguys.com, 1
+wiselectures.com.au, 1
+wisemans.us, 1
+wisemen.digital, 0
+wisemoney.com.vc, 1
+wisenederland.nl, 1
+wiseradiology.com.au, 1
+wisereducacao.com, 1
+wisereshape.com, 1
+wiserpost.com, 1
+wisersp.com, 1
+wisertp.com, 1
+wisetechglobal.com, 1
+wisetoken.net, 1
+wiseup.com, 1
+wiseupcorp.com, 1
+wiseuplive.com.br, 1
+wisewaynutrition.com, 1
+wishing3.com, 1
+wishingyou.co.uk, 1
+wishlisotr.cf, 1
+wishlisotr.gq, 1
+wishlist.net, 1
+wishlog.fun, 1
+wishmail.cf, 1
+wiska.cn, 1
+wiska.co.kr, 1
+wiska.co.uk, 1
+wiska.com.br, 1
+wiska.es, 1
+wiska.in, 1
+wiska.lat, 1
+wiskundeonderzoek.tk, 1
+wism.io, 1
+wisniewskamakeup.pl, 1
+wisnz.co.nz, 1
+wispmaeksmusic.tk, 1
+wispsuperfoods.com, 1
+wispyon.com, 1
+wisr.com.au, 1
+wiss.co.uk, 0
+wissamnr.be, 1
+wisselink.tk, 1
+wissen-a5.de, 1
+wissen.center, 1
+wissena5.de, 1
+wistaysafe.gov, 1
+wisteriahousedementiacare.co.uk, 1
+wisweb.no, 1
+wit-creations.fr, 1
+wit.ai, 1
+witae.com, 1
+witajmaluszku.pl, 1
+witch-anastasia.com, 1
+witch-spells.com, 1
+witchbeauty.tk, 1
+witcher-rz.com, 1
+witcher.tk, 1
+witchhunt.tk, 1
+witchthicktits.tk, 1
+witez.net, 1
+with-environment.com, 1
+withamscouts.org.uk, 1
+withdati.fr, 1
+withdcc.com, 1
+witheachmile.com, 1
+wither.cf, 1
+witheveryheartbeat.com.au, 1
+withextraveg.net, 1
+withfoundation.org, 1
+withgentlent.com, 1
+withgoogle.com, 1
+withinsecurity.com, 1
+withjoy.com, 1
+withoutessence.io, 1
+withoutlovenotcount.ru, 1
+withpersona.com, 1
+withprocess.com, 1
+withsunglasses.co.uk, 1
+withyoutube.com, 1
+witneywaterpolo.org.uk, 1
+witrey.com, 1
+witron.de, 1
+wits.uk, 1
+witsvideo.com, 1
+witt.link, 1
+wittamer.com, 0
+wittebrug.nl, 1
+wittepapaver.nl, 1
+witteveenbos.com, 1
+wittgen-kfz-technik.de, 1
+witting.co, 0
+wittingtonventures.com, 1
+wittke-group.ch, 1
+wittke-group.cn, 1
+wittke-group.com, 1
+wittke-group.de, 1
+wittke.ch, 1
+wittke.cn, 1
+wittke.li, 1
+wittu.fi, 1
+wittur.com, 1
+witze-fun.de, 1
+witzik.at, 1
+wiut.uz, 1
+wivcfinancialservices.com, 1
+wivoc.nl, 1
+wiwi.nl, 1
+wixadvertising.com, 1
+wixel.tk, 1
+wixmultimedia.com, 1
+wiz.at, 1
+wiz.biz, 1
+wiz.io, 1
+wizadjournal.com, 1
+wizard.gov, 0
+wizardbouncycastles.co.uk, 1
+wizardk.tk, 1
+wizardkami.tk, 1
+wizardmeow.xin, 1
+wizardschool.tk, 1
+wizardswebs.com, 1
+wizathon.com, 1
+wizzair.com, 1
+wizzley.com, 1
+wizznab.tk, 1
+wizzr.nl, 1
+wjb.marketing, 1
+wjcainc.com, 0
+wjci.com, 1
+wjdetailers.com, 1
+wje-online.de, 1
+wjec.co.uk, 1
+wjg.ca, 1
+wjg.dk, 1
+wjg.se, 1
+wjm2038.me, 1
+wjr.io, 1
+wjtje.ga, 1
+wjwieland.dvrdns.org, 0
+wk-tk.com, 1
+wk.pl, 1
+wk577.com, 1
+wkberg.nl, 1
+wkbw.com, 1
+wkd.one, 1
+wkennington.com, 1
+wkitu-test.tk, 1
+wkj-airport.jp, 1
+wkola.tk, 1
+wkshp.link, 1
+wkv.com, 1
+wkweg.online, 1
+wkwsafetysolution.com, 1
+wkymenshealth.com, 1
+wkz.io, 1
+wl-bank.com, 1
+wl-bank.de, 1
+wl-bank.eu, 1
+wlaws.com, 1
+wlbank.de, 1
+wlci.gov, 1
+wlcmedical.com.au, 1
+wlf.is, 1
+wlg.city, 1
+wlmq10086.cn, 1
+wlnk.cc, 1
+wloch.me, 1
+wlolo.com, 1
+wlozku.pl, 1
+wlpc.com, 1
+wlpvzfilmy-onlajnmlawq.tk, 1
+wlt.ca, 1
+wltix.com, 1
+wlwlwx.com, 0
+wm-access.com, 1
+wm-access.de, 1
+wm-referrals.com, 1
+wm275u.top, 1
+wmaccess.com, 1
+wmaccess.de, 1
+wmar2news.com, 1
+wmasphaltservices.com, 1
+wmataoig.gov, 1
+wmc.org, 1
+wmcpaphysicians.com, 1
+wmcuk.net, 1
+wmda.info, 1
+wme.cn, 1
+wmfusercontent.org, 1
+wmi4.com, 1
+wmkowa.de, 1
+wmmi.org, 1
+wmmkf.com, 1
+wmmks.com, 1
+wmmp.link, 1
+wmnrj.com, 1
+wmphonline.com, 1
+wmphvacations.com, 1
+wmsenibong.com.my, 1
+wmsndorgen.cf, 1
+wmsndorgen.ga, 1
+wmsndorgen.gq, 1
+wmsndorgen.ml, 1
+wmsndorgen.tk, 1
+wmtools.me, 1
+wmustore.com, 1
+wnark.com, 1
+wnav.cc, 1
+wnc-frontend-alb-1765173526.ap-northeast-2.elb.amazonaws.com, 1
+wndrdtfd.com, 1
+wnmed.com.au, 1
+wnn8.com, 1
+wns68123.com, 1
+wns6852.com, 1
+wns6862.com, 1
+wns68622.com, 1
+wns6865.com, 1
+wns68666.com, 1
+wns6872.com, 1
+wnsr3970.com, 1
+wnvtech.com, 0
+wnxt.in, 1
+wo-ist-elvira.net, 1
+wo1h3o.com, 1
+wo25.net, 1
+wo2forum.nl, 1
+woadzs.com, 1
+woah.how, 1
+woai.cf, 1
+woaiuhd.com, 1
+woba.cf, 1
+woba.ml, 1
+wobako.pl, 1
+wobble.ninja, 1
+wobblywotnotz.co.uk, 1
+wobker.co, 1
+woblex.cz, 1
+wobuwo.com, 1
+woc.ao, 1
+wochenblatt.com, 1
+wochennummern.de, 1
+wocup.ga, 1
+wod-stavby.cz, 1
+wodarfmankiffen.de, 1
+wodax.dk, 1
+wodboss.com, 1
+wodemo.com, 1
+wodi.cf, 1
+wodi.ml, 1
+wodicka.org, 1
+wodinaz.com, 1
+wodka-division.de, 1
+wodzirej.net.pl, 1
+woeb.fr, 1
+woelckner.com, 1
+wofford-ecs.org, 0
+woffu.com, 1
+wogame.co, 1
+wogame.ink, 1
+wogame.org, 1
+wogame.wiki, 1
+wogame.work, 1
+wogame.works, 1
+woge.cf, 1
+woge.ml, 1
+wogo.org, 1
+woh.org, 1
+woheni.de, 1
+wohnberatung-wien.at, 1
+wohnsitz-ausland.com, 1
+wohnungsaufloesung-berlin.net, 1
+wohnungsbaukredit.ag, 1
+wohnungsbaukredit.biz, 1
+wohnungsbaukredit.com, 1
+wohnungsbaukredit.de, 1
+wohnungsbaukredit.eu, 1
+wohnungsbaukredit.info, 1
+wohnungsbaukredit.org, 1
+wohnungsmarktbeobachtung.de, 1
+wohnzimmer-koch.de, 1
+woi.vision, 1
+wois.info, 1
+wojart.pl, 1
+wojciechowka.pl, 1
+wojciechteichert.pl, 1
+wojtekmaj.pl, 1
+wojtekogrodnik.pl, 1
+wokeanda.com, 1
+wokeupset.ru, 0
+wokfilms.pt, 1
+wokinghammotorhomes.com, 1
+woldars.com, 1
+wolf-haven.tk, 1
+wolf333.com, 1
+wolfachtal-alpaka.de, 1
+wolfarth.info, 1
+wolfermann.org, 1
+wolfermans.com, 1
+wolferstetterkeller.de, 1
+wolfertconsulting.nl, 1
+wolfflabs.com, 1
+wolffproperties.com, 1
+wolfgang-kerschbaumer.at, 1
+wolfgang-kerschbaumer.com, 1
+wolfgang-kerschbaumer.net, 1
+wolfgang-kloke.de, 1
+wolfgang-ziegler.com, 1
+wolfgangkowar.de, 1
+wolfie.tv, 1
+wolflabs.co.uk, 1
+wolflambert.tk, 1
+wolfsburgwest.com, 1
+wolfsense.nl, 1
+wolfshoehle.eu, 1
+wolfskymedia.com, 1
+wolfsmobile.com, 1
+wolfstreet.com, 1
+wolfteam.tk, 1
+wolfvideoproductions.com, 1
+wolfwings.us, 1
+wolfy.design, 1
+wolfy1339.com, 1
+wolkanca.com, 1
+wolkanca.com.tr, 1
+wolke7.wtf, 1
+wolkenputzer.com, 1
+wolkenspeicher.org, 1
+wolkjehosting.nl, 1
+wolkoopjes.nl, 1
+wolkowitz.com, 1
+wollmann.it, 1
+wollongongbaptist.hopto.org, 1
+wollwerk.org, 1
+wolrdwidessl.net, 1
+wolsing.dk, 1
+wolszon.me, 1
+woltauth.de, 1
+woltlab-demo.com, 1
+woltlab.com, 1
+woltlab.de, 1
+wolvcoll.ac.uk, 1
+wolverine-obuv.ru, 1
+wolvesbanemanor.com, 1
+wolvostore.com, 1
+wom.de, 1
+womb.city, 1
+wombathost.uk, 1
+wombatnet.com, 1
+wombatpass.com, 1
+wombatpass.com.au, 1
+wombats.net, 1
+wombere.org, 1
+women-femmes.gc.ca, 1
+women-only.net, 0
+women.gc.ca, 1
+womenagainstviolence.org, 1
+womenbeautyhealth.com, 1
+womenbrace.tk, 1
+womenfashionshirt.tk, 1
+womenofficersofindia.com, 1
+womenonboardskenya.co.ke, 1
+womenridersnow.com, 1
+womens-suits.tk, 1
+womensbiz.tk, 1
+womenscalltoaction.tk, 1
+womensenews.org, 0
+womenshealth.gov, 1
+womensmedassoc.com, 1
+womensshelterofhope.com, 1
+womfs.com.au, 1
+wompenriebler.tk, 1
+womply.com, 1
+woms.top, 1
+womywomwoo.com, 1
+wonderbits.net, 1
+wonderbox.ga, 1
+wonderbox.gq, 1
+wonderbox.ml, 1
+wonderchat.tk, 1
+wondercorner.ca, 1
+wondereur.com, 1
+wonderfall.space, 1
+wonderfuleducation.eu, 1
+wonderfuleducation.nl, 1
+wonderfulworldofwalliams.tk, 1
+wonderhost.info, 1
+wonderhowto.com, 1
+wonderkind.de, 1
+wonderlab.ml, 1
+wonderland-server.net, 1
+wonderlangkawi.com, 1
+wonderleaks.gq, 1
+wondermags.com, 1
+wondermiles.com, 1
+wondermiles.org, 1
+wondersoft.co, 1
+wonderworksonline.com, 1
+wondeur.ai, 1
+wondium.nl, 1
+wonewocwi.gov, 1
+wong-sleweah.tk, 1
+wonghome.net, 1
+wongu.tech, 1
+woning-verfspuiten.be, 1
+woning-verfspuiten.com, 1
+woning-verfspuiten.nl, 1
+woningonderhoud.tk, 1
+woningsnet.nl, 1
+wonko-vs-trader.de, 1
+wonksecurity.com, 1
+wonksecurityblog.com, 1
+woo-jiho.tk, 1
+woo-order.com, 1
+woo.bi, 1
+wooblr.com, 1
+wooby.tk, 1
+wooc.org, 0
+woocommerce-b2b-plugin.com, 1
+woocommerce-multivendor.com, 1
+woocommerce.academy, 1
+wood-crafted.co.uk, 1
+wood-crafted.uk, 1
+wood4heat.ca, 1
+woodandshop.com, 1
+woodbornekitchens.com, 1
+woodbridgegrp.com, 1
+woodbury.io, 1
+woodburynj.gov, 1
+woodcat.net, 1
+woodcentral.com, 1
+woodcock.cloud, 1
+woodcountywi.gov, 1
+woodcraftcompany.ru, 1
+woodensure.com, 1
+woodev.us, 1
+woodfarm2020.com, 1
+woodfencestlouis.com, 1
+woodfordcountyil.gov, 1
+woodfordcountyky.gov, 1
+woodhavenmi.gov, 1
+woodlandboys.com, 1
+woodlandexterior.com, 1
+woodlandsiding.com, 1
+woodlandsunrooms.com, 1
+woodlandsunroomsandenclosures.com, 1
+woodlandsvale.uk, 1
+woodlandwindows.com, 1
+woodlandwindows.net, 1
+woodlawnky.gov, 1
+woodlineds.com, 1
+woodmaster23.ru, 0
+woodminstermanagement.tk, 1
+woodminsterrealty.com, 1
+woodomat.com, 1
+woodomat.net, 1
+woodomat.org, 1
+woodpeckerhallacademy.org.uk, 1
+woodridgeil.gov, 1
+woodrowandallen.com, 1
+woodruffcountyar.gov, 1
+woodsbagot.com, 1
+woodsconsulting.com, 0
+woodscountyok.gov, 1
+woodshouse.ru, 1
+woodsideca.gov, 1
+woodsidepottery.ca, 1
+woodstar.ro, 1
+woodstocknh.gov, 1
+woodstockva.gov, 1
+woodstone.nu, 1
+woodtrust.com, 1
+woodvillems.gov, 1
+woodvillemspolice.gov, 1
+woodward-vets.co.uk, 1
+woodwicker.cl, 1
+woodwo.se, 1
+woodworkcare.com, 1
+woodworkingforabeginner.com, 1
+woodwormtreatment.com, 1
+woody-art.eu, 1
+woodyallen.tk, 1
+woodysinstalaciones.com, 1
+woof.gq, 1
+woofsbakery.com, 1
+woohay.com, 1
+woohoo.in, 1
+woohooyeah.nl, 1
+wookstar.com, 1
+woolfplumbing.com.au, 1
+woolyss.com, 1
+woomu.me, 1
+woonaval.eu, 1
+woonbedrijf.com, 1
+woonboulevardvolendam.nl, 0
+woonplein.tk, 1
+woontegelwinkel.nl, 1
+woonverkoop.be, 1
+woopie.com, 1
+woopiq.com, 0
+wooplaces.com, 1
+wooproducciones.tk, 1
+woordvanvandaag.nl, 1
+woorkup.com, 1
+woorocket.com, 1
+woosh5.com, 1
+woosk.de, 1
+wootality.com, 0
+woothelpdesk.com, 1
+wootkit.tk, 1
+wootware.co.za, 1
+wopr.network, 1
+wops.cc, 1
+worayuthit.com, 1
+worca.de, 1
+worcade.com, 1
+worcesterbouncycastlehire.co.uk, 1
+worcesterbouncycastles.co.uk, 1
+worcestercu.com, 1
+worcesterfestival.co.uk, 1
+worcestermd.gov, 1
+worcesterpethydrotherapy.com, 1
+worcestervets.co.uk, 1
+worcestervetsreferrals.com, 1
+word-grabber.com, 1
+wordbits.net, 0
+wordcounter.net, 1
+wordfast.com, 1
+wordher.com, 1
+wordindonesia.com, 1
+wordindonesia.id, 1
+wordlessecho.com, 1
+wordnietvindbaar.nl, 1
+wordops.io, 1
+wordops.net, 1
+wordpress-crm-plugin.com, 1
+wordpress-crm.pl, 1
+wordpress-inc.ru, 1
+wordpress-szakerto.hu, 1
+wordpress-test.site, 0
+wordpress.com, 0
+wordpressadmin.ru, 1
+wordpressbot.tk, 1
+wordpressdevelopment.ml, 1
+wordpresstrainingtoday.com, 1
+wordregistrar.ga, 1
+words-are-pictures.com, 1
+wordsearchwhiz.com, 1
+wordsforellie.com, 1
+wordsmart.it, 1
+wordsofamaster.com, 1
+wordspam.ga, 1
+wordunscrambler.com, 1
+wordwidessl.net, 1
+wordxtra.net, 1
+wordzite.com, 1
+worf.in, 1
+wori.cf, 1
+wori.ga, 1
+wori.gq, 1
+wori.ml, 1
+wori.tk, 1
+worio.co, 1
+work-at-home.ga, 1
+work-at-home.gq, 1
+work-in-progress.website, 1
+work-msg.com, 1
+work.me, 1
+workaholic.tk, 1
+workaholics.tk, 1
+workaround.run, 1
+workat.tech, 1
+workatclever.com, 1
+workatclever.us, 1
+workatclevyr.us, 1
+workathome.tk, 1
+workathomeideas.tk, 1
+workathomenoscams.com, 1
+workathomeopportunities.tk, 1
+workathomernjobs.tk, 1
+workcare.com, 1
+workcenter.gov, 1
+workcheck.bz, 1
+workclaims.org, 1
+workcloud.jp, 1
+workcost.me, 1
+workelo.eu, 1
+workemy.com, 1
+worker.gov, 1
+workermess.tk, 1
+workers-iran.org, 1
+workerscompensationattorneysandiego.net, 1
+workerscomplawyerhelp.com, 1
+workerselforganisation.cf, 1
+workerselforganisation.ga, 1
+workflowy.com, 1
+workfromhomebusinessopportunities.cf, 1
+workfromhomebusinessopportunities.tk, 1
+workfromhomecareers.tk, 1
+workfromhomeforum.cf, 1
+workfromhomeforum.tk, 1
+workfromhomemom.cf, 1
+workfromhomeoptions.ml, 1
+workfromhomeoptions.tk, 1
+workfromhomesales.tk, 1
+workfromhomesites.ga, 1
+workfromhomesites.ml, 1
+workfromhometexas.tk, 1
+workhandyman.com, 1
+workhorsemkt.com, 1
+workindia.ml, 1
+workinestonia.com, 0
+working-group-cloudsecurityalliance.org, 1
+workingclassmedia.com, 1
+workingfamilies.org.uk, 0
+workinghardinit.work, 1
+workingmachine.info, 1
+workingnotworking.com, 1
+workingproductkeys.info, 1
+workingtalent.nl, 1
+workinnorway.no, 1
+workiva.com, 1
+workjustice.com.au, 1
+worklinepc.com, 1
+worklizard.com, 1
+workmaxidenta.lt, 1
+worknrby.com, 1
+workology.com, 1
+workona.com, 1
+workonit.cf, 1
+workoutdigital.com, 1
+workplace.com, 1
+workplace.tools, 1
+workreap.tk, 1
+workreveal.biz, 1
+works-ginan.jp, 1
+worksheets-to-print.com, 1
+workshop-assets.com, 1
+workshop-email-content.com, 1
+workshop-email-tracking.com, 1
+workshop-spf.net, 1
+workshop-sync.net, 1
+workshop.industries, 1
+workshop.men, 1
+workshopengine.com.au, 1
+workshopszwolle.nl, 1
+workshopzwolle.com, 1
+worksindev.com, 1
+worksitevr.com, 1
+workspace.pt, 1
+worksthatwork.com, 1
+workstride.org, 1
+worktefa.tk, 1
+workthings.de, 1
+workupapp.com, 1
+workwithgo.com, 0
+workwithusaid.gov, 1
+worky.ph, 1
+workzly.in, 1
+world-citizen-report.com, 1
+world-creator.se, 1
+world-documentary.ml, 1
+world-education-association.org, 1
+world-ir.international, 1
+world-lolo.com, 1
+world-mail.org, 1
+world-of-arms.tk, 1
+world-of-tes.tk, 1
+world-politics.tk, 1
+world-selena.tk, 1
+world-tanks.tk, 1
+world-trigger.net, 1
+world-web.pro, 1
+worldaccord.org, 1
+worldarmy.tk, 1
+worldatwork.org, 1
+worldbelow.tk, 1
+worldbirds.com, 1
+worldbirds.org, 1
+worldbusinessarea.tk, 1
+worldbusinessera.tk, 1
+worldcarding.tk, 1
+worldcdg.org, 1
+worldcharteronline.ga, 1
+worldchess.london, 1
+worldcigars.com.br, 1
+worldcircuit.co.uk, 1
+worldclassfriend.com, 1
+worldconsultingchile.tk, 1
+worldcrafts.org, 1
+worldcrunch.com, 1
+worldcup-odds.com, 1
+worlddataexchange.au, 1
+worlddataexchange.com, 1
+worlddataexchange.com.au, 1
+worldeg.estate, 1
+worldessays.com, 1
+worldeventscalendars.com, 1
+worldexpo.ga, 1
+worldfinancenews.org, 1
+worldfootball.tk, 1
+worldgun.ml, 1
+worldhealthcompany.tk, 1
+worldhealthdepartment.tk, 1
+worldhealthdiet.tk, 1
+worldhealthinfo.tk, 1
+worldhealthmedia.tk, 1
+worldhealthnews.tk, 1
+worldhealthsystem.tk, 1
+worldhealthtips.ga, 1
+worldhealthtips.tk, 1
+worldhomeasian.tk, 1
+worldhomebuild.tk, 1
+worldhomecanada.tk, 1
+worldhomedecor.tk, 1
+worldhomedecoration.tk, 1
+worldhomedesign.tk, 1
+worldhomeglobal.tk, 1
+worldhomeimprevement.tk, 1
+worldhomeinfo.tk, 1
+worldhomeinspiration.tk, 1
+worldhomeinterior.tk, 1
+worldhomeinteriror.tk, 1
+worldhomeitaly.tk, 1
+worldhomenews.tk, 1
+worldhomepro.tk, 1
+worldhomeuk.tk, 1
+worldhomeusa.tk, 1
+worldhosting.cf, 1
+worldinfusedcandles.com.au, 1
+worldintercontinental.cf, 1
+worldix.cf, 1
+worldix.gq, 1
+worldix.ml, 1
+worldix.tk, 1
+worldjobs.tk, 1
+worldjusticeproject.org, 1
+worldlandtrust.org, 1
+worldlanguage.tk, 1
+worldluxuryhome.tk, 1
+worldmarathons.tk, 1
+worldmeetings.com, 1
+worldnewsinbox.ga, 1
+worldnewsphoto.tk, 1
+worldofarganoil.com, 1
+worldofbelia.de, 1
+worldofgeekstuff.com, 1
+worldofheroes.ml, 1
+worldoflegion.ml, 1
+worldofparties.co.uk, 1
+worldpage.tk, 1
+worldpayaccessories.com, 1
+worldplayerx.com, 1
+worldpolitics.cf, 1
+worldpool.com.au, 1
+worldrallyforum.tk, 1
+worldranking.tk, 1
+worldrecipes.eu, 1
+worldrism.com, 1
+worldsage.org, 1
+worldsat.tk, 1
+worldsaway.ca, 1
+worldsbest.ga, 1
+worldscoop.org, 1
+worldsfree4u.ga, 1
+worldsgreatestazuredemo.com, 1
+worldsms.tk, 1
+worldsnewshub.com, 1
+worldsport.cf, 1
+worldstone777.com, 1
+worldstyles.cf, 1
+worldsweet.ru, 1
+worldsy.com, 1
+worldsystems.com.co, 1
+worldtalk.de, 1
+worldtattooevents.com, 1
+worldtourismgroup.com, 1
+worldtrandingnews.ml, 1
+worldtravelmagazine.tk, 1
+worldturkmans.tk, 1
+worldupdatereviews.com, 1
+worldviews-debattieren.de, 1
+worldvisa.tk, 1
+worldwallstreet.tk, 1
+worldwar2collector.tk, 1
+worldwideradiosummit.com, 1
+worldwidescience.org, 1
+worldwidessl.net, 1
+worldwinesweb.be, 1
+worlich.tk, 1
+wormate.io, 1
+wormburners.tk, 1
+wormbytes.ca, 1
+wormhol.org, 1
+wormhole.com, 1
+wormhole.ga, 1
+wormholevpn.net, 1
+wormincorporated.tk, 1
+wormpress.com, 1
+worms-cowclan.tk, 1
+wormser-zeitung.de, 1
+worongarymedical.com.au, 1
+worpswede.eu, 1
+worst.horse, 0
+wort-suchen.de, 1
+wortdestages.tk, 1
+worthcountyiowa.gov, 1
+worthenind.com, 1
+worthingtonindustries.com, 0
+worthless.company, 1
+worthlessingratitudecq.cf, 1
+worthlessingratitudecq.gq, 1
+worthlessingratitudecq.ml, 1
+worthlydeals.com, 1
+worthtownshipmi.gov, 1
+worthyblog.com, 1
+worthygo.com, 1
+worzo.tk, 1
+woshiluo.com, 1
+woshiluo.site, 1
+wossl.com, 1
+wossl.net, 1
+wot-life.com, 1
+wot-tudasbazis.hu, 1
+wot-zadrot.com, 1
+wotaku.top, 1
+wotcheats.ru, 1
+woti.dedyn.io, 1
+wotlo.com, 1
+wotsunduk.ru, 1
+wotzadrot.com, 1
+woudenberg.nl, 0
+woulaba.com, 1
+wound-doc.co.uk, 1
+wouter.site, 1
+wouterbruijning.nl, 1
+wouterkobes.nl, 1
+wouterpetri.com, 1
+wouterpetri.xyz, 1
+wouterslop.com, 1
+wouterslop.eu, 1
+wouterslop.nl, 1
+woutervdb.com, 1
+woutiscoding.be, 1
+wovietv.com, 1
+wow-dsg.ch, 1
+wow-foederation.de, 1
+wow-screenshots.net, 1
+wow-serbia.tk, 1
+wow8888.ph, 1
+wowa.ca, 1
+wowaffixes.info, 1
+wowarcaim.ml, 1
+wowbouncycastles.co.uk, 1
+wowchemy.com, 1
+wowcinema.tk, 1
+wowdrive.ga, 1
+wowhampers.ie, 1
+wowhediyelik.com, 1
+wowhelp.it, 1
+wowi-ffo.de, 1
+wowjs.co.uk, 1
+wowjs.org, 1
+wowjs.uk, 1
+wowlegacy.ml, 1
+wowlove.tk, 1
+wowmoroccotours.com, 1
+wownmedia.com, 1
+wownskportal.tk, 1
+wowowow.com, 1
+wowpilates.com, 1
+wowpolisa.pl, 1
+wows-mods.tk, 1
+wows.sb, 1
+wowsosellout.com, 1
+wox.ac, 1
+woyao.ml, 1
+woyzeck.org, 1
+woz.ch, 1
+wozalapha.com, 1
+wozwaardeloket.nl, 1
+wozwebdesign.com.br, 1
+wp-assistance.fr, 1
+wp-bootstrap.org, 1
+wp-bundle.co, 0
+wp-cloud.fi, 0
+wp-fastsearch.de, 1
+wp-in.de, 1
+wp-mix.com, 1
+wp-ninja.tk, 1
+wp-note.it, 1
+wp-op.com, 1
+wp-rebuild.com, 1
+wp-securehosting.com, 1
+wp-stack.pro, 1
+wp-tao.com, 1
+wp-webagentur.de, 1
+wp2static.com, 1
+wpac.de, 1
+wpandup.org, 1
+wpautolistings.com, 1
+wpboot.com, 1
+wpboys.com, 0
+wpbrigade.com, 1
+wpbyte.io, 1
+wpcanban.com, 1
+wpcc.edu, 1
+wpcepat.com, 0
+wpcgm.co.uk, 1
+wpcharged.nz, 1
+wpcheck.io, 1
+wpco.nl, 1
+wpco.se, 1
+wpconcepts.net, 1
+wpcoupons.io, 1
+wpcrs.org, 1
+wpcs.pro, 1
+wpdev.com.au, 1
+wpekspres.com, 1
+wpetri.nl, 1
+wpexpert.com.tr, 1
+wpexplainer.com, 1
+wpexplorer.com, 1
+wpfactory.io, 1
+wpformation.com, 1
+wpforum.tk, 1
+wpfunction.com, 1
+wpg-verwaltungen.de, 1
+wpginvest.com, 1
+wpguvenlik.com, 1
+wphelpdesk.nl, 1
+wphelpwithhomework.tk, 1
+wphlive.tv, 1
+wphost.nl, 0
+wphostee.co.uk, 1
+wphosting.ovh, 1
+wpinabox.de, 1
+wpinfos.de, 0
+wpinsides.com, 1
+wpjzb.com, 1
+wpknol.com, 1
+wpkoridoru.com, 1
+wpldn.uk, 1
+wpletter.de, 1
+wplibrary.net, 1
+wplicious.com, 1
+wplistings.pro, 1
+wpmafias.com, 1
+wpmaintenance.site, 1
+wpmatik.com, 1
+wpmeer.com, 1
+wpmeetup-berlin.de, 1
+wpmet.com, 1
+wpml.org, 1
+wpmu-tutorials.de, 1
+wpnesia.id, 1
+wpnews.cf, 1
+wpnews.ga, 1
+wpnews.gq, 1
+wpnews.ml, 1
+wpnews.tk, 1
+wpnovice.tk, 1
+wpocs.com, 1
+wpoptimalizace.cz, 1
+wppbki1.com, 1
+wprank.net, 1
+wprapide.com, 1
+wpresscoder.com, 1
+wpscholar.com, 1
+wpsecured.net, 1
+wpserp.com, 1
+wpsharks.com, 1
+wpsite.dk, 1
+wpsitemovers.com, 1
+wpsitesuccess.com, 1
+wpslimseo.com, 1
+wpsmackdown.com, 1
+wpspeedcare.com, 1
+wpspeedking.com, 1
+wpsuites.com, 1
+wptests.tk, 1
+wpthemearchive.com, 1
+wptotal.com, 1
+wptrigone.fr, 1
+wptrigone.net, 1
+wpturnedup.com, 1
+wptv.com, 1
+wpuse.ru, 1
+wpwebshop.com, 1
+wpwebtools.com, 1
+wpyukle.net, 1
+wq.ro, 1
+wqaw3.tk, 1
+wr.su, 1
+wrallp.com, 1
+wrap.in.ua, 1
+wrap.org.uk, 1
+wrapit.hu, 1
+wrapitup.co.uk, 1
+wrapping.spb.ru, 1
+wrara.org, 1
+wrathofgeek.com, 1
+wrbunderwriting.com, 0
+wrc-results.com, 1
+wrd48.net, 1
+wrdcfiles.ca, 1
+wrdmrk.com, 1
+wrecked.cf, 1
+wrecked.tk, 1
+wreckeroo.com.au, 1
+wreckingball.hu, 1
+wrecky.com.au, 1
+wregni.com, 1
+wrentham.gov, 1
+wrenthamfire.gov, 1
+wrenthampolice.gov, 1
+wrestlefanent.com, 1
+wresttmb.tk, 1
+wrfalimentos.com.br, 1
+wrglzd.com, 1
+wrgms.com, 1
+wrhomedecor.com.br, 1
+wrightcountymo911.gov, 1
+wrighthassall.co.uk, 1
+wrightpattfss.com, 1
+wrighttownshipottawami.gov, 1
+wrighttownshippa.gov, 1
+wringer.ga, 1
+wristler.eu, 1
+write-right.net, 1
+writeandedit-for-you.com, 1
+writeaword.tk, 1
+writemyessay.today, 1
+writemyessays.com, 1
+writemypaperhub.com, 1
+writemytermpapers.com, 1
+writeoff.me, 1
+writepro.net, 1
+writer24.ru, 1
+writerecommendations.ga, 1
+writerimranc.ca, 1
+writers-club.tk, 1
+writersblock.tk, 1
+writesafer.com, 1
+writestreak.team, 1
+writeyoursmile.com, 1
+writing-expert.com, 1
+writingapps.ga, 1
+writingbee.com, 1
+writingcities.net, 1
+writingiswork.ga, 1
+writingontablets.com, 1
+writingpapersonlineformoney.ga, 1
+writingtoserve.net, 1
+writtenandrecorded.com, 1
+writtenworld.bg, 1
+wrm.sr, 1
+wrmea.org, 1
+wrmh343.org, 1
+wrnck.cloud, 1
+wroclawguide.com, 1
+wrong.wang, 0
+wrozbyonline.pl, 1
+wrozbyzkartklasycznych.pl, 1
+wrp.gov, 1
+wrtv.com, 1
+wrytin.com, 1
+wrzalski.com, 1
+ws159.com, 1
+ws88.top, 0
+wsa.org.nz, 1
+wsa.poznan.pl, 1
+wsadek.ovh, 1
+wsave.be, 1
+wsb.pl, 1
+wsballc.com, 1
+wscad.com, 1
+wscales.com, 0
+wscauth.de, 1
+wscore.me, 1
+wsdcap.com, 1
+wsdcapital.com, 1
+wsdeboer.nl, 1
+wselektro.de, 1
+wseo.pw, 1
+wsgvet.com, 1
+wsheffield.com, 1
+wshop24.biz, 1
+wsl.sh, 1
+wsldp.com, 1
+wsm-naramowice.pl, 1
+wsn.com, 1
+wso01.com, 1
+wsparcie.gov.pl, 1
+wsrc.tk, 1
+wsrn.de, 1
+wsrv.nl, 1
+wss.com.ve, 1
+wsspalluto.de, 1
+wssv.ch, 0
+wstudio.ch, 0
+wsug.gq, 1
+wsv-pfeffingen.de, 1
+wszystkocokocham.com, 1
+wt-server3.de, 1
+wtawi.org, 1
+wtccc.org.uk, 1
+wtdiw.com, 1
+wtfast.com, 1
+wtfbryan.com, 0
+wtfcripto.com, 1
+wtfindonesia.tk, 1
+wtfnope.org, 1
+wth-security.nl, 1
+wth.in, 1
+wthproject.ru, 1
+wtkr.com, 1
+wtmarketing.com, 1
+wtp.co.jp, 1
+wtpdive.jp, 1
+wtpmj.com, 1
+wtsh.de, 1
+wtvr.com, 1
+wtw.io, 1
+wtxl.com, 1
+wuaffiliate.tk, 1
+wualabs.com, 1
+wuast24.de, 1
+wubuwu.com, 1
+wuchipc.com, 1
+wuchoamoveis.com.br, 1
+wucke13.de, 1
+wuellenweber.net, 1
+wuerfel.wf, 1
+wuerfelmail.de, 1
+wuergler-consulting.ch, 1
+wuermlitaucher.ch, 1
+wuestenbergs.tk, 1
+wuevahosting.com, 1
+wuff.gay, 1
+wug.fun, 1
+wug.jp, 1
+wug.news, 1
+wui.fan, 1
+wuifan.com, 1
+wuifan.net, 1
+wuifan.org, 1
+wuji.cz, 1
+wuki.li, 1
+wuknet.com, 1
+wuknet.net, 1
+wulai.cf, 1
+wulai.ml, 1
+wulala.one, 1
+wulel.cn, 0
+wulfrun-invicta.tk, 1
+wum.me, 1
+wuma.ml, 1
+wumai-p.cn, 1
+wumbo.cf, 1
+wumbo.co.nz, 0
+wumbo.ga, 1
+wumbo.gq, 1
+wumbo.kiwi, 1
+wumbo.ml, 1
+wumbo.tk, 1
+wuminhao.com, 1
+wums.org, 1
+wunder.io, 1
+wunderbarespolen.de, 1
+wunderkarten.de, 1
+wunderlist.com, 1
+wundertraining.com.au, 1
+wundi.net, 1
+wunschpreisauto.de, 1
+wunschzettel.de, 1
+wuoppy.com, 1
+wuppertal-2018.de, 0
+wuppertaler-frettchensitterin.tk, 1
+wurm-sb.de, 0
+wurmannsquick.bayern, 0
+wurmannsquick.de, 0
+wurstbrot.cf, 1
+wurstmineberg.de, 1
+wurzelchaos.de, 1
+wurzelkanal.de, 1
+wushka.com.au, 1
+wusu.tk, 1
+wuw.moe, 1
+wuxian.ml, 0
+wuya.eu.org, 1
+wuyifan.ga, 1
+wuyuan.io, 1
+wuz.com.tw, 1
+wuzhuiso.com, 1
+wv-n.de, 1
+wvbold.gov, 1
+wvbvm.gov, 1
+wvdnr.gov, 1
+wver.de, 1
+wvg.myds.me, 1
+wvpbs.ml, 1
+wvpbs.tk, 1
+wvpebd.gov, 1
+wvrtboard.gov, 1
+wvstateparks.com, 1
+wvunclaimedproperty.gov, 1
+wvv-8522.com, 1
+wvw-8522.com, 1
+ww3.myqnapcloud.com, 1
+ww5197.co, 1
+ww6396.com, 0
+ww6729.co, 1
+ww6729.com, 0
+ww6957.co, 1
+ww8989.com, 1
+ww9297.co, 1
+ww9397.com, 0
+ww9721.com, 1
+ww9728.co, 1
+wwa-clan.tk, 1
+wwads.cn, 1
+wwbsb.xyz, 1
+wwc.ren, 1
+wwcowa.gov, 1
+wwcut.com, 1
+wwe.to, 1
+wwgc2011.se, 1
+wwilogistics.com, 1
+wwjd.dynu.net, 1
+wwlc.ch, 1
+wwp-beauty.com, 1
+wwpxbeauty.com, 1
+wws-energysolutions.de, 1
+wws.nu, 1
+wwtelenet.com, 1
+wwtelenet.net, 1
+wwtg.gov, 1
+wwv-8522.com, 1
+wwv-8722.com, 1
+wwvip88.com, 1
+www-33445.com, 1
+www-38978.com, 1
+www-49889.com, 1
+www-68277.com, 1
+www-8225.com, 1
+www-8522.am, 1
+www-8522.com, 1
+www-8722.com, 1
+www-8887999.com, 0
+www-9118.com, 0
+www-9822.com, 1
+www-fwt.com, 1
+www-pheromone.com, 1
+www-pheromones.com, 1
+www.aclu.org, 0
+www.amazon.ca, 1
+www.amazon.cn, 1
+www.amazon.co.jp, 1
+www.amazon.co.uk, 1
+www.amazon.com, 1
+www.amazon.com.au, 1
+www.amazon.com.br, 1
+www.amazon.com.mx, 1
+www.amazon.de, 1
+www.amazon.es, 1
+www.amazon.fr, 1
+www.amazon.in, 1
+www.amazon.it, 1
+www.amazon.nl, 1
+www.banking.co.at, 1
+www.bbc.co.uk, 0
+www.bbc.com, 0
+www.braintreepayments.com, 0
+www.calyxinstitute.org, 1
+www.capitainetrain.com, 0
+www.captaintrain.com, 0
+www.cnet.com, 1
+www.com.gl, 1
+www.dm-drogeriemarkt.ba, 1
+www.dm-drogeriemarkt.bg, 1
+www.dm-drogeriemarkt.it, 1
+www.dm-drogeriemarkt.ro, 1
+www.dm.at, 1
+www.dm.cz, 1
+www.dm.de, 1
+www.dm.hr, 1
+www.dm.hu, 1
+www.dm.mk, 1
+www.dm.pl, 1
+www.dm.rs, 1
+www.dm.si, 1
+www.dropbox.com, 1
+www.dropcam.com, 0
+www.edu.tw, 1
+www.eternalgoth.co.uk, 1
+www.etsy.com, 1
+www.evernote.com, 0
+www.facebook.com, 0
+www.fastmail.com, 1
+www.figma.com, 1
+www.ft.com, 1
+www.g.co, 0
+www.gamesdepartment.co.uk, 0
+www.getcloak.com, 1
+www.gmail.com, 0
+www.googlemail.com, 0
+www.gov.pl, 1
+www.gov.scot, 1
+www.gov.uk, 0
+www.govt.nz, 1
+www.gpo.gov, 1
+www.grc.com, 0
+www.gub.uy, 1
+www.healthcare.gov, 0
+www.heliosnet.com, 1
+www.history.pe, 1
+www.honeybadger.io, 0
+www.hyatt.com, 1
+www.icann.org, 0
+www.irccloud.com, 0
+www.ki, 1
+www.lastpass.com, 0
+www.ledgerscope.net, 0
+www.lookout.com, 1
+www.messenger.com, 1
+www.mojadm.sk, 1
+www.noisebridge.net, 1
+www.opsmate.com, 1
+www.org.gg, 0
+www.paypal.com, 1
+www.python.org, 1
+www.re, 1
+www.rememberthemilk.com, 0
+www.rme.li, 0
+www.sb, 1
+www.simbolo.co.uk, 0
+www.techrepublic.com, 0
+www.theguardian.com, 1
+www.therapynotes.com, 1
+www.tinfoilsecurity.com, 1
+www.tl, 1
+www.torproject.org, 0
+www.tumblr.com, 0
+www.united.com, 1
+www.usaa.com, 0
+www.viasinc.com, 0
+www.vino.com, 0
+www.wepay.com, 1
+www.wordpress.com, 0
+www.zdnet.com, 1
+www00228a.com, 0
+www00228b.com, 0
+www00228c.com, 0
+www00228d.com, 0
+www00228e.com, 0
+www68277.com, 1
+wwwclan.tk, 1
+wwweb.be, 1
+wwwebdesignstudios.com, 1
+wwwhackeronecom.com, 1
+wwwindows.co.uk, 1
+wwwithcarrie.com, 1
+wwwn888.com, 0
+wwwsberdahk.ru, 1
+wwwwnews.tk, 1
+wwwwww.click, 1
+wwx.duckdns.org, 1
+wx37.ac.cn, 1
+wx6688.cc, 0
+wxcafe.net, 1
+wxdisco.com, 1
+wxforums.com, 1
+wxh.jp, 1
+wxhbts.com, 1
+wxkxsw.com, 1
+wxrlab.com, 1
+wxservices.tk, 1
+wxster.com, 1
+wxw.cat, 1
+wxw.guru, 1
+wxw.moe, 1
+wxw.ooo, 1
+wxxm.aero, 1
+wxyz.com, 1
+wxzm.sx, 1
+wy188.cc, 0
+wy6.org, 1
+wyam.io, 1
+wyatttauber.com, 1
+wybar.co.uk, 1
+wybar.uk, 1
+wycena.ga, 1
+wyckoff.vip, 1
+wyckoffspringmeadowcondos.com, 1
+wycombetoday.com, 0
+wycoreconstruction.com, 1
+wyczaruj.pl, 1
+wyday.com, 1
+wydmy.com.pl, 1
+wygibanki.pl, 1
+wygodnie.pl, 1
+wykedways.com, 1
+wykop.pl, 0
+wykopylodz.ga, 1
+wylark.com, 1
+wyldfiresignage.com, 1
+wylog.ph, 1
+wynajemautkrakow.cf, 1
+wynajemautkrakow.ga, 1
+wynajmijkontener.pl, 1
+wyndhamcapital.com, 1
+wyngatepta.com, 1
+wynlv.com, 1
+wynyardwood.co.nz, 1
+wyo.cam, 1
+wyofitclubs.com, 1
+wyofitness.com, 1
+wyomingcountyny.gov, 1
+wyomingcountypa.gov, 1
+wyomingia.gov, 1
+wyomingmi.gov, 1
+wyomingurology.com, 1
+wypiska.pl, 1
+wypozyczalniasamochodowkrakow.gq, 1
+wypracowania.pl, 1
+wyprawywedkarskiepremium.pl, 1
+wyrickstaxidermy.com, 1
+wyrihaximus.net, 1
+wyrimaps.net, 1
+wyriverton.com, 1
+wysa.io, 1
+wyspa.com.pl, 1
+wyssmuller.ch, 0
+wysz.com, 1
+wyydsb.cn, 1
+wyydsb.com, 1
+wyydsb.xin, 1
+wyzj.tv, 1
+wyzl.cc, 1
+wyzwaniemilosci.com, 1
+wz.lviv.ua, 1
+wz.my, 0
+wz.pt, 1
+wzaalpfm.com, 1
+wzajemnie.org.pl, 1
+wzfou.com, 1
+wzh.one, 1
+wzmzw.com, 0
+wzrd.in, 1
+wzrd.pw, 1
+wzutti.com, 0
+wzxaini9.com, 1
+wzyboy.org, 1
+x-6.pl, 1
+x-charge.uk, 1
+x-embed.com, 1
+x-files.tk, 1
+x-iweb.ru, 1
+x-kamera.de, 1
+x-lan.be, 1
+x-net24.pl, 1
+x-one.co.jp, 1
+x-orbit.dk, 1
+x-team.co.il, 1
+x-way.org, 1
+x.io, 1
+x.sb, 1
+x001.org, 1
+x00228.com, 1
+x00701.com, 1
+x00708.com, 0
+x00738.com, 1
+x00776.com, 1
+x00786.com, 0
+x0e.nl, 1
+x0r.be, 1
+x0r.link, 1
+x0rg.org, 1
+x13.com, 1
+x16.in, 1
+x1616.tk, 1
+x17.cafe, 1
+x17.ink, 0
+x2d2.de, 0
+x2oe.com, 1
+x2ox.com, 1
+x2printaccounting.com, 1
+x2studios.com, 1
+x3550.de, 1
+x3650.de, 1
+x36533.com, 1
+x378.ch, 1
+x3803.com, 1
+x3816.com, 1
+x3828.com, 1
+x3x.tc, 1
+x44.at, 1
+x500658.com, 1
+x5197.co, 1
+x58f.com, 1
+x58p.com, 1
+x58t.com, 1
+x58v.com, 1
+x5901.com, 0
+x5902.com, 1
+x5903.com, 0
+x5904.com, 1
+x5905.com, 1
+x5906.com, 0
+x5907.com, 1
+x5908.com, 0
+x5910.com, 0
+x5x.host, 1
+x6.nl, 1
+x61.sh, 1
+x64architecture.com, 1
+x6729.co, 1
+x6957.co, 1
+x7008.com, 0
+x7713.com, 0
+x7718.com, 1
+x7719.com, 0
+x7782.com, 0
+x7785.com, 0
+x7795.com, 0
+x77dd.com, 0
+x77ee.com, 1
+x77hh.com, 0
+x77jj.com, 1
+x77kk.com, 0
+x77mm.com, 0
+x77nn.com, 1
+x77pp.com, 0
+x77qq.com, 0
+x77ww.com, 0
+x7sevenusa.com, 1
+x81vv.com, 1
+x82365.com, 1
+x86.co.kr, 1
+x90.im, 1
+x9016.com, 1
+x9297.co, 1
+x9728.co, 1
+x98v.com, 1
+x98y.com, 1
+x98z.com, 1
+xa.search.yahoo.com, 0
+xa1.uk, 0
+xab199.com, 1
+xab678.com, 1
+xaba.tk, 1
+xabifk.com, 1
+xacker.tk, 1
+xacobeoexperience.com, 1
+xad.ch, 1
+xado-france.com, 1
+xajh.org, 1
+xakep-slon.tk, 1
+xakepctbo.tk, 1
+xakiatech.com, 1
+xalima.gq, 1
+xampusolid.cat, 1
+xanalys.org, 1
+xanderbron.tech, 1
+xanhdecor.com, 1
+xanny.family, 1
+xantec.com.my, 1
+xanthipolis.gr, 1
+xanthopoulos.me, 1
+xants.de, 1
+xanyl.de, 1
+xanzhu.com, 1
+xarangallomangallo.tk, 1
+xarcmastering.com, 1
+xarmenta.tk, 1
+xarxanet.org, 1
+xatr0z.org, 0
+xauzit.com, 1
+xav.ie, 1
+xaver.cash, 1
+xaver.exchange, 1
+xavi.re, 1
+xavier.is, 1
+xavierarroyo.tk, 1
+xaviermalisse.tk, 1
+xavio-design.com, 1
+xavy.fr, 1
+xayah.net, 1
+xaydungphunguyen.com, 1
+xaynhachothue.vn, 1
+xb008.com, 1
+xb053.com, 1
+xb056.com, 1
+xb058.com, 1
+xb1001.com, 1
+xb2002.com, 1
+xb201.com, 0
+xb3008.com, 1
+xb306.com, 1
+xb3888.com, 1
+xb6008.com, 1
+xb601.com, 0
+xb6610.com, 1
+xb6616.com, 1
+xb6632.com, 1
+xb6636.com, 1
+xb6638.com, 1
+xb6639.com, 1
+xb6656.com, 1
+xb6673.com, 1
+xb6676.com, 1
+xb6679.com, 1
+xb6683.com, 1
+xb6692.com, 1
+xb6696.com, 1
+xb6806.com, 1
+xb6808.com, 1
+xb6866.com, 1
+xb6880.com, 1
+xb7001.com, 1
+xb7077.com, 1
+xb7676.com, 1
+xb780.com, 1
+xb8006.com, 1
+xb8018.com, 1
+xb836.com, 1
+xb851.com, 0
+xb852.com, 1
+xb853.com, 0
+xb859.com, 0
+xb8606.com, 1
+xb862.com, 1
+xb865.com, 1
+xb871.com, 1
+xb872.com, 0
+xb873.com, 1
+xb8806.com, 0
+xb8861.com, 1
+xb891.com, 0
+xb893.com, 0
+xb896.com, 1
+xb9009.com, 1
+xb901.com, 0
+xb906.com, 1
+xb913.com, 1
+xb925.com, 1
+xb927.com, 0
+xb935.com, 0
+xb936.com, 0
+xb937.com, 1
+xb953.com, 0
+xb957.com, 1
+xb961.com, 1
+xb962.com, 0
+xb965.com, 0
+xb967.com, 0
+xb971.com, 0
+xb972.com, 1
+xb976.com, 0
+xb980.com, 1
+xb982.com, 1
+xb983.com, 0
+xbanner.tk, 1
+xbb.hk, 1
+xbb.li, 1
+xbc.nz, 1
+xbdm.fun, 1
+xbdmov.com, 1
+xbertschy.com, 1
+xbet104.com, 1
+xbet106.com, 1
+xbetkr.com, 1
+xbigzmedia.tk, 1
+xbjt11.com, 1
+xbjt2.com, 1
+xbjt3.com, 1
+xbjt33.com, 1
+xbjt66.com, 1
+xbjt666.com, 1
+xbjt77.com, 1
+xblau.com, 1
+xbortov.com, 1
+xbox, 1
+xbox-mag.net, 1
+xboxachievements.com, 1
+xboxdynasty.de, 1
+xboxplay.games, 1
+xbrl.online, 1
+xbrlsuccess.appspot.com, 1
+xbros.cz, 1
+xbt.co, 1
+xbtce.com, 1
+xbtmusic.org, 0
+xbvip.net, 1
+xbvip99.com, 1
+xbyl.xn--fiqs8s, 1
+xbyl15.com, 1
+xbyl16.com, 1
+xbyl17.com, 1
+xbyl18.com, 1
+xbyl21.com, 1
+xbyl23.com, 1
+xbyl26.com, 1
+xbyl28.com, 1
+xbyl39.com, 1
+xbyl60.com, 1
+xbyl62.com, 1
+xbyl63.com, 1
+xbyl67.com, 1
+xbyl68.com, 1
+xbyl69.com, 1
+xbyl71.com, 1
+xbyl73.com, 1
+xbyl78.com, 1
+xbyl82.com, 1
+xbyl85.com, 1
+xbyl86.com, 1
+xbyl89.com, 1
+xbyl91.com, 1
+xc01.co, 1
+xc02.co, 0
+xc03.co, 1
+xc06.co, 1
+xc07.co, 1
+xc08.co, 1
+xc09.co, 1
+xc12.co, 1
+xc15.co, 1
+xc9988.cc, 1
+xccc.net, 1
+xce.pl, 1
+xceedgaming.com, 1
+xchangeinfo.com, 1
+xcharge.uk, 1
+xchimera.com, 1
+xchuan.cn, 1
+xcler8.com, 1
+xclirion-support.de, 1
+xcloudways.com, 1
+xcmfu.com, 0
+xcompany.one, 1
+xcontainer.ir, 1
+xcraftsumulator.ru, 1
+xcspy.org, 1
+xcupidon.com, 1
+xcw8886.net, 0
+xcw8888.net, 0
+xcw8889.net, 0
+xcxmiku.com, 0
+xd.cm, 1
+xd.gd.cn, 1
+xd.gov, 1
+xdawn.cn, 1
+xdb.be, 0
+xdos.io, 1
+xdtag.com, 1
+xdty.org, 1
+xduce.com, 1
+xecure.zone, 1
+xedap24h.com, 1
+xeditpro.com, 1
+xeerpa.com, 1
+xeforce.com, 1
+xehopdongmuine.vn, 1
+xehost.com, 1
+xeiropraktiki.gr, 1
+xelesante.jp, 1
+xencrystal.me, 1
+xenfo.ro, 1
+xenical-online.ga, 1
+xenical-online.tk, 1
+xenical.tk, 1
+xenicalonline.gq, 1
+xenicalorlistat.tk, 1
+xenicalpills.tk, 1
+xenocide.tk, 1
+xenomedia.nl, 1
+xenomorph.tk, 1
+xenon.cloud, 1
+xenoncloud.net, 1
+xenophile.name, 1
+xenophobia.ga, 1
+xenoscopic.com, 1
+xenosphere.tk, 1
+xenotropegames.com, 1
+xenoworld.de, 1
+xenox-rp.ru, 1
+xenrox.net, 1
+xentho.net, 1
+xentox.com, 1
+xenwo.com, 1
+xenwo.io, 1
+xeonlab.de, 1
+xeoxaz.com, 1
+xerbisworks.com, 1
+xerdeso.tk, 1
+xerezdeportivo.tk, 1
+xerkus.pro, 1
+xerownia.eu, 1
+xertainty.com, 1
+xertainty.de, 1
+xeryus.nl, 1
+xess.co.uk, 1
+xetown.com, 1
+xevnet.com, 1
+xevolkswagen.com, 1
+xfantasy.su, 1
+xfcy.me, 1
+xfd3.de, 1
+xfinityapparel.com, 1
+xfirma.pl, 1
+xfix.pw, 1
+xfixup.com, 1
+xford.tech, 1
+xforpeople.com, 1
+xfrag-networks.com, 1
+xftp.ml, 1
+xfzhao.com, 1
+xgadget.de, 1
+xgame.com.tr, 1
+xgameshst.com, 1
+xgclan.com, 1
+xgeni.us, 1
+xgn.es, 1
+xgp.pl, 1
+xgpu.deals, 1
+xgreatben.blog, 1
+xgys.net, 0
+xgzepto.cn, 1
+xh.ax, 1
+xh7eee.com, 1
+xhamiadituria.com, 1
+xhamster.com, 1
+xhanster.gq, 1
+xhcmnews.com, 1
+xhibitran.tk, 1
+xhily.com, 0
+xhmikosr.io, 1
+xho.me, 1
+xhtml.club, 1
+xi.ht, 1
+xia.com, 1
+xia.de, 1
+xia100.xyz, 1
+xiahdeh.com, 1
+xiai.cf, 1
+xiai.ga, 1
+xiai.ml, 1
+xiamenshipbuilding.com, 1
+xiamuzi.com, 1
+xiangblog.com, 1
+xianguocy.com, 1
+xiangweiqing.co.uk, 1
+xianjianruishiyouyiyuan.com, 1
+xiannvgong.net, 1
+xianyu.uk, 1
+xiao-sheng.gq, 1
+xiaobai.pro, 0
+xiaobude.cn, 1
+xiaocg.xyz, 1
+xiaodingyi.cn, 1
+xiaohhh.com, 1
+xiaohui.love, 1
+xiaojiyoupin.com, 1
+xiaolanglang.net, 1
+xiaomao.tk, 1
+xiaomibarato.com, 1
+xiaomionline24.pl, 1
+xiaoneijun.cn, 1
+xiaoneimao.cn, 0
+xiaoniaoyou.com, 0
+xiaoqiang.blog, 1
+xiaowangshen.com, 1
+xiaowutou.com, 1
+xiaoxia.li, 1
+xiaoyu.net, 1
+xiaoyy.org, 1
+xiaozonglin.cn, 1
+xiarain.com, 1
+xiaxuejin.cn, 1
+xiazhanjian.com, 0
+xice.cf, 1
+xice.wang, 1
+xicreative.net, 1
+xiecongan.org, 1
+xiedeacc.com, 1
+xier.ch, 1
+xiexiexi.com, 1
+xif.at, 1
+xifrem.com, 1
+xiix.cf, 1
+xile.ml, 1
+xilef.org, 1
+xilegames.com, 1
+xillimite.com, 1
+xilnex.com, 1
+xilo.net, 1
+ximes.com, 1
+ximeshosted.com, 1
+ximg.co, 1
+ximware.com, 1
+xin.moe, 1
+xin365.com, 1
+xinanwork.com, 1
+xinbo010.com, 1
+xinbo016.com, 1
+xinbo018.com, 1
+xinbo019.com, 1
+xinbo020.com, 1
+xinbo026.com, 1
+xinbo028.com, 1
+xinbo030.com, 1
+xinbo038.com, 1
+xinbo050.com, 1
+xinbo056.com, 1
+xinbo059.com, 1
+xinbo060.com, 1
+xinbo066.com, 1
+xinbo068.com, 1
+xinbo069.com, 1
+xinbo070.com, 1
+xinbo076.com, 1
+xinbo078.com, 1
+xinbo079.com, 1
+xinbo080.com, 1
+xinbo086.com, 1
+xinbo088.com, 1
+xinbo089.com, 1
+xinbo090.com, 1
+xinbo096.com, 1
+xinbo098.com, 1
+xinbo099.com, 1
+xinbo120.com, 1
+xinbo129.com, 1
+xinbo130.com, 1
+xinbo138.com, 1
+xinbo150.com, 1
+xinbo156.com, 1
+xinbo158.com, 1
+xinbo160.com, 1
+xinbo170.com, 1
+xinbo178.com, 1
+xinbo179.com, 1
+xinbo180.com, 1
+xinbo186.com, 1
+xinbo190.com, 1
+xinbo196.com, 1
+xinbo198.com, 1
+xinbo200.com, 1
+xinbo218.com, 1
+xinbo238.com, 1
+xinbo256.com, 1
+xinbo258.com, 1
+xinbo260.com, 1
+xinbo266.com, 1
+xinbo268.com, 1
+xinbo269.com, 1
+xinbo270.com, 1
+xinbo276.com, 1
+xinbo278.com, 1
+xinbo279.com, 1
+xinbo280.com, 1
+xinbo286.com, 1
+xinbo290.com, 1
+xinbo296.com, 1
+xinbo298.com, 1
+xinbo306.com, 1
+xinbo308.com, 1
+xinbo316.com, 1
+xinbo318.com, 1
+xinbo326.com, 1
+xinbo338.com, 1
+xinbo350.com, 1
+xinbo356.com, 1
+xinbo359.com, 1
+xinbo369.com, 1
+xinbo376.com, 1
+xinbo378.com, 1
+xinbo379.com, 1
+xinbo38.com, 1
+xinbo380.com, 1
+xinbo386.com, 1
+xinbo389.com, 1
+xinbo390.com, 1
+xinbo396.com, 1
+xinbo398.com, 1
+xinbo400.com, 1
+xinbo401.com, 1
+xinbo406.com, 1
+xinbo407.com, 1
+xinbo466.com, 1
+xinbo468.com, 1
+xinbo478.com, 1
+xinbo480.com, 1
+xinbo496.com, 1
+xinbo498.com, 1
+xinbo506.com, 1
+xinbo508.com, 1
+xinbo516.com, 1
+xinbo526.com, 1
+xinbo528.com, 1
+xinbo536.com, 1
+xinbo538.com, 1
+xinbo556.com, 1
+xinbo566.com, 1
+xinbo570.com, 1
+xinbo576.com, 1
+xinbo578.com, 1
+xinbo580.com, 1
+xinbo586.com, 1
+xinbo590.com, 1
+xinbo600.com, 1
+xinbo608.com, 1
+xinbo609.com, 1
+xinbo610.com, 1
+xinbo676.com, 1
+xinebf.com, 0
+xing.ml, 1
+xingai.ml, 1
+xingzuozixun.com, 1
+xinlandm.com, 1
+xinmeiti168.cn, 1
+xinmeiti365.cn, 1
+xinnermedia.nl, 1
+xinpujing198.com, 0
+xinpujing200.com, 0
+xinpujing518.com, 0
+xinpujing918.com, 0
+xinshanla.com, 1
+xinxeta.es, 1
+xinxin.pl, 1
+xinyazhang.com, 1
+xinyezx.com, 1
+xinyitour.tw, 1
+xio.moe, 1
+xiphwork.de, 1
+xiqonline.com, 1
+xishiduliu.com, 1
+xisu.com, 1
+xitin.tk, 1
+xiufe.ng, 1
+xiufeng.de, 1
+xiufeng.nl, 1
+xiumu.org, 1
+xiurenwang.co, 1
+xiuxiu.cf, 1
+xiuxiu.ga, 1
+xiuxiu.gq, 1
+xiuxiu.ml, 1
+xiuxiumh01.cc, 0
+xixi.com, 1
+xiyu.com, 1
+xjd.vision, 1
+xjf6.com, 1
+xjjeeps.com, 1
+xjjzp.com, 1
+xjjzp.net, 1
+xjpvictor.info, 1
+xjtu.live, 1
+xjtu.love, 1
+xjtv.com, 1
+xjysilicone.com, 1
+xkblog.xyz, 1
+xkcd.pw, 1
+xkviz.net, 1
+xkww3n.cyou, 1
+xkwy2018.cn, 1
+xkwy2018.com, 1
+xkylee.com, 1
+xl-porn.com, 1
+xl3v3r.com, 1
+xlan.be, 1
+xlange.com, 1
+xlaw.com.br, 1
+xlbnas.cafe, 1
+xldl.ml, 1
+xlem.cn, 1
+xlink.com.pl, 1
+xlion.tw, 1
+xlmnews.today, 1
+xlnaudio.com, 1
+xloffice.se, 1
+xloud.cf, 1
+xloutdoor.se, 1
+xloveit.com, 1
+xlr8.shop, 1
+xlr8webshops.com, 1
+xlribbon.ml, 1
+xlrsecurity.com, 1
+xlstat.com, 1
+xluxes.jp, 1
+xm1s.life, 1
+xmag.pl, 1
+xmanshow.tk, 1
+xmanyz.tk, 1
+xmdhs.com, 1
+xmdhs.top, 1
+xmediabigz.tk, 1
+xmediazxy.tk, 1
+xmenrevolution.com, 1
+xmessy.com, 1
+xmisystems.com, 1
+xmiui.com, 1
+xmlseo.ru, 1
+xmnr.net, 1
+xmoj-bbs.tech, 1
+xmv.cz, 1
+xmythology.com, 1
+xmyy.com, 1
+xn------7cdabibmbihbgykn8elfdbfgbeqxmlc3a.tk, 1
+xn------7cdbfcbc0ab6akhadmzphmbibhebcc7b0ahshon.tk, 1
+xn-----6kcamlijegc9ea1aw4ivc.xn--p1ai, 1
+xn-----6kcbb0cahbiskdv1bcj5c7g.tk, 1
+xn-----6kcbjcgl1atjj7aadbkxfxfe7a9yia.xn--p1ai, 1
+xn-----7kcbhdpr0asllefq0bjk.com, 1
+xn-----7kcgqqeagtqecgbhc3aginaie1hwh.tk, 1
+xn-----7kckegeaw8apdfn0d9a0j.xn--p1ai, 1
+xn-----8kcdcb4bffibpgkpbdbcc5cedihs.tk, 1
+xn-----elcblfoyosbv5mwb.xn--p1ai, 1
+xn----4tb0c.xn--p1ai, 1
+xn----7sbabexseekfke3cifnf3b4r.tk, 1
+xn----7sbabrwauchevq0ba.xn--p1ai, 1
+xn----7sbagi4akcjwfceu2aoi5e0eh.xn--p1ai, 1
+xn----7sbarcdvrtr1be.org, 1
+xn----7sbbagp2bcfwdeee1afm.xn--p1ai, 1
+xn----7sbbak4cyaoedjf3m.xn--p1ai, 1
+xn----7sbbfsshjvgyde8g3c.xn--p1ai, 1
+xn----7sbbgbr0arxb4a4exa.com.ua, 1
+xn----7sbbhzfbdo6dnf.tk, 1
+xn----7sbbncaddj9a9b6am9p.tk, 1
+xn----7sbbq5b0a1c.com, 1
+xn----7sbc3abak3afteia.xn--p1ai, 1
+xn----7sbddc9an3aethjp.xn--p1ai, 1
+xn----7sbedlbhv2azb6a.xn--j1amh, 1
+xn----7sbfl2alf8a.xn--p1ai, 1
+xn----7sbkofbbj4akz.xn--80asehdb, 1
+xn----7sblrfhjjgq8g.xn--p1ai, 1
+xn----7sbmucgqdbgwwc5e9b.xn--p1ai, 1
+xn----7sbqlhcsgevuc0j.xn--p1ai, 1
+xn----8hcdn2ankm1bfq.com, 1
+xn----8sbadsuaby8bb4a7cwh.xn--p1ai, 1
+xn----8sbdihuaxb3abob8a.xn--p1ai, 1
+xn----8sbdjbisdat0g.xn--p1ai, 1
+xn----8sbdo7cb0b.xn--p1ai, 1
+xn----8sbggtw.xn--p1ai, 0
+xn----dtbfemantkhdczc.tk, 1
+xn----dtbfemmqjdddczc.tk, 1
+xn----dtbhcpoeofgcvoic1s.xn--p1ai, 1
+xn----etbqa2alia5i.tk, 1
+xn----htbhdmyci.xn--p1ai, 1
+xn----itbanmp3ae.xn--p1ai, 1
+xn----itbkhngkr2a.xn--p1ai, 0
+xn----jtbiihtkil8b4e.xn--p1ai, 1
+xn----mtbckubhv.xn--p1ai, 1
+xn----ncfb.ws, 1
+xn----otbabmp3ae.xn--p1ai, 1
+xn----rtbbavlecj.xn--p1ai, 1
+xn----ylba7abgd9bnh0e.xn--qxa6a, 1
+xn----ymcbah8a8de3hvarv.com, 1
+xn---35-6cdk1dnenygj.xn--p1ai, 1
+xn---71-6cdxtphfkkfrgnoc.xn--p1ai, 1
+xn--061az77a.xn--fiqs8s, 1
+xn--061az77a.xn--fiqz9s, 1
+xn--0kq33cbsi8bk6d417b.com, 1
+xn--0kq33cz5c8wmwrqqw1d.com, 1
+xn--1-9u7ey2dtz3c.com, 0
+xn--12c3bpr6bsv7c.com, 1
+xn--12carbp3gycugf9k9a.xn--o3cw4h, 1
+xn--12cfi6eb4azb7c5cbfw.com, 1
+xn--12cg9bnm5ci2ag9hbcs17a.com, 1
+xn--13-6kc0bufl.xn--p1ai, 1
+xn--15tx89ctvm.xn--6qq986b3xl, 1
+xn--1985-43d6eta0a4g2a.xn--p1ai, 1
+xn--1yst51avkr.ga, 1
+xn--1yst51avkr.xn--6qq986b3xl, 1
+xn--230ap0xpa.com, 1
+xn--24-6kc5agehpdf5a.xn--p1ai, 1
+xn--24-6kch4bfqee.xn--p1ai, 1
+xn--24-glcha1cjdmf1dye.xn--p1ai, 1
+xn--24-glcia8dc.xn--p1ai, 1
+xn--2sxs9ol7o.com, 1
+xn--36-dlcdun7abo4a.xn--p1ai, 1
+xn--3bt625flzps8a.com, 1
+xn--3btta.xn--fiqs8s, 1
+xn--3btta.xn--fiqz9s, 1
+xn--3js556addp80q.cn, 1
+xn--3lqp21gwna.cn, 1
+xn--3st814ec8r.cn, 1
+xn--3stv82k.hk, 1
+xn--3stv82k.tw, 1
+xn--41a.ml, 1
+xn--43-6kc4be0fbz.xn--p1ai, 1
+xn--45i.tk, 1
+xn--4brt03c.xn--fiqs8s, 1
+xn--4brt03c.xn--io0a7i, 1
+xn--4gq45ay49m.com, 1
+xn--4gq62f52gdss.com, 1
+xn--4kro7fswi.xn--6qq986b3xl, 1
+xn--4qs85t91oq9e.com, 1
+xn--54-6kc3btfht.xn--p1ai, 1
+xn--55q36pba3495a.com, 1
+xn--57h.ml, 0
+xn--5dbkjqb0d.com, 1
+xn--5dbkjqb0d.net, 1
+xn--6btn.xn--fiqs8s, 1
+xn--6btn.xn--fiqz9s, 1
+xn--6kru6im1lczj.com, 1
+xn--6o8h.cf, 1
+xn--6qq52xuogcjfw8pwqp.ga, 1
+xn--6qq62xsogfjfs8p1qp.ga, 1
+xn--72c1ar3gd6fvd.xn--o3cw4h, 1
+xn--73-dlclq0cfe.xn--p1ai, 1
+xn--78je2j8a.cafe, 1
+xn--7ca.co, 1
+xn--7dvy22i.com, 0
+xn--7or43h.jp, 1
+xn--7tq776cdf4a.xn--fiqs8s, 1
+xn--7tq776cdf4a.xn--fiqz9s, 1
+xn--7tq798c.ml, 1
+xn--7tqp36c113a.xn--fiqs8s, 1
+xn--7tqp36c113a.xn--fiqz9s, 1
+xn--7xa.google.com, 1
+xn--80a1a8b.tk, 1
+xn--80a5ai3dd.xn--d1at.xn--90a3ac, 1
+xn--80a6a1b.tk, 1
+xn--80a6aq.tk, 1
+xn--80aaa3bgsbbm.tk, 1
+xn--80aaa5ajbrzqd.tk, 1
+xn--80aaaane9bk7bh.tk, 1
+xn--80aaacqdkdv7b0a.tk, 1
+xn--80aaagbtu3bfbullc1c.xn--80asehdb, 1
+xn--80aaaptltzqd.tk, 1
+xn--80aacgbiy5akmx.xn--e1a4c, 1
+xn--80aacorabax9b2a3c.xn--p1ai, 1
+xn--80aae7aeoh.xn--p1ai, 1
+xn--80aahvz2a9a.xn--p1acf, 1
+xn--80aanbkcescrdedmxzcl4pmc.xn--p1acf, 1
+xn--80aapmgginxs3d.xn--p1ai, 1
+xn--80aayajj8aic.xn--p1ai, 1
+xn--80ab1bse.tk, 1
+xn--80abb4bp.tk, 1
+xn--80abmghlx4ajd.tk, 1
+xn--80ace6be.tk, 1
+xn--80achgm7d.tk, 1
+xn--80ack7b.xn--p1ai, 1
+xn--80acqgkhcn.tk, 1
+xn--80acubre5k.tk, 1
+xn--80adbvdjzhptl1be6j.com, 1
+xn--80adc7bbjgi.xn--p1ai, 1
+xn--80adjmbjd1avp5b4a.xn--p1ai, 1
+xn--80adydmce.com, 1
+xn--80ae7bafe4d.tk, 1
+xn--80aebbkaqx6at.xn--p1ai, 1
+xn--80aejhvi0at.xn--90ais, 1
+xn--80aejljbfwxn.xn--p1ai, 1
+xn--80affa6ai0a.tk, 1
+xn--80afvgfgb0aa.xn--p1ai, 1
+xn--80ah4f.xn--p1ai, 1
+xn--80ahclcaoccacrhfebi0dcn5c1jh.xn--p1ai, 1
+xn--80ahjdhy.tk, 1
+xn--80ahnefiifo0g.xn--p1ai, 1
+xn--80aihgal0apt.xn--p1ai, 1
+xn--80ajnofdk.xn--p1ai, 1
+xn--80ajuk.xn--p1ai, 1
+xn--80akjfhoqm2h2a.xn--p1ai, 1
+xn--80aknjgrv.tk, 1
+xn--80aleen8i.site, 1
+xn--80ancacgircb8q.xn--p1ai, 1
+xn--80anogxed.xn--p1ai, 1
+xn--80aocgsfei.xn--p1ai, 1
+xn--80aod6g.tk, 1
+xn--80apbaibrczvs.xn--p1ai, 1
+xn--80axad8esa.tk, 1
+xn--80azep.tk, 1
+xn--8bi.gq, 0
+xn--8n2am80a.tech, 1
+xn--90accgba6bldkcbb7a.xn--p1acf, 1
+xn--90acibo4aazm.com.ua, 1
+xn--90acjfgylpnm.xn--90ais, 1
+xn--90acrudcl3j.com, 0
+xn--90adahrqfmec.xn--p1ai, 1
+xn--90agmsorb.tk, 1
+xn--90aij9af3f.com.ua, 1
+xn--90aimoos.tk, 1
+xn--90aizn.tk, 1
+xn--90amdjbi3c0ec.xn--p1ai, 1
+xn--938h.st, 1
+xn--94q57lcvpw50b.com, 1
+xn--95q32l0t6b9cb17l.cn, 1
+xn--95qy23o.xn--fiqs8s, 1
+xn--95qy23o.xn--fiqz9s, 1
+xn--98jm6m.jp, 1
+xn--9iqy04a7fi01l.com, 1
+xn--9kq.eu.org, 1
+xn--9kqw7o.com, 1
+xn--9xa.fun, 1
+xn--afd-brhl-c6a.de, 1
+xn--afd-hrth-b6a.de, 1
+xn--afdbrhl-r2a.de, 1
+xn--afdhrth-q2a.de, 1
+xn--alcaiz-zwa.tk, 1
+xn--allgu-biker-o8a.de, 1
+xn--andre-is--yz4h8t9azf9596c4rigl8h.moe, 1
+xn--anyd-7na.at, 1
+xn--apaados-6za.es, 1
+xn--arelektrbunerisk-4bc73b.lv, 1
+xn--avocai-timioara-kmf1a.ro, 1
+xn--b-tqa.net, 0
+xn--b1aa9b.tk, 1
+xn--b1ab6abhfh.xn--p1ai, 1
+xn--b1ag9a.xn--p1ai, 1
+xn--b1agcgqrei7i.tk, 1
+xn--b1ayb.tk, 1
+xn--b3c4f.xn--o3cw4h, 1
+xn--baron-bonzenbru-elb.com, 1
+xn--bckerei-wohlgemuth-ltb.de, 1
+xn--bersetzung-8db.cc, 1
+xn--bersetzungen-beglaubigt-bpc.de, 1
+xn--berufsprfung-kinsthetik-b8b50d.ch, 1
+xn--berwachungspaket-izb.at, 1
+xn--betwinnerespaa-2nb.com, 1
+xn--bjugrd-lua.io, 1
+xn--blusastlacotalpeas-20b.online, 1
+xn--bm3bl9r.com, 1
+xn--bnq37rc0nw50b.com, 1
+xn--bognsroad-j3a.dk, 1
+xn--brneruhr-0za.ch, 1
+xn--bruno-hnel-kcb.de, 0
+xn--bwx.xn--fiqs8s, 1
+xn--bwx.xn--fiqz9s, 1
+xn--c-xga.de, 1
+xn--c1aaulbdc.tk, 1
+xn--c1adqibibm8i.com, 1
+xn--c1aehtaetb.xn--p1ai, 1
+xn--c1aid4ap8e.tk, 1
+xn--c1aolabgdj.tk, 1
+xn--c5w032d4vi.cn, 1
+xn--c5w032d4vi.xn--fiqs8s, 1
+xn--c5w032d4vi.xn--fiqz9s, 1
+xn--c5w27q.ml, 1
+xn--c5wy5c025b.cn, 1
+xn--c5wy5c025b.xn--fiqs8s, 1
+xn--c5wy5c025b.xn--fiqz9s, 1
+xn--carlshamnsvxtrike-0qb.se, 1
+xn--cck4ax91r.com, 1
+xn--cck7f515h.com, 1
+xn--cckdrt0kwb4g3cnh.com, 1
+xn--cckvb1cwa0c5br5e2d2711k.net, 1
+xn--cckwcxetd, 1
+xn--cctsgy36bnvprwpekc.com, 1
+xn--chrysopekinsiologie-hzbe.fr, 1
+xn--circul-gva.cc, 1
+xn--circul-u3a.cc, 1
+xn--cisowcy-pjb5t.pl, 1
+xn--contrasea-s6a.cl, 1
+xn--crystal-9e7ua.icu, 1
+xn--cysy13an3a5z7c.xyz, 1
+xn--d1aca2a5al.tk, 1
+xn--d1acfdr6h.com.ua, 1
+xn--d1acj9c.xn--90ais, 1
+xn--d1acmf9g.xn--p1ai, 1
+xn--d1aczdsdn4d.tk, 1
+xn--d1afcjuch.xn--p1ai, 1
+xn--d1awi.tk, 1
+xn--das-anhngerzentrum-rtb.at, 1
+xn--dck0bb4c1guc.jp, 1
+xn--dcko6fsa5b1a8gyicbc.biz, 1
+xn--dckya4a0bya6x.com, 1
+xn--dckya4a0bya6x.jp, 1
+xn--dej-3oa.lv, 1
+xn--detrkl13b9sbv53j.com, 1
+xn--diseadorwebmallorca-y3b.com, 1
+xn--dk8haaa.ws, 1
+xn--dmontaa-9za.com, 1
+xn--dragni-g1a.de, 1
+xn--dragni-g1a.eu, 1
+xn--dtursfest-72a.dk, 1
+xn--durhre-yxa.de, 1
+xn--dviz-5qa.com, 1
+xn--e--0g4aiy1b8rmfg3o.jp, 1
+xn--e--4h4axau6ld4lna0g.com, 1
+xn--e--ig4a4c3f6bvc5et632i.com, 1
+xn--e--k83a5h244w54gttk.xyz, 1
+xn--e1aa7abbg.xn--p1ai, 1
+xn--e1aaavheew.xn--p1ai, 1
+xn--e1aaavheewr.xn--p1ai, 1
+xn--e1aahuqbk6f.tk, 1
+xn--e1aajhbc0amdp4byf.xn--p1ai, 1
+xn--e1aajkmzd.xn--p1ai, 1
+xn--e1adlfhcdo7h.xn--p1ai, 1
+xn--e1afggpjhk3b1e.xn--p1ai, 1
+xn--e1agokg6a9a.tk, 1
+xn--e1aoahhqgn.xn--p1ai, 1
+xn--e1aoddhq.gq, 1
+xn--e1awbbf4g.xn--p1ai, 1
+xn--e1tvpw18d.com, 1
+xn--e1tx9l9xc.xn--6qq986b3xl, 1
+xn--ecki0cd0bu9a4nsjb.com, 1
+xn--eckok2bi6jzkpc.com, 1
+xn--eckok2bi6jzkpc.jp, 1
+xn--ee-zja.de, 1
+xn--eebao6b.com, 1
+xn--eebao6b.net, 1
+xn--eglujemy-23b.net, 1
+xn--ehq091c7jk8qq.com, 1
+xn--ehqw04eq6e.jp, 1
+xn--ehqy0ag27f64i.xyz, 1
+xn--elsignificadodesoar-c4b.com, 1
+xn--eo5aaa.eu.org, 1
+xn--erban-e9b.ro, 1
+xn--erklderbarenben-slbh.dk, 1
+xn--ertvg-pra.no, 1
+xn--et8h.cf, 0
+xn--ettbttreinternet-ynb.se, 1
+xn--ex-1b4auld4fn3u3ck2069g.com, 1
+xn--f1ai7a.tk, 1
+xn--f5q52dc2lgtg336a4xoyxh2oj.tw, 1
+xn--f9jh4f4b4993b66s.tokyo, 1
+xn--fakovcov-gza74b.eu, 1
+xn--fakovec-k6a.eu, 1
+xn--familie-pppinghaus-l3b.de, 1
+xn--feuerlscher-arten-4zb.de, 1
+xn--fhqs21ch1c4t0a.xn--czr694b, 1
+xn--fiqs8syvac75bffa172w.cn, 1
+xn--fiqs8syvak73af2cw10h.cn, 1
+xn--flskeklubben-7cb.dk, 1
+xn--flsterstollen-xob.com, 0
+xn--fp8h58f.ws, 1
+xn--fp8hm6b.ws, 1
+xn--frankierknig-djb.de, 1
+xn--frauenrztin-wedel-vqb.de, 1
+xn--frderer-n2a.de, 1
+xn--fretagsfinanser-8sb.se, 1
+xn--fs5ak3f.com, 1
+xn--g1abhqbgs.xn--p1ai, 1
+xn--gfrr-7qa.li, 1
+xn--gfrrli-yxa.ch, 1
+xn--ggle-qoaa.com, 1
+xn--gi8h6v.ml, 1
+xn--gmq92k.nagoya, 1
+xn--grnderlehrstuhl-0vb.de, 1
+xn--grnstrm-r1ae.nu, 1
+xn--gs8h.eu.org, 1
+xn--h-1ga.net, 1
+xn--h1aaahdlb4aki4h.xn--p1ai, 1
+xn--h1aaakmzd.xn--p1ai, 1
+xn--h1aagcjb0ajh5g.xn--p1ai, 1
+xn--h1aarew7ct.tk, 1
+xn--h1ahbcdb8g.xn--p1ai, 1
+xn--h1aifgllz.xn--p1ai, 1
+xn--h7t906ca.xn--fiqs8s, 1
+xn--h7t906ca.xn--fiqz9s, 1
+xn--helhetsframtrdande-xtb.se, 1
+xn--hfk-allgu-schwaben-stb.de, 1
+xn--hgbk4a00a.com, 1
+xn--hllrigl-90a.at, 0
+xn--hnse-gra.net, 1
+xn--hogarniitojesus-4qb.com, 1
+xn--hsers-kva.de, 1
+xn--ikketenkpdet-1cb.no, 1
+xn--imker-in-nrnberg-szb.de, 1
+xn--int-ru8ea.xn--6qq986b3xl, 1
+xn--internetlnen-1cb.com, 1
+xn--ionunica-29c.ro, 1
+xn--irr.xn--fiqs8s, 1
+xn--is8h6d.gq, 0
+xn--itt6x.xn--fiqs8s, 1
+xn--itt6x.xn--fiqz9s, 1
+xn--itts1a.xn--fiqs8s, 1
+xn--itts1a.xn--fiqz9s, 1
+xn--j1afcdm4f.xn--p1ai, 1
+xn--j1aoca.xn--p1ai, 1
+xn--j4h.cf, 1
+xn--j8se.com, 1
+xn--jkaappi-5waa.fi, 1
+xn--jlq480n2rg, 1
+xn--jp8hx8f.ws, 1
+xn--kckd0bd4a8tp27yee2e.com, 1
+xn--keditr-0xa.biz, 1
+xn--kinsthetik-s5a.ch, 1
+xn--kkcon-fwab.nz, 1
+xn--kl-oja.is, 1
+xn--klmek-0sa.com, 1
+xn--klschs-wxa.de, 1
+xn--ksse-5qa.fi, 1
+xn--ktha-kamrater-pfba.se, 0
+xn--l3cb0bbcf6ezc4a7e.th, 1
+xn--l8j6d.com, 1
+xn--l8jer.moe, 1
+xn--l8js6h.moe, 1
+xn--l8js6h476m.xn--q9jyb4c, 1
+xn--labanskllermark-ftb.se, 1
+xn--lfv405c.com, 1
+xn--ljyakatemia-qfb.fi, 1
+xn--lk1a.moe, 1
+xn--ll-yka.de, 1
+xn--lna-2000-9za.nu, 1
+xn--lna-4000-9za.nu, 1
+xn--locaaomoema-p9a.com.br, 1
+xn--losolivareos-jhb.com, 1
+xn--love-un4c7e0d4a.com, 1
+xn--lrepenger-g3a.no, 1
+xn--lti-3qa.lv, 1
+xn--lzs398g.xn--fiqs8s, 1
+xn--lzs398g.xn--fiqz9s, 1
+xn--m1aba.tk, 1
+xn--m6t22d1b026i1odr9k.cn, 1
+xn--m6to92j.xn--gmqw5a.xn--j6w193g, 1
+xn--m6ty4dmx2a7ki.cn, 1
+xn--m9jy50kkpx.tk, 1
+xn--manuela-stsser-psb.de, 1
+xn--marn-8ra.eu, 1
+xn--martnvillalba-zib.com, 1
+xn--martnvillalba-zib.net, 1
+xn--mbius-jua.band, 1
+xn--mein-kchenhelfer-ozb.de, 1
+xn--mensenges-o1a8c.gq, 1
+xn--mensengesss-t8a.gq, 1
+xn--mentaltraining-fr-musiker-uwc.ch, 1
+xn--mercadonavideo-2nb.com, 1
+xn--mgbbh2a9fub.xn--ngbc5azd, 0
+xn--mgbmmp7eub.com, 1
+xn--mgbpkc7fz3awhe.com, 1
+xn--mgbqq.com, 1
+xn--mgbuq0c.net, 1
+xn--mhringen-65a.de, 1
+xn--mitenlyttit-s8aad6xf.fi, 1
+xn--mitenlyttyt-s8aad6xg.fi, 1
+xn--mitensaadatit-nfb1y.fi, 1
+xn--mitensaadatyt-nfb2y.fi, 1
+xn--mlkky-jua.fr, 1
+xn--mllerhesszimmerli-22b.ch, 1
+xn--mllingen-65a.de, 1
+xn--mnck-5qa.de, 1
+xn--mnich-7ua.de, 1
+xn--mntsamling-0cb.dk, 1
+xn--morrhret-e0a.se, 1
+xn--mxaavenvi2h.live, 0
+xn--myrepubic-wub.net, 1
+xn--myrepublc-x5a.net, 1
+xn--naade-dta.com, 1
+xn--nicieri-b4a.ro, 1
+xn--nidar-tib.org, 1
+xn--nide-loa.ee, 1
+xn--nied-lchelt-q8a.de, 1
+xn--niedlchelt-u5a.de, 1
+xn--nordlicht-hrnum-jtb.de, 1
+xn--nrrdetval-v2ab.se, 1
+xn--nts.xn--fiqs8s, 1
+xn--nts.xn--fiqz9s, 1
+xn--o38h.tk, 1
+xn--o3ca2aced1cc7e5a1jc6h.com, 1
+xn--o77hka.ga, 1
+xn--obt757c.com, 1
+xn--oiqt18e8e2a.eu.org, 1
+xn--oj-uu2c9c422w3mh.com, 0
+xn--okra.xn--6qq986b3xl, 1
+xn--p2v.xn--fiqs8s, 1
+xn--p2v.xn--fiqz9s, 1
+xn--p3t555glxhnwa.com, 1
+xn--p8j9a0d9c9a.xn--q9jyb4c, 1
+xn--pascal-klsch-cjb.de, 1
+xn--patga-p4a.ga, 1
+xn--patiga-syd.ga, 1
+xn--pbt947am3ab71g.com, 1
+xn--pckl4ji.ml, 1
+xn--pckqk6xk43lunk.net, 1
+xn--pe-bka.ee, 1
+xn--petitetoile-gbb.com, 1
+xn--photovoltaik-berwachung-opc.de, 1
+xn--pn1am9c.com, 1
+xn--pq1a637b.xn--6qq986b3xl, 1
+xn--prfontaine-c7a.name, 1
+xn--q2y08clzag4u.tw, 1
+xn--q3cb3bxa0b7h.com, 1
+xn--qckss0j.tk, 1
+xn--qfun83b.ga, 1
+xn--qm1a.xn--fiqs8s, 1
+xn--qm1a.xn--fiqz9s, 1
+xn--r77hya.ga, 1
+xn--r8jzaf7977b09e.com, 1
+xn--rdiger-barney-wob.de, 1
+xn--rdiger-kuhlmann-zvb.de, 1
+xn--registriertesexualstraftter-ykc.de, 1
+xn--rhqv96geyrvng.com, 1
+xn--rih.ml, 1
+xn--rl-wka.ch, 1
+xn--roselire-60a.ch, 0
+xn--roselire-60a.com, 0
+xn--rs5a.xn--fiqs8s, 1
+xn--rs5a.xn--fiqz9s, 1
+xn--rt-cja.eu, 1
+xn--rt-cja.ie, 1
+xn--rtter-kva.eu, 1
+xn--ruanmller-u9a.com, 1
+xn--ruciski-6jb.pl, 1
+xn--s-0fa.fi, 1
+xn--s-1gaa.fi, 1
+xn--s1r71tg0o30bxm52odlvspdop4b.cn, 1
+xn--sb-lka.org, 1
+xn--schcke-yxa.de, 1
+xn--schlerzeitung-ideenlos-ulc.de, 1
+xn--schpski-c1a.de, 1
+xn--schsischer-christstollen-qbc.shop, 0
+xn--schwedischezahnrztin-pzb.de, 1
+xn--skmotoroptimering-zzb.site, 1
+xn--spenijmazania-yhc.pl, 1
+xn--spiraphnix-olb.xyz, 1
+xn--srbarhetsskanning-8qb.se, 1
+xn--srenpind-54a.dk, 1
+xn--ss-sein-fetzt-wob.de, 1
+xn--strandhaus-hinter-der-dne-1wc.de, 1
+xn--stubbfrsning-uppsala-hzb.se, 1
+xn--svezavaukuu-ulb08i.rs, 1
+xn--sz8h.ml, 1
+xn--t-oha.lv, 1
+xn--t8j4aa4nkg1h9bwcvud.com, 1
+xn--t8j4aa4nzg3a5euoxcwee.xyz, 1
+xn--t8jo9k1b.com, 1
+xn--t8qu4voqikh.com, 1
+xn--tagungssttte-usedom-owb.de, 0
+xn--tagungssttte-zinnowitz-84b.de, 0
+xn--tatilgnleri-yhb.com, 1
+xn--tftel-tom-q9a.de, 1
+xn--tgstationen-x8a.se, 1
+xn--thorme-6uaf.ca, 1
+xn--tigreray-i1a.org, 1
+xn--trdler-xxa.xyz, 1
+xn--u8jwd.ga, 1
+xn--u9j920h4sbt5ex10f.online, 1
+xn--u9j933ksxs6hu.com, 1
+xn--u9jv84l7ea468b.com, 1
+xn--u9jy16ncfao19mo8i.nagoya, 1
+xn--uba.eu.org, 1
+xn--ug8h.st, 1
+xn--uist1idrju3i.jp, 1
+xn--ukasik-2db.pl, 1
+xn--ukys-f6a.lt, 1
+xn--underux-0za.eu, 1
+xn--urgencesolidarit-qqb.com, 1
+xn--urgencesolidarit-qqb.fr, 1
+xn--uxqy9syyb.com, 1
+xn--v-wfa35g.ro, 1
+xn--v4q.ml, 1
+xn--v6q426ishax2a.xyz, 1
+xn--vck8crc010pu14e.biz, 1
+xn--vck8crcu789ajtaj92eura.xyz, 1
+xn--vihrekeino-u5a.fi, 1
+xn--vwsv89g.xn--fiqs8s, 1
+xn--vwsv89g.xn--fiqz9s, 1
+xn--vwsw0b.xn--fiqs8s, 1
+xn--vwsw0b.xn--fiqz9s, 1
+xn--vwsw0b192f.xn--fiqs8s, 1
+xn--vwsw0b192f.xn--fiqz9s, 1
+xn--vxsq49l.cn, 1
+xn--w-sgae.eu, 1
+xn--w22a.jp, 1
+xn--wby9t.xyz, 0
+xn--wcs69oyudj44b.xyz, 1
+xn--whakamtt-m7a57hba.org.nz, 1
+xn--wiateko-rjb3t.eu, 1
+xn--woistdermlleimer-rzb.de, 1
+xn--wp9ha.ws, 1
+xn--wq9h.ml, 0
+xn--xft85up3jca.ga, 1
+xn--xwqa8512b.eu.org, 1
+xn--xz1a.jp, 1
+xn--y-5ga.com, 1
+xn--y3cac7d1d.xn--o3cw4h, 1
+xn--y8j148r.xn--q9jyb4c, 0
+xn--y8j2eb5631a4qf5n0h.com, 1
+xn--y8ja6lb.xn--q9jyb4c, 1
+xn--y8jarb5hca.jp, 1
+xn--yj8h0m.ws, 1
+xn--ykqxsg6sqp4cd861a.ml, 1
+xn--ykrp42k.com, 1
+xn--yrvp1ac68c.xn--6qq986b3xl, 1
+xn--z1tq4ldt4b.com, 1
+xn--zca.dk, 1
+xn--zettlmeil-n1a.de, 1
+xn--zr9h.cf, 1
+xn--zr9h.ga, 1
+xn--zr9h.ml, 1
+xn--zr9h.tk, 1
+xn--zsr042b.fun, 1
+xnaas.info, 1
+xnativi.pl, 1
+xnet-x.net, 1
+xnetwork.ml, 1
+xniver.se, 1
+xnix.tk, 1
+xnoe.moe, 1
+xnop.yt, 1
+xnopyt.com, 1
+xnopyt.info, 1
+xnsir.com, 1
+xntrik.wtf, 1
+xnu.kr, 1
+xnxxporns.com, 1
+xo.wtf, 1
+xoan.cf, 1
+xobotun.com, 1
+xocc.cc, 1
+xoda.pw, 1
+xolotto.com, 1
+xolphin.nl, 1
+xombitgames.com, 1
+xombitmusic.com, 1
+xomyak.tk, 1
+xone.cz, 0
+xonobixa.tk, 1
+xoomenergy.com, 1
+xor.ai, 1
+xor.cat, 1
+xor.tools, 1
+xorion.pl, 1
+xorm.io, 1
+xormatic.com, 1
+xosh.fr, 1
+xotictrends.com, 1
+xotika.tv, 1
+xoutpost.com, 1
+xoxo.news, 1
+xp-ochrona.pl, 1
+xp.nsupdate.info, 1
+xpd.se, 1
+xpenology-fr.net, 1
+xperiacode.com, 1
+xperidia.com, 1
+xpertairtx.com, 1
+xpertairwaco.com, 1
+xpertcenter.ch, 0
+xpertcube.com, 1
+xpertmedia.ro, 1
+xpertsunlimited.com, 1
+xpetit.net, 1
+xpews.org, 1
+xpg.jp, 1
+xphelper.tk, 1
+xpint.com, 1
+xpj090.com, 1
+xpj100.com, 0
+xpj678678.com, 1
+xpj90.com, 1
+xpj909.cc, 0
+xpj909.com, 1
+xpj909.in, 0
+xpj909.me, 1
+xpj909.vip, 0
+xpj919.in, 0
+xpj919.me, 0
+xpj919.vip, 0
+xpjab.com, 0
+xpjcu.com, 0
+xpjdi.com, 0
+xpjei.com, 0
+xpjiosapp.com, 0
+xpjwa.com, 0
+xpjwb.com, 0
+xpletus.nl, 1
+xplo.it, 1
+xploredome.pl, 1
+xploredundee.com, 1
+xplozion.tk, 1
+xpods.sg, 1
+xportxpert.com, 1
+xpreflect.co.uk, 1
+xps-auto.com, 1
+xps3dp.com, 1
+xps40.com, 1
+xpsauto.com, 1
+xpsautomation.com, 1
+xpsfactory.com, 1
+xpsinnovation.com, 1
+xpsnow.net, 1
+xpsrobotics.com, 1
+xptrack.com, 1
+xptrackstaging.com, 1
+xpwn.cz, 0
+xq.com, 1
+xq6dtff.top, 1
+xqin.net, 1
+xqk7.com, 1
+xqwqx.com, 1
+xr5.me, 1
+xr5.tech, 1
+xrayreview.ml, 1
+xrbox.me, 1
+xrdd.de, 1
+xreverseporn.com, 1
+xrg.cz, 1
+xrippedhd.com, 1
+xrism.ro, 1
+xrockx.de, 1
+xrp.pp.ua, 1
+xrpnews.info, 1
+xrpscan.com, 1
+xrwracing-france.com, 1
+xs2a.no, 1
+xs4ever.org, 1
+xsait.tk, 1
+xsave.ru, 1
+xscancun.com, 1
+xsden.info, 1
+xsec.me, 1
+xsenya74hram.tk, 1
+xseries-forum.com, 1
+xserownia.cloud, 0
+xserownia.com.pl, 1
+xserownia.eu, 1
+xserownia.info, 0
+xserownia.net, 1
+xserownia.pl, 1
+xsitedleads.com, 1
+xsmobile.de, 1
+xsolla.com, 1
+xss.name, 1
+xss.sk, 1
+xssi.uk, 1
+xsstime.nl, 1
+xsteam.eu, 1
+xstorysnap.com, 1
+xstreamable.com, 1
+xsuper.net, 1
+xsv.cn, 1
+xsz.jp, 1
+xt.om, 1
+xt177.com, 1
+xt71uc.top, 1
+xtaboo3d.com, 1
+xtalpi.com, 1
+xtarget.ru, 1
+xtechkr.com, 1
+xtechtecnologia.tec.br, 1
+xthugboyz.com, 1
+xtianhe.com, 0
+xtips.us, 1
+xtom.africa, 1
+xtom.al, 1
+xtom.amsterdam, 1
+xtom.au, 1
+xtom.ax, 1
+xtom.be, 1
+xtom.bg, 1
+xtom.by, 1
+xtom.ch, 1
+xtom.chat, 1
+xtom.co.uk, 1
+xtom.com, 1
+xtom.com.au, 1
+xtom.com.de, 1
+xtom.com.ee, 1
+xtom.com.hk, 1
+xtom.cy, 1
+xtom.cz, 1
+xtom.de, 1
+xtom.dk, 1
+xtom.ee, 1
+xtom.es, 1
+xtom.eu, 1
+xtom.fi, 1
+xtom.fo, 1
+xtom.fr, 1
+xtom.ge, 1
+xtom.gg, 1
+xtom.gmbh, 1
+xtom.gr, 1
+xtom.hk, 1
+xtom.hr, 1
+xtom.hu, 1
+xtom.im, 1
+xtom.io, 1
+xtom.is, 1
+xtom.it, 1
+xtom.je, 1
+xtom.jp, 1
+xtom.li, 1
+xtom.limited, 1
+xtom.london, 1
+xtom.lt, 1
+xtom.ltd, 1
+xtom.lu, 1
+xtom.lv, 1
+xtom.md, 1
+xtom.me, 1
+xtom.mk, 1
+xtom.moscow, 1
+xtom.nl, 1
+xtom.no, 1
+xtom.nu, 1
+xtom.paris, 1
+xtom.pl, 1
+xtom.pt, 1
+xtom.ro, 1
+xtom.ru, 1
+xtom.si, 1
+xtom.sk, 1
+xtom.social, 1
+xtom.su, 1
+xtom.uk, 1
+xtom.us, 1
+xtom.wiki, 1
+xtom.xyz, 1
+xtorm.ro, 1
+xtournois.com, 1
+xtra.net, 1
+xtrainsights.com, 1
+xtralis.com, 1
+xtreamfire.tk, 1
+xtreme-cs.tk, 1
+xtreme-servers.eu, 1
+xtremealaskainsulation.com, 1
+xtremebouncepartyhire.com.au, 1
+xtremegaming.it, 1
+xtremejetski.ae, 1
+xtremers.tk, 1
+xtremotivation.com, 1
+xtremyblog.com, 1
+xtronics.com, 1
+xts.bike, 1
+xts3636.net, 1
+xtsna.com, 1
+xttt.net, 1
+xtu2.com, 1
+xtzone.be, 1
+xtzs6.vip, 1
+xuab.net, 1
+xuan-hao.com, 1
+xuan.com.my, 1
+xuancommagere.com, 1
+xuanmeishe.net, 0
+xuann.wang, 1
+xubo666.com, 1
+xuc.me, 1
+xucha.ml, 1
+xueaiai.cf, 1
+xueaiai.com, 1
+xueaiai.ml, 1
+xueanquan.com, 1
+xuecheng.com, 1
+xuedianshang.com, 1
+xuehuang666.cn, 1
+xuesoska.ga, 1
+xuewen.ink, 1
+xuewen.me, 1
+xuexi.icu, 0
+xuez.cc, 1
+xuming.studio, 1
+xumm.me, 1
+xunmengdu.com, 1
+xuntaosms.com, 1
+xuntier.ch, 1
+xurl.gq, 1
+xurl.ltd, 1
+xushuai.org, 1
+xusqui.com, 1
+xuwei.de, 1
+xuyh0120.win, 1
+xvadimx.me, 1
+xvaldezendocrino.com, 1
+xvidyo.ga, 1
+xviimusic.com, 1
+xvix.eu, 1
+xvmmod.com, 1
+xvpn.io, 1
+xvt-blog.tk, 1
+xwalck.se, 1
+xwaretech.info, 1
+xwf.fyi, 1
+xwfwrestling.tk, 1
+xwm.ru, 1
+xwndtq.xyz, 1
+xwnu.com, 1
+xworder.tk, 1
+xwp.co, 1
+xx.gl, 1
+xx0r.eu, 1
+xx6729.co, 1
+xx6729.com, 0
+xx6957.co, 1
+xx9297.co, 1
+xx9728.co, 1
+xxdtl.com, 1
+xxffo.com, 1
+xxhd.in, 1
+xxl-bonus.tk, 1
+xxl.dk, 1
+xxl.fi, 1
+xxl.se, 1
+xxl.tax, 1
+xxlpen.eu, 1
+xxlsports.at, 1
+xxvv.loan, 1
+xxx-fiction.com, 1
+xxx-gays.com, 1
+xxxarabgirls.com, 1
+xxxbunker.com, 1
+xxxfreepornclip.com, 1
+xxxgr.net, 1
+xxxite.me, 1
+xxxmoviesdot.com, 1
+xxxomas.com, 1
+xxxoopz.com, 1
+xxxporn-videos.com, 1
+xxxpornohub.net, 1
+xxxshades.com, 1
+xxxshemaleporn.com, 1
+xxxsuper.net, 1
+xxxteen.net, 1
+xxxtophd.com, 1
+xxxtrance.com, 1
+xxxvideos-base.com, 1
+xxxvideos-tube.com, 1
+xxxvids.mobi, 1
+xxxvids.tv, 1
+xxxvv3.com, 1
+xxxvv8.com, 1
+xxxvv9.com, 1
+xxxxlol.com, 1
+xxyy.asia, 1
+xy.ax, 1
+xy366.cc, 1
+xy369.cc, 1
+xy6161.com, 1
+xy6262.com, 1
+xy6729.com, 1
+xy6957.com, 1
+xy7171.com, 1
+xy7272.com, 1
+xy7373.com, 1
+xy96.top, 1
+xyactive.com.au, 1
+xycommunication.com, 1
+xyenon.bid, 1
+xyfun.net, 0
+xyl.cool, 1
+xyloefarmoges.gr, 0
+xyloelia.com, 1
+xylos.nl, 1
+xynta.ch, 1
+xynta.com, 1
+xyquadrat.ch, 1
+xyrexwolf-sebastien-izambard.tk, 1
+xywing.com, 0
+xyz.vn, 1
+xyz2007.com, 1
+xyz234.com, 1
+xyz323.com, 1
+xyz345.com, 1
+xyz543.com, 1
+xyz55.com, 1
+xyz566.com, 1
+xyz566.net, 1
+xyz567.com, 1
+xyz65.com, 1
+xyz66.ai, 1
+xyz66.net, 1
+xyz678.com, 1
+xyz77.com, 1
+xyz788.com, 1
+xyz88.ai, 1
+xyz88.biz, 1
+xyz88.fun, 1
+xyz88.info, 1
+xyz88.life, 1
+xyz88s.com, 1
+xyzcd.ai, 1
+xyzemails.com, 0
+xyzmedia.net, 1
+xyzmedia.rs, 1
+xyzulu.hosting, 1
+xyzxyx.com, 1
+xyzyz.xyz, 1
+xyzzy.earth, 1
+xyzzyyyz.com, 1
+xz0.de, 1
+xzclip.cn, 1
+xzib.com, 1
+xzibits.com, 1
+xzqy.net, 1
+xztech.co, 1
+y-erodoga.com, 1
+y-erogazo.com, 1
+y-nas.tk, 1
+y.com.cm, 1
+y.com.sb, 1
+y09a.com, 0
+y09app.com, 0
+y09app.vip, 0
+y09j.com, 0
+y11n.net, 0
+y2bet.com, 1
+y2dcycleroute.ie, 1
+y2k23.com, 1
+y2s.pw, 1
+y31.jp, 1
+y3451.com, 1
+y3600.cc, 1
+y3600.cz, 1
+y3650.com, 1
+y36500.com, 1
+y3651.com, 0
+y36511.com, 1
+y365188.com, 1
+y3653.com, 1
+y36533.com, 1
+y3654.com, 0
+y3656.com, 1
+y36577.com, 0
+y3bet.com, 1
+y5197.co, 1
+y5bet.com, 1
+y6180.com, 1
+y6729.co, 1
+y6729.com, 1
+y68cc.com, 0
+y68ee.com, 0
+y68ff.com, 0
+y68gg.com, 0
+y68gl.com, 1
+y68hh.com, 0
+y68ii.com, 0
+y68jj.com, 0
+y68jn.com, 1
+y68ll.com, 0
+y68oo.com, 1
+y68pp.com, 0
+y68qq.com, 0
+y68rr.com, 0
+y68sc.com, 1
+y68sz.com, 1
+y68tt.com, 0
+y68uu.com, 0
+y68yy.com, 0
+y68zz.com, 0
+y6957.co, 1
+y6bet.com, 1
+y70102.com, 1
+y70301.com, 1
+y70302.com, 1
+y70303.com, 1
+y7091.com, 1
+y7092.com, 1
+y7093.com, 1
+y890000.com, 0
+y891111.com, 0
+y892222.com, 0
+y893333.com, 0
+y894444.com, 0
+y895555.com, 0
+y896666.com, 0
+y897777.com, 0
+y898888.com, 0
+y89a.com, 0
+y89a.net, 1
+y89aaa.com, 0
+y89b.com, 0
+y89b.net, 1
+y89bbb.com, 0
+y89c.com, 1
+y89c.net, 1
+y89ccc.com, 0
+y89d.com, 1
+y89d.net, 1
+y89dd.com, 1
+y89ddd.com, 1
+y89e.com, 1
+y89e.net, 1
+y89ee.com, 1
+y89eee.com, 1
+y89f.com, 1
+y89f.net, 1
+y89fff.com, 0
+y89g.com, 1
+y89g.net, 1
+y89gg.com, 1
+y89h.net, 1
+y89hh.com, 1
+y89hhh.com, 0
+y89i.com, 0
+y89i.net, 1
+y89ii.com, 1
+y89iii.com, 1
+y89j.com, 1
+y89j.net, 1
+y89jj.com, 1
+y89jjj.com, 0
+y89k.com, 0
+y89kk.com, 1
+y89l.com, 0
+y89ll.com, 1
+y89m.com, 1
+y89n.com, 1
+y89o.com, 1
+y89q.com, 0
+y89r.com, 0
+y89s.com, 0
+y89t.com, 0
+y89u.com, 0
+y89v.com, 1
+y89ww.com, 0
+y89zz.com, 0
+y9297.co, 1
+y9728.co, 1
+y99.in, 1
+ya-hudeu.tk, 1
+ya-hudeyu.gq, 1
+ya-hudeyu.ml, 1
+ya-hudeyu.tk, 1
+ya-madina.tk, 1
+ya-radio.tk, 1
+ya-stroynaya.tk, 1
+ya-zdorova.tk, 1
+ya.mk, 1
+yaateens.org, 1
+yaay.com.br, 1
+yaay.today, 1
+yaazhtech.com, 1
+yaballe.com, 1
+yabbr.com.au, 1
+yabbr.io, 1
+yabo68.com, 0
+yabuisha.jp, 1
+yacca.co.uk, 1
+yacg.asia, 1
+yachatshomesforsale.com, 1
+yachigoya.com, 1
+yachta.kiev.ua, 1
+yachtbuyer.com, 1
+yachtcharterfleet.com, 1
+yachtcita.com, 0
+yachtcrafter.com, 1
+yachtfolio1.com, 1
+yachting-home.com, 1
+yachtlettering.com, 1
+yachtmarket.com.ua, 1
+yachtwaypoints.com, 1
+yacine-app.tv, 1
+yacostasolutions.com, 1
+yadaeditrice.com, 1
+yadnameh.ga, 1
+yaebus.tk, 1
+yaencontre.com, 1
+yafull.com, 1
+yafuoku.ru, 1
+yaghoobi.tk, 1
+yagihiro.tech, 1
+yagizhan.me, 1
+yagliyurt.com, 1
+yagmursoft.tk, 1
+yagoda-malina.tk, 1
+yagodigribi.guru, 1
+yagotour.cf, 1
+yaharu.ru, 1
+yahav.co.il, 1
+yahlab.de, 1
+yahoo.ax, 1
+yahtzeemanifesto.com, 1
+yahvehyireh.com, 1
+yahvk.moe, 1
+yaiho.com, 1
+yaiho.de, 1
+yak-host.tk, 1
+yakbett.de, 1
+yakiimo-sakura.com, 1
+yakimono.ga, 1
+yakimoshi.tk, 1
+yakisakana.tk, 1
+yakkifamirie.tk, 1
+yakmail.tech, 1
+yakovmanshin.com, 1
+yakshop.bg, 1
+yakubovich-les.ru, 1
+yakupyilmazboru.com, 1
+yakutia.tk, 1
+yakutianews.tk, 1
+yakutsk-city.tk, 1
+yakutsk.ml, 1
+yalb.tech, 1
+yalcinkaya.ninja, 0
+yalecleaners.com, 1
+yalla-kora.tv, 1
+yalla-shoots.tv, 1
+yalla-shootx.com, 1
+yallamotor.com, 1
+yalook.com, 1
+yaltaarenda.tk, 1
+yamabara.tk, 1
+yamabi.co, 1
+yamacore.de, 1
+yamadaya.tv, 1
+yamagata-fujinka.jp, 1
+yamagata-healing.com, 1
+yamaken.jp, 1
+yamal-online.ml, 1
+yamal159263.ml, 1
+yamanami.tokyo, 1
+yamanobe-taro.jp, 1
+yamatonetwork.com, 1
+yamazaki-automotive.co.jp, 1
+yame2.com, 1
+yamei1.com, 1
+yamei6688.com, 1
+yamei6699.com, 1
+yamei8.com, 1
+yamei8866.com, 1
+yamei98.com, 1
+yamei99.com, 1
+yamei9955.com, 1
+yamhillcounty.gov, 1
+yamm.io, 1
+yamobila.tk, 1
+yamunaexpresswayplot.com, 1
+yan.gg, 1
+yan.lt, 1
+yan.net.cn, 1
+yan3321.com, 1
+yanaduday.com, 1
+yananikitina.site, 1
+yanaya-k.jp, 1
+yanbohon.com, 1
+yandere.moe, 1
+yandong.tk, 1
+yang1963.com.tw, 1
+yangcs.net, 0
+yangfamily.tw, 1
+yangjingwen.cn, 1
+yangjingwen.com, 1
+yangmao.info, 1
+yangmaodang.org, 0
+yangmi.blog, 1
+yangrq.org, 1
+yangruixin.com, 1
+yangshangzhen.com, 0
+yangwang.tk, 1
+yangxi.tech, 1
+yangyi.ml, 1
+yangzi.ml, 1
+yanhongming.net, 1
+yanik.info, 1
+yanisvaroufakis.eu, 1
+yanivboost.com, 1
+yanjicg.com, 0
+yann.tw, 1
+yannic.world, 0
+yannickkordel.de, 1
+yannickkordel.eu, 1
+yannickvdvelde.tk, 1
+yanniclandsmann.de, 1
+yannikbloscheck.com, 1
+yannsalmon.fr, 1
+yannyann.com, 1
+yanovosibirsk.ml, 1
+yanservices.be, 1
+yansurachman.web.id, 1
+yantarniy.tk, 1
+yantox.com, 1
+yaodownload.com, 1
+yaoge123.com, 1
+yaoostore.com, 1
+yaoyorozu.eu, 1
+yaoyorozu.re, 1
+yap26.cc, 1
+yapan008.com, 1
+yapan222.com, 1
+yapan3.com, 1
+yapan33.com, 1
+yapan333.com, 1
+yapan365.net, 1
+yapan4.com, 1
+yapan44.com, 1
+yapan444.com, 1
+yapan55.com, 1
+yapan555.com, 1
+yapan6.com, 1
+yapan66.com, 1
+yapan666.com, 1
+yapan7.com, 1
+yapan77.com, 1
+yapan777.com, 1
+yapan8.com, 1
+yapan888.com, 1
+yapan9.com, 1
+yapan99.com, 1
+yapan999.com, 1
+yapanwang.com, 1
+yapaytech.com, 1
+yapdentalsurgery.com, 1
+yapmaz.com, 1
+yapper.fr, 1
+yappy.com, 1
+yappy.media, 1
+yarcom.ru, 0
+yardandgardenguru.com, 1
+yardesign.tk, 1
+yardhelp.ga, 1
+yardthyme.com, 1
+yardtower.com, 1
+yaren-it.de, 1
+yaren.it, 1
+yarlesac.com, 1
+yarmarka-megamarket.ru, 1
+yarnandy.com, 1
+yarnsub.com, 1
+yarogneva.ru, 1
+yarokuk.com, 1
+yaroslavia.eu.org, 1
+yaroslavova.tk, 1
+yarowork.jp, 1
+yarplast.tk, 1
+yarr.pt, 1
+yarracitta.tk, 1
+yarravilletownhouses.com.au, 1
+yaru.one, 1
+yarygin.tk, 1
+yasam.co.uk, 1
+yaseen.ae, 1
+yaseiblog.org, 1
+yash.com, 1
+yashinstore.com, 1
+yasic.net, 1
+yasikish.com, 1
+yaslihastabakici.com, 1
+yasmeencreative.com, 1
+yasmin-apartments.cz, 1
+yasmin.ml, 1
+yasmingarcia.tk, 1
+yasraiting.tk, 1
+yasrating.tk, 1
+yassinekbichi.co.uk, 1
+yassinesmael.tk, 1
+yasudaseiki.cn, 1
+yasukevicious.com, 1
+yatai18.com, 1
+yatax.fr, 1
+yateam.cc, 1
+yates.com.au, 1
+yatescountyny.gov, 1
+yatescountysheriff.gov, 1
+yatorie.net, 1
+yatriindia.tk, 1
+yatsat.com, 1
+yatserver.com, 1
+yatstudios.com, 1
+yatsuenpoon.com, 1
+yatum.com.br, 1
+yauatcha.com, 1
+yaucy.win, 1
+yaup.tk, 1
+yaustal.com, 1
+yavapaiaz.gov, 1
+yavapaivotes.gov, 1
+yavar.nl, 1
+yavin4.cf, 1
+yavip8088.com, 1
+yavorivanov.com, 1
+yavuzatasoy.tk, 1
+yawen.me, 1
+yawnbox.com, 1
+yaws.cf, 1
+yaxim.org, 1
+yay-btcl.work, 1
+yay.space, 1
+yayart.club, 1
+yayginegitim.net, 1
+yayl888.com, 1
+yaymaker.com, 1
+yayou.ag, 1
+yazichestvo.tk, 1
+yazik.ga, 1
+yazilim.tk, 1
+yazzys.com, 1
+yb21.cc, 0
+yba-lier.tk, 1
+ybexalev.ga, 1
+ybos.nl, 1
+ybr.ch, 1
+ybr.com, 1
+ybresson.com, 1
+ybrfrance.fr, 1
+ybscareers.co.uk, 1
+ybti.net, 1
+ybvip789.com, 0
+ybzhao.com, 1
+yc1820.com, 1
+ycalculators.com, 1
+ycb.fr, 1
+ycbmdevelopment.com, 1
+ycbmstaging.com, 1
+ycfld.gov, 1
+ych.art, 1
+ycherbonnel.fr, 1
+ycl.org.uk, 1
+yclan.net, 1
+ycnrg.org, 1
+ycodendauteradio.net, 1
+yd.io, 1
+yd163.cc, 1
+yd169.cc, 1
+ydetc.es, 1
+ydt.am, 1
+ydyy99.com, 1
+ydyydy.ml, 1
+yeadonboroughpa.gov, 1
+yearinviewcalendars.com, 1
+yearli.com, 1
+yeartracker.ga, 1
+yebkw.com, 1
+yebshotel.de, 1
+yecdn.com, 1
+yecl.net, 1
+yedeksubay.tk, 1
+yediothamahar.co.il, 1
+yeechie.nl, 0
+yeecord.com, 1
+yeecord.tk, 1
+yeesker.com, 1
+yekaterinburg-city.tk, 1
+yellcosheriffar.gov, 1
+yellcountyar.gov, 1
+yello.co, 1
+yellow.ai, 1
+yellow.place, 1
+yellowbrick.co, 1
+yellowcar.website, 1
+yellowfinlogistics.com, 1
+yellowfolder.com, 1
+yellowhawk.nl, 1
+yellowmessenger.com, 1
+yellowpages.ee, 1
+yellowsource.org, 1
+yellowsquid.uk, 0
+yellowstone.nsupdate.info, 1
+yellowstonecountymt.gov, 1
+yellowstrips.com, 1
+yellowsubmarinebook.com, 1
+yellowtaillasvegas.com, 1
+yellowtails.co.jp, 1
+yellowtrace.net.au, 1
+yellsystem.co.jp, 1
+yelp.at, 1
+yelp.be, 1
+yelp.ca, 1
+yelp.ch, 1
+yelp.cl, 1
+yelp.co.jp, 1
+yelp.co.nz, 1
+yelp.co.uk, 1
+yelp.com, 1
+yelp.com.ar, 1
+yelp.com.au, 1
+yelp.com.br, 1
+yelp.com.hk, 1
+yelp.com.mx, 1
+yelp.com.ph, 1
+yelp.com.sg, 1
+yelp.com.tr, 1
+yelp.com.tw, 1
+yelp.cz, 1
+yelp.de, 1
+yelp.dk, 1
+yelp.es, 1
+yelp.fi, 1
+yelp.fr, 1
+yelp.ie, 1
+yelp.it, 1
+yelp.my, 1
+yelp.nl, 1
+yelp.no, 1
+yelp.pl, 1
+yelp.pt, 1
+yelp.se, 1
+yeltsin.tech, 1
+yeltzland.net, 1
+yemalu.com, 1
+yemekbaz.az, 1
+yemekfirmalari.tk, 1
+yemekfirmasi.tk, 1
+yemeksirketleri.tk, 1
+yemektarifinet.com, 1
+yemenat.tk, 1
+yemenlink.tk, 1
+yenbainet.tk, 1
+yengec.co, 1
+yenidunya.org, 1
+yeniehliyetsinavi.com, 1
+yennhi.co, 1
+yenpape.com, 1
+yep-pro.ch, 0
+yepbitcoin.com, 1
+yepu.cc, 1
+yepu.ga, 1
+yerbasbuenas.tk, 1
+yerf.eu, 1
+yeri.com, 1
+yes-money.cf, 1
+yes-money.ga, 1
+yes-money.gq, 1
+yesapp.tk, 1
+yesasia.com, 1
+yescareer.ga, 1
+yescool.cn, 0
+yesfone.com.br, 1
+yesglasses.com, 1
+yesh.lk, 1
+yesiammaisey.me, 1
+yesichat.com, 1
+yesileczam.com, 1
+yesileczam.net, 1
+yesilliforum.tk, 1
+yesilpanda.com, 1
+yesjobs.ga, 1
+yesleaks.com, 1
+yesmirov.ga, 1
+yesmsp.com, 1
+yesmzt.com, 1
+yesod.in, 1
+yesogovinpetcare.com, 1
+yesolo.tk, 1
+yespornfree.com, 1
+yespornplease.com, 1
+yessirgear.com, 0
+yeste.tk, 1
+yestees.com, 1
+yesterford.com, 1
+yesteryear-chronicle.cf, 1
+yeswecan.co.bw, 1
+yeti.ca, 1
+yeti.com, 1
+yeti.gq, 1
+yetishirt.com, 0
+yetivisite.ch, 1
+yetkiliservisrehberi.com, 1
+yeu.io, 1
+yewan.cf, 1
+yewan.ml, 1
+yewtu.be, 1
+yex.nz, 1
+yex.trade, 1
+yezhan.ml, 1
+yezhong.cf, 1
+yezhong.ml, 1
+yezi.ga, 1
+yezishurb.site, 1
+yf128.cc, 1
+yfeer.com, 0
+yfh.me, 1
+yggdar.ga, 1
+yggdrasildice.com, 1
+ygm.org.uk, 1
+ygobbs.com, 1
+yh12366.com, 1
+yh56787.com, 1
+yh599.cc, 1
+yh64678.com, 1
+yh66689.com, 1
+yh811.com, 1
+yh88890.com, 1
+yh98768.com, 1
+yhaupenthal.org, 1
+yhclinic.com.tw, 1
+yhe.me, 1
+yhenke.de, 0
+yhhvi.cf, 1
+yhn.sh, 1
+yhndnzj.com, 1
+yhong.me, 1
+yhori.xyz, 1
+yhrd.org, 1
+yhsh.xyz, 1
+yhwj.top, 0
+yiai.cf, 1
+yiai.ga, 1
+yiai.gq, 1
+yiai.ml, 1
+yiai.tk, 1
+yibaoweilong.top, 1
+yibei-original.com, 1
+yibin0831.com, 0
+yicc.net, 1
+yichen.me, 1
+yicivideo.com, 1
+yicknam.my, 1
+yifananime.com, 1
+yifanbian.me, 1
+yifansun.net, 1
+yiff.forsale, 1
+yiff.media, 1
+yiff.rest, 1
+yiff.rocks, 1
+yiff.supply, 1
+yigelangzi.com, 1
+yigit.shop, 1
+yiguan.me, 1
+yigujin.cn, 1
+yiheng.moe, 0
+yihome.com.tw, 1
+yihouse.tw, 1
+yijia.support, 1
+yijingying.com, 0
+yikeyong.com, 1
+yilanju.com, 1
+yilconstruction.ca, 1
+yildizkariyerim.com, 1
+yildiznamebaktir.com, 1
+yilmaznargile.com, 1
+yiluup.com, 0
+yimgo.fr, 0
+yinduyy.com, 0
+yinfor.com, 1
+ying.gift, 1
+ying299.com, 1
+ying299.net, 1
+yingatech.com, 1
+yinglinda.love, 1
+yingmei.jp, 1
+yingshu.hopto.org, 1
+yingyj.com, 1
+yingzi.ml, 1
+yinlei.org, 1
+yinmingyang.cn, 1
+yinwa.cf, 1
+yinwa.ml, 1
+yinyang.jp, 1
+yippie.nl, 0
+yisrime.xyz, 1
+yiyuanzhong.com, 1
+yiz96.com, 1
+yizhihuang.org, 1
+yj4p.com, 1
+yjav.tv, 1
+yjdevtech.com, 1
+yjsp.tv, 1
+yjst.cn, 1
+yjsw.sh.cn, 1
+yjz.hk, 1
+ykb.click, 1
+ykgli.cn, 1
+ykj.ca, 1
+ykqpw.com, 1
+yksolutions.ma, 1
+yl-invest.co.il, 1
+ylanan.tk, 1
+ylde.de, 1
+yliarb.ru, 1
+ylilauta.org, 1
+ylivemusic.com, 1
+yloti.com, 1
+ylromania.ro, 1
+ylwd.gov, 1
+ym069.com, 1
+ym181.am, 1
+ym966.com, 1
+ymaca.tk, 1
+ymarion.de, 1
+ymatyt.com, 1
+ymc.moe, 1
+ymca.ga, 1
+ymcapkc.org, 1
+ymdecor.com, 1
+ymg-allergy.jp, 1
+ymlsport.pe, 1
+ymm18.com, 1
+ymoah.nl, 1
+ymos.com.tw, 1
+ymoz.com, 1
+ymtsonline.org, 1
+ymy.moe, 1
+ymy.zone, 1
+yn.org.nz, 1
+ynamly.site, 1
+ynode.com, 1
+yo-digital.ga, 1
+yoa.st, 1
+yoannlatzer.com, 1
+yoast.com, 1
+yoba.co.uk, 1
+yoba.systems, 1
+yobai-grouprec.jp, 1
+yobasystems.co.uk, 1
+yobda.tk, 1
+yobeverages.com, 1
+yobify.com, 1
+yobniyulyu.tk, 1
+yobst.tk, 1
+yochadehe.gov, 1
+yochen.de, 1
+yocoboard.com, 1
+yodababy.com.tw, 1
+yodalef3.tk, 1
+yodaremote.tk, 1
+yodelmobile.com, 1
+yodocon.com, 1
+yoga-alliance-teacher-training.com, 1
+yoga-bien-etre.com, 1
+yoga-erde.de, 1
+yoga-good.fr, 1
+yoga-in-aying.de, 1
+yoga-m.fr, 0
+yoga-masterskaya.ru, 1
+yoga-mindfulness-ibiza.com, 1
+yoga-prive.de, 1
+yoga-school.xyz, 1
+yoga-vakantie-ibiza.nl, 1
+yoga-zentrum-narayani.de, 1
+yoga.is-an-engineer.com, 1
+yogaangels.ga, 1
+yogaanswered.com, 1
+yogaecology.org, 1
+yogaemmental.ch, 1
+yogagadgets.ga, 1
+yogahealsinc.org, 1
+yogahome.com, 1
+yogaillustrations.ga, 1
+yogaillustrations.tk, 1
+yogamarlene.ch, 1
+yogamea.school, 1
+yogananda-roma.org, 1
+yogaovelser.dk, 1
+yogaportalen.dk, 1
+yogaprague.com, 1
+yogaschoolrishikesh.com, 1
+yogasolution.tk, 1
+yogatherapykosha.com, 1
+yogaworld.tk, 1
+yogibear.tk, 1
+yogmoney.com, 1
+yogonet.com, 1
+yogstation.net, 1
+yogularm.de, 1
+yogunet.de, 1
+yohanesedwin.com, 1
+yohanesmario.com, 1
+yohannes.tk, 1
+yoim.cc, 1
+yoitsu.moe, 1
+yoitsu.org, 1
+yokaiispirit.ddns.net, 1
+yokocho373.com, 1
+yokoda.okinawa, 1
+yokohama-idolmaster.jp, 1
+yokohama.ga, 1
+yokohamawakaba-ganka.com, 1
+yokone3-kutikomi.com, 1
+yokorei.yokohama, 1
+yokotafss.marketing, 1
+yokotower.com, 1
+yolandaschocolatiers.com, 1
+yolandgao.me, 1
+yolks.in, 1
+yolo-csgo.com, 1
+yolo.vn, 1
+yoloboatrentals.com, 1
+yolocast.wtf, 1
+yolocounty.gov, 1
+yolocountyca.gov, 1
+yolops.net, 1
+yolosh.se, 1
+yoloyolo.top, 0
+yomena.in, 1
+yomeuno.com, 1
+yomiren.co.jp, 1
+yomiurigolf.co.jp, 1
+yomyyomy.co.jp, 1
+yon.co.il, 0
+yonalink.com, 1
+yoneda-paint.com, 1
+yonema.com, 1
+yongbin.org, 1
+yongkang-clinic.com.tw, 1
+yongseovn.net, 1
+yonistap.com, 1
+yonja.com, 1
+yonkersdentalspa.com, 1
+yoodigital.co, 1
+yoogirls.com, 1
+yoomza.com, 1
+yoonas.com, 1
+yooooex.com, 1
+yoopies.fr, 1
+yooptopian.com, 0
+yoozik.io, 1
+yooznet.com, 1
+yopers.com, 0
+yopmail.com, 1
+yopmail.net, 1
+yoppoy.com, 1
+yops.info.pl, 1
+yoramvandevelde.net, 1
+yorcar.com, 1
+yorcom.nl, 0
+yorcool.nl, 0
+yorcybersec.co.uk, 0
+yordanisp.tk, 1
+yore.tk, 1
+yorganica.ga, 1
+yorgosbos.nl, 1
+yorkacademy.ca, 1
+yorkcountyne.gov, 1
+yorkcountysc.gov, 1
+yorkcountyschools.org, 1
+yorkieloverdiy.com, 1
+yorkiepooexpert.com, 1
+yorkmarkets.com, 1
+yorkmoneyman.com, 1
+yorkroadyums.com, 1
+yorkshiredalesinflatables.co.uk, 1
+yorkshiregardensheds.co.uk, 1
+yorkshiregrit.cc, 1
+yorkshirehousing.co.uk, 1
+yorkshireinflatables.co.uk, 1
+yorkshireterrier.com.br, 1
+yorkshireterrier.dog, 1
+yorkshireterrieraspets.com, 1
+yorktest.com, 1
+yorname.ml, 0
+yornik.nl, 1
+yoru.me, 0
+yoryo.com, 1
+yosakoinight.com, 1
+yosbeda.com, 1
+yosemo.de, 1
+yosh.is, 1
+yosheenetwork.fr, 1
+yoshibaworks.com, 1
+yoshimura-seimenjo.com, 1
+yoshitsugu.net, 1
+yoshiya2020.com, 1
+yoshkar-ola-city.tk, 1
+yosida-dental.com, 1
+yosida95.com, 1
+yosm.net, 1
+yospos.org, 1
+yoti.com, 1
+yoticonnections.com, 1
+yotilabs.com, 1
+yoto.at, 0
+yotta-zetta.com, 1
+yottahash.net, 1
+yotubaiotona.net, 1
+you-working.ru, 1
+you.bo, 0
+you.com.br, 1
+you15iv.com, 1
+youareamazingnd.com, 1
+youavtube.com, 1
+youbehero.com, 1
+youber.cz, 1
+youbetteravoid.me, 1
+youc.ir, 1
+youcanbook.me, 0
+youcanfinance.com.au, 1
+youcanfuckoff.xyz, 1
+youcanhelp.tk, 1
+youcanmakeit.at, 1
+youcruit.com, 1
+youcruit.jobs, 1
+youdino.com, 1
+youdontneedipv6.xyz, 1
+youdungoofd.com, 1
+youearnedit.com, 1
+youenglish.school, 1
+youftp.tk, 1
+yougee.ml, 1
+yougene.me, 1
+yougot.pw, 1
+youhabitat.es, 1
+youhavewords.com, 1
+youhs.top, 0
+youhua.ru, 1
+youiv.info, 1
+youiv.net, 1
+youiv.pw, 1
+youiv.tv, 1
+youiv10.com, 1
+youiv100.com, 1
+youiv20.com, 1
+youivh.com, 1
+youivr.com, 1
+youivt.com, 0
+youjob.us, 1
+youkaryote.com, 1
+youkaryote.org, 1
+youked.com, 1
+youkube.cf, 1
+youla.gq, 1
+youla.ru, 1
+youlikehookups.com, 1
+youliketwinks.com, 1
+youlovehers.com, 1
+youmeandjunee.com.au, 1
+youmiracle.com, 1
+youmonit.me, 1
+youms.de, 1
+younameit.ru, 1
+youneedfame.com, 1
+young-brahmousin.com, 1
+young-celebrities.tk, 1
+young-hands.it, 1
+young-sheldon.com, 1
+young-zy.com, 1
+young.scot, 0
+youngandunited.nl, 0
+youngart.hu, 1
+youngauthentic.cf, 1
+youngbabes.pro, 1
+youngcouple9598.net, 1
+youngdevotion.net, 1
+youngdevotion.org, 1
+youngfree.cn, 1
+younglabour.co.nz, 1
+younglabour.nz, 1
+younglabour.org.nz, 1
+younglions.cf, 1
+youngmodelsagency.tk, 1
+youngpeopleunited.co.uk, 1
+youngsook.org, 1
+youngsophie.net, 1
+youngsoulstudios.com, 0
+youngsvillenc.gov, 1
+youngtube.one, 1
+youngvoicesmatter.org, 1
+youniq.ga, 1
+younl.net, 1
+youpark.no, 1
+youpickfarms.org, 1
+youpreneur.com, 1
+your-computer-is-a-hero.tk, 1
+your-fitness-coach.ch, 1
+your-forum.tk, 1
+your-greece.ga, 1
+your-house-expert.com, 1
+your-idc.tk, 1
+your-kurs.tk, 1
+your-melody.ru, 1
+your-money.info, 1
+your-out.com, 1
+your-restorer.ru, 1
+your-sussex.wedding, 1
+your28days.com, 1
+youracnepro.com, 1
+youran.me, 1
+yourantiquarian.com, 1
+youraudiobooks.xyz, 1
+yourazbraces.com, 1
+yourbenefitsresources.com, 1
+yourberksbucksoxon.wedding, 1
+yourbittorrent.com, 1
+yourbittorrent2.com, 1
+yourblazeguard.com, 1
+yourbodyknows.dk, 1
+yourbodyknows.is, 1
+yourbonus.click, 0
+yourbreakfast.tk, 1
+yourbrewclub.com, 1
+yourbristolsomerset.wedding, 1
+yourbusiness.ml, 1
+yourcareerhost.com, 1
+yourcfo.co.in, 1
+yourcheshiremerseyside.wedding, 1
+yourcomputer.expert, 1
+yourcomputer.tk, 1
+yourconscious.life, 1
+yourcopywriter.it, 1
+yourcrypto.tax, 1
+yourdailyalerts.net, 1
+yourdailyhealthcare.tk, 1
+yourdailylocal.com, 1
+yourdata.ai, 1
+yourdata.ga, 1
+yourdemowebsite.ml, 1
+yourdevoncornwall.wedding, 1
+yourdrive.tk, 1
+youreallyneedthis.co, 1
+youreart.shop, 1
+youreastanglian.wedding, 1
+youreastmidlands.wedding, 1
+youreitbranding.com, 1
+youremailexpert.com, 1
+yourenergy.io, 1
+youreward.ga, 1
+yourfandom.ddns.net, 1
+yourfin.nl, 1
+yourforceserver.com, 1
+yourforcesupport.com, 1
+yourforcesupport.events, 1
+yourforcesupport.me, 1
+yourforcesupport.net, 1
+yourforcesupport.pro, 1
+yourforcesupport.us, 1
+yourforex.org, 1
+yourfriendlytech.com, 1
+yourfuntrivia.com, 1
+yourfuturestrategy.com.au, 1
+yourgadget.ro, 1
+yourgames.tv, 1
+yourgifttoyou.com, 1
+yourgloswilts.wedding, 1
+yourhampshiredorset.wedding, 1
+yourhealthcommunity.com, 1
+yourhearingnetwork.com, 1
+yourhertsbeds.wedding, 1
+yourhomeloanapprovals.com.au, 1
+yourhrworld.com, 1
+yourhumandesign.ch, 1
+yourkent.wedding, 1
+yourkit.com, 1
+yourkrabivilla.com, 1
+yourlanguages.de, 1
+yourlgpd.com, 1
+yourlifespirit.de, 1
+yourloan.gq, 1
+yourlocalsecurity.com, 1
+yourlondon.wedding, 1
+yourlovesong.com.mx, 1
+yourmagicstory.tk, 1
+yourmaki.com, 1
+yourmobility.ga, 1
+yourmodel.fr, 1
+yourms.com, 1
+yourname.xyz, 1
+yournewsfeed.org, 1
+yournortheast.wedding, 1
+yournorthwest.wedding, 1
+youronly.one, 1
+yourpalmbeachcountyrealtor.com, 1
+yourpalstore.com, 1
+yourpersonalfoodnesscoach.nl, 1
+yourpersonalfrance.com, 1
+yourpillstore.com, 1
+yourscotlandtour.co.uk, 1
+yoursfunny.top, 1
+yourskin.nl, 0
+yoursoul.gq, 1
+yoursoulmate.tk, 1
+yoursouthwales.wedding, 1
+yourstake.org, 1
+yourstart.tk, 1
+yourstorebridgwater.co.uk, 1
+yourstoreexeter.co.uk, 1
+yoursupportline.co.uk, 1
+yoursurrey.wedding, 1
+yourtampaparksplan.com, 1
+yourtests.tk, 1
+yourticketbooking.com, 1
+yourtourdesk.com, 0
+yourtwojugs.com, 1
+youruseragent.info, 1
+yourwatchdesign.co.uk, 1
+yourwestmidlands.wedding, 1
+yourworlds.cf, 1
+youryorkshire.wedding, 1
+yourznc.com, 1
+yousee.cf, 1
+yousee.gq, 1
+yousei.ne.jp, 1
+youservice.it, 1
+youshawn.com, 1
+youshouldnthavebeenhacking.com, 1
+yousite.by, 1
+yousound.tk, 1
+youssfitpro.com, 1
+youston.agency, 1
+youstyleski.it, 1
+yousufahmad.ca, 1
+yousuforg.ga, 1
+youth-for-life.tk, 1
+youth-sport.net, 1
+youth.gov, 1
+youthclothing.tk, 1
+youthink.jp, 1
+youthmarketing.com, 1
+youthnews.tk, 1
+youthopportunitieshub.com, 1
+youthpassageways.org, 1
+youthpolicy.org, 1
+youthreach.org, 1
+youthrules.gov, 1
+youthsadda.com, 1
+youtous.me, 1
+youtube, 1
+youtube-notify.com, 1
+youtube.com, 1
+youtubedownloader.com, 1
+youtubekids.com, 1
+youtubelet.com, 1
+youtuberis.lt, 1
+youtuberus.tk, 1
+youwebcams.org, 1
+youyifans.com, 1
+youyoulemon.com, 1
+youyuan.rocks, 1
+youyuandesign.top, 1
+yova.nl, 0
+yovko.net, 0
+yoyohe.com, 1
+yoyojobs.tk, 1
+yoyoost.duckdns.org, 1
+yoyoost.ga, 1
+yozakura.me, 1
+yozhik.tk, 1
+yozucreative.com, 1
+yparches.com, 1
+ypart.eu, 1
+ypdlp.org, 1
+ypea.info, 1
+ypfr.fr, 1
+ypgnews.tk, 1
+ypid.de, 1
+yplanapp.com, 1
+ypopovych.tk, 1
+yporti.net, 1
+ypse.com.br, 1
+ypsitownship.gov, 1
+yq5.de, 1
+yqagizev.tk, 1
+yqjf68.com, 1
+yqmhz.com, 1
+yr-labo.jp, 1
+yr.sa, 1
+yr166166.com, 1
+yrausquin.com, 1
+yrcc878.com, 1
+yrefail.net, 1
+yriik.ml, 1
+yrityksen-perustaminen.net, 1
+yrjanheikki.com, 1
+yrx.me, 1
+yryz.net, 1
+ys96.org, 1
+ysearc.tk, 1
+ysff.me, 1
+ysfridge.com, 1
+ysicorp.com, 1
+yslxxhome.com, 1
+ysmedia.jp, 1
+yspa.tv, 1
+yspertal.party, 1
+ystral.com, 1
+ysuna.xyz, 1
+yt-downloader.xyz, 0
+yt129.com, 1
+yt605.com, 1
+yt629.com, 1
+yt675.com, 1
+yt972.com, 1
+ytcodecs.com, 1
+ytcount.com, 1
+ytec.ca, 1
+ytexa.tk, 1
+ytpak.pk, 1
+ytreza.fr, 1
+ytterland.tk, 1
+ytvwld.de, 0
+ytx588.com, 1
+yu-dkc.com, 1
+yu-mug.jp, 1
+yu.vc, 1
+yuan.ga, 1
+yuan.idv.tw, 0
+yuan.nctu.me, 1
+yuanandyuan.info, 1
+yuanandyuan.me, 1
+yuanben.io, 1
+yuanbenlian.com, 1
+yuanbiji.net, 1
+yuandan.cf, 1
+yuandan.gq, 1
+yuandan.ml, 1
+yuanjiazhao.com, 1
+yuanjiazhao.tk, 1
+yuansecard.me, 1
+yuanxi343.top, 1
+yubi.co, 0
+yubico.com, 1
+yubico.org, 1
+yucaipa.gov, 1
+yucca.cf, 1
+yuccaschidigera.co.uk, 1
+yuce518.com, 1
+yuchun.me, 1
+yude.ml, 1
+yudin.ga, 1
+yue.la, 1
+yue2.net, 1
+yueeeyueee.com, 1
+yuema.net.cn, 1
+yuer.sytes.net, 1
+yuezhengling.link, 1
+yugasun.com, 1
+yugege.cf, 1
+yugioh-duelodefinitivo.tk, 1
+yugiohthenextgeneration.tk, 1
+yugodi.com, 1
+yugohome.com, 1
+yuh-lin.com, 1
+yuh.li, 1
+yuhaoskin.com.tw, 1
+yuharahisako.ga, 1
+yuho.vn, 1
+yui.cat, 1
+yui.jp.md, 1
+yuisyo.ml, 1
+yujixr.net, 1
+yukari.cafe, 1
+yuki-nagato.com, 1
+yuki.xyz, 1
+yukict.com, 1
+yukieda.com, 1
+yukigroup.ru, 1
+yukimituki.net, 1
+yukimiu.cf, 1
+yukimochi.com, 1
+yukimochi.io, 1
+yukimochi.jp, 1
+yukimochi.me, 1
+yukimochi.net, 1
+yukinastorage.net, 0
+yukino.xyz, 1
+yukitty-yukitty.com, 1
+yukkitacari.tk, 1
+yukomgroup.com, 1
+yukon.ca, 1
+yukonconnector.com, 1
+yukonlip.com, 1
+yukoslibrary.ga, 1
+yuksinau.co.id, 1
+yuksinau.id, 1
+yula.cf, 1
+yulaiz.com, 1
+yule.hk, 1
+yuleyule88game.com, 1
+yuliana-hotel.com, 1
+yulsn.io, 1
+yum0.cn, 1
+yumacountyazvotes.gov, 1
+yumacountyco.gov, 1
+yumechi.jp, 1
+yumepolo.com, 1
+yumi2.jp, 1
+yumiandryan.com, 1
+yumisign.com, 1
+yumli.net, 1
+yumm.menu, 1
+yummiyogi.com, 1
+yummycouple.net, 1
+yummydrool.com, 1
+yumtaro.com, 1
+yun-bao.co, 0
+yuna.tg, 0
+yunasecurity.com, 1
+yuncaioo.com, 0
+yunibalance.com, 1
+yunite.one, 1
+yunjishou.pro, 1
+yunloc.com, 1
+yunnet.ru, 1
+yunqueradehenares.tk, 1
+yunzhu.li, 1
+yuplay.com, 1
+yupug.com, 1
+yupulse.be, 1
+yuqi.me, 1
+yuquepay.com, 1
+yura.cf, 1
+yuricarlenzoli.it, 1
+yurikirin.me, 1
+yuriland.xyz, 1
+yurimoens.be, 1
+yurinet.org, 1
+yurisora.com, 1
+yurissimo.ch, 1
+yurissimo.cn, 1
+yurissimo.com, 1
+yurissimo.de, 1
+yurist-vopros.gq, 1
+yuriylysyuk.ru, 1
+yurtdisigocmenlik.com, 1
+yus-azaria.tk, 1
+yusa.me, 1
+yushanfang.recipes, 1
+yusu.org, 1
+yusufipek.me, 1
+yusukekato.com, 1
+yusukesakai.com, 1
+yutabon.com, 0
+yutakato.net, 1
+yutangyun.com, 1
+yuth.in, 0
+yuu.ink, 1
+yuucchi.com, 1
+yuucdn.net, 1
+yuugi.be, 1
+yuuki0xff.jp, 1
+yuumari.com, 1
+yuuta.moe, 1
+yuvaindia.co.in, 1
+yuvaskillfoundation.org, 1
+yuweetek.com, 0
+yuwei.org, 1
+yuweiji.com, 1
+yuweiyang.xyz, 1
+yux.fr, 1
+yuxiangyuan.com, 1
+yuxuan.org, 1
+yuyantang.club, 1
+yuyucn.com, 1
+yuzei.ml, 1
+yuzei.tk, 1
+yuzicare.com, 1
+yuzneri.net, 1
+yuzu.tk, 1
+yuzurisa.com, 1
+yvabph.com, 1
+yvb.moe, 1
+yveslegendre.fr, 0
+yvesx.com, 1
+yveszarkaconsultant.fr, 1
+yvettextreme.com, 1
+yvonnethomet.ch, 1
+yvonnewilhelmi.com, 1
+yw.com, 1
+ywambaguio.org, 1
+ywambutuan.org, 1
+ywamphilippines.org, 1
+ywamshipsphilippines.com, 1
+yx-express.cn, 1
+yxapp10.com, 1
+yxapp20.com, 1
+yxapp30.com, 1
+yxapp43.xyz, 1
+yxapp45.xyz, 1
+yxapp46.xyz, 1
+yxapp47.xyz, 1
+yxapp48.xyz, 1
+yxc.xyz, 1
+yxcpapp08.com, 1
+yxcpapp09.com, 1
+yxcpapp13.com, 1
+yxcpapp14.com, 1
+yxhc.cc, 0
+yxhlz.com, 1
+yxlon.cn, 1
+yxlon.co.jp, 1
+yxlon.com, 1
+yxlon.de, 1
+yxt521.com, 1
+yy-s.net, 1
+yy153.com, 0
+yy366.cc, 0
+yy369.cc, 1
+yy393.com, 0
+yy5197.co, 1
+yy6729.co, 1
+yy6729.com, 1
+yy6957.co, 1
+yy9297.co, 1
+yy9297.com, 0
+yy9721.com, 1
+yy9728.co, 1
+yya.men, 1
+yybx.top, 1
+yyc.city, 1
+yycbike.info, 1
+yyr.im, 1
+yyrss.com, 0
+yyy116.com, 1
+yyy608.com, 1
+yyyy.xyz, 1
+yz86.cc, 1
+yzal.io, 1
+yzarul.com, 1
+yzddd.com, 1
+yzer.club, 1
+yzervast-heestert.be, 1
+yzh8.cc, 1
+yzh8.net, 1
+yzh8.vip, 1
+yzimroni.net, 1
+yzy6666.com, 1
+yzydo.com, 0
+yzyweb.cn, 1
+z-cert.nl, 1
+z-e.eu, 1
+z-epub.com, 1
+z-g-v.nl, 1
+z-kasino.ru, 1
+z-konzept-nutrition.ru, 1
+z-pc.net, 1
+z-rejstejna.cz, 1
+z-vector.com, 1
+z.ee, 1
+z.is, 1
+z.md, 1
+z.mom, 1
+z.org, 1
+z.sh, 1
+z.sv, 1
+z.tl, 1
+z0.pm, 1
+z00228.com, 1
+z0ey.de, 1
+z0rro.net, 1
+z11slot.co, 1
+z1h.de, 1
+z2.fi, 1
+z2a4.com, 1
+z36533.com, 1
+z3marketing.com, 1
+z3r0101.com, 1
+z3s.nl, 1
+z3u5.net, 1
+z3ven.nl, 1
+z4k.de, 1
+z5197.co, 1
+z6.uk, 1
+z6182.com, 1
+z6192.com, 1
+z6218.com, 1
+z6252.com, 1
+z6323.com, 1
+z6359.com, 1
+z6371.com, 1
+z6512.com, 1
+z6519.com, 1
+z6527.com, 1
+z6529.com, 1
+z6573.com, 1
+z6587.com, 1
+z6729.co, 1
+z6729.com, 1
+z6827.com, 1
+z6882.com, 1
+z6897.com, 1
+z6957.co, 1
+z6957.com, 0
+z6wang.com, 1
+z8011.com, 1
+z8012.com, 1
+z8013.com, 1
+z8017.com, 1
+z8023.com, 1
+z8026.com, 1
+z8032.com, 1
+z8038.com, 1
+z8051.com, 1
+z8052.com, 1
+z8053.com, 1
+z8057.com, 1
+z8063.com, 1
+z8066.com, 1
+z8068.com, 1
+z8071.com, 1
+z8079.com, 1
+z8082.com, 1
+z8083.com, 1
+z8086.com, 1
+z8087.com, 0
+z8089.com, 1
+z8106.com, 1
+z8109.com, 1
+z8113.com, 1
+z8120.com, 1
+z8125.com, 1
+z8130.com, 1
+z8132.com, 1
+z8139.com, 1
+z8150.com, 1
+z8170.com, 1
+z8171.com, 1
+z8176.com, 1
+z8177.com, 1
+z8178.com, 1
+z8182.com, 1
+z8187.com, 1
+z8193.com, 1
+z8195.com, 1
+z8196.com, 1
+z8206.com, 1
+z8207.com, 1
+z8209.com, 1
+z8210.com, 1
+z8212.com, 1
+z8218.com, 1
+z8219.com, 1
+z8225.com, 1
+z8226.com, 1
+z8230.com, 1
+z8231.com, 1
+z8232.com, 1
+z82365.com, 1
+z8817.com, 1
+z8826.com, 1
+z8851.com, 1
+z8856.com, 1
+z8861.com, 1
+z8865.com, 1
+z8870.com, 1
+z8875.com, 1
+z8876.com, 1
+z8879.com, 1
+z8891.com, 1
+z8895.com, 1
+z8907.com, 1
+z8908.com, 1
+z8917.com, 1
+z8920.com, 1
+z8922.com, 1
+z9297.co, 1
+z9728.co, 1
+z99944x.xyz, 1
+za.search.yahoo.com, 0
+zaalleatherwear.nl, 1
+zaanlijn.nl, 1
+zaba.training, 1
+zabatsai-sam.tk, 1
+zabbix-monitoring.tk, 1
+zabbix.tips, 1
+zabbixtech.info, 1
+zabe.in, 1
+zaboi.tk, 1
+zabory-klg.ru, 1
+zabszk.net, 1
+zabszk.ovh, 1
+zabukovnik.net, 1
+zac.cy, 1
+zacaloo.com, 1
+zacarias.com.ar, 1
+zacatecasmeetings.com, 1
+zacco.site, 1
+zach.codes, 0
+zacharopoulos.me, 0
+zacharydubois.me, 1
+zacharyschneider.ca, 1
+zacharyschneider.com, 1
+zacharyseguin.ca, 1
+zacharysherman.tk, 1
+zachaysan.com, 1
+zachbolinger.com, 1
+zachborboa.com, 1
+zachfox.photography, 1
+zachgibbens.org, 1
+zachranari.tk, 1
+zachschneider.ca, 1
+zachyang.cn, 1
+zacintosh.com, 1
+zack.today, 0
+zackattack.tk, 1
+zackiarfan.ml, 1
+zacks.eu, 1
+zackzack.at, 1
+zaclys.com, 0
+zad-academy.com, 1
+zadania.wiki, 1
+zadavalka.ru, 1
+zadm.de, 1
+zadrot.tk, 1
+zadroweb.com, 1
+zaelkids.it, 1
+zaem.tv, 1
+zaferaniehearing.com, 1
+zaferbalkan.com, 1
+zaffittv.com, 1
+zaffittv.mx, 1
+zaffke.co, 1
+zafrani.ga, 1
+zagadki-cosmosa.tk, 1
+zagi.net, 1
+zagis.nl, 1
+zagorod.spb.ru, 1
+zagranicablog.tk, 1
+zagruz.tk, 1
+zahari.tk, 1
+zahirdanzavila.com, 1
+zahlensysteme-rechner.de, 1
+zahn-frankl.at, 1
+zahnaerzte-website.de, 1
+zahnarzt-korsos.at, 1
+zahnarzt-kramer.ch, 1
+zahnarzt-kruft.de, 1
+zahnarzt-neudecker.de, 1
+zahnarzt.ac, 1
+zahnarzt.se, 1
+zahnarztpraxis-schaerding.at, 1
+zahnarztpraxis-simone-koch.de, 1
+zahrowski.com, 1
+zaija.tk, 1
+zaim-best.ml, 1
+zaim15min.cf, 1
+zaimdengi.tk, 1
+zaimexpress.cf, 1
+zaimi.ml, 1
+zaimin.ga, 1
+zaimlime.ga, 1
+zaimponuj.pl, 1
+zaimvkredit2.gq, 1
+zaimvkredit3.ga, 1
+zaimvkredit3.gq, 1
+zaimvkredit3.ml, 1
+zaimvkredit4.ml, 1
+zain-hasan.ml, 1
+zainblue.com, 1
+zainzinger.org, 1
+zaitaiguo.com, 1
+zaizaia.cc, 1
+zajc.eu.org, 1
+zajm-bez-otkaza.gq, 1
+zajm-bez-poruchitelej.cf, 1
+zajm-bez-spravok.tk, 1
+zajm-cherez-sms.ml, 1
+zajm-ehkspress.ml, 1
+zajm-na-kartu.tk, 1
+zajm-na-kivi.cf, 1
+zajm-pod-raspisku.cf, 1
+zajm-pod-zalog.ga, 1
+zajm-pod-zalog.gq, 1
+zajmy-contact.cf, 1
+zajmy-contact.ga, 1
+zajmy-contact.gq, 1
+zajmy-contact.tk, 1
+zajsoft.net, 1
+zak.co.at, 1
+zak.org.pl, 1
+zakachat-brauzer.gq, 1
+zakachat-temi.gq, 1
+zakanyszek.hu, 1
+zakaria.website, 1
+zakariya.blog, 1
+zakarotta.ga, 1
+zakarpattya.fun, 1
+zakaz.cf, 1
+zakazbiletov.kz, 1
+zakcutner.com, 1
+zakcutner.uk, 1
+zakelijketaalcursus.nl, 1
+zakes.tk, 1
+zakirov.gq, 1
+zakladam.cz, 1
+zakladki.tk, 1
+zakladybukmacherskie.tv, 1
+zakmccrac.de, 1
+zakojifarm.jp, 1
+zakononline.cf, 1
+zakonu.net.ru, 1
+zakpex.com, 1
+zakr.es, 1
+zakratheme.com, 1
+zakreconysloik.com.pl, 1
+zakrentus-ostrus.space, 1
+zakspartiesandevents.com, 1
+zala.ml, 1
+zalaetavoleibol.tk, 1
+zalan.do, 1
+zalaxx.ddns.net, 1
+zaledia.com, 1
+zalef.tk, 1
+zaleycash.com, 1
+zalgos.xyz, 1
+zalihvoch.ga, 1
+zaloghaz.ro, 1
+zalohovaniburian.cz, 1
+zaltv.com, 1
+zalure.com, 1
+zalvus.com, 1
+zam0th.tk, 1
+zamalektoday.com, 1
+zamarax.com, 1
+zambianewsforum.tk, 1
+zambranopublicidadvideo.com, 1
+zamecnikkladno.cz, 1
+zamenim.tk, 1
+zametkin.tk, 1
+zamki.tk, 1
+zammad.com, 1
+zammad.org, 1
+zamok-love.tk, 1
+zamok.cf, 1
+zamokservis.com, 1
+zamor.com.br, 1
+zamorsky.tk, 1
+zamos.ru, 1
+zamow.co, 1
+zamtech.co.jp, 1
+zanahd.co.za, 1
+zananta.com, 1
+zander.dk, 1
+zandersgroup.com, 1
+zandmhomes.com, 1
+zandra.cf, 1
+zanellidesigns.co.uk, 1
+zaneslaw.com, 1
+zanettimateriais.com.br, 1
+zangerfreddy.tk, 1
+zangerwillem.tk, 1
+zango.com.au, 1
+zankevich.com, 1
+zankevich.net, 1
+zanotti.io, 1
+zanquan.net, 1
+zanreal.net, 1
+zanreal.pl, 1
+zanshinkankarate.com, 1
+zanthed.xyz, 1
+zanthra.com, 1
+zanzariere.roma.it, 1
+zaoai.cf, 1
+zaoai.ga, 1
+zaoai.gq, 1
+zaoai.ml, 1
+zaoai.tk, 1
+zaoext.com, 1
+zaorejas.tk, 1
+zaoren.cf, 1
+zaoren.ga, 1
+zaoren.gq, 1
+zaoren.ml, 1
+zaoren.tk, 1
+zap-mag.ru, 1
+zap-map.com, 1
+zapamini.ml, 1
+zaparoh.com, 1
+zapaska.tk, 1
+zapatilla.com.es, 0
+zapatillas-trekking.com, 1
+zapic.moe, 1
+zapier-staging.com, 1
+zapier.com, 1
+zaplano.tk, 1
+zapmap.com, 1
+zapmaster14.com, 1
+zapnito.com, 1
+zappbuildapps.com, 0
+zappi.io, 1
+zappingarahal.tk, 1
+zappingcuraduria.tk, 1
+zappos, 1
+zapproved.com, 1
+zapreaders.cf, 1
+zaprefy.com, 1
+zapsibir.ru, 1
+zaptorg.xyz, 1
+zapuz.com, 1
+zapzockt.de, 1
+zar-kripto.tk, 1
+zarabiaj.com, 1
+zarabianiewsieci.tk, 1
+zarabizarr.com, 1
+zarabotai-doma.ml, 1
+zarabotki-v-internete.tk, 1
+zarabotok-obzor.ru, 1
+zarabotok-v-internete.ga, 1
+zarabotok-v-internete.gq, 1
+zarabotok-veka.ga, 1
+zarabotok2017.tk, 1
+zarabotok24obzor.ru, 1
+zarabotoker.tk, 1
+zarabotoklaif.tk, 1
+zarabotokvnet.tk, 1
+zarabotokvseti.tk, 1
+zaracraft.tk, 1
+zaramendez.net, 1
+zaratan.fr, 0
+zaratime.com, 1
+zaraweb.net, 1
+zarbis.tk, 1
+zarcik.pl, 1
+zardain.tk, 1
+zarezerwuj-nocleg.com, 1
+zarfla.com, 1
+zarinab.com, 1
+zarja.tk, 1
+zarjadnik.tk, 1
+zarla.com, 1
+zarnu.com, 1
+zarobotok-forum.ga, 1
+zarobotok-forum.gq, 1
+zarobotok-forum.ml, 1
+zarof-fkf.de, 1
+zarok.tv, 1
+zaroktv.com.tr, 1
+zaroktv.krd, 1
+zarra.tk, 1
+zaruhi.ml, 1
+zary.me, 1
+zas4eku.tk, 1
+zaschtnik.ga, 1
+zasolka.guru, 1
+zastawsamochodu.pl, 1
+zastenchivost.tk, 1
+zasudili.ru, 1
+zataz.com, 1
+zatepli.eu, 1
+zaterdagwelpen.tk, 1
+zatp.com, 0
+zatrzymanie.com.pl, 1
+zatsepin.by, 1
+zauberer-bauchredner.ch, 1
+zauberwald.tk, 1
+zaufanatrzeciastrona.pl, 1
+zav-hub.ddns.net, 1
+zavalianis.gr, 1
+zavarkin.tk, 1
+zavec.com.ec, 0
+zavedeno.com, 1
+zaves.tk, 1
+zawo-electric.de, 1
+zawodowe-szkolenia.com, 1
+zayats.tk, 1
+zayavka.cf, 1
+zayavka.ml, 1
+zayla.cz, 1
+zayla.sk, 1
+zaym.tk, 1
+zaympodzalog.cf, 1
+zaympodzalog.ga, 1
+zaympodzalog.gq, 1
+zaympodzalog.ml, 1
+zaympodzalog.tk, 1
+zayzoh.com, 1
+zazaradio.tk, 1
+zazemleno.com, 1
+zazhong.cf, 1
+zazhong.ml, 1
+zazza.tk, 1
+zbanks.cn, 1
+zbarista.co.nz, 1
+zbb.kr, 1
+zberger.com, 1
+zbetcheck.in, 1
+zbib.org, 1
+zbrain.ml, 1
+zbrane-doplnky.cz, 0
+zbrsk.ru, 1
+zbsj.pl, 1
+zbuilderz-lb.com, 1
+zbut.bg, 1
+zbyga.cz, 1
+zbynekuher.cz, 1
+zcapital.ch, 1
+zcarot.com, 1
+zcarrot.com, 1
+zcb.fr, 1
+zcode.tk, 1
+zcompany.ga, 1
+zcompany.tk, 1
+zcon.nl, 1
+zcore.org, 1
+zcr.ca, 1
+zcrypto.ml, 1
+zcwtl.com, 1
+zczc.cz, 1
+zd1010.com, 1
+zd1515.com, 0
+zd209.com, 1
+zd235.com, 0
+zd236.com, 1
+zd273.com, 1
+zd275.com, 1
+zd280.com, 1
+zd303.com, 1
+zd307.com, 1
+zd3434.com, 1
+zd4848.com, 1
+zd623.com, 1
+zd632.com, 1
+zd635.com, 1
+zd6464.com, 1
+zd6565.com, 1
+zd673.com, 1
+zd6862.com, 1
+zd6866.com, 1
+zd6867.com, 1
+zd6879.com, 1
+zd6880.com, 1
+zd6883.com, 1
+zd6885.com, 1
+zd6886.com, 1
+zd6893.com, 1
+zd6898.com, 1
+zd692.com, 1
+zd693.com, 1
+zd726.com, 1
+zd732.com, 1
+zd736.com, 1
+zd753.com, 1
+zd7575.com, 1
+zd759.com, 1
+zd793.com, 1
+zd796.com, 1
+zd803.com, 1
+zd805.com, 1
+zd806.com, 1
+zd826.com, 1
+zd8826.com, 1
+zd8838.com, 1
+zd8839.com, 1
+zd8858.com, 1
+zd8865.com, 1
+zd8869.com, 1
+zd8882.com, 1
+zd9090.com, 1
+zda.ag, 1
+zdbl.de, 1
+zdcs.com, 1
+zdenek-hejl.com, 1
+zdeneklavicky.cz, 1
+zdenekpasek.com, 1
+zdenekpasek.cz, 1
+zdenekspacek.cz, 1
+zdenekvecera.cz, 1
+zdorov-blog.gq, 1
+zdorov.by, 1
+zdorovayasimya.com, 1
+zdorovcentr.ga, 1
+zdorovyj-rebjonok.ru, 1
+zdrapti.tk, 1
+zdrave-konzultace.cz, 1
+zdravec-bg.com, 1
+zdravekonzultace.cz, 1
+zdravesteny.cz, 1
+zdraveziti.eu, 1
+zdravkovic.tk, 1
+zdravnica-polin.com, 1
+zdravshop.sk, 1
+zdravypanak.sk, 1
+zdravystul.cz, 1
+zdrowebodomowe.pl, 1
+zdrowezywienie.edu.pl, 1
+zdxiaoda.me, 1
+zdymak.by, 1
+ze-mag.info, 1
+ze.delivery, 1
+ze3kr.com, 1
+zeadaniel.com, 1
+zeal-and.jp, 1
+zeal-interior.com, 1
+zealar.com.au, 1
+zealworks.jp, 1
+zeanweb.tk, 1
+zeb.fun, 1
+zebbra.ro, 1
+zeblog.tk, 1
+zebra-serwis.pl, 1
+zebradom.ru, 1
+zebraguide.com, 1
+zebravinken.tk, 1
+zebspeech.tk, 1
+zebulon.fr, 1
+zecanard.com, 1
+zecible.fr, 1
+zecircle.xyz, 1
+zeckenhilfe.de, 0
+zectazepia.tk, 1
+zecuur.nl, 1
+zedeko.pl, 1
+zedex.cn, 1
+zednet.tk, 1
+zedshaw.com, 1
+zedtm.ir, 1
+zeedroom.be, 1
+zeeg.me, 1
+zeegeeks.com, 1
+zeegers.family, 1
+zeeheldenwijk-urk.nl, 1
+zeekajakvaren.tk, 1
+zeel.com, 1
+zeelandbrug.tk, 1
+zeeloo.xyz, 1
+zeeshan.website, 0
+zeet.tk, 1
+zeetoppers.nl, 1
+zefort.com, 1
+zegazte.org, 1
+zegels-danst.tk, 1
+zegluje.net, 1
+zeglujemy.net, 1
+zegriesalmansa.tk, 1
+zeguigui.com, 1
+zehdenick-bleibt-bunt.de, 1
+zehka.net, 1
+zehkae.net, 1
+zehnegira.ir, 0
+zehy.de, 1
+zehy.link, 1
+zehy.me, 1
+zehy.net, 1
+zehy.org, 1
+zeibekiko-souvlaki.gr, 1
+zeidlertechnik.de, 1
+zeigren.com, 1
+zeihetecumre.cf, 1
+zeihetecumre.gq, 1
+zeihsel.com, 1
+zeilenmethans.nl, 1
+zeilenvoorondernemers.nl, 1
+zeilenwind.com, 0
+zeilinstructeurs.tk, 1
+zeilles.nu, 1
+zeilschoolneptunus.nl, 1
+zeit.co, 1
+zeit.sh, 1
+zeitgitter.net, 1
+zeitgitter.org, 1
+zeitoununiversity.org, 1
+zeitpunkt-kulturmagazin.de, 1
+zeitschrift-lq.com, 1
+zeitschriftlq.com, 1
+zeitzer-turngala.de, 1
+zekerbewegenhengelo.nl, 1
+zekerheidvanparcelinternational.nl, 1
+zekinteractive.com, 1
+zekra.tk, 1
+zelandnamiru.cz, 1
+zeldaliberty.tk, 1
+zeldamods.org, 1
+zelena-armija.tk, 1
+zelenazeme.cz, 1
+zelendoma.ml, 1
+zeliard.tk, 1
+zelizy.cz, 1
+zelkor.ml, 1
+zelong.tk, 1
+zeloz.xyz, 1
+zelpc.com, 1
+zelvar.cz, 1
+zemledel.info, 1
+zemli.tk, 1
+zemlova.cz, 1
+zemlyaki.ga, 1
+zemlyaki.ml, 1
+zemlyaki.tk, 1
+zemows.industries, 1
+zemtime.com, 1
+zen-solutions.io, 1
+zen-zone.tk, 1
+zenassociates.com, 1
+zenbalans.nl, 1
+zenbox.pl, 1
+zenchain.com, 1
+zencube.ga, 1
+zendarhunters.tk, 1
+zendave.au, 1
+zendev.ga, 1
+zendev.tk, 1
+zendrop.com, 1
+zenerisprojekty.pl, 1
+zenfires.com, 1
+zenfoodbook.com, 1
+zengdong.ren, 1
+zenghuanmin.cn, 0
+zengold.com, 1
+zenideen.com, 1
+zenidees.com, 1
+zeniran.com, 1
+zenisi.com, 1
+zenit505.com, 1
+zenitchik.org, 1
+zenithappliance.co.uk, 1
+zenithmanagement.net, 1
+zenithmedia.ca, 0
+zenithstudylab.org, 1
+zenithvitalcare.com.au, 1
+zenitkft.hu, 1
+zenjify.com, 1
+zenk-security.com, 1
+zenker-hausbau.at, 1
+zenki-manga.tk, 1
+zenkit.com, 1
+zenless.top, 1
+zenlogic.com, 1
+zenluxuryliving.com, 1
+zenmail.ga, 1
+zenmassageusa.com, 1
+zenmod.in.rs, 1
+zeno-dev.com, 1
+zenon.at, 1
+zenon.eu, 1
+zenpromo.ru, 1
+zenrtal-online-russia.ml, 1
+zenseal.co.uk, 1
+zenspace.us, 1
+zenstack.nl, 1
+zenstore.it, 1
+zenti-im-zug.de, 1
+zenti.cloud, 1
+zentoid.com, 1
+zentouch.gq, 1
+zentoy.club, 1
+zentrumfuerchemie.de, 1
+zenvia.com, 1
+zenvideocloud.com, 1
+zenvite.com, 1
+zenways.io, 1
+zeocax.com, 0
+zep.us, 1
+zephyrbk.com, 1
+zephyrbookkeeping.com, 1
+zephyretcoraline.com, 1
+zepig.nl, 1
+zeplin.io, 1
+zeppelflix.de, 1
+zeppelin.ml, 1
+zepter.cf, 1
+zepter.ga, 1
+zepter.gq, 1
+zepter.ml, 1
+zer0.de, 0
+zercutie.com, 1
+zerg.uk, 1
+zergy.net, 1
+zerium.ml, 1
+zerknij.tv, 1
+zerm.eu, 1
+zerm.link, 1
+zero-knigi.ml, 1
+zero-link.com, 1
+zero-sole.com, 1
+zero-stress.net, 1
+zero.lgbt, 1
+zerobelow.net, 1
+zerobelow.org, 1
+zerobounce.net, 1
+zerocalc.be, 1
+zerocash.msk.ru, 1
+zerocms.fr, 1
+zerocomputer.tk, 1
+zerocool.io, 1
+zerocz.eu, 0
+zerodeathsmd.gov, 1
+zerodensity.tv, 1
+zerodhareview.co, 1
+zerodoubtclub.com, 1
+zerofox.gq, 1
+zerofy.de, 0
+zerogamestore.ir, 1
+zerohash.com, 1
+zerohouse.co, 1
+zeroknowledge.me, 1
+zeroland.top, 0
+zerolime.se, 1
+zerolink.click, 1
+zerolink.es, 1
+zeromaxmoving.com, 1
+zeromoment.marketing, 1
+zeronedefi.com, 1
+zeronet.io, 1
+zeroplast24.ru, 1
+zeropoint.bg, 1
+zerosector.io, 1
+zeroseteatacado.com.br, 1
+zerotoleranceclan.tk, 1
+zerotoone.de, 1
+zerotrust.plus, 1
+zerotwo.ga, 1
+zerout.in, 0
+zerowastesonoma.gov, 1
+zeroz.cf, 1
+zeroz.ga, 1
+zeroz.gq, 1
+zeroz.ml, 1
+zerozero.gq, 1
+zertif.info, 1
+zertifikatsshop.de, 1
+zerto.com, 1
+zerty.de, 0
+zeryn.net, 1
+zesgoes.nl, 1
+zeshanfoundation.org, 0
+zespia.tw, 0
+zestedesavoir.com, 1
+zesty.co, 1
+zestylemon.co.uk, 1
+zeta.co.za, 1
+zeta.hk, 1
+zetadisseny.es, 1
+zetaglobal.com, 0
+zetamode.com, 1
+zetasystem.jp, 1
+zetflix.pro, 1
+zetflix.zone, 1
+zetokatowice.pl, 1
+zettahertz.com, 1
+zettaplan.ru, 1
+zettaport.com, 1
+zettlmeissl.de, 1
+zety.com, 1
+zety.es, 1
+zety.fr, 1
+zeus.gent, 1
+zeus.wang, 1
+zeuscorp.ga, 1
+zeusec.co.jp, 1
+zeusembroidery.com.au, 1
+zeusindia.tk, 1
+zevelev.net, 1
+zevenbergenbos.tk, 1
+zevlee.me, 1
+zewtie.com, 1
+zeynabacademy.com, 1
+zeyneleroglu.com.tr, 1
+zeyoking.com, 1
+zezov.com, 1
+zf.com, 1
+zfast.com.br, 1
+zfg.li, 1
+zfid.pl, 1
+zfj.hk, 1
+zfj.la, 0
+zfj.lu, 0
+zfl-site.top, 1
+zfly.me, 1
+zfpsystems.com, 1
+zfree.co.nz, 1
+zfxhzc.blog, 1
+zfyl8.com, 1
+zg-dyw.net, 1
+zgan.ga, 1
+zgmining.com, 0
+zgndh.com, 1
+zgrep.org, 1
+zgyl8.ml, 1
+zh.fyi, 1
+zh.search.yahoo.com, 0
+zhabababa.gq, 1
+zhabagly.com, 1
+zhabthra.com, 1
+zhamolov.tk, 1
+zhan.moe, 1
+zhana-auen.tk, 1
+zhang-hao.com, 1
+zhang.fm, 1
+zhang.ge, 1
+zhang14386.love, 1
+zhangda.xyz, 0
+zhangfangzhou.com, 1
+zhangjet.com, 1
+zhangjing.space, 1
+zhanglizhi.ml, 1
+zhangmenglong.cn, 1
+zhangpeng.ai, 1
+zhangwendao.com, 1
+zhangxiong.work, 1
+zhangyiming.tech, 1
+zhangyuhao.com, 0
+zhankon.com, 0
+zhanxiangyang.com, 1
+zhanzhangb.com, 1
+zhaochen.xyz, 1
+zhaochengtan.com, 1
+zhaodao.ai, 1
+zhaoeq.com, 1
+zhaofeng.li, 0
+zhaohanman.com, 1
+zhaojin97.cn, 0
+zhaopage.com, 1
+zhaostephen.com, 1
+zhaoxixiangban.cc, 1
+zhaozhiru.com, 1
+zhattyt.com, 0
+zhbot.org, 1
+zhceres.com, 1
+zhcexo.com, 1
+zhdun.tk, 1
+zhelanie.ml, 1
+zheldor-dance.ga, 1
+zheldorinform.ga, 1
+zheltyy.at, 1
+zhen-chen.com, 1
+zhengjie.com, 1
+zhengouwu.com, 1
+zhengshu.online, 1
+zhenic.ir, 1
+zhenn.fr, 1
+zhenyan.org, 1
+zhestokiemechtyi.tk, 1
+zhestokijavtor.tk, 1
+zhi.ci, 1
+zhiboba.fun, 1
+zhidkiy-kashtan.ga, 1
+zhih.me, 1
+zhihua-lai.com, 1
+zhijikaoyan.com, 1
+zhikin.com, 1
+zhiku8.com, 1
+zhima.io, 1
+zhimajk.com, 1
+zhimingwang.org, 1
+zhina.wiki, 1
+zhinood.com, 1
+zhis.ltd, 1
+zhitanska.com, 1
+zhivoe.tk, 1
+zhixiu.com, 1
+zhiyulife.pp.ua, 1
+zhizi.ca, 1
+zhl123.com, 1
+zhodani.space, 1
+zhodino.cf, 1
+zhodino.ga, 1
+zhongai.com, 1
+zhonghongshunlian.com, 1
+zhongqiao.com, 1
+zhongxigo.com, 1
+zhongzicili.ws, 1
+zhongzilou.com, 1
+zhouba.cz, 1
+zhoujianghan.com, 0
+zhoujiashu.com, 1
+zhoujunlawer.ml, 1
+zhoukan.fun, 0
+zhoukz.com, 1
+zhousiru.com, 1
+zhoutiancai.cn, 1
+zhouyipro.com, 1
+zhouzanxi.com, 1
+zhovner.com, 1
+zhthings.com, 1
+zhuangqiu.com, 1
+zhuji.com, 1
+zhuji.com.cn, 1
+zhuji.org, 1
+zhuji5.com, 1
+zhujicaihong.com, 1
+zhujiceping.com, 1
+zhujike.com, 1
+zhujike.net, 1
+zhukaev.ml, 1
+zhuktrans.msk.ru, 1
+zhumadilov.kz, 1
+zhunlink.com, 1
+zhuoyuelicai.com, 1
+zhuqiang.com, 1
+zhurnalyu.ga, 1
+zhyz.nl.eu.org, 1
+zhz.moe, 1
+zi.is, 1
+zi5.net, 1
+ziad87.net, 1
+ziai.cf, 1
+ziai.ga, 1
+ziai.gq, 1
+ziai.ml, 1
+ziaiai.com, 1
+ziarajoias.com.br, 1
+ziaulnmonzur.tk, 1
+zidanpainting.com, 0
+ziddea.com, 1
+ziegenhagel.com, 1
+ziegler-heizung-frankfurt.de, 1
+ziemlich-zackig.de, 1
+ziemlichzackig.de, 1
+zifoapptest.com, 1
+ziftone.com, 1
+zigao.info, 1
+zigarn.com, 1
+ziggi.tk, 1
+ziggletech.com, 1
+ziggo.nl, 1
+zighinetto.org, 1
+zigoomar.tk, 1
+zigottos.fr, 1
+zigsphere.com, 0
+zigzagmart.com, 1
+zihao.me, 0
+zihari.com, 1
+zihun.club, 1
+zij-aan-zij.be, 1
+zijinbor.com, 1
+zijingbt.cn, 1
+zijingbt.com, 1
+zijingbt.net, 1
+zijn.co.zw, 1
+zijspancross.tk, 1
+zikinf.com, 1
+zikipedia.ml, 1
+zikirakhirzaman.com, 1
+ziledelaultimagafaavioricai.ro, 1
+ziliotti.com.br, 1
+zilla-sushi.tk, 1
+zillertaleralpen.net, 1
+zilon.com.co, 1
+zilore.com, 1
+zilpay.io, 1
+zilsen.com, 1
+zilsoft.net, 0
+zilv.life, 1
+zilver.nl, 1
+zilverwater.tk, 1
+zima-lito.tk, 1
+zima.io, 1
+zimaoxy.com, 1
+zimbromotor.pt, 1
+zimhosiery.com, 1
+zimiao.moe, 1
+zimkaru.ga, 1
+zimmer-voss.de, 1
+zimperium.com, 1
+zimpler.com, 1
+zinabnews.tk, 1
+zinchenko.gq, 1
+zindagilive.tk, 1
+zindec.com, 1
+zinewords.com, 1
+zingermans.com, 1
+zinglix.xyz, 1
+zingpetfood.com, 1
+zinhar.tk, 1
+zinkmetselwerken.nl, 1
+zinnov.com, 1
+zinnowitzer-ferienwohnung.de, 1
+zinsserplasticsurgery.com, 1
+zio-enzo.eu, 1
+zion-craft.tk, 1
+zionaesthetics.com.sg, 1
+ziondrive.com.br, 1
+zionladderp.com, 1
+zionsvillelocksmiths.com, 1
+ziontech.eu.org, 1
+zip, 1
+zip4.pl, 1
+zipalerts.com, 1
+ziparcfhive.ga, 1
+zipatlas.com, 1
+zipjobs.com, 1
+zipkey.de, 1
+zippie.tk, 1
+zippo-days.me, 0
+zippricami.com, 1
+zippyshare.com, 1
+ziprecruiter.com, 1
+ziqijiang.com, 0
+zir-online.com, 1
+zir.com.ua, 1
+ziraatweb.com, 1
+zircly.com, 1
+zireon.tk, 1
+zirka24.net, 1
+ziroh.be, 1
+ziroux.net, 1
+zirrka.de, 1
+zisoo.nl, 1
+zistemo.com, 1
+zitadel.ch, 0
+zitadel.cloud, 1
+zitadel.com, 1
+zithromaxstrepthroat.gq, 1
+zitobox.com, 1
+zitseng.com, 1
+zitstabureau24.nl, 1
+zivava.ge, 1
+zivot.org, 1
+zivotbezkrutosti.cz, 1
+zivotsdietou.cz, 1
+zivyruzenec.cz, 1
+zixiao.wang, 1
+zixin.com, 1
+ziya.ng, 1
+ziz.exchange, 0
+ziz.nl, 1
+zizcollections.com, 1
+zizibook.ml, 1
+zizin.tk, 1
+zizoled.com, 1
+zjawa.pro, 1
+zjc3.com, 1
+zjeunesse.com, 1
+zjsnrwiki.com, 1
+zju.tv, 1
+zjuqsc.com, 1
+zjy7722.ml, 1
+zjyoulian.cn, 1
+zk.gd, 1
+zk9.nl, 1
+zkbitcoin.com, 1
+zking.ga, 1
+zklcdc.top, 0
+zko.pub, 1
+zkocdn.com, 1
+zkoclub.cn, 1
+zkoclub.com, 1
+zkontrolujsiauto.cz, 1
+zkrd.de, 1
+zkvi.nl, 1
+zkwolf.top, 1
+zl-19.com, 1
+zl-29.com, 1
+zl-59.com, 1
+zl-89.com, 1
+zl.lv, 1
+zl0707.com, 1
+zl071.com, 1
+zl0909.com, 1
+zl0iu.com, 1
+zl1212.com, 1
+zl1515.com, 1
+zl2020.com, 1
+zl2020.vip, 1
+zl2121.com, 1
+zl2727.com, 1
+zl2929.com, 1
+zl2toy.com, 1
+zl335.com, 1
+zl3737.com, 1
+zl4231.com, 1
+zl4290.com, 1
+zl5151.com, 1
+zl6161.com, 1
+zl6868.com, 1
+zl7070.com, 1
+zl7077.com, 1
+zl7171.com, 1
+zl7979.com, 1
+zl8383.com, 1
+zl850.com, 1
+zl861.com, 1
+zl8686.com, 1
+zl8787.com, 1
+zl8824.com, 1
+zl9191.com, 1
+zl969.com, 1
+zl9696.com, 1
+zl9898.com, 1
+zlarin.tk, 1
+zlatakus.cz, 1
+zlatamira.ru, 1
+zlatan-ibrahimovic.tk, 1
+zlatanonline.tk, 1
+zlato.ua, 1
+zlatom.ru, 1
+zlavomat.sk, 1
+zlc1994.com, 1
+zlhuodong.vip, 1
+zlima12.com, 1
+zlogin.nl, 1
+zlotykameleon.tk, 1
+zlotyslawecin.tk, 1
+zloybot.tk, 1
+zlpa.loan, 1
+zlr.hu, 1
+zlypi.com, 1
+zman.co.il, 1
+zmarta.org, 1
+zmc.com.sa, 1
+zmessages.com, 0
+zmeya.tk, 1
+zmgroup.cz, 1
+zmiguel.me, 1
+zmk.fr, 1
+zmprjg.ml, 1
+zms-qs.de, 1
+zmuda.tk, 1
+zmy.im, 0
+zmy666.com, 1
+znachenie-sna.cf, 1
+znachenie-sna.ga, 1
+znachenie-sna.ml, 1
+znachenie-sna.tk, 1
+znaj.ua, 1
+znajdzprzodka.pl, 1
+znakomim.cf, 1
+znakomstva-2013.tk, 1
+znakomstva.gq, 1
+znakomstvablogs.tk, 1
+znakomstvatochka.tk, 1
+znakomstvo.tk, 1
+znalec-okna.cz, 1
+znanie-sila.tk, 1
+znanio.ru, 1
+znanium.com, 1
+znaniya.cf, 1
+znanje.gq, 1
+znation.nl, 1
+znau.ru, 1
+znbr.com, 1
+znd.jp, 1
+znews.vn, 1
+znhglobalresources.com, 1
+znich.tk, 1
+znidar.org, 1
+zniis.ru, 1
+zning.net.cn, 1
+znjc.top, 1
+znowuwrocisz.pl, 1
+znwvw.net, 1
+zobraz.cz, 1
+zochowskiplasticsurgery.com, 1
+zockenbiszumumfallen.de, 1
+zocode.tk, 1
+zocoxx.com, 1
+zode.co, 1
+zodgame.fun, 0
+zodgame.xyz, 1
+zodiac.rs, 1
+zodiacohouses.com, 1
+zodiaconline.com, 1
+zodiak.tk, 1
+zodii.bg, 1
+zoedijital.com, 1
+zoefmasters.be, 1
+zoepolitics.cf, 1
+zoepolitics.ga, 1
+zoepolitics.gq, 1
+zoepolitics.ml, 1
+zoeyachicstore.biz.id, 1
+zoeyvid.de, 1
+zof.kh.ua, 1
+zoflora.co.uk, 1
+zofran-medication.cf, 1
+zofran.ga, 1
+zofran.gq, 1
+zofrancost.ga, 1
+zofrangeneric.ga, 1
+zofranprice.ga, 1
+zofrex.com, 0
+zofzpcb.com, 1
+zogatest.tk, 1
+zogevikst.nl, 1
+zohditech.com, 1
+zohomon.com, 1
+zoidberg.tv, 1
+zoigl.club, 1
+zoisfinefood.fr, 1
+zojadravai.com, 1
+zok-ambicija.tk, 1
+zokdl.zp.ua, 1
+zoki.art, 1
+zoko.tk, 1
+zokuomthawn.tk, 1
+zollernalbtour.de, 1
+zollo-hauswartung.ch, 1
+zollprozess.ch, 1
+zoloft-medication.ml, 1
+zoloftmedication.gq, 1
+zoloftpills.tk, 1
+zoloftprice.cf, 1
+zolondek.ca, 1
+zolotie-ptichki.tk, 1
+zolotistyi-kofe.gq, 1
+zolotoinform.ru, 1
+zolotoioasis.ml, 1
+zolotoy-standart.com.ua, 1
+zolotoyscorpion.ru, 1
+zoltanmatanyi.com, 1
+zolucky.com, 1
+zolushka-1950.tk, 1
+zolw.info, 1
+zom.bi, 1
+zomatree.live, 1
+zombie-40th.com, 1
+zombie.cam, 1
+zombieclown.com, 1
+zombiecomponents.com, 1
+zombiecrowinc.tk, 1
+zombielandkf.tk, 1
+zombieloadattack.com, 1
+zombiemix.tk, 1
+zombiepassions.com, 1
+zombiesecured.com, 1
+zombmage.tk, 1
+zomerschoen.nl, 1
+zomiac.pp.ua, 1
+zona-bellepop.tk, 1
+zona-japonesa.tk, 1
+zonadetestes.com, 1
+zonadjadoel.com, 1
+zonagioco.it, 1
+zonagratisan.ga, 1
+zonainuyasha.tk, 1
+zonajogo.br.com, 1
+zonanews.tk, 1
+zonaperu.tk, 1
+zonaquimica.tk, 1
+zonarumbera.tk, 1
+zonatelevision.tk, 1
+zondervanacademic.com, 1
+zone-de-confiance.fr, 1
+zone-hack.tk, 1
+zone-sys.jp, 1
+zone.ee, 1
+zone.eu, 1
+zone.fi, 1
+zone3000.tk, 1
+zone39.com, 1
+zoneadsl.com, 1
+zoneaffiliation.com, 1
+zoneblog.tk, 1
+zonecheck.org, 1
+zonecloud.ee, 1
+zonehomesolutions.com, 1
+zonemaster.fr, 1
+zonemaster.net, 1
+zonepdf.com, 1
+zones.com, 1
+zonesec.org, 1
+zonesons.com, 1
+zonewatcher.com, 1
+zongboao.com, 1
+zongheng3d.com, 1
+zonglovani.info, 1
+zongzi.zone, 1
+zonky.cz, 1
+zonky.de, 1
+zonneglossis.tk, 1
+zonnenberg.de, 1
+zonnigzieuwent.nl, 1
+zontractors.com, 1
+zoo-dog.ru, 1
+zoo-tver.ru, 1
+zoo.org.au, 1
+zoo24.de, 1
+zooforum.tk, 1
+zoogbook.ml, 1
+zooish.net, 1
+zook.pw, 1
+zook.systems, 1
+zook.tk, 1
+zookids.uy, 1
+zoola.io, 1
+zoolaboo.de, 1
+zoological-gardens.eu, 1
+zoom-eco.net, 1
+zoom.earth, 1
+zoomaal.com, 1
+zoomcar.pro, 1
+zoomek.com, 1
+zoomerhost.com, 1
+zoomgov.com, 1
+zoomir-ra.ru, 1
+zoomsphere.com, 1
+zoon-editor.com, 1
+zoones.net, 1
+zooom.azurewebsites.net, 1
+zooom2.azurewebsites.net, 1
+zoop.ml, 0
+zooparadies.eu, 1
+zoopix.ir, 1
+zooplankton.no, 1
+zoosfera12.ru, 1
+zoot.org, 1
+zootime.net, 1
+zootime.org, 1
+zoowiki.us, 1
+zooxdata.com, 1
+zopyx.com, 1
+zor.com, 1
+zorasvobodova.cz, 1
+zorgclustertool.nl, 1
+zorgenvoorandrea.be, 1
+zorgenvoorherena.be, 1
+zorgenvoorjean.be, 1
+zorgenvoormaria.be, 1
+zorghuys.nl, 1
+zorgnetwerkenabr.nl, 1
+zorgonderwijsnu.nl, 1
+zorgvanoranje.nl, 0
+zorgverzekeringslijn.nl, 1
+zorig.ch, 1
+zork.ca, 1
+zorkin.uz, 1
+zornica.tk, 1
+zorntt.fr, 0
+zorox.sex, 1
+zorro.management, 1
+zorte.net, 1
+zorz.info, 1
+zorzorfm.ml, 1
+zoske.it, 1
+zotan.email, 1
+zotan.network, 1
+zotan.photography, 1
+zotan.photos, 1
+zotan.pictures, 1
+zotan.services, 1
+zotan.stream, 1
+zotan.studio, 1
+zotan.systems, 1
+zotero.org, 1
+zoto.ga, 1
+zottika.com, 1
+zotum.net, 1
+zouaouitransport.fr, 1
+zoubaa.de, 0
+zouk.info, 1
+zouyaoji.top, 1
+zova.io, 1
+zovirax-cream.gq, 1
+zovirax-cream.ml, 1
+zovoscitvfu.cz, 1
+zowe.ru, 1
+zoznamka.tk, 1
+zoznamrealit.sk, 1
+zozzle.co.uk, 1
+zp25.ninja, 1
+zpapieru.pl, 1
+zpasathagroup.com, 1
+zpc.st, 1
+zphmetalus.pl, 1
+zpider.cloud, 1
+zporno.sex, 1
+zpozdeno.cz, 1
+zpozdrowieniem.pl, 1
+zprogramming.tk, 1
+zq.com.sg, 1
+zqwqz.org, 1
+zrali.com, 1
+zravyobrazky.cz, 1
+zravypapir.cz, 1
+zrejstejna.cz, 1
+zrgmedical.com, 1
+zrinski.tk, 1
+zrkhosting.com, 1
+zrkr.de, 1
+zrniecka-pre-sny.sk, 1
+zrnieckapresny.sk, 1
+zrobysama.com.ua, 1
+zrodla.org, 1
+zrs-meissen.de, 1
+zrucne.cz, 1
+zry.io, 1
+zs6688.cc, 0
+zsaqwq.com, 1
+zscaler.es, 1
+zscales.com, 0
+zsdublovice.cz, 1
+zseartcc.org, 1
+zselicivt.hu, 1
+zshmvp.com, 1
+zsien.cn, 1
+zsnm.pl, 1
+zsofit.com.au, 1
+zsoltbereczki.tk, 1
+zsplesivec.cz, 1
+zsq.im, 1
+zsrbcs.com, 1
+zstgmnachod.cz, 1
+zsyaolong.com, 0
+zt360.net, 1
+zta.training, 1
+ztable.io, 1
+ztbro.com, 1
+ztctarrin.com, 1
+zten.org, 1
+ztickerz.nl, 1
+ztmovies.cf, 1
+ztn.sh, 1
+ztu75.ru, 1
+ztv.su, 1
+ztylez.com, 1
+zuan-in.com, 1
+zuan-in.net, 1
+zubby.com, 1
+zubel.it, 0
+zubenciy.tk, 1
+zubilo-perm.ru, 1
+zubnivodni.cz, 1
+zubprotez.ru, 1
+zubr.net, 1
+zubro.net, 0
+zucalgrappe.it, 1
+zudomc.me, 1
+zuefle.net, 1
+zuehlcke.de, 1
+zuehlke-coaching.de, 1
+zuffel.com, 1
+zufuribita.tk, 1
+zug-anwalt.de, 0
+zuhausejobs.at, 1
+zuhausejobs.com, 1
+zuhauserealestate.com, 0
+zuhur2021.tk, 1
+zui.moe, 1
+zuiai.tv, 1
+zuiderlokaal.nl, 1
+zuidplein.nl, 1
+zuijia.com, 1
+zuim.de, 1
+zuitaotu.com, 1
+zuivelonline.nl, 1
+zuiverjegeest.nl, 1
+zukonar.ru, 1
+zukong.party, 1
+zukunft-mobilitaet.net, 1
+zukunftswege.at, 1
+zula.africa, 1
+zulaoyun.ml, 1
+zulfumehmet.tk, 1
+zulu.ro, 1
+zum-baur.de, 1
+zum-ziegenhainer.de, 1
+zumba-oostende.be, 1
+zumba.com, 1
+zumberak.tk, 1
+zummoricambi.com, 1
+zumtaedanceschool.co.za, 1
+zumturm.org, 1
+zumub.com, 1
+zumwildenaffen.com, 1
+zund-app.com, 1
+zundapp.one, 1
+zundapp529.nl, 1
+zundappachterhoek.nl, 1
+zunlong0.com, 1
+zuoai.net, 1
+zuomin.tk, 1
+zupit.it, 1
+zuppy.pm, 1
+zurgl.com, 1
+zurich.co.uk, 1
+zurmas-design.tk, 1
+zuru.ml, 1
+zuru.tk, 1
+zusammen-grossartig.de, 1
+zusjesvandenbos.nl, 1
+zuss.tk, 1
+zusterjansen.nl, 1
+zutobi.com, 0
+zuu.fi, 1
+zuviel.space, 1
+zuyzi.com, 1
+zuzu-market.ru, 1
+zuzulatomas.eu, 1
+zuzumba.es, 1
+zvcdn.de, 1
+zvejonys.lt, 1
+zverovod.info, 1
+zverskij-site.tk, 1
+zvezdy-porno.ml, 1
+zvps.uk, 1
+zvukipro.com, 1
+zvvtheboys.tk, 1
+zvxr.net, 1
+zvz.im, 1
+zwartendijkstalling.nl, 1
+zwedenautohuur.nl, 1
+zwemclub-rob.nl, 1
+zwemschooldezwaantjes.tk, 1
+zwergenfeste.ch, 1
+zwergenfreiheit.at, 1
+zwerimex.com, 1
+zwerkandsons.com, 1
+zwhblog.xyz, 0
+zwickau.de, 1
+zwilla.de, 1
+zwit.au, 1
+zwit.org, 1
+zwitserlandautohuur.nl, 1
+zwitterion.au, 1
+zwitterion.org, 1
+zwk.de, 1
+zwofroue.ch, 1
+zwollemag.nl, 1
+zwollemagazine.nl, 1
+zwr.de, 1
+zwrotzalot.pl, 1
+zwy.ch, 0
+zwyr157wwiu6eior.com, 1
+zwz.cz, 1
+zx1168.com, 0
+zxcs.wiki, 1
+zxdsj1.com, 1
+zxe.com.br, 1
+zxfiles.tk, 1
+zxity.co.uk, 1
+zxity.ltd, 1
+zxity.uk, 1
+zxssl.com, 0
+zxtcode.com, 1
+zy.md, 1
+zy.si, 1
+zybbo.com, 0
+zycao.com, 0
+zycie.news, 1
+zyciedirect.pl, 1
+zyciepl.com, 1
+zycjd.com, 0
+zycrypto.com, 1
+zydecozityradio.tk, 1
+zydronium.com, 1
+zydronium.nl, 1
+zyep.org, 1
+zyex.vip, 1
+zygfrydadamski.tk, 1
+zygmuntsergio.com, 1
+zygozoon.com, 1
+zyiaactive.com, 1
+zylai.com, 1
+zylai.net, 1
+zylo.com, 1
+zymewire.com, 1
+zymmm.com, 1
+zyno.space, 1
+zypernreisen.com, 1
+zypr.pw, 1
+zyrex.eu.org, 1
+zyria.de, 1
+zyrillezuno.com, 1
+zyshow.co, 1
+zyshow.net, 1
+zythom.fr, 1
+zythromax.ga, 1
+zyul.ddns.net, 1
+zywave.co.uk, 1
+zyx3d.tk, 1
+zyzardx.com, 1
+zz5197.co, 1
+zz6729.co, 1
+zz6729.com, 0
+zz6957.co, 1
+zz772.com, 0
+zz9297.co, 1
+zz9728.co, 1
+zz993.com, 1
+zzadmin.de, 1
+zzcc.de, 0
+zzcc.loan, 1
+zzekj.net, 1
+zzf.red, 1
+zzls.xyz, 1
+zzops.eu, 1
+zzops.net, 1
+zzops.nl, 1
+zzops.org, 1
+zzphuis.nl, 1
+zzsec.org, 1
+zzw.ca, 1
+zzz-diary.com, 1
+zzzmode.com, 1
+zzzz365.com, 0
+zzzzz.click, 1
+%%
diff --git a/security/manager/ssl/nsSecureBrowserUI.cpp b/security/manager/ssl/nsSecureBrowserUI.cpp
new file mode 100644
index 0000000000..4f56d7319f
--- /dev/null
+++ b/security/manager/ssl/nsSecureBrowserUI.cpp
@@ -0,0 +1,168 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsSecureBrowserUI.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Unused.h"
+#include "mozilla/dom/Document.h"
+#include "nsContentUtils.h"
+#include "nsIChannel.h"
+#include "nsDocShell.h"
+#include "nsIDocShellTreeItem.h"
+#include "nsIInterfaceRequestorUtils.h"
+#include "nsITransportSecurityInfo.h"
+#include "nsIWebProgress.h"
+#include "nsNetUtil.h"
+#include "mozilla/dom/CanonicalBrowsingContext.h"
+#include "mozilla/dom/WindowGlobalParent.h"
+#include "mozilla/dom/Element.h"
+#include "nsIBrowser.h"
+
+using namespace mozilla;
+using namespace mozilla::dom;
+
+LazyLogModule gSecureBrowserUILog("nsSecureBrowserUI");
+
+nsSecureBrowserUI::nsSecureBrowserUI(CanonicalBrowsingContext* aBrowsingContext)
+ : mState(0) {
+ MOZ_ASSERT(NS_IsMainThread());
+
+ // The BrowsingContext will own the SecureBrowserUI object, we keep a weak
+ // ref.
+ mBrowsingContextId = aBrowsingContext->Id();
+}
+
+NS_IMPL_ISUPPORTS(nsSecureBrowserUI, nsISecureBrowserUI,
+ nsISupportsWeakReference)
+
+NS_IMETHODIMP
+nsSecureBrowserUI::GetState(uint32_t* aState) {
+ MOZ_ASSERT(NS_IsMainThread());
+ NS_ENSURE_ARG(aState);
+
+ MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
+ ("GetState %p mState: %x", this, mState));
+ *aState = mState;
+ return NS_OK;
+}
+
+void nsSecureBrowserUI::RecomputeSecurityFlags() {
+ // Our BrowsingContext either has a new WindowGlobalParent, or the
+ // existing one has mutated its security state.
+ // Recompute our security state and fire notifications to listeners
+
+ RefPtr<WindowGlobalParent> win = GetCurrentWindow();
+ mState = nsIWebProgressListener::STATE_IS_INSECURE;
+
+ // Only https is considered secure (it is possible to have e.g. an http URI
+ // with a channel that has a securityInfo that indicates the connection is
+ // secure - e.g. h2/alt-svc or by visiting an http URI over an https proxy).
+ nsCOMPtr<nsITransportSecurityInfo> securityInfo;
+ if (win && win->GetIsSecure()) {
+ securityInfo = win->GetSecurityInfo();
+ if (securityInfo) {
+ MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
+ (" we have a security info %p", securityInfo.get()));
+
+ nsresult rv = securityInfo->GetSecurityState(&mState);
+
+ // If the security state is STATE_IS_INSECURE, the TLS handshake never
+ // completed. Don't set any further state.
+ if (NS_SUCCEEDED(rv) &&
+ mState != nsIWebProgressListener::STATE_IS_INSECURE) {
+ MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
+ (" set mTopLevelSecurityInfo"));
+ bool isEV;
+ rv = securityInfo->GetIsExtendedValidation(&isEV);
+ if (NS_SUCCEEDED(rv) && isEV) {
+ MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, (" is EV"));
+ mState |= nsIWebProgressListener::STATE_IDENTITY_EV_TOPLEVEL;
+ }
+ }
+ }
+ }
+
+ // Add upgraded-state flags when request has been
+ // upgraded with HTTPS-Only Mode
+ if (win) {
+ // Check if top-level load has been upgraded
+ uint32_t httpsOnlyStatus = win->HttpsOnlyStatus();
+ if (!(httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UNINITIALIZED) &&
+ !(httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
+ mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED;
+ }
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST) {
+ if (win->GetDocumentURI()->SchemeIs("https")) {
+ mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST;
+ } else {
+ mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED;
+ }
+ }
+ // Add the secruity flags from the window
+ mState |= win->GetSecurityFlags();
+ }
+
+ // If we have loaded mixed content and this is a secure page,
+ // then clear secure flags and add broken instead.
+ static const uint32_t kLoadedMixedContentFlags =
+ nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT |
+ nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT;
+ if (win && win->GetIsSecure() && (mState & kLoadedMixedContentFlags)) {
+ // reset state security flag
+ mState = mState >> 4 << 4;
+ // set state security flag to broken, since there is mixed content
+ mState |= nsIWebProgressListener::STATE_IS_BROKEN;
+ }
+
+ RefPtr<CanonicalBrowsingContext> ctx =
+ CanonicalBrowsingContext::Get(mBrowsingContextId);
+ if (!ctx) {
+ return;
+ }
+
+ if (ctx->GetDocShell()) {
+ nsDocShell* nativeDocShell = nsDocShell::Cast(ctx->GetDocShell());
+ nativeDocShell->nsDocLoader::OnSecurityChange(nullptr, mState);
+ } else if (ctx->GetWebProgress()) {
+ ctx->GetWebProgress()->OnSecurityChange(nullptr, nullptr, mState);
+ }
+}
+
+NS_IMETHODIMP
+nsSecureBrowserUI::GetIsSecureContext(bool* aIsSecureContext) {
+ MOZ_ASSERT(NS_IsMainThread());
+ NS_ENSURE_ARG(aIsSecureContext);
+
+ if (WindowGlobalParent* parent = GetCurrentWindow()) {
+ *aIsSecureContext = parent->GetIsSecureContext();
+ } else {
+ *aIsSecureContext = false;
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsSecureBrowserUI::GetSecInfo(nsITransportSecurityInfo** result) {
+ MOZ_ASSERT(NS_IsMainThread());
+ NS_ENSURE_ARG_POINTER(result);
+
+ if (WindowGlobalParent* parent = GetCurrentWindow()) {
+ *result = parent->GetSecurityInfo();
+ }
+ NS_IF_ADDREF(*result);
+
+ return NS_OK;
+}
+
+WindowGlobalParent* nsSecureBrowserUI::GetCurrentWindow() {
+ RefPtr<CanonicalBrowsingContext> ctx =
+ CanonicalBrowsingContext::Get(mBrowsingContextId);
+ if (!ctx) {
+ return nullptr;
+ }
+ return ctx->GetCurrentWindowGlobal();
+}
diff --git a/security/manager/ssl/nsSecureBrowserUI.h b/security/manager/ssl/nsSecureBrowserUI.h
new file mode 100644
index 0000000000..a71d9ebde4
--- /dev/null
+++ b/security/manager/ssl/nsSecureBrowserUI.h
@@ -0,0 +1,53 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsSecureBrowserUIImpl_h
+#define nsSecureBrowserUIImpl_h
+
+#include "nsCOMPtr.h"
+#include "nsISecureBrowserUI.h"
+#include "nsITransportSecurityInfo.h"
+#include "nsIWebProgressListener.h"
+#include "nsWeakReference.h"
+
+class nsITransportSecurityInfo;
+class nsIChannel;
+
+namespace mozilla {
+namespace dom {
+class Document;
+class WindowGlobalParent;
+class CanonicalBrowsingContext;
+} // namespace dom
+} // namespace mozilla
+
+#define NS_SECURE_BROWSER_UI_CID \
+ { \
+ 0xcc75499a, 0x1dd1, 0x11b2, { \
+ 0x8a, 0x82, 0xca, 0x41, 0x0a, 0xc9, 0x07, 0xb8 \
+ } \
+ }
+
+class nsSecureBrowserUI : public nsISecureBrowserUI,
+ public nsSupportsWeakReference {
+ public:
+ explicit nsSecureBrowserUI(
+ mozilla::dom::CanonicalBrowsingContext* aBrowsingContext);
+
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSISECUREBROWSERUI
+
+ void RecomputeSecurityFlags();
+
+ protected:
+ virtual ~nsSecureBrowserUI() = default;
+
+ mozilla::dom::WindowGlobalParent* GetCurrentWindow();
+
+ uint32_t mState;
+ uint64_t mBrowsingContextId;
+};
+
+#endif // nsSecureBrowserUIImpl_h
diff --git a/security/manager/ssl/nsSecurityHeaderParser.cpp b/security/manager/ssl/nsSecurityHeaderParser.cpp
new file mode 100644
index 0000000000..d9d9d48bc0
--- /dev/null
+++ b/security/manager/ssl/nsSecurityHeaderParser.cpp
@@ -0,0 +1,206 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsSecurityHeaderParser.h"
+#include "mozilla/Logging.h"
+
+// The character classes in this file are informed by [RFC2616], Section 2.2.
+// signed char is a signed data type one byte (8 bits) wide, so its value can
+// never be greater than 127. The following implicitly makes use of this.
+
+// A token is one or more CHAR except CTLs or separators.
+// A CHAR is any US-ASCII character (octets 0 - 127).
+// A CTL is any US-ASCII control character (octets 0 - 31) and DEL (127).
+// A separator is one of ()<>@,;:\"/[]?={} as well as space and
+// horizontal-tab (32 and 9, respectively).
+// So, this returns true if chr is any octet 33-126 except ()<>@,;:\"/[]?={}
+bool IsTokenSymbol(signed char chr) {
+ if (chr < 33 || chr == 127 || chr == '(' || chr == ')' || chr == '<' ||
+ chr == '>' || chr == '@' || chr == ',' || chr == ';' || chr == ':' ||
+ chr == '"' || chr == '/' || chr == '[' || chr == ']' || chr == '?' ||
+ chr == '=' || chr == '{' || chr == '}' || chr == '\\') {
+ return false;
+ }
+ return true;
+}
+
+// A quoted-string consists of a quote (") followed by any amount of
+// qdtext or quoted-pair, followed by a quote.
+// qdtext is any TEXT except a quote.
+// TEXT is any 8-bit octet except CTLs, but including LWS.
+// quoted-pair is a backslash (\) followed by a CHAR.
+// So, it turns out, \ can't really be a qdtext symbol for our purposes.
+// This returns true if chr is any octet 9,10,13,32-126 except <"> or "\"
+bool IsQuotedTextSymbol(signed char chr) {
+ return ((chr >= 32 && chr != '"' && chr != '\\' && chr != 127) ||
+ chr == 0x9 || chr == 0xa || chr == 0xd);
+}
+
+// The octet following the "\" in a quoted pair can be anything 0-127.
+bool IsQuotedPairSymbol(signed char chr) { return (chr >= 0); }
+
+static mozilla::LazyLogModule sSHParserLog("nsSecurityHeaderParser");
+
+#define SHPARSERLOG(args) MOZ_LOG(sSHParserLog, mozilla::LogLevel::Debug, args)
+
+nsSecurityHeaderParser::nsSecurityHeaderParser(const nsCString& aHeader)
+ : mCursor(aHeader.get()), mDirective(nullptr), mError(false) {}
+
+nsSecurityHeaderParser::~nsSecurityHeaderParser() {
+ nsSecurityHeaderDirective* directive;
+ while ((directive = mDirectives.popFirst())) {
+ delete directive;
+ }
+}
+
+mozilla::LinkedList<nsSecurityHeaderDirective>*
+nsSecurityHeaderParser::GetDirectives() {
+ return &mDirectives;
+}
+
+nsresult nsSecurityHeaderParser::Parse() {
+ MOZ_ASSERT(mDirectives.isEmpty());
+ SHPARSERLOG(("trying to parse '%s'", mCursor));
+
+ Header();
+
+ // if we didn't consume the entire input, we were unable to parse it => error
+ if (mError || *mCursor) {
+ return NS_ERROR_FAILURE;
+ } else {
+ return NS_OK;
+ }
+}
+
+bool nsSecurityHeaderParser::Accept(char aChr) {
+ if (*mCursor == aChr) {
+ Advance();
+ return true;
+ }
+
+ return false;
+}
+
+bool nsSecurityHeaderParser::Accept(bool (*aClassifier)(signed char)) {
+ if (aClassifier(*mCursor)) {
+ Advance();
+ return true;
+ }
+
+ return false;
+}
+
+void nsSecurityHeaderParser::Expect(char aChr) {
+ if (*mCursor != aChr) {
+ mError = true;
+ } else {
+ Advance();
+ }
+}
+
+void nsSecurityHeaderParser::Advance() {
+ // Technically, 0 is valid in quoted-pair, but we were handed a
+ // null-terminated const char *, so this doesn't handle that.
+ if (*mCursor) {
+ mOutput.Append(*mCursor);
+ mCursor++;
+ } else {
+ mError = true;
+ }
+}
+
+void nsSecurityHeaderParser::Header() {
+ Directive();
+ while (Accept(';')) {
+ Directive();
+ }
+}
+
+void nsSecurityHeaderParser::Directive() {
+ mDirective = new nsSecurityHeaderDirective();
+ LWSMultiple();
+ DirectiveName();
+ LWSMultiple();
+ if (Accept('=')) {
+ LWSMultiple();
+ DirectiveValue();
+ LWSMultiple();
+ }
+ mDirectives.insertBack(mDirective);
+ SHPARSERLOG(("read directive name '%s', value '%s'", mDirective->mName.Data(),
+ mDirective->mValue.Data()));
+}
+
+void nsSecurityHeaderParser::DirectiveName() {
+ mOutput.Truncate(0);
+ Token();
+ mDirective->mName.Assign(mOutput);
+}
+
+void nsSecurityHeaderParser::DirectiveValue() {
+ mOutput.Truncate(0);
+ if (Accept(IsTokenSymbol)) {
+ Token();
+ mDirective->mValue.Assign(mOutput);
+ } else if (Accept('"')) {
+ // Accept advances the cursor if successful, which appends a character to
+ // mOutput. The " is not part of what we want to capture, so truncate
+ // mOutput again.
+ mOutput.Truncate(0);
+ QuotedString();
+ mDirective->mValue.Assign(mOutput);
+ Expect('"');
+ }
+}
+
+void nsSecurityHeaderParser::Token() {
+ while (Accept(IsTokenSymbol))
+ ;
+}
+
+void nsSecurityHeaderParser::QuotedString() {
+ while (true) {
+ if (Accept(IsQuotedTextSymbol)) {
+ QuotedText();
+ } else if (Accept('\\')) {
+ QuotedPair();
+ } else {
+ break;
+ }
+ }
+}
+
+void nsSecurityHeaderParser::QuotedText() {
+ while (Accept(IsQuotedTextSymbol))
+ ;
+}
+
+void nsSecurityHeaderParser::QuotedPair() { Accept(IsQuotedPairSymbol); }
+
+void nsSecurityHeaderParser::LWSMultiple() {
+ while (true) {
+ if (Accept('\r')) {
+ LWSCRLF();
+ } else if (Accept(' ') || Accept('\t')) {
+ LWS();
+ } else {
+ break;
+ }
+ }
+}
+
+void nsSecurityHeaderParser::LWSCRLF() {
+ Expect('\n');
+ if (!(Accept(' ') || Accept('\t'))) {
+ mError = true;
+ }
+ LWS();
+}
+
+void nsSecurityHeaderParser::LWS() {
+ // Note that becaue of how we're called, we don't have to check for
+ // the mandatory presense of at least one of SP or HT.
+ while (Accept(' ') || Accept('\t'))
+ ;
+}
diff --git a/security/manager/ssl/nsSecurityHeaderParser.h b/security/manager/ssl/nsSecurityHeaderParser.h
new file mode 100644
index 0000000000..5cb50d425a
--- /dev/null
+++ b/security/manager/ssl/nsSecurityHeaderParser.h
@@ -0,0 +1,78 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsSecurityHeaderParser_h
+#define nsSecurityHeaderParser_h
+
+#include "mozilla/LinkedList.h"
+#include "nsCOMPtr.h"
+#include "nsString.h"
+
+// Utility class for handing back parsed directives and (optional) values
+class nsSecurityHeaderDirective
+ : public mozilla::LinkedListElement<nsSecurityHeaderDirective> {
+ public:
+ nsCString mName;
+ nsCString mValue;
+};
+
+// This class parses security-related HTTP headers like
+// Strict-Transport-Security. The Augmented Backus-Naur Form syntax for this
+// header is reproduced below, for reference:
+//
+// Strict-Transport-Security = "Strict-Transport-Security" ":"
+// [ directive ] *( ";" [ directive ] )
+//
+// directive = directive-name [ "=" directive-value ]
+// directive-name = token
+// directive-value = token | quoted-string
+//
+// where:
+//
+// token = <token, defined in [RFC2616], Section 2.2>
+// quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>/
+//
+// For further reference, see [RFC6797], Section 6.1
+
+class nsSecurityHeaderParser {
+ public:
+ // The input to this class must be null-terminated, and must have a lifetime
+ // greater than or equal to the lifetime of the created
+ // nsSecurityHeaderParser.
+ explicit nsSecurityHeaderParser(const nsCString& aHeader);
+ ~nsSecurityHeaderParser();
+
+ // Only call Parse once.
+ nsresult Parse();
+ // The caller does not take ownership of the memory returned here.
+ mozilla::LinkedList<nsSecurityHeaderDirective>* GetDirectives();
+
+ private:
+ bool Accept(char aChr);
+ bool Accept(bool (*aClassifier)(signed char));
+ void Expect(char aChr);
+ void Advance();
+ void Header(); // header = [ directive ] *( ";" [ directive ] )
+ void Directive(); // directive = directive-name [ "=" directive-value ]
+ void DirectiveName(); // directive-name = token
+ void DirectiveValue(); // directive-value = token | quoted-string
+ void Token(); // token = 1*<any CHAR except CTLs or separators>
+ void QuotedString(); // quoted-string = (<"> *( qdtext | quoted-pair ) <">)
+ void QuotedText(); // qdtext = <any TEXT except <"> and "\">
+ void QuotedPair(); // quoted-pair = "\" CHAR
+
+ // LWS = [CRLF] 1*( SP | HT )
+ void LWSMultiple(); // Handles *( LWS )
+ void LWSCRLF(); // Handles the [CRLF] part of LWS
+ void LWS(); // Handles the 1*( SP | HT ) part of LWS
+
+ mozilla::LinkedList<nsSecurityHeaderDirective> mDirectives;
+ const char* mCursor;
+ nsSecurityHeaderDirective* mDirective;
+
+ nsCString mOutput;
+ bool mError;
+};
+
+#endif // nsSecurityHeaderParser_h
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
new file mode 100644
index 0000000000..b975d9d66a
--- /dev/null
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -0,0 +1,1011 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsSiteSecurityService.h"
+
+#include "PublicKeyPinningService.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Base64.h"
+#include "mozilla/LinkedList.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/Tokenizer.h"
+#include "mozilla/dom/PContent.h"
+#include "mozilla/dom/ToJSValue.h"
+#include "nsCOMArray.h"
+#include "nsIScriptSecurityManager.h"
+#include "nsISocketProvider.h"
+#include "nsIURI.h"
+#include "nsNSSComponent.h"
+#include "nsNetUtil.h"
+#include "nsPromiseFlatString.h"
+#include "nsReadableUtils.h"
+#include "nsSecurityHeaderParser.h"
+#include "nsThreadUtils.h"
+#include "nsVariant.h"
+#include "nsXULAppAPI.h"
+#include "prnetdb.h"
+
+// A note about the preload list:
+// When a site specifically disables HSTS by sending a header with
+// 'max-age: 0', we keep a "knockout" value that means "we have no information
+// regarding the HSTS state of this host" (any ancestor of "this host" can still
+// influence its HSTS status via include subdomains, however).
+// This prevents the preload list from overriding the site's current
+// desired HSTS status.
+#include "nsSTSPreloadListGenerated.inc"
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+static LazyLogModule gSSSLog("nsSSService");
+
+#define SSSLOG(args) MOZ_LOG(gSSSLog, mozilla::LogLevel::Debug, args)
+
+static const nsLiteralCString kHSTSKeySuffix = ":HSTS"_ns;
+
+////////////////////////////////////////////////////////////////////////////////
+
+namespace {
+
+class SSSTokenizer final : public Tokenizer {
+ public:
+ explicit SSSTokenizer(const nsACString& source) : Tokenizer(source) {}
+
+ [[nodiscard]] bool ReadBool(/*out*/ bool& value) {
+ uint8_t rawValue;
+ if (!ReadInteger(&rawValue)) {
+ return false;
+ }
+
+ if (rawValue != 0 && rawValue != 1) {
+ return false;
+ }
+
+ value = (rawValue == 1);
+ return true;
+ }
+
+ [[nodiscard]] bool ReadState(/*out*/ SecurityPropertyState& state) {
+ uint32_t rawValue;
+ if (!ReadInteger(&rawValue)) {
+ return false;
+ }
+
+ state = static_cast<SecurityPropertyState>(rawValue);
+ switch (state) {
+ case SecurityPropertyKnockout:
+ case SecurityPropertySet:
+ case SecurityPropertyUnset:
+ break;
+ default:
+ return false;
+ }
+
+ return true;
+ }
+};
+
+// Parses a state string like "1500918564034,1,1" into its constituent parts.
+bool ParseHSTSState(const nsCString& stateString,
+ /*out*/ PRTime& expireTime,
+ /*out*/ SecurityPropertyState& state,
+ /*out*/ bool& includeSubdomains) {
+ SSSTokenizer tokenizer(stateString);
+ SSSLOG(("Parsing state from %s", stateString.get()));
+
+ if (!tokenizer.ReadInteger(&expireTime)) {
+ return false;
+ }
+
+ if (!tokenizer.CheckChar(',')) {
+ return false;
+ }
+
+ if (!tokenizer.ReadState(state)) {
+ return false;
+ }
+
+ if (!tokenizer.CheckChar(',')) {
+ return false;
+ }
+
+ if (!tokenizer.ReadBool(includeSubdomains)) {
+ return false;
+ }
+
+ if (tokenizer.CheckChar(',')) {
+ // Read now-unused "source" field.
+ uint32_t unused;
+ if (!tokenizer.ReadInteger(&unused)) {
+ return false;
+ }
+ }
+
+ return tokenizer.CheckEOF();
+}
+
+} // namespace
+
+SiteHSTSState::SiteHSTSState(const nsCString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ const nsCString& aStateString)
+ : mHostname(aHost),
+ mOriginAttributes(aOriginAttributes),
+ mHSTSExpireTime(0),
+ mHSTSState(SecurityPropertyUnset),
+ mHSTSIncludeSubdomains(false) {
+ bool valid = ParseHSTSState(aStateString, mHSTSExpireTime, mHSTSState,
+ mHSTSIncludeSubdomains);
+ if (!valid) {
+ SSSLOG(("%s is not a valid SiteHSTSState", aStateString.get()));
+ mHSTSExpireTime = 0;
+ mHSTSState = SecurityPropertyUnset;
+ mHSTSIncludeSubdomains = false;
+ }
+}
+
+SiteHSTSState::SiteHSTSState(const nsCString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ PRTime aHSTSExpireTime,
+ SecurityPropertyState aHSTSState,
+ bool aHSTSIncludeSubdomains)
+
+ : mHostname(aHost),
+ mOriginAttributes(aOriginAttributes),
+ mHSTSExpireTime(aHSTSExpireTime),
+ mHSTSState(aHSTSState),
+ mHSTSIncludeSubdomains(aHSTSIncludeSubdomains) {}
+
+void SiteHSTSState::ToString(nsCString& aString) {
+ aString.Truncate();
+ aString.AppendInt(mHSTSExpireTime);
+ aString.Append(',');
+ aString.AppendInt(mHSTSState);
+ aString.Append(',');
+ aString.AppendInt(static_cast<uint32_t>(mHSTSIncludeSubdomains));
+}
+
+nsSiteSecurityService::nsSiteSecurityService()
+ : mUsePreloadList(true), mPreloadListTimeOffset(0), mDafsa(kDafsa) {}
+
+nsSiteSecurityService::~nsSiteSecurityService() = default;
+
+NS_IMPL_ISUPPORTS(nsSiteSecurityService, nsIObserver, nsISiteSecurityService)
+
+nsresult nsSiteSecurityService::Init() {
+ // Don't access Preferences off the main thread.
+ if (!NS_IsMainThread()) {
+ MOZ_ASSERT_UNREACHABLE("nsSiteSecurityService initialized off main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ mUsePreloadList = mozilla::Preferences::GetBool(
+ "network.stricttransportsecurity.preloadlist", true);
+ mozilla::Preferences::AddStrongObserver(
+ this, "network.stricttransportsecurity.preloadlist");
+ mPreloadListTimeOffset =
+ mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
+ mozilla::Preferences::AddStrongObserver(this,
+ "test.currentTimeOffsetSeconds");
+ nsCOMPtr<nsIDataStorageManager> dataStorageManager(
+ do_GetService("@mozilla.org/security/datastoragemanager;1"));
+ if (!dataStorageManager) {
+ return NS_ERROR_FAILURE;
+ }
+ nsresult rv =
+ dataStorageManager->Get(nsIDataStorageManager::SiteSecurityServiceState,
+ getter_AddRefs(mSiteStateStorage));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!mSiteStateStorage) {
+ return NS_ERROR_FAILURE;
+ }
+
+ return NS_OK;
+}
+
+nsresult nsSiteSecurityService::GetHost(nsIURI* aURI, nsACString& aResult) {
+ nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(aURI);
+ if (!innerURI) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsAutoCString host;
+ nsresult rv = innerURI->GetAsciiHost(host);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ aResult.Assign(PublicKeyPinningService::CanonicalizeHostname(host.get()));
+ if (aResult.IsEmpty()) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ return NS_OK;
+}
+
+static void NormalizePartitionKey(nsString& partitionKey) {
+ // If present, the partitionKey will be of the form
+ // "(<scheme>,<domain>[,port>])" (where "<scheme>" will be "https" or "http"
+ // and "<port>", if present, will be a port number). This normalizes the
+ // scheme to "https" and strips the port so that a domain noted as HSTS will
+ // be HSTS regardless of scheme and port, as per the RFC.
+ Tokenizer16 tokenizer(partitionKey, nullptr, u".-_");
+ if (!tokenizer.CheckChar(u'(')) {
+ return;
+ }
+ nsString scheme;
+ if (!(tokenizer.ReadWord(scheme))) {
+ return;
+ }
+ if (!tokenizer.CheckChar(u',')) {
+ return;
+ }
+ nsString host;
+ if (!tokenizer.ReadWord(host)) {
+ return;
+ }
+ partitionKey.Assign(u"(https,");
+ partitionKey.Append(host);
+ partitionKey.Append(u")");
+}
+
+// Uses the previous format of storage key. Only to be used for migrating old
+// entries.
+static void GetOldStorageKey(const nsACString& hostname,
+ const OriginAttributes& aOriginAttributes,
+ /*out*/ nsAutoCString& storageKey) {
+ storageKey = hostname;
+
+ // Don't isolate by userContextId.
+ OriginAttributes originAttributesNoUserContext = aOriginAttributes;
+ originAttributesNoUserContext.mUserContextId =
+ nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID;
+ nsAutoCString originAttributesSuffix;
+ originAttributesNoUserContext.CreateSuffix(originAttributesSuffix);
+ storageKey.Append(originAttributesSuffix);
+ storageKey.Append(kHSTSKeySuffix);
+}
+
+static void GetStorageKey(const nsACString& hostname,
+ const OriginAttributes& aOriginAttributes,
+ /*out*/ nsAutoCString& storageKey) {
+ storageKey = hostname;
+
+ // Don't isolate by userContextId.
+ OriginAttributes originAttributesNoUserContext = aOriginAttributes;
+ originAttributesNoUserContext.mUserContextId =
+ nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID;
+ NormalizePartitionKey(originAttributesNoUserContext.mPartitionKey);
+ nsAutoCString originAttributesSuffix;
+ originAttributesNoUserContext.CreateSuffix(originAttributesSuffix);
+ storageKey.Append(originAttributesSuffix);
+}
+
+// Expire times are in millis. Since Headers max-age is in seconds, and
+// PR_Now() is in micros, normalize the units at milliseconds.
+static int64_t ExpireTimeFromMaxAge(uint64_t maxAge) {
+ return (PR_Now() / PR_USEC_PER_MSEC) + ((int64_t)maxAge * PR_MSEC_PER_SEC);
+}
+
+inline uint64_t AbsoluteDifference(int64_t a, int64_t b) {
+ if (a <= b) {
+ return b - a;
+ }
+ return a - b;
+}
+
+const uint64_t sOneDayInMilliseconds = 24 * 60 * 60 * 1000;
+
+nsresult nsSiteSecurityService::SetHSTSState(
+ const char* aHost, int64_t maxage, bool includeSubdomains,
+ SecurityPropertyState aHSTSState,
+ const OriginAttributes& aOriginAttributes) {
+ nsAutoCString hostname(aHost);
+ // If max-age is zero, the host is no longer considered HSTS. If the host was
+ // preloaded, we store an entry indicating that this host is not HSTS, causing
+ // the preloaded information to be ignored.
+ if (maxage == 0) {
+ return MarkHostAsNotHSTS(hostname, aOriginAttributes);
+ }
+
+ MOZ_ASSERT(aHSTSState == SecurityPropertySet,
+ "HSTS State must be SecurityPropertySet");
+
+ int64_t expiretime = ExpireTimeFromMaxAge(maxage);
+ SiteHSTSState siteState(hostname, aOriginAttributes, expiretime, aHSTSState,
+ includeSubdomains);
+ nsAutoCString stateString;
+ siteState.ToString(stateString);
+ SSSLOG(("SSS: setting state for %s", hostname.get()));
+ bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0;
+ nsIDataStorage::DataType storageType =
+ isPrivate ? nsIDataStorage::DataType::Private
+ : nsIDataStorage::DataType::Persistent;
+ SSSLOG(("SSS: storing HSTS site entry for %s", hostname.get()));
+ nsAutoCString value;
+ nsresult rv =
+ GetWithMigration(hostname, aOriginAttributes, storageType, value);
+ // If this fails for a reason other than nothing by that key exists,
+ // propagate the failure.
+ if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) {
+ return rv;
+ }
+ // This is an entirely new entry.
+ if (rv == NS_ERROR_NOT_AVAILABLE) {
+ nsAutoCString storageKey;
+ GetStorageKey(hostname, aOriginAttributes, storageKey);
+ return mSiteStateStorage->Put(storageKey, stateString, storageType);
+ }
+ // Otherwise, only update the backing storage if the currently-stored state
+ // is different. In the case of expiration time, "different" means "is
+ // different by more than a day".
+ SiteHSTSState curSiteState(hostname, aOriginAttributes, value);
+ if (curSiteState.mHSTSState != siteState.mHSTSState ||
+ curSiteState.mHSTSIncludeSubdomains != siteState.mHSTSIncludeSubdomains ||
+ AbsoluteDifference(curSiteState.mHSTSExpireTime,
+ siteState.mHSTSExpireTime) > sOneDayInMilliseconds) {
+ rv =
+ PutWithMigration(hostname, aOriginAttributes, storageType, stateString);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ return NS_OK;
+}
+
+// Helper function to mark a host as not HSTS. In the general case, we can just
+// remove the HSTS state. However, for preloaded entries, we have to store an
+// entry that indicates this host is not HSTS to prevent the implementation
+// using the preloaded information.
+nsresult nsSiteSecurityService::MarkHostAsNotHSTS(
+ const nsAutoCString& aHost, const OriginAttributes& aOriginAttributes) {
+ bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0;
+ nsIDataStorage::DataType storageType =
+ isPrivate ? nsIDataStorage::DataType::Private
+ : nsIDataStorage::DataType::Persistent;
+ if (GetPreloadStatus(aHost)) {
+ SSSLOG(("SSS: storing knockout entry for %s", aHost.get()));
+ SiteHSTSState siteState(aHost, aOriginAttributes, 0,
+ SecurityPropertyKnockout, false);
+ nsAutoCString stateString;
+ siteState.ToString(stateString);
+ nsresult rv =
+ PutWithMigration(aHost, aOriginAttributes, storageType, stateString);
+ NS_ENSURE_SUCCESS(rv, rv);
+ } else {
+ SSSLOG(("SSS: removing entry for %s", aHost.get()));
+ RemoveWithMigration(aHost, aOriginAttributes, storageType);
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsSiteSecurityService::ResetState(nsIURI* aURI,
+ JS::Handle<JS::Value> aOriginAttributes,
+ nsISiteSecurityService::ResetStateBy aScope,
+ JSContext* aCx, uint8_t aArgc) {
+ if (!aURI) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ OriginAttributes originAttributes;
+ if (aArgc > 0) {
+ // OriginAttributes were passed in.
+ if (!aOriginAttributes.isObject() ||
+ !originAttributes.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ }
+ nsISiteSecurityService::ResetStateBy scope =
+ nsISiteSecurityService::ResetStateBy::ExactDomain;
+ if (aArgc > 1) {
+ // ResetStateBy scope was passed in
+ scope = aScope;
+ }
+
+ return ResetStateInternal(aURI, originAttributes, scope);
+}
+
+// Helper function to reset stored state of the given type for the host
+// identified by the given URI. If there is preloaded information for the host,
+// that information will be used for future queries. C.f. MarkHostAsNotHSTS,
+// which will store a knockout entry for preloaded HSTS hosts that have sent a
+// header with max-age=0 (meaning preloaded information will then not be used
+// for that host).
+nsresult nsSiteSecurityService::ResetStateInternal(
+ nsIURI* aURI, const OriginAttributes& aOriginAttributes,
+ nsISiteSecurityService::ResetStateBy aScope) {
+ if (!aURI) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ nsAutoCString hostname;
+ nsresult rv = GetHost(aURI, hostname);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ OriginAttributes normalizedOriginAttributes(aOriginAttributes);
+ NormalizePartitionKey(normalizedOriginAttributes.mPartitionKey);
+
+ if (aScope == ResetStateBy::ExactDomain) {
+ ResetStateForExactDomain(hostname, normalizedOriginAttributes);
+ return NS_OK;
+ }
+
+ nsTArray<RefPtr<nsIDataStorageItem>> items;
+ rv = mSiteStateStorage->GetAll(items);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ for (const auto& item : items) {
+ static const nsLiteralCString kHPKPKeySuffix = ":HPKP"_ns;
+ nsAutoCString key;
+ rv = item->GetKey(key);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ nsAutoCString value;
+ rv = item->GetValue(value);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (StringEndsWith(key, kHPKPKeySuffix)) {
+ (void)mSiteStateStorage->Remove(key,
+ nsIDataStorage::DataType::Persistent);
+ continue;
+ }
+ size_t suffixLength =
+ StringEndsWith(key, kHSTSKeySuffix) ? kHSTSKeySuffix.Length() : 0;
+ nsCString origin(StringHead(key, key.Length() - suffixLength));
+ nsAutoCString itemHostname;
+ OriginAttributes itemOriginAttributes;
+ if (!itemOriginAttributes.PopulateFromOrigin(origin, itemHostname)) {
+ continue;
+ }
+ bool hasRootDomain = false;
+ nsresult rv = net::HasRootDomain(itemHostname, hostname, &hasRootDomain);
+ if (NS_FAILED(rv)) {
+ continue;
+ }
+ if (hasRootDomain) {
+ ResetStateForExactDomain(itemHostname, itemOriginAttributes);
+ } else if (aScope == ResetStateBy::BaseDomain) {
+ mozilla::dom::PartitionKeyPatternDictionary partitionKeyPattern;
+ partitionKeyPattern.mBaseDomain.Construct(
+ NS_ConvertUTF8toUTF16(hostname));
+ OriginAttributesPattern originAttributesPattern;
+ originAttributesPattern.mPartitionKeyPattern.Construct(
+ partitionKeyPattern);
+ if (originAttributesPattern.Matches(itemOriginAttributes)) {
+ ResetStateForExactDomain(itemHostname, itemOriginAttributes);
+ }
+ }
+ }
+ return NS_OK;
+}
+
+void nsSiteSecurityService::ResetStateForExactDomain(
+ const nsCString& aHostname, const OriginAttributes& aOriginAttributes) {
+ bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0;
+ nsIDataStorage::DataType storageType =
+ isPrivate ? nsIDataStorage::DataType::Private
+ : nsIDataStorage::DataType::Persistent;
+ RemoveWithMigration(aHostname, aOriginAttributes, storageType);
+}
+
+bool nsSiteSecurityService::HostIsIPAddress(const nsCString& hostname) {
+ PRNetAddr hostAddr;
+ PRErrorCode prv = PR_StringToNetAddr(hostname.get(), &hostAddr);
+ return (prv == PR_SUCCESS);
+}
+
+NS_IMETHODIMP
+nsSiteSecurityService::ProcessHeaderScriptable(
+ nsIURI* aSourceURI, const nsACString& aHeader,
+ JS::Handle<JS::Value> aOriginAttributes, uint64_t* aMaxAge,
+ bool* aIncludeSubdomains, uint32_t* aFailureResult, JSContext* aCx,
+ uint8_t aArgc) {
+ OriginAttributes originAttributes;
+ if (aArgc > 0) {
+ if (!aOriginAttributes.isObject() ||
+ !originAttributes.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ }
+ return ProcessHeader(aSourceURI, aHeader, originAttributes, aMaxAge,
+ aIncludeSubdomains, aFailureResult);
+}
+
+NS_IMETHODIMP
+nsSiteSecurityService::ProcessHeader(nsIURI* aSourceURI,
+ const nsACString& aHeader,
+ const OriginAttributes& aOriginAttributes,
+ uint64_t* aMaxAge,
+ bool* aIncludeSubdomains,
+ uint32_t* aFailureResult) {
+ if (aFailureResult) {
+ *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
+ }
+ return ProcessHeaderInternal(aSourceURI, PromiseFlatCString(aHeader),
+ aOriginAttributes, aMaxAge, aIncludeSubdomains,
+ aFailureResult);
+}
+
+nsresult nsSiteSecurityService::ProcessHeaderInternal(
+ nsIURI* aSourceURI, const nsCString& aHeader,
+ const OriginAttributes& aOriginAttributes, uint64_t* aMaxAge,
+ bool* aIncludeSubdomains, uint32_t* aFailureResult) {
+ if (aFailureResult) {
+ *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
+ }
+ if (aMaxAge != nullptr) {
+ *aMaxAge = 0;
+ }
+
+ if (aIncludeSubdomains != nullptr) {
+ *aIncludeSubdomains = false;
+ }
+
+ nsAutoCString host;
+ nsresult rv = GetHost(aSourceURI, host);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (HostIsIPAddress(host)) {
+ /* Don't process headers if a site is accessed by IP address. */
+ return NS_OK;
+ }
+
+ return ProcessSTSHeader(aSourceURI, aHeader, aOriginAttributes, aMaxAge,
+ aIncludeSubdomains, aFailureResult);
+}
+
+static uint32_t ParseSSSHeaders(const nsCString& aHeader,
+ bool& foundIncludeSubdomains, bool& foundMaxAge,
+ bool& foundUnrecognizedDirective,
+ uint64_t& maxAge) {
+ // "Strict-Transport-Security" ":" OWS
+ // STS-d *( OWS ";" OWS STS-d OWS)
+ //
+ // ; STS directive
+ // STS-d = maxAge / includeSubDomains
+ //
+ // maxAge = "max-age" "=" delta-seconds v-ext
+ //
+ // includeSubDomains = [ "includeSubDomains" ]
+ //
+ // The order of the directives is not significant.
+ // All directives must appear only once.
+ // Directive names are case-insensitive.
+ // The entire header is invalid if a directive not conforming to the
+ // syntax is encountered.
+ // Unrecognized directives (that are otherwise syntactically valid) are
+ // ignored, and the rest of the header is parsed as normal.
+
+ constexpr auto max_age_var = "max-age"_ns;
+ constexpr auto include_subd_var = "includesubdomains"_ns;
+
+ nsSecurityHeaderParser parser(aHeader);
+ nsresult rv = parser.Parse();
+ if (NS_FAILED(rv)) {
+ SSSLOG(("SSS: could not parse header"));
+ return nsISiteSecurityService::ERROR_COULD_NOT_PARSE_HEADER;
+ }
+ mozilla::LinkedList<nsSecurityHeaderDirective>* directives =
+ parser.GetDirectives();
+
+ for (nsSecurityHeaderDirective* directive = directives->getFirst();
+ directive != nullptr; directive = directive->getNext()) {
+ SSSLOG(("SSS: found directive %s\n", directive->mName.get()));
+ if (directive->mName.EqualsIgnoreCase(max_age_var)) {
+ if (foundMaxAge) {
+ SSSLOG(("SSS: found two max-age directives"));
+ return nsISiteSecurityService::ERROR_MULTIPLE_MAX_AGES;
+ }
+
+ SSSLOG(("SSS: found max-age directive"));
+ foundMaxAge = true;
+
+ Tokenizer tokenizer(directive->mValue);
+ if (!tokenizer.ReadInteger(&maxAge)) {
+ SSSLOG(("SSS: could not parse delta-seconds"));
+ return nsISiteSecurityService::ERROR_INVALID_MAX_AGE;
+ }
+
+ if (!tokenizer.CheckEOF()) {
+ SSSLOG(("SSS: invalid value for max-age directive"));
+ return nsISiteSecurityService::ERROR_INVALID_MAX_AGE;
+ }
+
+ SSSLOG(("SSS: parsed delta-seconds: %" PRIu64, maxAge));
+ } else if (directive->mName.EqualsIgnoreCase(include_subd_var)) {
+ if (foundIncludeSubdomains) {
+ SSSLOG(("SSS: found two includeSubdomains directives"));
+ return nsISiteSecurityService::ERROR_MULTIPLE_INCLUDE_SUBDOMAINS;
+ }
+
+ SSSLOG(("SSS: found includeSubdomains directive"));
+ foundIncludeSubdomains = true;
+
+ if (directive->mValue.Length() != 0) {
+ SSSLOG(("SSS: includeSubdomains directive unexpectedly had value '%s'",
+ directive->mValue.get()));
+ return nsISiteSecurityService::ERROR_INVALID_INCLUDE_SUBDOMAINS;
+ }
+ } else {
+ SSSLOG(("SSS: ignoring unrecognized directive '%s'",
+ directive->mName.get()));
+ foundUnrecognizedDirective = true;
+ }
+ }
+ return nsISiteSecurityService::Success;
+}
+
+// 100 years is wildly longer than anyone will ever need.
+const uint64_t sMaxMaxAgeInSeconds = UINT64_C(60 * 60 * 24 * 365 * 100);
+
+nsresult nsSiteSecurityService::ProcessSTSHeader(
+ nsIURI* aSourceURI, const nsCString& aHeader,
+ const OriginAttributes& aOriginAttributes, uint64_t* aMaxAge,
+ bool* aIncludeSubdomains, uint32_t* aFailureResult) {
+ if (aFailureResult) {
+ *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
+ }
+ SSSLOG(("SSS: processing HSTS header '%s'", aHeader.get()));
+
+ bool foundMaxAge = false;
+ bool foundIncludeSubdomains = false;
+ bool foundUnrecognizedDirective = false;
+ uint64_t maxAge = 0;
+
+ uint32_t sssrv = ParseSSSHeaders(aHeader, foundIncludeSubdomains, foundMaxAge,
+ foundUnrecognizedDirective, maxAge);
+ if (sssrv != nsISiteSecurityService::Success) {
+ if (aFailureResult) {
+ *aFailureResult = sssrv;
+ }
+ return NS_ERROR_FAILURE;
+ }
+
+ // after processing all the directives, make sure we came across max-age
+ // somewhere.
+ if (!foundMaxAge) {
+ SSSLOG(("SSS: did not encounter required max-age directive"));
+ if (aFailureResult) {
+ *aFailureResult = nsISiteSecurityService::ERROR_NO_MAX_AGE;
+ }
+ return NS_ERROR_FAILURE;
+ }
+
+ // Cap the specified max-age.
+ if (maxAge > sMaxMaxAgeInSeconds) {
+ maxAge = sMaxMaxAgeInSeconds;
+ }
+
+ nsAutoCString hostname;
+ nsresult rv = GetHost(aSourceURI, hostname);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // record the successfully parsed header data.
+ rv = SetHSTSState(hostname.get(), maxAge, foundIncludeSubdomains,
+ SecurityPropertySet, aOriginAttributes);
+ if (NS_FAILED(rv)) {
+ SSSLOG(("SSS: failed to set STS state"));
+ if (aFailureResult) {
+ *aFailureResult = nsISiteSecurityService::ERROR_COULD_NOT_SAVE_STATE;
+ }
+ return rv;
+ }
+
+ if (aMaxAge != nullptr) {
+ *aMaxAge = maxAge;
+ }
+
+ if (aIncludeSubdomains != nullptr) {
+ *aIncludeSubdomains = foundIncludeSubdomains;
+ }
+
+ return foundUnrecognizedDirective ? NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA
+ : NS_OK;
+}
+
+NS_IMETHODIMP
+nsSiteSecurityService::IsSecureURIScriptable(
+ nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
+ uint8_t aArgc, bool* aResult) {
+ OriginAttributes originAttributes;
+ if (aArgc > 0) {
+ if (!aOriginAttributes.isObject() ||
+ !originAttributes.Init(aCx, aOriginAttributes)) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ }
+ return IsSecureURI(aURI, originAttributes, aResult);
+}
+
+NS_IMETHODIMP
+nsSiteSecurityService::IsSecureURI(nsIURI* aURI,
+ const OriginAttributes& aOriginAttributes,
+ bool* aResult) {
+ NS_ENSURE_ARG(aURI);
+ NS_ENSURE_ARG(aResult);
+
+ nsAutoCString hostname;
+ nsresult rv = GetHost(aURI, hostname);
+ NS_ENSURE_SUCCESS(rv, rv);
+ /* An IP address never qualifies as a secure URI. */
+ if (HostIsIPAddress(hostname)) {
+ *aResult = false;
+ return NS_OK;
+ }
+
+ return IsSecureHost(hostname, aOriginAttributes, aResult);
+}
+
+// Checks if the given host is in the preload list.
+//
+// @param aHost The host to match. Only does exact host matching.
+// @param aIncludeSubdomains Out, optional. Indicates whether or not to include
+// subdomains. Only set if the host is matched and this function returns
+// true.
+//
+// @return True if the host is matched, false otherwise.
+bool nsSiteSecurityService::GetPreloadStatus(const nsACString& aHost,
+ bool* aIncludeSubdomains) const {
+ const int kIncludeSubdomains = 1;
+ bool found = false;
+
+ PRTime currentTime = PR_Now() + (mPreloadListTimeOffset * PR_USEC_PER_SEC);
+ if (mUsePreloadList && currentTime < gPreloadListExpirationTime) {
+ int result = mDafsa.Lookup(aHost);
+ found = (result != mozilla::Dafsa::kKeyNotFound);
+ if (found && aIncludeSubdomains) {
+ *aIncludeSubdomains = (result == kIncludeSubdomains);
+ }
+ }
+
+ return found;
+}
+
+nsresult nsSiteSecurityService::GetWithMigration(
+ const nsACString& aHostname, const OriginAttributes& aOriginAttributes,
+ nsIDataStorage::DataType aDataStorageType, nsACString& aValue) {
+ // First see if this entry exists and has already been migrated.
+ nsAutoCString storageKey;
+ GetStorageKey(aHostname, aOriginAttributes, storageKey);
+ nsresult rv = mSiteStateStorage->Get(storageKey, aDataStorageType, aValue);
+ if (NS_SUCCEEDED(rv)) {
+ return NS_OK;
+ }
+ if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) {
+ return rv;
+ }
+ // Otherwise, it potentially needs to be migrated, if it's persistent data.
+ if (aDataStorageType != nsIDataStorage::DataType::Persistent) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ nsAutoCString oldStorageKey;
+ GetOldStorageKey(aHostname, aOriginAttributes, oldStorageKey);
+ rv = mSiteStateStorage->Get(oldStorageKey,
+ nsIDataStorage::DataType::Persistent, aValue);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // If there was a value, remove the old entry, insert a new one with the new
+ // key, and return the value.
+ rv = mSiteStateStorage->Remove(oldStorageKey,
+ nsIDataStorage::DataType::Persistent);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ return mSiteStateStorage->Put(storageKey, aValue,
+ nsIDataStorage::DataType::Persistent);
+}
+
+nsresult nsSiteSecurityService::PutWithMigration(
+ const nsACString& aHostname, const OriginAttributes& aOriginAttributes,
+ nsIDataStorage::DataType aDataStorageType, const nsACString& aStateString) {
+ // Only persistent data needs migrating.
+ if (aDataStorageType == nsIDataStorage::DataType::Persistent) {
+ // Since the intention is to overwrite the previously-stored data anyway,
+ // the old entry can be removed.
+ nsAutoCString oldStorageKey;
+ GetOldStorageKey(aHostname, aOriginAttributes, oldStorageKey);
+ nsresult rv = mSiteStateStorage->Remove(
+ oldStorageKey, nsIDataStorage::DataType::Persistent);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ nsAutoCString storageKey;
+ GetStorageKey(aHostname, aOriginAttributes, storageKey);
+ return mSiteStateStorage->Put(storageKey, aStateString, aDataStorageType);
+}
+
+nsresult nsSiteSecurityService::RemoveWithMigration(
+ const nsACString& aHostname, const OriginAttributes& aOriginAttributes,
+ nsIDataStorage::DataType aDataStorageType) {
+ // Only persistent data needs migrating.
+ if (aDataStorageType == nsIDataStorage::DataType::Persistent) {
+ nsAutoCString oldStorageKey;
+ GetOldStorageKey(aHostname, aOriginAttributes, oldStorageKey);
+ nsresult rv = mSiteStateStorage->Remove(
+ oldStorageKey, nsIDataStorage::DataType::Persistent);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ nsAutoCString storageKey;
+ GetStorageKey(aHostname, aOriginAttributes, storageKey);
+ return mSiteStateStorage->Remove(storageKey, aDataStorageType);
+}
+
+// Determines whether or not there is a matching HSTS entry for the given host.
+// If aRequireIncludeSubdomains is set, then for there to be a matching HSTS
+// entry, it must assert includeSubdomains.
+nsresult nsSiteSecurityService::HostMatchesHSTSEntry(
+ const nsAutoCString& aHost, bool aRequireIncludeSubdomains,
+ const OriginAttributes& aOriginAttributes, bool& aHostMatchesHSTSEntry) {
+ aHostMatchesHSTSEntry = false;
+ // First we check for an entry in site security storage. If that entry exists,
+ // we don't want to check in the preload lists. We only want to use the
+ // stored value if it is not a knockout entry, however.
+ // Additionally, if it is a knockout entry, we want to stop looking for data
+ // on the host, because the knockout entry indicates "we have no information
+ // regarding the security status of this host".
+ bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0;
+ nsIDataStorage::DataType storageType =
+ isPrivate ? nsIDataStorage::DataType::Private
+ : nsIDataStorage::DataType::Persistent;
+ SSSLOG(("Seeking HSTS entry for %s", aHost.get()));
+ nsAutoCString value;
+ nsresult rv = GetWithMigration(aHost, aOriginAttributes, storageType, value);
+ // If this fails for a reason other than nothing by that key exists,
+ // propagate the failure.
+ if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) {
+ return rv;
+ }
+ bool checkPreloadList = true;
+ // If something by that key does exist, decode and process that information.
+ if (NS_SUCCEEDED(rv)) {
+ SiteHSTSState siteState(aHost, aOriginAttributes, value);
+ if (siteState.mHSTSState != SecurityPropertyUnset) {
+ SSSLOG(("Found HSTS entry for %s", aHost.get()));
+ bool expired = siteState.IsExpired();
+ if (!expired) {
+ SSSLOG(("Entry for %s is not expired", aHost.get()));
+ if (siteState.mHSTSState == SecurityPropertySet) {
+ aHostMatchesHSTSEntry = aRequireIncludeSubdomains
+ ? siteState.mHSTSIncludeSubdomains
+ : true;
+ return NS_OK;
+ }
+ }
+
+ if (expired) {
+ SSSLOG(
+ ("Entry %s is expired - checking for preload state", aHost.get()));
+ if (!GetPreloadStatus(aHost)) {
+ SSSLOG(("No static preload - removing expired entry"));
+ nsAutoCString storageKey;
+ GetStorageKey(aHost, aOriginAttributes, storageKey);
+ rv = mSiteStateStorage->Remove(storageKey, storageType);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+ }
+ return NS_OK;
+ }
+ checkPreloadList = false;
+ }
+
+ bool includeSubdomains = false;
+ // Finally look in the static preload list.
+ if (checkPreloadList && GetPreloadStatus(aHost, &includeSubdomains)) {
+ SSSLOG(("%s is a preloaded HSTS host", aHost.get()));
+ aHostMatchesHSTSEntry =
+ aRequireIncludeSubdomains ? includeSubdomains : true;
+ }
+
+ return NS_OK;
+}
+
+nsresult nsSiteSecurityService::IsSecureHost(
+ const nsACString& aHost, const OriginAttributes& aOriginAttributes,
+ bool* aResult) {
+ NS_ENSURE_ARG(aResult);
+ *aResult = false;
+
+ /* An IP address never qualifies as a secure URI. */
+ const nsCString& flatHost = PromiseFlatCString(aHost);
+ if (HostIsIPAddress(flatHost)) {
+ return NS_OK;
+ }
+
+ nsAutoCString host(
+ PublicKeyPinningService::CanonicalizeHostname(flatHost.get()));
+
+ // First check the exact host.
+ bool hostMatchesHSTSEntry = false;
+ nsresult rv = HostMatchesHSTSEntry(host, false, aOriginAttributes,
+ hostMatchesHSTSEntry);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (hostMatchesHSTSEntry) {
+ *aResult = true;
+ return NS_OK;
+ }
+
+ SSSLOG(("%s not congruent match for any known HSTS host", host.get()));
+ const char* superdomain;
+
+ uint32_t offset = 0;
+ for (offset = host.FindChar('.', offset) + 1; offset > 0;
+ offset = host.FindChar('.', offset) + 1) {
+ superdomain = host.get() + offset;
+
+ // If we get an empty string, don't continue.
+ if (strlen(superdomain) < 1) {
+ break;
+ }
+
+ // Do the same thing as with the exact host except now we're looking at
+ // ancestor domains of the original host and, therefore, we have to require
+ // that the entry asserts includeSubdomains.
+ nsAutoCString superdomainString(superdomain);
+ hostMatchesHSTSEntry = false;
+ rv = HostMatchesHSTSEntry(superdomainString, true, aOriginAttributes,
+ hostMatchesHSTSEntry);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (hostMatchesHSTSEntry) {
+ *aResult = true;
+ return NS_OK;
+ }
+
+ SSSLOG(
+ ("superdomain %s not known HSTS host (or includeSubdomains not set), "
+ "walking up domain",
+ superdomain));
+ }
+
+ // If we get here, there was no congruent match, and no superdomain matched
+ // while asserting includeSubdomains, so this host is not HSTS.
+ *aResult = false;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsSiteSecurityService::ClearAll() { return mSiteStateStorage->Clear(); }
+
+//------------------------------------------------------------
+// nsSiteSecurityService::nsIObserver
+//------------------------------------------------------------
+
+NS_IMETHODIMP
+nsSiteSecurityService::Observe(nsISupports* /*subject*/, const char* topic,
+ const char16_t* /*data*/) {
+ // Don't access Preferences off the main thread.
+ if (!NS_IsMainThread()) {
+ MOZ_ASSERT_UNREACHABLE("Preferences accessed off main thread");
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+
+ if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
+ mUsePreloadList = mozilla::Preferences::GetBool(
+ "network.stricttransportsecurity.preloadlist", true);
+ mPreloadListTimeOffset =
+ mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
+ }
+
+ return NS_OK;
+}
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
new file mode 100644
index 0000000000..f5de35936a
--- /dev/null
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -0,0 +1,158 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __nsSiteSecurityService_h__
+#define __nsSiteSecurityService_h__
+
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/Dafsa.h"
+#include "mozilla/RefPtr.h"
+#include "nsCOMPtr.h"
+#include "nsIDataStorage.h"
+#include "nsIObserver.h"
+#include "nsISiteSecurityService.h"
+#include "nsString.h"
+#include "nsTArray.h"
+#include "mozpkix/pkixtypes.h"
+#include "prtime.h"
+
+class nsIURI;
+
+using mozilla::OriginAttributes;
+
+// {16955eee-6c48-4152-9309-c42a465138a1}
+#define NS_SITE_SECURITY_SERVICE_CID \
+ { \
+ 0x16955eee, 0x6c48, 0x4152, { \
+ 0x93, 0x09, 0xc4, 0x2a, 0x46, 0x51, 0x38, 0xa1 \
+ } \
+ }
+
+/**
+ * SecurityPropertyState: A utility enum for representing the different states
+ * a security property can be in.
+ * SecurityPropertySet and SecurityPropertyUnset correspond to indicating
+ * a site has or does not have the security property in question, respectively.
+ * SecurityPropertyKnockout indicates a value on a preloaded list is being
+ * overridden, and the associated site does not have the security property
+ * in question.
+ */
+enum SecurityPropertyState {
+ SecurityPropertyUnset = 0,
+ SecurityPropertySet = 1,
+ SecurityPropertyKnockout = 2,
+};
+
+/**
+ * SiteHSTSState: A utility class that encodes/decodes a string describing
+ * the security state of a site. Currently only handles HSTS.
+ * HSTS state consists of:
+ * - Hostname (nsCString)
+ * - Origin attributes (OriginAttributes)
+ * - Expiry time (PRTime (aka int64_t) in milliseconds)
+ * - A state flag (SecurityPropertyState, default SecurityPropertyUnset)
+ * - An include subdomains flag (bool, default false)
+ */
+class SiteHSTSState {
+ public:
+ SiteHSTSState(const nsCString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ const nsCString& aStateString);
+ SiteHSTSState(const nsCString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ PRTime aHSTSExpireTime, SecurityPropertyState aHSTSState,
+ bool aHSTSIncludeSubdomains);
+
+ nsCString mHostname;
+ OriginAttributes mOriginAttributes;
+ PRTime mHSTSExpireTime;
+ SecurityPropertyState mHSTSState;
+ bool mHSTSIncludeSubdomains;
+
+ bool IsExpired() {
+ // If mHSTSExpireTime is 0, this entry never expires (this is the case for
+ // knockout entries).
+ if (mHSTSExpireTime == 0) {
+ return false;
+ }
+
+ PRTime now = PR_Now() / PR_USEC_PER_MSEC;
+ if (now > mHSTSExpireTime) {
+ return true;
+ }
+
+ return false;
+ }
+
+ void ToString(nsCString& aString);
+};
+
+struct nsSTSPreload;
+
+class nsSiteSecurityService : public nsISiteSecurityService,
+ public nsIObserver {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIOBSERVER
+ NS_DECL_NSISITESECURITYSERVICE
+
+ nsSiteSecurityService();
+ nsresult Init();
+
+ static nsresult GetHost(nsIURI* aURI, nsACString& aResult);
+ static bool HostIsIPAddress(const nsCString& hostname);
+
+ protected:
+ virtual ~nsSiteSecurityService();
+
+ private:
+ nsresult SetHSTSState(const char* aHost, int64_t maxage,
+ bool includeSubdomains,
+ SecurityPropertyState aHSTSState,
+ const OriginAttributes& aOriginAttributes);
+ nsresult ProcessHeaderInternal(nsIURI* aSourceURI, const nsCString& aHeader,
+ const OriginAttributes& aOriginAttributes,
+ uint64_t* aMaxAge, bool* aIncludeSubdomains,
+ uint32_t* aFailureResult);
+ nsresult ProcessSTSHeader(nsIURI* aSourceURI, const nsCString& aHeader,
+ const OriginAttributes& aOriginAttributes,
+ uint64_t* aMaxAge, bool* aIncludeSubdomains,
+ uint32_t* aFailureResult);
+ nsresult MarkHostAsNotHSTS(const nsAutoCString& aHost,
+ const OriginAttributes& aOriginAttributes);
+ nsresult ResetStateInternal(nsIURI* aURI,
+ const OriginAttributes& aOriginAttributes,
+ nsISiteSecurityService::ResetStateBy aScope);
+ void ResetStateForExactDomain(const nsCString& aHostname,
+ const OriginAttributes& aOriginAttributes);
+ nsresult HostMatchesHSTSEntry(const nsAutoCString& aHost,
+ bool aRequireIncludeSubdomains,
+ const OriginAttributes& aOriginAttributes,
+ bool& aHostMatchesHSTSEntry);
+ bool GetPreloadStatus(
+ const nsACString& aHost,
+ /*optional out*/ bool* aIncludeSubdomains = nullptr) const;
+ nsresult IsSecureHost(const nsACString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ bool* aResult);
+
+ nsresult GetWithMigration(const nsACString& aHostname,
+ const OriginAttributes& aOriginAttributes,
+ nsIDataStorage::DataType aDataStorageType,
+ nsACString& aValue);
+ nsresult PutWithMigration(const nsACString& aHostname,
+ const OriginAttributes& aOriginAttributes,
+ nsIDataStorage::DataType aDataStorageType,
+ const nsACString& aStateString);
+ nsresult RemoveWithMigration(const nsACString& aHostname,
+ const OriginAttributes& aOriginAttributes,
+ nsIDataStorage::DataType aDataStorageType);
+
+ bool mUsePreloadList;
+ int64_t mPreloadListTimeOffset;
+ nsCOMPtr<nsIDataStorage> mSiteStateStorage;
+ const mozilla::Dafsa mDafsa;
+};
+
+#endif // __nsSiteSecurityService_h__
diff --git a/security/manager/ssl/nsTLSSocketProvider.cpp b/security/manager/ssl/nsTLSSocketProvider.cpp
new file mode 100644
index 0000000000..bc26d47966
--- /dev/null
+++ b/security/manager/ssl/nsTLSSocketProvider.cpp
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/BasePrincipal.h"
+#include "nsTLSSocketProvider.h"
+#include "nsNSSIOLayer.h"
+#include "nsError.h"
+
+using mozilla::OriginAttributes;
+
+nsTLSSocketProvider::nsTLSSocketProvider() = default;
+
+nsTLSSocketProvider::~nsTLSSocketProvider() = default;
+
+NS_IMPL_ISUPPORTS(nsTLSSocketProvider, nsISocketProvider)
+
+NS_IMETHODIMP
+nsTLSSocketProvider::NewSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ uint32_t flags, uint32_t tlsFlags,
+ PRFileDesc** _result,
+ nsITLSSocketControl** tlsSocketControl) {
+ nsresult rv =
+ nsSSLIOLayerNewSocket(family, host, port, proxy, originAttributes,
+ _result, tlsSocketControl, true, flags, tlsFlags);
+
+ return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
+}
+
+// Add the SSL IO layer to an existing socket
+NS_IMETHODIMP
+nsTLSSocketProvider::AddToSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ uint32_t flags, uint32_t tlsFlags,
+ PRFileDesc* aSocket,
+ nsITLSSocketControl** tlsSocketControl) {
+ nsresult rv =
+ nsSSLIOLayerAddToSocket(family, host, port, proxy, originAttributes,
+ aSocket, tlsSocketControl, true, flags, tlsFlags);
+
+ return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
+}
diff --git a/security/manager/ssl/nsTLSSocketProvider.h b/security/manager/ssl/nsTLSSocketProvider.h
new file mode 100644
index 0000000000..eeed0ae40c
--- /dev/null
+++ b/security/manager/ssl/nsTLSSocketProvider.h
@@ -0,0 +1,31 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _NSTLSSOCKETPROVIDER_H_
+#define _NSTLSSOCKETPROVIDER_H_
+
+#include "nsISocketProvider.h"
+
+#define NS_STARTTLSSOCKETPROVIDER_CID \
+ { /* b9507aec-1dd1-11b2-8cd5-c48ee0c50307 */ \
+ 0xb9507aec, 0x1dd1, 0x11b2, { \
+ 0x8c, 0xd5, 0xc4, 0x8e, 0xe0, 0xc5, 0x03, 0x07 \
+ } \
+ }
+
+class nsTLSSocketProvider : public nsISocketProvider {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSISOCKETPROVIDER
+
+ // nsTLSSocketProvider methods:
+ nsTLSSocketProvider();
+
+ protected:
+ virtual ~nsTLSSocketProvider();
+};
+
+#endif /* _NSTLSSOCKETPROVIDER_H_ */
diff --git a/security/manager/ssl/nsVerificationJob.h b/security/manager/ssl/nsVerificationJob.h
new file mode 100644
index 0000000000..377cfabb73
--- /dev/null
+++ b/security/manager/ssl/nsVerificationJob.h
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _INC_NSVERIFICATIONJOB_H
+#define _INC_NSVERIFICATIONJOB_H
+
+#include "nspr.h"
+
+#include "nsIX509Cert.h"
+#include "nsProxyRelease.h"
+
+class nsBaseVerificationJob {
+ public:
+ virtual ~nsBaseVerificationJob() {}
+ virtual void Run() = 0;
+};
+
+class nsCertVerificationJob : public nsBaseVerificationJob {
+ public:
+ nsCOMPtr<nsIX509Cert> mCert;
+ nsMainThreadPtrHandle<nsICertVerificationListener> mListener;
+
+ void Run();
+};
+
+class nsCertVerificationResult : public nsICertVerificationResult {
+ public:
+ nsCertVerificationResult();
+
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSICERTVERIFICATIONRESULT
+
+ protected:
+ virtual ~nsCertVerificationResult();
+
+ private:
+ nsresult mRV;
+ uint32_t mVerified;
+ uint32_t mCount;
+ char16_t** mUsages;
+
+ friend class nsCertVerificationJob;
+};
+
+#endif
diff --git a/security/manager/ssl/osclientcerts/Cargo.toml b/security/manager/ssl/osclientcerts/Cargo.toml
new file mode 100644
index 0000000000..db71b97a46
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/Cargo.toml
@@ -0,0 +1,32 @@
+[package]
+name = "osclientcerts-static"
+version = "0.1.4"
+authors = ["Dana Keeler <dkeeler@mozilla.com>"]
+edition = "2018"
+description = "Platform-specific support for client authentication certificates in Firefox"
+repository = "https://github.com/mozkeeler/osclientcerts"
+license = "MPL-2.0"
+
+[dependencies]
+byteorder = "1.3"
+env_logger = {version = "0.10", default-features = false } # disable `regex` to reduce code size
+lazy_static = "1"
+log = "0.4"
+mozilla-central-workspace-hack = { version = "0.1", features = ["osclientcerts-static"], optional = true }
+
+pkcs11-bindings = "0.1"
+rsclientcerts = { path = "../rsclientcerts" }
+sha2 = "0.10.2"
+
+[target."cfg(target_os = \"macos\")".dependencies.core-foundation]
+version = "0.9"
+
+[target."cfg(target_os = \"macos\")".dependencies.libloading]
+version = "0.7"
+
+[target."cfg(target_os = \"windows\")".dependencies.winapi]
+version = "0.3"
+features = ["errhandlingapi", "wincrypt"]
+
+[lib]
+crate-type = ["staticlib"]
diff --git a/security/manager/ssl/osclientcerts/dynamic-library/moz.build b/security/manager/ssl/osclientcerts/dynamic-library/moz.build
new file mode 100644
index 0000000000..36c0341ca7
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/dynamic-library/moz.build
@@ -0,0 +1,33 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+USE_LIBS += ["osclientcerts-static"]
+
+UNIFIED_SOURCES += [
+ "stub.cpp",
+]
+
+if CONFIG["OS_ARCH"] == "WINNT":
+ OS_LIBS += [
+ "advapi32",
+ "crypt32",
+ "kernel32",
+ "ncrypt",
+ "userenv",
+ "ws2_32",
+ "ntdll",
+ ]
+
+if CONFIG["OS_ARCH"] == "Darwin":
+ OS_LIBS += [
+ "-framework CoreFoundation",
+ "-framework Security",
+ ]
+
+SharedLibrary("osclientcerts")
+
+NoVisibilityFlags()
+SYMBOLS_FILE = "osclientcerts.symbols"
diff --git a/security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols b/security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols
new file mode 100644
index 0000000000..562ecea21d
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols
@@ -0,0 +1 @@
+C_GetFunctionList
diff --git a/security/manager/ssl/osclientcerts/dynamic-library/stub.cpp b/security/manager/ssl/osclientcerts/dynamic-library/stub.cpp
new file mode 100644
index 0000000000..bd20c15c4f
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/dynamic-library/stub.cpp
@@ -0,0 +1,8 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is an intentionally empty file. It is necessary for the build system to
+// successfully convert a static rust library into a dynamic library on
+// Windows.
diff --git a/security/manager/ssl/osclientcerts/moz.build b/security/manager/ssl/osclientcerts/moz.build
new file mode 100644
index 0000000000..fa484af6a4
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/moz.build
@@ -0,0 +1,9 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["dynamic-library"]
+
+RustLibrary("osclientcerts-static")
diff --git a/security/manager/ssl/osclientcerts/src/backend_macos.rs b/security/manager/ssl/osclientcerts/src/backend_macos.rs
new file mode 100644
index 0000000000..34386371aa
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/src/backend_macos.rs
@@ -0,0 +1,849 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#![allow(non_upper_case_globals)]
+
+use core_foundation::array::*;
+use core_foundation::base::*;
+use core_foundation::boolean::*;
+use core_foundation::data::*;
+use core_foundation::dictionary::*;
+use core_foundation::error::*;
+use core_foundation::number::*;
+use core_foundation::string::*;
+use libloading::{Library, Symbol};
+use pkcs11_bindings::*;
+use rsclientcerts::error::{Error, ErrorType};
+use rsclientcerts::manager::{ClientCertsBackend, CryptokiObject, Sign, SlotType};
+use rsclientcerts::util::*;
+use sha2::{Digest, Sha256};
+use std::collections::BTreeMap;
+use std::convert::TryInto;
+use std::os::raw::c_void;
+
+// Normally we would generate this with a build script, but macos is
+// cross-compiled on linux, and we'd have to figure out e.g. include paths,
+// etc.. This is easier.
+include!("bindings_macos.rs");
+
+#[repr(C)]
+pub struct __SecIdentity(c_void);
+pub type SecIdentityRef = *const __SecIdentity;
+declare_TCFType!(SecIdentity, SecIdentityRef);
+impl_TCFType!(SecIdentity, SecIdentityRef, SecIdentityGetTypeID);
+
+#[repr(C)]
+pub struct __SecCertificate(c_void);
+pub type SecCertificateRef = *const __SecCertificate;
+declare_TCFType!(SecCertificate, SecCertificateRef);
+impl_TCFType!(SecCertificate, SecCertificateRef, SecCertificateGetTypeID);
+
+#[repr(C)]
+pub struct __SecKey(c_void);
+pub type SecKeyRef = *const __SecKey;
+declare_TCFType!(SecKey, SecKeyRef);
+impl_TCFType!(SecKey, SecKeyRef, SecKeyGetTypeID);
+
+#[repr(C)]
+pub struct __SecPolicy(c_void);
+pub type SecPolicyRef = *const __SecPolicy;
+declare_TCFType!(SecPolicy, SecPolicyRef);
+impl_TCFType!(SecPolicy, SecPolicyRef, SecPolicyGetTypeID);
+
+#[repr(C)]
+pub struct __SecTrust(c_void);
+pub type SecTrustRef = *const __SecTrust;
+declare_TCFType!(SecTrust, SecTrustRef);
+impl_TCFType!(SecTrust, SecTrustRef, SecTrustGetTypeID);
+
+type SecCertificateCopyKeyType = unsafe extern "C" fn(SecCertificateRef) -> SecKeyRef;
+type SecTrustEvaluateWithErrorType =
+ unsafe extern "C" fn(trust: SecTrustRef, error: *mut CFErrorRef) -> bool;
+
+#[derive(Ord, Eq, PartialOrd, PartialEq)]
+enum SecStringConstant {
+ // These are available in macOS 10.13
+ SecKeyAlgorithmRSASignatureDigestPSSSHA1,
+ SecKeyAlgorithmRSASignatureDigestPSSSHA256,
+ SecKeyAlgorithmRSASignatureDigestPSSSHA384,
+ SecKeyAlgorithmRSASignatureDigestPSSSHA512,
+}
+
+/// This implementation uses security framework functions and constants that
+/// are not provided by the version of the SDK we build with. To work around
+/// this, we attempt to open and dynamically load these functions and symbols
+/// at runtime. Unfortunately this does mean that if a user is not on a new
+/// enough version of macOS, they will not be able to use client certificates
+/// from their keychain in Firefox until they upgrade.
+struct SecurityFramework<'a> {
+ sec_certificate_copy_key: Symbol<'a, SecCertificateCopyKeyType>,
+ sec_trust_evaluate_with_error: Symbol<'a, SecTrustEvaluateWithErrorType>,
+ sec_string_constants: BTreeMap<SecStringConstant, String>,
+}
+
+lazy_static! {
+ static ref SECURITY_LIBRARY: Result<Library, String> = unsafe {
+ Library::new("/System/Library/Frameworks/Security.framework/Security")
+ .map_err(|e| e.to_string())
+ };
+}
+
+impl<'a> SecurityFramework<'a> {
+ fn new() -> Result<SecurityFramework<'a>, Error> {
+ let library = match &*SECURITY_LIBRARY {
+ Ok(library) => library,
+ Err(e) => return Err(error_here!(ErrorType::ExternalError, e.clone())),
+ };
+ let sec_certificate_copy_key = unsafe {
+ library
+ .get::<SecCertificateCopyKeyType>(b"SecCertificateCopyKey\0")
+ .map_err(|e| error_here!(ErrorType::ExternalError, e.to_string()))?
+ };
+ let sec_trust_evaluate_with_error = unsafe {
+ library
+ .get::<SecTrustEvaluateWithErrorType>(b"SecTrustEvaluateWithError\0")
+ .map_err(|e| error_here!(ErrorType::ExternalError, e.to_string()))?
+ };
+ let mut sec_string_constants = BTreeMap::new();
+ let strings_to_load = vec![
+ (
+ b"kSecKeyAlgorithmRSASignatureDigestPSSSHA1\0".as_ref(),
+ SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA1,
+ ),
+ (
+ b"kSecKeyAlgorithmRSASignatureDigestPSSSHA256\0".as_ref(),
+ SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA256,
+ ),
+ (
+ b"kSecKeyAlgorithmRSASignatureDigestPSSSHA384\0".as_ref(),
+ SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA384,
+ ),
+ (
+ b"kSecKeyAlgorithmRSASignatureDigestPSSSHA512\0".as_ref(),
+ SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA512,
+ ),
+ ];
+ for (symbol_name, sec_string_constant) in strings_to_load {
+ let cfstring_symbol = unsafe {
+ library
+ .get::<*const CFStringRef>(symbol_name)
+ .map_err(|e| error_here!(ErrorType::ExternalError, e.to_string()))?
+ };
+ let cfstring = unsafe { CFString::wrap_under_create_rule(**cfstring_symbol) };
+ sec_string_constants.insert(sec_string_constant, cfstring.to_string());
+ }
+ Ok(SecurityFramework {
+ sec_certificate_copy_key,
+ sec_trust_evaluate_with_error,
+ sec_string_constants,
+ })
+ }
+}
+
+struct SecurityFrameworkHolder<'a> {
+ framework: Result<SecurityFramework<'a>, Error>,
+}
+
+impl<'a> SecurityFrameworkHolder<'a> {
+ fn new() -> SecurityFrameworkHolder<'a> {
+ SecurityFrameworkHolder {
+ framework: SecurityFramework::new(),
+ }
+ }
+
+ /// SecCertificateCopyKey is available in macOS 10.14
+ fn sec_certificate_copy_key(&self, certificate: &SecCertificate) -> Result<SecKey, Error> {
+ match &self.framework {
+ Ok(framework) => unsafe {
+ let result =
+ (framework.sec_certificate_copy_key)(certificate.as_concrete_TypeRef());
+ if result.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ Ok(SecKey::wrap_under_create_rule(result))
+ },
+ Err(e) => Err(e.clone()),
+ }
+ }
+
+ /// SecTrustEvaluateWithError is available in macOS 10.14
+ fn sec_trust_evaluate_with_error(&self, trust: &SecTrust) -> Result<bool, Error> {
+ match &self.framework {
+ Ok(framework) => unsafe {
+ Ok((framework.sec_trust_evaluate_with_error)(
+ trust.as_concrete_TypeRef(),
+ std::ptr::null_mut(),
+ ))
+ },
+ Err(e) => Err(e.clone()),
+ }
+ }
+
+ fn get_sec_string_constant(
+ &self,
+ sec_string_constant: SecStringConstant,
+ ) -> Result<CFString, Error> {
+ match &self.framework {
+ Ok(framework) => match framework.sec_string_constants.get(&sec_string_constant) {
+ Some(string) => Ok(CFString::new(string)),
+ None => Err(error_here!(ErrorType::ExternalError)),
+ },
+ Err(e) => Err(e.clone()),
+ }
+ }
+}
+
+lazy_static! {
+ static ref SECURITY_FRAMEWORK: SecurityFrameworkHolder<'static> =
+ SecurityFrameworkHolder::new();
+}
+
+fn sec_key_create_signature(
+ key: &SecKey,
+ algorithm: SecKeyAlgorithm,
+ data: &CFData,
+) -> Result<CFData, Error> {
+ let mut error = std::ptr::null_mut();
+ let signature = unsafe {
+ SecKeyCreateSignature(
+ key.as_concrete_TypeRef(),
+ algorithm,
+ data.as_concrete_TypeRef(),
+ &mut error,
+ )
+ };
+ if signature.is_null() {
+ let error = unsafe { CFError::wrap_under_create_rule(error) };
+ return Err(error_here!(
+ ErrorType::ExternalError,
+ error.description().to_string()
+ ));
+ }
+ Ok(unsafe { CFData::wrap_under_create_rule(signature) })
+}
+
+fn sec_key_copy_attributes<T: TCFType>(key: &SecKey) -> CFDictionary<CFString, T> {
+ unsafe { CFDictionary::wrap_under_create_rule(SecKeyCopyAttributes(key.as_concrete_TypeRef())) }
+}
+
+fn sec_key_copy_external_representation(key: &SecKey) -> Result<CFData, Error> {
+ let mut error = std::ptr::null_mut();
+ let representation =
+ unsafe { SecKeyCopyExternalRepresentation(key.as_concrete_TypeRef(), &mut error) };
+ if representation.is_null() {
+ let error = unsafe { CFError::wrap_under_create_rule(error) };
+ return Err(error_here!(
+ ErrorType::ExternalError,
+ error.description().to_string()
+ ));
+ }
+ Ok(unsafe { CFData::wrap_under_create_rule(representation) })
+}
+
+fn sec_identity_copy_certificate(identity: &SecIdentity) -> Result<SecCertificate, Error> {
+ let mut certificate = std::ptr::null();
+ let status =
+ unsafe { SecIdentityCopyCertificate(identity.as_concrete_TypeRef(), &mut certificate) };
+ if status != errSecSuccess {
+ return Err(error_here!(ErrorType::ExternalError, status.to_string()));
+ }
+ if certificate.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ Ok(unsafe { SecCertificate::wrap_under_create_rule(certificate) })
+}
+
+fn sec_certificate_copy_subject_summary(certificate: &SecCertificate) -> Result<CFString, Error> {
+ let result = unsafe { SecCertificateCopySubjectSummary(certificate.as_concrete_TypeRef()) };
+ if result.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ Ok(unsafe { CFString::wrap_under_create_rule(result) })
+}
+
+fn sec_certificate_copy_data(certificate: &SecCertificate) -> Result<CFData, Error> {
+ let result = unsafe { SecCertificateCopyData(certificate.as_concrete_TypeRef()) };
+ if result.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ Ok(unsafe { CFData::wrap_under_create_rule(result) })
+}
+
+fn sec_identity_copy_private_key(identity: &SecIdentity) -> Result<SecKey, Error> {
+ let mut key = std::ptr::null();
+ let status = unsafe { SecIdentityCopyPrivateKey(identity.as_concrete_TypeRef(), &mut key) };
+ if status != errSecSuccess {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ if key.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ Ok(unsafe { SecKey::wrap_under_create_rule(key) })
+}
+
+pub struct Cert {
+ class: Vec<u8>,
+ token: Vec<u8>,
+ id: Vec<u8>,
+ label: Vec<u8>,
+ value: Vec<u8>,
+ issuer: Vec<u8>,
+ serial_number: Vec<u8>,
+ subject: Vec<u8>,
+}
+
+impl Cert {
+ fn new_from_identity(identity: &SecIdentity) -> Result<Cert, Error> {
+ let certificate = sec_identity_copy_certificate(identity)?;
+ Cert::new_from_certificate(&certificate)
+ }
+
+ fn new_from_certificate(certificate: &SecCertificate) -> Result<Cert, Error> {
+ let label = sec_certificate_copy_subject_summary(certificate)?;
+ let der = sec_certificate_copy_data(certificate)?;
+ let der = der.bytes().to_vec();
+ let id = Sha256::digest(&der).to_vec();
+ let (serial_number, issuer, subject) = read_encoded_certificate_identifiers(&der)?;
+ Ok(Cert {
+ class: serialize_uint(CKO_CERTIFICATE)?,
+ token: serialize_uint(CK_TRUE)?,
+ id,
+ label: label.to_string().into_bytes(),
+ value: der,
+ issuer,
+ serial_number,
+ subject,
+ })
+ }
+
+ fn class(&self) -> &[u8] {
+ &self.class
+ }
+
+ fn token(&self) -> &[u8] {
+ &self.token
+ }
+
+ fn id(&self) -> &[u8] {
+ &self.id
+ }
+
+ fn label(&self) -> &[u8] {
+ &self.label
+ }
+
+ fn value(&self) -> &[u8] {
+ &self.value
+ }
+
+ fn issuer(&self) -> &[u8] {
+ &self.issuer
+ }
+
+ fn serial_number(&self) -> &[u8] {
+ &self.serial_number
+ }
+
+ fn subject(&self) -> &[u8] {
+ &self.subject
+ }
+}
+
+impl CryptokiObject for Cert {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool {
+ // The modern/legacy slot distinction in theory enables differentiation
+ // between keys that are from modules that can use modern cryptography
+ // (namely EC keys and RSA-PSS signatures) and those that cannot.
+ // However, the function that would enable this
+ // (SecKeyIsAlgorithmSupported) causes a password dialog to appear on
+ // our test machines, so this backend pretends that everything supports
+ // modern crypto for now.
+ if slot_type != SlotType::Modern {
+ return false;
+ }
+ for (attr_type, attr_value) in attrs {
+ let comparison = match *attr_type {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_LABEL => self.label(),
+ CKA_ID => self.id(),
+ CKA_VALUE => self.value(),
+ CKA_ISSUER => self.issuer(),
+ CKA_SERIAL_NUMBER => self.serial_number(),
+ CKA_SUBJECT => self.subject(),
+ _ => return false,
+ };
+ if attr_value.as_slice() != comparison {
+ return false;
+ }
+ }
+ true
+ }
+
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> {
+ let result = match attribute {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_LABEL => self.label(),
+ CKA_ID => self.id(),
+ CKA_VALUE => self.value(),
+ CKA_ISSUER => self.issuer(),
+ CKA_SERIAL_NUMBER => self.serial_number(),
+ CKA_SUBJECT => self.subject(),
+ _ => return None,
+ };
+ Some(result)
+ }
+}
+
+#[allow(clippy::upper_case_acronyms)]
+#[derive(Clone, Copy, Debug)]
+pub enum KeyType {
+ EC(usize),
+ RSA,
+}
+
+#[allow(clippy::upper_case_acronyms)]
+enum SignParams<'a> {
+ EC(CFString, &'a [u8]),
+ RSA(CFString, &'a [u8]),
+}
+
+impl<'a> SignParams<'a> {
+ fn new(
+ key_type: KeyType,
+ data: &'a [u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<SignParams<'a>, Error> {
+ match key_type {
+ KeyType::EC(_) => SignParams::new_ec_params(data),
+ KeyType::RSA => SignParams::new_rsa_params(params, data),
+ }
+ }
+
+ fn new_ec_params(data: &'a [u8]) -> Result<SignParams<'a>, Error> {
+ let algorithm = unsafe {
+ CFString::wrap_under_get_rule(match data.len() {
+ 20 => kSecKeyAlgorithmECDSASignatureDigestX962SHA1,
+ 32 => kSecKeyAlgorithmECDSASignatureDigestX962SHA256,
+ 48 => kSecKeyAlgorithmECDSASignatureDigestX962SHA384,
+ 64 => kSecKeyAlgorithmECDSASignatureDigestX962SHA512,
+ _ => {
+ return Err(error_here!(ErrorType::UnsupportedInput));
+ }
+ })
+ };
+ Ok(SignParams::EC(algorithm, data))
+ }
+
+ fn new_rsa_params(
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ data: &'a [u8],
+ ) -> Result<SignParams<'a>, Error> {
+ if let Some(pss_params) = params {
+ let algorithm = {
+ let algorithm_id = match pss_params.hashAlg {
+ CKM_SHA_1 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA1,
+ CKM_SHA256 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA256,
+ CKM_SHA384 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA384,
+ CKM_SHA512 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA512,
+ _ => {
+ return Err(error_here!(ErrorType::UnsupportedInput));
+ }
+ };
+ SECURITY_FRAMEWORK.get_sec_string_constant(algorithm_id)?
+ };
+ return Ok(SignParams::RSA(algorithm, data));
+ }
+
+ // Handle the case where this is a TLS 1.0 MD5/SHA1 hash.
+ if data.len() == 36 {
+ let algorithm = unsafe {
+ CFString::wrap_under_get_rule(kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw)
+ };
+ return Ok(SignParams::RSA(algorithm, data));
+ }
+ // Otherwise, `data` should be a DigestInfo.
+ let (digest_oid, hash) = read_digest_info(data)?;
+ let algorithm = unsafe {
+ CFString::wrap_under_create_rule(match digest_oid {
+ OID_BYTES_SHA_256 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256,
+ OID_BYTES_SHA_384 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384,
+ OID_BYTES_SHA_512 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512,
+ OID_BYTES_SHA_1 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1,
+ _ => return Err(error_here!(ErrorType::UnsupportedInput)),
+ })
+ };
+
+ Ok(SignParams::RSA(algorithm, hash))
+ }
+
+ fn get_algorithm(&self) -> SecKeyAlgorithm {
+ match self {
+ SignParams::EC(algorithm, _) => algorithm.as_concrete_TypeRef(),
+ SignParams::RSA(algorithm, _) => algorithm.as_concrete_TypeRef(),
+ }
+ }
+
+ fn get_data_to_sign(&self) -> &'a [u8] {
+ match self {
+ SignParams::EC(_, data_to_sign) => data_to_sign,
+ SignParams::RSA(_, data_to_sign) => data_to_sign,
+ }
+ }
+}
+
+pub struct Key {
+ identity: SecIdentity,
+ class: Vec<u8>,
+ token: Vec<u8>,
+ id: Vec<u8>,
+ private: Vec<u8>,
+ key_type: Vec<u8>,
+ modulus: Option<Vec<u8>>,
+ ec_params: Option<Vec<u8>>,
+ key_type_enum: KeyType,
+ key_handle: Option<SecKey>,
+}
+
+impl Key {
+ fn new(identity: &SecIdentity) -> Result<Key, Error> {
+ let certificate = sec_identity_copy_certificate(identity)?;
+ let der = sec_certificate_copy_data(&certificate)?;
+ let id = Sha256::digest(der.bytes()).to_vec();
+ let key = SECURITY_FRAMEWORK.sec_certificate_copy_key(&certificate)?;
+ let key_type: CFString = get_key_attribute(&key, unsafe { kSecAttrKeyType })?;
+ let key_size_in_bits: CFNumber = get_key_attribute(&key, unsafe { kSecAttrKeySizeInBits })?;
+ let mut modulus = None;
+ let mut ec_params = None;
+ let sec_attr_key_type_ec =
+ unsafe { CFString::wrap_under_create_rule(kSecAttrKeyTypeECSECPrimeRandom) };
+ let (key_type_enum, key_type_attribute) =
+ if key_type.as_concrete_TypeRef() == unsafe { kSecAttrKeyTypeRSA } {
+ let public_key = sec_key_copy_external_representation(&key)?;
+ let modulus_value = read_rsa_modulus(public_key.bytes())?;
+ modulus = Some(modulus_value);
+ (KeyType::RSA, CKK_RSA)
+ } else if key_type == sec_attr_key_type_ec {
+ // Assume all EC keys are secp256r1, secp384r1, or secp521r1. This
+ // is wrong, but the API doesn't seem to give us a way to determine
+ // which curve this key is on.
+ // This might not matter in practice, because it seems all NSS uses
+ // this for is to get the signature size.
+ let key_size_in_bits = match key_size_in_bits.to_i64() {
+ Some(value) => value,
+ None => return Err(error_here!(ErrorType::ValueTooLarge)),
+ };
+ match key_size_in_bits {
+ 256 => ec_params = Some(ENCODED_OID_BYTES_SECP256R1.to_vec()),
+ 384 => ec_params = Some(ENCODED_OID_BYTES_SECP384R1.to_vec()),
+ 521 => ec_params = Some(ENCODED_OID_BYTES_SECP521R1.to_vec()),
+ _ => return Err(error_here!(ErrorType::UnsupportedInput)),
+ }
+ let coordinate_width = (key_size_in_bits as usize + 7) / 8;
+ (KeyType::EC(coordinate_width), CKK_EC)
+ } else {
+ return Err(error_here!(ErrorType::LibraryFailure));
+ };
+
+ Ok(Key {
+ identity: identity.clone(),
+ class: serialize_uint(CKO_PRIVATE_KEY)?,
+ token: serialize_uint(CK_TRUE)?,
+ id,
+ private: serialize_uint(CK_TRUE)?,
+ key_type: serialize_uint(key_type_attribute)?,
+ modulus,
+ ec_params,
+ key_type_enum,
+ key_handle: None,
+ })
+ }
+
+ fn class(&self) -> &[u8] {
+ &self.class
+ }
+
+ fn token(&self) -> &[u8] {
+ &self.token
+ }
+
+ fn id(&self) -> &[u8] {
+ &self.id
+ }
+
+ fn private(&self) -> &[u8] {
+ &self.private
+ }
+
+ fn key_type(&self) -> &[u8] {
+ &self.key_type
+ }
+
+ fn modulus(&self) -> Option<&[u8]> {
+ match &self.modulus {
+ Some(modulus) => Some(modulus.as_slice()),
+ None => None,
+ }
+ }
+
+ fn ec_params(&self) -> Option<&[u8]> {
+ match &self.ec_params {
+ Some(ec_params) => Some(ec_params.as_slice()),
+ None => None,
+ }
+ }
+
+ fn sign_internal(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<Vec<u8>, Error> {
+ // If this key hasn't been used for signing yet, there won't be a cached key handle. Obtain
+ // and cache it if this is the case. Doing so can cause the underlying implementation to
+ // show an authentication or pin prompt to the user. Caching the handle can avoid causing
+ // multiple prompts to be displayed in some cases.
+ if self.key_handle.is_none() {
+ let _ = self
+ .key_handle
+ .replace(sec_identity_copy_private_key(&self.identity)?);
+ }
+ let key = match &self.key_handle {
+ Some(key) => key,
+ None => return Err(error_here!(ErrorType::LibraryFailure)),
+ };
+ let sign_params = SignParams::new(self.key_type_enum, data, params)?;
+ let signing_algorithm = sign_params.get_algorithm();
+ let data_to_sign = CFData::from_buffer(sign_params.get_data_to_sign());
+ let signature = sec_key_create_signature(key, signing_algorithm, &data_to_sign)?;
+ let signature_value = match self.key_type_enum {
+ KeyType::EC(coordinate_width) => {
+ // We need to convert the DER Ecdsa-Sig-Value to the
+ // concatenation of r and s, the coordinates of the point on
+ // the curve. r and s must be 0-padded to be coordinate_width
+ // total bytes.
+ let (r, s) = read_ec_sig_point(signature.bytes())?;
+ if r.len() > coordinate_width || s.len() > coordinate_width {
+ return Err(error_here!(ErrorType::InvalidInput));
+ }
+ let mut signature_value = Vec::with_capacity(2 * coordinate_width);
+ let r_padding = vec![0; coordinate_width - r.len()];
+ signature_value.extend(r_padding);
+ signature_value.extend_from_slice(r);
+ let s_padding = vec![0; coordinate_width - s.len()];
+ signature_value.extend(s_padding);
+ signature_value.extend_from_slice(s);
+ signature_value
+ }
+ KeyType::RSA => signature.bytes().to_vec(),
+ };
+ Ok(signature_value)
+ }
+}
+
+impl CryptokiObject for Key {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool {
+ // The modern/legacy slot distinction in theory enables differentiation
+ // between keys that are from modules that can use modern cryptography
+ // (namely EC keys and RSA-PSS signatures) and those that cannot.
+ // However, the function that would enable this
+ // (SecKeyIsAlgorithmSupported) causes a password dialog to appear on
+ // our test machines, so this backend pretends that everything supports
+ // modern crypto for now.
+ if slot_type != SlotType::Modern {
+ return false;
+ }
+ for (attr_type, attr_value) in attrs {
+ let comparison = match *attr_type {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_ID => self.id(),
+ CKA_PRIVATE => self.private(),
+ CKA_KEY_TYPE => self.key_type(),
+ CKA_MODULUS => {
+ if let Some(modulus) = self.modulus() {
+ modulus
+ } else {
+ return false;
+ }
+ }
+ CKA_EC_PARAMS => {
+ if let Some(ec_params) = self.ec_params() {
+ ec_params
+ } else {
+ return false;
+ }
+ }
+ _ => return false,
+ };
+ if attr_value.as_slice() != comparison {
+ return false;
+ }
+ }
+ true
+ }
+
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> {
+ match attribute {
+ CKA_CLASS => Some(self.class()),
+ CKA_TOKEN => Some(self.token()),
+ CKA_ID => Some(self.id()),
+ CKA_PRIVATE => Some(self.private()),
+ CKA_KEY_TYPE => Some(self.key_type()),
+ CKA_MODULUS => self.modulus(),
+ CKA_EC_PARAMS => self.ec_params(),
+ _ => None,
+ }
+ }
+}
+
+impl Sign for Key {
+ fn get_signature_length(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<usize, Error> {
+ // Unfortunately we don't have a way of getting the length of a signature without creating
+ // one.
+ let dummy_signature_bytes = self.sign(data, params)?;
+ Ok(dummy_signature_bytes.len())
+ }
+
+ // The input data is a hash. What algorithm we use depends on the size of the hash.
+ fn sign(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<Vec<u8>, Error> {
+ let result = self.sign_internal(data, params);
+ if result.is_ok() {
+ return result;
+ }
+ // Some devices appear to not work well when the key handle is held for too long or if a
+ // card is inserted/removed while Firefox is running. Try refreshing the key handle.
+ let _ = self.key_handle.take();
+ self.sign_internal(data, params)
+ }
+}
+
+fn get_key_attribute<T: TCFType + Clone>(key: &SecKey, attr: CFStringRef) -> Result<T, Error> {
+ let attributes: CFDictionary<CFString, T> = sec_key_copy_attributes(key);
+ match attributes.find(attr as *const _) {
+ Some(value) => Ok((*value).clone()),
+ None => Err(error_here!(ErrorType::ExternalError)),
+ }
+}
+
+// Given a SecIdentity, attempts to build as much of a path to a trust anchor as possible, gathers
+// the CA certificates from that path, and returns them. The purpose of this function is not to
+// validate the given certificate but to find CA certificates that gecko may need to do path
+// building when filtering client certificates according to the acceptable CA list sent by the
+// server during client authentication.
+fn get_issuers(identity: &SecIdentity) -> Result<Vec<SecCertificate>, Error> {
+ let certificate = sec_identity_copy_certificate(identity)?;
+ let policy = unsafe { SecPolicyCreateSSL(false, std::ptr::null()) };
+ if policy.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ let policy = unsafe { SecPolicy::wrap_under_create_rule(policy) };
+ let mut trust = std::ptr::null();
+ // Each of SecTrustCreateWithCertificates' input arguments can be either single items or an
+ // array of items. Since we only want to specify one of each, we directly specify the arguments.
+ let status = unsafe {
+ SecTrustCreateWithCertificates(
+ certificate.as_concrete_TypeRef(),
+ policy.as_concrete_TypeRef(),
+ &mut trust,
+ )
+ };
+ if status != errSecSuccess {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ if trust.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ let trust = unsafe { SecTrust::wrap_under_create_rule(trust) };
+ // Disable AIA fetching so that SecTrustEvaluateWithError doesn't result in network I/O.
+ let status = unsafe { SecTrustSetNetworkFetchAllowed(trust.as_concrete_TypeRef(), 0) };
+ if status != errSecSuccess {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ // We ignore the return value here because we don't care if the certificate is trusted or not -
+ // we're only doing this to build its issuer chain as much as possible.
+ let _ = SECURITY_FRAMEWORK.sec_trust_evaluate_with_error(&trust)?;
+ let certificate_count = unsafe { SecTrustGetCertificateCount(trust.as_concrete_TypeRef()) };
+ let mut certificates = Vec::with_capacity(
+ certificate_count
+ .try_into()
+ .map_err(|_| error_here!(ErrorType::ValueTooLarge))?,
+ );
+ for i in 1..certificate_count {
+ let certificate = unsafe { SecTrustGetCertificateAtIndex(trust.as_concrete_TypeRef(), i) };
+ if certificate.is_null() {
+ error!("SecTrustGetCertificateAtIndex returned null certificate?");
+ continue;
+ }
+ let certificate = unsafe { SecCertificate::wrap_under_get_rule(certificate) };
+ certificates.push(certificate);
+ }
+ Ok(certificates)
+}
+
+pub struct Backend {}
+
+impl ClientCertsBackend for Backend {
+ type Cert = Cert;
+ type Key = Key;
+
+ fn find_objects(&self) -> Result<(Vec<Cert>, Vec<Key>), Error> {
+ let mut certs = Vec::new();
+ let mut keys = Vec::new();
+ let identities = unsafe {
+ let class_key = CFString::wrap_under_get_rule(kSecClass);
+ let class_value = CFString::wrap_under_get_rule(kSecClassIdentity);
+ let return_ref_key = CFString::wrap_under_get_rule(kSecReturnRef);
+ let return_ref_value = CFBoolean::wrap_under_get_rule(kCFBooleanTrue);
+ let match_key = CFString::wrap_under_get_rule(kSecMatchLimit);
+ let match_value = CFString::wrap_under_get_rule(kSecMatchLimitAll);
+ let vals = vec![
+ (class_key.as_CFType(), class_value.as_CFType()),
+ (return_ref_key.as_CFType(), return_ref_value.as_CFType()),
+ (match_key.as_CFType(), match_value.as_CFType()),
+ ];
+ let dict = CFDictionary::from_CFType_pairs(&vals);
+ let mut result = std::ptr::null();
+ let status = SecItemCopyMatching(dict.as_CFTypeRef() as CFDictionaryRef, &mut result);
+ if status == errSecItemNotFound {
+ return Ok((certs, keys));
+ }
+ if status != errSecSuccess {
+ return Err(error_here!(ErrorType::ExternalError, status.to_string()));
+ }
+ if result.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ CFArray::<SecIdentityRef>::wrap_under_create_rule(result as CFArrayRef)
+ };
+ for identity in identities.get_all_values().iter() {
+ let identity = unsafe { SecIdentity::wrap_under_get_rule(*identity as SecIdentityRef) };
+ let cert = Cert::new_from_identity(&identity);
+ let key = Key::new(&identity);
+ if let (Ok(cert), Ok(key)) = (cert, key) {
+ certs.push(cert);
+ keys.push(key);
+ } else {
+ continue;
+ }
+ if let Ok(issuers) = get_issuers(&identity) {
+ for issuer in issuers {
+ if let Ok(cert) = Cert::new_from_certificate(&issuer) {
+ certs.push(cert);
+ }
+ }
+ }
+ }
+ Ok((certs, keys))
+ }
+}
diff --git a/security/manager/ssl/osclientcerts/src/backend_windows.rs b/security/manager/ssl/osclientcerts/src/backend_windows.rs
new file mode 100644
index 0000000000..2a80ff8354
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/src/backend_windows.rs
@@ -0,0 +1,914 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#![allow(non_camel_case_types)]
+
+use pkcs11_bindings::*;
+use rsclientcerts::error::{Error, ErrorType};
+use rsclientcerts::manager::{ClientCertsBackend, CryptokiObject, Sign, SlotType};
+use rsclientcerts::util::*;
+use sha2::{Digest, Sha256};
+use std::convert::TryInto;
+use std::ffi::{c_void, CStr, CString};
+use std::ops::Deref;
+use std::slice;
+use winapi::shared::bcrypt::*;
+use winapi::shared::minwindef::{DWORD, PBYTE};
+use winapi::um::errhandlingapi::GetLastError;
+use winapi::um::ncrypt::*;
+use winapi::um::wincrypt::{HCRYPTHASH, HCRYPTPROV, *};
+
+// winapi has some support for ncrypt.h, but not for this function.
+extern "system" {
+ fn NCryptSignHash(
+ hKey: NCRYPT_KEY_HANDLE,
+ pPaddingInfo: *mut c_void,
+ pbHashValue: PBYTE,
+ cbHashValue: DWORD,
+ pbSignature: PBYTE,
+ cbSignature: DWORD,
+ pcbResult: *mut DWORD,
+ dwFlags: DWORD,
+ ) -> SECURITY_STATUS;
+}
+
+/// Given a `CERT_INFO`, tries to return the bytes of the subject distinguished name as formatted by
+/// `CertNameToStrA` using the flag `CERT_SIMPLE_NAME_STR`. This is used as the label for the
+/// certificate.
+fn get_cert_subject_dn(cert_info: &CERT_INFO) -> Result<Vec<u8>, Error> {
+ let mut cert_info_subject = cert_info.Subject;
+ let subject_dn_len = unsafe {
+ CertNameToStrA(
+ X509_ASN_ENCODING,
+ &mut cert_info_subject,
+ CERT_SIMPLE_NAME_STR,
+ std::ptr::null_mut(),
+ 0,
+ )
+ };
+ // subject_dn_len includes the terminating null byte.
+ let mut subject_dn_string_bytes: Vec<u8> = vec![0; subject_dn_len as usize];
+ let subject_dn_len = unsafe {
+ CertNameToStrA(
+ X509_ASN_ENCODING,
+ &mut cert_info_subject,
+ CERT_SIMPLE_NAME_STR,
+ subject_dn_string_bytes.as_mut_ptr() as *mut i8,
+ subject_dn_string_bytes
+ .len()
+ .try_into()
+ .map_err(|_| error_here!(ErrorType::ValueTooLarge))?,
+ )
+ };
+ if subject_dn_len as usize != subject_dn_string_bytes.len() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ Ok(subject_dn_string_bytes)
+}
+
+/// Represents a certificate for which there exists a corresponding private key.
+pub struct Cert {
+ /// PKCS #11 object class. Will be `CKO_CERTIFICATE`.
+ class: Vec<u8>,
+ /// Whether or not this is on a token. Will be `CK_TRUE`.
+ token: Vec<u8>,
+ /// An identifier unique to this certificate. Must be the same as the ID for the private key.
+ id: Vec<u8>,
+ /// The bytes of a human-readable label for this certificate. Will be the subject DN.
+ label: Vec<u8>,
+ /// The DER bytes of the certificate.
+ value: Vec<u8>,
+ /// The DER bytes of the issuer distinguished name of the certificate.
+ issuer: Vec<u8>,
+ /// The DER bytes of the serial number of the certificate.
+ serial_number: Vec<u8>,
+ /// The DER bytes of the subject distinguished name of the certificate.
+ subject: Vec<u8>,
+ /// Which slot this certificate should be exposed on.
+ slot_type: SlotType,
+}
+
+impl Cert {
+ fn new(cert_context: PCCERT_CONTEXT) -> Result<Cert, Error> {
+ let cert = unsafe { &*cert_context };
+ let cert_info = unsafe { &*cert.pCertInfo };
+ let value =
+ unsafe { slice::from_raw_parts(cert.pbCertEncoded, cert.cbCertEncoded as usize) };
+ let value = value.to_vec();
+ let id = Sha256::digest(&value).to_vec();
+ let label = get_cert_subject_dn(cert_info)?;
+ let (serial_number, issuer, subject) = read_encoded_certificate_identifiers(&value)?;
+ Ok(Cert {
+ class: serialize_uint(CKO_CERTIFICATE)?,
+ token: serialize_uint(CK_TRUE)?,
+ id,
+ label,
+ value,
+ issuer,
+ serial_number,
+ subject,
+ slot_type: SlotType::Modern,
+ })
+ }
+
+ fn class(&self) -> &[u8] {
+ &self.class
+ }
+
+ fn token(&self) -> &[u8] {
+ &self.token
+ }
+
+ fn id(&self) -> &[u8] {
+ &self.id
+ }
+
+ fn label(&self) -> &[u8] {
+ &self.label
+ }
+
+ fn value(&self) -> &[u8] {
+ &self.value
+ }
+
+ fn issuer(&self) -> &[u8] {
+ &self.issuer
+ }
+
+ fn serial_number(&self) -> &[u8] {
+ &self.serial_number
+ }
+
+ fn subject(&self) -> &[u8] {
+ &self.subject
+ }
+}
+
+impl CryptokiObject for Cert {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool {
+ if slot_type != self.slot_type {
+ return false;
+ }
+ for (attr_type, attr_value) in attrs {
+ let comparison = match *attr_type {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_LABEL => self.label(),
+ CKA_ID => self.id(),
+ CKA_VALUE => self.value(),
+ CKA_ISSUER => self.issuer(),
+ CKA_SERIAL_NUMBER => self.serial_number(),
+ CKA_SUBJECT => self.subject(),
+ _ => return false,
+ };
+ if attr_value.as_slice() != comparison {
+ return false;
+ }
+ }
+ true
+ }
+
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> {
+ let result = match attribute {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_LABEL => self.label(),
+ CKA_ID => self.id(),
+ CKA_VALUE => self.value(),
+ CKA_ISSUER => self.issuer(),
+ CKA_SERIAL_NUMBER => self.serial_number(),
+ CKA_SUBJECT => self.subject(),
+ _ => return None,
+ };
+ Some(result)
+ }
+}
+
+struct CertContext(PCCERT_CONTEXT);
+
+impl CertContext {
+ fn new(cert: PCCERT_CONTEXT) -> CertContext {
+ CertContext(unsafe { CertDuplicateCertificateContext(cert) })
+ }
+}
+
+impl Drop for CertContext {
+ fn drop(&mut self) {
+ unsafe {
+ CertFreeCertificateContext(self.0);
+ }
+ }
+}
+
+impl Deref for CertContext {
+ type Target = PCCERT_CONTEXT;
+
+ fn deref(&self) -> &Self::Target {
+ &self.0
+ }
+}
+
+enum KeyHandle {
+ NCrypt(NCRYPT_KEY_HANDLE),
+ CryptoAPI(HCRYPTPROV, DWORD),
+}
+
+impl KeyHandle {
+ fn from_cert(cert: &CertContext) -> Result<KeyHandle, Error> {
+ let mut key_handle = 0;
+ let mut key_spec = 0;
+ let mut must_free = 0;
+ unsafe {
+ if CryptAcquireCertificatePrivateKey(
+ **cert,
+ CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG,
+ std::ptr::null_mut(),
+ &mut key_handle,
+ &mut key_spec,
+ &mut must_free,
+ ) != 1
+ {
+ return Err(error_here!(
+ ErrorType::ExternalError,
+ GetLastError().to_string()
+ ));
+ }
+ }
+ if must_free == 0 {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ if key_spec == CERT_NCRYPT_KEY_SPEC {
+ Ok(KeyHandle::NCrypt(key_handle as NCRYPT_KEY_HANDLE))
+ } else {
+ Ok(KeyHandle::CryptoAPI(key_handle as HCRYPTPROV, key_spec))
+ }
+ }
+
+ fn sign(
+ &self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ do_signature: bool,
+ key_type: KeyType,
+ ) -> Result<Vec<u8>, Error> {
+ match &self {
+ KeyHandle::NCrypt(ncrypt_handle) => {
+ sign_ncrypt(ncrypt_handle, data, params, do_signature, key_type)
+ }
+ KeyHandle::CryptoAPI(hcryptprov, key_spec) => {
+ sign_cryptoapi(hcryptprov, key_spec, data, params, do_signature)
+ }
+ }
+ }
+}
+
+impl Drop for KeyHandle {
+ fn drop(&mut self) {
+ match self {
+ KeyHandle::NCrypt(ncrypt_handle) => unsafe {
+ let _ = NCryptFreeObject(*ncrypt_handle);
+ },
+ KeyHandle::CryptoAPI(hcryptprov, _) => unsafe {
+ let _ = CryptReleaseContext(*hcryptprov, 0);
+ },
+ }
+ }
+}
+
+fn sign_ncrypt(
+ ncrypt_handle: &NCRYPT_KEY_HANDLE,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ do_signature: bool,
+ key_type: KeyType,
+) -> Result<Vec<u8>, Error> {
+ let mut sign_params = SignParams::new(key_type, params)?;
+ let params_ptr = sign_params.params_ptr();
+ let flags = sign_params.flags();
+ let mut data = data.to_vec();
+ let mut signature_len = 0;
+ // We call NCryptSignHash twice: the first time to get the size of the buffer we need to
+ // allocate and then again to actually sign the data, if `do_signature` is `true`.
+ let status = unsafe {
+ NCryptSignHash(
+ *ncrypt_handle,
+ params_ptr,
+ data.as_mut_ptr(),
+ data.len()
+ .try_into()
+ .map_err(|_| error_here!(ErrorType::ValueTooLarge))?,
+ std::ptr::null_mut(),
+ 0,
+ &mut signature_len,
+ flags,
+ )
+ };
+ // 0 is "ERROR_SUCCESS" (but "ERROR_SUCCESS" is unsigned, whereas SECURITY_STATUS is signed)
+ if status != 0 {
+ return Err(error_here!(ErrorType::ExternalError, status.to_string()));
+ }
+ let mut signature = vec![0; signature_len as usize];
+ if !do_signature {
+ return Ok(signature);
+ }
+ let mut final_signature_len = signature_len;
+ let status = unsafe {
+ NCryptSignHash(
+ *ncrypt_handle,
+ params_ptr,
+ data.as_mut_ptr(),
+ data.len()
+ .try_into()
+ .map_err(|_| error_here!(ErrorType::ValueTooLarge))?,
+ signature.as_mut_ptr(),
+ signature_len,
+ &mut final_signature_len,
+ flags,
+ )
+ };
+ if status != 0 {
+ return Err(error_here!(ErrorType::ExternalError, status.to_string()));
+ }
+ if final_signature_len != signature_len {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ Ok(signature)
+}
+
+fn sign_cryptoapi(
+ hcryptprov: &HCRYPTPROV,
+ key_spec: &DWORD,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ do_signature: bool,
+) -> Result<Vec<u8>, Error> {
+ if params.is_some() {
+ return Err(error_here!(ErrorType::LibraryFailure));
+ }
+ // data will be an encoded DigestInfo, which specifies the hash algorithm and bytes of the hash
+ // to sign. However, CryptoAPI requires directly specifying the bytes of the hash, so it must
+ // be extracted first.
+ let (_, hash_bytes) = read_digest_info(data)?;
+ let hash = HCryptHash::new(hcryptprov, hash_bytes)?;
+ let mut signature_len = 0;
+ if unsafe {
+ CryptSignHashW(
+ *hash,
+ *key_spec,
+ std::ptr::null_mut(),
+ 0,
+ std::ptr::null_mut(),
+ &mut signature_len,
+ )
+ } != 1
+ {
+ return Err(error_here!(
+ ErrorType::ExternalError,
+ unsafe { GetLastError() }.to_string()
+ ));
+ }
+ let mut signature = vec![0; signature_len as usize];
+ if !do_signature {
+ return Ok(signature);
+ }
+ let mut final_signature_len = signature_len;
+ if unsafe {
+ CryptSignHashW(
+ *hash,
+ *key_spec,
+ std::ptr::null_mut(),
+ 0,
+ signature.as_mut_ptr(),
+ &mut final_signature_len,
+ )
+ } != 1
+ {
+ return Err(error_here!(
+ ErrorType::ExternalError,
+ unsafe { GetLastError() }.to_string()
+ ));
+ }
+ if final_signature_len != signature_len {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ // CryptoAPI returns the signature with the most significant byte last (little-endian),
+ // whereas PKCS#11 expects the most significant byte first (big-endian).
+ signature.reverse();
+ Ok(signature)
+}
+
+struct HCryptHash(HCRYPTHASH);
+
+impl HCryptHash {
+ fn new(hcryptprov: &HCRYPTPROV, hash_bytes: &[u8]) -> Result<HCryptHash, Error> {
+ let alg = match hash_bytes.len() {
+ 20 => CALG_SHA1,
+ 32 => CALG_SHA_256,
+ 48 => CALG_SHA_384,
+ 64 => CALG_SHA_512,
+ _ => {
+ return Err(error_here!(ErrorType::UnsupportedInput));
+ }
+ };
+ let mut hash: HCRYPTHASH = 0;
+ if unsafe { CryptCreateHash(*hcryptprov, alg, 0, 0, &mut hash) } != 1 {
+ return Err(error_here!(
+ ErrorType::ExternalError,
+ unsafe { GetLastError() }.to_string()
+ ));
+ }
+ if unsafe { CryptSetHashParam(hash, HP_HASHVAL, hash_bytes.as_ptr(), 0) } != 1 {
+ return Err(error_here!(
+ ErrorType::ExternalError,
+ unsafe { GetLastError() }.to_string()
+ ));
+ }
+ Ok(HCryptHash(hash))
+ }
+}
+
+impl Drop for HCryptHash {
+ fn drop(&mut self) {
+ unsafe {
+ CryptDestroyHash(self.0);
+ }
+ }
+}
+
+impl Deref for HCryptHash {
+ type Target = HCRYPTHASH;
+
+ fn deref(&self) -> &Self::Target {
+ &self.0
+ }
+}
+
+// In some cases, the ncrypt API takes a pointer to a null-terminated wide-character string as a way
+// of specifying an algorithm. The "right" way to do this would be to take the corresponding
+// &'static str constant provided by the winapi crate, create an OsString from it, encode it as wide
+// characters, and collect it into a Vec<u16>. However, since the implementation that provides this
+// functionality isn't constant, we would have to manage the memory this creates and uses. Since
+// rust structures generally can't be self-referrential, this memory would have to live elsewhere,
+// and the nice abstractions we've created for this implementation start to break down. It's much
+// simpler to hard-code the identifiers we support, since there are only four of them.
+// The following arrays represent the identifiers "SHA1", "SHA256", "SHA384", and "SHA512",
+// respectively.
+const SHA1_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 49, 0];
+const SHA256_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 50, 53, 54, 0];
+const SHA384_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 51, 56, 52, 0];
+const SHA512_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 53, 49, 50, 0];
+
+enum SignParams {
+ EC,
+ RSA_PKCS1(BCRYPT_PKCS1_PADDING_INFO),
+ RSA_PSS(BCRYPT_PSS_PADDING_INFO),
+}
+
+impl SignParams {
+ fn new(
+ key_type: KeyType,
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<SignParams, Error> {
+ // EC is easy, so handle that first.
+ match key_type {
+ KeyType::EC => return Ok(SignParams::EC),
+ KeyType::RSA => {}
+ }
+ // If `params` is `Some`, we're doing RSA-PSS. If it is `None`, we're doing RSA-PKCS1.
+ let pss_params = match params {
+ Some(pss_params) => pss_params,
+ None => {
+ // The hash algorithm should be encoded in the data to be signed, so we don't have to
+ // (and don't want to) specify a particular algorithm here.
+ return Ok(SignParams::RSA_PKCS1(BCRYPT_PKCS1_PADDING_INFO {
+ pszAlgId: std::ptr::null(),
+ }));
+ }
+ };
+ let algorithm_string = match pss_params.hashAlg {
+ CKM_SHA_1 => SHA1_ALGORITHM_STRING,
+ CKM_SHA256 => SHA256_ALGORITHM_STRING,
+ CKM_SHA384 => SHA384_ALGORITHM_STRING,
+ CKM_SHA512 => SHA512_ALGORITHM_STRING,
+ _ => {
+ return Err(error_here!(ErrorType::UnsupportedInput));
+ }
+ };
+ Ok(SignParams::RSA_PSS(BCRYPT_PSS_PADDING_INFO {
+ pszAlgId: algorithm_string.as_ptr(),
+ cbSalt: pss_params.sLen,
+ }))
+ }
+
+ fn params_ptr(&mut self) -> *mut std::ffi::c_void {
+ match self {
+ SignParams::EC => std::ptr::null_mut(),
+ SignParams::RSA_PKCS1(params) => {
+ params as *mut BCRYPT_PKCS1_PADDING_INFO as *mut std::ffi::c_void
+ }
+ SignParams::RSA_PSS(params) => {
+ params as *mut BCRYPT_PSS_PADDING_INFO as *mut std::ffi::c_void
+ }
+ }
+ }
+
+ fn flags(&self) -> u32 {
+ match *self {
+ SignParams::EC => 0,
+ SignParams::RSA_PKCS1(_) => NCRYPT_PAD_PKCS1_FLAG,
+ SignParams::RSA_PSS(_) => NCRYPT_PAD_PSS_FLAG,
+ }
+ }
+}
+
+/// A helper enum to identify a private key's type. We support EC and RSA.
+#[allow(clippy::upper_case_acronyms)]
+#[derive(Clone, Copy, Debug)]
+pub enum KeyType {
+ EC,
+ RSA,
+}
+
+/// Represents a private key for which there exists a corresponding certificate.
+pub struct Key {
+ /// A handle on the OS mechanism that represents the certificate for this key.
+ cert: CertContext,
+ /// PKCS #11 object class. Will be `CKO_PRIVATE_KEY`.
+ class: Vec<u8>,
+ /// Whether or not this is on a token. Will be `CK_TRUE`.
+ token: Vec<u8>,
+ /// An identifier unique to this key. Must be the same as the ID for the certificate.
+ id: Vec<u8>,
+ /// Whether or not this key is "private" (can it be exported?). Will be CK_TRUE (it can't be
+ /// exported).
+ private: Vec<u8>,
+ /// PKCS #11 key type. Will be `CKK_EC` for EC, and `CKK_RSA` for RSA.
+ key_type: Vec<u8>,
+ /// If this is an RSA key, this is the value of the modulus as an unsigned integer.
+ modulus: Option<Vec<u8>>,
+ /// If this is an EC key, this is the DER bytes of the OID identifying the curve the key is on.
+ ec_params: Option<Vec<u8>>,
+ /// An enum identifying this key's type.
+ key_type_enum: KeyType,
+ /// Which slot this key should be exposed on.
+ slot_type: SlotType,
+ /// A handle on the OS mechanism that represents this key.
+ key_handle: Option<KeyHandle>,
+}
+
+impl Key {
+ fn new(cert_context: PCCERT_CONTEXT) -> Result<Key, Error> {
+ let cert = unsafe { *cert_context };
+ let cert_der =
+ unsafe { slice::from_raw_parts(cert.pbCertEncoded, cert.cbCertEncoded as usize) };
+ let id = Sha256::digest(cert_der).to_vec();
+ let id = id.to_vec();
+ let cert_info = unsafe { &*cert.pCertInfo };
+ let mut modulus = None;
+ let mut ec_params = None;
+ let spki = &cert_info.SubjectPublicKeyInfo;
+ let algorithm_oid = unsafe { CStr::from_ptr(spki.Algorithm.pszObjId) }
+ .to_str()
+ .map_err(|_| error_here!(ErrorType::ExternalError))?;
+ let (key_type_enum, key_type_attribute) = if algorithm_oid == szOID_RSA_RSA {
+ if spki.PublicKey.cUnusedBits != 0 {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ let public_key_bytes = unsafe {
+ std::slice::from_raw_parts(spki.PublicKey.pbData, spki.PublicKey.cbData as usize)
+ };
+ let modulus_value = read_rsa_modulus(public_key_bytes)?;
+ modulus = Some(modulus_value);
+ (KeyType::RSA, CKK_RSA)
+ } else if algorithm_oid == szOID_ECC_PUBLIC_KEY {
+ let params = &spki.Algorithm.Parameters;
+ ec_params = Some(
+ unsafe { std::slice::from_raw_parts(params.pbData, params.cbData as usize) }
+ .to_vec(),
+ );
+ (KeyType::EC, CKK_EC)
+ } else {
+ return Err(error_here!(ErrorType::LibraryFailure));
+ };
+ let cert = CertContext::new(cert_context);
+ Ok(Key {
+ cert,
+ class: serialize_uint(CKO_PRIVATE_KEY)?,
+ token: serialize_uint(CK_TRUE)?,
+ id,
+ private: serialize_uint(CK_TRUE)?,
+ key_type: serialize_uint(key_type_attribute)?,
+ modulus,
+ ec_params,
+ key_type_enum,
+ slot_type: SlotType::Modern,
+ key_handle: None,
+ })
+ }
+
+ fn class(&self) -> &[u8] {
+ &self.class
+ }
+
+ fn token(&self) -> &[u8] {
+ &self.token
+ }
+
+ fn id(&self) -> &[u8] {
+ &self.id
+ }
+
+ fn private(&self) -> &[u8] {
+ &self.private
+ }
+
+ fn key_type(&self) -> &[u8] {
+ &self.key_type
+ }
+
+ fn modulus(&self) -> Option<&[u8]> {
+ match &self.modulus {
+ Some(modulus) => Some(modulus.as_slice()),
+ None => None,
+ }
+ }
+
+ fn ec_params(&self) -> Option<&[u8]> {
+ match &self.ec_params {
+ Some(ec_params) => Some(ec_params.as_slice()),
+ None => None,
+ }
+ }
+
+ fn sign_with_retry(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ do_signature: bool,
+ ) -> Result<Vec<u8>, Error> {
+ let result = self.sign_internal(data, params, do_signature);
+ if result.is_ok() {
+ return result;
+ }
+ // Some devices appear to not work well when the key handle is held for too long or if a
+ // card is inserted/removed while Firefox is running. Try refreshing the key handle.
+ debug!("sign failed: refreshing key handle");
+ let _ = self.key_handle.take();
+ self.sign_internal(data, params, do_signature)
+ }
+
+ /// data: the data to sign
+ /// do_signature: if true, actually perform the signature. Otherwise, return a `Vec<u8>` of the
+ /// length the signature would be, if performed.
+ fn sign_internal(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ do_signature: bool,
+ ) -> Result<Vec<u8>, Error> {
+ // If this key hasn't been used for signing yet, there won't be a cached key handle. Obtain
+ // and cache it if this is the case. Doing so can cause the underlying implementation to
+ // show an authentication or pin prompt to the user. Caching the handle can avoid causing
+ // multiple prompts to be displayed in some cases.
+ if self.key_handle.is_none() {
+ let _ = self.key_handle.replace(KeyHandle::from_cert(&self.cert)?);
+ }
+ let key = match &self.key_handle {
+ Some(key) => key,
+ None => return Err(error_here!(ErrorType::LibraryFailure)),
+ };
+ key.sign(data, params, do_signature, self.key_type_enum)
+ }
+}
+
+impl CryptokiObject for Key {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool {
+ if slot_type != self.slot_type {
+ return false;
+ }
+ for (attr_type, attr_value) in attrs {
+ let comparison = match *attr_type {
+ CKA_CLASS => self.class(),
+ CKA_TOKEN => self.token(),
+ CKA_ID => self.id(),
+ CKA_PRIVATE => self.private(),
+ CKA_KEY_TYPE => self.key_type(),
+ CKA_MODULUS => {
+ if let Some(modulus) = self.modulus() {
+ modulus
+ } else {
+ return false;
+ }
+ }
+ CKA_EC_PARAMS => {
+ if let Some(ec_params) = self.ec_params() {
+ ec_params
+ } else {
+ return false;
+ }
+ }
+ _ => return false,
+ };
+ if attr_value.as_slice() != comparison {
+ return false;
+ }
+ }
+ true
+ }
+
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> {
+ match attribute {
+ CKA_CLASS => Some(self.class()),
+ CKA_TOKEN => Some(self.token()),
+ CKA_ID => Some(self.id()),
+ CKA_PRIVATE => Some(self.private()),
+ CKA_KEY_TYPE => Some(self.key_type()),
+ CKA_MODULUS => self.modulus(),
+ CKA_EC_PARAMS => self.ec_params(),
+ _ => None,
+ }
+ }
+}
+
+impl Sign for Key {
+ fn get_signature_length(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<usize, Error> {
+ match self.sign_with_retry(data, params, false) {
+ Ok(dummy_signature_bytes) => Ok(dummy_signature_bytes.len()),
+ Err(e) => Err(e),
+ }
+ }
+
+ fn sign(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<Vec<u8>, Error> {
+ self.sign_with_retry(data, params, true)
+ }
+}
+
+struct CertStore {
+ handle: HCERTSTORE,
+}
+
+impl Drop for CertStore {
+ fn drop(&mut self) {
+ if !self.handle.is_null() {
+ unsafe {
+ CertCloseStore(self.handle, 0);
+ }
+ }
+ }
+}
+
+impl Deref for CertStore {
+ type Target = HCERTSTORE;
+
+ fn deref(&self) -> &Self::Target {
+ &self.handle
+ }
+}
+
+impl CertStore {
+ fn new(handle: HCERTSTORE) -> CertStore {
+ CertStore { handle }
+ }
+}
+
+// Given a pointer to a CERT_CHAIN_CONTEXT, enumerates each chain in the context and each element
+// in each chain to gather every CERT_CONTEXT pointed to by the CERT_CHAIN_CONTEXT.
+// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_chain_context says
+// that the 0th element of the 0th chain will be the end-entity certificate. This certificate (if
+// present), will be the 0th element of the returned Vec.
+fn gather_cert_contexts(cert_chain_context: *const CERT_CHAIN_CONTEXT) -> Vec<*const CERT_CONTEXT> {
+ let mut cert_contexts = Vec::new();
+ if cert_chain_context.is_null() {
+ return cert_contexts;
+ }
+ let cert_chain_context = unsafe { &*cert_chain_context };
+ let cert_chains = unsafe {
+ std::slice::from_raw_parts(
+ cert_chain_context.rgpChain,
+ cert_chain_context.cChain as usize,
+ )
+ };
+ for cert_chain in cert_chains {
+ // First dereference the borrow.
+ let cert_chain = *cert_chain;
+ if cert_chain.is_null() {
+ continue;
+ }
+ // Then dereference the pointer.
+ let cert_chain = unsafe { &*cert_chain };
+ let chain_elements = unsafe {
+ std::slice::from_raw_parts(cert_chain.rgpElement, cert_chain.cElement as usize)
+ };
+ for chain_element in chain_elements {
+ let chain_element = *chain_element; // dereference borrow
+ if chain_element.is_null() {
+ continue;
+ }
+ let chain_element = unsafe { &*chain_element }; // dereference pointer
+ cert_contexts.push(chain_element.pCertContext);
+ }
+ }
+ cert_contexts
+}
+
+pub struct Backend {}
+
+impl ClientCertsBackend for Backend {
+ type Cert = Cert;
+ type Key = Key;
+
+ /// Attempts to enumerate certificates with private keys exposed by the OS. Currently only looks in
+ /// the "My" cert store of the current user. In the future this may look in more locations.
+ fn find_objects(&self) -> Result<(Vec<Cert>, Vec<Key>), Error> {
+ let mut certs = Vec::new();
+ let mut keys = Vec::new();
+ let location_flags = CERT_SYSTEM_STORE_CURRENT_USER
+ | CERT_STORE_OPEN_EXISTING_FLAG
+ | CERT_STORE_READONLY_FLAG;
+ let store_name = match CString::new("My") {
+ Ok(store_name) => store_name,
+ Err(_) => return Err(error_here!(ErrorType::LibraryFailure)),
+ };
+ let store = CertStore::new(unsafe {
+ CertOpenStore(
+ CERT_STORE_PROV_SYSTEM_REGISTRY_A,
+ 0,
+ 0,
+ location_flags,
+ store_name.as_ptr() as *const winapi::ctypes::c_void,
+ )
+ });
+ if store.is_null() {
+ return Err(error_here!(ErrorType::ExternalError));
+ }
+ let find_params = CERT_CHAIN_FIND_ISSUER_PARA {
+ cbSize: std::mem::size_of::<CERT_CHAIN_FIND_ISSUER_PARA>() as u32,
+ pszUsageIdentifier: std::ptr::null(),
+ dwKeySpec: 0,
+ dwAcquirePrivateKeyFlags: 0,
+ cIssuer: 0,
+ rgIssuer: std::ptr::null_mut(),
+ pfnFindCallback: None,
+ pvFindArg: std::ptr::null_mut(),
+ pdwIssuerChainIndex: std::ptr::null_mut(),
+ pdwIssuerElementIndex: std::ptr::null_mut(),
+ };
+ let mut cert_chain_context: PCCERT_CHAIN_CONTEXT = std::ptr::null_mut();
+ loop {
+ // CertFindChainInStore finds all certificates with private keys in the store. It also
+ // attempts to build a verified certificate chain to a trust anchor for each certificate.
+ // We gather and hold onto these extra certificates so that gecko can use them when
+ // filtering potential client certificates according to the acceptable CAs list sent by
+ // servers when they request client certificates.
+ cert_chain_context = unsafe {
+ CertFindChainInStore(
+ *store,
+ X509_ASN_ENCODING,
+ CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG
+ | CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG,
+ CERT_CHAIN_FIND_BY_ISSUER,
+ &find_params as *const CERT_CHAIN_FIND_ISSUER_PARA
+ as *const winapi::ctypes::c_void,
+ cert_chain_context,
+ )
+ };
+ if cert_chain_context.is_null() {
+ break;
+ }
+ let cert_contexts = gather_cert_contexts(cert_chain_context);
+ // The 0th CERT_CONTEXT is the end-entity (i.e. the certificate with the private key we're
+ // after).
+ match cert_contexts.get(0) {
+ Some(cert_context) => {
+ let key = match Key::new(*cert_context) {
+ Ok(key) => key,
+ Err(_) => continue,
+ };
+ let cert = match Cert::new(*cert_context) {
+ Ok(cert) => cert,
+ Err(_) => continue,
+ };
+ certs.push(cert);
+ keys.push(key);
+ }
+ None => {}
+ };
+ for cert_context in cert_contexts.iter().skip(1) {
+ if let Ok(cert) = Cert::new(*cert_context) {
+ certs.push(cert);
+ }
+ }
+ }
+ Ok((certs, keys))
+ }
+}
diff --git a/security/manager/ssl/osclientcerts/src/bindings_macos.rs b/security/manager/ssl/osclientcerts/src/bindings_macos.rs
new file mode 100644
index 0000000000..7294bbb555
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/src/bindings_macos.rs
@@ -0,0 +1,79 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This was originally generated by rust-bindgen at build time. Later in
+// development it became clear that using bindgen for this library as part of
+// mozilla-central would be difficult (if not impossible). So, this was
+// converted to a static file and unused declarations were removed. Also,
+// intermediate types added by rust-bindgen were removed for clarity.
+
+pub type OSStatus = i32;
+pub const errSecSuccess: OSStatus = 0;
+pub const errSecItemNotFound: OSStatus = -25300;
+
+pub type SecKeyAlgorithm = CFStringRef;
+
+extern "C" {
+ // Available starting macOS 10.3
+ pub fn SecCertificateGetTypeID() -> CFTypeID;
+ pub fn SecTrustCreateWithCertificates(
+ certificates: SecCertificateRef,
+ policies: SecPolicyRef,
+ trust: *mut SecTrustRef,
+ ) -> OSStatus;
+ pub fn SecIdentityGetTypeID() -> CFTypeID;
+ pub fn SecIdentityCopyCertificate(
+ identityRef: SecIdentityRef,
+ certificateRef: *mut SecCertificateRef,
+ ) -> OSStatus;
+ pub fn SecIdentityCopyPrivateKey(
+ identityRef: SecIdentityRef,
+ privateKeyRef: *mut SecKeyRef,
+ ) -> OSStatus;
+ pub fn SecKeyGetTypeID() -> CFTypeID;
+ pub fn SecPolicyGetTypeID() -> CFTypeID;
+ pub fn SecTrustGetTypeID() -> CFTypeID;
+
+ // Available starting macOS 10.6
+ pub fn SecCertificateCopyData(certificate: SecCertificateRef) -> CFDataRef;
+ pub fn SecCertificateCopySubjectSummary(certificate: SecCertificateRef) -> CFStringRef;
+ pub fn SecItemCopyMatching(query: CFDictionaryRef, result: *mut CFTypeRef) -> OSStatus;
+ pub fn SecPolicyCreateSSL(server: bool, hostname: CFStringRef) -> SecPolicyRef;
+ pub static kSecClass: CFStringRef;
+ pub static kSecAttrKeyType: CFStringRef;
+ pub static kSecAttrKeySizeInBits: CFStringRef;
+ pub static kSecMatchLimit: CFStringRef;
+ pub static kSecMatchLimitAll: CFStringRef;
+ pub static kSecReturnRef: CFStringRef;
+
+ // Available starting macOS 10.7
+ pub fn SecTrustGetCertificateAtIndex(trust: SecTrustRef, ix: CFIndex) -> SecCertificateRef;
+ pub fn SecTrustGetCertificateCount(trust: SecTrustRef) -> CFIndex;
+ pub static kSecClassIdentity: CFStringRef;
+ pub static kSecAttrKeyTypeRSA: CFStringRef;
+
+ // Available starting macOS 10.9
+ pub fn SecTrustSetNetworkFetchAllowed(trust: SecTrustRef, allowFetch: Boolean) -> OSStatus;
+
+ // Available starting macOS 10.12
+ pub fn SecKeyCreateSignature(
+ key: SecKeyRef,
+ algorithm: SecKeyAlgorithm,
+ data: CFDataRef,
+ err: *mut CFErrorRef,
+ ) -> CFDataRef;
+ pub fn SecKeyCopyAttributes(key: SecKeyRef) -> CFDictionaryRef;
+ pub fn SecKeyCopyExternalRepresentation(key: SecKeyRef, err: *mut CFErrorRef) -> CFDataRef;
+ pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA1: CFStringRef;
+ pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA256: CFStringRef;
+ pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA384: CFStringRef;
+ pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA512: CFStringRef;
+ pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw: CFStringRef;
+ pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256: CFStringRef;
+ pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384: CFStringRef;
+ pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512: CFStringRef;
+ pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1: CFStringRef;
+ pub static kSecAttrKeyTypeECSECPrimeRandom: CFStringRef;
+}
diff --git a/security/manager/ssl/osclientcerts/src/lib.rs b/security/manager/ssl/osclientcerts/src/lib.rs
new file mode 100644
index 0000000000..acffe51556
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/src/lib.rs
@@ -0,0 +1,1237 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#![allow(non_snake_case)]
+
+extern crate byteorder;
+#[cfg(target_os = "macos")]
+#[macro_use]
+extern crate core_foundation;
+extern crate env_logger;
+#[cfg(target_os = "macos")]
+#[macro_use]
+extern crate lazy_static;
+#[cfg(target_os = "macos")]
+extern crate libloading;
+#[macro_use]
+extern crate log;
+extern crate pkcs11_bindings;
+#[macro_use]
+extern crate rsclientcerts;
+extern crate sha2;
+#[cfg(target_os = "windows")]
+extern crate winapi;
+
+use pkcs11_bindings::*;
+use rsclientcerts::manager::{ManagerProxy, SlotType};
+use std::ffi::CStr;
+use std::sync::Mutex;
+use std::thread;
+
+#[cfg(target_os = "macos")]
+mod backend_macos;
+#[cfg(target_os = "windows")]
+mod backend_windows;
+
+#[cfg(target_os = "macos")]
+use crate::backend_macos::Backend;
+#[cfg(target_os = "windows")]
+use crate::backend_windows::Backend;
+
+struct ModuleState {
+ manager_proxy: ManagerProxy,
+ mechanisms: Vec<CK_MECHANISM_TYPE>,
+}
+
+/// The singleton `ModuleState` that handles state with respect to PKCS #11. Only one thread
+/// may use it at a time, but there is no restriction on which threads may use it. However, as
+/// OS APIs being used are not necessarily thread-safe (e.g. they may be using
+/// thread-local-storage), the `ManagerProxy` of the `ModuleState` forwards calls from any
+/// thread to a single thread where the real `Manager` does the actual work.
+static MODULE_STATE: Mutex<Option<ModuleState>> = Mutex::new(None);
+
+// Obtaining a handle on the manager proxy is a two-step process. First the mutex must be locked,
+// which (if successful), results in a mutex guard object. We must then get a mutable refence to the
+// underlying manager proxy (if set - otherwise we return an error). This can't happen all in one
+// macro without dropping a reference that needs to live long enough for this to be safe. In
+// practice, this looks like:
+// let mut module_state_guard = try_to_get_module_state_guard!();
+// let manager = module_state_guard_to_manager!(module_state_guard);
+macro_rules! try_to_get_module_state_guard {
+ () => {
+ match MODULE_STATE.lock() {
+ Ok(maybe_module_state) => maybe_module_state,
+ Err(poison_error) => {
+ log_with_thread_id!(
+ error,
+ "previous thread panicked acquiring manager lock: {}",
+ poison_error
+ );
+ return CKR_DEVICE_ERROR;
+ }
+ }
+ };
+}
+
+macro_rules! module_state_guard_to_manager {
+ ($module_state_guard:ident) => {
+ match $module_state_guard.as_mut() {
+ Some(module_state) => &mut module_state.manager_proxy,
+ None => {
+ log_with_thread_id!(error, "module state expected to be set, but it is not");
+ return CKR_DEVICE_ERROR;
+ }
+ }
+ };
+}
+
+macro_rules! module_state_guard_to_mechanisms {
+ ($module_state_guard:ident) => {
+ match $module_state_guard.as_ref() {
+ Some(module_state) => &module_state.mechanisms,
+ None => {
+ log_with_thread_id!(error, "module state expected to be set, but it is not");
+ return CKR_DEVICE_ERROR;
+ }
+ }
+ };
+}
+
+// Helper macro to prefix log messages with the current thread ID.
+macro_rules! log_with_thread_id {
+ ($log_level:ident, $($message:expr),*) => {
+ $log_level!("{:?} {}", thread::current().id(), format_args!($($message),*));
+ };
+}
+
+/// This gets called to initialize the module. For this implementation, this consists of
+/// instantiating the `ManagerProxy`.
+extern "C" fn C_Initialize(pInitArgs: CK_VOID_PTR) -> CK_RV {
+ // This will fail if this has already been called, but this isn't a problem because either way,
+ // logging has been initialized.
+ let _ = env_logger::try_init();
+
+ if pInitArgs.is_null() {
+ return CKR_DEVICE_ERROR;
+ }
+ let init_args_ptr = unsafe { (*(pInitArgs as CK_C_INITIALIZE_ARGS_PTR)).pReserved };
+ if init_args_ptr.is_null() {
+ return CKR_DEVICE_ERROR;
+ }
+ let init_args_cstr = unsafe { CStr::from_ptr(init_args_ptr as *mut std::os::raw::c_char) };
+ let init_args = match init_args_cstr.to_str() {
+ Ok(init_args) => init_args,
+ Err(_) => return CKR_DEVICE_ERROR,
+ };
+ let mechanisms = if init_args == "RSA-PSS" {
+ vec![CKM_ECDSA, CKM_RSA_PKCS, CKM_RSA_PKCS_PSS]
+ } else {
+ vec![CKM_ECDSA, CKM_RSA_PKCS]
+ };
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager_proxy = match ManagerProxy::new(Backend {}) {
+ Ok(p) => p,
+ Err(e) => {
+ log_with_thread_id!(error, "C_Initialize: ManagerProxy: {}", e);
+ return CKR_DEVICE_ERROR;
+ }
+ };
+ match module_state_guard.replace(ModuleState {
+ manager_proxy,
+ mechanisms,
+ }) {
+ Some(_unexpected_previous_module_state) => {
+ #[cfg(target_os = "macos")]
+ {
+ log_with_thread_id!(info, "C_Initialize: module state previously set (this is expected on macOS - replacing it)");
+ }
+ #[cfg(target_os = "windows")]
+ {
+ log_with_thread_id!(
+ warn,
+ "C_Initialize: module state unexpectedly previously set (replacing it)"
+ );
+ }
+ }
+ None => {}
+ }
+ log_with_thread_id!(debug, "C_Initialize: CKR_OK");
+ CKR_OK
+}
+
+extern "C" fn C_Finalize(_pReserved: CK_VOID_PTR) -> CK_RV {
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ match manager.stop() {
+ Ok(()) => {
+ log_with_thread_id!(debug, "C_Finalize: CKR_OK");
+ CKR_OK
+ }
+ Err(e) => {
+ log_with_thread_id!(error, "C_Finalize: CKR_DEVICE_ERROR: {}", e);
+ CKR_DEVICE_ERROR
+ }
+ }
+}
+
+// The specification mandates that these strings be padded with spaces to the appropriate length.
+// Since the length of fixed-size arrays in rust is part of the type, the compiler enforces that
+// these byte strings are of the correct length.
+const MANUFACTURER_ID_BYTES: &[u8; 32] = b"Mozilla Corporation ";
+const LIBRARY_DESCRIPTION_BYTES: &[u8; 32] = b"OS Client Cert Module ";
+
+/// This gets called to gather some information about the module. In particular, this implementation
+/// supports (portions of) cryptoki (PKCS #11) version 2.2.
+extern "C" fn C_GetInfo(pInfo: CK_INFO_PTR) -> CK_RV {
+ if pInfo.is_null() {
+ log_with_thread_id!(error, "C_GetInfo: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ log_with_thread_id!(debug, "C_GetInfo: CKR_OK");
+ let mut info = CK_INFO::default();
+ info.cryptokiVersion.major = 2;
+ info.cryptokiVersion.minor = 2;
+ info.manufacturerID = *MANUFACTURER_ID_BYTES;
+ info.libraryDescription = *LIBRARY_DESCRIPTION_BYTES;
+ unsafe {
+ *pInfo = info;
+ }
+ CKR_OK
+}
+
+/// This module has one slot.
+const SLOT_COUNT: CK_ULONG = 1;
+const SLOT_ID: CK_SLOT_ID = 1;
+
+/// This gets called twice: once with a null `pSlotList` to get the number of slots (returned via
+/// `pulCount`) and a second time to get the ID for each slot.
+extern "C" fn C_GetSlotList(
+ _tokenPresent: CK_BBOOL,
+ pSlotList: CK_SLOT_ID_PTR,
+ pulCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if pulCount.is_null() {
+ log_with_thread_id!(error, "C_GetSlotList: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ if !pSlotList.is_null() {
+ if unsafe { *pulCount } < SLOT_COUNT {
+ log_with_thread_id!(error, "C_GetSlotList: CKR_BUFFER_TOO_SMALL");
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ unsafe {
+ *pSlotList = SLOT_ID;
+ }
+ };
+ unsafe {
+ *pulCount = SLOT_COUNT;
+ }
+ log_with_thread_id!(debug, "C_GetSlotList: CKR_OK");
+ CKR_OK
+}
+
+const SLOT_DESCRIPTION_BYTES: &[u8; 64] =
+ b"OS Client Cert Slot ";
+
+/// This gets called to obtain information about slots. In this implementation, the token is
+/// always present in the singular slot.
+extern "C" fn C_GetSlotInfo(slotID: CK_SLOT_ID, pInfo: CK_SLOT_INFO_PTR) -> CK_RV {
+ if slotID != SLOT_ID || pInfo.is_null() {
+ log_with_thread_id!(error, "C_GetSlotInfo: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let slot_info = CK_SLOT_INFO {
+ slotDescription: *SLOT_DESCRIPTION_BYTES,
+ manufacturerID: *MANUFACTURER_ID_BYTES,
+ flags: CKF_TOKEN_PRESENT,
+ hardwareVersion: CK_VERSION::default(),
+ firmwareVersion: CK_VERSION::default(),
+ };
+ unsafe {
+ *pInfo = slot_info;
+ }
+ log_with_thread_id!(debug, "C_GetSlotInfo: CKR_OK");
+ CKR_OK
+}
+
+const TOKEN_LABEL_BYTES: &[u8; 32] = b"OS Client Cert Token ";
+const TOKEN_MODEL_BYTES: &[u8; 16] = b"osclientcerts ";
+const TOKEN_SERIAL_NUMBER_BYTES: &[u8; 16] = b"0000000000000000";
+
+/// This gets called to obtain some information about tokens. This implementation has one slot,
+/// so it has one token. This information is primarily for display purposes.
+extern "C" fn C_GetTokenInfo(slotID: CK_SLOT_ID, pInfo: CK_TOKEN_INFO_PTR) -> CK_RV {
+ if slotID != SLOT_ID || pInfo.is_null() {
+ log_with_thread_id!(error, "C_GetTokenInfo: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut token_info = CK_TOKEN_INFO::default();
+ token_info.label = *TOKEN_LABEL_BYTES;
+ token_info.manufacturerID = *MANUFACTURER_ID_BYTES;
+ token_info.model = *TOKEN_MODEL_BYTES;
+ token_info.serialNumber = *TOKEN_SERIAL_NUMBER_BYTES;
+ unsafe {
+ *pInfo = token_info;
+ }
+ log_with_thread_id!(debug, "C_GetTokenInfo: CKR_OK");
+ CKR_OK
+}
+
+/// This gets called to determine what mechanisms a slot supports. The singular slot supports
+/// ECDSA and RSA PKCS1. Depending on the configuration the module was loaded with, it may also
+/// support RSA PSS.
+extern "C" fn C_GetMechanismList(
+ slotID: CK_SLOT_ID,
+ pMechanismList: CK_MECHANISM_TYPE_PTR,
+ pulCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if slotID != SLOT_ID || pulCount.is_null() {
+ log_with_thread_id!(error, "C_GetMechanismList: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let module_state_guard = try_to_get_module_state_guard!();
+ let mechanisms = module_state_guard_to_mechanisms!(module_state_guard);
+ if !pMechanismList.is_null() {
+ if unsafe { *pulCount as usize } < mechanisms.len() {
+ log_with_thread_id!(error, "C_GetMechanismList: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ for (i, mechanism) in mechanisms.iter().enumerate() {
+ unsafe {
+ *pMechanismList.add(i) = *mechanism;
+ }
+ }
+ }
+ unsafe {
+ *pulCount = mechanisms.len() as CK_ULONG;
+ }
+ log_with_thread_id!(debug, "C_GetMechanismList: CKR_OK");
+ CKR_OK
+}
+
+extern "C" fn C_GetMechanismInfo(
+ _slotID: CK_SLOT_ID,
+ _type: CK_MECHANISM_TYPE,
+ _pInfo: CK_MECHANISM_INFO_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_GetMechanismInfo: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_InitToken(
+ _slotID: CK_SLOT_ID,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+ _pLabel: CK_UTF8CHAR_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_InitToken: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_InitPIN(
+ _hSession: CK_SESSION_HANDLE,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_InitPIN: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SetPIN(
+ _hSession: CK_SESSION_HANDLE,
+ _pOldPin: CK_UTF8CHAR_PTR,
+ _ulOldLen: CK_ULONG,
+ _pNewPin: CK_UTF8CHAR_PTR,
+ _ulNewLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SetPIN: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to create a new session. This module defers to the `ManagerProxy` to implement
+/// this.
+extern "C" fn C_OpenSession(
+ slotID: CK_SLOT_ID,
+ _flags: CK_FLAGS,
+ _pApplication: CK_VOID_PTR,
+ _Notify: CK_NOTIFY,
+ phSession: CK_SESSION_HANDLE_PTR,
+) -> CK_RV {
+ if slotID != SLOT_ID || phSession.is_null() {
+ log_with_thread_id!(error, "C_OpenSession: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ // The "modern"/"legacy" slot distinction still exists in ipcclientcerts,
+ // which shares some library code with this module, to allow for a more
+ // nuanced notion of whether or not e.g. RSA-PSS is supported.
+ let session_handle = match manager.open_session(SlotType::Modern) {
+ Ok(session_handle) => session_handle,
+ Err(e) => {
+ log_with_thread_id!(error, "C_OpenSession: open_session failed: {}", e);
+ return CKR_DEVICE_ERROR;
+ }
+ };
+ unsafe {
+ *phSession = session_handle;
+ }
+ log_with_thread_id!(debug, "C_OpenSession: CKR_OK");
+ CKR_OK
+}
+
+/// This gets called to close a session. This is handled by the `ManagerProxy`.
+extern "C" fn C_CloseSession(hSession: CK_SESSION_HANDLE) -> CK_RV {
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ if manager.close_session(hSession).is_err() {
+ log_with_thread_id!(error, "C_CloseSession: CKR_SESSION_HANDLE_INVALID");
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ log_with_thread_id!(debug, "C_CloseSession: CKR_OK");
+ CKR_OK
+}
+
+/// This gets called to close all open sessions at once. This is handled by the `ManagerProxy`.
+extern "C" fn C_CloseAllSessions(slotID: CK_SLOT_ID) -> CK_RV {
+ if slotID != SLOT_ID {
+ log_with_thread_id!(error, "C_CloseAllSessions: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ match manager.close_all_sessions(SlotType::Modern) {
+ Ok(()) => {
+ log_with_thread_id!(debug, "C_CloseAllSessions: CKR_OK");
+ CKR_OK
+ }
+ Err(e) => {
+ log_with_thread_id!(
+ error,
+ "C_CloseAllSessions: close_all_sessions failed: {}",
+ e
+ );
+ CKR_DEVICE_ERROR
+ }
+ }
+}
+
+extern "C" fn C_GetSessionInfo(_hSession: CK_SESSION_HANDLE, _pInfo: CK_SESSION_INFO_PTR) -> CK_RV {
+ log_with_thread_id!(error, "C_GetSessionInfo: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetOperationState(
+ _hSession: CK_SESSION_HANDLE,
+ _pOperationState: CK_BYTE_PTR,
+ _pulOperationStateLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_GetOperationState: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SetOperationState(
+ _hSession: CK_SESSION_HANDLE,
+ _pOperationState: CK_BYTE_PTR,
+ _ulOperationStateLen: CK_ULONG,
+ _hEncryptionKey: CK_OBJECT_HANDLE,
+ _hAuthenticationKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SetOperationState: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Login(
+ _hSession: CK_SESSION_HANDLE,
+ _userType: CK_USER_TYPE,
+ _pPin: CK_UTF8CHAR_PTR,
+ _ulPinLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_Login: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to log out and drop any authenticated resources. Because this module does not
+/// hold on to authenticated resources, this module "implements" this by doing nothing and
+/// returning a success result.
+extern "C" fn C_Logout(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ log_with_thread_id!(debug, "C_Logout: CKR_OK");
+ CKR_OK
+}
+
+extern "C" fn C_CreateObject(
+ _hSession: CK_SESSION_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phObject: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_CreateObject: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_CopyObject(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phNewObject: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_CopyObject: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DestroyObject(_hSession: CK_SESSION_HANDLE, _hObject: CK_OBJECT_HANDLE) -> CK_RV {
+ log_with_thread_id!(error, "C_DestroyObject: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetObjectSize(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pulSize: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_GetObjectSize: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to obtain the values of a number of attributes of an object identified by the
+/// given handle. This module implements this by requesting that the `ManagerProxy` find the object
+/// and attempt to get the value of each attribute. If a specified attribute is not defined on the
+/// object, the length of that attribute is set to -1 to indicate that it is not available.
+/// This gets called twice: once to obtain the lengths of the attributes and again to get the
+/// values.
+extern "C" fn C_GetAttributeValue(
+ _hSession: CK_SESSION_HANDLE,
+ hObject: CK_OBJECT_HANDLE,
+ pTemplate: CK_ATTRIBUTE_PTR,
+ ulCount: CK_ULONG,
+) -> CK_RV {
+ if pTemplate.is_null() {
+ log_with_thread_id!(error, "C_GetAttributeValue: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut attr_types = Vec::with_capacity(ulCount as usize);
+ for i in 0..ulCount as usize {
+ let attr = unsafe { &*pTemplate.add(i) };
+ attr_types.push(attr.type_);
+ }
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ let values = match manager.get_attributes(hObject, attr_types) {
+ Ok(values) => values,
+ Err(e) => {
+ log_with_thread_id!(error, "C_GetAttributeValue: CKR_ARGUMENTS_BAD ({})", e);
+ return CKR_ARGUMENTS_BAD;
+ }
+ };
+ if values.len() != ulCount as usize {
+ log_with_thread_id!(
+ error,
+ "C_GetAttributeValue: manager.get_attributes didn't return the right number of values"
+ );
+ return CKR_DEVICE_ERROR;
+ }
+ for (i, value) in values.iter().enumerate().take(ulCount as usize) {
+ let attr = unsafe { &mut *pTemplate.add(i) };
+ if let Some(attr_value) = value {
+ if attr.pValue.is_null() {
+ attr.ulValueLen = attr_value.len() as CK_ULONG;
+ } else {
+ let ptr: *mut u8 = attr.pValue as *mut u8;
+ if attr_value.len() != attr.ulValueLen as usize {
+ log_with_thread_id!(error, "C_GetAttributeValue: incorrect attr size");
+ return CKR_ARGUMENTS_BAD;
+ }
+ unsafe {
+ std::ptr::copy_nonoverlapping(attr_value.as_ptr(), ptr, attr_value.len());
+ }
+ }
+ } else {
+ attr.ulValueLen = (0 - 1) as CK_ULONG;
+ }
+ }
+ log_with_thread_id!(debug, "C_GetAttributeValue: CKR_OK");
+ CKR_OK
+}
+
+extern "C" fn C_SetAttributeValue(
+ _hSession: CK_SESSION_HANDLE,
+ _hObject: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SetAttributeValue: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+fn trace_attr(prefix: &str, attr: &CK_ATTRIBUTE) {
+ let typ = match unsafe_packed_field_access!(attr.type_) {
+ CKA_CLASS => "CKA_CLASS".to_string(),
+ CKA_TOKEN => "CKA_TOKEN".to_string(),
+ CKA_LABEL => "CKA_LABEL".to_string(),
+ CKA_ID => "CKA_ID".to_string(),
+ CKA_VALUE => "CKA_VALUE".to_string(),
+ CKA_ISSUER => "CKA_ISSUER".to_string(),
+ CKA_SERIAL_NUMBER => "CKA_SERIAL_NUMBER".to_string(),
+ CKA_SUBJECT => "CKA_SUBJECT".to_string(),
+ CKA_PRIVATE => "CKA_PRIVATE".to_string(),
+ CKA_KEY_TYPE => "CKA_KEY_TYPE".to_string(),
+ CKA_MODULUS => "CKA_MODULUS".to_string(),
+ CKA_EC_PARAMS => "CKA_EC_PARAMS".to_string(),
+ _ => format!("0x{:x}", unsafe_packed_field_access!(attr.type_)),
+ };
+ let value =
+ unsafe { std::slice::from_raw_parts(attr.pValue as *const u8, attr.ulValueLen as usize) };
+ log_with_thread_id!(
+ trace,
+ "{}CK_ATTRIBUTE {{ type: {}, pValue: {:?}, ulValueLen: {} }}",
+ prefix,
+ typ,
+ value,
+ unsafe_packed_field_access!(attr.ulValueLen)
+ );
+}
+
+/// This gets called to initialize a search for objects matching a given list of attributes. This
+/// module implements this by gathering the attributes and passing them to the `ManagerProxy` to
+/// start the search.
+extern "C" fn C_FindObjectsInit(
+ hSession: CK_SESSION_HANDLE,
+ pTemplate: CK_ATTRIBUTE_PTR,
+ ulCount: CK_ULONG,
+) -> CK_RV {
+ if pTemplate.is_null() {
+ log_with_thread_id!(error, "C_FindObjectsInit: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut attrs = Vec::new();
+ log_with_thread_id!(trace, "C_FindObjectsInit:");
+ for i in 0..ulCount as usize {
+ let attr = unsafe { &*pTemplate.add(i) };
+ trace_attr(" ", attr);
+ let slice = unsafe {
+ std::slice::from_raw_parts(attr.pValue as *const u8, attr.ulValueLen as usize)
+ };
+ attrs.push((attr.type_, slice.to_owned()));
+ }
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ match manager.start_search(hSession, attrs) {
+ Ok(()) => {}
+ Err(e) => {
+ log_with_thread_id!(error, "C_FindObjectsInit: CKR_ARGUMENTS_BAD: {}", e);
+ return CKR_ARGUMENTS_BAD;
+ }
+ }
+ log_with_thread_id!(debug, "C_FindObjectsInit: CKR_OK");
+ CKR_OK
+}
+
+/// This gets called after `C_FindObjectsInit` to get the results of a search. This module
+/// implements this by looking up the search in the `ManagerProxy` and copying out the matching
+/// object handles.
+extern "C" fn C_FindObjects(
+ hSession: CK_SESSION_HANDLE,
+ phObject: CK_OBJECT_HANDLE_PTR,
+ ulMaxObjectCount: CK_ULONG,
+ pulObjectCount: CK_ULONG_PTR,
+) -> CK_RV {
+ if phObject.is_null() || pulObjectCount.is_null() || ulMaxObjectCount == 0 {
+ log_with_thread_id!(error, "C_FindObjects: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ let handles = match manager.search(hSession, ulMaxObjectCount as usize) {
+ Ok(handles) => handles,
+ Err(e) => {
+ log_with_thread_id!(error, "C_FindObjects: CKR_ARGUMENTS_BAD: {}", e);
+ return CKR_ARGUMENTS_BAD;
+ }
+ };
+ log_with_thread_id!(debug, "C_FindObjects: found handles {:?}", handles);
+ if handles.len() > ulMaxObjectCount as usize {
+ log_with_thread_id!(error, "C_FindObjects: manager returned too many handles");
+ return CKR_DEVICE_ERROR;
+ }
+ unsafe {
+ *pulObjectCount = handles.len() as CK_ULONG;
+ }
+ for (index, handle) in handles.iter().enumerate() {
+ if index < ulMaxObjectCount as usize {
+ unsafe {
+ *(phObject.add(index)) = *handle;
+ }
+ }
+ }
+ log_with_thread_id!(debug, "C_FindObjects: CKR_OK");
+ CKR_OK
+}
+
+/// This gets called after `C_FindObjectsInit` and `C_FindObjects` to finish a search. The module
+/// tells the `ManagerProxy` to clear the search.
+extern "C" fn C_FindObjectsFinal(hSession: CK_SESSION_HANDLE) -> CK_RV {
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ // It would be an error if there were no search for this session, but we can be permissive here.
+ match manager.clear_search(hSession) {
+ Ok(()) => {
+ log_with_thread_id!(debug, "C_FindObjectsFinal: CKR_OK");
+ CKR_OK
+ }
+ Err(e) => {
+ log_with_thread_id!(error, "C_FindObjectsFinal: clear_search failed: {}", e);
+ CKR_DEVICE_ERROR
+ }
+ }
+}
+
+extern "C" fn C_EncryptInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_EncryptInit: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Encrypt(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pEncryptedData: CK_BYTE_PTR,
+ _pulEncryptedDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_Encrypt: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_EncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_EncryptUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_EncryptFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pLastEncryptedPart: CK_BYTE_PTR,
+ _pulLastEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_EncryptFinal: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DecryptInit: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Decrypt(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedData: CK_BYTE_PTR,
+ _ulEncryptedDataLen: CK_ULONG,
+ _pData: CK_BYTE_PTR,
+ _pulDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_Decrypt: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DecryptUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pLastPart: CK_BYTE_PTR,
+ _pulLastPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DecryptFinal: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestInit(_hSession: CK_SESSION_HANDLE, _pMechanism: CK_MECHANISM_PTR) -> CK_RV {
+ log_with_thread_id!(error, "C_DigestInit: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Digest(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pDigest: CK_BYTE_PTR,
+ _pulDigestLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_Digest: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DigestUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestKey(_hSession: CK_SESSION_HANDLE, _hKey: CK_OBJECT_HANDLE) -> CK_RV {
+ log_with_thread_id!(error, "C_DigestKey: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pDigest: CK_BYTE_PTR,
+ _pulDigestLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DigestFinal: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// This gets called to set up a sign operation. The module essentially defers to the
+/// `ManagerProxy`.
+extern "C" fn C_SignInit(
+ hSession: CK_SESSION_HANDLE,
+ pMechanism: CK_MECHANISM_PTR,
+ hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ if pMechanism.is_null() {
+ log_with_thread_id!(error, "C_SignInit: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ // Presumably we should validate the mechanism against hKey, but the specification doesn't
+ // actually seem to require this.
+ let mechanism = unsafe { *pMechanism };
+ log_with_thread_id!(debug, "C_SignInit: mechanism is {:?}", mechanism);
+ let mechanism_params = if mechanism.mechanism == CKM_RSA_PKCS_PSS {
+ if mechanism.ulParameterLen as usize != std::mem::size_of::<CK_RSA_PKCS_PSS_PARAMS>() {
+ log_with_thread_id!(
+ error,
+ "C_SignInit: bad ulParameterLen for CKM_RSA_PKCS_PSS: {}",
+ unsafe_packed_field_access!(mechanism.ulParameterLen)
+ );
+ return CKR_ARGUMENTS_BAD;
+ }
+ Some(unsafe { *(mechanism.pParameter as *const CK_RSA_PKCS_PSS_PARAMS) })
+ } else {
+ None
+ };
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ match manager.start_sign(hSession, hKey, mechanism_params) {
+ Ok(()) => {}
+ Err(e) => {
+ log_with_thread_id!(error, "C_SignInit: CKR_GENERAL_ERROR: {}", e);
+ return CKR_GENERAL_ERROR;
+ }
+ };
+ log_with_thread_id!(debug, "C_SignInit: CKR_OK");
+ CKR_OK
+}
+
+/// NSS calls this after `C_SignInit` (there are more ways in the PKCS #11 specification to sign
+/// data, but this is the only way supported by this module). The module essentially defers to the
+/// `ManagerProxy` and copies out the resulting signature.
+extern "C" fn C_Sign(
+ hSession: CK_SESSION_HANDLE,
+ pData: CK_BYTE_PTR,
+ ulDataLen: CK_ULONG,
+ pSignature: CK_BYTE_PTR,
+ pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ if pData.is_null() || pulSignatureLen.is_null() {
+ log_with_thread_id!(error, "C_Sign: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let data = unsafe { std::slice::from_raw_parts(pData, ulDataLen as usize) };
+ if pSignature.is_null() {
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ match manager.get_signature_length(hSession, data.to_vec()) {
+ Ok(signature_length) => unsafe {
+ *pulSignatureLen = signature_length as CK_ULONG;
+ },
+ Err(e) => {
+ log_with_thread_id!(error, "C_Sign: get_signature_length failed: {}", e);
+ log_with_thread_id!(error, "C_Sign: try setting security.osclientcerts.assume_rsa_pss_support to false and restarting");
+ return CKR_GENERAL_ERROR;
+ }
+ }
+ } else {
+ let mut module_state_guard = try_to_get_module_state_guard!();
+ let manager = module_state_guard_to_manager!(module_state_guard);
+ match manager.sign(hSession, data.to_vec()) {
+ Ok(signature) => {
+ let signature_capacity = unsafe { *pulSignatureLen } as usize;
+ if signature_capacity < signature.len() {
+ log_with_thread_id!(error, "C_Sign: CKR_ARGUMENTS_BAD");
+ return CKR_ARGUMENTS_BAD;
+ }
+ let ptr: *mut u8 = pSignature as *mut u8;
+ unsafe {
+ std::ptr::copy_nonoverlapping(signature.as_ptr(), ptr, signature.len());
+ *pulSignatureLen = signature.len() as CK_ULONG;
+ }
+ }
+ Err(e) => {
+ log_with_thread_id!(error, "C_Sign: sign failed: {}", e);
+ log_with_thread_id!(error, "C_Sign: try setting security.osclientcerts.assume_rsa_pss_support to false and restarting");
+ return CKR_GENERAL_ERROR;
+ }
+ }
+ }
+ log_with_thread_id!(debug, "C_Sign: CKR_OK");
+ CKR_OK
+}
+
+extern "C" fn C_SignUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SignUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SignFinal: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignRecoverInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SignRecoverInit: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignRecover(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pSignature: CK_BYTE_PTR,
+ _pulSignatureLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SignRecover: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_VerifyInit: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_Verify(
+ _hSession: CK_SESSION_HANDLE,
+ _pData: CK_BYTE_PTR,
+ _ulDataLen: CK_ULONG,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_Verify: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_VerifyUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyFinal(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_VerifyFinal: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyRecoverInit(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hKey: CK_OBJECT_HANDLE,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_VerifyRecoverInit: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_VerifyRecover(
+ _hSession: CK_SESSION_HANDLE,
+ _pSignature: CK_BYTE_PTR,
+ _ulSignatureLen: CK_ULONG,
+ _pData: CK_BYTE_PTR,
+ _pulDataLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_VerifyRecover: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DigestEncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DigestEncryptUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptDigestUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DecryptDigestUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SignEncryptUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pPart: CK_BYTE_PTR,
+ _ulPartLen: CK_ULONG,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _pulEncryptedPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SignEncryptUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DecryptVerifyUpdate(
+ _hSession: CK_SESSION_HANDLE,
+ _pEncryptedPart: CK_BYTE_PTR,
+ _ulEncryptedPartLen: CK_ULONG,
+ _pPart: CK_BYTE_PTR,
+ _pulPartLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DecryptVerifyUpdate: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_GenerateKey: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateKeyPair(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _pPublicKeyTemplate: CK_ATTRIBUTE_PTR,
+ _ulPublicKeyAttributeCount: CK_ULONG,
+ _pPrivateKeyTemplate: CK_ATTRIBUTE_PTR,
+ _ulPrivateKeyAttributeCount: CK_ULONG,
+ _phPublicKey: CK_OBJECT_HANDLE_PTR,
+ _phPrivateKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_GenerateKeyPair: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_WrapKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hWrappingKey: CK_OBJECT_HANDLE,
+ _hKey: CK_OBJECT_HANDLE,
+ _pWrappedKey: CK_BYTE_PTR,
+ _pulWrappedKeyLen: CK_ULONG_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_WrapKey: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_UnwrapKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hUnwrappingKey: CK_OBJECT_HANDLE,
+ _pWrappedKey: CK_BYTE_PTR,
+ _ulWrappedKeyLen: CK_ULONG,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulAttributeCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_UnwrapKey: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_DeriveKey(
+ _hSession: CK_SESSION_HANDLE,
+ _pMechanism: CK_MECHANISM_PTR,
+ _hBaseKey: CK_OBJECT_HANDLE,
+ _pTemplate: CK_ATTRIBUTE_PTR,
+ _ulAttributeCount: CK_ULONG,
+ _phKey: CK_OBJECT_HANDLE_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_DeriveKey: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_SeedRandom(
+ _hSession: CK_SESSION_HANDLE,
+ _pSeed: CK_BYTE_PTR,
+ _ulSeedLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_SeedRandom: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GenerateRandom(
+ _hSession: CK_SESSION_HANDLE,
+ _RandomData: CK_BYTE_PTR,
+ _ulRandomLen: CK_ULONG,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_GenerateRandom: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_GetFunctionStatus(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ log_with_thread_id!(error, "C_GetFunctionStatus: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_CancelFunction(_hSession: CK_SESSION_HANDLE) -> CK_RV {
+ log_with_thread_id!(error, "C_CancelFunction: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+extern "C" fn C_WaitForSlotEvent(
+ _flags: CK_FLAGS,
+ _pSlot: CK_SLOT_ID_PTR,
+ _pRserved: CK_VOID_PTR,
+) -> CK_RV {
+ log_with_thread_id!(error, "C_WaitForSlotEvent: CKR_FUNCTION_NOT_SUPPORTED");
+ CKR_FUNCTION_NOT_SUPPORTED
+}
+
+/// To be a valid PKCS #11 module, this list of functions must be supported. At least cryptoki 2.2
+/// must be supported for this module to work in NSS.
+static FUNCTION_LIST: CK_FUNCTION_LIST = CK_FUNCTION_LIST {
+ version: CK_VERSION { major: 2, minor: 2 },
+ C_Initialize: Some(C_Initialize),
+ C_Finalize: Some(C_Finalize),
+ C_GetInfo: Some(C_GetInfo),
+ C_GetFunctionList: None,
+ C_GetSlotList: Some(C_GetSlotList),
+ C_GetSlotInfo: Some(C_GetSlotInfo),
+ C_GetTokenInfo: Some(C_GetTokenInfo),
+ C_GetMechanismList: Some(C_GetMechanismList),
+ C_GetMechanismInfo: Some(C_GetMechanismInfo),
+ C_InitToken: Some(C_InitToken),
+ C_InitPIN: Some(C_InitPIN),
+ C_SetPIN: Some(C_SetPIN),
+ C_OpenSession: Some(C_OpenSession),
+ C_CloseSession: Some(C_CloseSession),
+ C_CloseAllSessions: Some(C_CloseAllSessions),
+ C_GetSessionInfo: Some(C_GetSessionInfo),
+ C_GetOperationState: Some(C_GetOperationState),
+ C_SetOperationState: Some(C_SetOperationState),
+ C_Login: Some(C_Login),
+ C_Logout: Some(C_Logout),
+ C_CreateObject: Some(C_CreateObject),
+ C_CopyObject: Some(C_CopyObject),
+ C_DestroyObject: Some(C_DestroyObject),
+ C_GetObjectSize: Some(C_GetObjectSize),
+ C_GetAttributeValue: Some(C_GetAttributeValue),
+ C_SetAttributeValue: Some(C_SetAttributeValue),
+ C_FindObjectsInit: Some(C_FindObjectsInit),
+ C_FindObjects: Some(C_FindObjects),
+ C_FindObjectsFinal: Some(C_FindObjectsFinal),
+ C_EncryptInit: Some(C_EncryptInit),
+ C_Encrypt: Some(C_Encrypt),
+ C_EncryptUpdate: Some(C_EncryptUpdate),
+ C_EncryptFinal: Some(C_EncryptFinal),
+ C_DecryptInit: Some(C_DecryptInit),
+ C_Decrypt: Some(C_Decrypt),
+ C_DecryptUpdate: Some(C_DecryptUpdate),
+ C_DecryptFinal: Some(C_DecryptFinal),
+ C_DigestInit: Some(C_DigestInit),
+ C_Digest: Some(C_Digest),
+ C_DigestUpdate: Some(C_DigestUpdate),
+ C_DigestKey: Some(C_DigestKey),
+ C_DigestFinal: Some(C_DigestFinal),
+ C_SignInit: Some(C_SignInit),
+ C_Sign: Some(C_Sign),
+ C_SignUpdate: Some(C_SignUpdate),
+ C_SignFinal: Some(C_SignFinal),
+ C_SignRecoverInit: Some(C_SignRecoverInit),
+ C_SignRecover: Some(C_SignRecover),
+ C_VerifyInit: Some(C_VerifyInit),
+ C_Verify: Some(C_Verify),
+ C_VerifyUpdate: Some(C_VerifyUpdate),
+ C_VerifyFinal: Some(C_VerifyFinal),
+ C_VerifyRecoverInit: Some(C_VerifyRecoverInit),
+ C_VerifyRecover: Some(C_VerifyRecover),
+ C_DigestEncryptUpdate: Some(C_DigestEncryptUpdate),
+ C_DecryptDigestUpdate: Some(C_DecryptDigestUpdate),
+ C_SignEncryptUpdate: Some(C_SignEncryptUpdate),
+ C_DecryptVerifyUpdate: Some(C_DecryptVerifyUpdate),
+ C_GenerateKey: Some(C_GenerateKey),
+ C_GenerateKeyPair: Some(C_GenerateKeyPair),
+ C_WrapKey: Some(C_WrapKey),
+ C_UnwrapKey: Some(C_UnwrapKey),
+ C_DeriveKey: Some(C_DeriveKey),
+ C_SeedRandom: Some(C_SeedRandom),
+ C_GenerateRandom: Some(C_GenerateRandom),
+ C_GetFunctionStatus: Some(C_GetFunctionStatus),
+ C_CancelFunction: Some(C_CancelFunction),
+ C_WaitForSlotEvent: Some(C_WaitForSlotEvent),
+};
+
+/// # Safety
+///
+/// This is the only function this module exposes. NSS calls it to obtain the list of functions
+/// comprising this module.
+/// ppFunctionList must be a valid pointer.
+#[no_mangle]
+pub unsafe extern "C" fn C_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV {
+ if ppFunctionList.is_null() {
+ return CKR_ARGUMENTS_BAD;
+ }
+ // CK_FUNCTION_LIST_PTR is a *mut CK_FUNCTION_LIST, but as per the
+ // specification, the caller must treat it as *const CK_FUNCTION_LIST.
+ *ppFunctionList = std::ptr::addr_of!(FUNCTION_LIST) as CK_FUNCTION_LIST_PTR;
+ CKR_OK
+}
+
+#[cfg_attr(target_os = "macos", link(name = "Security", kind = "framework"))]
+extern "C" {}
diff --git a/security/manager/ssl/osclientcerts/test/certificate.bin b/security/manager/ssl/osclientcerts/test/certificate.bin
new file mode 100644
index 0000000000..01fbafb15c
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/test/certificate.bin
Binary files differ
diff --git a/security/manager/ssl/osclientcerts/test/modulus.bin b/security/manager/ssl/osclientcerts/test/modulus.bin
new file mode 100644
index 0000000000..a9b09ff53e
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/test/modulus.bin
@@ -0,0 +1,2 @@
+ºˆQ¨DŽÖAýn¶ˆ6=<Ùêä5J´ìõhWl${ÁÇ%¨àؽ±œ›n†òkâ¯Zukjdqz¥Z§E‡÷Õ$œ~ÍCüiÐ8 )“« ÃIäÛ¹LÂklí‚ñ~­i±Ó:‹*Aî§pà ýf +°$’¤}¹ˆay±W=Ò;Åà¸H¨7ÓˆCï'ØU·fZª~/:{€$Ìl—­–a[·â–Àu1£ ‘Ý´Ê÷ü­%Ó ï¹§há³{/"oiã´Š•aî&Ö%«‘N6Ë$,¿‹/åñ™1¸³þI#úrQÄ1Õ¬Ú
+5í \ No newline at end of file
diff --git a/security/manager/ssl/osclientcerts/test/rsa.bin b/security/manager/ssl/osclientcerts/test/rsa.bin
new file mode 100644
index 0000000000..93ededb827
--- /dev/null
+++ b/security/manager/ssl/osclientcerts/test/rsa.bin
Binary files differ
diff --git a/security/manager/ssl/rsclientcerts/Cargo.toml b/security/manager/ssl/rsclientcerts/Cargo.toml
new file mode 100644
index 0000000000..14a35918b8
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "rsclientcerts"
+version = "0.1.0"
+authors = ["Dana Keeler <dkeeler@mozilla.com>"]
+edition = "2018"
+license = "MPL-2.0"
+
+[dependencies]
+byteorder = "1.3"
+pkcs11-bindings = "0.1"
diff --git a/security/manager/ssl/rsclientcerts/src/error.rs b/security/manager/ssl/rsclientcerts/src/error.rs
new file mode 100644
index 0000000000..6ef9062d32
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/src/error.rs
@@ -0,0 +1,103 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use std::fmt;
+
+/// Helper macro to create an Error that knows which file and line it occurred
+/// on. Can optionally have some extra information as a String.
+#[macro_export]
+macro_rules! error_here {
+ ($error_type:expr) => {
+ Error::new($error_type, file!(), line!(), None)
+ };
+ ($error_type:expr, $info:expr) => {
+ Error::new($error_type, file!(), line!(), Some($info))
+ };
+}
+
+/// Error type for identifying errors in this crate. Use the error_here! macro
+/// to instantiate.
+#[derive(Debug)]
+pub struct Error {
+ typ: ErrorType,
+ file: &'static str,
+ line: u32,
+ info: Option<String>,
+}
+
+impl Error {
+ pub fn new(typ: ErrorType, file: &'static str, line: u32, info: Option<String>) -> Error {
+ Error {
+ typ,
+ file,
+ line,
+ info,
+ }
+ }
+}
+
+impl fmt::Display for Error {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ if let Some(info) = &self.info {
+ write!(f, "{} at {}:{} ({})", self.typ, self.file, self.line, info)
+ } else {
+ write!(f, "{} at {}:{}", self.typ, self.file, self.line)
+ }
+ }
+}
+
+impl Clone for Error {
+ fn clone(&self) -> Self {
+ Error {
+ typ: self.typ,
+ file: self.file,
+ line: self.line,
+ info: self.info.as_ref().cloned(),
+ }
+ }
+
+ fn clone_from(&mut self, source: &Self) {
+ self.typ = source.typ;
+ self.file = source.file;
+ self.line = source.line;
+ self.info = source.info.as_ref().cloned();
+ }
+}
+
+#[derive(Copy, Clone, Debug)]
+pub enum ErrorType {
+ /// An error in an external library or resource.
+ ExternalError,
+ /// Unexpected extra input (e.g. in an ASN.1 encoding).
+ ExtraInput,
+ /// Invalid argument.
+ InvalidArgument,
+ /// Invalid data input.
+ InvalidInput,
+ /// An internal library failure (e.g. an expected invariant failed).
+ LibraryFailure,
+ /// Truncated input (e.g. in an ASN.1 encoding).
+ TruncatedInput,
+ /// Unsupported input.
+ UnsupportedInput,
+ /// A given value could not be represented in the type used for it.
+ ValueTooLarge,
+}
+
+impl fmt::Display for ErrorType {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ let error_type_str = match self {
+ ErrorType::ExternalError => "ExternalError",
+ ErrorType::ExtraInput => "ExtraInput",
+ ErrorType::InvalidArgument => "InvalidArgument",
+ ErrorType::InvalidInput => "InvalidInput",
+ ErrorType::LibraryFailure => "LibraryFailure",
+ ErrorType::TruncatedInput => "TruncatedInput",
+ ErrorType::UnsupportedInput => "UnsupportedInput",
+ ErrorType::ValueTooLarge => "ValueTooLarge",
+ };
+ write!(f, "{}", error_type_str)
+ }
+}
diff --git a/security/manager/ssl/rsclientcerts/src/lib.rs b/security/manager/ssl/rsclientcerts/src/lib.rs
new file mode 100644
index 0000000000..01fa31e204
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/src/lib.rs
@@ -0,0 +1,11 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+extern crate byteorder;
+extern crate pkcs11_bindings;
+
+pub mod error;
+pub mod manager;
+pub mod util;
diff --git a/security/manager/ssl/rsclientcerts/src/manager.rs b/security/manager/ssl/rsclientcerts/src/manager.rs
new file mode 100644
index 0000000000..507bed3a83
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/src/manager.rs
@@ -0,0 +1,671 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use pkcs11_bindings::*;
+use std::collections::{BTreeMap, BTreeSet};
+use std::sync::mpsc::{channel, Receiver, Sender};
+use std::thread;
+use std::thread::JoinHandle;
+use std::time::{Duration, Instant};
+
+use crate::error::{Error, ErrorType};
+use crate::error_here;
+use crate::util::*;
+
+/// Helper enum to differentiate between sessions on the modern slot and sessions on the legacy
+/// slot. The former is for EC keys and RSA keys that can be used with RSA-PSS whereas the latter is
+/// for RSA keys that cannot be used with RSA-PSS.
+#[derive(Clone, Copy, PartialEq)]
+pub enum SlotType {
+ Modern,
+ Legacy,
+}
+
+pub trait CryptokiObject {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool;
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]>;
+}
+
+pub trait Sign {
+ fn get_signature_length(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<usize, Error>;
+ fn sign(
+ &mut self,
+ data: &[u8],
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<Vec<u8>, Error>;
+}
+
+pub trait ClientCertsBackend {
+ type Cert: CryptokiObject;
+ type Key: CryptokiObject + Sign;
+
+ #[allow(clippy::type_complexity)]
+ fn find_objects(&self) -> Result<(Vec<Self::Cert>, Vec<Self::Key>), Error>;
+}
+
+/// Helper type for sending `ManagerArguments` to the real `Manager`.
+type ManagerArgumentsSender = Sender<ManagerArguments>;
+/// Helper type for receiving `ManagerReturnValue`s from the real `Manager`.
+type ManagerReturnValueReceiver = Receiver<ManagerReturnValue>;
+
+/// Helper enum that encapsulates arguments to send from the `ManagerProxy` to the real `Manager`.
+/// `ManagerArguments::Stop` is a special variant that stops the background thread and drops the
+/// `Manager`.
+enum ManagerArguments {
+ OpenSession(SlotType),
+ CloseSession(CK_SESSION_HANDLE),
+ CloseAllSessions(SlotType),
+ StartSearch(CK_SESSION_HANDLE, Vec<(CK_ATTRIBUTE_TYPE, Vec<u8>)>),
+ Search(CK_SESSION_HANDLE, usize),
+ ClearSearch(CK_SESSION_HANDLE),
+ GetAttributes(CK_OBJECT_HANDLE, Vec<CK_ATTRIBUTE_TYPE>),
+ StartSign(
+ CK_SESSION_HANDLE,
+ CK_OBJECT_HANDLE,
+ Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ),
+ GetSignatureLength(CK_SESSION_HANDLE, Vec<u8>),
+ Sign(CK_SESSION_HANDLE, Vec<u8>),
+ Stop,
+}
+
+/// Helper enum that encapsulates return values from the real `Manager` that are sent back to the
+/// `ManagerProxy`. `ManagerReturnValue::Stop` is a special variant that indicates that the
+/// `Manager` will stop.
+enum ManagerReturnValue {
+ OpenSession(Result<CK_SESSION_HANDLE, Error>),
+ CloseSession(Result<(), Error>),
+ CloseAllSessions(Result<(), Error>),
+ StartSearch(Result<(), Error>),
+ Search(Result<Vec<CK_OBJECT_HANDLE>, Error>),
+ ClearSearch(Result<(), Error>),
+ GetAttributes(Result<Vec<Option<Vec<u8>>>, Error>),
+ StartSign(Result<(), Error>),
+ GetSignatureLength(Result<usize, Error>),
+ Sign(Result<Vec<u8>, Error>),
+ Stop(Result<(), Error>),
+}
+
+/// Helper macro to implement the body of each public `ManagerProxy` function. Takes a
+/// `ManagerProxy` instance (should always be `self`), a `ManagerArguments` representing the
+/// `Manager` function to call and the arguments to use, and the qualified type of the expected
+/// `ManagerReturnValue` that will be received from the `Manager` when it is done.
+macro_rules! manager_proxy_fn_impl {
+ ($manager:ident, $argument_enum:expr, $return_type:path) => {
+ match $manager.proxy_call($argument_enum) {
+ Ok($return_type(result)) => result,
+ Ok(_) => Err(error_here!(ErrorType::LibraryFailure)),
+ Err(e) => Err(e),
+ }
+ };
+}
+
+/// `ManagerProxy` synchronously proxies calls from any thread to the `Manager` that runs on a
+/// single thread. This is necessary because the underlying OS APIs in use are not guaranteed to be
+/// thread-safe (e.g. they may use thread-local storage). Using it should be identical to using the
+/// real `Manager`.
+pub struct ManagerProxy {
+ sender: ManagerArgumentsSender,
+ receiver: ManagerReturnValueReceiver,
+ thread_handle: Option<JoinHandle<()>>,
+}
+
+impl ManagerProxy {
+ pub fn new<B: ClientCertsBackend + Send + 'static>(backend: B) -> Result<ManagerProxy, Error> {
+ let (proxy_sender, manager_receiver) = channel();
+ let (manager_sender, proxy_receiver) = channel();
+ let thread_handle = thread::Builder::new()
+ .name("osclientcert".into())
+ .spawn(move || {
+ let mut real_manager = Manager::new(backend);
+ while let Ok(arguments) = manager_receiver.recv() {
+ let results = match arguments {
+ ManagerArguments::OpenSession(slot_type) => {
+ ManagerReturnValue::OpenSession(real_manager.open_session(slot_type))
+ }
+ ManagerArguments::CloseSession(session_handle) => {
+ ManagerReturnValue::CloseSession(
+ real_manager.close_session(session_handle),
+ )
+ }
+ ManagerArguments::CloseAllSessions(slot_type) => {
+ ManagerReturnValue::CloseAllSessions(
+ real_manager.close_all_sessions(slot_type),
+ )
+ }
+ ManagerArguments::StartSearch(session, attrs) => {
+ ManagerReturnValue::StartSearch(
+ real_manager.start_search(session, attrs),
+ )
+ }
+ ManagerArguments::Search(session, max_objects) => {
+ ManagerReturnValue::Search(real_manager.search(session, max_objects))
+ }
+ ManagerArguments::ClearSearch(session) => {
+ ManagerReturnValue::ClearSearch(real_manager.clear_search(session))
+ }
+ ManagerArguments::GetAttributes(object_handle, attr_types) => {
+ ManagerReturnValue::GetAttributes(
+ real_manager.get_attributes(object_handle, attr_types),
+ )
+ }
+ ManagerArguments::StartSign(session, key_handle, params) => {
+ ManagerReturnValue::StartSign(
+ real_manager.start_sign(session, key_handle, params),
+ )
+ }
+ ManagerArguments::GetSignatureLength(session, data) => {
+ ManagerReturnValue::GetSignatureLength(
+ real_manager.get_signature_length(session, data),
+ )
+ }
+ ManagerArguments::Sign(session, data) => {
+ ManagerReturnValue::Sign(real_manager.sign(session, data))
+ }
+ ManagerArguments::Stop => ManagerReturnValue::Stop(Ok(())),
+ };
+ let stop_after_send = matches!(&results, &ManagerReturnValue::Stop(_));
+ match manager_sender.send(results) {
+ Ok(()) => {}
+ Err(_) => {
+ break;
+ }
+ }
+ if stop_after_send {
+ break;
+ }
+ }
+ });
+ match thread_handle {
+ Ok(thread_handle) => Ok(ManagerProxy {
+ sender: proxy_sender,
+ receiver: proxy_receiver,
+ thread_handle: Some(thread_handle),
+ }),
+ Err(_) => Err(error_here!(ErrorType::LibraryFailure)),
+ }
+ }
+
+ fn proxy_call(&self, args: ManagerArguments) -> Result<ManagerReturnValue, Error> {
+ match self.sender.send(args) {
+ Ok(()) => {}
+ Err(_) => {
+ return Err(error_here!(ErrorType::LibraryFailure));
+ }
+ };
+ let result = match self.receiver.recv() {
+ Ok(result) => result,
+ Err(_) => {
+ return Err(error_here!(ErrorType::LibraryFailure));
+ }
+ };
+ Ok(result)
+ }
+
+ pub fn open_session(&mut self, slot_type: SlotType) -> Result<CK_SESSION_HANDLE, Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::OpenSession(slot_type),
+ ManagerReturnValue::OpenSession
+ )
+ }
+
+ pub fn close_session(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::CloseSession(session),
+ ManagerReturnValue::CloseSession
+ )
+ }
+
+ pub fn close_all_sessions(&mut self, slot_type: SlotType) -> Result<(), Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::CloseAllSessions(slot_type),
+ ManagerReturnValue::CloseAllSessions
+ )
+ }
+
+ pub fn start_search(
+ &mut self,
+ session: CK_SESSION_HANDLE,
+ attrs: Vec<(CK_ATTRIBUTE_TYPE, Vec<u8>)>,
+ ) -> Result<(), Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::StartSearch(session, attrs),
+ ManagerReturnValue::StartSearch
+ )
+ }
+
+ pub fn search(
+ &mut self,
+ session: CK_SESSION_HANDLE,
+ max_objects: usize,
+ ) -> Result<Vec<CK_OBJECT_HANDLE>, Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::Search(session, max_objects),
+ ManagerReturnValue::Search
+ )
+ }
+
+ pub fn clear_search(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::ClearSearch(session),
+ ManagerReturnValue::ClearSearch
+ )
+ }
+
+ pub fn get_attributes(
+ &self,
+ object_handle: CK_OBJECT_HANDLE,
+ attr_types: Vec<CK_ATTRIBUTE_TYPE>,
+ ) -> Result<Vec<Option<Vec<u8>>>, Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::GetAttributes(object_handle, attr_types,),
+ ManagerReturnValue::GetAttributes
+ )
+ }
+
+ pub fn start_sign(
+ &mut self,
+ session: CK_SESSION_HANDLE,
+ key_handle: CK_OBJECT_HANDLE,
+ params: Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<(), Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::StartSign(session, key_handle, params),
+ ManagerReturnValue::StartSign
+ )
+ }
+
+ pub fn get_signature_length(
+ &self,
+ session: CK_SESSION_HANDLE,
+ data: Vec<u8>,
+ ) -> Result<usize, Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::GetSignatureLength(session, data),
+ ManagerReturnValue::GetSignatureLength
+ )
+ }
+
+ pub fn sign(&mut self, session: CK_SESSION_HANDLE, data: Vec<u8>) -> Result<Vec<u8>, Error> {
+ manager_proxy_fn_impl!(
+ self,
+ ManagerArguments::Sign(session, data),
+ ManagerReturnValue::Sign
+ )
+ }
+
+ pub fn stop(&mut self) -> Result<(), Error> {
+ manager_proxy_fn_impl!(self, ManagerArguments::Stop, ManagerReturnValue::Stop)?;
+ let thread_handle = match self.thread_handle.take() {
+ Some(thread_handle) => thread_handle,
+ None => return Err(error_here!(ErrorType::LibraryFailure)),
+ };
+ thread_handle
+ .join()
+ .map_err(|_| error_here!(ErrorType::LibraryFailure))
+ }
+}
+
+// Determines if the attributes of a given search correspond to NSS looking for all certificates or
+// private keys. Returns true if so, and false otherwise.
+// These searches are of the form:
+// { { type: CKA_TOKEN, value: [1] },
+// { type: CKA_CLASS, value: [CKO_CERTIFICATE or CKO_PRIVATE_KEY, as serialized bytes] } }
+// (although not necessarily in that order - see nssToken_TraverseCertificates and
+// nssToken_FindPrivateKeys)
+fn search_is_for_all_certificates_or_keys(
+ attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)],
+) -> Result<bool, Error> {
+ if attrs.len() != 2 {
+ return Ok(false);
+ }
+ let token_bytes = vec![1_u8];
+ let mut found_token = false;
+ let cko_certificate_bytes = serialize_uint(CKO_CERTIFICATE)?;
+ let cko_private_key_bytes = serialize_uint(CKO_PRIVATE_KEY)?;
+ let mut found_certificate_or_private_key = false;
+ for (attr_type, attr_value) in attrs.iter() {
+ if attr_type == &CKA_TOKEN && attr_value == &token_bytes {
+ found_token = true;
+ }
+ if attr_type == &CKA_CLASS
+ && (attr_value == &cko_certificate_bytes || attr_value == &cko_private_key_bytes)
+ {
+ found_certificate_or_private_key = true;
+ }
+ }
+ Ok(found_token && found_certificate_or_private_key)
+}
+
+const SUPPORTED_ATTRIBUTES: &[CK_ATTRIBUTE_TYPE] = &[
+ CKA_CLASS,
+ CKA_TOKEN,
+ CKA_LABEL,
+ CKA_ID,
+ CKA_VALUE,
+ CKA_ISSUER,
+ CKA_SERIAL_NUMBER,
+ CKA_SUBJECT,
+ CKA_PRIVATE,
+ CKA_KEY_TYPE,
+ CKA_MODULUS,
+ CKA_EC_PARAMS,
+];
+
+enum Object<B: ClientCertsBackend> {
+ Cert(B::Cert),
+ Key(B::Key),
+}
+
+impl<B: ClientCertsBackend> Object<B> {
+ fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool {
+ match self {
+ Object::Cert(cert) => cert.matches(slot_type, attrs),
+ Object::Key(key) => key.matches(slot_type, attrs),
+ }
+ }
+
+ fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> {
+ match self {
+ Object::Cert(cert) => cert.get_attribute(attribute),
+ Object::Key(key) => key.get_attribute(attribute),
+ }
+ }
+
+ fn id(&self) -> Result<&[u8], Error> {
+ self.get_attribute(CKA_ID)
+ .ok_or_else(|| error_here!(ErrorType::LibraryFailure))
+ }
+
+ fn get_signature_length(
+ &mut self,
+ data: Vec<u8>,
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<usize, Error> {
+ match self {
+ Object::Cert(_) => Err(error_here!(ErrorType::InvalidArgument)),
+ Object::Key(key) => key.get_signature_length(&data, params),
+ }
+ }
+
+ fn sign(
+ &mut self,
+ data: Vec<u8>,
+ params: &Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<Vec<u8>, Error> {
+ match self {
+ Object::Cert(_) => Err(error_here!(ErrorType::InvalidArgument)),
+ Object::Key(key) => key.sign(&data, params),
+ }
+ }
+}
+
+/// The `Manager` keeps track of the state of this module with respect to the PKCS #11
+/// specification. This includes what sessions are open, which search and sign operations are
+/// ongoing, and what objects are known and by what handle.
+pub struct Manager<B: ClientCertsBackend> {
+ /// A map of session to session type (modern or legacy). Sessions can be created (opened) and
+ /// later closed.
+ sessions: BTreeMap<CK_SESSION_HANDLE, SlotType>,
+ /// A map of searches to PKCS #11 object handles that match those searches.
+ searches: BTreeMap<CK_SESSION_HANDLE, Vec<CK_OBJECT_HANDLE>>,
+ /// A map of sign operations to a pair of the object handle and optionally some params being
+ /// used by each one.
+ signs: BTreeMap<CK_SESSION_HANDLE, (CK_OBJECT_HANDLE, Option<CK_RSA_PKCS_PSS_PARAMS>)>,
+ /// A map of object handles to the underlying objects.
+ objects: BTreeMap<CK_OBJECT_HANDLE, Object<B>>,
+ /// A set of certificate identifiers (not the same as handles).
+ cert_ids: BTreeSet<Vec<u8>>,
+ /// A set of key identifiers (not the same as handles). For each id in this set, there should be
+ /// a corresponding identical id in the `cert_ids` set.
+ key_ids: BTreeSet<Vec<u8>>,
+ /// The next session handle to hand out.
+ next_session: CK_SESSION_HANDLE,
+ /// The next object handle to hand out.
+ next_handle: CK_OBJECT_HANDLE,
+ /// The last time the implementation looked for new objects in the backend.
+ /// The implementation does this search no more than once every 3 seconds.
+ last_scan_time: Option<Instant>,
+ backend: B,
+}
+
+impl<B: ClientCertsBackend> Manager<B> {
+ pub fn new(backend: B) -> Manager<B> {
+ Manager {
+ sessions: BTreeMap::new(),
+ searches: BTreeMap::new(),
+ signs: BTreeMap::new(),
+ objects: BTreeMap::new(),
+ cert_ids: BTreeSet::new(),
+ key_ids: BTreeSet::new(),
+ next_session: 1,
+ next_handle: 1,
+ last_scan_time: None,
+ backend,
+ }
+ }
+
+ /// When a new search session is opened (provided at least 3 seconds have elapsed since the
+ /// last session was opened), this searches for certificates and keys to expose. We
+ /// de-duplicate previously-found certificates and keys by keeping track of their IDs.
+ fn maybe_find_new_objects(&mut self) -> Result<(), Error> {
+ let now = Instant::now();
+ match self.last_scan_time {
+ Some(last_scan_time) => {
+ if now.duration_since(last_scan_time) < Duration::new(3, 0) {
+ return Ok(());
+ }
+ }
+ None => {}
+ }
+ self.last_scan_time = Some(now);
+ let (certs, keys) = self.backend.find_objects()?;
+ for cert in certs {
+ let object = Object::Cert(cert);
+ if self.cert_ids.contains(object.id()?) {
+ continue;
+ }
+ self.cert_ids.insert(object.id()?.to_vec());
+ let handle = self.get_next_handle();
+ self.objects.insert(handle, object);
+ }
+ for key in keys {
+ let object = Object::Key(key);
+ if self.key_ids.contains(object.id()?) {
+ continue;
+ }
+ self.key_ids.insert(object.id()?.to_vec());
+ let handle = self.get_next_handle();
+ self.objects.insert(handle, object);
+ }
+ Ok(())
+ }
+
+ pub fn open_session(&mut self, slot_type: SlotType) -> Result<CK_SESSION_HANDLE, Error> {
+ let next_session = self.next_session;
+ self.next_session += 1;
+ self.sessions.insert(next_session, slot_type);
+ Ok(next_session)
+ }
+
+ pub fn close_session(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> {
+ self.sessions
+ .remove(&session)
+ .ok_or_else(|| error_here!(ErrorType::InvalidInput))
+ .map(|_| ())
+ }
+
+ pub fn close_all_sessions(&mut self, slot_type: SlotType) -> Result<(), Error> {
+ let mut to_remove = Vec::new();
+ for (session, open_slot_type) in self.sessions.iter() {
+ if slot_type == *open_slot_type {
+ to_remove.push(*session);
+ }
+ }
+ for session in to_remove {
+ if self.sessions.remove(&session).is_none() {
+ return Err(error_here!(ErrorType::LibraryFailure));
+ }
+ }
+ Ok(())
+ }
+
+ fn get_next_handle(&mut self) -> CK_OBJECT_HANDLE {
+ let next_handle = self.next_handle;
+ self.next_handle += 1;
+ next_handle
+ }
+
+ /// PKCS #11 specifies that search operations happen in three phases: setup, get any matches
+ /// (this part may be repeated if the caller uses a small buffer), and end. This implementation
+ /// does all of the work up front and gathers all matching objects during setup and retains them
+ /// until they are retrieved and consumed via `search`.
+ pub fn start_search(
+ &mut self,
+ session: CK_SESSION_HANDLE,
+ attrs: Vec<(CK_ATTRIBUTE_TYPE, Vec<u8>)>,
+ ) -> Result<(), Error> {
+ let slot_type = match self.sessions.get(&session) {
+ Some(slot_type) => *slot_type,
+ None => return Err(error_here!(ErrorType::InvalidArgument)),
+ };
+ // If the search is for an attribute we don't support, no objects will match. This check
+ // saves us having to look through all of our objects.
+ for (attr, _) in &attrs {
+ if !SUPPORTED_ATTRIBUTES.contains(attr) {
+ self.searches.insert(session, Vec::new());
+ return Ok(());
+ }
+ }
+ // When NSS wants to find all certificates or all private keys, it will perform a search
+ // with a particular set of attributes. This implementation uses these searches as an
+ // indication for the backend to re-scan for new objects from tokens that may have been
+ // inserted or certificates that may have been imported into the OS. Since these searches
+ // are relatively rare, this minimizes the impact of doing these re-scans.
+ if search_is_for_all_certificates_or_keys(&attrs)? {
+ self.maybe_find_new_objects()?;
+ }
+ let mut handles = Vec::new();
+ for (handle, object) in &self.objects {
+ if object.matches(slot_type, &attrs) {
+ handles.push(*handle);
+ }
+ }
+ self.searches.insert(session, handles);
+ Ok(())
+ }
+
+ /// Given a session and a maximum number of object handles to return, attempts to retrieve up to
+ /// that many objects from the corresponding search. Updates the search so those objects are not
+ /// returned repeatedly. `max_objects` must be non-zero.
+ pub fn search(
+ &mut self,
+ session: CK_SESSION_HANDLE,
+ max_objects: usize,
+ ) -> Result<Vec<CK_OBJECT_HANDLE>, Error> {
+ if max_objects == 0 {
+ return Err(error_here!(ErrorType::InvalidArgument));
+ }
+ match self.searches.get_mut(&session) {
+ Some(search) => {
+ let split_at = if max_objects >= search.len() {
+ 0
+ } else {
+ search.len() - max_objects
+ };
+ let to_return = search.split_off(split_at);
+ if to_return.len() > max_objects {
+ return Err(error_here!(ErrorType::LibraryFailure));
+ }
+ Ok(to_return)
+ }
+ None => Err(error_here!(ErrorType::InvalidArgument)),
+ }
+ }
+
+ pub fn clear_search(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> {
+ self.searches.remove(&session);
+ Ok(())
+ }
+
+ pub fn get_attributes(
+ &self,
+ object_handle: CK_OBJECT_HANDLE,
+ attr_types: Vec<CK_ATTRIBUTE_TYPE>,
+ ) -> Result<Vec<Option<Vec<u8>>>, Error> {
+ let object = match self.objects.get(&object_handle) {
+ Some(object) => object,
+ None => return Err(error_here!(ErrorType::InvalidArgument)),
+ };
+ let mut results = Vec::with_capacity(attr_types.len());
+ for attr_type in attr_types {
+ let result = object
+ .get_attribute(attr_type)
+ .map(|value| value.to_owned());
+ results.push(result);
+ }
+ Ok(results)
+ }
+
+ /// The way NSS uses PKCS #11 to sign data happens in two phases: setup and sign. This
+ /// implementation makes a note of which key is to be used (if it exists) during setup. When the
+ /// caller finishes with the sign operation, this implementation retrieves the key handle and
+ /// performs the signature.
+ pub fn start_sign(
+ &mut self,
+ session: CK_SESSION_HANDLE,
+ key_handle: CK_OBJECT_HANDLE,
+ params: Option<CK_RSA_PKCS_PSS_PARAMS>,
+ ) -> Result<(), Error> {
+ if self.signs.contains_key(&session) {
+ return Err(error_here!(ErrorType::InvalidArgument));
+ }
+ self.signs.insert(session, (key_handle, params));
+ Ok(())
+ }
+
+ pub fn get_signature_length(
+ &mut self,
+ session: CK_SESSION_HANDLE,
+ data: Vec<u8>,
+ ) -> Result<usize, Error> {
+ let (key_handle, params) = match self.signs.get(&session) {
+ Some((key_handle, params)) => (key_handle, params),
+ None => return Err(error_here!(ErrorType::InvalidArgument)),
+ };
+ let key = match self.objects.get_mut(key_handle) {
+ Some(key) => key,
+ None => return Err(error_here!(ErrorType::InvalidArgument)),
+ };
+ key.get_signature_length(data, params)
+ }
+
+ pub fn sign(&mut self, session: CK_SESSION_HANDLE, data: Vec<u8>) -> Result<Vec<u8>, Error> {
+ // Performing the signature (via C_Sign, which is the only way we support) finishes the sign
+ // operation, so it needs to be removed here.
+ let (key_handle, params) = match self.signs.remove(&session) {
+ Some((key_handle, params)) => (key_handle, params),
+ None => return Err(error_here!(ErrorType::InvalidArgument)),
+ };
+ let key = match self.objects.get_mut(&key_handle) {
+ Some(key) => key,
+ None => return Err(error_here!(ErrorType::InvalidArgument)),
+ };
+ key.sign(data, &params)
+ }
+}
diff --git a/security/manager/ssl/rsclientcerts/src/util.rs b/security/manager/ssl/rsclientcerts/src/util.rs
new file mode 100644
index 0000000000..d0011a0a2e
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/src/util.rs
@@ -0,0 +1,540 @@
+/* -*- Mode: rust; rust-indent-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use byteorder::{BigEndian, NativeEndian, ReadBytesExt, WriteBytesExt};
+use std::convert::TryInto;
+
+use crate::error::{Error, ErrorType};
+use crate::error_here;
+
+/// Accessing fields of packed structs is unsafe (it may be undefined behavior if the field isn't
+/// aligned). Since we're implementing a PKCS#11 module, we already have to trust the caller not to
+/// give us bad data, so normally we would deal with this by adding an unsafe block. If we do that,
+/// though, the compiler complains that the unsafe block is unnecessary. Thus, we use this macro to
+/// annotate the unsafe block to silence the compiler.
+#[macro_export]
+macro_rules! unsafe_packed_field_access {
+ ($e:expr) => {{
+ #[allow(unused_unsafe)]
+ let tmp = unsafe { $e };
+ tmp
+ }};
+}
+
+// The following ENCODED_OID_BYTES_* consist of the encoded bytes of an ASN.1
+// OBJECT IDENTIFIER specifying the indicated OID (in other words, the full
+// tag, length, and value).
+#[cfg(target_os = "macos")]
+pub const ENCODED_OID_BYTES_SECP256R1: &[u8] =
+ &[0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07];
+#[cfg(target_os = "macos")]
+pub const ENCODED_OID_BYTES_SECP384R1: &[u8] = &[0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22];
+#[cfg(target_os = "macos")]
+pub const ENCODED_OID_BYTES_SECP521R1: &[u8] = &[0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23];
+
+// The following OID_BYTES_* consist of the contents of the bytes of an ASN.1
+// OBJECT IDENTIFIER specifying the indicated OID (in other words, just the
+// value, and not the tag or length).
+#[cfg(target_os = "macos")]
+pub const OID_BYTES_SHA_256: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01];
+#[cfg(target_os = "macos")]
+pub const OID_BYTES_SHA_384: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02];
+#[cfg(target_os = "macos")]
+pub const OID_BYTES_SHA_512: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03];
+#[cfg(target_os = "macos")]
+pub const OID_BYTES_SHA_1: &[u8] = &[0x2b, 0x0e, 0x03, 0x02, 0x1a];
+
+// This is a helper function to take a value and lay it out in memory how
+// PKCS#11 is expecting it.
+pub fn serialize_uint<T: TryInto<u64>>(value: T) -> Result<Vec<u8>, Error> {
+ let value_size = std::mem::size_of::<T>();
+ let mut value_buf = Vec::with_capacity(value_size);
+ let value_as_u64 = value
+ .try_into()
+ .map_err(|_| error_here!(ErrorType::ValueTooLarge))?;
+ value_buf
+ .write_uint::<NativeEndian>(value_as_u64, value_size)
+ .map_err(|_| error_here!(ErrorType::LibraryFailure))?;
+ Ok(value_buf)
+}
+
+/// Given a slice of DER bytes representing an RSA public key, extracts the bytes of the modulus
+/// as an unsigned integer. Also verifies that the public exponent is present (again as an
+/// unsigned integer). Finally verifies that reading these values consumes the entirety of the
+/// slice.
+/// RSAPublicKey ::= SEQUENCE {
+/// modulus INTEGER, -- n
+/// publicExponent INTEGER -- e
+/// }
+pub fn read_rsa_modulus(public_key: &[u8]) -> Result<Vec<u8>, Error> {
+ let mut sequence = Sequence::new(public_key)?;
+ let modulus_value = sequence.read_unsigned_integer()?;
+ let _exponent = sequence.read_unsigned_integer()?;
+ if !sequence.at_end() {
+ return Err(error_here!(ErrorType::ExtraInput));
+ }
+ Ok(modulus_value.to_vec())
+}
+
+/// Given a slice of DER bytes representing a DigestInfo, extracts the bytes of
+/// the OID of the hash algorithm and the digest.
+/// DigestInfo ::= SEQUENCE {
+/// digestAlgorithm DigestAlgorithmIdentifier,
+/// digest Digest }
+///
+/// DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+///
+/// AlgorithmIdentifier ::= SEQUENCE {
+/// algorithm OBJECT IDENTIFIER,
+/// parameters ANY DEFINED BY algorithm OPTIONAL }
+///
+/// Digest ::= OCTET STRING
+pub fn read_digest_info(digest_info: &[u8]) -> Result<(&[u8], &[u8]), Error> {
+ let mut sequence = Sequence::new(digest_info)?;
+ let mut algorithm = sequence.read_sequence()?;
+ let oid = algorithm.read_oid()?;
+ algorithm.read_null()?;
+ if !algorithm.at_end() {
+ return Err(error_here!(ErrorType::ExtraInput));
+ }
+ let digest = sequence.read_octet_string()?;
+ if !sequence.at_end() {
+ return Err(error_here!(ErrorType::ExtraInput));
+ }
+ Ok((oid, digest))
+}
+
+/// Given a slice of DER bytes representing an ECDSA signature, extracts the bytes of `r` and `s`
+/// as unsigned integers. Also verifies that this consumes the entirety of the slice.
+/// Ecdsa-Sig-Value ::= SEQUENCE {
+/// r INTEGER,
+/// s INTEGER }
+#[cfg(target_os = "macos")]
+pub fn read_ec_sig_point(signature: &[u8]) -> Result<(&[u8], &[u8]), Error> {
+ let mut sequence = Sequence::new(signature)?;
+ let r = sequence.read_unsigned_integer()?;
+ let s = sequence.read_unsigned_integer()?;
+ if !sequence.at_end() {
+ return Err(error_here!(ErrorType::ExtraInput));
+ }
+ Ok((r, s))
+}
+
+/// Given a slice of DER bytes representing an X.509 certificate, extracts the encoded serial
+/// number, issuer, and subject. Does not verify that the remainder of the certificate is in any
+/// way well-formed.
+/// Certificate ::= SEQUENCE {
+/// tbsCertificate TBSCertificate,
+/// signatureAlgorithm AlgorithmIdentifier,
+/// signatureValue BIT STRING }
+///
+/// TBSCertificate ::= SEQUENCE {
+/// version [0] EXPLICIT Version DEFAULT v1,
+/// serialNumber CertificateSerialNumber,
+/// signature AlgorithmIdentifier,
+/// issuer Name,
+/// validity Validity,
+/// subject Name,
+/// ...
+///
+/// CertificateSerialNumber ::= INTEGER
+///
+/// Name ::= CHOICE { -- only one possibility for now --
+/// rdnSequence RDNSequence }
+///
+/// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+///
+/// Validity ::= SEQUENCE {
+/// notBefore Time,
+/// notAfter Time }
+#[allow(clippy::type_complexity)]
+pub fn read_encoded_certificate_identifiers(
+ certificate: &[u8],
+) -> Result<(Vec<u8>, Vec<u8>, Vec<u8>), Error> {
+ let mut certificate_sequence = Sequence::new(certificate)?;
+ let mut tbs_certificate_sequence = certificate_sequence.read_sequence()?;
+ let _version = tbs_certificate_sequence.read_tagged_value(0)?;
+ let serial_number = tbs_certificate_sequence.read_encoded_sequence_component(INTEGER)?;
+ let _signature = tbs_certificate_sequence.read_sequence()?;
+ let issuer =
+ tbs_certificate_sequence.read_encoded_sequence_component(SEQUENCE | CONSTRUCTED)?;
+ let _validity = tbs_certificate_sequence.read_sequence()?;
+ let subject =
+ tbs_certificate_sequence.read_encoded_sequence_component(SEQUENCE | CONSTRUCTED)?;
+ Ok((serial_number, issuer, subject))
+}
+
+/// Helper macro for reading some bytes from a slice while checking the slice is long enough.
+/// Returns a pair consisting of a slice of the bytes read and a slice of the rest of the bytes
+/// from the original slice.
+macro_rules! try_read_bytes {
+ ($data:ident, $len:expr) => {{
+ if $data.len() < $len {
+ return Err(error_here!(ErrorType::TruncatedInput));
+ }
+ $data.split_at($len)
+ }};
+}
+
+/// ASN.1 tag identifying an integer.
+const INTEGER: u8 = 0x02;
+/// ASN.1 tag identifying an octet string.
+const OCTET_STRING: u8 = 0x04;
+/// ASN.1 tag identifying a null value.
+const NULL: u8 = 0x05;
+/// ASN.1 tag identifying an object identifier (OID).
+const OBJECT_IDENTIFIER: u8 = 0x06;
+/// ASN.1 tag identifying a sequence.
+const SEQUENCE: u8 = 0x10;
+/// ASN.1 tag modifier identifying an item as constructed.
+const CONSTRUCTED: u8 = 0x20;
+/// ASN.1 tag modifier identifying an item as context-specific.
+const CONTEXT_SPECIFIC: u8 = 0x80;
+
+/// A helper struct for reading items from a DER SEQUENCE (in this case, all sequences are
+/// assumed to be CONSTRUCTED).
+struct Sequence<'a> {
+ /// The contents of the SEQUENCE.
+ contents: Der<'a>,
+}
+
+impl<'a> Sequence<'a> {
+ fn new(input: &'a [u8]) -> Result<Sequence<'a>, Error> {
+ let mut der = Der::new(input);
+ let (_, _, sequence_bytes) = der.read_tlv(SEQUENCE | CONSTRUCTED)?;
+ // We're assuming we want to consume the entire input for now.
+ if !der.at_end() {
+ return Err(error_here!(ErrorType::ExtraInput));
+ }
+ Ok(Sequence {
+ contents: Der::new(sequence_bytes),
+ })
+ }
+
+ // TODO: we're not exhaustively validating this integer
+ fn read_unsigned_integer(&mut self) -> Result<&'a [u8], Error> {
+ let (_, _, bytes) = self.contents.read_tlv(INTEGER)?;
+ if bytes.is_empty() {
+ return Err(error_here!(ErrorType::InvalidInput));
+ }
+ // There may be a leading zero (we should also check that the first bit
+ // of the rest of the integer is set).
+ if bytes[0] == 0 && bytes.len() > 1 {
+ let (_, integer) = bytes.split_at(1);
+ Ok(integer)
+ } else {
+ Ok(bytes)
+ }
+ }
+
+ fn read_octet_string(&mut self) -> Result<&'a [u8], Error> {
+ let (_, _, bytes) = self.contents.read_tlv(OCTET_STRING)?;
+ Ok(bytes)
+ }
+
+ fn read_oid(&mut self) -> Result<&'a [u8], Error> {
+ let (_, _, bytes) = self.contents.read_tlv(OBJECT_IDENTIFIER)?;
+ Ok(bytes)
+ }
+
+ fn read_null(&mut self) -> Result<(), Error> {
+ let (_, _, bytes) = self.contents.read_tlv(NULL)?;
+ if bytes.is_empty() {
+ Ok(())
+ } else {
+ Err(error_here!(ErrorType::InvalidInput))
+ }
+ }
+
+ fn read_sequence(&mut self) -> Result<Sequence<'a>, Error> {
+ let (_, _, sequence_bytes) = self.contents.read_tlv(SEQUENCE | CONSTRUCTED)?;
+ Ok(Sequence {
+ contents: Der::new(sequence_bytes),
+ })
+ }
+
+ fn read_tagged_value(&mut self, tag: u8) -> Result<&'a [u8], Error> {
+ let (_, _, tagged_value_bytes) = self
+ .contents
+ .read_tlv(CONTEXT_SPECIFIC | CONSTRUCTED | tag)?;
+ Ok(tagged_value_bytes)
+ }
+
+ fn read_encoded_sequence_component(&mut self, tag: u8) -> Result<Vec<u8>, Error> {
+ let (tag, length, value) = self.contents.read_tlv(tag)?;
+ let mut encoded_component_bytes = length;
+ encoded_component_bytes.insert(0, tag);
+ encoded_component_bytes.extend_from_slice(value);
+ Ok(encoded_component_bytes)
+ }
+
+ fn at_end(&self) -> bool {
+ self.contents.at_end()
+ }
+}
+
+/// A helper struct for reading DER data. The contents are treated like a cursor, so its position
+/// is updated as data is read.
+struct Der<'a> {
+ contents: &'a [u8],
+}
+
+impl<'a> Der<'a> {
+ fn new(contents: &'a [u8]) -> Der<'a> {
+ Der { contents }
+ }
+
+ // In theory, a caller could encounter an error and try another operation, in which case we may
+ // be in an inconsistent state. As long as this implementation isn't exposed to code that would
+ // use it incorrectly (i.e. it stays in this module and we only expose a stateless API), it
+ // should be safe.
+ /// Given an expected tag, reads the next (tag, lengh, value) from the contents. Most
+ /// consumers will only be interested in the value, but some may want the entire encoded
+ /// contents, in which case the returned tuple can be concatenated.
+ fn read_tlv(&mut self, tag: u8) -> Result<(u8, Vec<u8>, &'a [u8]), Error> {
+ let contents = self.contents;
+ let (tag_read, rest) = try_read_bytes!(contents, 1);
+ if tag_read[0] != tag {
+ return Err(error_here!(ErrorType::InvalidInput));
+ }
+ let mut accumulated_length_bytes = Vec::with_capacity(4);
+ let (length1, rest) = try_read_bytes!(rest, 1);
+ accumulated_length_bytes.extend_from_slice(length1);
+ let (length, to_read_from) = if length1[0] < 0x80 {
+ (length1[0] as usize, rest)
+ } else if length1[0] == 0x81 {
+ let (length, rest) = try_read_bytes!(rest, 1);
+ accumulated_length_bytes.extend_from_slice(length);
+ if length[0] < 0x80 {
+ return Err(error_here!(ErrorType::InvalidInput));
+ }
+ (length[0] as usize, rest)
+ } else if length1[0] == 0x82 {
+ let (mut lengths, rest) = try_read_bytes!(rest, 2);
+ accumulated_length_bytes.extend_from_slice(lengths);
+ let length = lengths
+ .read_u16::<BigEndian>()
+ .map_err(|_| error_here!(ErrorType::LibraryFailure))?;
+ if length < 256 {
+ return Err(error_here!(ErrorType::InvalidInput));
+ }
+ (length as usize, rest)
+ } else {
+ return Err(error_here!(ErrorType::UnsupportedInput));
+ };
+ let (contents, rest) = try_read_bytes!(to_read_from, length);
+ self.contents = rest;
+ Ok((tag, accumulated_length_bytes, contents))
+ }
+
+ fn at_end(&self) -> bool {
+ self.contents.is_empty()
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn der_test_empty_input() {
+ let input = Vec::new();
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(INTEGER).is_err());
+ }
+
+ #[test]
+ fn der_test_no_length() {
+ let input = vec![INTEGER];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(INTEGER).is_err());
+ }
+
+ #[test]
+ fn der_test_empty_sequence() {
+ let input = vec![SEQUENCE, 0];
+ let mut der = Der::new(&input);
+ let read_result = der.read_tlv(SEQUENCE);
+ assert!(read_result.is_ok());
+ let (tag, length, sequence_bytes) = read_result.unwrap();
+ assert_eq!(tag, SEQUENCE);
+ assert_eq!(length, vec![0]);
+ assert_eq!(sequence_bytes.len(), 0);
+ assert!(der.at_end());
+ }
+
+ #[test]
+ fn der_test_not_at_end() {
+ let input = vec![SEQUENCE, 0, 1];
+ let mut der = Der::new(&input);
+ let read_result = der.read_tlv(SEQUENCE);
+ assert!(read_result.is_ok());
+ let (tag, length, sequence_bytes) = read_result.unwrap();
+ assert_eq!(tag, SEQUENCE);
+ assert_eq!(length, vec![0]);
+ assert_eq!(sequence_bytes.len(), 0);
+ assert!(!der.at_end());
+ }
+
+ #[test]
+ fn der_test_wrong_tag() {
+ let input = vec![SEQUENCE, 0];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(INTEGER).is_err());
+ }
+
+ #[test]
+ fn der_test_truncated_two_byte_length() {
+ let input = vec![SEQUENCE, 0x81];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(SEQUENCE).is_err());
+ }
+
+ #[test]
+ fn der_test_truncated_three_byte_length() {
+ let input = vec![SEQUENCE, 0x82, 1];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(SEQUENCE).is_err());
+ }
+
+ #[test]
+ fn der_test_truncated_data() {
+ let input = vec![SEQUENCE, 20, 1];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(SEQUENCE).is_err());
+ }
+
+ #[test]
+ fn der_test_sequence() {
+ let input = vec![
+ SEQUENCE, 20, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 0, 0,
+ ];
+ let mut der = Der::new(&input);
+ let result = der.read_tlv(SEQUENCE);
+ assert!(result.is_ok());
+ let (tag, length, value) = result.unwrap();
+ assert_eq!(tag, SEQUENCE);
+ assert_eq!(length, vec![20]);
+ assert_eq!(
+ value,
+ [1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 0, 0]
+ );
+ assert!(der.at_end());
+ }
+
+ #[test]
+ fn der_test_not_shortest_two_byte_length_encoding() {
+ let input = vec![SEQUENCE, 0x81, 1, 1];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(SEQUENCE).is_err());
+ }
+
+ #[test]
+ fn der_test_not_shortest_three_byte_length_encoding() {
+ let input = vec![SEQUENCE, 0x82, 0, 1, 1];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(SEQUENCE).is_err());
+ }
+
+ #[test]
+ fn der_test_indefinite_length_unsupported() {
+ let input = vec![SEQUENCE, 0x80, 1, 2, 3, 0x00, 0x00];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(SEQUENCE).is_err());
+ }
+
+ #[test]
+ fn der_test_input_too_long() {
+ // This isn't valid DER (the contents of the SEQUENCE are truncated), but it demonstrates
+ // that we don't try to read too much if we're given a long length (and also that we don't
+ // support lengths 2^16 and up).
+ let input = vec![SEQUENCE, 0x83, 0x01, 0x00, 0x01, 1, 1, 1, 1];
+ let mut der = Der::new(&input);
+ assert!(der.read_tlv(SEQUENCE).is_err());
+ }
+
+ #[test]
+ fn empty_input_fails() {
+ let empty = Vec::new();
+ assert!(read_rsa_modulus(&empty).is_err());
+ #[cfg(target_os = "macos")]
+ assert!(read_ec_sig_point(&empty).is_err());
+ assert!(read_encoded_certificate_identifiers(&empty).is_err());
+ }
+
+ #[test]
+ fn empty_sequence_fails() {
+ let empty = vec![SEQUENCE | CONSTRUCTED];
+ assert!(read_rsa_modulus(&empty).is_err());
+ #[cfg(target_os = "macos")]
+ assert!(read_ec_sig_point(&empty).is_err());
+ assert!(read_encoded_certificate_identifiers(&empty).is_err());
+ }
+
+ #[test]
+ fn test_read_rsa_modulus() {
+ let rsa_key = include_bytes!("../test/rsa.bin");
+ let result = read_rsa_modulus(rsa_key);
+ assert!(result.is_ok());
+ let modulus = result.unwrap();
+ assert_eq!(modulus, include_bytes!("../test/modulus.bin").to_vec());
+ }
+
+ #[test]
+ fn test_read_certificate_identifiers() {
+ let certificate = include_bytes!("../test/certificate.bin");
+ let result = read_encoded_certificate_identifiers(certificate);
+ assert!(result.is_ok());
+ let (serial_number, issuer, subject) = result.unwrap();
+ assert_eq!(
+ serial_number,
+ &[
+ 0x02, 0x14, 0x3f, 0xed, 0x7b, 0x43, 0x47, 0x8a, 0x53, 0x42, 0x5b, 0x0d, 0x50, 0xe1,
+ 0x37, 0x88, 0x2a, 0x20, 0x3f, 0x31, 0x17, 0x20
+ ]
+ );
+ assert_eq!(
+ issuer,
+ &[
+ 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x54,
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41
+ ]
+ );
+ assert_eq!(
+ subject,
+ &[
+ 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x54,
+ 0x65, 0x73, 0x74, 0x20, 0x45, 0x6e, 0x64, 0x2d, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79
+ ]
+ );
+ }
+
+ #[test]
+ #[cfg(target_os = "windows")]
+ fn test_read_digest() {
+ // SEQUENCE
+ // SEQUENCE
+ // OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 sha-256
+ // NULL
+ // OCTET STRING 1A7FCDB9A5F649F954885CFE145F3E93F0D1FA72BE980CC6EC82C70E1407C7D2
+ let digest_info = [
+ 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x1, 0x65, 0x03, 0x04, 0x02,
+ 0x01, 0x05, 0x00, 0x04, 0x20, 0x1a, 0x7f, 0xcd, 0xb9, 0xa5, 0xf6, 0x49, 0xf9, 0x54,
+ 0x88, 0x5c, 0xfe, 0x14, 0x5f, 0x3e, 0x93, 0xf0, 0xd1, 0xfa, 0x72, 0xbe, 0x98, 0x0c,
+ 0xc6, 0xec, 0x82, 0xc7, 0x0e, 0x14, 0x07, 0xc7, 0xd2,
+ ];
+ let result = read_digest(&digest_info);
+ assert!(result.is_ok());
+ let digest = result.unwrap();
+ assert_eq!(
+ digest,
+ &[
+ 0x1a, 0x7f, 0xcd, 0xb9, 0xa5, 0xf6, 0x49, 0xf9, 0x54, 0x88, 0x5c, 0xfe, 0x14, 0x5f,
+ 0x3e, 0x93, 0xf0, 0xd1, 0xfa, 0x72, 0xbe, 0x98, 0x0c, 0xc6, 0xec, 0x82, 0xc7, 0x0e,
+ 0x14, 0x07, 0xc7, 0xd2
+ ]
+ );
+ }
+}
diff --git a/security/manager/ssl/rsclientcerts/test/certificate.bin b/security/manager/ssl/rsclientcerts/test/certificate.bin
new file mode 100644
index 0000000000..01fbafb15c
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/test/certificate.bin
Binary files differ
diff --git a/security/manager/ssl/rsclientcerts/test/modulus.bin b/security/manager/ssl/rsclientcerts/test/modulus.bin
new file mode 100644
index 0000000000..a9b09ff53e
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/test/modulus.bin
@@ -0,0 +1,2 @@
+ºˆQ¨DŽÖAýn¶ˆ6=<Ùêä5J´ìõhWl${ÁÇ%¨àؽ±œ›n†òkâ¯Zukjdqz¥Z§E‡÷Õ$œ~ÍCüiÐ8 )“« ÃIäÛ¹LÂklí‚ñ~­i±Ó:‹*Aî§pà ýf +°$’¤}¹ˆay±W=Ò;Åà¸H¨7ÓˆCï'ØU·fZª~/:{€$Ìl—­–a[·â–Àu1£ ‘Ý´Ê÷ü­%Ó ï¹§há³{/"oiã´Š•aî&Ö%«‘N6Ë$,¿‹/åñ™1¸³þI#úrQÄ1Õ¬Ú
+5í \ No newline at end of file
diff --git a/security/manager/ssl/rsclientcerts/test/rsa.bin b/security/manager/ssl/rsclientcerts/test/rsa.bin
new file mode 100644
index 0000000000..93ededb827
--- /dev/null
+++ b/security/manager/ssl/rsclientcerts/test/rsa.bin
Binary files differ
diff --git a/security/manager/ssl/tests/.eslintrc.js b/security/manager/ssl/tests/.eslintrc.js
new file mode 100644
index 0000000000..379eabb2d0
--- /dev/null
+++ b/security/manager/ssl/tests/.eslintrc.js
@@ -0,0 +1,8 @@
+"use strict";
+
+module.exports = {
+ rules: {
+ // Disallow non-top level |var| declarations.
+ "mozilla/var-only-at-top-level": "error",
+ },
+};
diff --git a/security/manager/ssl/tests/gtest/CoseTest.cpp b/security/manager/ssl/tests/gtest/CoseTest.cpp
new file mode 100644
index 0000000000..2f05cad3a7
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/CoseTest.cpp
@@ -0,0 +1,756 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <cstddef>
+#include <memory>
+
+#include <keyhi.h>
+#include <nss.h>
+#include <pk11pub.h>
+
+#include <pkcs11t.h>
+#include <secmodt.h>
+#include <cert.h>
+
+#include "ScopedNSSTypes.h"
+#include "cosec.h"
+
+namespace mozilla {
+
+// "This is the content."
+const uint8_t PAYLOAD[] = {84, 104, 105, 115, 32, 105, 115, 32, 116, 104,
+ 101, 32, 99, 111, 110, 116, 101, 110, 116, 46};
+
+// This is a COSE signature generated with the cose rust library (see
+// third-party/rust/cose). The payload is signed with the P256 key from
+// pykey.py.
+const uint8_t SIGNATURE[] = {
+ 0xd8, 0x62, 0x84, 0x59, 0x02, 0xa3, 0xa1, 0x04, 0x82, 0x59, 0x01, 0x4e,
+ 0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02,
+ 0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95,
+ 0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a,
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+ 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+ 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+ 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+ 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12,
+ 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f,
+ 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+ 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+ 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+ 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+ 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+ 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+ 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+ 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+ 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+ 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30,
+ 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d,
+ 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75,
+ 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02,
+ 0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7,
+ 0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22,
+ 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b, 0x59, 0x01,
+ 0x4c, 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43,
+ 0xec, 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30,
+ 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30,
+ 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09,
+ 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18,
+ 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+ 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+ 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e,
+ 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+ 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+ 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+ 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+ 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+ 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+ 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+ 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+ 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+ 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30,
+ 0x44, 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff,
+ 0xd1, 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77,
+ 0x5c, 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02,
+ 0x20, 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb,
+ 0x56, 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57,
+ 0x20, 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7, 0xa0, 0xf6, 0x81,
+ 0x83, 0x59, 0x01, 0x33, 0xa2, 0x01, 0x26, 0x04, 0x59, 0x01, 0x2c, 0x30,
+ 0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
+ 0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45, 0x13, 0x92, 0xd6,
+ 0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39, 0x30, 0x0a, 0x06,
+ 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x13, 0x31,
+ 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e,
+ 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30,
+ 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
+ 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30,
+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e,
+ 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, 0x70, 0x32,
+ 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce,
+ 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
+ 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, 0xf8,
+ 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, 0x0b,
+ 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45,
+ 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07,
+ 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b,
+ 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0x30, 0x0a, 0x06,
+ 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00,
+ 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd,
+ 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73,
+ 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6,
+ 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, 0x36, 0x6b, 0x75,
+ 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, 0xc5, 0x89, 0xc1,
+ 0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b, 0xa0,
+ 0x58, 0x40, 0x1e, 0x6e, 0x08, 0xdf, 0x8f, 0x4f, 0xd6, 0xab, 0x23, 0xae,
+ 0x84, 0xaa, 0xf3, 0x43, 0x35, 0x9a, 0x53, 0xb9, 0x8b, 0xf9, 0x81, 0xa1,
+ 0xbc, 0x1e, 0x5c, 0x57, 0x5c, 0x0a, 0x20, 0x37, 0xf4, 0x3d, 0x11, 0x08,
+ 0xa0, 0x97, 0x4b, 0x68, 0xa4, 0x0f, 0x80, 0xe9, 0x96, 0x30, 0x04, 0x24,
+ 0x0e, 0x81, 0x3d, 0x2a, 0x8a, 0x64, 0x40, 0x61, 0x5a, 0x19, 0x00, 0xff,
+ 0x74, 0x40, 0x71, 0x82, 0x65, 0xe9};
+
+// This is a COSE signature generated with the cose rust library (see
+// third-party/rust/cose). The payload is signed twice; with the P256 and the
+// RSA key from pykey.py.
+const uint8_t SIGNATURE_ES256_PS256[] = {
+ 0xd8, 0x62, 0x84, 0x59, 0x08, 0x52, 0xa1, 0x04, 0x84, 0x59, 0x01, 0x4e,
+ 0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02,
+ 0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95,
+ 0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a,
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+ 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+ 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+ 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+ 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12,
+ 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f,
+ 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+ 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+ 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+ 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+ 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+ 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+ 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+ 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+ 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+ 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30,
+ 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d,
+ 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75,
+ 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02,
+ 0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7,
+ 0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22,
+ 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b, 0x59, 0x01,
+ 0x4c, 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43,
+ 0xec, 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30,
+ 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30,
+ 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09,
+ 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18,
+ 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+ 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+ 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e,
+ 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+ 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+ 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+ 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+ 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+ 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+ 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+ 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+ 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+ 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30,
+ 0x44, 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff,
+ 0xd1, 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77,
+ 0x5c, 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02,
+ 0x20, 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb,
+ 0x56, 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57,
+ 0x20, 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7, 0x59, 0x02, 0xd5,
+ 0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b,
+ 0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30,
+ 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+ 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+ 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18,
+ 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+ 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+ 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f,
+ 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,
+ 0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41,
+ 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea,
+ 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1,
+ 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e,
+ 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71,
+ 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c,
+ 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93,
+ 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e,
+ 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02,
+ 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd,
+ 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79,
+ 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f,
+ 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66,
+ 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24,
+ 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12,
+ 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad,
+ 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3,
+ 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee,
+ 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24,
+ 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31,
+ 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03,
+ 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01,
+ 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
+ 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01,
+ 0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7,
+ 0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f,
+ 0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6,
+ 0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9,
+ 0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5,
+ 0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 0x7b, 0xbf,
+ 0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce,
+ 0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2,
+ 0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b,
+ 0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c,
+ 0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4,
+ 0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46,
+ 0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b,
+ 0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b,
+ 0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23,
+ 0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d,
+ 0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56,
+ 0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a,
+ 0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3,
+ 0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c,
+ 0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda,
+ 0xf0, 0xef, 0x7d, 0x94, 0xb5, 0x59, 0x02, 0xd4, 0x30, 0x82, 0x02, 0xd0,
+ 0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x07,
+ 0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8, 0xc2, 0xcc, 0x46, 0xd7,
+ 0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30, 0x0b, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x30, 0x13, 0x31, 0x11,
+ 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f, 0x6f,
+ 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31,
+ 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a,
+ 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e, 0x74, 0x2d, 0x72, 0x73,
+ 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+ 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x88,
+ 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, 0x88, 0x06,
+ 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, 0xb4, 0xec,
+ 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, 0xe0, 0xd8,
+ 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, 0x6b, 0xe2,
+ 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, 0x5a, 0xa7,
+ 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, 0x43, 0xfc,
+ 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, 0x49, 0xe4,
+ 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, 0x0f, 0xf1,
+ 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, 0x41, 0xee,
+ 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, 0xb0, 0x24,
+ 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, 0x90, 0x3d,
+ 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, 0x88, 0x43,
+ 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, 0x02, 0x90,
+ 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, 0x97, 0xad,
+ 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, 0xa3, 0x0c,
+ 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, 0x09, 0xef,
+ 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 0x2f, 0x22, 0x6f, 0x69,
+ 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, 0x9d, 0xab,
+ 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, 0x16, 0x8b,
+ 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, 0x49, 0x23,
+ 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, 0x0a, 0x35,
+ 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x1d, 0x30, 0x1b, 0x30,
+ 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
+ 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
+ 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+ 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x5e, 0xba, 0x69, 0x55,
+ 0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7, 0x31, 0x3e, 0x66, 0xe1,
+ 0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9, 0xce, 0x5e, 0x4c, 0xbe,
+ 0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 0x38, 0xaa, 0x5b, 0x28, 0xb5,
+ 0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82, 0x86, 0x9e, 0x74, 0xd5,
+ 0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1, 0x24, 0x76, 0xbb, 0x95,
+ 0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44, 0x34, 0x10, 0x8f, 0xb1,
+ 0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f, 0xb3, 0x48, 0xe1, 0xcd,
+ 0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60, 0xc5, 0xe0, 0x45, 0x79,
+ 0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3, 0x19, 0xba, 0x14, 0xa1,
+ 0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54, 0x5b, 0x04, 0xdc, 0x1b,
+ 0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24, 0x52, 0x6a, 0xad, 0xe2,
+ 0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2, 0xbf, 0xe2, 0x20, 0x1b,
+ 0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda, 0x7a, 0x1a, 0x5d, 0xd3,
+ 0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51, 0xda, 0xd3, 0x91, 0x25,
+ 0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb, 0x89, 0x8a, 0xec, 0x8a,
+ 0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d, 0xfc, 0x6a, 0x05, 0x21,
+ 0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05, 0x5c, 0x22, 0x0a, 0xf6,
+ 0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d, 0xca, 0xf3, 0x49, 0x9c,
+ 0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc, 0x95, 0x22, 0x2e, 0xb1,
+ 0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03, 0x2a, 0x68, 0xe7, 0x2d,
+ 0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c, 0x87, 0xc6, 0x5c, 0x51,
+ 0xa0, 0xf6, 0x82, 0x83, 0x59, 0x01, 0x33, 0xa2, 0x01, 0x26, 0x04, 0x59,
+ 0x01, 0x2c, 0x30, 0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02,
+ 0x01, 0x02, 0x02, 0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45,
+ 0x13, 0x92, 0xd6, 0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39,
+ 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
+ 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+ 0x08, 0x69, 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18,
+ 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+ 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31,
+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65,
+ 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
+ 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb,
+ 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2,
+ 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f,
+ 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4,
+ 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7,
+ 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0,
+ 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
+ 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13,
+ 0x11, 0x50, 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91,
+ 0xff, 0xb2, 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80,
+ 0x0a, 0x70, 0xe6, 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03,
+ 0x36, 0x6b, 0x75, 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9,
+ 0xc5, 0x89, 0xc1, 0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c,
+ 0xfa, 0x0b, 0xa0, 0x58, 0x40, 0xa3, 0xfb, 0x49, 0xe6, 0x45, 0x29, 0x64,
+ 0x76, 0xeb, 0x9d, 0xbd, 0xf5, 0x38, 0x56, 0xbe, 0x6e, 0x31, 0x57, 0x73,
+ 0xc1, 0x2d, 0x3e, 0xac, 0xee, 0xba, 0x55, 0x8e, 0x37, 0xd4, 0xea, 0x80,
+ 0x25, 0x31, 0x99, 0x9f, 0x4a, 0xb0, 0xf9, 0xd8, 0xb0, 0xed, 0x74, 0xfc,
+ 0x8c, 0x02, 0xf0, 0x9f, 0x95, 0xf1, 0xaa, 0x71, 0xcc, 0xd2, 0xe7, 0x1a,
+ 0x6d, 0xd4, 0xed, 0xff, 0xf2, 0x78, 0x09, 0x83, 0x7e, 0x83, 0x59, 0x02,
+ 0xbb, 0xa2, 0x01, 0x38, 0x24, 0x04, 0x59, 0x02, 0xb3, 0x30, 0x82, 0x02,
+ 0xaf, 0x30, 0x82, 0x01, 0x99, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14,
+ 0x07, 0x1c, 0x3b, 0x71, 0x08, 0xbe, 0xd7, 0x9f, 0xfd, 0xaf, 0x26, 0xb6,
+ 0x08, 0xa3, 0x99, 0x06, 0x77, 0x69, 0x32, 0x7e, 0x30, 0x0b, 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x30, 0x12, 0x31,
+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e,
+ 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31,
+ 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a,
+ 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x11, 0x31, 0x0f, 0x30, 0x0d, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x0c, 0x06, 0x65, 0x65, 0x2d, 0x72, 0x73, 0x61,
+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
+ 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x88, 0x51,
+ 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36,
+ 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5,
+ 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f,
+ 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf,
+ 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45,
+ 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e,
+ 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb,
+ 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e,
+ 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7,
+ 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92,
+ 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2,
+ 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef,
+ 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f,
+ 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96,
+ 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91,
+ 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9,
+ 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3,
+ 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91,
+ 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f,
+ 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa,
+ 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed,
+ 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86,
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00,
+ 0x44, 0x92, 0xbb, 0x8e, 0x83, 0x58, 0x56, 0x2e, 0x7a, 0x86, 0xfa, 0x1d,
+ 0x77, 0x50, 0x3f, 0x45, 0x8d, 0x90, 0xc4, 0x62, 0x27, 0x21, 0x96, 0x5a,
+ 0xef, 0x51, 0x78, 0xd7, 0x7d, 0x0d, 0x02, 0x2d, 0x5a, 0x0e, 0x3c, 0x82,
+ 0x6f, 0x1d, 0x92, 0x87, 0xd5, 0x1a, 0x44, 0xae, 0xa7, 0x92, 0xd1, 0x8b,
+ 0xfa, 0x16, 0x53, 0x7f, 0xa3, 0x22, 0x96, 0x1a, 0x51, 0x8c, 0xeb, 0xa1,
+ 0xe6, 0xf6, 0x37, 0x11, 0xfe, 0x7d, 0x53, 0x3f, 0xae, 0xf0, 0x6b, 0xb9,
+ 0xb1, 0x7a, 0x73, 0x07, 0x14, 0xcf, 0x04, 0x05, 0x93, 0x9e, 0xe3, 0xd2,
+ 0x4d, 0x9d, 0x6d, 0x35, 0x68, 0xf9, 0x36, 0xe5, 0x10, 0x0a, 0x36, 0xd9,
+ 0x48, 0xb0, 0x83, 0xd0, 0xb9, 0x58, 0x74, 0x53, 0xb3, 0xbc, 0x99, 0xab,
+ 0xe1, 0x3e, 0xd5, 0x01, 0x8e, 0xcf, 0x3a, 0x69, 0x93, 0x9e, 0xa7, 0x88,
+ 0xd4, 0xad, 0x95, 0xf9, 0x2a, 0xb4, 0x7f, 0x95, 0x97, 0x86, 0x50, 0x38,
+ 0xb1, 0x04, 0x0a, 0xe4, 0x7a, 0xd5, 0x2d, 0x6c, 0xde, 0x3e, 0x1a, 0x47,
+ 0x17, 0x88, 0x63, 0x20, 0x9d, 0x21, 0x3e, 0x0c, 0x6f, 0xfd, 0x20, 0x54,
+ 0xd0, 0x67, 0xd2, 0x6b, 0x06, 0xfe, 0x60, 0x13, 0x42, 0x3d, 0xb7, 0xca,
+ 0xcb, 0xab, 0x7b, 0x5f, 0x5d, 0x01, 0x56, 0xd3, 0x99, 0x80, 0x0f, 0xde,
+ 0x7f, 0x3a, 0x61, 0x9c, 0xd3, 0x6b, 0x5e, 0xfe, 0xb5, 0xfc, 0x39, 0x8b,
+ 0x8e, 0xf0, 0x8c, 0x8b, 0x65, 0x46, 0x45, 0xff, 0x47, 0x8f, 0xd4, 0xdd,
+ 0xae, 0xc9, 0x72, 0xc7, 0x7f, 0x28, 0x86, 0xf1, 0xf7, 0x6e, 0xcb, 0x86,
+ 0x03, 0xeb, 0x0c, 0x46, 0xe5, 0xa0, 0x6b, 0xef, 0xd4, 0x5e, 0xa4, 0x0f,
+ 0x53, 0xe1, 0xbc, 0xb4, 0xc9, 0x37, 0x0e, 0x75, 0xdd, 0x93, 0xe8, 0x0f,
+ 0x18, 0x0a, 0x02, 0x83, 0x17, 0x74, 0xbb, 0x1a, 0x42, 0x5b, 0x63, 0x2c,
+ 0x80, 0x80, 0xa6, 0x84, 0xa0, 0x59, 0x01, 0x00, 0x51, 0xf4, 0xe6, 0x1c,
+ 0x18, 0x7b, 0x28, 0xa0, 0x1f, 0x63, 0xbf, 0xa5, 0xbd, 0x89, 0x9f, 0xd9,
+ 0x30, 0x46, 0x4b, 0x34, 0x9b, 0x9d, 0x0f, 0xb0, 0x33, 0x11, 0xf8, 0xaa,
+ 0x84, 0x4e, 0xb2, 0xca, 0x29, 0x83, 0x54, 0x28, 0x99, 0x2a, 0x43, 0x7f,
+ 0xe0, 0xe6, 0xd8, 0xdc, 0xd7, 0xf4, 0xb3, 0xd7, 0xf7, 0x39, 0xd5, 0xdc,
+ 0xde, 0xdc, 0x23, 0x78, 0xd7, 0x90, 0xc0, 0x52, 0xf5, 0xd2, 0x14, 0x6f,
+ 0xf9, 0x24, 0x48, 0xc8, 0x75, 0x4a, 0x9a, 0x4c, 0x61, 0x2f, 0x96, 0x4e,
+ 0xc8, 0x02, 0x95, 0x72, 0xef, 0xbc, 0x91, 0xae, 0xf8, 0x23, 0xfb, 0xba,
+ 0x9f, 0xfd, 0xe0, 0x1a, 0x8e, 0xa9, 0x03, 0x16, 0x76, 0xf4, 0xdb, 0x81,
+ 0x5a, 0x69, 0xeb, 0xf5, 0x55, 0xd7, 0x68, 0x28, 0xe4, 0xce, 0xde, 0x1b,
+ 0xb4, 0x90, 0xac, 0x97, 0x07, 0x15, 0xe0, 0xce, 0x5f, 0x3f, 0x89, 0xaf,
+ 0xc1, 0xb8, 0x46, 0x5e, 0x87, 0xa1, 0x8d, 0xa7, 0x44, 0x09, 0x02, 0x4e,
+ 0xbe, 0x6b, 0xfb, 0xab, 0xeb, 0x19, 0x62, 0x9e, 0xb0, 0xef, 0x0a, 0x6b,
+ 0xcf, 0xe0, 0x00, 0xa9, 0x68, 0x2a, 0x8e, 0xfe, 0x8a, 0xb9, 0x57, 0x52,
+ 0xb3, 0x08, 0x80, 0x5e, 0xa6, 0x88, 0x5f, 0x31, 0xd1, 0xe9, 0x6d, 0xf7,
+ 0x54, 0x4e, 0xf8, 0x17, 0xb0, 0x1c, 0xca, 0xa6, 0xa6, 0x80, 0xf8, 0xd8,
+ 0xf5, 0x94, 0xa4, 0xb2, 0xd0, 0x7e, 0xbb, 0x4f, 0xdb, 0x3a, 0x91, 0x5f,
+ 0xb3, 0xc1, 0xfa, 0x60, 0xe4, 0xce, 0xe3, 0xe5, 0x14, 0x1f, 0x9c, 0x01,
+ 0x60, 0xff, 0xe2, 0x09, 0xe6, 0x1a, 0x82, 0x69, 0xb6, 0xeb, 0x52, 0x1e,
+ 0x3d, 0xc7, 0xfd, 0x69, 0x9d, 0x2a, 0xa5, 0xdb, 0xc1, 0x6a, 0x5a, 0x7d,
+ 0x23, 0x2a, 0x00, 0xe4, 0x53, 0x16, 0x8e, 0xc1, 0x56, 0xf5, 0x5a, 0x8d,
+ 0x59, 0x1f, 0x7f, 0xff, 0x77, 0x6f, 0x92, 0xea, 0x5d, 0x31, 0xe9, 0x18};
+
+// The RSA intermediate certificate that issued the EE cert used in the
+// signature above. The certificate was generated with pycert.py
+const uint8_t RSA_INT[] = {
+ 0x30, 0x82, 0x02, 0xd0, 0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x14, 0x07, 0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8,
+ 0xc2, 0xcc, 0x46, 0xd7, 0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30,
+ 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+ 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+ 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18,
+ 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+ 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31,
+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e,
+ 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,
+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
+ 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
+ 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd,
+ 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4,
+ 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7,
+ 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a,
+ 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08,
+ 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02,
+ 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab,
+ 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed,
+ 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a,
+ 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66,
+ 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90,
+ 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8,
+ 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a,
+ 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc,
+ 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0,
+ 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d,
+ 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b,
+ 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26,
+ 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04,
+ 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8,
+ 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac,
+ 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
+ 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,
+ 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f,
+ 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86,
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00,
+ 0x5e, 0xba, 0x69, 0x55, 0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7,
+ 0x31, 0x3e, 0x66, 0xe1, 0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9,
+ 0xce, 0x5e, 0x4c, 0xbe, 0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 0x38,
+ 0xaa, 0x5b, 0x28, 0xb5, 0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82,
+ 0x86, 0x9e, 0x74, 0xd5, 0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1,
+ 0x24, 0x76, 0xbb, 0x95, 0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44,
+ 0x34, 0x10, 0x8f, 0xb1, 0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f,
+ 0xb3, 0x48, 0xe1, 0xcd, 0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60,
+ 0xc5, 0xe0, 0x45, 0x79, 0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3,
+ 0x19, 0xba, 0x14, 0xa1, 0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54,
+ 0x5b, 0x04, 0xdc, 0x1b, 0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24,
+ 0x52, 0x6a, 0xad, 0xe2, 0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2,
+ 0xbf, 0xe2, 0x20, 0x1b, 0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda,
+ 0x7a, 0x1a, 0x5d, 0xd3, 0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51,
+ 0xda, 0xd3, 0x91, 0x25, 0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb,
+ 0x89, 0x8a, 0xec, 0x8a, 0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d,
+ 0xfc, 0x6a, 0x05, 0x21, 0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05,
+ 0x5c, 0x22, 0x0a, 0xf6, 0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d,
+ 0xca, 0xf3, 0x49, 0x9c, 0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc,
+ 0x95, 0x22, 0x2e, 0xb1, 0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03,
+ 0x2a, 0x68, 0xe7, 0x2d, 0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c,
+ 0x87, 0xc6, 0x5c, 0x51};
+
+// The RSA root certificate that issued the RSA intermediate certificate above.
+// The certificate was generated with pycert.py
+const uint8_t RSA_ROOT[] = {
+ 0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b,
+ 0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30,
+ 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+ 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+ 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18,
+ 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+ 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+ 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f,
+ 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,
+ 0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41,
+ 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea,
+ 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1,
+ 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e,
+ 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71,
+ 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c,
+ 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93,
+ 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e,
+ 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02,
+ 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd,
+ 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79,
+ 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f,
+ 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66,
+ 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24,
+ 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12,
+ 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad,
+ 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3,
+ 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee,
+ 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24,
+ 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31,
+ 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03,
+ 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01,
+ 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
+ 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01,
+ 0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7,
+ 0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f,
+ 0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6,
+ 0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9,
+ 0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5,
+ 0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 0x7b, 0xbf,
+ 0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce,
+ 0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2,
+ 0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b,
+ 0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c,
+ 0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4,
+ 0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46,
+ 0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b,
+ 0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b,
+ 0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23,
+ 0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d,
+ 0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56,
+ 0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a,
+ 0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3,
+ 0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c,
+ 0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda,
+ 0xf0, 0xef, 0x7d, 0x94, 0xb5};
+
+// The P256 intermediate certificate that issued the EE cert used in the
+// signatures above. The certificate was generated with pycert.py
+const uint8_t P256_INT[] = {
+ 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01, 0x02,
+ 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43, 0xec,
+ 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30, 0x0a,
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+ 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+ 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+ 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+ 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, 0x11,
+ 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e, 0x74,
+ 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
+ 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb,
+ 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2,
+ 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f,
+ 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4,
+ 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7,
+ 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0,
+ 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
+ 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44,
+ 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, 0xd1,
+ 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77, 0x5c,
+ 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02, 0x20,
+ 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb, 0x56,
+ 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57, 0x20,
+ 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7};
+
+// The P256 root certificate that issued the P256 intermediate certificate
+// above. The certificate was generated with pycert.py
+const uint8_t P256_ROOT[] = {
+ 0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02,
+ 0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95,
+ 0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a,
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+ 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+ 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+ 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+ 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12,
+ 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f,
+ 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+ 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+ 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+ 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+ 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+ 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+ 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+ 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+ 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+ 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30,
+ 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d,
+ 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75,
+ 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02,
+ 0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7,
+ 0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22,
+ 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b};
+
+void check_hard_coded_certs(const uint8_t** cert_chain, size_t cert_chain_len,
+ const size_t* certs_len) {
+ // Very hacky and fragile check that the intermediate certs are correct.
+ switch (cert_chain_len) {
+ case 2: {
+ const uint8_t* cert = cert_chain[0];
+ size_t cert_len = certs_len[0];
+ ASSERT_EQ(cert_len, sizeof(P256_ROOT));
+ ASSERT_EQ(0, memcmp(cert, P256_ROOT, cert_len));
+ cert = cert_chain[1];
+ cert_len = certs_len[1];
+ ASSERT_EQ(cert_len, sizeof(P256_INT));
+ ASSERT_EQ(0, memcmp(cert, P256_INT, cert_len));
+ break;
+ }
+ case 4: {
+ const uint8_t* cert = cert_chain[0];
+ size_t cert_len = certs_len[0];
+ ASSERT_EQ(cert_len, sizeof(P256_ROOT));
+ ASSERT_EQ(0, memcmp(cert, P256_ROOT, cert_len));
+ cert = cert_chain[1];
+ cert_len = certs_len[1];
+ ASSERT_EQ(cert_len, sizeof(P256_INT));
+ ASSERT_EQ(0, memcmp(cert, P256_INT, cert_len));
+ cert = cert_chain[2];
+ cert_len = certs_len[2];
+ ASSERT_EQ(cert_len, sizeof(RSA_ROOT));
+ ASSERT_EQ(0, memcmp(cert, RSA_ROOT, cert_len));
+ cert = cert_chain[3];
+ cert_len = certs_len[3];
+ ASSERT_EQ(cert_len, sizeof(RSA_INT));
+ ASSERT_EQ(0, memcmp(cert, RSA_INT, cert_len));
+ break;
+ }
+ default:
+ // In this case something went wrong.
+ ASSERT_EQ(true, false);
+ }
+}
+
+/* Verification function called from cose-rust.
+ * Returns true if everything goes well and the signature is good, false in any
+ * other case. */
+bool verify_callback(const uint8_t* payload, size_t payload_len,
+ const uint8_t** cert_chain, size_t cert_chain_len,
+ const size_t* certs_len, const uint8_t* ee_cert,
+ size_t ee_cert_len, const uint8_t* signature,
+ size_t signature_len, uint8_t signature_algorithm,
+ void* ctx) {
+ UniquePK11SlotInfo slot(PK11_GetInternalSlot());
+ if (!slot) {
+ return false;
+ }
+
+ CK_MECHANISM_TYPE mechanism;
+ SECOidTag oid;
+ uint32_t hash_length;
+ SECItem param = {siBuffer, nullptr, 0};
+ CK_RSA_PKCS_PSS_PARAMS rsa_pss_params = {CKM_SHA256, CKG_MGF1_SHA256,
+ SHA256_LENGTH};
+ switch (signature_algorithm) {
+ case (ES256):
+ mechanism = CKM_ECDSA;
+ oid = SEC_OID_SHA256;
+ hash_length = SHA256_LENGTH;
+ break;
+ case (PS256):
+ mechanism = CKM_RSA_PKCS_PSS;
+ oid = SEC_OID_SHA256;
+ hash_length = SHA256_LENGTH;
+ param = {siBuffer, reinterpret_cast<unsigned char*>(&rsa_pss_params),
+ sizeof(rsa_pss_params)};
+ break;
+ default:
+ return false;
+ }
+ check_hard_coded_certs(cert_chain, cert_chain_len, certs_len);
+
+ uint8_t hash_buf[HASH_LENGTH_MAX];
+ SECStatus rv = PK11_HashBuf(oid, hash_buf, payload, payload_len);
+ if (rv != SECSuccess) {
+ return false;
+ }
+ SECItem hash_item = {siBuffer, hash_buf, hash_length};
+ CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB();
+ if (!db_handle) {
+ return false;
+ }
+ SECItem der_cert = {siBuffer, const_cast<uint8_t*>(ee_cert),
+ static_cast<unsigned int>(ee_cert_len)};
+ UniqueCERTCertificate cert(
+ CERT_NewTempCertificate(db_handle, &der_cert, nullptr, false, true));
+ if (!cert) {
+ return false;
+ }
+ UniqueSECKEYPublicKey key(CERT_ExtractPublicKey(cert.get()));
+ if (!key) {
+ return false;
+ }
+ SECItem signature_item = {siBuffer, const_cast<uint8_t*>(signature),
+ static_cast<unsigned int>(signature_len)};
+ rv = PK11_VerifyWithMechanism(key.get(), mechanism, &param, &signature_item,
+ &hash_item, nullptr);
+ if (rv != SECSuccess) {
+ return false;
+ }
+
+ return true;
+}
+
+class psm_COSE : public ::testing::Test {};
+
+TEST_F(psm_COSE, CoseTestingSingleSignature) {
+ SECStatus rv = NSS_NoDB_Init(nullptr);
+ ASSERT_EQ(SECSuccess, rv);
+ bool result =
+ verify_cose_signature_ffi(PAYLOAD, sizeof(PAYLOAD), SIGNATURE,
+ sizeof(SIGNATURE), nullptr, verify_callback);
+ ASSERT_TRUE(result);
+}
+
+TEST_F(psm_COSE, CoseTestingTwoSignatures) {
+ SECStatus rv = NSS_NoDB_Init(nullptr);
+ ASSERT_EQ(SECSuccess, rv);
+ bool result = verify_cose_signature_ffi(
+ PAYLOAD, sizeof(PAYLOAD), SIGNATURE_ES256_PS256,
+ sizeof(SIGNATURE_ES256_PS256), nullptr, verify_callback);
+ ASSERT_TRUE(result);
+}
+
+TEST_F(psm_COSE, CoseTestingAlteredPayload) {
+ SECStatus rv = NSS_NoDB_Init(nullptr);
+ ASSERT_EQ(SECSuccess, rv);
+ uint8_t altered_payload[20] = {84, 104, 105, 115, 32, 104, 115,
+ 32, 116, 104, 101, 32, 99, 111,
+ 110, 116, 101, 110, 116, 46};
+ bool result = verify_cose_signature_ffi(
+ altered_payload, sizeof(altered_payload), SIGNATURE_ES256_PS256,
+ sizeof(SIGNATURE_ES256_PS256), nullptr, verify_callback);
+ ASSERT_FALSE(result);
+}
+
+} // namespace mozilla
diff --git a/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp b/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp
new file mode 100644
index 0000000000..acad30e2ae
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp
@@ -0,0 +1,507 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "TransportSecurityInfo.h"
+#include "nsCOMPtr.h"
+#include "nsITransportSecurityInfo.h"
+#include "nsIX509Cert.h"
+#include "nsString.h"
+#include "mozilla/Maybe.h"
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+// nsITransportSecurityInfo de-serializatin tests
+//
+// These tests verify that we can still deserialize old binary strings
+// generated for security info. This is necessary because service workers
+// stores these strings on disk.
+//
+// If you make a change and start breaking these tests, you will need to
+// add a compat fix for loading the old versions. For things that affect
+// the UUID, but do not break the rest of the format you can simply add
+// another hack condition in nsBinaryInputStream::ReadObject(). If you
+// change the overall format of the serialization then we will need more
+// complex handling in the security info concrete classes.
+//
+// We would like to move away from this binary compatibility requirement
+// in service workers. See bug 1248628.
+void deserializeAndVerify(const nsCString& serializedSecInfo,
+ Maybe<size_t> failedCertChainLength = Nothing(),
+ Maybe<size_t> succeededCertChainLength = Nothing()) {
+ nsCOMPtr<nsITransportSecurityInfo> securityInfo;
+ nsresult rv = TransportSecurityInfo::Read(serializedSecInfo,
+ getter_AddRefs(securityInfo));
+ ASSERT_EQ(NS_OK, rv);
+ ASSERT_TRUE(securityInfo);
+
+ nsCOMPtr<nsIX509Cert> cert;
+ rv = securityInfo->GetServerCert(getter_AddRefs(cert));
+ ASSERT_EQ(NS_OK, rv);
+ ASSERT_TRUE(cert);
+
+ nsTArray<RefPtr<nsIX509Cert>> failedCertArray;
+ rv = securityInfo->GetFailedCertChain(failedCertArray);
+ ASSERT_EQ(NS_OK, rv);
+
+ if (failedCertChainLength) {
+ ASSERT_FALSE(failedCertArray.IsEmpty());
+ for (const auto& cert : failedCertArray) {
+ ASSERT_TRUE(cert);
+ }
+ ASSERT_EQ(*failedCertChainLength, failedCertArray.Length());
+ } else {
+ ASSERT_TRUE(failedCertArray.IsEmpty());
+ }
+
+ nsTArray<RefPtr<nsIX509Cert>> succeededCertArray;
+ rv = securityInfo->GetSucceededCertChain(succeededCertArray);
+ ASSERT_EQ(NS_OK, rv);
+
+ if (succeededCertChainLength) {
+ ASSERT_FALSE(succeededCertArray.IsEmpty());
+ for (const auto& cert : succeededCertArray) {
+ ASSERT_TRUE(cert);
+ }
+ ASSERT_EQ(*succeededCertChainLength, succeededCertArray.Length());
+ } else {
+ ASSERT_TRUE(succeededCertArray.IsEmpty());
+ }
+}
+
+TEST(psm_DeserializeCert, gecko33)
+{
+ // clang-format off
+ // Gecko 33+ vintage Security info serialized with UUIDs:
+ // - nsISupports 00000000-0000-0000-c000-000000000046
+ // - nsISSLStatus fa9ba95b-ca3b-498a-b889-7c79cf28fee8
+ // - nsIX509Cert f8ed8364-ced9-4c6e-86ba-48af53c393e6
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAQAAgAAAAAAAAAAAAAAAAAAAAA"
+ "B4vFIJp5wRkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8F+O2DZM7ZTG6GukivU8OT5gAAAAIAAAWpMII"
+ "FpTCCBI2gAwIBAgIQD4svsaKEC+QtqtsU2TF8ITANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUN"
+ "lcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFN"
+ "lcnZlciBDQTAeFw0xNTAyMjMwMDAwMDBaFw0xNjAzMDIxMjAwMDBaMGoxCzAJBgNVBAYTAlVTMRYwFAYDVQQHEw1TYW4gRnJhbmN"
+ "pc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRUwEwYDVQQKEwxGYXN0bHksIEluYy4xFzAVBgNVBAMTDnd3dy5naXRodWIuY29tMII"
+ "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+9WUCgrgUNwP/JC3cUefLAXeDpq8Ko/U8p8IRvny0Ri0I6Uq0t+RP/nF0LJ"
+ "Avda8QHYujdgeDTePepBX7+OiwBFhA0YO+rM3C2Z8IRaN/i9eLln+Yyc68+1z+E10s1EXdZrtDGvN6MHqygGsdfkXKfBLUJ1BZEh"
+ "s9sBnfcjq3kh5gZdBArdG9l5NpdmQhtceaFGsPiWuJxGxRzS4i95veUHWkhMpEYDEEBdcDGxqArvQCvzSlngdttQCfx8OUkBTb3B"
+ "A2okpTwwJfqPsxVetA6qR7UNc+fVb6KHwvm0bzi2rQ3xw3D/syRHwdMkpoVDQPCk43H9WufgfBKRen87dFwIDAQABo4ICPzCCAjs"
+ "wHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFGS/RLNGCZvPWh1xSaIEcouINIQjMHsGA1UdEQR0MHK"
+ "CDnd3dy5naXRodWIuY29tggpnaXRodWIuY29tggwqLmdpdGh1Yi5jb22CCyouZ2l0aHViLmlvgglnaXRodWIuaW+CFyouZ2l0aHV"
+ "idXNlcmNvbnRlbnQuY29tghVnaXRodWJ1c2VyY29udGVudC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwM"
+ "BBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzMuY3J"
+ "sMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzMuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb"
+ "9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQc"
+ "wAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUN"
+ "lcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAc4dbVmuKvyI7"
+ "KZ4Txk+ZqcAYToJGKUIVaPL94e5SZGweUisjaCbplAOihnf6Mxt8n6vnuH2IsCaz2NRHqhdcosjT3CwAiJpJNkXPKWVL/txgdSTV"
+ "2cqB1GG4esFOalvI52dzn+J4fTIYZvNF+AtGyHSLm2XRXYZCw455laUKf6Sk9RDShDgUvzhOKL4GXfTwKXv12MyMknJybH8UCpjC"
+ "HZmFBVHMcUN/87HsQo20PdOekeEvkjrrMIxW+gxw22Yb67yF/qKgwrWr+43bLN709iyw+LWiU7sQcHL2xk9SYiWQDj2tYz2soObV"
+ "QYTJm0VUZMEVFhtALq46cx92Zu4vFwC8AAwAAAAABAQAA");
+ // clang-format on
+
+ deserializeAndVerify(base64Serialization);
+}
+
+TEST(psm_DeserializeCert, gecko46)
+{
+ // clang-format off
+ // Gecko 46+ vintage Security info serialized with UUIDs:
+ // - nsISupports 00000000-0000-0000-c000-000000000046
+ // - nsISSLStatus fa9ba95b-ca3b-498a-b889-7c79cf28fee8
+ // - nsIX509Cert bdc3979a-5422-4cd5-8589-696b6e96ea83
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAQAAgAAAAAAAAAAAAAAAAAAAAA"
+ "B4vFIJp5wRkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAIAAAWzMII"
+ "FrzCCBJegAwIBAgIQB3pdwzYjAfmJ/lT3+G8+ZDANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUN"
+ "lcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFN"
+ "lcnZlciBDQTAeFw0xNjAxMjAwMDAwMDBaFw0xNzA0MDYxMjAwMDBaMGoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybml"
+ "hMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxGYXN0bHksIEluYy4xFzAVBgNVBAMTDnd3dy5naXRodWIuY29tMII"
+ "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+9WUCgrgUNwP/JC3cUefLAXeDpq8Ko/U8p8IRvny0Ri0I6Uq0t+RP/nF0LJ"
+ "Avda8QHYujdgeDTePepBX7+OiwBFhA0YO+rM3C2Z8IRaN/i9eLln+Yyc68+1z+E10s1EXdZrtDGvN6MHqygGsdfkXKfBLUJ1BZEh"
+ "s9sBnfcjq3kh5gZdBArdG9l5NpdmQhtceaFGsPiWuJxGxRzS4i95veUHWkhMpEYDEEBdcDGxqArvQCvzSlngdttQCfx8OUkBTb3B"
+ "A2okpTwwJfqPsxVetA6qR7UNc+fVb6KHwvm0bzi2rQ3xw3D/syRHwdMkpoVDQPCk43H9WufgfBKRen87dFwIDAQABo4ICSTCCAkU"
+ "wHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFGS/RLNGCZvPWh1xSaIEcouINIQjMHsGA1UdEQR0MHK"
+ "CDnd3dy5naXRodWIuY29tggwqLmdpdGh1Yi5jb22CCmdpdGh1Yi5jb22CCyouZ2l0aHViLmlvgglnaXRodWIuaW+CFyouZ2l0aHV"
+ "idXNlcmNvbnRlbnQuY29tghVnaXRodWJ1c2VyY29udGVudC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwM"
+ "BBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3J"
+ "sMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb"
+ "9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3MHU"
+ "wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQ"
+ "uY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQE"
+ "ATxbRdPg+o49+96/P+rbdp4ie+CGtfCgUubT/Z9C54k+BfQO0nbxVgCSM5WZQuLgo2Q+0lcxisod8zxZeU0j5wviQINwOln/iN89"
+ "Bx3VmDRynTe4CqhsAwOoO1ERmCAmsAJBwY/rNr4mK22p8erBrqMW0nYXYU5NFynI+pNTjojhKD4II8PNV8G2yMWwYOb/u4+WPzUA"
+ "HC9DpZdrWTEH/W69Cr/KxRqGsWPwpgMv2Wqav8jaT35JxqTXjOlhQqzo6fNn3eYOeCf4PkCxZKwckWjy10qDaRbjhwAMHAGj2TPr"
+ "idlvOj/7QyyX5m8up/1US8z1fRW4yoCSOt6V2bwuH6cAvAAMAAAAAAQEAAA==");
+ // clang-format on
+
+ deserializeAndVerify(base64Serialization);
+}
+
+TEST(psm_DeserializeCert, preSSLStatusConsolidation)
+{
+ // clang-format off
+ // Generated using serialized output of test "good.include-subdomains.pinning.example.com"
+ // in security/manager/ssl/tests/unit/test_cert_chains.js
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAgAAgAAAAAAAAAAAAAAAAAAAAAB4vFIJp5w"
+ "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAONMIIDiTCCAnGg"
+ "AwIBAgIUWbWLTwLBvfwcoiU7I8lDz9snfUgwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE2MTEyNzAw"
+ "MDAwMFoYDzIwMTkwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw"
+ "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV"
+ "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o"
+ "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd"
+ "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0"
+ "gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs"
+ "ZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB"
+ "hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBE+6IPJK5OeonoQPC4CCWMd69SjhwS7X6TNgxDJzW7"
+ "qpVm4SFyYZ2xqzr2zib5LsYek6/jok5LPSpJVeFuSeiesvGMxk0O4ZEihPxSM4uR4xpCnPzz7LoFIzMELJv5i+cgLw4+6cINPkLj"
+ "oCUdb+AXSTur7THJaO75B44I2JjJfMfzgW1FwoWgXL/PQWRw+VY6OY1glqZOXzP+vfSja1SoggpiCzdPx7h1/SEEZov7zhCZXv1C"
+ "enx1njlpcj9wWEJMsyZczMNtiz5GkRrLaqCz9F8ah3NvkvPAZ0oOqtxuQgMXK/c0OXJVKi0SCJsWqZDoZhCrS/dE9guxlseZqhSI"
+ "wC8DAwAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+xZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgA"
+ "AAACZgoyJpFcT/u7IImFpjLfBb3Dl5pUIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFFm1i08Cwb38HKIlOyPJQ8/b"
+ "J31IMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNjExMjcwMDAwMDBaGA8yMDE5MDIwNTAwMDAwMFow"
+ "GjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2"
+ "ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC"
+ "a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk"
+ "zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+"
+ "SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbYIVKi5waW5u"
+ "aW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9t"
+ "YWlucy5waW5uaW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4"
+ "LzANBgkqhkiG9w0BAQsFAAOCAQEARPuiDySuTnqJ6EDwuAgljHevUo4cEu1+kzYMQyc1u6qVZuEhcmGdsas69s4m+S7GHpOv46JO"
+ "Sz0qSVXhbknonrLxjMZNDuGRIoT8UjOLkeMaQpz88+y6BSMzBCyb+YvnIC8OPunCDT5C46AlHW/gF0k7q+0xyWju+QeOCNiYyXzH"
+ "84FtRcKFoFy/z0FkcPlWOjmNYJamTl8z/r30o2tUqIIKYgs3T8e4df0hBGaL+84QmV79Qnp8dZ45aXI/cFhCTLMmXMzDbYs+RpEa"
+ "y2qgs/RfGodzb5LzwGdKDqrcbkIDFyv3NDlyVSotEgibFqmQ6GYQq0v3RPYLsZbHmaoUiGYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM"
+ "1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYD"
+ "VQQDDAdUZXN0IENBMCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0G"
+ "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr"
+ "4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk"
+ "fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo"
+ "4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF"
+ "MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK"
+ "9cZFVtzRWYEYkIlicAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK9"
+ "22MsOsnrLjNlpRDmuH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZB"
+ "bEw7P6+V9zz5cAzaaq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAAA=");
+ // clang-format on
+
+ deserializeAndVerify(base64Serialization, Nothing(), Some(2));
+}
+
+TEST(psm_DeserializeCert, preSSLStatusConsolidationFailedCertChain)
+{
+ // clang-format off
+ // Generated using serialized output of test "expired.example.com"
+ // in security/manager/ssl/tests/unit/test_cert_chains.js
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAAAAAAAAAAA///gCwAAAAAB4vFIJp5w"
+ "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAMgMIIDHDCCAgSg"
+ "AwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAw"
+ "MDAwMFoYDzIwMTQwMTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEB"
+ "BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6"
+ "pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9"
+ "0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK"
+ "lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJl"
+ "ZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcN"
+ "AQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7"
+ "IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l"
+ "297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6"
+ "laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7IAAAMAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vY"
+ "kTvlMZeudM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKAD"
+ "AgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAw"
+ "MDAwWhgPMjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEF"
+ "AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql"
+ "WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S"
+ "O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV"
+ "YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVk"
+ "LmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0B"
+ "AQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4Xsg"
+ "Aw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb"
+ "3tlpKXSdsp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qV"
+ "oHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAA"
+ "AAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENB"
+ "MCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA"
+ "A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa"
+ "p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7"
+ "xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh"
+ "He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P"
+ "BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIli"
+ "cAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDm"
+ "uH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAza"
+ "aq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAZWfsWVlF0h/q5vYkTvlMZeu"
+ "dM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKADAgECAhRj"
+ "0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgP"
+ "MjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
+ "MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc"
+ "1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf"
+ "qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl"
+ "nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1w"
+ "bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOC"
+ "AQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvk"
+ "VV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSd"
+ "sp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qVoHRS/lbq"
+ "5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcw"
+ "ggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIw"
+ "MTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw"
+ "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV"
+ "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o"
+ "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd"
+ "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEG"
+ "MA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIlicAyTiPw3"
+ "4bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDmuH0VFhb5"
+ "uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAzaaq7EB0mC"
+ "E+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBC");
+ // clang-format on
+
+ deserializeAndVerify(base64Serialization, Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacement)
+{
+ // This was the serialized output of test
+ // "good.include-subdomains.pinning.example.com" // in
+ // security/manager/ssl/tests/unit/test_cert_chains.js The serialized output
+ // was generated before we replace nsIX509CertList with Array<nsIX509Cert>, so
+ // it had the old version of transportSecurityInfo.
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgA"
+ "AAAAAAAAAAAAAAAAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+ "AAAAONMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQELB"
+ "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAwMjA1MDAw"
+ "MDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4I"
+ "BDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZ"
+ "wGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tF"
+ "YIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n"
+ "FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN"
+ "7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe"
+ "2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tg"
+ "hUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu"
+ "ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20"
+ "wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA"
+ "0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaobK2YRb4OGMxySIKuQ80N0X"
+ "lO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0swx/+oUxCfLb0VIl/kdUqLkbGY"
+ "rAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGM"
+ "yG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41"
+ "sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16I"
+ "jWEukvJuU1WwC8AAwAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+x"
+ "ZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgAAAACZgoyJpFcT/u7IImFpjLfBb3Dl5p"
+ "UIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFA1KP/RtK8+3yYlk8NIWOkyMj0"
+ "UiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNzExMjcwMDAwM"
+ "DBaGA8yMDIwMDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjAN"
+ "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz"
+ "1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4IC"
+ "mTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXk"
+ "D3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK"
+ "9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP"
+ "+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdI"
+ "INKi5leGFtcGxlLmNvbYIVKi5waW5uaW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZ"
+ "G9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5u"
+ "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x"
+ "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEApILjYTMlQmIcmF3xNtsDb5WqGy"
+ "tmEW+DhjMckiCrkPNDdF5TvsaSyU7PWMxVWNfiUxzXs9UH8D/SiXmc5081cy4eLL9LMMf/q"
+ "FMQny29FSJf5HVKi5GxmKwJrY3jimS2qlbUR9AZ5mz6MC2pNaYup0GDlPmi/UDrr0/49616"
+ "IpnHaOl90ytUjdv+uHxjMhv6cGrPiV3oW0XlH+J9XsJPOAA7W/nsPLUQCn/7scylI+bf1IK"
+ "g7J01qucFHOSCSsKB0+NbEJzaj4NdsePlhlogLFgqUf4SmBxRq+62+CUxhDwCaVnL/VrWWA"
+ "L8E+/GtsaR6eVzYJY9eiI1hLpLyblNVmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtul"
+ "uqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG"
+ "9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDA"
+ "yMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDw"
+ "AwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm"
+ "24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP"
+ "8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFth"
+ "Vt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7Ly"
+ "JvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NA"
+ "gMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IB"
+ "AQAgyCfLAcVs/MkERxunH9pZA4ja1QWWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR"
+ "3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmL"
+ "NeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8Oal"
+ "QICt0M0wx29B6HNof3px2NxKyC6qlf01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+S"
+ "Xo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB96muQQ2M3WDiMz5ZLI3oMLu8KSPsAA==");
+
+ deserializeAndVerify(base64Serialization, Nothing(), Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacementV2)
+{
+ // Same as the above test, however, this is the v2 version of the
+ // serialization.
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgA"
+ "AAAAAAAAAAAAAAAAAAAEAMgFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+ "AAAAONMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQELB"
+ "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAwMjA1MDAw"
+ "MDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4I"
+ "BDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZ"
+ "wGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tF"
+ "YIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n"
+ "FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN"
+ "7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe"
+ "2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tg"
+ "hUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu"
+ "ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20"
+ "wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA"
+ "0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaobK2YRb4OGMxySIKuQ80N0X"
+ "lO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0swx/+oUxCfLb0VIl/kdUqLkbGY"
+ "rAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGM"
+ "yG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41"
+ "sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16I"
+ "jWEukvJuU1WEwEABAAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+x"
+ "ZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgAAAACZgoyJpFcT/u7IImFpjLfBb3Dl5p"
+ "UIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFA1KP/RtK8+3yYlk8NIWOkyMj0"
+ "UiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNzExMjcwMDAwM"
+ "DBaGA8yMDIwMDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjAN"
+ "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz"
+ "1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4IC"
+ "mTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXk"
+ "D3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK"
+ "9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP"
+ "+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdI"
+ "INKi5leGFtcGxlLmNvbYIVKi5waW5uaW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZ"
+ "G9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5u"
+ "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x"
+ "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEApILjYTMlQmIcmF3xNtsDb5WqGy"
+ "tmEW+DhjMckiCrkPNDdF5TvsaSyU7PWMxVWNfiUxzXs9UH8D/SiXmc5081cy4eLL9LMMf/q"
+ "FMQny29FSJf5HVKi5GxmKwJrY3jimS2qlbUR9AZ5mz6MC2pNaYup0GDlPmi/UDrr0/49616"
+ "IpnHaOl90ytUjdv+uHxjMhv6cGrPiV3oW0XlH+J9XsJPOAA7W/nsPLUQCn/7scylI+bf1IK"
+ "g7J01qucFHOSCSsKB0+NbEJzaj4NdsePlhlogLFgqUf4SmBxRq+62+CUxhDwCaVnL/VrWWA"
+ "L8E+/GtsaR6eVzYJY9eiI1hLpLyblNVmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtul"
+ "uqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG"
+ "9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDA"
+ "yMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDw"
+ "AwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm"
+ "24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP"
+ "8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFth"
+ "Vt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7Ly"
+ "JvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NA"
+ "gMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IB"
+ "AQAgyCfLAcVs/MkERxunH9pZA4ja1QWWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR"
+ "3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmL"
+ "NeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8Oal"
+ "QICt0M0wx29B6HNof3px2NxKyC6qlf01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+S"
+ "Xo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB96muQQ2M3WDiMz5ZLI3oMLu8KSPsAAA=");
+
+ deserializeAndVerify(base64Serialization, Nothing(), Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacementWithFailedChain)
+{
+ // This was the serialized output of test "expired.example.com"
+ // in security/manager/ssl/tests/unit/test_cert_chains.js
+ // The serialized output was generated before we replace nsIX509CertList with
+ // Array<nsIX509Cert>, so it had the old version of transportSecurityInfo.
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAA"
+ "AAAAAAAAA///gCwAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+ "AAAAMgMIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELB"
+ "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQwMTAxMDAw"
+ "MDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvc"
+ "NAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wc"
+ "clqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk2"
+ "7lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI"
+ "H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wn"
+ "vuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxD"
+ "HVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyB"
+ "ggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ"
+ "KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WV"
+ "sxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQ"
+ "DWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l297Za"
+ "Sl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYn"
+ "q8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFw"
+ "WwtnoK7IAAAAAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vYkTvlMZeudM2lzS9HP5"
+ "b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwg"
+ "gMcMIICBKADAgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAw"
+ "DgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAxMDEwMDAwMDBaMCI"
+ "xIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAA"
+ "OCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngfv"
+ "bGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO"
+ "7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEP"
+ "vJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naO"
+ "Gzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYC"
+ "jXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUF"
+ "BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0"
+ "BAQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF"
+ "0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrK"
+ "f/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSdsp99"
+ "vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag"
+ "7gO5iubzT+npsw7qVoHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsm"
+ "YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECA"
+ "hQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0"
+ "IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1R"
+ "lc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBj"
+ "YQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJ"
+ "JwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw"
+ "JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7f"
+ "ilhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL"
+ "8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wC"
+ "wYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1QWW"
+ "jsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv6"
+ "3dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ4"
+ "69RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf01"
+ "wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB"
+ "96muQQ2M3WDiMz5ZLI3oMLu8KSPs");
+
+ deserializeAndVerify(base64Serialization, Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacementWithFailedChainV2)
+{
+ // Same as the above test, however, this is the v2 version of the
+ // serialization.
+ nsCString base64Serialization(
+ "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAA"
+ "AAAAAAAAA///gCwAAAAEAMgFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+ "AAAAMgMIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELB"
+ "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQwMTAxMDAw"
+ "MDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvc"
+ "NAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wc"
+ "clqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk2"
+ "7lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI"
+ "H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wn"
+ "vuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxD"
+ "HVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyB"
+ "ggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ"
+ "KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WV"
+ "sxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQ"
+ "DWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l297Za"
+ "Sl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYn"
+ "q8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFw"
+ "WwtnoK7IAAAAAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vYkTvlMZeudM2lzS9HP5"
+ "b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwg"
+ "gMcMIICBKADAgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAw"
+ "DgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAxMDEwMDAwMDBaMCI"
+ "xIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAA"
+ "OCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngfv"
+ "bGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO"
+ "7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEP"
+ "vJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naO"
+ "Gzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYC"
+ "jXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUF"
+ "BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0"
+ "BAQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF"
+ "0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrK"
+ "f/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSdsp99"
+ "vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag"
+ "7gO5iubzT+npsw7qVoHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsm"
+ "YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECA"
+ "hQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0"
+ "IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1R"
+ "lc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBj"
+ "YQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJ"
+ "JwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw"
+ "JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7f"
+ "ilhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL"
+ "8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wC"
+ "wYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1QWW"
+ "jsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv6"
+ "3dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ4"
+ "69RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf01"
+ "wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB"
+ "96muQQ2M3WDiMz5ZLI3oMLu8KSPsAA==");
+
+ deserializeAndVerify(base64Serialization, Some(2));
+}
diff --git a/security/manager/ssl/tests/gtest/HMACTest.cpp b/security/manager/ssl/tests/gtest/HMACTest.cpp
new file mode 100644
index 0000000000..434a52d3f0
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/HMACTest.cpp
@@ -0,0 +1,62 @@
+#include <string>
+#include "gtest/gtest.h"
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/gtest/MozAssertions.h"
+#include "mozilla/Span.h"
+#include "nss.h"
+#include "secoidt.h"
+
+// From RFC 2202
+const unsigned char kTestKey[] = "Jefe";
+const unsigned char kTestInput[] = "what do ya want for nothing?";
+
+struct HMACTestCase {
+ SECOidTag hashAlg;
+ std::string expectedOutput;
+};
+
+#define EXPECTED_RESULT(val) std::string(val, sizeof(val) - 1)
+
+static const HMACTestCase HMACTestCases[] = {
+ {
+ SEC_OID_MD5,
+ EXPECTED_RESULT(
+ "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7\x38"),
+ },
+ {
+ SEC_OID_SHA256,
+ EXPECTED_RESULT(
+ "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7"
+ "\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43"),
+ },
+};
+
+#undef EXPECTED_RESULT
+
+class psm_HMAC : public ::testing::Test,
+ public ::testing::WithParamInterface<HMACTestCase> {
+ public:
+ void SetUp() override { NSS_NoDB_Init(nullptr); }
+};
+
+TEST_P(psm_HMAC, Test) {
+ mozilla::HMAC hmac;
+ const HMACTestCase& testCase(GetParam());
+ nsresult rv = hmac.Begin(testCase.hashAlg,
+ mozilla::Span(kTestKey, sizeof(kTestKey) - 1));
+ ASSERT_NS_SUCCEEDED(rv);
+ rv = hmac.Update(reinterpret_cast<const unsigned char*>(kTestInput),
+ sizeof(kTestInput) - 1);
+ ASSERT_NS_SUCCEEDED(rv);
+ nsTArray<uint8_t> output;
+ rv = hmac.End(output);
+ ASSERT_NS_SUCCEEDED(rv);
+ EXPECT_EQ(output.Length(), testCase.expectedOutput.length());
+ for (size_t i = 0; i < output.Length(); i++) {
+ EXPECT_EQ(char(output[i]), testCase.expectedOutput[i]);
+ }
+}
+
+INSTANTIATE_TEST_SUITE_P(psm_HMAC, psm_HMAC,
+ ::testing::ValuesIn(HMACTestCases));
diff --git a/security/manager/ssl/tests/gtest/MD4Test.cpp b/security/manager/ssl/tests/gtest/MD4Test.cpp
new file mode 100644
index 0000000000..0dfc938358
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/MD4Test.cpp
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This file tests the md4.c implementation.
+
+#include "gtest/gtest.h"
+#include "md4.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Casting.h"
+
+struct RFC1320TestParams {
+ const char* data;
+ const uint8_t expectedHash[16];
+};
+
+static const RFC1320TestParams RFC1320_TEST_PARAMS[] = {
+ {"",
+ {0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31, 0xb7, 0x3c, 0x59, 0xd7,
+ 0xe0, 0xc0, 0x89, 0xc0}},
+ {"a",
+ {0xbd, 0xe5, 0x2c, 0xb3, 0x1d, 0xe3, 0x3e, 0x46, 0x24, 0x5e, 0x05, 0xfb,
+ 0xdb, 0xd6, 0xfb, 0x24}},
+ {"abc",
+ {0xa4, 0x48, 0x01, 0x7a, 0xaf, 0x21, 0xd8, 0x52, 0x5f, 0xc1, 0x0a, 0xe8,
+ 0x7a, 0xa6, 0x72, 0x9d}},
+ {"message digest",
+ {0xd9, 0x13, 0x0a, 0x81, 0x64, 0x54, 0x9f, 0xe8, 0x18, 0x87, 0x48, 0x06,
+ 0xe1, 0xc7, 0x01, 0x4b}},
+ {
+ "abcdefghijklmnopqrstuvwxyz",
+ {0xd7, 0x9e, 0x1c, 0x30, 0x8a, 0xa5, 0xbb, 0xcd, 0xee, 0xa8, 0xed, 0x63,
+ 0xdf, 0x41, 0x2d, 0xa9},
+ },
+ {
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+ {0x04, 0x3f, 0x85, 0x82, 0xf2, 0x41, 0xdb, 0x35, 0x1c, 0xe6, 0x27, 0xe1,
+ 0x53, 0xe7, 0xf0, 0xe4},
+ },
+ {
+ "1234567890123456789012345678901234567890123456789012345678901234567890"
+ "1234567890",
+ {0xe3, 0x3b, 0x4d, 0xdc, 0x9c, 0x38, 0xf2, 0x19, 0x9c, 0x3e, 0x7b, 0x16,
+ 0x4f, 0xcc, 0x05, 0x36},
+ }};
+
+class psm_MD4 : public ::testing::Test,
+ public ::testing::WithParamInterface<RFC1320TestParams> {};
+
+TEST_P(psm_MD4, RFC1320TestValues) {
+ const RFC1320TestParams& params(GetParam());
+ uint8_t actualHash[16];
+ md4sum(mozilla::BitwiseCast<const uint8_t*, const char*>(params.data),
+ strlen(params.data), actualHash);
+ EXPECT_TRUE(mozilla::ArrayEqual(actualHash, params.expectedHash))
+ << "MD4 hashes aren't equal for input: '" << params.data << "'";
+}
+
+INSTANTIATE_TEST_SUITE_P(psm_MD4, psm_MD4,
+ testing::ValuesIn(RFC1320_TEST_PARAMS));
diff --git a/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
new file mode 100644
index 0000000000..23d0cefc2b
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
@@ -0,0 +1,357 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "CertVerifier.h"
+#include "OCSPCache.h"
+#include "gtest/gtest.h"
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/Sprintf.h"
+#include "nss.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/test/pkixtestutil.h"
+#include "prerr.h"
+#include "secerr.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+using mozilla::OriginAttributes;
+
+template <size_t N>
+inline Input LiteralInput(const char (&valueString)[N]) {
+ // Ideally we would use mozilla::BitwiseCast() here rather than
+ // reinterpret_cast for better type checking, but the |N - 1| part trips
+ // static asserts.
+ return Input(reinterpret_cast<const uint8_t(&)[N - 1]>(valueString));
+}
+
+const int MaxCacheEntries = 1024;
+
+class psm_OCSPCacheTest : public ::testing::Test {
+ protected:
+ psm_OCSPCacheTest() : now(Now()) {}
+
+ static void SetUpTestCase() { NSS_NoDB_Init(nullptr); }
+
+ const Time now;
+ mozilla::psm::OCSPCache cache;
+};
+
+static void PutAndGet(
+ mozilla::psm::OCSPCache& cache, const CertID& certID, Result result,
+ Time time, const OriginAttributes& originAttributes = OriginAttributes()) {
+ // The first time is thisUpdate. The second is validUntil.
+ // The caller is expecting the validUntil returned with Get
+ // to be equal to the passed-in time. Since these values will
+ // be different in practice, make thisUpdate less than validUntil.
+ Time thisUpdate(time);
+ ASSERT_EQ(Success, thisUpdate.SubtractSeconds(10));
+ Result rv = cache.Put(certID, originAttributes, result, thisUpdate, time);
+ ASSERT_TRUE(rv == Success);
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_TRUE(cache.Get(certID, originAttributes, resultOut, timeOut));
+ ASSERT_EQ(result, resultOut);
+ ASSERT_EQ(time, timeOut);
+}
+
+Input fakeIssuer1(LiteralInput("CN=issuer1"));
+Input fakeKey000(LiteralInput("key000"));
+Input fakeKey001(LiteralInput("key001"));
+Input fakeSerial0000(LiteralInput("0000"));
+
+TEST_F(psm_OCSPCacheTest, TestPutAndGet) {
+ Input fakeSerial000(LiteralInput("000"));
+ Input fakeSerial001(LiteralInput("001"));
+
+ SCOPED_TRACE("");
+ PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial001), Success,
+ now);
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial000),
+ OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestVariousGets) {
+ SCOPED_TRACE("");
+ for (int i = 0; i < MaxCacheEntries; i++) {
+ uint8_t serialBuf[8];
+ snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+ sizeof(serialBuf), "%04d", i);
+ Input fakeSerial;
+ ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+ Time timeIn(now);
+ ASSERT_EQ(Success, timeIn.AddSeconds(i));
+ PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
+ timeIn);
+ }
+
+ Time timeIn(now);
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+
+ // This will be at the end of the list in the cache
+ CertID cert0000(fakeIssuer1, fakeKey000, fakeSerial0000);
+ ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Success, resultOut);
+ ASSERT_EQ(timeIn, timeOut);
+ // Once we access it, it goes to the front
+ ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Success, resultOut);
+ ASSERT_EQ(timeIn, timeOut);
+
+ // This will be in the middle
+ Time timeInPlus512(now);
+ ASSERT_EQ(Success, timeInPlus512.AddSeconds(512));
+
+ static const Input fakeSerial0512(LiteralInput("0512"));
+ CertID cert0512(fakeIssuer1, fakeKey000, fakeSerial0512);
+ ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Success, resultOut);
+ ASSERT_EQ(timeInPlus512, timeOut);
+ ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Success, resultOut);
+ ASSERT_EQ(timeInPlus512, timeOut);
+
+ // We've never seen this certificate
+ static const Input fakeSerial1111(LiteralInput("1111"));
+ ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey000, fakeSerial1111),
+ OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestEviction) {
+ SCOPED_TRACE("");
+ // By putting more distinct entries in the cache than it can hold,
+ // we cause the least recently used entry to be evicted.
+ for (int i = 0; i < MaxCacheEntries + 1; i++) {
+ uint8_t serialBuf[8];
+ snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+ sizeof(serialBuf), "%04d", i);
+ Input fakeSerial;
+ ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+ Time timeIn(now);
+ ASSERT_EQ(Success, timeIn.AddSeconds(i));
+ PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
+ timeIn);
+ }
+
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial0000),
+ OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestNoEvictionForRevokedResponses) {
+ SCOPED_TRACE("");
+ CertID notEvicted(fakeIssuer1, fakeKey000, fakeSerial0000);
+ Time timeIn(now);
+ PutAndGet(cache, notEvicted, Result::ERROR_REVOKED_CERTIFICATE, timeIn);
+ // By putting more distinct entries in the cache than it can hold,
+ // we cause the least recently used entry that isn't revoked to be evicted.
+ for (int i = 1; i < MaxCacheEntries + 1; i++) {
+ uint8_t serialBuf[8];
+ snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+ sizeof(serialBuf), "%04d", i);
+ Input fakeSerial;
+ ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+ Time timeIn(now);
+ ASSERT_EQ(Success, timeIn.AddSeconds(i));
+ PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
+ timeIn);
+ }
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_TRUE(cache.Get(notEvicted, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
+ ASSERT_EQ(timeIn, timeOut);
+
+ Input fakeSerial0001(LiteralInput("0001"));
+ CertID evicted(fakeIssuer1, fakeKey000, fakeSerial0001);
+ ASSERT_FALSE(cache.Get(evicted, OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestEverythingIsRevoked) {
+ SCOPED_TRACE("");
+ Time timeIn(now);
+ // Fill up the cache with revoked responses.
+ for (int i = 0; i < MaxCacheEntries; i++) {
+ uint8_t serialBuf[8];
+ snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+ sizeof(serialBuf), "%04d", i);
+ Input fakeSerial;
+ ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+ Time timeIn(now);
+ ASSERT_EQ(Success, timeIn.AddSeconds(i));
+ PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
+ Result::ERROR_REVOKED_CERTIFICATE, timeIn);
+ }
+ static const Input fakeSerial1025(LiteralInput("1025"));
+ CertID good(fakeIssuer1, fakeKey000, fakeSerial1025);
+ // This will "succeed", allowing verification to continue. However,
+ // nothing was actually put in the cache.
+ Time timeInPlus1025(timeIn);
+ ASSERT_EQ(Success, timeInPlus1025.AddSeconds(1025));
+ Time timeInPlus1025Minus50(timeInPlus1025);
+ ASSERT_EQ(Success, timeInPlus1025Minus50.SubtractSeconds(50));
+ Result result = cache.Put(good, OriginAttributes(), Success,
+ timeInPlus1025Minus50, timeInPlus1025);
+ ASSERT_EQ(Success, result);
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_FALSE(cache.Get(good, OriginAttributes(), resultOut, timeOut));
+
+ static const Input fakeSerial1026(LiteralInput("1026"));
+ CertID revoked(fakeIssuer1, fakeKey000, fakeSerial1026);
+ // This will fail, causing verification to fail.
+ Time timeInPlus1026(timeIn);
+ ASSERT_EQ(Success, timeInPlus1026.AddSeconds(1026));
+ Time timeInPlus1026Minus50(timeInPlus1026);
+ ASSERT_EQ(Success, timeInPlus1026Minus50.SubtractSeconds(50));
+ result =
+ cache.Put(revoked, OriginAttributes(), Result::ERROR_REVOKED_CERTIFICATE,
+ timeInPlus1026Minus50, timeInPlus1026);
+ ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, result);
+}
+
+TEST_F(psm_OCSPCacheTest, VariousIssuers) {
+ SCOPED_TRACE("");
+ Time timeIn(now);
+ static const Input fakeIssuer2(LiteralInput("CN=issuer2"));
+ static const Input fakeSerial001(LiteralInput("001"));
+ CertID subject(fakeIssuer1, fakeKey000, fakeSerial001);
+ PutAndGet(cache, subject, Success, now);
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_TRUE(cache.Get(subject, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Success, resultOut);
+ ASSERT_EQ(timeIn, timeOut);
+ // Test that we don't match a different issuer DN
+ ASSERT_FALSE(cache.Get(CertID(fakeIssuer2, fakeKey000, fakeSerial001),
+ OriginAttributes(), resultOut, timeOut));
+ // Test that we don't match a different issuer key
+ ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial001),
+ OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, Times) {
+ SCOPED_TRACE("");
+ CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
+ PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT,
+ TimeFromElapsedSecondsAD(100));
+ PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
+ // This should not override the more recent entry.
+ ASSERT_EQ(
+ Success,
+ cache.Put(certID, OriginAttributes(), Result::ERROR_OCSP_UNKNOWN_CERT,
+ TimeFromElapsedSecondsAD(100), TimeFromElapsedSecondsAD(100)));
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+ // Here we see the more recent time.
+ ASSERT_EQ(Success, resultOut);
+ ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
+
+ // Result::ERROR_REVOKED_CERTIFICATE overrides everything
+ PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE,
+ TimeFromElapsedSecondsAD(50));
+}
+
+TEST_F(psm_OCSPCacheTest, NetworkFailure) {
+ SCOPED_TRACE("");
+ CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
+ PutAndGet(cache, certID, Result::ERROR_CONNECT_REFUSED,
+ TimeFromElapsedSecondsAD(100));
+ PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
+ // This should not override the already present entry.
+ ASSERT_EQ(
+ Success,
+ cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
+ TimeFromElapsedSecondsAD(300), TimeFromElapsedSecondsAD(350)));
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Success, resultOut);
+ ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
+
+ PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT,
+ TimeFromElapsedSecondsAD(400));
+ // This should not override the already present entry.
+ ASSERT_EQ(
+ Success,
+ cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
+ TimeFromElapsedSecondsAD(500), TimeFromElapsedSecondsAD(550)));
+ ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT, resultOut);
+ ASSERT_EQ(TimeFromElapsedSecondsAD(400), timeOut);
+
+ PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE,
+ TimeFromElapsedSecondsAD(600));
+ // This should not override the already present entry.
+ ASSERT_EQ(
+ Success,
+ cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
+ TimeFromElapsedSecondsAD(700), TimeFromElapsedSecondsAD(750)));
+ ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+ ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
+ ASSERT_EQ(TimeFromElapsedSecondsAD(600), timeOut);
+}
+
+TEST_F(psm_OCSPCacheTest, TestOriginAttributes) {
+ CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
+
+ // We test two attributes, firstPartyDomain and partitionKey, respectively
+ // because we don't have entries that have both attributes set because the two
+ // features that use these attributes are mutually exclusive.
+
+ // Set pref for OCSP cache network partitioning.
+ mozilla::Preferences::SetBool("privacy.partition.network_state.ocsp_cache",
+ true);
+
+ SCOPED_TRACE("");
+ OriginAttributes attrs;
+ attrs.mFirstPartyDomain.AssignLiteral("foo.com");
+ PutAndGet(cache, certID, Success, now, attrs);
+
+ Result resultOut;
+ Time timeOut(Time::uninitialized);
+ attrs.mFirstPartyDomain.AssignLiteral("bar.com");
+ ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
+
+ // OCSP cache should not be isolated by containers for firstPartyDomain.
+ attrs.mUserContextId = 1;
+ attrs.mFirstPartyDomain.AssignLiteral("foo.com");
+ ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
+
+ // Clear originAttributes.
+ attrs.mUserContextId = 0;
+ attrs.mFirstPartyDomain.Truncate();
+
+ // Add OCSP cache for the partitionKey.
+ attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+ PutAndGet(cache, certID, Success, now, attrs);
+
+ // Check cache entry for the partitionKey.
+ attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+ ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
+
+ // OCSP cache entry should not exist for the other partitionKey.
+ attrs.mPartitionKey.AssignLiteral("(https,bar.com)");
+ ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
+
+ // OCSP cache should not be isolated by containers for partitonKey.
+ attrs.mUserContextId = 1;
+ attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+ ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
+
+ // OCSP cache should not exist for the OAs which has both attributes set.
+ attrs.mUserContextId = 0;
+ attrs.mFirstPartyDomain.AssignLiteral("foo.com");
+ attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+ ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
+}
diff --git a/security/manager/ssl/tests/gtest/README.txt b/security/manager/ssl/tests/gtest/README.txt
new file mode 100644
index 0000000000..0e51322690
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/README.txt
@@ -0,0 +1,2 @@
+Please name all test cases in this directory with the prefix "psm". This makes
+it easier to run all PSM related GTests at once.
diff --git a/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp
new file mode 100644
index 0000000000..0c9d3ef60d
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp
@@ -0,0 +1,383 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSIOLayer.h"
+#include "sslproto.h"
+#include "sslerr.h"
+
+#include "gtest/gtest.h"
+
+constexpr auto HOST = "example.org"_ns;
+const int16_t PORT = 443;
+
+class psm_TLSIntoleranceTest : public ::testing::Test {
+ protected:
+ nsSSLIOLayerHelpers helpers;
+};
+
+TEST_F(psm_TLSIntoleranceTest, FullFallbackProcess) {
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, helpers.mVersionFallbackLimit);
+
+ // No adjustment made when there is no entry for the site.
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+ }
+
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min,
+ range.max, 0));
+ }
+
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min,
+ range.max, 0));
+ }
+
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
+
+ ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min,
+ range.max, 0));
+ }
+
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ // When rememberIntolerantAtVersion returns false, it also resets the
+ // intolerance information for the server.
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+ }
+}
+
+TEST_F(psm_TLSIntoleranceTest, DisableFallbackWithHighLimit) {
+ // this value disables version fallback entirely: with this value, all efforts
+ // to mark an origin as version intolerant fail
+ helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2;
+ ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+ ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+ ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_0, 0));
+}
+
+TEST_F(psm_TLSIntoleranceTest, FallbackLimitBelowMin) {
+ // check that we still respect the minimum version,
+ // when it is higher than the fallback limit
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+ }
+
+ ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+}
+
+TEST_F(psm_TLSIntoleranceTest, TolerantOverridesIntolerant1) {
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+ helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+}
+
+TEST_F(psm_TLSIntoleranceTest, TolerantOverridesIntolerant2) {
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+ helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_2);
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntolerantDoesNotOverrideTolerant) {
+ // No adjustment made when there is no entry for the site.
+ helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
+ // false because we reached the floor set by rememberTolerantAtVersion.
+ ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+}
+
+TEST_F(psm_TLSIntoleranceTest, PortIsRelevant) {
+ helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2);
+ ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+ HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+ HOST, 2, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, 1, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+ }
+
+ {
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, 2, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+ }
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonInitial) {
+ ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1));
+
+ helpers.rememberTolerantAtVersion(HOST, 2, SSL_LIBRARY_VERSION_TLS_1_2);
+ ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 2));
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonStored) {
+ helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2,
+ SSL_ERROR_BAD_SERVER);
+ ASSERT_EQ(SSL_ERROR_BAD_SERVER, helpers.getIntoleranceReason(HOST, 1));
+
+ helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_1,
+ SSL_ERROR_BAD_MAC_READ);
+ ASSERT_EQ(SSL_ERROR_BAD_MAC_READ, helpers.getIntoleranceReason(HOST, 1));
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonCleared) {
+ ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1));
+
+ helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2,
+ SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
+ ASSERT_EQ(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT,
+ helpers.getIntoleranceReason(HOST, 1));
+
+ helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2);
+ ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1));
+}
+
+TEST_F(psm_TLSIntoleranceTest, TLSForgetIntolerance) {
+ {
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2,
+ 0));
+
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+ }
+
+ {
+ helpers.forgetIntolerance(HOST, PORT);
+
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+ }
+}
+
+TEST_F(psm_TLSIntoleranceTest, TLSDontForgetTolerance) {
+ {
+ helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
+
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+ }
+
+ {
+ ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+ HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2,
+ 0));
+
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+ }
+
+ {
+ helpers.forgetIntolerance(HOST, PORT);
+
+ SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+ SSL_LIBRARY_VERSION_TLS_1_2};
+ helpers.adjustForTLSIntolerance(HOST, PORT, range);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+ ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+ }
+}
+
+TEST_F(psm_TLSIntoleranceTest, TLSPerSiteFallbackLimit) {
+ constexpr auto example_com = "example.com"_ns;
+ constexpr auto example_net = "example.net"_ns;
+ constexpr auto example_org = "example.org"_ns;
+
+ helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_0;
+
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+ helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2;
+
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+ helpers.setInsecureFallbackSites(example_com);
+
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+ helpers.setInsecureFallbackSites("example.com,example.net"_ns);
+
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+ helpers.setInsecureFallbackSites(example_net);
+
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_FALSE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+ helpers.setInsecureFallbackSites(""_ns);
+
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+ ASSERT_TRUE(
+ helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+}
diff --git a/security/manager/ssl/tests/gtest/moz.build b/security/manager/ssl/tests/gtest/moz.build
new file mode 100644
index 0000000000..400b1e02cc
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/moz.build
@@ -0,0 +1,24 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SOURCES += [
+ "CoseTest.cpp",
+ "DeserializeCertTest.cpp",
+ "HMACTest.cpp",
+ "MD4Test.cpp",
+ "OCSPCacheTest.cpp",
+ "TLSIntoleranceTest.cpp",
+]
+
+LOCAL_INCLUDES += [
+ "/security/certverifier",
+ "/security/manager/ssl",
+ "/third_party/rust/cose-c/include",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+FINAL_LIBRARY = "xul-gtest"
diff --git a/security/manager/ssl/tests/mochitest/browser/browser.toml b/security/manager/ssl/tests/mochitest/browser/browser.toml
new file mode 100644
index 0000000000..433fffa4ac
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser.toml
@@ -0,0 +1,52 @@
+[DEFAULT]
+tags = "psm"
+support-files = [
+ "*.pem",
+ "head.js",
+ "hsts_headers.sjs",
+ "hsts_headers_framed.html",
+ "some_content.html",
+ "some_content_framed.html",
+ "browser_clientAuth_speculative_connection.html"
+]
+
+["browser_HSTS.js"]
+https_first_disabled = true
+
+["browser_add_exception_dialog.js"]
+
+["browser_bug627234_perwindowpb.js"]
+
+["browser_certViewer.js"]
+skip-if = ["verify"]
+
+["browser_certificateManager.js"]
+
+["browser_clientAuthRememberService.js"]
+
+["browser_clientAuth_connection.js"]
+# Any test that has to delete certificates (e.g. as part of cleanup) is
+# fundamentally incompatible with verify due to how NSS handles deleting
+# certificates.
+skip-if = [
+ "verify",
+ "socketprocess_networking",
+]
+
+["browser_clientAuth_speculative_connection.js"]
+skip-if = ["socketprocess_networking"]
+
+["browser_clientAuth_ui.js"]
+
+["browser_deleteCert_ui.js"]
+
+["browser_downloadCert_ui.js"]
+
+["browser_editCACertTrust.js"]
+# An earlier attempt at landing this test resulted in frequent intermittent
+# failures, almost entirely on Linux. See Bug 1309519.
+skip-if = ["os == 'linux'"]
+
+["browser_exportP12_passwordUI.js"]
+
+["browser_loadPKCS11Module_ui.js"]
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js b/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js
new file mode 100644
index 0000000000..f578ac7c4f
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js
@@ -0,0 +1,277 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests that HTTP Strict Transport Security (HSTS) headers are noted as appropriate.
+
+// Register a cleanup function to clear all accumulated HSTS state when this
+// test is done.
+add_task(async function register_cleanup() {
+ registerCleanupFunction(() => {
+ let sss = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ sss.clearAll();
+ });
+});
+
+// In the absense of HSTS information, no upgrade should happen.
+add_task(async function test_no_hsts_information_no_upgrade() {
+ let httpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+ gBrowser.removeCurrentTab();
+});
+
+// Visit a secure site that sends an HSTS header to set up the rest of the
+// test.
+add_task(async function see_hsts_header() {
+ let setHstsUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+ ) + "hsts_headers.sjs";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, setHstsUrl);
+ gBrowser.removeCurrentTab();
+});
+
+// Given a known HSTS host, future http navigations to that domain will be
+// upgraded.
+add_task(async function test_http_upgrade() {
+ let httpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+ gBrowser.removeCurrentTab();
+});
+
+// http navigations to unrelated hosts should not be upgraded.
+add_task(async function test_unrelated_domain_no_upgrade() {
+ let differentHttpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.org"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, differentHttpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+ gBrowser.removeCurrentTab();
+});
+
+// http navigations in private contexts shouldn't use information from
+// non-private contexts, so no upgrade should occur.
+add_task(async function test_private_window_no_upgrade() {
+ await SpecialPowers.pushPrefEnv({
+ set: [["dom.security.https_first_pbm", false]],
+ });
+ let privateWindow = OpenBrowserWindow({ private: true });
+ await BrowserTestUtils.firstBrowserLoaded(privateWindow, false);
+ let url =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(privateWindow.gBrowser, url);
+ Assert.equal(
+ privateWindow.gBrowser.selectedBrowser.currentURI.scheme,
+ "http"
+ );
+ privateWindow.gBrowser.removeCurrentTab();
+ privateWindow.close();
+});
+
+// Since the header didn't specify "includeSubdomains", visiting a subdomain
+// should not result in an upgrade.
+add_task(async function test_subdomain_no_upgrade() {
+ let subdomainHttpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://test1.example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+ gBrowser.removeCurrentTab();
+});
+
+// Now visit a secure site that sends an HSTS header that also includes subdomains.
+add_task(async function see_hsts_header_include_subdomains() {
+ let setHstsUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+ ) + "hsts_headers.sjs?includeSubdomains";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, setHstsUrl);
+ gBrowser.removeCurrentTab();
+});
+
+// Now visiting a subdomain should result in an upgrade.
+add_task(async function test_subdomain_upgrade() {
+ let subdomainHttpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://test1.example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+ gBrowser.removeCurrentTab();
+});
+
+// Visiting a subdomain with https should result in an https URL (this isn't an
+// upgrade - this test is essentially a consistency check).
+add_task(async function test_already_https() {
+ let subdomainHttpsUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://test2.example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpsUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+ gBrowser.removeCurrentTab();
+});
+
+// Test that subresources are upgraded.
+add_task(async function test_iframe_upgrade() {
+ let framedUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+ ) + "some_content_framed.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl);
+ await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () {
+ await ContentTaskUtils.waitForCondition(() => {
+ let frame = content.document.getElementById("frame");
+ if (frame) {
+ return frame.baseURI.startsWith("https://");
+ }
+ return false;
+ });
+ });
+ gBrowser.removeCurrentTab();
+});
+
+// Clear state.
+add_task(async function clear_hsts_state() {
+ let sss = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ sss.clearAll();
+});
+
+// Make sure this test is valid.
+add_task(async function test_no_hsts_information_no_upgrade_again() {
+ let httpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+ gBrowser.removeCurrentTab();
+});
+
+// Visit a site with an iframe that loads first-party content that sends an
+// HSTS header. The header should be heeded because it's first-party.
+add_task(async function see_hsts_header_in_framed_first_party_context() {
+ let framedUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+ ) + "hsts_headers_framed.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl);
+ await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () {
+ await ContentTaskUtils.waitForCondition(() => {
+ return content.document.getElementById("done");
+ });
+ });
+ gBrowser.removeCurrentTab();
+});
+
+// Check that the framed, first-party header was heeded.
+add_task(async function test_http_upgrade_after_framed_first_party_header() {
+ let httpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+ gBrowser.removeCurrentTab();
+});
+
+// Visit a site with an iframe that loads third-party content that sends an
+// HSTS header. The header should be ignored because it's third-party.
+add_task(async function see_hsts_header_in_third_party_context() {
+ let framedUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+ ) + "hsts_headers_framed.html?third-party";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl);
+ await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () {
+ await ContentTaskUtils.waitForCondition(() => {
+ return content.document.getElementById("done");
+ });
+ });
+ gBrowser.removeCurrentTab();
+});
+
+// Since the HSTS header was not received in a first-party context, no upgrade
+// should occur.
+add_task(async function test_no_upgrade_for_third_party_header() {
+ let url =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.org"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, url);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+ gBrowser.removeCurrentTab();
+});
+
+// Clear state again.
+add_task(async function clear_hsts_state_again() {
+ let sss = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ sss.clearAll();
+});
+
+// HSTS information encountered in private contexts should not be used in
+// non-private contexts.
+add_task(
+ async function test_no_upgrade_for_HSTS_information_from_private_window() {
+ await SpecialPowers.pushPrefEnv({
+ set: [["dom.security.https_first_pbm", false]],
+ });
+ let privateWindow = OpenBrowserWindow({ private: true });
+ await BrowserTestUtils.firstBrowserLoaded(privateWindow, false);
+ let setHstsUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+ ) + "hsts_headers.sjs";
+ await BrowserTestUtils.openNewForegroundTab(
+ privateWindow.gBrowser,
+ setHstsUrl
+ );
+ privateWindow.gBrowser.removeCurrentTab();
+
+ let httpUrl =
+ getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "http://example.com"
+ ) + "some_content.html";
+ await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+ Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+ gBrowser.removeCurrentTab();
+
+ privateWindow.close();
+ }
+);
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js b/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js
new file mode 100644
index 0000000000..0916ac5ce4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js
@@ -0,0 +1,69 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// This test makes sure that adding certificate exceptions behaves correctly
+// when done from the prefs window
+
+ChromeUtils.defineESModuleGetters(this, {
+ BrowserWindowTracker: "resource:///modules/BrowserWindowTracker.sys.mjs",
+});
+
+function test() {
+ const EXCEPTIONS_DLG_URL = "chrome://pippki/content/exceptionDialog.xhtml";
+ const EXCEPTIONS_DLG_FEATURES = "chrome,centerscreen";
+ const INVALID_CERT_DOMAIN = "self-signed.example.com";
+ const INVALID_CERT_LOCATION = "https://" + INVALID_CERT_DOMAIN + "/";
+ waitForExplicitFinish();
+
+ function testAddCertificate() {
+ win.removeEventListener("load", testAddCertificate);
+ Services.obs.addObserver(async function onCertUI(aSubject, aTopic, aData) {
+ Services.obs.removeObserver(onCertUI, "cert-exception-ui-ready");
+ ok(win.gCert, "The certificate information should be available now");
+
+ let dialog = win.document.getElementById("exceptiondialog");
+ let confirmButton = dialog.getButton("extra1");
+ confirmButton.click();
+ ok(
+ params.exceptionAdded,
+ "The certificate exception should have been added"
+ );
+
+ registerCleanupFunction(() => {
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride(INVALID_CERT_DOMAIN, -1, {});
+ });
+
+ BrowserTestUtils.startLoadingURIString(gBrowser, INVALID_CERT_LOCATION);
+ let loaded = await BrowserTestUtils.browserLoaded(
+ gBrowser,
+ false,
+ INVALID_CERT_LOCATION,
+ true
+ );
+ ok(loaded, "The certificate exception should allow the page to load");
+
+ finish();
+ }, "cert-exception-ui-ready");
+ }
+
+ let bWin = BrowserWindowTracker.getTopWindow();
+ let params = {
+ exceptionAdded: false,
+ location: INVALID_CERT_LOCATION,
+ prefetchCert: true,
+ };
+
+ let win = bWin.openDialog(
+ EXCEPTIONS_DLG_URL,
+ "",
+ EXCEPTIONS_DLG_FEATURES,
+ params
+ );
+ win.addEventListener("load", testAddCertificate);
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js b/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
new file mode 100644
index 0000000000..79e7ad9b12
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
@@ -0,0 +1,94 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+function whenNewWindowLoaded(aOptions, aCallback) {
+ let win = OpenBrowserWindow(aOptions);
+ win.addEventListener(
+ "load",
+ function () {
+ aCallback(win);
+ },
+ { once: true }
+ );
+}
+
+// This is a template to help porting global private browsing tests
+// to per-window private browsing tests
+function test() {
+ // initialization
+ waitForExplicitFinish();
+ let windowsToClose = [];
+ let testURI = "about:blank";
+ let uri;
+ let gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+
+ function originAttributes(aIsPrivateMode) {
+ return aIsPrivateMode ? { privateBrowsingId: 1 } : {};
+ }
+
+ function doTest(aIsPrivateMode, aWindow, aCallback) {
+ BrowserTestUtils.browserLoaded(aWindow.gBrowser.selectedBrowser).then(
+ () => {
+ uri = aWindow.Services.io.newURI("https://localhost/img.png");
+ gSSService.processHeader(
+ uri,
+ "max-age=1000",
+ originAttributes(aIsPrivateMode)
+ );
+ ok(
+ gSSService.isSecureURI(uri, originAttributes(aIsPrivateMode)),
+ "checking sts host"
+ );
+
+ aCallback();
+ }
+ );
+
+ BrowserTestUtils.startLoadingURIString(
+ aWindow.gBrowser.selectedBrowser,
+ testURI
+ );
+ }
+
+ function testOnWindow(aOptions, aCallback) {
+ whenNewWindowLoaded(aOptions, function (aWin) {
+ windowsToClose.push(aWin);
+ // execute should only be called when need, like when you are opening
+ // web pages on the test. If calling executeSoon() is not necesary, then
+ // call whenNewWindowLoaded() instead of testOnWindow() on your test.
+ executeSoon(function () {
+ aCallback(aWin);
+ });
+ });
+ }
+
+ // this function is called after calling finish() on the test.
+ registerCleanupFunction(function () {
+ windowsToClose.forEach(function (aWin) {
+ aWin.close();
+ });
+ uri = Services.io.newURI("http://localhost");
+ gSSService.resetState(uri);
+ });
+
+ // test first when on private mode
+ testOnWindow({ private: true }, function (aWin) {
+ doTest(true, aWin, function () {
+ // test when not on private mode
+ testOnWindow({}, function (aWin) {
+ doTest(false, aWin, function () {
+ // test again when on private mode
+ testOnWindow({ private: true }, function (aWin) {
+ doTest(true, aWin, function () {
+ finish();
+ });
+ });
+ });
+ });
+ });
+ });
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
new file mode 100644
index 0000000000..7f0b8888c1
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
@@ -0,0 +1,112 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Repeatedly opens the certificate viewer dialog with various certificates and
+// determines that the viewer correctly identifies either what usages those
+// certificates are valid for or what errors prevented the certificates from
+// being verified.
+
+add_task(async function testCAandTitle() {
+ let cert = await readCertificate("ca.pem", "CTu,CTu,CTu");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "ca");
+});
+
+add_task(async function testSSLEndEntity() {
+ let cert = await readCertificate("ssl-ee.pem", ",,");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "ssl-ee");
+});
+
+add_task(async function testEmailEndEntity() {
+ let cert = await readCertificate("email-ee.pem", ",,");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "email-ee");
+});
+
+add_task(async function testCodeSignEndEntity() {
+ let cert = await readCertificate("code-ee.pem", ",,");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "code-ee");
+});
+
+add_task(async function testExpired() {
+ let cert = await readCertificate("expired-ca.pem", ",,");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "expired-ca");
+});
+
+add_task(async function testUntrusted() {
+ let cert = await readCertificate("untrusted-ca.pem", "p,p,p");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "untrusted-ca");
+});
+
+add_task(async function testInvalid() {
+ // This certificate has a keyUsage extension asserting cRLSign and
+ // keyCertSign, but it doesn't have a basicConstraints extension. This
+ // shouldn't be valid for any usage. Sadly, we give a pretty bad error
+ // message in this case.
+ let cert = await readCertificate("invalid.pem", ",,");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "invalid");
+});
+
+add_task(async function testLongOID() {
+ // This certificate has a certificatePolicies extension with a policy with a
+ // very long OID. This tests that we don't crash when looking at it.
+ let cert = await readCertificate("longOID.pem", ",,");
+ let url = getURL(cert);
+ await openCertViewerAndCheckTabName(url, "Long OID");
+});
+
+/**
+ * Given a certificate, returns its PEMs (each one of the certificate chain) string in a url.
+ *
+ * @param {object} cert
+ * A certificate object
+ * @returns {string} an URL for opening the certificate viewer
+ */
+function getURL(cert) {
+ // Note that we don't get the certificate chain as in e.g browser/base/content/browser.js,
+ // because all the .pem files when opened with CS (https://github.com/april/certainly-something)
+ // shows only one certificate
+ let derb64 = encodeURIComponent(cert.getBase64DERString());
+ return `about:certificate?cert=${derb64}`;
+}
+
+/**
+ * Given an certificate URL, opens the new certificate viewer and check
+ * if a certain element exists, with its expected result.
+ *
+ * @param {string} url
+ * The URL with the certificate info
+ * @param {string} expectedTabName
+ * The expected name of the tab in the certificate viewer
+ */
+async function openCertViewerAndCheckTabName(url, expectedTabName) {
+ await BrowserTestUtils.withNewTab(
+ { gBrowser, url },
+ async function (browser) {
+ await SpecialPowers.spawn(
+ browser,
+ [expectedTabName],
+ async function (expectedTabName) {
+ let certificateSection = await ContentTaskUtils.waitForCondition(
+ () => {
+ return content.document.querySelector("certificate-section");
+ },
+ "Certificate section found"
+ );
+ let tabName =
+ certificateSection.shadowRoot.querySelector(
+ ".tab[idnumber='0']"
+ ).textContent;
+ Assert.equal(tabName, expectedTabName);
+ }
+ );
+ }
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
new file mode 100644
index 0000000000..c6619909d0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
@@ -0,0 +1,105 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+async function checkServerCertificates(win, expectedValues = []) {
+ await TestUtils.waitForCondition(() => {
+ return (
+ win.document.getElementById("serverList").itemChildren.length ==
+ expectedValues.length
+ );
+ }, `Expected to have ${expectedValues.length} but got ${win.document.getElementById("serverList").itemChildren.length}`);
+ await new Promise(win.requestAnimationFrame);
+
+ let labels = win.document
+ .getElementById("serverList")
+ .querySelectorAll("label");
+
+ // The strings we will get from the DOM are localized with Fluent.
+ // This will wait until the translation is applied.
+ if (expectedValues.length) {
+ await BrowserTestUtils.waitForCondition(
+ () => labels[1].value || !!labels[1].textContent.length,
+ "At least one label is populated"
+ );
+ }
+
+ expectedValues.forEach((item, i) => {
+ let hostPort = labels[i * 3].value;
+ let fingerprint = labels[i * 3 + 1].value || labels[i * 3 + 1].textContent;
+
+ Assert.equal(
+ hostPort,
+ item.hostPort,
+ `Expected override to be ${item.hostPort} but got ${hostPort}`
+ );
+
+ Assert.equal(
+ fingerprint,
+ item.fingerprint,
+ `Expected override to have field ${item.fingerprint}`
+ );
+ });
+}
+
+async function deleteOverride(win, expectedLength) {
+ win.document.getElementById("serverList").selectedIndex = 0;
+ await TestUtils.waitForCondition(() => {
+ return (
+ win.document.getElementById("serverList").itemChildren.length ==
+ expectedLength
+ );
+ });
+ let newWinPromise = BrowserTestUtils.domWindowOpenedAndLoaded();
+ // Since the .click() blocks we need to dispatch it to the main thread avoid that.
+ Services.tm.dispatchToMainThread(() =>
+ win.document.getElementById("websites_deleteButton").click()
+ );
+ let newWin = await newWinPromise;
+ newWin.document.getElementById("deleteCertificate").acceptDialog();
+ Assert.equal(
+ win.document.getElementById("serverList").selectedIndex,
+ 0,
+ "After deletion we expect the selectedItem to be reset."
+ );
+}
+
+add_task(async function test_cert_manager_server_tab() {
+ let win = await openCertManager();
+
+ await checkServerCertificates(win);
+
+ win.document.getElementById("certmanager").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ let cert = await readCertificate("md5-ee.pem", ",,");
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.rememberValidityOverride(
+ "example.com",
+ 443,
+ {},
+ cert,
+ false
+ );
+
+ win = await openCertManager();
+
+ await checkServerCertificates(win, [
+ {
+ hostPort: "example.com:443",
+ fingerprint: cert.sha256Fingerprint,
+ },
+ ]);
+
+ await deleteOverride(win, 1);
+
+ await checkServerCertificates(win, []);
+
+ win.document.getElementById("certmanager").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ certOverrideService.clearAllOverrides();
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js
new file mode 100644
index 0000000000..87b476e012
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js
@@ -0,0 +1,290 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+/**
+ * Test certificate (i.e. build/pgo/certs/mochitest.client).
+ *
+ * @type {nsIX509Cert}
+ */
+var cert;
+var cert2;
+var cert3;
+
+var sdr = Cc["@mozilla.org/security/sdr;1"].getService(Ci.nsISecretDecoderRing);
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+var deleted = false;
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+ "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+function findCertByCommonName(commonName) {
+ for (let cert of certDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+async function testHelper(connectURL, expectedURL) {
+ let win = await BrowserTestUtils.openNewBrowserWindow();
+
+ await SpecialPowers.pushPrefEnv({
+ set: [["security.default_personal_cert", "Ask Every Time"]],
+ });
+
+ BrowserTestUtils.startLoadingURIString(
+ win.gBrowser.selectedBrowser,
+ connectURL
+ );
+
+ await BrowserTestUtils.browserLoaded(
+ win.gBrowser.selectedBrowser,
+ false,
+ expectedURL,
+ true
+ );
+ let loadedURL = win.gBrowser.selectedBrowser.documentURI.spec;
+ Assert.ok(
+ loadedURL.startsWith(expectedURL),
+ `Expected and actual URLs should match (got '${loadedURL}', expected '${expectedURL}')`
+ );
+
+ await win.close();
+
+ // This clears the TLS session cache so we don't use a previously-established
+ // ticket to connect and bypass selecting a client auth certificate in
+ // subsequent tests.
+ sdr.logout();
+}
+
+async function openRequireClientCert() {
+ gClientAuthDialogService.chooseCertificateCalled = false;
+ await testHelper(
+ "https://requireclientcert.example.com:443",
+ "https://requireclientcert.example.com/"
+ );
+}
+
+async function openRequireClientCert2() {
+ gClientAuthDialogService.chooseCertificateCalled = false;
+ await testHelper(
+ "https://requireclientcert-2.example.com:443",
+ "https://requireclientcert-2.example.com/"
+ );
+}
+
+// Mock implementation of nsIClientAuthRememberService
+const gClientAuthRememberService = {
+ forgetRememberedDecision(key) {
+ deleted = true;
+ Assert.equal(
+ key,
+ "exampleKey2",
+ "Expected to get the same key that was passed in getDecisions()"
+ );
+ },
+
+ getDecisions() {
+ return [
+ {
+ asciiHost: "example.com",
+ dbKey: cert.dbKey,
+ entryKey: "exampleKey1",
+ },
+ {
+ asciiHost: "example.org",
+ dbKey: cert2.dbKey,
+ entryKey: "exampleKey2",
+ },
+ {
+ asciiHost: "example.test",
+ dbKey: cert3.dbKey,
+ entryKey: "exampleKey3",
+ },
+ {
+ asciiHost: "unavailable.example.com",
+ // This dbKey should not correspond to any real certificate. The first
+ // 8 bytes have to be 0, followed by the lengths of the serial number
+ // and issuer distinguished name, respectively, and then followed by
+ // the bytes of the serial number and finally the encoded issuer
+ // distinguished name. In this case, the serial number is a single 0
+ // byte and the issuer distinguished name is a DER SEQUENCE of length 0
+ // (the bytes 0x30 and 0).
+ // See also the documentation in nsNSSCertificateDB::FindCertByDBKey.
+ dbKey: "AAAAAAAAAAAAAAABAAAAAgAeAA==",
+ entryKey: "exampleKey4",
+ },
+ ];
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIClientAuthRememberService"]),
+};
+
+const gClientAuthDialogService = {
+ _chooseCertificateCalled: false,
+
+ get chooseCertificateCalled() {
+ return this._chooseCertificateCalled;
+ },
+
+ set chooseCertificateCalled(value) {
+ this._chooseCertificateCalled = value;
+ },
+
+ chooseCertificate(hostname, certArray, loadContext, callback) {
+ this.chooseCertificateCalled = true;
+ callback.certificateChosen(certArray[0], true);
+ },
+
+ QueryInterface: ChromeUtils.generateQI([Ci.nsIClientAuthDialogService]),
+};
+
+add_task(async function testRememberedDecisionsUI() {
+ cert = findCertByCommonName("Mochitest client");
+ cert2 = await readCertificate("pgo-ca-all-usages.pem", ",,");
+ cert3 = await readCertificate("client-cert-via-intermediate.pem", ",,");
+ isnot(cert, null, "Should be able to find the test client cert");
+ isnot(cert2, null, "Should be able to find pgo-ca-all-usages.pem");
+ isnot(cert3, null, "Should be able to find client-cert-via-intermediate.pem");
+
+ let clientAuthRememberServiceCID = MockRegistrar.register(
+ "@mozilla.org/security/clientAuthRememberService;1",
+ gClientAuthRememberService
+ );
+
+ let win = await openCertManager();
+
+ let listItems = win.document
+ .getElementById("rememberedList")
+ .querySelectorAll("richlistitem");
+
+ Assert.equal(
+ listItems.length,
+ 4,
+ "rememberedList has expected number of items"
+ );
+
+ let labels = win.document
+ .getElementById("rememberedList")
+ .querySelectorAll("label");
+
+ Assert.equal(
+ labels.length,
+ 12,
+ "rememberedList has expected number of labels"
+ );
+
+ await BrowserTestUtils.waitForCondition(
+ () => !!labels[10].textContent.length,
+ "Localized label is populated"
+ );
+
+ let expectedHosts = [
+ "example.com",
+ "example.org",
+ "example.test",
+ "unavailable.example.com",
+ ];
+ let hosts = [
+ labels[0].value,
+ labels[3].value,
+ labels[6].value,
+ labels[9].value,
+ ];
+ let expectedNames = [
+ cert.commonName,
+ cert2.commonName,
+ cert3.commonName,
+ "(Unavailable)",
+ ];
+ let names = [
+ labels[1].value,
+ labels[4].value,
+ labels[7].value,
+ labels[10].textContent,
+ ];
+ let expectedSerialNumbers = [
+ cert.serialNumber,
+ cert2.serialNumber,
+ cert3.serialNumber,
+ "(Unavailable)",
+ ];
+ let serialNumbers = [
+ labels[2].value,
+ labels[5].value,
+ labels[8].value,
+ labels[11].textContent,
+ ];
+
+ for (let i = 0; i < listItems.length; i++) {
+ Assert.equal(hosts[i], expectedHosts[i], "got expected asciiHost");
+ Assert.equal(names[i], expectedNames[i], "got expected commonName");
+ Assert.equal(
+ serialNumbers[i],
+ expectedSerialNumbers[i],
+ "got expected serialNumber"
+ );
+ }
+
+ win.document.getElementById("rememberedList").selectedIndex = 1;
+ win.document.getElementById("remembered_deleteButton").click();
+
+ Assert.ok(deleted, "Expected forgetRememberedDecision() to get called");
+
+ win.document.getElementById("certmanager").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ MockRegistrar.unregister(clientAuthRememberServiceCID);
+});
+
+add_task(async function testDeletingRememberedDecisions() {
+ let clientAuthDialogServiceCID = MockRegistrar.register(
+ "@mozilla.org/security/ClientAuthDialogService;1",
+ gClientAuthDialogService
+ );
+ let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService(
+ Ci.nsIClientAuthRememberService
+ );
+
+ await openRequireClientCert();
+ Assert.ok(
+ gClientAuthDialogService.chooseCertificateCalled,
+ "chooseCertificate should have been called if visiting 'requireclientcert.example.com' for the first time"
+ );
+
+ await openRequireClientCert();
+ Assert.ok(
+ !gClientAuthDialogService.chooseCertificateCalled,
+ "chooseCertificate should not have been called if visiting 'requireclientcert.example.com' for the second time"
+ );
+
+ await openRequireClientCert2();
+ Assert.ok(
+ gClientAuthDialogService.chooseCertificateCalled,
+ "chooseCertificate should have been called if visiting 'requireclientcert-2.example.com' for the first time"
+ );
+
+ let originAttributes = { privateBrowsingId: 0 };
+ cars.deleteDecisionsByHost("requireclientcert.example.com", originAttributes);
+
+ await openRequireClientCert();
+ Assert.ok(
+ gClientAuthDialogService.chooseCertificateCalled,
+ "chooseCertificate should have been called after removing all remembered decisions for 'requireclientcert.example.com'"
+ );
+
+ await openRequireClientCert2();
+ Assert.ok(
+ !gClientAuthDialogService.chooseCertificateCalled,
+ "chooseCertificate should not have been called if visiting 'requireclientcert-2.example.com' for the second time"
+ );
+
+ MockRegistrar.unregister(clientAuthDialogServiceCID);
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js
new file mode 100644
index 0000000000..2eed2b620a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js
@@ -0,0 +1,385 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various scenarios connecting to a server that requires client cert
+// authentication. Also tests that nsIClientAuthDialogService.chooseCertificate
+// is called at the appropriate times and with the correct arguments.
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+ "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+const DialogState = {
+ // Assert that chooseCertificate() is never called.
+ ASSERT_NOT_CALLED: "ASSERT_NOT_CALLED",
+ // Return that the user selected the first given cert.
+ RETURN_CERT_SELECTED: "RETURN_CERT_SELECTED",
+ // Return that the user canceled.
+ RETURN_CERT_NOT_SELECTED: "RETURN_CERT_NOT_SELECTED",
+};
+
+var sdr = Cc["@mozilla.org/security/sdr;1"].getService(Ci.nsISecretDecoderRing);
+let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService(
+ Ci.nsIClientAuthRememberService
+);
+
+var gExpectedClientCertificateChoices;
+
+// Mock implementation of nsIClientAuthDialogService.
+const gClientAuthDialogService = {
+ _state: DialogState.ASSERT_NOT_CALLED,
+ _rememberClientAuthCertificate: false,
+ _chooseCertificateCalled: false,
+
+ set state(newState) {
+ info(`old state: ${this._state}`);
+ this._state = newState;
+ info(`new state: ${this._state}`);
+ },
+
+ get state() {
+ return this._state;
+ },
+
+ set rememberClientAuthCertificate(value) {
+ this._rememberClientAuthCertificate = value;
+ },
+
+ get rememberClientAuthCertificate() {
+ return this._rememberClientAuthCertificate;
+ },
+
+ get chooseCertificateCalled() {
+ return this._chooseCertificateCalled;
+ },
+
+ set chooseCertificateCalled(value) {
+ this._chooseCertificateCalled = value;
+ },
+
+ chooseCertificate(hostname, certArray, loadContext, callback) {
+ this.chooseCertificateCalled = true;
+ Assert.notEqual(
+ this.state,
+ DialogState.ASSERT_NOT_CALLED,
+ "chooseCertificate() should be called only when expected"
+ );
+ Assert.equal(
+ hostname,
+ "requireclientcert.example.com",
+ "Hostname should be 'requireclientcert.example.com'"
+ );
+
+ // For mochitests, the cert at build/pgo/certs/mochitest.client should be
+ // selectable as well as one of the PGO certs we loaded in `setup`, so we do
+ // some brief checks to confirm this.
+ Assert.notEqual(certArray, null, "Cert list should not be null");
+ Assert.equal(
+ certArray.length,
+ gExpectedClientCertificateChoices,
+ `${gExpectedClientCertificateChoices} certificates should be available`
+ );
+
+ for (let cert of certArray) {
+ Assert.notEqual(cert, null, "Cert list should contain nsIX509Certs");
+ Assert.equal(
+ cert.issuerCommonName,
+ "Temporary Certificate Authority",
+ "cert should have expected issuer CN"
+ );
+ }
+
+ if (this.state == DialogState.RETURN_CERT_SELECTED) {
+ callback.certificateChosen(
+ certArray[0],
+ this.rememberClientAuthCertificate
+ );
+ } else {
+ callback.certificateChosen(null, this.rememberClientAuthCertificate);
+ }
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogService"]),
+};
+
+add_setup(async function () {
+ let clientAuthDialogServiceCID = MockRegistrar.register(
+ "@mozilla.org/security/ClientAuthDialogService;1",
+ gClientAuthDialogService
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(clientAuthDialogServiceCID);
+ });
+
+ // This CA has the expected keyCertSign and cRLSign usages. It should not be
+ // presented for use as a client certificate.
+ await readCertificate("pgo-ca-regular-usages.pem", "CTu,CTu,CTu");
+ // This CA has all keyUsages. For compatibility with preexisting behavior, it
+ // will be presented for use as a client certificate.
+ await readCertificate("pgo-ca-all-usages.pem", "CTu,CTu,CTu");
+ // This client certificate was issued by an intermediate that was issued by
+ // the test CA. The server only lists the test CA's subject distinguished name
+ // as an acceptible issuer name for client certificates. If the implementation
+ // can determine that the test CA is a root CA for the client certificate and
+ // thus is acceptible to use, it should be included in the chooseCertificate
+ // callback. At the beginning of this test (speaking of this file as a whole),
+ // the client is not aware of the intermediate, and so it is not available in
+ // the callback.
+ await readCertificate("client-cert-via-intermediate.pem", ",,");
+ // This certificate has an id-kp-OCSPSigning EKU. Client certificates
+ // shouldn't have this EKU, but there is at least one private PKI where they
+ // do. For interoperability, such certificates will be presented for use.
+ await readCertificate("client-cert-with-ocsp-signing.pem", ",,");
+ gExpectedClientCertificateChoices = 3;
+});
+
+/**
+ * Test helper for the tests below.
+ *
+ * @param {string} prefValue
+ * Value to set the "security.default_personal_cert" pref to.
+ * @param {string} urlToNavigate
+ * The URL to navigate to.
+ * @param {string} expectedURL
+ * If the connection is expected to load successfully, the URL that
+ * should load. If the connection is expected to fail and result in an
+ * error page, |undefined|.
+ * @param {boolean} expectCallingChooseCertificate
+ * Determines whether we expect chooseCertificate to be called.
+ * @param {object} options
+ * Optional options object to pass on to the window that gets opened.
+ * @param {string} expectStringInPage
+ * Optional string that is expected to be in the content of the page
+ * once it loads.
+ */
+async function testHelper(
+ prefValue,
+ urlToNavigate,
+ expectedURL,
+ expectCallingChooseCertificate,
+ options = undefined,
+ expectStringInPage = undefined
+) {
+ gClientAuthDialogService.chooseCertificateCalled = false;
+ await SpecialPowers.pushPrefEnv({
+ set: [["security.default_personal_cert", prefValue]],
+ });
+
+ let win = await BrowserTestUtils.openNewBrowserWindow(options);
+
+ BrowserTestUtils.startLoadingURIString(
+ win.gBrowser.selectedBrowser,
+ urlToNavigate
+ );
+ if (expectedURL) {
+ await BrowserTestUtils.browserLoaded(
+ win.gBrowser.selectedBrowser,
+ false,
+ "https://requireclientcert.example.com/",
+ true
+ );
+ let loadedURL = win.gBrowser.selectedBrowser.documentURI.spec;
+ Assert.ok(
+ loadedURL.startsWith(expectedURL),
+ `Expected and actual URLs should match (got '${loadedURL}', expected '${expectedURL}')`
+ );
+ } else {
+ await new Promise(resolve => {
+ let removeEventListener = BrowserTestUtils.addContentEventListener(
+ win.gBrowser.selectedBrowser,
+ "AboutNetErrorLoad",
+ () => {
+ removeEventListener();
+ resolve();
+ },
+ { capture: false, wantUntrusted: true }
+ );
+ });
+ }
+
+ Assert.equal(
+ gClientAuthDialogService.chooseCertificateCalled,
+ expectCallingChooseCertificate,
+ "chooseCertificate should have been called if we were expecting it to be called"
+ );
+
+ if (expectStringInPage) {
+ let pageContent = await SpecialPowers.spawn(
+ win.gBrowser.selectedBrowser,
+ [],
+ async function () {
+ return content.document.body.textContent;
+ }
+ );
+ Assert.ok(
+ pageContent.includes(expectStringInPage),
+ `page should contain the string '${expectStringInPage}' (was '${pageContent}')`
+ );
+ }
+
+ await win.close();
+
+ // This clears the TLS session cache so we don't use a previously-established
+ // ticket to connect and bypass selecting a client auth certificate in
+ // subsequent tests.
+ sdr.logout();
+}
+
+// Test that if a certificate is chosen automatically the connection succeeds,
+// and that nsIClientAuthDialogService.chooseCertificate() is never called.
+add_task(async function testCertChosenAutomatically() {
+ gClientAuthDialogService.state = DialogState.ASSERT_NOT_CALLED;
+ await testHelper(
+ "Select Automatically",
+ "https://requireclientcert.example.com/",
+ "https://requireclientcert.example.com/",
+ false
+ );
+ // This clears all saved client auth certificate state so we don't influence
+ // subsequent tests.
+ cars.clearRememberedDecisions();
+});
+
+// Test that if the user doesn't choose a certificate, the connection fails and
+// an error page is displayed.
+add_task(async function testCertNotChosenByUser() {
+ gClientAuthDialogService.state = DialogState.RETURN_CERT_NOT_SELECTED;
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ undefined,
+ true,
+ undefined,
+ // bug 1818556: ssltunnel doesn't behave as expected here on Windows
+ AppConstants.platform != "win"
+ ? "SSL_ERROR_RX_CERTIFICATE_REQUIRED_ALERT"
+ : undefined
+ );
+ cars.clearRememberedDecisions();
+});
+
+// Test that if the user chooses a certificate the connection suceeeds.
+add_task(async function testCertChosenByUser() {
+ gClientAuthDialogService.state = DialogState.RETURN_CERT_SELECTED;
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ "https://requireclientcert.example.com/",
+ true
+ );
+ cars.clearRememberedDecisions();
+});
+
+// Test that the cancel decision is remembered correctly
+add_task(async function testEmptyCertChosenByUser() {
+ gClientAuthDialogService.state = DialogState.RETURN_CERT_NOT_SELECTED;
+ gClientAuthDialogService.rememberClientAuthCertificate = true;
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ undefined,
+ true
+ );
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ undefined,
+ false
+ );
+ cars.clearRememberedDecisions();
+});
+
+// Test that if the user chooses a certificate in a private browsing window,
+// configures Firefox to remember this certificate for the duration of the
+// session, closes that window (and thus all private windows), reopens a private
+// window, and visits that site again, they are re-asked for a certificate (i.e.
+// any state from the previous private session should be gone). Similarly, after
+// closing that private window, if the user opens a non-private window, they
+// again should be asked to choose a certificate (i.e. private state should not
+// be remembered/used in non-private contexts).
+add_task(async function testClearPrivateBrowsingState() {
+ gClientAuthDialogService.rememberClientAuthCertificate = true;
+ gClientAuthDialogService.state = DialogState.RETURN_CERT_SELECTED;
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ "https://requireclientcert.example.com/",
+ true,
+ {
+ private: true,
+ }
+ );
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ "https://requireclientcert.example.com/",
+ true,
+ {
+ private: true,
+ }
+ );
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ "https://requireclientcert.example.com/",
+ true
+ );
+ // NB: we don't `cars.clearRememberedDecisions()` in between the two calls to
+ // `testHelper` because that would clear all client auth certificate state and
+ // obscure what we're testing (that Firefox properly clears the relevant state
+ // when the last private window closes).
+ cars.clearRememberedDecisions();
+});
+
+// Test that 3rd party certificates are taken into account when filtering client
+// certificates based on the acceptible CA list sent by the server.
+add_task(async function testCertFilteringWithIntermediate() {
+ let intermediateBytes = await IOUtils.readUTF8(
+ getTestFilePath("intermediate.pem")
+ ).then(
+ pem => {
+ let base64 = pemToBase64(pem);
+ let bin = atob(base64);
+ let bytes = [];
+ for (let i = 0; i < bin.length; i++) {
+ bytes.push(bin.charCodeAt(i));
+ }
+ return bytes;
+ },
+ error => {
+ throw error;
+ }
+ );
+ let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+ nssComponent.addEnterpriseIntermediate(intermediateBytes);
+ gExpectedClientCertificateChoices = 4;
+ gClientAuthDialogService.state = DialogState.RETURN_CERT_SELECTED;
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert.example.com/",
+ "https://requireclientcert.example.com/",
+ true
+ );
+ cars.clearRememberedDecisions();
+ // This will reset the added intermediate.
+ await SpecialPowers.pushPrefEnv({
+ set: [["security.enterprise_roots.enabled", true]],
+ });
+});
+
+// Test that if the server certificate does not validate successfully,
+// nsIClientAuthDialogService.chooseCertificate() is never called.
+add_task(async function testNoDialogForUntrustedServerCertificate() {
+ gClientAuthDialogService.state = DialogState.ASSERT_NOT_CALLED;
+ await testHelper(
+ "Ask Every Time",
+ "https://requireclientcert-untrusted.example.com/",
+ undefined,
+ false
+ );
+ // This clears all saved client auth certificate state so we don't influence
+ // subsequent tests.
+ cars.clearRememberedDecisions();
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html
new file mode 100644
index 0000000000..82aac47b2a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+<a href="https://requireclientcert.example.com" id="link">Click Me</a>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js
new file mode 100644
index 0000000000..e68568ba86
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js
@@ -0,0 +1,84 @@
+/* eslint-disable mozilla/no-arbitrary-setTimeout */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Tests that with speculative connections enabled, connections to servers that
+// request a client authentication certificate succeed (the specific bug that
+// was addressed with this patch involved navigation hanging because the
+// connection to the server couldn't make progress without asking for a client
+// authentication certificate, but it also wouldn't ask for a client
+// authentication certificate until the connection had been claimed, which
+// required that it make progress first).
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+ "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+const TEST_PATH = getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+);
+
+let chooseCertificateCalled = false;
+
+const clientAuthDialogService = {
+ chooseCertificate(hostname, certArray, loadContext, callback) {
+ is(
+ certArray.length,
+ 1,
+ "should have only one client certificate available"
+ );
+ ok(
+ !chooseCertificateCalled,
+ "chooseCertificate should only be called once"
+ );
+ chooseCertificateCalled = true;
+ callback.certificateChosen(certArray[0], false);
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogService"]),
+};
+
+add_setup(async function () {
+ await SpecialPowers.pushPrefEnv({
+ set: [
+ // Enable speculative connections.
+ ["network.http.speculative-parallel-limit", 6],
+ // Always ask to select a client authentication certificate.
+ ["security.default_personal_cert", "Ask Every Time"],
+ ],
+ });
+ let clientAuthDialogServiceCID = MockRegistrar.register(
+ "@mozilla.org/security/ClientAuthDialogService;1",
+ clientAuthDialogService
+ );
+ registerCleanupFunction(async function () {
+ MockRegistrar.unregister(clientAuthDialogServiceCID);
+ });
+});
+
+add_task(
+ async function test_no_client_auth_selection_dialog_for_speculative_connections() {
+ await BrowserTestUtils.withNewTab(
+ `${TEST_PATH}browser_clientAuth_speculative_connection.html`,
+ async browser => {
+ // Click the link to navigate to a page that requests a client
+ // authentication certificate. Necko will make a speculative
+ // connection, but unfortunately there's no event or notification to
+ // observe. This test ensures that the navigation succeeds and that a
+ // client authentication certificate was requested.
+ let loaded = BrowserTestUtils.browserLoaded(
+ browser,
+ false,
+ "https://requireclientcert.example.com/"
+ );
+ await BrowserTestUtils.synthesizeMouseAtCenter("#link", {}, browser);
+ await loaded;
+ ok(chooseCertificateCalled, "chooseCertificate must have been called");
+ }
+ );
+ }
+);
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
new file mode 100644
index 0000000000..9bf961250a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
@@ -0,0 +1,161 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the client authentication certificate chooser correctly displays
+// provided information and correctly returns user input.
+
+const TEST_HOSTNAME = "Test Hostname";
+const TEST_ORG = "Test Org";
+const TEST_ISSUER_ORG = "Test Issuer Org";
+const TEST_PORT = 123;
+
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+/**
+ * Test certificate (i.e. build/pgo/certs/mochitest.client).
+ *
+ * @type {nsIX509Cert}
+ */
+var cert;
+
+/**
+ * Opens the client auth cert chooser dialog.
+ *
+ * @param {nsIX509Cert} cert The cert to pass to the dialog for display.
+ * @returns {Promise}
+ * A promise that resolves when the dialog has finished loading, with
+ * an array consisting of:
+ * 1. The window of the opened dialog.
+ * 2. The return value nsIWritablePropertyBag2 passed to the dialog.
+ */
+function openClientAuthDialog(cert) {
+ let certArray = [cert];
+ let retVals = { cert: undefined, rememberDecision: undefined };
+ let win = window.openDialog(
+ "chrome://pippki/content/clientauthask.xhtml",
+ "",
+ "",
+ { hostname: TEST_HOSTNAME, certArray, retVals }
+ );
+ return TestUtils.topicObserved("cert-dialog-loaded").then(() => {
+ return { win, retVals };
+ });
+}
+
+/**
+ * Checks that the contents of the given cert chooser dialog match the details
+ * of build/pgo/certs/mochitest.client.
+ *
+ * @param {window} win The cert chooser window.
+ * @param {string} notBefore
+ * The formatted notBefore date of mochitest.client.
+ * @param {string} notAfter
+ * The formatted notAfter date of mochitest.client.
+ */
+async function checkDialogContents(win, notBefore, notAfter) {
+ await TestUtils.waitForCondition(() => {
+ return win.document
+ .getElementById("clientAuthSiteIdentification")
+ .textContent.includes(`${TEST_HOSTNAME}`);
+ });
+ let nicknames = win.document.getElementById("nicknames");
+ await TestUtils.waitForCondition(() => {
+ return nicknames.label == "Mochitest client [03]";
+ });
+ await TestUtils.waitForCondition(() => {
+ return nicknames.itemCount == 1;
+ });
+ let subject = win.document.getElementById("clientAuthCertDetailsIssuedTo");
+ await TestUtils.waitForCondition(() => {
+ return subject.textContent == "Issued to: CN=Mochitest client";
+ });
+ let serialNum = win.document.getElementById(
+ "clientAuthCertDetailsSerialNumber"
+ );
+ await TestUtils.waitForCondition(() => {
+ return serialNum.textContent == "Serial number: 03";
+ });
+ let validity = win.document.getElementById(
+ "clientAuthCertDetailsValidityPeriod"
+ );
+ await TestUtils.waitForCondition(() => {
+ return validity.textContent == `Valid from ${notBefore} to ${notAfter}`;
+ });
+ let issuer = win.document.getElementById("clientAuthCertDetailsIssuedBy");
+ await TestUtils.waitForCondition(() => {
+ return (
+ issuer.textContent ==
+ "Issued by: OU=Profile Guided Optimization,O=Mozilla Testing,CN=Temporary Certificate Authority"
+ );
+ });
+ let tokenName = win.document.getElementById("clientAuthCertDetailsStoredOn");
+ await TestUtils.waitForCondition(() => {
+ return tokenName.textContent == "Stored on: Software Security Device";
+ });
+}
+
+function findCertByCommonName(commonName) {
+ for (let cert of certDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+add_setup(async function () {
+ cert = findCertByCommonName("Mochitest client");
+ isnot(cert, null, "Should be able to find the test client cert");
+});
+
+// Test that the contents of the dialog correspond to the details of the
+// provided cert.
+add_task(async function testContents() {
+ const formatter = new Intl.DateTimeFormat(undefined, {
+ dateStyle: "medium",
+ timeStyle: "long",
+ });
+ let { win } = await openClientAuthDialog(cert);
+ await checkDialogContents(
+ win,
+ formatter.format(new Date(cert.validity.notBefore / 1000)),
+ formatter.format(new Date(cert.validity.notAfter / 1000))
+ );
+ await BrowserTestUtils.closeWindow(win);
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+ let { win, retVals } = await openClientAuthDialog(cert);
+ win.document.getElementById("rememberBox").checked = true;
+ info("Accepting dialog");
+ win.document.getElementById("certAuthAsk").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ is(retVals.cert, cert, "cert should be returned as chosen cert");
+ ok(
+ retVals.rememberDecision,
+ "Return value should signal 'Remember this decision' checkbox was checked"
+ );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+ let { win, retVals } = await openClientAuthDialog(cert);
+ win.document.getElementById("rememberBox").checked = false;
+ info("Canceling dialog");
+ win.document.getElementById("certAuthAsk").cancelDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ ok(
+ !retVals.cert,
+ "Return value should signal user did not choose a certificate"
+ );
+ ok(
+ !retVals.rememberDecision,
+ "Return value should signal 'Remember this decision' checkbox was unchecked"
+ );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js
new file mode 100644
index 0000000000..a8ff7cc8fb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js
@@ -0,0 +1,259 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various aspects of the cert delete confirmation dialog.
+// Among other things, tests that for each type of cert that can be deleted:
+// 1. The various lines of explanation text are correctly set.
+// 2. The implementation correctly falls back through multiple cert attributes
+// to determine what to display to represent a cert.
+
+/**
+ * An array of tree items corresponding to TEST_CASES.
+ *
+ * @type {nsICertTreeItem[]}
+ */
+var gCertArray = [];
+
+const FAKE_HOST_PORT = "Fake host and port";
+
+/**
+ * @typedef TestCase
+ * @type {object}
+ * @property {string} certFilename
+ * Filename of the cert, or null if we don't want to import a cert for
+ * this test case (i.e. we expect the hostPort attribute of
+ * nsICertTreeItem to be used).
+ * @property {string} expectedDisplayString
+ * The string we expect the UI to display to represent the given cert.
+ * @property {string} expectedSerialNumber
+ * The serial number we expect the UI to display if it exists.
+ */
+
+/**
+ * A list of test cases representing certs that get "deleted".
+ *
+ * @type {TestCase[]}
+ */
+const TEST_CASES = [
+ {
+ certFilename: null,
+ expectedDisplayString: FAKE_HOST_PORT,
+ expectedSerialNumber: null,
+ },
+ {
+ certFilename: "has-cn.pem",
+ expectedDisplayString: "Foo",
+ expectedSerialNumber: null,
+ },
+ {
+ certFilename: "has-ou.pem",
+ expectedDisplayString: "Bar",
+ expectedSerialNumber: null,
+ },
+ {
+ certFilename: "has-o.pem",
+ expectedDisplayString: "Baz",
+ expectedSerialNumber: null,
+ },
+ {
+ certFilename: "has-non-empty-subject.pem",
+ expectedDisplayString: "C=US",
+ expectedSerialNumber: null,
+ },
+ {
+ certFilename: "has-empty-subject.pem",
+ expectedDisplayString: "Certificate with serial number: 0A",
+ expectedSerialNumber: "0A",
+ },
+];
+
+/**
+ * Opens the cert delete confirmation dialog.
+ *
+ * @param {string} tabID
+ * The ID of the cert category tab the certs to delete belong to.
+ * @returns {Promise}
+ * A promise that resolves when the dialog has finished loading, with
+ * an array consisting of:
+ * 1. The window of the opened dialog.
+ * 2. The return value object passed to the dialog.
+ */
+function openDeleteCertConfirmDialog(tabID) {
+ let retVals = {
+ deleteConfirmed: false,
+ };
+ let win = window.openDialog(
+ "chrome://pippki/content/deletecert.xhtml",
+ "",
+ "",
+ tabID,
+ gCertArray,
+ retVals
+ );
+ return new Promise((resolve, reject) => {
+ win.addEventListener(
+ "load",
+ function () {
+ executeSoon(() => resolve([win, retVals]));
+ },
+ { once: true }
+ );
+ });
+}
+
+add_setup(async function () {
+ for (let testCase of TEST_CASES) {
+ let cert = null;
+ if (testCase.certFilename) {
+ cert = await readCertificate(testCase.certFilename, ",,");
+ }
+ let certTreeItem = {
+ hostPort: FAKE_HOST_PORT,
+ cert,
+ QueryInterface: ChromeUtils.generateQI(["nsICertTreeItem"]),
+ };
+ gCertArray.push(certTreeItem);
+ }
+});
+
+/**
+ * Test helper for the below test cases.
+ *
+ * @param {string} tabID
+ * ID of the cert category tab the certs to delete belong to.
+ * @param {string} expectedTitleL10nId
+ * The L10nId of title the dialog is expected to have.
+ * @param {string} expectedConfirmL10nId
+ * The l10n id of confirmation message the dialog expected to show.
+ * @param {string} expectedImpactL10nId
+ * The l10n id of impact the dialog expected to show.
+ */
+async function testHelper(
+ tabID,
+ expectedTitleL10nId,
+ expectedConfirmL10nId,
+ expectedImpactL10nId
+) {
+ let [win] = await openDeleteCertConfirmDialog(tabID);
+ let certList = win.document.getElementById("certlist");
+
+ Assert.deepEqual(
+ win.document.l10n.getAttributes(win.document.documentElement),
+ expectedTitleL10nId,
+ `Actual and expected titles should match for ${tabID}`
+ );
+ let confirm = win.document.getElementById("confirm");
+ Assert.deepEqual(
+ win.document.l10n.getAttributes(confirm),
+ expectedConfirmL10nId,
+ `Actual and expected confirm message should match for ${tabID}`
+ );
+ let impact = win.document.getElementById("impact");
+ Assert.deepEqual(
+ win.document.l10n.getAttributes(impact),
+ expectedImpactL10nId,
+ `Actual and expected impact should match for ${tabID}`
+ );
+
+ Assert.equal(
+ certList.itemCount,
+ TEST_CASES.length,
+ `No. of certs displayed should match for ${tabID}`
+ );
+ for (let i = 0; i < certList.itemCount; i++) {
+ let item = certList.getItemAtIndex(i);
+ if (TEST_CASES[i].expectedSerialNumber == null) {
+ Assert.equal(
+ item.label,
+ TEST_CASES[i].expectedDisplayString,
+ "Actual and expected display string should match for " +
+ `index ${i} for ${tabID}`
+ );
+ } else {
+ Assert.deepEqual(
+ win.document.l10n.getAttributes(item.children[0]),
+ {
+ id: "cert-with-serial",
+ args: { serialNumber: TEST_CASES[i].expectedSerialNumber },
+ },
+ "Actual and expected display string should match for " +
+ `index ${i} for ${tabID}`
+ );
+ }
+ }
+
+ await BrowserTestUtils.closeWindow(win);
+}
+
+// Test deleting certs from the "Your Certificates" tab.
+add_task(async function testDeletePersonalCerts() {
+ const expectedTitleL10nId = { id: "delete-user-cert-title", args: null };
+ const expectedConfirmL10nId = { id: "delete-user-cert-confirm", args: null };
+ const expectedImpactL10nId = { id: "delete-user-cert-impact", args: null };
+ await testHelper(
+ "mine_tab",
+ expectedTitleL10nId,
+ expectedConfirmL10nId,
+ expectedImpactL10nId
+ );
+});
+
+// Test deleting certs from the "People" tab.
+add_task(async function testDeleteOtherPeopleCerts() {
+ const expectedTitleL10nId = { id: "delete-email-cert-title", args: null };
+ // ’ doesn't seem to work when embedded in the following literals, which is
+ // why escape codes are used instead.
+ const expectedConfirmL10nId = { id: "delete-email-cert-confirm", args: null };
+ const expectedImpactL10nId = { id: "delete-email-cert-impact", args: null };
+ await testHelper(
+ "others_tab",
+ expectedTitleL10nId,
+ expectedConfirmL10nId,
+ expectedImpactL10nId
+ );
+});
+
+// Test deleting certs from the "Authorities" tab.
+add_task(async function testDeleteCACerts() {
+ const expectedTitleL10nId = { id: "delete-ca-cert-title", args: null };
+ const expectedConfirmL10nId = { id: "delete-ca-cert-confirm", args: null };
+ const expectedImpactL10nId = { id: "delete-ca-cert-impact", args: null };
+ await testHelper(
+ "ca_tab",
+ expectedTitleL10nId,
+ expectedConfirmL10nId,
+ expectedImpactL10nId
+ );
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+ let [win, retVals] = await openDeleteCertConfirmDialog(
+ "ca_tab" /* arbitrary */
+ );
+ info("Accepting dialog");
+ win.document.getElementById("deleteCertificate").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ retVals.deleteConfirmed,
+ "Return value should signal user accepted"
+ );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+ let [win, retVals] = await openDeleteCertConfirmDialog(
+ "ca_tab" /* arbitrary */
+ );
+ info("Canceling dialog");
+ win.document.getElementById("deleteCertificate").cancelDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ !retVals.deleteConfirmed,
+ "Return value should signal user did not accept"
+ );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js
new file mode 100644
index 0000000000..51715b1352
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js
@@ -0,0 +1,134 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the cert download/import UI correctly identifies the cert being
+// downloaded, and allows the trust of the cert to be specified.
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+ "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+/**
+ * @typedef TestCase
+ * @type {object}
+ * @property {string} certFilename
+ * Filename of the cert for this test case.
+ * @property {string} expectedDisplayString
+ * The string we expect the UI to display to represent the given cert.
+ * @property {nsIX509Cert} cert
+ * Handle to the cert once read in setup().
+ */
+
+/**
+ * A list of test cases representing certs that get "downloaded".
+ *
+ * @type {TestCase[]}
+ */
+const TEST_CASES = [
+ { certFilename: "has-cn.pem", expectedDisplayString: "Foo", cert: null },
+ {
+ certFilename: "has-empty-subject.pem",
+ expectedDisplayString: "Certificate Authority (unnamed)",
+ cert: null,
+ },
+];
+
+/**
+ * Opens the cert download dialog.
+ *
+ * @param {nsIX509Cert} cert
+ * The cert to pass to the dialog for display.
+ * @returns {Promise}
+ * A promise that resolves when the dialog has finished loading, with
+ * an array consisting of:
+ * 1. The window of the opened dialog.
+ * 2. The return value nsIWritablePropertyBag2 passed to the dialog.
+ */
+function openCertDownloadDialog(cert) {
+ let returnVals = Cc["@mozilla.org/hash-property-bag;1"].createInstance(
+ Ci.nsIWritablePropertyBag2
+ );
+ let win = window.openDialog(
+ "chrome://pippki/content/downloadcert.xhtml",
+ "",
+ "",
+ cert,
+ returnVals
+ );
+ return new Promise((resolve, reject) => {
+ win.addEventListener(
+ "load",
+ function () {
+ executeSoon(() => resolve([win, returnVals]));
+ },
+ { once: true }
+ );
+ });
+}
+
+add_setup(async function () {
+ for (let testCase of TEST_CASES) {
+ testCase.cert = await readCertificate(testCase.certFilename, ",,");
+ Assert.notEqual(
+ testCase.cert,
+ null,
+ `'${testCase.certFilename}' should have been read`
+ );
+ }
+});
+
+// Test that the trust header message corresponds to the provided cert, and that
+// the View Cert button launches the cert viewer for the provided cert.
+add_task(async function testTrustHeaderAndViewCertButton() {
+ for (let testCase of TEST_CASES) {
+ let [win] = await openCertDownloadDialog(testCase.cert);
+ let expectedTrustHeaderString =
+ `Do you want to trust \u201C${testCase.expectedDisplayString}\u201D ` +
+ "for the following purposes?";
+ Assert.equal(
+ win.document.getElementById("trustHeader").textContent,
+ expectedTrustHeaderString,
+ "Actual and expected trust header text should match for " +
+ `${testCase.certFilename}`
+ );
+
+ await BrowserTestUtils.closeWindow(win);
+ }
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+ let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert);
+ win.document.getElementById("trustSSL").checked = true;
+ win.document.getElementById("trustEmail").checked = false;
+ info("Accepting dialog");
+ win.document.getElementById("download_cert").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ retVals.get("importConfirmed"),
+ "Return value should signal user chose to import the cert"
+ );
+ Assert.ok(
+ retVals.get("trustForSSL"),
+ "Return value should signal SSL trust checkbox was checked"
+ );
+ Assert.ok(
+ !retVals.get("trustForEmail"),
+ "Return value should signal E-mail trust checkbox was unchecked"
+ );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+ let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert);
+ info("Canceling dialog");
+ win.document.getElementById("download_cert").cancelDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ !retVals.get("importConfirmed"),
+ "Return value should signal user chose not to import the cert"
+ );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js
new file mode 100644
index 0000000000..9a36eca7bf
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js
@@ -0,0 +1,141 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the UI for editing the trust of a CA certificate correctly
+// reflects trust in the cert DB, and correctly updates trust in the cert DB
+// when requested.
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+/**
+ * The cert we're editing the trust of.
+ *
+ * @type {nsIX509Cert}
+ */
+var gCert;
+
+/**
+ * Opens the cert trust editing dialog.
+ *
+ * @returns {Promise}
+ * A promise that resolves when the dialog has finished loading with
+ * the window of the opened dialog.
+ */
+function openEditCertTrustDialog() {
+ let win = window.openDialog(
+ "chrome://pippki/content/editcacert.xhtml",
+ "",
+ "",
+ gCert
+ );
+ return new Promise((resolve, reject) => {
+ win.addEventListener(
+ "load",
+ function () {
+ executeSoon(() => resolve(win));
+ },
+ { once: true }
+ );
+ });
+}
+
+add_setup(async function () {
+ // Initially trust ca.pem for SSL but not e-mail.
+ gCert = await readCertificate("ca.pem", "CT,,");
+ Assert.ok(
+ gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ ),
+ "Sanity check: ca.pem should be trusted for SSL"
+ );
+ Assert.ok(
+ !gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "Sanity check: ca.pem should not be trusted for e-mail"
+ );
+});
+
+// Tests the following:
+// 1. The checkboxes correctly reflect the trust set in setup().
+// 2. Accepting the dialog after flipping some of the checkboxes results in the
+// correct trust being set in the cert DB.
+add_task(async function testAcceptDialog() {
+ let win = await openEditCertTrustDialog();
+
+ let sslCheckbox = win.document.getElementById("trustSSL");
+ let emailCheckbox = win.document.getElementById("trustEmail");
+ Assert.ok(sslCheckbox.checked, "Cert should be trusted for SSL in UI");
+ Assert.ok(
+ !emailCheckbox.checked,
+ "Cert should not be trusted for e-mail in UI"
+ );
+
+ sslCheckbox.checked = false;
+ emailCheckbox.checked = true;
+
+ info("Accepting dialog");
+ win.document.getElementById("editCaCert").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ !gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ ),
+ "Cert should no longer be trusted for SSL"
+ );
+ Assert.ok(
+ gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "Cert should now be trusted for e-mail"
+ );
+});
+
+// Tests the following:
+// 1. The checkboxes correctly reflect the trust set in testAcceptDialog().
+// 2. Canceling the dialog even after flipping the checkboxes doesn't result in
+// a change of trust in the cert DB.
+add_task(async function testCancelDialog() {
+ let win = await openEditCertTrustDialog();
+
+ let sslCheckbox = win.document.getElementById("trustSSL");
+ let emailCheckbox = win.document.getElementById("trustEmail");
+ Assert.ok(!sslCheckbox.checked, "Cert should not be trusted for SSL in UI");
+ Assert.ok(emailCheckbox.checked, "Cert should be trusted for e-mail in UI");
+
+ sslCheckbox.checked = true;
+ emailCheckbox.checked = false;
+
+ info("Canceling dialog");
+ win.document.getElementById("editCaCert").cancelDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ !gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ ),
+ "Cert should still not be trusted for SSL"
+ );
+ Assert.ok(
+ gCertDB.isCertTrusted(
+ gCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "Cert should still be trusted for e-mail"
+ );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js b/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js
new file mode 100644
index 0000000000..8e6af27cbb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js
@@ -0,0 +1,164 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the UI for setting the password on a to be exported PKCS #12 file:
+// 1. Correctly requires the password to be typed in twice as confirmation.
+// 2. Calculates and displays the strength of said password.
+
+/**
+ * @typedef TestCase
+ * @type {object}
+ * @property {string} name
+ * The name of the test case for display purposes.
+ * @property {string} password1
+ * The password to enter into the first password textbox.
+ * @property {string} password2
+ * The password to enter into the second password textbox.
+ * @property {string} strength
+ * The expected strength of the password in the range [0, 100].
+ */
+
+/**
+ * A list of test cases representing various inputs to the password textboxes.
+ *
+ * @type {TestCase[]}
+ */
+const TEST_CASES = [
+ { name: "empty", password1: "", password2: "", strength: "0" },
+ { name: "match-weak", password1: "foo", password2: "foo", strength: "10" },
+ {
+ name: "match-medium",
+ password1: "foo123",
+ password2: "foo123",
+ strength: "60",
+ },
+ {
+ name: "match-strong",
+ password1: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三",
+ password2: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三",
+ strength: "100",
+ },
+ { name: "mismatch-weak", password1: "foo", password2: "bar", strength: "10" },
+ {
+ name: "mismatch-medium",
+ password1: "foo123",
+ password2: "bar",
+ strength: "60",
+ },
+ {
+ name: "mismatch-strong",
+ password1: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三",
+ password2: "bar",
+ strength: "100",
+ },
+];
+
+/**
+ * Opens the dialog shown to set the password on a PKCS #12 file being exported.
+ *
+ * @returns {Promise}
+ * A promise that resolves when the dialog has finished loading, with
+ * an array consisting of:
+ * 1. The window of the opened dialog.
+ * 2. The return value nsIWritablePropertyBag2 passed to the dialog.
+ */
+function openSetP12PasswordDialog() {
+ let returnVals = Cc["@mozilla.org/hash-property-bag;1"].createInstance(
+ Ci.nsIWritablePropertyBag2
+ );
+ let win = window.openDialog(
+ "chrome://pippki/content/setp12password.xhtml",
+ "",
+ "",
+ returnVals
+ );
+ return new Promise((resolve, reject) => {
+ win.addEventListener(
+ "load",
+ function () {
+ executeSoon(() => resolve([win, returnVals]));
+ },
+ { once: true }
+ );
+ });
+}
+
+// Tests that the first password textbox is the element that is initially
+// focused.
+add_task(async function testFocus() {
+ let [win] = await openSetP12PasswordDialog();
+ Assert.equal(
+ win.document.activeElement,
+ win.document.getElementById("pw1"),
+ "First password textbox should have focus"
+ );
+ await BrowserTestUtils.closeWindow(win);
+});
+
+// Tests that the password strength algorithm used is reasonable, and that the
+// Accept button is only enabled if the two passwords match.
+add_task(async function testPasswordStrengthAndEquality() {
+ let [win] = await openSetP12PasswordDialog();
+ let password1Textbox = win.document.getElementById("pw1");
+ let password2Textbox = win.document.getElementById("pw2");
+ let strengthProgressBar = win.document.getElementById("pwmeter");
+
+ for (let testCase of TEST_CASES) {
+ password1Textbox.value = testCase.password1;
+ password2Textbox.value = testCase.password2;
+ // Setting the value of the password textboxes via |.value| apparently
+ // doesn't cause the oninput handlers to be called, so we do it here.
+ password1Textbox.oninput();
+ password2Textbox.oninput();
+
+ Assert.equal(
+ win.document.getElementById("setp12password").getButton("accept")
+ .disabled,
+ password1Textbox.value != password2Textbox.value,
+ "Actual and expected accept button disable state should " +
+ `match for ${testCase.name}`
+ );
+ Assert.equal(
+ strengthProgressBar.value,
+ testCase.strength,
+ `Actual and expected strength value should match for ${testCase.name}`
+ );
+ }
+
+ await BrowserTestUtils.closeWindow(win);
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+ let [win, retVals] = await openSetP12PasswordDialog();
+ const password = "fooBAR 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三";
+ win.document.getElementById("pw1").value = password;
+ win.document.getElementById("pw2").value = password;
+ info("Accepting dialog");
+ win.document.getElementById("setp12password").acceptDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ retVals.get("confirmedPassword"),
+ "Return value should signal user confirmed a password"
+ );
+ Assert.equal(
+ retVals.get("password"),
+ password,
+ "Actual and expected password should match"
+ );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+ let [win, retVals] = await openSetP12PasswordDialog();
+ info("Canceling dialog");
+ win.document.getElementById("setp12password").cancelDialog();
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.ok(
+ !retVals.get("confirmedPassword"),
+ "Return value should signal user didn't confirm a password"
+ );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
new file mode 100644
index 0000000000..9e4e244123
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
@@ -0,0 +1,312 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the dialog used for loading PKCS #11 modules.
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+ "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+const gMockPKCS11ModuleDB = {
+ addModuleCallCount: 0,
+ expectedLibPath: "",
+ expectedModuleName: "",
+ throwOnAddModule: false,
+
+ addModule(moduleName, libraryFullPath, cryptoMechanismFlags, cipherFlags) {
+ this.addModuleCallCount++;
+ Assert.equal(
+ moduleName,
+ this.expectedModuleName,
+ "addModule: Name given should be what's in the name textbox"
+ );
+ Assert.equal(
+ libraryFullPath,
+ this.expectedLibPath,
+ "addModule: Path given should be what's in the path textbox"
+ );
+ Assert.equal(
+ cryptoMechanismFlags,
+ 0,
+ "addModule: No crypto mechanism flags should be passed"
+ );
+ Assert.equal(cipherFlags, 0, "addModule: No cipher flags should be passed");
+
+ if (this.throwOnAddModule) {
+ throw new Error(`addModule: Throwing exception`);
+ }
+ },
+
+ deleteModule(moduleName) {
+ Assert.ok(false, `deleteModule: should not be called`);
+ },
+
+ getInternal() {
+ throw new Error("not expecting getInternal() to be called");
+ },
+
+ getInternalFIPS() {
+ throw new Error("not expecting getInternalFIPS() to be called");
+ },
+
+ listModules() {
+ throw new Error("not expecting listModules() to be called");
+ },
+
+ get canToggleFIPS() {
+ throw new Error("not expecting get canToggleFIPS() to be called");
+ },
+
+ toggleFIPSMode() {
+ throw new Error("not expecting toggleFIPSMode() to be called");
+ },
+
+ get isFIPSEnabled() {
+ throw new Error("not expecting get isFIPSEnabled() to be called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPKCS11ModuleDB"]),
+};
+
+const gMockPromptService = {
+ alertCallCount: 0,
+ expectedText: "",
+ expectedWindow: null,
+
+ alert(parent, dialogTitle, text) {
+ this.alertCallCount++;
+ Assert.equal(
+ parent,
+ this.expectedWindow,
+ "alert: Parent should be expected window"
+ );
+ Assert.equal(dialogTitle, null, "alert: Title should be null");
+ Assert.equal(
+ text,
+ this.expectedText,
+ "alert: Actual and expected text should match"
+ );
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]),
+};
+
+var gMockPKCS11CID = MockRegistrar.register(
+ "@mozilla.org/security/pkcs11moduledb;1",
+ gMockPKCS11ModuleDB
+);
+var gMockPromptServiceCID = MockRegistrar.register(
+ "@mozilla.org/prompter;1",
+ gMockPromptService
+);
+
+var gMockFilePicker = SpecialPowers.MockFilePicker;
+gMockFilePicker.init(window);
+
+var gTempFile = Services.dirsvc.get("TmpD", Ci.nsIFile);
+gTempFile.append("browser_loadPKCS11Module_ui-fakeModule");
+
+registerCleanupFunction(() => {
+ gMockFilePicker.cleanup();
+ MockRegistrar.unregister(gMockPKCS11CID);
+ MockRegistrar.unregister(gMockPromptServiceCID);
+});
+
+function resetCallCounts() {
+ gMockPKCS11ModuleDB.addModuleCallCount = 0;
+ gMockPromptService.alertCallCount = 0;
+}
+
+/**
+ * Opens the dialog shown to load a PKCS #11 module.
+ *
+ * @returns {Promise}
+ * A promise that resolves when the dialog has finished loading, with
+ * the window of the opened dialog.
+ */
+function openLoadModuleDialog() {
+ let win = window.openDialog(
+ "chrome://pippki/content/load_device.xhtml",
+ "",
+ ""
+ );
+ return new Promise(resolve => {
+ win.addEventListener(
+ "load",
+ function () {
+ executeSoon(() => resolve(win));
+ },
+ { once: true }
+ );
+ });
+}
+
+/**
+ * Presses the browse button and simulates interacting with the file picker that
+ * should be triggered.
+ *
+ * @param {window} win
+ * The dialog window.
+ * @param {boolean} cancel
+ * If true, the file picker is canceled. If false, gTempFile is chosen in
+ * the file picker and the file picker is accepted.
+ */
+async function browseToTempFile(win, cancel) {
+ gMockFilePicker.showCallback = () => {
+ gMockFilePicker.setFiles([gTempFile]);
+
+ if (cancel) {
+ info("MockFilePicker returning cancel");
+ return Ci.nsIFilePicker.returnCancel;
+ }
+
+ info("MockFilePicker returning OK");
+ return Ci.nsIFilePicker.returnOK;
+ };
+
+ info("Pressing browse button");
+ win.document.getElementById("browse").doCommand();
+ await TestUtils.topicObserved("LoadPKCS11Module:FilePickHandled");
+}
+
+add_task(async function testBrowseButton() {
+ let win = await openLoadModuleDialog();
+ let pathBox = win.document.getElementById("device_path");
+ let originalPathBoxValue = "expected path if picker is canceled";
+ pathBox.value = originalPathBoxValue;
+
+ // Test what happens if the file picker is canceled.
+ await browseToTempFile(win, true);
+ Assert.equal(
+ pathBox.value,
+ originalPathBoxValue,
+ "Path shown should be unchanged due to canceled picker"
+ );
+
+ // Test what happens if the file picker is not canceled.
+ await browseToTempFile(win, false);
+ Assert.equal(
+ pathBox.value,
+ gTempFile.path,
+ "Path shown should be same as the one chosen in the file picker"
+ );
+
+ await BrowserTestUtils.closeWindow(win);
+});
+
+function testAddModuleHelper(win, throwOnAddModule) {
+ resetCallCounts();
+ gMockPKCS11ModuleDB.expectedLibPath = gTempFile.path;
+ gMockPKCS11ModuleDB.expectedModuleName = "test module";
+ gMockPKCS11ModuleDB.throwOnAddModule = throwOnAddModule;
+
+ win.document.getElementById("device_name").value =
+ gMockPKCS11ModuleDB.expectedModuleName;
+ win.document.getElementById("device_path").value =
+ gMockPKCS11ModuleDB.expectedLibPath;
+
+ info("Accepting dialog");
+ win.document.getElementById("loaddevice").acceptDialog();
+}
+
+add_task(async function testAddModuleSuccess() {
+ let win = await openLoadModuleDialog();
+
+ testAddModuleHelper(win, false);
+ await BrowserTestUtils.windowClosed(win);
+
+ Assert.equal(
+ gMockPKCS11ModuleDB.addModuleCallCount,
+ 1,
+ "addModule() should have been called once"
+ );
+ Assert.equal(
+ gMockPromptService.alertCallCount,
+ 0,
+ "alert() should never have been called"
+ );
+});
+
+add_task(async function testAddModuleFailure() {
+ let win = await openLoadModuleDialog();
+ gMockPromptService.expectedText = "Unable to add module";
+ gMockPromptService.expectedWindow = win;
+
+ // The exception we throw in addModule is first reported as an uncaught
+ // exception by XPConnect before an exception is propagated to the actual
+ // caller.
+ expectUncaughtException(true);
+
+ testAddModuleHelper(win, true);
+ expectUncaughtException(false);
+ // If adding a module fails, the dialog will not close. As such, we have to
+ // close the window ourselves.
+ await BrowserTestUtils.closeWindow(win);
+
+ Assert.equal(
+ gMockPKCS11ModuleDB.addModuleCallCount,
+ 1,
+ "addModule() should have been called once"
+ );
+ Assert.equal(
+ gMockPromptService.alertCallCount,
+ 1,
+ "alert() should have been called once"
+ );
+});
+
+add_task(async function testCancel() {
+ let win = await openLoadModuleDialog();
+ resetCallCounts();
+
+ info("Canceling dialog");
+ win.document.getElementById("loaddevice").cancelDialog();
+
+ Assert.equal(
+ gMockPKCS11ModuleDB.addModuleCallCount,
+ 0,
+ "addModule() should never have been called"
+ );
+ Assert.equal(
+ gMockPromptService.alertCallCount,
+ 0,
+ "alert() should never have been called"
+ );
+
+ await BrowserTestUtils.windowClosed(win);
+});
+
+async function testModuleNameHelper(moduleName, acceptButtonShouldBeDisabled) {
+ let win = await openLoadModuleDialog();
+ resetCallCounts();
+
+ info(`Setting Module Name to '${moduleName}'`);
+ let moduleNameBox = win.document.getElementById("device_name");
+ moduleNameBox.value = moduleName;
+ // this makes this not a great test, but it's the easiest way to simulate this
+ moduleNameBox.onchange();
+
+ let dialogNode = win.document.querySelector("dialog");
+ Assert.equal(
+ dialogNode.getAttribute("buttondisabledaccept"),
+ acceptButtonShouldBeDisabled ? "true" : "", // it's a string
+ `dialog accept button should ${
+ acceptButtonShouldBeDisabled ? "" : "not "
+ }be disabled`
+ );
+
+ return BrowserTestUtils.closeWindow(win);
+}
+
+add_task(async function testEmptyModuleName() {
+ await testModuleNameHelper("", true);
+});
+
+add_task(async function testReservedModuleName() {
+ await testModuleNameHelper("Root Certs", true);
+});
+
+add_task(async function testAcceptableModuleName() {
+ await testModuleNameHelper("Some Module Name", false);
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/ca.pem b/security/manager/ssl/tests/mochitest/browser/ca.pem
new file mode 100644
index 0000000000..90b269209e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUCytXeIVSOQ622rYL1uaLSms7TrcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBEpBaH+earFBTSrKZUsUmxH5q1
+9Ln/OCzi1hB5IHo3haTTKl8xrTe5sI4A7knfwbz9AwbLRW0L3zIAJGPjxhMDxYjn
+t5YTQLQwZEbru2A9wCOELiDbXH1kJl0yI2JdGwGMwZ4Y7ifTG5EUEQeVFnDTc2xA
+4W/RZBld/6Iqb2ECMc20tjvBSo9YCJ7OEz+gva4OBx+BtK7LHRVLEMBGYet64wi4
+5Y8cdzMwsV69tlLffrwLV32TCt1a4dNLmq9g/vgaONx1B9ltxq8fc8ErzYvYTLsh
+0FY0VD/EabvGDnLuIHfTnuD5bbKhRFD8vOEoW+NKEVn3JveM8z6z0LQqt8CB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec
new file mode 100644
index 0000000000..6660f5d478
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem
new file mode 100644
index 0000000000..0639b2a7b0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfmgAwIBAgIUazXMVwZmjxSa95+Jhrdt0+mMZ3AwDQYJKoZIhvcNAQEL
+BQAwQTEoMCYGA1UEAwwfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEV
+MBMGA1UECwwMSW50ZXJtZWRpYXRlMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCcxJTAjBgNVBAMMHGNsaWVudCBjZXJ0IHZpYSBpbnRlcm1lZGlh
+dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA
+A4IBAQAE8C6ApsLBOltZNrOLFWPb+hKGKJrbUDuvLh8BIXF8GhLz261zEj3IgZMI
+yRgVuEmAcjgkqSnuARq8zqGkr2mFT6g2GXix4QrBAuN8kitOki/Ds7yrTsRzk/iO
+AzJLa2Uvqa0Ai2cs7XepIAv114sSAIp1kP1+e0R1xi7smoDLFJmzisc7XhFmH4qI
+z37aeqU8QdaxJnWF08X+S0Gk5m7qC1ueWgcHEWDq5xenqQYW6IhrEhHEwNLzxs3V
+Q+YXIb8TXTNMfcbYr7j2MicoUD+emYGW+Tb/sB4xq1aH3QocJP/6kwpE6iqhjjr9
+HMJwx81SgJXoGs63k+Tf2ih4OPvG
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec
new file mode 100644
index 0000000000..cab2448889
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/CN=Temporary Certificate Authority/OU=Intermediate
+subject:client cert via intermediate
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem
new file mode 100644
index 0000000000..b3321ade96
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUESnNHJJUmr0N5OMLVtpjwidqEu4wDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw
+MFowKzEpMCcGA1UEAwwgY2xpZW50IGNlcnQgd2l0aCBPQ1NQU2lnbmluZyBla3Uw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjITAfMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDCTANBgkqhkiG
+9w0BAQsFAAOCAQEAQsoHHdWUfZ+DVMAsLGqRs7wUuK+JUT1ZGBUejm/jHUu53n44
+bd9dROahgeXvTAHvwZqvFNL3qYjJPhbtIYzNYa/OQwQCC9dPv9pPE5npRf64m4qc
+sMO1rWkSAnljIfJv+NPugtzfJPTNQ6nimx1CEijKxyv3/5hy2pYMAzMMDMufynID
+PlU8QXp6kHq+xYBggX54iHdAyObvD4O6YrFAOo/xXN6iqH4pNimE6m/+gPbWTerf
+YCHAWXYfZ4Mq3AnE+Dzkl1XxMCrmS9LFguWSV1Zz8YbzAWgiZ4M5qxP7eaA0hPSY
+bNEGLMr+tb3vn7AHGA9LySBZnZG2ZrMOgjdTnA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec
new file mode 100644
index 0000000000..5cbd5af8f0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec
@@ -0,0 +1,3 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:client cert with OCSPSigning eku
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/mochitest/browser/code-ee.pem b/security/manager/ssl/tests/mochitest/browser/code-ee.pem
new file mode 100644
index 0000000000..00d89a7880
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/code-ee.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAbCgAwIBAgIUcSZpO8heK76gtjUinR9ZHfSXvHIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEjEQMA4GA1UEAwwHY29kZS1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMXMBUwEwYDVR0lBAwwCgYI
+KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAGJiZ7XrXvVd8x8x+Aq9uPgDAvLU
+MBJ2KTGGRcsu3RtTIy4856Ro7dgjuCyX38nX3AqI+geKWCerXe2sbjZ+NVC29Ppx
+BvQwq80s6wy0dSReOr/8hFDHFCqJ/jTHCafNFhX77Db+Tt+lWlkf/tGRiO4cqE/r
+6ejfJM7ZgNAdXHtY0v2H3DkSa19DUcY+kW45gYfnKkSrwAZFGbF//rb4uJy2i01q
+8fvimkpKSIwM6hL6nZdAwzO37xetaH7AhGbjtK9YTiXISfH34zQVjqMH1xddSCU/
+2LBeTxIBj7Pqt2n3diM7cL02Ip3scABoIDdIJkL6I/QcGDg6mUUVBv7cypQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec
new file mode 100644
index 0000000000..93f9a84265
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:code-ee
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem
new file mode 100644
index 0000000000..18d4717a55
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwjCCAaqgAwIBAgIUDwpGZ9TkQ1znfituEv+3wAUjlzcwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKZXhwaXJlZC1jYTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw
+MjUwMjA0MDAwMDAwWjAdMRswGQYDVQQDDBJlZS1mcm9tLWV4cGlyZWQtY2EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAEwDQYJKoZIhvcNAQELBQADggEBAE6mku7tzWcfYfAA+8fQAPY5P84NmIXa9aRm
+nrcVE0i8w01KmCVA+1PvEosius/Ub6wiaCaze/WUNZig682wCWlbWS4fe+YPyaay
+9UqRNSrLfs8PtKa7iMXvrdU22RuM2XVAYysS/gqYCBxbeCzHDUeCB/08Re41XMOt
+5Vk0McSwOaZ5XELSWlBeFnSGSyYXKTSKaXtPz1hmRdF7oeAMj8oJb6VCRFTDCZSf
+eJN9n4s/TQa5qawlmxiwZIYI8SEir3hhQXF1G/Xf9DQf4EBpm6J5b23SJAUUfDKF
+YYr2uDbkzXOiALGvDjJ2HIbNAPbxhJwNqG1gheHcTpLbhmN6KGc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec
new file mode 100644
index 0000000000..3e280fc4fc
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec
@@ -0,0 +1,2 @@
+issuer:expired-ca
+subject:ee-from-expired-ca
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem
new file mode 100644
index 0000000000..3a029db49e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUJajqZUcpJWGn9b/Eqqf0KVSXdqMwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMdW50cnVzdGVkLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgP
+MjAyNTAyMDQwMDAwMDBaMB8xHTAbBgNVBAMMFGVlLWZyb20tdW50cnVzdGVkLWNh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCEH6bV29DmFXA+Vg1pRbhKaxJ6DosL
+puDtx8eWeLz1LZnhDxg7WoxSzg8hSINoht+KeE3mEM1wDlj+CHUaHlHpxXA2jnw0
+qTMOw8/uuR9GegtjP8fxWgDRPE8FdObtqgTwgz3PcFGHHDIbdmBjzldjp+mr9rLA
+jLGUaMf2xLHHbIb9tCo06CGKcXs38sxnJLWC1XDe3RK36JD/Ba/6MvjEg7VM9a3T
+uQsKNRj64yy+/fTgJ/1VKlXmVHYdwWAYTs/5zYR388M7xOvUHFp2zrDFpnLkdUdh
+RPa5v7DKHa504V6dFSkMFkHsk0dNHgTznR1YNMFD7VmMQklMuvvgfQ3L
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec
new file mode 100644
index 0000000000..833e1a23a6
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec
@@ -0,0 +1,2 @@
+issuer:untrusted-ca
+subject:ee-from-untrusted-ca
diff --git a/security/manager/ssl/tests/mochitest/browser/email-ee.pem b/security/manager/ssl/tests/mochitest/browser/email-ee.pem
new file mode 100644
index 0000000000..d856aa6aa3
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/email-ee.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUVZwQ1Of+nj4eG0+TjbqZffyD1rEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEzERMA8GA1UEAwwIZW1haWwtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoG
+CCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQCYbnocbOa5AGp4lEMq/ckjdp8J
+8WElrTbZmzFbUSdg4t8a3PCNzxpKQbGaQc4q1OtSGxhXNEVGYzxiOWIXIeYkuQWS
+Ej2SEk5krcOHgxu3JAucdidSaWNSUlhTpMgN2XekukSbSIE+MHBYgZqIM4yoQe59
+T2ns6fyqErRYpx828YrD2gDYiQAqyJQRA3DaGLRi1kjr8MWnalEgfxUkH7l8Qk09
+TGBmsOVLZaXtbXH3gNWW6275/Ea+zHyON3XrSVPNgXGPK6ZF7fb3sRE+SRaPjqgB
+8w2fPZ6y/jw8MklVKiR2zY6GdaDCiX1IxmrsOFy5ANlqTvmOAglCg11pdcTt
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec
new file mode 100644
index 0000000000..82e3296706
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:email-ee
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/mochitest/browser/expired-ca.pem b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem
new file mode 100644
index 0000000000..e019b37127
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUS6xUkMzG2REizII2g+VecO/KqX8wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDExMDEwMTAw
+MDAwMFowFTETMBEGA1UEAwwKZXhwaXJlZC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABJdjrt25wocw4aP
+eR1kZuu3WS0bKfuvhQQPFkAG+HYSC5eu0OriQCRlxn+qHY7du9dePcD6DTMDIVDW
+r+oBJ9BwCEREyTcV8AEaHdcTAakXOMhq6OOltl6HUu3lSlqRslzAhtl1chM0P8m1
+Aj+ceOkCFHvnsDd+zcSP75u8zzJKypSWQwAg/i5S0BNLOWYarPiczuYi4HAOpwtX
+QqlmDNMYySqPFfH72BuQdCLuviBXmMP8/kOouBNP4ti06RR88XgqfoL/jV4gkIM7
+92hXt0WpS/QffjWzLaej39YhW4pMZ+hF4bk9nUCtN/MHtg8WDj1CgfSJZegrl28W
+3riMotA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec
new file mode 100644
index 0000000000..15bdcd7d73
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:expired-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+validity:20100101-20110101
diff --git a/security/manager/ssl/tests/mochitest/browser/has-cn.pem b/security/manager/ssl/tests/mochitest/browser/has-cn.pem
new file mode 100644
index 0000000000..d71fa7af3e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-cn.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUcRho0IgxDpQ9mLwrKXdUlGx+17EwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowNzEMMAoGA1UEAwwDRm9vMQwwCgYDVQQLDANCYXIxDDAKBgNVBAoMA0Jh
+ejELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAw5KXaTIVAa
+aC5Wtey/YCgRodJWV5FBtBDmMBMVS6p9nKltnrLkns1f+nVPwhngoQ6BCbN0omJO
+SCziNVK0RA3S1SfVOnz37sD0UodgGURZH2WoyLF5CLiplvkFmtR1E/NLGNSVthBk
+lO2U8n4azTjD474/MJfeaafavzp/FfKl/qn9Df+D0GTRuVO/cwTeZgV5Xq+5NQHl
+9TaCBWnJT0nCjXD5LY88MkS5gMfKYhg/Ukr+bXIONpoizc8oEbJ/y+zz40YTlyLS
+nKd3AGFihWamXUNQoRNrqj0LJjkp4UOHse1NjUR/ELBOFoQ+isc4IlqMs6EJkkrV
+nQn1tv3mTZQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec
new file mode 100644
index 0000000000..a4a0fcb5fa
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/CN=Foo/OU=Bar/O=Baz/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem
new file mode 100644
index 0000000000..df14041f69
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICijCCAXKgAwIBAgIBCjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJjYTAi
+GA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAAMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQBu3MN1OSmzWjcY64BjiW16f8z/YzdgGljNnpiq9LBy3TwB
+Upd0lgIF6y25W6pAYASM9A+5Wk9T3jHz7cYtvgYsxEvbYF9bNSLTc4EQJpMTQCuc
+AcRTuZlGJJmBWAXG+FNgyuSGAHlW5fgv42k5av3Q7irzuDmKTp5nVNwbZ4a8gEyE
+xIdECAsN7OZAcafZKHkAFXE+7x5p1HppDUT6Cnud26bRdw3PzacyvgzbEE/E7SAW
+fi21fSsY84ybygiV6XXEDGlYMKiXPXNqKOKKQiOaNdjZHjDjs0WzMb3FitM6BJfT
+w6yQin/tsf2UbnP/s2hZrCg92fNbCtG3P6MAGdYS
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec
new file mode 100644
index 0000000000..6346f7b83a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:
+serialNumber:10
diff --git a/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem
new file mode 100644
index 0000000000..6fe0c66e96
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICqjCCAZKgAwIBAgIUcRygY3MPPtD72llMhdZrkA34zIQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACYn
+2YYASS0cJRJNbLsF1u0Fst/4JcPQ/U9qzDh+jc5nhStUD4QUS20/dDQaOLX2LWan
+cDRxY1gXhN4xCbxMhnh6jzkpj6kFqu4Mf6j5J/3V0l2G3jnyRbd+IY3GYRnj7oDk
+1zllpA39hGRo8cdt1KNDwhc1BBfiFIu1M0iUIOEvpK5npKBXuR6z93OUhhtL1Fmf
+k73cAm2HGXsUxlPwLV8jlRRyflF7ndT6+CBN9rHdA2enM2J6WgJraWEiISwDvBgs
+sbWU/LoyrzsKFhH/TX3lN37VlqKeAmJVu1gC020Wu9G/yfzoaG38CQHwsiiwvwX/
+WDLOLH7F1yB7D+wlFCM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec
new file mode 100644
index 0000000000..cc1b668a63
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/has-o.pem b/security/manager/ssl/tests/mochitest/browser/has-o.pem
new file mode 100644
index 0000000000..28080a17a7
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-o.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUAS43zKpKvEqNftR+iGFQNyxunOEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGzEMMAoGA1UECgwDQmF6MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAl6kVxr3IJXmjnJ+SPVLG7b/UiRyPhZ1sEBBT2PLGeOU1bPNn
+N4vDiLno2UUNPiZOJi3zkG/ljVAz9mQCVvoxwdtqSjduUk3+rZFWSG4VFuGxc66d
+E7R0rTdlaFSdTp0Cf9zSHPIJ+bJzljB6plMzuRxy/PQ2JWii0qmK6pitTNpPrx6K
+VspDcdDdLYsrdZ8OeH1NGvqeYCPaweU5Jmt1tmCv3XLB8Zdk091UAuqmZIlGbH5C
+rXiDLxqnCr15dQYw/hHKNyRL2kSA8ZpVu/psmznGQB9wePYnjPnMUtJS/CF9pW0Y
+2icCxZDUzguu2/1tFT/MVArWlGCR3FUr3XjgJQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec
new file mode 100644
index 0000000000..f7cc3ffc73
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/O=Baz/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/has-ou.pem b/security/manager/ssl/tests/mochitest/browser/has-ou.pem
new file mode 100644
index 0000000000..c5590b5779
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-ou.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUa9qwFC5BxyhkqYu+ori020sfdFwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowKTEMMAoGA1UECwwDQmFyMQwwCgYDVQQKDANCYXoxCzAJBgNVBAYTAlVT
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAJwpYG0a3/hstrP1duw/KaRaQ//NbS
+QrlC0EBDjxZghjXjB+s5OTM78MO0Ao7052WgVCA289JWy9v5Pg9ht6KRBjarHSEU
+H7IsZ/EkK0sV9aHgM0Lw8mZsG1ZCzkMMcySVzYvxUpKbc056pEuZAkATUNj0SZjx
+tQMsqCXW0JvRQLUd7EDiFeGAx5UsRgQ33IUoEXLdJmsj+7RgEYPhX0bTNm18YpZV
+MlDmaYXv2gXCYjOJAMcYXlVruHNuuq/cTHCgwIUObqYtEpkIAPqXb0KaoqdTiHn7
+rdWCnOk7BrTHfnoChc5jJvhlKWS7f2UEUw9nJCO1CN13bRQ7AXhZsGrC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec
new file mode 100644
index 0000000000..8879dabf51
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/OU=Bar/O=Baz/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/head.js b/security/manager/ssl/tests/mochitest/browser/head.js
new file mode 100644
index 0000000000..1ae951d7a5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/head.js
@@ -0,0 +1,82 @@
+/* Any copyright is dedicated to the Public Domain.
+ http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+/**
+ * List of certs imported via readCertificate(). Certs in this list are
+ * automatically deleted from the cert DB when a test including this head file
+ * finishes.
+ *
+ * @type {nsIX509Cert[]}
+ */
+var gImportedCerts = [];
+
+registerCleanupFunction(() => {
+ for (let cert of gImportedCerts) {
+ gCertDB.deleteCertificate(cert);
+ }
+});
+
+// This function serves the same purpose as the one defined in head_psm.js.
+function pemToBase64(pem) {
+ return pem
+ .replace(/-----BEGIN CERTIFICATE-----/, "")
+ .replace(/-----END CERTIFICATE-----/, "")
+ .replace(/[\r\n]/g, "");
+}
+
+/**
+ * Given the filename of a certificate, returns a promise that will resolve with
+ * a handle to the certificate when that certificate has been read and imported
+ * with the given trust settings.
+ *
+ * Certs imported via this function will automatically be deleted from the cert
+ * DB once the calling test finishes.
+ *
+ * @param {string} filename
+ * The filename of the certificate (assumed to be in the same directory).
+ * @param {string} trustString
+ * A string describing how the certificate should be trusted (see
+ * `certutil -A --help`).
+ * @returns {Promise}
+ * A promise that will resolve with a handle to the certificate.
+ */
+function readCertificate(filename, trustString) {
+ return IOUtils.readUTF8(getTestFilePath(filename)).then(
+ pem => {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let base64 = pemToBase64(pem);
+ certdb.addCertFromBase64(base64, trustString);
+ let cert = certdb.constructX509FromBase64(base64);
+ gImportedCerts.push(cert);
+ return cert;
+ },
+ error => {
+ throw error;
+ }
+ );
+}
+
+/**
+ * Asynchronously opens the certificate manager.
+ *
+ * @returns {Window} a handle on the opened certificate manager window
+ */
+async function openCertManager() {
+ let win = window.openDialog("chrome://pippki/content/certManager.xhtml");
+ return new Promise((resolve, reject) => {
+ win.addEventListener(
+ "load",
+ function () {
+ executeSoon(() => resolve(win));
+ },
+ { once: true }
+ );
+ });
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs b/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs
new file mode 100644
index 0000000000..95eede25f0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs
@@ -0,0 +1,16 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+function handleRequest(request, response) {
+ let hstsHeader = "max-age=300";
+ if (request.queryString == "includeSubdomains") {
+ hstsHeader += "; includeSubdomains";
+ }
+ response.setHeader("Strict-Transport-Security", hstsHeader);
+ response.setHeader("Pragma", "no-cache");
+ response.setHeader("Cache-Control", "no-cache", false);
+ response.setHeader("Content-Type", "text/html", false);
+ response.setStatusLine(request.httpVersion, 200);
+ response.write("<!DOCTYPE html><html><body><h1>Ok!</h1></body></html>");
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html b/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html
new file mode 100644
index 0000000000..5a0791557b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ "use strict";
+
+ let src = document.location.href.replace("hsts_headers_framed.html", "hsts_headers.sjs");
+ if (document.location.search == "?third-party") {
+ src = src.replace("example.com", "example.org");
+ }
+ let frame = document.createElement("iframe");
+ frame.setAttribute("src", src);
+ frame.onload = () => {
+ let done = document.createElement("h1");
+ done.textContent = "done";
+ done.setAttribute("id", "done");
+ document.body.appendChild(done);
+ };
+ document.body.appendChild(frame);
+</script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem b/security/manager/ssl/tests/mochitest/browser/intermediate.pem
new file mode 100644
index 0000000000..2480febf91
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWjCCAkKgAwIBAgIUQ98nHYCeqigGsr++R4IpE/QtJTwwDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw
+MFowQTEoMCYGA1UEAwwfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEV
+MBMGA1UECwwMSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAWSVWMKE1GS9pXzdJ2pgu501C
+H/JSsxDaex9LfN9GGXN4NVDnbgPglf+q1vzY+8XjCGeGVUhum82Ui7s+fjCkDBcO
+cY3iss94021rVHhNsdvuMq7BNE/Y7YtKfEQMNKtjoWWiF4OgU5M7NfNsU/oj3ycp
+mefk+hNA+blPX9yfACKCeO/6RK5QFakDxZl5ls6KJIgqM2RvJHMBedHqTsfvBCbp
+xMojtCZgCtFPGFgAIk2TGzRx5njiZeyseWH/drGdY/YKxJRCu0lLy30zVYJP1Ti/
+s4PSUczBu+6Hrx6PejewWtXcSyeK7E1+Fb7BX1OG9xPzVclUHrO8yuyS12ei7Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
new file mode 100644
index 0000000000..a562814041
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:/CN=Temporary Certificate Authority/OU=Intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem b/security/manager/ssl/tests/mochitest/browser/invalid.pem
new file mode 100644
index 0000000000..0063e0c39d
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwDCCAaigAwIBAgIUfZyrU2miUlovoBEId6Sq0W2+GN4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEjEQMA4GA1UEAwwHaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgEG
+MA0GCSqGSIb3DQEBCwUAA4IBAQB+WgW4wZiskIjyu+7JNHvivXSO3N6F6etrjgKS
+0KfvdOYpriS5J4yVsYjiTdlAK+PNgx3V9RDCrYD/lWQKZmMB5eWy5xvPfQvke+PQ
+VSo/IXvCWE3jvmNGH/1x0ludyFa08TgbcGGbfkJQhyg00IvdlyFypRzxkSFx4IiC
+h5UcZEhR8DhXeIS4Jcy9whcRfqC/rGLOWPS75rXDaSI+qolQlFEvmL0c89yYudtL
+g1vQz8YHo3OAqht60gkxMV/dtHwONltxDuO55PXl65Q1OYZGghdUC9q750Hi2U5Y
+lpz5GdxqPH1SlC4TFUXcTw+wTywV+OTR3B/lYxzwh6eZgUPW
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec
new file mode 100644
index 0000000000..71a1707c35
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:invalid
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem b/security/manager/ssl/tests/mochitest/browser/longOID.pem
new file mode 100644
index 0000000000..edbe739c9f
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIESjCCAzKgAwIBAgIUH/LZJJV0+HAiFpg1LFyimJNN2/0wDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwITG9uZyBPSUQwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1
+MDIwNDAwMDAwMFowEzERMA8GA1UEAwwITG9uZyBPSUQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjggGQMIIBjDAM
+BgNVHRMEBTADAQH/MIIBegYDVR0gBIIBcTCCAW0wggFpBoIBZSqD3OuTf4Pc65N/
+g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr
+k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D
+3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuT
+f4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc
+65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/
+g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr
+k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D
+3OuTf4Pc65N/ATANBgkqhkiG9w0BAQsFAAOCAQEASReXmbBObPQQC3qN9cFj7txY
+ArJ/gW14Os+qqn03/ArWcORIoQF/vD6X8tdV1bKcKzLxqvZ0bdMyaRg2CMUX1LiF
+/jfVooot21ZJwh07IKYi8RBm54BAYlAqUB82mMutUc+6Ut/9MqxsAtKoBjjnoV78
+94cf3K/lKoTwdVz9F1L91RC6ARbnU69xcYLGU4Tazt1Zf3VVY4Y5iOxFYLuFcyyW
+dwHRaobTjN1OA70e5emPQARbVt+nUbcJPGTUL6kQFxNzRJ2GStqBV2QmxXES/cgw
++itB72hrTgIFFAsi9oYLPXlNIgJ+1T0uq7t8vqenpIZUTmch6ZLomFvRYEBOEQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec
new file mode 100644
index 0000000000..c3c08ac84b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Long OID
+subject:Long OID
+extension:basicConstraints:cA,
+extension:certificatePolicies:1.2.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.1
diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem
new file mode 100644
index 0000000000..5c562cf0b4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrjCCAZagAwIBAgIURRrxes60EYjDGrpfM/azxcVXALQwDQYJKoZIhvcNAQEE
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowETEPMA0GA1UEAwwGbWQ1LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEBBAUAA4IB
+AQBvnuXiImrqTkusX+19BoKO2bQlP5sQLnfTvyOzyHOK5MoDkC7up7bFSnFgOdxH
+L2LllEFbS9O26poAMA+EY2sQ6Rn3WiFZUkmF5pKhVp6I90SwIExa13YGyLTqWMsu
+ttbwrAXwNIp31mGmt4UNArLoAyyK+nn+juVaPm+C8VORqzCpJVzJt9+35XAnpwt1
+1Q8lYNNulzi+qbZH85LGrUvhPe2tIstUz9SoGfg0ljP/fvinDRoVPOs7i3+x+RM5
+uVeaQ8LZTmAVCfBdD3e18ehYoHFyWPKZClQTR6X2TeLp4/gepissuwWa1igYA9Hi
+1tEhEobBwd17/mjr3J/fKnSd
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec
new file mode 100644
index 0000000000..279c158026
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:md5-ee
+signature:md5WithRSAEncryption
diff --git a/security/manager/ssl/tests/mochitest/browser/moz.build b/security/manager/ssl/tests/mochitest/browser/moz.build
new file mode 100644
index 0000000000..cfd5452a0e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+BROWSER_CHROME_MANIFESTS += ["browser.toml"]
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem
new file mode 100644
index 0000000000..9d21112e3c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmugAwIBAgIUefe9aVUlLbfhs5MiySqADkIcdJ8wDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw
+MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
+AgH+MA0GCSqGSIb3DQEBCwUAA4IBAQClgVd2rdbSo0TCmrgszyl7TQ465L+YMlqD
+Q/KXpO8H7aKIxptW+7CwfhxnpLd6RLbjsK1K/cFF2a5cVJxsh4t2HoVybjivuOp1
+Yws4/3xVFqu4NsCz2eLHKt3bIZf8TASeJpuvJvNEmqnEHHoRQnfxiQMa0ztcJss7
+Wvb/Nck5iUHTFlkOghgUE3yDZ9yPlofIrCrZiWBGINslHYRZCue0irfv7T40hPyv
+hu+agWCdauh/p77+Z6Nq5b7rGNsF8zN0O3W/f4RbGTjzhtPMZcg4fYCLqqv7ML3z
+C314G9wQIBPwMjVAEyaOf7G6V48WrRz7q6V83noKmf0vsPGHvH9U
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..4def496f67
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem
new file mode 100644
index 0000000000..1fda92bb93
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmugAwIBAgIUfy7mnEW2lfad+ZR8vPZUtd+l8KEwDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw
+MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAiC+uvMvWWWs2WYG/Hf3Q18unxl4jV7QhZ
+TGpxLCM63AUo0vhCZQia8L0qvvwLJ7RUOnDBQrT6mrGDBi8sWQyzna8X/qA7jD/K
+cM2z8QkIs/y8BV1u8KZ68fXqMz6toptWkJK55IFk85GHEDlgPX0lh4SPd4BCuY+X
++v534nMMm8xBtzXZbrvxe2manCFfPIq0yr0Vl+psnAYgVW96JivxqcfiYn59y1n6
+8YZrGgCZ35B5LgLIBzZi5sJtBC/VLRrVGSci8nNGQzqQ5TXDgGns7eO5mOGIy+ZV
+l8A03fNLP5lB6QFNvPMg5ux4gKN2VGjPcU+RxdrucDgJU+RgzuGs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec
new file mode 100644
index 0000000000..448e167bd0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem b/security/manager/ssl/tests/mochitest/browser/revoked.pem
new file mode 100644
index 0000000000..dfdea6aab8
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZegAwIBAgIUY6Ozs/15FHnCV6XP+oKphcqua4IwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEjEQMA4GA1UEAwwHcmV2b2tlZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAiygONmY4DwqqR/CexFcHaXXE+L+6O4hjvSjC+JfoAaQjULUYMyILyJLgwy5W
+sjO7zZBm9lpfOq2APz64rWqAWuxISbUkHTAD+Juqq08ehgCbO+qUqDPdN+8gbTy0
+IhJa5MjRg5eO7ggFLiMlnETI2ZkvQYe/LhGMUzel7sfsWi1eTEsB+BZSHQjUrjn4
+AJ7vBEOmI4c67DbZzhMCr32U6Zkv2J8mcH6H12U+WkyCbPDkx69UK+AqaGeEX+ka
+Lmn4Yi5FIP44Vv3IoSy9DMEsjuT+9GHrH9HFgNugThhmNis4DM2wjdbUXdjR/T9e
+yhz9WTXANM5omANrP/zH6dNk1g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec
new file mode 100644
index 0000000000..daf75c670f
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:revoked
diff --git a/security/manager/ssl/tests/mochitest/browser/some_content.html b/security/manager/ssl/tests/mochitest/browser/some_content.html
new file mode 100644
index 0000000000..f591f32d3d
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/some_content.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+<h1>Some Content!</h1>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/some_content_framed.html b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html
new file mode 100644
index 0000000000..8f8194f9e7
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ "use strict";
+
+ let src = document.location.href.replace("https://", "http://");
+ let frame = document.createElement("iframe");
+ frame.setAttribute("id", "frame");
+ frame.setAttribute("src", src);
+ document.body.appendChild(frame);
+</script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem
new file mode 100644
index 0000000000..272be45a76
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUH3+Xdp/O5Rd6jutipltQkifl9ycwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowETEPMA0GA1UEAwwGc3NsLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyEwHzAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAJTxcdoif/XVwjYR
+hPRVCNmy20LErwphK4xK6+X4Zi1DJ/HvAWdjUPOkL/XbnddcoR56E11IgAD2UhLJ
+vFNItTVs8NV7kTTf2Jsg4Fn4n3vfOcivdzlFOPIW5UMHUeJ7PNA9emJnK8YXjbrs
+KZ0NVZ10H4Fuj+BgscdhvZ2FaHwyUhaJ9RgaORxGo+0pJDey/R9ruSn5CoqkHAFI
+bwZ0z22cxjo6hWuewfblsAe8a5Ssbd90q1pXDadcFhQ7Aq+6SJkSCQPiM+Sz/iDN
+xz1qCwdO0VjRRmVzweeOj3Ep8ebuUIGmnIdA08xAUztSHTkyXdAprN6EygHpibah
+vRfsQrY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec
new file mode 100644
index 0000000000..c4037675f1
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ssl-ee
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem
new file mode 100644
index 0000000000..a6d802883b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuzCCAaOgAwIBAgIUb7DcOwSWh31LKC+TIu6um7tDdIUwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHdW5rbm93bjAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAZMRcwFQYDVQQDDA51bmtub3duLWlzc3VlcjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEASkzl98adoA7+9SxqkkPzL1cXKOMaWCiDsRUElri/B5B9
+UvIRhPIN1MA5NnkM7F2y+md0jF7fQQ0Ui4VaOpGo6iICFYq4g5SwX16HvIM95Uxy
+1MK4TfbtaG7aoOvbV8fW8WDXnks2YyY34rd3AMU4xi2a+z7p1tNhU7K6gC5RgH+u
+uP/xU0rb+yIyTDApt25QEJBNcLUMLpJN8Zcg5+RKcP4q9YAFkh3tSYhpiZhSgB2q
+CTbFMRKpeXNpp9TgvMcAP1kM1UckNoQIyhBwgdtvPjEa0fbz/Wf7fIArCb6sk/jV
++xANql2CVcT07+Juka15opxAsDgwuYnR5eVaCB/DeA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec
new file mode 100644
index 0000000000..c76a4e2c7b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec
@@ -0,0 +1,2 @@
+issuer:unknown
+subject:unknown-issuer
diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem
new file mode 100644
index 0000000000..fe91a2849c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUN9RlKkRxZsQXbeuVuTiQV/eq/wUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFzEVMBMGA1UEAwwMdW50cnVzdGVkLWNhMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAPivTuANdnSMY
+9vSbWY1LUYMjcXfeKNYPIB6t9tPjNFOFst2QnRG8qUWUQlj9FaB4uTVagHD6r6Gk
+XEbuj3O/IgFfCLPxHebGLw1XlLHfWG9iQiR0bOkmLnlNJdHVJ4uI8aaVU9B80T3x
+AzvPAfc4sv/7Fqu9XXHCUx3g6nqyKgcxWoXUe5sX/Wcvtjf3a5HcRUPJ6CYxM36X
+RFeoELH79QMnJ4cYLbUWrOO8+n2RH0BnJAnyxBd8bNVknnROzbjq10wi60ei8Eon
+8EIPNjveVtlnrAePm4EyTvFTYB8YtUPRTnkfJlRlVRDkRtQlscxdbmPZI/+xeXFu
+5zD9Q/ez+Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec
new file mode 100644
index 0000000000..04f4430574
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:untrusted-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs
new file mode 100644
index 0000000000..96c14f4e65
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs
@@ -0,0 +1,7 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Access-Control-Allow-Origin", "*");
+ response.write("<html><body>hello!</body></html>");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/backward.html b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html
new file mode 100644
index 0000000000..8699a07dda
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <script type="text/javascript">
+ "use strict";
+ window.onload = function()
+ {
+ window.setTimeout(function()
+ {
+ SpecialPowers.wrap(window).docShell
+ .QueryInterface(SpecialPowers.Ci.nsIWebNavigation)
+ .goBack();
+ }, 100);
+ };
+
+ </script>
+</head>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js
new file mode 100644
index 0000000000..053084a7da
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js
@@ -0,0 +1,10 @@
+/* import-globals-from mixedContentTest.js */
+"use strict";
+
+document.open();
+document.write("This is insecure XSS script " + document.cookie);
+isSecurityState(
+ "broken",
+ "security broken after document write from unsecure script"
+);
+finish();
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html
new file mode 100644
index 0000000000..4bbf9bfe8c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 383369 test, step 2</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/does_not_exist.css">
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ window.onload = function runTest() {
+ window.setTimeout(function () {
+ window.location =
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html?runtest";
+ }, 0);
+ };
+
+ async function afterNavigationTest()
+ {
+ }
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html
new file mode 100644
index 0000000000..276c2343fd
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 383369 test, final step</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("secure", "secure page after insecure download and insecure subcontent still secure");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("secure", "still secure after back/forward");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto
new file mode 100644
index 0000000000..4d2fb7d5ae
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto
@@ -0,0 +1 @@
+Temporary file for security/mixedconent tests \ No newline at end of file
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^
new file mode 100644
index 0000000000..9c3159e153
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^
@@ -0,0 +1,2 @@
+Content-disposition: "attachment"
+Content-type: application/x-auto-download
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs
new file mode 100644
index 0000000000..9e34227f00
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs
@@ -0,0 +1,6 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ //response.setHeader("Content-type", "image/gif");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs
new file mode 100644
index 0000000000..5f78a806b4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs
@@ -0,0 +1,17 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-type", "image/bitmap");
+
+ let bmpheader =
+ "\x42\x4D\x36\x10\x0E\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00\x00\x00\x80\x02\x00\x00\xE0\x01\x00\x00\x01\x00\x18\x00\x00\x00\x00\x00\x00\x10\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+ let bmpdatapiece =
+ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+
+ response.bodyOutputStream.write(bmpheader, 54);
+ // Fill 640*480*3 nulls
+ for (let i = 0; i < (640 * 480 * 3) / 64; ++i) {
+ response.bodyOutputStream.write(bmpdatapiece, 64);
+ }
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html
new file mode 100644
index 0000000000..90523a57f5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+ This is frame 1:
+ <script>
+ "use strict";
+ document.write(location.href);
+ </script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html
new file mode 100644
index 0000000000..87765bbb5b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+ This is frame 2:
+ <script>
+ "use strict";
+ document.write(location.href);
+ </script>
+ <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html
new file mode 100644
index 0000000000..6c7a5473cb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html
@@ -0,0 +1,8 @@
+<!DOCTYPE HTML>
+<META http-equiv="Refresh"
+ Content="0; URL=http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html">
+<html>
+ <body>
+ Redirecting by meta tag...
+ </body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs
new file mode 100644
index 0000000000..914391e8f5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs
new file mode 100644
index 0000000000..32afc824ea
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs
new file mode 100644
index 0000000000..cb966a56d2
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs
new file mode 100644
index 0000000000..d128ce2238
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js
new file mode 100644
index 0000000000..6c300b7fc3
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js
@@ -0,0 +1,211 @@
+"use strict";
+
+/**
+ * Helper script for mixed content testing. It opens a new top-level window
+ * from a secure origin and '?runtest' query. That tells us to run the test
+ * body, function runTest(). Then we wait for call of finish(). On its first
+ * call it loads helper page 'backward.html' that immediately navigates
+ * back to the test secure test. This checks the bfcache. We got second call
+ * to onload and this time we call afterNavigationTest() function to let the
+ * test check security state after re-navigation back. Then we again wait for
+ * finish() call, that this time finishes completelly the test.
+ */
+
+// Tells the framework if to load the test in an insecure page (http://)
+var loadAsInsecure = false;
+// Set true to bypass the navigation forward/back test
+var bypassNavigationTest = false;
+// Set true to do forward/back navigation over an http:// page, test state leaks
+var navigateToInsecure = false;
+// Open the test in two separate windows, test requests sharing among windows
+var openTwoWindows = false;
+// Override the name of the test page to load, useful e.g. to prevent load
+// of images or other content before the test starts; this is actually
+// a 'redirect' to a different test page.
+var testPage = "";
+// Assign a function to this variable to have a clean up at the end
+var testCleanUp = null;
+// Contains mixed active content that needs to load to run the test
+var hasMixedActiveContent = false;
+
+// Internal variables
+var _windowCount = 0;
+
+window.onload = async function onLoad() {
+ if (location.search == "?runtest") {
+ try {
+ if (history.length == 1) {
+ // Each test that includes this helper file is supposed to define
+ // runTest(). See the top level comment.
+ await runTest(); // eslint-disable-line no-undef
+ } else {
+ // Each test that includes this helper file is supposed to define
+ // afterNavigationTest(). See the top level comment.
+ await afterNavigationTest(); // eslint-disable-line no-undef
+ }
+ } catch (ex) {
+ ok(false, "Exception thrown during test: " + ex);
+ finish();
+ }
+ } else {
+ window.addEventListener("message", onMessageReceived);
+
+ let secureTestLocation = loadAsInsecure
+ ? "http://example.com"
+ : "https://example.com";
+ secureTestLocation += location.pathname;
+ if (testPage != "") {
+ let array = secureTestLocation.split("/");
+ array.pop();
+ array.push(testPage);
+ secureTestLocation = array.join("/");
+ }
+ secureTestLocation += "?runtest";
+
+ if (hasMixedActiveContent) {
+ SpecialPowers.pushPrefEnv(
+ { set: [["security.mixed_content.block_active_content", false]] },
+ null
+ );
+ }
+ if (openTwoWindows) {
+ _windowCount = 2;
+ window.open(secureTestLocation, "_new1", "");
+ window.open(secureTestLocation, "_new2", "");
+ } else {
+ _windowCount = 1;
+ window.open(secureTestLocation);
+ }
+ }
+};
+
+function onMessageReceived(event) {
+ switch (event.data) {
+ // Indication of all test parts finish (from any of the frames)
+ case "done":
+ if (--_windowCount == 0) {
+ if (testCleanUp) {
+ testCleanUp();
+ }
+ if (hasMixedActiveContent) {
+ SpecialPowers.popPrefEnv(null);
+ }
+
+ SimpleTest.finish();
+ }
+ break;
+
+ // Any other message is an error or success message of a test.
+ default:
+ SimpleTest.ok(!event.data.match(/^FAILURE/), event.data);
+ break;
+ }
+}
+
+function postMsg(message) {
+ opener.postMessage(message, "http://mochi.test:8888");
+}
+
+function finish() {
+ if (history.length == 1 && !bypassNavigationTest) {
+ window.setTimeout(() => {
+ window.location.assign(
+ navigateToInsecure
+ ? "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html"
+ : "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html"
+ );
+ }, 0);
+ } else {
+ postMsg("done");
+ window.close();
+ }
+}
+
+function ok(a, message) {
+ if (!a) {
+ postMsg("FAILURE: " + message);
+ } else {
+ postMsg(message);
+ }
+}
+
+function is(a, b, message) {
+ if (a != b) {
+ postMsg(`FAILURE: ${message}, expected ${b} got ${a}`);
+ } else {
+ postMsg(`${message}, expected ${b} got ${a}`);
+ }
+}
+
+async function isSecurityState(expectedState, message, test) {
+ if (!test) {
+ test = ok;
+ }
+
+ let state = await SpecialPowers.getSecurityState(window);
+
+ let isInsecure =
+ state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_INSECURE;
+ let isBroken =
+ state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_BROKEN;
+ let isEV =
+ state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
+
+ let gotState = "secure";
+ if (isInsecure) {
+ gotState = "insecure";
+ } else if (isBroken) {
+ gotState = "broken";
+ } else if (isEV) {
+ gotState = "EV";
+ }
+
+ test(
+ gotState == expectedState,
+ (message || "") + ", expected " + expectedState + " got " + gotState
+ );
+
+ switch (expectedState) {
+ case "insecure":
+ test(
+ isInsecure && !isBroken && !isEV,
+ "for 'insecure' excpected flags [1,0,0], " + (message || "")
+ );
+ break;
+ case "broken":
+ test(
+ !isInsecure && isBroken && !isEV,
+ "for 'broken' expected flags [0,1,0], " + (message || "")
+ );
+ break;
+ case "secure":
+ test(
+ !isInsecure && !isBroken && !isEV,
+ "for 'secure' expected flags [0,0,0], " + (message || "")
+ );
+ break;
+ case "EV":
+ test(
+ !isInsecure && !isBroken && isEV,
+ "for 'EV' expected flags [0,0,1], " + (message || "")
+ );
+ break;
+ default:
+ throw new Error("Invalid isSecurityState state");
+ }
+}
+
+function waitForSecurityState(expectedState, callback) {
+ let roundsLeft = 200; // Wait for 20 seconds (=200*100ms)
+ let interval = window.setInterval(async () => {
+ await isSecurityState(expectedState, "", isok => {
+ if (isok) {
+ roundsLeft = 0;
+ }
+ });
+ if (!roundsLeft--) {
+ window.clearInterval(interval);
+ callback();
+ }
+ }, 100);
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.toml b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.toml
new file mode 100644
index 0000000000..1a37ba6f38
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.toml
@@ -0,0 +1,104 @@
+[DEFAULT]
+# Disable for Http/3 since Http/3 tests require to run with https.
+skip-if = [
+ "http3",
+ "http2",
+]
+prefs = [
+ "security.mixed_content.upgrade_display_content=false",
+ "dom.security.https_first=false",
+]
+support-files = [
+ "alloworigin.sjs",
+ "backward.html",
+ "bug329869.js",
+ "bug383369step2.html",
+ "bug383369step3.html",
+ "download.auto",
+ "download.auto^headers^",
+ "emptyimage.sjs",
+ "hugebmp.sjs",
+ "iframe.html",
+ "iframe2.html",
+ "iframeMetaRedirect.html",
+ "iframesecredirect.sjs",
+ "iframeunsecredirect.sjs",
+ "imgsecredirect.sjs",
+ "imgunsecredirect.sjs",
+ "mixedContentTest.js",
+ "moonsurface.jpg",
+ "nocontent.sjs",
+ "redirecttoemptyimage.sjs",
+ "somestyle.css",
+ "unsecureIframe.html",
+ "unsecurePictureDup.html",
+]
+
+["test_bug329869.html"]
+
+["test_bug383369.html"]
+skip-if = ["os == 'android'"]
+
+["test_bug455367.html"]
+
+["test_bug472986.html"]
+
+["test_bug477118.html"]
+
+["test_bug521461.html"]
+
+["test_cssBefore1.html"]
+
+["test_cssContent1.html"]
+
+["test_cssContent2.html"]
+
+["test_documentWrite1.html"]
+
+["test_documentWrite2.html"]
+
+["test_dynDelayedUnsecurePicture.html"]
+
+["test_dynDelayedUnsecureXHR.html"]
+
+["test_dynUnsecureBackground.html"]
+
+["test_dynUnsecureIframeRedirect.html"]
+
+["test_dynUnsecurePicture.html"]
+
+["test_dynUnsecurePicturePreload.html"]
+
+["test_dynUnsecureRedirect.html"]
+skip-if = ["true"] # Bug 487402 intermitently fails, quite often
+
+["test_innerHtmlDelayedUnsecurePicture.html"]
+
+["test_innerHtmlUnsecurePicture.html"]
+
+["test_javascriptPicture.html"]
+
+["test_secureAll.html"]
+
+["test_securePicture.html"]
+
+["test_unsecureBackground.html"]
+
+["test_unsecureCSS.html"]
+
+["test_unsecureIframe.html"]
+
+["test_unsecureIframe2.html"]
+
+["test_unsecureIframeMetaRedirect.html"]
+skip-if = ["true"] # Bug 487632 intermitently fails, quite often
+
+["test_unsecureIframeRedirect.html"]
+
+["test_unsecurePicture.html"]
+
+["test_unsecurePictureDup.html"]
+
+["test_unsecurePictureInIframe.html"]
+
+["test_unsecureRedirect.html"]
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg
new file mode 100644
index 0000000000..c0ffca256a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg
Binary files differ
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moz.build b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build
new file mode 100644
index 0000000000..2f41008128
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+MOCHITEST_MANIFESTS += ["mochitest.toml"]
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs
new file mode 100644
index 0000000000..d5d65cf8a4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs
@@ -0,0 +1,5 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 204, "No Content");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs
new file mode 100644
index 0000000000..98ed0a2f52
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css
new file mode 100644
index 0000000000..9867e3c41e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css
@@ -0,0 +1,4 @@
+body
+{
+ background-color: lightBlue;
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html
new file mode 100644
index 0000000000..ccb9a8d9cf
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>dymanic script load</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ window.setTimeout(function () {
+ let newElement = document.createElement("script");
+ newElement.src = "http://example.org/tests/security/manager/ssl/tests/" +
+ "mochitest/mixedcontent/bug329869.js";
+ document.body.appendChild(newElement);
+ }, 0);
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("secure", "when we navigate back, we're loading our secure page again and not loading an insecure script, so our security state is secure");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html
new file mode 100644
index 0000000000..d9298cde3f
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html
@@ -0,0 +1,89 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 383369 test</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ // We want to start this test from an insecure context
+ loadAsInsecure = true;
+ // We don't want to go through the navigation back/forward test
+ bypassNavigationTest = true;
+
+ async function runTest() {
+ let script = SpecialPowers.loadChromeScript(function() {
+ /* eslint-env mozilla/chrome-script */
+ // Force download to be w/o user assistance for our testing mime type
+ const mimeSvc = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService);
+ let handlerInfo =
+ mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto");
+ handlerInfo.preferredAction = Ci.nsIHandlerInfo.saveToDisk;
+ handlerInfo.alwaysAskBeforeHandling = false;
+ handlerInfo.preferredApplicationHandler = null;
+
+ const handlerSvc = Cc["@mozilla.org/uriloader/handler-service;1"]
+ .getService(Ci.nsIHandlerService);
+ handlerSvc.store(handlerInfo);
+
+ let profileDir = Services.dirsvc.get("ProfDS", Ci.nsIFile);
+ profileDir.append("downloads");
+
+ let prefBranch = Services.prefs.getBranch("browser.download.");
+
+ prefBranch.setCharPref("dir", profileDir.path);
+ prefBranch.setBoolPref("useDownloadDir", true);
+ prefBranch.setIntPref("folderList", 2);
+
+ const { Downloads } =
+ ChromeUtils.importESModule("resource://gre/modules/Downloads.sys.mjs");
+ Downloads.getList(Downloads.PUBLIC).then(list => {
+ list.addView({
+ onDownloadAdded(aDownload) {
+ list.removeView(this);
+ aDownload.whenSucceeded().then(() => {
+ list.removeFinished();
+ sendAsyncMessage("navigate", "bug383369step2.html");
+ });
+ },
+ });
+ sendAsyncMessage("navigate", "download.auto");
+ }).catch(console.error);
+ });
+ script.addMessageListener("navigate", function(url) {
+ window.location = url;
+ });
+ }
+
+ async function afterNavigationTest() {}
+
+ testCleanUp = function cleanup() {
+ SpecialPowers.loadChromeScript(function() {
+ const mimeSvc = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService);
+ let handlerInfo =
+ mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto");
+
+ const handlerSvc = Cc["@mozilla.org/uriloader/handler-service;1"]
+ .getService(Ci.nsIHandlerService);
+ handlerSvc.remove(handlerInfo);
+
+ let prefBranch = Services.prefs.getBranch("browser.download.");
+
+ const prefKeys = ["dir", "useDownloadDir", "folderList"];
+ for (let prefKey of prefKeys) {
+ if (prefBranch.prefHasUserValue(prefKey)) {
+ prefBranch.clearUserPref(prefKey);
+ }
+ }
+ });
+ };
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html
new file mode 100644
index 0000000000..d2ad64c454
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>No content image doesn't break security</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ SpecialPowers.pushPrefEnv(
+ {"set": [["security.mixed_content.upgrade_display_content", false]]},
+ null);
+ await isSecurityState("broken", "broken");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html
new file mode 100644
index 0000000000..bd55a600ca
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>img.src replace</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ SimpleTest.expectAssertions(0, 4);
+
+ // Clear the default onload assigned to test start because we must
+ // wait for replaced image to load and only after that test the security state
+ var onLoadFunction = window.onload;
+ window.onload = function()
+ {
+ let img1 = document.getElementById("img1");
+ img1.addEventListener("load", onLoadFunction);
+ img1.src = "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+ };
+
+ async function runTest()
+ {
+ await isSecurityState("secure", "secure");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("secure", "secure after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img id="img1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html
new file mode 100644
index 0000000000..90932790f0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 477118</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("secure", "data <img> doesn't break security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("secure", "still secure after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAAN1wAADdcBQiibeAAAAAd0SU1FB9kBDxIAOdxBIbcAAAI+SURBVDjLxZO7TxRhFMV/M/PN7EPYhS02yytggo+ERAgxERsNhYnGzsQojaHT3r9F0cTaUjs6NUQLBRKDi4I8FEwkLMgO+5rdeX3XAoVYiZWnP797cu69Bv8gqZ+0QTqIdRpl1VHGvnV884CJwQgwicVtoB/ku/H4ycOnURgP/Q1g21Fw4+r0RjbbNmaq4ayO35UkXp9S2UzHxK2bE4QNl82FVwD0D49jn+hERBCRgwTiIX7pvGUGYF/BlO327d3ENfV7wuL0AyjPICIsfPvAmev3qdVqlMtlCoUCGxurDPT1kEnPomQKkRTFpXOjh4DN4kvGLuSJ/JC38y/ouXyXYrGIiBDHMVtbu1SrvXTlbfp6HcQcoVwp5hRAaWedPXFYfL+E1lAKswSRy+joKEEQICLkcjm01hiGgRcksW0b4SMKYHb+OSt6ma+VffxWRF3S5OeeMX7pHkqpwy5EBK31H90ogFODF1lbm8OtlEhloDORpbdnhDAMaTabhwbbtkkkEkRRhGVZR4BCfojJO4+o1VwQAItEIolpmliWRVtbG7s/dlDKotGo47U8CvkuAEwA3/eJoxhE0WyGuO4+nucRBAHVahXDMKg3agRhQBAGVKsVtNZHCRzHwTAMcrnc0eX9it3e3g7A6cGzhx0AKHWwQOV5jdXXb2ZOaa3BOP5ffF5ZptVqflG+3xpbWv5kh2FolEo7dnmv7Lium6zXG0nf95MiguM4QTqd9jPZTCvX2eF393QHqVRKZ7KZkP+unzPGLX8Jr7F8AAAAAElFTkSuQmCC" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html
new file mode 100644
index 0000000000..59085a5ec4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html
@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 521461</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+ SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+ loadAsInsecure = true;
+
+ async function runTest()
+ {
+ window.location = "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs";
+ window.setTimeout(async () => {
+ await isSecurityState("insecure", "location.href doesn't effect the security state");
+ is(document.body.innerHTML, "This is an unsecure page!\n", "Document has not changed content");
+ finish();
+ }, 1000);
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("insecure", "still not secure after navigation");
+ is(document.body.innerHTML, "This is an unsecure page!\n", "Document has not changed content");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>This is an unsecure page!</body></html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html
new file mode 100644
index 0000000000..98cee1bb53
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>CSS :before styling 1</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+ <style type="text/css">
+ p:before
+ {
+ content: url(http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg);
+ }
+ </style>
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure content added by :before styling breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <p>
+ There is a moon surface left to this text
+ </p>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html
new file mode 100644
index 0000000000..5c5019ca78
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html
@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>CSS conent styling 1</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <style type="text/css">
+ p
+ {
+ content: url(http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg);
+ }
+ </style>
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure content added by :before styling breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <p></p>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html
new file mode 100644
index 0000000000..19e5784334
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>CSS conent styling 2</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ if (navigator.platform.startsWith("Mac")) {
+ SimpleTest.expectAssertions(0, 1);
+ }
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ document.getElementById("para").style.content =
+ "url('http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg')";
+
+ waitForSecurityState("broken", async () =>
+ {
+ await isSecurityState("broken", "insecure content added by styling breaks security");
+ finish();
+ });
+ }
+
+ async function afterNavigationTest()
+ {
+ is(document.getElementById("para").style.content, "");
+ await isSecurityState("secure", "security full after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <p id="para"></p>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html
new file mode 100644
index 0000000000..90eca5bcdb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>document.write('<img src="http://">')</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <img> written dynamically breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <script class="testbody" type="text/javascript">
+ "use strict";
+ document.write(
+ "<img src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />");
+ </script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html
new file mode 100644
index 0000000000..e009fd4f54
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html
@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>document.write('<iframe src="http://">')</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure iframe written dynamically breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <script class="testbody" type="text/javascript">
+ "use strict";
+ document.write(
+ "<iframe src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html'></iframe>");
+ </script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html
new file mode 100644
index 0000000000..514902d047
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>img.src changes to unsecure test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ window.setTimeout(function() {
+ // Don't do this synchronously from onload handler
+ document.getElementById("image1").src =
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+ }, 0);
+
+ waitForSecurityState("broken", async () =>
+ {
+ await isSecurityState("broken", "src='http://...' changed to broken");
+ finish();
+ });
+ }
+
+ async function afterNavigationTest()
+ {
+ is(document.getElementById("image1").src,
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+ "img.src secure again");
+ await isSecurityState("secure", "security full after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html
new file mode 100644
index 0000000000..d9a8cc8af7
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>unsecure XHR test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ window.setTimeout(async () => {
+ try {
+ let req = new XMLHttpRequest();
+ req.open("GET", "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs", false);
+ req.send(null);
+
+ // Change should be immediate, the request was sent synchronously
+ await isSecurityState("broken", "security broken after insecure XHR");
+ } catch (ex) {
+ ok(false, ex);
+ }
+
+ finish();
+ }, 0);
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("secure", "security full after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html
new file mode 100644
index 0000000000..fd66b21a64
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>body.background changes to unsecure test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ document.body.background =
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+
+ waitForSecurityState("broken", async () => {
+ await isSecurityState("broken", "document.body.background='http://...' changed to broken");
+ finish();
+ });
+ }
+
+ async function afterNavigationTest()
+ {
+ is(document.body.background,
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+ "document backround secure again");
+ await isSecurityState("secure", "secure after re-navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body background="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg">
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html
new file mode 100644
index 0000000000..8934de4b79
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>iframe.src changes to unsecure redirect test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ let self = window;
+ let iframe = document.getElementById("iframe1");
+ iframe.onload = async () => {
+ await self.isSecurityState("broken", "src='redirect to unsecure' changed to broken");
+ self.finish();
+ };
+
+ iframe.src =
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs";
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe id="iframe1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html
new file mode 100644
index 0000000000..5ef5a28b2c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>img.src changes to unsecure test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+ SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+ // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ document.getElementById("image1").src =
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+
+ window.setTimeout(async () => {
+ await isSecurityState("broken", "src='http://...' changed to broken");
+ finish();
+ }, 500);
+ }
+
+ async function afterNavigationTest()
+ {
+ is(document.getElementById("image1").src,
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+ "img.src secure again");
+ await isSecurityState("secure", "security full after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html
new file mode 100644
index 0000000000..d8506e8cc5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>img.src changes to unsecure test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ (new Image()).src =
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "(new Image()).src='http://...' changed to broken");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html
new file mode 100644
index 0000000000..a73c7f8619
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html
@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>img.src changes to unsecure redirect test</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+ document.getElementById("image1").src =
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs";
+
+ window.setTimeout(async () => {
+ await isSecurityState("broken", "src='redirect to unsecure' changed to broken");
+ finish();
+ }, 500);
+ }
+
+ async function afterNavigationTest()
+ {
+ is(document.getElementById("image1").src,
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+ "img.src secure again");
+ await isSecurityState("secure", "security full after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html
new file mode 100644
index 0000000000..45bf140384
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>innerHTML changes to unsecure test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+ SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+
+ window.setTimeout(function () {
+ document.getElementById("buddy").innerHTML =
+ "<img id='image1' src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />";
+ }, 1);
+
+ waitForSecurityState("broken", async () => {
+ await isSecurityState("broken", "innerHTML loading insecure changed to broken");
+ finish();
+ });
+ }
+
+ async function afterNavigationTest()
+ {
+ is(document.getElementById("buddy").innerHTML, "\n", "innerHTML back to previous");
+ await isSecurityState("secure");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body id="buddy"></body></html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html
new file mode 100644
index 0000000000..d8b3e5f6e0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html
@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>innerHTML changes to unsecure test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+ SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+ async function runTest()
+ {
+ await isSecurityState("secure");
+
+ document.getElementById("buddy").innerHTML =
+ "<img id='image1' src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />";
+
+ window.setTimeout(async () => {
+ await isSecurityState("broken", "innerHTML loading insecure changed to broken");
+ finish();
+ }, 500);
+ }
+
+ async function afterNavigationTest()
+ {
+ is(document.getElementById("buddy").innerHTML, "\n", "innerHTML back to previous");
+ await isSecurityState("secure");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body id="buddy"></body></html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html
new file mode 100644
index 0000000000..66a28ce74e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Secure img load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("secure", "javascript: <img> should not break security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("secure", "Still secure after renavigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="javascript:'Random data'" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html
new file mode 100644
index 0000000000..efd754dd58
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>All secure anti-regression check</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <link rel="stylesheet" type="text/css"
+ href="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ // Navigation test goes over an insecure page, test state leak
+ navigateToInsecure = true;
+
+ async function runTest()
+ {
+ await isSecurityState("secure", "insecure <img> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("secure", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+ <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs" />
+ <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html
new file mode 100644
index 0000000000..961713a2da
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Secure img load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ loadAsInsecure = true;
+
+ async function runTest()
+ {
+ await isSecurityState("insecure", "left insecure");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("insecure", "left insecure after renavigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html
new file mode 100644
index 0000000000..02fdb29d41
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>background unsecure test</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "security broken");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body background="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg">
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html
new file mode 100644
index 0000000000..c775347e72
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure css load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <link rel="stylesheet" type="text/css"
+ href="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <img> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html
new file mode 100644
index 0000000000..291ce3747e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure iframe load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <iframe> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html
new file mode 100644
index 0000000000..8f49ecda51
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure iframe load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <iframe> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html
new file mode 100644
index 0000000000..4eebbf5b22
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure redirect iframe load</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ window.setTimeout(async () =>
+ {
+ await isSecurityState("broken", "insecure meta-tag <iframe> load breaks security");
+ finish();
+ }, 500);
+ }
+
+ async function afterNavigationTest()
+ {
+ window.setTimeout(async () =>
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }, 500);
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html
new file mode 100644
index 0000000000..12a4233494
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure redirect iframe load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <iframe> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html
new file mode 100644
index 0000000000..3c19811db9
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure img load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <img> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html
new file mode 100644
index 0000000000..81ed58ffde
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure img load in two windows</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ openTwoWindows = true;
+ testPage = "unsecurePictureDup.html";
+
+ </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html
new file mode 100644
index 0000000000..21bcf5f810
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure img in iframe load</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <img> in an <iframe> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html
new file mode 100644
index 0000000000..82611ff3fe
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Redirect from secure to unsecure img</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ hasMixedActiveContent = true;
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <img> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html
new file mode 100644
index 0000000000..2282677418
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html
@@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+ <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html
new file mode 100644
index 0000000000..7ce3701620
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Unsecure img load in two windows</title>
+ <script type="text/javascript" src="/MochiKit/Base.js"></script>
+ <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+ <script type="text/javascript" src="/MochiKit/Style.js"></script>
+ <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="mixedContentTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ async function runTest()
+ {
+ await isSecurityState("broken", "insecure <img> load breaks security");
+ finish();
+ }
+
+ async function afterNavigationTest()
+ {
+ await isSecurityState("broken", "security still broken after navigation");
+ finish();
+ }
+
+ </script>
+</head>
+
+<body>
+ <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/moz.build b/security/manager/ssl/tests/mochitest/moz.build
new file mode 100644
index 0000000000..ddb344c83c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/moz.build
@@ -0,0 +1,10 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+TEST_DIRS += [
+ "browser",
+ "mixedcontent",
+]
diff --git a/security/manager/ssl/tests/moz.build b/security/manager/ssl/tests/moz.build
new file mode 100644
index 0000000000..fbf6bc0b06
--- /dev/null
+++ b/security/manager/ssl/tests/moz.build
@@ -0,0 +1,17 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["unit"]
+
+TEST_DIRS += [
+ "gtest",
+ "mochitest",
+]
+
+XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell.toml"]
+
+if not CONFIG["MOZ_NO_SMART_CARDS"]:
+ XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell-smartcards.toml"]
diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
new file mode 100644
index 0000000000..cb8876df77
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgIUd6+Bk3IKBQ1kcwl2Fzr4p/fTVrEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAmMSQwIgYDVQQDDBtFRSB3aXRoIGJhZCBzdWJqZWN0QWx0TmFt
+ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjHjAcMBoGA1UdEQQTMBGCDyouKi5leGFtcGxlLmNvbTANBgkqhkiG
+9w0BAQsFAAOCAQEATDZDK9PvRB0NTC89FVYZWXfiTYJSPa4F06o+edx4Q0qqb3Zz
+t6GJv1+wvQ5CpTCNe4NCNV16HZeL135sUosjGCHieVcYTyof5dmdNAapr0bxNFNP
+BfSE/LIjksPTnECMUoYZq1E+GVc0zPRWPXiuKcRZSLhcC1KsRRa+dZJIeLYH1DPc
+NVRdaGXVJSkddeFs6pqv2VdT3zvct2z61uUFAspVmlyRJJsd1xYgT4Kw432088P+
+JCjftsfGh0qwTFlDt4CBA92CQDWxFiWw7xUWTs0bOFoV7EHhW52Xa6xB8p20dqf/
+nfYjxRCHmVbtU+Xl4r1fEd6mQuHevydoqSGQ0g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec
new file mode 100644
index 0000000000..1b368c26f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:EE with bad subjectAltNames
+extension:subjectAlternativeName:*.*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem
new file mode 100644
index 0000000000..9faffde6d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKzCCAhOgAwIBAgIUPU/rVUoMybyCeEAWx++fMAuZ6k0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw
+MTAxMDAwMDAwWjAsMSowKAYDVQQDDCFCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IEVu
+ZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCGGJlZm9yZS1lcG9jaC5leGFt
+cGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2Nh
+bGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBALocgfctX/9NDtkQ7zAkGl14
+UXkXBCq7vn5fKss2bCG7D6M/+Q4ZJ64/QXGK96tKqdJctiyIN3KArnk4/pWfYCQG
+DgIHXFAgbKUQU0uiGmPwbPQnYq8la6VEarMrzWnGhqVPG1wsqiO1cnecycvm2W7W
+9n7qvw3s2Gf0WZIQKqpNmuhouboeiK1xFxryLWiNaG087WPHb71e1C+1enVb/hJN
+E1KD7dBtBh0sOC6bOFdc4BzhDHnDzPSznSqouotHf5U8YniKoPcDCml544msKwP8
+LCj3tG1VdMxL+p83ETDHG6GLUY20R0E6WJJfvfZ3hdxRUKgaAs+diT3xYXXYqTA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec
new file mode 100644
index 0000000000..ac97b2231a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Before UNIX Epoch Test End-entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem
new file mode 100644
index 0000000000..6cdfa86a25
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUL5tQyA2FR4V3eMcfGyWTxS4vmp0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw
+MTAxMDAwMDAwWjAuMSwwKgYDVQQDDCNCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IElu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBAGDlMbdxc1BHrn6l1svyskkHx68lSeTGVucIpClu
+mJIT3rsTR5swYuyvrWe/gqkVqGRv2gIpMUYAJoHWjF4fRyWkIjJz5JnSP5qxFKKk
+NFrjXFpGSqxJGtuMUNNGk7P30RLje5aE00bqrZHokfrokzChC3G3QJPOwvJtP1Gk
+wldQ8AeoHu/u3oEB3caoC1QpFfgF5kunNETSIxX5bTmsjTSSJnJjnf46FQdbOWUh
+P5Qkr6ZNK4ZAOIm+PRRyJ44JiHab+up/cEs17/T5dNcnHCy4TYXquNKwOe35qakm
+iexwhKycaAEM0TcTI1OA5K4tCwFvaiOr4eTzxN28Cemd89E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec
new file mode 100644
index 0000000000..835e63f2b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Before UNIX Epoch Test Intermediate
+validity:19460214-20310101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem
new file mode 100644
index 0000000000..a77e87cabc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWjCCAkKgAwIBAgIUf8gdQ4LFK1Kln5vHKQGFoL3Do/EwDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjQmVmb3JlIFVOSVggRXBvY2ggVGVzdCBJbnRlcm1lZGlh
+dGUwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowODE2MDQGA1UE
+AwwtVGVzdCBFbmQtZW50aXR5IHdpdGggQmVmb3JlIFVOSVggRXBvY2ggaXNzdWVy
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABo2IwYDAqBgNVHREEIzAhgh9iZWZvcmUtZXBvY2gtaXNzdWVyLmV4YW1w
+bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs
+aG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEACuTyeQ7s3Awm5o/IFgMW3QAJ
+FeaHSD5iGBu3BZlKlg11BgJdoaZ0fl/iRRrLKqsKPnK0I8LztLXarNgGcqVclMj0
+mzM83evJvYHkRfk9T54Eb71mO/ZMxWI//6dGP07+EP5/y6i0b67YPcW1pyTq2U41
+6Faf0LPUfMnCBtoEH4EM/jigH4JwXTxcLIX5KMWHOsSseRSC/aENe6h4tEHqXgB3
+B1f5w02D2Wyfg6u8FHYWTkc7DLpZdeSWgcH5oho3QIg2r3Pt6AKhwwiIIDcQw7Zt
+cC+s8/5INTGsfYsovF5BIf0wEONkGtF8JtcPEJQA7I+BLnqxLItCSQox2n3JHg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec
new file mode 100644
index 0000000000..9aabe21628
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Before UNIX Epoch Test Intermediate
+subject:Test End-entity with Before UNIX Epoch issuer
+extension:subjectAlternativeName:before-epoch-issuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
new file mode 100644
index 0000000000..69972591d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUCfV2HIsCkOeqHcXdhZf6ejBahIswDQYJKoZIhvcNAQEL
+BQAwODE2MDQGA1UEAwwtU2VsZi1TaWduZWQgQmVmb3JlIFVOSVggRXBvY2ggVGVz
+dCBFbmQtRW50aXR5MCIYDzE5NDYwMjE0MDAwMDAwWhgPMjAzMTAxMDEwMDAwMDBa
+MDgxNjA0BgNVBAMMLVNlbGYtU2lnbmVkIEJlZm9yZSBVTklYIEVwb2NoIFRlc3Qg
+RW5kLUVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMzMDEwLwYDVR0RBCgwJoIkYmVmb3JlLWVwb2NoLXNl
+bGYtc2lnbmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBCrP9yopCm
+BJSG6MIq3olV8meoQ2wIrCm2i1Ob2BI3JXW9CSjtnklmQaXzyEY6EnH7K/qzHMbz
+prbtiM+e0GjwwYNDAe3Ad1kUjDUSVnMAYmtTJOYxhmGYztkmM2xkz9Tvn+M4U35A
+GXimG82MDslBvDINDCPvwWsjst8oMwDAezpxZP2zZ/BrXbyUvOfCqyWQrRTNfSmF
+Aub2UQBdjSCgwY5RpzJ2ib5IWmVm3vPQmhM69FwI3WzWsbOb6MYdyPpnVnlN626l
+AwLjoaSP3F/lSgPzDqVKgx6rjqkYANPGaLLXdRH3ynJlxuW9JlamyuEypPIA0+Ml
+rvaprkFh5rXU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
new file mode 100644
index 0000000000..579e85e496
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Self-Signed Before UNIX Epoch Test End-Entity
+subject:Self-Signed Before UNIX Epoch Test End-Entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch-self-signed.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem
new file mode 100644
index 0000000000..05959d4c6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUcdrK+swAhgsnbPoNXViflHJFgtMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz
+IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl
+MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B
+AQsFAAOCAQEAUV4KW+Z8kuKSA64HNt0qyB2POf/dpZUhUCs/eFw7aamooeH4ZvS6
+Qu1OBFzuU4lYlNOJGBUfYRS0MvUjtYdRGMxhIv/zUBPT1xG0PsOjPj9Y7BbzDbG1
+++O+chZk79KE+9d6QMDquHysRMCku4Ss5wbvOiaJoi5ZnAuqkenzvdS377J4acZ7
+vGyRekqZZssIZ2xnShzXSS5Kexe0B33Ky3Pl3fk7JqMyZDPhLnzRok3sNuZIpB9b
+qNYkd0h9V2ZEI2XSRJzhtN1NX72g5NMnmeFJ2YFll69b9xO3mPLKX4k/gy/djZa0
+eCgPydgLZPTagy9hYorKAFR9D7qX8128oQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec
new file mode 100644
index 0000000000..8e16705b50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
new file mode 100644
index 0000000000..7dd59895af
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg
+0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy
+Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5
+tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/
+Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx
+UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem
new file mode 100644
index 0000000000..d40e5bb529
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUY9rgTPnNaqq1Kb0e68iPjjXAJq0wDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUTWlzc2luZyBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcw
+MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowJzElMCMGA1UEAwwcZWUtZnJvbS1taXNz
+aW5nLWludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0
+gg0qLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAptio0ZxdHBqnMsliG
+5KJoYAsvv2lG2a/NqBQAZTJCsf3fAi91/p6LnKaS6nKb4n7dk89QD60hyKuWA7vT
+xGEPylXVNV7S+YcBT4N69i4igvhLVHJPIvCxS4/IyGZ712E9jbu1beJdD2fyxAZp
+cHhRpWlopg0cl+uosiFwuNwWPGvehDa15KAhVI0oERlOY5WjeB4DD1U+43UWAf0C
+1/AtnmZw2nkddlHirXnlw2IIrD3hYVjsHa8FHm0j4q7lmAKRC4ilaQWUl/gW81/E
+4WAeP59faC6pFy9ZhL9H9vZpoM6pkc8I5+/R34Sk+v8z0hbbiNowVM1sm0GM/erG
+CQZm
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec
new file mode 100644
index 0000000000..48bb1c6e4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Missing Intermediate
+subject:ee-from-missing-intermediate
+extension:subjectAlternativeName:localhost,*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem
new file mode 100644
index 0000000000..6aef692e8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUB4TM/Mm0sRhp8Y2i2y5hYIpuS7gwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjArMSkwJwYDVQQDEyBJbW1pbmVudGx5IERpc3RydXN0ZWQgRW5k
+IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaNvMG0wNwYDVR0RBDAwLoIJbG9jYWxob3N0giFpbW1pbmVu
+dGx5LWRpc3RydXN0ZWQuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IB
+AQAQeuh9uaIgE6lZcdlwHx1lCacDapi1/UYmchk6JGZa8YPbdvNvlx56C39rrxZm
+RMIxb31/ySMWMgfoC5pKzcFIRlolUSUV4NF/ZW/xlkpHUfutTcRAu4bWqj0inGBF
+1yMCZtYfyTQKo6zcH2auIFSoGXHchalzBnYjVz2HrJ9ZDJAsQbTIGbxSJb/sdGUG
+ASEDVyWuKY8LCJJjUjOBebaal0/ihsFc/9HHv6qxb+qOGpyZ+vBR693Y/iam1Tb3
+uxZeWronSEgidd5FcSxfgYkoSgiUODE56GrBGQHgmrFs346WYVe9AuXZHnl93hs9
+s2yw+cAN+P411cXfdMqwz3lM
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec
new file mode 100644
index 0000000000..dd8c6707ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:printableString/CN=Imminently Distrusted End Entity
+extension:subjectAlternativeName:localhost,imminently-distrusted.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem
new file mode 100644
index 0000000000..f0ab42dbac
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIUG50q46ciI2WuRyvXmEZHXT1Z9EkwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME0VFIElzc3VlZCBieSBub24t
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNv
+bTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6
+ODg4OC8wDQYJKoZIhvcNAQELBQADggEBADPjrZ/BNq3Q0vDAP4rkUr+tR4tGtuOu
+IhmV4S+6ovyJHBEkR4q1qyHyYObnIKmdNZrFBpNeH2s+X1qe4Ewc4Uk1STFQeELL
+QP6ZsbcQdGSfk+KX2t00xTrY2awInlvLQ++eqnDbF4mzC+JMIeDVUxFGbGhKUoRV
+ZcO5qnlVIa88Tz3WlgDKDxDjtFui1/xzj4Qx+v7MaNsGBDES+RzX7/qGVvX7v5kh
+Moy9c77CdbGoWvKHWjdegGc0jS0zQMV/fE68CJo9a3goWBdIPW4yVCc5bE3Epdyc
+w43k0CTyxNwiVw5dr3cl8E+DCwOxrtHeaILp3mR1YBwlV0gDEkLrPt0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec
new file mode 100644
index 0000000000..63c36d34b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test End-entity
+subject:EE Issued by non-CA
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem
new file mode 100644
index 0000000000..98bd3279f9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIUbW/Sp8rvnvpF0amyMiSsV3M65fEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVjEgQ2VydDAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRFRSBJc3N1ZWQgYnkgVjEgQ2VydDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMA0GCSqG
+SIb3DQEBCwUAA4IBAQBNhHn/B4FiChMDw6MEqhnYg3il2IRBQXMHKZLXP1MXhITy
+kFl/Yz13yrtwREFCgE/yKWgXwVJQ9J0/xk8JeMA/P7NyzfwKUceAyCvcL1ibfacB
+ZPCrRicdgK8KXXwAlKrvvXmzrH5mgYdkgpj5DyPiTD6gHXWRTak97anWTjFM2xbK
+heg18OMziIVnRt5W203v+JTZEzQfr/c1QE6D9fyxErNSf+rzzrnfTnTiu2fleJ1/
+9zacWZwu6Aq/C4MJAlPP0bFkCjNEMnF1r494ORiUxkGPBJE+Tnj7Gbuhe0jjcrWQ
+YXELq5S9zIZ+lUBAR0BXSVsIVa2GKgfevG4azGct
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec
new file mode 100644
index 0000000000..9ed9b33db7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec
@@ -0,0 +1,3 @@
+issuer:V1 Cert
+subject:EE Issued by V1 Cert
+extension:subjectAlternativeName:localhost,*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem
new file mode 100644
index 0000000000..3950bab62f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUe9ZaQpC/uQy3a4aB/PFp+i2g9BwwDQYJKoZIhvcNAQEL
+BQAwADAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAtMSswKQYD
+VQQDDCJFbmQgZW50aXR5IHNpZ25lZCBieSBlbXB0eSBuYW1lIENBMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyow
+KDAmBgNVHREEHzAdghtlbXB0eWlzc3Vlcm5hbWUuZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAJCmZN82+yrgQ1uQNbKtRby+GYdw+6ADG1SlYf1zEc3W2A01
+MaIa8inzgAzNIu+9cMJsjuCHAw8A7CiaKo0bRGWy3mSR1PfsAmqjC2dRZxCif0ik
+Tdj3nlbAvUV8p2QVZ77CYUWkv2ZFzwR79OWxRR2UPAo+1QP9odq8DUwLr0lM5mC6
+oTo8GnOknnyn6stq/iblG1mlMBnp3QarxhNAtBMXQOjWrUYmigWVUv5EP80UZ0J0
+A2C0FQ6mR5HaLycI3SlMI7tYg9Ijb9F89UyhAvvsJ8zLclh5QaH63WdGjyS6IVzG
+grfoCSqNKU18EHyuBtE3xMh8jpX6XotkqXhxlhQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec
new file mode 100644
index 0000000000..a99d84b79e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec
@@ -0,0 +1,3 @@
+issuer:
+subject:End entity signed by empty name CA
+extension:subjectAlternativeName:emptyissuername.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem
new file mode 100644
index 0000000000..da9ea15730
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAamgAwIBAgIUPe0Af59pnC5Ljo4FiB9Q1/kc7BowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
+BjANBgkqhkiG9w0BAQsFAAOCAQEAH+A0GkIIAKhyd6Ky8CSZXx50LFxrnzVngDfr
+F3Yn9ODreH/gafd3Ag+QbXgaOcrYRKiTaECAK5DWKg1jRYrikkUdOd5VyqoIGmgU
+/3eVh8cO3XylEapvU7+PQllC0LeXmEHECs1b/fLJ1l+PJYfewHtYl7Xb59bFYkpi
+gT936JQNjqQxGfJLDaylD665+Cy17BpTmu5gis+T8BMM6wP2wQ/8azlH2hP5NQl5
+LxgSnsUT5KIL2oIorMDaIapUY3c5NBFkp0QefCdSL0JzMBeBOqhC/ZX6ng1mvbHW
+73ns95iBrHUzMylKt2lk64ad+e0o3eYRnvdlilUz9C/XAihQjQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec
new file mode 100644
index 0000000000..0a7cfdfd84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
new file mode 100644
index 0000000000..1c566e80e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiOgAwIBAgIUCaTETyqt/N8/JD/UA6/ZgL81wfUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMB8xHTAbBgNVBAMMFGV2LXRlc3QtaW50ZXJtZWRpYXRlMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+o3kwdzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBHBggrBgEFBQcBAQQ7MDkw
+NwYIKwYBBQUHMAGGK2h0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9ldi10ZXN0LWludGVy
+bWVkaWF0ZS8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4IBAQAt
+RkahoJhciL6jkf2enZroZsl4Stmdobl1A3ct56YFmmncRlBHo5NDIRNM0sjVXwZT
+nXH0oAFNZOLucqJOZ8TBYxIVRiDwTOnJg/ObyCiuG/mWbDQV3vsIsd/CvtcihMym
+SjYggiEHqn439wYtI0N5QnT/XZerFP4szSBumaqmGwktbKXuM6zxQ3Omuoy65Mho
+t6udcVERBulnRLrOPyRPf6iijcgOEt52AbK5jpx8FCALK1GM0qmXfpOEFYbkr1mC
++jSVY4pSHEJVXfcZYFhoWdVwLS5Hn31Chicy0bzRI3Zl2J2iRZu/URrSVHA5esJb
+EQ4t31XwaoevDtMeoxEv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
new file mode 100644
index 0000000000..d5b5859672
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:ev-test-intermediate
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
new file mode 100644
index 0000000000..e41661438a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgIUWRHuQlrvnOY6rq61b0rQgL7EWp8wDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUZXYtdGVzdC1pbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcw
+MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowEjEQMA4GA1UEAwwHZXYtdGVzdDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaN/MH0wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvZXYtdGVzdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0
+CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF
+AAOCAQEAdl81wFiPty5Hz9X6zf/urfECVITVvP4zP2UTRt6uFLVJ3c26uumJ6See
+I5KS+U7rGzcteD63wz520un3P+e1rOztbkB6ySL/Eu2wmteNz/L2F9I7ebjp0TMs
+8zxwO+x9uK4Oh3H+iEIIPcyBXvy04DRNjG7YTwf3JFAfG5H4paYLbLsDmljdAwcu
+3tcVFFb5nw5WrfdUWcr6YP9TNWI7Rhzbht8W76+hrKUBEcZyHZ78viCpbIFUIfmG
+mlOm+Loqh18Ej+Nq7EU9x9n0DV16TbyFxehcPFfpTYc+Kdm9azT6umIY6/lh3HXg
+1lJ0kwfvc0C32XkwvOXu/O0Fz7DLmw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
new file mode 100644
index 0000000000..10f8022585
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev-test-intermediate
+subject:ev-test
+extension:authorityInformationAccess:http://localhost:8888/ev-test/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key b/security/manager/ssl/tests/unit/bad_certs/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem b/security/manager/ssl/tests/unit/bad_certs/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem
new file mode 100644
index 0000000000..a7d657a970
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw
+MTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyBggrBgEF
+BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ
+KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzf
+T+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5h
+mu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3
+L9zJ2JqNc60+hB8l297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74V
+kQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZ
+gBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7I=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec
new file mode 100644
index 0000000000..0a03bc36f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Expired Test End-entity
+validity:20130101-20140101
+extension:subjectAlternativeName:expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem
new file mode 100644
index 0000000000..e03d862761
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUY9VlD+O8GH3DRfxtYTip4pS6eBYwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw
+MTAxMDAwMDAwWjAkMSIwIAYDVQQDDBlFeHBpcmVkIFRlc3QgSW50ZXJtZWRpYXRl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
+AQsFAAOCAQEANf+C+WsnAgYfISDS37prll2DOGYWKajcVZNzkScDzNGkK2s0c/td
+Mb+HXehqvYz20hT4wEwQZnPt9qMWH7bBEWiJfw85OINbKmG/i0gjZZDgbFMMdHvc
+j6BXJoxL0gAy8fOQyTDuMNX0NBJzSmWhzBsL99BHAWdG6XXQTzSyumiekc8ip4GG
+EhJvArbZwgIBigzdpbc/lQI0dR2qER0BUXamWU8fi2RuvQqtEi2ANjJHrWOillXU
+PR3j0F2LyvoiYlhiNhE1g3JH4VYZ+3eboRCrjel4J3rZHksN17r6+Fla1/YZdz2l
+nAGA5McLBKXYBVcARV4adXlBe1z79TiDeQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec
new file mode 100644
index 0000000000..38a0abd8a4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Expired Test Intermediate
+validity:20110101-20130101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem
new file mode 100644
index 0000000000..95b9f0c4bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUeVvV7SMvQXrsfRkt0IxcruZ/vlgwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZRXhwaXJlZCBUZXN0IEludGVybWVkaWF0ZTAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAuMSwwKgYDVQQDDCNUZXN0IEVu
+ZC1lbnRpdHkgd2l0aCBleHBpcmVkIGlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNcMFowJAYDVR0RBB0w
+G4IZZXhwaXJlZGlzc3Vlci5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD
+ggEBAG19BBffQq3Zbw/k++j4vtoqq9n2Sgd2pA0yvVpfCaTX5f1EcWzgGMupCEIu
+svr6Cc2MStIf7CWNfzAv6Xq8c7ylcAzi8FDzF7rvX/1nYCYjm+rbLdvgpewh5aE5
+b4XG2fNh92kT+yWkElpOr/XW1zJx+AXHlXxJm7CUuL84J5027Dx07Hw961X4RVE5
+zbVvfM17F/ZydyW7gxVid1x+Fg9OxvSf+SHJVWtB7JO0uKqgeD9RzQtZu7umX2Tc
+MMmYNCGMxaFqy61X1Y2XR0rhTL9OAI+wrLXZ/fyapITdlsZldljIyhRbIytqglFZ
+U5C792+mU+StatopboFrBOEVAtk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec
new file mode 100644
index 0000000000..855f454221
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Expired Test Intermediate
+subject:Test End-entity with expired issuer
+extension:subjectAlternativeName:expiredissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem
new file mode 100644
index 0000000000..97130645ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUI0vDPCiagS26us97hi/2caCaE0gwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAyMjExMjcwMDAwMDBa
+GA8yMDI1MDIwNDAwMDAwMFowGjEYMBYGA1UEAwwPSUROIENlcnRpZmljYXRlMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABozgwNjA0BgNVHREELTArgilidWc0MTM5MDkueG4tLWh4YWpiaGVnMmF6M2Fs
+LnhuLS1qeGFscGRscDANBgkqhkiG9w0BAQsFAAOCAQEAfwY2xj26sb/mapkujwEC
+aRyjFD5IWz6pKB+4HHkmrI4X55N+6hk3ToQmmiW40O+Pxc96l0PVSHeQaMjMQxtE
+1MdAv4S9TOdaUPSHSjUurvP7OxxBMgU7cPUwKCHnkMMjd/CZKrSpEJJz9aArZ1eC
+C2c/zt39fZeCyNfXVByoGDEMVZolTTCXy6lE45xvMVaIzKqMy7Fgn36SoPT1N+Ze
+FOx1yk03lMDPeDkmD4La9EJZEy0D9TCnO7hJ9mMHMQ9fOLd4NLqcOpLtUj31WTIS
+DApIxULfLtGD9FXcxsAxgazsSxlIXGwXjewJPUlf9ywSwtCFukCUWfxJ7nzlxunb
+pw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
new file mode 100644
index 0000000000..b3d840fbd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Unknown Issuer
+subject:IDN Certificate
+extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key
new file mode 100644
index 0000000000..d43495f851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl
+GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ
+BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh
+WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK
+1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2
+s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV
+nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+
+gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr
+QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA
+Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh
+AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur
+SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx
+vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx
+nmTT4A==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec
new file mode 100644
index 0000000000..21ed73d60b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec
@@ -0,0 +1 @@
+rsa1016
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem
new file mode 100644
index 0000000000..b8257a140c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtzCCAZ+gAwIBAgIUM6gG7+rX/E6iwOPdTbfDmqmd1ycwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowKTEnMCUGA1UEAwweSW5hZGVxdWF0ZSBLZXkg
+U2l6ZSBFbmQtRW50aXR5MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7Ev
+uE/dzSmzpRnLZsQ7jY+L5UW6eThM5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+
+0gcWVTSqmQV+R8R+O8ga2m+h4S43JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr217
+5p2aCDE24Vr6j1PByMhPxgdyed0OVdc2mlvdAgMBAAGjZTBjMC0GA1UdEQQmMCSC
+ImluYWRlcXVhdGUta2V5LXNpemUtZWUuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3
+DQEBCwUAA4IBAQARywHQubkWb2U0BwsQqs1FfySZaKO0xbKK3Qwl1obo+R579WSJ
+WGRAkf7PTJwxsifJ3EHP20jVd3DPSQd2mdCtxGkOwhkdh6GysT+X9DHRD7dAXi2W
+QGPR05R1te8j7HqZ1tPNfIzpKR8vfF1MYoBsKN6CMCYBbjsRpD0TVcr8S2PKcZbO
+EPnV9a5oYuJ1RqnK/eGnIpPYcqXFUNsc1YxpYCxkWbwXzZ9tW0lYVWo593B0g8EV
+FoLyDdLEtUwStHkxHsphrmthasYuDBOTE2O28ctLTl5xpdLyGgn/Wol5tGruwXH5
+u+VDs1FA9S09DwNC/c8lmhAdV32PqPH6PQNR
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec
new file mode 100644
index 0000000000..02b595dc9a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test Intermediate
+subject:Inadequate Key Size End-Entity
+subjectKey:rsa1016
+extension:subjectAlternativeName:inadequate-key-size-ee.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem
new file mode 100644
index 0000000000..6768a41734
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgIUL3DrOLET5XwR7CX4bShDdmT6ZNAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRJbmFkZXF1YXRlIEtleSBVc2FnZSBUZXN0
+IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjbjBsMAsGA1UdDwQEAwIBAjApBgNVHREEIjAggh5p
+bmFkZXF1YXRla2V5dXNhZ2UuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIG
+CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUA
+A4IBAQA8v9QkdaYQxGi5VdNBvzpWnRc40tGwNNjMpWHCvGg1WYBC4mro0bT/5Xog
+fW3cwMFrIIuNjwHrYx4DqDwTGBbxjkU45DTMydBb51LFl5VShETdRv0Yai9Wvd/Q
+Oe84IfHjQXDt8WhrGuiSgDSgGr3XXyJkdAJA9ajS2WVdC/3rupP/jkXOSUNGjouB
+WJTzwyNiESuitbzijJOR4eHAMlwepB5gVFgIJQVsOFVlwQ//na1Przj3M2R2Qf1+
+/cQ+KGOrS5+sIRfMT37mlJfLaaJ8o55ljPvo/FItyl28C/mlr7rKR55Bn0VL9EnR
+KQIXP7V/QG+OvcCI278C0n/cky3S
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec
new file mode 100644
index 0000000000..4d553890b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Inadequate Key Usage Test End-entity
+extension:keyUsage:cRLSign
+extension:subjectAlternativeName:inadequatekeyusage.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem
new file mode 100644
index 0000000000..3645c59100
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIUeTOq+w44V4g+/ZK2O5Xfytj12egwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjA8MTowOAYDVQQDDDFJUCBhZGRyZXNzIGFzIGROU05hbWUgaW4g
+c3ViamVjdCBhbHRlcm5hdGl2ZSBuYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoz0wOzA5BgNVHREEMjAwggkx
+MjcuMC4wLjGCI2lwQWRkcmVzc0FzRE5TTmFtZUluU0FOLmV4YW1wbGUuY29tMA0G
+CSqGSIb3DQEBCwUAA4IBAQB9zxe9n2/b6xqibQH/LdIgczeL+xxvdAnuq0dkjEgO
+UcZx3+qdQXL//Iq+dG3nZoaoSqnQMx6KWvlsoVYIyMHlcFyv5EBf6B8feps9i0J+
+YqpuCBp2dGtR4MolxDTKZnk5EopQ/kBckn+qTrOvLCnSy3tfBUvAM67qFW2g1vMG
+9kqbZ5cd/ozv3dAW8LYeIKtM2kqDkCQgx7PbbgY2dixqWSyIPEtqOsrAKceJ5Nga
+s1sWdlh0o8b9fpl9O9AzkojqqyX5hcdt5XjpntCQCAwsgp2GOqOkkLx7G9cLrLDk
+QGUd8FuFAwEe1BQVS8uzUYY0vW8LrOYdqhtDq1a9f5cN
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec
new file mode 100644
index 0000000000..26313d82e1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:IP address as dNSName in subject alternative name
+extension:subjectAlternativeName:127.0.0.1,ipAddressAsDNSNameInSAN.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem
new file mode 100644
index 0000000000..3f373d09f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh6gAwIBAgIUGUp8qIucVUZ0D+cPoEILDVfteu8wDQYJKoZIhvcNAQEE
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw
+MTAxMDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IE1ENVNpZ25hdHVyZS1FeHBpcmVk
+IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjYzBhMCsGA1UdEQQkMCKCIG1kNXNpZ25hdHVyZS1l
+eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQQFAAOCAQEAYMtZZk0A
+c3xvnK0PSwNxsWidAdOEY5uOKJTPT1LZFUQsNHw/2f7csfDneTeLNoCNKH7LPF3t
+J+zwUMzq1Ut0vIRSs5r84P7LK7KaBRrSwWPSnTP90X4VX3IVIQ7dbwTkrlUaRzfs
+B4Pqa/p2GVuvrLmbtmd2SDw+52GubJYVOF6u2s4KKgUGhHWtegzQOsVKTFEOoqBr
+X3yDEJhK7M82NMiGtq3Fr5F0sLD6DuGL0Mm7ei9junSLS4sH0M+Hac2BVmXwYNTS
+ekKzyjmZ1TYRlo2sCgYyYfCLcTOswG7uVHLU+ie0+Dbaik2NcolUgFNnC7Uk3E+t
+DhSRNeOtKglSxw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec
new file mode 100644
index 0000000000..e4c2b7008d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Test CA
+subject:Test MD5Signature-Expired End-entity
+validity:20110101-20130101
+signature:md5WithRSAEncryption
+extension:subjectAlternativeName:md5signature-expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem
new file mode 100644
index 0000000000..0ea36040d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDLDCCAhSgAwIBAgIUXRKyQjjAU3Ro3Vc/yn+SSF+dGg0wDQYJKoZIhvcNAQEE
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEVuZC1lbnRpdHkgd2l0aCBNRDUg
+c2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAaghhtZDVzaWduYXR1cmUuZXhh
+bXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9j
+YWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBBAUAA4IBAQA4ytFoYqUrspwyjDywhwfj
+Vs7iV3dix4JOAkCPYJcyaS4MPGnVjTFKmVASZeb4062FCLYFDxNWhfQqFtynMERo
+il/XkwYr5A5Jx4gNKRIwFQ1GWN/3pi3O0FaiwxFPn2FJGJkRKtgZNnfLStys7m/i
+isU5okcJtvVpZV3mORciYbPyZbNu0iforwyH4BbnmBClYuftlXgBtTrI3zOCFSUd
+I7OzdOqSVUiyft23d1qCfb7vPYrI8UheA8/vgKX41OkxwxFrUYBug/AeQ+9AxTUO
+pNzKFQ+LlYAk5B2LcdK758BLyH5Jgpl4X2uS7UdJ0P8FVdrL/pFCdQUAAm0yCurj
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec
new file mode 100644
index 0000000000..02742d910e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test End-entity with MD5 signature
+signature:md5WithRSAEncryption
+extension:subjectAlternativeName:md5signature.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem
new file mode 100644
index 0000000000..d5782da2cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKTCCAhGgAwIBAgIUXWNmi3NOMsq8iBKvohtG0kX2YFIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw
+MTAxMDAwMDAwWjArMSkwJwYDVQQDDCBNaXNtYXRjaC1FeHBpcmVkIFRlc3QgRW5k
+LWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2guZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCt7JzZlMgD/ZHZobiGxcfE/EPQ
+/V405Xu7DGdTJh5cTiFF1h3sQl06BfrCEAo0yhOrpPyMtmhTI+rMyF7PvFWZMQ89
+bk9y4cZ7jG1NEd6B+jlYfD4mFbLR3AbMEbf6QVjYDK29+XnjnhvczT5NPPl8g7rF
+6y1FhFcFMTGiGZCOyhCz0nXbG/LpP/alH+WucXRdpMLUQbEXEDzWOq5WJ1ZPS556
+2Ouurfr1mkydAlXCGc5RYPVLRY48CwX2z+kfHRnF4TCb3ck5oOlqabP+bc+HD7EE
+UgEEdnE6zpUs1D7s8C8Mp89LUcXx+s51/ZUQvGE4btBMML0lNImwwbqxbv02
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec
new file mode 100644
index 0000000000..262f08d6be
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Mismatch-Expired Test End-entity
+validity:20130101-20140101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem
new file mode 100644
index 0000000000..b70a632693
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUcYUtGOYg2nrx/OAYr+cxTZVbv34wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMzMDEwMTAwMDAwMFoYDzIwMzQw
+MTAxMDAwMDAwWjAxMS8wLQYDVQQDDCZNaXNtYXRjaC1Ob3QgWWV0IFZhbGlkIFRl
+c3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2gu
+ZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8v
+bG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCu5v5Saw0htF59xmKf
+CQJ7YI4M/TvuNJjhVdwq5phvEw3k+qweEdpLHERGu4nrzyDTMKqN8kXO6tXUspnh
+LpXCvmaDLNxx/UyYofWslqYqFwM4vQ4l5QEUriR1ndMN256ELRSx2cEpWCi9xHMb
+1cqB12ulLMCpitmK+NXpflViZy7HliTQOCdwhLPDNWRKsRF85EHOuFzcx4uqfWdw
+5zwA0zVOYG21fyY51bhy4oy7HjTWUOrGi/klwzz2TEDTUX6nRHYagrFxO7C1GMlg
+pe32InUfLU0rR8G9lP/tSug8HawSH/TCE+63jo2BGWaIYGSd+k11QzU+CsT15+A2
+tbAC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec
new file mode 100644
index 0000000000..947eb7d678
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Mismatch-Not Yet Valid Test End-entity
+validity:20330101-20340101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem
new file mode 100644
index 0000000000..4902855da5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOTCCAiGgAwIBAgIUO1bWrdrsbGfiDSe6i14vOA3vWsIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY
+DzIwMTMwMTAxMDAwMDAwWjA1MTMwMQYDVQQDDCpNaXNtYXRjaC1VbnRydXN0ZWQt
+RXhwaXJlZCBUZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWjBYMCIGA1UdEQQbMBmCF2Rv
+ZXNudG1hdGNoLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAlTFY
+rHGARngEHz3XEngdY1E3hf2GdITTHssgVRvpW3IvNmUJDhk3zVqvjb2hIVDmxFRv
+ad7yCKK7FQum2A1MKZh/Pl7ylWv6vkdtB8HSg9F5qYifyUD/XEjYp3uSrfAXW7Pp
+XHZHgBR6nlOB1EpAqrLtpEjxMX6F0fcXClOlWf0UsPLv1M6JvPNns/4tbHBnrhfm
+e0DqBMfZIJV7x633eZhpLQmOIA27rZtpElWZsA6Gtenl3szr8mpOgy3hxuEs9oFn
+cigHg2ECzaOKM5ayTP0dc2OVbVgUX/2doF8pGHiIKdsThYNLNEOioBZjJhQlreZE
+K67bzkMDhLQmMBUMtw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec
new file mode 100644
index 0000000000..adc8ebaf8b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Other test CA
+subject:Mismatch-Untrusted-Expired Test End-entity
+validity:20110101-20130101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem
new file mode 100644
index 0000000000..fe9483d1fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMTCCAhmgAwIBAgIUWSSWGPlmqVnzEP84na8sG5jAu1owDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAtMSswKQYDVQQDDCJNaXNtYXRjaC1VbnRydXN0ZWQg
+VGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABo1owWDAiBgNVHREEGzAZghdkb2VzbnRtYXRj
+aC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6
+Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBACm9SsvbMq2c8TlV
+FqDTAp41lfuhUD7xUfknSbfnTYIvxsvZdrKXeMsbOazsMqRrvYZFF3/YKMAzDQb4
+6vxe7rFQ4hbcroV4H1AcztHJ+41jJp8dZ8bTxNpDqapt/B0CokHFK07P87711Zfl
+l5V9GV+mGs29xC7RVa6Msr+mRU01FrhXV1nhd7uV7eEEbW9ofc7IW1XwRH3hr5+y
+Dme0oJpKsalJwe0PTPOb/GlDyNxlny+g3U/aL6Y4jCld/ZQnspHEuNBzyFwxeQ5n
++xryCStRNr7bre2qVaukp4NCO1u5fObcnRhr7DP0g5huYs0B1DR8kZIRMgQhMMhB
+81v6JDM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec
new file mode 100644
index 0000000000..91c5f548b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Other test CA
+subject:Mismatch-Untrusted Test End-entity
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem
new file mode 100644
index 0000000000..c47146450e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUQV2JoTMOEIIM5xYwpELqDCVJRkwwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhNaXNtYXRjaCBUZXN0IEVuZC1lbnRpdHkw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjeTB3MEEGA1UdEQQ6MDiCF2RvZXNudG1hdGNoLmV4YW1wbGUuY29tgh0q
+LmFsc29kb2VzbnRtYXRjaC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD
+ggEBAFOg3UyvJvHDoWN5CU8UDhrtZ0s/tdD01ISQITB+RliAIGGR1r3WkIh3D9ZC
+1Yuq34Q8sID8sE7dnjC3Bh7ByzfuGI5HR4dd6bU8zQuoSVdgIBwemYF6j51DLR+0
+UiMaXxqplE0HYV+AtBPTlkw136yg7BX2fxbNAIdYWygAIXiC4H5vkNVte17ERRNg
++B5mYfoIgMHeNENKxpJVLj8+a8GXlyPEELm6LDiHi9PgwqLsFJYulvkqnw/YkbDs
+pXPRQe3QxxJBmn+eCw+olXznGskB4a+Vev8bjOjRPmvP67ueKq4w6vSlysk6v/Fs
+pDRj8CgZOSD5Mp8lUros1rZ70hk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec
new file mode 100644
index 0000000000..b93599fc88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Mismatch Test End-entity
+extension:subjectAlternativeName:doesntmatch.example.com,*.alsodoesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem
new file mode 100644
index 0000000000..581579b0fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAgIUZ347kXsGUKV+lR7xHw9I9BFHqMMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdkb2VzbnRtYXRjaC5leGFtcGxlLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAej9Ob7Spd0OI+lYvy05FPK6Lccbi2xtr
+1VtrAaJjlyQhVxa0tWQujVaw9tEJHcYlGFuWHn/Ichbfitljg8ebYvcgktVIoNvb
++UEDEjwuAeTSBiMv82Y3Xrw+c7OA1rNoGrkN1kus2DQvHOPODw6tcFwLH8tlNo0M
+MYGKxt3MWIlqZfwqY2VOKQ5T1G7vvoYOeuSFdTBIugNTTai2JFdvRMQxYAZIjjGr
+2xLPmVSm3QoMa4tvRN2jZ3AwG970esg2JjqGsLRh5mYDmaB5zIc7FIyi6Fu3Cpf1
+R4nYTlvdoOWhy7IQDaizS9+awvgaykPv/cj27Row0uhW1w3o9TU4mQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec
new file mode 100644
index 0000000000..86ef45b7ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec
@@ -0,0 +1,2 @@
+issuer:Test CA
+subject:doesntmatch.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem b/security/manager/ssl/tests/unit/bad_certs/mitm.pem
new file mode 100644
index 0000000000..fd1bbd505d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUHSDQM3kwDVGSyrMkUz3GteAahK8wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVGVzdCBNSVRNIFJvb3QwIhgPMjAyMjExMjcwMDAwMDBa
+GA8yMDI1MDIwNDAwMDAwMFowMDEuMCwGA1UEAwwlVGVzdCBlbmQtZW50aXR5IGlz
+c3VlZCBmcm9tIE1JVE0gUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMfMB0wGwYDVR0RBBQwEoIQbWl0bS5l
+eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEALI7p6ZRaY+QXCcgHuKDI7VHJ
+4yKagFtAr/f9f29pSyuq0W/dPj2c57uweDTYJ5fLI+geIWbcU/sSUj2zbQ2FeOKs
+hKf1eSALCaG7WqLoxwlPNnsCw9RBlV8v5EC3ERdOr5UaoLO6Xo/A9/LGzmhWW16d
+3uuVCrTIc+8mpY1ugbpKTTSiK37R6eDj3u2figOmSpl4A9dAZ5iBpXUGV0wRUcfl
+C6HqdswAsr6H3tw0pOlpyXnZ0MG/KXT2JagzLySekrC90N9J8GMK2fLAZTepCvMN
+2P+B9rKPFGcJSyUCps0ckurFQOJY8un5SYHHGbEloP70E8vMXlzksNS0soAztQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec
new file mode 100644
index 0000000000..1439391f1b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test MITM Root
+subject:Test end-entity issued from MITM Root
+extension:subjectAlternativeName:mitm.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem
new file mode 100644
index 0000000000..46f5d046ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUK8zS92hcfMsHkZraoQ+cLK06N3wwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjApMScwJQYDVQQDDB5FbmQtZW50aXR5IHdpdGggbm8gdmFsaWQg
+bmFtZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjNjA0MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0
+cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAi1Ym79kpkRin
+XlrNEzJ2WVExGaz+ePMH58KmmdfQjmwe+YQtxlmfwSDOBA6lxyJNr/uMTteFrvry
+RQY60iAT8KExXTOdSrsoY91RCFj2a4PLWvNRXhnI2pSWJDGsPHfe2/tJTZpL/Ugw
+MhYDLxvXijfq/XD/Lklw2ZaaUuFgSd5NlXCmnN/+OryyKrPk9BYIBTLCNKUosKYx
+FpiIUWR8fZAJrTpFKUluXeXPK1YX3Fbne66AxEV1ZkALDY8qiHzhJZEnaVBqeoqn
+U4KPiC6/BUxC4eRb6M+lP5AABNs8nCjIiOQ4AaWZ9MqTYK85waAXUqXrw3KB0564
+GO8EUl8zIg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec
new file mode 100644
index 0000000000..87088e87e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:End-entity with no valid names
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem
new file mode 100644
index 0000000000..79cc10aa68
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg6gAwIBAgIUH+AmYB0Pf6g+gBjtVqu94DStb3UwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzIw
+MTAxMDAwMDAwWjAoMSYwJAYDVQQDDB1Ob3QgWWV0IFZhbGlkIFRlc3QgRW5kLWVu
+dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXbm90eWV0dmFsaWQuZXhhbXBsZS5j
+b20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0
+Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB1xgChilLhS38NJG3FU3vyD8LN3uGV
+wgzFB33egzO4s4GkPK5zjGpkyQG0ofYFmlbP8NpVrjKykbhbgusdvsZOknuPBBAJ
+jgHDrt5fdT4ah7xlRr+o4KC8RpYOZ8pGy6eoheCZZdNvhV3cDVxYWrkFZbdbtvw9
+YqqgpgiFx/j85ZqFudq/ApdMwcueZWPjmc47Y2fsTtrqO7rVVtX9FrG4O3BWcrVH
+5RJpwN5mBsC//zNhhuvaGNWZB3XGNH0wgxEweI+cpfufWHnshJFKoEESJBrdHywz
++kuH3ha9W3JwyorON9M7uduDBdUBsjwjwLpYLd+Saie6X+XjROrGYe8f
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec
new file mode 100644
index 0000000000..5b60c29ebe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Not Yet Valid Test End-entity
+validity:20310101-20320101
+extension:subjectAlternativeName:notyetvalid.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem
new file mode 100644
index 0000000000..0a111582bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIUW7kXNYkW5OLObAOtdMQ9uL8FHUkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzMw
+MTAxMDAwMDAwWjAqMSgwJgYDVQQDDB9Ob3QgWWV0IFZhbGlkIFRlc3QgSW50ZXJt
+ZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB
+/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRx
+CHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMC
+OosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdm
+Wqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGz
+ey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUD
+rNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAJgm8BvVnIEy9uGjgTxLcNnIoOZeLgQ9CPrNir6RHzGIK
+1hIHcNCDdC2mDc9DvyQ8MQPzJvAiMAOvo1v8yHDijC/mmYi6hTGuC6hDxF2YHKXu
+8VZZOSMdaE9pkKUQ8sckzKMS+Oxw8EJOV7VeW/WZsSLKSpba0qAioae7wEBMg0QS
+0Mp72+l4nMMUG5T/gzea6gy/nGTb0ghV97K1r5jekFNuy1pZZbKun9lLd9KJNmEs
+XiJCn2M7Ce3nEhJfaJcDmz9sde4HOlJ/BVLV9ljkOL2cQ3TxdEkLT9/Unp9dmcLo
+1sdvWkwimWiKT3XAs6Df64uM4GYl3PqPH5tQmUyPFg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec
new file mode 100644
index 0000000000..8a00f2ee23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Not Yet Valid Test Intermediate
+validity:20310101-20330101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem
new file mode 100644
index 0000000000..b6623c88d3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAjigAwIBAgIUVZUbrAFbzxSCx0uW6PP7Mrnc0CMwDQYJKoZIhvcNAQEL
+BQAwKjEoMCYGA1UEAwwfTm90IFlldCBWYWxpZCBUZXN0IEludGVybWVkaWF0ZTAi
+GA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA0MTIwMAYDVQQDDClU
+ZXN0IEVuZC1lbnRpdHkgd2l0aCBub3QgeWV0IHZhbGlkIGlzc3VlcjCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNg
+MF4wKAYDVR0RBCEwH4Idbm90eWV0dmFsaWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYI
+KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgv
+MA0GCSqGSIb3DQEBCwUAA4IBAQB7ytlByUBPoXEjVgftcrVKa9aYw0IhEenGR7Fb
+RI5cNxEwvZzznMKJY9+6GgnW5ZWgP4cQtcwcN76ZwffT6KqgzW8HXe9qgtrvO1s+
+m1nF9QONhnds3UF6rlnDXEh1ijQT4bdZFN7DYdOYB5Dogz64m7xNPjauf3GxjoJQ
+Wvo4kITUT7ZozHKYkFNClBhAreHGKKXTYSPNR4WaYk68Bm5cpzag8JyqvomVVIG5
+jLEHgcs45huQu3C0X8S1Zhyuq473eu6dcD0siZANfLAL7BqfEziy2rEl/yi+fiBO
+gIQUK5vENXhkKpklKh5/kKcoHvFRHxizzzs8kzFULyKguB2/
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec
new file mode 100644
index 0000000000..d8420898e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Not Yet Valid Test Intermediate
+subject:Test End-entity with not yet valid issuer
+extension:subjectAlternativeName:notyetvalidissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem
new file mode 100644
index 0000000000..f4443200c3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUDSf/lOOZ4V0Gb58AN+U6PKy62ewwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNuc0NlcnRUeXBlIENyaXRpY2FsMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+oz0wOzAjBgNVHREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wFAYJYIZI
+AYb4QgEBAQH/BAQDAgZAMA0GCSqGSIb3DQEBCwUAA4IBAQBrmPjEIYc0sjzfJWQK
+Qr+PTBzyfm1c18ekTdfRlxodCEiFdQGTgpjBRfNTj4jx/6UUgt8qE7HGZaWBa92G
+wn3+SAIgpXKlFPUgcsCLIHKkkidiAvG7I2NuwKFW6Ds7CC+rYb1+dGIsGwWoEUKs
+q3MAMnN/WaVytbXmGJOn7JuylT4tg/v194aaod1CASFbW/NeXfD+4qihfdxD1uFS
+3+555cnftKaJknQ6UJg9HjmJHt6dIzwNJmakC45j9S7NLRCeqirSo+xyQhyWv/MJ
+CGC6CLowsYAFhaYcXiZHKoqqdJFvbzIoindgbrL/WJlrs5KAj7NfOT+6Z1urM8DV
+C+yD
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec
new file mode 100644
index 0000000000..b236bdea47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:nsCertType Critical
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType[critical]:sslServer
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem
new file mode 100644
index 0000000000..1dc16fce4c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgIUMX3oAhLN9HzYX/0s5uMASiDn0cEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRuc0NlcnRUeXBlIENyaXRpY2FsIFdpdGgg
+ZXh0S2V5VXNhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjXTBbMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5l
+eGFtcGxlLmNvbTAUBglghkgBhvhCAQEBAf8EBAMCBkAwCQYDVR0TBAIwADATBgNV
+HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAocIgdBUfN8SorCuR
+vKmCZXPIJmN+0p4Rnnej9gPQ+IA3IbZNTabH6Fhxp0oykrqL0pelVqtG7YHBDiUU
+z2zOTXn80JaAn5JYao0nX5G9z7RokUNUrbZEDzXZASLa+qmdp2WrWR8QbuvtnCTP
+jlWoLeRYQI3jkexfj2Pnvf2O5RqZiYNcDu4qtZq7Eo5HcmMC3EHuMzBqXpz2odev
+qo2QxFXv82YLq93BiblDrNNTDowlh7U01h317XITFpfQM760aGyk1aD6tIwonH6S
+yMwuySzR6N2s9Y2RWGWXa/cGpLX9QYrTDAkxtx7xRp1Hs+k+WzppeyGqh3iGDY/i
+UB7D5w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..0ae63e20f2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Test CA
+subject:nsCertType Critical With extKeyUsage
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType[critical]:sslServer
+extension:basicConstraints:,
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem
new file mode 100644
index 0000000000..e9bfb4e163
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUBXr5v2qiHAIVr8pYXkv4ye0vM1owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAiMSAwHgYDVQQDDBduc0NlcnRUeXBlIE5vdCBDcml0aWNhbDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaM6MDgwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMBEG
+CWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAQEADrpPjAg6e7Y8viSh
+lreRTbaDtyArZ9OoUi5ZmaXgNQ+LaiE06dYBVIhMKAWG8Z0Sn7Hyy2PEzmoPbmbJ
+69vIMQnQoyV/HwPBRNpjHOqLrTKMKq0NqvUXjRhlgwNxAFRyZipMZWXc1dLnJ8ds
+I+tviCJQ8RDXQplqNX6rkpkEVu5GF6DR6Cu1VkrUCPQFuQA9Gb/ypwP5PLZzm0O5
+plo19+FTfwALxx1rMf1jUf7DxLNmyuvzV+QI/nl8ZKSuSRYzKsaDRu7EBA3jmAfs
+lKY4e+Z942WzAdpQuVTYXr3kTkYnAXzJKAm3/LRywjFIa7VubWW+QP6g6X4egJJt
+tDaTNQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec
new file mode 100644
index 0000000000..a44a1feeef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:nsCertType Not Critical
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType:sslServer
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem
new file mode 100644
index 0000000000..0800392546
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIUD6kl6/p1UXrkOAxhdpHbYa+B+oQwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAnMSUwIwYDVQQDDBxXcm9uZyBDQSBQaW4gVGVzdCBF
+bmQtRW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJ
+n3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYCl
+HDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzS
+pss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2
+mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq
+0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZV
+Lx0eGR1xIWjTuwIDAQABo4GtMIGqMHQGA1UdEQRtMGuCKCouaW5jbHVkZS1zdWJk
+b21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5z
+LnBpbm5pbmcuZXhhbXBsZS5jb22CFSoucGlubmluZy5leGFtcGxlLmNvbTAyBggr
+BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8w
+DQYJKoZIhvcNAQELBQADggEBAErLSH+7N6ftHfZ87G+BinL+g4W8LNUEVzdqYqjy
+yz+QePPG61tK81VZbfVjZmpBri1W3Xlexd0r7I1q8HWixc3r9qzQoUFnAdl1pdy+
+sGQZEV4ltMeVHFUBIM7J23556k+PFNvi98JhHanLiJl9xVbxikXHbpRYBGws+DaX
+8fp3Ube23AOtg+OXKWTF8bR9ogk60S7gzyqr3g6UbaGmB1q8w0rqYy2UhtOxkFws
+KyIAECe2zEqmQPPmGxc7wziTk/4BrWGhciVUN5OVoEByQZRe0X5DvVA8qdGqKNn7
+7+DxbRh2DAHbkgTMb8r/EVoWD/tH5k+Q9GeWjvHQFmijDO8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec
new file mode 100644
index 0000000000..a905a66ac2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Other test CA
+subject:Wrong CA Pin Test End-Entity
+issuerKey:alternate
+subjectKey:alternate
+extension:subjectAlternativeName:*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
new file mode 100644
index 0000000000..abde350c28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq
+Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC
+RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH
+BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm
+JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW
+8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z
+HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw
+aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL
+GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH
+R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8
+/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q
+5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ
+xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG
+8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l
+Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ
++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk
+IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52
+TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH
+4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY
+T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM
+RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x
+hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8
+oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS
+vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6
+S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r
+KVFR3kS3f+Vaew3yceGaZcA=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec
new file mode 100644
index 0000000000..cbd5f309c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec
@@ -0,0 +1 @@
+alternate
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem
new file mode 100644
index 0000000000..a2e264030a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY
+DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw
+bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM
+AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql
+kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC
+IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP
+dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ
+gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9
+VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5
+yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU
+egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN
+/48Nd38VNofRojEbzDSCdOFmow==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec
new file mode 100644
index 0000000000..3bc975aa22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Other test CA
+subject:Other test CA
+issuerKey:alternate
+subjectKey:alternate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem
new file mode 100644
index 0000000000..93c9f2b7b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIUfQsw0KaNy/+nFopuWJ+eEKJSw4QwDQYJKoZIhvcNAQEL
+BQAwMzExMC8GA1UEAwwoVGVzdCBTZWxmLXNpZ25lZCBFbmQtZW50aXR5IHdpdGgg
+Q0EgdHJ1ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAzMTEw
+LwYDVQQDDChUZXN0IFNlbGYtc2lnbmVkIEVuZC1lbnRpdHkgd2l0aCBDQSB0cnVl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABo4GAMH4wDAYDVR0TBAUwAwEB/zAyBggrBgEFBQcBAQQmMCQwIgYIKwYB
+BQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wOgYDVR0RBDMwMYIvc2VsZi1z
+aWduZWQtZW5kLWVudGl0eS13aXRoLWNBLXRydWUuZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAFtRAr+7ZMSCq6UBxDOil0vEPuaTHs+Jc7NlcBSnaOF7mxNV
+fgSzqNuhPm9FSORyVl3PT/JG8i5bAbOUgYgylKijTQwjeA0crDs0CWIbFkxCU1MB
+3x2audEKq/LYhDk/6n6w8P8gYk+jpcYdgysF6B6iikopLnvo5tqQe/zOqVAR2glD
+wzwT7XfC8v7lqUjFIT5838CecYkcMnmj+Edsd7PWC9EZddx47web0Ovo1slNX414
+3jAfEj37mHP71kFghKl1ReqWo9XZcjMsJeYyIOQroKx+Lqu5F2Nd0fO16ht2jw4E
+uPoT3pX7+dHGg61S0HGuBEuBz03wQGjW9L5oBdo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec
new file mode 100644
index 0000000000..0ca92d7fd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test Self-signed End-entity with CA true
+subject:Test Self-signed End-entity with CA true
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:self-signed-end-entity-with-cA-true.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem
new file mode 100644
index 0000000000..3bbcce4046
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIUSQmAnLg5f7XHJpXMHGoQVthOx7AwDQYJKoZIhvcNAQEL
+BQAwNTEzMDEGA1UEAwwqU2VsZi1zaWduZWQgSW5hZGVxdWF0ZSBFS1UgVGVzdCBF
+bmQtZW50aXR5MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMDUx
+MzAxBgNVBAMMKlNlbGYtc2lnbmVkIEluYWRlcXVhdGUgRUtVIFRlc3QgRW5kLWVu
+dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaOBijCBhzALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwLwYDVR0RBCgwJoIkc2VsZnNpZ25lZC1pbmFkZXF1YXRlRUtVLmV4YW1wbGUu
+Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z
+dDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEARyCZt6R4Gd4XDq4rARZJAKicReWt
+4XBbZZpJKtuG3qyGfWT4dUHITywT8FtJ95ZBqQi8hbtQl/PUiPHJPweqARxQJYRh
+bW46XMD50EYwwfXaauGHRDwgyI7f1LLf974noLxOMffT2P77DvRgyJvr+PRFhVa3
+gppOcosxRK1qpeTucDLZP9P01SNWFMn7KNPLYvgQnUQismn+IaWoAwe3FIjBBzfx
+a/BqntkJ6Qwf4+5mzX2EpTHvHNtS4BbExGIFUS+z3pgJSPSgt/YGEMf1w/uw+/j2
+L/IMcLZEVy4L5Czniv+654xQw9JdZFJGBIbq7FJGgWOBfrTwGMzklfl1sQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec
new file mode 100644
index 0000000000..477b90ce14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Self-signed Inadequate EKU Test End-entity
+subject:Self-signed Inadequate EKU Test End-entity
+extension:keyUsage:keyEncipherment,dataEncipherment
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:selfsigned-inadequateEKU.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem
new file mode 100644
index 0000000000..32fd470ccd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh+gAwIBAgIUGZ2ix8Hh3MVHJ9kcaWmxnkd38XQwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt
+c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNZMFcwIQYDVR0RBBowGIIWc2Vs
+ZnNpZ25lZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGG
+Fmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAC/9ZxxK
+Vx6csyDDJ+V37GyDRvbeU6Au6ZKnHqwx8+FONm1VWxFwU4o6uu4T4uBhhIXu/e+y
+WXPDRIpbhF+nPEZm1if9Ay02SbvLUf7FX9oI+Xls/53aF3HhYiCF3n2GZisWGHqH
+QqNHtlFg1cw44Jq8v2DXaLWO3vuEbdE+r2dvg6yIR0I6qp6H9e32S/SAqt8dFr/p
+t80RiP5cur6VHKwmBDK7qmnVzuSu1q2LMhPqoQ8eLvyh/jtDVxZhFcpC/9rCI6nR
+jjVFxnq8nYlBKd/wcvYgCFBXPiqpga9454vttE4tFrOfYIoPb9Ir9MfY0zV7CG/m
+NDPuAIgMwfzxm1E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec
new file mode 100644
index 0000000000..99a814be17
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Self-signed Test End-entity
+subject:Self-signed Test End-entity
+extension:subjectAlternativeName:selfsigned.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem
new file mode 100644
index 0000000000..fcbb0fcb29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP6dLBbQh604kiwoRPLpqmHj72UQwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAP1Cj8YbMVIjc
+8gaNVwru/NzEZsKjsxt6Iv0iWtHgexzoZnj82GzzgpnEtNz8bfTQvaImdkCHXYoV
+wt7BY9ocZBacAPB3QMKF4prgkxwfD+ub6ckbf61o9Vq2aCZdFqO6ef3ji5dkWYBb
+zfuQhmVU3RIvl09ajs4PPDmYp3ebiax2xVcBlP+fuDAeRX5y60yJf6eyNCVbC3M6
+OilriARv855NdhLWagwGX24+dP70HZUvISi/xSW+DNHWndqf1DcCnLreFEDq8F80
+hMCFsmJJEu0uqVFGQfItYlywBC0DJ3EU6votzgMuNa4rGBrMUJnHhzoEE0ISnrWk
+iAobTR3jsQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem b/security/manager/ssl/tests/unit/bad_certs/test-int.pem
new file mode 100644
index 0000000000..08249b863e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec
new file mode 100644
index 0000000000..33b42c2f41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem
new file mode 100644
index 0000000000..377ecbbbdc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIUMxuPzWMHzKzQQwd8E1ijpVtpcH4wDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg
+RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV
+HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl
+ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93
+bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAGculg20nonBLeYKqiSmjpxTvwZ9RwB/nuFIb9oC1SnKOIzs
+SuYKcYNIiFz744TuNus+1ueSQV3AWXqj4wDdCS1C+Fx/tQ80Omk0B3JeViHiFEiR
+WDA0U0iYEwmsdMaAVor6JD1TGkCeYvO4g/jOv0B9X/vDi238jX/fdC0KihL8JD80
+aq59kCMglwRBwKYwz1kNxEA79ePrqZT533uQabX/Ll+K/BwBfbWV9+hhK4uYC/o0
+kGszNAyf6R6CU2UwDu+Pn4y+9HLcmiKvuzr4B6sHr64zPjC0Z9Nao/5oI6XqUvTT
+JLCvPwlTfU/hsrF00pJj0lnPR0KMfvKRXWbZmzs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec
new file mode 100644
index 0000000000..a735c730ca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate to delete
+subject:Test End-entity from unknown issuer
+extension:subjectAlternativeName:unknownissuer.example.com,unknownissuer.include-subdomains.pinning.example.com,unknownissuer.test-mode.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem
new file mode 100644
index 0000000000..921d14583f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh6gAwIBAgIUGTh5myT/JfbNsso9a1ZhGr8B11gwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY
+DzIwMTMwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFVbnRydXN0ZWQtRXhwaXJlZCBU
+ZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjYDBeMCgGA1UdEQQhMB+CHXVudHJ1c3RlZC1l
+eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAMktkDNyd
+MHFk4K4dcOfi0McOkxvdZW6/Nqts51scx8A3q8sT5pdW3ftBjvN7O+3c1cNGoThG
+9SA6uLDV2NT2EQp65yxMZe8j1OHX3qybqZ/RVY5r7VHF4JDsPHHXsgew5+CRGraj
+MTIFUqmgAYLMcv74vB0OLIt3JL4XnHVP7atULMLJrOP8QUmkUhZ49MDqyslN0i6w
+X7KwhdM00+JKadqUFqOAfhacMHsH5ErsQ3LXrQRMJiFoaVbElMy9e/jJmY7rg4pw
+0EMnkt+Vj650FkWsCnLndBia+6z+81L4EZ7uwBeeks2fYhXt85qqkuzmZq2T2diu
+ArcEblKIbUYlVg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec
new file mode 100644
index 0000000000..3efd1ce677
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Other test CA
+subject:Untrusted-Expired Test End-entity
+validity:20110101-20130101
+extension:subjectAlternativeName:untrusted-expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem
new file mode 100644
index 0000000000..6eda8824a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgIUBe5wWr83A+8lSC5HkQNZYb72bQEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVUZXN0IEVuZC1lbnRpdHkgd2l0
+aCB1bnRydXN0ZWQgaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo14wXDAmBgNVHREEHzAdght1bnRydXN0
+ZWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB
+hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBn159y
+BlQmPzzd33Rc8xiLFgS2uaHl2952Il/ab1DueGEsNVlMqFcfU1sQAMmDWIVJaDCg
+FQj+HCFy/oKEepWAi3JarAHdJyQ9yYOHJ8BQ4XZ1pUynYlqM50Xki6uy6h3Z2qi0
+20vT4OdDjJ+9O9KZtPGpJ0l8RcA5Ej4bJysMZMaMvw08bD8tUwYpTmWjjuIWCZiC
+RmbbDs5rxlwm3bvcrDosoyI0N0H1e8dMRUu4ekhHn8BxenkWkEDhuvAUgwkVndLU
+hgoEhqz4MF/96z1Q4PbfgHs/TTtxJtk5pwuUhslbmwBnIcetde/BtYVrYvnpJeOJ
+tA19xaSpeQEm4Igh
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec
new file mode 100644
index 0000000000..5ba0bc2535
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Other test CA
+subject:Test End-entity with untrusted issuer
+extension:subjectAlternativeName:untrustedissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem
new file mode 100644
index 0000000000..36296ac616
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFG/3/opLWM4t4VPXRjmVR1GM24sGMA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEjEQMA4GA1UEAwwHVjEgQ2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEASPsKZ/FaOpFAgLjGCbqV7MYimvQMcubQHuNle+X1Qv97rqW9pr0ojrAWydkL
+b/gYs/SMpBy8JBlR5cnaHuh4BpSyGX2qj5MW+dE/EptcpxegjGGdS/194FRtGjE0
+xAk0niJFgCvt2v6lE24EeZmDecYhchO/HY+OzuNk8ogze+W3YBJDfR0qrBglOW6+
+hPfxtxWs85zwKr3/prtUD8IiAnhCy0uu/FR8x0qelH2VpS7tsDKtwSdcc3uCtoup
+gshHVQz3HMt8WZ6d5SIUZpZcbXmoYqmsKOQMYm2+AM+FKEFl0rU05EudOqL4q0sn
+nNjDkuOBdXNt4WzEniGIChWzRw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec
new file mode 100644
index 0000000000..7824630bbc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:V1 Cert
+version:1
diff --git a/security/manager/ssl/tests/unit/corrupted_crlite_helper.js b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js
new file mode 100644
index 0000000000..2587c5dad9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js
@@ -0,0 +1,103 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Helper file for tests that initialize CRLite with corrupted `security_state`
+// files.
+//
+// Usage:
+// Define nsILocalFile variables for the `crlite.filter`, `crlite.coverage`,
+// and `crlite.enrollment` files that should be copied to the new profile, and
+// then load this file. The variables should be called `filter`, `coverage`,
+// and `enrollment`, respectively. To omit a file, leave the corresponding
+// variable `undefined`.
+//
+// Example:
+// let filter = do_get_file("some_test_dir/crlite.filter");
+// let coverage = undefined;
+// let enrollment = do_get_file("some_test_dir/crlite.enrollment");
+// load("./corrupted_crlite_helper.js");
+//
+// Note:
+// The cert_storage library only attempts to read security_state once. So
+// this task can only be included once per test file.
+
+"use strict";
+
+/* eslint-disable no-undef */
+
+add_task(async function test_crlite_corrupted() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ if (coverage != undefined) {
+ coverage.copyTo(securityStateDirectory, "crlite.coverage");
+ }
+ if (enrollment != undefined) {
+ enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+ }
+ if (filter != undefined) {
+ filter.copyTo(securityStateDirectory, "crlite.filter");
+ }
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+ // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+ // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // The issuer's certificate needs to be available for path building.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+
+ // If we copied a corrupted file to security_state, then CRLite should not be
+ // initialized, and we should fall back to OCSP. By setting
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY here we skip the OCSP test, so there's no
+ // revocation checking, and the revoked certificate should pass inspection.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // We should not have a filter or a stash.
+ let hasFilter = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasFilter, false, "CRLite should not have a filter");
+
+ let hasStash = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasStash, false, "CRLite should not have a stash");
+});
diff --git a/security/manager/ssl/tests/unit/crlite_enrollment_id.py b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
new file mode 100755
index 0000000000..2deb5ad379
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
@@ -0,0 +1,33 @@
+#!/usr/bin/python
+
+# Given a PEM encoded X.509 certificate, outputs
+# base64(SHA256(subject || spki))
+# where `subject` is the RFC 5280 RDNSequence encoding
+# the certificate's subject, and `spki` is the RFC 5280
+# SubjectPublicKeyInfo field encoding the certificate's
+# public key.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+if len(sys.argv) != 2:
+ print(f"Usage: {sys.argv[0]} <path to pem cert>")
+ sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+ cert = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+subj = cert.subject.public_bytes()
+spki = cert.public_key().public_bytes(
+ format=serialization.PublicFormat.SubjectPublicKeyInfo,
+ encoding=serialization.Encoding.DER,
+)
+
+digest = hashes.Hash(hashes.SHA256(), backend=None)
+digest.update(subj)
+digest.update(spki)
+print(base64.b64encode(digest.finalize()).decode("utf-8"))
diff --git a/security/manager/ssl/tests/unit/crlite_key.py b/security/manager/ssl/tests/unit/crlite_key.py
new file mode 100755
index 0000000000..53d2b2aeaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_key.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+
+# Given PEM encoded X.509 certificates Issuer and Subscriber,
+# outputs the urlsafe base64 encoding of the SHA256 hash of
+# the Issuer's SubjectPublicKeyInfo, and the ascii hex encoding
+# of the Subscriber's serial number.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+
+def uint_to_serial_bytes(a):
+ # Encode the non-negative integer |a| as a DER integer without the leading
+ # tag and length prefix. The DER encoding of |a| is the shortest octet
+ # string that encodes |a| in big endian two's complement form.
+ assert a >= 0
+
+ # Since |a| is non-negative, the shortest bit string that encodes it in
+ # big-endian two's complement form has a leading 0 bit. Positive python
+ # integers have a `bit_length` method that gives the index of the leading 1
+ # bit. The minimal two's complement bit length is one more than this.
+ #
+ # NB: Python defines |int(0).bit_length() == 0|. The other cases are more
+ # intuitive; for integers x and k with x >= 0 and k > 0 with 2**k > x we
+ # have |int(2**k + x).bit_length() == k+1|.
+ bit_len = 1 + a.bit_length()
+ byte_len = (bit_len + 7) // 8
+ return a.to_bytes(byte_len, byteorder="big", signed=False)
+
+
+if len(sys.argv) != 3:
+ print(f"Usage: {sys.argv[0]} <path to issuer cert> <path to subscriber cert>")
+ sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+ issuer = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+with open(sys.argv[2], "r") as f:
+ subscriber = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+assert issuer.subject.public_bytes() == subscriber.issuer.public_bytes()
+
+issuer_spki = issuer.public_key().public_bytes(
+ format=serialization.PublicFormat.SubjectPublicKeyInfo,
+ encoding=serialization.Encoding.DER,
+)
+hasher = hashes.Hash(hashes.SHA256(), backend=None)
+hasher.update(issuer_spki)
+issuer_spki_hash = hasher.finalize()
+
+subscriber_serial = uint_to_serial_bytes(int(subscriber.serial_number))
+
+print(base64.urlsafe_b64encode(issuer_spki_hash).decode("utf-8"))
+print(subscriber_serial.hex())
diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js
new file mode 100644
index 0000000000..d34c7fdc1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -0,0 +1,1247 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+const { AppConstants } = ChromeUtils.importESModule(
+ "resource://gre/modules/AppConstants.sys.mjs"
+);
+const { ctypes } = ChromeUtils.importESModule(
+ "resource://gre/modules/ctypes.sys.mjs"
+);
+const { FileUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/FileUtils.sys.mjs"
+);
+const { HttpServer } = ChromeUtils.importESModule(
+ "resource://testing-common/httpd.sys.mjs"
+);
+const { MockRegistrar } = ChromeUtils.importESModule(
+ "resource://testing-common/MockRegistrar.sys.mjs"
+);
+const { NetUtil } = ChromeUtils.importESModule(
+ "resource://gre/modules/NetUtil.sys.mjs"
+);
+const { XPCOMUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/XPCOMUtils.sys.mjs"
+);
+
+const { X509 } = ChromeUtils.importESModule(
+ "resource://gre/modules/psm/X509.sys.mjs"
+);
+
+const gIsDebugBuild = Cc["@mozilla.org/xpcom/debug;1"].getService(
+ Ci.nsIDebug2
+).isDebugBuild;
+
+// The test EV roots are only enabled in debug builds as a security measure.
+const gEVExpected = gIsDebugBuild;
+
+const CLIENT_AUTH_FILE_NAME = "ClientAuthRememberList.bin";
+const SSS_STATE_FILE_NAME = "SiteSecurityServiceState.bin";
+const SSS_STATE_OLD_FILE_NAME = "SiteSecurityServiceState.txt";
+const CERT_OVERRIDE_FILE_NAME = "cert_override.txt";
+
+const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
+const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
+const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
+
+// This isn't really a valid PRErrorCode, but is useful for signalling that
+// a test is expected to succeed.
+const PRErrorCodeSuccess = 0;
+
+// Sort in numerical order
+const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8;
+const SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9;
+const SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10;
+const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
+const SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12;
+const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
+const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20;
+const SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21;
+const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
+const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
+const SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = SEC_ERROR_BASE + 41;
+const SEC_ERROR_PKCS7_BAD_SIGNATURE = SEC_ERROR_BASE + 47;
+const SEC_ERROR_INADEQUATE_KEY_USAGE = SEC_ERROR_BASE + 90;
+const SEC_ERROR_INADEQUATE_CERT_TYPE = SEC_ERROR_BASE + 91;
+const SEC_ERROR_CERT_NOT_IN_NAME_SPACE = SEC_ERROR_BASE + 112;
+const SEC_ERROR_CERT_BAD_ACCESS_LOCATION = SEC_ERROR_BASE + 117;
+const SEC_ERROR_OCSP_MALFORMED_REQUEST = SEC_ERROR_BASE + 120;
+const SEC_ERROR_OCSP_SERVER_ERROR = SEC_ERROR_BASE + 121;
+const SEC_ERROR_OCSP_TRY_SERVER_LATER = SEC_ERROR_BASE + 122;
+const SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = SEC_ERROR_BASE + 123;
+const SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = SEC_ERROR_BASE + 124;
+const SEC_ERROR_OCSP_UNKNOWN_CERT = SEC_ERROR_BASE + 126;
+const SEC_ERROR_OCSP_MALFORMED_RESPONSE = SEC_ERROR_BASE + 129;
+const SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = SEC_ERROR_BASE + 130;
+const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132;
+const SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = SEC_ERROR_BASE + 141;
+const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
+const SEC_ERROR_POLICY_VALIDATION_FAILED = SEC_ERROR_BASE + 160;
+const SEC_ERROR_OCSP_BAD_SIGNATURE = SEC_ERROR_BASE + 157;
+const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
+
+const SSL_ERROR_NO_CYPHER_OVERLAP = SSL_ERROR_BASE + 2;
+const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
+const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
+const SSL_ERROR_WEAK_SERVER_CERT_KEY = SSL_ERROR_BASE + 132;
+const SSL_ERROR_DC_INVALID_KEY_USAGE = SSL_ERROR_BASE + 184;
+
+const SSL_ERROR_ECH_RETRY_WITH_ECH = SSL_ERROR_BASE + 188;
+const SSL_ERROR_ECH_RETRY_WITHOUT_ECH = SSL_ERROR_BASE + 189;
+const SSL_ERROR_ECH_FAILED = SSL_ERROR_BASE + 190;
+const SSL_ERROR_ECH_REQUIRED_ALERT = SSL_ERROR_BASE + 191;
+
+const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
+const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY =
+ MOZILLA_PKIX_ERROR_BASE + 1;
+const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2;
+const MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = MOZILLA_PKIX_ERROR_BASE + 3;
+const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE =
+ MOZILLA_PKIX_ERROR_BASE + 5;
+const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE =
+ MOZILLA_PKIX_ERROR_BASE + 6;
+const MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING =
+ MOZILLA_PKIX_ERROR_BASE + 8;
+const MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING =
+ MOZILLA_PKIX_ERROR_BASE + 10;
+const MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = MOZILLA_PKIX_ERROR_BASE + 12;
+const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED =
+ MOZILLA_PKIX_ERROR_BASE + 13;
+const MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = MOZILLA_PKIX_ERROR_BASE + 14;
+const MOZILLA_PKIX_ERROR_MITM_DETECTED = MOZILLA_PKIX_ERROR_BASE + 15;
+
+// Supported Certificate Usages
+const certificateUsageSSLClient = 0x0001;
+const certificateUsageSSLServer = 0x0002;
+const certificateUsageSSLCA = 0x0008;
+const certificateUsageEmailSigner = 0x0010;
+const certificateUsageEmailRecipient = 0x0020;
+
+// A map from the name of a certificate usage to the value of the usage.
+// Useful for printing debugging information and for enumerating all supported
+// usages.
+const allCertificateUsages = {
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageSSLCA,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+};
+
+const NO_FLAGS = 0;
+
+const CRLiteModeDisabledPrefValue = 0;
+const CRLiteModeTelemetryOnlyPrefValue = 1;
+const CRLiteModeEnforcePrefValue = 2;
+const CRLiteModeConfirmRevocationsValue = 3;
+
+// Convert a string to an array of bytes consisting of the char code at each
+// index.
+function stringToArray(s) {
+ let a = [];
+ for (let i = 0; i < s.length; i++) {
+ a.push(s.charCodeAt(i));
+ }
+ return a;
+}
+
+// Converts an array of bytes to a JS string using fromCharCode on each byte.
+function arrayToString(a) {
+ let s = "";
+ for (let b of a) {
+ s += String.fromCharCode(b);
+ }
+ return s;
+}
+
+// Commonly certificates are represented as PEM. The format is roughly as
+// follows:
+//
+// -----BEGIN CERTIFICATE-----
+// [some lines of base64, each typically 64 characters long]
+// -----END CERTIFICATE-----
+//
+// However, nsIX509CertDB.constructX509FromBase64 and related functions do not
+// handle input of this form. Instead, they require a single string of base64
+// with no newlines or BEGIN/END headers. This is a helper function to convert
+// PEM to the format that nsIX509CertDB requires.
+function pemToBase64(pem) {
+ return pem
+ .replace(/-----BEGIN CERTIFICATE-----/, "")
+ .replace(/-----END CERTIFICATE-----/, "")
+ .replace(/[\r\n]/g, "");
+}
+
+function build_cert_chain(certNames, testDirectory = "bad_certs") {
+ let certList = [];
+ certNames.forEach(function (certName) {
+ let cert = constructCertFromFile(`${testDirectory}/${certName}.pem`);
+ certList.push(cert);
+ });
+ return certList;
+}
+
+function areCertsEqual(certA, certB) {
+ let derA = certA.getRawDER();
+ let derB = certB.getRawDER();
+ if (derA.length != derB.length) {
+ return false;
+ }
+ for (let i = 0; i < derA.length; i++) {
+ if (derA[i] != derB[i]) {
+ return false;
+ }
+ }
+ return true;
+}
+
+function areCertArraysEqual(certArrayA, certArrayB) {
+ if (certArrayA.length != certArrayB.length) {
+ return false;
+ }
+
+ for (let i = 0; i < certArrayA.length; i++) {
+ const certA = certArrayA[i];
+ const certB = certArrayB[i];
+ if (!areCertsEqual(certA, certB)) {
+ return false;
+ }
+ }
+ return true;
+}
+
+function readFile(file) {
+ let fstream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance(
+ Ci.nsIFileInputStream
+ );
+ fstream.init(file, -1, 0, 0);
+ let available = fstream.available();
+ let data =
+ available > 0 ? NetUtil.readInputStreamToString(fstream, available) : "";
+ fstream.close();
+ return data;
+}
+
+function addCertFromFile(certdb, filename, trustString) {
+ let certFile = do_get_file(filename, false);
+ let certBytes = readFile(certFile);
+ try {
+ return certdb.addCert(certBytes, trustString);
+ } catch (e) {}
+ // It might be PEM instead of DER.
+ return certdb.addCertFromBase64(pemToBase64(certBytes), trustString);
+}
+
+function constructCertFromFile(filename) {
+ let certFile = do_get_file(filename, false);
+ let certBytes = readFile(certFile);
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ try {
+ return certdb.constructX509(stringToArray(certBytes));
+ } catch (e) {}
+ // It might be PEM instead of DER.
+ return certdb.constructX509FromBase64(pemToBase64(certBytes));
+}
+
+function setCertTrust(cert, trustString) {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ certdb.setCertTrustFromString(cert, trustString);
+}
+
+function getXPCOMStatusFromNSS(statusNSS) {
+ let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"].getService(
+ Ci.nsINSSErrorsService
+ );
+ return nssErrorsService.getXPCOMFromNSSError(statusNSS);
+}
+
+// Helper for checkCertErrorGenericAtTime
+class CertVerificationExpectedErrorResult {
+ constructor(certName, expectedError, expectedEVStatus, resolve) {
+ this.certName = certName;
+ this.expectedError = expectedError;
+ this.expectedEVStatus = expectedEVStatus;
+ this.resolve = resolve;
+ }
+
+ verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+ equal(
+ aPRErrorCode,
+ this.expectedError,
+ `verifying ${this.certName}: should get error ${this.expectedError}`
+ );
+ if (this.expectedEVStatus != undefined) {
+ equal(
+ aHasEVPolicy,
+ this.expectedEVStatus,
+ `verifying ${this.certName}: ` +
+ `should ${this.expectedEVStatus ? "be" : "not be"} EV`
+ );
+ }
+ this.resolve();
+ }
+}
+
+// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
+// In particular, hostname is optional.
+function checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedError,
+ usage,
+ time,
+ /* optional */ isEVExpected,
+ /* optional */ hostname,
+ /* optional */ flags = NO_FLAGS
+) {
+ return new Promise((resolve, reject) => {
+ let result = new CertVerificationExpectedErrorResult(
+ cert.commonName,
+ expectedError,
+ isEVExpected,
+ resolve
+ );
+ certdb.asyncVerifyCertAtTime(cert, usage, flags, hostname, time, result);
+ });
+}
+
+// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
+// In particular, hostname is optional.
+function checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedError,
+ usage,
+ /* optional */ isEVExpected,
+ /* optional */ hostname
+) {
+ let now = new Date().getTime() / 1000;
+ return checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedError,
+ usage,
+ now,
+ isEVExpected,
+ hostname
+ );
+}
+
+function checkEVStatus(certDB, cert, usage, isEVExpected) {
+ return checkCertErrorGeneric(
+ certDB,
+ cert,
+ PRErrorCodeSuccess,
+ usage,
+ isEVExpected
+ );
+}
+
+function _getLibraryFunctionWithNoArguments(
+ functionName,
+ libraryName,
+ returnType
+) {
+ // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
+ let path = ctypes.libraryName(libraryName);
+
+ // XXX really want to be able to pass specific dlopen flags here.
+ let nsslib;
+ try {
+ nsslib = ctypes.open(path);
+ } catch (e) {
+ // In case opening the library without a full path fails,
+ // try again with a full path.
+ let file = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ file.append(path);
+ nsslib = ctypes.open(file.path);
+ }
+
+ let SECStatus = ctypes.int;
+ let func = nsslib.declare(
+ functionName,
+ ctypes.default_abi,
+ returnType || SECStatus
+ );
+ return func;
+}
+
+function clearOCSPCache() {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ certdb.clearOCSPCache();
+}
+
+function clearSessionCache() {
+ let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+ nssComponent.clearSSLExternalAndInternalSessionCache();
+}
+
+function getSSLStatistics() {
+ let SSL3Statistics = new ctypes.StructType("SSL3Statistics", [
+ { sch_sid_cache_hits: ctypes.long },
+ { sch_sid_cache_misses: ctypes.long },
+ { sch_sid_cache_not_ok: ctypes.long },
+ { hsh_sid_cache_hits: ctypes.long },
+ { hsh_sid_cache_misses: ctypes.long },
+ { hsh_sid_cache_not_ok: ctypes.long },
+ { hch_sid_cache_hits: ctypes.long },
+ { hch_sid_cache_misses: ctypes.long },
+ { hch_sid_cache_not_ok: ctypes.long },
+ { sch_sid_stateless_resumes: ctypes.long },
+ { hsh_sid_stateless_resumes: ctypes.long },
+ { hch_sid_stateless_resumes: ctypes.long },
+ { hch_sid_ticket_parse_failures: ctypes.long },
+ ]);
+ let SSL3StatisticsPtr = new ctypes.PointerType(SSL3Statistics);
+ let SSL_GetStatistics = null;
+ try {
+ SSL_GetStatistics = _getLibraryFunctionWithNoArguments(
+ "SSL_GetStatistics",
+ "ssl3",
+ SSL3StatisticsPtr
+ );
+ } catch (e) {
+ // On Windows, this is actually in the nss3 library.
+ SSL_GetStatistics = _getLibraryFunctionWithNoArguments(
+ "SSL_GetStatistics",
+ "nss3",
+ SSL3StatisticsPtr
+ );
+ }
+ if (!SSL_GetStatistics) {
+ throw new Error("Failed to get SSL statistics");
+ }
+ return SSL_GetStatistics();
+}
+
+// Set up a TLS testing environment that has a TLS server running and
+// ready to accept connections. This async function starts the server and
+// waits for the server to indicate that it is ready.
+//
+// Each test should have its own subdomain of example.com, for example
+// my-first-connection-test.example.com. The server can use the server
+// name (passed through the SNI TLS extension) to determine what behavior
+// the server side of the text should exhibit. See TLSServer.h for more
+// information on how to write the server side of tests.
+//
+// Create a new source file for your new server executable in
+// security/manager/ssl/tests/unit/tlsserver/cmd similar to the other ones in
+// that directory, and add a reference to it to the sources variable in that
+// directory's moz.build.
+//
+// Modify TEST_HARNESS_BINS in
+// testing/mochitest/Makefile.in and NO_PKG_FILES in
+// toolkit/mozapps/installer/packager.mk to make sure the new executable
+// gets included in the packages used for shipping the tests to the test
+// runners in our build/test farm. (Things will work fine locally without
+// these changes but will break on TBPL.)
+//
+// Your test script should look something like this:
+/*
+
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// <documentation on your test>
+
+function run_test() {
+ do_get_profile();
+ add_tls_server_setup("<test-server-name>", "<path-to-certificate-directory>");
+
+ add_connection_test("<test-name-1>.example.com",
+ SEC_ERROR_xxx,
+ function() { ... },
+ function(aTransportSecurityInfo) { ... },
+ function(aTransport) { ... });
+ [...]
+ add_connection_test("<test-name-n>.example.com", PRErrorCodeSuccess);
+
+ run_next_test();
+}
+*/
+
+function add_tls_server_setup(serverBinName, certsPath, addDefaultRoot = true) {
+ add_test(function () {
+ _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot);
+ });
+}
+
+/**
+ * Add a TLS connection test case.
+ *
+ * @param {string} aHost
+ * The hostname to pass in the SNI TLS extension; this should unambiguously
+ * identify which test is being run.
+ * @param {PRErrorCode} aExpectedResult
+ * The expected result of the connection. If an error is not expected, pass
+ * in PRErrorCodeSuccess.
+ * @param {Function} aBeforeConnect
+ * A callback function that takes no arguments that will be called before the
+ * connection is attempted.
+ * @param {Function} aWithSecurityInfo
+ * A callback function that takes an nsITransportSecurityInfo, which is called
+ * after the TLS handshake succeeds.
+ * @param {Function} aAfterStreamOpen
+ * A callback function that is called with the nsISocketTransport once the
+ * output stream is ready.
+ * @param {OriginAttributes} aOriginAttributes (optional)
+ * The origin attributes that the socket transport will have. This parameter
+ * affects OCSP because OCSP cache is double-keyed by origin attributes' first
+ * party domain.
+ *
+ * @param {OriginAttributes} aEchConfig (optional)
+ * A Base64-encoded ECHConfig. If non-empty, it will be configured to the client
+ * socket resulting in an Encrypted Client Hello extension being sent. The client
+ * keypair is ephermeral and generated within NSS.
+ */
+function add_connection_test(
+ aHost,
+ aExpectedResult,
+ aBeforeConnect,
+ aWithSecurityInfo,
+ aAfterStreamOpen,
+ /* optional */ aOriginAttributes,
+ /* optional */ aEchConfig
+) {
+ add_test(function () {
+ if (aBeforeConnect) {
+ aBeforeConnect();
+ }
+ asyncConnectTo(
+ aHost,
+ aExpectedResult,
+ aWithSecurityInfo,
+ aAfterStreamOpen,
+ aOriginAttributes,
+ aEchConfig
+ ).then(run_next_test);
+ });
+}
+
+async function asyncConnectTo(
+ aHost,
+ aExpectedResult,
+ /* optional */ aWithSecurityInfo = undefined,
+ /* optional */ aAfterStreamOpen = undefined,
+ /* optional */ aOriginAttributes = undefined,
+ /* optional */ aEchConfig = undefined
+) {
+ const REMOTE_PORT = 8443;
+
+ function Connection(host) {
+ this.host = host;
+ this.thread = Services.tm.currentThread;
+ this.defer = Promise.withResolvers();
+ let sts = Cc["@mozilla.org/network/socket-transport-service;1"].getService(
+ Ci.nsISocketTransportService
+ );
+ this.transport = sts.createTransport(
+ ["ssl"],
+ host,
+ REMOTE_PORT,
+ null,
+ null
+ );
+ if (aEchConfig) {
+ this.transport.setEchConfig(atob(aEchConfig));
+ }
+ // See bug 1129771 - attempting to connect to [::1] when the server is
+ // listening on 127.0.0.1 causes frequent failures on OS X 10.10.
+ this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6;
+ this.transport.setEventSink(this, this.thread);
+ if (aOriginAttributes) {
+ this.transport.originAttributes = aOriginAttributes;
+ }
+ this.inputStream = null;
+ this.outputStream = null;
+ this.connected = false;
+ }
+
+ Connection.prototype = {
+ // nsITransportEventSink
+ onTransportStatus(aTransport, aStatus, aProgress, aProgressMax) {
+ if (
+ !this.connected &&
+ aStatus == Ci.nsISocketTransport.STATUS_CONNECTED_TO
+ ) {
+ this.connected = true;
+ this.outputStream.asyncWait(this, 0, 0, this.thread);
+ }
+ },
+
+ // nsIInputStreamCallback
+ onInputStreamReady(aStream) {
+ try {
+ // this will throw if the stream has been closed by an error
+ let str = NetUtil.readInputStreamToString(aStream, aStream.available());
+ Assert.equal(str, "0", "Should have received ASCII '0' from server");
+ this.inputStream.close();
+ this.outputStream.close();
+ this.result = Cr.NS_OK;
+ } catch (e) {
+ this.result = e.result;
+ }
+ this.defer.resolve(this);
+ },
+
+ // nsIOutputStreamCallback
+ onOutputStreamReady(aStream) {
+ if (aAfterStreamOpen) {
+ aAfterStreamOpen(this.transport);
+ }
+ this.outputStream.write("0", 1);
+ let inStream = this.transport
+ .openInputStream(0, 0, 0)
+ .QueryInterface(Ci.nsIAsyncInputStream);
+ this.inputStream = inStream;
+ this.inputStream.asyncWait(this, 0, 0, this.thread);
+ },
+
+ go() {
+ this.outputStream = this.transport
+ .openOutputStream(0, 0, 0)
+ .QueryInterface(Ci.nsIAsyncOutputStream);
+ return this.defer.promise;
+ },
+ };
+
+ /* Returns a promise to connect to host that resolves to the result of that
+ * connection */
+ function connectTo(host) {
+ Services.prefs.setCharPref("network.dns.localDomains", host);
+ let connection = new Connection(host);
+ return connection.go();
+ }
+
+ return connectTo(aHost).then(async function (conn) {
+ info("handling " + aHost);
+ let expectedNSResult =
+ aExpectedResult == PRErrorCodeSuccess
+ ? Cr.NS_OK
+ : getXPCOMStatusFromNSS(aExpectedResult);
+ Assert.equal(
+ conn.result,
+ expectedNSResult,
+ "Actual and expected connection result should match"
+ );
+ if (aWithSecurityInfo) {
+ aWithSecurityInfo(
+ await conn.transport.tlsSocketControl.asyncGetSecurityInfo()
+ );
+ }
+ });
+}
+
+function _getBinaryUtil(binaryUtilName) {
+ let utilBin = Services.dirsvc.get("GreD", Ci.nsIFile);
+ // On macOS, GreD is .../Contents/Resources, and most binary utilities
+ // are located there, but certutil is in GreBinD (or .../Contents/MacOS),
+ // so we have to change the path accordingly.
+ if (binaryUtilName === "certutil") {
+ utilBin = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ }
+ utilBin.append(binaryUtilName + mozinfo.bin_suffix);
+ // If we're testing locally, the above works. If not, the server executable
+ // is in another location.
+ if (!utilBin.exists()) {
+ utilBin = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ while (utilBin.path.includes("xpcshell")) {
+ utilBin = utilBin.parent;
+ }
+ utilBin.append("bin");
+ utilBin.append(binaryUtilName + mozinfo.bin_suffix);
+ }
+ // But maybe we're on Android, where binaries are in /data/local/xpcb.
+ if (!utilBin.exists()) {
+ utilBin.initWithPath("/data/local/xpcb/");
+ utilBin.append(binaryUtilName);
+ }
+ Assert.ok(utilBin.exists(), `Binary util ${binaryUtilName} should exist`);
+ return utilBin;
+}
+
+// Do not call this directly; use add_tls_server_setup
+function _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot) {
+ asyncStartTLSTestServer(serverBinName, certsPath, addDefaultRoot).then(
+ run_next_test
+ );
+}
+
+async function asyncStartTLSTestServer(
+ serverBinName,
+ certsPath,
+ addDefaultRoot
+) {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // The trusted CA that is typically used for "good" certificates.
+ if (addDefaultRoot) {
+ addCertFromFile(certdb, `${certsPath}/test-ca.pem`, "CTu,u,u");
+ }
+
+ const CALLBACK_PORT = 8444;
+
+ let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path);
+ // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD"
+ // does not return this path on Android, so hard code it here.
+ Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb");
+ Services.env.set("MOZ_TLS_SERVER_DEBUG_LEVEL", "3");
+ Services.env.set("MOZ_TLS_SERVER_CALLBACK_PORT", CALLBACK_PORT);
+
+ let httpServer = new HttpServer();
+ let serverReady = new Promise(resolve => {
+ httpServer.registerPathHandler(
+ "/",
+ function handleServerCallback(aRequest, aResponse) {
+ aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
+ aResponse.setHeader("Content-Type", "text/plain");
+ let responseBody = "OK!";
+ aResponse.bodyOutputStream.write(responseBody, responseBody.length);
+ executeSoon(function () {
+ httpServer.stop(resolve);
+ });
+ }
+ );
+ httpServer.start(CALLBACK_PORT);
+ });
+
+ let serverBin = _getBinaryUtil(serverBinName);
+ let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
+ process.init(serverBin);
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append(`${certsPath}`);
+ Assert.ok(certDir.exists(), `certificate folder (${certsPath}) should exist`);
+ // Using "sql:" causes the SQL DB to be used so we can run tests on Android.
+ process.run(false, ["sql:" + certDir.path, Services.appinfo.processID], 2);
+
+ registerCleanupFunction(function () {
+ process.kill();
+ });
+
+ await serverReady;
+}
+
+// Returns an Array of OCSP responses for a given ocspRespArray and a location
+// for a nssDB where the certs and public keys are prepopulated.
+// ocspRespArray is an array of arrays like:
+// [ [typeOfResponse, certnick, extracertnick, thisUpdateSkew]...]
+function generateOCSPResponses(ocspRespArray, nssDBlocation) {
+ let utilBinName = "GenerateOCSPResponse";
+ let ocspGenBin = _getBinaryUtil(utilBinName);
+ let retArray = [];
+
+ for (let i = 0; i < ocspRespArray.length; i++) {
+ let argArray = [];
+ let ocspFilepre = do_get_file(i.toString() + ".ocsp", true);
+ let filename = ocspFilepre.path;
+ // Using "sql:" causes the SQL DB to be used so we can run tests on Android.
+ argArray.push("sql:" + nssDBlocation);
+ argArray.push(ocspRespArray[i][0]); // ocsRespType;
+ argArray.push(ocspRespArray[i][1]); // nick;
+ argArray.push(ocspRespArray[i][2]); // extranickname
+ argArray.push(ocspRespArray[i][3]); // thisUpdate skew
+ argArray.push(filename);
+ info("argArray = " + argArray);
+
+ let process = Cc["@mozilla.org/process/util;1"].createInstance(
+ Ci.nsIProcess
+ );
+ process.init(ocspGenBin);
+ process.run(true, argArray, argArray.length);
+ Assert.equal(0, process.exitValue, "Process exit value should be 0");
+ let ocspFile = do_get_file(i.toString() + ".ocsp", false);
+ retArray.push(readFile(ocspFile));
+ ocspFile.remove(false);
+ }
+ return retArray;
+}
+
+// Starts and returns an http responder that will cause a test failure if it is
+// queried. The server identities are given by a non-empty array
+// serverIdentities.
+function getFailingHttpServer(serverPort, serverIdentities) {
+ let httpServer = new HttpServer();
+ httpServer.registerPrefixHandler("/", function (request, response) {
+ Assert.ok(false, "HTTP responder should not have been queried");
+ });
+ httpServer.identity.setPrimary("http", serverIdentities.shift(), serverPort);
+ serverIdentities.forEach(function (identity) {
+ httpServer.identity.add("http", identity, serverPort);
+ });
+ httpServer.start(serverPort);
+ return httpServer;
+}
+
+// Starts an http OCSP responder that serves good OCSP responses and
+// returns an object with a method stop that should be called to stop
+// the http server.
+// NB: Because generating OCSP responses inside the HTTP request
+// handler can cause timeouts, the expected responses are pre-generated
+// all at once before starting the server. This means that their producedAt
+// times will all be the same. If a test depends on this not being the case,
+// perhaps calling startOCSPResponder twice (at different times) will be
+// necessary.
+//
+// serverPort is the port of the http OCSP responder
+// identity is the http hostname that will answer the OCSP requests
+// nssDBLocation is the location of the NSS database from where the OCSP
+// responses will be generated (assumes appropiate keys are present)
+// expectedCertNames is an array of nicks of the certs to be responsed
+// expectedBasePaths is an optional array that is used to indicate
+// what is the expected base path of the OCSP request.
+// expectedMethods is an optional array of methods ("GET" or "POST") indicating
+// by which HTTP method the server is expected to be queried.
+// expectedResponseTypes is an optional array of OCSP response types to use (see
+// GenerateOCSPResponse.cpp).
+// responseHeaderPairs is an optional array of HTTP header (name, value) pairs
+// to set in each response.
+function startOCSPResponder(
+ serverPort,
+ identity,
+ nssDBLocation,
+ expectedCertNames,
+ expectedBasePaths,
+ expectedMethods,
+ expectedResponseTypes,
+ responseHeaderPairs = []
+) {
+ let ocspResponseGenerationArgs = expectedCertNames.map(function (
+ expectedNick
+ ) {
+ let responseType = "good";
+ if (expectedResponseTypes && expectedResponseTypes.length >= 1) {
+ responseType = expectedResponseTypes.shift();
+ }
+ return [responseType, expectedNick, "unused", 0];
+ });
+ let ocspResponses = generateOCSPResponses(
+ ocspResponseGenerationArgs,
+ nssDBLocation
+ );
+ let httpServer = new HttpServer();
+ httpServer.registerPrefixHandler(
+ "/",
+ function handleServerCallback(aRequest, aResponse) {
+ info("got request for: " + aRequest.path);
+ let basePath = aRequest.path.slice(1).split("/")[0];
+ if (expectedBasePaths.length >= 1) {
+ Assert.equal(
+ basePath,
+ expectedBasePaths.shift(),
+ "Actual and expected base path should match"
+ );
+ }
+ Assert.ok(
+ expectedCertNames.length >= 1,
+ "expectedCertNames should contain >= 1 entries"
+ );
+ if (expectedMethods && expectedMethods.length >= 1) {
+ Assert.equal(
+ aRequest.method,
+ expectedMethods.shift(),
+ "Actual and expected fetch method should match"
+ );
+ }
+ aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
+ aResponse.setHeader("Content-Type", "application/ocsp-response");
+ for (let headerPair of responseHeaderPairs) {
+ aResponse.setHeader(headerPair[0], headerPair[1]);
+ }
+ aResponse.write(ocspResponses.shift());
+ }
+ );
+ httpServer.identity.setPrimary("http", identity, serverPort);
+ httpServer.start(serverPort);
+ return {
+ stop(callback) {
+ // make sure we consumed each expected response
+ Assert.equal(
+ ocspResponses.length,
+ 0,
+ "Should have 0 remaining expected OCSP responses"
+ );
+ if (expectedMethods) {
+ Assert.equal(
+ expectedMethods.length,
+ 0,
+ "Should have 0 remaining expected fetch methods"
+ );
+ }
+ if (expectedBasePaths) {
+ Assert.equal(
+ expectedBasePaths.length,
+ 0,
+ "Should have 0 remaining expected base paths"
+ );
+ }
+ if (expectedResponseTypes) {
+ Assert.equal(
+ expectedResponseTypes.length,
+ 0,
+ "Should have 0 remaining expected response types"
+ );
+ }
+ httpServer.stop(callback);
+ },
+ };
+}
+
+// Given an OCSP responder (see startOCSPResponder), returns a promise that
+// resolves when the responder has successfully stopped.
+function stopOCSPResponder(responder) {
+ return new Promise((resolve, reject) => {
+ responder.stop(resolve);
+ });
+}
+
+// Utility functions for adding tests relating to certificate error overrides
+
+// Helper function for add_cert_override_test. Probably doesn't need to be
+// called directly.
+function add_cert_override(aHost, aSecurityInfo) {
+ let cert = aSecurityInfo.serverCert;
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true);
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected error and that adding an override results
+// in a subsequent connection succeeding.
+function add_cert_override_test(aHost, aExpectedError) {
+ add_connection_test(
+ aHost,
+ aExpectedError,
+ null,
+ add_cert_override.bind(this, aHost)
+ );
+ add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
+ Assert.ok(
+ aSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "Cert override flag should be set on the security state"
+ );
+ });
+}
+
+// Helper function for add_prevented_cert_override_test. This is much like
+// add_cert_override except it may not be the case that the connection has an
+// SecInfo set on it. In this case, the error was not overridable anyway, so
+// we consider it a success.
+function attempt_adding_cert_override(aHost, aSecurityInfo) {
+ if (aSecurityInfo.serverCert) {
+ let cert = aSecurityInfo.serverCert;
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true);
+ }
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected error and that adding an override does not
+// result in a subsequent connection succeeding (i.e. the same error code is
+// encountered).
+// The idea here is that for HSTS hosts or hosts with key pins, no error is
+// overridable, even if an entry is added to the override service.
+function add_prevented_cert_override_test(aHost, aExpectedError) {
+ add_connection_test(
+ aHost,
+ aExpectedError,
+ null,
+ attempt_adding_cert_override.bind(this, aHost)
+ );
+ add_connection_test(aHost, aExpectedError);
+}
+
+// Helper for asyncTestCertificateUsages.
+class CertVerificationResult {
+ constructor(certName, usageString, successExpected, resolve) {
+ this.certName = certName;
+ this.usageString = usageString;
+ this.successExpected = successExpected;
+ this.resolve = resolve;
+ }
+
+ verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+ if (this.successExpected) {
+ equal(
+ aPRErrorCode,
+ PRErrorCodeSuccess,
+ `verifying ${this.certName} for ${this.usageString} should succeed`
+ );
+ } else {
+ notEqual(
+ aPRErrorCode,
+ PRErrorCodeSuccess,
+ `verifying ${this.certName} for ${this.usageString} should fail`
+ );
+ }
+ this.resolve();
+ }
+}
+
+/**
+ * Asynchronously attempts to verify the given certificate for all supported
+ * usages (see allCertificateUsages). Verifies that the results match the
+ * expected successful usages. Returns a promise that will resolve when all
+ * verifications have been performed.
+ * Verification happens "now" with no specified flags or hostname.
+ *
+ * @param {nsIX509CertDB} certdb
+ * The certificate database to use to verify the certificate.
+ * @param {nsIX509Cert} cert
+ * The certificate to be verified.
+ * @param {number[]} expectedUsages
+ * A list of usages (as their integer values) that are expected to verify
+ * successfully.
+ * @returns {Promise}
+ * A promise that will resolve with no value when all asynchronous operations
+ * have completed.
+ */
+function asyncTestCertificateUsages(certdb, cert, expectedUsages) {
+ let now = new Date().getTime() / 1000;
+ let promises = [];
+ Object.keys(allCertificateUsages).forEach(usageString => {
+ let promise = new Promise((resolve, reject) => {
+ let usage = allCertificateUsages[usageString];
+ let successExpected = expectedUsages.includes(usage);
+ let result = new CertVerificationResult(
+ cert.commonName,
+ usageString,
+ successExpected,
+ resolve
+ );
+ let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY;
+ certdb.asyncVerifyCertAtTime(cert, usage, flags, null, now, result);
+ });
+ promises.push(promise);
+ });
+ return Promise.all(promises);
+}
+
+/**
+ * Loads the pkcs11testmodule.cpp test PKCS #11 module, and registers a cleanup
+ * function that unloads it once the calling test completes.
+ *
+ * @param {nsIFile} libraryFile
+ * The dynamic library file that implements the module to
+ * load.
+ * @param {string} moduleName
+ * What to call the module.
+ * @param {boolean} expectModuleUnloadToFail
+ * Should be set to true for tests that manually unload the
+ * test module, so the attempt to auto unload the test module
+ * doesn't cause a test failure. Should be set to false
+ * otherwise, so failure to automatically unload the test
+ * module gets reported.
+ */
+function loadPKCS11Module(libraryFile, moduleName, expectModuleUnloadToFail) {
+ ok(libraryFile.exists(), "The PKCS11 module file should exist");
+
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ registerCleanupFunction(() => {
+ try {
+ pkcs11ModuleDB.deleteModule(moduleName);
+ } catch (e) {
+ Assert.ok(
+ expectModuleUnloadToFail,
+ `Module unload should suceed only when expected: ${e}`
+ );
+ }
+ });
+ pkcs11ModuleDB.addModule(moduleName, libraryFile.path, 0, 0);
+}
+
+/**
+ * @param {string} data
+ * @returns {string}
+ */
+function hexify(data) {
+ // |slice(-2)| chomps off the last two characters of a string.
+ // Therefore, if the Unicode value is < 0x10, we have a single-character hex
+ // string when we want one that's two characters, and unconditionally
+ // prepending a "0" solves the problem.
+ return Array.from(data, (c, i) =>
+ ("0" + data.charCodeAt(i).toString(16)).slice(-2)
+ ).join("");
+}
+
+/**
+ * @param {string[]} lines
+ * Lines to write. Each line automatically has "\n" appended to it when
+ * being written.
+ * @param {nsIFileOutputStream} outputStream
+ */
+function writeLinesAndClose(lines, outputStream) {
+ for (let line of lines) {
+ line += "\n";
+ outputStream.write(line, line.length);
+ }
+ outputStream.close();
+}
+
+/**
+ * @param {string} moduleName
+ * The name of the module that should not be loaded.
+ * @param {string} libraryName
+ * A unique substring of name of the dynamic library file of the module
+ * that should not be loaded.
+ */
+function checkPKCS11ModuleNotPresent(moduleName, libraryName) {
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let modules = moduleDB.listModules();
+ ok(
+ modules.hasMoreElements(),
+ "One or more modules should be present with test module not present"
+ );
+ for (let module of modules) {
+ notEqual(
+ module.name,
+ moduleName,
+ `Non-test module name shouldn't equal '${moduleName}'`
+ );
+ ok(
+ !(module.libName && module.libName.includes(libraryName)),
+ `Non-test module lib name should not include '${libraryName}'`
+ );
+ }
+}
+
+/**
+ * Checks that the test module exists in the module list.
+ * Also checks various attributes of the test module for correctness.
+ *
+ * @param {string} moduleName
+ * The name of the module that should be present.
+ * @param {string} libraryName
+ * A unique substring of the name of the dynamic library file
+ * of the module that should be loaded.
+ * @returns {nsIPKCS11Module}
+ * The test module.
+ */
+function checkPKCS11ModuleExists(moduleName, libraryName) {
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let modules = moduleDB.listModules();
+ ok(
+ modules.hasMoreElements(),
+ "One or more modules should be present with test module present"
+ );
+ let testModule = null;
+ for (let module of modules) {
+ if (module.name == moduleName) {
+ testModule = module;
+ break;
+ }
+ }
+ notEqual(testModule, null, "Test module should have been found");
+ notEqual(testModule.libName, null, "Test module lib name should not be null");
+ ok(
+ testModule.libName.includes(ctypes.libraryName(libraryName)),
+ `Test module lib name should include lib name of '${libraryName}'`
+ );
+
+ return testModule;
+}
+
+// Given an nsIX509Cert, return the bytes of its subject DN (as a JS string) and
+// the sha-256 hash of its subject public key info, base64-encoded.
+function getSubjectAndSPKIHash(nsCert) {
+ let certBytes = nsCert.getRawDER();
+ let cert = new X509.Certificate();
+ cert.parse(certBytes);
+ let subject = cert.tbsCertificate.subject._der._bytes;
+ let subjectString = arrayToString(subject);
+ let spkiHashString = nsCert.sha256SubjectPublicKeyInfoDigest;
+ return { subjectString, spkiHashString };
+}
+
+function run_certutil_on_directory(directory, args, expectSuccess = true) {
+ let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path);
+ // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD"
+ // does not return this path on Android, so hard code it here.
+ Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb");
+ let certutilBin = _getBinaryUtil("certutil");
+ let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
+ process.init(certutilBin);
+ args.push("-d");
+ args.push(`sql:${directory}`);
+ process.run(true, args, args.length);
+ if (expectSuccess) {
+ Assert.equal(process.exitValue, 0, "certutil should succeed");
+ }
+}
+
+function get_data_storage_contents(dataStorageFileName) {
+ let stateFile = do_get_profile();
+ stateFile.append(dataStorageFileName);
+ if (!stateFile.exists()) {
+ return undefined;
+ }
+ return readFile(stateFile);
+}
+
+function u16_to_big_endian_bytes(u16) {
+ Assert.less(u16, 65536);
+ return [u16 / 256, u16 % 256];
+}
+
+// Appends a line to the given data storage file (as an nsIOutputStream).
+// score is an integer representing the number of unique days the item has been accessed.
+// lastAccessed is the day since the epoch the item was last accessed.
+// key and value are strings representing the key and value of the item.
+function append_line_to_data_storage_file(
+ outputStream,
+ score,
+ lastAccessed,
+ key,
+ value,
+ valueLength = 24,
+ useBadChecksum = false
+) {
+ let line = arrayToString(u16_to_big_endian_bytes(score));
+ line = line + arrayToString(u16_to_big_endian_bytes(lastAccessed));
+ line = line + key;
+ let keyPadding = [];
+ for (let i = 0; i < 256 - key.length; i++) {
+ keyPadding.push(0);
+ }
+ line = line + arrayToString(keyPadding);
+ line = line + value;
+ let valuePadding = [];
+ for (let i = 0; i < valueLength - value.length; i++) {
+ valuePadding.push(0);
+ }
+ line = line + arrayToString(valuePadding);
+ let checksum = 0;
+ Assert.equal(line.length % 2, 0);
+ for (let i = 0; i < line.length; i += 2) {
+ checksum ^= (line.charCodeAt(i) << 8) + line.charCodeAt(i + 1);
+ }
+ line =
+ arrayToString(
+ u16_to_big_endian_bytes(useBadChecksum ? ~checksum & 0xffff : checksum)
+ ) + line;
+ outputStream.write(line, line.length);
+}
diff --git a/security/manager/ssl/tests/unit/moz.build b/security/manager/ssl/tests/unit/moz.build
new file mode 100644
index 0000000000..561502dd51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -0,0 +1,10 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["tlsserver", "test_signed_apps"]
+
+if not CONFIG["MOZ_NO_SMART_CARDS"]:
+ DIRS += ["pkcs11testmodule"]
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
new file mode 100644
index 0000000000..05959d4c6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUcdrK+swAhgsnbPoNXViflHJFgtMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz
+IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl
+MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B
+AQsFAAOCAQEAUV4KW+Z8kuKSA64HNt0qyB2POf/dpZUhUCs/eFw7aamooeH4ZvS6
+Qu1OBFzuU4lYlNOJGBUfYRS0MvUjtYdRGMxhIv/zUBPT1xG0PsOjPj9Y7BbzDbG1
+++O+chZk79KE+9d6QMDquHysRMCku4Ss5wbvOiaJoi5ZnAuqkenzvdS377J4acZ7
+vGyRekqZZssIZ2xnShzXSS5Kexe0B33Ky3Pl3fk7JqMyZDPhLnzRok3sNuZIpB9b
+qNYkd0h9V2ZEI2XSRJzhtN1NX72g5NMnmeFJ2YFll69b9xO3mPLKX4k/gy/djZa0
+eCgPydgLZPTagy9hYorKAFR9D7qX8128oQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
new file mode 100644
index 0000000000..8e16705b50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
new file mode 100644
index 0000000000..7dd59895af
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg
+0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy
+Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5
+tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/
+Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx
+UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
new file mode 100644
index 0000000000..9a85704a2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcugAwIBAgIUN1YJwqDb7hit7/zGQsHESReD5CMwDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAoMSYwJAYDVQQDDB1UZXN0IFNIQTEgRGVsZWdhdGVkIFJlc3Bv
+bmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpn
+kfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJE
+xYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG
+680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYl
+R5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbx
+h83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkd
+cSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
+BQADggEBAHq/8EhMgz0k7VetFlmIAVNnKKo1ME9CVDU1kHZkU4Y9cEDWvSStQkGE
+v3xAq74AYWVYETbCyPGKNhCuPlW+pNUpkh+3bA9Og0liOfVCvRbgz2Scy2K3I3PX
+cSWPECqAE6NJOmpWGPgIYlgK60ZDgKKhVa5jkdBiIjk04QHQnRKdEFhdvFSOly3J
+H03PWi4yxNNIun30I7hZuWKKFiHRHQdvtRr/0rbElFsegwUirgfDS/ybnOJDY/Hk
+1//hi0jDr0kfA4DBmxivQs/+2dTvcGn9GcJV1vdUmJZ19mC68UqqEItRiXOhKVV0
+lOFRnC5xID/9+VThV/xaoOV1YHlBjag=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
new file mode 100644
index 0000000000..bdf3e2ee4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test SHA1 Delegated Responder
+subjectKey:alternate
+signature:sha1WithRSAEncryption
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
new file mode 100644
index 0000000000..d93b4d37a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3jCCAcagAwIBAgIUf7d1PDS74OZ84rbuYcT53gA6x9gwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhUZXN0IERlbGVnYXRlZCBSZXNwb25kZXIw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbD
+f1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRI
+MwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDs
+mMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJp
+CIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6D
+KzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7
+AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB
+AQAbr7I0sCC8GZSVY7rcIaEetwz48FDkzTE7OVMxLNMhKsJXwJmaCxvRfMZ+ZRDd
+RntaDF8suL6gVCVkIUQwYAT+3joGvO/SEJe3YLaeE2IMGw0zoRrpqP6DYq9+6fS7
+2n1BDu57dsyW8XghG0XH4iGQam5DmgUzts/Uadr7E4D9ibFDlrSRmguEVqpzgwb0
+O6ZMuG88uNWbKAQ4TPOJrR6RUzwURckiTrw3ExtOh70YOVCsyYNc7NtpJft338Se
+GQI9UVyi5/wML4HFbyls+1go1o/nHjAbsKsEBfOwE6HTE0CuBW2FPr/3CToaelka
+olDHKbozj5v9ejiyXHVOvwdi
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
new file mode 100644
index 0000000000..19971eeb4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Delegated Responder
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
new file mode 100644
index 0000000000..4f41fa9361
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAeqgAwIBAgIUcVj9ek7otTbf7aHOG9p/UQigFt4wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowPTE7MDkGA1UEAwwyVGVzdCBJbnZhbGlkIERl
+bGVnYXRlZCBSZXNwb25kZXIgRnJvbSBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvU
+b6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqG
+J2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HF
+vmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7k
+jOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dh
+ZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAGjFzAVMBMG
+A1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBxKW7KGxLJtq/f
+LNqaKClRG4UsGxm9QcBaMJ+9FGXBJiV2EuZ+5IdmI45McydSvBv7h40UcPLpl+Dm
+XQilH0YBVX/an946GNG0uC+PEgh86Zv4x2JSZ/mh2Nw1mJwG24uiGJ+c9ng4jwQM
+wrgnD7COaQskBui98zhLDxoj/y/HA3bOqiKQTLAoJVpQPmU/WUaXNyNW8j7KKIro
+8YzcuvdV04vI7dDO67vQP7eRKkkQggV4btap8YlhSR57IeajrdlyzHlXl+ANUAPg
+TH6+mE9di/7/N/e7H/1gqatpoa1Rxc9XoANqoCeTnNEg1snD9KjD8rU2AT6xKJyb
+e2vQdfrf
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
new file mode 100644
index 0000000000..be0d3e9e5f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate
+subject:Test Invalid Delegated Responder From Intermediate
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
new file mode 100644
index 0000000000..77e2e18008
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUE+9k78S70+47fNpmHkOSE0nynkAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjA/MT0wOwYDVQQDDDRUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBrZXlVc2FnZSBjcmxTaWduaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHI
+wkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNv
+I8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7I
+SURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIram
+nNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIU
+DRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABow8wDTALBgNVHQ8EBAMC
+AQIwDQYJKoZIhvcNAQELBQADggEBAKwrK91/08VmhevSsqYzWQSmFPW7df8IKjvl
+A6QzTWa2QSDm7MK30ZKHQrTUh3ov+sN+R2dyX9lopouE7xRCo6eUjSCywLResFTU
+uj6t2dO//4Pdsd0qw/m48FrF7q+UABzDxugxpU5RLFRtdnXe2X8tJ5llypC2Nn1S
+s09rwX8l3V+VRlPQkw56110n/n/4/hLmxUWMrs1eKMn3lwEvJcdSbqtbstuhksrm
+/dODn2Ulfu29dL2Qbtbhvp/vNu7z/i6LFD17H12oi+TN3qaAmDlh//Gd3Vz9qqbc
+5VOxiOSrr6jTEhghsWx/JIiKaODgKjGigKnvq+cGc9tRwQPXX5E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
new file mode 100644
index 0000000000..2833ed9b52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder keyUsage crlSigning
+subjectKey:alternate
+extension:keyUsage:cRLSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
new file mode 100644
index 0000000000..e85fe654fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3DCCAcSgAwIBAgIUbUSfwq75osxohF3A4Le3+p2/KN8wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjA6MTgwNgYDVQQDDC9UZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBObyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSj
+s8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMT
+ud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvF
+o+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UT
+H5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4
+xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+VKVc1Gdb31hd5bczAxF16Ko67cdggYvZffYIgPbinMLtFfoVmgeHirJwRRypqnse
+Ry18lHA+/Qy0qHgPoIQNScXvlyds9+z1AOECi1MzkJhbULR77ZlpWW1tYHfRceVt
+7UAEDUZwHOH+13wjvIR2QeYo9owNc9qrI7ENcoZL3gCTndxX/wgn1+ArqLinE9Tg
+Kd9zo0y/TaB9KHNRFGTWBfRhzGUlHTRJxYFZ+GFvztWhImg9a7v3V6KSTwMF7I25
+oxevNmSL/8HOyuA1PNXv05UW9zudk7Ta9O150W5XiwVgaDbJPWTmbF43mLn8HA0a
+h8W+3xAAbTHI3FTV7fnBUQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..92444c94ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder No extKeyUsage
+subjectKey:alternate
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
new file mode 100644
index 0000000000..c9124e08a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+DCCAeCgAwIBAgIUe4pzYrUW7Cqv1xQ9g7LiVTwfSZcwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjA9MTswOQYDVQQDDDJUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBXcm9uZyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ
+isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF
+2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE
+WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS
+g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y
+xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYI
+KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBADdApuLzME3N8qnz7AANa5LBrpMy
+XfuDMqgdgWf8PC38etOIbDNYe6teqWb53TVj9p76JrNMShQOK7psOsdVHIBZaAfc
+7hU79JAmABh9H87KZpIh6wN7zHEiU9cc/XjnAVkwKw0KaMnnXZMN0E8plYG9z3T1
+A2h95aOCY/6tG6AGBAnXRqlvW7oOnSwc3QMI7PyV65qoRjPIeq8Ub2B+6r6kXddz
+qd9fSHcFkVy/P0wQYz4/UoIEcQGqcQQnpmrMTeHxN+Uhyei0FAHDbCGYQwkXEFyz
+qys4kIjH2GZyh//KusdqJ7rjG7f5wPDBq0AbE8h87WCJfdq89cU8hiRkakE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..bc704fbd41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder Wrong extKeyUsage
+subjectKey:alternate
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
new file mode 100644
index 0000000000..9a78ab32a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgygAwIBAgIUNXbnbwDwSpFuzX+TbUC6+0fwluwwDQYJKoZIhvcNAQEL
+BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU
+TFMgRmVhdHVyZXMwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFow
+LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABoy8wLTAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBEGCCsGAQUFBwEYBAUw
+AwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAI6rRgJ9F0L5mIpx9mdZIhN0OUshqD9SO
+a94traLS8TWLadiLDcqF3KdCayYYw2OdkLMXB6Cr6dd+9natevak2BTfC3NguyEf
+qHF7nBHQi5YMFSWlGxgxDq+XGLA19Dkik7guuHlRsl59C2vJjh2tFphZpuc3nCYW
+OK6JPv3Vv8tAJw3z4hfWELaNLRAkHI3KZdEQyd7zHM+o/2mNeyLA5ApqD0K03Aw8
+Y2EJ2YEH6/PkQKdS7Xmska2mUe83s3mny3Q+NEJ9LTJQmJjmUbbEd+nYp/vd+2Ea
+DyIuT4onzgcB8ZzEyPUfEs9GWo0H3IP+3elS5vJ4ERp3C57Ps+5MbA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec
new file mode 100644
index 0000000000..3fa2793b30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Multiple TLS Features
+subject:Multi TLS Feature Test End-Entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem
new file mode 100644
index 0000000000..8f5e4bf9f6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIUR+ptclhXlqm/j0PzeprCWlXnS+QwDQYJKoZIhvcNAQEL
+BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU
+TFMgRmVhdHVyZXMwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFow
+LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABozIwMDAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBQGCCsGAQUFBwEYBAgw
+BgIBBQIBBjANBgkqhkiG9w0BAQsFAAOCAQEAWFscG4euFpXJ7tpJQOznyNg2k0hk
+LFsoWuS2jhRt4OUjkM6u/ClnlmiAqKtPSmm2UzdxivFLWFqP8g0Rycs3MWUi/Bd6
+Ispo+Ms+wTvv+MyfCqQin1V76IqAYylCnvVB0OS/nF4Zfu/NaLmeqplb4PmPNySO
+5cQ1Hq2gMwB6Cj4U9rWLhHamZI1zrnEXNnYCKwgZIvpLhuO8ztNzjEnNRX5iUqYZ
+QywPemXePxUmpmPtfpLAraAzpewJ9SIVOGMCR3CcwWVi6dQZ52CfEvNaTK/7SUkQ
+dEPlaaVgL1FW9uZGRxXiMRgGpzGidnqH2GGDvql0whE2vs+eFHoUYyLhzQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec
new file mode 100644
index 0000000000..7a8dd223d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Multiple TLS Features
+subject:Multi TLS Feature Test End-Entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple,6
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem
new file mode 100644
index 0000000000..a7e79893df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfCgAwIBAgIUI+sIlPurR9XGLxSPpQhSEkz+zOQwDQYJKoZIhvcNAQEL
+BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs
+ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQD
+DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMBgGA1UdEQQRMA+CDSouZXhhbXBs
+ZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMA0GCSqGSIb3DQEBCwUAA4IBAQAUNqmA
+4xSMFge1DxdUpNn8ZkaHQoA2dZmVTb+mRQ3pKLs3W5CPmweIJpVVILEUVEy9nxxT
+L5/iVV/tHz2o8+QcUQHhi+RTIBgQ2KG3euxhtLFg2eKEbH2QkeZZCD8Zw5TCcghz
+sqFt9lL3Ksk2FephYV6GT2FbsFr0Vs6wTvjTsVo9XwN43EQ8MLyp3IDFdX6SAJJR
+8whSA6vLke6JQ7VlfOuW7EZ9aLpMP1GBBzAc0LLT0qEDOyXAH/Ji0rpukVdLoxEs
+J4h5yR5Gowzs9dxDk6ngaXi7R7nXRtiRGRayuqT/7Vxqc/H7DXDijI/2BGvM242R
+/CLWVQaMEfPtUAfg
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec
new file mode 100644
index 0000000000..352a60675d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Must-Staple
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem
new file mode 100644
index 0000000000..4460f57948
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgmgAwIBAgIUP5FghTXhLOeCnB8J1AU/iHTzD5kwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjYzBh
+MBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMDIG
+CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4
+LzANBgkqhkiG9w0BAQsFAAOCAQEAlWxrFGfHjnpCLDn6hu4w2Zn0GwE9mSPubTGQ
+HZMLuWczTz6Gdva2RSSM29d4ujhn/I5B+13WcAilHtKQXI0pW3LZ6Zndi0N7aebQ
+ZyS8rSumLr6kEojBDHJ1/RGFoCongTzWQYXgnhvUtEg2eGr1+2+eMqFgjUQbeOmW
+9Ynjh7E3iE8GBMnSH+k3BJM2mp2SOJziuCVB9riMfhz5S751++/fZhh/W0ykCIqT
+oV1He1ij12qa9ojaS/fTyG5zyfZFtu1Cj4AP66e3BUKH80dhIjutRNG7I+lpdaCW
+PZZJjCQz/+Lm6bAK0kEFGUmloIE8325BaIm3WFx41JEorn0mlg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec
new file mode 100644
index 0000000000..43edfff0d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem
new file mode 100644
index 0000000000..fa359d0b08
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd2gAwIBAgIUWfsNrajIjAByAQVlbEbO1z6PVUswDQYJKoZIhvcNAQEL
+BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs
+ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQD
+DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHDAaMBgGA1UdEQQRMA+CDSouZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAKYKwrmKb7vTodoRwFVcgtfGLUZC0aRf
+Sr+8x5FWMN4hc/YDr2uu9/DpA8/QRV+F3yOt6VBPgqDA5qeHmH7eQMYjRj16e5TA
+NsJdoKpwS9m/7Q/n5Lpla6j4pbgnQCLonvnLuKdqY7VSNmsyTNlfk29BELaowDRq
+JKumvZHCBp/lql6j7ivTyKEbzhyQWreXNHhuHAk9b3jd8IIY102kHiLt65jho9+o
+Vjk0AtuZ+6HeraduYNIVfNU9K1Mhxihr4WM3zS2feKXLbuE8ZAQ2XCNtBUup2u1M
+BWC6XU5QPfMSJERVZ/Ib/e+Vsm7R3HK50DcnTdNX8P9pZTSKNNue/Bw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec
new file mode 100644
index 0000000000..8e4a6ac0c5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate With Must-Staple
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem
new file mode 100644
index 0000000000..1efe224912
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUCZpiLR2ndUffcbxe523KU1xHlp8wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5
+IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv
+c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo
+dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCol3N1nPzm
+gvOlprRcgehr1/A6DjlMOhxSBva/Kb1daWo9hvm/HsbuuDfuhb2up28tP8bD8BVE
+GuJcvHZ4OS6ksScpVK6fqL5LMu9muUC7izCxcoQEV5G9LDZKRJulE4eFUr8Nu5FI
+2+onPbt1Eum3Lsm+5Z/xTGsGCrCIVDpAfKzG0XPgzjif/NOwygfWyW59fcj2GfRc
+WhARWIm9kfTCPfmhlDm/hvaqDXml40uJSU2HOf3onAI3E6Rlz0VECh0+aoZNXL/1
+8SgeKOR/uvduJl8Y/UHtBVx/q3kLdpUjTrBdKClJXZhpZ0JotI03yjpRpM9nMeUZ
+Zeq8d8nZw/kz
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec
new file mode 100644
index 0000000000..ae3a51565a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate
+subject:Test End-entity with Intermediate
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem
new file mode 100644
index 0000000000..8b281c227c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIUVc3jthuNfUrHgpQaQbQ7kDWCgnkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAVMRMwEQYDVQQDDApPdGhlciBDZXJ0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNV
+HREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAk
+MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEB
+CwUAA4IBAQAVcGH8MG2aFqmH7jWZNwhFdhfBtElmYjezVNC2fNo16KcF6vItAJZm
+aGSEK4NDv591R75OznDYHdzHpNGlxb4JwmPiU4rOCZyKMUSlDXaqCtRZ67BnUxH6
+pSrCEX80QcVqRlMNjJOqEufiVBgrtlccbtQTUmDiTNCxtfo95GzxitHmHcCUGRFJ
+e9Ticu2+gSn39UMzkEREztIv9apBp3PHSqe6JlrthplqVEy39A6RpHRvWVyz51Vm
+DPrvv7npTw8Nuxbs7LA4hCFTqDy8xtYhT2h169KPXx6kmhb1vQ76cW+J+7de/LH0
+j4XRlZJhtgO4iwkSJp1evY5G+E+lY9db
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec
new file mode 100644
index 0000000000..5756f6ab5f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Other Cert
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key
new file mode 100644
index 0000000000..abde350c28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq
+Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC
+RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH
+BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm
+JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW
+8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z
+HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw
+aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL
+GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH
+R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8
+/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q
+5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ
+xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG
+8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l
+Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ
++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk
+IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52
+TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH
+4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY
+T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM
+RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x
+hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8
+oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS
+vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6
+S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r
+KVFR3kS3f+Vaew3yceGaZcA=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec
new file mode 100644
index 0000000000..cbd5f309c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec
@@ -0,0 +1 @@
+alternate
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem
new file mode 100644
index 0000000000..a2e264030a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY
+DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw
+bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM
+AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql
+kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC
+IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP
+dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ
+gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9
+VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5
+yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU
+egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN
+/48Nd38VNofRojEbzDSCdOFmow==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec
new file mode 100644
index 0000000000..3bc975aa22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Other test CA
+subject:Other test CA
+issuerKey:alternate
+subjectKey:alternate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key
new file mode 100644
index 0000000000..d43495f851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl
+GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ
+BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh
+WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK
+1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2
+s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV
+nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+
+gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr
+QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA
+Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh
+AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur
+SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx
+vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx
+nmTT4A==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec
new file mode 100644
index 0000000000..21ed73d60b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec
@@ -0,0 +1 @@
+rsa1016
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem
new file mode 100644
index 0000000000..c165b87af5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICazCCAVOgAwIBAgIUP/C++7bzNaXCCoB0/+8txWBP2mUwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjA1MTMwMQYDVQQDDCpSU0EgMTAxNiBLZXkgU2l6ZSBUZXN0IERl
+bGVnYXRlZCBSZXNwb25kZXIwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKb
+sS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJ
+aj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyv
+bXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMXMBUwEwYDVR0lBAww
+CgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBAKYZrrW7GfM1Uogh3tnqcDJn
+5pnr/S1yTcpSAuxPNl/EKty2KkBcM7VMZU5Ac5bRWjG7dEMfSw+67fWWQ+HW/ueS
+rZ9cM6AfC1rR1epbW6bmvLFZRkYI9dooVQJ7lQba/SFSO459Nk+QFeTrS3z+/ItP
+S/oHpeU76oIRW1/ZMeHHGYalK7pAruMoN0iz3KgU0SnF82cPmlP501pwyh0X1Qa7
+BS/2rW5piVHRJUBycgBnKMdvt2nGL6wJbOCEZ7Dhl0vB+2+EmLq90Yl/myhTglrY
+85DXAS66DCIvpJXJm/EsVY38VEkHwZEFHWuad9od8sADn3qQNRaExfkqjbh+Op8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec
new file mode 100644
index 0000000000..05f73368a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:RSA 1016 Key Size Test Delegated Responder
+subjectKey:rsa1016
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem
new file mode 100644
index 0000000000..fcbb0fcb29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP6dLBbQh604kiwoRPLpqmHj72UQwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAP1Cj8YbMVIjc
+8gaNVwru/NzEZsKjsxt6Iv0iWtHgexzoZnj82GzzgpnEtNz8bfTQvaImdkCHXYoV
+wt7BY9ocZBacAPB3QMKF4prgkxwfD+ub6ckbf61o9Vq2aCZdFqO6ef3ji5dkWYBb
+zfuQhmVU3RIvl09ajs4PPDmYp3ebiax2xVcBlP+fuDAeRX5y60yJf6eyNCVbC3M6
+OilriARv855NdhLWagwGX24+dP70HZUvISi/xSW+DNHWndqf1DcCnLreFEDq8F80
+hMCFsmJJEu0uqVFGQfItYlywBC0DJ3EU6votzgMuNa4rGBrMUJnHhzoEE0ISnrWk
+iAobTR3jsQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem
new file mode 100644
index 0000000000..08249b863e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec
new file mode 100644
index 0000000000..33b42c2f41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem
new file mode 100644
index 0000000000..f0b38d26da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfagAwIBAgIUCZ58zcMKqo1fCy+Yck82emMJGwkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjA3MTUwMwYDVQQDDCxUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11
+bHRpcGxlIFRMUyBGZWF0dXJlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMzMDEwDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwFAYIKwYBBQUHARgECDAGAgEFAgEGMA0GCSqGSIb3DQEBCwUAA4IB
+AQAkPK4BZB0G2WIovt30J+ququdAVY0VjJ9Qs+OiBLCERGGRKzRWgw87bi8tzVcB
+gwEdZsd5x2FuOiHHD3uBsFaLr4BwzkRToQkiAvwOrEiUCaZ/PMGrVRbY8NhWqsG/
+4VFy+SkIigvkWQ7OA6ek2lahXwI54+uQ1Fzi2ZX19em3BRQ20vD6ylX2uDj3TQUe
+hAvN53076upv9+/hMI8LoKUjE8xR1/52eD+viqLswzF7rqtjRja+yavLyCPqlYPb
+xVLrVHJ8hCaXA2AvUXGhqmP6dIHj5HflO/9CSMGCY9ryRKwCmicIqnL37K3jsZjV
+nwieZZb3g56QGZfsjVLDh+Yu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec
new file mode 100644
index 0000000000..3f0e925aae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate With Multiple TLS Features
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:TLSFeature:OCSPMustStaple,6
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem
new file mode 100644
index 0000000000..2f8cdc10e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDATCCAemgAwIBAgIUOw4TxnDfhhaenMiNugGiWO0FGokwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11
+c3QtU3RhcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAR
+BggrBgEFBQcBGAQFMAMCAQUwDQYJKoZIhvcNAQELBQADggEBAF8GCC3e4ljAlwhk
+xhqRp/v8GoPaz74dwkQFRBSdIBYaELutYft7PHzZHTOdogInX6X+hzbT7DiP8/bV
+d79zMU+D5Lz25Lx4Jw+pjQb3mtLwVst0jY7d+7OTs1HVwpuRLECNbJNH3O8TJLfr
+gl4P0ErxLQhVG+YA4wvCwDN5IZVfEeUmeQOEf8ZGGsnD8KP+natwUEnJghjVzI1i
+yMUyOHX/cfJg8lKGPtsVRkOLKKkJbf6rhazzn3+em5++Amuihmd/91FHjUbwz/FS
+V69o77k1709IoogOihPidfOSLujsENTnhivN+9IWkXLfGkZTR0KNaKF5+62LBRnj
+l1OoETM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec
new file mode 100644
index 0000000000..7c29aa0ad1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate With Must-Staple
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build
new file mode 100644
index 0000000000..0eef91b076
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build
@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+FINAL_TARGET = "_tests/xpcshell/security/manager/ssl/tests/unit/pkcs11testmodule"
+
+UNIFIED_SOURCES += [
+ "pkcs11testmodule.cpp",
+]
+
+SharedLibrary("pkcs11testmodule")
+
+# C_GetFunctionList needs to be exported. As it turns out, it's much easier to
+# just export all the symbols.
+NoVisibilityFlags()
+SYMBOLS_FILE = "pkcs11testmodule.symbols"
+
+NO_PGO = True
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
new file mode 100644
index 0000000000..fb3ff9a10f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
@@ -0,0 +1,597 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a testing PKCS #11 module that simulates a token being inserted and
+// removed from a slot every 50ms. This is achieved mainly in
+// Test_C_WaitForSlotEvent. If the application that loaded this module calls
+// C_WaitForSlotEvent, this module waits for 50ms and returns, having changed
+// its internal state to report that the token has either been inserted or
+// removed, as appropriate.
+// This module also provides an alternate token that is always present for tests
+// that don't want the cyclic behavior described above.
+
+#include <assert.h>
+#include <atomic>
+#include <string.h>
+
+#if defined(WIN32)
+# include <windows.h> // for Sleep
+#else
+# include <unistd.h> // for usleep
+#endif
+
+#include "pkcs11.h"
+
+CK_RV Test_C_Initialize(CK_VOID_PTR) { return CKR_OK; }
+
+CK_RV Test_C_Finalize(CK_VOID_PTR) { return CKR_OK; }
+
+static const CK_VERSION CryptokiVersion = {2, 2};
+static const CK_VERSION TestLibraryVersion = {0, 0};
+static const char TestLibraryDescription[] = "Test PKCS11 Library";
+static const char TestManufacturerID[] = "Test PKCS11 Manufacturer ID";
+
+/* The dest buffer is one in the CK_INFO or CK_TOKEN_INFO structs.
+ * Those buffers are padded with spaces. DestSize corresponds to the declared
+ * size for those buffers (e.g. 32 for `char foo[32]`).
+ * The src buffer is a string literal. SrcSize includes the string
+ * termination character (e.g. 4 for `const char foo[] = "foo"` */
+template <size_t DestSize, size_t SrcSize>
+void CopyString(unsigned char (&dest)[DestSize], const char (&src)[SrcSize]) {
+ static_assert(DestSize >= SrcSize - 1, "DestSize >= SrcSize - 1");
+ memcpy(dest, src, SrcSize - 1);
+ memset(dest + SrcSize - 1, ' ', DestSize - SrcSize + 1);
+}
+
+CK_RV Test_C_GetInfo(CK_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ pInfo->cryptokiVersion = CryptokiVersion;
+ CopyString(pInfo->manufacturerID, TestManufacturerID);
+ pInfo->flags = 0; // must be 0
+ CopyString(pInfo->libraryDescription, TestLibraryDescription);
+ pInfo->libraryVersion = TestLibraryVersion;
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) { return CKR_OK; }
+
+static int tokenPresent = 0;
+
+CK_RV Test_C_GetSlotList(CK_BBOOL limitToTokensPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
+ if (!pulCount) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ // We always return slot 2
+ CK_ULONG slotCount = 1;
+ if (!limitToTokensPresent) {
+ // If we want empty slots, we also return slots 1 and 3
+ slotCount += 2;
+ } else if (tokenPresent) {
+ // If we don't want empty slots, but token 1 is present, return that (but
+ // not slot 3)
+ slotCount++;
+ }
+
+ if (pSlotList) {
+ if (*pulCount < slotCount) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ // apparently CK_SLOT_IDs are integers [1,N] because
+ // who likes counting from 0 all the time?
+ switch (slotCount) {
+ case 1:
+ pSlotList[0] = 2;
+ break;
+ case 2:
+ if (tokenPresent) {
+ pSlotList[0] = 1;
+ pSlotList[1] = 2;
+ } else {
+ pSlotList[0] = 2;
+ pSlotList[1] = 3;
+ }
+ break;
+ case 3:
+ pSlotList[0] = 1;
+ pSlotList[1] = 2;
+ pSlotList[2] = 3;
+ break;
+ default:
+ assert("Unexpected slot count in Test_C_GetSlotList" == NULL);
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+ *pulCount = slotCount;
+ return CKR_OK;
+}
+
+static const char TestSlotDescription[] = "Test PKCS11 Slot";
+static const char TestSlot2Description[] = "Test PKCS11 Slot 二";
+static const char TestSlot3Description[] = "Empty PKCS11 Slot";
+
+CK_RV Test_C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ switch (slotID) {
+ case 1:
+ CopyString(pInfo->slotDescription, TestSlotDescription);
+ pInfo->flags =
+ (tokenPresent ? CKF_TOKEN_PRESENT : 0) | CKF_REMOVABLE_DEVICE;
+ break;
+ case 2:
+ CopyString(pInfo->slotDescription, TestSlot2Description);
+ pInfo->flags = CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE;
+ break;
+ case 3:
+ CopyString(pInfo->slotDescription, TestSlot3Description);
+ pInfo->flags = CKF_REMOVABLE_DEVICE;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ CopyString(pInfo->manufacturerID, TestManufacturerID);
+ pInfo->hardwareVersion = TestLibraryVersion;
+ pInfo->firmwareVersion = TestLibraryVersion;
+ return CKR_OK;
+}
+
+// Deliberately include énye to ensure we're handling encoding correctly.
+// The PKCS #11 base specification v2.20 specifies that strings be encoded
+// as UTF-8.
+static const char TestTokenLabel[] = "Test PKCS11 Tokeñ Label";
+static const char TestToken2Label[] = "Test PKCS11 Tokeñ 2 Label";
+static const char TestTokenModel[] = "Test Model";
+
+std::atomic<bool> sLoggedIn = false;
+
+CK_RV Test_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ switch (slotID) {
+ case 1:
+ CopyString(pInfo->label, TestTokenLabel);
+ break;
+ case 2:
+ CopyString(pInfo->label, TestToken2Label);
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ CopyString(pInfo->manufacturerID, TestManufacturerID);
+ CopyString(pInfo->model, TestTokenModel);
+ memset(pInfo->serialNumber, 0, sizeof(pInfo->serialNumber));
+ pInfo->flags = CKF_TOKEN_INITIALIZED;
+ if (slotID == 2) {
+ pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH |
+ CKF_USER_PIN_INITIALIZED | CKF_LOGIN_REQUIRED;
+ }
+ pInfo->ulMaxSessionCount = 1;
+ pInfo->ulSessionCount = 0;
+ pInfo->ulMaxRwSessionCount = 1;
+ pInfo->ulRwSessionCount = 0;
+ pInfo->ulMaxPinLen = 4;
+ pInfo->ulMinPinLen = 4;
+ pInfo->ulTotalPublicMemory = 1024;
+ pInfo->ulFreePublicMemory = 1024;
+ pInfo->ulTotalPrivateMemory = 1024;
+ pInfo->ulFreePrivateMemory = 1024;
+ pInfo->hardwareVersion = TestLibraryVersion;
+ pInfo->firmwareVersion = TestLibraryVersion;
+ memset(pInfo->utcTime, 0, sizeof(pInfo->utcTime));
+
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR,
+ CK_ULONG_PTR pulCount) {
+ if (!pulCount) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ *pulCount = 0;
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetMechanismInfo(CK_SLOT_ID, CK_MECHANISM_TYPE,
+ CK_MECHANISM_INFO_PTR) {
+ return CKR_OK;
+}
+
+CK_RV Test_C_InitToken(CK_SLOT_ID, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR) {
+ return CKR_OK;
+}
+
+CK_RV Test_C_InitPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG,
+ CK_UTF8CHAR_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY,
+ CK_SESSION_HANDLE_PTR phSession) {
+ switch (slotID) {
+ case 1:
+ *phSession = 1;
+ break;
+ case 2:
+ *phSession = 2;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ return CKR_OK;
+}
+
+CK_RV Test_C_CloseSession(CK_SESSION_HANDLE) { return CKR_OK; }
+
+CK_RV Test_C_CloseAllSessions(CK_SLOT_ID) { return CKR_OK; }
+
+CK_RV Test_C_GetSessionInfo(CK_SESSION_HANDLE hSession,
+ CK_SESSION_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ switch (hSession) {
+ case 1:
+ pInfo->slotID = 1;
+ pInfo->state = CKS_RO_PUBLIC_SESSION;
+ break;
+ case 2:
+ pInfo->slotID = 2;
+ pInfo->state = sLoggedIn ? CKS_RO_USER_FUNCTIONS : CKS_RO_PUBLIC_SESSION;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ pInfo->flags = CKF_SERIAL_SESSION;
+
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_OBJECT_HANDLE, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Login(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG) {
+ // Sleep for 3 seconds to simulate the user using a protected auth path.
+#ifdef WIN32
+ Sleep(3000); // Sleep takes the duration argument as milliseconds
+#else
+ usleep(3000000); // usleep takes the duration argument as microseconds
+#endif
+ sLoggedIn = true;
+ return CKR_OK;
+}
+
+CK_RV Test_C_Logout(CK_SESSION_HANDLE) {
+ sLoggedIn = false;
+ return CKR_OK;
+}
+
+CK_RV Test_C_CreateObject(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG,
+ CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_CopyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR,
+ CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DestroyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetObjectSize(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+ CK_ATTRIBUTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+ CK_ATTRIBUTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_FindObjectsInit(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG) {
+ return CKR_OK;
+}
+
+CK_RV Test_C_FindObjects(CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG,
+ CK_ULONG_PTR pulObjectCount) {
+ *pulObjectCount = 0;
+ return CKR_OK;
+}
+
+CK_RV Test_C_FindObjectsFinal(CK_SESSION_HANDLE) { return CKR_OK; }
+
+CK_RV Test_C_EncryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Encrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_EncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_EncryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Decrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Digest(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestKey(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Sign(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Verify(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptDigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptVerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR,
+ CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateKeyPair(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_ATTRIBUTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR,
+ CK_ULONG, CK_OBJECT_HANDLE_PTR,
+ CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_WrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+ CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_UnwrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+ CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG,
+ CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DeriveKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+ CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetFunctionStatus(CK_SESSION_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_CancelFunction(CK_SESSION_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_WaitForSlotEvent(CK_FLAGS, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR) {
+#ifdef WIN32
+ Sleep(50); // Sleep takes the duration argument as milliseconds
+#else
+ usleep(50000); // usleep takes the duration argument as microseconds
+#endif
+ *pSlot = 1;
+ tokenPresent = !tokenPresent;
+ return CKR_OK;
+}
+
+static CK_FUNCTION_LIST FunctionList = {{2, 2},
+ Test_C_Initialize,
+ Test_C_Finalize,
+ Test_C_GetInfo,
+ Test_C_GetFunctionList,
+ Test_C_GetSlotList,
+ Test_C_GetSlotInfo,
+ Test_C_GetTokenInfo,
+ Test_C_GetMechanismList,
+ Test_C_GetMechanismInfo,
+ Test_C_InitToken,
+ Test_C_InitPIN,
+ Test_C_SetPIN,
+ Test_C_OpenSession,
+ Test_C_CloseSession,
+ Test_C_CloseAllSessions,
+ Test_C_GetSessionInfo,
+ Test_C_GetOperationState,
+ Test_C_SetOperationState,
+ Test_C_Login,
+ Test_C_Logout,
+ Test_C_CreateObject,
+ Test_C_CopyObject,
+ Test_C_DestroyObject,
+ Test_C_GetObjectSize,
+ Test_C_GetAttributeValue,
+ Test_C_SetAttributeValue,
+ Test_C_FindObjectsInit,
+ Test_C_FindObjects,
+ Test_C_FindObjectsFinal,
+ Test_C_EncryptInit,
+ Test_C_Encrypt,
+ Test_C_EncryptUpdate,
+ Test_C_EncryptFinal,
+ Test_C_DecryptInit,
+ Test_C_Decrypt,
+ Test_C_DecryptUpdate,
+ Test_C_DecryptFinal,
+ Test_C_DigestInit,
+ Test_C_Digest,
+ Test_C_DigestUpdate,
+ Test_C_DigestKey,
+ Test_C_DigestFinal,
+ Test_C_SignInit,
+ Test_C_Sign,
+ Test_C_SignUpdate,
+ Test_C_SignFinal,
+ Test_C_SignRecoverInit,
+ Test_C_SignRecover,
+ Test_C_VerifyInit,
+ Test_C_Verify,
+ Test_C_VerifyUpdate,
+ Test_C_VerifyFinal,
+ Test_C_VerifyRecoverInit,
+ Test_C_VerifyRecover,
+ Test_C_DigestEncryptUpdate,
+ Test_C_DecryptDigestUpdate,
+ Test_C_SignEncryptUpdate,
+ Test_C_DecryptVerifyUpdate,
+ Test_C_GenerateKey,
+ Test_C_GenerateKeyPair,
+ Test_C_WrapKey,
+ Test_C_UnwrapKey,
+ Test_C_DeriveKey,
+ Test_C_SeedRandom,
+ Test_C_GenerateRandom,
+ Test_C_GetFunctionStatus,
+ Test_C_CancelFunction,
+ Test_C_WaitForSlotEvent};
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
+ *ppFunctionList = &FunctionList;
+ return CKR_OK;
+}
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols
new file mode 100644
index 0000000000..562ecea21d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols
@@ -0,0 +1 @@
+C_GetFunctionList
diff --git a/security/manager/ssl/tests/unit/requirements.txt b/security/manager/ssl/tests/unit/requirements.txt
new file mode 100644
index 0000000000..095fcb04fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/requirements.txt
@@ -0,0 +1,6 @@
+lxml
+pyasn1 == 0.3.7
+pyasn1_modules == 0.1.5
+ecc
+mock
+rsa
diff --git a/security/manager/ssl/tests/unit/sign_app.py b/security/manager/ssl/tests/unit/sign_app.py
new file mode 100755
index 0000000000..5b57e73c4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/sign_app.py
@@ -0,0 +1,426 @@
+#!/usr/bin/env python3
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Given a directory of files, packages them up and signs the
+resulting zip file. Mainly for creating test inputs to the
+nsIX509CertDB.openSignedAppFileAsync API.
+"""
+from base64 import b64encode
+from cbor2 import dumps
+from cbor2.types import CBORTag
+from hashlib import sha1, sha256
+import argparse
+from io import StringIO
+import os
+import re
+import six
+import sys
+import zipfile
+
+# These libraries moved to security/manager/tools/ in bug 1699294.
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "tools"))
+import pycert
+import pycms
+import pykey
+
+ES256 = -7
+ES384 = -35
+ES512 = -36
+KID = 4
+ALG = 1
+COSE_Sign = 98
+
+
+def coseAlgorithmToPykeyHash(algorithm):
+ """Helper function that takes one of (ES256, ES384, ES512)
+ and returns the corresponding pykey.HASH_* identifier."""
+ if algorithm == ES256:
+ return pykey.HASH_SHA256
+ if algorithm == ES384:
+ return pykey.HASH_SHA384
+ if algorithm == ES512:
+ return pykey.HASH_SHA512
+ raise UnknownCOSEAlgorithmError(algorithm)
+
+
+# COSE_Signature = [
+# protected : serialized_map,
+# unprotected : {},
+# signature : bstr
+# ]
+
+
+def coseSignature(payload, algorithm, signingKey, signingCertificate, bodyProtected):
+ """Returns a COSE_Signature structure.
+ payload is a string representing the data to be signed
+ algorithm is one of (ES256, ES384, ES512)
+ signingKey is a pykey.ECKey to sign the data with
+ signingCertificate is a byte string
+ bodyProtected is the serialized byte string of the protected body header
+ """
+ protected = {ALG: algorithm, KID: signingCertificate}
+ protectedEncoded = dumps(protected)
+ # Sig_structure = [
+ # context : "Signature"
+ # body_protected : bodyProtected
+ # sign_protected : protectedEncoded
+ # external_aad : nil
+ # payload : bstr
+ # ]
+ sigStructure = ["Signature", bodyProtected, protectedEncoded, None, payload]
+ sigStructureEncoded = dumps(sigStructure)
+ pykeyHash = coseAlgorithmToPykeyHash(algorithm)
+ signature = signingKey.signRaw(sigStructureEncoded, pykeyHash)
+ return [protectedEncoded, {}, signature]
+
+
+# COSE_Sign = [
+# protected : serialized_map,
+# unprotected : {},
+# payload : nil,
+# signatures : [+ COSE_Signature]
+# ]
+
+
+def coseSig(payload, intermediates, signatures):
+ """Returns the entire (tagged) COSE_Sign structure.
+ payload is a string representing the data to be signed
+ intermediates is an array of byte strings
+ signatures is an array of (algorithm, signingKey,
+ signingCertificate) triplets to be passed to
+ coseSignature
+ """
+ protected = {KID: intermediates}
+ protectedEncoded = dumps(protected)
+ coseSignatures = []
+ for algorithm, signingKey, signingCertificate in signatures:
+ coseSignatures.append(
+ coseSignature(
+ payload, algorithm, signingKey, signingCertificate, protectedEncoded
+ )
+ )
+ tagged = CBORTag(COSE_Sign, [protectedEncoded, {}, None, coseSignatures])
+ return dumps(tagged)
+
+
+def walkDirectory(directory):
+ """Given a relative path to a directory, enumerates the
+ files in the tree rooted at that location. Returns a list
+ of pairs of paths to those files. The first in each pair
+ is the full path to the file. The second in each pair is
+ the path to the file relative to the directory itself."""
+ paths = []
+ for path, _dirs, files in os.walk(directory):
+ for f in files:
+ fullPath = os.path.join(path, f)
+ internalPath = re.sub(r"^/", "", fullPath.replace(directory, ""))
+ paths.append((fullPath, internalPath))
+ return paths
+
+
+def addManifestEntry(filename, hashes, contents, entries):
+ """Helper function to fill out a manifest entry.
+ Takes the filename, a list of (hash function, hash function name)
+ pairs to use, the contents of the file, and the current list
+ of manifest entries."""
+ entry = "Name: %s\n" % filename
+ for hashFunc, name in hashes:
+ base64hash = b64encode(hashFunc(contents).digest()).decode("ascii")
+ entry += "%s-Digest: %s\n" % (name, base64hash)
+ entries.append(entry)
+
+
+def getCert(subject, keyName, issuerName, ee, issuerKey="", validity=""):
+ """Helper function to create an X509 cert from a specification.
+ Takes the subject, the subject key name to use, the issuer name,
+ a bool whether this is an EE cert or not, and optionally an issuer key
+ name."""
+ certSpecification = (
+ "issuer:%s\n" % issuerName
+ + "subject:"
+ + subject
+ + "\n"
+ + "subjectKey:%s\n" % keyName
+ )
+ if ee:
+ certSpecification += "extension:keyUsage:digitalSignature"
+ else:
+ certSpecification += (
+ "extension:basicConstraints:cA,\n"
+ + "extension:keyUsage:cRLSign,keyCertSign"
+ )
+ if issuerKey:
+ certSpecification += "\nissuerKey:%s" % issuerKey
+ if validity:
+ certSpecification += "\nvalidity:%s" % validity
+ certSpecificationStream = StringIO()
+ print(certSpecification, file=certSpecificationStream)
+ certSpecificationStream.seek(0)
+ return pycert.Certificate(certSpecificationStream)
+
+
+def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName, certValidity):
+ """Given a COSE algorithm ('ES256', 'ES384', 'ES512') and an issuer
+ name, returns a (algorithm id, pykey.ECCKey, encoded certificate)
+ triplet for use with coseSig.
+ """
+ if coseAlgorithm == "ES256":
+ keyName = "secp256r1"
+ algId = ES256
+ elif coseAlgorithm == "ES384":
+ keyName = "secp384r1"
+ algId = ES384
+ elif coseAlgorithm == "ES512":
+ keyName = "secp521r1" # COSE uses the hash algorithm; this is the curve
+ algId = ES512
+ else:
+ raise UnknownCOSEAlgorithmError(coseAlgorithm)
+ key = pykey.ECCKey(keyName)
+ # The subject must differ to avoid errors when importing into NSS later.
+ ee = getCert(
+ "xpcshell signed app test signer " + keyName,
+ keyName,
+ issuerName,
+ True,
+ "default",
+ certValidity,
+ )
+ return (algId, key, ee.toDER())
+
+
+def signZip(
+ appDirectory,
+ outputFile,
+ issuerName,
+ rootName,
+ certValidity,
+ manifestHashes,
+ signatureHashes,
+ pkcs7Hashes,
+ coseAlgorithms,
+ emptySignerInfos,
+ headerPaddingFactor,
+):
+ """Given a directory containing the files to package up,
+ an output filename to write to, the name of the issuer of
+ the signing certificate, the name of trust anchor, a list of hash algorithms
+ to use in the manifest file, a similar list for the signature file,
+ a similar list for the pkcs#7 signature, a list of COSE signature algorithms
+ to include, whether the pkcs#7 signer info should be kept empty, and how
+ many MB to pad the manifests by (to test handling large manifest files),
+ packages up the files in the directory and creates the output as
+ appropriate."""
+ # The header of each manifest starts with the magic string
+ # 'Manifest-Version: 1.0' and ends with a blank line. There can be
+ # essentially anything after the first line before the blank line.
+ mfEntries = ["Manifest-Version: 1.0"]
+ if headerPaddingFactor > 0:
+ # In this format, each line can only be 72 bytes long. We make
+ # our padding 50 bytes per line (49 of content and one newline)
+ # so the math is easy.
+ singleLinePadding = "a" * 49
+ # 1000000 / 50 = 20000
+ allPadding = [singleLinePadding] * (headerPaddingFactor * 20000)
+ mfEntries.extend(allPadding)
+ # Append the blank line.
+ mfEntries.append("")
+
+ with zipfile.ZipFile(outputFile, "w", zipfile.ZIP_DEFLATED) as outZip:
+ for fullPath, internalPath in walkDirectory(appDirectory):
+ with open(fullPath, "rb") as inputFile:
+ contents = inputFile.read()
+ outZip.writestr(internalPath, contents)
+
+ # Add the entry to the manifest we're building
+ addManifestEntry(internalPath, manifestHashes, contents, mfEntries)
+
+ if len(coseAlgorithms) > 0:
+ coseManifest = "\n".join(mfEntries)
+ outZip.writestr("META-INF/cose.manifest", coseManifest)
+ coseManifest = six.ensure_binary(coseManifest)
+ addManifestEntry(
+ "META-INF/cose.manifest", manifestHashes, coseManifest, mfEntries
+ )
+ intermediates = []
+ coseIssuerName = issuerName
+ if rootName:
+ coseIssuerName = "xpcshell signed app test issuer"
+ intermediate = getCert(
+ coseIssuerName,
+ "default",
+ rootName,
+ False,
+ "",
+ certValidity,
+ )
+ intermediate = intermediate.toDER()
+ intermediates.append(intermediate)
+ signatures = [
+ coseAlgorithmToSignatureParams(
+ coseAlgorithm,
+ coseIssuerName,
+ certValidity,
+ )
+ for coseAlgorithm in coseAlgorithms
+ ]
+ coseSignatureBytes = coseSig(coseManifest, intermediates, signatures)
+ outZip.writestr("META-INF/cose.sig", coseSignatureBytes)
+ addManifestEntry(
+ "META-INF/cose.sig", manifestHashes, coseSignatureBytes, mfEntries
+ )
+
+ if len(pkcs7Hashes) != 0 or emptySignerInfos:
+ mfContents = "\n".join(mfEntries)
+ sfContents = "Signature-Version: 1.0\n"
+ for hashFunc, name in signatureHashes:
+ hashed = hashFunc(six.ensure_binary(mfContents)).digest()
+ base64hash = b64encode(hashed).decode("ascii")
+ sfContents += "%s-Digest-Manifest: %s\n" % (name, base64hash)
+
+ cmsSpecification = ""
+ for name in pkcs7Hashes:
+ hashFunc, _ = hashNameToFunctionAndIdentifier(name)
+ cmsSpecification += "%s:%s\n" % (
+ name,
+ hashFunc(six.ensure_binary(sfContents)).hexdigest(),
+ )
+ cmsSpecification += (
+ "signer:\n"
+ + "issuer:%s\n" % issuerName
+ + "subject:xpcshell signed app test signer\n"
+ + "extension:keyUsage:digitalSignature"
+ )
+ if certValidity:
+ cmsSpecification += "\nvalidity:%s" % certValidity
+ cmsSpecificationStream = StringIO()
+ print(cmsSpecification, file=cmsSpecificationStream)
+ cmsSpecificationStream.seek(0)
+ cms = pycms.CMS(cmsSpecificationStream)
+ p7 = cms.toDER()
+ outZip.writestr("META-INF/A.RSA", p7)
+ outZip.writestr("META-INF/A.SF", sfContents)
+ outZip.writestr("META-INF/MANIFEST.MF", mfContents)
+
+
+class Error(Exception):
+ """Base class for exceptions in this module."""
+
+ pass
+
+
+class UnknownHashAlgorithmError(Error):
+ """Helper exception type to handle unknown hash algorithms."""
+
+ def __init__(self, name):
+ super(UnknownHashAlgorithmError, self).__init__()
+ self.name = name
+
+ def __str__(self):
+ return "Unknown hash algorithm %s" % repr(self.name)
+
+
+class UnknownCOSEAlgorithmError(Error):
+ """Helper exception type to handle unknown COSE algorithms."""
+
+ def __init__(self, name):
+ super(UnknownCOSEAlgorithmError, self).__init__()
+ self.name = name
+
+ def __str__(self):
+ return "Unknown COSE algorithm %s" % repr(self.name)
+
+
+def hashNameToFunctionAndIdentifier(name):
+ if name == "sha1":
+ return (sha1, "SHA1")
+ if name == "sha256":
+ return (sha256, "SHA256")
+ raise UnknownHashAlgorithmError(name)
+
+
+def main(outputFile, appPath, *args):
+ """Main entrypoint. Given an already-opened file-like
+ object, a path to the app directory to sign, and some
+ optional arguments, signs the contents of the directory and
+ writes the resulting package to the 'file'."""
+ parser = argparse.ArgumentParser(description="Sign an app.")
+ parser.add_argument(
+ "-i",
+ "--issuer",
+ action="store",
+ help="Issuer name",
+ default="xpcshell signed apps test root",
+ )
+ parser.add_argument("-r", "--root", action="store", help="Root name", default="")
+ parser.add_argument(
+ "--cert-validity",
+ action="store",
+ help="Certificate validity; YYYYMMDD-YYYYMMDD or duration in days",
+ default="",
+ )
+ parser.add_argument(
+ "-m",
+ "--manifest-hash",
+ action="append",
+ help="Hash algorithms to use in manifest",
+ default=[],
+ )
+ parser.add_argument(
+ "-s",
+ "--signature-hash",
+ action="append",
+ help="Hash algorithms to use in signature file",
+ default=[],
+ )
+ parser.add_argument(
+ "-c",
+ "--cose-sign",
+ action="append",
+ help="Append a COSE signature with the given "
+ + "algorithms (out of ES256, ES384, and ES512)",
+ default=[],
+ )
+ parser.add_argument(
+ "-z",
+ "--pad-headers",
+ action="store",
+ default=0,
+ help="Pad the header sections of the manifests "
+ + "with X MB of repetitive data",
+ )
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument(
+ "-p",
+ "--pkcs7-hash",
+ action="append",
+ help="Hash algorithms to use in PKCS#7 signature",
+ default=[],
+ )
+ group.add_argument(
+ "-e",
+ "--empty-signerInfos",
+ action="store_true",
+ help="Emit pkcs#7 SignedData with empty signerInfos",
+ )
+ parsed = parser.parse_args(args)
+ if len(parsed.manifest_hash) == 0:
+ parsed.manifest_hash.append("sha256")
+ if len(parsed.signature_hash) == 0:
+ parsed.signature_hash.append("sha256")
+ signZip(
+ appPath,
+ outputFile,
+ parsed.issuer,
+ parsed.root,
+ parsed.cert_validity,
+ [hashNameToFunctionAndIdentifier(h) for h in parsed.manifest_hash],
+ [hashNameToFunctionAndIdentifier(h) for h in parsed.signature_hash],
+ parsed.pkcs7_hash,
+ parsed.cose_sign,
+ parsed.empty_signerInfos,
+ int(parsed.pad_headers),
+ )
diff --git a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
new file mode 100644
index 0000000000..8e165b2b8d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests that adding a certificate already present in the certificate database
+// with different trust bits than those stored in the database does not result
+// in the new trust bits being ignored.
+
+do_get_profile();
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(cert, trust) {
+ let file = "test_intermediate_basic_usage_constraints/" + cert + ".pem";
+ return addCertFromFile(certDB, file, trust);
+}
+
+add_task(async function () {
+ load_cert("ca", "CTu,CTu,CTu");
+ let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu");
+ let file =
+ "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem";
+ let cert_pem = readFile(do_get_file(file));
+ let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem));
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ // Change the already existing intermediate certificate's trust using
+ // addCertFromBase64().
+ notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
+ let base64_cert = int_cert.getBase64DERString();
+ let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p");
+ notEqual(returnedEE, null, "addCertFromBase64 should return a certificate");
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
new file mode 100644
index 0000000000..6bcd71aaf3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
@@ -0,0 +1,25 @@
+/* -*- tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+function run_test() {
+ do_get_profile();
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+ true
+ );
+
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ add_connection_test("expired.example.com", PRErrorCodeSuccess);
+ add_test(function () {
+ certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+ false
+ );
+ run_next_test();
+ });
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem
new file mode 100644
index 0000000000..161ce88377
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUXwklABFZn09Yj1azSdQ4kpuizxYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCdpP06UqpAnAAak/i4+LShrIG/
+DdjHLQ8qLChBdPkT6Gxx1XVoNfG3GJsIGCoOf6isORMfBlBXiR5kmLFTE3kJhA/I
+pDxDGYDqt9DNb0fxeMpOJxwQ+mBMZIKLPu+nk4jTqUrOX8bLwDMiXTbFeY91SUr8
+4b43YzXVorVQSlYOfcsmrnEfmfJNauHBrzak5BQhsEXHqAI7qV9TCQA1+cGwH8jb
+Aw2SyVu1usAyHkM2wCisHXeidf3qR6PxmfLMAgHKXBLz3DsXY30xDI4jJS9MySu9
+lhrs1IJf5PdJk5z5viYqZQemuv0R+R7ItbpCHpreUXh2GutiAY4Xsgrhfcer
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec
new file mode 100644
index 0000000000..9c21e7adcf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:ca
+validity:20100101-20500101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem
new file mode 100644
index 0000000000..a13b0cbcd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUS00fexo4Y4FagP1oiKQiGCJKd/swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAGjMx1NAs2guKp3wRRAWdiAw9NCeX+qCsxxkr4jUdgQ14wZwU2fZ/2rK
+7Z/StpwlWN+G4dWwCRCjibKvjauQs+XLT9wMO3U/1VBcQda36duX70ss2SAF9crs
+dmZdISevFItTn+W6JNyr1Wt2sSiD4buXpW1UzNwuxnWGpo/a++bMEYaM8KDdz73t
+KA9VShYNbcrUZgf70bvCbc8BR3vYUwyIp3fP7TngD/dRLYJyv5ayo9VXVJxOzYU7
+/aRrBvAdAL2w8eQzzYm6uyHlOE+imWYix2QOGNFJIiRXFRTii9Rr0o4geW7x2wZJ
++TzO4XPVlax1h6KDPRLsmwhbJDAMuUU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec
new file mode 100644
index 0000000000..7a34d0758f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem
new file mode 100644
index 0000000000..f2bb8c97d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUZ3gdKZRvWFYArMRStT2zAGE6JDQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBABERZmWOEZAI2dQHbpXo7BJFw8eigDs8xWGtnu5UbNFs7zGnXzta0L8T
+RBoaWeEbsaVpuGQ648eorgQRGwNdL3JkJb0qHtaSl5/raAOvv+YqmGzZhFWcj3ib
+WUOWODdFlY3oUzpPjA+IeRzULya6//s8DhEKfVi2mJXc/sS6fE9J234IhKBysyr1
+cRIApw6OCr0V78TbHzEPh1z0QuMKY8hH0lz3JvQqGD59oTEdSJ5VVbmDLxqqmVtA
+/i4j2lYkDos2HvHGP7a/LC20FI0lOcSqazSeKc+y2Mand9tDXCU/dEEYMj1IW5rM
+z2+96XzCbJBesYFEEfWXG6XysP3UtE0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec
new file mode 100644
index 0000000000..aa682a7afd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem
new file mode 100644
index 0000000000..7ac56a0689
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUWxGwhSb8roUQoLNpJajl0X8jk10wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAKxEoWUrHht8zENUlC/3tj/KbDSeaIy5nVE49aJRqHwuSczG5PTDn7sD
+rjl6Qq2rx3Z3ftZxJNIdpS3BUeUJ+FsQ2fK3ckDyeWkzxADlWp2l2bgKDtnW5Xjw
+lfzFt1Z/4PUmz0JyNGqijvpT/YYM9uM5OOKmKvy6C/6HiIMI2f5pVHM2bFWLuHLI
+p9yqp056EKPWCEQbkqseXLS0O8ZyxAyW4kHezUQzn1KFq9IGZu5sBZ8Imop0xnal
+2wXCuEisuAIOQNb1l9t+hf/P53+oRLjPbJzuzLZGSNA5PzoTbmZOqOdJS+kCNGCX
+IahLlU3dPILDlvl8DLFhk+lz9mA8x90=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec
new file mode 100644
index 0000000000..e38478165c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20160824-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem
new file mode 100644
index 0000000000..ba11dcc152
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUOWkKeR6blD0zzhElEnCm4eSqLTAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEACPZ4Ed3iONrIIKtg3865taT5TUj4Ts3tnYn4riFqojr6h/CHEDPR
+LStAJ4yYGQoTTzQzaxYjEZXHIEI/bCZ1VpGNpZt8DXWsJWwJgt8QUNeYT0eFFE2M
+CjrLJC1OIQRvlR89WEbk/q45KBQC0faeizqkAn+YUSG8mjHHbmSO8PWbh4z0YYlg
+BjwhTRFWUmWfQKC+mHyWblbYyFKlsFWf6cGOd4qE8N/hIz7oPzI4IPN1EQ/IfaQy
+WOOyxPZeu+J5VPlPE10nV5afoRcPLh/6vTwH85tPGzxWU4Jo4NDtFOtZAZR/S7sO
+OB/ST8Dbvs7qQFfRtgCtpEMicG7kxO1F+Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec
new file mode 100644
index 0000000000..41817bde75
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20160724-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem
new file mode 100644
index 0000000000..6882ba0554
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUG1q3+RCKIizPHadkamCYLL7cp2swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEAqa/ayP8zXODUJJmuZLTJsdT2VaqbOh2WWk2bC2A82feGvCevLuL0
+0gPk+001Zx49Y1erMmt2M1cKtf2Lob8SGLNGUlJf2K7SNJTk7nyog+4UIlK4Hsxo
+CQ9sqKGJjkwHTDK1rB9gSW4e27Taj6tudnsUfgKWVzERxipebtLsCvz8Jfa0YLRI
+bGr6L4LoWiN2RNiK7/IOycfJ8VLDlBRouHD2Xfu0pFcvymMvfOC7GG4oBAacCKGn
+muUfoODgKw2yCIOSe7jsJOQ9yOp03sRipISfO0TALFzJX0V5+7CYDLZYR8vs/F/4
+0cIqkhwyCfUWYsGI4gPPR/nVxNvTRZhiFw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec
new file mode 100644
index 0000000000..65acf0b024
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20150724-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem
new file mode 100644
index 0000000000..cd87acfe48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUD1kNqQ0aKQ2TJjGUYztUh8I7j4AwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEAU9n5I/Hdfod2fPBYWHZA/5/SabHkOBUHfrg6UUQYeHagVbqmoTQD
+M5F/DcDna+w6nHagIC/GRHBHkgY3Syh8QK5LnL3zi5tC0u4dzysDUjWtEAEgIcWA
+/pYtp6qZwJzxvn68PTnYnFDL61+LDLxlUBa2iRieRkCUOokCLL4ce3jsSTuJ+mGk
+XoaRrRREgtG5loYK8hFXM1RDkzyCa82DF/qD+iYgUJS9LMXrsksIRHP7Lqzhnwba
+Q4N8rgsBDFkNTEAmGcnTLMTlfO+SyKdHZI4n9VHdUQ1n38qFn70jj1YjcqEOFKXb
+wldSrYMedEOFVWyXaVWmxMwMTiDIKWMoxg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec
new file mode 100644
index 0000000000..140c201434
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20160824-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
new file mode 100644
index 0000000000..514964b5fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
@@ -0,0 +1,78 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+ return constructCertFromFile(`test_baseline_requirements/${certName}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(
+ gCertDB,
+ `test_baseline_requirements/${certName}.pem`,
+ trustString
+ );
+}
+
+function checkCertOn25August2016(cert, expectedResult) {
+ // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
+ const VALIDATION_TIME = 1472083200;
+ return checkCertErrorGenericAtTime(
+ gCertDB,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME,
+ false,
+ "example.com"
+ );
+}
+
+add_task(async function () {
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
+ });
+
+ Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
+
+ loadCertWithTrust("ca", "CTu,,");
+
+ // At one time there was a preference security.pki.name_matching_mode that
+ // controlled whether or not mozilla::pkix would fall back to using a
+ // certificate's subject common name during name matching. This no longer
+ // exists, and certificates that previously required the fallback should fail
+ // to verify.
+
+ await checkCertOn25August2016(
+ certFromFile("no-san-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("no-san-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("no-san-older"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("san-contains-no-hostnames-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("san-contains-no-hostnames-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("san-contains-no-hostnames-older"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_blocklist_onecrl.js b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js
new file mode 100644
index 0000000000..d82a493f16
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js
@@ -0,0 +1,148 @@
+"use strict";
+
+do_get_profile();
+
+const { Utils } = ChromeUtils.importESModule(
+ "resource://services-settings/Utils.sys.mjs"
+);
+const { RemoteSettings } = ChromeUtils.importESModule(
+ "resource://services-settings/remote-settings.sys.mjs"
+);
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+ "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();
+
+add_task(async function test_uses_a_custom_signer() {
+ Assert.notEqual(
+ OneCRLBlocklistClient.signerName,
+ RemoteSettings("not-specified").signerName
+ );
+});
+
+add_task(async function test_has_initial_dump() {
+ Assert.ok(
+ await Utils.hasLocalDump(
+ OneCRLBlocklistClient.bucketName,
+ OneCRLBlocklistClient.collectionName
+ )
+ );
+});
+
+add_task(async function test_default_jexl_filter_is_used() {
+ Assert.deepEqual(
+ OneCRLBlocklistClient.filterFunc,
+ RemoteSettings("not-specified").filterFunc
+ );
+});
+
+add_task(
+ async function test_revocations_are_updated_on_sync_with_cert_storage() {
+ const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ const has_revocations = () =>
+ new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION,
+ (rv, hasPriorData) => {
+ if (rv == Cr.NS_OK) {
+ return resolve(hasPriorData);
+ }
+ return resolve(false);
+ }
+ );
+ });
+
+ Assert.ok(!(await has_revocations()));
+
+ await OneCRLBlocklistClient.emit("sync", {
+ data: {
+ current: [],
+ created: [
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ ],
+ updated: [],
+ deleted: [],
+ },
+ });
+
+ Assert.ok(await has_revocations());
+ }
+);
+
+add_task(async function test_updated_entry() {
+ // Revoke a particular issuer/serial number.
+ await OneCRLBlocklistClient.emit("sync", {
+ data: {
+ current: [],
+ created: [
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ ],
+ updated: [],
+ deleted: [],
+ },
+ });
+ const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let issuerArray = [
+ 0x30, 0x12, 0x31, 0x10, 0x30, 0xe, 0x6, 0x3, 0x55, 0x4, 0x3, 0xc, 0x7, 0x54,
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41,
+ ];
+ let serialArray = [
+ 0x6b, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d, 0xa7, 0x9d, 0xa6, 0xa, 0xc8, 0x26,
+ 0xd, 0xb9, 0x88, 0x13, 0xce, 0x90, 0x83,
+ ];
+ let revocationState = certStorage.getRevocationState(
+ issuerArray,
+ serialArray,
+ [],
+ []
+ );
+ Assert.equal(revocationState, Ci.nsICertStorage.STATE_ENFORCE);
+
+ // Update the revocation to be a different serial number; the original
+ // (issuer, serial) pair should now not be revoked.
+ await OneCRLBlocklistClient.emit("sync", {
+ data: {
+ current: [],
+ created: [],
+ updated: [
+ {
+ old: {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ new: {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "ALtF+/+w5U0=",
+ },
+ },
+ ],
+ deleted: [],
+ },
+ });
+ let oldRevocationState = certStorage.getRevocationState(
+ issuerArray,
+ serialArray,
+ [],
+ []
+ );
+ Assert.equal(oldRevocationState, Ci.nsICertStorage.STATE_UNSET);
+
+ let newSerialArray = [0x00, 0xbb, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d];
+ let newRevocationState = certStorage.getRevocationState(
+ issuerArray,
+ newSerialArray,
+ [],
+ []
+ );
+ Assert.equal(newRevocationState, Ci.nsICertStorage.STATE_ENFORCE);
+});
diff --git a/security/manager/ssl/tests/unit/test_broken_fips.js b/security/manager/ssl/tests/unit/test_broken_fips.js
new file mode 100644
index 0000000000..2aac2496f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips.js
@@ -0,0 +1,61 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that if Firefox attempts and fails to load a PKCS#11 module DB that was
+// in FIPS mode, Firefox can still make use of keys in the key database.
+// secomd.db can be created via `certutil -N -d <dir>`. Putting it in FIPS mode
+// involves running `modutil -fips true -dbdir <dir>`. key4.db is from
+// test_sdr_preexisting/key4.db.
+
+function run_test() {
+ // Append a single quote and non-ASCII characters to the profile path.
+ let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+ let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+ file.initWithPath(profd);
+ file.append("'÷1");
+ Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+ let profile = do_get_profile(); // must be called before getting nsIX509CertDB
+ Assert.ok(
+ /[^\x20-\x7f]/.test(profile.path),
+ "the profile path should contain a non-ASCII character"
+ );
+
+ let keyDBName = "key4.db";
+ let keyDBFile = do_get_file(`test_broken_fips/${keyDBName}`);
+ keyDBFile.copyTo(profile, keyDBName);
+
+ let pkcs11modDBName = "pkcs11.txt";
+ let pkcs11modDBFile = do_get_file(`test_broken_fips/${pkcs11modDBName}`);
+ pkcs11modDBFile.copyTo(profile, pkcs11modDBName);
+
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ ok(!moduleDB.isFIPSEnabled, "FIPS should not be enabled");
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ const encrypted =
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d";
+ const expectedResult = "password";
+ let decrypted = sdr.decryptString(encrypted);
+ equal(
+ decrypted,
+ expectedResult,
+ "decrypted ciphertext should match expected plaintext"
+ );
+
+ let pkcs11modDBFileFIPS = do_get_profile();
+ pkcs11modDBFileFIPS.append(`${pkcs11modDBName}.fips`);
+ ok(
+ pkcs11modDBFileFIPS.exists(),
+ "backed-up PKCS#11 module db should now exist"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_broken_fips/key4.db b/security/manager/ssl/tests/unit/test_broken_fips/key4.db
new file mode 100644
index 0000000000..8f320dfdbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt
new file mode 100644
index 0000000000..78a11f5fa7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal FIPS PKCS #11 Module
+parameters=configdir='.' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM ] } Flags=internal,FIPS,critical
+
diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
new file mode 100644
index 0000000000..04fa1c655c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
@@ -0,0 +1,56 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests exporting a certificate and key as a PKCS#12 blob and importing it
+// again with a new password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "é»’ã„";
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ // Import the certificate and key so we have something to export.
+ let cert = findCertByCommonName(CERT_COMMON_NAME);
+ equal(cert, null, "cert should not be found before import");
+ let certFile = do_get_file(PKCS12_FILE);
+ ok(certFile, `${PKCS12_FILE} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported");
+ cert = findCertByCommonName(CERT_COMMON_NAME);
+ notEqual(cert, null, "cert should be found now");
+
+ // Export the certificate and key.
+ let output = do_get_tempdir();
+ output.append("output.p12");
+ ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file");
+ errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be exported");
+ ok(output.exists(), "output should exist after exporting PKCS12 file");
+
+ // We should be able to import the exported blob again using the new password.
+ errorCode = gCertDB.importPKCS12File(output, TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported");
+ output.remove(false /* not a directory; recursive doesn't apply */);
+
+ // Ideally there would be some way to confirm that this actually did anything.
+ // Unfortunately, since deleting a certificate currently doesn't actually do
+ // anything until the platform is restarted, we can't confirm that we
+ // successfully re-imported the certificate.
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js
new file mode 100644
index 0000000000..25f4ab58bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js
@@ -0,0 +1,117 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests exporting a certificate and key as a PKCS#12 blob if the user has a
+// primary password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "é»’ã„";
+
+var gPrompt = {
+ password: "password",
+ clickOk: true,
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gPrompt| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ alert(title, text) {
+ info(`alert('${text}')`);
+ ok(false, "not expecting alert() to be called");
+ },
+
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ password.value = this.password;
+ return this.clickOk;
+ },
+};
+
+const gPromptFactory = {
+ QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]),
+ getPrompt: (aWindow, aIID) => gPrompt,
+};
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ let promptFactoryCID = MockRegistrar.register(
+ "@mozilla.org/prompter;1",
+ gPromptFactory
+ );
+
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(promptFactoryCID);
+ });
+
+ // Set a primary password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ // Import the certificate and key so we have something to export.
+ let cert = findCertByCommonName(CERT_COMMON_NAME);
+ equal(cert, null, "cert should not be found before import");
+ let certFile = do_get_file(PKCS12_FILE);
+ ok(certFile, `${PKCS12_FILE} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should import");
+ cert = findCertByCommonName(CERT_COMMON_NAME);
+ notEqual(cert, null, "cert should be found now");
+
+ // Log out so we're prompted for the password.
+ token.logoutSimple();
+
+ // Export the certificate and key (and don't cancel the password request
+ // dialog).
+ let output = do_get_tempdir();
+ output.append("output.p12");
+ ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file");
+ errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should export");
+ ok(output.exists(), "output should exist after exporting PKCS12 file");
+ output.remove(false /* not a directory; recursive doesn't apply */);
+
+ // Log out again so we're prompted for the password.
+ token.logoutSimple();
+
+ // Attempt to export the certificate and key, but this time cancel the
+ // password request dialog. The export operation should also be canceled.
+ gPrompt.clickOk = false;
+ let output2 = do_get_tempdir();
+ output2.append("output2.p12");
+ ok(!output2.exists(), "output2 shouldn't exist before exporting PKCS12 file");
+ errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+ equal(
+ errorCode,
+ Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED,
+ "cert should not export"
+ );
+
+ ok(!output2.exists(), "output2 shouldn't exist after failing to export");
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import.js b/security/manager/ssl/tests/unit/test_certDB_import.js
new file mode 100644
index 0000000000..86c66f4989
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import.js
@@ -0,0 +1,187 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the various nsIX509CertDB import methods.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+const TEST_EMAIL_ADDRESS = "test@example.com";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+// Implements nsIInterfaceRequestor. Mostly serves to mock nsIPrompt.
+const gInterfaceRequestor = {
+ alert: (title, text) => {
+ // We don't test anything that calls this method yet.
+ ok(false, `alert() should not have been called: ${text}`);
+ },
+
+ getInterface: iid => {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function commonFindCertBy(propertyName, value) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert[propertyName] == value) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function findCertByCommonName(commonName) {
+ return commonFindCertBy("commonName", commonName);
+}
+
+function findCertByEmailAddress(emailAddress) {
+ return commonFindCertBy("emailAddress", emailAddress);
+}
+
+function testImportCACert() {
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
+
+function testImportEmptyCertPackage() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+ 0x05, 0xa0, 0x02, 0x30, 0x00,
+ ];
+ gCertDB.importCertificates(
+ byteArray,
+ byteArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+}
+
+function testImportEmptyUserCert() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+ 0x05, 0xa0, 0x02, 0x30, 0x00,
+ ];
+ gCertDB.importUserCertificate(
+ byteArray,
+ byteArray.length,
+ gInterfaceRequestor
+ );
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Sanity check the e-mail cert is missing.
+ equal(
+ findCertByEmailAddress(TEST_EMAIL_ADDRESS),
+ null,
+ "E-mail cert should not be in the database before import"
+ );
+
+ // Import the CA cert so that the e-mail import succeeds.
+ testImportCACert();
+ testImportEmptyCertPackage();
+ testImportEmptyUserCert();
+
+ // Import the e-mail cert and check for success.
+ let emailArray = getCertAsByteArray("test_certDB_import/emailEE.pem");
+ gCertDB.importEmailCertificate(
+ emailArray,
+ emailArray.length,
+ gInterfaceRequestor
+ );
+ let emailCert = findCertByEmailAddress(TEST_EMAIL_ADDRESS);
+ notEqual(emailCert, null, "E-mail cert should now be found in the database");
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ equal(
+ emailCert.tokenName,
+ bundle.GetStringFromName("PrivateTokenDescription"),
+ "cert's tokenName should be the expected localized value"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
new file mode 100644
index 0000000000..e969d672d7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
new file mode 100644
index 0000000000..879d424b85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
new file mode 100644
index 0000000000..7dcd668121
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
new file mode 100644
index 0000000000..efa03762fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUD6/AN7kvujBSGBoxvIJq71xFd/UwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw
+MjUwMjA0MDAwMDAwWjAhMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAvpG51OQ2+Le95l9RquNpzG8yn87g1
+wdqBpf29BFl1/fN9MUbvx5IMsyKz2VRuo3CFj95z/uAZyKsZERIfULUlEKjfaqRN
+FiT/rXrEAskvVJXnVMYDp+Dr7AEUeXepehfYUKtyAwx4rHe5JIsjmT1aYMRbvkl/
+tfDDC5sKzy/qfGB6/kyJ35yeNkQgqqSjfLcsfBdz5CZ0dqa/jOLZ8FrBtoVk3KlR
++mRmPpDoNOq2Zwvl17CgOwapt2h8S6eayO/ThHp28t2kvGFMDXY5cc3M0Le7If6e
+PcGTQk7VBktQfBEwjEHJmXYPXabmVI+ZJaqZ/UQKLiuuWPJjirPev+MF
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
new file mode 100644
index 0000000000..0528bc624a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
@@ -0,0 +1,2 @@
+issuer:importedCA
+subject:/emailAddress=test@example.com
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
new file mode 100644
index 0000000000..105f918782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
new file mode 100644
index 0000000000..945070430e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICzDCCAbSgAwIBAgIUORViFMy+rW4CvpGkwIxF31eNvYwwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw
+MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDAppbXBvcnRlZENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAM
+BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCN8ZydQaRL+zy7g8iXPZ82
+9ApH1/YqbgUE83twolLBerhSDLt94vzXrr+rdx413Wot/KvM9JIVYfERDsAmdwSG
+2Nf+Eda/zYWUyeeWCcjXx1mfri0c52A5f+9VMCwy30K8k97ZQk0P3hVt9Bz0TXKz
+FCRMJExY4fbeASqT8N3VM2SNh4Lzv5qYXM2bC8fAeZrwDKgolpi/yGLWYxuT4yUo
+NYQolHqqFb5z7rd+QiX/Df3kV2ZDMEKOOMELyXpcHo0BtfIrCQsVdwIt1A8xDzHM
+HBDT1TbiVm18LdnI6vgX0p8+RyLSTEvf5aPtc3NN/H7lhJXCtV9N6rgHSL5eonRg
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
new file mode 100644
index 0000000000..b168253544
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:importedCA
+subject:importedCA
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
new file mode 100644
index 0000000000..521904d432
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
@@ -0,0 +1,123 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests import PKCS12 file by nsIX509CertDB.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const PKCS12_FILE_EMPTY_PASS =
+ "test_certDB_import/cert_from_windows_emptypass.pfx";
+const PKCS12_FILE_NO_PASS = "test_certDB_import/cert_from_windows_nopass.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "é»’ã„";
+
+let gTestcases = [
+ // Test that importing a PKCS12 file with the wrong password fails.
+ {
+ name: "import using incorrect password",
+ filename: PKCS12_FILE,
+ passwordToUse: "this is the wrong password",
+ successExpected: false,
+ errorCode: Ci.nsIX509CertDB.ERROR_BAD_PASSWORD,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test that importing something that isn't a PKCS12 file fails.
+ {
+ name: "import non-PKCS12 file",
+ filename: "test_certDB_import_pkcs12.js",
+ passwordToUse: TEST_CERT_PASSWORD,
+ successExpected: false,
+ errorCode: Ci.nsIX509CertDB.ERROR_DECODE_ERROR,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test that importing a PKCS12 file with the correct password succeeds.
+ // This needs to be last because currently there isn't a way to delete the
+ // imported certificate (and thus reset the test state) that doesn't depend on
+ // the garbage collector running.
+ {
+ name: "import PKCS12 file",
+ filename: PKCS12_FILE,
+ passwordToUse: TEST_CERT_PASSWORD,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with empty string password
+ {
+ name: "import PKCS12 file empty password",
+ filename: PKCS12_FILE_EMPTY_PASS,
+ passwordToUse: "",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with no password
+ {
+ name: "import PKCS12 file no password",
+ filename: PKCS12_FILE_NO_PASS,
+ passwordToUse: null,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test a PKCS12 file encrypted using AES
+ {
+ name: "import PKCS12 file using AES",
+ filename: "test_certDB_import/encrypted_with_aes.p12",
+ passwordToUse: "password",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: "John Doe",
+ },
+];
+
+function doesCertExist(commonName) {
+ let allCerts = gCertDB.getCerts();
+ for (let cert of allCerts) {
+ if (cert.commonName == commonName) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+function runOneTestcase(testcase) {
+ info(`running ${testcase.name}`);
+ if (testcase.checkCertExist) {
+ ok(
+ !doesCertExist(testcase.certCommonName),
+ "cert should not be in the database before import"
+ );
+ }
+
+ // Import and check for failure.
+ let certFile = do_get_file(testcase.filename);
+ ok(certFile, `${testcase.filename} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, testcase.passwordToUse);
+ equal(errorCode, testcase.errorCode, `verifying error code`);
+ equal(
+ doesCertExist(testcase.certCommonName),
+ testcase.successExpected,
+ `cert should${testcase.successExpected ? "" : " not"} be found now`
+ );
+}
+
+function run_test() {
+ for (let testcase of gTestcases) {
+ runOneTestcase(testcase);
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
new file mode 100644
index 0000000000..ab1ad36fd2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
@@ -0,0 +1,148 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that a CA certificate can still be imported if the user has a primary
+// password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+var gMockPrompter = {
+ passwordToTry: "password",
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // Again with the arrow function issue.
+ getInterface(iid) {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Set a primary password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gMockPrompter
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_chains.js b/security/manager/ssl/tests/unit/test_cert_chains.js
new file mode 100644
index 0000000000..471bc42c03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_chains.js
@@ -0,0 +1,394 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// We hard-code the following certificates for the pkcs7 export tests so that we
+// don't have to change the test data when the certificates change each year.
+// Luckily these tests don't depend on the certificates being valid, so it's ok
+// to let them expire.
+const gDefaultEEPEM = `-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaob
+K2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4s
+v0swx/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU
++aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb
++ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR
+/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16IjWEukvJuU1W
+-----END CERTIFICATE-----`;
+
+const gTestCAPEM = `-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUKaFwIwCwHXUgKRuOhAX4pjYsmbgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIMgnywHFbPzJ
+BEcbpx/aWQOI2tUFlo7MUoPSoACHzoI/HOUTx25eKHlpNK2jSljLufhUd//eCCXg
++OQt4f2N/tRw8gumbs3YDF7+t3ZNGt+iQxZTwN7MKsGIZy+6R523XHw8lpzFX5iz
+XgIS+0APlX+XyZk7MRCcBWh6PSaSqEOOvUXVp6Omh3it034kBWnm809TEWmwiVw3
+ssPDmpUCArdDNMMdvQehzaH96cdjcSsguqpX9NcMDUmmiG7HLQ2iy+WSzek9S46S
+bKKDLw8Ebevfkl6PEpg+GDulq+EPXayN3AsFXkF8MaFLgfeprkENjN1g4jM+WSyN
+6DC7vCkj7A==
+-----END CERTIFICATE-----`;
+
+const gUnknownIssuerPEM = `
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIUMRiJ9TrwqTOoVFU+j5FDWDWS1X8wDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw
+MTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg
+RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV
+HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl
+ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93
+bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALAnJjBJ+MOc7kMRzmESYZRSxKak7A1K67xBXWzWmK3t3WXv
+e/RLjV/RhbyTN20h2ZjSVcuDzgNYC/RJ/z3Xd5Q9QEGoi1ly84HeaeHw/3kUSHxv
+J3JnbPu2lk96U5y7tXEVfbEVZYpx4Us72fuURPWriVldILH2lgrEg+iKZWbY/wcT
+vfu1j/flMkGEOpc1HytlmR9fkCDnqzFfcmv7Eh3X1BiSBOIemGnUHxONwlthSE68
+IItE5l3c82G8oQGmve6r0N9h7t6opIjH1koFWMck/pzDA01FmWey4ASdlmjE8NSJ
+Al1zsF8EiLOZeI1rvurcXwVOd0Olk9/QT5hwTkk=
+-----END CERTIFICATE-----`;
+
+const gOCSPEEWithIntermediatePEM = `
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUZ67hS7lHVnCQtXx7oXFlzihqh0cwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAxNzExMjcwMDAw
+MDBaGA8yMDIwMDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5
+IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv
+c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo
+dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQAo043hM4Gi
+UtoXKOQB2v0C8nF4Yyzpf+i0LlxQCFZkiLYu9pIuQu16I3TbLQRBwhCC0ml7TqJB
+AbryzILTorCQP8A1WQa1kt6cb30jCyXLcWnDA/ULPexn9cYm6I0YyLFlnkcVzMGL
+Fc+LyWTAPEW5rMauu5iOOp/6L5rBF0M9bg5yXSGNDv8gk3Jc+opJbBDTrAuKDNLp
+JSEp4rqovNFnirzlJWDS+ScAsWHtoLcrH6gnQRPsEV1WFQnYr3HkAakYQok9xs5A
+ikBS6mgz4/cFBts8bSGSuXxctkN2Ss7Y5l3YmTYKCxPz6retVfrhi/islH4W3z9H
+pu3ZqyACO6Lb
+-----END CERTIFICATE-----`;
+
+const gTestIntPEM = `
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----`;
+
+function build_cert_list_from_pem_list(pemList) {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let certList = [];
+ for (let pem of pemList) {
+ let cert = certdb.constructX509FromBase64(pemToBase64(pem));
+ certList.push(cert);
+ }
+ return certList;
+}
+
+function test_cert_pkcs7_export() {
+ // This was generated by running BadCertAndPinningServer locally on the bad_certs
+ // directory and visiting:
+ // https://good.include-subdomains.pinning.example.com:8443/
+ // and then viewing the certificate chain presented (in the page info dialog)
+ // and exporting it.
+ // (NB: test-ca must be imported and trusted for the connection to succeed)
+ const expectedPKCS7ForDefaultEE =
+ "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCBmQwggLTMIIBu6ADAgE" +
+ "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" +
+ "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" +
+ "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" +
+ "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" +
+ "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" +
+ "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" +
+ "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" +
+ "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" +
+ "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" +
+ "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" +
+ "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" +
+ "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" +
+ "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" +
+ "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6T" +
+ "IyPRSIwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAw" +
+ "MDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggE" +
+ "iMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNU" +
+ "q07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0" +
+ "DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ" +
+ "sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJH" +
+ "dtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFz" +
+ "G4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob" +
+ "3N0gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1z" +
+ "dWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnB" +
+ "pbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi" +
+ "8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvl" +
+ "aobK2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0sw" +
+ "x/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j" +
+ "3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t" +
+ "/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9W" +
+ "tZYAvwT78a2xpHp5XNglj16IjWEukvJuU1WMQAAAAAAAAA=";
+ let certListDefaultEE = build_cert_list_from_pem_list([
+ gDefaultEEPEM,
+ gTestCAPEM,
+ ]);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let pkcs7DefaultEE = certdb.asPKCS7Blob(certListDefaultEE);
+
+ equal(
+ btoa(pkcs7DefaultEE),
+ expectedPKCS7ForDefaultEE,
+ "PKCS7 export should work as expected for default-ee chain"
+ );
+
+ // This was generated by running BadCertAndPinningServer locally on the bad_certs
+ // directory and visiting:
+ // https://unknownissuer.example.com:8443/
+ // and then viewing the certificate presented (in the add certificate
+ // exception dialog) and exporting it.
+ const expectedPKCS7ForUnknownIssuer =
+ "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCA60wggOpMIICkaADAgE" +
+ "CAhQxGIn1OvCpM6hUVT6PkUNYNZLVfzANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtUZX" +
+ "N0IEludGVybWVkaWF0ZSB0byBkZWxldGUwIhgPMjAxNzExMjcwMDAwMDBaGA8yMDIwMDIwN" +
+ "TAwMDAwMFowLjEsMCoGA1UEAwwjVGVzdCBFbmQtZW50aXR5IGZyb20gdW5rbm93biBpc3N1" +
+ "ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTw" +
+ "T2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs" +
+ "1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkf" +
+ "bmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA" +
+ "dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/" +
+ "l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcIwgb8wgYgGA1UdEQSBgDB+ghl1bm" +
+ "tub3duaXNzdWVyLmV4YW1wbGUuY29tgjR1bmtub3duaXNzdWVyLmluY2x1ZGUtc3ViZG9tY" +
+ "Wlucy5waW5uaW5nLmV4YW1wbGUuY29tgit1bmtub3duaXNzdWVyLnRlc3QtbW9kZS5waW5u" +
+ "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x" +
+ "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAsCcmMEn4w5zuQxHOYRJhlFLEpq" +
+ "TsDUrrvEFdbNaYre3dZe979EuNX9GFvJM3bSHZmNJVy4POA1gL9En/Pdd3lD1AQaiLWXLzg" +
+ "d5p4fD/eRRIfG8ncmds+7aWT3pTnLu1cRV9sRVlinHhSzvZ+5RE9auJWV0gsfaWCsSD6Ipl" +
+ "Ztj/BxO9+7WP9+UyQYQ6lzUfK2WZH1+QIOerMV9ya/sSHdfUGJIE4h6YadQfE43CW2FITrw" +
+ "gi0TmXdzzYbyhAaa97qvQ32Hu3qikiMfWSgVYxyT+nMMDTUWZZ7LgBJ2WaMTw1IkCXXOwXw" +
+ "SIs5l4jWu+6txfBU53Q6WT39BPmHBOSTEAAAAAAAAA";
+ let certListUnknownIssuer = build_cert_list_from_pem_list([
+ gUnknownIssuerPEM,
+ ]);
+ let pkcs7UnknownIssuer = certdb.asPKCS7Blob(certListUnknownIssuer);
+ equal(
+ btoa(pkcs7UnknownIssuer),
+ expectedPKCS7ForUnknownIssuer,
+ "PKCS7 export should work as expected for unknown issuer"
+ );
+
+ // This was generated by running OCSPStaplingServer locally on the ocsp_certs
+ // directory and visiting:
+ // https://ocsp-stapling-with-intermediate.example.com:8443/
+ // and then viewing the certificate chain presented (in the page info dialog)
+ // and exporting it.
+ // (NB: test-ca must be imported and trusted for the connection to succeed)
+ const expectedPKCS7WithIntermediate =
+ "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCCPEwggLTMIIBu6ADAgE" +
+ "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" +
+ "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" +
+ "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" +
+ "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" +
+ "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" +
+ "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" +
+ "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" +
+ "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" +
+ "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" +
+ "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" +
+ "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" +
+ "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" +
+ "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" +
+ "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25i" +
+ "BPOkIMwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAw" +
+ "MDAwMFoYDzIwMjUwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTC" +
+ "CASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6u" +
+ "Q1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8H" +
+ "mnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh" +
+ "eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaM" +
+ "Mkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5" +
+ "kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EB" +
+ "AMCAQYwDQYJKoZIhvcNAQELBQADggEBAILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC" +
+ "2BQF0kMEEB547p+Ms8zdJY00Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77Tk" +
+ "fmnSnxvPi+0nlA+eM8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22" +
+ "+AIU7w6wyAIbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubji" +
+ "Mr3B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpykrGFL" +
+ "vocT/kym6r8galxCJUowggM1MIICHaADAgECAhRnruFLuUdWcJC1fHuhcWXOKGqHRzANBgk" +
+ "qhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTAiGA8yMDE3MTEyNz" +
+ "AwMDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAsMSowKAYDVQQDDCFUZXN0IEVuZC1lbnRpdHkgd" +
+ "2l0aCBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo" +
+ "RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHE" +
+ "IeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7q" +
+ "dw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCAB" +
+ "iTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd" +
+ "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1U" +
+ "dEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKw" +
+ "YBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBACjTj" +
+ "eEzgaJS2hco5AHa/QLycXhjLOl/6LQuXFAIVmSIti72ki5C7XojdNstBEHCEILSaXtOokEB" +
+ "uvLMgtOisJA/wDVZBrWS3pxvfSMLJctxacMD9Qs97Gf1xibojRjIsWWeRxXMwYsVz4vJZMA" +
+ "8Rbmsxq67mI46n/ovmsEXQz1uDnJdIY0O/yCTclz6iklsENOsC4oM0uklISniuqi80WeKvO" +
+ "UlYNL5JwCxYe2gtysfqCdBE+wRXVYVCdivceQBqRhCiT3GzkCKQFLqaDPj9wUG2zxtIZK5f" +
+ "Fy2Q3ZKztjmXdiZNgoLE/Pqt61V+uGL+KyUfhbfP0em7dmrIAI7otsxAAAAAAAAAA==";
+ let certListWithIntermediate = build_cert_list_from_pem_list([
+ gOCSPEEWithIntermediatePEM,
+ gTestIntPEM,
+ gTestCAPEM,
+ ]);
+ let pkcs7WithIntermediate = certdb.asPKCS7Blob(certListWithIntermediate);
+ equal(
+ btoa(pkcs7WithIntermediate),
+ expectedPKCS7WithIntermediate,
+ "PKCS7 export should work as expected for chain with intermediate"
+ );
+}
+
+function test_cert_pkcs7_empty_array() {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ throws(
+ () => certdb.asPKCS7Blob([]),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "trying to convert an empty array to pkcs7 should throw"
+ );
+}
+
+function run_test() {
+ do_get_profile();
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ add_test(function () {
+ test_cert_pkcs7_export();
+ run_next_test();
+ });
+
+ add_test(function () {
+ test_cert_pkcs7_empty_array();
+ run_next_test();
+ });
+
+ // Test successful connection (failedCertChain should be null)
+ add_connection_test(
+ // re-use pinning certs (keeler)
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess,
+ null,
+ function withSecurityInfo(aTransportSecurityInfo) {
+ equal(
+ aTransportSecurityInfo.failedCertChain.length,
+ 0,
+ "failedCertChain for a successful connection should be null"
+ );
+ }
+ );
+
+ // Test overrideable connection failure (failedCertChain should be non-null)
+ add_connection_test(
+ "expired.example.com",
+ SEC_ERROR_EXPIRED_CERTIFICATE,
+ null,
+ function withSecurityInfo(securityInfo) {
+ notEqual(
+ securityInfo.failedCertChain,
+ null,
+ "failedCertChain should not be null for an overrideable" +
+ " connection failure"
+ );
+ let originalCertChain = build_cert_chain(["expired-ee", "test-ca"]);
+ ok(
+ areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+ "failedCertChain should equal the original cert chain for an" +
+ " overrideable connection failure"
+ );
+ }
+ );
+
+ // Test overrideable connection failure (failedCertChain should be non-null)
+ add_connection_test(
+ "unknownissuer.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER,
+ null,
+ function withSecurityInfo(securityInfo) {
+ notEqual(
+ securityInfo.failedCertChain,
+ null,
+ "failedCertChain should not be null for an overrideable" +
+ " connection failure"
+ );
+ let originalCertChain = build_cert_chain(["unknownissuer"]);
+ ok(
+ areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+ "failedCertChain should equal the original cert chain for an" +
+ " overrideable connection failure"
+ );
+ }
+ );
+
+ // Test non-overrideable error (failedCertChain should be non-null)
+ add_connection_test(
+ "inadequatekeyusage.example.com",
+ SEC_ERROR_INADEQUATE_KEY_USAGE,
+ null,
+ function withSecurityInfo(securityInfo) {
+ notEqual(
+ securityInfo.failedCertChain,
+ null,
+ "failedCertChain should not be null for a non-overrideable" +
+ " connection failure"
+ );
+ let originalCertChain = build_cert_chain([
+ "inadequatekeyusage-ee",
+ "test-ca",
+ ]);
+ ok(
+ areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+ "failedCertChain should equal the original cert chain for a" +
+ " non-overrideable connection failure"
+ );
+ }
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_dbKey.js b/security/manager/ssl/tests/unit/test_cert_dbKey.js
new file mode 100644
index 0000000000..3ff36f905c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_dbKey.js
@@ -0,0 +1,225 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// This test tests that the nsIX509Cert.dbKey and nsIX509CertDB.findCertByDBKey
+// APIs work as expected. That is, getting a certificate's dbKey and using it
+// in findCertByDBKey should return the same certificate. Also, for backwards
+// compatibility, findCertByDBKey should ignore any whitespace in its input
+// (even though now nsIX509Cert.dbKey will never have whitespace in it).
+
+function hexStringToBytes(hex) {
+ let bytes = [];
+ for (let hexByteStr of hex.split(":")) {
+ bytes.push(parseInt(hexByteStr, 16));
+ }
+ return bytes;
+}
+
+function encodeCommonNameAsBytes(commonName) {
+ // The encoding will look something like this (in hex):
+ // 30 (SEQUENCE) <length of contents>
+ // 31 (SET) <length of contents>
+ // 30 (SEQUENCE) <length of contents>
+ // 06 (OID) 03 (length)
+ // 55 04 03 (id-at-commonName)
+ // 0C (UTF8String) <length of common name>
+ // <common name bytes>
+ // To make things simple, it would be nice to have the length of each
+ // component be less than 128 bytes (so we can have single-byte lengths).
+ // For this to hold, the maximum length of the contents of the outermost
+ // SEQUENCE must be 127. Everything not in the contents of the common name
+ // will take up 11 bytes, so the value of the common name itself can be at
+ // most 116 bytes.
+ ok(
+ commonName.length <= 116,
+ "test assumption: common name can't be longer than 116 bytes (makes " +
+ "DER encoding easier)"
+ );
+ let commonNameOIDBytes = [0x06, 0x03, 0x55, 0x04, 0x03];
+ let commonNameBytes = [0x0c, commonName.length];
+ for (let i = 0; i < commonName.length; i++) {
+ commonNameBytes.push(commonName.charCodeAt(i));
+ }
+ let bytes = commonNameOIDBytes.concat(commonNameBytes);
+ bytes.unshift(bytes.length);
+ bytes.unshift(0x30); // SEQUENCE
+ bytes.unshift(bytes.length);
+ bytes.unshift(0x31); // SET
+ bytes.unshift(bytes.length);
+ bytes.unshift(0x30); // SEQUENCE
+ return bytes;
+}
+
+function testInvalidDBKey(certDB, dbKey) {
+ throws(
+ () => certDB.findCertByDBKey(dbKey),
+ /NS_ERROR_ILLEGAL_INPUT/,
+ `findCertByDBKey(${dbKey}) should raise NS_ERROR_ILLEGAL_INPUT`
+ );
+}
+
+function testDBKeyForNonexistentCert(certDB, dbKey) {
+ let cert = certDB.findCertByDBKey(dbKey);
+ ok(!cert, "shouldn't find cert for given dbKey");
+}
+
+function byteArrayToByteString(bytes) {
+ let byteString = "";
+ for (let b of bytes) {
+ byteString += String.fromCharCode(b);
+ }
+ return byteString;
+}
+
+function run_test() {
+ do_get_profile();
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let cert = constructCertFromFile("bad_certs/test-ca.pem");
+ equal(
+ cert.issuerName,
+ "CN=" + cert.issuerCommonName,
+ "test assumption: this certificate's issuer distinguished name " +
+ "consists only of a common name"
+ );
+ let issuerBytes = encodeCommonNameAsBytes(cert.issuerCommonName);
+ ok(
+ issuerBytes.length < 256,
+ "test assumption: length of encoded issuer is less than 256 bytes"
+ );
+ let serialNumberBytes = hexStringToBytes(cert.serialNumber);
+ ok(
+ serialNumberBytes.length < 256,
+ "test assumption: length of encoded serial number is less than 256 bytes"
+ );
+ let dbKeyHeader = [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ serialNumberBytes.length,
+ 0,
+ 0,
+ 0,
+ issuerBytes.length,
+ ];
+ let expectedDbKeyBytes = dbKeyHeader.concat(serialNumberBytes, issuerBytes);
+ let expectedDbKey = btoa(byteArrayToByteString(expectedDbKeyBytes));
+ equal(
+ cert.dbKey,
+ expectedDbKey,
+ "actual and expected dbKey values should match"
+ );
+
+ let certFromDbKey = certDB.findCertByDBKey(expectedDbKey);
+ ok(
+ areCertsEqual(certFromDbKey, cert),
+ "nsIX509CertDB.findCertByDBKey should find the right certificate"
+ );
+
+ ok(
+ expectedDbKey.length > 64,
+ "test assumption: dbKey should be longer than 64 characters"
+ );
+ let expectedDbKeyWithCRLF = expectedDbKey.replace(/(.{64})/, "$1\r\n");
+ ok(
+ expectedDbKeyWithCRLF.indexOf("\r\n") == 64,
+ "test self-check: adding CRLF to dbKey should succeed"
+ );
+ certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithCRLF);
+ ok(
+ areCertsEqual(certFromDbKey, cert),
+ "nsIX509CertDB.findCertByDBKey should work with dbKey with CRLF"
+ );
+
+ let expectedDbKeyWithSpaces = expectedDbKey.replace(/(.{64})/, "$1 ");
+ ok(
+ expectedDbKeyWithSpaces.indexOf(" ") == 64,
+ "test self-check: adding spaces to dbKey should succeed"
+ );
+ certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithSpaces);
+ ok(
+ areCertsEqual(certFromDbKey, cert),
+ "nsIX509CertDB.findCertByDBKey should work with dbKey with spaces"
+ );
+
+ // Test some invalid dbKey values.
+ testInvalidDBKey(certDB, "AAAA"); // Not long enough.
+ // No header.
+ testInvalidDBKey(
+ certDB,
+ btoa(
+ byteArrayToByteString(
+ [0, 0, 0, serialNumberBytes.length, 0, 0, 0, issuerBytes.length].concat(
+ serialNumberBytes,
+ issuerBytes
+ )
+ )
+ )
+ );
+ testInvalidDBKey(
+ certDB,
+ btoa(
+ byteArrayToByteString([
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 255,
+ 255,
+ 255,
+ 255, // serial number length is way too long
+ 255,
+ 255,
+ 255,
+ 255, // issuer length is way too long
+ 0,
+ 0,
+ 0,
+ 0,
+ ])
+ )
+ );
+ // Truncated issuer.
+ testInvalidDBKey(
+ certDB,
+ btoa(
+ byteArrayToByteString([
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 10, 1, 1, 2, 3,
+ ])
+ )
+ );
+ // Issuer doesn't decode to valid common name.
+ testDBKeyForNonexistentCert(
+ certDB,
+ btoa(
+ byteArrayToByteString([
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 3, 1, 1, 2, 3,
+ ])
+ )
+ );
+
+ // zero-length serial number and issuer -> no such certificate
+ testDBKeyForNonexistentCert(
+ certDB,
+ btoa(
+ byteArrayToByteString([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
+ )
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_eku.js b/security/manager/ssl/tests/unit/test_cert_eku.js
new file mode 100644
index 0000000000..de1d5fcbfe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -0,0 +1,189 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that the extended key usage extension is properly processed by the
+// platform when verifying certificates. There are already comprehensive tests
+// in mozilla::pkix itself, but these tests serve as integration tests to ensure
+// that the cases we're particularly concerned about are correctly handled.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+ return constructCertFromFile(`test_cert_eku/${certName}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString);
+}
+
+function checkEndEntity(cert, expectedResult) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer
+ );
+}
+
+function checkCertOn25August2016(cert, expectedResult) {
+ // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
+ const VALIDATION_TIME = 1472083200;
+ return checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME
+ );
+}
+
+add_task(async function () {
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
+ });
+ Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
+
+ loadCertWithTrust("ca", "CTu,,");
+ // end-entity has id-kp-serverAuth => success
+ await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
+ // end-entity has id-kp-serverAuth => success
+ await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
+ // end-entity has extended key usage, but id-kp-serverAuth is not present =>
+ // failure
+ await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ // end-entity has id-kp-serverAuth => success
+ await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
+
+ // end-entity has extended key usage, but id-kp-serverAuth is not present =>
+ // failure (in particular, Netscape Server Gated Crypto (also known as
+ // Netscape Step Up) is not an acceptable substitute for end-entity
+ // certificates).
+ // Verify this for all Netscape Step Up policy configurations.
+ // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // 1 = "accept nsSGC before 23 August 2016"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // 2 = "accept nsSGC before 23 August 2015"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // 3 = "never accept nsSGC"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+
+ // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity
+ // certificates being verified as TLS server certificates => failure
+ await checkEndEntity(
+ certFromFile("ee-SA-OCSP"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+
+ // intermediate has id-kp-serverAuth => success
+ loadCertWithTrust("int-SA", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
+ // intermediate has id-kp-serverAuth => success
+ loadCertWithTrust("int-SA-CA", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
+ // intermediate has extended key usage, but id-kp-serverAuth is not present
+ // => failure
+ loadCertWithTrust("int-CA", ",,");
+ await checkEndEntity(
+ certFromFile("ee-int-CA"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // intermediate has id-kp-serverAuth => success
+ loadCertWithTrust("int-SA-nsSGC", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
+
+ // Intermediate has Netscape Server Gated Crypto. Success will depend on the
+ // Netscape Step Up policy configuration and the notBefore property of the
+ // intermediate.
+ loadCertWithTrust("int-nsSGC-recent", ",,");
+ loadCertWithTrust("int-nsSGC-old", ",,");
+ loadCertWithTrust("int-nsSGC-older", ",,");
+ // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
+ info("Netscape Step Up policy: always accept");
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ PRErrorCodeSuccess
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ PRErrorCodeSuccess
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ PRErrorCodeSuccess
+ );
+ // 1 = "accept nsSGC before 23 August 2016"
+ info("Netscape Step Up policy: accept before 23 August 2016");
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ PRErrorCodeSuccess
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ PRErrorCodeSuccess
+ );
+ // 2 = "accept nsSGC before 23 August 2015"
+ info("Netscape Step Up policy: accept before 23 August 2015");
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ PRErrorCodeSuccess
+ );
+ // 3 = "never accept nsSGC"
+ info("Netscape Step Up policy: never accept");
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+
+ // intermediate has id-kp-OCSPSigning, which is acceptable for CA
+ // certificates => success
+ loadCertWithTrust("int-SA-OCSP", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem
new file mode 100644
index 0000000000..790e942fbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvDCCAaSgAwIBAgIUbYeck7JVOWdVm1AGwsw/DzdRnaYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTAxMDEwMDAwMDBaGA8yMDM1MDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAI0AO+ZBY1oImSrpifcmQZTE/C4xIu7Uu5GX/A7ApQU7
+8UAXivMgRDbtrjOie1HNH9DIxHBCFY/Y7f0VRXxWmPEmT+5LpHrLoi+YF0h2wh/1
+RuiJV1AfaEdVJyNCVDSQrS8BQG5O3LebBq00gjSJSQ4+DHu7YHWkyMIZk+lbBiO1
+GsD0FWBDlOtiMpL/CQWjyiskiqQjrDCs5m0NayqgzYAMtdlEd+pAKEMNO8Fr8xSI
+tAlcG4frvH0kLJ2scX9ayvKTZrAiAxJz9CjmmnXOyL78yyr/hkJbzYTvk0+1cClg
+J2aGnsFIHgUxEx7sApOqlmG8g1lqL7UPqpi8ItVNl48=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
new file mode 100644
index 0000000000..c6e443f5d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+validity:20150101-20350101
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem
new file mode 100644
index 0000000000..7c825b6e45
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUG5raDQTHsnMnSlmohQUepi+75WIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEDEOMAwGA1UEAwwFZWUtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG
+AQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAF0cq6IygjIInXKKccUVbsdvQPXCkj
+yGi9NQxEVdb6lQyDhsy9REJwGHalKWvU6F2t1pRevaswsLYbJ/rL7Z9mR11S9BVW
+3XfQTcug3xRy7gTHm5eC3TvUkXHsEWtou0eooDOdxcXNsfmA7+j4oszFOl9f3+OB
+wB0yAg+7n8lnFfBfpR8EjGEqZNYzUClpGqc8R70NnDkebs2H4yIBpnx/la+du+lY
+XVEKLrt5G+epKpR7lPqIn3C9+PmvmgwBhYGtyv4E9sgYvEtXHhX+Dz+SsxgembWv
+SvDgddYOlFy7jJXOqepO1koiiL0C8vQjbjiNO0WROziOzP6iVp64pu6R
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec
new file mode 100644
index 0000000000..d49cabaa2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-CA
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem
new file mode 100644
index 0000000000..555e65765b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUOdbcalffVxJ74ddWhQGlOphTnSQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEzERMA8GA1UEAwwIZWUtU0EtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAfMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAFTkyWBfmB1oT
+16ITB/ar4pTtlU1v0vDJ+lKr0EM0sy8DOg6/0aQgjD7YSTbVi31FAuNZGtmkNqcb
+YxsP1WhzUTghE6UseHhwuTjeIso3goTD/VMOt/hqSBlu8pSEZmFQr/b5knWmAGoc
+vNbiUCr81LcTMBNAWCEbt3Zl+KZWPYyQ5wuEQGv6srL9IGIcSLSHUShPe2NA6wTP
+KxcGhw/o77OhStr1ubscnqTalhsAp6Vjk/pp4CiokZmUafS5NzsWL+U1Odh2Yuzx
+i7Kg8V/paOSubJSKvQ2G7aldNmxNwE42GpfuJ0vFinissplp8Dy5Rfa/62UiW5Os
+BrQ6KRHHHg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec
new file mode 100644
index 0000000000..5250cc4a84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-CA
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem
new file mode 100644
index 0000000000..9f0f510941
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUbZ6DHXv0Hy0REhbAruVFisqk1DYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtU0EtT0NTUDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMhMB8wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQADFuhMBFjA
+lxWKhGHuGJHQzzTIvLyAudXQiF2GtO/ZmvH3zgSfdbASU/H1H5F/JL8oH3zu1R6x
+VNDFTLdwxTiAcScXp+97IWEnJbXpU73guH/AMUah/gwBRwV+0vmNPXlev0R9jfL8
+zw/kXsVgm/Lh95IOgGtCUH6UxNsks60xxPD1aOEqAcU1Qva4wAi929MzjqhR7uYX
+7Tfun8ju6Vu41C6xcs9j+wabnAd3vumqIml/QJL/+PJFl81i6YNU77q4KUefGWDW
+l7WDpOZFPSgzqPTvSxjOQaW1YJkic0lq/3ud0ljvSUcP02fOXBkugrODQpxYOiHW
+gmdHVP4kQXKJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..3b3eff9ae4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-OCSP
+extension:extKeyUsage:serverAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem
new file mode 100644
index 0000000000..319fd03dfa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAb+gAwIBAgIUObjrN+paYhRrbpkZSltbNnyDbI4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtU0EtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjIjAgMB4GA1UdJQQX
+MBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEBAEA1ACys
+GkObtiWt6/1YrMahD5DpPgD/fFfXo0vOQDBuMhEKpRDm70Wpu0glcp0a+uOsbrif
+QlUEPY7FyGdtlH9MQS8biv48GenUNsRJs+AvjqIkY5PKhkH+mxq89O9Nz1JtFK7t
+TFD8VbeR3J0EGE8X5/f01ftzzMYoVBqyLEQGYpnFia92oIxNhTtIzzUOP+DyHECL
+cSpBBWhXSE8aQYTLpOljVAA0TmhGwqXGxwfoXrSjbdFaK4FDDXbMie214kNW/Zhj
+NNiBsye3USuyDKKR4JuiMfAITpknbjW0Ugk/cO9tiagwtQGBlyzGHjZ4YjWbpSVJ
+YPUBj+lRSbIIZe4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..4c51425ce7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-nsSGC
+extension:extKeyUsage:serverAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem
new file mode 100644
index 0000000000..b461819bfd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUFXurM57d4PLGyCwipLoDO2tuXRMwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEDEOMAwGA1UEAwwFZWUtU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQA//SBxqafXNJyykLLSpSSCDdZjorP+
+MuI0XsOYXTuFmnyDdWVEISJyx7aW7rEnrHEnbSDbMOTxB7u6FlMOd5xQnE6Z9IYa
+JgJAWYkAt3g4uwjqgXGAduffm8cnuT1zX3XN/hdG7F+gNyrwgWhsBV9KsDUW19qO
+u9NYeu+VYJ3d36fa5ZLcqJgb+1it7fX+ofaNqjchiADzTAsgxq4wvR+SNp5VmZk+
+aky/ZCDFtwYJTdwirkQfjGK3BM5iAP6ZBxZ20XjHaHZBfb3Fn4X6oS8GB1rbg5g8
+hQQrpNtZe7RgYk6kDcfa9t1o5ZJtUs7Irtk38gQvSBTNF8d1Fy4J+JEm
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec
new file mode 100644
index 0000000000..690f579afa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem
new file mode 100644
index 0000000000..3f87628485
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUHchnUOOkEQ3AfkGRNaMhwR7U+U8wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1DQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAs+ymnpeKOcj4iCAksWRXPevZh13PdAbmzl4YgWyJrt7QlgrpBYiR
+W3cFfYa/nBaYUehCeNEdR8V982i4XwSxliNI8P7KkIhT5bIUqlV4rDdREakDOR1o
+TiP1rWzpG8wO05gb34yN7GGDrGfzBuUqg4F8zR+Ik12+FaAjrw5GQcK8/9EgzugW
+TEWAAgdctilMcBrtbubRkKhEtKDwrL1hi/LCueZOMu/DtkqrLyRbMy6ZYx/lt6Sa
+g5taNygf71ESl9zs0XIw47tpNerazYJppbFyWl419uKbuf9eAvVHW6OpdFPzNLSo
+8lID+3W/wVrCz0Anzi2b+QSpwRgn7NFUEg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec
new file mode 100644
index 0000000000..670973930d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-CA
+subject:ee-int-CA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem
new file mode 100644
index 0000000000..e5ac991bb1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuzCCAaOgAwIBAgIUE9zsz/ZCfAas9g2RV2m4DJrYJLUwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJaW50LVNBLUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy
+NTAyMDQwMDAwMDBaMBcxFTATBgNVBAMMDGVlLWludC1TQS1DQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEAswZPAmxHpnTQSh3Wk9g0mZPaiGsxvxYCetZ04BQ7KH04
+8ccWp/Ko1nDtjWJqce8NGqbGTE29ZsKQf6tfJqWPNioewtQwBk+4bev9xJShp2Z4
+ewUgH04r02tS2Iaj7JnUqKURpaLPXO2wGUcRfUAdmK58X+xz0oCEQ1tnWzI2HRql
+aHT+dktk9115BKGzh8s3qnjbH8GMqUx8jwnk30+7jQdPeTkL3FNUtdzCbgg8c/N7
+YOz1XAWL8mPixxpJt82NCHam3ztqCqP77KmQ3meQ71i9+xxuTmCO1rzzS5O7pLJp
+sKQeKHm9whydA+8ee9ZkwK1CLTsP0EmRO/aa3uDvxQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec
new file mode 100644
index 0000000000..bd012ab712
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-CA
+subject:ee-int-SA-CA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem
new file mode 100644
index 0000000000..63e97c0306
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvzCCAaegAwIBAgIUP5qx4XYdMSegOdUEcxnAtfiMkb0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowGTEXMBUGA1UEAwwOZWUtaW50LVNBLU9DU1AwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEw
+DQYJKoZIhvcNAQELBQADggEBAJkfXu+NMyWvMVI9mHdvu4nTcTFpMknmQqij+9O+
+tYPswurw/1Tyxb3cFjAGShusaJm1NzWFIG8e6oEA+hpt8k4g2WVJHeSCIeHUZo5h
+AHqwBL/TkLd8jjUdUevFzXu+iwfGbAcmW9H/t61+p4k/xMv5tZ1+4RHa3ey/o7Ng
+e2aVMQfg9JqaUFpjvKI8EqumJezr7Kv+jHc89cw3hzlpPoMTSmScfKN5yD3Qz/PF
+hfR3sEZ7Q9KAvNFjZeP5Mh1exnUFWL/NyFQmo0ec+Hlh9YzrpcKhmoyaPgWZ5ssT
+9vLHbhtMXwp971H4kh4yuofWxud4A/6b5w4uFRsDajARQHs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..2374d248f6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-OCSP
+subject:ee-int-SA-OCSP
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem
new file mode 100644
index 0000000000..43f134eeaa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAamgAwIBAgIUIYjn3UW5pUXKIt8l3bYj/Halm7gwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMCIYDzIwMjIxMTI3MDAwMDAwWhgP
+MjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1TQS1uc1NHQzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAfC/uTkGqVx3apqzpJvF+TaWFMh8gLbBKZRWD
+Cjfly6crWNhONv+vHmbu9Tzh2NeasBsyfnln1phUF9msFg5/GDpbShOIJRv7olHt
+mQA8D/M7JzKDGUcro8y60I5AZEmcd8JeMqHfz6/IPTf5sUGm+wnBicKwqCprKxQV
+JRHld6hlf8aa/Y5OXoYnVHhC2BruarxTDvD96vcyCXRFQCpOijA28V/ROYruxYyf
+M2l2AJSxnjrWaTYJEJXB3j4sFa1ePjxZiWROPf86EwJpqf4jYqUD8VTUqfyIbaxt
+6YaCQ6HAsNL+oiF7iSPCxlYRVAYdobPqq52keIqRXELR2JX0Wg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..6c3cb64730
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-nsSGC
+subject:ee-int-SA-nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem
new file mode 100644
index 0000000000..bdd82e942c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUOYiNPy7G5KxoSBi83HlrLA+DH4kwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LVNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1TQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAOmuFlvztDm/71lN5fqx7jH1czCCxaUly2TB5lrnCDf9NS0Ah2wng
+AoITfXaBHxxQc8aulZfvoDAQujk+xNXpLIRB3FpH6oJwgeCWupSBvkhK7YnIOEn0
+y+acoxEdo+yhpamg94GMundHxsDIHuSf0aAlyOqPPgs3iR1AYoVlHQrISJB89MoQ
+bK0vypqNOrPSZqBJKmYdleoI7FZBwaRSo57DG8hUOot7xcYAnchL5UcYwjf3qcze
+6rc7Fa2U7diuEuobU1e6uUAxeG/L7BroBpUlwh0TdggPsmfCeiSlVRH1zcjnnsbq
+iJuNO3TS0g1/o3X6BW4jU87UDAFF8AKw4Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec
new file mode 100644
index 0000000000..72ddb78dfd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA
+subject:ee-int-SA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem
new file mode 100644
index 0000000000..8e8d4c2c04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAaugAwIBAgIUB/nCi+kTmIkobMVqQFtJnevhGwEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDAiGA8yMDE2MDcyNDAwMDAwMFoY
+DzIwMTYwOTI0MDAwMDAwWjAbMRkwFwYDVQQDDBBlZS1pbnQtbnNTR0Mtb2xkMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQBcxzg5hx9tQ57Jv3wibAhPktjmqapB2suH
+eGE253Xn5haGq+0E3Qkmn7oF1ou6QyLvP+qbElhkx7+eEvhMhzRZFU8XmxzHRqbb
+dZ0/MQw+aLEOc4Utl+1n3pDbVhBjoG3yVxyErndHfyXg+hNPMBEPvtfMYnSkKHX1
+3w3pJSs8HtUNMG3jecwXOJic0kUu6V5npNC0KTeZq4OOzp48WCpEfsQ6W5MzR4PN
+mrCVU2t1GzCKRNA8E8a9unOcxnukz8FaY9RCkeW3cTwRNt0VaFprX32d1C4mz5rV
+vNz/TGA0jy2b4Mg/dpGXrxqyRy1mG3zfs7sDhEoCxLsd/7ytu/bs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec
new file mode 100644
index 0000000000..a21b49b783
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-old
+subject:ee-int-nsSGC-old
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem
new file mode 100644
index 0000000000..4acdf7b59d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxzCCAa+gAwIBAgIUYfx/2lyIWKMRlK/zS6/kmkp+t/MwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMCIYDzIwMTUwNzI0MDAwMDAw
+WhgPMjAxNjA5MjQwMDAwMDBaMB0xGzAZBgNVBAMMEmVlLWludC1uc1NHQy1vbGRl
+cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAbCqK5OcHMj28V1PKiL4CHeN2oTCj
+pObUJrAUqsHJbqS2Q+huzzoSsL+yT4uKeiuDMZnKOm8OIZMtM7M4zQb6b5H1Wqm+
+fM5384kUubmSG+CzUd4adK8NjSwgYhgdvAecbzhPS1GUlai9qDJU+elQVIrNZCL4
+6B634koCQkarYybibdXgoum9zzcla0TRXe9rHjb8VYe+BH7tLAnWGpUqw4x36Buz
+gv605ApVb+QDAB9NH4/EZ1TXuKby6I9I19EkfADHL5XUKHGFH2EE+6Fsqihgu3QG
+NRYMU2GL79bZcwOm2t2v+ZB2fp+UlEs8nykWY7PgwbJ+ObgSauNHhKi5DA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec
new file mode 100644
index 0000000000..93e1831a32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-older
+subject:ee-int-nsSGC-older
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem
new file mode 100644
index 0000000000..557c8276e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUE/PT07mikR8SeEYcqdLT8IL5vMIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDAiGA8yMDE2MDgyNDAwMDAw
+MFoYDzIwMTcwODI0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbnNTR0MtcmVj
+ZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAKnYtenyuUSykB8EP4IkEeeVPo
+PeZpLKEHHr9CnjIC8b0lHhTsFQhIiNsCWt8xh+JS273QJi/A2rdo1M4KiMZyURne
+RZvTBpFu5F8E+VixDP9xmpAffrgqPqgNRyN+co7tUQZgsJHhb8LSKKMHQTMTBOgW
+nrVlMR+MwXBBQx7Yc7KkVob8DMWmIAAXlv0JY6ID2lRb4haBVS1gsPIj24mVF8XG
+dRJIgtVUvey49/PvErG6FNA32QPDCyv9UOkX9mtpnu9dT+v6mAkbRcSDYAsTTWh2
+seog8fOBA8WoqO+EtTIY2VLiO2G8pTp8MftYVc1Mhd5Kh/ZT+PtdngloPnDM
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
new file mode 100644
index 0000000000..4a3ad8ec05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-recent
+subject:ee-int-nsSGC-recent
+validity:20160824-20170824
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem
new file mode 100644
index 0000000000..7adea67ec3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUDZFQotE9q8gc3a3O4d9a1PgjqXowDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowEzERMA8GA1UEAwwIZWUtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1UdJQQNMAsG
+CWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOCAQEAir0+b53o/nKoO+z/UJprnGW8
+CJ+WrBUnjuk1NoF74BgoQKSlG2ZlPwkJKAu8Ve8U3W2qIifno5KaqSxdpD+SFCHM
+UwysBopkxWYw2OnrbFY5+wKDbKbLU52wAL/os0Le7HzmcGYCMRrY3PLFEsBptK+V
+d5G81q9xwm71PiYtT552RJ91R2SM/EUwgmsvpnelbxP1pJ6Plo+MyvPTnKWZIqF5
+8dKOlAXISiGKAAecp8zxd+jb6AfFKI57WFO6YQQjp2VNki89W1gXCTBqYwZMZx7c
+tNi5yQqqV9yK5Ip3ANVO439YlfC4gXsK+7hWdCY8SAFUw5PK9lV1ADApU729Sg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec
new file mode 100644
index 0000000000..43d58ab6d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-nsSGC
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem
new file mode 100644
index 0000000000..4e9e6cb3c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUT16BYsC9ZI2vDs6QjSYscUuqIyswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowETEPMA0GA1UEAwwGaW50LUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/
+MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCqtlp70MzK
+N04U3vih6vGBQ3uGLrNt9BLPyKMYeL3eBo6A1gpSqYf/Sck0Cz+KfeNsusL8inIU
+PyGCs9gT1wxrdQxYjfHJMXMrP+u1mDv6eNAXLEXTw433wvIc5VjyWcC8NzzaRuz+
+q6QI9xFCWpfoRWYLEXGvBQlOl7DhoFoiMc/Kx8KPJjLj30E5ADG7ynEwTHaEWNu+
+W4rtXJFoWWbrcMLiltoGuwXKJMTZXqCxHbE9kPsFfSxjH3pQPrtf4Y9W40U6zptx
+fMUsRGQJ62mt6Tw3OqRbKkG+fRTaVepSCb8mWNf1W1MiHsPaj1PJpcGsVFu3Gm5l
+BkhLeYqX2Go5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec
new file mode 100644
index 0000000000..e5bc18198c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem
new file mode 100644
index 0000000000..a5ef270a62
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUP4iCpE43O1hPtEZ/fyTFYWSLc4cwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFDESMBAGA1UEAwwJaW50LVNBLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy8wLTAMBgNVHRMEBTAD
+AQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF
+AAOCAQEASW5cZorOprQwrEB6YMx0DgP4yM+A7xJrvUKYdz3kYp428BYeSLsl8z0I
+fwEOscPDq9rpcYZrxs/64zQ3a1AxQZFWZc/xbTLBGfps5TWTr6bjje5SuFzvPQxu
+nBLptAO+HGXMhPDTs2KA7QVafTP0PH3YsQKIYMjTAV7KbIKYJETYJom3X8uVBhiT
+bKyCfBkPAyR1D2+u5hRHte4Y8Z4SFi4CwqlUyJ6ppikhGjV8SCQT2jxT78LrFbjT
+kbzQza/x7rs1PyqSm2chLxzGV+BUy5V0nJtA+t1Be95zIeJN1FSFvtOu2KpDvz1b
+9ZBYKb5AIf2QjJFIp7o1Rolj0P17Iw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec
new file mode 100644
index 0000000000..94e9a42d48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem
new file mode 100644
index 0000000000..83016639f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUV9daiZoGrruzgU7Afj/Oqpy1QcswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMAwGA1UdEwQF
+MAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEB
+CwUAA4IBAQBoOOa+LtSngPz1QBWCFBboX9pMXm64hwKgBkMncJVPJIqpmf7HyxJz
+h2It7GiMGcYuGxDct/GpHGR9TzLoznajV9DcXfvnBtrBZa/G8I80EqVdbDkLURP2
+7khBWv3790vhQeleM2v8jfLeTTxzQIDy57Mg1K5yKDKRpDZWXAJ6wvLbODbHq9t+
+D190+G7EihlN0Md+APUSzEgPMzqDtp0ke3Al6euO8m8CganCdTJ4lo/SG2jfW2oS
+L/yi+pNuevxQoE7myIV47dSTfsyWFD2E2GAySyUAtUQyIS9ALicaaoElaOeT7Tjk
+FOTlG3kVrhf1+VrKvVjxYd+2mh2hHTTh
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..c38a640b9b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-OCSP
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem
new file mode 100644
index 0000000000..ee0d8f799b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUITyADt0JBYv3EAW83CqAdT2fbjowDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRME
+BTADAQH/MB4GA1UdJQQXMBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcN
+AQELBQADggEBAHuikV1cMD7zxYKkZ7rY9AA4d+TdugXU/70ygEZK4uKESN2MuHoG
+k7hyfSsEi7yPWp3QxddaNHOYjjpAGNeZEl2ED1fpfv+c76gSMfsnZJqz2GxRnxFV
+evmklE6C6Kze0hnWAUxtxWRCT1Kno5f4z2zIATy90q64owx7F8glRuDUq0vWXp52
+UX4vPDaSpQK4+PQ0g0dKL/kGZrWQgTJUbjcCknW5ZFSpnT+GULrYJC41LBZQYumg
+hprz15Q5SDq2EYpURahVOOi+H+tQ+xp15fysWSpmdWpJ/+H5a8iWyf19iBYKDtjt
+ck1UrabNzbApyYA2uvqXX4udezF02myrYkE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..c84201d874
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-nsSGC
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem
new file mode 100644
index 0000000000..9da6a3819c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIURcr7Ci/OweRs9NajK7vt5mCQipAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowETEPMA0GA1UEAwwGaW50LVNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/
+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBMrePcTsHT
+nLBSjhQrJNwM19i2ENWe1025Y7Dq+XDy6p2vwTpDV5XZpc24Oi8yEyccIHOXyey0
+YtvGeNEe8Z1zzXHjD8wQfmt2AU/9VU9niIWaZRjkt0jkkGBqyC5s/Djay3JY/4UH
+qYyq3KU8Jj8E20CcD/3Qa1aYoMRx4q8aUVUzjDk4JEKkCH/v6GTQoSXufgrqUVa5
+8CxRIOcsDlidklIZIRL5fboWkAjkJ54aVj3uyo2GgPKJVMulH0GnorY6tQBcL+zm
+c7Bd7Z+X2xzAI3hbKoJMSSJXt/Mo/OgBCoAk30KDUDaRcrhVbrFKpF0PSj85Lf6E
+hfdCAphhJF3D
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec
new file mode 100644
index 0000000000..74bec2b21c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem
new file mode 100644
index 0000000000..e0deef7c3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUbXK8dZ2kTHVUtKZ1Uamdr5h27tQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYDVR0T
+BAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEB
+AK/99QYaWy5/SG7iKiGwSgJ49hobsVUf4DTN9+4FIesvXNUtXc+vmPVNwgy8S4Kn
+23zOUmp2LaRBQ3VxaiQ0o/RN3ZjULhPhGi3cHsjDTKXH3U0snAloUYONx1JCFOif
+RWwLeiyps1oW9ARfUQrbQRtw87ospU5aJ7JSPoVgbCMXubmEpRSeTMv0SHdOs6g7
+ahSaoT7BBRuHDnCb8+ZR509H9Dc4M2Dv4lQ9vlWGZjXnfM1ImIeUBTWQ0fngyoZW
+neTStGeL5MmCjjMMupJYbjNsenQXd9doD08+voOfmKgaMQDH0fgEACJHjmmt+eQ4
+j8WZP3lRZHZm/s23xNl+6S4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec
new file mode 100644
index 0000000000..35f61671ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-old
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem
new file mode 100644
index 0000000000..dd709c343d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUITNR+z5zrXNAq+3y9u3et1fNp6YwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAMBgNV
+HRMEBTADAQH/MBQGA1UdJQQNMAsGCWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOC
+AQEAtkFQHiG8UeleNMgvJVneYQzIQt8wiZwudAH2FdiyeCtYUp95z19IzPlZeYq0
+FXlMJJ+SOn2wSZ9jHshV5VF8S4Rb3ou0EVJcu+X7cs3jOuLtV/KwFDKXrncWpF7L
+sH1yGVkAUNMQlE52MgPxg7P6yd+lbU9MlqD5rpifsAecrXzctzi8l3qb2UJvkHku
+BLE+ViTnn9RFDQFQ/1AAF9cbSJaUF0rwWznXpB0PAu+v9lBpn9a83/GXZc1SO2mE
+MIdgRpuB1Lr+wZq5ulXHAeBJ+kH8lrG2CIXSQPFQjPfiS2D5hM1cdd7GSEh4BoZv
+AbTKG12NXN9AG7RpG7upSBG4mQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec
new file mode 100644
index 0000000000..f7a870c0f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-older
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem
new file mode 100644
index 0000000000..c5c8e724c2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUec5AldPAXDY+y1Q7RfO4SfvteiEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE3MDgyNDAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYD
+VR0TBAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQAD
+ggEBAJO1C5eYEk2/+xvgWsCsUZi7PMoZLhb5Jb2V61JMWREfCozmYepqlamR6IZV
+fn5Q9OClLtAzSybeia40nsW/xb/o+5zJn0rPzk6JIsMToJk07fqp+uG9LbAM82IV
+RnHzmCS4/3n4fl1k1GGL0A/NYBUsilY9oKhVl1zukB/z3ALp9LyProNLsEZmWkl7
+F07+lR9PPMOqA1SuDJmZMyZ4cKDyYYF7NYKGi57xpgpUXGq8IPOKKGq4XlYqQhOQ
+sVSuc+16A+NlPwMogczcgTgy7QD6DF4WNOCDGwuF0YB7uROEbYvh4lkKJfhnAtb7
+1/xnmTVssnCTsbppIiXtKs8zzu0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
new file mode 100644
index 0000000000..f421ddc1a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-recent
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20160824-20170824
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null.js b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
new file mode 100644
index 0000000000..c23717252f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
@@ -0,0 +1,54 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that a certificate with a clever subject common name like
+// 'www.bank1.com[NUL]www.bad-guy.com' (where [NUL] is a single byte with
+// value 0) will not be treated as valid for www.bank1.com.
+// Includes a similar test case but for the subject alternative name extension.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+async function do_testcase(certname, checkCommonName) {
+ let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`);
+ // Where applicable, check that the testcase is meaningful (i.e. that the
+ // certificate's subject common name has an embedded NUL in it).
+ if (checkCommonName) {
+ equal(
+ cert.commonName,
+ "www.bank1.com\\00www.bad-guy.com",
+ "certificate subject common name should have an embedded NUL byte"
+ );
+ }
+ await checkCertErrorGeneric(
+ certdb,
+ cert,
+ SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer,
+ undefined,
+ "www.bank1.com"
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ cert,
+ SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer,
+ undefined,
+ "www.bad-guy.com"
+ );
+}
+
+add_task(async function () {
+ addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,");
+
+ await do_testcase("embeddedNull", true);
+ await do_testcase("embeddedNullSAN", false);
+ await do_testcase("embeddedNullCNAndSAN", true);
+ await do_testcase("embeddedNullSAN2", false);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem
new file mode 100644
index 0000000000..90b269209e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUCytXeIVSOQ622rYL1uaLSms7TrcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBEpBaH+earFBTSrKZUsUmxH5q1
+9Ln/OCzi1hB5IHo3haTTKl8xrTe5sI4A7knfwbz9AwbLRW0L3zIAJGPjxhMDxYjn
+t5YTQLQwZEbru2A9wCOELiDbXH1kJl0yI2JdGwGMwZ4Y7ifTG5EUEQeVFnDTc2xA
+4W/RZBld/6Iqb2ECMc20tjvBSo9YCJ7OEz+gva4OBx+BtK7LHRVLEMBGYet64wi4
+5Y8cdzMwsV69tlLffrwLV32TCt1a4dNLmq9g/vgaONx1B9ltxq8fc8ErzYvYTLsh
+0FY0VD/EabvGDnLuIHfTnuD5bbKhRFD8vOEoW+NKEVn3JveM8z6z0LQqt8CB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec
new file mode 100644
index 0000000000..6660f5d478
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem
new file mode 100644
index 0000000000..db898538a5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAgIUSW4CgJ6IkFhv/K0x6cY0gjS9lUswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAF5Bq4udVIsjOTR5V4WzBODNyT5fsBbA
+E+apdaosxvkPPv83g4qeSyP3rtIACuCPLk3AxapcRnvaavfP2MAHdkbQGpczV+2s
+1RZN94T1ixay8VGQfo5MBYREdSNo5nKUJQceoXUCR9wfOIXST1uBbsua5cW9gN2z
+U2QdzsjN5e77FA6M142Sqa72hYtUp+9ObOPlzNxWs8Nh1g9R/LKk1Rqgfo01w5Xd
+Vnv0SeCKsvlTgWGJS1CKqM+alR2WLKPwmOKbUYA0AhByCcfWiDV0NygtuOd/R3aS
+liyFTG1r34MMLJfXHiBBOJJ0haDTXX27nqC+jGOqZkvQgM/YA0ZiRnc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec
new file mode 100644
index 0000000000..d1a32349a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem
new file mode 100644
index 0000000000..532c76b044
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUY1NDoZUfpOeIr6u0nQSJqdZnj3kwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjLDAqMCgGA1UdEQQhMB+CHXd3dy5iYW5rMS5jb20Ad3d3LmJhZC1ndXku
+Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQBI1NuS+OXHUhjg6BDmG9aGCLNE29h7qbo8
+hf2UmAJBJKLgatbCujkOQlzE9qU7xpjhuJAMeS1avKuusXJj2hH60oBYqaw6+jFm
+7TQwylGOx63X8hFoTrDBQf2jT2cm/hI6tv4v3dwu+1e92UqjRrXMd4DsT25GzyNU
+pt7MY02eI76mx6lv6QD/1NGbA1iARcd6rUPdX2giQBtCQ8JsSd07hPYxl1nhjKk2
+nvIAr4pqnN+53/tKm37Fl5M1smBQYGo8Zd4QvsxFdbpBgZ6DGaymtJk++6jzG5gj
+lc0b2n/g22VyDvqQ9jDhRUkfVIHqU2B1l/iJw8/fq+hW7S6ewxUB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec
new file mode 100644
index 0000000000..1029d6cdd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:www.bank1.com\0www.bad-guy.com
+extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem
new file mode 100644
index 0000000000..934c1d756a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUYeZpvD7fZ4XQm0xEoGEMzCqZXcYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowHjEcMBoGA1UEAwwTZW1iZWRkZWQgTlVMIGluIFNBTjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMsMCow
+KAYDVR0RBCEwH4Idd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAC/4E5APdTwhhr/li4zbGNBhkiwr59oA3cVDP4NHoh0DyKJb
+l4EefchtUOXNZe1GyS8K48JeDT6pedM08rdVZrqlNS2f2YfgkxZH1lk4Yqf6s6Lq
+7v9VaJerLTDmDL2OXLIZjDULN5NjVvuWMcYlGBCpPntbbd5hWXECRZXp5NddAXy3
+uHk3NhZmt+HH3J6fzMiiN4MabhJ6m+vqP4S+aNVkCKB37cbZfCxu/O8TrQjZ4JC5
+XDe7L/Xbd8JqfAcKoY8HBWhWwk0a3/9KXXMOLyGG6J5KoRYxO5sgvLpIrUO0xZeU
+C3r/t46WC8kRZgfLdKMizBnChQyFM+Pd1cRYxEA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec
new file mode 100644
index 0000000000..f224888eee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:embedded NUL in SAN
+extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem
new file mode 100644
index 0000000000..b0d2921c70
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAdagAwIBAgIUV1dlIGRW1pojbxxDG06QuK12TKowDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLYmFkLWd1eS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MDUGA1UdEQQu
+MCyCC2JhZC1ndXkuY29tgh13d3cuYmFuazEuY29tAHd3dy5iYWQtZ3V5LmNvbTAN
+BgkqhkiG9w0BAQsFAAOCAQEACZSJD0vyJtCWL6AgCKaZ8AFSCyN4A3mztbZj8hxM
+LGrA3QiwKzbGSv294MnzmtcE9Nd4AMWfLB96FGjLArIr+rSt+T7x8mw9TX0T+5N3
+/0HznoleG8jkRX841b7KjdK+e1rbDJoPGxzqKhGSTMJZA3R+cAZq1jFk7dudUfb8
+PVQNsr2/FDcujeyGtpQ0APqcDZP0AmeBhOGYB5kvbh2Z/Gg+Sf5vfRvnZtfnc5cS
+xDaVvNWF6u4BLWbWLt0tYzvzAQEXiehnFqRoOMyR6kamqz5q+o58CHUSlhmoil+6
+8On3EmVPwBEFOHXix9XmISi1buEbVK/bw7sMXCWIaiQJ2g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec
new file mode 100644
index 0000000000..d352d034b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:bad-guy.com
+extension:subjectAlternativeName:bad-guy.com,www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_expiration_canary.js b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js
new file mode 100644
index 0000000000..4f76555096
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js
@@ -0,0 +1,40 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Attempts to verify a certificate for a time a few weeks into the future in
+// the hopes of avoiding mass test failures when the certificates all expire.
+// If this test fails, the certificates probably need to be regenerated.
+// See bug 1525191.
+
+// If this test and only this test fails, do the following:
+// 1. Create a bug for the issue in "Core :: Security: PSM".
+// 2. Write a patch to temporarily disable the test.
+// 3. Land the patch.
+// 4. Write a patch to reenable the test but don't land it.
+// 5. Needinfo the triage owner of Bugzilla's "Core :: Security: PSM" component
+// in the bug.
+// 6. Patches to update certificates get created.
+// 7. Test the patches with a Try push.
+// 8. Land the patches on all trees whose code will still be used when the
+// certificates expire in 3 weeks.
+add_task(async function () {
+ do_get_profile();
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certDB, "bad_certs/test-ca.pem", "CTu,,");
+ let threeWeeksFromNowInSeconds = Date.now() / 1000 + 3 * 7 * 24 * 60 * 60;
+ let ee = constructCertFromFile("bad_certs/default-ee.pem");
+ await checkCertErrorGenericAtTime(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ threeWeeksFromNowInSeconds,
+ false,
+ "test.example.com"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage.js b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
new file mode 100644
index 0000000000..a327cb41fa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
@@ -0,0 +1,76 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const caList = [
+ "ca-no-keyUsage-extension",
+ "ca-missing-keyCertSign",
+ "ca-all-usages",
+];
+const eeList = [
+ "ee-no-keyUsage-extension",
+ "ee-keyCertSign-only",
+ "ee-keyEncipherment-only",
+ "ee-keyCertSign-and-keyEncipherment",
+];
+
+const caUsage = [certificateUsageSSLCA];
+const allEEUsages = [
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+];
+const serverEEUsages = [
+ certificateUsageSSLServer,
+ certificateUsageEmailRecipient,
+];
+
+const expectedUsagesMap = {
+ "ca-no-keyUsage-extension": caUsage,
+ "ca-missing-keyCertSign": [],
+ "ca-all-usages": caUsage,
+
+ "ee-no-keyUsage-extension-ca-no-keyUsage-extension": allEEUsages,
+ "ee-no-keyUsage-extension-ca-missing-keyCertSign": [],
+ "ee-no-keyUsage-extension-ca-all-usages": allEEUsages,
+
+ "ee-keyCertSign-only-ca-no-keyUsage-extension": [],
+ "ee-keyCertSign-only-ca-missing-keyCertSign": [],
+ "ee-keyCertSign-only-ca-all-usages": [],
+
+ "ee-keyEncipherment-only-ca-no-keyUsage-extension": serverEEUsages,
+ "ee-keyEncipherment-only-ca-missing-keyCertSign": [],
+ "ee-keyEncipherment-only-ca-all-usages": serverEEUsages,
+
+ "ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension": serverEEUsages,
+ "ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign": [],
+ "ee-keyCertSign-and-keyEncipherment-ca-all-usages": serverEEUsages,
+};
+
+add_task(async function () {
+ for (let ca of caList) {
+ addCertFromFile(certdb, "test_cert_keyUsage/" + ca + ".pem", "CTu,CTu,CTu");
+ let caCert = constructCertFromFile("test_cert_keyUsage/" + ca + ".pem");
+ await asyncTestCertificateUsages(certdb, caCert, expectedUsagesMap[ca]);
+ for (let ee of eeList) {
+ let eeFullName = ee + "-" + ca;
+ let eeCert = constructCertFromFile(
+ "test_cert_keyUsage/" + eeFullName + ".pem"
+ );
+ await asyncTestCertificateUsages(
+ certdb,
+ eeCert,
+ expectedUsagesMap[eeFullName]
+ );
+ }
+ }
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
new file mode 100644
index 0000000000..fcc47fd85e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUDe1q6ojYziBSfJHkmTtEt83Vw1YwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1jYS1hbGwtdXNhZ2VzMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB/jANBgkqhkiG9w0BAQsFAAOC
+AQEAi+zmML7qfqbNp8rzPAkQd8P5vE0l5xG4AsylAzndmyL/nPfAQQMxrfuoa9zE
+XddavSOSqFpatcenBiPwpggvq1j5UgJMOnoj3rBVjr8yCwwIg7x932yLsyJ9DHlb
+qSYWVsDofJaSKzZIdDvH3yBQOpAh8uuRz+gDAhVD4nl5UflfbKMjsBZn3LNEHlFa
+6OyAkQa+RXV91asanQb9rFRYM3c94Bh/HbqksGyS9jAA+QW9ce6VNVVjDVfWwCQ8
+vs76rirUlB6EMPVdUCnBJT/OZflAwlWF0+xoLG2ZmUIGWeazI0BjmMw7l9Pf2zqN
+LG/Z/2D8TimQn2pAZjmOxjmrwA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..2ca523c74e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-all-usages
+subject:ca-all-usages
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..3cef83be1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUJZzH9PTBdr5A7FdPJ2L2b85kpuswDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAhMR8wHQYDVQQDDBZjYS1taXNzaW5n
+LWtleUNlcnRTaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
++jANBgkqhkiG9w0BAQsFAAOCAQEAJAWJFj7CUXMnEtZO8VwyFIdOa32xxorC0n+1
+7rVpjN/6ukJ+hD4XdGSU6ypcQOPWGDxfarBLpRKRJ/rZ3ZlWc/c18obTEZpLxTiu
+4CjnzGOHHRvJbkk5ZKZImUdI1NGctd8zyPlY5dRwRdwmQXqgL/v0MvFVv/89KtSA
+Cs++LlA739IPksfAW7frrc0jriGqppI2k93ULLKRmnhPIlBckWGMgKJ+D9hjRSHH
+yznC2RPlwwCRNUHTef9E5KCV6FuqShaqsTZMaytiSankzdJyg6KrqqA0SmQjFMGC
+ZZnm4NMpJk6+lAKucCwZVWxxQBWhNwYoXITr3DcIlQ/rk6PowA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..26e0158ebe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-missing-keyCertSign
+subject:ca-missing-keyCertSign
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..a6b33cf3fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgIUd+/+b6OViN/z518Vygo0rIN07PkwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx
+MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGNhLW5vLWtl
+eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAIL3PuRoO4pfu092wv07yfeAx3mH4TXmiI22IM03Suv3fOo8e
+vf/5hCkFqevHVm7FeOC7hBUsT+WuJY/EdLWVULVDKyYiXuteeRMWACxaNCzs2hdC
+K1pQ5JbszNJolMqCw9bwXC529nLaGEDRr7IHXkbLtkKZh+2onwVyMsNPwBzgl9yj
+sU5WX4k8W8TBEu9qC1W+DXX3/oNKlaVStcdlzmr7m4E+Yf+uN8ZO7sftz6FhosCe
+WctIBWP7b2ExQ9WV0RYAtZoVRpBJ4v7G+XMLjIL44BZvsWZsZTmT3Ze0s/EEOJEU
+jQs6SAheC7Pelddacnj+1WVeFfZ1/sERFv8ybQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..d32e6a6496
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ca-no-keyUsage-extension
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem
new file mode 100644
index 0000000000..b2d623f82c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUF1M7zz4L8p/8GBCLnMudDPzK98YwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0U2lnbi1hbmQt
+a2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQwDQYJKoZIhvcN
+AQELBQADggEBACZoqnvECsTeCsXvcZ+Z9VeT8tZ+WppIXkDx2CwGJV37jr8YIqGK
+pH2ehnTHw2LrKgwUruT87sDlB8uj2BOWNGsvkBEGyNIv8oEAIcLdUvUZAdMikkJF
+OG+1TH9khFI/n7HpchM6rtYWLzxYTj04qoJ3eLF0hr33XoyOcPpsUSmrlkSAM4Yl
+hsJ6iYpjxs5BWPhBSCvNaVCbkmpM7xiuHmL2tnMccE3V6qOnYkbKNyLQh78FE/gt
+1isotOwmcqwabBa4u/9vRe4Ml7xsHVjwyDjcr1TCgsNPeFVVe4RyfPW6To6OHvph
+L3pZNwXfzUyH9l8jtY+jcjYdJrU+ljDvioI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..0bb2721a31
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..7f5f825346
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUYyAduDslJs5hBei/TBi9ZBAtpnYwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0
+U2lnbi1hbmQta2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQw
+DQYJKoZIhvcNAQELBQADggEBAFLqg+rnWd1KVkqcURNvN2YqQal5VxjHtJtOYXEp
+P65HyM5rK513E3u68LM+9tktHP5aJgQyHgNB3HaWDhmsiQm+/3k0kY4EOIkO1jAt
+r/9GzgVmCpFLLIFa/KTv0t0ao3LPEHqdIgyAWHkWgD9aQcga0t3P4YMOtj6GEoYu
+3nuZkEG8YttsbhSTBTZ3rLTjypjA30pIegqZfEgIzdajKHCE7J38+bqixgrE1gt4
+K5F/pKsCba47KD3JpMvvEKp5WtUUugtfUvuofyLnaDM5gLEQnDg++a/kM1C3a++a
+N/tfO99TIANpZZaygc0AFKVOJpxgHu6hQkXC92rQhQxITYc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..567ab0ce2d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..94adc7aeb4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUDULiee2As2QvPhufHircsE44shgwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx
+MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMC0xKzApBgNVBAMMImVlLWtleUNl
+cnRTaWduLWFuZC1rZXlFbmNpcGhlcm1lbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwIC
+JDANBgkqhkiG9w0BAQsFAAOCAQEAYTCX75wjj8tkN3Tl2LdB0zNRUoWt6skLIYTz
+bwUC1fUE6iJpCWUX+pCLsl5V62uVJrD/7CM4LRH1leaIH5dqK8czmdPLQuJG0NOg
+XjfJ7my83AsMHuZt+0P6c9FWbVKJlIH8tWh4SFfIhd/R9fNA75V+h8H776C6wWEt
+UYwsYepJyUQwEdDmLmtyy5uLb1G9j6/J/MWfHUfGquXxgsJ6MBIK2+al8bqvwCbU
+jt7nfn39811iH2fArH1BK64VBP/yzHaWbiVLG/lKz9VuY3Wz8jvR2P7FXWJYueTU
+JTh+Z8VqcZ3Kdsdt82EDyEItU98hVgVxu+T8eBhYtyU/LyrjaQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..c48ef66126
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem
new file mode 100644
index 0000000000..ee2e4bf68f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAb+gAwIBAgIUbXF/oBrS0e4ofRESqGt8eE+YGw4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0U2lnbi1vbmx5
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAIt9ScT3
++TtBpQKURJG3OiwEOtEg3LgiB2bOy8M5FfHrzJ91nvLXl5Jb/6yYLCsDAIJq6smz
+4z+C2yH6M4UfGqU1RFtELOXD0QLR3695woGX94jYw7wgbAwopj/osjQDmEC3AWHk
+3T+gQqpnWYJNIVbwjIaZ+3PF1IkWj5CaVAIyeVRONPbhmpK9B7t4ypTmFx0lPjT8
+RpJY2c2t7O3nS9cjKfjNry47+AaaM4qkXKxPn7IWQXHWSBetcS//voiirhgBjmSq
+XijFLzs0iTrZZttqlQUzgrckcp4sW37iIz7WXjVGSqsGmEKkSEjzfUhuRANUb4C1
+lsRUbHG+bFei0T8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..c495ca6d0e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..ef21fcf058
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUSyMlnKNqTTIqO3hMZIi/JHUbxs0wDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0
+U2lnbi1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQAD
+ggEBAFzvKvBkm2n5A/4EKpY8zCEtkyRu7O7vPS1QhesGl3X1M7vdPqi6aG/I4F1k
+57cpovroCEFlFSUSFEom+xRyMHL/435vHnI+CrDc3F1R6/RIEO78zLf6kNuzKDGJ
+BqtT1/JrirPSIvvH6g7LydZdNERDzz9EFhCE87dEC8caUcyknnp6zvgPd/EVQFQ6
+5EXMPRWO5ac4MnmDuCLuzGbL3LVp9A/4An0I86HXnkJt70R7sMSMpbCEaWHJPVj3
+gEeXZLchGpfpb2sQR1Z3BzKEQk748Ssan+DOH7A8OQB04jYd5C18vpK/V1NLjVgg
+wZ+ayNVtKZ2ph1RHaXZYZYOWnkg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..23ddd0eb8a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..82e4e1ad10
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUezNkrO9AXj4PC4Jwdpeq9tNO3gYwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx
+MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME2VlLWtleUNl
+cnRTaWduLW9ubHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsF
+AAOCAQEAdqLwVs+dkEZaVsERQz9spSoHqx1q0qoKGUJYhnYDZycY6LCpmfRTkkQN
+Y5Go+2LMJ3m88aLI7JpRzRIqwryiFhU7zP1Hqjp65Tma3j6HlKXmEg8wfLmvSrAN
+DUT0/HxpR1Hq4ik6op78GTtrplOmsSz8I1QYE/5zWei3Zuay9s9isXLv6yXRzXDP
+U9yK2yA4UJeltIJiXpFSKhshJb1y9UOq46+yrfe7XIekqUrlJ8iNcNIyOJ7SEdGO
+fDl+iMhNORcMMyFjFaKKMX++V2GNayweU6Jr02K9t5p+M0PdMAKRtev89cy4t6So
+/okpqvfW9s70X4gh817h1kiklz8yGQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..a5a2d62a7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem
new file mode 100644
index 0000000000..e3864f8d26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAcOgAwIBAgIUaR6XoydtDSMh4UJJYaTxGd4CTjEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNpcGhlcm1lbnQt
+b25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBCwUAA4IBAQA8
+UCpvQLEtzvq4yPCGJ/G5iftcXRAxjkBG5h36Hbz6WWKJbzdUUyEuYt9MbJf/S7H0
+6uOxudfnihObn9Oc5mS+h9j+g84+9vkFhOBG7L4pNEmzXqs52hBssHziVdZlsTEk
+BksZXd4ABdNrRhlUE95HxcxYRPJNmWoGnJoo6GpPmnG0ecFsGXTmH5TViXEHgxJL
+y9M65ALhy8dS5QUOuWSTzzn5aFRanikCBVt9NXo+jO/s6+FmjyxuBaCpHcZFiZXt
+tCdE3UzjudHnl05aIicWUcYRTJno457KqWgqtXYbwYnMb4ugQdjpgyhDWFOEZdlh
+V3mC4EaHlm+I9k7s3kVz
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..08154a53ee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..e65300ce6d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUY+zxGVzhOR20OLgOX0EMB7vGqC0wDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNp
+cGhlcm1lbnQtb25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEB
+CwUAA4IBAQCxM0fNjNAGe1fxAVKRTEJ3f2e+alwU64YGaKK4pPA9RJ/pxLr6HP1U
+YEerBUbTWnDVluCx/ZkzBAPgb5ezasRqaCA9TT9dYf4HKPKj+8p0pv3ojHcZJqf3
+vxGkLKxRq2Ye97E+5jW2M3dIq75wW4Yc4rY4f7RASYKWg064O39Ay4YW/M5j/VTu
+w9h/1NcXYFUC24gWEnwIBOG20Xy5r5OkY075tVmY1ySeG7VkLY3i3weACFpY7dRp
+XUFmUaSnaDAErfBzSYQiZCUMGCPajbqcQTA95/Z8uLPt05IdmQULfF0eLWmwiBGJ
+JhcBZ5L9SeV3AJYzJSUxZDikpfCWwNP+
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..9bdcf4b7b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..143b31a4b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUaW6RFCj/GR6VHEK7XKdRe3iIAakwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx
+MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWtleUVu
+Y2lwaGVybWVudC1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCBSAwDQYJKoZIhvcN
+AQELBQADggEBAEsYnH3fAHOVvNdaAJZ+SI+JVJNtqm8mjOfAHY2iPvf42eIMQJ2r
+XhTnCLqy25EQACVnrYh0p2YW3fXg8jwHbzDACz2MZFyTdEz5FiognWf+LfHDyoMP
+S7bHOKGemkLCFHuGzfL+LZ8+yV8RJ9KcCJOke+RFAmcU/t56T0KDKvrdvGAV3wnp
+fq0hgqB31H/0gaLjf1wlW8f420z40c8vVfpe1BqjKwWq9jgikAlE1pFZSCORnNjD
+Q2kn62M0wXeytaLOaqRhtcu4wBTn1ypUs+DokC+WwN54fyBw2BIIsbWOU39rsW6j
+7nH4UvLxTL9KB2EbFHTr+dQ0TWxkf+fiEuQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..a2383ecfdd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem
new file mode 100644
index 0000000000..cf73275a30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyzCCAbOgAwIBAgIULcEx7oKr1YDS2ss3s4RQdJCOnR4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlVc2FnZS1leHRl
+bnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADK7GNqsF/zKD7W1Iq6PgEvk
+MI64yXfELuk3h9y9QZr63IbaLBLUoLKxEX03CZBUShPd+FVz+Y93J6+VjkRU7ddb
+tE1RknOgtXN+EsU4MRtKyBBVIeqaYUUQ8EPGYiiGIhsmL+NLCbhsCs2ZRBHHEgyG
+tbvdcDlce4UHv3fmSNdJ0RK7ffomCpF1CjIDDIbKdD0jveIJLCAXqmHz998ty/3E
+ts+KKNYz/FBvqYE/L1Tab0wFJLelwW5BqM0mZoq4ZfaDU1yVBkmrJcyGfF+gjAEs
+XGX4OdV5x2A9ke3lSDlwz50Uy5mhyjsTcbUW/OLBOENhU2vgQc+VNW/wmKEHzIA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..6d2e672961
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-all-usages
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..09c40b8583
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUWW3V0gwj00M/F/tsm0ACf/nJIjEwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlV
+c2FnZS1leHRlbnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABNKxssTPCXj
+3eI51RfswYOBb80aRYdv7Mm9ZekxgVXUtxGzZVekdQQjEJ59vupi8CP+C9cWuSLD
+44qVw80cGgG15GNxBe+ewicFc2UdvLuAO6ZrYM92qW80zXJFbLC0ouksUloUbxup
+mdZtDiI/etccsytmZ3528DEHB9TRuWBW7IavdmprWKyyfSze6yEFPxAgm4J0lZ4g
+/bEymzSFTTS9rEfd6W3AbsR9UcbzAy1SB7ueKMjE1gywJJQA+oqePqZIQTYrAFis
+pIA4/N3tsTu1MZ7SHuovyhoYZG58evKw3TExYy7hsJj0u4CEP8WoN9x333JeAZkb
+6ZnNLg0fAZs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..3cba2f0d81
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-missing-keyCertSign
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..9621cea471
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1jCCAb6gAwIBAgIUB6gSwP2e7JebjDPr1/kGYXG4w7IwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx
+MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGVlLW5vLWtl
+eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsSRtufFC
+I0WR9ub7VG+j5hD92+LN/xxILVlIXU6gpSfnpLn2Pi47K1eVAdkxaURJadvD89fw
+u/fnzDG2Reij+jBmz658laKobgIXsdrXuaypvDUac3SP4ZpOD4JcZdkoMHsAfE1C
+FADw4GSv+aJeOvj2TByfsnhqQqQe01sjUlQIbM4G5nk7PFK+/Tj9hWpzkW7O/Nf4
+3msO2dubsoy0DvhSzzTn2mOSLxHeoN8AxPuDoEXs9Je7+K3geCVhE0iEIj17BAWP
+Cme6X63FaoyzyfN5mXj7OiOUBvwZPtsVBlcQsjtZVldxYlRN9xtS10NrfH3Y6k1U
+smbMqMR4jbkyfw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..c850725a63
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js
new file mode 100644
index 0000000000..3c21601eb8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_override_read.js
@@ -0,0 +1,188 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This test checks parsing of the the certificate override file
+
+function run_test() {
+ // These are hard-coded to avoid initialization of NSS before setup is complete
+ // bad_certs/mitm.pem
+ let cert1 = {
+ sha256Fingerprint:
+ "E3:E3:56:4C:6D:81:DA:29:E4:52:20:A1:7A:31:E2:03:F1:82:A6:D5:B1:5B:6A:86:D6:10:CF:AE:BA:3B:35:2A",
+ };
+ // bad_certs/selfsigned.pem
+ let cert2 = {
+ sha256Fingerprint:
+ "9A:C8:37:86:6F:1A:20:A2:31:6F:FE:92:68:CE:05:D2:8C:72:F3:A3:E0:23:3B:AD:8A:28:19:93:82:E8:AE:24",
+ };
+ // bad_certs/noValidNames.pem
+ let cert3 = {
+ sha256Fingerprint:
+ "67:7C:84:51:32:B5:0B:63:E4:40:B4:1A:33:FD:20:34:0A:B3:1D:61:24:F1:7A:40:14:39:05:66:42:FD:C2:EA",
+ };
+
+ let profileDir = do_get_profile();
+ let overrideFile = profileDir.clone();
+ overrideFile.append(CERT_OVERRIDE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!overrideFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(overrideFile);
+ let lines = [
+ "# PSM Certificate Override Settings file",
+ "# This is a generated file! Do not edit.",
+ "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" +
+ cert1.sha256Fingerprint +
+ "\t",
+ "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" +
+ cert1.sha256Fingerprint +
+ "\t",
+ "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits and dbKey (now obsolete)
+ cert1.sha256Fingerprint +
+ "\tM\t" +
+ "AAAAAAAAAAAAAAACAAAAFjA5MBQxEjAQBgNVBAMMCWxvY2FsaG9zdA==",
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" +
+ cert2.sha256Fingerprint +
+ "\t",
+ "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6
+ cert2.sha256Fingerprint +
+ "\t",
+ "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
+ cert1.sha256Fingerprint +
+ "\t",
+ ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name
+ cert3.sha256Fingerprint +
+ "\t",
+ "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port
+ cert3.sha256Fingerprint +
+ "\t",
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint
+ cert2.sha256Fingerprint +
+ "\t",
+ "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID
+ cert3.sha256Fingerprint +
+ "\t",
+ "example.com:443:\t.0.0.0.0\t" + // malformed OID
+ cert3.sha256Fingerprint +
+ "\t",
+ "example.com:443:\t\t" + // missing OID
+ cert3.sha256Fingerprint +
+ "\t",
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t", // missing fingerprint
+ ];
+ writeLinesAndClose(lines, outputStream);
+ let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
+ Ci.nsICertOverrideService
+ );
+ notEqual(overrideService, null);
+
+ // Now that the override service is initialized we can actually read the certificates
+ cert1 = constructCertFromFile("bad_certs/mitm.pem");
+ info(
+ `if this test fails, try updating cert1.sha256Fingerprint to "${cert1.sha256Fingerprint}"`
+ );
+ cert2 = constructCertFromFile("bad_certs/selfsigned.pem");
+ info(
+ `if this test fails, try updating cert2.sha256Fingerprint to "${cert2.sha256Fingerprint}"`
+ );
+ cert3 = constructCertFromFile("bad_certs/noValidNames.pem");
+ info(
+ `if this test fails, try updating cert3.sha256Fingerprint to "${cert3.sha256Fingerprint}"`
+ );
+
+ const OVERRIDES = [
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 1 },
+ },
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 2 },
+ },
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 3 },
+ },
+ {
+ host: "example.com",
+ port: 443,
+ cert: cert2,
+ attributes: {},
+ },
+ {
+ host: "::1",
+ port: 443,
+ cert: cert2,
+ attributes: {},
+ },
+ {
+ host: "example.com",
+ port: 443,
+ cert: cert2,
+ attributes: { userContextId: 1 }, // only privateBrowsingId is used
+ },
+ {
+ host: "old.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: {},
+ },
+ ];
+ const BAD_OVERRIDES = [
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 4 }, // wrong attributes
+ },
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert3, // wrong certificate
+ attributes: { privateBrowsingId: 1 },
+ },
+ {
+ host: "example.com",
+ port: 443,
+ cert: cert3,
+ attributes: {},
+ },
+ ];
+
+ for (let override of OVERRIDES) {
+ let temp = {};
+ ok(
+ overrideService.hasMatchingOverride(
+ override.host,
+ override.port,
+ override.attributes,
+ override.cert,
+ temp
+ ),
+ `${JSON.stringify(override)} should have an override`
+ );
+ equal(temp.value, false);
+ }
+
+ for (let override of BAD_OVERRIDES) {
+ let temp = {};
+ ok(
+ !overrideService.hasMatchingOverride(
+ override.host,
+ override.port,
+ override.attributes,
+ override.cert,
+ temp
+ ),
+ `${override} should not have an override`
+ );
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js
new file mode 100644
index 0000000000..a1284cb1df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -0,0 +1,767 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests the certificate overrides we allow.
+// add_cert_override_test will queue a test that does the following:
+// 1. Attempt to connect to the given host. This should fail with the
+// given error.
+// 2. Add an override for that host/port/certificate.
+// 3. Connect again. This should succeed.
+
+do_get_profile();
+
+// Enable the collection (during test) for all products so even products
+// that don't collect the data will be able to run the test without failure.
+Services.prefs.setBoolPref(
+ "toolkit.telemetry.testing.overrideProductsCheck",
+ true
+);
+
+function check_telemetry() {
+ let histogram = Services.telemetry
+ .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
+ .snapshot();
+ equal(histogram.values[0], 0, "Should have 0 unclassified values");
+ equal(
+ histogram.values[2],
+ 9,
+ "Actual and expected SEC_ERROR_UNKNOWN_ISSUER values should match"
+ );
+ equal(
+ histogram.values[3],
+ 1,
+ "Actual and expected SEC_ERROR_CA_CERT_INVALID values should match"
+ );
+ equal(
+ histogram.values[4] || 0,
+ 0,
+ "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER values should match"
+ );
+ equal(
+ histogram.values[5],
+ 1,
+ "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[6] || 0,
+ 0,
+ "Actual and expected SEC_ERROR_UNTRUSTED_CERT values should match"
+ );
+ equal(
+ histogram.values[7] || 0,
+ 0,
+ "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE values should match"
+ );
+ equal(
+ histogram.values[8],
+ 2,
+ "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED values should match"
+ );
+ equal(
+ histogram.values[9],
+ gIsDebugBuild ? 9 : 8,
+ "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN values should match"
+ );
+ equal(
+ histogram.values[10],
+ 1,
+ "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[11],
+ 2,
+ "Actual and expected MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY values should match"
+ );
+ equal(
+ histogram.values[12],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA values should match"
+ );
+ equal(
+ histogram.values[13],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE values should match"
+ );
+ equal(
+ histogram.values[14],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[15],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[16],
+ 2,
+ "Actual and expected SEC_ERROR_INVALID_TIME values should match"
+ );
+ equal(
+ histogram.values[17],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME values should match"
+ );
+ equal(
+ histogram.values[19],
+ 4,
+ "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match"
+ );
+ equal(
+ histogram.values[20],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_MITM_DETECTED values should match"
+ );
+
+ let keySizeHistogram = Services.telemetry
+ .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS")
+ .snapshot();
+ equal(
+ keySizeHistogram.values[0],
+ 0,
+ "Actual and expected unchecked key size values should match"
+ );
+ equal(
+ keySizeHistogram.values[1],
+ gIsDebugBuild ? 17 : 15,
+ "Actual and expected successful verifications of 2048-bit keys should match"
+ );
+ equal(
+ keySizeHistogram.values[2] || 0,
+ 0,
+ "Actual and expected successful verifications of 1024-bit keys should match"
+ );
+ equal(
+ keySizeHistogram.values[3],
+ 70,
+ "Actual and expected verification failures unrelated to key size should match"
+ );
+
+ run_next_test();
+}
+
+// Internally, specifying "port" -1 is the same as port 443. This tests that.
+function run_port_equivalency_test(inPort, outPort) {
+ Assert.ok(
+ (inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443),
+ "The two specified ports must be -1 and 443 (in any order)"
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ let cert = constructCertFromFile("bad_certs/default-ee.pem");
+ let expectedTemporary = true;
+ certOverrideService.rememberValidityOverride(
+ "example.com",
+ inPort,
+ {},
+ cert,
+ expectedTemporary
+ );
+ let actualTemporary = {};
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.com",
+ outPort,
+ {},
+ cert,
+ actualTemporary
+ ),
+ `override set on port ${inPort} should match port ${outPort}`
+ );
+ equal(
+ actualTemporary.value,
+ expectedTemporary,
+ "input override temporary value should match output temporary value"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride("example.com", 563, {}, cert, {}),
+ `override set on port ${inPort} should not match port 563`
+ );
+ certOverrideService.clearValidityOverride("example.com", inPort, {});
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.com",
+ outPort,
+ {},
+ cert,
+ {}
+ ),
+ `override cleared on port ${inPort} should match port ${outPort}`
+ );
+}
+
+function run_test() {
+ run_port_equivalency_test(-1, 443);
+ run_port_equivalency_test(443, -1);
+
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ });
+ fakeOCSPResponder.start(8888);
+
+ add_simple_tests();
+ add_localhost_tests();
+ add_combo_tests();
+ add_distrust_tests();
+
+ add_test(function () {
+ fakeOCSPResponder.stop(check_telemetry);
+ });
+
+ run_next_test();
+}
+
+function add_simple_tests() {
+ add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);
+ add_cert_override_test(
+ "notyetvalid.example.com",
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE
+ );
+ add_cert_override_test("before-epoch.example.com", SEC_ERROR_INVALID_TIME);
+ add_cert_override_test(
+ "before-epoch-self-signed.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+ add_cert_override_test(
+ "selfsigned.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+ add_cert_override_test("unknownissuer.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ add_cert_override_test(
+ "expiredissuer.example.com",
+ SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
+ );
+ add_cert_override_test(
+ "notyetvalidissuer.example.com",
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE
+ );
+ add_cert_override_test(
+ "before-epoch-issuer.example.com",
+ SEC_ERROR_INVALID_TIME
+ );
+ add_cert_override_test(
+ "md5signature.example.com",
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+ add_cert_override_test(
+ "emptyissuername.example.com",
+ MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME
+ );
+ // This has name information in the subject alternative names extension,
+ // but not the subject common name.
+ add_cert_override_test("mismatch.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+ // This has name information in the subject common name but not the subject
+ // alternative names extension.
+ add_cert_override_test("mismatch-CN.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+
+ // A Microsoft IIS utility generates self-signed certificates with
+ // properties similar to the one this "host" will present.
+ add_cert_override_test(
+ "selfsigned-inadequateEKU.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+
+ add_prevented_cert_override_test(
+ "inadequatekeyusage.example.com",
+ SEC_ERROR_INADEQUATE_KEY_USAGE
+ );
+
+ // Test triggering the MitM detection. We don't set-up a proxy here. Just
+ // set the pref. Without the pref set we expect an unkown issuer error.
+ add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ add_test(function () {
+ Services.prefs.setStringPref(
+ "security.pki.mitm_canary_issuer",
+ "CN=Test MITM Root"
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+ run_next_test();
+ });
+ add_cert_override_test("mitm.example.com", MOZILLA_PKIX_ERROR_MITM_DETECTED);
+ add_test(function () {
+ Services.prefs.setStringPref(
+ "security.pki.mitm_canary_issuer",
+ "CN=Other MITM Root"
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+ run_next_test();
+ });
+ // If the canary issuer doesn't match the one we see, we exepct and unknown
+ // issuer error.
+ add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ // If security.pki.mitm_canary_issuer.enabled is false, there should always
+ // be an unknown issuer error.
+ add_test(function () {
+ Services.prefs.setBoolPref(
+ "security.pki.mitm_canary_issuer.enabled",
+ false
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+ run_next_test();
+ });
+ add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ add_test(function () {
+ Services.prefs.clearUserPref("security.pki.mitm_canary_issuer");
+ run_next_test();
+ });
+
+ // This is intended to test the case where a verification has failed for one
+ // overridable reason (e.g. unknown issuer) but then, in the process of
+ // reporting that error, a non-overridable error is encountered. The
+ // non-overridable error should be prioritized.
+ add_test(function () {
+ let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
+ setCertTrust(rootCert, ",,");
+ run_next_test();
+ });
+ add_prevented_cert_override_test(
+ "nsCertTypeCritical.example.com",
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
+ );
+ add_test(function () {
+ let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
+ setCertTrust(rootCert, "CTu,,");
+ run_next_test();
+ });
+
+ // Bug 990603: Apache documentation has recommended generating a self-signed
+ // test certificate with basic constraints: CA:true. For compatibility, this
+ // is a scenario in which an override is allowed.
+ add_cert_override_test(
+ "self-signed-end-entity-with-cA-true.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+
+ add_cert_override_test(
+ "ca-used-as-end-entity.example.com",
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+
+ // If an X.509 version 1 certificate is not a trust anchor, we will
+ // encounter an overridable error.
+ add_cert_override_test(
+ "end-entity-issued-by-v1-cert.example.com",
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+ );
+ // If we make that certificate a trust anchor, the connection will succeed.
+ add_test(function () {
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride(
+ "end-entity-issued-by-v1-cert.example.com",
+ 8443,
+ {}
+ );
+ let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
+ setCertTrust(v1Cert, "CTu,,");
+ clearSessionCache();
+ run_next_test();
+ });
+ add_connection_test(
+ "end-entity-issued-by-v1-cert.example.com",
+ PRErrorCodeSuccess
+ );
+ // Reset the trust for that certificate.
+ add_test(function () {
+ let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
+ setCertTrust(v1Cert, ",,");
+ clearSessionCache();
+ run_next_test();
+ });
+
+ // Due to compatibility issues, we allow overrides for certificates issued by
+ // certificates that are not valid CAs.
+ add_cert_override_test(
+ "end-entity-issued-by-non-CA.example.com",
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ // This host presents a 1016-bit RSA key.
+ add_cert_override_test(
+ "inadequate-key-size-ee.example.com",
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+
+ // The test root is not a built-in (by default), so the invalid dNSName entry
+ // in the subject alternative name extension is skipped.
+ add_connection_test(
+ "ipAddressAsDNSNameInSAN.example.com",
+ PRErrorCodeSuccess
+ );
+
+ if (gIsDebugBuild) {
+ // Treat the test root like a built-in.
+ add_test(function () {
+ let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
+ Services.prefs.setCharPref(
+ "security.test.built_in_root_hash",
+ rootCert.sha256Fingerprint
+ );
+ run_next_test();
+ });
+ // If the root is a built-in, the invalid dNSName entry in the subject
+ // alternative name extension is not skipped, and this result in an error.
+ add_cert_override_test(
+ "ipAddressAsDNSNameInSAN.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ // Reset the test root's built-in status.
+ add_test(function () {
+ Services.prefs.clearUserPref("security.test.built_in_root_hash");
+ run_next_test();
+ });
+ }
+
+ add_cert_override_test("noValidNames.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+ add_cert_override_test(
+ "badSubjectAltNames.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+
+ add_cert_override_test(
+ "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_test(function () {
+ // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
+ // is still valid. Do some additional tests relating to IDN handling.
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ let uri = Services.io.newURI(
+ "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp"
+ );
+ let cert = constructCertFromFile("bad_certs/idn-certificate.pem");
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ uri.asciiHost,
+ 8443,
+ {},
+ cert,
+ {}
+ ),
+ "IDN certificate should have matching override using ascii host"
+ );
+ Assert.throws(
+ () =>
+ !certOverrideService.hasMatchingOverride(
+ uri.displayHost,
+ 8443,
+ {},
+ cert,
+ {}
+ ),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "IDN certificate should not have matching override using (non-ascii) host"
+ );
+ let invalidHost = uri.asciiHost.replace(/./g, c =>
+ String.fromCharCode(c.charCodeAt(0) | 0x100)
+ );
+ Assert.throws(
+ () =>
+ !certOverrideService.hasMatchingOverride(
+ invalidHost,
+ 8443,
+ {},
+ cert,
+ {}
+ ),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "hasMatchingOverride should not truncate high-bytes"
+ );
+ run_next_test();
+ });
+
+ add_test(function () {
+ // Add a bunch of overrides...
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ let cert = constructCertFromFile("bad_certs/default-ee.pem");
+ certOverrideService.rememberValidityOverride(
+ "example.com",
+ 443,
+ {},
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.com", 443, {}, cert, {}),
+ "Should have added override for example.com:443"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.com",
+ 80,
+ {},
+ cert,
+ false
+ );
+ certOverrideService.rememberValidityOverride("::1", 80, {}, cert, false);
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
+ "Should have added override for example.com:80"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.org",
+ 443,
+ {},
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.org", 443, {}, cert, {}),
+ "Should have added override for example.org:443"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}),
+ "Should have added override for [::1]:80"
+ );
+ // When in a private browsing context, overrides added in non-private
+ // contexts should match (but not vice-versa).
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ {}
+ ),
+ "Should have override for example.org:443 with privateBrowsingId 1"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { privateBrowsingId: 2 },
+ cert,
+ {}
+ ),
+ "Should have override for example.org:443 with privateBrowsingId 2"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { firstPartyDomain: "example.org", userContextId: 1 },
+ cert,
+ {}
+ ),
+ "Should ignore firstPartyDomain and userContextId when checking overrides"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.org",
+ 80,
+ {},
+ cert,
+ true
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
+ "Should have added override for example.org:80"
+ );
+ certOverrideService.rememberValidityOverride(
+ "test.example.org",
+ 443,
+ { firstPartyDomain: "example.org", userContextId: 1 },
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "test.example.org",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should ignore firstPartyDomain and userContextId when adding overrides"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "test.example.org",
+ 443,
+ { firstPartyDomain: "example.com", userContextId: 2 },
+ cert,
+ {}
+ ),
+ "Should ignore firstPartyDomain and userContextId when checking overrides"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.test",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.test",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ {}
+ ),
+ "Should have added override for example.test:443 with privateBrowsingId 1"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.test",
+ 443,
+ { privateBrowsingId: 2 },
+ cert,
+ {}
+ ),
+ "Should not have override for example.test:443 with privateBrowsingId 2"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.test",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should not have override for example.test:443 with non-private OriginAttributes"
+ );
+ // Clear them all...
+ certOverrideService.clearAllOverrides();
+
+ // And ensure they're all gone.
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.com",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should have removed override for example.com:443"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
+ "Should have removed override for example.com:80"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should have removed override for example.org:443"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
+ "Should have removed override for example.org:80"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ {}
+ ),
+ "Should have removed override for example.org:443 with privateBrowsingId 1"
+ );
+
+ run_next_test();
+ });
+}
+
+function add_localhost_tests() {
+ add_cert_override_test("localhost", SEC_ERROR_UNKNOWN_ISSUER);
+ add_cert_override_test("127.0.0.1", SSL_ERROR_BAD_CERT_DOMAIN);
+ add_cert_override_test("::1", SSL_ERROR_BAD_CERT_DOMAIN);
+}
+
+function add_combo_tests() {
+ add_cert_override_test(
+ "mismatch-expired.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ add_cert_override_test(
+ "mismatch-notYetValid.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ add_cert_override_test(
+ "mismatch-untrusted.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_cert_override_test(
+ "untrusted-expired.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_cert_override_test(
+ "mismatch-untrusted-expired.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ add_cert_override_test(
+ "md5signature-expired.example.com",
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+
+ add_cert_override_test(
+ "ca-used-as-end-entity-name-mismatch.example.com",
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+}
+
+function add_distrust_tests() {
+ // Before we specifically distrust this certificate, it should be trusted.
+ add_connection_test("untrusted.example.com", PRErrorCodeSuccess);
+
+ add_distrust_test(
+ "bad_certs/default-ee.pem",
+ "untrusted.example.com",
+ SEC_ERROR_UNTRUSTED_CERT
+ );
+
+ add_distrust_test(
+ "bad_certs/other-test-ca.pem",
+ "untrustedissuer.example.com",
+ SEC_ERROR_UNTRUSTED_ISSUER
+ );
+
+ add_distrust_test(
+ "bad_certs/test-ca.pem",
+ "ca-used-as-end-entity.example.com",
+ SEC_ERROR_UNTRUSTED_ISSUER
+ );
+}
+
+function add_distrust_test(certFileName, hostName, expectedResult) {
+ let certToDistrust = constructCertFromFile(certFileName);
+
+ add_test(function () {
+ // Add an entry to the NSS certDB that says to distrust the cert
+ setCertTrust(certToDistrust, "pu,,");
+ clearSessionCache();
+ run_next_test();
+ });
+ add_prevented_cert_override_test(hostName, expectedResult);
+ add_test(function () {
+ setCertTrust(certToDistrust, "u,,");
+ run_next_test();
+ });
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
new file mode 100644
index 0000000000..1d2c2c1727
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
@@ -0,0 +1,94 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that permanent certificate error overrides can be added even if the
+// certificate/key databases are in read-only mode.
+
+// Helper function for add_read_only_cert_override_test. Probably doesn't need
+// to be called directly.
+function add_read_only_cert_override(aHost, aSecurityInfo) {
+ let cert = aSecurityInfo.serverCert;
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ // Setting the last argument to false here ensures that we attempt to store a
+ // permanent override (which is what was failing in bug 1427273).
+ certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false);
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected errors and that adding an override results
+// in a subsequent connection succeeding.
+function add_read_only_cert_override_test(aHost, aExpectedError) {
+ add_connection_test(
+ aHost,
+ aExpectedError,
+ null,
+ add_read_only_cert_override.bind(this, aHost)
+ );
+ add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
+ Assert.ok(
+ aSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "Cert override flag should be set on the security state"
+ );
+ });
+}
+
+function run_test() {
+ let profile = do_get_profile();
+ const KEY_DB_NAME = "key4.db";
+ const CERT_DB_NAME = "cert9.db";
+ let srcKeyDBFile = do_get_file(
+ `test_cert_overrides_read_only/${KEY_DB_NAME}`
+ );
+ srcKeyDBFile.copyTo(profile, KEY_DB_NAME);
+ let srcCertDBFile = do_get_file(
+ `test_cert_overrides_read_only/${CERT_DB_NAME}`
+ );
+ srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+ // set the databases to read-only
+ let keyDBFile = do_get_profile();
+ keyDBFile.append(KEY_DB_NAME);
+ keyDBFile.permissions = 0o400;
+ let certDBFile = do_get_profile();
+ certDBFile.append(CERT_DB_NAME);
+ certDBFile.permissions = 0o400;
+
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // Specifying false as the last argument means we don't try to add the default
+ // test root CA (which would fail).
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ });
+ fakeOCSPResponder.start(8888);
+
+ // Since we can't add the root CA to the (read-only) trust db, all of these
+ // will result in an "unknown issuer error" and need the "untrusted" error bit
+ // set in addition to whatever other specific error bits are necessary.
+ add_read_only_cert_override_test(
+ "expired.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_read_only_cert_override_test(
+ "selfsigned.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+ add_read_only_cert_override_test(
+ "mismatch.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ add_test(function () {
+ fakeOCSPResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db
new file mode 100644
index 0000000000..3d452f335c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db
new file mode 100644
index 0000000000..44d0cb1728
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1.js b/security/manager/ssl/tests/unit/test_cert_sha1.js
new file mode 100644
index 0000000000..f0a95bcd61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1.js
@@ -0,0 +1,53 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests the rejection of SHA-1 certificates.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+// (new Date("2016-03-01")).getTime() / 1000
+const VALIDATION_TIME = 1456790400;
+
+function certFromFile(certName) {
+ return constructCertFromFile("test_cert_sha1/" + certName + ".pem");
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString);
+}
+
+function checkEndEntity(cert, expectedResult) {
+ return checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME
+ );
+}
+
+add_task(async function () {
+ loadCertWithTrust("ca", "CTu,,");
+ loadCertWithTrust("int-pre", ",,");
+ loadCertWithTrust("int-post", ",,");
+
+ await checkEndEntity(
+ certFromFile("ee-pre_int-pre"),
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+ await checkEndEntity(
+ certFromFile("ee-post_int-pre"),
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+ await checkEndEntity(
+ certFromFile("ee-post_int-post"),
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem
new file mode 100644
index 0000000000..60140056de
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUUbC4F7yPobFDd+B73iWKejQ3THkwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCU+Y0AeMXFIfX4/L2aX37uSR70
+pGpPrh0FPOwBO2ETUc4j7Whol9wOSPnUwuPIpiDhar5qRuhY6aCPGTIJbRZrVeXv
+T5uFQXq+3CQdIyI55AkFDh9tO7wX7p3pRgzma47mBxIH082Uwy7+eEeQfhuJ5cU4
+e/zyHf6FEdkSrDjgwDip+dn8Q7tnjdaN3WYQjOFRXkHyYCIFkORDPTbYSYZ6DAqq
+Q/loKTdrcbyeEwFVBZxQu4Nb6mjhkfk8U+8TIGMCTQXhoQhgMWMeMo2E0kWvYbjc
+YDiRzmnsdvPu2LKnTvH28M9ODi3ZzcOuLs6jAKAiXISq0CbmwaddV/oAMoF2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec
new file mode 100644
index 0000000000..7e65e9ee30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:ca
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem
new file mode 100644
index 0000000000..8fb93e69e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUJWQl8gkrLL7gPn47YYMdN7qBP5wwDQYJKoZIhvcNAQEF
+BQAwEzERMA8GA1UEAwwIaW50LXBvc3QwIhgPMjAxNjAxMDIwMDAwMDBaGA8yMDE3
+MDIwMTAwMDAwMFowEjEQMA4GA1UEAwwHZWUtcG9zdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQUFAAOCAQEAVOPvLS8zwos/RdClnabdxMh5g1WN5T1BsIMExE6oU6sJ7n4HyIXt
+RnFTFe0t2CdXBCQPK6qG8ymeLQFNKykYlQxVZb8m5YgUK3k4IeMS/EoX4g7taREI
+IwK9/n7+oKZYlz2Q/ro/R2HFmLXsCIUrsxV3vAWQCm8rSeCKzEVNlDaQ5FEMVAM7
+VlNhNNKtUnXkzZ3SRj6O4eOq3G4azr5DNo5kAQPaIbAI3k/3AHyPqIjHcoSiG1Ug
+aqzIK6fNNCIAxIKAY2ERJfxA4fPlBZXono2sCOgCdFfF7QAo+o9SO8v3B+djuHgb
+flbfdyEnN+y32UpYe3qV8LnFmRqGAe/vbQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec
new file mode 100644
index 0000000000..76834f8447
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-post
+subject:ee-post
+validity:20160102-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem
new file mode 100644
index 0000000000..2385322a64
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUIVsTCuql4BDO2r4O5zePBEoHg3QwDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE2MDEwMTAwMDAwMFoYDzIwMTcw
+MjAxMDAwMDAwWjASMRAwDgYDVQQDDAdlZS1wb3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4IBAQCW5zeJg+LzGn07GtdBprRLarL7aLNFSr+s+3yzphq9kN43prElX6eD
+gdggPWicZozTm3IFLfJfsuhiodBZjWmkF/dsvvT3W77AcKzNWjShCnnA/Vf5IF6k
+U01ROfjmgcX0mMuhVUB7b9Fl6G5DFxJgny2jYehZcJIzWUBLiwu41TIxj5Cv5F9p
++XIHEyygqm8rYzbW8F49FRbsDD9nvhmdVqXsoTaKxY8bsKKu1EpBSBXozRbLKcAn
+/zrLy0HHS4qfXTHm0UKt+RCYVylL5I5YGR6rapXHChkBTBHFXdkPVsW5uHKBdBqY
+98zoAAMWRvJ3xOuqAbtKG6DKadiOpz6l
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec
new file mode 100644
index 0000000000..1e8bb35b34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-pre
+subject:ee-post
+validity:20160101-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem
new file mode 100644
index 0000000000..11a5e41e99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUOU+CyYnf3GRRgGHvbeJB8HTUvJ4wDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMTcw
+MjAxMDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1wcmUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEF
+BQADggEBACWLcVnT0nNyU/qFZNDZPGDFPuZCXuodBf3sgz1XDmcp5wlH+IjW3J8H
+3HH6ZwIUpTtppqVxuvo2y9GP+GNyeXhxmokHTVdKDj8HqYl5lV+reO1UmzEH0AU8
+x3hd2Fkzv/h3N3EPVETWuPiFSB0oAN/xwsXC/7Yi4AY0s/I/4q/vkS76Oa2RyL3f
+gbaa80+nR73BX+0wRqyg+Sgo2hOzjkCQchtZPUFYsRLhsHHBnokD8GJlT7NBKSN1
+TFt6uXpfEmqDICoyZoAw6rtnFfdEsZNo+PU6NDN3T0fkolBQPvuzfqcqAl85dpJK
+ow8mFKkb2t6qQH98yabi/172l03/P34=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec
new file mode 100644
index 0000000000..0f4a6ec257
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-pre
+subject:ee-pre
+validity:20150101-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem
new file mode 100644
index 0000000000..94ab4f5b15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbegAwIBAgIUYQ6xulHM0FrQ0sKMdbPI2ecC3PcwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjAxMDEwMDAwMDBaGA8yMDI2MDEwMTAw
+MDAwMFowEzERMA8GA1UEAwwIaW50LXBvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIB
+BjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCJN8/XexXMusXYbhVW
+uYA1YpaSTrz96CXlckIuABnzCrGD5iHkfFoB0LPKd+EZ80fdHIvS1zQTYohy6O95
+JageOaTY9HsOEqsgr1BA9VKZW4QlGp7csQzNMa52WRetimv6XY/lrfPf4qAhomWG
+/ImmLJpGTVPhEdz6Pl4Kvmf9zNf/BcXtBTWLSGWUC5UItC58WTopqcr5kLg3DmXB
+Qr7DjqA7DT92N6qefFkTYspDZJzv0nL9OfqkdCj/s6bm3iisTQq3aek6IP6OEkXF
+4TWUF3RDBsyRpG8jt/XsOsrwJDOGZGFPmMTz2uZPsZkeZhU+sfFDWL7wojl7kHV1
+c7f5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec
new file mode 100644
index 0000000000..50156c9f6e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:int-post
+validity:20160101-20260101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem
new file mode 100644
index 0000000000..0b916d5755
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUYW27TGzVOIbjpG1ADx7m7mZnrNQwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDIwMDEwMTAw
+MDAwMFowEjEQMA4GA1UEAwwHaW50LXByZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAESNgcKkxBwkaBykKo2Q
+GzgimnI3eNw8O8GrhefL+r3Ek/CH4/oBHGvfvrz6D19uemdOyHxo5QNW2iWEq0No
+pE6Hhm504P1fdkfQvjqjIhu/h3y5QjO3zdMGeVE/39TWAGrGsNFKE+jSxm8IbycF
+Ue6165agasf+PhQdorjFca48iLcowKYs5Df0SAhY7zbw1fM1HTr1YGAXc1K9aCA5
+fTmu8Nd0fNKc1NcbNDpdCG2YEj1nox1iMN5A4nY1ve88zJsnlpfsoJkHJqo2Cy+M
+mpQSnkTlf3Gfpl8NO3UW9FTcnK8L4Ix2DSNBDe8Yg2YL5w/VIxecFwlmwV0wWdg6
+vl0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec
new file mode 100644
index 0000000000..9f0a59ee99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:int-pre
+validity:20100101-20200101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures.js b/security/manager/ssl/tests/unit/test_cert_signatures.js
new file mode 100644
index 0000000000..73858afe37
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -0,0 +1,140 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that certificates cannot be tampered with without being detected.
+// Tests a combination of cases: RSA signatures, ECDSA signatures, certificate
+// chains where the intermediate has been tampered with, chains where the
+// end-entity has been tampered, tampering of the signature, and tampering in
+// the rest of the certificate.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+// Reads a PEM-encoded certificate, modifies the nth byte (0-indexed), and
+// returns the base64-encoded bytes of the certificate. Negative indices may be
+// specified to modify a byte from the end of the certificate.
+function readAndTamperWithNthByte(certificatePath, n) {
+ let pem = readFile(do_get_file(certificatePath, false));
+ let der = atob(pemToBase64(pem));
+ if (n < 0) {
+ // remember, n is negative at this point
+ n = der.length + n;
+ }
+ let replacement = "\x22";
+ if (der.charCodeAt(n) == replacement) {
+ replacement = "\x23";
+ }
+ der = der.substring(0, n) + replacement + der.substring(n + 1);
+ return btoa(der);
+}
+
+// The signature on certificates appears last. This should modify the contents
+// of the signature such that it no longer validates correctly while still
+// resulting in a structurally valid certificate.
+const BYTE_IN_SIGNATURE = -8;
+function addSignatureTamperedCertificate(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
+ certdb.addCertFromBase64(base64, ",,");
+}
+
+function ensureSignatureVerificationFailure(certificatePath) {
+ let cert = constructCertFromFile(certificatePath);
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer
+ );
+}
+
+function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
+ let cert = certdb.constructX509FromBase64(base64);
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer
+ );
+}
+
+// The beginning of a certificate looks like this (in hex, using DER):
+// 30 XX XX XX [the XX encode length - there are probably 3 bytes here]
+// 30 XX XX XX [length again]
+// A0 03
+// 02 01
+// 02
+// 02 XX [length again - 1 byte as long as we're using pycert]
+// XX XX ... [serial number - 20 bytes as long as we're using pycert]
+// Since we want to modify the serial number, we need to change something from
+// byte 15 to byte 34 (0-indexed). If it turns out that the two length sections
+// we assumed were 3 bytes are shorter (they can't be longer), modifying
+// something from byte 15 to byte 30 will still get us what we want. Since the
+// serial number is a DER INTEGER and because it must be positive, it's best to
+// skip the first two bytes of the serial number so as to not run into any
+// issues there. Thus byte 17 is a good byte to modify.
+const BYTE_IN_SERIAL_NUMBER = 17;
+function addSerialNumberTamperedCertificate(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER);
+ certdb.addCertFromBase64(base64, ",,");
+}
+
+function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER);
+ let cert = certdb.constructX509FromBase64(base64);
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer
+ );
+}
+
+add_task(async function () {
+ addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,");
+ addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,");
+
+ // Tamper with the signatures on intermediate certificates and ensure that
+ // end-entity certificates issued by those intermediates do not validate
+ // successfully.
+ addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem");
+ addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+ await ensureSignatureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1.pem"
+ );
+
+ // Tamper with the signatures on end-entity certificates and ensure that they
+ // do not validate successfully.
+ await tamperWithSignatureAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-rsa-direct.pem"
+ );
+ await tamperWithSignatureAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1-direct.pem"
+ );
+
+ // Tamper with the serial numbers of intermediate certificates and ensure
+ // that end-entity certificates issued by those intermediates do not validate
+ // successfully.
+ addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem");
+ addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+ await ensureSignatureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1.pem"
+ );
+
+ // Tamper with the serial numbers of end-entity certificates and ensure that
+ // they do not validate successfully.
+ await tamperWithSerialNumberAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-rsa-direct.pem"
+ );
+ await tamperWithSerialNumberAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1-direct.pem"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem
new file mode 100644
index 0000000000..8b45dad277
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUDV80TugFYIoMPwaiYdawE7V/rjkwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBExDzANBgNVBAMMBmNhLXJzYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBACQExelnbKhD4GcL
+tRqJXQR4AhLmss7ktDqfp+pZiWv+vwJOvsOwspp4kOh3ztz9iX4njQR4bv3TR+sS
+eBd2QNbUfUhQjuBewNjADxiNfVj54V1l2Cy7AdkrJ0R7eFQ3MEcff7KTrFKeFi3c
+K9BigWa8hlHQ63ttySQpMmolvYbtf2oku/olwX3adpJH3U5HL3syFgNi6VC/kIe+
+Kbgy107DrbXNZwtWFJSH1fFcnPWQeuoYaM3UUXsS8OHlwEBDHK5U5ZFjMVzGdpz3
+R/S/8O5Yd0BH+USVdJ5IzoJA3sCGsrzLAg8fYvs2WtQaBL46geKz2f1ZWh2AtfTO
+FtoX8MQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec
new file mode 100644
index 0000000000..5890d2db60
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-rsa
+subject:ca-rsa
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem
new file mode 100644
index 0000000000..be644e0022
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjzCCARSgAwIBAgIUDxOVAGBWpISlY8NCTFeThopVpaowCgYIKoZIzj0EAwIw
+FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy
+NTAyMDQwMDAwMDBaMBcxFTATBgNVBAMMDGNhLXNlY3AzODRyMTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt
+qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC
+8Fr3Gh/dzIN0qm6pzqMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYI
+KoZIzj0EAwIDaQAwZgIxAO0GJz6haDpUtNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ
+1OxFRuhW515lVbeTqfcA8wIxAOke6+me0k8z0qIWLJAmGhZag42W/SbsPuJMWJDk
+FapWgW9aiWoF20d8IqL6w/fj8A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec
new file mode 100644
index 0000000000..0701c23c1e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ca-secp384r1
+subject:ca-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem
new file mode 100644
index 0000000000..69caa94474
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuTCCAaGgAwIBAgIUM77a0/k/vUucMHymGvhh240zM4AwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBgxFjAUBgNVBAMMDWVlLXJzYS1kaXJlY3QwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI
+hvcNAQELBQADggEBAHVsx0EjIAbpDpvodZ+43WN3trKWP6GM8tN+OHjsN4/fOFb7
+yRBbH/xAXL03WOfFhsJpiKdPTB9op+I3lZ1bfmH91npcaI2jsH9n5Z8YOycgSP/f
+cZtKAz3ZjG8zgrnMPQe5aA1NEakcxwPHp7BZeHLKUZ+rVb4YZ9049Lx86XKqsEa1
+0FuPMImqdIvft/XZs31UB1rjHN2AefT0v9MTWsc0nkd/7V6pAUdACX9UxRDzqM+2
+++17MSutN9iosylEzRA3PqbM+57ac12RoHAGoLzhNGYzQED+rcE9/ey9uPktISHF
+sxWawVueVntlU0uAB877iaGcqy4XkS1p7dy5P/Y=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec
new file mode 100644
index 0000000000..4e25ddcf94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-rsa
+subject:ee-rsa-direct
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem
new file mode 100644
index 0000000000..9a09c3eb49
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUXcTc2SQ1/FZafhESgXzdxvwbIwQwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHaW50LXJzYTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1yc2EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAHowIx3F6a61sqSwLF3Hdgc9IVjR5GYFbM1Oefdn/lFhUF/yWnfbpL6U
+vUsAKI0QaisEJk83jvgTSf+OpCS1mJagh0kvpgapOtOlZ5L9QlAoPWZzdjrMaK1A
+R7FPHSLQPLiwnYUrVyZ3H7qoohUs7hhnwD/ullXfOq4ls7wIwoFVC2Pqppx0aeTh
+hIpL+vG1Fn73ofqj3e24ATY+wQh7QTsrrQv3AOTBCYNWOh6ZOUtBFaoL/s21im9v
+VQabX6xtSU9NLo9x0gum/tigqJEFFTEXvz7ybfoVhKkdCnc5R24GfIFzyaLVde4x
+ht/M1pt97rpNs1txeixmwuf7A/WtDrw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec
new file mode 100644
index 0000000000..b974a0a0a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-rsa
+subject:ee-rsa
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem
new file mode 100644
index 0000000000..7d8c08e287
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdjCB/KADAgECAhQZAHoBt09lI61Q3bCATEjYQtltsTAKBggqhkjOPQQDAjAX
+MRUwEwYDVQQDDAxjYS1zZWNwMzg0cjEwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1
+MDIwNDAwMDAwMFowHjEcMBoGA1UEAwwTZWUtc2VjcDM4NHIxLWRpcmVjdDB2MBAG
+ByqGSM49AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22CO
+JS3ktxMtqM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXED
+viiIz/AC8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNpADBmAjEA7QYnPqFoOlS0
+2BpDdIRIljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjEAlsY+wH/m
+rlRsGMhNTmwDCqqe+KNZMWXL2fVWRhIKyAbvhATRsEj/fHMHQTrIoz/0
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec
new file mode 100644
index 0000000000..386ab95f78
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-secp384r1
+subject:ee-secp384r1-direct
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem
new file mode 100644
index 0000000000..9f78ae5596
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCB9qADAgECAhRv/VEnsrkCA8hWjtmF8tS/35wV+TAKBggqhkjOPQQDAjAY
+MRYwFAYDVQQDDA1pbnQtc2VjcDM4NHIxMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy
+NTAyMDQwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXNlY3AzODRyMTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt
+qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC
+8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNoADBlAjEA7QYnPqFoOlS02BpDdIRI
+ljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjA5lYXxjooU1BfUCwDn
+Qk8cNqEXbN6dikgQUMqLRdwnuBGlcV4vQNhyIYUCCg++lUg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec
new file mode 100644
index 0000000000..b8f7993be8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-secp384r1
+subject:ee-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem
new file mode 100644
index 0000000000..f4114bdb2c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbqgAwIBAgIUU6Hu9o9yM2q0UIz1klSmb3O5j6UwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBIxEDAOBgNVBAMMB2ludC1yc2EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF
+MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgeoEfAYgunOXP
+zzhV6ZZog7TziqsNHDLGAFbDjLwPHjMOMkcqzhz+uHrBxViV9dINSJdARqTMoQvL
+BGG9DNutm+KjDocWZ8cVcvtleJTYAEpDo1in55t/mD7huUleSuq80whB3uuCDwz5
+TAs9Qfr0AmVTy7rW9/8uO/Tlc89StlqnSQ8QTHfct1egGXG4LY2dKogXq5M+5FrM
+VsFc/lDHDzMUDEw8StRbfQGy7HaU5yFoaVcH/KTgem33QmLVAq6v7prqn2MbwSeX
+lSbT14cFMBiTY8mUC25sdPbM/AkZLco/1iuNFPR3CqU4o0zO3O8mepJ8TPAaRNHI
+38NU05bv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec
new file mode 100644
index 0000000000..a86d28b44a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-rsa
+subject:int-rsa
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem
new file mode 100644
index 0000000000..e1800be0c5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjzCCARWgAwIBAgIUX4m+M8t/s153wAjqZK2IklsRMvwwCgYIKoZIzj0EAwIw
+FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy
+NTAyMDQwMDAwMDBaMBgxFjAUBgNVBAMMDWludC1zZWNwMzg0cjEwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcT
+LajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/w
+AvBa9xof3cyDdKpuqc6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA2gAMGUCMQDtBic+oWg6VLTYGkN0hEiWPOY+voEXA+zXPXLwolQG
+WdTsRUboVudeZVW3k6n3APMCMGioCMuJu85AGvcYdq3sAV38rWpDJXUt+YkD5C2U
+d7O9vkcolgeLW6XiJcOK0I+uQg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec
new file mode 100644
index 0000000000..e002a1569a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ca-secp384r1
+subject:int-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_storage.js b/security/manager/ssl/tests/unit/test_cert_storage.js
new file mode 100644
index 0000000000..e6bd4d944b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage.js
@@ -0,0 +1,258 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This test checks a number of things:
+// * it ensures that data loaded from revocations.txt on startup is present
+// * it ensures that data served from OneCRL are persisted correctly
+// * it ensures that items in the CertBlocklist are seen as revoked by the
+// cert verifier
+// * it does a sanity check to ensure other cert verifier behavior is
+// unmodified
+
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+ "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+
+// First, we need to setup appInfo for the blocklist service to work
+var id = "xpcshell@tests.mozilla.org";
+var appName = "XPCShell";
+var version = "1";
+var platformVersion = "1.9.2";
+const { updateAppInfo } = ChromeUtils.importESModule(
+ "resource://testing-common/AppInfo.sys.mjs"
+);
+updateAppInfo({
+ name: appName,
+ ID: id,
+ version,
+ platformVersion: platformVersion ? platformVersion : "1.0",
+ crashReporter: true,
+});
+
+// we need to ensure we setup revocation data before certDB, or we'll start with
+// no revocation.txt in the profile
+var gProfile = do_get_profile();
+
+var gRevocations = gProfile.clone();
+gRevocations.append("revocations.txt");
+if (!gRevocations.exists()) {
+ let existing = do_get_file("test_onecrl/sample_revocations.txt", false);
+ existing.copyTo(gProfile, "revocations.txt");
+}
+
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const certBlocklist = [
+ // test with some bad data ...
+ {
+ issuerName: "Some nonsense in issuer",
+ serialNumber: "AkHVNA==",
+ },
+ {
+ issuerName: "MA0xCzAJBgNVBAMMAmNh",
+ serialNumber: "some nonsense in serial",
+ },
+ {
+ issuerName: "and serial",
+ serialNumber: "some nonsense in both issuer",
+ },
+ // some mixed
+ // In these case, the issuer name and the valid serialNumber correspond
+ // to test-int.pem in bad_certs/
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "oops! more nonsense.",
+ },
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ // ... and some good
+ // In this case, the issuer name and the valid serialNumber correspond
+ // to other-test-ca.pem in bad_certs/ (for testing root revocation)
+ {
+ issuerName: "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=",
+ serialNumber: "Rym6o+VN9xgZXT/QLrvN/nv1ZN4=",
+ },
+ // These items correspond to an entry in sample_revocations.txt where:
+ // isser name is the base-64 encoded subject DN for the shared Test
+ // Intermediate and the serialNumbers are base-64 encoded 78 and 31,
+ // respectively.
+ // We need this to ensure that existing items are retained if they're
+ // also in the blocklist
+ {
+ issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
+ serialNumber: "Tg==",
+ },
+ {
+ issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
+ serialNumber: "Hw==",
+ },
+ // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
+ {
+ subject: "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5",
+ pubKeyHash: "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=",
+ },
+];
+
+function verify_cert(file, expectedError) {
+ let ee = constructCertFromFile(file);
+ return checkCertErrorGeneric(
+ certDB,
+ ee,
+ expectedError,
+ certificateUsageSSLServer
+ );
+}
+
+// The certificate blocklist currently only applies to TLS server certificates.
+async function verify_non_tls_usage_succeeds(file) {
+ let ee = constructCertFromFile(file);
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+}
+
+function load_cert(cert, trust) {
+ let file = "bad_certs/" + cert + ".pem";
+ addCertFromFile(certDB, file, trust);
+}
+
+async function update_blocklist() {
+ const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();
+
+ const fakeEvent = {
+ current: certBlocklist, // with old .txt revocations.
+ deleted: [],
+ created: certBlocklist, // with new cert storage.
+ updated: [],
+ };
+ await OneCRLBlocklistClient.emit("sync", { data: fakeEvent });
+ // Save the last check timestamp, used by cert_storage to assert
+ // if the blocklist is «fresh».
+ Services.prefs.setIntPref(
+ OneCRLBlocklistClient.lastCheckTimePref,
+ Math.floor(Date.now() / 1000)
+ );
+}
+
+function run_test() {
+ // import the certificates we need
+ load_cert("test-ca", "CTu,CTu,CTu");
+ load_cert("test-int", ",,");
+ load_cert("other-test-ca", "CTu,CTu,CTu");
+
+ add_task(async function () {
+ // check some existing items in revocations.txt are blocked.
+ // This test corresponds to:
+ // issuer: MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= (CN=Test CA)
+ // serial: Kg== (42)
+ let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // This test corresponds to:
+ // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
+ // serial: Tg== (78)
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // And this test corresponds to:
+ // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
+ // serial: Hw== (31)
+ // (we test this issuer twice to ensure we can read multiple serials)
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // Test that a certificate revoked by subject and public key hash in
+ // revocations.txt is revoked
+ // subject: MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5
+ // (CN=EE Revoked By Subject and PubKey)
+ // pubkeyhash: VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8= (this is the
+ // shared RSA SPKI)
+ file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // Soon we'll load a blocklist which revokes test-int.pem, which issued
+ // test-int-ee.pem.
+ // Check the cert validates before we load the blocklist
+ file = "test_onecrl/test-int-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+
+ // The blocklist also revokes other-test-ca.pem, which issued
+ // other-ca-ee.pem. Check the cert validates before we load the blocklist
+ file = "bad_certs/other-issuer-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+
+ // The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash.
+ // Check the cert validates before we load the blocklist
+ file = "test_onecrl/same-issuer-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+ });
+
+ // blocklist load is async so we must use add_test from here
+ add_task(update_blocklist);
+
+ add_task(async function () {
+ // The blocklist will be loaded now. Let's check the data is sane.
+ // In particular, we should still have the revoked issuer / serial pair
+ // that was in revocations.txt but not the blocklist.
+ let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // We should also still have the revoked issuer / serial pairs that were in
+ // revocations.txt and are also in the blocklist.
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // The cert revoked by subject and pubkeyhash should still be revoked.
+ file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // Check the blocklisted intermediate now causes a failure
+ file = "test_onecrl/test-int-ee.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
+
+ // Check the ee with the blocklisted root also causes a failure
+ file = "bad_certs/other-issuer-ee.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
+
+ // Check the ee blocked by subject / pubKey causes a failure
+ file = "test_onecrl/same-issuer-ee.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
+
+ // Check a non-blocklisted chain still validates OK
+ file = "bad_certs/default-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+
+ // Check a bad cert is still bad (unknown issuer)
+ file = "bad_certs/unknownissuer.pem";
+ await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js
new file mode 100644
index 0000000000..cabf16b48d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js
@@ -0,0 +1,72 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests cert_storage's automatic database recreation mechanism. If
+// opening the database for the first time fails, cert_storage will re-create
+// it.
+
+function call_has_prior_data(certStorage, type) {
+ return new Promise(resolve => {
+ certStorage.hasPriorData(type, (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ });
+ });
+}
+
+async function check_has_prior_revocation_data(certStorage, expectedResult) {
+ let hasPriorRevocationData = await call_has_prior_data(
+ certStorage,
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION
+ );
+ Assert.equal(
+ hasPriorRevocationData,
+ expectedResult,
+ `should ${expectedResult ? "have" : "not have"} prior revocation data`
+ );
+}
+
+async function check_has_prior_cert_data(certStorage, expectedResult) {
+ let hasPriorCertData = await call_has_prior_data(
+ certStorage,
+ Ci.nsICertStorage.DATA_TYPE_CERTIFICATE
+ );
+ Assert.equal(
+ hasPriorCertData,
+ expectedResult,
+ `should ${expectedResult ? "have" : "not have"} prior cert data`
+ );
+}
+
+add_task(async function () {
+ // Create an invalid database.
+ let fileToCopy = do_get_file("test_cert_storage_broken_db.js");
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ fileToCopy.copyTo(dbDirectory, "data.mdb");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ check_has_prior_revocation_data(certStorage, false);
+ check_has_prior_cert_data(certStorage, false);
+
+ let result = await new Promise(resolve => {
+ certStorage.setRevocations([], resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "setRevocations should succeed");
+
+ check_has_prior_revocation_data(certStorage, true);
+ check_has_prior_cert_data(certStorage, false);
+
+ result = await new Promise(resolve => {
+ certStorage.addCerts([], resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "addCerts should succeed");
+
+ check_has_prior_revocation_data(certStorage, true);
+ check_has_prior_cert_data(certStorage, true);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct.js b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
new file mode 100644
index 0000000000..a1ba818dd9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
@@ -0,0 +1,417 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file consists of unit tests for cert_storage (whereas test_cert_storage.js is more of an
+// integration test).
+
+do_get_profile();
+
+this.certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+);
+
+async function addCerts(certInfos) {
+ let result = await new Promise(resolve => {
+ certStorage.addCerts(certInfos, resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "addCerts should succeed");
+}
+
+async function removeCertsByHashes(hashesBase64) {
+ let result = await new Promise(resolve => {
+ certStorage.removeCertsByHashes(hashesBase64, resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "removeCertsByHashes should succeed");
+}
+
+function getLongString(uniquePart, length) {
+ return String(uniquePart).padStart(length, "0");
+}
+
+class CertInfo {
+ constructor(cert, subject) {
+ this.cert = btoa(cert);
+ this.subject = btoa(subject);
+ this.trust = Ci.nsICertStorage.TRUST_INHERIT;
+ }
+}
+CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]);
+
+add_task(async function test_common_subject() {
+ let someCert1 = new CertInfo(
+ "some certificate bytes 1",
+ "some common subject"
+ );
+ let someCert2 = new CertInfo(
+ "some certificate bytes 2",
+ "some common subject"
+ );
+ let someCert3 = new CertInfo(
+ "some certificate bytes 3",
+ "some common subject"
+ );
+ await addCerts([someCert1, someCert2, someCert3]);
+ let storedCerts = certStorage.findCertsBySubject(
+ stringToArray("some common subject")
+ );
+ let storedCertsAsStrings = storedCerts.map(arrayToString);
+ let expectedCerts = [
+ "some certificate bytes 1",
+ "some certificate bytes 2",
+ "some certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should find expected certs"
+ );
+
+ await addCerts([
+ new CertInfo("some other certificate bytes", "some other subject"),
+ ]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("some common subject")
+ );
+ storedCertsAsStrings = storedCerts.map(arrayToString);
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should still find expected certs"
+ );
+
+ let storedOtherCerts = certStorage.findCertsBySubject(
+ stringToArray("some other subject")
+ );
+ let storedOtherCertsAsStrings = storedOtherCerts.map(arrayToString);
+ let expectedOtherCerts = ["some other certificate bytes"];
+ Assert.deepEqual(
+ storedOtherCertsAsStrings,
+ expectedOtherCerts,
+ "should have other certificate"
+ );
+});
+
+add_task(async function test_many_entries() {
+ const NUM_CERTS = 500;
+ const CERT_LENGTH = 3000;
+ const SUBJECT_LENGTH = 40;
+ let certs = [];
+ for (let i = 0; i < NUM_CERTS; i++) {
+ certs.push(
+ new CertInfo(
+ getLongString(i, CERT_LENGTH),
+ getLongString(i, SUBJECT_LENGTH)
+ )
+ );
+ }
+ await addCerts(certs);
+ for (let i = 0; i < NUM_CERTS; i++) {
+ let subject = stringToArray(getLongString(i, SUBJECT_LENGTH));
+ let storedCerts = certStorage.findCertsBySubject(subject);
+ Assert.equal(
+ storedCerts.length,
+ 1,
+ "should have 1 certificate (lots of data test)"
+ );
+ let storedCertAsString = arrayToString(storedCerts[0]);
+ Assert.equal(
+ storedCertAsString,
+ getLongString(i, CERT_LENGTH),
+ "certificate should be as expected (lots of data test)"
+ );
+ }
+});
+
+add_task(async function test_removal() {
+ // As long as cert_storage is given valid base64, attempting to delete some nonexistent
+ // certificate will "succeed" (it'll do nothing).
+ await removeCertsByHashes([btoa("thishashisthewrongsize")]);
+
+ let removalCert1 = new CertInfo(
+ "removal certificate bytes 1",
+ "common subject to remove"
+ );
+ let removalCert2 = new CertInfo(
+ "removal certificate bytes 2",
+ "common subject to remove"
+ );
+ let removalCert3 = new CertInfo(
+ "removal certificate bytes 3",
+ "common subject to remove"
+ );
+ await addCerts([removalCert1, removalCert2, removalCert3]);
+
+ let storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ let storedCertsAsStrings = storedCerts.map(arrayToString);
+ let expectedCerts = [
+ "removal certificate bytes 1",
+ "removal certificate bytes 2",
+ "removal certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should find expected certs before removing them"
+ );
+
+ // echo -n "removal certificate bytes 2" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes(["2nUPHwl5TVr1mAD1FU9FivLTlTb0BAdnVUhsYgBccN4="]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ storedCertsAsStrings = storedCerts.map(arrayToString);
+ expectedCerts = [
+ "removal certificate bytes 1",
+ "removal certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should only have first and third certificates now"
+ );
+
+ // echo -n "removal certificate bytes 1" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes(["8zoRqHYrklr7Zx6UWpzrPuL+ol8KL1Ml6XHBQmXiaTY="]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ storedCertsAsStrings = storedCerts.map(arrayToString);
+ expectedCerts = ["removal certificate bytes 3"];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should only have third certificate now"
+ );
+
+ // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now");
+
+ // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+ // Again, removing a nonexistent certificate should "succeed".
+ await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]);
+});
+
+add_task(async function test_batched_removal() {
+ let removalCert1 = new CertInfo(
+ "batch removal certificate bytes 1",
+ "batch subject to remove"
+ );
+ let removalCert2 = new CertInfo(
+ "batch removal certificate bytes 2",
+ "batch subject to remove"
+ );
+ let removalCert3 = new CertInfo(
+ "batch removal certificate bytes 3",
+ "batch subject to remove"
+ );
+ await addCerts([removalCert1, removalCert2, removalCert3]);
+ let storedCerts = certStorage.findCertsBySubject(
+ stringToArray("batch subject to remove")
+ );
+ let storedCertsAsStrings = storedCerts.map(arrayToString);
+ let expectedCerts = [
+ "batch removal certificate bytes 1",
+ "batch removal certificate bytes 2",
+ "batch removal certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should find expected certs before removing them"
+ );
+ // echo -n "batch removal certificate bytes 1" | sha256sum | xxd -r -p | base64
+ // echo -n "batch removal certificate bytes 2" | sha256sum | xxd -r -p | base64
+ // echo -n "batch removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes([
+ "EOEEUTuanHZX9NFVCoMKVT22puIJC6g+ZuNPpJgvaa8=",
+ "Xz6h/Kvn35cCLJEZXkjPqk1GG36b56sreLyAXpO+0zg=",
+ "Jr7XdiTT8ZONUL+ogNNMW2oxKxanvYOLQPKBPgH/has=",
+ ]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("batch subject to remove")
+ );
+ Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now");
+});
+
+class CRLiteCoverage {
+ constructor(ctLogID, minTimestamp, maxTimestamp) {
+ this.b64LogID = ctLogID;
+ this.minTimestamp = minTimestamp;
+ this.maxTimestamp = maxTimestamp;
+ }
+}
+CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([
+ "nsICRLiteCoverage",
+]);
+
+add_task(async function test_crlite_filter() {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(
+ certdb,
+ "test_cert_storage_direct/valid-cert-issuer.pem",
+ ",,"
+ );
+ let validCert = constructCertFromFile(
+ "test_cert_storage_direct/valid-cert.pem"
+ );
+ addCertFromFile(
+ certdb,
+ "test_cert_storage_direct/revoked-cert-issuer.pem",
+ ",,"
+ );
+ let revokedCert = constructCertFromFile(
+ "test_cert_storage_direct/revoked-cert.pem"
+ );
+ let filterFile = do_get_file(
+ "test_cert_storage_direct/test-filter.crlite",
+ false
+ );
+ ok(filterFile.exists(), "test filter file should exist");
+ let enrollment = [];
+ let coverage = [];
+ let filterBytes = stringToArray(readFile(filterFile));
+ // First simualte a filter that does not cover any certificates. With CRLite
+ // enabled, none of the certificates should appear to be revoked.
+ let setFullCRLiteFilterResult = await new Promise(resolve => {
+ certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve);
+ });
+ Assert.equal(
+ setFullCRLiteFilterResult,
+ Cr.NS_OK,
+ "setFullCRLiteFilter should succeed"
+ );
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Now replace the filter with one that covers the "valid" and "revoked"
+ // certificates. CRLite should flag the revoked certificate.
+ coverage.push(
+ new CRLiteCoverage(
+ "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ 0,
+ 1641612275000
+ )
+ );
+
+ // crlite_enrollment_id.py test_crlite_filters/issuer.pem
+ enrollment.push("UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8=");
+ // crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem
+ enrollment.push("Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY=");
+ // crlite_enrollment_id.py test_cert_storage_direct/revoked-cert-issuer.pem
+ enrollment.push("HTvSp2263dqBYtgYA2fldKAoTYcEVLPVTlRia9XaoCQ=");
+
+ setFullCRLiteFilterResult = await new Promise(resolve => {
+ certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve);
+ });
+ Assert.equal(
+ setFullCRLiteFilterResult,
+ Cr.NS_OK,
+ "setFullCRLiteFilter should succeed"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // If we're only collecting telemetry, none of the certificates should appear to be revoked.
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeTelemetryOnlyPrefValue
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // If CRLite is disabled, none of the certificates should appear to be revoked.
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeDisabledPrefValue
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem
new file mode 100644
index 0000000000..d775817b33
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIQBpaPlkroI1bHThfCtTZbADANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTE3MTEwNjEyMjI1N1oXDTI3MTEwNjEyMjI1N1owXzEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEeMBwGA1UEAxMVVGhhd3RlIEVWIFJTQSBDQSAyMDE4MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0Cu52zmdJFnSezXMKvL0rso
+WgA/1X7OxjMQHsAllID1eDG836ptJXSTPg+DoEenHfkKyw++wXobgahr0cU/2v8R
+WR3fID53ZDhEGHzS+Ol7V+HRtZG5teMWCY7gldtBQH0r7xUEp/3ISVsZUVBqtUmL
+VJlf9nxJD6Cxp4LBlcJJ8+N6kSkV+fA+WdQc0HYhXSg3PxJP7XSU28Wc7gf6y9kZ
+zQhK4WrZLRrHHbHC2QXdqQYUxR927QV+UCNXnlbTcZy2QpxWTPLzK+/cKXX4cwP6
+MGF7+8RnUgHlij/5V2k/tIF9ep4B72ucqaS/UhEPpIN/T7A3OAw995yrB38glQID
+AQABo4IBSTCCAUUwHQYDVR0OBBYEFOcB/AwWGMp9sozshyejb2GBO4Q5MB8GA1Ud
+IwQYMBaAFLE+w2kD+L9HAdSYJhoIAu9jZCvDMA4GA1UdDwEB/wQEAwIBhjAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0
+BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
+LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
+RGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYE
+VR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
+MA0GCSqGSIb3DQEBCwUAA4IBAQAWGka+5ffLpfFuzT+WlwDRwhyTZSunnvecZWZT
+PPKXipynjpXx5dK8YG+2XoH74285GR1UABuvHMFV94XeDET9Pzz5s/NHS1/eAr5e
+GdwfBl80XwPkwXaYqzRtw6J4RAxeLqcbibhUQv9Iev9QcP0kNPyJu413Xov76mSu
+JlGThKzcurJPive2eLmwmoIgTPH11N/IIO9nHLVe8KTkt+FGgZCOWHA3kbFBZR39
+Mn2hFS974rhUkM+VS9KbCiQQ5OwkfbZ/6BINkE1CMtiESZ2WkbxJKPsF3dN7p9DF
+YWiQSbYjFP+rCT0/MkaHHYUkEvLNPgyJ6z29eMf0DjLu/SXJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem
new file mode 100644
index 0000000000..81e01bd783
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem
@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIIHOzCCBiOgAwIBAgIQBi31aKBRMQgg1+xDJ+G6/TANBgkqhkiG9w0BAQsFADBf
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVUaGF3dGUgRVYgUlNBIENBIDIwMTgw
+HhcNMTgwNTI4MDAwMDAwWhcNMjAwNTIxMTIwMDAwWjCB6zEdMBsGA1UEDwwUUHJp
+dmF0ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCREUxFjAUBgsrBgEE
+AYI3PAIBAhMFSGVzc2UxGDAWBgsrBgEEAYI3PAIBAQwHR2llw59lbjERMA8GA1UE
+BRMISFJCIDY5MDIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDASBgNV
+BAcTC0hldWNoZWxoZWltMRQwEgYDVQQKEwtTY2h1bmsgR21iSDELMAkGA1UECxMC
+SVQxGTAXBgNVBAMTEHNjaHVuay1ncm91cC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCvkuQZz2ExPv9paJb622OOk+o4bWnjDe1zHGK6qnK25mMT
+Zldk74sXF+Wfr9lbwqHTcjGhQFwmVDqvtr55KVX8FOv0CSqNaewOrnNrFz8Xg4rn
+OlIs3+MmqD5CIK+el0rA+xltEY8WvNlwZKG7yeJYrdsr+5DAThDuwCVe8bU7it4h
+sjsMsof5ocee9zDkFThNVGR4sMk5EgBxb1Gt4n9wXUj4OBT78whhlkLH/pVZrrhs
+tQwC3q90MOPC5RJcEolSCNjGdHCKRbexmRqJgbJj/qZ9JT+fQ+Ko6a+UAWvc2BUc
+POnzGV2GzCdFFGOubJb6RjU0nuPG4Lmdc/BuS9kFAgMBAAGjggNkMIIDYDAfBgNV
+HSMEGDAWgBTnAfwMFhjKfbKM7Icno29hgTuEOTAdBgNVHQ4EFgQUNb1SY8Bkil98
+tD8zoxE30jBA1NIwZwYDVR0RBGAwXoIQc2NodW5rLWdyb3VwLmNvbYIUd3d3LnNj
+aHVuay1ncm91cC5jb22CG3NjaHVuay1jYXJib250ZWNobm9sb2d5LmNvbYIXc2No
+dW5rLXNpbnRlcm1ldGFscy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY2Rw
+LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3JsMEsGA1UdIAREMEIwNwYJ
+YIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv
+bS9DUFMwBwYFZ4EMAQEwcQYIKwYBBQUHAQEEZTBjMCQGCCsGAQUFBzABhhhodHRw
+Oi8vc3RhdHVzLnRoYXd0ZS5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnRz
+LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3J0MAkGA1UdEwQCMAAwggF7
+BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AKS5CZC0GFgUh7sTosxncAo8NZgE+Rvf
+uON3zQ7IDdwQAAABY6Ze9XAAAAQDAEYwRAIgNUeXL3GwlpGQtTS/wKBlOkHJvHR5
+knSop0OPumeCfQECIEdxY7qr/WRVbWkQFvP48fgWkZHkd4vTq70Y0aaSZTbPAHUA
+VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFjpl71tQAABAMARjBE
+AiAtxKdc/wum3TE7r9BoRd/gkrjYLWyqeLuL/opRBRy9xwIgPF6uEZxyhEoLZ+9G
+AFBAP+X89zjZphVALjIXu0RRea4AdQC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQ
+lmQ2jh7RhQAAAWOmXvY1AAAEAwBGMEQCIHc04ERlUbIkVrlC+I89C9xtugvRCwbR
+a7qZzSdqHltUAiBRVwTacf1dnO9AgLSgrxft5LV32DvH3qNT7pWYh8dFNjANBgkq
+hkiG9w0BAQsFAAOCAQEARJ+tbnM+yS6chgpyzfB3e7IWPq2Den46Ja1H6/4qaKrd
+nsbElcvd4cCQf1zYY6jlQkO6qtfMUChKrEar5aqqnyX8x/8T9PkpHp8XyUxgGlmT
+hrnHML0gDJFS8O4MB5pFnGkgoOQa+OIQokWCXr4/a4AwsTG3Ms+lC+R+vRYz90lg
+TEJLNHB2fSvQyvpXDUL9aAjACBp/9pKxfM9iq06MFO5jP483xJUfdqtVteHMw75w
+1mb8IrM9R1dP47GsblTrf2rZYdaoxdyLjtJQG2aaOdU5unE6QeFrXbz0qeTPePs8
+ftuXSW9xb053HjAkCcVo48j07b2cHfU1hxzGGptVbQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite
new file mode 100644
index 0000000000..34ced4b840
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem
new file mode 100644
index 0000000000..705827a85e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkDCCA3igAwIBAgIJIrmxUyPlrv3NMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
+JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMTgwODIy
+MDczMjI0WhcNMjgwODIyMDczMjI0WjBQMQswCQYDVQQGEwJKUDElMCMGA1UEChMc
+U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVz
+dCBEViBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnTNi5Kgrt
+FL8qBuEmpL2gvLFY7f9MEgjzClvic/45ebM+DxZ2CMuqtMtImgf8XPIpLaFFbozx
+3VgqH41cmGHbpAoDRKpwfF1f53peHYhRxpOVgcnsiVCPZJPBPCUM9St+cuEjfo0d
+YGbr3aG5urdT2zeKIFyxKbggdkU0LVRHwvLFsIpXCn/YK/8Rmx87yW9VB80OXkzf
+IQoZop83+aebq1VwzjNCN3u4bWSFLYDyJGqE40WlZ53NZh+TwBsa6gld9YXPGQfx
+k8x38zkFXberlMQOYhX9KyuTOMdlFkbx6LfIUqVKJavpcr54+XPzVyeroNPpKxtZ
+mEqUYiFjAqUVAgMBAAGjggFeMIIBWjAdBgNVHQ4EFgQUT4twz6lAHJbllF13rNZv
+TS2b8ncwHwYDVR0jBBgwFoAUCoWpd2UFmHxAgfgPlyw48QrsPM8wEgYDVR0TAQH/
+BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwSQYDVR0fBEIwQDA+oDygOoY4aHR0
+cDovL3JlcG9zaXRvcnkuc2Vjb210cnVzdC5uZXQvU0MtUm9vdDIvU0NSb290MkNS
+TC5jcmwwUgYDVR0gBEswSTBHBgoqgwiMmxtkhwUEMDkwNwYIKwYBBQUHAgEWK2h0
+dHBzOi8vcmVwb3NpdG9yeS5zZWNvbXRydXN0Lm5ldC9TQy1Sb290Mi8wQAYIKwYB
+BQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vc2Nyb290Y2EyLm9jc3Auc2Vj
+b210cnVzdC5uZXQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
+ggEBABEDSrrhhR+Js5q45yih2Ne4cMLZmrH0AZwU3eM+7HZplzi1EhppgvcYk/2k
+LM9haQGWnAZ5wiixLqKu7WlWrHgblZbXyCxALmMBK1rqeP0omxXExqKVqWNHU8KZ
+t3jahH1wDYSzfetM7guWR+PAPpb9oQCtAx8DVyI/3Ocswvti/uWb517Bdo6Nd0+9
+mf0LiphNKcSzSFX0s1Cb47cJROYHGBe2J6NUSWR7wE0asPtKsznGyNO+NJCUR+0h
+OLN2cA2KJwPhZjYJt8UkucAF/EE7qC0Fc8B9Q/gttQ52en5BZxdkDrHCi4qnsSvi
+gueQme/RzYkEaQlNT1WCZ9AIgVE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem
new file mode 100644
index 0000000000..195d2d8ca2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF4DCCBMigAwIBAgIQC3d196+a5UJlyc0yVxB3jjANBgkqhkiG9w0BAQsFADBQ
+MQswCQYDVQQGEwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4s
+TFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVzdCBEViBDQTUwHhcNMTkwNjExMDUyMjEy
+WhcNMjEwNjMwMTQ1OTU5WjAUMRIwEAYDVQQDEwlza3luZXcuanAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeciw7C297026HA4oIwc29vL2h29GVrRF7
+HGdeXzAJA7kh+qwo8rTBFfdX7sgHy6nnE1+flEtFt91Ss8i3BZMEqoFUZFb1jGXd
+DbQtmIWxz7O5skkjR1gdKwt9GImy1hEPt8dwU52mwVsSUEKvlZlsjeofUPAEbnYY
++iA/nYaYXiXyCxJzk6Y09VlzghyMIhkLwDa7rL3S9FgUQI6tSUwsiNYNoQzlYgXF
+yPfQfd57LbBwZJtqVPC6rjPOZZd0sw7uvrDNuxnAM2k2mzlML9Vwt8EvSlZX60xD
+oGQCsQQ/ZgjEQTA8WRZ+fxW/LqQNYYm70KU/1M+e8o4MKmA9xkH5AgMBAAGjggLw
+MIIC7DAfBgNVHSMEGDAWgBRPi3DPqUAcluWUXXes1m9NLZvydzA8BggrBgEFBQcB
+AQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9kdmNhNS5vY3NwLnNlY29tdHJ1c3Qu
+bmV0MCMGA1UdEQQcMBqCCXNreW5ldy5qcIINd3d3LnNreW5ldy5qcDBaBgNVHSAE
+UzBRMEUGCiqDCIybG26BVQIwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly9yZXBvMS5z
+ZWNvbXRydXN0Lm5ldC9zcHBjYS94dGR2NS8wCAYGZ4EMAQIBMBMGA1UdJQQMMAoG
+CCsGAQUFBwMBMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9yZXBvMS5zZWNvbXRy
+dXN0Lm5ldC9zcHBjYS94dGR2NS9mdWxsY3JsLmNybDAdBgNVHQ4EFgQUuj9305tQ
+JIeVAQtsz9JHx3PTqaQwDgYDVR0PAQH/BAQDAgWgMIIBfgYKKwYBBAHWeQIEAgSC
+AW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWtF
+Bb6pAAAEAwBHMEUCIHUQkmFzUh01r1Px/zWMZSL21dNNQwM+rN1z0gutxV3JAiEA
+jSb2/GAm4+2qiNWDtx1EkHsMXjNW+5S4GhJePexjJR8AdgDuS723dc5guuFCaR+r
+4Z5mow9+X7By2IMAxHuJeqj9ywAAAWtFBcdeAAAEAwBHMEUCIDVHdfP9wnVgz45l
+eX80DpRCRNEV/OCDwfW+B0g/dveYAiEArbpLQb5Z9hul3r00kF2LrivNuI7kwEBy
+MpkYsLtSPJoAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWtF
+BdCQAAAEAwBHMEUCIE2GUo6x3qDrIhacnCmjikBCHF2yT6Fv5GAehZB569YCAiEA
+vXwMXV8+y3xNFys+A6u9EjKiy8CTKv+SQxqsJ4s6jK0wDQYJKoZIhvcNAQELBQAD
+ggEBAAzlm9W+N5fviTJ9wDsc5nXKYur3744V/cm75+8dUM61Rko1isK6IZt5aNPN
+wOfhBsTzHHSYmAFMR9Xjoq8iDYZtIk01IGI6LEWuls9F2hVcERiHMWJOLTiH35xN
+vRNTG0AbBdIpTX2sURsoCPJ+8DTnVUr3pTzXnIY4EQ4UXfANuYwceOHShF6UJo/L
+PK0uRdHcd5SmMa03gFUdkTc9gU6PIEO/UgubazGh9xDBHtHECeleL+gpSfOP3SkF
+7W1RgmbE6WJdVPlto7FRQtl2xIzHs/gNaPezqNKPHgFlx4c+ECTjPLqoW8LdeXu+
+N8dueJg1+h+lQifkmgl23DqEIiI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js
new file mode 100644
index 0000000000..8a757c199c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js
@@ -0,0 +1,48 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests that cert_storage correctly persists its "has prior data"
+// information across runs of the browser.
+// (The test DB files for this test were created by running the test
+// `test_cert_storage_broken_db.js` and copying them from that test's profile
+// directory.)
+
+/* eslint-disable no-unused-vars */
+add_task(async function () {
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ let dbFile = do_get_file("test_cert_storage_preexisting/data.safe.bin");
+ dbFile.copyTo(dbDirectory, "data.safe.bin");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let hasPriorRevocationData = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION,
+ (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ }
+ );
+ });
+ Assert.equal(
+ hasPriorRevocationData,
+ true,
+ "should have prior revocation data"
+ );
+
+ let hasPriorCertData = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CERTIFICATE,
+ (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ }
+ );
+ });
+ Assert.equal(hasPriorCertData, true, "should have prior cert data");
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb
new file mode 100644
index 0000000000..df4cb182a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin
new file mode 100644
index 0000000000..011ed93484
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb
new file mode 100644
index 0000000000..dc4b50fdfc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js
new file mode 100644
index 0000000000..c444bdd945
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js
@@ -0,0 +1,83 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests that cert_storage correctly persists its information across
+// runs of the browser specifically in the case of CRLite.
+// (The test DB files for this test were created by running the test
+// `test_cert_storage_direct.js` and copying them from that test's profile
+// directory.)
+
+/* eslint-disable no-unused-vars */
+add_task(async function () {
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ let crliteFile = do_get_file(
+ "test_cert_storage_preexisting_crlite/crlite.filter"
+ );
+ crliteFile.copyTo(dbDirectory, "crlite.filter");
+ let coverageFile = do_get_file(
+ "test_cert_storage_preexisting_crlite/crlite.coverage"
+ );
+ coverageFile.copyTo(dbDirectory, "crlite.coverage");
+ let enrollmentFile = do_get_file(
+ "test_cert_storage_preexisting_crlite/crlite.enrollment"
+ );
+ enrollmentFile.copyTo(dbDirectory, "crlite.enrollment");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let validCertIssuer = constructCertFromFile(
+ "test_cert_storage_direct/valid-cert-issuer.pem"
+ );
+ let validCert = constructCertFromFile(
+ "test_cert_storage_direct/valid-cert.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-10-28T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ let revokedCertIssuer = constructCertFromFile(
+ "test_cert_storage_direct/revoked-cert-issuer.pem"
+ );
+ let revokedCert = constructCertFromFile(
+ "test_cert_storage_direct/revoked-cert.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage
new file mode 100644
index 0000000000..2bd13319e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment
new file mode 100644
index 0000000000..aac0238188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment
@@ -0,0 +1 @@
+3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ;Ò§mºÝÚbØgåt (M‡T³ÕNTbkÕÚ $ \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter
new file mode 100644
index 0000000000..34ced4b840
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin
new file mode 100644
index 0000000000..d96571f128
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js
new file mode 100644
index 0000000000..45ff78a253
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -0,0 +1,324 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(cert_name, trust_string) {
+ let cert_filename = cert_name + ".pem";
+ return addCertFromFile(
+ certdb,
+ "test_cert_trust/" + cert_filename,
+ trust_string
+ );
+}
+
+function setup_basic_trusts(ca_cert, int_cert) {
+ certdb.setCertTrust(
+ ca_cert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL
+ );
+
+ certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
+}
+
+async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
+ // On reset most usages are successful
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Test of active distrust. No usage should pass.
+ setCertTrust(cert_to_modify_trust, "p,p,p");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient
+ );
+
+ // Trust set to T - trusted CA to issue client certs, where client cert is
+ // usageSSLClient.
+ setCertTrust(cert_to_modify_trust, "T,T,T");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Now tests on the SSL trust bit
+ setCertTrust(cert_to_modify_trust, "p,C,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Inherited trust SSL
+ setCertTrust(cert_to_modify_trust, ",C,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Now tests on the EMAIL trust bit
+ setCertTrust(cert_to_modify_trust, "C,p,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient
+ );
+
+ // inherited EMAIL Trust
+ setCertTrust(cert_to_modify_trust, "C,,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+}
+
+add_task(async function () {
+ let certList = ["ca", "int", "ee"];
+ let loadedCerts = [];
+ for (let certName of certList) {
+ loadedCerts.push(load_cert(certName, ",,"));
+ }
+
+ let ca_cert = loadedCerts[0];
+ notEqual(ca_cert, null, "CA cert should have successfully loaded");
+ let int_cert = loadedCerts[1];
+ notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+ let ee_cert = loadedCerts[2];
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ setup_basic_trusts(ca_cert, int_cert);
+ await test_ca_distrust(ee_cert, ca_cert, true);
+
+ setup_basic_trusts(ca_cert, int_cert);
+ await test_ca_distrust(ee_cert, int_cert, false);
+
+ // Reset trust to default ("inherit trust")
+ setCertTrust(ca_cert, ",,");
+ setCertTrust(int_cert, ",,");
+
+ // End-entities can be trust anchors for interoperability with users who
+ // prefer not to build a hierarchy and instead directly trust a particular
+ // server certificate.
+ setCertTrust(ee_cert, "CTu,CTu,CTu");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
new file mode 100644
index 0000000000..8131655251
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUZUAG1XrIsypGQCcYFFUTqaoZw5MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA+F3G6RbYWkt2VtLqA43GkRvQg
+PZGNxGlXGWazQRKDLXMFtbT9FG2l7nRQPPKhoaeKd+36zBPxgwJaC1+N5e9nxAm/
+YUY4ipA7RAaUf0l6hCyCNnbtd6o6E6hnU4ucX7GvgGQQEdXHPIpzF3AfVZviHVpl
+5u02rYNB6wGC9/vSsNKhpGYaIOB2yFzbXhwH4YqC2VwfpukNuSQ7oywFbH2IIj/5
+ik3Mp8uwL1qQ7XcF9se5rtNYcWzNe0aMKS7s/vRn1QeYp5Jsq6kEn0/aNvEmDskR
+GAGbbQ/4CQqKH2vqKQRq8KbDlzsxmfEF8cDZzvXZHWtQmGGURy/4ZAytgXFT
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
new file mode 100644
index 0000000000..d809dbd635
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
new file mode 100644
index 0000000000..26d9c4bb0c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUBTLnMBdk7nC9ESAE2f+8kxwS7wwwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozUwMzAxBgNVHSUEKjAoBggrBgEF
+BQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF
+AAOCAQEAHWVweJbi7RcBDHJ5c+M9O4LfBbY5F7yUfj426fFutBIYT7gkdZBOLLBA
+FXbXMq9OJr//iiU7KdPAk5jeDCKJacP1tDi8vEBG51lt6LDfTYRPn9ncPqlwspIM
+xa/Z8yBFfLgwy3NwkuyxLwWsYCNBkTPbumJXYvnyLju+cGLMmToV24qkMLYNg6m9
+316aao5kx9Oo29qmbnUDK1VUjc6ko64ilPH5RxW4HAjhTYN9unY13F+x1i8rrAA4
+29BXxG31UVZA4Jv9KE/Ck2CMAQteuSTq1tgJaklGCwhDg7ARa4lPIANN8v/yiKbJ
+ag0EYzra8S1FUoXKsaH/B1falyDt7g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
new file mode 100644
index 0000000000..9666c18062
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ee
+extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
new file mode 100644
index 0000000000..b31a9cda93
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUe2LIDV1Nhfro/wXnL4PUQK5N24QwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjQy0NtsF3aykS9j0nzTjuaXO
+H3lWVMJJBYNZw0YcFUIfTFpkAdwLyvWrw9vpNBURseXog/pFe+Wo1vh7LtESg8Kc
+WFnE7LWeZSzOLgUTRPuHU45ehkaJpAOXaBUo/RNNYykE44EVIXvNCUuPe06SfSnD
+fSHNDdrg0jv4V+Xjoq+8+yhBNmjNNylBMfZmj7NiN8ZKka+AovStBoxuvSD6Oef3
+ENuMtUH10KETCkUf/u04RMU8sTZP65zg2xQ3hcvDAoJvIwwaq/TtcghO0AcD6RbN
+yoHIgJe2TiWRltAPOTzm/2OmUGOHin1p4DCA7usZRpU/iRqr06ZZFzBtj+0v4A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8.js b/security/manager/ssl/tests/unit/test_cert_utf8.js
new file mode 100644
index 0000000000..caeddd8158
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8.js
@@ -0,0 +1,79 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function run_test() {
+ // This certificate has a number of placeholder byte sequences that we can
+ // replace with invalid UTF-8 to ensure that we handle these cases safely.
+ let certificateToAlterFile = do_get_file(
+ "test_cert_utf8/certificateToAlter.pem",
+ false
+ );
+ let certificateBytesToAlter = atob(
+ pemToBase64(readFile(certificateToAlterFile))
+ );
+ testUTF8InField("issuerName", "ISSUER CN", certificateBytesToAlter);
+ testUTF8InField("issuerOrganization", "ISSUER O", certificateBytesToAlter);
+ testUTF8InField(
+ "issuerOrganizationUnit",
+ "ISSUER OU",
+ certificateBytesToAlter
+ );
+ testUTF8InField("issuerCommonName", "ISSUER CN", certificateBytesToAlter);
+ testUTF8InField("organization", "SUBJECT O", certificateBytesToAlter);
+ testUTF8InField("organizationalUnit", "SUBJECT OU", certificateBytesToAlter);
+ testUTF8InField("subjectName", "SUBJECT CN", certificateBytesToAlter);
+ testUTF8InField("displayName", "SUBJECT CN", certificateBytesToAlter);
+ testUTF8InField("commonName", "SUBJECT CN", certificateBytesToAlter);
+ testUTF8InField(
+ "emailAddress",
+ "SUBJECT EMAILADDRESS",
+ certificateBytesToAlter
+ );
+}
+
+// Every (issuer, serial number) pair must be unique. If NSS ever encounters two
+// different (in terms of encoding) certificates with the same values for this
+// pair, it will refuse to import it (even as a temporary certificate). Since
+// we're creating a number of different certificates, we need to ensure this
+// pair is always unique. The easiest way to do this is to change the issuer
+// distinguished name each time. To make sure this doesn't introduce additional
+// UTF8 issues, always use a printable ASCII value.
+var gUniqueIssuerCounter = 32;
+
+function testUTF8InField(field, replacementPrefix, certificateBytesToAlter) {
+ let toReplace = `${replacementPrefix} REPLACE ME`;
+ let replacement = "";
+ for (let i = 0; i < toReplace.length; i++) {
+ replacement += "\xEB";
+ }
+ let bytes = certificateBytesToAlter.replace(toReplace, replacement);
+ let uniqueIssuerReplacement =
+ "ALWAYS MAKE ME UNIQU" + String.fromCharCode(gUniqueIssuerCounter);
+ bytes = bytes.replace("ALWAYS MAKE ME UNIQUE", uniqueIssuerReplacement);
+ ok(
+ gUniqueIssuerCounter < 127,
+ "should have enough ASCII replacements to make a unique issuer DN"
+ );
+ gUniqueIssuerCounter++;
+ let cert = gCertDB.constructX509(stringToArray(bytes));
+ notEqual(cert[field], null, `accessing nsIX509Cert.${field} shouldn't fail`);
+ notEqual(
+ cert.getEmailAddresses(),
+ null,
+ "calling nsIX509Cert.getEmailAddresses() shouldn't assert"
+ );
+ ok(
+ !cert.containsEmailAddress("test@test.test"),
+ "calling nsIX509Cert.containsEmailAddress() shouldn't assert"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem
new file mode 100644
index 0000000000..ab0efc2cf7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUTz7zgoTkVoQZ1BOpZr4yFTOu/tYwDQYJKoZIhvcNAQEL
+BQAwfDEcMBoGA1UECgwTSVNTVUVSIE8gUkVQTEFDRSBNRTEdMBsGA1UECwwUSVNT
+VUVSIE9VIFJFUExBQ0UgTUUxHTAbBgNVBAMMFElTU1VFUiBDTiBSRVBMQUNFIE1F
+MR4wHAYDVQQHDBVBTFdBWVMgTUFLRSBNRSBVTklRVUUwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowgY8xHTAbBgNVBAoMFFNVQkpFQ1QgTyBSRVBM
+QUNFIE1FMR4wHAYDVQQLDBVTVUJKRUNUIE9VIFJFUExBQ0UgTUUxHjAcBgNVBAMM
+FVNVQkpFQ1QgQ04gUkVQTEFDRSBNRTEuMCwGCSqGSIb3DQEJARYfU1VCSkVDVCBF
+TUFJTEFERFJFU1MgUkVQTEFDRSBNRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNRME8wTQYDVR0RBEYwRIIeU1VC
+SkVDVCBBTFQgRE5TTkFNRSBSRVBMQUNFIE1FgSJTVUJKRUNUIEFMVCBSRkM4MjJA
+TkFNRSBSRVBMQUNFIE1FMA0GCSqGSIb3DQEBCwUAA4IBAQBgHgU9AH3Ajyo5hoiK
+SJ6M/Qk1FMecpFox6Fe5krk8K8ECqa+lFXBT9HnYMz5q9dT7++KPrtTNGx+7YUc7
+fRTmhjNMkIiODHTfOeJcc0HadMyP810f6XGoDDQDZqNbcDp5hB81GWZEoiCovhbe
+m6rwAKb1sznP16impejUZTHD7EalmbxyIgfl2cX7pjtt4MSsg1EJH3OwSNfMTp4t
+X8tm/x9H2auazAedeRV4dZy5NiueVuQgqi3vdjyf9lZUDkmH5GofQwQEzdVKb6Sl
+J0OrIn3o8pKrIL5Hc6CGtWrkOCvlWyiHl/1KwwMrZRMzyAFoTum9fRuaDrqV8bsJ
+S9ky
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
new file mode 100644
index 0000000000..6579ac5550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/O=ISSUER O REPLACE ME/OU=ISSUER OU REPLACE ME/CN=ISSUER CN REPLACE ME/L=ALWAYS MAKE ME UNIQUE
+subject:/O=SUBJECT O REPLACE ME/OU=SUBJECT OU REPLACE ME/CN=SUBJECT CN REPLACE ME/emailAddress=SUBJECT EMAILADDRESS REPLACE ME
+extension:subjectAlternativeName:SUBJECT ALT DNSNAME REPLACE ME,SUBJECT ALT RFC822@NAME REPLACE ME
diff --git a/security/manager/ssl/tests/unit/test_cert_version.js b/security/manager/ssl/tests/unit/test_cert_version.js
new file mode 100644
index 0000000000..5bf8dd180f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -0,0 +1,304 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests the interaction between the basic constraints extension and the
+// certificate version field. In general, the testcases consist of verifying
+// certificate chains of the form:
+//
+// end-entity (issued by) intermediate (issued by) trusted X509v3 root
+//
+// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or
+// does not have the basic constraints extension. If it has the extension, it
+// either does or does not specify that it is a CA.
+//
+// To test cases where the trust anchor has a different version and/or does or
+// does not have the basic constraint extension, there are testcases where the
+// intermediate is trusted as an anchor and the verification is repeated.
+// (Loading a certificate with trust "CTu,," means that it is a trust anchor
+// for SSL. Loading a certificate with trust ",," means that it inherits its
+// trust.)
+//
+// There are also testcases for end-entities issued by a trusted X509v3 root
+// where the end-entities similarly cover the range of versions and basic
+// constraint extensions.
+//
+// Finally, there are testcases for self-signed certificates that, again, cover
+// the range of versions and basic constraint extensions.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+ return constructCertFromFile("test_cert_version/" + certName + ".pem");
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(
+ certdb,
+ "test_cert_version/" + certName + ".pem",
+ trustString
+ );
+}
+
+function checkEndEntity(cert, expectedResult) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer
+ );
+}
+
+function checkIntermediate(cert, expectedResult) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLCA
+ );
+}
+
+add_task(async function () {
+ loadCertWithTrust("ca", "CTu,,");
+
+ // Section for CAs lacking the basicConstraints extension entirely:
+ loadCertWithTrust("int-v1-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v1-noBC_ca"),
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v1-noBC"),
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+ );
+ // A v1 certificate with no basicConstraints extension may issue certificates
+ // if it is a trust anchor.
+ loadCertWithTrust("int-v1-noBC_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v2-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v2-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v2-noBC_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v2-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v3-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v3-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v3-noBC_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v3-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v4-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v4-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v4-noBC_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v4-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ // Section for CAs with basicConstraints not specifying cA:
+ loadCertWithTrust("int-v1-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v1-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v1-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v1-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v1-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v2-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v2-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v2-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v3-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v3-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v3-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v4-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v4-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v4-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ // Section for CAs with basicConstraints specifying cA:
+ loadCertWithTrust("int-v1-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v2-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v3-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v4-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+
+ // Section for end-entity certificates with various basicConstraints:
+ await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
+
+ await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
+
+ await checkEndEntity(
+ certFromFile("ee-v1-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+ await checkEndEntity(
+ certFromFile("ee-v2-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+ await checkEndEntity(
+ certFromFile("ee-v3-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+ await checkEndEntity(
+ certFromFile("ee-v4-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+
+ // Section for self-signed certificates:
+ await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+
+ await checkEndEntity(
+ certFromFile("ss-v1-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ await checkEndEntity(
+ certFromFile("ss-v2-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ await checkEndEntity(
+ certFromFile("ss-v3-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ await checkEndEntity(
+ certFromFile("ss-v4-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ca.pem
new file mode 100644
index 0000000000..84c82941ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUJYv6JJKA2mbX4KBRghATFqp+TckwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCMsgBmasgEbA7F/RDtbJM56xPl
+k1190DI+zwk2/n/4QWCZSHeH7U+C8SRrKqs0CZX1Oaj4bRcaBfhipoy9FOtc4a6D
+ibRyZAmZs68dt1mLar6qF5V2s45A5O2rmVF8ZwUq3hZiwrLT3OSX2owaVK70qIfl
+1K1oUKNJZapO1ZBBLz1SlLNc3irg1gPiIewR2YAWI56bP91RNHZ18b42utSOetTe
+ojC/4Rzu4O6wSWrFV+wUa0bKg41uV0PV4hpBTL22hS9HBgNz1C1EWdhHqIdpibmD
+bpc+shHFflt35xoZwUtboV7/2s3tYLyXZv/rJmyex47nLNvaoXz4/WSjrRcI
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
new file mode 100644
index 0000000000..8689ef9ea1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..964b879474
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwDCCAagCFFVRy1zA0UcvELdeXnVBAIQOtIbfMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBYxFDASBgNVBAMMC2VlLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNVHRMEBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQC4p7KcEw3nuFjHOtQjRXwgZlL83gZc9aJX0uT6
+hHzJIZr9LQIChkoscwfXiqROsT6pzP5KEDjBUxi7Ny4kh/6ZOYJ1eyrOmWZudF4h
+1KcABWvumR+I+t8+Lqc2/RSgXJRITQgEnaR90u/HS/egnaDXt8lig3eQnVxPKVs2
+ubuXsaj3DvvlpeDn7/g7c2TRuEZ3SGI4u6GdAYiyWiVTPWgIZizFIdVnfisKcJpN
+OXXNSbMdh90UiQ+T8mb/v5j4GDf+oZsj+pAOrRQKyO2LrAuqjdwkgHRG4QogKsk4
+yLXmbFHB108nMbqOheolUJ4d6OzG8XtPYbRe0avKEu0ApMi2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..4570e6e3ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v1-BC-cA
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..4853b3e3f9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAakCFDcGYpOvwTC6XLW4X8wP9Tjg2f7/MA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBoxGDAWBgNVBAMMD2VlLXYxLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMNMAswCQYDVR0TBAIw
+ADANBgkqhkiG9w0BAQsFAAOCAQEAHAlMthnDdaDoM1Rdn37koSyCE2pcsvrFvHxw
+CSUpWZYJ13HPVJutEqv+Y5N/sVZuis1nphXRLz0GkXoZAkl1C1YoVoA08LCq/Jea
+Q/A7B412DQoEp1RaLpW2OkSYtVSCNmvulhV70a6F4zXGd99rl7cNuzoG0MCO7Iw5
+CiFVmM6bOdaChv3vaersxQQdSi90Gcqr/ftwCi+gPF4DxoIQ1JJgERtfwqu45Q0c
+ImuhWQCXbq0QD+/f6t8CHNcmOcMLvIW705I0+4cMB1pWIj2SRlqeQ8EsPAYHM2t0
+FbKGzoWPCybHUxn/PHLcIfFl2qFbUPy4ps+Br6X1b6YUxX19Wg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..f4257841fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v1-BC-not-cA
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem
new file mode 100644
index 0000000000..6b58f530ea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrTCCAZUCFH+57OBmUjCZYw2Ge/do2rZouE9dMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBUxEzARBgNVBAMMCmVlLXYxLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AHW55SbY/YY/Hh1E+z1nHRaONh0QQ5pNS93ook4Brk29N8EueX8AzqWGn9Tmh0T7
+SrLIeI3xzDlGVOU+K3NRN6SXyOYdVIHPZXFKCthGb5Q63WZQSoSAdkozc7yrtXcq
+HnlA6uGborbz21CcAfE036s+bZ2UH3u5o145HuI9TrcfwTQvo/l8QPOk6W8ifwSv
+970y1VXndJeC2qStKtOuji4+qwLWnW7RaJNIU6cJa1iHO5UJwliQwi7V1HqQxoXT
+DF/LPYXhb8F6FlYH/bFGhAlleo4RFfBPrqxPfJbnJwXuLJav2dAIQm4JqpOa2d9q
+gkx1pIWrzTwE6oYUsxnTCkU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..48fe9e5416
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v1-noBC
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem
new file mode 100644
index 0000000000..b3f48c069d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAQIUWZgHFAWFqkuCRDmxIf5dm4aDb6UwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjItQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDE3MCIo4Ao8WFYSw0SWCVCChlkMxO
+THU8kVk/XB5GrzGxdJ5TpVPNffE3yulZlsjuBGD4KhbTaJadDlNRBMRqp6ze5CdG
+TEsCTRtJXEB9kW7eGPIN6OzAaCjQb8TDQP15jZKUzSa1A2EpV0ZyjA5WSBjB6nIl
+Njelpm+HzkJHs+mo9Kfz7zLYrDYwQVnv6FdKsltXPFBF0hqrxcIVJJDA+bL1WFIT
+g1qpIdx8M2xUQvDGKV/4Ro2/2Q8Y16tKiXrK0FK1hw2oIB/AheuRwQLOoIvRhnnk
+Bbh+COp/nTRNTdUQncymUUZCida8jBDHBA//ePdPYr7on/XTs9IpGqI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..f714725d2b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v2-BC-cA
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..18d23ef06f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAQIUEYwmTGst6bjYEQG+uqyWWF38j6gwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjItQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAsB9fFlLubXkLZ3LzD6tK28NfuRWFR
+d5eBooSyvu82umf93uT/H4xIC2XrmIZZh3UQ2EJM+oLe2i8cMACPi9yJPl8qaVfT
+mXLX9QvVl35jxfVM56uDC+QegeL/DGh3JAR3EpBFbyyp725LfCTsY5KIi0cp/E1s
+ORL2rrWwd6h9PuclTBMu4pYk+n4s5i/ZWrwa5Zr4zpwhQB2MGcisq0woTnI2HRSd
+W35oMOkjH/QkqcJrO4OdzrXScZcuHt6FbQP4l5IuWSW7slNhVJRKj9V0A3YwpkWM
+t8/HBOIFnSwtqfiWRhtL+/+nJ1cZr93ZO4mrNgRP9v30z2zhSgd45CIR
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..db72288814
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v2-BC-not-cA
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem
new file mode 100644
index 0000000000..cf01b46745
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAQIULz5Y7h71TVskCdD/HXd4lyWpKt4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjItbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAFuDDOtQH1QsOJA0DRJppIArz9C6h/nZzWS9LuoHvwP4/S+sf0QrTtPgQ
+5gCvIpo/5lb/gCmUV9kkWw86pNNW/B3dBbKIbfBR611LTV4tBW91IlVDe4qYn7+a
+lPDu3IF66egIpDF/OIQ0sgvLqj3qtsG3mR5KBjb24l9LPL1CY6REVS7SYG4tA0SQ
+BBDiwzwd0CUcFb1P6KRekQSNCVn8A4w5/CM+cG9utp13CVrLRPAhIPP7cjHRBM7x
+X4MVh3dLLowW/auXMpSNKgGRfoEfGjYtaAxYfmnQmkmvcX6MKZ7nD+i/Wxaeaycj
+d6sQBP3Q+WfYK0+K+cd+lIL3ZJMcrg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..cc304ab87e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v2-noBC
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem
new file mode 100644
index 0000000000..57dfc5bc99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAgIURxj6f/OML7KaPL1omJsuIItKf0UwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjMtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC7oIvDnOBvp8lr2Q8EfRtB7bd1MVADT
+ZeDWLRhcu7PQg9/xYVM1kbP+VSIZEuuEALMIzVGrFp6n6DJyt/t+RMz1WuvQhdZe
+SELmtR+wYH8tWjaBXuCyigkNw5e9HnaXhUoNg4/KUwytQDNWq2UmNJ2r9TQ9N/C9
+/MwkMI6ASJGsA3oKkTw53Qkab9+hbVZbKRTIsQxnI8AHyk4I2iquvxrwBTIPcqqR
+UrlZCEyVOjC59aIDI9KSN+P3P5evN4yOR1zV6EpgRmvZKflABR5KBmh2uIzV7EOU
++I2Ql/OjOh3zy1NvMsu583PjfPHWVOd8Mnif0XwrqxGMRFxnE/aHAyA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..6f69c35743
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v3-BC-cA
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..29620c538e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUSykVpjIbgiv17yjdOeUYWttMbRkwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjMtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCD+yO/tIIci17r1epEG3CA424UZN4c
+CB331kxTmBz6cALMZqUoR4qbTyfDSXHoDAT6U1N2RW0SAZKEi0lFZzMesYXkNi91
+JpJRPH1/mEoYdOUP/cWXYJdFm7gKYQ4K/QSl66YghsTRym+iZ8+hnBTUxsAojEcP
+AzXEMoYoKnoS91iCKkZuMvjHwBjeKY5g+UWKPiyfnVxj/pEIEu/M+NfOPGE/5trF
+fcyaf2SfpEYalUk/Z5h54W2ndKy1CA0djcQyM1OV/w5tTRLPQwe9dAwdH+opOkfX
+iGwai81WH2KMRZcd+2qvL83+eZNioh1cJpNtTw389+6ItD60wcQoVwgd
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..4a9de06358
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v3-BC-not-cA
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem
new file mode 100644
index 0000000000..5d60fccc7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAgIUNZ4VX8V8IsXToRvOZRtJsoV0SZ0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjMtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAJ3bauHWBfv3bdZ5VBMW0faWGpLEY+z9Sg3NcV+IPHpfUw+XGsZsTt+Rm
+/3R8dpEGFclAXEeyJoOeVPkybh17RCt4kZTvZzoctzl7UcwXoboJXiCJCFySR+pY
+bD2kXXDKZ1g2GDoVjMB9JmMmWdCAH7o0OtQ9XUfwjhL4vNKCrsOvA9pGP2f1i0wP
+Xww/l7JlVEYN3u4AW0WTtsaFwAtmozkIbilrnfXkZRX2Iw6gi7nF7A6k5cGgK6PE
+3xvbKh1RWveQJGDPqx+oLMkxZT6Ixk1KSuKAb6ewgoW93l1du6KQYZwpK/jCzoZO
+XHc/t1g/HLGYHCevO167SikP/7Beww==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..9d385900f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v3-noBC
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem
new file mode 100644
index 0000000000..89ead9b087
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAwIUWyX2EHR0QgbaSz0WBnlqpKh3t5gwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjQtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBACSrB+Vt8BFxTIaxXVlSZ5Dd0D6TmTZY
+0f7eZqC7l6qbwlwdQ3Uhb/ZVZj6sm4aPycwGSkMu71MtRw1einRUd/JnhZQo7Jcj
+D031RKKmRryRKqrsebE4yJs2ei412VyK4uXmjqBnC4gYG8uLSlUKHuaz/EdmXLko
+LYHNxT7CqqlZd60ct+t8eNRghV+gL8uvAlANOy5hqUdIJL9CpoH17mUws2VcAlcD
+mi2qQXieiLmvCNeBXRVxa9DT2PpEmCZcQY9uI4fIlcyB5vu+OcDaDG5tv7kJOFFY
+wLGmShbqyiEJilreovmcoKOzAiB+5qdJvAH+xuERsdvs+jroxoqAYwA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..1f44c1dd27
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v4-BC-cA
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..38e3e0c5e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAwIUD2iQQyDuD/kaYvdfWMqBrOlJ0tgwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjQtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQC4FvMACdrCMu4gLNUJ8LFj3NWxH0ox
+0WuuWRTzFLl42hI96pRim5vCxQfJnpixhawZvtWfKQD4rAP4zK3Ko3xTOiioYc5X
+O0eJSXFPhNfCDtTOanLnWNyINVFYvSGHLmjlPDj2f4tuQZGkudvJTAgxT0IELhO6
+xGT6HgUAPb6wjS0OROaR1UIRcsKlghx0qkqWCtMeav0GvOjwY1BSWxO0QTShkwhj
+FvtSyKgB1AJ0pqWA3P/hWnybKDshJBlwq4VqmLKkS4RlSJp+Hw3/HpyXe/B16E3C
+e/uhKNVUIBSvoBQsvSjByBCYKODLAOuBjT40kZTiQ4wsinEU4dxfnYDE
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..e9659153e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v4-BC-not-cA
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem
new file mode 100644
index 0000000000..e5a4e75a9b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAwIUAVzROKWAcT4VaTSmazfbBEj5r+gwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjQtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAF5LhmI7dCeWNCq8N1bxgIQSwanSUYaz0ibJPbfaKtjoT3UKs99jt6pQo
++7zTHqi2aNLzywTW4w7QhKLPnnATFbLVK74XrdPfOrGJNNvcsGRf3V08O/tL/wpx
+QtLZ8jWxYDOewdN3mkwcAhNwioD6GvajoYIRUGHtmk4nQZ1LFMRIHDRiylCm/NEw
+CZCQArkfCAOW3kxfSlhlUfy8vbs08Fe0cQP+Phg5WwtZaOoZWnnXGdcjGR/pkeaL
+8sDeR79YnqdSo6swG/yR7yOSt/c21vUoLXK/sWKBn4ECcjcdn3N4Er5n+1/f6HPt
+zRpehsbYsjuac5UCXwf6aoG0Ua76Ww==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..19229ba766
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v4-noBC
+version:4
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem
new file mode 100644
index 0000000000..e19734b48d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUBT0xH5nYGVlq6UwzjV1QSMfnbbQwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYxLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP
+MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQAGIGmmLpYn2XLVwIvZuc/PNr0fiT2vPqA4bPyp/EXm6pwc16JjutRH
+W9IvqFikIECo0+oSUPBFCApCgbF9gBtrubZ1voX6ke5ylG5/q7S9WE5+RZxVpBK/
+oqG2meKgJN7JoQrF5C3faVHZa/xRr1kHgIIVDw9l+N83b0q+9itrq16NOYrDyWmR
+i1nbi0f5Ghtzi6iBiF0wOF/hVeHhWw/3j3ypEi8w3ITqc/xnjq3oa+F+4vqwexo6
+gTO/86sbyhcWbtuSEwv72ucMotx++PocXAkRJKDBzR01sPH/0M/WWKlJhQZ6O+eg
+r0svB3HO1u7XWCvm6smiX5xy1Arw0z/Y
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec
new file mode 100644
index 0000000000..6a7dc5c436
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem
new file mode 100644
index 0000000000..33b340b2e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUfel822zZsc+NJ43uF/ZNB48zNRcwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYxLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAA2GmQN2B5gGFd9VUuudJF44TSJL8J8BzbgzCtm0TFwSMowYG
+xiJeQ728F8eHeGzKDVDdqecNQEHzLe1uaLnNNJAuQupTi/rWgIL61/HGt6IhWA3+
+7sBYOsJe4YC7sLpvWKwMtt4Ki9j8aKu+0HN4RyQAgEUW+W7/BDRTK3Uc7cnllX/o
+qDB90igbEL/dn5Z8hTqUEdeg0jE2K2CWV88fnlLRH/Io1YJA45/shlRZ8Ixnvbg+
+Oq/voyxoG1XRMjM6uJh0jMzH2fbUOq7BqZ+WHpGDL6FmaOdirfMD+lw8Aog+i/LU
+gVIL/Z4+lHGb49UFB4f83hVxa5Y9JMgL3ObWEA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..639f83d660
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem
new file mode 100644
index 0000000000..30963844dd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUHb+ss9sUhuNu88x+XLeLxAw3YvQwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYxLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAAr7jmPJ/i/nL9iBIFv4ghVC8PaZvKryqwtjLTLwuF729qStqvy/PCkW
+BfNEhiqJCgZn8jnBbVuMpIknTQRLXXnK3rWc6X1NsLdFgPKC2PDj/eTiyueWjzpm
+Wl+Y+vHhtFyVOr4zT0AFKEx61ObyfqxmeqLXJn/d3I66IPRVyWq0qek6bD0cWHPC
+ZlSRl59IFskA33ffFv/xHyuEfZJgULzMuERLGHU+N8YL5/HgHbIputxoLg6nPOLm
+WdejMDnx/ov3JL0FS+BO3l+oX4JEP8Gk+hDk80zu2tTrVwPFgWlDgbZIPwX8rzFB
+scvKUTRFu5+3gDd8pVH21V5Kai0sk94=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec
new file mode 100644
index 0000000000..d704f3086d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem
new file mode 100644
index 0000000000..ebcef14af2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUQa2vmOFuQIcUEknPf+mySJZYVSAwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP
+MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQB/UTVHwjP5qiiLNpuQUGIrfYxqMe5a7GzHlq+TKgzTXhUZLeT9L0c0
+tWfyTQVOj/14LLoughDHCxFQU9PPWu5Zcn08gSzuXlxT1IUzKSvoxnd9ummOLxDx
+aBogFYgbXvhCbRBZGl3g8+1TbdrEU7+o91qj6Ud7jo0PEF97HTTWWOznvjH34YjK
+6J4BqUQY/NtMLlq9ggTe+4OHsXxJmIwf3T0e26nSGc0G+A6DdculS0PKL69ALsN7
+OqAbutudQiYdhUyOHzHHv1FXFS2XZ3tS0yq0JrXHnL8RhxP3RChBBBXJOzscGYuZ
+Q0RbJmvqIv+GLW6GqxeYhUqDP/1UyHnt
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec
new file mode 100644
index 0000000000..5d3a65e650
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem
new file mode 100644
index 0000000000..e03916e31e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUIw7nW045opL3An26Z8cQF5EwMhAwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAFM57PmhaejCsPcL2dJUXbysaivaIED9r6UvdLHahWIagWfLZ
+QRAaTGT3u03Yg3ptIw9yVDPJtP6PNbrr2/ZFXvfecUxYaxMFphklBUVG0lazS7pD
+Oz8sk7ruhWcsRnQwp9rLaNMvC4fP8gZQ5DWyOkzsiC4EZpgYUwGfT/RxEENqnSWZ
+BapNk6Z2PrnNXAKoZjkV17X86wwjSeYIxLtkXQFdDlfPeqkWM8KRNPdvzpG1M/Zc
+vivP5ufAbtCrHp5haU5Nlg6m2fjs4JxK0+EyC1c8abkl36TVQSpj7yEnWBwkiCat
+V9ep5JkyK5qLT2OGCXzIXelXA+IF/Qq0VrDBtQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..591a16aca0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem
new file mode 100644
index 0000000000..f1ed6869f5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUA/rb765ygQD54Le3G4Cs1yyzBsIwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAKtL/b4XIvCDeeQ7l7Iyk23fZyxn0HRNnyA37BCilDQr5fYJK35tteiN
+kboRwcHmOolh+w9lNzTJgej12MUMQDBbY+N4B89Nit4xmylFxsT40vj8ciEjvpVh
+hOGJYBZ+3Azu+eBBAB03fhldFwajVcaU9ySva9wGRKadQrjhjG4P+2s4QmYlvg1D
+vCHaelNOh+dCdCIbK0j3ICs7sLkxZXSwd40hSQot1lUocvJe2pClBjc3Ydg7jOk3
+dXP5cOoTkpoXih1WDxHnOx0QXGonLWUwKOFYUa+mFodRlFaND33c/im7PWt+HBN2
+f4GVJb4XkirP1IOnIAmcjNzwiTIK5Bg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec
new file mode 100644
index 0000000000..7f99393cf2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem
new file mode 100644
index 0000000000..a98b90f4a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUefke4gKDXqy7IPjilelBCDu7bRcwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP
+MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBrMCdlJ5eshrJdeo/7ch8WcrGhdAK2G3WKhcRIhWTD+G0GNcBfCbPh
+KJLgX+xHM0aE7tafI3FU4lz0jHtjsf9dU2qwoIg/8J0eJMxg840bYa3IK3N8e5Nr
+QQBRgN3Hyd3wZNIJLhHpQqRtyAzUTgpuMObUzbOHkwDAb1mqlQTWjGZBzstToRl+
+Xx3DkYmgZF1S79Ze4ojZbtyoS5LD4ZwQLSLnpvPOi2dA8MnXUxqvg/u1DAb6J2nV
+zH4z2bo/b1OgaW/cLHl0Xr4h9hkDeVfwjQOBpXEuS59xN96/D66+6iOif5tMwu9E
+mvsph4m61j038Bvlye7UKT6CjgldWRl5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec
new file mode 100644
index 0000000000..13af934f29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem
new file mode 100644
index 0000000000..b20f638bca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUO78FFcR701QsD+vhEppKK3wsDZIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAg2c/f/aD+ppS+ksoNqIvemHUsjQnHuUtvZrYdKjmEkokRX21
+5CzrmmUjBy5NYgtu+6J7c09E1U5MZOE0FwOlLYfQMgJ1rYnVh01o5mNLDXfCOZBG
+yyprmTNF3zwyde42nqfusSWjP8NaY1penWue/KtFerl8nrWVZA9LBgNboeDFVKMO
+b4t6r0g5fu5rfBh4Qh+0Bn9vyNRSGEGaM0psZWem5lFq8S+k+cWsIhg694BIFrCO
+T6vXhQxUzHjcZi0nGkufJnxQDVDCRF75muXPi5rBYVAB8bCss/7hddyBpxM+K7DB
+lL7SUzSQZ32bKOux4M33USslVcJD1dO4RJiOFg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..8539715a03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem
new file mode 100644
index 0000000000..c0f9f120b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUO+QNHqAJb4pTXht/k8UCPzcpyCUwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAFiNaZCKsCXUQPRj/EKoso/moCv/QgLjOgUIdDadCeZVhYIz7RNN0Dyw
+RZICFMn0P+dGpgEd4cQUZv9BUOpss2PZH6geuNVRvp2vN8wC5GAo0VN98dIGS96e
+RRGc1x77buN0pQpORKB9DsHd9XP2LSnW9sO/NSjbApkrREdJl0T+1CcJVO6CQ1Yr
+Zl9TPrDacBsQhBV08H6+NAMdoS3BnYFFFnnRPQBV008/0f4Qsj0U8k63LKBJBxuO
+JLOxRF5yQKWs7Iv7ETZizf9eV1W5bnbkxrBaB6uDZ2Bw38ZZNJkiETKvSYNuA58i
+7mKkskhI8f3ptLuYdehhT89Q8felZmo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec
new file mode 100644
index 0000000000..a65e41cea5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem
new file mode 100644
index 0000000000..1306f85ba2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUD9mjlZoVjfS3EEG5Xu47+IlGvZwwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP
+MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBph0HyYKKjKYZVkaicTpNFAvc5Q+w/wIXwsBlzhrej+APOb2eNeV+Y
+nbe9BOeYWbGTry6sibd9eL4Ng8ej7NDEKvRjGkel3GiegHSRZ70TioNnSGoeg3Df
+VH+a52b9Lfn7gS+Lz43IMEg8zz55bs5eHkUHpwCOZKeqwExifDbMM3wOK0bSJdOR
+08QRHCblPToPS7QGK+IQtN+2DhZyar3Mnk45GxckaLGYRezJu4cVbOk7o2TkwMbc
+KufwJrM9qglP8DCwr9POUgDAh7955Lv+9h9uD9ptrfGNrTo22qhU3776AMDwLhu2
+7gC5P+RTvV4a+Q5FkaEY2U66QRopAOi6
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec
new file mode 100644
index 0000000000..35a3a9ff36
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem
new file mode 100644
index 0000000000..11393b0552
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUFVVwfxYgO4bAguVPe+4QH6P/sJ0wDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAFzhirn4hAf3L8nBCIywulLfcITjmACfZnez3+xiTGak3oYsP
+JRtsoeVwNpPhwxmiEZffH+8mofKOB2JzPWTxwoIbLez3EH3ECDQzPzdhersvg1Id
+Bw9eoSbcyUcHe7o6igUV64yrdMqACe4lHSyNN+SC6W88hY2mecSp7fglwERZpUQL
+OtU6G3z8SzG3oUhYIegdLor+gnO/N8F1XF5xC39jjl0P4PDUiaf5x//KVhTueBk1
+3DszurRdgqmHfOEzY1tf+jxc5Lo7X0REY13jJmbleaNA8GqpvDffPLzGD3GOUT+H
+e1+T7awJUKVXPMlfzm061NHopQJ4Z7L/iI2cEA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..7627d3a8a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem
new file mode 100644
index 0000000000..297cbf65e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUDWpVe1isv8G4pH8XXE8FNGEjbG8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBABr4HxTCzrA5IahEU9K2Y8GOLbiXAeU1CEOMLFqtXCV7CF90IlyjHjax
+ANLRXea0Q7uMU7yJH7fsdg+NwjWmC4EpQyalU/5HbPsPQv540ofVZJK5Sup+ppRT
+8Fue6rTgMrpzwbQ42Qi3L5u/fBIDfDfvvBJGTLdZwGB4292Nnl91FZgQ45XgLCK4
+H/vG3a/YbMCi9zHfbHEsYrXzD5R+LaB7n1cyi1RCqct+swHVRYGgbJ1j5FTx5JCz
+DHDoKcBoza8ewfwVrFxvLkF76UJwE4pavA8fqtQZdyctCSRSY0GpgK/Oeq1y09fB
+ZHYkTVDlvJ7aE+s2Uf949ZBdckomX0M=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec
new file mode 100644
index 0000000000..a780337539
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/generate.py b/security/manager/ssl/tests/unit/test_cert_version/generate.py
new file mode 100755
index 0000000000..2afaace3b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/generate.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This file generates the certspec files for test_cert_version.js. The naming
+# convention for those files is generally of the form
+# "<subject-description>_<issuer-description>.pem.certspec". End-entity
+# certificates are generally called "ee". Intermediates are called
+# "int". The root CA is called "ca" and self-signed certificates are called
+# "ss".
+# In the case that the subject and issuer are the same, the redundant part is
+# not repeated.
+# If there is nothing particularly special about a certificate, it has no
+# description ("nothing particularly special" meaning the certificate is X509v3
+# and has or does not have the basic constraints extension as expected by where
+# it is in the hierarchy). Otherwise, the description includes its version and
+# details about the extension. If the extension is not present, the string
+# "noBC" is used. If it is present but the cA bit is not asserted, the string
+# "BC-not-cA" is used. If it is present with the cA bit asserted, the string
+# "BC-cA" is used.
+# For example, a v1 intermediate that does not have the extension that was
+# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec".
+# A v4 end-entity that does have the extension but does not assert the cA bit
+# that was issued by the root CA has the name
+# "ee-v4-BC-not-cA_ca.pem.certspec".
+# An end-entity issued by a v3 intermediate with the extension that asserts the
+# cA bit has the name "ee_int-v3-BC-cA.pem.certspec".
+
+versions = {"v1": 1, "v2": 2, "v3": 3, "v4": 4}
+
+basicConstraintsTypes = {
+ "noBC": "",
+ "BC-not-cA": "extension:basicConstraints:,",
+ "BC-cA": "extension:basicConstraints:cA,",
+}
+
+
+def writeCertspec(issuer, subject, fields):
+ filename = "%s_%s.pem.certspec" % (subject, issuer)
+ if issuer == subject:
+ filename = "%s.pem.certspec" % subject
+ with open(filename, "w") as f:
+ f.write("issuer:%s\n" % issuer)
+ f.write("subject:%s\n" % subject)
+ for field in fields:
+ if len(field) > 0:
+ f.write("%s\n" % field)
+
+
+keyUsage = "extension:keyUsage:keyCertSign,cRLSign"
+basicConstraintsCA = "extension:basicConstraints:cA,"
+
+writeCertspec("ca", "ca", [keyUsage, basicConstraintsCA])
+
+for versionStr, versionVal in versions.iteritems():
+ # intermediates
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ intermediateName = "int-%s-%s" % (versionStr, basicConstraintsType)
+ writeCertspec(
+ "ca", intermediateName, [keyUsage, versionText, basicConstraintsExtension]
+ )
+ writeCertspec(intermediateName, "ee", [])
+
+ # end-entities
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ writeCertspec(
+ "ca",
+ "ee-%s-%s" % (versionStr, basicConstraintsType),
+ [versionText, basicConstraintsExtension],
+ )
+
+ # self-signed certificates
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ selfSignedName = "ss-%s-%s" % (versionStr, basicConstraintsType)
+ writeCertspec(
+ selfSignedName, selfSignedName, [versionText, basicConstraintsExtension]
+ )
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..65788e2190
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbYCFDMToE4TKwoJrRFEIWin02eKF4D+MA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBcxFTATBgNVBAMMDGludC12MS1CQy1jQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG0KdsktfFzQGcr58b5x
+ZzWPxx51X+0umEEks+oJtUicn6k9abyC6V0EF4hP98Civ9xicchxWsgJX6pn/f5m
+PJ7OZLJEdw1VK+MQsCuOfLjL9aQDGm1y7JyEjBE4jw8GI8ovdwJNKDADXsD3ramn
+Z9XDpxVFXbNNwjGoDnBx7woF5qB0W/ZElbGVAvmse9ART52bCd1CDF1uWYEJXkHa
+bTsAziS9RFF9d7R2vYonwJbV6aGOKQ5BgXP10GWcezgGZymwaRuaJArtu6HcRflf
+TOHumXMueXcQHD0QYfV7GU3YyOwJBM3s8BIZWBphNfusapgZiRKyXaPyiwpc2NIV
+z+0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..77f3ae9147
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v1-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..d1369fbdda
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbcCFFOzCj37KlSP1SKZCkWORw4lt4fPMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBsxGTAXBgNVBAMMEGludC12MS1CQy1ub3QtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAsGA1UdDwQE
+AwIBBjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBHgLF5KhgZfWzEH2Jc
+zF6myuizV377LX99uyskuKqbMCQRaUFmaBbQ6g2SYiSrb6wIR02LTaJ9EL39lIlp
+U+IGCAk0FsrcDc4OH6Z/QL4qC3foqIctdLC6lOGGfeKyeLFCCwvyLx2cS9yQEQ/j
+BnVjpwENCx2lLrBuTBWn28Rk9rbanhf7QApIp1U53Lpmbo3Ax1zLMlWlfSzfapvR
+k1z8cov2HPyrOuXToRsubdq0T00GY9j9LBwJocCfwlNbw3aqAAXouaR5sTdwwwEQ
+5qCVeJtCu8tA+bMVC0SsUMiY5FCZEV2skKb5Ww6cRPipAQNvkjZ/7P5u+Gb3C5rV
+w9IC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..2a366535b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v1-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem
new file mode 100644
index 0000000000..574cfec262
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvzCCAacCFCWAJwB3SeBN/snVnkeVbHEnb22KMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBYxFDASBgNVBAMMC2ludC12MS1ub0JDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBADjWZ0swsQ1tE58wYcooARKJDp+ynL4e/i1zvIhz
+pAJJppP7f5BktvjNHyf6Bev/6pUIS6uWJMx2/zh/O7mD4QnmszgLICqWYUBoJJWB
+h34HdAKpq3tZDCX11uDL+BE9ZcEtGhizDY5kky88Z3VpoavSN0y3VT7VRW6ioK7a
+ow50Cr6dSYZyE77PhBViWRpgHgQIpPBeMsrYh9Nt+4eMwFfOsYajoP1SYc4QiSEQ
+fCg2g4w+Iwf+Rd260Y242q9b20EdsG+kmE5t+G1HTFHmsTtgoDquwPKS0xKUoMEV
+JCy8oU8kmuUS7D7Arm2nzxS0+aY9Bq1h1zfn5vTAdCuaz7M=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..63bf6ed737
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v1-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem
new file mode 100644
index 0000000000..4eaf24dfbc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAQIUP4J09v+wB1mdidjzCP6DbDeB1IIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFyM1M3A1xa3F
+ir8yHwnmB7LgmqdjiEPg8YxpActQ57qyid8gFcmIjDJncZgRHB2SpFHGdgUBV9N4
+3jyrtGU69+PWUNe7mnRNMARBItjauwQrtP2MaI3NB3O+pNqGrBBz1XhUWb9mkmm9
+Xi/gHTKVYX7fiFGSE8743Pp5ct0XnVICE6LcvlL4hlBLvpFYVb6bqpj1/m20m4HF
+wSEK912YFvJXwrHcGWC8i8ltmwRyZiRYCYiwZ/T5YX5UunkEimd1PS2M23Nu0hM5
+E9pCM6QTW0glQkuy/f46vfCtuQdNPBSM5/nizqAxqAiI+C5o72rDHj5ufJNmYFoe
+98cs8l6SvQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..ca1bf67a7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v2-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..eceb7b5f96
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAQIUIW9TLVTTseA70dK1dOagZQKGWJMwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAA/+CcSehLRv
+LRCmdq/SZl5sniK08RK8aTjvvvFdgwE1+qjrh6MGp/BNKiW6iK6ZY4Nzecm7tHZR
+Qx2BtsDi92dZR5UfsbHzy+wqoZzOkWf3PkuxB6nZ5LKsegCHGiRSGels3Iji9tsA
+pzYjZ6Wv6kx45+IAKp0Hyh99ls5Qi4VQS2UkYdRx3vVisEa0aKaOqkAWyHdtyT/P
+WPPb10l8vvH/hPxagz56gmMsWxctF7O4VIWboTX7bM2pw/nJbJUVWz8hvAp8TZDc
+OdM70k9KEhTO7KRvovlmKbwhUHVh3aa3nFfc89uux3AV+6RJnu63+Y7UdyDqC6sy
+78IwYD4cnzw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..fc28ff150e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v2-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem
new file mode 100644
index 0000000000..2802da20ef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAQIUDz652YsUwHYIvm3ITbhQHnQKzn8wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAl6iXL3yO0+qeEMIqdt1OOyHXcwuYgzlb
+VOLcC7eDB0bpvuEM94K2GKRrgcPooQjkiz65p0+Og3XI2WMffpQu3uJZh9jmxPaP
+mxYAlVm00HfOfoikhhAXhog1mEAPpo2rEMjaQ4zlk6JFr99OAxWf1tZWfvCXlvMB
+Gl3CYhPgyhSESqWo3qSpJ8ad429UKYNO2DaCRVb+Cwix/7wno9xtd4zM5857KoiH
+uomjtmkq/sLTi7Sskwj+4pY7Zfn7IgB7ystDIaV3vL7SecGhujs6QWwkv6sCDe9I
+zGLJbngoqubh0zYyLpooTamawkv7PJTe0JNxSsiSQaWizfF6EM/mDQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..2d3fe59ffa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v2-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem
new file mode 100644
index 0000000000..4f5393ddf2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUAzvvou3xJqatuq3Ni5WU3XjZErUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAcsFZACYe8BQ5
+lvrpDQk1T7Oap8AP6E5Il6CsxxApt6bWP7GKmV2L1IoaELWr+3+0tjwCqVtyGbOB
++krlXU9q2eSAvwSB4NrhDZc7o6cjOY8s44gnP74SywH2Ugk/F4TeYVrBUlNCUTNm
+CrlmUPCY52q6B0lYPzYlwCFV8D6qhVrT/uVOGoac3iOL23SsAAm9iiXcHpt3b/oN
+Uai0kW+ieKhbUavqGEeSqKSMxFJKAFStyoS25AoBzrN/LJYB104suST8JqPGyOca
++3yOOBZg1n+t3zAFWRYzRgf7HPVLb1MALtQLjZCg5A0e9vXK5E0HTSUjCszrUd/w
+bigId964yw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..56fcb21a03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v3-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..3a39b28b2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUTYM1sQVw4w4tMAQDvOXpkA+qsJ4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAAMhMUhyb8XY
+wYsNSIXUGGQuq8IT2GxSBaJatD66WfzvT2ij6+FGIo96JgkijahqSYuw3n1J+cx5
+UfFRdIxscOeNiA2SEaN2vPeOjx6SEnzR9ISX5ZfP48jbtkaHG1BMuWCNQ3kW34lq
+H66LrJIfkEua0dPyVZjQeNM8xh97OG0gtBtEU2saFdHhcVUSaAjzUBMNX96r/rMZ
+cvjQ+NyEN/SzFRmgA+i8MLReLjZSuaTwGnFzH0nvsl7t4wyARTvaz2B3XdR2bBYi
+0txprfO7e2sW5FDWD8XTvQKjSr47xdEtco2WfgR1bEwSfsZQNcCaBjUQQ/0TYhuA
+dJC8P5TnhsU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..a2def8d323
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v3-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem
new file mode 100644
index 0000000000..cf76357178
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAgIUf46hAcLOkyyUh/Zpj5xA4V4dSwgwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEATphgzjhjAxKENNABoQeFrCgFaGYbBSlJ
+NadwUP8zbzFV4RX1KAcyujMWnDzDfIadyMBOgwGyVJ5K9iaBSB6u+S6Od4OvTS2i
+LdW+sBwnnyoyx3tCU7cQEp1NuUDS1w4Q8spnh22LqBvznVtprPElqma+trfZTIMt
+DX+gcK/rAhLU3NQYVhOZ4cFduOJPIu7YkVj+8wGj27B+UVLzmBhG6gREFQB54LtQ
+k0vDOLePiDucabxPdlG25KtxR4GoXwaW49HPetDez+IrSkDWRP7jlItWbvOQT3px
++x5fXycZWXYSB9neEcjlu3vGhfS04EZxVe8GYx79VMaeUPwivvU0dg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..b336397ab6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v3-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem
new file mode 100644
index 0000000000..0799c0726f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAwIUAcNvCRz9BJocVqD1LRtwiNEarf0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAGcIJDN3eWDVw
+wgE/xySp7WDdAwDJHd9YFoO4kTx54bk0KXoPQIt6tWYC4FaZFn4mJvtEDfC8G8lQ
+2umxcSjA+evhPxYfQqVYGMmDI84WkojwCsgFCNJROUMTTGWJU+VYqF9L0FQAl81I
+zW16HBW1ZEcH1QnZWV92yXf2Obnxv/OqUilu9/IhoRheC+zVgGLtp5ta+zWiAM/P
+BCHZJfLRzaTG1n5HJiFhxi/+rucveyAw2HtdnvxJnkwNOuFvgz+cMm6wF2apE7O+
+8JheSPVbibWiEMR7sg7wW4G/8uqIco/4dmzgydM6p/Z401DCohexGwIxKSnveCut
+zWP+u3Y5CQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..12b94e63a5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v4-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..c6f6fff986
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAwIUK6/SdpdcFaBfz8PVmneAECjP0HUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBACeDNdOcWU+E
+AQZjoh2Iqmec+Zyt9Z4bDYI54UdbL2P/9T4JgEfT8kx4lPo+eWXR3TgsEXEfS1na
+W37k3525XlWvDTWKz5i3iyHNlJ9FIu2eazsaPEjD8tsv9r33cRPqsOLYerHhU1mJ
+ucpAtvEC9iU/yQNDaYRimehj5tMXb9Y3HI6fYidno6KVjfTezflBTyCjTwPFsI2k
+LAPgStEy8fQ/mZYLTE0UDHfjnq7TxoDKTl3saTI5kbAiLpmfNMxg1mqya+M6pYGN
+JGzj2DC95AWAqyKfU8hgt1Nf1h5wsn5ObK0bny5joOddgt5RMGiGbVImro1/gCnM
+zWPDHVeKnMw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..43a04f70fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v4-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem
new file mode 100644
index 0000000000..54c0a4cbda
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAwIUGx+3hyQ7xvdNhaPOxEuHhLq6xR0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAoyOdO55Pl2LJYrzdlltBuryKJCL9JR6s
+OL6y5X+PpkOU/woM01J9OPbG0qLhOjDZACUi0/xif794ITYvaCpt2tpymsq8YNuT
+MXJ3W42wz2UvMxuT/4DJsZrVRNEaz/BxFRRD4cX5s2wNfbW+HK5BmJCp8ShxLjra
+Wbq4tj+MO+g7q/tpt4kjL636E6pB+EKO2I+eIHr9w0rqN4wmqDVNhhYPA79GmP7/
+A1jnD3d515i0R0za5oyiMO5+pBOeS+m7SvWJQ8SAclmTeOVecdEtmRO/av8IKWYM
+FOz8sZ35yWXO1oXe0Ap4Y339Cfc9cYGmhexSfTUEuh4PEccSFGOsRA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..4970d1e945
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v4-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:4
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem
new file mode 100644
index 0000000000..c03a94442e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbECFB1o2wSSnQ848oSnWxn/rPX213QHMA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC3NzLXYxLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBYxFDASBgNVBAMMC3NzLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCyBW26BlMXpiaD3T5lpT4C4tt9
+ilZhEMUnvYHNmMzZ4W9LlwAjpk87mB/Rpmj1+0WNrWzdrqRrEn37FfrLx4My2I/0
+ldltRsRmARLPaO/4kp35nynZtU4NDJWXCfqI98IND4fjpVOl6KHjj0GOtG7kjw0N
+rg43ybMrDkNjo5TFPyPLa7TbRU/AC1Ekgk0/xeOcwnKlOkRuIrNY0d9wa5EwG74m
+A27h06vDlzBJtuoLG9vpSDMiUZeZ2u/6OqHLD46F+DsKU2fghGSRMSBJZUhwYUqw
+lIBpJ5zJVv9ymh0IPI0LEvuQgjsa637u7qkkYH9/9hcqPSPD34VK0gM9tX0F
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec
new file mode 100644
index 0000000000..731396f034
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v1-BC-cA
+subject:ss-v1-BC-cA
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem
new file mode 100644
index 0000000000..04f367d415
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbYCFAN6bUkpHP4g7bh+SLf3bPaNM775MA0GCSqGSIb3DQEBCwUAMBox
+GDAWBgNVBAMMD3NzLXYxLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw
+MjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9zcy12MS1CQy1ub3QtY0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+DTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBACjbHRr7YwhuzSz1eGKG
+9DDQVa9EgBoyqkym5D4pqOwgAzhzg944PQHuxZBc+EgX9mg1uoHeql2sCQXe1e4w
+ArvIy91LIxERc3gJBrnBPtqhGPWy7ocy9vdLqBff7AJguI2sM+CDi0G0rmW5DYqP
+nDZjBRx10vq+SxjoiwKk1GpLMTC9/3cJotxRM9/qj+gxrMwCcpE5FxX8bGLhXYRe
+BrNEf0PxJ/7zSvtorKAP4Xaw86D1C0syCbnIeUO/MG5j6DpgaxBx0sq1bMjMVvnJ
+JONzwYPcWTUU+P+iuoAyiw379KPMkBGballW7xnE5vV4ghXSJ2+v0MbFtODu4UsP
+ucg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..20d716d494
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v1-BC-not-cA
+subject:ss-v1-BC-not-cA
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem
new file mode 100644
index 0000000000..5ae313a9c4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ0CFG2H9UtZJlaZgU8dTUaZVFYu98swMA0GCSqGSIb3DQEBCwUAMBUx
+EzARBgNVBAMMCnNzLXYxLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIw
+NDAwMDAwMFowFTETMBEGA1UEAwwKc3MtdjEtbm9CQzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEATmXm4iolX2Mj0paZM/ImW1sfTDksXd9Z06QkGPFha0Uq4U9KVgEE
+ZWoaf3YvBVnC6HRyT9kiC6EhuzeFO1HLFrzegzYtgEMNE/QLULftsBwaO24bpkn0
+vC78g5BhxjXyhKr+kZst7+MBxgfqW1BuBQKjTer+3FaeZ9+psokZJkQ2jjS80hTm
+NtYHaGg8boAQqqaRiOmXt7NfanGc3S7v++G+vGS9KPCkwIJahN/QMKOxbfiQaEGB
+IMws/eIb2d6Uvjby67w0rmF244+UZl1xVAmZoTzdUG9fxl+mInpQ3GZwXHFIh+dg
+T8zacnUf9PUspdSJW4X3KR5zWoFnZ4gPnQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec
new file mode 100644
index 0000000000..58d2f0d7f5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v1-noBC
+subject:ss-v1-noBC
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem
new file mode 100644
index 0000000000..60cfbf22ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAQIUbyOcztDE3bJP/+M+df1pwVApAy4wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGH3wSiQNWVlfSRCXqau
+kxen6i0L4vYVKxMPI9fGBipm3CdmViU+vH8hfb3l4K/FCczFiI/9BuaYxp/70+Vj
+LALgt/IpsFN216nvIJhGY0bc86k24Z0wF1cSUwBfmfTYP93CalnJ2Aja9iyQ8uCP
+2ABtrXoNedgm8/mNwk++y/6aCw8nFgzyPHk8q9z7QJYkDk8y09p9StzQL1NhdIAo
+TfJKNQwRVFhwDNPFjBFuVskihgiNlNDoCCVelM7d/txubNJHVJdjMV9+z9Tl7EJU
+tB9Lvoa4CZ3DaTWcru8BPijpD+MYT6Uvax5GcOkfw9FNBhXvB2GloUdw7H2/kmzu
+3lA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec
new file mode 100644
index 0000000000..8dbb3a65ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v2-BC-cA
+subject:ss-v2-BC-cA
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem
new file mode 100644
index 0000000000..b5eed2d114
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAQIUDfKvNtqkNTrPJXWJyvURZqRZVd8wDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjItQkMtbm90LWNBMCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYyLUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAkJhNlMNzsseu
+aRxllndNdPhJunXxE79o4JnBH+B/1hPEBxgZhILOCROwATtm2HSLDUH4iHrDdHPC
+fHoC1UzQvfBlBvbkK5ILcOdWJeaVV3Fh6BF00q4UxkMdbQ+ClGo0eg2I+03cxIf8
+eM8GGCbGYBn7LItWpDHm16H1Mjmj+JcNNC54XLN2IHNYOZhjM63lF3r5DrgpzsvE
+ymU2HSHZ55o+pI5gNR86Pfo66OisJmjO31zK/DkHKcQdXqG/P1Er+q+Xi2skp0kD
+uWO4NW3LwfJVKP0zkPxzk8KK4vayhPfu0pknGTaKST3q2M8LDpS5wbCjoRK8apci
+Q3VroAPolg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..2b8f4bcc55
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v2-BC-not-cA
+subject:ss-v2-BC-not-cA
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem
new file mode 100644
index 0000000000..243b759abb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAQIUf09w6m0orEMyLAe5BWnalXNY/GowDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjItbm9CQzAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw
+MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12Mi1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQAihzSymJW+OoCZxc/snHZBhJAmapeAuV6Ud7NfCV/KERh5
+LnhcihI1vKy6b/lklPg1IyNk6krWN0+hBhPq40bWXSoiJSv0Cwhd3seckoH8msZK
+2ydbTBiI7Epu+dJPX7v8es7B2XyqkSCWayRShaIt/dYe7MZbUohtucR/Jl4lRFGi
+gGrWGvQaw+uAtD8kEUwXds52sUdFNt0iMjNQ95aBj7DM44/GULCZ8AM+B2Q9/yf7
+Viyk8ZXNa8C2GWgJC/KEyT2HnO/8JVahsBeVnzHyP+oCaggBCje4sZOB/s1w7etg
+hNk5z9q3AOVlk8K2oiVV2NZsM+6GUFhbArtPy4su
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec
new file mode 100644
index 0000000000..7656115a84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v2-noBC
+subject:ss-v2-noBC
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem
new file mode 100644
index 0000000000..47d78ccbfa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUd3ssPRZ7t196ljPylWeq9a2OdP0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALieIvBatH7xVUIJ0J7r
+tOs/BUtOsZcBKuUmzNU1h6aQfl2m4XrHFTSK2UV2qI0IXeRJSMOxIXqwMb4k4s2d
+d/RAPvx8rzNr3auTwxwCi0cLddRnSOsifBtqST7nNfCil3y1wD9amXqf7Y63CfM7
+Af0HJ2+jLKe1McxhpzKZ8SqBU/ks02GaTh60QHmAe9AfnNpf+jVsTpYBni/yeD/O
+EMWiqQ7fy7ei5LtCosxuXd8LsVkYQue1AQNqeQUKHVurL5xmI/Wn40+uzUP2kLlh
+tSJckYIId/etuphPwMvebVV34US+LPzD4lejavYYPVBibz/7K4tKuyvyhkM6p5hU
+1Go=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec
new file mode 100644
index 0000000000..df822e99b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v3-BC-cA
+subject:ss-v3-BC-cA
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem
new file mode 100644
index 0000000000..8618f1e387
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUNadML4Cv00eagEJ/J8/g+1F47PowDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjMtQkMtbm90LWNBMCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYzLUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAZmQEP45EbkCB
+Q7KMhwZFDRJtbr+OjMAwcwhtFy4dKQF0WArFmUt1ZJMTfOsyyuivd63s0ppkxK11
+LgASOmD/nC8MWxEdxjQE8gm6BWx+8aq5wbpRHaqtJgh814wspzn+bel8WMqm/7ot
+0LhPKfz48mrf35tkB68uQcIUUZv7z5G47wbGOAKp1Y6eEurzX3gSNOHsUCRJC9cC
+JMMqEikcT0Z2izCb6eiawyZQv2ImGE3k+I09MGKowhepgDRQq5OT1ZbNzF2ZwSRu
+3kmnAx+WBpglf/sfQazRNT7HU1HLYoROstyvIgPbA52PdyYolD+w3qwd/VcgQCyk
+FZnfeSDzqg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..0b2b575573
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v3-BC-not-cA
+subject:ss-v3-BC-not-cA
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem
new file mode 100644
index 0000000000..b66c58fdf4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAgIUKdWlnBlBA9nOA6mMG3KkfU+WLUowDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjMtbm9CQzAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw
+MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12My1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQCA7Vy1DesgEw27y5+flhS9/v58Thvjmh2CTVA9tpnPiomc
+3IrFCmmQ074j1/V33YJzNEScN8rsgOAcDqSek+QIWzaiKtLSlVC5g9SAEyk6pPE/
+hDmP2F1MinlqZe2EB6NkIhkY2/35I5bGSA6/1nVgV+Tld/UtBo5NFaAssqFx+ZhJ
+eOyhm+wL/8IW/8H2XcmJWMRDgLniEX9lfhv6dHoQ7TlnbQnKU3Au8rddUHqgKKH2
+f/b9XZQKmQbM0AlQJA99kh/11/nFdpGUVXCH3ko/4zia3ey0Wlc6g3nYcuP6ajvz
+kDbC99LAyua11bHVz3W0Vp0PPTbn0p3CpZgPcKbK
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec
new file mode 100644
index 0000000000..96314e51a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v3-noBC
+subject:ss-v3-noBC
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem
new file mode 100644
index 0000000000..e85576ba40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAwIUA/ItZexsGJ96vHpiZp5xOcdOmngwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwIhgPMjAyMjExMjcwMDAwMDBaGA8y
+MDI1MDIwNDAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADkEoX9OySyVkxbpDwTM
+wf6n3OFwz0IaFYwr/KByvJZFz5rbXkEALDhwXOJ/OLnNzPhCX6IboDEzAiP3xCtz
+z1CJEhcg6BPYuLWBzyXaeZkam5f5rp+YdDjTxQv4W3mjTibO0srK/mF1ESJMrVwZ
+BipSKVNRqOvCgyC+tsB5j51p6mrazO5XIn4GHMa1KRx85ObAUF91HBX66djl3rpQ
+e4mQTFYigEUNWN79CsYFdUJDptyhrRKVJDQjdiy5F3PGw9O1KjOlapMRVVQftDlz
+mv+Qd6cXAO180ViZne5f59JsUO72lcoFVSdKXV322UHTLbmbNSgAz309FGrxn2xv
+4Yk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec
new file mode 100644
index 0000000000..54269184ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v4-BC-cA
+subject:ss-v4-BC-cA
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem
new file mode 100644
index 0000000000..7273b5f300
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAwIUfVuMEjAfgTtCH2WzIvkGCaZ8bkQwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjQtQkMtbm90LWNBMCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXY0LUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAKDq3h3ozvPP7
+S6ld2jYvhq6py5+sPR2R7MmZ17p3KIlEeLQUanv71sTSo4F54xFH3lq3AjGz2o69
+HRsR9weBaU9KX6h8OIpwxFK1IbTteYW9VriAaGnaYeKXbrSu10/4w6Cs6mgddueK
+cUk+1wJYM3VhwFngb1aQyQI08dSfVfi4IAMR0NRQ0FpXBZcI8B8cAx+S6KlxAugJ
+zVTLp/nG+x/am8Ztgy2yQ8RlPTN2GZ8S9AUfoQ0TGUfGWn2hw/TUJhlDwVGIwe1S
+yqdUtTnaVcCEPnniXLwbx15bkAeDd8psodtMlP2cPILgJe1qzDXcCZ3JbWDt7sx1
+TCt6gCPO7Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..3d65335316
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v4-BC-not-cA
+subject:ss-v4-BC-not-cA
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem
new file mode 100644
index 0000000000..ee63a57ec2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAwIUXQ61GNGmZMpilNYCelyBlSdQbcgwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjQtbm9CQzAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw
+MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12NC1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQAZ6zzXkcUCra8W6GEXll9GATX9Qg1+qNvtXZ+aGCnv8GZs
+eg5T4/0YnHQ+yG/cm1qcnDBUmukSEtCAglBQnE6ie5LWhvL6oHPpDfOL3XAxedKU
+SVtFix+paAII97lDd+oY4NmzJcNu90sQ2VxF1qNKRSC2dPbnkYvqw5meMh+8/l6N
+5vWXa0Khx2iANA1EENTLf0DzifJQrAKubBlu5nuzc0ctaSF6353bmPZuFFpxujRV
+koeDKP4TOR13Qv8gcIC9ZmQA/IP4TNgmqoJ0A2h2aVzy59MGky8X3JEqId04nB81
+ErY8jmJcbH+iRwYstjInWdL94kMOZ9b4hmkD4liT
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec
new file mode 100644
index 0000000000..d02e04de51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v4-noBC
+subject:ss-v4-noBC
+version:4
diff --git a/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js b/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js
new file mode 100644
index 0000000000..6b8d4f6e0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js
@@ -0,0 +1,83 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This tests that the nsIClientAuthRememberService correctly reads its backing
+// state file.
+
+function run_test() {
+ let stateFile = do_get_profile();
+ stateFile.append(CLIENT_AUTH_FILE_NAME);
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let keyValuePairs = [
+ {
+ key: "example.com,C9:65:33:89:EE:DC:4D:05:DA:16:3D:D0:12:61:BC:61:21:51:AF:2B:CC:C6:E1:72:B3:78:23:0F:13:B1:C7:4D,",
+ value: "AAAA",
+ },
+ {
+ key: "example.com,C9:65:33:89:EE:DC:4D:05:DA:16:3D:D0:12:61:BC:61:21:51:AF:2B:CC:C6:E1:72:B3:78:23:0F:13:B1:C7:4D,^partitionKey=%28https%2Cexample.com%29",
+ value: "BBBB",
+ },
+ { key: "example.test,,", value: "CCCC" },
+ ];
+ for (let keyValuePair of keyValuePairs) {
+ append_line_to_data_storage_file(
+ outputStream,
+ 1,
+ 1,
+ keyValuePair.key,
+ keyValuePair.value,
+ 1024
+ );
+ }
+
+ let clientAuthRememberService = Cc[
+ "@mozilla.org/security/clientAuthRememberService;1"
+ ].getService(Ci.nsIClientAuthRememberService);
+
+ let dbKey = {};
+ ok(
+ clientAuthRememberService.hasRememberedDecisionScriptable(
+ "example.com",
+ {},
+ dbKey
+ )
+ );
+ equal(dbKey.value, "AAAA");
+
+ dbKey = {};
+ ok(
+ clientAuthRememberService.hasRememberedDecisionScriptable(
+ "example.com",
+ { partitionKey: "(https,example.com)" },
+ dbKey
+ )
+ );
+ equal(dbKey.value, "BBBB");
+
+ ok(
+ !clientAuthRememberService.hasRememberedDecisionScriptable(
+ "example.org",
+ {},
+ {}
+ )
+ );
+ ok(
+ !clientAuthRememberService.hasRememberedDecisionScriptable(
+ "example.com",
+ { partitionKey: "(https,example.org)" },
+ {}
+ )
+ );
+
+ dbKey = {};
+ ok(
+ clientAuthRememberService.hasRememberedDecisionScriptable(
+ "example.test",
+ {},
+ dbKey
+ )
+ );
+ equal(dbKey.value, "CCCC");
+}
diff --git a/security/manager/ssl/tests/unit/test_constructX509FromBase64.js b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js
new file mode 100644
index 0000000000..400724bef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js
@@ -0,0 +1,87 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that ConstructX509FromBase64() accepts valid input and rejects invalid
+// input.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function excMessage(e) {
+ if (e.message) {
+ let msg = e.message;
+ if (e.data) {
+ msg = msg + ": " + e.data;
+ }
+ return msg;
+ }
+
+ return e.toString();
+}
+
+function testGood(data) {
+ try {
+ let cert = certDB.constructX509FromBase64(data.cert);
+ equal(
+ cert.commonName,
+ data.cn,
+ "Actual and expected commonName should match"
+ );
+ } catch (e) {
+ info(`Exception: ${excMessage(e)}`);
+ ok(false, `Should not have gotten an exception for "CN=${data.cn}"`);
+ }
+}
+
+function testBad(data) {
+ throws(
+ () => certDB.constructX509FromBase64(data.input),
+ data.result,
+ `Should get "${data.result}" for "${data.input}"`
+ );
+}
+
+function run_test() {
+ const badCases = [
+ // Wrong type or too short
+ { input: null, result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "=", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "==", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ // Not base64
+ { input: "forty-four dead stone lions", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ // Not a cert
+ {
+ input: "Zm9ydHktZm91ciBkZWFkIHN0b25lIGxpb25z",
+ result: /NS_ERROR_FAILURE/,
+ },
+ ];
+
+ // Real certs with all three padding levels
+ const goodCases = [
+ {
+ cn: "A",
+ cert: "MIHhMIGcAgEAMA0GCSqGSIb3DQEBBQUAMAwxCjAIBgNVBAMTAUEwHhcNMTEwMzIzMjMyNTE3WhcNMTEwNDIyMjMyNTE3WjAMMQowCAYDVQQDEwFBMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxANFm7ZCfYNJViaDWTFuMClX3+9u18VFGiyLfM6xJrxir4QVtQC7VUC/WUGoBUs9COQIDAQABMA0GCSqGSIb3DQEBBQUAAzEAx2+gIwmuYjJO5SyabqIm4lB1MandHH1HQc0y0tUFshBOMESTzQRPSVwPn77a6R9t",
+ },
+ {
+ cn: "Bo",
+ cert: "MIHjMIGeAgEAMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAMTAkJvMB4XDTExMDMyMzIzMjYwMloXDTExMDQyMjIzMjYwMlowDTELMAkGA1UEAxMCQm8wTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA1FoSl9w9HqMqVgk2K0J3OTiRsgHeNsQdPUl6S82ME33gH+E56PcWZA3nse+fpS3NAgMBAAEwDQYJKoZIhvcNAQEFBQADMQAo/e3BvQAmygiATljQ68tWPoWcbMwa1xxAvpWTEc1LOvMqeDBinBUqbAbSmPhGWb4=",
+ },
+ {
+ cn: "Cid",
+ cert: "MIHlMIGgAgEAMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNVBAMTA0NpZDAeFw0xMTAzMjMyMzI2MzJaFw0xMTA0MjIyMzI2MzJaMA4xDDAKBgNVBAMTA0NpZDBMMA0GCSqGSIb3DQEBAQUAAzsAMDgCMQDUUxlF5xKN+8KCSsR83sN+SRwJmZdliXsnBB7PU0OgbmOWN0u8yehRkmu39kN9tzcCAwEAATANBgkqhkiG9w0BAQUFAAMxAJ3UScNqRcjHFrNu4nuwRldZLJlVJvRYXp982V4/kYodQEGN4gJ+Qyj+HTsaXy5x/w==",
+ },
+ ];
+
+ for (let badCase of badCases) {
+ testBad(badCase);
+ }
+ for (let goodCase of goodCases) {
+ testGood(goodCase);
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_content_signing.js b/security/manager/ssl/tests/unit/test_content_signing.js
new file mode 100644
index 0000000000..1f0f26bd12
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing.js
@@ -0,0 +1,438 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// These tests ensure content signatures are working correctly.
+
+const TEST_DATA_DIR = "test_content_signing/";
+
+const ONECRL_NAME = "oneCRL-signer.mozilla.org";
+const ABOUT_NEWTAB_NAME = "remotenewtab.content-signature.mozilla.org";
+var VERIFICATION_HISTOGRAM = Services.telemetry.getHistogramById(
+ "CONTENT_SIGNATURE_VERIFICATION_STATUS"
+);
+var ERROR_HISTOGRAM = Services.telemetry.getKeyedHistogramById(
+ "CONTENT_SIGNATURE_VERIFICATION_ERRORS"
+);
+
+// Enable the collection (during test) for all products so even products
+// that don't collect the data will be able to run the test without failure.
+Services.prefs.setBoolPref(
+ "toolkit.telemetry.testing.overrideProductsCheck",
+ true
+);
+
+function getSignatureVerifier() {
+ return Cc["@mozilla.org/security/contentsignatureverifier;1"].getService(
+ Ci.nsIContentSignatureVerifier
+ );
+}
+
+function getCertHash(name) {
+ let cert = constructCertFromFile(`test_content_signing/${name}.pem`);
+ return cert.sha256Fingerprint.replace(/:/g, "");
+}
+
+function loadChain(prefix, names) {
+ let chain = [];
+ for (let name of names) {
+ let filename = `${prefix}_${name}.pem`;
+ chain.push(readFile(do_get_file(filename)));
+ }
+ return chain;
+}
+
+function check_telemetry(expected_index, expected, expectedId) {
+ for (let i = 0; i < 10; i++) {
+ let expected_value = 0;
+ if (i == expected_index) {
+ expected_value = expected;
+ }
+ let errorSnapshot = ERROR_HISTOGRAM.snapshot();
+ for (let k in errorSnapshot) {
+ // We clear the histogram every time so there should be only this one
+ // category.
+ equal(k, expectedId);
+ equal(errorSnapshot[k].values[i] || 0, expected_value);
+ }
+ equal(
+ VERIFICATION_HISTOGRAM.snapshot().values[i] || 0,
+ expected_value,
+ "count " +
+ i +
+ ": " +
+ VERIFICATION_HISTOGRAM.snapshot().values[i] +
+ " expected " +
+ expected_value
+ );
+ }
+ VERIFICATION_HISTOGRAM.clear();
+ ERROR_HISTOGRAM.clear();
+}
+
+add_task(async function run_test() {
+ // set up some data
+ const DATA = readFile(do_get_file(TEST_DATA_DIR + "test.txt"));
+ const GOOD_SIGNATURE =
+ "p384ecdsa=" +
+ readFile(do_get_file(TEST_DATA_DIR + "test.txt.signature")).trim();
+
+ const BAD_SIGNATURE =
+ "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2r" +
+ "UWM4GJke4pE8ecHiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1G" +
+ "q25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L";
+
+ let remoteNewTabChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "remote_newtab_ee",
+ "int",
+ ]);
+
+ let oneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_ee",
+ "int",
+ ]);
+
+ let oneCRLBadKeyChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_wrong_key_ee",
+ "int",
+ ]);
+
+ let noSANChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_no_SAN_ee",
+ "int",
+ ]);
+
+ let expiredOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_ee_expired",
+ "int",
+ ]);
+
+ let notValidYetOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_ee_not_valid_yet",
+ "int",
+ ]);
+
+ // Check signature verification works without throwing when using the wrong
+ // root
+ VERIFICATION_HISTOGRAM.clear();
+ let chain1 = oneCRLChain.join("\n");
+ let verifier = getSignatureVerifier();
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIContentSignatureVerifier.ContentSignatureProdRoot
+ )),
+ "using the wrong root, signatures should fail to verify but not throw."
+ );
+ // Check for generic chain building error.
+ check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Check good signatures from good certificates with the correct SAN
+ ok(
+ await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ "A OneCRL signature should verify with the OneCRL chain"
+ );
+ let chain2 = remoteNewTabChain.join("\n");
+ ok(
+ await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain2,
+ ABOUT_NEWTAB_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ "A newtab signature should verify with the newtab chain"
+ );
+ // Check for valid signature
+ check_telemetry(0, 2, getCertHash("content_signing_remote_newtab_ee"));
+
+ // Check a bad signature when a good chain is provided
+ chain1 = oneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ BAD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A bad signature should not verify"
+ );
+ // Check for invalid signature
+ check_telemetry(1, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Check a good signature from cert with good SAN but a different key than the
+ // one used to create the signature
+ let badKeyChain = oneCRLBadKeyChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ badKeyChain,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing key is wrong"
+ );
+ // Check for wrong key in cert.
+ check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee"));
+
+ // Check a good signature from cert with good SAN but a different key than the
+ // one used to create the signature (this time, an RSA key)
+ let rsaKeyChain = oneCRLBadKeyChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ rsaKeyChain,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing key is wrong (RSA)"
+ );
+ // Check for wrong key in cert.
+ check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee"));
+
+ // Check a good signature from cert with good SAN but with no path to root
+ let missingInt = [oneCRLChain[0], oneCRLChain[2]].join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ missingInt,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the chain is incomplete (missing int)"
+ );
+ // Check for generic chain building error.
+ check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Check good signatures from good certificates with the wrong SANs
+ chain1 = oneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ABOUT_NEWTAB_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A OneCRL signature should not verify if we require the newtab SAN"
+ );
+ // Check for invalid EE cert.
+ check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee"));
+
+ chain2 = remoteNewTabChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain2,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A newtab signature should not verify if we require the OneCRL SAN"
+ );
+ // Check for invalid EE cert.
+ check_telemetry(7, 1, getCertHash("content_signing_remote_newtab_ee"));
+
+ // Check good signatures with good chains with some other invalid names
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ "",
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match an empty name"
+ );
+ // Check for invalid EE cert.
+ check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Test expired certificate.
+ let chainExpired = expiredOneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chainExpired,
+ "",
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing certificate is expired"
+ );
+ // Check for expired cert.
+ check_telemetry(4, 1, getCertHash("content_signing_onecrl_ee_expired"));
+
+ // Test not valid yet certificate.
+ let chainNotValidYet = notValidYetOneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chainNotValidYet,
+ "",
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing certificate is not valid yet"
+ );
+ // Check for not yet valid cert.
+ check_telemetry(5, 1, getCertHash("content_signing_onecrl_ee_not_valid_yet"));
+
+ let relatedName = "subdomain." + ONECRL_NAME;
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ relatedName,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match a related name"
+ );
+
+ let randomName =
+ "\xb1\x9bU\x1c\xae\xaa3\x19H\xdb\xed\xa1\xa1\xe0\x81\xfb" +
+ "\xb2\x8f\x1cP\xe5\x8b\x9c\xc2s\xd3\x1f\x8e\xbbN";
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ randomName,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match a random name"
+ );
+
+ // check good signatures with chains that have strange or missing SANs
+ chain1 = noSANChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match a supplied name"
+ );
+
+ // Check malformed signature data
+ chain1 = oneCRLChain.join("\n");
+ let bad_signatures = [
+ // wrong length
+ "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi-" +
+ "7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L==",
+ // incorrectly encoded
+ "p384ecdsa='WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi" +
+ "-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L=",
+ // missing directive
+ "other_directive=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ec" +
+ "HiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L",
+ // actually sha256 with RSA
+ "p384ecdsa=XS_jiQsS5qlzQyUKaA1nAnQn_OvxhvDfKybflB8Xe5gNH1wNmPGK1qN-jpeTfK" +
+ "6ob3l3gCTXrsMnOXMeht0kPP3wLfVgXbuuO135pQnsv0c-ltRMWLe56Cm4S4Z6E7WWKLPWaj" +
+ "jhAcG5dZxjffP9g7tuPP4lTUJztyc4d1z_zQZakEG7R0vN7P5_CaX9MiMzP4R7nC3H4Ba6yi" +
+ "yjlGvsZwJ_C5zDQzWWs95czUbMzbDScEZ_7AWnidw91jZn-fUK3xLb6m-Zb_b4GAqZ-vnXIf" +
+ "LpLB1Nzal42BQZn7i4rhAldYdcVvy7rOMlsTUb5Zz6vpVW9LCT9lMJ7Sq1xbU-0g==",
+ ];
+ for (let badSig of bad_signatures) {
+ await Assert.rejects(
+ verifier.asyncVerifyContentSignature(
+ DATA,
+ badSig,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ /NS_ERROR/,
+ `Bad or malformed signature "${badSig}" should be rejected`
+ );
+ }
+
+ // Check malformed and missing certificate chain data
+ let chainSuffix = [oneCRLChain[1], oneCRLChain[2]].join("\n");
+ let badChains = [
+ // no data
+ "",
+ // completely wrong data
+ "blah blah \n blah",
+ ];
+
+ let badSections = [
+ // data that looks like PEM but isn't
+ "-----BEGIN CERTIFICATE-----\nBSsPRlYp5+gaFMRIczwUzaioRfteCjr94xyz0g==\n",
+ // data that will start to parse but won't base64decode
+ "-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n-----END CERTIFICATE-----",
+ // data with garbage outside of PEM sections
+ "this data is garbage\n-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n" +
+ "-----END CERTIFICATE-----",
+ ];
+
+ for (let badSection of badSections) {
+ // ensure we test each bad section on its own...
+ badChains.push(badSection);
+ // ... and as part of a chain with good certificates
+ badChains.push(badSection + "\n" + chainSuffix);
+ }
+
+ for (let badChain of badChains) {
+ await Assert.rejects(
+ verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ badChain,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ /NS_ERROR/,
+ `Bad chain data starting "${badChain.substring(0, 80)}" ` +
+ "should be rejected"
+ );
+ }
+
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA + "appended data",
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A good signature should not verify if the data is tampered with (append)"
+ );
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ "prefixed data" + DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A good signature should not verify if the data is tampered with (prefix)"
+ );
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA.replace(/e/g, "i"),
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A good signature should not verify if the data is tampered with (modify)"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem
new file mode 100644
index 0000000000..6c80b1be43
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUGU8IXEaU5Al531xp9aITCfLjy/cwDQYJKoZIhvcNAQEL
+BQAwKTEnMCUGA1UEAwweeHBjc2hlbGwgc2lnbmVkIGFwcHMgdGVzdCByb290MCIY
+DzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBExDzANBgNVBAMMBmlu
+dC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMlMCMwDAYDVR0TBAUwAwEB/zATBgNVHSUEDDAKBggrBgEFBQcD
+AzANBgkqhkiG9w0BAQsFAAOCAQEAQw8azGUnMeiHd6BYf8LZDK2dqsbVpWuDT/td
+LNQcYStX4jgPSfSxm9Mg6osXBnEKF83qXoNeP6Zt84WSJDotEf0WlC5JfNZFCMry
+vfd7odumxp/00LYaMbVK8Wz2LXXXwjsYF8xoZz6zq1DYviXIMluhcvCMepnCUnbP
+hY12tcznmHiHCOoEB1qurCfW8MkIz/GkLa409i7wFE9rsAeuAKgtdTStY5g8qp5j
+2KpmTzgfCeDgKwOSEUyW4YZXrvHYpPSnLiFsWvdxG3/D9aZExw1fipvzhpvqZYv9
+u2e7Qpt98Cd+Kitom/uDNmX9hv6E3eBThQI8QpTf43z6w/KD4A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec
new file mode 100644
index 0000000000..fc9dfd47ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:xpcshell signed apps test root
+subject:int-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem
new file mode 100644
index 0000000000..6bed32b275
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUFTE7Mh2mtfWK0CXoxo6Cg3kjXTYwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBExDzANBgNVBAMMBmVlLVJTQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM9MDswEwYDVR0lBAww
+CgYIKwYBBQUHAwMwJAYDVR0RBB0wG4IZb25lQ1JMLXNpZ25lci5tb3ppbGxhLm9y
+ZzANBgkqhkiG9w0BAQsFAAOCAQEAdc8e+0GrLdxWfJdIUHb+0NX80dUhnJcyVUJs
+dDIFnrbobiokoGWFXiJeFP10ykYEdn2J4BcenMlmKiDNe3upy6ptSNscjEu4E5TY
+QEy0r0MIA7ip/BoOTUUQhA31njpCaqNFYkoKnOMtrKPqgIs4KhYGInPaGoNCZfNk
+698Ybaei7mCr0io4PUQTgCWmgQogSpj2K0qjarF+fsxHBAggUn8o004gI3ITKkms
+PjlBh7oUUQlMniwjNCFFzniTKwVww99waMKHacwOwFHTGRTV3VXzIMQztYck/Kxh
+LHocSWTGkZM316xaZWme8SIsmszSzE6uU2iU+ewKEtDNNdmGdA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec
new file mode 100644
index 0000000000..7b2a02bdaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-CA
+subject:ee-RSA
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem
new file mode 100644
index 0000000000..ea13c7f53b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICPzCCASegAwIBAgIUA7oml57umCZ/IgF0YUnt3qSjnaIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE
+oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI
+1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO
+oz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREEHTAbghlvbmVDUkwtc2ln
+bmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBj1PtEW92ZLKQYPRq/
+LJcgVtG8Kch2etUd7d3qepgLPy0QEMYL3U/dRix4RnvIPMJwa+RRjYKshMvK1gU1
+6KZagPWYSVVKWYL/es4XoP4vMre+ya6Z1kJ+23pL2T1qb2Z4CyP39Hz2JdQt9DgN
+plyC3Gef5T3UFZV9XGj6EcFsmh8n+SwB5w2/pveeBHbvAN0VDlSrKLZjOlrK1rMd
+H0nAjqvNvPs8AzzFUBCebLszrB74fXHQrhdU+SRlczyWWZuCgmksr7z/2V86lIKe
+vIG0m/ntP6urXYTf3JqLzuilEc2/WiI+shJprdm5cV64KoIKplAjeC/fSs7GG912
+G51n
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec
new file mode 100644
index 0000000000..ab22807b9e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem
new file mode 100644
index 0000000000..ef22669f4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICTjCCATagAwIBAgIUOQNrYQz01j0SirgoHMLKbtGL9RowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAx
+MDEwMDAwMDBaMBwxGjAYBgNVBAMMEWVlLWludC1DQS1leHBpcmVkMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3
+Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP
+8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREE
+HTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IB
+AQBZJPo4llgMe5588+BnRLnFguspIiwMWmTeqCfi8VQBx/tUwRiTizbU7J2Yh9bo
+yZEPKfPSP2o8J0eSUgvXdVOxU1fNRuocsVfXUlveq5x10ddjXBT9X4AY1mtR7HJw
+hl/7269N8b4itfrfvZmCBToJayjv0I2N84bqjpOnXJ/iB5YVdk8oZIJDXWi4SR3B
+E9IejwA1fikpt++RjpJSZ1BSNU7FfiyGGUonxHDoP/29znaOJnpAqaH5LVJCRkfN
+H12vePBbunZd+ay5r+mMJPaXR+V2sY8OaOfcrPSHQLa8Eb/EEhBuITMKkOucohjx
+zqvM6S2iOI9GbwHClybEHRO7
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec
new file mode 100644
index 0000000000..48fd9c8cc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec
@@ -0,0 +1,6 @@
+issuer:int-CA
+subject:ee-int-CA-expired
+subjectKey:secp384r1
+validity:20130101-20140101
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem
new file mode 100644
index 0000000000..6cf5c6a312
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVDCCATygAwIBAgIUbV+rBAfhGRv/bU22A92xneoAy3owDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwNTAwMTAxMDAwMDAwWhgPMjA1MTAx
+MDEwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWludC1DQS1ub3QteWV0LXZhbGlkMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXb
+YI4lLeS3Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2p
+cQO+KIjP8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAk
+BgNVHREEHTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjXmLNn2kLa/FzNp7F3PqcSXuAO2jT31Y2g4pZnVqCDfMqplsl2ZFn
+oam3wyQnepm3q9DD4BOAW9JFYR3wqnl9cBRNHlSGyjGM4qBpuSD6WxAz7EdFcRO6
+fcA50245fAuB45UJeYJ58QvIBv7AwoBGnqAI7ZDN3eIGopZIL56jiH7vO9WyQPWj
+XZAWrXTG68rEf0RxXRtjUv9coFiuInT8+oyXB3NwK2EbaI5IeR+x3qIDEgNKk+t+
+PlE3NrtaAiK19p0s9RtQQilBKNmo+5irrUq/OD2H1aurDaAXpLTM5vLUpfyN3/qD
+HzuZujaUIeMsRiXsIRDNql1S+nq4oNRy
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec
new file mode 100644
index 0000000000..b2926dfc42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec
@@ -0,0 +1,6 @@
+issuer:int-CA
+subject:ee-int-CA-not-yet-valid
+subjectKey:secp384r1
+validity:20500101-20510101
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem
new file mode 100644
index 0000000000..38a5cb49d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICIDCCAQigAwIBAgIUY7jRIZeIM6YhjwqgwU+oz6TUcqowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLW5vLVNBTjB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFT
+TmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/d
+zIN0qm6pzqMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQAD
+ggEBAEqtCU8lSjgP99MrexGbpxALf7VMIufjcXABBvOQOgm2awrncwIHbWRe+0xJ
+FrPRGLnvGvwcA5GBTlaQXCvljKOo/2WoIh9BlQbYYKEf8C/IZqt86vXCWuDZE+B/
+DVhjTYG5NQpoJlt9LPakHrYa/hc5aZsCfX/r4kM7a9z+gOrd8Sw8NmsrXYH6btaL
+o/5YT2Rk2+MDBcfxOsoDLxn/Mmy/gPArxLDOHqKyKKEXpmuuVdaWTB23ka/aioTE
+y/0ofLSPgGkCKMy3IQrsmt2TaZLV8RRTiDy+MZa0lDr7LCblFDELTKqQ/nBb9pEH
+rTvkcKcOR/HW0jpq95qMM+fj4oU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec
new file mode 100644
index 0000000000..4a9b9a3ceb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-CA
+subject:ee-no-SAN
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem
new file mode 100644
index 0000000000..0c29e8f29d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLDCCARSgAwIBAgIUbSoIkbNI9t6sArDLYdbzFiAd0JYwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXdyb25nLWtleTBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnS
+M0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjPTA7MBMGA1UdJQQMMAoGCCsG
+AQUFBwMDMCQGA1UdEQQdMBuCGW9uZUNSTC1zaWduZXIubW96aWxsYS5vcmcwDQYJ
+KoZIhvcNAQELBQADggEBAARtyqnHpwUYNk/YrWDukcEhGd/2yRTBR2B2DmzKbQ4h
+S7IT+lYWU09oieEF5REWSsZi4Ox2GuYtkdHZhwUIc/S+2/kad5BPM8okDTBNfG8m
+LP+O/eIajp5FUj3EMcgfGZIO8FmOd2UDfz2Wz9Bmr7vJLq+oySl9Hs3zOD1SBNQt
+Hcn92kDhV+5wzCJnSc0XJ2ceZE6zMEgSiMavtzjNYS+05xoFYYyUyj0AlhOwliqd
+KJh2nmgTSiELWor+UHRM1SutD0fAbDtUIayjKzTM4RDfXXNQB46ECDxb1r1N5gtp
+hR5shvtmKShLD9jeYeZ+jxATISrp7a59FBGD6uGlOR4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec
new file mode 100644
index 0000000000..fbc8e603f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee-wrong-key
+subjectKey:secp256r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem
new file mode 100644
index 0000000000..cba7eb1251
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUDCCATigAwIBAgIUF/JDW1X4ZKGHzTxZomDnqIjZmc4wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE
+oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI
+1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO
+o04wTDATBgNVHSUEDDAKBggrBgEFBQcDAzA1BgNVHREELjAsgipyZW1vdGVuZXd0
+YWIuY29udGVudC1zaWduYXR1cmUubW96aWxsYS5vcmcwDQYJKoZIhvcNAQELBQAD
+ggEBAEAu16P/xzj+SvJJNjJl/pAJYsI4XVAw2RgOvU6QFW4S11uPdA6hIsuyHpTj
+FycLvhbvGqn18b0tw/fftWDuG5SB+uHWMdXLG/iJYfMbBPQJqCKdJFZIcazjnhwV
+E4l3Iy1+xOA08sO3soMzxojAzfecu9V1ffyqs2H6eQgf4mrNXPV9QuAjkNblwswz
+NnlzwALT0oMGXYxq4sD2uUhIOCrAT4/Yvv6dx/U5d+poP93mfZs/MU05NOhf3lAz
+tmNCHTgAB6fDiMbmDR9GmInhdYXW16/dCIRUBjqqRanHPmeO77az/4FLOWdu5at/
+D/jpygc524O22HsEx65ha23PlCQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec
new file mode 100644
index 0000000000..81e1eefe1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:remotenewtab.content-signature.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/pysign.py b/security/manager/ssl/tests/unit/test_content_signing/pysign.py
new file mode 100644
index 0000000000..23c6128aa2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/pysign.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Create an ECDSA signature on the P-384 curve using the SHA-384 hash of data from
+stdin. The key used for the signature is the secp384r1Encoded key used in pykey
+and pycert.
+
+The certificates for the content signature tests make use of this program.
+You can use pysign.py like this:
+
+cat test.txt | python pysign.py > test.txt.signature
+"""
+
+import base64
+import binascii
+import hashlib
+import pathlib
+import six
+import sys
+
+import ecdsa
+
+# For pykey, find the relative file location and add it to path
+toolsDir = (pathlib.Path(__file__).parents[4] / "tools").resolve()
+sys.path.append(str(toolsDir))
+import pykey
+
+data = sys.stdin.buffer.read()
+
+key = pykey.ECCKey("secp384r1")
+sig = key.signRaw(b"Content-Signature:\00" + data, pykey.HASH_SHA384)
+print(str(base64.b64encode(sig)).replace("+", "-").replace("/", "_"))
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt b/security/manager/ssl/tests/unit/test_content_signing/test.txt
new file mode 100644
index 0000000000..2daac1cb00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt
@@ -0,0 +1 @@
+This is a test file to test content-signature verification with a PKI.
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
new file mode 100644
index 0000000000..e613981473
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
@@ -0,0 +1 @@
+hSvmvvA7_QLedDsjRJGBevqLwjPILx1EtWSPP4A0fepaWWPuuZRB8VfDT2j07bKDacRsbmJjmvg_R4CpKmnoWF8-2w5lSszlFFDqYSvQVQxpKhu-HMM_qquu_l0KecQ2
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash
new file mode 100644
index 0000000000..7bde8641b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash
@@ -0,0 +1 @@
+ÿÿÿÿ \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter
new file mode 100644
index 0000000000..f76dd238ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment
new file mode 100644
index 0000000000..119fd67098
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment
@@ -0,0 +1,2 @@
+
+  \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage
new file mode 100644
index 0000000000..119fd67098
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage
@@ -0,0 +1,2 @@
+
+  \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage
new file mode 100644
index 0000000000..787a2bdfc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage
new file mode 100644
index 0000000000..c76b47cac6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage
new file mode 100644
index 0000000000..d08c818596
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment
new file mode 100644
index 0000000000..3ef70ac188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js
new file mode 100644
index 0000000000..2b71c3dfe2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is missing.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = undefined;
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
new file mode 100644
index 0000000000..1782885964
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a LogID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/trunc-log-id.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
new file mode 100644
index 0000000000..0eed16bac3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MinTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+ "test_crlite_corrupted/trunc-min-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
new file mode 100644
index 0000000000..419a639b07
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MaxTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+ "test_crlite_corrupted/trunc-max-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_version.js b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
new file mode 100644
index 0000000000..1764e5abaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/version-0.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
new file mode 100644
index 0000000000..5f259f28a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file is truncated in an issuer ID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file(
+ "test_crlite_corrupted/trunc-issuer-id.enrollment"
+);
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
new file mode 100644
index 0000000000..8c673a47d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_corrupted/version-0.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
new file mode 100644
index 0000000000..cc947d287f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
@@ -0,0 +1,21 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted filter file.
+//
+// There are many ways that a filter file could be corrupted, but the parsing
+// is done in rust-cascade, not cert_storage, so it is sufficient for us to
+// test any form of corruption here. For simplicity we just try to load a
+// single \x00 byte as the filter.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_corrupted/hash-alg-0.filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters.js b/security/manager/ssl/tests/unit/test_crlite_filters.js
new file mode 100644
index 0000000000..55fe4d75e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters.js
@@ -0,0 +1,880 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite filter downloading works correctly.
+
+// The file `test_crlite_filters/20201017-0-filter` can be regenerated using
+// the rust-create-cascade program from https://github.com/mozilla/crlite.
+//
+// The input to this program is a list of known serial numbers and a list of
+// revoked serial numbers. The lists are presented as directories of files in
+// which each file holds serials for one issuer. The file names are
+// urlsafe-base64 encoded SHA256 hashes of issuer SPKIs. The file contents are
+// ascii hex encoded serial numbers. The program crlite_key.py in this directory
+// can generate these values for you.
+//
+// The test filter was generated as follows:
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/valid.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 00da4f392bfd8bcea8
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/revoked.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 2d35ca6503fb1ba3
+//
+// $ mkdir known revoked
+// $ echo "00da4f392bfd8bcea8" > known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" >> known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" > revoked/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+//
+// $ rust-create-cascade --known ./known/ --revoked ./revoked/
+//
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+ "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+const { CRLiteFiltersClient } = RemoteSecuritySettings.init();
+
+const CRLITE_FILTERS_ENABLED_PREF =
+ "security.remote_settings.crlite_filters.enabled";
+const INTERMEDIATES_ENABLED_PREF =
+ "security.remote_settings.intermediates.enabled";
+const INTERMEDIATES_DL_PER_POLL_PREF =
+ "security.remote_settings.intermediates.downloads_per_poll";
+
+// crlite_enrollment_id.py test_crlite_filters/issuer.pem
+const ISSUER_PEM_UID = "UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8=";
+// crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem
+const NO_SCT_ISSUER_PEM_UID = "Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY=";
+
+function getHashCommon(aStr, useBase64) {
+ let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hasher.init(Ci.nsICryptoHash.SHA256);
+ let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ stringStream.data = aStr;
+ hasher.updateFromStream(stringStream, -1);
+
+ return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+ return hexify(getHashCommon(aStr, false));
+}
+
+// Get the name of the file in the test directory to serve as the attachment
+// for the given filter.
+function getFilenameForFilter(filter) {
+ if (filter.type == "full") {
+ return "20201017-0-filter";
+ }
+ if (filter.id == "0001") {
+ return "20201017-1-filter.stash";
+ }
+ // The addition of another stash file was written more than a month after
+ // other parts of this test. As such, the second stash file for October 17th,
+ // 2020 was not readily available. Since the structure of stash files don't
+ // depend on each other, though, any two stash files are compatible, and so
+ // this stash from December 1st is used instead.
+ return "20201201-3-filter.stash";
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the local data with
+ * fake records.
+ *
+ * @param {*} filters List of filters for which we will create records.
+ * @param {boolean} clear Whether or not to clear the local DB first. Defaults
+ * to true.
+ */
+async function syncAndDownload(filters, clear = true) {
+ const localDB = await CRLiteFiltersClient.client.db;
+ if (clear) {
+ await localDB.clear();
+ }
+
+ for (let filter of filters) {
+ const filename = getFilenameForFilter(filter);
+ const file = do_get_file(`test_crlite_filters/${filename}`);
+ const fileBytes = readFile(file);
+
+ const record = {
+ details: {
+ name: `${filter.timestamp}-${filter.type}`,
+ },
+ attachment: {
+ hash: getHash(fileBytes),
+ size: fileBytes.length,
+ filename,
+ location: `security-state-workspace/cert-revocations/test_crlite_filters/${filename}`,
+ mimetype: "application/octet-stream",
+ },
+ incremental: filter.type == "diff",
+ effectiveTimestamp: new Date(filter.timestamp).getTime(),
+ parent: filter.type == "diff" ? filter.parent : undefined,
+ id: filter.id,
+ coverage: filter.type == "full" ? filter.coverage : undefined,
+ enrolledIssuers:
+ filter.type == "full" ? filter.enrolledIssuers : undefined,
+ };
+
+ await localDB.create(record);
+ }
+ // This promise will wait for the end of downloading.
+ let promise = TestUtils.topicObserved(
+ "remote-security-settings:crlite-filters-downloaded"
+ );
+ // Simulate polling for changes, trigger the download of attachments.
+ Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+ let results = await promise;
+ return results[1]; // topicObserved gives back a 2-array
+}
+
+add_task(async function test_crlite_filters_disabled() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, false);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ },
+ ]);
+ equal(result, "disabled", "CRLite filter download should not have run");
+});
+
+add_task(async function test_crlite_no_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([]);
+ equal(
+ result,
+ "unavailable",
+ "CRLite filter download should have run, but nothing was available"
+ );
+});
+
+add_task(async function test_crlite_only_incremental_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ ]);
+ equal(
+ result,
+ "unavailable",
+ "CRLite filter download should have run, but no full filters were available"
+ );
+});
+
+add_task(async function test_crlite_incremental_filters_with_wrong_parent() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0004",
+ parent: "0003",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ ["2019-01-01T00:00:00Z-full", "2019-01-01T06:00:00Z-diff"],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_incremental_filter_too_early() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ ]);
+ equal(
+ result,
+ "finished;2019-01-02T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+});
+
+add_task(async function test_crlite_filters_basic() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ ]);
+ equal(
+ result,
+ "finished;2019-01-01T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+});
+
+add_task(async function test_crlite_filters_not_cached() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ let filters = [
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ ];
+ let result = await syncAndDownload(filters);
+ equal(
+ result,
+ "finished;2019-01-01T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ let records = await CRLiteFiltersClient.client.db.list();
+
+ // `syncAndDownload` should not cache the attachment, so this download should
+ // get the attachment from the source.
+ let attachment = await CRLiteFiltersClient.client.attachments.download(
+ records[0]
+ );
+ equal(attachment._source, "remote_match");
+ await CRLiteFiltersClient.client.attachments.deleteDownloaded(records[0]);
+});
+
+add_task(async function test_crlite_filters_full_and_incremental() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ // These are deliberately listed out of order.
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-01T00:00:00Z-full",
+ "2019-01-01T06:00:00Z-diff",
+ "2019-01-01T12:00:00Z-diff",
+ "2019-01-01T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_filters_multiple_days() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ // These are deliberately listed out of order.
+ {
+ timestamp: "2019-01-02T06:00:00Z",
+ type: "diff",
+ id: "0011",
+ parent: "0010",
+ },
+ {
+ timestamp: "2019-01-03T12:00:00Z",
+ type: "diff",
+ id: "0022",
+ parent: "0021",
+ },
+ {
+ timestamp: "2019-01-02T12:00:00Z",
+ type: "diff",
+ id: "0012",
+ parent: "0011",
+ },
+ {
+ timestamp: "2019-01-03T18:00:00Z",
+ type: "diff",
+ id: "0023",
+ parent: "0022",
+ },
+ {
+ timestamp: "2019-01-02T18:00:00Z",
+ type: "diff",
+ id: "0013",
+ parent: "0012",
+ },
+ { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0010" },
+ { timestamp: "2019-01-03T00:00:00Z", type: "full", id: "0020" },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-03T06:00:00Z",
+ type: "diff",
+ id: "0021",
+ parent: "0020",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-03T00:00:00Z-full",
+ "2019-01-03T06:00:00Z-diff",
+ "2019-01-03T12:00:00Z-diff",
+ "2019-01-03T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_confirm_revocations_mode() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeConfirmRevocationsValue
+ );
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+ addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ {
+ logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ // The CRLite result should be enforced for this certificate and
+ // OCSP should not be consulted.
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ // OCSP should be consulted for this certificate, but OCSP is disabled by
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY so this will be treated as a soft-failure
+ // and the CRLite result will be used.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Reload the filter w/o coverage and enrollment metadata.
+ result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [],
+ enrolledIssuers: [],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ // OCSP will be consulted for the revoked certificate, but a soft-failure
+ // should now result in a Success return.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+add_task(async function test_crlite_filters_and_check_revocation() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+ addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ {
+ logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ // Before any stashes are downloaded, this should verify successfully.
+ let revokedInStashCert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2020-10-17T03:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ ],
+ false
+ );
+ equal(
+ result,
+ "finished;2020-10-17T03:00:00Z-diff",
+ "Should have downloaded the expected CRLite filters"
+ );
+
+ // After downloading the first stash, this should be revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ // Before downloading the second stash, this should not be revoked.
+ let revokedInStash2Cert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash-2.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2020-10-17T06:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ ],
+ false
+ );
+ equal(
+ result,
+ "finished;2020-10-17T06:00:00Z-diff",
+ "Should have downloaded the expected CRLite filters"
+ );
+
+ // After downloading the second stash, this should be revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ // The other certificates should still get the same results as they did before.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ // This certificate has no embedded SCTs, so it is not guaranteed to be in
+ // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+ // not consulted, and the implementation falls back to OCSP. Since the real
+ // OCSP responder can't be reached, this results in a
+ // SEC_ERROR_OCSP_SERVER_ERROR.
+ let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+ // NB: this will cause an OCSP request to be sent to localhost:80, but
+ // since an OCSP responder shouldn't be running on that port, this should
+ // fail safely.
+ Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ await checkCertErrorGenericAtTime(
+ certdb,
+ noSCTCert,
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "mail233.messagelabs.com",
+ 0
+ );
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+
+ // The revoked certificate example has one SCT from the log with ID "9ly...="
+ // at time 1598140096613 and another from the log with ID "XNx...=" at time
+ // 1598140096917. The filter we construct here fails to cover it by one
+ // millisecond in each case. The implementation will fall back to OCSP
+ // fetching. Since this would result in a crash and test failure, the
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used.
+ result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 1598140096612,
+ },
+ {
+ logID: "XNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDso=",
+ minTimestamp: 1598140096917,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+add_task(async function test_crlite_filters_avoid_reprocessing_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-01T00:00:00Z-full",
+ "2019-01-01T06:00:00Z-diff",
+ "2019-01-01T12:00:00Z-diff",
+ "2019-01-01T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+ // This simulates another poll without clearing the database first. The
+ // filter and stashes should not be re-downloaded.
+ result = await syncAndDownload([], false);
+ equal(result, "finished;");
+
+ // If a new stash is added, only it should be downloaded.
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2019-01-02T00:00:00Z",
+ type: "diff",
+ id: "0004",
+ parent: "0003",
+ },
+ ],
+ false
+ );
+ equal(result, "finished;2019-01-02T00:00:00Z-diff");
+});
+
+let server;
+
+function run_test() {
+ server = new HttpServer();
+ server.start(-1);
+ registerCleanupFunction(() => server.stop(() => {}));
+
+ server.registerDirectory(
+ "/cdn/security-state-workspace/cert-revocations/",
+ do_get_file(".")
+ );
+
+ server.registerPathHandler("/v1/", (request, response) => {
+ response.write(
+ JSON.stringify({
+ capabilities: {
+ attachments: {
+ base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+ },
+ },
+ })
+ );
+ response.setHeader("Content-Type", "application/json; charset=UTF-8");
+ response.setStatusLine(null, 200, "OK");
+ });
+
+ Services.prefs.setCharPref(
+ "services.settings.server",
+ `http://localhost:${server.identity.primaryPort}/v1`
+ );
+
+ // Set intermediate preloading to download 0 intermediates at a time.
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 0);
+
+ Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter
new file mode 100644
index 0000000000..151cac41a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash
new file mode 100644
index 0000000000..d43193a78c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash
new file mode 100644
index 0000000000..52c9ee8d51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
new file mode 100644
index 0000000000..ead19e3c14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem
new file mode 100644
index 0000000000..70b86dfd71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
+U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
+nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
+KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
+/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
+kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
+/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
+oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
+QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
+xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
+5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
+8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
+2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
+c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
+j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem
new file mode 100644
index 0000000000..a690a0ad0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpDCCBIygAwIBAgIQDVHBpbd6yyk2LgPoPr9QyjANBgkqhkiG9w0BAQsFADBN
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
+aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMTE4MDAwMDAwWhcN
+MjExMTE4MTIwMDAwWjCBlDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
+aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHTAbBgNVBAoTFFN5bWFudGVjIENv
+cnBvcmF0aW9uMRcwFQYDVQQLEw5TeW1hbnRlYy5jbG91ZDEgMB4GA1UEAxMXbWFp
+bDIzMy5tZXNzYWdlbGFicy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCyM1Fy9hAlahRqqeEnPKDWgUmsxofivWEWKNeSMEKcnXX3TCQOGbLQTthN
+xfNU7IWY8ViTPwQ8JBWWDxNhd6dTYLNnytKrNRG8qDQ3rFMKJY4p0dZImMp55X3W
+1xcKMxSOkPv0YUCGp7qlAHq6+N3YY1ILw6MRdJ75Njh4Kw8qe5F3rHLwD+AyYQmx
+3WsMCRp5NZtWUcU5Vbc9ca/osrh9xBF7U3ZYR6GoPXQlizrNjXv7/BaKWWO5ChbD
+iRI4Nj8d3HhWUHsJoGvYDof5Iudgtbubz3c5cwp6+VNNMas7izpvbixqW8zXdUug
+8v5v47IkRNYnlma/zvv2IDC1dVlxAgMBAAGjggI2MIICMjAfBgNVHSMEGDAWgBQP
+gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUZnBdWwGQjkPX/+A2ZEYdUdnw
+lN8wfQYDVR0RBHYwdIIbY2x1c3RlcjguZXUubWVzc2FnZWxhYnMuY29tgh5jbHVz
+dGVyOG91dC5ldS5tZXNzYWdlbGFicy5jb22CHGNsdXN0ZXI4YS5ldS5tZXNzYWdl
+bGFicy5jb22CF21haWwyMzMubWVzc2FnZWxhYnMuY29tMA4GA1UdDwEB/wQEAwIF
+oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
+K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6At
+oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwG
+A1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
+LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpo
+dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2Vy
+dmVyQ0EuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAK7vS/qDcGKb
+QYu26+jGtBemopT3+2YJjtALeR62eNhF9LoHu+mnmNLvPI0M0NMhz56Ss/6sUHOz
+hJgB98SLAQ5ElSWXrnZThLIjsiH5X5MYTD0Y8MqzoJSi2Lf2Muy/UpyrD3wB14E1
+kUYhvUnaWDDPIN81DCFzEosBmnsRqr5zlcZSKs0e1LVQ8cNkt8svVkiwFgeOIhwo
+QF22GJAZPtRceSGlbRTFBYKh+u3KN8eNS/X+C935y+F4J/grufDCzRSGtRRseTcd
+1QW49+QME/rx1mBb7id4iXNKxvGuJTivBlxaHWBQLh/RGk39DSdHfjAhYvt2gmxh
+C3gxXMNrymE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem
new file mode 100644
index 0000000000..bac70a76bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGpzCCBY+gAwIBAgIIfLPIa/Mc/f4wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjIwMTA2MDA1MTI5WhcN
+MjMwMjA0MTUxNjQwWjAeMRwwGgYDVQQDExNwZWVrYWJvb3Bob25pY3MuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCKkB+36Yd/mBwwlq/F+B2R/
+ibNdUncADG1+xCB21TB6H0UWR1Aj92ZsIKXwXIyhj02VT58y0Oh4eycsMtEi/lLq
+KXhpWjRAMZaxjdyIrSJxpQVXC3v8Taej6PG2RewGMA3uXj+oWfl7t25JnEes1l2n
+JOnDXs5w4K0aDD1+r7wqCgZA7evmmdK3WJMWD/GSeF2hYcXFgb5dM2TiSRBGkv/9
+jMAvOSuJO8/kxKHLtLfM4I3O0gugB5Uyxtn5a6+P4vOphozsYgHqnSapCV8eAEN2
+SWRhFpfwsbt6/Dw/k38F2A5axSF0n+IQ49ejtWjs+f/GNTloieTsDbcpKkDSEwID
+AQABo4IDUDCCA0wwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6
+Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0zNzEwLmNybDBdBgNVHSAEVjBUMEgG
+C2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu
+Z29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGow
+aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUF
+BzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+Z2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDcGA1Ud
+EQQwMC6CE3BlZWthYm9vcGhvbmljcy5jb22CF3d3dy5wZWVrYWJvb3Bob25pY3Mu
+Y29tMB0GA1UdDgQWBBRElZlefxDT9BFjvpeq7zP6TlVv+TCCAYEGCisGAQQB1nkC
+BAIEggFxBIIBbQFrAHcA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4A
+AAF+LN6rOQAABAMASDBGAiEAssjNEfjNFhpQmiFRCFZSr1zZk7ISWHqPIzoghyZ+
+UbgCIQDB6iKxtMkpx1I9P9uL40M93xynsb/3DVl1OX8pSO1n9gB3ADXPGRu/sWxX
+vw+tTG1Cy7u2JyAmUeo/4SrvqAPDO9ZMAAABfizerPwAAAQDAEgwRgIhANUhPyqm
+inLVPy1zUqikc64dwi0P/nvCoNtC1gO2cDHgAiEAjv1Gw04htq5OyTP3XYQTHsZW
+h35omGu+WCS68t8LnIEAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1Lr
+UgAAAX4s3q2BAAAEAwBIMEYCIQDqxot9iMPghZbHZSegX98g1o5dvSsG1azMv290
+Cp+sBgIhALiMl5lj1A3nWkHTQKF9bF3ops5/ZxxJYE7XwBxlkZYYMA0GCSqGSIb3
+DQEBCwUAA4IBAQAOfIC7VLhn3oBYQKTzX4CN+249JN7l5tbSMqC2zjKRjOWOF3p/
+yNb2gk/v6EW0xN024E2yo8K4XF+QJMfzlwpsed1yuziYHIpjeiad7JGUs/57jdCo
+EUQrvwkuIeR5CZrGcXKG8nlVM5SaNhmId8XixnJz7XfEWiCxszlRkXIZ4Uhpwz2D
+XhQ8RE1DhwX3x6oO5y9Eu6o6+bz2Y14E0lL4hCng09UmrOFEUzVcO4bK8qsSp9oe
+1NNPlMQ3SD6RlGBy+2O5Iy8Kj4BRv2US2stuDeZWSvxp6N2RwLGBnDTyT08VAFD5
+SkulqE2/r6AHWNMe649z1clhq14i1+kQjEq5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem
new file mode 100644
index 0000000000..9550453493
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGNTCCBR2gAwIBAgIIFn0oGKdatdgwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwOTI3MTE0MzI0WhcN
+MjExMDI5MTE0MzI0WjA5MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
+ZWQxFDASBgNVBAMTC2ljc3JlcHMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAydMKPhCqRWjy5h1aPUNdRb80kt0hP/g55ytjlSF04PG+1CbIcId1
+GJg1qkbTR1vqZyvaI8wjv3zdfvsvYbka9OQFJiOasJfeqmiA+sDd9AvFiD2EF5zN
+D9uKHi+sF8Ut4JMl7jqaRAu/gbjBvY/9ammkz4sUiTlp1x4rteda3tuX9O7yMO7U
+ldnyfabHgGmmm8KU3nvRAjNbHCq3J/V/zw8YeolXU5OpOeZMhI8KAGKpxk8tRiIb
+LkdSdCTWoKgXO60extYcGTxIT8c8zfY6OoN0VaQY8HA1VyBZQIw2RTWivmI8le0J
+ypXYxNcUtInS0ivO4ymiNnCjYR9pgQ6+tQIDAQABo4ICwzCCAr8wDAYDVR0TAQH/
+BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD
+AgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Rp
+ZzJzMS0yMzM0LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYB
+BQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y
+eS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov
+L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh
+dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA
+FEDCvSeOzDSDMKIz1/tss/C0LIDOMCcGA1UdEQQgMB6CC2ljc3JlcHMuY29tgg93
+d3cuaWNzcmVwcy5jb20wHQYDVR0OBBYEFEgqFQnM5zH3cKFGtFanJxxD9zdPMIIB
+BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98M
+LyALzE7xZOMAAAF0z1/40gAABAMARjBEAiADSOnqg/I15y+dJDSWta8NzBwE6Xti
+UzyBKMT2OYHCYwIgb1aFpZxlkhx6XCCuniBLTcr5JbhigoM/lAfUmvvUqrIAdwBc
+3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXTPX/oBAAAEAwBIMEYC
+IQD6WvavTba+Lydf6uhaaxcRmhuuPeddzSmC8t4+tBLGGgIhANJPxhRl1pGYm6WX
+ay9jPCM2SqtBraOJYncaV6k37zGYMA0GCSqGSIb3DQEBCwUAA4IBAQA0IknIoU51
+FCBqpksgo7zR9OJj5MoQmlsQbzSFppdRKgyHhk8rW6IrBi3yrtWjo3HxcwihZlJQ
+2AbinRTNnHvBpiiiXXxR5u9yVly+9l3KfF/uHIGMnIqsahaKXNOy5h98uq4o4N0+
+YCGu9wSeDwtaCzdT+V447Fq63nmW629pjwin8FYCz2S8RdztranPZuOgwYqBNlWu
+u3Mi9DWIV2hP6eFwMZh7BWgbvnhWiI37TE74YQ+3cEVaLxLHJH9jkBjsel+ZwVIo
+9xeE6kGsh5+D0uHS5NWf9zu+fvW0iTgsB8J4VX5OihAa1v4FS4IaF3snkaMa0PCd
+MJMOgY5VkZiw
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem
new file mode 100644
index 0000000000..1073159662
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGPTCCBSWgAwIBAgIJAJeW47AXop8NMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIwMDgyMjIzMDI0NVoX
+DTIxMDkyMTIxMTYxMVowPDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMRcwFQYDVQQDEw5zdG9rZWRtb3RvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANLX8D4Cin6x2bmoSdgnuw9O+tGcD1x1S++3110NJVXUlpSc
+3uSUwqpU4rMOkJlRnuaBtHXYUFG8NMMnbTJYY9JuuhAlnHzVqoRWmcTNRp72fpDA
+XoD3U20spJeGQZXuQnGfe/k9EouvXt5du029YqItkFbjdbub4FP5MbIz1CWeelEn
+fEwpe/peLVYEfKSyYf325tFI9wZhuIM/zTe9DE6lauznM8hg1ioiBujxzeWWSstZ
+K2uJKaI8nlWkSr6vwPqJEBvvoShcWHFEmG8SWqPBy1tsNsLNjJkaHfD7gvG/J1Rc
+G21D0XO2IA0rEo6lo8MNEkWoHZA/oHO1eHrCjNkCAwEAAaOCAscwggLDMAwGA1Ud
+EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
+/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29t
+L2dkaWcyczEtMjIzNy5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcG
+CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
+aXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRp
+ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSME
+GDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAtBgNVHREEJjAkgg5zdG9rZWRtb3Rv
+LmNvbYISd3d3LnN0b2tlZG1vdG8uY29tMB0GA1UdDgQWBBTP8YI0WwVBgvg5GABQ
+fUksbk6evjCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1APZclC/RdzAiFFQYCDCU
+Vo7jTRMZM7/fDC8gC8xO8WTjAAABdBhpJtAAAAQDAEYwRAIgcrebTXyuMk/ciVyg
+LMbbd6qbkyB3yRAY1QnBs5sGK1ICIGw6EpH/NMXcOfYdkuSmhSYgUx0AIDdT9QWH
+rRIT50D3AHUAXNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDsoAAAF0GGko
+AwAABAMARjBEAiBtzQQHVVML3yZhZRsLLhJkYcc11nXeU/S/rouOZCCZQQIgVYKY
+jgjCU5HQyY6R5PZQTsCQGWiaOm1VguAIgPbvKzYwDQYJKoZIhvcNAQELBQADggEB
+AH6jCZU9+5TMaR5XThGL/z8EYQ1uFVN0hlXXB+gP3IDQLmyxkqrk9cOSf1D6fLRT
+5T4tGzPLvmReBLfrzQEkuqkXpUieortbpi116V82K+zBDT5s9Dol6+MxhwIZyZ7K
+DkHSbcFyiV9hkr2bf8JZzjvpCOfw9kYZTcYv8M8kheIOQsONdfe/rqNQnMRy56UZ
+OGZmxqDT2RwbewHEMAEb5ZsZ55/UHq08vZSVSA8qIqX/BU+7frwwt4vmv4WQ7AoJ
+YNml0TdV4R27NlnvhbAclucuqEMBcBg8gNylvKD3Mid7O4c5gCX5Wuml6rLpOr05
+vpJJqSf0uy73EtNcyTqfwUQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem
new file mode 100644
index 0000000000..ece7360def
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIHTjCCBjagAwIBAgIILTXKZQP7G6MwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwODIyMjM0ODE1WhcN
+MjEwMTE0MjEwMzAxWjBDMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
+ZWQxHjAcBgNVBAMMFSoudXMtZGF0YXJlY292ZXJ5LmNvbTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKzuSr8LaH2Aw/G1aKN4URo0RwaFv4+7MzM0RVTB
+189BdE8rgNRfxskoAVfte+iftO7P5qjg+1Jx8SCE1ZCNT2TGtcYwlsjyNLnbP3xV
+Cq514bODlwimOKLhpUFH1/ofO4/enbU8E4hlxS4DPtOGbsjouTiRHAOLsi7D+WT3
+3pZelFa5Hgmed5dL/CCJTiwbF10lbTXNwLgI7efUqiwvHRwf/CXEW9IvKJ9HG2We
+tT9ouQGOHfz4fyGOMN268dHqP89K+auCcf9b3BzzWOsknhmDisl+06WaIJe/W7Dn
++eG07nAuJLhE6nH9KLYiU2X5CHnLPvBTOPDdm/hzH84hnHkX2pSbst4d1aNtU4uP
+hyQcE5aMfnV7Yr1ZQUlLreCKzwIAb6BKqF/gHMASXUX7Fw5OFUHxV1xcPbcHQLs6
+D3XAoLBzopTR4YjxIDqhS3pkxHu5u9OEzFfaeP5zYnrj69Bke3lrdbrKV8aXIxHn
+xh9xJV4zAaPoHe8ze03zvdBXfu69DU+TTQkRfzJSZx/sXV6BHe15WGSHZxe0i61z
+wA1Oi7QgySMKIKSs6dsPOqppmePc3seMJy7y0FSxF1Kq6a1tR+W3j2WT9nY1c4Wb
+4LWc+0gDK3nvibJbFqCfnPznq/Q+q0V6m9BqBNjvqyyWXbgzCVn7qcT4apiP47IV
++MiBAgMBAAGjggLSMIICzjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn
+aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTIyMzcuY3JsMF0GA1UdIARW
+MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj
+YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH
+AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI
+KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np
+dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w
+NQYDVR0RBC4wLIIVKi51cy1kYXRhcmVjb3ZlcnkuY29tghN1cy1kYXRhcmVjb3Zl
+cnkuY29tMB0GA1UdDgQWBBTooRcQfblnnD7pJFCZfGGcf4kD4jCCAQUGCisGAQQB
+1nkCBAIEgfYEgfMA8QB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTj
+AAABdBiSoGUAAAQDAEgwRgIhAI4Cd+FhKsWdUZkBugaburD9dzdlVHSxKq6oYNyI
+vmIIAiEAwlmkvAiPb9nwDirqe7MZud5nu/lmq/Ip7M1xSKuraykAdgBc3EOS/uar
+RUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXQYkqGUAAAEAwBHMEUCIQCpYqq+
+Uc881tR+ikvsR97FRl6jBfxG50Sum+cdHEQkYQIgZJbGaeNoDS9+LAKI88NNRiCK
+vtQZkwWigDYr+2dWguYwDQYJKoZIhvcNAQELBQADggEBAD+sj44+86AvdVUrAN9h
+cU6kt4I6K1TM0KBmKg3rG8JEY7+Ec4Rztls3uviLR0ajH5tkQPwD7vRBVrLVDtQS
+Ndt2StR38AXiBRWwewy/sPMz11YzOPLyHaTl4pJVfyzHJ+rPdWuFZLtpTras/MIK
+IFnnbInlh5XtRhDCv6UEkAmGu5BeftA+9XxTuZlbwQlO5U1yg9Hqor9zANMqX9Ad
+3omIZrPtBkTdVOwHRU8SoaS6XxQ9jxcmWRgNTVAhU1/J7Bgvg3CPSpcHyV78sXkS
+D9bb1f4jdadaMKuJc0mTHBAxZenr3IFV8upf2FRTJnrCiS0jX8kKobN/+04Gbev6
+Tr0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem
new file mode 100644
index 0000000000..6769ba3d37
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGyTCCBbGgAwIBAgIJANpPOSv9i86oMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE4MTAxNTE5NTQxNFoX
+DTIwMTAyNDE4MzczOFowQjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMR0wGwYDVQQDExR2cG4ud29ybGRvZnNwZWVkLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKb1cjhtYv6yiyZa1feabWaSBOCmN0JuqXIMkX3r
+4g+5heKAwPFlPFbZ3vZ3DQXiliV7jb5nhlx0O6nYG+MoGFmj6hEHDptCASAfdd3j
+4tCxg0FlilXgrgMkJCg+SjW0npZ86jMkfc0WzufUyMjxv2pUUicPNXyWbaQr+PCq
+zs6AsOkmuQ8RUUAqZ+Q0EJfQnjuhql7NCdByNui9S2LmrPcV6TAHHeTwKX733edv
+zsNzaLNgE6TLGXSSRvsW/eZ/uNScPHLybE4wdxxCDwSYCPwaQq34csc3a8SUTWfS
+4UkdbOn7j5sZPx7Jj0uUlm20ZDsj2FUi/0SXNvz5flFQbVsCAwEAAaOCA00wggNJ
+MAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4G
+A1UdDwEB/wQEAwIFoDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmdvZGFk
+ZHkuY29tL2dkaWcyczEtODc4LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcB
+MDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20v
+cmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcw
+AYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8v
+Y2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8G
+A1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDkGA1UdEQQyMDCCFHZwbi53
+b3JsZG9mc3BlZWQub3Jnghh3d3cudnBuLndvcmxkb2ZzcGVlZC5vcmcwHQYDVR0O
+BBYEFGjmOgodY5yPX19UPVcACFpVExz1MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp
+AWcAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWZ5SxEeAAAE
+AwBHMEUCIEL5OLHwBpIALbEnLFQntFlGBe8Oko6U/arr15jU4sLDAiEA6uy8DEnh
+PFLOxXDC3ZaeOlK2+cdx76IAr6M6As74ETEAdgDuS723dc5guuFCaR+r4Z5mow9+
+X7By2IMAxHuJeqj9ywAAAWZ5SxMzAAAEAwBHMEUCIFWIeePa6jdf6y9o/YYxoqWr
+Je3j8W94e4f5bixaGPiyAiEA7aJRZI+aWCE/zz5DpvcyRgkIoSKS3+dKS2irf/mp
+qx0AdQBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWZ5SxPjAAAE
+AwBGMEQCIEkYw6g/cIZBdOUh+ETwl2XX2S0Bv8iGGiaOKOoXqVK6AiAh3eqABfMc
+9b/wLJZo186YgbzmbZB0N3y5TUJKK1oMYDANBgkqhkiG9w0BAQsFAAOCAQEAPEwx
+d597oqiP9/TN8RDrZqhn4uLZ9K5mXOD93RorUN8T8O1kV0B4UcXM1CkU2zxv4a9S
+tG3diHjmfJgcrhpa4i19sZD7+QpTU8j0e82JlsB3MpbtuaiBwqb979c5qNPixQlJ
+kDs4DWf8kV+4B9/DWWLDKvs+FtL8ST8n+LfwstZqi2EyK+1ZyM0p9hkUAzrT/M2h
+Ou1DYELbCt2HaKMHMPSlrkESG7Q9v9Ba23EXElG+oFXxgnPwk4n84rYG8lI8pPyA
+clunJNqc2cISUTDMdgGctCFdSVGyEq+8VVG5Y6Od5LMwtOLKcv+VPi17+iGfxNt/
++dAMbzGIlDuJELwn0g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting.js b/security/manager/ssl/tests/unit/test_crlite_preexisting.js
new file mode 100644
index 0000000000..c788a11b54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting.js
@@ -0,0 +1,208 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that starting a profile with a preexisting CRLite filter and stash
+// works correctly.
+
+"use strict";
+
+add_task(async function test_preexisting_crlite_data() {
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // These need to be available to be able to find them during path building
+ // for certificate verification.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+ let noSCTCertIssuer = constructCertFromFile(
+ "test_crlite_filters/no-sct-issuer.pem"
+ );
+ ok(
+ noSCTCertIssuer,
+ "issuer certificate for certificate without SCTs should decode successfully"
+ );
+
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // We didn't load a data.bin file, so the filter is not considered fresh and
+ // we should get a "no filter" result. We later test that CRLite considers
+ // this cert to be revoked. So success here shows that CRLite is not
+ // consulted when the filter is stale.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ let revokedInStashCert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash.pem"
+ );
+ // The stash may not have loaded yet, so await a task that ensures the stash
+ // loading task has completed.
+ await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve();
+ }
+ );
+ });
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ let revokedInStash2Cert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash-2.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ // This certificate has no embedded SCTs, so it is not guaranteed to be in
+ // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+ // not consulted, and the implementation falls back to OCSP. Since the real
+ // OCSP responder can't be reached, this results in a
+ // SEC_ERROR_OCSP_SERVER_ERROR.
+ let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+ // NB: this will cause an OCSP request to be sent to localhost:80, but
+ // since an OCSP responder shouldn't be running on that port, this should
+ // fail safely.
+ Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ await checkCertErrorGenericAtTime(
+ certdb,
+ noSCTCert,
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "mail233.messagelabs.com",
+ 0
+ );
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+
+ let notCoveredCert = constructCertFromFile(
+ "test_crlite_filters/notcovered.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ notCoveredCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2022-01-07T00:00:00Z").getTime() / 1000,
+ false,
+ "peekaboophonics.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+function run_test() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+ // For simplicity, re-use the filter from test_crlite_filters.js.
+ let crilteFile = do_get_file("test_crlite_filters/20201017-0-filter");
+ crilteFile.copyTo(securityStateDirectory, "crlite.filter");
+ // This stash file and the following cert storage file were obtained by
+ // running just the task `test_crlite_filters_and_check_revocation` in
+ // test_crlite_filters.js, causing it to hang (by adding something like
+ // `add_test(() => {});`), and then copying the files from the temporary
+ // profile directory.
+ let stashFile = do_get_file("test_crlite_preexisting/crlite.stash");
+ stashFile.copyTo(securityStateDirectory, "crlite.stash");
+ let coverageFile = do_get_file("test_crlite_preexisting/crlite.coverage");
+ coverageFile.copyTo(securityStateDirectory, "crlite.coverage");
+ let enrollmentFile = do_get_file("test_crlite_preexisting/crlite.enrollment");
+ enrollmentFile.copyTo(securityStateDirectory, "crlite.enrollment");
+ let certStorageFile = do_get_file(
+ "test_crlite_preexisting/crlite.enrollment"
+ );
+ certStorageFile.copyTo(securityStateDirectory, "crlite.enrollment");
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage
new file mode 100644
index 0000000000..2bd13319e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment
new file mode 100644
index 0000000000..7f34283ded
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment
@@ -0,0 +1 @@
+3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash
new file mode 100644
index 0000000000..25bd87d8eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js
new file mode 100644
index 0000000000..707e2f400b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js
@@ -0,0 +1,91 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted stash file.
+
+"use strict";
+
+add_task(async function test_crlite_stash_corrupted() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+ coverage.copyTo(securityStateDirectory, "crlite.coverage");
+
+ let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+ enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+
+ let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+ filter.copyTo(securityStateDirectory, "crlite.filter");
+
+ let stash = do_get_file("test_crlite_corrupted/bad.stash");
+ stash.copyTo(securityStateDirectory, "crlite.stash");
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ // Await a task that ensures the stash loading task has completed.
+ await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve();
+ }
+ );
+ });
+
+ // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+ // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+ // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // The issuer's certificate needs to be available for path building.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+
+ // Loading the stash should not have caused any problems, and `revokedCert`
+ // should be marked as revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ 0
+ );
+
+ let hasFilter = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasFilter, true, "CRLite should have a filter");
+});
diff --git a/security/manager/ssl/tests/unit/test_ct.js b/security/manager/ssl/tests/unit/test_ct.js
new file mode 100644
index 0000000000..1f436eb44d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct.js
@@ -0,0 +1,72 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+function expectCT(value) {
+ return securityInfo => {
+ Assert.equal(
+ securityInfo.certificateTransparencyStatus,
+ value,
+ "actual and expected CT status should match"
+ );
+ };
+}
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
+ let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+ setCertTrust(cert, ",,");
+});
+
+function run_test() {
+ Services.prefs.setIntPref("security.pki.certificate_transparency.mode", 1);
+ add_tls_server_setup("BadCertAndPinningServer", "test_ct");
+ // These certificates have a validity period of 800 days, which is a little
+ // over 2 years and 2 months. This gets rounded down to 2 years (since it's
+ // less than 2 years and 3 months). Our policy requires N + 1 embedded SCTs,
+ // where N is 2 in this case. So, a policy-compliant certificate would have at
+ // least 3 SCTs.
+ add_connection_test(
+ "ct-valid.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT
+ )
+ );
+ // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
+ add_connection_test(
+ "ct-insufficient-scts.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo
+ .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+ )
+ );
+
+ // Test that if an end-entity is marked as a trust anchor, CT verification
+ // returns a "not enough SCTs" result.
+ add_test(() => {
+ let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+ setCertTrust(cert, "CTu,,");
+ clearSessionCache();
+ run_next_test();
+ });
+ add_connection_test(
+ "ct-valid.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo
+ .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+ )
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
new file mode 100644
index 0000000000..7aebc9f70d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEsjCCA5qgAwIBAgIUYWbExaEcWOn8VCnzXCrC8/k1M0swDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjArMSkwJwYDVQQDDCBjdC1pbnN1ZmZpY2llbnQtc2N0cy5leGFt
+cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOCAeEwggHdMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20w
+ggG/BgorBgEEAdZ5AgQCBIIBrwSCAasBqQB2ACq4MEQzuRTe0vMeQgfyUcF6N6CS
+aFLZCAIG+F5XORYqAAABUfp73AAAAAQDAEcwRQIgXHVRnxMRUM1dit4go7wGMJH/
+snN1XzFk7P3LQoAKcOYCIQDVZ32WWgV1l/Fgxh9REv8IbOX8UFt/Hb9l5PPQ6ERv
+vAEvADEI9rbdchgH8BaVhE2FAla2cZNgg9u9OTSgUFJQGiiSAAABUfp73AAAAAQB
+AQC3fH7lbEnVInbaJk/wI8y4jxueCV+P6nI00DtbVPVqsHBV4Oc1bFwdHkjlqn+w
+fBRcLYSWr3UCRZiZmRdb0mCAV75u+WcvrtdM/eO6dAe7ox81xAUgDK1ncA9W5Lbz
+PSyddearapxCdV/6Oq3JolXdIv1UlEHpMOP17rmHr1QZipLyDWpQQkeCNupETa1z
+lsv1Md8rgLk+bOtTZkdzDnNiSvSA3LK3MsjUas+VWXDe7JAl5lsk9ZYRWI6rlA3K
+1BHH9abwPEatD7WTOMSi0tZmeSF1q+EYyjRfWScJ4ju75/1yc0St1+xd8GO4JUKo
+xN2308VafAxkSsDwfVBNGnH9MA0GCSqGSIb3DQEBCwUAA4IBAQBH2tCkLa+cF98t
+SvbvzSy6sMkDOgjf+XOIF5mlpoCxwsd6lGzKeRyhNmakLUi66jFWFftCPXfFZYAO
+AUw76bNx52iXoUokXS3Oh5uXzKO6JMI/jQnTftLD+KgLOWr4lCyNCFNZfXWPmYHM
+fNA2zPwQKvReGI2hH7sD2TPY3DAQnmqjnmJaYt9DzQiT7VkmYSX5SJnFCO2LcZ6T
+42EOgkj2145W1+9OC6DYJ9e9CErktB30uSUoNAyQyYuAllQFdhVTqvb/FrV4Pkqh
+VPeTPjoeo+rtpQAqeZwVbcir4fBaKVNbZ4iCOvI1wDbGe0en2UnJyQ67135eayVb
+ukqayAVP
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec
new file mode 100644
index 0000000000..c40f26d5d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:ct-insufficient-scts.example.com
+extension:subjectAlternativeName:*.example.com
+extension:embeddedSCTList:secp256r1:20160101,alternate:20160101
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem
new file mode 100644
index 0000000000..cbd21c473b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF1zCCBL+gAwIBAgIUY97zMq7V3aBaCVTHabfwACxYt6kwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRjdC12YWxpZC5leGFtcGxlLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOCAxIwggMOMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wggLwBgorBgEEAdZ5
+AgQCBIIC4ASCAtwC2gEvAFQiJZjzPTZIBULa7ODmuU3hXA7ujFkUykjXXjxIToA/
+AAABUfp73AAAAAQBAQAgzu642vgII0VnX+grl/4o2z1duGvqMcKtYf/Gs9mxKeyl
+6DYlWMGPALkGX29oEyZwm/YX7jafTp7MraDiCvsVx/2xm+jmTcIC3l4cP9giAr6T
+1+O4XvniBFhfmqfBJOXmmllELPhk/VU/FnYFJFXtm2HIOPRBoQiMrb2Kiam7nZ+T
+Wtb8PggqK48NL9iU9gU9SmUFk5q3icGGXzEKorE1V91DIUhUkKSbEh9yKCL9Sqio
+8IbWx5BP4vtuj69XzfT1qSLOburnewCfNE9BrBhCQ1tVsI4Ng2sFO+JEesPepw3d
+11ePBboYVWBBxWvuZKL2eptjpaA+jTo4it/R9BowAHYAKrgwRDO5FN7S8x5CB/JR
+wXo3oJJoUtkIAgb4Xlc5FioAAAFR+nvcAAAABAMARzBFAiBcdVGfExFQzV2K3iCj
+vAYwkf+yc3VfMWTs/ctCgApw5gIhAIKEzUrlYjyiprBc8mlQ42D5RKJ8fIDAnesI
+iYAZeorVAS8AMQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJIAAAFR+nvc
+AAAABAEBAEJAqEDjKXvbby+BCNUW9wbZ5j9YQE5nezooC87RG0tYpLSuFg69nInQ
+mMMA8nNnkUxsZEOp79lsXP6QD8jMV1UKU8rUyIU2zhC230FTyssyQ1wNyA1WIMnl
+y+bohLUToxyIlFv+h9DW5+uDhc1iw13NwNYC2w620XxvdjuPdfGnhtKvdEKJAe/E
+GeQdAsLoYBVgMpg2PflwdenBFwdkgttr53rewaOve8977gdnOBvUc5O7dFW4cOcg
+/wAriiQVW3BEO9v6jpE4SMm6j19hSUS8LMB6x+/DWv3bBUbfi+GyeR3Mb+VTHmAr
+6tr7aAlP/OFDEdkLatOt7UNmV8AB+L4wDQYJKoZIhvcNAQELBQADggEBAIxKu0SR
+1wK6CfynqtpSbtRKc8BSSLF12N1eWi+Gakkwr8n6iDKYu/Q2r0Mkxzalq3YROYPx
+xd+joPjN2MRdzJNaEfCR963/JjfoO0LR8WLDiMlo/ml+ZZyfOwbyNAg+l5D8JrG2
+IS+/47GVfd1zzzX536nan2Y92kw+Dfw/WXzma3MRQ+CW8Uzqpi6qBAm+kr63TOn1
+qkTIdRL/uZ3dqNqlPQl0IjxPMqtwWAkDkjP9CL/DqTxXO6qSXTdHptBFi3ySSpn4
+lP3nJOWZ35dUDknAoNHO2Uo0PB9njtMsLhUMMY3FQJegq2PgXZJWZ6Zuu7vgKG7O
+vjfRjUur20rum0g=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec
new file mode 100644
index 0000000000..0ecf46d89c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:ct-valid.example.com
+extension:subjectAlternativeName:*.example.com
+extension:embeddedSCTList:default:20160101,secp256r1:20160101,alternate:20160101
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key b/security/manager/ssl/tests/unit/test_ct/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem b/security/manager/ssl/tests/unit/test_ct/default-ee.pem
new file mode 100644
index 0000000000..7dd59895af
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg
+0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy
+Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5
+tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/
+Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx
+UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem b/security/manager/ssl/tests/unit/test_ct/test-ca.pem
new file mode 100644
index 0000000000..fcbb0fcb29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP6dLBbQh604kiwoRPLpqmHj72UQwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAP1Cj8YbMVIjc
+8gaNVwru/NzEZsKjsxt6Iv0iWtHgexzoZnj82GzzgpnEtNz8bfTQvaImdkCHXYoV
+wt7BY9ocZBacAPB3QMKF4prgkxwfD+ub6ckbf61o9Vq2aCZdFqO6ef3ji5dkWYBb
+zfuQhmVU3RIvl09ajs4PPDmYp3ebiax2xVcBlP+fuDAeRX5y60yJf6eyNCVbC3M6
+OilriARv855NdhLWagwGX24+dP70HZUvISi/xSW+DNHWndqf1DcCnLreFEDq8F80
+hMCFsmJJEu0uqVFGQfItYlywBC0DJ3EU6votzgMuNa4rGBrMUJnHhzoEE0ISnrWk
+iAobTR3jsQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_data_storage.js b/security/manager/ssl/tests/unit/test_data_storage.js
new file mode 100644
index 0000000000..89d6c2f965
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_data_storage.js
@@ -0,0 +1,119 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+do_get_profile(); // must be done before instantiating nsIDataStorageManager
+
+let dataStorageManager = Cc[
+ "@mozilla.org/security/datastoragemanager;1"
+].getService(Ci.nsIDataStorageManager);
+let dataStorage = dataStorageManager.get(
+ Ci.nsIDataStorageManager.ClientAuthRememberList
+);
+
+add_task(function test_data_storage() {
+ // Test putting a simple key/value pair.
+ dataStorage.put("test", "value", Ci.nsIDataStorage.Persistent);
+ Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Persistent), "value");
+
+ // Test that getting a value with the same key but of a different type throws.
+ Assert.throws(
+ () => dataStorage.get("test", Ci.nsIDataStorage.Private),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "getting a value of a type that hasn't been set yet should throw"
+ );
+
+ // Put with Private data shouldn't affect Persistent data
+ dataStorage.put("test", "private", Ci.nsIDataStorage.Private);
+ Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Private), "private");
+ Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Persistent), "value");
+
+ // Put of a previously-present key overwrites it (if of the same type)
+ dataStorage.put("test", "new", Ci.nsIDataStorage.Persistent);
+ Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Persistent), "new");
+
+ // Removal should work
+ dataStorage.remove("test", Ci.nsIDataStorage.Persistent);
+ Assert.throws(
+ () => dataStorage.get("test", Ci.nsIDataStorage.Persistent),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "getting a removed value should throw"
+ );
+ // But removing one type shouldn't affect the other
+ Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Private), "private");
+ // Test removing the other type as well
+ dataStorage.remove("test", Ci.nsIDataStorage.Private);
+ Assert.throws(
+ () => dataStorage.get("test", Ci.nsIDataStorage.Private),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "getting a removed value should throw"
+ );
+
+ // Saturate the storage tables (there is a maximum of 2048 entries for each
+ // type of data).
+ for (let i = 0; i < 2048; i++) {
+ let padded = i.toString().padStart(4, "0");
+ dataStorage.put(
+ `key${padded}`,
+ `value${padded}`,
+ Ci.nsIDataStorage.Persistent
+ );
+ dataStorage.put(
+ `key${padded}`,
+ `value${padded}`,
+ Ci.nsIDataStorage.Private
+ );
+ }
+ // Ensure the data can be read back.
+ for (let i = 0; i < 2048; i++) {
+ let padded = i.toString().padStart(4, "0");
+ let val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Persistent);
+ Assert.equal(val, `value${padded}`);
+ val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Private);
+ Assert.equal(val, `value${padded}`);
+ }
+ // Remove each entry.
+ for (let i = 0; i < 2048; i++) {
+ let padded = i.toString().padStart(4, "0");
+ dataStorage.remove(`key${padded}`, Ci.nsIDataStorage.Persistent);
+ dataStorage.remove(`key${padded}`, Ci.nsIDataStorage.Private);
+ }
+ // Ensure the entries are not present.
+ for (let i = 0; i < 2048; i++) {
+ let padded = i.toString().padStart(4, "0");
+ Assert.throws(
+ () => dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Persistent),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "getting a removed value should throw"
+ );
+ Assert.throws(
+ () => dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Private),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "getting a removed value should throw"
+ );
+ }
+ // Add new entries.
+ for (let i = 0; i < 2048; i++) {
+ let padded = i.toString().padStart(5, "1");
+ dataStorage.put(
+ `key${padded}`,
+ `value${padded}`,
+ Ci.nsIDataStorage.Persistent
+ );
+ dataStorage.put(
+ `key${padded}`,
+ `value${padded}`,
+ Ci.nsIDataStorage.Private
+ );
+ }
+ // Ensure each new entry was added.
+ for (let i = 0; i < 2048; i++) {
+ let padded = i.toString().padStart(5, "1");
+ let val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Persistent);
+ Assert.equal(val, `value${padded}`);
+ val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Private);
+ Assert.equal(val, `value${padded}`);
+ }
+});
diff --git a/security/manager/ssl/tests/unit/test_db_format_pref_new.js b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
new file mode 100644
index 0000000000..9921948927
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
@@ -0,0 +1,30 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that when PSM initializes, we create the sqlite-backed certificate and
+// key databases.
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let certificateDBFile = profileDir.clone();
+ let certificateDBName = "cert9.db";
+ certificateDBFile.append(certificateDBName);
+ ok(
+ !certificateDBFile.exists(),
+ `${certificateDBName} should not exist beforehand`
+ );
+ let keyDBFile = profileDir.clone();
+ let keyDBName = "key4.db";
+ keyDBFile.append(keyDBName);
+ ok(!keyDBFile.exists(), `${keyDBName} should not exist beforehand`);
+ // This should start PSM.
+ Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+ ok(
+ certificateDBFile.exists(),
+ `${certificateDBName} should exist in the profile`
+ );
+ ok(keyDBFile.exists(), `${keyDBName} should exist in the profile`);
+}
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials.js b/security/manager/ssl/tests/unit/test_delegated_credentials.js
new file mode 100644
index 0000000000..1bb6f70aad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials.js
@@ -0,0 +1,91 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates marked as permitting delegated credentials
+
+function shouldBeDelegatedCredential(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.isDelegatedCredential,
+ "This host should have used a delegated credential"
+ );
+}
+
+function shouldNotBeDelegatedCredential(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.isDelegatedCredential,
+ "This host should not have used a delegated credential"
+ );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+ "DelegatedCredentialsServer",
+ "test_delegated_credentials"
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support disabled
+// Result: Successful connection without DC
+add_test(function () {
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.tls.enable_delegated_credentials",
+ false
+ );
+ run_next_test();
+});
+add_connection_test(
+ "delegated-enabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate does not support DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: SSL_ERROR_DC_INVALID_KEY_USAGE from client when
+// checking DC against EE cert, no DC in aTransportSecurityInfo.
+add_test(function () {
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.tls.enable_delegated_credentials", true);
+ run_next_test();
+});
+add_connection_test(
+ "standard-enabled.example.com",
+ SSL_ERROR_DC_INVALID_KEY_USAGE,
+ null,
+ // We'll never |mHaveCipherSuiteAndProtocol|,
+ // and therefore can't check IsDelegatedCredential
+ null
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support disabled
+// Client DC support enabled
+// Result: Successful connection without DC
+add_connection_test(
+ "delegated-disabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: Successful connection with DC
+add_connection_test(
+ "delegated-enabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeDelegatedCredential
+);
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem
new file mode 100644
index 0000000000..643688e5df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSDCCATCgAwIBAgIUM6z+Vnq3HV8pHyv35ZBjz7giRBcwDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBUxEzARBgNVBAMM
+CmRlZmF1bHQtZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGm
+ClmshwTi7AULQj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQej
+BOqgSqbAo0AwPjATBgNVHSUEDDAKBggrBgEFBQcDATAnBgNVHREEIDAeghxzdGFu
+ZGFyZC1lbmFibGVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBD7Waw
+5pBh1oIJy1vaoLp3xo1SqC7YmisnqhQRCBd5BjCcPQwKPBZ9gzfi9rTXJu5/g/W+
+XAYBtc5AS+vThnQMwkgsXFvB4+LQIRrruHkh4chjgK+bK1Zqlvld/VmWewE+8nSA
+NAhC+q5Jrc+Vls4uXKeKXX3pcHa+P7UVaVlG4vqVqulcZnaBAg4lNhLuobIF3CqU
+DtRGgJ23JyafRuMp9V0/lee2oVsp7lCmuQyFk5dE8CI6FHcOUrWr6yvEdqOfXiWY
+n9bGzGZQjs/oW5mXd7CJxkhdOiDhPVlysjWVtJ47ToFqbwd2YbfFKsK2CbiLuE7F
+BAls8I6YO6+urMmz
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec
new file mode 100644
index 0000000000..5ebe9b5ba7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:delegated-credential-intermediate
+subjectKey:secp256r1
+subject:default-ee
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:standard-enabled.example.com
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem
new file mode 100644
index 0000000000..5166f297b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAXGgAwIBAgIUOSRu0uvKSamln+G0KNOylpfxiI4wDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBcxFTATBgNVBAMM
+DGRlbGVnYXRlZC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5
+saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3st
+B6ME6qBKpsCjfzB9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBI
+BgNVHREEQTA/gh1kZWxlZ2F0ZWQtZW5hYmxlZC5leGFtcGxlLmNvbYIeZGVsZWdh
+dGVkLWRpc2FibGVkLmV4YW1wbGUuY29tMA8GCSsGAQQBgtpLLAQCBQAwDQYJKoZI
+hvcNAQELBQADggEBAF3K+ZdEK4Fr3YR1cX1kDH1wEO7H/2cchr9bwgOrGW3h/7yR
+ZHgtju9C+nXqZIz/d1MEMYVtvz/V6HMlS4S35/E/KNn+cIC196F7LoRighKStVb6
+u6RrWNaQHNV8uXLkcWMyCoWjMhwGLy7azgEysRyfP2/GNrGeUPY08oaz39m0mkYo
+eTcWUgrU7/dpVp15KqsmgwirCUxqPeMc9wWZ3/RvbblyOkIyMtbQGOAzdYysMm0J
+mZwQZUCCiuOqBIzb0EcrOT8cTkD1AbHGGUoNbq6Y+7TEnLDknMYNAhVzDlJWutnu
+qx2u2T7JJPjBax3JOHw92onalNphd1RmK7Mn8fs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec
new file mode 100644
index 0000000000..e90fa3b646
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec
@@ -0,0 +1,7 @@
+issuer:delegated-credential-intermediate
+subject:delegated-ee
+subjectKey:secp256r1
+extension:extKeyUsage:serverAuth
+extension:keyUsage:digitalSignature,keyEncipherment
+extension:subjectAlternativeName:delegated-enabled.example.com,delegated-disabled.example.com
+extension:delegationUsage:
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
new file mode 100644
index 0000000000..1c1af40bda
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDADXHobENn6/oN7ZK2S
+8i9c7QeJGGU4ZptcbYcs7D2SYSKzk3crV2Av8xNl7+E5MkahZANiAAShaHJDNitc
+exiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbl
+uoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/wAvBa9xof3cyDdKpuqc4=
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
new file mode 100644
index 0000000000..11f041d996
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
@@ -0,0 +1 @@
+secp384r1
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem
new file mode 100644
index 0000000000..7cf1b3f500
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUH9EGlBnFySBNYtqAPDhu3DjZpz8wDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMjEx
+MjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowIjEgMB4GA1UEAwwXZGVsZWdhdGVk
+LWNyZWRlbnRpYWwtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAdL3peE+U6IfA/hY4/LW0+wm98/Sd6NHUL
+WZEfdQsL/8q2mcSIA5vHpj0fyZr/WgKUClhrpoH5pB8D0HRU+tPcSdqBDgAVeU99
+G+Kx9JvKUn2mnGvFnypZ7Hr1Gg6pBm5kXlvw3+aFoLwI8AVbLJPVzIRJ4KYN9jap
+YjjklT4OCbFIiRshTniW4FRYveFPXIoQ0rigLVTZ3lW/iywQ9D3g9EXmleqOV+eY
+6aKGcLJC4JnRW58Yf4G2DLOdv2MMJBdF+FAw4YlVYvJbRYq3pbF640lteUXuHBSB
+3jXIYCwJedNHiFYoqAzbxRxNs1iaVy5T1ezUe1AqS+vbbZSIyrNl
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec
new file mode 100644
index 0000000000..91227f5da0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:delegated-credential-ca
+subject:delegated-credential-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem
new file mode 100644
index 0000000000..8675316243
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUMcoNwk27t3m9TJXuVhJUt9CVSncwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMjEx
+MjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowLDEqMCgGA1UEAwwhZGVsZWdhdGVk
+LWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/
+MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAMBXGP30H7gJBhgh/g1xr
+ttnV64iLBe671nDogay6wnSvXvpIRT1Io98Z13YRknPUpMu0q0Ci75NGQx2cJzZA
+jw6WjWFNqUCB1anTUKiAHAZq/PMndK1qpiKkKEDqrkW2sEApysSaSKCx3UR1qgwr
+TMcO03VHJCw2bH7ReYf5/C+K83dgCNf0MHfJxqdLE5EDgm644a/BfKV5PoXDB6Yo
+O02e99drimfXZ1ogFmCFwYgoaO33jQI8RGUaHzclbpFHeAApnd42WzDKpR2yrlGW
+2JfUwkmr1R9zbNGPw1PeVS60iubte9EXx9zxvl7iM4DZ8h/VDVsrAJJ8DvxRv8H+
+Gg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec
new file mode 100644
index 0000000000..64cc4e5693
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:delegated-credential-ca
+subject:delegated-credential-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_der.js b/security/manager/ssl/tests/unit/test_der.js
new file mode 100644
index 0000000000..2d125488e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_der.js
@@ -0,0 +1,345 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests DER.jsm functionality.
+
+// Until DER.jsm is actually used in production code, this is where we have to
+// import it from.
+var { DER } = ChromeUtils.importESModule(
+ "resource://gre/modules/psm/DER.sys.mjs"
+);
+
+function run_simple_tests() {
+ throws(
+ () => new DER.DERDecoder("this is not an array"),
+ /invalid input/,
+ "should throw given non-array input"
+ );
+
+ let testReadByte = new DER.DERDecoder([0x0a, 0x0b]);
+ equal(testReadByte.readByte(), 0x0a, "should read 0x0a");
+ equal(testReadByte.readByte(), 0x0b, "should read 0x0b");
+ throws(
+ () => testReadByte.readByte(),
+ /data truncated/,
+ "reading more data than is available should fail"
+ );
+
+ let testReadBytes = new DER.DERDecoder([0x0c, 0x0d, 0x0e]);
+ deepEqual(
+ testReadBytes.readBytes(3),
+ [0x0c, 0x0d, 0x0e],
+ "should read correct sequence of bytes"
+ );
+
+ let testReadNegativeBytes = new DER.DERDecoder([0xff, 0xaf]);
+ throws(
+ () => testReadNegativeBytes.readBytes(-4),
+ /invalid length/,
+ "reading a negative number of bytes should fail"
+ );
+
+ let testReadZeroBytes = new DER.DERDecoder([]);
+ equal(
+ testReadZeroBytes.readBytes(0).length,
+ 0,
+ "reading zero bytes should result in a zero-length array"
+ );
+
+ let testReadTooManyBytes = new DER.DERDecoder([0xab, 0xcd, 0xef]);
+ throws(
+ () => testReadTooManyBytes.readBytes(4),
+ /data truncated/,
+ "reading too many bytes should fail"
+ );
+
+ let testSEQUENCE = new DER.DERDecoder([0x30, 0x01, 0x01]);
+ let content = testSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+ equal(content.length, 1, "content should have length 1");
+ equal(content[0], 1, "value of content should be [1]");
+ ok(testSEQUENCE.atEnd(), "testSEQUENCE should be at the end of its input");
+ testSEQUENCE.assertAtEnd();
+
+ // The length purports to be 4 bytes, but there are only 2 available.
+ let truncatedSEQUENCE = new DER.DERDecoder([0x30, 0x04, 0x00, 0x00]);
+ throws(
+ () => truncatedSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /data truncated/,
+ "should get 'data truncated' error"
+ );
+
+ // With 2 bytes of content, there is 1 remaining after reading the content.
+ let extraDataSEQUENCE = new DER.DERDecoder([0x30, 0x02, 0xab, 0xcd, 0xef]);
+ content = extraDataSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+ equal(content.length, 2, "content should have length 2");
+ deepEqual(content, [0xab, 0xcd], "value of content should be [0xab, 0xcd]");
+ ok(
+ !extraDataSEQUENCE.atEnd(),
+ "extraDataSEQUENCE should not be at the end of its input"
+ );
+ throws(
+ () => extraDataSEQUENCE.assertAtEnd(),
+ /extra data/,
+ "should get 'extra data' error"
+ );
+
+ // The length of 0x81 0x01 is invalid because it could be encoded as just
+ // 0x01, which is shorter.
+ let invalidLengthSEQUENCE1 = new DER.DERDecoder([0x30, 0x81, 0x01, 0x00]);
+ throws(
+ () => invalidLengthSEQUENCE1.readTagAndGetContents(DER.SEQUENCE),
+ /invalid length/,
+ "should get 'invalid length' error"
+ );
+
+ // Similarly, 0x82 0x00 0x01 could be encoded as just 0x01, which is shorter.
+ let invalidLengthSEQUENCE2 = new DER.DERDecoder([
+ 0x30, 0x82, 0x00, 0x01, 0x00,
+ ]);
+ throws(
+ () => invalidLengthSEQUENCE2.readTagAndGetContents(DER.SEQUENCE),
+ /invalid length/,
+ "should get 'invalid length' error"
+ );
+
+ // Lengths requiring 4 bytes to encode are not supported.
+ let unsupportedLengthSEQUENCE = new DER.DERDecoder([
+ 0x30, 0x83, 0x01, 0x01, 0x01,
+ ]);
+ throws(
+ () => unsupportedLengthSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /unsupported length/,
+ "should get 'unsupported length' error"
+ );
+
+ // Indefinite lengths are not supported (and aren't DER anyway).
+ let unsupportedASN1SEQUENCE = new DER.DERDecoder([
+ 0x30, 0x80, 0x01, 0x00, 0x00,
+ ]);
+ throws(
+ () => unsupportedASN1SEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /unsupported asn.1/,
+ "should get 'unsupported asn.1' error"
+ );
+
+ let unexpectedTag = new DER.DERDecoder([0x31, 0x01, 0x00]);
+ throws(
+ () => unexpectedTag.readTagAndGetContents(DER.SEQUENCE),
+ /unexpected tag/,
+ "should get 'unexpected tag' error"
+ );
+
+ let readTLVTestcase = new DER.DERDecoder([0x02, 0x03, 0x45, 0x67, 0x89]);
+ let bytes = readTLVTestcase.readTLV();
+ deepEqual(
+ bytes,
+ [0x02, 0x03, 0x45, 0x67, 0x89],
+ "bytes read with readTLV should be equal to expected value"
+ );
+
+ let peekTagTestcase = new DER.DERDecoder([0x30, 0x01, 0x00]);
+ ok(
+ peekTagTestcase.peekTag(DER.SEQUENCE),
+ "peekTag should return true for peeking with a SEQUENCE at a SEQUENCE"
+ );
+ ok(
+ !peekTagTestcase.peekTag(DER.SET),
+ "peekTag should return false for peeking with a SET at a SEQUENCE"
+ );
+ peekTagTestcase.readTLV();
+ ok(
+ !peekTagTestcase.peekTag(DER.SEQUENCE),
+ "peekTag should return false for peeking at a DER with no more data"
+ );
+
+ let tlvChoiceTestcase = new DER.DERDecoder([0x31, 0x02, 0xaa, 0xbb]);
+ let tlvChoiceContents = tlvChoiceTestcase.readTLVChoice([DER.NULL, DER.SET]);
+ deepEqual(
+ tlvChoiceContents,
+ [0x31, 0x02, 0xaa, 0xbb],
+ "readTLVChoice should return expected bytes"
+ );
+
+ let tlvChoiceNoMatchTestcase = new DER.DERDecoder([0x30, 0x01, 0xff]);
+ throws(
+ () => tlvChoiceNoMatchTestcase.readTLVChoice([DER.NULL, DER.SET]),
+ /unexpected tag/,
+ "readTLVChoice should throw if no matching tag is found"
+ );
+}
+
+function run_bit_string_tests() {
+ let bitstringDER = new DER.DERDecoder([0x03, 0x04, 0x03, 0x01, 0x02, 0xf8]);
+ let bitstring = bitstringDER.readBIT_STRING();
+ equal(bitstring.unusedBits, 3, "BIT STRING should have 3 unused bits");
+ deepEqual(
+ bitstring.contents,
+ [0x01, 0x02, 0xf8],
+ "BIT STRING should have expected contents"
+ );
+
+ let bitstringTooManyUnusedBits = new DER.DERDecoder([0x03, 0x02, 0x08, 0x00]);
+ throws(
+ () => bitstringTooManyUnusedBits.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with too many unused bits should throw"
+ );
+
+ // A BIT STRING must have the unused bits byte, and so its length must be at
+ // least one.
+ let bitstringMissingUnusedBits = new DER.DERDecoder([0x03, 0x00]);
+ throws(
+ () => bitstringMissingUnusedBits.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with missing unused bits (and no contents) should throw"
+ );
+
+ // The minimal BIT STRING is 03 01 00 (zero bits of padding and zero bytes of
+ // content).
+ let minimalBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x00]);
+ let minimalBitstring = minimalBitstringDER.readBIT_STRING();
+ equal(
+ minimalBitstring.unusedBits,
+ 0,
+ "minimal BIT STRING should have 0 unused bits"
+ );
+ equal(
+ minimalBitstring.contents.length,
+ 0,
+ "minimal BIT STRING should have empty contents"
+ );
+
+ // However, a BIT STRING with zero bytes of content can't have any padding,
+ // because that makes no sense.
+ let noContentsPaddedBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x03]);
+ throws(
+ () => noContentsPaddedBitstringDER.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with no contents with non-zero padding should throw"
+ );
+}
+
+function run_compound_tests() {
+ let derBytes = [
+ 0x30,
+ 0x1a, // SEQUENCE
+ 0x02,
+ 0x02,
+ 0x77,
+ 0xff, // INTEGER
+ 0x06,
+ 0x03,
+ 0x2b,
+ 0x01,
+ 0x01, // OBJECT IDENTIFIER
+ 0x30,
+ 0x07, // SEQUENCE
+ 0x05,
+ 0x00, // NULL
+ 0x02,
+ 0x03,
+ 0x45,
+ 0x46,
+ 0x47, // INTEGER
+ 0x30,
+ 0x06, // SEQUENCE
+ 0x02,
+ 0x02,
+ 0x00,
+ 0xff, // INTEGER
+ 0x05,
+ 0x00,
+ ]; // NULL
+ let der = new DER.DERDecoder(derBytes);
+ let contents = new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE));
+ let firstINTEGER = contents.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ firstINTEGER,
+ [0x77, 0xff],
+ "first INTEGER should have expected value"
+ );
+ let oid = contents.readTagAndGetContents(DER.OBJECT_IDENTIFIER);
+ deepEqual(
+ oid,
+ [0x2b, 0x01, 0x01],
+ "OBJECT IDENTIFIER should have expected value"
+ );
+
+ let firstNested = new DER.DERDecoder(
+ contents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let firstNestedNULL = firstNested.readTagAndGetContents(DER.NULL);
+ equal(
+ firstNestedNULL.length,
+ 0,
+ "first nested NULL should have expected value (empty array)"
+ );
+ let firstNestedINTEGER = firstNested.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ firstNestedINTEGER,
+ [0x45, 0x46, 0x47],
+ "first nested INTEGER should have expected value"
+ );
+ firstNested.assertAtEnd();
+
+ let secondNested = new DER.DERDecoder(
+ contents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let secondNestedINTEGER = secondNested.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ secondNestedINTEGER,
+ [0x00, 0xff],
+ "second nested INTEGER should have expected value"
+ );
+ let secondNestedNULL = secondNested.readTagAndGetContents(DER.NULL);
+ equal(
+ secondNestedNULL.length,
+ 0,
+ "second nested NULL should have expected value (empty array)"
+ );
+ secondNested.assertAtEnd();
+
+ contents.assertAtEnd();
+ der.assertAtEnd();
+
+ let invalidDERBytes = [
+ 0x30,
+ 0x06, // SEQUENCE
+ 0x30,
+ 0x02, // SEQUENCE
+ 0x02,
+ 0x01, // INTEGER (missing data)
+ 0x05,
+ 0x00, // NULL
+ 0x00,
+ 0x00,
+ ]; // (extra data)
+ let invalidDER = new DER.DERDecoder(invalidDERBytes);
+ let invalidContents = new DER.DERDecoder(
+ invalidDER.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let invalidContentsContents = new DER.DERDecoder(
+ invalidContents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ throws(
+ () => invalidContentsContents.readTagAndGetContents(DER.INTEGER),
+ /data truncated/,
+ "should throw due to missing data"
+ );
+ let nestedNULL = invalidContents.readTagAndGetContents(DER.NULL);
+ equal(nestedNULL.length, 0, "nested NULL should have expected value");
+ invalidContents.assertAtEnd();
+ throws(
+ () => invalidDER.assertAtEnd(),
+ /extra data/,
+ "should throw due to extra data"
+ );
+}
+
+function run_test() {
+ run_simple_tests();
+ run_bit_string_tests();
+ run_compound_tests();
+}
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
new file mode 100644
index 0000000000..945a9ea83f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
@@ -0,0 +1,101 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of Encrypted Client Hello. These ECHConfigs
+// can be regenerated by running EncryptedClientHelloServer
+// and dumping the output of SSL_EncodeEchConfig. They do not
+// expire. An update here is only needed if the host or ECH
+// ciphersuite configuration changes, or if the keypair in
+// EncryptedClientHelloServer.cpp is modified.
+
+// Public name: ech-public.example.com
+const ECH_CONFIG_FIXED =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: ech-public.example.com, Unsupported AEAD to prompt retry_configs from a trusted host.
+const ECH_CONFIG_TRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: selfsigned.example.com. Unsupported AEAD to prompt retry_configs from an untrusted host.
+const ECH_CONFIG_UNTRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWc2VsZnNpZ25lZC5leGFtcGxlLmNvbQAA";
+
+function shouldBeAcceptedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.isAcceptedEch,
+ "This host should have accepted ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+function shouldBeRejectedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.isAcceptedEch,
+ "This host should have rejected ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+ "EncryptedClientHelloServer",
+ "test_encrypted_client_hello"
+);
+
+// Connect directly without ECH first
+add_connection_test(
+ "ech-public.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeRejectedEch
+);
+
+// Connect with ECH
+add_connection_test(
+ "ech-private.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeAcceptedEch,
+ null,
+ null,
+ ECH_CONFIG_FIXED
+);
+
+// Trigger retry_configs by setting an ECHConfig with a different.
+// AEAD than the server supports.
+add_connection_test(
+ "ech-private.example.com",
+ SSL_ERROR_ECH_RETRY_WITH_ECH,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_TRUSTED_RETRY
+);
+
+// Trigger retry_configs, but from a host that is untrusted
+// (due to a self-signed certificate for the public name).
+// Retry_configs must not be used or reported as available.
+add_connection_test(
+ "ech-private.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_UNTRUSTED_RETRY
+);
+
+// A client-only (retry_without_ech) test is located in
+// test_encrypted_client_hello_client_only.js We can't easily restart
+// a different server (one without ECHConfigs) here, so put that
+// test in a different file that launches a non-ECH server.
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem
new file mode 100644
index 0000000000..3798f9e7ac
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUA30gCeGZUzW19TdSgFzEzsz99F4wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBgxFjAUBgNVBAMMDWVjaC1wdWJsaWMtZWUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjJTAjMCEG
+A1UdEQQaMBiCFmVjaC1wdWJsaWMuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBAAK/T2GpSqzGsq0GIEE5FOwdT0flR4EZF3qPfsBgnqoXuAgEV3kkk3i8Q9uj
+GtZy6ZeVoglBNJyu2sk9cQqVBlFH5d8IPonMz00QH+hKVm1wctfrnpIAGI8LJ+I0
+sHuCpZ/UhCIjq1uGIRwk+tevQYEarK+v7yQKSg4ZfNjHJM9ANZdrJIny/CT9vHeY
+eXLMpXVjtIQMb7kZhSV0lO+Rsgx1+Va0egAlDQXmlDvgVroZ0NvHYh/PVMpWeM5X
+/NofY9aiZTA1mDRiPanEb4tydGhEhxAq0Fkrm+xrvTKZnTr4YiH30jijxdXCxqus
+50tWhsXsfrotZo2HIPQidcBMyQg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec
new file mode 100644
index 0000000000..d5c332ceec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ech-ca
+subject:ech-public-ee
+extension:subjectAlternativeName:ech-public.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem
new file mode 100644
index 0000000000..956217345d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIURclFOLehdaOiDnc45xBlvKkG+kowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBkxFzAVBgNVBAMMDmVjaC1wcml2YXRlLWVlMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAi
+BgNVHREEGzAZghdlY2gtcHJpdmF0ZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF
+AAOCAQEAj3KenVOhURkHCinDUd20aOG7Lx/sal+pyqrjZr5SNUZcblvrvZfNg7DB
+K80PmoYKcbV00A26AQ85Kw58fvo/eZVQXPFjXjecD6ThNpQUhVGhbOdstf2NFTyY
+nvLqMwMacLV8rw5yojzg+Ek+OUAYXDtkOWRONFxNoN/c1VsTJDgEXjtJ0lLl+yTf
+z1A6jf0oAZkLImLSPxGDXwJEACteBzipgu7fUO1NdfNzzDyHKXeMtggP/pdzG2zN
+ULiW5vWbQ1G1gd3j1CYLp9yjn2FKXsVXBYQe9a38h04yv/E+qMKUOIEdqq/QnOgY
+F8fDOg4/pu9jp/yDgaA9kWHHg2viWw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec
new file mode 100644
index 0000000000..c152462f0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ech-ca
+subject:ech-private-ee
+extension:subjectAlternativeName:ech-private.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem
new file mode 100644
index 0000000000..dd7563e4ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUU2XHQYKJ564qpSZWtC7yYzDkXOkwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt
+c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMlMCMwIQYDVR0RBBowGIIWc2Vs
+ZnNpZ25lZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAEKq/dqASIsY1
+VbcEGjEO8BIQTBVtHT0YThCI+nm1PjVU9rnS+5JxJBwC78pYturbF3Lxt7QdYBSu
+bM7xCpWVRFcUy2yEXRtCq3JK3gPnyqSEs/t3QKT0xQkbW9KNLb1j/P6sZgaCIrgw
+oNb1yxJ3erz7EwIFPPo0fv3pAkNEXiMc5n5qcKBbb2UObkXCG8kozQ8WlYL34ITo
+QdYTnV1PFK9Vs6Rdnl3ZT4hvo1lG8DqavO/grDCTowdvC2z0as6bUlpTqBSC01/d
+j0aMLR874A3ziqv5wrZMsZ4LHRds5oitYZ+2l5/ipzMIRhGOb+KcoFkugyPj+ygZ
+58jtjJscEQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec
new file mode 100644
index 0000000000..438a08eba2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Self-signed Test End-entity
+subject:Self-signed Test End-entity
+extension:subjectAlternativeName:selfsigned.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem
new file mode 100644
index 0000000000..bf6cdd61e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUYW+Fuy67Xb3Ao+tju/Rkb1aDZigwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBExDzANBgNVBAMMBmVjaC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAHlfXnUE2f8W5C5C
+ezkHvHpItFTAi6YW73Xra0pLA5G1oL6PV4ep+TKQUTcXvHMMQSCKGHohn9SmyCLD
+rMgACAdu8pRizKmqw8gqj63tg2m8WyHZt9sXg5MiV/MyQHGtdwfHSPKTAUzMkbrX
+JK8zJVblKGjKEqu8EgUAop1N4D+1aga8BwZIfvMOJ5Xfkftz/6c+jhPnUWwBnIRw
+rKX+zEXQJGo1fMWeODGoJeqbih0fxmmpKEXcBlLvuAxTbsG+nxpndfnKlvWsmtBw
+pppdvWLEeEZsTYEmxvwAu7era3i+z9ce1Pxfo1YJEIZBG7zC1HpX2s3wQJOEMlX8
+7CIrA7I=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec
new file mode 100644
index 0000000000..1735a15075
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ech-ca
+subject:ech-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
new file mode 100644
index 0000000000..0949bc6038
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
@@ -0,0 +1,32 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Public Name = delegated-enabled.example.com
+const ECH_CONFIG_FIXED =
+ "AFD+DQBMTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QdZGVsZWdhdGVkLWVuYWJsZWQuZXhhbXBsZS5jb20AAA==";
+do_get_profile();
+
+// An arbitrary, non-ECH server.
+add_tls_server_setup(
+ "DelegatedCredentialsServer",
+ "test_delegated_credentials"
+);
+
+add_test(function () {
+ clearSessionCache();
+ run_next_test();
+});
+
+// Connect, sending ECH. The server is not configured for it,
+// but *is* authoritative for the public name.
+add_connection_test(
+ "delegated-disabled.example.com",
+ SSL_ERROR_ECH_RETRY_WITHOUT_ECH,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_FIXED
+);
diff --git a/security/manager/ssl/tests/unit/test_enterprise_roots.js b/security/manager/ssl/tests/unit/test_enterprise_roots.js
new file mode 100644
index 0000000000..0483e44e45
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_enterprise_roots.js
@@ -0,0 +1,83 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests enterprise root certificate support. When configured to do so, the
+// platform will attempt to find and import enterprise root certificates. This
+// feature is specific to Windows.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_no_enterprise_roots_imported(
+ nssComponent,
+ certDB,
+ dbKey = undefined
+) {
+ let enterpriseRoots = nssComponent.getEnterpriseRoots();
+ notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+ equal(
+ enterpriseRoots.length,
+ 0,
+ "should not have imported any enterprise roots"
+ );
+ if (dbKey) {
+ let cert = certDB.findCertByDBKey(dbKey);
+ // If the garbage-collector hasn't run, there may be reachable copies of
+ // imported enterprise root certificates. If so, they shouldn't be trusted
+ // to issue TLS server auth certificates.
+ if (cert) {
+ await asyncTestCertificateUsages(certDB, cert, []);
+ }
+ }
+}
+
+async function check_some_enterprise_roots_imported(nssComponent, certDB) {
+ let enterpriseRoots = nssComponent.getEnterpriseRoots();
+ notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+ notEqual(
+ enterpriseRoots.length,
+ 0,
+ "should have imported some enterprise roots"
+ );
+ let foundNonBuiltIn = false;
+ let savedDBKey = null;
+ for (let certDer of enterpriseRoots) {
+ let cert = certDB.constructX509(certDer);
+ notEqual(cert, null, "should be able to decode cert from DER");
+ if (!savedDBKey) {
+ foundNonBuiltIn = true;
+ savedDBKey = cert.dbKey;
+ info("saving dbKey from " + cert.commonName);
+ await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]);
+ break;
+ }
+ }
+ ok(foundNonBuiltIn, "should have found non-built-in root");
+ return savedDBKey;
+}
+
+add_task(async function run_test() {
+ let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
+ await check_some_enterprise_roots_imported(nssComponent, certDB);
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+ await check_no_enterprise_roots_imported(nssComponent, certDB);
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
+ await TestUtils.topicObserved("psm:enterprise-certs-imported");
+ let savedDBKey = await check_some_enterprise_roots_imported(
+ nssComponent,
+ certDB
+ );
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+ await check_no_enterprise_roots_imported(nssComponent, certDB, savedDBKey);
+});
diff --git a/security/manager/ssl/tests/unit/test_ev_certs.js b/security/manager/ssl/tests/unit/test_ev_certs.js
new file mode 100644
index 0000000000..f163623919
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -0,0 +1,310 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that end-entity certificates that should successfully verify as EV
+// (Extended Validation) do so and that end-entity certificates that should not
+// successfully verify as EV do not. Also tests related situations (e.g. that
+// failure to fetch an OCSP response results in no EV treatment).
+//
+// A quick note about the certificates in these tests: generally, an EV
+// certificate chain will have an end-entity with a specific policy OID followed
+// by an intermediate with the anyPolicy OID chaining to a root with no policy
+// OID (since it's a trust anchor, it can be omitted). In these tests, the
+// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
+// referred to as the test OID. In order to reflect what will commonly be
+// encountered, the end-entity of any given test path will have the test OID
+// unless otherwise specified in the name of the test path. Similarly, the
+// intermediate will have the anyPolicy OID, again unless otherwise specified.
+// For example, for the path where the end-entity does not have an OCSP URI
+// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
+// whereas the intermediate has the anyPolicy OID.
+// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
+// the end-entity and the intermediate have the test OID.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+const evroot = addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+class EVCertVerificationResult {
+ constructor(
+ testcase,
+ expectedPRErrorCode,
+ expectedEV,
+ resolve,
+ ocspResponder
+ ) {
+ this.testcase = testcase;
+ this.expectedPRErrorCode = expectedPRErrorCode;
+ this.expectedEV = expectedEV;
+ this.resolve = resolve;
+ this.ocspResponder = ocspResponder;
+ }
+
+ verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
+ equal(
+ prErrorCode,
+ this.expectedPRErrorCode,
+ `${this.testcase} should have expected error code`
+ );
+ equal(
+ hasEVPolicy,
+ this.expectedEV,
+ `${this.testcase} should result in expected EV status`
+ );
+ this.ocspResponder.stop(this.resolve);
+ }
+}
+
+function asyncTestEV(
+ cert,
+ expectedPRErrorCode,
+ expectedEV,
+ expectedOCSPRequestPaths,
+ ocspResponseTypes = undefined
+) {
+ let now = Date.now() / 1000;
+ return new Promise((resolve, reject) => {
+ let ocspResponder = expectedOCSPRequestPaths.length
+ ? startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ev_certs",
+ expectedOCSPRequestPaths,
+ expectedOCSPRequestPaths.slice(),
+ null,
+ ocspResponseTypes
+ )
+ : failingOCSPResponder();
+ let result = new EVCertVerificationResult(
+ cert.subjectName,
+ expectedPRErrorCode,
+ expectedEV,
+ resolve,
+ ocspResponder
+ );
+ certdb.asyncVerifyCertAtTime(
+ cert,
+ certificateUsageSSLServer,
+ 0,
+ "ev-test.example.com",
+ now,
+ result
+ );
+ });
+}
+
+function ensureVerifiesAsEV(testcase) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ let expectedOCSPRequestPaths = [`${testcase}-ee`];
+ return asyncTestEV(
+ cert,
+ PRErrorCodeSuccess,
+ gEVExpected,
+ expectedOCSPRequestPaths
+ );
+}
+
+function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
+}
+
+function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ return asyncTestEV(
+ cert,
+ PRErrorCodeSuccess,
+ false,
+ expectedOCSPRequestPaths ? expectedOCSPRequestPaths : [`${testcase}-ee`]
+ );
+}
+
+function ensureVerificationFails(testcase, expectedPRErrorCode) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ return asyncTestEV(cert, expectedPRErrorCode, false, []);
+}
+
+function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ let now = Date.now() / 1000;
+ let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
+ if (expectSuccess && gEVExpected) {
+ expectedErrorCode = PRErrorCodeSuccess;
+ }
+ return new Promise((resolve, reject) => {
+ let ocspResponder = failingOCSPResponder();
+ let result = new EVCertVerificationResult(
+ cert.subjectName,
+ expectedErrorCode,
+ expectSuccess && gEVExpected,
+ resolve,
+ ocspResponder
+ );
+ let flags =
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
+ certdb.asyncVerifyCertAtTime(
+ cert,
+ certificateUsageSSLServer,
+ flags,
+ "ev-test.example.com",
+ now,
+ result
+ );
+ });
+}
+
+function ensureNoOCSPMeansNoEV(testcase) {
+ return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
+}
+
+function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
+ return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
+}
+
+function verifyWithOCSPResponseType(testcase, response, expectEV) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ let expectedOCSPRequestPaths = [`${testcase}-ee`];
+ let ocspResponseTypes = [response];
+ return asyncTestEV(
+ cert,
+ PRErrorCodeSuccess,
+ gEVExpected && expectEV,
+ expectedOCSPRequestPaths,
+ ocspResponseTypes
+ );
+}
+
+function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
+ return verifyWithOCSPResponseType(testcase, "longvalidityalmostold", false);
+}
+
+function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
+ return verifyWithOCSPResponseType(testcase, "ancientstillvalid", false);
+}
+
+// These should all verify as EV.
+add_task(async function plainExpectSuccessEVTests() {
+ await ensureVerifiesAsEV("anyPolicy-int-path");
+ await ensureVerifiesAsEV("test-oid-path");
+ await ensureVerifiesAsEV("cabforum-oid-path");
+ await ensureVerifiesAsEV("cabforum-and-test-oid-ee-path");
+ await ensureVerifiesAsEV("test-and-cabforum-oid-ee-path");
+ await ensureVerifiesAsEV("reverse-order-oids-path");
+ // In this case, the end-entity has both the CA/B Forum OID and the test OID
+ // (in that order). The intermediate has the CA/B Forum OID. Since the
+ // implementation tries all EV policies it encounters, this successfully
+ // verifies as EV.
+ await ensureVerifiesAsEV("cabforum-and-test-oid-ee-cabforum-oid-int-path");
+ // In this case, the end-entity has both the test OID and the CA/B Forum OID
+ // (in that order). The intermediate has only the CA/B Forum OID. Since the
+ // implementation tries all EV policies it encounters, this successfully
+ // verifies as EV.
+ await ensureVerifiesAsEV("test-and-cabforum-oid-ee-cabforum-oid-int-path");
+});
+
+// These fail for various reasons to verify as EV, but fallback to DV should
+// succeed.
+add_task(async function expectDVFallbackTests() {
+ await ensureVerifiesAsDV("anyPolicy-ee-path");
+ await ensureVerifiesAsDV("non-ev-root-path");
+ await ensureVerifiesAsDV("no-ocsp-ee-path", []);
+ await ensureVerifiesAsEV("no-ocsp-int-path");
+ // In this case, the end-entity has the test OID and the intermediate has the
+ // CA/B Forum OID. Since the CA/B Forum OID is not treated the same as the
+ // anyPolicy OID, this will not verify as EV.
+ await ensureVerifiesAsDV("test-oid-ee-cabforum-oid-int-path");
+});
+
+// Test that removing the trust bits from an EV root causes verifications
+// relying on that root to fail (and then test that adding back the trust bits
+// causes the verifications to succeed again).
+add_task(async function evRootTrustTests() {
+ clearOCSPCache();
+ info("untrusting evroot");
+ certdb.setCertTrust(
+ evroot,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.UNTRUSTED
+ );
+ await ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
+ info("re-trusting evroot");
+ certdb.setCertTrust(
+ evroot,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ );
+ await ensureVerifiesAsEV("test-oid-path");
+});
+
+// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
+// requests are made (this also means that nothing will verify as EV).
+add_task(async function localOnlyMustBeEVTests() {
+ clearOCSPCache();
+ await ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
+ await ensureNoOCSPMeansNoEV("anyPolicy-int-path");
+ await ensureNoOCSPMeansNoEV("non-ev-root-path");
+ await ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
+ await ensureNoOCSPMeansNoEV("no-ocsp-int-path");
+ await ensureNoOCSPMeansNoEV("test-oid-path");
+});
+
+// Prime the OCSP cache and then ensure that we can validate certificates as EV
+// without hitting the network. There's two cases here: one where we simply
+// validate like normal and then check that the network was never accessed and
+// another where we use flags to mandate that the network not be used.
+add_task(async function ocspCachingTests() {
+ clearOCSPCache();
+
+ await ensureVerifiesAsEV("anyPolicy-int-path");
+ await ensureVerifiesAsEV("test-oid-path");
+
+ await ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
+ await ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
+
+ await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
+ await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
+});
+
+// Old-but-still-valid OCSP responses are accepted for intermediates but not
+// end-entity certificates (because of OCSP soft-fail this results in DV
+// fallback).
+add_task(async function oldOCSPResponseTests() {
+ clearOCSPCache();
+
+ clearOCSPCache();
+ await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
+ await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
+
+ clearOCSPCache();
+ await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
+ "anyPolicy-int-path"
+ );
+ await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
+});
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
new file mode 100644
index 0000000000..b4697cfe15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUbwD0XgCeMxS5MOc0d8xmf9Gzx+kwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVYW55UG9saWN5LWVlLXBhdGgtaW50MCIYDzIwMjIxMTI3
+MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMB8xHTAbBgNVBAMMFGFueVBvbGljeS1l
+ZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GFMIGCME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw
+AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1lZS1wYXRo
+LWVlLzARBgNVHSAECjAIMAYGBFUdIAAwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAYxTA02oIEsPT02PhS6ScSijDeF3u
+8zC0E8D9d0Jx3gtKnpL7OKxvQ53JK8EhglABJoBDLF7FXb9kG7RuCdzu7PFU1bYQ
+uVb7Kb0TEyi9pWN5T9AiHHmvuH8TSOOrZBWOWx+ZvrdpzwnNgzLOCf6v4OATYxOw
+C8jw8ZxaD+OmzXXt0vJtexPY31C0DJ9b9Xo4prq1p3PqmXzOGDysGHvhkE4WfH/f
+wihKy64g7hwGRYlVfquqpw4NOu3tP0g1nZKvhAWjHcYbjyKagWsEKk/warEfGJP4
+Oi3x2DlLf6xpJd6SWCufvC77yufMr5s99EAAViDSmyv5J/au4xaBmGyLYQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..a9175c32ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-ee-path-int
+subject:anyPolicy-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
+extension:certificatePolicies:any
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
new file mode 100644
index 0000000000..e619dfd5e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIUNxMoepEOaQpYT31BFrMD/Z7B9DkwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOBgDB+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw
+QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBv
+bGljeS1lZS1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEB
+CwUAA4IBAQCBiyD3v/gx9nMBkq3kHN6lF+x5OAt3/enHwsLPKKQR+wAO44OUG1Ed
+McKmdZBpQG+6+bts+7hFpD2X0KoOe68t9UYW2rMFBcqmr9bI+GgupefobrQiUM5+
+3IyFEVQ98LA4+SUcIZwWprqvoJS4SQJpk7mssScjeyiWB8EKiEyOTzBmTYPzO3xw
+cy9NnQ8hKQqsmYs9h2HDqyJx5HGByX0j1LR5o+J6Ismh8iUmW82+SPDByF6/Gj0R
+8I4Ae31EVsILE9DLoHV3QBxUuR+Vf1ChpZdRWO9rpZTeng+jzJfdsqnCX379vIf6
+vaEUkVFS8467aBpRZ3r7Xfmbx21FuxPE
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..c49f6c4bcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
new file mode 100644
index 0000000000..0cd376dbd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUO84CcGnTBu9BMz4TYOnuEQNV4TcwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWYW55UG9saWN5LWludC1wYXRoLWludDAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3kt
+aW50LXBhdGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjgZQwgZEwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUF
+BzABhjJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9saWN5LWludC1w
+YXRoLWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREE
+FzAVghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB/wMqq
+8UupZcCbUZyhhbfn9fYneG3VHo+yEdv1r0Su4qxV/3hFC8t+XhygDq6162x68s8z
+uFCjj1lFLCnP2eo4DMQcVeh7im8gqqc0Nk9Ix0EJ6FUYXuuuwxQQ/Y2AgPZCZj4D
+xHCBry2nTwm4VB5BrvRSsp/sWh5AqGNOPoJMgXcRuKSZNNc7e0dcjvX2YWo1et3u
+SCMlOrTkfwjiQBH0jRQwRLl4wQouZpaijq3xZ24/eFj+Sc2KBsOcq/5tC4OszeHJ
+AEFSaEPfkuK9MOEL/2Fp0j9+baarPdhACtMkjLWCOmpIu0PhsxXS9E0hpt5E+qUk
+Eq0DaESFkrhEIewJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..1c643c2f95
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-int-path-int
+subject:anyPolicy-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
new file mode 100644
index 0000000000..7467532782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRjCCAi6gAwIBAgIUS/Uo89DTxT+sWh6HxJ7vj5wekP8wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAGjgYEwfzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD
+MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQ
+b2xpY3ktaW50LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcN
+AQELBQADggEBADVmaATxyEWwYumgxxDW828NxMoDjkPsa06EVGi0AKqDNGmGLUL6
+1h1w/+K8fl2t41MGRwdc33cZOVzURnyUGx0QBeUxGsH+kNMj1wVMy24iCVcvHGja
+yHuOmLq5sMBErJhZfgMnvujl3/sFl9ZaT2OjSqa7sofghd5O9xZLtBTsvyvRDnIn
+4lQljHVnkoKYJAeBi8X6QbQlXXqEUbnlpTiAPkW/O0EyUP6v/rpcvbOqMD47HdiR
+7lOM52u5Pc4Nywqm3Pp4Ob7jTiFJY5YAk3du+UHfCIOP2NiI9wsuvQiY7k31Qiiu
+xIJUCPBbWbo8tiFRp7IqKoX+D2FLxh0dcBE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
new file mode 100644
index 0000000000..5f5adacc7f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..337a1af520
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUZ3fwSK5rjndC9saKVC9SF9bKSo8wDQYJKoZIhvcNAQEL
+BQAwPTE7MDkGA1UEAwwyY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZvcnVt
+LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowPDE6MDgGA1UEAwwxY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZv
+cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww
+WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9jYWJmb3J1
+bS1hbmQtdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV
+HSAEITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQC3m7B2CxtY
+x5uWArmwgaMzKSFaYoCYfDxb73X7tjtm0rcsonpsTyBZzkjTxiHYl96218wWEo2T
+XR/S83jo37mfqCZLHgLa6pjxKzc+wdxjGiDjLwPk33IYTaAzfwMeQ0d7BF2xMAsF
+fccpgwO5OlntOIJhIMBbtLzJurrdog7Jnl50Dkuh8kfg0Q7L8c3RH0DxNqWE5fQK
+OlHW/eYiSZOThT7VzZ8rykaowssMewNcPPya8kaACYSN8izYrbH3ZmlXgeklpuk3
+tPQbNK/wCBIVCb5bAH10CjR3x2sLoDCX5sP6I53jiLr/NiwYms0QfSmZE29kzWwA
+N0Lu/bO1fOUU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..c72237e453
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..6e9557ab26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUO3DQyhSRUrFxxP6dSHYP00ZUenEwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMD0xOzA5BgNVBAMMMmNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1j
+YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB
+Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0
+cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1l
+ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB
+MA0GCSqGSIb3DQEBCwUAA4IBAQAFT+RvpRQ0WSu6U+C54fDOtOofv28/yALU+yJ4
+oO7ZUtKXyrMb4Ag4MrSaAT8dTZKOkB/Kwx9V4xM6kvF/WpojCKyazeMlqvj4DvAO
+RQvYnT8pXiN1WsHU4NaX0l2KvuXWdlgBzq9qgTG8i4yRaCqghZEL583GbVFHLWqI
+aiI2lsRgP+SLV9Z0mnDf+taJ82cOH7mwIaMkE459+N1Ni5Pu5LL+hPbCbZm39oKE
+N8Xn2Av3VZaxfxOVThibDH6VsaSOnPKMWKcusQtsRA3LVijThjljUAM0bqIHvp8Y
+/vQ9JEdgreJ/wUU+CYcnsO+yCmnW3G33xfQ3AskkwD0OZj6C
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..92ebdb37fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
new file mode 100644
index 0000000000..6d2c743638
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUDVhIhWMHEXWRG6y+QEWdZ0+muRIwDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLXBhdGgtaW50
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCsxKTAnBgNVBAMM
+IGNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG
+CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv
+bTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE
+ITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAz/t7laoUyy4Qc
+fhIYBeR++dCiUGYFQVX7la17X8IPeaYg6CJ6XzRMs9QYzBBp2C20/0f9A4zKgtuD
+kgHJvOFv/y9KThlH/f3bq1bQmcItVuoVG4G6PDfQuvpChiwFzMZlJ9ffZmFFcarI
+MenGzJyxp4+WH0JKHFypBYGWZrLjfjbs75TrRALtNWmImWZvp654RxJe8yVyddQw
+qRMlzMVU+9sq/Xtfqm2EOoUaydzVvYcRAwHKyC5ZGBH4emSsPyiiXMH4CJZ3n1zb
+z/V5I7vT5LTLecOYtxCbUbdNJ06HTla/5F2VZSbhvEKNV1kjlyRN0BpGaiA0tapG
+H/+QErlC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..36f80e017b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-path-int
+subject:cabforum-and-test-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
new file mode 100644
index 0000000000..22f0b45911
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIUS/1bfm0ejkB+2Q/7e+L3OWe5w4kwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCwxKjAoBgNVBAMMIWNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1w
+YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa
+BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j
+b206ODg4OC9jYWJmb3J1bS1hbmQtdGVzdC1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud
+IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAZMS9mTlpmz96B0hMZLs0
+PTb/O7BnxtQSk8NzU7KiFcJbkE7ioff1NKdrJomr3dZBPRYKQvqOhUsWbWfsw21E
+on0l2Km7jIqaZ1dQpGPUiYobbr0icOhCdA3t0t6M9JIgZqOwMUFCz5oy3Jg4v6py
+7KDUz3zkVxpAloaepG7AkS9bd1vCDih3Tht98/+g7DPvtnHjZqPj4RXJ2J3uSTKq
+TQXFaPc6hhVrA0KK0Qa205qdgqo2hasEY+6Xe64ZStQkteASKDg1sm111wsxpzxt
+HUBVEAXMx9dtmnreyWlU6CQ4fYJtK0FnMJDYDQAVJyMbGB94KGrPM8pr+xkV6mlx
+rA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..79ae7ae801
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
new file mode 100644
index 0000000000..8c7ed0124e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIUO7RJiqqzZm6W9jOCJB+zNXkRMC4wDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVY2FiZm9ydW0tb2lkLXBhdGgtaW50MCIYDzIwMjIxMTI3
+MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMB8xHTAbBgNVBAMMFGNhYmZvcnVtLW9p
+ZC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GGMIGDME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw
+AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLW9pZC1wYXRo
+LWVlLzASBgNVHSAECzAJMAcGBWeBDAEBMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhh
+bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAIzzqzMTRCKYyLA8HeY0jJU+mjRj
+Ejl1XbRXmQel/aYvKTZyXiRKSA3i+geZauhVfFwsJ+vxGjpGsNdxkRpUaENrHP5u
+DnMmeHGHeLAD8hrHlzqYhCRKBhDey/SIEU2+Qd1M9WNzI4kjydLafrKYAZaxhaQm
+wJNJ/8fDgo26DQRTWxDcVkI3by6ong2pHF14AemMoXOQ0+IKR2B9is2qvHxFm290
+1v8DaTBgaIuaXzqhSLPp1DHbtX0nUyWjzWwy6bNjKpxydRTP1rgMbjvf3RhVUzdx
+GZpVmEF/8fpcBfObFDSKz+/ydoVMz3XlqLiYEIExGTSsCc4PeEfFhOkdbUk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
new file mode 100644
index 0000000000..86fd9aca39
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-oid-path-int
+subject:cabforum-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-ee/
+extension:certificatePolicies:2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
new file mode 100644
index 0000000000..bdbbc02c2b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUQ7X92BWdDkDlFsWTB0LTCDZMcDAwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCAxHjAcBgNVBAMMFWNhYmZvcnVtLW9pZC1wYXRoLWludDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOBgTB/MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw
+QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZv
+cnVtLW9pZC1wYXRoLWludC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0B
+AQsFAAOCAQEAS+XtatnWztt2hsRQA/Gl8KtpXRhZLJetK3G2qFCjXW2KtaMjN3EQ
+RoMYXwUW2FgsFPZmwQ1L1Pu52njxnjG0z9CXA6i/g7JJUCNUhcGrQ5zWP1P3YozU
+/TwMKNwvyjcO4Ev4obC3grAfJ0S+en8YVeV9Rh/HswaS7Q8A/el9SJi8CMiWVEuW
+SYgfgcm8AobKXJNN48DNhY+6GbGRTIm1WuzPQS4C+mTfsJt6Fk695CvL/EjZt8fK
+0lI7qKH0o1pM0QKE0VMuvvYasGEYqDxKCSEszfmIr3b4LovzWAWtHnAm7I2PyncG
+t3EnieaSRT6Nl8e85VCK20d7ORJpq7iy1g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
new file mode 100644
index 0000000000..343307164b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-oid-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
new file mode 100644
index 0000000000..ba722921cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIUd5h9uRYHwBHO8O+ceQhWGi6L90AwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTbm8tb2NzcC1lZS1wYXRoLWludDAiGA8yMDIyMTEyNzAw
+MDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAdMRswGQYDVQQDDBJuby1vY3NwLWVlLXBh
+dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjQzBBMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
+MB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBAGTv4HNZFVEQ0vO8qU1sykwuKMqk7wyXfDHsnzdzt5mGUC9cm6Gd+JisZe9k
+krCI719EWOMkBt2xyCmK2TwDvWRK2brMK7BICEeyyOi/znshzOcw2ohtAwJPKMNb
+xCx2QePLHXHioOly6StbTUSQtmUJTnNhf0qN+1iqZKi/LrVnm54DC+P8MOHZ+8gW
+OM93lMI9Zcq+lTa5GOrbb3JFp9eTLRyYrvugK7gVpAlijvFDknldS+lomz4BY056
+UR8g5RmpTyBgqoJqND6s8zXuyfatcAmOq5apJ5zLcN91GhQJwBk9sg8vwzqRdIww
+/dF7FbEbQdfkDWVtuYdsS8ZCZH8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..ece1cf816f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:no-ocsp-ee-path-int
+subject:no-ocsp-ee-path-ee
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
new file mode 100644
index 0000000000..a1d1ab962c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAiegAwIBAgIUWxoXkZhXFFizdKCQ8MJ8oOfIzEAwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+fjB8MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEwGCCsGAQUFBwEBBEAwPjA8
+BggrBgEFBQcwAYYwaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25vLW9jc3At
+ZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOC
+AQEAeNGnRLI3C11krIqIXE60uUnV4NZrWSjlFT8iQkohd62uK9i1Xo2PGQbMwdOV
+ooXGsLRyz9ZzlKG0W1FN55pLweuD2je4AlV7uZyLIF264m3zLMBcfEfVjqjk6rQf
+WccudP7VQ60+5YUsUytXuqp9fF4Ye7UJ+ZwvIexq6RIa20JvR/pPjd/1fzXGYi+/
+/24tCYIjROfNLmW5G7SO2StCN+LJehWTUo76gORpbP6snYON6rxynmbXmbdU96l1
+xp9yZ5cvL1v3971cN/nRCw5k+OiP/O8fxFDsIf2gbqTTz3R0HnmJrEUqr9FrfRlV
+P+S2nwNiMV1UWQeQciOIg8WC1A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..5eb952a9a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:no-ocsp-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
new file mode 100644
index 0000000000..a7b7d185ea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIUG3C5aHEdkynWq8jOXmbjEcP8bgEwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUbm8tb2NzcC1pbnQtcGF0aC1pbnQwIhgPMjAyMjExMjcw
+MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowHjEcMBoGA1UEAwwTbm8tb2NzcC1pbnQt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG
+MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWludC1wYXRoLWVl
+LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCsx7sCebbIWdGg
+hlkAZ2qV3N/3nZwwvVqekUTu3Vy2fu1zM0KZSPbljjLPEcPPKweoefnAxOLvisBg
+GqV9KXBR3sO1fOuK8M1TZtZHl2vkWwqVmogbEN8KOpP/pPySW3DXGPzNlNAWvNrN
+gYg8NTWlcmeV2osuGI2GvJF/bf11VAOSeU1ci+TFpUbW/4QrQUqSG/KDWRtv6/BC
+omfXJYKGfgWRLH8HS7OlJbBOL3h3BZAhqml9Wl9oRox0ArLhKkpOZ8cZpGpzhkND
+DsqhoqSxJEiza0sSFSWJkSCjaY9zrV0UXgi8jxr262/WF6xT6yy6/Gx12hSjcV4U
+BcQw+5kM
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..623057e9e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:no-ocsp-int-path-int
+subject:no-ocsp-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
new file mode 100644
index 0000000000..94e308a653
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUWRei++U2nDD/dQeOd2ijbzx8zC0wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjARBgNVHSAECjAIMAYGBFUd
+IAAwDQYJKoZIhvcNAQELBQADggEBALQe2fdE+JIIcsV2Cwf1oB6VK5hUtLsm8TvY
+ju8YICG4maKTDI4X4oungxmlE0okP26KDxERQJzsOs2RKmos95UvOz7LKyKo7aSc
+ycAhbpHe30J9KUXDxMMv++2vinjMD2vh30E0XNsLeQsbOXlmla+0lTwsgXFFSQgl
+owYxEcGBigqM1Jgp4S9TBwvowktGTPLgiKGr+elIStEFDF/eoEaDRMZ8AshtPC1G
+hj40lS2xR8ZgfCvq1Y9xWEK9pDRk4ss03XVVyREOLYHcJx1w3Ekf0DlE7vKosew6
+qOgu6Bk5p59c6mm2E/UqT4Pm2p9X6ZWucgUtOAmySLPs/76Dbk4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
new file mode 100644
index 0000000000..548241de3a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:evroot
+subject:no-ocsp-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
new file mode 100644
index 0000000000..5c6f435be7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIUHdTPustR4yMtUWmHTSC6+8Y+gfYwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQwIhgPMjAyMjExMjcw
+MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowHjEcMBoGA1UEAwwTbm9uLWV2LXJvb3Qt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG
+MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ub24tZXYtcm9vdC1wYXRoLWVl
+LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBgDu2h/ygK4STW
+yg5MNipTtaxQtT2a7ho54YlJK+PSXn2wzUVbVthAXbiVMZURHo4FFOTzvh0ItwtO
+K0TDiUZO4basEt0Ecxk1bjhh9pY2FhmI1xokC53prGrleO6K4gHXVxmhlA1aM38X
+tN9ZuTGlEuo5jFnavZeGoQtkwvtFehxvbDEBZvuyvQ8xIFLvoa8tl9AaQavNpFan
+VOpUrRw4oFIUOor6FPBLYoclQhBD+PFwnnMCm5rkiWxeryt//HAJUnypt02Pr1nT
+7ibC+/szNTuFuz2P7OTFEre866JfEsI7N58qbc/UZXMTiPJuTS1QdBZHIM62Bde5
+HEKNNyTU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
new file mode 100644
index 0000000000..9895732b15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:non-ev-root-path-int
+subject:non-ev-root-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
new file mode 100644
index 0000000000..751268f0ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIULW+4H7y472S+j1855jFlwZNMf+UwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRub24tZXYtcm9vdC1wYXRoLWlu
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaN/MH0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTQYIKwYBBQUH
+AQEEQTA/MD0GCCsGAQUFBzABhjFodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv
+bm9uLWV2LXJvb3QtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG
+9w0BAQsFAAOCAQEAOc/Qs9HsvzVrDoXxK7y6TI1x83ydFRT9pOjnVlrNUAPnjnKZ
+acbglf9hni3eaybETDklYf3q9eYBduappGtUD/9pkXT/8xQP5QmBDjVbfaN6xA4P
+SPISeMEnUxngLBmhiGSdSF6yqhol5OP83pDP8GnlqSBicfjbLuaAOesExgRnY1jw
+rDHWFLp2mvJu2NRUQGowCSWBmeTGwpX3VWVBkzQYMABHDlJHvHsPFe3dH2pkFBxJ
+3YpkRaifD87NRGE+AK1fzhhbvbn06xkklLqpr72p9h0BMAzMYnv58CHt1+1/ilVP
+0/Al127tRP0cr7I3311b5V2duYHEbR9UJFRGJw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
new file mode 100644
index 0000000000..5ce035ae1e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:non-evroot-ca
+subject:non-ev-root-path-int
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem
new file mode 100644
index 0000000000..e7da9dc897
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUSwVlCN0qJzWqVXDYUMj6IC1t5B4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1ub24tZXZyb290LWNhMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAPtd1zsUd6dqBvrL9Y6mwgkEBsd8RcOuQUrOYMQjPYbriJ/4Z4zfNoQnIylQI
+rrwRL64PY4rTorTGgebzu5gm+mVXV4Jd6pO6Qv5vL9hKyUGN5lkxoQZOd4WsiFe5
+kbWvOv1LjJ9o5DyWLkL33Tt/seR3Ux54LFDvrFwBpM+r7bxpgrtYB999vQOXGiZP
+N9lWi60012u+Opqv5egtveAhC6ShZqBmdoTl0rkI0/LANC7O7jigqyjnRZi7rqBt
+0rnRMsTbXMXqfIt8B8kLGDU42dTDz4hK/WjjgcXu3zmHQgZqDxt92rwMexiFpA5Y
+HRdDsGt5cseqjfIDzdIVlkELmQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec
new file mode 100644
index 0000000000..7b61447a80
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:non-evroot-ca
+subject:non-evroot-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
new file mode 100644
index 0000000000..5952997df9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUAVfMkILMmIPVXjPAz2TIDldGxGAwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbcmV2ZXJzZS1vcmRlci1vaWRzLXBhdGgtaW50MCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCUxIzAhBgNVBAMMGnJldmVy
+c2Utb3JkZXItb2lkcy1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GiMIGfMFMGCCsGAQUFBwEBBEcw
+RTBDBggrBgEFBQcwAYY3aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3JldmVy
+c2Utb3JkZXItb2lkcy1wYXRoLWVlLzAoBgNVHSAEITAfMAcGBWeBDAEBMBQGEisG
+AQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29t
+MA0GCSqGSIb3DQEBCwUAA4IBAQAf6ZBgxU35yF0XHevzE2TBlJaPvPuc7Xj0igxQ
+Ba62XSBbcOv1wNG9E6VTgs89eYfra+m7cFWP/J2SRAETWYLB/BQ2+gk5ibLkjpX3
+EgeVtcJAITTNMZ/YwpM0qke7tBj69Wr4fQGCaXrwSjMqXllJG73c2nSYivCwsW88
+jxIX9w6OmBtQ34Zms95xcmjRGnEJsuFIHS6ON6UA66m7/ncNtedZ5BUFPqlDlivn
+GPFliWv7/kVavJ9tuBNF3+qa3AKS6y2IcCv8hZcnpp+XejL9S/NC5J2fCzFN52KT
+tZ45bWryxg5Ez+vqZ7RLOlA++Qzu6+FJaYDaTV5rIEouxfE0
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
new file mode 100644
index 0000000000..31e3e69e53
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:reverse-order-oids-path-int
+subject:reverse-order-oids-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
new file mode 100644
index 0000000000..37cc460a58
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUbS+sED9hVuKhOooXAr0l466GF40wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCYxJDAiBgNVBAMMG3JldmVyc2Utb3JkZXItb2lkcy1wYXRoLWlu
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaOBnjCBmzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBUBggrBgEF
+BQcBAQRIMEYwRAYIKwYBBQUHMAGGOGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4
+OC9yZXZlcnNlLW9yZGVyLW9pZHMtcGF0aC1pbnQvMCgGA1UdIAQhMB8wFAYSKwYB
+BAHrSYUahRqFGgGDdAkBMAcGBWeBDAEBMA0GCSqGSIb3DQEBCwUAA4IBAQAc6n0n
+2ygc+bXKejoFBGMSHex9WFTYa6n7Ao5PP0ACVIPPjUUZ/5KjBKCRWe8puVLqRk1W
+bpyLa1KG/falzrFjj8j+Y0OA2v8veH/DHvUAKOus5ntJPM3xJyV7uGhmYDVulNRr
+YPnFduqlBVaxIZOPqESO0T9RLFb4oyTd75uPIJUAGPSYX9kidYUu+LZ7U5sDdJmG
+9pT/RDQjokU5pwgr47V7lNQyJBmZYp1I9qVDT1iBA1T0KWfw9Nz0t5dshXZC4aPe
+uFJEx0pADVyk3pyzddvXwetFXYA3yPWtZCjXG+03uIE9tgdNyZkUlairwS7WVbHG
+UoC9jMK5FGnFhIyH
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
new file mode 100644
index 0000000000..a2b523073e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:reverse-order-oids-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-int/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..aa095f3d84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUISZMV3cxwaLxsL3yccxQyMuUob8wDQYJKoZIhvcNAQEL
+BQAwPTE7MDkGA1UEAwwydGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZvcnVt
+LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowPDE6MDgGA1UEAwwxdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZv
+cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww
+WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LWFu
+ZC1jYWJmb3J1bS1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV
+HSAEITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBcDgBoVa2B
+Ziwsi+JNV7c3wAGummbzznkednPMS8ahAuI9UOWi6HkfUPqwPABXJUXFVQR1sofy
++0f1D86NrQv7zErD0tEvL7sguHgjyKNhpsV9KV7c51RF0GCfFNjA2vUweTVYVQgo
+/94Kl5EewrS3MaaL6AQX0oR/9BuJZUhcQPf1H6TiSu5wHMTstMF/tzp/5GILKx6S
+8x6hEZJbUnnazm3ZGIQkCTY+PimxDfC/3OMO68bJ0nrWMt8dXGWLB0NXiWDV3GpO
+HVtd+D6t0MTyVkWMIFOrBX3hDfTkfrljgEDRXgEMzjn956AFQO9YQTEzjdItFPxT
+YE9JR5yqlbDp
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..edac2fc1ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..072ab9f89f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUbw1m4QOmyPiOAHq+GggyEzBvhfowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMD0xOzA5BgNVBAMMMnRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1j
+YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB
+Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0
+cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1l
+ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB
+MA0GCSqGSIb3DQEBCwUAA4IBAQB0Qvh7fHW0IDocdxERG8qD2+c7BRxXEJWgRt4f
+xU9jSejKVI3QijhjSn+PyXiqhF1hHW037vYY3TQY/jcvE++iwHTTL8C+Zmd+M7pc
+WxaJi+dZCE7GAeGLr3fHYaFqkE76hlQ6V3z9ayPC1CZwrpXsA1WQgslHxvi+LJHx
+sI8ygsNud8YDxSJQiz9ELik6Cc6MLv9rej/3u0KduQZGItX9nZIcsY0gBYcvJuWY
+T/66RhAvowF/kqjPich5J54VOOUwqq10CmpDft6PZuxvOH5GD3kBDsiIXo3NACfS
+pqSLeHrI/WqOBcACUCcgt6uYwjC4i8Km4MeRbvecWPAJ11R4
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..68dfd00573
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
new file mode 100644
index 0000000000..5b23a23056
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUG878Zwj3QMrHTGa2FfvoFFlYZzAwDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLXBhdGgtaW50
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCsxKTAnBgNVBAMM
+IHRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG
+CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv
+bTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE
+ITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBAyulWRI1iZUlK
+2vYE91umLRCAYh4v2/+2PCaK0rhKzA/nvYWwMtPKdrMBiCPutL1XsPcf4E92C+Ur
+Uk+Fii9GG0/NVJ06MFVxVmyzfibGQZO/zFigx89W0GF+zYbR4PWqd8zOwvVjcW4d
+4sKUDrNvytqx+k8MedBOA561jp49R97NS5+L7Cw60FJdqY4DR7YPqMajCoIguTm+
+gl5YM+ZXHGMfaRYksToPj3+jbwAGekIjtlIjGNZC2yexknz1XnbfTEk4h6pkyUcm
+9iWdSdE2WYGYFyc7qUHz1PSJadWQM0ZBZPm733+YN3HkSvGpTOjJOK79SNEMkA/i
+AcaGhjaI
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..affbd87458
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-path-int
+subject:test-and-cabforum-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
new file mode 100644
index 0000000000..85aa46f15f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIUOWveMMJU+nLZsk73dwkzgFJ6wKIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCwxKjAoBgNVBAMMIXRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1w
+YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa
+BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j
+b206ODg4OC90ZXN0LWFuZC1jYWJmb3J1bS1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud
+IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAOZUmjoXRjZ/kClVFVdfh
+yDe+uAzR7+/aitlLKrbd8Nk+KfzvNkUAobV3qFYcZP757T2rP9YDf26o1//kwYyw
+fjj+ooOefRODphmJS0nGBBUU7SDJvYN6OH4U9VgYvYTsvYm3zoRNLCgxd8z5zV8o
+beCiWi8Zsw3kSQoMi2Y6y0+edR1945jGafkm865/vTlSC1uSMMNm5Ns6BQrEc9+S
+RPSaV5OgEdTXP1obn1Hf+TADElk1xGZcNIavgWxjo8QM7BfPOYMZk0KIW7Pgs0x8
++ZRhJ+kXHaVaOS9gAIi3koYC0DKcHXNSTXCTC7I34iSMvdVDcWwuRR0YrqYIu0QW
+cQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..11630b4b4f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..c70ad55ae4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDlTCCAn2gAwIBAgIUaW/3PEK8ARYGWVUA798TUHKnEAQwDQYJKoZIhvcNAQEL
+BQAwMDEuMCwGA1UEAwwldGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo
+LWludDAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAvMS0wKwYD
+VQQDDCR0ZXN0LW9pZC1lZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtZWUwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+gaMwgaAwXQYIKwYBBQUHAQEEUTBPME0GCCsGAQUFBzABhkFodHRwOi8vd3d3LmV4
+YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo
+LWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAfD2dMTacd
+U21ufl0G0mZRuM5OHrE63tCGzfXSQ5TgE3og97YysimPrLbIa7dnCczTZ60awRFX
+ycx8aTW3JB1H2lRB0g8dPzJE9sbkh/vHR4DlYJ8ISXd2gkbBINGy9VvFBOAcPGtW
+XpAfFioiX0RPN/RdDuwVaAIfX+x1LRr3CHJUDWctJWpMYwHLtZmDScdwHYXfmdUS
+ZnOF8WpJuQE8r1e5SeUSvima22nX9+IzGKz/6t01z+BeNwq5GZW+FCI/57ZKcshn
+TwcTKe6ObCfLdjf5AkqI47gvHI/J8Ok6IGHpt6f3Z8czmapSiuvqE7VCHxk9WB6E
+fLhH6uUnFktY
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..bd0f955ada
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-oid-ee-cabforum-oid-int-path-int
+subject:test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..477f5aba2e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIUVUZvMWmRe012qtJnB+pH6CRq8WUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMDAxLjAsBgNVBAMMJXRlc3Qtb2lkLWVlLWNhYmZvcnVtLW9pZC1p
+bnQtcGF0aC1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjgZIwgY8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC
+AQYwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1w
+bGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWlu
+dC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0BAQsFAAOCAQEAIVYXUG/B
+zRSio0gAxeDrJb5DigUcZGcnK39tdfd74W2MUkylo/Yq0cDJwVlsQ/oke5myaJQd
+dpf3wZ33ebCOpVArMXNB11iAUTMR57W8ecyiwKhhyPcCOg/NlIfLFJ6PDsC3eCTM
+dqMAdRYg/WFqNbfXy/nYEBBuCEv6krpqWjgXKOUqYRpwZasPB9Bdpk3U0IOOFAPj
+rhO9ddnQ+IYUshAjVDp7ssSxFCGXJrNPObLnQZ7vGtmHwnIMt9D3Kulz8lZLTzjv
+1TfAwwM/qU1iG1Yj+zd2B5RIHcgegT8i/NY607w9+OgAF4PTS6R8pr6s5o2ZvuG5
+EOqXzqa3c0o7Yw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..37d4d133a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
new file mode 100644
index 0000000000..ad79129976
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWTCCAkGgAwIBAgIUTXff7OYNjOGJ1ucBiXQFwQrnD70wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRdGVzdC1vaWQtcGF0aC1pbnQwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowGzEZMBcGA1UEAwwQdGVzdC1vaWQtcGF0aC1l
+ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaOBjzCBjDBJBggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAGGLWh0dHA6
+Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1wYXRoLWVlLzAfBgNVHSAE
+GDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4
+YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB/4nd8VD67vZUPTAzzK6U0i5z5
+JfEUHZyodwbEvCMRx4JPzGa/B4Ra9fTk9f3vlgpmbmIXzeW2V2eKeug/qRR6rTk5
+e5vdjMb2V2NVyHE6uqi6U5YPzIqH4CuIrihy/6f2BXGww6N0jaguP9T+O1hjtS+W
+kCaUMBIYCp8hnGiKcLDyTPxxysPl0g39ML39Pxgk36C5N/0gAun+4U2El+xy+a2r
+MAZchBP9guWBREZfse6wpAJfLpswlaRcsiUm+ohgLb3sKGJOtX7V0vegm5BGkqZK
+yMG5MiHhnEep4cMnrEXly81hWbZNHHBnMlNRqDmR8Vex1igG/tMFmuPQr3Xs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
new file mode 100644
index 0000000000..a9d62c65e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-oid-path-int
+subject:test-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
new file mode 100644
index 0000000000..4888db9219
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUc1xU18+/MWV14ZhLlRYTr84OIJgwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GL
+MIGIMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEoGCCsGAQUFBwEBBD4wPDA6
+BggrBgEFBQcwAYYuaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3Qtb2lk
+LXBhdGgtaW50LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATANBgkq
+hkiG9w0BAQsFAAOCAQEATHhQmv0hF3M77Re1LYWINecipWJlnilGk5DCCiDyRxmm
+LPTJEz4v1NtC6HambYL5TUk878S4zsFV4SSaJ7DuCpq730se7C4fkP642wFuSKIo
+ExMPEaE5b10NyKtC47yQkrTBqnvBGrdFyY7awuTCpLK7MpEPIIUNjPUN4M7kj3It
+0am6GYVjFzdtY1knyTDQJT2kE8McGOec/CggZucOhjfOyLe6FZLzTY9qmfHlwXb/
+/YgUlGMkQmIYCcEKUcECosIt0TPCjPBvNIovIySHSF77WZS8SR1rIeaznLCAbVbX
+rJ79ZtTtK9XceMzas1pz5lDonwtDEDFUJE2p6TX/ug==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
new file mode 100644
index 0000000000..53534eb526
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server.js b/security/manager/ssl/tests/unit/test_faulty_server.js
new file mode 100644
index 0000000000..7536a91104
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server.js
@@ -0,0 +1,142 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* based on netwerk/test/unit/test_retry_0rtt.js */
+
+"use strict";
+
+/* import-globals-from ../../../../../netwerk/test/unit/head_channels.js */
+load("../../../../../netwerk/test/unit/head_channels.js");
+
+var httpServer = null;
+
+let handlerCallbacks = {};
+
+function listenHandler(metadata, response) {
+ info(metadata.path);
+ handlerCallbacks[metadata.path] = (handlerCallbacks[metadata.path] || 0) + 1;
+}
+
+function handlerCount(path) {
+ return handlerCallbacks[path] || 0;
+}
+
+ChromeUtils.importESModule("resource://gre/modules/AppConstants.sys.mjs");
+
+// Bug 1805371: Tests that require FaultyServer can't currently be built
+// with system NSS.
+add_setup(
+ {
+ skip_if: () => AppConstants.MOZ_SYSTEM_NSS,
+ },
+ async () => {
+ do_get_profile();
+ Services.fog.initializeFOG();
+
+ httpServer = new HttpServer();
+ httpServer.registerPrefixHandler("/callback/", listenHandler);
+ httpServer.start(-1);
+
+ registerCleanupFunction(async () => {
+ await httpServer.stop();
+ });
+
+ Services.env.set(
+ "FAULTY_SERVER_CALLBACK_PORT",
+ httpServer.identity.primaryPort
+ );
+ await asyncStartTLSTestServer("FaultyServer", "test_faulty_server");
+ }
+);
+
+function makeChan(url) {
+ let chan = NetUtil.newChannel({
+ uri: url,
+ loadUsingSystemPrincipal: true,
+ }).QueryInterface(Ci.nsIHttpChannel);
+
+ chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
+ return chan;
+}
+
+function channelOpenPromise(chan, flags) {
+ return new Promise(resolve => {
+ chan.asyncOpen(
+ new ChannelListener((req, buffer) => resolve([req, buffer]), null, flags)
+ );
+ });
+}
+
+add_task(
+ {
+ skip_if: () => AppConstants.MOZ_SYSTEM_NSS,
+ },
+ async function testRetryXyber() {
+ const retryDomain = "xyber-net-interrupt.example.com";
+
+ Services.prefs.setBoolPref("security.tls.enable_kyber", true);
+ Services.prefs.setCharPref("network.dns.localDomains", [retryDomain]);
+ Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0);
+
+ // Get the number of xyber / x25519 callbacks prior to making the request
+ // ssl_grp_kem_xyber768d00 = 25497
+ // ssl_grp_ec_curve25519 = 29
+ let countOfXyber = handlerCount("/callback/25497");
+ let countOfX25519 = handlerCount("/callback/29");
+ let chan = makeChan(`https://${retryDomain}:8443`);
+ let [, buf] = await channelOpenPromise(chan, CL_ALLOW_UNKNOWN_CL);
+ ok(buf);
+ // The server will make a xyber768d00 callback for the initial request, and
+ // then an x25519 callback for the retry. Both callback counts should
+ // increment by one.
+ equal(
+ handlerCount("/callback/25497"),
+ countOfXyber + 1,
+ "negotiated xyber768d00"
+ );
+ equal(handlerCount("/callback/29"), countOfX25519 + 1, "negotiated x25519");
+ if (!mozinfo.socketprocess_networking) {
+ // Bug 1824574
+ equal(
+ 1,
+ await Glean.tls.xyberIntoleranceReason.PR_END_OF_FILE_ERROR.testGetValue(),
+ "PR_END_OF_FILE_ERROR telemetry accumulated"
+ );
+ }
+ }
+);
+
+add_task(
+ {
+ skip_if: () => AppConstants.MOZ_SYSTEM_NSS,
+ },
+ async function testNoRetryXyber() {
+ const retryDomain = "xyber-alert-after-server-hello.example.com";
+
+ Services.prefs.setBoolPref("security.tls.enable_kyber", true);
+ Services.prefs.setCharPref("network.dns.localDomains", [retryDomain]);
+ Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0);
+
+ // Get the number of xyber / x25519 / p256 callbacks prior to making the request
+ // ssl_grp_kem_xyber768d00 = 25497
+ // ssl_grp_ec_curve25519 = 29
+ let countOfXyber = handlerCount("/callback/25497");
+ let countOfX25519 = handlerCount("/callback/29");
+ let chan = makeChan(`https://${retryDomain}:8443`);
+ let [req] = await channelOpenPromise(chan, CL_EXPECT_FAILURE);
+ equal(req.status, 0x805a2f4d); // psm::GetXPCOMFromNSSError(SSL_ERROR_HANDSHAKE_FAILED)
+ // The server will make a xyber768d00 callback for the initial request and
+ // the client should not retry.
+ equal(
+ handlerCount("/callback/25497"),
+ countOfXyber + 1,
+ "negotiated xyber768d00"
+ );
+ equal(
+ handlerCount("/callback/29"),
+ countOfX25519,
+ "did not negotiate x25519"
+ );
+ }
+);
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
new file mode 100644
index 0000000000..9d3b41a1bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICMjCCARqgAwIBAgIUddkSg4Xa4Tq2i+Q1Ebvjh6EWuAkwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaZmF1bHR5LXNlcnZlci1pbnRlcm1lZGlhdGUwIhgPMjAy
+MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowFTETMBEGA1UEAwwKZGVmYXVs
+dC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLs
+BQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCj
+MTAvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5j
+b20wDQYJKoZIhvcNAQELBQADggEBAKhgmF34y6L3lvO2tL56geQBnUeY0L/buzAt
+tyW+0KqDDFjMrPkF1uKUH4d59xF7mq57KgMNPNyB0kSnlvu09nZP0yD6BQ67biVa
+YEyLuaJIfa9Ym51Yjx3GqLIRKiiZ9sAPLalIpguh3yvfEfWwCV6HxHWJv6PJ1zVt
+l/89i5J8B+rzRjXluiK+lPiUeRnp2RfXvst1u8KtNh1hbabjAkeox4EXbAqxFTJK
+bzp9IwqlNxlKK93WyeF3wCndEn2nFYwSOR8tBZFcTtv9Z8F8Xu2gF5C0GYTfy6iX
+Y/N5gkxDUGTn+LtG+VyTNNqmS0bXFFuPbuE0mt9OiAydFKpkgJU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
new file mode 100644
index 0000000000..5d471da110
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:default-ee
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:*.example.com
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
new file mode 100644
index 0000000000..fdb59ed65a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFjCB/6ADAgECAhR/GplP7a+yU4EAPSMvru2gC2X6uTANBgkqhkiG9w0BAQsF
+ADAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWludGVybWVkaWF0ZTAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAUMRIwEAYDVQQDDAluby1zYW4t
+ZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AUL
+Qj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAoxcw
+FTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAmHFKAXfd
+4vHVJJ7LBHTp4BGpfNQTQXy7sSTOExJi+2WGqtbAubZUQv71WWXqKf7IBpcxzXBy
+D18Hb8aN0wDDVVodQ7eZJ0XPOitfkZeHQHSwhCwinT46030oGffk/m7nRpi/eS/T
+7mvFLaYiKRXssP6FxBHCyYd8DLQ0RPTbigyDdrYkqh7dS8Ei06bCJukUrWbACHvW
+ONUNiY44VaVK/BBZQHn/nqzgNeYZEd7xhJA2yVboP2xZY5E7426V6dUzfU2zqxld
+TNpIDzWmQUUGi080YiYIY24rvjx0Sj7+X2xAYQNXgR16VGpxvi4RcEpzXXafX5e+
+BWRSWF7XdM9k5Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
new file mode 100644
index 0000000000..68eb6b0202
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:no-san-ee
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
new file mode 100644
index 0000000000..d90875fdc8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUTz5eaR08Vrv3WMdQyfUb6nPdzWIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBmYXVsdHktc2VydmVyLWNh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
+AQsFAAOCAQEAVTes4P52u8R5tF6eEN4IO7sT8YjihE63JQ+VDaV9m/KFA1fuBlDH
+4N3LWXK9ilZLQQFl+z+QPYA74dNmzvZPWjsUv0nVLkkV5KPoN1SJV0bZeh8+as4r
+Yy6N4wZf43XN0xDYJpPB1TX7UQV/MEumy3HXXFzOyXUBR2bdNspfe6ok70eLOggf
+vTT3x8usO1rocX7bYf9eqgID85dDYq/VAJXg6HcEsZJ+w4F7w3BI9K/w2TPu0nAt
+TElnzEMcBW235zRXRFV+Z06fUL8mJfzH2IU56CHG7AkCblw5ZqzMtfsjjxRSpzTC
+fJC0xufCzKoee4K74JZmgkreL1kqxpfesg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
new file mode 100644
index 0000000000..bcbf751bb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
new file mode 100644
index 0000000000..c25d6cf85d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUUTRjZwJOxeTcJu+hEU5Nslh/bfIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWlu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBAFagmFEAlfPNh0dcr8ZP8we4hEpzkLiCkn/bn4+D
+aEZps/yPkQ5R+tRLucwVwVKHdaubp3M8TFSWzCD2DRpQxDLbvdY2+jZyXce/fG8x
+ar7p/x+NVKeMfbKq/Dqb4v1mg7PERpnIbrzaQco2CkCcoptAcWxMqSSlZwPTqNpH
+b7J1fnjasPXS75rSmkNhbXi9AIjIH5qpOmaxOHpMI7IhFbCS01lQZa+w4JHOwKPt
+6Omx7pyy1K1vbjOrlF6oX+q625mJA1YXxipkFPM+WVby97fIEnr3HBipY/f+p3UN
+toiFaLPMe4yTHVcHxYqroFfLebh6YF17tifc4UnQUBTnk2k=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
new file mode 100644
index 0000000000..5be535c81d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
new file mode 100644
index 0000000000..3a595a3e08
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -0,0 +1,119 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Ensures that HSTS (HTTP Strict Transport Security) information is cleared
+// when using "Forget About This Site".
+
+const { ForgetAboutSite } = ChromeUtils.importESModule(
+ "resource://gre/modules/ForgetAboutSite.sys.mjs"
+);
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+});
+
+const GOOD_MAX_AGE_SECONDS = 69403;
+const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
+
+const sss = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+);
+const uri = Services.io.newURI("https://a.pinning.example.com");
+
+// Test the normal case of processing HSTS headers for a.pinning.example.com,
+// using "Forget About Site" on a.pinning2.example.com, and then checking
+// that the platform doesn't consider a.pinning.example.com to be HSTS any
+// longer.
+add_task(async function () {
+ sss.processHeader(uri, GOOD_MAX_AGE);
+
+ Assert.ok(sss.isSecureURI(uri), "a.pinning.example.com should be HSTS");
+
+ await ForgetAboutSite.removeDataFromDomain("a.pinning.example.com");
+
+ Assert.ok(
+ !sss.isSecureURI(uri),
+ "a.pinning.example.com should not be HSTS now"
+ );
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com, using
+// "Forget About Site" on example.com, and then checking that the platform
+// doesn't consider the subdomain to be HSTS any longer. Also test that
+// unrelated sites don't also get removed.
+add_task(async function () {
+ sss.processHeader(uri, GOOD_MAX_AGE);
+
+ Assert.ok(
+ sss.isSecureURI(uri),
+ "a.pinning.example.com should be HSTS (subdomain case)"
+ );
+
+ // Add an unrelated site to HSTS.
+ let unrelatedURI = Services.io.newURI("https://example.org");
+ sss.processHeader(unrelatedURI, GOOD_MAX_AGE);
+ Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should be HSTS");
+
+ await ForgetAboutSite.removeDataFromDomain("example.com");
+
+ Assert.ok(
+ !sss.isSecureURI(uri),
+ "a.pinning.example.com should not be HSTS now (subdomain case)"
+ );
+
+ Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should still be HSTS");
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com with
+// various originAttributes, using "Forget About Site" on example.com, and
+// then checking that the platform doesn't consider the subdomain to be HSTS
+// for any originAttributes any longer. Also test that unrelated sites don't
+// also get removed.
+add_task(async function () {
+ let originAttributesList = [
+ {},
+ { userContextId: 1 },
+ { firstPartyDomain: "foo.com" },
+ { userContextId: 1, firstPartyDomain: "foo.com" },
+ ];
+
+ let unrelatedURI = Services.io.newURI("https://example.org");
+
+ for (let originAttributes of originAttributesList) {
+ sss.processHeader(uri, GOOD_MAX_AGE, originAttributes);
+
+ Assert.ok(
+ sss.isSecureURI(uri, originAttributes),
+ "a.pinning.example.com should be HSTS (originAttributes case)"
+ );
+
+ // Add an unrelated site to HSTS.
+ sss.processHeader(unrelatedURI, GOOD_MAX_AGE, originAttributes);
+ Assert.ok(
+ sss.isSecureURI(unrelatedURI, originAttributes),
+ "example.org should be HSTS (originAttributes case)"
+ );
+ }
+
+ await ForgetAboutSite.removeDataFromDomain("example.com");
+
+ for (let originAttributes of originAttributesList) {
+ Assert.ok(
+ !sss.isSecureURI(uri, originAttributes),
+ "a.pinning.example.com should not be HSTS now " +
+ "(originAttributes case)"
+ );
+
+ Assert.ok(
+ sss.isSecureURI(unrelatedURI, originAttributes),
+ "example.org should still be HSTS (originAttributes case)"
+ );
+ }
+});
diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms.js b/security/manager/ssl/tests/unit/test_hash_algorithms.js
new file mode 100644
index 0000000000..51840bbf08
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_hash_algorithms.js
@@ -0,0 +1,149 @@
+"use strict";
+
+// This file tests various aspects of the nsICryptoHash implementation for all
+// of the supported algorithms.
+
+const messages = ["The quick brown fox jumps over the lazy dog", ""];
+const ALGORITHMS = [
+ {
+ initString: "md5",
+ initConstant: Ci.nsICryptoHash.MD5,
+ hexHashes: [
+ "9e107d9d372bb6826bd81d3542a419d6",
+ "d41d8cd98f00b204e9800998ecf8427e",
+ ],
+ b64Hashes: ["nhB9nTcrtoJr2B01QqQZ1g==", "1B2M2Y8AsgTpgAmY7PhCfg=="],
+ },
+ {
+ initString: "sha1",
+ initConstant: Ci.nsICryptoHash.SHA1,
+ hexHashes: [
+ "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+ "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+ ],
+ b64Hashes: ["L9ThxnotKPzthJ7hu3bnORuT6xI=", "2jmj7l5rSw0yVb/vlWAYkK/YBwk="],
+ },
+ {
+ initString: "sha256",
+ initConstant: Ci.nsICryptoHash.SHA256,
+ hexHashes: [
+ "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",
+ "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+ ],
+ b64Hashes: [
+ "16j7swfXgJRpypq8sAguT41WUeRtPNt2LQLQvzfJ5ZI=",
+ "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+ ],
+ },
+ {
+ initString: "sha384",
+ initConstant: Ci.nsICryptoHash.SHA384,
+ hexHashes: [
+ "ca737f1014a48f4c0b6dd43cb177b0afd9e5169367544c494011e3317dbf9a509cb1e5dc1e85a941bbee3d7f2afbc9b1",
+ "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
+ ],
+ b64Hashes: [
+ "ynN/EBSkj0wLbdQ8sXewr9nlFpNnVExJQBHjMX2/mlCcseXcHoWpQbvuPX8q+8mx",
+ "OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb",
+ ],
+ },
+ {
+ initString: "sha512",
+ initConstant: Ci.nsICryptoHash.SHA512,
+ hexHashes: [
+ "07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6",
+ "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
+ ],
+ b64Hashes: [
+ "B+VH2VhvanP3P7rAQ17XaVEhj7fQyNeIownXhUNru2Quk6JSqVTyORJUfR6KO17W4b/XCXghIz+gU489uFT+5g==",
+ "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==",
+ ],
+ },
+];
+
+function doHash(algo, value, cmp) {
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.initWithString(algo);
+
+ value = new TextEncoder().encode(value);
+ hash.update(value, value.length);
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match`
+ );
+
+ hash.initWithString(algo);
+ hash.update(value, value.length);
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match after re-init`
+ );
+}
+
+function doHashStream(algo, value, cmp) {
+ // TODO(Bug 459835): Make updateFromStream() accept zero length streams.
+ if (!value.length) {
+ return;
+ }
+
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.initWithString(algo);
+
+ let stream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ stream.setUTF8Data(value);
+ hash.updateFromStream(stream, stream.available());
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match updating from stream`
+ );
+}
+
+function testInitConstantAndBase64(
+ initConstant,
+ algoName,
+ message,
+ expectedOutput
+) {
+ let value = new TextEncoder().encode(message);
+
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.init(initConstant);
+ hash.update(value, value.length);
+ equal(
+ hash.finish(true),
+ expectedOutput,
+ `Actual and expected base64 hash for ${algoName} should match`
+ );
+}
+
+function run_test() {
+ for (let algo of ALGORITHMS) {
+ algo.hexHashes.forEach((hash, i) => {
+ doHash(algo.initString, messages[i], hash);
+ doHashStream(algo.initString, messages[i], hash);
+ });
+ algo.b64Hashes.forEach((hash, i) => {
+ testInitConstantAndBase64(
+ algo.initConstant,
+ algo.initString,
+ messages[i],
+ hash
+ );
+ });
+ }
+
+ // Our buffer size for working with streams is 4096 bytes. This tests we
+ // handle larger inputs.
+ doHashStream("md5", " ".repeat(4100), "59f337d82f9ef5c9571bec4d78d66641");
+}
diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
new file mode 100644
index 0000000000..f2b7016c05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
@@ -0,0 +1,5 @@
+"use strict";
+
+function run_test() {
+ run_test_in_child("test_hash_algorithms.js");
+}
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
new file mode 100644
index 0000000000..4b09c719fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -0,0 +1,138 @@
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(name, trust) {
+ let filename = "test_intermediate_basic_usage_constraints/" + name + ".pem";
+ addCertFromFile(certdb, filename, trust);
+}
+
+function test_cert_for_usages(certChainNicks, expected_usages) {
+ let certs = [];
+ for (let i in certChainNicks) {
+ let certNick = certChainNicks[i];
+ let certPEM = readFile(
+ do_get_file(
+ "test_intermediate_basic_usage_constraints/" + certNick + ".pem"
+ ),
+ false
+ );
+ certs.push(certdb.constructX509FromBase64(pemToBase64(certPEM)));
+ }
+
+ let cert = certs[0];
+ return asyncTestCertificateUsages(certdb, cert, expected_usages);
+}
+
+add_task(async function () {
+ let ee_usages = [
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+ ];
+ let ca_usages = [certificateUsageSSLCA];
+ let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer];
+
+ // Load the ca into mem
+ let ca_name = "ca";
+ load_cert(ca_name, "CTu,CTu,CTu");
+ await test_cert_for_usages([ca_name], ca_usages);
+
+ // A certificate with no basicConstraints extension is considered an EE.
+ await test_cert_for_usages(["int-no-extensions"], ee_usages);
+
+ // int-no-extensions is an EE (see previous case), so no certs can chain to
+ // it.
+ await test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], []);
+
+ // a certificate with basicConstraints.cA==false is considered an EE.
+ await test_cert_for_usages(["int-not-a-ca"], ee_usages);
+
+ // int-not-a-ca is an EE (see previous case), so no certs can chain to it.
+ await test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], []);
+
+ // a certificate with basicConstraints.cA==false but with the keyCertSign
+ // key usage may not act as a CA (it can act like an end-entity).
+ await test_cert_for_usages(["int-cA-FALSE-asserts-keyCertSign"], ee_usages);
+ await test_cert_for_usages(
+ ["ee-int-cA-FALSE-asserts-keyCertSign", "int-cA-FALSE-asserts-keyCertSign"],
+ []
+ );
+
+ // int-limited-depth has cA==true and a path length constraint of zero.
+ await test_cert_for_usages(["int-limited-depth"], ca_usages);
+
+ // path length constraints do not affect the ability of a non-CA cert to
+ // chain to to the CA cert.
+ await test_cert_for_usages(
+ ["ee-int-limited-depth", "int-limited-depth"],
+ ee_usages
+ );
+
+ // ca
+ // int-limited-depth (cA==true, pathLenConstraint==0)
+ // int-limited-depth-invalid (cA==true)
+ //
+ await test_cert_for_usages(
+ ["int-limited-depth-invalid", "int-limited-depth"],
+ []
+ );
+ await test_cert_for_usages(
+ [
+ "ee-int-limited-depth-invalid",
+ "int-limited-depth-invalid",
+ "int-limited-depth",
+ ],
+ []
+ );
+
+ // int-valid-ku-no-eku has keyCertSign
+ await test_cert_for_usages(["int-valid-ku-no-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
+ ee_usages
+ );
+
+ // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
+ // but the KU extension is missing keyCertSign. Note that mozilla::pkix
+ // doesn't validate certificates with basicConstraints.Ca==true for non-CA
+ // uses.
+ await test_cert_for_usages(["int-bad-ku-no-eku"], []);
+ await test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], []);
+
+ // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
+ // We treat a missing KU as "any key usage is OK".
+ await test_cert_for_usages(["int-no-ku-no-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-no-ku-no-eku", "int-no-ku-no-eku"],
+ ee_usages
+ );
+
+ // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
+ // and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+ await test_cert_for_usages(["int-valid-ku-server-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-valid-ku-server-eku", "int-valid-ku-server-eku"],
+ eku_usages
+ );
+
+ // int-bad-ku-server-eku has basicConstraints.cA==true, a KU without
+ // keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+ await test_cert_for_usages(["int-bad-ku-server-eku"], []);
+ await test_cert_for_usages(
+ ["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"],
+ []
+ );
+
+ // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
+ // EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+ await test_cert_for_usages(["int-no-ku-server-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
+ eku_usages
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem
new file mode 100644
index 0000000000..07dc4aa671
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvDCCAaSgAwIBAgIUEYQA33NLz6NiG+8Dgvo+0fQtCvswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAJxbBQm14oIDu9jStpt92SEUkNZJhtC3N+rGgKBeSKVQ
+216uhnu9jsku+/zrrfXIMEuEbfI5nFbwb1CQGUh6GB0rG3i/OtA+OHsFGDuHFSzI
+hrnNTrxJf5DTvnLrJNDu+2N2dfeLo+w5Iqbr2uV8GGD/zKSw6EbHyOtE/rLG0NaC
+4JxkEUc1tZ5JAZCG36cGWr5jPta2VpzJd3QETSM99tXAjDXbxelR1Bzs3YDuQRjs
+YpSZvxDsJlgxw+OlmR8ccxNyeLVKV2hWxJOGGH2sc2jco4dCBmkJJZoShXNIQ2lo
+egsQ4BpJQcX+aAOhUd7bfk6D9KIbn7On35pvPJc8Xpw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec
new file mode 100644
index 0000000000..eb7c4b4bee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem
new file mode 100644
index 0000000000..a73932af90
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUdTdCi3lbYAGAZjNYCvBsJ4Egs6UwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWJhZC1rdS1u
+by1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQBsXG5TZRDqCzYowxnJx+SVOfW0L+GJ0JyB4Zol6fYO2ppkRXwq
+nlbD3eFfhJ1C+SMos7fgqSzC83heQgkMe8Zu7rM/hAoMChaQx0DiuQ/33yBvArrz
+T0USPGZRIEBNwm20TZnOGfwWhZoxQyh7tG8Llni6REL4GBdHE0AkZjw55ZRVTju1
+kZUzNC2Y9VLb8xcah03o2SxgMk0MAFJXAc84f4Qno7jHF6ULMcMIxQ6McMnDjmhB
++ySa/hFi5PSwmyR4/CVGpc+WSeq4xhdC6GJ8C8EQltaqc78CgqfqhTnsqDmKPx6O
+skfWb1D7sz7KkkF+ugs4f45DaH8FrfG8Wxg2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..390adf2344
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-bad-ku-no-eku
+subject:ee-int-bad-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem
new file mode 100644
index 0000000000..e3590497c6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUKXEge8YWZLSBNg53NaIga1Z9ILQwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MCIYDzIwMjIxMTI3
+MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGVlLWludC1iYWQt
+a3Utc2VydmVyLWVrdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gw
+DQYJKoZIhvcNAQELBQADggEBAFdPo8XMk+fqv7ep8Wnnf7F1l3CKAzEhEH5YvLo0
+UVFehGcz3OqoMhZukciNzKLWDybHtrtZWCf5sOfz5kB/n+0NTr+JaXyfQraXC5x9
+npwmUqQX8Q4apyaMyXIbfUtzpMYeqL4aMkXVwRnRiU12EI3IV7jHTFy+miZ4Ng+3
+GhEg/vPI2BQZabiC0h0Jtc10R4FYViAad8p7j1EDFpARpxNf+wFeRGfbOLx/NPe4
+tW6XpIzGL0KZiAVWBEZQbNWs6L7hKImqbskcncUO0MOIX3a8Dq3TKdKA+aipA9I5
+XzCATYautVjr/hQx9XhtxbBMiGSHiIAS8nnbJ4fPMFjYIqU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..32bb6c2485
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-bad-ku-server-eku
+subject:ee-int-bad-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem
new file mode 100644
index 0000000000..75a36d8c96
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIUS3oym/SmKZr5ztuBmhtBs0GuSoAwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24w
+IhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowLjEsMCoGA1UEAwwj
+ZWUtaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3DQEBCwUAA4IBAQAKvhPEZlVG
+SGN4ztb6Q5ckHtTga9UbBxfJJ00btP0xYCWvUzF+YRIqNI5JtI/fNac1waF8JIlD
+T4l5TmbMOh9m4A4jCt5wLs3i61ZSHKxSfCwSanJr5krRVaFRD+02ujJvEwsf18XV
++woKp6FO3BzRde2HopZe67pvSsFnba6TC7wYjGHN1q5WUh3O/U5NPC9MRSto5xOm
+hWI8KMnXbNKGaUE11Bp5AExxBj89mHfJ+GieTRcBV/LB9lDSAGa9ci0qmWBvUiCi
+RlT1RZYoxsjvxxHGRtKe2hUJXUjgLaQ5C/e84Z27Xxb9YfIQTZjR2ChVS2EgmEi3
+k9fVuKLvM8rq
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..9e0fb65fd6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-cA-FALSE-asserts-keyCertSign
+subject:ee-int-cA-FALSE-asserts-keyCertSign
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem
new file mode 100644
index 0000000000..438d05ee44
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIUI2r/Fd7yvseRwKsjNLk+upqvezMwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVwdGgtaW52YWxpZDAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAnMSUwIwYDVQQDDBxlZS1pbnQt
+bGltaXRlZC1kZXB0aC1pbnZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwID+DANBgkqhkiG9w0BAQsFAAOCAQEAjtSGX+pjliroVL6zD5QUsjMpyv9k
+SFyjvMU9aSAT2b2N3D4jZVPfJ6a7k9+uT9GhnYO7X8tAWqxOSmq//JFArcaaBdQN
+xeeIOdOejDsd3eqYunflhaESN+0Jn9VXQOArZxNUZMv0U5i4lzkW/A7brw+p+EDv
+QL34Ewm6q2RNblPZ/NvnxJ0lX2tg4XrBlDffzvtE8eiChP/X+B2fcKogMU7XYWYF
+AhREsryMWWR0DzfInUcyQFQhVK2rNkwn0P+1W6RGKbNYVb/sNu8q8zhoM/bRZZ5h
+DmzemVCDenewDozLAaGXXaT4mlvyGSsLySyxRtXGFY+kmEZ+4Hqo0D4Qdg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
new file mode 100644
index 0000000000..f00b4d1591
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-limited-depth-invalid
+subject:ee-int-limited-depth-invalid
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
new file mode 100644
index 0000000000..562bd8b0f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUd8Ott82XwW7of4WG0oKEoPnLvO4wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWxpbWl0ZWQt
+ZGVwdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQBdUf6p86i++GEDLq/ztNbdzID7r4JUq05bOCDChc1j+Dp8CL4z
+buILruUX8aZfyMgvOfdwsuqA8CppEq7QAxP+fBalodfeOWTF48qpKX0ENu1yQJaX
+Dp+RzZTQ/bjTUi/zcgUZDkZiqtzdLt3YDQVLZVlMOU6dzbtx6cLtJoWGR4DFTzPv
+fEqNmMkPZLiTEQJxyvtORBnS6EWz4h2szQ5DIdqgQfNBKp83CEgws2P9Ydz2V6Wo
+NX7ffo7KFexxcl7yFAZ97VUm7Oh8YUraF3mj7nUs9hPyj2yn87NFuN4WaY5q2Bl4
+xV4DbCubdqJssVoCtOUgauFKkWQvf7pR0Glt
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec
new file mode 100644
index 0000000000..df85342d98
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-limited-depth
+subject:ee-int-limited-depth
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem
new file mode 100644
index 0000000000..d406566089
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUSYi2rd1ebYfAk1hnQd0FepY61yowDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LW5vLWV4dGVu
+c2lvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQCL7d6lgHbK95To/n7ZMS+5Gz56Po8xq5DnW8Q9zNw78Pt07ef+
+Q+ov9QlS0rBvK6AqMrAGfqzydxYA61i4x72os/47VmbIh/ZqTDrbGVLYkpBoLIpV
+RxfTAQZj8oNl6MoSSVcTz3MFVQIz9FKjdpSFsXoEWxVMT1wOoLr5RUVgOkHQm9KS
+fP5IlzDu+etdiwkEytfgbkr9cLWyosBUVKrd9dXJ1Po0TtnD4zkyUNxDs6Wpu9TS
+ke0uBPaPK8KqU0ptcp3OzFQYgYSHYdbl6ZLXui+GUmaVBNvJLWmA0diAZgF7RTuW
+WyOthWc5DNrLnDNhVT39d7CV9HFhRh8mjH6X
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec
new file mode 100644
index 0000000000..c5279046d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-extensions
+subject:ee-int-no-extensions
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem
new file mode 100644
index 0000000000..2f13242e88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUN1958Pt52Py8qevNt6tVAKuQ+q4wDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbm8ta3Utbm8t
+ZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkqhkiG9w0B
+AQsFAAOCAQEArYhtyDOeNGHS2s4D3YQ7WGVeATYhGwJuGRfeN1nzOMNXOrc5gz2m
+a7dVUaode+xu1h963xt5bFmIZGP9xSuy3dAuzJ9mKAC/+V6QLjZbiVpmA8jRktBM
+HTO5K1n6RrGegSjGipvENZRpTP1H6s1Y4fkl8lVtgUpa1XP/de9qkPepPUSwdzRZ
+0MsnI35RGp7C+X94ULIIkCmcMKpf8PcmDELYlcEUDK07GWSRpp91HgLuGIQiyCCg
+bvqGzfuL40e49FEL5X8JxY8ymihWXgwGzgloXr/Ym6odNiYOI99KK6w08Kw/T+cy
+FzUmLvSjN/9k3Bdo65jBmNwwCZz1tUbwmw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..92ee3cc6d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-ku-no-eku
+subject:ee-int-no-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem
new file mode 100644
index 0000000000..55ca453482
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUeayLDH+s22BfC1h08wFNYFlJlIkwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwIhgPMjAyMjExMjcw
+MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowIjEgMB4GA1UEAwwXZWUtaW50LW5vLWt1
+LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0G
+CSqGSIb3DQEBCwUAA4IBAQAHkEmTqmTSU43pHVV+ZYAEKOljrwW7BvNILDtpQgD+
+94wBdkTJWpMHP5WEzeUP9Jh0W+L5KfWUaGld2bF53WFHSHTphucUqxMUlBThs0z+
+G15qGUAIOWutpYHe2tiQnZhu4U1+z2AmOBLB47a5gW4hu4y1j0K8fwsJCfSS9bu0
+xYtLoNwUsfkqnmCQc3z6UUo2dwXV3kpO4NbkhhJwBbYXAursi6gv3zviL7zaEfaP
+B5q3OiW0F3qfZgkgEYQdG5qnBnLvFy7fgSgbbpRXq0X8LcW4rD53CXUbZ/OVKK0A
+0k5PJPUhQbvJMO2IRyvlX8NJUpm39hH0VV08jyItDEYm
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..c148896710
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-ku-server-eku
+subject:ee-int-no-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem
new file mode 100644
index 0000000000..c9ba84156f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUD7rkIlbxASKFwZSsBkJcHI18bS8wDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgP
+MjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1ub3QtYS1jYTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gwDQYJKoZIhvcNAQELBQADggEB
+ADYDPzfhTNy98mCmhZQcO3Cw2b6ns40wkBk2QwOmbF3Y7ah/NRo4ukh5nKmFCWIL
+0O5DXptlAc2CPAPV8zrI9e0Taic5Q9Qu46kQ4K+ygvlChob3LwsYBOkyNg5lEjfd
+yrihEuZO/vEXqQypgySiUC/CpYzs2ZtQSWfvxBIgL14f1k+6UrLgl7V/n7Mhyecv
+xfdkX0QLP61ZpaGU331dGCCcIshUFwCxWD7oAmcSpNHE5/ViWWCk4e2Y3Zo+4OlL
+NC/OwYB1b7x7I0YygH1lm/8gEckrrSN7oSI/Ed7b3zVJG2hUQrys2wt+/4eM3dty
+6gUFl7ZHrfBS86bd24pqD7I=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
new file mode 100644
index 0000000000..a95b0dc260
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-not-a-ca
+subject:ee-int-not-a-ca
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
new file mode 100644
index 0000000000..eb34fe3d7f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIUO+gSZWYxor47jvyLUUI9TrUzeXcwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTAiGA8yMDIyMTEyNzAw
+MDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1pbnQtdmFsaWQt
+a3Utbm8tZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkq
+hkiG9w0BAQsFAAOCAQEAkiVcd2ofl/HQn8WlBbXWjVob7lT6/Ll/CvmgeZTRbe8Z
+FMEbkBxQOrhMVWTR3FsZyv/Y2oYohaiK0jOGw3tKyhEbSjE8iyDKjRLpsXG+byrs
+TfqLu1KvfhAyvp1e5cIIOjg3KeXKptCS0AdFAydzlvIXbY2RaznO3mFDrwnvKm9B
+gbRr8seEyB4mk2RetHrV+9ZH5tEHbv1kwSTSCrDCxtpFID6sNDB+BU7YJajoRHNv
+yYkzQ5uFWCOr5BP/t70nvVv6RZSV7V7b4YeM5FwMYjhGeM030o+llW1sPNSmvWvj
+ABeSs4FuketElNamHWB6lrbJUPrxde9PylYZRIy4dg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..89a66b9f97
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-valid-ku-no-eku
+subject:ee-int-valid-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem
new file mode 100644
index 0000000000..c128787aba
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUDfZRUq6trpvwZ+DeCOEG4iCGxuAwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwIhgPMjAyMjEx
+MjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowJTEjMCEGA1UEAwwaZWUtaW50LXZh
+bGlkLWt1LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgP4MA0GCSqGSIb3DQEBCwUAA4IBAQAyL0DG6Cx9aM+2js+AQLl9/3ZOZSGN8NZ3
+q2wZ/mAI9h2w6wizjTuQDPRxyKbDqdQBGmIKfw1CVMOiEXmQZEuQYVr1ZjXQSqM2
+9hbqxocm2PxFbSuWK+8sPoUc0P1ZyZQobcbbCqSckMSvf4rxPrIs9y7w09hFnuYS
+YhJcGePbNGQRouQ5MxvQxQWxQQc7KGwvz5GPrkBUeXb7amIMer4kOiQAT2W2dp1f
+EmJ0Xi4TULakERHApVDOcrcN5QQ1WWS5/M8cH9YOV4OijhE52MLWNALh3EkROk5O
+AACCKlhj6Kpr3cmrI/GN2lIq+jV4MIebnpXIImNbqnKAK9RSMsbg
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..43e83a336e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-valid-ku-server-eku
+subject:ee-int-valid-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem
new file mode 100644
index 0000000000..f63044d4ab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAcCgAwIBAgIUZzsgYjfvjZbq7WTdGcipyk+CMkIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwG
+A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH6MA0GCSqGSIb3DQEBCwUAA4IBAQC4LCK7
+qH2FvULMTugwtrvm1swahaJ1+DMwtjF4wE1tKgoFQwq1592GTQ47oihhH9Qmz3EF
+kuL1nl+KRjOyKUgehg/cwwJYT0JNNB47hDBQc2vs8AYwcakmMAwS6DxzLz47DqZN
+HwdiWTVILd5ReHOv3mypbKVqr1OAG1cxdyNhy4/hGQxXyf2u08Rijj5wrbQoBuJf
+LzfZLOE4xHEsPashTghbZqFYBtRXxyJgGMhWgzYTBwojLH/9p6vQXmTRt5nt4pDA
+VS1uZaOS8jG4NxWTEC1ucEcmSNdQ4NvWT/3dFE6ov8bd66QyRPgUJ/eMiW0g003O
+ezrMAtQkE8Dtyut2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..f6525449b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-bad-ku-no-eku
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem
new file mode 100644
index 0000000000..b8b232ab71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIUac94mNlBIJeghgHlpGI0Ivc/Eb8wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozww
+OjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB+jAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAF0UtDva+INfW5qK9CZLHiOX
+GWpCMTn9X7LSxXGmEA/svZV9XH7g9/iF0ueGgyVxc5qbMXbgMHxUZPuze0UuXt8F
+/8HRq2uCiNvSf1WWbwy2r6B33vRt1LH9GhazCsQvZdVvYLaTc2/NweKP9/Uv4Djr
+u0mKkFCWjnIOVgDHmD7oQAmrBb0K8+ZHuiVXg1OqEj+wrR2TLTBgkhKEo8WWBVQI
+Z/ubsSizcz3kqpJyXtcJgypCjbB1C8HkW6OoyP9ODeYKnkM18ldHrzDEnjsldRL6
+zV+Txu+2+r6zpAoIwJhtz1vz876J4NSjyOGhMOEw3RrXy7lExK75SElnOK9BJUo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..2d324508d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-bad-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
new file mode 100644
index 0000000000..59fd062895
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUdx4AwUYkgGlMkxtDYxQxJ+Tuci0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNp
+Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgH+MA0GCSqGSIb3DQEB
+CwUAA4IBAQBT5fFH0XnRuCFEEWu/Qj6DAT6IKL++qNGLpAgMfABWgJcVGvU5qyOu
+zjAmAtgdwr9Y18A0Vh8lpzN2UVRhKFjU1uS4XYJDs6Y+sc549SDHgA+yNe4PEUV7
+Cy9vuEir7d5C5/g7mbyHVOs3bnRgYrYlbELS7ZlUReQnTPD2y758OiGb9kY4FH5B
+EhSYUrnVVZaxDYZEj4Y+/jNZMS1RqEa/TeQLaWXW+vVoSxKennyPkfM2s5yYnfZB
+pnWJkxXpO/2mPAuj5XKA+4vQusdRKG8A027CAhFUZY5gjjmKcps39XaKbzvA0B7b
+Ct3eTtNad27+ykUMLaEei8jn+tnZyCRv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..39785d8a48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-cA-FALSE-asserts-keyCertSign
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem
new file mode 100644
index 0000000000..484e6e613b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUAfnkYMPQzubBjzBhfvuwk6J3sQQwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVw
+dGgtaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAUVWy4usr6Qqy96oTaWW+KRkeImF/kUdZjAWw+uW4+osQvCO4iOfsIGDF
+oBiqMVYRGaw5yWqx0ZwSzZEw9Ot9AvKGlLMFYqyRLZK9fHSaWuoxrpIwGO0qaVlF
+LfWVYCqMjIyDCDZaof4HGrE3RhMIsGQx1mQniiZmwwutVFTgR0nthN1FbJE9ErCL
+R5MgiFs1fqbExe5yuLpsZ8nD5re59WFWuxWy9eANVpjpJvUmjREeL8iXwyRU62NG
+fMGoKLd7XW/W0aUfQEqDGb91ky2MRTNMORzs+QSAbm0T7OXuYpXgSIap3GPFin13
+SKLne9xKCrUKtT6lBCtUE/QoZT/eHw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec
new file mode 100644
index 0000000000..9fdb2a248a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-limited-depth
+subject:int-limited-depth-invalid
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem
new file mode 100644
index 0000000000..769a179177
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUUxUrhb4BgjkslVGZAFieWP89+CIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEzARMA8G
+A1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBALHkDu7REPT84Nw4FpdZ
+FfFvNSj5XhmmFFxegea2LOlBdAQi8E0ylVz5QIFuKfSDVfrBAGo/yesHmhCKEFD2
++AuSB74HW8uItlam9YdVHtOlnbyhQRWdChadlV2eYhzkLHOC8oZe/0Q+Ycvzr8uq
+TzzgMs9nWloEdpOmSCPCfzEF75O+/OPqM1kWJJoif7tZx5kQX/Zqgp9RjaM6rU8J
+yyp6uw8j4IXD0DerYISvxkmDxIP7tlcKKjzIXVCb0q01Uk0Bl5th3Gc2nloNmmpr
+TZz9rhOFMcVW1nB/0HnDa1ze9jWhzOGBY7/3fEzDrp9pR2fXoR0kiJwz25uhzb6P
+KsY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec
new file mode 100644
index 0000000000..64f54b0441
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-limited-depth
+extension:basicConstraints:cA,0
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem
new file mode 100644
index 0000000000..23c4da1e3a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuTCCAaGgAwIBAgIUI/ihH8S23PSWe3hDO67GzVPRFuQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI
+hvcNAQELBQADggEBACpm2LZdorCud2fv5ZXwqFvs+3Sy6oEaH8t8thUHX7qb1Eyo
+vePnwXo6WG864cVrjK/eKY7yuzCRJiG1+spEGHfh+9H1nNixT+XmBCzGhRlo017S
+TA1vTuJn6ouVcfpwBnzozxURORvk9sxkcxHVMOOM24ahlXx44htQ/AIw7B6c/NKz
+VYIHkMM81E8D7it+sNfpmiSCnFW+yAZ7duzxtR8sJUjX4S7BGjQYPZyqin+7vvlJ
+0WcYPlHPbuwajwKo13BE/8xxoQRuTK+PMRtfztWns5VQ/dBxnrq9hLDYfIOL5htc
+JLfV0RL5yKVddSU4erqWmHYWJeKGhjkdZepKAhY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec
new file mode 100644
index 0000000000..c99626bd5a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:int-no-extensions
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem
new file mode 100644
index 0000000000..dff2d75ddc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUZw7kdUP+d6L0D25eyoo7P30mNpQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYD
+VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATOAxwW9ijLQFXbEizjBHW8sj
+phPLYpnwstZQ0rlG2X/XmrWE+jU0EBOXcG0kEM1PkRB/0rKCjklQlAqGupusJVLa
+ov55RMInEn1CbJr71TTH6d/Z34kMje6+O4TKxtE5vDH4Wk/CUPUnBc/p3D/wBRe2
+WZwH8Lu+VmBMXB09MkKYT9cBuLeO/pgKj79VA7R4vkUD9Zil57D4bjXpTv3MeSss
+mMo9AVoNCpa7ndYgNmCjVe6/pmFDBCciEcq6ILXjU9FRDjlGnDyLh0F9Gi2ujdq8
+1KvPLRZ6cJwYAyFAhUlMIg7uxjj29fC4ig1u5thAFSPW3R3tbUnViXtfLKTYiA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..306a218db9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-no-ku-no-eku
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem
new file mode 100644
index 0000000000..51bdbecf41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUJ1WuvZBW3mlimrxPcn4A8mY8ivkwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAt
+MAwGA1UdEwQFMAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G
+CSqGSIb3DQEBCwUAA4IBAQAgEbrZUafufe5mf2FabYotLgfa0Gpm7VLy7TQmWpB+
+hVQH6S5Aw5+wwf6HUf97Mm0FR4oOSNii0nDT7cvYuZS14F/GX2In5R0/SY0AQb+H
+Ozpu6nis2PsSw5/MZw2ezWFVWCKtUM1KoWJytr/DV5iQU52o6gbXR9VTHJ4lE/Lo
+JyQwPQlR3av0Igj0tt5v6AJYwJ7ScxByAi/5DAg1S/MQDDoyOukciSguJRgAR6Wo
+V2QaQXv2aCysebRXSJqRZkx+Tkx9rKm3Dt4FeQre8O7+te6+pF2N+rc9rw2X/YDb
+aM/+oF6n/SjY0I1BHgisTDh74MH1VOX05VAByTSNzJIz
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..1482b627c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-no-ku-server-eku
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem
new file mode 100644
index 0000000000..21a9394764
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAaugAwIBAgIUcYa2sMryjJu9AWZolGBEQIkToB0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNVHRME
+AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQC3MTzOgdEqT2gVg+VZvwMb97wc/H6kyyTv
+xF+cABJ/1oHJR0q9JYixWL4SGVV1zFZllDNIndVje3BkwZBrpEnbpBG6ldNh7SMn
+Vcf4lB4o/+f1LtWCJg8rE6LHvBM39akotUi6QS263PGcQR96TfAarMKaBab8arg2
+9GG8IuO4n9ivkfRclte0QJ+T8+gMbxozneoiYh9ZUmPLnZehHW3ilk2nkW6hP2R8
+a5aboRmZfsofUaxfvXMSpYMqo68fNAi/v62JkJtPvTU7s/vtAzQSH9YG9P5pAH23
+Izr2ScQcYsyQUPfYRhBjLAG9wYMglK+n+pg+MIxckAuqqoRC36qJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec
new file mode 100644
index 0000000000..3161680b1c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-not-a-ca
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem
new file mode 100644
index 0000000000..09cab5445c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAcKgAwIBAgIUM4OicXZ4gCh8lZlzuvTCXIUBDKYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBsw
+DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAAJn
+yDIjm2dDTewadyHcNlES6qFQJtKTfEXpeuwSEjGy1RKhIk2LbDitlop//MOcoLXX
+y5bgBZHidWDWrC/9QKGWxRK4O8gyFclfa0LkTyQHiIoEkLokzhW3jy9vha2NCy1a
+sXFCHgrDQK3a8vCdmRL3PGRgf91kEkrObNZaGgHfbJMEE8/eLsbMBXwNYlqFIwWI
+mtoZhcf9qDQUi10GpZm3ZsYHcWgEytPO+8aN4wnl3J2ExKhzcmnGAgUAH0N17fjO
+yf2Oxdsv4T6DU5RFzSogHMq5HPHZ9QI4k397D+aFy9KESkKZQv+4kiCAKQom5BwC
+YwXsXQtdkZSI64ED0Io=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..d7f9b0387a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-valid-ku-no-eku
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem
new file mode 100644
index 0000000000..1de101fe2c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIURy2A3rBwMm3U4brlrpN4em3dGdcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+PDA6MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgIEMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAOxMw/SkInO9x4Yttk/Y9
+Fe70V8UU4Hh1NSLwBpDcH36rJyijb37du3tsygHXkSQmmEjHK0q8KNgvZkA4Bn+O
+6zcZxpM60UoUluWUdenprlpbCH7usco1lF4wc0ZhO/IzUz/P0NlHE1f7S92P/zAH
++gW1oQGXA6/zmy06o88JwyzhTcTwcUwc+dsZniF5kGH7fyfls4X+C9loG8Op3Afk
+pgDQO2XePhjvWuw8rbFWQWhTnuduG7TRSKUB3q8wdRXdAFW8lmvuWRTCHQnUGbZ4
+jfywTG5vCqOLT+fp5U2HUHOXt3VTznkuXsRXCiRdSUR89rNUeydzCIzuVC4JV16/
+zA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..84314bfa40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-valid-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads.js b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
new file mode 100644
index 0000000000..f1568e0a47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
@@ -0,0 +1,528 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+ "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+const { IntermediatePreloadsClient } = RemoteSecuritySettings.init();
+
+let server;
+
+const INTERMEDIATES_DL_PER_POLL_PREF =
+ "security.remote_settings.intermediates.downloads_per_poll";
+const INTERMEDIATES_ENABLED_PREF =
+ "security.remote_settings.intermediates.enabled";
+
+function getHashCommon(aStr, useBase64) {
+ let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hasher.init(Ci.nsICryptoHash.SHA256);
+ let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ stringStream.data = aStr;
+ hasher.updateFromStream(stringStream, -1);
+
+ return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+ return hexify(getHashCommon(aStr, false));
+}
+
+function getSubjectBytes(certDERString) {
+ let bytes = stringToArray(certDERString);
+ let cert = new X509.Certificate();
+ cert.parse(bytes);
+ return arrayToString(cert.tbsCertificate.subject._der._bytes);
+}
+
+function getSPKIBytes(certDERString) {
+ let bytes = stringToArray(certDERString);
+ let cert = new X509.Certificate();
+ cert.parse(bytes);
+ return arrayToString(cert.tbsCertificate.subjectPublicKeyInfo._der._bytes);
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the
+ * local data with fake records.
+ *
+ * @param {*} filenames List of pem files for which we will create
+ * records.
+ * @param {*} options Options for records to generate.
+ */
+async function syncAndDownload(filenames, options = {}) {
+ const {
+ hashFunc = getHash,
+ lengthFunc = arr => arr.length,
+ clear = true,
+ } = options;
+
+ const localDB = await IntermediatePreloadsClient.client.db;
+ if (clear) {
+ await localDB.clear();
+ }
+
+ let count = 1;
+ for (const filename of filenames) {
+ const file = do_get_file(`test_intermediate_preloads/${filename}`);
+ const certBytes = readFile(file);
+ const certDERBytes = atob(pemToBase64(certBytes));
+
+ const record = {
+ details: {
+ who: "",
+ why: "",
+ name: "",
+ created: "",
+ },
+ derHash: getHashCommon(certDERBytes, true),
+ subject: "",
+ subjectDN: btoa(getSubjectBytes(certDERBytes)),
+ attachment: {
+ hash: hashFunc(certBytes),
+ size: lengthFunc(certBytes),
+ filename: `intermediate certificate #${count}.pem`,
+ location: `security-state-workspace/intermediates/${filename}`,
+ mimetype: "application/x-pem-file",
+ },
+ whitelist: false,
+ pubKeyHash: getHashCommon(getSPKIBytes(certDERBytes), true),
+ crlite_enrolled: true,
+ };
+
+ await localDB.create(record);
+ count++;
+ }
+ // This promise will wait for the end of downloading.
+ const updatedPromise = TestUtils.topicObserved(
+ "remote-security-settings:intermediates-updated"
+ );
+ // Simulate polling for changes, trigger the download of attachments.
+ Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+ const results = await updatedPromise;
+ return results[1]; // topicObserved gives back a 2-array
+}
+
+/**
+ * Return the list of records whose attachment was downloaded.
+ */
+async function locallyDownloaded() {
+ return IntermediatePreloadsClient.client.get({
+ filters: { cert_import_complete: true },
+ syncIfEmpty: false,
+ });
+}
+
+add_task(async function test_preload_empty() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ equal(
+ await syncAndDownload([]),
+ "success",
+ "Preloading update should have run"
+ );
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should have been no downloads"
+ );
+
+ // check that ee cert 1 is unknown
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_disabled() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, false);
+
+ equal(
+ await syncAndDownload(["int.pem"]),
+ "disabled",
+ "Preloading update should not have run"
+ );
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should have been no downloads"
+ );
+});
+
+add_task(async function test_preload_invalid_hash() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ const invalidHash =
+ "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d";
+
+ const result = await syncAndDownload(["int.pem"], {
+ hashFunc: () => invalidHash,
+ });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should be no local entry"
+ );
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // We should still have a missing intermediate.
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_invalid_length() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ const result = await syncAndDownload(["int.pem"], {
+ lengthFunc: () => 42,
+ });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should be no local entry"
+ );
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // We should still have a missing intermediate.
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_basic() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // load the second end entity, ignore both intermediate and root
+ let ee_cert_2 = constructCertFromFile("test_intermediate_preloads/ee2.pem");
+ notEqual(ee_cert_2, null, "EE cert 2 should have successfully loaded");
+
+ // check that the missing intermediate causes an unknown issuer error, as
+ // expected, in both cases
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert_2,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+
+ let intermediateBytes = readFile(
+ do_get_file("test_intermediate_preloads/int.pem")
+ );
+ let intermediateDERBytes = atob(pemToBase64(intermediateBytes));
+ let intermediateCert = new X509.Certificate();
+ intermediateCert.parse(stringToArray(intermediateDERBytes));
+
+ const result = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ // check that ee cert 1 verifies now the update has happened and there is
+ // an intermediate
+
+ // First verify by connecting to a server that uses that end-entity
+ // certificate but doesn't send the intermediate.
+ await asyncStartTLSTestServer(
+ "BadCertAndPinningServer",
+ "test_intermediate_preloads"
+ );
+ // This ensures the test server doesn't include the intermediate in the
+ // handshake.
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("test_intermediate_preloads");
+ Assert.ok(certDir.exists(), "test_intermediate_preloads should exist");
+ let args = ["-D", "-n", "int"];
+ // If the certdb is cached from a previous run, the intermediate will have
+ // already been deleted, so this may "fail".
+ run_certutil_on_directory(certDir.path, args, false);
+ let certsCachedPromise = TestUtils.topicObserved(
+ "psm:intermediate-certs-cached"
+ );
+ await asyncConnectTo("ee.example.com", PRErrorCodeSuccess);
+ let subjectAndData = await certsCachedPromise;
+ Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+ // Since the intermediate is preloaded, we don't save it to the profile's
+ // certdb.
+ Assert.equal(subjectAndData[1], "0", `expecting "0" certs imported`);
+
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+
+ let localDB = await IntermediatePreloadsClient.client.db;
+ let data = await localDB.list();
+ ok(!!data.length, "should have some entries");
+ // simulate a sync (syncAndDownload doesn't actually... sync.)
+ await IntermediatePreloadsClient.client.emit("sync", {
+ data: {
+ current: data,
+ created: data,
+ deleted: [],
+ updated: [],
+ },
+ });
+
+ // check that ee cert 2 does not verify - since we don't know the issuer of
+ // this certificate
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert_2,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_200() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ const files = [];
+ for (let i = 0; i < 200; i++) {
+ files.push(["int.pem", "int2.pem"][i % 2]);
+ }
+
+ let result = await syncAndDownload(files);
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 100,
+ "There should have been only 100 downloaded"
+ );
+
+ // Re-run
+ result = await syncAndDownload([], { clear: false });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 200,
+ "There should have been 200 downloaded"
+ );
+});
+
+add_task(async function test_delete() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(syncResult, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ let localDB = await IntermediatePreloadsClient.client.db;
+ let data = await localDB.list();
+ ok(!!data.length, "should have some entries");
+ let subject = data[0].subjectDN;
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let resultsBefore = certStorage.findCertsBySubject(
+ stringToArray(atob(subject))
+ );
+ equal(
+ resultsBefore.length,
+ 1,
+ "should find the intermediate in cert storage before"
+ );
+ // simulate a sync where we deleted the entry
+ await IntermediatePreloadsClient.client.emit("sync", {
+ data: {
+ current: [],
+ created: [],
+ deleted: [data[0]],
+ updated: [],
+ },
+ });
+ let resultsAfter = certStorage.findCertsBySubject(
+ stringToArray(atob(subject))
+ );
+ equal(
+ resultsAfter.length,
+ 0,
+ "shouldn't find intermediate in cert storage now"
+ );
+});
+
+function findCertByCommonName(certDB, commonName) {
+ for (let cert of certDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+add_task(async function test_healer() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // Add an intermediate as if it had previously been cached.
+ addCertFromFile(certDB, "test_intermediate_preloads/int.pem", ",,");
+ // Add an intermediate with non-default trust settings as if it had been added by the user.
+ addCertFromFile(certDB, "test_intermediate_preloads/int2.pem", "CTu,,");
+
+ let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(syncResult, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ let healerRanPromise = TestUtils.topicObserved(
+ "psm:intermediate-preloading-healer-ran"
+ );
+ Services.prefs.setIntPref(
+ "security.intermediate_preloading_healer.timer_interval_ms",
+ 500
+ );
+ Services.prefs.setBoolPref(
+ "security.intermediate_preloading_healer.enabled",
+ true
+ );
+ await healerRanPromise;
+ Services.prefs.setBoolPref(
+ "security.intermediate_preloading_healer.enabled",
+ false
+ );
+
+ let intermediate = findCertByCommonName(
+ certDB,
+ "intermediate-preloading-intermediate"
+ );
+ equal(intermediate, null, "should not find intermediate in NSS");
+ let intermediate2 = findCertByCommonName(
+ certDB,
+ "intermediate-preloading-intermediate2"
+ );
+ notEqual(intermediate2, null, "should find second intermediate in NSS");
+});
+
+function run_test() {
+ server = new HttpServer();
+ server.start(-1);
+ registerCleanupFunction(() => server.stop(() => {}));
+
+ server.registerDirectory(
+ "/cdn/security-state-workspace/intermediates/",
+ do_get_file("test_intermediate_preloads")
+ );
+
+ server.registerPathHandler("/v1/", (request, response) => {
+ response.write(
+ JSON.stringify({
+ capabilities: {
+ attachments: {
+ base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+ },
+ },
+ })
+ );
+ response.setHeader("Content-Type", "application/json; charset=UTF-8");
+ response.setStatusLine(null, 200, "OK");
+ });
+
+ Services.prefs.setCharPref(
+ "services.settings.server",
+ `http://localhost:${server.identity.primaryPort}/v1`
+ );
+
+ Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem
new file mode 100644
index 0000000000..680b068f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIUN/Y56TvJcL2liqk2Feh/QfKrlLwwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAx
+MDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowJTEjMCEGA1UEAwwaaW50ZXJt
+ZWRpYXRlLXByZWxvYWRpbmctY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBSPwr2BfSHT3saxwx6YGEautZx
+w/sdM9AJAubFLqDd3MYHtzCZcQXaeDGbAzvo8m/PKA4Yt+UYbKyDnRR8sLA4f/iu
+z1zHeenlzBWpRVHu/++ZSk/ESwn0zLprIsOcXjaYkbfrqcEGNWvLJzpT4T36Gr9t
+DvxHnpsaMsJviZS3WHzTSoioWkcRyF78bYa51ZJWYJHFKZQppqhJ+jcoJhiomRlc
+WwhI8NAU3dOOFJuEg/z+vQpcEQi0rRW9J6X/15BUZRQlF5Hs2wilGa8ViNX2+B5I
+kjbmNrdT5hcnGEfR7JpHFuihFdxQc4CFY87u1chI8yaHLhhriUP6Jq0+J5ur
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec
new file mode 100644
index 0000000000..4ccabc25b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:intermediate-preloading-ca
+subject:intermediate-preloading-ca
+validity:20100101-20500101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem
new file mode 100644
index 0000000000..858ef20f77
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAfSgAwIBAgIUS7nGEU4h320gkvuvan60uF0VLhIwDQYJKoZIhvcNAQEL
+BQAwLzEtMCsGA1UEAwwkaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp
+YXRlMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBkxFzAVBgNV
+BAMMDmVlLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozIwMDATBgNVHSUEDDAKBggrBgEFBQcD
+ATAZBgNVHREEEjAQgg5lZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+W7w+FCESgLODEah0v+1zc0BZL5m6rijCDSRmZa3HYU89s6B1SRgbmafY7FmFc/5G
+2kYXY+RvXA32A51D4pnwjVtwvtmXj7McF58BnNFrCQFrSK6+9+oDECOeSbY3FYRP
+llF+pSghVBOUtqE0YTc4/H8pjEXiuvznaG26/T5wD/hGfQYB6+inuQp6TbaWkEfL
+f4PkDz7PH04+lCfbZfZ/XPgkQSIdSFs3aZ6T46srMx+xO6glVDJl0XBNCsNaQODK
+8CGNYG+KjJHuIHfan/wq6k/2/C5ikfyhUeDErm9DInqsb4uczq+gXT4M9AzwVohq
+8WiC4de5MYrql0Z7Dt3Ldw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec
new file mode 100644
index 0000000000..e9decb76dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-intermediate
+subject:ee.example.com
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:ee.example.com
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem
new file mode 100644
index 0000000000..d5334d330e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUV2SZbt8RBtW013yEH3ahP4XhwuEwDQYJKoZIhvcNAQEL
+BQAwMDEuMCwGA1UEAwwlaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp
+YXRlMjAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAOMQwwCgYD
+VQQDDANlZTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3
+DQEBCwUAA4IBAQCMd2NIGqb9yW6ErW4QtAlSvsgwozizt2HNdPLQT/sqiAyJ1Gao
+GpOU+4zNYdUdqGVALYr3gHC7LM5f1OD/h0o8Us357yZc0k4LDf81S3pw5CrUeIrx
+7QRUi8YLJxt9w8zjY8F9ZS0ABszPXnip/aOGwqyWifkXUiuFfBBeMVcKS9UXZ1C9
+I72dnWKUo/wqGlNl5dDLLKom5aJGCB19Kw9DAyCr5BUHoy5NQf6K2yPIDiDFynUy
+XtEBYBt4X7Y+RCx4UZgGs1jBokPNf3/zhTKihiTwMEp5PZGkYyD6j5w4cVQvxMU+
+29M+FIBbjqEXyj1aPA/dtd2RRqAxI4Axs32s
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec
new file mode 100644
index 0000000000..089ac63831
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:intermediate-preloading-intermediate2
+subject:ee2
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem
new file mode 100644
index 0000000000..5d439d02fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUa05TmhDT2y7ii4gJ+iRbzLuzI/AwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAy
+MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowLzEtMCsGA1UEAwwkaW50ZXJt
+ZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAkW9Sj+OlrVea
+yko6WPtlyUx1zBJhJj7y9geAw+Na5qYjtjNdJven1hJqQ50im8zDjT8JLxKz65Ax
+4X0FWvA1g7CdTOv5+Np1fYBCoa0rpujziI0zuYfd8+7noUKZI4FQrYFsoJ9ANNcE
+6VENIchgadk1aUeNEKQSJyX12xQj99PpRVTEcEEOuR53CGbYocLVhRw0NTz+AQZ+
+RmUWEyG3H/lGb/udUXo+JdlBVyyjhJes7A7v4K3zSjRuwPJ0rYChWAIP4SkKHErw
+hlKgxMGUB7Jm01JVptMNyB9fS6Y2fWpIpGhMQjCmvwFy28nElqD543PlX9BbsiW0
+0C4Z9732NQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec
new file mode 100644
index 0000000000..5863b3131f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-ca
+subject:intermediate-preloading-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem
new file mode 100644
index 0000000000..7278d9275c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIUW1sp+XyGV3pcORGQACi1fhpzAh4wDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EyMCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMDAxLjAsBgNVBAMMJWludGVy
+bWVkaWF0ZS1wcmVsb2FkaW5nLWludGVybWVkaWF0ZTIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCsjAE2/+ol
+YAHrHkhtSTJ4E18B7DwYWRGQTuxDjPOFLD4jkA3hJDhWDXflx7r53tX+Vy1skX4t
+vKVjl4dCGx8on9cB9d17xb69r/NtuASIbx7J0pfn2OSvysryWQIXpLKzyMuphmEu
+znQUQGlieUiH2TIaBGiX5pi1/ExrveKS5a0TFA2NYj3aYxtrLDu3zDoKU09T6akk
+g6zGrq3YGqpchg7BAfPgGum6T6ZzxGNTMPZ1MIL6GQsFg8vKVn6GWnXMKUQ3Kfen
++R7CqcSxUDjOsVkAuNCUC+D4zCjY22rT9Mkd9x+aB7mkf/IHVrEQlDTtSE7wJpw8
+Jsdvhg1wyErS
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec
new file mode 100644
index 0000000000..27e9a008df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-ca2
+subject:intermediate-preloading-intermediate2
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_keysize.js b/security/manager/ssl/tests/unit/test_keysize.js
new file mode 100644
index 0000000000..0fa880f8f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -0,0 +1,204 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that RSA certs with key sizes below 1024 bits are rejected.
+// Checks that ECC certs using curves other than the NIST P-256, P-384 or P-521
+// curves are rejected.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+/**
+ * Tests a cert chain.
+ *
+ * @param {string} rootKeyType
+ * The key type of the root certificate, or the name of an elliptic
+ * curve, as output by the 'openssl ecparam -list_curves' command.
+ * @param {number} rootKeySize
+ * @param {string} intKeyType
+ * @param {number} intKeySize
+ * @param {string} eeKeyType
+ * @param {number} eeKeySize
+ * @param {PRErrorCode} eeExpectedError
+ * @returns {Promise} a promise that will resolve when the verification has
+ * completed
+ */
+function checkChain(
+ rootKeyType,
+ rootKeySize,
+ intKeyType,
+ intKeySize,
+ eeKeyType,
+ eeKeySize,
+ eeExpectedError
+) {
+ let rootName = "root_" + rootKeyType + "_" + rootKeySize;
+ let intName = "int_" + intKeyType + "_" + intKeySize;
+ let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
+
+ let intFullName = intName + "-" + rootName;
+ let eeFullName = eeName + "-" + intName + "-" + rootName;
+
+ addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu");
+ addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,");
+ let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`);
+
+ info("cert o=" + eeCert.organization);
+ info("cert issuer o=" + eeCert.issuerOrganization);
+ return checkCertErrorGeneric(
+ certdb,
+ eeCert,
+ eeExpectedError,
+ certificateUsageSSLServer
+ );
+}
+
+/**
+ * Tests various RSA chains.
+ *
+ * @param {number} inadequateKeySize
+ * @param {number} adequateKeySize
+ */
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
+ // Chain with certs that have adequate sizes for DV
+ await checkChain(
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ PRErrorCodeSuccess
+ );
+
+ // Chain with a root cert that has an inadequate size for DV
+ await checkChain(
+ "rsa",
+ inadequateKeySize,
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+
+ // Chain with an intermediate cert that has an inadequate size for DV
+ await checkChain(
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ inadequateKeySize,
+ "rsa",
+ adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+
+ // Chain with an end entity cert that has an inadequate size for DV
+ await checkChain(
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ inadequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+}
+
+async function checkECCChains() {
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp384r1",
+ 384,
+ "secp521r1",
+ 521,
+ PRErrorCodeSuccess
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp224r1",
+ 224,
+ "secp256r1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ "secp224r1",
+ 224,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp224r1",
+ 224,
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ "secp256k1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256k1",
+ 256,
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+}
+
+async function checkCombinationChains() {
+ await checkChain(
+ "rsa",
+ 2048,
+ "secp256r1",
+ 256,
+ "secp384r1",
+ 384,
+ PRErrorCodeSuccess
+ );
+ await checkChain(
+ "rsa",
+ 2048,
+ "secp256r1",
+ 256,
+ "secp224r1",
+ 224,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "rsa",
+ 1016,
+ "secp256r1",
+ 256,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+}
+
+add_task(async function () {
+ await checkRSAChains(1016, 1024);
+ await checkECCChains();
+ await checkCombinationChains();
+});
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..12d255ff17
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAUmgAwIBAgIUb7AaRI4nwvKvcWGE1Hb0zHF1ackwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMTYtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ4wDQYJKoZIhvcNAQEB
+BQADgYwAMIGIAoGAANKbsS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDr
+kgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drX
+zLSF2BouGdUNTwtoVKyvbXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEA
+ATANBgkqhkiG9w0BAQsFAAOBgQBxLWLGGcMT2D9iMe8V2PioY1o42AtJQZWoMlax
+hZWaOvz0zTxAk6dUrI9YyyAGZX5SLMdlbSrmW4H4quIYF7LPIoxzGsu3sYwFhXYL
+o0/u3STuyUPEsZCaejnEhkF4+CyL4nk+oE7Pyf+HM9XrERo0TqhnJmuVWk6dhV9t
+kRXIsA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..7b86ef7861
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1024
+subject:ee_rsa_1016-int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1016
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem
new file mode 100644
index 0000000000..15c897db57
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAUqgAwIBAgIUGav8P8oAdtccsZCOyd9YmOM0dCkwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMjQtaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx
+1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW
+39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB
+AAEwDQYJKoZIhvcNAQELBQADgYAAl+U8RPjdcAAQ1uw3x5flze5jLt1jhrxc6/NP
+AsCbmMVo2jnP7/tnXUT27uTfKG6402Kg8QiJWn62ec+gu9jCrFFkmDzJ2hyJsf9H
+o9R4jhe5fiNAysdxCdnjhrz2IKn+jsHrddL6cxCmmAXY2Opub5jbllZESnbSgdX0
+JiEz0g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..326d665dcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1016-root_rsa_1024
+subject:ee_rsa_1024-int_rsa_1016-root_rsa_1024
+issuerKey:rsa1016
+subjectKey:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem
new file mode 100644
index 0000000000..f1e989e7cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRjCCAa+gAwIBAgIUT5GYrIC+vTXxB23P98K9jWSDirAwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMTYwIhgPMjAy
+MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowEjEQMA4GA1UEAwwHcnNhMTAy
+NDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOBgQBFD4AMKLsPDeVrFLT+MAzWkZ/BGj6g
+FAynTY+/2i4UI4RJNr2hX1Raho6gAJZwkKWmckt/WzEwFw/RB7F+nj6SiKixhIl6
+Vx8rDV+vh8lv3KvpxALpJ8JH7hOegVOWXH+4NKTGILRz2jkcYi0MK98349oFyGPD
+N2GV2tIjVT8KAA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..c44a089ed6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1016
+subject:ee_rsa_1024-int_rsa_1024-root_rsa_1016
+issuerKey:rsa1024
+subject:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..e07910aeac
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4TCCAUqgAwIBAgIUa8G3HEVIDFQSRGkr1+IFA5BJY6IwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMjQtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx
+1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW
+39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB
+AAEwDQYJKoZIhvcNAQELBQADgYEAF5TNolNsoGzHiMqPDDA1OGAxJnJj08l7Bb4n
+aZTFbHtowrLZQlStH9kBvBeZmfFAfLJ8LrWKUm4X3488pM8bR2SVP/rzGiJmJSC0
+pxqQMAOuYJr3jnM5VInlGaSW096Rnmj3qJI7RZ7ugdH7YJgYRh0SD5kgs+sRYd/F
+Q8/fv8s=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..a6ee408ec9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1024
+subject:ee_rsa_1024-int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..cde2ba4987
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXTCCAQOgAwIBAgIUecAQn0Zh9HDG6fLZ12UYeyAlmuowCgYIKoZIzj0EAwIw
+KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y
+MDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z
+ZWNwMjI0cjFfMjI0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwTTAQ
+BgcqhkjOPQIBBgUrgQQAIQM5AARmjXLMpv1qGzVXtTZhBNhECOy2N/COjIa7/4LM
+6I8AZtevY8Mpi6N3NIoSArA7N/1rH/QVqjEeMAoGCCqGSM49BAMCA0gAMEUCIFx1
+UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiEAlGKsIA91n7cHjCgGRYKH
+VWe9rFVH30nHJ0X9p2glIvk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..87d2f67339
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_rsa_2048
+subject:ee_secp224r1_224-int_secp256r1_256-root_rsa_2048
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..e5ff3fd6be
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCAQ2gAwIBAgIUC1x3yPYHK5KC0guyjDgVXxweBO4wCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyMjRyMV8yMjQtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+cjFfMjU2ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjs
+tjfwjoyGu/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHjAKBggqhkjOPQQD
+AgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw5gIhAO+zpu/o
+Lo9W8ZtGfbJEnrC5juMw0orQbCfuYpJgeTRZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..1aadce0765
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256r1_256
+subject:ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..51e4dd4c14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARagAwIBAgIUTZEvp/9N0X2RyKt/aZB8r8CkVVYwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZrMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+cjFfMjU2MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAENe58conY/veoav5dpm2Lwuu2
+qFQ/0v6tCJ9FznrND6ZDgqlQDEHa13D/1LURv0tJLrEjiADDLE92xzo/MpTnxTAK
+BggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw
+5gIgQXzLognJxafolyv/RKQfbulETuiutH+RVZW5AmE85o0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..ba999e8f14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256r1_256
+subject:ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256k1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem
new file mode 100644
index 0000000000..119326c51f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCARKgAwIBAgIUKSb0NwcxUySLk/6rN6sO62gy76IwDQYJKoZIhvcNAQEL
+BQAwKjEoMCYGA1UEAwwfaW50X3JzYV8xMDE2LXJvb3Rfc2VjcDI1NnIxXzI1NjAi
+GA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA7MTkwNwYDVQQDDDBl
+ZV9zZWNwMjU2cjFfMjU2LWludF9yc2FfMTAxNi1yb290X3NlY3AyNTZyMV8yNTYw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAMA0GCSqG
+SIb3DQEBCwUAA4GAALR1f+neoI7zBc89fS8NUgNVADsRdCzqOJX6YPYxlx3iYhlW
+d5qS69+PLxuIK+QvLcfbM7/P5rJZyYTWJFhrygkOEQQRY+Ti6E04IgkILJhJZcMj
+Y/colmyHMi7H+yN7aox4iORf0VSiGFNHXqV2QrIt7yevaZvq0O3lxS1N/Dg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..1e2e0a3759
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1016-root_secp256r1_256
+subject:ee_secp256r1_256-int_rsa_1016-root_secp256r1_256
+issuerKey:rsa1016
+subjectKey:secp256r1
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem
new file mode 100644
index 0000000000..06d3e3a18c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBazCCARmgAwIBAgIUV9AvyXLYfsXwsVxn6UVNXcs2/kUwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2
+cjFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNAADA9Ah0Amjxv8EbbcPJV9S/WmFIc1y28BSBjT5W2S7JS
+VAIcXTUhqmLEqKYyktBCpWzQv5odIOXyo0WtIjLdEg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..bd7bc770c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp224r1_224-root_secp256r1_256
+subject:ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256
+issuerKey:secp224r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem
new file mode 100644
index 0000000000..45c4754a20
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBczCCARmgAwIBAgIUR4G9BFM2dC1zS3e6CVFZCnGkIkkwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0cjFfMjI0
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0
+cjFfMjI0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC
+gApw5gIhAL4YvmibHLL2Kh0bZdzbenP9SyZ+9P9yhrNgHZ1pB4li
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..fe7b7f7482
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp224r1_224
+subject:ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem
new file mode 100644
index 0000000000..4e4462b3a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBczCCARmgAwIBAgIUWVsHbwtzMqc2wh3WFxeAAksMBcgwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2azFfMjU2
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+azFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC
+gApw5gIhALJyeaQYSfcKQ/6OMAEZ6kVWjs6Kjlm3kF3JvL79h840
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..aefffd9810
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256k1_256
+subject:ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..51a2e5200e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBhTCCASygAwIBAgIUVRrpYwC3LmogCScWtHJpcF4PD6EwCgYIKoZIzj0EAwIw
+KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y
+MDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z
+ZWNwMzg0cjFfMzg0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtg
+jiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalx
+A74oiM/wAvBa9xof3cyDdKpuqc4wCgYIKoZIzj0EAwIDRwAwRAIgXHVRnxMRUM1d
+it4go7wGMJH/snN1XzFk7P3LQoAKcOYCIFqkHgNFabzHUhzO2wdgyUyazpvq9dC2
+tqcJ9bKnikkf
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..615818d08b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_rsa_2048
+subject:ee_secp384r1_384-int_secp256r1_256-root_rsa_2048
+issuerKey:secp256r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem
new file mode 100644
index 0000000000..a37e95545d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAVygAwIBAgIUD6n1JM3NC+8tg/511NIiy9tq0kwwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3A1MjFyMV81MjEtaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2
+cjFfMjU2MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBTNycrMR5QQlrycxmdS7C
+f1l3NPpmxit5L4jFGdbTfw0W6hxIOhgnoBC5Eo46CAcMoz719Xg1t8G6JR9sw1Id
+xCsBBlNFGYG0RdND7tN4KjXWz/D/SE9aiD0gnxuQQrcmcDVosvMm4YuDO92KoHND
+krzRlQHhDWmKefU+EeCiK90qrZAwCgYIKoZIzj0EAwIDaAAwZQIxAO0GJz6haDpU
+tNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ1OxFRuhW515lVbeTqfcA8wIwY5tHRg+l
+UUvPCJ4I+AoBunF6mGREeIYONIFBy+2VVFoLU1lpYfknORnB1LSETo/7
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..b2ae9d0c8f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp384r1_384-root_secp256r1_256
+subject:ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256
+issuerKey:secp384r1
+subjectKey:secp521r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem
new file mode 100644
index 0000000000..3c0e55148c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAU+gAwIBAgIUDfmwgk6LVeIh06pWcUHlMuhH5zcwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMTYtcm9vdF9y
+c2FfMTAyNDCBnjANBgkqhkiG9w0BAQEFAAOBjAAwgYgCgYAA0puxL7hP3c0ps6UZ
+y2bEO42Pi+VFunk4TOZj7QPfdZkWAOuSB5DSUwzs5UTbmacfBYlqPtIHFlU0qpkF
+fkfEfjvIGtpvoeEuNyaLUEalUmj52tfMtIXYGi4Z1Q1PC2hUrK9te+admggxNuFa
++o9TwcjIT8YHcnndDlXXNppb3QIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQChnRJZnGp6II3xmcwuC2yjt6FAgi+U
+OIzRTkdUZwOecCuWSm+CfvZCFdfKa2vebDRL3ylzxR/RapB0ibq/dnOso4Iqac6l
+EO4dYSRTSfJc1WgP/lgaHKsS5bI3Ycnel2h+0XYMmRus/GwMUr0LfsxscuFPl3g5
+3elZV3uKQeoKdg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..c6e77116b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:int_rsa_1016-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1016
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem
new file mode 100644
index 0000000000..383a1db972
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAVagAwIBAgIUJfow4sYle7pOR9zLmBiO9+TxPSMwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMCoxKDAmBgNVBAMMH2ludF9yc2FfMTAxNi1yb290
+X3NlY3AyNTZyMV8yNTYwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKbsS+4
+T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7S
+BxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvm
+nZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgXHVRnxMRUM1dit4go7wG
+MJH/snN1XzFk7P3LQoAKcOYCIC2JPJZn7xgwGpuqXKHjpVlofUpyBUA0QjQYPGIv
+v8jC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..27728ca374
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_rsa_1016-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:rsa1016
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem
new file mode 100644
index 0000000000..5b38861793
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAVCgAwIBAgIURRvY0077O5480njGvjcUNJ4f0sEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y
+c2FfMTAxNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+
+b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h
+Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz
+RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYAAzaHfWTaUGxWr6UAc9ivSGYMsWQsD
+eAlpAKq4Br9Kl06UuviKk9+4tFVth3+t07qYON16SQO1u1MnyTxcjlNX1X+zk8SI
+Jh2BAM6u0+/K3dqcu4LO93YJeUepgy9G68pJ7daDCWUL/J9Drmd2PYEnK8hfdBws
+Bk1frODBUGtGIw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..fafb393bf9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1016
+subject:int_rsa_1024-root_rsa_1016
+issuerKey:rsa1016
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..1794edb81e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAVCgAwIBAgIUY1MfHECEu1i4yYh6r9/BDwiJq10wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y
+c2FfMTAyNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+
+b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h
+Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz
+RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAJXqg2yaOdLTFE9nxgPVOmsjLHAQ2
+468rivFXr8v8BANu3v0WQmtQoFE2bBHRzkVkF9bDXXc35AGFRHL2RK00jwY9hZbZ
+NFFcc3MgajXlkcbRVcLBnMBJMDC+AFv6PLAiGJgSueqESpnoz1XFiivIwda8+A+i
+29+oqoeQhpGHXuU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..66891f9793
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem
new file mode 100644
index 0000000000..bacc182f66
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBYjCCAQmgAwIBAgIUIUOlpYPBjVND/nAJhIR0upmpbD4wCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjI0cjFfMjI0
+LXJvb3Rfc2VjcDI1NnIxXzI1NjBNMBAGByqGSM49AgEGBSuBBAAhAzkABGaNcsym
+/WobNVe1NmEE2EQI7LY38I6Mhrv/gszojwBm169jwymLo3c0ihICsDs3/Wsf9BWq
+MR6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cA
+MEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiADjonYXqZaNN5n
+iwRCVAsBPEyHsresykMFdcBSjUCvyA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..89d77d3b89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp224r1_224-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..c2c4f227df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJjCCAQ6gAwIBAgIUT5bQrCx7qyB53fFg2lgsZRoujL0wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAqMSgwJgYDVQQDDB9pbnRfc2VjcDI1NnIxXzI1Ni1y
+b290X3JzYV8yMDQ4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+Pmx
+pgpZrIcE4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0H
+owTqoEqmwKMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
+AQELBQADggEBAATlOxfTmPCizSmYD/VClnBkX2K5IdOrKPKyMzGRUvg0YHe4ECGp
+A7KpFJCuqlQEw4WLXeNQcxYfJ0c1GQYf1jCKtCvH1YJ+weRyM9zQGl6UJ3fgLuXQ
++6/B2Wstmn/NhmbVIEZACpYP2G3ZSAbecWmWzj9JCo4ZdpxUO4LmA+ImW4F+1RHx
+ei6GHWT4hEqgCqjkCie4/hzJtOQtevFKuBHivlRSqV9n1wU15FhvgSLJsYOqerl5
+yN37xJzuqGyZi3oLpOSB8SB9DppYRsvAMnL4JelA3ummSeoG7h+njw28Y/8QLXMw
+TJjfsemcVk4rU/JvaFlmYid+EwYfCyvqv0g=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..44a65ef5a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:root_rsa_2048
+subject:int_secp256r1_256-root_rsa_2048
+subjectKey:secp256r1
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem
new file mode 100644
index 0000000000..c90304e5c6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCARWgAwIBAgIUW1iXUMmgMJ/JO+E9WhN0Trc9G98wCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDIyNHIxXzIyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0AAMD0CHQCaPG/wRttw8lX1L9aYUhzXLbwFIGNPlbZLslJUAhwV
+sSxscxkGoauWMHWSJ/d1DpnSqgRcu5UYZaVh
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..66ebc1b93e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp224r1_224
+subject:int_secp256r1_256-root_secp224r1_224
+issuerKey:secp224r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem
new file mode 100644
index 0000000000..8070ada2dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARWgAwIBAgIUTaVUxZktqQsmYwEXV0tqE4kxslUwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDI1NmsxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0gAMEUCIFuwodUwyOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8d
+AiEAgp9WWDLDZ/Ht8uBK7Tfsh8Q63NGLnYU5ouJTZDEi3RM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..c7e190ab0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256k1_256
+subject:int_secp256r1_256-root_secp256k1_256
+issuerKey:secp256k1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..760c5fade8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbjCCARWgAwIBAgIURS9EXwmJH2cUzWMxz8bTV/BKH2swCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDI1NnIxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0cAMEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDm
+AiAdNj7dCllMk/iATOBGD6PmLfTxh3jhcgQ7iIQdCb5Lpw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..6854d21876
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem
new file mode 100644
index 0000000000..110d810cee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBizCCATKgAwIBAgIUS2z22oddAjnqOtBddcZxdFer3YQwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMzg0cjFfMzg0
+LXJvb3Rfc2VjcDI1NnIxXzI1NjB2MBAGByqGSM49AgEGBSuBBAAiA2IABKFockM2
+K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFTTmqcDAsJyNY5regy
+BuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/dzIN0qm6pzqMdMBsw
+DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgXHVR
+nxMRUM1dit4go7wGMJH/snN1XzFk7P3LQoAKcOYCID4do7E1l0QXK3oJ3piry7Z5
+4hbDvS70BzD7ZKq03jbB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..de8e851981
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp384r1_384-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem
new file mode 100644
index 0000000000..59c181dbd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAUKgAwIBAgIUTzVfvKSTcmX3CJY4Lxg8kPJbUiswDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDE2MIGeMA0G
+CSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7EvuE/dzSmzpRnLZsQ7jY+L5UW6eThM
+5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+0gcWVTSqmQV+R8R+O8ga2m+h4S43
+JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr2175p2aCDE24Vr6j1PByMhPxgdyed0O
+Vdc2mlvdAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
+SIb3DQEBCwUAA4GAAF51n2FsUvuG3BxazbOYfdr70t71rV2p5W1D661K37y1L1VZ
+SZMHBPNz6PUYI0UnvD6UrcmooBxpEzqOa9Vf592KMSU6TzAmZnX1wzcJu2GLQ3/P
+ONUu4KP7+Q+LmQbiW1/1VXYFuLC6Py/GwAKq7ueUoGPcm5aWoiv41n6bCEw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..b0b5ba8e5e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1016
+subject:root_rsa_1016
+issuerKey:rsa1016
+subjectKey:rsa1016
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem
new file mode 100644
index 0000000000..61e94c3697
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2jCCAUOgAwIBAgIUZ6YZgwKszM2uk1okp7DxUOxMZUwwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDI0MIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTqXRAEB66jF35UD5vk161L/6z6+nQ3Fys
+4m+XPKlMvA2cMdZsDAE7zpyC0NSAMo3wX7a815kKUxLdrmFSrW7mHIwb3YZjxovT
+YiSpiCrnjon1Vt/b5vUdphEsv8J8ikkza0Gv23UyG1KySnNE0TSOZGNRpVHHVxzN
+oLj+NfYadQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOBgQDRe6vGacPFx66k4T2SPvTZhEg/oYKEFwkDKdoiLlTzoawJ
+SBc2C2VK4kyo9wa1tFp1O1JcDSIf9FBHLVeSB7Dp4pNV6A5mIBU7QqetWY6vpgz4
+osR4QKpYugduRBY3b8cCmzpF5/uV3K1QZLXm82fudCgG58ke781Ati0w7S13Uw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..09cd420f70
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem
new file mode 100644
index 0000000000..0cc341b1b0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUIWpIxRAOEhE64DCKtC5fpZ734/YwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIyMTEyNzAwMDAwMFoY
+DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8yMDQ4MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAs3abtOFdHZ/Jwe/1VkSuwZb4NfgxqATZ6Nbgpi/aALK77foJ/F4bNUIGKWVW
+0dKfBu0kIB1FvBgrXE5bnHRRGDzDJ+M+zzjQbF8bcSL1TB9fuLf+Aq8BtNDeiBVe
+GnVoxT2AAya/cg9NMqF/gSMpbS1hlMyLpke1KIIugSsjoTgzBnXJ8hq7HOIpj6Kf
+HGu0iVKAwtnojKHvooN5+uvdtLbrrsvdVOCijQaE/oslkne4YR8q38nBEdHHp51R
+36gvyOZrSM7m7HyhqdKoNCTrspfnBOGXVgy5Ok6faOobZmX4z6hIAWwWsTdkhBm2
+66PZwUy4Cu7h3LUEVuLPUBZ1Ww==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..cebc2f8e6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec
@@ -0,0 +1,4 @@
+issuer:root_rsa_2048
+subject:root_rsa_2048
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem
new file mode 100644
index 0000000000..f5acfdb23c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBSTCB96ADAgECAhQDuwrIpREBhWT/b35NNn/sP3wr0DAKBggqhkjOPQQDAjAd
+MRswGQYDVQQDDBJyb290X3NlY3AyMjRyMV8yMjQwIhgPMjAyMjExMjcwMDAwMDBa
+GA8yMDI1MDIwNDAwMDAwMFowHTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0
+ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjstjfwjoyG
+u/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHqMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDQQAwPgIdAJo8b/BG23DyVfUv1phS
+HNctvAUgY0+VtkuyUlQCHQDE8b0Hyb/ZrhHsDl6KzWmYWipHsIZ277B/SCc8
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..31370f6f73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp224r1_224
+subject:root_secp224r1_224
+issuerKey:secp224r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem
new file mode 100644
index 0000000000..b832184280
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWTCCAQCgAwIBAgIUBQ7osp071QhcXj7jOKYaTwutV7AwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NmsxXzI1
+NjBWMBAGByqGSM49AgEGBSuBBAAKA0IABDXufHKJ2P73qGr+XaZti8LrtqhUP9L+
+rQifRc56zQ+mQ4KpUAxB2tdw/9S1Eb9LSS6xI4gAwyxPdsc6PzKU58WjHTAbMAwG
+A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIFuwodUw
+yOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8dAiAcTVj8WVX3Ga2H8BxG5TBr+rJa
+09SnnEO2fT9ACJ2T7A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..c78aa61bba
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256k1_256
+subject:root_secp256k1_256
+issuerKey:secp256k1
+subjectKey:secp256k1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem
new file mode 100644
index 0000000000..b91e1b90d3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXDCCAQOgAwIBAgIUVWrLLxRocoe0xCDWzuvEcsBY8DAwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw
+WhgPMjAyNTAyMDQwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NnIxXzI1
+NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtC
+Pjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjHTAb
+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIFx1
+UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiAfwQsVcY6j3YucVSkIANsF
+k1/ckpod6ltqXGtH7If0eQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..4447fc4b47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev.js b/security/manager/ssl/tests/unit/test_keysize_ev.js
new file mode 100644
index 0000000000..8e0edd7851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -0,0 +1,169 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that RSA certs with key sizes below 2048 bits when verifying for EV
+// are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+ let expectedPaths = expectedCertNames.slice();
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_keysize_ev/",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function loadCert(certName, trustString) {
+ let certFilename = "test_keysize_ev/" + certName + ".pem";
+ addCertFromFile(certDB, certFilename, trustString);
+ return constructCertFromFile(certFilename);
+}
+
+/**
+ * Asynchronously runs a single EV key size test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ * An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ * The file name of the root cert. Can begin with ".." to reference
+ * certs in folders other than "test_keysize_ev/".
+ * @param {Array} intCertFileNames
+ * An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ * The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ * Whether the chain is expected to validate as EV.
+ */
+async function keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootCertFileName,
+ intCertFileNames,
+ endEntityCertFileName,
+ expectedResult
+) {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+ loadCert(rootCertFileName, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(intCertFileName, ",,");
+ }
+ await checkEVStatus(
+ certDB,
+ constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
+ certificateUsageSSLServer,
+ expectedResult
+ );
+
+ await stopOCSPResponder(ocspResponder);
+}
+
+/**
+ * For debug builds which have the test EV roots compiled in, checks RSA chains
+ * which contain certs with key sizes adequate for EV are validated as such,
+ * while chains that contain any cert with an inadequate key size fail EV and
+ * validate as DV.
+ * For opt builds which don't have the test EV roots compiled in, checks that
+ * none of the chains validate as EV.
+ *
+ * Note: This function assumes that the key size requirements for EV are greater
+ * than the requirements for DV.
+ *
+ * @param {number} inadequateKeySize
+ * The inadequate key size of the generated certs.
+ * @param {number} adequateKeySize
+ * The adequate key size of the generated certs.
+ */
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
+ // Reuse the existing test RSA EV root
+ let rootOKCertFileName = "../test_ev_certs/evroot";
+ let rootOKName = "evroot";
+ let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
+ let intOKName = "ev_int_rsa_" + adequateKeySize;
+ let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
+ let eeOKName = "ev_ee_rsa_" + adequateKeySize;
+ let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
+
+ // Chain with certs that have adequate sizes for EV and DV
+ // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
+ // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
+ // in such a build.
+ let intFullName = intOKName + "-" + rootOKName;
+ let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
+ let expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ gEVExpected
+ );
+
+ // Chain with a root cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intOKName + "-" + rootNotOKName;
+ eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootNotOKName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+
+ // Chain with an intermediate cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intNotOKName + "-" + rootOKName;
+ eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+
+ // Chain with an end entity cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intOKName + "-" + rootOKName;
+ eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+}
+
+add_task(async function () {
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ let smallKeyEVRoot = constructCertFromFile(
+ "test_keysize_ev/ev_root_rsa_2040.pem"
+ );
+ equal(
+ smallKeyEVRoot.sha256Fingerprint,
+ "40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" +
+ "7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68",
+ "test sanity check: the small-key EV root must have the same " +
+ "fingerprint as the corresponding entry in ExtendedValidation.cpp"
+ );
+
+ await checkRSAChains(2040, 2048);
+});
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..dcc59c2280
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIUTSkBrJBpb/fEUqw5bdNPB+G9woAwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0MC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBITANBgkqhkiG9w0BAQEFAAOC
+AQ4AMIIBCQKCAQAAusBlL9+8AFWIL/uurO7Ij6LQg8KX3V1AZk3T2Q9S+aoCvYpQ
++6FuD9mRh470dfmzUNn44+sqvXF84yewl4hTHxPfjj5OO51ha7ikHlMG7tJHIWMW
+EFEYASdqTrZvBzMbXLyLyucBao+bPU8qxFU8Ykz1JjvLNI6IQN5mEocJYKeSGRsT
+j7IX92XOx7/46U8Ws5QZv3UExZp+T3m9bRc+nHvz2dKk5zzBgLBZCnPVhPt/ybVP
+pURgflP8aFx6Vf1EqB1BQravUepvps6lKWWi6MXYTzygJNb7ubAFuWUc5dny7PQO
+1ASYGp/8AmNuMRsJXGMyoMh9w5JxtVUUgXdLAgMBAAGjgYQwgYEwXgYIKwYBBQUH
+AQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv
+ZXZfZWVfcnNhXzIwNDAtZXZfaW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgw
+FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEBAI3iCTNz
+L6AN2BaWEDQLo9L8mDJafEUvBCCYCx/RhVYYOGHS7ylFuBFXWH2BC42kMatlXGoQ
+bTNZdSC8izP2qrVCVkzN08qn7x6qZdFKXQYhSWN8LbUFjfuyh+jSlhFvvHHdUjJN
+CKPzkiCKJ8jI4jI9UhjnvQrBkVqk+IjJyGim7bhOR5iXnJyTuU88wuoFxq8PJOm+
+/OVyeB5vOkPWCbm7x7JCKEEI1u+T8nzOT3kIXiCDf2k6plZc2YsDZh8UFjfPjPGK
++RmjWogr9kD9XosXqN4vmTP08Jl53JC46Dp4zI5DXVgXVCSErMNA7B+fOGIawFdN
+BsjNCLU5fHoX1Fc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..e64c651bc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_rsa_2048-evroot
+subject:ev_ee_rsa_2040-ev_int_rsa_2048-evroot
+subjectKey:rsa2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2040-ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem
new file mode 100644
index 0000000000..df01d85b19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAlCgAwIBAgIUB0wU6BcJZhQGej2MhMEedgtSjykwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQwLWV2cm9vdDAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0OC1ldl9pbnRfcnNhXzIwNDAtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF
+BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0MC1ldnJvb3QvMB8GA1UdIAQY
+MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAAAjfRe3
+ak4M2phW7vpJyqdVUEMR0Gi/IloeFKQhbWgh7Y0aOuDjdt1N8w1ekz5QSo9Bdh6s
+JdGyEQZ7y5kx15fMxOXoLDAQp9H8BzzHYG86PToFOkZoDTdtPdM/P5Z7RpxJtmsR
+ES9geRRyClQUX4wrmmrY9TG394r19Ef9X7xit/XCsZcbNDZnPytua/NPvxIG1x/n
+e5YWqc3iCQt/mkkxSfpT7F94vQxwGGalZkYWWFPkPFoGCtl4g/QBIswNL5OPpwIF
+gezsYSGa66hTWx0M9HHiKBMjGpr6gAlC8dqcNw0zdDpe+HZVt2Uq8k4yMs1nI2Al
+PrSwsIRRvJIBkNg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec
new file mode 100644
index 0000000000..0b7bfd4269
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_rsa_2040-evroot
+subject:ev_ee_rsa_2048-ev_int_rsa_2040-evroot
+issuerKey:rsa2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2040-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..e0219db774
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhjCCAm6gAwIBAgIUMXunKFi5PVKB3hVeGO/F2Op2jSIwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw
+IhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowOjE4MDYGA1UEAwwv
+ZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjgY4wgYswaAYIKwYBBQUHAQEEXDBaMFgGCCsGAQUFBzABhkxodHRwOi8v
+d3d3LmV4YW1wbGUuY29tOjg4ODgvZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8y
+MDQ4LWV2X3Jvb3RfcnNhXzIwNDAvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqF
+GgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQAf7z//TELvrw9Nf3Jf5fdzDUXkyA1C
+8eYMWWcG4y3y3jHu5nySIfVFaUhoIrIp90AD6nIUC4uQRwk/6aZ3SaUNcEyJpTJN
+iN+BSmYheNsylv2jGACAQ051WACgEGM41HhyVB0so4g3E9fn9Tx6mKqjjPfMFSWJ
+Qb4SnpaU4rl6SvRxBSZCyjnKe6YqucEZC7yK96idz7Ojoc32R0LNDGmHz9yNkeOa
+UYgBjuRskp8BzCTwVFp0b8CjKuk+Pi+SCdHzfZSfB/nq9jbXXTr12gKFc1TddHm0
+OqepOw+FHw6KP2sC/Gi48dhaQ0JhJMXh4L+mzN4y/yKQk4el7Vt3EMW7
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..a36acf887d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ev_int_rsa_2048-ev_root_rsa_2040
+subject:ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..a73322ea2b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUa6BUN5nAAXXD0ZHZ3A9BLD3gA9IwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIyMTEy
+NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0OC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF
+BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0OC1ldnJvb3QvMB8GA1UdIAQY
+MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQAHplEg
+IBXFi86lVPIhmqQj7qcsG+CB0TE1hvG14Q4vmowoSrkykuCD2x6BAhmpOhCCzrQ/
+Cqy1Km9BBYvAAG/kyXnQF493+FarP+UN39kzzkZoV4nk55klSgIKXOxIetSaivq0
+kfDsHwXtZN/RguDqL3IAq4hcQg166VMNIauaNl1/7GHiTWFEqFGwfOz8AzJoI4Zy
+GZHpt31edApGeknwUUd88hDENSxatpt1Ik4watIFu6/QARwxS/Lvyg7Qgasb7S/k
+XEfVqYufRb06hHn/ku3Kkdoewiym8hfmB5ab15UhMYTk2ZqAIsyqPxOqzazNqelG
+cjcuNOFHvSTf0And
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..0b34be6db8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ev_int_rsa_2048-evroot
+subject:ev_ee_rsa_2048-ev_int_rsa_2048-evroot
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem
new file mode 100644
index 0000000000..013025037a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIUUS1yMHrNTB04yhzfgIRlUXAJ1RYwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0MC1ldnJvb3QwggEh
+MA0GCSqGSIb3DQEBAQUAA4IBDgAwggEJAoIBAAC6wGUv37wAVYgv+66s7siPotCD
+wpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzjJ7CXiFMfE9+O
+Pk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9TyrEVTxiTPUm
+O8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5Peb1tFz6ce/PZ
+0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+mzqUpZaLoxdhP
+PKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1VRSBd0sCAwEA
+AaOBkDCBjTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD
+MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ldl9p
+bnRfcnNhXzIwNDAtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoB
+g3QJATANBgkqhkiG9w0BAQsFAAOCAQEABBbmTESafgC0V/hHzhWyyJW1Tyj+MshG
+oAS+IGmK/ImxQDL6Q91arnEOxThBuhFbm6ZjG8HGu+KAa+XudoCMN2RHQQzzVEIn
+Oewbk/UmjS8fZ88JI9WxUByOxo1CtWCe3XqjInVevzzcpTxHIAuhUjQD/CvHzeFl
+pv/6snWb9g4QMdro4FjMjl8qBmm3jwh5wjcDBiMzSbtSUAfF8dcH2haLfQdD+A+T
+xxS6JWOMZFR8xQeUPlgqMiKpHZCewVLzZU4HEyUWo1Tc9aaf97T6v0UnDhVSof6/
+Bqavy3XEpi50FD+H5XQUa0ZIoH3D7UmuCRNzjWCmPUyTWosNE4Ghrg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec
new file mode 100644
index 0000000000..80be711742
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_rsa_2040-evroot
+issuerKey:ev
+subjectKey:rsa2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2040-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
new file mode 100644
index 0000000000..63b267865f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEtwIBADANBgkqhkiG9w0BAQEFAASCBKEwggSdAgEAAoIBAAC6wGUv37wAVYgv
++66s7siPotCDwpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzj
+J7CXiFMfE9+OPk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9
+TyrEVTxiTPUmO8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5P
+eb1tFz6ce/PZ0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+m
+zqUpZaLoxdhPPKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1
+VRSBd0sCAwEAAQKB/2A9smffl1VcvthrjfNVA0ryjx638+eCnSObzCc6fHppoQvo
+8h8bbEsCxrrjcxwxWLW7/0YF9Xq3t7Kgy6LsAFottbHqbgrO6lvHRdzS0OnWuA1+
+sOorwIEnvONfpQxCzEEYcbpZHiO6ajhISjPv8TR/kH7ppakqIxG7C0NVEAIPeOO7
+AAmdtNEYKSgJZQX8uoTzyhI4/R66XuofORu7zFQksWgGP8F+HKbhkSzLpE+dApIw
+ih/tuAYSUps59Z0KP4GAtbogETIZf5OlgV3tk43459k8mxV2ZYjzObtZEAr9pJSn
+5FLX3UyaGc4uw6M6GLIPC02t4XK+4Z8m8Ny+QQKBgA7Dhpy5LUBsrd96MZqylEi8
+UFoFkTcHhzNh/FuYakmftl7rgVp+N2h9GfEoCHKJ2buIGOe8ylAsSQCtmuzhF5vh
+L/PkZ9YG/IIOqPB6yev/4iNuOBaEEgKIIj5C2+aN/ZcqhaZEflFpXyNNp5EcZ8mr
+lTHzPfO5lDLU7ojJpO+7AoGADKY5NFSehf6sjg9WBDA/0YSf6Ir0t/fhITKDu8ei
+wqUJ+Sc8Qoxo3j25PmFF8bQAvW1KJiYU6QQ602LU66SmuZU5nIk0o5mRIZnoQdjo
+2/8EifaeZjeWcwspgFMLMctwaVohYl6irczAnZMFFvqHIhGpHiLdif2et9qFdLci
+NbECgYANfTp14X9l+KZYpIXECVwQpPZpeeK3O8qc+O8hJT4frKxtR5H1g5LOhlb4
+jxJAzJDCllPjEAxtejjtRLFjsznl87bjiRISbGmzzv8uUZJCbZZJtv/KGrt10rou
+1tmiaqODxZc9ViFv8u25DM+Id0Kg8YOskslM8YdldkXHdy2a1wKBgAP1UBlMEX8k
+vqKFsgkFgDL0KYX/Vazr6IsW35o3UntOYdyRpo28mmRRNFKM5fJIvaKJPJbLe+ee
+5zmWx8Ild/bC95BAbzRyrbOyEbfpRJTzLFxvzAl4g5/kckwxsGMYokiVZ7T8oDN6
+yxuEEieqpfbHSACiMGkp8CzgOLrZQ99BAoGACAp9v6jCWEgUxxZkxW62LOTK8Wr+
+iNRJkVnWdHdKOj7N3xJWwC/JFSXFJ2kkItCrqU5cQe4S3HG7Zvhnn6F+CW8oCAhR
+ugRusxiFwUFOiYWt5ZnZB68XRT0cyuosDQZEP4Nnpr4VSxJeOQ7g2Q90bwiAHdP1
+Nn9Z+6LlpnwF83U=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec
new file mode 100644
index 0000000000..f488e73a94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec
@@ -0,0 +1 @@
+rsa2040
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..a824f21311
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlugAwIBAgIUe6r7oOZeGvPiCQzyYHzmsN2cCdAwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjArMSkwJwYDVQQDDCBldl9pbnRfcnNhXzIwNDgt
+ZXZfcm9vdF9yc2FfMjA0MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBmjCBlzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUHMAGGPWh0dHA6Ly93d3cu
+ZXhhbXBsZS5jb206ODg4OC9ldl9pbnRfcnNhXzIwNDgtZXZfcm9vdF9yc2FfMjA0
+MC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQEL
+BQADggEAAHWhcLzQZ2yiJ1PWSYbzoVhsUieDET0ozszavQNKffv8u5reGrGk82WR
+KhGpm6xsQFejGaSchbTS/hERtJb1kiJl632f4HFMv0bbL4+D/E0nu0o0PJ6jnHGx
+mMMP8SwEA8Gc/kimeu4wGZRGBqDyI6vCCog7sA/8Kcf8txdHfQgpZOfchf2+M8r9
+GfRQOR0+tc15/D4teI/Vzt0Hawxp+FWQyGJdHC6AvpHycmS4ZzBqeHloh4KQCckv
+ogUyG9ZsIPertJxv+pzpG5zJOjq/bJ14XpoLLLOSHYGlRFbPffdXbpC2ZjyW9aqQ
+lpP67r/PylcApVEsp99Q/nSVahn3dw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..5bc5674b2c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_int_rsa_2048-ev_root_rsa_2040
+issuerKey:evRSA2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..2cb67ec509
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIUZUWg4gjvMyq7pPVHIL3dTjVIH78wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy
+MDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0OC1ldnJvb3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAGjgZAwgY0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEE
+QzBBMD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvZXZf
+aW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUa
+AYN0CQEwDQYJKoZIhvcNAQELBQADggEBAAidI0skeWsWFGYlGGuICCBsFtZI7amL
+toBgLMMImP7qeJvn3wqgMHeWc2o0RKGn6HGCLwHFL6QbULufi/LMv9U/rZzzX4uT
+w4ao9w+ELEUWNuTnFafpVRJ4k5LsO/mhVHi8D8V9WCx5EzhHygLe2YSitmAct+jI
+tLNLSov/04w0erI6QkERTROxVDVRQ0otpxtLJiqbpJv+GSgijyBH5uBe7I87hZ0B
+Jsk70eXlyt2lXUULxuIAsUzo4PcOf+ytZkrGwRbGVDmfiLCDH5BMTEsWRu3kMg/1
+iK6TTQa6kHXwpmr2cYDBgy8MjB2QTX/BSQJRHXtXCQ6GGfmzqbUu1Ck=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..a0cb6250dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:ev_int_rsa_2048-evroot
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
new file mode 100644
index 0000000000..bcd996ab23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEuQIBADANBgkqhkiG9w0BAQEFAASCBKMwggSfAgEAAoIBAADKcCDcIV9XkU00
+P65KAVERaXr5l6Xs6RhmSZ/CPxuIoRjL0wsQ2Rx7mg1O6JcvyuVsr1fyX8EnWipN
+vLmCQowy71h78jh0EDMKD/sWuAKb14OWnvZ19t44wY9nGTy2wHL4sj0LM3QRJiel
+e5AFV3HZ5iYD9TeI1/Y6+nJPXRCAlt8x+J8msetffENXmA4Aj81V2CfdJiOVyi9S
+ageJfMQMWTs4cW68DKpZZxnG8prJtzp6lEdIo6o+CenrTUYeoAJ+VAkmYUcoudJD
+l1z5oFQb79JedrUflREQsOdkT8fjhEF5G20iJzhMuABOIzQjcrHPXMPnPjG3u++h
+YOaGLrsCAwEAAQKCAQAAstt0vOkjYqv3KVWmOK6HILowM7t/lxyvORiNdULqocGr
+tdIFseIRH0eRwIkRouFB6M/XBUcC0jEAtWQsBuGjGxGK/R+aLzlsztQlxQHZFDXK
+hlZ2bO0rk7u4Zp/Om6zXJ9Hayz2vq8MpPjU4nu+OoLWOGusaIOamH5/NRT91Z/4x
+0SO2FqJv703x1sn3SQER0Cju/R2XIEWxokInPdemfr8RHbJ0GlqTx7IonMSiNvWp
+mm7HqCBv2uHB0EvbsZgNSimMWhfa5BhkdKX3g12IK87ySu9O1vFJ+U2WyffXjmR/
+x3ipAX/yCNO0oXaLGCFiECzasDL6u6s41SAKMkZJAoGADzhE0NTU1qIazXam/DcL
+hVDh1+xaYjQXLnkPACmuZR9tXFkzCrGYArnXogfeeh+3eON3T9vcQRdQYz2NGz/g
+dQBv/P0dEOdjx6kifS1fDC2t4cnmWcNQoVnTa7mG8SY21PmUKyiLwP4h2oeZR3Fz
+FEJJyi44nmxcJap4yMrX1N8CgYANTQvt0ZYvB6Hq1rI6TtZ66vEnDwUqbSm6B0lF
+xjYaXE+PB7+FngZ67T9ObjI+8qqKas00CwvcfP5P0ynjyX+HDH93NXksaqnQ9+dU
+KijtbwGw5VorjZwkplxtoxTJVIT1x8OVSoG7AWsH7RfumwYDlpW8oFmnn43CQj0y
+jVJlpQKBgAnymi/wW+ipbWFLoxsIk1QgqGxrxCuZpmkuoNpXY/AeWWlZt93Oc++c
+Lk9uW0BxCIdQDUS6DDzTEyy6J0dfOcLfdVLi0SOiSXpPlwZAKHaaSKNiRlf3K/U5
+89DeI0/szTvooKqQxr9umwvtQwcKJNBh/z7RdRo+8v9/a5C529X7AoGAAaZZ4XDK
+wSCgO+HPj53xyqNTsDWTvXR25YU72HTChziGAcbDQc6dHShKXu8aOmadMrgWpers
+2LeET+BwZLm8oMKzGNVAJ3s/fxUQ04a7NuA7BHceXSKeiIk+E7dTv7lFGLtjjiQE
+vW5qmTwWaNk/wLgv8IqvNDR9P+g5cQjIfKUCgYAEAlfA1KIcC5hDKXxlZS22YwT7
+Jjdz1yi2q/oG03rAymLGKAI+CeN9wKkB5M4SJBgOJYKjqktqGnuY4r1wB3rsFKyK
+tmp1XHHg/BAkcfm7wbRqlaoLZF8sOOdkUCiWGeo/XormEDe//PgknyKqTnbioBkJ
+8/6ykM6T7fV7EOvnlg==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec
new file mode 100644
index 0000000000..a85e16858b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec
@@ -0,0 +1 @@
+evRSA2040
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..fe3abd78a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcygAwIBAgIUJ7nCMgtzNcSPG7jAh3CWzlTGHQgwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDE1MDEwMTAwMDAw
+MFoYDzIwMzUwMTAxMDAwMDAwWjAbMRkwFwYDVQQDDBBldl9yb290X3JzYV8yMDQw
+MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAAynAg3CFfV5FNND+uSgFR
+EWl6+Zel7OkYZkmfwj8biKEYy9MLENkce5oNTuiXL8rlbK9X8l/BJ1oqTby5gkKM
+Mu9Ye/I4dBAzCg/7FrgCm9eDlp72dfbeOMGPZxk8tsBy+LI9CzN0ESYnpXuQBVdx
+2eYmA/U3iNf2OvpyT10QgJbfMfifJrHrX3xDV5gOAI/NVdgn3SYjlcovUmoHiXzE
+DFk7OHFuvAyqWWcZxvKaybc6epRHSKOqPgnp601GHqACflQJJmFHKLnSQ5dc+aBU
+G+/SXna1H5URELDnZE/H44RBeRttIic4TLgATiM0I3Kxz1zD5z4xt7vvoWDmhi67
+AgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
+CwUAA4IBAAA/4/YVyeRLPr05Uw5j0JOCx5WNUv2HxemfvTZgF4QEg4vDt8ba3VDR
+Xj3Z8hiGYG+s2Wz4k+82wCNRTglm3iutCJ/LbwOAZIa8dFyQUa03EssS0BBvVNhx
+uu6+kYMqGteIX5Q94daqZe+0KM9xKbydNCQJKSMD8IV1YHKvotF91MFQHDdnVAZX
+anpqDnw0j4YGknFHA1i++0GZC0aWxhRn6Epfza+bYCVogC5BviY6xYIg2kZE8kII
+msQ6iUrKQ2OV7HmZ03BdpsGADorycyJ/wRGR3xDDg8RYUur80jU/D0eBq8BX1md8
+Rc+IyDmcFcs7hYRUaJAoxuLPvQ+/vy4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..fd1ade8dea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_root_rsa_2040
+issuerKey:evRSA2040
+subjectKey:evRSA2040
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_logoutAndTeardown.js b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
new file mode 100644
index 0000000000..1582978398
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
@@ -0,0 +1,192 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+"use strict";
+
+// This test ensures that in-progress https connections are cancelled when the
+// user logs out of a PKCS#11 token.
+
+// Get a profile directory and ensure PSM initializes NSS.
+do_get_profile();
+Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+
+function getTestServerCertificate() {
+ const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ const certFile = do_get_file("test_certDB_import/encrypted_with_aes.p12");
+ certDB.importPKCS12File(certFile, "password");
+ for (const cert of certDB.getCerts()) {
+ if (cert.commonName == "John Doe") {
+ return cert;
+ }
+ }
+ return null;
+}
+
+class InputStreamCallback {
+ constructor(output) {
+ this.output = output;
+ this.stopped = false;
+ }
+
+ onInputStreamReady(stream) {
+ info("input stream ready");
+ if (this.stopped) {
+ info("input stream callback stopped - bailing");
+ return;
+ }
+ let available = 0;
+ try {
+ available = stream.available();
+ } catch (e) {
+ // onInputStreamReady may fire when the stream has been closed.
+ equal(
+ e.result,
+ Cr.NS_BASE_STREAM_CLOSED,
+ "error should be NS_BASE_STREAM_CLOSED"
+ );
+ }
+ if (available > 0) {
+ let request = NetUtil.readInputStreamToString(stream, available, {
+ charset: "utf8",
+ });
+ ok(
+ request.startsWith("GET / HTTP/1.1\r\n"),
+ "Should get a simple GET / HTTP/1.1 request"
+ );
+ let response = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n";
+ this.output.write(response, response.length);
+ // Keep writing a response until the client disconnects due to the
+ // logoutAndTeardown. If the client never disconnects, the test will time
+ // out, indicating a bug.
+ while (true) {
+ this.output.write("a", 1);
+ }
+ }
+ this.output.close();
+ info("done with input stream ready");
+ }
+
+ stop() {
+ this.stopped = true;
+ this.output.close();
+ }
+}
+
+class TLSServerSecurityObserver {
+ constructor(input, output) {
+ this.input = input;
+ this.output = output;
+ this.callbacks = [];
+ this.stopped = false;
+ }
+
+ onHandshakeDone(socket, status) {
+ info("TLS handshake done");
+ info(`TLS version used: ${status.tlsVersionUsed}`);
+
+ if (this.stopped) {
+ info("handshake done callback stopped - bailing");
+ return;
+ }
+
+ let callback = new InputStreamCallback(this.output);
+ this.callbacks.push(callback);
+ this.input.asyncWait(callback, 0, 0, Services.tm.currentThread);
+
+ // We've set up everything needed for a successful request/response,
+ // but calling logoutAndTeardown should cause the request to be cancelled.
+ Cc["@mozilla.org/security/sdr;1"]
+ .getService(Ci.nsISecretDecoderRing)
+ .logoutAndTeardown();
+ }
+
+ stop() {
+ this.stopped = true;
+ this.input.close();
+ this.output.close();
+ this.callbacks.forEach(callback => {
+ callback.stop();
+ });
+ }
+}
+
+class ServerSocketListener {
+ constructor() {
+ this.securityObservers = [];
+ }
+
+ onSocketAccepted(socket, transport) {
+ info("accepted TLS client connection");
+ let connectionInfo = transport.securityCallbacks.getInterface(
+ Ci.nsITLSServerConnectionInfo
+ );
+ let input = transport.openInputStream(0, 0, 0);
+ let output = transport.openOutputStream(0, 0, 0);
+ let securityObserver = new TLSServerSecurityObserver(input, output);
+ this.securityObservers.push(securityObserver);
+ connectionInfo.setSecurityObserver(securityObserver);
+ }
+
+ // For some reason we get input stream callback events after we've stopped
+ // listening, so this ensures we just drop those events.
+ onStopListening() {
+ info("onStopListening");
+ this.securityObservers.forEach(observer => {
+ observer.stop();
+ });
+ }
+}
+
+function getStartedServer(cert) {
+ let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"].createInstance(
+ Ci.nsITLSServerSocket
+ );
+ tlsServer.init(-1, true, -1);
+ tlsServer.serverCert = cert;
+ tlsServer.setSessionTickets(false);
+ tlsServer.asyncListen(new ServerSocketListener());
+ return tlsServer;
+}
+
+const hostname = "example.com";
+
+function storeCertOverride(port, cert) {
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.rememberValidityOverride(hostname, port, {}, cert, true);
+}
+
+function startClient(port) {
+ let req = new XMLHttpRequest();
+ req.open("GET", `https://${hostname}:${port}`);
+ return new Promise((resolve, reject) => {
+ req.onload = () => {
+ ok(false, "should not have gotten load event");
+ resolve();
+ };
+ req.onerror = () => {
+ ok(true, "should have gotten an error");
+ resolve();
+ };
+
+ req.send();
+ });
+}
+
+add_task(async function () {
+ Services.prefs.setCharPref("network.dns.localDomains", hostname);
+ let cert = getTestServerCertificate();
+
+ let server = getStartedServer(cert);
+ storeCertOverride(server.port, cert);
+ await startClient(server.port);
+ server.close();
+});
+
+registerCleanupFunction(function () {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+});
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate.js b/security/manager/ssl/tests/unit/test_missing_intermediate.js
new file mode 100644
index 0000000000..2a723b2a0f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate.js
@@ -0,0 +1,92 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that if a server does not send a complete certificate chain, we can
+// make use of cached intermediates to build a trust path.
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+registerCleanupFunction(() => {
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ let args = ["-D", "-n", "manually-added-missing-intermediate"];
+ run_certutil_on_directory(certDir.path, args, false);
+});
+
+function run_test() {
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ // If we don't know about the intermediate, we'll get an unknown issuer error.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ // Make BadCertAndPinningServer aware of the intermediate.
+ add_test(() => {
+ let args = [
+ "-A",
+ "-n",
+ "manually-added-missing-intermediate",
+ "-i",
+ "test_missing_intermediate/missing-intermediate.pem",
+ "-a",
+ "-t",
+ ",,",
+ ];
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ run_certutil_on_directory(certDir.path, args);
+ run_next_test();
+ });
+
+ // We have to start observing the topic before there's a chance it gets
+ // emitted.
+ add_test(() => {
+ TestUtils.topicObserved("psm:intermediate-certs-cached").then(
+ subjectAndData => {
+ Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+ Assert.equal(subjectAndData[1], "1", `expecting "1" cert imported`);
+ run_next_test();
+ }
+ );
+ run_next_test();
+ });
+ // Connect and cache the intermediate.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // Add a dummy test so that the only way we advance from here is by observing
+ // "psm:intermediate-certs-cached".
+ add_test(() => {});
+
+ // Delete the intermediate on the server again.
+ add_test(() => {
+ clearSessionCache();
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ let args = ["-D", "-n", "manually-added-missing-intermediate"];
+ run_certutil_on_directory(certDir.path, args);
+ run_next_test();
+ });
+
+ // Since we cached the intermediate in gecko, this should succeed.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem
new file mode 100644
index 0000000000..f2eecbab1f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUazqLAdtIsDInWymsEwlRNZZIqaswDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRNaXNzaW5nIEludGVybWVkaWF0ZTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQAD
+ggEBAFOZmlCxzl9bxbyKxNOmf/Py63gdJlo610PaEBlNynRVjYciA8HrthfzMNhS
+eHYVuHr7Q6ZLhRunz10WuB35iMQ8xKkzs4rsRqNmHElTU/AKm44W7oPUE7yGP3dN
+7u1FINDJDB6CPDEDK7iFSUrp++et7vFKH7KHPhCYQdsYvV/MqrnvasR6oAS0ii2q
+R7I/6I3cnsCywvAyy1w4dBUjrn93Kh7NdR0efyjb7EKUNhoL2IhnWB+yuNvMdGMs
+zmMNjDYXQELyv6DVsh8HQxIyXtzXtglBwPrWXl9/uZ9fxZt0U7T/HoH752f54zPk
+HHynrNyUqfvh9AI3Tt0IAbT479c=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec
new file mode 100644
index 0000000000..c21e757449
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Missing Intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_name_constraints.js b/security/manager/ssl/tests/unit/test_name_constraints.js
new file mode 100644
index 0000000000..ab38b96a31
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -0,0 +1,71 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// This test tests two specific items:
+// 1. Are name constraints properly enforced across the entire constructed
+// certificate chain? This makes use of a certificate hierarchy like so:
+// - (trusted) root CA with permitted subtree dNSName example.com
+// - intermediate CA with permitted subtree dNSName example.org
+// a. end-entity with dNSNames example.com and example.org
+// (the first entry is allowed by the root but not by the intermediate,
+// and the second entry is allowed by the intermediate but not by the
+// root)
+// b. end-entity with dNSName example.com (not allowed by the intermediate)
+// c. end-entity with dNSName examle.org (not allowed by the root)
+// d. end-entity with dNSName example.test (not allowed by either)
+// All of these cases should fail to verify with the error that the
+// end-entity is not in the name space permitted by the hierarchy.
+//
+// 2. Are externally-imposed name constraints properly enforced? This makes use
+// of a certificate hierarchy rooted by a certificate with the same DN as an
+// existing hierarchy that has externally-imposed name constraints (DCISS).
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(name) {
+ return constructCertFromFile(`test_name_constraints/${name}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString);
+}
+
+function checkCertNotInNameSpace(cert) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
+ certificateUsageSSLServer
+ );
+}
+
+function checkCertInNameSpace(cert) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+}
+
+add_task(async function () {
+ // Test that name constraints from the entire certificate chain are enforced.
+ loadCertWithTrust("ca-example-com-permitted", "CTu,,");
+ loadCertWithTrust("int-example-org-permitted", ",,");
+ await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-com"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-org"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-test"));
+
+ // Test that externally-imposed name constraints are enforced (DCISS tests).
+ loadCertWithTrust("dciss", "CTu,,");
+ await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
+ await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
+});
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem
new file mode 100644
index 0000000000..4711aeb52f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUI6mWkP5zTmykASccGMuIZiel5n8wDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEExCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRcwFQYDVQQDDA5mb28uZXhhbXBsZS5m
+cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAPQS0MUvn+KrIt/nliEzDqwAGSBZX
+w/hfssEDGf/8EJxMk8UwM1j0LvLu72DySFOlBP5rMsEBlk8EDgMgVwKl/OlBDSCT
+PQQh9ul2wqTTJzJy5sxn+PbuJDy321UCRZRQMBtQs3NcKgKpHsHTU8R7qOrzv0JH
+dhSo+BHdmovkzRuk24Y3mv/TMsKicXfB139VaxNiv62wMV+Zl11p5054IVEOKqqQ
+E7HnMcyS47AudLDDuVfxALei1IHnRgI8l+AfAWzTFdC7eGq18V+lwZFkKiCvFzVA
+K1Jbx8CpyhANAajcOBTVXMWlANKN/1coY7A5tBsXJqWM2FTN12Z6hxJjow==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
new file mode 100644
index 0000000000..1a02a0cc1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.fr
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem
new file mode 100644
index 0000000000..ddb7b31b5e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIUE8HP5mMfdClk3WBDRkQK+NpLT5cwDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEIxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRgwFgYDVQQDDA9mb28uZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAANzAGVYkRHPSSlBPcL63aR2OhhL
+kkQSn4UbmBVzxH+qNeMD+RjYS421P5fwScKrALUoNxPCV8H1fY1lFTuso6Cdn1th
+QoVLWSgad9v+fZ2uJJlf0hWFMRdBrYKIhM68Y7cXfcDwCqLEr7c9/lVsBmVdVAqY
+EHPqDmDnVToC3XKgMXuVol5z8yu4Ki70HMODqdJP1KRP8k45xLn6eeInd8J/hWEe
+zbeHk5GBoRMcuDBrHyxBZrtgUPCvc+20ymN/E5cCGkjGtUUF6e5oOJ3zNaQwVAAI
+7A3Dfj3Pvltbg9GKHCODVcGhVt9RtJvZMYwdhkLhMsZ8EvFFJmDUFVcq4/o=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
new file mode 100644
index 0000000000..eabee87e83
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem
new file mode 100644
index 0000000000..abd537d98a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfmgAwIBAgIUa+D7Ru/tv4BIrp5R02ihNjlBjNQwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjIx
+MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGNhLWV4YW1w
+bGUtY29tLXBlcm1pdHRlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM5MDcwDAYDVR0TBAUwAwEB/zALBgNVHQ8E
+BAMCAQYwGgYDVR0eBBMwEaAPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUA
+A4IBAQByx4nIC7QJZvN1JknJSZdm/AiD1WwQ7kKNnpVnj4iv+PexpTXjn+DjNgqi
+neKI8QUFA6m6tkNju61/SUHXEi/e6GagnpKqXrZLcmdnm0tXYBxE8FQiA/xc1joe
+IOGV8iPmGfaqNFoIBEk3TzagzCggXr14Wa0V7CWI4hS0O9BwEgiwW6JS0tqxwIs2
+2YhBWXKIC5T10+q7HewJClSq9sQO2DMSdVzk56lhabh0q5HSopC6C4IG31Tvn8kB
+65/7vyuiZc+d8Qrs6FiYuTx5kNxgZk6EGybeIGsO8hC9SkIapO/fceJR/ZXjRY8t
+FR9o4+RWSUDH46GBghI6ymFUOTvI
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
new file mode 100644
index 0000000000..1cc3c1d81b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:ca-example-com-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem
new file mode 100644
index 0000000000..e640d5c414
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIUZ5yCDkvK/L//BgGU9zNVyxH/zB8wDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMIGFMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczEQMA4GA1UEChMHUE0vU0dE
+TjEOMAwGA1UECxMFRENTU0kxDjAMBgNVBAMTBUlHQy9BMSMwIQYJKoZIhvcNAQkB
+FhRpZ2NhQHNnZG4ucG0uZ291di5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zAL
+BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABrf/JNA+DqdYQwn9RYxSt66
+PZhpot1THGjGmav+5zTV7FrwZLkoEuXBcS+Yg3Gvwtfp+2dJ+xgtmM+78ujmxbTI
+q4tps6Bny+EKvDOYIjqjxp0adanemfywJmpFH3Tgr82KVTa33UbrhW+YXsUyBQv9
+pvUZfMy0O05SHOlIO3lSpaYzQrxx/e0UnkB0Qchfe1Uyhgq/MHQCNOYV11up7iDU
+Sdbq1Nx1Qo6rLeH1z0PJz2uE5hLe9d5hFuCApB0+2eOOvHPz/W6k4AkPeSl2tHr1
+qxMs2wjb/XYyQCieKOD5Hm+8VjHQVOyRBVgHD2avJZdVmrGZ2TKfP15HiPB7YQk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
new file mode 100644
index 0000000000..5d53706bc5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem
new file mode 100644
index 0000000000..562858db61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIUSdk8F0jpDEN+YOAzKTHFYPYpSbcwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1leGFt
+cGxlLWNvbS1hbmQtb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABoycwJTAjBgNVHREEHDAaggtleGFtcGxlLmNv
+bYILZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAEKJjjUGuvDhrTBOix9j
+WAWVAdH5LV9fsi/n6NT8w8tGr5IjqGlEjJThfpDDbnzcXHCO5MdC8IeIAsx4HxiP
++tleJ45bMNiJDgLjXIF7tD+kGXx5BLHeWEgKX4AEwOUyc9MSOQmAzYdapK4/TMJU
+O/444FWK8KspiaAvZE+kC0b4gQ5xnEL1+HPJL3rrh0V4iSnvHR+vF8gg0R/okkP5
+LiXVjhVa3ijLFCdB/++Kr3CErtL0Uq0fB4OlK3Oy9B0ieCsnQa3Qy8P9SdsPyM7u
+z8AMowAentrU6SpY6z5hWiMpo845g9FWWVHI2YXUjoQvbIhULPcep5u2FJeDbgzk
+qjM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
new file mode 100644
index 0000000000..904ca65955
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com-and-org
+extension:subjectAlternativeName:example.com,example.org
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem
new file mode 100644
index 0000000000..33c317c2aa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUcVSFRcZRaVDvcGI+g4f/MZ75ZE0wDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt
+cGxlLWNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAJbo7syEpoGC0BtstIQo98hDnTded5+/cDaqfXj/4aGm8NF+
+vIX9s+J6gNnEZxKm7+5fJF5+jLaRIlJLX/dtRR2jOnNdYPf4oC/MHt9YAqJaYvga
+3ZmHllRnAmin4WlxhM6R6cMO7sVI3pe2Q7D/Lw3osm6nDq8ZUwwAiaANCrpWedt2
+OCbbFtY+Yi/P3nRotbh8ImG2yn/UwJOas8KNXaPTPl5JwdEnwvbgJzjJZonhkUoR
+8I3t0NnQyVsyZV7B1LUF6Iq7WRf9O6Pex9WKhYEe6scv/jJYdWhnA7lIzlRPKlIS
+agkqVxrdVNXeUAwqNYpMliIq9YINaBnjtQAoBlI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
new file mode 100644
index 0000000000..46630c4a1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com
+extension:subjectAlternativeName:example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem
new file mode 100644
index 0000000000..bdc1959bd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUebhi2NR+oiJuaogfqJhY9T/ScvUwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt
+cGxlLW9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwDQYJKoZI
+hvcNAQELBQADggEBAHzWG9avWkjx81zISPhrSJsXD4wVrsEFAjI7GPV0ItmoQ8x7
+dKt1G6hEaihrTyfSwibWEB9xy6TFlrPRJKZOVpMtiNWf6iBRdKPgsDW2Ukl99fQL
+Vg125SdhbPKTvOti2HvM80H6TKvnKRhz5QaHk6BJu1ky7jTHvZCCigh7BQhISxix
+noqhltixD+PfVnn/7Gyu+//fhjUl4qV+Nu9msPoeJL2/ONdx6/LNSIBu20hr4MZx
+M+oC5XD77jF1QFT9o+LVr/LtyDcoePM+c8N8HSaxiaCQi7oma6u2SOHsawbrmdYt
+2WgYD/ZX1y253n5/N2pXS8PZzLQqXqgNAr672Cg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
new file mode 100644
index 0000000000..6a24090e51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-org
+extension:subjectAlternativeName:example.org
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem
new file mode 100644
index 0000000000..af0e05a6e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIUEZls3sstuzIIOQrIfQZH+nnWIw8wDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9lZS1leGFt
+cGxlLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjGzAZMBcGA1UdEQQQMA6CDGV4YW1wbGUudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAJUByQ8abS/RVjsiI9eH57oXGIqfgarbC0svvWGK/OEcO
+mWGt9VtEYuhrvCR958xTZiwQE9RM/y0ItBTV+FrVqbH1LrSwPR+V/rhOrCsduwJ0
+GkVWJEb+ElW3aEyYjGOG5OaAv7JKbOFMk3mmN2AVoHT9YBwMFCVDFj2wzIJ44rvV
+NeFjugXa/6AmPL7zEe0BDFLIlA7eKjam0/uUhj0uxhIYMsNzja0LHwiUIeVTP9ZX
+kelXGLwrN1oA39dMrLADZKAwokPtq3gw+EZ1zCcd6PLcyIlzz3VrtQDKBbY9iCg4
+6OgWLdhc8x2mM99Ek4eaTlVyaWaSRzbe35M9ZoNXFQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
new file mode 100644
index 0000000000..0926ce477a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-test
+extension:subjectAlternativeName:example.test
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem
new file mode 100644
index 0000000000..04d2356add
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEjCCAfqgAwIBAgIUKbtT4nBoUSNxDQ0ZHmFVyHfiQowwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjIx
+MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCQxIjAgBgNVBAMMGWludC1leGFt
+cGxlLW9yZy1wZXJtaXR0ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MAwGA1UdEwQFMAMBAf8wCwYDVR0P
+BAQDAgEGMBoGA1UdHgQTMBGgDzANggtleGFtcGxlLm9yZzANBgkqhkiG9w0BAQsF
+AAOCAQEArcZT82Z/fm6wjkQ4kq6Gl1vo8eVVB0MFAEfSjBHXL/QLckjqTsCmGg8B
+qGLVd8Bs65lyZ1J8teiuUxgXTfZE5C1twt88CsbVV6Q9Z/jr496DsYIPgRb7duaa
+YuqhZ91tqdDt6A59xHaxcwRlK1kJNym6f2O2JXd01PWcJWf7NiY7O1F/E8Sh9fNu
+Fct/WQ6oSvk5RxDPP5RwaHkIyZCM39B/ImU5HOdilu0EWIA/gugMbn3lyCJjUt7t
+ayg6e77PBmpwYkMnyX0ryB8lRgrDzU46DCGB3U4O3nJkaVWDp9ZXHFpzUUfWOcCz
+62KbB27bKPa9sGO+kh/kbQmQWx6QBg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
new file mode 100644
index 0000000000..87e2cf8a56
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:int-example-org-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.org
diff --git a/security/manager/ssl/tests/unit/test_nonascii_path.js b/security/manager/ssl/tests/unit/test_nonascii_path.js
new file mode 100644
index 0000000000..3c31640d05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nonascii_path.js
@@ -0,0 +1,52 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests to make sure that the certificate DB works with non-ASCII paths.
+
+// Append a single quote and non-ASCII characters to the profile path.
+let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+file.initWithPath(profd);
+file.append("'÷1");
+Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+file = do_get_profile(); // must be called before getting nsIX509CertDB
+Assert.ok(
+ /[^\x20-\x7f]/.test(file.path),
+ "the profile path should contain a non-ASCII character"
+);
+
+// Restore the original value.
+Services.env.set("XPCSHELL_TEST_PROFILE_DIR", profd);
+
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(cert_name, trust_string) {
+ let cert_filename = cert_name + ".pem";
+ return addCertFromFile(
+ certdb,
+ "test_cert_trust/" + cert_filename,
+ trust_string
+ );
+}
+
+function run_test() {
+ let certList = ["ca", "int", "ee"];
+ let loadedCerts = [];
+ for (let certName of certList) {
+ loadedCerts.push(load_cert(certName, ",,"));
+ }
+
+ let ca_cert = loadedCerts[0];
+ notEqual(ca_cert, null, "CA cert should have successfully loaded");
+ let int_cert = loadedCerts[1];
+ notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+ let ee_cert = loadedCerts[2];
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+}
diff --git a/security/manager/ssl/tests/unit/test_nsCertType.js b/security/manager/ssl/tests/unit/test_nsCertType.js
new file mode 100644
index 0000000000..8341575473
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsCertType.js
@@ -0,0 +1,32 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+//
+// While the Netscape certificate type extension is not a standard and has been
+// discouraged from use for quite some time, it is still encountered. Thus, we
+// handle it slightly differently from other unknown extensions.
+// If it is not marked critical, we ignore it.
+// If it is marked critical:
+// If the basic constraints and extended key usage extensions are also
+// present, we ignore it, because they are standardized and should convey the
+// same information.
+// Otherwise, we reject it with an error indicating an unknown critical
+// extension.
+
+"use strict";
+
+function run_test() {
+ do_get_profile();
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess);
+ add_connection_test(
+ "nsCertTypeCriticalWithExtKeyUsage.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "nsCertTypeCritical.example.com",
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
+ );
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js
new file mode 100644
index 0000000000..8650409df7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js
@@ -0,0 +1,25 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// This file tests the nsIX509CertValidity implementation.
+
+function run_test() {
+ // Date.parse("2013-01-01T00:00:00Z")
+ const NOT_BEFORE_IN_MS = 1356998400000;
+ // Date.parse("2014-01-01T00:00:00Z")
+ const NOT_AFTER_IN_MS = 1388534400000;
+ let cert = constructCertFromFile("bad_certs/expired-ee.pem");
+
+ equal(
+ cert.validity.notBefore,
+ NOT_BEFORE_IN_MS * 1000,
+ "Actual and expected notBefore should be equal"
+ );
+ equal(
+ cert.validity.notAfter,
+ NOT_AFTER_IN_MS * 1000,
+ "Actual and expected notAfter should be equal"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js
new file mode 100644
index 0000000000..6305b878b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js
@@ -0,0 +1,96 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that various nsIX509Cert attributes correctly handle UTF-8.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function run_test() {
+ let cert = certDB.constructX509FromBase64(
+ "MIIF3DCCBMSgAwIBAgIEAJiZbzANBgkqhkiG9w0BAQUFADCCAQ0xYTBfBgNVBAMM" +
+ "WEkuQ0EgLSBRdWFsaWZpZWQgcm9vdCBjZXJ0aWZpY2F0ZSAoa3ZhbGlmaWtvdmFu" +
+ "w70gY2VydGlmaWvDoXQgcG9za3l0b3ZhdGVsZSkgLSBQU0VVRE9OWU0xCzAJBgNV" +
+ "BAYTAkNaMS8wLQYDVQQHDCZQb2R2aW5uw70gbWzDvW4gMjE3OC82LCAxOTAgMDAg" +
+ "UHJhaGEgOTEsMCoGA1UECgwjUHJ2bsOtIGNlcnRpZmlrYcSNbsOtIGF1dG9yaXRh" +
+ "IGEucy4xPDA6BgNVBAsMM0FrcmVkaXRvdmFuw70gcG9za3l0b3ZhdGVsIGNlcnRp" +
+ "ZmlrYcSNbsOtY2ggc2x1xb5lYjAeFw0wMjEyMTIxMzMzNDZaFw0wMzEyMTIxMzMz" +
+ "NDZaMIIBFDELMAkGA1UEBhMCQ1oxHzAdBgNVBAMeFgBMAHUAZAEbAGsAIABSAGEB" +
+ "YQBlAGsxGTAXBgNVBAgeEABWAHkAcwBvAQ0AaQBuAGExLzAtBgNVBAceJgBQAGEA" +
+ "YwBvAHYALAAgAE4A4QBkAHIAYQF+AG4A7QAgADcANgA5MSUwIwYJKoZIhvcNAQkB" +
+ "FhZsdWRlay5yYXNla0BjZW50cnVtLmN6MRMwEQYDVQQqHgoATAB1AGQBGwBrMQ0w" +
+ "CwYDVQQrHgQATABSMR8wHQYDVQQpHhYATAB1AGQBGwBrACAAUgBhAWEAZQBrMRMw" +
+ "EQYDVQQEHgoAUgBhAWEAZQBrMRcwFQYDVQQFEw5JQ0EgLSAxMDAwMzc2OTCBnzAN" +
+ "BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxc7dGd0cNlHZ7tUUl5k30bfYlY3lnOD0" +
+ "49JGbTXSt4jNFMRLj6s/777W3kcIdcIwdKxjQULBKgryDvZJ1DAWp2TwzhPDVYj3" +
+ "sU4Niqb7mOUcp/4ckteUxGF6FmXtJR9+XHTuLZ+omF9HOUefheBKnXvZuqrLM16y" +
+ "nbJn4sPwwdcCAwEAAaOCAbswggG3MCUGA1UdEQQeMBygGgYKKwMGAQQB3BkCAaAM" +
+ "DAoxNzYyODk2ODgzMGkGA1UdHwRiMGAwHqAcoBqGGGh0dHA6Ly9xLmljYS5jei9x" +
+ "aWNhLmNybDAeoBygGoYYaHR0cDovL2IuaWNhLmN6L3FpY2EuY3JsMB6gHKAahhho" +
+ "dHRwOi8vci5pY2EuY3ovcWljYS5jcmwwHwYDVR0jBBgwFoAUK1oKfvvlDYUsZTBy" +
+ "vGN701mca/UwHQYDVR0OBBYEFPAs70DB+LS0PnA6niPUfJ5wdQH5MIG4BgNVHSAE" +
+ "gbAwga0wgaoGCysGAQQBs2EBAQQEMIGaMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3" +
+ "LmljYS5jei9xY3AvY3BxcGljYTAyLnBkZjBnBggrBgEFBQcCAjBbGllUZW50byBj" +
+ "ZXJ0aWZpa2F0IGplIHZ5ZGFuIGpha28gS3ZhbGlmaWtvdmFueSBjZXJ0aWZpa2F0" +
+ "IHYgc291bGFkdSBzZSB6YWtvbmVtIDIyNy8yMDAwIFNiLjAYBggrBgEFBQcBAwQM" +
+ "MAowCAYGBACORgEBMA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEA" +
+ "v2V+nnYYMIgabmmgHx49CtlZIHdGS3TuWKXw130xFhbXDnNhEbx3alaskNsvjQQR" +
+ "Lqs1ZwKy58yynse+eJYHqenmHDACpAfVpCF9PXC/mDarVsoQw7NTcUpsAFhSd/zT" +
+ "v9jIf3twECyxx/RVzONVcob7nPePESHiKoG4FbtcuUh0wSHvCmTwRIQqPDCIuHcF" +
+ "StSt3Jr9iXcbXEhe4mSccOZ8N+r7Rv3ncKcevlRl7uFfDKDTyd43SZeRS/7J8KRf" +
+ "hD/h2nawrCFwc5gJW10aLJGFL/mcS7ViAIT9HCVk23j4TuBjsVmnZ0VKxB5edux+" +
+ "LIEqtU428UVHZWU/I5ngLw=="
+ );
+
+ equal(
+ cert.emailAddress,
+ "ludek.rasek@centrum.cz",
+ "Actual and expected emailAddress should match"
+ );
+ equal(
+ cert.subjectName,
+ 'serialNumber=ICA - 10003769,SN=RaÅ¡ek,name=LudÄ›k RaÅ¡ek,initials=LR,givenName=LudÄ›k,E=ludek.rasek@centrum.cz,L="Pacov, Nádražní 769",ST=VysoÄina,CN=LudÄ›k RaÅ¡ek,C=CZ',
+ "Actual and expected subjectName should match"
+ );
+ equal(
+ cert.commonName,
+ "Luděk Rašek",
+ "Actual and expected commonName should match"
+ );
+ equal(cert.organization, "", "Actual and expected organization should match");
+ equal(
+ cert.organizationalUnit,
+ "",
+ "Actual and expected organizationalUnit should match"
+ );
+ equal(
+ cert.displayName,
+ "Luděk Rašek",
+ "Actual and expected displayName should match"
+ );
+ equal(
+ cert.issuerName,
+ 'OU=Akreditovaný poskytovatel certifikaÄních služeb,O=První certifikaÄní autorita a.s.,L="Podvinný mlýn 2178/6, 190 00 Praha 9",C=CZ,CN=I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM',
+ "Actual and expected issuerName should match"
+ );
+ equal(
+ cert.issuerCommonName,
+ "I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM",
+ "Actual and expected issuerCommonName should match"
+ );
+ equal(
+ cert.issuerOrganization,
+ "První certifikaÄní autorita a.s.",
+ "Actual and expected issuerOrganization should match"
+ );
+ equal(
+ cert.issuerOrganizationUnit,
+ "Akreditovaný poskytovatel certifikaÄních služeb",
+ "Actual and expected issuerOrganizationUnit should match"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_caching.js b/security/manager/ssl/tests/unit/test_ocsp_caching.js
new file mode 100644
index 0000000000..b964018518
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -0,0 +1,479 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks various aspects of the OCSP cache, mainly to to ensure we do not fetch
+// responses more than necessary.
+
+var gFetchCount = 0;
+var gGoodOCSPResponse = null;
+var gResponsePattern = [];
+
+function respondWithGoodOCSP(request, response) {
+ info("returning 200 OK");
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(gGoodOCSPResponse);
+}
+
+function respondWithSHA1OCSP(request, response) {
+ info("returning 200 OK with sha-1 delegated response");
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+
+ let args = [["good-delegated", "default-ee", "delegatedSHA1Signer", 0]];
+ let responses = generateOCSPResponses(args, "ocsp_certs");
+ response.write(responses[0]);
+}
+
+function respondWithError(request, response) {
+ info("returning 500 Internal Server Error");
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ let body = "Refusing to return a response";
+ response.bodyOutputStream.write(body, body.length);
+}
+
+function generateGoodOCSPResponse(thisUpdateSkew) {
+ let args = [["good", "default-ee", "unused", thisUpdateSkew]];
+ let responses = generateOCSPResponses(args, "ocsp_certs");
+ return responses[0];
+}
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aResponses,
+ aMessage,
+ aOriginAttributes
+) {
+ add_connection_test(
+ aHost,
+ aExpectedResult,
+ function () {
+ clearSessionCache();
+ gFetchCount = 0;
+ gResponsePattern = aResponses;
+ },
+ function () {
+ // check the number of requests matches the size of aResponses
+ equal(gFetchCount, aResponses.length, aMessage);
+ },
+ null,
+ aOriginAttributes
+ );
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function (request, response) {
+ info("gFetchCount: " + gFetchCount);
+ let responseFunction = gResponsePattern[gFetchCount];
+ Assert.notEqual(undefined, responseFunction);
+
+ ++gFetchCount;
+ responseFunction(request, response);
+ });
+ ocspResponder.start(8888);
+
+ add_tests();
+
+ add_test(function () {
+ ocspResponder.stop(run_next_test);
+ });
+ run_next_test();
+}
+
+function add_tests() {
+ // Test that verifying a certificate with a "short lifetime" doesn't result
+ // in OCSP fetching. Due to longevity requirements in our testing
+ // infrastructure, the certificate we encounter is valid for a very long
+ // time, so we have to define a "short lifetime" as something very long.
+ add_test(function () {
+ Services.prefs.setIntPref(
+ "security.pki.cert_short_lifetime_in_days",
+ 12000
+ );
+ run_next_test();
+ });
+
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "expected zero OCSP requests for a short-lived certificate"
+ );
+
+ add_test(function () {
+ Services.prefs.setIntPref("security.pki.cert_short_lifetime_in_days", 100);
+ run_next_test();
+ });
+
+ // If a "short lifetime" is something more reasonable, ensure that we do OCSP
+ // fetching for this long-lived certificate.
+
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithError],
+ "expected one OCSP request for a long-lived certificate"
+ );
+ add_test(function () {
+ Services.prefs.clearUserPref("security.pki.cert_short_lifetime_in_days");
+ run_next_test();
+ });
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function () {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test assumes that OCSPStaplingServer uses the same cert for
+ // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
+
+ // Get an Unknown response for the *.example.com cert and put it in the
+ // OCSP cache.
+ add_ocsp_test(
+ "ocsp-stapling-unknown.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ [],
+ "Stapled Unknown response -> a fetch should not have been attempted"
+ );
+
+ // A failure to retrieve an OCSP response must result in the cached Unknown
+ // response being recognized and honored.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ [respondWithError, respondWithError],
+ "No stapled response -> a fetch should have been attempted"
+ );
+
+ // A valid Good response from the OCSP responder must override the cached
+ // Unknown response.
+ //
+ // Note that We need to make sure that the Unknown response and the Good
+ // response have different thisUpdate timestamps; otherwise, the Good
+ // response will be seen as "not newer" and it won't replace the existing
+ // entry.
+ add_test(function () {
+ gGoodOCSPResponse = generateGoodOCSPResponse(1200);
+ run_next_test();
+ });
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "Cached Unknown response, no stapled response -> a fetch" +
+ " should have been attempted"
+ );
+
+ // The Good response retrieved from the previous fetch must have replaced
+ // the Unknown response in the cache, resulting in the catched Good response
+ // being returned and no fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Cached Good response -> a fetch should not have been attempted"
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function () {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // A failure to retrieve an OCSP response will result in an error entry being
+ // added to the cache.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithError],
+ "No stapled response -> a fetch should have been attempted"
+ );
+
+ // The error entry will prevent a fetch from happening for a while.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure -> a fetch should not have been attempted"
+ );
+
+ // The error entry must not prevent a stapled OCSP response from being
+ // honored.
+ add_ocsp_test(
+ "ocsp-stapling-revoked.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ [],
+ "Stapled Revoked response -> a fetch should not have been attempted"
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Ensure OCSP responses from signers with SHA1 certificates are OK. This
+ // is included in the OCSP caching tests since there were OCSP cache-related
+ // regressions when sha-1 telemetry probes were added.
+ add_test(function () {
+ clearOCSPCache();
+ // set security.OCSP.require so that checking the OCSP signature fails
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ run_next_test();
+ });
+
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ [respondWithSHA1OCSP],
+ "OCSP signing cert was issued with sha1 - should fail"
+ );
+
+ add_test(function () {
+ Services.prefs.setBoolPref("security.OCSP.require", false);
+ run_next_test();
+ });
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function () {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test makes sure that OCSP cache are isolated by firstPartyDomain.
+
+ let gObservedCnt = 0;
+ let protocolProxyService = Cc[
+ "@mozilla.org/network/protocol-proxy-service;1"
+ ].getService(Ci.nsIProtocolProxyService);
+
+ // Observe all channels and make sure the firstPartyDomain in their loadInfo's
+ // origin attributes are aFirstPartyDomain.
+ function startObservingChannels(aFirstPartyDomain) {
+ // We use a dummy proxy filter to catch all channels, even those that do not
+ // generate an "http-on-modify-request" notification.
+ let proxyFilter = {
+ applyFilter(aChannel, aProxy, aCallback) {
+ // We have the channel; provide it to the callback.
+ if (aChannel.originalURI.spec == "http://localhost:8888/") {
+ gObservedCnt++;
+ equal(
+ aChannel.loadInfo.originAttributes.firstPartyDomain,
+ aFirstPartyDomain,
+ "firstPartyDomain should match"
+ );
+ }
+ // Pass on aProxy unmodified.
+ aCallback.onProxyFilterResult(aProxy);
+ },
+ };
+ protocolProxyService.registerChannelFilter(proxyFilter, 0);
+ // Return the stop() function:
+ return () => protocolProxyService.unregisterChannelFilter(proxyFilter);
+ }
+
+ let stopObservingChannels;
+ add_test(function () {
+ stopObservingChannels = startObservingChannels("foo.com");
+ run_next_test();
+ });
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (firstPartyDomain = foo.com) -> a fetch " +
+ "should have been attempted",
+ { firstPartyDomain: "foo.com" }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " +
+ "fetch should not have been attempted",
+ { firstPartyDomain: "foo.com" }
+ );
+
+ add_test(function () {
+ stopObservingChannels();
+ equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
+ gObservedCnt = 0;
+ run_next_test();
+ });
+
+ add_test(function () {
+ stopObservingChannels = startObservingChannels("bar.com");
+ run_next_test();
+ });
+
+ // But using a different firstPartyDomain should result in a fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (firstPartyDomain = bar.com) -> a fetch " +
+ "should have been attempted",
+ { firstPartyDomain: "bar.com" }
+ );
+
+ add_test(function () {
+ stopObservingChannels();
+ equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
+ gObservedCnt = 0;
+ run_next_test();
+ });
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function () {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // Test that the OCSP cache is not isolated by userContextId.
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (userContextId = 1) -> a fetch " +
+ "should have been attempted",
+ { userContextId: 1 }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (userContextId = 1) -> a " +
+ "fetch should not have been attempted",
+ { userContextId: 1 }
+ );
+
+ // Fetching is prevented even if in a different userContextId.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (userContextId = 2) -> a " +
+ "fetch should not have been attempted",
+ { userContextId: 2 }
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function () {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test makes sure that OCSP cache are isolated by partitionKey.
+
+ add_test(function () {
+ Services.prefs.setBoolPref(
+ "privacy.partition.network_state.ocsp_cache",
+ true
+ );
+ run_next_test();
+ });
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (partitionKey = (https,foo.com)) -> a fetch " +
+ "should have been attempted",
+ { partitionKey: "(https,foo.com)" }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " +
+ "fetch should not have been attempted",
+ { partitionKey: "(https,foo.com)" }
+ );
+
+ // Using a different partitionKey should result in a fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " +
+ "fetch should have been attempted",
+ { partitionKey: "(https,bar.com)" }
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function () {
+ Services.prefs.clearUserPref("privacy.partition.network_state.ocsp_cache");
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test makes sure that OCSP cache are isolated by partitionKey in
+ // private mode.
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (partitionKey = (https,foo.com)) -> a fetch " +
+ "should have been attempted",
+ { partitionKey: "(https,foo.com)", privateBrowsingId: 1 }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " +
+ "fetch should not have been attempted",
+ { partitionKey: "(https,foo.com)", privateBrowsingId: 1 }
+ );
+
+ // Using a different partitionKey should result in a fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " +
+ "fetch should have been attempted",
+ { partitionKey: "(https,bar.com)", privateBrowsingId: 1 }
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function () {
+ clearOCSPCache();
+ run_next_test();
+ });
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
new file mode 100644
index 0000000000..00b1fc02a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -0,0 +1,146 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
+// behavior.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function certFromFile(filename) {
+ return constructCertFromFile(`test_ev_certs/${filename}.pem`);
+}
+
+function loadCert(certName, trustString) {
+ addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
+}
+
+function getFailingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function getOCSPResponder(expectedCertNames) {
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ev_certs",
+ expectedCertNames,
+ []
+ );
+}
+
+// Tests that in ocspOff mode, OCSP fetches are never done.
+async function testOff() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+ info("Setting security.OCSP.enabled to 0");
+
+ // EV chains should verify successfully but never get EV status.
+ clearOCSPCache();
+ let ocspResponder = getFailingOCSPResponder();
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ false
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // A DV chain should verify successfully.
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
+async function testOn() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ info("Setting security.OCSP.enabled to 1");
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(["test-oid-path-ee"]);
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ gEVExpected
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // If a successful OCSP response is fetched, then a DV chain should verify
+ // successfully.
+ clearOCSPCache();
+ ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
+async function testEVOnly() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 2);
+ info("Setting security.OCSP.enabled to 2");
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ clearOCSPCache();
+ let ocspResponder = gEVExpected
+ ? getOCSPResponder(["test-oid-path-ee"])
+ : getFailingOCSPResponder();
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ gEVExpected
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // A DV chain should verify successfully even without doing OCSP fetches.
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+add_task(async function () {
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ });
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ // Enable hard fail to ensure chains that should only succeed because they get
+ // a good OCSP response do not succeed due to soft fail leniency.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ loadCert("evroot", "CTu,,");
+ loadCert("test-oid-path-int", ",,");
+ loadCert("non-evroot-ca", "CTu,,");
+ loadCert("non-ev-root-path-int", ",,");
+
+ await testOff();
+ await testOn();
+ await testEVOnly();
+});
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
new file mode 100644
index 0000000000..32ac332e61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -0,0 +1,160 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests OCSP Must Staple handling by connecting to various domains (as faked by
+// a server running locally) that correspond to combinations of whether the
+// extension is present in intermediate and end-entity certificates.
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aStaplingEnabled,
+ aExpectOCSPRequest = false,
+ aWithSecurityInfo = undefined
+) {
+ add_connection_test(
+ aHost,
+ aExpectedResult,
+ function () {
+ gExpectOCSPRequest = aExpectOCSPRequest;
+ clearOCSPCache();
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.ssl.enable_ocsp_stapling",
+ aStaplingEnabled
+ );
+ },
+ aWithSecurityInfo
+ );
+}
+
+function add_tests() {
+ // Next, a case where it's present in the intermediate, not the ee
+ add_ocsp_test(
+ "ocsp-stapling-plain-ee-with-must-staple-int.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ true
+ );
+
+ // We disable OCSP stapling in the next two tests so we can perform checks
+ // on TLS Features in the chain without needing to support the TLS
+ // extension values used.
+ // Test an issuer with multiple TLS features in matched in the EE
+ add_ocsp_test(
+ "multi-tls-feature-good.example.com",
+ PRErrorCodeSuccess,
+ false
+ );
+
+ // Finally, an issuer with multiple TLS features not matched by the EE.
+ add_ocsp_test(
+ "multi-tls-feature-bad.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ false
+ );
+
+ // Now a bunch of operations with only a must-staple ee
+ add_ocsp_test(
+ "ocsp-stapling-must-staple.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-revoked.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ true,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-empty.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+
+ // If the stapled response is expired, we will try to fetch a new one.
+ // If that fails, we should report the original error.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ true,
+ true
+ );
+ // Similarly with a "try server later" response.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-try-later.example.com",
+ SEC_ERROR_OCSP_TRY_SERVER_LATER,
+ true,
+ true
+ );
+ // And again with an invalid OCSP response signing certificate.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-invalid-signer.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // check that disabling must-staple works
+ add_test(function () {
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
+ run_next_test();
+ });
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ PRErrorCodeSuccess,
+ true,
+ true
+ );
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // This test may sometimes fail on android due to an OCSP request timing out.
+ // That aspect of OCSP requests is not what we're testing here, so we can just
+ // bump the timeout and hopefully avoid these failures.
+ Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ ok(
+ gExpectOCSPRequest,
+ "Should be getting an OCSP request only when expected"
+ );
+ });
+ fakeOCSPResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_tests();
+
+ add_test(function () {
+ fakeOCSPResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
new file mode 100644
index 0000000000..ed5d0a3e00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -0,0 +1,58 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Test that if an OCSP request is made to a domain that (erroneously)
+// has HSTS status, the request is not upgraded from HTTP to HTTPS.
+
+function run_test() {
+ do_get_profile();
+ // OCSP required means this test will only pass if the request succeeds.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ // We don't actually make use of stapling in this test. This is just how we
+ // get a TLS connection.
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let args = [["good", "default-ee", "unused", 0]];
+ let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+ let goodOCSPResponse = ocspResponses[0];
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function (request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(goodOCSPResponse);
+ });
+ ocspResponder.start(8888);
+
+ // ocsp-stapling-none.example.com does not staple an OCSP response in the
+ // handshake, so the revocation checking code will attempt to fetch one.
+ // Since the domain of the certificate's OCSP AIA URI is an HSTS host
+ // (as added in the setup of this test, below), a buggy implementation would
+ // upgrade the OCSP request to HTTPS. We specifically prevent this. This
+ // test demonstrates that our implementation is correct in this regard.
+ add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess);
+ add_test(function () {
+ run_next_test();
+ });
+
+ add_test(function () {
+ ocspResponder.stop(run_next_test);
+ });
+
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let uri = Services.io.newURI("http://localhost");
+ SSService.processHeader(uri, "max-age=10000");
+ ok(
+ SSService.isSecureURI(uri),
+ "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" +
+ " we wouldn't be testing what we think we're testing"
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
new file mode 100644
index 0000000000..47b976cf71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
@@ -0,0 +1,115 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we connect to a host and encounter OCSP responses with the
+// Cache-Control header set, which normally Necko would cache. This test
+// ensures that these responses aren't cached. PSM has its own OCSP cache, so
+// Necko shouldn't also be caching them.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const SERVER_PORT = 8888;
+
+function add_flush_cache() {
+ add_test(() => {
+ // This appears to either fire multiple times or fire once for every
+ // observer that has ever been passed to flush. To prevent multiple calls to
+ // run_next_test, keep track of if this observer has already called it.
+ let observed = false;
+ let observer = {
+ observe: () => {
+ if (!observed) {
+ observed = true;
+ run_next_test();
+ }
+ },
+ };
+ Services.cache2.QueryInterface(Ci.nsICacheTesting).flush(observer);
+ });
+}
+
+function add_ocsp_necko_cache_test(loadContext) {
+ // Pre-testcase cleanup/setup.
+ add_test(() => {
+ Services.cache2.clear();
+ run_next_test();
+ });
+ add_flush_cache();
+
+ let responder;
+ add_test(() => {
+ clearOCSPCache();
+ clearSessionCache();
+ responder = startOCSPResponder(
+ SERVER_PORT,
+ "localhost",
+ "ocsp_certs",
+ ["default-ee"],
+ [],
+ [],
+ [],
+ [["Cache-Control", "max-age=1000"]]
+ );
+ run_next_test();
+ });
+
+ // Prepare a connection that will cause an OCSP request.
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ null,
+ null,
+ null,
+ loadContext.originAttributes
+ );
+
+ add_flush_cache();
+
+ // Traverse the cache and ensure the response was not cached.
+ add_test(() => {
+ let foundEntry = false;
+ let visitor = {
+ onCacheStorageInfo() {},
+ onCacheEntryInfo(
+ aURI,
+ aIdEnhance,
+ aDataSize,
+ aFetchCount,
+ aLastModifiedTime,
+ aExpirationTime,
+ aPinned,
+ aInfo
+ ) {
+ Assert.equal(
+ aURI.spec,
+ "http://localhost:8888/",
+ "expected OCSP request URI should match"
+ );
+ foundEntry = true;
+ },
+ onCacheEntryVisitCompleted() {
+ Assert.ok(!foundEntry, "should not find a cached entry");
+ run_next_test();
+ },
+ QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]),
+ };
+ Services.cache2.asyncVisitAllStorages(visitor, true);
+ });
+
+ // Clean up (stop the responder).
+ add_test(() => {
+ responder.stop(run_next_test);
+ });
+}
+
+function run_test() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+ add_ocsp_necko_cache_test(Services.loadContextInfo.private);
+ add_ocsp_necko_cache_test(Services.loadContextInfo.default);
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_required.js b/security/manager/ssl/tests/unit/test_ocsp_required.js
new file mode 100644
index 0000000000..3b2cceed72
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -0,0 +1,95 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a domain (as faked by a server running locally) and
+// start up an OCSP responder (also basically faked) that gives a response with
+// a bad signature (and later, an empty response). With security.OCSP.require
+// set to true, these connections should fail (but they also shouldn't cause
+// assertion failures).
+
+var gOCSPRequestCount = 0;
+var gOCSPResponse;
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ // We don't actually make use of stapling in this test. This is just how we
+ // get a TLS connection.
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let args = [["bad-signature", "default-ee", "unused", 0]];
+ let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+ // Start by replying with a response with a bad signature.
+ gOCSPResponse = ocspResponses[0];
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function (request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(gOCSPResponse);
+ gOCSPRequestCount++;
+ });
+ ocspResponder.start(8888);
+
+ add_tests();
+
+ add_test(function () {
+ ocspResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
+
+function add_tests() {
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_BAD_SIGNATURE,
+ function () {},
+ function (aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should have been made."
+ );
+ }
+ );
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_BAD_SIGNATURE,
+ function () {},
+ function (aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should not have been made."
+ );
+ }
+ );
+ add_test(function () {
+ equal(
+ gOCSPRequestCount,
+ 1,
+ "OCSP request count should be 1 due to OCSP response caching"
+ );
+ gOCSPRequestCount = 0;
+ // Now set the OCSP responder to reply with 200 OK but empty content.
+ gOCSPResponse = "";
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ function () {},
+ function (aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should have been made."
+ );
+ }
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
new file mode 100644
index 0000000000..1f183797f6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -0,0 +1,400 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with and without OCSP stapling enabled to determine that good
+// things happen and bad things don't.
+
+// Enable the collection (during test) for all products so even products
+// that don't collect the data will be able to run the test without failure.
+Services.prefs.setBoolPref(
+ "toolkit.telemetry.testing.overrideProductsCheck",
+ true
+);
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aStaplingEnabled,
+ aExpectOCSPRequest = false
+) {
+ add_connection_test(aHost, aExpectedResult, function () {
+ gExpectOCSPRequest = aExpectOCSPRequest;
+ clearOCSPCache();
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.ssl.enable_ocsp_stapling",
+ aStaplingEnabled
+ );
+ });
+}
+
+function add_tests() {
+ // In the absence of OCSP stapling, these should actually all work.
+ add_ocsp_test(
+ "ocsp-stapling-good.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-revoked.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-good-other-ca.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-malformed.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-srverr.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-trylater.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-needssig.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unauthorized.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-good-other.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-skip-responseBytes.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-critical-extension.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-noncritical-extension.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-empty-extensions.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+
+ // Now test OCSP stapling
+ // The following error codes are defined in security/nss/lib/util/SECerrs.h
+
+ add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true);
+
+ add_ocsp_test(
+ "ocsp-stapling-revoked.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ true
+ );
+
+ // This stapled response is from a CA that is untrusted and did not issue
+ // the server's certificate.
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem");
+ add_test(function () {
+ certDB.setCertTrust(
+ otherTestCA,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.UNTRUSTED
+ );
+ run_next_test();
+ });
+ add_ocsp_test(
+ "ocsp-stapling-good-other-ca.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // The stapled response is from a CA that is trusted but did not issue the
+ // server's certificate.
+ add_test(function () {
+ certDB.setCertTrust(
+ otherTestCA,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ );
+ run_next_test();
+ });
+ // TODO(bug 979055): When using ByName instead of ByKey, the error here is
+ // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
+ add_ocsp_test(
+ "ocsp-stapling-good-other-ca.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // TODO: Test the case where the signing cert can't be found at all, which
+ // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
+
+ add_ocsp_test(
+ "ocsp-stapling-malformed.example.com",
+ SEC_ERROR_OCSP_MALFORMED_REQUEST,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-srverr.example.com",
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-trylater.example.com",
+ SEC_ERROR_OCSP_TRY_SERVER_LATER,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-needssig.example.com",
+ SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unauthorized.example.com",
+ SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-good-other.example.com",
+ MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING,
+ true
+ );
+ // If the server doesn't staple an OCSP response, we continue as normal
+ // (this means that even though stapling is enabled, we expect an OCSP
+ // request).
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ function () {
+ gExpectOCSPRequest = true;
+ clearOCSPCache();
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+ }
+ );
+ add_ocsp_test(
+ "ocsp-stapling-empty.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-skip-responseBytes.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-critical-extension.example.com",
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-noncritical-extension.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+ // TODO(bug 997994): Disallow empty Extensions in responses
+ add_ocsp_test(
+ "ocsp-stapling-empty-extensions.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-delegated-included.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-included-last.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-missing.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-missing-multiple.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-no-extKeyUsage.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-from-intermediate.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // ocsp-stapling-expired.example.com and
+ // ocsp-stapling-expired-fresh-ca.example.com are handled in
+ // test_ocsp_stapling_expired.js
+
+ // Check that OCSP responder certificates with key sizes below 1024 bits are
+ // rejected, even when the main certificate chain keys are at least 1024 bits.
+ add_ocsp_test(
+ "keysize-ocsp-delegated.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ add_ocsp_test(
+ "revoked-ca-cert-used-as-end-entity.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ true
+ );
+}
+
+function check_ocsp_stapling_telemetry() {
+ let histogram = Services.telemetry
+ .getHistogramById("SSL_OCSP_STAPLING")
+ .snapshot();
+ equal(
+ histogram.values[0],
+ 0,
+ "Should have 0 connections for unused histogram bucket 0"
+ );
+ equal(
+ histogram.values[1],
+ 5,
+ "Actual and expected connections with a good response should match"
+ );
+ equal(
+ histogram.values[2],
+ 18,
+ "Actual and expected connections with no stapled response should match"
+ );
+ equal(
+ histogram.values[3] || 0,
+ 0,
+ "Actual and expected connections with an expired response should match"
+ );
+ equal(
+ histogram.values[4],
+ 21,
+ "Actual and expected connections with bad responses should match"
+ );
+ run_next_test();
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // This test may sometimes fail on android due to an OCSP request timing out.
+ // That aspect of OCSP requests is not what we're testing here, so we can just
+ // bump the timeout and hopefully avoid these failures.
+ Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ ok(
+ gExpectOCSPRequest,
+ "Should be getting an OCSP request only when expected"
+ );
+ });
+ fakeOCSPResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_tests();
+
+ add_test(function () {
+ fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
new file mode 100644
index 0000000000..9d533c03da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -0,0 +1,324 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Enable the collection (during test) for all products so even products
+// that don't collect the data will be able to run the test without failure.
+Services.prefs.setBoolPref(
+ "toolkit.telemetry.testing.overrideProductsCheck",
+ true
+);
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with OCSP stapling enabled to determine that good things happen
+// and bad things don't, specifically with respect to various expired OCSP
+// responses (stapled and otherwise).
+// According to RFC 6066, if a stapled OCSP response can't be satisfactorilly
+// verified, the client should terminate the connection. Unfortunately, due to
+// some bugs where servers will staple any old garbage without verifying it, we
+// can't be this strict in practice. Originally this caveat only applied to
+// expired responses, but recent high-profile failures have caused us to expand
+// this to "try later" responses and responses where the signing certificate
+// doesn't verify successfully.
+
+var gCurrentOCSPResponse = null;
+var gOCSPRequestCount = 0;
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aOCSPResponseToServe,
+ aExpectedRequestCount
+) {
+ add_connection_test(
+ aHost,
+ aExpectedResult,
+ function () {
+ clearOCSPCache();
+ clearSessionCache();
+ gCurrentOCSPResponse = aOCSPResponseToServe;
+ gOCSPRequestCount = 0;
+ },
+ function () {
+ equal(
+ gOCSPRequestCount,
+ aExpectedRequestCount,
+ "Should have made " +
+ aExpectedRequestCount +
+ " fallback OCSP request" +
+ (aExpectedRequestCount == 1 ? "" : "s")
+ );
+ }
+ );
+}
+
+do_get_profile();
+Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+// Sometimes this test will fail on android due to an OCSP request timing out.
+// That aspect of OCSP requests is not what we're testing here, so we can just
+// bump the timeout and hopefully avoid these failures.
+Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+var args = [
+ ["good", "default-ee", "unused", 0],
+ ["expiredresponse", "default-ee", "unused", 0],
+ ["oldvalidperiod", "default-ee", "unused", 0],
+ ["revoked", "default-ee", "unused", 0],
+ ["unknown", "default-ee", "unused", 0],
+ ["good", "must-staple-ee", "unused", 0],
+];
+var ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+// Fresh response, certificate is good.
+var ocspResponseGood = ocspResponses[0];
+// Expired response, certificate is good.
+var expiredOCSPResponseGood = ocspResponses[1];
+// Fresh signature, old validity period, certificate is good.
+var oldValidityPeriodOCSPResponseGood = ocspResponses[2];
+// Fresh signature, certificate is revoked.
+var ocspResponseRevoked = ocspResponses[3];
+// Fresh signature, certificate is unknown.
+var ocspResponseUnknown = ocspResponses[4];
+var ocspResponseGoodMustStaple = ocspResponses[5];
+
+// sometimes we expect a result without re-fetch
+var willNotRetry = 1;
+// but sometimes, since a bad response is in the cache, OCSP fetch will be
+// attempted for each validation - in practice, for these test certs, this
+// means 2 requests because various key sizes are tried.
+var willRetry = 2;
+
+function run_test() {
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function (request, response) {
+ if (gCurrentOCSPResponse) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(gCurrentOCSPResponse);
+ } else {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ response.write("Internal Server Error");
+ }
+ gOCSPRequestCount++;
+ });
+ ocspResponder.start(8888);
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ // In these tests, the OCSP stapling server gives us a stapled
+ // response based on the host name ("ocsp-stapling-expired" or
+ // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
+ // properly falling back to fetching revocation information.
+ // For ocsp-stapling-expired.example.com, the OCSP stapling server
+ // staples an expired OCSP response. The certificate has not expired.
+ // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
+ // server staples an OCSP response with a recent signature but with an
+ // out-of-date validity period. The certificate has not expired.
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ // if we can't fetch a more recent response when
+ // given an expired stapled response, we terminate the connection.
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ oldValidityPeriodOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ oldValidityPeriodOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ null,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ null,
+ willNotRetry
+ );
+ // Of course, if the newer response indicates Revoked or Unknown,
+ // that status must be returned.
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ ocspResponseRevoked,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ ocspResponseRevoked,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ ocspResponseUnknown,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ ocspResponseUnknown,
+ willRetry
+ );
+
+ // If the response is expired but indicates Revoked or Unknown and a
+ // newer status can't be fetched, the Revoked or Unknown status will
+ // be returned.
+ add_ocsp_test(
+ "ocsp-stapling-revoked-old.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ null,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown-old.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ null,
+ willNotRetry
+ );
+ // If the response is expired but indicates Revoked or Unknown and
+ // a newer status can be fetched and successfully verified, this
+ // should result in a successful certificate verification.
+ add_ocsp_test(
+ "ocsp-stapling-revoked-old.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown-old.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ // If a newer status can be fetched but it fails to verify, the
+ // Revoked or Unknown status of the expired stapled response
+ // should be returned.
+ add_ocsp_test(
+ "ocsp-stapling-revoked-old.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown-old.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+
+ // These tests are verifying that an valid but very old response
+ // is rejected as a valid stapled response, requiring a fetch
+ // from the ocsp responder.
+ add_ocsp_test(
+ "ocsp-stapling-ancient-valid.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-ancient-valid.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ ocspResponseRevoked,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-ancient-valid.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ ocspResponseUnknown,
+ willRetry
+ );
+
+ // Test how OCSP-must-staple (i.e. TLS feature) interacts with stapled OCSP
+ // responses that don't successfully verify.
+ // A strict reading of the relevant RFCs might say that these connections
+ // should all fail because a satisfactory stapled OCSP response is not
+ // present, but for compatibility reasons we fall back to active OCSP fetching
+ // in these situations. If the fetch succeeds, then connection succeeds.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-expired.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGoodMustStaple,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-try-later.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGoodMustStaple,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-invalid-signer.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGoodMustStaple,
+ willNotRetry
+ );
+
+ add_test(function () {
+ ocspResponder.stop(run_next_test);
+ });
+ add_test(check_ocsp_stapling_telemetry);
+ run_next_test();
+}
+
+function check_ocsp_stapling_telemetry() {
+ let histogram = Services.telemetry
+ .getHistogramById("SSL_OCSP_STAPLING")
+ .snapshot();
+ equal(
+ histogram.values[0] || 0,
+ 0,
+ "Should have 0 connections for unused histogram bucket 0"
+ );
+ equal(
+ histogram.values[1] || 0,
+ 0,
+ "Actual and expected connections with a good response should match"
+ );
+ equal(
+ histogram.values[2] || 0,
+ 0,
+ "Actual and expected connections with no stapled response should match"
+ );
+ equal(
+ histogram.values[3],
+ 22,
+ "Actual and expected connections with an expired response should match"
+ );
+ equal(
+ histogram.values[4],
+ 2,
+ "Actual and expected connections with bad responses should match"
+ );
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
new file mode 100644
index 0000000000..d9c5986dd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -0,0 +1,48 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a server that staples an OCSP response for a
+// certificate signed by an intermediate that has an OCSP AIA to ensure
+// that an OCSP request is not made for the intermediate.
+
+var gOCSPRequestCount = 0;
+
+function add_ocsp_test(aHost, aExpectedResult) {
+ add_connection_test(aHost, aExpectedResult, function () {
+ clearOCSPCache();
+ clearSessionCache();
+ });
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function (request, response) {
+ gOCSPRequestCount++;
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ let body = "Refusing to return a response";
+ response.bodyOutputStream.write(body, body.length);
+ });
+ ocspResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_ocsp_test(
+ "ocsp-stapling-with-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ add_test(function () {
+ ocspResponder.stop(run_next_test);
+ });
+ add_test(function () {
+ equal(gOCSPRequestCount, 0, "No OCSP requests should have been made");
+ run_next_test();
+ });
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_timeout.js b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
new file mode 100644
index 0000000000..8d606bc028
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -0,0 +1,100 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// This test connects to ocsp-stapling-none.example.com to test that OCSP
+// requests are cancelled if they're taking too long.
+// ocsp-stapling-none.example.com doesn't staple an OCSP response, so
+// connecting to it will cause a request to the OCSP responder. As with all of
+// these tests, the OCSP AIA (i.e. the url of the responder) in the certificate
+// is http://localhost:8888. Since this test opens a TCP socket listening on
+// port 8888 that just accepts connections and then ignores them (with
+// connect/read/write timeouts of 30 seconds), the OCSP requests should cancel
+// themselves. When OCSP hard-fail is enabled, connections will be terminated.
+// Otherwise, they will succeed.
+
+var gSocketListener = {
+ onSocketAccepted(serverSocket, socketTransport) {
+ socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_CONNECT, 30);
+ socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30);
+ },
+
+ onStopListening(serverSocket, status) {},
+};
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let socket = Cc["@mozilla.org/network/server-socket;1"].createInstance(
+ Ci.nsIServerSocket
+ );
+ socket.init(8888, true, -1);
+ socket.asyncListen(gSocketListener);
+
+ add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 1000);
+ add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 2000);
+ add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 4000);
+
+ add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 3000);
+ add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 10000);
+ add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 15000);
+
+ add_test(function () {
+ socket.close();
+ run_next_test();
+ });
+ run_next_test();
+}
+
+function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) {
+ let startTime;
+ add_test(function () {
+ Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
+ Services.prefs.setIntPref(timeoutPrefName, timeoutMilliseconds);
+ startTime = new Date();
+ run_next_test();
+ });
+
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ useHardFail ? SEC_ERROR_OCSP_SERVER_ERROR : PRErrorCodeSuccess,
+ clearSessionCache
+ );
+
+ add_test(function () {
+ let endTime = new Date();
+ let timeDifference = endTime - startTime;
+ info(`useHardFail = ${useHardFail}`);
+ info(`startTime = ${startTime.getTime()} (${startTime})`);
+ info(`endTime = ${endTime.getTime()} (${endTime})`);
+ info(`timeDifference = ${timeDifference}ms`);
+ // Date() is not guaranteed to be monotonic, so add extra fuzz time to
+ // prevent intermittent failures (this only appeared to be a problem on
+ // Windows XP). See Bug 1121117.
+ const FUZZ_MS = 300;
+ ok(
+ timeDifference + FUZZ_MS > timeoutMilliseconds,
+ `OCSP timeout should be ~${timeoutMilliseconds}s for ` +
+ `${useHardFail ? "hard" : "soft"}-fail`
+ );
+ // Make sure we didn't wait too long.
+ // (Unfortunately, we probably can't have a tight upper bound on
+ // how long is too long for this test, because we might be running
+ // on slow hardware.)
+ ok(
+ timeDifference < 60000,
+ "Automatic OCSP timeout shouldn't be more than 60s"
+ );
+
+ // Reset state
+ clearOCSPCache();
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref(timeoutPrefName);
+ run_next_test();
+ });
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url.js b/security/manager/ssl/tests/unit/test_ocsp_url.js
new file mode 100644
index 0000000000..6ff79df03f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -0,0 +1,122 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we try to validate several ocsp responses, checking in particular
+// if the ocsp url is valid and the path expressed is correctly passed to
+// the caller.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function start_ocsp_responder(expectedCertNames, expectedPaths) {
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ocsp_url",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function check_cert_err(cert_name, expected_error) {
+ let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expected_error,
+ certificateUsageSSLServer
+ );
+}
+
+add_task(async function () {
+ addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
+ addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");
+
+ // Enabled so that we can force ocsp failure responses.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ // Note: We don't test the case of a well-formed HTTP URL with an empty port
+ // because the OCSP code would then send a request to port 80, which we
+ // can't use in tests.
+
+ clearOCSPCache();
+ let ocspResponder = failingOCSPResponder();
+ await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
+ await check_cert_err("hTTp-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-host-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
+ await check_cert_err("no-path-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err(
+ "no-scheme-host-port",
+ SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ // Note: We currently don't have anything that ensures user:pass sections
+ // weren't sent. The following test simply checks that such sections
+ // don't cause failures.
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["user-pass"], [""]);
+ await check_cert_err("user-pass", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+});
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
new file mode 100644
index 0000000000..95e43ad50f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUPcxwWr/R6L+m+gFFiy0rWi66dGIwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBUxEzARBgNVBAMMCmJhZC1zY2hlbWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMTAvMC0GCCsGAQUF
+BwEBBCEwHzAdBggrBgEFBQcwAYYRL3d3dy5leGFtcGxlLmNvbS8wDQYJKoZIhvcN
+AQELBQADggEBAIuUhW8MgQTS5W1IU3InmGa7D+HL+UKyep++s+EVn3Kdn2WX14ph
+mzuhbJAVC1uMp3DLWlb3KZQcz6DsutRK5y+SEHue4C3eRZJhRUkmU+TsoZDznYVh
+KJAsl0IrUhh2XKPVDJ2ZtDiYE4bcPjrrKPgwMqS6hy/Qtllg6NbEAKiP9JKzmTVO
+ORaNHgXm3zuyXtJ6wGX6qM2jBLVNeRKWqPiFz61zRgGn6kMNJ7Yl1yRTIaQI8FDi
+hh720H3OTWGwXFeLoMuq7dhfTTwuExwko7Z1UieSDDZoFeO2GBAZ7Z4NK7VWSb+D
+GiooYhqSaYDoOylk1TfqhfkL9KWgTU7yddY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
new file mode 100644
index 0000000000..12cc072792
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:bad-scheme
+extension:authorityInformationAccess:/www.example.com/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem
new file mode 100644
index 0000000000..8131655251
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUZUAG1XrIsypGQCcYFFUTqaoZw5MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA+F3G6RbYWkt2VtLqA43GkRvQg
+PZGNxGlXGWazQRKDLXMFtbT9FG2l7nRQPPKhoaeKd+36zBPxgwJaC1+N5e9nxAm/
+YUY4ipA7RAaUf0l6hCyCNnbtd6o6E6hnU4ucX7GvgGQQEdXHPIpzF3AfVZviHVpl
+5u02rYNB6wGC9/vSsNKhpGYaIOB2yFzbXhwH4YqC2VwfpukNuSQ7oywFbH2IIj/5
+ik3Mp8uwL1qQ7XcF9se5rtNYcWzNe0aMKS7s/vRn1QeYp5Jsq6kEn0/aNvEmDskR
+GAGbbQ/4CQqKH2vqKQRq8KbDlzsxmfEF8cDZzvXZHWtQmGGURy/4ZAytgXFT
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec
new file mode 100644
index 0000000000..d809dbd635
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem
new file mode 100644
index 0000000000..b03dd51975
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUKYpgWagQQ8rQkCMJK11dU5LYtFEwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBsxGTAXBgNVBAMMEGVtcHR5LXNjaGVtZS11cmwwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjODA2MDQG
+CCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYOi8vd3d3LmV4YW1wbGUuY29tOjg4
+ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCOxSgwTWPNpFUf5kZpBLUOMX3/kB5FQVjf
+6HxT8xVukgc4LIVSFTGcxjCos3Nw+4KDvVf9Xa3/nVjOL3X+hAFJdzSqFKhu52JT
+Edh1t7qZ6F9kbNTtr7kjOoMRlt5kVHTNw8ZhrKWacZCvJjsRlvnc94Waw6Cfj4TV
+g7C6hLblo6jIo6yw9AFr4Mei81lwotbNnsP1EoKmGtyuYxnRiDBgatMvIOD/1Dyp
+XBT7imr4v9C0ntCNZIKHtTGKdma7nUN47ck9r+RYFAuIJFzTaDg8kqnd5DgB9P1x
+Fyggsv4+q5NwuMttNVV1Gql0wKzXffsMimfRLGzL9mqqAh9ZdvNu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec
new file mode 100644
index 0000000000..e8959653f3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:empty-scheme-url
+extension:authorityInformationAccess:://www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem
new file mode 100644
index 0000000000..99cfcf00db
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUZUXe6sUnYjHg6SGrZoNfo3YLQrQwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBIxEDAOBgNVBAMMB2Z0cC11cmwwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOzA5MDcGCCsGAQUFBwEB
+BCswKTAnBggrBgEFBQcwAYYbZnRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G
+CSqGSIb3DQEBCwUAA4IBAQCIEhhV7H0H6dPzGymxFYdq7/wbtOrG2DwAusNe2Ate
+2eVNNfovg2unARpWreK9sO2CgGwcHlulNFsHPlcWIPwnvVeOAFz/Rhndl93PYtch
+5ZV1gT9WSoDAAcxUkz2ycmjhthOJjxLlJ5WBIgG+GoYeK02/YxC94/7GLCVW66rA
+ehCowuSN8p9j9Wmm2Jjna7aVWZHO8lIAEFrEYMHeurYPkDw9y26itn5F/DUmZJB5
+cFiTcU3Qf0R1Eiswh/fhZm6A5cwjViOigKaxTaA4qoEpiVCtbdcWu39Dsp4mi9k2
+JRz425sXav5AGlFt+KidpDB5f5k0S6h1cFCx+2s300Yt
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec
new file mode 100644
index 0000000000..9f50a7d792
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ftp-url
+extension:authorityInformationAccess:ftp://www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem
new file mode 100644
index 0000000000..bc2c6eda60
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIUPwOINpymE8g51lV2vT4IYvEfRU0wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBMxETAPBgNVBAMMCGhUVHAtdXJsMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0QwQjBABggrBgEFBQcB
+AQQ0MDIwMAYIKwYBBQUHMAGGJGhUVHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9o
+VFRwLXVybDANBgkqhkiG9w0BAQsFAAOCAQEAAkkcJpJzkYUhpq0FQDV/MKQSbdwW
+GYsPWxPGkjZvjHfEJ5NEmJQhPU6HSKnQDKp1e2axkhmCvS8Y8/wlS6Cc0np0UU4n
+zZYlx15vRBwYlDOprcBsa64xaEXEv3NDnyQTBOGD1SLJgLyA7FmkXv/vcFXr9mga
+9tVVa+SFl2vuOYk3NHSGswaja3OW8eCBfrxx1AYkHIsN8OSKNvgLjCr5mMbjAH0C
+LDV1+0XiaUyUvKVBvvr7dg4cfzbLtxMBAMEUqlLBfJYZuF4Rpkc8NvHo01FlFl+h
+B/f88ihMzQd58g3rp0wzieRZqrVRXn8eMdpGSbMmzAo2WU71lfh+fO9cwQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec
new file mode 100644
index 0000000000..10b1504b29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:hTTp-url
+extension:authorityInformationAccess:hTTp://www.example.com:8888/hTTp-url
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem
new file mode 100644
index 0000000000..881afe9faf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUV1jKhIwDRgRkdyJko/7MLL+VmlAwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBQxEjAQBgNVBAMMCWh0dHBzLXVybDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH
+AQEENjA0MDIGCCsGAQUFBzABhiZodHRwczovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2h0dHBzLXVybDANBgkqhkiG9w0BAQsFAAOCAQEADLboQ2R+8RSxfPh2glGvvafl
+8KCV/oqMwUpEPVNu9862EVboWei7Xuj3ZLdsorOsasglDEjCutCgyUs4SYIWmoSf
+QaA8jTDWwzPbBQE5eQuhzk7pJJWb0fxDUeZva1YJov7ZOsJKbz1pyX7/kRf22NFw
+tZid6thLiSe5gVpI9/0Sa10KhKe6H9mZjpeqQaYKFzVNjQPwfmZddN0Bn9dgajJL
+NmZk06uuPOHBedHJmlTDGCiPKg8Qtlga2sGWgTaaI1cuO3xAd8ybUG0IooLjpFWC
+qwHs9wXJ1Cj/cfmzFcGhO83lpJ6do5TLbVoyDOnp0bUcQdlhhwatkL5mtK+BxQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec
new file mode 100644
index 0000000000..891005bf5c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:https-url
+extension:authorityInformationAccess:https://www.example.com:8888/https-url
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key b/security/manager/ssl/tests/unit/test_ocsp_url/int.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem
new file mode 100644
index 0000000000..b31a9cda93
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUe2LIDV1Nhfro/wXnL4PUQK5N24QwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjQy0NtsF3aykS9j0nzTjuaXO
+H3lWVMJJBYNZw0YcFUIfTFpkAdwLyvWrw9vpNBURseXog/pFe+Wo1vh7LtESg8Kc
+WFnE7LWeZSzOLgUTRPuHU45ehkaJpAOXaBUo/RNNYykE44EVIXvNCUuPe06SfSnD
+fSHNDdrg0jv4V+Xjoq+8+yhBNmjNNylBMfZmj7NiN8ZKka+AovStBoxuvSD6Oef3
+ENuMtUH10KETCkUf/u04RMU8sTZP65zg2xQ3hcvDAoJvIwwaq/TtcghO0AcD6RbN
+yoHIgJe2TiWRltAPOTzm/2OmUGOHin1p4DCA7usZRpU/iRqr06ZZFzBtj+0v4A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
new file mode 100644
index 0000000000..e1d99ffe0e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUabKe59RFXji+vmz2hVT2cKegTcYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBgxFjAUBgNVBAMMDW5lZ2F0aXZlLXBvcnQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOjA4MDYGCCsG
+AQUFBwEBBCowKDAmBggrBgEFBQcwAYYaaHR0cDovL3d3dy5leGFtcGxlLmNvbTot
+MS8wDQYJKoZIhvcNAQELBQADggEBAIYQAjUDhkgFfi0C7rHvEaIUpuJzvRlTQAtX
++evW3gHpqKH48CC0/Rg6RLlHhURti+EEVOb7d/3RUfJpsNI3Jl2M3MYaXMf/Un0U
+wSGSeKg0JNS+HuQm+HZnQSI3O1yOKUpKoi/RUtYrVzLHHnSyvK4i1QVl7cxhk1SL
+7tX77B3iZSEzObG4Yd9a5xrF6l9R1LsyWT6jXJ4j+zVjzBcq3T8ZRkxKi1i6viOD
+9bHfyQoqMoeuQH13ENvQm/X2sSEfr+SObsS0clztBaOzZaV+mF7tDt64SuSpVMDG
+ncx2f/Z9eTbPrJgAnTPRaHFbzyZdq7C2hMZ+hcKwZGY2tn1JLns=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
new file mode 100644
index 0000000000..fce6d43848
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:negative-port
+extension:authorityInformationAccess:http://www.example.com:-1/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem
new file mode 100644
index 0000000000..635a7059d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcugAwIBAgIUHX/JG96jB74HqkQdA0vLTUhq+b4wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBYxFDASBgNVBAMMC25vLWhvc3QtdXJsMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy0wKzApBggrBgEF
+BQcBAQQdMBswGQYIKwYBBQUHMAGGDWh0dHA6Ly86ODg4OC8wDQYJKoZIhvcNAQEL
+BQADggEBAAW9QCXaRLhkIBFIDNLycJsDQzPtw3OZmj0u26gglbvFqAuLyyi7pbVB
+RSxMLbkrejaDiC0u5Nw5UV18+F2WSm+l8XK7xqbISfTnhBAXXvebdFSJVTfUhxyC
+NmOV51Bi6tE8/wZkxVjb9Xk9glWI/secTDUt/1mEE4/aJ0mzO1z0U28jCDrLJYQE
+0LHZNk/1KEF8T+Vs1xWKoSEfW7w2AH0imSHHaJop1s8raJP9YloX7BccxD1HA6oE
+qb8ANKDJmfHrn3MBZS/AAGp1gh7y8s/7S0LmuhLNADYyaaLdPJXKgZu2KvSmuZxG
+KE1qHOuc36X1Sz7NsNjazvBmAqHQMSs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec
new file mode 100644
index 0000000000..4ac76e7eb3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-host-url
+extension:authorityInformationAccess:http://:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem
new file mode 100644
index 0000000000..9ae448aa9d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUDc0Fw6h2xd6MsGfxN1SxVQq80hEwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBYxFDASBgNVBAMMC25vLXBhdGgtdXJsMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozswOTA3BggrBgEF
+BQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4
+ODANBgkqhkiG9w0BAQsFAAOCAQEAJvsDo/KBWg+rBqAvztl0dX3gA0ir80umQ9HQ
+/bQGWqiWkVzQJ63918RBMZGQDepR7DAkkypJDqvAJ9LBEPRQ9aEEnqX3yeC+SmlG
+LJVFR71rejSg9dzfj7q3ZkN+5jkCyzU6qz4hlUmy2ZtD7g3j+JuIXW8GLppvfro7
+q8njhczPm/dIIgrBDkrtXoxkEGf/9oF8qow03+zmt0VdaBXM9JQdXOr0EENkc8WE
++fZAGVZpnb2xnVIfPnRU+iaBfKPYaoPuLDlOkxjS57Ko7zhcqhK5etaUmyIiBK2n
+/Kv1I0DcTRcip4iExyHCspJzW9y/NqAKEfu4EmLiZbHrqtA0mA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec
new file mode 100644
index 0000000000..497bb28796
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-path-url
+extension:authorityInformationAccess:http://www.example.com:8888
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem
new file mode 100644
index 0000000000..629489795b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUAbgRbg/m1UnBU4JeU5gdUyeX1PMwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMB4xHDAaBgNVBAMME25vLXNjaGVtZS1ob3N0LXBvcnQwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAf
+MB0GCCsGAQUFBwEBBBEwDzANBggrBgEFBQcwAYYBLzANBgkqhkiG9w0BAQsFAAOC
+AQEAfq+rjh+ps++6y+2FAoCgTSGgHYS2f5wLw1XhF3QYEXJEvUYHTCXjzK7PZ45z
+2AYdtCvUbB5EkBD8h0I/qhpvz3he+DvGXyBmq0JK2xLhRZAn5c7bfGf5J1uacBJl
+Y+E6cSGtKqOYBnrmwGE50WiAZBvvZ0RoLTy3dkqMDElcLZdZpLbIZLxw9+A1c0Zk
+G/9ExpwMF5m7kKou7czWlNUpoEqFZrycg+yNviDphaJON9DVTQZe2W2JkrGzMqq/
+MncnJYDpd5gHiYRbTYStQftVHr5JKKDo85MGelcLpthN6H23+cCabwFvGMSFBSwo
+bAtHMWzDus8s1aX6I+fl9lxmAQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec
new file mode 100644
index 0000000000..42a555e411
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-scheme-host-port
+extension:authorityInformationAccess:/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem
new file mode 100644
index 0000000000..9fd1e4e4fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUMQ4FaOlHRe8APFFKFVuEsyzJ6x4wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBgxFjAUBgNVBAMMDW5vLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEGCCsG
+AQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G
+CSqGSIb3DQEBCwUAA4IBAQCD9UOxBwhdtnbSg+eCvTEEL9x8ssiYE8/AuYKsWS/p
+Rv7dqR/cRyYJgzQyAlyZAVDBEusDxAMeJhLRu6BqTu4R607lCh17Kzn2omQVsx1V
+J1jQWnmOU9VUYDbFgx0Du3q73n/42XaZTIJP3M1b5Mkv9hmPEtvEFNTeqq3SJqJe
+a16nqlpJvqhrDq275YSbfv/jtz0cu1MbSmQhK6uC6ToEk7/omZ2lHtIRJhhqTN8b
+XqckBz7M0meZzO9LfjGlMx7f+3Qdl/RMq/FYwESzG5Vdjx8lUGcGnpuBdDQsA8YT
+03iEvddzfqzOPS6s4tHk/btAVOarcwGp3wJpfqS2YxDX
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec
new file mode 100644
index 0000000000..a82196a6d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-scheme-url
+extension:authorityInformationAccess:www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
new file mode 100644
index 0000000000..c8e6456611
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUczX4OFX/mHvox1wrRPdNp+YQkH0wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBkxFzAVBgNVBAMMDnVua25vd24tc2NoZW1lMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozYwNDAyBggr
+BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFnR0cDovL3d3dy5leGFtcGxlLmNvbS8w
+DQYJKoZIhvcNAQELBQADggEBABBQ89WfNTBdDjN+W8ftdmvOW9vhWbkBBQPZRO/U
+HWjOFhMPwn/Nv2RbIl4+b/qFXWp7kvOjZ7bbW4DpVXlmrP9qY9B1SsKs00ZS2N0f
++ty3SQxjTXzXN7Qphwa7TwiGAjiwBFMUvZ1mIEzT0ODF/g6/hG4SxbyMIhOl34CD
+VZ/+NyYoPdkWZhJ55OJNRbWNbyphA1LP7GkZK59CZtGhvNvIWFsabPN3ob5X9O+M
+cYMxGk3ln1CScEUSz+1k2UM8UufolaWNXllv6AkL4KHwaobkFtWAwCU5g+pH3sEo
+D+szKnApDSVzv8tkB/9f4RgyXym+zPvXnHhIbyCaw/bwjII=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
new file mode 100644
index 0000000000..0089455398
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:unknown-scheme
+extension:authorityInformationAccess:ttp://www.example.com/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
new file mode 100644
index 0000000000..b673913745
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUL2u+oKD07Txp4pZFkslIHkaq+jUwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMBQxEjAQBgNVBAMMCXVzZXItcGFzczCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH
+AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vdXNlcjpwYXNzQHd3dy5leGFtcGxl
+LmNvbTo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAPFnw1V43BlxAtHyhz1oUoKRz
+xLBHzSPshe5dlfPZVh8bPgh+6eHDNtvs2IlcC6vAXX/BwCezMSam+3f6fYInih6O
+TNCyJ8ZywHuy+aHvULNpUOolVqzJC1J4aaHaZTc3RCA1qbNOfIvDaElB3WPl4izq
+ov+JHkx70O3rcSm+9qOCebtLb57iG077p+2jh1jyQEV+XOSnuZqeBi7IvFuairgv
+yYcvokJylHmsq4U7rsLIdD7aWTxKaZgi4y2w3/ZGo4v0dqFHTPfSxxvPUYocW0R9
+XgHQrtgfcR6k74NNJNV3/KwAdGaZtxETG8QR56BIJNGat6cWpXlO8Y3xy1TZxA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
new file mode 100644
index 0000000000..337e67e5f9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:user-pass
+extension:authorityInformationAccess:http://user:pass@www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem
new file mode 100644
index 0000000000..9b5b6bcbf8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBHzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0
+IEludGVybWVkaWF0ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAw
+WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu
+dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC4QPWiV26uv1EwUr2QkZC7pEXc
+8kG/tJlUOkZjhJkXrmKPzP99wOxIzJDPSnsiBb+FIkeRlZYBh4BJ+rjD7v+yA847
+NYw/P9qfLLdPVlM5fbEytQHjzB70XsnP7bEB5VmL167oP64fuVpaQh9znQXQjXw8
+xYfYPM21VXASSfjKtbUNiTyMXetXfwufOOTxe3ulV2JjaaNes8poLFZ0Ikl78oPJ
+aRoSmYU7Jxf15rhXqtRLHmd9/KusNUAhVip6A0yP21J/S+FAOCdT158AV3GFedC/
+i/xKe7cNOSPh2s/ZhJeGrceiP+fSBjfkcjmVwY3Qq2K0u4iV4L32Hy7df772
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec
new file mode 100644
index 0000000000..d3ba461104
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:Another EE Revoked by revocations.txt
+serialNumber:31
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem
new file mode 100644
index 0000000000..ff1cbab707
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBTjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0
+IEludGVybWVkaWF0ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAw
+WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu
+dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBlUJh1KOy5qUMu/lJ3vWPDZ1Vn
+dtoODkWS5jgjc6tcyasVu5DHsmCblNGZzJ7INFIiWp2/VI8ohRsxUo23stpKlysa
+pkAej/c7Uvnuz3JGvVlfr2Si5OqlpuxUvZms9xcVpq+i3slwjG3i/JXjSbNIReE0
+GpB7k3dkbucLe/5v01m6IX8LiDFcZKmL1JzZTJtpKdeInwNBAHvIJ9lMeuL6rFHZ
+3cZde1wXhUsg2N5ZnYe52qyI9QmeQBLSL4zlUZMY8Xny0nHBChrouOfht/jTs8Wo
+878HySDzJQSnVbMaQQ7drglwJqz85rEAa28ZbLrCtmN/MrrsLD/N49fDibea
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec
new file mode 100644
index 0000000000..10f8f07cce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:Another EE Revoked by revocations.txt
+serialNumber:78
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem
new file mode 100644
index 0000000000..d1f21d2fb7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtzCCAZ+gAwIBAgIBKjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCgxJjAkBgNV
+BAMMHUVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMudHh0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCKZ8Fkq/PRqRt416vv4AiRLvwO3a3/6IdGFnCYQE5WU99oYMzT
+JyVF9mzMjRErKPqGhHMYVIu+4O87kUa3lcYFhvXGQmDRglu9ZAZ+liIPnjO+B484
+JNFyJYqZELBr1ndFj5ipJxKe0G/QgaONRIH/4OrM3cabGQnzLZE4BnwkaI8tG3xA
+g8R9frLnBK/ShwB95nlZlqLZcz/Dg/reDmfFuG8Qeqx56bWEW9r8QxBJxdJyvZU3
+87wDETb8K54vJEHjKj7aaByTU0ynivXkih5qFbxCPvMaqRtFZm0hnoe51hSmLdPq
+r9sdIhxaOWvk1RwLOzPigsbDXpkJp9OuYBQM
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec
new file mode 100644
index 0000000000..a2a67d909c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:EE Revoked by revocations.txt
+serialNumber:42
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem
new file mode 100644
index 0000000000..479058f9bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAbWgAwIBAgIUayHb9Obz2uNyFbwZlXV6mUEdRtAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjArMSkwJwYDVQQDDCBFRSBSZXZva2VkIEJ5IFN1YmplY3QgYW5k
+IFB1YktleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAb5nc34vUDqvmAU3yGnha
+fhLCaxIFkNpdQFmbqrZ+0meqA9aGyq0WczoFrDW1UOQ2mgj9ywsnk3SCRlZKApsj
+NlOC0BrYW05zLe9yDJMlPd6fykPpCiats4hVRrAjqFkDPxlFuhcTF5FMTats1XYX
+emLuJvls5M+3AlE6q3sMTXeJepOThfKkDZBMIlyBQLjq4jLpkFUOALOub1zJIFPM
+UJyvJtTvB71KraVXjyknPkIX4MkO94jh7WGDWXLzGRBEjDrH+BD3xlQZf+jD4jyx
+vBkyjZX19ncl3pQVv8Uro2tx6dW9868Szs7IaLheQ74EFYWmNq+6xQIMTHlISi8a
+1g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec
new file mode 100644
index 0000000000..cadbcf9038
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec
@@ -0,0 +1,2 @@
+issuer:Test CA
+subject:EE Revoked By Subject and PubKey
diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem
new file mode 100644
index 0000000000..829d60306a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgmgAwIBAgIUCRWWg+sxVN12BfGt3Ge//X6/ZoEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdBbm90aGVyIFRlc3QgRW5kLWVudGl0eTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaNbMFkwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMDIG
+CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4
+LzANBgkqhkiG9w0BAQsFAAOCAQEAQvj0s0hiJIRiOgwOfV1hRfuVj8zBqo1DQzlI
+mCH4qhNYfq9wUmPtZaaj9aPXpkMnzxTHArLVeeX8RQP8Wm/4ZJ/jGPPX0le+/jzU
+t2bVb32JFWOjcDPK0TAbOrqJQ6p41cYEzS7+E9xQVSCoq6urm8xrUeh89URfG89/
+Gkf4q0ms1NrCzfgxd8gj5jBpArbSp6VtoJ7m0FTPEhTEgGuRACyP1a3gU3ayZzfh
+8fy4oiIE86VPMccWXK8LaPnQD/4ksSKnBKSQp/vf3DJ2RLEmVN25bN+oi516PUjC
+DvAkhLiqzm6vNktqKQiJuBz0ojMeerd1Cf50Tea0NB0q99tuFw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec
new file mode 100644
index 0000000000..8b20f03f59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Another Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt
new file mode 100644
index 0000000000..2ee2b87b2a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt
@@ -0,0 +1,41 @@
+# a sample revocations.txt for tests
+# Lines starting with '#' are ignored - as are empty lines like this:
+
+# otherwise:
+# non-empty lines are treated as base-64 encoded DER DN data (e.g. issuer or
+# subject)
+# ...unless the line starts with a ' ' (space) character, in which case it's
+# assumed to be base-64 encoded DER serial data, or
+# the line starts with a '\t' (tab) character, in which case it's assumed to
+# be a base-64 encoded SHA256 hash of a public key
+
+# First a serial with no issuer to ensure this doesn't cause parsing to fail
+# (there should be an issuer first, but we need to test this won't fail)
+ dGVzdA==
+# next, let's ensure data that isn't valid base64 doesn't cause breakage.
+ this serial isn't valid base64 (but then there's no issuer anyway)
+Neither is this issuer, though the serial is fine
+ dGVzdA==
+dGVzdA==
+ in this case, issuer is fine but not the serial
+# Next two entries; we can add valid base-64 encoded data for some basic tests:
+# issuer is the base-64 encoded subject DN for the shared Test CA
+# serial is the base-64 encoded integer 42
+MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=
+ Kg==
+# issuer is the base-64 encoded subject DN for the shared Test Intermediate
+# the first serial is the base-64 encoded integer 78
+# the second serial is the base-64 encoded integer 31
+MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl
+ Tg==
+ Hw==
+ c2VyaWFsMi4=
+# subject is base-64 encoded subject DN "CN=EE Revoked By Subject and PubKey"
+# pubKeyHash is the base-64 encoded sha256 hash of the shared RSA SPKI
+MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5
+ VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=
+# and some more data to ensure that mixed items don't cause parsing failure
+a DN
+ a serial
+ a hash
+ another serial
diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem
new file mode 100644
index 0000000000..ea4de5df48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIUI+fSldu453DNk3lAfGlpSIh/9lEwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw
+MDBaGA8yMDI1MDIwNDAwMDAwMFowJDEiMCAGA1UEAwwZRUUgaXNzdWVkIGJ5IGlu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqG
+SIb3DQEBCwUAA4IBAQAXxofSjWj1UxCsKaPgqaeHqerNYTHgn8rLlMtD73pDIiq9
+r+YDWyf8b97RfPFPP2eNDyDmjvbEl6sXwtB9+zxf+rof9jBV1Oxfqf2NkNgOnRHW
+pNaFUK8umcLeBR02wpHbjXl3tx5NVk69S/r3J9wyMEsd+Rh2bFE+7KV068AhU++o
+edg6Eq5t9biISQwOBFdX7a5I/Jw94kRODJOi+f1zHyJk+o2cI9ZYVdXyWreuLBAn
+cj/gAKf8/d2HbbXHysOOCKgYqZKRFVN9vBDjVmIRaRXsW3t8Oxa8/uytPZvoqVLM
+8bbJuJE9kTGAhtLlCppIRv4/m4Okh3MBzCY5ZaKB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec
new file mode 100644
index 0000000000..24792d540a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:EE issued by intermediate
+extension:subjectAlternativeName:localhost
diff --git a/security/manager/ssl/tests/unit/test_osclientcerts_module.js b/security/manager/ssl/tests/unit/test_osclientcerts_module.js
new file mode 100644
index 0000000000..bebc0aa58b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_osclientcerts_module.js
@@ -0,0 +1,60 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the platform can load the osclientcerts module.
+
+// Ensure that the appropriate initialization has happened.
+Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+do_get_profile();
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_osclientcerts_module_loaded() {
+ // Loading happens asynchronously, so we have to wait for the notification.
+ await TestUtils.topicObserved("psm:load-os-client-certs-module-task-ran");
+ let testModule = checkPKCS11ModuleExists(
+ "OS Client Cert Module",
+ "osclientcerts"
+ );
+
+ // Check that listing the slots for the osclientcerts module works.
+ let testModuleSlotNames = Array.from(
+ testModule.listSlots(),
+ slot => slot.name
+ );
+ testModuleSlotNames.sort();
+ const expectedSlotNames = ["OS Client Cert Slot"];
+ deepEqual(
+ testModuleSlotNames,
+ expectedSlotNames,
+ "Actual and expected slot names should be equal"
+ );
+}
+
+add_task(async function run_test() {
+ // Check that if we haven't loaded the osclientcerts module, we don't find it
+ // in the module list.
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+ // Check that enabling the pref that loads the osclientcerts module makes it
+ // appear in the module list.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+ await check_osclientcerts_module_loaded();
+
+ // Check that disabling the pref that loads the osclientcerts module (thus
+ // unloading the module) makes it disappear from the module list.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+ // Check that loading the module again succeeds.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+ await check_osclientcerts_module_loaded();
+
+ // And once more check that unloading succeeds.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+});
diff --git a/security/manager/ssl/tests/unit/test_oskeystore.js b/security/manager/ssl/tests/unit/test_oskeystore.js
new file mode 100644
index 0000000000..fcc9de6c59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_oskeystore.js
@@ -0,0 +1,272 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with nsIOSKeyStore.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const LABELS = ["mylabel1", "mylabel2", "mylabel3"];
+
+async function delete_all_secrets() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ for (let label of LABELS) {
+ if (await keystore.asyncSecretAvailable(label)) {
+ await keystore.asyncDeleteSecret(label);
+ ok(
+ !(await keystore.asyncSecretAvailable(label)),
+ label + " should be deleted now."
+ );
+ }
+ }
+}
+
+async function encrypt_decrypt_test() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "The secret should not be available yet."
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+ let recoveryPhrase2 = await keystore.asyncGenerateSecret(LABELS[1]);
+ ok(recoveryPhrase2, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x01, 0x00, 0x01]);
+ let ciphertext = "";
+ try {
+ ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+ } catch (e) {
+ ok(false, "Error encrypting " + e);
+ }
+
+ // Decrypting should give us the plaintext bytes again.
+ try {
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text."
+ );
+ } catch (e) {
+ ok(false, "Error decrypting ciphertext " + e);
+ }
+
+ // Decrypting with a wrong key should throw an error.
+ try {
+ await keystore.asyncDecryptBytes(LABELS[1], ciphertext);
+ ok(false, "Decrypting with the wrong key should fail.");
+ } catch (e) {
+ ok(true, "Decrypting with the wrong key should fail " + e);
+ }
+}
+
+add_task(async function () {
+ await delete_all_secrets();
+ await encrypt_decrypt_test();
+ await delete_all_secrets();
+});
+
+// Test that using a recovery phrase works.
+add_task(async function () {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x01, 0x00, 0x01]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ await keystore.asyncDeleteSecret(LABELS[0]);
+ // Decrypting should fail after deleting the secret.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() =>
+ ok(false, "decrypting didn't throw as expected after deleting the secret")
+ )
+ .catch(() =>
+ ok(true, "decrypting threw as expected after deleting the secret")
+ );
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that trying to use a non-base64 recovery phrase fails.
+add_task(async function () {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "@##$^&*()#$^&*(@#%&*_")
+ .then(() =>
+ ok(false, "base64-decoding non-base64 should have failed but didn't")
+ )
+ .catch(() => ok(true, "base64-decoding non-base64 failed as expected"));
+
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(
+ recoveryPhrase && !!recoveryPhrase.length,
+ "we should be able to re-use that label to generate a new secret"
+ );
+ await delete_all_secrets();
+});
+
+// Test that re-using a label overwrites any previously-stored secret.
+add_task(async function () {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+ // The new secret replaced the old one so we shouldn't be able to decrypt the ciphertext now.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() =>
+ ok(false, "decrypting without the original key should have failed")
+ )
+ .catch(() =>
+ ok(true, "decrypting without the original key failed as expected")
+ );
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text (once we have the original key again)."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that re-using a label (this time using a recovery phrase) overwrites any previously-stored
+// secret.
+add_task(async function () {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+
+ // We recovered the old secret, so decrypting ciphertext that had been encrypted with the newer
+ // key should fail.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() => ok(false, "decrypting without the new key should have failed"))
+ .catch(() => ok(true, "decrypting without the new key failed as expected"));
+
+ await keystore.asyncRecoverSecret(LABELS[0], newRecoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text (once we have the new key again)."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that trying to use recovery phrases that are the wrong size fails.
+add_task(async function () {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "")
+ .then(() => ok(false, "'recovering' with an empty key should have failed"))
+ .catch(() => ok(true, "'recovering' with an empty key failed as expected"));
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "AAAAAA")
+ .then(() =>
+ ok(false, "recovering with a key that is too short should have failed")
+ )
+ .catch(() =>
+ ok(true, "recovering with a key that is too short failed as expected")
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ await keystore
+ .asyncRecoverSecret(
+ LABELS[0],
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+ )
+ .then(() =>
+ ok(false, "recovering with a key that is too long should have failed")
+ )
+ .catch(() =>
+ ok(true, "recovering with a key that is too long failed as expected")
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(
+ recoveryPhrase && !!recoveryPhrase.length,
+ "we should be able to use that label to generate a new secret"
+ );
+ ok(
+ await keystore.asyncSecretAvailable(LABELS[0]),
+ "the generated secret should now be available"
+ );
+
+ await delete_all_secrets();
+});
diff --git a/security/manager/ssl/tests/unit/test_osreauthenticator.js b/security/manager/ssl/tests/unit/test_osreauthenticator.js
new file mode 100644
index 0000000000..01784a5fef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_osreauthenticator.js
@@ -0,0 +1,27 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests nsIOSReauthenticator.asyncReauthenticateUser().
+// As this gets implemented on various platforms, running this test
+// will result in a prompt from the OS. Consequently, we won't be able
+// to run this in automation, but it will help in testing locally.
+add_task(async function test_asyncReauthenticateUser() {
+ const reauthenticator = Cc[
+ "@mozilla.org/security/osreauthenticator;1"
+ ].getService(Ci.nsIOSReauthenticator);
+ ok(reauthenticator, "nsIOSReauthenticator should be available");
+ const EXPECTED = false; // Change this variable to suit your needs while testing.
+ ok(
+ (
+ await reauthenticator.asyncReauthenticateUser(
+ "this is the prompt string",
+ "this is the caption string",
+ null
+ )
+ )[0] == EXPECTED,
+ "nsIOSReauthenticator.asyncReauthenticateUser should return a boolean array with the first item being the authentication result of: " +
+ EXPECTED
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_password_prompt.js b/security/manager/ssl/tests/unit/test_password_prompt.js
new file mode 100644
index 0000000000..cf4c6db7bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_password_prompt.js
@@ -0,0 +1,87 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM can successfully ask for a password from the user and relay it
+// back to NSS. Does so by mocking out the actual dialog and "filling in" the
+// password. Also tests that providing an incorrect password will fail (well,
+// technically the user will just get prompted again, but if they then cancel
+// the dialog the overall operation will fail).
+
+var gMockPrompter = {
+ passwordToTry: null,
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+ do_get_profile();
+
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+
+ // Set an initial password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("hunter2");
+ token.logoutSimple();
+
+ // Try with the correct password.
+ gMockPrompter.passwordToTry = "hunter2";
+ // Using nsISecretDecoderRing will cause the password prompt to come up if the
+ // token has a password and is logged out.
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+ sdr.encryptString("poke");
+ equal(gMockPrompter.numPrompts, 1, "should have prompted for password once");
+
+ // Reset state.
+ gMockPrompter.numPrompts = 0;
+ token.logoutSimple();
+
+ // Try with an incorrect password.
+ gMockPrompter.passwordToTry = "*******";
+ throws(
+ () => sdr.encryptString("poke2"),
+ /NS_ERROR_FAILURE/,
+ "logging in with the wrong password should fail"
+ );
+ equal(gMockPrompter.numPrompts, 2, "should have prompted for password twice");
+}
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
new file mode 100644
index 0000000000..1a0fa866aa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@@ -0,0 +1,318 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+//
+// For all cases, the acceptable pinset includes only certificates pinned to
+// Test End Entity Cert (signed by issuer testCA). Other certificates
+// are issued by otherCA, which is never in the pinset but is a user-specified
+// trust anchor. This test covers multiple cases:
+//
+// Pinned domain include-subdomains.pinning.example.com includes subdomains
+// - PASS: include-subdomains.pinning.example.com serves a correct cert
+// - PASS: good.include-subdomains.pinning.example.com serves a correct cert
+// - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert
+// not in the pinset
+// - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not
+// in the pinset, but issued by a user-specified trust domain
+//
+// Pinned domain exclude-subdomains.pinning.example.com excludes subdomains
+// - PASS: exclude-subdomains.pinning.example.com serves a correct cert
+// - FAIL: exclude-subdomains.pinning.example.com serves an incorrect cert
+// (TODO: test using verifyCertNow)
+// - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert
+
+"use strict";
+
+// Enable the collection (during test) for all products so even products
+// that don't collect the data will be able to run the test without failure.
+Services.prefs.setBoolPref(
+ "toolkit.telemetry.testing.overrideProductsCheck",
+ true
+);
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function add_clear_override(host) {
+ add_test(function () {
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride(host, 8443, {});
+ run_next_test();
+ });
+}
+
+function test_strict() {
+ // In strict mode, we always evaluate pinning data, regardless of whether the
+ // issuer is a built-in trust anchor. We only enforce pins that are not in
+ // test mode.
+ add_test(function () {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
+ run_next_test();
+ });
+
+ // Normally this is overridable. But, since we have pinning information for
+ // this host, we don't allow overrides.
+ add_prevented_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+ // Issued by otherCA, which is not in the pinset for pinning.example.com.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+
+ // Check that using a FQDN doesn't bypass pinning.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com.",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+ // For some reason this is also navigable (see bug 1118522).
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com..",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+
+ // These domains serve certs that match the pinset.
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain serves a cert that doesn't match the pinset, but subdomains
+ // are excluded.
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain's pinset is exactly the same as
+ // include-subdomains.pinning.example.com, serves the same cert as
+ // bad.include-subdomains.pinning.example.com, but it should pass because
+ // it's in test_mode.
+ add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+ // Similarly, this pin is in test-mode, so it should be overridable.
+ add_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_mitm() {
+ // In MITM mode, we allow pinning to pass if the chain resolves to any
+ // user-specified trust anchor, even if it is not in the pinset.
+ add_test(function () {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
+ run_next_test();
+ });
+
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // Normally this is overridable. But, since we have pinning information for
+ // this host, we don't allow overrides (since building a trusted chain fails,
+ // we have no reason to believe this was issued by a user-added trust
+ // anchor, so we can't allow overrides for it).
+ add_prevented_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+ // In this case, even though otherCA is not in the pinset, it is a
+ // user-specified trust anchor and the pinning check succeeds.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+ add_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_disabled() {
+ // Disable pinning.
+ add_test(function () {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0);
+ run_next_test();
+ });
+
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+
+ add_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+ add_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_enforce_test_mode() {
+ // In enforce test mode, we always enforce all pins, even test pins.
+ add_test(function () {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3);
+ run_next_test();
+ });
+
+ // Normally this is overridable. But, since we have pinning information for
+ // this host, we don't allow overrides.
+ add_prevented_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+ // Issued by otherCA, which is not in the pinset for pinning.example.com.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+
+ // These domains serve certs that match the pinset.
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain serves a cert that doesn't match the pinset, but subdomains
+ // are excluded.
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain's pinset is exactly the same as
+ // include-subdomains.pinning.example.com, serves the same cert as
+ // bad.include-subdomains.pinning.example.com, is in test-mode, but we are
+ // enforcing test mode pins.
+ add_connection_test(
+ "test-mode.pinning.example.com",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+ // Normally this is overridable. But, since we have pinning information for
+ // this host (and since we're enforcing test mode), we don't allow overrides.
+ add_prevented_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function check_pinning_telemetry() {
+ let prod_histogram = Services.telemetry
+ .getHistogramById("CERT_PINNING_RESULTS")
+ .snapshot();
+ let test_histogram = Services.telemetry
+ .getHistogramById("CERT_PINNING_TEST_RESULTS")
+ .snapshot();
+ // Because all of our test domains are pinned to user-specified trust
+ // anchors, effectively only strict mode and enforce test-mode get evaluated
+ equal(
+ prod_histogram.values[0],
+ 4,
+ "Actual and expected prod (non-Mozilla) failure count should match"
+ );
+ equal(
+ prod_histogram.values[1],
+ 6,
+ "Actual and expected prod (non-Mozilla) success count should match"
+ );
+ equal(
+ test_histogram.values[0],
+ 2,
+ "Actual and expected test (non-Mozilla) failure count should match"
+ );
+ equal(
+ test_histogram.values[1] || 0,
+ 0,
+ "Actual and expected test (non-Mozilla) success count should match"
+ );
+
+ run_next_test();
+}
+
+function run_test() {
+ // Ensure that static pinning works when HPKP is disabled.
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
+
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ // Add a user-specified trust anchor.
+ addCertFromFile(certdb, "bad_certs/other-test-ca.pem", "CTu,u,u");
+
+ test_strict();
+ test_mitm();
+ test_disabled();
+ test_enforce_test_mode();
+
+ add_test(function () {
+ check_pinning_telemetry();
+ });
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_module.js b/security/manager/ssl/tests/unit/test_pkcs11_module.js
new file mode 100644
index 0000000000..abad2dbb54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_module.js
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 module and
+// the module database.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const gModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+);
+
+function run_test() {
+ // Check that if we have never added the test module, that we don't find it
+ // in the module list.
+ checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+ // Check that adding the test module makes it appear in the module list.
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ loadPKCS11Module(libraryFile, "PKCS11 Test Module", true);
+ let testModule = checkPKCS11ModuleExists(
+ "PKCS11 Test Module",
+ "pkcs11testmodule"
+ );
+
+ // Check that listing the slots for the test module works.
+ let testModuleSlotNames = Array.from(
+ testModule.listSlots(),
+ slot => slot.name
+ );
+ testModuleSlotNames.sort();
+ const expectedSlotNames = [
+ "Empty PKCS11 Slot",
+ "Test PKCS11 Slot",
+ "Test PKCS11 Slot 二",
+ ];
+ deepEqual(
+ testModuleSlotNames,
+ expectedSlotNames,
+ "Actual and expected slot names should be equal"
+ );
+
+ // Check that deleting the test module makes it disappear from the module list.
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ pkcs11ModuleDB.deleteModule("PKCS11 Test Module");
+ checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+ // Check miscellaneous module DB methods and attributes.
+ ok(!gModuleDB.canToggleFIPS, "It should NOT be possible to toggle FIPS");
+ ok(!gModuleDB.isFIPSEnabled, "FIPS should not be enabled");
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
new file mode 100644
index 0000000000..e8cbf17abf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that adding modules with invalid names are prevented.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function run_test() {
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ throws(
+ () => moduleDB.addModule("Root Certs", libraryFile.path, 0, 0),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Adding a module named 'Root Certs' should fail."
+ );
+ throws(
+ () => moduleDB.addModule("", libraryFile.path, 0, 0),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Adding a module with an empty name should fail."
+ );
+
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ let rootsModuleName = bundle.GetStringFromName("RootCertModuleName");
+ let foundRootsModule = false;
+ for (let module of moduleDB.listModules()) {
+ if (module.name == rootsModuleName) {
+ foundRootsModule = true;
+ break;
+ }
+ }
+ ok(
+ foundRootsModule,
+ "Should be able to find builtin roots module by localized name."
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
new file mode 100644
index 0000000000..e4e3467d79
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// In safe mode, PKCS#11 modules should not be loaded. This test tests this by
+// simulating starting in safe mode and then attempting to load a module.
+
+function run_test() {
+ do_get_profile();
+
+ // Simulate starting in safe mode.
+ let xulRuntime = {
+ inSafeMode: true,
+ logConsoleErrors: true,
+ OS: "XPCShell",
+ XPCOMABI: "noarch-spidermonkey",
+ invalidateCachesOnRestart: function invalidateCachesOnRestart() {
+ // Do nothing
+ },
+ QueryInterface: ChromeUtils.generateQI(["nsIXULRuntime"]),
+ };
+
+ let xulRuntimeFactory = {
+ createInstance(iid) {
+ return xulRuntime.QueryInterface(iid);
+ },
+ };
+
+ let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
+ const XULRUNTIME_CONTRACTID = "@mozilla.org/xre/runtime;1";
+ const XULRUNTIME_CID = Components.ID(
+ "{f0f0b230-5525-4127-98dc-7bca39059e70}"
+ );
+ registrar.registerFactory(
+ XULRUNTIME_CID,
+ "XULRuntime",
+ XULRUNTIME_CONTRACTID,
+ xulRuntimeFactory
+ );
+
+ // When starting in safe mode, the test module should fail to load.
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let libraryName = ctypes.libraryName("pkcs11testmodule");
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(libraryName);
+ ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+ throws(
+ () =>
+ pkcs11ModuleDB.addModule("PKCS11 Test Module", libraryFile.path, 0, 0),
+ /NS_ERROR_FAILURE/,
+ "addModule should throw when in safe mode"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_slot.js b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
new file mode 100644
index 0000000000..dba2a4d3a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
@@ -0,0 +1,161 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 slot.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function find_slot_by_name(module, name) {
+ for (let slot of module.listSlots()) {
+ if (slot.name == name) {
+ return slot;
+ }
+ }
+ return null;
+}
+
+function find_module_by_name(moduleDB, name) {
+ for (let slot of moduleDB.listModules()) {
+ if (slot.name == name) {
+ return slot;
+ }
+ }
+ return null;
+}
+
+var gPrompt = {
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gPrompt| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ alert(title, text) {
+ equal(
+ text,
+ "Please authenticate to the token “Test PKCS11 Tokeñ 2 Labelâ€. " +
+ "How to do so depends on the token (for example, using a fingerprint " +
+ "reader or entering a code with a keypad)."
+ );
+ },
+};
+
+const gPromptFactory = {
+ QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]),
+ getPrompt: (aWindow, aIID) => gPrompt,
+};
+
+function run_test() {
+ MockRegistrar.register("@mozilla.org/prompter;1", gPromptFactory);
+
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ loadPKCS11Module(libraryFile, "PKCS11 Test Module", false);
+
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let testModule = find_module_by_name(moduleDB, "PKCS11 Test Module");
+ notEqual(testModule, null, "should be able to find test module");
+ let testSlot = find_slot_by_name(testModule, "Test PKCS11 Slot 二");
+ notEqual(testSlot, null, "should be able to find 'Test PKCS11 Slot 二'");
+
+ equal(
+ testSlot.name,
+ "Test PKCS11 Slot 二",
+ "Actual and expected name should match"
+ );
+ equal(
+ testSlot.desc,
+ "Test PKCS11 Slot 二",
+ "Actual and expected description should match"
+ );
+ equal(
+ testSlot.manID,
+ "Test PKCS11 Manufacturer ID",
+ "Actual and expected manufacturer ID should match"
+ );
+ equal(
+ testSlot.HWVersion,
+ "0.0",
+ "Actual and expected hardware version should match"
+ );
+ equal(
+ testSlot.FWVersion,
+ "0.0",
+ "Actual and expected firmware version should match"
+ );
+ equal(
+ testSlot.status,
+ Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN,
+ "Actual and expected status should match"
+ );
+ equal(
+ testSlot.tokenName,
+ "Test PKCS11 Tokeñ 2 Label",
+ "Actual and expected token name should match"
+ );
+
+ let testToken = testSlot.getToken();
+ notEqual(testToken, null, "getToken() should succeed");
+ equal(
+ testToken.tokenName,
+ "Test PKCS11 Tokeñ 2 Label",
+ "Spot check: the actual and expected test token names should be equal"
+ );
+ ok(!testToken.isInternalKeyToken, "This token is not the internal key token");
+
+ testToken.login(true);
+ ok(testToken.isLoggedIn(), "Should have 'logged in' successfully");
+
+ testSlot = find_slot_by_name(testModule, "Empty PKCS11 Slot");
+ notEqual(testSlot, null, "should be able to find 'Empty PKCS11 Slot'");
+ equal(testSlot.tokenName, null, "Empty slot is empty");
+ equal(
+ testSlot.status,
+ Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT,
+ "Actual and expected status should match"
+ );
+
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ let internalModule = find_module_by_name(
+ moduleDB,
+ "NSS Internal PKCS #11 Module"
+ );
+ notEqual(internalModule, null, "should be able to find internal module");
+ let cryptoSlot = find_slot_by_name(
+ internalModule,
+ bundle.GetStringFromName("TokenDescription")
+ );
+ notEqual(cryptoSlot, "should be able to find internal crypto slot");
+ equal(
+ cryptoSlot.desc,
+ bundle.GetStringFromName("SlotDescription"),
+ "crypto slot should have expected 'desc'"
+ );
+ equal(
+ cryptoSlot.manID,
+ bundle.GetStringFromName("ManufacturerID"),
+ "crypto slot should have expected 'manID'"
+ );
+ let keySlot = find_slot_by_name(
+ internalModule,
+ bundle.GetStringFromName("PrivateTokenDescription")
+ );
+ notEqual(keySlot, "should be able to find internal key slot");
+ equal(
+ keySlot.desc,
+ bundle.GetStringFromName("PrivateSlotDescription"),
+ "key slot should have expected 'desc'"
+ );
+ equal(
+ keySlot.manID,
+ bundle.GetStringFromName("ManufacturerID"),
+ "key slot should have expected 'manID'"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_token.js b/security/manager/ssl/tests/unit/test_pkcs11_token.js
new file mode 100644
index 0000000000..575fc26b88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_token.js
@@ -0,0 +1,149 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 token, using
+// the internal key token.
+// We don't use either of the test tokens in the test PKCS #11 module because:
+// 1. Test token 1 cyclically inserts and removes itself in a tight loop.
+// Using token 1 would complicate the test and introduce intermittent
+// failures.
+// 2. Neither test token implements login or password related functionality.
+// We want to test such functionality.
+// 3. Using the internal token lets us actually test the internal token works
+// as expected.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function checkBasicAttributes(token) {
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+
+ let expectedTokenName = bundle.GetStringFromName("PrivateTokenDescription");
+ equal(
+ token.tokenName,
+ expectedTokenName,
+ "Actual and expected name should match"
+ );
+ equal(
+ token.tokenManID,
+ bundle.GetStringFromName("ManufacturerID"),
+ "Actual and expected manufacturer ID should match"
+ );
+ equal(
+ token.tokenHWVersion,
+ "0.0",
+ "Actual and expected hardware version should match"
+ );
+ equal(
+ token.tokenFWVersion,
+ "0.0",
+ "Actual and expected firmware version should match"
+ );
+ equal(
+ token.tokenSerialNumber,
+ "0000000000000000",
+ "Actual and expected serial number should match"
+ );
+}
+
+/**
+ * Checks the various password related features of the given token.
+ * The token should already have been init with a password and be logged into.
+ * The password of the token will be reset after calling this function.
+ *
+ * @param {nsIPK11Token} token
+ * The token to test.
+ * @param {string} initialPW
+ * The password that the token should have been init with.
+ */
+function checkPasswordFeaturesAndResetPassword(token, initialPW) {
+ ok(
+ !token.needsUserInit,
+ "Token should not need user init after setting a password"
+ );
+ ok(
+ token.hasPassword,
+ "Token should have a password after setting a password"
+ );
+
+ ok(
+ token.checkPassword(initialPW),
+ "checkPassword() should succeed if the correct initial password is given"
+ );
+ token.changePassword(initialPW, "newPW ÿ 一二三");
+ ok(
+ token.checkPassword("newPW ÿ 一二三"),
+ "checkPassword() should succeed if the correct new password is given"
+ );
+
+ ok(
+ !token.checkPassword("wrongPW"),
+ "checkPassword() should fail if an incorrect password is given"
+ );
+ ok(
+ !token.isLoggedIn(),
+ "Token should be logged out after an incorrect password was given"
+ );
+ ok(
+ !token.needsUserInit,
+ "Token should still be init with a password even if an incorrect " +
+ "password was given"
+ );
+
+ token.reset();
+ ok(token.needsUserInit, "Token should need password init after reset");
+ ok(!token.hasPassword, "Token should not have a password after reset");
+ ok(!token.isLoggedIn(), "Token should be logged out of after reset");
+}
+
+function run_test() {
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ notEqual(token, null, "The internal token should be present");
+ ok(
+ token.isInternalKeyToken,
+ "The internal token should be represented as such"
+ );
+
+ checkBasicAttributes(token);
+
+ ok(!token.isLoggedIn(), "Token should not be logged into yet");
+ // Test that attempting to log out even when the token was not logged into
+ // does not result in an error.
+ token.logoutSimple();
+ ok(!token.isLoggedIn(), "Token should still not be logged into");
+ ok(
+ !token.hasPassword,
+ "Token should not have a password before it has been set"
+ );
+
+ let initialPW = "foo 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/? 一二三";
+ token.initPassword(initialPW);
+ token.login(/* force */ false);
+ ok(token.isLoggedIn(), "Token should now be logged into");
+
+ checkPasswordFeaturesAndResetPassword(token, initialPW);
+
+ // We reset the password previously, so we need to initialize again.
+ token.initPassword("arbitrary");
+ ok(
+ token.isLoggedIn(),
+ "Token should be logged into after initializing password again"
+ );
+ token.logoutSimple();
+ ok(
+ !token.isLoggedIn(),
+ "Token should be logged out after calling logoutSimple()"
+ );
+
+ ok(
+ token.needsLogin(),
+ "The internal token should always need authentication"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js
new file mode 100644
index 0000000000..127c533439
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js
@@ -0,0 +1,20 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods for interfacing with the PKCS #11 token database.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function run_test() {
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+
+ notEqual(
+ tokenDB.getInternalKeyToken(),
+ null,
+ "The internal token should be non-null"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem
new file mode 100644
index 0000000000..8401bd3e87
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAsegAwIBAgIQDGdiB3elq8S6U12Nrc+a1zAKBggqhkjOPQQDAzBhMQsw
+CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
+ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
+Fw0xODEyMjExMjAwMDBaFw0zMTA2MDgxMjAwMDBaMGIxHDAaBgNVBAMME0FwcGxl
+IElTVCBDQSA4IC0gRzExIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABC1UjmiwEBPv9C3b2AmyQ+idZZluNLjUl8mOydaoIjcyyHFg
+7rDx8sVk9rpHX/zmB3gyLfbKgCDJ/XD4cpMhiEWjggFeMIIBWjAdBgNVHQ4EFgQU
+w8SkWAVj14MGupaN3LKPMva7t0EwHwYDVR0jBBgwFoAUs9tIpPmhxdiuNkHMEWNp
+Yim8S8YwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+BQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF
+BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1UdHwQ7MDkwN6A1oDOG
+MWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMy5j
+cmwwWwYDVR0gBFQwUjAMBgoqhkiG92NkBQsEMAgGBmeBDAECAjA4BgpghkgBhv1s
+AAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw
+CgYIKoZIzj0EAwMDZwAwZAIwaMzTwP/37zR/ZM5T7OGnd9hYStUPL3QlqDXGhNUZ
+cUZM7UmDZWvBS97XS9wKCtxPAjAeetP564whYQw4g3yLIEqpXNiHCW1Pf1e+uXMa
+g1fK+AQr8p7TR2320C8NorVUcfM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem
new file mode 100644
index 0000000000..5e3054e80e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGnzCCBkWgAwIBAgIQVwXojWDvTZtfUY6TR9QUTDAKBggqhkjOPQQDAjBiMRww
+GgYDVQQDDBNBcHBsZSBJU1QgQ0EgOCAtIEcxMSAwHgYDVQQLDBdDZXJ0aWZpY2F0
+aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw
+HhcNMTkwMzExMjEzMjQxWhcNMjEwNDA5MjEzMjQxWjB2MRYwFAYDVQQDDA1jZHMu
+YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuNjY1MDM1
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD
+VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHADA5vqarO+Cj0Ha6T
+uh/JhKmaIVuz0z7dVZUIBgVbxNOE3FW8zJTH20k4NBAnls3IXkJEiOWtt8GZbzlS
+cXijggTHMIIEwzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW
+jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl
+cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0
+cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDUwGAYDVR0R
+BBEwD4INY2RzLmFwcGxlLmNvbTCB/gYDVR0gBIH2MIHzMIHwBgoqhkiG92NkBQsE
+MIHhMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNh
+dGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiBhbnkgYXBwbGlj
+YWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UgYW5kL29yIGNlcnRpZmlj
+YXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOAYIKwYBBQUHAgIwLAwqaHR0cDov
+L3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmNybDAdBgNVHQ4EFgQUtfKFXS+GsdSn
+im90n/2GX/X47rgwDgYDVR0PAQH/BAQDAgOIMIICbgYKKwYBBAHWeQIEAgSCAl4E
+ggJaAlgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWlutS/9
+AAAEAwBHMEUCIQC7JOfynh9ir4vZfE39sB2b7b9u6hwSo3i1A0WMCsB2kwIgHnqJ
+dmGCaGHryIgFREBginRf879Km3zjdnCR4XjGTN4AdgDuS723dc5guuFCaR+r4Z5m
+ow9+X7By2IMAxHuJeqj9ywAAAWlutS/9AAAEAwBHMEUCIQD+dYvPDT3PQ6T4eqqF
+SSHsHU+ETeeMIhPWF1+5xxt0igIgbjEPNy+PV3wa0+dw4Umqvlp4padXYhF/zxKQ
+UVSF5u0AdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWlutTHE
+AAAEAwBHMEUCIQCsggeANxAqJffU5L8inc3QZCQpC5f3ILhwSymugYaelQIgOKLJ
+RmDt2rvI10G661L9MO0g4SHSbGZcTnkMVzUlSOUAdgBvU3asMfAxGdiZAKRRFf93
+FRwR2QLBACkGjbIImjfZEwAAAWlutTH/AAAEAwBHMEUCIFA7S1eyu7kxhvnAmVyB
+fJUi7cy2/bizaC0LLE0w35dNAiEA+aIKxhYy6VAAyGAmTiAOA/VU/pDtQp4uUIKF
+azgRpscAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWlutTA2
+AAAEAwBHMEUCIQDkm2/8xF0dSiyO/o8iwKPjEgYYhokUM03KLiSZWUSRzQIgMp5z
+ryZTqIHFLgbE0y7L8CCDvgZRRyoKbnBcCaGJJ1gwCgYIKoZIzj0EAwIDSAAwRQIh
+AKJgejWMoWWP42EQIPsvua2biHvRng0QcgA3+0GLzcjXAiBr2xfk0vGWinDLG3gz
+m73X42sCFxyMZrLDbgyeBQNI8A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
new file mode 100644
index 0000000000..7dd59895af
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw
+MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg
+0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy
+Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5
+tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/
+Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx
+UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem
new file mode 100644
index 0000000000..95316b235e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUN+Dcp+HeMvZhIJ3BD5af4bwrj4IwDQYJKoZIhvcNAQEL
+BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
+HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNjA2MDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowKTEnMCUGA1UEAwweZWUtZnJvbS1hbGxvd2xpc3Qt
+YWZ0ZXItY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABozowODA2BgNVHREELzAtgitzeW1hbnRlYy1hbGxv
+d2xpc3QtYWZ0ZXItY3V0b2ZmLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IB
+AQB/2Pgyyje+T4uKkibYZ537NZB6OUvef4nrGtswjxKbUnHzrLK1kJd3mtyNpydK
+fzW8WV1CR+nltFI5oaoOAf26FuQfaoCADmlmFlirgnm2fEH2xCokDCQHIgQxNwXr
+Ok6JTHWeuaOsu+verDPjkuUATnONY+FRTBxfPh5B3OA+aBO62bAeNCAjIya1U60S
+emAnleYtwhXs0Q9TLsR7O7aSYP3FgnqnWPuOkPF3wrUiE8Nrd3givz5OJW42IU63
+ijiojHtPpjAiudbzD8y1zuDcxTxiI4jEjTDS1kIqnvHd3f4bSxpgcQUPk44nu+wO
+j5+as/TRu5dC+xHmWCVT10yd
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
new file mode 100644
index 0000000000..c8a4249dfc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-allowlist-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-allowlist-after-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
new file mode 100644
index 0000000000..0c8a52b8d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUVWP+EbM7hYQLOXoABvWpRwoPWJ0wDQYJKoZIhvcNAQEL
+BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
+HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNDA2MDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtZnJvbS1hbGxvd2xpc3Qt
+YmVmb3JlLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaM7MDkwNwYDVR0RBDAwLoIsc3ltYW50ZWMtYWxs
+b3dsaXN0LWJlZm9yZS1jdXRvZmYuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBAFhn9xNv/Yp1Ua9OX7oXgbVgzxCIAm6/zDK7V4V37P5em/lI85OpbuuTO4ns
+9VB2/nijkELhSkiyCjmCaxQhlUBzA/2wJeNIfaWu9Mq5MR6jWShhNXND66lTCDIQ
+wGVQkBl8/3OqSD4IFI3pKAiPhCGsUnRIhGSARcrFMQpKssnN5XN1ump1YA7/u6Kv
+apNbKccgKvLekO8/kUpFrpHt+uQaNS2IeVrmOnNh4GtyD3DG1ZDcZ1VgLAnzbVUg
+xiUbs58mY0o1qumuzqJ0/ie5UPOjWnoXSNq6dd4jqsXcFeYXe106G6arV5BLN1Pa
+gNxxfOfBcebE1OwxZpfQwNy3JxI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec
new file mode 100644
index 0000000000..51cecd1f8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-allowlist-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-allowlist-before-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem
new file mode 100644
index 0000000000..65eab919b5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUNWWgyC4I0/jmqdamoCRL0qhP3QQwDQYJKoZIhvcNAQEL
+BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG
+A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNjA2MDEw
+MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtbm90LWFsbG93
+bGlzdGVkLWFmdGVyLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNAMD4wPAYDVR0RBDUwM4Ixc3ltYW50
+ZWMtbm90LWFsbG93bGlzdGVkLWFmdGVyLWN1dG9mZi5leGFtcGxlLmNvbTANBgkq
+hkiG9w0BAQsFAAOCAQEARlQNYz+w2ekzdX8FKwlWoMX6Df5o4ZhXreRK9V4SuYJg
+SvAucL35TuTKkBz9C5VPjAL/Qts4n5DKWaWQfsvoCJOGtTMEKd1MEL9RbMFOewI0
+tN9sV9aMNsmhNPL4PB3A7lKJb8gi/tyoN3BXjsaZBxmyi5A6Vt3lyybgMOSTdzR6
+u2XAPm+zNDrOzc2tavZEyhEKzptaJuCQrefcnAM9JTHtJhvJp30WWighJyclqmRX
+bLDYaHRRuRI0jkgrrcUKolau8YKsSoIBoxP2aels8drZDH4UAC86GW2iF/tK+J65
++JJ2Mk9erdcLoYGLxHZqQySpRaFtciSF+Uym1nmNxA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec
new file mode 100644
index 0000000000..85edcf742d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-allowlisted-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-not-allowlisted-after-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem
new file mode 100644
index 0000000000..23d6fec107
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjWgAwIBAgIUaxGuzjOrA/2qScMaz5tKQTUrvAYwDQYJKoZIhvcNAQEL
+BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG
+A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNDA2MDEw
+MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKzEpMCcGA1UEAwwgZWUtbm90LWFsbG93
+bGlzdGVkLWJlZm9yZS1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjQTA/MD0GA1UdEQQ2MDSCMnN5bWFu
+dGVjLW5vdC1hbGxvd2xpc3RlZC1iZWZvcmUtY3V0b2ZmLmV4YW1wbGUuY29tMA0G
+CSqGSIb3DQEBCwUAA4IBAQBCkIIEXnX/3rv0JuF0FZEpROnQw8zoa4vZjwG1NmvH
++PwnTL7FvBg9QBK0n8ZKfCMqJU98jR5+x6V9Eo2amXEYRAsxCU6kY/Xz43OxGLQz
+5cbr9eDswWmt7h/LXl0tsprpgfBNaQ9512UbPMkDG4MSwLjkuTgdnM4dBsLURrAU
+5lcukutuNYJ7x92/Ah7hffouB6QHyP80onxqqQTQs2j/0MvJxlUWrnKBzk+B475W
+/1iMOCE3r2q6+TVp1sun9mcn7UvRHQRPvjSdjujjJ++5fqH5s4cF2Sv4lv+dEGJn
+xrr/a9GA3bUE6Iq9PbAeX3l7RaP+q/znSDBtaLYZ1Xau
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
new file mode 100644
index 0000000000..b736169a04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-allowlisted-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-not-allowlisted-before-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
new file mode 100644
index 0000000000..70bfa802ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIUHayrfZ5YGkWYRPXIsNuGSemGyk8wDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMEkx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxHb29n
+bGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8EBAMCAQYw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUMbnz3c2Evfehzm1LU+L
+3UL3alL/C5jteDjrrNqkamAZF26klGAZ5AX2tW6yG4bOnmZMzqkW/NV8+ydE6HGW
+oVwm+qekOyR4nSPHS5mZRdHD3uBrVJ0PR2rUyk/6oIVBYEcNHY/vuHMorQ0q2plq
+Z+62i1SHuq5qxP9apKmhvmgwvna3ber9VH8DgiZLJRAuiDAXpanGZh37dm/e2ZVI
+OgVctvRIb7ETcDrSbj4oOKo4WwFaZHlsN1ee0hstxDnIVXWzu5cCdqGALlw2N1av
+RPUgDI0kshVojmvKFwnYptE1Ru+CYf403ZD7gt3ZvHueOTpEEKLRQp1QRELXIx/7
+XQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec
new file mode 100644
index 0000000000..518527b741
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
new file mode 100644
index 0000000000..819d8a30da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFzCCAf+gAwIBAgIUBy1RVPb6jMqyBSQwtlK+jZftnKIwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAxMDAxMDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3Ro
+ZXIgQ0EgSW5jLjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhl
+cnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQAs7dfRClCtgzMfYVRIciVqdjNR+jeFLmYFCDDqx5h6zve4VfxK
+AEQPWNsIVdPlu+djILHHd9+RvLSHh5HqeXKppBevnux2SxwfXJQ3T+ysqGxH4tEQ
+BCgXryt8v5q/DL9H2+T352NJCh7ZMkftEta3Hchtr4TSaT7udtib1uQ9JeLx97LJ
+A6aI8SpfI/as1Ku1LAAV9rfhkJgMyeC0ppMfTVGj/gjgq8fL52/9Su9Id8l+SeYD
+yLCXjPX0rhAjTeJyiOpAK9OPQgk7i3DRvdO/F+JCkTNE9V6PLX0J+30g+3YZND+a
+R81zibhRfa6Ki5cqRflHYhAY4GCFk7mhHLsL
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
new file mode 100644
index 0000000000..fdcb287cd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Unknown Issuer
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
new file mode 100644
index 0000000000..9057a0a0dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIUSyQ/MON3PZLW/WEcsIuOIT0kUlQwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaME8x
+CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNVBAMT
+HVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAfpCigqN5qPf/
+fD6N8a5taq4bsmggdNztYabFOFY8zIRNVYoVVAHd8a5FOlShKw1MTgRNEpzWcN4O
+rX16HCaKCJA6mGbkoE/XVqo/shQR1P0U8N75oeWgxd10IsWpJoYYtF38GIM+HZM4
+8NZ/aM2ViKWexlpa7KhmIjCNsP4U+VFXPwLLuKbegQ6miTwdyG5Sq2PLsjQEn4Xq
+/nHYyE3Nn+8H+dlyFuWn9XcJN9D9H3NqVGqAvnWWPR0Vz9Q5/iixw2Ym8NWNzlxa
+RXLC9Bfg1BDSJLttopU6qGPotuQkhlm1AElcauI9FaWATsdM82tNMK3hrHnTqV28
+C/BiYIunmA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
new file mode 100644
index 0000000000..0c96819f94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
new file mode 100644
index 0000000000..77f5a05963
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIUd4MA0Hhfw36r5rkFHdHo5/oSbTYwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMIGU
+MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
+BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxRTBDBgNVBAMTPFN5bWFudGVj
+IENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAKAdvWVDbB3GxOooXgqNElLvjYwmNcWk12CvQnwxglCRytY5
+DX4UhcCJ6TW8pcezPDEdqrkf4iR+UpgDyBUbVa4m5O5MHGYy3nRHfwT/js9hh2PH
+gcAmT0ivknTFlEcP4D0kp7HQr2kmlFuW64HOM+/3J7Zyvu3VNYAlqTlxgG7QyRaN
+3W3jfDvc5Ol0O0vyFmhHv0k1yOqLJiOmmOOujfltl4Grbvss+wsHjmP+WOH/BYRn
+ACDXdvGr9uu0Z2mymqP0Sy2ZKKrbA7dX5Q/RUr4p3EfyDuNgERx+pYXTUeQ3o9sL
+ynQmBa+9aWijUN2USC69EDX9zObn7lO8WV19dQM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
new file mode 100644
index 0000000000..f84697130c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
new file mode 100644
index 0000000000..4c3b9f406f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
@@ -0,0 +1,95 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+do_get_profile();
+
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+add_tls_server_setup(
+ "SanctionsTestServer",
+ "test_sanctions",
+ /* Don't try to load non-existent test-ca.pem */ false
+);
+
+addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u");
+
+// Add the necessary intermediates. This is important because the test server,
+// though it will attempt to send along an intermediate, isn't able to reliably
+// pick between the intermediate-other-crossigned and intermediate-other.
+add_test(function () {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-allowlisted.pem",
+ ",,"
+ );
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-other.pem",
+ ",,"
+ );
+ run_next_test();
+});
+
+add_connection_test(
+ "symantec-not-allowlisted-before-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+add_connection_test(
+ "symantec-not-allowlisted-after-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+// Add a cross-signed intermediate into the database, and ensure we still get
+// the expected error.
+add_test(function () {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-other-crossigned.pem",
+ ",,"
+ );
+ run_next_test();
+});
+
+add_connection_test(
+ "symantec-not-allowlisted-before-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+// Load the Apple EE cert and its intermediate, then verify
+// it at a reasonable time and make sure the allowlists work
+add_task(async function () {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/apple-ist-ca-8-g1-intermediate.pem",
+ ",,"
+ );
+ let allowlistedCert = constructCertFromFile(
+ "test_sanctions/cds-apple-com.pem"
+ );
+
+ // Since we don't want to actually try to fetch OCSP for this certificate,
+ // (as an external fetch is bad in the tests), disable OCSP first.
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+
+ // (new Date("2020-01-01")).getTime() / 1000
+ const VALIDATION_TIME = 1577836800;
+
+ await checkCertErrorGenericAtTime(
+ certDB,
+ allowlistedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ VALIDATION_TIME
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr.js b/security/manager/ssl/tests/unit/test_sdr.js
new file mode 100644
index 0000000000..e9e477efc5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr.js
@@ -0,0 +1,272 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various aspects of the nsISecretDecoderRing implementation.
+
+do_get_profile();
+
+let gSetPasswordShownCount = 0;
+
+// Mock implementation of nsITokenPasswordDialogs.
+const gTokenPasswordDialogs = {
+ setPassword(ctx, tokenName) {
+ gSetPasswordShownCount++;
+ info(`setPassword() called; shown ${gSetPasswordShownCount} times`);
+ info(`tokenName: ${tokenName}`);
+ return false; // Returning false means "the user didn't cancel".
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsITokenPasswordDialogs"]),
+};
+
+let gMockPrompter = {
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ // Returning false simulates the user canceling the password prompt.
+ return false;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+let gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+add_task(function setup() {
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+});
+
+add_task(function testEncryptString() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let inputs = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+ for (let input of inputs) {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(input);
+ convertedInput += converter.Finish();
+
+ let encrypted = sdr.encryptString(convertedInput);
+
+ notEqual(
+ convertedInput,
+ encrypted,
+ "Encrypted input should not just be the input itself"
+ );
+
+ try {
+ atob(encrypted);
+ } catch (e) {
+ ok(false, `encryptString() should have returned Base64: ${e}`);
+ }
+
+ equal(
+ convertedInput,
+ sdr.decryptString(encrypted),
+ "decryptString(encryptString(input)) should return input"
+ );
+ }
+
+ // Test invalid inputs for decryptString().
+ throws(
+ () => sdr.decryptString("*"),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "decryptString() should throw if given non-Base64 input"
+ );
+
+ // Test calling changePassword() pops up the appropriate dialog.
+ // Note: On Android, nsITokenPasswordDialogs is apparently not implemented,
+ // which also seems to prevent us from mocking out the interface.
+ if (AppConstants.platform != "android") {
+ let tokenPasswordDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsTokenPasswordDialogs;1",
+ gTokenPasswordDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(tokenPasswordDialogsCID);
+ });
+
+ equal(
+ gSetPasswordShownCount,
+ 0,
+ "changePassword() dialog should have been shown zero times"
+ );
+ sdr.changePassword();
+ equal(
+ gSetPasswordShownCount,
+ 1,
+ "changePassword() dialog should have been shown exactly once"
+ );
+ }
+});
+
+add_task(async function testAsyncEncryptStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let inputs = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+
+ let encrypteds = await sdr.asyncEncryptStrings(inputs);
+ for (let i = 0; i < inputs.length; i++) {
+ let encrypted = encrypteds[i];
+ let input = inputs[i];
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(input);
+ convertedInput += converter.Finish();
+ notEqual(
+ convertedInput,
+ encrypted,
+ "Encrypted input should not just be the input itself"
+ );
+
+ try {
+ atob(encrypted);
+ } catch (e) {
+ ok(false, `encryptString() should have returned Base64: ${e}`);
+ }
+
+ equal(
+ convertedInput,
+ sdr.decryptString(encrypted),
+ "decryptString(encryptString(input)) should return input"
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let testCases = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+
+ let convertedTestCases = testCases.map(tc => {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(tc);
+ convertedInput += converter.Finish();
+ return convertedInput;
+ });
+
+ let encryptedStrings = convertedTestCases.map(tc => sdr.encryptString(tc));
+ let decrypteds = await sdr.asyncDecryptStrings(encryptedStrings);
+ for (let i = 0; i < encryptedStrings.length; i++) {
+ let decrypted = decrypteds[i];
+
+ equal(
+ decrypted,
+ testCases[i],
+ "decrypted string should match expected value"
+ );
+ equal(
+ sdr.decryptString(encryptedStrings[i]),
+ convertedTestCases[i],
+ "decryptString(encryptString(input)) should return the initial decrypted string value"
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptInvalidStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test invalid inputs for sdr.asyncDecryptStrings
+ let testCases = [
+ "~bmV0cGxheQ==", // invalid base64 encoding
+ "bmV0cGxheQ==", // valid base64 characters but not encrypted
+ "https://www.example.com", // website address from erroneous migration
+ ];
+
+ let decrypteds = await sdr.asyncDecryptStrings(testCases);
+ equal(
+ decrypteds.length,
+ testCases.length,
+ "each testcase should still return a response"
+ );
+ for (let i = 0; i < decrypteds.length; i++) {
+ let decrypted = decrypteds[i];
+
+ equal(
+ decrypted,
+ "",
+ "decrypted string should be empty when trying to decrypt an invalid input with asyncDecryptStrings"
+ );
+
+ Assert.throws(
+ () => sdr.decryptString(testCases[i]),
+ /NS_ERROR_ILLEGAL_VALUE|NS_ERROR_FAILURE/,
+ `Check testcase would have thrown: ${testCases[i]}`
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptLoggedOut() {
+ // Set a master password.
+ let token = Cc["@mozilla.org/security/pk11tokendb;1"]
+ .getService(Ci.nsIPK11TokenDB)
+ .getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ await Assert.rejects(
+ sdr.asyncDecryptStrings(["irrelevant"]),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "Check error is thrown instead of returning empty strings"
+ );
+
+ token.reset();
+ token.initPassword("");
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting.js b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
new file mode 100644
index 0000000000..69b5c194df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
@@ -0,0 +1,79 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database. Creating the database is straight-forward:
+// simply run Firefox (or xpcshell) and encrypt something using
+// nsISecretDecoderRing (e.g. by saving a password or directly using the
+// interface). The resulting key4.db file (in the profile directory) now
+// contains the private key used to encrypt the data.
+
+function run_test() {
+ const keyDBName = "key4.db";
+ let profile = do_get_profile();
+ let keyDBFile = do_get_file(`test_sdr_preexisting/${keyDBName}`);
+ keyDBFile.copyTo(profile, keyDBName);
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ let testcases = [
+ // a full padding block
+ {
+ ciphertext:
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+ plaintext: "password",
+ },
+ // 7 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+ plaintext: "a",
+ },
+ // 6 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+ plaintext: "bb",
+ },
+ // 1 byte of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+ plaintext: "!seven!",
+ },
+ // 2 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+ plaintext: "sixsix",
+ },
+ // long plaintext requiring more than two blocks
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+ },
+ // this differs from the previous ciphertext by one bit and demonstrates
+ // that this implementation does not enforce message integrity
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+ },
+ ];
+
+ for (let testcase of testcases) {
+ let decrypted = sdr.decryptString(testcase.ciphertext);
+ equal(
+ decrypted,
+ testcase.plaintext,
+ "decrypted ciphertext should match expected plaintext"
+ );
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
new file mode 100644
index 0000000000..8f320dfdbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
new file mode 100644
index 0000000000..5c1b2bb653
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
@@ -0,0 +1,135 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database that has a password.
+// To create such a database, run Firefox (or xpcshell), set a primary
+// password, and then encrypt something using nsISecretDecoderRing.
+
+var gMockPrompter = {
+ passwordToTry: "password",
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+
+ // Append a single quote and non-ASCII characters to the profile path.
+ let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+ let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+ file.initWithPath(profd);
+ file.append("'÷1");
+ Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+ let profile = do_get_profile(); // must be called before getting nsIX509CertDB
+ Assert.ok(
+ /[^\x20-\x7f]/.test(profile.path),
+ "the profile path should contain a non-ASCII character"
+ );
+
+ let key4DBFile = do_get_file("test_sdr_preexisting_with_password/key4.db");
+ key4DBFile.copyTo(profile, "key4.db");
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ let testcases = [
+ // a full padding block
+ {
+ ciphertext:
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+ plaintext: "password",
+ },
+ // 7 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+ plaintext: "a",
+ },
+ // 6 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+ plaintext: "bb",
+ },
+ // 1 byte of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+ plaintext: "!seven!",
+ },
+ // 2 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+ plaintext: "sixsix",
+ },
+ // long plaintext requiring more than two blocks
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+ },
+ // this differs from the previous ciphertext by one bit and demonstrates
+ // that this implementation does not enforce message integrity
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+ },
+ ];
+
+ for (let testcase of testcases) {
+ let decrypted = sdr.decryptString(testcase.ciphertext);
+ equal(
+ decrypted,
+ testcase.plaintext,
+ "decrypted ciphertext should match expected plaintext"
+ );
+ }
+ equal(
+ gMockPrompter.numPrompts,
+ 1,
+ "Should have been prompted for a password once"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db
new file mode 100644
index 0000000000..959718da34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs.js b/security/manager/ssl/tests/unit/test_self_signed_certs.js
new file mode 100644
index 0000000000..ef0a38f9bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js
@@ -0,0 +1,109 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// This test uses a specially-crafted NSS cert DB containing 12 self-signed certificates that all
+// have the same subject and issuer distinguished name. Since they all have different keys and none
+// of them are trust anchors, there are a large number of potential trust paths that could be
+// explored. If our trust domain were naive enough to allow mozilla::pkix to explore them all, it
+// would take a long time to perform (mozilla::pkix does have the concept of a path-building budget,
+// but even on a fast computer, it takes an unacceptable amount of time to exhaust). To prevent the
+// full exploration of this space, NSSCertDBTrustDomain skips searching through self-signed
+// certificates that aren't trust anchors, since those would never otherwise be essential to
+// complete a path (note that this is only true as long as the extensions we support are restrictive
+// rather than additive).
+// When we try to verify one of these certificates in this test, we should finish relatively
+// quickly, even on slow hardware.
+// Should these certificates ever need regenerating, they were produced with the following commands:
+// certutil -N -d . --empty-password
+// for num in 00 01 02 03 04 05 06 07 08 09 10 11; do
+// echo -ne "5\n6\n9\ny\ny\n\ny\n" | certutil -d . -S -s "CN=self-signed cert" -t ,, \
+// -q secp256r1 -x -k ec -z <(date +%s) -1 -2 -n cert$num; sleep 2;
+// done
+
+add_task(async function test_no_overlong_path_building() {
+ let profile = do_get_profile();
+ const CERT_DB_NAME = "cert9.db";
+ let srcCertDBFile = do_get_file(`test_self_signed_certs/${CERT_DB_NAME}`);
+ srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let certToVerify = null;
+ for (let cert of certDB.getCerts()) {
+ if (cert.subjectName == "CN=self-signed cert") {
+ certToVerify = cert;
+ break;
+ }
+ }
+ notEqual(
+ certToVerify,
+ null,
+ "should have found one of the preloaded self-signed certs"
+ );
+ let timeBefore = Date.now();
+ // As mentioned above, mozilla::pkix limits how much it will search for a trusted path, even if a
+ // trust domain keeps providing potential issuers. So, if we only tried to verify a certificate
+ // once, this test could potentially pass on a fast computer even if we weren't properly skipping
+ // unnecessary paths. If we were to try and lower our time limit (the comparison with
+ // secondsElapsed, below), this test would intermittently fail on slow hardware. By trying to
+ // verify the certificate 10 times, we hopefully end up with a meaningful test (it should still
+ // fail on fast hardware if we don't properly skip unproductive paths) that won't intermittently
+ // time out on slow hardware.
+ for (let i = 0; i < 10; i++) {
+ let date = new Date("2019-05-15T00:00:00.000Z");
+ await checkCertErrorGenericAtTime(
+ certDB,
+ certToVerify,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLCA,
+ date.getTime() / 1000
+ );
+ }
+ let timeAfter = Date.now();
+ let secondsElapsed = (timeAfter - timeBefore) / 1000;
+ ok(secondsElapsed < 120, "verifications shouldn't take too long");
+});
+
+add_task(async function test_no_bad_signature() {
+ // If there are two self-signed CA certificates with the same subject and
+ // issuer but different keys, where one is trusted, test that using the other
+ // one as a server certificate doesn't result in a non-overridable "bad
+ // signature" error but rather a "self-signed cert" error.
+ let selfSignedCert = constructCertFromFile("test_self_signed_certs/ca1.pem");
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certDB, "test_self_signed_certs/ca2.pem", "CTu,,");
+ await checkCertErrorGeneric(
+ certDB,
+ selfSignedCert,
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+ certificateUsageSSLServer,
+ false,
+ "example.com"
+ );
+});
+
+add_task(async function test_no_inadequate_key_usage() {
+ // If there are two different non-CA, self-signed certificates with the same
+ // subject and issuer but different keys, test that using one of them as a
+ // server certificate doesn't result in a non-overridable "inadequate key
+ // usage" error but rather a "self-signed cert" error.
+ let selfSignedCert = constructCertFromFile("test_self_signed_certs/ee1.pem");
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certDB, "test_self_signed_certs/ee2.pem", ",,");
+ await checkCertErrorGeneric(
+ certDB,
+ selfSignedCert,
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+ certificateUsageSSLServer,
+ false,
+ "example.com"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem
new file mode 100644
index 0000000000..02436d046a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5TZWxm
+LVNpZ25lZCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZ
+MRcwFQYDVQQDDA5TZWxmLVNpZ25lZCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBACUeP9ynC3AtB+TmlQ8z
+1Eo7Vcgd2t1D1l+c9uaSBAb1ajymH/vyFv1/6rJiRF/uQGl2sMmEaLMNMOkD6fke
+S6PZ+V8J2n4XOly4UwLpg/bMP8dyEXajGuf/JddsKQaj1241dY8egkGJesArRUH6
++HBym166t6HJtv7xi4xBiljeS8UW7XQXke/tv4mDLuaITkasOOgyDniJucO46TQh
+ZzlEN6DMAicgqpghAlHERUhDoAcEA8m/qpZtA9to7xhzN7AvwU/596oQjyUk0umc
+fE7vzatI6+iiCxW9cO93T2lIGzzdz5HlgFinC65VNXSuMYz69A1D6rZ09wZpYZ0G
+b/I=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec
new file mode 100644
index 0000000000..97bc2d4ad1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Self-Signed CA
+subject:Self-Signed CA
+serialNumber:1
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem
new file mode 100644
index 0000000000..b9207a7d51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5TZWxm
+LVNpZ25lZCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZ
+MRcwFQYDVQQDDA5TZWxmLVNpZ25lZCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ
+isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF
+2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE
+WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS
+g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y
+xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJ0DeA2k4D90l9iBmfHt
+24F2kB3ZZvqHJBrRJBiz5WrrTbG1QlD9PlKjlePDAegWrsFgCzDVqe/hmOXYgqDO
+jXOm0KxulzT18Udsvhat+IHD7qiwOgXHK7nTl2LlM/FptykRbGXfZGvuC/DpJVtl
+J84l4FtgzZEdSGLDIxRSPAYViE9wn5vk/sdEzIY1W8/j7W4AKjk13rMwA0+4zlMW
+eeVqQOSZRdIgARMS6aB5FEqLVBGpxcRhS2jBpWMltJ7yvbhYiWxZQww/Is0QjxTd
+BEiL3cnaUuXjzVnZrYJ4jcvbD0fxlDLz9DVF9iKNV43+20ML8EHe7qdrQ9DZX2i8
+K6c=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec
new file mode 100644
index 0000000000..f827239d2a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Self-Signed CA
+subject:Self-Signed CA
+serialNumber:2
+issuerKey:alternate
+subjectKey:alternate
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db
new file mode 100644
index 0000000000..5450fe82e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem
new file mode 100644
index 0000000000..194e9a6ae5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBTZWxm
+LVNpZ25lZCBDZXJ0MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBsxGTAXBgNVBAMMEFNlbGYtU2lnbmVkIENlcnQwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAAyarwsbvYKjlS2vQRRzIbbwzwwHROuYI03XL0sbV/T+0VKdd/v4fQe0
+acCKoIewqJhTibykvWPUESoGdOXjzCJZw59XdyyG6o7RsvMazH+/MZap2yqh13tH
+n4JVng4+084WcLi9M+IQG3wLvKhgdNd+zVjIgXPNayx8mS0/IeYmhnSW2gbGuwkB
+wLI1mU7fI5LqlEfW1bcqTV/P7xMm/eqSCIdFyscABYWMbO6tBxRZA+i+eQ/8WbdE
+3/HF1xGAfT2FJIvpjW1lzjYGTLj9Nbk8b77qCN2QOmDCTxHLGJGgMTMibPj6N5dy
+N7/rOulljFEzMUS9F4fNJOcXUpoED6Y=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec
new file mode 100644
index 0000000000..9582f7b918
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Self-Signed Cert
+subject:Self-Signed Cert
+serialNumber:1
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem
new file mode 100644
index 0000000000..c683fe188b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBTZWxm
+LVNpZ25lZCBDZXJ0MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa
+MBsxGTAXBgNVBAMMEFNlbGYtU2lnbmVkIENlcnQwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvUb6Za2ird
+QcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo
+828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst
+/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0i
+tqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dhZyQqsf1t
+YhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBADBRWFxP9KJKpwRzCzNkdoZ1GlCKFGYqrx5bz9zkjoTcBVmDn0u+mknw
+piqBMlzxnVy77V0I/VchD1a5bMjzhUzQgDVI33N+/4R4sVpevJ+p22D1gJMggY17
+ryeBEbd7tkSF+ajT5oWtiQw5Ytstj+cmKmpDqRccjvNtce82m1mg2Na9ZRrDP6cP
+E06XgVbYKf7WhWdwTf3fKjwQzfjujndP2ZxSAizNEj5/GaqN4TtQBAl7y2vBgB0c
+wrih3DMJkEOJUpjlnaTuB38LG7h6cLoiAHK9I8onVRgN3zAwni/vYylyEnlV1HnX
+E/IAiEYBJ0HrAfIrPB1X7E70D64QJ7g=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec
new file mode 100644
index 0000000000..fa45f13078
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Self-Signed Cert
+subject:Self-Signed Cert
+serialNumber:2
+issuerKey:alternate
+subjectKey:alternate
diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js
new file mode 100644
index 0000000000..fe7252a630
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -0,0 +1,291 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM makes the correct determination of the security status of
+// loads involving session resumption (i.e. when a TLS handshake bypasses the
+// AuthCertificate callback).
+
+do_get_profile();
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");
+
+// For expired.example.com, the platform will make a connection that will fail.
+// Using information gathered at that point, an override will be added and
+// another connection will be made. This connection will succeed. At that point,
+// as long as the session cache isn't cleared, subsequent new connections should
+// use session resumption, thereby bypassing the AuthCertificate hook. We need
+// to ensure that the correct security state is propagated to the new connection
+// information object.
+function add_resume_non_ev_with_override_test() {
+ // This adds the override and makes one successful connection.
+ add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);
+
+ // This connects again, using session resumption. Note that we don't clear
+ // the TLS session cache between these operations (that would defeat the
+ // purpose).
+ add_connection_test(
+ "expired.example.com",
+ PRErrorCodeSuccess,
+ null,
+ transportSecurityInfo => {
+ ok(transportSecurityInfo.resumed, "connection should be resumed");
+ ok(
+ transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag"
+ );
+ equal(
+ transportSecurityInfo.succeededCertChain.length,
+ 0,
+ "expired.example.com should not have succeededCertChain set"
+ );
+ equal(
+ transportSecurityInfo.failedCertChain.length,
+ 2,
+ "expired.example.com should have failedCertChain set"
+ );
+ equal(
+ transportSecurityInfo.overridableErrorCategory,
+ Ci.nsITransportSecurityInfo.ERROR_TIME,
+ "expired.example.com should have time overridable error category"
+ );
+ ok(
+ !transportSecurityInfo.isExtendedValidation,
+ "expired.example.com should not have isExtendedValidation set"
+ );
+
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride(
+ "expired.example.com",
+ 8443,
+ {}
+ );
+ }
+ );
+}
+
+// Helper function that adds a test that connects to ev-test.example.com and
+// verifies that it validates as EV (or not, if we're running a non-debug
+// build). This assumes that an appropriate OCSP responder is running or that
+// good responses are cached.
+function add_one_ev_test(resumed) {
+ add_connection_test(
+ "ev-test.example.com",
+ PRErrorCodeSuccess,
+ null,
+ transportSecurityInfo => {
+ equal(
+ transportSecurityInfo.resumed,
+ resumed,
+ "connection should be resumed or not resumed as expected"
+ );
+ ok(
+ !(
+ transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
+ ),
+ "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"
+ );
+ equal(
+ transportSecurityInfo.succeededCertChain.length,
+ 3,
+ "ev-test.example.com should have succeededCertChain set"
+ );
+ equal(
+ transportSecurityInfo.failedCertChain.length,
+ 0,
+ "ev-test.example.com should not have failedCertChain set"
+ );
+ equal(
+ transportSecurityInfo.overridableErrorCategory,
+ Ci.nsITransportSecurityInfo.ERROR_UNSET,
+ "ev-test.example.com should not have an overridable error category"
+ );
+ ok(
+ !gEVExpected || transportSecurityInfo.isExtendedValidation,
+ "ev-test.example.com should have isExtendedValidation set " +
+ "(or this is a non-debug build)"
+ );
+ }
+ );
+}
+
+// This test is similar, except with extended validation. We should connect
+// successfully, and the certificate should be EV in debug builds. Without
+// clearing the session cache, we should connect successfully again, this time
+// with session resumption. The certificate should again be EV in debug builds.
+function add_resume_ev_test() {
+ const SERVER_PORT = 8888;
+ let expectedRequestPaths = ["ev-test"];
+ let responseTypes = ["good"];
+ // Since we cache OCSP responses, we only ever actually serve one set.
+ let ocspResponder;
+ // If we don't wrap this in an `add_test`, the OCSP responder will be running
+ // while we are actually running unrelated testcases, which can disrupt them.
+ add_test(() => {
+ ocspResponder = startOCSPResponder(
+ SERVER_PORT,
+ "localhost",
+ "bad_certs",
+ expectedRequestPaths,
+ expectedRequestPaths.slice(),
+ null,
+ responseTypes
+ );
+ run_next_test();
+ });
+ // We should be able to connect and verify the certificate as EV (in debug
+ // builds).
+ add_one_ev_test(false);
+ // We should be able to connect again (using session resumption). In debug
+ // builds, the certificate should be noted as EV. Again, it's important that
+ // nothing clears the TLS cache in between these two operations.
+ add_one_ev_test(true);
+
+ add_test(() => {
+ ocspResponder.stop(run_next_test);
+ });
+}
+
+const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com";
+
+// Helper function that adds a test that connects to a domain that should
+// succeed (but isn't EV) and verifies that its succeededCertChain gets set
+// appropriately.
+function add_one_non_ev_test() {
+ add_connection_test(
+ GOOD_DOMAIN,
+ PRErrorCodeSuccess,
+ null,
+ transportSecurityInfo => {
+ ok(
+ !(
+ transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
+ ),
+ `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`
+ );
+ ok(
+ transportSecurityInfo.succeededCertChain,
+ `${GOOD_DOMAIN} should have succeededCertChain set`
+ );
+ equal(
+ transportSecurityInfo.overridableErrorCategory,
+ 0,
+ `${GOOD_DOMAIN} should not have an overridable error category set`
+ );
+ ok(
+ !transportSecurityInfo.isExtendedValidation,
+ `${GOOD_DOMAIN} should not have isExtendedValidation set`
+ );
+ }
+ );
+}
+
+// This test is similar, except with non-extended validation. We should connect
+// successfully, and the certificate should not be EV. Without clearing the
+// session cache, we should connect successfully again, this time with session
+// resumption. In this case, though, we want to ensure the succeededCertChain is
+// set.
+function add_resume_non_ev_test() {
+ add_one_non_ev_test();
+ add_one_non_ev_test();
+}
+
+const statsPtr = getSSLStatistics();
+const toInt32 = ctypes.Int64.lo;
+
+// Connect to the same domain with two origin attributes and check if any ssl
+// session is resumed.
+function add_origin_attributes_test(
+ originAttributes1,
+ originAttributes2,
+ resumeExpected
+) {
+ add_connection_test(
+ GOOD_DOMAIN,
+ PRErrorCodeSuccess,
+ clearSessionCache,
+ null,
+ null,
+ originAttributes1
+ );
+
+ let hitsBeforeConnect;
+ let missesBeforeConnect;
+ let expectedHits = resumeExpected ? 1 : 0;
+ let expectedMisses = 1 - expectedHits;
+
+ add_connection_test(
+ GOOD_DOMAIN,
+ PRErrorCodeSuccess,
+ function () {
+ // Add the hits and misses before connection.
+ let stats = statsPtr.contents;
+ hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits);
+ missesBeforeConnect = toInt32(stats.sch_sid_cache_misses);
+ },
+ function () {
+ let stats = statsPtr.contents;
+ equal(
+ toInt32(stats.sch_sid_cache_hits),
+ hitsBeforeConnect + expectedHits,
+ "Unexpected cache hits"
+ );
+ equal(
+ toInt32(stats.sch_sid_cache_misses),
+ missesBeforeConnect + expectedMisses,
+ "Unexpected cache misses"
+ );
+ },
+ null,
+ originAttributes2
+ );
+}
+
+function add_resumption_tests() {
+ add_resume_ev_test();
+ add_resume_non_ev_test();
+ add_resume_non_ev_with_override_test();
+ add_origin_attributes_test({}, {}, true);
+ add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false);
+ add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true);
+ add_origin_attributes_test(
+ { firstPartyDomain: "foo.com" },
+ { firstPartyDomain: "bar.com" },
+ false
+ );
+ add_origin_attributes_test(
+ { firstPartyDomain: "baz.com" },
+ { firstPartyDomain: "baz.com" },
+ true
+ );
+}
+
+function run_test() {
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ add_resumption_tests();
+ // Enable external session cache and reset the status.
+ add_test(function () {
+ Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true);
+ certdb.clearOCSPCache();
+ run_next_test();
+ });
+ // Do tests again.
+ add_resumption_tests();
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps.js b/security/manager/ssl/tests/unit/test_signed_apps.js
new file mode 100644
index 0000000000..4893bfd714
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps.js
@@ -0,0 +1,1038 @@
+"use strict";
+
+// Tests the API nsIX509CertDB.openSignedAppFileAsync, which backs add-on
+// signature verification. Testcases include various ways of tampering with
+// add-ons as well as different hash algorithms used in the various
+// signature/metadata files.
+
+// from prio.h
+const PR_RDWR = 0x04;
+const PR_CREATE_FILE = 0x08;
+const PR_TRUNCATE = 0x20;
+const PR_USEC_PER_MSEC = 1000;
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+// Creates a new app package based in the inFilePath package, with a set of
+// modifications (including possibly deletions) applied to the existing entries,
+// and/or a set of new entries to be included.
+function tamper(inFilePath, outFilePath, modifications, newEntries) {
+ let writer = Cc["@mozilla.org/zipwriter;1"].createInstance(Ci.nsIZipWriter);
+ writer.open(outFilePath, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE);
+ try {
+ let reader = Cc["@mozilla.org/libjar/zip-reader;1"].createInstance(
+ Ci.nsIZipReader
+ );
+ reader.open(inFilePath);
+ try {
+ for (let entryName of reader.findEntries("")) {
+ let inEntry = reader.getEntry(entryName);
+ let entryInput = reader.getInputStream(entryName);
+ try {
+ let f = modifications[entryName];
+ let outEntry, outEntryInput;
+ if (f) {
+ [outEntry, outEntryInput] = f(inEntry, entryInput);
+ delete modifications[entryName];
+ } else {
+ [outEntry, outEntryInput] = [inEntry, entryInput];
+ }
+ // if f does not want the input entry to be copied to the output entry
+ // at all (i.e. it wants it to be deleted), it will return null.
+ if (outEntryInput) {
+ try {
+ writer.addEntryStream(
+ entryName,
+ outEntry.lastModifiedTime,
+ outEntry.compression,
+ outEntryInput,
+ false
+ );
+ } finally {
+ if (entryInput != outEntryInput) {
+ outEntryInput.close();
+ }
+ }
+ }
+ } finally {
+ entryInput.close();
+ }
+ }
+ } finally {
+ reader.close();
+ }
+
+ // Any leftover modification means that we were expecting to modify an entry
+ // in the input file that wasn't there.
+ for (let name in modifications) {
+ if (modifications.hasOwnProperty(name)) {
+ throw new Error("input file was missing expected entries: " + name);
+ }
+ }
+
+ // Now, append any new entries to the end
+ newEntries.forEach(function (newEntry) {
+ let sis = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ try {
+ sis.setData(newEntry.content, newEntry.content.length);
+ writer.addEntryStream(
+ newEntry.name,
+ new Date() * PR_USEC_PER_MSEC,
+ Ci.nsIZipWriter.COMPRESSION_BEST,
+ sis,
+ false
+ );
+ } finally {
+ sis.close();
+ }
+ });
+ } finally {
+ writer.close();
+ }
+}
+
+function removeEntry(entry, entryInput) {
+ return [null, null];
+}
+
+function truncateEntry(entry, entryInput) {
+ if (entryInput.available() == 0) {
+ throw new Error(
+ "Truncating already-zero length entry will result in " +
+ "identical entry."
+ );
+ }
+
+ let content = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ content.data = "";
+
+ return [entry, content];
+}
+
+function check_open_result(name, expectedRv) {
+ return function openSignedAppFileCallback(rv, aZipReader, aSignerCert) {
+ info("openSignedAppFileCallback called for " + name);
+ equal(rv, expectedRv, "Actual and expected return value should match");
+ equal(
+ aZipReader != null,
+ Components.isSuccessCode(expectedRv),
+ "ZIP reader should be null only if the return value denotes failure"
+ );
+ equal(
+ aSignerCert != null,
+ Components.isSuccessCode(expectedRv),
+ "Signer cert should be null only if the return value denotes failure"
+ );
+ run_next_test();
+ };
+}
+
+function original_app_path(test_name) {
+ return do_get_file("test_signed_apps/" + test_name + ".zip", false);
+}
+
+function tampered_app_path(test_name) {
+ return new FileUtils.File(
+ PathUtils.join(
+ Services.dirsvc.get("TmpD", Ci.nsIFile).path,
+ `test_signed_app-${test_name}.zip`
+ )
+ );
+}
+
+var hashTestcases = [
+ // SHA-256 in PKCS#7 + SHA-256 present elsewhere => OK
+ { name: "app_mf-1-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-256_p7-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-256_p7-256", expectedResult: Cr.NS_OK },
+
+ // SHA-1 in PKCS#7 + SHA-1 present elsewhere => OK
+ { name: "app_mf-1-256_sf-1-256_p7-1", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-1_p7-1", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1_sf-1-256_p7-1", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1_sf-1_p7-1", expectedResult: Cr.NS_OK },
+
+ // SHA-256 in PKCS#7 + SHA-256 not present elsewhere => INVALID
+ {
+ name: "app_mf-1-256_sf-1_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1-256_sf-1_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1-256_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1-256_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-256_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-256_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+
+ // SHA-1 in PKCS#7 + SHA-1 not present elsewhere => INVALID
+ {
+ name: "app_mf-1-256_sf-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+];
+
+// Policy values for the preference "security.signed_app_signatures.policy"
+const PKCS7WithSHA1OrSHA256 = 0b0;
+const PKCS7WithSHA256 = 0b1;
+const COSEAndPKCS7WithSHA1OrSHA256 = 0b10;
+const COSEAndPKCS7WithSHA256 = 0b11;
+const COSERequiredAndPKCS7WithSHA1OrSHA256 = 0b100;
+const COSERequiredAndPKCS7WithSHA256 = 0b101;
+const COSEOnly = 0b110;
+const COSEOnlyAgain = 0b111;
+
+function add_signature_test(policy, test) {
+ // First queue up a test to set the desired policy:
+ add_test(function () {
+ Services.prefs.setIntPref("security.signed_app_signatures.policy", policy);
+ run_next_test();
+ });
+ // Then queue up the test itself:
+ add_test(test);
+}
+
+for (let testcase of hashTestcases) {
+ add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path(testcase.name),
+ check_open_result(testcase.name, testcase.expectedResult)
+ );
+ });
+}
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("empty_signerInfos"),
+ check_open_result(
+ "the signerInfos in the PKCS#7 signature is empty",
+ Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("unsigned_app"),
+ check_open_result("unsigned", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("unknown_issuer_app"),
+ check_open_result(
+ "unknown_issuer",
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_signed_with_pkcs7"),
+ check_open_result("cose_signed_with_pkcs7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result("no COSE but correct PK#7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-256_p7-256"),
+ check_open_result(
+ "no COSE and wrong PK#7 hash",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "COSE signature missing (SHA1 or 256)",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "COSE signature missing (SHA256)",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "COSE signature only (PK#7 allowed, not present)",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "COSE signature only (PK#7 allowed, not present)",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_multiple_signed_with_pkcs7"),
+ check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_int_signed_with_pkcs7"),
+ check_open_result("COSE signed with an intermediate", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "PK7 signature missing",
+ Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_multiple_signed_with_pkcs7"),
+ check_open_result(
+ "Expected only COSE signature",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_multiple_signed"),
+ check_open_result("only Multiple COSE signatures", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnly, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result("only_cose_signed", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnlyAgain, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result("only_cose_signed (again)", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnly, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_signed_with_pkcs7"),
+ check_open_result(
+ "COSE only expected but also PK#7 signed",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+// Sanity check to ensure a no-op tampering gives a valid result
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("identity_tampering");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, []);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ check_open_result("identity_tampering", Cr.NS_OK)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("missing_rsa");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.RSA": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_rsa", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("missing_sf");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.SF": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_sf", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("missing_manifest_mf");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/MANIFEST.MF": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "missing_manifest_mf",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("missing_entry");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_entry", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("truncated_entry");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("truncated_entry", Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("truncated_manifestFile");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/MANIFEST.MF": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "truncated_manifestFile",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("truncated_signatureFile");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.SF": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "truncated_signatureFile",
+ getXPCOMStatusFromNSS(SEC_ERROR_PKCS7_BAD_SIGNATURE)
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("truncated_pkcs7File");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.RSA": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("truncated_pkcs7File", Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("unsigned_entry");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("unsigned_entry", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ let tampered = tampered_app_path("unsigned_metainf_entry");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+ { name: "META-INF/unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "unsigned_metainf_entry",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ check_open_result(
+ "SHA-1 should not be accepted if disabled by policy",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA256WorksWithSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "SHA-256 should work if SHA-1 is disabled by policy",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(
+ PKCS7WithSHA256,
+ function testMultipleSignaturesWorkWithSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1-256_sf-1-256_p7-1-256"),
+ check_open_result(
+ "Multiple signatures should work if SHA-1 is " +
+ "disabled by policy (if SHA-256 signature verifies)",
+ Cr.NS_OK
+ )
+ );
+ }
+);
+
+var cosePolicies = [
+ COSEAndPKCS7WithSHA1OrSHA256,
+ COSERequiredAndPKCS7WithSHA1OrSHA256,
+];
+
+// PS256 is not yet supported.
+var coseTestcasesStage = [
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+];
+
+var coseTestcasesProd = [
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+];
+
+for (let policy of cosePolicies) {
+ for (let testcase of [...coseTestcasesStage, ...coseTestcasesProd]) {
+ add_signature_test(policy, function () {
+ certdb.openSignedAppFileAsync(
+ testcase.root,
+ original_app_path(testcase.name),
+ check_open_result(testcase.name, testcase.expectedResult)
+ );
+ });
+ }
+}
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigTampered() {
+ let tampered = tampered_app_path("cose_sig_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.sig": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_sig_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// PKCS7 is processed before COSE, so if a COSE signature file is removed or
+// tampered with, this appears as a PKCS7 signature verification failure.
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigRemoved() {
+ let tampered = tampered_app_path("cose_sig_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.sig": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_sig_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestTampered() {
+ let tampered = tampered_app_path("cose_manifest_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.manifest": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_manifest_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestRemoved() {
+ let tampered = tampered_app_path("cose_manifest_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.manifest": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_manifest_removed",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileAdded() {
+ let tampered = tampered_app_path("cose_file_added");
+ tamper(original_app_path("cose_signed_with_pkcs7"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_file_added", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileRemoved() {
+ let tampered = tampered_app_path("cose_file_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_file_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileTampered() {
+ let tampered = tampered_app_path("cose_file_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_file_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigTampered() {
+ let tampered = tampered_app_path("only_cose_sig_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.sig": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_sig_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigRemoved() {
+ let tampered = tampered_app_path("only_cose_sig_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.sig": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_sig_removed",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestTampered() {
+ let tampered = tampered_app_path("only_cose_manifest_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.manifest": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_manifest_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestRemoved() {
+ let tampered = tampered_app_path("only_cose_manifest_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.manifest": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_manifest_removed",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileAdded() {
+ let tampered = tampered_app_path("only_cose_file_added");
+ tamper(original_app_path("only_cose_signed"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_added",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileRemoved() {
+ let tampered = tampered_app_path("only_cose_file_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_removed",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileTampered() {
+ let tampered = tampered_app_path("only_cose_file_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// This was signed with only COSE first, and then the contents were tampered
+// with (making the signature invalid). Then, the file was signed with
+// PKCS7/SHA1. We need to ensure that if we're configured to process COSE, this
+// verification fails.
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should fail " +
+ "when COSE and PKCS7 is processed",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should fail " +
+ "when only COSE is processed",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// If we're not processing COSE, this should verify successfully.
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should succeed" +
+ "when COSE is not processed",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_test(function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("bug_1411458"),
+ check_open_result("bug 1411458", Cr.NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO)
+ );
+});
+
+// This has a big manifest file (~2MB). It should verify correctly.
+add_test(function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("big_manifest"),
+ check_open_result("add-on with big manifest file", Cr.NS_OK)
+ );
+});
+
+// This has a huge manifest file (~10MB). Manifest files this large are not
+// supported (8MB is the limit). It should not verify correctly.
+add_test(function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("huge_manifest"),
+ check_open_result(
+ "add-on with huge manifest file",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_INVALID
+ )
+ );
+});
+
+// Verification should pass despite a not-yet-valid EE certificate.
+// Regression test for bug 1713628
+add_test(function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("validity_not_yet_valid"),
+ check_open_result("validity_not_yet_valid", Cr.NS_OK)
+ );
+});
+
+// Verification should pass despite an expired EE certificate.
+// Regression test for bug 1267318 and bug 1548973
+add_test(function () {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("validity_expired"),
+ check_open_result("validity_expired", Cr.NS_OK)
+ );
+});
+
+// TODO: tampered MF, tampered SF
+// TODO: too-large MF, too-large RSA, too-large SF
+// TODO: MF and SF that end immediately after the last main header
+// (no CR nor LF)
+// TODO: broken headers to exercise the parser
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/README b/security/manager/ssl/tests/unit/test_signed_apps/app/README
new file mode 100644
index 0000000000..4f4db4f73e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/README
@@ -0,0 +1 @@
+This is the readme for the test extension.
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
@@ -0,0 +1,5 @@
+{
+ "manifest_version": 2,
+ "name": "Test Extension",
+ "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
new file mode 100644
index 0000000000..be5069f57b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
@@ -0,0 +1,10 @@
+Manifest-Version: 1.0
+
+Name: README
+SHA256-Digest: bY0l9xqGJYCpqYeJ0K6q4DWUQqu0mNBFM4H4emhjiJg=
+
+Name: manifest.json
+SHA256-Digest: BTnCpT154N26RZm8bhdD43WXd0tj5bg6ofM19NLI0OE=
+
+Name: data/image.png
+SHA256-Digest: EPjkNZwya9X+pruLlxG+FACLwGC48XU4S9oZOA0lVVQ=
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
new file mode 100644
index 0000000000..ee9f3e2ce9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
new file mode 100644
index 0000000000..46217087d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
@@ -0,0 +1,2 @@
+This is the readme for the test extension.
+This app was created by unzipping only_cose_signed.zip and adding this line (thus invalidating the COSE signature).
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
@@ -0,0 +1,5 @@
+{
+ "manifest_version": 2,
+ "name": "Test Extension",
+ "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..48f34fbd78
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..4f2e376440
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..e484ccfdf1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..e1aa3d0dea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..69ce9ea2e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..09c2009cc4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..7e6e6ad8e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..d4ae1e1f13
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..1bd8d00b23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..c076ec01b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..da29a1b057
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..726ce6d920
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..8e06df3332
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
new file mode 100644
index 0000000000..1ad810331b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
new file mode 100644
index 0000000000..2b163051dd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..c64c184586
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
new file mode 100644
index 0000000000..27729c8dae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
new file mode 100644
index 0000000000..798ac6858f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..45dddf1ed8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..1e6188de5d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..68cdc0f0ac
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..5ff5f8c946
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..49ac1edc5d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..fb884ed8f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..e7a6d259fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..881db28d9f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..8177c5f58a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..40b4fc7857
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..d364e590e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..a4353bba19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip
new file mode 100644
index 0000000000..51ae592ee9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..b74e087620
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..772c42e494
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..b1d1999551
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip
new file mode 100644
index 0000000000..0ce563680d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip
new file mode 100644
index 0000000000..b2e9e44d19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip
new file mode 100644
index 0000000000..0b296945ab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..f1d1447ee2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..e695e856c3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..e3ab79db2c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip
new file mode 100644
index 0000000000..6ece7c4a12
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip
new file mode 100644
index 0000000000..02bac29bdc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip
new file mode 100644
index 0000000000..846d36cc3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/moz.build b/security/manager/ssl/tests/unit/test_signed_apps/moz.build
new file mode 100644
index 0000000000..8680c8d457
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/moz.build
@@ -0,0 +1,78 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+@template
+def SignedAppFile(name, flags, app_directory="app/"):
+ if not CONFIG["COMPILE_ENVIRONMENT"]:
+ return
+
+ GENERATED_FILES += [name]
+ props = GENERATED_FILES[name]
+ props.script = "/security/manager/ssl/tests/unit/sign_app.py"
+ props.inputs = [app_directory]
+ props.flags = flags
+ # Turn RELATIVEDIR into list entry: like
+ # 'security/manager/ssl/tests/unit/test_signed_apps' ->
+ # TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_signed_apps.
+ files = TEST_HARNESS_FILES.xpcshell
+ for part in RELATIVEDIR.split("/"):
+ files = files[part]
+ files += ["!%s" % name]
+
+
+# Except for unusual testcases (unknown issuer, unsigned app, empty
+# signerInfos), the naming scheme is as follows:
+# app_mf{-1,-256}_sf{-1,-256}_p7{-1,-256}.zip, where:
+# "mf" refers to the manifest file, "sf" refers to the signature file,
+# and "p7" refers to the pkcs#7 file. The "{-1,-256}" indicates which
+# hash algorithms are present in the corresponding file (both may be
+# present).
+# For example, "app_mf-1_sf-1-256_p7-256.zip" means that the manifest
+# file has sha-1 hashes, the signature file has sha-1 hashes and sha-256
+# hashes, and the pkcs#7 file only has sha-256.
+#
+# Temporarily disabled. See bug 1256495.
+# signed_app_files = (
+# ['unknown_issuer_app.zip', '-i', 'unknown issuer', '-p', 'sha256'],
+# ['unsigned_app.zip'],
+# ['empty_signerInfos.zip', '-e'],
+# )
+#
+# for signed_app_file_params in signed_app_files:
+# SignedAppFile(signed_app_file_params[0], signed_app_file_params[1:])
+#
+# for mf_algs in [['1'], ['256'], ['1', '256']]:
+# for sf_algs in [['1'], ['256'], ['1', '256']]:
+# for p7_algs in [['1'], ['256'], ['1', '256']]:
+# filename = "app_mf-%s_sf-%s_p7-%s.zip" % ('-'.join(mf_algs), '-'.join(sf_algs), '-'.join(p7_algs))
+# args = []
+# for mf_alg in mf_algs:
+# args.append('-m')
+# args.append('sha%s' % mf_alg)
+# for sf_alg in sf_algs:
+# args.append('-s')
+# args.append('sha%s' % sf_alg)
+# for p7_alg in p7_algs:
+# args.append('-p')
+# args.append('sha%s' % p7_alg)
+# SignedAppFile(filename, args)
+#
+# COSE test-cases
+# SignedAppFile('cose_signed_with_pkcs7.zip', ['-c', 'ES256', '-p', 'sha256'])
+# SignedAppFile('cose_int_signed_with_pkcs7.zip', ['-c', 'ES256', '-r', 'xpcshell signed apps test root', '-p', 'sha256'])
+# SignedAppFile('cose_multiple_signed_with_pkcs7.zip', ['-c', 'ES256', '-c', 'ES384', '-p', 'sha256'])
+# SignedAppFile('only_cose_signed.zip', ['-c', 'ES256'])
+# SignedAppFile('only_cose_multiple_signed.zip', ['-c', 'ES384', '-c', 'ES256'])
+# SignedAppFile('cose_tampered_good_pkcs7.zip', ['-m', 'sha1', '-s', 'sha1', '-p', 'sha1'], 'app_cose_tampered/')
+# SignedAppFile('big_manifest.zip', ['-p', 'sha256', '--pad-headers', '2'])
+# SignedAppFile('huge_manifest.zip', ['-p', 'sha256', '--pad-headers', '10'])
+# SignedAppFile('validity_expired.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '19700101-19701212'])
+# SignedAppFile('validity_not_yet_valid.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '99990101-99991212'])
+
+# To generate a new entry, add SignedAppFile, run mach build and copy from
+# objdir/_tests/xpcshell/security/manager/ssl/tests/unit/test_signed_apps/
+# to this directory.
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip
new file mode 100644
index 0000000000..37d72ddbc0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip
new file mode 100644
index 0000000000..d21f797b6d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
new file mode 100644
index 0000000000..17c0063cce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
new file mode 100644
index 0000000000..17a0747667
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip
new file mode 100644
index 0000000000..b9cc2cc31e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip
new file mode 100644
index 0000000000..f08fe14a9a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
new file mode 100644
index 0000000000..3c1869b13b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
new file mode 100644
index 0000000000..500c4185cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
@@ -0,0 +1,6 @@
+issuer:xpcshell signed apps test root
+subject:xpcshell signed apps test root
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyEncipherment,keyCertSign
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_ssl_status.js b/security/manager/ssl/tests/unit/test_ssl_status.js
new file mode 100644
index 0000000000..e8df767c85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ssl_status.js
@@ -0,0 +1,75 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+do_get_profile();
+
+function run_test() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ });
+ fakeOCSPResponder.start(8888);
+
+ // Test successful connection (failedCertChain should be null,
+ // succeededCertChain should be set as expected)
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess,
+ null,
+ function withSecurityInfo(aSecInfo) {
+ equal(
+ aSecInfo.failedCertChain.length,
+ 0,
+ "failedCertChain for a successful connection should be empty"
+ );
+ ok(
+ areCertArraysEqual(
+ aSecInfo.succeededCertChain,
+ build_cert_chain(["default-ee", "test-ca"])
+ ),
+ "succeededCertChain for a successful connection should be as expected"
+ );
+ }
+ );
+
+ // Test failed connection (failedCertChain should be set as expected,
+ // succeededCertChain should be null)
+ add_connection_test(
+ "expired.example.com",
+ SEC_ERROR_EXPIRED_CERTIFICATE,
+ null,
+ function withSecurityInfo(aSecInfo) {
+ equal(
+ aSecInfo.succeededCertChain.length,
+ 0,
+ "succeededCertChain for a failed connection should be null"
+ );
+ ok(
+ areCertArraysEqual(
+ aSecInfo.failedCertChain,
+ build_cert_chain(["expired-ee", "test-ca"])
+ ),
+ "failedCertChain for a failed connection should be as expected"
+ );
+ }
+ );
+
+ // Ensure the correct failed cert chain is set on cert override
+ let overrideStatus = {
+ failedCertChain: build_cert_chain(["expired-ee", "test-ca"]),
+ };
+ add_cert_override_test(
+ "expired.example.com",
+ SEC_ERROR_EXPIRED_CERTIFICATE,
+ undefined,
+ overrideStatus
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_eviction.js b/security/manager/ssl/tests/unit/test_sss_eviction.js
new file mode 100644
index 0000000000..6e1e70075f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_eviction.js
@@ -0,0 +1,41 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to check that a frequently visited site
+// will not be evicted over an infrequently visited site.
+function run_test() {
+ let stateFile = do_get_profile();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let now = new Date().getTime();
+ let key = "frequentlyused.example.com";
+ let value = `${now + 100000},1,0`;
+ append_line_to_data_storage_file(outputStream, 4, 1000, key, value);
+ outputStream.close();
+ let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(siteSecurityService, null);
+ // isSecureURI blocks until the backing data is read.
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://frequentlyused.example.com")
+ )
+ );
+ // The storage limit is currently 2048, so this should cause evictions.
+ for (let i = 0; i < 3000; i++) {
+ let uri = Services.io.newURI("http://bad" + i + ".example.com");
+ siteSecurityService.processHeader(uri, "max-age=1000");
+ }
+ // The frequently used entry should not be evicted.
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://frequentlyused.example.com")
+ )
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_migration.js b/security/manager/ssl/tests/unit/test_sss_migration.js
new file mode 100644
index 0000000000..df174ae309
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_migration.js
@@ -0,0 +1,64 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a site security service state file
+// and see that the site security service reads and migrates it properly.
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_OLD_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let now = Date.now();
+ let lines = [];
+ lines.push(
+ `no-origin-attributes.example.com:HSTS\t0\t0\t${now + 100000},1,0`
+ );
+ lines.push(`not-hsts.example.com:HPKP\t0\t0\t${now + 100000},1,0`);
+ lines.push(
+ `with-port.example.com^partitionKey=%28http%2Cexample.com%2C8443%29:HSTS\t0\t0\t${
+ now + 100000
+ },1,0`
+ );
+ for (let i = 0; lines.length < 1024; i++) {
+ lines.push(`filler-${i}.example.com:HPKP\t0\t0\t${now + 100000},1,0`);
+ }
+ writeLinesAndClose(lines, outputStream);
+ let sss = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(sss, null);
+
+ // nsISiteSecurityService.isSecureURI will block until the backing file is read.
+ ok(
+ sss.isSecureURI(
+ Services.io.newURI("https://no-origin-attributes.example.com")
+ )
+ );
+ ok(!sss.isSecureURI(Services.io.newURI("https://not-hsts.example.com")));
+ ok(
+ sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), {
+ partitionKey: "(http,example.com,8443)",
+ })
+ );
+ ok(
+ sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), {
+ partitionKey: "(http,example.com)",
+ })
+ );
+ ok(
+ sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), {
+ partitionKey: "(http,example.com,8000)",
+ })
+ );
+ ok(
+ sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), {
+ partitionKey: "(https,example.com)",
+ })
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_originAttributes.js b/security/manager/ssl/tests/unit/test_sss_originAttributes.js
new file mode 100644
index 0000000000..9c127adcec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_originAttributes.js
@@ -0,0 +1,105 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Ensures nsISiteSecurityService APIs respects origin attributes.
+
+const GOOD_MAX_AGE_SECONDS = 69403;
+const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
+let host = "a.pinning.example.com";
+let uri = Services.io.newURI("https://" + host);
+
+// Check if originAttributes1 and originAttributes2 are isolated with respect
+// to HSTS storage.
+function doTest(originAttributes1, originAttributes2, shouldShare) {
+ sss.clearAll();
+ let header = GOOD_MAX_AGE;
+ // Set HSTS for originAttributes1.
+ sss.processHeader(uri, header, originAttributes1);
+ ok(
+ sss.isSecureURI(uri, originAttributes1),
+ "URI should be secure given original origin attributes"
+ );
+ equal(
+ sss.isSecureURI(uri, originAttributes2),
+ shouldShare,
+ "URI should be secure given different origin attributes if and " +
+ "only if shouldShare is true"
+ );
+
+ if (!shouldShare) {
+ // Remove originAttributes2 from the storage.
+ sss.resetState(uri, originAttributes2);
+ ok(
+ sss.isSecureURI(uri, originAttributes1),
+ "URI should still be secure given original origin attributes"
+ );
+ }
+
+ // Remove originAttributes1 from the storage.
+ sss.resetState(uri, originAttributes1);
+ ok(
+ !sss.isSecureURI(uri, originAttributes1),
+ "URI should not be secure after removeState"
+ );
+
+ sss.clearAll();
+}
+
+function testInvalidOriginAttributes(originAttributes) {
+ let header = GOOD_MAX_AGE;
+
+ let callbacks = [
+ () => sss.processHeader(uri, header, originAttributes),
+ () => sss.isSecureURI(uri, originAttributes),
+ () => sss.resetState(uri, originAttributes),
+ ];
+
+ for (let callback of callbacks) {
+ throws(
+ callback,
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Should get an error with invalid origin attributes"
+ );
+ }
+}
+
+function run_test() {
+ sss.clearAll();
+
+ let originAttributesList = [];
+ for (let userContextId of [0, 1, 2]) {
+ for (let firstPartyDomain of ["", "foo.com", "bar.com"]) {
+ originAttributesList.push({ userContextId, firstPartyDomain });
+ }
+ }
+ for (let attrs1 of originAttributesList) {
+ for (let attrs2 of originAttributesList) {
+ // SSS storage is not isolated by userContext
+ doTest(
+ attrs1,
+ attrs2,
+ attrs1.firstPartyDomain == attrs2.firstPartyDomain
+ );
+ }
+ }
+
+ doTest(
+ { partitionKey: "(http,example.com,8443)" },
+ { partitionKey: "(https,example.com)" },
+ true
+ );
+
+ testInvalidOriginAttributes(undefined);
+ testInvalidOriginAttributes(null);
+ testInvalidOriginAttributes(1);
+ testInvalidOriginAttributes("foo");
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate.js b/security/manager/ssl/tests/unit/test_sss_readstate.js
new file mode 100644
index 0000000000..3c78b96ebc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate.js
@@ -0,0 +1,141 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a site security service state file
+// and see that the site security service reads it properly.
+
+function run_test() {
+ let stateFile = do_get_profile();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let now = Date.now();
+ let keyValuePairs = [
+ { key: "expired.example.com", value: `${now - 100000},1,0` },
+ { key: "notexpired.example.com", value: `${now + 100000},1,0` },
+ // This overrides an entry on the preload list.
+ { key: "includesubdomains.preloaded.test", value: `${now + 100000},1,0` },
+ { key: "incsubdomain.example.com", value: `${now + 100000},1,1` },
+ // This overrides an entry on the preload list.
+ { key: "includesubdomains2.preloaded.test", value: "0,2,0" },
+ ];
+ for (let keyValuePair of keyValuePairs) {
+ append_line_to_data_storage_file(
+ outputStream,
+ 1,
+ 1,
+ keyValuePair.key,
+ keyValuePair.value
+ );
+ }
+ // Append a line with a bad checksum.
+ append_line_to_data_storage_file(
+ outputStream,
+ 1,
+ 1,
+ "badchecksum.example.com",
+ `${now + 100000},1,0`,
+ 24,
+ true
+ );
+ outputStream.close();
+ let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(siteSecurityService, null);
+
+ // The backing data storage will block until the background task that reads
+ // the backing file has finished.
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://expired.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://notexpired.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://incsubdomain.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://sub.incsubdomain.example.com")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://includesubdomains2.preloaded.test")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains2.preloaded.test")
+ )
+ );
+
+ // Clearing the data should make everything go back to default.
+ siteSecurityService.clearAll();
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://expired.example.com")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://notexpired.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://incsubdomain.example.com")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://sub.incsubdomain.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://includesubdomains2.preloaded.test")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains2.preloaded.test")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://badchecksum.example.com")
+ )
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
new file mode 100644
index 0000000000..76f073e998
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
@@ -0,0 +1,43 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create an empty site security service state
+// file and see that the site security service doesn't fail when reading it.
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ stateFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0x1a4); // 0x1a4 == 0o644
+ ok(stateFile.exists());
+ // Initialize nsISiteSecurityService after do_get_profile() so it
+ // can read the state file.
+ let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(siteSecurityService, null);
+ // nsISiteSecurityService.isSecureURI blocks until the backing file has been read.
+ // nonexistent.example.com should never be an HSTS host
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://nonexistent.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ // notexpired.example.com is an HSTS host in a different test - we
+ // want to make sure that test hasn't interfered with this one.
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://notexpired.example.com")
+ )
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
new file mode 100644
index 0000000000..794a402702
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
@@ -0,0 +1,77 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a mostly bogus old site security
+// service state file and see that the site security service migrates it
+// to the new format properly, discarding invalid data.
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_OLD_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let expiryTime = Date.now() + 100000;
+ let lines = [
+ // General state file entry tests.
+ `example1.example.com\t0\t0\t${expiryTime},1,0`,
+ "I'm a lumberjack and I'm okay; I work all night and I sleep all day!",
+ "This is a totally bogus entry\t",
+ "0\t0\t0\t0\t",
+ "\t\t\t\t\t\t\t",
+ "example.com\t\t\t\t\t\t\t",
+ "example3.example.com\t0\t\t\t\t\t\t",
+ `example2.example.com\t0\t0\t${expiryTime},1,0`,
+ // HSTS state string parsing tests
+ `extra.comma.example.com\t0\t0\t${expiryTime},,1,0`,
+ "empty.statestring.example.com\t0\t0\t",
+ "rubbish.statestring.example.com\t0\t0\tfoobar",
+ `spaces.statestring.example.com\t0\t0\t${expiryTime}, 1,0 `,
+ `invalid.expirytime.example.com\t0\t0\t${expiryTime}foo123,1,0`,
+ `text.securitypropertystate.example.com\t0\t0\t${expiryTime},1foo,0`,
+ `invalid.securitypropertystate.example.com\t0\t0\t${expiryTime},999,0`,
+ `text.includesubdomains.example.com\t0\t0\t${expiryTime},1,1foo`,
+ `invalid.includesubdomains.example.com\t0\t0\t${expiryTime},1,0foo`,
+ ];
+ writeLinesAndClose(lines, outputStream);
+
+ let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(siteSecurityService, null);
+
+ const HSTS_HOSTS = [
+ "https://example1.example.com",
+ "https://example2.example.com",
+ ];
+ for (let host of HSTS_HOSTS) {
+ ok(
+ siteSecurityService.isSecureURI(Services.io.newURI(host)),
+ `${host} should be HSTS enabled`
+ );
+ }
+
+ const NOT_HSTS_HOSTS = [
+ "https://example.com",
+ "https://example3.example.com",
+ "https://extra.comma.example.com",
+ "https://empty.statestring.example.com",
+ "https://rubbish.statestring.example.com",
+ "https://spaces.statestring.example.com",
+ "https://invalid.expirytime.example.com",
+ "https://text.securitypropertystate.example.com",
+ "https://invalid.securitypropertystate.example.com",
+ "https://text.includesubdomains.example.com",
+ "https://invalid.includesubdomains.example.com",
+ ];
+ for (let host of NOT_HSTS_HOSTS) {
+ ok(
+ !siteSecurityService.isSecureURI(Services.io.newURI(host)),
+ `${host} should not be HSTS enabled`
+ );
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_huge.js b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
new file mode 100644
index 0000000000..50b4f2198c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
@@ -0,0 +1,72 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create an old site security service state
+// file that is too large and see that the site security service migrates it to
+// the new format properly.
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_OLD_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let expiryTime = Date.now() + 100000;
+ let lines = [];
+ for (let i = 0; i < 10000; i++) {
+ // The 0s will all get squashed down into one 0 when they are read.
+ // This is just to make the file size large (>2MB).
+ lines.push(
+ `example${i}.example.com\t` +
+ "0000000000000000000000000000000000000000000000000\t" +
+ "00000000000000000000000000000000000000\t" +
+ `${expiryTime},1,0`
+ );
+ }
+ writeLinesAndClose(lines, outputStream);
+
+ let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(siteSecurityService, null);
+
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://example0.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://example423.example.com")
+ )
+ );
+ ok(
+ siteSecurityService.isSecureURI(
+ Services.io.newURI("https://example1023.example.com")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://example1024.example.com")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://example1025.example.com")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://example9000.example.com")
+ )
+ );
+ ok(
+ !siteSecurityService.isSecureURI(
+ Services.io.newURI("https://example99999.example.com")
+ )
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_resetState.js b/security/manager/ssl/tests/unit/test_sss_resetState.js
new file mode 100644
index 0000000000..4a667c05f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_resetState.js
@@ -0,0 +1,62 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that resetting HSTS state in the way the "forget about this site"
+// functionality does works as expected for preloaded and non-preloaded sites.
+
+do_get_profile();
+
+var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+);
+
+function test_removeState(originAttributes) {
+ info(`running test_removeState(originAttributes=${originAttributes})`);
+ // Simulate visiting a non-preloaded site by processing an HSTS header check
+ // that the HSTS bit gets set, simulate "forget about this site" (call
+ // removeState), and then check that the HSTS bit isn't set.
+ let notPreloadedURI = Services.io.newURI("https://not-preloaded.example.com");
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.processHeader(notPreloadedURI, "max-age=1000;", originAttributes);
+ ok(gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.resetState(notPreloadedURI, originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+ // Simulate visiting a non-preloaded site that unsets HSTS by processing
+ // an HSTS header with "max-age=0", check that the HSTS bit isn't
+ // set, simulate "forget about this site" (call removeState), and then check
+ // that the HSTS bit isn't set.
+ gSSService.processHeader(notPreloadedURI, "max-age=0;", originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.resetState(notPreloadedURI, originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+ // Simulate visiting a preloaded site by processing an HSTS header, check
+ // that the HSTS bit is still set, simulate "forget about this site"
+ // (call removeState), and then check that the HSTS bit is still set.
+ let preloadedHost = "includesubdomains.preloaded.test";
+ let preloadedURI = Services.io.newURI(`https://${preloadedHost}`);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.processHeader(preloadedURI, "max-age=1000;", originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.resetState(preloadedURI, originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+
+ // Simulate visiting a preloaded site that unsets HSTS by processing an
+ // HSTS header with "max-age=0", check that the HSTS bit is what we
+ // expect (see below), simulate "forget about this site" (call removeState),
+ // and then check that the HSTS bit is set.
+ gSSService.processHeader(preloadedURI, "max-age=0;", originAttributes);
+ ok(!gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.resetState(preloadedURI, originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+}
+
+function run_test() {
+ test_removeState({});
+ test_removeState({ privateBrowsingId: 1 });
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js
new file mode 100644
index 0000000000..e462eb78f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js
@@ -0,0 +1,59 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to ensure that Firefox sanitizes site security
+// service data on shutdown if configured to do so.
+
+ChromeUtils.defineESModuleGetters(this, {
+ Sanitizer: "resource:///modules/Sanitizer.sys.mjs",
+ TestUtils: "resource://testing-common/TestUtils.sys.mjs",
+});
+
+Sanitizer.onStartup();
+
+// This helps us away from test timed out. If service worker manager(swm) hasn't
+// been initilaized before profile-change-teardown, this test would fail due to
+// the shutdown blocker added by swm. Normally, swm should be initialized before
+// that and the similar crash signatures are fixed. So, assume this cannot
+// happen in the real world and initilaize swm here as a workaround.
+Cc["@mozilla.org/serviceworkers/manager;1"].getService(
+ Ci.nsIServiceWorkerManager
+);
+
+add_task(async function run_test() {
+ do_get_profile();
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let header = "max-age=50000";
+ SSService.processHeader(Services.io.newURI("https://example.com"), header);
+ await TestUtils.waitForCondition(() => {
+ let stateFileContents = get_data_storage_contents(SSS_STATE_FILE_NAME);
+ return stateFileContents
+ ? stateFileContents.includes("example.com")
+ : false;
+ });
+
+ // Configure Firefox to clear this data on shutdown.
+ Services.prefs.setBoolPref(
+ Sanitizer.PREF_SHUTDOWN_BRANCH + "siteSettings",
+ true
+ );
+ Services.prefs.setBoolPref(Sanitizer.PREF_SANITIZE_ON_SHUTDOWN, true);
+
+ // Simulate shutdown.
+ Services.startup.advanceShutdownPhase(
+ Services.startup.SHUTDOWN_PHASE_APPSHUTDOWNTEARDOWN
+ );
+ Services.startup.advanceShutdownPhase(
+ Services.startup.SHUTDOWN_PHASE_APPSHUTDOWN
+ );
+
+ await TestUtils.waitForCondition(() => {
+ let stateFile = do_get_profile();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ return !stateFile.exists();
+ });
+});
diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js
new file mode 100644
index 0000000000..6963f18d81
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_savestate.js
@@ -0,0 +1,91 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to see that the site security service properly
+// writes its state file.
+
+ChromeUtils.defineESModuleGetters(this, {
+ TestUtils: "resource://testing-common/TestUtils.sys.mjs",
+});
+
+const EXPECTED_ENTRIES = 5;
+const EXPECTED_HSTS_COLUMNS = 3;
+
+function contents_is_as_expected() {
+ // The file consists of a series of [score][last accessed][key][value], where
+ // score and last accessed are 2 bytes big-endian, key is 0-padded to 256
+ // bytes, and value is 0-padded to 24 bytes.
+ // Each score will be 1, and last accessed is some number of days (>255)
+ // since the epoch, so there will be 3 non-0 bytes just in front of the key.
+ // Splitting by 0 and filtering out zero-length strings will result in a series of
+ // [BBBkey1, value1, BBBkey2, value2, ...], where "BBB" are the score and
+ // last accessed bytes, which are ignored here.
+ let contents = get_data_storage_contents(SSS_STATE_FILE_NAME);
+ if (!contents) {
+ return false;
+ }
+ let keysAndValues = contents.split("\0").filter(s => !!s.length);
+ let keys = keysAndValues
+ .filter((_, i) => i % 2 == 0)
+ .map(key => key.substring(3));
+ let values = keysAndValues.filter((_, i) => i % 2 == 1);
+
+ if (keys.length != EXPECTED_ENTRIES || values.length != EXPECTED_ENTRIES) {
+ return false;
+ }
+
+ let sites = {}; // a map of domain name -> [the entry in the state file]
+ for (let i in keys) {
+ let host = keys[i];
+ let entry = values[i].split(",");
+ equal(entry.length, EXPECTED_HSTS_COLUMNS);
+ sites[host] = entry;
+ }
+
+ // each sites[url][1] should be SecurityPropertySet (i.e. 1).
+ // sites[url][2] corresponds to includeSubdomains, so every other one should
+ // be set (i.e. 1);
+ return (
+ sites["includesubdomains.preloaded.test"][1] == 1 &&
+ sites["includesubdomains.preloaded.test"][2] == 0 &&
+ sites["a.example.com"][1] == 1 &&
+ sites["a.example.com"][2] == 1 &&
+ sites["b.example.com"][1] == 1 &&
+ sites["b.example.com"][2] == 0 &&
+ sites["c.c.example.com"][1] == 1 &&
+ sites["c.c.example.com"][2] == 1 &&
+ sites["d.example.com"][1] == 1 &&
+ sites["d.example.com"][2] == 0
+ );
+}
+
+function process_headers() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+
+ let uris = [
+ Services.io.newURI("http://includesubdomains.preloaded.test"),
+ Services.io.newURI("http://a.example.com"),
+ Services.io.newURI("http://b.example.com"),
+ Services.io.newURI("http://c.c.example.com"),
+ Services.io.newURI("http://d.example.com"),
+ ];
+
+ for (let i = 0; i < 1000; i++) {
+ let uriIndex = i % uris.length;
+ // vary max-age, but have it be within one day of one year
+ let maxAge = "max-age=" + (i + 31536000);
+ // have every other URI set includeSubdomains
+ let includeSubdomains = uriIndex % 2 == 1 ? "; includeSubdomains" : "";
+ SSService.processHeader(uris[uriIndex], maxAge + includeSubdomains);
+ }
+}
+
+function run_test() {
+ do_get_profile();
+ process_headers();
+ TestUtils.waitForCondition(contents_is_as_expected);
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_fqdn.js b/security/manager/ssl/tests/unit/test_sts_fqdn.js
new file mode 100644
index 0000000000..3c136a9d99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_fqdn.js
@@ -0,0 +1,40 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+function run_test() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let uri = Services.io.newURI("https://example.com");
+ let uri1 = Services.io.newURI("https://example.com.");
+ let uri2 = Services.io.newURI("https://example.com..");
+ ok(!SSService.isSecureURI(uri));
+ ok(!SSService.isSecureURI(uri1));
+ // These cases are only relevant as long as bug 1118522 hasn't been fixed.
+ ok(!SSService.isSecureURI(uri2));
+
+ SSService.processHeader(uri, "max-age=1000;includeSubdomains");
+ ok(SSService.isSecureURI(uri));
+ ok(SSService.isSecureURI(uri1));
+ ok(SSService.isSecureURI(uri2));
+
+ SSService.resetState(uri);
+ ok(!SSService.isSecureURI(uri));
+ ok(!SSService.isSecureURI(uri1));
+ ok(!SSService.isSecureURI(uri2));
+
+ // Somehow creating this malformed URI succeeds - we need to handle it
+ // gracefully.
+ uri = Services.io.newURI("https://../foo");
+ equal(uri.host, "..");
+ throws(
+ () => {
+ SSService.isSecureURI(uri);
+ },
+ /NS_ERROR_UNEXPECTED/,
+ "Malformed URI should be rejected"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
new file mode 100644
index 0000000000..4ffac59356
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
@@ -0,0 +1,55 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+function check_ip(s, v, ip) {
+ let str = "https://";
+ if (v == 6) {
+ str += "[";
+ }
+ str += ip;
+ if (v == 6) {
+ str += "]";
+ }
+ str += "/";
+
+ let uri = Services.io.newURI(str);
+ ok(!s.isSecureURI(uri));
+
+ let parsedMaxAge = {};
+ let parsedIncludeSubdomains = {};
+ s.processHeader(
+ uri,
+ "max-age=1000;includeSubdomains",
+ {},
+ parsedMaxAge,
+ parsedIncludeSubdomains
+ );
+ ok(
+ !s.isSecureURI(uri),
+ "URI should not be secure if it contains an IP address"
+ );
+
+ /* Test that processHeader will ignore headers for an uri, if the uri
+ * contains an IP address not a hostname.
+ * If processHeader indeed ignore the header, then the output parameters will
+ * remain empty, and we shouldn't see the values passed as the header.
+ */
+ notEqual(parsedMaxAge.value, 1000);
+ notEqual(parsedIncludeSubdomains.value, true);
+ notEqual(parsedMaxAge.value, undefined);
+ notEqual(parsedIncludeSubdomains.value, undefined);
+}
+
+function run_test() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+
+ check_ip(SSService, 4, "127.0.0.1");
+ check_ip(SSService, 4, "10.0.0.1");
+ check_ip(SSService, 6, "2001:db8::1");
+ check_ip(SSService, 6, "1080::8:800:200C:417A");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_parser.js b/security/manager/ssl/tests/unit/test_sts_parser.js
new file mode 100644
index 0000000000..3d99a44e79
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_parser.js
@@ -0,0 +1,126 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// STS parser tests
+
+let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
+
+function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) {
+ let dummyUri = Services.io.newURI("https://foo.com/bar.html");
+ let maxAge = {};
+ let includeSubdomains = {};
+
+ sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains);
+
+ equal(maxAge.value, expectedMaxAge, "Did not correctly parse maxAge");
+ equal(
+ includeSubdomains.value,
+ expectedIncludeSubdomains,
+ "Did not correctly parse presence/absence of includeSubdomains"
+ );
+}
+
+function testFailure(header) {
+ let dummyUri = Services.io.newURI("https://foo.com/bar.html");
+ let maxAge = {};
+ let includeSubdomains = {};
+
+ throws(
+ () => {
+ sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains);
+ },
+ /NS_ERROR_FAILURE/,
+ "Parsed invalid header: " + header
+ );
+}
+
+function run_test() {
+ // SHOULD SUCCEED:
+ testSuccess("max-age=100", 100, false);
+ testSuccess("max-age =100", 100, false);
+ testSuccess(" max-age=100", 100, false);
+ testSuccess("max-age = 100 ", 100, false);
+ testSuccess('max-age = "100" ', 100, false);
+ testSuccess('max-age="100"', 100, false);
+ testSuccess(' max-age ="100" ', 100, false);
+ testSuccess('\tmax-age\t=\t"100"\t', 100, false);
+ testSuccess("max-age = 100 ", 100, false);
+
+ testSuccess("maX-aGe=100", 100, false);
+ testSuccess("MAX-age =100", 100, false);
+ testSuccess("max-AGE=100", 100, false);
+ testSuccess("Max-Age = 100 ", 100, false);
+ testSuccess("MAX-AGE = 100 ", 100, false);
+
+ testSuccess("max-age=100;includeSubdomains", 100, true);
+ testSuccess("max-age=100\t; includeSubdomains", 100, true);
+ testSuccess(" max-age=100; includeSubdomains", 100, true);
+ testSuccess("max-age = 100 ; includeSubdomains", 100, true);
+ testSuccess(
+ "max-age = 100 ; includeSubdomains",
+ 100,
+ true
+ );
+
+ testSuccess("maX-aGe=100; includeSUBDOMAINS", 100, true);
+ testSuccess("MAX-age =100; includeSubDomains", 100, true);
+ testSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", 100, true);
+ testSuccess("Max-Age = 100; includesubdomains ", 100, true);
+ testSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", 100, true);
+ // Turns out, the actual directive is entirely optional (hence the
+ // trailing semicolon)
+ testSuccess("max-age=100;includeSubdomains;", 100, true);
+
+ // these are weird tests, but are testing that some extended syntax is
+ // still allowed (but it is ignored)
+ testSuccess("max-age=100 ; includesubdomainsSomeStuff", 100, false);
+ testSuccess(
+ "\r\n\t\t \tcompletelyUnrelated = foobar; max-age= 34520103" +
+ "\t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t",
+ 34520103,
+ true
+ );
+ testSuccess('max-age=100; unrelated="quoted \\"thingy\\""', 100, false);
+
+ // Test a max-age greater than 100 years. It will be capped at 100 years.
+ testSuccess("max-age=4294967296", 60 * 60 * 24 * 365 * 100, false);
+
+ // SHOULD FAIL:
+ // invalid max-ages
+ testFailure("max-age");
+ testFailure("max-age ");
+ testFailure("max-age=p");
+ testFailure("max-age=*1p2");
+ testFailure("max-age=.20032");
+ testFailure("max-age=!20032");
+ testFailure("max-age==20032");
+
+ // invalid headers
+ testFailure("foobar");
+ testFailure("maxage=100");
+ testFailure("maxa-ge=100");
+ testFailure("max-ag=100");
+ testFailure("includesubdomains");
+ testFailure(";");
+ testFailure('max-age="100');
+ // The max-age directive here doesn't conform to the spec, so it MUST
+ // be ignored. Consequently, the REQUIRED max-age directive is not
+ // present in this header, and so it is invalid.
+ testFailure("max-age=100, max-age=200; includeSubdomains");
+ testFailure("max-age=100 includesubdomains");
+ testFailure("max-age=100 bar foo");
+ testFailure("max-age=100randomstuffhere");
+ // All directives MUST appear only once in an STS header field.
+ testFailure("max-age=100; max-age=200");
+ testFailure("includeSubdomains; max-age=200; includeSubdomains");
+ testFailure("max-age=200; includeSubdomains; includeSubdomains");
+ // The includeSubdomains directive is valueless.
+ testFailure("max-age=100; includeSubdomains=unexpected");
+ // LWS must have at least one space or horizontal tab
+ testFailure("\r\nmax-age=200");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
new file mode 100644
index 0000000000..6b1b4a5ba6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
@@ -0,0 +1,269 @@
+"use strict";
+
+var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+);
+
+function Observer() {}
+Observer.prototype = {
+ observe(subject, topic, data) {
+ if (topic == "last-pb-context-exited") {
+ run_next_test();
+ }
+ },
+};
+
+var gObserver = new Observer();
+
+function cleanup() {
+ Services.obs.removeObserver(gObserver, "last-pb-context-exited");
+ gSSService.clearAll();
+}
+
+function run_test() {
+ do_get_profile();
+
+ registerCleanupFunction(cleanup);
+ Services.obs.addObserver(gObserver, "last-pb-context-exited");
+
+ add_test(test_part1);
+ add_test(test_private_browsing1);
+ add_test(test_private_browsing2);
+
+ run_next_test();
+}
+
+function test_part1() {
+ // check that a host not in the list is not identified as an sts host
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://nonexistent.example.com")
+ )
+ );
+
+ // check that an ancestor domain is not identified as an sts host
+ ok(!gSSService.isSecureURI(Services.io.newURI("https://com")));
+
+ // check that the pref to toggle using the preload list works
+ Services.prefs.setBoolPref(
+ "network.stricttransportsecurity.preloadlist",
+ false
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ Services.prefs.setBoolPref(
+ "network.stricttransportsecurity.preloadlist",
+ true
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+
+ // check that a subdomain is an sts host (includeSubdomains is set)
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+
+ // check that another subdomain is an sts host (includeSubdomains is set)
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://a.b.c.def.includesubdomains.preloaded.test")
+ )
+ );
+
+ // check that a subdomain is not an sts host (includeSubdomains is not set)
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test")
+ )
+ );
+
+ // check that a host with a dot on the end won't break anything
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://notsts.nonexistent.example.com.")
+ )
+ );
+
+ // check that processing a header with max-age: 0 will remove a preloaded
+ // site from the list
+ let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+ let subDomainUri = Services.io.newURI(
+ "https://subdomain.includesubdomains.preloaded.test"
+ );
+ gSSService.processHeader(uri, "max-age=0");
+ ok(!gSSService.isSecureURI(uri));
+ ok(!gSSService.isSecureURI(subDomainUri));
+ // check that processing another header (with max-age non-zero) will
+ // re-enable a site's sts status
+ gSSService.processHeader(uri, "max-age=1000");
+ ok(gSSService.isSecureURI(uri));
+ // but this time include subdomains was not set, so test for that
+ ok(!gSSService.isSecureURI(subDomainUri));
+ gSSService.clearAll();
+
+ // check that processing a header with max-age: 0 from a subdomain of a site
+ // will not remove that (ancestor) site from the list
+ uri = Services.io.newURI(
+ "https://subdomain.noincludesubdomains.preloaded.test"
+ );
+ gSSService.processHeader(uri, "max-age=0");
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://noincludesubdomains.preloaded.test")
+ )
+ );
+ ok(!gSSService.isSecureURI(uri));
+
+ uri = Services.io.newURI(
+ "https://subdomain.includesubdomains.preloaded.test"
+ );
+ gSSService.processHeader(uri, "max-age=0");
+ // we received a header with "max-age=0", so we have "no information"
+ // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically,
+ // but it is actually still an STS host, because of the preloaded
+ // includesubdomains.preloaded.test including subdomains.
+ // Here's a drawing:
+ // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+ // |-- subdomain.includesubdomains.preloaded.test IS sts host
+ // | `-- another.subdomain.includesubdomains.preloaded.test IS sts host
+ // `-- sibling.includesubdomains.preloaded.test IS sts host
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://sibling.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI(
+ "https://another.subdomain.includesubdomains.preloaded.test"
+ )
+ )
+ );
+
+ gSSService.processHeader(uri, "max-age=1000");
+ // Here's what we have now:
+ // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+ // |-- subdomain.includesubdomains.preloaded.test (include subdomains is false) IS sts host
+ // | `-- another.subdomain.includesubdomains.preloaded.test IS sts host
+ // `-- sibling.includesubdomains.preloaded.test IS sts host
+ // Note that another.subdomain.includesubdomains.preloaded.test IS still an sts host, because
+ // there exists a superdomain that is sts and asserts includeSubdomains (namely,
+ // includesubdomains.preloaded.test)
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://sibling.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI(
+ "https://another.subdomain.includesubdomains.preloaded.test"
+ )
+ )
+ );
+
+ // Test that an expired non-private browsing entry results in correctly
+ // identifying a host that is on the preload list as no longer sts.
+ // (This happens when we're in regular browsing mode, we get a header from
+ // a site on the preload list, and that header later expires. We need to
+ // then treat that host as no longer an sts host.)
+ // (sanity check first - this should be in the preload list)
+ uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
+ ok(gSSService.isSecureURI(uri));
+ gSSService.processHeader(uri, "max-age=1");
+ do_timeout(1250, function () {
+ ok(!gSSService.isSecureURI(uri));
+ run_next_test();
+ });
+}
+
+const PRIVATE_ORIGIN_ATTRIBUTES = { privateBrowsingId: 1 };
+
+function test_private_browsing1() {
+ gSSService.clearAll();
+ let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+ let subDomainUri = Services.io.newURI(
+ "https://a.b.c.subdomain.includesubdomains.preloaded.test"
+ );
+ // sanity - includesubdomains.preloaded.test is preloaded, includeSubdomains set
+ ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ ok(gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES);
+ ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ // check adding it back in
+ gSSService.processHeader(uri, "max-age=1000", PRIVATE_ORIGIN_ATTRIBUTES);
+ ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ // but no includeSubdomains this time
+ ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ // do the hokey-pokey...
+ gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES);
+ ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ // Test that an expired private browsing entry results in correctly
+ // identifying a host that is on the preload list as no longer sts.
+ // (This happens when we're in private browsing mode, we get a header from
+ // a site on the preload list, and that header later expires. We need to
+ // then treat that host as no longer an sts host.)
+ // (sanity check first - this should be in the preload list)
+ uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
+ ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ gSSService.processHeader(uri, "max-age=1", PRIVATE_ORIGIN_ATTRIBUTES);
+ do_timeout(1250, function () {
+ ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ // Simulate leaving private browsing mode
+ Services.obs.notifyObservers(null, "last-pb-context-exited");
+ });
+}
+
+function test_private_browsing2() {
+ // if this test gets this far, it means there's a private browsing service
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ // the includesubdomains.preloaded.test entry has includeSubdomains set
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+
+ // Now that we're out of private browsing mode, we need to make sure
+ // we've "forgotten" that we "forgot" this site's sts status.
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains2.preloaded.test")
+ )
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
new file mode 100644
index 0000000000..334fbf8a7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
@@ -0,0 +1,22 @@
+"use strict";
+
+function run_test() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+
+ // check that a host on the preload list is identified as an sts host
+ ok(SSService.isSecureURI(uri));
+
+ // now simulate that it's 19 weeks later than it actually is
+ let offsetSeconds = 19 * 7 * 24 * 60 * 60;
+ Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
+
+ // check that the preloaded host is no longer considered sts
+ ok(!SSService.isSecureURI(uri));
+
+ // just make sure we can get everything back to normal
+ Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
+ ok(SSService.isSecureURI(uri));
+}
diff --git a/security/manager/ssl/tests/unit/test_validity.js b/security/manager/ssl/tests/unit/test_validity.js
new file mode 100644
index 0000000000..e1ee44b060
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -0,0 +1,106 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that chains containing an end-entity cert with an overly long validity
+// period are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+ let expectedPaths = expectedCertNames.slice();
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_validity",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function certFromFile(filename) {
+ return constructCertFromFile(`test_validity/${filename}`);
+}
+
+function loadCert(certFilename, trustString) {
+ addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
+}
+
+/**
+ * Asynchronously runs a single EV test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ * An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ * The file name of the root cert. Can begin with ".." to reference
+ * certs in folders other than "test_validity/".
+ * @param {Array} intCertFileNames
+ * An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ * The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ * Whether the chain is expected to validate as EV.
+ */
+async function doEVTest(
+ expectedNamesForOCSP,
+ rootCertFileName,
+ intCertFileNames,
+ endEntityCertFileName,
+ expectedResult
+) {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+ loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(`${intCertFileName}.pem`, ",,");
+ }
+ await checkEVStatus(
+ certDB,
+ certFromFile(`${endEntityCertFileName}.pem`),
+ certificateUsageSSLServer,
+ expectedResult
+ );
+
+ await stopOCSPResponder(ocspResponder);
+}
+
+async function checkEVChains() {
+ // Chain with an end entity cert with a validity period that is acceptable
+ // for EV.
+ const intFullName = "ev_int_60_months-evroot";
+ let eeFullName = `ev_ee_27_months-${intFullName}`;
+ let expectedNamesForOCSP = [eeFullName];
+ await doEVTest(
+ expectedNamesForOCSP,
+ "../test_ev_certs/evroot",
+ [intFullName],
+ eeFullName,
+ gEVExpected
+ );
+
+ // Chain with an end entity cert with a validity period that is too long
+ // for EV.
+ eeFullName = `ev_ee_28_months-${intFullName}`;
+ expectedNamesForOCSP = [eeFullName];
+ await doEVTest(
+ expectedNamesForOCSP,
+ "../test_ev_certs/evroot",
+ [intFullName],
+ eeFullName,
+ false
+ );
+}
+
+add_task(async function () {
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ await checkEVChains();
+});
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..aaf8b498bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUY9hPK5Ff+dVl+bpyQq1nHl6nlc8wDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMjEx
+MTUxMjAwMDBaGA8yMDI1MDIxNTEyMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjdf
+bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG
+AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4
+ODg4L2V2X2VlXzI3X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD
+VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB
+AFyaoN7S5Kj+6FEOtM70dfhnHR8qF+3t946fztY5Ap9P49LmyOusITodzfsaGKB+
+sAA/w1+R/gPBnNjLo+RgaDHjm24dbCQHARIiQwmWZuKpwxV6D3RQUiskFu9JT16U
+A/VwrMkDxOUEbNcZ6ysaQ4yNS0OjNzLbWL7Iwwxd8HnSJeyBDhBR2m2d7uIgAP8Z
+ZOa3Zbk/Vk/gifnQkX3fExybZHla17rpZ78oUZr3itPTSCoZchZkQRj3YKgbW1eX
+spHmm05DEhZrAagXfy5HKGuahT7bH9YdmzYNBudtgo/PT4rYMeRK9KoF2s50yHQ6
+m6MKlx3Fe6rkFI8dQQwKuYU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..d2c7fa1275
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_60_months-evroot
+subject:ev_ee_27_months-ev_int_60_months-evroot
+validity:823
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_27_months-ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..4a04867f48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUQetbhf/P9ZguDkeS/tY1AQgNWiYwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMjEw
+MzEwMDAwMDBaGA8yMDI1MDMwMzAwMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjhf
+bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG
+AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4
+ODg4L2V2X2VlXzI4X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD
+VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB
+AFP2HCOWpflh1TIMdBgnfRGmu2vuDmPCZmYJp0C06UFoMJi9A5XFEUHNKc7zvvof
+RhZx7nR03YxNavTclMrnJLFrcL6vaygsuMumsY+ipcCeNVk+AiB4E3iyhfkf8fxE
+iU63QXoPAAjv3Tpduv6Qqht0s4A9V5/XtIpOKKkthgIBboxHLg0jfAbEa3pOZXZf
+3lebCXyshl7Nxfm7soMLW1uBOtdrZEmSJJLQyPv9oQ5dQFBX2a/4lokdSCfTMng4
+k2UBgbKOf1zJivB0F97FEitw+LJz9HzQ/6HHF9GNYA5VIZTie1xrtUJsCtG2n8VJ
+WlX0qTD4H9UKg53KLhLUOro=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..2dcfb2e29c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_60_months-evroot
+subject:ev_ee_28_months-ev_int_60_months-evroot
+validity:854
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_28_months-ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..9aef7ce612
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUNUgRbd0SqGrb5aXqd6f3AXyywlowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjEwNzAyMTIwMDAwWhgPMjAyNjA3
+MDExMjAwMDBaMCIxIDAeBgNVBAMMF2V2X2ludF82MF9tb250aHMtZXZyb290MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABo4GRMIGOMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMFAGCCsGAQUFBwEB
+BEQwQjBABggrBgEFBQcwAYY0aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2
+X2ludF82MF9tb250aHMtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUa
+hRoBg3QJATANBgkqhkiG9w0BAQsFAAOCAQEANm/Z3UW4IQGo5WfrEzD80fM73y8R
+kt890DnDZPohiyup+YpApWUy/yv0KqBton1qkQwbZY3oiGeKI7FAlTzXexWp86C+
+gL87q07Ys3lxyn1hBJB7kIs0nafNrbHC4wL8WFUCwrjs4vgYMfCVzFBu2Wmwmq5u
+7WGUqIF5xK1stag6Ml3g2uyDTMzyesQnTw14a9kBc1iD+i2ZmelP4A0FDT1jXPA5
+fVR4uvaIAzWGUu4JAe8obupzbJIaPAuondHnHSbl/WQDlZSPDarxEML1nS9ltV04
+Xbqu0pVBWyZDGwhSWGGJcOgkipx2Rzkvn5AKgp3qdaweN/rLmNXKY2pqzw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..e169514ffa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_60_months-evroot
+issuerKey:ev
+validity:1825
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key b/security/manager/ssl/tests/unit/test_validity/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem b/security/manager/ssl/tests/unit/test_validity/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_x509.js b/security/manager/ssl/tests/unit/test_x509.js
new file mode 100644
index 0000000000..89fd01e819
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_x509.js
@@ -0,0 +1,124 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests X509.jsm functionality.
+
+function stringToArray(s) {
+ let b = [];
+ for (let i = 0; i < s.length; i++) {
+ b.push(s.charCodeAt(i));
+ }
+ return b;
+}
+
+function readPEMToBytes(filename) {
+ return stringToArray(atob(pemToBase64(readFile(do_get_file(filename)))));
+}
+
+function run_test() {
+ let certificate = new X509.Certificate();
+ // We use this certificate because it has a set validity period, which means that when
+ // the test certificates get regenerated each year, the values in this test won't change.
+ certificate.parse(readPEMToBytes("bad_certs/expired-ee.pem"));
+
+ equal(
+ certificate.tbsCertificate.version,
+ 3,
+ "expired-ee.pem should be x509v3"
+ );
+
+ // serialNumber
+ deepEqual(
+ certificate.tbsCertificate.serialNumber,
+ [
+ 0x63, 0xd1, 0x11, 0x00, 0x82, 0xa3, 0xd2, 0x3b, 0x3f, 0x61, 0xb8, 0x49,
+ 0xa0, 0xca, 0xdc, 0x2e, 0x78, 0xfe, 0xfa, 0xea,
+ ],
+ "expired-ee.pem should have expected serialNumber"
+ );
+
+ deepEqual(
+ certificate.tbsCertificate.signature.algorithm._values,
+ [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption
+ "expired-ee.pem should have sha256WithRSAEncryption signature"
+ );
+ deepEqual(
+ certificate.tbsCertificate.signature.parameters._contents,
+ [],
+ "expired-ee.pem should have NULL parameters for signature"
+ );
+
+ equal(
+ certificate.tbsCertificate.issuer.rdns.length,
+ 1,
+ "expired-ee.pem should have one RDN in issuer"
+ );
+ equal(
+ certificate.tbsCertificate.issuer.rdns[0].avas.length,
+ 1,
+ "expired-ee.pem should have one AVA in RDN in issuer"
+ );
+ deepEqual(
+ certificate.tbsCertificate.issuer.rdns[0].avas[0].value.value,
+ stringToArray("Test CA"),
+ "expired-ee.pem should have issuer 'Test CA'"
+ );
+
+ equal(
+ certificate.tbsCertificate.validity.notBefore.time.getTime(),
+ Date.parse("2013-01-01T00:00:00.000Z"),
+ "expired-ee.pem should have the correct value for notBefore"
+ );
+ equal(
+ certificate.tbsCertificate.validity.notAfter.time.getTime(),
+ Date.parse("2014-01-01T00:00:00.000Z"),
+ "expired-ee.pem should have the correct value for notAfter"
+ );
+
+ equal(
+ certificate.tbsCertificate.subject.rdns.length,
+ 1,
+ "expired-ee.pem should have one RDN in subject"
+ );
+ equal(
+ certificate.tbsCertificate.subject.rdns[0].avas.length,
+ 1,
+ "expired-ee.pem should have one AVA in RDN in subject"
+ );
+ deepEqual(
+ certificate.tbsCertificate.subject.rdns[0].avas[0].value.value,
+ stringToArray("Expired Test End-entity"),
+ "expired-ee.pem should have subject 'Expired Test End-entity'"
+ );
+
+ deepEqual(
+ certificate.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm._values,
+ [1, 2, 840, 113549, 1, 1, 1], // rsaEncryption
+ "expired-ee.pem should have a spki algorithm of rsaEncryption"
+ );
+
+ equal(
+ certificate.tbsCertificate.extensions.length,
+ 2,
+ "expired-ee.pem should have two extensions"
+ );
+
+ deepEqual(
+ certificate.signatureAlgorithm.algorithm._values,
+ [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption
+ "expired-ee.pem should have sha256WithRSAEncryption signatureAlgorithm"
+ );
+ deepEqual(
+ certificate.signatureAlgorithm.parameters._contents,
+ [],
+ "expired-ee.pem should have NULL parameters for signatureAlgorithm"
+ );
+
+ equal(
+ certificate.signatureValue.length,
+ 2048 / 8,
+ "length of signature on expired-ee.pem should be 2048 bits"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
new file mode 100644
index 0000000000..1ccd5e876b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
@@ -0,0 +1,141 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct BadCertAndPinningHost {
+ const char* mHostName;
+ const char* mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
+ {"expired.example.com", "expired-ee"},
+ {"notyetvalid.example.com", "notYetValid"},
+ {"before-epoch.example.com", "beforeEpoch"},
+ {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"},
+ {"selfsigned.example.com", "selfsigned"},
+ {"unknownissuer.example.com", "unknownissuer"},
+ {"mismatch.example.com", "mismatch"},
+ {"mismatch-CN.example.com", "mismatchCN"},
+ {"mitm.example.com", "mitm"},
+ {"expiredissuer.example.com", "expiredissuer"},
+ {"notyetvalidissuer.example.com", "notYetValidIssuer"},
+ {"before-epoch-issuer.example.com", "beforeEpochIssuer"},
+ {"md5signature.example.com", "md5signature"},
+ {"untrusted.example.com", "default-ee"},
+ {"untrustedissuer.example.com", "untrustedissuer"},
+ {"mismatch-expired.example.com", "mismatch-expired"},
+ {"mismatch-notYetValid.example.com", "mismatch-notYetValid"},
+ {"mismatch-untrusted.example.com", "mismatch-untrusted"},
+ {"untrusted-expired.example.com", "untrusted-expired"},
+ {"md5signature-expired.example.com", "md5signature-expired"},
+ {"mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired"},
+ {"inadequatekeyusage.example.com", "inadequatekeyusage-ee"},
+ {"selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU"},
+ {"self-signed-end-entity-with-cA-true.example.com",
+ "self-signed-EE-with-cA-true"},
+ {"ca-used-as-end-entity.example.com", "ca-used-as-end-entity"},
+ {"ca-used-as-end-entity-name-mismatch.example.com",
+ "ca-used-as-end-entity"},
+ // All of include-subdomains.pinning.example.com is pinned to End Entity
+ // Test Cert with nick default-ee. Any other nick will only
+ // pass pinning when security.cert_pinning.enforcement.level != strict and
+ // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
+ {"include-subdomains.pinning.example.com", "default-ee"},
+ {"good.include-subdomains.pinning.example.com", "default-ee"},
+ {"bad.include-subdomains.pinning.example.com", "other-issuer-ee"},
+ {"bad.include-subdomains.pinning.example.com.", "other-issuer-ee"},
+ {"bad.include-subdomains.pinning.example.com..", "other-issuer-ee"},
+ {"exclude-subdomains.pinning.example.com", "default-ee"},
+ {"sub.exclude-subdomains.pinning.example.com", "other-issuer-ee"},
+ {"test-mode.pinning.example.com", "other-issuer-ee"},
+ {"unknownissuer.include-subdomains.pinning.example.com", "unknownissuer"},
+ {"unknownissuer.test-mode.pinning.example.com", "unknownissuer"},
+ {"nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical"},
+ {"nsCertTypeCriticalWithExtKeyUsage.example.com",
+ "nsCertTypeCriticalWithExtKeyUsage"},
+ {"nsCertTypeCritical.example.com", "nsCertTypeCritical"},
+ {"end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert"},
+ {"end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA"},
+ {"inadequate-key-size-ee.example.com", "inadequateKeySizeEE"},
+ {"badSubjectAltNames.example.com", "badSubjectAltNames"},
+ {"ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN"},
+ {"noValidNames.example.com", "noValidNames"},
+ {"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate"},
+ {"emptyissuername.example.com", "emptyIssuerName"},
+ {"ev-test.example.com", "ev-test"},
+ {"ee-from-missing-intermediate.example.com",
+ "ee-from-missing-intermediate"},
+ {"imminently-distrusted.example.com", "ee-imminently-distrusted"},
+ {"localhost", "unknownissuer"},
+ {"a.pinning.example.com", "default-ee"},
+ {"b.pinning.example.com", "default-ee"},
+ {"not-preloaded.example.com", "default-ee"},
+ {"ee.example.com", "default-ee"},
+ {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+ const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ UniquePORTString name(
+ static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+ if (name) {
+ PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+ if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+ nullptr) == SECSuccess) {
+ return 0;
+ }
+ }
+ }
+
+ return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const BadCertAndPinningHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sBadCertAndPinningHosts);
+ if (!host) {
+ // No static cert <-> hostname mapping found. This happens when we use a
+ // collection of certificates in a given directory and build a cert DB at
+ // runtime, rather than using an NSS cert DB populated at build time.
+ // (This will be the default in the future.)
+ // For all given server names, check if the runtime-built cert DB contains
+ // a certificate with a matching subject CN.
+ return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp
new file mode 100644
index 0000000000..17c12cb34a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp
@@ -0,0 +1,142 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server used to test Delegated Credentials
+// (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03).
+//
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <iostream>
+
+#include "TLSServer.h"
+
+#include "sslexp.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct DelegatedCertHost {
+ const char* mHostName;
+ const char* mCertName;
+ const char* mDCKeyNick;
+ bool mEnableDelegatedCredentials;
+};
+
+const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
+
+// {host, eeCert, dcCert, enableDC}
+const DelegatedCertHost sDelegatedCertHosts[] = {
+ {"delegated-enabled.example.com", "delegated-ee", "delegated.key", true},
+ {"standard-enabled.example.com", "default-ee", "delegated.key", true},
+ {"delegated-disabled.example.com", "delegated-ee",
+ /* anything non-null */ "delegated.key", false},
+ {nullptr, nullptr, nullptr, false}};
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const DelegatedCertHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sDelegatedCertHosts);
+ if (!host) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ std::cerr << "Identified host " << host->mHostName << '\n';
+ }
+
+ UniqueCERTCertificate delegatorCert(
+ PK11_FindCertFromNickname(host->mCertName, nullptr));
+ if (!delegatorCert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ SSLExtraServerCertData extra_data = {ssl_auth_null,
+ /* Filled in by callee */ nullptr,
+ nullptr,
+ nullptr,
+ /* DC */ nullptr,
+ /* DC PrivKey */ nullptr};
+
+ UniqueSECKEYPrivateKey delegatorPriv(
+ PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr));
+ if (!delegatorPriv) {
+ PrintPRError("PK11_FindKeyByDERCert failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // Find the DC keypair by the file (nick) name.
+ ScopedAutoSECItem dc;
+ UniqueSECKEYPrivateKey dcPriv;
+ if (host->mEnableDelegatedCredentials) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ std::cerr << "Enabling a delegated credential for host "
+ << host->mHostName << '\n';
+ }
+
+ if (PK11_NeedLogin(slot.get())) {
+ SECStatus rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr);
+ if (rv != SECSuccess) {
+ PrintPRError("PK11_Authenticate failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+ }
+ UniqueSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot(
+ slot.get(), const_cast<char*>(host->mDCKeyNick), nullptr));
+ if (!list) {
+ PrintPRError("PK11_ListPrivKeysInSlot failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+ SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(list);
+
+ dcPriv.reset(SECKEY_CopyPrivateKey(node->key));
+ if (!dcPriv) {
+ PrintPRError("PK11_ListPrivKeysInSlot could not find dcPriv");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ UniqueSECKEYPublicKey dcPub(SECKEY_ConvertToPublicKey(dcPriv.get()));
+ if (!dcPub) {
+ PrintPRError("SECKEY_ConvertToPublicKey failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // Create and set the DC.
+ if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(),
+ dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384,
+ kDCValidFor, PR_Now(), &dc) != SECSuccess) {
+ PrintPRError("SSL_DelegateCredential failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+ extra_data.delegCred = &dc;
+ extra_data.delegCredPrivKey = dcPriv.get();
+
+ // The list should only have a single key.
+ PORT_Assert(PRIVKEY_LIST_END(PRIVKEY_LIST_NEXT(node), list));
+ }
+
+ if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr,
+ &extra_data) != SECSuccess) {
+ PrintPRError("ConfigSecureServerWithNamedCert failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp
new file mode 100644
index 0000000000..fd284874b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp
@@ -0,0 +1,178 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that offers TLS 1.3 Encrypted
+// Client Hello support.
+
+#include <stdio.h>
+
+#include "nspr.h"
+#include "ScopedNSSTypes.h"
+#include "ssl.h"
+#include "sslexp.h"
+#include "TLSServer.h"
+#include <pk11pub.h>
+#include <vector>
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct EchHost {
+ const char* mHostName;
+ const char* mCertName;
+};
+
+const std::vector<uint32_t> kSuiteChaCha = {
+ (static_cast<uint32_t>(HpkeKdfHkdfSha256) << 16) |
+ HpkeAeadChaCha20Poly1305};
+
+// Hostname, cert nickname pairs.
+const EchHost sEchHosts[] = {{"ech-public.example.com", "default-ee"},
+ {"ech-private.example.com", "private-ee"},
+ {"selfsigned.example.com", "selfsigned"},
+ {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+ const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ UniquePORTString name(
+ static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+ if (name) {
+ PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+ if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+ nullptr) == SECSuccess) {
+ return 0;
+ }
+ }
+ }
+
+ return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const EchHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sEchHosts);
+ if (!host) {
+ PrintPRError("No cert found for hostname");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int32_t SetAlpnOptions(PRFileDesc* aFd, uint8_t flags) {
+ const std::vector<uint8_t> http1 = {0x08, 0x68, 0x74, 0x74, 0x70,
+ 0x2f, 0x31, 0x2e, 0x31};
+ const std::vector<uint8_t> http2 = {0x02, 0x68, 0x32};
+ const std::vector<uint8_t> http3 = {0x02, 0x68, 0x33};
+ std::vector<uint8_t> alpnVec = {};
+ if (flags & 0b001) {
+ alpnVec.insert(alpnVec.end(), http1.begin(), http1.end());
+ }
+ if (flags & 0b010) {
+ alpnVec.insert(alpnVec.end(), http2.begin(), http2.end());
+ }
+ if (flags & 0b100) {
+ alpnVec.insert(alpnVec.end(), http3.begin(), http3.end());
+ }
+ fprintf(stderr, "ALPN Flags: %u\n", flags);
+ fprintf(stderr, "ALPN length: %zu\n", alpnVec.size());
+ if (SSL_SetNextProtoNego(aFd, alpnVec.data(), alpnVec.size()) != SECSuccess) {
+ fprintf(stderr, "Setting ALPN failed!\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+SECStatus ConfigureServer(PRFileDesc* aFd) {
+ const char* alpnFlag = PR_GetEnv("MOZ_TLS_ECH_ALPN_FLAG");
+ if (alpnFlag) {
+ uint8_t flag = atoi(alpnFlag);
+ SetAlpnOptions(aFd, flag);
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+
+ UniqueSECKEYPublicKey pubKey;
+ UniqueSECKEYPrivateKey privKey;
+ SECKEYPublicKey* tmpPubKey = nullptr;
+ SECKEYPrivateKey* tmpPrivKey = nullptr;
+
+ static const std::vector<uint8_t> pkcs8{
+ 0x30, 0x67, 0x02, 0x01, 0x00, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48,
+ 0xce, 0x3d, 0x02, 0x01, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xda,
+ 0x47, 0x0f, 0x01, 0x04, 0x4c, 0x30, 0x4a, 0x02, 0x01, 0x01, 0x04, 0x20,
+ 0x8c, 0x49, 0x0e, 0x5b, 0x0c, 0x7d, 0xbe, 0x0c, 0x6d, 0x21, 0x92, 0x48,
+ 0x4d, 0x2b, 0x7a, 0x04, 0x23, 0xb3, 0xb4, 0x54, 0x4f, 0x24, 0x81, 0x09,
+ 0x5a, 0x99, 0xdb, 0xf2, 0x38, 0xfb, 0x35, 0x0f, 0xa1, 0x23, 0x03, 0x21,
+ 0x00, 0x8a, 0x07, 0x56, 0x39, 0x49, 0xfa, 0xc6, 0x23, 0x29, 0x36, 0xed,
+ 0x6f, 0x36, 0xc4, 0xfa, 0x73, 0x59, 0x30, 0xec, 0xde, 0xae, 0xf6, 0x73,
+ 0x4e, 0x31, 0x4a, 0xea, 0xc3, 0x5a, 0x56, 0xfd, 0x0a};
+
+ SECItem pkcs8Item = {siBuffer, const_cast<uint8_t*>(pkcs8.data()),
+ static_cast<unsigned int>(pkcs8.size())};
+ SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+ slot.get(), &pkcs8Item, nullptr, nullptr, false, false, KU_ALL,
+ &tmpPrivKey, nullptr);
+
+ if (rv != SECSuccess) {
+ PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
+ return SECFailure;
+ }
+ privKey.reset(tmpPrivKey);
+ tmpPubKey = SECKEY_ConvertToPublicKey(privKey.get());
+ pubKey.reset(tmpPubKey);
+
+ if (!privKey || !pubKey) {
+ PrintPRError("ECH/HPKE Public or Private key is null!");
+ return SECFailure;
+ }
+
+ std::vector<uint8_t> echConfig(1000, 0);
+ unsigned int len = 0;
+ const PRUint8 configId = 77;
+ const HpkeSymmetricSuite echCipherSuite = {HpkeKdfHkdfSha256,
+ HpkeAeadChaCha20Poly1305};
+ rv = SSL_EncodeEchConfigId(configId, "ech-public.example.com", 100,
+ HpkeDhKemX25519Sha256, pubKey.get(),
+ &echCipherSuite, 1, echConfig.data(), &len,
+ echConfig.size());
+ if (rv != SECSuccess) {
+ PrintPRError("SSL_EncodeEchConfig failed");
+ return rv;
+ }
+
+ rv = SSL_SetServerEchConfigs(aFd, pubKey.get(), privKey.get(),
+ echConfig.data(), len);
+ if (rv != SECSuccess) {
+ PrintPRError("SSL_SetServerEchConfigs failed");
+ return rv;
+ }
+
+ return SECSuccess;
+}
+
+int main(int argc, char* argv[]) {
+ int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer);
+ if (rv < 0) {
+ return rv;
+ }
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp
new file mode 100644
index 0000000000..38bfa87e1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp
@@ -0,0 +1,257 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+
+#include "nspr.h"
+#include "ScopedNSSTypes.h"
+#include "ssl.h"
+#include "ssl3prot.h"
+#include "sslexp.h"
+#include "sslimpl.h"
+#include "TLSServer.h"
+
+#include "mozilla/Sprintf.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+enum FaultType {
+ None = 0,
+ ZeroRtt,
+ UnknownSNI,
+ Xyber,
+};
+
+struct FaultyServerHost {
+ const char* mHostName;
+ const char* mCertName;
+ FaultType mFaultType;
+};
+
+const char* kHostOk = "ok.example.com";
+const char* kHostUnknown = "unknown.example.com";
+const char* kHostZeroRttAlertBadMac = "0rtt-alert-bad-mac.example.com";
+const char* kHostZeroRttAlertVersion =
+ "0rtt-alert-protocol-version.example.com";
+const char* kHostZeroRttAlertUnexpected = "0rtt-alert-unexpected.example.com";
+const char* kHostZeroRttAlertDowngrade = "0rtt-alert-downgrade.example.com";
+
+const char* kHostXyberNetInterrupt = "xyber-net-interrupt.example.com";
+const char* kHostXyberAlertAfterServerHello =
+ "xyber-alert-after-server-hello.example.com";
+
+const char* kCertWildcard = "default-ee";
+
+/* Each type of failure gets a different SNI.
+ * the "default-ee" cert has a SAN for *.example.com
+ * the "no-san-ee" cert is signed by the test-ca, but it doesn't have any SANs.
+ */
+const FaultyServerHost sFaultyServerHosts[]{
+ {kHostOk, kCertWildcard, None},
+ {kHostUnknown, kCertWildcard, UnknownSNI},
+ {kHostZeroRttAlertBadMac, kCertWildcard, ZeroRtt},
+ {kHostZeroRttAlertVersion, kCertWildcard, ZeroRtt},
+ {kHostZeroRttAlertUnexpected, kCertWildcard, ZeroRtt},
+ {kHostZeroRttAlertDowngrade, kCertWildcard, ZeroRtt},
+ {kHostXyberNetInterrupt, kCertWildcard, Xyber},
+ {kHostXyberAlertAfterServerHello, kCertWildcard, Xyber},
+ {nullptr, nullptr},
+};
+
+nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "sending '%s'\n", aData);
+ }
+
+ int32_t len = static_cast<int32_t>(aDataLen);
+ while (len > 0) {
+ int32_t bytesSent = PR_Send(aSocket, aData, len, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesSent == -1) {
+ PrintPRError("PR_Send failed");
+ return NS_ERROR_FAILURE;
+ }
+
+ len -= bytesSent;
+ aData += bytesSent;
+ }
+
+ return NS_OK;
+}
+
+// returns 0 on success, non-zero on error
+int DoCallback(const char* path) {
+ UniquePRFileDesc socket(PR_NewTCPSocket());
+ if (!socket) {
+ PrintPRError("PR_NewTCPSocket failed");
+ return 1;
+ }
+
+ uint32_t port = 0;
+ const char* callbackPort = PR_GetEnv("FAULTY_SERVER_CALLBACK_PORT");
+ if (callbackPort) {
+ port = atoi(callbackPort);
+ }
+ if (!port) {
+ return 0;
+ }
+
+ PRNetAddr addr;
+ PR_InitializeNetAddr(PR_IpAddrLoopback, port, &addr);
+ if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
+ PrintPRError("PR_Connect failed");
+ return 1;
+ }
+
+ char request[512];
+ SprintfLiteral(request, "GET %s HTTP/1.0\r\n\r\n", path);
+ SendAll(socket.get(), request, strlen(request));
+ char buf[4096];
+ memset(buf, 0, sizeof(buf));
+ int32_t bytesRead =
+ PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesRead < 0) {
+ PrintPRError("PR_Recv failed 1");
+ return 1;
+ }
+ if (bytesRead == 0) {
+ fprintf(stderr, "PR_Recv eof 1\n");
+ return 1;
+ }
+ // fprintf(stderr, "%s\n", buf);
+ return 0;
+}
+
+/* These are very rough examples. In practice the `arg` parameter to a callback
+ * might need to be an object that holds some state, like the various traffic
+ * secrets. */
+
+/* An SSLSecretCallback is called after every key derivation step in the TLS
+ * 1.3 key schedule.
+ *
+ * Epoch 1 is for the early traffic secret.
+ * Epoch 2 is for the handshake traffic secrets.
+ * Epoch 3 is for the application traffic secrets.
+ */
+void SecretCallbackFailZeroRtt(PRFileDesc* fd, PRUint16 epoch,
+ SSLSecretDirection dir, PK11SymKey* secret,
+ void* arg) {
+ fprintf(stderr, "0RTT handler epoch=%d dir=%d\n", epoch, (uint32_t)dir);
+ FaultyServerHost* host = static_cast<FaultyServerHost*>(arg);
+
+ if (epoch == 1 && dir == ssl_secret_read) {
+ sslSocket* ss = ssl_FindSocket(fd);
+ if (!ss) {
+ fprintf(stderr, "0RTT handler, no ss!\n");
+ return;
+ }
+
+ char path[256];
+ SprintfLiteral(path, "/callback/%d", epoch);
+ DoCallback(path);
+
+ fprintf(stderr, "0RTT handler, configuring alert\n");
+ if (!strcmp(host->mHostName, kHostZeroRttAlertBadMac)) {
+ SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+ } else if (!strcmp(host->mHostName, kHostZeroRttAlertVersion)) {
+ SSL3_SendAlert(ss, alert_fatal, protocol_version);
+ } else if (!strcmp(host->mHostName, kHostZeroRttAlertUnexpected)) {
+ SSL3_SendAlert(ss, alert_fatal, no_alert);
+ }
+ }
+}
+
+SECStatus FailingWriteCallback(PRFileDesc* fd, PRUint16 epoch,
+ SSLContentType contentType, const PRUint8* data,
+ unsigned int len, void* arg) {
+ return SECFailure;
+}
+
+void SecretCallbackFailXyber(PRFileDesc* fd, PRUint16 epoch,
+ SSLSecretDirection dir, PK11SymKey* secret,
+ void* arg) {
+ fprintf(stderr, "Xyber handler epoch=%d dir=%d\n", epoch, (uint32_t)dir);
+ FaultyServerHost* host = static_cast<FaultyServerHost*>(arg);
+
+ if (epoch == 2 && dir == ssl_secret_write) {
+ sslSocket* ss = ssl_FindSocket(fd);
+ if (!ss) {
+ fprintf(stderr, "Xyber handler, no ss!\n");
+ return;
+ }
+
+ if (!ss->sec.keaGroup) {
+ fprintf(stderr, "Xyber handler, no ss->sec.keaGroup!\n");
+ return;
+ }
+
+ char path[256];
+ SprintfLiteral(path, "/callback/%u", ss->sec.keaGroup->name);
+ DoCallback(path);
+
+ if (ss->sec.keaGroup->name != ssl_grp_kem_xyber768d00) {
+ return;
+ }
+
+ fprintf(stderr, "Xyber handler, configuring alert\n");
+ if (strcmp(host->mHostName, kHostXyberNetInterrupt) == 0) {
+ // Install a record write callback that causes the next write to fail.
+ // The client will see this as a PR_END_OF_FILE / NS_ERROR_NET_INTERRUPT
+ // error.
+ ss->recordWriteCallback = FailingWriteCallback;
+ } else if (!strcmp(host->mHostName, kHostXyberAlertAfterServerHello)) {
+ SSL3_SendAlert(ss, alert_fatal, close_notify);
+ }
+ }
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const FaultyServerHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sFaultyServerHosts);
+ if (!host || host->mFaultType == UnknownSNI) {
+ PrintPRError("No cert found for hostname");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ const SSLNamedGroup xyberTestNamedGroups[] = {ssl_grp_kem_xyber768d00,
+ ssl_grp_ec_curve25519};
+
+ switch (host->mFaultType) {
+ case ZeroRtt:
+ SSL_SecretCallback(aFd, &SecretCallbackFailZeroRtt, (void*)host);
+ break;
+ case Xyber:
+ SSL_SecretCallback(aFd, &SecretCallbackFailXyber, (void*)host);
+ SSL_NamedGroupConfig(aFd, xyberTestNamedGroups,
+ mozilla::ArrayLength(xyberTestNamedGroups));
+ break;
+ case None:
+ break;
+ default:
+ break;
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+SECStatus ConfigureServer(PRFileDesc* aFd) { return SECSuccess; }
+
+int main(int argc, char* argv[]) {
+ int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer);
+ if (rv < 0) {
+ return rv;
+ }
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
new file mode 100644
index 0000000000..113e668f89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
@@ -0,0 +1,168 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 sw=2 tw=80 et: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This simple program takes a database directory, and one or more tuples like
+ * <typeOfResponse> <CertNick> <ExtraCertNick> <outPutFilename>
+ * to generate (one or more) ocsp responses.
+ */
+
+#include <stdio.h>
+#include <string>
+#include <vector>
+
+#include "mozilla/ArrayUtils.h"
+
+#include "cert.h"
+#include "nspr.h"
+#include "nss.h"
+#include "plarenas.h"
+#include "prerror.h"
+#include "ssl.h"
+#include "secerr.h"
+
+#include "OCSPCommon.h"
+#include "ScopedNSSTypes.h"
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct OCSPResponseName {
+ const char* mTypeString;
+ const OCSPResponseType mORT;
+};
+
+const static OCSPResponseName kOCSPResponseNameList[] = {
+ {"good", ORTGood}, // the certificate is good
+ {"good-delegated", ORTDelegatedIncluded}, // the certificate is good, using
+ // a delegated signer
+ {"revoked", ORTRevoked}, // the certificate has been revoked
+ {"unknown", ORTUnknown}, // the responder doesn't know if the
+ // cert is good
+ {"goodotherca", ORTGoodOtherCA}, // the wrong CA has signed the
+ // response
+ {"expiredresponse", ORTExpired}, // the signature on the response has
+ // expired
+ {"oldvalidperiod", ORTExpiredFreshCA}, // fresh signature, but old validity
+ // period
+ {"empty", ORTEmpty}, // an empty stapled response
+
+ {"malformed", ORTMalformed}, // the response from the responder
+ // was malformed
+ {"serverr", ORTSrverr}, // the response indicates there was a
+ // server error
+ {"trylater", ORTTryLater}, // the responder replied with
+ // "try again later"
+ {"resp-unsigned", ORTNeedsSig}, // the response needs a signature
+ {"unauthorized", ORTUnauthorized}, // the responder does not know about
+ // the cert
+ {"bad-signature", ORTBadSignature}, // the response has a bad signature
+ {"longvalidityalmostold",
+ ORTLongValidityAlmostExpired}, // the response is
+ // still valid, but the generation
+ // is almost a year old
+ {"ancientstillvalid", ORTAncientAlmostExpired}, // The response is still
+ // valid but the generation
+ // is almost two years old
+};
+
+bool StringToOCSPResponseType(const char* respText,
+ /*out*/ OCSPResponseType* OCSPType) {
+ if (!OCSPType) {
+ return false;
+ }
+ for (auto ocspResponseName : kOCSPResponseNameList) {
+ if (strcmp(respText, ocspResponseName.mTypeString) == 0) {
+ *OCSPType = ocspResponseName.mORT;
+ return true;
+ }
+ }
+ return false;
+}
+
+bool WriteResponse(const char* filename, const SECItem* item) {
+ if (!filename || !item || !item->data) {
+ PR_fprintf(PR_STDERR, "invalid parameters to WriteResponse");
+ return false;
+ }
+
+ UniquePRFileDesc outFile(
+ PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0644));
+ if (!outFile) {
+ PrintPRError("cannot open file for writing");
+ return false;
+ }
+ int32_t rv = PR_Write(outFile.get(), item->data, item->len);
+ if (rv < 0 || (uint32_t)rv != item->len) {
+ PrintPRError("File write failure");
+ return false;
+ }
+
+ return true;
+}
+
+int main(int argc, char* argv[]) {
+ if (argc < 7 || (argc - 7) % 5 != 0) {
+ PR_fprintf(
+ PR_STDERR,
+ "usage: %s <NSS DB directory> <responsetype> "
+ "<cert_nick> <extranick> <this_update_skew> <outfilename> [<resptype> "
+ "<cert_nick> <extranick> <this_update_skew> <outfilename>]* \n",
+ argv[0]);
+ exit(EXIT_FAILURE);
+ }
+ SECStatus rv = InitializeNSS(argv[1]);
+ if (rv != SECSuccess) {
+ PR_fprintf(PR_STDERR, "Failed to initialize NSS\n");
+ exit(EXIT_FAILURE);
+ }
+ UniquePLArenaPool arena(PORT_NewArena(256 * argc));
+ if (!arena) {
+ PrintPRError("PORT_NewArena failed");
+ exit(EXIT_FAILURE);
+ }
+
+ for (int i = 2; i + 3 < argc; i += 5) {
+ const char* ocspTypeText = argv[i];
+ const char* certNick = argv[i + 1];
+ const char* extraCertname = argv[i + 2];
+ const char* skewChars = argv[i + 3];
+ const char* filename = argv[i + 4];
+
+ OCSPResponseType ORT;
+ if (!StringToOCSPResponseType(ocspTypeText, &ORT)) {
+ PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n",
+ ocspTypeText);
+ exit(EXIT_FAILURE);
+ }
+
+ UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr));
+ if (!cert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n",
+ certNick);
+ exit(EXIT_FAILURE);
+ }
+
+ time_t skew = static_cast<time_t>(atoll(skewChars));
+
+ SECItemArray* response =
+ GetOCSPResponseForType(ORT, cert, arena, extraCertname, skew);
+ if (!response) {
+ PR_fprintf(PR_STDERR,
+ "Failed to generate OCSP response of type %s "
+ "for %s\n",
+ ocspTypeText, certNick);
+ exit(EXIT_FAILURE);
+ }
+
+ if (!WriteResponse(filename, &response->items[0])) {
+ PR_fprintf(PR_STDERR, "Failed to write file %s\n", filename);
+ exit(EXIT_FAILURE);
+ }
+ }
+ return 0;
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
new file mode 100644
index 0000000000..b35484572f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
@@ -0,0 +1,153 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that delivers various stapled OCSP responses.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the OCSP response.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "OCSPCommon.h"
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+const OCSPHost sOCSPHosts[] = {
+ {"ocsp-stapling-good.example.com", ORTGood, nullptr, nullptr},
+ {"ocsp-stapling-revoked.example.com", ORTRevoked, nullptr, nullptr},
+ {"ocsp-stapling-revoked-old.example.com", ORTRevokedOld, nullptr, nullptr},
+ {"ocsp-stapling-unknown.example.com", ORTUnknown, nullptr, nullptr},
+ {"ocsp-stapling-unknown-old.example.com", ORTUnknownOld, nullptr, nullptr},
+ {"ocsp-stapling-good-other.example.com", ORTGoodOtherCert,
+ "ocspOtherEndEntity", nullptr},
+ {"ocsp-stapling-good-other-ca.example.com", ORTGoodOtherCA, "other-test-ca",
+ nullptr},
+ {"ocsp-stapling-expired.example.com", ORTExpired, nullptr, nullptr},
+ {"ocsp-stapling-expired-fresh-ca.example.com", ORTExpiredFreshCA, nullptr,
+ nullptr},
+ {"ocsp-stapling-none.example.com", ORTNone, nullptr, nullptr},
+ {"ocsp-stapling-empty.example.com", ORTEmpty, nullptr, nullptr},
+ {"ocsp-stapling-malformed.example.com", ORTMalformed, nullptr, nullptr},
+ {"ocsp-stapling-srverr.example.com", ORTSrverr, nullptr, nullptr},
+ {"ocsp-stapling-trylater.example.com", ORTTryLater, nullptr, nullptr},
+ {"ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr, nullptr},
+ {"ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr,
+ nullptr},
+ {"ocsp-stapling-with-intermediate.example.com", ORTGood, nullptr,
+ "ocspEEWithIntermediate"},
+ {"ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr,
+ nullptr},
+ {"ocsp-stapling-skip-responseBytes.example.com", ORTSkipResponseBytes,
+ nullptr, nullptr},
+ {"ocsp-stapling-critical-extension.example.com", ORTCriticalExtension,
+ nullptr, nullptr},
+ {"ocsp-stapling-noncritical-extension.example.com", ORTNoncriticalExtension,
+ nullptr, nullptr},
+ {"ocsp-stapling-empty-extensions.example.com", ORTEmptyExtensions, nullptr,
+ nullptr},
+ {"ocsp-stapling-delegated-included.example.com", ORTDelegatedIncluded,
+ "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-included-last.example.com",
+ ORTDelegatedIncludedLast, "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-missing.example.com", ORTDelegatedMissing,
+ "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-missing-multiple.example.com",
+ ORTDelegatedMissingMultiple, "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-no-extKeyUsage.example.com", ORTDelegatedIncluded,
+ "invalidDelegatedSignerNoExtKeyUsage", nullptr},
+ {"ocsp-stapling-delegated-from-intermediate.example.com",
+ ORTDelegatedIncluded, "invalidDelegatedSignerFromIntermediate", nullptr},
+ {"ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
+ ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning", nullptr},
+ {"ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
+ ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage", nullptr},
+ {"ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired,
+ nullptr, nullptr},
+ {"keysize-ocsp-delegated.example.com", ORTDelegatedIncluded,
+ "rsa-1016-keysizeDelegatedSigner", nullptr},
+ {"revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked,
+ "ca-used-as-end-entity", nullptr},
+ {"ocsp-stapling-must-staple.example.com", ORTGood, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-revoked.example.com", ORTRevoked, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-missing.example.com", ORTNone, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-empty.example.com", ORTEmpty, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", ORTGood,
+ nullptr, "must-staple-ee-with-must-staple-int"},
+ {"ocsp-stapling-plain-ee-with-must-staple-int.example.com", ORTGood,
+ nullptr, "must-staple-missing-ee"},
+ {"ocsp-stapling-must-staple-expired.example.com", ORTExpired, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-try-later.example.com", ORTTryLater, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-invalid-signer.example.com", ORTGoodOtherCA,
+ "other-test-ca", "must-staple-ee"},
+ {"multi-tls-feature-good.example.com", ORTNone, nullptr,
+ "multi-tls-feature-good-ee"},
+ {"multi-tls-feature-bad.example.com", ORTNone, nullptr,
+ "multi-tls-feature-bad-ee"},
+ {nullptr, ORTNull, nullptr, nullptr}};
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const OCSPHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sOCSPHosts);
+ if (!host) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ const char* certNickname =
+ host->mServerCertName ? host->mServerCertName : DEFAULT_CERT_NICKNAME;
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // If the OCSP response type is "none", don't staple a response.
+ if (host->mORT == ORTNone) {
+ return 0;
+ }
+
+ UniquePLArenaPool arena(PORT_NewArena(1024));
+ if (!arena) {
+ PrintPRError("PORT_NewArena failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // response is contained by the arena - freeing the arena will free it
+ SECItemArray* response = GetOCSPResponseForType(host->mORT, cert, arena,
+ host->mAdditionalCertName, 0);
+ if (!response) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // SSL_SetStapledOCSPResponses makes a deep copy of response
+ SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA);
+ if (st != SECSuccess) {
+ PrintPRError("SSL_SetStapledOCSPResponses failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
new file mode 100644
index 0000000000..9371617305
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
@@ -0,0 +1,87 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct SanctionsCertHost {
+ const char* mHostName;
+ const char* mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const SanctionsCertHost sSanctionsCertHosts[] = {
+ {"symantec-allowlist-after-cutoff.example.com",
+ "symantec-ee-from-allowlist-after-cutoff"},
+ {"symantec-allowlist-before-cutoff.example.com",
+ "symantec-ee-from-allowlist-before-cutoff"},
+ {"symantec-not-allowlisted-after-cutoff.example.com",
+ "symantec-ee-not-allowlisted-after-cutoff"},
+ {"symantec-not-allowlisted-before-cutoff.example.com",
+ "symantec-ee-not-allowlisted-before-cutoff"},
+ {"symantec-unaffected.example.com", "symantec-ee-unaffected"},
+ {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+ const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ UniquePORTString name(
+ static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+ if (name) {
+ PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+ if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+ nullptr) == SECSuccess) {
+ return 0;
+ }
+ }
+ }
+
+ return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const SanctionsCertHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sSanctionsCertHosts);
+ if (!host) {
+ // No static cert <-> hostname mapping found. This happens when we use a
+ // collection of certificates in a given directory and build a cert DB at
+ // runtime, rather than using an NSS cert DB populated at build time.
+ // (This will be the default in the future.)
+ // For all given server names, check if the runtime-built cert DB contains
+ // a certificate with a matching subject CN.
+ return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
new file mode 100644
index 0000000000..ebf8f8e3e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -0,0 +1,45 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+GeckoSimplePrograms(
+ [
+ "BadCertAndPinningServer",
+ "DelegatedCredentialsServer",
+ "EncryptedClientHelloServer",
+ "GenerateOCSPResponse",
+ "OCSPStaplingServer",
+ "SanctionsTestServer",
+ ],
+ linkage=None,
+)
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+ # Bug 1805371. See comment in ../lib/moz.build
+ GeckoSimplePrograms(
+ [
+ "FaultyServer",
+ ],
+ linkage=None,
+ )
+
+ DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+ LOCAL_INCLUDES += [
+ "../../../../../../nss/lib/ssl",
+ "../lib",
+ ]
+ USE_LIBS += [
+ "tlsserver",
+ ]
+else:
+ LOCAL_INCLUDES += [
+ "../lib",
+ ]
+ USE_LIBS += ["mozpkix", "nspr", "nss", "tlsserver"]
+
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
+ CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]
diff --git a/security/manager/ssl/tests/unit/tlsserver/default-ee.der b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
new file mode 100644
index 0000000000..3a9b8fa9bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
@@ -0,0 +1,3 @@
+This is now an unused file. It exists to ease the coordination between gecko
+development trees and the automation infrastructure that runs periodic updates.
+See bug 1203312 and bug 1205406.
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
new file mode 100644
index 0000000000..be9a9af9b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -0,0 +1,204 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OCSPCommon.h"
+
+#include <stdio.h>
+
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/test/pkixtestnss.h"
+#include "TLSServer.h"
+#include "secder.h"
+#include "secerr.h"
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+using namespace mozilla::test;
+
+static TestKeyPair* CreateTestKeyPairFromCert(
+ const UniqueCERTCertificate& cert) {
+ ScopedSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(cert.get(), nullptr));
+ if (!privateKey) {
+ return nullptr;
+ }
+ ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get()));
+ if (!publicKey) {
+ return nullptr;
+ }
+ return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey);
+}
+
+SECItemArray* GetOCSPResponseForType(OCSPResponseType aORT,
+ const UniqueCERTCertificate& aCert,
+ const UniquePLArenaPool& aArena,
+ const char* aAdditionalCertName,
+ time_t aThisUpdateSkew) {
+ MOZ_ASSERT(aArena);
+ MOZ_ASSERT(aCert);
+ // Note: |aAdditionalCertName| may or may not need to be non-null depending
+ // on the |aORT| value given.
+
+ if (aORT == ORTNone) {
+ if (gDebugLevel >= DEBUG_WARNINGS) {
+ fprintf(stderr,
+ "GetOCSPResponseForType called with type ORTNone, "
+ "which makes no sense.\n");
+ }
+ return nullptr;
+ }
+
+ if (aORT == ORTEmpty) {
+ SECItemArray* arr = SECITEM_AllocArray(aArena.get(), nullptr, 1);
+ arr->items[0].data = nullptr;
+ arr->items[0].len = 0;
+ return arr;
+ }
+
+ time_t now = time(nullptr) + aThisUpdateSkew;
+ time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS);
+
+ mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get()));
+
+ if (aORT == ORTGoodOtherCert) {
+ cert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
+ if (!cert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return nullptr;
+ }
+ }
+ // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
+ mozilla::UniqueCERTCertificate issuerCert(
+ CERT_FindCertIssuer(aCert.get(), PR_Now(), certUsageSSLCA));
+ if (!issuerCert) {
+ PrintPRError("CERT_FindCertIssuer failed");
+ return nullptr;
+ }
+ Input issuer;
+ if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) {
+ return nullptr;
+ }
+ Input issuerPublicKey;
+ if (issuerPublicKey.Init(issuerCert->derPublicKey.data,
+ issuerCert->derPublicKey.len) != Success) {
+ return nullptr;
+ }
+ Input serialNumber;
+ if (serialNumber.Init(cert->serialNumber.data, cert->serialNumber.len) !=
+ Success) {
+ return nullptr;
+ }
+ CertID certID(issuer, issuerPublicKey, serialNumber);
+ OCSPResponseContext context(certID, now);
+
+ mozilla::UniqueCERTCertificate signerCert;
+ if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded ||
+ aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing ||
+ aORT == ORTDelegatedMissingMultiple) {
+ signerCert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
+ if (!signerCert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return nullptr;
+ }
+ }
+
+ ByteString certs[5];
+
+ if (aORT == ORTDelegatedIncluded) {
+ certs[0].assign(signerCert->derCert.data, signerCert->derCert.len);
+ context.certs = certs;
+ }
+ if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) {
+ certs[0].assign(issuerCert->derCert.data, issuerCert->derCert.len);
+ certs[1].assign(cert->derCert.data, cert->derCert.len);
+ certs[2].assign(issuerCert->derCert.data, issuerCert->derCert.len);
+ if (aORT != ORTDelegatedMissingMultiple) {
+ certs[3].assign(signerCert->derCert.data, signerCert->derCert.len);
+ }
+ context.certs = certs;
+ }
+
+ switch (aORT) {
+ case ORTMalformed:
+ context.responseStatus = 1;
+ break;
+ case ORTSrverr:
+ context.responseStatus = 2;
+ break;
+ case ORTTryLater:
+ context.responseStatus = 3;
+ break;
+ case ORTNeedsSig:
+ context.responseStatus = 5;
+ break;
+ case ORTUnauthorized:
+ context.responseStatus = 6;
+ break;
+ default:
+ // context.responseStatus is 0 in all other cases, and it has
+ // already been initialized in the constructor.
+ break;
+ }
+ if (aORT == ORTSkipResponseBytes) {
+ context.skipResponseBytes = true;
+ }
+ if (aORT == ORTExpired || aORT == ORTExpiredFreshCA ||
+ aORT == ORTRevokedOld || aORT == ORTUnknownOld) {
+ context.thisUpdate = oldNow;
+ context.nextUpdate = oldNow + Time::ONE_DAY_IN_SECONDS;
+ }
+ if (aORT == ORTLongValidityAlmostExpired) {
+ context.thisUpdate = now - (320 * Time::ONE_DAY_IN_SECONDS);
+ }
+ if (aORT == ORTAncientAlmostExpired) {
+ context.thisUpdate = now - (640 * Time::ONE_DAY_IN_SECONDS);
+ }
+ if (aORT == ORTRevoked || aORT == ORTRevokedOld) {
+ context.certStatus = 1;
+ }
+ if (aORT == ORTUnknown || aORT == ORTUnknownOld) {
+ context.certStatus = 2;
+ }
+ if (aORT == ORTBadSignature) {
+ context.badSignature = true;
+ }
+ OCSPResponseExtension extension;
+ if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) {
+ // python DottedOIDToCode.py --tlv
+ // some-Mozilla-OID 1.3.6.1.4.1.13769.666.666.666.1.500.9.2
+ static const uint8_t tlv_some_Mozilla_OID[] = {
+ 0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85,
+ 0x1a, 0x85, 0x1a, 0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x02};
+
+ extension.id.assign(tlv_some_Mozilla_OID, sizeof(tlv_some_Mozilla_OID));
+ extension.critical = (aORT == ORTCriticalExtension);
+ extension.value.push_back(0x05); // tag: NULL
+ extension.value.push_back(0x00); // length: 0
+ extension.next = nullptr;
+ context.responseExtensions = &extension;
+ }
+ if (aORT == ORTEmptyExtensions) {
+ context.includeEmptyExtensions = true;
+ }
+
+ if (!signerCert) {
+ signerCert.reset(CERT_DupCertificate(issuerCert.get()));
+ }
+ context.signerKeyPair.reset(CreateTestKeyPairFromCert(signerCert));
+ if (!context.signerKeyPair) {
+ PrintPRError("PK11_FindKeyByAnyCert failed");
+ return nullptr;
+ }
+
+ ByteString response(CreateEncodedOCSPResponse(context));
+ if (ENCODING_FAILED(response)) {
+ PrintPRError("CreateEncodedOCSPResponse failed");
+ return nullptr;
+ }
+
+ SECItem item = {siBuffer, const_cast<uint8_t*>(response.data()),
+ static_cast<unsigned int>(response.length())};
+ SECItemArray arr = {&item, 1};
+ return SECITEM_DupArray(aArena.get(), &arr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
new file mode 100644
index 0000000000..c72eae6a8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
@@ -0,0 +1,66 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Implements generating OCSP responses of various types. Used by the
+// programs in tlsserver/cmd.
+
+#ifndef OCSPCommon_h
+#define OCSPCommon_h
+
+#include "ScopedNSSTypes.h"
+#include "certt.h"
+#include "seccomon.h"
+
+enum OCSPResponseType {
+ ORTNull = 0,
+ ORTGood, // the certificate is good
+ ORTRevoked, // the certificate has been revoked
+ ORTRevokedOld, // same, but the response is old
+ ORTUnknown, // the responder doesn't know if the cert is good
+ ORTUnknownOld, // same, but the response is old
+ ORTGoodOtherCert, // the response references a different certificate
+ ORTGoodOtherCA, // the wrong CA has signed the response
+ ORTExpired, // the signature on the response has expired
+ ORTExpiredFreshCA, // fresh signature, but old validity period
+ ORTNone, // no stapled response
+ ORTEmpty, // an empty stapled response
+ ORTMalformed, // the response from the responder was malformed
+ ORTSrverr, // the response indicates there was a server error
+ ORTTryLater, // the responder replied with "try again later"
+ ORTNeedsSig, // the response needs a signature
+ ORTUnauthorized, // the responder is not authorized for this certificate
+ ORTBadSignature, // the response has a signature that does not verify
+ ORTSkipResponseBytes, // the response does not include responseBytes
+ ORTCriticalExtension, // the response includes a critical extension
+ ORTNoncriticalExtension, // the response includes an extension that is not
+ // critical
+ ORTEmptyExtensions, // the response includes a SEQUENCE OF Extension that is
+ // empty
+ ORTDelegatedIncluded, // the response is signed by an included delegated
+ // responder
+ ORTDelegatedIncludedLast, // same, but multiple other certificates are
+ // included
+ ORTDelegatedMissing, // the response is signed by a not included delegated
+ // responder
+ ORTDelegatedMissingMultiple, // same, but multiple other certificates are
+ // included
+ ORTLongValidityAlmostExpired, // a good response, but that was generated a
+ // almost a year ago
+ ORTAncientAlmostExpired, // a good response, with a validity of almost two
+ // years almost expiring
+};
+
+struct OCSPHost {
+ const char* mHostName;
+ OCSPResponseType mORT;
+ const char* mAdditionalCertName; // useful for ORTGoodOtherCert, etc.
+ const char* mServerCertName;
+};
+
+SECItemArray* GetOCSPResponseForType(
+ OCSPResponseType aORT, const mozilla::UniqueCERTCertificate& aCert,
+ const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName,
+ time_t aThisUpdateSkew);
+
+#endif // OCSPCommon_h
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
new file mode 100644
index 0000000000..e4aeda0e82
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
@@ -0,0 +1,694 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "TLSServer.h"
+
+#include <stdio.h>
+#include <string>
+#include <thread>
+#include <vector>
+#include <fstream>
+#include <iostream>
+#ifdef XP_WIN
+# include <windows.h>
+#else
+# include <unistd.h>
+#endif
+
+#include <utility>
+
+#include "base64.h"
+#include "mozilla/Sprintf.h"
+#include "nspr.h"
+#include "nss.h"
+#include "plarenas.h"
+#include "prenv.h"
+#include "prerror.h"
+#include "prnetdb.h"
+#include "prtime.h"
+#include "ssl.h"
+#include "sslexp.h"
+#include "sslproto.h"
+
+namespace mozilla {
+namespace test {
+
+static const uint16_t LISTEN_PORT = 8443;
+
+SSLAntiReplayContext* antiReplay = nullptr;
+
+DebugLevel gDebugLevel = DEBUG_ERRORS;
+uint16_t gCallbackPort = 0;
+
+const std::string kPEMBegin = "-----BEGIN ";
+const std::string kPEMEnd = "-----END ";
+const char DEFAULT_CERT_NICKNAME[] = "default-ee";
+
+struct Connection {
+ PRFileDesc* mSocket;
+ char mByte;
+
+ explicit Connection(PRFileDesc* aSocket);
+ ~Connection();
+};
+
+Connection::Connection(PRFileDesc* aSocket) : mSocket(aSocket), mByte(0) {}
+
+Connection::~Connection() {
+ if (mSocket) {
+ PR_Close(mSocket);
+ }
+}
+
+void PrintPRError(const char* aPrefix) {
+ const char* err = PR_ErrorToName(PR_GetError());
+ if (err) {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "%s: %s\n", aPrefix, err);
+ }
+ } else {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "%s\n", aPrefix);
+ }
+ }
+}
+
+// This decodes a PEM file into `item`. The line endings need to be
+// UNIX-style, or there will be cross-platform issues.
+static bool DecodePEMFile(const std::string& filename, SECItem* item) {
+ std::ifstream in(filename);
+ if (in.bad()) {
+ return false;
+ }
+
+ char buf[1024];
+ in.getline(buf, sizeof(buf));
+ if (in.bad()) {
+ return false;
+ }
+
+ if (strncmp(buf, kPEMBegin.c_str(), kPEMBegin.size()) != 0) {
+ return false;
+ }
+
+ std::string value;
+ for (;;) {
+ in.getline(buf, sizeof(buf));
+ if (in.bad()) {
+ return false;
+ }
+
+ if (strncmp(buf, kPEMEnd.c_str(), kPEMEnd.size()) == 0) {
+ break;
+ }
+
+ value += buf;
+ }
+
+ unsigned int binLength;
+ UniquePORTString bin(BitwiseCast<char*, unsigned char*>(
+ ATOB_AsciiToData(value.c_str(), &binLength)));
+ if (!bin || binLength == 0) {
+ PrintPRError("ATOB_AsciiToData failed");
+ return false;
+ }
+
+ if (SECITEM_AllocItem(nullptr, item, binLength) == nullptr) {
+ return false;
+ }
+
+ PORT_Memcpy(item->data, bin.get(), binLength);
+ return true;
+}
+
+static SECStatus AddKeyFromFile(const std::string& path,
+ const std::string& filename) {
+ ScopedAutoSECItem item;
+
+ std::string file = path + "/" + filename;
+ if (!DecodePEMFile(file, &item)) {
+ return SECFailure;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+
+ if (PK11_NeedUserInit(slot.get())) {
+ if (PK11_InitPin(slot.get(), nullptr, nullptr) != SECSuccess) {
+ PrintPRError("PK11_InitPin failed");
+ return SECFailure;
+ }
+ }
+
+ SECKEYPrivateKey* privateKey = nullptr;
+ SECItem nick = {siBuffer,
+ BitwiseCast<unsigned char*, const char*>(filename.data()),
+ static_cast<unsigned int>(filename.size())};
+ if (PK11_ImportDERPrivateKeyInfoAndReturnKey(
+ slot.get(), &item, &nick, nullptr, true, false, KU_ALL, &privateKey,
+ nullptr) != SECSuccess) {
+ PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
+ return SECFailure;
+ }
+
+ SECKEY_DestroyPrivateKey(privateKey);
+ return SECSuccess;
+}
+
+static SECStatus AddCertificateFromFile(const std::string& path,
+ const std::string& filename) {
+ ScopedAutoSECItem item;
+
+ std::string file = path + "/" + filename;
+ if (!DecodePEMFile(file, &item)) {
+ return SECFailure;
+ }
+
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &item, nullptr, false, true));
+ if (!cert) {
+ PrintPRError("CERT_NewTempCertificate failed");
+ return SECFailure;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+ // The nickname is the filename without '.pem'.
+ std::string nickname = filename.substr(0, filename.length() - 4);
+ SECStatus rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE,
+ nickname.c_str(), false);
+ if (rv != SECSuccess) {
+ PrintPRError("PK11_ImportCert failed");
+ return rv;
+ }
+
+ return SECSuccess;
+}
+
+SECStatus LoadCertificatesAndKeys(const char* basePath) {
+ // The NSS cert DB path could have been specified as "sql:path". Trim off
+ // the leading "sql:" if so.
+ if (strncmp(basePath, "sql:", 4) == 0) {
+ basePath = basePath + 4;
+ }
+
+ UniquePRDir fdDir(PR_OpenDir(basePath));
+ if (!fdDir) {
+ PrintPRError("PR_OpenDir failed");
+ return SECFailure;
+ }
+ // On the B2G ICS emulator, operations taken in AddCertificateFromFile
+ // appear to interact poorly with readdir (more specifically, something is
+ // causing readdir to never return null - it indefinitely loops through every
+ // file in the directory, which causes timeouts). Rather than waste more time
+ // chasing this down, loading certificates and keys happens in two phases:
+ // filename collection and then loading. (This is probably a good
+ // idea anyway because readdir isn't reentrant. Something could change later
+ // such that it gets called as a result of calling AddCertificateFromFile or
+ // AddKeyFromFile.)
+ std::vector<std::string> certificates;
+ std::vector<std::string> keys;
+ for (PRDirEntry* dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH); dirEntry;
+ dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH)) {
+ size_t nameLength = strlen(dirEntry->name);
+ if (nameLength > 4) {
+ if (strncmp(dirEntry->name + nameLength - 4, ".pem", 4) == 0) {
+ certificates.push_back(dirEntry->name);
+ } else if (strncmp(dirEntry->name + nameLength - 4, ".key", 4) == 0) {
+ keys.push_back(dirEntry->name);
+ }
+ }
+ }
+ SECStatus rv;
+ for (std::string& certificate : certificates) {
+ rv = AddCertificateFromFile(basePath, certificate.c_str());
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ }
+ for (std::string& key : keys) {
+ rv = AddKeyFromFile(basePath, key.c_str());
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ }
+ return SECSuccess;
+}
+
+SECStatus InitializeNSS(const char* nssCertDBDir) {
+ // Try initializing an existing DB.
+ if (NSS_Init(nssCertDBDir) == SECSuccess) {
+ return SECSuccess;
+ }
+
+ // Create a new DB if there is none...
+ SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
+ // ...and load all certificates into it.
+ return LoadCertificatesAndKeys(nssCertDBDir);
+}
+
+nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "sending '%s'\n", aData);
+ }
+
+ while (aDataLen > 0) {
+ int32_t bytesSent =
+ PR_Send(aSocket, aData, aDataLen, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesSent == -1) {
+ PrintPRError("PR_Send failed");
+ return NS_ERROR_FAILURE;
+ }
+
+ aDataLen -= bytesSent;
+ aData += bytesSent;
+ }
+
+ return NS_OK;
+}
+
+nsresult ReplyToRequest(Connection* aConn) {
+ // For debugging purposes, SendAll can print out what it's sending.
+ // So, any strings we give to it to send need to be null-terminated.
+ char buf[2] = {aConn->mByte, 0};
+ return SendAll(aConn->mSocket, buf, 1);
+}
+
+nsresult SetupTLS(Connection* aConn, PRFileDesc* aModelSocket) {
+ PRFileDesc* sslSocket = SSL_ImportFD(aModelSocket, aConn->mSocket);
+ if (!sslSocket) {
+ PrintPRError("SSL_ImportFD failed");
+ return NS_ERROR_FAILURE;
+ }
+ aConn->mSocket = sslSocket;
+
+ /* anti-replay must be configured to accept 0RTT */
+ if (antiReplay) {
+ SECStatus rv = SSL_SetAntiReplayContext(sslSocket, antiReplay);
+ if (rv != SECSuccess) {
+ PrintPRError("error configuring anti-replay ");
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ SSL_OptionSet(sslSocket, SSL_SECURITY, true);
+ SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false);
+ SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true);
+ // Unconditionally enabling 0RTT makes test_session_resumption.js fail
+ SSL_OptionSet(sslSocket, SSL_ENABLE_0RTT_DATA,
+ !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
+
+ SSL_ResetHandshake(sslSocket, /* asServer */ 1);
+
+ return NS_OK;
+}
+
+nsresult ReadRequest(Connection* aConn) {
+ int32_t bytesRead =
+ PR_Recv(aConn->mSocket, &aConn->mByte, 1, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesRead < 0) {
+ PrintPRError("PR_Recv failed");
+ return NS_ERROR_FAILURE;
+ } else if (bytesRead == 0) {
+ PR_SetError(PR_IO_ERROR, 0);
+ PrintPRError("PR_Recv EOF in ReadRequest");
+ return NS_ERROR_FAILURE;
+ } else {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "read '0x%hhx'\n", aConn->mByte);
+ }
+ }
+ return NS_OK;
+}
+
+void HandleConnection(PRFileDesc* aSocket,
+ const UniquePRFileDesc& aModelSocket) {
+ Connection conn(aSocket);
+ nsresult rv = SetupTLS(&conn, aModelSocket.get());
+ if (NS_FAILED(rv)) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ PrintPRError("PR_Recv failed");
+ exit(1);
+ }
+
+ // TODO: On tests that are expected to fail (e.g. due to a revoked
+ // certificate), the client will close the connection wtihout sending us the
+ // request byte. In those cases, we should keep going. But, in the cases
+ // where the connection is supposed to suceed, we should verify that we
+ // successfully receive the request and send the response.
+ rv = ReadRequest(&conn);
+ if (NS_SUCCEEDED(rv)) {
+ rv = ReplyToRequest(&conn);
+ }
+}
+
+// returns 0 on success, non-zero on error
+int DoCallback() {
+ UniquePRFileDesc socket(PR_NewTCPSocket());
+ if (!socket) {
+ PrintPRError("PR_NewTCPSocket failed");
+ return 1;
+ }
+
+ PRNetAddr addr;
+ PR_InitializeNetAddr(PR_IpAddrLoopback, gCallbackPort, &addr);
+ if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
+ PrintPRError("PR_Connect failed");
+ return 1;
+ }
+
+ const char* request = "GET / HTTP/1.0\r\n\r\n";
+ SendAll(socket.get(), request, strlen(request));
+ char buf[4096];
+ memset(buf, 0, sizeof(buf));
+ int32_t bytesRead =
+ PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesRead < 0) {
+ PrintPRError("PR_Recv failed 1");
+ return 1;
+ }
+ if (bytesRead == 0) {
+ fprintf(stderr, "PR_Recv eof 1\n");
+ return 1;
+ }
+ fprintf(stderr, "%s\n", buf);
+ return 0;
+}
+
+SECStatus ConfigSecureServerWithNamedCert(
+ PRFileDesc* fd, const char* certName,
+ /*optional*/ UniqueCERTCertificate* certOut,
+ /*optional*/ SSLKEAType* keaOut,
+ /*optional*/ SSLExtraServerCertData* extraData) {
+ UniqueCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr));
+ if (!cert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return SECFailure;
+ }
+ // If an intermediate certificate issued the server certificate (rather than
+ // directly by a trust anchor), we want to send it along in the handshake so
+ // we don't encounter unknown issuer errors when that's not what we're
+ // testing.
+ UniqueCERTCertificateList certList;
+ UniqueCERTCertificate issuerCert(
+ CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer));
+ // If we can't find the issuer cert, continue without it.
+ if (issuerCert) {
+ // Sadly, CERTCertificateList does not have a CERT_NewCertificateList
+ // utility function, so we must create it ourselves. This consists
+ // of creating an arena, allocating space for the CERTCertificateList,
+ // and then transferring ownership of the arena to that list.
+ UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+ if (!arena) {
+ PrintPRError("PORT_NewArena failed");
+ return SECFailure;
+ }
+ certList.reset(static_cast<CERTCertificateList*>(
+ PORT_ArenaAlloc(arena.get(), sizeof(CERTCertificateList))));
+ if (!certList) {
+ PrintPRError("PORT_ArenaAlloc failed");
+ return SECFailure;
+ }
+ certList->arena = arena.release();
+ // We also have to manually copy the certificates we care about to the
+ // list, because there aren't any utility functions for that either.
+ certList->certs = static_cast<SECItem*>(
+ PORT_ArenaAlloc(certList->arena, 2 * sizeof(SECItem)));
+ if (SECITEM_CopyItem(certList->arena, certList->certs, &cert->derCert) !=
+ SECSuccess) {
+ PrintPRError("SECITEM_CopyItem failed");
+ return SECFailure;
+ }
+ if (SECITEM_CopyItem(certList->arena, certList->certs + 1,
+ &issuerCert->derCert) != SECSuccess) {
+ PrintPRError("SECITEM_CopyItem failed");
+ return SECFailure;
+ }
+ certList->len = 2;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+ UniqueSECKEYPrivateKey key(
+ PK11_FindKeyByDERCert(slot.get(), cert.get(), nullptr));
+ if (!key) {
+ PrintPRError("PK11_FindKeyByDERCert failed");
+ return SECFailure;
+ }
+
+ if (extraData) {
+ SSLExtraServerCertData dataCopy = {ssl_auth_null, nullptr, nullptr,
+ nullptr, nullptr, nullptr};
+ memcpy(&dataCopy, extraData, sizeof(dataCopy));
+ dataCopy.certChain = certList.get();
+
+ if (SSL_ConfigServerCert(fd, cert.get(), key.get(), &dataCopy,
+ sizeof(dataCopy)) != SECSuccess) {
+ PrintPRError("SSL_ConfigServerCert failed");
+ return SECFailure;
+ }
+
+ } else {
+ // This is the deprecated setup mechanism, to be cleaned up in Bug 1569222
+ SSLKEAType certKEA = NSS_FindCertKEAType(cert.get());
+ if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(),
+ key.get(), certKEA) != SECSuccess) {
+ PrintPRError("SSL_ConfigSecureServer failed");
+ return SECFailure;
+ }
+
+ if (keaOut) {
+ *keaOut = certKEA;
+ }
+ }
+
+ if (certOut) {
+ *certOut = std::move(cert);
+ }
+
+ SSL_OptionSet(fd, SSL_NO_CACHE, false);
+ SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true);
+ // Unconditionally enabling 0RTT makes test_session_resumption.js fail
+ SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
+
+ return SECSuccess;
+}
+
+#ifdef XP_WIN
+using PidType = DWORD;
+constexpr bool IsValidPid(long long pid) {
+ // Excluding `(DWORD)-1` because it is not a valid process ID.
+ // See https://devblogs.microsoft.com/oldnewthing/20040223-00/?p=40503
+ return pid > 0 && pid < std::numeric_limits<PidType>::max();
+}
+#else
+using PidType = pid_t;
+constexpr bool IsValidPid(long long pid) {
+ return pid > 0 && pid <= std::numeric_limits<PidType>::max();
+}
+#endif
+
+PidType ConvertPid(const char* pidStr) {
+ long long pid = strtoll(pidStr, nullptr, 10);
+ if (!IsValidPid(pid)) {
+ return 0;
+ }
+ return static_cast<PidType>(pid);
+}
+
+int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
+ void* sniSocketConfigArg, ServerConfigFunc configFunc) {
+ if (argc != 3) {
+ fprintf(stderr, "usage: %s <NSS DB directory> <ppid>\n", argv[0]);
+ return 1;
+ }
+ const char* nssCertDBDir = argv[1];
+ PidType ppid = ConvertPid(argv[2]);
+
+ const char* debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
+ if (debugLevel) {
+ int level = atoi(debugLevel);
+ switch (level) {
+ case DEBUG_ERRORS:
+ gDebugLevel = DEBUG_ERRORS;
+ break;
+ case DEBUG_WARNINGS:
+ gDebugLevel = DEBUG_WARNINGS;
+ break;
+ case DEBUG_VERBOSE:
+ gDebugLevel = DEBUG_VERBOSE;
+ break;
+ default:
+ PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL");
+ return 1;
+ }
+ }
+
+ const char* callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT");
+ if (callbackPort) {
+ gCallbackPort = atoi(callbackPort);
+ }
+
+ if (InitializeNSS(nssCertDBDir) != SECSuccess) {
+ PR_fprintf(PR_STDERR, "InitializeNSS failed");
+ return 1;
+ }
+
+ if (NSS_SetDomesticPolicy() != SECSuccess) {
+ PrintPRError("NSS_SetDomesticPolicy failed");
+ return 1;
+ }
+
+ NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, NSS_USE_ALG_IN_SSL_KX, 0);
+
+ if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) {
+ PrintPRError("SSL_ConfigServerSessionIDCache failed");
+ return 1;
+ }
+
+ UniquePRFileDesc serverSocket(PR_NewTCPSocket());
+ if (!serverSocket) {
+ PrintPRError("PR_NewTCPSocket failed");
+ return 1;
+ }
+
+ PRSocketOptionData socketOption;
+ socketOption.option = PR_SockOpt_Reuseaddr;
+ socketOption.value.reuse_addr = true;
+ PR_SetSocketOption(serverSocket.get(), &socketOption);
+
+ PRNetAddr serverAddr;
+ PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr);
+ if (PR_Bind(serverSocket.get(), &serverAddr) != PR_SUCCESS) {
+ PrintPRError("PR_Bind failed");
+ return 1;
+ }
+
+ if (PR_Listen(serverSocket.get(), 1) != PR_SUCCESS) {
+ PrintPRError("PR_Listen failed");
+ return 1;
+ }
+
+ UniquePRFileDesc rawModelSocket(PR_NewTCPSocket());
+ if (!rawModelSocket) {
+ PrintPRError("PR_NewTCPSocket failed for rawModelSocket");
+ return 1;
+ }
+
+ UniquePRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.release()));
+ if (!modelSocket) {
+ PrintPRError("SSL_ImportFD of rawModelSocket failed");
+ return 1;
+ }
+
+ SSLVersionRange range = {0, 0};
+ if (SSL_VersionRangeGet(modelSocket.get(), &range) != SECSuccess) {
+ PrintPRError("SSL_VersionRangeGet failed");
+ return 1;
+ }
+
+ if (range.max < SSL_LIBRARY_VERSION_TLS_1_3) {
+ range.max = SSL_LIBRARY_VERSION_TLS_1_3;
+ if (SSL_VersionRangeSet(modelSocket.get(), &range) != SECSuccess) {
+ PrintPRError("SSL_VersionRangeSet failed");
+ return 1;
+ }
+ }
+
+ if (PR_GetEnv("MOZ_TLS_SERVER_0RTT")) {
+ if (SSL_CreateAntiReplayContext(PR_Now(), 1L * PR_USEC_PER_SEC, 7, 14,
+ &antiReplay) != SECSuccess) {
+ PrintPRError("Unable to create anti-replay context for 0-RTT.");
+ return 1;
+ }
+ }
+
+ if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig,
+ sniSocketConfigArg) != SECSuccess) {
+ PrintPRError("SSL_SNISocketConfigHook failed");
+ return 1;
+ }
+
+ // We have to configure the server with a certificate, but it's not one
+ // we're actually going to end up using. In the SNI callback, we pick
+ // the right certificate for the connection.
+ //
+ // Provide an empty |extra_data| to force config via SSL_ConfigServerCert.
+ // This is a temporary mechanism to work around inconsistent setting of
+ // |authType| in the deprecated API (preventing the default cert from
+ // being removed in favor of the SNI-selected cert). This may be removed
+ // after Bug 1569222 removes the deprecated mechanism.
+ SSLExtraServerCertData extra_data = {ssl_auth_null, nullptr, nullptr,
+ nullptr, nullptr, nullptr};
+ if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME,
+ nullptr, nullptr,
+ &extra_data) != SECSuccess) {
+ return 1;
+ }
+
+ // Call back to implementation-defined configuration func, if provided.
+ if (configFunc) {
+ if (((configFunc)(modelSocket.get())) != SECSuccess) {
+ PrintPRError("configFunc failed");
+ return 1;
+ }
+ }
+
+ if (gCallbackPort != 0) {
+ if (DoCallback()) {
+ return 1;
+ }
+ }
+
+ std::thread([ppid] {
+ if (!ppid) {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "invalid ppid\n");
+ }
+ return;
+ }
+#ifdef XP_WIN
+ HANDLE parent = OpenProcess(SYNCHRONIZE, false, ppid);
+ if (!parent) {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "OpenProcess failed\n");
+ }
+ return;
+ }
+ WaitForSingleObject(parent, INFINITE);
+ CloseHandle(parent);
+#else
+ while (getppid() == ppid) {
+ sleep(1);
+ }
+#endif
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "Parent process crashed\n");
+ }
+ exit(1);
+ }).detach();
+
+ while (true) {
+ PRNetAddr clientAddr;
+ PRFileDesc* clientSocket =
+ PR_Accept(serverSocket.get(), &clientAddr, PR_INTERVAL_NO_TIMEOUT);
+ HandleConnection(clientSocket, modelSocket);
+ }
+}
+
+} // namespace test
+} // namespace mozilla
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
new file mode 100644
index 0000000000..3927b3e541
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
@@ -0,0 +1,93 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef TLSServer_h
+#define TLSServer_h
+
+// This is a standalone server for testing SSL features of Gecko.
+// The client is expected to connect and initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to). If all is good, the client then
+// sends one encrypted byte and receives that same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdint.h>
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/Casting.h"
+#include "prio.h"
+#include "secerr.h"
+#include "ssl.h"
+
+namespace mozilla {
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRDir, PRDir, PR_CloseDir);
+
+} // namespace mozilla
+
+namespace mozilla {
+namespace test {
+
+typedef SECStatus (*ServerConfigFunc)(PRFileDesc* fd);
+
+enum DebugLevel { DEBUG_ERRORS = 1, DEBUG_WARNINGS = 2, DEBUG_VERBOSE = 3 };
+
+extern DebugLevel gDebugLevel;
+
+void PrintPRError(const char* aPrefix);
+
+// The default certificate is trusted for localhost and *.example.com
+extern const char DEFAULT_CERT_NICKNAME[];
+
+// ConfigSecureServerWithNamedCert sets up the hostname name provided. If the
+// extraData parameter is presented, extraData->certChain will be automatically
+// filled in using database information.
+// Pass DEFAULT_CERT_NICKNAME as certName unless you need a specific
+// certificate.
+SECStatus ConfigSecureServerWithNamedCert(
+ PRFileDesc* fd, const char* certName,
+ /*optional*/ UniqueCERTCertificate* cert,
+ /*optional*/ SSLKEAType* kea,
+ /*optional*/ SSLExtraServerCertData* extraData);
+
+SECStatus InitializeNSS(const char* nssCertDBDir);
+
+// StartServer initializes NSS, sockets, the SNI callback, and a default
+// certificate. configFunc (optional) is a pointer to an implementation-
+// defined configuration function, which is called on the model socket
+// prior to handling any connections.
+int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
+ void* sniSocketConfigArg,
+ ServerConfigFunc configFunc = nullptr);
+
+template <typename Host>
+inline const Host* GetHostForSNI(const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, const Host* hosts) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ for (const Host* host = hosts; host->mHostName; ++host) {
+ SECItem hostName;
+ hostName.data = BitwiseCast<unsigned char*, const char*>(host->mHostName);
+ hostName.len = strlen(host->mHostName);
+ if (SECITEM_ItemsAreEqual(&hostName, &aSrvNameArr[i])) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+ return host;
+ }
+ }
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "could not find host info from SNI\n");
+ }
+
+ PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+ return nullptr;
+}
+
+} // namespace test
+} // namespace mozilla
+
+#endif // TLSServer_h
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
new file mode 100644
index 0000000000..54820f9b52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
@@ -0,0 +1,48 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+ "OCSPCommon.cpp",
+ "TLSServer.cpp",
+]
+
+USE_LIBS += [
+ "mozpkix-testlib",
+]
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+ # Bug 1805371: The FaultyServer binary added in Bug 1754746 needs to
+ # be statically linked against NSS, but the configuration here breaks
+ # builds with system NSS. A complete solution involves some changes
+ # to the NSS build system. For now we're disabling FaultyServer when
+ # using system NSS and linking the rest of the tests dynamically.
+ DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+ USE_LIBS += [
+ "certdb",
+ "certhi",
+ "cryptohi",
+ "freebl",
+ "mozpkix",
+ "mozpkix-testlib",
+ "nspr",
+ "nss_static",
+ "nssb",
+ "nssdev",
+ "nsspki",
+ "pk11wrap",
+ "smime",
+ "softokn3",
+ "sqlite",
+ "ssl",
+ ]
+
+ if CONFIG["MOZ_FOLD_LIBS"]:
+ USE_LIBS += ["nssutil"]
+ else:
+ USE_LIBS += ["nssutil3"]
+
+Library("tlsserver")
diff --git a/security/manager/ssl/tests/unit/tlsserver/moz.build b/security/manager/ssl/tests/unit/tlsserver/moz.build
new file mode 100644
index 0000000000..1488352914
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# lib must be first, because cmd depends on its output
+DIRS += ["lib", "cmd"]
diff --git a/security/manager/ssl/tests/unit/xpcshell-smartcards.toml b/security/manager/ssl/tests/unit/xpcshell-smartcards.toml
new file mode 100644
index 0000000000..4e4d47e42f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell-smartcards.toml
@@ -0,0 +1,22 @@
+[DEFAULT]
+head = "head_psm.js"
+tags = "psm"
+skip-if = ["os == 'android'"]
+
+["test_osclientcerts_module.js"]
+skip-if = [
+ "os == 'linux'",
+ "os == 'android'",
+]
+
+["test_pkcs11_module.js"]
+
+["test_pkcs11_moduleDB.js"]
+
+["test_pkcs11_safe_mode.js"]
+
+["test_pkcs11_slot.js"]
+
+["test_pkcs11_token.js"]
+
+["test_pkcs11_tokenDB.js"]
diff --git a/security/manager/ssl/tests/unit/xpcshell.toml b/security/manager/ssl/tests/unit/xpcshell.toml
new file mode 100644
index 0000000000..6cfab1a043
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell.toml
@@ -0,0 +1,361 @@
+[DEFAULT]
+head = "head_psm.js"
+tags = "psm condprof"
+firefox-appdir = "browser"
+skip-if = ["os == 'win' && msix"] # https://bugzilla.mozilla.org/show_bug.cgi?id=1809477
+support-files = [
+ "corrupted_crlite_helper.js",
+ "bad_certs/**",
+ "ocsp_certs/**",
+ "test_baseline_requirements/**",
+ "test_broken_fips/**",
+ "test_cert_eku/**",
+ "test_cert_embedded_null/**",
+ "test_cert_keyUsage/**",
+ "test_cert_overrides_read_only/**",
+ "test_cert_sha1/**",
+ "test_cert_signatures/**",
+ "test_cert_storage_direct/**",
+ "test_cert_storage_preexisting/**",
+ "test_cert_storage_preexisting_crlite/**",
+ "test_cert_trust/**",
+ "test_cert_utf8/**",
+ "test_cert_version/**",
+ "test_certDB_import/**",
+ "test_content_signing/**",
+ "test_crlite_filters/**",
+ "test_crlite_preexisting/**",
+ "test_crlite_corrupted/**",
+ "test_ct/**",
+ "test_delegated_credentials/**",
+ "test_encrypted_client_hello/**",
+ "test_ev_certs/**",
+ "test_faulty_server/**",
+ "test_intermediate_basic_usage_constraints/**",
+ "test_intermediate_preloads/**",
+ "test_keysize/**",
+ "test_keysize_ev/**",
+ "test_missing_intermediate/**",
+ "test_name_constraints/**",
+ "test_ocsp_url/**",
+ "test_onecrl/**",
+ "test_sanctions/**",
+ "test_sdr_preexisting/**",
+ "test_sdr_preexisting_with_password/**",
+ "test_self_signed_certs/**",
+ "test_signed_apps/**",
+ "test_validity/**",
+ "tlsserver/**",
+]
+
+["test_add_preexisting_cert.js"]
+
+["test_allow_all_cert_errors.js"]
+run-sequentially = "hardcoded ports"
+
+["test_baseline_requirements_subject_common_name.js"]
+
+["test_blocklist_onecrl.js"]
+# Skip signature tests for Thunderbird (Bug 1341983).
+skip-if = ["appname == 'thunderbird'"]
+tags = "remote-settings blocklist psm"
+
+["test_broken_fips.js"]
+# FIPS has never been a thing on Android, so the workaround doesn't
+# exist on that platform.
+# FIPS still works on Linux, so this test doesn't make any sense there.
+# FIPS still works on Windows, but running the test to ensure that it does not
+# break with a non-ASCII profile path.
+skip-if = [
+ "os == 'android'",
+ "os == 'linux'"
+]
+
+["test_certDB_export_pkcs12.js"]
+
+["test_certDB_export_pkcs12_with_primary_password.js"]
+
+["test_certDB_import.js"]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = ["os == 'android' && processor == 'x86_64'"]
+
+["test_certDB_import_pkcs12.js"]
+
+["test_certDB_import_with_primary_password.js"]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = ["os == 'android' && processor == 'x86_64'"]
+
+["test_cert_chains.js"]
+run-sequentially = "hardcoded ports"
+
+["test_cert_dbKey.js"]
+
+["test_cert_eku.js"]
+
+["test_cert_embedded_null.js"]
+
+["test_cert_expiration_canary.js"]
+run-if = ["nightly_build"]
+
+["test_cert_keyUsage.js"]
+
+["test_cert_override_read.js"]
+
+["test_cert_overrides.js"]
+run-sequentially = "hardcoded ports"
+
+["test_cert_overrides_read_only.js"]
+run-sequentially = "hardcoded ports"
+
+["test_cert_sha1.js"]
+
+["test_cert_signatures.js"]
+
+["test_cert_storage.js"]
+tags = "addons psm blocklist"
+
+["test_cert_storage_broken_db.js"]
+
+["test_cert_storage_direct.js"]
+
+["test_cert_storage_preexisting.js"]
+
+["test_cert_storage_preexisting_crlite.js"]
+# This test cannot succeed on 32-bit platforms. See bugs 1546361 and 1548956.
+skip-if = ["bits != 64"]
+
+["test_cert_trust.js"]
+
+["test_cert_utf8.js"]
+
+["test_cert_version.js"]
+
+["test_client_auth_remember_service_read.js"]
+skip-if = ["condprof"]
+
+["test_constructX509FromBase64.js"]
+
+["test_content_signing.js"]
+
+["test_crlite_coverage_missing.js"]
+
+["test_crlite_coverage_trunc1.js"]
+
+["test_crlite_coverage_trunc2.js"]
+
+["test_crlite_coverage_trunc3.js"]
+
+["test_crlite_coverage_version.js"]
+
+["test_crlite_enrollment_trunc1.js"]
+
+["test_crlite_enrollment_version.js"]
+
+["test_crlite_filter_corrupted.js"]
+
+["test_crlite_filters.js"]
+tags = "remote-settings psm"
+
+["test_crlite_preexisting.js"]
+
+["test_crlite_stash_corrupted.js"]
+
+["test_ct.js"]
+# Requires hard-coded debug-only data
+skip-if = ["!debug"]
+run-sequentially = "hardcoded ports"
+
+["test_data_storage.js"]
+
+["test_db_format_pref_new.js"]
+# Android always has and always will use the new format, so
+# this test doesn't apply.
+skip-if = [
+ "os == 'android'",
+ "condprof",
+] # Bug 1769154 - as designed
+
+["test_delegated_credentials.js"]
+run-sequentially = "hardcoded ports"
+
+["test_der.js"]
+
+["test_encrypted_client_hello.js"]
+run-sequentially = "hardcoded ports"
+
+["test_encrypted_client_hello_client_only.js"]
+run-sequentially = "hardcoded ports"
+
+["test_enterprise_roots.js"]
+# This feature is implemented for Windows and OS X. However, we don't currently
+# have a way to test it on OS X.
+skip-if = ["os != 'win'"]
+
+["test_ev_certs.js"]
+tags = "blocklist psm"
+run-sequentially = "hardcoded ports"
+
+["test_faulty_server.js"]
+run-sequentially = "hardcoded ports"
+
+["test_forget_about_site_security_headers.js"]
+
+["test_hash_algorithms.js"]
+
+["test_hash_algorithms_wrap.js"]
+# bug 1124289 - run_test_in_child violates the sandbox on android
+skip-if = ["os == 'android'"]
+
+["test_intermediate_basic_usage_constraints.js"]
+
+["test_intermediate_preloads.js"]
+run-sequentially = "hardcoded ports"
+tags = "blocklist psm remote-settings"
+
+["test_keysize.js"]
+
+["test_keysize_ev.js"]
+run-sequentially = "hardcoded ports"
+
+["test_logoutAndTeardown.js"]
+skip-if = ["socketprocess_networking && os == 'linux' && debug"]
+run-sequentially = "hardcoded ports"
+
+["test_missing_intermediate.js"]
+run-sequentially = "hardcoded ports"
+
+["test_name_constraints.js"]
+
+["test_nonascii_path.js"]
+
+["test_nsCertType.js"]
+run-sequentially = "hardcoded ports"
+
+["test_nsIX509CertValidity.js"]
+
+["test_nsIX509Cert_utf8.js"]
+
+["test_ocsp_caching.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_enabled_pref.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_must_staple.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_no_hsts_upgrade.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_private_caching.js"]
+run-sequentially = "hardcoded ports"
+skip-if = ["condprof"] # Bug 1769154 - should look into this
+
+["test_ocsp_required.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_stapling.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_stapling_expired.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_stapling_with_intermediate.js"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_timeout.js"]
+skip-if = ["(os == 'win' && socketprocess_networking)"]
+run-sequentially = "hardcoded ports"
+
+["test_ocsp_url.js"]
+run-sequentially = "hardcoded ports"
+
+["test_oskeystore.js"]
+skip-if = ["apple_silicon"] # bug 1729538
+
+["test_osreauthenticator.js"]
+# Reauthentication has been implemented on Windows and MacOS, so running this
+# test results in the OS popping up a dialog, which means we can't run it in
+# automation.
+skip-if = [
+ "os == 'win'",
+ "os == 'mac'"
+]
+
+["test_password_prompt.js"]
+
+["test_pinning.js"]
+run-sequentially = "hardcoded ports"
+
+["test_sanctions_symantec_apple_google.js"]
+run-sequentially = "hardcoded ports"
+
+["test_sdr.js"]
+
+["test_sdr_preexisting.js"]
+# Not relevant to Android. See the comment in the test.
+skip-if = ["os == 'android'"]
+
+["test_sdr_preexisting_with_password.js"]
+# Not relevant to Android. See the comment in the test.
+skip-if = ["os == 'android'"]
+
+["test_self_signed_certs.js"]
+
+["test_session_resumption.js"]
+skip-if = ["os == 'win'"] # Bug 1585916
+run-sequentially = "hardcoded ports"
+
+["test_signed_apps.js"]
+
+["test_ssl_status.js"]
+run-sequentially = "hardcoded ports"
+
+["test_sss_eviction.js"]
+skip-if = ["condprof"] # Bug 1769154 - as designed
+
+["test_sss_migration.js"]
+skip-if = ["condprof"] # Bug 1769154 - as designed
+
+["test_sss_originAttributes.js"]
+
+["test_sss_readstate.js"]
+skip-if = ["condprof"] # Bug 1769154 - as designed
+
+["test_sss_readstate_empty.js"]
+skip-if = ["condprof"] # Bug 1769154 - as designed
+
+["test_sss_readstate_garbage.js"]
+skip-if = ["condprof"] # Bug 1769154 - as designed
+
+["test_sss_readstate_huge.js"]
+skip-if = ["condprof"] # Bug 1769154 - as designed
+
+["test_sss_resetState.js"]
+
+["test_sss_sanitizeOnShutdown.js"]
+firefox-appdir = "browser"
+# Sanitization works differently on Android - this doesn't apply.
+# browser/modules/Sanitizer.jsm used by the test isn't available in Thunderbird.
+skip-if = [
+ "os == 'android'",
+ "appname == 'thunderbird'"
+]
+
+["test_sss_savestate.js"]
+skip-if = ["condprof"] # Bug 1769154 - as designed
+
+["test_sts_fqdn.js"]
+
+["test_sts_ipv4_ipv6.js"]
+
+["test_sts_parser.js"]
+
+["test_sts_preloadlist_perwindowpb.js"]
+
+["test_sts_preloadlist_selfdestruct.js"]
+
+["test_validity.js"]
+run-sequentially = "hardcoded ports"
+
+["test_x509.js"]
diff --git a/security/manager/tools/.eslintrc.js b/security/manager/tools/.eslintrc.js
new file mode 100644
index 0000000000..44c1d9cba6
--- /dev/null
+++ b/security/manager/tools/.eslintrc.js
@@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+module.exports = {
+ globals: {
+ // JS files in this folder are commonly xpcshell scripts where |arguments|
+ // is defined in the global scope.
+ arguments: false,
+ },
+};
diff --git a/security/manager/tools/KnownRootHashes.json b/security/manager/tools/KnownRootHashes.json
new file mode 100644
index 0000000000..0dc9fa9dd1
--- /dev/null
+++ b/security/manager/tools/KnownRootHashes.json
@@ -0,0 +1,1343 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+//
+//***************************************************************************
+// This is an automatically generated file. It's used to maintain state for
+// runs of genRootCAHashes.js; you should never need to manually edit it
+//***************************************************************************
+
+// Notes:
+// binNumber 1 used to be for "GTE_CyberTrust_Global_Root", but that root was
+// removed from the built-in roots module, so now it is used to indicate that
+// the certificate is not a built-in and was found in the softoken (cert9.db).
+
+// binNumber 2 used to be for "Thawte_Server_CA", but that root was removed from
+// the built-in roots module, so now it is used to indicate that the certificate
+// is not a built-in and was found on an external PKCS#11 token.
+
+// binNumber 3 used to be for "Thawte_Premium_Server_CA", but that root was
+// removed from the built-in roots module, so now it is used to indicate that
+// the certificate is not a built-in and was temporarily imported from the OS as
+// part of the "Enterprise Roots" feature.
+
+{
+ "roots": [
+ {
+ "label": "OU_Equifax_Secure_Certificate_Authority_O_Equifax_C_US",
+ "binNumber": 4,
+ "sha256Fingerprint": "CCl6QEfbojaAxzHbbjF2U8p4SOG+vToLAXmnB/ks8Xg="
+ },
+ {
+ "label": "OU_VeriSign_Trust_Network_OU___c__1998_VeriSign__Inc____For_authorized_use_only__OU_Class_3_Public_Primary_Certification_Authority___G2_O__VeriSign__Inc___C_US",
+ "binNumber": 5,
+ "sha256Fingerprint": "g848Eiloilk9SF+BlzwPkZVDHto3zF42Qw55x6iIY4s="
+ },
+ {
+ "label": "GlobalSign_Root_CA",
+ "binNumber": 6,
+ "sha256Fingerprint": "69QQQOS7PsdCyeOB0x7ypBpItmhclufO88HfbNQzHJk="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 7,
+ "sha256Fingerprint": "ykLdQXRf0LgeuQI2LPnYv3Gdob0bHvyUb1tMmfQsG54="
+ },
+ {
+ "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G3",
+ "binNumber": 8,
+ "sha256Fingerprint": "6wTPXrHzmvp2LyuxIPKWy6Ugwbl9sViVZbgcuaF7ckQ="
+ },
+ {
+ "label": "VeriSign_Class_4_Public_Primary_Certification_Authority___G3",
+ "binNumber": 9,
+ "sha256Fingerprint": "44k2DQ/brrPSUFhLRzAxTiIvOcFWoCAUTo2WBWF5FQY="
+ },
+ {
+ "label": "Entrust_net_Certification_Authority__2048_",
+ "binNumber": 10,
+ "sha256Fingerprint": "bcRxcuAcvLC/YlgNiV/iuKya1PhzgB4MELnIN9IesXc="
+ },
+ {
+ "label": "Baltimore_CyberTrust_Root",
+ "binNumber": 11,
+ "sha256Fingerprint": "Fq9XqfZ2sKsSYJWqXrre8iqzERnWRKyVzUuT2/Pyaus="
+ },
+ {
+ "label": "Equifax_Secure_Global_eBusiness_CA_1",
+ "binNumber": 12,
+ "sha256Fingerprint": "Xwti6rXjU+plIWUWWPu2U1n0QygKSvvRBNd9EPnwTAc="
+ },
+ {
+ "label": "Equifax_Secure_eBusiness_CA_1",
+ "binNumber": 13,
+ "sha256Fingerprint": "z1b/RqShhhCd2WWEte61ilEMQnWw5flPQLuuhl4Z9nM="
+ },
+ {
+ "label": "AddTrust_Class_1_CA_Root",
+ "binNumber": 14,
+ "sha256Fingerprint": "jHIJJ5rATideFtB/07d16AFUtZaARuMfUt0ldmMk6ac="
+ },
+ {
+ "label": "AddTrust_External_CA_Root",
+ "binNumber": 15,
+ "sha256Fingerprint": "aH+kUTgieP/wyLEfjUPVdmccbrK86rQT+4PZZdBtL/I="
+ },
+ {
+ "label": "AddTrust_Public_CA_Root",
+ "binNumber": 16,
+ "sha256Fingerprint": "B5HKB0myB4Kq08fXvQzfyUhYNYQ+steZYAnOQ6tsaSc="
+ },
+ {
+ "label": "AddTrust_Qualified_CA_Root",
+ "binNumber": 17,
+ "sha256Fingerprint": "gJUhCAXbS7w1XkQo2P1uws3jq1+5eplCmI649NzQYBY="
+ },
+ {
+ "label": "Entrust_Root_Certification_Authority",
+ "binNumber": 18,
+ "sha256Fingerprint": "c8F2Q08bxtWt9FsOducnKHyN5XYWwebmFBorLLx9jkw="
+ },
+ {
+ "label": "OU_RSA_Security_2048_V3_O_RSA_Security_Inc",
+ "binNumber": 19,
+ "sha256Fingerprint": "r4tnYqHlKCKBYaldXFWe4mYnj3XXnoMBiaUDUGq9a0w="
+ },
+ {
+ "label": "GeoTrust_Global_CA",
+ "binNumber": 20,
+ "sha256Fingerprint": "/4VqLSUdzYjTZlb0UBJnmM+rqt5AeZxyLeTStds2pzo="
+ },
+ {
+ "label": "GeoTrust_Global_CA_2",
+ "binNumber": 21,
+ "sha256Fingerprint": "yi2CoIZ3By+KtnZP8DVnbP4+XjJeASFy3z+SCW23m4U="
+ },
+ {
+ "label": "GeoTrust_Universal_CA",
+ "binNumber": 22,
+ "sha256Fingerprint": "oEWbn2OyJVn1+l1MbbP59y/xk0IDNXjwc78dG0bLuRI="
+ },
+ {
+ "label": "GeoTrust_Universal_CA_2",
+ "binNumber": 23,
+ "sha256Fingerprint": "oCNPO8hSfKVijuyBrV1piV2laA3JHRy4R38z+Hi5Wws="
+ },
+ {
+ "label": "America_Online_Root_Certification_Authority_1",
+ "binNumber": 24,
+ "sha256Fingerprint": "d0BzEsY6FT1bwAtOUXWc39rCN9wqM7Z5RumOm/poCuM="
+ },
+ {
+ "label": "America_Online_Root_Certification_Authority_2",
+ "binNumber": 25,
+ "sha256Fingerprint": "fTtGWmAU5SbAr/zuISfSMRcnrYEcJoQtAGrzcwbMgL0="
+ },
+ {
+ "label": "Visa_eCommerce_Root",
+ "binNumber": 26,
+ "sha256Fingerprint": "afrJvVX7CseNU7vuXPHVl5if0KqrIKJRUb3xcz7n0SI="
+ },
+ {
+ "label": "Certum_CA",
+ "binNumber": 27,
+ "sha256Fingerprint": "2OD+vB2y440AlA830n1BNE2ZPnNLmdVlbZd41NgUNiQ="
+ },
+ {
+ "label": "AAA_Certificate_Services",
+ "binNumber": 28,
+ "sha256Fingerprint": "16eg+11+JzHXcelITrze9x1fDD4KKUh4K8g+4OppnvQ="
+ },
+ {
+ "label": "Secure_Certificate_Services",
+ "binNumber": 29,
+ "sha256Fingerprint": "vYHOO09lkdEaZ7X8ekf97yVSG/mqThi5498uNKeAO+g="
+ },
+ {
+ "label": "Trusted_Certificate_Services",
+ "binNumber": 30,
+ "sha256Fingerprint": "PwblVoHUlvW+Fp61OJ+fK4/2HhcI32iBckhJzV0ny2k="
+ },
+ {
+ "label": "QuoVadis_Root_Certification_Authority",
+ "binNumber": 31,
+ "sha256Fingerprint": "pF7eO7vwnIrhXHLvwHJo1pOiHJlv1R5nygeUYP1tiHM="
+ },
+ {
+ "label": "QuoVadis_Root_CA_2",
+ "binNumber": 32,
+ "sha256Fingerprint": "haDdfdcgrbf/Bfg9VCsgncf/RSj31nexg4n+peXEnoY="
+ },
+ {
+ "label": "QuoVadis_Root_CA_3",
+ "binNumber": 33,
+ "sha256Fingerprint": "GPH8fyBd+K3d63/gB91X4683WpxNjXNUa/Tx/tHhjTU="
+ },
+ {
+ "label": "OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP",
+ "binNumber": 34,
+ "sha256Fingerprint": "515y7Z9WDuxutIAAc6Q/w60ZGVo5IoIBeJWXSpkCa2w="
+ },
+ {
+ "label": "Sonera_Class2_CA",
+ "binNumber": 35,
+ "sha256Fingerprint": "eQi0AxTBOBALUY0HNYB/+/z4UYoAlTNxBbo4axU92Sc="
+ },
+ {
+ "label": "Staat_der_Nederlanden_Root_CA",
+ "binNumber": 36,
+ "sha256Fingerprint": "1B2CnowWWYIq+T/OYr/83iZPyE6LlQxf8nXQUjVGlaM="
+ },
+ {
+ "label": "UTN___DATACorp_SGC",
+ "binNumber": 37,
+ "sha256Fingerprint": "hfsvkd0SJ1oBRbY2U0+EAkrWi2m47ohoT/cRN1gFs0g="
+ },
+ {
+ "label": "UTN_USERFirst_Hardware",
+ "binNumber": 38,
+ "sha256Fingerprint": "bqVHQdAEZn7tG0gWY0qjp55uS5aVD4J52vyNm9iBITc="
+ },
+ {
+ "label": "Chambers_of_Commerce_Root",
+ "binNumber": 39,
+ "sha256Fingerprint": "DCWKEqVnSu8l8oun3Prs7qNI5UHm9cxO5jtxs2FgasM="
+ },
+ {
+ "label": "Global_Chambersign_Root",
+ "binNumber": 40,
+ "sha256Fingerprint": "7zy0F/yOv2+Xh2yeTs453h6l/mSRQdECi30RwLIpjO0="
+ },
+ {
+ "label": "NetLock_Kozjegyzoi__Class_A__Tanusitvanykiado",
+ "binNumber": 41,
+ "sha256Fingerprint": "fxLNX35eKQ7H2FF51bcsIKW+dQj/21v4GrloSn/J9mc="
+ },
+ {
+ "label": "XRamp_Global_Certification_Authority",
+ "binNumber": 42,
+ "sha256Fingerprint": "zs3ckFCZ2NrfxbHSCbc3y+LBjPssEMD/C88NMob8GqI="
+ },
+ {
+ "label": "OU_Go_Daddy_Class_2_Certification_Authority_O__The_Go_Daddy_Group__Inc___C_US",
+ "binNumber": 43,
+ "sha256Fingerprint": "w4Rr8kuek8pkJ0wOxnwezF4CT/ys0tdAGTUOgf5UauQ="
+ },
+ {
+ "label": "OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US",
+ "binNumber": 44,
+ "sha256Fingerprint": "FGX6IFOXuHb6pvCplY5VkOQPzH+qT7fCyGd1Iftftlg="
+ },
+ {
+ "label": "StartCom_Certification_Authority",
+ "binNumber": 45,
+ "sha256Fingerprint": "x2apvvLUBxyGOjGqSSDoE7LRmGCMt7fP4hFDuDbfCeo="
+ },
+ {
+ "label": "O_Government_Root_Certification_Authority_C_TW",
+ "binNumber": 46,
+ "sha256Fingerprint": "dgApXu/oW54f1iTbdgYqqq5ZgYpU0ndM1MCywBEx4bM="
+ },
+ {
+ "label": "Swisscom_Root_CA_1",
+ "binNumber": 47,
+ "sha256Fingerprint": "IdsgEjZguy7UGCBdoR7nqFpl4rxuVbWvfniZyKJm2S4="
+ },
+ {
+ "label": "DigiCert_Assured_ID_Root_CA",
+ "binNumber": 48,
+ "sha256Fingerprint": "PpCZtQFej0hsALzqnREe5yH6ujVaibzx32lWHj3GMlw="
+ },
+ {
+ "label": "DigiCert_Global_Root_CA",
+ "binNumber": 49,
+ "sha256Fingerprint": "Q0ig6URMeMsmXgWNXolEtNhPlmK9Jtslf4k0pEPHAWE="
+ },
+ {
+ "label": "DigiCert_High_Assurance_EV_Root_CA",
+ "binNumber": 50,
+ "sha256Fingerprint": "dDHl9MPBzkaQd08LYeBUQIg7qaAe0Aumq9eAbtOxGM8="
+ },
+ {
+ "label": "Class_2_Primary_CA",
+ "binNumber": 51,
+ "sha256Fingerprint": "D5k8iu+Xuq9WhxQO1ZrRghu0r6zwqppYtdV6M4o6+8s="
+ },
+ {
+ "label": "DST_Root_CA_X3",
+ "binNumber": 52,
+ "sha256Fingerprint": "BocmAzGnJAPZCfEF5pvPDTLhvSST/8bZIG0RvNZ3Bzk="
+ },
+ {
+ "label": "DST_ACES_CA_X6",
+ "binNumber": 53,
+ "sha256Fingerprint": "dnyVWnZBLImvaI6QoccPVWz9a2Al2+oQQW1+toMfjEA="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 54,
+ "sha256Fingerprint": "RATjO14UDc+ZgFH9/IAox8gWFcXuc3sRG1iCM6m1NaA="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 55,
+ "sha256Fingerprint": "xHDPVH4jArl3+yndcaiae2wfYHd7Ayn1YBfzKL9Pa+Y="
+ },
+ {
+ "label": "SwissSign_Gold_CA___G2",
+ "binNumber": 56,
+ "sha256Fingerprint": "Yt0L6bn1ChY+oPjnXAU7HspX6lXIaI9kfGiB8sg1e5U="
+ },
+ {
+ "label": "SwissSign_Silver_CA___G2",
+ "binNumber": 57,
+ "sha256Fingerprint": "vmxNoru5ulm285OXaDdCRsPABZk/qY8CDR3tvtSKgdU="
+ },
+ {
+ "label": "GeoTrust_Primary_Certification_Authority",
+ "binNumber": 58,
+ "sha256Fingerprint": "N9UQBsUS6qtiZCHx7IySAT/F+CrpjuUz60YZuN600Gw="
+ },
+ {
+ "label": "thawte_Primary_Root_CA",
+ "binNumber": 59,
+ "sha256Fingerprint": "jXIvganBE8B5HfE2opZtsmyVCpcdtGtBmfTqVLeL+58="
+ },
+ {
+ "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G5",
+ "binNumber": 60,
+ "sha256Fingerprint": "ms+rfkPI2IDQayYqlN7u5LRlmYnD0Mrxm69kBeQat98="
+ },
+ {
+ "label": "SecureTrust_CA",
+ "binNumber": 61,
+ "sha256Fingerprint": "8cG1CuWiDdgDDsn2vCSCPdNntSVXWbTnG2H86fc3XXM="
+ },
+ {
+ "label": "Secure_Global_CA",
+ "binNumber": 62,
+ "sha256Fingerprint": "QgD1BDrIWQ67Un0gntFQMCn7y9QcobUG7CfxWt59rGk="
+ },
+ {
+ "label": "COMODO_Certification_Authority",
+ "binNumber": 63,
+ "sha256Fingerprint": "DCzWPfeAb6OZ7egJEWtXW/h5ifBlGPmAjIYFAxeLr2Y="
+ },
+ {
+ "label": "Network_Solutions_Certificate_Authority",
+ "binNumber": 64,
+ "sha256Fingerprint": "FfC6AKOsevOsiEwHKxARoHe9d8CX9AFksvhZir2Dhgw="
+ },
+ {
+ "label": "WellsSecure_Public_Root_Certificate_Authority",
+ "binNumber": 65,
+ "sha256Fingerprint": "pxJyrqqjz+hyf3+znw+z0eVCbpBgsG7m8T6aPFgzzUM="
+ },
+ {
+ "label": "COMODO_ECC_Certification_Authority",
+ "binNumber": 66,
+ "sha256Fingerprint": "F5OSegYUVJeJrc4vjzT38LZtDzrjo7hNIewV27pPrcc="
+ },
+ {
+ "label": "IGC_A",
+ "binNumber": 67,
+ "sha256Fingerprint": "ub6nhgqWLqNhHauXq22j4hwQaLl9VVde0OESecEciTI="
+ },
+ {
+ "label": "OU_Security_Communication_EV_RootCA1_O__SECOM_Trust_Systems_CO__LTD___C_JP",
+ "binNumber": 68,
+ "sha256Fingerprint": "oi26aB6XN24tOX1yiq46m2KWuf26YLwuEfZH8sZ1+zc="
+ },
+ {
+ "label": "OISTE_WISeKey_Global_Root_GA_CA",
+ "binNumber": 69,
+ "sha256Fingerprint": "Qckjhmq0yta3rVeAgVguAgeXpsvfT/94zoOWs4k31/U="
+ },
+ {
+ "label": "Microsec_e_Szigno_Root_CA",
+ "binNumber": 70,
+ "sha256Fingerprint": "Mno9dhq63qA065mEBidcsaR3bv2uL99tAWjqHE9VZ9A="
+ },
+ {
+ "label": "Certigna",
+ "binNumber": 71,
+ "sha256Fingerprint": "47ai2y7XzkiEL3rFMkHHtx1UFEv7QMEfPx0LQvXuoS0="
+ },
+ {
+ "label": "TC_TrustCenter_Class_2_CA_II",
+ "binNumber": 72,
+ "sha256Fingerprint": "5rj4dmSF+Aeuf42sFnBGHwfAoT7vOh/3F1ONerrTkbQ="
+ },
+ {
+ "label": "TC_TrustCenter_Class_3_CA_II",
+ "binNumber": 73,
+ "sha256Fingerprint": "jaCE/Pmc4Hci+JsyBZOYBvpcuBHhyBP2oQjH0zazQI4="
+ },
+ {
+ "label": "TC_TrustCenter_Universal_CA_I",
+ "binNumber": 74,
+ "sha256Fingerprint": "6/PAKoeJsft9URmV1mO3KQbZE84NXhBWiop34lhhZ+c="
+ },
+ {
+ "label": "Deutsche_Telekom_Root_CA_2",
+ "binNumber": 75,
+ "sha256Fingerprint": "thkaUNDDl399qZvNqshqIn2uuWeexwujsMnZInHBcNM="
+ },
+ {
+ "label": "ComSign_Secured_CA",
+ "binNumber": 76,
+ "sha256Fingerprint": "UHlBx0RgoLRwhiINTpkyVyq10bW7y4mAqxyxdlGoRNI="
+ },
+ {
+ "label": "Cybertrust_Global_Root",
+ "binNumber": 77,
+ "sha256Fingerprint": "lgrfAGPpY1Z1DCll3QoIZ9oLnL1ud3FK6vsjSas5PaM="
+ },
+ {
+ "label": "OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW",
+ "binNumber": 78,
+ "sha256Fingerprint": "wKb03GOiS/3PVO8qaggqCnLeNYA+L/X/Unrl2HIG39U="
+ },
+ {
+ "label": "T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s____S_r_m_3",
+ "binNumber": 79,
+ "sha256Fingerprint": "5Mc0MNeltQkl30M3Cg0hbpp5udbbg3Ogxp6xzDHHxSo="
+ },
+ {
+ "label": "Buypass_Class_2_CA_1",
+ "binNumber": 80,
+ "sha256Fingerprint": "D06c3SZLAlVQ0XCAY0AhT+lENMmwL2l+xxD8X+r7Xjg="
+ },
+ {
+ "label": "Buypass_Class_3_CA_1",
+ "binNumber": 81,
+ "sha256Fingerprint": "t7ErFx+CHaqZDND+UIexKESLqOUYT4TFHgK1yPuWKyQ="
+ },
+ {
+ "label": "EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 82,
+ "sha256Fingerprint": "Na5b3dj3rmNc/7pWgqjwC5X0hGLHEI7poOUpKwdKr7I="
+ },
+ {
+ "label": "OU_certSIGN_ROOT_CA_O_certSIGN_C_RO",
+ "binNumber": 83,
+ "sha256Fingerprint": "6qlixPpKa6/r5BUZbTUczYiNT1Pz+orm18RmqU5gQrs="
+ },
+ {
+ "label": "CNNIC_ROOT",
+ "binNumber": 84,
+ "sha256Fingerprint": "4oOTdz2oRaZ58ggMx/tEo7ehw3kst+t3Kf3Lao2Zrqc="
+ },
+ {
+ "label": "OU_ApplicationCA_O_Japanese_Government_C_JP",
+ "binNumber": 85,
+ "sha256Fingerprint": "LUdDfeF5USFaEvPFjlHHKaWAJu8fzApfs9ncAS9gDRk="
+ },
+ {
+ "label": "GeoTrust_Primary_Certification_Authority___G3",
+ "binNumber": 86,
+ "sha256Fingerprint": "tHi4EiUN+HhjXCqn7H0VXqpiXugpFuLNKUNhiGzR+9Q="
+ },
+ {
+ "label": "thawte_Primary_Root_CA___G2",
+ "binNumber": 87,
+ "sha256Fingerprint": "pDENUK8YpkRxkDcqhq+vi5Uf+0Mdg38eVoi0WXHtFVc="
+ },
+ {
+ "label": "thawte_Primary_Root_CA___G3",
+ "binNumber": 88,
+ "sha256Fingerprint": "SwP0WAetcPIb/Cyuccn95GBMBkz1/7aGuuXbqtf900w="
+ },
+ {
+ "label": "GeoTrust_Primary_Certification_Authority___G2",
+ "binNumber": 89,
+ "sha256Fingerprint": "Xtt6xDuCoGqHYejXvkl56/JhH33Xm/kcHGtWaiGe12Y="
+ },
+ {
+ "label": "VeriSign_Universal_Root_Certification_Authority",
+ "binNumber": 90,
+ "sha256Fingerprint": "I5lWESelcSXejO/qYQ3fL6B4tcgGf06CgpC/uGDoSzw="
+ },
+ {
+ "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G4",
+ "binNumber": 91,
+ "sha256Fingerprint": "ad3X6pC7V8k+E13IXqb81UgLYDI5vcRU/HWLKibPf3k="
+ },
+ {
+ "label": "NetLock_Arany__Class_Gold__F_tan_s_tv_ny",
+ "binNumber": 92,
+ "sha256Fingerprint": "bGHaw6Le8DFQa+A20qb+QBmU+9E9+cjUZlmSdMRG7Jg="
+ },
+ {
+ "label": "Staat_der_Nederlanden_Root_CA___G2",
+ "binNumber": 93,
+ "sha256Fingerprint": "ZoyDlH2mO3JL7OF0PDGg5q7Q247Fsxvjd7t4T5G2cW8="
+ },
+ {
+ "label": "CA_Disig",
+ "binNumber": 94,
+ "sha256Fingerprint": "kr9RGavsytCxMy3E4dBfunW1Z5BE7gyibpMfdE8vM88="
+ },
+ {
+ "label": "Juur_SK",
+ "binNumber": 95,
+ "sha256Fingerprint": "7MPpw0B1A77gkaqVL0E0j/iLqoY7ImS++sgHkBV06Tk="
+ },
+ {
+ "label": "Hongkong_Post_Root_CA_1",
+ "binNumber": 96,
+ "sha256Fingerprint": "+eZ9M2xRACrAVMYyAi1m3aLn4//xCtBh7THYu7QQz7I="
+ },
+ {
+ "label": "SecureSign_RootCA11",
+ "binNumber": 97,
+ "sha256Fingerprint": "vw/u+546WBrV+enbdYmYV0PSYQhcTTFPb11yWapCFhI="
+ },
+ {
+ "label": "ACEDICOM_Root",
+ "binNumber": 98,
+ "sha256Fingerprint": "A5UPtJpTHz4ZkZQjmN+p4Ooy17oc3ZvIXbV+2UALQ0o="
+ },
+ {
+ "label": "Microsec_e_Szigno_Root_CA_2009",
+ "binNumber": 99,
+ "sha256Fingerprint": "PF+B/qX6uCxkv6Lq7K/N6OB3/IYgp8rlNxY9827b83g="
+ },
+ {
+ "label": "e_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi",
+ "binNumber": 100,
+ "sha256Fingerprint": "5gkHhGWkGXgMtqxMHAv7RlPZ2cxus5Rut/PWmZe61Zg="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 101,
+ "sha256Fingerprint": "y7Ui17fxJ61qAROGW98c1BAufQdZr2NafPRyDcljxTs="
+ },
+ {
+ "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068",
+ "binNumber": 102,
+ "sha256Fingerprint": "BASAKL8fKGTUj5rU2DKUNmqCiFZVPzsUMD+QFH9dQO8="
+ },
+ {
+ "label": "Izenpe_com",
+ "binNumber": 103,
+ "sha256Fingerprint": "JTDMjpgyFQK62W+bH7obCZ4tKZ4PRUi7kU82O8DUUx8="
+ },
+ {
+ "label": "Chambers_of_Commerce_Root___2008",
+ "binNumber": 104,
+ "sha256Fingerprint": "Bj5K+sSR39My8wibhULpRhfYk9f+lE4Qp5N+4p2Wk8A="
+ },
+ {
+ "label": "Global_Chambersign_Root___2008",
+ "binNumber": 105,
+ "sha256Fingerprint": "E2M1Q5M0p2mAFqDTJN5yKE4HnXtSILuPvXR4Fu6+uso="
+ },
+ {
+ "label": "Go_Daddy_Root_Certificate_Authority___G2",
+ "binNumber": 106,
+ "sha256Fingerprint": "RRQLMkfrnMjFtPDXtTCR9zKSCJ5uWmPidJ3TrKkZjto="
+ },
+ {
+ "label": "Starfield_Root_Certificate_Authority___G2",
+ "binNumber": 107,
+ "sha256Fingerprint": "LOHLC/nS+eECmT++IVFSw7LdDKveHGjlMZuDkVTbt/U="
+ },
+ {
+ "label": "Starfield_Services_Root_Certificate_Authority___G2",
+ "binNumber": 108,
+ "sha256Fingerprint": "Vo1pBaLIhwikswJRkO3P7bGXSmBqE8blKQ/LKuY+2rU="
+ },
+ {
+ "label": "AffirmTrust_Commercial",
+ "binNumber": 109,
+ "sha256Fingerprint": "A3arHVTF+YA85LLiAaDufu97V7Y26Kk8m41IYMlvX6c="
+ },
+ {
+ "label": "AffirmTrust_Networking",
+ "binNumber": 110,
+ "sha256Fingerprint": "CoHsWpKXd/FFkErzjV1Qn2a14sWPzbUxBYsOF/PwtBs="
+ },
+ {
+ "label": "AffirmTrust_Premium",
+ "binNumber": 111,
+ "sha256Fingerprint": "cKc/fzdrYAdCSJBFNLEUgtW/DmmOzEmN9SV36/LpO5o="
+ },
+ {
+ "label": "AffirmTrust_Premium_ECC",
+ "binNumber": 112,
+ "sha256Fingerprint": "vXH99tqX5M9i0WR63SWBsH15rfg5frTsupxehIiCFCM="
+ },
+ {
+ "label": "Certum_Trusted_Network_CA",
+ "binNumber": 113,
+ "sha256Fingerprint": "XFhGjVX1jkl+dDmC0rUAELbRZTdKz4On1KMtt2jEQI4="
+ },
+ {
+ "label": "Certinomis___Autorit__Racine",
+ "binNumber": 114,
+ "sha256Fingerprint": "/L/iiGIG9ysnWTyLBwKX4S12ntEO15MHBagJjv/BTRc="
+ },
+ {
+ "label": "Root_CA_Generalitat_Valenciana",
+ "binNumber": 115,
+ "sha256Fingerprint": "jE7f0ENI8yKWnn4ppM1NygBGVQYcFuGwdkIu80KtYw4="
+ },
+ {
+ "label": "A_Trust_nQual_03",
+ "binNumber": 116,
+ "sha256Fingerprint": "eTy/RVm5/eOKsi3xaGn2mIGuFMSwE5rHiKeKGvzKAvs="
+ },
+ {
+ "label": "TWCA_Root_Certification_Authority",
+ "binNumber": 117,
+ "sha256Fingerprint": "v9iP4RAcQa4+gBv4vlY1Dum60aa5vVFe3FxtW4cRrEQ="
+ },
+ {
+ "label": "OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP",
+ "binNumber": 118,
+ "sha256Fingerprint": "UTss7LgQ1M3l3YU5Gt/Gwt1g2Hu3NtK1IUhKpHoOvvY="
+ },
+ {
+ "label": "EC_ACC",
+ "binNumber": 119,
+ "sha256Fingerprint": "iEl/AWAvMVQkauKMTVrvEPHYfrt2Ym9K4Lf5W6eWh5k="
+ },
+ {
+ "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2011",
+ "binNumber": 120,
+ "sha256Fingerprint": "vBBPFaSL5wncpUKn4dS5328FRSfoAuqpLVlURCWK/nE="
+ },
+ {
+ "label": "Actalis_Authentication_Root_CA",
+ "binNumber": 121,
+ "sha256Fingerprint": "VZJghOyWOmS5biq+Ac4LqGpk+/68x6q1r8FVs3/XYGY="
+ },
+ {
+ "label": "OU_Trustis_FPS_Root_CA_O_Trustis_Limited_C_GB",
+ "binNumber": 122,
+ "sha256Fingerprint": "wbSCmaulII/pYwrOVcpooD7aWlGciAKg06Zzvo+OVX0="
+ },
+ {
+ "label": "StartCom_Certification_Authority",
+ "binNumber": 123,
+ "sha256Fingerprint": "4XiQ7gmj+/T0i5xBShfWN7elBkfpvHUjInJ/zBdCqRE="
+ },
+ {
+ "label": "StartCom_Certification_Authority_G2",
+ "binNumber": 124,
+ "sha256Fingerprint": "x7plZ96Tp5iuH6p5HnEtN4+uH5PEOX/qRBu3y+b9WZU="
+ },
+ {
+ "label": "Buypass_Class_2_Root_CA",
+ "binNumber": 125,
+ "sha256Fingerprint": "mhFAJRl8W7ldlOY9Vc1DeQhHtkayPN8RraSgDv8V+0g="
+ },
+ {
+ "label": "Buypass_Class_3_Root_CA",
+ "binNumber": 126,
+ "sha256Fingerprint": "7ffrvKJ6KjhNOHt9QBDGZuLttIQ+TCm0rh1bkzLmsk0="
+ },
+ {
+ "label": "T_TeleSec_GlobalRoot_Class_3",
+ "binNumber": 127,
+ "sha256Fingerprint": "/XPa0xxkT/G0O+8MzdqWcQuc2Ydeyn4xcHrz6W1SK70="
+ },
+ {
+ "label": "EE_Certification_Centre_Root_CA",
+ "binNumber": 128,
+ "sha256Fingerprint": "PoS6Q0KQhRbndXPAmS8JecoITkaFaB/xlcy6iiKbinY="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 129,
+ "sha256Fingerprint": "l4zZZvL6oHunqpUA2cAunXfyza2mrWunSvS5HGZZPFA="
+ },
+ {
+ "label": "D_TRUST_Root_Class_3_CA_2_2009",
+ "binNumber": 130,
+ "sha256Fingerprint": "SeekQqzw6mKHBQBUtSVktlDk9J5C40jWqjjgOelXscE="
+ },
+ {
+ "label": "D_TRUST_Root_Class_3_CA_2_EV_2009",
+ "binNumber": 131,
+ "sha256Fingerprint": "7sVJa5iM6YYluTQJLuwpCL7QsPMWwtRzDITq8fPTSIE="
+ },
+ {
+ "label": "PSCProcert",
+ "binNumber": 132,
+ "sha256Fingerprint": "PPw8FNH2hP8X44xDykQMALln7JM+i/4GTKHXLJDyrbA="
+ },
+ {
+ "label": "China_Internet_Network_Information_Center_EV_Certificates_Root",
+ "binNumber": 133,
+ "sha256Fingerprint": "HAHG9Nuy/vwiVYsryjJWP0mESs/DK3vksP9Zn56Mevc="
+ },
+ {
+ "label": "Swisscom_Root_CA_2",
+ "binNumber": 134,
+ "sha256Fingerprint": "8JsSLHEU9KCb1OpPSpnVWLRuTCXNgRQNKcBWE5FMOEE="
+ },
+ {
+ "label": "Swisscom_Root_EV_CA_2",
+ "binNumber": 135,
+ "sha256Fingerprint": "2V/qPKTu3OdM1251/G0f9ixEHw+ovHfwNLGeXbJYAV0="
+ },
+ {
+ "label": "CA_Disig_Root_R1",
+ "binNumber": 136,
+ "sha256Fingerprint": "+W8j9MPnnAd6RpiNWvWQBnag8DnLZF3RdUmyFsgkQM4="
+ },
+ {
+ "label": "CA_Disig_Root_R2",
+ "binNumber": 137,
+ "sha256Fingerprint": "4j1KA217cOn1lbFCIHnSuR7fux+2UaBjPqqKncX4BwM="
+ },
+ {
+ "label": "ACCVRAIZ1",
+ "binNumber": 138,
+ "sha256Fingerprint": "mm7AEuGn2p2+NBlNR4rXwNsYIvsHHfEpgUlu0QQ4QRM="
+ },
+ {
+ "label": "TWCA_Global_Root_CA",
+ "binNumber": 139,
+ "sha256Fingerprint": "WXaQB/doXQ/NUIcvn5XVdVpbK0V9gfNpK2EKmGcvDhs="
+ },
+ {
+ "label": "TeliaSonera_Root_CA_v1",
+ "binNumber": 140,
+ "sha256Fingerprint": "3Wk2/iH48HfBI6GlIcEiJPciVbc+A6cmBpPooksPo4k="
+ },
+ {
+ "label": "E_Tugra_Certification_Authority",
+ "binNumber": 141,
+ "sha256Fingerprint": "sL/VK7DX2b2Sv11NwT2iVcAsVC83g2XqiTkR9V5V8jw="
+ },
+ {
+ "label": "T_TeleSec_GlobalRoot_Class_2",
+ "binNumber": 142,
+ "sha256Fingerprint": "keL1eI1YEOunulhzfeFUio7KzQFFmLwLFD4EGxcFJVI="
+ },
+ {
+ "label": "Atos_TrustedRoot_2011",
+ "binNumber": 143,
+ "sha256Fingerprint": "81a+okS3qR6zXVPKmteGSs4Bji011fj5bd9opvQapHQ="
+ },
+ {
+ "label": "QuoVadis_Root_CA_1_G3",
+ "binNumber": 144,
+ "sha256Fingerprint": "ioZv0bJ2tX5XjpIcZYKKK+1Y6fLyiAVBNLfx9L/JzHQ="
+ },
+ {
+ "label": "QuoVadis_Root_CA_2_G3",
+ "binNumber": 145,
+ "sha256Fingerprint": "j+T7Cvk6TQ1n2wvrsj43xxvzJdy83SQOoE2vWLR+GEA="
+ },
+ {
+ "label": "QuoVadis_Root_CA_3_G3",
+ "binNumber": 146,
+ "sha256Fingerprint": "iO+B3iAusBhFLkP4ZHJc6l+9H8LZ0gVzBwnF2LhpD0Y="
+ },
+ {
+ "label": "DigiCert_Assured_ID_Root_G2",
+ "binNumber": 147,
+ "sha256Fingerprint": "fQXrtoIzn4yUUe4JTuv++nlToRTtsvRJSUUvq30vwYU="
+ },
+ {
+ "label": "DigiCert_Assured_ID_Root_G3",
+ "binNumber": 148,
+ "sha256Fingerprint": "fjfLi0xHCQyrNlUbpvRduEBoD7oWapUtsQBxf0MFP8I="
+ },
+ {
+ "label": "DigiCert_Global_Root_G2",
+ "binNumber": 149,
+ "sha256Fingerprint": "yzzLt2Ax5eATj43TmiP53kf/w15DwRRM6ifUalqxy18="
+ },
+ {
+ "label": "DigiCert_Global_Root_G3",
+ "binNumber": 150,
+ "sha256Fingerprint": "Ma1mSPgQQTjHOPOepDIBMzk+OhjMAilu+Xwqye9nMdA="
+ },
+ {
+ "label": "DigiCert_Trusted_Root_G4",
+ "binNumber": 151,
+ "sha256Fingerprint": "VS973PGnr55s5nIBf08Sq/dyQMeOdhrCA9HZ0grImYg="
+ },
+ {
+ "label": "Certification_Authority_of_WoSign",
+ "binNumber": 152,
+ "sha256Fingerprint": "SyLVpq7JnzzbeapewGg4R5zV7LpxZPfyLcHWX2PYVwg="
+ },
+ {
+ "label": "CA______",
+ "binNumber": 153,
+ "sha256Fingerprint": "1vA0vZSqIz8Cl+ykJFsoOXPkR6pZDzEMd/SP34MRIlQ="
+ },
+ {
+ "label": "COMODO_RSA_Certification_Authority",
+ "binNumber": 154,
+ "sha256Fingerprint": "UvDhxOWOxikpG2AxfwdGcbhdfqgNWwcnNGNTSzK0AjQ="
+ },
+ {
+ "label": "USERTrust_RSA_Certification_Authority",
+ "binNumber": 155,
+ "sha256Fingerprint": "55PJsC/YqhPiHDEiisywgRlkO3SciYlksXRtRsPUy9I="
+ },
+ {
+ "label": "USERTrust_ECC_Certification_Authority",
+ "binNumber": 156,
+ "sha256Fingerprint": "T/Rg1Uuchtq/vPxXEuBADSvtP7xNT72qhuBq3NKprXo="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 157,
+ "sha256Fingerprint": "vslJEcKVVnbbbApVCYbXbjugBWZ8RCyXYrT7t3PeIow="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 158,
+ "sha256Fingerprint": "F5+8FIo90A/STqE0WMxDv6f1nIGC14OlE/br7BAMiSQ="
+ },
+ {
+ "label": "Staat_der_Nederlanden_Root_CA___G3",
+ "binNumber": 159,
+ "sha256Fingerprint": "PE+wuVq4swAy9DK4b1Nf4XLBhdD9OYZYN882GH+m9Cg="
+ },
+ {
+ "label": "Staat_der_Nederlanden_EV_Root_CA",
+ "binNumber": 160,
+ "sha256Fingerprint": "TSSRQUz+lWdG7Ezvps9vcuKKEylDL52KkHrEy12twVo="
+ },
+ {
+ "label": "IdenTrust_Commercial_Root_CA_1",
+ "binNumber": 161,
+ "sha256Fingerprint": "XVZJm+TS4IvPytCKPjhyPVBQO95waUjkL1VgMBnlKK4="
+ },
+ {
+ "label": "IdenTrust_Public_Sector_Root_CA_1",
+ "binNumber": 162,
+ "sha256Fingerprint": "MNCJWppEiiYgkWNVItH1IBC1hnrK4Sx475WP1PQ4ny8="
+ },
+ {
+ "label": "Entrust_Root_Certification_Authority___G2",
+ "binNumber": 163,
+ "sha256Fingerprint": "Q99XdLA+f+9f5A2TGnvt8bsua0JzjE5tOEEQPTqn8zk="
+ },
+ {
+ "label": "Entrust_Root_Certification_Authority___EC1",
+ "binNumber": 164,
+ "sha256Fingerprint": "Au0OsowU2kUWXFZnkXANZFHX+1bwsqsdO46wcOVu3/U="
+ },
+ {
+ "label": "CFCA_EV_ROOT",
+ "binNumber": 165,
+ "sha256Fingerprint": "XMPXjk4dXkVUegTmhz5k+Qz5U20czC74APNVxMX9cP0="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H5",
+ "binNumber": 166,
+ "sha256Fingerprint": "STUbkDREwYXM3FxpPSTYVVyyCNaoFBMHaZ9K8GMZnXg="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H6",
+ "binNumber": 167,
+ "sha256Fingerprint": "jeeGVeG+f3hHgAuT9pTSHTaMwG4DPn+rBLteuZ2mtwA="
+ },
+ {
+ "label": "Certinomis___Root_CA",
+ "binNumber": 168,
+ "sha256Fingerprint": "Kpn1vBF0tzy7HWIIhOAcNOUcyzl42hJfDjMmiIO/QVg="
+ },
+ {
+ "label": "OISTE_WISeKey_Global_Root_GB_CA",
+ "binNumber": 169,
+ "sha256Fingerprint": "a5wI6G6w92fPrWXNmLYhSeVJSmf1hF570e0Bnye4a9Y="
+ },
+ {
+ "label": "Certification_Authority_of_WoSign_G2",
+ "binNumber": 170,
+ "sha256Fingerprint": "1Ielb4OwdILoXpYzlMHswsnlHQkD7pRrAsMBWB7ZnhY="
+ },
+ {
+ "label": "CA_WoSign_ECC_Root",
+ "binNumber": 171,
+ "sha256Fingerprint": "i0XaHAb3kesMq/Jr5Yj1+yMWXC5hS/iFVi0NzlCymwI="
+ },
+ {
+ "label": "SZAFIR_ROOT_CA2",
+ "binNumber": 172,
+ "sha256Fingerprint": "oTOdMygaC1blV9PTKxzn+TZ+sJS9X6cqflAEyN7Xyv4="
+ },
+ {
+ "label": "Certum_Trusted_Network_CA_2",
+ "binNumber": 173,
+ "sha256Fingerprint": "tnby7drod1zTbLD2PNHUYDlh9J5iZboBOi8DB7bQuAQ="
+ },
+ {
+ "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2015",
+ "binNumber": 174,
+ "sha256Fingerprint": "oECSmgLOU7Ss9PL/xpgc5ElvdV5tRf4LKmkrzVJSPzY="
+ },
+ {
+ "label": "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015",
+ "binNumber": 175,
+ "sha256Fingerprint": "RLVFqool5lpzyhXcJ/w20kwcuZU6BmU5sRWC3Eh7SDM="
+ },
+ {
+ "label": "Certplus_Root_CA_G1",
+ "binNumber": 176,
+ "sha256Fingerprint": "FSpAK/zfLNVIBU0idbOcf8o+wJeAeLDw6nblYabHQz4="
+ },
+ {
+ "label": "Certplus_Root_CA_G2",
+ "binNumber": 177,
+ "sha256Fingerprint": "bMBQQeZEXnRpbEz7yfgPVDt+q7tEtM5veHxqmXHELxc="
+ },
+ {
+ "label": "OpenTrust_Root_CA_G1",
+ "binNumber": 178,
+ "sha256Fingerprint": "VsdxKNmMGNkbTP3/vCXukQPUdY6iq62CapDzRX1GDrQ="
+ },
+ {
+ "label": "OpenTrust_Root_CA_G2",
+ "binNumber": 179,
+ "sha256Fingerprint": "J5lYKf5qdRXBv+hI+cR2HbFsIlkpJXv0DQiU8p6ouvI="
+ },
+ {
+ "label": "OpenTrust_Root_CA_G3",
+ "binNumber": 180,
+ "sha256Fingerprint": "t8NiMXBugQeMNny4lhmPHjII3ZJpSd2PVwmkEPdbYpI="
+ },
+ {
+ "label": "ISRG_Root_X1",
+ "binNumber": 181,
+ "sha256Fingerprint": "lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY="
+ },
+ {
+ "label": "OU_AC_RAIZ_FNMT_RCM_O_FNMT_RCM_C_ES",
+ "binNumber": 182,
+ "sha256Fingerprint": "68VXDCkBjE1nsaoSe68S9wO0YR68F7fatVc4lBebk/o="
+ },
+ {
+ "label": "Amazon_Root_CA_1",
+ "binNumber": 183,
+ "sha256Fingerprint": "js3miE89h7ESW6Maw/yxPXAW3n9XzJBP4cuXxq6YGW4="
+ },
+ {
+ "label": "Amazon_Root_CA_2",
+ "binNumber": 184,
+ "sha256Fingerprint": "G6WyqoxlQBqClgEY+AvsT2IwTYPOxHE6GcOcAR6kbbQ="
+ },
+ {
+ "label": "Amazon_Root_CA_3",
+ "binNumber": 185,
+ "sha256Fingerprint": "GM5s/nvxTmCy40e43+hoyzHQLrs62icVafUDQ7Rts6Q="
+ },
+ {
+ "label": "Amazon_Root_CA_4",
+ "binNumber": 186,
+ "sha256Fingerprint": "410oQZ7QICXPppA4zWI5YkWNpcaV+96jwisL+yWJcJI="
+ },
+ {
+ "label": "LuxTrust_Global_Root_2",
+ "binNumber": 187,
+ "sha256Fingerprint": "VEVfcSnCCxRHxBj5lxaPJMWPxQI79dpb4utuHdiQLtU="
+ },
+ {
+ "label": "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi___Surum_1",
+ "binNumber": 188,
+ "sha256Fingerprint": "Ru3DaJBG1TpFP7MQSrgNyuxliyZg6hYp3X6GeZBkhxY="
+ },
+ {
+ "label": "GDCA_TrustAUTH_R5_ROOT",
+ "binNumber": 189,
+ "sha256Fingerprint": "v/+P0EQzSH1qiqYMGil2ep/Cu7BeQg9xOhO5kokdOJM="
+ },
+ {
+ "label": "TrustCor_RootCert_CA_1",
+ "binNumber": 190,
+ "sha256Fingerprint": "1A6chs2P5GjBd2lZ9J6ndPpUhoS2xAbzkJJh9NziV1w="
+ },
+ {
+ "label": "TrustCor_RootCert_CA_2",
+ "binNumber": 191,
+ "sha256Fingerprint": "B1PpQDeMG9Xjg245Xa6ly4OeUEbxvQ6uGVHPEP7HyWU="
+ },
+ {
+ "label": "TrustCor_ECA_1",
+ "binNumber": 192,
+ "sha256Fingerprint": "WohdsZwB2RLFdZOIk4yvu98DGrLUjpHuFVibQpcdA5w="
+ },
+ {
+ "label": "SSL_com_Root_Certification_Authority_RSA",
+ "binNumber": 193,
+ "sha256Fingerprint": "hWZqVi7gvlzpJcHYiQpvdqh+wW1NfV8p6nQZzyASO2k="
+ },
+ {
+ "label": "SSL_com_Root_Certification_Authority_ECC",
+ "binNumber": 194,
+ "sha256Fingerprint": "NBe7BsxgB9oblhySC4q0zj+tgg5Kowuay8SnTr3OvGU="
+ },
+ {
+ "label": "SSL_com_EV_Root_Certification_Authority_RSA_R2",
+ "binNumber": 195,
+ "sha256Fingerprint": "LnvxbMIkhae74qqGlnUHYbCuOb47L+nQzG1O9zSRQlw="
+ },
+ {
+ "label": "SSL_com_EV_Root_Certification_Authority_ECC",
+ "binNumber": 196,
+ "sha256Fingerprint": "IqLB973tcEzB5wG19AjDEIgP6Va13ipKRPmchzolp8g="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 197,
+ "sha256Fingerprint": "LKvq/jfQbKIqunORwAM9JZgpUsRTZHNJdjo6ta1sz2k="
+ },
+ {
+ "label": "OISTE_WISeKey_Global_Root_GC_CA",
+ "binNumber": 198,
+ "sha256Fingerprint": "hWD5HDYk2rqVcLX+oNvjb/EagyO+lIaFT7PzSlVxGY0="
+ },
+ {
+ "label": "GTS_Root_R1",
+ "binNumber": 199,
+ "sha256Fingerprint": "KldUceMTQLwhWBy9LPE+FYRjID7OlLz508wZa/CaVHI="
+ },
+ {
+ "label": "GTS_Root_R2",
+ "binNumber": 200,
+ "sha256Fingerprint": "xF17sI5tZ+YuQjURC1ZOX3j9ku8FjIQK6k5kVddYXGA="
+ },
+ {
+ "label": "GTS_Root_R3",
+ "binNumber": 201,
+ "sha256Fingerprint": "FdW4d0YZ6n1Uzhym0LDEA+A3qRfxMeigTh5renG6vOU="
+ },
+ {
+ "label": "GTS_Root_R4",
+ "binNumber": 202,
+ "sha256Fingerprint": "ccylOR+eeUsEgCUws2PhIdqKMEO7JmYv6k3Kf8lRpL0="
+ },
+ {
+ "label": "UCA_Global_G2_Root",
+ "binNumber": 203,
+ "sha256Fingerprint": "m+oRyXb+AUdkwb5WpvkUtaVgMXq9mYg5M4LlFhqgSTw="
+ },
+ {
+ "label": "UCA_Extended_Validation_Root",
+ "binNumber": 204,
+ "sha256Fingerprint": "1Dr5s1RzdVyWhPwG19jLcO5cKOdz+ylOtB7nFyKSTSQ="
+ },
+ {
+ "label": "Certigna_Root_CA",
+ "binNumber": 205,
+ "sha256Fingerprint": "1I09I+7bUKRZ5VGXYBwnd0udexjJTVoFlRGhAlC5MWg="
+ },
+ {
+ "label": "emSign_Root_CA___G1",
+ "binNumber": 206,
+ "sha256Fingerprint": "QPavA0apmqHNHVVaTpzOYsf5Y0YD7kBmFYM9yMjQA2c="
+ },
+ {
+ "label": "emSign_ECC_Root_CA___G3",
+ "binNumber": 207,
+ "sha256Fingerprint": "hqHsugicSo07vic0xhK6NB2BPgQ8+eioYs1cV6Nrvms="
+ },
+ {
+ "label": "emSign_Root_CA___C1",
+ "binNumber": 208,
+ "sha256Fingerprint": "ElYJqjAdoKJJuXqCOctqNCFvRNysnzlUsUKS8ujIYI8="
+ },
+ {
+ "label": "emSign_ECC_Root_CA___C3",
+ "binNumber": 209,
+ "sha256Fingerprint": "vE2AmxUYnXjbPh2M9PlyanldoWQ8pfE1jh3bDtwNfrM="
+ },
+ {
+ "label": "Hongkong_Post_Root_CA_3",
+ "binNumber": 210,
+ "sha256Fingerprint": "Wi/APwyDsJC7+kBgSwmIRGx2Nhg9+YRuFxAaRH+479Y="
+ },
+ {
+ "label": "Entrust_Root_Certification_Authority___G4",
+ "binNumber": 211,
+ "sha256Fingerprint": "2zUX0fZzKi1auXxTPscHee4ycKYvtKxCODckYObwHog="
+ },
+ {
+ "label": "Microsoft_ECC_Root_Certificate_Authority_2017",
+ "binNumber": 212,
+ "sha256Fingerprint": "NY3znXZK+eG3ZunJct81LuFc+sInr2rR1w6OSm7cugI="
+ },
+ {
+ "label": "Microsoft_RSA_Root_Certificate_Authority_2017",
+ "binNumber": 213,
+ "sha256Fingerprint": "x0H3D0sqjYi/LnHBQSLvU+8Q66DPpeZM+iD0GIUwc+A="
+ },
+ {
+ "label": "e_Szigno_Root_CA_2017",
+ "binNumber": 214,
+ "sha256Fingerprint": "vrALMIObm8MsMuREeQWVBkHyZCGxXtCJGYtRiuLqG5k="
+ },
+ {
+ "label": "OU_certSIGN_ROOT_CA_G2_O_CERTSIGN_SA_C_RO",
+ "binNumber": 215,
+ "sha256Fingerprint": "ZXz+L6c/qjhGJXHzMqI2Okb85wIJUXEHAs37tu7aMwU="
+ },
+ {
+ "label": "Trustwave_Global_Certification_Authority",
+ "binNumber": 216,
+ "sha256Fingerprint": "l1UgFfXd/DyHiMAGlEVVQIiURQCE8QCGcIa8Giu1jcg="
+ },
+ {
+ "label": "Trustwave_Global_ECC_P256_Certification_Authority",
+ "binNumber": 217,
+ "sha256Fingerprint": "lFu8gl6lVPSJ0f1Rpz3fLqYkrHAZoFIFIlwip4zPqLQ="
+ },
+ {
+ "label": "Trustwave_Global_ECC_P384_Certification_Authority",
+ "binNumber": 218,
+ "sha256Fingerprint": "VZA4WcjAw+u4dZ7OTiVXIl/1dYu9OOvUgnZgHhvVgJc="
+ },
+ {
+ "label": "NAVER_Global_Root_Certification_Authority",
+ "binNumber": 219,
+ "sha256Fingerprint": "iPQ43Pj/0fqPQpEV/+X4KuHgbgxww3X6rXF7NKSecmU="
+ },
+ {
+ "label": "AC_RAIZ_FNMT_RCM_SERVIDORES_SEGUROS",
+ "binNumber": 220,
+ "sha256Fingerprint": "VUFTsT0s+d23U7++Gk4K4I0KpBhwWP5gorhisuS4e8s="
+ },
+ {
+ "label": "GlobalSign_Root_R46",
+ "binNumber": 221,
+ "sha256Fingerprint": "T6MSbY06EdHEhVpPgHy61s+RnTpaiLA76ixjctk8QMk="
+ },
+ {
+ "label": "GlobalSign_Root_E46",
+ "binNumber": 222,
+ "sha256Fingerprint": "y7nETYS4BD4QUOoxpp9RSVXXv9LixrSTAQGa1h2fUFg="
+ },
+ {
+ "label": "GLOBALTRUST_2020",
+ "binNumber": 223,
+ "sha256Fingerprint": "milqUYLR1FGi439Dm3Tar6JnUjMp+Q+aDSAHwzTiPJo="
+ },
+ {
+ "label": "ANF_Secure_Server_Root_CA",
+ "binNumber": 224,
+ "sha256Fingerprint": "+4/sdZFpuRBrHlEWRMYYxRMENz9sBkMIjYvv/RuZdZk="
+ },
+ {
+ "label": "Certum_EC_384_CA",
+ "binNumber": 225,
+ "sha256Fingerprint": "azKAhWJTGKpQ0XPJjYvaCdV+J0E9EUz3h6D10GwDDPY="
+ },
+ {
+ "label": "Certum_Trusted_Root_CA",
+ "binNumber": 226,
+ "sha256Fingerprint": "/naWVzhVdz43qV561NnMlsMBV8FdMXZbqbFXBOGueP0="
+ },
+ {
+ "label": "TunTrust_Root_CA",
+ "binNumber": 227,
+ "sha256Fingerprint": "LkQQKrWMuFQZRRyOGdms82Ysr7xhS2pTlgow99Di60E="
+ },
+ {
+ "label": "HARICA_TLS_RSA_Root_CA_2021",
+ "binNumber": 228,
+ "sha256Fingerprint": "2V0Ojtp5Ulv5vrEbFNIQDTKUmF8MYtn6vZzZmezLex0="
+ },
+ {
+ "label": "HARICA_TLS_ECC_Root_CA_2021",
+ "binNumber": 229,
+ "sha256Fingerprint": "P5nMR0rPzk3+1YeUZl5HjRVHc58ueA8btMqbEzCX1AE="
+ },
+ {
+ "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068",
+ "binNumber": 230,
+ "sha256Fingerprint": "V94Fg+/Ssm4DYdqZ2p30ZI3vfuhEHDtyivqbzeD5smo="
+ },
+ {
+ "label": "vTrus_ECC_Root_CA",
+ "binNumber": 231,
+ "sha256Fingerprint": "MPu6LDIjjiqYVHr5eTHlUEKLmz8cjutmM9z6hsWyfdM="
+ },
+ {
+ "label": "vTrus_Root_CA",
+ "binNumber": 232,
+ "sha256Fingerprint": "inHeZVkzb0JsJuU4gNANiKGNpMapHw3LYZTiBsXJY4c="
+ },
+ {
+ "label": "ISRG_Root_X2",
+ "binNumber": 233,
+ "sha256Fingerprint": "aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA="
+ },
+ {
+ "label": "HiPKI_Root_CA___G1",
+ "binNumber": 234,
+ "sha256Fingerprint": "8BXOPMI5v+8GS+nx0sQX4aAmSgqUvh8MjRIYZOtpScw="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 235,
+ "sha256Fingerprint": "sIXXC5ZPGRpz5K8NVK56Dgeq/a+bcd0IYhOKtzJaJKI="
+ },
+ {
+ "label": "GTS_Root_R1",
+ "binNumber": 236,
+ "sha256Fingerprint": "2UdDKr3nt/qQ/C5rWRAbEoDg4cfk5A+jxoh//1en9M8="
+ },
+ {
+ "label": "GTS_Root_R2",
+ "binNumber": 237,
+ "sha256Fingerprint": "jSXNlyKdv3A1a9pOs8xzQDHiTPAPr8/TLcdutYQcfqg="
+ },
+ {
+ "label": "GTS_Root_R3",
+ "binNumber": 238,
+ "sha256Fingerprint": "NNinPuII2bzbDZVlIJNLTkDmlIJZbotvc8hCawEKb0g="
+ },
+ {
+ "label": "GTS_Root_R4",
+ "binNumber": 239,
+ "sha256Fingerprint": "NJ36QFjF4mMSOzmK55VXPE4TE8g/5o+TVWzV6AMbPH0="
+ },
+ {
+ "label": "Telia_Root_CA_v2",
+ "binNumber": 240,
+ "sha256Fingerprint": "JCtpdC/LHlsqv5iJi5RXIYdUTltNmRF4ZXNiH2p0uCw="
+ },
+ {
+ "label": "D_TRUST_BR_Root_CA_1_2020",
+ "binNumber": 241,
+ "sha256Fingerprint": "5ZqqgWAJwiv/WyW6033zBvBJeXwfgdhasInmV72PAEQ="
+ },
+ {
+ "label": "D_TRUST_EV_Root_CA_1_2020",
+ "binNumber": 242,
+ "sha256Fingerprint": "CBcNGqNkU5AaL5WSReNH2wyNN6uqvFa4GqEA3JWJcNs="
+ },
+ {
+ "label": "DigiCert_TLS_ECC_P384_Root_G5",
+ "binNumber": 243,
+ "sha256Fingerprint": "AY4T8HclMs+Am9GxcoGGcoP8SMbhO+nGmBKFSkkMGwU="
+ },
+ {
+ "label": "DigiCert_TLS_RSA4096_Root_G5",
+ "binNumber": 244,
+ "sha256Fingerprint": "NxoA3AUzs3IafutA6EGecHmdKwoPLB2AaTFl987ErXU="
+ },
+ {
+ "label": "Certainly_Root_R1",
+ "binNumber": 245,
+ "sha256Fingerprint": "d7gs2GRMQwX3rMXLFWtFZ1AEAz1RxgxiAqjgwzRn06A="
+ },
+ {
+ "label": "Certainly_Root_E1",
+ "binNumber": 246,
+ "sha256Fingerprint": "tFhfIuSsdWpOhhKhNhxdnQMak/2E/rt3j6MGiw/ELcI="
+ },
+ {
+ "label": "E_Tugra_Global_Root_CA_RSA_v3",
+ "binNumber": 247,
+ "sha256Fingerprint": "72awsQo8258uNkjHa9KvGOrSv+bxF2VeKMQGDaGj9MI="
+ },
+ {
+ "label": "E_Tugra_Global_Root_CA_ECC_v3",
+ "binNumber": 248,
+ "sha256Fingerprint": "hz9Ghfp/VjYlJS5tNrzX8W/CSVHyZOR+G5VPSQjNyhM="
+ },
+ {
+ "label": "Security_Communication_RootCA3",
+ "binNumber": 249,
+ "sha256Fingerprint": "JKVcKrBRRC0GF3ZlQSOaStAy18VRdao0/94vvE9cUpQ="
+ },
+ {
+ "label": "Security_Communication_ECC_RootCA1",
+ "binNumber": 250,
+ "sha256Fingerprint": "50+9pVvVZMRzo2tEGqeZyKaOB3RA6CiLn6HlDku6yhE="
+ },
+ {
+ "label": "BJCA_Global_Root_CA2",
+ "binNumber": 251,
+ "sha256Fingerprint": "V032kx4ngDlme3IK/cFgD8J+tm3TCSl5+3OFZIchKII="
+ },
+ {
+ "label": "BJCA_Global_Root_CA1",
+ "binNumber": 252,
+ "sha256Fingerprint": "84lviP58CognZqf6atJ0n7V6fz6Y+3acH6ewnCxE1a4="
+ },
+ {
+ "label": "Sectigo_Public_Server_Authentication_Root_R46",
+ "binNumber": 253,
+ "sha256Fingerprint": "e7ZHpirurIi/JXqlItAf/qOV4KtFxz+T9lZU7DjyWgY="
+ },
+ {
+ "label": "Sectigo_Public_Server_Authentication_Root_E46",
+ "binNumber": 254,
+ "sha256Fingerprint": "yQ8m8PsbQBiyIidRm1yitT4spbO+XPGO/hvvRzgMU4M="
+ },
+ {
+ "label": "SSL_com_TLS_RSA_Root_CA_2022",
+ "binNumber": 255,
+ "sha256Fingerprint": "j699Liy0cJu44LM2Zr91pd1Ftd5ID46o1L/mvrwX8u0="
+ },
+ {
+ "label": "SSL_com_TLS_ECC_Root_CA_2022",
+ "binNumber": 256,
+ "sha256Fingerprint": "wy/9n0b5NtFsNnOZCVlDS5rWCq+7nnzzNlTxRMwboUM="
+ },
+ {
+ "label": "Atos_TrustedRoot_Root_CA_RSA_TLS_2021",
+ "binNumber": 257,
+ "sha256Fingerprint": "gakIjqWfs2TFSKb4VVkJm28EBe+/GOUyTsn0V7oAES8="
+ },
+ {
+ "label": "Atos_TrustedRoot_Root_CA_ECC_TLS_2021",
+ "binNumber": 258,
+ "sha256Fingerprint": "svrlPhTM16uSEgZHAa4nnB2JiPrLd1+ooAiRTmY5iKg="
+ },
+ {
+ "label": "TrustAsia_Global_Root_CA_G4",
+ "binNumber": 259,
+ "sha256Fingerprint": "vktWy1BWwBNqUm30RFCNqjagtU9C5Kw49yr0cOR5ZUw="
+ },
+ {
+ "label": "TrustAsia_Global_Root_CA_G3",
+ "binNumber": 260,
+ "sha256Fingerprint": "4NMiausRY8Lkj/m+O1C0xkMb57serMXDa11exQkDmgg="
+ },
+ {
+ "label": "CommScope_Public_Trust_RSA_Root_02",
+ "binNumber": 261,
+ "sha256Fingerprint": "/+lD15NCS098RAwcPWSNU2PzS4Lch6p6nxGPxd7hAfE="
+ },
+ {
+ "label": "CommScope_Public_Trust_RSA_Root_01",
+ "binNumber": 262,
+ "sha256Fingerprint": "Ar35bipF3Zvxj8fh298hoDebo8nCYQNEz9jWBv7B7YE="
+ },
+ {
+ "label": "CommScope_Public_Trust_ECC_Root_02",
+ "binNumber": 263,
+ "sha256Fingerprint": "L/t/gTu7s8iatOgWLQ8W1xUJqDDMnXPCYuUUCHXRrUo="
+ },
+ {
+ "label": "CommScope_Public_Trust_ECC_Root_01",
+ "binNumber": 264,
+ "sha256Fingerprint": "EUN82nu0XkE2X0WzmjiYaw3gDe80jgx7sIc2M4ALw4s="
+ },
+ {
+ "label": "Telekom_Security_TLS_RSA_Root_2023",
+ "binNumber": 265,
+ "sha256Fingerprint": "78ZcrbtZrbbv6E2iIxGzViS3GzseoNqLZlUXTsiXhkY="
+ },
+ {
+ "label": "Telekom_Security_TLS_ECC_Root_2020",
+ "binNumber": 266,
+ "sha256Fingerprint": "V4r03tCFP05ZmNtK6vnL6o2UX2C2IKONGjwTsrx7qOE="
+ }
+ ],
+ "maxBin": 266
+} \ No newline at end of file
diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
new file mode 100644
index 0000000000..9ea773de31
--- /dev/null
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -0,0 +1,207 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// The top-level element is a dictionary with two keys: "pinsets" maps details
+// of certificate pinning to a name and "entries" contains the HPKP details for
+// each host.
+//
+// "pinsets" is a list of objects. Each object has the following members:
+// name: (string) the name of the pinset
+// sha256_hashes: (list of strings) the set of allowed SPKIs hashes
+//
+// For a given pinset, a certificate is accepted if at least one of the
+// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
+// as names, which must match up with the name given in the Mozilla root store.
+//
+// "entries" is a list of objects. Each object has the following members:
+// name: (string) the DNS name of the host in question
+// include_subdomains: (optional bool) whether subdomains of |name| are also covered
+// pins: (string) the |name| member of an object in |pinsets|
+//
+// "extra_certificates" is a list of base64-encoded certificates. These are used in
+// pinsets that reference certificates not in our root program (for example,
+// Facebook or intermediate CA certs).
+
+{
+ "chromium_data" : {
+ "cert_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static.pins?format=TEXT",
+ "json_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static_pins.json?format=TEXT",
+ "substitute_pinsets": {
+ // Use the larger google_root_pems pinset instead of google
+ "google": "google_root_pems"
+ },
+ "production_pinsets": [
+ "google_root_pems",
+ "facebook",
+ "ncsccs"
+ ],
+ "production_domains": [
+ // Chrome's test domains.
+ "pinningtest.appspot.com",
+ "pinning-test.badssl.com",
+ // Tor
+ "torproject.org",
+ "blog.torproject.org",
+ "check.torproject.org",
+ "dist.torproject.org",
+ "www.torproject.org",
+ // SpiderOak
+ "spideroak.com"
+ ],
+ "exclude_domains" : []
+ },
+ "pinsets": [
+ {
+ "name": "mozilla_services",
+ "sha256_hashes": [
+ // Current Digicert root hierarchy (G1)
+ // Digicert is migrating users off this root hierarchy
+ // https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html
+ "DigiCert Global Root CA",
+ "DigiCert High Assurance EV Root CA",
+ // New Digicert root hierarchy (G2)
+ // Digicert is migrating users to this root hierarchy
+ // https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html
+ "DigiCert Global Root G2",
+ // Future Digicert root hierarchy (G5)
+ // Digicert will be switching to this root hierarchy in the future
+ // https://knowledge.digicert.com/generalinformation/digicert-g5-root-and-intermediate-ca-certificate-migration.html
+ "DigiCert TLS ECC P384 Root G5",
+ "DigiCert TLS RSA4096 Root G5",
+ // Current Let’s Encrypt root hierachy
+ // https://letsencrypt.org/certificates/
+ "ISRG Root X1"
+ ]
+ },
+ // For pinning tests on pinning.example.com, the certificate must be 'End
+ // Entity Test Cert'
+ {
+ "name": "mozilla_test",
+ "sha256_hashes": [
+ "End Entity Test Cert"
+ ]
+ },
+ // Google's root PEMs. Chrome pins only to their intermediate certs, but
+ // they'd like us to be more liberal. For the initial list, we are using
+ // the certs from https://pki.google.com/roots.pem.
+ // We have no built-in for commented out CAs.
+ // This list should be updated via the dumpGoogleRoots.js script.
+ {
+ "name": "google_root_pems",
+ "sha256_hashes": [
+ "AffirmTrust Commercial",
+ "AffirmTrust Networking",
+ "AffirmTrust Premium",
+ "AffirmTrust Premium ECC",
+ "Baltimore CyberTrust Root",
+ "Comodo AAA Services root",
+ "COMODO Certification Authority",
+ "COMODO ECC Certification Authority",
+ "COMODO RSA Certification Authority",
+ "DigiCert Assured ID Root CA",
+ "DigiCert Assured ID Root G2",
+ "DigiCert Assured ID Root G3",
+ "DigiCert Global Root CA",
+ "DigiCert Global Root G2",
+ "DigiCert Global Root G3",
+ "DigiCert High Assurance EV Root CA",
+ "DigiCert Trusted Root G4",
+ "Entrust Root Certification Authority",
+ "Entrust Root Certification Authority - EC1",
+ "Entrust Root Certification Authority - G2",
+ "Entrust.net Premium 2048 Secure Server CA",
+ "GlobalSign ECC Root CA - R4",
+ "GlobalSign ECC Root CA - R5",
+ "GlobalSign Root CA",
+ "GlobalSign Root CA - R3",
+ "GlobalSign Root CA - R6",
+ "Go Daddy Class 2 CA",
+ "Go Daddy Root Certificate Authority - G2",
+ "GTS Root R1",
+ "GTS Root R2",
+ "GTS Root R3",
+ "GTS Root R4",
+ "Starfield Class 2 CA",
+ "Starfield Root Certificate Authority - G2",
+ "USERTrust ECC Certification Authority",
+ "USERTrust RSA Certification Authority"
+ ]
+ }
+ // The list above should be updated via the dumpGoogleRoots.js script.
+ ],
+
+ "entries": [
+ // Only domains that are operationally crucial to Firefox can have per-host
+ // telemetry reporting (the "id") field
+ { "name": "addons.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 1 },
+ { "name": "addons.mozilla.net", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 2 },
+ // AUS servers MUST remain in test mode
+ // see: https://bugzilla.mozilla.org/show_bug.cgi?id=1301956#c23
+ { "name": "aus4.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 3 },
+ { "name": "aus5.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 7 },
+ // Catchall for applications hosted under firefox.com
+ // see https://bugzilla.mozilla.org/show_bug.cgi?id=1494431
+ { "name": "firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 15 },
+ // Firefox Accounts & sync
+ // superseded by catchall for firefox.com, but leaving for tracking
+ { "name": "accounts.firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 4 },
+ { "name": "api.accounts.firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 5 },
+ { "name": "sync.services.mozilla.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 13 },
+ // Catch-all for all CDN resources, including product delivery
+ // Telemetry IDs added in bug 1521983.
+ { "name": "cdn.mozilla.net", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 16 },
+ { "name": "cdn.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 17 },
+ { "name": "download.mozilla.org", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 14 },
+ // Catch-all for everything hosted under services.mozilla.com
+ { "name": "services.mozilla.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 6 },
+ // Catch-all for everything hosted under telemetry.mozilla.org
+ // MUST remain in test mode in order to receive telemetry on broken pins
+ { "name": "telemetry.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 8 },
+ // Test Pilot
+ // superseded by catchall for firefox.com, but leaving for tracking
+ { "name": "testpilot.firefox.com", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 9 },
+ // Crash report sites
+ { "name": "crash-reports.mozilla.com", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 10 },
+ { "name": "crash-reports-xpsp2.mozilla.com", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 11 },
+ { "name": "crash-stats.mozilla.org", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 12 },
+ { "name": "include-subdomains.pinning.example.com",
+ "include_subdomains": true, "pins": "mozilla_test",
+ "test_mode": false },
+ // Example domain to collect per-host stats for telemetry tests.
+ { "name": "exclude-subdomains.pinning.example.com",
+ "include_subdomains": false, "pins": "mozilla_test",
+ "test_mode": false },
+ { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+ "pins": "mozilla_test", "test_mode": true }
+ ],
+ // When pinning to non-root certs, like intermediates,
+ // place the PEM of the pinned certificate in this array
+ // so Firefox can find the subject DN and public key
+ "extra_certificates": [
+ // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
+ // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
+ "MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrXNSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHlNpi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7DcGu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgzuEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGxA/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRMUM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOuOsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vwp7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKRPB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5brUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt",
+ // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4
+ // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
+ "MIIFjTCCA3WgAwIBAgIRAJObmZ6kjhYNW0JZtD0gE9owDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0NDM0WhcNMjExMDA2MTU0NDM0WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhJHRCe7eRMdlz/ziq2M5EXLc5CtxErg29RbmXN2evvVBPX9MQVGv3QdqOY+ZtW8DoQKmMQfzRA4n/YmEJYNYHBXiakL0aZD5P3M93L4lry2evQU3FjQDAa/6NhNy18pUxqOj2kKBDSpN0XLM+Q2lLiSJHdFE+mWTDzSQB+YQvKHcXIqfdw2wITGYvN3TFb5OOsEY3FmHRUJjIsA9PWFN8rPbaLZZhUK1D3AqmT561Urmcju9O30azMdwg/GnCoyB1Puw4GzZOZmbS3/VmpJMve6YOlD5gPUpLHG+6tE0cPJFYbi9NxNpw2+0BOXbASefpNbUUBpDB5ZLiEP1rubSFAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBTFsatOTLHNZDCTfsGEmQWr5gPiJTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBAF4tI1yGjZgld9lP01+zftU3aSV0un0d2GKUMO7GxvwTLWAKQz/eT+u3J4+GvpD+BMfopIxkJcDCzMChjjZtZZwJpIY7BatVrO6OkEmaRNITtbZ/hCwNkUnbk3C7EG3OGJZlo9b2wzA8v9WBsPzHpTvLfOr+dS57LLPZBhp3ArHaLbdk33lIONRPt9sseDEkmdHnVmGmBRf4+J0Wy67mddOvz5rHH8uzY94raOayf20gzzcmqmot4hPXtDG4Y49MoFMMT2kcWck3EOTAH6QiGWkGJ7cxMfSL3S0niA6wgFJtfETETOZu8AVDgENgCJ3DS0bz/dhVKvs3WRkaKuuR/W0nnC2VDdaFj4+CRF8LGtn/8ERaH48TktH5BDyDVcF9zfJ75Scxcy23jAL2N6w3n/t3nnqoXt9Im4FprDr+mP1g2Z6Lf2YA0jE3kZalgZ6lNHu4CmvJYoOTSJw9X2qlGl1K+B4U327rG1tRxgjM76pN6lIS02PMECoyKJigpOSBu4V8+LVaUMezCJH9Qf4EKeZTHddQ1t96zvNd2s9ewSKx/DblXbKsBDzIdHJ+qi6+F9DIVM5/ICdtDdulOO+dr/BXB+pBZ3uVxjRANvJKKpdxkePyluITSNZHbanWRN07gMvwBWOL060i4VrL9er1sBQrRjU9iNpZQGTnLVAxQVFu"
+ ]
+}
diff --git a/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py b/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py
new file mode 100644
index 0000000000..05e0842e2a
--- /dev/null
+++ b/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py
@@ -0,0 +1,156 @@
+#!/usr/bin/env python3
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+This utility takes a series of https://crt.sh/ identifiers and writes to
+stdout all of those certs' distinguished name or SPKI fields in hex, with an
+array of all those. You'll need to post-process this list to handle any
+duplicates.
+
+Requires Python 3.
+"""
+import argparse
+import io
+import re
+import sys
+
+import requests
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.x509.oid import NameOID
+from pyasn1.codec.der import decoder, encoder
+from pyasn1_modules import pem, rfc5280
+
+assert sys.version_info >= (3, 2), "Requires Python 3.2 or later"
+
+
+def hex_string_for_struct(bytes):
+ return ["0x{:02X}".format(x) for x in bytes]
+
+
+def hex_string_human_readable(bytes):
+ return ["{:02X}".format(x) for x in bytes]
+
+
+def nameOIDtoString(oid):
+ if oid == NameOID.COUNTRY_NAME:
+ return "C"
+ if oid == NameOID.COMMON_NAME:
+ return "CN"
+ if oid == NameOID.LOCALITY_NAME:
+ return "L"
+ if oid == NameOID.ORGANIZATION_NAME:
+ return "O"
+ if oid == NameOID.ORGANIZATIONAL_UNIT_NAME:
+ return "OU"
+ raise Exception("Unknown OID: {}".format(oid))
+
+
+def print_block(pemData, identifierType="DN", crtshId=None):
+ substrate = pem.readPemFromFile(io.StringIO(pemData.decode("utf-8")))
+ cert, _ = decoder.decode(substrate, asn1Spec=rfc5280.Certificate())
+ octets = None
+
+ if identifierType == "DN":
+ der_subject = encoder.encode(cert["tbsCertificate"]["subject"])
+ octets = hex_string_for_struct(der_subject)
+ elif identifierType == "SPKI":
+ der_spki = encoder.encode(cert["tbsCertificate"]["subjectPublicKeyInfo"])
+ octets = hex_string_for_struct(der_spki)
+ else:
+ raise Exception("Unknown identifier type: " + identifierType)
+
+ cert = x509.load_pem_x509_certificate(pemData, default_backend())
+ common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0]
+ block_name = "CA{}{}".format(
+ re.sub(r"[-:=_. ]", "", common_name.value), identifierType
+ )
+
+ fingerprint = hex_string_human_readable(cert.fingerprint(hashes.SHA256()))
+
+ dn_parts = [
+ "/{id}={value}".format(id=nameOIDtoString(part.oid), value=part.value)
+ for part in cert.subject
+ ]
+ distinguished_name = "".join(dn_parts)
+
+ print("// {dn}".format(dn=distinguished_name))
+ print("// SHA256 Fingerprint: " + ":".join(fingerprint[:16]))
+ print("// " + ":".join(fingerprint[16:]))
+ if crtshId:
+ print("// https://crt.sh/?id={crtsh} (crt.sh ID={crtsh})".format(crtsh=crtshId))
+ print("static const uint8_t {}[{}] = ".format(block_name, len(octets)) + "{")
+
+ while len(octets) > 0:
+ print(" " + ", ".join(octets[:13]) + ",")
+ octets = octets[13:]
+
+ print("};")
+ print()
+
+ return block_name
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "-spki",
+ action="store_true",
+ help="Create a list of subject public key info fields",
+ )
+ parser.add_argument(
+ "-dn",
+ action="store_true",
+ help="Create a list of subject distinguished name fields",
+ )
+ parser.add_argument("-listname", help="Name of the final DataAndLength block")
+ parser.add_argument(
+ "certId", nargs="+", help="A list of PEM files on disk or crt.sh IDs"
+ )
+ args = parser.parse_args()
+
+ if not args.dn and not args.spki:
+ parser.print_help()
+ raise Exception("You must select either DN or SPKI matching")
+
+ blocks = []
+
+ print(
+ "// Script from security/manager/tools/crtshToIdentifyingStruct/"
+ + "crtshToIdentifyingStruct.py"
+ )
+ print("// Invocation: {}".format(" ".join(sys.argv)))
+ print()
+
+ identifierType = None
+ if args.dn:
+ identifierType = "DN"
+ else:
+ identifierType = "SPKI"
+
+ for certId in args.certId:
+ # Try a local file first, then crt.sh
+ try:
+ with open(certId, "rb") as pemFile:
+ blocks.append(
+ print_block(pemFile.read(), identifierType=identifierType)
+ )
+ except OSError:
+ r = requests.get("https://crt.sh/?d={}".format(certId))
+ r.raise_for_status()
+ blocks.append(
+ print_block(r.content, crtshId=certId, identifierType=identifierType)
+ )
+
+ print("static const DataAndLength " + args.listname + "[]= {")
+ for structName in blocks:
+ if len(structName) < 33:
+ print(" { " + "{name}, sizeof({name}) ".format(name=structName) + "},")
+ else:
+ print(" { " + "{},".format(structName))
+ print(" sizeof({})".format(structName) + " },")
+ print("};")
diff --git a/security/manager/tools/crtshToIdentifyingStruct/requirements.txt b/security/manager/tools/crtshToIdentifyingStruct/requirements.txt
new file mode 100644
index 0000000000..c5c04ec1cc
--- /dev/null
+++ b/security/manager/tools/crtshToIdentifyingStruct/requirements.txt
@@ -0,0 +1,4 @@
+cryptography >= 1.8
+requests >= 2.0
+pyasn1 >= 0.3
+pyasn1_modules >= 0.1 \ No newline at end of file
diff --git a/security/manager/tools/dumpGoogleRoots.js b/security/manager/tools/dumpGoogleRoots.js
new file mode 100644
index 0000000000..464febacc5
--- /dev/null
+++ b/security/manager/tools/dumpGoogleRoots.js
@@ -0,0 +1,108 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file is a helper script that generates the list of certificates that
+// make up the preloaded pinset for Google properties.
+//
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell dumpGoogleRoots.js'
+// 4. [paste the output into the appropriate section in
+// security/manager/tools/PreloadedHPKPins.json]
+
+Services.prefs.setBoolPref("network.process.enabled", false);
+
+function downloadRoots() {
+ let req = new XMLHttpRequest();
+ req.open("GET", "https://pki.google.com/roots.pem", false);
+ try {
+ req.send();
+ } catch (e) {
+ throw new Error("ERROR: problem downloading Google Root PEMs: " + e);
+ }
+
+ if (req.status != 200) {
+ throw new Error(
+ "ERROR: problem downloading Google Root PEMs. Status: " + req.status
+ );
+ }
+
+ let pem = req.responseText;
+ let roots = [];
+ let currentPEM = "";
+ let readingRoot = false;
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ for (let line of pem.split(/[\r\n]/)) {
+ if (line == "-----END CERTIFICATE-----") {
+ if (currentPEM) {
+ roots.push(certDB.constructX509FromBase64(currentPEM));
+ }
+ currentPEM = "";
+ readingRoot = false;
+ continue;
+ }
+ if (readingRoot) {
+ currentPEM += line;
+ }
+ if (line == "-----BEGIN CERTIFICATE-----") {
+ readingRoot = true;
+ }
+ }
+ return roots;
+}
+
+function makeFormattedNickname(cert, knownNicknames) {
+ if (cert.displayName in knownNicknames) {
+ return `"${cert.displayName}"`;
+ }
+ // Otherwise, this isn't a built-in and we have to comment it out.
+ return `// "${cert.displayName}"`;
+}
+
+function gatherKnownNicknames() {
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let nicknames = {};
+ for (let cert of certDB.getCerts()) {
+ nicknames[cert.displayName] = true;
+ }
+ return nicknames;
+}
+
+var knownNicknames = gatherKnownNicknames();
+var roots = downloadRoots();
+var rootNicknames = [];
+for (var root of roots) {
+ rootNicknames.push(makeFormattedNickname(root, knownNicknames));
+}
+rootNicknames.sort(function (rootA, rootB) {
+ let rootALowercase = rootA.toLowerCase().replace(/(^[^"]*")|"/g, "");
+ let rootBLowercase = rootB.toLowerCase().replace(/(^[^"]*")|"/g, "");
+ if (rootALowercase < rootBLowercase) {
+ return -1;
+ }
+ if (rootALowercase > rootBLowercase) {
+ return 1;
+ }
+ return 0;
+});
+dump(" {\n");
+dump(' "name": "google_root_pems",\n');
+dump(' "sha256_hashes": [\n');
+var first = true;
+for (var nickname of rootNicknames) {
+ if (!first) {
+ dump(",\n");
+ }
+ first = false;
+ dump(" " + nickname);
+}
+dump("\n");
+dump(" ]\n");
+dump(" }\n");
diff --git a/security/manager/tools/genRootCAHashes.js b/security/manager/tools/genRootCAHashes.js
new file mode 100644
index 0000000000..be0233a0c0
--- /dev/null
+++ b/security/manager/tools/genRootCAHashes.js
@@ -0,0 +1,275 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell genRootCAHashes.js \
+// [absolute path to]/RootHashes.inc'
+
+const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
+const CertDb = Cc[nsX509CertDB].getService(Ci.nsIX509CertDB);
+
+const { FileUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/FileUtils.sys.mjs"
+);
+const { NetUtil } = ChromeUtils.importESModule(
+ "resource://gre/modules/NetUtil.sys.mjs"
+);
+const { CommonUtils } = ChromeUtils.importESModule(
+ "resource://services-common/utils.sys.mjs"
+);
+
+const FILENAME_OUTPUT = "RootHashes.inc";
+const FILENAME_TRUST_ANCHORS = "KnownRootHashes.json";
+const ROOT_NOT_ASSIGNED = -1;
+
+const JSON_HEADER = `// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+//
+//***************************************************************************
+// This is an automatically generated file. It's used to maintain state for
+// runs of genRootCAHashes.js; you should never need to manually edit it
+//***************************************************************************
+
+// Notes:
+// binNumber 1 used to be for "GTE_CyberTrust_Global_Root", but that root was
+// removed from the built-in roots module, so now it is used to indicate that
+// the certificate is not a built-in and was found in the softoken (cert9.db).
+
+// binNumber 2 used to be for "Thawte_Server_CA", but that root was removed from
+// the built-in roots module, so now it is used to indicate that the certificate
+// is not a built-in and was found on an external PKCS#11 token.
+
+// binNumber 3 used to be for "Thawte_Premium_Server_CA", but that root was
+// removed from the built-in roots module, so now it is used to indicate that
+// the certificate is not a built-in and was temporarily imported from the OS as
+// part of the "Enterprise Roots" feature.
+
+`;
+
+const FILE_HEADER =
+ "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+ " * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+ " * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+ "\n" +
+ "/*****************************************************************************/\n" +
+ "/* This is an automatically generated file. If you're not */\n" +
+ "/* RootCertificateTelemetryUtils.cpp, you shouldn't be #including it. */\n" +
+ "/*****************************************************************************/\n" +
+ "\n" +
+ "#define HASH_LEN 32\n";
+
+const FP_PREAMBLE =
+ "struct CertAuthorityHash {\n" +
+ " // See bug 1338873 about making these fields const.\n" +
+ " uint8_t hash[HASH_LEN];\n" +
+ " int32_t binNumber;\n" +
+ "};\n\n" +
+ "static const struct CertAuthorityHash ROOT_TABLE[] = {\n";
+
+const FP_POSTAMBLE = "};\n";
+
+// Helper
+function writeString(fos, string) {
+ fos.write(string, string.length);
+}
+
+// Remove all colons from a string
+function stripColons(hexString) {
+ return hexString.replace(/:/g, "");
+}
+
+// Expect an array of bytes and make it C-formatted
+function hexSlice(bytes, start, end) {
+ let ret = "";
+ for (let i = start; i < end; i++) {
+ let hex = (0 + bytes.charCodeAt(i).toString(16)).slice(-2).toUpperCase();
+ ret += "0x" + hex;
+ if (i < end - 1) {
+ ret += ", ";
+ }
+ }
+ return ret;
+}
+
+function stripComments(buf) {
+ let lines = buf.split("\n");
+ let entryRegex = /^\s*\/\//;
+ let data = "";
+ for (let i = 0; i < lines.length; i++) {
+ let match = entryRegex.exec(lines[i]);
+ if (!match) {
+ data = data + lines[i];
+ }
+ }
+ return data;
+}
+
+// Load the trust anchors JSON object from disk
+function loadTrustAnchors(file) {
+ if (file.exists()) {
+ let stream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance(
+ Ci.nsIFileInputStream
+ );
+ stream.init(file, -1, 0, 0);
+ let buf = NetUtil.readInputStreamToString(stream, stream.available());
+ return JSON.parse(stripComments(buf));
+ }
+ // If there's no input file, bootstrap.
+ return { roots: [], maxBin: 0 };
+}
+
+// Saves our persistence file so that we don't lose track of the mapping
+// between bin numbers and the CA-hashes, even as CAs come and go.
+function writeTrustAnchors(file) {
+ let fos = FileUtils.openSafeFileOutputStream(file);
+
+ let serializedData = JSON.stringify(gTrustAnchors, null, " ");
+ fos.write(JSON_HEADER, JSON_HEADER.length);
+ fos.write(serializedData, serializedData.length);
+
+ FileUtils.closeSafeFileOutputStream(fos);
+}
+
+// Write the C++ header file
+function writeRootHashes(fos) {
+ try {
+ writeString(fos, FILE_HEADER);
+
+ // Output the sorted gTrustAnchors
+ writeString(fos, FP_PREAMBLE);
+ gTrustAnchors.roots.forEach(function (fp) {
+ let fpBytes = atob(fp.sha256Fingerprint);
+
+ writeString(fos, " {\n");
+ writeString(fos, " /* " + fp.label + " */\n");
+ writeString(fos, " { " + hexSlice(fpBytes, 0, 16) + ",\n");
+ writeString(fos, " " + hexSlice(fpBytes, 16, 32) + " },\n");
+ writeString(fos, " " + fp.binNumber + " /* Bin Number */\n");
+
+ writeString(fos, " },\n");
+ });
+ writeString(fos, FP_POSTAMBLE);
+
+ writeString(fos, "\n");
+ } catch (e) {
+ dump("ERROR: problem writing output: " + e + "\n");
+ }
+}
+
+// Scan our list (linearly) for the given fingerprint string
+function findTrustAnchorByFingerprint(sha256Fingerprint) {
+ for (let i = 0; i < gTrustAnchors.roots.length; i++) {
+ if (sha256Fingerprint == gTrustAnchors.roots[i].sha256Fingerprint) {
+ return i;
+ }
+ }
+ return ROOT_NOT_ASSIGNED;
+}
+
+// Get a clean label for a given certificate; usually the common name.
+function getLabelForCert(cert) {
+ let label = cert.commonName;
+
+ if (label.length < 5) {
+ label = cert.subjectName;
+ }
+
+ // replace non-ascii characters
+ label = label.replace(/[^[:ascii:]]/g, "_");
+ // replace non-word characters
+ label = label.replace(/[^A-Za-z0-9]/g, "_");
+ return label;
+}
+
+// Fill in the gTrustAnchors list with trust anchors from the database.
+function insertTrustAnchorsFromDatabase() {
+ // We only want CA certs for SSL
+ const CERT_TYPE = Ci.nsIX509Cert.CA_CERT;
+ const TRUST_TYPE = Ci.nsIX509CertDB.TRUSTED_SSL;
+
+ // Iterate through the whole Cert DB
+ for (let cert of CertDb.getCerts()) {
+ // Find the certificate in our existing list. Do it here because we need to check if
+ // it's untrusted too.
+
+ // If this is a trusted cert
+ if (CertDb.isCertTrusted(cert, CERT_TYPE, TRUST_TYPE)) {
+ // Base64 encode the hex string
+ let binaryFingerprint = CommonUtils.hexToBytes(
+ stripColons(cert.sha256Fingerprint)
+ );
+ let encodedFingerprint = btoa(binaryFingerprint);
+
+ // Scan to see if this is already in the database.
+ if (
+ findTrustAnchorByFingerprint(encodedFingerprint) == ROOT_NOT_ASSIGNED
+ ) {
+ // Let's get a usable name; some old certs do not have CN= filled out
+ let label = getLabelForCert(cert);
+
+ // Add to list
+ gTrustAnchors.maxBin += 1;
+ gTrustAnchors.roots.push({
+ label,
+ binNumber: gTrustAnchors.maxBin,
+ sha256Fingerprint: encodedFingerprint,
+ });
+ }
+ }
+ }
+}
+
+//
+// PRIMARY LOGIC
+//
+
+if (arguments.length != 1) {
+ throw new Error(
+ "Usage: genRootCAHashes.js <absolute path to current RootHashes.inc>"
+ );
+}
+
+var trustAnchorsFile = new FileUtils.File(
+ PathUtils.join(
+ Services.dirsvc.get("CurWorkD", Ci.nsIFile).path,
+ FILENAME_TRUST_ANCHORS
+ )
+);
+var rootHashesFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+rootHashesFile.initWithPath(arguments[0]);
+
+// Open the known hashes file; this is to ensure stable bin numbers.
+var gTrustAnchors = loadTrustAnchors(trustAnchorsFile);
+
+// Collect all certificate entries
+insertTrustAnchorsFromDatabase();
+
+// Update known hashes before we sort
+writeTrustAnchors(trustAnchorsFile);
+
+// Sort all trust anchors before writing, as AccumulateRootCA.cpp
+// will perform binary searches
+gTrustAnchors.roots.sort(function (a, b) {
+ // We need to work from the binary values, not the base64 values.
+ let aBin = atob(a.sha256Fingerprint);
+ let bBin = atob(b.sha256Fingerprint);
+
+ if (aBin < bBin) {
+ return -1;
+ }
+ if (aBin > bBin) {
+ return 1;
+ }
+ return 0;
+});
+
+// Write the output file.
+var rootHashesFileOutputStream =
+ FileUtils.openSafeFileOutputStream(rootHashesFile);
+writeRootHashes(rootHashesFileOutputStream);
+FileUtils.closeSafeFileOutputStream(rootHashesFileOutputStream);
diff --git a/security/manager/tools/getCTKnownLogs.py b/security/manager/tools/getCTKnownLogs.py
new file mode 100755
index 0000000000..677791bffd
--- /dev/null
+++ b/security/manager/tools/getCTKnownLogs.py
@@ -0,0 +1,330 @@
+#!/usr/bin/env python
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Parses a JSON file listing the known Certificate Transparency logs
+(log_list.json) and generates a C++ header file to be included in Firefox.
+
+The current log_list.json file available under security/manager/tools
+was originally downloaded from
+https://www.certificate-transparency.org/known-logs
+and edited to include the disqualification time for the disqualified logs using
+https://cs.chromium.org/chromium/src/net/cert/ct_known_logs_static-inc.h
+"""
+
+import argparse
+import base64
+import datetime
+import json
+import os.path
+import sys
+import textwrap
+from string import Template
+
+import six
+import urllib3
+
+
+def decodebytes(s):
+ if six.PY3:
+ return base64.decodebytes(six.ensure_binary(s))
+ return base64.decodestring(s)
+
+
+OUTPUT_TEMPLATE = """\
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This file was automatically generated by $prog. */
+
+#ifndef $include_guard
+#define $include_guard
+
+#include "CTLog.h"
+
+#include <stddef.h>
+
+struct CTLogInfo
+{
+ // See bug 1338873 about making these fields const.
+ const char* name;
+ // Index within kCTLogOperatorList.
+ mozilla::ct::CTLogStatus status;
+ // 0 for qualified logs, disqualification time for disqualified logs
+ // (in milliseconds, measured since the epoch, ignoring leap seconds).
+ uint64_t disqualificationTime;
+ size_t operatorIndex;
+ const char* key;
+ size_t keyLength;
+};
+
+struct CTLogOperatorInfo
+{
+ // See bug 1338873 about making these fields const.
+ const char* name;
+ mozilla::ct::CTLogOperatorId id;
+};
+
+const CTLogInfo kCTLogList[] = {
+$logs
+};
+
+const CTLogOperatorInfo kCTLogOperatorList[] = {
+$operators
+};
+
+#endif // $include_guard
+"""
+
+
+def get_disqualification_time(time_str):
+ """
+ Convert a time string such as "2017-01-01T00:00:00Z" to an integer
+ representing milliseconds since the epoch.
+ Timezones in the string are not supported and will result in an exception.
+ """
+ t = datetime.datetime.strptime(time_str, "%Y-%m-%dT%H:%M:%SZ")
+ epoch = datetime.datetime.utcfromtimestamp(0)
+ seconds_since_epoch = (t - epoch).total_seconds()
+ return int(seconds_since_epoch * 1000)
+
+
+def get_hex_lines(blob, width):
+ """Convert a binary string to a multiline text of C escape sequences."""
+ text = "".join(["\\x{:02x}".format(c) for c in blob])
+ # When escaped, a single byte takes 4 chars (e.g. "\x00").
+ # Make sure we don't break an escaped byte between the lines.
+ return textwrap.wrap(text, width - width % 4)
+
+
+def get_operator_index(json_data, target_name):
+ """Return operator's entry from the JSON along with its array index."""
+ matches = [
+ (operator, index)
+ for (index, operator) in enumerate(json_data["operators"])
+ if operator["name"] == target_name
+ ]
+ assert len(matches) != 0, "No operators with id {0} defined.".format(target_name)
+ assert len(matches) == 1, "Found multiple operators with id {0}.".format(
+ target_name
+ )
+ return matches[0][1]
+
+
+def get_log_info_structs(json_data):
+ """Return array of CTLogInfo initializers for the known logs."""
+ tmpl = Template(
+ textwrap.dedent(
+ """\
+ { $description,
+ $status,
+ $disqualification_time, // $disqualification_time_comment
+ $operator_index, // $operator_comment
+ $indented_log_key,
+ $log_key_len }"""
+ )
+ )
+ initializers = []
+ for operator in json_data["operators"]:
+ operator_name = operator["name"]
+ for log in operator["logs"]:
+ log_key = decodebytes(log["key"])
+ operator_index = get_operator_index(json_data, operator_name)
+ if "disqualification_time" in log:
+ status = "mozilla::ct::CTLogStatus::Disqualified"
+ disqualification_time = get_disqualification_time(
+ log["disqualification_time"]
+ )
+ disqualification_time_comment = 'Date.parse("{0}")'.format(
+ log["disqualification_time"]
+ )
+ else:
+ status = "mozilla::ct::CTLogStatus::Included"
+ disqualification_time = 0
+ disqualification_time_comment = "no disqualification time"
+ is_test_log = "test_only" in operator and operator["test_only"]
+ prefix = ""
+ suffix = ","
+ if is_test_log:
+ prefix = "#ifdef DEBUG\n"
+ suffix = ",\n#endif // DEBUG"
+ toappend = tmpl.substitute(
+ # Use json.dumps for C-escaping strings.
+ # Not perfect but close enough.
+ description=json.dumps(log["description"]),
+ operator_index=operator_index,
+ operator_comment="operated by {0}".
+ # The comment must not contain "/".
+ format(operator_name).replace("/", "|"),
+ status=status,
+ disqualification_time=disqualification_time,
+ disqualification_time_comment=disqualification_time_comment,
+ # Maximum line width is 80.
+ indented_log_key="\n".join(
+ [' "{0}"'.format(l) for l in get_hex_lines(log_key, 74)]
+ ),
+ log_key_len=len(log_key),
+ )
+ initializers.append(prefix + toappend + suffix)
+ return initializers
+
+
+def get_log_operator_structs(json_data):
+ """Return array of CTLogOperatorInfo initializers."""
+ tmpl = Template(" { $name, $id }")
+ initializers = []
+ currentId = 0
+ for operator in json_data["operators"]:
+ prefix = ""
+ suffix = ","
+ is_test_log = "test_only" in operator and operator["test_only"]
+ if is_test_log:
+ prefix = "#ifdef DEBUG\n"
+ suffix = ",\n#endif // DEBUG"
+ toappend = tmpl.substitute(name=json.dumps(operator["name"]), id=currentId)
+ currentId += 1
+ initializers.append(prefix + toappend + suffix)
+ return initializers
+
+
+def generate_cpp_header_file(json_data, out_file):
+ """Generate the C++ header file for the known logs."""
+ filename = os.path.basename(out_file.name)
+ include_guard = filename.replace(".", "_").replace("/", "_")
+ log_info_initializers = get_log_info_structs(json_data)
+ operator_info_initializers = get_log_operator_structs(json_data)
+ out_file.write(
+ Template(OUTPUT_TEMPLATE).substitute(
+ prog=os.path.basename(sys.argv[0]),
+ include_guard=include_guard,
+ logs="\n".join(log_info_initializers),
+ operators="\n".join(operator_info_initializers),
+ )
+ )
+
+
+def patch_in_test_logs(json_data):
+ """Insert Mozilla-specific test log data."""
+ max_id = len(json_data["operators"])
+ mozilla_test_operator_1 = {
+ "name": "Mozilla Test Org 1",
+ "id": max_id + 1,
+ "test_only": True,
+ "logs": [
+ {
+ "description": "Mozilla Test RSA Log 1",
+ # `openssl x509 -noout -pubkey -in <path/to/default-ee.pem>`
+ "key": """
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+ h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+ cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+ OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+ tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+ jQIDAQAB
+ """,
+ "operated_by": [max_id + 1],
+ },
+ {
+ "description": "Mozilla Test EC Log",
+ # `openssl x509 -noout -pubkey -in <path/to/root_secp256r1_256.pem`
+ "key": """
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE4uwFC0I+
+ PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqmwA==
+ """,
+ "operated_by": [max_id + 1],
+ },
+ ],
+ }
+ mozilla_test_operator_2 = {
+ "name": "Mozilla Test Org 2",
+ "id": max_id + 2,
+ "test_only": True,
+ "logs": [
+ {
+ "description": "Mozilla Test RSA Log 2",
+ # `openssl x509 -noout -pubkey -in <path/to/other-test-ca.pem>`
+ "key": """
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2
+ w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTE
+ SDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw
+ 7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1C
+ aQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVO
+ gys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjT
+ uwIDAQAB
+ """,
+ "operated_by": [max_id + 2],
+ }
+ ],
+ }
+ json_data["operators"].append(mozilla_test_operator_1)
+ json_data["operators"].append(mozilla_test_operator_2)
+
+
+def run(args):
+ """
+ Load the input JSON file and generate the C++ header according to the
+ command line arguments.
+ """
+ if args.file:
+ print("Reading file: ", args.file)
+ with open(args.file, "rb") as json_file:
+ json_text = json_file.read()
+ elif args.url:
+ print("Fetching URL: ", args.url)
+ json_request = urllib3.urlopen(args.url)
+ try:
+ json_text = json_request.read()
+ finally:
+ json_request.close()
+
+ json_data = json.loads(json_text)
+
+ print("Writing output: ", args.out)
+
+ patch_in_test_logs(json_data)
+
+ with open(args.out, "w") as out_file:
+ generate_cpp_header_file(json_data, out_file)
+
+ print("Done.")
+
+
+def parse_arguments_and_run():
+ """Parse the command line arguments and run the program."""
+ arg_parser = argparse.ArgumentParser(
+ description="Parses a JSON file listing the known "
+ "Certificate Transparency logs and generates "
+ "a C++ header file to be included in Firefox.",
+ epilog="Example: python %s --url" % os.path.basename(sys.argv[0]),
+ )
+
+ source_group = arg_parser.add_mutually_exclusive_group(required=True)
+ source_group.add_argument(
+ "--file",
+ nargs="?",
+ const="log_list.json",
+ help="Read the known CT logs JSON data from the "
+ "specified local file (%(const)s by default).",
+ )
+ source_group.add_argument(
+ "--url", help="Download the known CT logs JSON file " "from the specified URL."
+ )
+
+ arg_parser.add_argument(
+ "--out",
+ default="../../certverifier/CTKnownLogs.h",
+ help="Path and filename of the header file "
+ "to be generated. Defaults to %(default)s",
+ )
+
+ run(arg_parser.parse_args())
+
+
+if __name__ == "__main__":
+ parse_arguments_and_run()
diff --git a/security/manager/tools/log_list.json b/security/manager/tools/log_list.json
new file mode 100644
index 0000000000..39c0952634
--- /dev/null
+++ b/security/manager/tools/log_list.json
@@ -0,0 +1,403 @@
+{
+ "version": "20.36",
+ "log_list_timestamp": "2023-04-11T12:55:27Z",
+ "operators": [
+ {
+ "name": "Google",
+ "email": [
+ "google-ct-logs@googlegroups.com"
+ ],
+ "logs": [
+ {
+ "description": "Google 'Argon2023' log",
+ "log_id": "6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0JCPZFJOQqyEti5M8j13ALN3CAVHqkVM4yyOcKWCu2yye5yYeqDpEXYoALIgtM3TmHtNlifmt+4iatGwLpF3eA==",
+ "url": "https://ct.googleapis.com/logs/argon2023/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2019-12-17T18:38:01Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-01-01T00:00:00Z",
+ "end_exclusive": "2024-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "Google 'Argon2024' log",
+ "log_id": "7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZs=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHblsqctplMVc5ramA7vSuNxUQxcomQwGAVAdnWTAWUYr3MgDHQW0LagJ95lB7QT75Ve6JgT2EVLOFGU7L3YrwA==",
+ "url": "https://ct.googleapis.com/logs/us1/argon2024/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-01T18:54:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2024-01-01T00:00:00Z",
+ "end_exclusive": "2025-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "Google 'Xenon2023' log",
+ "log_id": "rfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgoo=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEchY+C+/vzj5g3ZXLY3q5qY1Kb2zcYYCmRV4vg6yU84WI0KV00HuO/8XuQqLwLZPjwtCymeLhQunSxgAnaXSuzg==",
+ "url": "https://ct.googleapis.com/logs/xenon2023/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2019-12-17T18:38:01Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-01-01T00:00:00Z",
+ "end_exclusive": "2024-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "Google 'Xenon2024' log",
+ "log_id": "dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuWDgNB415GUAk0+QCb1a7ETdjA/O7RE+KllGmjG2x5n33O89zY+GwjWlPtwpurvyVOKoDIMIUQbeIW02UI44TQ==",
+ "url": "https://ct.googleapis.com/logs/eu1/xenon2024/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-01T18:54:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2024-01-01T00:00:00Z",
+ "end_exclusive": "2025-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "Google 'Icarus' log",
+ "log_id": "KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETtK8v7MICve56qTHHDhhBOuV4IlUaESxZryCfk9QbG9co/CqPvTsgPDbCpp6oFtyAHwlDhnvr7JijXRD9Cb2FA==",
+ "url": "https://ct.googleapis.com/icarus/",
+ "mmd": 86400,
+ "state": {
+ "retired": {
+ "timestamp": "2022-09-15T00:00:00Z"
+ }
+ }
+ },
+ {
+ "description": "Google 'Pilot' log",
+ "log_id": "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl/fHTDM0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFMoA==",
+ "url": "https://ct.googleapis.com/pilot/",
+ "mmd": 86400,
+ "state": {
+ "retired": {
+ "timestamp": "2022-09-15T00:00:00Z"
+ }
+ }
+ },
+ {
+ "description": "Google 'Rocketeer' log",
+ "log_id": "7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFsYyDzBi7MxCAC/oJBXK7dHjG+1aLCOkHjpoHPqTyghLpzA9BYbqvnV16mAw04vUjyYASVGJCUoI3ctBcJAeg==",
+ "url": "https://ct.googleapis.com/rocketeer/",
+ "mmd": 86400,
+ "state": {
+ "retired": {
+ "timestamp": "2022-09-15T00:00:00Z"
+ }
+ }
+ },
+ {
+ "description": "Google 'Skydiver' log",
+ "log_id": "u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmyGDvYXsRJsNyXSrYc9DjHsIa2xzb4UR7ZxVoV6mrc9iZB7xjI6+NrOiwH+P/xxkRmOFG6Jel20q37hTh58rA==",
+ "url": "https://ct.googleapis.com/skydiver/",
+ "mmd": 86400,
+ "state": {
+ "retired": {
+ "timestamp": "2022-09-15T00:00:00Z"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "Cloudflare",
+ "email": [
+ "ct-logs@cloudflare.com",
+ "brendan@cloudflare.com",
+ "nick@cloudflare.com",
+ "pat@cloudflare.com",
+ "zi@cloudflare.com",
+ "ivan@cloudflare.com"
+ ],
+ "logs": [
+ {
+ "description": "Cloudflare 'Nimbus2023' Log",
+ "log_id": "ejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61I=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEi/8tkhjLRp0SXrlZdTzNkTd6HqmcmXiDJz3fAdWLgOhjmv4mohvRhwXul9bgW0ODgRwC9UGAgH/vpGHPvIS1qA==",
+ "url": "https://ct.cloudflare.com/logs/nimbus2023/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2019-10-31T19:22:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-01-01T00:00:00Z",
+ "end_exclusive": "2024-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "Cloudflare 'Nimbus2024' Log",
+ "log_id": "2ra/az+1tiKfm8K7XGvocJFxbLtRhIU0vaQ9MEjX+6s=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd7Gbe4/mizX+OpIpLayKjVGKJfyTttegiyk3cR0zyswz6ii5H+Ksw6ld3Ze+9p6UJd02gdHrXSnDK0TxW8oVSA==",
+ "url": "https://ct.cloudflare.com/logs/nimbus2024/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-30T17:00:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2024-01-01T00:00:00Z",
+ "end_exclusive": "2025-01-01T00:00:00Z"
+ }
+ }
+ ]
+ },
+ {
+ "name": "DigiCert",
+ "email": [
+ "ctops@digicert.com"
+ ],
+ "logs": [
+ {
+ "description": "DigiCert Yeti2023 Log",
+ "log_id": "Nc8ZG7+xbFe/D61MbULLu7YnICZR6j/hKu+oA8M71kw=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfQ0DsdWYitzwFTvG3F4Nbj8Nv5XIVYzQpkyWsU4nuSYlmcwrAp6m092fsdXEw6w1BAeHlzaqrSgNfyvZaJ9y0Q==",
+ "url": "https://yeti2023.ct.digicert.com/log/",
+ "mmd": 86400,
+ "state": {
+ "retired": {
+ "timestamp": "2022-09-29T00:00:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-01-01T00:00:00Z",
+ "end_exclusive": "2024-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "DigiCert Yeti2024 Log",
+ "log_id": "SLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHM=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV7jBbzCkfy7k8NDZYGITleN6405Tw7O4c4XBGA0jDliE0njvm7MeLBrewY+BGxlEWLcAd2AgGnLYgt6unrHGSw==",
+ "url": "https://yeti2024.ct.digicert.com/log/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-01T18:54:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2024-01-01T00:00:00Z",
+ "end_exclusive": "2025-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "DigiCert Yeti2025 Log",
+ "log_id": "fVkeEuF4KnscYWd8Xv340IdcFKBOlZ65Ay/ZDowuebg=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE35UAXhDBAfc34xB00f+yypDtMplfDDn+odETEazRs3OTIMITPEy1elKGhj3jlSR82JGYSDvw8N8h8bCBWlklQw==",
+ "url": "https://yeti2025.ct.digicert.com/log/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-01T18:54:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2025-01-01T00:00:00Z",
+ "end_exclusive": "2026-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "DigiCert Nessie2023 Log",
+ "log_id": "s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXu8iQwSCRSf2CbITGpUpBtFVt8+I0IU0d1C36Lfe1+fbwdaI0Z5FktfM2fBoI1bXBd18k2ggKGYGgdZBgLKTg==",
+ "url": "https://nessie2023.ct.digicert.com/log/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2019-10-31T19:22:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-01-01T00:00:00Z",
+ "end_exclusive": "2024-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "DigiCert Nessie2024 Log",
+ "log_id": "c9meiRtMlnigIH1HneayxhzQUV5xGSqMa4AQesF3crU=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELfyieza/VpHp/j/oPfzDp+BhUuos6QWjnycXgQVwa4FhRIr4OxCAQu0DLwBQIfxBVISjVNUusnoWSyofK2YEKw==",
+ "url": "https://nessie2024.ct.digicert.com/log/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-01T18:54:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2024-01-01T00:00:00Z",
+ "end_exclusive": "2025-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "DigiCert Nessie2025 Log",
+ "log_id": "5tIxY0B3jMEQQQbXcbnOwdJA9paEhvu6hzId/R43jlA=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8vDwp4uBLgk5O59C2jhEX7TM7Ta72EN/FklXhwR/pQE09+hoP7d4H2BmLWeadYC3U6eF1byrRwZV27XfiKFvOA==",
+ "url": "https://nessie2025.ct.digicert.com/log/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-01T18:54:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2025-01-01T00:00:00Z",
+ "end_exclusive": "2026-01-01T00:00:00Z"
+ }
+ }
+ ]
+ },
+ {
+ "name": "Sectigo",
+ "email": [
+ "ctops@sectigo.com"
+ ],
+ "logs": [
+ {
+ "description": "Sectigo 'Sabre' CT log",
+ "log_id": "VYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0ww=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8m/SiQ8/xfiHHqtls9m7FyOMBg4JVZY9CgiixXGz0akvKD6DEL8S0ERmFe9U4ZiA0M4kbT5nmuk3I85Sk4bagA==",
+ "url": "https://sabre.ct.comodo.com/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2017-10-10T00:38:10Z"
+ }
+ }
+ },
+ {
+ "description": "Sectigo 'Mammoth' CT log",
+ "log_id": "b1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RM=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7+R9dC4VFbbpuyOL+yy14ceAmEf7QGlo/EmtYU6DRzwat43f/3swtLr/L8ugFOOt1YU/RFmMjGCL17ixv66MZw==",
+ "url": "https://mammoth.ct.comodo.com/",
+ "mmd": 86400,
+ "state": {
+ "retired": {
+ "timestamp": "2023-01-15T00:00:00Z"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "Let's Encrypt",
+ "email": [
+ "sre@letsencrypt.org"
+ ],
+ "logs": [
+ {
+ "description": "Let's Encrypt 'Oak2023' log",
+ "log_id": "tz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJk=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz0OeL7jrVxEXJu+o4QWQYLKyokXHiPOOKVUL3/TNFFquVzDSer7kZ3gijxzBp98ZTgRgMSaWgCmZ8OD74mFUQ==",
+ "url": "https://oak.ct.letsencrypt.org/2023/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2021-03-01T19:24:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-01-01T00:00:00Z",
+ "end_exclusive": "2024-01-07T00:00:00Z"
+ }
+ },
+ {
+ "description": "Let's Encrypt 'Oak2024H1' log",
+ "log_id": "O1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61Bc=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVkPXfnvUcre6qVG9NpO36bWSD+pet0Wjkv3JpTyArBog7yUvuOEg96g6LgeN5uuk4n0kY59Gv5RzUo2Wrqkm/Q==",
+ "url": "https://oak.ct.letsencrypt.org/2024h1/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-30T17:00:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-12-20T00:00:00Z",
+ "end_exclusive": "2024-07-20T00:00:00Z"
+ }
+ },
+ {
+ "description": "Let's Encrypt 'Oak2024H2' log",
+ "log_id": "PxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE13PWU0fp88nVfBbC1o9wZfryUTapE4Av7fmU01qL6E8zz8PTidRfWmaJuiAfccvKu5+f81wtHqOBWa+Ss20waA==",
+ "url": "https://oak.ct.letsencrypt.org/2024h2/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2022-11-30T17:00:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2024-06-20T00:00:00Z",
+ "end_exclusive": "2025-01-20T00:00:00Z"
+ }
+ }
+ ]
+ },
+ {
+ "name": "TrustAsia",
+ "email": [
+ "trustasia-ct-logs@trustasia.com"
+ ],
+ "logs": [
+ {
+ "description": "Trust Asia Log2023",
+ "log_id": "6H6nZgvCbPYALvVyXT/g4zG5OTu5L79Y6zuQSdr1Q1o=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpBFS2xdBTpDUVlESMFL4mwPPTJ/4Lji18Vq6+ji50o8agdqVzDPsIShmxlY+YDYhINnUrF36XBmhBX3+ICP89Q==",
+ "url": "https://ct.trustasia.com/log2023/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2021-03-01T19:24:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2023-01-01T00:00:00Z",
+ "end_exclusive": "2024-01-01T00:00:00Z"
+ }
+ },
+ {
+ "description": "Trust Asia Log2024-2",
+ "log_id": "h0+1DcAp2ZMd5XPp8omejkUzs5LTiwpGJXS/D+6y/B4=",
+ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp2TieYE/YdfsxvhlKB2gtGYzwyXVCpV4nI/+pCrYj35y4P6of/ixLYXAjhJ0DS+Mq9d/eh7ZhDM56P2JX5ZICA==",
+ "url": "https://ct2024.trustasia.com/log2024/",
+ "mmd": 86400,
+ "state": {
+ "usable": {
+ "timestamp": "2023-02-03T08:00:00Z"
+ }
+ },
+ "temporal_interval": {
+ "start_inclusive": "2024-01-01T00:00:00Z",
+ "end_exclusive": "2025-01-01T00:00:00Z"
+ }
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/security/manager/tools/mach_commands.py b/security/manager/tools/mach_commands.py
new file mode 100644
index 0000000000..e543821dbe
--- /dev/null
+++ b/security/manager/tools/mach_commands.py
@@ -0,0 +1,129 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import os
+
+from mach.decorators import Command, CommandArgument
+from mach.util import UserError
+from mozpack.files import FileFinder
+from mozpack.path import basedir
+
+
+def run_module_main_on(module, input_filename, output_is_binary):
+ """Run the given module (pycert or pykey) on the given
+ file."""
+ # By convention, the specification files have names of the form
+ # "name.ext.*spec", where "ext" is some extension, and the "*" in
+ # "*spec" identifies what kind of specification it represents
+ # (certspec or keyspec). Taking off the ".*spec" part results in the
+ # desired filename for this file.
+ output_filename = os.path.splitext(input_filename)[0]
+ mode = "w"
+ encoding = "utf-8"
+ newline = "\n"
+ if output_is_binary:
+ mode = "wb"
+ encoding = None
+ newline = None
+ with open(output_filename, mode=mode, encoding=encoding, newline=newline) as output:
+ module.main(output, input_filename)
+
+
+def is_certspec_file(filename):
+ """Returns True if the given filename is a certificate
+ specification file (.certspec) and False otherwise."""
+ return filename.endswith(".certspec")
+
+
+def is_keyspec_file(filename):
+ """Returns True if the given filename is a key specification
+ file (.keyspec) and False otherwise."""
+ return filename.endswith(".keyspec")
+
+
+def is_pkcs12spec_file(filename):
+ """Returns True if the given filename is a pkcs12
+ specification file (.pkcs12spec) and False otherwise."""
+ return filename.endswith(".pkcs12spec")
+
+
+def is_specification_file(filename):
+ """Returns True if the given filename is a specification
+ file supported by this script, and False otherewise."""
+ return (
+ is_certspec_file(filename)
+ or is_keyspec_file(filename)
+ or is_pkcs12spec_file(filename)
+ )
+
+
+def is_excluded_directory(directory, exclusions):
+ """Returns True if the given directory is in or is a
+ subdirectory of a directory in the list of exclusions and
+ False otherwise."""
+
+ for exclusion in exclusions:
+ if directory.startswith(exclusion):
+ return True
+ return False
+
+
+@Command(
+ "generate-test-certs",
+ category="devenv",
+ description="Generate test certificates and keys from specifications.",
+)
+@CommandArgument(
+ "specifications",
+ nargs="*",
+ help="Specification files for test certs. If omitted, all certs are regenerated.",
+)
+def generate_test_certs(command_context, specifications):
+ """Generate test certificates and keys from specifications."""
+ import pycert
+ import pykey
+ import pypkcs12
+
+ if not specifications:
+ specifications = find_all_specifications(command_context)
+
+ for specification in specifications:
+ output_is_binary = False
+ if is_certspec_file(specification):
+ module = pycert
+ elif is_keyspec_file(specification):
+ module = pykey
+ elif is_pkcs12spec_file(specification):
+ module = pypkcs12
+ output_is_binary = True
+ else:
+ raise UserError(
+ "'{}' is not a .certspec, .keyspec, or .pkcs12spec file".format(
+ specification
+ )
+ )
+ run_module_main_on(module, os.path.abspath(specification), output_is_binary)
+ return 0
+
+
+def find_all_specifications(command_context):
+ """Searches the source tree for all specification files
+ and returns them as a list."""
+ specifications = []
+ inclusions = [
+ "netwerk/test/unit",
+ "security/manager/ssl/tests",
+ "services/settings/test/unit/test_remote_settings_signatures",
+ "testing/xpcshell/moz-http2",
+ "toolkit/mozapps/extensions/test/xpcshell/data/productaddons",
+ ]
+ exclusions = ["security/manager/ssl/tests/unit/test_signed_apps"]
+ finder = FileFinder(command_context.topsrcdir)
+ for inclusion_path in inclusions:
+ for f, _ in finder.find(inclusion_path):
+ if basedir(f, exclusions):
+ continue
+ if is_specification_file(f):
+ specifications.append(os.path.join(command_context.topsrcdir, f))
+ return specifications
diff --git a/security/manager/tools/pycert.py b/security/manager/tools/pycert.py
new file mode 100755
index 0000000000..2fe90515e1
--- /dev/null
+++ b/security/manager/tools/pycert.py
@@ -0,0 +1,805 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Reads a certificate specification from stdin or a file and outputs a
+signed x509 certificate with the desired properties.
+
+The input format is as follows:
+
+issuer:<issuer distinguished name specification>
+subject:<subject distinguished name specification>
+[version:{1,2,3,4}]
+[validity:<YYYYMMDD-YYYYMMDD|duration in days>]
+[issuerKey:<key specification>]
+[subjectKey:<key specification>]
+[signature:{sha256WithRSAEncryption,sha1WithRSAEncryption,
+ md5WithRSAEncryption,ecdsaWithSHA256,ecdsaWithSHA384,
+ ecdsaWithSHA512}]
+[serialNumber:<integer in the interval [1, 127]>]
+[extension:<extension name:<extension-specific data>>]
+[...]
+
+Known extensions are:
+basicConstraints:[cA],[pathLenConstraint]
+keyUsage:[digitalSignature,nonRepudiation,keyEncipherment,
+ dataEncipherment,keyAgreement,keyCertSign,cRLSign]
+extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
+ nsSGC, # Netscape Server Gated Crypto
+ OCSPSigning,timeStamping]
+subjectAlternativeName:[<dNSName|directoryName|"ip4:"iPV4Address>,...]
+authorityInformationAccess:<OCSP URI>
+certificatePolicies:[<policy OID>,...]
+nameConstraints:{permitted,excluded}:[<dNSName|directoryName>,...]
+nsCertType:sslServer
+TLSFeature:[<TLSFeature>,...]
+embeddedSCTList:[<key specification>:<YYYYMMDD>,...]
+delegationUsage:
+
+Where:
+ [] indicates an optional field or component of a field
+ <> indicates a required component of a field
+ {} indicates a choice of exactly one value among a set of values
+ [a,b,c] indicates a list of potential values, of which zero or more
+ may be used
+
+For instance, the version field is optional. However, if it is
+specified, it must have exactly one value from the set {1,2,3,4}.
+
+Most fields have reasonable default values. By default one shared RSA
+key is used for all signatures and subject public key information
+fields. Using "issuerKey:<key specification>" or
+"subjectKey:<key specification>" causes a different key be used for
+signing or as the subject public key information field, respectively.
+See pykey.py for the list of available specifications.
+The signature algorithm is sha256WithRSAEncryption by default.
+
+The validity period may be specified as either concrete notBefore and
+notAfter values or as a validity period centered around 'now'. For the
+latter, this will result in a notBefore of 'now' - duration/2 and a
+notAfter of 'now' + duration/2.
+
+Issuer and subject distinguished name specifications are of the form
+'[stringEncoding]/C=XX/O=Example/CN=example.com'. C (country name), ST
+(state or province name), L (locality name), O (organization name), OU
+(organizational unit name), CN (common name) and emailAddress (email
+address) are currently supported. The optional stringEncoding field may
+be 'utf8String' or 'printableString'. If the given string does not
+contain a '/', it is assumed to represent a common name. If an empty
+string is provided, then an empty distinguished name is returned.
+DirectoryNames also use this format. When specifying a directoryName in
+a nameConstraints extension, the implicit form may not be used.
+
+If an extension name has '[critical]' after it, it will be marked as
+critical. Otherwise (by default), it will not be marked as critical.
+
+TLSFeature values can either consist of a named value (currently only
+'OCSPMustStaple' which corresponds to status_request) or a numeric TLS
+feature value (see rfc7633 for more information).
+
+If a serial number is not explicitly specified, it is automatically
+generated based on the contents of the certificate.
+"""
+
+import base64
+import datetime
+import hashlib
+import re
+import socket
+import sys
+from struct import pack
+
+import pyct
+import pykey
+import six
+from pyasn1.codec.der import decoder, encoder
+from pyasn1.type import constraint, tag, univ, useful
+from pyasn1_modules import rfc2459
+
+
+class Error(Exception):
+ """Base class for exceptions in this module."""
+
+ pass
+
+
+class UnknownBaseError(Error):
+ """Base class for handling unexpected input in this module."""
+
+ def __init__(self, value):
+ super(UnknownBaseError, self).__init__()
+ self.value = value
+ self.category = "input"
+
+ def __str__(self):
+ return 'Unknown %s type "%s"' % (self.category, repr(self.value))
+
+
+class UnknownAlgorithmTypeError(UnknownBaseError):
+ """Helper exception type to handle unknown algorithm types."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "algorithm"
+
+
+class UnknownParameterTypeError(UnknownBaseError):
+ """Helper exception type to handle unknown input parameters."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "parameter"
+
+
+class UnknownExtensionTypeError(UnknownBaseError):
+ """Helper exception type to handle unknown input extensions."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "extension"
+
+
+class UnknownKeyPurposeTypeError(UnknownBaseError):
+ """Helper exception type to handle unknown key purposes."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "keyPurpose"
+
+
+class UnknownKeyTargetError(UnknownBaseError):
+ """Helper exception type to handle unknown key targets."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "key target"
+
+
+class UnknownVersionError(UnknownBaseError):
+ """Helper exception type to handle unknown specified versions."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "version"
+
+
+class UnknownNameConstraintsSpecificationError(UnknownBaseError):
+ """Helper exception type to handle unknown specified
+ nameConstraints."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "nameConstraints specification"
+
+
+class UnknownDNTypeError(UnknownBaseError):
+ """Helper exception type to handle unknown DN types."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "DN"
+
+
+class UnknownNSCertTypeError(UnknownBaseError):
+ """Helper exception type to handle unknown nsCertType types."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "nsCertType"
+
+
+class UnknownTLSFeature(UnknownBaseError):
+ """Helper exception type to handle unknown TLS Features."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "TLSFeature"
+
+
+class UnknownDelegatedCredentialError(UnknownBaseError):
+ """Helper exception type to handle unknown Delegated Credential args."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "delegatedCredential"
+
+
+class InvalidSCTSpecification(Error):
+ """Helper exception type to handle invalid SCT specifications."""
+
+ def __init__(self, value):
+ super(InvalidSCTSpecification, self).__init__()
+ self.value = value
+
+ def __str__(self):
+ return repr('invalid SCT specification "{}"' % self.value)
+
+
+class InvalidSerialNumber(Error):
+ """Exception type to handle invalid serial numbers."""
+
+ def __init__(self, value):
+ super(InvalidSerialNumber, self).__init__()
+ self.value = value
+
+ def __str__(self):
+ return repr(self.value)
+
+
+def getASN1Tag(asn1Type):
+ """Helper function for returning the base tag value of a given
+ type from the pyasn1 package"""
+ return asn1Type.tagSet.baseTag.tagId
+
+
+def stringToAccessDescription(string):
+ """Helper function that takes a string representing a URI
+ presumably identifying an OCSP authority information access
+ location. Returns an AccessDescription usable by pyasn1."""
+ accessMethod = rfc2459.id_ad_ocsp
+ accessLocation = rfc2459.GeneralName()
+ accessLocation["uniformResourceIdentifier"] = string
+ sequence = univ.Sequence()
+ sequence.setComponentByPosition(0, accessMethod)
+ sequence.setComponentByPosition(1, accessLocation)
+ return sequence
+
+
+def stringToDN(string, tag=None):
+ """Takes a string representing a distinguished name or directory
+ name and returns a Name for use by pyasn1. See the documentation
+ for the issuer and subject fields for more details. Takes an
+ optional implicit tag in cases where the Name needs to be tagged
+ differently."""
+ if string and "/" not in string:
+ string = "/CN=%s" % string
+ rdns = rfc2459.RDNSequence()
+ pattern = "/(C|ST|L|O|OU|CN|emailAddress)="
+ split = re.split(pattern, string)
+ # split should now be [[encoding], <type>, <value>, <type>, <value>, ...]
+ if split[0]:
+ encoding = split[0]
+ else:
+ encoding = "utf8String"
+ for pos, (nameType, value) in enumerate(zip(split[1::2], split[2::2])):
+ ava = rfc2459.AttributeTypeAndValue()
+ if nameType == "C":
+ ava["type"] = rfc2459.id_at_countryName
+ nameComponent = rfc2459.X520countryName(value)
+ elif nameType == "ST":
+ ava["type"] = rfc2459.id_at_stateOrProvinceName
+ nameComponent = rfc2459.X520StateOrProvinceName()
+ elif nameType == "L":
+ ava["type"] = rfc2459.id_at_localityName
+ nameComponent = rfc2459.X520LocalityName()
+ elif nameType == "O":
+ ava["type"] = rfc2459.id_at_organizationName
+ nameComponent = rfc2459.X520OrganizationName()
+ elif nameType == "OU":
+ ava["type"] = rfc2459.id_at_organizationalUnitName
+ nameComponent = rfc2459.X520OrganizationalUnitName()
+ elif nameType == "CN":
+ ava["type"] = rfc2459.id_at_commonName
+ nameComponent = rfc2459.X520CommonName()
+ elif nameType == "emailAddress":
+ ava["type"] = rfc2459.emailAddress
+ nameComponent = rfc2459.Pkcs9email(value)
+ else:
+ raise UnknownDNTypeError(nameType)
+ if not nameType == "C" and not nameType == "emailAddress":
+ # The value may have things like '\0' (i.e. a slash followed by
+ # the number zero) that have to be decoded into the resulting
+ # '\x00' (i.e. a byte with value zero).
+ nameComponent[encoding] = six.ensure_binary(value).decode(
+ encoding="unicode_escape"
+ )
+ ava["value"] = nameComponent
+ rdn = rfc2459.RelativeDistinguishedName()
+ rdn.setComponentByPosition(0, ava)
+ rdns.setComponentByPosition(pos, rdn)
+ if tag:
+ name = rfc2459.Name().subtype(implicitTag=tag)
+ else:
+ name = rfc2459.Name()
+ name.setComponentByPosition(0, rdns)
+ return name
+
+
+def stringToAlgorithmIdentifiers(string):
+ """Helper function that converts a description of an algorithm
+ to a representation usable by the pyasn1 package and a hash
+ algorithm constant for use by pykey."""
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmType = None
+ algorithm = None
+ # We add Null parameters for RSA only
+ addParameters = False
+ if string == "sha1WithRSAEncryption":
+ algorithmType = pykey.HASH_SHA1
+ algorithm = rfc2459.sha1WithRSAEncryption
+ addParameters = True
+ elif string == "sha256WithRSAEncryption":
+ algorithmType = pykey.HASH_SHA256
+ algorithm = univ.ObjectIdentifier("1.2.840.113549.1.1.11")
+ addParameters = True
+ elif string == "md5WithRSAEncryption":
+ algorithmType = pykey.HASH_MD5
+ algorithm = rfc2459.md5WithRSAEncryption
+ addParameters = True
+ elif string == "ecdsaWithSHA256":
+ algorithmType = pykey.HASH_SHA256
+ algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.2")
+ elif string == "ecdsaWithSHA384":
+ algorithmType = pykey.HASH_SHA384
+ algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.3")
+ elif string == "ecdsaWithSHA512":
+ algorithmType = pykey.HASH_SHA512
+ algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.4")
+ else:
+ raise UnknownAlgorithmTypeError(string)
+ algorithmIdentifier["algorithm"] = algorithm
+ if addParameters:
+ # Directly setting parameters to univ.Null doesn't currently work.
+ nullEncapsulated = encoder.encode(univ.Null())
+ algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated)
+ return (algorithmIdentifier, algorithmType)
+
+
+def datetimeToTime(dt):
+ """Takes a datetime object and returns an rfc2459.Time object with
+ that time as its value as a GeneralizedTime"""
+ time = rfc2459.Time()
+ time["generalTime"] = useful.GeneralizedTime(dt.strftime("%Y%m%d%H%M%SZ"))
+ return time
+
+
+def serialBytesToString(serialBytes):
+ """Takes a list of integers in the interval [0, 255] and returns
+ the corresponding serial number string."""
+ serialBytesLen = len(serialBytes)
+ if serialBytesLen > 127:
+ raise InvalidSerialNumber("{} bytes is too long".format(serialBytesLen))
+ # Prepend the ASN.1 INTEGER tag and length bytes.
+ stringBytes = [getASN1Tag(univ.Integer), serialBytesLen] + serialBytes
+ return bytes(stringBytes)
+
+
+class Certificate(object):
+ """Utility class for reading a certificate specification and
+ generating a signed x509 certificate"""
+
+ def __init__(self, paramStream):
+ self.versionValue = 2 # a value of 2 is X509v3
+ self.signature = "sha256WithRSAEncryption"
+ self.issuer = "Default Issuer"
+ actualNow = datetime.datetime.utcnow()
+ self.now = datetime.datetime.strptime(str(actualNow.year), "%Y")
+ aYearAndAWhile = datetime.timedelta(days=400)
+ self.notBefore = self.now - aYearAndAWhile
+ self.notAfter = self.now + aYearAndAWhile
+ self.subject = "Default Subject"
+ self.extensions = None
+ # The serial number can be automatically generated from the
+ # certificate specification. We need this value to depend in
+ # part of what extensions are present. self.extensions are
+ # pyasn1 objects. Depending on the string representation of
+ # these objects can cause the resulting serial number to change
+ # unexpectedly, so instead we depend on the original string
+ # representation of the extensions as specified.
+ self.extensionLines = None
+ self.savedEmbeddedSCTListData = None
+ self.subjectKey = pykey.keyFromSpecification("default")
+ self.issuerKey = pykey.keyFromSpecification("default")
+ self.serialNumber = None
+ self.decodeParams(paramStream)
+ # If a serial number wasn't specified, generate one based on
+ # the certificate contents.
+ if not self.serialNumber:
+ self.serialNumber = self.generateSerialNumber()
+ # This has to be last because the SCT signature depends on the
+ # contents of the certificate.
+ if self.savedEmbeddedSCTListData:
+ self.addEmbeddedSCTListData()
+
+ def generateSerialNumber(self):
+ """Generates a serial number for this certificate based on its
+ contents. Intended to be reproducible for compatibility with
+ the build system on OS X (see the comment above main, later in
+ this file)."""
+ hasher = hashlib.sha256()
+ hasher.update(six.ensure_binary(str(self.versionValue)))
+ hasher.update(six.ensure_binary(self.signature))
+ hasher.update(six.ensure_binary(self.issuer))
+ hasher.update(six.ensure_binary(str(self.notBefore)))
+ hasher.update(six.ensure_binary(str(self.notAfter)))
+ hasher.update(six.ensure_binary(self.subject))
+ if self.extensionLines:
+ for extensionLine in self.extensionLines:
+ hasher.update(six.ensure_binary(extensionLine))
+ if self.savedEmbeddedSCTListData:
+ # savedEmbeddedSCTListData is
+ # (embeddedSCTListSpecification, critical), where |critical|
+ # may be None
+ hasher.update(six.ensure_binary(self.savedEmbeddedSCTListData[0]))
+ if self.savedEmbeddedSCTListData[1]:
+ hasher.update(six.ensure_binary(self.savedEmbeddedSCTListData[1]))
+ serialBytes = [c for c in hasher.digest()[:20]]
+ # Ensure that the most significant bit isn't set (which would
+ # indicate a negative number, which isn't valid for serial
+ # numbers).
+ serialBytes[0] &= 0x7F
+ # Also ensure that the least significant bit on the most
+ # significant byte is set (to prevent a leading zero byte,
+ # which also wouldn't be valid).
+ serialBytes[0] |= 0x01
+ return serialBytesToString(serialBytes)
+
+ def decodeParams(self, paramStream):
+ for line in paramStream.readlines():
+ self.decodeParam(line.strip())
+
+ def decodeParam(self, line):
+ param = line.split(":")[0]
+ value = ":".join(line.split(":")[1:])
+ if param == "version":
+ self.setVersion(value)
+ elif param == "subject":
+ self.subject = value
+ elif param == "issuer":
+ self.issuer = value
+ elif param == "validity":
+ self.decodeValidity(value)
+ elif param == "extension":
+ self.decodeExtension(value)
+ elif param == "issuerKey":
+ self.setupKey("issuer", value)
+ elif param == "subjectKey":
+ self.setupKey("subject", value)
+ elif param == "signature":
+ self.signature = value
+ elif param == "serialNumber":
+ serialNumber = int(value)
+ # Ensure only serial numbers that conform to the rules listed in
+ # generateSerialNumber() are permitted.
+ if serialNumber < 1 or serialNumber > 127:
+ raise InvalidSerialNumber(value)
+ self.serialNumber = serialBytesToString([serialNumber])
+ else:
+ raise UnknownParameterTypeError(param)
+
+ def setVersion(self, version):
+ intVersion = int(version)
+ if intVersion >= 1 and intVersion <= 4:
+ self.versionValue = intVersion - 1
+ else:
+ raise UnknownVersionError(version)
+
+ def decodeValidity(self, duration):
+ match = re.search("([0-9]{8})-([0-9]{8})", duration)
+ if match:
+ self.notBefore = datetime.datetime.strptime(match.group(1), "%Y%m%d")
+ self.notAfter = datetime.datetime.strptime(match.group(2), "%Y%m%d")
+ else:
+ delta = datetime.timedelta(days=(int(duration) / 2))
+ self.notBefore = self.now - delta
+ self.notAfter = self.now + delta
+
+ def decodeExtension(self, extension):
+ match = re.search(r"([a-zA-Z]+)(\[critical\])?:(.*)", extension)
+ if not match:
+ raise UnknownExtensionTypeError(extension)
+ extensionType = match.group(1)
+ critical = match.group(2)
+ value = match.group(3)
+ if extensionType == "basicConstraints":
+ self.addBasicConstraints(value, critical)
+ elif extensionType == "keyUsage":
+ self.addKeyUsage(value, critical)
+ elif extensionType == "extKeyUsage":
+ self.addExtKeyUsage(value, critical)
+ elif extensionType == "subjectAlternativeName":
+ self.addSubjectAlternativeName(value, critical)
+ elif extensionType == "authorityInformationAccess":
+ self.addAuthorityInformationAccess(value, critical)
+ elif extensionType == "certificatePolicies":
+ self.addCertificatePolicies(value, critical)
+ elif extensionType == "nameConstraints":
+ self.addNameConstraints(value, critical)
+ elif extensionType == "nsCertType":
+ self.addNSCertType(value, critical)
+ elif extensionType == "TLSFeature":
+ self.addTLSFeature(value, critical)
+ elif extensionType == "embeddedSCTList":
+ self.savedEmbeddedSCTListData = (value, critical)
+ elif extensionType == "delegationUsage":
+ self.addDelegationUsage(critical)
+ else:
+ raise UnknownExtensionTypeError(extensionType)
+
+ if extensionType != "embeddedSCTList":
+ if not self.extensionLines:
+ self.extensionLines = []
+ self.extensionLines.append(extension)
+
+ def setupKey(self, subjectOrIssuer, value):
+ if subjectOrIssuer == "subject":
+ self.subjectKey = pykey.keyFromSpecification(value)
+ elif subjectOrIssuer == "issuer":
+ self.issuerKey = pykey.keyFromSpecification(value)
+ else:
+ raise UnknownKeyTargetError(subjectOrIssuer)
+
+ def addExtension(self, extensionType, extensionValue, critical):
+ if not self.extensions:
+ self.extensions = []
+ encapsulated = univ.OctetString(encoder.encode(extensionValue))
+ extension = rfc2459.Extension()
+ extension["extnID"] = extensionType
+ # critical is either the string '[critical]' or None.
+ # We only care whether or not it is truthy.
+ if critical:
+ extension["critical"] = True
+ extension["extnValue"] = encapsulated
+ self.extensions.append(extension)
+
+ def addBasicConstraints(self, basicConstraints, critical):
+ cA = basicConstraints.split(",")[0]
+ pathLenConstraint = basicConstraints.split(",")[1]
+ basicConstraintsExtension = rfc2459.BasicConstraints()
+ basicConstraintsExtension["cA"] = cA == "cA"
+ if pathLenConstraint:
+ pathLenConstraintValue = univ.Integer(int(pathLenConstraint)).subtype(
+ subtypeSpec=constraint.ValueRangeConstraint(0, float("inf"))
+ )
+ basicConstraintsExtension["pathLenConstraint"] = pathLenConstraintValue
+ self.addExtension(
+ rfc2459.id_ce_basicConstraints, basicConstraintsExtension, critical
+ )
+
+ def addKeyUsage(self, keyUsage, critical):
+ keyUsageExtension = rfc2459.KeyUsage(keyUsage)
+ self.addExtension(rfc2459.id_ce_keyUsage, keyUsageExtension, critical)
+
+ def keyPurposeToOID(self, keyPurpose):
+ if keyPurpose == "serverAuth":
+ return rfc2459.id_kp_serverAuth
+ if keyPurpose == "clientAuth":
+ return rfc2459.id_kp_clientAuth
+ if keyPurpose == "codeSigning":
+ return rfc2459.id_kp_codeSigning
+ if keyPurpose == "emailProtection":
+ return rfc2459.id_kp_emailProtection
+ if keyPurpose == "nsSGC":
+ return univ.ObjectIdentifier("2.16.840.1.113730.4.1")
+ if keyPurpose == "OCSPSigning":
+ return univ.ObjectIdentifier("1.3.6.1.5.5.7.3.9")
+ if keyPurpose == "timeStamping":
+ return rfc2459.id_kp_timeStamping
+ raise UnknownKeyPurposeTypeError(keyPurpose)
+
+ def addExtKeyUsage(self, extKeyUsage, critical):
+ extKeyUsageExtension = rfc2459.ExtKeyUsageSyntax()
+ for count, keyPurpose in enumerate(extKeyUsage.split(",")):
+ extKeyUsageExtension.setComponentByPosition(
+ count, self.keyPurposeToOID(keyPurpose)
+ )
+ self.addExtension(rfc2459.id_ce_extKeyUsage, extKeyUsageExtension, critical)
+
+ def addSubjectAlternativeName(self, names, critical):
+ IPV4_PREFIX = "ip4:"
+
+ subjectAlternativeName = rfc2459.SubjectAltName()
+ for count, name in enumerate(names.split(",")):
+ generalName = rfc2459.GeneralName()
+ if "/" in name:
+ directoryName = stringToDN(
+ name, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4)
+ )
+ generalName["directoryName"] = directoryName
+ elif "@" in name:
+ generalName["rfc822Name"] = name
+ elif name.startswith(IPV4_PREFIX):
+ generalName["iPAddress"] = socket.inet_pton(
+ socket.AF_INET, name[len(IPV4_PREFIX) :]
+ )
+ else:
+ # The string may have things like '\0' (i.e. a slash
+ # followed by the number zero) that have to be decoded into
+ # the resulting '\x00' (i.e. a byte with value zero).
+ generalName["dNSName"] = six.ensure_binary(name).decode(
+ "unicode_escape"
+ )
+ subjectAlternativeName.setComponentByPosition(count, generalName)
+ self.addExtension(
+ rfc2459.id_ce_subjectAltName, subjectAlternativeName, critical
+ )
+
+ def addAuthorityInformationAccess(self, ocspURI, critical):
+ sequence = univ.Sequence()
+ accessDescription = stringToAccessDescription(ocspURI)
+ sequence.setComponentByPosition(0, accessDescription)
+ self.addExtension(rfc2459.id_pe_authorityInfoAccess, sequence, critical)
+
+ def addCertificatePolicies(self, policyOIDs, critical):
+ policies = rfc2459.CertificatePolicies()
+ for pos, policyOID in enumerate(policyOIDs.split(",")):
+ if policyOID == "any":
+ policyOID = "2.5.29.32.0"
+ policy = rfc2459.PolicyInformation()
+ policyIdentifier = rfc2459.CertPolicyId(policyOID)
+ policy["policyIdentifier"] = policyIdentifier
+ policies.setComponentByPosition(pos, policy)
+ self.addExtension(rfc2459.id_ce_certificatePolicies, policies, critical)
+
+ def addNameConstraints(self, constraints, critical):
+ nameConstraints = rfc2459.NameConstraints()
+ if constraints.startswith("permitted:"):
+ (subtreesType, subtreesTag) = ("permittedSubtrees", 0)
+ elif constraints.startswith("excluded:"):
+ (subtreesType, subtreesTag) = ("excludedSubtrees", 1)
+ else:
+ raise UnknownNameConstraintsSpecificationError(constraints)
+ generalSubtrees = rfc2459.GeneralSubtrees().subtype(
+ implicitTag=tag.Tag(
+ tag.tagClassContext, tag.tagFormatConstructed, subtreesTag
+ )
+ )
+ subtrees = constraints[(constraints.find(":") + 1) :]
+ for pos, name in enumerate(subtrees.split(",")):
+ generalName = rfc2459.GeneralName()
+ if "/" in name:
+ directoryName = stringToDN(
+ name, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4)
+ )
+ generalName["directoryName"] = directoryName
+ else:
+ generalName["dNSName"] = name
+ generalSubtree = rfc2459.GeneralSubtree()
+ generalSubtree["base"] = generalName
+ generalSubtrees.setComponentByPosition(pos, generalSubtree)
+ nameConstraints[subtreesType] = generalSubtrees
+ self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints, critical)
+
+ def addNSCertType(self, certType, critical):
+ if certType != "sslServer":
+ raise UnknownNSCertTypeError(certType)
+ self.addExtension(
+ univ.ObjectIdentifier("2.16.840.1.113730.1.1"),
+ univ.BitString("'01'B"),
+ critical,
+ )
+
+ def addDelegationUsage(self, critical):
+ if critical:
+ raise UnknownDelegatedCredentialError(critical)
+ self.addExtension(
+ univ.ObjectIdentifier("1.3.6.1.4.1.44363.44"), univ.Null(), critical
+ )
+
+ def addTLSFeature(self, features, critical):
+ namedFeatures = {"OCSPMustStaple": 5}
+ featureList = [f.strip() for f in features.split(",")]
+ sequence = univ.Sequence()
+ for pos, feature in enumerate(featureList):
+ featureValue = 0
+ try:
+ featureValue = int(feature)
+ except ValueError:
+ try:
+ featureValue = namedFeatures[feature]
+ except Exception:
+ raise UnknownTLSFeature(feature)
+ sequence.setComponentByPosition(pos, univ.Integer(featureValue))
+ self.addExtension(
+ univ.ObjectIdentifier("1.3.6.1.5.5.7.1.24"), sequence, critical
+ )
+
+ def addEmbeddedSCTListData(self):
+ (scts, critical) = self.savedEmbeddedSCTListData
+ encodedSCTs = []
+ for sctSpec in scts.split(","):
+ match = re.search(r"(\w+):(\d{8})", sctSpec)
+ if not match:
+ raise InvalidSCTSpecification(sctSpec)
+ keySpec = match.group(1)
+ key = pykey.keyFromSpecification(keySpec)
+ time = datetime.datetime.strptime(match.group(2), "%Y%m%d")
+ tbsCertificate = self.getTBSCertificate()
+ tbsDER = encoder.encode(tbsCertificate)
+ sct = pyct.SCT(key, time, tbsDER, self.issuerKey)
+ signed = sct.signAndEncode()
+ lengthPrefix = pack("!H", len(signed))
+ encodedSCTs.append(lengthPrefix + signed)
+ encodedSCTBytes = b"".join(encodedSCTs)
+ lengthPrefix = pack("!H", len(encodedSCTBytes))
+ extensionBytes = lengthPrefix + encodedSCTBytes
+ self.addExtension(
+ univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2"),
+ univ.OctetString(extensionBytes),
+ critical,
+ )
+
+ def getVersion(self):
+ return rfc2459.Version(self.versionValue).subtype(
+ explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)
+ )
+
+ def getSerialNumber(self):
+ return decoder.decode(self.serialNumber)[0]
+
+ def getIssuer(self):
+ return stringToDN(self.issuer)
+
+ def getValidity(self):
+ validity = rfc2459.Validity()
+ validity["notBefore"] = self.getNotBefore()
+ validity["notAfter"] = self.getNotAfter()
+ return validity
+
+ def getNotBefore(self):
+ return datetimeToTime(self.notBefore)
+
+ def getNotAfter(self):
+ return datetimeToTime(self.notAfter)
+
+ def getSubject(self):
+ return stringToDN(self.subject)
+
+ def getTBSCertificate(self):
+ (signatureOID, _) = stringToAlgorithmIdentifiers(self.signature)
+ tbsCertificate = rfc2459.TBSCertificate()
+ tbsCertificate["version"] = self.getVersion()
+ tbsCertificate["serialNumber"] = self.getSerialNumber()
+ tbsCertificate["signature"] = signatureOID
+ tbsCertificate["issuer"] = self.getIssuer()
+ tbsCertificate["validity"] = self.getValidity()
+ tbsCertificate["subject"] = self.getSubject()
+ tbsCertificate[
+ "subjectPublicKeyInfo"
+ ] = self.subjectKey.asSubjectPublicKeyInfo()
+ if self.extensions:
+ extensions = rfc2459.Extensions().subtype(
+ explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)
+ )
+ for count, extension in enumerate(self.extensions):
+ extensions.setComponentByPosition(count, extension)
+ tbsCertificate["extensions"] = extensions
+ return tbsCertificate
+
+ def toDER(self):
+ (signatureOID, hashAlgorithm) = stringToAlgorithmIdentifiers(self.signature)
+ certificate = rfc2459.Certificate()
+ tbsCertificate = self.getTBSCertificate()
+ certificate["tbsCertificate"] = tbsCertificate
+ certificate["signatureAlgorithm"] = signatureOID
+ tbsDER = encoder.encode(tbsCertificate)
+ certificate["signatureValue"] = self.issuerKey.sign(tbsDER, hashAlgorithm)
+ return encoder.encode(certificate)
+
+ def toPEM(self):
+ output = "-----BEGIN CERTIFICATE-----"
+ der = self.toDER()
+ b64 = six.ensure_text(base64.b64encode(der))
+ while b64:
+ output += "\n" + b64[:64]
+ b64 = b64[64:]
+ output += "\n-----END CERTIFICATE-----"
+ return output
+
+
+# The build harness will call this function with an output
+# file-like object and a path to a file containing a
+# specification. This will read the specification and output
+# the certificate as PEM.
+def main(output, inputPath):
+ with open(inputPath) as configStream:
+ output.write(Certificate(configStream).toPEM() + "\n")
+
+
+# When run as a standalone program, this will read a specification from
+# stdin and output the certificate as PEM to stdout.
+if __name__ == "__main__":
+ print(Certificate(sys.stdin).toPEM())
diff --git a/security/manager/tools/pycms.py b/security/manager/tools/pycms.py
new file mode 100755
index 0000000000..1717513fdf
--- /dev/null
+++ b/security/manager/tools/pycms.py
@@ -0,0 +1,219 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Reads a specification from stdin and outputs a PKCS7 (CMS) message with
+the desired properties.
+
+The specification format is as follows:
+
+sha1:<hex string>
+sha256:<hex string>
+signer:
+<pycert specification>
+
+Eith or both of sha1 and sha256 may be specified. The value of
+each hash directive is what will be put in the messageDigest
+attribute of the SignerInfo that corresponds to the signature
+algorithm defined by the hash algorithm and key type of the
+default key. Together, these comprise the signerInfos field of
+the SignedData. If neither hash is specified, the signerInfos
+will be an empty SET (i.e. there will be no actual signature
+information).
+The certificate specification must come last.
+"""
+
+import base64
+import sys
+from io import StringIO
+
+import pycert
+import pykey
+from pyasn1.codec.der import decoder, encoder
+from pyasn1.type import tag, univ
+from pyasn1_modules import rfc2315, rfc2459
+
+
+class Error(Exception):
+ """Base class for exceptions in this module."""
+
+ pass
+
+
+class UnknownDirectiveError(Error):
+ """Helper exception type to handle unknown specification
+ directives."""
+
+ def __init__(self, directive):
+ super(UnknownDirectiveError, self).__init__()
+ self.directive = directive
+
+ def __str__(self):
+ return "Unknown directive %s" % repr(self.directive)
+
+
+class CMS(object):
+ """Utility class for reading a CMS specification and
+ generating a CMS message"""
+
+ def __init__(self, paramStream):
+ self.sha1 = ""
+ self.sha256 = ""
+ signerSpecification = StringIO()
+ readingSignerSpecification = False
+ for line in paramStream.readlines():
+ if readingSignerSpecification:
+ print(line.strip(), file=signerSpecification)
+ elif line.strip() == "signer:":
+ readingSignerSpecification = True
+ elif line.startswith("sha1:"):
+ self.sha1 = line.strip()[len("sha1:") :]
+ elif line.startswith("sha256:"):
+ self.sha256 = line.strip()[len("sha256:") :]
+ else:
+ raise UnknownDirectiveError(line.strip())
+ signerSpecification.seek(0)
+ self.signer = pycert.Certificate(signerSpecification)
+ self.signingKey = pykey.keyFromSpecification("default")
+
+ def buildAuthenticatedAttributes(self, value, implicitTag=None):
+ """Utility function to build a pyasn1 AuthenticatedAttributes
+ object. Useful because when building a SignerInfo, the
+ authenticatedAttributes needs to be tagged implicitly, but when
+ signing an AuthenticatedAttributes, it needs the explicit SET
+ tag."""
+ if implicitTag:
+ authenticatedAttributes = rfc2315.Attributes().subtype(
+ implicitTag=implicitTag
+ )
+ else:
+ authenticatedAttributes = rfc2315.Attributes()
+ contentTypeAttribute = rfc2315.Attribute()
+ # PKCS#9 contentType
+ contentTypeAttribute["type"] = univ.ObjectIdentifier("1.2.840.113549.1.9.3")
+ contentTypeAttribute["values"] = univ.SetOf(rfc2459.AttributeValue())
+ # PKCS#7 data
+ contentTypeAttribute["values"][0] = univ.ObjectIdentifier(
+ "1.2.840.113549.1.7.1"
+ )
+ authenticatedAttributes[0] = contentTypeAttribute
+ hashAttribute = rfc2315.Attribute()
+ # PKCS#9 messageDigest
+ hashAttribute["type"] = univ.ObjectIdentifier("1.2.840.113549.1.9.4")
+ hashAttribute["values"] = univ.SetOf(rfc2459.AttributeValue())
+ hashAttribute["values"][0] = univ.OctetString(hexValue=value)
+ authenticatedAttributes[1] = hashAttribute
+ return authenticatedAttributes
+
+ def pykeyHashToDigestAlgorithm(self, pykeyHash):
+ """Given a pykey hash algorithm identifier, builds an
+ AlgorithmIdentifier for use with pyasn1."""
+ if pykeyHash == pykey.HASH_SHA1:
+ oidString = "1.3.14.3.2.26"
+ elif pykeyHash == pykey.HASH_SHA256:
+ oidString = "2.16.840.1.101.3.4.2.1"
+ else:
+ raise pykey.UnknownHashAlgorithmError(pykeyHash)
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmIdentifier["algorithm"] = univ.ObjectIdentifier(oidString)
+ # Directly setting parameters to univ.Null doesn't currently work.
+ nullEncapsulated = encoder.encode(univ.Null())
+ algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated)
+ return algorithmIdentifier
+
+ def buildSignerInfo(self, certificate, pykeyHash, digestValue):
+ """Given a pyasn1 certificate, a pykey hash identifier
+ and a hash value, creates a SignerInfo with the
+ appropriate values."""
+ signerInfo = rfc2315.SignerInfo()
+ signerInfo["version"] = 1
+ issuerAndSerialNumber = rfc2315.IssuerAndSerialNumber()
+ issuerAndSerialNumber["issuer"] = self.signer.getIssuer()
+ issuerAndSerialNumber["serialNumber"] = certificate["tbsCertificate"][
+ "serialNumber"
+ ]
+ signerInfo["issuerAndSerialNumber"] = issuerAndSerialNumber
+ signerInfo["digestAlgorithm"] = self.pykeyHashToDigestAlgorithm(pykeyHash)
+ rsa = rfc2459.AlgorithmIdentifier()
+ rsa["algorithm"] = rfc2459.rsaEncryption
+ rsa["parameters"] = univ.Null()
+ authenticatedAttributes = self.buildAuthenticatedAttributes(
+ digestValue,
+ implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0),
+ )
+ authenticatedAttributesTBS = self.buildAuthenticatedAttributes(digestValue)
+ signerInfo["authenticatedAttributes"] = authenticatedAttributes
+ signerInfo["digestEncryptionAlgorithm"] = rsa
+ authenticatedAttributesEncoded = encoder.encode(authenticatedAttributesTBS)
+ signature = self.signingKey.sign(authenticatedAttributesEncoded, pykeyHash)
+ # signature will be a hexified bit string of the form
+ # "'<hex bytes>'H". For some reason that's what BitString wants,
+ # but since this is an OCTET STRING, we have to strip off the
+ # quotation marks and trailing "H".
+ signerInfo["encryptedDigest"] = univ.OctetString(hexValue=signature[1:-2])
+ return signerInfo
+
+ def toDER(self):
+ contentInfo = rfc2315.ContentInfo()
+ contentInfo["contentType"] = rfc2315.signedData
+
+ signedData = rfc2315.SignedData()
+ signedData["version"] = rfc2315.Version(1)
+
+ digestAlgorithms = rfc2315.DigestAlgorithmIdentifiers()
+ digestAlgorithms[0] = self.pykeyHashToDigestAlgorithm(pykey.HASH_SHA1)
+ signedData["digestAlgorithms"] = digestAlgorithms
+
+ dataContentInfo = rfc2315.ContentInfo()
+ dataContentInfo["contentType"] = rfc2315.data
+ signedData["contentInfo"] = dataContentInfo
+
+ certificates = rfc2315.ExtendedCertificatesAndCertificates().subtype(
+ implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)
+ )
+ extendedCertificateOrCertificate = rfc2315.ExtendedCertificateOrCertificate()
+ certificate = decoder.decode(
+ self.signer.toDER(), asn1Spec=rfc2459.Certificate()
+ )[0]
+ extendedCertificateOrCertificate["certificate"] = certificate
+ certificates[0] = extendedCertificateOrCertificate
+ signedData["certificates"] = certificates
+
+ signerInfos = rfc2315.SignerInfos()
+
+ if len(self.sha1) > 0:
+ signerInfos[len(signerInfos)] = self.buildSignerInfo(
+ certificate, pykey.HASH_SHA1, self.sha1
+ )
+ if len(self.sha256) > 0:
+ signerInfos[len(signerInfos)] = self.buildSignerInfo(
+ certificate, pykey.HASH_SHA256, self.sha256
+ )
+ signedData["signerInfos"] = signerInfos
+
+ encoded = encoder.encode(signedData)
+ anyTag = univ.Any(encoded).subtype(
+ explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)
+ )
+
+ contentInfo["content"] = anyTag
+ return encoder.encode(contentInfo)
+
+ def toPEM(self):
+ output = "-----BEGIN PKCS7-----"
+ der = self.toDER()
+ b64 = base64.b64encode(der)
+ while b64:
+ output += "\n" + b64[:64]
+ b64 = b64[64:]
+ output += "\n-----END PKCS7-----\n"
+ return output
+
+
+# When run as a standalone program, this will read a specification from
+# stdin and output the certificate as PEM to stdout.
+if __name__ == "__main__":
+ print(CMS(sys.stdin).toPEM())
diff --git a/security/manager/tools/pyct.py b/security/manager/tools/pyct.py
new file mode 100644
index 0000000000..8f9d61b72b
--- /dev/null
+++ b/security/manager/tools/pyct.py
@@ -0,0 +1,103 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Helper library for creating a Signed Certificate Timestamp given the
+details of a signing key, when to sign, and the certificate data to
+sign. Currently only supports precert_entry types. See RFC 6962.
+"""
+
+import binascii
+import calendar
+import hashlib
+from struct import pack
+
+import pykey
+from pyasn1.codec.der import encoder
+
+
+class InvalidKeyError(Exception):
+ """Helper exception to handle unknown key types."""
+
+ def __init__(self, key):
+ self.key = key
+
+ def __str__(self):
+ return 'Invalid key: "%s"' % str(self.key)
+
+
+class SCT(object):
+ """SCT represents a Signed Certificate Timestamp."""
+
+ def __init__(self, key, date, tbsCertificate, issuerKey):
+ self.key = key
+ self.timestamp = calendar.timegm(date.timetuple()) * 1000
+ self.tbsCertificate = tbsCertificate
+ self.issuerKey = issuerKey
+
+ def signAndEncode(self):
+ """Returns a signed and encoded representation of the SCT as a
+ string."""
+ # The signature is over the following data:
+ # sct_version (one 0 byte)
+ # signature_type (one 0 byte)
+ # timestamp (8 bytes, milliseconds since the epoch)
+ # entry_type (two bytes [0, 1] - currently only precert_entry is
+ # supported)
+ # signed_entry (bytes of PreCert)
+ # extensions (2-byte-length-prefixed, currently empty (so two 0
+ # bytes))
+ # A PreCert is:
+ # issuer_key_hash (32 bytes of SHA-256 hash of the issuing
+ # public key, as DER-encoded SPKI)
+ # tbs_certificate (3-byte-length-prefixed data)
+ timestamp = pack("!Q", self.timestamp)
+ hasher = hashlib.sha256()
+ hasher.update(encoder.encode(self.issuerKey.asSubjectPublicKeyInfo()))
+ issuer_key_hash = hasher.digest()
+ len_prefix = pack("!L", len(self.tbsCertificate))[1:]
+ data = (
+ b"\0\0"
+ + timestamp
+ + b"\0\1"
+ + issuer_key_hash
+ + len_prefix
+ + self.tbsCertificate
+ + b"\0\0"
+ )
+ if isinstance(self.key, pykey.ECCKey):
+ signatureByte = b"\3"
+ elif isinstance(self.key, pykey.RSAKey):
+ signatureByte = b"\1"
+ else:
+ raise InvalidKeyError(self.key)
+ # sign returns a hex string like "'<hex bytes>'H", but we want
+ # bytes here
+ hexSignature = self.key.sign(data, pykey.HASH_SHA256)
+ signature = binascii.unhexlify(hexSignature[1:-2])
+ # The actual data returned is the following:
+ # sct_version (one 0 byte)
+ # id (32 bytes of SHA-256 hash of the signing key, as
+ # DER-encoded SPKI)
+ # timestamp (8 bytes, milliseconds since the epoch)
+ # extensions (2-byte-length-prefixed data, currently
+ # empty)
+ # hash (one 4 byte representing sha256)
+ # signature (one byte - 1 for RSA and 3 for ECDSA)
+ # signature (2-byte-length-prefixed data)
+ hasher = hashlib.sha256()
+ hasher.update(encoder.encode(self.key.asSubjectPublicKeyInfo()))
+ key_id = hasher.digest()
+ signature_len_prefix = pack("!H", len(signature))
+ return (
+ b"\0"
+ + key_id
+ + timestamp
+ + b"\0\0\4"
+ + signatureByte
+ + signature_len_prefix
+ + signature
+ )
diff --git a/security/manager/tools/pykey.py b/security/manager/tools/pykey.py
new file mode 100755
index 0000000000..fec8021c26
--- /dev/null
+++ b/security/manager/tools/pykey.py
@@ -0,0 +1,957 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Reads a key specification from stdin or a file and outputs a
+PKCS #8 file representing the (private) key. Also provides
+methods for signing data and representing the key as a subject
+public key info for use with pyasn1.
+
+The key specification format is as follows:
+
+default: a 2048-bit RSA key
+alternate: a different 2048-bit RSA key
+ev: a 2048-bit RSA key that, when combined with the right pycert
+ specification, results in a certificate that is enabled for
+ extended validation in debug Firefox (see ExtendedValidation.cpp).
+evRSA2040: a 2040-bit RSA key that, when combined with the right pycert
+ specification, results in a certificate that is enabled for
+ extended validation in debug Firefox.
+rsa2040: a 2040-bit RSA key
+rsa1024: a 1024-bit RSA key
+rsa1016: a 1016-bit RSA key
+secp256k1: an ECC key on the curve secp256k1
+secp244r1: an ECC key on the curve secp244r1
+secp256r1: an ECC key on the curve secp256r1
+secp384r1: an ECC key on the curve secp384r1
+secp521r1: an ECC key on the curve secp521r1
+"""
+
+import base64
+import binascii
+import hashlib
+import math
+import sys
+
+import ecdsa
+import rsa
+import six
+from pyasn1.codec.der import encoder
+from pyasn1.type import namedtype, tag, univ
+from pyasn1_modules import rfc2459
+
+# "constants" to make it easier for consumers to specify hash algorithms
+HASH_MD5 = "hash:md5"
+HASH_SHA1 = "hash:sha1"
+HASH_SHA256 = "hash:sha256"
+HASH_SHA384 = "hash:sha384"
+HASH_SHA512 = "hash:sha512"
+
+
+# NOTE: With bug 1621441 we migrated from one library for ecdsa to another.
+# These libraries differ somewhat in terms of functionality and interface. In
+# order to ensure there are no diffs and that the generated signatures are
+# exactly the same between the two libraries, we need to patch some stuff in.
+
+
+def _gen_k(curve):
+ # This calculation is arbitrary, but it matches what we were doing pre-
+ # bug 1621441 (see the above NOTE). Crucially, this generation of k is
+ # non-random; the ecdsa library exposes an option to deterministically
+ # generate a value of k for us, but it doesn't match up to what we were
+ # doing before so we have to inject a custom value.
+ num_bytes = int(math.log(curve.order - 1, 2) + 1) // 8 + 8
+ entropy = int.from_bytes(b"\04" * num_bytes, byteorder="big")
+ p = curve.curve.p()
+ return (entropy % (p - 1)) + 1
+
+
+# As above, the library has built-in logic for truncating digests that are too
+# large, but they use a slightly different technique than our previous library.
+# Re-implement that logic here.
+def _truncate_digest(digest, curve):
+ i = int.from_bytes(digest, byteorder="big")
+ p = curve.curve.p()
+ while i > p:
+ i >>= 1
+ return i.to_bytes(math.ceil(i.bit_length() / 8), byteorder="big")
+
+
+def byteStringToHexifiedBitString(string):
+ """Takes a string of bytes and returns a hex string representing
+ those bytes for use with pyasn1.type.univ.BitString. It must be of
+ the form "'<hex bytes>'H", where the trailing 'H' indicates to
+ pyasn1 that the input is a hex string."""
+ return "'%s'H" % six.ensure_binary(string).hex()
+
+
+class UnknownBaseError(Exception):
+ """Base class for handling unexpected input in this module."""
+
+ def __init__(self, value):
+ super(UnknownBaseError, self).__init__()
+ self.value = value
+ self.category = "input"
+
+ def __str__(self):
+ return 'Unknown %s type "%s"' % (self.category, repr(self.value))
+
+
+class UnknownKeySpecificationError(UnknownBaseError):
+ """Helper exception type to handle unknown key specifications."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "key specification"
+
+
+class UnknownHashAlgorithmError(UnknownBaseError):
+ """Helper exception type to handle unknown key specifications."""
+
+ def __init__(self, value):
+ UnknownBaseError.__init__(self, value)
+ self.category = "hash algorithm"
+
+
+class UnsupportedHashAlgorithmError(Exception):
+ """Helper exception type for unsupported hash algorithms."""
+
+ def __init__(self, value):
+ super(UnsupportedHashAlgorithmError, self).__init__()
+ self.value = value
+
+ def __str__(self):
+ return 'Unsupported hash algorithm "%s"' % repr(self.value)
+
+
+class RSAPublicKey(univ.Sequence):
+ """Helper type for encoding an RSA public key"""
+
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType("N", univ.Integer()),
+ namedtype.NamedType("E", univ.Integer()),
+ )
+
+
+class RSAPrivateKey(univ.Sequence):
+ """Helper type for encoding an RSA private key"""
+
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType("version", univ.Integer()),
+ namedtype.NamedType("modulus", univ.Integer()),
+ namedtype.NamedType("publicExponent", univ.Integer()),
+ namedtype.NamedType("privateExponent", univ.Integer()),
+ namedtype.NamedType("prime1", univ.Integer()),
+ namedtype.NamedType("prime2", univ.Integer()),
+ namedtype.NamedType("exponent1", univ.Integer()),
+ namedtype.NamedType("exponent2", univ.Integer()),
+ namedtype.NamedType("coefficient", univ.Integer()),
+ )
+
+
+class ECPrivateKey(univ.Sequence):
+ """Helper type for encoding an EC private key
+ ECPrivateKey ::= SEQUENCE {
+ version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ privateKey OCTET STRING,
+ parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ (NOTE: parameters field is not supported)
+ publicKey [1] BIT STRING OPTIONAL
+ }"""
+
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType("version", univ.Integer()),
+ namedtype.NamedType("privateKey", univ.OctetString()),
+ namedtype.OptionalNamedType(
+ "publicKey",
+ univ.BitString().subtype(
+ explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)
+ ),
+ ),
+ )
+
+
+class ECPoint(univ.Sequence):
+ """Helper type for encoding a EC point"""
+
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType("x", univ.Integer()),
+ namedtype.NamedType("y", univ.Integer()),
+ )
+
+
+class PrivateKeyInfo(univ.Sequence):
+ """Helper type for encoding a PKCS #8 private key info"""
+
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType("version", univ.Integer()),
+ namedtype.NamedType("privateKeyAlgorithm", rfc2459.AlgorithmIdentifier()),
+ namedtype.NamedType("privateKey", univ.OctetString()),
+ )
+
+
+class RSAKey(object):
+ # For reference, when encoded as a subject public key info, the
+ # base64-encoded sha-256 hash of this key is
+ # VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=
+ sharedRSA_N = int(
+ "00ba8851a8448e16d641fd6eb6880636103d3c13d9eae4354ab4ecf56857"
+ "6c247bc1c725a8e0d81fbdb19c069b6e1a86f26be2af5a756b6a6471087a"
+ "a55aa74587f71cd5249c027ecd43fc1e69d038202993ab20c349e4dbb94c"
+ "c26b6c0eed15820ff17ead691ab1d3023a8b2a41eea770e00f0d8dfd660b"
+ "2bb02492a47db988617990b157903dd23bc5e0b8481fa837d38843ef2716"
+ "d855b7665aaa7e02902f3a7b10800624cc1c6c97ad96615bb7e29612c075"
+ "31a30c91ddb4caf7fcad1d25d309efb9170ea768e1b37b2f226f69e3b48a"
+ "95611dee26d6259dab91084e36cb1c24042cbf168b2fe5f18f991731b8b3"
+ "fe4923fa7251c431d503acda180a35ed8d",
+ 16,
+ )
+ sharedRSA_E = 65537
+ sharedRSA_D = int(
+ "009ecbce3861a454ecb1e0fe8f85dd43c92f5825ce2e997884d0e1a949da"
+ "a2c5ac559b240450e5ac9fe0c3e31c0eefa6525a65f0c22194004ee1ab46"
+ "3dde9ee82287cc93e746a91929c5e6ac3d88753f6c25ba5979e73e5d8fb2"
+ "39111a3cdab8a4b0cdf5f9cab05f1233a38335c64b5560525e7e3b92ad7c"
+ "7504cf1dc7cb005788afcbe1e8f95df7402a151530d5808346864eb370aa"
+ "79956a587862cb533791307f70d91c96d22d001a69009b923c683388c9f3"
+ "6cb9b5ebe64302041c78d908206b87009cb8cabacad3dbdb2792fb911b2c"
+ "f4db6603585be9ae0ca3b8e6417aa04b06e470ea1a3b581ca03a6781c931"
+ "5b62b30e6011f224725946eec57c6d9441",
+ 16,
+ )
+ sharedRSA_P = int(
+ "00dd6e1d4fffebf68d889c4d114cdaaa9caa63a59374286c8a5c29a717bb"
+ "a60375644d5caa674c4b8bc7326358646220e4550d7608ac27d55b6db74f"
+ "8d8127ef8fa09098b69147de065573447e183d22fe7d885aceb513d9581d"
+ "d5e07c1a90f5ce0879de131371ecefc9ce72e9c43dc127d238190de81177"
+ "3ca5d19301f48c742b",
+ 16,
+ )
+ sharedRSA_Q = int(
+ "00d7a773d9ebc380a767d2fec0934ad4e8b5667240771acdebb5ad796f47"
+ "8fec4d45985efbc9532968289c8d89102fadf21f34e2dd4940eba8c09d6d"
+ "1f16dcc29729774c43275e9251ddbe4909e1fd3bf1e4bedf46a39b8b3833"
+ "28ef4ae3b95b92f2070af26c9e7c5c9b587fedde05e8e7d86ca57886fb16"
+ "5810a77b9845bc3127",
+ 16,
+ )
+ sharedRSA_exp1 = int(
+ "0096472b41a610c0ade1af2266c1600e3671355ba42d4b5a0eb4e9d7eb35"
+ "81400ba5dd132cdb1a5e9328c7bbc0bbb0155ea192972edf97d12751d8fc"
+ "f6ae572a30b1ea309a8712dd4e33241db1ee455fc093f5bc9b592d756e66"
+ "21474f32c07af22fb275d340792b32ba2590bbb261aefb95a258eea53765"
+ "5315be9c24d191992d",
+ 16,
+ )
+ sharedRSA_exp2 = int(
+ "28b450a7a75a856413b2bda6f7a63e3d964fb9ecf50e3823ef6cc8e8fa26"
+ "ee413f8b9d1205540f12bbe7a0c76828b7ba65ad83cca4d0fe2a220114e1"
+ "b35d03d5a85bfe2706bd50fce6cfcdd571b46ca621b8ed47d605bbe765b0"
+ "aa4a0665ac25364da20154032e1204b8559d3e34fb5b177c9a56ff93510a"
+ "5a4a6287c151de2d",
+ 16,
+ )
+ sharedRSA_coef = int(
+ "28067b9355801d2ef52dfa96d8adb589673cf8ee8a9c6ff72aeeabe9ef6b"
+ "e58a4f4abf05f788947dc851fdaa34542147a71a246bfb054ee76aa346ab"
+ "cd2692cfc9e44c51e6f069c735e073ba019f6a7214961c91b26871caeabf"
+ "8f064418a02690e39a8d5ff3067b7cdb7f50b1f53418a703966c4fc774bf"
+ "7402af6c43247f43",
+ 16,
+ )
+
+ # For reference, when encoded as a subject public key info, the
+ # base64-encoded sha-256 hash of this key is
+ # MQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJI=
+ alternateRSA_N = int(
+ "00c175c65266099f77082a6791f1b876c37f5ce538b06c4acd22b1cbd46f"
+ "a65ada2add41c8c2498ac4a3b3c1f61487f41b698941bd80a51c3c120244"
+ "c584a4c4483305e5138c0106cf08be9a862760bae6a2e8f36f23c5d98313"
+ "b9dfaf378345dace51d4d6dcd2a6cb3cc706ebcd3070ec98cce40aa591d7"
+ "295a7f71c5be66691d2b2dfec84944590bc5a3ea49fd93b1d753405f1773"
+ "7699958666254797ed426908880811422069988a43fee48ce68781dd22b6"
+ "a69cd28375131f932b128ce286fa7d251c062ad27ef016f187cdd54e832b"
+ "35b8930f74ba90aa8bc76167242ab1fd6d62140d18c4c0b8c68fc3748457"
+ "324ad7de86e6552f1d1e191d712168d3bb",
+ 16,
+ )
+ alternateRSA_E = 65537
+ alternateRSA_D = int(
+ "7e3f6d7cb839ef66ae5d7dd92ff5410bb341dc14728d39034570e1a37079"
+ "0f30f0681355fff41e2ad4e9a9d9fcebfbd127bdfab8c00affb1f3cea732"
+ "7ead47aa1621f2ac1ee14ca02f04b3b2786017980b181a449d03b03e69d1"
+ "12b83571e55434f012056575d2832ed6731dce799e37c83f6d51c55ab71e"
+ "b58015af05e1af15c747603ef7f27d03a6ff049d96bbf854c1e4e50ef5b0"
+ "58d0fb08180e0ac7f7be8f2ff1673d97fc9e55dba838077bbf8a7cff2962"
+ "857785269cd9d5bad2b57469e4afcd33c4ca2d2f699f11e7c8fbdcd484f0"
+ "8d8efb8a3cb8a972eb24bed972efaae4bb712093e48fe94a46eb629a8750"
+ "78c4021a9a2c93c9a70390e9d0a54401",
+ 16,
+ )
+ alternateRSA_P = int(
+ "00e63fc725a6ba76925a7ff8cb59c4f56dd7ec83fe85bf1f53e11cac9a81"
+ "258bcfc0ae819077b0f2d1477aaf868de6a8ecbeaf7bb22b196f2a9ad82d"
+ "3286f0d0cc29de719e5f2be8e509b7284d5963edd362f927887a4c4a8979"
+ "9d340d51b301ac7601ab27179024fcaadd38bf6522af63eb16461ec02a7f"
+ "27b06fe09ddda7c0a1",
+ 16,
+ )
+ alternateRSA_Q = int(
+ "00d718b1fe9f8f99f00e832ae1fbdc6fe2ab27f34e049c498010fa0eb708"
+ "4852182346083b5c96c3eee5592c014a410c6b930b165c13b5c26aa32eac"
+ "6e7c925a8551c25134f2f4a72c6421f19a73148a0edfaba5d3a6888b35cb"
+ "a18c00fd38ee5aaf0b545731d720761bbccdee744a52ca415e98e4de01cd"
+ "fe764c1967b3e8cadb",
+ 16,
+ )
+ alternateRSA_exp1 = int(
+ "01e5aca266c94a88d22e13c2b92ea247116c657a076817bdfd30db4b3a9d"
+ "3095b9a4b6749647e2f84e7a784fc7838b08c85971cf7a036fa30e3b91c3"
+ "c4d0df278f80c1b6e859d8456adb137defaa9f1f0ac5bac9a9184fd4ea27"
+ "9d722ea626f160d78aad7bc83845ccb29df115c83f61b7622b99bd439c60"
+ "9b5790a63c595181",
+ 16,
+ )
+ alternateRSA_exp2 = int(
+ "0080cc45d10d2484ee0d1297fc07bf80b3beff461ea27e1f38f371789c3a"
+ "f66b4a0edd2192c227791db4f1c77ae246bf342f31856b0f56581b58a95b"
+ "1131c0c5396db2a8c3c6f39ea2e336bc205ae6a2a0b36869fca98cbba733"
+ "cf01319a6f9bb26b7ca23d3017fc551cd8da8afdd17f6fa2e30d34868798"
+ "1cd6234d571e90b7df",
+ 16,
+ )
+ alternateRSA_coef = int(
+ "6f77c0c1f2ae7ac169561cca499c52bdfbe04cddccdbdc12aec5a85691e8"
+ "594b7ee29908f30e7b96aa6254b80ed4aeec9b993782bdfc79b69d8d58c6"
+ "8870fa4be1bc0c3527288c5c82bb4aebaf15edff110403fc78e6ace6a828"
+ "27bf42f0cfa751e507651c5638db9393dd23dd1f6b295151de44b77fe55a"
+ "7b0df271e19a65c0",
+ 16,
+ )
+
+ evRSA_N = int(
+ "00b549895c9d00108d11a1f99f87a9e3d1a5db5dfaecf188da57bf641368"
+ "8f2ce4722cff109038c17402c93a2a473dbd286aed3fdcd363cf5a291477"
+ "01bdd818d7615bf9356bd5d3c8336aaa8c0971368a06c3cd4461b93e5142"
+ "4e1744bb2eaad46aab38ce196821961f87714a1663693f09761cdf4d6ba1"
+ "25eacec7be270d388f789f6cdf78ae3144ed28c45e79293863a7a22a4898"
+ "0a36a40e72d579c9b925dff8c793362ffd6897a7c1754c5e97c967c3eadd"
+ "1aae8aa2ccce348a0169b80e28a2d70c1a960c6f335f2da09b9b643f5abf"
+ "ba49e8aaa981e960e27d87480bdd55dd9417fa18509fbb554ccf81a4397e"
+ "8ba8128a34bdf27865c189e5734fb22905",
+ 16,
+ )
+ evRSA_E = 65537
+ evRSA_D = int(
+ "00983d54f94d6f4c76eb23d6f93d78523530cf73b0d16254c6e781768d45"
+ "f55681d1d02fb2bd2aac6abc1c389860935c52a0d8f41482010394778314"
+ "1d864bff30803638a5c0152570ae9d18f3d8ca163efb475b0dddf32e7e16"
+ "ec7565e6bb5e025c41c5c66e57a03cede554221f83045347a2c4c451c3dc"
+ "e476b787ce0c057244be9e04ef13118dbbb3d5e0a6cc87029eafd4a69ed9"
+ "b14759b15e39d8a9884e56f54d2f9ab013f0d15f318a9ab6b2f73d1ec3c9"
+ "fe274ae89431a10640be7899b0011c5e5093a1834708689de100634dabde"
+ "60fbd6aaefa3a33df34a1f36f60c043036b748d1c9ee98c4031a0afec60e"
+ "fda0a990be524f5614eac4fdb34a52f951",
+ 16,
+ )
+ evRSA_P = int(
+ "00eadc2cb33e5ff1ca376bbd95bd6a1777d2cf4fac47545e92d11a6209b9"
+ "d5e4ded47834581c169b3c884742a09ea187505c1ca55414d8d25b497632"
+ "d5ec2aaa05233430fad49892777a7d68e038f561a3b8969e60b0a263defb"
+ "fda48a9b0ff39d95bc88b15267c8ade97b5107948e41e433249d87f7db10"
+ "9d5d74584d86bcc1d7",
+ 16,
+ )
+ evRSA_Q = int(
+ "00c59ae576a216470248d944a55b9e9bf93299da341ec56e558eba821abc"
+ "e1bf57b79cf411d2904c774f9dba1f15185f607b0574a08205d6ec28b66a"
+ "36d634232eaaf2fea37561abaf9d644b68db38c9964cb8c96ec0ac61eba6"
+ "4d05b446542f423976f5acde4ecc95536d2df578954f93f0cfd9c58fb78b"
+ "a2a76dd5ac284dc883",
+ 16,
+ )
+ evRSA_exp1 = int(
+ "00c1d2ef3906331c52aca64811f9fe425beb2898322fb3db51032ce8d7e9"
+ "fc32240be92019cf2480fcd5e329837127118b2a59a1bfe06c883e3a4447"
+ "f3f031cd9aebd0b8d368fc79740d2cce8eadb324df7f091eafe1564361d5"
+ "4920b01b0471230e5e47d93f8ed33963c517bc4fc78f6d8b1f9eba85bcce"
+ "db7033026508db6285",
+ 16,
+ )
+ evRSA_exp2 = int(
+ "008521b8db5694dfbe804a315f9efc9b65275c5490acf2a3456d65e6e610"
+ "bf9f647fc67501d4f5772f232ac70ccdef9fc2a6dfa415c7c41b6afc7af9"
+ "d07c3ca03f7ed93c09f0b99f2c304434322f1071709bbc1baa4c91575fa6"
+ "a959e07d4996956d95e22b57938b6e47c8d51ffedfc9bf888ce0d1a3e42b"
+ "65a89bed4b91d3e5f5",
+ 16,
+ )
+ evRSA_coef = int(
+ "00dc497b06b920c8be0b0077b798e977eef744a90ec2c5d7e6cbb22448fa"
+ "c72da81a33180e0d8a02e831460c7fc7fd3a612f7b9930b61b799f8e908e"
+ "632e9ba0409b6aa70b03a3ba787426263b5bd5843df8476edb5d14f6a861"
+ "3ebaf5b9cd5ca42f5fbd2802e08e4e49e5709f5151510caa5ab2c1c6eb3e"
+ "fe9295d16e8c25c916",
+ 16,
+ )
+
+ evRSA2040_N = int(
+ "00ca7020dc215f57914d343fae4a015111697af997a5ece91866499fc23f"
+ "1b88a118cbd30b10d91c7b9a0d4ee8972fcae56caf57f25fc1275a2a4dbc"
+ "b982428c32ef587bf2387410330a0ffb16b8029bd783969ef675f6de38c1"
+ "8f67193cb6c072f8b23d0b3374112627a57b90055771d9e62603f53788d7"
+ "f63afa724f5d108096df31f89f26b1eb5f7c4357980e008fcd55d827dd26"
+ "2395ca2f526a07897cc40c593b38716ebc0caa596719c6f29ac9b73a7a94"
+ "4748a3aa3e09e9eb4d461ea0027e540926614728b9d243975cf9a0541bef"
+ "d25e76b51f951110b0e7644fc7e38441791b6d2227384cb8004e23342372"
+ "b1cf5cc3e73e31b7bbefa160e6862ebb",
+ 16,
+ )
+ evRSA2040_E = 65537
+ evRSA2040_D = int(
+ "00b2db74bce92362abf72955a638ae8720ba3033bb7f971caf39188d7542"
+ "eaa1c1abb5d205b1e2111f4791c08911a2e141e8cfd7054702d23100b564"
+ "2c06e1a31b118afd1f9a2f396cced425c501d91435ca8656766ced2b93bb"
+ "b8669fce9bacd727d1dacb3dafabc3293e35389eef8ea0b58e1aeb1a20e6"
+ "a61f9fcd453f7567fe31d123b616a26fef4df1d6c9f7490111d028eefd1d"
+ "972045b1a242273dd7a67ebf111db2741a5a93c7b2289cc4a236f5a99a6e"
+ "c7a8206fdae1c1d04bdbb1980d4a298c5a17dae4186474a5f7835d882bce"
+ "f24aef4ed6f149f94d96c9f7d78e647fc778a9017ff208d3b4a1768b1821"
+ "62102cdab032fabbab38d5200a324649",
+ 16,
+ )
+ evRSA2040_P = int(
+ "0f3844d0d4d4d6a21acd76a6fc370b8550e1d7ec5a6234172e790f0029ae"
+ "651f6d5c59330ab19802b9d7a207de7a1fb778e3774fdbdc411750633d8d"
+ "1b3fe075006ffcfd1d10e763c7a9227d2d5f0c2dade1c9e659c350a159d3"
+ "6bb986f12636d4f9942b288bc0fe21da8799477173144249ca2e389e6c5c"
+ "25aa78c8cad7d4df",
+ 16,
+ )
+ evRSA2040_Q = int(
+ "0d4d0bedd1962f07a1ead6b23a4ed67aeaf1270f052a6d29ba074945c636"
+ "1a5c4f8f07bf859e067aed3f4e6e323ef2aa8a6acd340b0bdc7cfe4fd329"
+ "e3c97f870c7f7735792c6aa9d0f7e7542a28ed6f01b0e55a2b8d9c24a65c"
+ "6da314c95484f5c7c3954a81bb016b07ed17ee9b06039695bca059a79f8d"
+ "c2423d328d5265a5",
+ 16,
+ )
+ evRSA2040_exp1 = int(
+ "09f29a2ff05be8a96d614ba31b08935420a86c6bc42b99a6692ea0da5763"
+ "f01e596959b7ddce73ef9c2e4f6e5b40710887500d44ba0c3cd3132cba27"
+ "475f39c2df7552e2d123a2497a4f97064028769a48a3624657f72bf539f3"
+ "d0de234feccd3be8a0aa90c6bf6e9b0bed43070a24d061ff3ed1751a3ef2"
+ "ff7f6b90b9dbd5fb",
+ 16,
+ )
+ evRSA2040_exp2 = int(
+ "01a659e170cac120a03be1cf8f9df1caa353b03593bd7476e5853bd874c2"
+ "87388601c6c341ce9d1d284a5eef1a3a669d32b816a5eaecd8b7844fe070"
+ "64b9bca0c2b318d540277b3f7f1510d386bb36e03b04771e5d229e88893e"
+ "13b753bfb94518bb638e2404bd6e6a993c1668d93fc0b82ff08aaf34347d"
+ "3fe8397108c87ca5",
+ 16,
+ )
+ evRSA2040_coef = int(
+ "040257c0d4a21c0b9843297c65652db66304fb263773d728b6abfa06d37a"
+ "c0ca62c628023e09e37dc0a901e4ce1224180e2582a3aa4b6a1a7b98e2bd"
+ "70077aec14ac8ab66a755c71e0fc102471f9bbc1b46a95aa0b645f2c38e7"
+ "6450289619ea3f5e8ae61037bffcf8249f22aa4e76e2a01909f3feb290ce"
+ "93edf57b10ebe796",
+ 16,
+ )
+
+ rsa2040_N = int(
+ "00bac0652fdfbc0055882ffbaeaceec88fa2d083c297dd5d40664dd3d90f"
+ "52f9aa02bd8a50fba16e0fd991878ef475f9b350d9f8e3eb2abd717ce327"
+ "b09788531f13df8e3e4e3b9d616bb8a41e5306eed2472163161051180127"
+ "6a4eb66f07331b5cbc8bcae7016a8f9b3d4f2ac4553c624cf5263bcb348e"
+ "8840de6612870960a792191b138fb217f765cec7bff8e94f16b39419bf75"
+ "04c59a7e4f79bd6d173e9c7bf3d9d2a4e73cc180b0590a73d584fb7fc9b5"
+ "4fa544607e53fc685c7a55fd44a81d4142b6af51ea6fa6cea52965a2e8c5"
+ "d84f3ca024d6fbb9b005b9651ce5d9f2ecf40ed404981a9ffc02636e311b"
+ "095c6332a0c87dc39271b5551481774b",
+ 16,
+ )
+ rsa2040_E = 65537
+ rsa2040_D = int(
+ "603db267df97555cbed86b8df355034af28f1eb7f3e7829d239bcc273a7c"
+ "7a69a10be8f21f1b6c4b02c6bae3731c3158b5bbff4605f57ab7b7b2a0cb"
+ "a2ec005a2db5b1ea6e0aceea5bc745dcd2d0e9d6b80d7eb0ea2bc08127bc"
+ "e35fa50c42cc411871ba591e23ba6a38484a33eff1347f907ee9a5a92a23"
+ "11bb0b435510020f78e3bb00099db4d1182928096505fcba84f3ca1238fd"
+ "1eba5eea1f391bbbcc5424b168063fc17e1ca6e1912ccba44f9d0292308a"
+ "1fedb80612529b39f59d0a3f8180b5ba201132197f93a5815ded938df8e7"
+ "d93c9b15766588f339bb59100afda494a7e452d7dd4c9a19ce2ec3a33a18"
+ "b20f0b4dade172bee19f26f0dcbe41",
+ 16,
+ )
+ rsa2040_P = int(
+ "0ec3869cb92d406caddf7a319ab29448bc505a05913707873361fc5b986a"
+ "499fb65eeb815a7e37687d19f128087289d9bb8818e7bcca502c4900ad9a"
+ "ece1179be12ff3e467d606fc820ea8f07ac9ebffe2236e38168412028822"
+ "3e42dbe68dfd972a85a6447e51695f234da7911c67c9ab9531f33df3b994"
+ "32d4ee88c9a4efbb",
+ 16,
+ )
+ rsa2040_Q = int(
+ "0ca63934549e85feac8e0f5604303fd1849fe88af4b7f7e1213283bbc7a2"
+ "c2a509f9273c428c68de3db93e6145f1b400bd6d4a262614e9043ad362d4"
+ "eba4a6b995399c8934a399912199e841d8e8dbff0489f69e663796730b29"
+ "80530b31cb70695a21625ea2adccc09d930516fa872211a91e22dd89fd9e"
+ "b7da8574b72235b1",
+ 16,
+ )
+ rsa2040_exp1 = int(
+ "0d7d3a75e17f65f8a658a485c4095c10a4f66979e2b73bca9cf8ef21253e"
+ "1facac6d4791f58392ce8656f88f1240cc90c29653e3100c6d7a38ed44b1"
+ "63b339e5f3b6e38912126c69b3ceff2e5192426d9649b6ffca1abb75d2ba"
+ "2ed6d9a26aa383c5973d56216ff2edb90ccf887742a0f183ac92c94cf187"
+ "657645c7772d9ad7",
+ 16,
+ )
+ rsa2040_exp2 = int(
+ "03f550194c117f24bea285b209058032f42985ff55acebe88b16df9a3752"
+ "7b4e61dc91a68dbc9a645134528ce5f248bda2893c96cb7be79ee73996c7"
+ "c22577f6c2f790406f3472adb3b211b7e94494f32c5c6fcc0978839fe472"
+ "4c31b06318a2489567b4fca0337acb1b841227aaa5f6c74800a2306929f0"
+ "2ce038bad943df41",
+ 16,
+ )
+ rsa2040_coef = int(
+ "080a7dbfa8c2584814c71664c56eb62ce4caf16afe88d4499159d674774a"
+ "3a3ecddf1256c02fc91525c527692422d0aba94e5c41ee12dc71bb66f867"
+ "9fa17e096f28080851ba046eb31885c1414e8985ade599d907af17453d1c"
+ "caea2c0d06443f8367a6be154b125e390ee0d90f746f08801dd3f5367f59"
+ "fba2e5a67c05f375",
+ 16,
+ )
+
+ rsa1024_N = int(
+ "00d3a97440101eba8c5df9503e6f935eb52ffeb3ebe9d0dc5cace26f973c"
+ "a94cbc0d9c31d66c0c013bce9c82d0d480328df05fb6bcd7990a5312ddae"
+ "6152ad6ee61c8c1bdd8663c68bd36224a9882ae78e89f556dfdbe6f51da6"
+ "112cbfc27c8a49336b41afdb75321b52b24a7344d1348e646351a551c757"
+ "1ccda0b8fe35f61a75",
+ 16,
+ )
+ rsa1024_E = 65537
+ rsa1024_D = int(
+ "5b6708e185548fc07ff062dba3792363e106ff9177d60ee3227162391024"
+ "1813f958a318f26db8b6a801646863ebbc69190d6c2f5e7723433e99666d"
+ "76b3987892cd568f1f18451e8dc05477c0607ee348380ebb7f4c98d0c036"
+ "a0260bc67b2dab46cbaa4ce87636d839d8fddcbae2da3e02e8009a21225d"
+ "d7e47aff2f82699d",
+ 16,
+ )
+ rsa1024_P = int(
+ "00fcdee570323e8fc399dbfc63d8c1569546fb3cd6886c628668ab1e1d0f"
+ "ca71058febdf76d702970ad6579d80ac2f9521075e40ef8f3f39983bd819"
+ "07e898bad3",
+ 16,
+ )
+ rsa1024_Q = int(
+ "00d64801c955b4eb75fbae230faa8b28c9cc5e258be63747ff5ac8d2af25"
+ "3e9f6d6ce03ea2eb13ae0eb32572feb848c32ca00743635374338fedacd8"
+ "c5885f7897",
+ 16,
+ )
+ rsa1024_exp1 = int(
+ "76c0526d5b1b28368a75d5d42a01b9a086e20b9310241e2cd2d0b166a278"
+ "c694ff1e9d25d9193d47789b52bb0fa194de1af0b77c09007f12afdfeef9"
+ "58d108c3",
+ 16,
+ )
+ rsa1024_exp2 = int(
+ "008a41898d8b14217c4d782cbd15ef95d0a660f45ed09a4884f4e170367b"
+ "946d2f20398b907896890e88fe17b54bd7febe133ebc7720c86fe0649cca"
+ "7ca121e05f",
+ 16,
+ )
+ rsa1024_coef = int(
+ "22db133445f7442ea2a0f582031ee214ff5f661972986f172651d8d6b4ec"
+ "3163e99bff1c82fe58ec3d075c6d8f26f277020edb77c3ba821b9ba3ae18"
+ "ff8cb2cb",
+ 16,
+ )
+
+ rsa1016_N = int(
+ "00d29bb12fb84fddcd29b3a519cb66c43b8d8f8be545ba79384ce663ed03"
+ "df75991600eb920790d2530cece544db99a71f05896a3ed207165534aa99"
+ "057e47c47e3bc81ada6fa1e12e37268b5046a55268f9dad7ccb485d81a2e"
+ "19d50d4f0b6854acaf6d7be69d9a083136e15afa8f53c1c8c84fc6077279"
+ "dd0e55d7369a5bdd",
+ 16,
+ )
+ rsa1016_E = 65537
+ rsa1016_D = int(
+ "3c4965070bf390c251d5a2c5277c5b5fd0bdee85cad7fe2b27982bb28511"
+ "4a507004036ae1cf8ae54b25e4db39215abd7e903f618c2d8b2f08cc6cd1"
+ "2dbccd72205e4945b6b3df389e5e43de0a148bb2c84e2431fdbe5920b044"
+ "bb272f45ecff0721b7dfb60397fc613a9ea35c22300530cae8f9159c534d"
+ "f3bf0910951901",
+ 16,
+ )
+ rsa1016_P = int(
+ "0f9f17597c85b8051b9c69afb55ef576c996dbd09047d0ccde5b9d60ea5c"
+ "67fe4fac67be803f4b6ac5a3f050f76b966fb14f5cf105761e5ade6dd960"
+ "b183ba55",
+ 16,
+ )
+ rsa1016_Q = int(
+ "0d7b637112ce61a55168c0f9c9386fb279ab40cba0d549336bba65277263"
+ "aac782611a2c81d9b635cf78c40018859e018c5e9006d12e3d2ee6f346e7"
+ "9fa43369",
+ 16,
+ )
+ rsa1016_exp1 = int(
+ "09fd6c9a3ea6e91ae32070f9fc1c210ff9352f97be5d1eeb951bb39681e9"
+ "dc5b672a532221b3d8900c9a9d99b9d0a4e102dc450ca1b87b0b1389de65"
+ "16c0ae0d",
+ 16,
+ )
+ rsa1016_exp2 = int(
+ "0141b832491b7dd4a83308920024c79cae64bd447df883bb4c5672a96bab"
+ "48b7123b34f26324452cdceb17f21e570e347cbe2fd4c2d8f9910eac2cb6"
+ "d895b8c9",
+ 16,
+ )
+ rsa1016_coef = int(
+ "0458dd6aee18c88b2f9b81f1bc3075ae20dc1f9973d20724f20b06043d61"
+ "47c8789d4a07ae88bc82c8438c893e017b13947f62e0b18958a31eb664b1"
+ "9e64d3e0",
+ 16,
+ )
+
+ def __init__(self, specification):
+ if specification == "default":
+ self.RSA_N = self.sharedRSA_N
+ self.RSA_E = self.sharedRSA_E
+ self.RSA_D = self.sharedRSA_D
+ self.RSA_P = self.sharedRSA_P
+ self.RSA_Q = self.sharedRSA_Q
+ self.RSA_exp1 = self.sharedRSA_exp1
+ self.RSA_exp2 = self.sharedRSA_exp2
+ self.RSA_coef = self.sharedRSA_coef
+ elif specification == "alternate":
+ self.RSA_N = self.alternateRSA_N
+ self.RSA_E = self.alternateRSA_E
+ self.RSA_D = self.alternateRSA_D
+ self.RSA_P = self.alternateRSA_P
+ self.RSA_Q = self.alternateRSA_Q
+ self.RSA_exp1 = self.alternateRSA_exp1
+ self.RSA_exp2 = self.alternateRSA_exp2
+ self.RSA_coef = self.alternateRSA_coef
+ elif specification == "ev":
+ self.RSA_N = self.evRSA_N
+ self.RSA_E = self.evRSA_E
+ self.RSA_D = self.evRSA_D
+ self.RSA_P = self.evRSA_P
+ self.RSA_Q = self.evRSA_Q
+ self.RSA_exp1 = self.evRSA_exp1
+ self.RSA_exp2 = self.evRSA_exp2
+ self.RSA_coef = self.evRSA_coef
+ elif specification == "evRSA2040":
+ self.RSA_N = self.evRSA2040_N
+ self.RSA_E = self.evRSA2040_E
+ self.RSA_D = self.evRSA2040_D
+ self.RSA_P = self.evRSA2040_P
+ self.RSA_Q = self.evRSA2040_Q
+ self.RSA_exp1 = self.evRSA2040_exp1
+ self.RSA_exp2 = self.evRSA2040_exp2
+ self.RSA_coef = self.evRSA2040_coef
+ elif specification == "rsa2040":
+ self.RSA_N = self.rsa2040_N
+ self.RSA_E = self.rsa2040_E
+ self.RSA_D = self.rsa2040_D
+ self.RSA_P = self.rsa2040_P
+ self.RSA_Q = self.rsa2040_Q
+ self.RSA_exp1 = self.rsa2040_exp1
+ self.RSA_exp2 = self.rsa2040_exp2
+ self.RSA_coef = self.rsa2040_coef
+ elif specification == "rsa1024":
+ self.RSA_N = self.rsa1024_N
+ self.RSA_E = self.rsa1024_E
+ self.RSA_D = self.rsa1024_D
+ self.RSA_P = self.rsa1024_P
+ self.RSA_Q = self.rsa1024_Q
+ self.RSA_exp1 = self.rsa1024_exp1
+ self.RSA_exp2 = self.rsa1024_exp2
+ self.RSA_coef = self.rsa1024_coef
+ elif specification == "rsa1016":
+ self.RSA_N = self.rsa1016_N
+ self.RSA_E = self.rsa1016_E
+ self.RSA_D = self.rsa1016_D
+ self.RSA_P = self.rsa1016_P
+ self.RSA_Q = self.rsa1016_Q
+ self.RSA_exp1 = self.rsa1016_exp1
+ self.RSA_exp2 = self.rsa1016_exp2
+ self.RSA_coef = self.rsa1016_coef
+ else:
+ raise UnknownKeySpecificationError(specification)
+
+ def toDER(self):
+ privateKeyInfo = PrivateKeyInfo()
+ privateKeyInfo["version"] = 0
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmIdentifier["algorithm"] = rfc2459.rsaEncryption
+ # Directly setting parameters to univ.Null doesn't currently work.
+ nullEncapsulated = encoder.encode(univ.Null())
+ algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated)
+ privateKeyInfo["privateKeyAlgorithm"] = algorithmIdentifier
+ rsaPrivateKey = RSAPrivateKey()
+ rsaPrivateKey["version"] = 0
+ rsaPrivateKey["modulus"] = self.RSA_N
+ rsaPrivateKey["publicExponent"] = self.RSA_E
+ rsaPrivateKey["privateExponent"] = self.RSA_D
+ rsaPrivateKey["prime1"] = self.RSA_P
+ rsaPrivateKey["prime2"] = self.RSA_Q
+ rsaPrivateKey["exponent1"] = self.RSA_exp1
+ rsaPrivateKey["exponent2"] = self.RSA_exp2
+ rsaPrivateKey["coefficient"] = self.RSA_coef
+ rsaPrivateKeyEncoded = encoder.encode(rsaPrivateKey)
+ privateKeyInfo["privateKey"] = univ.OctetString(rsaPrivateKeyEncoded)
+ return encoder.encode(privateKeyInfo)
+
+ def toPEM(self):
+ output = "-----BEGIN PRIVATE KEY-----"
+ der = self.toDER()
+ b64 = six.ensure_text(base64.b64encode(der))
+ while b64:
+ output += "\n" + b64[:64]
+ b64 = b64[64:]
+ output += "\n-----END PRIVATE KEY-----"
+ return output
+
+ def asSubjectPublicKeyInfo(self):
+ """Returns a subject public key info representing
+ this key for use by pyasn1."""
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmIdentifier["algorithm"] = rfc2459.rsaEncryption
+ # Directly setting parameters to univ.Null doesn't currently work.
+ nullEncapsulated = encoder.encode(univ.Null())
+ algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated)
+ spki = rfc2459.SubjectPublicKeyInfo()
+ spki["algorithm"] = algorithmIdentifier
+ rsaKey = RSAPublicKey()
+ rsaKey["N"] = univ.Integer(self.RSA_N)
+ rsaKey["E"] = univ.Integer(self.RSA_E)
+ subjectPublicKey = univ.BitString(
+ byteStringToHexifiedBitString(encoder.encode(rsaKey))
+ )
+ spki["subjectPublicKey"] = subjectPublicKey
+ return spki
+
+ def sign(self, data, hashAlgorithm):
+ """Returns a hexified bit string representing a
+ signature by this key over the specified data.
+ Intended for use with pyasn1.type.univ.BitString"""
+ hashAlgorithmName = None
+ if hashAlgorithm == HASH_MD5:
+ hashAlgorithmName = "MD5"
+ elif hashAlgorithm == HASH_SHA1:
+ hashAlgorithmName = "SHA-1"
+ elif hashAlgorithm == HASH_SHA256:
+ hashAlgorithmName = "SHA-256"
+ elif hashAlgorithm == HASH_SHA384:
+ hashAlgorithmName = "SHA-384"
+ elif hashAlgorithm == HASH_SHA512:
+ hashAlgorithmName = "SHA-512"
+ else:
+ raise UnknownHashAlgorithmError(hashAlgorithm)
+ rsaPrivateKey = rsa.PrivateKey(
+ self.RSA_N, self.RSA_E, self.RSA_D, self.RSA_P, self.RSA_Q
+ )
+ signature = rsa.sign(data, rsaPrivateKey, hashAlgorithmName)
+ return byteStringToHexifiedBitString(signature)
+
+
+ecPublicKey = univ.ObjectIdentifier("1.2.840.10045.2.1")
+secp256k1 = univ.ObjectIdentifier("1.3.132.0.10")
+secp224r1 = univ.ObjectIdentifier("1.3.132.0.33")
+secp256r1 = univ.ObjectIdentifier("1.2.840.10045.3.1.7")
+secp384r1 = univ.ObjectIdentifier("1.3.132.0.34")
+secp521r1 = univ.ObjectIdentifier("1.3.132.0.35")
+
+
+def longToEvenLengthHexString(val):
+ h = format(val, "x")
+ if not len(h) % 2 == 0:
+ h = "0" + h
+ return h
+
+
+class ECCKey(object):
+ secp256k1KeyPair = (
+ "35ee7c7289d8fef7a86afe5da66d8bc2ebb6a8543fd2fead089f45ce7acd0fa6"
+ + "4382a9500c41dad770ffd4b511bf4b492eb1238800c32c4f76c73a3f3294e7c5",
+ "67cebc208a5fa3df16ec2bb34acc59a42ab4abb0538575ca99b92b6a2149a04f",
+ )
+
+ secp224r1KeyPair = (
+ "668d72cca6fd6a1b3557b5366104d84408ecb637f08e8c86bbff82cc"
+ + "00e88f0066d7af63c3298ba377348a1202b03b37fd6b1ff415aa311e",
+ "04389459926c3296c242b83e10a6cd2011c8fe2dae1b772ea5b21067",
+ )
+
+ secp256r1KeyPair = (
+ "4fbfbbbb61e0f8f9b1a60a59ac8704e2ec050b423e3cf72e923f2c4f794b455c"
+ + "2a69d233456c36c4119d0706e00eedc8d19390d7991b7b2d07a304eaa04aa6c0",
+ "2191403d5710bf15a265818cd42ed6fedf09add92d78b18e7a1e9feb95524702",
+ )
+
+ secp384r1KeyPair = (
+ "a1687243362b5c7b1889f379154615a1c73fb48dee863e022915db608e252de4b71"
+ + "32da8ce98e831534e6a9c0c0b09c8d639ade83206e5ba813473a11fa330e05da8c9"
+ + "6e4383fe27873da97103be2888cff002f05af71a1fddcc8374aa6ea9ce",
+ "035c7a1b10d9fafe837b64ad92f22f5ced0789186538669b5c6d872cec3d926122b"
+ + "393772b57602ff31365efe1393246",
+ )
+
+ secp521r1KeyPair = (
+ "014cdc9cacc47941096bc9cc66752ec27f597734fa66c62b792f88c519d6d37f0d1"
+ + "6ea1c483a1827a010b9128e3a08070ca33ef5f57835b7c1ba251f6cc3521dc42b01"
+ + "0653451981b445d343eed3782a35d6cff0ff484f5a883d209f1b9042b726703568b"
+ + "2f326e18b833bdd8aa0734392bcd19501e10d698a79f53e11e0a22bdd2aad90",
+ "014f3284fa698dd9fe1118dd331851cdfaac5a3829278eb8994839de9471c940b85"
+ + "8c69d2d05e8c01788a7d0b6e235aa5e783fc1bee807dcc3865f920e12cf8f2d29",
+ )
+
+ def __init__(self, specification):
+ if specification == "secp256k1":
+ key_pair = self.secp256k1KeyPair
+ self.keyOID = secp256k1
+ self.curve = ecdsa.SECP256k1
+ elif specification == "secp224r1":
+ key_pair = self.secp224r1KeyPair
+ self.keyOID = secp224r1
+ self.curve = ecdsa.NIST224p
+ elif specification == "secp256r1":
+ key_pair = self.secp256r1KeyPair
+ self.keyOID = secp256r1
+ self.curve = ecdsa.NIST256p
+ elif specification == "secp384r1":
+ key_pair = self.secp384r1KeyPair
+ self.keyOID = secp384r1
+ self.curve = ecdsa.NIST384p
+ elif specification == "secp521r1":
+ key_pair = self.secp521r1KeyPair
+ self.keyOID = secp521r1
+ self.curve = ecdsa.NIST521p
+ else:
+ raise UnknownKeySpecificationError(specification)
+
+ self.public_key, self.private_key = (
+ binascii.unhexlify(key_pair[0]),
+ binascii.unhexlify(key_pair[1]),
+ )
+ self.key = ecdsa.SigningKey.from_string(self.private_key, curve=self.curve)
+
+ def getPublicKeyHexifiedString(self):
+ """Returns the EC public key as a hex string using the uncompressed
+ point representation. This is intended to be used in the encoder
+ functions, as it surrounds the value with ''H to indicate its type."""
+ p1, p2 = (
+ self.public_key[: len(self.public_key) // 2],
+ self.public_key[len(self.public_key) // 2 :],
+ )
+ # We don't want leading zeroes.
+ p1, p2 = (p1.lstrip(b"\0"), p2.lstrip(b"\0"))
+ # '04' indicates that the points are in uncompressed form.
+ return byteStringToHexifiedBitString(b"\04" + p1 + p2)
+
+ def toPEM(self):
+ """Return the EC private key in PEM-encoded form."""
+ output = "-----BEGIN EC PRIVATE KEY-----"
+ der = self.toDER()
+ b64 = six.ensure_text(base64.b64encode(der))
+ while b64:
+ output += "\n" + b64[:64]
+ b64 = b64[64:]
+ output += "\n-----END EC PRIVATE KEY-----"
+ return output
+
+ def toDER(self):
+ """Return the EC private key in DER-encoded form, encoded per SEC 1
+ section C.4 format."""
+ privateKeyInfo = PrivateKeyInfo()
+ privateKeyInfo["version"] = 0
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmIdentifier["algorithm"] = ecPublicKey
+ algorithmIdentifier["parameters"] = self.keyOID
+ privateKeyInfo["privateKeyAlgorithm"] = algorithmIdentifier
+ ecPrivateKey = ECPrivateKey()
+ ecPrivateKey["version"] = 1
+ ecPrivateKey["privateKey"] = self.private_key
+ ecPrivateKey["publicKey"] = univ.BitString(
+ self.getPublicKeyHexifiedString()
+ ).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))
+ ecPrivateKeyEncoded = encoder.encode(ecPrivateKey)
+ privateKeyInfo["privateKey"] = univ.OctetString(ecPrivateKeyEncoded)
+ return encoder.encode(privateKeyInfo)
+
+ def asSubjectPublicKeyInfo(self):
+ """Returns a subject public key info representing
+ this key for use by pyasn1."""
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmIdentifier["algorithm"] = ecPublicKey
+ algorithmIdentifier["parameters"] = self.keyOID
+ spki = rfc2459.SubjectPublicKeyInfo()
+ spki["algorithm"] = algorithmIdentifier
+ spki["subjectPublicKey"] = univ.BitString(self.getPublicKeyHexifiedString())
+ return spki
+
+ def signRaw(self, data, hashAlgorithm):
+ """Performs the ECDSA signature algorithm over the given data.
+ The returned value is a string representing the bytes of the
+ resulting point when encoded by left-padding each of (r, s) to
+ the key size and concatenating them.
+ """
+ assert hashAlgorithm.startswith("hash:")
+ hashAlgorithm = hashAlgorithm[len("hash:") :]
+ k = _gen_k(self.curve)
+ digest = hashlib.new(hashAlgorithm, six.ensure_binary(data)).digest()
+ digest = _truncate_digest(digest, self.curve)
+ # NOTE: Under normal circumstances it's advisable to use
+ # sign_digest_deterministic. In this case we don't want the library's
+ # default generation of k, so we call the normal "sign" method and
+ # inject it here.
+ return self.key.sign_digest(digest, sigencode=ecdsa.util.sigencode_string, k=k)
+
+ def sign(self, data, hashAlgorithm):
+ """Returns a hexified bit string representing a
+ signature by this key over the specified data.
+ Intended for use with pyasn1.type.univ.BitString"""
+ # signRaw returns an encoded point, which is useful in some situations.
+ # However, for signatures on X509 certificates, we need to decode it so
+ # we can encode it as a BITSTRING consisting of a SEQUENCE of two
+ # INTEGERs.
+ raw = self.signRaw(data, hashAlgorithm)
+ point = ECPoint()
+ point["x"] = int.from_bytes(raw[: len(raw) // 2], byteorder="big")
+ point["y"] = int.from_bytes(raw[len(raw) // 2 :], byteorder="big")
+ return byteStringToHexifiedBitString(encoder.encode(point))
+
+
+def keyFromSpecification(specification):
+ """Pass in a specification, get the appropriate key back."""
+ if specification.startswith("secp"):
+ return ECCKey(specification)
+ return RSAKey(specification)
+
+
+# The build harness will call this function with an output file-like
+# object and a path to a file containing a specification. This will
+# read the specification and output the key as ASCII-encoded PKCS #8.
+def main(output, inputPath):
+ with open(inputPath) as configStream:
+ output.write(keyFromSpecification(configStream.read().strip()).toPEM() + "\n")
+
+
+# When run as a standalone program, this will read a specification from
+# stdin and output the certificate as PEM to stdout.
+if __name__ == "__main__":
+ print(keyFromSpecification(sys.stdin.read().strip()).toPEM())
diff --git a/security/manager/tools/pypkcs12.py b/security/manager/tools/pypkcs12.py
new file mode 100644
index 0000000000..ab4c42d53c
--- /dev/null
+++ b/security/manager/tools/pypkcs12.py
@@ -0,0 +1,124 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Reads a specification from stdin or a file and outputs a PKCS12
+file with the desired properties.
+
+The input format currently consists of a pycert certificate
+specification (see pycert.py).
+Currently, keys other than the default key are not supported.
+The password that is used to encrypt and authenticate the file
+is "password".
+"""
+
+import base64
+import os
+import shutil
+import subprocess
+import sys
+
+import mozinfo
+import pycert
+import pykey
+import six
+from mozfile import NamedTemporaryFile
+
+
+class Error(Exception):
+ """Base class for exceptions in this module."""
+
+ pass
+
+
+class OpenSSLError(Error):
+ """Class for handling errors when calling OpenSSL."""
+
+ def __init__(self, status):
+ super(OpenSSLError, self).__init__()
+ self.status = status
+
+ def __str__(self):
+ return "Error running openssl: %s " % self.status
+
+
+def runUtil(util, args):
+ env = os.environ.copy()
+ if mozinfo.os == "linux":
+ pathvar = "LD_LIBRARY_PATH"
+ app_path = os.path.dirname(util)
+ if pathvar in env:
+ env[pathvar] = "%s%s%s" % (app_path, os.pathsep, env[pathvar])
+ else:
+ env[pathvar] = app_path
+ proc = subprocess.run(
+ [util] + args,
+ env=env,
+ universal_newlines=True,
+ )
+ return proc.returncode
+
+
+class PKCS12(object):
+ """Utility class for reading a specification and generating
+ a PKCS12 file"""
+
+ def __init__(self, paramStream):
+ self.cert = pycert.Certificate(paramStream)
+ self.key = pykey.keyFromSpecification("default")
+
+ def toDER(self):
+ with NamedTemporaryFile(mode="wt+") as certTmp, NamedTemporaryFile(
+ mode="wt+"
+ ) as keyTmp, NamedTemporaryFile(mode="rb+") as pkcs12Tmp:
+ certTmp.write(self.cert.toPEM())
+ certTmp.flush()
+ keyTmp.write(self.key.toPEM())
+ keyTmp.flush()
+ openssl = shutil.which("openssl")
+ status = runUtil(
+ openssl,
+ [
+ "pkcs12",
+ "-export",
+ "-inkey",
+ keyTmp.name,
+ "-in",
+ certTmp.name,
+ "-out",
+ pkcs12Tmp.name,
+ "-passout",
+ "pass:password",
+ ],
+ )
+ if status != 0:
+ raise OpenSSLError(status)
+ return pkcs12Tmp.read()
+
+ def toPEM(self):
+ output = "-----BEGIN PKCS12-----"
+ der = self.toDER()
+ b64 = six.ensure_text(base64.b64encode(der))
+ while b64:
+ output += "\n" + b64[:64]
+ b64 = b64[64:]
+ output += "\n-----END PKCS12-----"
+ return output
+
+
+# The build harness will call this function with an output
+# file-like object and a path to a file containing a
+# specification. This will read the specification and output
+# the PKCS12 file.
+def main(output, inputPath):
+ with open(inputPath) as configStream:
+ output.write(PKCS12(configStream).toDER())
+
+
+# When run as a standalone program, this will read a specification from
+# stdin and output the PKCS12 file as PEM to stdout.
+if __name__ == "__main__":
+ print(PKCS12(sys.stdin).toPEM())